openssl: Add support for Ed25519/Ed448
authorTobias Brunner <tobias@strongswan.org>
Thu, 15 Nov 2018 14:54:05 +0000 (15:54 +0100)
committerTobias Brunner <tobias@strongswan.org>
Fri, 30 Nov 2018 14:35:01 +0000 (15:35 +0100)
src/libstrongswan/plugins/openssl/Makefile.am
src/libstrongswan/plugins/openssl/openssl_ed_private_key.c [new file with mode: 0644]
src/libstrongswan/plugins/openssl/openssl_ed_private_key.h [new file with mode: 0644]
src/libstrongswan/plugins/openssl/openssl_ed_public_key.c [new file with mode: 0644]
src/libstrongswan/plugins/openssl/openssl_ed_public_key.h [new file with mode: 0644]
src/libstrongswan/plugins/openssl/openssl_plugin.c
src/libstrongswan/tests/suites/test_ed25519.c

index f2d06a5..d484092 100644 (file)
@@ -30,7 +30,9 @@ libstrongswan_openssl_la_SOURCES = \
        openssl_rng.c openssl_rng.h \
        openssl_hmac.c openssl_hmac.h \
        openssl_gcm.c openssl_gcm.h \
-       openssl_x_diffie_hellman.c openssl_x_diffie_hellman.h
+       openssl_x_diffie_hellman.c openssl_x_diffie_hellman.h \
+       openssl_ed_private_key.c openssl_ed_private_key.h \
+       openssl_ed_public_key.c openssl_ed_public_key.h
 
 libstrongswan_openssl_la_LDFLAGS = -module -avoid-version
 libstrongswan_openssl_la_LIBADD  = $(OPENSSL_LIB)
diff --git a/src/libstrongswan/plugins/openssl/openssl_ed_private_key.c b/src/libstrongswan/plugins/openssl/openssl_ed_private_key.c
new file mode 100644 (file)
index 0000000..b5bc9b8
--- /dev/null
@@ -0,0 +1,356 @@
+/*
+ * Copyright (C) 2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <openssl/evp.h>
+
+#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC)
+
+#include "openssl_ed_private_key.h"
+
+#include <utils/debug.h>
+
+typedef struct private_private_key_t private_private_key_t;
+
+/**
+ * Private data
+ */
+struct private_private_key_t {
+
+       /**
+        * Public interface
+        */
+       private_key_t public;
+
+       /**
+        * Key object
+        */
+       EVP_PKEY *key;
+
+       /**
+        * Key type
+        */
+       key_type_t type;
+
+       /**
+        * TRUE if the key is from an OpenSSL ENGINE and might not be readable
+        */
+       bool engine;
+
+       /**
+        * reference count
+        */
+       refcount_t ref;
+};
+
+/**
+ * We can't include asn1.h, declare function prototype directly
+ */
+int asn1_unwrap(chunk_t*, chunk_t*);
+
+/* from ed public key */
+int openssl_ed_key_type(key_type_t type);
+int openssl_ed_keysize(key_type_t type);
+bool openssl_ed_fingerprint(EVP_PKEY *key, cred_encoding_type_t type, chunk_t *fp);
+
+METHOD(private_key_t, sign, bool,
+       private_private_key_t *this, signature_scheme_t scheme,
+       void *params, chunk_t data, chunk_t *signature)
+{
+       EVP_MD_CTX *ctx;
+       bool success = FALSE;
+
+       if ((this->type == KEY_ED25519 && scheme != SIGN_ED25519) ||
+               (this->type == KEY_ED448 && scheme != SIGN_ED448))
+       {
+               DBG1(DBG_LIB, "signature scheme %N not supported by %N key",
+                        signature_scheme_names, scheme, key_type_names, this->type);
+               return FALSE;
+       }
+
+       ctx = EVP_MD_CTX_new();
+       if (!ctx ||
+               EVP_DigestSignInit(ctx, NULL, NULL, NULL, this->key) <= 0)
+       {
+               goto error;
+       }
+
+       if (EVP_DigestSign(ctx, NULL, &signature->len, data.ptr, data.len) <= 0)
+       {
+               goto error;
+       }
+
+       *signature = chunk_alloc(signature->len);
+
+       if (EVP_DigestSign(ctx, signature->ptr, &signature->len,
+                                          data.ptr, data.len) <= 0)
+       {
+               goto error;
+       }
+
+       success = TRUE;
+
+error:
+       EVP_MD_CTX_free(ctx);
+       return success;
+}
+
+METHOD(private_key_t, decrypt, bool,
+       private_private_key_t *this, encryption_scheme_t scheme,
+       chunk_t crypto, chunk_t *plain)
+{
+       DBG1(DBG_LIB, "EdDSA private key decryption not implemented");
+       return FALSE;
+}
+
+METHOD(private_key_t, get_keysize, int,
