while (fetchline(src, &line))
{
chunk_t ids, token;
+ key_type_t key_type;
shared_key_type_t type;
line_nr++;
DBG1(DBG_CFG, "line %d: missing token", line_nr);
break;
}
- if (match("RSA", &token) || match("ECDSA", &token))
+ if (match("RSA", &token) || match("ECDSA", &token) ||
+ match("BLISS", &token))
{
- if (!load_private(secrets, line, line_nr, prompt,
- match("RSA", &token) ? KEY_RSA : KEY_ECDSA))
+ if (match("RSA", &token))
+ {
+ key_type = KEY_RSA;
+ }
+ else if (match("ECDSA", &token))
+ {
+ key_type = KEY_ECDSA;
+ }
+ else
+ {
+ key_type = KEY_BLISS;
+ }
+ if (!load_private(secrets, line, line_nr, prompt, key_type))
{
break;
}
}
else
{
- DBG1(DBG_CFG, "line %d: token must be either "
- "RSA, ECDSA, P12, PIN, PSK, EAP, XAUTH or NTLM", line_nr);
+ DBG1(DBG_CFG, "line %d: token must be either RSA, ECDSA, BLISS, "
+ "P12, PIN, PSK, EAP, XAUTH or NTLM", line_nr);
break;
}
}
PLUGIN_SDEPEND(PRIVKEY, KEY_RSA),
PLUGIN_SDEPEND(PRIVKEY, KEY_ECDSA),
PLUGIN_SDEPEND(PRIVKEY, KEY_DSA),
+ PLUGIN_SDEPEND(PRIVKEY, KEY_BLISS),
PLUGIN_SDEPEND(CERT_DECODE, CERT_ANY),
PLUGIN_SDEPEND(CERT_DECODE, CERT_X509),
PLUGIN_SDEPEND(CERT_DECODE, CERT_X509_CRL),
"RSA signature",
"pre-shared key",
"DSS signature");
-ENUM_NEXT(auth_method_names, AUTH_ECDSA_256, AUTH_GSPM, AUTH_DSS,
+ENUM_NEXT(auth_method_names, AUTH_ECDSA_256, AUTH_NULL, AUTH_DSS,
"ECDSA-256 signature",
"ECDSA-384 signature",
"ECDSA-521 signature",
- "secure password method");
-ENUM_NEXT(auth_method_names, AUTH_XAUTH_INIT_PSK, AUTH_HYBRID_RESP_RSA, AUTH_GSPM,
+ "secure password method",
+ "NULL authentication");
+ENUM_NEXT(auth_method_names, AUTH_BLISS, AUTH_BLISS, AUTH_NULL,
+ "BLISS signature");
+ENUM_NEXT(auth_method_names, AUTH_XAUTH_INIT_PSK, AUTH_HYBRID_RESP_RSA, AUTH_BLISS,
"XAuthInitPSK",
"XAuthRespPSK",
"XAuthInitRSA",
case AUTH_ECDSA_256:
case AUTH_ECDSA_384:
case AUTH_ECDSA_521:
+ case AUTH_BLISS:
return (authenticator_t*)pubkey_authenticator_create_verifier(ike_sa,
sent_nonce, received_init, reserved);
case AUTH_PSK:
AUTH_GSPM = 12,
/**
+ * NULL Authentication Method as specified in draft-ietf-ipsecme-ikev2-null-auth
+ */
+ AUTH_NULL = 13,
+
+ /**
+ * BLISS Authentication Method
+ */
+ AUTH_BLISS = 220,
+
+ /**
* IKEv1 initiator XAUTH with PSK, outside of IANA range
*/
AUTH_XAUTH_INIT_PSK = 256,
return status;
}
break;
+ case KEY_BLISS:
+ /* we currently use SHA512 only */
+ scheme = SIGN_BLISS_WITH_SHA512;
+ auth_method = AUTH_BLISS;
+ break;
default:
DBG1(DBG_IKE, "private key of type %N not supported",
key_type_names, private->get_type(private));
case AUTH_ECDSA_521:
scheme = SIGN_ECDSA_521;
break;
+ case AUTH_BLISS:
+ key_type = KEY_BLISS;
+ scheme = SIGN_BLISS_WITH_SHA512;
+ break;
default:
return INVALID_ARG;
}
/* private/public keys */
PLUGIN_REGISTER(PRIVKEY, bliss_private_key_load, TRUE),
PLUGIN_PROVIDE(PRIVKEY, KEY_BLISS),
+ PLUGIN_REGISTER(PRIVKEY, bliss_private_key_load, TRUE),
+ PLUGIN_PROVIDE(PRIVKEY, KEY_ANY),
PLUGIN_REGISTER(PRIVKEY_GEN, bliss_private_key_gen, FALSE),
PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_BLISS),
PLUGIN_DEPENDS(RNG, RNG_TRUE),
PLUGIN_REGISTER(PUBKEY, bliss_public_key_load, TRUE),
PLUGIN_PROVIDE(PUBKEY, KEY_BLISS),
+ PLUGIN_REGISTER(PUBKEY, bliss_public_key_load, TRUE),
+ PLUGIN_PROVIDE(PUBKEY, KEY_ANY),
/* signature schemes, private */
PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA512),
PLUGIN_DEPENDS(HASHER, HASH_SHA512),
/*
* Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
* Copyright (C) 2003 Martin Berner, Lukas Suter
- * Copyright (C) 2002-2009 Andreas Steffen
