search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Corrected initialization of key when generating request. Reported by Petr Pisar.
[gnutls.git] / lib / gnutls_pubkey.c
blob49688f7975a11011b95ef2fcc67dbe3c1ff2b6a9
1 /*
2 * GnuTLS PKCS#11 support
3 * Copyright (C) 2010 Free Software Foundation
4 *
5 * Author: Nikos Mavrogiannopoulos
6 *
7 * This library is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Library General Public
9 * License as published by the Free Software Foundation; either
10 * version 2 of the License, or (at your option) any later version.
11 *
12 * This library is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Library General Public License for more details.
16 *
17 * You should have received a copy of the GNU Library General Public
18 * License along with this library; if not, write to the Free
19 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
20 * MA 02111-1307, USA
21 */
22
23 #include <gnutls_int.h>
24 #include <pakchois/pakchois.h>
25 #include <gnutls/pkcs11.h>
26 #include <stdio.h>
27 #include <string.h>
28 #include <gnutls_errors.h>
29 #include <gnutls_datum.h>
30 #include <pkcs11_int.h>
31 #include <gnutls/abstract.h>
32 #include <gnutls_pk.h>
33 #include <x509_int.h>
34 #include <openpgp/openpgp_int.h>
35 #include <pkcs11_int.h>
36 #include <gnutls_num.h>
37 #include <x509/common.h>
38 #include <x509_b64.h>
39 #include <abstract_int.h>
40
41 #define PK_PEM_HEADER "PUBLIC KEY"
42
43
44 struct gnutls_pubkey_st
45 {
46 gnutls_pk_algorithm_t pk_algorithm;
47 unsigned int bits; /* an indication of the security parameter */
48
49 /* the size of params depends on the public
50 * key algorithm
51 * RSA: [0] is modulus
52 * [1] is public exponent
53 * DSA: [0] is p
54 * [1] is q
55 * [2] is g
56 * [3] is public key
57 */
58 bigint_t params[MAX_PUBLIC_PARAMS_SIZE];
59 int params_size; /* holds the size of MPI params */
60
61 unsigned int key_usage; /* bits from GNUTLS_KEY_* */
62 };
63
64 static int pubkey_to_bits(gnutls_pk_algorithm_t pk, bigint_t* params, int params_size)
65 {
66 switch(pk)
67 {
68 case GNUTLS_PK_RSA:
69 return _gnutls_mpi_get_nbits(params[0]);
70 case GNUTLS_PK_DSA:
71 if (params_size < 3) return 0;
72 return _gnutls_mpi_get_nbits(params[3]);
73 default:
74 return 0;
75 }
76 }
77
78 /**
79 * gnutls_pubkey_get_pk_algorithm:
80 * @key: should contain a #gnutls_pubkey_t structure
81 * @bits: If set will return the number of bits of the parameters (may be NULL)
82 *
83 * This function will return the public key algorithm of a public
84 * key and if possible will return a number of bits that indicates
85 * the security parameter of the key.
86 *
87 * Returns: a member of the #gnutls_pk_algorithm_t enumeration on
88 * success, or a negative value on error.
89 **/
90 int
91 gnutls_pubkey_get_pk_algorithm (gnutls_pubkey_t key, unsigned int *bits)
92 {
93 if (bits)
94 *bits = key->bits;
95
96 return key->pk_algorithm;
97 }
98
99 /**
100 * gnutls_pubkey_get_key_usage:
101 * @key: should contain a #gnutls_pubkey_t structure
102 * @usage: If set will return the number of bits of the parameters (may be NULL)
103 *
104 * This function will return the key usage of the public key.
105 *
106 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
107 * negative error value.
108 **/
109 int
110 gnutls_pubkey_get_key_usage (gnutls_pubkey_t key, unsigned int *usage)
111 {
112 if (usage)
113 *usage = key->key_usage;
114
115 return 0;
116 }
117
118 /**
119 * gnutls_pubkey_init:
120 * @key: The structure to be initialized
121 *
122 * This function will initialize an public key structure.
123 *
124 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
125 * negative error value.
