Added gnutls_pubkey_verify_hash(), gnutls_pubkey_get_verify_algorithm().

8 files changed, 147 insertions, 32 deletions

diff --git a/NEWS b/NEWS
index 69b3390e3f..65b132a382 100644
--- a/NEWS
+++ b/NEWS
@@ -88,6 +88,8 @@ gnutls_pubkey_get_pk_dsa_raw: ADDED
 gnutls_pubkey_export: ADDED
 gnutls_pubkey_get_key_id: ADDED
 gnutls_pubkey_get_key_usage: ADDED
+gnutls_pubkey_verify_hash: ADDED
+gnutls_pubkey_get_verify_algorithm: ADDED
 gnutls_pkcs11_type_get_name: ADDED
 gnutls_pubkey_import_pkcs11_url: ADDED
 gnutls_pubkey_import: ADDED
diff --git a/lib/gnutls_pubkey.c b/lib/gnutls_pubkey.c
index 67dc916a6d..d5a3cbabd7 100644
--- a/lib/gnutls_pubkey.c
+++ b/lib/gnutls_pubkey.c
@@ -409,7 +409,7 @@ gnutls_pubkey_get_key_id(gnutls_pubkey_t key, unsigned int flags,
 
 /**
  * gnutls_pubkey_get_pk_rsa_raw:
- * @crt: Holds the certificate
+ * @key: Holds the certificate
  * @m: will hold the modulus
  * @e: will hold the public exponent
  *
@@ -453,7 +453,7 @@ gnutls_pubkey_get_pk_rsa_raw(gnutls_pubkey_t key,
 
 /**
  * gnutls_pubkey_get_pk_dsa_raw:
- * @crt: Holds the certificate
+ * @key: Holds the public key
  * @p: will hold the p
  * @q: will hold the q
  * @g: will hold the g
@@ -611,6 +611,17 @@ int gnutls_pubkey_import(gnutls_pubkey_t key,
 	return result;
 }
 
+/**
+ * gnutls_x509_crt_set_pubkey:
+ * @crt: should contain a #gnutls_x509_crt_t structure
+ * @key: holds a public key
+ *
+ * This function will set the public parameters from the given public
+ * key to the request. 
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ *   negative error value.
+ **/
 int gnutls_x509_crt_set_pubkey(gnutls_x509_crt_t crt, gnutls_pubkey_t key)
 {
 	int result;
@@ -637,6 +648,17 @@ int gnutls_x509_crt_set_pubkey(gnutls_x509_crt_t crt, gnutls_pubkey_t key)
 	return 0;
 }
 
+/**
+ * gnutls_x509_crq_set_pubkey:
+ * @crq: should contain a #gnutls_x509_crq_t structure
+ * @key: holds a public key
+ *
+ * This function will set the public parameters from the given public
+ * key to the request. 
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ *   negative error value.
+ **/
 int gnutls_x509_crq_set_pubkey(gnutls_x509_crq_t crq, gnutls_pubkey_t key)
 {
 	int result;
@@ -818,3 +840,65 @@ gnutls_pubkey_import_dsa_raw(gnutls_pubkey_t key,
 	return 0;
 
 }
+
+/**
+ * gnutls_pubkey_verify_hash:
+ * @key: Holds the certificate
+ * @flags: should be 0 for now
+ * @hash: holds the hash digest to be verified
+ * @signature: contains the signature
+ *
+ * This function will verify the given signed digest, using the
+ * parameters from the certificate.
+ *
+ * Returns: In case of a verification failure 0 is returned, and 1 on
+ * success.
+ **/
+int
+gnutls_pubkey_verify_hash (gnutls_pubkey_t key, unsigned int flags,
+			     const gnutls_datum_t * hash,
+			     const gnutls_datum_t * signature)
+{
+  int ret;
+
+  if (key == NULL)
+    {
+      gnutls_assert ();
+      return GNUTLS_E_INVALID_REQUEST;
+    }
+
+   ret =
+    pubkey_verify_sig (NULL, hash, signature, key->pk_algorithm,
+		key->params, key->params_size);
+
+  return ret;
+}
+
+/**
+ * gnutls_pubkey_get_verify_algorithm:
+ * @key: Holds the certificate
+ * @signature: contains the signature
+ * @hash: The result of the call with the hash algorithm used for signature
+ *
+ * This function will read the certifcate and the signed data to
+ * determine the hash algorithm used to generate the signature.
+ *
+ * Returns: the 0 if the hash algorithm is found. A negative value is
+ * returned on error.
+ **/
+int
+gnutls_pubkey_get_verify_algorithm (gnutls_pubkey_t key,
+				      const gnutls_datum_t * signature,
+				      gnutls_digest_algorithm_t * hash)
+{
+  if (key == NULL)
+    {
+      gnutls_assert ();
+      return GNUTLS_E_INVALID_REQUEST;
+    }
+
+  return _gnutls_x509_verify_algorithm ((gnutls_mac_algorithm_t *) hash,
+			signature, key->pk_algorithm, key->params,
+			key->params_size);
+
+}
diff --git a/lib/includes/gnutls/abstract.h b/lib/includes/gnutls/abstract.h
index a02e9c475f..5e14890672 100644
--- a/lib/includes/gnutls/abstract.h
+++ b/lib/includes/gnutls/abstract.h
@@ -61,6 +61,14 @@ int gnutls_x509_crt_set_pubkey (gnutls_x509_crt_t crt,
 int gnutls_x509_crq_set_pubkey (gnutls_x509_crq_t crq,
 			       gnutls_pubkey_t key);
 
