Support BLISS signatures with SHA-3 hash

10 files changed, 52 insertions, 9 deletions

diff --git a/src/libstrongswan/credentials/keys/public_key.c b/src/libstrongswan/credentials/keys/public_key.c
index bd5915e60..3ffa9b98d 100644
--- a/src/libstrongswan/credentials/keys/public_key.c
+++ b/src/libstrongswan/credentials/keys/public_key.c
@@ -1,7 +1,7 @@
 /*
  * Copyright (C) 2015 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
- * Copyright (C) 2014 Andreas Steffen
+ * Copyright (C) 2014-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -47,6 +47,9 @@ ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_BLISS_WITH_SHA512,
 	"BLISS_WITH_SHA256",
 	"BLISS_WITH_SHA384",
 	"BLISS_WITH_SHA512",
+	"BLISS_WITH_SHA3_256",
+	"BLISS_WITH_SHA3_384",
+	"BLISS_WITH_SHA3_512",
 );
 
 ENUM(encryption_scheme_names, ENCRYPT_UNKNOWN, ENCRYPT_RSA_OAEP_SHA512,
@@ -139,10 +142,16 @@ signature_scheme_t signature_scheme_from_oid(int oid)
 		case OID_BLISS_PUBLICKEY:
 		case OID_BLISS_WITH_SHA512:
 			return SIGN_BLISS_WITH_SHA512;
-		case OID_BLISS_WITH_SHA256:
-			return SIGN_BLISS_WITH_SHA256;
 		case OID_BLISS_WITH_SHA384:
 			return SIGN_BLISS_WITH_SHA384;
+		case OID_BLISS_WITH_SHA256:
+			return SIGN_BLISS_WITH_SHA256;
+		case OID_BLISS_WITH_SHA3_512:
+			return SIGN_BLISS_WITH_SHA3_512;
+		case OID_BLISS_WITH_SHA3_384:
+			return SIGN_BLISS_WITH_SHA3_384;
+		case OID_BLISS_WITH_SHA3_256:
+			return SIGN_BLISS_WITH_SHA3_256;
 	}
 	return SIGN_UNKNOWN;
 }
@@ -187,6 +196,12 @@ int signature_scheme_to_oid(signature_scheme_t scheme)
 			return OID_BLISS_WITH_SHA384;
 		case SIGN_BLISS_WITH_SHA512:
 			return OID_BLISS_WITH_SHA512;
+		case SIGN_BLISS_WITH_SHA3_256:
+			return OID_BLISS_WITH_SHA3_256;
+		case SIGN_BLISS_WITH_SHA3_384:
+			return OID_BLISS_WITH_SHA3_384;
+		case SIGN_BLISS_WITH_SHA3_512:
+			return OID_BLISS_WITH_SHA3_512;
 	}
 	return OID_UNKNOWN;
 }
@@ -287,6 +302,9 @@ key_type_t key_type_from_signature_scheme(signature_scheme_t scheme)
 		case SIGN_BLISS_WITH_SHA256:
 		case SIGN_BLISS_WITH_SHA384:
 		case SIGN_BLISS_WITH_SHA512:
+		case SIGN_BLISS_WITH_SHA3_256:
+		case SIGN_BLISS_WITH_SHA3_384:
+		case SIGN_BLISS_WITH_SHA3_512:
 			return KEY_BLISS;
 	}
 	return KEY_ANY;
diff --git a/src/libstrongswan/credentials/keys/public_key.h b/src/libstrongswan/credentials/keys/public_key.h
index 66e98b294..38c04f554 100644
--- a/src/libstrongswan/credentials/keys/public_key.h
+++ b/src/libstrongswan/credentials/keys/public_key.h
@@ -1,7 +1,7 @@
 /*
  * Copyright (C) 2015 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
- * Copyright (C) 2014 Andreas Steffen
+ * Copyright (C) 2014-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -100,6 +100,12 @@ enum signature_scheme_t {
 	SIGN_BLISS_WITH_SHA384,
 	/** BLISS with SHA-512                                             */
 	SIGN_BLISS_WITH_SHA512,
+	/** BLISS with SHA-3_256                                           */
+	SIGN_BLISS_WITH_SHA3_256,
+	/** BLISS with SHA-3_384                                           */
+	SIGN_BLISS_WITH_SHA3_384,
+	/** BLISS with SHA-3_512                                           */
+	SIGN_BLISS_WITH_SHA3_512,
 };
 
