-rw-r--r-- | lib/abstract_int.h | 2 | ||||
-rw-r--r-- | lib/privkey.c | 57 | ||||
-rw-r--r-- | lib/x509/crq.c | 2 | ||||
-rw-r--r-- | lib/x509/pkcs7.c | 2 | ||||
-rw-r--r-- | lib/x509/privkey.c | 55 | ||||
-rw-r--r-- | lib/x509/sign.c | 2 | ||||
-rw-r--r-- | lib/x509/x509_int.h | 5 |
7 files changed, 53 insertions, 72 deletions
diff --git a/lib/abstract_int.h b/lib/abstract_int.h index 250e94453d..baa7a3c62a 100644 --- a/lib/abstract_int.h +++ b/lib/abstract_int.h @@ -84,7 +84,7 @@ int _gnutls_privkey_get_public_mpis(gnutls_privkey_t key, int _gnutls_privkey_get_sign_params(gnutls_privkey_t key, gnutls_x509_spki_st * params); -int _gnutls_privkey_find_sign_params(gnutls_privkey_t key, +int _gnutls_privkey_update_sign_params(gnutls_privkey_t key, gnutls_pk_algorithm_t pk, gnutls_digest_algorithm_t dig, unsigned flags, diff --git a/lib/privkey.c b/lib/privkey.c index 9def4109a9..e92ce49763 100644 --- a/lib/privkey.c +++ b/lib/privkey.c @@ -335,7 +335,7 @@ _gnutls_privkey_get_sign_params(gnutls_privkey_t key, * with PK and DIG. PARAMS must be initialized with * _gnutls_privkey_get_sign_params in advance. */ int -_gnutls_privkey_find_sign_params(gnutls_privkey_t key, +_gnutls_privkey_update_sign_params(gnutls_privkey_t key, gnutls_pk_algorithm_t pk, gnutls_digest_algorithm_t dig, unsigned flags, 
@@ -350,12 +350,51 @@ _gnutls_privkey_find_sign_params(gnutls_privkey_t key, case GNUTLS_PRIVKEY_PKCS11: break; #endif - case GNUTLS_PRIVKEY_X509: - return _gnutls_x509_privkey_find_sign_params(key->key.x509, - pk, - dig, - flags, - params); + case GNUTLS_PRIVKEY_X509: { + unsigned salt_size = 0; + gnutls_pk_algorithm_t key_pk; + unsigned bits; + + if (flags & GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS) { + if (!GNUTLS_PK_IS_RSA(pk)) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + pk = GNUTLS_PK_RSA_PSS; + } + + key_pk = gnutls_x509_privkey_get_pk_algorithm2(key->key.x509, &bits); + if (!(key_pk == pk || + (key_pk == GNUTLS_PK_RSA && pk == GNUTLS_PK_RSA_PSS))) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (pk == GNUTLS_PK_RSA_PSS) { + const mac_entry_st *me; + + me = hash_to_entry(dig); + if (unlikely(me == NULL)) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + + if (params->pk == GNUTLS_PK_RSA) + salt_size = 0; + else if (params->pk == GNUTLS_PK_RSA_PSS) { + if (dig != params->dig) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + salt_size = params->salt_size; + } + + if (!(flags & GNUTLS_PRIVKEY_SIGN_FLAG_REPRODUCIBLE)) + salt_size = _gnutls_find_rsa_pss_salt_size(bits, me, + salt_size); + } + + params->salt_size = salt_size; + + break; + } default: gnutls_assert(); return GNUTLS_E_INVALID_REQUEST; @@ -1166,7 +1205,7 @@ gnutls_privkey_sign_data(gnutls_privkey_t signer, return ret; } - ret = _gnutls_privkey_find_sign_params(signer, signer->pk_algorithm, + ret = _gnutls_privkey_update_sign_params(signer, signer->pk_algorithm, hash, flags, ¶ms); if (ret < 0) { gnutls_assert(); @@ -1256,7 +1295,7 @@ gnutls_privkey_sign_hash(gnutls_privkey_t signer, return ret; } - ret = _gnutls_privkey_find_sign_params(signer, signer->pk_algorithm, + ret = _gnutls_privkey_update_sign_params(signer, signer->pk_algorithm, hash_algo, flags, ¶ms); if (ret < 0) { gnutls_assert(); 
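Review bot: The new `GNUTLS_PRIVKEY_X509` case writes only `params->salt_size` before its `break`, whereas the helper it replaces also stored `params->pk = pk` and `params->dig = dig`. The function starts before and continues past this hunk, so please confirm that both fields are still assigned after the switch. If they are not, a plain RSA key used with `GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS` would keep `params->pk == GNUTLS_PK_RSA`, and the signing path could then select PKCS#1 v1.5 where PSS was requested. In that case keep `params->pk = pk;` and `params->dig = dig;` next to `params->salt_size = salt_size;`. The flag-to-`GNUTLS_PK_RSA_PSS` rewrite, the key/algorithm compatibility check and the `dig != params->dig` restriction also exist only in this case, while the PKCS#11 case above simply breaks; a comment such as `/* only X.509 keys get the RSA-PSS flag and digest-restriction checks here */` would make that gap visible to the next reader.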
diff --git a/lib/x509/crq.c b/lib/x509/crq.c index e6f774d1f7..2e53bfadb3 100644 --- a/lib/x509/crq.c +++ b/lib/x509/crq.c @@ -2845,7 +2845,7 @@ gnutls_x509_crq_privkey_sign(gnutls_x509_crq_t crq, gnutls_privkey_t key, } pk = gnutls_privkey_get_pk_algorithm(key, NULL); - result = _gnutls_privkey_find_sign_params(key, pk, dig, 0, ¶ms); + result = _gnutls_privkey_update_sign_params(key, pk, dig, 0, ¶ms); if (result < 0) { gnutls_assert(); return result; diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c index 9222af652e..2812b7f89d 100644 --- a/lib/x509/pkcs7.c +++ b/lib/x509/pkcs7.c @@ -2498,7 +2498,7 @@ int gnutls_pkcs7_sign(gnutls_pkcs7_t pkcs7, goto cleanup; } - result = _gnutls_privkey_find_sign_params(signer_key, pk, dig, 0, + result = _gnutls_privkey_update_sign_params(signer_key, pk, dig, 0, ¶ms); if (result < 0) { gnutls_assert(); diff --git a/lib/x509/privkey.c b/lib/x509/privkey.c index b8e6092c34..6015b7610b 100644 --- a/lib/x509/privkey.c +++ b/lib/x509/privkey.c 
@@ -2184,60 +2184,7 @@ _gnutls_x509_privkey_get_sign_params(gnutls_x509_privkey_t key, gnutls_x509_spki_st *params) { memcpy(params, &key->params.sign, sizeof(gnutls_x509_spki_st)); - params->pk = gnutls_x509_privkey_get_pk_algorithm2(key, NULL); + params->pk = key->pk_algorithm; return 0; } -int -_gnutls_x509_privkey_find_sign_params(gnutls_x509_privkey_t key, - gnutls_pk_algorithm_t pk, - gnutls_digest_algorithm_t dig, - unsigned flags, - gnutls_x509_spki_st *params) -{ - unsigned salt_size = 0; - gnutls_pk_algorithm_t key_pk; - unsigned bits; - - if (flags & GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS) { - if (!GNUTLS_PK_IS_RSA(pk)) - return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); - pk = GNUTLS_PK_RSA_PSS; - } - - key_pk = gnutls_x509_privkey_get_pk_algorithm2(key, &bits); - if (!(key_pk == pk || - (key_pk == GNUTLS_PK_RSA && pk == GNUTLS_PK_RSA_PSS))) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - if (pk == GNUTLS_PK_RSA_PSS) { - const mac_entry_st *me; - - me = hash_to_entry(dig); - if (unlikely(me == NULL)) - return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); - - if (params->pk == GNUTLS_PK_RSA) - salt_size = 0; - else if (params->pk == GNUTLS_PK_RSA_PSS) { - if (dig != params->dig) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - salt_size = params->salt_size; - } - - if ((flags & GNUTLS_PRIVKEY_SIGN_FLAG_REPRODUCIBLE) == 0) - salt_size = _gnutls_find_rsa_pss_salt_size(bits, me, - salt_size); - } - - params->pk = pk; - params->dig = dig; - params->salt_size = salt_size; - - return 0; -} diff --git a/lib/x509/sign.c b/lib/x509/sign.c index 0abe92a3b4..20387d8826 100644 --- a/lib/x509/sign.c +++ b/lib/x509/sign.c @@ -128,7 +128,7 @@ _gnutls_x509_pkix_sign(ASN1_TYPE src, const char *src_name, return result; } - result = _gnutls_privkey_find_sign_params(issuer_key, pk, dig, flags, + result = _gnutls_privkey_update_sign_params(issuer_key, pk, dig, flags, ¶ms); if (result < 0) { gnutls_assert(); 
diff --git a/lib/x509/x509_int.h b/lib/x509/x509_int.h index 7b2d38457d..13cbc96e4b 100644 --- a/lib/x509/x509_int.h +++ b/lib/x509/x509_int.h @@ -253,11 +253,6 @@ int _gnutls_asn1_encode_privkey(gnutls_pk_algorithm_t pk, ASN1_TYPE * c2, int _gnutls_x509_privkey_get_sign_params(gnutls_x509_privkey_t key, gnutls_x509_spki_st * params); -int _gnutls_x509_privkey_find_sign_params(gnutls_x509_privkey_t key, - gnutls_pk_algorithm_t pk, - gnutls_digest_algorithm_t dig, - unsigned flags, - gnutls_x509_spki_st *params); int _gnutls_x509_read_rsa_pss_params(uint8_t * der, int dersize, gnutls_x509_spki_st * params); |