replaced get_rsa_private_key() by rsa_signature() in order restrict the distribution...
authorAndreas Steffen <andreas.steffen@strongswan.org>
Tue, 11 Sep 2007 10:18:25 +0000 (10:18 -0000)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Tue, 11 Sep 2007 10:18:25 +0000 (10:18 -0000)
src/charon/config/credentials/local_credential_store.c
src/charon/sa/authenticators/rsa_authenticator.c
src/libstrongswan/credential_store.h

index fff4b17..48b1291 100644 (file)
@@ -350,31 +350,6 @@ static ca_info_t* get_issuer(private_local_credential_store_t *this, x509_t *cer
 }
 
 /**
- * Implementation of local_credential_store_t.get_rsa_private_key.
- */
-static rsa_private_key_t *get_rsa_private_key(private_local_credential_store_t *this,
-                                                                                         rsa_public_key_t *pubkey)
-{
-       rsa_private_key_t *found = NULL, *current;
-       iterator_t *iterator;
-
-       pthread_mutex_lock(&(this->keys_mutex));
-       iterator = this->private_keys->create_iterator(this->private_keys, TRUE);
-
-       while (iterator->iterate(iterator, (void**)&current))
-       {
-               if (current->belongs_to(current, pubkey))
-               {
-                       found = current->clone(current);
-                       break;
-               }
-       }
-       iterator->destroy(iterator);
-       pthread_mutex_unlock(&(this->keys_mutex));
-       return found;
-}
-
-/**
  * Implementation of local_credential_store_t.has_rsa_private_key.
  */
 static bool has_rsa_private_key(private_local_credential_store_t *this, rsa_public_key_t *pubkey)
@@ -756,10 +731,51 @@ static bool verify(private_local_credential_store_t *this, x509_t *cert, bool *f
 }
 
