search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Removed incorrect test on IPAddresses (was relying on IPaddresses encoded as text)
[gnutls.git] / lib / gnutls_pubkey.c
bloba8fc97581f09f1d33af797cc49b892d8538ba100
1 /*
2 * GnuTLS PKCS#11 support
3 * Copyright (C) 2010 Free Software Foundation
4 *
5 * Author: Nikos Mavrogiannopoulos
6 *
7 * This library is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Library General Public
9 * License as published by the Free Software Foundation; either
10 * version 2 of the License, or (at your option) any later version.
11 *
12 * This library is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Library General Public License for more details.
16 *
17 * You should have received a copy of the GNU Library General Public
18 * License along with this library; if not, write to the Free
19 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
20 * MA 02111-1307, USA
21 */
22
23 #include <gnutls_int.h>
24 #include <pakchois/pakchois.h>
25 #include <gnutls/pkcs11.h>
26 #include <stdio.h>
27 #include <stdbool.h>
28 #include <string.h>
29 #include <gnutls_errors.h>
30 #include <gnutls_datum.h>
31 #include <pkcs11_int.h>
32 #include <gnutls/abstract.h>
33 #include <gnutls_pk.h>
34 #include <x509_int.h>
35 #include <openpgp/openpgp_int.h>
36 #include <pkcs11_int.h>
37 #include <gnutls_num.h>
38 #include <x509/common.h>
39 #include <x509_b64.h>
40 #include <abstract_int.h>
41
42 #define PK_PEM_HEADER "PUBLIC KEY"
43
44
45 struct gnutls_pubkey_st
46 {
47 gnutls_pk_algorithm_t pk_algorithm;
48 unsigned int bits; /* an indication of the security parameter */
49
50 /* the size of params depends on the public
51 * key algorithm
52 * RSA: [0] is modulus
53 * [1] is public exponent
54 * DSA: [0] is p
55 * [1] is q
56 * [2] is g
57 * [3] is public key
58 */
59 bigint_t params[MAX_PUBLIC_PARAMS_SIZE];
60 int params_size; /* holds the size of MPI params */
61
62 unsigned int key_usage; /* bits from GNUTLS_KEY_* */
63 };
64
65 static int pubkey_to_bits(gnutls_pk_algorithm_t pk, bigint_t* params, int params_size)
66 {
67 switch(pk)
68 {
69 case GNUTLS_PK_RSA:
70 return _gnutls_mpi_get_nbits(params[0]);
71 case GNUTLS_PK_DSA:
72 if (params_size < 3) return 0;
73 return _gnutls_mpi_get_nbits(params[3]);
74 default:
75 return 0;
76 }
77 }
78
79 /**
80 * gnutls_pubkey_get_pk_algorithm:
81 * @key: should contain a #gnutls_pubkey_t structure
82 * @bits: If set will return the number of bits of the parameters (may be NULL)
83 *
84 * This function will return the public key algorithm of a public
85 * key and if possible will return a number of bits that indicates
86 * the security parameter of the key.
87 *
88 * Returns: a member of the #gnutls_pk_algorithm_t enumeration on
89 * success, or a negative value on error.
90 **/
91 int
92 gnutls_pubkey_get_pk_algorithm (gnutls_pubkey_t key, unsigned int *bits)
93 {
94 if (bits)
95 *bits = key->bits;
96
97 return key->pk_algorithm;
98 }
99
100 /**
101 * gnutls_pubkey_get_key_usage:
102 * @key: should contain a #gnutls_pubkey_t structure
103 * @usage: If set will return the number of bits of the parameters (may be NULL)
104 *
105 * This function will return the key usage of the public key.
106 *
107 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
108 * negative error value.
109 **/
110 int
111 gnutls_pubkey_get_key_usage (gnutls_pubkey_t key, unsigned int *usage)
112 {
113 if (usage)
114 *usage = key->key_usage;
115
116 return 0;
117 }
118
119 /**
120 * gnutls_pubkey_init:
121 * @key: The structure to be initialized
122 *
123 * This function will initialize an public key structure.
124 *
125 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
126 * negative error value.
