summaryrefslogtreecommitdiff
path: root/src/libstrongswan/plugins/pkcs8
diff options
context:
space:
mode:
authorYves-Alexis Perez <corsac@debian.org>2013-08-25 15:37:26 +0200
committerYves-Alexis Perez <corsac@debian.org>2013-08-25 15:37:26 +0200
commit6b99c8d9cff7b3e8ae8f3204b99e7ea40f791349 (patch)
tree009fc492961e13860d2a4bc2de8caf2bbe2975e7 /src/libstrongswan/plugins/pkcs8
parentc83921a2b566aa9d55d8ccc7258f04fca6292ee6 (diff)
downloadvyos-strongswan-6b99c8d9cff7b3e8ae8f3204b99e7ea40f791349.tar.gz
vyos-strongswan-6b99c8d9cff7b3e8ae8f3204b99e7ea40f791349.zip
Imported Upstream version 5.1.0
Diffstat (limited to 'src/libstrongswan/plugins/pkcs8')
-rw-r--r--src/libstrongswan/plugins/pkcs8/Makefile.am7
-rw-r--r--src/libstrongswan/plugins/pkcs8/Makefile.in78
-rw-r--r--src/libstrongswan/plugins/pkcs8/pkcs8_builder.c471
-rw-r--r--src/libstrongswan/plugins/pkcs8/pkcs8_plugin.c1
4 files changed, 74 insertions, 483 deletions
diff --git a/src/libstrongswan/plugins/pkcs8/Makefile.am b/src/libstrongswan/plugins/pkcs8/Makefile.am
index bcaf2c6a5..98e3263df 100644
--- a/src/libstrongswan/plugins/pkcs8/Makefile.am
+++ b/src/libstrongswan/plugins/pkcs8/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+ -I$(top_srcdir)/src/libstrongswan
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+ -rdynamic
if MONOLITHIC
noinst_LTLIBRARIES = libstrongswan-pkcs8.la
diff --git a/src/libstrongswan/plugins/pkcs8/Makefile.in b/src/libstrongswan/plugins/pkcs8/Makefile.in
index 879020383..9ed381e38 100644
--- a/src/libstrongswan/plugins/pkcs8/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs8/Makefile.in
@@ -62,7 +62,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
$(top_srcdir)/m4/macros/with.m4 \
$(top_srcdir)/m4/macros/enable-disable.m4 \
$(top_srcdir)/m4/macros/add-plugin.m4 \
- $(top_srcdir)/configure.in
+ $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
mkinstalldirs = $(install_sh) -d
@@ -101,9 +101,13 @@ LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_pkcs8_la_LIBADD =
am_libstrongswan_pkcs8_la_OBJECTS = pkcs8_plugin.lo pkcs8_builder.lo
libstrongswan_pkcs8_la_OBJECTS = $(am_libstrongswan_pkcs8_la_OBJECTS)
-libstrongswan_pkcs8_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
- $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
- $(libstrongswan_pkcs8_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_pkcs8_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+ $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_pkcs8_la_LDFLAGS) \
+ $(LDFLAGS) -o $@
@MONOLITHIC_FALSE@am_libstrongswan_pkcs8_la_rpath = -rpath \
@MONOLITHIC_FALSE@ $(plugindir)
@MONOLITHIC_TRUE@am_libstrongswan_pkcs8_la_rpath =
@@ -113,13 +117,26 @@ am__depfiles_maybe = depfiles
am__mv = mv -f
COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
- --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
- $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+ $(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo " CC " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
- --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
- $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo " CCLD " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo " GEN " $@;
SOURCES = $(libstrongswan_pkcs8_la_SOURCES)
DIST_SOURCES = $(libstrongswan_pkcs8_la_SOURCES)
am__can_run_installinfo = \
@@ -133,6 +150,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
@@ -145,6 +163,8 @@ CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
