[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SCM] GNU gnutls branch, master, updated. gnutls_2_99_0-65-g1880d48
|
From: |
Nikos Mavrogiannopoulos |
|
Subject: |
[SCM] GNU gnutls branch, master, updated. gnutls_2_99_0-65-g1880d48 |
|
Date: |
Sun, 17 Apr 2011 21:55:05 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=1880d4807b8ff20e8e1fa4dd1104baea5802d193
The branch, master has been updated
via 1880d4807b8ff20e8e1fa4dd1104baea5802d193 (commit)
via 61d8cae724446a5f4531d20c285e186b9ba45b6d (commit)
from b4fb5cc26affff88970954b223215edb8df56e84 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 1880d4807b8ff20e8e1fa4dd1104baea5802d193
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sun Apr 17 23:54:59 2011 +0200
updated
commit 61d8cae724446a5f4531d20c285e186b9ba45b6d
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sun Apr 17 12:13:46 2011 +0200
Combined external abstract API with internal usage of gnutls_cert.
This results to a gnutls_pcert_st struct exported in abstract.h.
This change will allow a certificate retrieval callback that
does not require gnutls to decode or encode the provided certificate.
-----------------------------------------------------------------------
Summary of changes:
.gitignore | 2 +
lib/Makefile.am | 4 +-
lib/abstract_int.h | 7 +
lib/auth/cert.c | 217 +++++++++++++-------------
lib/auth/cert.h | 21 ++--
lib/auth/dhe.c | 10 +-
lib/auth/rsa.c | 55 ++++---
lib/auth/rsa_export.c | 35 ++---
lib/auth/srp_rsa.c | 10 +-
lib/ext/signature.c | 37 +----
lib/ext/signature.h | 5 +-
lib/gnutls_algorithms.c | 1 -
lib/gnutls_cert.c | 189 +----------------------
lib/gnutls_cert.h | 94 ------------
lib/gnutls_handshake.c | 1 -
lib/gnutls_int.h | 4 +-
lib/gnutls_mpi.c | 1 +
lib/gnutls_pcert.c | 328 ++++++++++++++++++++++++++++++++++++++++
lib/gnutls_privkey.c | 4 +-
lib/gnutls_pubkey.c | 142 ++++++++++++++++-
lib/gnutls_sig.c | 98 ++++++------
lib/gnutls_sig.h | 8 +-
lib/gnutls_state.c | 2 +-
lib/gnutls_ui.c | 2 +-
lib/gnutls_x509.c | 51 +++----
lib/gnutls_x509.h | 2 +-
lib/includes/gnutls/abstract.h | 37 +++++
lib/opencdk/pubkey.c | 3 +-
lib/openpgp/gnutls_openpgp.c | 180 +---------------------
lib/openpgp/gnutls_openpgp.h | 8 -
lib/openpgp/openpgp_int.h | 7 +-
lib/openpgp/pgp.c | 8 +-
lib/openpgp/pgpverify.c | 2 +-
lib/openpgp/privkey.c | 14 +-
lib/pkcs11_int.h | 1 +
lib/x509/common.h | 1 +
lib/x509/pkcs12_encr.c | 1 +
lib/x509/sign.c | 1 -
lib/x509/verify-high.c | 1 -
lib/x509/verify.c | 4 +-
lib/x509/x509.c | 1 +
lib/x509/x509_int.h | 6 +
42 files changed, 813 insertions(+), 792 deletions(-)
delete mode 100644 lib/gnutls_cert.h
create mode 100644 lib/gnutls_pcert.c
diff --git a/.gitignore b/.gitignore
index 2b60786..90c9940 100644
--- a/.gitignore
+++ b/.gitignore
@@ -453,3 +453,5 @@ lib/accelerated/intel/libintel.la
doc/cyclo/cyclo-gnutls.html
lib/ext/libgnutls_ext.la
lib/auth/libgnutls_auth.la
+tests/cipher-test
+tests/suite/x509paths/X509tests
diff --git a/lib/Makefile.am b/lib/Makefile.am
index 7afe690..bb5975c 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -72,7 +72,7 @@ COBJECTS = gnutls_record.c gnutls_compress.c debug.c
gnutls_cipher.c \
gnutls_dh_primes.c gnutls_alert.c system.c \
gnutls_str.c gnutls_state.c gnutls_x509.c gnutls_rsa_export.c \
gnutls_helper.c gnutls_supplemental.c crypto.c random.c \
- crypto-api.c gnutls_privkey.c \
+ crypto-api.c gnutls_privkey.c gnutls_pcert.c \
pkcs11.c pkcs11_privkey.c gnutls_pubkey.c pkcs11_write.c locks.c \
pkcs11_secret.c hash.c gnutls_dtls.c system_override.c
@@ -89,7 +89,7 @@ HFILES = abstract_int.h debug.h gnutls_compress.h
gnutls_cipher.h \
gnutls_dh.h gnutls_kx.h gnutls_hash_int.h gnutls_cipher_int.h \
gnutls_db.h gnutls_auth.h gnutls_extensions.h \
x509_b64.h gnutls_v2_compat.h gnutls_datum.h \
- gnutls_mpi.h gnutls_pk.h gnutls_record.h gnutls_cert.h \
+ gnutls_mpi.h gnutls_pk.h gnutls_record.h \
gnutls_constate.h gnutls_global.h gnutls_sig.h gnutls_mem.h \
gnutls_session_pack.h gnutls_str.h \
gnutls_state.h gnutls_x509.h \
diff --git a/lib/abstract_int.h b/lib/abstract_int.h
index d0bec14..45440fe 100644