127 **/
128 int
129 gnutls_pubkey_init (gnutls_pubkey_t * key)
130 {
131 *key = gnutls_calloc (1, sizeof (struct gnutls_pubkey_st));
132 if (*key == NULL)
133 {
134 gnutls_assert ();
135 return GNUTLS_E_MEMORY_ERROR;
136 }
137
138 return 0;
139 }
140
141 /**
142 * gnutls_pubkey_deinit:
143 * @key: The structure to be deinitialized
144 *
145 * This function will deinitialize a public key structure.
146 **/
147 void
148 gnutls_pubkey_deinit (gnutls_pubkey_t key)
149 {
150 int i;
151
152 for (i = 0; i < key->params_size; i++)
153 {
154 _gnutls_mpi_release (&key->params[i]);
155 }
156
157 gnutls_free (key);
158 }
159
160 /**
161 * gnutls_pubkey_import_x509:
162 * @key: The public key
163 * @crt: The certificate to be imported
164 * @flags: should be zero
165 *
166 * This function will import the given public key to the abstract
167 * #gnutls_pubkey_t structure.
168 *
169 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
170 * negative error value.
171 **/
172 int
173 gnutls_pubkey_import_x509 (gnutls_pubkey_t key, gnutls_x509_crt_t crt,
174 unsigned int flags)
175 {
176 int ret;
177
178 key->pk_algorithm = gnutls_x509_crt_get_pk_algorithm (crt, &key->bits);
179
180 ret = gnutls_x509_crt_get_key_usage (crt, &key->key_usage, NULL);
181 if (ret < 0)
182 key->key_usage = 0;
183
184 key->params_size = sizeof (key->params) / sizeof (key->params[0]);
185 switch (key->pk_algorithm)
186 {
187 case GNUTLS_PK_RSA:
188 ret = _gnutls_x509_crt_get_mpis (crt, key->params, &key->params_size);
189 if (ret < 0)
190 {
191 gnutls_assert ();
192 return ret;
193 }
194 break;
195 case GNUTLS_PK_DSA:
196 ret = _gnutls_x509_crt_get_mpis (crt, key->params, &key->params_size);
197 if (ret < 0)
198 {
199 gnutls_assert ();
200 return ret;
201 }
202
203 break;
204 default:
205 gnutls_assert ();
206 return GNUTLS_E_INVALID_REQUEST;
207 }
208
209 return 0;
210 }
211
212 /**
213 * gnutls_pubkey_import_privkey: Imports the public key from a private
214 * @key: The public key
215 * @pkey: The private key
216 * @usage: GNUTLS_KEY_* key usage flags.
217 * @flags: should be zero
218 *
219 * This function will import the given public key to the abstract
220 * #gnutls_pubkey_t structure.
221 *
222 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
223 * negative error value.
224 *
225 * Since: 2.12.0
226 **/
227 int
228 gnutls_pubkey_import_privkey (gnutls_pubkey_t key, gnutls_privkey_t pkey,
229 unsigned int usage, unsigned int flags)
230 {
231 key->pk_algorithm = gnutls_privkey_get_pk_algorithm (pkey, &key->bits);
232
233 key->key_usage = usage;
234
235 key->params_size = sizeof (key->params) / sizeof (key->params[0]);
236
237 return _gnutls_privkey_get_public_mpis (pkey, key->params,
238 &key->params_size);
239 }
240
241 /**
242 * gnutls_pubkey_get_preferred_hash_algorithm:
243 * @key: Holds the certificate
244 * @hash: The result of the call with the hash algorithm used for signature
245 * @mand: If non zero it means that the algorithm MUST use this hash. May be NULL.
246 *
247 * This function will read the certifcate and return the appropriate digest
248 * algorithm to use for signing with this certificate. Some certificates (i.e.
249 * DSA might not be able to sign without the preferred algorithm).
250 *
251 * Returns: the 0 if the hash algorithm is found. A negative value is
252 * returned on error.
253 *
254 * Since: 2.11.0
255 **/
256 int
257 gnutls_pubkey_get_preferred_hash_algorithm (gnutls_pubkey_t key,
258 gnutls_digest_algorithm_t *
259 hash, unsigned int *mand)
260 {
261 int ret;
262
263 if (key == NULL)
264 {
265 gnutls_assert ();
266 return GNUTLS_E_INVALID_REQUEST;
267 }
268
269 ret = _gnutls_pk_get_hash_algorithm (key->pk_algorithm,
270 key->params, key->params_size,
271 hash, mand);
272
273 return ret;
274 }
275
276
277 /**
278 * gnutls_pubkey_import_pkcs11: Imports a public key from a pkcs11 key
279 * @key: The public key
280 * @obj: The parameters to be imported
281 * @flags: should be zero
282 *
283 * This function will import the given public key to the abstract
284 * #gnutls_pubkey_t structure.
