git.ipfire.org Git - thirdparty/gnutls.git/log
Nikos Mavrogiannopoulos [Fri, 28 Jul 2017 08:02:59 +0000 (10:02 +0200)]
privkey: return less specific but more appropriate error on invalid pks for ext keys
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 28 Jul 2017 07:27:03 +0000 (09:27 +0200)]
prior to negotiating a signature check compatibility with private key
That is, check if the private key can support the public key operation
needed for the signature. That in particular includes, excluding the
Ed25519 and RSA-PSS from being used with the 'EXT' keys as the
current API cannot handle them, and RSA-PSS from being used by PKCS#11
RSA keys which do not provide the CKM_RSA_PKCS_PSS mechanism.
Relates #234
Resolves #209
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 28 Jul 2017 07:21:59 +0000 (09:21 +0200)]
pkcs11: mark RSA PKCS#11 key which can do RSA-PSS
Also refuse to sign with RSA-PSS if the mechanism is not supported.
Relates #208
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 11 Jul 2017 09:55:52 +0000 (11:55 +0200)]
handshake: select a signature algorithm early
That is, select the signature algorithm at the point the certificate and
ciphersuites are decided. Also ensure that a compatible signature algorithm
with the ciphersuite and the key is selected.
That prevents situations where a ciphersuite and a certificate are
negotiated, but later on the handshake we figure that there are no
common signature algorithms.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 28 Jul 2017 06:46:18 +0000 (08:46 +0200)]
tests: added basic unit test of gnutls_pkcs11_token_check_mechanism
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 27 Jul 2017 16:07:54 +0000 (18:07 +0200)]
gnutls_pkcs11_token_check_mechanism: introduced function to check token for a particular mechanism
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 4 Aug 2017 08:45:20 +0000 (10:45 +0200)]
updated auto-generated files
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 4 Aug 2017 08:21:06 +0000 (10:21 +0200)]
x509/output: print error on invalid public key parameters on certificate
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 4 Aug 2017 08:05:29 +0000 (10:05 +0200)]
gnutls_pk_get_oid: return early on unknown algorithm
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 4 Aug 2017 07:48:42 +0000 (09:48 +0200)]
tests: check whether the gnutls_x509_*_set_spki will reject invalid values
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 4 Aug 2017 07:34:23 +0000 (09:34 +0200)]
tests: updated for gnutls_x509_spki_get_rsa_pss_params
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 4 Aug 2017 07:29:12 +0000 (09:29 +0200)]
tests: added unit test of generation of legal and illegal rsa-pss parameters
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 4 Aug 2017 07:25:31 +0000 (09:25 +0200)]
spki: combined all exported functions to a single set and get
This simplifies setting parameters for a particular key type,
as well as getting them. The advantage is that they are set
atomically, preventing an inadvertently half-filled structure.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 4 Aug 2017 07:13:15 +0000 (09:13 +0200)]
certtool: set RSA-PSS parameters using GNUTLS_KEYGEN_SPKI kdata type
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 4 Aug 2017 07:06:32 +0000 (09:06 +0200)]
introduced error code GNUTLS_E_PK_INVALID_PUBKEY_PARAMS
This is being used to indicate errors in the public key parameters
such as the RSA-PSS salt size or digest algorithm.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 3 Aug 2017 14:46:32 +0000 (16:46 +0200)]
gnutls_x509_privkey_generate*: allow specifying the SPKI parameters for key generation
This in turn removes the need for reading the flag GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE
on the key generation process. The flag is now only used during key signing
which is also its documented purpose.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 3 Aug 2017 14:29:18 +0000 (16:29 +0200)]
gnutls_x509_privkey_set_spki: check validity of parameters set
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 3 Aug 2017 14:21:26 +0000 (16:21 +0200)]
gnutls_x509_cr*_set_spki: check for validity of parameters set
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 3 Aug 2017 14:16:49 +0000 (16:16 +0200)]
_gnutls_x509_check_pubkey_params: removed unnecessary parameter
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 3 Aug 2017 14:06:06 +0000 (16:06 +0200)]
tests: added check for import of RSA-PSS key with invalid salt
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 3 Aug 2017 13:37:18 +0000 (15:37 +0200)]
gnutls_pubkey_import_x509: propagate errors from gnutls_x509_crt_get_pk_algorithm