CHECK_CFLAGS = @CHECK_CFLAGS@
CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CYGPATH_W = @CYGPATH_W@
@@ -160,6 +180,7 @@ ECHO_T = @ECHO_T@
EGREP = @EGREP@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
+GENHTML = @GENHTML@
GPERF = @GPERF@
GPRBUILD = @GPRBUILD@
GREP = @GREP@
@@ -168,6 +189,7 @@ INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
LD = @LD@
LDFLAGS = @LDFLAGS@
LEX = @LEX@
@@ -214,6 +236,7 @@ SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
VERSION = @VERSION@
YACC = @YACC@
YFLAGS = @YFLAGS@
@@ -242,6 +265,7 @@ charon_natt_port = @charon_natt_port@
charon_plugins = @charon_plugins@
charon_udp_port = @charon_udp_port@
clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
datadir = @datadir@
datarootdir = @datarootdir@
dbusservicedir = @dbusservicedir@
@@ -319,8 +343,12 @@ top_srcdir = @top_srcdir@
urandom_device = @urandom_device@
xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+ -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+ -rdynamic
+
@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-pkcs8.la
@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-pkcs8.la
libstrongswan_pkcs8_la_SOURCES = \
@@ -404,7 +432,7 @@ clean-pluginLTLIBRARIES:
rm -f "$${dir}/so_locations"; \
done
libstrongswan-pkcs8.la: $(libstrongswan_pkcs8_la_OBJECTS) $(libstrongswan_pkcs8_la_DEPENDENCIES) $(EXTRA_libstrongswan_pkcs8_la_DEPENDENCIES)
- $(libstrongswan_pkcs8_la_LINK) $(am_libstrongswan_pkcs8_la_rpath) $(libstrongswan_pkcs8_la_OBJECTS) $(libstrongswan_pkcs8_la_LIBADD) $(LIBS)
+ $(AM_V_CCLD)$(libstrongswan_pkcs8_la_LINK) $(am_libstrongswan_pkcs8_la_rpath) $(libstrongswan_pkcs8_la_OBJECTS) $(libstrongswan_pkcs8_la_LIBADD) $(LIBS)
mostlyclean-compile:
-rm -f *.$(OBJEXT)
@@ -416,25 +444,25 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs8_plugin.Plo@am__quote@
.c.o:
-@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(COMPILE) -c $<
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $<
.c.obj:
-@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
.c.lo:
-@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
mostlyclean-libtool:
-rm -f *.lo
diff --git a/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c b/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c
index 26a3620d7..e93a8361c 100644
--- a/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c
+++ b/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c
@@ -19,6 +19,7 @@
#include <asn1/oid.h>
#include <asn1/asn1.h>
#include <asn1/asn1_parser.h>
+#include <crypto/pkcs5.h>
#include <credentials/keys/private_key.h>
/**
@@ -101,450 +102,39 @@ end:
}
/**
- * Verify padding of decrypted blob.
- * Length of blob is adjusted accordingly.
- */
-static bool verify_padding(chunk_t *blob)
-{
- u_int8_t padding, count;
-
- padding = count = blob->ptr[blob->len - 1];
- if (padding > 8)
- {
- return FALSE;
- }
- for (; blob->len && count; --blob->len, --count)
- {
- if (blob->ptr[blob->len - 1] != padding)
- {
- return FALSE;
- }
- }
- return TRUE;
-}
-
-/**
- * Prototype for key derivation functions.
- */
-typedef bool (*kdf_t)(void *generator, chunk_t password, chunk_t salt,
- u_int64_t iterations, chunk_t key);
-
-/**
* Try to decrypt the given blob with multiple passwords using the given
- * key derivation function. keymat is where the kdf function writes the key
- * to, key and iv point to the actual keys and initialization vectors resp.
+ * pkcs5 object.
