]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
Added gnutls_pubkey_verify_hash(), gnutls_pubkey_get_verify_algorithm().
authorNikos Mavrogiannopoulos <nmav@gnutls.org>
Sat, 22 May 2010 18:46:36 +0000 (20:46 +0200)
committerNikos Mavrogiannopoulos <nmav@gnutls.org>
Thu, 3 Jun 2010 17:52:30 +0000 (19:52 +0200)
NEWS
lib/gnutls_pubkey.c
lib/includes/gnutls/abstract.h
lib/libgnutls.map
lib/x509/common.h
lib/x509/verify.c
lib/x509/x509.c
lib/x509/x509_int.h

diff --git a/NEWS b/NEWS
index 060f9359faa2bb1eff48e6b7c3763334d0655789..f4fc00cbf4967a0f90fd033e84119bd0070bb563 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -88,6 +88,8 @@ gnutls_pubkey_get_pk_dsa_raw: ADDED
 gnutls_pubkey_export: ADDED
 gnutls_pubkey_get_key_id: ADDED
 gnutls_pubkey_get_key_usage: ADDED
+gnutls_pubkey_verify_hash: ADDED
+gnutls_pubkey_get_verify_algorithm: ADDED
 gnutls_pkcs11_type_get_name: ADDED
 gnutls_pubkey_import_pkcs11_url: ADDED
 gnutls_pubkey_import: ADDED
index 67dc916a6dff472da48b4a32ce0ad7facb993199..543a8d3443c8aeaa5c8c887758d88c0e144eabf0 100644 (file)
@@ -409,7 +409,7 @@ gnutls_pubkey_get_key_id(gnutls_pubkey_t key, unsigned int flags,
 
 /**
  * gnutls_pubkey_get_pk_rsa_raw:
- * @crt: Holds the certificate
+ * @key: Holds the certificate
  * @m: will hold the modulus
  * @e: will hold the public exponent
  *
@@ -453,7 +453,7 @@ gnutls_pubkey_get_pk_rsa_raw(gnutls_pubkey_t key,
 
 /**
  * gnutls_pubkey_get_pk_dsa_raw:
- * @crt: Holds the certificate
+ * @key: Holds the public key
  * @p: will hold the p
  * @q: will hold the q
  * @g: will hold the g
@@ -611,6 +611,17 @@ int gnutls_pubkey_import(gnutls_pubkey_t key,
        return result;
 }
 
+/**
+ * gnutls_x509_crt_set_pubkey:
+ * @crt: should contain a #gnutls_x509_crt_t structure
+ * @key: holds a public key
+ *
+ * This function will set the public parameters from the given public
+ * key to the request.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ *   negative error value.
+ **/
 int gnutls_x509_crt_set_pubkey(gnutls_x509_crt_t crt, gnutls_pubkey_t key)
 {
        int result;
@@ -637,6 +648,17 @@ int gnutls_x509_crt_set_pubkey(gnutls_x509_crt_t crt, gnutls_pubkey_t key)
        return 0;
 }
 
+/**
+ * gnutls_x509_crq_set_pubkey:
+ * @crq: should contain a #gnutls_x509_crq_t structure
+ * @key: holds a public key
+ *
+ * This function will set the public parameters from the given public
+ * key to the request.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ *   negative error value.
+ **/
 int gnutls_x509_crq_set_pubkey(gnutls_x509_crq_t crq, gnutls_pubkey_t key)
 {
        int result;
@@ -818,3 +840,65 @@ gnutls_pubkey_import_dsa_raw(gnutls_pubkey_t key,
        return 0;
 
