/*
* GnuTLS public key support
* Copyright (C) 2010-2012 Free Software Foundation, Inc.
* Copyright (C) 2017 Red Hat, Inc.
*
* Author: Nikos Mavrogiannopoulos
*
* The GnuTLS is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public License
* as published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>
*/
#include "gnutls_int.h"
#include <gnutls/pkcs11.h>
#include <stdio.h>
#include <string.h>
#include "errors.h"
#include <datum.h>
#include <pkcs11_int.h>
#include <gnutls/abstract.h>
#include <tls-sig.h>
#include <pk.h>
#include <x509_int.h>
#include <num.h>
#include <x509/common.h>
#include <x509_b64.h>
#include <abstract_int.h>
#include <fips.h>
#include "urls.h"
#include <ecc.h>
/* Forward declarations of two file-local (static) helpers; their
 * definitions are not shown in this part of the file. */
static int pubkey_verify_hashed_data(const gnutls_sign_entry_st *se,
				     const mac_entry_st *me,
				     const gnutls_datum_t *hash,
				     const gnutls_datum_t *signature,
				     gnutls_pk_params_st *params,
				     gnutls_x509_spki_st *sign_params,
				     unsigned flags);

static int pubkey_supports_sig(gnutls_pubkey_t pubkey,
			       const gnutls_sign_entry_st *se);
/* Return the size in bits of the public key described by @params.
 *
 * RSA and RSA-PSS report the bit length of the modulus, DSA the bit
 * length of P, and the ECDSA, EdDSA and GOST algorithms report
 * gnutls_ecc_curve_get_size() of the key's curve multiplied by 8.
 * Every other algorithm yields 0.
 *
 * @params is dereferenced unconditionally and must not be NULL.
 */
unsigned pubkey_to_bits(const gnutls_pk_params_st * params)
{
	unsigned bits = 0;

	switch (params->algo) {
	case GNUTLS_PK_RSA:
	case GNUTLS_PK_RSA_PSS:
		bits = _gnutls_mpi_get_nbits(params->params[RSA_MODULUS]);
		break;
	case GNUTLS_PK_DSA:
		bits = _gnutls_mpi_get_nbits(params->params[DSA_P]);
		break;
	case GNUTLS_PK_ECDSA:
	case GNUTLS_PK_EDDSA_ED25519:
	case GNUTLS_PK_EDDSA_ED448:
	case GNUTLS_PK_GOST_01:
	case GNUTLS_PK_GOST_12_256:
	case GNUTLS_PK_GOST_12_512:
		bits = gnutls_ecc_curve_get_size(params->curve) * 8;
		break;
	default:
		/* unknown or unsupported algorithm: report no size */
		break;
	}

	return bits;
}
/**
 * gnutls_pubkey_get_pk_algorithm:
 * @key: should contain a #gnutls_pubkey_t type
 * @bits: if not %NULL, receives the number of bits recorded for the key
 *
 * This function will return the public key algorithm of a public
 * key and, when @bits is provided, the number of bits stored in the
 * key, which indicates the security parameter of the key.
 *
 * Returns: a member of the #gnutls_pk_algorithm_t enumeration on
 *   success, or a negative error code on error.
 *
 * Since: 2.12.0
 **/
int gnutls_pubkey_get_pk_algorithm(gnutls_pubkey_t key, unsigned int *bits)
{
	/* @key is dereferenced without a NULL check; callers must pass a
	 * valid key. */
	if (bits != NULL) {
		*bits = key->bits;
	}

	return key->params.algo;
}
/**
 * gnutls_pubkey_get_key_usage:
 * @key: should contain a #gnutls_pubkey_t type
 * @usage: if not %NULL, receives the key usage value stored in @key
 *
 * This function will return the key usage of the public key.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 *   negative error value.
 *
 * Since: 2.12.0
 **/
int gnutls_pubkey_get_key_usage(gnutls_pubkey_t key, unsigned int *usage)
{
	/* @key is dereferenced without a NULL check; callers must pass a
	 * valid key. */
	if (usage != NULL) {
		*usage = key->key_usage;
	}

	return 0;
}
/**
 * gnutls_pubkey_init:
 * @key: A pointer to the type to be initialized
 *
 * This function will initialize a public key.  The structure is
 * obtained from gnutls_calloc() and stored in *@key; on allocation
 * failure *@key is left as %NULL.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 *   negative error value.
 *
 * Since: 2.12.0
 **/
int gnutls_pubkey_init(gnutls_pubkey_t * key)
{
	gnutls_pubkey_t fresh;

	FAIL_IF_LIB_ERROR;

	fresh = gnutls_calloc(1, sizeof(struct gnutls_pubkey_st));
	*key = fresh;
	if (fresh == NULL) {
		gnutls_assert();
		return GNUTLS_E_MEMORY_ERROR;
	}

	return 0;
}
/**
 * gnutls_pubkey_deinit:
 * @key: The key to be deinitialized
 *
 * This function will deinitialize a public key structure: the key
 * parameters are released and the structure itself is freed.  A %NULL
 * @key is accepted and ignored.
 *
 * Since: 2.12.0
 **/
void gnutls_pubkey_deinit(gnutls_pubkey_t key)
{
	if (key != NULL) {
		gnutls_pk_params_release(&key->params);
		gnutls_free(key);
	}
}
/**
 * gnutls_pubkey_import_x509:
 * @key: The public key
 * @crt: The certificate to be imported
 * @flags: should be zero
 *
 * This function will import the public key of the given certificate
 * to the abstract #gnutls_pubkey_t type.  Any parameters previously
 * held by @key are released first.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 *   negative error value.
 *
 * Since: 2.12.0
 **/
int
gnutls_pubkey_import_x509(gnutls_pubkey_t key, gnutls_x509_crt_t crt,
			  unsigned int flags)
{
	int algo;
	int ret;

	gnutls_pk_params_release(&key->params);
	/* params initialized in _gnutls_x509_crt_get_mpis */

	algo = gnutls_x509_crt_get_pk_algorithm(crt, &key->bits);
	if (algo < 0)
		return gnutls_assert_val(algo);

	key->params.algo = algo;

	/* A failure to read the key usage is not fatal: the usage is
	 * recorded as 0 and the import continues.
	 * NOTE(review): presumably later usage checks treat 0 as "no
	 * restriction" - confirm against the callers. */
	if (gnutls_x509_crt_get_key_usage(crt, &key->key_usage, NULL) < 0)
		key->key_usage = 0;

	ret = _gnutls_x509_crt_get_mpis(crt, &key->params);
	if (ret < 0) {
		gnutls_assert();
		return ret;
	}

	return 0;
}
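/**
 * gnutls_pubkey_import_x509_crq:
 * @key: The public key
 * @crq: The certificate request to be imported
 * @flags: should be zero
 *
 * This function will import the public key of the given certificate
 * request to the abstract #gnutls_pubkey_t type.  Any parameters
 * previously held by @key are released first.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 *   negative error value.
 *
 * Since: 3.1.5
 **/
int
gnutls_pubkey_import_x509_crq(gnutls_pubkey_t key, gnutls_x509_crq_t crq,
			      unsigned int flags)
{
	int ret;

	gnutls_pk_params_release(&key->params);
	/* params initialized in _gnutls_x509_crq_get_mpis */

	/* Check the result before storing it, as gnutls_pubkey_import_x509()
	 * does for certificates: a negative error code must not end up in
	 * params.algo, where it would be read back as an algorithm id. */
	ret = gnutls_x509_crq_get_pk_algorithm(crq, &key->bits);
	if (ret < 0)
		return gnutls_assert_val(ret);

	key->params.algo = ret;

	/* A failure to read the key usage is not fatal: the usage is
	 * recorded as 0 and the import continues. */
	ret = gnutls_x509_crq_get_key_usage(crq, &key->key_usage, NULL);
	if (ret < 0)
		key->key_usage = 0;

	ret = _gnutls_x509_crq_get_mpis(crq, &key->params);
	if (ret < 0) {
		gnutls_assert();
		return ret;
	}

	return 0;
}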
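/**
 * gnutls_pubkey_import_privkey:
 * @key: The public key
 * @pkey: The private key
 * @usage: GNUTLS_KEY_* key usage flags.
 * @flags: should be zero
 *
 * Imports the public key from a private. This function will import
 * the given public key to the abstract #gnutls_pubkey_t type.  Any
 * parameters previously held by @key are released first, and @usage
 * is stored as the key usage of @key.
 *
 * Note that in certain keys this operation may not be possible, e.g.,
 * in other than RSA PKCS#11 keys.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 *   negative error value.
 *
 * Since: 2.12.0
 **/
int
gnutls_pubkey_import_privkey(gnutls_pubkey_t key, gnutls_privkey_t pkey,
			     unsigned int usage, unsigned int flags)
{
	int ret;

	gnutls_pk_params_release(&key->params);
	gnutls_pk_params_init(&key->params);

	key->key_usage = usage;

	/* Check the result before storing it, as gnutls_pubkey_import_x509()
	 * does for certificates: a negative error code must not end up in
	 * params.algo, where it would be read back as an algorithm id. */
	ret = gnutls_privkey_get_pk_algorithm(pkey, &key->bits);
	if (ret < 0)
		return gnutls_assert_val(ret);

	key->params.algo = ret;

	return _gnutls_privkey_get_public_mpis(pkey, &key->params);
}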
/**
 * gnutls_pubkey_get_preferred_hash_algorithm:
 * @key: Holds the public key
 * @hash: The result of the call with the hash algorithm used for signature
 *   (may be %NULL)
 * @mand: If non zero it means that the algorithm MUST use this hash. May be NULL.
 *
 * This function will inspect the public key and return the appropriate
 * digest algorithm to use for signing with it. Some keys (e.g. DSA)
 * might not be able to sign without the preferred algorithm.
 *
 * To get the signature algorithm instead of just the hash use gnutls_pk_to_sign()
 * with the algorithm of the certificate/key and the provided @hash.
 *
 * Returns: 0 if the hash algorithm is found. A negative error code is
 *   returned on error.
 *
 * Since: 2.12.0
 **/
int
gnutls_pubkey_get_preferred_hash_algorithm(gnutls_pubkey_t key,
					   gnutls_digest_algorithm_t *
					   hash, unsigned int *mand)
{
	const mac_entry_st *me;
	int ret = 0;

	if (key == NULL) {
		gnutls_assert();
		return GNUTLS_E_INVALID_REQUEST;
	}

	/* The hash is optional unless a case below says otherwise. */
	if (mand != NULL)
		*mand = 0;

	switch (key->params.algo) {
	case GNUTLS_PK_DSA:
		if (mand != NULL)
			*mand = 1;
		FALLTHROUGH;
	case GNUTLS_PK_ECDSA:
		/* NOTE(review): the entry returned here is dereferenced
		 * without a NULL check - confirm _gnutls_dsa_q_to_hash()
		 * cannot return NULL for these algorithms. */
		me = _gnutls_dsa_q_to_hash(&key->params, NULL);
		if (hash != NULL)
			*hash = (gnutls_digest_algorithm_t)me->id;
		break;

	case GNUTLS_PK_EDDSA_ED25519:
		if (hash != NULL)
			*hash = GNUTLS_DIG_SHA512;
		break;

	case GNUTLS_PK_EDDSA_ED448:
		if (hash != NULL)
			*hash = GNUTLS_DIG_SHAKE_256;
		break;

	case GNUTLS_PK_GOST_01:
	case GNUTLS_PK_GOST_12_256:
	case GNUTLS_PK_GOST_12_512:
		if (hash != NULL)
			*hash = _gnutls_gost_digest(key->params.algo);
		if (mand != NULL)
			*mand = 1;
		break;

	case GNUTLS_PK_RSA_PSS:
		if (key->params.spki.rsa_pss_dig) {
			/* the key pins a digest: report it as mandatory */
			if (mand != NULL)
				*mand = 1;
			if (hash != NULL)
				*hash = key->params.spki.rsa_pss_dig;
		} else if (hash != NULL) {
			/* no digest pinned: derive one from the key size */
			*hash = _gnutls_pk_bits_to_sha_hash(pubkey_to_bits(&key->params));
		}
		break;

	case GNUTLS_PK_RSA:
		if (hash != NULL)
			*hash = _gnutls_pk_bits_to_sha_hash(pubkey_to_bits(&key->params));
		break;

	default:
		gnutls_assert();
		ret = GNUTLS_E_INTERNAL_ERROR;
	}

	return ret;
}
#ifdef ENABLE_PKCS11
/* Decode the DER-encoded EC_PARAMS attribute in @parameters and map it
 * to an EdDSA curve.
 *
 * The EC_PARAMS attribute can contain either printable string with curve
 * name or OID defined in RFC 8410.  Only Ed25519 and Ed448 are accepted:
 * by OID, or by the names "edwards25519" and "edwards448".
 *
 * On every path that reaches the cleanup label *@outcurve is written:
 * the recognized curve on success, GNUTLS_ECC_CURVE_INVALID otherwise.
 * If the ASN.1 element cannot be created at all, the function returns
 * early and leaves *@outcurve untouched.
 *
 * Returns GNUTLS_E_SUCCESS, GNUTLS_E_ECC_UNSUPPORTED_CURVE for any other
 * curve or CHOICE, or the translated ASN.1 error.
 */
static int
gnutls_pubkey_parse_ecc_eddsa_params(const gnutls_datum_t *parameters,
				     gnutls_ecc_curve_t *outcurve)
{
	gnutls_ecc_curve_t curve = GNUTLS_ECC_CURVE_INVALID;
	ASN1_TYPE asn1 = ASN1_TYPE_EMPTY;
	char str[MAX_OID_SIZE];
	int str_size;
	int is_oid, is_name;
	int ret;

	ret = asn1_create_element(_gnutls_get_gnutls_asn(),
				  "GNUTLS.pkcs-11-ec-Parameters", &asn1);
	if (ret != ASN1_SUCCESS) {
		gnutls_assert();
		return _gnutls_asn2err(ret);
	}

	ret = asn1_der_decoding(&asn1, parameters->data, parameters->size,
				NULL);
	if (ret != ASN1_SUCCESS) {
		gnutls_assert();
		ret = _gnutls_asn2err(ret);
		goto cleanup;
	}

	/* Read the name of the selected CHOICE; one byte of the buffer is
	 * held back so the terminator written below always fits. */
	str_size = sizeof(str) - 1;
	ret = asn1_read_value(asn1, "", str, &str_size);
	if (ret != ASN1_SUCCESS) {
		gnutls_assert();
		ret = _gnutls_asn2err(ret);
		goto cleanup;
	}
	str[str_size] = 0;

	is_oid = (strcmp(str, "oId") == 0);
	is_name = !is_oid && (strcmp(str, "curveName") == 0);

	str_size = sizeof(str) - 1;

	if (is_oid) {
		ret = asn1_read_value(asn1, "oId", str, &str_size);
		if (ret != ASN1_SUCCESS) {
			gnutls_assert();
			ret = _gnutls_asn2err(ret);
			goto cleanup;
		}

		curve = gnutls_oid_to_ecc_curve(str);
		if (curve == GNUTLS_ECC_CURVE_ED25519 ||
		    curve == GNUTLS_ECC_CURVE_ED448) {
			ret = GNUTLS_E_SUCCESS;
			goto cleanup;
		}

		/* a known OID, but not one usable for EdDSA */
		_gnutls_debug_log("Curve %s is not supported for EdDSA\n", str);
		gnutls_assert();
		curve = GNUTLS_ECC_CURVE_INVALID;
		ret = GNUTLS_E_ECC_UNSUPPORTED_CURVE;
		goto cleanup;
	}

	if (is_name) {
		ret = asn1_read_value(asn1, "curveName", str, &str_size);
		if (ret != ASN1_SUCCESS) {
			gnutls_assert();
			ret = _gnutls_asn2err(ret);
			goto cleanup;
		}

		/* The name is compared by explicit length; the buffer is not
		 * re-terminated after this read. */
		if (str_size == strlen("edwards25519") &&
		    strncmp(str, "edwards25519", str_size) == 0) {
			curve = GNUTLS_ECC_CURVE_ED25519;
			ret = GNUTLS_E_SUCCESS;
			goto cleanup;
		}
		if (str_size == strlen("edwards448") &&
		    strncmp(str, "edwards448", str_size) == 0) {
			curve = GNUTLS_ECC_CURVE_ED448;
			ret = GNUTLS_E_SUCCESS;
			goto cleanup;
		}
		/* unrecognized curve name: handled as unsupported below */
	}

	/* Neither of CHOICEs found. Fail */
	gnutls_assert();
	ret = GNUTLS_E_ECC_UNSUPPORTED_CURVE;
	curve = GNUTLS_ECC_CURVE_INVALID;

 cleanup:
	asn1_delete_structure(&asn1);
	*outcurve = curve;
	return ret;
}
/* Import an EdDSA public key into @key from two DER-encoded values:
 * @parameters selects the curve (decoded by
 * gnutls_pubkey_parse_ecc_eddsa_params()) and @ecpoint is an OCTET STRING
 * wrapping the raw public point.
 *
 * The decoded point is a temporary buffer that is freed on every path
 * after the curve has been parsed.
 *
 * Returns the result of gnutls_pubkey_import_ecc_raw(), or the negative
 * error code of whichever decoding step failed.
 */
static int
gnutls_pubkey_import_ecc_eddsa(gnutls_pubkey_t key,
			       const gnutls_datum_t * parameters,
			       const gnutls_datum_t * ecpoint)
{
	gnutls_ecc_curve_t curve = GNUTLS_ECC_CURVE_INVALID;
	gnutls_datum_t raw_point = {NULL, 0};
	int ret;

	ret = gnutls_pubkey_parse_ecc_eddsa_params(parameters, &curve);
	if (ret < 0) {
		return gnutls_assert_val(ret);
	}

	ret = _gnutls_x509_decode_string(ASN1_ETYPE_OCTET_STRING,
					 ecpoint->data, ecpoint->size,
					 &raw_point, 0);
	if (ret < 0) {
		gnutls_assert();
	} else {
		ret = gnutls_pubkey_import_ecc_raw(key, curve, &raw_point, NULL);
	}

	gnutls_free(raw_point.data);
	return ret;
}
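/**
 * gnutls_pubkey_import_pkcs11:
 * @key: The public key
 * @obj: The PKCS #11 object to be imported; it must be a public key
 *   object or an X.509 certificate object
 * @flags: should be zero
 *
 * Imports a public key from a pkcs11 key. This function will import
 * the given public key to the abstract #gnutls_pubkey_t type.  For a
 * certificate object the key is taken from the certificate; for a
 * public key object it is built from the raw values stored in @obj.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 *   negative error value.  Objects of any other type are rejected with
 *   %GNUTLS_E_INVALID_REQUEST, and public key algorithms not handled
 *   here with %GNUTLS_E_UNIMPLEMENTED_FEATURE.
 *
 * Since: 2.12.0
 **/
int
gnutls_pubkey_import_pkcs11(gnutls_pubkey_t key,
			    gnutls_pkcs11_obj_t obj, unsigned int flags)
{
	int ret, type;

	type = gnutls_pkcs11_obj_get_type(obj);
	if (type != GNUTLS_PKCS11_OBJ_PUBKEY
	    && type != GNUTLS_PKCS11_OBJ_X509_CRT) {
		gnutls_assert();
		return GNUTLS_E_INVALID_REQUEST;
	}

	if (type == GNUTLS_PKCS11_OBJ_X509_CRT) {
		gnutls_x509_crt_t xcrt;

		ret = gnutls_x509_crt_init(&xcrt);
		if (ret < 0) {
			/* The terminating ';' is written out here instead of
			 * relying on the gnutls_assert() macro to supply it. */
			gnutls_assert();
			return ret;
		}

		ret = gnutls_x509_crt_import_pkcs11(xcrt, obj);
		if (ret < 0) {
			gnutls_assert();
			goto cleanup_crt;
		}

		ret = gnutls_pubkey_import_x509(key, xcrt, 0);
		if (ret < 0) {
			gnutls_assert();
			goto cleanup_crt;
		}

		/* A failure to read the key usage is not fatal: the usage
		 * is recorded as 0. */
		ret = gnutls_x509_crt_get_key_usage(xcrt, &key->key_usage, NULL);
		if (ret < 0)
			key->key_usage = 0;

		ret = 0;
 cleanup_crt:
		/* the temporary certificate is released on every path */
		gnutls_x509_crt_deinit(xcrt);
		return ret;
	}

	/* Public key object: the usage and the raw key values come
	 * directly from the PKCS #11 object. */
	key->key_usage = obj->key_usage;

	switch (obj->pk_algorithm) {
	case GNUTLS_PK_RSA:
	case GNUTLS_PK_RSA_PSS:
		ret = gnutls_pubkey_import_rsa_raw(key, &obj->pubkey[0],
						   &obj->pubkey[1]);
		break;
	case GNUTLS_PK_DSA:
		ret = gnutls_pubkey_import_dsa_raw(key, &obj->pubkey[0],
						   &obj->pubkey[1],
						   &obj->pubkey[2],
						   &obj->pubkey[3]);
		break;
	case GNUTLS_PK_EC:
		ret = gnutls_pubkey_import_ecc_x962(key, &obj->pubkey[0],
						    &obj->pubkey[1]);
		break;
	case GNUTLS_PK_EDDSA_ED25519:
		ret = gnutls_pubkey_import_ecc_eddsa(key, &obj->pubkey[0],
						     &obj->pubkey[1]);
		break;
	default:
		gnutls_assert();
		return GNUTLS_E_UNIMPLEMENTED_FEATURE;
	}

	if (ret < 0) {
		gnutls_assert();
		return ret;
	}

	return 0;
}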
#endif /* ENABLE_PKCS11 */
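/**
 * gnutls_pubkey_export:
 * @key: Holds the public key
 * @format: the format of output params. One of PEM or DER.
 * @output_data: will contain the public key, PEM or DER encoded
 * @output_data_size: holds the size of output_data (and will be
 *   replaced by the actual size of parameters)
 *
 * This function will export the public key to DER or PEM format.
 * The contents of the exported data is the SubjectPublicKeyInfo
 * X.509 structure.
 *
 * If the buffer provided is not long enough to hold the output, then
 * *output_data_size is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER will
 * be returned.
 *
 * If the structure is PEM encoded, it is written with the PEM_PK
 * label, the one gnutls_pubkey_import() decodes and documents as
 * "PUBLIC KEY"; it is not a "BEGIN CERTIFICATE" block.
 *
 * Only @key is checked for %NULL here; @output_data_size is handed to
 * the internal export helper as given.
 *
 * Returns: In case of failure a negative error code will be
 * returned, and 0 on success.
 *
 * Since: 2.12.0
 **/
int
gnutls_pubkey_export(gnutls_pubkey_t key,
		     gnutls_x509_crt_fmt_t format, void *output_data,
		     size_t * output_data_size)
{
	int result;
	ASN1_TYPE spk = ASN1_TYPE_EMPTY;

	if (key == NULL) {
		gnutls_assert();
		return GNUTLS_E_INVALID_REQUEST;
	}

	/* Scratch SubjectPublicKeyInfo element; released at cleanup. */
	if ((result = asn1_create_element
	     (_gnutls_get_pkix(), "PKIX1.SubjectPublicKeyInfo", &spk))
	    != ASN1_SUCCESS) {
		gnutls_assert();
		return _gnutls_asn2err(result);
	}

	/* Fill the element from the key's parameters. */
	result =
	    _gnutls_x509_encode_and_copy_PKI_params(spk, "",
						    &key->params);
	if (result < 0) {
		gnutls_assert();
		goto cleanup;
	}

	/* Serialise into the caller's buffer in the requested format. */
	result = _gnutls_x509_export_int_named(spk, "",
					       format, PEM_PK,
					       output_data,
					       output_data_size);
	if (result < 0) {
		gnutls_assert();
		goto cleanup;
	}

	result = 0;

      cleanup:
	/* The listing showed this call as "&spk;;" (an entity-mangled
	 * "&spk);"); restored so the element is freed on every path
	 * that created it. */
	asn1_delete_structure(&spk);

	return result;
}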
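/**
 * gnutls_pubkey_export2:
 * @key: Holds the public key
 * @format: the format of output params. One of PEM or DER.
 * @out: will contain the public key, PEM or DER encoded
 *
 * This function will export the public key to DER or PEM format.
 * The contents of the exported data is the SubjectPublicKeyInfo
 * X.509 structure.
 *
 * The output buffer will be allocated using gnutls_malloc(); the
 * caller owns it and releases it with gnutls_free().
 *
 * If the structure is PEM encoded, it is written with the PEM_PK
 * label, the one gnutls_pubkey_import() decodes and documents as
 * "PUBLIC KEY"; it is not a "BEGIN CERTIFICATE" block.
 *
 * Only @key is checked for %NULL here; @out is handed to the internal
 * export helper as given.
 *
 * Returns: In case of failure a negative error code will be
 * returned, and 0 on success.
 *
 * Since: 3.1.3
 **/
int
gnutls_pubkey_export2(gnutls_pubkey_t key,
		      gnutls_x509_crt_fmt_t format, gnutls_datum_t * out)
{
	int result;
	ASN1_TYPE spk = ASN1_TYPE_EMPTY;

	if (key == NULL) {
		gnutls_assert();
		return GNUTLS_E_INVALID_REQUEST;
	}

	/* Scratch SubjectPublicKeyInfo element; released at cleanup. */
	if ((result = asn1_create_element
	     (_gnutls_get_pkix(), "PKIX1.SubjectPublicKeyInfo", &spk))
	    != ASN1_SUCCESS) {
		gnutls_assert();
		return _gnutls_asn2err(result);
	}

	/* Fill the element from the key's parameters. */
	result =
	    _gnutls_x509_encode_and_copy_PKI_params(spk, "",
						    &key->params);
	if (result < 0) {
		gnutls_assert();
		goto cleanup;
	}

	/* Serialise into @out in the requested format. */
	result = _gnutls_x509_export_int_named2(spk, "",
						format, PEM_PK,
						out);
	if (result < 0) {
		gnutls_assert();
		goto cleanup;
	}

	result = 0;

      cleanup:
	/* The listing showed this call as "&spk;;" (an entity-mangled
	 * "&spk);"); restored so the element is freed on every path
	 * that created it. */
	asn1_delete_structure(&spk);

	return result;
}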
/**
 * gnutls_pubkey_get_key_id:
 * @key: Holds the public key
 * @flags: should be one of the flags from %gnutls_keyid_flags_t
 * @output_data: will contain the key ID
 * @output_data_size: holds the size of output_data (and will be
 *   replaced by the actual size of parameters)
 *
 * This function will return a unique ID that depends on the public
 * key parameters. This ID can be used in checking whether a
 * certificate corresponds to the given public key.
 *
 * If the buffer provided is not long enough to hold the output, then
 * *output_data_size is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER will
 * be returned. The output will normally be a SHA-1 hash output,
 * which is 20 bytes.
 *
 * @flags is passed unchanged to the internal helper. Where the ID has
 * to resist collisions rather than only serve as a lookup handle,
 * request a stronger hash than the SHA-1 default (for example
 * %GNUTLS_KEYID_USE_SHA256) and size the buffer for that digest.
 *
 * Returns: In case of failure a negative error code will be
 * returned, and 0 on success.
 *
 * Since: 2.12.0
 **/
int
gnutls_pubkey_get_key_id(gnutls_pubkey_t key, unsigned int flags,
			 unsigned char *output_data,
			 size_t * output_data_size)
{
	int rc;

	if (key == NULL) {
		gnutls_assert();
		return GNUTLS_E_INVALID_REQUEST;
	}

	rc = _gnutls_get_key_id(&key->params, output_data,
				output_data_size, flags);
	if (rc >= 0) {
		/* Any non-negative helper result is reported as 0. */
		return 0;
	}

	gnutls_assert();
	return rc;
}
/**
 * gnutls_pubkey_export_rsa_raw2:
 * @key: Holds the public key
 * @m: will hold the modulus (may be %NULL)
 * @e: will hold the public exponent (may be %NULL)
 * @flags: flags from %gnutls_abstract_export_flags_t
 *
 * This function will export the RSA public key's parameters found in
 * the given structure. The new parameters will be allocated using
 * gnutls_malloc() and will be stored in the appropriate datum.
 *
 * If exporting @e fails, the modulus already stored in @m is freed
 * before the error is returned.
 *
 * This function allows for %NULL parameters since 3.4.1.
 *
 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
 *
 * Since: 3.6.0
 **/
int
gnutls_pubkey_export_rsa_raw2(gnutls_pubkey_t key,
			      gnutls_datum_t * m, gnutls_datum_t * e,
			      unsigned flags)
{
	mpi_dprint_func dprint;
	int rc;

	/* %GNUTLS_EXPORT_FLAG_NO_LZ swaps the default "_lz" printer for
	 * the plain one (presumably dropping a leading zero byte;
	 * confirm against the printers' definitions). */
	dprint = (flags & GNUTLS_EXPORT_FLAG_NO_LZ) ?
	    _gnutls_mpi_dprint : _gnutls_mpi_dprint_lz;

	if (key == NULL || !GNUTLS_PK_IS_RSA(key->params.algo)) {
		gnutls_assert();
		return GNUTLS_E_INVALID_REQUEST;
	}

	/* params[0] is exported as the modulus. */
	if (m != NULL) {
		rc = dprint(key->params.params[0], m);
		if (rc < 0) {
			gnutls_assert();
			return rc;
		}
	}

	/* params[1] is exported as the public exponent. */
	if (e != NULL) {
		rc = dprint(key->params.params[1], e);
		if (rc < 0) {
			gnutls_assert();
			/* NOTE(review): m may be NULL here when the caller
			 * asked only for e; this relies on
			 * _gnutls_free_datum() accepting NULL - confirm. */
			_gnutls_free_datum(m);
			return rc;
		}
	}

	return 0;
}
/**
 * gnutls_pubkey_export_rsa_raw:
 * @key: Holds the public key
 * @m: will hold the modulus (may be %NULL)
 * @e: will hold the public exponent (may be %NULL)
 *
 * This function will export the RSA public key's parameters found in
 * the given structure. The new parameters will be allocated using
 * gnutls_malloc() and will be stored in the appropriate datum.
 *
 * It forwards to gnutls_pubkey_export_rsa_raw2() with no flags set.
 *
 * This function allows for %NULL parameters since 3.4.1.
 *
 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
 *
 * Since: 3.3.0
 **/
int
gnutls_pubkey_export_rsa_raw(gnutls_pubkey_t key,
			     gnutls_datum_t * m, gnutls_datum_t * e)
{
	/* No export flags: the default encoding of the raw2 variant. */
	const unsigned default_flags = 0;

	return gnutls_pubkey_export_rsa_raw2(key, m, e, default_flags);
}
/**
 * gnutls_pubkey_export_dsa_raw:
 * @key: Holds the public key
 * @p: will hold the p (may be %NULL)
 * @q: will hold the q (may be %NULL)
 * @g: will hold the g (may be %NULL)
 * @y: will hold the y (may be %NULL)
 *
 * This function will export the DSA public key's parameters found in
 * the given key. The new parameters will be allocated using
 * gnutls_malloc() and will be stored in the appropriate datum.
 *
 * It forwards to gnutls_pubkey_export_dsa_raw2() with no flags set.
 *
 * This function allows for %NULL parameters since 3.4.1.
 *
 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
 *
 * Since: 3.3.0
 **/
int
gnutls_pubkey_export_dsa_raw(gnutls_pubkey_t key,
			     gnutls_datum_t * p, gnutls_datum_t * q,
			     gnutls_datum_t * g, gnutls_datum_t * y)
{
	/* No export flags: the default encoding of the raw2 variant. */
	const unsigned default_flags = 0;

	return gnutls_pubkey_export_dsa_raw2(key, p, q, g, y,
					     default_flags);
}
/**
 * gnutls_pubkey_export_dsa_raw2:
 * @key: Holds the public key
 * @p: will hold the p (may be %NULL)
 * @q: will hold the q (may be %NULL)
 * @g: will hold the g (may be %NULL)
 * @y: will hold the y (may be %NULL)
 * @flags: flags from %gnutls_abstract_export_flags_t
 *
 * This function will export the DSA public key's parameters found in
 * the given key. The new parameters will be allocated using
 * gnutls_malloc() and will be stored in the appropriate datum.
 *
 * The values are exported in the order p, q, g, y. When one export
 * fails, the datums filled before it are freed and the error is
 * returned.
 *
 * This function allows for %NULL parameters since 3.4.1.
 *
 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
 *
 * Since: 3.6.0
 **/
int
gnutls_pubkey_export_dsa_raw2(gnutls_pubkey_t key,
			      gnutls_datum_t * p, gnutls_datum_t * q,
			      gnutls_datum_t * g, gnutls_datum_t * y,
			      unsigned flags)
{
	mpi_dprint_func dprint;
	int rc;

	/* %GNUTLS_EXPORT_FLAG_NO_LZ swaps the default "_lz" printer for
	 * the plain one (presumably dropping a leading zero byte;
	 * confirm against the printers' definitions). */
	dprint = (flags & GNUTLS_EXPORT_FLAG_NO_LZ) ?
	    _gnutls_mpi_dprint : _gnutls_mpi_dprint_lz;

	if (key == NULL || key->params.algo != GNUTLS_PK_DSA) {
		gnutls_assert();
		return GNUTLS_E_INVALID_REQUEST;
	}

	/* P */
	if (p != NULL) {
		rc = dprint(key->params.params[0], p);
		if (rc < 0) {
			gnutls_assert();
			return rc;
		}
	}

	/* Q */
	if (q != NULL) {
		rc = dprint(key->params.params[1], q);
		if (rc < 0) {
			gnutls_assert();
			goto undo_p;
		}
	}

	/* G */
	if (g != NULL) {
		rc = dprint(key->params.params[2], g);
		if (rc < 0) {
			gnutls_assert();
			goto undo_q;
		}
	}

	/* Y */
	if (y != NULL) {
		rc = dprint(key->params.params[3], y);
		if (rc < 0) {
			gnutls_assert();
			goto undo_g;
		}
	}

	return 0;

	/* Unwind: each label frees what was exported before the failing
	 * step. NOTE(review): any of these pointers may be NULL when the
	 * caller skipped that value; this relies on _gnutls_free_datum()
	 * accepting NULL - confirm. */
      undo_g:
	_gnutls_free_datum(g);
      undo_q:
	_gnutls_free_datum(q);
      undo_p:
	_gnutls_free_datum(p);
	return rc;
}
/**
 * gnutls_pubkey_export_ecc_raw:
 * @key: Holds the public key
 * @curve: will hold the curve (may be %NULL)
 * @x: will hold x-coordinate (may be %NULL)
 * @y: will hold y-coordinate (may be %NULL)
 *
 * This function will export the ECC public key's parameters found in
 * the given key. The new parameters will be allocated using
 * gnutls_malloc() and will be stored in the appropriate datum.
 *
 * In EdDSA curves the @y parameter will be %NULL and the other parameters
 * will be in the native format for the curve.
 *
 * It forwards to gnutls_pubkey_export_ecc_raw2() with no flags set.
 *
 * This function allows for %NULL parameters since 3.4.1.
 *
 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
 *
 * Since: 3.0
 **/
int
gnutls_pubkey_export_ecc_raw(gnutls_pubkey_t key,
			     gnutls_ecc_curve_t * curve,
			     gnutls_datum_t * x, gnutls_datum_t * y)
{
	/* No export flags: the default encoding of the raw2 variant. */
	const unsigned int default_flags = 0;

	return gnutls_pubkey_export_ecc_raw2(key, curve, x, y,
					     default_flags);
}
/**
 * gnutls_pubkey_export_ecc_raw2:
 * @key: Holds the public key
 * @curve: will hold the curve (may be %NULL)
 * @x: will hold x-coordinate (may be %NULL)
 * @y: will hold y-coordinate (may be %NULL)
 * @flags: flags from %gnutls_abstract_export_flags_t
 *
 * This function will export the ECC public key's parameters found in
 * the given key. The new parameters will be allocated using
 * gnutls_malloc() and will be stored in the appropriate datum.
 *
 * In EdDSA curves the @y parameter will be %NULL (its data pointer is
 * cleared and its size set to 0) and @x receives a copy of the raw
 * public key in the native format for the curve; @flags is not applied
 * on that path.
 *
 * This function allows for %NULL parameters since 3.4.1.
 *
 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
 *
 * Since: 3.6.0
 **/
int
gnutls_pubkey_export_ecc_raw2(gnutls_pubkey_t key,
			      gnutls_ecc_curve_t * curve,
			      gnutls_datum_t * x, gnutls_datum_t * y,
			      unsigned int flags)
{
	mpi_dprint_func dprint;
	int rc;

	/* %GNUTLS_EXPORT_FLAG_NO_LZ swaps the default "_lz" printer for
	 * the plain one (presumably dropping a leading zero byte;
	 * confirm against the printers' definitions). */
	dprint = (flags & GNUTLS_EXPORT_FLAG_NO_LZ) ?
	    _gnutls_mpi_dprint : _gnutls_mpi_dprint_lz;

	if (key == NULL || !IS_EC(key->params.algo)) {
		gnutls_assert();
		return GNUTLS_E_INVALID_REQUEST;
	}

	if (curve != NULL)
		*curve = key->params.curve;

	switch (key->params.algo) {
	case GNUTLS_PK_EDDSA_ED25519:
	case GNUTLS_PK_EDDSA_ED448:
		/* EdDSA: the key is one raw byte string, copied to x. */
		if (x != NULL) {
			rc = _gnutls_set_datum(x, key->params.raw_pub.data,
					       key->params.raw_pub.size);
			if (rc < 0)
				return gnutls_assert_val(rc);
		}
		if (y != NULL) {
			y->size = 0;
			y->data = NULL;
		}
		return 0;
	default:
		break;
	}

	/* ECDSA */

	/* X */
	if (x != NULL) {
		rc = dprint(key->params.params[ECC_X], x);
		if (rc < 0) {
			gnutls_assert();
			return rc;
		}
	}

	/* Y */
	if (y != NULL) {
		rc = dprint(key->params.params[ECC_Y], y);
		if (rc < 0) {
			gnutls_assert();
			/* NOTE(review): x may be NULL here; this relies on
			 * _gnutls_free_datum() accepting NULL - confirm. */
			_gnutls_free_datum(x);
			return rc;
		}
	}

	return 0;
}
/**
 * gnutls_pubkey_export_ecc_x962:
 * @key: Holds the public key
 * @parameters: DER encoding of an ANSI X9.62 parameters
 * @ecpoint: DER encoding of ANSI X9.62 ECPoint
 *
 * This function will export the ECC public key's parameters found in
 * the given key. The new parameters will be allocated using
 * gnutls_malloc() and will be stored in the appropriate datum.
 *
 * Only keys whose algorithm is %GNUTLS_PK_EC are accepted. Unlike the
 * raw export functions, @parameters and @ecpoint are not checked for
 * %NULL here before being handed to the encoders.
 *
 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
 *
 * Since: 3.3.0
 **/
int gnutls_pubkey_export_ecc_x962(gnutls_pubkey_t key,
				  gnutls_datum_t * parameters,
				  gnutls_datum_t * ecpoint)
{
	gnutls_datum_t raw_point = { NULL, 0 };
	int rc;

	if (key == NULL || key->params.algo != GNUTLS_PK_EC)
		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);

	/* Unwrapped point bytes; a temporary that is always freed below. */
	rc = _gnutls_x509_write_ecc_pubkey(&key->params, &raw_point);
	if (rc < 0)
		return gnutls_assert_val(rc);

	rc = _gnutls_x509_encode_string(ASN1_ETYPE_OCTET_STRING,
					raw_point.data, raw_point.size,
					ecpoint);
	if (rc < 0) {
		gnutls_assert();
	} else {
		rc = _gnutls_x509_write_ecc_params(key->params.curve,
						   parameters);
		if (rc < 0) {
			/* Drop the point that was already produced. */
			_gnutls_free_datum(ecpoint);
			gnutls_assert();
		} else {
			rc = 0;
		}
	}

	gnutls_free(raw_point.data);
	return rc;
}
/**
 * gnutls_pubkey_export_gost_raw2:
 * @key: Holds the public key
 * @curve: will hold the curve (may be %NULL)
 * @digest: will hold the digest algorithm (may be %NULL)
 * @paramset: will hold the parameters id (may be %NULL)
 * @x: will hold the x-coordinate (may be %NULL)
 * @y: will hold the y-coordinate (may be %NULL)
 * @flags: flags from %gnutls_abstract_export_flags_t
 *
 * This function will export the GOST public key's parameters found in
 * the given key. The new parameters will be allocated using
 * gnutls_malloc() and will be stored in the appropriate datum.
 *
 * Note: parameters will be stored with least significant byte first. On
 * version 3.6.3 this was incorrectly returned in big-endian format.
 *
 * @flags is accepted but not consulted in this function; the
 * coordinates are always written by the little-endian printer.
 *
 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
 *
 * Since: 3.6.3
 **/
int
gnutls_pubkey_export_gost_raw2(gnutls_pubkey_t key,
			       gnutls_ecc_curve_t * curve,
			       gnutls_digest_algorithm_t * digest,
			       gnutls_gost_paramset_t * paramset,
			       gnutls_datum_t * x, gnutls_datum_t * y,
			       unsigned int flags)
{
	mpi_dprint_func dprint = _gnutls_mpi_dprint_le;
	int rc;

	if (key == NULL) {
		gnutls_assert();
		return GNUTLS_E_INVALID_REQUEST;
	}

	switch (key->params.algo) {
	case GNUTLS_PK_GOST_01:
	case GNUTLS_PK_GOST_12_256:
	case GNUTLS_PK_GOST_12_512:
		break;
	default:
		gnutls_assert();
		return GNUTLS_E_INVALID_REQUEST;
	}

	if (curve != NULL)
		*curve = key->params.curve;

	/* The digest is derived from the key algorithm. */
	if (digest != NULL)
		*digest = _gnutls_gost_digest(key->params.algo);

	if (paramset != NULL)
		*paramset = key->params.gost_params;

	/* X */
	if (x != NULL) {
		rc = dprint(key->params.params[GOST_X], x);
		if (rc < 0) {
			gnutls_assert();
			return rc;
		}
	}

	/* Y */
	if (y != NULL) {
		rc = dprint(key->params.params[GOST_Y], y);
		if (rc < 0) {
			gnutls_assert();
			/* NOTE(review): x may be NULL here; this relies on
			 * _gnutls_free_datum() accepting NULL - confirm. */
			_gnutls_free_datum(x);
			return rc;
		}
	}

	return 0;
}
/**
* gnutls_pubkey_import:
* @key: The public key.
* @data: The DER or PEM encoded public key (SubjectPublicKeyInfo).
* @format: One of DER or PEM
*
* This function will import the provided public key in
* a SubjectPublicKeyInfo X.509 structure to a native
* %gnutls_pubkey_t type. The output will be stored
* in @key. If the public key is PEM encoded it should have a header
* of "PUBLIC KEY".
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
*
* Since: 2.12.0
**/
int
gnutls_pubkey_import(gnutls_pubkey_t key,
const gnutls_datum_t * data,
|
|
Packit Service |
4684c1 |
gnutls_x509_crt_fmt_t format)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
int result = 0, need_free = 0;
|
|
Packit Service |
4684c1 |
gnutls_datum_t _data;
|
|
Packit Service |
4684c1 |
ASN1_TYPE spk;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (key == NULL) {
|
|
Packit Service |
4684c1 |
gnutls_assert();
|
|
Packit Service |
4684c1 |
return GNUTLS_E_INVALID_REQUEST;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
_data.data = data->data;
|
|
Packit Service |
4684c1 |
_data.size = data->size;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* If the Certificate is in PEM format then decode it
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
if (format == GNUTLS_X509_FMT_PEM) {
|
|
Packit Service |
4684c1 |
/* Try the first header */
|
|
Packit Service |
4684c1 |
result =
|
|
Packit Service |
4684c1 |
_gnutls_fbase64_decode(PEM_PK, data->data,
|
|
Packit Service |
4684c1 |
data->size, &_data);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (result < 0) {
|
|
Packit Service |
4684c1 |
gnutls_assert();
|
|
Packit Service |
4684c1 |
return result;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
need_free = 1;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if ((result = asn1_create_element
|
|
Packit Service |
4684c1 |
(_gnutls_get_pkix(), "PKIX1.SubjectPublicKeyInfo", &spk))
|
|
Packit Service |
4684c1 |
!= ASN1_SUCCESS) {
|
|
Packit Service |
4684c1 |
gnutls_assert();
|
|
Packit Service |
4684c1 |
result = _gnutls_asn2err(result);
|
|
Packit Service |
4684c1 |
goto cleanup;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
result = _asn1_strict_der_decode(&spk, _data.data, _data.size, NULL);
|
|
Packit Service |
4684c1 |
if (result != ASN1_SUCCESS) {
|
|
Packit Service |
4684c1 |
gnutls_assert();
|
|
Packit Service |
4684c1 |
result = _gnutls_asn2err(result);
|
|
Packit Service |
4684c1 |
goto cleanup;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
result = _gnutls_get_asn_mpis(spk, "", &key->params);
|
|
Packit Service |
4684c1 |
if (result < 0) {
|
|
Packit Service |
4684c1 |
gnutls_assert();
|
|
Packit Service |
4684c1 |
goto cleanup;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
key->bits = pubkey_to_bits(&key->params);
|
|
Packit Service |
4684c1 |
result = 0;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
cleanup:
|
|
Packit Service |
4684c1 |
asn1_delete_structure(&spk;;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (need_free)
|
|
Packit Service |
4684c1 |
_gnutls_free_datum(&_data);
|
|
Packit Service |
4684c1 |
return result;
|
|
Packit Service |
4684c1 |
}
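/**
 * gnutls_x509_crt_set_pubkey:
 * @crt: should contain a #gnutls_x509_crt_t type
 * @key: holds a public key
 *
 * This function will set the public parameters from the given public
 * key to the certificate. The @key can be deallocated after that.
 * If @key carries key usage flags, they are also set on the certificate.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 *   negative error value. %GNUTLS_E_INVALID_REQUEST is returned when
 *   @crt or @key is %NULL.
 *
 * Since: 2.12.0
 **/
int gnutls_x509_crt_set_pubkey(gnutls_x509_crt_t crt, gnutls_pubkey_t key)
{
	int result;

	/* @key is dereferenced below, so it is validated along with @crt. */
	if (crt == NULL || key == NULL) {
		gnutls_assert();
		return GNUTLS_E_INVALID_REQUEST;
	}

	result = _gnutls_x509_encode_and_copy_PKI_params(crt->cert,
							 "tbsCertificate.subjectPublicKeyInfo",
							 &key->params);

	if (result < 0) {
		gnutls_assert();
		return result;
	}

	if (key->key_usage) {
		/* Report a failure here instead of dropping it: otherwise
		 * the certificate would be produced without the key usage
		 * restriction the caller asked for, and nobody would know. */
		result = gnutls_x509_crt_set_key_usage(crt, key->key_usage);
		if (result < 0)
			return gnutls_assert_val(result);
	}

	return 0;
}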
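/**
 * gnutls_x509_crq_set_pubkey:
 * @crq: should contain a #gnutls_x509_crq_t type
 * @key: holds a public key
 *
 * This function will set the public parameters from the given public
 * key to the request. The @key can be deallocated after that.
 * If @key carries key usage flags, they are also set on the request.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 *   negative error value. %GNUTLS_E_INVALID_REQUEST is returned when
 *   @crq or @key is %NULL.
 *
 * Since: 2.12.0
 **/
int gnutls_x509_crq_set_pubkey(gnutls_x509_crq_t crq, gnutls_pubkey_t key)
{
	int result;

	/* @key is dereferenced below, so it is validated along with @crq. */
	if (crq == NULL || key == NULL) {
		gnutls_assert();
		return GNUTLS_E_INVALID_REQUEST;
	}

	result = _gnutls_x509_encode_and_copy_PKI_params
	    (crq->crq,
	     "certificationRequestInfo.subjectPKInfo",
	     &key->params);

	if (result < 0) {
		gnutls_assert();
		return result;
	}

	if (key->key_usage) {
		/* Report a failure here instead of dropping it: otherwise
		 * the request would go out without the key usage the
		 * caller asked for, and nobody would know. */
		result = gnutls_x509_crq_set_key_usage(crq, key->key_usage);
		if (result < 0)
			return gnutls_assert_val(result);
	}

	return 0;
}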
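/**
 * gnutls_pubkey_set_key_usage:
 * @key: a public key of type #gnutls_pubkey_t
 * @usage: an ORed sequence of the GNUTLS_KEY_* elements.
 *
 * This function will set the key usage flags of the public key. This
 * is only useful if the key is to be exported to a certificate or
 * certificate request.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 *   negative error value. %GNUTLS_E_INVALID_REQUEST is returned when
 *   @key is %NULL.
 *
 * Since: 2.12.0
 **/
int gnutls_pubkey_set_key_usage(gnutls_pubkey_t key, unsigned int usage)
{
	/* Match the other setters in this file: a NULL key is a caller
	 * error, not a crash. */
	if (key == NULL) {
		gnutls_assert();
		return GNUTLS_E_INVALID_REQUEST;
	}

	/* The flags are only stored here; in this file they are read back
	 * by gnutls_x509_crt_set_pubkey() and gnutls_x509_crq_set_pubkey(). */
	key->key_usage = usage;

	return 0;
}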
#ifdef ENABLE_PKCS11
#if 0
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_pubkey_import_pkcs11_url:
|
|
Packit Service |
4684c1 |
* @key: A key of type #gnutls_pubkey_t
|
|
Packit Service |
4684c1 |
* @url: A PKCS 11 url
|
|
Packit Service |
4684c1 |
* @flags: One of GNUTLS_PKCS11_OBJ_* flags
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function will import a PKCS 11 certificate to a #gnutls_pubkey_t
|
|
Packit Service |
4684c1 |
* structure.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
|
|
Packit Service |
4684c1 |
* negative error value.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Since: 2.12.0
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
int
|
|
Packit Service |
4684c1 |
gnutls_pubkey_import_pkcs11_url(gnutls_pubkey_t key, const char *url,
|
|
Packit Service |
4684c1 |
unsigned int flags)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
int x;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
#endif
/* Imports the public key referenced by the PKCS #11 @url into @key.
 *
 * A temporary PKCS #11 object is created, given the PIN callback of @key
 * when one is set, loaded from @url with
 * GNUTLS_PKCS11_OBJ_FLAG_EXPECT_PUBKEY added to @flags, and then handed to
 * gnutls_pubkey_import_pkcs11(). The temporary object is always released
 * before returning.
 *
 * Returns 0 on success, otherwise the negative error code of the call
 * that failed.
 */
static int
_gnutls_pubkey_import_pkcs11_url(gnutls_pubkey_t key, const char *url,
				 unsigned int flags)
{
	gnutls_pkcs11_obj_t obj;
	int rc = gnutls_pkcs11_obj_init(&obj);

	if (rc < 0)
		return gnutls_assert_val(rc);

	/* Reuse the key's PIN callback so the token prompts the same way. */
	if (key->pin.cb)
		gnutls_pkcs11_obj_set_pin_function(obj, key->pin.cb,
						   key->pin.data);

	rc = gnutls_pkcs11_obj_import_url(obj, url,
					  flags | GNUTLS_PKCS11_OBJ_FLAG_EXPECT_PUBKEY);
	if (rc >= 0)
		rc = gnutls_pubkey_import_pkcs11(key, obj, flags);

	/* Either step failing is logged once; success is normalised to 0. */
	if (rc < 0)
		gnutls_assert();
	else
		rc = 0;

	gnutls_pkcs11_obj_deinit(obj);

	return rc;
}
#endif /* ENABLE_PKCS11 */
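/**
 * gnutls_pubkey_import_url:
 * @key: A key of type #gnutls_pubkey_t
 * @url: A PKCS 11 url
 * @flags: One of GNUTLS_PKCS11_OBJ_* flags
 *
 * This function will import a public key from the provided URL.
 * Registered custom URL handlers are tried first, then the PKCS #11
 * and TPM key URL prefixes.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 *   negative error value. %GNUTLS_E_INVALID_REQUEST is returned when
 *   @key or @url is %NULL or the URL prefix is not recognised, and
 *   %GNUTLS_E_UNIMPLEMENTED_FEATURE when support for the matching
 *   prefix was not compiled in.
 *
 * Since: 3.1.0
 **/
int
gnutls_pubkey_import_url(gnutls_pubkey_t key, const char *url,
			 unsigned int flags)
{
	unsigned i;

	/* strncmp() on a NULL @url is undefined behaviour, and the
	 * PKCS #11 path dereferences @key; reject both up front. */
	if (key == NULL || url == NULL)
		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);

	/* Dispatch is by prefix match only; the rest of the URL is
	 * validated (or not) by whichever handler accepts it. */
	for (i = 0; i < _gnutls_custom_urls_size; i++) {
		if (strncmp(url, _gnutls_custom_urls[i].name,
			    _gnutls_custom_urls[i].name_size) == 0) {
			/* A matching entry without an import_pubkey hook
			 * falls through to the built-in prefixes. */
			if (_gnutls_custom_urls[i].import_pubkey)
				return _gnutls_custom_urls[i].import_pubkey(key, url, flags);
		}
	}

	/* Braces keep the conditional return attached to its if
	 * regardless of which preprocessor branch is compiled. */
	if (strncmp(url, PKCS11_URL, PKCS11_URL_SIZE) == 0) {
#ifdef ENABLE_PKCS11
		return _gnutls_pubkey_import_pkcs11_url(key, url, flags);
#else
		return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
#endif
	}

	if (strncmp(url, TPMKEY_URL, TPMKEY_URL_SIZE) == 0) {
#ifdef HAVE_TROUSERS
		return gnutls_pubkey_import_tpm_url(key, url, NULL, 0);
#else
		return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
#endif
	}

	return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
}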
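/**
 * gnutls_pubkey_import_rsa_raw:
 * @key: The key
 * @m: holds the modulus
 * @e: holds the public exponent
 *
 * This function will replace the parameters in the given structure.
 * The new parameters should be stored in the appropriate
 * gnutls_datum.
 *
 * Returns: %GNUTLS_E_SUCCESS on success, or a negative error code.
 *   %GNUTLS_E_INVALID_REQUEST is returned when @key, @m or @e is %NULL.
 *
 * Since: 2.12.0
 **/
int
gnutls_pubkey_import_rsa_raw(gnutls_pubkey_t key,
			     const gnutls_datum_t * m,
			     const gnutls_datum_t * e)
{
	/* @m and @e are dereferenced below; check them before the
	 * existing parameters of @key are thrown away. */
	if (key == NULL || m == NULL || e == NULL) {
		gnutls_assert();
		return GNUTLS_E_INVALID_REQUEST;
	}

	/* Drop whatever the key held before and start from a clean state. */
	gnutls_pk_params_release(&key->params);
	gnutls_pk_params_init(&key->params);

	/* params[0] receives the modulus, params[1] the public exponent. */
	if (_gnutls_mpi_init_scan_nz(&key->params.params[0], m->data, m->size)) {
		gnutls_assert();
		return GNUTLS_E_MPI_SCAN_FAILED;
	}

	if (_gnutls_mpi_init_scan_nz(&key->params.params[1], e->data, e->size)) {
		gnutls_assert();
		/* params_nr has not been set yet, so the modulus is
		 * released by hand. */
		_gnutls_mpi_release(&key->params.params[0]);
		return GNUTLS_E_MPI_SCAN_FAILED;
	}

	/* NOTE(review): no range check on the modulus size or exponent
	 * value is visible here; confirm that policy is enforced where
	 * the key is used. */
	key->params.params_nr = RSA_PUBLIC_PARAMS;
	key->params.algo = GNUTLS_PK_RSA;
	key->bits = pubkey_to_bits(&key->params);

	return 0;
}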
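/**
 * gnutls_pubkey_import_ecc_raw:
 * @key: The structure to store the parsed key
 * @curve: holds the curve
 * @x: holds the x-coordinate
 * @y: holds the y-coordinate
 *
 * This function will convert the given elliptic curve parameters to a
 * #gnutls_pubkey_t. The output will be stored in @key.
 *
 * In EdDSA curves the @y parameter should be %NULL and the @x parameter must
 * be the value in the native format for the curve.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 *   negative error value.
 *
 * Since: 3.0
 **/
int
gnutls_pubkey_import_ecc_raw(gnutls_pubkey_t key,
			     gnutls_ecc_curve_t curve,
			     const gnutls_datum_t * x,
			     const gnutls_datum_t * y)
{
	int ret;

	if (key == NULL || x == NULL) {
		gnutls_assert();
		return GNUTLS_E_INVALID_REQUEST;
	}

	/* Drop whatever the key held before and start from a clean state. */
	gnutls_pk_params_release(&key->params);
	gnutls_pk_params_init(&key->params);

	if (curve_is_eddsa(curve)) {
		unsigned size = gnutls_ecc_curve_get_size(curve);

		/* The raw public value must be exactly as long as the
		 * curve size; anything else is rejected. */
		if (x->size != size) {
			ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
			goto cleanup;
		}

		ret = _gnutls_set_datum(&key->params.raw_pub, x->data, x->size);
		if (ret < 0) {
			gnutls_assert();
			goto cleanup;
		}

		switch (curve) {
		case GNUTLS_ECC_CURVE_ED25519:
			key->params.algo = GNUTLS_PK_EDDSA_ED25519;
			break;
		case GNUTLS_ECC_CURVE_ED448:
			key->params.algo = GNUTLS_PK_EDDSA_ED448;
			break;
		default:
			/* Fail closed: a curve that curve_is_eddsa() accepts
			 * but that has no algorithm mapping here must not
			 * yield a "successful" key with no algorithm set. */
			ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
			goto cleanup;
		}
		key->params.curve = curve;
		key->bits = pubkey_to_bits(&key->params);

		return 0;
	}

	/* ECDSA */
	if (y == NULL) {
		gnutls_assert();
		return GNUTLS_E_INVALID_REQUEST;
	}

	key->params.curve = curve;

	/* params_nr is bumped after each successful scan so that the
	 * cleanup path releases exactly what was allocated. */
	if (_gnutls_mpi_init_scan_nz
	    (&key->params.params[ECC_X], x->data, x->size)) {
		gnutls_assert();
		ret = GNUTLS_E_MPI_SCAN_FAILED;
		goto cleanup;
	}
	key->params.params_nr++;

	if (_gnutls_mpi_init_scan_nz
	    (&key->params.params[ECC_Y], y->data, y->size)) {
		gnutls_assert();
		ret = GNUTLS_E_MPI_SCAN_FAILED;
		goto cleanup;
	}
	key->params.params_nr++;

	/* NOTE(review): nothing visible in this function checks that
	 * (x, y) is a point on @curve; confirm that validation happens
	 * before the key is used for verification. */
	key->params.algo = GNUTLS_PK_ECDSA;
	key->bits = pubkey_to_bits(&key->params);

	return 0;

 cleanup:
	gnutls_pk_params_release(&key->params);
	return ret;
}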
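/**
 * gnutls_pubkey_import_ecc_x962:
 * @key: The structure to store the parsed key
 * @parameters: DER encoding of an ANSI X9.62 parameters
 * @ecpoint: DER encoding of ANSI X9.62 ECPoint
 *
 * This function will convert the given elliptic curve parameters to a
 * #gnutls_pubkey_t. The output will be stored in @key.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 *   negative error value. %GNUTLS_E_INVALID_REQUEST is returned when
 *   @key, @parameters or @ecpoint is %NULL.
 *
 * Since: 3.0
 **/
int
gnutls_pubkey_import_ecc_x962(gnutls_pubkey_t key,
			      const gnutls_datum_t * parameters,
			      const gnutls_datum_t * ecpoint)
{
	int ret;
	gnutls_datum_t raw_point = {NULL,0};

	/* Both datums are dereferenced below; check them before the
	 * existing parameters of @key are thrown away. */
	if (key == NULL || parameters == NULL || ecpoint == NULL) {
		gnutls_assert();
		return GNUTLS_E_INVALID_REQUEST;
	}

	gnutls_pk_params_release(&key->params);
	gnutls_pk_params_init(&key->params);

	key->params.params_nr = 0;

	/* Both inputs are DER blobs supplied by the caller; each decoding
	 * step below aborts the import on error. */
	ret =
	    _gnutls_x509_read_ecc_params(parameters->data,
					 parameters->size, &key->params.curve);
	if (ret < 0) {
		gnutls_assert();
		goto cleanup;
	}

	/* Unwrap the OCTET STRING; raw_point owns the decoded bytes and
	 * is freed on every path out of this function. */
	ret = _gnutls_x509_decode_string(ASN1_ETYPE_OCTET_STRING,
					 ecpoint->data, ecpoint->size, &raw_point, 0);
	if (ret < 0) {
		gnutls_assert();
		goto cleanup;
	}

	ret = _gnutls_ecc_ansi_x962_import(raw_point.data, raw_point.size,
					   &key->params.params[ECC_X],
					   &key->params.params[ECC_Y]);
	if (ret < 0) {
		gnutls_assert();
		goto cleanup;
	}
	key->params.params_nr += 2;
	key->params.algo = GNUTLS_PK_EC;
	/* Refresh key->bits as the other raw importers in this file do,
	 * so it does not keep a value from a previous import. */
	key->bits = pubkey_to_bits(&key->params);

	gnutls_free(raw_point.data);
	return 0;

 cleanup:
	gnutls_pk_params_release(&key->params);
	gnutls_free(raw_point.data);
	return ret;
}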
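/**
 * gnutls_pubkey_import_gost_raw:
 * @key: The structure to store the parsed key
 * @curve: holds the curve
 * @digest: holds the digest
 * @paramset: holds the parameters id
 * @x: holds the x-coordinate
 * @y: holds the y-coordinate
 *
 * This function will convert the given GOST public key's parameters to a
 * #gnutls_pubkey_t. The output will be stored in @key. @digest should be
 * one of GNUTLS_DIG_GOSTR_94, GNUTLS_DIG_STREEBOG_256 or
 * GNUTLS_DIG_STREEBOG_512. If @paramset is set to GNUTLS_GOST_PARAMSET_UNKNOWN
 * default one will be selected depending on @digest.
 *
 * Note: parameters should be stored with least significant byte first. On
 * version 3.6.3 big-endian format was used incorrectly.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 *   negative error value. %GNUTLS_E_INVALID_REQUEST is returned when
 *   @key, @x or @y is %NULL, and %GNUTLS_E_ILLEGAL_PARAMETER when
 *   @digest does not map to a GOST public key algorithm.
 *
 * Since: 3.6.3
 **/
int
gnutls_pubkey_import_gost_raw(gnutls_pubkey_t key,
			     gnutls_ecc_curve_t curve,
			     gnutls_digest_algorithm_t digest,
			     gnutls_gost_paramset_t paramset,
			     const gnutls_datum_t * x,
			     const gnutls_datum_t * y)
{
	int ret;
	gnutls_pk_algorithm_t pk_algo;

	/* @x and @y are dereferenced below; check them before the
	 * existing parameters of @key are thrown away. */
	if (key == NULL || x == NULL || y == NULL) {
		gnutls_assert();
		return GNUTLS_E_INVALID_REQUEST;
	}

	/* The digest selects the public key algorithm; an unsupported
	 * digest is rejected before @key is touched. */
	pk_algo = _gnutls_digest_gost(digest);
	if (pk_algo == GNUTLS_PK_UNKNOWN)
		return GNUTLS_E_ILLEGAL_PARAMETER;

	if (paramset == GNUTLS_GOST_PARAMSET_UNKNOWN)
		paramset = _gnutls_gost_paramset_default(pk_algo);

	gnutls_pk_params_release(&key->params);
	gnutls_pk_params_init(&key->params);

	key->params.curve = curve;
	key->params.gost_params = paramset;

	/* Coordinates are scanned least significant byte first.
	 * params_nr is bumped after each successful scan so that the
	 * cleanup path releases exactly what was allocated. */
	if (_gnutls_mpi_init_scan_le
	    (&key->params.params[GOST_X], x->data, x->size)) {
		gnutls_assert();
		ret = GNUTLS_E_MPI_SCAN_FAILED;
		goto cleanup;
	}
	key->params.params_nr++;

	if (_gnutls_mpi_init_scan_le
	    (&key->params.params[GOST_Y], y->data, y->size)) {
		gnutls_assert();
		ret = GNUTLS_E_MPI_SCAN_FAILED;
		goto cleanup;
	}
	key->params.params_nr++;
	key->params.algo = pk_algo;
	/* Refresh key->bits as the other raw importers in this file do,
	 * so it does not keep a value from a previous import. */
	key->bits = pubkey_to_bits(&key->params);

	return 0;

 cleanup:
	gnutls_pk_params_release(&key->params);
	return ret;
}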
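/**
 * gnutls_pubkey_import_dsa_raw:
 * @key: The structure to store the parsed key
 * @p: holds the p
 * @q: holds the q
 * @g: holds the g
 * @y: holds the y
 *
 * This function will convert the given DSA raw parameters to the
 * native #gnutls_pubkey_t format. The output will be stored
 * in @key.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 *   negative error value. %GNUTLS_E_INVALID_REQUEST is returned when
 *   @key or any of the parameters is %NULL.
 *
 * Since: 2.12.0
 **/
int
gnutls_pubkey_import_dsa_raw(gnutls_pubkey_t key,
			     const gnutls_datum_t * p,
			     const gnutls_datum_t * q,
			     const gnutls_datum_t * g,
			     const gnutls_datum_t * y)
{
	/* All four datums are dereferenced below; check them before the
	 * existing parameters of @key are thrown away. */
	if (key == NULL || p == NULL || q == NULL || g == NULL || y == NULL) {
		gnutls_assert();
		return GNUTLS_E_INVALID_REQUEST;
	}

	gnutls_pk_params_release(&key->params);
	gnutls_pk_params_init(&key->params);

	/* params[0..3] receive p, q, g and y in that order. params_nr is
	 * only set once all four are in place, so each failure path
	 * releases the values scanned so far by hand. */
	if (_gnutls_mpi_init_scan_nz(&key->params.params[0], p->data, p->size)) {
		gnutls_assert();
		return GNUTLS_E_MPI_SCAN_FAILED;
	}

	if (_gnutls_mpi_init_scan_nz(&key->params.params[1], q->data, q->size)) {
		gnutls_assert();
		_gnutls_mpi_release(&key->params.params[0]);
		return GNUTLS_E_MPI_SCAN_FAILED;
	}

	if (_gnutls_mpi_init_scan_nz(&key->params.params[2], g->data, g->size)) {
		gnutls_assert();
		_gnutls_mpi_release(&key->params.params[1]);
		_gnutls_mpi_release(&key->params.params[0]);
		return GNUTLS_E_MPI_SCAN_FAILED;
	}

	if (_gnutls_mpi_init_scan_nz(&key->params.params[3], y->data, y->size)) {
		gnutls_assert();
		_gnutls_mpi_release(&key->params.params[2]);
		_gnutls_mpi_release(&key->params.params[1]);
		_gnutls_mpi_release(&key->params.params[0]);
		return GNUTLS_E_MPI_SCAN_FAILED;
	}

	/* NOTE(review): the relationship between p, q, g and y is not
	 * checked here; confirm the parameters are validated before the
	 * key is trusted for verification. */
	key->params.params_nr = DSA_PUBLIC_PARAMS;
	key->params.algo = GNUTLS_PK_DSA;
	key->bits = pubkey_to_bits(&key->params);

	return 0;

}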
/* Reconciles the signature parameters in @params with the signature
 * algorithm @se, for a key described by @key_params.
 *
 * GNUTLS_E_CONSTRAINT_ERROR is returned when the key algorithm differs
 * from the one of @se and sign_supports_priv_pk_algorithm() does not
 * accept the combination, when RSA-PSS is requested for a non-RSA key,
 * or when the RSA-PSS digest recorded in @params differs from the digest
 * of @se.
 *
 * Returns 0 on success or a negative error code. @params may already
 * have been modified (rsa_pss_dig) when the salt size lookup fails.
 */
static int
fixup_spki_params(const gnutls_pk_params_st *key_params,
		  const gnutls_sign_entry_st *se,
		  const mac_entry_st *me, gnutls_x509_spki_st *params)
{
	if (se->pk != key_params->algo &&
	    !sign_supports_priv_pk_algorithm(se, key_params->algo)) {
		_gnutls_debug_log("have key: %s/%d, with sign %s/%d\n",
				  gnutls_pk_get_name(key_params->algo),
				  key_params->algo, se->name, se->id);
		return gnutls_assert_val(GNUTLS_E_CONSTRAINT_ERROR);
	}

	/* Only RSA-PSS carries parameters that need to be reconciled. */
	if (params->pk != GNUTLS_PK_RSA_PSS)
		return 0;

	if (!GNUTLS_PK_IS_RSA(key_params->algo))
		return gnutls_assert_val(GNUTLS_E_CONSTRAINT_ERROR);

	/* RSA-PSS was requested but the key carries no parameter
	 * information: fill it in the same way as gnutls_privkey_sign*.
	 * For a plain RSA key any digest already present in @params is
	 * overwritten, so the equality check below cannot fail for it. */
	if (key_params->algo == GNUTLS_PK_RSA || params->rsa_pss_dig == 0) {
		unsigned key_bits = pubkey_to_bits(key_params);
		int salt;

		params->rsa_pss_dig = se->hash;
		salt = _gnutls_find_rsa_pss_salt_size(key_bits, me, 0);
		if (salt < 0)
			return gnutls_assert_val(salt);

		params->salt_size = salt;
	}

	/* A key restricted to one digest must not verify another one. */
	if (params->rsa_pss_dig != se->hash)
		return gnutls_assert_val(GNUTLS_E_CONSTRAINT_ERROR);

	return 0;
}
/**
 * gnutls_pubkey_verify_data2:
 * @pubkey: Holds the public key
 * @algo: The signature algorithm used
 * @flags: Zero or an OR list of #gnutls_certificate_verify_flags
 * @data: holds the signed data
 * @signature: contains the signature
 *
 * This function will verify the given signed data, using the
 * parameters from the public key. The flag %GNUTLS_VERIFY_USE_TLS1_RSA
 * is not accepted by this function and results in
 * %GNUTLS_E_INVALID_REQUEST. Only @pubkey is checked for NULL here;
 * @data and @signature are passed on unchecked.
 *
 * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED
 * is returned, and zero or positive code on success. For known to be insecure
 * signatures this function will return %GNUTLS_E_INSUFFICIENT_SECURITY unless
 * the flag %GNUTLS_VERIFY_ALLOW_BROKEN is specified.
 *
 * Since: 3.0
 **/
int
gnutls_pubkey_verify_data2(gnutls_pubkey_t pubkey,
			   gnutls_sign_algorithm_t algo,
			   unsigned int flags,
			   const gnutls_datum_t * data,
			   const gnutls_datum_t * signature)
{
	gnutls_x509_spki_st sig_params;
	const gnutls_sign_entry_st *se;
	const mac_entry_st *me;
	int rc;

	if (pubkey == NULL)
		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);

	if (flags & GNUTLS_VERIFY_USE_TLS1_RSA)
		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);

	/* Work on a private copy so the key's own SPKI is left untouched. */
	memcpy(&sig_params, &pubkey->params.spki, sizeof(sig_params));

	se = _gnutls_sign_to_entry(algo);
	if (se == NULL)
		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);

	rc = pubkey_supports_sig(pubkey, se);
	if (rc < 0)
		return gnutls_assert_val(rc);

	sig_params.pk = se->pk;

	/* A missing digest entry is tolerated only for algorithms that
	 * _gnutls_pk_is_not_prehashed() reports as not pre-hashed. */
	me = hash_to_entry(se->hash);
	if (me == NULL && !_gnutls_pk_is_not_prehashed(se->pk))
		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);

	rc = pubkey_verify_data(se, me, data, signature, &pubkey->params,
				&sig_params, flags);
	if (rc < 0)
		return gnutls_assert_val(rc);

	return 0;
}
/**
 * gnutls_pubkey_verify_hash2:
 * @key: Holds the public key
 * @algo: The signature algorithm used
 * @flags: Zero or an OR list of #gnutls_certificate_verify_flags
 * @hash: holds the hash digest to be verified
 * @signature: contains the signature
 *
 * This function will verify the given signed digest, using the
 * parameters from the public key. Note that unlike gnutls_privkey_sign_hash(),
 * this function accepts a signature algorithm instead of a digest algorithm.
 * You can use gnutls_pk_to_sign() to get the appropriate value.
 *
 * When %GNUTLS_VERIFY_USE_TLS1_RSA is set, @algo is not consulted and the
 * check for insecure signature algorithms is skipped; the key must be an
 * RSA key in that case. Keys whose algorithm does not operate on a
 * pre-computed digest are rejected with %GNUTLS_E_INVALID_REQUEST.
 *
 * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED
 * is returned, and zero or positive code on success. For known to be insecure
 * signatures this function will return %GNUTLS_E_INSUFFICIENT_SECURITY unless
 * the flag %GNUTLS_VERIFY_ALLOW_BROKEN is specified.
 *
 * Since: 3.0
 **/
int
gnutls_pubkey_verify_hash2(gnutls_pubkey_t key,
			   gnutls_sign_algorithm_t algo,
			   unsigned int flags,
			   const gnutls_datum_t * hash,
			   const gnutls_datum_t * signature)
{
	gnutls_x509_spki_st sig_params;
	const gnutls_sign_entry_st *se;
	const mac_entry_st *me;
	int rc;

	if (key == NULL)
		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);

	if (_gnutls_pk_is_not_prehashed(key->params.algo))
		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);

	/* Work on a private copy so the key's own SPKI is left untouched. */
	memcpy(&sig_params, &key->params.spki, sizeof(sig_params));

	if (flags & GNUTLS_VERIFY_USE_TLS1_RSA) {
		if (!GNUTLS_PK_IS_RSA(key->params.algo))
			return gnutls_assert_val(GNUTLS_E_INCOMPATIBLE_SIG_WITH_KEY);

		sig_params.pk = GNUTLS_PK_RSA;
		/* we do not check for insecure algorithms with this flag;
		 * the backend result is handed back to the caller as is */
		return _gnutls_pk_verify(sig_params.pk, hash, signature,
					 &key->params, &sig_params);
	}

	se = _gnutls_sign_to_entry(algo);
	if (se == NULL)
		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);

	rc = pubkey_supports_sig(key, se);
	if (rc < 0)
		return gnutls_assert_val(rc);

	sig_params.pk = se->pk;

	me = hash_to_entry(se->hash);
	if (me == NULL && !_gnutls_pk_is_not_prehashed(se->pk))
		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);

	rc = pubkey_verify_hashed_data(se, me, hash, signature,
				       &key->params, &sig_params, flags);
	if (rc < 0)
		return gnutls_assert_val(rc);

	return 0;
}
/**
 * gnutls_pubkey_encrypt_data:
 * @key: Holds the public key
 * @flags: should be 0 for now
 * @plaintext: The data to be encrypted
 * @ciphertext: contains the encrypted data
 *
 * This function will encrypt the given data, using the public
 * key. On success the @ciphertext will be allocated using gnutls_malloc().
 * The value of @flags is not examined by this function, and only @key
 * is checked for NULL.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 * negative error value.
 *
 * Since: 3.0
 **/
int
gnutls_pubkey_encrypt_data(gnutls_pubkey_t key, unsigned int flags,
			   const gnutls_datum_t * plaintext,
			   gnutls_datum_t * ciphertext)
{
	if (key == NULL)
		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);

	/* The key's own algorithm selects the encryption primitive. */
	return _gnutls_pk_encrypt(key->params.algo, ciphertext,
				  plaintext, &key->params);
}
/* Checks that @pubkey can be used with the signature algorithm @se.
 *
 * For ECDSA keys, a signature algorithm that is bound to a curve must
 * name the curve of the key. In addition the signature's PK algorithm
 * must equal the key's, or be accepted for it by
 * sign_supports_priv_pk_algorithm().
 *
 * Returns 0 when compatible, GNUTLS_E_INCOMPATIBLE_SIG_WITH_KEY otherwise.
 */
static int
pubkey_supports_sig(gnutls_pubkey_t pubkey,
		    const gnutls_sign_entry_st *se)
{
	if (pubkey->params.algo == GNUTLS_PK_ECDSA && se->curve) {
		gnutls_ecc_curve_t key_curve = pubkey->params.curve;

		if (key_curve != se->curve) {
			_gnutls_handshake_log("have key: ECDSA with %s/%d, with sign %s/%d\n",
					      gnutls_ecc_curve_get_name(key_curve),
					      (int)key_curve,
					      se->name, se->id);
			return gnutls_assert_val(GNUTLS_E_INCOMPATIBLE_SIG_WITH_KEY);
		}
	}

	/* the PK algorithm of the signature differs from the one on the
	 * pubkey, and the pair is not explicitly supported */
	if (se->pk != pubkey->params.algo &&
	    !sign_supports_priv_pk_algorithm(se, pubkey->params.algo)) {
		_gnutls_handshake_log("have key: %s/%d, with sign %s/%d\n",
				      gnutls_pk_get_name(pubkey->params.algo),
				      pubkey->params.algo,
				      se->name, se->id);
		return gnutls_assert_val(GNUTLS_E_INCOMPATIBLE_SIG_WITH_KEY);
	}

	return 0;
}
/* Checks whether the public key given is compatible with the
 * signature algorithm used. The session is only used for audit logging,
 * and it may be null.
 *
 * Note that for DSA and ECDSA keys a signature digest shorter than the
 * size derived from the key is only reported through the audit log; it
 * does not make this function fail. A GOST or RSA-PSS digest mismatch
 * is a hard error (GNUTLS_E_CONSTRAINT_ERROR).
 *
 * Returns 0 when compatible, or a negative error code.
 */
int _gnutls_pubkey_compatible_with_sig(gnutls_session_t session,
				       gnutls_pubkey_t pubkey,
				       const version_entry_st * ver,
				       gnutls_sign_algorithm_t sign)
{
	unsigned int key_hash_len = 0;
	unsigned int sig_hash_len;
	const mac_entry_st *me;
	const gnutls_sign_entry_st *se = _gnutls_sign_to_entry(sign);

	/* With a selectable signature hash the algorithm must be known;
	 * past this point "selectable" therefore implies se != NULL. */
	if (se == NULL && _gnutls_version_has_selectable_sighash(ver))
		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);

	if (pubkey->params.algo == GNUTLS_PK_DSA) {
		me = _gnutls_dsa_q_to_hash(&pubkey->params, &key_hash_len);

		/* DSA keys over 1024 bits cannot be used with TLS 1.x, x<2 */
		if (!_gnutls_version_has_selectable_sighash(ver)) {
			if (me->id != GNUTLS_MAC_SHA1)
				return gnutls_assert_val(GNUTLS_E_INCOMPAT_DSA_KEY_WITH_TLS_PROTOCOL);
		} else if (se != NULL) {
			me = hash_to_entry(se->hash);
			sig_hash_len = _gnutls_hash_get_algo_len(me);

			if (sig_hash_len < key_hash_len)
				_gnutls_audit_log(session,
						  "The hash size used in signature (%u) is less than the expected (%u)\n",
						  sig_hash_len, key_hash_len);
		}
	} else if (pubkey->params.algo == GNUTLS_PK_ECDSA) {
		if (_gnutls_version_has_selectable_sighash(ver) && se != NULL) {
			/* only the expected digest length is needed here */
			_gnutls_dsa_q_to_hash(&pubkey->params, &key_hash_len);

			me = hash_to_entry(se->hash);
			sig_hash_len = _gnutls_hash_get_algo_len(me);

			if (sig_hash_len < key_hash_len)
				_gnutls_audit_log(session,
						  "The hash size used in signature (%u) is less than the expected (%u)\n",
						  sig_hash_len, key_hash_len);
		}
	} else if (pubkey->params.algo == GNUTLS_PK_GOST_01 ||
		   pubkey->params.algo == GNUTLS_PK_GOST_12_256 ||
		   pubkey->params.algo == GNUTLS_PK_GOST_12_512) {
		/* each GOST key type is tied to a single digest */
		if (_gnutls_version_has_selectable_sighash(ver) && se != NULL &&
		    _gnutls_gost_digest(pubkey->params.algo) != se->hash) {
			_gnutls_audit_log(session,
					  "The hash algo used in signature (%u) is not expected (%u)\n",
					  se->hash, _gnutls_gost_digest(pubkey->params.algo));
			return gnutls_assert_val(GNUTLS_E_CONSTRAINT_ERROR);
		}
	} else if (pubkey->params.algo == GNUTLS_PK_RSA_PSS) {
		if (!_gnutls_version_has_selectable_sighash(ver))
			/* this should not have happened */
			return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);

		/* RSA PSS public keys are restricted to a single digest,
		 * i.e., signature. se is non-NULL here because the version
		 * has a selectable signature hash (see the first check). */
		if (pubkey->params.spki.rsa_pss_dig &&
		    pubkey->params.spki.rsa_pss_dig != se->hash)
			return gnutls_assert_val(GNUTLS_E_CONSTRAINT_ERROR);
	}

	if (se == NULL)
		return 0;

	return pubkey_supports_sig(pubkey, se);
}
/* Copies the public key parameters of @key into @params by means of
 * _gnutls_pk_params_copy(), and returns that function's result.
 * @key is dereferenced without a NULL check.
 */
int
_gnutls_pubkey_get_mpis(gnutls_pubkey_t key, gnutls_pk_params_st * params)
{
	int rc = _gnutls_pk_params_copy(params, &key->params);

	return rc;
}
/* Verifies an RSA signature over either @text (which is hashed here with
 * @me) or an already computed digest @prehash; @prehash takes precedence
 * when both are given.
 *
 * A pre-computed digest must be non-NULL and exactly as long as the
 * output of @me, otherwise GNUTLS_E_INVALID_REQUEST is returned.
 * For GNUTLS_PK_RSA the digest is wrapped in a BER encoded DigestInfo
 * before it is handed to _gnutls_pk_verify(); for any other @pk the raw
 * digest is passed on.
 *
 * Returns the result of _gnutls_pk_verify(), or a negative error code.
 */
static int
_pkcs1_rsa_verify_sig(gnutls_pk_algorithm_t pk,
		      const mac_entry_st * me,
		      const gnutls_datum_t * text,
		      const gnutls_datum_t * prehash,
		      const gnutls_datum_t * signature,
		      gnutls_pk_params_st * params,
		      gnutls_x509_spki_st * sign_params)
{
	uint8_t digest_buf[MAX_HASH_SIZE];
	gnutls_datum_t digest, digest_info;
	unsigned int digest_size;
	int rc;

	if (unlikely(me == NULL))
		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);

	digest_size = _gnutls_hash_get_algo_len(me);

	if (prehash != NULL) {
		/* reject digests of the wrong length up front */
		if (prehash->data == NULL || prehash->size != digest_size)
			return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);

		digest.data = prehash->data;
	} else {
		if (text == NULL)
			return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);

		rc = _gnutls_hash_fast((gnutls_digest_algorithm_t)me->id,
				       text->data, text->size, digest_buf);
		if (rc < 0)
			return gnutls_assert_val(rc);

		digest.data = digest_buf;
	}
	digest.size = digest_size;

	if (pk != GNUTLS_PK_RSA)
		return _gnutls_pk_verify(pk, &digest, signature, params,
					 sign_params);

	/* decrypted is a BER encoded data of type DigestInfo */
	rc = encode_ber_digest_info(me, &digest, &digest_info);
	if (rc < 0)
		return gnutls_assert_val(rc);

	rc = _gnutls_pk_verify(pk, &digest_info, signature, params,
			       sign_params);
	_gnutls_free_datum(&digest_info);

	return rc;
}
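/* Verifies @signature over an already computed digest @hash (the input
 * is not hashed here).
 *
 * When @algo is NULL the expected digest is derived from the key via
 * _gnutls_dsa_q_to_hash(). A digest shorter than the expected length is
 * rejected with GNUTLS_E_PK_SIG_VERIFY_FAILED, except for 20-byte (SHA1
 * sized) digests, which remain allowed. A digest without data is always
 * rejected: previously a NULL @hash->data with a size of exactly 20
 * slipped past the length check and reached _gnutls_pk_verify().
 *
 * Returns the result of _gnutls_pk_verify(), or a negative error code.
 */
static int
dsa_verify_hashed_data(gnutls_pk_algorithm_t pk,
		       const mac_entry_st * algo,
		       const gnutls_datum_t * hash,
		       const gnutls_datum_t * signature,
		       gnutls_pk_params_st * params,
		       gnutls_x509_spki_st * sign_params)
{
	gnutls_datum_t digest;
	unsigned int hash_len;

	if (algo == NULL)
		algo = _gnutls_dsa_q_to_hash(params, &hash_len);
	else
		hash_len = _gnutls_hash_get_algo_len(algo);

	/* Never hand a NULL digest to the backend, whatever its size. */
	if (hash->data == NULL)
		return gnutls_assert_val(GNUTLS_E_PK_SIG_VERIFY_FAILED);

	/* SHA1 or better allowed */
	if (hash->size < hash_len) {
		gnutls_assert();
		_gnutls_debug_log
		    ("Hash size (%d) does not correspond to hash %s(%d) or better.\n",
		     (int) hash->size, _gnutls_mac_get_name(algo),
		     (int) hash_len);

		if (hash->size != 20)	/* SHA1 is allowed */
			return gnutls_assert_val(GNUTLS_E_PK_SIG_VERIFY_FAILED);
	}

	digest.data = hash->data;
	digest.size = hash->size;

	return _gnutls_pk_verify(pk, &digest, signature, params, sign_params);
}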
/* Hashes @data and verifies @signature over the resulting digest.
 *
 * When @algo is NULL the digest algorithm is derived from the key via
 * _gnutls_dsa_q_to_hash(). @data is dereferenced without a NULL check.
 *
 * Returns the result of _gnutls_pk_verify(), or a negative error code
 * when hashing fails.
 */
static int
dsa_verify_data(gnutls_pk_algorithm_t pk,
		const mac_entry_st * algo,
		const gnutls_datum_t * data,
		const gnutls_datum_t * signature,
		gnutls_pk_params_st * params,
		gnutls_x509_spki_st * sign_params)
{
	uint8_t hash_buf[MAX_HASH_SIZE];
	gnutls_datum_t digest;
	int rc;

	if (algo == NULL)
		algo = _gnutls_dsa_q_to_hash(params, NULL);

	rc = _gnutls_hash_fast((gnutls_digest_algorithm_t)algo->id,
			       data->data, data->size, hash_buf);
	if (rc < 0)
		return gnutls_assert_val(rc);

	digest.data = hash_buf;
	digest.size = _gnutls_hash_get_algo_len(algo);

	return _gnutls_pk_verify(pk, &digest, signature, params, sign_params);
}
/* Verifies @signature over the pre-computed digest @hash.
 *
 * Returns 1 when the signature verifies and the algorithm is acceptable.
 * Any non-zero result of the underlying verification is reported as
 * GNUTLS_E_PK_SIG_VERIFY_FAILED. Other negative codes are
 * GNUTLS_E_UNKNOWN_HASH_ALGORITHM (no @me), an error from
 * fixup_spki_params(), GNUTLS_E_INVALID_REQUEST (unhandled PK algorithm)
 * and GNUTLS_E_INSUFFICIENT_SECURITY: a signature that verifies but uses
 * an algorithm not considered secure, unless @flags allow broken
 * signatures. Callers must treat only non-negative values as success.
 */
static int
pubkey_verify_hashed_data(const gnutls_sign_entry_st *se,
			  const mac_entry_st *me,
			  const gnutls_datum_t * hash,
			  const gnutls_datum_t * signature,
			  gnutls_pk_params_st * params,
			  gnutls_x509_spki_st * sign_params,
			  unsigned flags)
{
	int rc;

	if (unlikely(me == NULL))
		return gnutls_assert_val(GNUTLS_E_UNKNOWN_HASH_ALGORITHM);

	rc = fixup_spki_params(params, se, me, sign_params);
	if (rc < 0)
		return gnutls_assert_val(rc);

	switch (se->pk) {
	case GNUTLS_PK_RSA:
	case GNUTLS_PK_RSA_PSS:
		rc = _pkcs1_rsa_verify_sig(se->pk, me, NULL, hash, signature,
					   params, sign_params);
		break;

	case GNUTLS_PK_ECDSA:
	case GNUTLS_PK_GOST_01:
	case GNUTLS_PK_GOST_12_256:
	case GNUTLS_PK_GOST_12_512:
	case GNUTLS_PK_DSA:
		rc = dsa_verify_hashed_data(se->pk, me, hash, signature,
					    params, sign_params);
		break;

	default:
		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
	}

	/* every backend failure is collapsed into a single error code */
	if (rc != 0)
		return gnutls_assert_val(GNUTLS_E_PK_SIG_VERIFY_FAILED);

	/* the algorithm policy is applied only after a valid signature */
	if (_gnutls_sign_is_secure2(se, 0) == 0 &&
	    _gnutls_is_broken_sig_allowed(se, flags) == 0)
		return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_SECURITY);

	return 1;
}
/* Verifies @signature over the raw message @data.
 *
 * EdDSA signatures are verified over @data directly; for the other
 * handled algorithms the helper hashes @data with @me first.
 *
 * Returns 1 when the signature verifies and the algorithm is acceptable.
 * Any non-zero result of the underlying verification is reported as
 * GNUTLS_E_PK_SIG_VERIFY_FAILED. Other negative codes are
 * GNUTLS_E_UNKNOWN_HASH_ALGORITHM (no @me), an error from
 * fixup_spki_params(), GNUTLS_E_INVALID_REQUEST (unhandled PK algorithm)
 * and GNUTLS_E_INSUFFICIENT_SECURITY: a signature that verifies but uses
 * an algorithm not considered secure, unless @flags allow broken
 * signatures. Callers must treat only non-negative values as success.
 */
int
pubkey_verify_data(const gnutls_sign_entry_st *se,
		   const mac_entry_st *me,
		   const gnutls_datum_t * data,
		   const gnutls_datum_t * signature,
		   gnutls_pk_params_st * params,
		   gnutls_x509_spki_st * sign_params,
		   unsigned flags)
{
	int rc;

	if (unlikely(me == NULL))
		return gnutls_assert_val(GNUTLS_E_UNKNOWN_HASH_ALGORITHM);

	rc = fixup_spki_params(params, se, me, sign_params);
	if (rc < 0)
		return gnutls_assert_val(rc);

	switch (se->pk) {
	case GNUTLS_PK_RSA:
	case GNUTLS_PK_RSA_PSS:
		rc = _pkcs1_rsa_verify_sig(se->pk, me, data, NULL, signature,
					   params, sign_params);
		break;

	case GNUTLS_PK_EDDSA_ED25519:
	case GNUTLS_PK_EDDSA_ED448:
		/* no pre-hashing: the message itself is verified */
		rc = _gnutls_pk_verify(se->pk, data, signature, params,
				       sign_params);
		break;

	case GNUTLS_PK_EC:
	case GNUTLS_PK_DSA:
	case GNUTLS_PK_GOST_01:
	case GNUTLS_PK_GOST_12_256:
	case GNUTLS_PK_GOST_12_512:
		rc = dsa_verify_data(se->pk, me, data, signature, params,
				     sign_params);
		break;

	default:
		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
	}

	/* every backend failure is collapsed into a single error code */
	if (rc != 0)
		return gnutls_assert_val(GNUTLS_E_PK_SIG_VERIFY_FAILED);

	/* the algorithm policy is applied only after a valid signature */
	if (_gnutls_sign_is_secure2(se, 0) == 0 &&
	    _gnutls_is_broken_sig_allowed(se, flags) == 0)
		return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_SECURITY);

	return 1;
}
/* Maps the size of a DSA subgroup or of an EC curve to a digest.
 *
 * For GNUTLS_PK_DSA the size is the bit length of params->params[1];
 * for GNUTLS_PK_EC it is the curve size in bytes times eight. Any other
 * algorithm leaves the size at zero and therefore selects the first
 * tier (SHA-1, 20 bytes), so callers are expected to pass only DSA or
 * EC parameters here.
 *
 * @params: key parameters; only algo, params[1] and curve are read.
 * @hash_len: optional; when non-NULL it receives the tier's length in
 *   bytes. For the 192- and 224-bit tiers that is 24 and 28 although
 *   the digest selected is SHA-256 -- presumably the caller truncates
 *   the digest to this length; confirm against the call sites.
 *
 * Returns: whatever mac_to_entry() yields for the selected digest.
 */
const mac_entry_st *_gnutls_dsa_q_to_hash(const gnutls_pk_params_st *
					  params, unsigned int *hash_len)
{
	/* Inclusive upper bound in bits, reported length, digest id. */
	static const struct {
		int max_bits;
		unsigned int len;
		int dig;
	} tiers[] = {
		{160, 20, GNUTLS_DIG_SHA1},
		{192, 24, GNUTLS_DIG_SHA256},
		{224, 28, GNUTLS_DIG_SHA256},
		{256, 32, GNUTLS_DIG_SHA256},
		{384, 48, GNUTLS_DIG_SHA384},
	};
	/* Defaults cover every size above the last tier. */
	unsigned int len = 64;
	int dig = GNUTLS_DIG_SHA512;
	int q_bits = 0;
	unsigned int i;

	switch (params->algo) {
	case GNUTLS_PK_DSA:
		q_bits = _gnutls_mpi_get_nbits(params->params[1]);
		break;
	case GNUTLS_PK_EC:
		q_bits = gnutls_ecc_curve_get_size(params->curve) * 8;
		break;
	default:
		/* q_bits stays 0, which matches the SHA-1 tier below */
		break;
	}

	for (i = 0; i < sizeof(tiers) / sizeof(tiers[0]); i++) {
		if (q_bits <= tiers[i].max_bits) {
			len = tiers[i].len;
			dig = tiers[i].dig;
			break;
		}
	}

	if (hash_len)
		*hash_len = len;

	return mac_to_entry(dig);
}
/**
 * gnutls_pubkey_set_pin_function:
 * @key: A key of type #gnutls_pubkey_t
 * @fn: the PIN callback to install
 * @userdata: opaque pointer stored alongside the callback
 *
 * Installs the callback that will be used when a PIN is required to
 * access the object. A callback set here takes precedence over any
 * global PIN function.
 *
 * To take effect, this must be called right after the key has been
 * initialized.
 *
 * Only the two pointers are recorded: @userdata is not copied, so the
 * memory it points to has to stay valid for as long as the callback
 * may still be invoked. @key is dereferenced without a NULL check.
 *
 * Since: 3.1.0
 *
 **/
void gnutls_pubkey_set_pin_function(gnutls_pubkey_t key,
				    gnutls_pin_callback_t fn,
				    void *userdata)
{
	/* The two stores are independent of each other. */
	key->pin.data = userdata;
	key->pin.cb = fn;
}
/**
 * gnutls_pubkey_import_x509_raw:
 * @pkey: The public key
 * @data: The encoded X.509 certificate that carries the public key
 * @format: The encoding of @data
 * @flags: should be zero; passed on to gnutls_pubkey_import_x509()
 *
 * This function will parse @data as an X.509 certificate and import
 * the public key it contains into the abstract #gnutls_pubkey_t type.
 * The temporary certificate is released before returning, on success
 * and on failure alike.
 *
 * This function itself only parses the certificate and hands it to
 * gnutls_pubkey_import_x509(); it makes no call that checks the
 * certificate's signature or chain, so a caller that needs a trusted
 * key has to verify the certificate separately.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 *   negative error value.
 *
 * Since: 3.1.3
 **/
int gnutls_pubkey_import_x509_raw(gnutls_pubkey_t pkey,
				  const gnutls_datum_t * data,
				  gnutls_x509_crt_fmt_t format,
				  unsigned int flags)
{
	gnutls_x509_crt_t crt;
	int rc;

	rc = gnutls_x509_crt_init(&crt);
	if (rc < 0)
		return gnutls_assert_val(rc);

	/* Parse first; extract the key only from a certificate that parsed. */
	rc = gnutls_x509_crt_import(crt, data, format);
	if (rc >= 0)
		rc = gnutls_pubkey_import_x509(pkey, crt, flags);

	if (rc < 0)
		gnutls_assert();
	else
		rc = 0;	/* collapse any non-negative result to success */

	gnutls_x509_crt_deinit(crt);

	return rc;
}
/**
 * gnutls_pubkey_verify_params:
 * @key: should contain a #gnutls_pubkey_t type
 *
 * This function will verify the public key parameters by passing the
 * key's algorithm and parameters to the internal public-parameter
 * check. @key is dereferenced without a NULL check.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 *   negative error value.
 *
 * Since: 3.3.0
 **/
int gnutls_pubkey_verify_params(gnutls_pubkey_t key)
{
	int rc = _gnutls_pk_verify_pub_params(key->params.algo, &key->params);

	/* Any non-negative result is reported as plain success. */
	if (rc >= 0)
		return 0;

	gnutls_assert();
	return rc;
}
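/**
 * gnutls_pubkey_get_spki:
 * @pubkey: a public key of type #gnutls_pubkey_t
 * @spki: a SubjectPublicKeyInfo structure of type #gnutls_x509_spki_t
 * @flags: must be zero (not read by this function)
 *
 * This function will return the public key information if available.
 * The provided @spki must be initialized. The stored information is
 * copied into @spki byte for byte, overwriting its previous contents.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 *   negative error value: %GNUTLS_E_INVALID_REQUEST when @pubkey or
 *   @spki is NULL, %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE when the key
 *   carries no public key information.
 *
 * Since: 3.6.0
 **/
int
gnutls_pubkey_get_spki(gnutls_pubkey_t pubkey, gnutls_x509_spki_t spki, unsigned int flags)
{
	/* Reject a missing key or output structure up front; the copy
	 * below would otherwise write through a NULL pointer. */
	if (pubkey == NULL || spki == NULL) {
		gnutls_assert();
		return GNUTLS_E_INVALID_REQUEST;
	}

	/* GNUTLS_PK_UNKNOWN marks a key with no SPKI information set. */
	if (pubkey->params.spki.pk == GNUTLS_PK_UNKNOWN)
		return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);

	memcpy(spki, &pubkey->params.spki, sizeof(gnutls_x509_spki_st));

	return 0;
}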
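/**
 * gnutls_pubkey_set_spki:
 * @pubkey: a public key of type #gnutls_pubkey_t
 * @spki: a SubjectPublicKeyInfo structure of type #gnutls_x509_spki_t
 * @flags: must be zero (not read by this function)
 *
 * This function will set the public key information.
 * The provided @spki must be initialized. Its algorithm must be
 * compatible with the key's current algorithm, as judged by the
 * internal compatibility check; on success the key's algorithm is
 * replaced by the one in @spki and the structure is copied byte for
 * byte into the key.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 *   negative error value: %GNUTLS_E_INVALID_REQUEST when @pubkey or
 *   @spki is NULL or the algorithms are not compatible.
 *
 * Since: 3.6.0
 **/
int
gnutls_pubkey_set_spki(gnutls_pubkey_t pubkey, const gnutls_x509_spki_t spki, unsigned int flags)
{
	/* Reject a missing key or input structure up front; spki->pk is
	 * read by the compatibility check right below. */
	if (pubkey == NULL || spki == NULL) {
		gnutls_assert();
		return GNUTLS_E_INVALID_REQUEST;
	}

	/* Refuse to retag the key with an algorithm it is not compatible
	 * with; nothing is modified on this path. */
	if (!_gnutls_pk_are_compat(pubkey->params.algo, spki->pk))
		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);

	memcpy(&pubkey->params.spki, spki, sizeof(gnutls_x509_spki_st));

	/* Keep the key's algorithm in step with the information just set. */
	pubkey->params.algo = spki->pk;

	return 0;
}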