*/
-static private_key_t *decrypt_private_key(chunk_t blob,
- encryption_algorithm_t encr, size_t key_len, kdf_t kdf,
- void *generator, chunk_t salt, u_int64_t iterations,
- chunk_t keymat, chunk_t key, chunk_t iv)
+static private_key_t *decrypt_private_key(pkcs5_t *pkcs5, chunk_t blob)
{
enumerator_t *enumerator;
shared_key_t *shared;
- crypter_t *crypter;
private_key_t *private_key = NULL;
- crypter = lib->crypto->create_crypter(lib->crypto, encr, key_len);
- if (!crypter)
- {
- DBG1(DBG_ASN, " %N encryption algorithm not available",
- encryption_algorithm_names, encr);
- return NULL;
- }
- if (blob.len % crypter->get_block_size(crypter))
- {
- DBG1(DBG_ASN, " data size is not a multiple of block size");
- crypter->destroy(crypter);
- return NULL;
- }
-
enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
SHARED_PRIVATE_KEY_PASS, NULL, NULL);
while (enumerator->enumerate(enumerator, &shared, NULL, NULL))
{
chunk_t decrypted;
- if (!kdf(generator, shared->get_key(shared), salt, iterations, keymat))
- {
- continue;
- }
- if (!crypter->set_key(crypter, key) ||
- !crypter->decrypt(crypter, blob, iv, &decrypted))
+ if (!pkcs5->decrypt(pkcs5, shared->get_key(shared), blob, &decrypted))
{
continue;
}
- if (verify_padding(&decrypted))
+ private_key = parse_private_key(decrypted);
+ if (private_key)
{
- private_key = parse_private_key(decrypted);
- if (private_key)
- {
- chunk_clear(&decrypted);
- break;
- }
+ chunk_clear(&decrypted);
+ break;
}
chunk_free(&decrypted);
}
enumerator->destroy(enumerator);
- crypter->destroy(crypter);
-
- return private_key;
-}
-
-/**
- * Function F of PBKDF2
- */
-static bool pbkdf2_f(chunk_t block, prf_t *prf, chunk_t seed,
- u_int64_t iterations)
-{
- chunk_t u;
- u_int64_t i;
-
- u = chunk_alloca(prf->get_block_size(prf));
- if (!prf->get_bytes(prf, seed, u.ptr))
- {
- return FALSE;
- }
- memcpy(block.ptr, u.ptr, block.len);
-
- for (i = 1; i < iterations; i++)
- {
- if (!prf->get_bytes(prf, u, u.ptr))
- {
- return FALSE;
- }
- memxor(block.ptr, u.ptr, block.len);
- }
- return TRUE;
-}
-
-/**
- * PBKDF2 key derivation function
- */
-static bool pbkdf2(prf_t *prf, chunk_t password, chunk_t salt,
- u_int64_t iterations, chunk_t key)
-{
- chunk_t keymat, block, seed;
- size_t blocks;
- u_int32_t i = 0, *ni;
-
- if (!prf->set_key(prf, password))
- {
- return FALSE;
- }
-
- block.len = prf->get_block_size(prf);
- blocks = (key.len - 1) / block.len + 1;
- keymat = chunk_alloca(blocks * block.len);
-
- seed = chunk_cata("cc", salt, chunk_from_thing(i));
- ni = (u_int32_t*)(seed.ptr + salt.len);
-
- for (; i < blocks; i++)
- {
- *ni = htonl(i + 1);
- block.ptr = keymat.ptr + (i * block.len);
- if (!pbkdf2_f(block, prf, seed, iterations))
- {
- return FALSE;
- }
- }
