added PBE, moved some enums and C secmem out of qca_core

svn path=/trunk/kdesupport/qca/; revision=382285
2025-05-11 18:29:33 +00:00 · 2005-01-25 13:01:45 +00:00 · 2005-01-25 13:01:45 +00:00 · ca4a3a543d
commit ca4a3a543d
parent b9c40d98fc
11 changed files with 152 additions and 154 deletions
--- a/35
+++ b/35
@ -11,20 +11,20 @@
  threading (safety, usability) in API and plugins
  smart cards, external keyring drives
  it's possible we use QSecureArray in some unnecessary places
  don't forget to QCA_EXPORT everything
 * finish API:
  move secure memory C functions to qca_tools.h
  make public C functions to init in qca_tools.h, that qca_core will use
  cert/crl: Distinguished Names (Botan has X509_DN)
  cert: turn Info into an enum
  openpgp: be sure to support key expiration and validity
  shortcuts for reading/writing certs, etc, directly to files?
  cert: extensions
-  tls: session reuse
+  cert fingerprints (sha1 and md5)
  cert/csr/crl: path limit, subject/issuer ids (useful for create/validate)
  cert/csr: constraints, ex_constraints, policies (same as above)
  cert/csr: subjectAltName
  crl: issuer info, authority_key_id
  tls: session reuse
  openpgp: be sure to support key expiration and validity
  shortcuts for reading/writing certs, etc, directly to files?
  quoted-printable TextFilter
 * finish code for APIs:
@ -39,6 +39,15 @@
  default provider should have built-in sha1 and md5 (?)
  system store: all added certs need to be flagged as trusted
 * build system:
  on non-win/mac, allow specifying of flatfile store, else install/use built-in
  make sure it installs properly
 * qt 4 upgrade:
  new include styles
  use qmake .prf for auto-discovery by applications
  use qplugin
 * examples
  create example for BigInteger
  update cipher example (after API sorted out)
@ -51,23 +60,11 @@
  qca-openssl: need to implement locking callbacks.
  figure out why Valgrind reports so many memory leaks
 * consider new APIs:
  cert/pkey: fingerprints (is there a standard for this?)
  pkey: ability to choose cipher for toDER/PEM passphrase?
  personalbundle: cert chain vs cert + trusted certs?
 * build system:
  on non-win/mac, allow specifying of flatfile store, else install/use built-in
  make sure it installs properly
 * qt 4 upgrade:
  new include styles
  use qmake .prf for auto-discovery by applications
  use qplugin
 * possibilities for the future:
  xmldsig
  xmlenc (sort of done already in cutestuff/xmlsec, but need to qca-ify)
  advanced pgp functionality (full key info and ability to manipulate keyrings)
  Key wrapping - RFC3217 and RFC3394
  dtls (secure UDP)
  aes pbe algos
--- a/include/QtCrypto/qca_cert.h
+++ b/include/QtCrypto/qca_cert.h
@ -24,14 +24,12 @@
 #include <qmap.h>
 #include "qca_core.h"
 #include "qca_publickey.h"
 class QDateTime;
 namespace QCA
 {
 	class PublicKey;
 	class PrivateKey;
 	/**
 	   Certificate Request Format
 	*/
@ -41,6 +39,39 @@ namespace QCA
 		CSR_SPKAC   ///< Signed Public Key and Challenge (Netscape) format
 	};
 	/**
 	   The validity (or otherwise) of a certificate
 	*/
 	enum CertValidity
 	{
 		Valid,              ///< The certificate is valid
 		Rejected,           ///< The root CA rejected the certificate purpose
 		Untrusted,          ///< The certificate is not trusted
 		SignatureFailed,    ///< The signature does not match
 		InvalidCA,          ///< The Certificate Authority is invalid
 		InvalidPurpose,     ///< The purpose does not match the intended usage
 		SelfSigned,         ///< The certificate is self-signed, and is not
 		                    ///< found in the list of trusted certificates
 		Revoked,            ///< The certificate has been revoked
 		PathLengthExceeded, ///< The path length from the root CA to this certificate is too long
 		Expired,            ///< The certificate has expired
 		Unknown             ///< Validity is unknown
 	};
 	/**
