Blob
PrivateKey::sign(const Blob& data) const
{
if (!key)
throw CryptoException("Can't sign data: no private key set !");
gnutls_datum_t sig;
const gnutls_datum_t dat {(unsigned char*)data.data(), (unsigned)data.size()};
if (gnutls_privkey_sign_data(key, GNUTLS_DIG_SHA512, 0, &dat, &sig) != GNUTLS_E_SUCCESS)
throw CryptoException("Can't sign data !");
Blob ret(sig.data, sig.data+sig.size);
gnutls_free(sig.data);
return ret;
}
static gchar* _make_rsasha1_base64_signature(const gchar* base_string,
const gchar* key)
{
gnutls_privkey_t pkey;
gnutls_x509_privkey_t x509_pkey;
gnutls_datum_t pkey_data;
gnutls_datum_t signature;
gchar* out = NULL;
pkey_data.data = (guchar*)key;
pkey_data.size = strlen(key);
gnutls_privkey_init(&pkey);
gnutls_x509_privkey_init(&x509_pkey);
int res = gnutls_x509_privkey_import(x509_pkey, &pkey_data, GNUTLS_X509_FMT_PEM);
if (res != GNUTLS_E_SUCCESS) {
goto out;
}
res = gnutls_privkey_import_x509(pkey, x509_pkey, 0);
if (res != GNUTLS_E_SUCCESS) {
goto out;
}
res = gnutls_privkey_sign_data(pkey, GNUTLS_DIG_SHA1, 0, &pkey_data,
&signature);
if (res != GNUTLS_E_SUCCESS) {
goto out;
}
out = g_malloc0((signature.size / 3 + 1) * 4 + 4);
gint state = 0;
gint save = 0;
gchar* p = out;
p += g_base64_encode_step(signature.data, signature.size,
FALSE, p, &state, &save);
g_base64_encode_close(FALSE, p, &state, &save);
gnutls_free(signature.data);
out:
gnutls_x509_privkey_deinit(x509_pkey);
gnutls_privkey_deinit(pkey);
return out;
}
static void *start_thread(void *arg)
{
thread_data_st *data = arg;
int ret;
gnutls_datum_t sig;
ret = gnutls_privkey_sign_data(data->pkey, GNUTLS_DIG_SHA256, 0, &testdata, &sig);
if (ret < 0)
pthread_exit((void*)-2);
gnutls_free(sig.data);
pthread_exit(0);
}
Eet_Error
eet_identity_sign(FILE *fp,
Eet_Key *key)
{
#ifdef HAVE_SIGNATURE
Eet_Error err = EET_ERROR_NONE;
struct stat st_buf;
void *data;
int fd;
int head[3];
unsigned char *sign = NULL;
unsigned char *cert = NULL;
# ifdef HAVE_GNUTLS
gnutls_datum_t datum = { NULL, 0 };
size_t sign_len = 0;
size_t cert_len = 0;
gnutls_datum_t signum = { NULL, 0 };
gnutls_privkey_t privkey;
# else /* ifdef HAVE_GNUTLS */
# if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
EVP_MD_CTX *md_ctx;
# else
EVP_MD_CTX md_ctx;
# endif
unsigned int sign_len = 0;
int cert_len = 0;
# endif /* ifdef HAVE_GNUTLS */
/* A few check and flush pending write. */
if (!fp || !key || !key->certificate || !key->private_key)
return EET_ERROR_BAD_OBJECT;
if (!emile_cipher_init()) return EET_ERROR_NOT_IMPLEMENTED;
/* Get the file size. */
fd = fileno(fp);
if (fd < 0)
return EET_ERROR_BAD_OBJECT;
if (fstat(fd, &st_buf) < 0)
return EET_ERROR_MMAP_FAILED;
/* let's make mmap safe and just get 0 pages for IO erro */
eina_mmap_safety_enabled_set(EINA_TRUE);
/* Map the file in memory. */
data = mmap(NULL, st_buf.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
if (data == MAP_FAILED)
return EET_ERROR_MMAP_FAILED;
# ifdef HAVE_GNUTLS
datum.data = data;
datum.size = st_buf.st_size;
/* Get the signature length */
if (gnutls_privkey_init(&privkey) < 0)
{
err = EET_ERROR_SIGNATURE_FAILED;
goto on_error;
}
if (gnutls_privkey_import_x509(privkey, key->private_key, 0) < 0)