--- a/lib/abstract_int.h
+++ b/lib/abstract_int.h
@@ -6,4 +6,11 @@
int _gnutls_privkey_get_public_mpis (gnutls_privkey_t key,
bigint_t * params, int *params_size);
+int _gnutls_pubkey_compatible_with_sig(gnutls_pubkey_t pubkey,
gnutls_protocol_t ver,
+ gnutls_sign_algorithm_t sign);
+int _gnutls_pubkey_is_over_rsa_512(gnutls_pubkey_t pubkey);
+int
+_gnutls_pubkey_get_mpis (gnutls_pubkey_t key,
+ bigint_t * params, int *params_size);
+
#endif
diff --git a/lib/auth/cert.c b/lib/auth/cert.c
index 2f20f0e..275e9bf 100644
--- a/lib/auth/cert.c
+++ b/lib/auth/cert.c
@@ -30,7 +30,6 @@
#include <gnutls_int.h>
#include "gnutls_auth.h"
#include "gnutls_errors.h"
-#include <gnutls_cert.h>
#include <auth/cert.h>
#include "gnutls_dh.h"
#include "gnutls_num.h"
@@ -53,11 +52,11 @@
static gnutls_privkey_t alloc_and_load_pgp_key (const gnutls_openpgp_privkey_t
key, int deinit);
-static gnutls_cert *alloc_and_load_pgp_certs (gnutls_openpgp_crt_t cert);
+static gnutls_pcert_st *alloc_and_load_pgp_certs (gnutls_openpgp_crt_t cert);
#endif
-static gnutls_cert *alloc_and_load_x509_certs (gnutls_x509_crt_t * certs,
+static gnutls_pcert_st *alloc_and_load_x509_certs (gnutls_x509_crt_t * certs,
unsigned);
static gnutls_privkey_t alloc_and_load_x509_key (gnutls_x509_privkey_t key,
int deinit);
@@ -66,12 +65,14 @@ static gnutls_privkey_t alloc_and_load_pkcs11_key
(gnutls_pkcs11_privkey_t
key, int deinit);
-/* Copies data from a internal certificate struct (gnutls_cert) to
+/* Copies data from a internal certificate struct (gnutls_pcert_st) to
* exported certificate struct (cert_auth_info_t)
*/
static int
_gnutls_copy_certificate_auth_info (cert_auth_info_t info,
- gnutls_cert * cert, size_t ncerts)
+ gnutls_pcert_st *certs, size_t ncerts,
+ int subkey_used, /* openpgp only */
+ void* keyid)
{
/* Copy peer's information to auth_info_t
*/
@@ -102,11 +103,11 @@ _gnutls_copy_certificate_auth_info (cert_auth_info_t info,
for (i = 0; i < ncerts; i++)
{
- if (cert->raw.size > 0)
+ if (certs[i].cert.size > 0)
{
ret =
_gnutls_set_datum (&info->raw_certificate_list[i],
- cert[i].raw.data, cert[i].raw.size);
+ certs[i].cert.data, certs[i].cert.size);
if (ret < 0)
{
gnutls_assert ();
@@ -115,15 +116,14 @@ _gnutls_copy_certificate_auth_info (cert_auth_info_t info,
}
}
info->ncerts = ncerts;
-
- info->cert_type = cert[0].cert_type;
- info->sign_algo = cert[0].sign_algo;
+ info->cert_type = certs[0].type;
#ifdef ENABLE_OPENPGP
- if (cert[0].cert_type == GNUTLS_CRT_OPENPGP)
+ if (certs[0].type == GNUTLS_CRT_OPENPGP)
{
- info->use_subkey = cert[0].use_subkey;
- memcpy (info->subkey_id, cert[0].subkey_id, sizeof (info->subkey_id));
+ info->use_subkey = subkey_used;
+ if (keyid)
+ memcpy (info->subkey_id, keyid, GNUTLS_OPENPGP_KEYID_SIZE);
}
#endif
@@ -167,7 +167,7 @@ _gnutls_check_pk_algo_in_list (const gnutls_pk_algorithm_t *
* specified in cert.
*/
static int
-_gnutls_cert_get_issuer_dn (gnutls_cert * cert, gnutls_datum_t * odn)
+_gnutls_cert_get_issuer_dn (gnutls_pcert_st* cert, gnutls_datum_t * odn)
{
ASN1_TYPE dn;
int len, result;
@@ -180,7 +180,7 @@ _gnutls_cert_get_issuer_dn (gnutls_cert * cert,
gnutls_datum_t * odn)
return _gnutls_asn2err (result);
}
- result = asn1_der_decoding (&dn, cert->raw.data, cert->raw.size, NULL);
+ result = asn1_der_decoding (&dn, cert->cert.data, cert->cert.size, NULL);
if (result != ASN1_SUCCESS)
{
/* couldn't decode DER */
@@ -189,7 +189,7 @@ _gnutls_cert_get_issuer_dn (gnutls_cert * cert,
gnutls_datum_t * odn)
return _gnutls_asn2err (result);
}
- result = asn1_der_decoding_startEnd (dn, cert->raw.data, cert->raw.size,
+ result = asn1_der_decoding_startEnd (dn, cert->cert.data, cert->cert.size,
"tbsCertificate.issuer", &start, &end);
if (result != ASN1_SUCCESS)
@@ -204,7 +204,7 @@ _gnutls_cert_get_issuer_dn (gnutls_cert * cert,
gnutls_datum_t * odn)
len = end - start + 1;
odn->size = len;
- odn->data = &cert->raw.data[start];
+ odn->data = &cert->cert.data[start];
return 0;
}
@@ -258,7 +258,7 @@ _find_x509_cert (const gnutls_certificate_credentials_t
cred,
* the *_SIGN algorithm matches
* the cert is our cert!
