source-git / mingw-gnutls

Clone
Source Code
GIT

Blame lib/pubkey.c

c8 master
  1.   c33d3197415a74fa79f3dd935daa2012d33a4b1f
  2.   lib
  3.   pubkey.c
Blob History Raw
Packit 549fdc 
/*
Packit 549fdc 
 * GnuTLS public key support
Packit 549fdc 
 * Copyright (C) 2010-2012 Free Software Foundation, Inc.
Packit 549fdc 
 * Copyright (C) 2017 Red Hat, Inc.
Packit 549fdc 
 *
Packit 549fdc 
 * Author: Nikos Mavrogiannopoulos
Packit 549fdc 
 *
Packit 549fdc 
 * The GnuTLS is free software; you can redistribute it and/or
Packit 549fdc 
 * modify it under the terms of the GNU Lesser General Public License
Packit 549fdc 
 * as published by the Free Software Foundation; either version 2.1 of
Packit 549fdc 
 * the License, or (at your option) any later version.
Packit 549fdc 
 *
Packit 549fdc 
 * This library is distributed in the hope that it will be useful, but
Packit 549fdc 
 * WITHOUT ANY WARRANTY; without even the implied warranty of
Packit 549fdc 
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
Packit 549fdc 
 * Lesser General Public License for more details.
Packit 549fdc 
 *
Packit 549fdc 
 * You should have received a copy of the GNU Lesser General Public License
Packit 549fdc 
 * along with this program.  If not, see <http://www.gnu.org/licenses/>
Packit 549fdc 
 */
Packit 549fdc
Packit 549fdc 
#include "gnutls_int.h"
Packit 549fdc 
#include <gnutls/pkcs11.h>
Packit 549fdc 
#include <stdio.h>
Packit 549fdc 
#include <string.h>
Packit 549fdc 
#include "errors.h"
Packit 549fdc 
#include <datum.h>
Packit 549fdc 
#include <pkcs11_int.h>
Packit 549fdc 
#include <gnutls/abstract.h>
Packit 549fdc 
#include <tls-sig.h>
Packit 549fdc 
#include <pk.h>
Packit 549fdc 
#include <x509_int.h>
Packit 549fdc 
#include <num.h>
Packit 549fdc 
#include <x509/common.h>
Packit 549fdc 
#include <x509_b64.h>
Packit 549fdc 
#include <abstract_int.h>
Packit 549fdc 
#include <fips.h>
Packit 549fdc 
#include "urls.h"
Packit 549fdc 
#include <ecc.h>
Packit 549fdc
Packit 549fdc 
static int
Packit 549fdc 
pubkey_verify_hashed_data(const gnutls_sign_entry_st *se,
Packit 549fdc 
			  const mac_entry_st *me,
Packit 549fdc 
			  const gnutls_datum_t * hash,
Packit 549fdc 
			  const gnutls_datum_t * signature,
Packit 549fdc 
			  gnutls_pk_params_st * params,
Packit 549fdc 
			  gnutls_x509_spki_st * sign_params,
Packit 549fdc 
			  unsigned flags);
Packit 549fdc
Packit 549fdc 
unsigned pubkey_to_bits(const gnutls_pk_params_st * params)
Packit 549fdc 
{
Packit 549fdc 
	switch (params->algo) {
Packit 549fdc 
	case GNUTLS_PK_RSA:
Packit 549fdc 
	case GNUTLS_PK_RSA_PSS:
Packit 549fdc 
		return _gnutls_mpi_get_nbits(params->params[RSA_MODULUS]);
Packit 549fdc 
	case GNUTLS_PK_DSA:
Packit 549fdc 
		return _gnutls_mpi_get_nbits(params->params[DSA_P]);
Packit 549fdc 
	case GNUTLS_PK_ECDSA:
Packit 549fdc 
	case GNUTLS_PK_EDDSA_ED25519:
Packit 549fdc 
		return gnutls_ecc_curve_get_size(params->curve) * 8;
Packit 549fdc 
	default:
Packit 549fdc 
		return 0;
Packit 549fdc 
	}
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
/**
Packit 549fdc 
 * gnutls_pubkey_get_pk_algorithm:
Packit 549fdc 
 * @key: should contain a #gnutls_pubkey_t type
Packit 549fdc 
 * @bits: If set will return the number of bits of the parameters (may be NULL)
Packit 549fdc 
 *
Packit 549fdc 
 * This function will return the public key algorithm of a public
Packit 549fdc 
 * key and if possible will return a number of bits that indicates
Packit 549fdc 
 * the security parameter of the key.
Packit 549fdc 
 *
Packit 549fdc 
 * Returns: a member of the #gnutls_pk_algorithm_t enumeration on
Packit 549fdc 
 *   success, or a negative error code on error.
Packit 549fdc 
 *
Packit 549fdc 
 * Since: 2.12.0
Packit 549fdc 
 **/
Packit 549fdc 
int gnutls_pubkey_get_pk_algorithm(gnutls_pubkey_t key, unsigned int *bits)
Packit 549fdc 
{
Packit 549fdc 
	if (bits)
Packit 549fdc 
		*bits = key->bits;
Packit 549fdc
Packit 549fdc 
	return key->params.algo;
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
/**
Packit 549fdc 
 * gnutls_pubkey_get_key_usage:
Packit 549fdc 
 * @key: should contain a #gnutls_pubkey_t type
Packit 549fdc 
 * @usage: If set will return the number of bits of the parameters (may be NULL)
Packit 549fdc 
 *
Packit 549fdc 
 * This function will return the key usage of the public key.
Packit 549fdc 
 *
Packit 549fdc 
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
Packit 549fdc 
 *   negative error value.
Packit 549fdc 
 *
Packit 549fdc 
 * Since: 2.12.0
Packit 549fdc 
 **/
Packit 549fdc 
int gnutls_pubkey_get_key_usage(gnutls_pubkey_t key, unsigned int *usage)
Packit 549fdc 
{
Packit 549fdc 
	if (usage)
Packit 549fdc 
		*usage = key->key_usage;
Packit 549fdc
Packit 549fdc 
	return 0;
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
/**
Packit 549fdc 
 * gnutls_pubkey_init:
Packit 549fdc 
 * @key: A pointer to the type to be initialized
Packit 549fdc 
 *
Packit 549fdc 
 * This function will initialize a public key.
Packit 549fdc 
 *
Packit 549fdc 
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
Packit 549fdc 
 *   negative error value.
Packit 549fdc 
 *
Packit 549fdc 
 * Since: 2.12.0
Packit 549fdc 
 **/
Packit 549fdc 
int gnutls_pubkey_init(gnutls_pubkey_t * key)
Packit 549fdc 
{
Packit 549fdc 
	FAIL_IF_LIB_ERROR;
Packit 549fdc
Packit 549fdc 
	*key = gnutls_calloc(1, sizeof(struct gnutls_pubkey_st));
Packit 549fdc 
	if (*key == NULL) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		return GNUTLS_E_MEMORY_ERROR;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	return 0;
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
/**
Packit 549fdc 
 * gnutls_pubkey_deinit:
Packit 549fdc 
 * @key: The key to be deinitialized
Packit 549fdc 
 *
Packit 549fdc 
 * This function will deinitialize a public key structure.
Packit 549fdc 
 *
Packit 549fdc 
 * Since: 2.12.0
Packit 549fdc 
 **/
Packit 549fdc 
void gnutls_pubkey_deinit(gnutls_pubkey_t key)
Packit 549fdc 
{
Packit 549fdc 
	if (!key)
Packit 549fdc 
		return;
Packit 549fdc 
	gnutls_pk_params_release(&key->params);
Packit 549fdc 
	gnutls_free(key);
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
/**
Packit 549fdc 
 * gnutls_pubkey_import_x509:
Packit 549fdc 
 * @key: The public key
Packit 549fdc 
 * @crt: The certificate to be imported
Packit 549fdc 
 * @flags: should be zero
Packit 549fdc 
 *
Packit 549fdc 
 * This function will import the given public key to the abstract
Packit 549fdc 
 * #gnutls_pubkey_t type.
Packit 549fdc 
 *
Packit 549fdc 
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
Packit 549fdc 
 *   negative error value.
Packit 549fdc 
 *
Packit 549fdc 
 * Since: 2.12.0
Packit 549fdc 
 **/
Packit 549fdc 
int
Packit 549fdc 
gnutls_pubkey_import_x509(gnutls_pubkey_t key, gnutls_x509_crt_t crt,
Packit 549fdc 
			  unsigned int flags)
Packit 549fdc 
{
Packit 549fdc 
	int ret;
Packit 549fdc
Packit 549fdc 
	gnutls_pk_params_release(&key->params);
Packit 549fdc 
	/* params initialized in _gnutls_x509_crt_get_mpis */
Packit 549fdc
Packit 549fdc 
	ret = gnutls_x509_crt_get_pk_algorithm(crt, &key->bits);
Packit 549fdc 
	if (ret < 0)
Packit 549fdc 
		return gnutls_assert_val(ret);
Packit 549fdc
Packit 549fdc 
	key->params.algo = ret;
Packit 549fdc
Packit 549fdc 
	ret = gnutls_x509_crt_get_key_usage(crt, &key->key_usage, NULL);
Packit 549fdc 
	if (ret < 0)
Packit 549fdc 
		key->key_usage = 0;
Packit 549fdc
Packit 549fdc 
	ret = _gnutls_x509_crt_get_mpis(crt, &key->params);
Packit 549fdc 
	if (ret < 0) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		return ret;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	return 0;
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
/**
Packit 549fdc 
 * gnutls_pubkey_import_x509_crq:
Packit 549fdc 
 * @key: The public key
Packit 549fdc 
 * @crq: The certificate to be imported
Packit 549fdc 
 * @flags: should be zero
Packit 549fdc 
 *
Packit 549fdc 
 * This function will import the given public key to the abstract
Packit 549fdc 
 * #gnutls_pubkey_t type.
Packit 549fdc 
 *
Packit 549fdc 
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
Packit 549fdc 
 *   negative error value.
Packit 549fdc 
 *
Packit 549fdc 
 * Since: 3.1.5
Packit 549fdc 
 **/
Packit 549fdc 
int
Packit 549fdc 
gnutls_pubkey_import_x509_crq(gnutls_pubkey_t key, gnutls_x509_crq_t crq,
Packit 549fdc 
			      unsigned int flags)
Packit 549fdc 
{
Packit 549fdc 
	int ret;
Packit 549fdc
Packit 549fdc 
	gnutls_pk_params_release(&key->params);
Packit 549fdc 
	/* params initialized in _gnutls_x509_crq_get_mpis */
Packit 549fdc
Packit 549fdc 
	key->params.algo = gnutls_x509_crq_get_pk_algorithm(crq, &key->bits);
Packit 549fdc
Packit 549fdc 
	ret = gnutls_x509_crq_get_key_usage(crq, &key->key_usage, NULL);
Packit 549fdc 
	if (ret < 0)
Packit 549fdc 
		key->key_usage = 0;
Packit 549fdc
Packit 549fdc 
	ret = _gnutls_x509_crq_get_mpis(crq, &key->params);
Packit 549fdc 
	if (ret < 0) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		return ret;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	return 0;
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
/**
Packit 549fdc 
 * gnutls_pubkey_import_privkey:
Packit 549fdc 
 * @key: The public key
Packit 549fdc 
 * @pkey: The private key
Packit 549fdc 
 * @usage: GNUTLS_KEY_* key usage flags.
Packit 549fdc 
 * @flags: should be zero
Packit 549fdc 
 *
Packit 549fdc 
 * Imports the public key from a private.  This function will import
Packit 549fdc 
 * the given public key to the abstract #gnutls_pubkey_t type.
Packit 549fdc 
 *
Packit 549fdc 
 * Note that in certain keys this operation may not be possible, e.g.,
Packit 549fdc 
 * in other than RSA PKCS#11 keys.
Packit 549fdc 
 *
Packit 549fdc 
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
Packit 549fdc 
 *   negative error value.
Packit 549fdc 
 *
Packit 549fdc 
 * Since: 2.12.0
Packit 549fdc 
 **/
Packit 549fdc 
int
Packit 549fdc 
gnutls_pubkey_import_privkey(gnutls_pubkey_t key, gnutls_privkey_t pkey,
Packit 549fdc 
			     unsigned int usage, unsigned int flags)
Packit 549fdc 
{
Packit 549fdc 
	gnutls_pk_params_release(&key->params);
Packit 549fdc 
	gnutls_pk_params_init(&key->params);
Packit 549fdc
Packit 549fdc 
	key->key_usage = usage;
Packit 549fdc 
	key->params.algo = gnutls_privkey_get_pk_algorithm(pkey, &key->bits);
Packit 549fdc
Packit 549fdc 
	return _gnutls_privkey_get_public_mpis(pkey, &key->params);
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
/**
Packit 549fdc 
 * gnutls_pubkey_get_preferred_hash_algorithm:
Packit 549fdc 
 * @key: Holds the certificate
Packit 549fdc 
 * @hash: The result of the call with the hash algorithm used for signature
Packit 549fdc 
 * @mand: If non zero it means that the algorithm MUST use this hash. May be NULL.
