certtool: allow specifying seed size when generating provable DH parameters
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Thu, 28 Apr 2016 14:34:29 +0000 (16:34 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Thu, 28 Apr 2016 15:02:19 +0000 (17:02 +0200)
src/certtool-common.c
src/certtool-common.h
src/certtool.c

index dab6c59f998e78b49c07ec33259a01eec031bee8..97ec3523c37c5d19d3cf485cc7a090478223460f 100644 (file)
@@ -1296,7 +1296,34 @@ int generate_prime(FILE * outfile, int how, common_info_st * info)
                                exit(1);
                        }
 
-                       ret = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_DSA, bits, GNUTLS_PRIVKEY_FLAG_PROVABLE);
+                       if (info->seed_size > 0) {
+                               gnutls_keygen_data_st data;
+                               gnutls_datum_t hexseed, seed;
+
+                               hexseed.data = (void*)info->seed;
+                               hexseed.size = info->seed_size;
+
+                               ret = gnutls_hex_decode2(&hexseed, &seed);
+                               if (ret < 0) {
+                                       fprintf(stderr, "Could not hex decode data: %s\n", gnutls_strerror(ret));
+                                       exit(1);
+                               }
+
+                               if (seed.size < 32) {
+                                       fprintf(stderr, "For DH parameter generation a 32-byte seed value or larger is expected (have: %d); use -d 2 for more information.\n", (int)seed.size);
+                                       exit(1);
+                               }
+
+                               data.type = GNUTLS_KEYGEN_SEED;
+                               data.data = seed.data;
+                               data.size = seed.size;
+
+                               ret = gnutls_x509_privkey_generate2(pkey, GNUTLS_PK_DSA, bits, GNUTLS_PRIVKEY_FLAG_PROVABLE, &data, 1);
+                               gnutls_free(seed.data);
+                       } else {
+                               ret = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_DSA, bits, GNUTLS_PRIVKEY_FLAG_PROVABLE);
+                       }
+
                        if (ret < 0) {
                                fprintf(stderr,
                                        "Error generating DSA parameters: %s\n",
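Review bot: The 32-byte minimum in `if (seed.size < 32)` is an unexplained literal, and it is enforced differently from the sibling check in generate_private_key_int (src/certtool.c), which expects exactly 65 bytes for GNUTLS_PK_DSA and only prints a warning before continuing. This path also calls gnutls_x509_privkey_generate2 with GNUTLS_PK_DSA, so a comment naming the source of the bound would show whether the two are meant to differ, e.g. `/* minimum seed length accepted for provable DH parameters; see <reference> */`. The hex-decode and `data` setup sequence is duplicated in both files; a shared helper that takes the common_info_st and returns the decoded gnutls_datum_t would keep the two paths from drifting. generate_prime's body starts and ends outside the hunk.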
index 8bd5355bce5da817279f492cdae73482f47626c0..9b4aad9e8f57041225f70b660d23b3c1b4ba5837 100644 (file)
@@ -57,6 +57,9 @@ typedef struct common_info {
        /* for key generation */
        unsigned provable;
 
+       const char *seed;
+       unsigned seed_size;
+
        const char *pin;
        const char *so_pin;
 
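Review bot: `seed_size` holds the length of the hex string, not the decoded seed, so the name reads as a byte count that it is not. cmd_parser fills it with `strlen(OPT_ARG(SEED))` and both consumers hand it to gnutls_hex_decode2 as `hexseed.size`. A comment on the two fields would stop a later caller from comparing it against seed-length limits directly: `/* hex-encoded seed as given with --seed, and the length of that string (not the decoded size) */`. The struct definition continues outside the hunk.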
index db8e626164901103c080a05fc24677778c44bd82..4ac8a1a983b7d1ebccf4f4bf34ca92a1add3046f 100644 (file)
@@ -155,27 +155,30 @@ generate_private_key_int(common_info_st * cinfo)
                }
        }
 
-       if (HAVE_OPT(SEED)) {
+       if (cinfo->seed_size > 0) {
                gnutls_keygen_data_st data;
-               unsigned char seed[256];
-               size_t seed_size = sizeof(seed);
-               ret = gnutls_hex2bin(OPT_ARG(SEED), strlen(OPT_ARG(SEED)), seed, &seed_size);
+               gnutls_datum_t hexseed, seed;
+
+               hexseed.data = (void*)cinfo->seed;
+               hexseed.size = cinfo->seed_size;
+
+               ret = gnutls_hex_decode2(&hexseed, &seed);
                if (ret < 0) {
                        fprintf(stderr, "Could not hex decode data: %s\n", gnutls_strerror(ret));
                        exit(1);
                }
 
                data.type = GNUTLS_KEYGEN_SEED;
-               data.data = seed;
-               data.size = seed_size;
+               data.data = seed.data;
+               data.size = seed.size;
 
                if (key_type == GNUTLS_PK_RSA) {
-                       if ((bits == 3072 && seed_size != 32) || (bits == 2048 && seed_size != 28)) {
-                               fprintf(stderr, "The seed size (%d) doesn't match the size of the request security level; use -d 2 for more information.\n", (int)seed_size);
+                       if ((bits == 3072 && seed.size != 32) || (bits == 2048 && seed.size != 28)) {
+                               fprintf(stderr, "The seed size (%d) doesn't match the size of the request security level; use -d 2 for more information.\n", (int)seed.size);
                        }
                } else if (key_type == GNUTLS_PK_DSA) {
-                       if (seed_size != 65) {
-                               fprintf(stderr, "The seed size (%d) doesn't match the size of the request security level; use -d 2 for more information.\n", (int)seed_size);
+                       if (seed.size != 65) {
+                               fprintf(stderr, "The seed size (%d) doesn't match the size of the request security level; use -d 2 for more information.\n", (int)seed.size);
                        }
                }
 
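Review bot: `seed.data` is now heap memory returned by gnutls_hex_decode2, and nothing in this hunk releases it, whereas the generate_prime path in src/certtool-common.c calls `gnutls_free(seed.data)` right after generation. The rest of generate_private_key_int lies outside the hunk, so a free may already exist there; if it does not, the buffer leaks on every seeded key generation. Because this seed is passed as GNUTLS_KEYGEN_SEED into private-key generation, it should be treated as key material and wiped before release, e.g. `gnutls_memset(seed.data, 0, seed.size); gnutls_free(seed.data);` once the generate call has returned.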
@@ -1054,7 +1057,6 @@ static void cmd_parser(int argc, char **argv)
        } else
                outfile = stdout;
 
-
        if (HAVE_OPT(INFILE)) {
                struct stat st;
                if (stat(OPT_ARG(INFILE), &st) == 0) {
@@ -1168,6 +1170,11 @@ static void cmd_parser(int argc, char **argv)
        if (HAVE_OPT(VERBOSE))
                cinfo.verbose = 1;
 
+       if (HAVE_OPT(SEED)) {
+               cinfo.seed = OPT_ARG(SEED);
+               cinfo.seed_size = strlen(OPT_ARG(SEED));
+       }
+
        cinfo.batch = batch;
        cinfo.cprint = HAVE_OPT(CPRINT);