 /**
+ * Implementation of local_credential_store_t.rsa_signature.
+ */
+static status_t rsa_signature(private_local_credential_store_t *this,
+                                                         rsa_public_key_t *pubkey,
+                                                         hash_algorithm_t hash_algorithm,
+                                                         chunk_t data, chunk_t *signature)
+{
+       rsa_private_key_t *current, *key = NULL;
+       iterator_t *iterator;
+       status_t status;
+       chunk_t keyid = pubkey->get_keyid(pubkey);
+
+       DBG2(DBG_IKE, "looking for RSA private key with keyid %#B...", &keyid);
+       pthread_mutex_lock(&(this->keys_mutex));
+
+       iterator = this->private_keys->create_iterator(this->private_keys, TRUE);
+       while (iterator->iterate(iterator, (void**)&current))
+       {
+               if (current->belongs_to(current, pubkey))
+               {
+                       key = current->clone(current);
+                       break;
+               }
+       }
+       iterator->destroy(iterator);
+
+       if (key)
+       {
+               DBG2(DBG_IKE, "  matching RSA private key found");
+               status = key->build_emsa_pkcs1_signature(key, hash_algorithm, data, signature);
+       }
+       else
+       {
+               DBG1(DBG_IKE, "no RSA private key found with keyid %#B", &keyid);
+               status = NOT_FOUND;
+       }
+       pthread_mutex_unlock(&(this->keys_mutex));
+       return status;
+}
+
+/**
  * Implementation of local_credential_store_t.verify_signature.
  */
 static status_t verify_signature(private_local_credential_store_t *this,
-                                                                chunk_t hash, chunk_t sig,
+                                                                chunk_t hash, chunk_t signature,
                                                                 identification_t *id, ca_info_t **issuer_p)
 {
        iterator_t *iterator = this->certs->create_iterator(this->certs, TRUE);
@@ -816,7 +832,7 @@ static status_t verify_signature(private_local_credential_store_t *this,
                                }
                                *issuer_p = issuer;
                        }
-                       sig_status = public_key->verify_emsa_pkcs1_signature(public_key, hash, sig);
+                       sig_status = public_key->verify_emsa_pkcs1_signature(public_key, hash, signature);
                        if (sig_status == SUCCESS)
                        {
                                DBG2(DBG_CFG, "candidate peer certificate has a matching RSA public key");
@@ -1560,13 +1576,13 @@ local_credential_store_t * local_credential_store_create(void)
        this->public.credential_store.get_shared_key = (status_t (*) (credential_store_t*,identification_t*,identification_t*,chunk_t*))get_shared_key;
        this->public.credential_store.get_eap_key = (status_t (*) (credential_store_t*,identification_t*,identification_t*,chunk_t*))get_eap_key;
        this->public.credential_store.get_rsa_public_key = (rsa_public_key_t*(*)(credential_store_t*,identification_t*))get_rsa_public_key;
-       this->public.credential_store.get_rsa_private_key = (rsa_private_key_t* (*) (credential_store_t*,rsa_public_key_t*))get_rsa_private_key;
        this->public.credential_store.has_rsa_private_key = (bool (*) (credential_store_t*,rsa_public_key_t*))has_rsa_private_key;
        this->public.credential_store.get_certificate = (x509_t* (*) (credential_store_t*,identification_t*))get_certificate;
        this->public.credential_store.get_auth_certificate = (x509_t* (*) (credential_store_t*,u_int,identification_t*))get_auth_certificate;
        this->public.credential_store.get_ca_certificate_by_keyid = (x509_t* (*) (credential_store_t*,chunk_t))get_ca_certificate_by_keyid;
        this->public.credential_store.get_issuer = (ca_info_t* (*) (credential_store_t*,x509_t*))get_issuer;
        this->public.credential_store.is_trusted = (bool (*) (credential_store_t*,const char*,x509_t*))is_trusted;
+       this->public.credential_store.rsa_signature = (status_t (*) (credential_store_t*,rsa_public_key_t*,hash_algorithm_t,chunk_t,chunk_t*))rsa_signature;
        this->public.credential_store.verify_signature = (status_t (*) (credential_store_t*,chunk_t,chunk_t,identification_t*,ca_info_t**))verify_signature;
        this->public.credential_store.verify = (bool (*) (credential_store_t*,x509_t*,bool*))verify;
        this->public.credential_store.add_end_certificate = (x509_t* (*) (credential_store_t*,x509_t*))add_end_certificate;
index bb3d846..4f49650 100644 (file)
@@ -98,14 +98,13 @@ static status_t build(private_rsa_authenticator_t *this, chunk_t ike_sa_init,
        chunk_t auth_data;
        status_t status;
        rsa_public_key_t *my_pubkey;
-       rsa_private_key_t *my_key;
        identification_t *my_id;
        prf_t *prf;
 
        my_id = this->ike_sa->get_my_id(this->ike_sa);
        DBG1(DBG_IKE, "authentication of '%D' (myself) with %N",
                 my_id, auth_method_names, AUTH_RSA);
-       DBG2(DBG_IKE, "looking for RSA public key belonging to '%D'", my_id);
+       DBG2(DBG_IKE, "looking for RSA public key belonging to '%D'...", my_id);
 
        my_pubkey = charon->credentials->get_rsa_public_key(charon->credentials, my_id);
        if (my_pubkey == NULL)
@@ -113,28 +112,18 @@ static status_t build(private_rsa_authenticator_t *this, chunk_t ike_sa_init,
                DBG1(DBG_IKE, "no RSA public key found for '%D'", my_id);
                return NOT_FOUND;
        }
-       DBG2(DBG_IKE, "matching RSA public key found");
-       chunk = my_pubkey->get_keyid(my_pubkey);
-       DBG2(DBG_IKE, "looking for RSA private key with keyid %#B", &chunk);
-       my_key = charon->credentials->get_rsa_private_key(charon->credentials, my_pubkey);
-       if (my_key == NULL)
-       {
-               DBG1(DBG_IKE, "no RSA private key found for %D with keyid %#B",
-                        my_id, &chunk);
-               return NOT_FOUND;
-       }
-       DBG2(DBG_IKE, "matching RSA private key found");
+       DBG2(DBG_IKE, "  matching RSA public key found");
 