+       private_private_key_t *this)
+{
+       return openssl_ed_keysize(this->type);
+}
+
+METHOD(private_key_t, get_type, key_type_t,
+       private_private_key_t *this)
+{
+       return this->type;
+}
+
+METHOD(private_key_t, get_public_key, public_key_t*,
+       private_private_key_t *this)
+{
+       public_key_t *public;
+       chunk_t key;
+
+       if (!EVP_PKEY_get_raw_public_key(this->key, NULL, &key.len))
+       {
+               return FALSE;
+       }
+       key = chunk_alloca(key.len);
+       if (!EVP_PKEY_get_raw_public_key(this->key, key.ptr, &key.len))
+       {
+               return FALSE;
+       }
+       public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, this->type,
+                                                               BUILD_EDDSA_PUB, key, BUILD_END);
+       return public;
+}
+
+METHOD(private_key_t, get_fingerprint, bool,
+       private_private_key_t *this, cred_encoding_type_t type,
+       chunk_t *fingerprint)
+{
+       return openssl_ed_fingerprint(this->key, type, fingerprint);
+}
+
+METHOD(private_key_t, get_encoding, bool,
+       private_private_key_t *this, cred_encoding_type_t type, chunk_t *encoding)
+{
+       u_char *p;
+
+       if (this->engine)
+       {
+               return FALSE;
+       }
+
+       switch (type)
+       {
+               case PRIVKEY_ASN1_DER:
+               case PRIVKEY_PEM:
+               {
+                       bool success = TRUE;
+
+                       *encoding = chunk_alloc(i2d_PrivateKey(this->key, NULL));
+                       p = encoding->ptr;
+                       i2d_PrivateKey(this->key, &p);
+
+                       if (type == PRIVKEY_PEM)
+                       {
+                               chunk_t asn1_encoding = *encoding;
+
+                               success = lib->encoding->encode(lib->encoding, PRIVKEY_PEM,
+                                                               NULL, encoding, CRED_PART_EDDSA_PRIV_ASN1_DER,
+                                                               asn1_encoding, CRED_PART_END);
+                               chunk_clear(&asn1_encoding);
+                       }
+                       return success;
+               }
+               default:
+                       return FALSE;
+       }
+}
+
+METHOD(private_key_t, get_ref, private_key_t*,
+       private_private_key_t *this)
+{
+       ref_get(&this->ref);
+       return &this->public;
+}
+
+METHOD(private_key_t, destroy, void,
+       private_private_key_t *this)
+{
+       if (ref_put(&this->ref))
+       {
+               lib->encoding->clear_cache(lib->encoding, this->key);
+               EVP_PKEY_free(this->key);
+               free(this);
+       }
+}
+
+/**
+ * Internal generic constructor
+ */
+static private_private_key_t *create_internal(key_type_t type, EVP_PKEY *key)
+{
+       private_private_key_t *this;
+
+       INIT(this,
+               .public = {
+                       .get_type = _get_type,
+                       .sign = _sign,
+                       .decrypt = _decrypt,
+                       .get_keysize = _get_keysize,
+                       .get_public_key = _get_public_key,
+                       .equals = private_key_equals,
+                       .belongs_to = private_key_belongs_to,
+                       .get_fingerprint = _get_fingerprint,
+                       .has_fingerprint = private_key_has_fingerprint,
+                       .get_encoding = _get_encoding,
+                       .get_ref = _get_ref,
+                       .destroy = _destroy,
+               },
+               .type = type,
+               .key = key,
+               .ref = 1,
+       );
+
+       return this;
+}
+
+/*
+ * Described in header
+ */
+private_key_t *openssl_ed_private_key_create(EVP_PKEY *key, bool engine)
+{
+       private_private_key_t *this;
+       key_type_t type;
+
+       switch (EVP_PKEY_base_id(key))
+       {
+               case EVP_PKEY_X25519:
+                       type = KEY_ED25519;
+                       break;
+               case EVP_PKEY_X448:
