Updated openssl plugin to the new builder API
[strongswan.git] / src / libstrongswan / plugins / openssl / openssl_ec_private_key.c
index f333bd3..8533140 100644 (file)
@@ -34,162 +34,138 @@ struct private_openssl_ec_private_key_t {
         * Public interface for this signer.
         */
        openssl_ec_private_key_t public;
-       
+
        /**
         * EC key object
         */
        EC_KEY *ec;
-       
+
        /**
         * reference count
         */
-       refcount_t ref; 
+       refcount_t ref;
 };
 
-/**
- * Mapping from the signature scheme defined in (RFC 4754) to the elliptic
- * curve and the hash algorithm
- */
-typedef struct {
-       /**
-        * Scheme specified in RFC 4754
-        */
-       int scheme;
-       
-       /**
-        * NID of the hash
-        */
-       int hash;
-       
-       /**
-        * NID of the curve
-        */
-       int curve;
-} openssl_ecdsa_scheme_t;
-
-#define END_OF_LIST -1
-
-/**
- * Signature schemes
- */
-static openssl_ecdsa_scheme_t ecdsa_schemes[] = {
-       {SIGN_ECDSA_WITH_SHA1,  NID_sha1,       -1},
-       {SIGN_ECDSA_256,                NID_sha256,     NID_X9_62_prime256v1},
-       {SIGN_ECDSA_384,                NID_sha384,     NID_secp384r1},
-       {SIGN_ECDSA_521,                NID_sha512,     NID_secp521r1},
-       {END_OF_LIST,                   0,                      0},
-};
+/* from ec public key */
+bool openssl_ec_fingerprint(EC_KEY *ec, key_encoding_type_t type, chunk_t *fp);
 
 /**
- * Look up the hash and curve of a signature scheme
+ * Build a signature as in RFC 4754
  */
-static bool lookup_scheme(int scheme, int *hash, int *curve)
+static bool build_signature(private_openssl_ec_private_key_t *this,
+                                                       chunk_t hash, chunk_t *signature)
 {
-       openssl_ecdsa_scheme_t *ecdsa_scheme = ecdsa_schemes;
-       while (ecdsa_scheme->scheme != END_OF_LIST)
+       bool built = FALSE;
+       ECDSA_SIG *sig;
+
+       sig = ECDSA_do_sign(hash.ptr, hash.len, this->ec);
+       if (sig)
        {
-               if (scheme == ecdsa_scheme->scheme)
-               {
-                       *hash = ecdsa_scheme->hash;
-                       *curve = ecdsa_scheme->curve;
-                       return TRUE;
-               }
-               ecdsa_scheme++;
+               /* concatenate BNs r/s to a signature chunk */
+               built = openssl_bn_cat(EC_FIELD_ELEMENT_LEN(EC_KEY_get0_group(this->ec)),
+                                                          sig->r, sig->s, signature);
+               ECDSA_SIG_free(sig);
        }
-       return FALSE;
+       return built;
 }
 
-/* from ec public key */
-bool openssl_ec_fingerprint(EC_KEY *ec, key_encoding_type_t type, chunk_t *fp);
-
 /**
- * Convert an ECDSA_SIG to a chunk by concatenating r and s.
- * This function allocates memory for the chunk.
+ * Build a RFC 4754 signature for a specified curve and hash algorithm
  */
-static bool sig2chunk(const EC_GROUP *group, ECDSA_SIG *sig, chunk_t *chunk)
+static bool build_curve_signature(private_openssl_ec_private_key_t *this,
+                                                               signature_scheme_t scheme, int nid_hash,
+                                                               int nid_curve, chunk_t data, chunk_t *signature)
 {
-       return openssl_bn_cat(EC_FIELD_ELEMENT_LEN(group), sig->r, sig->s, chunk);
-}
+       const EC_GROUP *my_group;
+       EC_GROUP *req_group;
+       chunk_t hash;
+       bool built;
 
