pk: implement deterministic ECDSA/DSA

This exposes the deterministic ECDSA/DSA functionality through the
GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag.

Signed-off-by: Daiki Ueno <dueno@redhat.com>

11 files changed, 290 insertions, 5 deletions

diff --git a/.gitignore b/.gitignore
index 37f34bdcea..e80cff4539 100644
--- a/.gitignore
+++ b/.gitignore
@@ -696,6 +696,7 @@ tests/sign-md5-rep
 tests/sign-pk-api
 tests/sign-verify
 tests/sign-verify-data
+tests/sign-verify-deterministic
 tests/sign-verify-ed25519-rfc8080
 tests/sign-verify-ext
 tests/sign-verify-ext4
diff --git a/NEWS b/NEWS
index f5ed67969d..73a4b6925d 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,13 @@ Copyright (C) 2000-2016 Free Software Foundation, Inc.
 Copyright (C) 2013-2019 Nikos Mavrogiannopoulos
 See the end for copying conditions.
 
+* Version 3.6.10 (unreleased)
+
+** libgnutls: Added support for deterministic ECDSA/DSA (RFC6979)
+   Deterministic signing can be enabled by setting
+   GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE when calling gnutls_privkey_sign_*()
+   functions (#94).
+
 * Version 3.6.9 (released 2019-07-25)
 
 ** libgnutls: add gnutls_hash_copy/gnutls_hmac_copy functions that will create a copy
diff --git a/lib/crypto-backend.h b/lib/crypto-backend.h
index 43124abafb..33eca6031c 100644
--- a/lib/crypto-backend.h
+++ b/lib/crypto-backend.h
@@ -187,6 +187,13 @@ typedef struct gnutls_x509_spki_st {
 	/* if non-zero, the legacy value for PKCS#7 signatures will be
 	 * written for RSA signatures. */
 	unsigned int legacy;
+
+	/* the digest used by ECDSA/DSA */
+	gnutls_digest_algorithm_t dsa_dig;
+
+	/* flags may include GNUTLS_PK_FLAG_REPRODUCIBLE for
+	 * deterministic ECDSA/DSA */
+	unsigned int flags;
 } gnutls_x509_spki_st;
 
 #define GNUTLS_MAX_PK_PARAMS 16
@@ -219,9 +226,16 @@ typedef struct {
  */
 typedef enum {
 	GNUTLS_PK_FLAG_NONE = 0,
-	GNUTLS_PK_FLAG_PROVABLE = 1
+	GNUTLS_PK_FLAG_PROVABLE = 1,
+	GNUTLS_PK_FLAG_REPRODUCIBLE = 2
 } gnutls_pk_flag_t;
 
+#define FIX_SIGN_PARAMS(params, flags, dig) do {		\
+	if ((flags) & GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE) {	\
+		(params).flags |= GNUTLS_PK_FLAG_REPRODUCIBLE;	\
+		(params).dsa_dig = (dig);			\
+	}							\
+} while (0)
 
 void gnutls_pk_params_release(gnutls_pk_params_st * p);
 void gnutls_pk_params_clear(gnutls_pk_params_st * p);
diff --git a/lib/includes/gnutls/abstract.h b/lib/includes/gnutls/abstract.h
index d4b7da68b2..d8805681a9 100644
--- a/lib/includes/gnutls/abstract.h
+++ b/lib/includes/gnutls/abstract.h
@@ -371,7 +371,10 @@ int gnutls_privkey_status(gnutls_privkey_t key);
  * gnutls_privkey_flags:
  * @GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA: Make an RSA signature on the hashed data as in the TLS protocol.
  * @GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS: Make an RSA signature on the hashed data with the PSS padding.
- * @GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE: Make an RSA-PSS signature on the hashed data with reproducible parameters (zero salt).
+ * @GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE: Make a signature on the hashed data with reproducible parameters.
+ *   For RSA-PSS, that means to use empty salt instead of random value. For ECDSA/DSA, it uses the deterministic
+ *   construction of random parameter according to RFC 6979. Note that
+ *   this only supports the NIST curves and DSA subgroup bits up to 512.
  * @GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE: When importing a private key, automatically
  *   release it when the structure it was imported is released.
  * @GNUTLS_PRIVKEY_IMPORT_COPY: Copy required values during import.
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
index 08117c2d82..ebd6481cf7 100644
--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
@@ -54,6 +54,8 @@
 #include "gost/gostdsa.h"
 #include "gost/ecc-gost-curve.h"
 #endif
+#include "int/ecdsa-compute-k.h"
+#include "int/dsa-compute-k.h"
 #include <gnettle.h>
 #include <fips.h>
 
