* gnutls_privkey_sign_data:
* @signer: Holds the key
* @hash: should be a digest algorithm
- * @flags: should be 0 for now
+ * @flags: Zero or on of %gnutls_privkey_flags_t
* @data: holds the data to be signed
* @signature: will contain the signature allocate with gnutls_malloc()
*
int ret;
gnutls_datum_t digest;
+ if (flags & GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA)
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+
ret = pk_hash_data (signer->pk_algorithm, hash, NULL, data, &digest);
if (ret < 0)
{
* gnutls_privkey_sign_hash:
* @signer: Holds the signer's key
* @hash_algo: The hash algorithm used
- * @flags: zero for now
+ * @flags: Zero or on of %gnutls_privkey_flags_t
* @hash_data: holds the data to be signed
* @signature: will contain newly allocated signature
*
int ret;
gnutls_datum_t digest;
+ if (flags & GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA)
+ return gnutls_privkey_sign_raw_data (signer, flags, hash_data, signature);
+
digest.data = gnutls_malloc (hash_data->size);
if (digest.data == NULL)
{
* For example on an RSA key the input @data should be of the DigestInfo
* PKCS #1 1.5 format. Use it only if you know what are you doing.
*
+ * Note this function is equivalent to using the %GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA
+ * flag with gnutls_privkey_sign_hash().
+ *
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
*
/**
* gnutls_pubkey_verify_data:
* @pubkey: Holds the public key
- * @flags: should be 0 for now
+ * @flags: Zero or on of %gnutls_pubkey_flags_t
* @data: holds the signed data
* @signature: contains the signature
*
return GNUTLS_E_INVALID_REQUEST;
}
+ if (flags & GNUTLS_PUBKEY_VERIFY_FLAG_TLS1_RSA)
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+
ret = gnutls_pubkey_get_verify_algorithm (pubkey, signature, &hash);
if (ret < 0)
return gnutls_assert_val(ret);
* gnutls_pubkey_verify_data2:
* @pubkey: Holds the public key
* @algo: The signature algorithm used
- * @flags: should be 0 for now
+ * @flags: Zero or on of %gnutls_pubkey_flags_t
* @data: holds the signed data
* @signature: contains the signature
*
return GNUTLS_E_INVALID_REQUEST;
}
+ if (flags & GNUTLS_PUBKEY_VERIFY_FLAG_TLS1_RSA)
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+
ret = pubkey_verify_data( pubkey->pk_algorithm, gnutls_sign_get_hash_algorithm(algo),
data, signature, &pubkey->params);
if (ret < 0)
/**
* gnutls_pubkey_verify_hash:
* @key: Holds the public key
- * @flags: should be 0 for now
+ * @flags: Zero or on of %gnutls_pubkey_flags_t
* @hash: holds the hash digest to be verified
* @signature: contains the signature
*
* gnutls_pubkey_verify_hash2:
* @key: Holds the public key
* @algo: The signature algorithm used
- * @flags: should be 0 for now
+ * @flags: Zero or on of %gnutls_pubkey_flags_t
* @hash: holds the hash digest to be verified
* @signature: contains the signature
*
return GNUTLS_E_INVALID_REQUEST;
}
- if (flags & GNUTLS_PUBKEY_VERIFY_FLAG_TLS_RSA)
- return _gnutls_pk_verify (GNUTLS_PK_RSA, hash, signature, &key->params);
+ if (flags & GNUTLS_PUBKEY_VERIFY_FLAG_TLS1_RSA)
+ {
+ return _gnutls_pk_verify (GNUTLS_PK_RSA, hash, signature, &key->params);
+ }
else
{
return pubkey_verify_hashed_data (key->pk_algorithm, gnutls_sign_get_hash_algorithm(algo),
/* decrypted is a BER encoded data of type DigestInfo
*/
-
ret = encode_ber_digest_info (hash, &d, &di);
if (ret < 0)
return gnutls_assert_val(ret);
ret = _gnutls_pk_verify (GNUTLS_PK_RSA, &di, signature, params);
+ _gnutls_free_datum (&di);
- _gnutls_free_datum (&di);
-
return ret;
}
/* Public key operations */
-#define GNUTLS_PUBKEY_VERIFY_FLAG_TLS_RSA 1
-/* The following flag disables call to PIN callbacks etc.
