authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-06-06 09:23:53 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2017-07-17 17:08:01 +0200
commitc7882d14411b5f24d859283c3c930fdf295eadd5 (patch)
treee0830400147a6fdd762d86b9eb3d6230a8820e53
parent53313e4d670a11e972cab2d1feea37605d47b048 (diff)
downloadgnutls-c7882d14411b5f24d859283c3c930fdf295eadd5.tar.gz
privkey_sign_and_hash_data: handle prehashed signatures
This allows this function to handle ed25519, i.e., allows it to operate for PKCS#7 signatures. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--lib/algorithms/sign.c3
-rw-r--r--lib/privkey.c12
2 files changed, 9 insertions, 6 deletions
diff --git a/lib/algorithms/sign.c b/lib/algorithms/sign.c
index be4b19ec18..55be3d9bdc 100644
--- a/lib/algorithms/sign.c
+++ b/lib/algorithms/sign.c
@@ -127,6 +127,9 @@ static const gnutls_sign_entry_st sign_algorithms[] = {
{"RSA-PSS-SHA512", PK_PKIX1_RSA_PSS_OID, GNUTLS_SIGN_RSA_PSS_SHA512,
GNUTLS_PK_RSA, GNUTLS_DIG_SHA512, {{8, 6}}},
+ /* The hash algorithm here is set to be SHA512, although that is
+ * an internal detail of Ed25519; we set it, because CMS/PKCS#7 requires
+ * that mapping. */
{"EdDSA-Ed25519", SIG_EDDSA_SHA512_OID, GNUTLS_SIGN_EDDSA_ED25519,
GNUTLS_PK_EDDSA_ED25519, GNUTLS_DIG_SHA512, {{8, 7}}},
diff --git a/lib/privkey.c b/lib/privkey.c
index 6dc33e9e22..05fd8b362d 100644
--- a/lib/privkey.c
+++ b/lib/privkey.c
@@ -1007,11 +1007,7 @@ gnutls_privkey_sign_data(gnutls_privkey_t signer,
return ret;
}
- if (_gnutls_pk_is_not_prehashed(signer->pk_algorithm)) {
- return privkey_sign_raw_data(signer, data, signature, &params);
- } else {
- return privkey_sign_and_hash_data(signer, data, signature, &params);
- }
+ return privkey_sign_and_hash_data(signer, data, signature, &params);
}
/**
@@ -1133,8 +1129,12 @@ privkey_sign_and_hash_data(gnutls_privkey_t signer,
{
int ret;
gnutls_datum_t digest;
- const mac_entry_st *me = hash_to_entry(params->dig);
+ const mac_entry_st *me;
+
+ if (_gnutls_pk_is_not_prehashed(signer->pk_algorithm))
+ return privkey_sign_raw_data(signer, data, signature, params);
+ me = hash_to_entry(params->dig);
if (me == NULL)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
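Review bot: The new early return for non-prehashed keys in privkey_sign_and_hash_data runs before `hash_to_entry(params->dig)`, so on the Ed25519 path the requested digest is never looked at. A caller that passes something other than SHA-512 would presumably get a signature back with no error; whether callers validate this earlier is not visible in the hunk. If the PKCS#7 code depends on the SHA512 mapping added in sign.c, either reject a mismatched `params->dig` before the raw call or document the behaviour with `/* EdDSA signs the message itself; params->dig is ignored on this path */`. The function name no longer describes what happens for these keys, so its header comment (outside the hunk, as is the rest of the body) should say that it signs the raw data for them. The diffstat lists only the two library files, so no test exercising Ed25519 through this path accompanies the change.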