*/
- cert_pk = cred->cert_list[i][0].subject_pk_algorithm;
+ cert_pk =
gnutls_pubkey_get_pk_algorithm(cred->cert_list[i][0].pubkey, NULL);
if ((memcmp (odn.data, data, size) == 0) &&
(_gnutls_check_pk_algo_in_list
@@ -307,8 +307,8 @@ _find_openpgp_cert (const gnutls_certificate_credentials_t
cred,
*/
if ((_gnutls_check_pk_algo_in_list
(pk_algos, pk_algos_length,
- cred->cert_list[i][0].subject_pk_algorithm) == 0)
- && (cred->cert_list[i][0].cert_type == GNUTLS_CRT_OPENPGP))
+ gnutls_pubkey_get_pk_algorithm(cred->cert_list[i][0].pubkey,
NULL)) == 0)
+ && (cred->cert_list[i][0].type == GNUTLS_CRT_OPENPGP))
{
*indx = i;
break;
@@ -453,7 +453,7 @@ call_get_cert_callback (gnutls_session_t session,
gnutls_pk_algorithm_t * pk_algos, int pk_algos_length)
{
unsigned i;
- gnutls_cert *local_certs = NULL;
+ gnutls_pcert_st *local_certs = NULL;
gnutls_privkey_t local_key = NULL;
int ret = GNUTLS_E_INTERNAL_ERROR;
gnutls_certificate_type_t type = gnutls_certificate_type_get (session);
@@ -756,7 +756,7 @@ static int
_gnutls_gen_x509_crt (gnutls_session_t session, gnutls_buffer_st * data)
{
int ret, i;
- gnutls_cert *apr_cert_list;
+ gnutls_pcert_st *apr_cert_list;
gnutls_privkey_t apr_pkey;
int apr_cert_list_length;
@@ -773,7 +773,7 @@ _gnutls_gen_x509_crt (gnutls_session_t session,
gnutls_buffer_st * data)
ret = 3;
for (i = 0; i < apr_cert_list_length; i++)
{
- ret += apr_cert_list[i].raw.size + 3;
+ ret += apr_cert_list[i].cert.size + 3;
/* hold size
* for uint24 */
}
@@ -793,8 +793,8 @@ _gnutls_gen_x509_crt (gnutls_session_t session,
gnutls_buffer_st * data)
for (i = 0; i < apr_cert_list_length; i++)
{
- ret = _gnutls_buffer_append_data_prefix( data, 24,
apr_cert_list[i].raw.data,
- apr_cert_list[i].raw.size);
+ ret = _gnutls_buffer_append_data_prefix( data, 24,
apr_cert_list[i].cert.data,
+ apr_cert_list[i].cert.size);
if (ret < 0)
return gnutls_assert_val(ret);
}
@@ -810,10 +810,13 @@ static int
_gnutls_gen_openpgp_certificate (gnutls_session_t session, gnutls_buffer_st *
data)
{
int ret;
- gnutls_cert *apr_cert_list;
+ gnutls_pcert_st *apr_cert_list;
gnutls_privkey_t apr_pkey;
int apr_cert_list_length;
uint8_t type;
+ uint8_t fpr[20];
+ size_t fpr_size;
+ unsigned int use_subkey = 0;
/* find the appropriate certificate */
if ((ret =
@@ -827,12 +830,18 @@ _gnutls_gen_openpgp_certificate (gnutls_session_t
session, gnutls_buffer_st * da
ret = 3 + 1 + 3;
+
if (apr_cert_list_length > 0)
{
- if (apr_cert_list[0].use_subkey != 0)
- ret += 1 + sizeof (apr_cert_list[0].subkey_id); /* for the keyid */
+ fpr_size = sizeof(fpr);
+ ret = gnutls_pubkey_get_openpgp_key_id(apr_cert_list[0].pubkey, 0, fpr,
&fpr_size, &use_subkey);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ if (use_subkey != 0)
+ ret += 1 + fpr_size; /* for the keyid */
- ret += apr_cert_list[0].raw.size;
+ ret += apr_cert_list[0].cert.size;
}
ret = _gnutls_buffer_append_prefix( data, 24, ret - 3);
@@ -842,7 +851,7 @@ _gnutls_gen_openpgp_certificate (gnutls_session_t session,
gnutls_buffer_st * da
if (apr_cert_list_length > 0)
{
- if (apr_cert_list[0].use_subkey != 0)
+ if (use_subkey != 0)
{
type = PGP_KEY_SUBKEY;
@@ -850,8 +859,7 @@ _gnutls_gen_openpgp_certificate (gnutls_session_t session,
gnutls_buffer_st * da
if (ret < 0)
return gnutls_assert_val(ret);
- ret = _gnutls_buffer_append_data_prefix( data, 8,
apr_cert_list[0].subkey_id,
- sizeof (apr_cert_list[0].subkey_id));
+ ret = _gnutls_buffer_append_data_prefix( data, 8, fpr, fpr_size);
if (ret < 0)
return gnutls_assert_val(ret);
}
@@ -863,8 +871,8 @@ _gnutls_gen_openpgp_certificate (gnutls_session_t session,
gnutls_buffer_st * da
return gnutls_assert_val(ret);
}
- ret = _gnutls_buffer_append_data_prefix( data, 24,
apr_cert_list[0].raw.data,
- apr_cert_list[0].raw.size);
+ ret = _gnutls_buffer_append_data_prefix( data, 24,
apr_cert_list[0].cert.data,
+ apr_cert_list[0].cert.size);
if (ret < 0)
return gnutls_assert_val(ret);
}
@@ -890,9 +898,10 @@ _gnutls_gen_openpgp_certificate_fpr (gnutls_session_t
session, gnutls_buffer_st
int ret, packet_size;
uint8_t type, fpr[20];
size_t fpr_size;
- gnutls_cert *apr_cert_list;
+ gnutls_pcert_st *apr_cert_list;
gnutls_privkey_t apr_pkey;
int apr_cert_list_length;
+ unsigned int use_subkey = 0;
/* find the appropriate certificate */
if ((ret =
@@ -903,14 +912,19 @@ _gnutls_gen_openpgp_certificate_fpr (gnutls_session_t
session, gnutls_buffer_st
return ret;
}
+ fpr_size = sizeof(fpr);
+ ret = gnutls_pubkey_get_openpgp_key_id(apr_cert_list[0].pubkey, 0, fpr,
&fpr_size, &use_subkey);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
packet_size = 3 + 1;
- if (apr_cert_list[0].use_subkey)
- packet_size += 1 + sizeof (apr_cert_list[0].subkey_id); /* for the
keyid */
+ if (use_subkey)
+ packet_size += 1 + fpr_size; /* for the keyid */
