diff options
| -rw-r--r-- | lib/gnutls_privkey.c | 5 | ||||
| -rw-r--r-- | lib/gnutls_pubkey.c | 1 | ||||
| -rw-r--r-- | lib/gnutls_sig.c | 164 | ||||
| -rw-r--r-- | lib/gnutls_sig.h | 10 | ||||
| -rw-r--r-- | lib/openpgp/gnutls_openpgp.h | 5 | ||||
| -rw-r--r-- | lib/openpgp/privkey.c | 1 | ||||
| -rw-r--r-- | lib/pkcs11_int.h | 5 | ||||
| -rw-r--r-- | lib/pkcs11_privkey.c | 12 | ||||
| -rw-r--r-- | lib/x509/Makefile.am | 1 | ||||
| -rw-r--r-- | lib/x509/privkey.c | 1 | ||||
| -rw-r--r-- | lib/x509/sign.c | 163 | ||||
| -rw-r--r-- | lib/x509/sign.h | 9 |
12 files changed, 193 insertions, 184 deletions
diff --git a/lib/gnutls_privkey.c b/lib/gnutls_privkey.c index 4ba21d4e8d..4e3b640205 100644 --- a/lib/gnutls_privkey.c +++ b/lib/gnutls_privkey.c @@ -30,10 +30,11 @@ #include <gnutls_datum.h> #include <pkcs11_int.h> #include <gnutls/abstract.h> -#include <sign.h> #include <gnutls_pk.h> #include <x509_int.h> #include <openpgp/openpgp_int.h> +#include <openpgp/gnutls_openpgp.h> +#include <gnutls_sig.h> struct gnutls_privkey_st { @@ -385,7 +386,7 @@ _gnutls_privkey_sign_hash (gnutls_privkey_t key, hash, signature); #endif case GNUTLS_PRIVKEY_PKCS11: - return gnutls_pkcs11_privkey_sign_hash (key->key.pkcs11, + return _gnutls_pkcs11_privkey_sign_hash (key->key.pkcs11, hash, signature); case GNUTLS_PRIVKEY_X509: return _gnutls_soft_sign (key->key.x509->pk_algorithm, key->key.x509->params, diff --git a/lib/gnutls_pubkey.c b/lib/gnutls_pubkey.c index bce1334398..7169aecb80 100644 --- a/lib/gnutls_pubkey.c +++ b/lib/gnutls_pubkey.c @@ -30,7 +30,6 @@ #include <gnutls_datum.h> #include <pkcs11_int.h> #include <gnutls/abstract.h> -#include <sign.h> #include <gnutls_pk.h> #include <x509_int.h> #include <openpgp/openpgp_int.h> diff --git a/lib/gnutls_sig.c b/lib/gnutls_sig.c index 165a6dc03a..714cf35409 100644 --- a/lib/gnutls_sig.c +++ b/lib/gnutls_sig.c @@ -304,7 +304,7 @@ _gnutls_tls_sign (gnutls_session_t session, } } - return gnutls_privkey_sign_hash (pkey, hash_concat, signature); + return _gnutls_privkey_sign_hash (pkey, hash_concat, signature); } static int @@ -796,3 +796,165 @@ _gnutls_handshake_sign_cert_vrfy (gnutls_session_t session, return ret; } + +int pk_hash_data(gnutls_pk_algorithm_t pk, gnutls_digest_algorithm_t hash, + bigint_t * params, + const gnutls_datum_t * data, gnutls_datum_t * digest) +{ + int ret; + + switch (pk) + { + case GNUTLS_PK_RSA: + if (hash != GNUTLS_DIG_SHA1 && hash != GNUTLS_DIG_SHA224 && + hash != GNUTLS_DIG_SHA256) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; + } + break; + case GNUTLS_PK_DSA: + if (params && hash != _gnutls_dsa_q_to_hash (params[1])) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; + } + break; + default: + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + digest->size = _gnutls_hash_get_algo_len (hash); + digest->data = gnutls_malloc (digest->size); + if (digest->data == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; + } + + ret = _gnutls_hash_fast(hash, data->data, data->size, digest->data); + if (ret < 0) + { + gnutls_assert(); + goto cleanup; + } + + return 0; + +cleanup: + gnutls_free(digest->data); + return ret; +} + +/* Writes the digest information and the digest in a DER encoded + * structure. The digest info is allocated and stored into the info structure. + */ +static int +encode_ber_digest_info (gnutls_digest_algorithm_t hash, + const gnutls_datum_t * digest, + gnutls_datum_t * output) +{ + ASN1_TYPE dinfo = ASN1_TYPE_EMPTY; + int result; + const char *algo; + opaque* tmp_output; + int tmp_output_size; + + algo = _gnutls_x509_mac_to_oid ((gnutls_mac_algorithm_t) hash); + if (algo == NULL) + { + gnutls_assert (); + _gnutls_x509_log ("Hash algorithm: %d\n", hash); + return GNUTLS_E_UNKNOWN_PK_ALGORITHM; + } + + if ((result = asn1_create_element (_gnutls_get_gnutls_asn (), + "GNUTLS.DigestInfo", + &dinfo)) != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); + } + + result = asn1_write_value (dinfo, "digestAlgorithm.algorithm", algo, 1); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + asn1_delete_structure (&dinfo); + return _gnutls_asn2err (result); + } + + /* Write an ASN.1 NULL in the parameters field. This matches RFC + 3279 and RFC 4055, although is arguable incorrect from a historic + perspective (see those documents for more information). + Regardless of what is correct, this appears to be what most + implementations do. */ + result = asn1_write_value (dinfo, "digestAlgorithm.parameters", + ASN1_NULL, ASN1_NULL_SIZE); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + asn1_delete_structure (&dinfo); + return _gnutls_asn2err (result); + } + + result = asn1_write_value (dinfo, "digest", digest->data, digest->size); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + asn1_delete_structure (&dinfo); + return _gnutls_asn2err (result); + } + + tmp_output_size = 0; + asn1_der_coding (dinfo, "", NULL, &tmp_output_size, NULL); + + tmp_output = gnutls_malloc (tmp_output_size); + if (output->data == NULL) + { + gnutls_assert (); + asn1_delete_structure (&dinfo); + return GNUTLS_E_MEMORY_ERROR; + } + + result = asn1_der_coding (dinfo, "", tmp_output, &tmp_output_size, NULL); + if (result != ASN1_SUCCESS) + { + gnutls_assert (); + asn1_delete_structure (&dinfo); + return _gnutls_asn2err (result); + } + + asn1_delete_structure (&dinfo); + + output->size = tmp_output_size; + output->data = tmp_output; + + return 0; +} + +/* if hash==MD5 then we do RSA-MD5 + * if hash==SHA then we do RSA-SHA + * params[0] is modulus + * params[1] is public key + */ +int +pk_prepare_pkcs1_rsa_hash (gnutls_digest_algorithm_t hash, + gnutls_datum_t * digest) +{ + int ret; + gnutls_datum old_digest = { digest->data, digest->size }; + + /* Encode the digest as a DigestInfo + */ + if ((ret = encode_ber_digest_info (hash, digest, digest)) != 0) + { + gnutls_assert (); + return ret; + } + + _gnutls_free_datum(&old_digest); + + return 0; +} diff --git a/lib/gnutls_sig.h b/lib/gnutls_sig.h index 77a97afa4d..3d85f03e4c 100644 --- a/lib/gnutls_sig.h +++ b/lib/gnutls_sig.h @@ -56,4 +56,14 @@ int _gnutls_soft_sign (gnutls_pk_algorithm_t algo, const gnutls_datum_t * data, gnutls_datum_t * signature); +int pk_prepare_pkcs1_rsa_hash (gnutls_digest_algorithm_t hash, + gnutls_datum_t * output); +int pk_hash_data(gnutls_pk_algorithm_t pk, gnutls_digest_algorithm_t hash, + bigint_t * params, const gnutls_datum_t * data, gnutls_datum_t * digest); + +int +_gnutls_privkey_sign_hash (gnutls_privkey_t key, + const gnutls_datum_t * hash, + gnutls_datum_t * signature); + #endif diff --git a/lib/openpgp/gnutls_openpgp.h b/lib/openpgp/gnutls_openpgp.h index b5f67d40fe..c89b867f1c 100644 --- a/lib/openpgp/gnutls_openpgp.h +++ b/lib/openpgp/gnutls_openpgp.h @@ -49,6 +49,11 @@ time_t _gnutls_openpgp_get_raw_key_creation_time (const gnutls_datum_t * time_t _gnutls_openpgp_get_raw_key_expiration_time (const gnutls_datum_t * cert); +int +_gnutls_openpgp_privkey_sign_hash (gnutls_openpgp_privkey_t key, + const gnutls_datum_t * hash, + gnutls_datum_t * signature); + #endif /*GNUTLS_OPENPGP_LOCAL_H */ diff --git a/lib/openpgp/privkey.c b/lib/openpgp/privkey.c