        prf = this->ike_sa->get_prf(this->ike_sa);
        prf->set_key(prf, this->ike_sa->get_skp_build(this->ike_sa));
        octets = build_tbs_octets(ike_sa_init, other_nonce, my_id, prf);
-       status = my_key->build_emsa_pkcs1_signature(my_key, HASH_SHA1, octets, &auth_data);
+       status = charon->credentials->rsa_signature(charon->credentials,
+                                                                               my_pubkey, HASH_SHA1, octets, &auth_data);
        chunk_free(&octets);
 
        if (status != SUCCESS)
        {
-               my_key->destroy(my_key);
-               DBG1(DBG_IKE, "build signature of SHA1 hash failed");
+               DBG1(DBG_IKE, "building RSA signature with SHA-1 hash failed");
                return status;
        }
        DBG2(DBG_IKE, "successfully signed with RSA private key");
@@ -142,8 +131,6 @@ static status_t build(private_rsa_authenticator_t *this, chunk_t ike_sa_init,
        *auth_payload = auth_payload_create();
        (*auth_payload)->set_auth_method(*auth_payload, AUTH_RSA);
        (*auth_payload)->set_data(*auth_payload, auth_data);
-       
-       my_key->destroy(my_key);
        chunk_free(&auth_data);
        return SUCCESS;
 }
index 43c0d2a..62b6ad2 100755 (executable)
@@ -88,17 +88,6 @@ struct credential_store_t {
        rsa_public_key_t* (*get_rsa_public_key) (credential_store_t *this, identification_t *id);
        
        /**
-        * @brief Returns the RSA private key belonging to an RSA public key
-        * 
-        * The returned rsa_private_key_t must be destroyed by the caller after usage.
-        * 
-        * @param this                                  calling object
-        * @param pubkey                                public key 
-        * @return                                              private key, or NULL if not found
-        */     
-       rsa_private_key_t* (*get_rsa_private_key) (credential_store_t *this, rsa_public_key_t *pubkey);
-
-       /**
         * @brief Is there a matching RSA private key belonging to an RSA public key?
         * 
         * @param this                                  calling object
@@ -145,6 +134,20 @@ struct credential_store_t {
        ca_info_t* (*get_issuer) (credential_store_t *this, x509_t* cert);
 
        /**
+        * @brief  RSA private key belonging to an RSA public key
+        * 
+        * 
+        * @param this                                  calling object
+        * @param pubkey                                public key used to find the matching private key
+        * @param hash_algorithm                hash algorithm to be used for signature
+        * @param data                                  data block to be signed
+        * @param signature                             signature to be returned
+        * @return                                              status of the signature process - SUCCESS if successful
+        */     
+       status_t (*rsa_signature) (credential_store_t *this, rsa_public_key_t *pubkey, hash_algorithm_t hash_algorithm,
+                                                          chunk_t data, chunk_t *signature);
+
+       /**
         * @brief Verify an RSA signature given the ID of the signer
         * 
         * @param this                                  calling object
@@ -154,7 +157,8 @@ struct credential_store_t {
         * @param issuer_p                              issuer of the signer's certificate (if not self-signed).
         * @return                                              status of the verification - SUCCESS if successful
         */
-       status_t (*verify_signature) (credential_store_t *this, chunk_t hash, chunk_t sig, identification_t *id, ca_info_t **issuer_p);
+       status_t (*verify_signature) (credential_store_t *this, chunk_t hash, chunk_t sig, identification_t *id,
+                                                                 ca_info_t **issuer_p);
        
        /**
         * @brief Verify an X.509 certificate up to trust anchor without any status checks