/* Only v4 fingerprints are sent
*/
- if (apr_cert_list_length > 0 && apr_cert_list[0].version == 4)
+ if (apr_cert_list_length > 0)
packet_size += 20 + 1;
else /* empty certificate case */
return _gnutls_gen_openpgp_certificate (session, data);
@@ -919,7 +933,7 @@ _gnutls_gen_openpgp_certificate_fpr (gnutls_session_t
session, gnutls_buffer_st
if (ret < 0)
return gnutls_assert_val(ret);
- if (apr_cert_list[0].use_subkey)
+ if (use_subkey)
{
type = PGP_KEY_FINGERPRINT_SUBKEY;
ret = _gnutls_buffer_append_data( data, &type, 1);
@@ -927,7 +941,7 @@ _gnutls_gen_openpgp_certificate_fpr (gnutls_session_t
session, gnutls_buffer_st
return gnutls_assert_val(ret);
ret = _gnutls_buffer_append_data_prefix( data, 8,
- apr_cert_list[0].subkey_id, sizeof(apr_cert_list[0].subkey_id));
+ fpr, fpr_size);
if (ret < 0)
return gnutls_assert_val(ret);
}
@@ -941,7 +955,7 @@ _gnutls_gen_openpgp_certificate_fpr (gnutls_session_t
session, gnutls_buffer_st
fpr_size = sizeof(fpr);
if ((ret =
- _gnutls_openpgp_fingerprint (&apr_cert_list[0].raw, fpr,
+ _gnutls_openpgp_fingerprint (&apr_cert_list[0].cert, fpr,
&fpr_size)) < 0)
{
gnutls_assert ();
@@ -998,7 +1012,7 @@ _gnutls_gen_cert_server_certificate (gnutls_session_t
session, gnutls_buffer_st
/* Process server certificate
*/
-#define CLEAR_CERTS for(x=0;x<peer_certificate_list_size;x++)
_gnutls_gcert_deinit(&peer_certificate_list[x])
+#define CLEAR_CERTS for(x=0;x<peer_certificate_list_size;x++)
gnutls_pcert_deinit(&peer_certificate_list[x])
static int
_gnutls_proc_x509_server_certificate (gnutls_session_t session,
opaque * data, size_t data_size)
@@ -1009,7 +1023,7 @@ _gnutls_proc_x509_server_certificate (gnutls_session_t
session,
gnutls_certificate_credentials_t cred;
ssize_t dsize = data_size;
int i;
- gnutls_cert *peer_certificate_list;
+ gnutls_pcert_st *peer_certificate_list;
size_t peer_certificate_list_size = 0, j, x;
gnutls_datum_t tmp;
@@ -1076,15 +1090,12 @@ _gnutls_proc_x509_server_certificate (gnutls_session_t
session,
*/
peer_certificate_list =
- gnutls_malloc (sizeof (gnutls_cert) * (peer_certificate_list_size));
-
+ gnutls_calloc (1, sizeof (gnutls_pcert_st) * (peer_certificate_list_size));
if (peer_certificate_list == NULL)
{
gnutls_assert ();
return GNUTLS_E_MEMORY_ERROR;
}
- memset (peer_certificate_list, 0, sizeof (gnutls_cert) *
- peer_certificate_list_size);
p = data + 3;
@@ -1101,26 +1112,23 @@ _gnutls_proc_x509_server_certificate (gnutls_session_t
session,
tmp.size = len;
tmp.data = p;
- if ((ret =
- _gnutls_x509_raw_cert_to_gcert (&peer_certificate_list
- [j], &tmp,
- CERT_ONLY_EXTENSIONS)) < 0)
+ ret =
+ gnutls_pcert_import_x509_raw (&peer_certificate_list
+ [j], &tmp, GNUTLS_X509_FMT_DER, 0);
+ if (ret < 0)
{
gnutls_assert ();
goto cleanup;
}
- /* check if signature algorithm is supported */
- ret =
- _gnutls_session_sign_algo_enabled (session,
- peer_certificate_list
- [j].sign_algo);
+ ret = _gnutls_session_sign_algo_enabled (session,
+ peer_certificate_list[j].sign_algo);
if (ret < 0)
{
gnutls_assert ();
goto cleanup;
}
-
+
p += len;
}
@@ -1128,7 +1136,7 @@ _gnutls_proc_x509_server_certificate (gnutls_session_t
session,
if ((ret =
_gnutls_copy_certificate_auth_info (info,
peer_certificate_list,
- peer_certificate_list_size)) < 0)
+ peer_certificate_list_size, 0,
NULL)) < 0)
{
gnutls_assert ();
goto cleanup;
@@ -1151,7 +1159,6 @@ cleanup:
}
-#define CLEAR_CERTS for(x=0;x<peer_certificate_list_size;x++)
_gnutls_gcert_deinit(&peer_certificate_list[x])
#ifdef ENABLE_OPENPGP
static int
_gnutls_proc_openpgp_server_certificate (gnutls_session_t session,
@@ -1163,10 +1170,10 @@ _gnutls_proc_openpgp_server_certificate
(gnutls_session_t session,
gnutls_certificate_credentials_t cred;
ssize_t dsize = data_size;
int x, key_type;
- gnutls_cert *peer_certificate_list = NULL;
+ gnutls_pcert_st *peer_certificate_list = NULL;
int peer_certificate_list_size = 0;
gnutls_datum_t tmp, akey = { NULL, 0 };
- gnutls_openpgp_keyid_t subkey_id;
+ uint8_t subkey_id[GNUTLS_OPENPGP_KEYID_SIZE];
unsigned int subkey_id_set = 0;
cred = (gnutls_certificate_credentials_t)
@@ -1213,7 +1220,7 @@ _gnutls_proc_openpgp_server_certificate (gnutls_session_t
session,
if (key_type == PGP_KEY_FINGERPRINT_SUBKEY || key_type == PGP_KEY_SUBKEY)
{
/* check size */
- if (*p != sizeof (subkey_id))
+ if (*p != GNUTLS_OPENPGP_KEYID_SIZE)
{
gnutls_assert ();
return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE;
@@ -1222,9 +1229,9 @@ _gnutls_proc_openpgp_server_certificate (gnutls_session_t
session,
DECR_LEN (dsize, 1);
p++;
- DECR_LEN (dsize, sizeof (subkey_id));
- memcpy (subkey_id, p, sizeof (subkey_id));
- p += sizeof (subkey_id);
+ DECR_LEN (dsize, GNUTLS_OPENPGP_KEYID_SIZE);
+ memcpy (subkey_id, p, GNUTLS_OPENPGP_KEYID_SIZE);
+ p += GNUTLS_OPENPGP_KEYID_SIZE;