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 3 Aug 2017 13:16:08 +0000 (15:16 +0200)]
_rsa_pss_verify_digest: verify the validity of the salt_size length on verification
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 3 Aug 2017 13:08:43 +0000 (15:08 +0200)]
gnutls_x509_privkey_import: immediately exit on GNUTLS_E_PK_INVALID_PRIVKEY
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 3 Aug 2017 13:00:00 +0000 (15:00 +0200)]
wrap_nettle_pk_fixup: check RSA PSS parameters for validity on import
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 3 Aug 2017 09:03:44 +0000 (11:03 +0200)]
gnutls_x509_*_set_spki: removed arbitrary restrictions to setting parameters
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 28 Jul 2017 06:20:16 +0000 (08:20 +0200)]
tests: added unit test for the SPKI abstract functions
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 27 Jul 2017 09:24:40 +0000 (11:24 +0200)]
tests: chainverify: included negative and positive tests with RSA-PSS signed chains
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 27 Jul 2017 13:03:00 +0000 (15:03 +0200)]
pct_test: use local SPKI structure to override parameters if not set
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 27 Jul 2017 06:44:05 +0000 (08:44 +0200)]
fixup_spki_params: use GNUTLS_E_CONSTRAINT_ERROR for RSA-PSS violations
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 27 Jul 2017 06:28:54 +0000 (08:28 +0200)]
_gnutls_x509_read_pkalgo_params: initialize params structure
That is the primary call on these parameters, thus it should
initialize the structure with something reasonable. That is
similar to behavior of _gnutls_x509_read_rsa_pss_params.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 27 Jul 2017 06:14:37 +0000 (08:14 +0200)]
RSA-PSS parameter checking was moved to lower level functions
That way all PKI callers get protected by the checks.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 27 Jul 2017 05:55:24 +0000 (07:55 +0200)]
signature security level checks were moved to lower level functions
That way all callers (including PKI functions) get protected by
the available checks.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 27 Jul 2017 05:19:36 +0000 (07:19 +0200)]
_wrap_nettle_pk_encrypt: return GNUTLS_E_INVALID_REQUEST on unsupported algorithms
That is a more specific error code than internal error.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 27 Jul 2017 05:10:22 +0000 (07:10 +0200)]
certtool: print signature algorithm in cert verification output
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 26 Jul 2017 15:51:00 +0000 (17:51 +0200)]
verify_crt: translate GNUTLS_E_CONSTRAINT_ERROR to verification status flag
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 26 Jul 2017 15:50:33 +0000 (17:50 +0200)]
x509/sign: in debugging mode print the signature algorithm
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 26 Jul 2017 15:34:14 +0000 (17:34 +0200)]
_gnutls_x509_validate_sign_params: use GNUTLS_E_CONSTRAINT_ERROR for mismatch of RSA-PSS parameters
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 26 Jul 2017 15:28:00 +0000 (17:28 +0200)]
_gnutls_x509_read_rsa_pss_params: fail early on unknown hash algorithms
Also utilize GNUTLS_E_CONSTRAINT_ERROR for signaling differences
between the hash functions.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 26 Jul 2017 14:55:02 +0000 (16:55 +0200)]
gnutls_pubkey_get_preferred_hash_algorithm: will take into account the RSA-PSS SPKI
In addition it will offer a SHA hash depending on the key size for
RSA public keys.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 26 Jul 2017 14:45:00 +0000 (16:45 +0200)]
certtool: sign_params_to_flags: use strtok to parse input
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 26 Jul 2017 13:41:51 +0000 (15:41 +0200)]
certtool: copy SPKI information from private key when available
That also addresses a bug due to which SPKI information was not set.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 26 Jul 2017 13:54:07 +0000 (15:54 +0200)]
x509/output: Subject Public Key parameters are printed just before actual key
That allows to easier figure out algorithm and basic parameters, rather
than having them at the end of long key output.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 26 Jul 2017 13:35:15 +0000 (15:35 +0200)]
gnutls_x509_crt_set_spki: be more verbose in parameter restrictions
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 26 Jul 2017 13:07:42 +0000 (15:07 +0200)]
_gnutls_privkey_update_spki_params: use GNUTLS_E_CONSTRAINT_ERROR on mismatch of hash
That is a more specific error code for hash mismatch between
public key information and signature. In addition only override
the salt size, if it is set to zero without the proper flags.