{
err = EET_ERROR_SIGNATURE_FAILED;
goto on_error;
}
if (gnutls_privkey_sign_data(privkey, GNUTLS_DIG_SHA1, 0, &datum, &signum) < 0)
{
err = EET_ERROR_SIGNATURE_FAILED;
goto on_error;
}
sign = signum.data;
sign_len = signum.size;
/* Get the certificate length */
if (gnutls_x509_crt_export(key->certificate, GNUTLS_X509_FMT_DER, cert,
&cert_len) &&
!cert_len)
{
err = EET_ERROR_SIGNATURE_FAILED;
goto on_error;
}
/* Get the certificate */
cert = malloc(cert_len);
if (!cert ||
gnutls_x509_crt_export(key->certificate, GNUTLS_X509_FMT_DER, cert,
&cert_len))
{
if (!cert)
err = EET_ERROR_OUT_OF_MEMORY;
else
err = EET_ERROR_SIGNATURE_FAILED;
goto on_error;
}
# else /* ifdef HAVE_GNUTLS */
sign_len = EVP_PKEY_size(key->private_key);
sign = malloc(sign_len);
if (!sign)
{
err = EET_ERROR_OUT_OF_MEMORY;
goto on_error;
}
/* Do the signature. */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
md_ctx = EVP_MD_CTX_new();
EVP_SignInit(md_ctx, EVP_sha1());
EVP_SignUpdate(md_ctx, data, st_buf.st_size);
err = EVP_SignFinal(md_ctx,
sign,
(unsigned int *)&sign_len,
key->private_key);
EVP_MD_CTX_free(md_ctx);
#else
EVP_SignInit(&md_ctx, EVP_sha1());
EVP_SignUpdate(&md_ctx, data, st_buf.st_size);
err = EVP_SignFinal(&md_ctx,
sign,
(unsigned int *)&sign_len,
key->private_key);
EVP_MD_CTX_cleanup(&md_ctx);
#endif
if (err != 1)
{
ERR_print_errors_fp(stdout);
err = EET_ERROR_SIGNATURE_FAILED;
goto on_error;
}
/* Give me the der (binary form for X509). */
cert_len = i2d_X509(key->certificate, &cert);
if (cert_len < 0)
{
ERR_print_errors_fp(stdout);
err = EET_ERROR_X509_ENCODING_FAILED;
goto on_error;
}
# endif /* ifdef HAVE_GNUTLS */
/* Append the signature at the end of the file. */
head[0] = (int)htonl ((unsigned int)EET_MAGIC_SIGN);
head[1] = (int)htonl ((unsigned int)sign_len);
head[2] = (int)htonl ((unsigned int)cert_len);
if (fwrite(head, sizeof(head), 1, fp) != 1)
{
err = EET_ERROR_WRITE_ERROR;
goto on_error;
}
if (fwrite(sign, sign_len, 1, fp) != 1)
{
err = EET_ERROR_WRITE_ERROR;
goto on_error;
}
if (fwrite(cert, cert_len, 1, fp) != 1)
{
err = EET_ERROR_WRITE_ERROR;
goto on_error;
}
on_error:
# ifdef HAVE_GNUTLS
if (cert)
free(cert);
# else /* ifdef HAVE_GNUTLS */
if (cert)
OPENSSL_free(cert);
# endif /* ifdef HAVE_GNUTLS */
if (sign)
free(sign);
munmap(data, st_buf.st_size);
return err;
#else /* ifdef HAVE_SIGNATURE */
fp = NULL;
key = NULL;
return EET_ERROR_NOT_IMPLEMENTED;
#endif /* ifdef HAVE_SIGNATURE */
}
/*-
* _gnutls_x509_pkix_sign - This function will sign a CRL or a certificate with a key
* @src: should contain an ASN1_TYPE
* @issuer: is the certificate of the certificate issuer
* @issuer_key: holds the issuer's private key
*
* This function will sign a CRL or a certificate with the issuer's private key, and
* will copy the issuer's information into the CRL or certificate.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
-*/
int
_gnutls_x509_pkix_sign (ASN1_TYPE src, const char *src_name,
gnutls_digest_algorithm_t dig,
gnutls_x509_crt_t issuer, gnutls_privkey_t issuer_key)
{
int result;
gnutls_datum_t signature;
gnutls_datum_t tbs;
char name[128];
/* Step 1. Copy the issuer's name into the certificate.
