private-key: Add optional parameters argument to sign() method
authorTobias Brunner <tobias@strongswan.org>
Tue, 19 Sep 2017 15:26:58 +0000 (17:26 +0200)
committerTobias Brunner <tobias@strongswan.org>
Wed, 8 Nov 2017 15:48:10 +0000 (16:48 +0100)
29 files changed:
scripts/pubkey_speed.c
src/charon-tkm/src/tkm/tkm_private_key.c
src/conftest/hooks/pretend_auth.c
src/conftest/hooks/rebuild_auth.c
src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_private_key.c
src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c
src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
src/libstrongswan/credentials/keys/private_key.h
src/libstrongswan/plugins/agent/agent_private_key.c
src/libstrongswan/plugins/bliss/bliss_private_key.c
src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sign.c
src/libstrongswan/plugins/curve25519/curve25519_private_key.c
src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
src/libstrongswan/plugins/pgp/pgp_builder.c
src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
src/libstrongswan/plugins/pkcs7/pkcs7_signed_data.c
src/libstrongswan/plugins/x509/x509_ac.c
src/libstrongswan/plugins/x509/x509_cert.c
src/libstrongswan/plugins/x509/x509_crl.c
src/libstrongswan/plugins/x509/x509_ocsp_request.c
src/libstrongswan/plugins/x509/x509_pkcs10.c
src/libstrongswan/tests/suites/test_ecdsa.c
src/libstrongswan/tests/suites/test_ed25519.c
src/libstrongswan/tests/suites/test_rsa.c
src/libtls/tls_crypto.c
src/libtpmtss/plugins/tpm/tpm_private_key.c

index 8ccaa0b..2928772 100644 (file)
@@ -118,7 +118,7 @@ int main(int argc, char *argv[])
        start_timing(&timing);
        for (round = 0; round < rounds; round++)
        {
-               if (!private->sign(private, scheme, data, &sigs[round]))
+               if (!private->sign(private, scheme, NULL, data, &sigs[round]))
                {
                        printf("creating signature failed\n");
                        exit(1);
index db57ec1..02351b6 100644 (file)
@@ -58,7 +58,7 @@ METHOD(private_key_t, get_type, key_type_t,
 }
 
 METHOD(private_key_t, sign, bool,
-       private_tkm_private_key_t *this, signature_scheme_t scheme,
+       private_tkm_private_key_t *this, signature_scheme_t scheme, void *params,
        chunk_t data, chunk_t *signature)
 {
        signature_type sig;
index d80196e..4be6f45 100644 (file)
@@ -244,7 +244,7 @@ static bool build_auth(private_pretend_auth_t *this,
                private->destroy(private);
                return FALSE;
        }
-       if (!private->sign(private, scheme, octets, &auth_data))
+       if (!private->sign(private, scheme, NULL, octets, &auth_data))
        {
                chunk_free(&octets);
                private->destroy(private);
index b2df278..bc20292 100644 (file)
@@ -143,7 +143,7 @@ static bool rebuild_auth(private_rebuild_auth_t *this, ike_sa_t *ike_sa,
                id->destroy(id);
                return FALSE;
        }
-       if (!private->sign(private, scheme, octets, &auth_data))
+       if (!private->sign(private, scheme, NULL, octets, &auth_data))
        {
                chunk_free(&octets);
                private->destroy(private);
index d1f1bcb..4e49c2e 100644 (file)
@@ -53,7 +53,7 @@ struct private_private_key_t {
 };
 
 METHOD(private_key_t, sign, bool,
-       private_private_key_t *this, signature_scheme_t scheme,
+       private_private_key_t *this, signature_scheme_t scheme, void *params,
        chunk_t data, chunk_t *signature)
 {
        JNIEnv *env;
index 8e048c8..41be15a 100644 (file)
@@ -110,7 +110,7 @@ METHOD(authenticator_t, build, status_t,
        }
        free(dh.ptr);
 