285 *
286 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
287 * negative error value.
288 **/
289 int
290 gnutls_pubkey_import_pkcs11 (gnutls_pubkey_t key,
291 gnutls_pkcs11_obj_t obj, unsigned int flags)
292 {
293 int ret;
294
295 ret = gnutls_pkcs11_obj_get_type (obj);
296 if (ret != GNUTLS_PKCS11_OBJ_PUBKEY)
297 {
298 gnutls_assert ();
299 return GNUTLS_E_INVALID_REQUEST;
300 }
301
302 key->key_usage = obj->key_usage;
303
304 switch (obj->pk_algorithm)
305 {
306 case GNUTLS_PK_RSA:
307 ret = gnutls_pubkey_import_rsa_raw (key, &obj->pubkey[0],
308 &obj->pubkey[1]);
309 break;
310 case GNUTLS_PK_DSA:
311 ret = gnutls_pubkey_import_dsa_raw (key, &obj->pubkey[0],
312 &obj->pubkey[1],
313 &obj->pubkey[2], &obj->pubkey[3]);
314 break;
315 default:
316 gnutls_assert ();
317 return GNUTLS_E_UNIMPLEMENTED_FEATURE;
318 }
319
320 if (ret < 0)
321 {
322 gnutls_assert ();
323 return ret;
324 }
325
326 return 0;
327 }
328
329 #ifdef ENABLE_OPENPGP
330 /**
331 * gnutls_pubkey_import_openpgp: Imports a public key from an openpgp key
332 * @key: The public key
333 * @crt: The certificate to be imported
334 * @flags: should be zero
335 *
336 * This function will import the given public key to the abstract
337 * #gnutls_pubkey_t structure. The subkey set as preferred will be
338 * imported or the master key otherwise.
339 *
340 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
341 * negative error value.
342 **/
343 int
344 gnutls_pubkey_import_openpgp (gnutls_pubkey_t key,
345 gnutls_openpgp_crt_t crt,
346 unsigned int flags)
347 {
348 int ret, idx;
349 uint32_t kid32[2];
350 uint32_t *k;
351 uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
352
353 ret = gnutls_openpgp_crt_get_preferred_key_id (crt, keyid);
354 if (ret == GNUTLS_E_OPENPGP_PREFERRED_KEY_ERROR)
355 {
356 key->pk_algorithm = gnutls_openpgp_crt_get_pk_algorithm (crt, &key->bits);
357
358 ret = gnutls_openpgp_crt_get_key_usage (crt, &key->key_usage);
359 if (ret < 0)
360 key->key_usage = 0;
361
362 k = NULL;
363 }
364 else
365 {
366 if (ret < 0)
367 {
368 gnutls_assert ();
369 return ret;
370 }
371
372 KEYID_IMPORT (kid32, keyid);
373 k = kid32;
374
375 idx = gnutls_openpgp_crt_get_subkey_idx (crt, keyid);
376
377 ret = gnutls_openpgp_crt_get_subkey_usage (crt, idx, &key->key_usage);
378 if (ret < 0)
379 key->key_usage = 0;
380
381 key->pk_algorithm = gnutls_openpgp_crt_get_subkey_pk_algorithm (crt, idx, NULL);
382 }
383
384 switch (key->pk_algorithm)
385 {
386 case GNUTLS_PK_RSA:
387 ret =
388 _gnutls_openpgp_crt_get_mpis (crt, k, key->params,
389 &key->params_size);
390 if (ret < 0)
391 {
392 gnutls_assert ();
393 return ret;
394 }
395 break;
396 case GNUTLS_PK_DSA:
397 ret =
398 _gnutls_openpgp_crt_get_mpis (crt, k, key->params,
399 &key->params_size);
400 if (ret < 0)
401 {
402 gnutls_assert ();
403 return ret;
404 }
405 break;
406 default:
407 gnutls_assert ();
408 return GNUTLS_E_INVALID_REQUEST;
409 }
410
411 return 0;
412 }
413
414 #endif
415
416 /**
417 * gnutls_pubkey_export:
418 * @key: Holds the certificate
419 * @format: the format of output params. One of PEM or DER.