subkey_id_set = 1;
@@ -1298,30 +1305,30 @@ _gnutls_proc_openpgp_server_certificate
(gnutls_session_t session,
}
peer_certificate_list =
- gnutls_malloc (sizeof (gnutls_cert) * (peer_certificate_list_size));
+ gnutls_calloc (1, sizeof (gnutls_pcert_st) * (peer_certificate_list_size));
if (peer_certificate_list == NULL)
{
gnutls_assert ();
ret = GNUTLS_E_MEMORY_ERROR;
goto cleanup;
}
- memset (peer_certificate_list, 0, sizeof (gnutls_cert) *
- peer_certificate_list_size);
- if ((ret =
- _gnutls_openpgp_raw_crt_to_gcert (&peer_certificate_list[0],
+ ret =
+ gnutls_pcert_import_openpgp_raw (&peer_certificate_list[0],
&tmp,
- subkey_id_set ? subkey_id : NULL)) <
- 0)
+ GNUTLS_OPENPGP_FMT_RAW,
+ (subkey_id_set!=0)?subkey_id:NULL, 0);
+ if (ret < 0)
{
gnutls_assert ();
goto cleanup;
}
- if ((ret =
+ ret =
_gnutls_copy_certificate_auth_info (info,
peer_certificate_list,
- peer_certificate_list_size)) < 0)
+ peer_certificate_list_size,
subkey_id_set, (subkey_id_set!=0)?subkey_id:NULL);
+ if (ret < 0)
{
gnutls_assert ();
goto cleanup;
@@ -1525,7 +1532,7 @@ int
_gnutls_gen_cert_client_cert_vrfy (gnutls_session_t session, gnutls_buffer_st
* data)
{
int ret;
- gnutls_cert *apr_cert_list;
+ gnutls_pcert_st *apr_cert_list;
gnutls_privkey_t apr_pkey;
int apr_cert_list_length;
gnutls_datum_t signature = { NULL, 0 };
@@ -1609,7 +1616,7 @@ _gnutls_proc_cert_client_cert_vrfy (gnutls_session_t
session,
opaque *pdata = data;
gnutls_datum_t sig;
cert_auth_info_t info = _gnutls_get_auth_info (session);
- gnutls_cert peer_cert;
+ gnutls_pcert_st peer_cert;
gnutls_sign_algorithm_t sign_algo = GNUTLS_SIGN_UNKNOWN;
gnutls_protocol_t ver = gnutls_protocol_get_version (session);
@@ -1653,9 +1660,9 @@ _gnutls_proc_cert_client_cert_vrfy (gnutls_session_t
session,
sig.data = pdata;
sig.size = size;
- ret = _gnutls_get_auth_info_gcert (&peer_cert,
+ ret = _gnutls_get_auth_info_pcert (&peer_cert,
session->security_parameters.cert_type,
- info, CERT_NO_COPY);
+ info);
if (ret < 0)
{
@@ -1668,10 +1675,10 @@ _gnutls_proc_cert_client_cert_vrfy (gnutls_session_t
session,
sign_algo)) < 0)
{
gnutls_assert ();
- _gnutls_gcert_deinit (&peer_cert);
+ gnutls_pcert_deinit (&peer_cert);
return ret;
}
- _gnutls_gcert_deinit (&peer_cert);
+ gnutls_pcert_deinit (&peer_cert);
return 0;
}
@@ -1766,7 +1773,7 @@ _gnutls_gen_cert_server_cert_req (gnutls_session_t
session, gnutls_buffer_st * d
*/
int
_gnutls_get_selected_cert (gnutls_session_t session,
- gnutls_cert ** apr_cert_list,
+ gnutls_pcert_st ** apr_cert_list,
int *apr_cert_list_length,
gnutls_privkey_t * apr_pkey)
{
@@ -1803,20 +1810,20 @@ _gnutls_get_selected_cert (gnutls_session_t session,
return 0;
}
-/* converts the given x509 certificate to gnutls_cert* and allocates
+/* converts the given x509 certificate list to gnutls_pcert_st* and allocates
* space for them.
*/
-static gnutls_cert *
+static gnutls_pcert_st *
alloc_and_load_x509_certs (gnutls_x509_crt_t * certs, unsigned ncerts)
{
- gnutls_cert *local_certs;
+ gnutls_pcert_st *local_certs;
int ret = 0;
unsigned i, j;
if (certs == NULL)
return NULL;
- local_certs = gnutls_malloc (sizeof (gnutls_cert) * ncerts);
+ local_certs = gnutls_malloc (sizeof (gnutls_pcert_st) * ncerts);
if (local_certs == NULL)
{
gnutls_assert ();
@@ -1825,7 +1832,7 @@ alloc_and_load_x509_certs (gnutls_x509_crt_t * certs,
unsigned ncerts)
for (i = 0; i < ncerts; i++)
{
- ret = _gnutls_x509_crt_to_gcert (&local_certs[i], certs[i], 0);
+ ret = gnutls_pcert_import_x509 (&local_certs[i], certs[i], 0);
if (ret < 0)
break;
}
@@ -1835,7 +1842,7 @@ alloc_and_load_x509_certs (gnutls_x509_crt_t * certs,
unsigned ncerts)
gnutls_assert ();
for (j = 0; j < i; j++)
{
- _gnutls_gcert_deinit (&local_certs[j]);
+ gnutls_pcert_deinit (&local_certs[j]);
}
gnutls_free (local_certs);
return NULL;
@@ -1881,23 +1888,23 @@ alloc_and_load_x509_key (gnutls_x509_privkey_t key, int
deinit)
* space for them.
*/
#ifdef ENABLE_OPENPGP
-static gnutls_cert *
+static gnutls_pcert_st *
alloc_and_load_pgp_certs (gnutls_openpgp_crt_t cert)
{
- gnutls_cert *local_certs;
+ gnutls_pcert_st *local_certs;
int ret = 0;
if (cert == NULL)
return NULL;
- local_certs = gnutls_malloc (sizeof (gnutls_cert));
+ local_certs = gnutls_malloc (sizeof (gnutls_pcert_st));
if (local_certs == NULL)
{
gnutls_assert ();
return NULL;
}
- ret = _gnutls_openpgp_crt_to_gcert (local_certs, cert);
+ ret = gnutls_pcert_import_openpgp (local_certs, cert, 0);
if (ret < 0)
{
gnutls_assert ();
@@ -1907,18 +1914,11 @@ alloc_and_load_pgp_certs (gnutls_openpgp_crt_t cert)
if (ret < 0)
{
gnutls_assert ();
- _gnutls_gcert_deinit (local_certs);
+ gnutls_pcert_deinit (local_certs);
gnutls_free (local_certs);
return NULL;
}
- ret =
- gnutls_openpgp_crt_get_preferred_key_id (cert, local_certs->subkey_id);
- if (ret < 0)
