gnutls_pubkey_export: ADDED
gnutls_pubkey_get_key_id: ADDED
gnutls_pubkey_get_key_usage: ADDED
+gnutls_pubkey_verify_hash: ADDED
+gnutls_pubkey_get_verify_algorithm: ADDED
gnutls_pkcs11_type_get_name: ADDED
gnutls_pubkey_import_pkcs11_url: ADDED
gnutls_pubkey_import: ADDED
/**
* gnutls_pubkey_get_pk_rsa_raw:
- * @crt: Holds the certificate
+ * @key: Holds the certificate
* @m: will hold the modulus
* @e: will hold the public exponent
*
/**
* gnutls_pubkey_get_pk_dsa_raw:
- * @crt: Holds the certificate
+ * @key: Holds the public key
* @p: will hold the p
* @q: will hold the q
* @g: will hold the g
return result;
}
+/**
+ * gnutls_x509_crt_set_pubkey:
+ * @crt: should contain a #gnutls_x509_crt_t structure
+ * @key: holds a public key
+ *
+ * This function will set the public parameters from the given public
+ * key to the request.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
+ **/
int gnutls_x509_crt_set_pubkey(gnutls_x509_crt_t crt, gnutls_pubkey_t key)
{
int result;
return 0;
}
+/**
+ * gnutls_x509_crq_set_pubkey:
+ * @crq: should contain a #gnutls_x509_crq_t structure
+ * @key: holds a public key
+ *
+ * This function will set the public parameters from the given public
+ * key to the request.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
+ **/
int gnutls_x509_crq_set_pubkey(gnutls_x509_crq_t crq, gnutls_pubkey_t key)
{
int result;
return 0;
}
+
+/**
+ * gnutls_pubkey_verify_hash:
+ * @key: Holds the certificate
+ * @flags: should be 0 for now
+ * @hash: holds the hash digest to be verified
+ * @signature: contains the signature
+ *
+ * This function will verify the given signed digest, using the
+ * parameters from the certificate.
+ *
+ * Returns: In case of a verification failure 0 is returned, and 1 on
+ * success.
+ **/
+int
+gnutls_pubkey_verify_hash (gnutls_pubkey_t key, unsigned int flags,
+ const gnutls_datum_t * hash,
+ const gnutls_datum_t * signature)
+{
+ int ret;
+
+ if (key == NULL)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+ ret =
+ pubkey_verify_sig (NULL, hash, signature, key->pk_algorithm,
+ key->params, key->params_size);
+
+ return ret;
+}
+
+/**
+ * gnutls_pubkey_get_verify_algorithm:
+ * @key: Holds the certificate
+ * @signature: contains the signature
+ * @hash: The result of the call with the hash algorithm used for signature
+ *
+ * This function will read the certifcate and the signed data to
+ * determine the hash algorithm used to generate the signature.
+ *
+ * Returns: the 0 if the hash algorithm is found. A negative value is
+ * returned on error.
+ **/
+int
+gnutls_pubkey_get_verify_algorithm (gnutls_pubkey_t key,
+ const gnutls_datum_t * signature,
+ gnutls_digest_algorithm_t * hash)
+{
+ if (key == NULL)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+ return _gnutls_x509_verify_algorithm ((gnutls_mac_algorithm_t *) hash,
+ signature, key->pk_algorithm, key->params,
+ key->params_size);
+
+}
int gnutls_x509_crq_set_pubkey (gnutls_x509_crq_t crq,
gnutls_pubkey_t key);
+int
+gnutls_pubkey_verify_hash (gnutls_pubkey_t key, unsigned int flags,
+ const gnutls_datum_t * hash,
+ const gnutls_datum_t * signature);
+int
+gnutls_pubkey_get_verify_algorithm (gnutls_pubkey_t key,
+ const gnutls_datum_t * signature,
+ gnutls_digest_algorithm_t * hash);
/* Private key operations */
gnutls_pubkey_import_dsa_raw;
gnutls_pubkey_import_rsa_raw;
gnutls_pubkey_import_pkcs11_url;
+ gnutls_pubkey_get_verify_algorithm;
+ gnutls_pubkey_verify_hash;
gnutls_pkcs11_obj_export;
gnutls_pubkey_import;
gnutls_x509_crt_set_pubkey;
void _asnstr_append_name(char* name, size_t name_size, const char* part1, const char* part2);
+int pubkey_verify_sig (const gnutls_datum_t * tbs,
+ const gnutls_datum_t * hash,
+ const gnutls_datum_t * signature,
+ gnutls_pk_algorithm_t pk, bigint_t * issuer_params,
+ int issuer_params_size);
+
#endif
/* Verifies the signature data, and returns 0 if not verified,
* or 1 otherwise.