- memcpy(key.ptr, keymat.ptr, key.len);
-
- return TRUE;
-}
-
-/**
- * Decrypt an encrypted PKCS#8 encoded private key according to PBES2
- */
-static private_key_t *decrypt_private_key_pbes2(chunk_t blob,
- encryption_algorithm_t encr, size_t key_len,
- chunk_t iv, pseudo_random_function_t prf_func,
- chunk_t salt, u_int64_t iterations)
-{
- private_key_t *private_key;
- prf_t *prf;
- chunk_t key;
-
- prf = lib->crypto->create_prf(lib->crypto, prf_func);
- if (!prf)
- {
- DBG1(DBG_ASN, " %N prf algorithm not available",
- pseudo_random_function_names, prf_func);
- return NULL;
- }
-
- key = chunk_alloca(key_len);
-
- private_key = decrypt_private_key(blob, encr, key_len, (kdf_t)pbkdf2, prf,
- salt, iterations, key, key, iv);
-
- prf->destroy(prf);
- return private_key;
-}
-
-/**
- * PBKDF1 key derivation function
- */
-static bool pbkdf1(hasher_t *hasher, chunk_t password, chunk_t salt,
- u_int64_t iterations, chunk_t key)
-{
- chunk_t hash;
- u_int64_t i;
-
- hash = chunk_alloca(hasher->get_hash_size(hasher));
- if (!hasher->get_hash(hasher, password, NULL) ||
- !hasher->get_hash(hasher, salt, hash.ptr))
- {
- return FALSE;
- }
-
- for (i = 1; i < iterations; i++)
- {
- if (!hasher->get_hash(hasher, hash, hash.ptr))
- {
- return FALSE;
- }
- }
-
- memcpy(key.ptr, hash.ptr, key.len);
-
- return TRUE;
-}
-
-/**
- * Decrypt an encrypted PKCS#8 encoded private key according to PBES1
- */
-static private_key_t *decrypt_private_key_pbes1(chunk_t blob,
- encryption_algorithm_t encr, size_t key_len,
- hash_algorithm_t hash, chunk_t salt,
- u_int64_t iterations)
-{
- private_key_t *private_key = NULL;
- hasher_t *hasher = NULL;
- chunk_t keymat, key, iv;
-
- hasher = lib->crypto->create_hasher(lib->crypto, hash);
- if (!hasher)
- {
- DBG1(DBG_ASN, " %N hash algorithm not available",
- hash_algorithm_names, hash);
- goto end;
- }
- if (hasher->get_hash_size(hasher) < key_len)
- {
- goto end;
- }
-
- keymat = chunk_alloca(key_len * 2);
- key.len = key_len;
- key.ptr = keymat.ptr;
- iv.len = key_len;
- iv.ptr = keymat.ptr + key_len;
-
- private_key = decrypt_private_key(blob, encr, key_len, (kdf_t)pbkdf1,
- hasher, salt, iterations, keymat,
- key, iv);
-
-end:
- DESTROY_IF(hasher);
return private_key;
}
/**
- * Parse an ASN1_INTEGER to a u_int64_t.
- */
-static u_int64_t parse_asn1_integer_uint64(chunk_t blob)
-{
- u_int64_t val = 0;
- int i;
-
- for (i = 0; i < blob.len; i++)
- { /* if it is longer than 8 bytes, we just use the 8 LSBs */
- val <<= 8;
- val |= (u_int64_t)blob.ptr[i];
- }
- return val;
-}
-
-/**
- * ASN.1 definition of a PBKDF2-params structure
- * The salt is actually a CHOICE and could be an AlgorithmIdentifier from
- * PBKDF2-SaltSources (but as per RFC 2898 that's for future versions).