- local_certs->use_subkey = 0;
- else
- local_certs->use_subkey = 1;
-
return local_certs;
}
@@ -1998,7 +1998,7 @@ _gnutls_selected_certs_deinit (gnutls_session_t session)
for (i = 0; i < session->internals.selected_cert_list_length; i++)
{
- _gnutls_gcert_deinit (&session->internals.selected_cert_list[i]);
+ gnutls_pcert_deinit (&session->internals.selected_cert_list[i]);
}
gnutls_free (session->internals.selected_cert_list);
session->internals.selected_cert_list = NULL;
@@ -2012,7 +2012,7 @@ _gnutls_selected_certs_deinit (gnutls_session_t session)
void
_gnutls_selected_certs_set (gnutls_session_t session,
- gnutls_cert * certs, int ncerts,
+ gnutls_pcert_st * certs, int ncerts,
gnutls_privkey_t key, int need_free)
{
_gnutls_selected_certs_deinit (session);
@@ -2072,22 +2072,21 @@ _gnutls_server_select_cert (gnutls_session_t session,
for (i = 0; i < cred->ncerts; i++)
{
+ gnutls_pk_algorithm pk =
gnutls_pubkey_get_pk_algorithm(cred->cert_list[i][0].pubkey,NULL);
/* find one compatible certificate
*/
- _gnutls_handshake_log("HSK[%p]: certificate[%d] PK algorithm: %s (%d) -
ctype: %s (%d) - sig: %s (%d)\n", session, i,
- gnutls_pk_get_name(cred->cert_list[i][0].subject_pk_algorithm),
cred->cert_list[i][0].subject_pk_algorithm,
- gnutls_certificate_type_get_name(cred->cert_list[i][0].cert_type),
cred->cert_list[i][0].cert_type,
- gnutls_sign_get_name(cred->cert_list[i][0].sign_algo),
cred->cert_list[i][0].sign_algo);
+ _gnutls_handshake_log("HSK[%p]: certificate[%d] PK algorithm: %s (%d) -
ctype: %s (%d)\n", session, i,
+ gnutls_pk_get_name(pk), pk,
+ gnutls_certificate_type_get_name(cred->cert_list[i][0].type),
cred->cert_list[i][0].type);
if (requested_algo == GNUTLS_PK_ANY ||
- requested_algo == cred->cert_list[i][0].subject_pk_algorithm)
+ requested_algo == pk)
{
/* if cert type and signature algorithm matches
*/
/* *INDENT-OFF* */
- if (session->security_parameters.cert_type
- == cred->cert_list[i][0].cert_type
- && (cred->cert_list[i][0].cert_type == GNUTLS_CRT_OPENPGP
+ if (session->security_parameters.cert_type ==
cred->cert_list[i][0].type
+ && (cred->cert_list[i][0].type == GNUTLS_CRT_OPENPGP
|| /* FIXME: make this a check for certificate
type capabilities */
_gnutls_session_sign_algo_requested
diff --git a/lib/auth/cert.h b/lib/auth/cert.h
index 045525b..d26935b 100644
--- a/lib/auth/cert.h
+++ b/lib/auth/cert.h
@@ -25,7 +25,6 @@
#ifndef AUTH_CERT_H
#define AUTH_CERT_H
-#include "gnutls_cert.h"
#include "gnutls_auth.h"
#include <auth/dh_common.h>
#include "x509/x509_int.h"
@@ -45,7 +44,7 @@ typedef struct gnutls_certificate_credentials_st
*/
gnutls_params_function *params_func;
- gnutls_cert **cert_list;
+ gnutls_pcert_st **cert_list;
/* contains a list of a list of certificates.
* eg (X509): [0] certificate1, certificate11, certificate111
* (if more than one, one certificate certifies the one before)
@@ -115,10 +114,9 @@ typedef struct cert_auth_info_st
unsigned int ncerts; /* holds the size of the list above */
gnutls_certificate_type_t cert_type;
- gnutls_sign_algorithm_t sign_algo;
#ifdef ENABLE_OPENPGP
int use_subkey;
- gnutls_openpgp_keyid_t subkey_id;
+ uint8_t subkey_id[GNUTLS_OPENPGP_KEYID_SIZE];
#endif
} *cert_auth_info_t;
@@ -135,7 +133,7 @@ int _gnutls_proc_cert_cert_req (gnutls_session_t, opaque *,
size_t);
int _gnutls_proc_cert_client_cert_vrfy (gnutls_session_t, opaque *, size_t);
int _gnutls_proc_cert_server_certificate (gnutls_session_t, opaque *, size_t);
int _gnutls_get_selected_cert (gnutls_session_t session,
- gnutls_cert ** apr_cert_list,
+ gnutls_pcert_st ** apr_cert_list,
int *apr_cert_list_length,
gnutls_privkey_t * apr_pkey);
@@ -143,7 +141,7 @@ int _gnutls_server_select_cert (struct gnutls_session_int *,
gnutls_pk_algorithm_t);
void _gnutls_selected_certs_deinit (gnutls_session_t session);
void _gnutls_selected_certs_set (gnutls_session_t session,
- gnutls_cert * certs, int ncerts,
+ gnutls_pcert_st * certs, int ncerts,
gnutls_privkey_t key, int need_free);
#define _gnutls_proc_cert_client_certificate
_gnutls_proc_cert_server_certificate
@@ -154,14 +152,17 @@ gnutls_rsa_params_t _gnutls_certificate_get_rsa_params
(gnutls_rsa_params_t
* func,
gnutls_session_t);
-int _gnutls_get_auth_info_gcert (gnutls_cert * gcert,
+int _gnutls_get_auth_info_pcert (gnutls_pcert_st* gcert,
gnutls_certificate_type_t type,
- cert_auth_info_t info,
- int flags /* OR of ConvFlags */ );
+ cert_auth_info_t info);
int certificate_credential_append_crt_list (gnutls_certificate_credentials_t
- res, gnutls_cert * crt, int nr);
+ res, gnutls_pcert_st* crt, int nr);
int certificate_credentials_append_pkey (gnutls_certificate_credentials_t res,
gnutls_privkey_t pkey);
+int _gnutls_selected_cert_supported_kx (struct gnutls_session_int *session,
+ gnutls_kx_algorithm_t ** alg,