 	   Specify the intended usage of a certificate
 	*/
 	enum CertUsage
 	{
 		Any             = 0x00, ///< Any application, or unspecified
 		TLSServer       = 0x01, ///< server side of a TLS or SSL connection
 		TLSClient       = 0x02, ///< client side of a TLS or SSL connection
 		CodeSigning     = 0x04, ///< code signing certificate
 		EmailProtection = 0x08, ///< email (S/MIME) certificate
 		TimeStamping    = 0x10, ///< time stamping certificate
 		CRLSigning      = 0x20  ///< certificate revocation list signing certificate
 	};
 	// note: in SPKAC mode, all options are ignored except for challenge
 	class QCA_EXPORT CertificateOptions
 	{
--- a/include/QtCrypto/qca_core.h
+++ b/include/QtCrypto/qca_core.h
@ -29,10 +29,6 @@
 #include "qca_export.h"
 #include "qca_tools.h"
 // Direct secure memory access.  For interfacing with C libraries if needed.
 QCA_EXPORT void *qca_secure_alloc(int bytes);
 QCA_EXPORT void qca_secure_free(void *p);
 /** 
 * QCA - the Qt Cryptographic Architecture
 */
@ -105,87 +101,6 @@ namespace QCA
 		Decode  ///< Operate in the "reverse" direction; for example, decrypting
 	};
 	enum DL_Group
 	{
 		DSA_512,
 		DSA_768,
 		DSA_1024,
 		IETF_768,
 		IETF_1024,
 		IETF_1536,
 		IETF_2048,
 		IETF_3072,
 		IETF_4096
 	};
 	/**
 	   Encryption algorithms
 	*/
 	enum EncAlgo
 	{
 		EME_PKCS1v15,  ///< Block type 2 (PKCD1, Version 1.5)
 		EME_PKCS1_OAEP ///< Optimal asymmetric encryption padding (PKCS1, Version 2.0)
 	};
 	/**
 	   Signature algorithm variants
 	*/
 	enum SignAlgo
 	{
 		SignUnknown, ///< Unknown signing algorithm
 		EMSA1_SHA1,  ///< SHA1, with EMSA1 (IEEE1363-2000) encoding (this is the usual DSA algorithm - FIPS186)
 		EMSA3_SHA1,  ///< SHA1, with EMSA3 (ie PKCS1 Version 1.5) encoding
 		EMSA3_MD5,   ///< MD5, with EMSA3 (ie PKCS1 Version 1.5) encoding (this is the usual RSA algorithm)
 		EMSA3_MD2,   ///< MD2, with EMSA3 (ie PKCS1 Version 1.5) encoding
 		EMSA3_RIPEMD160 ///< RIPEMD160, with EMSA3 (ie PKCS1 Version 1.5) encoding
 	};
 	/**
 	   The validity (or otherwise) of a certificate
 	*/
 	enum CertValidity
 	{
 		Valid,              ///< The certificate is valid
 		Rejected,           ///< The root CA rejected the certificate purpose
 		Untrusted,          ///< The certificate is not trusted
 		SignatureFailed,    ///< The signature does not match
 		InvalidCA,          ///< The Certificate Authority is invalid
 		InvalidPurpose,     ///< The purpose does not match the intended usage
 		SelfSigned,         ///< The certificate is self-signed, and is not
 		                    ///< found in the list of trusted certificates
 		Revoked,            ///< The certificate has been revoked
 		PathLengthExceeded, ///< The path length from the root CA to this certificate is too long
 		Expired,            ///< The certificate has expired
 		Unknown             ///< Validity is unknown
 	};
 	/**
 	   Specify the intended usage of a certificate
 	*/
 	enum CertUsage
 	{
 		Any             = 0x00, ///< Any application, or unspecified
 		TLSServer       = 0x01, ///< server side of a TLS or SSL connection
 		TLSClient       = 0x02, ///< client side of a TLS or SSL connection
 		CodeSigning     = 0x04, ///< code signing certificate
 		EmailProtection = 0x08, ///< email (S/MIME) certificate
 		TimeStamping    = 0x10, ///< time stamping certificate
 		CRLSigning      = 0x20  ///< certificate revocation list signing certificate
 	};
 	/**
 	 * Specify the lower-bound for acceptable TLS/SASL security layers
 	 */
 	enum SecurityLevel
 	{
 		SL_None,      ///< indicates that no security is ok
 		SL_Integrity, ///< must at least get integrity protection
 		SL_Export,    ///< must be export level bits or more
 		SL_Baseline,  ///< must be 128 bit or more
 		SL_High,      ///< must be more than 128 bit
 		SL_Highest    ///< SL_High or max possible, whichever is greater
 	};
 	/**
 	 * Initialise %QCA.
