authorNikos Mavrogiannopoulos <nmav@gnutls.org>2003-12-26 14:59:33 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2003-12-26 14:59:33 +0000
commit84ddcfc4681779a395ac4bf71190a00b89fad076 (patch)
tree6f20ebbfb152754ff51992bdcdb285d80212b91d
parent95f9e0fd4a4acc9a7552e4efc0dc04627936305a (diff)
corrected signing and verifying with DSA keys.
-rw-r--r--lib/x509/crq.c42
-rw-r--r--lib/x509/mpi.c62
-rw-r--r--lib/x509/mpi.h4
-rw-r--r--lib/x509/sign.c57
-rw-r--r--lib/x509/verify.c30
5 files changed, 109 insertions, 86 deletions
diff --git a/lib/x509/crq.c b/lib/x509/crq.c
index 224ff3a70a..8ed79f331a 100644
--- a/lib/x509/crq.c
+++ b/lib/x509/crq.c
@@ -629,45 +629,11 @@ const char* pk;
/* Step 3. Write the signatureAlgorithm field.
*/
- pk = _gnutls_x509_sign2oid( key->pk_algorithm, GNUTLS_MAC_SHA);
- if (pk == NULL) {
- gnutls_assert();
- return GNUTLS_E_INVALID_REQUEST;
- }
-
- /* write the RSA OID
- */
- result = asn1_write_value( crq->crq, "signatureAlgorithm.algorithm", pk, 1);
- if (result != ASN1_SUCCESS) {
+ result = _gnutls_x509_write_sig_params( crq->crq, "signatureAlgorithm",
+ key->pk_algorithm, key->params, key->params_size);
+ if (result < 0) {
gnutls_assert();
- return _gnutls_asn2err(result);
- }
-
- if (key->pk_algorithm == GNUTLS_PK_DSA) {
- gnutls_datum der;
-
- result = _gnutls_x509_write_dsa_params( key->params, key->params_size, &der);
- if (result < 0) {
- gnutls_assert();
- return result;
- }
-
- result = asn1_write_value( crq->crq, "signatureAlgorithm.parameters", der.data, der.size);
- _gnutls_free_datum( &der);
-
- if (result != ASN1_SUCCESS) {
- gnutls_assert();
- return _gnutls_asn2err(result);
- }
-
- } else {
- /* RSA so disable the parameters.
- */
- result = asn1_write_value( crq->crq, "signatureAlgorithm.parameters", NULL, 0);
- if (result != ASN1_SUCCESS) {
- gnutls_assert();
- return _gnutls_asn2err(result);
- }
+ return result;
}
return 0;
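Review bot: The local `const char* pk;` shown in the hunk header looks left behind, since every use of it in this hunk is removed and the matching declaration was dropped from sign.c in the same commit. If nothing earlier in the function still reads it, delete the declaration so the build does not pick up an unused-variable warning. The function body starts before the hunk, so this needs checking against the full file.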
diff --git a/lib/x509/mpi.c b/lib/x509/mpi.c
index 575e66574c..007e728336 100644
--- a/lib/x509/mpi.c
+++ b/lib/x509/mpi.c
@@ -331,6 +331,68 @@ cleanup:
}
/*
+ * This function writes and encodes the parameters for DSS or RSA keys.
+ * This is the "signatureAlgorithm" fields.
+ */
+int _gnutls_x509_write_sig_params( ASN1_TYPE dst, const char* dst_name,
+ gnutls_pk_algorithm pk_algorithm, GNUTLS_MPI * params, int params_size)
+{
+gnutls_datum der;
+int result;
+char name[128];
+const char* pk;
+
+ _gnutls_str_cpy( name, sizeof(name), dst_name);
+ _gnutls_str_cat( name, sizeof(name), ".algorithm");
+
+ pk = _gnutls_x509_sign2oid( pk_algorithm, GNUTLS_MAC_SHA);
+ if (pk == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+ /* write the OID.
+ */
+ result = asn1_write_value( dst, name, pk, 1);
+ if (result != ASN1_SUCCESS) {
+ gnutls_assert();
+ return _gnutls_asn2err(result);
+ }
+
+
+ _gnutls_str_cpy( name, sizeof(name), dst_name);
+ _gnutls_str_cat( name, sizeof(name), ".parameters");
+
+ if (pk_algorithm == GNUTLS_PK_DSA) {
+ result = _gnutls_x509_write_dsa_params( params, params_size, &der);
+ if (result < 0) {
+ gnutls_assert();
+ return result;
+ }
+
+ result = asn1_write_value( dst, name, der.data, der.size);
+ _gnutls_free_datum( &der);
+
+ if (result != ASN1_SUCCESS) {
+ gnutls_assert();
+ return _gnutls_asn2err(result);
+ }
+ } else { /* RSA */
+ result = asn1_write_value( dst, name, NULL, 0);
+
+ if (result != ASN1_SUCCESS && result != ASN1_ELEMENT_NOT_FOUND) {
+ /* Here we ignore the element not found error, since this
+ * may have been disabled before.
+ */
+ gnutls_assert();
+ return _gnutls_asn2err(result);
+ }
+ }
+
+ return 0;
+}
+
+/*
* This function writes the parameters for DSS keys.
* Needs 3 parameters (p,q,g).
*
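Review bot: The DSA branch writes the key's p/q/g into `<dst_name>.parameters`, but as I read RFC 3279 section 2.2.2, an id-dsa-with-sha1 AlgorithmIdentifier used as a signature algorithm must omit the parameters field; the domain parameters belong in subjectPublicKeyInfo. Section 2.2.1 of the same RFC asks for an explicit ASN.1 NULL in the RSA case, whereas the `else` branch deletes the element. Strict verifiers may reject or mis-compare the resulting certificates and requests, and the callers in crq.c and sign.c inherit the behaviour. I would write the empty value in the DSA branch, `result = asn1_write_value( dst, name, NULL, 0);`, and encode a NULL for RSA. The header comment should also state that the function returns 0 on success and a negative error code otherwise.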
diff --git a/lib/x509/mpi.h b/lib/x509/mpi.h
index 6eff6f88b8..cfa92918f7 100644
--- a/lib/x509/mpi.h
+++ b/lib/x509/mpi.h
@@ -1,3 +1,4 @@
+#include <gnutls_int.h>
#include "x509.h"
int _gnutls_x509_crt_get_mpis( gnutls_x509_crt cert,
@@ -20,3 +21,6 @@ int _gnutls_x509_read_int( ASN1_TYPE node, const char* value,
GNUTLS_MPI* ret_mpi);
int _gnutls_x509_write_int( ASN1_TYPE node, const char* value, GNUTLS_MPI mpi, int lz);
int _gnutls_x509_write_uint32( ASN1_TYPE node, const char* value, uint32 num);
+
+int _gnutls_x509_write_sig_params( ASN1_TYPE dst, const char* dst_name,
+ gnutls_pk_algorithm pk_algorithm, GNUTLS_MPI * params, int params_size);
diff --git a/lib/x509/sign.c b/lib/x509/sign.c
index 340a599174..b32c21569b 100644
--- a/lib/x509/sign.c
+++ b/lib/x509/sign.c
@@ -279,7 +279,6 @@ int _gnutls_x509_pkix_sign(ASN1_TYPE src, const char* src_name,
{
int result;
gnutls_datum signature;
-const char* pk;
char name[128];
/* Step 1. Copy the issuer's name into the certificate.
@@ -296,39 +295,16 @@ char name[128];
/* Step 1.5. Write the signature stuff in the tbsCertificate.
*/
- /* write the RSA OID
- */
- pk = _gnutls_x509_sign2oid( issuer_key->pk_algorithm, GNUTLS_MAC_SHA);
- if (pk == NULL) {
- gnutls_assert();
- return GNUTLS_E_INVALID_REQUEST;
- }
-
_gnutls_str_cpy( name, sizeof(name), src_name);
- _gnutls_str_cat( name, sizeof(name), ".signature.algorithm");
+ _gnutls_str_cat( name, sizeof(name), ".signature");
- result = asn1_write_value( src, name, pk, 1);
- if (result != ASN1_SUCCESS) {
- gnutls_assert();
- return _gnutls_asn2err(result);
- }
-
-#warning CHECKME
- /* disable parameters, which are not used in RSA.
- */
- _gnutls_str_cpy( name, sizeof(name), src_name);
- _gnutls_str_cat( name, sizeof(name), ".signature.parameters");
-
- result = asn1_write_value( src, name, NULL, 0);
- if (result != ASN1_SUCCESS && result != ASN1_ELEMENT_NOT_FOUND) {
- /* Here we ignore the element not found error, since this
- * may have been disabled before.
- */
+ result = _gnutls_x509_write_sig_params( src, name,
+ issuer_key->pk_algorithm, issuer_key->params, issuer_key->params_size);
+ if (result < 0) {
gnutls_assert();
- return _gnutls_asn2err(result);
+ return result;
}
-
/* Step 2. Sign the certificate.
*/
result = _gnutls_x509_sign_tbs( src, src_name, GNUTLS_MAC_SHA,
@@ -350,28 +326,15 @@ char name[128];
return _gnutls_asn2err(result);
}
- /* Step 2. Move up and write the AlgorithmIdentifier, which is also
+ /* Step 3. Move up and write the AlgorithmIdentifier, which is also
* the same.
*/
- /* write the RSA or DSA OID
- */
- result = asn1_write_value( src, "signatureAlgorithm.algorithm", pk, 1);
- if (result != ASN1_SUCCESS) {
- gnutls_assert();
- return _gnutls_asn2err(result);
- }
-
-#warning CHECKME
- /* disable parameters, which are not used in RSA.
- */
- result = asn1_write_value( src, "signatureAlgorithm.parameters", NULL, 0);
- if (result != ASN1_SUCCESS && result != ASN1_ELEMENT_NOT_FOUND) {
- /* Here we ignore the element not found error, since this
- * may have been disabled before.
- */
+ result = _gnutls_x509_write_sig_params( src, "signatureAlgorithm",
+ issuer_key->pk_algorithm, issuer_key->params, issuer_key->params_size);
+ if (result < 0) {
gnutls_assert();
- return _gnutls_asn2err(result);
+ return result;
}
return 0;
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 24c7cdb702..7055debb2e 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -459,6 +459,34 @@ _pkcs1_rsa_verify_sig( const gnutls_datum* text, const gnutls_datum* signature,
return 0;
}
+/* Hashes input data and verifies a DSA signature.
+ */
+static int
+dsa_verify_sig( const gnutls_datum* text, const gnutls_datum* signature,
+ GNUTLS_MPI *params, int params_len)
+{
+ int ret;
+ opaque _digest[MAX_HASH_SIZE];
+ gnutls_datum digest;
+ GNUTLS_HASH_HANDLE hd;
+
+ hd = _gnutls_hash_init( GNUTLS_MAC_SHA);
+ if (hd == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_HASH_FAILED;
+ }
+
+ _gnutls_hash( hd, text->data, text->size);
+ _gnutls_hash_deinit( hd, _digest);
+
+ digest.data = _digest;
+ digest.size = 20;
+
+ ret = _gnutls_dsa_verify( &digest, signature, params, params_len);
+
+ return ret;
+}
+
/* Verifies the signature data, and returns 0 if not verified,
* or 1 otherwise.
*/
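Review bot: `digest.size = 20;` hard-codes the SHA-1 output length separately from the `GNUTLS_MAC_SHA` passed to `_gnutls_hash_init`, so changing one without the other would hand `_gnutls_dsa_verify` a truncated digest or trailing uninitialised bytes of `_digest`. Tie the length to the algorithm or at least annotate it, e.g. `digest.size = 20; /* SHA-1 output length; must match GNUTLS_MAC_SHA above */`. The hash is fixed to SHA-1 regardless of what the certificate's signatureAlgorithm declares; whether the caller checks that OID first is not visible in this hunk. The function comment should also say that it returns 0 on success and non-zero on failure, the opposite of the 0/1 convention documented for `verify_sig` just below.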
@@ -479,7 +507,7 @@ static int verify_sig( const gnutls_datum* tbs, const gnutls_datum* signature,
break;
case GNUTLS_PK_DSA:
- if (_gnutls_dsa_verify( tbs, signature, issuer_params, issuer_params_size)!=0) {
+ if (dsa_verify_sig( tbs, signature, issuer_params, issuer_params_size)!=0) {
gnutls_assert();
return 0;
}