*/
_gnutls_str_cpy (name, sizeof (name), src_name);
_gnutls_str_cat (name, sizeof (name), ".issuer");
result = asn1_copy_node (src, name, issuer->cert, "tbsCertificate.subject");
if (result != ASN1_SUCCESS)
{
gnutls_assert ();
return _gnutls_asn2err (result);
}
/* Step 1.5. Write the signature stuff in the tbsCertificate.
*/
_gnutls_str_cpy (name, sizeof (name), src_name);
_gnutls_str_cat (name, sizeof (name), ".signature");
result = _gnutls_x509_write_sig_params (src, name,
gnutls_privkey_get_pk_algorithm
(issuer_key, NULL), dig);
if (result < 0)
{
gnutls_assert ();
return result;
}
/* Step 2. Sign the certificate.
*/
result = _gnutls_x509_get_tbs (src, src_name, &tbs);
if (result < 0)
{
gnutls_assert ();
return result;
}
result = gnutls_privkey_sign_data (issuer_key, dig, 0, &tbs, &signature);
gnutls_free (tbs.data);
if (result < 0)
{
gnutls_assert ();
return result;
}
/* write the signature (bits)
*/
result =
asn1_write_value (src, "signature", signature.data, signature.size * 8);
_gnutls_free_datum (&signature);
if (result != ASN1_SUCCESS)
{
gnutls_assert ();
return _gnutls_asn2err (result);
}
/* Step 3. Move up and write the AlgorithmIdentifier, which is also
* the same.
*/
result = _gnutls_x509_write_sig_params (src, "signatureAlgorithm",
gnutls_privkey_get_pk_algorithm
(issuer_key, NULL), dig);
if (result < 0)
{
gnutls_assert ();
return result;
}
return 0;
}
static int
import_tpm_key(gnutls_privkey_t pkey,
const gnutls_datum_t * fdata,
gnutls_tpmkey_fmt_t format,
TSS_UUID * uuid,
TSS_FLAG storage,
const char *srk_password, const char *key_password)
{
int err, ret;
struct tpm_ctx_st *s;
gnutls_datum_t tmp_sig;
s = gnutls_malloc(sizeof(*s));
if (s == NULL) {
gnutls_assert();
return GNUTLS_E_MEMORY_ERROR;
}
ret = tpm_open_session(s, srk_password);
if (ret < 0) {
gnutls_assert();
goto out_ctx;
}
if (fdata != NULL) {
ret =
load_key(s->tpm_ctx, s->srk, fdata, format,
&s->tpm_key);
if (ret < 0) {
gnutls_assert();
goto out_session;
}
} else if (uuid) {
err =
Tspi_Context_LoadKeyByUUID(s->tpm_ctx, storage,
*uuid, &s->tpm_key);
if (err) {
gnutls_assert();
ret = tss_err(err);
goto out_session;
}
} else {
gnutls_assert();
ret = GNUTLS_E_INVALID_REQUEST;
goto out_session;
}
ret =
gnutls_privkey_import_ext2(pkey, GNUTLS_PK_RSA, s,
tpm_sign_fn, NULL, tpm_deinit_fn,
0);
if (ret < 0) {
gnutls_assert();
goto out_session;
}
ret =
gnutls_privkey_sign_data(pkey, GNUTLS_DIG_SHA1, 0, &nulldata,
&tmp_sig);
if (ret == GNUTLS_E_TPM_KEY_PASSWORD_ERROR) {
if (!s->tpm_key_policy) {
err = Tspi_Context_CreateObject(s->tpm_ctx,
TSS_OBJECT_TYPE_POLICY,
TSS_POLICY_USAGE,
&s->
tpm_key_policy);
if (err) {
gnutls_assert();
ret = tss_err(err);
goto out_key;
}
err =
Tspi_Policy_AssignToObject(s->tpm_key_policy,
s->tpm_key);
if (err) {
gnutls_assert();
ret = tss_err(err);
goto out_key_policy;
}
}
err = myTspi_Policy_SetSecret(s->tpm_key_policy,
SAFE_LEN(key_password),
(void *) key_password);
if (err) {
gnutls_assert();
ret = tss_err_key(err);
goto out_key_policy;
}
} else if (ret < 0) {
gnutls_assert();