+ int *alg_size);
+
#endif
diff --git a/lib/auth/dhe.c b/lib/auth/dhe.c
index ca0a235..c8badfe 100644
--- a/lib/auth/dhe.c
+++ b/lib/auth/dhe.c
@@ -86,7 +86,7 @@ gen_dhe_server_kx (gnutls_session_t session,
gnutls_buffer_st* data)
bigint_t g, p;
const bigint_t *mpis;
int ret = 0, data_size;
- gnutls_cert *apr_cert_list;
+ gnutls_pcert_st *apr_cert_list;
gnutls_privkey_t apr_pkey;
int apr_cert_list_length;
gnutls_datum_t signature = { NULL, 0 }, ddata;
@@ -218,7 +218,7 @@ proc_dhe_server_kx (gnutls_session_t session, opaque * data,
int ret;
cert_auth_info_t info = _gnutls_get_auth_info (session);
ssize_t data_size = _data_size;
- gnutls_cert peer_cert;
+ gnutls_pcert_st peer_cert;
gnutls_sign_algorithm_t sign_algo = GNUTLS_SIGN_UNKNOWN;
gnutls_protocol_t ver = gnutls_protocol_get_version (session);
@@ -267,9 +267,9 @@ proc_dhe_server_kx (gnutls_session_t session, opaque * data,
signature.size = sigsize;
if ((ret =
- _gnutls_get_auth_info_gcert (&peer_cert,
+ _gnutls_get_auth_info_pcert (&peer_cert,
session->security_parameters.cert_type,
- info, CERT_NO_COPY)) < 0)
+ info)) < 0)
{
gnutls_assert ();
return ret;
@@ -279,7 +279,7 @@ proc_dhe_server_kx (gnutls_session_t session, opaque * data,
_gnutls_handshake_verify_data (session, &peer_cert, &vparams, &signature,
sign_algo);
- _gnutls_gcert_deinit (&peer_cert);
+ gnutls_pcert_deinit (&peer_cert);
if (ret < 0)
{
gnutls_assert ();
diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c
index bcb6692..2e5b7f5 100644
--- a/lib/auth/rsa.c
+++ b/lib/auth/rsa.c
@@ -42,6 +42,7 @@
#include <gnutls_x509.h>
#include <random.h>
#include <gnutls_mpi.h>
+#include <abstract_int.h>
int _gnutls_gen_rsa_client_kx (gnutls_session_t, gnutls_buffer_st*);
static int proc_rsa_client_kx (gnutls_session_t, opaque *, size_t);
@@ -72,7 +73,9 @@ _gnutls_get_public_rsa_params (gnutls_session_t session,
{
int ret;
cert_auth_info_t info;
- gnutls_cert peer_cert;
+ gnutls_pcert_st peer_cert;
+ bigint_t tmp_params[RSA_PUBLIC_PARAMS];
+ int tmp_params_size;
int i;
/* normal non export case */
@@ -86,9 +89,9 @@ _gnutls_get_public_rsa_params (gnutls_session_t session,
}
ret =
- _gnutls_get_auth_info_gcert (&peer_cert,
+ _gnutls_get_auth_info_pcert (&peer_cert,
session->security_parameters.cert_type,
- info, CERT_ONLY_PUBKEY | CERT_NO_COPY);
+ info);
if (ret < 0)
{
@@ -96,50 +99,54 @@ _gnutls_get_public_rsa_params (gnutls_session_t session,
return ret;
}
+ if (*params_len < RSA_PUBLIC_PARAMS)
+ {
+ gnutls_assert ();
+ ret = GNUTLS_E_INTERNAL_ERROR;
+ goto cleanup;
+ }
+ *params_len = RSA_PUBLIC_PARAMS;
/* EXPORT case: */
if (_gnutls_cipher_suite_get_kx_algo
(&session->security_parameters.current_cipher_suite) ==
- GNUTLS_KX_RSA_EXPORT
- && _gnutls_mpi_get_nbits (peer_cert.params[0]) > 512)
+ GNUTLS_KX_RSA_EXPORT &&
+ _gnutls_pubkey_is_over_rsa_512(peer_cert.pubkey) == 0)
{
-
- _gnutls_gcert_deinit (&peer_cert);
-
if (session->key->rsa[0] == NULL || session->key->rsa[1] == NULL)
{
gnutls_assert ();
- return GNUTLS_E_INTERNAL_ERROR;
+ ret = GNUTLS_E_INTERNAL_ERROR;
+ goto cleanup;
}
- if (*params_len < 2)
- {
- gnutls_assert ();
- return GNUTLS_E_INTERNAL_ERROR;
- }
- *params_len = 2;
for (i = 0; i < *params_len; i++)
{
params[i] = _gnutls_mpi_copy (session->key->rsa[i]);
}
- return 0;
+ ret = 0;
+ goto cleanup;
}
- /* end of export case */
-
- if (*params_len < peer_cert.params_size)
+ tmp_params_size = RSA_PUBLIC_PARAMS;
+ ret = _gnutls_pubkey_get_mpis(peer_cert.pubkey, tmp_params,
&tmp_params_size);
+ if (ret < 0)
{
- gnutls_assert ();
- return GNUTLS_E_INTERNAL_ERROR;
+ ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+ goto cleanup;
}
- *params_len = peer_cert.params_size;
+ /* end of export case */
for (i = 0; i < *params_len; i++)
{
- params[i] = _gnutls_mpi_copy (peer_cert.params[i]);
+ params[i] = _gnutls_mpi_copy (tmp_params[i]);
}
- _gnutls_gcert_deinit (&peer_cert);
+
+ ret = 0;
+
+cleanup:
+ gnutls_pcert_deinit (&peer_cert);
return 0;
}
diff --git a/lib/auth/rsa_export.c b/lib/auth/rsa_export.c
index f27a092..7829a1a 100644
--- a/lib/auth/rsa_export.c
+++ b/lib/auth/rsa_export.c
@@ -43,6 +43,7 @@
#include <gnutls_rsa_export.h>
#include <gnutls_state.h>
#include <random.h>
+#include <abstract_int.h>
int _gnutls_gen_rsa_client_kx (gnutls_session_t, gnutls_buffer_st*);
static int gen_rsa_export_server_kx (gnutls_session_t, gnutls_buffer_st*);
@@ -73,7 +74,7 @@ static int
_gnutls_get_private_rsa_params (gnutls_session_t session,
bigint_t ** params, int *params_size)
{
- int bits;
+ int ret;
gnutls_certificate_credentials_t cred;
gnutls_rsa_params_t rsa_params;
@@ -91,13 +92,11 @@ _gnutls_get_private_rsa_params (gnutls_session_t session,
return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
}
- bits =
- _gnutls_mpi_get_nbits (session->internals.
