authorAndreas Steffen <andreas.steffen@strongswan.org>2014-11-28 13:13:47 +0100
committerAndreas Steffen <andreas.steffen@strongswan.org>2014-11-29 14:51:18 +0100
commitb6bb32e658347ac150478959c0f15caab0fdea88 (patch)
treed1481682d60927c96d23bd0d11faac8e9b0f2a0f
parent43d92475998f85b977ca98dd8ac81fc630a19000 (diff)
downloadstrongswan-b6bb32e658347ac150478959c0f15caab0fdea88.tar.bz2
strongswan-b6bb32e658347ac150478959c0f15caab0fdea88.tar.xz
Implemented full BLISS support for IKEv2 public key authentication and the pki tool
-rw-r--r--src/libcharon/plugins/stroke/stroke_cred.c23
-rw-r--r--src/libcharon/plugins/stroke/stroke_plugin.c1
-rw-r--r--src/libcharon/sa/authenticator.c10
-rw-r--r--src/libcharon/sa/authenticator.h10
-rw-r--r--src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c9
-rw-r--r--src/libstrongswan/plugins/bliss/bliss_plugin.c4
-rw-r--r--src/libstrongswan/plugins/x509/x509_ac.c4
-rw-r--r--src/libstrongswan/plugins/x509/x509_crl.c2
-rw-r--r--src/libstrongswan/plugins/x509/x509_ocsp_request.c6
-rw-r--r--src/libstrongswan/plugins/x509/x509_ocsp_response.c4
-rw-r--r--src/libstrongswan/plugins/x509/x509_pkcs10.c2
-rw-r--r--src/pki/commands/acert.c5
-rw-r--r--src/pki/commands/issue.c6
-rw-r--r--src/pki/commands/keyid.c7
-rw-r--r--src/pki/commands/req.c11
-rw-r--r--src/pki/commands/self.c6
-rw-r--r--src/pki/commands/signcrl.c5
17 files changed, 97 insertions, 18 deletions
diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c
index 83431d17c..0dc03ec16 100644
--- a/src/libcharon/plugins/stroke/stroke_cred.c
+++ b/src/libcharon/plugins/stroke/stroke_cred.c
@@ -1124,6 +1124,7 @@ static void load_secrets(private_stroke_cred_t *this, mem_cred_t *secrets,
while (fetchline(src, &line))
{
chunk_t ids, token;
+ key_type_t key_type;
shared_key_type_t type;
line_nr++;
@@ -1222,10 +1223,22 @@ static void load_secrets(private_stroke_cred_t *this, mem_cred_t *secrets,
DBG1(DBG_CFG, "line %d: missing token", line_nr);
break;
}
- if (match("RSA", &token) || match("ECDSA", &token))
+ if (match("RSA", &token) || match("ECDSA", &token) ||
+ match("BLISS", &token))
{
- if (!load_private(secrets, line, line_nr, prompt,
- match("RSA", &token) ? KEY_RSA : KEY_ECDSA))
+ if (match("RSA", &token))
+ {
+ key_type = KEY_RSA;
+ }
+ else if (match("ECDSA", &token))
+ {
+ key_type = KEY_ECDSA;
+ }
+ else
+ {
+ key_type = KEY_BLISS;
+ }
+ if (!load_private(secrets, line, line_nr, prompt, key_type))
{
break;
}
@@ -1256,8 +1269,8 @@ static void load_secrets(private_stroke_cred_t *this, mem_cred_t *secrets,
}
else
{
- DBG1(DBG_CFG, "line %d: token must be either "
- "RSA, ECDSA, P12, PIN, PSK, EAP, XAUTH or NTLM", line_nr);
+ DBG1(DBG_CFG, "line %d: token must be either RSA, ECDSA, BLISS, "
+ "P12, PIN, PSK, EAP, XAUTH or NTLM", line_nr);
break;
}
}
diff --git a/src/libcharon/plugins/stroke/stroke_plugin.c b/src/libcharon/plugins/stroke/stroke_plugin.c
index 31df1f99b..f64b99f08 100644
--- a/src/libcharon/plugins/stroke/stroke_plugin.c
+++ b/src/libcharon/plugins/stroke/stroke_plugin.c
@@ -69,6 +69,7 @@ METHOD(plugin_t, get_features, int,
PLUGIN_SDEPEND(PRIVKEY, KEY_RSA),
PLUGIN_SDEPEND(PRIVKEY, KEY_ECDSA),
PLUGIN_SDEPEND(PRIVKEY, KEY_DSA),
+ PLUGIN_SDEPEND(PRIVKEY, KEY_BLISS),
PLUGIN_SDEPEND(CERT_DECODE, CERT_ANY),
PLUGIN_SDEPEND(CERT_DECODE, CERT_X509),
PLUGIN_SDEPEND(CERT_DECODE, CERT_X509_CRL),
diff --git a/src/libcharon/sa/authenticator.c b/src/libcharon/sa/authenticator.c
index 8571274ac..a3d67ed7a 100644
--- a/src/libcharon/sa/authenticator.c
+++ b/src/libcharon/sa/authenticator.c
@@ -31,12 +31,15 @@ ENUM_BEGIN(auth_method_names, AUTH_RSA, AUTH_DSS,
"RSA signature",
"pre-shared key",
"DSS signature");
-ENUM_NEXT(auth_method_names, AUTH_ECDSA_256, AUTH_GSPM, AUTH_DSS,
+ENUM_NEXT(auth_method_names, AUTH_ECDSA_256, AUTH_NULL, AUTH_DSS,
"ECDSA-256 signature",
"ECDSA-384 signature",
"ECDSA-521 signature",
- "secure password method");
-ENUM_NEXT(auth_method_names, AUTH_XAUTH_INIT_PSK, AUTH_HYBRID_RESP_RSA, AUTH_GSPM,
+ "secure password method",
+ "NULL authentication");
+ENUM_NEXT(auth_method_names, AUTH_BLISS, AUTH_BLISS, AUTH_NULL,
+ "BLISS signature");
+ENUM_NEXT(auth_method_names, AUTH_XAUTH_INIT_PSK, AUTH_HYBRID_RESP_RSA, AUTH_BLISS,
"XAuthInitPSK",
"XAuthRespPSK",
"XAuthInitRSA",
@@ -99,6 +102,7 @@ authenticator_t *authenticator_create_verifier(
case AUTH_ECDSA_256:
case AUTH_ECDSA_384:
case AUTH_ECDSA_521:
+ case AUTH_BLISS:
return (authenticator_t*)pubkey_authenticator_create_verifier(ike_sa,
sent_nonce, received_init, reserved);
case AUTH_PSK:
diff --git a/src/libcharon/sa/authenticator.h b/src/libcharon/sa/authenticator.h
index 914f42d9d..aefb94294 100644
--- a/src/libcharon/sa/authenticator.h
+++ b/src/libcharon/sa/authenticator.h
@@ -80,6 +80,16 @@ enum auth_method_t {
AUTH_GSPM = 12,
/**
+ * NULL Authentication Method as specified in draft-ietf-ipsecme-ikev2-null-auth
+ */
+ AUTH_NULL = 13,
+
+ /**
+ * BLISS Authentication Method
+ */
+ AUTH_BLISS = 220,
+
+ /**
* IKEv1 initiator XAUTH with PSK, outside of IANA range
*/
AUTH_XAUTH_INIT_PSK = 256,
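Review bot: The doc comment added for `AUTH_BLISS = 220` does not say where the value comes from. 220 lies in the 201-255 block that the IANA IKEv2 Authentication Method registry sets aside for private use, so this is a strongSwan-specific assignment that another implementation may not know or may use for a different method. I would extend the comment to something like `BLISS Authentication Method, private use value (IANA range 201-255), strongSwan-specific`. `AUTH_NULL = 13` is added to the enum and the name table in this commit, but none of the hunks shown handles it, so it presumably still ends in the default branches; a short remark in its comment that it is declared but not yet implemented would avoid confusion. The enum continues outside the hunk.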
diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
index 6fb14bc06..2188fb2e8 100644
--- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
+++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
@@ -106,6 +106,11 @@ METHOD(authenticator_t, build, status_t,
return status;
}
break;
+ case KEY_BLISS:
+ /* we currently use SHA512 only */
+ scheme = SIGN_BLISS_WITH_SHA512;
+ auth_method = AUTH_BLISS;
+ break;
default:
DBG1(DBG_IKE, "private key of type %N not supported",
key_type_names, private->get_type(private));
@@ -170,6 +175,10 @@ METHOD(authenticator_t, process, status_t,
case AUTH_ECDSA_521:
scheme = SIGN_ECDSA_521;
break;
+ case AUTH_BLISS:
+ key_type = KEY_BLISS;
+ scheme = SIGN_BLISS_WITH_SHA512;
+ break;
default:
return INVALID_ARG;
}
diff --git a/src/libstrongswan/plugins/bliss/bliss_plugin.c b/src/libstrongswan/plugins/bliss/bliss_plugin.c
index c5920a15a..2021885b3 100644
--- a/src/libstrongswan/plugins/bliss/bliss_plugin.c
+++ b/src/libstrongswan/plugins/bliss/bliss_plugin.c
@@ -45,11 +45,15 @@ METHOD(plugin_t, get_features, int,
/* private/public keys */
PLUGIN_REGISTER(PRIVKEY, bliss_private_key_load, TRUE),
PLUGIN_PROVIDE(PRIVKEY, KEY_BLISS),
+ PLUGIN_REGISTER(PRIVKEY, bliss_private_key_load, TRUE),
+ PLUGIN_PROVIDE(PRIVKEY, KEY_ANY),
PLUGIN_REGISTER(PRIVKEY_GEN, bliss_private_key_gen, FALSE),
PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_BLISS),
PLUGIN_DEPENDS(RNG, RNG_TRUE),
PLUGIN_REGISTER(PUBKEY, bliss_public_key_load, TRUE),
PLUGIN_PROVIDE(PUBKEY, KEY_BLISS),
+ PLUGIN_REGISTER(PUBKEY, bliss_public_key_load, TRUE),
+ PLUGIN_PROVIDE(PUBKEY, KEY_ANY),
/* signature schemes, private */
PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA512),
PLUGIN_DEPENDS(HASHER, HASH_SHA512),
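Review bot: The two added `PLUGIN_PROVIDE(..., KEY_ANY)` registrations offer `bliss_private_key_load` and `bliss_public_key_load` for key blobs whose type is not known in advance, and nothing in the feature list explains why the same loader is registered twice. This presumably means the BLISS loaders will now also be handed RSA or ECDSA encodings while the type is being probed, so they must reject anything that is not a BLISS key early and without side effects; the loaders are outside this hunk, so that should be confirmed there. I would add a comment above each new pair, e.g. `/* also offered for KEY_ANY so that keys of unknown type can be probed as BLISS */`. The feature array continues outside the hunk.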
diff --git a/src/libstrongswan/plugins/x509/x509_ac.c b/src/libstrongswan/plugins/x509/x509_ac.c
index ed58377a6..bfc200421 100644
--- a/src/libstrongswan/plugins/x509/x509_ac.c
+++ b/src/libstrongswan/plugins/x509/x509_ac.c
@@ -1,7 +1,7 @@
/*
* Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
* Copyright (C) 2003 Martin Berner, Lukas Suter
- * Copyright (C) 2002-2009 Andreas Steffen
+ * Copyright (C) 2002-2014 Andreas Steffen
* Copyright (C) 2009 Martin Willi
*
* HSR Hochschule fuer Technik Rapperswil
@@ -557,7 +557,7 @@ static bool parse_certificate(private_x509_ac_t *this)
}
break;
case AC_OBJ_SIGNATURE:
- this->signature = object;
+ this->signature = chunk_skip(object, 1);
break;
default:
break;
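Review bot: `chunk_skip(object, 1)` in the `AC_OBJ_SIGNATURE` case drops the first octet of the signature BIT STRING, the unused-bits count, without looking at it, so an encoding with a non-zero count is accepted and verified as if the count were zero. I would check the octet before skipping it, e.g. `if (object.len == 0 || object.ptr[0] != 0x00)` followed by whatever this parser uses to fail the parse. The same unchecked skip is added for `CRL_OBJ_SIGNATURE` in x509_crl.c, `BASIC_RESPONSE_SIGNATURE` in x509_ocsp_response.c and `PKCS10_SIGNATURE` in x509_pkcs10.c. Because this changes the bytes handed to signature verification for every key type, not only BLISS, the existing RSA and ECDSA test vectors for these four object types should be re-run. parse_certificate's body continues outside the hunk.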
diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c
index d6057c30f..d171ec2c4 100644
--- a/src/libstrongswan/plugins/x509/x509_crl.c
+++ b/src/libstrongswan/plugins/x509/x509_crl.c
@@ -347,7 +347,7 @@ static bool parse(private_x509_crl_t *this)
break;
}
case CRL_OBJ_SIGNATURE:
- this->signature = object;
+ this->signature = chunk_skip(object, 1);
break;
default:
break;
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_request.c b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
index ff0f0231f..eb5b01986 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_request.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2008-2009 Martin Willi
- * Copyright (C) 2007 Andreas Steffen
+ * Copyright (C) 2007-2014 Andreas Steffen
* Hochschule fuer Technik Rapperswil
* Copyright (C) 2003 Christoph Gysin, Simon Zwahlen
*
@@ -265,6 +265,10 @@ static chunk_t build_optionalSignature(private_x509_ocsp_request_t *this,
oid = OID_ECDSA_WITH_SHA1;
scheme = SIGN_ECDSA_WITH_SHA1_DER;
break;
+ case KEY_BLISS:
+ oid = OID_BLISS_WITH_SHA512;
+ scheme = SIGN_BLISS_WITH_SHA512;
+ break;
default:
DBG1(DBG_LIB, "unable to sign OCSP request, %N signature not "
"supported", key_type_names, this->key->get_type(this->key));
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
index ad04c7dea..60133fc7f 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
@@ -1,6 +1,6 @@
/**
* Copyright (C) 2008-2009 Martin Willi
- * Copyright (C) 2007 Andreas Steffen
+ * Copyright (C) 2007-2014 Andreas Steffen
* Hochschule fuer Technik Rapperswil
* Copyright (C) 2003 Christoph Gysin, Simon Zwahlen
*
@@ -537,7 +537,7 @@ static bool parse_basicOCSPResponse(private_x509_ocsp_response_t *this,
parser->get_level(parser)+1, NULL);
break;
case BASIC_RESPONSE_SIGNATURE:
- this->signature = object;
+ this->signature = chunk_skip(object, 1);
break;
case BASIC_RESPONSE_CERTIFICATE:
{
diff --git a/src/libstrongswan/plugins/x509/x509_pkcs10.c b/src/libstrongswan/plugins/x509/x509_pkcs10.c
index 024b4dba5..20561f7e2 100644
--- a/src/libstrongswan/plugins/x509/x509_pkcs10.c
+++ b/src/libstrongswan/plugins/x509/x509_pkcs10.c
@@ -435,7 +435,7 @@ static bool parse_certificate_request(private_x509_pkcs10_t *this)
this->algorithm = asn1_parse_algorithmIdentifier(object, level, NULL);
break;
case PKCS10_SIGNATURE:
- this->signature = object;
+ this->signature = chunk_skip(object, 1);
break;
default:
break;
diff --git a/src/pki/commands/acert.c b/src/pki/commands/acert.c
index 185aa40b4..03d90a103 100644
--- a/src/pki/commands/acert.c
+++ b/src/pki/commands/acert.c
@@ -166,6 +166,11 @@ static int acert()
error = "issuer private key does not match issuer certificate";
goto end;
}
+ if (private->get_type(private) == KEY_BLISS)
+ {
+ /* currently only SHA-512 is supported */
+ digest = HASH_SHA512;
+ }
if (hex)
{
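Review bot: The added block overwrites `digest` with `HASH_SHA512` whenever the issuer key is BLISS, so a digest the operator asked for on the command line is replaced without any message and the resulting object is signed with a different hash than requested. I would report the override, or reject a conflicting explicit choice; telling an explicit option apart from the default needs a flag set where the options are parsed, which is outside this hunk. The same five-line block is repeated in issue.c, req.c, self.c and signcrl.c, so a small shared helper in the pki tool would keep the behaviour and the message identical in all five commands. The `--digest` usage text in req.c still lists every hash without mentioning that BLISS forces SHA-512. acert's body continues outside the hunk.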
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index aaa2c2ff7..c1d4cf8f2 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -287,6 +287,7 @@ static int issue()
}
break;
}
+
if (!cacert)
{
error = "--cacert is required";
@@ -362,6 +363,11 @@ static int issue()
}
public->destroy(public);
+ if (private->get_type(private) == KEY_BLISS)
+ {
+ /* currently only SHA-512 is supported */
+ digest = HASH_SHA512;
+ }
if (hex)
{
serial = chunk_from_hex(chunk_create(hex, strlen(hex)), NULL);
diff --git a/src/pki/commands/keyid.c b/src/pki/commands/keyid.c
index c3ac0c288..3bc62e74d 100644
--- a/src/pki/commands/keyid.c
+++ b/src/pki/commands/keyid.c
@@ -52,6 +52,11 @@ static int keyid()
type = CRED_PRIVATE_KEY;
subtype = KEY_ECDSA;
}
+ else if (streq(arg, "bliss-priv"))
+ {
+ type = CRED_PRIVATE_KEY;
+ subtype = KEY_BLISS;
+ }
else if (streq(arg, "pub"))
{
type = CRED_PUBLIC_KEY;
@@ -164,7 +169,7 @@ static void __attribute__ ((constructor))reg()
command_register((command_t)
{ keyid, 'k', "keyid",
"calculate key identifiers of a key/certificate",
- {"[--in file] [--type rsa-priv|ecdsa-priv|pub|pkcs10|x509]"},
+ {"[--in file] [--type rsa-priv|ecdsa-priv|bliss-priv|pub|pkcs10|x509]"},
{
{"help", 'h', 0, "show usage information"},
{"in", 'i', 1, "input file, default: stdin"},
diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c
index 023683569..fbe47ecc8 100644
--- a/src/pki/commands/req.c
+++ b/src/pki/commands/req.c
@@ -57,6 +57,10 @@ static int req()
{
type = KEY_ECDSA;
}
+ else if (streq(arg, "bliss"))
+ {
+ type = KEY_BLISS;
+ }
else
{
error = "invalid input type";
@@ -98,6 +102,11 @@ static int req()
break;
}
+ if (type == KEY_BLISS)
+ {
+ /* currently only SHA-512 is supported */
+ digest = HASH_SHA512;
+ }
if (!dn)
{
error = "--dn is required";
@@ -185,7 +194,7 @@ static void __attribute__ ((constructor))reg()
command_register((command_t) {
req, 'r', "req",
"create a PKCS#10 certificate request",
- {" [--in file] [--type rsa|ecdsa] --dn distinguished-name",
+ {" [--in file] [--type rsa|ecdsa|bliss] --dn distinguished-name",
"[--san subjectAltName]+ [--password challengePassword]",
"[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
{
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index 813efb40f..a67115d9b 100644
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -92,7 +92,6 @@ static int self()
else if (streq(arg, "bliss"))
{
type = KEY_BLISS;
- digest = HASH_SHA512;
}
else
{
@@ -263,6 +262,11 @@ static int self()
break;
}
+ if (type == KEY_BLISS)
+ {
+ /* currently only SHA-512 is supported */
+ digest = HASH_SHA512;
+ }
if (!dn)
{
error = "--dn is required";
diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c
index e5f49efe2..212e1a820 100644
--- a/src/pki/commands/signcrl.c
+++ b/src/pki/commands/signcrl.c
@@ -335,6 +335,11 @@ static int sign_crl()
error = "CA private key does not match CA certificate";
goto error;
}
+ if (private->get_type(private) == KEY_BLISS)
+ {
+ /* currently only SHA-512 is supported */
+ digest = HASH_SHA512;
+ }
if (basecrl)
{