-       if (private->sign(private, scheme, hash, &sig))
+       if (private->sign(private, scheme, NULL, hash, &sig))
        {
                sig_payload = hash_payload_create(PLV1_SIGNATURE);
                sig_payload->set_hash(sig_payload, sig);
index e47abc7..befdfe3 100644 (file)
@@ -222,7 +222,7 @@ static status_t sign_signature_auth(private_pubkey_authenticator_t *this,
                while (enumerator->enumerate(enumerator, &schemep))
                {
                        scheme = *schemep;
-                       if (private->sign(private, scheme, octets, auth_data) &&
+                       if (private->sign(private, scheme, NULL, octets, auth_data) &&
                                build_signature_auth_data(auth_data, scheme))
                        {
                                status = SUCCESS;
@@ -318,7 +318,7 @@ static status_t sign_classic(private_pubkey_authenticator_t *this,
        }
 
        if (get_auth_octets_scheme(this, FALSE, id, &octets, &scheme) &&
-               private->sign(private, scheme, octets, auth_data))
+               private->sign(private, scheme, NULL, octets, auth_data))
        {
                status = SUCCESS;
        }
index b9f7dad..d7cfdd7 100644 (file)
@@ -1,6 +1,7 @@
 /*
+ * Copyright (C) 2017 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -42,11 +43,12 @@ struct private_key_t {
         * Create a signature over a chunk of data.
         *
         * @param scheme        signature scheme to use
+        * @param params        optional parameters required by the specified scheme
         * @param data          chunk of data to sign
         * @param signature     where to allocate created signature
         * @return                      TRUE if signature created
         */
-       bool (*sign)(private_key_t *this, signature_scheme_t scheme,
+       bool (*sign)(private_key_t *this, signature_scheme_t scheme, void *params,
                                 chunk_t data, chunk_t *signature);
        /**
         * Decrypt a chunk of data.
index bb55c45..cf2c5ea 100644 (file)
@@ -233,7 +233,7 @@ static bool scheme_supported(private_agent_private_key_t *this,
 }
 
 METHOD(private_key_t, sign, bool,
-       private_agent_private_key_t *this, signature_scheme_t scheme,
+       private_agent_private_key_t *this, signature_scheme_t scheme, void *params,
        chunk_t data, chunk_t *signature)
 {
        uint32_t len, flags;
index 25253ed..964edcd 100644 (file)
@@ -512,7 +512,7 @@ end:
 }
 
 METHOD(private_key_t, sign, bool,
-       private_bliss_private_key_t *this, signature_scheme_t scheme,
+       private_bliss_private_key_t *this, signature_scheme_t scheme, void *params,
        chunk_t data, chunk_t *signature)
 {
        switch (scheme)
index dc50115..908ea91 100644 (file)
@@ -118,7 +118,7 @@ START_TEST(test_bliss_sign_all)
                /* generate and verify 1000 BLISS signatures */
                while (verify_count--)
                {
-                       ck_assert(privkey->sign(privkey, signature_scheme, msg,
+                       ck_assert(privkey->sign(privkey, signature_scheme, NULL, msg,
                                                                        &signature));
                        ck_assert(pubkey->verify(pubkey, signature_scheme, NULL, msg,
                                                                         signature));
@@ -172,11 +172,11 @@ START_TEST(test_bliss_sign_fail)
        ck_assert(!privkey->decrypt(privkey, ENCRYPT_UNKNOWN, chunk_empty, NULL));
 
        /* sign with invalid signature scheme */
-       ck_assert(!privkey->sign(privkey, SIGN_UNKNOWN, msg, &signature));
+       ck_assert(!privkey->sign(privkey, SIGN_UNKNOWN, NULL, msg, &signature));
 
        /* generate valid signature */
        msg = chunk_from_str("Hello Dolly!");
-       ck_assert(privkey->sign(privkey, SIGN_BLISS_WITH_SHA2_512, msg, &signature));
+       ck_assert(privkey->sign(privkey, SIGN_BLISS_WITH_SHA2_512, NULL, msg, &signature));
 
        /* verify with invalid signature scheme */
        ck_assert(!pubkey->verify(pubkey, SIGN_UNKNOWN, NULL, msg, signature));
index 2a7303c..878be4c 100644 (file)
@@ -63,7 +63,7 @@ METHOD(private_key_t, get_type, key_type_t,
 
