Make OpenSSL an hcrypto backend proper
This adds a new backend for libhcrypto: the OpenSSL backend. Now libhcrypto has these backends: - hcrypto itself (i.e., the algorithms coded in lib/hcrypto) - Common Crypto (OS X) - PKCS#11 (specifically for Solaris, but not Solaris-specific) - Windows CNG (Windows) - OpenSSL (generic) The ./configure --with-openssl=... option no longer disables the use of hcrypto. Instead it enables the use of OpenSSL as a (and the default) backend in libhcrypto. The libhcrypto framework is now always used. OpenSSL should no longer be used directly within Heimdal, except in the OpenSSL hcrypto backend itself, and files where elliptic curve (EC) crypto is needed. Because libhcrypto's EC support is incomplete, we can only use OpenSSL for EC. Currently that means separating all EC-using code so that it does not use hcrypto, thus the libhx509/hxtool and PKINIT EC code has been moved out of the files it used to be in.
This commit is contained in:
Nicolas Williams
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2004 - 2006 Kungliga Tekniska Högskolan
|
||||
* Copyright (c) 2004 - 2016 Kungliga Tekniska Högskolan
|
||||
* (Royal Institute of Technology, Stockholm, Sweden).
|
||||
* All rights reserved.
|
||||
*
|
||||
@@ -70,8 +70,16 @@
|
||||
|
||||
#include <der.h>
|
||||
|
||||
/*
|
||||
* We use OpenSSL for EC, but to do this we need to disable cross-references
|
||||
* between OpenSSL and hcrypto bn.h and such. Source files that use OpenSSL EC
|
||||
* must define HEIM_NO_CRYPTO_HDRS before including this file.
|
||||
*/
|
||||
|
||||
#define HC_DEPRECATED_CRYPTO
|
||||
#ifndef HEIM_NO_CRYPTO_HDRS
|
||||
#include "crypto-headers.h"
|
||||
#endif
|
||||
|
||||
struct hx509_keyset_ops;
|
||||
struct hx509_collector;
|
||||
@@ -213,6 +221,95 @@ extern const AlgorithmIdentifier * _hx509_crypto_default_sig_alg;
|
||||
extern const AlgorithmIdentifier * _hx509_crypto_default_digest_alg;
|
||||
extern const AlgorithmIdentifier * _hx509_crypto_default_secret_alg;
|
||||
|
||||
/*
|
||||
* Private bits from crypto.c, so crypto-ec.c can also see them.
|
||||
*
|
||||
* This is part of the use-OpenSSL-for-EC hack.
|
||||
*/
|
||||
|
||||
struct hx509_crypto;
|
||||
|
||||
struct signature_alg;
|
||||
|
||||
struct hx509_generate_private_context {
|
||||
const heim_oid *key_oid;
|
||||
int isCA;
|
||||
unsigned long num_bits;
|
||||
};
|
||||
|
||||
struct hx509_private_key_ops {
|
||||
const char *pemtype;
|
||||
const heim_oid *key_oid;
|
||||
int (*available)(const hx509_private_key,
|
||||
const AlgorithmIdentifier *);
|
||||
int (*get_spki)(hx509_context,
|
||||
const hx509_private_key,
|
||||
SubjectPublicKeyInfo *);
|
||||
int (*export)(hx509_context context,
|
||||
const hx509_private_key,
|
||||
hx509_key_format_t,
|
||||
heim_octet_string *);
|
||||
int (*import)(hx509_context, const AlgorithmIdentifier *,
|
||||
const void *, size_t, hx509_key_format_t,
|
||||
hx509_private_key);
|
||||
int (*generate_private_key)(hx509_context,
|
||||
struct hx509_generate_private_context *,
|
||||
hx509_private_key);
|
||||
BIGNUM *(*get_internal)(hx509_context, hx509_private_key, const char *);
|
||||
};
|
||||
|
||||
struct hx509_private_key {
|
||||
unsigned int ref;
|
||||
const struct signature_alg *md;
|
||||
const heim_oid *signature_alg;
|
||||
union {
|
||||
RSA *rsa;
|
||||
void *keydata;
|
||||
void *ecdsa; /* EC_KEY */
|
||||
} private_key;
|
||||
hx509_private_key_ops *ops;
|
||||
};
|
||||
|
||||
/*
|
||||
*
|
||||
*/
|
||||
|
||||
struct signature_alg {
|
||||
const char *name;
|
||||
const heim_oid *sig_oid;
|
||||
const AlgorithmIdentifier *sig_alg;
|
||||
const heim_oid *key_oid;
|
||||
const AlgorithmIdentifier *digest_alg;
|
||||
int flags;
|
||||
#define PROVIDE_CONF 0x1
|
||||
#define REQUIRE_SIGNER 0x2
|
||||
#define SELF_SIGNED_OK 0x4
|
||||
#define WEAK_SIG_ALG 0x8
|
||||
|
||||
#define SIG_DIGEST 0x100
|
||||
#define SIG_PUBLIC_SIG 0x200
|
||||
#define SIG_SECRET 0x400
|
||||
|
||||
#define RA_RSA_USES_DIGEST_INFO 0x1000000
|
||||
|
||||
time_t best_before; /* refuse signature made after best before date */
|
||||
const EVP_MD *(*evp_md)(void);
|
||||
int (*verify_signature)(hx509_context context,
|
||||
const struct signature_alg *,
|
||||
const Certificate *,
|
||||
const AlgorithmIdentifier *,
|
||||
const heim_octet_string *,
|
||||
const heim_octet_string *);
|
||||
int (*create_signature)(hx509_context,
|
||||
const struct signature_alg *,
|
||||
const hx509_private_key,
|
||||
const AlgorithmIdentifier *,
|
||||
const heim_octet_string *,
|
||||
AlgorithmIdentifier *,
|
||||
heim_octet_string *);
|
||||
int digest_size;
|
||||
};
|
||||
|
||||
/*
|
||||
* Configurable options
|
||||
*/
|
||||
|
||||
Reference in New Issue
Block a user