goto out_session;
}
return 0;
out_key_policy:
Tspi_Context_CloseObject(s->tpm_ctx, s->tpm_key_policy);
s->tpm_key_policy = 0;
out_key:
Tspi_Context_CloseObject(s->tpm_ctx, s->tpm_key);
s->tpm_key = 0;
out_session:
tpm_close_session(s);
out_ctx:
gnutls_free(s);
return ret;
}
void
pkcs11_test_sign(FILE * outfile, const char *url, unsigned int flags,
common_info_st * info)
{
gnutls_privkey_t privkey;
gnutls_pubkey_t pubkey;
int ret;
gnutls_datum_t data, sig = {NULL, 0};
int pk;
pkcs11_common(info);
FIX(url, outfile, 0, info);
data.data = (void*)TEST_DATA;
data.size = sizeof(TEST_DATA)-1;
ret = gnutls_privkey_init(&privkey);
if (ret < 0) {
fprintf(stderr, "Error in %s:%d: %s\n", __func__,
__LINE__, gnutls_strerror(ret));
exit(1);
}
ret = gnutls_pubkey_init(&pubkey);
if (ret < 0) {
fprintf(stderr, "Error in %s:%d: %s\n", __func__,
__LINE__, gnutls_strerror(ret));
exit(1);
}
ret = gnutls_privkey_import_url(privkey, url, flags);
if (ret < 0) {
fprintf(stderr, "Cannot import private key: %s\n",
gnutls_strerror(ret));
exit(1);
}
ret = gnutls_pubkey_import_privkey(pubkey, privkey, GNUTLS_KEY_DIGITAL_SIGNATURE, flags);
if (ret < 0) {
fprintf(stderr, "Cannot import public key: %s\n",
gnutls_strerror(ret));
exit(1);
}
ret = gnutls_privkey_sign_data(privkey, GNUTLS_DIG_SHA1, 0, &data, &sig);
if (ret < 0) {
fprintf(stderr, "Cannot sign data: %s\n",
gnutls_strerror(ret));
exit(1);
}
pk = gnutls_pubkey_get_pk_algorithm(pubkey, NULL);
fprintf(stderr, "Verifying against private key parameters... ");
ret = gnutls_pubkey_verify_data2(pubkey, gnutls_pk_to_sign(pk, GNUTLS_DIG_SHA1),
0, &data, &sig);
if (ret < 0) {
fprintf(stderr, "Cannot verify signed data: %s\n",
gnutls_strerror(ret));
exit(1);
}
fprintf(stderr, "ok\n");
/* now try to verify against a public key within the token */
gnutls_pubkey_deinit(pubkey);
ret = gnutls_pubkey_init(&pubkey);
if (ret < 0) {
fprintf(stderr, "Error in %s:%d: %s\n", __func__,
__LINE__, gnutls_strerror(ret));
exit(1);
}
ret = gnutls_pubkey_import_url(pubkey, url, flags);
if (ret < 0) {
fprintf(stderr, "Cannot find a corresponding public key object in token: %s\n",
gnutls_strerror(ret));
if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
exit(0);
exit(1);
}
fprintf(stderr, "Verifying against public key in the token... ");
ret = gnutls_pubkey_verify_data2(pubkey, gnutls_pk_to_sign(pk, GNUTLS_DIG_SHA1),
0, &data, &sig);
if (ret < 0) {
fprintf(stderr, "Cannot verify signed data: %s\n",
gnutls_strerror(ret));
exit(1);
}
fprintf(stderr, "ok\n");
gnutls_free(sig.data);
gnutls_pubkey_deinit(pubkey);
gnutls_privkey_deinit(privkey);
UNFIX;
}
static int
import_tpm_key(gnutls_privkey_t pkey,
const gnutls_datum_t * fdata,
gnutls_tpmkey_fmt_t format,
TSS_UUID * uuid,
TSS_FLAG storage,
const char *srk_password, const char *_key_password)
{
int err, ret;
struct tpm_ctx_st *s;
gnutls_datum_t tmp_sig;
char *key_password = NULL;
uint32_t authusage;
s = gnutls_malloc(sizeof(*s));
if (s == NULL) {
gnutls_assert();
return GNUTLS_E_MEMORY_ERROR;
}
if (_key_password != NULL) {