126 **/
127 int
128 gnutls_pubkey_init (gnutls_pubkey_t * key)
129 {
130 *key = gnutls_calloc (1, sizeof (struct gnutls_pubkey_st));
131 if (*key == NULL)
132 {
133 gnutls_assert ();
134 return GNUTLS_E_MEMORY_ERROR;
135 }
136
137 return 0;
138 }
139
140 /**
141 * gnutls_pubkey_deinit:
142 * @key: The structure to be deinitialized
143 *
144 * This function will deinitialize a public key structure.
145 **/
146 void
147 gnutls_pubkey_deinit (gnutls_pubkey_t key)
148 {
149 int i;
150
151 for (i = 0; i < key->params_size; i++)
152 {
153 _gnutls_mpi_release (&key->params[i]);
154 }
155
156 gnutls_free (key);
157 }
158
159 /**
160 * gnutls_pubkey_import_x509:
161 * @key: The public key
162 * @crt: The certificate to be imported
163 * @flags: should be zero
164 *
165 * This function will import the given public key to the abstract
166 * #gnutls_pubkey_t structure.
167 *
168 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
169 * negative error value.
170 **/
171 int
172 gnutls_pubkey_import_x509 (gnutls_pubkey_t key, gnutls_x509_crt_t crt,
173 unsigned int flags)
174 {
175 int ret;
176
177 key->pk_algorithm = gnutls_x509_crt_get_pk_algorithm (crt, &key->bits);
178
179 ret = gnutls_x509_crt_get_key_usage (crt, &key->key_usage, NULL);
180 if (ret < 0)
181 key->key_usage = 0;
182
183 key->params_size = sizeof (key->params) / sizeof (key->params[0]);
184 switch (key->pk_algorithm)
185 {
186 case GNUTLS_PK_RSA:
187 ret = _gnutls_x509_crt_get_mpis (crt, key->params, &key->params_size);
188 if (ret < 0)
189 {
190 gnutls_assert ();
191 return ret;
192 }
193 break;
194 case GNUTLS_PK_DSA:
195 ret = _gnutls_x509_crt_get_mpis (crt, key->params, &key->params_size);
196 if (ret < 0)
197 {
198 gnutls_assert ();
199 return ret;
200 }
201
202 break;
203 default:
204 gnutls_assert ();
205 return GNUTLS_E_INVALID_REQUEST;
206 }
207
208 return 0;
209 }
210
211 /**
212 * gnutls_pubkey_import_privkey: Imports the public key from a private
213 * @key: The public key
214 * @pkey: The private key
215 * @usage: GNUTLS_KEY_* key usage flags.
216 * @flags: should be zero
217 *
218 * This function will import the given public key to the abstract
219 * #gnutls_pubkey_t structure.
220 *
221 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
222 * negative error value.
223 *
224 * Since: 2.12.0
225 **/
226 int
227 gnutls_pubkey_import_privkey (gnutls_pubkey_t key, gnutls_privkey_t pkey,
228 unsigned int usage, unsigned int flags)
229 {
230 key->pk_algorithm = gnutls_privkey_get_pk_algorithm (pkey, &key->bits);
231
232 key->key_usage = usage;
233
234 key->params_size = sizeof (key->params) / sizeof (key->params[0]);
235
236 return _gnutls_privkey_get_public_mpis (pkey, key->params,
237 &key->params_size);
238 }
239
240 /**
241 * gnutls_pubkey_get_preferred_hash_algorithm:
242 * @key: Holds the certificate
243 * @hash: The result of the call with the hash algorithm used for signature
244 * @mand: If non zero it means that the algorithm MUST use this hash. May be NULL.
245 *
246 * This function will read the certifcate and return the appropriate digest
247 * algorithm to use for signing with this certificate. Some certificates (i.e.
248 * DSA might not be able to sign without the preferred algorithm).
249 *
250 * Returns: the 0 if the hash algorithm is found. A negative value is
251 * returned on error.
252 *
253 * Since: 2.11.0
254 **/
255 int
256 gnutls_pubkey_get_preferred_hash_algorithm (gnutls_pubkey_t key,
257 gnutls_digest_algorithm_t *
258 hash, unsigned int *mand)
259 {
260 int ret;
261
262 if (key == NULL)
263 {
264 gnutls_assert ();
265 return GNUTLS_E_INVALID_REQUEST;
266 }
267
268 ret = _gnutls_pk_get_hash_algorithm (key->pk_algorithm,
269 key->params, key->params_size,
270 hash, mand);
271
272 return ret;
273 }
274
275
276 /**
277 * gnutls_pubkey_import_pkcs11: Imports a public key from a pkcs11 key
278 * @key: The public key
279 * @obj: The parameters to be imported
280 * @flags: should be zero
281 *
282 * This function will import the given public key to the abstract
283 * #gnutls_pubkey_t structure.
