0x02 "BLISS-II" OID_BLISS_II
0x03 "BLISS-III" OID_BLISS_III
0x04 "BLISS-IV" OID_BLISS_IV
+ 0x03 "blissSigType"
+ 0x01 "BLISS-with-SHA512" OID_BLISS_WITH_SHA512
0x89 ""
0x31 ""
0x01 ""
"BLISS"
);
-ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_BLISS_IV_SHA384,
+ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_BLISS_WITH_SHA512,
"UNKNOWN",
"RSA_EMSA_PKCS1_NULL",
"RSA_EMSA_PKCS1_MD5",
"ECDSA-256",
"ECDSA-384",
"ECDSA-521",
- "BLISS-I_SHA256",
- "BLISS-IV_SHA384",
+ "BLISS_WITH_SHA512",
);
ENUM(encryption_scheme_names, ENCRYPT_UNKNOWN, ENCRYPT_RSA_OAEP_SHA512,
return SIGN_ECDSA_WITH_SHA384_DER;
case OID_ECDSA_WITH_SHA512:
return SIGN_ECDSA_WITH_SHA512_DER;
+ case OID_BLISS_PUBLICKEY:
+ case OID_BLISS_WITH_SHA512:
+ return SIGN_BLISS_WITH_SHA512;
default:
return SIGN_UNKNOWN;
}
SIGN_ECDSA_384,
/** ECDSA on the P-521 curve with SHA-512 as in RFC 4754 */
SIGN_ECDSA_521,
- /** BLISS-I with SHA-256 */
- SIGN_BLISS_I_SHA256,
- /** BLISS-IV with SHA-384 */
- SIGN_BLISS_IV_SHA384,
+ /** BLISS with SHA-512 */
+ SIGN_BLISS_WITH_SHA512,
};
/**
default:
return OID_UNKNOWN;
}
+ case KEY_BLISS:
+ switch (alg)
+ {
+ case HASH_SHA512:
+ return OID_BLISS_WITH_SHA512;
+ default:
+ return OID_UNKNOWN;
+ }
default:
return OID_UNKNOWN;
}
PLUGIN_REGISTER(PUBKEY, bliss_public_key_load, TRUE),
PLUGIN_PROVIDE(PUBKEY, KEY_BLISS),
/* signature schemes, private */
- PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_I_SHA256),
- PLUGIN_DEPENDS(HASHER, HASH_SHA256),
- PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_IV_SHA384),
- PLUGIN_DEPENDS(HASHER, HASH_SHA384),
+ PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA512),
+ PLUGIN_DEPENDS(HASHER, HASH_SHA512),
/* signature verification schemes */
- PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_I_SHA256),
- PLUGIN_DEPENDS(HASHER, HASH_SHA256),
- PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_IV_SHA384),
- PLUGIN_DEPENDS(HASHER, HASH_SHA384),
+ PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA512),
+ PLUGIN_DEPENDS(HASHER, HASH_SHA512),
};
*features = f;
{
switch (scheme)
{
- case SIGN_BLISS_I_SHA256:
- return FALSE;
- case SIGN_BLISS_IV_SHA384:
- return FALSE;
+ case SIGN_BLISS_WITH_SHA512:
+ DBG2(DBG_LIB, "empty signature");
+ *signature = chunk_empty;
+ return TRUE;
default:
DBG1(DBG_LIB, "signature scheme %N not supported with BLISS",
signature_scheme_names, scheme);
{
switch (scheme)
{
- case SIGN_BLISS_I_SHA256:
- return FALSE;
- case SIGN_BLISS_IV_SHA384:
+ case SIGN_BLISS_WITH_SHA512:
return FALSE;
default:
DBG1(DBG_LIB, "signature scheme %N not supported by BLISS",
identification_t *id = NULL;
linked_list_t *san, *ocsp, *permitted, *excluded, *policies, *mappings;
int pathlen = X509_NO_CONSTRAINT, inhibit_any = X509_NO_CONSTRAINT;
- int inhibit_mapping = X509_NO_CONSTRAINT, require_explicit = X509_NO_CONSTRAINT;
+ int inhibit_mapping = X509_NO_CONSTRAINT;
+ int require_explicit = X509_NO_CONSTRAINT;
chunk_t serial = chunk_empty;
chunk_t encoding = chunk_empty;
time_t not_before, not_after, lifetime = 1095 * 24 * 60 * 60;
{
type = KEY_ECDSA;
}
+ else if (streq(arg, "bliss"))
+ {
+ type = KEY_BLISS;
+ digest = HASH_SHA512;
+ }
else
{
error = "invalid input type";
command_register((command_t) {
self, 's', "self",
"create a self signed certificate",
- {" [--in file|--keyid hex] [--type rsa|ecdsa]",
+ {" [--in file|--keyid hex] [--type rsa|ecdsa|bliss]",
" --dn distinguished-name [--san subjectAltName]+",
"[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+",
"[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+",