index ab888a7f58..0199cd3ade 100644 --- a/lib/openpgp/privkey.c +++ b/lib/openpgp/privkey.c @@ -34,6 +34,7 @@ #include <openpgp_int.h> #include <gnutls_openpgp.h> #include <gnutls_cert.h> +#include <gnutls_sig.h> /** * gnutls_openpgp_privkey_init: diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h index 23aeb1ba96..4725d1ef54 100644 --- a/lib/pkcs11_int.h +++ b/lib/pkcs11_int.h @@ -97,4 +97,9 @@ int pkcs11_find_object (pakchois_session_t ** _pks, unsigned int pkcs11_obj_flags_to_int (unsigned int flags); +int +_gnutls_pkcs11_privkey_sign_hash (gnutls_pkcs11_privkey_t key, + const gnutls_datum_t * hash, + gnutls_datum_t * signature); + #endif diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c index efc5e6de2e..547db4d5ac 100644 --- a/lib/pkcs11_privkey.c +++ b/lib/pkcs11_privkey.c @@ -29,7 +29,7 @@ #include <gnutls_errors.h> #include <gnutls_datum.h> #include <pkcs11_int.h> -#include <sign.h> +#include <gnutls_sig.h> struct gnutls_pkcs11_privkey_st { @@ -165,7 +165,7 @@ gnutls_pkcs11_privkey_sign_data (gnutls_pkcs11_privkey_t signer, goto cleanup; } - ret = gnutls_pkcs11_privkey_sign_hash (signer, &digest, signature); + ret = _gnutls_pkcs11_privkey_sign_hash (signer, &digest, signature); _gnutls_free_datum (&digest); if (ret < 0) @@ -195,8 +195,8 @@ cleanup: } \ } while (ret < 0); -/** - * gnutls_pkcs11_privkey_sign_hash: +/*- + * _gnutls_pkcs11_privkey_sign_hash: * @key: Holds the key * @hash: holds the data to be signed (should be output of a hash) * @signature: will contain the signature allocated with gnutls_malloc() @@ -207,9 +207,9 @@ cleanup: * * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a * negative error value. - **/ + -*/ int -gnutls_pkcs11_privkey_sign_hash (gnutls_pkcs11_privkey_t key, +_gnutls_pkcs11_privkey_sign_hash (gnutls_pkcs11_privkey_t key, const gnutls_datum_t * hash, gnutls_datum_t * signature) { diff --git a/lib/x509/Makefile.am b/lib/x509/Makefile.am index 042f7ebb51..0081521fc5 100644 --- a/lib/x509/Makefile.am +++ b/lib/x509/Makefile.am @@ -37,7 +37,6 @@ noinst_LTLIBRARIES = libgnutls_x509.la libgnutls_x509_la_SOURCES = \ common.c \ common.h \ - sign.h \ crl.c \ crl_write.c \ crq.c \ diff --git a/lib/x509/privkey.c b/lib/x509/privkey.c index eeac8090aa..32560a5d6d 100644 --- a/lib/x509/privkey.c +++ b/lib/x509/privkey.c @@ -34,7 +34,6 @@ #include <x509_b64.h> #include <x509_int.h> #include <gnutls_pk.h> -#include <sign.h> #include <gnutls_mpi.h> static int _gnutls_asn1_encode_rsa (ASN1_TYPE * c2, bigint_t * params); diff --git a/lib/x509/sign.c b/lib/x509/sign.c index 29dbc6656f..07f7ef6c60 100644 --- a/lib/x509/sign.c +++ b/lib/x509/sign.c @@ -41,171 +41,8 @@ #include <gnutls_datum.h> #include <x509_int.h> #include <common.h> -#include <sign.h> #include <gnutls/abstract.h> -/* Writes the digest information and the digest in a DER encoded - * structure. The digest info is allocated and stored into the info structure. - */ -static int -encode_ber_digest_info (gnutls_digest_algorithm_t hash, - const gnutls_datum_t * digest, - gnutls_datum_t * output) -{ - ASN1_TYPE dinfo = ASN1_TYPE_EMPTY; - int result; - const char *algo; - opaque* tmp_output; - int tmp_output_size; - - algo = _gnutls_x509_mac_to_oid ((gnutls_mac_algorithm_t) hash); - if (algo == NULL) - { - gnutls_assert (); - _gnutls_x509_log ("Hash algorithm: %d\n", hash); - return GNUTLS_E_UNKNOWN_PK_ALGORITHM; - } - - if ((result = asn1_create_element (_gnutls_get_gnutls_asn (), - "GNUTLS.DigestInfo", - &dinfo)) != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - result = asn1_write_value (dinfo, "digestAlgorithm.algorithm", algo, 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - asn1_delete_structure (&dinfo); - return _gnutls_asn2err (result); - } - - /* Write an ASN.1 NULL in the parameters field. This matches RFC - 3279 and RFC 4055, although is arguable incorrect from a historic - perspective (see those documents for more information). - Regardless of what is correct, this appears to be what most - implementations do. */ - result = asn1_write_value (dinfo, "digestAlgorithm.parameters", - ASN1_NULL, ASN1_NULL_SIZE); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - asn1_delete_structure (&dinfo); - return _gnutls_asn2err (result); - } - - result = asn1_write_value (dinfo, "digest", digest->data, digest->size); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - asn1_delete_structure (&dinfo); - return _gnutls_asn2err (result); - } - - tmp_output_size = 0; - asn1_der_coding (dinfo, "", NULL, &tmp_output_size, NULL); - - tmp_output = gnutls_malloc (tmp_output_size); - if (output->data == NULL) - { - gnutls_assert (); - asn1_delete_structure (&dinfo); - return GNUTLS_E_MEMORY_ERROR; - } - - result = asn1_der_coding (dinfo, "", tmp_output, &tmp_output_size, NULL); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - asn1_delete_structure (&dinfo); - return _gnutls_asn2err (result); - } - - asn1_delete_structure (&dinfo); - - output->size = tmp_output_size; - output->data = tmp_output; - - return 0; -} - -int pk_hash_data(gnutls_pk_algorithm_t pk, gnutls_digest_algorithm_t hash, - bigint_t * params, - const gnutls_datum_t * data, gnutls_datum_t * digest) -{ - int ret; - - switch (pk) - { - case GNUTLS_PK_RSA: - if (hash != GNUTLS_DIG_SHA1 && hash != GNUTLS_DIG_SHA224 && - hash != GNUTLS_DIG_SHA256) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - break; - case GNUTLS_PK_DSA: - if (params && hash != _gnutls_dsa_q_to_hash (params[1])) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - break; - default: - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - digest->size = _gnutls_hash_get_algo_len (hash); - digest->data = gnutls_malloc (digest->size); - if (digest->data == NULL) - { - gnutls_assert (); - return GNUTLS_E_MEMORY_ERROR; - } - - ret = _gnutls_hash_fast(hash, data->data, data->size, digest->data); - if (ret < 0) - { - gnutls_assert(); - goto cleanup; - } - - return 0; - -cleanup: - gnutls_free(digest->data); - return ret; -} - -/* if hash==MD5 then we do RSA-MD5 - * if hash==SHA then we do RSA-SHA - * params[0] is modulus - * params[1] is public key - */ -int -pk_prepare_pkcs1_rsa_hash (gnutls_digest_algorithm_t hash, - gnutls_datum_t * digest) -{ - int ret; - gnutls_datum old_digest = { digest->data, digest->size }; - - /* Encode the digest as a DigestInfo - */ - if ((ret = encode_ber_digest_info (hash, digest, digest)) != 0) - { - gnutls_assert (); - return ret; - } - - _gnutls_free_datum(&old_digest); - - return 0; -} - /* This is the same as the _gnutls_x509_sign, but this one will decode * the ASN1_TYPE given, and sign the DER data. Actually used to get the DER * of the TBS and sign it on the fly. diff --git a/lib/x509/sign.h b/lib/x509/sign.h deleted file mode 100644 index 5992bbd3bf..0000000000 --- a/lib/x509/sign.h +++ /dev/null @@ -1,9 +0,0 @@ -#ifndef GNUTLS_SIGN_H -#define GNUTLS_SIGN_H - -int pk_prepare_pkcs1_rsa_hash (gnutls_digest_algorithm_t hash, - gnutls_datum_t * output); -int pk_hash_data(gnutls_pk_algorithm_t pk, gnutls_digest_algorithm_t hash, - bigint_t * params, const gnutls_datum_t * data, gnutls_datum_t * digest); - -#endif |