Annotation of embedaddon/strongswan/src/libstrongswan/credentials/keys/public_key.c, revision 1.1
1.1 ! misho 1: /*
! 2: * Copyright (C) 2015-2017 Tobias Brunner
! 3: * Copyright (C) 2014-2016 Andreas Steffen
! 4: * Copyright (C) 2007 Martin Willi
! 5: * HSR Hochschule fuer Technik Rapperswil
! 6: *
! 7: * This program is free software; you can redistribute it and/or modify it
! 8: * under the terms of the GNU General Public License as published by the
! 9: * Free Software Foundation; either version 2 of the License, or (at your
! 10: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
! 11: *
! 12: * This program is distributed in the hope that it will be useful, but
! 13: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
! 14: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
! 15: * for more details.
! 16: */
! 17:
! 18: #include <asn1/oid.h>
! 19:
! 20: #include "public_key.h"
! 21: #include "signature_params.h"
! 22:
! 23: ENUM(key_type_names, KEY_ANY, KEY_BLISS,
! 24: "ANY",
! 25: "RSA",
! 26: "ECDSA",
! 27: "DSA",
! 28: "ED25519",
! 29: "ED448",
! 30: "BLISS"
! 31: );
! 32:
! 33: ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_BLISS_WITH_SHA3_512,
! 34: "UNKNOWN",
! 35: "RSA_EMSA_PKCS1_NULL",
! 36: "RSA_EMSA_PKCS1_MD5",
! 37: "RSA_EMSA_PKCS1_SHA1",
! 38: "RSA_EMSA_PKCS1_SHA2_224",
! 39: "RSA_EMSA_PKCS1_SHA2_256",
! 40: "RSA_EMSA_PKCS1_SHA2_384",
! 41: "RSA_EMSA_PKCS1_SHA2_512",
! 42: "RSA_EMSA_PKCS1_SHA3_224",
! 43: "RSA_EMSA_PKCS1_SHA3_256",
! 44: "RSA_EMSA_PKCS1_SHA3_384",
! 45: "RSA_EMSA_PKCS1_SHA3_512",
! 46: "RSA_EMSA_PSS",
! 47: "ECDSA_WITH_SHA1_DER",
! 48: "ECDSA_WITH_SHA256_DER",
! 49: "ECDSA_WITH_SHA384_DER",
! 50: "ECDSA_WITH_SHA512_DER",
! 51: "ECDSA_WITH_NULL",
! 52: "ECDSA-256",
! 53: "ECDSA-384",
! 54: "ECDSA-521",
! 55: "ED25519",
! 56: "ED448",
! 57: "BLISS_WITH_SHA2_256",
! 58: "BLISS_WITH_SHA2_384",
! 59: "BLISS_WITH_SHA2_512",
! 60: "BLISS_WITH_SHA3_256",
! 61: "BLISS_WITH_SHA3_384",
! 62: "BLISS_WITH_SHA3_512",
! 63: );
! 64:
! 65: ENUM(encryption_scheme_names, ENCRYPT_UNKNOWN, ENCRYPT_RSA_OAEP_SHA512,
! 66: "ENCRYPT_UNKNOWN",
! 67: "ENCRYPT_RSA_PKCS1",
! 68: "ENCRYPT_RSA_OAEP_SHA1",
! 69: "ENCRYPT_RSA_OAEP_SHA224",
! 70: "ENCRYPT_RSA_OAEP_SHA256",
! 71: "ENCRYPT_RSA_OAEP_SHA384",
! 72: "ENCRYPT_RSA_OAEP_SHA512",
! 73: );
! 74:
! 75: /**
! 76: * See header.
! 77: */
! 78: bool public_key_equals(public_key_t *this, public_key_t *other)
! 79: {
! 80: cred_encoding_type_t type;
! 81: chunk_t a, b;
! 82:
! 83: if (this == other)
! 84: {
! 85: return TRUE;
! 86: }
! 87:
! 88: for (type = 0; type < CRED_ENCODING_MAX; type++)
! 89: {
! 90: if (this->get_fingerprint(this, type, &a) &&
! 91: other->get_fingerprint(other, type, &b))
! 92: {
! 93: return chunk_equals(a, b);
! 94: }
! 95: }
! 96: return FALSE;
! 97: }
! 98:
! 99: /**
! 100: * See header.
! 101: */
! 102: bool public_key_has_fingerprint(public_key_t *public, chunk_t fingerprint)
! 103: {
! 104: cred_encoding_type_t type;
! 105: chunk_t current;
! 106:
! 107: for (type = 0; type < KEYID_MAX; type++)
! 108: {
! 109: if (public->get_fingerprint(public, type, ¤t) &&
! 110: chunk_equals(current, fingerprint))
! 111: {
! 112: return TRUE;
! 113: }
! 114: }
! 115: return FALSE;
! 116: }
! 117:
! 118: /*
! 119: * Defined in header.