 	 * This call is not normally required, because it is cleaner
--- a/include/QtCrypto/qca_publickey.h
+++ b/include/QtCrypto/qca_publickey.h
@ -37,6 +37,51 @@ namespace QCA
 	class DHPublicKey;
 	class DHPrivateKey;
 	enum DL_Group
 	{
 		DSA_512,
 		DSA_768,
 		DSA_1024,
 		IETF_768,
 		IETF_1024,
 		IETF_1536,
 		IETF_2048,
 		IETF_3072,
 		IETF_4096
 	};
 	/**
 	   Encryption algorithms
 	*/
 	enum EncAlgo
 	{
 		EME_PKCS1v15,  ///< Block type 2 (PKCD1, Version 1.5)
 		EME_PKCS1_OAEP ///< Optimal asymmetric encryption padding (PKCS1, Version 2.0)
 	};
 	/**
 	   Signature algorithm variants
 	*/
 	enum SignAlgo
 	{
 		SignUnknown, ///< Unknown signing algorithm
 		EMSA1_SHA1,  ///< SHA1, with EMSA1 (IEEE1363-2000) encoding (this is the usual DSA algorithm - FIPS186)
 		EMSA3_SHA1,  ///< SHA1, with EMSA3 (ie PKCS1 Version 1.5) encoding
 		EMSA3_MD5,   ///< MD5, with EMSA3 (ie PKCS1 Version 1.5) encoding (this is the usual RSA algorithm)
 		EMSA3_MD2,   ///< MD2, with EMSA3 (ie PKCS1 Version 1.5) encoding
 		EMSA3_RIPEMD160 ///< RIPEMD160, with EMSA3 (ie PKCS1 Version 1.5) encoding
 	};
 	/**
 	   Password-based encryption
 	*/
 	enum PBEAlgo
 	{
 		PBEDefault,         ///< Use modern default (same as PBE2_TripleDES_SHA1)
 		PBE2_DES_SHA1,      ///< PKCS#5 v2.0 DES/CBC/SHA1
 		PBE2_TripleDES_SHA1 ///< PKCS#5 v2.0 TripleDES/CBC/SHA1
 	};
 	class QCA_EXPORT PKey : public Algorithm
 	{
 	public:
@ -137,8 +182,8 @@ namespace QCA
 		SymmetricKey deriveKey(const PublicKey &theirs);
 		// import / export
-		QSecureArray toDER(const QSecureArray &passphrase = QSecureArray() ) const;
+		QSecureArray toDER(const QSecureArray &passphrase = QSecureArray(), PBEAlgo pbe = PBEDefault) const;
-		QString toPEM(const QSecureArray &passphrase = QSecureArray() ) const;
+		QString toPEM(const QSecureArray &passphrase = QSecureArray(), PBEAlgo pbe = PBEDefault) const;
 		static PrivateKey fromDER(const QSecureArray &a, const QSecureArray &passphrase = QSecureArray(), const QString &provider = QString());
 		static PrivateKey fromPEM(const QString &s, const QSecureArray &passphrase = QSecureArray(), const QString &provider = QString());
--- a/include/QtCrypto/qca_securelayer.h
+++ b/include/QtCrypto/qca_securelayer.h
@ -24,15 +24,25 @@
 #include <qobject.h>
 #include "qca_core.h"
 #include "qca_publickey.h"
 #include "qca_cert.h"
 class QHostAddress;
 namespace QCA
 {
-	class PrivateKey;
+	/**
-	class Certificate;
+	 * Specify the lower-bound for acceptable TLS/SASL security layers
-	class CertificateChain;
+	 */
-	class Store;
+	enum SecurityLevel
 	{
 		SL_None,      ///< indicates that no security is ok
