bool
PublicKey::checkSignature(const Blob& data, const Blob& signature) const {
if (!pk)
return false;
const gnutls_datum_t sig {(uint8_t*)signature.data(), (unsigned)signature.size()};
const gnutls_datum_t dat {(uint8_t*)data.data(), (unsigned)data.size()};
int rc = gnutls_pubkey_verify_data2(pk, GNUTLS_SIGN_RSA_SHA512, 0, &dat, &sig);
return rc >= 0;
}
int main(void)
{
gnutls_x509_crt_t crt;
gnutls_pubkey_t pubkey;
gnutls_datum_t data = { (void *) "foo", 3 };
gnutls_datum_t sig = { (void *) "bar", 3 };
int ret;
global_init();
ret = gnutls_x509_crt_init(&crt);
if (ret < 0)
return 1;
ret = gnutls_pubkey_init(&pubkey);
if (ret < 0)
return 1;
ret =
gnutls_x509_crt_import(crt, &dsa_cert_dat,
GNUTLS_X509_FMT_PEM);
if (ret < 0)
return 1;
ret = gnutls_pubkey_import_x509(pubkey, crt, 0);
if (ret < 0)
return 1;
ret = gnutls_pubkey_verify_data2(pubkey, GNUTLS_SIGN_DSA_SHA1, 0, &data, &sig);
if (ret < 0 && ret != GNUTLS_E_PK_SIG_VERIFY_FAILED)
return 1;
//printf ("success!\n");
gnutls_x509_crt_deinit(crt);
gnutls_pubkey_deinit(pubkey);
gnutls_global_deinit();
return 0;
}
void doit(void)
{
char buf[128];
int ret;
const char *lib, *bin;
gnutls_x509_crt_t crt;
gnutls_x509_privkey_t key;
gnutls_datum_t tmp, sig;
gnutls_privkey_t pkey;
gnutls_pubkey_t pubkey;
gnutls_pubkey_t pubkey2;
unsigned i, sigalgo;
bin = softhsm_bin();
lib = softhsm_lib();
ret = global_init();
if (ret != 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
}
gnutls_pkcs11_set_pin_function(pin_func, NULL);
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(4711);
set_softhsm_conf(CONFIG);
snprintf(buf, sizeof(buf),
"%s --init-token --slot 0 --label test --so-pin " PIN " --pin "
PIN, bin);
system(buf);
ret = gnutls_pkcs11_add_provider(lib, NULL);
if (ret < 0) {
fail("gnutls_x509_crt_init: %s\n", gnutls_strerror(ret));
}
if (verify_eddsa_presence() == 0) {
fprintf(stderr, "Skipping test as no EDDSA mech is supported\n");
exit(77);
}
ret = gnutls_x509_crt_init(&crt);
if (ret < 0)
fail("gnutls_x509_crt_init: %s\n", gnutls_strerror(ret));
ret =
gnutls_x509_crt_import(crt, &server_ca3_eddsa_cert,
GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("gnutls_x509_crt_import: %s\n", gnutls_strerror(ret));
if (debug) {
gnutls_x509_crt_print(crt, GNUTLS_CRT_PRINT_ONELINE, &tmp);
printf("\tCertificate: %.*s\n", tmp.size, tmp.data);
gnutls_free(tmp.data);
}
ret = gnutls_x509_privkey_init(&key);
if (ret < 0) {
fail("gnutls_x509_privkey_init: %s\n", gnutls_strerror(ret));
}
ret =
gnutls_x509_privkey_import(key, &server_ca3_eddsa_key,
GNUTLS_X509_FMT_PEM);
if (ret < 0) {
fail("gnutls_x509_privkey_import: %s\n", gnutls_strerror(ret));
}
/* initialize softhsm token */
ret = gnutls_pkcs11_token_init(SOFTHSM_URL, PIN, "test");
if (ret < 0) {
fail("gnutls_pkcs11_token_init: %s\n", gnutls_strerror(ret));
}
ret =
gnutls_pkcs11_token_set_pin(SOFTHSM_URL, NULL, PIN,
GNUTLS_PIN_USER);
if (ret < 0) {
fail("gnutls_pkcs11_token_set_pin: %s\n", gnutls_strerror(ret));
}
ret = gnutls_pkcs11_copy_x509_crt(SOFTHSM_URL, crt, "cert",
GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE |
GNUTLS_PKCS11_OBJ_FLAG_LOGIN);
if (ret < 0) {
fail("gnutls_pkcs11_copy_x509_crt: %s\n", gnutls_strerror(ret));
}
ret =
gnutls_pkcs11_copy_x509_privkey(SOFTHSM_URL, key, "cert",
GNUTLS_KEY_DIGITAL_SIGNATURE |
GNUTLS_KEY_KEY_ENCIPHERMENT,
GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE
|
GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE
| GNUTLS_PKCS11_OBJ_FLAG_LOGIN);
if (ret < 0) {
fail("gnutls_pkcs11_copy_x509_privkey: %s\n",
gnutls_strerror(ret));
}
gnutls_x509_crt_deinit(crt);
gnutls_x509_privkey_deinit(key);
gnutls_pkcs11_set_pin_function(NULL, NULL);
