aboutsummaryrefslogtreecommitdiffstats
path: root/src/libstrongswan/credentials/keys/public_key.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/libstrongswan/credentials/keys/public_key.c')
-rw-r--r--src/libstrongswan/credentials/keys/public_key.c148
1 files changed, 146 insertions, 2 deletions
diff --git a/src/libstrongswan/credentials/keys/public_key.c b/src/libstrongswan/credentials/keys/public_key.c
index c342ac128..bd5915e60 100644
--- a/src/libstrongswan/credentials/keys/public_key.c
+++ b/src/libstrongswan/credentials/keys/public_key.c
@@ -1,4 +1,5 @@
/*
+ * Copyright (C) 2015 Tobias Brunner
* Copyright (C) 2007 Martin Willi
* Copyright (C) 2014 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
@@ -142,8 +143,151 @@ signature_scheme_t signature_scheme_from_oid(int oid)
return SIGN_BLISS_WITH_SHA256;
case OID_BLISS_WITH_SHA384:
return SIGN_BLISS_WITH_SHA384;
- default:
- return SIGN_UNKNOWN;
}
+ return SIGN_UNKNOWN;
}
+/*
+ * Defined in header.
+ */
+int signature_scheme_to_oid(signature_scheme_t scheme)
+{
+ switch (scheme)
+ {
+ case SIGN_UNKNOWN:
+ case SIGN_RSA_EMSA_PKCS1_NULL:
+ case SIGN_ECDSA_WITH_NULL:
+ case SIGN_ECDSA_256:
+ case SIGN_ECDSA_384:
+ case SIGN_ECDSA_521:
+ break;
+ case SIGN_RSA_EMSA_PKCS1_MD5:
+ return OID_MD5_WITH_RSA;
+ case SIGN_RSA_EMSA_PKCS1_SHA1:
+ return OID_SHA1_WITH_RSA;
+ case SIGN_RSA_EMSA_PKCS1_SHA224:
+ return OID_SHA224_WITH_RSA;
+ case SIGN_RSA_EMSA_PKCS1_SHA256:
+ return OID_SHA256_WITH_RSA;
+ case SIGN_RSA_EMSA_PKCS1_SHA384:
+ return OID_SHA384_WITH_RSA;
+ case SIGN_RSA_EMSA_PKCS1_SHA512:
+ return OID_SHA512_WITH_RSA;
+ case SIGN_ECDSA_WITH_SHA1_DER:
+ return OID_ECDSA_WITH_SHA1;
+ case SIGN_ECDSA_WITH_SHA256_DER:
+ return OID_ECDSA_WITH_SHA256;
+ case SIGN_ECDSA_WITH_SHA384_DER:
+ return OID_ECDSA_WITH_SHA384;
+ case SIGN_ECDSA_WITH_SHA512_DER:
+ return OID_ECDSA_WITH_SHA512;
+ case SIGN_BLISS_WITH_SHA256:
+ return OID_BLISS_WITH_SHA256;
+ case SIGN_BLISS_WITH_SHA384:
+ return OID_BLISS_WITH_SHA384;
+ case SIGN_BLISS_WITH_SHA512:
+ return OID_BLISS_WITH_SHA512;
+ }
+ return OID_UNKNOWN;
+}
+
+/**
+ * Map for signature schemes to the key type and maximum key size allowed.
+ * We only cover schemes with hash algorithms supported by IKEv2 signature
+ * authentication.
+ */
+static struct {
+ signature_scheme_t scheme;
+ key_type_t type;
+ int max_keysize;
+} scheme_map[] = {
+ { SIGN_RSA_EMSA_PKCS1_SHA256, KEY_RSA, 3072 },
+ { SIGN_RSA_EMSA_PKCS1_SHA384, KEY_RSA, 7680 },
+ { SIGN_RSA_EMSA_PKCS1_SHA512, KEY_RSA, 0 },
+ { SIGN_ECDSA_WITH_SHA256_DER, KEY_ECDSA, 256 },
+ { SIGN_ECDSA_WITH_SHA384_DER, KEY_ECDSA, 384 },
+ { SIGN_ECDSA_WITH_SHA512_DER, KEY_ECDSA, 0 },
+ { SIGN_BLISS_WITH_SHA256, KEY_BLISS, 128 },
+ { SIGN_BLISS_WITH_SHA384, KEY_BLISS, 192 },
+ { SIGN_BLISS_WITH_SHA512, KEY_BLISS, 0 },
+};
+
+/**
+ * Private data for signature scheme enumerator
+ */
+typedef struct {
+ enumerator_t public;
+ int index;
+ key_type_t type;
+ int size;
+} private_enumerator_t;
+
+METHOD(enumerator_t, signature_schemes_enumerate, bool,
+ private_enumerator_t *this, signature_scheme_t *scheme)
+{
+ while (++this->index < countof(scheme_map))
+ {
+ if (this->type == scheme_map[this->index].type &&
+ (this->size <= scheme_map[this->index].max_keysize ||
+ !scheme_map[this->index].max_keysize))
+ {
+ *scheme = scheme_map[this->index].scheme;
+ return TRUE;
+ }
+ }
+ return FALSE;
+}
+
+/*
+ * Defined in header.
+ */
+enumerator_t *signature_schemes_for_key(key_type_t type, int size)
+{
+ private_enumerator_t *this;
+
+ INIT(this,
+ .public = {
+ .enumerate = (void*)_signature_schemes_enumerate,
+ .destroy = (void*)free,
+ },
+ .index = -1,
+ .type = type,
+ .size = size,
+ );
+
+ return &this->public;
+}
+
+/*
+ * Defined in header.
+ */
+key_type_t key_type_from_signature_scheme(signature_scheme_t scheme)
+{
+ switch (scheme)
+ {
+ case SIGN_UNKNOWN:
+ break;
+ case SIGN_RSA_EMSA_PKCS1_NULL:
+ case SIGN_RSA_EMSA_PKCS1_MD5:
+ case SIGN_RSA_EMSA_PKCS1_SHA1:
+ case SIGN_RSA_EMSA_PKCS1_SHA224:
+ case SIGN_RSA_EMSA_PKCS1_SHA256:
+ case SIGN_RSA_EMSA_PKCS1_SHA384:
+ case SIGN_RSA_EMSA_PKCS1_SHA512:
+ return KEY_RSA;
+ case SIGN_ECDSA_WITH_SHA1_DER:
+ case SIGN_ECDSA_WITH_SHA256_DER:
+ case SIGN_ECDSA_WITH_SHA384_DER:
+ case SIGN_ECDSA_WITH_SHA512_DER:
+ case SIGN_ECDSA_WITH_NULL:
+ case SIGN_ECDSA_256:
+ case SIGN_ECDSA_384:
+ case SIGN_ECDSA_521:
+ return KEY_ECDSA;
+ case SIGN_BLISS_WITH_SHA256:
+ case SIGN_BLISS_WITH_SHA384:
+ case SIGN_BLISS_WITH_SHA512:
+ return KEY_BLISS;
+ }
+ return KEY_ANY;
+}
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-24 01:47:37 +0000