 		SL_Integrity, ///< must at least get integrity protection
 		SL_Export,    ///< must be export level bits or more
 		SL_Baseline,  ///< must be 128 bit or more
 		SL_High,      ///< must be more than 128 bit
 		SL_Highest    ///< SL_High or max possible, whichever is greater
 	};
 	// securefilter basic rule: after calling a function that might
 	//  affect something, call others to get the results.
--- a/include/QtCrypto/qca_securemessage.h
+++ b/include/QtCrypto/qca_securemessage.h
@ -24,15 +24,13 @@
 #include <qobject.h>
 #include "qca_core.h"
 #include "qca_publickey.h"
 #include "qca_cert.h"
 class QDateTime;
 namespace QCA
 {
 	class PrivateKey;
 	class Certificate;
 	class CertificateChain;
 	class Store;
 	class SecureMessageSystem;
 	class SecureMessageKey
--- a/include/QtCrypto/qca_tools.h
+++ b/include/QtCrypto/qca_tools.h
@ -26,6 +26,10 @@
 #include <qcstring.h>
 #include <qstring.h>
 // Direct secure memory access.  For interfacing with C libraries if needed.
 QCA_EXPORT void *qca_secure_alloc(int bytes);
 QCA_EXPORT void qca_secure_free(void *p);
 /**
 \class QSecureArray qca_tools.h QtCrypto
--- a/include/QtCrypto/qcaprovider.h
+++ b/include/QtCrypto/qcaprovider.h
@ -28,6 +28,7 @@
 #include <qhostaddress.h>
 #include "qca_core.h"
 #include "qca_basic.h"
 #include "qca_cert.h"
 #include <limits>
--- a/src/qca_core.cpp
+++ b/src/qca_core.cpp
@ -21,7 +21,6 @@
 #include "qca_core.h"
 #include <qptrdict.h>
 #include "qca_tools.h"
 #include "qca_plugin.h"
 #include "qca_textfilter.h"
@ -37,8 +36,6 @@ namespace QCA {
 // from qca_tools
 bool botan_init(int prealloc, bool mmap);
 void botan_deinit();
 void *botan_secure_alloc(int bytes);
 void botan_secure_free(void *p, int bytes);
 // from qca_default
 Provider *create_default_provider();
@ -48,7 +45,6 @@ Provider *create_default_provider();
 //----------------------------------------------------------------------------
 static QCA::ProviderManager *manager = 0;
 static QCA::Random *global_rng = 0;
 static QPtrDict<int> *memtable = 0;
 static bool qca_init = false;
 static bool qca_secmem = false;
@ -93,9 +89,6 @@ void init(MemoryMode mode, int prealloc)
 #endif
 	}
 	memtable = new QPtrDict<int>;
 	memtable->setAutoDelete(true);
 	manager = new ProviderManager;
 	manager->setDefault(create_default_provider()); // manager owns it
 }
@ -111,9 +104,6 @@ void deinit()
 	delete manager;
 	manager = 0;
 	delete memtable;
 	memtable = 0;
 	botan_deinit();
 	qca_secmem = false;
 	qca_init = false;
@ -254,27 +244,6 @@ QByteArray hexToArray(const QString &str)
 	return Hex().stringToArray(str).toByteArray();
 }
 } // namespace QCA
 void *qca_secure_alloc(int bytes)
 {