! 120: */
! 121: signature_scheme_t signature_scheme_from_oid(int oid)
! 122: {
! 123: switch (oid)
! 124: {
! 125: case OID_MD5_WITH_RSA:
! 126: case OID_MD5:
! 127: return SIGN_RSA_EMSA_PKCS1_MD5;
! 128: case OID_SHA1_WITH_RSA:
! 129: case OID_SHA1:
! 130: return SIGN_RSA_EMSA_PKCS1_SHA1;
! 131: case OID_SHA224_WITH_RSA:
! 132: case OID_SHA224:
! 133: return SIGN_RSA_EMSA_PKCS1_SHA2_224;
! 134: case OID_SHA256_WITH_RSA:
! 135: case OID_SHA256:
! 136: return SIGN_RSA_EMSA_PKCS1_SHA2_256;
! 137: case OID_SHA384_WITH_RSA:
! 138: case OID_SHA384:
! 139: return SIGN_RSA_EMSA_PKCS1_SHA2_384;
! 140: case OID_SHA512_WITH_RSA:
! 141: case OID_SHA512:
! 142: return SIGN_RSA_EMSA_PKCS1_SHA2_512;
! 143: case OID_RSASSA_PKCS1V15_WITH_SHA3_224:
! 144: return SIGN_RSA_EMSA_PKCS1_SHA3_224;
! 145: case OID_RSASSA_PKCS1V15_WITH_SHA3_256:
! 146: return SIGN_RSA_EMSA_PKCS1_SHA3_256;
! 147: case OID_RSASSA_PKCS1V15_WITH_SHA3_384:
! 148: return SIGN_RSA_EMSA_PKCS1_SHA3_384;
! 149: case OID_RSASSA_PKCS1V15_WITH_SHA3_512:
! 150: return SIGN_RSA_EMSA_PKCS1_SHA3_512;
! 151: case OID_RSASSA_PSS:
! 152: return SIGN_RSA_EMSA_PSS;
! 153: case OID_ECDSA_WITH_SHA1:
! 154: case OID_EC_PUBLICKEY:
! 155: return SIGN_ECDSA_WITH_SHA1_DER;
! 156: case OID_ECDSA_WITH_SHA256:
! 157: return SIGN_ECDSA_WITH_SHA256_DER;
! 158: case OID_ECDSA_WITH_SHA384:
! 159: return SIGN_ECDSA_WITH_SHA384_DER;
! 160: case OID_ECDSA_WITH_SHA512:
! 161: return SIGN_ECDSA_WITH_SHA512_DER;
! 162: case OID_ED25519:
! 163: return SIGN_ED25519;
! 164: case OID_ED448:
! 165: return SIGN_ED448;
! 166: case OID_BLISS_PUBLICKEY:
! 167: case OID_BLISS_WITH_SHA2_512:
! 168: return SIGN_BLISS_WITH_SHA2_512;
! 169: case OID_BLISS_WITH_SHA2_384:
! 170: return SIGN_BLISS_WITH_SHA2_384;
! 171: case OID_BLISS_WITH_SHA2_256:
! 172: return SIGN_BLISS_WITH_SHA2_256;
! 173: case OID_BLISS_WITH_SHA3_512:
! 174: return SIGN_BLISS_WITH_SHA3_512;
! 175: case OID_BLISS_WITH_SHA3_384:
! 176: return SIGN_BLISS_WITH_SHA3_384;
! 177: case OID_BLISS_WITH_SHA3_256:
! 178: return SIGN_BLISS_WITH_SHA3_256;
! 179: }
! 180: return SIGN_UNKNOWN;
! 181: }
! 182:
! 183: /*
! 184: * Defined in header.
