search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Corrected SRP-RSA ciphersuites when used under TLS 1.2.
[gnutls.git] / lib / gnutls_pubkey.c
blobdc4f545482aa1f7eb017841a5cd571649a992e62
1 /*
2 * GnuTLS PKCS#11 support
3 * Copyright (C) 2010 Free Software Foundation
4 *
5 * Author: Nikos Mavrogiannopoulos
6 *
7 * This library is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Library General Public
9 * License as published by the Free Software Foundation; either
10 * version 2 of the License, or (at your option) any later version.
11 *
12 * This library is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Library General Public License for more details.
16 *
17 * You should have received a copy of the GNU Library General Public
18 * License along with this library; if not, write to the Free
19 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
20 * MA 02111-1307, USA
21 */
22
23 #include <gnutls_int.h>
24 #include <gnutls/pkcs11.h>
25 #include <stdio.h>
26 #include <string.h>
27 #include <gnutls_errors.h>
28 #include <gnutls_datum.h>
29 #include <pkcs11_int.h>
30 #include <gnutls/abstract.h>
31 #include <gnutls_pk.h>
32 #include <x509_int.h>
33 #include <openpgp/openpgp_int.h>
34 #include <gnutls_num.h>
35 #include <x509/common.h>
36 #include <x509_b64.h>
37 #include <abstract_int.h>
38
39 #define PK_PEM_HEADER "PUBLIC KEY"
40
41
42 struct gnutls_pubkey_st
43 {
44 gnutls_pk_algorithm_t pk_algorithm;
45 unsigned int bits; /* an indication of the security parameter */
46
47 /* the size of params depends on the public
48 * key algorithm
49 * RSA: [0] is modulus
50 * [1] is public exponent
51 * DSA: [0] is p
52 * [1] is q
53 * [2] is g
54 * [3] is public key
55 */
56 bigint_t params[MAX_PUBLIC_PARAMS_SIZE];
57 int params_size; /* holds the size of MPI params */
58
59 unsigned int key_usage; /* bits from GNUTLS_KEY_* */
60 };
61
62 static int pubkey_to_bits(gnutls_pk_algorithm_t pk, bigint_t* params, int params_size)
63 {
64 switch(pk)
65 {
66 case GNUTLS_PK_RSA:
67 return _gnutls_mpi_get_nbits(params[0]);
68 case GNUTLS_PK_DSA:
69 if (params_size < 3) return 0;
70 return _gnutls_mpi_get_nbits(params[3]);
71 default:
72 return 0;
73 }
74 }
75
76 /**
77 * gnutls_pubkey_get_pk_algorithm:
78 * @key: should contain a #gnutls_pubkey_t structure
79 * @bits: If set will return the number of bits of the parameters (may be NULL)
80 *
81 * This function will return the public key algorithm of a public
82 * key and if possible will return a number of bits that indicates
83 * the security parameter of the key.
84 *
85 * Returns: a member of the #gnutls_pk_algorithm_t enumeration on
86 * success, or a negative value on error.
87 **/
88 int
89 gnutls_pubkey_get_pk_algorithm (gnutls_pubkey_t key, unsigned int *bits)
90 {
91 if (bits)
92 *bits = key->bits;
93
94 return key->pk_algorithm;
95 }
96
97 /**
98 * gnutls_pubkey_get_key_usage:
99 * @key: should contain a #gnutls_pubkey_t structure
100 * @usage: If set will return the number of bits of the parameters (may be NULL)
101 *
102 * This function will return the key usage of the public key.
103 *
104 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
105 * negative error value.
106 **/
107 int
108 gnutls_pubkey_get_key_usage (gnutls_pubkey_t key, unsigned int *usage)
109 {
110 if (usage)
111 *usage = key->key_usage;
112
113 return 0;
114 }
115
116 /**
117 * gnutls_pubkey_init:
118 * @key: The structure to be initialized
119 *
120 * This function will initialize an public key structure.
121 *
122 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
123 * negative error value.
124 **/
125 int
126 gnutls_pubkey_init (gnutls_pubkey_t * key)
127 {
128 *key = gnutls_calloc (1, sizeof (struct gnutls_pubkey_st));
129 if (*key == NULL)
130 {
131 gnutls_assert ();
132 return GNUTLS_E_MEMORY_ERROR;
133 }
134
135 return 0;
136 }
137
138 /**
139 * gnutls_pubkey_deinit:
140 * @key: The structure to be deinitialized
141 *
142 * This function will deinitialize a public key structure.