That prevents the update function from setting an invalid (lower)
than the expected size.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 26 Jul 2017 13:00:17 +0000 (15:00 +0200)]
cert-tests: use .tmp suffix for all tests
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 26 Jul 2017 12:43:15 +0000 (14:43 +0200)]
certtool: allow specifying RSA-PSS parameters for key generation
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 26 Jul 2017 12:56:36 +0000 (14:56 +0200)]
_gnutls_x509_write_rsa_pss_params: refuse to write RSA-PSS parameters we cannot use
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 26 Jul 2017 12:30:03 +0000 (14:30 +0200)]
certtool: group together common options
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 26 Jul 2017 11:41:46 +0000 (13:41 +0200)]
tests: modified to account new errors
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 26 Jul 2017 15:58:06 +0000 (17:58 +0200)]
gnutls_x509_*_get_signature_algorithm: simplified error handling
These functions were documented to return a negative error code
on failure, as well as GNUTLS_SIGN_UNKNOWN on unknown algorithms.
Simplify them by only returning GNUTLS_SIGN_UNKNOWN on all error
conditions.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 26 Jul 2017 11:24:52 +0000 (13:24 +0200)]
_gnutls_x509_get_signature_algorithm: return negative error code on unknown algorithm
This allows internal callers to quickly fail on errors.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 26 Jul 2017 11:40:31 +0000 (13:40 +0200)]
compare_sig_algorithm: modify to work even for certs with unsupported signature algorithm
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 26 Jul 2017 07:20:22 +0000 (09:20 +0200)]
pubkey_verify_hashed_data: simplified and made static
That also removes its ability to operate with the 'unknown'
signature algorithm, and forces the TLS 1.0 key exchange to
supply the right algorithm or flags.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 26 Jul 2017 07:16:03 +0000 (09:16 +0200)]
pubkey_verify_data: accept signature entry instead of PK and hash
That aligns better with current callers which know the signature
algorithm in use.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 27 Jul 2017 15:00:00 +0000 (17:00 +0200)]
NEWS: documented the SPKI handling functions
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 25 Jul 2017 11:42:12 +0000 (13:42 +0200)]
tests: added RSA and RSA PSS key unit tests
That is, test:
1. Whether RSA-PSS keys will refuse to sign with incompatible signature
2. Whether RSA-PSS public keys cannot be used for encryption
3. Whether RSA-PSS keys cannot be used for signing with PKCS#1 1.5
4. Whether an RSA key can be converted to an RSA-PSS one with the public APIs
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 25 Jul 2017 14:52:18 +0000 (16:52 +0200)]
certtool: do not print error on missing RSA-PSS parameters on key
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 27 Jul 2017 14:53:57 +0000 (16:53 +0200)]
Added convention for missing SubjectPublicKeyInfo params field
That is, when that field is missing, the spki_st structure field
pk will be set to GNUTLS_PK_UNKNOWN. In that case other fields
are undefined.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 25 Jul 2017 12:01:48 +0000 (14:01 +0200)]
*set_spki(): return error on incompatible algorithms
In addition update the public key algorithm field in the
respective structure.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 25 Jul 2017 14:33:26 +0000 (16:33 +0200)]
gnutls_x509_privkey_generate2: do not hardcode the RSA-PSS hash to SHA256
Instead use _gnutls_pk_bits_to_sha_hash() to set an appropriate hash
for the number of bits of the key. This matches better the "intention"
