removed gnutls_pubkey_get_verify_algorithm() and unnecessary internal APIs

8 files changed, 41 insertions, 175 deletions

diff --git a/lib/crypto-backend.h b/lib/crypto-backend.h
index 920ab3bb03..09aa93c87f 100644
--- a/lib/crypto-backend.h
+++ b/lib/crypto-backend.h
@@ -326,12 +326,6 @@ typedef struct gnutls_crypto_pk {
 	int (*verify) (gnutls_pk_algorithm_t, const gnutls_datum_t * data,
 		       const gnutls_datum_t * sig,
 		       const gnutls_pk_params_st * pub);
-	/* given a signature and the public parameters,
-	 * suggest a hash algorithm */
-	int (*hash_algorithm) (gnutls_pk_algorithm_t,
-			       const gnutls_datum_t * sig,
-			       gnutls_pk_params_st * issuer_params,
-			       gnutls_digest_algorithm_t *);
 	/* sanity checks the public key parameters */
 	int (*verify_priv_params) (gnutls_pk_algorithm_t,
 			      const gnutls_pk_params_st * priv);
diff --git a/lib/gnutls_pk.c b/lib/gnutls_pk.c
index 2b5ad3e0b4..a4750bc8f0 100644
--- a/lib/gnutls_pk.c
+++ b/lib/gnutls_pk.c
@@ -217,23 +217,6 @@ void gnutls_pk_params_clear(gnutls_pk_params_st * p)
 	}
 }
 
-int
-_gnutls_pk_get_hash_algorithm(gnutls_pk_algorithm_t pk,
-			      gnutls_pk_params_st * params,
-			      gnutls_digest_algorithm_t * dig,
-			      unsigned int *mand)
-{
-	if (mand) {
-		if (pk == GNUTLS_PK_DSA)
-			*mand = 1;
-		else
-			*mand = 0;
-	}
-
-	return _gnutls_x509_verify_algorithm(dig, NULL, pk, params);
-
-}
-
 /* Writes the digest information and the digest in a DER encoded
  * structure. The digest info is allocated and stored into the info structure.
  */
diff --git a/lib/gnutls_pk.h b/lib/gnutls_pk.h
index 4434f6d5bf..34712f5098 100644
--- a/lib/gnutls_pk.h
+++ b/lib/gnutls_pk.h
@@ -74,11 +74,6 @@ decode_ber_digest_info(const gnutls_datum_t * info,
 		       gnutls_digest_algorithm_t * hash,
 		       uint8_t * digest, unsigned int *digest_size);
 
-int _gnutls_pk_get_hash_algorithm(gnutls_pk_algorithm_t pk,
-				  gnutls_pk_params_st *,
-				  gnutls_digest_algorithm_t * dig,
-				  unsigned int *mand);
-
 int
 _gnutls_params_get_rsa_raw(const gnutls_pk_params_st* params,
 				    gnutls_datum_t * m, gnutls_datum_t * e,
diff --git a/lib/gnutls_pubkey.c b/lib/gnutls_pubkey.c
index ea1f9a7786..d0cb93717d 100644
--- a/lib/gnutls_pubkey.c
+++ b/lib/gnutls_pubkey.c
@@ -271,14 +271,38 @@ gnutls_pubkey_get_preferred_hash_algorithm(gnutls_pubkey_t key,
 					   hash, unsigned int *mand)
 {
 	int ret;
+	const mac_entry_st *me;
 
 	if (key == NULL) {
 		gnutls_assert();
 		return GNUTLS_E_INVALID_REQUEST;
 	}
 
-	ret = _gnutls_pk_get_hash_algorithm(key->pk_algorithm,
-					    &key->params, hash, mand);
+	if (mand)
+		*mand = 0;
+
+	switch (key->pk_algorithm) {
+	case GNUTLS_PK_DSA:
+		if (mand)
+			*mand = 1;
+	case GNUTLS_PK_EC:
+
+		me = _gnutls_dsa_q_to_hash(key->pk_algorithm, &key->params, NULL);
+		if (hash)
+			*hash = (gnutls_digest_algorithm_t)me->id;
+
+		ret = 0;
+		break;
+	case GNUTLS_PK_RSA:
+		if (hash)
+			*hash = GNUTLS_DIG_SHA256;
+		ret = 0;
+		break;
+
+	default:
+		gnutls_assert();
+		ret = GNUTLS_E_INTERNAL_ERROR;
+	}
 