gnutls_datum_t pout;
ret = _gnutls_utf8_password_normalize(_key_password, strlen(_key_password), &pout, 1);
if (ret < 0) {
gnutls_assert();
goto out_ctx;
}
key_password = (char*)pout.data;
}
/* normalization of srk_password happens in tpm_open_session() */
ret = tpm_open_session(s, srk_password, 1);
if (ret < 0) {
gnutls_assert();
goto out_ctx;
}
if (fdata != NULL) {
ret =
load_key(s->tpm_ctx, s->srk, fdata, format,
&s->tpm_key);
if (ret < 0) {
gnutls_assert();
goto out_session;
}
} else if (uuid) {
err =
pTspi_Context_LoadKeyByUUID(s->tpm_ctx, storage,
*uuid, &s->tpm_key);
if (err) {
gnutls_assert();
ret = tss_err(err);
goto out_session;
}
} else {
gnutls_assert();
ret = GNUTLS_E_INVALID_REQUEST;
goto out_session;
}
err = pTspi_GetAttribUint32(s->tpm_key, TSS_TSPATTRIB_KEY_INFO,
TSS_TSPATTRIB_KEYINFO_AUTHUSAGE,
&authusage);
if (err) {
gnutls_assert();
ret = tss_err(err);
goto out_session;
}
if (authusage) {
if (!_key_password) {
ret = GNUTLS_E_TPM_KEY_PASSWORD_ERROR;
goto out_session;
}
err = pTspi_Context_CreateObject(s->tpm_ctx,
TSS_OBJECT_TYPE_POLICY,
TSS_POLICY_USAGE,
&s->tpm_key_policy);
if (err) {
gnutls_assert();
ret = tss_err(err);
goto out_key;
}
err = pTspi_Policy_AssignToObject(s->tpm_key_policy,
s->tpm_key);
if (err) {
gnutls_assert();
ret = tss_err(err);
goto out_key_policy;
}
err = myTspi_Policy_SetSecret(s->tpm_key_policy,
SAFE_LEN(key_password),
(void *) key_password);
if (err) {
gnutls_assert();
ret = tss_err_key(err);
goto out_key_policy;
}
}
ret =
gnutls_privkey_import_ext2(pkey, GNUTLS_PK_RSA, s,
tpm_sign_fn, NULL, tpm_deinit_fn,
0);
if (ret < 0) {
gnutls_assert();
goto out_session;
}
ret =
gnutls_privkey_sign_data(pkey, GNUTLS_DIG_SHA1, 0, &nulldata,
&tmp_sig);
if (ret < 0) {
gnutls_assert();
goto out_session;
}
gnutls_free(key_password);
return 0;
out_key_policy:
pTspi_Context_CloseObject(s->tpm_ctx, s->tpm_key_policy);
s->tpm_key_policy = 0;
out_key:
pTspi_Context_CloseObject(s->tpm_ctx, s->tpm_key);
s->tpm_key = 0;
out_session:
_gnutls_privkey_cleanup(pkey);
tpm_close_session(s);
out_ctx:
gnutls_free(s);
gnutls_free(key_password);
return ret;
}
void doit(void)
{
gnutls_x509_privkey_t key;
gnutls_x509_crt_t crt;
gnutls_pubkey_t pubkey;
gnutls_privkey_t privkey;
gnutls_sign_algorithm_t sign_algo;
gnutls_datum_t signature;
gnutls_datum_t signature2;
int ret;
size_t i;
global_init();
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(6);
for (i = 0; i < sizeof(key_dat) / sizeof(key_dat[0]); i++) {
if (debug)
success("loop %d\n", (int) i);
ret = gnutls_x509_privkey_init(&key);
if (ret < 0)
fail("gnutls_x509_privkey_init\n");
ret =
gnutls_x509_privkey_import(key, &key_dat[i],
GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("gnutls_x509_privkey_import\n");
ret = gnutls_pubkey_init(&pubkey);
if (ret < 0)
fail("gnutls_privkey_init\n");
ret = gnutls_privkey_init(&privkey);
if (ret < 0)
fail("gnutls_pubkey_init\n");
ret = gnutls_privkey_import_x509(privkey, key, 0);
if (ret < 0)
fail("gnutls_privkey_import_x509\n");
ret = gnutls_privkey_sign_hash(privkey, GNUTLS_DIG_SHA1, 0,
