gnutls_pubkey_import_privkey: ADDED
gnutls_pubkey_verify_data: ADDED
gnutls_privkey_sign_hash2: ADDED
-gnutls_x509_privkey_sign_hash2: ADDED
-gnutls_x509_privkey_sign_data2: ADDED
gnutls_privkey_sign_data2: ADDED (in place of gnutls_privkey_sign_data)
gnutls_x509_privkey_sign_data: DEPRECATED
gnutls_x509_privkey_sign_hash: DEPRECATED
gnutls_psk_netconf_derive_key: DEPRECATED
gnutls_session_set_finished_function: DEPRECATED
gnutls_ext_register: DEPRECATED
+gnutls_x509_crt_verify_hash: DEPRECATED
+gnutls_x509_crt_verify_data: DEPRECATED
+gnutls_x509_crt_get_verify_algorithm: DEPRECATED
+gnutls_x509_crt_get_preferred_hash_algorithm: DEPRECATED
gnutls_openpgp_privkey_sign_hash: REMOVED
gnutls_openpgp_privkey_decrypt_data: REMOVED
gnutls_pkcs11_privkey_sign_hash: REMOVED
_GNUTLS_GCC_ATTR_DEPRECATED;
/* This is a very dangerous and error-prone function.
- * Do not use.
+ * Use gnutls_privkey_sign_hash2() instead.
*/
int gnutls_x509_privkey_sign_hash (gnutls_x509_privkey_t key,
const gnutls_datum_t * hash,
const gnutls_datum_t * signature)
_GNUTLS_GCC_ATTR_DEPRECATED;
-/* we support the gnutls_x509_privkey_sign_data2() instead.
+/* we support the gnutls_privkey_sign_data2() instead.
*/
int gnutls_x509_privkey_sign_data (gnutls_x509_privkey_t key,
gnutls_digest_algorithm_t digest,
size_t * signature_size)
_GNUTLS_GCC_ATTR_DEPRECATED;
+ /* gnutls_pubkey_verify_data() */
+ int gnutls_x509_crt_verify_data (gnutls_x509_crt_t crt,
+ unsigned int flags,
+ const gnutls_datum_t * data,
+ const gnutls_datum_t * signature)
+ _GNUTLS_GCC_ATTR_DEPRECATED;
+
+
+ /* gnutls_pubkey_verify_hash() */
+ int gnutls_x509_crt_verify_hash (gnutls_x509_crt_t crt,
+ unsigned int flags,
+ const gnutls_datum_t * hash,
+ const gnutls_datum_t * signature)
+ _GNUTLS_GCC_ATTR_DEPRECATED;
+
+ /* gnutls_pubkey_get_verify_algorithm() */
+ int gnutls_x509_crt_get_verify_algorithm (gnutls_x509_crt_t crt,
+ const gnutls_datum_t * signature,
+ gnutls_digest_algorithm_t * hash)
+ _GNUTLS_GCC_ATTR_DEPRECATED;
+
+ /* gnutls_pubkey_get_preferred_hash_algorithm() */
+ int gnutls_x509_crt_get_preferred_hash_algorithm (gnutls_x509_crt_t crt,
+ gnutls_digest_algorithm_t
+ * hash,
+ unsigned int *mand)
+ _GNUTLS_GCC_ATTR_DEPRECATED;
+
+
#endif /* _GNUTLS_COMPAT_H */
unsigned int flags,
unsigned char *output_data,
size_t * output_data_size);
- int gnutls_x509_crt_get_preferred_hash_algorithm (gnutls_x509_crt_t crt,
- gnutls_digest_algorithm_t
- * hash,
- unsigned int *mand);
int gnutls_x509_crt_set_authority_key_id (gnutls_x509_crt_t cert,
const void *id, size_t id_size);
gnutls_datum_t * q,
gnutls_datum_t * u);
-/* Signing stuff.
