author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2010-05-22 20:46:36 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2010-05-22 20:46:36 +0200 |
commit | c17f26a6835c94d5c8e03479490e15d00c247501 (patch) | |
tree | 2d37e9d14474fb5b3a8a2e3ec131bcf74da39b8f | |
parent | 548da8184e5b117dc783e71a582347602173d302 (diff) | |
download | gnutls-c17f26a6835c94d5c8e03479490e15d00c247501.tar.gz |
Added gnutls_pubkey_verify_hash(), gnutls_pubkey_get_verify_algorithm().
-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | lib/gnutls_pubkey.c | 88 | ||||
-rw-r--r-- | lib/includes/gnutls/abstract.h | 8 | ||||
-rw-r--r-- | lib/libgnutls.map | 2 | ||||
-rw-r--r-- | lib/x509/common.h | 6 | ||||
-rw-r--r-- | lib/x509/verify.c | 33 | ||||
-rw-r--r-- | lib/x509/x509.c | 30 | ||||
-rw-r--r-- | lib/x509/x509_int.h | 10 |
8 files changed, 147 insertions, 32 deletions
@@ -88,6 +88,8 @@ gnutls_pubkey_get_pk_dsa_raw: ADDED gnutls_pubkey_export: ADDED gnutls_pubkey_get_key_id: ADDED gnutls_pubkey_get_key_usage: ADDED +gnutls_pubkey_verify_hash: ADDED +gnutls_pubkey_get_verify_algorithm: ADDED gnutls_pkcs11_type_get_name: ADDED gnutls_pubkey_import_pkcs11_url: ADDED gnutls_pubkey_import: ADDED diff --git a/lib/gnutls_pubkey.c b/lib/gnutls_pubkey.c index 67dc916a6d..d5a3cbabd7 100644 --- a/lib/gnutls_pubkey.c +++ b/lib/gnutls_pubkey.c @@ -409,7 +409,7 @@ gnutls_pubkey_get_key_id(gnutls_pubkey_t key, unsigned int flags, /** * gnutls_pubkey_get_pk_rsa_raw: - * @crt: Holds the certificate + * @key: Holds the certificate * @m: will hold the modulus * @e: will hold the public exponent * @@ -453,7 +453,7 @@ gnutls_pubkey_get_pk_rsa_raw(gnutls_pubkey_t key, /** * gnutls_pubkey_get_pk_dsa_raw: - * @crt: Holds the certificate + * @key: Holds the public key * @p: will hold the p * @q: will hold the q * @g: will hold the g @@ -611,6 +611,17 @@ int gnutls_pubkey_import(gnutls_pubkey_t key, return result; } +/** + * gnutls_x509_crt_set_pubkey: + * @crt: should contain a #gnutls_x509_crt_t structure + * @key: holds a public key + * + * This function will set the public parameters from the given public + * key to the request. + * + * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a + * negative error value. + **/ int gnutls_x509_crt_set_pubkey(gnutls_x509_crt_t crt, gnutls_pubkey_t key) { int result; @@ -637,6 +648,17 @@ int gnutls_x509_crt_set_pubkey(gnutls_x509_crt_t crt, gnutls_pubkey_t key) return 0; } +/** + * gnutls_x509_crq_set_pubkey: + * @crq: should contain a #gnutls_x509_crq_t structure + * @key: holds a public key + * + * This function will set the public parameters from the given public + * key to the request. + * + * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a + * negative error value. + **/ int gnutls_x509_crq_set_pubkey(gnutls_x509_crq_t crq, gnutls_pubkey_t key) { int result; 
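Review bot: The doc comment added above gnutls_x509_crt_set_pubkey describes the wrong object: it says the public parameters are set "to the request", which fits the gnutls_x509_crq_set_pubkey comment added in the next hunk, while this function takes a certificate. I would change that line to `* key to the certificate.` In the earlier gnutls_pubkey_get_pk_rsa_raw hunk the renamed parameter still reads `@key: Holds the certificate`; the DSA variant was corrected to `* @key: Holds the public key`, and the RSA one should match.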
@@ -818,3 +840,65 @@ gnutls_pubkey_import_dsa_raw(gnutls_pubkey_t key, return 0; } + +/** + * gnutls_pubkey_verify_hash: + * @key: Holds the certificate + * @flags: should be 0 for now + * @hash: holds the hash digest to be verified + * @signature: contains the signature + * + * This function will verify the given signed digest, using the + * parameters from the certificate. + * + * Returns: In case of a verification failure 0 is returned, and 1 on + * success. + **/ +int +gnutls_pubkey_verify_hash (gnutls_pubkey_t key, unsigned int flags, + const gnutls_datum_t * hash, + const gnutls_datum_t * signature) +{ + int ret; + + if (key == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; + } + + ret = + pubkey_verify_sig (NULL, hash, signature, key->pk_algorithm, + key->params, key->params_size); + + return ret; +} + +/** + * gnutls_pubkey_get_verify_algorithm: + * @key: Holds the certificate + * @signature: contains the signature + * @hash: The result of the call with the hash algorithm used for signature + * + * This function will read the certifcate and the signed data to + * determine the hash algorithm used to generate the signature. + * + * Returns: the 0 if the hash algorithm is found. A negative value is + * returned on error. + **/ +int +gnutls_pubkey_get_verify_algorithm (gnutls_pubkey_t key, + const gnutls_datum_t * signature, + gnutls_digest_algorithm_t * hash) +{ + if (key == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_verify_algorithm ((gnutls_mac_algorithm_t *) hash, + signature, key->pk_algorithm, key->params, + key->params_size); + +} diff --git a/lib/includes/gnutls/abstract.h b/lib/includes/gnutls/abstract.h index a02e9c475f..5e14890672 100644 --- a/lib/includes/gnutls/abstract.h +++ b/lib/includes/gnutls/abstract.h 
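Review bot: The `Returns:` text of gnutls_pubkey_verify_hash promises only 0 (failure) or 1 (success), but the body returns GNUTLS_E_INVALID_REQUEST for a NULL key and otherwise hands back the result of pubkey_verify_sig unchanged, which the callers in lib/x509/verify.c test with `ret < 0`. A caller that follows the documentation and writes `if (gnutls_pubkey_verify_hash (...))` would treat a negative error as a valid signature, so the comment should read `* Returns: 1 if the signature verifies, 0 if it does not, and a negative error value on error.` `flags` is documented as "should be 0 for now" but is never read; rejecting a non-zero value with GNUTLS_E_INVALID_REQUEST would keep those bits free for later use. Both new comments also describe `@key` as "Holds the certificate" rather than the public key, and the second one misspells "certifcate".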
@@ -61,6 +61,14 @@ int gnutls_x509_crt_set_pubkey (gnutls_x509_crt_t crt, int gnutls_x509_crq_set_pubkey (gnutls_x509_crq_t crq, gnutls_pubkey_t key); +int +gnutls_pubkey_verify_hash (gnutls_pubkey_t key, unsigned int flags, + const gnutls_datum_t * hash, + const gnutls_datum_t * signature); +int +gnutls_pubkey_get_verify_algorithm (gnutls_pubkey_t key, + const gnutls_datum_t * signature, + gnutls_digest_algorithm_t * hash); /* Private key operations */ diff --git a/lib/libgnutls.map b/lib/libgnutls.map index 724771f2fb..2bdf696165 100644 --- a/lib/libgnutls.map +++ b/lib/libgnutls.map @@ -665,6 +665,8 @@ GNUTLS_2_11 gnutls_pubkey_import_dsa_raw; gnutls_pubkey_import_rsa_raw; gnutls_pubkey_import_pkcs11_url; + gnutls_pubkey_get_verify_algorithm; + gnutls_pubkey_verify_hash; gnutls_pkcs11_obj_export; gnutls_pubkey_import; gnutls_x509_crt_set_pubkey; diff --git a/lib/x509/common.h b/lib/x509/common.h index bf73cb928a..2892fb6313 100644 --- a/lib/x509/common.h +++ b/lib/x509/common.h @@ -137,4 +137,10 @@ int _gnutls_get_key_id (gnutls_pk_algorithm_t pk, bigint_t* params, int params_s void _asnstr_append_name(char* name, size_t name_size, const char* part1, const char* part2); +int pubkey_verify_sig (const gnutls_datum_t * tbs, + const gnutls_datum_t * hash, + const gnutls_datum_t * signature, + gnutls_pk_algorithm_t pk, bigint_t * issuer_params, + int issuer_params_size); + #endif diff --git a/lib/x509/verify.c b/lib/x509/verify.c index 569f4a45fd..b74c06f7e1 100644 --- a/lib/x509/verify.c +++ b/lib/x509/verify.c @@ -823,8 +823,8 @@ dsa_verify_sig (const gnutls_datum_t * text, /* Verifies the signature data, and returns 0 if not verified, * or 1 otherwise. */ -static int -verify_sig (const gnutls_datum_t * tbs, +int +pubkey_verify_sig (const gnutls_datum_t * tbs, const gnutls_datum_t * hash, const gnutls_datum_t * signature, gnutls_pk_algorithm_t pk, bigint_t * issuer_params, 
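Review bot: Dropping `static` in the lib/x509/verify.c hunk turns verify_sig into a cross-file symbol named `pubkey_verify_sig`, without the `_gnutls_` prefix that the other internal entry points on this page carry (`_gnutls_x509_verify_algorithm`, `_gnutls_x509_verify_signature`); `_gnutls_pubkey_verify_sig` would keep it out of the application namespace in static builds. The comment above it still says it "returns 0 if not verified, or 1 otherwise", although its callers check `ret < 0`. Now that it is declared in lib/x509/common.h, the prototype there deserves a comment such as `/* Returns 1 if verified, 0 if not, negative on error. */`. The function body lies outside the hunk, so the negative return path is inferred from the callers.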
@@ -865,42 +865,25 @@ verify_sig (const gnutls_datum_t * tbs, int _gnutls_x509_verify_algorithm (gnutls_mac_algorithm_t * hash, const gnutls_datum_t * signature, - const gnutls_x509_crt_t issuer) + gnutls_pk_algorithm pk, + bigint_t* issuer_params, unsigned int issuer_params_size) { - bigint_t issuer_params[MAX_PUBLIC_PARAMS_SIZE]; opaque digest[MAX_HASH_SIZE]; gnutls_datum_t decrypted; - int issuer_params_size; int digest_size; - int ret, i; + int ret; - switch (gnutls_x509_crt_get_pk_algorithm (issuer, NULL)) + switch(pk) { case GNUTLS_PK_DSA: if (hash) *hash = GNUTLS_MAC_SHA1; return 0; - case GNUTLS_PK_RSA: - issuer_params_size = MAX_PUBLIC_PARAMS_SIZE; - ret = - _gnutls_x509_crt_get_mpis (issuer, issuer_params, - &issuer_params_size); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - ret = _gnutls_pkcs1_rsa_decrypt (&decrypted, signature, issuer_params, issuer_params_size, 1); - /* release allocated mpis */ - for (i = 0; i < issuer_params_size; i++) - { - _gnutls_mpi_release (&issuer_params[i]); - } if (ret < 0) { @@ -960,7 +943,7 @@ _gnutls_x509_verify_signature (const gnutls_datum_t * tbs, } ret = - verify_sig (tbs, hash, signature, + pubkey_verify_sig (tbs, hash, signature, gnutls_x509_crt_get_pk_algorithm (issuer, NULL), issuer_params, issuer_params_size); if (ret < 0) @@ -991,7 +974,7 @@ _gnutls_x509_privkey_verify_signature (const gnutls_datum_t * tbs, { int ret; - ret = verify_sig (tbs, NULL, signature, issuer->pk_algorithm, + ret = pubkey_verify_sig (tbs, NULL, signature, issuer->pk_algorithm, issuer->params, issuer->params_size); if (ret < 0) { diff --git a/lib/x509/x509.c b/lib/x509/x509.c index eca9bc5f42..0e00b41812 100644 --- a/lib/x509/x509.c +++ b/lib/x509/x509.c 
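Review bot: The new `_gnutls_x509_verify_algorithm` signature spells its types differently from the rest of the change: `gnutls_pk_algorithm pk` where pubkey_verify_sig uses `gnutls_pk_algorithm_t`, and `unsigned int issuer_params_size` where pubkey_verify_sig and the caller in lib/x509/x509.c use `int`. I would write `gnutls_pk_algorithm_t pk, bigint_t * issuer_params, int issuer_params_size)` here and in the matching prototype in lib/x509/x509_int.h. The function no longer extracts or releases the MPIs itself, so a header comment stating that the caller owns `issuer_params` would help the next reader. The remainder of the switch, including any default branch, is outside the hunk.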
@@ -2504,14 +2504,37 @@ gnutls_x509_crt_get_verify_algorithm (gnutls_x509_crt_t crt, const gnutls_datum_t * signature, gnutls_digest_algorithm_t * hash) { + bigint_t issuer_params[MAX_PUBLIC_PARAMS_SIZE]; + int issuer_params_size; + int ret, i; + if (crt == NULL) { gnutls_assert (); return GNUTLS_E_INVALID_REQUEST; } - return _gnutls_x509_verify_algorithm ((gnutls_mac_algorithm_t *) hash, - signature, crt); + issuer_params_size = MAX_PUBLIC_PARAMS_SIZE; + ret = + _gnutls_x509_crt_get_mpis (crt, issuer_params, + &issuer_params_size); + if (ret < 0) + { + gnutls_assert (); + return ret; + } + + ret = _gnutls_x509_verify_algorithm ((gnutls_mac_algorithm_t *) hash, + signature, gnutls_x509_crt_get_pk_algorithm (crt, NULL), + issuer_params, issuer_params_size); + + /* release allocated mpis */ + for (i = 0; i < issuer_params_size; i++) + { + _gnutls_mpi_release (&issuer_params[i]); + } + + return ret; } /** @@ -2523,6 +2546,9 @@ gnutls_x509_crt_get_verify_algorithm (gnutls_x509_crt_t crt, * * This function will verify the given signed data, using the * parameters from the certificate. + * + * Note: Use gnutls_x509_crt_verify_hash() instead. This function + * does not do the implied hashing of the data. * * Returns: In case of a verification failure 0 is returned, and 1 on * success. diff --git a/lib/x509/x509_int.h b/lib/x509/x509_int.h index c1f4126337..f4000a5aae 100644 --- a/lib/x509/x509_int.h +++ b/lib/x509/x509_int.h 
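Review bot: In gnutls_x509_crt_get_verify_algorithm the result of `gnutls_x509_crt_get_pk_algorithm (crt, NULL)` is passed straight through as `pk` with no check for a negative error value; whether that is caught depends on the switch's default branch in lib/x509/verify.c, which is not visible here. The MPI extraction now also runs before the algorithm is known, so a DSA certificate can fail in `_gnutls_x509_crt_get_mpis` even though the DSA branch shown in verify.c returns without reading the parameters. Reading the algorithm first, before the `_gnutls_x509_crt_get_mpis` call, addresses both: `pk = gnutls_x509_crt_get_pk_algorithm (crt, NULL);` followed by `if (pk < 0) { gnutls_assert (); return pk; }`. The function's opening lines are outside the hunk.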
@@ -180,9 +180,13 @@ int _gnutls_parse_general_name (ASN1_TYPE src, const char *src_name, /* verify.c */ int gnutls_x509_crt_is_issuer (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer); -int _gnutls_x509_verify_algorithm (gnutls_mac_algorithm_t * hash, - const gnutls_datum_t * signature, - const gnutls_x509_crt_t crt); + +int +_gnutls_x509_verify_algorithm (gnutls_mac_algorithm_t * hash, + const gnutls_datum_t * signature, + gnutls_pk_algorithm pk, + bigint_t* issuer_params, unsigned int issuer_params_size); + int _gnutls_x509_verify_signature (const gnutls_datum_t * tbs, const gnutls_datum_t * hash, const gnutls_datum_t * signature, |