+                       type = KEY_ED448;
+                       break;
+               default:
+                       EVP_PKEY_free(key);
+                       return NULL;
+       }
+
+       this = create_internal(type, key);
+       this->engine = engine;
+       return &this->public;
+}
+
+/*
+ * Described in header
+ */
+private_key_t *openssl_ed_private_key_gen(key_type_t type, va_list args)
+{
+       private_private_key_t *this;
+       EVP_PKEY_CTX *ctx;
+       EVP_PKEY *key = NULL;
+
+       while (TRUE)
+       {
+               switch (va_arg(args, builder_part_t))
+               {
+                       case BUILD_KEY_SIZE:
+                               /* just ignore the key size */
+                               va_arg(args, u_int);
+                               continue;
+                       case BUILD_END:
+                               break;
+                       default:
+                               return NULL;
+               }
+               break;
+       }
+
+       ctx = EVP_PKEY_CTX_new_id(openssl_ed_key_type(type), NULL);
+       if (!ctx ||
+               EVP_PKEY_keygen_init(ctx) <= 0 ||
+               EVP_PKEY_keygen(ctx, &key) <= 0)
+       {
+               DBG1(DBG_LIB, "generating %N key failed", key_type_names, type);
+               EVP_PKEY_CTX_free(ctx);
+               return NULL;
+       }
+       EVP_PKEY_CTX_free(ctx);
+
+       this = create_internal(type, key);
+       return &this->public;
+}
+
+/*
+ * Described in header
+ */
+private_key_t *openssl_ed_private_key_load(key_type_t type, va_list args)
+{
+       private_private_key_t *this;
+       chunk_t blob = chunk_empty, priv = chunk_empty;
+       EVP_PKEY *key = NULL;
+
+       while (TRUE)
+       {
+               switch (va_arg(args, builder_part_t))
+               {
+                       case BUILD_BLOB_ASN1_DER:
+                               blob = va_arg(args, chunk_t);
+                               continue;
+                       case BUILD_EDDSA_PRIV_ASN1_DER:
+                               priv = va_arg(args, chunk_t);
+                               continue;
+                       case BUILD_END:
+                               break;
+                       default:
+                               return NULL;
+               }
+               break;
+       }
+
+       if (priv.len)
+       {
+               /* unwrap octet string */
+               if (asn1_unwrap(&priv, &priv) == 0x04 && priv.len)
+               {
+                       key = EVP_PKEY_new_raw_private_key(openssl_ed_key_type(type), NULL,
+                                                                                          priv.ptr, priv.len);
+               }
+       }
+       else if (blob.len)
+       {
+               key = d2i_PrivateKey(openssl_ed_key_type(type), NULL,
+                                                        (const u_char**)&blob.ptr, blob.len);
+       }
+       if (!key)
+       {
+               return NULL;
+       }
+       this = create_internal(type, key);
+       return &this->public;
+}
+
+#endif /* OPENSSL_NO_ECDSA */
diff --git a/src/libstrongswan/plugins/openssl/openssl_ed_private_key.h b/src/libstrongswan/plugins/openssl/openssl_ed_private_key.h
new file mode 100644 (file)
index 0000000..ce90713
--- /dev/null
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup openssl_ed_private_key openssl_ed_private_key
+ * @{ @ingroup openssl_p
+ */
+
+#ifndef OPENSSL_ED_PRIVATE_KEY_H_
+#define OPENSSL_ED_PRIVATE_KEY_H_
+
+#include <openssl/evp.h>
+
+#include <credentials/builder.h>
+#include <credentials/keys/private_key.h>
+
+/**
+ * Generate an EdDSA private key using OpenSSL.
+ *
+ * @param type         type of the key, must be KEY_ED25519 or KEY_ED448
+ * @param args         builder_part_t argument list
+ * @return                     generated key, NULL on failure
+ */
+private_key_t *openssl_ed_private_key_gen(key_type_t type, va_list args);
+
+/**
+ * Load an EdDSA private key using OpenSSL.
+ *
+ * Accepts a BUILD_BLOB_ASN1_DER argument.
