From 84b5e9971c2335b28348039c051572d9eea79389 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Fri, 4 Aug 2017 09:25:31 +0200
Subject: spki: combined all exported functions to a single set and get

This simplifies setting parameters for a particular key type, as well as getting them. The advantage is that they are set atomically, preventing an inadverterly half-filled structure.

Signed-off-by: Nikos Mavrogiannopoulos
---
 lib/includes/gnutls/x509.h | 15 +++--
 lib/libgnutls.map | 8 +--
 lib/x509/spki.c | 120 +++++++++++----------------------------------
 src/certtool-common.c | 17 +++---
 src/certtool.c | 22 +++++----
 5 files changed, 57 insertions(+), 125 deletions(-)

diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index 3175dcff8f..86d45dd5c4 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -417,15 +417,12 @@ typedef struct gnutls_x509_spki_st *gnutls_x509_spki_t;
 int gnutls_x509_spki_init(gnutls_x509_spki_t *spki);
 void gnutls_x509_spki_deinit(gnutls_x509_spki_t spki);
-int gnutls_x509_spki_get_pk_algorithm(gnutls_x509_spki_t spki);
-void gnutls_x509_spki_set_pk_algorithm(gnutls_x509_spki_t spki,
- gnutls_pk_algorithm_t pk);
-int gnutls_x509_spki_get_digest_algorithm(gnutls_x509_spki_t spki);
-void gnutls_x509_spki_set_digest_algorithm(gnutls_x509_spki_t spki,
- gnutls_digest_algorithm_t dig);
-int gnutls_x509_spki_get_salt_size(gnutls_x509_spki_t spki);
-void gnutls_x509_spki_set_salt_size(gnutls_x509_spki_t spki,
- unsigned int salt_size);
+
+int gnutls_x509_spki_get_rsa_pss_params(gnutls_x509_spki_t spki,
+ gnutls_digest_algorithm_t *dig, unsigned int *salt_size);
+
+void gnutls_x509_spki_set_rsa_pss_params(gnutls_x509_spki_t spki,
+ gnutls_digest_algorithm_t dig, unsigned int salt_size);
 int gnutls_x509_crt_get_pk_algorithm(gnutls_x509_crt_t cert,
 unsigned int *bits);
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index 250929bb86..5e1ea798a8 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -1150,12 +1150,8 @@ GNUTLS_3_4
 gnutls_encode_rs_value;
 gnutls_x509_spki_init;
 gnutls_x509_spki_deinit;
- gnutls_x509_spki_get_pk_algorithm;
- gnutls_x509_spki_set_pk_algorithm;
- gnutls_x509_spki_get_digest_algorithm;
- gnutls_x509_spki_set_digest_algorithm;
- gnutls_x509_spki_get_salt_size;
- gnutls_x509_spki_set_salt_size;
+ gnutls_x509_spki_get_rsa_pss_params;
+ gnutls_x509_spki_set_rsa_pss_params;
 gnutls_x509_crt_get_spki;
 gnutls_x509_crt_set_spki;
 gnutls_x509_crq_get_spki;
diff --git a/lib/x509/spki.c b/lib/x509/spki.c
index ea4814a448..7b7787f149 100644
--- a/lib/x509/spki.c
+++ b/lib/x509/spki.c
@@ -74,119 +74,57 @@ gnutls_x509_spki_deinit(gnutls_x509_spki_t spki)
 }
 /**
- * gnutls_x509_spki_set_pk_algorithm:
- * @spki: the SubjectPublicKeyInfo structure
- * @pk: the public key algorithm of type #gnutls_pk_algorithm_t
- *
- * This function will set the public key algorithm of a
- * SubjectPublicKeyInfo structure.
- *
- * Since: 3.6.0
- *
- **/
-void
-gnutls_x509_spki_set_pk_algorithm(gnutls_x509_spki_t spki,
- gnutls_pk_algorithm_t pk)
-{
- spki->pk = pk;
-}
-
-/**
- * gnutls_x509_spki_get_pk_algorithm:
- * @spki: the SubjectPublicKeyInfo structure
- *
- * This function will get the public key algorithm of a
- * SubjectPublicKeyInfo structure.
- *
- * Returns: a member of the #gnutls_pk_algorithm_t enumeration on
- * success, or %GNUTLS_PK_UNKNOWN on error.
- *
- * Since: 3.6.0
- *
- **/
-int
-gnutls_x509_spki_get_pk_algorithm(gnutls_x509_spki_t spki)
-{
- return spki->pk;
-}
-
-/**
- * gnutls_x509_spki_set_digest_algorithm:
+ * gnutls_x509_spki_set_rsa_pss_params:
 * @spki: the SubjectPublicKeyInfo structure
 * @dig: a digest algorithm of type #gnutls_digest_algorithm_t
+ * @salt_size: the size of salt string
 *
- * This function will set the digest algorithm of a
- * SubjectPublicKeyInfo structure. This is relevant for
- * RSA-PSS signatures which store the digest algorithm
- * in the SubjectPublicKeyInfo.
+ * This function will set the public key parameters for
+ * an RSA-PSS algorithm, in the SubjectPublicKeyInfo structure.
*
 * Since: 3.6.0
 *
 **/
 void
-gnutls_x509_spki_set_digest_algorithm(gnutls_x509_spki_t spki,
- gnutls_digest_algorithm_t dig)
+gnutls_x509_spki_set_rsa_pss_params(gnutls_x509_spki_t spki,
+ gnutls_digest_algorithm_t dig,
+ unsigned int salt_size)
 {
+ spki->pk = GNUTLS_PK_RSA_PSS;
 spki->rsa_pss_dig = dig;
+ spki->salt_size = salt_size;
 }
 /**
- * gnutls_x509_spki_get_digest_algorithm:
+ * gnutls_x509_spki_get_rsa_pss_params:
 * @spki: the SubjectPublicKeyInfo structure
+ * @dig: if non-NULL, it will hold the digest algorithm
+ * @salt_size: if non-NULL, it will hold the salt size
 *
- * This function will get the digest algorithm of a
- * SubjectPublicKeyInfo structure. This is relevant for
- * RSA-PSS signatures which store the digest algorithm
- * in the SubjectPublicKeyInfo.
+ * This function will get the public key algorithm parameters
+ * of RSA-PSS type.
 *
- * Returns: a member of the #gnutls_digest_algorithm_t enumeration on
- * success, or a %GNUTLS_DIG_UNKNOWN on error.
+ * Returns: zero if the parameters are present or a negative
+ * value on error.
 *
 * Since: 3.6.0
 *
 **/
 int
-gnutls_x509_spki_get_digest_algorithm(gnutls_x509_spki_t spki)
+gnutls_x509_spki_get_rsa_pss_params(gnutls_x509_spki_t spki,
+ gnutls_digest_algorithm_t *dig,
+ unsigned int *salt_size)
 {
- return spki->rsa_pss_dig;
-}
+ if (spki->pk == 0)
+ return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
-/**
- * gnutls_x509_spki_set_salt_size:
- * @spki: the SubjectPublicKeyInfo structure
- * @salt_size: the size of salt string
- *
- * This function will set the salt size parameter of a
- * SubjectPublicKeyInfo structure.
- *
- * The salt is used in the RSA-PSS signature scheme.
- *
- * Since: 3.6.0
- *
- **/
-void
-gnutls_x509_spki_set_salt_size(gnutls_x509_spki_t spki,
- unsigned int salt_size)
-{
- spki->salt_size = salt_size;
-}
+ if (spki->pk != GNUTLS_PK_RSA_PSS)
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
-/**
- * gnutls_x509_spki_get_salt_size:
- * @spki: the SubjectPublicKeyInfo structure
- *
- * This function will get the salt size parameter of a
- * SubjectPublicKeyInfo structure.
- *
- * The salt is used in the RSA-PSS signature scheme.
- *
- * Returns: salt size as a positive integer, or zero.
- *
- * Since: 3.6.0
- *
- **/
-int
-gnutls_x509_spki_get_salt_size(gnutls_x509_spki_t spki)
-{
- return spki->salt_size;
+ if (dig)
+ *dig = spki->rsa_pss_dig;
+ if (salt_size)
+ *salt_size = spki->salt_size;
+
+ return 0;
 }
diff --git a/src/certtool-common.c b/src/certtool-common.c
index 378d644eb2..6a7d983fd7 100644
--- a/src/certtool-common.c
+++ b/src/certtool-common.c
@@ -1139,6 +1139,9 @@ static void privkey_info_int(FILE *outfile, common_info_st * cinfo,
 fprintf(outfile, "%s\n", cprint ? cprint : "Unknown");
 if (key_type == GNUTLS_PK_RSA_PSS) {
+ gnutls_digest_algorithm_t dig;
+ unsigned int salt_size;
+
 ret = gnutls_x509_privkey_get_spki(key, spki, 0);
 if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
 goto spki_skip;
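Review bot: The unset check in gnutls_x509_spki_get_rsa_pss_params compares `spki->pk` against a bare `0`; the enumeration already names that value, so `if (spki->pk == GNUTLS_PK_UNKNOWN)` says what is being tested and does not depend on the numbering. The "Returns:" paragraph should also name the two failure codes the body actually produces: `%GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE` when no parameters have been set and `%GNUTLS_E_INVALID_REQUEST` when the structure describes a key type other than RSA-PSS. On the setter, the docstring should state that it also forces the public key algorithm to RSA-PSS, replacing whatever `spki->pk` held before, and that neither `dig` nor `salt_size` is validated — a `%GNUTLS_DIG_UNKNOWN` digest or a zero salt is stored as given and subsequently reported as present by the getter.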
@@ -1148,21 +1151,15 @@ static void privkey_info_int(FILE *outfile, common_info_st * cinfo,
 goto spki_skip;
 }
- ret = gnutls_x509_spki_get_digest_algorithm(spki);
+ ret = gnutls_x509_spki_get_rsa_pss_params(spki, &dig, &salt_size);
 if (ret < 0) {
- fprintf(stderr, "spki_get_digest_algorithm: %s\n",
+ fprintf(stderr, "spki_get_rsa_pss_params: %s\n",
 gnutls_strerror(ret));
 } else {
 fprintf(outfile, "\t\tHash Algorithm: %s\n",
- gnutls_digest_get_name(ret));
+ gnutls_digest_get_name(dig));
+ fprintf(outfile, "\t\tSalt Length: %d\n", salt_size);
 }
-
- ret = gnutls_x509_spki_get_salt_size(spki);
- if (ret < 0) {
- fprintf(stderr, "spki_get_salt_size: %s\n",
- gnutls_strerror(ret));
- } else
- fprintf(outfile, "\t\tSalt Length: %d\n", ret);
 }
 spki_skip:
diff --git a/src/certtool.c b/src/certtool.c
index ffd51e76cd..7afbb8297e 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -197,10 +197,6 @@ generate_private_key_int(common_info_st * cinfo)
 app_exit(1);
 }
- if (HAVE_OPT(SALT_SIZE)) {
- gnutls_x509_spki_set_salt_size(spki, OPT_VALUE_SALT_SIZE);
- }
-
 if (cinfo->seed_size > 0) {
 kdata[kdata_size].type = GNUTLS_KEYGEN_SEED;
 kdata[kdata_size].data = (void*)cinfo->seed;
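Review bot: `fprintf(outfile, "\t\tSalt Length: %d\n", salt_size);` prints an `unsigned int` (declared as such in the preceding hunk) through `%d`; the specifier should be `%u` so it matches the argument type and `-Wformat` has nothing to report. The old code at this spot printed the `int` return of the removed getter, which is how `%d` survived the rewrite. The enclosing privkey_info_int begins before and continues after this hunk.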
@@ -219,13 +215,21 @@ generate_private_key_int(common_info_st * cinfo)
 flags |= GNUTLS_PRIVKEY_FLAG_PROVABLE;
 }
- if (default_dig) {
- gnutls_x509_spki_set_digest_algorithm(spki, default_dig);
+ if (key_type == GNUTLS_PK_RSA_PSS && (default_dig || HAVE_OPT(SALT_SIZE))) {
+ unsigned salt_size;
- }
+ if (!default_dig) {
+ fprintf(stderr, "You must provide the hash algorithm and optionally the salt size for RSA-PSS\n");
+ app_exit(1);
+ }
+
+ if (HAVE_OPT(SALT_SIZE)) {
+ salt_size = OPT_VALUE_SALT_SIZE;
+ } else {
+ salt_size = gnutls_hash_get_len(default_dig);
+ }
- if (default_dig || HAVE_OPT(SALT_SIZE)) {
- gnutls_x509_spki_set_pk_algorithm(spki, key_type);
+ gnutls_x509_spki_set_rsa_pss_params(spki, default_dig, salt_size);
 kdata[kdata_size].type = GNUTLS_KEYGEN_SPKI;
 kdata[kdata_size].data = (void*)spki;
-- 
cgit v1.2.1
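Review bot: `salt_size = OPT_VALUE_SALT_SIZE;` copies the command-line value into an `unsigned` with no range check, and gnutls_x509_spki_set_rsa_pss_params (earlier in this patch) does not validate its `salt_size` either; if the option value is a signed type, a negative salt size would wrap to a very large length before it reaches the library. A guard ahead of the assignment, such as `if (OPT_VALUE_SALT_SIZE < 0) { fprintf(stderr, "invalid salt size\n"); app_exit(1); }` (adjusted to the option's actual type), rejects it where a meaningful message can be printed. Separately, a salt size supplied for a key type other than RSA-PSS is now silently dropped because the whole block is gated on `key_type == GNUTLS_PK_RSA_PSS`, so a diagnostic in that case would help users notice the ignored option. generate_private_key_int starts before and continues after this hunk.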