Provide TKM credential encoder
authorReto Buerki <reet@codelabs.ch>
Fri, 18 Jan 2013 13:40:02 +0000 (14:40 +0100)
committerTobias Brunner <tobias@strongswan.org>
Tue, 19 Mar 2013 14:23:51 +0000 (15:23 +0100)
The TKM credential encoder creates fingerprints of type
KEYID_PUBKEY_INFO_SHA1 and KEYID_PUBKEY_SHA1 using
CRED_PART_RSA_PUB_ASN1_DER.

This makes the pkcs1 plugin unnecessary for charon-tkm, so it is dropped from its plugin list.

src/charon-tkm/Makefile.am
src/charon-tkm/src/charon-tkm.c
src/charon-tkm/src/tkm/tkm_encoder.c [new file with mode: 0644]
src/charon-tkm/src/tkm/tkm_encoder.h [new file with mode: 0644]
src/charon-tkm/src/tkm/tkm_public_key.c

index 515a405..457e5e4 100644 (file)
@@ -25,7 +25,6 @@ BUILD_OPTS = \
 PLUGINS = \
        kernel-netlink \
        pem \
-       pkcs1 \
        socket-default \
        openssl \
        stroke
index 92217b8..988541e 100644 (file)
@@ -41,6 +41,7 @@
 #include "tkm_kernel_ipsec.h"
 #include "tkm_public_key.h"
 #include "tkm_cred.h"
+#include "tkm_encoder.h"
 
 /**
  * TKM bus listener for IKE authorize events.
@@ -345,6 +346,9 @@ int main(int argc, char *argv[])
        creds = tkm_cred_create();
        lib->credmgr->add_set(lib->credmgr, (credential_set_t*)creds);
 
+       /* register TKM credential encoder */
+       lib->encoding->add_encoder(lib->encoding, tkm_encoder_encode);
+
        /* add handler for SEGV and ILL,
         * INT and TERM are handled by sigwait() in run() */
        action.sa_handler = segv_handler;
@@ -371,6 +375,7 @@ int main(int argc, char *argv[])
        charon->bus->remove_listener(charon->bus, &listener->listener);
        listener->destroy(listener);
        creds->destroy(creds);
+       lib->encoding->remove_encoder(lib->encoding, tkm_encoder_encode);
 
 deinit:
        libcharon_deinit();
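Review bot: The encoder is registered at L41 only after the TKM credential set has already been added to the credential manager at L38; if any fingerprint of a tkm_public_key_t is requested between those two lines, or earlier in main outside this hunk, it can no longer be produced, because the pkcs1 encoder that used to cover it is removed by this same commit. Moving `lib->encoding->add_encoder(lib->encoding, tkm_encoder_encode);` ahead of `creds = tkm_cred_create();` costs nothing and removes the ordering dependency. Any failure path between L41 and the teardown at L50 that jumps straight to `deinit` (L52) would also leave the encoder registered; that is harmless at process exit but asymmetric with the listener and credential cleanups next to it. The enclosing main() starts and ends outside the visible hunks.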
diff --git a/src/charon-tkm/src/tkm/tkm_encoder.c b/src/charon-tkm/src/tkm/tkm_encoder.c
new file mode 100644 (file)
index 0000000..d5367ea
--- /dev/null
@@ -0,0 +1,106 @@
+/*
+ * Copyright (C) 2013 Reto Buerki
+ * Copyright (C) 2013 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <utils/debug.h>
+#include <asn1/asn1.h>
+#include <asn1/oid.h>
+
+#include "tkm_encoder.h"
+
+/**
+ * Build the SHA1 hash of pubkey(info) ASN.1 data.
+ */
+static bool hash_pubkey(chunk_t pubkey, chunk_t *hash)
+{
+       hasher_t *hasher;
+
+       hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+       if (!hasher || !hasher->allocate_hash(hasher, pubkey, hash))
+       {
+               DBG1(DBG_LIB, "SHA1 hash algorithm not supported, "
+                        "fingerprinting failed");
+               DESTROY_IF(hasher);
+               chunk_free(&pubkey);
+               return FALSE;
+       }
+       hasher->destroy(hasher);
+       chunk_free(&pubkey);
+       return TRUE;
+}
+
+/**
+ * Encode the public key blob into subjectPublicKeyInfo.
+ */
+static bool build_pub_info(chunk_t *encoding, va_list args)
+{
+       chunk_t blob;
+
+       if (cred_encoding_args(args, CRED_PART_RSA_PUB_ASN1_DER, &blob,
+                                                  CRED_PART_END))
+       {
+               *encoding = asn1_wrap(ASN1_SEQUENCE, "mm",
+                                                         asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
+                                                         asn1_bitstring("c", blob));
+               return TRUE;
+       }
+       return FALSE;
+}
+
+/**
+ * Build the fingerprint of the subjectPublicKeyInfo object.
+ */
+static bool build_info_sha1(chunk_t *encoding, va_list args)
+{
+       chunk_t pubkey;
+
+       if (build_pub_info(&pubkey, args))
+       {
+               return hash_pubkey(pubkey, encoding);
+       }
+       return FALSE;
+}
+
+/**
+ * Build the fingerprint of the subjectPublicKey object.
+ */
+static bool build_sha1(chunk_t *encoding, va_list args)
+{
+       chunk_t blob;
+
+       if (cred_encoding_args(args, CRED_PART_RSA_PUB_ASN1_DER, &blob,
+                                                  CRED_PART_END))
+       {
+               return hash_pubkey(chunk_clone(blob), encoding);
+       }
+       return FALSE;
+}
+
+/**
+ * See header.
+ */
+bool tkm_encoder_encode(cred_encoding_type_t type, chunk_t *encoding,
+                                               va_list args)
+{
+       switch (type)
+       {
+               case KEYID_PUBKEY_INFO_SHA1:
+                       return build_info_sha1(encoding, args);
+               case KEYID_PUBKEY_SHA1:
+                       return build_sha1(encoding, args);
+               default:
+                       return FALSE;
+       }
+}
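Review bot: hash_pubkey takes ownership of `pubkey` and frees it on both the failure path (L94) and the success path (L98), but neither its comment nor its signature says so, and the two callers lean on that contract differently: build_info_sha1 hands over the freshly wrapped subjectPublicKeyInfo, while build_sha1 has to `chunk_clone(blob)` a borrowed argument purely so that there is something to free. Either state the contract above hash_pubkey — `Consumes pubkey: the chunk is freed whether or not hashing succeeds.` — or let hash_pubkey borrow its input, move the `chunk_free(&pubkey)` into build_info_sha1, and hash `blob` directly in build_sha1 without the extra allocation and copy. Separately, the DBG1 text at L91-92 claims "SHA1 hash algorithm not supported" even when create_hasher succeeded and allocate_hash itself failed; checking the two conditions separately, or wording the message as `SHA1 fingerprinting of public key failed`, keeps the log accurate.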
diff --git a/src/charon-tkm/src/tkm/tkm_encoder.h b/src/charon-tkm/src/tkm/tkm_encoder.h
new file mode 100644 (file)
index 0000000..e97e1e3
--- /dev/null
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) 2013 Reto Buerki
+ * Copyright (C) 2013 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef TKM_ENCODER_H_
+#define TKM_ENCODER_H_
+
+#include <credentials/cred_encoding.h>
+
+/**
+ * Encoding function for TKM key fingerprints.
+ */
+bool tkm_encoder_encode(cred_encoding_type_t type, chunk_t *encoding,
+                                               va_list args);
+
+#endif /** TKM_ENCODER_H_ */
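Review bot: The comment at L191-193 tells a caller nothing about what the encoder handles or requires; from tkm_encoder.c it serves only KEYID_PUBKEY_INFO_SHA1 and KEYID_PUBKEY_SHA1, needs a CRED_PART_RSA_PUB_ASN1_DER part in `args`, and returns FALSE for any other type or a missing part. Suggest documenting that in the project's Doxygen style: `@param type encoding type; only KEYID_PUBKEY_INFO_SHA1 and KEYID_PUBKEY_SHA1 are handled`, `@param encoding receives the allocated SHA1 fingerprint on success`, `@param args credential parts, must contain CRED_PART_RSA_PUB_ASN1_DER`, `@return TRUE if the fingerprint was produced, FALSE otherwise`. Who frees the returned chunk (the caller, or the encoding cache populated by get_fingerprint) is not visible on this page and deserves a sentence once confirmed.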
index d56f652..e3f64dd 100644 (file)
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2012 Reto Buerki
- * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Copyright (C) 2012-2013 Reto Buerki
+ * Copyright (C) 2012-2013 Adrian-Ken Rueegsegger
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -14,8 +14,6 @@
  * for more details.
  */
 
-#include <utils/debug.h>
-
 #include "tkm_public_key.h"
 
 typedef struct private_tkm_public_key_t private_tkm_public_key_t;
@@ -31,14 +29,9 @@ struct private_tkm_public_key_t {
        tkm_public_key_t public;
 
        /**
-        * Public modulus.
+        * ASN.1 blob of pubkey.
         */
-       chunk_t n;
-
-       /**
-        * Public exponent.
-        */
-       chunk_t e;
+       chunk_t asn_blob;
 
        /**
         * Reference count.
@@ -87,8 +80,7 @@ METHOD(public_key_t, get_fingerprint, bool,
                return TRUE;
        }
        return lib->encoding->encode(lib->encoding, type, this, fp,
-                                                                CRED_PART_RSA_MODULUS, this->n,
-                                                                CRED_PART_RSA_PUB_EXP, this->e,
+                                                                CRED_PART_RSA_PUB_ASN1_DER, this->asn_blob,
                                                                 CRED_PART_END);
 }
 
@@ -105,8 +97,7 @@ METHOD(public_key_t, destroy, void,
        if (ref_put(&this->ref))
        {
                lib->encoding->clear_cache(lib->encoding, this);
-               chunk_free(&this->n);
-               chunk_free(&this->e);
+               chunk_free(&this->asn_blob);
                free(this);
        }
 }
@@ -117,18 +108,14 @@ METHOD(public_key_t, destroy, void,
 tkm_public_key_t *tkm_public_key_load(key_type_t type, va_list args)
 {
        private_tkm_public_key_t *this;
-       chunk_t n, e;
+       chunk_t blob = chunk_empty;
 
-       n = e = chunk_empty;
        while (TRUE)
        {
                switch (va_arg(args, builder_part_t))
                {
-                       case BUILD_RSA_MODULUS:
-                               n = va_arg(args, chunk_t);
-                               continue;
-                       case BUILD_RSA_PUB_EXP:
-                               e = va_arg(args, chunk_t);
+                       case BUILD_BLOB_ASN1_DER:
+                               blob = va_arg(args, chunk_t);
                                continue;
                        case BUILD_END:
                                break;
@@ -138,7 +125,7 @@ tkm_public_key_t *tkm_public_key_load(key_type_t type, va_list args)
                break;
        }
 
-       if (!e.ptr || !n.ptr)
+       if (!blob.ptr)
        {
                return NULL;
        }
@@ -159,8 +146,7 @@ tkm_public_key_t *tkm_public_key_load(key_type_t type, va_list args)
                        },
                },
                .ref = 1,
-               .n = chunk_clone(n),
-               .e = chunk_clone(e),
+               .asn_blob = chunk_clone(blob),
        );
 
        return &this->public;
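Review bot: tkm_public_key_load now stores whatever chunk arrives as BUILD_BLOB_ASN1_DER (L271-272) after checking only that `blob.ptr` is non-NULL (L281); nothing verifies that the blob is a DER RSAPublicKey, and the fingerprint path at L237-241 wraps it under rsaEncryption regardless, so a malformed or non-RSA blob yields a plausible-looking but meaningless key id instead of a load failure. The old modulus/exponent form was at least shape-checked by the builder parts; whether `type` is compared against KEY_RSA happens outside the visible hunks. A cheap guard would be `if (!blob.ptr || !blob.len || blob.ptr[0] != ASN1_SEQUENCE) return NULL;` (needs `<asn1/asn1.h>`), and a full parse with the asn1 parser, as the pkcs1 plugin this commit replaces presumably does, would be the robust option. Note also that an empty chunk with a non-NULL pointer passes the check at L281 and is cloned at L291.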