143 **/
144 void
145 gnutls_pubkey_deinit (gnutls_pubkey_t key)
146 {
147 int i;
148
149 for (i = 0; i < key->params_size; i++)
150 {
151 _gnutls_mpi_release (&key->params[i]);
152 }
153
154 gnutls_free (key);
155 }
156
157 /**
158 * gnutls_pubkey_import_x509:
159 * @key: The public key
160 * @crt: The certificate to be imported
161 * @flags: should be zero
162 *
163 * This function will import the given public key to the abstract
164 * #gnutls_pubkey_t structure.
165 *
166 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
167 * negative error value.
168 **/
169 int
170 gnutls_pubkey_import_x509 (gnutls_pubkey_t key, gnutls_x509_crt_t crt,
171 unsigned int flags)
172 {
173 int ret;
174
175 key->pk_algorithm = gnutls_x509_crt_get_pk_algorithm (crt, &key->bits);
176
177 ret = gnutls_x509_crt_get_key_usage (crt, &key->key_usage, NULL);
178 if (ret < 0)
179 key->key_usage = 0;
180
181 key->params_size = sizeof (key->params) / sizeof (key->params[0]);
182 switch (key->pk_algorithm)
183 {
184 case GNUTLS_PK_RSA:
185 ret = _gnutls_x509_crt_get_mpis (crt, key->params, &key->params_size);
186 if (ret < 0)
187 {
188 gnutls_assert ();
189 return ret;
190 }
191 break;
192 case GNUTLS_PK_DSA:
193 ret = _gnutls_x509_crt_get_mpis (crt, key->params, &key->params_size);
194 if (ret < 0)
195 {
196 gnutls_assert ();
197 return ret;
198 }
199
200 break;
201 default:
202 gnutls_assert ();
203 return GNUTLS_E_INVALID_REQUEST;
204 }
205
206 return 0;
207 }
208
209 /**
210 * gnutls_pubkey_import_privkey: Imports the public key from a private
211 * @key: The public key
212 * @pkey: The private key
213 * @usage: GNUTLS_KEY_* key usage flags.
214 * @flags: should be zero
215 *
216 * This function will import the given public key to the abstract
217 * #gnutls_pubkey_t structure.
218 *
219 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
220 * negative error value.
221 *
222 * Since: 2.12.0
223 **/
224 int
225 gnutls_pubkey_import_privkey (gnutls_pubkey_t key, gnutls_privkey_t pkey,
226 unsigned int usage, unsigned int flags)
227 {
228 key->pk_algorithm = gnutls_privkey_get_pk_algorithm (pkey, &key->bits);
229
230 key->key_usage = usage;
231
232 key->params_size = sizeof (key->params) / sizeof (key->params[0]);
233
234 return _gnutls_privkey_get_public_mpis (pkey, key->params,
235 &key->params_size);
236 }
237
238 /**
239 * gnutls_pubkey_get_preferred_hash_algorithm:
240 * @key: Holds the certificate
241 * @hash: The result of the call with the hash algorithm used for signature
242 * @mand: If non zero it means that the algorithm MUST use this hash. May be NULL.
243 *
244 * This function will read the certifcate and return the appropriate digest
245 * algorithm to use for signing with this certificate. Some certificates (i.e.
246 * DSA might not be able to sign without the preferred algorithm).
247 *
248 * Returns: the 0 if the hash algorithm is found. A negative value is
249 * returned on error.
250 *
251 * Since: 2.11.0
252 **/
253 int
254 gnutls_pubkey_get_preferred_hash_algorithm (gnutls_pubkey_t key,
255 gnutls_digest_algorithm_t *
256 hash, unsigned int *mand)
257 {
258 int ret;
259
260 if (key == NULL)
261 {
262 gnutls_assert ();
263 return GNUTLS_E_INVALID_REQUEST;
264 }
265
266 ret = _gnutls_pk_get_hash_algorithm (key->pk_algorithm,
267 key->params, key->params_size,
268 hash, mand);
269
270 return ret;
271 }
272
273 #ifdef ENABLE_PKCS11
274
275 /**
276 * gnutls_pubkey_import_pkcs11: Imports a public key from a pkcs11 key
277 * @key: The public key
278 * @obj: The parameters to be imported
279 * @flags: should be zero
280 *
281 * This function will import the given public key to the abstract
282 * #gnutls_pubkey_t structure.