@@ -86,6 +88,12 @@ static void rnd_nonce_func(void *_ctx, size_t length, uint8_t * data)
 	}
 }
 
+static void rnd_mpz_func(void *_ctx, size_t length, uint8_t * data)
+{
+	mpz_t *k = _ctx;
+	nettle_mpz_get_str_256 (length, data, *k);
+}
+
 static void
 ecc_scalar_zclear (struct ecc_scalar *s)
 {
@@ -782,6 +790,9 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
 			struct dsa_signature sig;
 			int curve_id = pk_params->curve;
 			const struct ecc_curve *curve;
+			mpz_t k;
+			void *random_ctx;
+			nettle_random_func *random_func;
 
 			curve = get_supported_nist_curve(curve_id);
 			if (curve == NULL)
@@ -808,7 +819,23 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
 				hash_len = vdata->size;
 			}
 
-			ecdsa_sign(&priv, NULL, rnd_nonce_func, hash_len,
+			mpz_init(k);
+			if (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE) {
+				ret = _gnutls_ecdsa_compute_k(k,
+							      curve_id,
+							      pk_params->params[ECC_K],
+							      sign_params->dsa_dig,
+							      vdata->data,
+							      vdata->size);
+				if (ret < 0)
+					goto ecdsa_cleanup;
+				random_ctx = &k;
+				random_func = rnd_mpz_func;
+			} else {
+				random_ctx = NULL;
+				random_func = rnd_nonce_func;
+			}
+			ecdsa_sign(&priv, random_ctx, random_func, hash_len,
 				   vdata->data, &sig);
 
 			/* prevent memory leaks */
@@ -824,6 +851,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
  ecdsa_cleanup:
 			dsa_signature_clear(&sig);
 			ecc_scalar_zclear(&priv);
+			mpz_clear(k);
 
 			if (ret < 0) {
 				gnutls_assert();
@@ -836,6 +864,9 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
 			struct dsa_params pub;
 			bigint_t priv;
 			struct dsa_signature sig;
+			mpz_t k;
+			void *random_ctx;
+			nettle_random_func *random_func;
 
 			memset(&priv, 0, sizeof(priv));
 			memset(&pub, 0, sizeof(pub));
@@ -856,8 +887,26 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
 				hash_len = vdata->size;
 			}
 
+			mpz_init(k);
+			if (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE) {
+				ret = _gnutls_dsa_compute_k(k,
+							    pub.q,
+							    TOMPZ(priv),
+							    sign_params->dsa_dig,
+							    vdata->data,
+							    vdata->size);
+				if (ret < 0)
+					goto dsa_fail;
+				/* cancel-out dsa_sign's addition of 1 to random data */
+				mpz_sub_ui (k, k, 1);
+				random_ctx = &k;
+				random_func = rnd_mpz_func;
+			} else {
+				random_ctx = NULL;
+				random_func = rnd_nonce_func;
+			}
 			ret =
-			    dsa_sign(&pub, TOMPZ(priv), NULL, rnd_nonce_func,
+			    dsa_sign(&pub, TOMPZ(priv), random_ctx, random_func,
 				     hash_len, vdata->data, &sig);
 			if (ret == 0 || HAVE_LIB_ERROR()) {
 				gnutls_assert();
@@ -871,6 +920,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
 
  dsa_fail:
 			dsa_signature_clear(&sig);
+			mpz_clear(k);
 
 			if (ret < 0) {
 				gnutls_assert();
diff --git a/lib/privkey.c b/lib/privkey.c
index 8683b4e20f..4ef07c8b06 100644
--- a/lib/privkey.c
+++ b/lib/privkey.c
@@ -1134,6 +1134,8 @@ gnutls_privkey_sign_data(gnutls_privkey_t signer,
 		return ret;
 	}
 