284 *
285 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
286 * negative error value.
287 **/
288 int
289 gnutls_pubkey_import_pkcs11 (gnutls_pubkey_t key,
290 gnutls_pkcs11_obj_t obj, unsigned int flags)
291 {
292 int ret;
293
294 ret = gnutls_pkcs11_obj_get_type (obj);
295 if (ret != GNUTLS_PKCS11_OBJ_PUBKEY)
296 {
297 gnutls_assert ();
298 return GNUTLS_E_INVALID_REQUEST;
299 }
300
301 key->key_usage = obj->key_usage;
302
303 switch (obj->pk_algorithm)
304 {
305 case GNUTLS_PK_RSA:
306 ret = gnutls_pubkey_import_rsa_raw (key, &obj->pubkey[0],
307 &obj->pubkey[1]);
308 break;
309 case GNUTLS_PK_DSA:
310 ret = gnutls_pubkey_import_dsa_raw (key, &obj->pubkey[0],
311 &obj->pubkey[1],
312 &obj->pubkey[2], &obj->pubkey[3]);
313 break;
314 default:
315 gnutls_assert ();
316 return GNUTLS_E_UNIMPLEMENTED_FEATURE;
317 }
318
319 if (ret < 0)
320 {
321 gnutls_assert ();
322 return ret;
323 }
324
325 return 0;
326 }
327
328 #ifdef ENABLE_OPENPGP
329 /**
330 * gnutls_pubkey_import_openpgp: Imports a public key from an openpgp key
331 * @key: The public key
332 * @crt: The certificate to be imported
333 * @flags: should be zero
334 *
335 * This function will import the given public key to the abstract
336 * #gnutls_pubkey_t structure. The subkey set as preferred will be
337 * imported or the master key otherwise.
338 *
339 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
340 * negative error value.
341 **/
342 int
343 gnutls_pubkey_import_openpgp (gnutls_pubkey_t key,
344 gnutls_openpgp_crt_t crt,
345 unsigned int flags)
346 {
347 int ret, idx;
348 uint32_t kid32[2];
349 uint32_t *k;
350 uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
351
352 ret = gnutls_openpgp_crt_get_preferred_key_id (crt, keyid);
353 if (ret == GNUTLS_E_OPENPGP_PREFERRED_KEY_ERROR)
354 {
355 key->pk_algorithm = gnutls_openpgp_crt_get_pk_algorithm (crt, &key->bits);
356
357 ret = gnutls_openpgp_crt_get_key_usage (crt, &key->key_usage);
358 if (ret < 0)
359 key->key_usage = 0;
360
361 k = NULL;
362 }
363 else
364 {
365 if (ret < 0)
366 {
367 gnutls_assert ();
368 return ret;
369 }
370
371 KEYID_IMPORT (kid32, keyid);
372 k = kid32;
373
374 idx = gnutls_openpgp_crt_get_subkey_idx (crt, keyid);
375
376 ret = gnutls_openpgp_crt_get_subkey_usage (crt, idx, &key->key_usage);
377 if (ret < 0)
378 key->key_usage = 0;
379
380 key->pk_algorithm = gnutls_openpgp_crt_get_subkey_pk_algorithm (crt, idx, NULL);
381 }
382
383 switch (key->pk_algorithm)
384 {
385 case GNUTLS_PK_RSA:
386 ret =
387 _gnutls_openpgp_crt_get_mpis (crt, k, key->params,
388 &key->params_size);
389 if (ret < 0)
390 {
391 gnutls_assert ();
392 return ret;
393 }
394 break;
395 case GNUTLS_PK_DSA:
396 ret =
397 _gnutls_openpgp_crt_get_mpis (crt, k, key->params,
398 &key->params_size);
399 if (ret < 0)
400 {
401 gnutls_assert ();
402 return ret;
403 }
404 break;
405 default:
406 gnutls_assert ();
407 return GNUTLS_E_INVALID_REQUEST;
408 }
409
410 return 0;
411 }
412
413 #endif
414
415 /**
416 * gnutls_pubkey_export:
417 * @key: Holds the certificate
418 * @format: the format of output params. One of PEM or DER.
