Update GOST to use 2012 OIDs/params

author: Jack Lloyd <[email protected]> 2019-08-03 19:21:33 -0400
committer: Jack Lloyd <[email protected]> 2019-08-03 19:32:18 -0400
commit: 4719685cbf74904e0e4cc205cf09830cff1b04dc (patch)
tree: bc53f46336a93d2940c63f0c4fbf93f1cad9de21 /src
parent: da7e97bfcfcd476b28a2ac8cf95d32feecd7dae9 (diff)
11 files changed, 53 insertions, 26 deletions
diff --git a/src/build-data/oids.txt b/src/build-data/oids.txt
index b17d8b611..cb4ea5456 100644
--- a/src/build-data/oids.txt
+++ b/src/build-data/oids.txt
@@ -201,9 +201,10 @@
 1.2.643.7.1.1.2.2 = Streebog-256
 1.2.643.7.1.1.2.3 = Streebog-512
 
-1.2.643.7.1.1.3.2 = GOST-34.10/EMSA1(Streebog-256)
+1.2.643.7.1.1.3.2 = GOST-34.10-2012-256/EMSA1(Streebog-256)
+1.2.643.7.1.1.3.3 = GOST-34.10-2012-512/EMSA1(Streebog-512)
 
-1.3.6.1.4.1.25258.1.6.1 = GOST-34.10/EMSA1(SHA-256)
+1.3.6.1.4.1.25258.1.6.1 = GOST-34.10-2012-256/EMSA1(SHA-256)
 
 # Encryption algos
 [encryption]
diff --git a/src/lib/asn1/oid_maps.cpp b/src/lib/asn1/oid_maps.cpp
index 0072f989b..47d418271 100644
--- a/src/lib/asn1/oid_maps.cpp
+++ b/src/lib/asn1/oid_maps.cpp
@@ -1,7 +1,7 @@
 /*
 * OID maps
 *
-* This file was automatically generated by ./src/scripts/oids.py on 2019-08-01
+* This file was automatically generated by ./src/scripts/oids.py on 2019-08-03
 *
 * All manual edits to this file will be lost. Edit the script
 * then regenerate this source file.
@@ -51,7 +51,8 @@ std::unordered_map<std::string, std::string> OIDS::load_oid2str_map()
       { "1.2.643.7.1.1.1.2", "GOST-34.10-2012-512" },
       { "1.2.643.7.1.1.2.2", "Streebog-256" },
       { "1.2.643.7.1.1.2.3", "Streebog-512" },
-      { "1.2.643.7.1.1.3.2", "GOST-34.10/EMSA1(Streebog-256)" },
+      { "1.2.643.7.1.1.3.2", "GOST-34.10-2012-256/EMSA1(Streebog-256)" },
+      { "1.2.643.7.1.1.3.3", "GOST-34.10-2012-512/EMSA1(Streebog-512)" },
       { "1.2.643.7.1.2.1.1.1", "gost_256A" },
       { "1.2.643.7.1.2.1.1.2", "gost_256B" },
       { "1.2.643.7.1.2.1.2.1", "gost_512A" },
@@ -139,7 +140,7 @@ std::unordered_map<std::string, std::string> OIDS::load_oid2str_map()
       { "1.3.6.1.4.1.11591.4.11", "Scrypt" },
       { "1.3.6.1.4.1.25258.1.3", "McEliece" },
       { "1.3.6.1.4.1.25258.1.5", "XMSS-draft6" },
-      { "1.3.6.1.4.1.25258.1.6.1", "GOST-34.10/EMSA1(SHA-256)" },
+      { "1.3.6.1.4.1.25258.1.6.1", "GOST-34.10-2012-256/EMSA1(SHA-256)" },
       { "1.3.6.1.4.1.25258.1.8", "XMSS" },
       { "1.3.6.1.4.1.25258.3.1", "Serpent/CBC" },
       { "1.3.6.1.4.1.25258.3.101", "Serpent/GCM" },
@@ -332,10 +333,11 @@ std::unordered_map<std::string, OID> OIDS::load_str2oid_map()
       { "ElGamal", OID({1,3,6,1,4,1,3029,1,2,1}) },
       { "GOST-34.10", OID({1,2,643,2,2,19}) },
       { "GOST-34.10-2012-256", OID({1,2,643,7,1,1,1,1}) },
+      { "GOST-34.10-2012-256/EMSA1(SHA-256)", OID({1,3,6,1,4,1,25258,1,6,1}) },
+      { "GOST-34.10-2012-256/EMSA1(Streebog-256)", OID({1,2,643,7,1,1,3,2}) },
       { "GOST-34.10-2012-512", OID({1,2,643,7,1,1,1,2}) },
+      { "GOST-34.10-2012-512/EMSA1(Streebog-512)", OID({1,2,643,7,1,1,3,3}) },
       { "GOST-34.10/EMSA1(GOST-R-34.11-94)", OID({1,2,643,2,2,3}) },
-      { "GOST-34.10/EMSA1(SHA-256)", OID({1,3,6,1,4,1,25258,1,6,1}) },
-      { "GOST-34.10/EMSA1(Streebog-256)", OID({1,2,643,7,1,1,3,2}) },
       { "GOST.INN", OID({1,2,643,3,131,1,1}) },
       { "GOST.IssuerSigningTool", OID({1,2,643,100,112}) },
       { "GOST.OGRN", OID({1,2,643,100,1}) },
diff --git a/src/lib/pk_pad/emsa1/emsa1.cpp b/src/lib/pk_pad/emsa1/emsa1.cpp
index 66d8ec852..e1bc8db6e 100644
--- a/src/lib/pk_pad/emsa1/emsa1.cpp
+++ b/src/lib/pk_pad/emsa1/emsa1.cpp
@@ -109,15 +109,20 @@ AlgorithmIdentifier EMSA1::config_for_x509(const Private_Key& key,
          " not supported for signature algorithm " + key.algo_name());
       }
 
