I've added a couple of new command-line options:
- -digest: Digest algorithm to be used for signatures. Defaults to 'sha1'
- -issuer: X509 name of the issuer. Defaults to recipient
- -raverified: Assume that Proof-of-Possession (POPO) has been verified by RA
- -implicitconfirm: Request implicit confirmation of enrolled certificate
- -timeout: Connect timeout in seconds (or 0 for none). Default 120
Doing so, I generalized the code for signature generation to arbitrary combinations of digest/hash algorithms and signature algorithms. This not only makes the code fully general in this respect, but also more concise. This improvement is critical for us using the latest EJBCA version, which misbehaves when using SHA-1 (but works well with SHA256 and up).
I corrected the use of the HttpTimeout context parameter and added a FIXME that it should be respected not only for connecting to the server but also for waiting for a response message (in case libCURL is not used).
Error output has been improved for the case of receiving a bogus response (in case libCURL is used).
I added error handling in case X509_LOOKUP_load_file() fails and added resource cleanup also for other error cases within create_cert_store().
I improved the way the server and path info is handed to libCURL, made the tool slightly less verbose on success, and allowed for unsigned error responses.
Finally, I fixed a couple of error message texts and source-code comments.
The respective patch is attached. In case you prefer to receive individual patches for each of the changes, please let me know and I can split this cumulative patch into independent pieces.
Reported by: DDVO
Original Ticket: cmpforopenssl/bugs/25