 	void *p = QCA::botan_secure_alloc(bytes);
 	QCA::memtable->insert(p, new int(bytes));
 	return p;
 }
 void qca_secure_free(void *p)
 {
 	int *bytes = QCA::memtable->find(p);
 	if(bytes)
 	{
 		QCA::botan_secure_free(p, *bytes);
 		QCA::memtable->remove(p);
 	}
 }
 namespace QCA {
 Provider::Context *getContext(const QString &type, const QString &provider)
 {
 	init();
--- a/src/qca_publickey.cpp
+++ b/src/qca_publickey.cpp
@ -396,13 +396,15 @@ SymmetricKey PrivateKey::deriveKey(const PublicKey &theirs)
 	return ((PKeyContext *)context())->key()->deriveKey(*(theirContext->key()));
 }
-QSecureArray PrivateKey::toDER(const QSecureArray &passphrase) const
+QSecureArray PrivateKey::toDER(const QSecureArray &passphrase, PBEAlgo pbe) const
 {
 	Q_UNUSED(pbe);
 	return ((PKeyContext *)context())->privateToDER(passphrase);
 }
-QString PrivateKey::toPEM(const QSecureArray &passphrase) const
+QString PrivateKey::toPEM(const QSecureArray &passphrase, PBEAlgo pbe) const
 {
 	Q_UNUSED(pbe);
 	return ((PKeyContext *)context())->privateToPEM(passphrase);
 }
--- a/src/qca_tools.cpp
+++ b/src/qca_tools.cpp
@ -19,16 +19,18 @@
 *
 */
 #include "qtextstream.h"
 #include "qca_tools.h"
 #include <qptrdict.h>
 #include <qtextstream.h>
 #ifdef Q_OS_UNIX
 # include <stdlib.h>
 # include <sys/mman.h>
 #endif
 #include "botantools/botantools.h"
-using namespace QCA;
+namespace QCA {
 static bool can_lock()
 {
@ -55,11 +57,10 @@ static void add_mmap()
 #endif
 }
 namespace QCA {
 // Botan shouldn't throw any exceptions in our init/deinit.
 static const Botan::SecureAllocator *alloc = 0;
 static QPtrDict<int> *memtable = 0;
 bool botan_init(int prealloc, bool mmap)
 {
@ -88,11 +89,17 @@ bool botan_init(int prealloc, bool mmap)
 	}
 	alloc = Botan::get_allocator("default");
 	memtable = new QPtrDict<int>;
 	memtable->setAutoDelete(true);
 	return secmem;
 }
 void botan_deinit()
 {
 	delete memtable;
 	memtable = 0;
 	alloc = 0;
 	Botan::Init::shutdown_memory_subsystem();
 	Botan::Init::set_mutex_type(0);
@ -108,8 +115,27 @@ void botan_secure_free(void *p, int bytes)
 	alloc->deallocate(p, (Botan::u32bit)bytes);
 }
 } // end namespace QCA
 void *qca_secure_alloc(int bytes)
 {
 	void *p = QCA::botan_secure_alloc(bytes);
 	QCA::memtable->insert(p, new int(bytes));
 	return p;
 }
 void qca_secure_free(void *p)
 {
 	int *bytes = QCA::memtable->find(p);
 	if(bytes)
 	{
 		QCA::botan_secure_free(p, *bytes);
 		QCA::memtable->remove(p);
 	}
 }
 using namespace QCA;
 //----------------------------------------------------------------------------
 // QSecureArray
 //----------------------------------------------------------------------------