Packit 549fdc 
 *
Packit 549fdc 
 * This function will read the certificate and return the appropriate digest
Packit 549fdc 
 * algorithm to use for signing with this certificate. Some certificates (i.e.
Packit 549fdc 
 * DSA might not be able to sign without the preferred algorithm).
Packit 549fdc 
 *
Packit 549fdc 
 * To get the signature algorithm instead of just the hash use gnutls_pk_to_sign()
Packit 549fdc 
 * with the algorithm of the certificate/key and the provided @hash.
Packit 549fdc 
 *
Packit 549fdc 
 * Returns: the 0 if the hash algorithm is found. A negative error code is
Packit 549fdc 
 * returned on error.
Packit 549fdc 
 *
Packit 549fdc 
 * Since: 2.12.0
Packit 549fdc 
 **/
Packit 549fdc 
int
Packit 549fdc 
gnutls_pubkey_get_preferred_hash_algorithm(gnutls_pubkey_t key,
Packit 549fdc 
					   gnutls_digest_algorithm_t *
Packit 549fdc 
					   hash, unsigned int *mand)
Packit 549fdc 
{
Packit 549fdc 
	int ret;
Packit 549fdc 
	const mac_entry_st *me;
Packit 549fdc
Packit 549fdc 
	if (key == NULL) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		return GNUTLS_E_INVALID_REQUEST;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	if (mand)
Packit 549fdc 
		*mand = 0;
Packit 549fdc
Packit 549fdc 
	switch (key->params.algo) {
Packit 549fdc 
	case GNUTLS_PK_DSA:
Packit 549fdc 
		if (mand)
Packit 549fdc 
			*mand = 1;
Packit 549fdc 
		/* fallthrough */
Packit 549fdc 
	case GNUTLS_PK_ECDSA:
Packit 549fdc
Packit 549fdc 
		me = _gnutls_dsa_q_to_hash(&key->params, NULL);
Packit 549fdc 
		if (hash)
Packit 549fdc 
			*hash = (gnutls_digest_algorithm_t)me->id;
Packit 549fdc
Packit 549fdc 
		ret = 0;
Packit 549fdc 
		break;
Packit 549fdc 
	case GNUTLS_PK_EDDSA_ED25519:
Packit 549fdc 
		if (hash)
Packit 549fdc 
			*hash = GNUTLS_DIG_SHA512;
Packit 549fdc
Packit 549fdc 
		ret = 0;
Packit 549fdc 
		break;
Packit 549fdc 
	case GNUTLS_PK_RSA_PSS:
Packit 549fdc 
		if (mand && key->params.spki.rsa_pss_dig)
Packit 549fdc 
			*mand = 1;
Packit 549fdc
Packit 549fdc 
		if (hash) {
Packit 549fdc 
			if (key->params.spki.rsa_pss_dig) {
Packit 549fdc 
				*hash = key->params.spki.rsa_pss_dig;
Packit 549fdc 
			} else {
Packit 549fdc 
				*hash = _gnutls_pk_bits_to_sha_hash(pubkey_to_bits(&key->params));
Packit 549fdc 
			}
Packit 549fdc 
		}
Packit 549fdc 
		ret = 0;
Packit 549fdc 
		break;
Packit 549fdc 
	case GNUTLS_PK_RSA:
Packit 549fdc 
		if (hash)
Packit 549fdc 
			*hash = _gnutls_pk_bits_to_sha_hash(pubkey_to_bits(&key->params));
Packit 549fdc 
		ret = 0;
Packit 549fdc 
		break;
Packit 549fdc
Packit 549fdc 
	default:
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		ret = GNUTLS_E_INTERNAL_ERROR;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	return ret;
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
#ifdef ENABLE_PKCS11
Packit 549fdc
Packit 549fdc 
/**
Packit 549fdc 
 * gnutls_pubkey_import_pkcs11:
Packit 549fdc 
 * @key: The public key
Packit 549fdc 
 * @obj: The parameters to be imported
Packit 549fdc 
 * @flags: should be zero
Packit 549fdc 
 *
Packit 549fdc 
 * Imports a public key from a pkcs11 key. This function will import
Packit 549fdc 
 * the given public key to the abstract #gnutls_pubkey_t type.
Packit 549fdc 
 *
Packit 549fdc 
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
Packit 549fdc 
 *   negative error value.
Packit 549fdc 
 *
Packit 549fdc 
 * Since: 2.12.0
Packit 549fdc 
 **/
Packit 549fdc 
int
Packit 549fdc 
gnutls_pubkey_import_pkcs11(gnutls_pubkey_t key,
Packit 549fdc 
			    gnutls_pkcs11_obj_t obj, unsigned int flags)
Packit 549fdc 
{
Packit 549fdc 
	int ret, type;
Packit 549fdc
Packit 549fdc 
	type = gnutls_pkcs11_obj_get_type(obj);
Packit 549fdc 
	if (type != GNUTLS_PKCS11_OBJ_PUBKEY
Packit 549fdc 
	    && type != GNUTLS_PKCS11_OBJ_X509_CRT) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		return GNUTLS_E_INVALID_REQUEST;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	if (type == GNUTLS_PKCS11_OBJ_X509_CRT) {
Packit 549fdc 
		gnutls_x509_crt_t xcrt;
Packit 549fdc
Packit 549fdc 
		ret = gnutls_x509_crt_init(&xcrt);
Packit 549fdc 
		if (ret < 0) {
Packit 549fdc 
			gnutls_assert()
Packit 549fdc 
			    return ret;
Packit 549fdc 
		}
Packit 549fdc
Packit 549fdc 
		ret = gnutls_x509_crt_import_pkcs11(xcrt, obj);
Packit 549fdc 
		if (ret < 0) {
Packit 549fdc 
			gnutls_assert();
Packit 549fdc 
			goto cleanup_crt;
Packit 549fdc 
		}
Packit 549fdc
Packit 549fdc 
		ret = gnutls_pubkey_import_x509(key, xcrt, 0);
Packit 549fdc 
		if (ret < 0) {
Packit 549fdc 
			gnutls_assert();
Packit 549fdc 
			goto cleanup_crt;
Packit 549fdc 
		}
Packit 549fdc
Packit 549fdc 
		ret = gnutls_x509_crt_get_key_usage(xcrt, &key->key_usage, NULL);
Packit 549fdc 
		if (ret < 0)
Packit 549fdc 
		  key->key_usage = 0;
Packit 549fdc
Packit 549fdc 
		ret = 0;
Packit 549fdc 
	      cleanup_crt:
Packit 549fdc 
		gnutls_x509_crt_deinit(xcrt);
Packit 549fdc 
		return ret;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	key->key_usage = obj->key_usage;
Packit 549fdc
Packit 549fdc 
	switch (obj->pk_algorithm) {
Packit 549fdc 
	case GNUTLS_PK_RSA:
Packit 549fdc 
	case GNUTLS_PK_RSA_PSS:
Packit 549fdc 
		ret = gnutls_pubkey_import_rsa_raw(key, &obj->pubkey[0],
Packit 549fdc 
						   &obj->pubkey[1]);
Packit 549fdc 
		break;
Packit 549fdc 
	case GNUTLS_PK_DSA:
Packit 549fdc 
		ret = gnutls_pubkey_import_dsa_raw(key, &obj->pubkey[0],
Packit 549fdc 
						   &obj->pubkey[1],
Packit 549fdc 
						   &obj->pubkey[2],
Packit 549fdc 
						   &obj->pubkey[3]);
Packit 549fdc 
		break;
Packit 549fdc 
	case GNUTLS_PK_EC:
Packit 549fdc 
		ret = gnutls_pubkey_import_ecc_x962(key, &obj->pubkey[0],
Packit 549fdc 
						    &obj->pubkey[1]);
Packit 549fdc 
		break;
Packit 549fdc 
	default:
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		return GNUTLS_E_UNIMPLEMENTED_FEATURE;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	if (ret < 0) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		return ret;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	return 0;
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
#endif				/* ENABLE_PKCS11 */
Packit 549fdc
Packit 549fdc 
/**
Packit 549fdc 
 * gnutls_pubkey_export:
Packit 549fdc 
 * @key: Holds the certificate
Packit 549fdc 
 * @format: the format of output params. One of PEM or DER.
Packit 549fdc 
 * @output_data: will contain a certificate PEM or DER encoded
Packit 549fdc 
 * @output_data_size: holds the size of output_data (and will be
Packit 549fdc 
 *   replaced by the actual size of parameters)
Packit 549fdc 
 *
Packit 549fdc 
 * This function will export the public key to DER or PEM format.
Packit 549fdc 
 * The contents of the exported data is the SubjectPublicKeyInfo
Packit 549fdc 
 * X.509 structure.
Packit 549fdc 
 *
Packit 549fdc 
 * If the buffer provided is not long enough to hold the output, then
Packit 549fdc 
 * *output_data_size is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER will
Packit 549fdc 
 * be returned.
Packit 549fdc 
 *
Packit 549fdc 
 * If the structure is PEM encoded, it will have a header
Packit 549fdc 
 * of "BEGIN CERTIFICATE".
Packit 549fdc 
 *
Packit 549fdc 
 * Returns: In case of failure a negative error code will be
Packit 549fdc 
 *   returned, and 0 on success.
Packit 549fdc 
 *
Packit 549fdc 
 * Since: 2.12.0
Packit 549fdc 
 **/
Packit 549fdc 
int
Packit 549fdc 
gnutls_pubkey_export(gnutls_pubkey_t key,
Packit 549fdc 
		     gnutls_x509_crt_fmt_t format, void *output_data,
Packit 549fdc 
		     size_t * output_data_size)
Packit 549fdc 
{
Packit 549fdc 
	int result;
Packit 549fdc 
	ASN1_TYPE spk = ASN1_TYPE_EMPTY;
Packit 549fdc
Packit 549fdc 
	if (key == NULL) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		return GNUTLS_E_INVALID_REQUEST;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	if ((result = asn1_create_element
Packit 549fdc 
	     (_gnutls_get_pkix(), "PKIX1.SubjectPublicKeyInfo", &spk))
Packit 549fdc 
	    != ASN1_SUCCESS) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		return _gnutls_asn2err(result);
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	result =
Packit 549fdc 
	    _gnutls_x509_encode_and_copy_PKI_params(spk, "",
Packit 549fdc 
						    &key->params);
Packit 549fdc 
	if (result < 0) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		goto cleanup;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	result = _gnutls_x509_export_int_named(spk, "",
Packit 549fdc 
					       format, PEM_PK,
Packit 549fdc 
					       output_data,
Packit 549fdc 
					       output_data_size);
Packit 549fdc 
	if (result < 0) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		goto cleanup;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	result = 0;
Packit 549fdc
Packit 549fdc 
      cleanup:
Packit 549fdc 
	asn1_delete_structure(&spk;;
Packit 549fdc
Packit 549fdc 
	return result;
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
/**
Packit 549fdc 
 * gnutls_pubkey_export2:
Packit 549fdc 
 * @key: Holds the certificate
Packit 549fdc 
 * @format: the format of output params. One of PEM or DER.
Packit 549fdc 
 * @out: will contain a certificate PEM or DER encoded
Packit 549fdc 
 *
Packit 549fdc 
 * This function will export the public key to DER or PEM format.
Packit 549fdc 
 * The contents of the exported data is the SubjectPublicKeyInfo
Packit 549fdc 
 * X.509 structure.
Packit 549fdc 
 *
Packit 549fdc 
 * The output buffer will be allocated using gnutls_malloc().
Packit 549fdc 
 *
Packit 549fdc 
 * If the structure is PEM encoded, it will have a header
Packit 549fdc 
 * of "BEGIN CERTIFICATE".
Packit 549fdc 
 *
Packit 549fdc 
 * Returns: In case of failure a negative error code will be
Packit 549fdc 
 *   returned, and 0 on success.
Packit 549fdc 
 *
Packit 549fdc 
 * Since: 3.1.3
Packit 549fdc 
 **/
Packit 549fdc 
int
Packit 549fdc 
gnutls_pubkey_export2(gnutls_pubkey_t key,
Packit 549fdc 
		      gnutls_x509_crt_fmt_t format, gnutls_datum_t * out)
Packit 549fdc 
{
Packit 549fdc 
	int result;
Packit 549fdc 
	ASN1_TYPE spk = ASN1_TYPE_EMPTY;
Packit 549fdc
Packit 549fdc 
	if (key == NULL) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		return GNUTLS_E_INVALID_REQUEST;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	if ((result = asn1_create_element
Packit 549fdc 
	     (_gnutls_get_pkix(), "PKIX1.SubjectPublicKeyInfo", &spk))
Packit 549fdc 
	    != ASN1_SUCCESS) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		return _gnutls_asn2err(result);
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	result =
Packit 549fdc 
	    _gnutls_x509_encode_and_copy_PKI_params(spk, "",
Packit 549fdc 
						    &key->params);
Packit 549fdc 
	if (result < 0) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		goto cleanup;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	result = _gnutls_x509_export_int_named2(spk, "",
Packit 549fdc 
						format, PEM_PK,
Packit 549fdc 
						out);
Packit 549fdc 
	if (result < 0) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		goto cleanup;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	result = 0;
Packit 549fdc
Packit 549fdc 
      cleanup:
Packit 549fdc 
	asn1_delete_structure(&spk;;
Packit 549fdc
Packit 549fdc 
	return result;
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
/**
Packit 549fdc 
 * gnutls_pubkey_get_key_id:
Packit 549fdc 
 * @key: Holds the public key
Packit 549fdc 
 * @flags: should be one of the flags from %gnutls_keyid_flags_t
Packit 549fdc 
 * @output_data: will contain the key ID
Packit 549fdc 
 * @output_data_size: holds the size of output_data (and will be
Packit 549fdc 
 *   replaced by the actual size of parameters)
Packit 549fdc 
 *
Packit 549fdc 
 * This function will return a unique ID that depends on the public
Packit 549fdc 
 * key parameters. This ID can be used in checking whether a
Packit 549fdc 
 * certificate corresponds to the given public key.