 	return ret;
 }
@@ -1645,40 +1669,6 @@ gnutls_pubkey_encrypt_data(gnutls_pubkey_t key, unsigned int flags,
 				  plaintext, &key->params);
 }
 
-/**
- * gnutls_pubkey_get_verify_algorithm:
- * @key: Holds the certificate
- * @signature: contains the signature
- * @hash: The result of the call with the hash algorithm used for signature
- *
- * This function will read the certifcate and the signed data to
- * determine the hash algorithm used to generate the signature.
- *
- * This function is only for informative purposes, as it does not
- * return a cryptographically binding result. Modifications to the signature
- * may cause this function to return an incorrect result.
- *
- * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
- *   negative error value.
- *
- * Since: 2.12.0
- **/
-int
-gnutls_pubkey_get_verify_algorithm(gnutls_pubkey_t key,
-				   const gnutls_datum_t * signature,
-				   gnutls_digest_algorithm_t * hash)
-{
-	if (key == NULL) {
-		gnutls_assert();
-		return GNUTLS_E_INVALID_REQUEST;
-	}
-
-	return _gnutls_x509_verify_algorithm(hash, signature,
-					     key->pk_algorithm,
-					     &key->params);
-
-}
-
 /* Checks whether the public key given is compatible with the
  * signature algorithm used. The session is only used for audit logging, and
  * it may be null.
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index 127e267060..343b11a226 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -574,7 +574,6 @@ GNUTLS_3_4
 	gnutls_pubkey_import_dsa_raw;
 	gnutls_pubkey_import_rsa_raw;
 	gnutls_pubkey_import_pkcs11_url;
-	gnutls_pubkey_get_verify_algorithm;
 	gnutls_pubkey_import;
 	gnutls_x509_crt_set_pubkey;
 	gnutls_x509_crq_set_pubkey;
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
index 11f2c8dacf..31df491f96 100644
--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
@@ -1762,94 +1762,9 @@ cleanup:
 	return ret;
 }
 
-/* Given a signature and parameters, it should return
- * the hash algorithm used in the signature. This is a kludge
- * but until we deprecate gnutls_pubkey_get_verify_algorithm()
- * we depend on it.
- */
-static int wrap_nettle_hash_algorithm(gnutls_pk_algorithm_t pk,
-				      const gnutls_datum_t * sig,
-				      gnutls_pk_params_st * issuer_params,
-				      gnutls_digest_algorithm_t *
-				      hash_algo)
-{
-	uint8_t digest[MAX_HASH_SIZE];
-	uint8_t *rdi = NULL;
-	gnutls_datum_t di;
-	unsigned digest_size;
-	mpz_t s;
-	struct rsa_public_key pub;
-	const mac_entry_st *me;
-	int ret;
-
-	mpz_init(s);
-
-	switch (pk) {
-	case GNUTLS_PK_DSA:
-	case GNUTLS_PK_EC:
-
-		me = _gnutls_dsa_q_to_hash(pk, issuer_params, NULL);
-		if (hash_algo)
-			*hash_algo = (gnutls_digest_algorithm_t)me->id;
-
-		ret = 0;
-		break;
-	case GNUTLS_PK_RSA:
-		if (sig == NULL) {	/* return a sensible algorithm */
-			if (hash_algo)
-				*hash_algo = GNUTLS_DIG_SHA256;
-			return 0;
-		}
-
-		_rsa_params_to_pubkey(issuer_params, &pub);
-
-		digest_size = sizeof(digest);
-
-		nettle_mpz_set_str_256_u(s, sig->size, sig->data);
-
-		ret = extract_digest_info(&pub, &di, &rdi, s);
-		if (ret == 0) {
-			ret = GNUTLS_E_PK_SIG_VERIFY_FAILED;
-			gnutls_assert();
-			goto cleanup;
-		}
-
-		digest_size = sizeof(digest);
-		if ((ret =
-		     decode_ber_digest_info(&di, hash_algo, digest,
-					    &digest_size)) < 0) {
-			gnutls_assert();
-			goto cleanup;
-		}
-
-		if (digest_size !=
-		    _gnutls_hash_get_algo_len(mac_to_entry(
-		    	(gnutls_mac_algorithm_t)*hash_algo))) {
-			gnutls_assert();
-			ret = GNUTLS_E_PK_SIG_VERIFY_FAILED;
-			goto cleanup;
-		}
-
-		ret = 0;
-		break;
-
-	default:
-		gnutls_assert();
-		ret = GNUTLS_E_INTERNAL_ERROR;
-	}
-
-      cleanup:
-	mpz_clear(s);
-	gnutls_free(rdi);
-	return ret;
-
-}
-
-
 int crypto_pk_prio = INT_MAX;
 