+	FIX_SIGN_PARAMS(params, flags, hash);
+
 	return privkey_sign_and_hash_data(signer, _gnutls_pk_to_sign_entry(params.pk, hash), data, signature, &params);
 }
 
@@ -1186,6 +1188,8 @@ gnutls_privkey_sign_data2(gnutls_privkey_t signer,
 		return ret;
 	}
 
+	FIX_SIGN_PARAMS(params, flags, se->hash);
+
 	return privkey_sign_and_hash_data(signer, se, data, signature, &params);
 }
 
@@ -1253,6 +1257,8 @@ gnutls_privkey_sign_hash2(gnutls_privkey_t signer,
 		return ret;
 	}
 
+	FIX_SIGN_PARAMS(params, flags, se->hash);
+
 	return privkey_sign_prehashed(signer, se, hash_data, signature, &params);
 }
 
@@ -1376,6 +1382,8 @@ gnutls_privkey_sign_hash(gnutls_privkey_t signer,
 	if (unlikely(se == NULL))
 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
 
+	FIX_SIGN_PARAMS(params, flags, hash_algo);
+
 	return privkey_sign_prehashed(signer, se,
 				      hash_data, signature, &params);
 }
diff --git a/lib/x509/crq.c b/lib/x509/crq.c
index c8899f81a5..4ca67535dd 100644
--- a/lib/x509/crq.c
+++ b/lib/x509/crq.c
@@ -2642,6 +2642,8 @@ gnutls_x509_crq_privkey_sign(gnutls_x509_crq_t crq, gnutls_privkey_t key,
 	if (se == NULL)
 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
 
+	FIX_SIGN_PARAMS(params, flags, dig);
+
 	result = privkey_sign_and_hash_data(key, se,
 					    &tbs, &signature, &params);
 	gnutls_free(tbs.data);
diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c
index 21fff7b07a..98669e8879 100644
--- a/lib/x509/pkcs7.c
+++ b/lib/x509/pkcs7.c
@@ -2532,6 +2532,8 @@ int gnutls_pkcs7_sign(gnutls_pkcs7_t pkcs7,
 		goto cleanup;
 	}
 
+	FIX_SIGN_PARAMS(params, flags, dig);
+
 	ret = privkey_sign_and_hash_data(signer_key, se,
 					 &sigdata, &signature, &params);
 	if (ret < 0) {
diff --git a/lib/x509/sign.c b/lib/x509/sign.c
index 8f7a96f218..461524f5bf 100644
--- a/lib/x509/sign.c
+++ b/lib/x509/sign.c
@@ -175,6 +175,8 @@ _gnutls_x509_pkix_sign(ASN1_TYPE src, const char *src_name,
 		return result;
 	}
 
+	FIX_SIGN_PARAMS(params, flags, dig);
+
 	if (_gnutls_pk_is_not_prehashed(params.pk)) {
 		result = privkey_sign_raw_data(issuer_key, se, &tbs, &signature, &params);
 	} else {
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 7970ad6b30..a8c2d152ec 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -214,7 +214,7 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei
 	 null_retrieve_function tls-record-size-limit tls-crt_type-neg \
 	 resume-with-stek-expiration resume-with-previous-stek rawpk-api \
 	 tls-record-size-limit-asym dh-compute ecdh-compute sign-verify-data-newapi \
-	 sign-verify-newapi
+	 sign-verify-newapi sign-verify-deterministic
 