 METHOD(private_key_t, sign, bool,
        private_curve25519_private_key_t *this, signature_scheme_t scheme,
-       chunk_t data, chunk_t *signature)
+       void *params, chunk_t data, chunk_t *signature)
 {
        uint8_t r[HASH_SIZE_SHA512], k[HASH_SIZE_SHA512], sig[HASH_SIZE_SHA512];
        hasher_t *hasher;
index 15b876b..71bc4c9 100644 (file)
@@ -200,7 +200,7 @@ METHOD(private_key_t, get_type, key_type_t,
 
 METHOD(private_key_t, sign, bool,
        private_gcrypt_rsa_private_key_t *this, signature_scheme_t scheme,
-       chunk_t data, chunk_t *sig)
+       void *params, chunk_t data, chunk_t *sig)
 {
        switch (scheme)
        {
index 21b4208..ae376b9 100644 (file)
@@ -341,7 +341,7 @@ METHOD(private_key_t, get_type, key_type_t,
 
 METHOD(private_key_t, sign, bool,
        private_gmp_rsa_private_key_t *this, signature_scheme_t scheme,
-       chunk_t data, chunk_t *signature)
+       void *params, chunk_t data, chunk_t *signature)
 {
        switch (scheme)
        {
index d187c06..3641907 100644 (file)
@@ -151,7 +151,7 @@ static bool build_der_signature(private_openssl_ec_private_key_t *this,
 
 METHOD(private_key_t, sign, bool,
        private_openssl_ec_private_key_t *this, signature_scheme_t scheme,
-       chunk_t data, chunk_t *signature)
+       void *params, chunk_t data, chunk_t *signature)
 {
        switch (scheme)
        {
index fd624e6..f2c320f 100644 (file)
@@ -149,7 +149,7 @@ METHOD(private_key_t, get_type, key_type_t,
 
 METHOD(private_key_t, sign, bool,
        private_openssl_rsa_private_key_t *this, signature_scheme_t scheme,
-       chunk_t data, chunk_t *signature)
+       void *params, chunk_t data, chunk_t *signature)
 {
        switch (scheme)
        {
index fe0be45..e8f5c5d 100644 (file)
@@ -116,21 +116,17 @@ static private_key_t *parse_rsa_private_key(chunk_t blob)
                                                BUILD_END);
 }
 
-/**
- * Implementation of private_key_t.sign for encryption-only keys
- */
-static bool sign_not_allowed(private_key_t *this, signature_scheme_t scheme,
-                                                        chunk_t data, chunk_t *signature)
+METHOD(private_key_t, sign_not_allowed, bool,
+       private_key_t *this, signature_scheme_t scheme, void *params,
+       chunk_t data, chunk_t *signature)
 {
        DBG1(DBG_LIB, "signing failed - decryption only key");
        return FALSE;
 }
 
-/**
- * Implementation of private_key_t.decrypt for signature-only keys
- */
-static bool decrypt_not_allowed(private_key_t *this, encryption_scheme_t scheme,
-                                                               chunk_t crypto, chunk_t *plain)
+METHOD(private_key_t, decrypt_not_allowed, bool,
+       private_key_t *this, encryption_scheme_t scheme,
+       chunk_t crypto, chunk_t *plain)
 {
        DBG1(DBG_LIB, "decryption failed - signature only key");
        return FALSE;
@@ -186,7 +182,7 @@ static private_key_t *parse_private_key(chunk_t blob)
                                                                          BUILD_BLOB_PGP, packet, BUILD_END);
                        if (key)
                        {
-                               key->sign = sign_not_allowed;
+                               key->sign = _sign_not_allowed;
                        }
                        return key;
                case PGP_PUBKEY_ALG_RSA_SIGN_ONLY:
@@ -194,7 +190,7 @@ static private_key_t *parse_private_key(chunk_t blob)
                                                                          BUILD_BLOB_PGP, packet, BUILD_END);
                        if (key)
                        {
-                               key->decrypt = decrypt_not_allowed;
+                               key->decrypt = _decrypt_not_allowed;
                        }
                        return key;
                case PGP_PUBKEY_ALG_ECDSA:
index 1d10169..6158f6d 100644 (file)
@@ -243,7 +243,7 @@ static bool reauth(private_pkcs11_private_key_t *this,
 }
 
