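/**
 * Sign a buffer with this private key, using SHA-512 as the digest.
 *
 * @param data  bytes to sign.
 * @return the signature bytes produced by gnutls_privkey_sign_data().
 * @throws CryptoException if no private key is set, if the input is too
 *         large to be described by a gnutls_datum_t, or if GnuTLS fails
 *         to produce a signature.
 */
Blob
PrivateKey::sign(const Blob& data) const
{
    if (!key)
        throw CryptoException("Can't sign data: no private key set !");

    // gnutls_datum_t stores its length as an unsigned int. Refuse inputs
    // whose size does not survive the conversion: a silently truncated
    // length would yield a valid signature over only part of the data.
    const unsigned size = static_cast<unsigned>(data.size());
    if (size != data.size())
        throw CryptoException("Can't sign data !");

    gnutls_datum_t sig;
    const gnutls_datum_t dat {(unsigned char*)data.data(), size};
    if (gnutls_privkey_sign_data(key, GNUTLS_DIG_SHA512, 0, &dat, &sig) != GNUTLS_E_SUCCESS)
        throw CryptoException("Can't sign data !");

    // sig.data is owned by us from here on; release it even if copying
    // into the Blob throws.
    try {
        Blob ret(sig.data, sig.data + sig.size);
        gnutls_free(sig.data);
        return ret;
    } catch (...) {
        gnutls_free(sig.data);
        throw;
    }
}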
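/**
 * Sign @base_string with the PEM-encoded private key in @key (SHA-1 digest)
 * and return the signature as a base64 string without line breaks.
 *
 * @param base_string  NUL-terminated text to sign.
 * @param key          NUL-terminated PEM encoding of the private key.
 * @return a newly allocated, NUL-terminated base64 string that the caller
 *         releases with g_free(), or NULL if an argument is NULL, the key
 *         cannot be imported, or signing fails.
 */
static gchar*
_make_rsasha1_base64_signature(const gchar* base_string, const gchar* key)
{
    gnutls_privkey_t pkey = NULL;
    gnutls_x509_privkey_t x509_pkey = NULL;
    gnutls_datum_t pkey_data;
    gnutls_datum_t base_data;
    gnutls_datum_t signature = { NULL, 0 };
    gchar* out = NULL;
    gchar* p;
    gint state = 0;
    gint save = 0;
    int res;

    if (base_string == NULL || key == NULL) {
        return NULL;
    }

    pkey_data.data = (guchar*)key;
    pkey_data.size = strlen(key);

    /* The message to sign is the base string. The previous code passed the
     * PEM key datum to gnutls_privkey_sign_data() and never read
     * base_string, so the result was a signature over the private key text
     * instead of over the request. */
    base_data.data = (guchar*)base_string;
    base_data.size = strlen(base_string);

    /* Check both initialisers so the cleanup below never sees a handle that
     * was not set up. */
    res = gnutls_privkey_init(&pkey);
    if (res != GNUTLS_E_SUCCESS) {
        pkey = NULL;
        goto out;
    }

    res = gnutls_x509_privkey_init(&x509_pkey);
    if (res != GNUTLS_E_SUCCESS) {
        x509_pkey = NULL;
        goto out;
    }

    res = gnutls_x509_privkey_import(x509_pkey, &pkey_data, GNUTLS_X509_FMT_PEM);
    if (res != GNUTLS_E_SUCCESS) {
        goto out;
    }

    /* flags == 0: pkey only references x509_pkey, so both are released
     * separately at the end. */
    res = gnutls_privkey_import_x509(pkey, x509_pkey, 0);
    if (res != GNUTLS_E_SUCCESS) {
        goto out;
    }

    /* NOTE(review): SHA-1 is kept because the function's name fixes the
     * scheme to RSA-SHA1; presumably the peer verifies with the same
     * digest -- confirm before changing it. */
    res = gnutls_privkey_sign_data(pkey, GNUTLS_DIG_SHA1, 0, &base_data, &signature);
    if (res != GNUTLS_E_SUCCESS) {
        goto out;
    }

    /* Buffer size follows the GLib rule for g_base64_encode_step() without
     * line breaks; g_malloc0() provides the terminating NUL. */
    out = g_malloc0((signature.size / 3 + 1) * 4 + 4);
    p = out;
    p += g_base64_encode_step(signature.data, signature.size, FALSE, p, &state, &save);
    g_base64_encode_close(FALSE, p, &state, &save);

    gnutls_free(signature.data);

out:
    if (x509_pkey != NULL) {
        gnutls_x509_privkey_deinit(x509_pkey);
    }
    if (pkey != NULL) {
        gnutls_privkey_deinit(pkey);
    }

    return out;
}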
/*
 * Thread entry point: signs the file-level `testdata` buffer with the
 * private key carried in the thread argument, using SHA-256.
 *
 * arg points to a thread_data_st. The thread exits with status -2 if
 * gnutls_privkey_sign_data() reports an error and with 0 otherwise; the
 * signature itself is discarded.
 */
static void *start_thread(void *arg)
{
	thread_data_st *td = arg;
	gnutls_datum_t signature;
	int rc;

	rc = gnutls_privkey_sign_data(td->pkey, GNUTLS_DIG_SHA256, 0,
				      &testdata, &signature);
	if (rc < 0)
		pthread_exit((void*)-2);

	/* Only the return code matters here; drop the signature buffer. */
	gnutls_free(signature.data);

	pthread_exit(0);
}
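/**
 * Sign the current contents of @fp with @key and append the result to the
 * file as: a three-word header (EET_MAGIC_SIGN, signature length,
 * certificate length, all in network byte order), the signature, and the
 * DER-encoded certificate.
 *
 * The file is mapped read-only through its descriptor, so the signature
 * covers what fstat()/mmap() see at the time of the call.
 * NOTE(review): nothing here flushes @fp first; presumably the caller has
 * already flushed pending stdio writes -- confirm, otherwise buffered data
 * is not covered by the signature.
 *
 * NOTE(review): both back ends hard-code SHA-1 as the digest. Changing it
 * presumably has to be coordinated with the code that verifies these
 * signatures -- confirm before touching it.
 *
 * @param fp   stream of the file to sign; must be backed by a descriptor.
 * @param key  key object providing ->certificate and ->private_key.
 * @return EET_ERROR_NONE on success, otherwise the Eet_Error describing the
 *         step that failed. Without HAVE_SIGNATURE the function always
 *         returns EET_ERROR_NOT_IMPLEMENTED.
 */
Eet_Error
eet_identity_sign(FILE    *fp,
                  Eet_Key *key)
{
#ifdef HAVE_SIGNATURE
   Eet_Error err = EET_ERROR_NONE;
   struct stat st_buf;
   void *data;
   int fd;
   int head[3];
   unsigned char *sign = NULL;
   unsigned char *cert = NULL;
# ifdef HAVE_GNUTLS
   gnutls_datum_t datum = { NULL, 0 };
   size_t sign_len = 0;
   size_t cert_len = 0;
   gnutls_datum_t signum = { NULL, 0 };
   gnutls_privkey_t privkey = NULL;
# else /* ifdef HAVE_GNUTLS */
#  if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
   EVP_MD_CTX *md_ctx;
#  else
   EVP_MD_CTX md_ctx;
#  endif
   unsigned int sign_len = 0;
   int cert_len = 0;
   int signed_ok;
# endif /* ifdef HAVE_GNUTLS */

   /* Argument checks. */
   if (!fp || !key || !key->certificate || !key->private_key)
     return EET_ERROR_BAD_OBJECT;

   if (!emile_cipher_init()) return EET_ERROR_NOT_IMPLEMENTED;

   /* Get the file size. */
   fd = fileno(fp);
   if (fd < 0)
     return EET_ERROR_BAD_OBJECT;

   if (fstat(fd, &st_buf) < 0)
     return EET_ERROR_MMAP_FAILED;

   /* let's make mmap safe and just get 0 pages for IO error */
   eina_mmap_safety_enabled_set(EINA_TRUE);

   /* Map the file in memory. */
   data = mmap(NULL, st_buf.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
   if (data == MAP_FAILED)
     return EET_ERROR_MMAP_FAILED;

# ifdef HAVE_GNUTLS
   datum.data = data;
   datum.size = st_buf.st_size;

   /* gnutls_datum_t holds the length as an unsigned int. If the file size
    * does not survive that conversion the signature would cover only part
    * of the file, so refuse instead of signing a truncated view. */
   if ((off_t)datum.size != st_buf.st_size)
     {
        err = EET_ERROR_SIGNATURE_FAILED;
        goto on_error;
     }

   /* Wrap the X.509 private key in an abstract key handle. With flags == 0
    * the handle only references key->private_key, so releasing the handle
    * in the cleanup path does not free the caller's key. */
   if (gnutls_privkey_init(&privkey) < 0)
     {
        privkey = NULL;
        err = EET_ERROR_SIGNATURE_FAILED;
        goto on_error;
     }

   if (gnutls_privkey_import_x509(privkey, key->private_key, 0) < 0)
     {
        err = EET_ERROR_SIGNATURE_FAILED;
        goto on_error;
     }

   /* Do the signature; GnuTLS allocates signum.data. */
   if (gnutls_privkey_sign_data(privkey, GNUTLS_DIG_SHA1, 0, &datum, &signum) < 0)
     {
        err = EET_ERROR_SIGNATURE_FAILED;
        goto on_error;
     }

   sign = signum.data;
   sign_len = signum.size;

   /* Get the certificate length: export into a NULL buffer, which is
    * expected to fail while filling in cert_len. */
   if (gnutls_x509_crt_export(key->certificate, GNUTLS_X509_FMT_DER, cert,
                              &cert_len) &&
       !cert_len)
     {
        err = EET_ERROR_SIGNATURE_FAILED;
        goto on_error;
     }

   /* Get the certificate */
   cert = malloc(cert_len);
   if (!cert ||
       gnutls_x509_crt_export(key->certificate, GNUTLS_X509_FMT_DER, cert,
                              &cert_len))
     {
        if (!cert)
          err = EET_ERROR_OUT_OF_MEMORY;
        else
          err = EET_ERROR_SIGNATURE_FAILED;

        goto on_error;
     }

# else /* ifdef HAVE_GNUTLS */
   sign_len = EVP_PKEY_size(key->private_key);
   sign = malloc(sign_len);
   if (!sign)
     {
        err = EET_ERROR_OUT_OF_MEMORY;
        goto on_error;
     }

   /* Do the signature. The OpenSSL status (1 on success) is kept in its own
    * variable: storing it in err made a successful run return 1 instead of
    * EET_ERROR_NONE, unlike the GnuTLS path. */
#  if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
   md_ctx = EVP_MD_CTX_new();
   if (!md_ctx)
     {
        err = EET_ERROR_OUT_OF_MEMORY;
        goto on_error;
     }
   EVP_SignInit(md_ctx, EVP_sha1());
   EVP_SignUpdate(md_ctx, data, st_buf.st_size);
   signed_ok = EVP_SignFinal(md_ctx,
                             sign,
                             (unsigned int *)&sign_len,
                             key->private_key);
   EVP_MD_CTX_free(md_ctx);
#  else
   EVP_SignInit(&md_ctx, EVP_sha1());
   EVP_SignUpdate(&md_ctx, data, st_buf.st_size);
   signed_ok = EVP_SignFinal(&md_ctx,
                             sign,
                             (unsigned int *)&sign_len,
                             key->private_key);
   EVP_MD_CTX_cleanup(&md_ctx);
#  endif
   if (signed_ok != 1)
     {
        ERR_print_errors_fp(stdout);
        err = EET_ERROR_SIGNATURE_FAILED;
        goto on_error;
     }

   /* Give me the der (binary form for X509). */
   cert_len = i2d_X509(key->certificate, &cert);
   if (cert_len < 0)
     {
        ERR_print_errors_fp(stdout);
        err = EET_ERROR_X509_ENCODING_FAILED;
        goto on_error;
     }

# endif /* ifdef HAVE_GNUTLS */
   /* Append the signature at the end of the file. */
   head[0] = (int)htonl ((unsigned int)EET_MAGIC_SIGN);
   head[1] = (int)htonl ((unsigned int)sign_len);
   head[2] = (int)htonl ((unsigned int)cert_len);

   if (fwrite(head, sizeof(head), 1, fp) != 1)
     {
        err = EET_ERROR_WRITE_ERROR;
        goto on_error;
     }

   if (fwrite(sign, sign_len, 1, fp) != 1)
     {
        err = EET_ERROR_WRITE_ERROR;
        goto on_error;
     }

   if (fwrite(cert, cert_len, 1, fp) != 1)
     {
        err = EET_ERROR_WRITE_ERROR;
        goto on_error;
     }

on_error:
# ifdef HAVE_GNUTLS
   /* The key handle used to be leaked on every path. */
   if (privkey)
     gnutls_privkey_deinit(privkey);
   free(cert);
   /* The signature buffer came from GnuTLS, so hand it back to GnuTLS. */
   gnutls_free(sign);
# else /* ifdef HAVE_GNUTLS */
   if (cert)
     OPENSSL_free(cert);
   free(sign);
# endif /* ifdef HAVE_GNUTLS */

   munmap(data, st_buf.st_size);
   return err;

#else /* ifdef HAVE_SIGNATURE */
   /* Signing support is compiled out; touch the arguments so they do not
    * count as unused. */
   fp = NULL;
   key = NULL;
   return EET_ERROR_NOT_IMPLEMENTED;
#endif /* ifdef HAVE_SIGNATURE */
}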
/*-
 * _gnutls_x509_pkix_sign - sign a CRL or a certificate with the issuer's key
 * @src: the ASN1_TYPE holding the structure to sign
 * @src_name: name of the to-be-signed element inside @src; ".issuer" and
 *   ".signature" are appended to it to address the fields written here
 * @dig: digest algorithm used for the signature
 * @issuer: the certificate of the issuer
 * @issuer_key: the issuer's private key
 *
 * Copies the subject of @issuer into the issuer field of @src, writes the
 * signature parameters, signs the to-be-signed data with @issuer_key and
 * stores the resulting signature and algorithm identifier in @src.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 *   negative error value.
 -*/
int
_gnutls_x509_pkix_sign (ASN1_TYPE src, const char *src_name,
                        gnutls_digest_algorithm_t dig,
                        gnutls_x509_crt_t issuer, gnutls_privkey_t issuer_key)
{
  char path[128];
  gnutls_datum_t to_be_signed;
  gnutls_datum_t sig;
  int pk_algo;
  int rc;

  /* Step 1. The issuer of @src is the subject of the issuer certificate. */
  _gnutls_str_cpy (path, sizeof (path), src_name);
  _gnutls_str_cat (path, sizeof (path), ".issuer");

  rc = asn1_copy_node (src, path, issuer->cert, "tbsCertificate.subject");
  if (rc != ASN1_SUCCESS)
    {
      gnutls_assert ();
      return _gnutls_asn2err (rc);
    }

  /* Step 1.5. Record the signature parameters inside the to-be-signed
   * part, so they are covered by the signature computed below. */
  _gnutls_str_cpy (path, sizeof (path), src_name);
  _gnutls_str_cat (path, sizeof (path), ".signature");

  pk_algo = gnutls_privkey_get_pk_algorithm (issuer_key, NULL);
  rc = _gnutls_x509_write_sig_params (src, path, pk_algo, dig);
  if (rc < 0)
    {
      gnutls_assert ();
      return rc;
    }

  /* Step 2. Extract the to-be-signed bytes and sign them. */
  rc = _gnutls_x509_get_tbs (src, src_name, &to_be_signed);
  if (rc < 0)
    {
      gnutls_assert ();
      return rc;
    }

  rc = gnutls_privkey_sign_data (issuer_key, dig, 0, &to_be_signed, &sig);
  /* The extracted data is no longer needed, whether signing worked or not. */
  gnutls_free (to_be_signed.data);

  if (rc < 0)
    {
      gnutls_assert ();
      return rc;
    }

  /* The signature is written with its length given in bits. */
  rc = asn1_write_value (src, "signature", sig.data, sig.size * 8);
  _gnutls_free_datum (&sig);

  if (rc != ASN1_SUCCESS)
    {
      gnutls_assert ();
      return _gnutls_asn2err (rc);
    }

  /* Step 3. Move up and write the outer AlgorithmIdentifier, which carries
   * the same parameters as the one written in step 1.5. */
  pk_algo = gnutls_privkey_get_pk_algorithm (issuer_key, NULL);
  rc = _gnutls_x509_write_sig_params (src, "signatureAlgorithm", pk_algo, dig);
  if (rc < 0)
    {
      gnutls_assert ();
      return rc;
    }

  return 0;
}
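/*
 * Load a TPM-resident key and bind it to @pkey.
 *
 * The key is taken from @fdata (in @format) when @fdata is non-NULL,
 * otherwise it is looked up by @uuid in @storage. After registering the
 * TPM callbacks on @pkey, a signature over the file-level `nulldata`
 * buffer is attempted; if that reports GNUTLS_E_TPM_KEY_PASSWORD_ERROR a
 * usage policy is created for the key and @key_password is set as its
 * secret.
 *
 * Returns 0 on success or a negative GnuTLS error code.
 */
static int
import_tpm_key(gnutls_privkey_t pkey,
	       const gnutls_datum_t * fdata,
	       gnutls_tpmkey_fmt_t format,
	       TSS_UUID * uuid,
	       TSS_FLAG storage,
	       const char *srk_password, const char *key_password)
{
	int err, ret;
	struct tpm_ctx_st *s;
	/* Initialised so the buffer can be released unconditionally. */
	gnutls_datum_t tmp_sig = { NULL, 0 };

	s = gnutls_malloc(sizeof(*s));
	if (s == NULL) {
		gnutls_assert();
		return GNUTLS_E_MEMORY_ERROR;
	}

	ret = tpm_open_session(s, srk_password);
	if (ret < 0) {
		gnutls_assert();
		goto out_ctx;
	}

	if (fdata != NULL) {
		ret =
		    load_key(s->tpm_ctx, s->srk, fdata, format,
			     &s->tpm_key);
		if (ret < 0) {
			gnutls_assert();
			goto out_session;
		}
	} else if (uuid) {
		err =
		    Tspi_Context_LoadKeyByUUID(s->tpm_ctx, storage,
					       *uuid, &s->tpm_key);
		if (err) {
			gnutls_assert();
			ret = tss_err(err);
			goto out_session;
		}
	} else {
		/* Neither key data nor a UUID was supplied. */
		gnutls_assert();
		ret = GNUTLS_E_INVALID_REQUEST;
		goto out_session;
	}

	ret =
	    gnutls_privkey_import_ext2(pkey, GNUTLS_PK_RSA, s,
				       tpm_sign_fn, NULL, tpm_deinit_fn,
				       0);
	if (ret < 0) {
		gnutls_assert();
		goto out_session;
	}

	/* NOTE(review): from here on pkey holds `s` together with
	 * tpm_deinit_fn, while the error labels below still close the
	 * session and free `s`. Presumably pkey must be detached from `s`
	 * before that happens, or a later deinit of pkey would touch freed
	 * memory -- confirm against the callers. */

	/* Probe signature: its only purpose is to find out whether the key
	 * asks for a password. */
	ret =
	    gnutls_privkey_sign_data(pkey, GNUTLS_DIG_SHA1, 0, &nulldata,
				     &tmp_sig);
	if (ret == GNUTLS_E_TPM_KEY_PASSWORD_ERROR) {
		if (!s->tpm_key_policy) {
			err =
			    Tspi_Context_CreateObject(s->tpm_ctx,
						      TSS_OBJECT_TYPE_POLICY,
						      TSS_POLICY_USAGE,
						      &s->tpm_key_policy);
			if (err) {
				gnutls_assert();
				ret = tss_err(err);
				goto out_key;
			}

			err =
			    Tspi_Policy_AssignToObject(s->tpm_key_policy,
						       s->tpm_key);
			if (err) {
				gnutls_assert();
				ret = tss_err(err);
				goto out_key_policy;
			}
		}

		err = myTspi_Policy_SetSecret(s->tpm_key_policy,
					      SAFE_LEN(key_password),
					      (void *) key_password);
		if (err) {
			gnutls_assert();
			ret = tss_err_key(err);
			goto out_key_policy;
		}
	} else if (ret < 0) {
		gnutls_assert();
		goto out_session;
	} else {
		/* The probe succeeded; its signature was leaked before. */
		gnutls_free(tmp_sig.data);
	}

	return 0;

out_key_policy:
	Tspi_Context_CloseObject(s->tpm_ctx, s->tpm_key_policy);
	s->tpm_key_policy = 0;
out_key:
	Tspi_Context_CloseObject(s->tpm_ctx, s->tpm_key);
	s->tpm_key = 0;
out_session:
	tpm_close_session(s);
out_ctx:
	gnutls_free(s);
	return ret;
}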
/*
 * Self-test for a PKCS #11 private key: sign TEST_DATA with the key at
 * @url and verify the signature twice, first with the public key derived
 * from the private key object and then with the public key object
 * imported from the same URL.
 *
 * Progress and errors go to stderr. Any failure terminates the process
 * with exit(1); if no public key object can be imported and the error is
 * GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE the process ends with exit(0).
 *
 * outfile, url and info are handed to the FIX() macro, whose expansion is
 * not visible here.
 */
void
pkcs11_test_sign(FILE * outfile, const char *url, unsigned int flags,
		 common_info_st * info)
{
	gnutls_privkey_t privkey;
	gnutls_pubkey_t pubkey;
	int ret;
	gnutls_datum_t data, sig = {NULL, 0};
	int pk;

	pkcs11_common(info);

	FIX(url, outfile, 0, info);

	/* sizeof - 1: sign the text without its terminating NUL. */
	data.data = (void*)TEST_DATA;
	data.size = sizeof(TEST_DATA)-1;

	ret = gnutls_privkey_init(&privkey);
	if (ret < 0) {
		fprintf(stderr, "Error in %s:%d: %s\n", __func__,
			__LINE__, gnutls_strerror(ret));
		exit(1);
	}

	ret = gnutls_pubkey_init(&pubkey);
	if (ret < 0) {
		fprintf(stderr, "Error in %s:%d: %s\n", __func__,
			__LINE__, gnutls_strerror(ret));
		exit(1);
	}

	ret = gnutls_privkey_import_url(privkey, url, flags);
	if (ret < 0) {
		fprintf(stderr, "Cannot import private key: %s\n",
			gnutls_strerror(ret));
		exit(1);
	}

	/* First public key: taken from the private key object itself. */
	ret = gnutls_pubkey_import_privkey(pubkey, privkey, GNUTLS_KEY_DIGITAL_SIGNATURE, flags);
	if (ret < 0) {
		fprintf(stderr, "Cannot import public key: %s\n",
			gnutls_strerror(ret));
		exit(1);
	}

	/* The digest is fixed to SHA-1 here and in both verifications. */
	ret = gnutls_privkey_sign_data(privkey, GNUTLS_DIG_SHA1, 0, &data, &sig);
	if (ret < 0) {
		fprintf(stderr, "Cannot sign data: %s\n",
			gnutls_strerror(ret));
		exit(1);
	}

	/* pk is reused below for the second verification as well. */
	pk = gnutls_pubkey_get_pk_algorithm(pubkey, NULL);

	fprintf(stderr, "Verifying against private key parameters... ");
	ret = gnutls_pubkey_verify_data2(pubkey, gnutls_pk_to_sign(pk, GNUTLS_DIG_SHA1),
		0, &data, &sig);
	if (ret < 0) {
		fprintf(stderr, "Cannot verify signed data: %s\n",
			gnutls_strerror(ret));
		exit(1);
	}

	fprintf(stderr, "ok\n");

	/* now try to verify against a public key within the token */
	gnutls_pubkey_deinit(pubkey);
	ret = gnutls_pubkey_init(&pubkey);
	if (ret < 0) {
		fprintf(stderr, "Error in %s:%d: %s\n", __func__,
			__LINE__, gnutls_strerror(ret));
		exit(1);
	}

	ret = gnutls_pubkey_import_url(pubkey, url, flags);
	if (ret < 0) {
		fprintf(stderr, "Cannot find a corresponding public key object in token: %s\n",
			gnutls_strerror(ret));
		/* A missing public key object is reported but is not treated
		 * as a failure of the test. */
		if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
			exit(0);
		exit(1);
	}

	fprintf(stderr, "Verifying against public key in the token... ");
	ret = gnutls_pubkey_verify_data2(pubkey, gnutls_pk_to_sign(pk, GNUTLS_DIG_SHA1),
		0, &data, &sig);
	if (ret < 0) {
		fprintf(stderr, "Cannot verify signed data: %s\n",
			gnutls_strerror(ret));
		exit(1);
	}

	fprintf(stderr, "ok\n");

	/* Cleanup is reached only on full success; every failure path above
	 * leaves through exit(). */
	gnutls_free(sig.data);
	gnutls_pubkey_deinit(pubkey);
	gnutls_privkey_deinit(privkey);
	UNFIX;
}
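/*
 * Load a TPM-resident key and bind it to @pkey.
 *
 * The key is taken from @fdata (in @format) when @fdata is non-NULL,
 * otherwise it is looked up by @uuid in @storage. If the key's AUTHUSAGE
 * attribute is set, @_key_password is required: a usage policy is created
 * and the normalized password is set as its secret. Finally the TPM
 * callbacks are registered on @pkey and a signature over the file-level
 * `nulldata` buffer is made to check that the key is usable.
 *
 * Returns 0 on success or a negative GnuTLS error code;
 * GNUTLS_E_TPM_KEY_PASSWORD_ERROR when the key needs a password and none
 * was given.
 */
static int
import_tpm_key(gnutls_privkey_t pkey,
	       const gnutls_datum_t * fdata,
	       gnutls_tpmkey_fmt_t format,
	       TSS_UUID * uuid,
	       TSS_FLAG storage,
	       const char *srk_password, const char *_key_password)
{
	int err, ret;
	struct tpm_ctx_st *s;
	/* Initialised so the buffer can be released unconditionally. */
	gnutls_datum_t tmp_sig = { NULL, 0 };
	char *key_password = NULL;
	size_t key_password_size = 0;
	uint32_t authusage;

	s = gnutls_malloc(sizeof(*s));
	if (s == NULL) {
		gnutls_assert();
		return GNUTLS_E_MEMORY_ERROR;
	}

	if (_key_password != NULL) {
		gnutls_datum_t pout;
		ret = _gnutls_utf8_password_normalize(_key_password, strlen(_key_password), &pout, 1);
		if (ret < 0) {
			gnutls_assert();
			goto out_ctx;
		}
		/* Private copy of the password; wiped before it is freed. */
		key_password = (char*)pout.data;
		key_password_size = pout.size;
	}

	/* normalization of srk_password happens in tpm_open_session() */

	ret = tpm_open_session(s, srk_password, 1);
	if (ret < 0) {
		gnutls_assert();
		goto out_ctx;
	}

	if (fdata != NULL) {
		ret =
		    load_key(s->tpm_ctx, s->srk, fdata, format,
			     &s->tpm_key);
		if (ret < 0) {
			gnutls_assert();
			goto out_session;
		}
	} else if (uuid) {
		err =
		    pTspi_Context_LoadKeyByUUID(s->tpm_ctx, storage,
					       *uuid, &s->tpm_key);
		if (err) {
			gnutls_assert();
			ret = tss_err(err);
			goto out_session;
		}
	} else {
		/* Neither key data nor a UUID was supplied. */
		gnutls_assert();
		ret = GNUTLS_E_INVALID_REQUEST;
		goto out_session;
	}

	err = pTspi_GetAttribUint32(s->tpm_key, TSS_TSPATTRIB_KEY_INFO,
				    TSS_TSPATTRIB_KEYINFO_AUTHUSAGE,
				    &authusage);
	if (err) {
		gnutls_assert();
		ret = tss_err(err);
		goto out_session;
	}

	if (authusage) {
		/* The key demands authorization: fail early without a
		 * password instead of letting the TPM reject the probe. */
		if (!_key_password) {
			ret = GNUTLS_E_TPM_KEY_PASSWORD_ERROR;
			goto out_session;
		}

		err = pTspi_Context_CreateObject(s->tpm_ctx,
						 TSS_OBJECT_TYPE_POLICY,
						 TSS_POLICY_USAGE,
						 &s->tpm_key_policy);
		if (err) {
			gnutls_assert();
			ret = tss_err(err);
			goto out_key;
		}

		err = pTspi_Policy_AssignToObject(s->tpm_key_policy,
						  s->tpm_key);
		if (err) {
			gnutls_assert();
			ret = tss_err(err);
			goto out_key_policy;
		}

		err = myTspi_Policy_SetSecret(s->tpm_key_policy,
					      SAFE_LEN(key_password),
					      (void *) key_password);
		if (err) {
			gnutls_assert();
			ret = tss_err_key(err);
			goto out_key_policy;
		}
	}

	ret =
	    gnutls_privkey_import_ext2(pkey, GNUTLS_PK_RSA, s,
				       tpm_sign_fn, NULL, tpm_deinit_fn,
				       0);
	if (ret < 0) {
		gnutls_assert();
		goto out_session;
	}

	/* Probe signature: only its return code is of interest. */
	ret =
	    gnutls_privkey_sign_data(pkey, GNUTLS_DIG_SHA1, 0, &nulldata,
				     &tmp_sig);
	if (ret < 0) {
		gnutls_assert();
		goto out_session;
	}

	/* The probe signature was leaked before. */
	gnutls_free(tmp_sig.data);

	/* Clear the password copy before the allocator gets the memory
	 * back; gnutls_memset() is not optimised away. */
	if (key_password != NULL)
		gnutls_memset(key_password, 0, key_password_size);
	gnutls_free(key_password);

	return 0;

out_key_policy:
	pTspi_Context_CloseObject(s->tpm_ctx, s->tpm_key_policy);
	s->tpm_key_policy = 0;
out_key:
	pTspi_Context_CloseObject(s->tpm_ctx, s->tpm_key);
	s->tpm_key = 0;
out_session:
	/* Detach pkey before `s` goes away, since pkey may already hold `s`
	 * and its deinit callback. */
	_gnutls_privkey_cleanup(pkey);
	tpm_close_session(s);
out_ctx:
	gnutls_free(s);
	if (key_password != NULL)
		gnutls_memset(key_password, 0, key_password_size);
	gnutls_free(key_password);
	return ret;
}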
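/*
 * Test driver: for every entry of key_dat/cert_dat, import the key pair,
 * sign hash_data (as a pre-computed hash) and raw_data (as data) with
 * SHA-1, and check that
 *   - both signatures verify against hash_data,
 *   - verification against invalid_hash_data reports
 *     GNUTLS_E_PK_SIG_VERIFY_FAILED,
 *   - for RSA keys, the TLS 1.x raw-hash flag and the legacy
 *     gnutls_privkey_sign_raw_data() API produce verifiable signatures.
 *
 * Presumably hash_data is the SHA-1 digest of raw_data, since the
 * signature over raw_data is verified against it -- see the file-level
 * definitions.
 *
 * Any unexpected result is reported through fail(). The failure labels
 * name the call that actually failed.
 */
void doit(void)
{
	gnutls_x509_privkey_t key;
	gnutls_x509_crt_t crt;
	gnutls_pubkey_t pubkey;
	gnutls_privkey_t privkey;
	gnutls_sign_algorithm_t sign_algo;
	gnutls_datum_t signature;
	gnutls_datum_t signature2;
	int ret;
	size_t i;

	global_init();

	gnutls_global_set_log_function(tls_log_func);
	if (debug)
		gnutls_global_set_log_level(6);

	for (i = 0; i < sizeof(key_dat) / sizeof(key_dat[0]); i++) {
		if (debug)
			success("loop %d\n", (int) i);

		ret = gnutls_x509_privkey_init(&key);
		if (ret < 0)
			fail("gnutls_x509_privkey_init\n");

		ret =
		    gnutls_x509_privkey_import(key, &key_dat[i],
					       GNUTLS_X509_FMT_PEM);
		if (ret < 0)
			fail("gnutls_x509_privkey_import\n");

		/* The labels of the next two checks used to be swapped. */
		ret = gnutls_pubkey_init(&pubkey);
		if (ret < 0)
			fail("gnutls_pubkey_init\n");

		ret = gnutls_privkey_init(&privkey);
		if (ret < 0)
			fail("gnutls_privkey_init\n");

		ret = gnutls_privkey_import_x509(privkey, key, 0);
		if (ret < 0)
			fail("gnutls_privkey_import_x509\n");

		/* signature2: over the pre-computed hash. */
		ret =
		    gnutls_privkey_sign_hash(privkey, GNUTLS_DIG_SHA1, 0,
					     &hash_data, &signature2);
		if (ret < 0)
			fail("gnutls_privkey_sign_hash\n");

		/* signature: over the raw data, hashed by the library. */
		ret =
		    gnutls_privkey_sign_data(privkey, GNUTLS_DIG_SHA1, 0,
					     &raw_data, &signature);
		if (ret < 0)
			fail("gnutls_privkey_sign_data\n");

		ret = gnutls_x509_crt_init(&crt);
		if (ret < 0)
			fail("gnutls_x509_crt_init\n");

		ret =
		    gnutls_x509_crt_import(crt, &cert_dat[i],
					   GNUTLS_X509_FMT_PEM);
		if (ret < 0)
			fail("gnutls_x509_crt_import\n");

		ret = gnutls_pubkey_import_x509(pubkey, crt, 0);
		if (ret < 0)
			fail("gnutls_x509_pubkey_import\n");

		ret = gnutls_x509_crt_get_signature_algorithm(crt);
		if (ret != GNUTLS_SIGN_RSA_SHA1)
			fail("gnutls_crt_get_signature_algorithm\n");

		ret =
		    gnutls_pubkey_verify_hash2(pubkey, GNUTLS_SIGN_RSA_SHA1,
					       0, &hash_data, &signature);
		if (ret < 0)
			fail("gnutls_x509_pubkey_verify_hash2\n");

		ret =
		    gnutls_pubkey_verify_hash2(pubkey, GNUTLS_SIGN_RSA_SHA1,
					       0, &hash_data, &signature2);
		if (ret < 0)
			fail("gnutls_x509_pubkey_verify_hash-1 (hashed data)\n");

		/* should fail */
		ret =
		    gnutls_pubkey_verify_hash2(pubkey, GNUTLS_SIGN_RSA_SHA1,
					       0, &invalid_hash_data,
					       &signature2);
		if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED)
			fail("gnutls_x509_pubkey_verify_hash-2 (hashed data)\n");

		/* Same checks with the algorithm derived from the key type. */
		sign_algo =
		    gnutls_pk_to_sign(gnutls_pubkey_get_pk_algorithm
				      (pubkey, NULL), GNUTLS_DIG_SHA1);

		ret =
		    gnutls_pubkey_verify_hash2(pubkey, sign_algo, 0,
					       &hash_data, &signature2);
		if (ret < 0)
			fail("gnutls_x509_pubkey_verify_hash2-1 (hashed data)\n");

		/* should fail */
		ret =
		    gnutls_pubkey_verify_hash2(pubkey, sign_algo, 0,
					       &invalid_hash_data,
					       &signature2);
		if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED)
			fail("gnutls_x509_pubkey_verify_hash2-2 (hashed data)\n");

		/* test the raw interface */
		gnutls_free(signature.data);
		/* Reset so the free after the RSA block is a no-op for
		 * non-RSA keys. */
		signature.data = NULL;

		if (gnutls_pubkey_get_pk_algorithm(pubkey, NULL) ==
		    GNUTLS_PK_RSA) {
			ret =
			    gnutls_privkey_sign_hash(privkey,
						     GNUTLS_DIG_SHA1,
						     GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA,
						     &hash_data,
						     &signature);
			if (ret < 0)
				fail("gnutls_privkey_sign_hash: %s\n",
				     gnutls_strerror(ret));

			sign_algo =
			    gnutls_pk_to_sign
			    (gnutls_pubkey_get_pk_algorithm(pubkey, NULL),
			     GNUTLS_DIG_SHA1);

			ret =
			    gnutls_pubkey_verify_hash2(pubkey, sign_algo,
						       GNUTLS_PUBKEY_VERIFY_FLAG_TLS1_RSA,
						       &hash_data,
						       &signature);
			if (ret < 0)
				fail("gnutls_pubkey_verify_hash-3 (raw hashed data)\n");

			gnutls_free(signature.data);

			/* test the legacy API */
			ret =
			    gnutls_privkey_sign_raw_data(privkey, 0,
							 &hash_data,
							 &signature);
			if (ret < 0)
				fail("gnutls_privkey_sign_raw_data: %s\n",
				     gnutls_strerror(ret));

			ret =
			    gnutls_pubkey_verify_hash2(pubkey, sign_algo,
						       GNUTLS_PUBKEY_VERIFY_FLAG_TLS1_RSA,
						       &hash_data,
						       &signature);
			if (ret < 0)
				fail("gnutls_pubkey_verify_hash-4 (legacy raw hashed data)\n");
		}

		gnutls_free(signature.data);
		gnutls_free(signature2.data);
		gnutls_x509_privkey_deinit(key);
		gnutls_x509_crt_deinit(crt);
		gnutls_privkey_deinit(privkey);
		gnutls_pubkey_deinit(pubkey);
	}

	gnutls_global_deinit();
}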
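/*
 * Test driver: for every entry of key_dat/cert_dat, import the key pair,
 * sign hash_data (as a pre-computed hash) and raw_data (as data) with
 * SHA-1, and check that
 *   - the digest detected from each signature is SHA-1,
 *   - both signatures verify against hash_data,
 *   - verification against invalid_hash_data reports
 *     GNUTLS_E_PK_SIG_VERIFY_FAILED, through both
 *     gnutls_pubkey_verify_hash() and gnutls_pubkey_verify_hash2().
 *
 * Presumably hash_data is the SHA-1 digest of raw_data, since the
 * signature over raw_data is verified against it -- see the file-level
 * definitions.
 *
 * Any unexpected result is reported through fail(). The failure labels
 * name the call that actually failed.
 */
void
doit (void)
{
  gnutls_x509_privkey_t key;
  gnutls_x509_crt_t crt;
  gnutls_pubkey_t pubkey;
  gnutls_privkey_t privkey;
  gnutls_digest_algorithm_t hash_algo;
  gnutls_sign_algorithm_t sign_algo;
  gnutls_datum_t signature;
  gnutls_datum_t signature2;
  int ret;
  size_t i;

  /* The result of library initialisation used to be ignored. */
  ret = gnutls_global_init ();
  if (ret < 0)
    fail ("gnutls_global_init\n");

  gnutls_global_set_log_function (tls_log_func);
  if (debug)
    gnutls_global_set_log_level (6);

  for (i = 0; i < sizeof (key_dat) / sizeof (key_dat[0]); i++)
    {
      if (debug)
        success ("loop %d\n", (int) i);

      ret = gnutls_x509_privkey_init (&key);
      if (ret < 0)
        fail ("gnutls_x509_privkey_init\n");

      ret = gnutls_x509_privkey_import (key, &key_dat[i],
                                        GNUTLS_X509_FMT_PEM);
      if (ret < 0)
        fail ("gnutls_x509_privkey_import\n");

      /* The labels of the next two checks used to be swapped. */
      ret = gnutls_pubkey_init (&pubkey);
      if (ret < 0)
        fail ("gnutls_pubkey_init\n");

      ret = gnutls_privkey_init (&privkey);
      if (ret < 0)
        fail ("gnutls_privkey_init\n");

      ret = gnutls_privkey_import_x509 (privkey, key, 0);
      if (ret < 0)
        fail ("gnutls_privkey_import_x509\n");

      /* signature2: over the pre-computed hash. */
      ret = gnutls_privkey_sign_hash (privkey, GNUTLS_DIG_SHA1, 0,
                                      &hash_data, &signature2);
      if (ret < 0)
        fail ("gnutls_privkey_sign_hash\n");

      /* signature: over the raw data, hashed by the library. */
      ret = gnutls_privkey_sign_data (privkey, GNUTLS_DIG_SHA1, 0,
                                      &raw_data, &signature);
      if (ret < 0)
        fail ("gnutls_privkey_sign_data\n");

      ret = gnutls_x509_crt_init (&crt);
      if (ret < 0)
        fail ("gnutls_x509_crt_init\n");

      ret = gnutls_x509_crt_import (crt, &cert_dat[i], GNUTLS_X509_FMT_PEM);
      if (ret < 0)
        fail ("gnutls_x509_crt_import\n");

      ret = gnutls_pubkey_import_x509 (pubkey, crt, 0);
      if (ret < 0)
        fail ("gnutls_x509_pubkey_import\n");

      ret = gnutls_pubkey_get_verify_algorithm (pubkey, &signature,
                                                &hash_algo);
      if (ret < 0 || hash_algo != GNUTLS_DIG_SHA1)
        fail ("gnutls_x509_crt_get_verify_algorithm\n");

      ret = gnutls_pubkey_verify_hash (pubkey, 0, &hash_data, &signature);
      if (ret < 0)
        fail ("gnutls_x509_pubkey_verify_hash\n");

      ret = gnutls_pubkey_get_verify_algorithm (pubkey, &signature2,
                                                &hash_algo);
      if (ret < 0 || hash_algo != GNUTLS_DIG_SHA1)
        fail ("gnutls_x509_crt_get_verify_algorithm (hashed data)\n");

      ret = gnutls_pubkey_verify_hash (pubkey, 0, &hash_data, &signature2);
      if (ret < 0)
        fail ("gnutls_x509_pubkey_verify_hash-1 (hashed data)\n");

      /* should fail */
      ret = gnutls_pubkey_verify_hash (pubkey, 0, &invalid_hash_data,
                                       &signature2);
      if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED)
        fail ("gnutls_x509_pubkey_verify_hash-2 (hashed data)\n");

      /* Same checks through the interface that takes the signature
       * algorithm explicitly. */
      sign_algo = gnutls_pk_to_sign(gnutls_pubkey_get_pk_algorithm(pubkey, NULL),
                                    GNUTLS_DIG_SHA1);

      ret = gnutls_pubkey_verify_hash2 (pubkey, sign_algo, 0, &hash_data,
                                        &signature2);
      if (ret < 0)
        fail ("gnutls_x509_pubkey_verify_hash2-1 (hashed data)\n");

      /* should fail */
      ret = gnutls_pubkey_verify_hash2 (pubkey, sign_algo, 0,
                                        &invalid_hash_data, &signature2);
      if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED)
        fail ("gnutls_x509_pubkey_verify_hash2-2 (hashed data)\n");

      gnutls_free(signature.data);
      gnutls_free(signature2.data);
      gnutls_x509_privkey_deinit (key);
      gnutls_x509_crt_deinit (crt);
      gnutls_privkey_deinit (privkey);
      gnutls_pubkey_deinit (pubkey);
    }

  gnutls_global_deinit ();
}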