Packit 549fdc 
 *
Packit 549fdc 
 * If the buffer provided is not long enough to hold the output, then
Packit 549fdc 
 * *output_data_size is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER will
Packit 549fdc 
 * be returned.  The output will normally be a SHA-1 hash output,
Packit 549fdc 
 * which is 20 bytes.
Packit 549fdc 
 *
Packit 549fdc 
 * Returns: In case of failure a negative error code will be
Packit 549fdc 
 *   returned, and 0 on success.
Packit 549fdc 
 *
Packit 549fdc 
 * Since: 2.12.0
Packit 549fdc 
 **/
Packit 549fdc 
int
Packit 549fdc 
gnutls_pubkey_get_key_id(gnutls_pubkey_t key, unsigned int flags,
Packit 549fdc 
			 unsigned char *output_data,
Packit 549fdc 
			 size_t * output_data_size)
Packit 549fdc 
{
Packit 549fdc 
	int ret = 0;
Packit 549fdc
Packit 549fdc 
	if (key == NULL) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		return GNUTLS_E_INVALID_REQUEST;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	ret =
Packit 549fdc 
	    _gnutls_get_key_id(&key->params,
Packit 549fdc 
			       output_data, output_data_size, flags);
Packit 549fdc 
	if (ret < 0) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		return ret;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	return 0;
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
/**
Packit 549fdc 
 * gnutls_pubkey_export_rsa_raw2:
Packit 549fdc 
 * @key: Holds the certificate
Packit 549fdc 
 * @m: will hold the modulus (may be %NULL)
Packit 549fdc 
 * @e: will hold the public exponent (may be %NULL)
Packit 549fdc 
 * @flags: flags from %gnutls_abstract_export_flags_t
Packit 549fdc 
 *
Packit 549fdc 
 * This function will export the RSA public key's parameters found in
Packit 549fdc 
 * the given structure.  The new parameters will be allocated using
Packit 549fdc 
 * gnutls_malloc() and will be stored in the appropriate datum.
Packit 549fdc 
 *
Packit 549fdc 
 * This function allows for %NULL parameters since 3.4.1.
Packit 549fdc 
 *
Packit 549fdc 
 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
Packit 549fdc 
 *
Packit 549fdc 
 * Since: 3.6.0
Packit 549fdc 
 **/
Packit 549fdc 
int
Packit 549fdc 
gnutls_pubkey_export_rsa_raw2(gnutls_pubkey_t key,
Packit 549fdc 
			     gnutls_datum_t * m, gnutls_datum_t * e,
Packit 549fdc 
			     unsigned flags)
Packit 549fdc 
{
Packit 549fdc 
	int ret;
Packit 549fdc 
	mpi_dprint_func dprint = _gnutls_mpi_dprint_lz;
Packit 549fdc
Packit 549fdc 
	if (flags & GNUTLS_EXPORT_FLAG_NO_LZ)
Packit 549fdc 
		dprint = _gnutls_mpi_dprint;
Packit 549fdc
Packit 549fdc 
	if (key == NULL) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		return GNUTLS_E_INVALID_REQUEST;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	if (!GNUTLS_PK_IS_RSA(key->params.algo)) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		return GNUTLS_E_INVALID_REQUEST;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	if (m) {
Packit 549fdc 
		ret = dprint(key->params.params[0], m);
Packit 549fdc 
		if (ret < 0) {
Packit 549fdc 
			gnutls_assert();
Packit 549fdc 
			return ret;
Packit 549fdc 
		}
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	if (e) {
Packit 549fdc 
		ret = dprint(key->params.params[1], e);
Packit 549fdc 
		if (ret < 0) {
Packit 549fdc 
			gnutls_assert();
Packit 549fdc 
			_gnutls_free_datum(m);
Packit 549fdc 
			return ret;
Packit 549fdc 
		}
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	return 0;
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
/**
Packit 549fdc 
 * gnutls_pubkey_export_rsa_raw:
Packit 549fdc 
 * @key: Holds the certificate
Packit 549fdc 
 * @m: will hold the modulus (may be %NULL)
Packit 549fdc 
 * @e: will hold the public exponent (may be %NULL)
Packit 549fdc 
 *
Packit 549fdc 
 * This function will export the RSA public key's parameters found in
Packit 549fdc 
 * the given structure.  The new parameters will be allocated using
Packit 549fdc 
 * gnutls_malloc() and will be stored in the appropriate datum.
Packit 549fdc 
 *
Packit 549fdc 
 * This function allows for %NULL parameters since 3.4.1.
Packit 549fdc 
 *
Packit 549fdc 
 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
Packit 549fdc 
 *
Packit 549fdc 
 * Since: 3.3.0
Packit 549fdc 
 **/
Packit 549fdc 
int
Packit 549fdc 
gnutls_pubkey_export_rsa_raw(gnutls_pubkey_t key,
Packit 549fdc 
			     gnutls_datum_t * m, gnutls_datum_t * e)
Packit 549fdc 
{
Packit 549fdc 
	return gnutls_pubkey_export_rsa_raw2(key, m, e, 0);
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc
Packit 549fdc 
/**
Packit 549fdc 
 * gnutls_pubkey_export_dsa_raw:
Packit 549fdc 
 * @key: Holds the public key
Packit 549fdc 
 * @p: will hold the p (may be %NULL)
Packit 549fdc 
 * @q: will hold the q (may be %NULL)
Packit 549fdc 
 * @g: will hold the g (may be %NULL)
Packit 549fdc 
 * @y: will hold the y (may be %NULL)
Packit 549fdc 
 *
Packit 549fdc 
 * This function will export the DSA public key's parameters found in
Packit 549fdc 
 * the given certificate.  The new parameters will be allocated using
Packit 549fdc 
 * gnutls_malloc() and will be stored in the appropriate datum.
Packit 549fdc 
 *
Packit 549fdc 
 * This function allows for %NULL parameters since 3.4.1.
Packit 549fdc 
 *
Packit 549fdc 
 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
Packit 549fdc 
 *
Packit 549fdc 
 * Since: 3.3.0
Packit 549fdc 
 **/
Packit 549fdc 
int
Packit 549fdc 
gnutls_pubkey_export_dsa_raw(gnutls_pubkey_t key,
Packit 549fdc 
			     gnutls_datum_t * p, gnutls_datum_t * q,
Packit 549fdc 
			     gnutls_datum_t * g, gnutls_datum_t * y)
Packit 549fdc 
{
Packit 549fdc 
	return gnutls_pubkey_export_dsa_raw2(key, p, q, g, y, 0);
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
/**
Packit 549fdc 
 * gnutls_pubkey_export_dsa_raw2:
Packit 549fdc 
 * @key: Holds the public key
Packit 549fdc 
 * @p: will hold the p (may be %NULL)
Packit 549fdc 
 * @q: will hold the q (may be %NULL)
Packit 549fdc 
 * @g: will hold the g (may be %NULL)
Packit 549fdc 
 * @y: will hold the y (may be %NULL)
Packit 549fdc 
 * @flags: flags from %gnutls_abstract_export_flags_t
Packit 549fdc 
 *
Packit 549fdc 
 * This function will export the DSA public key's parameters found in
Packit 549fdc 
 * the given certificate.  The new parameters will be allocated using
Packit 549fdc 
 * gnutls_malloc() and will be stored in the appropriate datum.
Packit 549fdc 
 *
Packit 549fdc 
 * This function allows for %NULL parameters since 3.4.1.
Packit 549fdc 
 *
Packit 549fdc 
 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
Packit 549fdc 
 *
Packit 549fdc 
 * Since: 3.6.0
Packit 549fdc 
 **/
Packit 549fdc 
int
Packit 549fdc 
gnutls_pubkey_export_dsa_raw2(gnutls_pubkey_t key,
Packit 549fdc 
			     gnutls_datum_t * p, gnutls_datum_t * q,
Packit 549fdc 
			     gnutls_datum_t * g, gnutls_datum_t * y,
Packit 549fdc 
			     unsigned flags)
Packit 549fdc 
{
Packit 549fdc 
	int ret;
Packit 549fdc 
	mpi_dprint_func dprint = _gnutls_mpi_dprint_lz;
Packit 549fdc
Packit 549fdc 
	if (flags & GNUTLS_EXPORT_FLAG_NO_LZ)
Packit 549fdc 
		dprint = _gnutls_mpi_dprint;
Packit 549fdc
Packit 549fdc 
	if (key == NULL) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		return GNUTLS_E_INVALID_REQUEST;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	if (key->params.algo != GNUTLS_PK_DSA) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		return GNUTLS_E_INVALID_REQUEST;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	/* P */
Packit 549fdc 
	if (p) {
Packit 549fdc 
		ret = dprint(key->params.params[0], p);
Packit 549fdc 
		if (ret < 0) {
Packit 549fdc 
			gnutls_assert();
Packit 549fdc 
			return ret;
Packit 549fdc 
		}
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	/* Q */
Packit 549fdc 
	if (q) {
Packit 549fdc 
		ret = dprint(key->params.params[1], q);
Packit 549fdc 
		if (ret < 0) {
Packit 549fdc 
			gnutls_assert();
Packit 549fdc 
			_gnutls_free_datum(p);
Packit 549fdc 
			return ret;
Packit 549fdc 
		}
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	/* G */
Packit 549fdc 
	if (g) {
Packit 549fdc 
		ret = dprint(key->params.params[2], g);
Packit 549fdc 
		if (ret < 0) {
Packit 549fdc 
			gnutls_assert();
Packit 549fdc 
			_gnutls_free_datum(p);
Packit 549fdc 
			_gnutls_free_datum(q);
Packit 549fdc 
			return ret;
Packit 549fdc 
		}
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	/* Y */
Packit 549fdc 
	if (y) {
Packit 549fdc 
		ret = dprint(key->params.params[3], y);
Packit 549fdc 
		if (ret < 0) {
Packit 549fdc 
			gnutls_assert();
Packit 549fdc 
			_gnutls_free_datum(p);
Packit 549fdc 
			_gnutls_free_datum(g);
Packit 549fdc 
			_gnutls_free_datum(q);
Packit 549fdc 
			return ret;
Packit 549fdc 
		}
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	return 0;
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
/**
Packit 549fdc 
 * gnutls_pubkey_export_ecc_raw:
Packit 549fdc 
 * @key: Holds the public key
Packit 549fdc 
 * @curve: will hold the curve (may be %NULL)
Packit 549fdc 
 * @x: will hold x (may be %NULL)
Packit 549fdc 
 * @y: will hold y (may be %NULL)
Packit 549fdc 
 *
Packit 549fdc 
 * This function will export the ECC public key's parameters found in
Packit 549fdc 
 * the given key.  The new parameters will be allocated using
Packit 549fdc 
 * gnutls_malloc() and will be stored in the appropriate datum.
Packit 549fdc 
 * For EdDSA public keys, @y will be set to %NULL.
Packit 549fdc 
 *
Packit 549fdc 
 * This function allows for %NULL parameters since 3.4.1.
Packit 549fdc 
 *
Packit 549fdc 
 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
Packit 549fdc 
 *
Packit 549fdc 
 * Since: 3.0
Packit 549fdc 
 **/
Packit 549fdc 
int
Packit 549fdc 
gnutls_pubkey_export_ecc_raw(gnutls_pubkey_t key,
Packit 549fdc 
			     gnutls_ecc_curve_t * curve,
Packit 549fdc 
			     gnutls_datum_t * x, gnutls_datum_t * y)
Packit 549fdc 
{
Packit 549fdc 
	return gnutls_pubkey_export_ecc_raw2(key, curve, x, y, 0);
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
/**
Packit 549fdc 
 * gnutls_pubkey_export_ecc_raw2:
Packit 549fdc 
 * @key: Holds the public key
Packit 549fdc 
 * @curve: will hold the curve (may be %NULL)
Packit 549fdc 
 * @x: will hold x (may be %NULL)
Packit 549fdc 
 * @y: will hold y (may be %NULL)
Packit 549fdc 
 * @flags: flags from %gnutls_abstract_export_flags_t
Packit 549fdc 
 *
Packit 549fdc 
 * This function will export the ECC public key's parameters found in
Packit 549fdc 
 * the given key.  The new parameters will be allocated using
Packit 549fdc 
 * gnutls_malloc() and will be stored in the appropriate datum.
