From 4719685cbf74904e0e4cc205cf09830cff1b04dc Mon Sep 17 00:00:00 2001 From: Jack Lloyd Date: Sat, 3 Aug 2019 19:21:33 -0400 Subject: Update GOST to use 2012 OIDs/params --- src/build-data/oids.txt | 5 +++-- src/lib/asn1/oid_maps.cpp | 12 +++++++----- src/lib/pk_pad/emsa1/emsa1.cpp | 9 +++++++-- src/lib/pk_pad/padding.cpp | 2 ++ src/lib/pubkey/gost_3410/gost_3410.cpp | 5 +++++ src/lib/pubkey/gost_3410/gost_3410.h | 2 +- src/lib/pubkey/pk_algs.cpp | 10 +++++++--- src/lib/pubkey/pk_keys.cpp | 11 +++++------ src/lib/x509/key_constraint.cpp | 18 ++++++++++++------ src/lib/x509/x509_obj.cpp | 4 +++- src/lib/x509/x509self.cpp | 1 + 11 files changed, 53 insertions(+), 26 deletions(-) (limited to 'src') diff --git a/src/build-data/oids.txt b/src/build-data/oids.txt index b17d8b611..cb4ea5456 100644 --- a/src/build-data/oids.txt +++ b/src/build-data/oids.txt @@ -201,9 +201,10 @@ 1.2.643.7.1.1.2.2 = Streebog-256 1.2.643.7.1.1.2.3 = Streebog-512 -1.2.643.7.1.1.3.2 = GOST-34.10/EMSA1(Streebog-256) +1.2.643.7.1.1.3.2 = GOST-34.10-2012-256/EMSA1(Streebog-256) +1.2.643.7.1.1.3.3 = GOST-34.10-2012-512/EMSA1(Streebog-512) -1.3.6.1.4.1.25258.1.6.1 = GOST-34.10/EMSA1(SHA-256) +1.3.6.1.4.1.25258.1.6.1 = GOST-34.10-2012-256/EMSA1(SHA-256) # Encryption algos [encryption] diff --git a/src/lib/asn1/oid_maps.cpp b/src/lib/asn1/oid_maps.cpp index 0072f989b..47d418271 100644 --- a/src/lib/asn1/oid_maps.cpp +++ b/src/lib/asn1/oid_maps.cpp @@ -1,7 +1,7 @@ /* * OID maps * -* This file was automatically generated by ./src/scripts/oids.py on 2019-08-01 +* This file was automatically generated by ./src/scripts/oids.py on 2019-08-03 * * All manual edits to this file will be lost. Edit the script * then regenerate this source file. 
@@ -51,7 +51,8 @@ std::unordered_map OIDS::load_oid2str_map() { "1.2.643.7.1.1.1.2", "GOST-34.10-2012-512" }, { "1.2.643.7.1.1.2.2", "Streebog-256" }, { "1.2.643.7.1.1.2.3", "Streebog-512" }, - { "1.2.643.7.1.1.3.2", "GOST-34.10/EMSA1(Streebog-256)" }, + { "1.2.643.7.1.1.3.2", "GOST-34.10-2012-256/EMSA1(Streebog-256)" }, + { "1.2.643.7.1.1.3.3", "GOST-34.10-2012-512/EMSA1(Streebog-512)" }, { "1.2.643.7.1.2.1.1.1", "gost_256A" }, { "1.2.643.7.1.2.1.1.2", "gost_256B" }, { "1.2.643.7.1.2.1.2.1", "gost_512A" }, @@ -139,7 +140,7 @@ std::unordered_map OIDS::load_oid2str_map() { "1.3.6.1.4.1.11591.4.11", "Scrypt" }, { "1.3.6.1.4.1.25258.1.3", "McEliece" }, { "1.3.6.1.4.1.25258.1.5", "XMSS-draft6" }, - { "1.3.6.1.4.1.25258.1.6.1", "GOST-34.10/EMSA1(SHA-256)" }, + { "1.3.6.1.4.1.25258.1.6.1", "GOST-34.10-2012-256/EMSA1(SHA-256)" }, { "1.3.6.1.4.1.25258.1.8", "XMSS" }, { "1.3.6.1.4.1.25258.3.1", "Serpent/CBC" }, { "1.3.6.1.4.1.25258.3.101", "Serpent/GCM" }, @@ -332,10 +333,11 @@ std::unordered_map OIDS::load_str2oid_map() { "ElGamal", OID({1,3,6,1,4,1,3029,1,2,1}) }, { "GOST-34.10", OID({1,2,643,2,2,19}) }, { "GOST-34.10-2012-256", OID({1,2,643,7,1,1,1,1}) }, + { "GOST-34.10-2012-256/EMSA1(SHA-256)", OID({1,3,6,1,4,1,25258,1,6,1}) }, + { "GOST-34.10-2012-256/EMSA1(Streebog-256)", OID({1,2,643,7,1,1,3,2}) }, { "GOST-34.10-2012-512", OID({1,2,643,7,1,1,1,2}) }, + { "GOST-34.10-2012-512/EMSA1(Streebog-512)", OID({1,2,643,7,1,1,3,3}) }, { "GOST-34.10/EMSA1(GOST-R-34.11-94)", OID({1,2,643,2,2,3}) }, - { "GOST-34.10/EMSA1(SHA-256)", OID({1,3,6,1,4,1,25258,1,6,1}) }, - { "GOST-34.10/EMSA1(Streebog-256)", OID({1,2,643,7,1,1,3,2}) }, { "GOST.INN", OID({1,2,643,3,131,1,1}) }, { "GOST.IssuerSigningTool", OID({1,2,643,100,112}) }, { "GOST.OGRN", OID({1,2,643,100,1}) }, diff --git a/src/lib/pk_pad/emsa1/emsa1.cpp b/src/lib/pk_pad/emsa1/emsa1.cpp index 66d8ec852..e1bc8db6e 100644 --- a/src/lib/pk_pad/emsa1/emsa1.cpp +++ b/src/lib/pk_pad/emsa1/emsa1.cpp 
@@ -109,15 +109,20 @@ AlgorithmIdentifier EMSA1::config_for_x509(const Private_Key& key, " not supported for signature algorithm " + key.algo_name()); } + const std::string sig_name = key.algo_name() + "/" + name(); AlgorithmIdentifier sig_algo; - sig_algo.oid = OIDS::lookup( key.algo_name() + "/" + name() ); + sig_algo.oid = OIDS::lookup(sig_name); + if(sig_algo.oid.empty()) + throw Lookup_Error("No OID defined for " + sig_name); std::string algo_name = key.algo_name(); if(algo_name == "DSA" || algo_name == "ECDSA" || algo_name == "ECGDSA" || algo_name == "ECKCDSA" || - algo_name == "GOST-34.10") + algo_name == "GOST-34.10" || + algo_name == "GOST-34.10-2012-256" || + algo_name == "GOST-34.10-2012-512") { // for DSA, ECDSA, GOST parameters "SHALL" be empty sig_algo.parameters = {}; diff --git a/src/lib/pk_pad/padding.cpp b/src/lib/pk_pad/padding.cpp index 134bb4101..bac3fcd7e 100644 --- a/src/lib/pk_pad/padding.cpp +++ b/src/lib/pk_pad/padding.cpp @@ -24,6 +24,8 @@ const std::map> allowed_signature_pa { "ECGDSA", {"EMSA1"} }, { "ECKCDSA", {"EMSA1"} }, { "GOST-34.10", {"EMSA1"} }, + { "GOST-34.10-2012-256", {"EMSA1"} }, + { "GOST-34.10-2012-512", {"EMSA1"} }, { "RSA", {"EMSA4", "EMSA3"} }, }; diff --git a/src/lib/pubkey/gost_3410/gost_3410.cpp b/src/lib/pubkey/gost_3410/gost_3410.cpp index d2324fd13..7e4dbe221 100644 --- a/src/lib/pubkey/gost_3410/gost_3410.cpp +++ b/src/lib/pubkey/gost_3410/gost_3410.cpp @@ -40,6 +40,11 @@ std::vector GOST_3410_PublicKey::public_key_bits() const return output; } +std::string GOST_3410_PublicKey::algo_name() const + { + return "GOST-34.10-2012-" + std::to_string(domain().get_p_bits()); + } + AlgorithmIdentifier GOST_3410_PublicKey::algorithm_identifier() const { std::vector params; diff --git a/src/lib/pubkey/gost_3410/gost_3410.h b/src/lib/pubkey/gost_3410/gost_3410.h index 8c42f5091..3f475d434 100644 --- a/src/lib/pubkey/gost_3410/gost_3410.h +++ b/src/lib/pubkey/gost_3410/gost_3410.h 
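Review bot: The list of key names that get empty signature parameters is spelled out by hand in `EMSA1::config_for_x509`, and similar hand-written name lists are extended in `choose_sig_algo` (x509_obj.cpp), `verify_cert_constraints_valid_for_key_type` (key_constraint.cpp) and `create_private_key` (pk_algs.cpp). A name missed at one site would fall through to the other branch without an error, which here presumably means a differently encoded AlgorithmIdentifier. A shared predicate would keep the sites in step; failing that, add a comment at each list such as `// keep in sync with choose_sig_algo() and verify_cert_constraints_valid_for_key_type()`. Separately, `key.algo_name()` is now evaluated twice; declaring `algo_name` first and building `sig_name` from it (`const std::string sig_name = algo_name + "/" + name();`) avoids the repeat. The function starts and ends outside the hunk.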
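Review bot: `GOST_3410_PublicKey::algo_name()` builds its result from `domain().get_p_bits()` without checking the value. A key over a group whose prime is neither 256 nor 512 bits would report a name (a constructed example: `GOST-34.10-2012-384`) that none of the tables touched in this commit recognise, namely oids.txt, `allowed_signature_paddings` and the key-constraint check. The failure would then surface later as an OID lookup or padding error rather than at the key itself. Consider validating the size before the `return`, e.g. `const size_t p_bits = domain().get_p_bits();` followed by `if(p_bits != 256 && p_bits != 512) throw Encoding_Error("GOST-34.10-2012 is not defined for parameters of this size");`. Whether the constructors already restrict the group cannot be seen from this hunk.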
@@ -42,7 +42,7 @@ class BOTAN_PUBLIC_API(2,0) GOST_3410_PublicKey : public virtual EC_PublicKey * Get this keys algorithm name. * @result this keys algorithm name */ - std::string algo_name() const override { return "GOST-34.10"; } + std::string algo_name() const override; AlgorithmIdentifier algorithm_identifier() const override; diff --git a/src/lib/pubkey/pk_algs.cpp b/src/lib/pubkey/pk_algs.cpp index 126f27cd4..f59583e1f 100644 --- a/src/lib/pubkey/pk_algs.cpp +++ b/src/lib/pubkey/pk_algs.cpp @@ -252,8 +252,10 @@ std::string default_ec_group_for(const std::string& alg_name) { if(alg_name == "SM2" || alg_name == "SM2_Enc" || alg_name == "SM2_Sig") return "sm2p256v1"; - if(alg_name == "GOST-34.10") + if(alg_name == "GOST-34.10" || alg_name == "GOST-34.10-2012-256") return "gost_256A"; + if(alg_name == "GOST-34.10-2012-512") + return "gost_512A"; if(alg_name == "ECGDSA") return "brainpool256r1"; return "secp256r1"; @@ -339,7 +341,9 @@ create_private_key(const std::string& alg_name, alg_name == "SM2" || alg_name == "SM2_Sig" || alg_name == "SM2_Enc" || - alg_name == "GOST-34.10") + alg_name == "GOST-34.10" || + alg_name == "GOST-34.10-2012-256" || + alg_name == "GOST-34.10-2012-512") { const EC_Group ec_group(params.empty() ? default_ec_group_for(alg_name) : params); @@ -359,7 +363,7 @@ create_private_key(const std::string& alg_name, #endif #if defined(BOTAN_HAS_GOST_34_10_2001) - if(alg_name == "GOST-34.10") + if(alg_name == "GOST-34.10" || alg_name == "GOST-34.10-2012-256" || alg_name == "GOST-34.10-2012-512") return std::unique_ptr(new GOST_3410_PrivateKey(rng, ec_group)); #endif diff --git a/src/lib/pubkey/pk_keys.cpp b/src/lib/pubkey/pk_keys.cpp index fbbc6f7dd..ce3eeeb7f 100644 --- a/src/lib/pubkey/pk_keys.cpp +++ b/src/lib/pubkey/pk_keys.cpp 
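Review bot: The doc comment above `algo_name()` still says only "Get this keys algorithm name", but the function no longer returns the fixed string `"GOST-34.10"`. Per gost_3410.cpp in this commit, the result is now derived from the bit length of the domain prime, so callers outside this patch that compare `algo_name()` with `"GOST-34.10"` will stop matching. The comment should say so, for example `@result "GOST-34.10-2012-256" or "GOST-34.10-2012-512", depending on the bit length of the domain prime (previously "GOST-34.10")`. The class body continues outside the hunk.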
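Review bot: `create_private_key` treats the three GOST names as interchangeable and takes the group from `params` when it is non-empty. A request for `GOST-34.10-2012-512` with a 256-bit group in `params` therefore returns a key whose `algo_name()` (per gost_3410.cpp) is `GOST-34.10-2012-256`. A caller that chose the name to get a particular strength would receive a smaller key without any error. Consider rejecting the mismatch before constructing the key, e.g. `if(alg_name == "GOST-34.10-2012-512" && ec_group.get_p_bits() != 512) throw Invalid_Argument("EC group size does not match " + alg_name);`, with the same check for the 256 name. Both hunks cut through the function, so the rest of it is not visible here.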
@@ -52,13 +52,12 @@ std::vector Public_Key::subject_public_key() const */ OID Public_Key::get_oid() const { - try { - return OIDS::lookup(algo_name()); - } - catch(Lookup_Error&) - { + const OID oid = OIDS::lookup(algo_name()); + + if(oid.empty()) throw Lookup_Error("PK algo " + algo_name() + " has no defined OIDs"); - } + + return oid; } secure_vector Private_Key::private_key_info() const diff --git a/src/lib/x509/key_constraint.cpp b/src/lib/x509/key_constraint.cpp index 95a59d65f..05bd8edb0 100644 --- a/src/lib/x509/key_constraint.cpp +++ b/src/lib/x509/key_constraint.cpp @@ -68,25 +68,31 @@ std::string key_constraints_to_string(Key_Constraints constraints) * Make sure the given key constraints are permitted for the given key type */ void verify_cert_constraints_valid_for_key_type(const Public_Key& pub_key, - Key_Constraints constraints) + Key_Constraints constraints) { const std::string name = pub_key.algo_name(); size_t permitted = 0; - if(name == "DH" || name == "ECDH") + const bool can_agree = (name == "DH" || name == "ECDH"); + const bool can_encrypt = (name == "RSA" || name == "ElGamal"); + + const bool can_sign = + (name == "RSA" || name == "DSA" || + name == "ECDSA" || name == "ECGDSA" || name == "ECKCDSA" || name == "Ed25519" || + name == "GOST-34.10" || name == "GOST-34.10-2012-256" || name == "GOST-34.10-2012-512"); + + if(can_agree) { permitted |= KEY_AGREEMENT | ENCIPHER_ONLY | DECIPHER_ONLY; } - if(name == "RSA" || name == "ElGamal") + if(can_encrypt) { permitted |= KEY_ENCIPHERMENT | DATA_ENCIPHERMENT; } - if(name == "RSA" || name == "DSA" || - name == "ECDSA" || name == "ECGDSA" || name == "ECKCDSA" || name == "GOST-34.10" || - name == "Ed25519") + if(can_sign) { permitted |= DIGITAL_SIGNATURE | NON_REPUDIATION | KEY_CERT_SIGN | CRL_SIGN; } diff --git a/src/lib/x509/x509_obj.cpp b/src/lib/x509/x509_obj.cpp index a48e088ac..dd1e51cd7 100644 --- a/src/lib/x509/x509_obj.cpp +++ b/src/lib/x509/x509_obj.cpp 
@@ -304,7 +304,9 @@ std::string choose_sig_algo(AlgorithmIdentifier& sig_algo, algo_name == "ECDSA" || algo_name == "ECGDSA" || algo_name == "ECKCDSA" || - algo_name == "GOST-34.10") + algo_name == "GOST-34.10" || + algo_name == "GOST-34.10-2012-256" || + algo_name == "GOST-34.10-2012-512") { padding = "EMSA1(" + hash_fn + ")"; } diff --git a/src/lib/x509/x509self.cpp b/src/lib/x509/x509self.cpp index 0c5e85491..d84544eff 100644 --- a/src/lib/x509/x509self.cpp +++ b/src/lib/x509/x509self.cpp @@ -62,6 +62,7 @@ X509_Certificate create_self_signed_cert(const X509_Cert_Options& opts, const std::vector pub_key = X509::BER_encode(key); std::unique_ptr signer(choose_sig_format(key, sig_opts, rng, hash_fn, sig_algo)); + BOTAN_ASSERT_NOMSG(sig_algo.get_oid().has_value()); load_info(opts, subject_dn, subject_alt); Extensions extensions = opts.extensions; -- cgit v1.2.3
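Review bot: The added `BOTAN_ASSERT_NOMSG(sig_algo.get_oid().has_value());` in `create_self_signed_cert` reports a missing signature OID as a bare assertion failure with no algorithm name. The checks added in emsa1.cpp and pk_keys.cpp in this same commit instead test `oid.empty()` and throw `Lookup_Error` naming the algorithm. If the line is meant as a defensive invariant after `choose_sig_format`, a short comment would make that clear, e.g. `// choose_sig_format must have filled in the signature OID`. If caller-supplied options can reach it, an explicit check in the same `Lookup_Error` style would tell the caller what went wrong. Other callers of `choose_sig_format` are outside this hunk, so whether they need the same guard cannot be judged from here.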