+ *
+ * @param type         type of the key, must be KEY_ED25519 or KEY_ED448
+ * @param args         builder_part_t argument list
+ * @return                     loaded key, NULL on failure
+ */
+private_key_t *openssl_ed_private_key_load(key_type_t type, va_list args);
+
+/**
+ * Wrap an EVP_PKEY object of type EVP_PKEY_ED25519/448
+ *
+ * @param key          EVP_PKEY object (adopted)
+ * @param engine       whether the key was loaded via an engine
+ * @return                     loaded key, NULL on failure
+ */
+private_key_t *openssl_ed_private_key_create(EVP_PKEY *key, bool engine);
+
+#endif /** OPENSSL_ED_PRIVATE_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_ed_public_key.c b/src/libstrongswan/plugins/openssl/openssl_ed_public_key.c
new file mode 100644 (file)
index 0000000..2daddc5
--- /dev/null
@@ -0,0 +1,304 @@
+/*
+ * Copyright (C) 2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <openssl/evp.h>
+
+#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC)
+
+#include <openssl/x509.h>
+
+#include "openssl_ed_public_key.h"
+
+#include <utils/debug.h>
+
+typedef struct private_public_key_t private_public_key_t;
+
+/**
+ * Private data
+ */
+struct private_public_key_t {
+
+       /**
+        * Public interface
+        */
+       public_key_t public;
+
+       /**
+        * Key object
+        */
+       EVP_PKEY *key;
+
+       /**
+        * Key type
+        */
+       key_type_t type;
+
+       /**
+        * Reference counter
+        */
+       refcount_t ref;
+};
+
+/**
+ * Map a key type to an EVP key type
+ */
+int openssl_ed_key_type(key_type_t type)
+{
+       switch (type)
+       {
+               case KEY_ED25519:
+                       return EVP_PKEY_ED25519;
+               case KEY_ED448:
+                       return EVP_PKEY_ED448;
+               default:
+                       return 0;
+       }
+}
+
+/**
+ * Map a key type to a key size
+ */
+int openssl_ed_keysize(key_type_t type)
+{
+       switch (type)
+       {
+               case KEY_ED25519:
+                       return 32 * 8;
+               case KEY_ED448:
+                       return 57 * 8;
+               default:
+                       return 0;
+       }
+}
+
+METHOD(public_key_t, get_type, key_type_t,
+       private_public_key_t *this)
+{
+       return this->type;
+}
+
+METHOD(public_key_t, verify, bool,
+       private_public_key_t *this, signature_scheme_t scheme,
+       void *params, chunk_t data, chunk_t signature)
+{
+       EVP_MD_CTX *ctx;
+
+       if ((this->type == KEY_ED25519 && scheme != SIGN_ED25519) ||
+               (this->type == KEY_ED448 && scheme != SIGN_ED448))
+       {
+               DBG1(DBG_LIB, "signature scheme %N not supported by %N key",
+                        signature_scheme_names, scheme, key_type_names, this->type);
+               return FALSE;
+       }
+
+       ctx = EVP_MD_CTX_new();
+       if (!ctx ||
+               EVP_DigestVerifyInit(ctx, NULL, NULL, NULL, this->key) <= 0 ||
+               EVP_DigestVerify(ctx, signature.ptr, signature.len,
+                                                data.ptr, data.len) <= 0)
+       {
+               EVP_MD_CTX_free(ctx);
+               return FALSE;
+       }
+       EVP_MD_CTX_free(ctx);
+       return TRUE;
+}
+
+METHOD(public_key_t, encrypt, bool,
+       private_public_key_t *this, encryption_scheme_t scheme,
+       chunk_t crypto, chunk_t *plain)
+{
+       DBG1(DBG_LIB, "encryption scheme %N not supported", encryption_scheme_names,
+                scheme);
+       return FALSE;
+}
+
+METHOD(public_key_t, get_keysize, int,
+       private_public_key_t *this)
+{
+       return openssl_ed_keysize(this->type);
+}
+
+/**
+ * Calculate fingerprint from an EdDSA key, also used in ed private key.