Packit 549fdc 
 *
Packit 549fdc 
 * This function allows for %NULL parameters since 3.4.1.
Packit 549fdc 
 *
Packit 549fdc 
 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
Packit 549fdc 
 *
Packit 549fdc 
 * Since: 3.6.0
Packit 549fdc 
 **/
Packit 549fdc 
int
Packit 549fdc 
gnutls_pubkey_export_ecc_raw2(gnutls_pubkey_t key,
Packit 549fdc 
			     gnutls_ecc_curve_t * curve,
Packit 549fdc 
			     gnutls_datum_t * x, gnutls_datum_t * y,
Packit 549fdc 
			     unsigned int flags)
Packit 549fdc 
{
Packit 549fdc 
	int ret;
Packit 549fdc 
	mpi_dprint_func dprint = _gnutls_mpi_dprint_lz;
Packit 549fdc
Packit 549fdc 
	if (flags & GNUTLS_EXPORT_FLAG_NO_LZ)
Packit 549fdc 
		dprint = _gnutls_mpi_dprint;
Packit 549fdc
Packit 549fdc 
	if (key == NULL) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		return GNUTLS_E_INVALID_REQUEST;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	if (!IS_EC(key->params.algo)) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		return GNUTLS_E_INVALID_REQUEST;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	if (curve)
Packit 549fdc 
		*curve = key->params.curve;
Packit 549fdc
Packit 549fdc 
	if (key->params.algo == GNUTLS_PK_EDDSA_ED25519) {
Packit 549fdc 
		if (x) {
Packit 549fdc 
			ret = _gnutls_set_datum(x, key->params.raw_pub.data, key->params.raw_pub.size);
Packit 549fdc 
			if (ret < 0)
Packit 549fdc 
				return gnutls_assert_val(ret);
Packit 549fdc 
		}
Packit 549fdc 
		if (y) {
Packit 549fdc 
			y->data = NULL;
Packit 549fdc 
			y->size = 0;
Packit 549fdc 
		}
Packit 549fdc 
		return 0;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	/* ECDSA */
Packit 549fdc
Packit 549fdc 
	/* X */
Packit 549fdc 
	if (x) {
Packit 549fdc 
		ret = dprint(key->params.params[ECC_X], x);
Packit 549fdc 
		if (ret < 0) {
Packit 549fdc 
			gnutls_assert();
Packit 549fdc 
			return ret;
Packit 549fdc 
		}
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	/* Y */
Packit 549fdc 
	if (y) {
Packit 549fdc 
		ret = dprint(key->params.params[ECC_Y], y);
Packit 549fdc 
		if (ret < 0) {
Packit 549fdc 
			gnutls_assert();
Packit 549fdc 
			_gnutls_free_datum(x);
Packit 549fdc 
			return ret;
Packit 549fdc 
		}
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	return 0;
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
/**
Packit 549fdc 
 * gnutls_pubkey_export_ecc_x962:
Packit 549fdc 
 * @key: Holds the public key
Packit 549fdc 
 * @parameters: DER encoding of an ANSI X9.62 parameters
Packit 549fdc 
 * @ecpoint: DER encoding of ANSI X9.62 ECPoint
Packit 549fdc 
 *
Packit 549fdc 
 * This function will export the ECC public key's parameters found in
Packit 549fdc 
 * the given certificate.  The new parameters will be allocated using
Packit 549fdc 
 * gnutls_malloc() and will be stored in the appropriate datum.
Packit 549fdc 
 *
Packit 549fdc 
 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
Packit 549fdc 
 *
Packit 549fdc 
 * Since: 3.3.0
Packit 549fdc 
 **/
Packit 549fdc 
int gnutls_pubkey_export_ecc_x962(gnutls_pubkey_t key,
Packit 549fdc 
				  gnutls_datum_t * parameters,
Packit 549fdc 
				  gnutls_datum_t * ecpoint)
Packit 549fdc 
{
Packit 549fdc 
	int ret;
Packit 549fdc 
	gnutls_datum_t raw_point = {NULL,0};
Packit 549fdc
Packit 549fdc 
	if (key == NULL || key->params.algo != GNUTLS_PK_EC)
Packit 549fdc 
		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
Packit 549fdc
Packit 549fdc 
	ret = _gnutls_x509_write_ecc_pubkey(&key->params, &raw_point);
Packit 549fdc 
	if (ret < 0)
Packit 549fdc 
		return gnutls_assert_val(ret);
Packit 549fdc
Packit 549fdc 
	ret = _gnutls_x509_encode_string(ASN1_ETYPE_OCTET_STRING,
Packit 549fdc 
					 raw_point.data, raw_point.size, ecpoint);
Packit 549fdc 
	if (ret < 0) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		goto cleanup;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	ret = _gnutls_x509_write_ecc_params(key->params.curve, parameters);
Packit 549fdc 
	if (ret < 0) {
Packit 549fdc 
		_gnutls_free_datum(ecpoint);
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		goto cleanup;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	ret = 0;
Packit 549fdc 
 cleanup:
Packit 549fdc 
	gnutls_free(raw_point.data);
Packit 549fdc 
	return ret;
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
/**
Packit 549fdc 
 * gnutls_pubkey_import:
Packit 549fdc 
 * @key: The public key.
Packit 549fdc 
 * @data: The DER or PEM encoded certificate.
Packit 549fdc 
 * @format: One of DER or PEM
Packit 549fdc 
 *
Packit 549fdc 
 * This function will import the provided public key in
Packit 549fdc 
 * a SubjectPublicKeyInfo X.509 structure to a native
Packit 549fdc 
 * %gnutls_pubkey_t type. The output will be stored
Packit 549fdc 
 * in @key. If the public key is PEM encoded it should have a header
Packit 549fdc 
 * of "PUBLIC KEY".
Packit 549fdc 
 *
Packit 549fdc 
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
Packit 549fdc 
 * negative error value.
Packit 549fdc 
 *
Packit 549fdc 
 * Since: 2.12.0
Packit 549fdc 
 **/
Packit 549fdc 
int
Packit 549fdc 
gnutls_pubkey_import(gnutls_pubkey_t key,
Packit 549fdc 
		     const gnutls_datum_t * data,
Packit 549fdc 
		     gnutls_x509_crt_fmt_t format)
Packit 549fdc 
{
Packit 549fdc 
	int result = 0, need_free = 0;
Packit 549fdc 
	gnutls_datum_t _data;
Packit 549fdc 
	ASN1_TYPE spk;
Packit 549fdc 
	gnutls_ecc_curve_t curve;
Packit 549fdc
Packit 549fdc 
	if (key == NULL) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		return GNUTLS_E_INVALID_REQUEST;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	_data.data = data->data;
Packit 549fdc 
	_data.size = data->size;
Packit 549fdc
Packit 549fdc 
	/* If the Certificate is in PEM format then decode it
Packit 549fdc 
	 */
Packit 549fdc 
	if (format == GNUTLS_X509_FMT_PEM) {
Packit 549fdc 
		/* Try the first header */
Packit 549fdc 
		result =
Packit 549fdc 
		    _gnutls_fbase64_decode(PEM_PK, data->data,
Packit 549fdc 
					   data->size, &_data);
Packit 549fdc
Packit 549fdc 
		if (result < 0) {
Packit 549fdc 
			gnutls_assert();
Packit 549fdc 
			return result;
Packit 549fdc 
		}
Packit 549fdc
Packit 549fdc 
		need_free = 1;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	if ((result = asn1_create_element
Packit 549fdc 
	     (_gnutls_get_pkix(), "PKIX1.SubjectPublicKeyInfo", &spk))
Packit 549fdc 
	    != ASN1_SUCCESS) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		result = _gnutls_asn2err(result);
Packit 549fdc 
		goto cleanup;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	result = _asn1_strict_der_decode(&spk, _data.data, _data.size, NULL);
Packit 549fdc 
	if (result != ASN1_SUCCESS) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		result = _gnutls_asn2err(result);
Packit 549fdc 
		goto cleanup;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	result = _gnutls_get_asn_mpis(spk, "", &key->params);
Packit 549fdc 
	if (result < 0) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		goto cleanup;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	/* this has already been called by get_asn_mpis() thus it cannot
Packit 549fdc 
	 * fail.
Packit 549fdc 
	 */
Packit 549fdc 
	key->params.algo = _gnutls_x509_get_pk_algorithm(spk, "", &curve, NULL);
Packit 549fdc
Packit 549fdc 
	key->params.curve = curve;
Packit 549fdc 
	key->bits = pubkey_to_bits(&key->params);
Packit 549fdc
Packit 549fdc 
	result = 0;
Packit 549fdc
Packit 549fdc 
      cleanup:
Packit 549fdc 
	asn1_delete_structure(&spk;;
Packit 549fdc
Packit 549fdc 
	if (need_free)
Packit 549fdc 
		_gnutls_free_datum(&_data);
Packit 549fdc 
	return result;
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
/**
Packit 549fdc 
 * gnutls_x509_crt_set_pubkey:
Packit 549fdc 
 * @crt: should contain a #gnutls_x509_crt_t type
Packit 549fdc 
 * @key: holds a public key
Packit 549fdc 
 *
Packit 549fdc 
 * This function will set the public parameters from the given public
Packit 549fdc 
 * key to the certificate. The @key can be deallocated after that.
Packit 549fdc 
 *
Packit 549fdc 
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
Packit 549fdc 
 *   negative error value.
Packit 549fdc 
 *
Packit 549fdc 
 * Since: 2.12.0
Packit 549fdc 
 **/
Packit 549fdc 
int gnutls_x509_crt_set_pubkey(gnutls_x509_crt_t crt, gnutls_pubkey_t key)
Packit 549fdc 
{
Packit 549fdc 
	int result;
Packit 549fdc
Packit 549fdc 
	if (crt == NULL) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		return GNUTLS_E_INVALID_REQUEST;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	result = _gnutls_x509_encode_and_copy_PKI_params(crt->cert,
Packit 549fdc 
							 "tbsCertificate.subjectPublicKeyInfo",
Packit 549fdc 
							 &key->params);
Packit 549fdc
Packit 549fdc 
	if (result < 0) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		return result;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	if (key->key_usage)
Packit 549fdc 
		gnutls_x509_crt_set_key_usage(crt, key->key_usage);
Packit 549fdc
Packit 549fdc 
	return 0;
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
/**
Packit 549fdc 
 * gnutls_x509_crq_set_pubkey:
Packit 549fdc 
 * @crq: should contain a #gnutls_x509_crq_t type
Packit 549fdc 
 * @key: holds a public key
Packit 549fdc 
 *
Packit 549fdc 
 * This function will set the public parameters from the given public
Packit 549fdc 
 * key to the request. The @key can be deallocated after that.
Packit 549fdc 
 *
Packit 549fdc 
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
Packit 549fdc 
 *   negative error value.
Packit 549fdc 
 *
Packit 549fdc 
 * Since: 2.12.0
Packit 549fdc 
 **/
Packit 549fdc 
int gnutls_x509_crq_set_pubkey(gnutls_x509_crq_t crq, gnutls_pubkey_t key)
Packit 549fdc 
{
Packit 549fdc 
	int result;
Packit 549fdc
Packit 549fdc 
	if (crq == NULL) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		return GNUTLS_E_INVALID_REQUEST;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	result = _gnutls_x509_encode_and_copy_PKI_params
Packit 549fdc 
	    (crq->crq,
Packit 549fdc 
	     "certificationRequestInfo.subjectPKInfo",
Packit 549fdc 
	     &key->params);
Packit 549fdc
Packit 549fdc 
	if (result < 0) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		return result;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	if (key->key_usage)
Packit 549fdc 
		gnutls_x509_crq_set_key_usage(crq, key->key_usage);
Packit 549fdc
Packit 549fdc 
	return 0;
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
/**
Packit 549fdc 
 * gnutls_pubkey_set_key_usage:
Packit 549fdc 
 * @key: a certificate of type #gnutls_x509_crt_t
Packit 549fdc 
 * @usage: an ORed sequence of the GNUTLS_KEY_* elements.
Packit 549fdc 
 *
Packit 549fdc 
 * This function will set the key usage flags of the public key. This
Packit 549fdc 
 * is only useful if the key is to be exported to a certificate or
Packit 549fdc 
 * certificate request.
Packit 549fdc 
 *
Packit 549fdc 
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
Packit 549fdc 
 *   negative error value.
Packit 549fdc 
 *
Packit 549fdc 
 * Since: 2.12.0
Packit 549fdc 
 **/
Packit 549fdc 
int gnutls_pubkey_set_key_usage(gnutls_pubkey_t key, unsigned int usage)
Packit 549fdc 
{
Packit 549fdc 
	key->key_usage = usage;
Packit 549fdc
Packit 549fdc 
	return 0;
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
#ifdef ENABLE_PKCS11
Packit 549fdc
Packit 549fdc 
#if 0
Packit 549fdc 
/**
Packit 549fdc 
 * gnutls_pubkey_import_pkcs11_url:
Packit 549fdc 
 * @key: A key of type #gnutls_pubkey_t
Packit 549fdc 
 * @url: A PKCS 11 url
Packit 549fdc 
 * @flags: One of GNUTLS_PKCS11_OBJ_* flags
Packit 549fdc 
 *
Packit 549fdc 
 * This function will import a PKCS 11 certificate to a #gnutls_pubkey_t
Packit 549fdc 
 * structure.
