sshkey: Add support for ECDSA keys
authorTobias Brunner <tobias@strongswan.org>
Mon, 1 Apr 2013 16:16:17 +0000 (18:16 +0200)
committerTobias Brunner <tobias@strongswan.org>
Tue, 7 May 2013 15:08:31 +0000 (17:08 +0200)
src/libstrongswan/plugins/sshkey/sshkey_builder.c

index 31c7b21..986e860 100644 (file)
 
 #include "sshkey_builder.h"
 
+#include <asn1/oid.h>
+#include <asn1/asn1.h>
 #include <bio/bio_reader.h>
 #include <utils/debug.h>
 
+#define ECDSA_PREFIX "ecdsa-sha2-"
+
+/**
+ * Parse an EC domain parameter identifier as defined in RFC 5656
+ */
+static chunk_t parse_ec_identifier(chunk_t identifier)
+{
+       chunk_t oid = chunk_empty;
+
+       if (chunk_equals(identifier, chunk_from_str("nistp256")))
+       {
+               oid = asn1_build_known_oid(OID_PRIME256V1);
+       }
+       else if (chunk_equals(identifier, chunk_from_str("nistp384")))
+       {
+               oid = asn1_build_known_oid(OID_SECT384R1);
+       }
+       else if (chunk_equals(identifier, chunk_from_str("nistp521")))
+       {
+               oid = asn1_build_known_oid(OID_SECT521R1);
+       }
+       else
+       {
+               char ascii[64];
+
+               if (snprintf(ascii, sizeof(ascii), "%.*s", (int)identifier.len,
+                                        identifier.ptr) < sizeof(ascii))
+               {
+                       oid = asn1_wrap(ASN1_OID, "m", asn1_oid_from_string(ascii));
+               }
+       }
+       return oid;
+}
+
 /**
  * Load a generic public key from an SSH key blob
  */
@@ -48,6 +84,40 @@ static sshkey_public_key_t *parse_public_key(chunk_t blob)
                return lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
                                                BUILD_RSA_MODULUS, n, BUILD_RSA_PUB_EXP, e, BUILD_END);
        }
+       else if (format.len > strlen(ECDSA_PREFIX) &&
+                        strneq(format.ptr, ECDSA_PREFIX, strlen(ECDSA_PREFIX)))
+       {
+               chunk_t ec_blob, identifier, q, oid, encoded;
+               sshkey_public_key_t *key;
+
+               ec_blob = reader->peek(reader);
+               reader->destroy(reader);
+               reader = bio_reader_create(ec_blob);
+               if (!reader->read_data32(reader, &identifier) ||
+                       !reader->read_data32(reader, &q))
+               {
+                       DBG1(DBG_LIB, "invalid ECDSA key in SSH key");
+                       reader->destroy(reader);
+                       return NULL;
+               }
+               oid = parse_ec_identifier(identifier);
+               if (!oid.ptr)
+               {
+                       DBG1(DBG_LIB, "invalid ECDSA key identifier in SSH key");
+                       reader->destroy(reader);
+                       return NULL;
+               }
+               reader->destroy(reader);
+               /* build key from subjectPublicKeyInfo */
+               encoded = asn1_wrap(ASN1_SEQUENCE, "mm",
+                                               asn1_wrap(ASN1_SEQUENCE, "mm",
+                                                       asn1_build_known_oid(OID_EC_PUBLICKEY), oid),
+                                               asn1_bitstring("c", q));
+               key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY,
+                                                       KEY_ECDSA, BUILD_BLOB_ASN1_DER, encoded, BUILD_END);
+               chunk_free(&encoded);
+               return key;
+       }
        DBG1(DBG_LIB, "unsupported SSH key format %.*s", (int)format.len,
                 format.ptr);
        reader->destroy(reader);