283 *
284 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
285 * negative error value.
286 **/
287 int
288 gnutls_pubkey_import_pkcs11 (gnutls_pubkey_t key,
289 gnutls_pkcs11_obj_t obj, unsigned int flags)
290 {
291 int ret;
292
293 ret = gnutls_pkcs11_obj_get_type (obj);
294 if (ret != GNUTLS_PKCS11_OBJ_PUBKEY)
295 {
296 gnutls_assert ();
297 return GNUTLS_E_INVALID_REQUEST;
298 }
299
300 key->key_usage = obj->key_usage;
301
302 switch (obj->pk_algorithm)
303 {
304 case GNUTLS_PK_RSA:
305 ret = gnutls_pubkey_import_rsa_raw (key, &obj->pubkey[0],
306 &obj->pubkey[1]);
307 break;
308 case GNUTLS_PK_DSA:
309 ret = gnutls_pubkey_import_dsa_raw (key, &obj->pubkey[0],
310 &obj->pubkey[1],
311 &obj->pubkey[2], &obj->pubkey[3]);
312 break;
313 default:
314 gnutls_assert ();
315 return GNUTLS_E_UNIMPLEMENTED_FEATURE;
316 }
317
318 if (ret < 0)
319 {
320 gnutls_assert ();
321 return ret;
322 }
323
324 return 0;
325 }
326
327 #endif /* ENABLE_PKCS11 */
328
329 #ifdef ENABLE_OPENPGP
330 /**
331 * gnutls_pubkey_import_openpgp: Imports a public key from an openpgp key
332 * @key: The public key
333 * @crt: The certificate to be imported
334 * @flags: should be zero
335 *
336 * This function will import the given public key to the abstract
337 * #gnutls_pubkey_t structure. The subkey set as preferred will be
338 * imported or the master key otherwise.
339 *
340 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
341 * negative error value.
342 **/
343 int
344 gnutls_pubkey_import_openpgp (gnutls_pubkey_t key,
345 gnutls_openpgp_crt_t crt,
346 unsigned int flags)
347 {
348 int ret, idx;
349 uint32_t kid32[2];
350 uint32_t *k;
351 uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
352
353 ret = gnutls_openpgp_crt_get_preferred_key_id (crt, keyid);
354 if (ret == GNUTLS_E_OPENPGP_PREFERRED_KEY_ERROR)
355 {
356 key->pk_algorithm = gnutls_openpgp_crt_get_pk_algorithm (crt, &key->bits);
357
358 ret = gnutls_openpgp_crt_get_key_usage (crt, &key->key_usage);
359 if (ret < 0)
360 key->key_usage = 0;
361
362 k = NULL;
363 }
364 else
365 {
366 if (ret < 0)
367 {
368 gnutls_assert ();
369 return ret;
370 }
371
372 KEYID_IMPORT (kid32, keyid);
373 k = kid32;
374
375 idx = gnutls_openpgp_crt_get_subkey_idx (crt, keyid);
376
377 ret = gnutls_openpgp_crt_get_subkey_usage (crt, idx, &key->key_usage);
378 if (ret < 0)
379 key->key_usage = 0;
380
381 key->pk_algorithm = gnutls_openpgp_crt_get_subkey_pk_algorithm (crt, idx, NULL);
382 }
383
384 switch (key->pk_algorithm)
385 {
386 case GNUTLS_PK_RSA:
387 ret =
388 _gnutls_openpgp_crt_get_mpis (crt, k, key->params,
389 &key->params_size);
390 if (ret < 0)
391 {
392 gnutls_assert ();
393 return ret;
394 }
395 break;
396 case GNUTLS_PK_DSA:
397 ret =
398 _gnutls_openpgp_crt_get_mpis (crt, k, key->params,
399 &key->params_size);
400 if (ret < 0)
401 {
402 gnutls_assert ();
403 return ret;
404 }
405 break;
406 default:
407 gnutls_assert ();
408 return GNUTLS_E_INVALID_REQUEST;
409 }
410
411 return 0;
412 }
413
414 #endif
415
416 /**
417 * gnutls_pubkey_export:
418 * @key: Holds the certificate
419 * @format: the format of output params. One of PEM or DER.