! 185: */
! 186: int signature_scheme_to_oid(signature_scheme_t scheme)
! 187: {
! 188: switch (scheme)
! 189: {
! 190: case SIGN_UNKNOWN:
! 191: case SIGN_RSA_EMSA_PKCS1_NULL:
! 192: case SIGN_ECDSA_WITH_NULL:
! 193: case SIGN_ECDSA_256:
! 194: case SIGN_ECDSA_384:
! 195: case SIGN_ECDSA_521:
! 196: break;
! 197: case SIGN_RSA_EMSA_PKCS1_MD5:
! 198: return OID_MD5_WITH_RSA;
! 199: case SIGN_RSA_EMSA_PKCS1_SHA1:
! 200: return OID_SHA1_WITH_RSA;
! 201: case SIGN_RSA_EMSA_PKCS1_SHA2_224:
! 202: return OID_SHA224_WITH_RSA;
! 203: case SIGN_RSA_EMSA_PKCS1_SHA2_256:
! 204: return OID_SHA256_WITH_RSA;
! 205: case SIGN_RSA_EMSA_PKCS1_SHA2_384:
! 206: return OID_SHA384_WITH_RSA;
! 207: case SIGN_RSA_EMSA_PKCS1_SHA2_512:
! 208: return OID_SHA512_WITH_RSA;
! 209: case SIGN_RSA_EMSA_PKCS1_SHA3_224:
! 210: return OID_RSASSA_PKCS1V15_WITH_SHA3_224;
! 211: case SIGN_RSA_EMSA_PKCS1_SHA3_256:
! 212: return OID_RSASSA_PKCS1V15_WITH_SHA3_256;
! 213: case SIGN_RSA_EMSA_PKCS1_SHA3_384:
! 214: return OID_RSASSA_PKCS1V15_WITH_SHA3_384;
! 215: case SIGN_RSA_EMSA_PKCS1_SHA3_512:
! 216: return OID_RSASSA_PKCS1V15_WITH_SHA3_384;
! 217: case SIGN_RSA_EMSA_PSS:
! 218: return OID_RSASSA_PSS;
! 219: case SIGN_ECDSA_WITH_SHA1_DER:
! 220: return OID_ECDSA_WITH_SHA1;
! 221: case SIGN_ECDSA_WITH_SHA256_DER:
! 222: return OID_ECDSA_WITH_SHA256;
! 223: case SIGN_ECDSA_WITH_SHA384_DER:
! 224: return OID_ECDSA_WITH_SHA384;
! 225: case SIGN_ECDSA_WITH_SHA512_DER:
! 226: return OID_ECDSA_WITH_SHA512;
! 227: case SIGN_ED25519:
! 228: return OID_ED25519;
! 229: case SIGN_ED448:
! 230: return OID_ED448;
! 231: case SIGN_BLISS_WITH_SHA2_256:
! 232: return OID_BLISS_WITH_SHA2_256;
! 233: case SIGN_BLISS_WITH_SHA2_384:
! 234: return OID_BLISS_WITH_SHA2_384;
! 235: case SIGN_BLISS_WITH_SHA2_512:
! 236: return OID_BLISS_WITH_SHA2_512;
! 237: case SIGN_BLISS_WITH_SHA3_256:
! 238: return OID_BLISS_WITH_SHA3_256;
! 239: case SIGN_BLISS_WITH_SHA3_384:
! 240: return OID_BLISS_WITH_SHA3_384;
! 241: case SIGN_BLISS_WITH_SHA3_512:
! 242: return OID_BLISS_WITH_SHA3_512;
! 243: }
! 244: return OID_UNKNOWN;
! 245: }
! 246:
! 247: /**
! 248: * Parameters for RSA/PSS signature schemes
! 249: */
! 250: #define PSS_PARAMS(bits) static rsa_pss_params_t pss_params_sha##bits = { \
! 251: .hash = HASH_SHA##bits, \
! 252: .mgf1_hash = HASH_SHA##bits, \
! 253: .salt_len = HASH_SIZE_SHA##bits, \
! 254: }
! 255:
! 256: PSS_PARAMS(256);
! 257: PSS_PARAMS(384);
! 258: PSS_PARAMS(512);
! 259:
! 260: /**
! 261: * Map for signature schemes to the key type and maximum key size allowed.
! 262: * We only cover schemes with hash algorithms supported by IKEv2 signature
! 263: * authentication.
