From: Andreas Steffen <andreas.steffen@strongswan.org>
Date: Sun, 9 Nov 2014 13:38:55 +0000 (+0100)
Subject: Started implementing BLISS signature generation
X-Git-Tag: 5.2.2dr1~15
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f673966b9fb1f2fe8b94b9377e7159f7dcc2f8c6;p=thirdparty%2Fstrongswan.git

Started implementing BLISS signature generation
---

diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
index e0e0e18c16..61c4968e36 100644
--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
@@ -218,6 +218,8 @@
                     0x02     "BLISS-II"					OID_BLISS_II
                     0x03     "BLISS-III"				OID_BLISS_III
                     0x04     "BLISS-IV"					OID_BLISS_IV
+                  0x03       "blissSigType"
+                    0x01     "BLISS-with-SHA512"		OID_BLISS_WITH_SHA512
           0x89               ""
             0x31             ""
               0x01           ""
diff --git a/src/libstrongswan/credentials/keys/public_key.c b/src/libstrongswan/credentials/keys/public_key.c
index 5ec6f562a4..40d96100e5 100644
--- a/src/libstrongswan/credentials/keys/public_key.c
+++ b/src/libstrongswan/credentials/keys/public_key.c
@@ -26,7 +26,7 @@ ENUM(key_type_names, KEY_ANY, KEY_BLISS,
 	"BLISS"
 );
 
-ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_BLISS_IV_SHA384,
+ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_BLISS_WITH_SHA512,
 	"UNKNOWN",
 	"RSA_EMSA_PKCS1_NULL",
 	"RSA_EMSA_PKCS1_MD5",
@@ -43,8 +43,7 @@ ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_BLISS_IV_SHA384,
 	"ECDSA-256",
 	"ECDSA-384",
 	"ECDSA-521",
-	"BLISS-I_SHA256",
-	"BLISS-IV_SHA384",
+	"BLISS_WITH_SHA512",
 );
 
 ENUM(encryption_scheme_names, ENCRYPT_UNKNOWN, ENCRYPT_RSA_OAEP_SHA512,
@@ -134,6 +133,9 @@ signature_scheme_t signature_scheme_from_oid(int oid)
 			return SIGN_ECDSA_WITH_SHA384_DER;
 		case OID_ECDSA_WITH_SHA512:
 			return SIGN_ECDSA_WITH_SHA512_DER;
+		case OID_BLISS_PUBLICKEY:
+		case OID_BLISS_WITH_SHA512:
+			return SIGN_BLISS_WITH_SHA512;
 		default:
 			return SIGN_UNKNOWN;
 	}
diff --git a/src/libstrongswan/credentials/keys/public_key.h b/src/libstrongswan/credentials/keys/public_key.h
index 728c08e256..ef681c9708 100644
--- a/src/libstrongswan/credentials/keys/public_key.h
+++ b/src/libstrongswan/credentials/keys/public_key.h
@@ -93,10 +93,8 @@ enum signature_scheme_t {
 	SIGN_ECDSA_384,
 	/** ECDSA on the P-521 curve with SHA-512 as in RFC 4754           */
 	SIGN_ECDSA_521,
-	/** BLISS-I with SHA-256                                           */
-	SIGN_BLISS_I_SHA256,
-	/** BLISS-IV with SHA-384                                          */
-	SIGN_BLISS_IV_SHA384,
+	/** BLISS with SHA-512                                             */
+	SIGN_BLISS_WITH_SHA512,
 };
 
