authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-08-04 09:06:32 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2017-08-04 11:08:51 +0200
commit68fc06c0a963fe1cd3e907dec1e2571c457f953a (patch)
tree0b00afd7c1b666b13c55e2bd1cf803fdba8ea595
parentf10289f6d8c04111d3a7777f4ed9710a8114ef2f (diff)
downloadgnutls-68fc06c0a963fe1cd3e907dec1e2571c457f953a.tar.gz
introduced error code GNUTLS_E_PK_INVALID_PUBKEY_PARAMS
This is being used to indicate errors in the public key parameters such as the RSA-PSS salt size or digest algorithm. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--lib/errors.c4
-rw-r--r--lib/includes/gnutls/gnutls.h.in1
-rw-r--r--lib/nettle/pk.c4
-rw-r--r--lib/x509/key_decode.c4
4 files changed, 8 insertions, 5 deletions
diff --git a/lib/errors.c b/lib/errors.c
index f870426a44..8cedd4a281 100644
--- a/lib/errors.c
+++ b/lib/errors.c
@@ -406,8 +406,10 @@ static const gnutls_error_entry error_entries[] = {
GNUTLS_E_IDNA_ERROR),
ERROR_ENTRY(N_("Cannot perform this action while handshake is in progress."),
GNUTLS_E_UNAVAILABLE_DURING_HANDSHAKE),
- ERROR_ENTRY(N_("The obtained public key is invalid."),
+ ERROR_ENTRY(N_("The public key is invalid."),
GNUTLS_E_PK_INVALID_PUBKEY),
+ ERROR_ENTRY(N_("The public key parameters are invalid."),
+ GNUTLS_E_PK_INVALID_PUBKEY_PARAMS),
ERROR_ENTRY(N_("The private key is invalid."),
GNUTLS_E_PK_INVALID_PRIVKEY),
ERROR_ENTRY(N_("The DER time encoding is invalid."),
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index ebee1b1478..da8db487a0 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -2929,6 +2929,7 @@ unsigned gnutls_fips140_mode_enabled(void);
#define GNUTLS_E_RECORD_OVERFLOW -417 /* GNUTLS_A_RECORD_OVERFLOW */
#define GNUTLS_E_ASN1_TIME_ERROR -418
#define GNUTLS_E_INCOMPATIBLE_SIG_WITH_KEY -419
+#define GNUTLS_E_PK_INVALID_PUBKEY_PARAMS -420
#define GNUTLS_E_UNIMPLEMENTED_FEATURE -1250
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
index f32a82d8e7..cd7dce243b 100644
--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
@@ -530,7 +530,7 @@ _rsa_pss_sign_digest_tr(gnutls_digest_algorithm_t dig,
}
/* This is also checked in pss_encode_mgf1, but error out earlier. */
- CHECK_INVALID_RSA_PSS_PARAMS(hash_size, salt_size, pub->size, GNUTLS_E_ILLEGAL_PARAMETER);
+ CHECK_INVALID_RSA_PSS_PARAMS(hash_size, salt_size, pub->size, GNUTLS_E_PK_INVALID_PUBKEY_PARAMS);
if (salt_size > 0) {
salt = gnutls_malloc(salt_size);
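Review bot: The code returned by the `CHECK_INVALID_RSA_PSS_PARAMS` call in `_rsa_pss_sign_digest_tr` changes from `GNUTLS_E_ILLEGAL_PARAMETER` to `GNUTLS_E_PK_INVALID_PUBKEY_PARAMS`, so any caller that compares against the old value will silently stop matching. The same applies to the hunks in `wrap_nettle_pk_fixup` (previously `GNUTLS_E_PK_INVALID_PRIVKEY`) and `_gnutls_x509_check_pubkey_params` (previously `GNUTLS_E_CERTIFICATE_ERROR`). Whether any caller or test checks those specific values is not visible in this diff, so it is worth a search of the tree and a line in the release notes. The comment above the check could also name the code, e.g. `/* This is also checked in pss_encode_mgf1, but error out earlier with GNUTLS_E_PK_INVALID_PUBKEY_PARAMS. */`. The function body starts and ends outside the hunk.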
@@ -2352,7 +2352,7 @@ wrap_nettle_pk_fixup(gnutls_pk_algorithm_t algo,
/* sanity check for private key */
CHECK_INVALID_RSA_PSS_PARAMS(gnutls_hash_get_len(params->spki.rsa_pss_dig),
params->spki.salt_size, pub_size,
- GNUTLS_E_PK_INVALID_PRIVKEY);
+ GNUTLS_E_PK_INVALID_PUBKEY_PARAMS);
}
}
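Review bot: The comment `/* sanity check for private key */` in `wrap_nettle_pk_fixup` no longer matches the check below it, which now reports `GNUTLS_E_PK_INVALID_PUBKEY_PARAMS` rather than `GNUTLS_E_PK_INVALID_PRIVKEY`. Someone debugging a private-key import will see "The public key parameters are invalid." with nothing in the source to explain why. I would reword the comment to say what is actually validated, e.g. `/* RSA-PSS digest and salt size must fit the modulus; reported as invalid key parameters */`. The enclosing function starts and ends outside the hunk.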
diff --git a/lib/x509/key_decode.c b/lib/x509/key_decode.c
index 4dab121fcf..fa65ba14fe 100644
--- a/lib/x509/key_decode.c
+++ b/lib/x509/key_decode.c
@@ -468,11 +468,11 @@ int _gnutls_x509_check_pubkey_params(gnutls_pk_params_st * params)
me = hash_to_entry(params->spki.rsa_pss_dig);
if (unlikely(me == NULL))
- return gnutls_assert_val(GNUTLS_E_CERTIFICATE_ERROR);
+ return gnutls_assert_val(GNUTLS_E_PK_INVALID_PUBKEY_PARAMS);
hash_size = _gnutls_hash_get_algo_len(me);
if (hash_size + params->spki.salt_size + 2 > (bits + 7) / 8)
- return gnutls_assert_val(GNUTLS_E_CERTIFICATE_ERROR);
+ return gnutls_assert_val(GNUTLS_E_PK_INVALID_PUBKEY_PARAMS);
return 0;
}
case GNUTLS_PK_RSA:
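Review bot: The bound check `hash_size + params->spki.salt_size + 2 > (bits + 7) / 8` in `_gnutls_x509_check_pubkey_params` adds the salt size before comparing. If `salt_size` is an unsigned value decoded from the key's parameters (its declaration is outside the hunk), a very large value could wrap the sum and pass the check. Comparing by subtraction avoids the wrap: `unsigned key_bytes = (bits + 7) / 8;` followed by `if (hash_size + 2 > key_bytes || params->spki.salt_size > key_bytes - hash_size - 2)`. The function starts and ends outside the hunk, so whether `salt_size` is already bounded earlier cannot be confirmed from here.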