 if HAVE_SECCOMP_TESTS
 ctests += dtls-with-seccomp tls-with-seccomp dtls-client-with-seccomp tls-client-with-seccomp
diff --git a/tests/sign-verify-deterministic.c b/tests/sign-verify-deterministic.c
new file mode 100644
index 0000000000..fe4873fc89
--- /dev/null
+++ b/tests/sign-verify-deterministic.c
@@ -0,0 +1,196 @@
+/*
+ * Copyright (C) 2017-2019 Red Hat, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos, Daiki Ueno
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GnuTLS; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#ifndef _WIN32
+# include <netinet/in.h>
+# include <sys/socket.h>
+# include <arpa/inet.h>
+#endif
+#include <unistd.h>
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+#include <gnutls/abstract.h>
+#include "utils.h"
+
+/* verifies whether the sign-data and verify-data APIs
+ * operate as expected with deterministic ECDSA/DSA (RFC 6979) */
+
+static void tls_log_func(int level, const char *str)
+{
+	fprintf(stderr, "<%d> %s", level, str);
+}
+
+struct _key_tests_st {
+	const char *name;
+	gnutls_datum_t key;
+	gnutls_datum_t msg;
+	gnutls_datum_t sig;
+	gnutls_pk_algorithm_t pk;
+	gnutls_digest_algorithm_t digest;
+	gnutls_sign_algorithm_t sigalgo;
+	unsigned int sign_flags;
+};
+
+/* Test vectors from RFC 6979 */
+static const char dsa_privkey_rfc6979[] =
+    "-----BEGIN DSA PRIVATE KEY-----\n"
+    "MIIBugIBAAKBgQCG9coD3P6yJQY/+DCgx2m53Z1hU62R184n94fEMni0R+ZTO4ax\n"
+    "i+1uiki3hKFMJSxb4Nv2C4bWOFvS8S+3Y+2Ic6v9P1ui4KjApZCC6sBWk15Sna98\n"
+    "YQRniZx3re38hGyIGHC3sZsrWPm+BSGhcALjvda4ZoXukLPZobAreCsXeQIVAJlv\n"
+    "ln9sjjiNnijQHiBfupV6VpixAoGAB7D5JUYVC2JRS7dx4qDAzjh/A72mxWtQUgn/\n"
+    "Jf08Ez2Ju82X6QTgkRTZp9796t/JB46lRNLkAa7sxAu5+794/YeZWhChwny3eJtZ\n"
+    "S6fvtcQyap/lmgcOE223cXVGStykF75dzi9A0QpGo6OUPyarf9nAOY/4x27gpWgm\n"
+    "qKiPHb0CgYBd9eAd7THQKX4nThaRwZL+WGj++eGahHdkVLEAzxb2U5IZWji5BSPi\n"
+    "VC7mGHHARAy4fDIvxLTS7F4efsdm4b6NTOk1Q33BHDyP1CYziTPr/nOcs0ZfTTZo\n"
+    "xeRzUIJTseaC9ly9xPrpPC6iEjkOVJBahuIiMXC0Tqp9pd2f/Pt/OwIUQRYCyxmm\n"
+    "zMNElNedmO8eftWvJfc=\n"
+    "-----END DSA PRIVATE KEY-----\n";
+
+static const char ecdsa_secp256r1_privkey_rfc6979[] =
+    "-----BEGIN EC PRIVATE KEY-----\n"
+    "MHgCAQEEIQDJr6nYRbp1FmtcIVdnsdaTTlDD2zbomxJ7imIrEg9nIaAKBggqhkjO\n"
+    "PQMBB6FEA0IABGD+1LolWp0xyWHrdMY1bWjASbiSO2H6bOZpYi5g8p+2eQP+EAi4\n"
+    "vJmkGunpVii8ZPLxsgwtfp9Rd6PClNRGIpk=\n"
+    "-----END EC PRIVATE KEY-----\n";
+
+static const char sample[] = "sample";
