path: root/lib
Commit message | Author | Age | Files | Lines
...
* pkcs11: mark RSA PKCS#11 key which can do RSA-PSS | Nikos Mavrogiannopoulos | 2017-08-04 | 1 | -1/+12
    Also refuse to sign with RSA-PSS if the mechanism is not supported.
    Relates #208
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* handshake: select a signature algorithm early | Nikos Mavrogiannopoulos | 2017-08-04 | 3 | -6/+60
    That is, select the signature algorithm at the point the certificate and ciphersuites are decided. Also ensure that a compatible signature algorithm with the ciphersuite and the key is selected. That prevents situations where a ciphersuite and a certificate are negotiated, but later on the handshake we figure that there are no common signature algorithms.
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_pkcs11_token_check_mechanism: introduced function to check token for a particular mechanism | Nikos Mavrogiannopoulos | 2017-08-04 | 5 | -0/+83
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* x509/output: print error on invalid public key parameters on certificate | Nikos Mavrogiannopoulos | 2017-08-04 | 2 | -18/+36
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_pk_get_oid: return early on unknown algorithm | Nikos Mavrogiannopoulos | 2017-08-04 | 1 | -0/+3
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* spki: combined all exported functions to a single set and get | Nikos Mavrogiannopoulos | 2017-08-04 | 3 | -106/+37
    This simplifies setting parameters for a particular key type, as well as getting them. The advantage is that they are set atomically, preventing an inadvertently half-filled structure.
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* introduced error code GNUTLS_E_PK_INVALID_PUBKEY_PARAMS | Nikos Mavrogiannopoulos | 2017-08-04 | 4 | -5/+8
    This is being used to indicate errors in the public key parameters such as the RSA-PSS salt size or digest algorithm.
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_x509_privkey_generate*: allow specifying the SPKI parameters for key generation | Nikos Mavrogiannopoulos | 2017-08-04 | 3 | -16/+26
    This in turn removes the need for reading the flag GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE on the key generation process. The flag is now only used during key signing which is also its documented purpose.
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_x509_privkey_set_spki: check validity of parameters set | Nikos Mavrogiannopoulos | 2017-08-04 | 1 | -0/+9
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_x509_cr*_set_spki: check for validity of parameters set | Nikos Mavrogiannopoulos | 2017-08-04 | 2 | -54/+90
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls_x509_check_pubkey_params: removed unnecessary parameter | Nikos Mavrogiannopoulos | 2017-08-04 | 3 | -6/+4
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_pubkey_import_x509: propagate errors from gnutls_x509_crt_get_pk_algorithm | Nikos Mavrogiannopoulos | 2017-08-04 | 1 | -1/+5
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _rsa_pss_verify_digest: verify the validity of the salt_size length on verification | Nikos Mavrogiannopoulos | 2017-08-04 | 1 | -0/+2
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_x509_privkey_import: immediately exit on GNUTLS_E_PK_INVALID_PRIVKEY | Nikos Mavrogiannopoulos | 2017-08-04 | 1 | -0/+3
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* wrap_nettle_pk_fixup: check RSA PSS parameters for validity on import | Nikos Mavrogiannopoulos | 2017-08-04 | 1 | -2/+14
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_x509_*_set_spki: removed arbitrary restrictions to setting parameters | Nikos Mavrogiannopoulos | 2017-08-04 | 2 | -21/+1
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* pct_test: use local SPKI structure to override parameters if not set | Nikos Mavrogiannopoulos | 2017-08-04 | 1 | -3/+9
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* fixup_spki_params: use GNUTLS_E_CONSTRAINT_ERROR for RSA-PSS violations | Nikos Mavrogiannopoulos | 2017-08-04 | 1 | -3/+3
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls_x509_read_pkalgo_params: initialize params structure | Nikos Mavrogiannopoulos | 2017-08-04 | 1 | -2/+4
    That is the primary call on these parameters, thus it should initialize the structure with something reasonable. That is similar to behavior of _gnutls_x509_read_rsa_pss_params.
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* RSA-PSS parameter checking was moved to lower level functions | Nikos Mavrogiannopoulos | 2017-08-04 | 4 | -36/+34
    That way all PKI callers get protected by the checks.
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* signature security level checks were moved to lower level functions | Nikos Mavrogiannopoulos | 2017-08-04 | 4 | -25/+31
    That way all callers (including PKI functions) get protected by the available checks.
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _wrap_nettle_pk_encrypt: return GNUTLS_E_INVALID_REQUEST on unsupported algorithms | Nikos Mavrogiannopoulos | 2017-08-04 | 1 | -2/+2
    That is a more specific error code than internal error.
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* verify_crt: translate GNUTLS_E_CONSTRAINT_ERROR to verification status flag | Nikos Mavrogiannopoulos | 2017-08-04 | 1 | -0/+6
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* x509/sign: in debugging mode print the signature algorithm | Nikos Mavrogiannopoulos | 2017-08-04 | 1 | -0/+2
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls_x509_validate_sign_params: use GNUTLS_E_CONSTRAINT_ERROR for mismatch of RSA-PSS parameters | Nikos Mavrogiannopoulos | 2017-08-04 | 1 | -2/+2
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls_x509_read_rsa_pss_params: fail early on unknown hash algorithms | Nikos Mavrogiannopoulos | 2017-08-04 | 1 | -4/+12
    Also utilize GNUTLS_E_CONSTRAINT_ERROR for signaling differences between the hash functions.