420 * @output_data: will contain a certificate PEM or DER encoded
421 * @output_data_size: holds the size of output_data (and will be
422 * replaced by the actual size of parameters)
423 *
424 * This function will export the certificate to DER or PEM format.
425 *
426 * If the buffer provided is not long enough to hold the output, then
427 * *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
428 * be returned.
429 *
430 * If the structure is PEM encoded, it will have a header
431 * of "BEGIN CERTIFICATE".
432 *
433 * Return value: In case of failure a negative value will be
434 * returned, and 0 on success.
435 **/
436 int
437 gnutls_pubkey_export (gnutls_pubkey_t key,
438 gnutls_x509_crt_fmt_t format, void *output_data,
439 size_t * output_data_size)
440 {
441 int result;
442 ASN1_TYPE spk = ASN1_TYPE_EMPTY;
443
444 if (key == NULL)
445 {
446 gnutls_assert ();
447 return GNUTLS_E_INVALID_REQUEST;
448 }
449
450 if ((result = asn1_create_element
451 (_gnutls_get_pkix (), "PKIX1.SubjectPublicKeyInfo", &spk))
452 != ASN1_SUCCESS)
453 {
454 gnutls_assert ();
455 return _gnutls_asn2err (result);
456 }
457
458 result =
459 _gnutls_x509_encode_and_copy_PKI_params (spk, "",
460 key->pk_algorithm,
461 key->params, key->params_size);
462 if (result < 0)
463 {
464 gnutls_assert ();
465 goto cleanup;
466 }
467
468 result = _gnutls_x509_export_int_named (spk, "",
469 format, PK_PEM_HEADER,
470 output_data, output_data_size);
471 if (result < 0)
472 {
473 gnutls_assert ();
474 goto cleanup;
475 }
476
477 result = 0;
478
479 cleanup:
480 asn1_delete_structure (&spk);
481
482 return result;
483
484 }
485
486 /**
487 * gnutls_pubkey_get_key_id:
488 * @key: Holds the public key
489 * @flags: should be 0 for now
490 * @output_data: will contain the key ID
491 * @output_data_size: holds the size of output_data (and will be
492 * replaced by the actual size of parameters)
493 *
494 * This function will return a unique ID the depends on the public
495 * key parameters. This ID can be used in checking whether a
496 * certificate corresponds to the given public key.
497 *
498 * If the buffer provided is not long enough to hold the output, then
499 * *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
500 * be returned. The output will normally be a SHA-1 hash output,
501 * which is 20 bytes.
502 *
503 * Return value: In case of failure a negative value will be
504 * returned, and 0 on success.
505 **/
506 int
507 gnutls_pubkey_get_key_id (gnutls_pubkey_t key, unsigned int flags,
508 unsigned char *output_data,
509 size_t * output_data_size)
510 {
511 int ret = 0;
512
513 if (key == NULL)
514 {
515 gnutls_assert ();
516 return GNUTLS_E_INVALID_REQUEST;
517 }
518
519 ret =
520 _gnutls_get_key_id (key->pk_algorithm, key->params,
521 key->params_size, output_data, output_data_size);
522 if (ret < 0)
523 {
524 gnutls_assert ();
525 return ret;
526 }
527
528 return 0;
529 }
530
531 /**
532 * gnutls_pubkey_get_pk_rsa_raw:
533 * @key: Holds the certificate
534 * @m: will hold the modulus
535 * @e: will hold the public exponent
536 *
537 * This function will export the RSA public key's parameters found in
538 * the given structure. The new parameters will be allocated using
539 * gnutls_malloc() and will be stored in the appropriate datum.
