3 files changed, 65 insertions, 58 deletions

diff --git a/src/charon/config/credentials/local_credential_store.c b/src/charon/config/credentials/local_credential_store.c
index fff4b175f..48b129128 100644
--- a/src/charon/config/credentials/local_credential_store.c
+++ b/src/charon/config/credentials/local_credential_store.c
@@ -350,31 +350,6 @@ static ca_info_t* get_issuer(private_local_credential_store_t *this, x509_t *cer
 }
 
 /**
- * Implementation of local_credential_store_t.get_rsa_private_key.
- */
-static rsa_private_key_t *get_rsa_private_key(private_local_credential_store_t *this,
-											  rsa_public_key_t *pubkey)
-{
-	rsa_private_key_t *found = NULL, *current;
-	iterator_t *iterator;
-
-	pthread_mutex_lock(&(this->keys_mutex));
-	iterator = this->private_keys->create_iterator(this->private_keys, TRUE);
-
-	while (iterator->iterate(iterator, (void**)&current))
-	{
-		if (current->belongs_to(current, pubkey))
-		{
-			found = current->clone(current);
-			break;
-		}
-	}
-	iterator->destroy(iterator);
-	pthread_mutex_unlock(&(this->keys_mutex));
-	return found;
-}
-
-/**
  * Implementation of local_credential_store_t.has_rsa_private_key.
  */
 static bool has_rsa_private_key(private_local_credential_store_t *this, rsa_public_key_t *pubkey)
@@ -756,10 +731,51 @@ static bool verify(private_local_credential_store_t *this, x509_t *cert, bool *f
 }
 
