author | Reto Buerki <reet@codelabs.ch> | 2013-01-18 14:40:02 +0100 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2013-03-19 15:23:51 +0100 |
commit | 38c1fd3cb147d78d5e83b0052c5283ee62f13ba8 (patch) | |
tree | a4a651616fd1aaba821b92bc5faaccd5af347114 /src | |
parent | 1b22565ba5364ef4b6b6483c49ddd1c0632b8c08 (diff) | |
download | strongswan-38c1fd3cb147d78d5e83b0052c5283ee62f13ba8.tar.bz2 strongswan-38c1fd3cb147d78d5e83b0052c5283ee62f13ba8.tar.xz |
Provide TKM credential encoder
The TKM credential encoder creates fingerprints of type
KEYID_PUBKEY_INFO_SHA1 and KEYID_PUBKEY_SHA1 using
CRED_PART_RSA_PUB_ASN1_DER.
This makes the pkcs1 plugin unnecessary.
Diffstat (limited to 'src')
-rw-r--r-- | src/charon-tkm/Makefile.am | 1 | ||||
-rw-r--r-- | src/charon-tkm/src/charon-tkm.c | 5 | ||||
-rw-r--r-- | src/charon-tkm/src/tkm/tkm_encoder.c | 106 | ||||
-rw-r--r-- | src/charon-tkm/src/tkm/tkm_encoder.h | 28 | ||||
-rw-r--r-- | src/charon-tkm/src/tkm/tkm_public_key.c | 36 |
5 files changed, 150 insertions, 26 deletions
diff --git a/src/charon-tkm/Makefile.am b/src/charon-tkm/Makefile.am
index 515a40571..457e5e44e 100644
--- a/src/charon-tkm/Makefile.am
+++ b/src/charon-tkm/Makefile.am
@@ -25,7 +25,6 @@ BUILD_OPTS = \
PLUGINS = \
kernel-netlink \
pem \
- pkcs1 \
socket-default \
openssl \
stroke
diff --git a/src/charon-tkm/src/charon-tkm.c b/src/charon-tkm/src/charon-tkm.c
index 92217b87f..988541e36 100644
--- a/src/charon-tkm/src/charon-tkm.c
+++ b/src/charon-tkm/src/charon-tkm.c
@@ -41,6 +41,7 @@
#include "tkm_kernel_ipsec.h"
#include "tkm_public_key.h"
#include "tkm_cred.h"
+#include "tkm_encoder.h"
/**
* TKM bus listener for IKE authorize events.
@@ -345,6 +346,9 @@ int main(int argc, char *argv[])
creds = tkm_cred_create();
lib->credmgr->add_set(lib->credmgr, (credential_set_t*)creds);
+ /* register TKM credential encoder */
+ lib->encoding->add_encoder(lib->encoding, tkm_encoder_encode);
+
/* add handler for SEGV and ILL,
* INT and TERM are handled by sigwait() in run() */
action.sa_handler = segv_handler;
@@ -371,6 +375,7 @@ int main(int argc, char *argv[])
charon->bus->remove_listener(charon->bus, &listener->listener);
listener->destroy(listener);
creds->destroy(creds);
+ lib->encoding->remove_encoder(lib->encoding, tkm_encoder_encode);
deinit:
libcharon_deinit();
diff --git a/src/charon-tkm/src/tkm/tkm_encoder.c b/src/charon-tkm/src/tkm/tkm_encoder.c
new file mode 100644
index 000000000..d5367ea78
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_encoder.c
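Review bot: In the hunk at -345 the encoder is registered only after `lib->credmgr->add_set(lib->credmgr, (credential_set_t*)creds)`, so any fingerprint requested while tkm_cred's credentials are loaded would still be served by whatever encoders exist at that moment; I cannot see whether tkm_cred_create() loads eagerly, but moving the two `lib->encoding->add_encoder(...)` lines in front of `creds = tkm_cred_create();` removes the question. The matching `remove_encoder` in the hunk at -371 sits on the normal shutdown path only; if any setup step between registration and that point can jump to `deinit:`, the encoder stays registered until libcharon_deinit, which is presumably harmless for a static function but worth a comment, e.g. `/* encoder is intentionally not removed on the error path; lib->encoding is torn down with the library */`. main() starts and ends outside these hunks.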
@@ -0,0 +1,106 @@
+/*
+ * Copyright (C) 2013 Reto Buerki
+ * Copyright (C) 2013 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <utils/debug.h>
+#include <asn1/asn1.h>
+#include <asn1/oid.h>
+
+#include "tkm_encoder.h"
+
+/**
+ * Build the SHA1 hash of pubkey(info) ASN.1 data.
+ */
+static bool hash_pubkey(chunk_t pubkey, chunk_t *hash)
+{
+ hasher_t *hasher;
+
+ hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+ if (!hasher || !hasher->allocate_hash(hasher, pubkey, hash))
+ {
+ DBG1(DBG_LIB, "SHA1 hash algorithm not supported, "
+ "fingerprinting failed");
+ DESTROY_IF(hasher);
+ chunk_free(&pubkey);
+ return FALSE;
+ }
+ hasher->destroy(hasher);
+ chunk_free(&pubkey);
+ return TRUE;
+}
+
+/**
+ * Encode the public key blob into subjectPublicKeyInfo.
+ */
+static bool build_pub_info(chunk_t *encoding, va_list args)
+{
+ chunk_t blob;
+
+ if (cred_encoding_args(args, CRED_PART_RSA_PUB_ASN1_DER, &blob,
+ CRED_PART_END))
+ {
+ *encoding = asn1_wrap(ASN1_SEQUENCE, "mm",
+ asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
+ asn1_bitstring("c", blob));
+ return TRUE;
+ }
+ return FALSE;
+}
+
+/**
+ * Build the fingerprint of the subjectPublicKeyInfo object.
+ */
+static bool build_info_sha1(chunk_t *encoding, va_list args)
+{
+ chunk_t pubkey;
+
+ if (build_pub_info(&pubkey, args))
+ {
+ return hash_pubkey(pubkey, encoding);
+ }
+ return FALSE;
+}
+
+/**
+ * Build the fingerprint of the subjectPublicKey object.
+ */
+static bool build_sha1(chunk_t *encoding, va_list args)
+{
+ chunk_t blob;
+
+ if (cred_encoding_args(args, CRED_PART_RSA_PUB_ASN1_DER, &blob,
+ CRED_PART_END))
+ {
+ return hash_pubkey(chunk_clone(blob), encoding);
+ }
+ return FALSE;
+}
+
+/**
+ * See header.
+ */
+bool tkm_encoder_encode(cred_encoding_type_t type, chunk_t *encoding,
+ va_list args)
+{
+ switch (type)
+ {
+ case KEYID_PUBKEY_INFO_SHA1:
+ return build_info_sha1(encoding, args);
+ case KEYID_PUBKEY_SHA1:
+ return build_sha1(encoding, args);
+ default:
+ return FALSE;
+ }
+}
diff --git a/src/charon-tkm/src/tkm/tkm_encoder.h b/src/charon-tkm/src/tkm/tkm_encoder.h
new file mode 100644
index 000000000..e97e1e301
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_encoder.h
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) 2013 Reto Buerki
+ * Copyright (C) 2013 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef TKM_ENCODER_H_
+#define TKM_ENCODER_H_
+
+#include <credentials/cred_encoding.h>
+
+/**
+ * Encoding function for TKM key fingerprints.
+ */
+bool tkm_encoder_encode(cred_encoding_type_t type, chunk_t *encoding,
+ va_list args);
+
+#endif /** TKM_ENCODER_H_ */
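Review bot: hash_pubkey takes ownership of `pubkey` and frees it on both the success and the failure path, but its doc comment says nothing about that, and build_sha1 consequently has to `chunk_clone(blob)` only to hand the helper something it may free. I would state the contract in the comment, `/** Build the SHA1 hash of pubkey(info) ASN.1 data. Takes ownership of pubkey and frees it on every path; *hash is only written on success. */`, or alternatively let hash_pubkey hash a borrowed chunk and have build_info_sha1 free the asn1_wrap result itself, which drops the clone. The DBG1 text blames an unsupported SHA1 algorithm for every failure although the same branch is taken when allocate_hash fails; `"SHA1 hashing of public key failed, fingerprinting failed"` would describe both cases.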
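Review bot: The header's doc comment `Encoding function for TKM key fingerprints.` does not tell a reader which encodings are answered or what the caller gets back; from tkm_encoder.c the function serves only KEYID_PUBKEY_INFO_SHA1 and KEYID_PUBKEY_SHA1, needs CRED_PART_RSA_PUB_ASN1_DER in `args`, and returns FALSE for everything else. I would add `@param type`, `@param encoding`, `@param args` and `@return` lines saying exactly that, plus that `encoding` is written only on success and holds a newly allocated chunk whose ownership passes to the caller. If the other charon-tkm headers carry a doxygen `@defgroup`/`@{` block and close with `@}`, this one should follow the same convention; the closing `#endif /** TKM_ENCODER_H_ */` looks like that pattern with the group marker missing.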
diff --git a/src/charon-tkm/src/tkm/tkm_public_key.c b/src/charon-tkm/src/tkm/tkm_public_key.c
index d56f65269..e3f64ddba 100644
--- a/src/charon-tkm/src/tkm/tkm_public_key.c
+++ b/src/charon-tkm/src/tkm/tkm_public_key.c
@@ -1,6 +1,6 @@
/*
- * Copyright (C) 2012 Reto Buerki
- * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Copyright (C) 2012-2013 Reto Buerki
+ * Copyright (C) 2012-2013 Adrian-Ken Rueegsegger
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -14,8 +14,6 @@
* for more details.
*/
-#include <utils/debug.h>
-
#include "tkm_public_key.h"
typedef struct private_tkm_public_key_t private_tkm_public_key_t;
@@ -31,14 +29,9 @@ struct private_tkm_public_key_t {
tkm_public_key_t public;
/**
- * Public modulus.
+ * ASN.1 blob of pubkey.
*/
- chunk_t n;
-
- /**
- * Public exponent.
- */
- chunk_t e;
+ chunk_t asn_blob;
/**
* Reference count.
@@ -87,8 +80,7 @@ METHOD(public_key_t, get_fingerprint, bool,
return TRUE;
}
return lib->encoding->encode(lib->encoding, type, this, fp,
- CRED_PART_RSA_MODULUS, this->n,
- CRED_PART_RSA_PUB_EXP, this->e,
+ CRED_PART_RSA_PUB_ASN1_DER, this->asn_blob,
CRED_PART_END);
}
@@ -105,8 +97,7 @@ METHOD(public_key_t, destroy, void,
if (ref_put(&this->ref))
{
lib->encoding->clear_cache(lib->encoding, this);
- chunk_free(&this->n);
- chunk_free(&this->e);
+ chunk_free(&this->asn_blob);
free(this);
}
}
@@ -117,18 +108,14 @@ tkm_public_key_t *tkm_public_key_load(key_type_t type, va_list args)
{
private_tkm_public_key_t *this;
- chunk_t n, e;
+ chunk_t blob = chunk_empty;
- n = e = chunk_empty;
while (TRUE)
{
switch (va_arg(args, builder_part_t))
{
- case BUILD_RSA_MODULUS:
- n = va_arg(args, chunk_t);
- continue;
- case BUILD_RSA_PUB_EXP:
- e = va_arg(args, chunk_t);
+ case BUILD_BLOB_ASN1_DER:
+ blob = va_arg(args, chunk_t);
continue;
case BUILD_END:
break;
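Review bot: In the hunk at -117 tkm_public_key_load now keeps whatever BUILD_BLOB_ASN1_DER it is handed, and the only check, `if (!blob.ptr)` in the next hunk, accepts a zero-length or structurally invalid blob; the n/e parsing that the pkcs1 plugin used to perform on this path is gone together with the plugin, so a bad key is not rejected at load time but surfaces later as an unexplained fingerprint mismatch. build_pub_info in tkm_encoder.c wraps the stored blob into a subjectPublicKeyInfo as if it were the bare RSAPublicKey, so the field comment in the hunk at -31 should pin that, e.g. `/** DER-encoded RSAPublicKey (the subjectPublicKey), as passed via BUILD_BLOB_ASN1_DER. */` instead of `ASN.1 blob of pubkey.`. Unless the TKM validates the key structure itself when it is used — I cannot tell from here — a minimal shape check before `chunk_clone(blob)`, such as unwrapping the outer SEQUENCE with asn1_unwrap and rejecting `!blob.len`, would make the failure local and loud. The function continues past the hunk, and its `type` parameter is not examined in the visible lines.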
@@ -138,7 +125,7 @@ tkm_public_key_t *tkm_public_key_load(key_type_t type, va_list args)
break;
}
- if (!e.ptr || !n.ptr)
+ if (!blob.ptr)
{
return NULL;
}
@@ -159,8 +146,7 @@ tkm_public_key_t *tkm_public_key_load(key_type_t type, va_list args)
},
},
.ref = 1,
- .n = chunk_clone(n),
- .e = chunk_clone(e),
+ .asn_blob = chunk_clone(blob),
);
return &this->public; |