+   const std::string sig_name = key.algo_name() + "/" + name();
    AlgorithmIdentifier sig_algo;
-   sig_algo.oid = OIDS::lookup( key.algo_name() + "/" + name() );
+   sig_algo.oid = OIDS::lookup(sig_name);
+   if(sig_algo.oid.empty())
+      throw Lookup_Error("No OID defined for " + sig_name);
 
    std::string algo_name = key.algo_name();
    if(algo_name == "DSA" ||
       algo_name == "ECDSA" ||
       algo_name == "ECGDSA" ||
       algo_name == "ECKCDSA" ||
-      algo_name == "GOST-34.10")
+      algo_name == "GOST-34.10" ||
+      algo_name == "GOST-34.10-2012-256" ||
+      algo_name == "GOST-34.10-2012-512")
       {
       // for DSA, ECDSA, GOST parameters "SHALL" be empty
       sig_algo.parameters = {};
diff --git a/src/lib/pk_pad/padding.cpp b/src/lib/pk_pad/padding.cpp
index 134bb4101..bac3fcd7e 100644
--- a/src/lib/pk_pad/padding.cpp
+++ b/src/lib/pk_pad/padding.cpp
@@ -24,6 +24,8 @@ const std::map<const std::string, std::vector<std::string>> allowed_signature_pa
    { "ECGDSA", {"EMSA1"} },
    { "ECKCDSA", {"EMSA1"} },
    { "GOST-34.10", {"EMSA1"} },
+   { "GOST-34.10-2012-256", {"EMSA1"} },
+   { "GOST-34.10-2012-512", {"EMSA1"} },
    { "RSA", {"EMSA4", "EMSA3"} },
    };
 
diff --git a/src/lib/pubkey/gost_3410/gost_3410.cpp b/src/lib/pubkey/gost_3410/gost_3410.cpp
index d2324fd13..7e4dbe221 100644
--- a/src/lib/pubkey/gost_3410/gost_3410.cpp
+++ b/src/lib/pubkey/gost_3410/gost_3410.cpp
@@ -40,6 +40,11 @@ std::vector<uint8_t> GOST_3410_PublicKey::public_key_bits() const
    return output;
    }
 