+int
+gnutls_pubkey_verify_hash (gnutls_pubkey_t key, unsigned int flags,
+			     const gnutls_datum_t * hash,
+			     const gnutls_datum_t * signature);
+int
+gnutls_pubkey_get_verify_algorithm (gnutls_pubkey_t key,
+				      const gnutls_datum_t * signature,
+				      gnutls_digest_algorithm_t * hash);
 
 /* Private key operations */
 
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index 724771f2fb..2bdf696165 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -665,6 +665,8 @@ GNUTLS_2_11
 	gnutls_pubkey_import_dsa_raw;
 	gnutls_pubkey_import_rsa_raw;
 	gnutls_pubkey_import_pkcs11_url;
+	gnutls_pubkey_get_verify_algorithm;
+	gnutls_pubkey_verify_hash;
 	gnutls_pkcs11_obj_export;
 	gnutls_pubkey_import;
 	gnutls_x509_crt_set_pubkey;
diff --git a/lib/x509/common.h b/lib/x509/common.h
index bf73cb928a..2892fb6313 100644
--- a/lib/x509/common.h
+++ b/lib/x509/common.h
@@ -137,4 +137,10 @@ int _gnutls_get_key_id (gnutls_pk_algorithm_t pk, bigint_t* params, int params_s
 
 void _asnstr_append_name(char* name, size_t name_size, const char* part1, const char* part2);
 
+int pubkey_verify_sig (const gnutls_datum_t * tbs,
+	    const gnutls_datum_t * hash,
+	    const gnutls_datum_t * signature,
+	    gnutls_pk_algorithm_t pk, bigint_t * issuer_params,
+	    int issuer_params_size);
+
 #endif
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 569f4a45fd..b74c06f7e1 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -823,8 +823,8 @@ dsa_verify_sig (const gnutls_datum_t * text,
 /* Verifies the signature data, and returns 0 if not verified,
  * or 1 otherwise.
  */
-static int
-verify_sig (const gnutls_datum_t * tbs,
+int
+pubkey_verify_sig (const gnutls_datum_t * tbs,
 	    const gnutls_datum_t * hash,
 	    const gnutls_datum_t * signature,
 	    gnutls_pk_algorithm_t pk, bigint_t * issuer_params,
@@ -865,42 +865,25 @@ verify_sig (const gnutls_datum_t * tbs,
 int
 _gnutls_x509_verify_algorithm (gnutls_mac_algorithm_t * hash,
 			       const gnutls_datum_t * signature,
-			       const gnutls_x509_crt_t issuer)
+			       gnutls_pk_algorithm pk,
+			       bigint_t* issuer_params, unsigned int issuer_params_size)
 {
-  bigint_t issuer_params[MAX_PUBLIC_PARAMS_SIZE];
   opaque digest[MAX_HASH_SIZE];
   gnutls_datum_t decrypted;
-  int issuer_params_size;
   int digest_size;
-  int ret, i;
+  int ret;
 
-  switch (gnutls_x509_crt_get_pk_algorithm (issuer, NULL))
+  switch(pk)
     {
     case GNUTLS_PK_DSA:
       if (hash)
 	*hash = GNUTLS_MAC_SHA1;
       return 0;
-
     case GNUTLS_PK_RSA:
-      issuer_params_size = MAX_PUBLIC_PARAMS_SIZE;
-      ret =
-	_gnutls_x509_crt_get_mpis (issuer, issuer_params,
-				   &issuer_params_size);
-      if (ret < 0)
-	{
-	  gnutls_assert ();
-	  return ret;
-	}
-
       ret =
 	_gnutls_pkcs1_rsa_decrypt (&decrypted, signature,
 				   issuer_params, issuer_params_size, 1);
 