- */
- int gnutls_x509_privkey_sign_data2 (gnutls_x509_privkey_t key,
- gnutls_digest_algorithm_t digest,
- unsigned int flags,
- const gnutls_datum_t * data,
- gnutls_datum_t * signature);
- int gnutls_x509_crt_verify_data (gnutls_x509_crt_t crt,
- unsigned int flags,
- const gnutls_datum_t * data,
- const gnutls_datum_t * signature);
-
- int gnutls_x509_privkey_sign_hash2 (gnutls_x509_privkey_t signer,
- gnutls_digest_algorithm_t hash_algo,
- unsigned int flags,
- const gnutls_datum_t * hash_data,
- gnutls_datum_t * signature);
-
- int gnutls_x509_crt_verify_hash (gnutls_x509_crt_t crt,
- unsigned int flags,
- const gnutls_datum_t * hash,
- const gnutls_datum_t * signature);
-
- int gnutls_x509_crt_get_verify_algorithm (gnutls_x509_crt_t crt,
- const gnutls_datum_t * signature,
- gnutls_digest_algorithm_t * hash);
-
-
-
/* Certificate request stuff.
*/
struct gnutls_x509_crq_int;
gnutls_privkey_import_pkcs11;
gnutls_privkey_import_x509;
gnutls_privkey_import_openpgp;
- gnutls_privkey_sign_data;
gnutls_privkey_decrypt_data;
gnutls_pkcs11_privkey_export_url;
gnutls_x509_crq_privkey_sign;
gnutls_pkcs11_token_set_pin;
gnutls_pkcs11_token_get_mechanism;
gnutls_privkey_sign_hash2;
- gnutls_openpgp_privkey_sign_data2;
- gnutls_openpgp_privkey_sign_hash2;
- gnutls_x509_privkey_sign_hash2;
+ gnutls_privkey_sign_data2;
gnutls_openpgp_crt_verify_hash;
- gnutls_x509_privkey_sign_data2;
gnutls_pkcs11_privkey_sign_hash2;
gnutls_pubkey_import_privkey;
gnutls_pubkey_verify_data;
#ifdef ENABLE_PKI
-/**
- * gnutls_x509_privkey_sign_data2:
- * @signer: Holds the key
- * @digest: should be MD5 or SHA1
- * @flags: should be 0 for now
- * @data: holds the data to be signed
- * @signature: will contain the signature allocate with gnutls_malloc()
+/*-
+ * _gnutls_x509_privkey_sign_hash2:
+ * @signer: Holds the signer's key
+ * @hash_algo: The hash algorithm used
+ * @hash_data: holds the data to be signed
+ * @signature: will contain newly allocated signature
+ * @flags: zero for now
*
- * This function will sign the given data using a signature algorithm
+ * This function will sign the given hashed data using a signature algorithm
* supported by the private key. Signature algorithms are always used
* together with a hash functions. Different hash functions may be
* used for the RSA algorithm, but only SHA-1,SHA-224 and SHA-256
*
* The RSA algorithm is used in PKCS #1 v1.5 mode.
*
- * If the buffer provided is not long enough to hold the output, then
- * *@signature_size is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER will
- * be returned.
- *
* Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
* negative error value.
- **/
-int
-gnutls_x509_privkey_sign_data2 (gnutls_x509_privkey_t signer,
- gnutls_digest_algorithm_t hash,
+ -*/
+static int
+_gnutls_x509_privkey_sign_hash2 (gnutls_x509_privkey_t signer,
+ gnutls_digest_algorithm_t hash_algo,
unsigned int flags,
- const gnutls_datum_t * data,
+ const gnutls_datum_t * hash_data,
gnutls_datum_t * signature)
{
int ret;
gnutls_datum_t digest;
- ret =
- pk_hash_data (signer->pk_algorithm, hash, signer->params, data, &digest);
+ digest.data = gnutls_malloc (hash_data->size);
+ if (digest.data == NULL)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+ digest.size = hash_data->size;
+ memcpy (digest.data, hash_data->data, digest.size);
+
+ ret = pk_prepare_hash (signer->pk_algorithm, hash_algo, &digest);
if (ret < 0)
{
gnutls_assert ();
- return ret;
+ goto cleanup;
}
- ret =
- gnutls_x509_privkey_sign_hash2 (signer, hash, flags, &digest, signature);
+ ret = _gnutls_soft_sign (signer->pk_algorithm, signer->params,
+ signer->params_size, &digest, signature);
+
if (ret < 0)
{
gnutls_assert ();
}
/*-
- * gnutls_x509_privkey_sign_hash:
+ * _gnutls_x509_privkey_sign_hash:
* @key: Holds the key
* @hash: holds the data to be signed
* @signature: will contain newly allocated signature
return 0;
}
-/**
- * gnutls_x509_privkey_sign_hash2:
- * @signer: Holds the signer's key
- * @hash_algo: The hash algorithm used
- * @hash_data: holds the data to be signed
- * @signature: will contain newly allocated signature
- * @flags: zero for now
- *
- * This function will sign the given hashed data using a signature algorithm
- * supported by the private key. Signature algorithms are always used
- * together with a hash functions. Different hash functions may be
- * used for the RSA algorithm, but only SHA-1,SHA-224 and SHA-256
- * for the DSA keys, depending on their bit size.
