author | David Howells <dhowells@redhat.com> | 2015-07-20 21:16:33 +0100 |
---|---|---|
committer | David Howells <dhowells@redhat.com> | 2015-08-12 17:01:01 +0100 |
commit | ed8c20762a314124cbdd62e9d3e8aa7aa2a16020 (patch) | |
tree | c92b41d3ff5f5971061631459029edadae904df6 /scripts/extract-cert.c | |
parent | 60d65cacd7c2d84a6dcad69bcb57bbf0220c8643 (diff) | |
sign-file: Generate CMS message as signature instead of PKCS#7

Make sign-file use the OpenSSL CMS routines to generate a message to be
used as the signature blob instead of the PKCS#7 routines. This allows us
to change how the matching X.509 certificate is selected. With PKCS#7 the
only option is to match on the serial number and issuer fields of an X.509
certificate; with CMS, we also have the option of matching by subjectKeyId
extension. The new behaviour is selected with the "-k" flag.

Without the -k flag specified, the output is pretty much identical to the
PKCS#7 output.

Whilst we're at it, don't include the S/MIME capability list in the message
as it's irrelevant to us.

Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-By: David Woodhouse <David.Woodhouse@intel.com>
Diffstat (limited to 'scripts/extract-cert.c')
0 files changed, 0 insertions, 0 deletions
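
The two certificate-matching modes named in the commit message can be told apart in a signature blob by the tag of the `sid` field in each CMS SignerInfo. The following is an added example, not code from this commit or from sign-file: a small DER walker that reports which mode a blob uses. The function names and the two sample blobs are assumptions made for illustration; the samples are constructed skeletons with the right structure but no real signature.

```python
# Added illustration, not kernel code: classify the SignerIdentifier of a CMS blob.
SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # OID 1.2.840.113549.1.7.2
DATA = bytes.fromhex("2a864886f70d010701")         # OID 1.2.840.113549.1.7.1
# sid is a CHOICE: SEQUENCE (issuer + serial) or [0] IMPLICIT OCTET STRING (key id)
KINDS = {0x30: "issuerAndSerialNumber", 0x80: "subjectKeyIdentifier"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos, out = 0, []
    while pos < len(value):  # split a constructed element into (tag, value) pairs
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def signer_id_kinds(der):
    tag, body, _ = read_tlv(der, 0)
    fields = children(body)
    if tag != 0x30 or len(fields) != 2 or fields[0] != (0x06, SIGNED_DATA):
        raise ValueError("not a SignedData ContentInfo")
    signed_data = children(children(fields[1][1])[0][1])  # unwrap [0] EXPLICIT
    # signerInfos is the last field; in each SignerInfo field 0 is version, 1 is sid
    return [KINDS.get(children(s)[1][0], "unknown") for _, s in children(signed_data[-1][1])]

def tlv(tag, value):  # encoder for the constructed samples below (all < 128 bytes)
    return bytes([tag, len(value)]) + value

def sample(sid):  # constructed skeleton; version and algorithm fields are placeholders
    signer = tlv(0x30, tlv(0x02, b"\x01") + sid + tlv(0x30, b"") * 2 + tlv(0x04, b"\x00"))
    sd = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, b"") + tlv(0x30, tlv(0x06, DATA)) + tlv(0x31, signer))
    return tlv(0x30, tlv(0x06, SIGNED_DATA) + tlv(0xA0, sd))

BY_ISSUER_SERIAL = sample(tlv(0x30, tlv(0x30, b"") + tlv(0x02, b"\x01")))
BY_KEY_ID = sample(tlv(0x80, bytes(20)))
```
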