* for more details.
*/
+#include <asn1/oid.h>
+
#include "public_key.h"
ENUM(key_type_names, KEY_RSA, KEY_DSA,
"DSA"
);
-ENUM(signature_scheme_names, SIGN_DEFAULT, SIGN_ECDSA_521,
+ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_ECDSA_521,
+ "UNKNOWN",
"DEFAULT",
"RSA_EMSA_PKCS1_NULL",
"RSA_EMSA_PKCS1_MD5",
"ECDSA-521",
);
+/*
+ * Defined in header.
+ */
+signature_scheme_t signature_scheme_from_oid(int oid)
+{
+ switch (oid)
+ {
+ case OID_MD5_WITH_RSA:
+ case OID_MD5:
+ return SIGN_RSA_EMSA_PKCS1_MD5;
+ case OID_SHA1_WITH_RSA:
+ case OID_SHA1:
+ return SIGN_RSA_EMSA_PKCS1_SHA1;
+ case OID_SHA256_WITH_RSA:
+ case OID_SHA256:
+ return SIGN_RSA_EMSA_PKCS1_SHA256;
+ case OID_SHA384_WITH_RSA:
+ case OID_SHA384:
+ return SIGN_RSA_EMSA_PKCS1_SHA384;
+ case OID_SHA512_WITH_RSA:
+ case OID_SHA512:
+ return SIGN_RSA_EMSA_PKCS1_SHA512;
+ case OID_ECDSA_WITH_SHA1:
+ case OID_EC_PUBLICKEY:
+ return SIGN_ECDSA_WITH_SHA1;
+ default:
+ return SIGN_UNKNOWN;
+ }
+}
+
* variants is OCTET_STRING instead of the default BIT_STRING.
*/
enum signature_scheme_t {
+ /** Unknown signature scheme */
+ SIGN_UNKNOWN,
/** Default scheme of the underlying crypto system */
SIGN_DEFAULT,
/** EMSA-PKCS1_v1.5 signature over digest without digestInfo */
void (*destroy)(public_key_t *this);
};
+/**
+ * Conversion of ASN.1 signature or hash OID to signature scheme.
+ *
+ * @param oid ASN.1 OID
+ * @return signature_scheme, SIGN_UNKNOWN if OID is unsupported
+ */
+signature_scheme_t signature_scheme_from_oid(int oid);
+
#endif /** PUBLIC_KEY_H_ @}*/
return FALSE;
}
}
- /* TODO: generic OID to scheme mapper? */
- switch (this->algorithm)
- {
- case OID_MD5_WITH_RSA:
- scheme = SIGN_RSA_EMSA_PKCS1_MD5;
- break;
- case OID_SHA1_WITH_RSA:
- scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
- break;
- case OID_SHA256_WITH_RSA:
- scheme = SIGN_RSA_EMSA_PKCS1_SHA256;
- break;
- case OID_SHA384_WITH_RSA:
- scheme = SIGN_RSA_EMSA_PKCS1_SHA384;
- break;
- case OID_SHA512_WITH_RSA:
- scheme = SIGN_RSA_EMSA_PKCS1_SHA512;
- break;
- case OID_ECDSA_WITH_SHA1:
- scheme = SIGN_ECDSA_WITH_SHA1;
- break;
- default:
- return FALSE;
- }
- if (key == NULL)
+
+ /* determine signature scheme */
+ scheme = signature_scheme_from_oid(this->algorithm);
+
+ if (scheme == SIGN_UNKNOWN || key == NULL)
{
return FALSE;
}
{
return FALSE;
}
- /* TODO: generic OID to scheme mapper? */
- switch (this->algorithm)
- {
- case OID_MD5_WITH_RSA:
- scheme = SIGN_RSA_EMSA_PKCS1_MD5;
- break;
- case OID_SHA1_WITH_RSA:
- scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
- break;
- case OID_SHA256_WITH_RSA:
- scheme = SIGN_RSA_EMSA_PKCS1_SHA256;
- break;
- case OID_SHA384_WITH_RSA:
- scheme = SIGN_RSA_EMSA_PKCS1_SHA384;
- break;
- case OID_SHA512_WITH_RSA:
- scheme = SIGN_RSA_EMSA_PKCS1_SHA512;
- break;
- case OID_ECDSA_WITH_SHA1:
- scheme = SIGN_ECDSA_WITH_SHA1;
- break;
- default:
- return FALSE;
- }
+
+ /* get the public key of the issuer */
key = issuer->get_public_key(issuer);
- if (key == NULL)
+
+ /* determine signature scheme */
+ scheme = signature_scheme_from_oid(this->algorithm);
+
+ if (scheme == SIGN_UNKNOWN || key == NULL)
{
return FALSE;
}
return FALSE;
}
}
- /* TODO: generic OID to scheme mapper? */
- switch (this->algorithm)
- {
- case OID_MD5_WITH_RSA:
- scheme = SIGN_RSA_EMSA_PKCS1_MD5;
- break;
- case OID_SHA1_WITH_RSA:
- scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
- break;
- case OID_SHA256_WITH_RSA:
- scheme = SIGN_RSA_EMSA_PKCS1_SHA256;
- break;
- case OID_SHA384_WITH_RSA:
- scheme = SIGN_RSA_EMSA_PKCS1_SHA384;
- break;
- case OID_SHA512_WITH_RSA:
- scheme = SIGN_RSA_EMSA_PKCS1_SHA512;