420 * @output_data: will contain a certificate PEM or DER encoded
421 * @output_data_size: holds the size of output_data (and will be
422 * replaced by the actual size of parameters)
423 *
424 * This function will export the certificate to DER or PEM format.
425 *
426 * If the buffer provided is not long enough to hold the output, then
427 * *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
428 * be returned.
429 *
430 * If the structure is PEM encoded, it will have a header
431 * of "BEGIN CERTIFICATE".
432 *
433 * Return value: In case of failure a negative value will be
434 * returned, and 0 on success.
435 **/
436 int
437 gnutls_pubkey_export (gnutls_pubkey_t key,
438 gnutls_x509_crt_fmt_t format, void *output_data,
439 size_t * output_data_size)
440 {
441 int result;
442 ASN1_TYPE spk = ASN1_TYPE_EMPTY;
443
444 if (key == NULL)
445 {
446 gnutls_assert ();
447 return GNUTLS_E_INVALID_REQUEST;
448 }
449
450 if ((result = asn1_create_element
451 (_gnutls_get_pkix (), "PKIX1.SubjectPublicKeyInfo", &spk))
452 != ASN1_SUCCESS)
453 {
454 gnutls_assert ();
455 return _gnutls_asn2err (result);
456 }
457
458 result =
459 _gnutls_x509_encode_and_copy_PKI_params (spk, "",
460 key->pk_algorithm,
461 key->params, key->params_size);
462 if (result < 0)
463 {
464 gnutls_assert ();
465 goto cleanup;
466 }
467
468 result = _gnutls_x509_export_int_named (spk, "",
469 format, PK_PEM_HEADER,
470 output_data, output_data_size);
471 if (result < 0)
472 {
473 gnutls_assert ();
474 goto cleanup;
475 }
476
477 result = 0;
478
479 cleanup:
480 asn1_delete_structure (&spk);
481
482 return result;
483
484 }
485
486 /**
487 * gnutls_pubkey_get_key_id:
488 * @key: Holds the public key
489 * @flags: should be 0 for now
490 * @output_data: will contain the key ID
491 * @output_data_size: holds the size of output_data (and will be
492 * replaced by the actual size of parameters)
493 *
494 * This function will return a unique ID the depends on the public
495 * key parameters. This ID can be used in checking whether a
496 * certificate corresponds to the given public key.
497 *
498 * If the buffer provided is not long enough to hold the output, then
499 * *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
500 * be returned. The output will normally be a SHA-1 hash output,
501 * which is 20 bytes.
502 *
503 * Return value: In case of failure a negative value will be
504 * returned, and 0 on success.
505 **/
506 int
507 gnutls_pubkey_get_key_id (gnutls_pubkey_t key, unsigned int flags,
508 unsigned char *output_data,
509 size_t * output_data_size)
510 {
511 int ret = 0;
512
513 if (key == NULL)
514 {
515 gnutls_assert ();
516 return GNUTLS_E_INVALID_REQUEST;
517 }
518
519 ret =
520 _gnutls_get_key_id (key->pk_algorithm, key->params,
521 key->params_size, output_data, output_data_size);
522 if (ret < 0)
523 {
524 gnutls_assert ();
525 return ret;
526 }
527
528 return 0;
529 }
530
531 /**
532 * gnutls_pubkey_get_pk_rsa_raw:
533 * @key: Holds the certificate
534 * @m: will hold the modulus
535 * @e: will hold the public exponent
536 *
537 * This function will export the RSA public key's parameters found in
538 * the given structure. The new parameters will be allocated using
539 * gnutls_malloc() and will be stored in the appropriate datum.
