search

kakwa / uts-server

Micro RFC 3161 Time-Stamp server written in C.
http://uts-server.readthedocs.org/en/latest/
MIT License
75 stars 21 forks source link

uts-server does not respect digest algorithm #18

Open gnugnug opened 2 years ago

gnugnug commented 2 years ago

First of all thank you for wrapping the OpenSSL calls in a webserver interface, very useful!

Problem: Regardless which digest algorithm is specified in the timestamp request, uts-server always applies the same digest algorithm to the timestamp response. Example: signtool sign /sha1 <CodeSignCert> /fd sha512 /tr http://uts-server /td sha512 file.exe

Expected result: The code signature as well as the timestamp both use SHA512. Actual behaviour: While the code signature is using SHA512, the timestamp is applied with a SHA256 digest. Changing the /td in the example parameter to any other value has no effect, uts-server always uses SHA256.

It seems that the code to select the digest algorithm is commented out in src/lib/rfc3161.c lin 154+ but I don't know enough about the timestamp query structure on how to extract this value. Using TS_CONF_set_signer_digest(conf, section, NULL, resp_ctx) I can set the digest algorithm to something else than sha256 via the uts-server configuration file (eg _signerdigest = sha512), but then the algorithm is just hardcoded to something else and still not picked up from the request.