- break;
- case OID_ECDSA_WITH_SHA1:
- scheme = SIGN_ECDSA_WITH_SHA1;
- break;
- default:
- return FALSE;
- }
- if (key == NULL)
+
+ /* determine signature scheme */
+ scheme = signature_scheme_from_oid(this->algorithm);
+
+ if (scheme == SIGN_UNKNOWN || key == NULL)
{
return FALSE;
}
{
return FALSE;
}
- /* TODO: generic OID to scheme mapper? */
- switch (this->signatureAlgorithm)
- {
- case OID_MD5_WITH_RSA:
- scheme = SIGN_RSA_EMSA_PKCS1_MD5;
- break;
- case OID_SHA1_WITH_RSA:
- scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
- break;
- case OID_SHA256_WITH_RSA:
- scheme = SIGN_RSA_EMSA_PKCS1_SHA256;
- break;
- case OID_SHA384_WITH_RSA:
- scheme = SIGN_RSA_EMSA_PKCS1_SHA384;
- break;
- case OID_SHA512_WITH_RSA:
- scheme = SIGN_RSA_EMSA_PKCS1_SHA512;
- break;
- case OID_ECDSA_WITH_SHA1:
- scheme = SIGN_ECDSA_WITH_SHA1;
- break;
- default:
- return FALSE;
- }
+
+ /* get the public key of the issuer */
key = issuer->get_public_key(issuer);
- if (key == NULL)
+
+ /* determine signature scheme */
+ scheme = signature_scheme_from_oid(this->signatureAlgorithm);
+
+ if (scheme == SIGN_UNKNOWN || key == NULL)
{
return FALSE;
}
const x509cert_t *issuer_cert)
{
public_key_t *key = issuer_cert->public_key;
- signature_scheme_t scheme = SIGN_DEFAULT;
+ signature_scheme_t scheme = signature_scheme_from_oid(algorithm);
- switch (algorithm)
+ if (scheme == SIGN_UNKNOWN)
{
- case OID_MD5_WITH_RSA:
- scheme = SIGN_RSA_EMSA_PKCS1_MD5;
- break;
- case OID_SHA1_WITH_RSA:
- scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
- break;
- case OID_SHA256_WITH_RSA:
- scheme = SIGN_RSA_EMSA_PKCS1_SHA256;
- break;
- case OID_SHA384_WITH_RSA:
- scheme = SIGN_RSA_EMSA_PKCS1_SHA384;
- break;
- case OID_SHA512_WITH_RSA:
- scheme = SIGN_RSA_EMSA_PKCS1_SHA512;
- break;
- case OID_ECDSA_WITH_SHA1:
- scheme = SIGN_ECDSA_WITH_SHA1;
- break;
- default:
- return FALSE;
+ return FALSE;
}
return key->verify(key, scheme, tbs, sig);
}
/**
* Build an ASN.1 encoded PKCS#1 signature over a binary blob
*/
-chunk_t x509_build_signature(chunk_t tbs, int hash_alg, private_key_t *key,
+chunk_t x509_build_signature(chunk_t tbs, int algorithm, private_key_t *key,
bool bit_string)
{
- signature_scheme_t scheme = SIGN_DEFAULT;
chunk_t signature;
+ signature_scheme_t scheme = signature_scheme_from_oid(algorithm);
- switch (hash_alg)
- {
- case OID_MD5:
- scheme = SIGN_RSA_EMSA_PKCS1_MD5;
- break;
- case OID_SHA1:
- scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
- break;
- case OID_SHA256:
- scheme = SIGN_RSA_EMSA_PKCS1_SHA256;
- break;
- case OID_SHA384:
- scheme = SIGN_RSA_EMSA_PKCS1_SHA384;
- break;
- case OID_SHA512:
- scheme = SIGN_RSA_EMSA_PKCS1_SHA512;
- break;
- default:
- return chunk_empty;
- }
- if (!key->sign(key, scheme, tbs, &signature))
+ if (scheme == SIGN_UNKNOWN || !key->sign(key, scheme, tbs, &signature))
{
return chunk_empty;
}
, chunk_t *authKeyID, chunk_t *authKeySerialNumber);
extern chunk_t get_directoryName(chunk_t blob, int level, bool implicit);
extern err_t check_validity(const x509cert_t *cert, time_t *until);
+
extern bool x509_check_signature(chunk_t tbs, chunk_t sig, int algorithm,
const x509cert_t *issuer_cert);
-extern chunk_t x509_build_signature(chunk_t tbs, int hash_alg, private_key_t *key,
- bool bit_string);
+extern chunk_t x509_build_signature(chunk_t tbs, int algorithm,
+ private_key_t *key, bool bit_string);
+
extern bool verify_x509cert(const x509cert_t *cert, bool strict, time_t *until);
extern x509cert_t* add_x509cert(x509cert_t *cert);
extern x509cert_t* get_x509cert(chunk_t issuer, chunk_t serial, chunk_t keyid,