419 * @output_data: will contain a certificate PEM or DER encoded
420 * @output_data_size: holds the size of output_data (and will be
421 * replaced by the actual size of parameters)
422 *
423 * This function will export the certificate to DER or PEM format.
424 *
425 * If the buffer provided is not long enough to hold the output, then
426 * *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
427 * be returned.
428 *
429 * If the structure is PEM encoded, it will have a header
430 * of "BEGIN CERTIFICATE".
431 *
432 * Return value: In case of failure a negative value will be
433 * returned, and 0 on success.
434 **/
435 int
436 gnutls_pubkey_export (gnutls_pubkey_t key,
437 gnutls_x509_crt_fmt_t format, void *output_data,
438 size_t * output_data_size)
439 {
440 int result;
441 ASN1_TYPE spk = ASN1_TYPE_EMPTY;
442
443 if (key == NULL)
444 {
445 gnutls_assert ();
446 return GNUTLS_E_INVALID_REQUEST;
447 }
448
449 if ((result = asn1_create_element
450 (_gnutls_get_pkix (), "PKIX1.SubjectPublicKeyInfo", &spk))
451 != ASN1_SUCCESS)
452 {
453 gnutls_assert ();
454 return _gnutls_asn2err (result);
455 }
456
457 result =
458 _gnutls_x509_encode_and_copy_PKI_params (spk, "",
459 key->pk_algorithm,
460 key->params, key->params_size);
461 if (result < 0)
462 {
463 gnutls_assert ();
464 goto cleanup;
465 }
466
467 result = _gnutls_x509_export_int_named (spk, "",
468 format, PK_PEM_HEADER,
469 output_data, output_data_size);
470 if (result < 0)
471 {
472 gnutls_assert ();
473 goto cleanup;
474 }
475
476 result = 0;
477
478 cleanup:
479 asn1_delete_structure (&spk);
480
481 return result;
482
483 }
484
485 /**
486 * gnutls_pubkey_get_key_id:
487 * @key: Holds the public key
488 * @flags: should be 0 for now
489 * @output_data: will contain the key ID
490 * @output_data_size: holds the size of output_data (and will be
491 * replaced by the actual size of parameters)
492 *
493 * This function will return a unique ID the depends on the public
494 * key parameters. This ID can be used in checking whether a
495 * certificate corresponds to the given public key.
496 *
497 * If the buffer provided is not long enough to hold the output, then
498 * *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
499 * be returned. The output will normally be a SHA-1 hash output,
500 * which is 20 bytes.
501 *
502 * Return value: In case of failure a negative value will be
503 * returned, and 0 on success.
504 **/
505 int
506 gnutls_pubkey_get_key_id (gnutls_pubkey_t key, unsigned int flags,
507 unsigned char *output_data,
508 size_t * output_data_size)
509 {
510 int ret = 0;
511
512 if (key == NULL)
513 {
514 gnutls_assert ();
515 return GNUTLS_E_INVALID_REQUEST;
516 }
517
518 ret =
519 _gnutls_get_key_id (key->pk_algorithm, key->params,
520 key->params_size, output_data, output_data_size);
521 if (ret < 0)
522 {
523 gnutls_assert ();
524 return ret;
525 }
526
527 return 0;
528 }
529
530 /**
531 * gnutls_pubkey_get_pk_rsa_raw:
532 * @key: Holds the certificate
533 * @m: will hold the modulus
534 * @e: will hold the public exponent
535 *
536 * This function will export the RSA public key's parameters found in
537 * the given structure. The new parameters will be allocated using
538 * gnutls_malloc() and will be stored in the appropriate datum.