of RSA-PSS or tying the security parameter with the salt and hash.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 25 Jul 2017 12:14:49 +0000 (14:14 +0200)]
_decode_pkcs8_rsa_pss_key: ensure we set the PSS PK identifier
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 25 Jul 2017 11:38:34 +0000 (13:38 +0200)]
cleanup: removed duplicate parameter in gnutls_pubkey_st
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 25 Jul 2017 11:28:44 +0000 (13:28 +0200)]
gnutls_x509_privkey_int: eliminated duplicate pk_algorithm field
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 25 Jul 2017 11:34:50 +0000 (13:34 +0200)]
cleanup: removed unnecessary/duplicate parameters in _dsa_q_to_hash
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 25 Jul 2017 11:18:05 +0000 (13:18 +0200)]
cleanup: removed unnecessary/duplicate parameters in functions
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 25 Jul 2017 11:12:19 +0000 (13:12 +0200)]
cleanup: removed unnecessary/duplicate parameters in functions
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 25 Jul 2017 10:01:52 +0000 (12:01 +0200)]
abstract.h: added functions to read and write SPKI information
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 25 Jul 2017 09:48:58 +0000 (11:48 +0200)]
gnutls_x509_privkey_set_spki: introduced function to update SPKI on a key
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 24 Jul 2017 14:35:50 +0000 (16:35 +0200)]
tests: added unit test for the SPKI related functions
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 25 Jul 2017 09:37:04 +0000 (11:37 +0200)]
x509.h: Renamed SPKI related functions
This better reflects their purpose as providers of information
for subject public key. In addition use 'const' for fields that
should be left intact.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 25 Jul 2017 07:43:05 +0000 (09:43 +0200)]
tests: introduced RSA-PSS key exchange with a key fixed to rsa-pss with sha256
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 25 Jul 2017 08:06:10 +0000 (10:06 +0200)]
_gnutls_pubkey_compatible_with_sig: enforce RSA-PSS requirements
That is require that parameters in an RSA-PSS key which has them
explicitly set, are respected with regards to signature algorithm
negotiation.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 25 Jul 2017 07:39:32 +0000 (09:39 +0200)]
tests: eagain-common.h: remove superfluous information
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 12 Jul 2017 06:49:30 +0000 (08:49 +0200)]
tests: renamed tests for uniformity
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 24 Jul 2017 14:15:15 +0000 (16:15 +0200)]
tests: added unit test for RSA-PSS signing over PKCS#11
This requires a softhsm with support for RSA_PKCS_PSS mechanism.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 24 Jul 2017 14:05:36 +0000 (16:05 +0200)]
gnutls_pubkey_verify*: use common function to set RSA-PSS parameters
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 24 Jul 2017 09:21:34 +0000 (11:21 +0200)]
pkcs11: added support for signatures with RSA-PSS
Relates #209
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 25 Jul 2017 08:16:40 +0000 (10:16 +0200)]
gnutls_pk_params_st: renamed sign field to spki
The name "sign" was ambiguous with regard to its intended
use, as it could refer to digital signature parameters
which was not exactly the case. That field contains parameters
present in the subject public key info (SPKI), which could
be used in a digital signature, but not necessarily.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 24 Jul 2017 08:12:54 +0000 (10:12 +0200)]
Clarified the purpose of the spki params related functions
_gnutls_privkey_get_sign_params was renamed to _gnutls_privkey_get_spki_params,
_gnutls_privkey_update_sign_params to _gnutls_privkey_update_spki_params,
and the dig entry of gnutls_x509_spki_st was renamed to rsa_pss_dig.
