Started implementing BLISS signature generation
authorAndreas Steffen <andreas.steffen@strongswan.org>
Sun, 9 Nov 2014 13:38:55 +0000 (14:38 +0100)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Sat, 29 Nov 2014 13:51:16 +0000 (14:51 +0100)
src/libstrongswan/asn1/oid.txt
src/libstrongswan/credentials/keys/public_key.c
src/libstrongswan/credentials/keys/public_key.h
src/libstrongswan/crypto/hashers/hasher.c
src/libstrongswan/plugins/bliss/bliss_plugin.c
src/libstrongswan/plugins/bliss/bliss_private_key.c
src/libstrongswan/plugins/bliss/bliss_public_key.c
src/pki/commands/self.c

index e0e0e18..61c4968 100644 (file)
                     0x02     "BLISS-II"                                        OID_BLISS_II
                     0x03     "BLISS-III"                               OID_BLISS_III
                     0x04     "BLISS-IV"                                        OID_BLISS_IV
+                  0x03       "blissSigType"
+                    0x01     "BLISS-with-SHA512"               OID_BLISS_WITH_SHA512
           0x89               ""
             0x31             ""
               0x01           ""
index 5ec6f56..40d9610 100644 (file)
@@ -26,7 +26,7 @@ ENUM(key_type_names, KEY_ANY, KEY_BLISS,
        "BLISS"
 );
 
-ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_BLISS_IV_SHA384,
+ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_BLISS_WITH_SHA512,
        "UNKNOWN",
        "RSA_EMSA_PKCS1_NULL",
        "RSA_EMSA_PKCS1_MD5",
@@ -43,8 +43,7 @@ ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_BLISS_IV_SHA384,
        "ECDSA-256",
        "ECDSA-384",
        "ECDSA-521",
-       "BLISS-I_SHA256",
-       "BLISS-IV_SHA384",
+       "BLISS_WITH_SHA512",
 );
 
 ENUM(encryption_scheme_names, ENCRYPT_UNKNOWN, ENCRYPT_RSA_OAEP_SHA512,
@@ -134,6 +133,9 @@ signature_scheme_t signature_scheme_from_oid(int oid)
                        return SIGN_ECDSA_WITH_SHA384_DER;
                case OID_ECDSA_WITH_SHA512:
                        return SIGN_ECDSA_WITH_SHA512_DER;
+               case OID_BLISS_PUBLICKEY:
+               case OID_BLISS_WITH_SHA512:
+                       return SIGN_BLISS_WITH_SHA512;
                default:
                        return SIGN_UNKNOWN;
        }
index 728c08e..ef681c9 100644 (file)
@@ -93,10 +93,8 @@ enum signature_scheme_t {
        SIGN_ECDSA_384,
        /** ECDSA on the P-521 curve with SHA-512 as in RFC 4754           */
        SIGN_ECDSA_521,
-       /** BLISS-I with SHA-256                                           */
-       SIGN_BLISS_I_SHA256,
-       /** BLISS-IV with SHA-384                                          */
-       SIGN_BLISS_IV_SHA384,
+       /** BLISS with SHA-512                                             */
+       SIGN_BLISS_WITH_SHA512,
 };
 
 /**
index 13cbb5a..b5e1134 100644 (file)
@@ -323,6 +323,14 @@ int hasher_signature_algorithm_to_oid(hash_algorithm_t alg, key_type_t key)
                                default:
                                        return OID_UNKNOWN;
                        }
+               case KEY_BLISS:
+                       switch (alg)
+                       {
+                               case HASH_SHA512:
+                                       return OID_BLISS_WITH_SHA512;
+                               default:
+                                       return OID_UNKNOWN;
+                       }
                default:
                        return OID_UNKNOWN;
        }
index 7958940..c5920a1 100644 (file)
@@ -51,15 +51,11 @@ METHOD(plugin_t, get_features, int,
                PLUGIN_REGISTER(PUBKEY, bliss_public_key_load, TRUE),
                        PLUGIN_PROVIDE(PUBKEY, KEY_BLISS),
                /* signature schemes, private */
-               PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_I_SHA256),
-                       PLUGIN_DEPENDS(HASHER, HASH_SHA256),
-               PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_IV_SHA384),
-                       PLUGIN_DEPENDS(HASHER, HASH_SHA384),
+               PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA512),
+                       PLUGIN_DEPENDS(HASHER, HASH_SHA512),
                /* signature verification schemes */
-               PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_I_SHA256),
-                       PLUGIN_DEPENDS(HASHER, HASH_SHA256),
-               PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_IV_SHA384),
-                       PLUGIN_DEPENDS(HASHER, HASH_SHA384),
+               PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA512),
+                       PLUGIN_DEPENDS(HASHER, HASH_SHA512),
        };
        *features = f;
 
index df7bbbf..68fcb6d 100644 (file)
@@ -88,10 +88,10 @@ METHOD(private_key_t, sign, bool,
 {
        switch (scheme)
        {
-               case SIGN_BLISS_I_SHA256:
-                       return FALSE;
-               case SIGN_BLISS_IV_SHA384:
-                       return FALSE;
+               case SIGN_BLISS_WITH_SHA512:
+                       DBG2(DBG_LIB, "empty signature");
+                       *signature = chunk_empty;
+                       return TRUE;
                default:
                        DBG1(DBG_LIB, "signature scheme %N not supported with BLISS",
                                 signature_scheme_names, scheme);
index 9d39ae6..fbfecfa 100644 (file)
@@ -59,9 +59,7 @@ METHOD(public_key_t, verify, bool,
 {
        switch (scheme)
        {
-               case SIGN_BLISS_I_SHA256:
-                       return FALSE;
-               case SIGN_BLISS_IV_SHA384:
+               case SIGN_BLISS_WITH_SHA512:
                        return FALSE;
                default:
                        DBG1(DBG_LIB, "signature scheme %N not supported by BLISS",
index daefcdc..813efb4 100644 (file)
@@ -57,7 +57,8 @@ static int self()
        identification_t *id = NULL;
        linked_list_t *san, *ocsp, *permitted, *excluded, *policies, *mappings;
        int pathlen = X509_NO_CONSTRAINT, inhibit_any = X509_NO_CONSTRAINT;
-       int inhibit_mapping = X509_NO_CONSTRAINT, require_explicit = X509_NO_CONSTRAINT;
+       int inhibit_mapping = X509_NO_CONSTRAINT;
+       int require_explicit = X509_NO_CONSTRAINT;
        chunk_t serial = chunk_empty;
        chunk_t encoding = chunk_empty;
        time_t not_before, not_after, lifetime = 1095 * 24 * 60 * 60;
@@ -88,6 +89,11 @@ static int self()
                                {
                                        type = KEY_ECDSA;
                                }
+                               else if (streq(arg, "bliss"))
+                               {
+                                       type = KEY_BLISS;
+                                       digest = HASH_SHA512;
+                               }
                                else
                                {
                                        error = "invalid input type";
@@ -407,7 +413,7 @@ static void __attribute__ ((constructor))reg()
        command_register((command_t) {
                self, 's', "self",
                "create a self signed certificate",
-               {" [--in file|--keyid hex] [--type rsa|ecdsa]",
+               {" [--in file|--keyid hex] [--type rsa|ecdsa|bliss]",
                 " --dn distinguished-name [--san subjectAltName]+",
                 "[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+",
                 "[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+",