- *
- * Use gnutls_x509_crt_get_preferred_hash_algorithm() to determine
- * the hash algorithm.
- *
- * The RSA algorithm is used in PKCS #1 v1.5 mode.
- *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
- * negative error value.
- **/
-int
-gnutls_x509_privkey_sign_hash2 (gnutls_x509_privkey_t signer,
- gnutls_digest_algorithm_t hash_algo,
- unsigned int flags,
- const gnutls_datum_t * hash_data,
- gnutls_datum_t * signature)
-{
- int ret;
- gnutls_datum_t digest;
-
- digest.data = gnutls_malloc (hash_data->size);
- if (digest.data == NULL)
- {
- gnutls_assert ();
- return GNUTLS_E_MEMORY_ERROR;
- }
- digest.size = hash_data->size;
- memcpy (digest.data, hash_data->data, digest.size);
-
- ret = pk_prepare_hash (signer->pk_algorithm, hash_algo, &digest);
- if (ret < 0)
- {
- gnutls_assert ();
- goto cleanup;
- }
-
- ret = _gnutls_soft_sign (signer->pk_algorithm, signer->params,
- signer->params_size, &digest, signature);
-
- if (ret < 0)
- {
- gnutls_assert ();
- goto cleanup;
- }
-
- ret = 0;
-
-cleanup:
- _gnutls_free_datum (&digest);
- return ret;
-}
-
/*-
* gnutls_x509_privkey_sign_data:
* @key: Holds the key
{
int result;
gnutls_datum_t sig = { NULL, 0 };
+ gnutls_datum_t hash;
if (key == NULL)
{
return GNUTLS_E_INVALID_REQUEST;
}
- result = gnutls_x509_privkey_sign_data2 (key, digest, flags, data, &sig);
+ result =
+ pk_hash_data (key->pk_algorithm, digest, key->params, data, &hash);
if (result < 0)
{
gnutls_assert ();
return result;
}
+ result =
+ _gnutls_x509_privkey_sign_hash2 (key, digest, flags, &hash, signature);
+
+ _gnutls_free_datum(&hash);
+
+ if (result < 0)
+ {
+ gnutls_assert ();
+ return result;
+ }
+
if (*signature_size < sig.size)
{
*signature_size = sig.size;
* This function will read the certifcate and the signed data to
* determine the hash algorithm used to generate the signature.
*
+ * Deprecated: Use gnutls_pubkey_get_verify_algorithm() instead.
+ *
* Returns: the 0 if the hash algorithm is found. A negative value is
* returned on error.
*
* algorithm to use for signing with this certificate. Some certificates (i.e.
* DSA might not be able to sign without the preferred algorithm).
*
+ * Deprecated: Please use gnutls_pubkey_get_preferred_hash_algorithm().
+ *
* Returns: the 0 if the hash algorithm is found. A negative value is
* returned on error.
*
* This function will verify the given signed data, using the
* parameters from the certificate.
*
+ * Deprecated. Please use gnutls_pubkey_verify_data().
+ *
* Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED
* is returned, and a positive code on success.
**/
* This function will verify the given signed digest, using the
* parameters from the certificate.
*
+ * Deprecated. Please use gnutls_pubkey_verify_data().