540 *
541 * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
542 **/
543 int
544 gnutls_pubkey_get_pk_rsa_raw (gnutls_pubkey_t key,
545 gnutls_datum_t * m, gnutls_datum_t * e)
546 {
547 int ret;
548
549 if (key == NULL)
550 {
551 gnutls_assert ();
552 return GNUTLS_E_INVALID_REQUEST;
553 }
554
555 if (key->pk_algorithm != GNUTLS_PK_RSA)
556 {
557 gnutls_assert ();
558 return GNUTLS_E_INVALID_REQUEST;
559 }
560
561 ret = _gnutls_mpi_dprint_lz (key->params[0], m);
562 if (ret < 0)
563 {
564 gnutls_assert ();
565 return ret;
566 }
567
568 ret = _gnutls_mpi_dprint_lz (key->params[1], e);
569 if (ret < 0)
570 {
571 gnutls_assert ();
572 _gnutls_free_datum (m);
573 return ret;
574 }
575
576 return 0;
577 }
578
579 /**
580 * gnutls_pubkey_get_pk_dsa_raw:
581 * @key: Holds the public key
582 * @p: will hold the p
583 * @q: will hold the q
584 * @g: will hold the g
585 * @y: will hold the y
586 *
587 * This function will export the DSA public key's parameters found in
588 * the given certificate. The new parameters will be allocated using
589 * gnutls_malloc() and will be stored in the appropriate datum.
590 *
591 * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
592 **/
593 int
594 gnutls_pubkey_get_pk_dsa_raw (gnutls_pubkey_t key,
595 gnutls_datum_t * p, gnutls_datum_t * q,
596 gnutls_datum_t * g, gnutls_datum_t * y)
597 {
598 int ret;
599
600 if (key == NULL)
601 {
602 gnutls_assert ();
603 return GNUTLS_E_INVALID_REQUEST;
604 }
605
606 if (key->pk_algorithm != GNUTLS_PK_DSA)
607 {
608 gnutls_assert ();
609 return GNUTLS_E_INVALID_REQUEST;
610 }
611
612 /* P */
613 ret = _gnutls_mpi_dprint_lz (key->params[0], p);
614 if (ret < 0)
615 {
616 gnutls_assert ();
617 return ret;
618 }
619
620 /* Q */
621 ret = _gnutls_mpi_dprint_lz (key->params[1], q);
622 if (ret < 0)
623 {
624 gnutls_assert ();
625 _gnutls_free_datum (p);
626 return ret;
627 }
628
629
630 /* G */
631 ret = _gnutls_mpi_dprint_lz (key->params[2], g);
632 if (ret < 0)
633 {
634 gnutls_assert ();
635 _gnutls_free_datum (p);
636 _gnutls_free_datum (q);
637 return ret;
638 }
639
640
641 /* Y */
642 ret = _gnutls_mpi_dprint_lz (key->params[3], y);
643 if (ret < 0)
644 {
645 gnutls_assert ();
646 _gnutls_free_datum (p);
647 _gnutls_free_datum (g);
648 _gnutls_free_datum (q);
649 return ret;
650 }
651
652 return 0;
653 }
654
655 /**
656 * gnutls_pubkey_import:
657 * @key: The structure to store the parsed public key.
658 * @data: The DER or PEM encoded certificate.
659 * @format: One of DER or PEM
660 *
661 * This function will convert the given DER or PEM encoded Public key
662 * to the native gnutls_pubkey_t format.The output will be stored * in @ key.
663 * If the Certificate is PEM encoded it should have a header of "PUBLIC KEY".
664 *
665 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
666 * negative error value.
667 **/
668 int
669 gnutls_pubkey_import (gnutls_pubkey_t key,
670 const gnutls_datum_t * data,
671 gnutls_x509_crt_fmt_t format)
672 {
673 int result = 0, need_free = 0;
674 gnutls_datum_t _data;
675 ASN1_TYPE spk;
676
677 if (key == NULL)
678 {
679 gnutls_assert ();
680 return GNUTLS_E_INVALID_REQUEST;
681 }
682
683 _data.data = data->data;
684 _data.size = data->size;
685
686 /* If the Certificate is in PEM format then decode it
687 */
688 if (format == GNUTLS_X509_FMT_PEM)
689 {
690 opaque *out;
691
692 /* Try the first header */
693 result =
694 _gnutls_fbase64_decode (PK_PEM_HEADER, data->data, data->size, &out);
695
696 if (result <= 0)
697 {
698 if (result == 0)
699 result = GNUTLS_E_INTERNAL_ERROR;
700 gnutls_assert ();
701 return result;
702 }
703
704 _data.data = out;
705 _data.size = result;
706
707 need_free = 1;
708 }
709
710 if ((result = asn1_create_element
711 (_gnutls_get_pkix (), "PKIX1.SubjectPublicKeyInfo", &spk))
712 != ASN1_SUCCESS)
713 {
714 gnutls_assert ();
715 result = _gnutls_asn2err (result);
716 goto cleanup;
717 }
718
719 result = asn1_der_decoding (&spk, _data.data, _data.size, NULL);
720 if (result != ASN1_SUCCESS)
721 {
722 gnutls_assert ();
723 result = _gnutls_asn2err (result);
724 goto cleanup;
725 }
726
727 key->params_size = sizeof (key->params) / sizeof (key->params[0]);
728 result = _gnutls_get_asn_mpis (spk, "", key->params, &key->params_size);
729 if (result < 0)
730 {
731 gnutls_assert ();
732 goto cleanup;
733 }
734
735 /* this has already been called by get_asn_mpis() thus it cannot
736 * fail.