 }
+
+/**
+ * gnutls_pubkey_verify_hash:
+ * @key: Holds the certificate
+ * @flags: should be 0 for now
+ * @hash: holds the hash digest to be verified
+ * @signature: contains the signature
+ *
+ * This function will verify the given signed digest, using the
+ * parameters from the certificate.
+ *
+ * Returns: In case of a verification failure 0 is returned, and 1 on
+ * success.
+ **/
+int
+gnutls_pubkey_verify_hash (gnutls_pubkey_t key, unsigned int flags,
+                            const gnutls_datum_t * hash,
+                            const gnutls_datum_t * signature)
+{
+  int ret;
+
+  if (key == NULL)
+    {
+      gnutls_assert ();
+      return GNUTLS_E_INVALID_REQUEST;
+    }
+
+   ret =
+    pubkey_verify_sig (NULL, hash, signature, key->pk_algorithm,
+               key->params, key->params_size);
+
+  return ret;
+}
+
+/**
+ * gnutls_pubkey_get_verify_algorithm:
+ * @key: Holds the certificate
+ * @signature: contains the signature
+ * @hash: The result of the call with the hash algorithm used for signature
+ *
+ * This function will read the certifcate and the signed data to
+ * determine the hash algorithm used to generate the signature.
+ *
+ * Returns: the 0 if the hash algorithm is found. A negative value is
+ * returned on error.
+ **/
+int
+gnutls_pubkey_get_verify_algorithm (gnutls_pubkey_t key,
+                                     const gnutls_datum_t * signature,
+                                     gnutls_digest_algorithm_t * hash)
+{
+  if (key == NULL)
+    {
+      gnutls_assert ();
+      return GNUTLS_E_INVALID_REQUEST;
+    }
+
+  return _gnutls_x509_verify_algorithm ((gnutls_mac_algorithm_t *) hash,
+                       signature, key->pk_algorithm, key->params,
+                       key->params_size);
+
+}
index a02e9c475ffdef0486d9f370ff6ed87dfc60eff4..5e148906728aade640066108e81cc6643b25cd3e 100644 (file)
@@ -61,6 +61,14 @@ int gnutls_x509_crt_set_pubkey (gnutls_x509_crt_t crt,
 int gnutls_x509_crq_set_pubkey (gnutls_x509_crq_t crq,
                               gnutls_pubkey_t key);
 
+int
+gnutls_pubkey_verify_hash (gnutls_pubkey_t key, unsigned int flags,
+                            const gnutls_datum_t * hash,
+                            const gnutls_datum_t * signature);
+int
+gnutls_pubkey_get_verify_algorithm (gnutls_pubkey_t key,
+                                     const gnutls_datum_t * signature,
+                                     gnutls_digest_algorithm_t * hash);
 
 /* Private key operations */
 
index de2533cbac0a3db45a2628decccf7aea66870c60..256d01664c14860801873263bfa6762f0ce0f5ed 100644 (file)
@@ -663,6 +663,8 @@ GNUTLS_2_11
        gnutls_pubkey_import_dsa_raw;
        gnutls_pubkey_import_rsa_raw;
        gnutls_pubkey_import_pkcs11_url;
+       gnutls_pubkey_get_verify_algorithm;
+       gnutls_pubkey_verify_hash;
        gnutls_pkcs11_obj_export;
        gnutls_pubkey_import;
        gnutls_x509_crt_set_pubkey;
index aba51b99c2a651772334612776e4df171d1f1a46..960906a1626badcba023ab4d128db199b28379ea 100644 (file)
@@ -139,4 +139,10 @@ int _gnutls_get_key_id (gnutls_pk_algorithm_t pk, bigint_t* params, int params_s
 
 void _asnstr_append_name(char* name, size_t name_size, const char* part1, const char* part2);
 
+int pubkey_verify_sig (const gnutls_datum_t * tbs,
+           const gnutls_datum_t * hash,
+           const gnutls_datum_t * signature,
+           gnutls_pk_algorithm_t pk, bigint_t * issuer_params,
+           int issuer_params_size);
+
 #endif
index 4eaa6a2932fd63782308a8aed80ac2af938ca477..b243d886f7f4f5ea2508531176b6ac6516408397 100644 (file)
@@ -823,8 +823,8 @@ dsa_verify_sig (const gnutls_datum_t * text,
 /* Verifies the signature data, and returns 0 if not verified,
  * or 1 otherwise.
  */
-static int
-verify_sig (const gnutls_datum_t * tbs,
+int
+pubkey_verify_sig (const gnutls_datum_t * tbs,
            const gnutls_datum_t * hash,
            const gnutls_datum_t * signature,
            gnutls_pk_algorithm_t pk, bigint_t * issuer_params,
@@ -878,26 +878,15 @@ gnutls_digest_algorithm_t _gnutls_dsa_q_to_hash(bigint_t q)
 int
 _gnutls_x509_verify_algorithm (gnutls_mac_algorithm_t * hash,
                               const gnutls_datum_t * signature,
-                              const gnutls_x509_crt_t issuer)
+                              gnutls_pk_algorithm pk,
+                              bigint_t* issuer_params, unsigned int issuer_params_size)
 {
-  bigint_t issuer_params[MAX_PUBLIC_PARAMS_SIZE];
   opaque digest[MAX_HASH_SIZE];
   gnutls_datum_t decrypted;
-  int issuer_params_size;
   int digest_size;
-  int ret, i;
-
-  issuer_params_size = MAX_PUBLIC_PARAMS_SIZE;
-  ret =
-    _gnutls_x509_crt_get_mpis (issuer, issuer_params,
-                                  &issuer_params_size);
-  if (ret < 0)
-    {
-      gnutls_assert ();
-      return ret;
-    }
+  int ret;
 
