gnutls_x509_trust_list_get_issuer() to compensate for the
missing gnutls_certificate_get_x509_cas().
+** libgnutls: Added gnutls_x509_crq_verify() to allow
+verification of the self signature in a certificate request.
+This allows verifying whether the owner of the private key
+is the generator of the request.
+
+** libgnutls: gnutls_x509_crt_set_crq() implicitly verifies
+the self signature of the request.
+
** API and ABI modifications:
gnutls_certificate_get_issuer: ADDED
gnutls_x509_trust_list_get_issuer: ADDED
+gnutls_x509_crq_verify: ADDED
+
* Version 2.99.1 (released 2011-04-23)
gnutls_certificate_print_formats_t format,
gnutls_datum_t * out);
+ int gnutls_x509_crq_verify (gnutls_x509_crq_t crq, unsigned int flags);
+
int gnutls_x509_crq_init (gnutls_x509_crq_t * crq);
void gnutls_x509_crq_deinit (gnutls_x509_crq_t crq);
int gnutls_x509_crq_import (gnutls_x509_crq_t crq,
gnutls_openpgp_crt_verify_hash;
gnutls_pubkey_import_privkey;
gnutls_pubkey_verify_data;
+ gnutls_certificate_get_issuer;
+ gnutls_x509_crq_verify;
} GNUTLS_2_10;
GNUTLS_3_0_0 {
gnutls_pubkey_get_openpgp_key_id;
gnutls_certificate_set_retrieve_function2;
gnutls_x509_trust_list_get_issuer;
- gnutls_certificate_get_issuer;
} GNUTLS_2_12;
GNUTLS_PRIVATE {
}
+/**
+ * gnutls_x509_crq_verify:
+ * @crq: is the crq to be verified
+ * @flags: Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations.
+ *
+ * This function will verify self signature in the certificate
+ * request and return its status.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, %GNUTLS_E_PK_SIG_VERIFY_FAILED
+ * if verification failed, otherwise a negative error value.
+ **/
+int
+gnutls_x509_crq_verify (gnutls_x509_crq_t crq,
+ unsigned int flags)
+{
+gnutls_datum data = { NULL, 0 };
+gnutls_datum signature = { NULL, 0 };
+bigint_t params[MAX_PUBLIC_PARAMS_SIZE];
+int ret, params_size = 0, i;
+
+ ret =
+ _gnutls_x509_get_signed_data (crq->crq, "certificationRequestInfo", &data);
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ return ret;
+ }
+
+ ret = _gnutls_x509_get_signature (crq->crq, "signature", &signature);
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ goto cleanup;
+ }
+
+ params_size = MAX_PUBLIC_PARAMS_SIZE;
+ ret =
+ _gnutls_x509_crq_get_mpis(crq, params, ¶ms_size);
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ goto cleanup;
+ }
+
+ ret = pubkey_verify_sig(&data, NULL, &signature,
+ gnutls_x509_crq_get_pk_algorithm (crq, NULL),
+ params, params_size);
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ goto cleanup;
+ }
+
+ ret = 0;
+
+cleanup:
+ _gnutls_free_datum (&data);
+ _gnutls_free_datum (&signature);
+
+ for (i = 0; i < params_size; i++)
+ {
+ _gnutls_mpi_release (¶ms[i]);
+ }
+
+ return ret;
+}
#endif /* ENABLE_PKI */
+
return GNUTLS_E_INVALID_REQUEST;
}
+ result = gnutls_x509_crq_verify(crq, 0);
+ if (result < 0)
+ return gnutls_assert_val(result);
+
result = asn1_copy_node (crt->cert, "tbsCertificate.subject",
crq->crq, "certificationRequestInfo.subject");
if (result != ASN1_SUCCESS)
}
ret = gnutls_x509_crq_privkey_sign (crq, abs_pkey, GNUTLS_DIG_SHA1, 0);
- if (ret)
+ if (ret < 0)
{
fail ("gnutls_x509_crq_sign: %d\n", ret);
}
+ ret = gnutls_x509_crq_verify (crq, 0);
+ if (ret < 0)
+ {
+ fail ("gnutls_x509_crq_verify: %d\n", ret);
+ }
+
crq_key_id_len = 0;
ret = gnutls_x509_crq_get_key_id (crq, 0, crq_key_id, &crq_key_id_len);
if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)