+
+static const
+struct _key_tests_st tests[] = {
+	{
+		.name = "dsa key",
+		.key = {(void *) dsa_privkey_rfc6979, sizeof(dsa_privkey_rfc6979)-1},
+		.msg = {(void *) sample, sizeof(sample)-1},
+		.sig = {(void *) "\x30\x2d\x02\x15\x00\x81\xf2\xf5\x85\x0b\xe5\xbc\x12\x3c\x43\xf7\x1a\x30\x33\xe9\x38\x46\x11\xc5\x45\x02\x14\x4c\xdd\x91\x4b\x65\xeb\x6c\x66\xa8\xaa\xad\x27\x29\x9b\xee\x6b\x03\x5f\x5e\x89", 47},
+		.pk = GNUTLS_PK_DSA,
+		.digest = GNUTLS_DIG_SHA256,
+		.sigalgo = GNUTLS_SIGN_DSA_SHA256,
+		.sign_flags = GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE
+	},
+	{
+		.name = "ecdsa key",
+		.key = {(void *) ecdsa_secp256r1_privkey_rfc6979, sizeof(ecdsa_secp256r1_privkey_rfc6979)-1},
+		.msg = {(void *) sample, sizeof(sample)-1},
+		.sig = {(void *) "\x30\x46\x02\x21\x00\xef\xd4\x8b\x2a\xac\xb6\xa8\xfd\x11\x40\xdd\x9c\xd4\x5e\x81\xd6\x9d\x2c\x87\x7b\x56\xaa\xf9\x91\xc3\x4d\x0e\xa8\x4e\xaf\x37\x16\x02\x21\x00\xf7\xcb\x1c\x94\x2d\x65\x7c\x41\xd4\x36\xc7\xa1\xb6\xe2\x9f\x65\xf3\xe9\x00\xdb\xb9\xaf\xf4\x06\x4d\xc4\xab\x2f\x84\x3a\xcd\xa8", 72},
+		.pk = GNUTLS_PK_ECDSA,
+		.digest = GNUTLS_DIG_SHA256,
+		.sigalgo = GNUTLS_SIGN_ECDSA_SECP256R1_SHA256,
+		.sign_flags = GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE
+	},
+	{
+		.name = "ecdsa key",
+		.key = {(void *) ecdsa_secp256r1_privkey_rfc6979, sizeof(ecdsa_secp256r1_privkey_rfc6979)-1},
+		.msg = {(void *) sample, sizeof(sample)-1},
+		.sig = {(void *) "\x30\x46\x02\x21\x00\xef\xd4\x8b\x2a\xac\xb6\xa8\xfd\x11\x40\xdd\x9c\xd4\x5e\x81\xd6\x9d\x2c\x87\x7b\x56\xaa\xf9\x91\xc3\x4d\x0e\xa8\x4e\xaf\x37\x16\x02\x21\x00\xf7\xcb\x1c\x94\x2d\x65\x7c\x41\xd4\x36\xc7\xa1\xb6\xe2\x9f\x65\xf3\xe9\x00\xdb\xb9\xaf\xf4\x06\x4d\xc4\xab\x2f\x84\x3a\xcd\xa8", 72},
+		.pk = GNUTLS_PK_ECDSA,
+		.digest = GNUTLS_DIG_SHA256,
+		.sigalgo = GNUTLS_SIGN_ECDSA_SHA256,
+		.sign_flags = GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE
+	},
+	{
+		.name = "ecdsa key (q bits < h bits)",
+		.key = {(void *) ecdsa_secp256r1_privkey_rfc6979, sizeof(ecdsa_secp256r1_privkey_rfc6979)-1},
+		.msg = {(void *) sample, sizeof(sample)-1},
+		.sig = {(void *) "\x30\x44\x02\x20\x0e\xaf\xea\x03\x9b\x20\xe9\xb4\x23\x09\xfb\x1d\x89\xe2\x13\x05\x7c\xbf\x97\x3d\xc0\xcf\xc8\xf1\x29\xed\xdd\xc8\x00\xef\x77\x19\x02\x20\x48\x61\xf0\x49\x1e\x69\x98\xb9\x45\x51\x93\xe3\x4e\x7b\x0d\x28\x4d\xdd\x71\x49\xa7\x4b\x95\xb9\x26\x1f\x13\xab\xde\x94\x09\x54", 70},
+		.pk = GNUTLS_PK_ECDSA,