540 *
541 * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
542 **/
543 int
544 gnutls_pubkey_get_pk_rsa_raw (gnutls_pubkey_t key,
545 gnutls_datum_t * m, gnutls_datum_t * e)
546 {
547 int ret;
548
549 if (key == NULL)
550 {
551 gnutls_assert ();
552 return GNUTLS_E_INVALID_REQUEST;
553 }
554
555 if (key->pk_algorithm != GNUTLS_PK_RSA)
556 {
557 gnutls_assert ();
558 return GNUTLS_E_INVALID_REQUEST;
559 }
560
561 ret = _gnutls_mpi_dprint (key->params[0], m);
562 if (ret < 0)
563 {
564 gnutls_assert ();
565 return ret;
566 }
567
568 ret = _gnutls_mpi_dprint (key->params[1], e);
569 if (ret < 0)
570 {
571 gnutls_assert ();
572 _gnutls_free_datum (m);
573 return ret;
574 }
575
576 return 0;
577 }
578
579 /**
580 * gnutls_pubkey_get_pk_dsa_raw:
581 * @key: Holds the public key
582 * @p: will hold the p
583 * @q: will hold the q
584 * @g: will hold the g
585 * @y: will hold the y
586 *
587 * This function will export the DSA public key's parameters found in
588 * the given certificate. The new parameters will be allocated using
589 * gnutls_malloc() and will be stored in the appropriate datum.
590 *
591 * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
592 **/
593 int
594 gnutls_pubkey_get_pk_dsa_raw (gnutls_pubkey_t key,
595 gnutls_datum_t * p, gnutls_datum_t * q,
596 gnutls_datum_t * g, gnutls_datum_t * y)
597 {
598 int ret;
599
600 if (key == NULL)
601 {
602 gnutls_assert ();
603 return GNUTLS_E_INVALID_REQUEST;
604 }
605
606 if (key->pk_algorithm != GNUTLS_PK_DSA)
607 {
608 gnutls_assert ();
609 return GNUTLS_E_INVALID_REQUEST;
610 }
611
612 /* P */
613 ret = _gnutls_mpi_dprint (key->params[0], p);
614 if (ret < 0)
615 {
616 gnutls_assert ();
617 return ret;
618 }
619
620 /* Q */
621 ret = _gnutls_mpi_dprint (key->params[1], q);
622 if (ret < 0)
623 {
624 gnutls_assert ();
625 _gnutls_free_datum (p);
626 return ret;
627 }
628
629
630 /* G */
631 ret = _gnutls_mpi_dprint (key->params[2], g);
632 if (ret < 0)
633 {
634 gnutls_assert ();
635 _gnutls_free_datum (p);
636 _gnutls_free_datum (q);
637 return ret;
638 }
639
640
641 /* Y */
642 ret = _gnutls_mpi_dprint (key->params[3], y);
643 if (ret < 0)
644 {
645 gnutls_assert ();
646 _gnutls_free_datum (p);
647 _gnutls_free_datum (g);
648 _gnutls_free_datum (q);
649 return ret;
650 }
651
652 return 0;
653 }
654
655 /**
656 * gnutls_pubkey_import:
657 * @key: The structure to store the parsed public key.
658 * @data: The DER or PEM encoded certificate.
659 * @format: One of DER or PEM
660 *
661 * This function will convert the given DER or PEM encoded Public key
662 * to the native gnutls_pubkey_t format.The output will be stored * in @ key.
663 * If the Certificate is PEM encoded it should have a header of "PUBLIC KEY".
664 *
665 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
666 * negative error value.
667 **/
668 int
669 gnutls_pubkey_import (gnutls_pubkey_t key,
670 const gnutls_datum_t * data,
671 gnutls_x509_crt_fmt_t format)
672 {
673 int result = 0, need_free = 0;
674 gnutls_datum_t _data;
675 ASN1_TYPE spk;
676
677 if (key == NULL)
678 {
679 gnutls_assert ();
680 return GNUTLS_E_INVALID_REQUEST;
681 }
682
683 _data.data = data->data;
684 _data.size = data->size;
685
686 /* If the Certificate is in PEM format then decode it
687 */
688 if (format == GNUTLS_X509_FMT_PEM)
689 {
690 opaque *out;
691
692 /* Try the first header */
693 result =
694 _gnutls_fbase64_decode (PK_PEM_HEADER, data->data, data->size, &out);
695
696 if (result <= 0)
697 {
698 if (result == 0)
699 result = GNUTLS_E_INTERNAL_ERROR;
700 gnutls_assert ();
701 return result;
702 }
703
704 _data.data = out;
705 _data.size = result;
706
707 need_free = 1;
708 }
709
710 if ((result = asn1_create_element
711 (_gnutls_get_pkix (), "PKIX1.SubjectPublicKeyInfo", &spk))
712 != ASN1_SUCCESS)
713 {
714 gnutls_assert ();
715 result = _gnutls_asn2err (result);
716 goto cleanup;
717 }
718
719 result = asn1_der_decoding (&spk, _data.data, _data.size, NULL);
720 if (result != ASN1_SUCCESS)
721 {
722 gnutls_assert ();
723 result = _gnutls_asn2err (result);
724 goto cleanup;
725 }
726
727 key->params_size = sizeof (key->params) / sizeof (key->params[0]);
728 result = _gnutls_get_asn_mpis (spk, "", key->params, &key->params_size);
729 if (result < 0)
730 {
731 gnutls_assert ();
732 goto cleanup;
733 }
734
735 /* this has already been called by get_asn_mpis() thus it cannot
736 * fail.