! 264: */
! 265: static struct {
! 266: key_type_t type;
! 267: int max_keysize;
! 268: signature_params_t params;
! 269: } scheme_map[] = {
! 270: { KEY_RSA, 3072, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha256, }},
! 271: { KEY_RSA, 7680, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha384, }},
! 272: { KEY_RSA, 0, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha512, }},
! 273: { KEY_RSA, 3072, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256 }},
! 274: { KEY_RSA, 7680, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384 }},
! 275: { KEY_RSA, 0, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512 }},
! 276: { KEY_ECDSA, 256, { .scheme = SIGN_ECDSA_WITH_SHA256_DER }},
! 277: { KEY_ECDSA, 384, { .scheme = SIGN_ECDSA_WITH_SHA384_DER }},
! 278: { KEY_ECDSA, 0, { .scheme = SIGN_ECDSA_WITH_SHA512_DER }},
! 279: { KEY_ED25519, 0, { .scheme = SIGN_ED25519 }},
! 280: { KEY_ED448, 0, { .scheme = SIGN_ED448 }},
! 281: { KEY_BLISS, 128, { .scheme = SIGN_BLISS_WITH_SHA2_256 }},
! 282: { KEY_BLISS, 192, { .scheme = SIGN_BLISS_WITH_SHA2_384 }},
! 283: { KEY_BLISS, 0, { .scheme = SIGN_BLISS_WITH_SHA2_512 }},
! 284: };
! 285:
! 286: /**
! 287: * Private data for signature scheme enumerator
! 288: */
! 289: typedef struct {
! 290: enumerator_t public;
! 291: int index;
! 292: key_type_t type;
! 293: int size;
! 294: } private_enumerator_t;
! 295:
! 296: METHOD(enumerator_t, signature_schemes_enumerate, bool,
! 297: private_enumerator_t *this, va_list args)
! 298: {
! 299: signature_params_t **params;
! 300:
! 301: VA_ARGS_VGET(args, params);
! 302:
! 303: while (++this->index < countof(scheme_map))
! 304: {
! 305: if (this->type == scheme_map[this->index].type &&
! 306: (this->size <= scheme_map[this->index].max_keysize ||
! 307: !scheme_map[this->index].max_keysize))
! 308: {
! 309: *params = &scheme_map[this->index].params;
! 310: return TRUE;
! 311: }
! 312: }
! 313: return FALSE;
! 314: }
! 315:
! 316: /*
! 317: * Defined in header.
! 318: */
! 319: enumerator_t *signature_schemes_for_key(key_type_t type, int size)
! 320: {
! 321: private_enumerator_t *this;
! 322:
! 323: INIT(this,
! 324: .public = {
! 325: .enumerate = enumerator_enumerate_default,
! 326: .venumerate = _signature_schemes_enumerate,
! 327: .destroy = (void*)free,
! 328: },
! 329: .index = -1,
! 330: .type = type,
! 331: .size = size,
! 332: );
! 333:
! 334: return &this->public;
! 335: }
! 336:
! 337: /*
! 338: * Defined in header.
! 339: */
! 340: key_type_t key_type_from_signature_scheme(signature_scheme_t scheme)
! 341: {
! 342: switch (scheme)
! 343: {
! 344: case SIGN_UNKNOWN:
! 345: break;
! 346: case SIGN_RSA_EMSA_PKCS1_NULL:
! 347: case SIGN_RSA_EMSA_PKCS1_MD5:
! 348: case SIGN_RSA_EMSA_PKCS1_SHA1:
! 349: case SIGN_RSA_EMSA_PKCS1_SHA2_224:
! 350: case SIGN_RSA_EMSA_PKCS1_SHA2_256:
! 351: case SIGN_RSA_EMSA_PKCS1_SHA2_384:
! 352: case SIGN_RSA_EMSA_PKCS1_SHA2_512:
! 353: case SIGN_RSA_EMSA_PKCS1_SHA3_224:
! 354: case SIGN_RSA_EMSA_PKCS1_SHA3_256:
! 355: case SIGN_RSA_EMSA_PKCS1_SHA3_384:
! 356: case SIGN_RSA_EMSA_PKCS1_SHA3_512:
! 357: case SIGN_RSA_EMSA_PSS:
! 358: return KEY_RSA;
! 359: case SIGN_ECDSA_WITH_SHA1_DER:
! 360: case SIGN_ECDSA_WITH_SHA256_DER:
! 361: case SIGN_ECDSA_WITH_SHA384_DER:
! 362: case SIGN_ECDSA_WITH_SHA512_DER:
! 363: case SIGN_ECDSA_WITH_NULL:
! 364: case SIGN_ECDSA_256:
! 365: case SIGN_ECDSA_384:
! 366: case SIGN_ECDSA_521:
! 367: return KEY_ECDSA;
! 368: case SIGN_ED25519:
! 369: return KEY_ED25519;
! 370: case SIGN_ED448:
! 371: return KEY_ED448;
! 372: case SIGN_BLISS_WITH_SHA2_256:
! 373: case SIGN_BLISS_WITH_SHA2_384:
! 374: case SIGN_BLISS_WITH_SHA2_512:
! 375: case SIGN_BLISS_WITH_SHA3_256:
! 376: case SIGN_BLISS_WITH_SHA3_384:
! 377: case SIGN_BLISS_WITH_SHA3_512:
! 378: return KEY_BLISS;
! 379: }
! 380: return KEY_ANY;
! 381: }
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>