- */
-static const asn1Object_t pbkdf2ParamsObjects[] = {
- { 0, "PBKDF2-params", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
- { 1, "salt", ASN1_OCTET_STRING, ASN1_BODY }, /* 1 */
- { 1, "iterationCount",ASN1_INTEGER, ASN1_BODY }, /* 2 */
- { 1, "keyLength", ASN1_INTEGER, ASN1_OPT|ASN1_BODY }, /* 3 */
- { 1, "end opt", ASN1_EOC, ASN1_END }, /* 4 */
- { 1, "prf", ASN1_EOC, ASN1_DEF|ASN1_RAW }, /* 5 */
- { 0, "exit", ASN1_EOC, ASN1_EXIT }
-};
-#define PBKDF2_SALT 1
-#define PBKDF2_ITERATION_COUNT 2
-#define PBKDF2_KEY_LENGTH 3
-#define PBKDF2_PRF 5
-
-/**
- * Parse a PBKDF2-params structure
- */
-static void parse_pbkdf2_params(chunk_t blob, chunk_t *salt,
- u_int64_t *iterations, size_t *key_len,
- pseudo_random_function_t *prf)
-{
- asn1_parser_t *parser;
- chunk_t object;
- int objectID;
-
- parser = asn1_parser_create(pbkdf2ParamsObjects, blob);
-
- *key_len = 0; /* key_len is optional */
-
- while (parser->iterate(parser, &objectID, &object))
- {
- switch (objectID)
- {
- case PBKDF2_SALT:
- {
- *salt = object;
- break;
- }
- case PBKDF2_ITERATION_COUNT:
- {
- *iterations = parse_asn1_integer_uint64(object);
- break;
- }
- case PBKDF2_KEY_LENGTH:
- {
- *key_len = (size_t)parse_asn1_integer_uint64(object);
- break;
- }
- case PBKDF2_PRF:
- { /* defaults to id-hmacWithSHA1 */
- *prf = PRF_HMAC_SHA1;
- break;
- }
- }
- }
-
- parser->destroy(parser);
-}
-
-/**
- * ASN.1 definition of a PBES2-params structure
- */
-static const asn1Object_t pbes2ParamsObjects[] = {
- { 0, "PBES2-params", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
- { 1, "keyDerivationFunc", ASN1_EOC, ASN1_RAW }, /* 1 */
- { 1, "encryptionScheme", ASN1_EOC, ASN1_RAW }, /* 2 */
- { 0, "exit", ASN1_EOC, ASN1_EXIT }
-};
-#define PBES2PARAMS_KEY_DERIVATION_FUNC 1
-#define PBES2PARAMS_ENCRYPTION_SCHEME 2
-
-/**
- * Parse a PBES2-params structure
- */
-static void parse_pbes2_params(chunk_t blob, chunk_t *salt,
- u_int64_t *iterations, size_t *key_len,
- pseudo_random_function_t *prf,
- encryption_algorithm_t *encr, chunk_t *iv)
-{
- asn1_parser_t *parser;
- chunk_t object, params;
- int objectID;
-
- parser = asn1_parser_create(pbes2ParamsObjects, blob);
-
- while (parser->iterate(parser, &objectID, &object))
- {
- switch (objectID)
- {
- case PBES2PARAMS_KEY_DERIVATION_FUNC:
- {
- int oid = asn1_parse_algorithmIdentifier(object,
- parser->get_level(parser) + 1, &params);
- if (oid != OID_PBKDF2)
- { /* unsupported key derivation function */
- goto end;
- }
- parse_pbkdf2_params(params, salt, iterations, key_len, prf);
- break;
- }
- case PBES2PARAMS_ENCRYPTION_SCHEME:
- {
- int oid = asn1_parse_algorithmIdentifier(object,
- parser->get_level(parser) + 1, &params);
- if (oid != OID_3DES_EDE_CBC)
- { /* unsupported encryption scheme */
- goto end;
- }
- if (*key_len <= 0)
- { /* default key len for DES-EDE3-CBC-Pad */
- *key_len = 24;
- }
- if (!asn1_parse_simple_object(&params, ASN1_OCTET_STRING,
- parser->get_level(parser) + 1, "IV"))
- {
- goto end;
- }
- *encr = ENCR_3DES;
- *iv = params;
- break;
- }
- }
- }
-
-end:
- parser->destroy(parser);
-}
-
-/**
- * ASN.1 definition of a PBEParameter structure
- */
-static const asn1Object_t pbeParameterObjects[] = {