539 *
540 * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
541 **/
542 int
543 gnutls_pubkey_get_pk_rsa_raw (gnutls_pubkey_t key,
544 gnutls_datum_t * m, gnutls_datum_t * e)
545 {
546 int ret;
547
548 if (key == NULL)
549 {
550 gnutls_assert ();
551 return GNUTLS_E_INVALID_REQUEST;
552 }
553
554 if (key->pk_algorithm != GNUTLS_PK_RSA)
555 {
556 gnutls_assert ();
557 return GNUTLS_E_INVALID_REQUEST;
558 }
559
560 ret = _gnutls_mpi_dprint_lz (key->params[0], m);
561 if (ret < 0)
562 {
563 gnutls_assert ();
564 return ret;
565 }
566
567 ret = _gnutls_mpi_dprint_lz (key->params[1], e);
568 if (ret < 0)
569 {
570 gnutls_assert ();
571 _gnutls_free_datum (m);
572 return ret;
573 }
574
575 return 0;
576 }
577
578 /**
579 * gnutls_pubkey_get_pk_dsa_raw:
580 * @key: Holds the public key
581 * @p: will hold the p
582 * @q: will hold the q
583 * @g: will hold the g
584 * @y: will hold the y
585 *
586 * This function will export the DSA public key's parameters found in
587 * the given certificate. The new parameters will be allocated using
588 * gnutls_malloc() and will be stored in the appropriate datum.
589 *
590 * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
591 **/
592 int
593 gnutls_pubkey_get_pk_dsa_raw (gnutls_pubkey_t key,
594 gnutls_datum_t * p, gnutls_datum_t * q,
595 gnutls_datum_t * g, gnutls_datum_t * y)
596 {
597 int ret;
598
599 if (key == NULL)
600 {
601 gnutls_assert ();
602 return GNUTLS_E_INVALID_REQUEST;
603 }
604
605 if (key->pk_algorithm != GNUTLS_PK_DSA)
606 {
607 gnutls_assert ();
608 return GNUTLS_E_INVALID_REQUEST;
609 }
610
611 /* P */
612 ret = _gnutls_mpi_dprint_lz (key->params[0], p);
613 if (ret < 0)
614 {
615 gnutls_assert ();
616 return ret;
617 }
618
619 /* Q */
620 ret = _gnutls_mpi_dprint_lz (key->params[1], q);
621 if (ret < 0)
622 {
623 gnutls_assert ();
624 _gnutls_free_datum (p);
625 return ret;
626 }
627
628
629 /* G */
630 ret = _gnutls_mpi_dprint_lz (key->params[2], g);
631 if (ret < 0)
632 {
633 gnutls_assert ();
634 _gnutls_free_datum (p);
635 _gnutls_free_datum (q);
636 return ret;
637 }
638
639
640 /* Y */
641 ret = _gnutls_mpi_dprint_lz (key->params[3], y);
642 if (ret < 0)
643 {
644 gnutls_assert ();
645 _gnutls_free_datum (p);
646 _gnutls_free_datum (g);
647 _gnutls_free_datum (q);
648 return ret;
649 }
650
651 return 0;
652 }
653
654 /**
655 * gnutls_pubkey_import:
656 * @key: The structure to store the parsed public key.
657 * @data: The DER or PEM encoded certificate.
658 * @format: One of DER or PEM
659 *
660 * This function will convert the given DER or PEM encoded Public key
661 * to the native gnutls_pubkey_t format.The output will be stored * in @ key.
662 * If the Certificate is PEM encoded it should have a header of "PUBLIC KEY".
663 *
664 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
665 * negative error value.
666 **/
667 int
668 gnutls_pubkey_import (gnutls_pubkey_t key,
669 const gnutls_datum_t * data,
670 gnutls_x509_crt_fmt_t format)
671 {
672 int result = 0, need_free = 0;
673 gnutls_datum_t _data;
674 ASN1_TYPE spk;
675
676 if (key == NULL)
677 {
678 gnutls_assert ();
679 return GNUTLS_E_INVALID_REQUEST;
680 }
681
682 _data.data = data->data;
683 _data.size = data->size;
684
685 /* If the Certificate is in PEM format then decode it
686 */
687 if (format == GNUTLS_X509_FMT_PEM)
688 {
689 opaque *out;
690
691 /* Try the first header */
692 result =
693 _gnutls_fbase64_decode (PK_PEM_HEADER, data->data, data->size, &out);
694
695 if (result <= 0)
696 {
697 if (result == 0)
698 result = GNUTLS_E_INTERNAL_ERROR;
699 gnutls_assert ();
700 return result;
701 }
702
703 _data.data = out;
704 _data.size = result;
705
706 need_free = 1;
707 }
708
709 if ((result = asn1_create_element
710 (_gnutls_get_pkix (), "PKIX1.SubjectPublicKeyInfo", &spk))
711 != ASN1_SUCCESS)
712 {
713 gnutls_assert ();
714 result = _gnutls_asn2err (result);
715 goto cleanup;
716 }
717
718 result = asn1_der_decoding (&spk, _data.data, _data.size, NULL);
719 if (result != ASN1_SUCCESS)
720 {
721 gnutls_assert ();
722 result = _gnutls_asn2err (result);
723 goto cleanup;
724 }
725
726 key->params_size = sizeof (key->params) / sizeof (key->params[0]);
727 result = _gnutls_get_asn_mpis (spk, "", key->params, &key->params_size);
728 if (result < 0)
729 {
730 gnutls_assert ();
731 goto cleanup;
732 }
733
734 /* this has already been called by get_asn_mpis() thus it cannot
735 * fail.
