diff options
-rw-r--r-- | doc/relnotes/1_11_12.rst | 12 | ||||
-rw-r--r-- | src/lib/asn1/oid_lookup/default.cpp | 11 | ||||
-rw-r--r-- | src/lib/pubkey/mce/mceliece_key.h | 2 | ||||
-rw-r--r-- | src/lib/pubkey/pkcs8.cpp | 20 |
4 files changed, 31 insertions, 14 deletions
diff --git a/doc/relnotes/1_11_12.rst b/doc/relnotes/1_11_12.rst index 344dc95dc..516f41e81 100644 --- a/doc/relnotes/1_11_12.rst +++ b/doc/relnotes/1_11_12.rst @@ -2,6 +2,12 @@ Version 1.11.12, Not Yet Released ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * Add Curve25519. The implementation is based on curve25519-donna-c64.c - by Adam Langley. New (completely non-standard) OIDs and - formats for encrypting Curve25519 keys under PKCS #8 and including - them in certificates and CRLs have been defined. + by Adam Langley. New (completely non-standard) OIDs and formats for + encrypting Curve25519 keys under PKCS #8 and including them in + certificates and CRLs have been defined. + +* When encrypted as PKCS #8 structures, Curve25519 and McEliece + private keys default to using AES-256/GCM instead of AES-256/CBC + +* Define OIDs for OCB mode with AES, Serpent and Twofish. + diff --git a/src/lib/asn1/oid_lookup/default.cpp b/src/lib/asn1/oid_lookup/default.cpp index 54e834439..03b1be99f 100644 --- a/src/lib/asn1/oid_lookup/default.cpp +++ b/src/lib/asn1/oid_lookup/default.cpp @@ -1,6 +1,6 @@ /* * OID Registry -* (C) 1999-2010,2013 Jack Lloyd +* (C) 1999-2010,2013,2014 Jack Lloyd * * Distributed under the terms of the Botan license */ @@ -24,7 +24,8 @@ void set_defaults() OIDS::add_oidstr("1.3.6.1.4.1.3029.1.2.1", "ElGamal"); OIDS::add_oidstr("1.3.6.1.4.1.25258.1.1", "RW"); OIDS::add_oidstr("1.3.6.1.4.1.25258.1.2", "NR"); - OIDS::add_oidstr("1.3.6.1.4.1.25258.1.3", "McEliece/BIGGF2M"); + OIDS::add_oidstr("1.3.6.1.4.1.25258.1.3", "McEliece"); + OIDS::add_oidstr("1.3.6.1.4.1.25258.1.4", "Curve25519"); // X9.62 ecPublicKey, valid for ECDSA and ECDH (RFC 3279 sec 2.3.5) OIDS::add_oidstr("1.2.840.10045.2.1", "ECDSA"); @@ -59,6 +60,12 @@ void set_defaults() OIDS::add_oidstr("1.3.6.1.4.1.25258.3.101", "Serpent/GCM"); OIDS::add_oidstr("1.3.6.1.4.1.25258.3.102", "Twofish/GCM"); + OIDS::add_oidstr("1.3.6.1.4.1.25258.3.2.1", "AES-128/OCB"); + OIDS::add_oidstr("1.3.6.1.4.1.25258.3.2.2", "AES-192/OCB"); + OIDS::add_oidstr("1.3.6.1.4.1.25258.3.2.3", "AES-256/OCB"); + OIDS::add_oidstr("1.3.6.1.4.1.25258.3.2.4", "Serpent/OCB"); + OIDS::add_oidstr("1.3.6.1.4.1.25258.3.2.5", "Twofish/OCB"); + /* Hash Functions */ OIDS::add_oidstr("1.2.840.113549.2.5", "MD5"); OIDS::add_oidstr("1.3.6.1.4.1.11591.12.2", "Tiger(24,3)"); diff --git a/src/lib/pubkey/mce/mceliece_key.h b/src/lib/pubkey/mce/mceliece_key.h index cb9412c05..d8b4b59ce 100644 --- a/src/lib/pubkey/mce/mceliece_key.h +++ b/src/lib/pubkey/mce/mceliece_key.h @@ -32,7 +32,7 @@ class BOTAN_DLL McEliece_PublicKey : public virtual Public_Key McEliece_PublicKey(const McEliece_PublicKey & other); - std::string algo_name() const { return "McEliece/BIGGF2M"; } + std::string algo_name() const { return "McEliece"; } /** * Get the maximum number of bits allowed to be fed to this key. diff --git a/src/lib/pubkey/pkcs8.cpp b/src/lib/pubkey/pkcs8.cpp index 15f0c4539..298cea064 100644 --- a/src/lib/pubkey/pkcs8.cpp +++ b/src/lib/pubkey/pkcs8.cpp @@ -153,17 +153,21 @@ std::string PEM_encode(const Private_Key& key) namespace { std::pair<std::string, std::string> -choose_pbe_params(const std::string& pbe_algo) +choose_pbe_params(const std::string& pbe_algo, const std::string& key_algo) { - if(!pbe_algo.empty()) + if(pbe_algo == "") { - SCAN_Name request(pbe_algo); - if(request.algo_name() != "PBE-PKCS5v20") - throw std::runtime_error("Unsupported PBE " + pbe_algo); - return std::make_pair(request.arg(1), request.arg(0)); + // Defaults: + if(key_algo == "Curve25519" || key_algo == "McEliece") + return std::make_pair("AES-256/GCM", "SHA-512"); + else // for everything else (RSA, DSA, ECDSA, GOST, ...) + return std::make_pair("AES-256/CBC", "SHA-256"); } - return std::make_pair("AES-256/CBC", "SHA-256"); + SCAN_Name request(pbe_algo); + if(request.algo_name() != "PBE-PKCS5v20" || request.arg_count() != 2) + throw std::runtime_error("Unsupported PBE " + pbe_algo); + return std::make_pair(request.arg(1), request.arg(0)); } } @@ -177,7 +181,7 @@ std::vector<byte> BER_encode(const Private_Key& key, std::chrono::milliseconds msec, const std::string& pbe_algo) { - const auto pbe_params = choose_pbe_params(pbe_algo); + const auto pbe_params = choose_pbe_params(pbe_algo, key.algo_name()); const std::pair<AlgorithmIdentifier, std::vector<byte>> pbe_info = pbes2_encrypt(PKCS8::BER_encode(key), pass, msec, |