- { 0, "PBEParameter", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
- { 1, "salt", ASN1_OCTET_STRING, ASN1_BODY }, /* 1 */
- { 1, "iterationCount", ASN1_INTEGER, ASN1_BODY }, /* 2 */
- { 0, "exit", ASN1_EOC, ASN1_EXIT }
-};
-#define PBEPARAM_SALT 1
-#define PBEPARAM_ITERATION_COUNT 2
-
-/**
- * Parse a PBEParameter structure
- */
-static void parse_pbe_parameters(chunk_t blob, chunk_t *salt,
- u_int64_t *iterations)
-{
- asn1_parser_t *parser;
- chunk_t object;
- int objectID;
-
- parser = asn1_parser_create(pbeParameterObjects, blob);
-
- while (parser->iterate(parser, &objectID, &object))
- {
- switch (objectID)
- {
- case PBEPARAM_SALT:
- {
- *salt = object;
- break;
- }
- case PBEPARAM_ITERATION_COUNT:
- {
- *iterations = parse_asn1_integer_uint64(object);
- break;
- }
- }
- }
-
- parser->destroy(parser);
-}
-
-/**
* ASN.1 definition of an encryptedPrivateKeyInfo structure
*/
static const asn1Object_t encryptedPKIObjects[] = {
@@ -563,14 +153,10 @@ static const asn1Object_t encryptedPKIObjects[] = {
static private_key_t *parse_encrypted_private_key(chunk_t blob)
{
asn1_parser_t *parser;
- chunk_t object, params, salt = chunk_empty, iv = chunk_empty;
- u_int64_t iterations = 0;
+ chunk_t object;
int objectID;
- encryption_algorithm_t encr = ENCR_UNDEFINED;
- hash_algorithm_t hash = HASH_UNKNOWN;
- pseudo_random_function_t prf = PRF_UNDEFINED;
private_key_t *key = NULL;
- size_t key_len = 8;
+ pkcs5_t *pkcs5 = NULL;
parser = asn1_parser_create(encryptedPKIObjects, blob);
@@ -580,49 +166,24 @@ static private_key_t *parse_encrypted_private_key(chunk_t blob)
{
case EPKINFO_ENCRYPTION_ALGORITHM:
{
- int oid = asn1_parse_algorithmIdentifier(object,
- parser->get_level(parser) + 1, &params);
-
- switch (oid)
+ pkcs5 = pkcs5_from_algorithmIdentifier(object,
+ parser->get_level(parser) + 1);
+ if (!pkcs5)
{
- case OID_PBE_MD5_DES_CBC:
- encr = ENCR_DES;
- hash = HASH_MD5;
- parse_pbe_parameters(params, &salt, &iterations);
- break;
- case OID_PBE_SHA1_DES_CBC:
- encr = ENCR_DES;
- hash = HASH_SHA1;
- parse_pbe_parameters(params, &salt, &iterations);
- break;
- case OID_PBES2:
- parse_pbes2_params(params, &salt, &iterations,
- &key_len, &prf, &encr, &iv);
- break;
- default:
- /* encryption scheme not supported */
- goto end;
+ goto end;
}
break;
}
case EPKINFO_ENCRYPTED_DATA:
{
- if (prf != PRF_UNDEFINED)
- {
- key = decrypt_private_key_pbes2(object, encr, key_len, iv,
- prf, salt, iterations);
- }
- else
- {
- key = decrypt_private_key_pbes1(object, encr, key_len, hash,
- salt, iterations);
- }
+ key = decrypt_private_key(pkcs5, object);
break;
}
}
}
end:
+ DESTROY_IF(pkcs5);
parser->destroy(parser);
return key;
}
diff --git a/src/libstrongswan/plugins/pkcs8/pkcs8_plugin.c b/src/libstrongswan/plugins/pkcs8/pkcs8_plugin.c
index f78c83054..129fbb045 100644
--- a/src/libstrongswan/plugins/pkcs8/pkcs8_plugin.c
+++ b/src/libstrongswan/plugins/pkcs8/pkcs8_plugin.c
@@ -43,6 +43,7 @@ METHOD(plugin_t, get_features, int,
{
static plugin_feature_t f[] = {
PLUGIN_REGISTER(PRIVKEY, pkcs8_private_key_load, FALSE),
+ PLUGIN_PROVIDE(PRIVKEY, KEY_ANY),
PLUGIN_PROVIDE(PRIVKEY, KEY_RSA),
PLUGIN_PROVIDE(PRIVKEY, KEY_ECDSA),
};