diff options
| author | Daiki Ueno <dueno@redhat.com> | 2017-03-16 11:38:58 +0100 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-05-29 08:23:49 +0200 |
| commit | 9e5452193c3510102801fd86b6e65d37b5dc1012 (patch) | |
| tree | 1c401b3900c8a6f3ffac58ad839266e8c228f941 /lib/includes/gnutls/x509.h | |
| parent | 03c811b7f9a280182b486473567a0b93fe1dc291 (diff) | |
| download | gnutls-9e5452193c3510102801fd86b6e65d37b5dc1012.tar.gz | |
x509: implement RSA-PSS signature scheme
This patch enables RSA-PSS signature scheme in the X.509 functions and
certtool.
When creating RSA-PSS signature, there are 3 different scenarios:
a. both a private key and a certificate are RSA-PSS
b. the private key is RSA, while the certificate is RSA-PSS
c. both the private key and the certificate are RSA
For (a) and (b), the RSA-PSS parameters are read from the certificate.
Any conflicts in parameters between the private key and the certificate
are reported as an error.
For (c), the sign functions, such as gnutls_x509_crt_privkey_sign() or
gnutls_privkey_sign_data(), shall be instructed to generate an RSA-PSS
signature. This can be done with the new flag
GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS.
Verification is similar to signing, except for the case (c), use the
flag GNUTLS_VERIFY_USE_RSA_PSS instead of
GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS.
From the command line, certtool has a couple of new options: --rsa-pss
and --rsa-pss-sign. The --rsa-pss option indicates that the generated
private key or certificate is restricted to RSA-PSS, while the
--rsa-pss-sign option indicates that the generated certificate is signed
with RSA-PSS.
For simplicity, there is no means of choosing arbitrary salt length.
When it is not given by a private key or a certificate, it is
automatically calculated from the underlying hash algorithm and the
RSA modulus bits.
[minor naming changes by nmav]
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'lib/includes/gnutls/x509.h')
| -rw-r--r-- | lib/includes/gnutls/x509.h | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h index 4646299368..cc30a5fd6c 100644 --- a/lib/includes/gnutls/x509.h +++ b/lib/includes/gnutls/x509.h @@ -413,8 +413,28 @@ time_t gnutls_x509_crt_get_expiration_time(gnutls_x509_crt_t cert); int gnutls_x509_crt_get_serial(gnutls_x509_crt_t cert, void *result, size_t * result_size); +typedef struct gnutls_x509_spki_st *gnutls_x509_spki_t; + +int gnutls_x509_spki_init(gnutls_x509_spki_t *spki); +void gnutls_x509_spki_deinit(gnutls_x509_spki_t spki); +int gnutls_x509_spki_get_pk_algorithm(gnutls_x509_spki_t spki); +void gnutls_x509_spki_set_pk_algorithm(gnutls_x509_spki_t spki, + gnutls_pk_algorithm_t pk); +int gnutls_x509_spki_get_digest_algorithm(gnutls_x509_spki_t spki); +void gnutls_x509_spki_set_digest_algorithm(gnutls_x509_spki_t spki, + gnutls_digest_algorithm_t dig); +int gnutls_x509_spki_get_salt_size(gnutls_x509_spki_t spki); +void gnutls_x509_spki_set_salt_size(gnutls_x509_spki_t spki, + unsigned int salt_size); + int gnutls_x509_crt_get_pk_algorithm(gnutls_x509_crt_t cert, unsigned int *bits); +int gnutls_x509_crt_set_pk_algorithm(gnutls_x509_crt_t crt, + gnutls_x509_spki_t spki, + unsigned int flags); +int gnutls_x509_crt_get_pk_algorithm2(gnutls_x509_crt_t cert, + gnutls_x509_spki_t spki, + unsigned int *bits); int gnutls_x509_crt_get_pk_rsa_raw(gnutls_x509_crt_t crt, gnutls_datum_t * m, gnutls_datum_t * e); int gnutls_x509_crt_get_pk_dsa_raw(gnutls_x509_crt_t crt, @@ -945,6 +965,7 @@ typedef enum gnutls_certificate_verify_flags { GNUTLS_VERIFY_USE_TLS1_RSA = 1 << 13, GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS = 1 << 14, GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1 = 1 << 15, + GNUTLS_VERIFY_USE_RSA_PSS = 1 << 16 /* cannot exceed 2^24 due to GNUTLS_PROFILE_TO_VFLAGS() */ } gnutls_certificate_verify_flags; @@ -1167,6 +1188,9 @@ int gnutls_x509_privkey_import_dsa_raw(gnutls_x509_privkey_t key, int gnutls_x509_privkey_get_pk_algorithm(gnutls_x509_privkey_t key); int gnutls_x509_privkey_get_pk_algorithm2(gnutls_x509_privkey_t key, unsigned int *bits); +int gnutls_x509_privkey_get_pk_algorithm3(gnutls_x509_privkey_t key, + gnutls_x509_spki_t spki, + unsigned int *bits); int gnutls_x509_privkey_get_key_id(gnutls_x509_privkey_t key, unsigned int flags, unsigned char *output_data, @@ -1391,6 +1415,12 @@ int gnutls_x509_crq_get_attribute_info(gnutls_x509_crq_t crq, size_t * sizeof_oid); int gnutls_x509_crq_get_pk_algorithm(gnutls_x509_crq_t crq, unsigned int *bits); +int gnutls_x509_crq_get_pk_algorithm2(gnutls_x509_crq_t crq, + gnutls_x509_spki_t spki, + unsigned int *bits); +int gnutls_x509_crq_set_pk_algorithm(gnutls_x509_crq_t crq, + gnutls_x509_spki_t spki, + unsigned int flags); int gnutls_x509_crq_get_signature_oid(gnutls_x509_crq_t crq, char *oid, size_t *oid_size); int gnutls_x509_crq_get_pk_oid(gnutls_x509_crq_t crq, char *oid, size_t *oid_size); |