 gnutls_crypto_pk_st _gnutls_pk_ops = {
-	.hash_algorithm = wrap_nettle_hash_algorithm,
 	.encrypt = _wrap_nettle_pk_encrypt,
 	.decrypt = _wrap_nettle_pk_decrypt,
 	.sign = _wrap_nettle_pk_sign,
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index aba2b01cca..0d83a78d0b 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -1198,20 +1198,6 @@ cleanup:
 }
 #endif
 
-/* This will return the appropriate hash to verify the given signature.
- * If signature is NULL it will return an (or the) appropriate hash for
- * the given parameters.
- */
-int
-_gnutls_x509_verify_algorithm(gnutls_digest_algorithm_t * hash,
-			      const gnutls_datum_t * signature,
-			      gnutls_pk_algorithm_t pk,
-			      gnutls_pk_params_st * issuer_params)
-{
-	return _gnutls_pk_hash_algorithm(pk, signature, issuer_params,
-					 hash);
-}
-
 /* verifies if the certificate is properly signed.
  * returns GNUTLS_E_PK_VERIFY_SIG_FAILED on failure and 1 on success.
  * 
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index e178c39b5b..d0371b8713 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -2808,28 +2808,32 @@ gnutls_x509_crt_get_preferred_hash_algorithm(gnutls_x509_crt_t crt,
 					     gnutls_digest_algorithm_t *
 					     hash, unsigned int *mand)
 {
-	gnutls_pk_params_st issuer_params;
 	int ret;
+	gnutls_pubkey_t pubkey;
 
 	if (crt == NULL) {
 		gnutls_assert();
 		return GNUTLS_E_INVALID_REQUEST;
 	}
 
-	ret = _gnutls_x509_crt_get_mpis(crt, &issuer_params);
-	if (ret < 0) {
+	ret = gnutls_pubkey_init(&pubkey);
+	if (ret < 0)
+		return gnutls_assert_val(ret);
+
+	ret = gnutls_pubkey_import_x509(pubkey, crt, 0);
+	if (ret < 0) {  
 		gnutls_assert();
-		return ret;
+		goto cleanup;
 	}
 
-	ret =
-	    _gnutls_pk_get_hash_algorithm(gnutls_x509_crt_get_pk_algorithm
-					  (crt, NULL), &issuer_params,
-					  hash, mand);
-
-	/* release allocated mpis */
-	gnutls_pk_params_release(&issuer_params);
+	ret = gnutls_pubkey_get_preferred_hash_algorithm(pubkey, hash, mand);
+	if (ret < 0) {  
+		gnutls_assert();
+		goto cleanup;
+	}
 
+ cleanup:
+ 	gnutls_pubkey_deinit(pubkey);
 	return ret;
 }