diff options
author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2003-11-26 08:59:24 +0000 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2003-11-26 08:59:24 +0000 |
commit | d5cc889902e0fc6beaaefcfac069b0dc089795b0 (patch) | |
tree | dc5cd46f99d77ecc409141216e26eea4819eae01 /lib | |
parent | 16a3924dfb57012744cbebe6d1f0cd5059df7d44 (diff) | |
download | gnutls-d5cc889902e0fc6beaaefcfac069b0dc089795b0.tar.gz |
Exported the gnutls_x509_privkey_sign_data(), gnutls_x509_privkey_verify_data()
and gnutls_x509_crt_verify_data().
Diffstat (limited to 'lib')
-rw-r--r-- | lib/gnutls_pk.c | 14 | ||||
-rw-r--r-- | lib/x509/privkey.c | 92 | ||||
-rw-r--r-- | lib/x509/verify.c | 91 | ||||
-rw-r--r-- | lib/x509/verify.h | 4 | ||||
-rw-r--r-- | lib/x509/x509.c | 34 |
5 files changed, 195 insertions, 40 deletions
diff --git a/lib/gnutls_pk.c b/lib/gnutls_pk.c index 4ae4cc198f..78a294a43d 100644 --- a/lib/gnutls_pk.c +++ b/lib/gnutls_pk.c @@ -410,17 +410,17 @@ int _gnutls_dsa_sign(gnutls_datum * signature, const gnutls_datum *hash, return ret; } - if (encode_ber_rs( signature, rs[0], rs[1])!=0) { - gnutls_assert(); - _gnutls_mpi_release(&rs[0]); - _gnutls_mpi_release(&rs[1]); - return GNUTLS_E_MEMORY_ERROR; - } - + ret = encode_ber_rs( signature, rs[0], rs[1]); + /* free r,s */ _gnutls_mpi_release(&rs[0]); _gnutls_mpi_release(&rs[1]); + if (ret!=0) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + return 0; } diff --git a/lib/x509/privkey.c b/lib/x509/privkey.c index e2cf819beb..7cc0097e85 100644 --- a/lib/x509/privkey.c +++ b/lib/x509/privkey.c @@ -31,6 +31,8 @@ #include <dn.h> #include <mpi.h> #include <extensions.h> +#include <sign.h> +#include <verify.h> static int _encode_rsa( ASN1_TYPE* c2, GNUTLS_MPI* params); @@ -953,3 +955,93 @@ cleanup: _gnutls_free_datum( &der); return result; } + +#ifdef ENABLE_PKI + +/** + * gnutls_x509_privkey_sign_data - This function will sign the given data using the private key params + * @key: Holds the key + * @digest: should be MD5 or SHA1 + * @flags: should be 0 for now + * @data: holds the data to be signed + * @signature: will contain the signature + * @signature_size: holds the size of signature (and will be replaced by the new size) + * + * This function will sign the given data using a signature algorithm supported by + * the private key. Signature algorithms are always used together with a hash functions. + * Different hash functions may be used for the RSA algorithm, but only + * SHA-1 for the DSA keys. + * + * If the buffer provided is not long enough to hold the output, then + * GNUTLS_E_SHORT_MEMORY_BUFFER will be returned. + * + * In case of failure a negative value will be returned, and + * 0 on success. + * + **/ +int gnutls_x509_privkey_sign_data( gnutls_x509_privkey key, gnutls_digest_algorithm digest, + unsigned int flags, const gnutls_datum* data, + void* signature, size_t* signature_size) +{ +int result; +gnutls_datum sig = { NULL, 0 }; + + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + result = _gnutls_x509_sign( data, digest, key, &sig); + if (result < 0) { + gnutls_assert(); + return result; + } + + if (*signature_size < sig.size) { + *signature_size = sig.size; + _gnutls_free_datum( &sig); + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + + *signature_size = sig.size; + memcpy( signature, sig.data, sig.size); + + _gnutls_free_datum( &sig); + + return 0; +} + +/** + * gnutls_x509_privkey_verify_data - This function will verify the given signed data. + * @key: Holds the key + * @flags: should be 0 for now + * @data: holds the data to be signed + * @signature: contains the signature + * + * This function will verify the given signed data, using the parameters in the + * private key. + * + * In case of a verification failure 0 is returned, and + * 1 on success. + * + **/ +int gnutls_x509_privkey_verify_data( gnutls_x509_privkey key, unsigned int flags, + const gnutls_datum* data, const gnutls_datum* signature) +{ +int result; + + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + result = _gnutls_x509_privkey_verify_signature( data, signature, key); + if (result < 0) { + gnutls_assert(); + return 0; + } + + return result; +} + +#endif diff --git a/lib/x509/verify.c b/lib/x509/verify.c index d10821227b..24c7cdb702 100644 --- a/lib/x509/verify.c +++ b/lib/x509/verify.c @@ -41,7 +41,6 @@ static int _gnutls_verify_certificate2(gnutls_x509_crt cert, gnutls_x509_crt *trusted_cas, int tcas_size, unsigned int flags, unsigned int* output); -static int _gnutls_x509_verify_signature(const gnutls_datum* signed_data, const gnutls_datum* signature, gnutls_x509_crt issuer); static @@ -460,67 +459,93 @@ _pkcs1_rsa_verify_sig( const gnutls_datum* text, const