+ */
+bool openssl_ed_fingerprint(EVP_PKEY *key, cred_encoding_type_t type,
+                                                       chunk_t *fp)
+{
+       hasher_t *hasher;
+       chunk_t blob;
+       u_char *p;
+
+       if (lib->encoding->get_cache(lib->encoding, type, key, fp))
+       {
+               return TRUE;
+       }
+       switch (type)
+       {
+               case KEYID_PUBKEY_SHA1:
+                       if (!EVP_PKEY_get_raw_public_key(key, NULL, &blob.len))
+                       {
+                               return FALSE;
+                       }
+                       blob = chunk_alloca(blob.len);
+                       if (!EVP_PKEY_get_raw_public_key(key, blob.ptr, &blob.len))
+                       {
+                               return FALSE;
+                       }
+                       break;
+               case KEYID_PUBKEY_INFO_SHA1:
+                       blob = chunk_alloca(i2d_PUBKEY(key, NULL));
+                       p = blob.ptr;
+                       i2d_PUBKEY(key, &p);
+                       break;
+               default:
+                       return FALSE;
+       }
+       hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+       if (!hasher || !hasher->allocate_hash(hasher, blob, fp))
+       {
+               DBG1(DBG_LIB, "SHA1 not supported, fingerprinting failed");
+               DESTROY_IF(hasher);
+               return FALSE;
+       }
+       hasher->destroy(hasher);
+       lib->encoding->cache(lib->encoding, type, key, *fp);
+       return TRUE;
+}
+
+METHOD(public_key_t, get_fingerprint, bool,
+       private_public_key_t *this, cred_encoding_type_t type, chunk_t *fingerprint)
+{
+       return openssl_ed_fingerprint(this->key, type, fingerprint);
+}
+
+METHOD(public_key_t, get_encoding, bool,
+       private_public_key_t *this, cred_encoding_type_t type, chunk_t *encoding)
+{
+       bool success = TRUE;
+       u_char *p;
+
+       *encoding = chunk_alloc(i2d_PUBKEY(this->key, NULL));
+       p = encoding->ptr;
+       i2d_PUBKEY(this->key, &p);
+
+       if (type != PUBKEY_SPKI_ASN1_DER)
+       {
+               chunk_t asn1_encoding = *encoding;
+
+               success = lib->encoding->encode(lib->encoding, type,
+                                                               NULL, encoding, CRED_PART_EDDSA_PUB_ASN1_DER,
+                                                               asn1_encoding, CRED_PART_END);
+               chunk_clear(&asn1_encoding);
+       }
+       return success;
+}
+
+METHOD(public_key_t, get_ref, public_key_t*,
+       private_public_key_t *this)
+{
+       ref_get(&this->ref);
+       return &this->public;
+}
+
+METHOD(public_key_t, destroy, void,
+       private_public_key_t *this)
+{
+       if (ref_put(&this->ref))
+       {
+               lib->encoding->clear_cache(lib->encoding, this->key);
+               EVP_PKEY_free(this->key);
+               free(this);
+       }
+}
+
+/**
+ * Generic private constructor
+ */
+static private_public_key_t *create_empty(key_type_t type)
+{
+       private_public_key_t *this;
+
+       INIT(this,
+               .public = {
+                       .get_type = _get_type,
+                       .verify = _verify,
+                       .encrypt = _encrypt,
+                       .get_keysize = _get_keysize,
+                       .equals = public_key_equals,
+                       .get_fingerprint = _get_fingerprint,
+                       .has_fingerprint = public_key_has_fingerprint,
+                       .get_encoding = _get_encoding,
+                       .get_ref = _get_ref,
+                       .destroy = _destroy,
+               },
+               .type = type,
+               .ref = 1,
+       );
+
+       return this;
+}
+
+/*
+ * Described in header
+ */
+public_key_t *openssl_ed_public_key_load(key_type_t type, va_list args)
+{
+       private_public_key_t *this;
+       chunk_t blob = chunk_empty, pub = chunk_empty;
+       EVP_PKEY *key = NULL;
+
+       while (TRUE)
+       {
+               switch (va_arg(args, builder_part_t))
+               {
