From: Aki Tuomi Date: Mon, 23 Jan 2017 12:56:27 +0000 (+0200) Subject: lib-dcrypt: Add signature API X-Git-Tag: 2.3.8~46 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5d17528eb5d0ea897105aa9340c3ea03fa440636;p=thirdparty%2Fdovecot%2Fcore.git lib-dcrypt: Add signature API --- diff --git a/src/lib-dcrypt/dcrypt-private.h b/src/lib-dcrypt/dcrypt-private.h index f036dd2dc1..bf3a5f192d 100644 --- a/src/lib-dcrypt/dcrypt-private.h +++ b/src/lib-dcrypt/dcrypt-private.h @@ -181,6 +181,14 @@ struct dcrypt_vfs { enum dcrypt_key_usage usage); void (*key_set_usage_private)(struct dcrypt_private_key *key, enum dcrypt_key_usage usage); + bool (*sign)(struct dcrypt_private_key *key, const char *algorithm, + const void *data, size_t data_len, buffer_t *signature_r, + enum dcrypt_padding padding, const char **error_r); + bool (*verify)(struct dcrypt_public_key *key, const char *algorithm, + const void *data, size_t data_len, + const unsigned char *signature, size_t signature_len, + bool *valid_r, enum dcrypt_padding padding, + const char **error_r); }; void dcrypt_set_vfs(struct dcrypt_vfs *vfs); diff --git a/src/lib-dcrypt/dcrypt.c b/src/lib-dcrypt/dcrypt.c index 9c5922d16c..0d8dbf53ef 100644 --- a/src/lib-dcrypt/dcrypt.c +++ b/src/lib-dcrypt/dcrypt.c @@ -570,6 +570,39 @@ void dcrypt_key_set_usage_private(struct dcrypt_private_key *key, dcrypt_vfs->key_set_usage_private(key, usage); } +bool dcrypt_sign(struct dcrypt_private_key *key, const char *algorithm, + const void *data, size_t data_len, buffer_t *signature_r, + enum dcrypt_padding padding, const char **error_r) +{ + i_assert(dcrypt_vfs != NULL); + + if (dcrypt_vfs->sign == NULL) { + *error_r = "Not implemented"; + return FALSE; + } + + return dcrypt_vfs->sign(key, algorithm, data, data_len, + signature_r, padding, error_r); +} + +bool dcrypt_verify(struct dcrypt_public_key *key, const char *algorithm, + const void *data, size_t data_len, + const unsigned char *signature, size_t signature_len, + bool *valid_r, enum dcrypt_padding padding, + const char **error_r) +{ + i_assert(dcrypt_vfs != NULL); + + if (dcrypt_vfs->verify == NULL) { + *error_r = "Not implemented"; + return FALSE; + } + + return dcrypt_vfs->verify(key, algorithm, data, data_len, + signature, signature_len, + valid_r, padding, error_r); +} + int parse_jwk_key(const char *key_data, struct json_tree **tree_r, const char **error_r) { diff --git a/src/lib-dcrypt/dcrypt.h b/src/lib-dcrypt/dcrypt.h index ba1fb8e54d..dbb6bef943 100644 --- a/src/lib-dcrypt/dcrypt.h +++ b/src/lib-dcrypt/dcrypt.h @@ -57,6 +57,19 @@ enum dcrypt_key_usage { DCRYPT_KEY_USAGE_SIGN, }; +/* this parameter makes sense with RSA only + default for RSA means either PSS (sign/verify) + or OAEP (encrypt/decrypt). + for ECDSA default can be used. +*/ +enum dcrypt_padding { + DCRYPT_PADDING_DEFAULT, + DCRYPT_PADDING_RSA_PKCS1_PSS, + DCRYPT_PADDING_RSA_PKCS1_OAEP, + DCRYPT_PADDING_RSA_PKCS1, /* for compatibility use only */ + DCRYPT_PADDING_RSA_NO, +}; + struct dcrypt_settings { /* OpenSSL engine to use */ const char *crypto_device; @@ -206,6 +219,25 @@ bool dcrypt_ecdh_derive_secret_peer(struct dcrypt_public_key *peer_key, buffer_t *R, buffer_t *S, const char **error_r); +/** Signature functions + algorithm is name of digest algorithm to use, such as SHA256. + + both RSA and EC keys are supported. +*/ + +/* returns false on error, true on success */ +bool dcrypt_sign(struct dcrypt_private_key *key, const char *algorithm, + const void *data, size_t data_len, buffer_t *signature_r, + enum dcrypt_padding padding, const char **error_r); + +/* check valid_r for signature validity + false return means it wasn't able to verify it for other reasons */ +bool dcrypt_verify(struct dcrypt_public_key *key, const char *algorithm, + const void *data, size_t data_len, + const unsigned char *signature, size_t signature_len, + bool *valid_r, enum dcrypt_padding padding, + const char **error_r); + /** * generate cryptographic data from password and salt. Use 1000-10000 for rounds. */