authorNikos Mavrogiannopoulos <nmav@gnutls.org>2003-11-26 08:59:24 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2003-11-26 08:59:24 +0000
commitd5cc889902e0fc6beaaefcfac069b0dc089795b0 (patch)
treedc5cd46f99d77ecc409141216e26eea4819eae01 /lib
parent16a3924dfb57012744cbebe6d1f0cd5059df7d44 (diff)
downloadgnutls-d5cc889902e0fc6beaaefcfac069b0dc089795b0.tar.gz
Exported the gnutls_x509_privkey_sign_data(), gnutls_x509_privkey_verify_data()
and gnutls_x509_crt_verify_data().
Diffstat (limited to 'lib')
-rw-r--r--lib/gnutls_pk.c14
-rw-r--r--lib/x509/privkey.c92
-rw-r--r--lib/x509/verify.c91
-rw-r--r--lib/x509/verify.h4
-rw-r--r--lib/x509/x509.c34
5 files changed, 195 insertions, 40 deletions
diff --git a/lib/gnutls_pk.c b/lib/gnutls_pk.c
index 4ae4cc198f..78a294a43d 100644
--- a/lib/gnutls_pk.c
+++ b/lib/gnutls_pk.c
@@ -410,17 +410,17 @@ int _gnutls_dsa_sign(gnutls_datum * signature, const gnutls_datum *hash,
return ret;
}
- if (encode_ber_rs( signature, rs[0], rs[1])!=0) {
- gnutls_assert();
- _gnutls_mpi_release(&rs[0]);
- _gnutls_mpi_release(&rs[1]);
- return GNUTLS_E_MEMORY_ERROR;
- }
-
+ ret = encode_ber_rs( signature, rs[0], rs[1]);
+
/* free r,s */
_gnutls_mpi_release(&rs[0]);
_gnutls_mpi_release(&rs[1]);
+ if (ret!=0) {
+ gnutls_assert();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
return 0;
}
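Review bot: The failure branch moved below the MPI release still returns a hard-coded `GNUTLS_E_MEMORY_ERROR`, so whatever `encode_ber_rs()` reported in `ret` is discarded. If that helper already returns library error codes (its body is not visible in this hunk), `return ret;` would preserve the real cause for the caller. If it does not, a short comment saying why every failure is mapped to a memory error would help. The start of `_gnutls_dsa_sign()` is outside the hunk.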
diff --git a/lib/x509/privkey.c b/lib/x509/privkey.c
index e2cf819beb..7cc0097e85 100644
--- a/lib/x509/privkey.c
+++ b/lib/x509/privkey.c
@@ -31,6 +31,8 @@
#include <dn.h>
#include <mpi.h>
#include <extensions.h>
+#include <sign.h>
+#include <verify.h>
static int _encode_rsa( ASN1_TYPE* c2, GNUTLS_MPI* params);
@@ -953,3 +955,93 @@ cleanup:
_gnutls_free_datum( &der);
return result;
}
+
+#ifdef ENABLE_PKI
+
+/**
+ * gnutls_x509_privkey_sign_data - This function will sign the given data using the private key params
+ * @key: Holds the key
+ * @digest: should be MD5 or SHA1
+ * @flags: should be 0 for now
+ * @data: holds the data to be signed
+ * @signature: will contain the signature
+ * @signature_size: holds the size of signature (and will be replaced by the new size)
+ *
+ * This function will sign the given data using a signature algorithm supported by
+ * the private key. Signature algorithms are always used together with a hash functions.
+ * Different hash functions may be used for the RSA algorithm, but only
+ * SHA-1 for the DSA keys.
+ *
+ * If the buffer provided is not long enough to hold the output, then
+ * GNUTLS_E_SHORT_MEMORY_BUFFER will be returned.
+ *
+ * In case of failure a negative value will be returned, and
+ * 0 on success.
+ *
+ **/
+int gnutls_x509_privkey_sign_data( gnutls_x509_privkey key, gnutls_digest_algorithm digest,
+ unsigned int flags, const gnutls_datum* data,
+ void* signature, size_t* signature_size)
+{
+int result;
+gnutls_datum sig = { NULL, 0 };
+
+ if (key == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+ result = _gnutls_x509_sign( data, digest, key, &sig);
+ if (result < 0) {
+ gnutls_assert();
+ return result;
+ }
+
+ if (*signature_size < sig.size) {
+ *signature_size = sig.size;
+ _gnutls_free_datum( &sig);
+ return GNUTLS_E_SHORT_MEMORY_BUFFER;
+ }
+
+ *signature_size = sig.size;
+ memcpy( signature, sig.data, sig.size);
+
+ _gnutls_free_datum( &sig);
+
+ return 0;
+}
+
+/**
+ * gnutls_x509_privkey_verify_data - This function will verify the given signed data.
+ * @key: Holds the key
+ * @flags: should be 0 for now
+ * @data: holds the data to be signed
+ * @signature: contains the signature
+ *
+ * This function will verify the given signed data, using the parameters in the
+ * private key.
+ *
+ * In case of a verification failure 0 is returned, and
+ * 1 on success.
+ *
+ **/
+int gnutls_x509_privkey_verify_data( gnutls_x509_privkey key, unsigned int flags,
+ const gnutls_datum* data, const gnutls_datum* signature)
+{
+int result;
+
+ if (key == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+ result = _gnutls_x509_privkey_verify_signature( data, signature, key);
+ if (result < 0) {
+ gnutls_assert();
+ return 0;
+ }
+
+ return result;
+}
+
+#endif
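Review bot: `gnutls_x509_privkey_verify_data()` is documented as returning 0 on failure and 1 on success, but its `key == NULL` path returns `GNUTLS_E_INVALID_REQUEST`. Going by the `result < 0` checks, that code is negative and therefore truthy, so a caller that writes `if (gnutls_x509_privkey_verify_data(...))` would treat an unverified signature as valid. Either return 0 on that path, as the `result < 0` branch below it does, or extend the doc comment with `Returns a negative error code on invalid input; only a return value of 1 means the signature verified.` The same pattern appears in `gnutls_x509_crt_verify_data()` in lib/x509/x509.c. All three new functions also ignore `flags` although the docs say it should be 0; rejecting a non-zero value now would keep later flag additions detectable.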
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index d10821227b..24c7cdb702 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -41,7 +41,6 @@
static int _gnutls_verify_certificate2(gnutls_x509_crt cert,
gnutls_x509_crt *trusted_cas, int tcas_size,
unsigned int flags, unsigned int* output);
-static
int _gnutls_x509_verify_signature(const gnutls_datum* signed_data,
const gnutls_datum* signature, gnutls_x509_crt issuer);
static
@@ -460,67 +459,93 @@ _pkcs1_rsa_verify_sig( const gnutls_datum* text, const gnutls_datum* signature,
return 0;
}
-/* verifies if the certificate is properly signed.
- * returns 0 on failure and 1 on success.
- *
- * 'tbs' is the signed data
- * 'signature' is the signature!
+/* Verifies the signature data, and returns 0 if not verified,
+ * or 1 otherwise.
*/
-static
-int _gnutls_x509_verify_signature( const gnutls_datum* tbs,
- const gnutls_datum* signature, gnutls_x509_crt issuer)
+static int verify_sig( const gnutls_datum* tbs, const gnutls_datum* signature,
+ gnutls_pk_algorithm pk, GNUTLS_MPI* issuer_params, int issuer_params_size)
{
-GNUTLS_MPI issuer_params[MAX_PUBLIC_PARAMS_SIZE];
-int ret, issuer_params_size, i;
-
- /* Read the MPI parameters from the issuer's certificate.
- */
- issuer_params_size = MAX_PUBLIC_PARAMS_SIZE;
- ret = _gnutls_x509_crt_get_mpis(issuer, issuer_params, &issuer_params_size);
- if ( ret < 0) {
- gnutls_assert();
- return ret;
- }
-
- switch( gnutls_x509_crt_get_pk_algorithm(issuer, NULL))
+ switch( pk )
{
case GNUTLS_PK_RSA:
if (_pkcs1_rsa_verify_sig( tbs, signature, issuer_params, issuer_params_size)!=0) {
gnutls_assert();
- ret = 0;
- goto finish;
+ return 0;
}
- ret = 1;
- goto finish;
+ return 1;
break;
case GNUTLS_PK_DSA:
if (_gnutls_dsa_verify( tbs, signature, issuer_params, issuer_params_size)!=0) {
gnutls_assert();
- ret = 0;
- goto finish;
+ return 0;
}
- ret = 1;
- goto finish;
+ return 1;
break;
default:
gnutls_assert();
- ret = GNUTLS_E_INTERNAL_ERROR;
- goto finish;
+ return GNUTLS_E_INTERNAL_ERROR;
}
+}
- finish:
+/* verifies if the certificate is properly signed.
+ * returns 0 on failure and 1 on success.
+ *
+ * 'tbs' is the signed data
+ * 'signature' is the signature!
+ */
+int _gnutls_x509_verify_signature( const gnutls_datum* tbs,
+ const gnutls_datum* signature, gnutls_x509_crt issuer)
+{
+GNUTLS_MPI issuer_params[MAX_PUBLIC_PARAMS_SIZE];
+int ret, issuer_params_size, i;
+
+ /* Read the MPI parameters from the issuer's certificate.
+ */
+ issuer_params_size = MAX_PUBLIC_PARAMS_SIZE;
+ ret = _gnutls_x509_crt_get_mpis(issuer, issuer_params, &issuer_params_size);
+ if ( ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+
+ ret = verify_sig( tbs, signature, gnutls_x509_crt_get_pk_algorithm(issuer, NULL),
+ issuer_params, issuer_params_size);
+ if ( ret < 0) {
+ gnutls_assert();
+ }
/* release all allocated MPIs
*/
for (i = 0; i < issuer_params_size; i++) {
_gnutls_mpi_release( &issuer_params[i]);
}
+
+ return ret;
+}
+
+/* verifies if the certificate is properly signed.
+ * returns 0 on failure and 1 on success.
+ *
+ * 'tbs' is the signed data
+ * 'signature' is the signature!
+ */
+int _gnutls_x509_privkey_verify_signature( const gnutls_datum* tbs,
+ const gnutls_datum* signature, gnutls_x509_privkey issuer)
+{
+ int ret;
+
+ ret = verify_sig( tbs, signature, issuer->pk_algorithm,
+ issuer->params, issuer->params_size);
+ if ( ret < 0) {
+ gnutls_assert();
+ }
+
return ret;
}
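Review bot: `_gnutls_x509_privkey_verify_signature()` passes `issuer->params` and `issuer->params_size` from a private key straight to `verify_sig()`, which forwards them to the same routines used for a certificate's public parameters. That works only if the private-key array begins with the public parameters in the same order and the verify routines tolerate a larger count. Neither is visible in this hunk, so it deserves a comment such as `/* relies on the private key params beginning with the public params, in certificate order */`. The header comment on this function is also copied from the certificate variant and still says it checks whether "the certificate is properly signed". Both wrappers can return a negative value even though their headers promise "0 on failure and 1 on success".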
diff --git a/lib/x509/verify.h b/lib/x509/verify.h
index c8c677bac0..1c4a283a13 100644
--- a/lib/x509/verify.h
+++ b/lib/x509/verify.h
@@ -19,3 +19,7 @@ int gnutls_x509_crt_list_verify( gnutls_x509_crt* cert_list, int cert_list_lengt
gnutls_x509_crl* CRL_list, int CRL_list_length,
unsigned int flags, unsigned int *verify);
+int _gnutls_x509_verify_signature( const gnutls_datum* tbs,
+ const gnutls_datum* signature, gnutls_x509_crt issuer);
+int _gnutls_x509_privkey_verify_signature( const gnutls_datum* tbs,
+ const gnutls_datum* signature, gnutls_x509_privkey issuer);
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index baa023a7ed..d6d78592af 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -36,6 +36,7 @@
#include <gnutls_ui.h>
#include <mpi.h>
#include <privkey.h>
+#include <verify.h>
/**
* gnutls_x509_crt_init - This function initializes a gnutls_x509_crt structure
@@ -1271,4 +1272,37 @@ int gnutls_x509_crt_check_revocation(gnutls_x509_crt cert,
return 0; /* not revoked. */
}
+/**
+ * gnutls_x509_crt_verify_data - This function will verify the given signed data.
+ * @crt: Holds the certificate
+ * @flags: should be 0 for now
+ * @data: holds the data to be signed
+ * @signature: contains the signature
+ *
+ * This function will verify the given signed data, using the parameters from the
+ * certificate.
+ *
+ * In case of a verification failure 0 is returned, and
+ * 1 on success.
+ *
+ **/
+int gnutls_x509_crt_verify_data( gnutls_x509_crt crt, unsigned int flags,
+ const gnutls_datum* data, const gnutls_datum* signature)
+{
+int result;
+
+ if (crt == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+ result = _gnutls_x509_verify_signature( data, signature, crt);
+ if (result < 0) {
+ gnutls_assert();
+ return 0;
+ }
+
+ return result;
+}
+
#endif