** libgnutls: The deprecated gnutls_x509_privkey_sign_hash() was
replaced by gnutls_privkey_sign_hash2().
-** Added helper functions for signature verification:
+** libgnutls: gnutls_pubkey_verify_data, gnutls_pubkey_verify_hash,
+gnutls_openpgp_crt_verify_hash, gnutls_x509_privkey_verify_data,
+gnutls_x509_crt_verify_data, gnutls_x509_crt_verify_hash
+return the negative error code GNUTLS_E_PK_SIG_VERIFY_FAILED
+if verification fails.
+
+** libgnutls: Added helper functions for signature verification:
gnutls_pubkey_verify_data() and gnutls_pubkey_import_privkey().
** libgnutls: Added gnutls_pkcs11_privkey_sign_hash2(),
* This function will verify the given signed data, using the
* parameters from the certificate.
*
- * Returns: In case of a verification failure 0 is returned, and 1 on
- * success.
+ * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED
+ * is returned, and a positive code on success.
**/
int
gnutls_pubkey_verify_data (gnutls_pubkey_t pubkey, unsigned int flags,
* This function will verify the given signed digest, using the
* parameters from the certificate.
*
- * Returns: In case of a verification failure 0 is returned, and 1 on
- * success.
+ * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED
+ * is returned, and a positive code on success.
**/
int
gnutls_pubkey_verify_hash (gnutls_pubkey_t key, unsigned int flags,
* This function will verify the given signed digest, using the
* parameters from the certificate.
*
- * Returns: In case of a verification failure 0 is returned, and 1 on
- * success.
+ * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED
+ * is returned, and a positive code on success.
**/
int
gnutls_openpgp_crt_verify_hash (gnutls_openpgp_crt_t crt, unsigned int flags,
if (ret < 0)
{
gnutls_assert ();
- return 0;
+ return ret;
}
return ret;
* This function will verify the given signed data, using the
* parameters in the private key.
*
- * Returns: In case of a verification failure 0 is returned, and 1 on
- * success.
+ * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED
+ * is returned, and a positive code on success.
**/
int
gnutls_x509_privkey_verify_data (gnutls_x509_privkey_t key,
if (result < 0)
{
gnutls_assert ();
- return 0;
+ return result;
}
return result;
gnutls_datum_t cert_signed_data = { NULL, 0 };
gnutls_datum_t cert_signature = { NULL, 0 };
gnutls_x509_crt_t issuer = NULL;
- int ret, issuer_version, result;
+ int issuer_version, result;
if (output)
*output = 0;
goto cleanup;
}
- ret =
+ result =
_gnutls_x509_verify_signature (&cert_signed_data, NULL, &cert_signature,
issuer);
- if (ret < 0)
- {
- gnutls_assert ();
- }
- else if (ret == 0)
+ if (result == GNUTLS_E_PK_SIG_VERIFY_FAILED)
{
gnutls_assert ();
/* error. ignore it */
if (output)
*output |= GNUTLS_CERT_INVALID;
- ret = 0;
+ result = 0;
+ }
+ else if (result < 0)
+ {
+ gnutls_assert();
+ goto cleanup;
}
/* If the certificate is not self signed check if the algorithms
{
if (output)
*output |= GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID;
- ret = 0;
+ result = 0;
}
}
- result = ret;
-
cleanup:
_gnutls_free_datum (&cert_signed_data);
_gnutls_free_datum (&cert_signature);
return ret;
}
-/* Verifies the signature data, and returns 0 if not verified,
- * or 1 otherwise.
+/* Verifies the signature data, and returns GNUTLS_E_PK_SIG_VERIFY_FAILED if
+ * not verified, or 1 otherwise.
*/
int
pubkey_verify_sig (const gnutls_datum_t * tbs,
(tbs, hash, signature, issuer_params, issuer_params_size) != 0)
{
gnutls_assert ();
- return 0;
+ return GNUTLS_E_PK_SIG_VERIFY_FAILED;
}
return 1;
(tbs, hash, signature, issuer_params, issuer_params_size) != 0)
{
gnutls_assert ();
- return 0;
+ return GNUTLS_E_PK_SIG_VERIFY_FAILED;
}
return 1;
}
/* verifies if the certificate is properly signed.
