-rw-r--r-- | lib/x509/crq.c | 42 | ||||
-rw-r--r-- | lib/x509/mpi.c | 62 | ||||
-rw-r--r-- | lib/x509/mpi.h | 4 | ||||
-rw-r--r-- | lib/x509/sign.c | 57 | ||||
-rw-r--r-- | lib/x509/verify.c | 30 |
5 files changed, 109 insertions, 86 deletions
diff --git a/lib/x509/crq.c b/lib/x509/crq.c index 224ff3a70a..8ed79f331a 100644 --- a/lib/x509/crq.c +++ b/lib/x509/crq.c @@ -629,45 +629,11 @@ const char* pk; /* Step 3. Write the signatureAlgorithm field. */ - pk = _gnutls_x509_sign2oid( key->pk_algorithm, GNUTLS_MAC_SHA); - if (pk == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - /* write the RSA OID - */ - result = asn1_write_value( crq->crq, "signatureAlgorithm.algorithm", pk, 1); - if (result != ASN1_SUCCESS) { + result = _gnutls_x509_write_sig_params( crq->crq, "signatureAlgorithm", + key->pk_algorithm, key->params, key->params_size); + if (result < 0) { gnutls_assert(); - return _gnutls_asn2err(result); - } - - if (key->pk_algorithm == GNUTLS_PK_DSA) { - gnutls_datum der; - - result = _gnutls_x509_write_dsa_params( key->params, key->params_size, &der); - if (result < 0) { - gnutls_assert(); - return result; - } - - result = asn1_write_value( crq->crq, "signatureAlgorithm.parameters", der.data, der.size); - _gnutls_free_datum( &der); - - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - } else { - /* RSA so disable the parameters. - */ - result = asn1_write_value( crq->crq, "signatureAlgorithm.parameters", NULL, 0); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } + return result; } return 0; diff --git a/lib/x509/mpi.c b/lib/x509/mpi.c index 575e66574c..007e728336 100644 --- a/lib/x509/mpi.c +++ b/lib/x509/mpi.c 
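Review bot: The declaration `const char* pk;` shown in the crq.c hunk header appears to be left unused, because the only assignment to `pk` visible in this hunk is removed; the sign.c part of the same commit deletes its matching declaration, and the same should happen here. The RSA request path also changes behaviour slightly: the old code returned an error for any non-success result when clearing `signatureAlgorithm.parameters`, while the shared helper ignores `ASN1_ELEMENT_NOT_FOUND`, which deserves a line in the commit message. The enclosing function starts outside the hunk, so other uses of `pk` cannot be ruled out from here.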
@@ -331,6 +331,68 @@ cleanup: } /* + * This function writes and encodes the parameters for DSS or RSA keys. + * This is the "signatureAlgorithm" fields. + */ +int _gnutls_x509_write_sig_params( ASN1_TYPE dst, const char* dst_name, + gnutls_pk_algorithm pk_algorithm, GNUTLS_MPI * params, int params_size) +{ +gnutls_datum der; +int result; +char name[128]; +const char* pk; + + _gnutls_str_cpy( name, sizeof(name), dst_name); + _gnutls_str_cat( name, sizeof(name), ".algorithm"); + + pk = _gnutls_x509_sign2oid( pk_algorithm, GNUTLS_MAC_SHA); + if (pk == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* write the OID. + */ + result = asn1_write_value( dst, name, pk, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + + _gnutls_str_cpy( name, sizeof(name), dst_name); + _gnutls_str_cat( name, sizeof(name), ".parameters"); + + if (pk_algorithm == GNUTLS_PK_DSA) { + result = _gnutls_x509_write_dsa_params( params, params_size, &der); + if (result < 0) { + gnutls_assert(); + return result; + } + + result = asn1_write_value( dst, name, der.data, der.size); + _gnutls_free_datum( &der); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + } else { /* RSA */ + result = asn1_write_value( dst, name, NULL, 0); + + if (result != ASN1_SUCCESS && result != ASN1_ELEMENT_NOT_FOUND) { + /* Here we ignore the element not found error, since this + * may have been disabled before. + */ + gnutls_assert(); + return _gnutls_asn2err(result); + } + } + + return 0; +} + +/* * This function writes the parameters for DSS keys. * Needs 3 parameters (p,q,g). * diff --git a/lib/x509/mpi.h b/lib/x509/mpi.h index 6eff6f88b8..cfa92918f7 100644 --- a/lib/x509/mpi.h +++ b/lib/x509/mpi.h @@ -1,3 +1,4 @@ +#include <gnutls_int.h> #include "x509.h" int _gnutls_x509_crt_get_mpis( gnutls_x509_crt cert, 
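Review bot: The parameter handling in `_gnutls_x509_write_sig_params` looks inverted against RFC 3279 for signature AlgorithmIdentifiers: the DSA branch writes the DER-encoded DSA parameters into `.parameters`, and the RSA branch removes the field. As I read RFC 3279 section 2.2, `id-dsa-with-sha1` must omit the parameters and the RSA signature OIDs must carry an ASN.1 NULL, so strict verifiers may reject or mis-compare what this emits; the DSA domain parameters belong in subjectPublicKeyInfo. I would use `asn1_write_value( dst, name, NULL, 0)` in the DSA branch and the two-byte DER NULL, `asn1_write_value( dst, name, "\x05\x00", 2)`, in the RSA branch, after confirming against the ASN.1 definition of the field, which is not visible here. The sign.c hunks drop both `#warning CHECKME` markers on this exact question, so the decision should be recorded in the comment above this function.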
@@ -20,3 +21,6 @@ int _gnutls_x509_read_int( ASN1_TYPE node, const char* value, GNUTLS_MPI* ret_mpi); int _gnutls_x509_write_int( ASN1_TYPE node, const char* value, GNUTLS_MPI mpi, int lz); int _gnutls_x509_write_uint32( ASN1_TYPE node, const char* value, uint32 num); + +int _gnutls_x509_write_sig_params( ASN1_TYPE dst, const char* dst_name, + gnutls_pk_algorithm pk_algorithm, GNUTLS_MPI * params, int params_size); diff --git a/lib/x509/sign.c b/lib/x509/sign.c index 340a599174..b32c21569b 100644 --- a/lib/x509/sign.c +++ b/lib/x509/sign.c @@ -279,7 +279,6 @@ int _gnutls_x509_pkix_sign(ASN1_TYPE src, const char* src_name, { int result; gnutls_datum signature; -const char* pk; char name[128]; /* Step 1. Copy the issuer's name into the certificate. 
@@ -296,39 +295,16 @@ char name[128]; /* Step 1.5. Write the signature stuff in the tbsCertificate. */ - /* write the RSA OID - */ - pk = _gnutls_x509_sign2oid( issuer_key->pk_algorithm, GNUTLS_MAC_SHA); - if (pk == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - _gnutls_str_cpy( name, sizeof(name), src_name); - _gnutls_str_cat( name, sizeof(name), ".signature.algorithm"); + _gnutls_str_cat( name, sizeof(name), ".signature"); - result = asn1_write_value( src, name, pk, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - -#warning CHECKME - /* disable parameters, which are not used in RSA. - */ - _gnutls_str_cpy( name, sizeof(name), src_name); - _gnutls_str_cat( name, sizeof(name), ".signature.parameters"); - - result = asn1_write_value( src, name, NULL, 0); - if (result != ASN1_SUCCESS && result != ASN1_ELEMENT_NOT_FOUND) { - /* Here we ignore the element not found error, since this - * may have been disabled before. - */ + result = _gnutls_x509_write_sig_params( src, name, + issuer_key->pk_algorithm, issuer_key->params, issuer_key->params_size); + if (result < 0) { gnutls_assert(); - return _gnutls_asn2err(result); + return result; } - /* Step 2. Sign the certificate. */ result = _gnutls_x509_sign_tbs( src, src_name, GNUTLS_MAC_SHA, 
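Review bot: A truncated element path can now pass silently on the RSA path: `name` is assembled here in a 128-byte buffer from the caller-supplied `src_name` plus `.signature`, and the helper then copies it into a second 128-byte buffer and appends `.algorithm` or `.parameters`. If `_gnutls_str_cpy` and `_gnutls_str_cat` truncate (their size argument suggests they do), the write targets a different or non-existent node, and the helper treats `ASN1_ELEMENT_NOT_FOUND` as success when clearing the parameters. Current callers presumably pass short names, so this is a hardening point: check the combined length before building the path, e.g. `if (strlen(src_name) + sizeof(".signature.parameters") > sizeof(name)) return GNUTLS_E_INVALID_REQUEST;`. The body of `_gnutls_x509_pkix_sign` starts and ends outside this hunk.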
@@ -350,28 +326,15 @@ char name[128]; return _gnutls_asn2err(result); } - /* Step 2. Move up and write the AlgorithmIdentifier, which is also + /* Step 3. Move up and write the AlgorithmIdentifier, which is also * the same. */ - /* write the RSA or DSA OID - */ - result = asn1_write_value( src, "signatureAlgorithm.algorithm", pk, 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - -#warning CHECKME - /* disable parameters, which are not used in RSA. - */ - result = asn1_write_value( src, "signatureAlgorithm.parameters", NULL, 0); - if (result != ASN1_SUCCESS && result != ASN1_ELEMENT_NOT_FOUND) { - /* Here we ignore the element not found error, since this - * may have been disabled before. - */ + result = _gnutls_x509_write_sig_params( src, "signatureAlgorithm", + issuer_key->pk_algorithm, issuer_key->params, issuer_key->params_size); + if (result < 0) { gnutls_assert(); - return _gnutls_asn2err(result); + return result; } return 0; diff --git a/lib/x509/verify.c b/lib/x509/verify.c index 24c7cdb702..7055debb2e 100644 --- a/lib/x509/verify.c +++ b/lib/x509/verify.c @@ -459,6 +459,34 @@ _pkcs1_rsa_verify_sig( const gnutls_datum* text, const gnutls_datum* signature, return 0; } +/* Hashes input data and verifies a DSA signature. + */ +static int +dsa_verify_sig( const gnutls_datum* text, const gnutls_datum* signature, + GNUTLS_MPI *params, int params_len) +{ + int ret; + opaque _digest[MAX_HASH_SIZE]; + gnutls_datum digest; + GNUTLS_HASH_HANDLE hd; + + hd = _gnutls_hash_init( GNUTLS_MAC_SHA); + if (hd == NULL) { + gnutls_assert(); + return GNUTLS_E_HASH_FAILED; + } + + _gnutls_hash( hd, text->data, text->size); + _gnutls_hash_deinit( hd, _digest); + + digest.data = _digest; + digest.size = 20; + + ret = _gnutls_dsa_verify( &digest, signature, params, params_len); + + return ret; +} + /* Verifies the signature data, and returns 0 if not verified, * or 1 otherwise. */ 
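Review bot: The new `dsa_verify_sig` in verify.c hard-codes `digest.size = 20;` and its header comment does not state the return convention. The length should come from a named SHA-1 size constant (or whatever hash-length helper the library already has) so it cannot drift from the `GNUTLS_MAC_SHA` passed to `_gnutls_hash_init`. `verify_sig` returns 1 for verified and 0 otherwise, while this helper is tested with `!=0` for failure, so I would extend the comment to `/* Hashes input data with SHA-1 and verifies a DSA signature. Returns 0 on success, non-zero error code otherwise. */`; mixed conventions in a verification path are an easy way to end up accepting a bad signature. The result of `_gnutls_hash` is also not checked before the digest is used.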
@@ -479,7 +507,7 @@ static int verify_sig( const gnutls_datum* tbs, const gnutls_datum* signature, break; case GNUTLS_PK_DSA: - if (_gnutls_dsa_verify( tbs, signature, issuer_params, issuer_params_size)!=0) { + if (dsa_verify_sig( tbs, signature, issuer_params, issuer_params_size)!=0) { gnutls_assert(); return 0; } |