- * Only works for TPM keys.
+#define GNUTLS_PUBKEY_VERIFY_FLAG_TLS_RSA GNUTLS_PUBKEY_VERIFY_FLAG_TLS1_RSA
+/**
+ * gnutls_pubkey_flags:
+ * @GNUTLS_PUBKEY_VERIFY_FLAG_TLS1_RSA: This indicates that a (raw) RSA signature is provided
+ * as in the TLS 1.0 protocol.
+ * @GNUTLS_PUBKEY_DISABLE_CALLBACKS: The following flag disables call to PIN callbacks. Only
+ * relevant to TPM keys.
+ * @GNUTLS_PUBKEY_GET_OPENPGP_FINGERPRINT: request an OPENPGP fingerprint instead of the default.
+ *
+ * Enumeration of different certificate import flags.
*/
-#define GNUTLS_PUBKEY_DISABLE_CALLBACKS (1<<2)
-#define GNUTLS_PUBKEY_GET_OPENPGP_FINGERPRINT (1<<3)
+ typedef enum gnutls_pubkey_flags
+ {
+ GNUTLS_PUBKEY_VERIFY_FLAG_TLS1_RSA = 1,
+ GNUTLS_PUBKEY_DISABLE_CALLBACKS = 1<<2,
+ GNUTLS_PUBKEY_GET_OPENPGP_FINGERPRINT = 1<<3,
+ } gnutls_pubkey_flags_t;
struct gnutls_pubkey_st;
typedef struct gnutls_pubkey_st *gnutls_pubkey_t;
gnutls_privkey_type_t gnutls_privkey_get_type (gnutls_privkey_t key);
int gnutls_privkey_status (gnutls_privkey_t key);
-
-#define GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE (1<<0)
-#define GNUTLS_PRIVKEY_IMPORT_COPY (1<<1)
-/* The following flag disables call to PIN callbacks etc.
- * Only works for TPM keys.
+/**
+ * gnutls_privkey_flags:
+ * @GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA: Make an RSA signature on the hashed data as in the TLS protocol.
+ * @GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE: When importing a private key, automatically
+ * release it when the structure it was imported is released.
+ * @GNUTLS_PRIVKEY_IMPORT_COPY: Copy required values during import.
+ * @GNUTLS_PRIVKEY_DISABLE_CALLBACKS: The following flag disables call to PIN callbacks etc.
+ * Only relevant to TPM keys.
+ *
+ * Enumeration of different certificate import flags.
*/
-#define GNUTLS_PRIVKEY_DISABLE_CALLBACKS (1<<2)
+ typedef enum gnutls_privkey_flags
+ {
+ GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE = 1,
+ GNUTLS_PRIVKEY_IMPORT_COPY = 1<<1,
+ GNUTLS_PRIVKEY_DISABLE_CALLBACKS = 1<<2,
+ GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA = 1<<4,
+ } gnutls_privkey_flags_t;
+
int gnutls_privkey_import_pkcs11 (gnutls_privkey_t pkey,
gnutls_pkcs11_privkey_t key,
unsigned int flags);
if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED)
fail ("gnutls_x509_pubkey_verify_hash2-2 (hashed data)\n");
-
+ /* test the raw interface */
+ gnutls_free(signature.data);
+ signature.data = NULL;
+
+ if (gnutls_pubkey_get_pk_algorithm(pubkey, NULL) == GNUTLS_PK_RSA)
+ {
+ ret = gnutls_privkey_sign_hash (privkey, GNUTLS_DIG_SHA1, GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA,
+ &hash_data, &signature);
+ if (ret < 0)
+ fail ("gnutls_privkey_sign_hash: %s\n", gnutls_strerror(ret));
+
+ sign_algo = gnutls_pk_to_sign(gnutls_pubkey_get_pk_algorithm(pubkey, NULL),
+ GNUTLS_DIG_SHA1);
+
+ ret = gnutls_pubkey_verify_hash2 (pubkey, sign_algo, GNUTLS_PUBKEY_VERIFY_FLAG_TLS1_RSA, &hash_data, &signature);
+ if (ret < 0)
+ fail ("gnutls_pubkey_verify_hash-3 (raw hashed data)\n");
+ }
gnutls_free(signature.data);
gnutls_free(signature2.data);
gnutls_x509_privkey_deinit (key);