+std::string GOST_3410_PublicKey::algo_name() const
+   {
+   return "GOST-34.10-2012-" + std::to_string(domain().get_p_bits());
+   }
+
 AlgorithmIdentifier GOST_3410_PublicKey::algorithm_identifier() const
    {
    std::vector<uint8_t> params;
diff --git a/src/lib/pubkey/gost_3410/gost_3410.h b/src/lib/pubkey/gost_3410/gost_3410.h
index 8c42f5091..3f475d434 100644
--- a/src/lib/pubkey/gost_3410/gost_3410.h
+++ b/src/lib/pubkey/gost_3410/gost_3410.h
@@ -42,7 +42,7 @@ class BOTAN_PUBLIC_API(2,0) GOST_3410_PublicKey : public virtual EC_PublicKey
       * Get this keys algorithm name.
       * @result this keys algorithm name
       */
-      std::string algo_name() const override { return "GOST-34.10"; }
+      std::string algo_name() const override;
 
       AlgorithmIdentifier algorithm_identifier() const override;
 
diff --git a/src/lib/pubkey/pk_algs.cpp b/src/lib/pubkey/pk_algs.cpp
index 126f27cd4..f59583e1f 100644
--- a/src/lib/pubkey/pk_algs.cpp
+++ b/src/lib/pubkey/pk_algs.cpp
@@ -252,8 +252,10 @@ std::string default_ec_group_for(const std::string& alg_name)
    {
    if(alg_name == "SM2" || alg_name == "SM2_Enc" || alg_name == "SM2_Sig")
       return "sm2p256v1";
-   if(alg_name == "GOST-34.10")
+   if(alg_name == "GOST-34.10" || alg_name == "GOST-34.10-2012-256")
       return "gost_256A";
+   if(alg_name == "GOST-34.10-2012-512")
+      return "gost_512A";
    if(alg_name == "ECGDSA")
       return "brainpool256r1";
    return "secp256r1";
@@ -339,7 +341,9 @@ create_private_key(const std::string& alg_name,
       alg_name == "SM2" ||
       alg_name == "SM2_Sig" ||
       alg_name == "SM2_Enc" ||
-      alg_name == "GOST-34.10")
+      alg_name == "GOST-34.10" ||
+      alg_name == "GOST-34.10-2012-256" ||
+      alg_name == "GOST-34.10-2012-512")
       {
       const EC_Group ec_group(params.empty() ? default_ec_group_for(alg_name) : params);
 
@@ -359,7 +363,7 @@ create_private_key(const std::string& alg_name,
 #endif
 
 #if defined(BOTAN_HAS_GOST_34_10_2001)
-      if(alg_name == "GOST-34.10")
+      if(alg_name == "GOST-34.10" || alg_name == "GOST-34.10-2012-256" || alg_name == "GOST-34.10-2012-512")
          return std::unique_ptr<Private_Key>(new GOST_3410_PrivateKey(rng, ec_group));
 #endif
 
diff --git a/src/lib/pubkey/pk_keys.cpp b/src/lib/pubkey/pk_keys.cpp
index fbbc6f7dd..ce3eeeb7f 100644
--- a/src/lib/pubkey/pk_keys.cpp
+++ b/src/lib/pubkey/pk_keys.cpp
@@ -52,13 +52,12 @@ std::vector<uint8_t> Public_Key::subject_public_key() const
 */
 OID Public_Key::get_oid() const
    {
-   try {
-      return OIDS::lookup(algo_name());
-      }
-   catch(Lookup_Error&)
-      {
+   const OID oid = OIDS::lookup(algo_name());
+
+   if(oid.empty())
       throw Lookup_Error("PK algo " + algo_name() + " has no defined OIDs");
-      }
+
+   return oid;
    }
 