- * returns 0 on failure and 1 on success.
+ * returns GNUTLS_E_PK_VERIFY_SIG_FAILED on failure and 1 on success.
*
* 'tbs' is the signed data
* 'signature' is the signature!
}
/* verifies if the certificate is properly signed.
- * returns 0 on failure and 1 on success.
+ * returns GNUTLS_E_PK_VERIFY_SIG_FAILED on failure and 1 on success.
*
* 'tbs' is the signed data
* 'signature' is the signature!
gnutls_datum_t crl_signed_data = { NULL, 0 };
gnutls_datum_t crl_signature = { NULL, 0 };
gnutls_x509_crt_t issuer;
- int ret, result;
+ int result;
if (output)
*output = 0;
goto cleanup;
}
- ret =
+ result =
_gnutls_x509_verify_signature (&crl_signed_data, NULL, &crl_signature,
issuer);
- if (ret < 0)
- {
- gnutls_assert ();
- }
- else if (ret == 0)
+ if (result == GNUTLS_E_PK_SIG_VERIFY_FAILED)
{
gnutls_assert ();
/* error. ignore it */
if (output)
*output |= GNUTLS_CERT_INVALID;
- ret = 0;
+ result = 0;
+ }
+ else if (result < 0)
+ {
+ gnutls_assert ();
+ goto cleanup;
}
{
{
if (output)
*output |= GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID;
- ret = 0;
+ result = 0;
}
}
- result = ret;
-
cleanup:
_gnutls_free_datum (&crl_signed_data);
_gnutls_free_datum (&crl_signature);
* This function will verify the given signed data, using the
* parameters from the certificate.
*
- * Returns: In case of a verification failure 0 is returned, and 1 on
- * success.
+ * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED
+ * is returned, and a positive code on success.
**/
int
gnutls_x509_crt_verify_data (gnutls_x509_crt_t crt, unsigned int flags,
if (result < 0)
{
gnutls_assert ();
- return 0;
+ return result;
}
return result;
* This function will verify the given signed digest, using the
* parameters from the certificate.
*
- * Returns: In case of a verification failure 0 is returned, and 1 on
- * success.
+ * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED
+ * is returned, and a positive code on success.
**/
int
gnutls_x509_crt_verify_hash (gnutls_x509_crt_t crt, unsigned int flags,
if (result < 0)
{
gnutls_assert ();
- return 0;
+ return result;
}
return result;
fail ("gnutls_x509_crt_get_verify_algorithm\n");
ret = gnutls_x509_crt_verify_hash (crt, 0, &hash_data, &signature);
- if (ret <= 0)
+ if (ret < 0)
fail ("gnutls_x509_privkey_verify_hash\n");
ret =
fail ("gnutls_x509_crt_get_verify_algorithm (hashed data)\n");
ret = gnutls_x509_crt_verify_hash (crt, 0, &hash_data, &signature2);
- if (ret <= 0)
+ if (ret < 0)
fail ("gnutls_x509_privkey_verify_hash (hashed data)\n");
/* should fail */
ret = gnutls_x509_crt_verify_hash (crt, 0, &invalid_hash_data, &signature2);
- if (ret < 0 || ret == 1)
+ if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED)
fail ("gnutls_x509_privkey_verify_hash (hashed data)\n");
fail ("gnutls_pubkey_get_verify_algorithm\n");
/* should fail */
- ret = gnutls_pubkey_verify_hash (pubkey, 0, &invalid_hash_data, &signature);
- if (ret < 0 || ret == 1)
+ ret = gnutls_pubkey_verify_hash (pubkey, 0, &invalid_hash_data,
+ &signature); if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED)
fail ("gnutls_x509_privkey_verify_hash 1\n");
/* should succeed */
ret = gnutls_pubkey_verify_data (pubkey, 0, &raw_data, &signature);
- if (ret <= 0)
+ if (ret < 0)
fail ("gnutls_x509_privkey_verify_data\n");
gnutls_x509_privkey_deinit(key);