Packit 549fdc 
 *
Packit 549fdc 
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
Packit 549fdc 
 *   negative error value.
Packit 549fdc 
 *
Packit 549fdc 
 * Since: 2.12.0
Packit 549fdc 
 **/
Packit 549fdc 
int
Packit 549fdc 
gnutls_pubkey_import_pkcs11_url(gnutls_pubkey_t key, const char *url,
Packit 549fdc 
				unsigned int flags)
Packit 549fdc 
{
Packit 549fdc 
	int x;
Packit 549fdc 
}
Packit 549fdc 
#endif
Packit 549fdc
Packit 549fdc 
static int
Packit 549fdc 
_gnutls_pubkey_import_pkcs11_url(gnutls_pubkey_t key, const char *url,
Packit 549fdc 
				unsigned int flags)
Packit 549fdc 
{
Packit 549fdc 
	gnutls_pkcs11_obj_t pcrt;
Packit 549fdc 
	int ret;
Packit 549fdc
Packit 549fdc 
	ret = gnutls_pkcs11_obj_init(&pcrt);
Packit 549fdc 
	if (ret < 0) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		return ret;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	if (key->pin.cb)
Packit 549fdc 
		gnutls_pkcs11_obj_set_pin_function(pcrt, key->pin.cb,
Packit 549fdc 
						   key->pin.data);
Packit 549fdc
Packit 549fdc 
	ret = gnutls_pkcs11_obj_import_url(pcrt, url, flags|GNUTLS_PKCS11_OBJ_FLAG_EXPECT_PUBKEY);
Packit 549fdc 
	if (ret < 0) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		goto cleanup;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	ret = gnutls_pubkey_import_pkcs11(key, pcrt, flags);
Packit 549fdc 
	if (ret < 0) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		goto cleanup;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	ret = 0;
Packit 549fdc 
      cleanup:
Packit 549fdc
Packit 549fdc 
	gnutls_pkcs11_obj_deinit(pcrt);
Packit 549fdc
Packit 549fdc 
	return ret;
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
#endif				/* ENABLE_PKCS11 */
Packit 549fdc
Packit 549fdc 
/**
Packit 549fdc 
 * gnutls_pubkey_import_url:
Packit 549fdc 
 * @key: A key of type #gnutls_pubkey_t
Packit 549fdc 
 * @url: A PKCS 11 url
Packit 549fdc 
 * @flags: One of GNUTLS_PKCS11_OBJ_* flags
Packit 549fdc 
 *
Packit 549fdc 
 * This function will import a public key from the provided URL.
Packit 549fdc 
 *
Packit 549fdc 
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
Packit 549fdc 
 *   negative error value.
Packit 549fdc 
 *
Packit 549fdc 
 * Since: 3.1.0
Packit 549fdc 
 **/
Packit 549fdc 
int
Packit 549fdc 
gnutls_pubkey_import_url(gnutls_pubkey_t key, const char *url,
Packit 549fdc 
			 unsigned int flags)
Packit 549fdc 
{
Packit 549fdc 
	unsigned i;
Packit 549fdc
Packit 549fdc 
	for (i=0;i<_gnutls_custom_urls_size;i++) {
Packit 549fdc 
		if (strncmp(url, _gnutls_custom_urls[i].name, _gnutls_custom_urls[i].name_size) == 0) {
Packit 549fdc 
			if (_gnutls_custom_urls[i].import_pubkey)
Packit 549fdc 
				return _gnutls_custom_urls[i].import_pubkey(key, url, flags);
Packit 549fdc 
		}
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	if (strncmp(url, PKCS11_URL, PKCS11_URL_SIZE) == 0)
Packit 549fdc 
#ifdef ENABLE_PKCS11
Packit 549fdc 
		return _gnutls_pubkey_import_pkcs11_url(key, url, flags);
Packit 549fdc 
#else
Packit 549fdc 
		return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
Packit 549fdc 
#endif
Packit 549fdc
Packit 549fdc 
	if (strncmp(url, TPMKEY_URL, TPMKEY_URL_SIZE) == 0)
Packit 549fdc 
#ifdef HAVE_TROUSERS
Packit 549fdc 
		return gnutls_pubkey_import_tpm_url(key, url, NULL, 0);
Packit 549fdc 
#else
Packit 549fdc 
		return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
Packit 549fdc 
#endif
Packit 549fdc
Packit 549fdc 
	return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
/**
Packit 549fdc 
 * gnutls_pubkey_import_rsa_raw:
Packit 549fdc 
 * @key: The key
Packit 549fdc 
 * @m: holds the modulus
Packit 549fdc 
 * @e: holds the public exponent
Packit 549fdc 
 *
Packit 549fdc 
 * This function will replace the parameters in the given structure.
Packit 549fdc 
 * The new parameters should be stored in the appropriate
Packit 549fdc 
 * gnutls_datum.
Packit 549fdc 
 *
Packit 549fdc 
 * Returns: %GNUTLS_E_SUCCESS on success, or an negative error code.
Packit 549fdc 
 *
Packit 549fdc 
 * Since: 2.12.0
Packit 549fdc 
 **/
Packit 549fdc 
int
Packit 549fdc 
gnutls_pubkey_import_rsa_raw(gnutls_pubkey_t key,
Packit 549fdc 
			     const gnutls_datum_t * m,
Packit 549fdc 
			     const gnutls_datum_t * e)
Packit 549fdc 
{
Packit 549fdc 
	if (key == NULL) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		return GNUTLS_E_INVALID_REQUEST;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	gnutls_pk_params_release(&key->params);
Packit 549fdc 
	gnutls_pk_params_init(&key->params);
Packit 549fdc
Packit 549fdc 
	if (_gnutls_mpi_init_scan_nz(&key->params.params[0], m->data, m->size)) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		return GNUTLS_E_MPI_SCAN_FAILED;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	if (_gnutls_mpi_init_scan_nz(&key->params.params[1], e->data, e->size)) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		_gnutls_mpi_release(&key->params.params[0]);
Packit 549fdc 
		return GNUTLS_E_MPI_SCAN_FAILED;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	key->params.params_nr = RSA_PUBLIC_PARAMS;
Packit 549fdc 
	key->params.algo = GNUTLS_PK_RSA;
Packit 549fdc 
	key->bits = pubkey_to_bits(&key->params);
Packit 549fdc
Packit 549fdc 
	return 0;
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
/**
Packit 549fdc 
 * gnutls_pubkey_import_ecc_raw:
Packit 549fdc 
 * @key: The structure to store the parsed key
Packit 549fdc 
 * @curve: holds the curve
Packit 549fdc 
 * @x: holds the x
Packit 549fdc 
 * @y: holds the y
Packit 549fdc 
 *
Packit 549fdc 
 * This function will convert the given elliptic curve parameters to a
Packit 549fdc 
 * #gnutls_pubkey_t.  The output will be stored in @key. For EdDSA
Packit 549fdc 
 * keys the @y parameter should be %NULL.
Packit 549fdc 
 *
Packit 549fdc 
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
Packit 549fdc 
 *   negative error value.
Packit 549fdc 
 *
Packit 549fdc 
 * Since: 3.0
Packit 549fdc 
 **/
Packit 549fdc 
int
Packit 549fdc 
gnutls_pubkey_import_ecc_raw(gnutls_pubkey_t key,
Packit 549fdc 
			     gnutls_ecc_curve_t curve,
Packit 549fdc 
			     const gnutls_datum_t * x,
Packit 549fdc 
			     const gnutls_datum_t * y)
Packit 549fdc 
{
Packit 549fdc 
	int ret;
Packit 549fdc
Packit 549fdc 
	if (key == NULL) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		return GNUTLS_E_INVALID_REQUEST;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	gnutls_pk_params_release(&key->params);
Packit 549fdc 
	gnutls_pk_params_init(&key->params);
Packit 549fdc
Packit 549fdc 
	if (curve_is_eddsa(curve)) {
Packit 549fdc 
		ret = _gnutls_set_datum(&key->params.raw_pub, x->data, x->size);
Packit 549fdc 
		if (ret < 0) {
Packit 549fdc 
			gnutls_assert();
Packit 549fdc 
			goto cleanup;
Packit 549fdc 
		}
Packit 549fdc
Packit 549fdc 
		key->params.algo = GNUTLS_PK_EDDSA_ED25519;
Packit 549fdc 
		key->params.curve = curve;
Packit 549fdc
Packit 549fdc 
		return 0;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	/* ECDSA */
Packit 549fdc 
	key->params.curve = curve;
Packit 549fdc
Packit 549fdc 
	if (_gnutls_mpi_init_scan_nz
Packit 549fdc 
	    (&key->params.params[ECC_X], x->data, x->size)) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		ret = GNUTLS_E_MPI_SCAN_FAILED;
Packit 549fdc 
		goto cleanup;
Packit 549fdc 
	}
Packit 549fdc 
	key->params.params_nr++;
Packit 549fdc
Packit 549fdc 
	if (_gnutls_mpi_init_scan_nz
Packit 549fdc 
	    (&key->params.params[ECC_Y], y->data, y->size)) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		ret = GNUTLS_E_MPI_SCAN_FAILED;
Packit 549fdc 
		goto cleanup;
Packit 549fdc 
	}
Packit 549fdc 
	key->params.params_nr++;
Packit 549fdc 
	key->params.algo = GNUTLS_PK_ECDSA;
Packit 549fdc
Packit 549fdc 
	return 0;
Packit 549fdc
Packit 549fdc 
      cleanup:
Packit 549fdc 
	gnutls_pk_params_release(&key->params);
Packit 549fdc 
	return ret;
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
/**
Packit 549fdc 
 * gnutls_pubkey_import_ecc_x962:
Packit 549fdc 
 * @key: The structure to store the parsed key
Packit 549fdc 
 * @parameters: DER encoding of an ANSI X9.62 parameters
Packit 549fdc 
 * @ecpoint: DER encoding of ANSI X9.62 ECPoint
Packit 549fdc 
 *
Packit 549fdc 
 * This function will convert the given elliptic curve parameters to a
Packit 549fdc 
 * #gnutls_pubkey_t.  The output will be stored in @key.
Packit 549fdc 
 *
Packit 549fdc 
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
Packit 549fdc 
 *   negative error value.
Packit 549fdc 
 *
Packit 549fdc 
 * Since: 3.0
Packit 549fdc 
 **/
Packit 549fdc 
int
Packit 549fdc 
gnutls_pubkey_import_ecc_x962(gnutls_pubkey_t key,
Packit 549fdc 
			      const gnutls_datum_t * parameters,
Packit 549fdc 
			      const gnutls_datum_t * ecpoint)
Packit 549fdc 
{
Packit 549fdc 
	int ret;
Packit 549fdc 
	gnutls_datum_t raw_point = {NULL,0};
Packit 549fdc
Packit 549fdc 
	if (key == NULL) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		return GNUTLS_E_INVALID_REQUEST;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	gnutls_pk_params_release(&key->params);
Packit 549fdc 
	gnutls_pk_params_init(&key->params);
Packit 549fdc
Packit 549fdc 
	key->params.params_nr = 0;
Packit 549fdc
Packit 549fdc 
	ret =
Packit 549fdc 
	    _gnutls_x509_read_ecc_params(parameters->data,
Packit 549fdc 
					 parameters->size, &key->params.curve);
Packit 549fdc 
	if (ret < 0) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		goto cleanup;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	ret = _gnutls_x509_decode_string(ASN1_ETYPE_OCTET_STRING,
Packit 549fdc 
					 ecpoint->data, ecpoint->size, &raw_point, 0);
Packit 549fdc 
	if (ret < 0) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		goto cleanup;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	ret = _gnutls_ecc_ansi_x962_import(raw_point.data, raw_point.size,
Packit 549fdc 
					   &key->params.params[ECC_X],
Packit 549fdc 
					   &key->params.params[ECC_Y]);
Packit 549fdc 
	if (ret < 0) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		goto cleanup;
Packit 549fdc 
	}
Packit 549fdc 
	key->params.params_nr += 2;
Packit 549fdc 
	key->params.algo = GNUTLS_PK_EC;
Packit 549fdc
Packit 549fdc 
	gnutls_free(raw_point.data);
Packit 549fdc 
	return 0;
Packit 549fdc
Packit 549fdc 
      cleanup:
Packit 549fdc 
	gnutls_pk_params_release(&key->params);
Packit 549fdc 
	gnutls_free(raw_point.data);
Packit 549fdc 
	return ret;
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
/**
Packit 549fdc 
 * gnutls_pubkey_import_dsa_raw:
Packit 549fdc 
 * @key: The structure to store the parsed key
Packit 549fdc 
 * @p: holds the p
Packit 549fdc 
 * @q: holds the q
Packit 549fdc 
 * @g: holds the g
Packit 549fdc 
 * @y: holds the y
Packit 549fdc 
 *
Packit 549fdc 
 * This function will convert the given DSA raw parameters to the
Packit 549fdc 
 * native #gnutls_pubkey_t format.  The output will be stored
Packit 549fdc 
 * in @key.