 /**
diff --git a/src/libstrongswan/crypto/hashers/hasher.c b/src/libstrongswan/crypto/hashers/hasher.c
index 5f8ea95a6..d936e126b 100644
--- a/src/libstrongswan/crypto/hashers/hasher.c
+++ b/src/libstrongswan/crypto/hashers/hasher.c
@@ -428,16 +428,19 @@ hash_algorithm_t hasher_from_signature_scheme(signature_scheme_t scheme)
 		case SIGN_ECDSA_WITH_SHA256_DER:
 		case SIGN_ECDSA_256:
 		case SIGN_BLISS_WITH_SHA256:
+		case SIGN_BLISS_WITH_SHA3_256:
 			return HASH_SHA256;
 		case SIGN_RSA_EMSA_PKCS1_SHA384:
 		case SIGN_ECDSA_WITH_SHA384_DER:
 		case SIGN_ECDSA_384:
 		case SIGN_BLISS_WITH_SHA384:
+		case SIGN_BLISS_WITH_SHA3_384:
 			return HASH_SHA384;
 		case SIGN_RSA_EMSA_PKCS1_SHA512:
 		case SIGN_ECDSA_WITH_SHA512_DER:
 		case SIGN_ECDSA_521:
 		case SIGN_BLISS_WITH_SHA512:
+		case SIGN_BLISS_WITH_SHA3_512:
 			return HASH_SHA512;
 	}
 	return HASH_UNKNOWN;
diff --git a/src/libstrongswan/plugins/bliss/bliss_private_key.c b/src/libstrongswan/plugins/bliss/bliss_private_key.c
index 1386eeb2d..22c194b7c 100644
--- a/src/libstrongswan/plugins/bliss/bliss_private_key.c
+++ b/src/libstrongswan/plugins/bliss/bliss_private_key.c
@@ -517,6 +517,12 @@ METHOD(private_key_t, sign, bool,
 			return sign_bliss(this, HASH_SHA384, data, signature);
 		case SIGN_BLISS_WITH_SHA512:
 			return sign_bliss(this, HASH_SHA512, data, signature);
+		case SIGN_BLISS_WITH_SHA3_256:
+			return sign_bliss(this, HASH_SHA3_256, data, signature);
+		case SIGN_BLISS_WITH_SHA3_384:
+			return sign_bliss(this, HASH_SHA3_384, data, signature);
+		case SIGN_BLISS_WITH_SHA3_512:
+			return sign_bliss(this, HASH_SHA3_512, data, signature);
 		default:
 			DBG1(DBG_LIB, "signature scheme %N not supported with BLISS",
 				 signature_scheme_names, scheme);
diff --git a/src/libstrongswan/plugins/bliss/bliss_public_key.c b/src/libstrongswan/plugins/bliss/bliss_public_key.c
index 2b305f6c2..ba34bf46b 100644
--- a/src/libstrongswan/plugins/bliss/bliss_public_key.c
+++ b/src/libstrongswan/plugins/bliss/bliss_public_key.c
@@ -199,6 +199,12 @@ METHOD(public_key_t, verify, bool,
 			return verify_bliss(this, HASH_SHA384, data, signature);
 		case SIGN_BLISS_WITH_SHA512:
 			return verify_bliss(this, HASH_SHA512, data, signature);
+		case SIGN_BLISS_WITH_SHA3_256:
+			return verify_bliss(this, HASH_SHA3_256, data, signature);
+		case SIGN_BLISS_WITH_SHA3_384:
+			return verify_bliss(this, HASH_SHA3_384, data, signature);
+		case SIGN_BLISS_WITH_SHA3_512:
+			return verify_bliss(this, HASH_SHA3_512, data, signature);
 		default:
 			DBG1(DBG_LIB, "signature scheme %N not supported by BLISS",
 				 signature_scheme_names, scheme);
diff --git a/src/pki/commands/acert.c b/src/pki/commands/acert.c
index 7099977f2..4f850d6d1 100644
--- a/src/pki/commands/acert.c
+++ b/src/pki/commands/acert.c
@@ -278,7 +278,8 @@ static void __attribute__ ((constructor))reg()
 		{"[--in file] [--group name]* --issuerkey file|--issuerkeyid hex",
 		 " --issuercert file [--serial hex] [--lifetime hours]",
 		 " [--not-before datetime] [--not-after datetime] [--dateform form]",
-		 "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
+		 "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
+		 "[--outform der|pem]"},
 		{
 			{"help",			'h', 0, "show usage information"},
 			{"in",				'i', 1, "holder certificate, default: stdin"},
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index 2dc9fcce3..fdc43d705 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -588,7 +588,8 @@ static void __attribute__ ((constructor))reg()
 		 "[--nc-excluded name] [--policy-mapping issuer-oid:subject-oid]",
 		 "[--policy-explicit len] [--policy-inhibit len] [--policy-any len]",
 		 "[--cert-policy oid [--cps-uri uri] [--user-notice text]]+",
-		 "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
+		 "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
+		 "[--outform der|pem]"},
 		{
 			{"help",			'h', 0, "show usage information"},
 			{"in",				'i', 1, "key/request file to issue, default: stdin"},
diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c
index da991b505..68d611250 100644
--- a/src/pki/commands/req.c
+++ b/src/pki/commands/req.c
@@ -196,7 +196,8 @@ static void __attribute__ ((constructor))reg()
 		"create a PKCS#10 certificate request",
 		{"  [--in file] [--type rsa|ecdsa|bliss] --dn distinguished-name",
 		 "[--san subjectAltName]+ [--password challengePassword]",
-		 "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
+		 "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
+		 "[--outform der|pem]"},
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"in",		'i', 1, "private key input file, default: stdin"},
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index a785c2a0c..f4e83c76c 100644
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -425,7 +425,8 @@ static void __attribute__ ((constructor))reg()
 		 "[--policy-map issuer-oid:subject-oid]",
 		 "[--policy-explicit len] [--policy-inhibit len] [--policy-any len]",
 		 "[--cert-policy oid [--cps-uri uri] [--user-notice text]]+",
-		 "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
+		 "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
+		 "[--outform der|pem]"},
 		{
 			{"help",			'h', 0, "show usage information"},
 			{"in",				'i', 1, "private key input file, default: stdin"},
diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c
index 720dfd8a9..6c27289f9 100644
--- a/src/pki/commands/signcrl.c
+++ b/src/pki/commands/signcrl.c
@@ -451,7 +451,7 @@ static void __attribute__ ((constructor))reg()
 		 "  [[--reason key-compromise|ca-compromise|affiliation-changed|",
 		 "             superseded|cessation-of-operation|certificate-hold]",
 		 "   [--date timestamp] --cert file|--serial hex]*",
-		 "  [--digest md5|sha1|sha224|sha256|sha384|sha512]",
+		 "  [--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
 		 "  [--outform der|pem]"},
 		{
 			{"help",		'h', 0, "show usage information"},