updated pluto to new fingerprinting API
This commit is contained in:
Martin Willi
parent
5bceb90c86
commit
b4b68b64b8
|
|
@ -464,18 +464,18 @@ process_txt_rr_body(u_char *str
|
|||
{
|
||||
char cidb[BUF_LEN];
|
||||
char gwidb[BUF_LEN];
|
||||
identification_t *keyid;
|
||||
public_key_t *pub_key;
|
||||
chunk_t keyid;
|
||||
public_key_t *key;
|
||||
|
||||
idtoa(client_id, cidb, sizeof(cidb));
|
||||
idtoa(&gi.gw_id, gwidb, sizeof(gwidb));
|
||||
pub_key = gi.key->public_key;
|
||||
keyid = pub_key->get_id(pub_key, ID_PUBKEY_SHA1);
|
||||
key = gi.key->public_key;
|
||||
|
||||
if (gi.gw_key_present)
|
||||
if (gi.gw_key_present &&
|
||||
key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &keyid))
|
||||
{
|
||||
DBG_log("gateway for %s is %s with key %Y"
|
||||
, cidb, gwidb, keyid);
|
||||
DBG_log("gateway for %s is %s with key %#B"
|
||||
, cidb, gwidb, &keyid);
|
||||
}
|
||||
else
|
||||
{
|
||||
|
|
|
|||
|
|
@ -1495,17 +1495,18 @@ struct tac_state {
|
|||
static bool take_a_crack(struct tac_state *s, pubkey_t *kr)
|
||||
{
|
||||
public_key_t *pub_key = kr->public_key;
|
||||
identification_t *keyid = pub_key->get_id(pub_key, ID_PUBKEY_INFO_SHA1);
|
||||
chunk_t keyid = chunk_empty;
|
||||
signature_scheme_t scheme;
|
||||
|
||||
s->tried_cnt++;
|
||||
scheme = oakley_to_signature_scheme(s->st->st_oakley.auth);
|
||||
pub_key->get_fingerprint(pub_key, KEY_ID_PUBKEY_INFO_SHA1, &keyid);
|
||||
|
||||
if (pub_key->verify(pub_key, scheme, s->hash, s->sig))
|
||||
{
|
||||
DBG(DBG_CRYPT | DBG_CONTROL,
|
||||
DBG_log("%s check passed with keyid %Y",
|
||||
enum_show(&oakley_auth_names, s->st->st_oakley.auth), keyid)
|
||||
DBG_log("%s check passed with keyid %#B",
|
||||
enum_show(&oakley_auth_names, s->st->st_oakley.auth), &keyid)
|
||||
)
|
||||
unreference_key(&s->st->st_peer_pubkey);
|
||||
s->st->st_peer_pubkey = reference_key(kr);
|
||||
|
|
@ -1514,8 +1515,8 @@ static bool take_a_crack(struct tac_state *s, pubkey_t *kr)
|
|||
else
|
||||
{
|
||||
DBG(DBG_CRYPT,
|
||||
DBG_log("%s check failed with keyid %Y",
|
||||
enum_show(&oakley_auth_names, s->st->st_oakley.auth), keyid)
|
||||
DBG_log("%s check failed with keyid %#B",
|
||||
enum_show(&oakley_auth_names, s->st->st_oakley.auth), &keyid)
|
||||
)
|
||||
return FALSE;
|
||||
}
|
||||
|
|
@ -4491,14 +4492,12 @@ static enum verify_oppo_step quick_inI1_outR1_process_answer(
|
|||
next_step = vos_done;
|
||||
{
|
||||
public_key_t *pub_key;
|
||||
identification_t *p1st_keyid;
|
||||
struct gw_info *gwp;
|
||||
|
||||
/* check that the public key that authenticated
|
||||
* the ISAKMP SA (p1st) will do for this gateway.
|
||||
*/
|
||||
pub_key = p1st->st_peer_pubkey->public_key;
|
||||
p1st_keyid = pub_key->get_id(pub_key, ID_PUBKEY_INFO_SHA1);
|
||||
|
||||
ugh = "peer's client does not delegate to peer";
|
||||
for (gwp = ac->gateways_from_dns; gwp != NULL; gwp = gwp->next)
|
||||
|
|
@ -4510,9 +4509,8 @@ static enum verify_oppo_step quick_inI1_outR1_process_answer(
|
|||
* it implies fetching a KEY from the same
|
||||
* place we must have gotten it.