-  switch (gnutls_x509_crt_get_pk_algorithm (issuer, NULL))
+  switch(pk)
     {
     case GNUTLS_PK_DSA:
       
@@ -908,7 +897,6 @@ _gnutls_x509_verify_algorithm (gnutls_mac_algorithm_t * hash,
       break;
 
     case GNUTLS_PK_RSA:
-
       ret =
        _gnutls_pkcs1_rsa_decrypt (&decrypted, signature,
                                   issuer_params, issuer_params_size, 1);
@@ -984,7 +972,7 @@ _gnutls_x509_verify_signature (const gnutls_datum_t * tbs,
     }
 
   ret =
-    verify_sig (tbs, hash, signature,
+    pubkey_verify_sig (tbs, hash, signature,
                gnutls_x509_crt_get_pk_algorithm (issuer, NULL),
                issuer_params, issuer_params_size);
   if (ret < 0)
@@ -1015,7 +1003,7 @@ _gnutls_x509_privkey_verify_signature (const gnutls_datum_t * tbs,
 {
   int ret;
 
-  ret = verify_sig (tbs, NULL, signature, issuer->pk_algorithm,
+  ret = pubkey_verify_sig (tbs, NULL, signature, issuer->pk_algorithm,
                    issuer->params, issuer->params_size);
   if (ret < 0)
     {
index c2914f5ade6960ea73c2771a023a667aa950b48d..17bd34a1e7758c1a144b7248c9549120bbabc889 100644 (file)
@@ -2499,14 +2499,37 @@ gnutls_x509_crt_get_verify_algorithm (gnutls_x509_crt_t crt,
                                      const gnutls_datum_t * signature,
                                      gnutls_digest_algorithm_t * hash)
 {
+  bigint_t issuer_params[MAX_PUBLIC_PARAMS_SIZE];
+  int issuer_params_size;
+  int ret, i;
+
   if (crt == NULL)
     {
       gnutls_assert ();
       return GNUTLS_E_INVALID_REQUEST;
     }
 
-  return _gnutls_x509_verify_algorithm ((gnutls_mac_algorithm_t *) hash,
-                                       signature, crt);
+  issuer_params_size = MAX_PUBLIC_PARAMS_SIZE;
+  ret =
+       _gnutls_x509_crt_get_mpis (crt, issuer_params,
+                                  &issuer_params_size);
+  if (ret < 0)
+    {
+      gnutls_assert ();
+      return ret;
+    }
+
+  ret = _gnutls_x509_verify_algorithm ((gnutls_mac_algorithm_t *) hash,
+                       signature, gnutls_x509_crt_get_pk_algorithm (crt, NULL),
+                       issuer_params, issuer_params_size);
+
+  /* release allocated mpis */
+  for (i = 0; i < issuer_params_size; i++)
+    {
+      _gnutls_mpi_release (&issuer_params[i]);
+    }
+
+  return ret;
 }
 
 /**
@@ -2519,6 +2542,9 @@ gnutls_x509_crt_get_verify_algorithm (gnutls_x509_crt_t crt,
  * This function will verify the given signed data, using the
  * parameters from the certificate.
  *
+ * Note: Use gnutls_x509_crt_verify_hash() instead. This function
+ * does not do the implied hashing of the data.
+ *
  * Returns: In case of a verification failure 0 is returned, and 1 on
  * success.
  **/
index 0ad3f6b284c0f7f7d0d1d02112f33f82c854163a..6d6a91411e3d0f644558d99338c035cf98abc86a 100644 (file)
@@ -180,9 +180,13 @@ int _gnutls_parse_general_name (ASN1_TYPE src, const char *src_name,
 /* verify.c */
 int gnutls_x509_crt_is_issuer (gnutls_x509_crt_t cert,
                               gnutls_x509_crt_t issuer);
-int _gnutls_x509_verify_algorithm (gnutls_mac_algorithm_t * hash,
-                                  const gnutls_datum_t * signature,
-                                  const gnutls_x509_crt_t crt);
+
+int
+_gnutls_x509_verify_algorithm (gnutls_mac_algorithm_t * hash,
+                              const gnutls_datum_t * signature,
+                              gnutls_pk_algorithm pk,
+                              bigint_t* issuer_params, unsigned int issuer_params_size);
+
 int _gnutls_x509_verify_signature (const gnutls_datum_t * tbs,
                                   const gnutls_datum_t * hash,
                                   const gnutls_datum_t * signature,