&hash_data, &signature2);
if (ret < 0)
fail("gnutls_privkey_sign_hash\n");
ret = gnutls_privkey_sign_data(privkey, GNUTLS_DIG_SHA1, 0,
&raw_data, &signature);
if (ret < 0)
fail("gnutls_x509_privkey_sign_hash\n");
ret = gnutls_x509_crt_init(&crt);
if (ret < 0)
fail("gnutls_x509_crt_init\n");
ret =
gnutls_x509_crt_import(crt, &cert_dat[i],
GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("gnutls_x509_crt_import\n");
ret = gnutls_pubkey_import_x509(pubkey, crt, 0);
if (ret < 0)
fail("gnutls_x509_pubkey_import\n");
ret =
gnutls_x509_crt_get_signature_algorithm(crt);
if (ret != GNUTLS_SIGN_RSA_SHA1)
fail("gnutls_crt_get_signature_algorithm\n");
ret =
gnutls_pubkey_verify_hash2(pubkey, GNUTLS_SIGN_RSA_SHA1, 0, &hash_data,
&signature);
if (ret < 0)
fail("gnutls_x509_pubkey_verify_hash2\n");
ret =
gnutls_pubkey_verify_hash2(pubkey, GNUTLS_SIGN_RSA_SHA1, 0, &hash_data,
&signature2);
if (ret < 0)
fail("gnutls_x509_pubkey_verify_hash-1 (hashed data)\n");
/* should fail */
ret =
gnutls_pubkey_verify_hash2(pubkey, GNUTLS_SIGN_RSA_SHA1, 0,
&invalid_hash_data,
&signature2);
if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED)
fail("gnutls_x509_pubkey_verify_hash-2 (hashed data)\n");
sign_algo =
gnutls_pk_to_sign(gnutls_pubkey_get_pk_algorithm
(pubkey, NULL), GNUTLS_DIG_SHA1);
ret =
gnutls_pubkey_verify_hash2(pubkey, sign_algo, 0,
&hash_data, &signature2);
if (ret < 0)
fail("gnutls_x509_pubkey_verify_hash2-1 (hashed data)\n");
/* should fail */
ret =
gnutls_pubkey_verify_hash2(pubkey, sign_algo, 0,
&invalid_hash_data,
&signature2);
if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED)
fail("gnutls_x509_pubkey_verify_hash2-2 (hashed data)\n");
/* test the raw interface */
gnutls_free(signature.data);
signature.data = NULL;
if (gnutls_pubkey_get_pk_algorithm(pubkey, NULL) ==
GNUTLS_PK_RSA) {
ret =
gnutls_privkey_sign_hash(privkey,
GNUTLS_DIG_SHA1,
GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA,
&hash_data,
&signature);
if (ret < 0)
fail("gnutls_privkey_sign_hash: %s\n",
gnutls_strerror(ret));
sign_algo =
gnutls_pk_to_sign
(gnutls_pubkey_get_pk_algorithm(pubkey, NULL),
GNUTLS_DIG_SHA1);
ret =
gnutls_pubkey_verify_hash2(pubkey, sign_algo,
GNUTLS_PUBKEY_VERIFY_FLAG_TLS1_RSA,
&hash_data,
&signature);
if (ret < 0)
fail("gnutls_pubkey_verify_hash-3 (raw hashed data)\n");
gnutls_free(signature.data);
/* test the legacy API */
ret =
gnutls_privkey_sign_raw_data(privkey, 0,
&hash_data,
&signature);
if (ret < 0)
fail("gnutls_privkey_sign_raw_data: %s\n",
gnutls_strerror(ret));
ret =
gnutls_pubkey_verify_hash2(pubkey, sign_algo,
GNUTLS_PUBKEY_VERIFY_FLAG_TLS1_RSA,
&hash_data,
&signature);
if (ret < 0)
fail("gnutls_pubkey_verify_hash-4 (legacy raw hashed data)\n");
}
gnutls_free(signature.data);
gnutls_free(signature2.data);
gnutls_x509_privkey_deinit(key);
gnutls_x509_crt_deinit(crt);
gnutls_privkey_deinit(privkey);
gnutls_pubkey_deinit(pubkey);
}
gnutls_global_deinit();
}
void
doit (void)
{
gnutls_x509_privkey_t key;
gnutls_x509_crt_t crt;
