authorNikos Mavrogiannopoulos <nmav@gnutls.org>2011-05-07 18:44:21 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2011-05-07 18:46:23 +0200
commit91e62ff65030af57bed038decfa3aac392f75cac (patch)
treef8dce850ce9d99d07d9245c3f4893f29284edccb /lib
parent50c4bb2247957f852dfc52de2e9ca39e09bd3de0 (diff)
downloadgnutls-91e62ff65030af57bed038decfa3aac392f75cac.tar.gz
Added gnutls_x509_crq_verify().
Diffstat (limited to 'lib')
-rw-r--r--lib/includes/gnutls/x509.h2
-rw-r--r--lib/libgnutls.map3
-rw-r--r--lib/x509/crq.c67
-rw-r--r--lib/x509/x509_write.c4
4 files changed, 75 insertions, 1 deletions
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index f220844d77..6ddd85c836 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -721,6 +721,8 @@ extern "C"
gnutls_certificate_print_formats_t format,
gnutls_datum_t * out);
+ int gnutls_x509_crq_verify (gnutls_x509_crq_t crq, unsigned int flags);
+
int gnutls_x509_crq_init (gnutls_x509_crq_t * crq);
void gnutls_x509_crq_deinit (gnutls_x509_crq_t crq);
int gnutls_x509_crq_import (gnutls_x509_crq_t crq,
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index 229792e955..63bacd2104 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -677,6 +677,8 @@ GNUTLS_2_12
gnutls_openpgp_crt_verify_hash;
gnutls_pubkey_import_privkey;
gnutls_pubkey_verify_data;
+ gnutls_certificate_get_issuer;
+ gnutls_x509_crq_verify;
} GNUTLS_2_10;
GNUTLS_3_0_0 {
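Review bot: Both added exports land in the `GNUTLS_2_12` node (`+ gnutls_certificate_get_issuer;` and `+ gnutls_x509_crq_verify;`), and the second hunk of this file removes `gnutls_certificate_get_issuer` from `GNUTLS_3_0_0`. If the 2.12 node corresponds to an already-released series, growing its symbol set means a binary linked against this tree will request a `GNUTLS_2_12` version that older 2.12 libraries do not satisfy, so the intent (a matching backport on the 2.12 branch) should be confirmed, or `gnutls_x509_crq_verify` should be placed under `GNUTLS_3_0_0` with the other new 3.0 symbols. If the move of `gnutls_certificate_get_issuer` is deliberate because that symbol was backported, a one-line comment in the map saying so would save the next reader the same question.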
@@ -710,7 +712,6 @@ GNUTLS_3_0_0 {
gnutls_pubkey_get_openpgp_key_id;
gnutls_certificate_set_retrieve_function2;
gnutls_x509_trust_list_get_issuer;
- gnutls_certificate_get_issuer;
} GNUTLS_2_12;
GNUTLS_PRIVATE {
diff --git a/lib/x509/crq.c b/lib/x509/crq.c
index 02dc2c4a80..ed0f844a56 100644
--- a/lib/x509/crq.c
+++ b/lib/x509/crq.c
@@ -2521,5 +2521,72 @@ gnutls_x509_crq_privkey_sign (gnutls_x509_crq_t crq, gnutls_privkey_t key,
}
+/**
+ * gnutls_x509_crq_verify:
+ * @crq: is the crq to be verified
+ * @flags: Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations.
+ *
+ * This function will verify self signature in the certificate
+ * request and return its status.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, %GNUTLS_E_PK_SIG_VERIFY_FAILED
+ * if verification failed, otherwise a negative error value.
+ **/
+int
+gnutls_x509_crq_verify (gnutls_x509_crq_t crq,
+ unsigned int flags)
+{
+gnutls_datum data = { NULL, 0 };
+gnutls_datum signature = { NULL, 0 };
+bigint_t params[MAX_PUBLIC_PARAMS_SIZE];
+int ret, params_size = 0, i;
+
+ ret =
+ _gnutls_x509_get_signed_data (crq->crq, "certificationRequestInfo", &data);
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ return ret;
+ }
+
+ ret = _gnutls_x509_get_signature (crq->crq, "signature", &signature);
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ goto cleanup;
+ }
+
+ params_size = MAX_PUBLIC_PARAMS_SIZE;
+ ret =
+ _gnutls_x509_crq_get_mpis(crq, params, &params_size);
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ goto cleanup;
+ }
+
+ ret = pubkey_verify_sig(&data, NULL, &signature,
+ gnutls_x509_crq_get_pk_algorithm (crq, NULL),
+ params, params_size);
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ goto cleanup;
+ }
+
+ ret = 0;
+
+cleanup:
+ _gnutls_free_datum (&data);
+ _gnutls_free_datum (&signature);
+
+ for (i = 0; i < params_size; i++)
+ {
+ _gnutls_mpi_release (&params[i]);
+ }
+
+ return ret;
+}
#endif /* ENABLE_PKI */
+
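Review bot: `params` is declared uninitialized at `bigint_t params[MAX_PUBLIC_PARAMS_SIZE];`, yet the cleanup loop releases `params[0..params_size)` after `params_size` has already been set to `MAX_PUBLIC_PARAMS_SIZE`, so if `_gnutls_x509_crq_get_mpis` fails without filling every slot (and without resetting `params_size`) `_gnutls_mpi_release` is applied to indeterminate pointers; initializing with `bigint_t params[MAX_PUBLIC_PARAMS_SIZE] = { 0 };` makes the release loop safe on every exit path. The `flags` parameter is documented as "Flags that may be used to change the verification algorithm" but is never read in the body, so either pass it through to the verification call or amend the docstring to say it is currently ignored and reserved for future use. The result of `gnutls_x509_crq_get_pk_algorithm (crq, NULL)` is handed straight to `pubkey_verify_sig` without a sign check; storing it in a local and returning early on a negative value would keep an error code from being interpreted as an algorithm identifier.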
diff --git a/lib/x509/x509_write.c b/lib/x509/x509_write.c
index 5d31a830da..68f0103670 100644
--- a/lib/x509/x509_write.c
+++ b/lib/x509/x509_write.c
@@ -268,6 +268,10 @@ gnutls_x509_crt_set_crq (gnutls_x509_crt_t crt, gnutls_x509_crq_t crq)
return GNUTLS_E_INVALID_REQUEST;
}
+ result = gnutls_x509_crq_verify(crq, 0);
+ if (result < 0)
+ return gnutls_assert_val(result);
+
result = asn1_copy_node (crt->cert, "tbsCertificate.subject",
crq->crq, "certificationRequestInfo.subject");
if (result != ASN1_SUCCESS)
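Review bot: `gnutls_x509_crt_set_crq` now returns whatever `gnutls_x509_crq_verify` reports (presumably `GNUTLS_E_PK_SIG_VERIFY_FAILED` for a bad self-signature, per the new function's documentation) before copying the subject, which is a behaviour change for callers that previously supplied requests with an invalid or placeholder signature; the function's documentation, which lies outside this hunk, should state that the request's self-signature is verified and list that error code. The call passes `flags` as `0`, so none of the `gnutls_certificate_verify_flags` can be applied at this level; a comment such as `/* Check that the request is self-signed by the key it carries; no verification flags are exposed here. */` would record that decision for the next reader. The enclosing function starts and ends outside the hunk.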