-/**
- * Build the signature
- */
-static bool build_signature(private_openssl_ec_private_key_t *this,
-                                                       chunk_t hash, chunk_t *signature)
-{
-       ECDSA_SIG *sig;
-       bool success;
-       
-       sig = ECDSA_do_sign(hash.ptr, hash.len, this->ec);
-       if (!sig)
+       req_group = EC_GROUP_new_by_curve_name(nid_curve);
+       if (!req_group)
+       {
+               DBG1("signature scheme %N not supported in EC (required curve "
+                        "not supported)", signature_scheme_names, scheme);
+               return FALSE;
+       }
+       my_group = EC_KEY_get0_group(this->ec);
+       if (EC_GROUP_cmp(my_group, req_group, NULL) != 0)
+       {
+               DBG1("signature scheme %N not supported by private key",
+                        signature_scheme_names, scheme);
+               return FALSE;
+       }
+       EC_GROUP_free(req_group);
+       if (!openssl_hash_chunk(nid_hash, data, &hash))
        {
                return FALSE;
        }
-       success = sig2chunk(EC_KEY_get0_group(this->ec), sig, signature);
-       ECDSA_SIG_free(sig);
-       return success;
+       built = build_signature(this, hash, signature);
+       chunk_free(&hash);
+       return built;
 }
 
 /**
- * Implementation of private_key_t.get_type.
+ * Build a DER encoded signature as in RFC 3279
  */
-static key_type_t get_type(private_openssl_ec_private_key_t *this)
+static bool build_der_signature(private_openssl_ec_private_key_t *this,
+                                                               int hash_nid, chunk_t data, chunk_t *signature)
 {
-       return KEY_ECDSA;
+       chunk_t hash, sig;
+       int siglen = 0;
+       bool built;
+
+       if (!openssl_hash_chunk(hash_nid, data, &hash))
+       {
+               return FALSE;
+       }
+       sig = chunk_alloc(ECDSA_size(this->ec));
+       built = ECDSA_sign(0, hash.ptr, hash.len, sig.ptr, &siglen, this->ec) == 1;
+       sig.len = siglen;
+       if (built)
+       {
+               *signature = sig;
+       }
+       else
+       {
+               free(sig.ptr);
+       }
+       free(hash.ptr);
+       return built;
 }
 
 /**
  * Implementation of private_key_t.sign.
  */
-static bool sign(private_openssl_ec_private_key_t *this, signature_scheme_t scheme, 
-                                chunk_t data, chunk_t *signature)
+static bool sign(private_openssl_ec_private_key_t *this,
+                                signature_scheme_t scheme, chunk_t data, chunk_t *signature)
 {
-       bool success;
-       
-       if (scheme == SIGN_ECDSA_WITH_NULL)
+       switch (scheme)
        {
-               success = build_signature(this, data, signature);
-       }
-       else
-       {
-               EC_GROUP *req_group;
-               const EC_GROUP *my_group;
-               chunk_t hash = chunk_empty;
-               int hash_type, curve;
-               
-               if (!lookup_scheme(scheme, &hash_type, &curve))
-               {
-                       DBG1("signature scheme %N not supported in EC",
-                                        signature_scheme_names, scheme);
-                       return FALSE;
-               }
-               
-               if (curve != -1)
-               {
-                       req_group = EC_GROUP_new_by_curve_name(curve);
-                       if (!req_group)
-                       {
-                               DBG1("signature scheme %N not supported in EC (required curve "
-                                        "not supported)", signature_scheme_names, scheme);
-                               return FALSE;
-                       }
-                       my_group = EC_KEY_get0_group(this->ec);
-                       if (EC_GROUP_cmp(my_group, req_group, NULL) != 0)
-                       {
-                               DBG1("signature scheme %N not supported by private key",
-                                        signature_scheme_names, scheme);
-                               return FALSE;
-                       }
-                       EC_GROUP_free(req_group);
-               }
-               if (!openssl_hash_chunk(hash_type, data, &hash))
-               {
+               case SIGN_ECDSA_WITH_NULL:
+                       return build_signature(this, data, signature);
+               case SIGN_ECDSA_WITH_SHA1_DER:
+                       return build_der_signature(this, NID_sha1, data, signature);
+               case SIGN_ECDSA_WITH_SHA256_DER:
+                       return build_der_signature(this, NID_sha256, data, signature);
+               case SIGN_ECDSA_WITH_SHA384_DER:
+                       return build_der_signature(this, NID_sha384, data, signature);
+               case SIGN_ECDSA_WITH_SHA512_DER:
+                       return build_der_signature(this, NID_sha512, data, signature);
+               case SIGN_ECDSA_256:
+                       return build_curve_signature(this, scheme, NID_sha256,
+                                                                                NID_X9_62_prime256v1, data, signature);
+               case SIGN_ECDSA_384:
+                       return build_curve_signature(this, scheme, NID_sha384,
+                                                                                NID_secp384r1, data, signature);
+               case SIGN_ECDSA_521:
+                       return build_curve_signature(this, scheme, NID_sha512,
+                                                                                NID_secp521r1, data, signature);
+               default:
+                       DBG1("signature scheme %N not supported",
+                                signature_scheme_names, scheme);
                        return FALSE;
-               }
-               success = build_signature(this, hash, signature);
-               chunk_free(&hash);
-       }       
-       return success;
+       }
 }
 