736 */
737 key->pk_algorithm = _gnutls_x509_get_pk_algorithm (spk, "", NULL);
738 key->bits = pubkey_to_bits(key->pk_algorithm, key->params, key->params_size);
739
740 result = 0;
741
742 cleanup:
743 asn1_delete_structure (&spk);
744
745 if (need_free)
746 _gnutls_free_datum (&_data);
747 return result;
748 }
749
750 /**
751 * gnutls_x509_crt_set_pubkey:
752 * @crt: should contain a #gnutls_x509_crt_t structure
753 * @key: holds a public key
754 *
755 * This function will set the public parameters from the given public
756 * key to the request.
757 *
758 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
759 * negative error value.
760 **/
761 int
762 gnutls_x509_crt_set_pubkey (gnutls_x509_crt_t crt, gnutls_pubkey_t key)
763 {
764 int result;
765
766 if (crt == NULL)
767 {
768 gnutls_assert ();
769 return GNUTLS_E_INVALID_REQUEST;
770 }
771
772 result = _gnutls_x509_encode_and_copy_PKI_params (crt->cert,
773 "tbsCertificate.subjectPublicKeyInfo",
774 key->pk_algorithm,
775 key->params,
776 key->params_size);
777
778 if (result < 0)
779 {
780 gnutls_assert ();
781 return result;
782 }
783
784 if (key->key_usage)
785 gnutls_x509_crt_set_key_usage (crt, key->key_usage);
786
787 return 0;
788 }
789
790 /**
791 * gnutls_x509_crq_set_pubkey:
792 * @crq: should contain a #gnutls_x509_crq_t structure
793 * @key: holds a public key
794 *
795 * This function will set the public parameters from the given public
796 * key to the request.
797 *
798 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
799 * negative error value.
800 **/
801 int
802 gnutls_x509_crq_set_pubkey (gnutls_x509_crq_t crq, gnutls_pubkey_t key)
803 {
804 int result;
805
806 if (crq == NULL)
807 {
808 gnutls_assert ();
809 return GNUTLS_E_INVALID_REQUEST;
810 }
811
812 result = _gnutls_x509_encode_and_copy_PKI_params
813 (crq->crq,
814 "certificationRequestInfo.subjectPKInfo",
815 key->pk_algorithm, key->params, key->params_size);
816
817 if (result < 0)
818 {
819 gnutls_assert ();
820 return result;
821 }
822
823 if (key->key_usage)
824 gnutls_x509_crq_set_key_usage (crq, key->key_usage);
825
826 return 0;
827 }
828
829 /**
830 * gnutls_pubkey_set_key_usage:
831 * @key: a certificate of type #gnutls_x509_crt_t
832 * @usage: an ORed sequence of the GNUTLS_KEY_* elements.
833 *
834 * This function will set the key usage flags of the public key. This
835 * is only useful if the key is to be exported to a certificate or
836 * certificate request.
837 *
838 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
839 * negative error value.
840 **/
841 int
842 gnutls_pubkey_set_key_usage (gnutls_pubkey_t key, unsigned int usage)
843 {
844 key->key_usage = usage;
845
846 return 0;
847 }
848
849 /**
850 * gnutls_pubkey_import_pkcs11_url:
851 * @key: A key of type #gnutls_pubkey_t
852 * @url: A PKCS 11 url
853 * @flags: One of GNUTLS_PKCS11_OBJ_* flags
854 *
855 * This function will import a PKCS 11 certificate to a #gnutls_pubkey_t
856 * structure.
