/*
 * Check 'signature' over 'data' using the public key held in the
 * 'issuer' certificate.
 *
 *   algo      - digest algorithm, forwarded unchanged to pubkey_verify_data()
 *   data      - the signed data
 *   signature - the signature to check
 *   issuer    - certificate whose public key parameters are used
 *
 * Returns the negative error code from _gnutls_x509_crt_get_mpis() when the
 * issuer key cannot be read; otherwise returns the result of
 * pubkey_verify_data(), negative on failure.  The original comment documents
 * 1 on success and GNUTLS_E_PK_VERIFY_SIG_FAILED on failure.
 * NOTE(review): the public GnuTLS constant is spelled
 * GNUTLS_E_PK_SIG_VERIFY_FAILED; confirm which value callers compare against.
 */
int _gnutls_x509_verify_data(gnutls_digest_algorithm_t algo,
                             const gnutls_datum_t *data,
                             const gnutls_datum_t *signature,
                             gnutls_x509_crt_t issuer)
{
    gnutls_pk_params_st key_params;
    int pk_algo;
    int rc;

    /* Load the issuer's public key parameters (MPIs). */
    rc = _gnutls_x509_crt_get_mpis(issuer, &key_params);
    if (rc < 0) {
        gnutls_assert();
        return rc;
    }

    /* NOTE(review): the algorithm lookup result is passed on without a
     * check here; verify that pubkey_verify_data() rejects an error value. */
    pk_algo = gnutls_x509_crt_get_pk_algorithm(issuer, NULL);

    rc = pubkey_verify_data(pk_algo, algo, data, signature, &key_params);
    if (rc < 0)
        gnutls_assert();

    /* The MPIs are released on success and on verification failure alike. */
    gnutls_pk_params_release(&key_params);

    return rc;
}
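/*
 * Check 'signature' over 'data' using the public key held in the
 * 'issuer' certificate.
 *
 *   sign      - signature algorithm; resolved with _gnutls_sign_to_entry()
 *   data      - the signed data
 *   signature - the signature to check
 *   cert      - certificate being verified, or NULL.  When non-NULL its
 *               "signatureAlgorithm" parameters are read and validated
 *               against the issuer's subjectPublicKeyInfo algorithm.  When
 *               NULL the parameters are taken from the issuer key's SPKI and
 *               adjusted from the signature algorithm entry.
 *   issuer    - certificate whose public key parameters are used
 *   vflags    - verification flags, forwarded to pubkey_verify_data()
 *
 * Returns a negative error code on failure:
 * GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM when 'sign' has no entry, or the
 * error from the helper that failed.  Otherwise returns the result of
 * pubkey_verify_data().  The original comment documents 1 on success and
 * GNUTLS_E_PK_VERIFY_SIG_FAILED on failure.
 * NOTE(review): the public GnuTLS constant is spelled
 * GNUTLS_E_PK_SIG_VERIFY_FAILED; confirm which value callers compare against.
 */
static int _gnutls_x509_verify_data(gnutls_sign_algorithm_t sign,
				    const gnutls_datum_t *data,
				    const gnutls_datum_t *signature,
				    gnutls_x509_crt_t cert,
				    gnutls_x509_crt_t issuer,
				    unsigned vflags)
{
	gnutls_pk_params_st params;
	gnutls_pk_algorithm_t issuer_pk;
	int ret;
	gnutls_x509_spki_st sign_params;
	const gnutls_sign_entry_st *se;

	/* Read the MPI parameters from the issuer's certificate. */
	ret = _gnutls_x509_crt_get_mpis(issuer, &params);
	if (ret < 0) {
		gnutls_assert();
		return ret;
	}

	issuer_pk = gnutls_x509_crt_get_pk_algorithm(issuer, NULL);

	se = _gnutls_sign_to_entry(sign);
	if (se == NULL) {
		/* params already holds the issuer MPIs, so leave through
		 * cleanup instead of returning directly and leaking them. */
		ret = gnutls_assert_val(GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM);
		goto cleanup;
	}

	if (cert != NULL) {
		/* Take the signature parameters from the certificate itself. */
		ret = _gnutls_x509_read_sign_params(cert->cert,
						    "signatureAlgorithm",
						    &sign_params);
		if (ret < 0) {
			gnutls_assert();
			goto cleanup;
		}

		/* Any mismatch reported against the issuer's key algorithm
		 * aborts verification before the signature is checked. */
		ret = _gnutls_x509_validate_sign_params(issuer_pk,
							issuer->cert,
							"tbsCertificate."
							"subjectPublicKeyInfo."
							"algorithm",
							&sign_params);
		if (ret < 0) {
			gnutls_assert();
			goto cleanup;
		}
	} else {
		/* No certificate: start from the issuer key's SPKI and take
		 * the key type (and RSA-PSS digest) from the algorithm entry. */
		memcpy(&sign_params, &params.spki, sizeof(sign_params));

		sign_params.pk = se->pk;
		if (sign_params.pk == GNUTLS_PK_RSA_PSS)
			sign_params.rsa_pss_dig = se->hash;
	}

	ret = pubkey_verify_data(se, hash_to_entry(se->hash), data, signature,
				 &params, &sign_params, vflags);
	if (ret < 0) {
		gnutls_assert();
	}

cleanup:
	/* release all allocated MPIs */
	gnutls_pk_params_release(&params);

	return ret;
}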