737 */
738 key->pk_algorithm = _gnutls_x509_get_pk_algorithm (spk, "", NULL);
739 key->bits = pubkey_to_bits(key->pk_algorithm, key->params, key->params_size);
740
741 result = 0;
742
743 cleanup:
744 asn1_delete_structure (&spk);
745
746 if (need_free)
747 _gnutls_free_datum (&_data);
748 return result;
749 }
750
751 /**
752 * gnutls_x509_crt_set_pubkey:
753 * @crt: should contain a #gnutls_x509_crt_t structure
754 * @key: holds a public key
755 *
756 * This function will set the public parameters from the given public
757 * key to the request.
758 *
759 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
760 * negative error value.
761 **/
762 int
763 gnutls_x509_crt_set_pubkey (gnutls_x509_crt_t crt, gnutls_pubkey_t key)
764 {
765 int result;
766
767 if (crt == NULL)
768 {
769 gnutls_assert ();
770 return GNUTLS_E_INVALID_REQUEST;
771 }
772
773 result = _gnutls_x509_encode_and_copy_PKI_params (crt->cert,
774 "tbsCertificate.subjectPublicKeyInfo",
775 key->pk_algorithm,
776 key->params,
777 key->params_size);
778
779 if (result < 0)
780 {
781 gnutls_assert ();
782 return result;
783 }
784
785 if (key->key_usage)
786 gnutls_x509_crt_set_key_usage (crt, key->key_usage);
787
788 return 0;
789 }
790
791 /**
792 * gnutls_x509_crq_set_pubkey:
793 * @crq: should contain a #gnutls_x509_crq_t structure
794 * @key: holds a public key
795 *
796 * This function will set the public parameters from the given public
797 * key to the request.
798 *
799 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
800 * negative error value.
801 **/
802 int
803 gnutls_x509_crq_set_pubkey (gnutls_x509_crq_t crq, gnutls_pubkey_t key)
804 {
805 int result;
806
807 if (crq == NULL)
808 {
809 gnutls_assert ();
810 return GNUTLS_E_INVALID_REQUEST;
811 }
812
813 result = _gnutls_x509_encode_and_copy_PKI_params
814 (crq->crq,
815 "certificationRequestInfo.subjectPKInfo",
816 key->pk_algorithm, key->params, key->params_size);
817
818 if (result < 0)
819 {
820 gnutls_assert ();
821 return result;
822 }
823
824 if (key->key_usage)
825 gnutls_x509_crq_set_key_usage (crq, key->key_usage);
826
827 return 0;
828 }
829
830 /**
831 * gnutls_pubkey_set_key_usage:
832 * @key: a certificate of type #gnutls_x509_crt_t
833 * @usage: an ORed sequence of the GNUTLS_KEY_* elements.
834 *
835 * This function will set the key usage flags of the public key. This
836 * is only useful if the key is to be exported to a certificate or
837 * certificate request.
838 *
839 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
840 * negative error value.
841 **/
842 int
843 gnutls_pubkey_set_key_usage (gnutls_pubkey_t key, unsigned int usage)
844 {
845 key->key_usage = usage;
846
847 return 0;
848 }
849
850 #ifdef ENABLE_PKCS11
851
852 /**
853 * gnutls_pubkey_import_pkcs11_url:
854 * @key: A key of type #gnutls_pubkey_t
855 * @url: A PKCS 11 url
856 * @flags: One of GNUTLS_PKCS11_OBJ_* flags
857 *
858 * This function will import a PKCS 11 certificate to a #gnutls_pubkey_t
859 * structure.
