diff options
Diffstat (limited to 'src/pkcs11.c')
-rw-r--r-- | src/pkcs11.c | 38 |
1 files changed, 32 insertions, 6 deletions
diff --git a/src/pkcs11.c b/src/pkcs11.c index ab2b81d601..4453343941 100644 --- a/src/pkcs11.c +++ b/src/pkcs11.c @@ -262,6 +262,8 @@ pkcs11_test_sign(FILE * outfile, const char *url, unsigned int flags, int ret; gnutls_datum_t data, sig = {NULL, 0}; int pk; + gnutls_digest_algorithm_t hash; + gnutls_sign_algorithm_t sig_algo; pkcs11_common(info); @@ -298,18 +300,42 @@ pkcs11_test_sign(FILE * outfile, const char *url, unsigned int flags, app_exit(1); } - ret = gnutls_privkey_sign_data(privkey, GNUTLS_DIG_SHA256, 0, &data, &sig); + pk = gnutls_privkey_get_pk_algorithm(privkey, NULL); + + if (info->hash == GNUTLS_DIG_UNKNOWN) + hash = GNUTLS_DIG_SHA256; + else + hash = info->hash; + + if (info->rsa_pss_sign && pk == GNUTLS_PK_RSA) + pk = GNUTLS_PK_RSA_PSS; + + sig_algo = gnutls_pk_to_sign(pk, hash); + if (sig_algo == GNUTLS_SIGN_UNKNOWN) { + fprintf(stderr, "No supported signature algorithm for %s and %s\n", + gnutls_pk_get_name(pk), gnutls_digest_get_name(hash)); + app_exit(1); + } + + fprintf(stderr, "Signing using %s... ", gnutls_sign_get_name(sig_algo)); + + ret = gnutls_privkey_sign_data2(privkey, sig_algo, 0, &data, &sig); if (ret < 0) { fprintf(stderr, "Cannot sign data: %s\n", gnutls_strerror(ret)); + /* in case of unsupported signature algorithm allow + * calling apps to distinguish error codes (used + * by testpkcs11.sh */ + if (ret == GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM) + app_exit(2); app_exit(1); } - pk = gnutls_pubkey_get_pk_algorithm(pubkey, NULL); + fprintf(stderr, "ok\n"); fprintf(stderr, "Verifying against private key parameters... "); - ret = gnutls_pubkey_verify_data2(pubkey, gnutls_pk_to_sign(pk, GNUTLS_DIG_SHA256), - 0, &data, &sig); + ret = gnutls_pubkey_verify_data2(pubkey, sig_algo, + 0, &data, &sig); if (ret < 0) { fprintf(stderr, "Cannot verify signed data: %s\n", gnutls_strerror(ret)); @@ -337,8 +363,8 @@ pkcs11_test_sign(FILE * outfile, const char *url, unsigned int flags, } fprintf(stderr, "Verifying against public key in the token... "); - ret = gnutls_pubkey_verify_data2(pubkey, gnutls_pk_to_sign(pk, GNUTLS_DIG_SHA256), - 0, &data, &sig); + ret = gnutls_pubkey_verify_data2(pubkey, sig_algo, + 0, &data, &sig); if (ret < 0) { fprintf(stderr, "Cannot verify signed data: %s\n", gnutls_strerror(ret)); |