737 */
738 key->pk_algorithm = _gnutls_x509_get_pk_algorithm (spk, "", NULL);
739 key->bits = pubkey_to_bits(key->pk_algorithm, key->params, key->params_size);
740
741 result = 0;
742
743 cleanup:
744 asn1_delete_structure (&spk);
745
746 if (need_free)
747 _gnutls_free_datum (&_data);
748 return result;
749 }
750
751 /**
752 * gnutls_x509_crt_set_pubkey:
753 * @crt: should contain a #gnutls_x509_crt_t structure
754 * @key: holds a public key
755 *
756 * This function will set the public parameters from the given public
757 * key to the request.
758 *
759 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
760 * negative error value.
761 **/
762 int
763 gnutls_x509_crt_set_pubkey (gnutls_x509_crt_t crt, gnutls_pubkey_t key)
764 {
765 int result;
766
767 if (crt == NULL)
768 {
769 gnutls_assert ();
770 return GNUTLS_E_INVALID_REQUEST;
771 }
772
773 result = _gnutls_x509_encode_and_copy_PKI_params (crt->cert,
774 "tbsCertificate.subjectPublicKeyInfo",
775 key->pk_algorithm,
776 key->params,
777 key->params_size);
778
779 if (result < 0)
780 {
781 gnutls_assert ();
782 return result;
783 }
784
785 if (key->key_usage)
786 gnutls_x509_crt_set_key_usage (crt, key->key_usage);
787
788 return 0;
789 }
790
791 /**
792 * gnutls_x509_crq_set_pubkey:
793 * @crq: should contain a #gnutls_x509_crq_t structure
794 * @key: holds a public key
795 *
796 * This function will set the public parameters from the given public
797 * key to the request.
798 *
799 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
800 * negative error value.
801 **/
802 int
803 gnutls_x509_crq_set_pubkey (gnutls_x509_crq_t crq, gnutls_pubkey_t key)
804 {
805 int result;
806
807 if (crq == NULL)
808 {
809 gnutls_assert ();
810 return GNUTLS_E_INVALID_REQUEST;
811 }
812
813 result = _gnutls_x509_encode_and_copy_PKI_params
814 (crq->crq,
815 "certificationRequestInfo.subjectPKInfo",
816 key->pk_algorithm, key->params, key->params_size);
817
818 if (result < 0)
819 {
820 gnutls_assert ();
821 return result;
822 }
823
824 if (key->key_usage)
825 gnutls_x509_crq_set_key_usage (crq, key->key_usage);
826
827 return 0;
828 }
829
830 /**
831 * gnutls_pubkey_set_key_usage:
832 * @key: a certificate of type #gnutls_x509_crt_t
833 * @usage: an ORed sequence of the GNUTLS_KEY_* elements.
834 *
835 * This function will set the key usage flags of the public key. This
836 * is only useful if the key is to be exported to a certificate or
837 * certificate request.
838 *
839 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
840 * negative error value.
841 **/
842 int
843 gnutls_pubkey_set_key_usage (gnutls_pubkey_t key, unsigned int usage)
844 {
845 key->key_usage = usage;
846
847 return 0;
848 }
849
850 /**
851 * gnutls_pubkey_import_pkcs11_url:
852 * @key: A key of type #gnutls_pubkey_t
853 * @url: A PKCS 11 url
854 * @flags: One of GNUTLS_PKCS11_OBJ_* flags
855 *
856 * This function will import a PKCS 11 certificate to a #gnutls_pubkey_t
857 * structure.