+                       case BUILD_BLOB_ASN1_DER:
+                               blob = va_arg(args, chunk_t);
+                               continue;
+                       case BUILD_EDDSA_PUB:
+                               pub = va_arg(args, chunk_t);
+                               continue;
+                       case BUILD_END:
+                               break;
+                       default:
+                               return NULL;
+               }
+               break;
+       }
+
+       if (pub.len)
+       {
+               key = EVP_PKEY_new_raw_public_key(openssl_ed_key_type(type), NULL,
+                                                                                 pub.ptr, pub.len);
+       }
+       else if (blob.len)
+       {
+               key = d2i_PUBKEY(NULL, (const u_char**)&blob.ptr, blob.len);
+               if (key && EVP_PKEY_base_id(key) != openssl_ed_key_type(type))
+               {
+                       EVP_PKEY_free(key);
+                       return NULL;
+               }
+       }
+       if (!key)
+       {
+               return NULL;
+       }
+       this = create_empty(type);
+       this->key = key;
+       return &this->public;
+}
+
+#endif /* OPENSSL_VERSION_NUMBER */
diff --git a/src/libstrongswan/plugins/openssl/openssl_ed_public_key.h b/src/libstrongswan/plugins/openssl/openssl_ed_public_key.h
new file mode 100644 (file)
index 0000000..c4e1ba3
--- /dev/null
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup openssl_ed_public_key openssl_ed_public_key
+ * @{ @ingroup openssl_p
+ */
+
+#ifndef OPENSSL_ED_PUBLIC_KEY_H_
+#define OPENSSL_ED_PUBLIC_KEY_H_
+
+#include <credentials/builder.h>
+#include <credentials/keys/public_key.h>
+
+/**
+ * Load an EdDSA public key using OpenSSL.
+ *
+ * Accepts a BUILD_BLOB_ASN1_DER argument.
+ *
+ * @param type         type of the key, must be KEY_ED25519 or KEY_ED448
+ * @param args         builder_part_t argument list
+ * @return                     loaded key, NULL on failure
+ */
+public_key_t *openssl_ed_public_key_load(key_type_t type, va_list args);
+
+#endif /** OPENSSL_ED_PUBLIC_KEY_H_ @}*/
index ca1c9b3..c5f1c5b 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2016 Tobias Brunner
+ * Copyright (C) 2008-2018 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * HSR Hochschule fuer Technik Rapperswil
  *
@@ -48,6 +48,8 @@
 #include "openssl_hmac.h"
 #include "openssl_gcm.h"
 #include "openssl_x_diffie_hellman.h"
+#include "openssl_ed_public_key.h"
+#include "openssl_ed_private_key.h"
 
 #ifndef FIPS_MODE
 #define FIPS_MODE 0
@@ -308,6 +310,11 @@ static private_key_t *openssl_private_key_load(key_type_t type, va_list args)
                                case EVP_PKEY_EC:
                                        return openssl_ec_private_key_create(key, FALSE);
 #endif
+#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC)
+                               case EVP_PKEY_ED25519:
+                               case EVP_PKEY_ED448:
+                                       return openssl_ed_private_key_create(key, FALSE);
+#endif /* OPENSSL_VERSION_NUMBER */
                                default:
                                        EVP_PKEY_free(key);
                                        break;
@@ -455,6 +462,11 @@ static private_key_t *openssl_private_key_connect(key_type_t type,
                case EVP_PKEY_EC:
                        return openssl_ec_private_key_create(key, TRUE);
 #endif
+#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC)
+               case EVP_PKEY_ED25519:
+               case EVP_PKEY_ED448:
+                       return openssl_ed_private_key_create(key, TRUE);
+#endif /* OPENSSL_VERSION_NUMBER */
                default:
                        EVP_PKEY_free(key);
                        break;
@@ -595,13 +607,6 @@ METHOD(plugin_t, get_features, int,
                        PLUGIN_PROVIDE(DH, ECP_384_BP),
                        PLUGIN_PROVIDE(DH, ECP_512_BP),
                        PLUGIN_PROVIDE(DH, ECP_224_BP),
-#if OPENSSL_VERSION_NUMBER >= 0x1010100fL
-               PLUGIN_REGISTER(DH, openssl_x_diffie_hellman_create),