 /**
@@ -211,6 +187,14 @@ static size_t get_keysize(private_openssl_ec_private_key_t *this)
 }
 
 /**
+ * Implementation of private_key_t.get_type.
+ */
+static key_type_t get_type(private_openssl_ec_private_key_t *this)
+{
+       return KEY_ECDSA;
+}
+
+/**
  * Implementation of private_key_t.get_public_key.
  */
 static public_key_t* get_public_key(private_openssl_ec_private_key_t *this)
@@ -218,11 +202,11 @@ static public_key_t* get_public_key(private_openssl_ec_private_key_t *this)
        public_key_t *public;
        chunk_t key;
        u_char *p;
-       
+
        key = chunk_alloc(i2d_EC_PUBKEY(this->ec, NULL));
        p = key.ptr;
        i2d_EC_PUBKEY(this->ec, &p);
-       
+
        public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ECDSA,
                                                                BUILD_BLOB_ASN1_DER, key, BUILD_END);
        free(key.ptr);
@@ -245,7 +229,7 @@ static bool get_encoding(private_openssl_ec_private_key_t *this,
                                                 key_encoding_type_t type, chunk_t *encoding)
 {
        u_char *p;
-       
+
        switch (type)
        {
                case KEY_PRIV_ASN1_DER:
@@ -291,7 +275,7 @@ static void destroy(private_openssl_ec_private_key_t *this)
 static private_openssl_ec_private_key_t *create_empty(void)
 {
        private_openssl_ec_private_key_t *this = malloc_thing(private_openssl_ec_private_key_t);
-       
+
        this->public.interface.get_type = (key_type_t (*)(private_key_t *this))get_type;
        this->public.interface.sign = (bool (*)(private_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t *signature))sign;
        this->public.interface.decrypt = (bool (*)(private_key_t *this, chunk_t crypto, chunk_t *plain))decrypt;
@@ -303,20 +287,41 @@ static private_openssl_ec_private_key_t *create_empty(void)
        this->public.interface.get_encoding = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding;
        this->public.interface.get_ref = (private_key_t* (*)(private_key_t *this))get_ref;
        this->public.interface.destroy = (void (*)(private_key_t *this))destroy;
-       
+
        this->ec = NULL;
        this->ref = 1;
-       
+
        return this;
 }
 