860 *
861 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
862 * negative error value.
863 **/
864
865 int
866 gnutls_pubkey_import_pkcs11_url (gnutls_pubkey_t key, const char *url,
867 unsigned int flags)
868 {
869 gnutls_pkcs11_obj_t pcrt;
870 int ret;
871
872 ret = gnutls_pkcs11_obj_init (&pcrt);
873 if (ret < 0)
874 {
875 gnutls_assert ();
876 return ret;
877 }
878
879 ret = gnutls_pkcs11_obj_import_url (pcrt, url, flags);
880 if (ret < 0)
881 {
882 gnutls_assert ();
883 goto cleanup;
884 }
885
886 ret = gnutls_pubkey_import_pkcs11 (key, pcrt, 0);
887 if (ret < 0)
888 {
889 gnutls_assert ();
890 goto cleanup;
891 }
892
893 ret = 0;
894 cleanup:
895
896 gnutls_pkcs11_obj_deinit (pcrt);
897
898 return ret;
899 }
900
901 #endif /* ENABLE_PKCS11 */
902
903 /**
904 * gnutls_pubkey_import_rsa_raw:
905 * @key: Is a structure will hold the parameters
906 * @m: holds the modulus
907 * @e: holds the public exponent
908 *
909 * This function will replace the parameters in the given structure.
910 * The new parameters should be stored in the appropriate
911 * gnutls_datum.
912 *
913 * Returns: %GNUTLS_E_SUCCESS on success, or an negative error code.
914 **/
915 int
916 gnutls_pubkey_import_rsa_raw (gnutls_pubkey_t key,
917 const gnutls_datum_t * m,
918 const gnutls_datum_t * e)
919 {
920 size_t siz = 0;
921
922 if (key == NULL)
923 {
924 gnutls_assert ();
925 return GNUTLS_E_INVALID_REQUEST;
926 }
927
928 siz = m->size;
929 if (_gnutls_mpi_scan_nz (&key->params[0], m->data, siz))
930 {
931 gnutls_assert ();
932 return GNUTLS_E_MPI_SCAN_FAILED;
933 }
934
935 siz = e->size;
936 if (_gnutls_mpi_scan_nz (&key->params[1], e->data, siz))
937 {
938 gnutls_assert ();
939 _gnutls_mpi_release (&key->params[0]);
940 return GNUTLS_E_MPI_SCAN_FAILED;
941 }
942
943 key->params_size = RSA_PUBLIC_PARAMS;
944 key->pk_algorithm = GNUTLS_PK_RSA;
945 key->bits = pubkey_to_bits(GNUTLS_PK_RSA, key->params, key->params_size);
946
947 return 0;
948 }
949
950 /**
951 * gnutls_pubkey_import_dsa_raw:
952 * @key: The structure to store the parsed key
953 * @p: holds the p
954 * @q: holds the q
955 * @g: holds the g
956 * @y: holds the y
957 *
958 * This function will convert the given DSA raw parameters to the
959 * native #gnutls_pubkey_t format. The output will be stored
960 * in @key.
961 *
962 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
963 * negative error value.