857 *
858 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
859 * negative error value.
860 **/
861
862 int
863 gnutls_pubkey_import_pkcs11_url (gnutls_pubkey_t key, const char *url,
864 unsigned int flags)
865 {
866 gnutls_pkcs11_obj_t pcrt;
867 int ret;
868
869 ret = gnutls_pkcs11_obj_init (&pcrt);
870 if (ret < 0)
871 {
872 gnutls_assert ();
873 return ret;
874 }
875
876 ret = gnutls_pkcs11_obj_import_url (pcrt, url, flags);
877 if (ret < 0)
878 {
879 gnutls_assert ();
880 goto cleanup;
881 }
882
883 ret = gnutls_pubkey_import_pkcs11 (key, pcrt, 0);
884 if (ret < 0)
885 {
886 gnutls_assert ();
887 goto cleanup;
888 }
889
890 ret = 0;
891 cleanup:
892
893 gnutls_pkcs11_obj_deinit (pcrt);
894
895 return ret;
896 }
897
898 /**
899 * gnutls_pubkey_import_rsa_raw:
900 * @key: Is a structure will hold the parameters
901 * @m: holds the modulus
902 * @e: holds the public exponent
903 *
904 * This function will replace the parameters in the given structure.
905 * The new parameters should be stored in the appropriate
906 * gnutls_datum.
907 *
908 * Returns: %GNUTLS_E_SUCCESS on success, or an negative error code.
909 **/
910 int
911 gnutls_pubkey_import_rsa_raw (gnutls_pubkey_t key,
912 const gnutls_datum_t * m,
913 const gnutls_datum_t * e)
914 {
915 size_t siz = 0;
916
917 if (key == NULL)
918 {
919 gnutls_assert ();
920 return GNUTLS_E_INVALID_REQUEST;
921 }
922
923 siz = m->size;
924 if (_gnutls_mpi_scan_nz (&key->params[0], m->data, siz))
925 {
926 gnutls_assert ();
927 return GNUTLS_E_MPI_SCAN_FAILED;
928 }
929
930 siz = e->size;
931 if (_gnutls_mpi_scan_nz (&key->params[1], e->data, siz))
932 {
933 gnutls_assert ();
934 _gnutls_mpi_release (&key->params[0]);
935 return GNUTLS_E_MPI_SCAN_FAILED;
936 }
937
938 key->params_size = RSA_PUBLIC_PARAMS;
939 key->pk_algorithm = GNUTLS_PK_RSA;
940 key->bits = pubkey_to_bits(GNUTLS_PK_RSA, key->params, key->params_size);
941
942 return 0;
943 }
944
945 /**
946 * gnutls_pubkey_import_dsa_raw:
947 * @key: The structure to store the parsed key
948 * @p: holds the p
949 * @q: holds the q
950 * @g: holds the g
951 * @y: holds the y
952 *
953 * This function will convert the given DSA raw parameters to the
954 * native #gnutls_pubkey_t format. The output will be stored
955 * in @key.
956 *
957 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
958 * negative error value.