858 *
859 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
860 * negative error value.
861 **/
862
863 int
864 gnutls_pubkey_import_pkcs11_url (gnutls_pubkey_t key, const char *url,
865 unsigned int flags)
866 {
867 gnutls_pkcs11_obj_t pcrt;
868 int ret;
869
870 ret = gnutls_pkcs11_obj_init (&pcrt);
871 if (ret < 0)
872 {
873 gnutls_assert ();
874 return ret;
875 }
876
877 ret = gnutls_pkcs11_obj_import_url (pcrt, url, flags);
878 if (ret < 0)
879 {
880 gnutls_assert ();
881 goto cleanup;
882 }
883
884 ret = gnutls_pubkey_import_pkcs11 (key, pcrt, 0);
885 if (ret < 0)
886 {
887 gnutls_assert ();
888 goto cleanup;
889 }
890
891 ret = 0;
892 cleanup:
893
894 gnutls_pkcs11_obj_deinit (pcrt);
895
896 return ret;
897 }
898
899 /**
900 * gnutls_pubkey_import_rsa_raw:
901 * @key: Is a structure will hold the parameters
902 * @m: holds the modulus
903 * @e: holds the public exponent
904 *
905 * This function will replace the parameters in the given structure.
906 * The new parameters should be stored in the appropriate
907 * gnutls_datum.
908 *
909 * Returns: %GNUTLS_E_SUCCESS on success, or an negative error code.
910 **/
911 int
912 gnutls_pubkey_import_rsa_raw (gnutls_pubkey_t key,
913 const gnutls_datum_t * m,
914 const gnutls_datum_t * e)
915 {
916 size_t siz = 0;
917
918 if (key == NULL)
919 {
920 gnutls_assert ();
921 return GNUTLS_E_INVALID_REQUEST;
922 }
923
924 siz = m->size;
925 if (_gnutls_mpi_scan_nz (&key->params[0], m->data, siz))
926 {
927 gnutls_assert ();
928 return GNUTLS_E_MPI_SCAN_FAILED;
929 }
930
931 siz = e->size;
932 if (_gnutls_mpi_scan_nz (&key->params[1], e->data, siz))
933 {
934 gnutls_assert ();
935 _gnutls_mpi_release (&key->params[0]);
936 return GNUTLS_E_MPI_SCAN_FAILED;
937 }
938
939 key->params_size = RSA_PUBLIC_PARAMS;
940 key->pk_algorithm = GNUTLS_PK_RSA;
941 key->bits = pubkey_to_bits(GNUTLS_PK_RSA, key->params, key->params_size);
942
943 return 0;
944 }
945
946 /**
947 * gnutls_pubkey_import_dsa_raw:
948 * @key: The structure to store the parsed key
949 * @p: holds the p
950 * @q: holds the q
951 * @g: holds the g
952 * @y: holds the y
953 *
954 * This function will convert the given DSA raw parameters to the
955 * native #gnutls_pubkey_t format. The output will be stored
956 * in @key.
957 *
958 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
959 * negative error value.