964 **/
965 int
966 gnutls_pubkey_import_dsa_raw (gnutls_pubkey_t key,
967 const gnutls_datum_t * p,
968 const gnutls_datum_t * q,
969 const gnutls_datum_t * g,
970 const gnutls_datum_t * y)
971 {
972 size_t siz = 0;
973
974 if (key == NULL)
975 {
976 gnutls_assert ();
977 return GNUTLS_E_INVALID_REQUEST;
978 }
979
980 siz = p->size;
981 if (_gnutls_mpi_scan_nz (&key->params[0], p->data, siz))
982 {
983 gnutls_assert ();
984 return GNUTLS_E_MPI_SCAN_FAILED;
985 }
986
987 siz = q->size;
988 if (_gnutls_mpi_scan_nz (&key->params[1], q->data, siz))
989 {
990 gnutls_assert ();
991 _gnutls_mpi_release (&key->params[0]);
992 return GNUTLS_E_MPI_SCAN_FAILED;
993 }
994
995 siz = g->size;
996 if (_gnutls_mpi_scan_nz (&key->params[2], g->data, siz))
997 {
998 gnutls_assert ();
999 _gnutls_mpi_release (&key->params[1]);
1000 _gnutls_mpi_release (&key->params[0]);
1001 return GNUTLS_E_MPI_SCAN_FAILED;
1002 }
1003
1004 siz = y->size;
1005 if (_gnutls_mpi_scan_nz (&key->params[3], y->data, siz))
1006 {
1007 gnutls_assert ();
1008 _gnutls_mpi_release (&key->params[2]);
1009 _gnutls_mpi_release (&key->params[1]);
1010 _gnutls_mpi_release (&key->params[0]);
1011 return GNUTLS_E_MPI_SCAN_FAILED;
1012 }
1013
1014 key->params_size = DSA_PUBLIC_PARAMS;
1015 key->pk_algorithm = GNUTLS_PK_DSA;
1016 key->bits = pubkey_to_bits(GNUTLS_PK_DSA, key->params, key->params_size);
1017
1018 return 0;
1019
1020 }
1021
1022 /**
1023 * gnutls_pubkey_verify_data:
1024 * @pubkey: Holds the public key
1025 * @flags: should be 0 for now
1026 * @data: holds the data to be signed
1027 * @signature: contains the signature
1028 *
1029 * This function will verify the given signed data, using the
1030 * parameters from the certificate.
1031 *
1032 * Returns: In case of a verification failure
1033 * %GNUTLS_E_PK_SIG_VERIFY_FAILED is returned, and a positive code
1034 * on success.
1035 *
1036 * Since: 2.12.0
1037 **/
1038 int
1039 gnutls_pubkey_verify_data (gnutls_pubkey_t pubkey, unsigned int flags,
1040 const gnutls_datum_t * data,
1041 const gnutls_datum_t * signature)
1042 {
1043 int ret;
1044
1045 if (pubkey == NULL)
1046 {
1047 gnutls_assert ();
1048 return GNUTLS_E_INVALID_REQUEST;
1049 }
1050
1051 ret = pubkey_verify_sig( data, NULL, signature, pubkey->pk_algorithm,
1052 pubkey->params, pubkey->params_size);
1053 if (ret < 0)
1054 {
1055 gnutls_assert();
1056 }
1057
1058 return ret;
1059 }
1060
1061
1062 /**
1063 * gnutls_pubkey_verify_hash:
1064 * @key: Holds the certificate
1065 * @flags: should be 0 for now
1066 * @hash: holds the hash digest to be verified
1067 * @signature: contains the signature
1068 *
1069 * This function will verify the given signed digest, using the
1070 * parameters from the certificate.
1071 *
1072 * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED
1073 * is returned, and a positive code on success.
1074 **/
1075 int
1076 gnutls_pubkey_verify_hash (gnutls_pubkey_t key, unsigned int flags,
1077 const gnutls_datum_t * hash,
1078 const gnutls_datum_t * signature)
1079 {
1080 int ret;
1081
1082 if (key == NULL)
1083 {
1084 gnutls_assert ();
1085 return GNUTLS_E_INVALID_REQUEST;
1086 }
1087
1088 ret =
1089 pubkey_verify_sig (NULL, hash, signature, key->pk_algorithm,
1090 key->params, key->params_size);
1091
1092 return ret;
1093 }
1094
1095 /**
1096 * gnutls_pubkey_get_verify_algorithm:
1097 * @key: Holds the certificate
1098 * @signature: contains the signature
1099 * @hash: The result of the call with the hash algorithm used for signature
1100 *
1101 * This function will read the certifcate and the signed data to
1102 * determine the hash algorithm used to generate the signature.
1103 *
1104 * Returns: the 0 if the hash algorithm is found. A negative value is
1105 * returned on error.
1106 **/
1107 int
1108 gnutls_pubkey_get_verify_algorithm (gnutls_pubkey_t key,
1109 const gnutls_datum_t * signature,
1110 gnutls_digest_algorithm_t * hash)
1111 {
1112 if (key == NULL)
1113 {
1114 gnutls_assert ();
1115 return GNUTLS_E_INVALID_REQUEST;
1116 }
1117
1118 return _gnutls_x509_verify_algorithm ((gnutls_mac_algorithm_t *)
1119 hash, signature,
1120 key->pk_algorithm,
1121 key->params, key->params_size);
1122
1123 }
Implementation of the SSL/TLS protocol