void
doit (void)
{
gnutls_x509_privkey_t key;
gnutls_x509_crt_t crt;
gnutls_pubkey_t pubkey;
gnutls_privkey_t privkey;
gnutls_digest_algorithm_t hash_algo;
gnutls_sign_algorithm_t sign_algo;
gnutls_datum_t signature;
gnutls_datum_t signature2;
int ret;
size_t i;
gnutls_global_init ();
gnutls_global_set_log_function (tls_log_func);
if (debug)
gnutls_global_set_log_level (6);
for (i = 0; i < sizeof (key_dat) / sizeof (key_dat[0]); i++)
{
if (debug)
success ("loop %d\n", (int) i);
ret = gnutls_x509_privkey_init (&key);
if (ret < 0)
fail ("gnutls_x509_privkey_init\n");
ret =
gnutls_x509_privkey_import (key, &key_dat[i], GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail ("gnutls_x509_privkey_import\n");
ret = gnutls_pubkey_init (&pubkey);
if (ret < 0)
fail ("gnutls_privkey_init\n");
ret = gnutls_privkey_init (&privkey);
if (ret < 0)
fail ("gnutls_pubkey_init\n");
ret = gnutls_privkey_import_x509 (privkey, key, 0);
if (ret < 0)
fail ("gnutls_privkey_import_x509\n");
ret = gnutls_privkey_sign_hash (privkey, GNUTLS_DIG_SHA1, 0,
&hash_data, &signature2);
if (ret < 0)
fail ("gnutls_privkey_sign_hash\n");
ret = gnutls_privkey_sign_data (privkey, GNUTLS_DIG_SHA1, 0,
&raw_data, &signature);
if (ret < 0)
fail ("gnutls_x509_privkey_sign_hash\n");
ret = gnutls_x509_crt_init (&crt);
if (ret < 0)
fail ("gnutls_x509_crt_init\n");
ret = gnutls_x509_crt_import (crt, &cert_dat[i], GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail ("gnutls_x509_crt_import\n");
ret =
gnutls_pubkey_import_x509 (pubkey, crt, 0);
if (ret < 0)
fail ("gnutls_x509_pubkey_import\n");
ret =
gnutls_pubkey_get_verify_algorithm (pubkey, &signature, &hash_algo);
if (ret < 0 || hash_algo != GNUTLS_DIG_SHA1)
fail ("gnutls_x509_crt_get_verify_algorithm\n");
ret = gnutls_pubkey_verify_hash (pubkey, 0, &hash_data, &signature);
if (ret < 0)
fail ("gnutls_x509_pubkey_verify_hash\n");
ret =
gnutls_pubkey_get_verify_algorithm (pubkey, &signature2, &hash_algo);
if (ret < 0 || hash_algo != GNUTLS_DIG_SHA1)
fail ("gnutls_x509_crt_get_verify_algorithm (hashed data)\n");
ret = gnutls_pubkey_verify_hash (pubkey, 0, &hash_data, &signature2);
if (ret < 0)
fail ("gnutls_x509_pubkey_verify_hash-1 (hashed data)\n");
/* should fail */
ret = gnutls_pubkey_verify_hash (pubkey, 0, &invalid_hash_data, &signature2);
if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED)
fail ("gnutls_x509_pubkey_verify_hash-2 (hashed data)\n");
sign_algo = gnutls_pk_to_sign(gnutls_pubkey_get_pk_algorithm(pubkey, NULL),
GNUTLS_DIG_SHA1);
ret = gnutls_pubkey_verify_hash2 (pubkey, sign_algo, 0, &hash_data, &signature2);
if (ret < 0)
fail ("gnutls_x509_pubkey_verify_hash2-1 (hashed data)\n");
/* should fail */
ret = gnutls_pubkey_verify_hash2 (pubkey, sign_algo, 0, &invalid_hash_data, &signature2);
if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED)
fail ("gnutls_x509_pubkey_verify_hash2-2 (hashed data)\n");
gnutls_free(signature.data);
gnutls_free(signature2.data);
gnutls_x509_privkey_deinit (key);
gnutls_x509_crt_deinit (crt);
gnutls_privkey_deinit (privkey);
gnutls_pubkey_deinit (pubkey);
}
gnutls_global_deinit ();
}
static int
verify_tls_hash (gnutls_protocol_t ver, gnutls_pcert_st* cert,
const gnutls_datum_t * hash_concat,
gnutls_datum_t * signature, size_t sha1pos,
gnutls_pk_algorithm_t pk_algo)
{
int ret;
gnutls_datum_t vdata;
unsigned int key_usage = 0, flags;
if (cert == NULL)
{
gnutls_assert ();
return GNUTLS_E_CERTIFICATE_ERROR;
}
gnutls_pubkey_get_key_usage(cert->pubkey, &key_usage);
/* If the certificate supports signing continue.
*/
if (key_usage != 0)
if (!(key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
{
gnutls_assert ();
return GNUTLS_E_KEY_USAGE_VIOLATION;
}
if (pk_algo == GNUTLS_PK_UNKNOWN)
pk_algo = gnutls_pubkey_get_pk_algorithm(cert->pubkey, NULL);
switch (pk_algo)
{
case GNUTLS_PK_RSA:
vdata.data = hash_concat->data;
vdata.size = hash_concat->size;
/* verify signature */
if (!_gnutls_version_has_selectable_sighash (ver))
flags = GNUTLS_PUBKEY_VERIFY_FLAG_TLS_RSA;
else
flags = 0;
break;
case GNUTLS_PK_DSA:
vdata.data = &hash_concat->data[sha1pos];
vdata.size = hash_concat->size - sha1pos;
flags = 0;
break;
default:
gnutls_assert ();
return GNUTLS_E_INTERNAL_ERROR;
}
ret = gnutls_pubkey_verify_hash(cert->pubkey, flags, &vdata,
signature);
if (ret < 0)
return gnutls_assert_val(ret);
return 0;
}