652663108b06f0c5911eb89b884c71cf467b42a8
[strongswan.git] / src / libstrongswan / plugins / sshkey / sshkey_builder.c
1 /*
2 * Copyright (C) 2013 Tobias Brunner
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #define _GNU_SOURCE /* for fmemopen() */
17 #include <unistd.h>
18 #include <stdio.h>
19 #include <errno.h>
20
21 #include "sshkey_builder.h"
22
23 #include <asn1/oid.h>
24 #include <asn1/asn1.h>
25 #include <bio/bio_reader.h>
26 #include <utils/debug.h>
27
28 #define ECDSA_PREFIX "ecdsa-sha2-"
29
30 /**
31 * Parse an EC domain parameter identifier as defined in RFC 5656
32 */
33 static chunk_t parse_ec_identifier(chunk_t identifier)
34 {
35 chunk_t oid = chunk_empty;
36
37 if (chunk_equals(identifier, chunk_from_str("nistp256")))
38 {
39 oid = asn1_build_known_oid(OID_PRIME256V1);
40 }
41 else if (chunk_equals(identifier, chunk_from_str("nistp384")))
42 {
43 oid = asn1_build_known_oid(OID_SECT384R1);
44 }
45 else if (chunk_equals(identifier, chunk_from_str("nistp521")))
46 {
47 oid = asn1_build_known_oid(OID_SECT521R1);
48 }
49 else
50 {
51 char ascii[64];
52
53 if (snprintf(ascii, sizeof(ascii), "%.*s", (int)identifier.len,
54 identifier.ptr) < sizeof(ascii))
55 {
56 oid = asn1_wrap(ASN1_OID, "m", asn1_oid_from_string(ascii));
57 }
58 }
59 return oid;
60 }
61
62 /**
63 * Load a generic public key from an SSH key blob
64 */
65 static sshkey_public_key_t *parse_public_key(chunk_t blob)
66 {
67 bio_reader_t *reader;
68 chunk_t format;
69
70 reader = bio_reader_create(blob);
71 if (!reader->read_data32(reader, &format))
72 {
73 DBG1(DBG_LIB, "invalid key format in SSH key");
74 reader->destroy(reader);
75 return NULL;
76 }
77 if (chunk_equals(format, chunk_from_str("ssh-rsa")))
78 {
79 chunk_t n, e;
80
81 if (!reader->read_data32(reader, &e) ||
82 !reader->read_data32(reader, &n))
83 {
84 DBG1(DBG_LIB, "invalid RSA key in SSH key");
85 reader->destroy(reader);
86 return NULL;
87 }
88 reader->destroy(reader);
89 return lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
90 BUILD_RSA_MODULUS, n, BUILD_RSA_PUB_EXP, e, BUILD_END);
91 }
92 else if (format.len > strlen(ECDSA_PREFIX) &&
93 strpfx(format.ptr, ECDSA_PREFIX))
94 {
95 chunk_t ec_blob, identifier, q, oid, encoded;
96 sshkey_public_key_t *key;
97
98 ec_blob = reader->peek(reader);
99 reader->destroy(reader);
100 reader = bio_reader_create(ec_blob);
101 if (!reader->read_data32(reader, &identifier) ||
102 !reader->read_data32(reader, &q))
103 {
104 DBG1(DBG_LIB, "invalid ECDSA key in SSH key");
105 reader->destroy(reader);
106 return NULL;
107 }
108 oid = parse_ec_identifier(identifier);
109 if (!oid.ptr)
110 {
111 DBG1(DBG_LIB, "invalid ECDSA key identifier in SSH key");
112 reader->destroy(reader);
113 return NULL;
114 }
115 reader->destroy(reader);
116 /* build key from subjectPublicKeyInfo */
117 encoded = asn1_wrap(ASN1_SEQUENCE, "mm",
118 asn1_wrap(ASN1_SEQUENCE, "mm",
119 asn1_build_known_oid(OID_EC_PUBLICKEY), oid),
120 asn1_bitstring("c", q));
121 key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY,
122 KEY_ECDSA, BUILD_BLOB_ASN1_DER, encoded, BUILD_END);
123 chunk_free(&encoded);
124 return key;
125 }
126 DBG1(DBG_LIB, "unsupported SSH key format %.*s", (int)format.len,
127 format.ptr);
128 reader->destroy(reader);
129 return NULL;
130 }
131
132 /**
133 * Load SSH key from a FILE stream, closes the stream
134 */
135 static sshkey_public_key_t *load_from_stream(FILE *file)
136 {
137 sshkey_public_key_t *public = NULL;
138 chunk_t blob = chunk_empty;
139 enumerator_t *enumerator;
140 char line[1024], *token;
141
142 while (!public && fgets(line, sizeof(line), file))
143 { /* the format is: ssh-[rsa|ecdsa-...] <key(base64)> <identifier> */
144 if (!strpfx(line, "ssh-"))
145 {
146 continue;
147 }
148 enumerator = enumerator_create_token(line, " ", " ");
149 if (enumerator->enumerate(enumerator, &token) &&
150 enumerator->enumerate(enumerator, &token))
151 {
152 blob = chunk_from_base64(chunk_from_str(token), NULL);
153 }
154 enumerator->destroy(enumerator);
155 if (blob.ptr)
156 {
157 public = parse_public_key(blob);
158 chunk_free(&blob);
159 }
160 }
161 fclose(file);
162 return public;
163 }
164
165 /**
166 * Load SSH key from a blob of data (most likely the content of a file)
167 */
168 static sshkey_public_key_t *load_from_blob(chunk_t blob)
169 {
170 FILE *stream;
171
172 stream = fmemopen(blob.ptr, blob.len, "r");
173 if (!stream)
174 {
175 return NULL;
176 }
177 return load_from_stream(stream);
178 }
179
180 /**
181 * Load SSH key from file
182 */
183 static sshkey_public_key_t *load_from_file(char *file)
184 {
185 FILE *stream;
186
187 stream = fopen(file, "r");
188 if (!stream)
189 {
190 DBG1(DBG_LIB, " opening '%s' failed: %s", file, strerror(errno));
191 return NULL;
192 }
193 return load_from_stream(stream);
194 }
195
196 /**
197 * See header.
198 */
199 sshkey_public_key_t *sshkey_public_key_load(key_type_t type, va_list args)
200 {
201 chunk_t sshkey = chunk_empty, blob = chunk_empty;
202 char *file = NULL;
203
204 while (TRUE)
205 {
206 switch (va_arg(args, builder_part_t))
207 {
208 case BUILD_BLOB_SSHKEY:
209 sshkey = va_arg(args, chunk_t);
210 continue;
211 case BUILD_FROM_FILE:
212 file = va_arg(args, char*);
213 continue;
214 case BUILD_BLOB:
215 blob = va_arg(args, chunk_t);
216 continue;
217 case BUILD_END:
218 break;
219 default:
220 return NULL;
221 }
222 break;
223 }
224 if (sshkey.ptr)
225 {
226 return parse_public_key(sshkey);
227 }
228 if (file)
229 {
230 return load_from_file(file);
231 }
232 if (blob.ptr)
233 {
234 return load_from_blob(blob);
235 }
236 return NULL;
237 }