 METHOD(private_key_t, sign, bool,
-       private_pkcs11_private_key_t *this, signature_scheme_t scheme,
+       private_pkcs11_private_key_t *this, signature_scheme_t scheme, void *params,
        chunk_t data, chunk_t *signature)
 {
        CK_MECHANISM_PTR mechanism;
index 4d822a4..9b6d3a8 100644 (file)
@@ -564,7 +564,7 @@ static bool generate(private_pkcs7_signed_data_t *this, private_key_t *key,
 
        attributes = pkcs9->get_encoding(pkcs9);
 
-       if (!key->sign(key, scheme, attributes, &encryptedDigest))
+       if (!key->sign(key, scheme, NULL, attributes, &encryptedDigest))
        {
                free(data.ptr);
                return FALSE;
index a01b270..2a1ef63 100644 (file)
@@ -763,7 +763,7 @@ static bool build_ac(private_x509_ac_t *this)
        chunk_t signatureValue, attributeCertificateInfo;
 
        attributeCertificateInfo = build_attr_cert_info(this);
-       if (!this->signerKey->sign(this->signerKey, SIGN_RSA_EMSA_PKCS1_SHA1,
+       if (!this->signerKey->sign(this->signerKey, SIGN_RSA_EMSA_PKCS1_SHA1, NULL,
                                                           attributeCertificateInfo, &signatureValue))
        {
                free(attributeCertificateInfo.ptr);
index c626859..6d2fb9d 100644 (file)
@@ -2562,7 +2562,8 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
                subject->get_encoding(subject),
                key_info, extensions);
 
-       if (!sign_key->sign(sign_key, scheme, cert->tbsCertificate, &cert->signature))
+       if (!sign_key->sign(sign_key, scheme, NULL, cert->tbsCertificate,
+                                               &cert->signature))
        {
                return FALSE;
        }
index 5896aa2..8ea7025 100644 (file)
@@ -787,7 +787,7 @@ static bool generate(private_x509_crl_t *this, certificate_t *cert,
                                                        asn1_wrap(ASN1_SEQUENCE, "m", certList),
                                                        extensions);
 
-       if (!key->sign(key, signature_scheme_from_oid(this->algorithm),
+       if (!key->sign(key, signature_scheme_from_oid(this->algorithm), NULL,
                                   this->tbsCertList, &this->signature))
        {
                return FALSE;
index aef76af..de2ad98 100644 (file)
@@ -276,7 +276,7 @@ static chunk_t build_optionalSignature(private_x509_ocsp_request_t *this,
                        return chunk_empty;
        }
 
-       if (!this->key->sign(this->key, scheme, tbsRequest, &signature))
+       if (!this->key->sign(this->key, scheme, NULL, tbsRequest, &signature))
        {
                DBG1(DBG_LIB, "creating OCSP signature failed, skipped");
                return chunk_empty;
index 5455541..beeb436 100644 (file)
@@ -584,7 +584,7 @@ static bool generate(private_x509_pkcs10_t *cert, private_key_t *sign_key,
                                                        key_info,
                                                        attributes);
 
-       if (!sign_key->sign(sign_key, scheme, cert->certificationRequestInfo,
+       if (!sign_key->sign(sign_key, scheme, NULL, cert->certificationRequestInfo,
                                                &cert->signature))
        {
                return FALSE;
index d30d87e..6edae81 100644 (file)
@@ -57,7 +57,7 @@ static void test_good_sig(private_key_t *privkey, public_key_t *pubkey)
                {
                        continue;
                }
-               fail_unless(privkey->sign(privkey, schemes[i].scheme, data, &sig),
+               fail_unless(privkey->sign(privkey, schemes[i].scheme, NULL, data, &sig),
                                        "sign %N", signature_scheme_names, schemes[i].scheme);
                fail_unless(pubkey->verify(pubkey, schemes[i].scheme, NULL, data, sig),
                                        "verify %N", signature_scheme_names, schemes[i].scheme);
index 6fbec12..86cbb1b 100644 (file)
@@ -297,7 +297,7 @@ START_TEST(test_ed25519_sign)
        ck_assert(public->equals(public, pubkey));
 