-                       /* available since 1.1.0a, but we require 1.1.1 features */
-                       PLUGIN_PROVIDE(DH, CURVE_25519),
-                       /* available since 1.1.1 */
-                       PLUGIN_PROVIDE(DH, CURVE_448),
-#endif /* OPENSSL_VERSION_NUMBER */
 #endif /* OPENSSL_NO_ECDH */
 #ifndef OPENSSL_NO_DH
                /* MODP DH groups */
@@ -707,6 +712,30 @@ METHOD(plugin_t, get_features, int,
                PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_521),
 #endif
 #endif /* OPENSSL_NO_ECDSA */
+#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC)
+               PLUGIN_REGISTER(DH, openssl_x_diffie_hellman_create),
+                       /* available since 1.1.0a, but we require 1.1.1 features */
+                       PLUGIN_PROVIDE(DH, CURVE_25519),
+                       /* available since 1.1.1 */
+                       PLUGIN_PROVIDE(DH, CURVE_448),
+               /* EdDSA private/public key loading */
+               PLUGIN_REGISTER(PUBKEY, openssl_ed_public_key_load, TRUE),
+                       PLUGIN_PROVIDE(PUBKEY, KEY_ED25519),
+                       PLUGIN_PROVIDE(PUBKEY, KEY_ED448),
+               PLUGIN_REGISTER(PRIVKEY, openssl_ed_private_key_load, TRUE),
+                       PLUGIN_PROVIDE(PRIVKEY, KEY_ED25519),
+                       PLUGIN_PROVIDE(PRIVKEY, KEY_ED448),
+               PLUGIN_REGISTER(PRIVKEY_GEN, openssl_ed_private_key_gen, FALSE),
+                       PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_ED25519),
+                       PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_ED448),
+               PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ED25519),
+               PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ED448),
+               PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ED25519),
+               PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ED448),
+               /* register a pro forma identity hasher, never instantiated */
+               PLUGIN_REGISTER(HASHER, return_null),
+                       PLUGIN_PROVIDE(HASHER, HASH_IDENTITY),
+#endif /* OPENSSL_VERSION_NUMBER && !OPENSSL_NO_EC */
                /* generic key loader */
                PLUGIN_REGISTER(PRIVKEY, openssl_private_key_load, TRUE),
                        PLUGIN_PROVIDE(PRIVKEY, KEY_ANY),
index 86cbb1b..35da95d 100644 (file)
@@ -280,7 +280,7 @@ START_TEST(test_ed25519_sign)
                                        BUILD_BLOB_ASN1_DER, sig_tests[_i].key, BUILD_END);
        ck_assert(key != NULL);
        ck_assert(key->get_encoding(key, PRIVKEY_ASN1_DER, &encoding));
-       ck_assert(chunk_equals(encoding, sig_tests[_i].key));
+       ck_assert_chunk_eq(encoding, sig_tests[_i].key);
        chunk_free(&encoding);
 
        /* load public key */
@@ -288,7 +288,7 @@ START_TEST(test_ed25519_sign)
                                        BUILD_BLOB_ASN1_DER, sig_tests[_i].pubkey, BUILD_END);
        ck_assert(pubkey != NULL);
        ck_assert(pubkey->get_encoding(pubkey, PUBKEY_SPKI_ASN1_DER, &encoding));
-       ck_assert(chunk_equals(encoding, sig_tests[_i].pubkey));
+       ck_assert_chunk_eq(encoding, sig_tests[_i].pubkey);
        chunk_free(&encoding);
 
        /* compare public keys */
@@ -299,7 +299,7 @@ START_TEST(test_ed25519_sign)
        /* sign */
        ck_assert(key->sign(key, SIGN_ED25519, NULL, sig_tests[_i].msg, &sig));
        ck_assert(sig.len == 64);
-       ck_assert(chunk_equals(sig, sig_tests[_i].sig));
+       ck_assert_chunk_eq(sig, sig_tests[_i].sig);
 
        /* verify */
        ck_assert(pubkey->verify(pubkey, SIGN_ED25519, NULL, sig_tests[_i].msg,
@@ -364,7 +364,7 @@ START_TEST(test_ed25519_gen)
        ck_assert(pubkey->get_fingerprint(pubkey, KEYID_PUBKEY_SHA1, &fp_pub));
        ck_assert(pubkey->get_fingerprint(pubkey, KEYID_PUBKEY_SHA1, &fp_pub));
        ck_assert(fp_pub.ptr != NULL);
-       ck_assert(chunk_equals(fp_pub, fp_priv));
+       ck_assert_chunk_eq(fp_pub, fp_priv);
 
        /* clone public key */
        pubkey2 = pubkey->get_ref(pubkey);