assert(gnutls_privkey_init(&pkey) == 0);
ret =
gnutls_privkey_import_pkcs11_url(pkey,
SOFTHSM_URL
";object=cert;object-type=private;pin-value="
PIN);
if (ret < 0) {
fail("error in gnutls_privkey_import_pkcs11_url: %s\n", gnutls_strerror(ret));
}
assert(gnutls_pubkey_init(&pubkey) == 0);
assert(gnutls_pubkey_import_privkey(pubkey, pkey, 0, 0) == 0);
assert(gnutls_pubkey_init(&pubkey2) == 0);
assert(gnutls_pubkey_import_x509_raw
(pubkey2, &server_ca3_eddsa_cert, GNUTLS_X509_FMT_PEM, 0) == 0);
/* this is the algorithm supported by the certificate */
sigalgo = GNUTLS_SIGN_EDDSA_ED25519;
for (i = 0; i < 20; i++) {
/* check whether privkey and pubkey are operational
* by signing and verifying */
ret =
gnutls_privkey_sign_data2(pkey, sigalgo, 0,
&testdata, &sig);
if (ret < 0)
myfail("Error signing data %s\n", gnutls_strerror(ret));
/* verify against the pubkey in PKCS #11 */
ret =
gnutls_pubkey_verify_data2(pubkey, sigalgo, 0,
&testdata, &sig);
if (ret < 0)
myfail("Error verifying data1: %s\n",
gnutls_strerror(ret));
/* verify against the raw pubkey */
ret =
gnutls_pubkey_verify_data2(pubkey2, sigalgo, 0,
&testdata, &sig);
if (ret < 0)
myfail("Error verifying data2: %s\n",
gnutls_strerror(ret));
gnutls_free(sig.data);
}
gnutls_pubkey_deinit(pubkey2);
gnutls_pubkey_deinit(pubkey);
gnutls_privkey_deinit(pkey);
gnutls_global_deinit();
remove(CONFIG);
}
void
pkcs11_test_sign(FILE * outfile, const char *url, unsigned int flags,
common_info_st * info)
{
gnutls_privkey_t privkey;
gnutls_pubkey_t pubkey;
int ret;
gnutls_datum_t data, sig = {NULL, 0};
int pk;
pkcs11_common(info);
FIX(url, outfile, 0, info);
data.data = (void*)TEST_DATA;
data.size = sizeof(TEST_DATA)-1;
ret = gnutls_privkey_init(&privkey);
if (ret < 0) {
fprintf(stderr, "Error in %s:%d: %s\n", __func__,
__LINE__, gnutls_strerror(ret));
exit(1);
}
ret = gnutls_pubkey_init(&pubkey);
if (ret < 0) {
fprintf(stderr, "Error in %s:%d: %s\n", __func__,
__LINE__, gnutls_strerror(ret));
exit(1);
}
ret = gnutls_privkey_import_url(privkey, url, flags);
if (ret < 0) {
fprintf(stderr, "Cannot import private key: %s\n",
gnutls_strerror(ret));
exit(1);
}
ret = gnutls_pubkey_import_privkey(pubkey, privkey, GNUTLS_KEY_DIGITAL_SIGNATURE, flags);
if (ret < 0) {
fprintf(stderr, "Cannot import public key: %s\n",
gnutls_strerror(ret));
exit(1);
}
ret = gnutls_privkey_sign_data(privkey, GNUTLS_DIG_SHA1, 0, &data, &sig);
if (ret < 0) {
fprintf(stderr, "Cannot sign data: %s\n",
gnutls_strerror(ret));
exit(1);
}
pk = gnutls_pubkey_get_pk_algorithm(pubkey, NULL);
fprintf(stderr, "Verifying against private key parameters... ");
ret = gnutls_pubkey_verify_data2(pubkey, gnutls_pk_to_sign(pk, GNUTLS_DIG_SHA1),
0, &data, &sig);
if (ret < 0) {
fprintf(stderr, "Cannot verify signed data: %s\n",
gnutls_strerror(ret));
exit(1);
}
fprintf(stderr, "ok\n");
/* now try to verify against a public key within the token */
gnutls_pubkey_deinit(pubkey);
ret = gnutls_pubkey_init(&pubkey);
if (ret < 0) {
fprintf(stderr, "Error in %s:%d: %s\n", __func__,
__LINE__, gnutls_strerror(ret));
exit(1);
}
ret = gnutls_pubkey_import_url(pubkey, url, flags);
if (ret < 0) {
fprintf(stderr, "Cannot find a corresponding public key object in token: %s\n",
gnutls_strerror(ret));
if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
exit(0);
exit(1);
}
fprintf(stderr, "Verifying against public key in the token... ");
ret = gnutls_pubkey_verify_data2(pubkey, gnutls_pk_to_sign(pk, GNUTLS_DIG_SHA1),
0, &data, &sig);
if (ret < 0) {
fprintf(stderr, "Cannot verify signed data: %s\n",
gnutls_strerror(ret));
exit(1);
}
fprintf(stderr, "ok\n");
gnutls_free(sig.data);
gnutls_pubkey_deinit(pubkey);
gnutls_privkey_deinit(privkey);
UNFIX;
}