 /**
diff --git a/src/libstrongswan/crypto/hashers/hasher.c b/src/libstrongswan/crypto/hashers/hasher.c
index 13cbb5a591..b5e1134ba2 100644
--- a/src/libstrongswan/crypto/hashers/hasher.c
+++ b/src/libstrongswan/crypto/hashers/hasher.c
@@ -323,6 +323,14 @@ int hasher_signature_algorithm_to_oid(hash_algorithm_t alg, key_type_t key)
 				default:
 					return OID_UNKNOWN;
 			}
+		case KEY_BLISS:
+			switch (alg)
+			{
+				case HASH_SHA512:
+					return OID_BLISS_WITH_SHA512;
+				default:
+					return OID_UNKNOWN;
+			}
 		default:
 			return OID_UNKNOWN;
 	}
diff --git a/src/libstrongswan/plugins/bliss/bliss_plugin.c b/src/libstrongswan/plugins/bliss/bliss_plugin.c
index 7958940851..c5920a15a9 100644
--- a/src/libstrongswan/plugins/bliss/bliss_plugin.c
+++ b/src/libstrongswan/plugins/bliss/bliss_plugin.c
@@ -51,15 +51,11 @@ METHOD(plugin_t, get_features, int,
 		PLUGIN_REGISTER(PUBKEY, bliss_public_key_load, TRUE),
 			PLUGIN_PROVIDE(PUBKEY, KEY_BLISS),
 		/* signature schemes, private */
-		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_I_SHA256),
-			PLUGIN_DEPENDS(HASHER, HASH_SHA256),
-		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_IV_SHA384),
-			PLUGIN_DEPENDS(HASHER, HASH_SHA384),
+		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA512),
+			PLUGIN_DEPENDS(HASHER, HASH_SHA512),
 		/* signature verification schemes */
-		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_I_SHA256),
-			PLUGIN_DEPENDS(HASHER, HASH_SHA256),
-		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_IV_SHA384),
-			PLUGIN_DEPENDS(HASHER, HASH_SHA384),
+		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA512),
+			PLUGIN_DEPENDS(HASHER, HASH_SHA512),
 	};
 	*features = f;
 
diff --git a/src/libstrongswan/plugins/bliss/bliss_private_key.c b/src/libstrongswan/plugins/bliss/bliss_private_key.c
index df7bbbf529..68fcb6d9f8 100644
--- a/src/libstrongswan/plugins/bliss/bliss_private_key.c
+++ b/src/libstrongswan/plugins/bliss/bliss_private_key.c
@@ -88,10 +88,10 @@ METHOD(private_key_t, sign, bool,
 {
 	switch (scheme)
 	{
-		case SIGN_BLISS_I_SHA256:
-			return FALSE;
-		case SIGN_BLISS_IV_SHA384:
-			return FALSE;
+		case SIGN_BLISS_WITH_SHA512:
+			DBG2(DBG_LIB, "empty signature");
+			*signature = chunk_empty;
+			return TRUE;
 		default:
 			DBG1(DBG_LIB, "signature scheme %N not supported with BLISS",
 				 signature_scheme_names, scheme);
diff --git a/src/libstrongswan/plugins/bliss/bliss_public_key.c b/src/libstrongswan/plugins/bliss/bliss_public_key.c
index 9d39ae64fa..fbfecfaa3d 100644
--- a/src/libstrongswan/plugins/bliss/bliss_public_key.c
+++ b/src/libstrongswan/plugins/bliss/bliss_public_key.c
@@ -59,9 +59,7 @@ METHOD(public_key_t, verify, bool,
 {
 	switch (scheme)
 	{
-		case SIGN_BLISS_I_SHA256:
-			return FALSE;
-		case SIGN_BLISS_IV_SHA384:
+		case SIGN_BLISS_WITH_SHA512:
 			return FALSE;
 		default:
 			DBG1(DBG_LIB, "signature scheme %N not supported by BLISS",
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index daefcdc100..813efb40f4 100644
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -57,7 +57,8 @@ static int self()
 	identification_t *id = NULL;
 	linked_list_t *san, *ocsp, *permitted, *excluded, *policies, *mappings;
 	int pathlen = X509_NO_CONSTRAINT, inhibit_any = X509_NO_CONSTRAINT;
-	int inhibit_mapping = X509_NO_CONSTRAINT, require_explicit = X509_NO_CONSTRAINT;
+	int inhibit_mapping = X509_NO_CONSTRAINT;
+	int require_explicit = X509_NO_CONSTRAINT;
 	chunk_t serial = chunk_empty;
 	chunk_t encoding = chunk_empty;
 	time_t not_before, not_after, lifetime = 1095 * 24 * 60 * 60;
@@ -88,6 +89,11 @@ static int self()
 				{
 					type = KEY_ECDSA;
 				}
+				else if (streq(arg, "bliss"))
+				{
+					type = KEY_BLISS;
+					digest = HASH_SHA512;
+				}
 				else
 				{
 					error = "invalid input type";
@@ -407,7 +413,7 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t) {
 		self, 's', "self",
 		"create a self signed certificate",
-		{" [--in file|--keyid hex] [--type rsa|ecdsa]",
+		{" [--in file|--keyid hex] [--type rsa|ecdsa|bliss]",
 		 " --dn distinguished-name [--san subjectAltName]+",
 		 "[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+",
 		 "[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+",