gnutls_pubkey_t pubkey;
gnutls_privkey_t privkey;
gnutls_digest_algorithm_t hash_algo;
gnutls_sign_algorithm_t sign_algo;
gnutls_datum_t signature;
gnutls_datum_t signature2;
int ret;
size_t i;
gnutls_global_init ();
gnutls_global_set_log_function (tls_log_func);
if (debug)
gnutls_global_set_log_level (6);
for (i = 0; i < sizeof (key_dat) / sizeof (key_dat[0]); i++)
{
if (debug)
success ("loop %d\n", (int) i);
ret = gnutls_x509_privkey_init (&key);
if (ret < 0)
fail ("gnutls_x509_privkey_init\n");
ret =
gnutls_x509_privkey_import (key, &key_dat[i], GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail ("gnutls_x509_privkey_import\n");
ret = gnutls_pubkey_init (&pubkey);
if (ret < 0)
fail ("gnutls_privkey_init\n");
ret = gnutls_privkey_init (&privkey);
if (ret < 0)
fail ("gnutls_pubkey_init\n");
ret = gnutls_privkey_import_x509 (privkey, key, 0);
if (ret < 0)
fail ("gnutls_privkey_import_x509\n");
ret = gnutls_privkey_sign_hash (privkey, GNUTLS_DIG_SHA1, 0,
&hash_data, &signature2);
if (ret < 0)
fail ("gnutls_privkey_sign_hash\n");
ret = gnutls_privkey_sign_data (privkey, GNUTLS_DIG_SHA1, 0,
&raw_data, &signature);
if (ret < 0)
fail ("gnutls_x509_privkey_sign_hash\n");
ret = gnutls_x509_crt_init (&crt);
if (ret < 0)
fail ("gnutls_x509_crt_init\n");
ret = gnutls_x509_crt_import (crt, &cert_dat[i], GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail ("gnutls_x509_crt_import\n");
ret =
gnutls_pubkey_import_x509 (pubkey, crt, 0);
if (ret < 0)
fail ("gnutls_x509_pubkey_import\n");
ret =
gnutls_pubkey_get_verify_algorithm (pubkey, &signature, &hash_algo);
if (ret < 0 || hash_algo != GNUTLS_DIG_SHA1)
fail ("gnutls_x509_crt_get_verify_algorithm\n");
ret = gnutls_pubkey_verify_hash (pubkey, 0, &hash_data, &signature);
if (ret < 0)
fail ("gnutls_x509_pubkey_verify_hash\n");
ret =
gnutls_pubkey_get_verify_algorithm (pubkey, &signature2, &hash_algo);
if (ret < 0 || hash_algo != GNUTLS_DIG_SHA1)
fail ("gnutls_x509_crt_get_verify_algorithm (hashed data)\n");
ret = gnutls_pubkey_verify_hash (pubkey, 0, &hash_data, &signature2);
if (ret < 0)
fail ("gnutls_x509_pubkey_verify_hash-1 (hashed data)\n");
/* should fail */
ret = gnutls_pubkey_verify_hash (pubkey, 0, &invalid_hash_data, &signature2);
if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED)
fail ("gnutls_x509_pubkey_verify_hash-2 (hashed data)\n");
sign_algo = gnutls_pk_to_sign(gnutls_pubkey_get_pk_algorithm(pubkey, NULL),
GNUTLS_DIG_SHA1);
ret = gnutls_pubkey_verify_hash2 (pubkey, sign_algo, 0, &hash_data, &signature2);
if (ret < 0)
fail ("gnutls_x509_pubkey_verify_hash2-1 (hashed data)\n");
/* should fail */
ret = gnutls_pubkey_verify_hash2 (pubkey, sign_algo, 0, &invalid_hash_data, &signature2);
if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED)
fail ("gnutls_x509_pubkey_verify_hash2-2 (hashed data)\n");
gnutls_free(signature.data);
gnutls_free(signature2.data);
gnutls_x509_privkey_deinit (key);
gnutls_x509_crt_deinit (crt);
gnutls_privkey_deinit (privkey);
gnutls_pubkey_deinit (pubkey);
}
gnutls_global_deinit ();
}