960 **/
961 int
962 gnutls_pubkey_import_dsa_raw (gnutls_pubkey_t key,
963 const gnutls_datum_t * p,
964 const gnutls_datum_t * q,
965 const gnutls_datum_t * g,
966 const gnutls_datum_t * y)
967 {
968 size_t siz = 0;
969
970 if (key == NULL)
971 {
972 gnutls_assert ();
973 return GNUTLS_E_INVALID_REQUEST;
974 }
975
976 siz = p->size;
977 if (_gnutls_mpi_scan_nz (&key->params[0], p->data, siz))
978 {
979 gnutls_assert ();
980 return GNUTLS_E_MPI_SCAN_FAILED;
981 }
982
983 siz = q->size;
984 if (_gnutls_mpi_scan_nz (&key->params[1], q->data, siz))
985 {
986 gnutls_assert ();
987 _gnutls_mpi_release (&key->params[0]);
988 return GNUTLS_E_MPI_SCAN_FAILED;
989 }
990
991 siz = g->size;
992 if (_gnutls_mpi_scan_nz (&key->params[2], g->data, siz))
993 {
994 gnutls_assert ();
995 _gnutls_mpi_release (&key->params[1]);
996 _gnutls_mpi_release (&key->params[0]);
997 return GNUTLS_E_MPI_SCAN_FAILED;
998 }
999
1000 siz = y->size;
1001 if (_gnutls_mpi_scan_nz (&key->params[3], y->data, siz))
1002 {
1003 gnutls_assert ();
1004 _gnutls_mpi_release (&key->params[2]);
1005 _gnutls_mpi_release (&key->params[1]);
1006 _gnutls_mpi_release (&key->params[0]);
1007 return GNUTLS_E_MPI_SCAN_FAILED;
1008 }
1009
1010 key->params_size = DSA_PUBLIC_PARAMS;
1011 key->pk_algorithm = GNUTLS_PK_DSA;
1012 key->bits = pubkey_to_bits(GNUTLS_PK_DSA, key->params, key->params_size);
1013
1014 return 0;
1015
1016 }
1017
1018 /**
1019 * gnutls_pubkey_verify_data:
1020 * @pubkey: Holds the public key
1021 * @flags: should be 0 for now
1022 * @data: holds the data to be signed
1023 * @signature: contains the signature
1024 *
1025 * This function will verify the given signed data, using the
1026 * parameters from the certificate.
1027 *
1028 * Returns: In case of a verification failure
1029 * %GNUTLS_E_PK_SIG_VERIFY_FAILED is returned, and a positive code
1030 * on success.
1031 *
1032 * Since: 2.12.0
1033 **/
1034 int
1035 gnutls_pubkey_verify_data (gnutls_pubkey_t pubkey, unsigned int flags,
1036 const gnutls_datum_t * data,
1037 const gnutls_datum_t * signature)
1038 {
1039 int ret;
1040
1041 if (pubkey == NULL)
1042 {
1043 gnutls_assert ();
1044 return GNUTLS_E_INVALID_REQUEST;
1045 }
1046
1047 ret = pubkey_verify_sig( data, NULL, signature, pubkey->pk_algorithm,
1048 pubkey->params, pubkey->params_size);
1049 if (ret < 0)
1050 {
1051 gnutls_assert();
1052 }
1053
1054 return ret;
1055 }
1056
1057
1058 /**
1059 * gnutls_pubkey_verify_hash:
1060 * @key: Holds the certificate
1061 * @flags: should be 0 for now
1062 * @hash: holds the hash digest to be verified
1063 * @signature: contains the signature
1064 *
1065 * This function will verify the given signed digest, using the
1066 * parameters from the certificate.
1067 *
1068 * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED
1069 * is returned, and a positive code on success.
1070 **/
1071 int
1072 gnutls_pubkey_verify_hash (gnutls_pubkey_t key, unsigned int flags,
1073 const gnutls_datum_t * hash,
1074 const gnutls_datum_t * signature)
1075 {
1076 int ret;
1077
1078 if (key == NULL)
1079 {
1080 gnutls_assert ();
1081 return GNUTLS_E_INVALID_REQUEST;
1082 }
1083
1084 ret =
1085 pubkey_verify_sig (NULL, hash, signature, key->pk_algorithm,
1086 key->params, key->params_size);
1087
1088 return ret;
1089 }
1090
1091 /**
1092 * gnutls_pubkey_get_verify_algorithm:
1093 * @key: Holds the certificate
1094 * @signature: contains the signature
1095 * @hash: The result of the call with the hash algorithm used for signature
1096 *
1097 * This function will read the certifcate and the signed data to
1098 * determine the hash algorithm used to generate the signature.
1099 *
1100 * Returns: the 0 if the hash algorithm is found. A negative value is
1101 * returned on error.
1102 **/
1103 int
1104 gnutls_pubkey_get_verify_algorithm (gnutls_pubkey_t key,
1105 const gnutls_datum_t * signature,
1106 gnutls_digest_algorithm_t * hash)
1107 {
1108 if (key == NULL)
1109 {
1110 gnutls_assert ();
1111 return GNUTLS_E_INVALID_REQUEST;
1112 }
1113
1114 return _gnutls_x509_verify_algorithm ((gnutls_mac_algorithm_t *)
1115 hash, signature,
1116 key->pk_algorithm,
1117 key->params, key->params_size);
1118
1119 }
Implementation of the SSL/TLS protocol