        /* sign */
-       ck_assert(key->sign(key, SIGN_ED25519, sig_tests[_i].msg, &sig));
+       ck_assert(key->sign(key, SIGN_ED25519, NULL, sig_tests[_i].msg, &sig));
        ck_assert(sig.len == 64);
        ck_assert(chunk_equals(sig, sig_tests[_i].sig));
 
@@ -340,10 +340,10 @@ START_TEST(test_ed25519_gen)
        ck_assert(!key->decrypt(key, ENCRYPT_UNKNOWN, msg, NULL));
 
        /* wrong signature scheme */
-       ck_assert(!key->sign(key, SIGN_ED448, msg, &sig));
+       ck_assert(!key->sign(key, SIGN_ED448, NULL, msg, &sig));
 
        /* correct signature scheme*/
-       ck_assert(key->sign(key, SIGN_ED25519, msg, &sig));
+       ck_assert(key->sign(key, SIGN_ED25519, NULL, msg, &sig));
 
        /* export public key */
        pubkey = key->get_public_key(key);
@@ -404,7 +404,7 @@ START_TEST(test_ed25519_speed)
                key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ED25519,
                                                                 BUILD_KEY_SIZE, 256, BUILD_END);
                ck_assert(key != NULL);
-               ck_assert(key->sign(key, SIGN_ED25519, msg, &sig));
+               ck_assert(key->sign(key, SIGN_ED25519, NULL, msg, &sig));
                pubkey = key->get_public_key(key);
                ck_assert(pubkey != NULL);
                ck_assert(pubkey->verify(pubkey, SIGN_ED25519, NULL, msg, sig));
index a155980..07a7310 100644 (file)
@@ -47,7 +47,7 @@ static void test_good_sig(private_key_t *privkey, public_key_t *pubkey)
                {
                        continue;
                }
-               fail_unless(privkey->sign(privkey, schemes[i], data, &sig),
+               fail_unless(privkey->sign(privkey, schemes[i], NULL, data, &sig),
                                        "sign %N", signature_scheme_names, schemes[i]);
                fail_unless(pubkey->verify(pubkey, schemes[i], NULL, data, sig),
                                        "verify %N", signature_scheme_names, schemes[i]);
index 29af5d9..7f7742e 100644 (file)
@@ -1428,7 +1428,7 @@ METHOD(tls_crypto_t, sign, bool,
                        {
                                scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
                                if (scheme != SIGN_UNKNOWN &&
-                                       key->sign(key, scheme, data, &sig))
+                                       key->sign(key, scheme, NULL, data, &sig))
                                {
                                        done = TRUE;
                                        break;
@@ -1460,7 +1460,8 @@ METHOD(tls_crypto_t, sign, bool,
                                {
                                        return FALSE;
                                }
-                               done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, &sig);
+                               done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, NULL, hash,
+                                                                &sig);
                                free(hash.ptr);
                                if (!done)
                                {
@@ -1469,7 +1470,7 @@ METHOD(tls_crypto_t, sign, bool,
                                DBG2(DBG_TLS, "created signature with MD5+SHA1/RSA");
                                break;
                        case KEY_ECDSA:
-                               if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, data, &sig))
+                               if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, NULL, data, &sig))
                                {
                                        return FALSE;
                                }
index bd5a8ba..0df5ee9 100644 (file)
@@ -76,7 +76,7 @@ METHOD(private_key_t, get_keysize, int,
 }
 
 METHOD(private_key_t, sign, bool,
-       private_tpm_private_key_t *this, signature_scheme_t scheme,
+       private_tpm_private_key_t *this, signature_scheme_t scheme, void *params,
        chunk_t data, chunk_t *signature)
 {
        chunk_t pin = chunk_empty;
@@ -191,7 +191,7 @@ tpm_private_key_t *tpm_private_key_connect(key_type_t type, va_list args)
        if (!tpm)
        {
                DBG1(DBG_LIB, "no TPM 2.0 found");
-               return NULL;    
+               return NULL;
        }
 
        INIT(this,