+ *
* Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED
* is returned, and a positive code on success.
**/
get_dig (gnutls_x509_crt crt)
{
gnutls_digest_algorithm_t dig;
+ gnutls_pubkey_t pubkey;
int result;
unsigned int mand;
- result = gnutls_x509_crt_get_preferred_hash_algorithm (crt, &dig, &mand);
+ gnutls_pubkey_init(&pubkey);
+
+ result = gnutls_pubkey_import_x509(pubkey, crt, 0);
+ if (result < 0)
+ {
+ error (EXIT_FAILURE, 0, "gnutls_pubkey_import_x509: %s",
+ gnutls_strerror (result));
+ }
+
+ result = gnutls_pubkey_get_preferred_hash_algorithm (pubkey, &dig, &mand);
if (result < 0)
{
- error (EXIT_FAILURE, 0, "crl_preferred_hash_algorithm: %s",
+ error (EXIT_FAILURE, 0, "crt_get_preferred_hash_algorithm: %s",
gnutls_strerror (result));
}
+ gnutls_pubkey_deinit(pubkey);
+
/* if algorithm allows alternatives */
if (mand == 0 && default_dig != GNUTLS_DIG_UNKNOWN)
dig = default_dig;
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
+#include <gnutls/abstract.h>
static char dsa_cert[] =
"-----BEGIN CERTIFICATE-----\n"
main (void)
{
gnutls_x509_crt_t crt;
+ gnutls_pubkey_t pubkey;
gnutls_datum_t data = { (char *) "foo", 3 };
gnutls_datum_t sig = { (char *) "bar", 3 };
int ret;
if (ret < 0)
return 1;
+ ret = gnutls_pubkey_init (&pubkey);
+ if (ret < 0)
+ return 1;
+
ret = gnutls_x509_crt_import (crt, &dsa_cert_dat, GNUTLS_X509_FMT_PEM);
if (ret < 0)
return 1;
- ret = gnutls_x509_crt_verify_data (crt, 0, &data, &sig);
+ ret = gnutls_pubkey_import_x509( pubkey, crt, 0);
+ if (ret < 0)
+ return 1;
+
+ ret = gnutls_pubkey_verify_data (pubkey, 0, &data, &sig);
if (ret < 0 && ret != GNUTLS_E_PK_SIG_VERIFY_FAILED)
return 1;
//printf ("success!\n");
gnutls_x509_crt_deinit (crt);
+ gnutls_pubkey_deinit( pubkey);
gnutls_global_deinit ();
return 0;
if (ret < 0)
fail ("gnutls_x509_privkey_import\n");
+ ret = gnutls_pubkey_init (&pubkey);
+ if (ret < 0)
+ fail ("gnutls_privkey_init\n");
+
+ ret = gnutls_privkey_init (&privkey);
+ if (ret < 0)
+ fail ("gnutls_pubkey_init\n");
+
+ ret = gnutls_privkey_import_x509 (privkey, key, 0);
+ if (ret < 0)
+ fail ("gnutls_privkey_import_x509\n");
+
ret =
- gnutls_x509_privkey_sign_hash2 (key, GNUTLS_DIG_SHA1, 0, &hash_data,
+ gnutls_privkey_sign_hash2 (privkey, GNUTLS_DIG_SHA1, 0, &hash_data,
&signature2);
if (ret < 0)
- fail ("gnutls_x509_privkey_sign_hash\n");
+ fail ("gnutls_privkey_sign_hash\n");
ret =
- gnutls_x509_privkey_sign_data2 (key, GNUTLS_DIG_SHA1, 0, &raw_data,
+ gnutls_privkey_sign_data2 (privkey, GNUTLS_DIG_SHA1, 0, &raw_data,
&signature);
if (ret < 0)
fail ("gnutls_x509_privkey_sign_hash\n");
fail ("gnutls_x509_crt_import\n");
ret =
- gnutls_x509_crt_get_verify_algorithm (crt, &signature, &hash_algo);
+ gnutls_pubkey_import_x509 (pubkey, crt, 0);
+ if (ret < 0)
+ fail ("gnutls_x509_pubkey_import\n");
+
+ ret =
+ gnutls_pubkey_get_verify_algorithm (pubkey, &signature, &hash_algo);
if (ret < 0 || hash_algo != GNUTLS_DIG_SHA1)
fail ("gnutls_x509_crt_get_verify_algorithm\n");
- ret = gnutls_x509_crt_verify_hash (crt, 0, &hash_data, &signature);
+ ret = gnutls_pubkey_verify_hash (pubkey, 0, &hash_data, &signature);
if (ret < 0)
fail ("gnutls_x509_privkey_verify_hash\n");
ret =
- gnutls_x509_crt_get_verify_algorithm (crt, &signature2, &hash_algo);
+ gnutls_pubkey_get_verify_algorithm (pubkey, &signature2, &hash_algo);
if (ret < 0 || hash_algo != GNUTLS_DIG_SHA1)
fail ("gnutls_x509_crt_get_verify_algorithm (hashed data)\n");
- ret = gnutls_x509_crt_verify_hash (crt, 0, &hash_data, &signature2);
+ ret = gnutls_pubkey_verify_hash (pubkey, 0, &hash_data, &signature2);
if (ret < 0)
fail ("gnutls_x509_privkey_verify_hash (hashed data)\n");
/* should fail */
- ret = gnutls_x509_crt_verify_hash (crt, 0, &invalid_hash_data, &signature2);
+ ret = gnutls_pubkey_verify_hash (pubkey, 0, &invalid_hash_data, &signature2);
if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED)
fail ("gnutls_x509_privkey_verify_hash (hashed data)\n");
gnutls_free(signature2.data);
gnutls_x509_privkey_deinit (key);
gnutls_x509_crt_deinit (crt);
+ gnutls_privkey_deinit (privkey);
+ gnutls_pubkey_deinit (pubkey);
}
- /* now try verifying using a pubkey that imports the
- * key from an RSA private key.
- */
-
- ret = gnutls_x509_privkey_init (&key);
- if (ret < 0)
- fail ("gnutls_x509_privkey_init\n");
-
- ret = gnutls_pubkey_init (&pubkey);
- if (ret < 0)
- fail ("gnutls_privkey_init\n");
-
- ret = gnutls_privkey_init (&privkey);
- if (ret < 0)
- fail ("gnutls_pubkey_init\n");
-
- ret = gnutls_x509_privkey_generate (key, GNUTLS_PK_RSA, 1024, 0);
- if (ret < 0)
- fail ("gnutls_x509_privkey_generate\n");
-
- ret =
- gnutls_x509_privkey_sign_data2 (key, GNUTLS_DIG_SHA1, 0, &raw_data,
- &signature);
- if (ret < 0)
- fail ("gnutls_x509_privkey_sign_hash\n");
-
- /* try verifying */
- ret = gnutls_privkey_import_x509 (privkey, key, 0);
- if (ret < 0)
- fail ("gnutls_privkey_import_x509\n");
-
- ret =
- gnutls_pubkey_import_privkey (pubkey, privkey,
- GNUTLS_KEY_DIGITAL_SIGNATURE |
- GNUTLS_KEY_KEY_ENCIPHERMENT, 0);
- if (ret < 0)
- fail ("gnutls_pubkey_import_privkey\n");
-
- ret = gnutls_pubkey_get_verify_algorithm (pubkey, &signature, &hash_algo);
- if (ret < 0 || hash_algo != GNUTLS_DIG_SHA1)
- fail ("gnutls_pubkey_get_verify_algorithm\n");
-
- /* should fail */
- ret = gnutls_pubkey_verify_hash (pubkey, 0, &invalid_hash_data,
- &signature); if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED)
- fail ("gnutls_x509_privkey_verify_hash 1\n");
-
- /* should succeed */
- ret = gnutls_pubkey_verify_data (pubkey, 0, &raw_data, &signature);
- if (ret < 0)
- fail ("gnutls_x509_privkey_verify_data\n");
-
- gnutls_x509_privkey_deinit(key);
- gnutls_privkey_deinit (privkey);
- gnutls_pubkey_deinit (pubkey);
- gnutls_free(signature.data);
-
gnutls_global_deinit ();
}