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_pubkey_get_preferred_hash_algorithm: will take into account the RSA-PSS SPKI | Nikos Mavrogiannopoulos | 2017-08-04 | 1 | -2/+14
    In addition it will offer a SHA hash depending on the key size for RSA public keys.
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* x509/output: Subject Public Key parameters are printed just before actual key | Nikos Mavrogiannopoulos | 2017-08-04 | 1 | -65/+28
    That allows one to figure out the algorithm and basic parameters more easily, rather than having them at the end of long key output.
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_x509_crt_set_spki: be more verbose in parameter restrictions | Nikos Mavrogiannopoulos | 2017-08-04 | 1 | -4/+14
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls_privkey_update_spki_params: use GNUTLS_E_CONSTRAINT_ERROR on mismatch of hash | Nikos Mavrogiannopoulos | 2017-08-04 | 1 | -3/+2
    That is a more specific error code for hash mismatch between public key information and signature. In addition only override the salt size, if it is set to zero without the proper flags. That prevents the update function from setting an invalid (lower than the expected) size.
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls_x509_write_rsa_pss_params: refuse to write RSA-PSS parameters we cannot use | Nikos Mavrogiannopoulos | 2017-08-04 | 1 | -0/+4
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_x509_*_get_signature_algorithm: simplified error handling | Nikos Mavrogiannopoulos | 2017-08-03 | 4 | -18/+22
    These functions were documented to return a negative error code on failure, as well as GNUTLS_SIGN_UNKNOWN on unknown algorithms. Simplify them by only returning GNUTLS_SIGN_UNKNOWN on all error conditions.
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls_x509_get_signature_algorithm: return negative error code on unknown algorithm | Nikos Mavrogiannopoulos | 2017-08-03 | 1 | -3/+6
    This allows internal callers to quickly fail on errors.
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* compare_sig_algorithm: modify to work even for certs with unsupported signature algorithm | Nikos Mavrogiannopoulos | 2017-08-03 | 1 | -9/+16
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* pubkey_verify_hashed_data: simplified and made static | Nikos Mavrogiannopoulos | 2017-08-03 | 3 | -29/+38
    That also removes its ability to operate with the 'unknown' signature algorithm, and forces the TLS 1.0 key exchange to supply the right algorithm or flags.
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* pubkey_verify_data: accept signature entry instead of PK and hash | Nikos Mavrogiannopoulos | 2017-08-03 | 4 | -22/+26
    That aligns better with current callers which know the signature algorithm in use.
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Added convention for missing SubjectPublicKeyInfo params field | Nikos Mavrogiannopoulos | 2017-08-03 | 13 | -44/+83
    That is, when that field is missing, the spki_st structure field pk will be set to GNUTLS_PK_UNKNOWN. In that case other fields are undefined.
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* *set_spki(): return error on incompatible algorithms | Nikos Mavrogiannopoulos | 2017-08-03 | 6 | -0/+29
    In addition update the public key algorithm field in the respective structure.
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_x509_privkey_generate2: do not hardcode the RSA-PSS hash to SHA256 | Nikos Mavrogiannopoulos | 2017-08-03 | 3 | -3/+22
    Instead use _gnutls_pk_bits_to_sha_hash() to set an appropriate hash for the number of bits of the key. This better matches the "intention" of RSA-PSS of tying the security parameter with the salt and hash.
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _decode_pkcs8_rsa_pss_key: ensure we set the PSS PK identifier | Nikos Mavrogiannopoulos | 2017-08-03 | 1 | -1/+1
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* cleanup: removed duplicate parameter in gnutls_pubkey_st | Nikos Mavrogiannopoulos | 2017-08-03 | 3 | -39/+33
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_x509_privkey_int: eliminated duplicate pk_algorithm field | Nikos Mavrogiannopoulos | 2017-08-03 | 8 | -60/+54
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* cleanup: removed unnecessary/duplicate parameters in _dsa_q_to_hash | Nikos Mavrogiannopoulos | 2017-08-03 | 3 | -18/+14
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* cleanup: removed unnecessary/duplicate parameters in functions | Nikos Mavrogiannopoulos | 2017-08-03 | 4 | -15/+17
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* cleanup: removed unnecessary/duplicate parameters in functions | Nikos Mavrogiannopoulos | 2017-08-03 | 11 | -51/+25
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* abstract.h: added functions to read and write SPKI information | Nikos Mavrogiannopoulos | 2017-08-03 | 4 | -0/+130
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_x509_privkey_set_spki: introduced function to update SPKI on a key | Nikos Mavrogiannopoulos | 2017-08-03 | 3 | -0/+29
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* x509.h: Renamed SPKI related functions | Nikos Mavrogiannopoulos | 2017-08-03 | 6 | -130/+115
    This better reflects their purpose as providers of information for subject public key. In addition use 'const' for fields that should be left intact.
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls_pubkey_compatible_with_sig: enforce RSA-PSS requirements | Nikos Mavrogiannopoulos | 2017-08-03 | 1 | -6/+20
    That is, require that parameters in an RSA-PSS key which has them explicitly set are respected with regard to signature algorithm negotiation.
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_pubkey_verify*: use common function to set RSA-PSS parameters | Nikos Mavrogiannopoulos | 2017-08-03 | 1 | -45/+43
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>