+ * Copyright (C) 2002-2014 Andreas Steffen
* Copyright (C) 2009 Martin Willi
*
* HSR Hochschule fuer Technik Rapperswil
}
break;
case AC_OBJ_SIGNATURE:
- this->signature = object;
+ this->signature = chunk_skip(object, 1);
break;
default:
break;
break;
}
case CRL_OBJ_SIGNATURE:
- this->signature = object;
+ this->signature = chunk_skip(object, 1);
break;
default:
break;
/*
* Copyright (C) 2008-2009 Martin Willi
- * Copyright (C) 2007 Andreas Steffen
+ * Copyright (C) 2007-2014 Andreas Steffen
* Hochschule fuer Technik Rapperswil
* Copyright (C) 2003 Christoph Gysin, Simon Zwahlen
*
oid = OID_ECDSA_WITH_SHA1;
scheme = SIGN_ECDSA_WITH_SHA1_DER;
break;
+ case KEY_BLISS:
+ oid = OID_BLISS_WITH_SHA512;
+ scheme = SIGN_BLISS_WITH_SHA512;
+ break;
default:
DBG1(DBG_LIB, "unable to sign OCSP request, %N signature not "
"supported", key_type_names, this->key->get_type(this->key));
/**
* Copyright (C) 2008-2009 Martin Willi
- * Copyright (C) 2007 Andreas Steffen
+ * Copyright (C) 2007-2014 Andreas Steffen
* Hochschule fuer Technik Rapperswil
* Copyright (C) 2003 Christoph Gysin, Simon Zwahlen
*
parser->get_level(parser)+1, NULL);
break;
case BASIC_RESPONSE_SIGNATURE:
- this->signature = object;
+ this->signature = chunk_skip(object, 1);
break;
case BASIC_RESPONSE_CERTIFICATE:
{
this->algorithm = asn1_parse_algorithmIdentifier(object, level, NULL);
break;
case PKCS10_SIGNATURE:
- this->signature = object;
+ this->signature = chunk_skip(object, 1);
break;
default:
break;
error = "issuer private key does not match issuer certificate";
goto end;
}
+ if (private->get_type(private) == KEY_BLISS)
+ {
+ /* currently only SHA-512 is supported */
+ digest = HASH_SHA512;
+ }
if (hex)
{
}
break;
}
+
if (!cacert)
{
error = "--cacert is required";
}
public->destroy(public);
+ if (private->get_type(private) == KEY_BLISS)
+ {
+ /* currently only SHA-512 is supported */
+ digest = HASH_SHA512;
+ }
if (hex)
{
serial = chunk_from_hex(chunk_create(hex, strlen(hex)), NULL);
type = CRED_PRIVATE_KEY;
subtype = KEY_ECDSA;
}
+ else if (streq(arg, "bliss-priv"))
+ {
+ type = CRED_PRIVATE_KEY;
+ subtype = KEY_BLISS;
+ }
else if (streq(arg, "pub"))
{
type = CRED_PUBLIC_KEY;
command_register((command_t)
{ keyid, 'k', "keyid",
"calculate key identifiers of a key/certificate",
- {"[--in file] [--type rsa-priv|ecdsa-priv|pub|pkcs10|x509]"},
+ {"[--in file] [--type rsa-priv|ecdsa-priv|bliss-priv|pub|pkcs10|x509]"},
{
{"help", 'h', 0, "show usage information"},
{"in", 'i', 1, "input file, default: stdin"},
{
type = KEY_ECDSA;
}
+ else if (streq(arg, "bliss"))
+ {
+ type = KEY_BLISS;
+ }
else
{
error = "invalid input type";
break;
}
+ if (type == KEY_BLISS)
+ {
+ /* currently only SHA-512 is supported */
+ digest = HASH_SHA512;
+ }
if (!dn)
{
error = "--dn is required";
command_register((command_t) {
req, 'r', "req",
"create a PKCS#10 certificate request",
- {" [--in file] [--type rsa|ecdsa] --dn distinguished-name",
+ {" [--in file] [--type rsa|ecdsa|bliss] --dn distinguished-name",
"[--san subjectAltName]+ [--password challengePassword]",
"[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
{
else if (streq(arg, "bliss"))
{
type = KEY_BLISS;
- digest = HASH_SHA512;
}
else
{
break;
}
+ if (type == KEY_BLISS)
+ {
+ /* currently only SHA-512 is supported */
+ digest = HASH_SHA512;
+ }
if (!dn)
{
error = "--dn is required";
error = "CA private key does not match CA certificate";
goto error;
}
+ if (private->get_type(private) == KEY_BLISS)
+ {
+ /* currently only SHA-512 is supported */
+ digest = HASH_SHA512;
+ }
if (basecrl)
{