 /**
+ * Implementation of local_credential_store_t.rsa_signature.
+ */
+static status_t rsa_signature(private_local_credential_store_t *this,
+							  rsa_public_key_t *pubkey,
+							  hash_algorithm_t hash_algorithm,
+							  chunk_t data, chunk_t *signature)
+{
+	rsa_private_key_t *current, *key = NULL;
+	iterator_t *iterator;
+	status_t status;
+	chunk_t keyid = pubkey->get_keyid(pubkey);
+
+	DBG2(DBG_IKE, "looking for RSA private key with keyid %#B...", &keyid);
+	pthread_mutex_lock(&(this->keys_mutex));
+
+	iterator = this->private_keys->create_iterator(this->private_keys, TRUE);
+	while (iterator->iterate(iterator, (void**)&current))
+	{
+		if (current->belongs_to(current, pubkey))
+		{
+			key = current->clone(current);
+			break;
+		}
+	}
+	iterator->destroy(iterator);
+
+	if (key)
+	{
+		DBG2(DBG_IKE, "  matching RSA private key found");
+		status = key->build_emsa_pkcs1_signature(key, hash_algorithm, data, signature);
+	}
+	else
+	{
+		DBG1(DBG_IKE, "no RSA private key found with keyid %#B", &keyid);
+		status = NOT_FOUND;
+	}
+	pthread_mutex_unlock(&(this->keys_mutex));
+	return status;
+}
+
+/**
  * Implementation of local_credential_store_t.verify_signature.
  */
 static status_t verify_signature(private_local_credential_store_t *this,
-								 chunk_t hash, chunk_t sig,
+								 chunk_t hash, chunk_t signature,
 								 identification_t *id, ca_info_t **issuer_p)
 {
 	iterator_t *iterator = this->certs->create_iterator(this->certs, TRUE);
@@ -816,7 +832,7 @@ static status_t verify_signature(private_local_credential_store_t *this,
 				}
 				*issuer_p = issuer;
 			}
-			sig_status = public_key->verify_emsa_pkcs1_signature(public_key, hash, sig);
+			sig_status = public_key->verify_emsa_pkcs1_signature(public_key, hash, signature);
 			if (sig_status == SUCCESS)
 			{
 				DBG2(DBG_CFG, "candidate peer certificate has a matching RSA public key");
@@ -1560,13 +1576,13 @@ local_credential_store_t * local_credential_store_create(void)
 	this->public.credential_store.get_shared_key = (status_t (*) (credential_store_t*,identification_t*,identification_t*,chunk_t*))get_shared_key;
 	this->public.credential_store.get_eap_key = (status_t (*) (credential_store_t*,identification_t*,identification_t*,chunk_t*))get_eap_key;
 	this->public.credential_store.get_rsa_public_key = (rsa_public_key_t*(*)(credential_store_t*,identification_t*))get_rsa_public_key;
-	this->public.credential_store.get_rsa_private_key = (rsa_private_key_t* (*) (credential_store_t*,rsa_public_key_t*))get_rsa_private_key;
 	this->public.credential_store.has_rsa_private_key = (bool (*) (credential_store_t*,rsa_public_key_t*))has_rsa_private_key;
 	this->public.credential_store.get_certificate = (x509_t* (*) (credential_store_t*,identification_t*))get_certificate;
 	this->public.credential_store.get_auth_certificate = (x509_t* (*) (credential_store_t*,u_int,identification_t*))get_auth_certificate;
 	this->public.credential_store.get_ca_certificate_by_keyid = (x509_t* (*) (credential_store_t*,chunk_t))get_ca_certificate_by_keyid;
 	this->public.credential_store.get_issuer = (ca_info_t* (*) (credential_store_t*,x509_t*))get_issuer;
 	this->public.credential_store.is_trusted = (bool (*) (credential_store_t*,const char*,x509_t*))is_trusted;
+	this->public.credential_store.rsa_signature = (status_t (*) (credential_store_t*,rsa_public_key_t*,hash_algorithm_t,chunk_t,chunk_t*))rsa_signature;
 	this->public.credential_store.verify_signature = (status_t (*) (credential_store_t*,chunk_t,chunk_t,identification_t*,ca_info_t**))verify_signature;
 	this->public.credential_store.verify = (bool (*) (credential_store_t*,x509_t*,bool*))verify;
 	this->public.credential_store.add_end_certificate = (x509_t* (*) (credential_store_t*,x509_t*))add_end_certificate;
diff --git a/src/charon/sa/authenticators/rsa_authenticator.c b/src/charon/sa/authenticators/rsa_authenticator.c
index bb3d846a8..4f4965009 100644
--- a/src/charon/sa/authenticators/rsa_authenticator.c
+++ b/src/charon/sa/authenticators/rsa_authenticator.c
@@ -98,14 +98,13 @@ static status_t build(private_rsa_authenticator_t *this, chunk_t ike_sa_init,
 	chunk_t auth_data;
 	status_t status;
 	rsa_public_key_t *my_pubkey;
-	rsa_private_key_t *my_key;
 	identification_t *my_id;
 	prf_t *prf;
 
 	my_id = this->ike_sa->get_my_id(this->ike_sa);
 	DBG1(DBG_IKE, "authentication of '%D' (myself) with %N",
 		 my_id, auth_method_names, AUTH_RSA);
-	DBG2(DBG_IKE, "looking for RSA public key belonging to '%D'", my_id);
+	DBG2(DBG_IKE, "looking for RSA public key belonging to '%D'...", my_id);
 
 	my_pubkey = charon->credentials->get_rsa_public_key(charon->credentials, my_id);
 	if (my_pubkey == NULL)
@@ -113,28 +112,18 @@ static status_t build(private_rsa_authenticator_t *this, chunk_t ike_sa_init,
 		DBG1(DBG_IKE, "no RSA public key found for '%D'", my_id);
 		return NOT_FOUND;
 	}
-	DBG2(DBG_IKE, "matching RSA public key found");
-	chunk = my_pubkey->get_keyid(my_pubkey);
-	DBG2(DBG_IKE, "looking for RSA private key with keyid %#B", &chunk);
-	my_key = charon->credentials->get_rsa_private_key(charon->credentials, my_pubkey);
-	if (my_key == NULL)
-	{
-		DBG1(DBG_IKE, "no RSA private key found for %D with keyid %#B",
-			 my_id, &chunk);
-		return NOT_FOUND;
-	}
-	DBG2(DBG_IKE, "matching RSA private key found");
+	DBG2(DBG_IKE, "  matching RSA public key found");
 