 secure_vector<uint8_t> Private_Key::private_key_info() const
diff --git a/src/lib/x509/key_constraint.cpp b/src/lib/x509/key_constraint.cpp
index 95a59d65f..05bd8edb0 100644
--- a/src/lib/x509/key_constraint.cpp
+++ b/src/lib/x509/key_constraint.cpp
@@ -68,25 +68,31 @@ std::string key_constraints_to_string(Key_Constraints constraints)
 * Make sure the given key constraints are permitted for the given key type
 */
 void verify_cert_constraints_valid_for_key_type(const Public_Key& pub_key,
-                                                      Key_Constraints constraints)
+                                                Key_Constraints constraints)
    {
    const std::string name = pub_key.algo_name();
 
    size_t permitted = 0;
 
-   if(name == "DH" || name == "ECDH")
+   const bool can_agree = (name == "DH" || name == "ECDH");
+   const bool can_encrypt = (name == "RSA" || name == "ElGamal");
+
+   const bool can_sign =
+      (name == "RSA" || name == "DSA" ||
+       name == "ECDSA" || name == "ECGDSA" || name == "ECKCDSA" || name == "Ed25519" ||
+       name == "GOST-34.10" || name == "GOST-34.10-2012-256" || name == "GOST-34.10-2012-512");
+
+   if(can_agree)
       {
       permitted |= KEY_AGREEMENT | ENCIPHER_ONLY | DECIPHER_ONLY;
       }
 
-   if(name == "RSA" || name == "ElGamal")
+   if(can_encrypt)
       {
       permitted |= KEY_ENCIPHERMENT | DATA_ENCIPHERMENT;
       }
 
-   if(name == "RSA" || name == "DSA" ||
-      name == "ECDSA" || name == "ECGDSA" || name == "ECKCDSA" || name == "GOST-34.10" ||
-      name == "Ed25519")
+   if(can_sign)
       {
       permitted |= DIGITAL_SIGNATURE | NON_REPUDIATION | KEY_CERT_SIGN | CRL_SIGN;
       }
diff --git a/src/lib/x509/x509_obj.cpp b/src/lib/x509/x509_obj.cpp
index a48e088ac..dd1e51cd7 100644
--- a/src/lib/x509/x509_obj.cpp
+++ b/src/lib/x509/x509_obj.cpp
@@ -304,7 +304,9 @@ std::string choose_sig_algo(AlgorithmIdentifier& sig_algo,
            algo_name == "ECDSA" ||
            algo_name == "ECGDSA" ||
            algo_name == "ECKCDSA" ||
-           algo_name == "GOST-34.10")
+           algo_name == "GOST-34.10" ||
+           algo_name == "GOST-34.10-2012-256" ||
+           algo_name == "GOST-34.10-2012-512")
       {
       padding = "EMSA1(" + hash_fn + ")";
       }
diff --git a/src/lib/x509/x509self.cpp b/src/lib/x509/x509self.cpp
index 0c5e85491..d84544eff 100644
--- a/src/lib/x509/x509self.cpp
+++ b/src/lib/x509/x509self.cpp
@@ -62,6 +62,7 @@ X509_Certificate create_self_signed_cert(const X509_Cert_Options& opts,
 
    const std::vector<uint8_t> pub_key = X509::BER_encode(key);
    std::unique_ptr<PK_Signer> signer(choose_sig_format(key, sig_opts, rng, hash_fn, sig_algo));
+   BOTAN_ASSERT_NOMSG(sig_algo.get_oid().has_value());
    load_info(opts, subject_dn, subject_alt);
 
    Extensions extensions = opts.extensions;
author	Jack Lloyd <[email protected]>	2019-08-03 19:21:33 -0400
committer	Jack Lloyd <[email protected]>	2019-08-03 19:32:18 -0400
commit	4719685cbf74904e0e4cc205cf09830cff1b04dc (patch)
tree	bc53f46336a93d2940c63f0c4fbf93f1cad9de21 /src
parent	da7e97bfcfcd476b28a2ac8cf95d32feecd7dae9 (diff)