-      /* release allocated mpis */
-      for (i = 0; i < issuer_params_size; i++)
-	{
-	  _gnutls_mpi_release (&issuer_params[i]);
-	}
 
       if (ret < 0)
 	{
@@ -960,7 +943,7 @@ _gnutls_x509_verify_signature (const gnutls_datum_t * tbs,
     }
 
   ret =
-    verify_sig (tbs, hash, signature,
+    pubkey_verify_sig (tbs, hash, signature,
 		gnutls_x509_crt_get_pk_algorithm (issuer, NULL),
 		issuer_params, issuer_params_size);
   if (ret < 0)
@@ -991,7 +974,7 @@ _gnutls_x509_privkey_verify_signature (const gnutls_datum_t * tbs,
 {
   int ret;
 
-  ret = verify_sig (tbs, NULL, signature, issuer->pk_algorithm,
+  ret = pubkey_verify_sig (tbs, NULL, signature, issuer->pk_algorithm,
 		    issuer->params, issuer->params_size);
   if (ret < 0)
     {
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index eca9bc5f42..0e00b41812 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -2504,14 +2504,37 @@ gnutls_x509_crt_get_verify_algorithm (gnutls_x509_crt_t crt,
 				      const gnutls_datum_t * signature,
 				      gnutls_digest_algorithm_t * hash)
 {
+  bigint_t issuer_params[MAX_PUBLIC_PARAMS_SIZE];
+  int issuer_params_size;
+  int ret, i;
+
   if (crt == NULL)
     {
       gnutls_assert ();
       return GNUTLS_E_INVALID_REQUEST;
     }
 
-  return _gnutls_x509_verify_algorithm ((gnutls_mac_algorithm_t *) hash,
-					signature, crt);
+  issuer_params_size = MAX_PUBLIC_PARAMS_SIZE;
+  ret =
+	_gnutls_x509_crt_get_mpis (crt, issuer_params,
+				   &issuer_params_size);
+  if (ret < 0)
+    {
+      gnutls_assert ();
+      return ret;
+    }
+
+  ret = _gnutls_x509_verify_algorithm ((gnutls_mac_algorithm_t *) hash,
+			signature, gnutls_x509_crt_get_pk_algorithm (crt, NULL),
+			issuer_params, issuer_params_size);
+
+  /* release allocated mpis */
+  for (i = 0; i < issuer_params_size; i++)
+    {
+      _gnutls_mpi_release (&issuer_params[i]);
+    }
+
+  return ret;
 }
 
 /**
@@ -2523,6 +2546,9 @@ gnutls_x509_crt_get_verify_algorithm (gnutls_x509_crt_t crt,
  *
  * This function will verify the given signed data, using the
  * parameters from the certificate.
+ * 
+ * Note: Use gnutls_x509_crt_verify_hash() instead. This function
+ * does not do the implied hashing of the data.
  *
  * Returns: In case of a verification failure 0 is returned, and 1 on
  * success.
diff --git a/lib/x509/x509_int.h b/lib/x509/x509_int.h
index c1f4126337..f4000a5aae 100644
--- a/lib/x509/x509_int.h
+++ b/lib/x509/x509_int.h
@@ -180,9 +180,13 @@ int _gnutls_parse_general_name (ASN1_TYPE src, const char *src_name,
 /* verify.c */
 int gnutls_x509_crt_is_issuer (gnutls_x509_crt_t cert,
 			       gnutls_x509_crt_t issuer);
-int _gnutls_x509_verify_algorithm (gnutls_mac_algorithm_t * hash,
-				   const gnutls_datum_t * signature,
-				   const gnutls_x509_crt_t crt);
+
+int
+_gnutls_x509_verify_algorithm (gnutls_mac_algorithm_t * hash,
+			       const gnutls_datum_t * signature,
+			       gnutls_pk_algorithm pk,
+			       bigint_t* issuer_params, unsigned int issuer_params_size);
+
 int _gnutls_x509_verify_signature (const gnutls_datum_t * tbs,
 				   const gnutls_datum_t * hash,
 				   const gnutls_datum_t * signature,