 /**
- * Generate an ECDSA key of specified key size
+ * See header.
  */
-static openssl_ec_private_key_t *generate(size_t key_size)
+openssl_ec_private_key_t *openssl_ec_private_key_gen(key_type_t type,
+                                                                                                        va_list args)
 {
-       private_openssl_ec_private_key_t *this = create_empty();
-       
+       private_openssl_ec_private_key_t *this;
+       u_int key_size = 0;
+
+       while (TRUE)
+       {
+               switch (va_arg(args, builder_part_t))
+               {
+                       case BUILD_KEY_SIZE:
+                               key_size = va_arg(args, u_int);
+                               continue;
+                       case BUILD_END:
+                               break;
+                       default:
+                               return NULL;
+               }
+               break;
+       }
+       if (!key_size)
+       {
+               return NULL;
+       }
+       this = create_empty();
        switch (key_size)
        {
                case 256:
@@ -346,104 +351,41 @@ static openssl_ec_private_key_t *generate(size_t key_size)
 }
 
 /**
- * load private key from an ASN1 encoded blob
- */
-static openssl_ec_private_key_t *load(chunk_t blob)
-{
-       private_openssl_ec_private_key_t *this = create_empty();
-       
-       this->ec = d2i_ECPrivateKey(NULL, (const u_char**)&blob.ptr, blob.len);
-       
-       if (!this->ec)
-       {
-               destroy(this);
-               return NULL;
-       }
-       if (!EC_KEY_check_key(this->ec))
-       {
-               destroy(this);
-               return NULL;
-       }
-       return &this->public;
-}
-
-typedef struct private_builder_t private_builder_t;
-
-/**
- * Builder implementation for key loading/generation
- */
-struct private_builder_t {
-       /** implements the builder interface */
-       builder_t public;
-       /** loaded/generated private key */
-       openssl_ec_private_key_t *key;
-};
-
-/**
- * Implementation of builder_t.build
+ * See header.
  */
-static openssl_ec_private_key_t *build(private_builder_t *this)
+openssl_ec_private_key_t *openssl_ec_private_key_load(key_type_t type,
+                                                                                                         va_list args)
 {
-       openssl_ec_private_key_t *key = this->key;
-       
-       free(this);
-       return key;
-}
+       private_openssl_ec_private_key_t *this;
+       chunk_t blob = chunk_empty;
 
-/**
- * Implementation of builder_t.add
- */
-static void add(private_builder_t *this, builder_part_t part, ...)
-{
-       if (!this->key)
+       while (TRUE)
        {
-               va_list args;
-               
-               switch (part)
+               switch (va_arg(args, builder_part_t))
                {
-                       case BUILD_KEY_SIZE:
-                       {
-                               va_start(args, part);
-                               this->key = generate(va_arg(args, u_int));
-                               va_end(args);
-                               return;
-                       }
                        case BUILD_BLOB_ASN1_DER:
-                       {
-                               va_start(args, part);
-                               this->key = load(va_arg(args, chunk_t));
-                               va_end(args);
-                               return;
-                       }
-                       default:
+                               blob = va_arg(args, chunk_t);
+                               continue;
+                       case BUILD_END:
                                break;
+                       default:
+                               return NULL;
                }
+               break;
        }
-       if (this->key)
+
+       this = create_empty();
+       this->ec = d2i_ECPrivateKey(NULL, (const u_char**)&blob.ptr, blob.len);
+       if (!this->ec)
        {
-               destroy((private_openssl_ec_private_key_t*)this->key);
+               destroy(this);
+               return NULL;
        }
-       builder_cancel(&this->public);
-}
-
-/**
- * Builder construction function
- */
-builder_t *openssl_ec_private_key_builder(key_type_t type)
-{
-       private_builder_t *this;
-       
-       if (type != KEY_ECDSA)
+       if (!EC_KEY_check_key(this->ec))
        {
+               destroy(this);
                return NULL;
        }
-       
-       this = malloc_thing(private_builder_t);
-       
-       this->key = NULL;
-       this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
-       this->public.build = (void*(*)(builder_t *this))build;
-       
        return &this->public;
 }