 	prf = this->ike_sa->get_prf(this->ike_sa);
 	prf->set_key(prf, this->ike_sa->get_skp_build(this->ike_sa));
 	octets = build_tbs_octets(ike_sa_init, other_nonce, my_id, prf);
-	status = my_key->build_emsa_pkcs1_signature(my_key, HASH_SHA1, octets, &auth_data);
+	status = charon->credentials->rsa_signature(charon->credentials,
+										my_pubkey, HASH_SHA1, octets, &auth_data);
 	chunk_free(&octets);
 
 	if (status != SUCCESS)
 	{
-		my_key->destroy(my_key);
-		DBG1(DBG_IKE, "build signature of SHA1 hash failed");
+		DBG1(DBG_IKE, "building RSA signature with SHA-1 hash failed");
 		return status;
 	}
 	DBG2(DBG_IKE, "successfully signed with RSA private key");
@@ -142,8 +131,6 @@ static status_t build(private_rsa_authenticator_t *this, chunk_t ike_sa_init,
 	*auth_payload = auth_payload_create();
 	(*auth_payload)->set_auth_method(*auth_payload, AUTH_RSA);
 	(*auth_payload)->set_data(*auth_payload, auth_data);
-	
-	my_key->destroy(my_key);
 	chunk_free(&auth_data);
 	return SUCCESS;
 }
diff --git a/src/libstrongswan/credential_store.h b/src/libstrongswan/credential_store.h
index 43c0d2ae8..62b6ad2d5 100755
--- a/src/libstrongswan/credential_store.h
+++ b/src/libstrongswan/credential_store.h
@@ -88,17 +88,6 @@ struct credential_store_t {
 	rsa_public_key_t* (*get_rsa_public_key) (credential_store_t *this, identification_t *id);
 	
 	/**
-	 * @brief Returns the RSA private key belonging to an RSA public key
-	 * 
-	 * The returned rsa_private_key_t must be destroyed by the caller after usage.
-	 * 
-	 * @param this					calling object
-	 * @param pubkey				public key 
-	 * @return						private key, or NULL if not found
-	 */	
-	rsa_private_key_t* (*get_rsa_private_key) (credential_store_t *this, rsa_public_key_t *pubkey);
-
-	/**
 	 * @brief Is there a matching RSA private key belonging to an RSA public key?
 	 * 
 	 * @param this					calling object
@@ -145,6 +134,20 @@ struct credential_store_t {
 	ca_info_t* (*get_issuer) (credential_store_t *this, x509_t* cert);
 
 	/**
+	 * @brief  RSA private key belonging to an RSA public key
+	 * 
+	 * 
+	 * @param this					calling object
+	 * @param pubkey				public key used to find the matching private key
+	 * @param hash_algorithm		hash algorithm to be used for signature
+	 * @param data					data block to be signed
+	 * @param signature				signature to be returned
+	 * @return						status of the signature process - SUCCESS if successful
+	 */	
+	status_t (*rsa_signature) (credential_store_t *this, rsa_public_key_t *pubkey, hash_algorithm_t hash_algorithm,
+							   chunk_t data, chunk_t *signature);
+
+	/**
 	 * @brief Verify an RSA signature given the ID of the signer
 	 * 
 	 * @param this					calling object
@@ -154,7 +157,8 @@ struct credential_store_t {
 	 * @param issuer_p				issuer of the signer's certificate (if not self-signed).
 	 * @return						status of the verification - SUCCESS if successful
 	 */
-	status_t (*verify_signature) (credential_store_t *this, chunk_t hash, chunk_t sig, identification_t *id, ca_info_t **issuer_p);
+	status_t (*verify_signature) (credential_store_t *this, chunk_t hash, chunk_t sig, identification_t *id,
+								  ca_info_t **issuer_p);
 	
 	/**
 	 * @brief Verify an X.509 certificate up to trust anchor without any status checks