|
||||
*/
|
||||
if (!gwp->gw_key_present || p1st_keyid->equals(p1st_keyid,
|
||||
gwp->key->public_key->get_id(gwp->key->public_key,
|
||||
ID_PUBKEY_INFO_SHA1))
|
||||
if (!gwp->gw_key_present ||
|
||||
pub_key->equals(pub_key, gwp->key->public_key)
|
||||
)
|
||||
{
|
||||
ugh = NULL; /* good! */
|
||||
|
|
|
|||
|
|
@ -1433,7 +1433,7 @@ void list_public_keys(bool utc)
|
|||
{
|
||||
pubkey_t *key = p->key;
|
||||
public_key_t *public = key->public_key;
|
||||
identification_t *keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1);
|
||||
chunk_t keyid;
|
||||
char buf[BUF_LEN];
|
||||
|
||||
idtoa(&key->id, buf, BUF_LEN);
|
||||
|
|
@ -1443,7 +1443,10 @@ void list_public_keys(bool utc)
|
|||
public->get_keysize(public) * BITS_PER_BYTE,
|
||||
&key->until_time, utc,
|
||||
check_expiry(key->until_time, PUBKEY_WARNING_INTERVAL, TRUE));
|
||||
whack_log(RC_COMMENT," keyid: %Y", keyid);
|
||||
if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &keyid))
|
||||
{
|
||||
whack_log(RC_COMMENT," keyid: %#B", &keyid);
|
||||
}
|
||||
if (key->issuer.len > 0)
|
||||
{
|
||||
dntoa(buf, BUF_LEN, key->issuer);
|
||||
|
|
|
|||
|
|
@ -282,12 +282,15 @@ static bool parse_pgp_pubkey_packet(chunk_t *packet, pgpcert_t *cert)
|
|||
}
|
||||
else
|
||||
{
|
||||
chunk_t fp;
|
||||
|
||||
/* V3 fingerprint is computed by public_key_t class */
|
||||
cert->fingerprint = cert->public_key->get_id(cert->public_key, ID_KEY_ID);
|
||||
if (cert->fingerprint == NULL)
|
||||
if (!cert->public_key->get_fingerprint(cert->public_key, KEY_ID_PGPV3,
|
||||
&fp))
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
cert->fingerprint = identification_create_from_encoding(ID_KEY_ID, fp);
|
||||
}
|
||||
return TRUE;
|
||||
}
|
||||
|
|
@ -484,6 +487,7 @@ void list_pgp_end_certs(bool utc)
|
|||
while (cert != NULL)
|
||||
{
|
||||
public_key_t *key = cert->public_key;
|
||||
chunk_t keyid;
|
||||
cert_t c;
|
||||
|
||||
c.type = CERT_PGP;
|
||||
|
|
@ -496,10 +500,12 @@ void list_pgp_end_certs(bool utc)
|
|||
check_expiry(cert->until, CA_CERT_WARNING_INTERVAL, TRUE));
|
||||
whack_log(RC_COMMENT, " pubkey: %N %4d bits%s",
|
||||
key_type_names, key->get_type(key),
|
||||
key->get_keysize(key) * BITS_PER_BYTE,
|
||||
key->get_keysize(key) * BITS_PER_BYTE,
|
||||
has_private_key(c)? ", has private key" : "");
|
||||
whack_log(RC_COMMENT, " keyid: %Y",
|
||||
key->get_id(key, ID_PUBKEY_INFO_SHA1));
|
||||
if (key->get_fingerprint(key, KEY_ID_PUBKEY_INFO_SHA1, &keyid))
|
||||
{
|
||||
whack_log(RC_COMMENT, " keyid: %#B", &keyid);
|
||||
}
|
||||
cert = cert->next;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1121,14 +1121,14 @@ static chunk_t build_tbs_x509cert(x509cert_t *cert, public_key_t *rsa)
|
|||
{
|
||||
/* version is always X.509v3 */
|
||||
chunk_t version = asn1_simple_object(ASN1_CONTEXT_C_0, ASN1_INTEGER_2);
|
||||
|
||||
chunk_t key = chunk_empty;
|
||||
chunk_t extensions = chunk_empty;
|
||||
|
||||
chunk_t key = rsa->get_encoding(rsa);
|
||||
rsa->get_encoding(rsa, KEY_PUB_ASN1_DER, &key);
|
||||
|
||||
chunk_t keyInfo = asn1_wrap(ASN1_SEQUENCE, "cm",
|
||||
asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
|
||||
asn1_bitstring("m", key));
|
||||
asn1_bitstring("m", key));
|
||||
|
||||
if (cert->subjectAltName != NULL)
|
||||
{
|
||||
|
|
@ -1398,17 +1398,15 @@ void gntoid(struct id *id, const generalName_t *gn)
|
|||
*/
|
||||
bool compute_subjectKeyID(x509cert_t *cert, chunk_t subjectKeyID)
|
||||
{
|
||||
identification_t *keyid;
|
||||
chunk_t encoding;
|
||||
|
||||
keyid = cert->public_key->get_id(cert->public_key, ID_PUBKEY_SHA1);
|
||||
if (keyid == NULL)
|
||||
chunk_t fingerprint;
|
||||
|
||||
if (!cert->public_key->get_fingerprint(cert->public_key, KEY_ID_PUBKEY_SHA1,
|
||||
&fingerprint))
|
||||
{
|
||||
plog(" unable to compute subjectKeyID");
|
||||
return FALSE;
|
||||
}
|
||||
encoding = keyid->get_encoding(keyid);
|
||||
memcpy(subjectKeyID.ptr, encoding.ptr, subjectKeyID.len);
|
||||
memcpy(subjectKeyID.ptr, fingerprint.ptr, subjectKeyID.len);
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
|
|
@ -2070,6 +2068,7 @@ void list_x509cert_chain(const char *caption, x509cert_t* cert,
|
|||
{
|
||||
u_char buf[BUF_LEN];
|
||||
public_key_t *key = cert->public_key;
|
||||
chunk_t keyid;
|
||||
cert_t c;
|
||||
|
||||
c.type = CERT_X509_SIGNATURE;
|
||||
|
|
@ -2103,8 +2102,10 @@ void list_x509cert_chain(const char *caption, x509cert_t* cert,
|
|||
key->get_keysize(key) * BITS_PER_BYTE,
|
||||
cert->smartcard ? ", on smartcard" :
|
||||
(has_private_key(c)? ", has private key" : ""));
|
||||
whack_log(RC_COMMENT, " keyid: %Y",
|
||||
key->get_id(key, ID_PUBKEY_INFO_SHA1));
|
||||
if (key->get_fingerprint(key, KEY_ID_PUBKEY_INFO_SHA1, &keyid))
|
||||
{
|
||||
whack_log(RC_COMMENT, " keyid: %#B", &keyid);
|
||||
}
|
||||
if (cert->subjectKeyID.ptr != NULL)
|
||||
{
|
||||
datatot(cert->subjectKeyID.ptr, cert->subjectKeyID.len, ':',
|
||||
|
|
|
|||
Loading…
Reference in New Issue