Packit 549fdc 
 *
Packit 549fdc 
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
Packit 549fdc 
 *   negative error value.
Packit 549fdc 
 *
Packit 549fdc 
 * Since: 2.12.0
Packit 549fdc 
 **/
Packit 549fdc 
int
Packit 549fdc 
gnutls_pubkey_import_dsa_raw(gnutls_pubkey_t key,
Packit 549fdc 
			     const gnutls_datum_t * p,
Packit 549fdc 
			     const gnutls_datum_t * q,
Packit 549fdc 
			     const gnutls_datum_t * g,
Packit 549fdc 
			     const gnutls_datum_t * y)
Packit 549fdc 
{
Packit 549fdc 
	size_t siz = 0;
Packit 549fdc
Packit 549fdc 
	if (key == NULL) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		return GNUTLS_E_INVALID_REQUEST;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	gnutls_pk_params_release(&key->params);
Packit 549fdc 
	gnutls_pk_params_init(&key->params);
Packit 549fdc
Packit 549fdc 
	siz = p->size;
Packit 549fdc 
	if (_gnutls_mpi_init_scan_nz(&key->params.params[0], p->data, siz)) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		return GNUTLS_E_MPI_SCAN_FAILED;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	siz = q->size;
Packit 549fdc 
	if (_gnutls_mpi_init_scan_nz(&key->params.params[1], q->data, siz)) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		_gnutls_mpi_release(&key->params.params[0]);
Packit 549fdc 
		return GNUTLS_E_MPI_SCAN_FAILED;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	siz = g->size;
Packit 549fdc 
	if (_gnutls_mpi_init_scan_nz(&key->params.params[2], g->data, siz)) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		_gnutls_mpi_release(&key->params.params[1]);
Packit 549fdc 
		_gnutls_mpi_release(&key->params.params[0]);
Packit 549fdc 
		return GNUTLS_E_MPI_SCAN_FAILED;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	siz = y->size;
Packit 549fdc 
	if (_gnutls_mpi_init_scan_nz(&key->params.params[3], y->data, siz)) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		_gnutls_mpi_release(&key->params.params[2]);
Packit 549fdc 
		_gnutls_mpi_release(&key->params.params[1]);
Packit 549fdc 
		_gnutls_mpi_release(&key->params.params[0]);
Packit 549fdc 
		return GNUTLS_E_MPI_SCAN_FAILED;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	key->params.params_nr = DSA_PUBLIC_PARAMS;
Packit 549fdc 
	key->params.algo = GNUTLS_PK_DSA;
Packit 549fdc 
	key->bits = pubkey_to_bits(&key->params);
Packit 549fdc
Packit 549fdc 
	return 0;
Packit 549fdc
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
#define OLD_PUBKEY_VERIFY_FLAG_TLS1_RSA 1
Packit 549fdc
Packit 549fdc 
/* Updates the gnutls_x509_spki_st parameters based on the signature
Packit 549fdc 
 * information, and reports any incompatibilities between the existing
Packit 549fdc 
 * parameters (if any) with the signature algorithm */
Packit 549fdc 
static
Packit 549fdc 
int fixup_spki_params(const gnutls_pk_params_st *key_params, const gnutls_sign_entry_st *se,
Packit 549fdc 
		       const mac_entry_st *me, gnutls_x509_spki_st *params)
Packit 549fdc 
{
Packit 549fdc 
	unsigned bits;
Packit 549fdc
Packit 549fdc 
	if (se->pk != key_params->algo) {
Packit 549fdc 
		if (!gnutls_sign_supports_pk_algorithm(se->id, key_params->algo)) {
Packit 549fdc 
			_gnutls_debug_log("have key: %s/%d, with sign %s/%d\n",
Packit 549fdc 
					gnutls_pk_get_name(key_params->algo), key_params->algo,
Packit 549fdc 
					se->name, se->id);
Packit 549fdc 
			return gnutls_assert_val(GNUTLS_E_CONSTRAINT_ERROR);
Packit 549fdc 
		}
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	if (params->pk == GNUTLS_PK_RSA_PSS) {
Packit 549fdc
Packit 549fdc 
		if (!GNUTLS_PK_IS_RSA(key_params->algo))
Packit 549fdc 
			return gnutls_assert_val(GNUTLS_E_CONSTRAINT_ERROR);
Packit 549fdc
Packit 549fdc 
		/* The requested sign algorithm is RSA-PSS, while the
Packit 549fdc 
		 * pubkey doesn't include parameter information. Fill
Packit 549fdc 
		 * it with the same way as gnutls_privkey_sign*. */
Packit 549fdc 
		if (key_params->algo == GNUTLS_PK_RSA || params->rsa_pss_dig == 0) {
Packit 549fdc 
			bits = pubkey_to_bits(key_params);
Packit 549fdc 
			params->rsa_pss_dig = se->hash;
Packit 549fdc 
			params->salt_size = _gnutls_find_rsa_pss_salt_size(bits, me, 0);
Packit 549fdc 
		}
Packit 549fdc
Packit 549fdc 
		if (params->rsa_pss_dig != se->hash)
Packit 549fdc 
			return gnutls_assert_val(GNUTLS_E_CONSTRAINT_ERROR);
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	return 0;
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
/**
Packit 549fdc 
 * gnutls_pubkey_verify_data2:
Packit 549fdc 
 * @pubkey: Holds the public key
Packit 549fdc 
 * @algo: The signature algorithm used
Packit 549fdc 
 * @flags: Zero or an OR list of #gnutls_certificate_verify_flags
Packit 549fdc 
 * @data: holds the signed data
Packit 549fdc 
 * @signature: contains the signature
Packit 549fdc 
 *
Packit 549fdc 
 * This function will verify the given signed data, using the
Packit 549fdc 
 * parameters from the certificate.
Packit 549fdc 
 *
Packit 549fdc 
 * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED
Packit 549fdc 
 * is returned, and zero or positive code on success. For known to be insecure
Packit 549fdc 
 * signatures this function will return %GNUTLS_E_INSUFFICIENT_SECURITY unless
Packit 549fdc 
 * the flag %GNUTLS_VERIFY_ALLOW_BROKEN is specified.
Packit 549fdc 
 *
Packit 549fdc 
 * Since: 3.0
Packit 549fdc 
 **/
Packit 549fdc 
int
Packit 549fdc 
gnutls_pubkey_verify_data2(gnutls_pubkey_t pubkey,
Packit 549fdc 
			   gnutls_sign_algorithm_t algo,
Packit 549fdc 
			   unsigned int flags,
Packit 549fdc 
			   const gnutls_datum_t * data,
Packit 549fdc 
			   const gnutls_datum_t * signature)
Packit 549fdc 
{
Packit 549fdc 
	int ret;
Packit 549fdc 
	const mac_entry_st *me;
Packit 549fdc 
	gnutls_x509_spki_st params;
Packit 549fdc 
	const gnutls_sign_entry_st *se;
Packit 549fdc
Packit 549fdc 
	if (pubkey == NULL) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		return GNUTLS_E_INVALID_REQUEST;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	if (flags & OLD_PUBKEY_VERIFY_FLAG_TLS1_RSA || flags & GNUTLS_VERIFY_USE_TLS1_RSA)
Packit 549fdc 
		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
Packit 549fdc
Packit 549fdc 
	memcpy(&params, &pubkey->params.spki, sizeof(gnutls_x509_spki_st));
Packit 549fdc
Packit 549fdc 
	se = _gnutls_sign_to_entry(algo);
Packit 549fdc 
	if (se == NULL)
Packit 549fdc 
		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
Packit 549fdc 
	params.pk = se->pk;
Packit 549fdc
Packit 549fdc 
	me = hash_to_entry(se->hash);
Packit 549fdc 
	if (me == NULL && !_gnutls_pk_is_not_prehashed(se->pk))
Packit 549fdc 
		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
Packit 549fdc
Packit 549fdc 
	ret = pubkey_verify_data(se, me, data, signature, &pubkey->params,
Packit 549fdc 
				 &params, flags);
Packit 549fdc 
	if (ret < 0) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		return ret;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	return 0;
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
/**
Packit 549fdc 
 * gnutls_pubkey_verify_hash2:
Packit 549fdc 
 * @key: Holds the public key
Packit 549fdc 
 * @algo: The signature algorithm used
Packit 549fdc 
 * @flags: Zero or an OR list of #gnutls_certificate_verify_flags
Packit 549fdc 
 * @hash: holds the hash digest to be verified
Packit 549fdc 
 * @signature: contains the signature
Packit 549fdc 
 *
Packit 549fdc 
 * This function will verify the given signed digest, using the
Packit 549fdc 
 * parameters from the public key. Note that unlike gnutls_privkey_sign_hash(),
Packit 549fdc 
 * this function accepts a signature algorithm instead of a digest algorithm.
Packit 549fdc 
 * You can use gnutls_pk_to_sign() to get the appropriate value.
Packit 549fdc 
 *
Packit 549fdc 
 * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED
Packit 549fdc 
 * is returned, and zero or positive code on success. For known to be insecure
Packit 549fdc 
 * signatures this function will return %GNUTLS_E_INSUFFICIENT_SECURITY unless
Packit 549fdc 
 * the flag %GNUTLS_VERIFY_ALLOW_BROKEN is specified.
Packit 549fdc 
 *
Packit 549fdc 
 * Since: 3.0
Packit 549fdc 
 **/
Packit 549fdc 
int
Packit 549fdc 
gnutls_pubkey_verify_hash2(gnutls_pubkey_t key,
Packit 549fdc 
			   gnutls_sign_algorithm_t algo,
Packit 549fdc 
			   unsigned int flags,
Packit 549fdc 
			   const gnutls_datum_t * hash,
Packit 549fdc 
			   const gnutls_datum_t * signature)
Packit 549fdc 
{
Packit 549fdc 
	const mac_entry_st *me;
Packit 549fdc 
	gnutls_x509_spki_st params;
Packit 549fdc 
	const gnutls_sign_entry_st *se;
Packit 549fdc 
	int ret;
Packit 549fdc
Packit 549fdc 
	if (key == NULL) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		return GNUTLS_E_INVALID_REQUEST;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	if (_gnutls_pk_is_not_prehashed(key->params.algo)) {
Packit 549fdc 
		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	memcpy(&params, &key->params.spki, sizeof(gnutls_x509_spki_st));
Packit 549fdc
Packit 549fdc 
	if (flags & OLD_PUBKEY_VERIFY_FLAG_TLS1_RSA || flags & GNUTLS_VERIFY_USE_TLS1_RSA) {
Packit 549fdc 
		if (!GNUTLS_PK_IS_RSA(key->params.algo))
Packit 549fdc 
			return gnutls_assert_val(GNUTLS_E_INCOMPATIBLE_SIG_WITH_KEY);
Packit 549fdc 
		params.pk = GNUTLS_PK_RSA;
Packit 549fdc 
		/* we do not check for insecure algorithms with this flag */
Packit 549fdc 
		return _gnutls_pk_verify(params.pk, hash, signature,
Packit 549fdc 
					 &key->params, &params);
Packit 549fdc 
	} else {
Packit 549fdc 
		se = _gnutls_sign_to_entry(algo);
Packit 549fdc 
		if (se == NULL)
Packit 549fdc 
			return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
Packit 549fdc
Packit 549fdc 
		params.pk = se->pk;
Packit 549fdc
Packit 549fdc 
		me = hash_to_entry(se->hash);
Packit 549fdc 
		if (me == NULL && !_gnutls_pk_is_not_prehashed(se->pk))
Packit 549fdc 
			return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
Packit 549fdc
Packit 549fdc 
		ret = pubkey_verify_hashed_data(se, me, hash, signature,
Packit 549fdc 
						&key->params,
Packit 549fdc 
						&params, flags);
Packit 549fdc 
		if (ret < 0) {
Packit 549fdc 
			gnutls_assert();
Packit 549fdc 
			return ret;
Packit 549fdc 
		}
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	return 0;
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
/**
Packit 549fdc 
 * gnutls_pubkey_encrypt_data:
Packit 549fdc 
 * @key: Holds the public key
Packit 549fdc 
 * @flags: should be 0 for now
Packit 549fdc 
 * @plaintext: The data to be encrypted
Packit 549fdc 
 * @ciphertext: contains the encrypted data
Packit 549fdc 
 *
Packit 549fdc 
 * This function will encrypt the given data, using the public
Packit 549fdc 
 * key. On success the @ciphertext will be allocated using gnutls_malloc().
Packit 549fdc 
 *
Packit 549fdc 
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
Packit 549fdc 
 *   negative error value.
