whether it is mandatory to use this algorithm.
return 0;
}
+int _gnutls_pk_get_hash_algorithm(gnutls_pk_algorithm_t pk, bigint_t* params, int params_size,
+ gnutls_digest_algorithm_t *dig, unsigned int *mand)
+{
+ if (mand)
+ {
+ if (pk == GNUTLS_PK_DSA)
+ *mand = 1;
+ else
+ *mand = 0;
+ }
+
+ return _gnutls_x509_verify_algorithm ((gnutls_mac_algorithm_t *) dig,
+ NULL, pk, params, params_size);
+
+}
int _gnutls_calc_rsa_exp(bigint_t* params, unsigned int params_size);
+int _gnutls_pk_get_hash_algorithm(gnutls_pk_algorithm_t pk, bigint_t* params, int params_size,
+ gnutls_digest_algorithm_t *dig, unsigned int *mand);
+
#endif /* GNUTLS_PK_H */
* gnutls_pubkey_get_preferred_hash_algorithm:
* @key: Holds the certificate
* @hash: The result of the call with the hash algorithm used for signature
+ * @mand: If non zero it means that the algorithm MUST use this hash. May be NULL.
*
* This function will read the certifcate and return the appropriate digest
* algorithm to use for signing with this certificate. Some certificates (i.e.
**/
int
gnutls_pubkey_get_preferred_hash_algorithm (gnutls_pubkey_t key,
- gnutls_digest_algorithm_t * hash)
+ gnutls_digest_algorithm_t * hash, unsigned int *mand)
{
int ret;
return GNUTLS_E_INVALID_REQUEST;
}
- ret = _gnutls_x509_verify_algorithm ((gnutls_mac_algorithm_t *) hash,
- NULL, key->pk_algorithm,
- key->params, key->params_size);
+ ret = _gnutls_pk_get_hash_algorithm(key->pk_algorithm,
+ key->params, key->params_size, hash, mand);
return ret;
}
unsigned int flags);
int gnutls_pubkey_get_preferred_hash_algorithm (gnutls_pubkey_t key,
- gnutls_digest_algorithm_t * hash);
+ gnutls_digest_algorithm_t * hash, unsigned int *mand);
int gnutls_pubkey_get_pk_rsa_raw (gnutls_pubkey_t crt,
gnutls_datum_t * m, gnutls_datum_t * e);
unsigned char *output_data,
size_t * output_data_size);
int gnutls_x509_crt_get_preferred_hash_algorithm (gnutls_x509_crt_t crt,
- gnutls_digest_algorithm_t * hash);
+ gnutls_digest_algorithm_t * hash, unsigned int *mand);
int gnutls_x509_crt_set_authority_key_id (gnutls_x509_crt_t cert,
const void *id, size_t id_size);
const gnutls_datum_t * data,
gnutls_x509_crt_fmt_t format);
int gnutls_x509_crq_get_preferred_hash_algorithm (gnutls_x509_crq_t crq,
- gnutls_digest_algorithm_t * hash);
+ gnutls_digest_algorithm_t * hash, unsigned int* mand);
int gnutls_x509_crq_get_dn (gnutls_x509_crq_t crq, char *buf,
size_t * sizeof_buf);
gnutls_x509_crq_sign (gnutls_x509_crq_t crq, gnutls_x509_privkey_t key)
{
gnutls_digest_algorithm_t dig;
-int ret = gnutls_x509_crq_get_preferred_hash_algorithm (crq, &dig);
+int ret = gnutls_x509_crq_get_preferred_hash_algorithm (crq, &dig, NULL);
if (ret < 0)
{
* gnutls_x509_crq_get_preferred_hash_algorithm:
* @crq: Holds the certificate
* @hash: The result of the call with the hash algorithm used for signature
+ * @mand: If non zero it means that the algorithm MUST use this hash. May be NULL.
*
* This function will read the certifcate and return the appropriate digest
* algorithm to use for signing with this certificate. Some certificates (i.e.
**/
int
gnutls_x509_crq_get_preferred_hash_algorithm (gnutls_x509_crq_t crq,
- gnutls_digest_algorithm_t * hash)
+ gnutls_digest_algorithm_t * hash, unsigned int *mand)
{
bigint_t params[MAX_PUBLIC_PARAMS_SIZE];
int params_size;
int ret, i;
- if (crt == NULL)
+ if (crq == NULL)
{
gnutls_assert ();
return GNUTLS_E_INVALID_REQUEST;
return ret;
}
- ret = _gnutls_x509_verify_algorithm ((gnutls_mac_algorithm_t *) hash,
- NULL, gnutls_x509_crq_get_pk_algorithm (crq, NULL),
- params, params_size);
+ ret = _gnutls_pk_get_hash_algorithm(gnutls_x509_crq_get_pk_algorithm (crq, NULL),
+ params, params_size, hash, mand);
/* release allocated mpis */
for (i = 0; i < params_size; i++)
return ret;
}
+
+
/**
* gnutls_x509_crt_get_preferred_hash_algorithm:
* @crt: Holds the certificate
* @hash: The result of the call with the hash algorithm used for signature
+ * @mand: If non zero it means that the algorithm MUST use this hash. May be NULL.
*
* This function will read the certifcate and return the appropriate digest
* algorithm to use for signing with this certificate. Some certificates (i.e.
**/
int
gnutls_x509_crt_get_preferred_hash_algorithm (gnutls_x509_crt_t crt,
- gnutls_digest_algorithm_t * hash)
+ gnutls_digest_algorithm_t * hash, unsigned int *mand)
{
bigint_t issuer_params[MAX_PUBLIC_PARAMS_SIZE];
int issuer_params_size;
return ret;
}
- ret = _gnutls_x509_verify_algorithm ((gnutls_mac_algorithm_t *) hash,
- NULL, gnutls_x509_crt_get_pk_algorithm (crt, NULL),
- issuer_params, issuer_params_size);
+ ret = _gnutls_pk_get_hash_algorithm(gnutls_x509_crt_get_pk_algorithm (crt, NULL),
+ issuer_params, issuer_params_size, hash, mand);
/* release allocated mpis */
for (i = 0; i < issuer_params_size; i++)
{
gnutls_digest_algorithm_t dig;
int result;
+unsigned int mand;
- if (default_dig != GNUTLS_DIG_UNKNOWN)
- dig = default_dig;
- else
+ result = gnutls_x509_crt_get_preferred_hash_algorithm(crt, &dig, &mand);
+ if (result < 0)
{
- result = gnutls_x509_crt_get_preferred_hash_algorithm(crt, &dig);
- if (result < 0)
- {
error (EXIT_FAILURE, 0, "crl_preferred_hash_algorithm: %s",
gnutls_strerror (result));
- }
}
+ /* if algorithm allows alternatives */
+ if (mand == 0 && default_dig != GNUTLS_DIG_UNKNOWN)
+ dig = default_dig;
+
return dig;
}
default_dig = GNUTLS_DIG_UNKNOWN;
if (info.hash != NULL)
{
- fprintf(stderr, "Warning: It is suggested that you do not use this parameter unless you know what you are doing. "
- "It is not always possible to set specific algorithms, for example DSA keys are unable to use any algorithm and "
- "thus using the defaults is highly recommended!\n");
- sleep(2);
-
if (strcasecmp (info.hash, "md5") == 0)
{
fprintf (stderr,