gnutls_datum* signature, return 0; } -/* verifies if the certificate is properly signed. - * returns 0 on failure and 1 on success. - * - * 'tbs' is the signed data - * 'signature' is the signature! +/* Verifies the signature data, and returns 0 if not verified, + * or 1 otherwise. */ -static -int _gnutls_x509_verify_signature( const gnutls_datum* tbs, - const gnutls_datum* signature, gnutls_x509_crt issuer) +static int verify_sig( const gnutls_datum* tbs, const gnutls_datum* signature, + gnutls_pk_algorithm pk, GNUTLS_MPI* issuer_params, int issuer_params_size) { -GNUTLS_MPI issuer_params[MAX_PUBLIC_PARAMS_SIZE]; -int ret, issuer_params_size, i; - - /* Read the MPI parameters from the issuer's certificate. - */ - issuer_params_size = MAX_PUBLIC_PARAMS_SIZE; - ret = _gnutls_x509_crt_get_mpis(issuer, issuer_params, &issuer_params_size); - if ( ret < 0) { - gnutls_assert(); - return ret; - } - - switch( gnutls_x509_crt_get_pk_algorithm(issuer, NULL)) + switch( pk ) { case GNUTLS_PK_RSA: if (_pkcs1_rsa_verify_sig( tbs, signature, issuer_params, issuer_params_size)!=0) { gnutls_assert(); - ret = 0; - goto finish; + return 0; } - ret = 1; - goto finish; + return 1; break; case GNUTLS_PK_DSA: if (_gnutls_dsa_verify( tbs, signature, issuer_params, issuer_params_size)!=0) { gnutls_assert(); - ret = 0; - goto finish; + return 0; } - ret = 1; - goto finish; + return 1; break; default: gnutls_assert(); - ret = GNUTLS_E_INTERNAL_ERROR; - goto finish; + return GNUTLS_E_INTERNAL_ERROR; } +} - finish: +/* verifies if the certificate is properly signed. + * returns 0 on failure and 1 on success. + * + * 'tbs' is the signed data + * 'signature' is the signature! + */ +int _gnutls_x509_verify_signature( const gnutls_datum* tbs, + const gnutls_datum* signature, gnutls_x509_crt issuer) +{ +GNUTLS_MPI issuer_params[MAX_PUBLIC_PARAMS_SIZE]; +int ret, issuer_params_size, i; + + /* Read the MPI parameters from the issuer's certificate. + */ + issuer_params_size = MAX_PUBLIC_PARAMS_SIZE; + ret = _gnutls_x509_crt_get_mpis(issuer, issuer_params, &issuer_params_size); + if ( ret < 0) { + gnutls_assert(); + return ret; + } + + ret = verify_sig( tbs, signature, gnutls_x509_crt_get_pk_algorithm(issuer, NULL), + issuer_params, issuer_params_size); + if ( ret < 0) { + gnutls_assert(); + } /* release all allocated MPIs */ for (i = 0; i < issuer_params_size; i++) { _gnutls_mpi_release( &issuer_params[i]); } + + return ret; +} + +/* verifies if the certificate is properly signed. + * returns 0 on failure and 1 on success. + * + * 'tbs' is the signed data + * 'signature' is the signature! + */ +int _gnutls_x509_privkey_verify_signature( const gnutls_datum* tbs, + const gnutls_datum* signature, gnutls_x509_privkey issuer) +{ + int ret; + + ret = verify_sig( tbs, signature, issuer->pk_algorithm, + issuer->params, issuer->params_size); + if ( ret < 0) { + gnutls_assert(); + } + return ret; } diff --git a/lib/x509/verify.h b/lib/x509/verify.h index c8c677bac0..1c4a283a13 100644 --- a/lib/x509/verify.h +++ b/lib/x509/verify.h @@ -19,3 +19,7 @@ int gnutls_x509_crt_list_verify( gnutls_x509_crt* cert_list, int cert_list_lengt gnutls_x509_crl* CRL_list, int CRL_list_length, unsigned int flags, unsigned int *verify); +int _gnutls_x509_verify_signature( const gnutls_datum* tbs, + const gnutls_datum* signature, gnutls_x509_crt issuer); +int _gnutls_x509_privkey_verify_signature( const gnutls_datum* tbs, + const gnutls_datum* signature, gnutls_x509_privkey issuer); diff --git a/lib/x509/x509.c b/lib/x509/x509.c index baa023a7ed..d6d78592af 100644 --- a/lib/x509/x509.c +++ b/lib/x509/x509.c @@ -36,6 +36,7 @@ #include <gnutls_ui.h> #include <mpi.h> #include <privkey.h> +#include <verify.h> /** * gnutls_x509_crt_init - This function initializes a gnutls_x509_crt structure @@ -1271,4 +1272,37 @@ int gnutls_x509_crt_check_revocation(gnutls_x509_crt cert, return 0; /* not revoked. */ } +/** + * gnutls_x509_crt_verify_data - This function will verify the given signed data. + * @crt: Holds the certificate + * @flags: should be 0 for now + * @data: holds the data to be signed + * @signature: contains the signature + * + * This function will verify the given signed data, using the parameters from the + * certificate. + * + * In case of a verification failure 0 is returned, and + * 1 on success. + * + **/ +int gnutls_x509_crt_verify_data( gnutls_x509_crt crt, unsigned int flags, + const gnutls_datum* data, const gnutls_datum* signature) +{ +int result; + + if (crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + result = _gnutls_x509_verify_signature( data, signature, crt); + if (result < 0) { + gnutls_assert(); + return 0; + } + + return result; +} + #endif |