sshkey: Add support for ECDSA keys

2013-04-01 18:16:17 +02:00 · 2013-04-01 18:16:17 +02:00 · dd9e366814
parent 87692be215
commit dd9e366814
1 changed files with 70 additions and 0 deletions
--- a/src/libstrongswan/plugins/sshkey/sshkey_builder.c
+++ b/src/libstrongswan/plugins/sshkey/sshkey_builder.c
@ -15,9 +15,45 @@

 #include "sshkey_builder.h"

+#include <asn1/oid.h>
+#include <asn1/asn1.h>
 #include <bio/bio_reader.h>
 #include <utils/debug.h>

+#define ECDSA_PREFIX "ecdsa-sha2-"
+
+/**
+ * Parse an EC domain parameter identifier as defined in RFC 5656
+ */
+static chunk_t parse_ec_identifier(chunk_t identifier)
+{
+	chunk_t oid = chunk_empty;
+
+	if (chunk_equals(identifier, chunk_from_str("nistp256")))
+	{
+		oid = asn1_build_known_oid(OID_PRIME256V1);
+	}
+	else if (chunk_equals(identifier, chunk_from_str("nistp384")))
+	{
+		oid = asn1_build_known_oid(OID_SECT384R1);
+	}
+	else if (chunk_equals(identifier, chunk_from_str("nistp521")))
+	{
+		oid = asn1_build_known_oid(OID_SECT521R1);
+	}
+	else
+	{
+		char ascii[64];
+
+		if (snprintf(ascii, sizeof(ascii), "%.*s", (int)identifier.len,
+					 identifier.ptr) < sizeof(ascii))
+		{
+			oid = asn1_wrap(ASN1_OID, "m", asn1_oid_from_string(ascii));
+		}
+	}
+	return oid;
+}
+
 /**
 * Load a generic public key from an SSH key blob
 */
@ -48,6 +84,40 @@ static sshkey_public_key_t *parse_public_key(chunk_t blob)
 		return lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
 						BUILD_RSA_MODULUS, n, BUILD_RSA_PUB_EXP, e, BUILD_END);
 	}
+	else if (format.len > strlen(ECDSA_PREFIX) &&
+			 strneq(format.ptr, ECDSA_PREFIX, strlen(ECDSA_PREFIX)))
+	{
+		chunk_t ec_blob, identifier, q, oid, encoded;
+		sshkey_public_key_t *key;
+
+		ec_blob = reader->peek(reader);
+		reader->destroy(reader);
+		reader = bio_reader_create(ec_blob);
+		if (!reader->read_data32(reader, &identifier) ||
+			!reader->read_data32(reader, &q))
+		{
+			DBG1(DBG_LIB, "invalid ECDSA key in SSH key");
+			reader->destroy(reader);
+			return NULL;
+		}
+		oid = parse_ec_identifier(identifier);
+		if (!oid.ptr)
+		{
+			DBG1(DBG_LIB, "invalid ECDSA key identifier in SSH key");
+			reader->destroy(reader);
+			return NULL;
+		}
+		reader->destroy(reader);
+		/* build key from subjectPublicKeyInfo */
+		encoded = asn1_wrap(ASN1_SEQUENCE, "mm",
+						asn1_wrap(ASN1_SEQUENCE, "mm",
+							asn1_build_known_oid(OID_EC_PUBLICKEY), oid),
+						asn1_bitstring("c", q));
+		key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY,
+							KEY_ECDSA, BUILD_BLOB_ASN1_DER, encoded, BUILD_END);
+		chunk_free(&encoded);
+		return key;
+	}
 	DBG1(DBG_LIB, "unsupported SSH key format %.*s", (int)format.len,
 		 format.ptr);
 	reader->destroy(reader);