+		.digest = GNUTLS_DIG_SHA384,
+		.sigalgo = GNUTLS_SIGN_ECDSA_SHA384,
+		.sign_flags = GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE
+	},
+	{
+		.name = "ecdsa key (q bits > h bits)",
+		.key = {(void *) ecdsa_secp256r1_privkey_rfc6979, sizeof(ecdsa_secp256r1_privkey_rfc6979)-1},
+		.msg = {(void *) sample, sizeof(sample)-1},
+		.sig = {(void *) "\x30\x45\x02\x20\x53\xb2\xff\xf5\xd1\x75\x2b\x2c\x68\x9d\xf2\x57\xc0\x4c\x40\xa5\x87\xfa\xba\xbb\x3f\x6f\xc2\x70\x2f\x13\x43\xaf\x7c\xa9\xaa\x3f\x02\x21\x00\xb9\xaf\xb6\x4f\xdc\x03\xdc\x1a\x13\x1c\x7d\x23\x86\xd1\x1e\x34\x9f\x07\x0a\xa4\x32\xa4\xac\xc9\x18\xbe\xa9\x88\xbf\x75\xc7\x4c", 71},
+		.pk = GNUTLS_PK_ECDSA,
+		.digest = GNUTLS_DIG_SHA224,
+		.sigalgo = GNUTLS_SIGN_ECDSA_SHA224,
+		.sign_flags = GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE
+	}
+};
+
+#define testfail(fmt, ...) \
+	fail("%s: "fmt, tests[i].name, ##__VA_ARGS__)
+
+void doit(void)
+{
+	gnutls_pubkey_t pubkey;
+	gnutls_privkey_t privkey;
+	gnutls_datum_t signature;
+	int ret;
+	size_t i;
+
+	global_init();
+
+	gnutls_global_set_log_function(tls_log_func);
+	if (debug)
+		gnutls_global_set_log_level(6);
+
+	for (i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
+		success("testing: %s - %s\n", tests[i].name, gnutls_sign_algorithm_get_name(tests[i].sigalgo));
+
+		ret = gnutls_privkey_init(&privkey);
+		if (ret < 0)
+			testfail("gnutls_privkey_init\n");
+
+		ret = gnutls_privkey_import_x509_raw(privkey, &tests[i].key, GNUTLS_X509_FMT_PEM, NULL, 0);
+		if (ret < 0)
+			testfail("gnutls_privkey_import_x509_raw\n");
+
+		ret = gnutls_privkey_sign_data(privkey, tests[i].digest, tests[i].sign_flags,
+					       &tests[i].msg, &signature);
+		if (ret < 0)
+			testfail("gnutls_privkey_sign_data\n");
+
+		if (signature.size != tests[i].sig.size ||
+		    memcmp(signature.data, tests[i].sig.data, signature.size) != 0)
+			testfail("signature does not match");
+
+		ret = gnutls_pubkey_init(&pubkey);
+		if (ret < 0)
+			testfail("gnutls_pubkey_init\n");
+
+		ret = gnutls_pubkey_import_privkey(pubkey, privkey, 0, 0);
+		if (ret < 0)
+			testfail("gnutls_pubkey_import_privkey\n");
+
+		ret =
+		    gnutls_pubkey_verify_data2(pubkey, tests[i].sigalgo, 0, &tests[i].msg,
+					      &signature);
+		if (ret < 0)
+			testfail("gnutls_pubkey_verify_data2\n");
+
+		gnutls_free(signature.data);
+		gnutls_privkey_deinit(privkey);
+		gnutls_pubkey_deinit(pubkey);
+	}
+
+	gnutls_global_deinit();
+}