The reason is that there could be a confusion on the purpose of
the 'dig' entry, as it could be assumed to be the signature's hash
algorithm in the general case. That could not be because the SPKI
parameters do not contain it for any other algorithm than RSA-PSS.
As such, make a logical separation from SPKI reading functions
with the signature reading functions and try to use the
gnutls_sign_entry_st when signature information is required.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 21 Jul 2017 21:56:20 +0000 (23:56 +0200)]
Pass the signature algorithm lower in the verification stack
This will allow enhancing the back-ends (PKCS#11 and ext) for
signing with the new signature algorithms like RSA-PSS and
Ed25519.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Thu, 3 Aug 2017 05:46:11 +0000 (07:46 +0200)]
fuzz: introduced mem.h with common callbacks for mem access
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Thu, 3 Aug 2017 05:38:13 +0000 (07:38 +0200)]
updated auto-generated files
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Mon, 31 Jul 2017 08:50:52 +0000 (10:50 +0200)]
fuzz: added SRP server and client fuzzers
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sun, 30 Jul 2017 01:01:08 +0000 (03:01 +0200)]
fuzz: introduced psk.h common header
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sun, 30 Jul 2017 00:48:11 +0000 (02:48 +0200)]
fuzz: added PSK server fuzzer
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sun, 30 Jul 2017 00:30:43 +0000 (02:30 +0200)]
fuzz: added PSK client fuzzer
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sun, 30 Jul 2017 00:12:19 +0000 (02:12 +0200)]
gnutls-cli: introduced options to save client and server traces
This allows to easier obtain traces for use in fuzzers.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sat, 29 Jul 2017 23:45:22 +0000 (01:45 +0200)]
fuzz: ported libidn2's main.c taking advantage of afl-clang-fast
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sat, 29 Jul 2017 23:55:43 +0000 (01:55 +0200)]
gnutls_system_recv_timeout: doc update
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Wed, 2 Aug 2017 18:52:57 +0000 (20:52 +0200)]
tlsfuzzer: enabled EC tests for x25519
That includes tests for default curve.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 21 Jul 2017 13:18:38 +0000 (15:18 +0200)]
tlsfuzzer: enabled test for ECDHE without the supported groups/EC extension
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 2 Aug 2017 15:25:17 +0000 (17:25 +0200)]
Set a default supported curve
RFC4492 and draft-ietf-tls-rfc4492bis-17 mention:
"A client that proposes ECC cipher suites may choose not to include these
extensions. In this case, the server is free to choose any one of
the elliptic curves or point formats listed in Section 5."
As such, we set a default curve to be used in the case the
server encounters a handshake with no supported groups/curves
extension.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 2 Aug 2017 10:58:48 +0000 (12:58 +0200)]
tlsfuzzer: removed duplicate tests
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 2 Aug 2017 10:55:24 +0000 (12:55 +0200)]
tlsfuzzer: fixed comment fields
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 11 Jul 2017 06:02:56 +0000 (08:02 +0200)]
doc update
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Mon, 24 Jul 2017 06:39:00 +0000 (08:39 +0200)]
updated auto-generated files
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 18 Jul 2017 06:13:00 +0000 (08:13 +0200)]
gnutls-cli: use FFDHE3072 parameters for benchmarking
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 1 Aug 2017 08:21:37 +0000 (10:21 +0200)]
_gnutls_figure_dh_params: do not use have_ffdhe flag
This flag is intended to indicate whether the peer has advertized
at least one FFDHE group, and not whether we have negotiated FFDHE.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 10 Jul 2017 10:23:55 +0000 (12:23 +0200)]
tests: added unit test for group listings in priority structure
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 10 Jul 2017 10:05:01 +0000 (12:05 +0200)]
tests: updated cipher-listings.sh for the new groups listing
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>