Packit 549fdc 
 *
Packit 549fdc 
 * Since: 3.0
Packit 549fdc 
 **/
Packit 549fdc 
int
Packit 549fdc 
gnutls_pubkey_encrypt_data(gnutls_pubkey_t key, unsigned int flags,
Packit 549fdc 
			   const gnutls_datum_t * plaintext,
Packit 549fdc 
			   gnutls_datum_t * ciphertext)
Packit 549fdc 
{
Packit 549fdc 
	if (key == NULL) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		return GNUTLS_E_INVALID_REQUEST;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	return _gnutls_pk_encrypt(key->params.algo, ciphertext,
Packit 549fdc 
				  plaintext, &key->params);
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
/* Checks whether the public key given is compatible with the
Packit 549fdc 
 * signature algorithm used. The session is only used for audit logging, and
Packit 549fdc 
 * it may be null.
Packit 549fdc 
 */
Packit 549fdc 
int _gnutls_pubkey_compatible_with_sig(gnutls_session_t session,
Packit 549fdc 
				       gnutls_pubkey_t pubkey,
Packit 549fdc 
				       const version_entry_st * ver,
Packit 549fdc 
				       gnutls_sign_algorithm_t sign)
Packit 549fdc 
{
Packit 549fdc 
	unsigned int hash_size = 0;
Packit 549fdc 
	unsigned int sig_hash_size;
Packit 549fdc 
	const mac_entry_st *me;
Packit 549fdc 
	const gnutls_sign_entry_st *se;
Packit 549fdc
Packit 549fdc 
	se = _gnutls_sign_to_entry(sign);
Packit 549fdc 
	if (se == NULL && _gnutls_version_has_selectable_sighash(ver))
Packit 549fdc 
		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
Packit 549fdc
Packit 549fdc 
	if (pubkey->params.algo == GNUTLS_PK_DSA) {
Packit 549fdc 
		me = _gnutls_dsa_q_to_hash(&pubkey->params, &hash_size);
Packit 549fdc
Packit 549fdc 
		/* DSA keys over 1024 bits cannot be used with TLS 1.x, x<2 */
Packit 549fdc 
		if (!_gnutls_version_has_selectable_sighash(ver)) {
Packit 549fdc 
			if (me->id != GNUTLS_MAC_SHA1)
Packit 549fdc 
				return
Packit 549fdc 
				    gnutls_assert_val
Packit 549fdc 
				    (GNUTLS_E_INCOMPAT_DSA_KEY_WITH_TLS_PROTOCOL);
Packit 549fdc 
		} else if (se != NULL) {
Packit 549fdc 
			me = hash_to_entry(se->hash);
Packit 549fdc 
			sig_hash_size = _gnutls_hash_get_algo_len(me);
Packit 549fdc 
			if (sig_hash_size < hash_size)
Packit 549fdc 
				_gnutls_audit_log(session,
Packit 549fdc 
						  "The hash size used in signature (%u) is less than the expected (%u)\n",
Packit 549fdc 
						  sig_hash_size,
Packit 549fdc 
						  hash_size);
Packit 549fdc 
		}
Packit 549fdc
Packit 549fdc 
	} else if (pubkey->params.algo == GNUTLS_PK_EC) {
Packit 549fdc 
		if (_gnutls_version_has_selectable_sighash(ver)
Packit 549fdc 
		    && se != NULL) {
Packit 549fdc
Packit 549fdc 
			_gnutls_dsa_q_to_hash(&pubkey->params,
Packit 549fdc 
						   &hash_size);
Packit 549fdc
Packit 549fdc 
			me = hash_to_entry(se->hash);
Packit 549fdc 
			sig_hash_size = _gnutls_hash_get_algo_len(me);
Packit 549fdc
Packit 549fdc 
			if (sig_hash_size < hash_size)
Packit 549fdc 
				_gnutls_audit_log(session,
Packit 549fdc 
						  "The hash size used in signature (%u) is less than the expected (%u)\n",
Packit 549fdc 
						  sig_hash_size,
Packit 549fdc 
						  hash_size);
Packit 549fdc 
		}
Packit 549fdc
Packit 549fdc 
	} else if (pubkey->params.algo == GNUTLS_PK_RSA_PSS) {
Packit 549fdc 
		if (!_gnutls_version_has_selectable_sighash(ver))
Packit 549fdc 
			/* this should not have happened */
Packit 549fdc 
			return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
Packit 549fdc
Packit 549fdc 
		/* RSA PSS public keys are restricted to a single digest, i.e., signature */
Packit 549fdc
Packit 549fdc 
		if (pubkey->params.spki.rsa_pss_dig && pubkey->params.spki.rsa_pss_dig != se->hash) {
Packit 549fdc 
			return gnutls_assert_val(GNUTLS_E_CONSTRAINT_ERROR);
Packit 549fdc 
		}
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	return 0;
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
/* Returns the public key.
Packit 549fdc 
 */
Packit 549fdc 
int
Packit 549fdc 
_gnutls_pubkey_get_mpis(gnutls_pubkey_t key, gnutls_pk_params_st * params)
Packit 549fdc 
{
Packit 549fdc 
	return _gnutls_pk_params_copy(params, &key->params);
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
/* if hash==MD5 then we do RSA-MD5
Packit 549fdc 
 * if hash==SHA then we do RSA-SHA
Packit 549fdc 
 * params[0] is modulus
Packit 549fdc 
 * params[1] is public key
Packit 549fdc 
 */
Packit 549fdc 
static int
Packit 549fdc 
_pkcs1_rsa_verify_sig(gnutls_pk_algorithm_t pk,
Packit 549fdc 
		      const mac_entry_st * me,
Packit 549fdc 
		      const gnutls_datum_t * text,
Packit 549fdc 
		      const gnutls_datum_t * prehash,
Packit 549fdc 
		      const gnutls_datum_t * signature,
Packit 549fdc 
		      gnutls_pk_params_st * params,
Packit 549fdc 
		      gnutls_x509_spki_st * sign_params)
Packit 549fdc 
{
Packit 549fdc 
	int ret;
Packit 549fdc 
	uint8_t md[MAX_HASH_SIZE], *cmp;
Packit 549fdc 
	unsigned int digest_size;
Packit 549fdc 
	gnutls_datum_t d, di;
Packit 549fdc
Packit 549fdc 
	if (unlikely(me == NULL))
Packit 549fdc 
		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
Packit 549fdc
Packit 549fdc 
	digest_size = _gnutls_hash_get_algo_len(me);
Packit 549fdc 
	if (prehash) {
Packit 549fdc 
		if (prehash->data == NULL || prehash->size != digest_size)
Packit 549fdc 
			return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
Packit 549fdc
Packit 549fdc 
		cmp = prehash->data;
Packit 549fdc 
	} else {
Packit 549fdc 
		if (!text) {
Packit 549fdc 
			gnutls_assert();
Packit 549fdc 
			return GNUTLS_E_INVALID_REQUEST;
Packit 549fdc 
		}
Packit 549fdc
Packit 549fdc 
		ret = _gnutls_hash_fast((gnutls_digest_algorithm_t)me->id,
Packit 549fdc 
					text->data, text->size, md);
Packit 549fdc 
		if (ret < 0) {
Packit 549fdc 
			gnutls_assert();
Packit 549fdc 
			return ret;
Packit 549fdc 
		}
Packit 549fdc
Packit 549fdc 
		cmp = md;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	d.data = cmp;
Packit 549fdc 
	d.size = digest_size;
Packit 549fdc
Packit 549fdc 
	if (pk == GNUTLS_PK_RSA) {
Packit 549fdc 
		/* decrypted is a BER encoded data of type DigestInfo
Packit 549fdc 
		 */
Packit 549fdc 
		ret = encode_ber_digest_info(me, &d, &di);
Packit 549fdc 
		if (ret < 0)
Packit 549fdc 
			return gnutls_assert_val(ret);
Packit 549fdc
Packit 549fdc 
		ret = _gnutls_pk_verify(pk, &di, signature, params,
Packit 549fdc 
					sign_params);
Packit 549fdc 
		_gnutls_free_datum(&di);
Packit 549fdc 
	} else {
Packit 549fdc 
		ret = _gnutls_pk_verify(pk, &d, signature, params,
Packit 549fdc 
					sign_params);
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	return ret;
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
/* Hashes input data and verifies a signature.
Packit 549fdc 
 */
Packit 549fdc 
static int
Packit 549fdc 
dsa_verify_hashed_data(gnutls_pk_algorithm_t pk,
Packit 549fdc 
		       const mac_entry_st * algo,
Packit 549fdc 
		       const gnutls_datum_t * hash,
Packit 549fdc 
		       const gnutls_datum_t * signature,
Packit 549fdc 
		       gnutls_pk_params_st * params,
Packit 549fdc 
		       gnutls_x509_spki_st * sign_params)
Packit 549fdc 
{
Packit 549fdc 
	gnutls_datum_t digest;
Packit 549fdc 
	unsigned int hash_len;
Packit 549fdc
Packit 549fdc 
	if (algo == NULL)
Packit 549fdc 
		algo = _gnutls_dsa_q_to_hash(params, &hash_len);
Packit 549fdc 
	else
Packit 549fdc 
		hash_len = _gnutls_hash_get_algo_len(algo);
Packit 549fdc
Packit 549fdc 
	/* SHA1 or better allowed */
Packit 549fdc 
	if (!hash->data || hash->size < hash_len) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		_gnutls_debug_log
Packit 549fdc 
		    ("Hash size (%d) does not correspond to hash %s(%d) or better.\n",
Packit 549fdc 
		     (int) hash->size, _gnutls_mac_get_name(algo),
Packit 549fdc 
		     hash_len);
Packit 549fdc
Packit 549fdc 
		if (hash->size != 20)	/* SHA1 is allowed */
Packit 549fdc 
			return
Packit 549fdc 
			    gnutls_assert_val
Packit 549fdc 
			    (GNUTLS_E_PK_SIG_VERIFY_FAILED);
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	digest.data = hash->data;
Packit 549fdc 
	digest.size = hash->size;
Packit 549fdc
Packit 549fdc 
	return _gnutls_pk_verify(pk, &digest, signature, params, sign_params);
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
static int
Packit 549fdc 
dsa_verify_data(gnutls_pk_algorithm_t pk,
Packit 549fdc 
		const mac_entry_st * algo,
Packit 549fdc 
		const gnutls_datum_t * data,
Packit 549fdc 
		const gnutls_datum_t * signature,
Packit 549fdc 
		gnutls_pk_params_st * params,
Packit 549fdc 
		gnutls_x509_spki_st * sign_params)
Packit 549fdc 
{
Packit 549fdc 
	int ret;
Packit 549fdc 
	uint8_t _digest[MAX_HASH_SIZE];
Packit 549fdc 
	gnutls_datum_t digest;
Packit 549fdc
Packit 549fdc 
	if (algo == NULL)
Packit 549fdc 
		algo = _gnutls_dsa_q_to_hash(params, NULL);
Packit 549fdc
Packit 549fdc 
	ret = _gnutls_hash_fast((gnutls_digest_algorithm_t)algo->id,
Packit 549fdc 
				data->data, data->size, _digest);
Packit 549fdc 
	if (ret < 0)
Packit 549fdc 
		return gnutls_assert_val(ret);
Packit 549fdc
Packit 549fdc 
	digest.data = _digest;
Packit 549fdc 
	digest.size = _gnutls_hash_get_algo_len(algo);
Packit 549fdc
Packit 549fdc 
	return _gnutls_pk_verify(pk, &digest, signature, params, sign_params);
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
/* Verifies the signature data, and returns GNUTLS_E_PK_SIG_VERIFY_FAILED if
Packit 549fdc 
 * not verified, or 1 otherwise.
Packit 549fdc 
 */
Packit 549fdc 
static int
Packit 549fdc 
pubkey_verify_hashed_data(const gnutls_sign_entry_st *se,
Packit 549fdc 
			  const mac_entry_st *me,
Packit 549fdc 
			  const gnutls_datum_t * hash,
Packit 549fdc 
			  const gnutls_datum_t * signature,
Packit 549fdc 
			  gnutls_pk_params_st * params,
Packit 549fdc 
			  gnutls_x509_spki_st * sign_params,
Packit 549fdc 
			  unsigned flags)
Packit 549fdc 
{
Packit 549fdc 
	int ret;
Packit 549fdc
Packit 549fdc 
	if (unlikely(me==NULL))
Packit 549fdc 
		return gnutls_assert_val(GNUTLS_E_UNKNOWN_HASH_ALGORITHM);
Packit 549fdc
Packit 549fdc 
	ret = fixup_spki_params(params, se, me, sign_params);
Packit 549fdc 
	if (ret < 0)
Packit 549fdc 
		return gnutls_assert_val(ret);
Packit 549fdc
Packit 549fdc 
	switch (se->pk) {
Packit 549fdc 
	case GNUTLS_PK_RSA:
Packit 549fdc 
	case GNUTLS_PK_RSA_PSS:
Packit 549fdc
Packit 549fdc 
		if (_pkcs1_rsa_verify_sig
Packit 549fdc 
		    (se->pk, me, NULL, hash, signature, params, sign_params) != 0)
Packit 549fdc 
		{
Packit 549fdc 
			gnutls_assert();
Packit 549fdc 
			return GNUTLS_E_PK_SIG_VERIFY_FAILED;
Packit 549fdc 
		}
Packit 549fdc
Packit 549fdc 
		return 1;
Packit 549fdc 
		break;
Packit 549fdc
Packit 549fdc 
	case GNUTLS_PK_ECDSA:
Packit 549fdc 
	case GNUTLS_PK_DSA:
Packit 549fdc 
		if (dsa_verify_hashed_data
Packit 549fdc 
		    (se->pk, me, hash, signature, params, sign_params) != 0) {
Packit 549fdc 
			gnutls_assert();
Packit 549fdc 
			return GNUTLS_E_PK_SIG_VERIFY_FAILED;
Packit 549fdc 
		}
Packit 549fdc
Packit 549fdc 
		return 1;
Packit 549fdc 
		break;
Packit 549fdc 
	default:
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		return GNUTLS_E_INVALID_REQUEST;
Packit 549fdc
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	if (_gnutls_sign_is_secure2(se, 0) == 0 && _gnutls_is_broken_sig_allowed(se, flags) == 0) {
Packit 549fdc 
		return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_SECURITY);
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	return 1;
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
/* Verifies the signature data, and returns GNUTLS_E_PK_SIG_VERIFY_FAILED if
Packit 549fdc 
 * not verified, or 1 otherwise.