959 **/
960 int
961 gnutls_pubkey_import_dsa_raw (gnutls_pubkey_t key,
962 const gnutls_datum_t * p,
963 const gnutls_datum_t * q,
964 const gnutls_datum_t * g,
965 const gnutls_datum_t * y)
966 {
967 size_t siz = 0;
968
969 if (key == NULL)
970 {
971 gnutls_assert ();
972 return GNUTLS_E_INVALID_REQUEST;
973 }
974
975 siz = p->size;
976 if (_gnutls_mpi_scan_nz (&key->params[0], p->data, siz))
977 {
978 gnutls_assert ();
979 return GNUTLS_E_MPI_SCAN_FAILED;
980 }
981
982 siz = q->size;
983 if (_gnutls_mpi_scan_nz (&key->params[1], q->data, siz))
984 {
985 gnutls_assert ();
986 _gnutls_mpi_release (&key->params[0]);
987 return GNUTLS_E_MPI_SCAN_FAILED;
988 }
989
990 siz = g->size;
991 if (_gnutls_mpi_scan_nz (&key->params[2], g->data, siz))
992 {
993 gnutls_assert ();
994 _gnutls_mpi_release (&key->params[1]);
995 _gnutls_mpi_release (&key->params[0]);
996 return GNUTLS_E_MPI_SCAN_FAILED;
997 }
998
999 siz = y->size;
1000 if (_gnutls_mpi_scan_nz (&key->params[3], y->data, siz))
1001 {
1002 gnutls_assert ();
1003 _gnutls_mpi_release (&key->params[2]);
1004 _gnutls_mpi_release (&key->params[1]);
1005 _gnutls_mpi_release (&key->params[0]);
1006 return GNUTLS_E_MPI_SCAN_FAILED;
1007 }
1008
1009 key->params_size = DSA_PUBLIC_PARAMS;
1010 key->pk_algorithm = GNUTLS_PK_DSA;
1011 key->bits = pubkey_to_bits(GNUTLS_PK_DSA, key->params, key->params_size);
1012
1013 return 0;
1014
1015 }
1016
1017 /**
1018 * gnutls_pubkey_verify_data:
1019 * @pubkey: Holds the public key
1020 * @flags: should be 0 for now
1021 * @data: holds the data to be signed
1022 * @signature: contains the signature
1023 *
1024 * This function will verify the given signed data, using the
1025 * parameters from the certificate.
1026 *
1027 * Returns: In case of a verification failure
1028 * %GNUTLS_E_PK_SIG_VERIFY_FAILED is returned, and a positive code
1029 * on success.
1030 *
1031 * Since: 2.12.0
1032 **/
1033 int
1034 gnutls_pubkey_verify_data (gnutls_pubkey_t pubkey, unsigned int flags,
1035 const gnutls_datum_t * data,
1036 const gnutls_datum_t * signature)
1037 {
1038 int ret;
1039
1040 if (pubkey == NULL)
1041 {
1042 gnutls_assert ();
1043 return GNUTLS_E_INVALID_REQUEST;
1044 }
1045
1046 ret = pubkey_verify_sig( data, NULL, signature, pubkey->pk_algorithm,
1047 pubkey->params, pubkey->params_size);
1048 if (ret < 0)
1049 {
1050 gnutls_assert();
1051 }
1052
1053 return ret;
1054 }
1055
1056
1057 /**
1058 * gnutls_pubkey_verify_hash:
1059 * @key: Holds the certificate
1060 * @flags: should be 0 for now
1061 * @hash: holds the hash digest to be verified
1062 * @signature: contains the signature
1063 *
1064 * This function will verify the given signed digest, using the
1065 * parameters from the certificate.
1066 *
1067 * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED
1068 * is returned, and a positive code on success.
1069 **/
1070 int
1071 gnutls_pubkey_verify_hash (gnutls_pubkey_t key, unsigned int flags,
1072 const gnutls_datum_t * hash,
1073 const gnutls_datum_t * signature)
1074 {
1075 int ret;
1076
1077 if (key == NULL)
1078 {
1079 gnutls_assert ();
1080 return GNUTLS_E_INVALID_REQUEST;
1081 }
1082
1083 ret =
1084 pubkey_verify_sig (NULL, hash, signature, key->pk_algorithm,
1085 key->params, key->params_size);
1086
1087 return ret;
1088 }
1089
1090 /**
1091 * gnutls_pubkey_get_verify_algorithm:
1092 * @key: Holds the certificate
1093 * @signature: contains the signature
1094 * @hash: The result of the call with the hash algorithm used for signature
1095 *
1096 * This function will read the certifcate and the signed data to
1097 * determine the hash algorithm used to generate the signature.
1098 *
1099 * Returns: the 0 if the hash algorithm is found. A negative value is
1100 * returned on error.
1101 **/
1102 int
1103 gnutls_pubkey_get_verify_algorithm (gnutls_pubkey_t key,
1104 const gnutls_datum_t * signature,
1105 gnutls_digest_algorithm_t * hash)
1106 {
1107 if (key == NULL)
1108 {
1109 gnutls_assert ();
1110 return GNUTLS_E_INVALID_REQUEST;
1111 }
1112
1113 return _gnutls_x509_verify_algorithm ((gnutls_mac_algorithm_t *)
1114 hash, signature,
1115 key->pk_algorithm,
1116 key->params, key->params_size);
1117
1118 }
Implementation of the SSL/TLS protocol