diff options
| author | Daiki Ueno <dueno@redhat.com> | 2017-03-16 11:38:58 +0100 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-05-29 08:23:49 +0200 |
| commit | 9e5452193c3510102801fd86b6e65d37b5dc1012 (patch) | |
| tree | 1c401b3900c8a6f3ffac58ad839266e8c228f941 /lib/x509/x509_int.h | |
| parent | 03c811b7f9a280182b486473567a0b93fe1dc291 (diff) | |
| download | gnutls-9e5452193c3510102801fd86b6e65d37b5dc1012.tar.gz | |
x509: implement RSA-PSS signature scheme
This patch enables RSA-PSS signature scheme in the X.509 functions and
certtool.
When creating RSA-PSS signature, there are 3 different scenarios:
a. both a private key and a certificate are RSA-PSS
b. the private key is RSA, while the certificate is RSA-PSS
c. both the private key and the certificate are RSA
For (a) and (b), the RSA-PSS parameters are read from the certificate.
Any conflicts in parameters between the private key and the certificate
are reported as an error.
For (c), the sign functions, such as gnutls_x509_crt_privkey_sign() or
gnutls_privkey_sign_data(), shall be instructed to generate an RSA-PSS
signature. This can be done with the new flag
GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS.
Verification is similar to signing, except for the case (c), use the
flag GNUTLS_VERIFY_USE_RSA_PSS instead of
GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS.
From the command line, certtool has a couple of new options: --rsa-pss
and --rsa-pss-sign. The --rsa-pss option indicates that the generated
private key or certificate is restricted to RSA-PSS, while the
--rsa-pss-sign option indicates that the generated certificate is signed
with RSA-PSS.
For simplicity, there is no means of choosing arbitrary salt length.
When it is not given by a private key or a certificate, it is
automatically calculated from the underlying hash algorithm and the
RSA modulus bits.
[minor naming changes by nmav]
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'lib/x509/x509_int.h')
| -rw-r--r-- | lib/x509/x509_int.h | 40 |
1 files changed, 32 insertions, 8 deletions
diff --git a/lib/x509/x509_int.h b/lib/x509/x509_int.h index 38f07d6ed8..7b2d38457d 100644 --- a/lib/x509/x509_int.h +++ b/lib/x509/x509_int.h @@ -156,8 +156,12 @@ int _gnutls_x509_get_tbs(ASN1_TYPE cert, const char *tbs_name, gnutls_datum_t * tbs); int _gnutls_x509_pkix_sign(ASN1_TYPE src, const char *src_name, gnutls_digest_algorithm_t, + unsigned int flags, gnutls_x509_crt_t issuer, gnutls_privkey_t issuer_key); +int _gnutls_x509_crt_get_sign_params(gnutls_x509_crt_t issuer, + const gnutls_x509_spki_st *key_params, + gnutls_x509_spki_st *params); /* dn.c */ #define OID_X520_COUNTRY_NAME "2.5.4.6" @@ -229,11 +233,6 @@ _gnutls_x509_verify_algorithm(gnutls_digest_algorithm_t * hash, gnutls_pk_algorithm_t pk, gnutls_pk_params_st * issuer_params); -int _gnutls_x509_verify_data(const mac_entry_st * me, - const gnutls_datum_t * data, - const gnutls_datum_t * signature, - gnutls_x509_crt_t issuer); - /* privkey.h */ void _gnutls_x509_privkey_reinit(gnutls_x509_privkey_t key); @@ -252,6 +251,19 @@ _gnutls_x509_read_ecc_params(uint8_t * der, int dersize, int _gnutls_asn1_encode_privkey(gnutls_pk_algorithm_t pk, ASN1_TYPE * c2, gnutls_pk_params_st * params, unsigned compat); +int _gnutls_x509_privkey_get_sign_params(gnutls_x509_privkey_t key, + gnutls_x509_spki_st * params); +int _gnutls_x509_privkey_find_sign_params(gnutls_x509_privkey_t key, + gnutls_pk_algorithm_t pk, + gnutls_digest_algorithm_t dig, + unsigned flags, + gnutls_x509_spki_st *params); + +int _gnutls_x509_read_rsa_pss_params(uint8_t * der, int dersize, + gnutls_x509_spki_st * params); +int _gnutls_x509_write_rsa_pss_params(gnutls_x509_spki_st * params, + gnutls_datum_t * der); + /* extensions.c */ int _gnutls_x509_crl_get_extension_oid(gnutls_x509_crl_t crl, int indx, void *oid, @@ -312,13 +324,24 @@ int _gnutls_x509_crq_get_mpis(gnutls_x509_crq_t cert, int _gnutls_x509_crt_get_mpis(gnutls_x509_crt_t cert, gnutls_pk_params_st * params); +int _gnutls_x509_crt_read_sign_params(gnutls_x509_crt_t crt, + gnutls_x509_spki_st *params); +int _gnutls_x509_crq_read_sign_params(gnutls_x509_crq_t crt, + gnutls_x509_spki_st *params); + int _gnutls_x509_read_pubkey_params(gnutls_pk_algorithm_t, uint8_t * der, int dersize, gnutls_pk_params_st * params); +int _gnutls_x509_check_pubkey_params(gnutls_pk_algorithm_t algo, + gnutls_pk_params_st * params); int _gnutls_x509_read_pubkey(gnutls_pk_algorithm_t, uint8_t * der, int dersize, gnutls_pk_params_st * params); +int _gnutls_x509_read_pubkey_signature_params(gnutls_pk_algorithm_t algo, + uint8_t * der, int dersize, + gnutls_pk_params_st * params); + int _gnutls_x509_write_ecc_params(gnutls_ecc_curve_t curve, gnutls_datum_t * der); int _gnutls_x509_write_ecc_pubkey(gnutls_pk_params_st * params, @@ -352,9 +375,10 @@ int _gnutls_x509_read_key_int(ASN1_TYPE node, const char *value, int _gnutls_x509_write_key_int(ASN1_TYPE node, const char *value, bigint_t mpi, int lz); -int _gnutls_x509_write_sig_params(ASN1_TYPE dst, const char *dst_name, - gnutls_pk_algorithm_t pk_algorithm, - gnutls_digest_algorithm_t, unsigned legacy); +int _gnutls_x509_read_sign_params(ASN1_TYPE src, const char *src_name, + gnutls_x509_spki_st *params); +int _gnutls_x509_write_sign_params(ASN1_TYPE dst, const char *dst_name, + gnutls_x509_spki_st *params); /* pkcs12.h */ #include <gnutls/pkcs12.h> |