Packit 549fdc 
 */
Packit 549fdc 
int
Packit 549fdc 
pubkey_verify_data(const gnutls_sign_entry_st *se,
Packit 549fdc 
		   const mac_entry_st *me,
Packit 549fdc 
		   const gnutls_datum_t * data,
Packit 549fdc 
		   const gnutls_datum_t * signature,
Packit 549fdc 
		   gnutls_pk_params_st * params,
Packit 549fdc 
		   gnutls_x509_spki_st * sign_params,
Packit 549fdc 
		   unsigned flags)
Packit 549fdc 
{
Packit 549fdc 
	int ret;
Packit 549fdc
Packit 549fdc 
	if (unlikely(me == NULL))
Packit 549fdc 
		return gnutls_assert_val(GNUTLS_E_UNKNOWN_HASH_ALGORITHM);
Packit 549fdc
Packit 549fdc 
	ret = fixup_spki_params(params, se, me, sign_params);
Packit 549fdc 
	if (ret < 0)
Packit 549fdc 
		return gnutls_assert_val(ret);
Packit 549fdc
Packit 549fdc 
	switch (se->pk) {
Packit 549fdc 
	case GNUTLS_PK_RSA:
Packit 549fdc 
	case GNUTLS_PK_RSA_PSS:
Packit 549fdc 
		if (_pkcs1_rsa_verify_sig
Packit 549fdc 
		    (se->pk, me, data, NULL, signature, params, sign_params) != 0) {
Packit 549fdc 
			gnutls_assert();
Packit 549fdc 
			return GNUTLS_E_PK_SIG_VERIFY_FAILED;
Packit 549fdc 
		}
Packit 549fdc
Packit 549fdc 
		break;
Packit 549fdc
Packit 549fdc 
	case GNUTLS_PK_EDDSA_ED25519:
Packit 549fdc 
		if (_gnutls_pk_verify(se->pk, data, signature, params, sign_params) != 0) {
Packit 549fdc 
			gnutls_assert();
Packit 549fdc 
			return GNUTLS_E_PK_SIG_VERIFY_FAILED;
Packit 549fdc 
		}
Packit 549fdc
Packit 549fdc 
		break;
Packit 549fdc
Packit 549fdc 
	case GNUTLS_PK_EC:
Packit 549fdc 
	case GNUTLS_PK_DSA:
Packit 549fdc 
		if (dsa_verify_data
Packit 549fdc 
		    (se->pk, me, data, signature, params, sign_params) != 0) {
Packit 549fdc 
			gnutls_assert();
Packit 549fdc 
			return GNUTLS_E_PK_SIG_VERIFY_FAILED;
Packit 549fdc 
		}
Packit 549fdc
Packit 549fdc 
		break;
Packit 549fdc 
	default:
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		return GNUTLS_E_INVALID_REQUEST;
Packit 549fdc
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	if (_gnutls_sign_is_secure2(se,0) == 0 && _gnutls_is_broken_sig_allowed(se, flags) == 0) {
Packit 549fdc 
		return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_SECURITY);
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	return 1;
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
const mac_entry_st *_gnutls_dsa_q_to_hash(const gnutls_pk_params_st *
Packit 549fdc 
					  params, unsigned int *hash_len)
Packit 549fdc 
{
Packit 549fdc 
	int bits = 0;
Packit 549fdc 
	int ret;
Packit 549fdc
Packit 549fdc 
	if (params->algo == GNUTLS_PK_DSA)
Packit 549fdc 
		bits = _gnutls_mpi_get_nbits(params->params[1]);
Packit 549fdc 
	else if (params->algo == GNUTLS_PK_EC)
Packit 549fdc 
		bits = gnutls_ecc_curve_get_size(params->curve) * 8;
Packit 549fdc
Packit 549fdc 
	if (bits <= 160) {
Packit 549fdc 
		if (hash_len)
Packit 549fdc 
			*hash_len = 20;
Packit 549fdc 
		ret = GNUTLS_DIG_SHA1;
Packit 549fdc 
	} else if (bits <= 192) {
Packit 549fdc 
		if (hash_len)
Packit 549fdc 
			*hash_len = 24;
Packit 549fdc 
		ret = GNUTLS_DIG_SHA256;
Packit 549fdc 
	} else if (bits <= 224) {
Packit 549fdc 
		if (hash_len)
Packit 549fdc 
			*hash_len = 28;
Packit 549fdc 
		ret = GNUTLS_DIG_SHA256;
Packit 549fdc 
	} else if (bits <= 256) {
Packit 549fdc 
		if (hash_len)
Packit 549fdc 
			*hash_len = 32;
Packit 549fdc 
		ret = GNUTLS_DIG_SHA256;
Packit 549fdc 
	} else if (bits <= 384) {
Packit 549fdc 
		if (hash_len)
Packit 549fdc 
			*hash_len = 48;
Packit 549fdc 
		ret = GNUTLS_DIG_SHA384;
Packit 549fdc 
	} else {
Packit 549fdc 
		if (hash_len)
Packit 549fdc 
			*hash_len = 64;
Packit 549fdc 
		ret = GNUTLS_DIG_SHA512;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	return mac_to_entry(ret);
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
/**
Packit 549fdc 
 * gnutls_pubkey_set_pin_function:
Packit 549fdc 
 * @key: A key of type #gnutls_pubkey_t
Packit 549fdc 
 * @fn: the callback
Packit 549fdc 
 * @userdata: data associated with the callback
Packit 549fdc 
 *
Packit 549fdc 
 * This function will set a callback function to be used when
Packit 549fdc 
 * required to access the object. This function overrides any other
Packit 549fdc 
 * global PIN functions.
Packit 549fdc 
 *
Packit 549fdc 
 * Note that this function must be called right after initialization
Packit 549fdc 
 * to have effect.
Packit 549fdc 
 *
Packit 549fdc 
 * Since: 3.1.0
Packit 549fdc 
 *
Packit 549fdc 
 **/
Packit 549fdc 
void gnutls_pubkey_set_pin_function(gnutls_pubkey_t key,
Packit 549fdc 
				    gnutls_pin_callback_t fn,
Packit 549fdc 
				    void *userdata)
Packit 549fdc 
{
Packit 549fdc 
	key->pin.cb = fn;
Packit 549fdc 
	key->pin.data = userdata;
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
/**
Packit 549fdc 
 * gnutls_pubkey_import_x509_raw:
Packit 549fdc 
 * @pkey: The public key
Packit 549fdc 
 * @data: The public key data to be imported
Packit 549fdc 
 * @format: The format of the public key
Packit 549fdc 
 * @flags: should be zero
Packit 549fdc 
 *
Packit 549fdc 
 * This function will import the given public key to the abstract
Packit 549fdc 
 * #gnutls_pubkey_t type.
Packit 549fdc 
 *
Packit 549fdc 
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
Packit 549fdc 
 *   negative error value.
Packit 549fdc 
 *
Packit 549fdc 
 * Since: 3.1.3
Packit 549fdc 
 **/
Packit 549fdc 
int gnutls_pubkey_import_x509_raw(gnutls_pubkey_t pkey,
Packit 549fdc 
				  const gnutls_datum_t * data,
Packit 549fdc 
				  gnutls_x509_crt_fmt_t format,
Packit 549fdc 
				  unsigned int flags)
Packit 549fdc 
{
Packit 549fdc 
	gnutls_x509_crt_t xpriv;
Packit 549fdc 
	int ret;
Packit 549fdc
Packit 549fdc 
	ret = gnutls_x509_crt_init(&xpriv);
Packit 549fdc 
	if (ret < 0)
Packit 549fdc 
		return gnutls_assert_val(ret);
Packit 549fdc
Packit 549fdc 
	ret = gnutls_x509_crt_import(xpriv, data, format);
Packit 549fdc 
	if (ret < 0) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		goto cleanup;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	ret = gnutls_pubkey_import_x509(pkey, xpriv, flags);
Packit 549fdc 
	if (ret < 0) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		goto cleanup;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	ret = 0;
Packit 549fdc
Packit 549fdc 
      cleanup:
Packit 549fdc 
	gnutls_x509_crt_deinit(xpriv);
Packit 549fdc
Packit 549fdc 
	return ret;
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
/**
Packit 549fdc 
 * gnutls_pubkey_verify_params:
Packit 549fdc 
 * @key: should contain a #gnutls_pubkey_t type
Packit 549fdc 
 *
Packit 549fdc 
 * This function will verify the private key parameters.
Packit 549fdc 
 *
Packit 549fdc 
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
Packit 549fdc 
 *   negative error value.
Packit 549fdc 
 *
Packit 549fdc 
 * Since: 3.3.0
Packit 549fdc 
 **/
Packit 549fdc 
int gnutls_pubkey_verify_params(gnutls_pubkey_t key)
Packit 549fdc 
{
Packit 549fdc 
	int ret;
Packit 549fdc
Packit 549fdc 
	ret = _gnutls_pk_verify_pub_params(key->params.algo, &key->params);
Packit 549fdc 
	if (ret < 0) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		return ret;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	return 0;
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
/**
Packit 549fdc 
 * gnutls_pubkey_get_spki:
Packit 549fdc 
 * @pubkey: a public key of type #gnutls_pubkey_t
Packit 549fdc 
 * @spki: a SubjectPublicKeyInfo structure of type #gnutls_pubkey_spki_t
Packit 549fdc 
 * @flags: must be zero
Packit 549fdc 
 *
Packit 549fdc 
 * This function will return the public key information if available.
Packit 549fdc 
 * The provided @spki must be initialized.
Packit 549fdc 
 *
Packit 549fdc 
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
Packit 549fdc 
 *   negative error value.
Packit 549fdc 
 *
Packit 549fdc 
 * Since: 3.6.0
Packit 549fdc 
 **/
Packit 549fdc 
int
Packit 549fdc 
gnutls_pubkey_get_spki(gnutls_pubkey_t pubkey, gnutls_x509_spki_t spki, unsigned int flags)
Packit 549fdc 
{
Packit 549fdc 
	if (pubkey == NULL) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		return GNUTLS_E_INVALID_REQUEST;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	if (pubkey->params.spki.pk == GNUTLS_PK_UNKNOWN)
Packit 549fdc 
		return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
Packit 549fdc
Packit 549fdc 
	memcpy(spki, &pubkey->params.spki, sizeof(gnutls_x509_spki_st));
Packit 549fdc
Packit 549fdc 
	return 0;
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
/**
Packit 549fdc 
 * gnutls_pubkey_set_spki:
Packit 549fdc 
 * @pubkey: a public key of type #gnutls_pubkey_t
Packit 549fdc 
 * @spki: a SubjectPublicKeyInfo structure of type #gnutls_pubkey_spki_t
Packit 549fdc 
 * @flags: must be zero
Packit 549fdc 
 *
Packit 549fdc 
 * This function will set the public key information.
Packit 549fdc 
 * The provided @spki must be initialized.
Packit 549fdc 
 *
Packit 549fdc 
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
Packit 549fdc 
 *   negative error value.
Packit 549fdc 
 *
Packit 549fdc 
 * Since: 3.6.0
Packit 549fdc 
 **/
Packit 549fdc 
int
Packit 549fdc 
gnutls_pubkey_set_spki(gnutls_pubkey_t pubkey, const gnutls_x509_spki_t spki, unsigned int flags)
Packit 549fdc 
{
Packit 549fdc 
	if (pubkey == NULL) {
Packit 549fdc 
		gnutls_assert();
Packit 549fdc 
		return GNUTLS_E_INVALID_REQUEST;
Packit 549fdc 
	}
Packit 549fdc
Packit 549fdc 
	if (!_gnutls_pk_are_compat(pubkey->params.algo, spki->pk))
Packit 549fdc 
                return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
Packit 549fdc
Packit 549fdc 
	memcpy(&pubkey->params.spki, spki, sizeof(gnutls_x509_spki_st));
Packit 549fdc
Packit 549fdc 
	pubkey->params.algo = spki->pk;
Packit 549fdc
Packit 549fdc 
	return 0;
Packit 549fdc 
}

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation