int (*verify) (gnutls_pk_algorithm_t, const gnutls_datum_t * data,
const gnutls_datum_t * sig,
const gnutls_pk_params_st * pub);
- /* given a signature and the public parameters,
- * suggest a hash algorithm */
- int (*hash_algorithm) (gnutls_pk_algorithm_t,
- const gnutls_datum_t * sig,
- gnutls_pk_params_st * issuer_params,
- gnutls_digest_algorithm_t *);
/* sanity checks the public key parameters */
int (*verify_priv_params) (gnutls_pk_algorithm_t,
const gnutls_pk_params_st * priv);
}
}
-int
-_gnutls_pk_get_hash_algorithm(gnutls_pk_algorithm_t pk,
- gnutls_pk_params_st * params,
- gnutls_digest_algorithm_t * dig,
- unsigned int *mand)
-{
- if (mand) {
- if (pk == GNUTLS_PK_DSA)
- *mand = 1;
- else
- *mand = 0;
- }
-
- return _gnutls_x509_verify_algorithm(dig, NULL, pk, params);
-
-}
-
/* Writes the digest information and the digest in a DER encoded
* structure. The digest info is allocated and stored into the info structure.
*/
gnutls_digest_algorithm_t * hash,
uint8_t * digest, unsigned int *digest_size);
-int _gnutls_pk_get_hash_algorithm(gnutls_pk_algorithm_t pk,
- gnutls_pk_params_st *,
- gnutls_digest_algorithm_t * dig,
- unsigned int *mand);
-
int
_gnutls_params_get_rsa_raw(const gnutls_pk_params_st* params,
gnutls_datum_t * m, gnutls_datum_t * e,
hash, unsigned int *mand)
{
int ret;
+ const mac_entry_st *me;
if (key == NULL) {
gnutls_assert();
return GNUTLS_E_INVALID_REQUEST;
}
- ret = _gnutls_pk_get_hash_algorithm(key->pk_algorithm,
- &key->params, hash, mand);
+ if (mand)
+ *mand = 0;
+
+ switch (key->pk_algorithm) {
+ case GNUTLS_PK_DSA:
+ if (mand)
+ *mand = 1;
+ case GNUTLS_PK_EC:
+
+ me = _gnutls_dsa_q_to_hash(key->pk_algorithm, &key->params, NULL);
+ if (hash)
+ *hash = (gnutls_digest_algorithm_t)me->id;
+
+ ret = 0;
+ break;
+ case GNUTLS_PK_RSA:
+ if (hash)
+ *hash = GNUTLS_DIG_SHA256;
+ ret = 0;
+ break;
+
+ default:
+ gnutls_assert();
+ ret = GNUTLS_E_INTERNAL_ERROR;
+ }
return ret;
}
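Review bot: In the `GNUTLS_PK_DSA`/`GNUTLS_PK_EC` arm the result of `_gnutls_dsa_q_to_hash()` is dereferenced as `me->id` without a NULL check. The helper's definition is not visible here, but if it can return NULL for unexpected key parameters, a caller passing a non-NULL `hash` with an unusual or malformed public key would crash instead of getting an error code. A guard before the assignment, such as `if (me == NULL) { ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); break; }`, would close that path. The `case GNUTLS_PK_DSA:` arm also falls into `case GNUTLS_PK_EC:` unmarked; a `/* fall through */` comment after `*mand = 1;` would show it is intentional. The function's signature begins outside this hunk.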
plaintext, &key->params);
}
-/**
- * gnutls_pubkey_get_verify_algorithm:
- * @key: Holds the certificate
- * @signature: contains the signature
- * @hash: The result of the call with the hash algorithm used for signature
- *
- * This function will read the certifcate and the signed data to
- * determine the hash algorithm used to generate the signature.
- *
- * This function is only for informative purposes, as it does not
- * return a cryptographically binding result. Modifications to the signature
- * may cause this function to return an incorrect result.
- *
- * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
- * negative error value.
- *
- * Since: 2.12.0
- **/
-int
-gnutls_pubkey_get_verify_algorithm(gnutls_pubkey_t key,
- const gnutls_datum_t * signature,
- gnutls_digest_algorithm_t * hash)
-{
- if (key == NULL) {
- gnutls_assert();
- return GNUTLS_E_INVALID_REQUEST;
- }
-
- return _gnutls_x509_verify_algorithm(hash, signature,
- key->pk_algorithm,
- &key->params);
-
-}
-
/* Checks whether the public key given is compatible with the
* signature algorithm used. The session is only used for audit logging, and
* it may be null.
gnutls_pubkey_import_dsa_raw;
gnutls_pubkey_import_rsa_raw;
gnutls_pubkey_import_pkcs11_url;
- gnutls_pubkey_get_verify_algorithm;
gnutls_pubkey_import;
gnutls_x509_crt_set_pubkey;
gnutls_x509_crq_set_pubkey;
return ret;
}
-/* Given a signature and parameters, it should return
- * the hash algorithm used in the signature. This is a kludge
- * but until we deprecate gnutls_pubkey_get_verify_algorithm()
- * we depend on it.
- */
-static int wrap_nettle_hash_algorithm(gnutls_pk_algorithm_t pk,
- const gnutls_datum_t * sig,
- gnutls_pk_params_st * issuer_params,
- gnutls_digest_algorithm_t *
- hash_algo)
-{
- uint8_t digest[MAX_HASH_SIZE];
- uint8_t *rdi = NULL;
- gnutls_datum_t di;
- unsigned digest_size;
- mpz_t s;
- struct rsa_public_key pub;
- const mac_entry_st *me;
- int ret;
-
- mpz_init(s);
-
- switch (pk) {
- case GNUTLS_PK_DSA:
- case GNUTLS_PK_EC:
-
- me = _gnutls_dsa_q_to_hash(pk, issuer_params, NULL);
- if (hash_algo)
- *hash_algo = (gnutls_digest_algorithm_t)me->id;
-
- ret = 0;
- break;
- case GNUTLS_PK_RSA:
- if (sig == NULL) { /* return a sensible algorithm */
- if (hash_algo)
- *hash_algo = GNUTLS_DIG_SHA256;
- return 0;
- }
-
- _rsa_params_to_pubkey(issuer_params, &pub);
-
- digest_size = sizeof(digest);
-
- nettle_mpz_set_str_256_u(s, sig->size, sig->data);
-
- ret = extract_digest_info(&pub, &di, &rdi, s);
- if (ret == 0) {
- ret = GNUTLS_E_PK_SIG_VERIFY_FAILED;
- gnutls_assert();
- goto cleanup;
- }
-
- digest_size = sizeof(digest);
- if ((ret =
- decode_ber_digest_info(&di, hash_algo, digest,
- &digest_size)) < 0) {
- gnutls_assert();
- goto cleanup;
- }
-
- if (digest_size !=
- _gnutls_hash_get_algo_len(mac_to_entry(
- (gnutls_mac_algorithm_t)*hash_algo))) {
- gnutls_assert();
- ret = GNUTLS_E_PK_SIG_VERIFY_FAILED;
- goto cleanup;
- }
-
- ret = 0;
- break;
-
- default:
- gnutls_assert();
- ret = GNUTLS_E_INTERNAL_ERROR;
- }
-
- cleanup:
- mpz_clear(s);
- gnutls_free(rdi);
- return ret;
-
-}
-
-
int crypto_pk_prio = INT_MAX;
gnutls_crypto_pk_st _gnutls_pk_ops = {
- .hash_algorithm = wrap_nettle_hash_algorithm,
.encrypt = _wrap_nettle_pk_encrypt,
.decrypt = _wrap_nettle_pk_decrypt,
.sign = _wrap_nettle_pk_sign,
}
#endif
-/* This will return the appropriate hash to verify the given signature.
- * If signature is NULL it will return an (or the) appropriate hash for
- * the given parameters.
- */
-int
-_gnutls_x509_verify_algorithm(gnutls_digest_algorithm_t * hash,
- const gnutls_datum_t * signature,
- gnutls_pk_algorithm_t pk,
- gnutls_pk_params_st * issuer_params)
-{
- return _gnutls_pk_hash_algorithm(pk, signature, issuer_params,
- hash);
-}
-
/* verifies if the certificate is properly signed.
* returns GNUTLS_E_PK_VERIFY_SIG_FAILED on failure and 1 on success.
*
gnutls_digest_algorithm_t *
hash, unsigned int *mand)
{
- gnutls_pk_params_st issuer_params;
int ret;
+ gnutls_pubkey_t pubkey;
if (crt == NULL) {
gnutls_assert();
return GNUTLS_E_INVALID_REQUEST;
}
- ret = _gnutls_x509_crt_get_mpis(crt, &issuer_params);
- if (ret < 0) {
+ ret = gnutls_pubkey_init(&pubkey);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ ret = gnutls_pubkey_import_x509(pubkey, crt, 0);
+ if (ret < 0) {
gnutls_assert();
- return ret;
+ goto cleanup;
}
- ret =
- _gnutls_pk_get_hash_algorithm(gnutls_x509_crt_get_pk_algorithm
- (crt, NULL), &issuer_params,
- hash, mand);
-
- /* release allocated mpis */
- gnutls_pk_params_release(&issuer_params);
+ ret = gnutls_pubkey_get_preferred_hash_algorithm(pubkey, hash, mand);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+ cleanup:
+ gnutls_pubkey_deinit(pubkey);
return ret;
}
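Review bot: The second error check in the new body, `if (ret < 0) { gnutls_assert(); goto cleanup; }`, jumps to the `cleanup:` label that immediately follows it, so the `goto` has no effect. Writing it as `if (ret < 0) gnutls_assert();` reads more plainly and keeps the single `gnutls_pubkey_deinit(pubkey)` exit path. The function's signature and header comment start outside this hunk.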