*/
-static int
-verify_sig (const gnutls_datum_t * tbs,
+int
+pubkey_verify_sig (const gnutls_datum_t * tbs,
const gnutls_datum_t * hash,
const gnutls_datum_t * signature,
gnutls_pk_algorithm_t pk, bigint_t * issuer_params,
int
_gnutls_x509_verify_algorithm (gnutls_mac_algorithm_t * hash,
const gnutls_datum_t * signature,
- const gnutls_x509_crt_t issuer)
+ gnutls_pk_algorithm pk,
+ bigint_t* issuer_params, unsigned int issuer_params_size)
{
- bigint_t issuer_params[MAX_PUBLIC_PARAMS_SIZE];
opaque digest[MAX_HASH_SIZE];
gnutls_datum_t decrypted;
- int issuer_params_size;
int digest_size;
- int ret, i;
-
- issuer_params_size = MAX_PUBLIC_PARAMS_SIZE;
- ret =
- _gnutls_x509_crt_get_mpis (issuer, issuer_params,
- &issuer_params_size);
- if (ret < 0)
- {
- gnutls_assert ();
- return ret;
- }
+ int ret;
- switch (gnutls_x509_crt_get_pk_algorithm (issuer, NULL))
+ switch(pk)
{
case GNUTLS_PK_DSA:
break;
case GNUTLS_PK_RSA:
-
ret =
_gnutls_pkcs1_rsa_decrypt (&decrypted, signature,
issuer_params, issuer_params_size, 1);
}
ret =
- verify_sig (tbs, hash, signature,
+ pubkey_verify_sig (tbs, hash, signature,
gnutls_x509_crt_get_pk_algorithm (issuer, NULL),
issuer_params, issuer_params_size);
if (ret < 0)
{
int ret;
- ret = verify_sig (tbs, NULL, signature, issuer->pk_algorithm,
+ ret = pubkey_verify_sig (tbs, NULL, signature, issuer->pk_algorithm,
issuer->params, issuer->params_size);
if (ret < 0)
{
const gnutls_datum_t * signature,
gnutls_digest_algorithm_t * hash)
{
+ bigint_t issuer_params[MAX_PUBLIC_PARAMS_SIZE];
+ int issuer_params_size;
+ int ret, i;
+
if (crt == NULL)
{
gnutls_assert ();
return GNUTLS_E_INVALID_REQUEST;
}
- return _gnutls_x509_verify_algorithm ((gnutls_mac_algorithm_t *) hash,
- signature, crt);
+ issuer_params_size = MAX_PUBLIC_PARAMS_SIZE;
+ ret =
+ _gnutls_x509_crt_get_mpis (crt, issuer_params,
+ &issuer_params_size);
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ return ret;
+ }
+
+ ret = _gnutls_x509_verify_algorithm ((gnutls_mac_algorithm_t *) hash,
+ signature, gnutls_x509_crt_get_pk_algorithm (crt, NULL),
+ issuer_params, issuer_params_size);
+
+ /* release allocated mpis */
+ for (i = 0; i < issuer_params_size; i++)
+ {
+ _gnutls_mpi_release (&issuer_params[i]);
+ }
+
+ return ret;
}
/**
* This function will verify the given signed data, using the
* parameters from the certificate.
*
+ * Note: Use gnutls_x509_crt_verify_hash() instead. This function
+ * does not do the implied hashing of the data.
+ *
* Returns: In case of a verification failure 0 is returned, and 1 on
* success.
**/
/* verify.c */
int gnutls_x509_crt_is_issuer (gnutls_x509_crt_t cert,
gnutls_x509_crt_t issuer);
-int _gnutls_x509_verify_algorithm (gnutls_mac_algorithm_t * hash,
- const gnutls_datum_t * signature,
- const gnutls_x509_crt_t crt);
+
+int
+_gnutls_x509_verify_algorithm (gnutls_mac_algorithm_t * hash,
+ const gnutls_datum_t * signature,
+ gnutls_pk_algorithm pk,
+ bigint_t* issuer_params, unsigned int issuer_params_size);
+
int _gnutls_x509_verify_signature (const gnutls_datum_t * tbs,
const gnutls_datum_t * hash,
const gnutls_datum_t * signature,