author | Tobias Brunner <tobias@strongswan.org> | 2017-10-02 16:21:13 +0200 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2017-11-08 16:48:10 +0100 |
commit | 24b2ede283d6753ea6e2484607705f0a493d1f1e (patch) | |
tree | 1b0296b6357aeaff60985df1f2fe431255a6b7ab /src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c | |
parent | a4aaef747731574fe73ee035e56468f92ad0b616 (diff) | |
ikev2: Support signing with RSASSA-PSS via RFC 7427 signature auth
Diffstat (limited to 'src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c')
-rw-r--r-- | src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c | 27 |
1 files changed, 21 insertions, 6 deletions
diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
index 3c58d9beb..08d15ef00 100644
--- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
+++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
@@ -104,18 +104,32 @@ static bool parse_signature_auth_data(chunk_t *auth_data, key_type_t *key_type,
 * Build authentication data used for Signature Authentication as per RFC 7427
 */
 static bool build_signature_auth_data(chunk_t *auth_data,
- signature_scheme_t scheme)
+ signature_params_t *params)
 {
- chunk_t data;
+ chunk_t data, parameters = chunk_empty;
 uint8_t len;
 int oid;
 
- oid = signature_scheme_to_oid(scheme);
+ oid = signature_scheme_to_oid(params->scheme);
 if (oid == OID_UNKNOWN)
 {
+ chunk_free(auth_data);
 return FALSE;
 }
- data = asn1_algorithmIdentifier(oid);
+ if (params->scheme == SIGN_RSA_EMSA_PSS &&
+ !rsa_pss_params_build(params->params, ¶meters))
+ {
+ chunk_free(auth_data);
+ return FALSE;
+ }
+ if (parameters.len)
+ {
+ data = asn1_algorithmIdentifier_params(oid, parameters);
+ }
+ else
+ {
+ data = asn1_algorithmIdentifier(oid);
+ }
 len = data.len;
 *auth_data = chunk_cat("cmm", chunk_from_thing(len), data, *auth_data);
 return TRUE;
@@ -253,8 +267,9 @@ static status_t sign_signature_auth(private_pubkey_authenticator_t *this,
 while (enumerator->enumerate(enumerator, ¶ms))
 {
 scheme = params->scheme;
- if (private->sign(private, scheme, NULL, octets, auth_data) &&
- build_signature_auth_data(auth_data, scheme))
+ if (private->sign(private, scheme, params->params, octets,
+ auth_data) &&
+ build_signature_auth_data(auth_data, params))
 {
 status = SUCCESS;
 break; |
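Review bot: In build_signature_auth_data the size of the encoded AlgorithmIdentifier is still narrowed through `uint8_t len;` and `len = data.len;`, while this change lets `data` carry RSASSA-PSS parameters, so its size is no longer fixed per OID. A length above 255 would be truncated silently and the single length octet would disagree with the AlgorithmIdentifier that follows it. The parameters built here are presumably much shorter than that, but nothing in the hunk enforces it. A guard before the assignment, such as `if (data.len > UINT8_MAX) { chunk_free(&data); chunk_free(auth_data); return FALSE; }`, would make the failure explicit. The opening `/**` of the comment and the function's closing brace lie outside the hunk.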
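Review bot: The fallback loop in sign_signature_auth now depends on build_signature_auth_data() releasing `auth_data` when it fails, and nothing at the call site says so. A short comment above the `if`, for example `/* build_signature_auth_data() frees auth_data on failure, so the next scheme starts from an empty chunk */`, would document that ownership rule. The loop body continues outside the hunk, so it is not visible whether a failed RSASSA-PSS attempt is logged before the next scheme is tried. If it is not, a debug message naming the scheme would make an unintended fallback to a different signature scheme noticeable to the operator.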