- selected_cert_list[0].params[0]);
+ ret =
_gnutls_pubkey_is_over_rsa_512(session->internals.selected_cert_list[0].pubkey);
if (_gnutls_cipher_suite_get_kx_algo
(&session->security_parameters.current_cipher_suite)
- != GNUTLS_KX_RSA_EXPORT || bits < 512)
+ != GNUTLS_KX_RSA_EXPORT || ret < 0)
{
gnutls_assert ();
return GNUTLS_E_INVALID_REQUEST;
@@ -239,7 +238,7 @@ gen_rsa_export_server_kx (gnutls_session_t session,
gnutls_buffer_st* data)
gnutls_rsa_params_t rsa_params;
const bigint_t *rsa_mpis;
int ret = 0;
- gnutls_cert *apr_cert_list;
+ gnutls_pcert_st *apr_cert_list;
gnutls_privkey_t apr_pkey;
int apr_cert_list_length;
gnutls_datum_t signature, ddata;
@@ -337,7 +336,7 @@ gen_rsa_export_server_kx (gnutls_session_t session,
gnutls_buffer_st* data)
int
_gnutls_peers_cert_less_512 (gnutls_session_t session)
{
- gnutls_cert peer_cert;
+ gnutls_pcert_st peer_cert;
int ret;
cert_auth_info_t info = _gnutls_get_auth_info (session);
@@ -349,28 +348,28 @@ _gnutls_peers_cert_less_512 (gnutls_session_t session)
}
if ((ret =
- _gnutls_get_auth_info_gcert (&peer_cert,
+ _gnutls_get_auth_info_pcert (&peer_cert,
session->security_parameters.cert_type,
- info, CERT_NO_COPY)) < 0)
+ info)) < 0)
{
gnutls_assert ();
return 0;
}
- if (peer_cert.subject_pk_algorithm != GNUTLS_PK_RSA)
+ if (gnutls_pubkey_get_pk_algorithm(peer_cert.pubkey, NULL) != GNUTLS_PK_RSA)
{
gnutls_assert ();
- _gnutls_gcert_deinit (&peer_cert);
+ gnutls_pcert_deinit (&peer_cert);
return 0;
}
- if (_gnutls_mpi_get_nbits (peer_cert.params[0]) <= 512)
+ if (_gnutls_pubkey_is_over_rsa_512(peer_cert.pubkey) < 0)
{
- _gnutls_gcert_deinit (&peer_cert);
+ gnutls_pcert_deinit (&peer_cert);
return 1;
}
- _gnutls_gcert_deinit (&peer_cert);
+ gnutls_pcert_deinit (&peer_cert);
return 0;
}
@@ -388,7 +387,7 @@ proc_rsa_export_server_kx (gnutls_session_t session,
int ret;
ssize_t data_size = _data_size;
cert_auth_info_t info;
- gnutls_cert peer_cert;
+ gnutls_pcert_st peer_cert;
info = _gnutls_get_auth_info (session);
if (info == NULL || info->ncerts == 0)
@@ -448,9 +447,9 @@ proc_rsa_export_server_kx (gnutls_session_t session,
signature.size = sigsize;
if ((ret =
- _gnutls_get_auth_info_gcert (&peer_cert,
+ _gnutls_get_auth_info_pcert (&peer_cert,
session->security_parameters.cert_type,
- info, CERT_NO_COPY)) < 0)
+ info)) < 0)
{
gnutls_assert ();
return ret;
@@ -460,7 +459,7 @@ proc_rsa_export_server_kx (gnutls_session_t session,
_gnutls_handshake_verify_data (session, &peer_cert, &vparams, &signature,
GNUTLS_SIGN_UNKNOWN);
- _gnutls_gcert_deinit (&peer_cert);
+ gnutls_pcert_deinit (&peer_cert);
if (ret < 0)
{
gnutls_assert ();
diff --git a/lib/auth/srp_rsa.c b/lib/auth/srp_rsa.c
index bafaf7c..675e917 100644
--- a/lib/auth/srp_rsa.c
+++ b/lib/auth/srp_rsa.c
@@ -85,7 +85,7 @@ gen_srp_cert_server_kx (gnutls_session_t session,
gnutls_buffer_st* data)
ssize_t ret, data_size;
gnutls_datum_t signature, ddata;
gnutls_certificate_credentials_t cred;
- gnutls_cert *apr_cert_list;
+ gnutls_pcert_st *apr_cert_list;
gnutls_privkey_t apr_pkey;
int apr_cert_list_length;
gnutls_sign_algorithm_t sign_algo;
@@ -145,7 +145,7 @@ proc_srp_cert_server_kx (gnutls_session_t session, opaque *
data,
gnutls_datum_t vparams, signature;
ssize_t data_size;
cert_auth_info_t info;
- gnutls_cert peer_cert;
+ gnutls_pcert_st peer_cert;
opaque *p;
ret = _gnutls_proc_srp_server_kx (session, data, _data_size);
@@ -177,9 +177,9 @@ proc_srp_cert_server_kx (gnutls_session_t session, opaque *
data,
signature.size = sigsize;
ret =
- _gnutls_get_auth_info_gcert (&peer_cert,
+ _gnutls_get_auth_info_pcert (&peer_cert,
session->security_parameters.cert_type,
- info, CERT_NO_COPY);
+ info);
if (ret < 0)
{
@@ -191,7 +191,7 @@ proc_srp_cert_server_kx (gnutls_session_t session, opaque *
data,
_gnutls_handshake_verify_data (session, &peer_cert, &vparams, &signature,
GNUTLS_SIGN_UNKNOWN);
- _gnutls_gcert_deinit (&peer_cert);
+ gnutls_pcert_deinit (&peer_cert);
if (ret < 0)
{
gnutls_assert ();
diff --git a/lib/ext/signature.c b/lib/ext/signature.c
index 723ebd3..ad8f3b8 100644
--- a/lib/ext/signature.c
+++ b/lib/ext/signature.c
@@ -35,7 +35,7 @@
#include <gnutls_num.h>
#include <gnutls_algorithms.h>
#include <x509/common.h> /* dsa_q_to_hash */
-#include <gnutls_cert.h>
+#include <abstract_int.h>
static int _gnutls_signature_algorithm_recv_params (gnutls_session_t session,
const opaque * data,
@@ -250,42 +250,21 @@ _gnutls_signature_algorithm_send_params (gnutls_session_t
session,
return 0;
}
-int cert_compatible_with_sig(gnutls_cert* cert, gnutls_protocol_t ver,
- gnutls_sign_algorithm_t sign)
-{
- if (cert->subject_pk_algorithm == GNUTLS_PK_DSA)
- { /* override */
- int hash_algo = _gnutls_dsa_q_to_hash (cert->params[1]);
-
- /* DSA keys over 1024 bits cannot be used with TLS 1.x, x<2 */
- if (!_gnutls_version_has_selectable_sighash (ver))
- {
- if (hash_algo != GNUTLS_DIG_SHA1)
- return
gnutls_assert_val(GNUTLS_E_INCOMPAT_DSA_KEY_WITH_TLS_PROTOCOL);
- }
- else
- {
- if (_gnutls_sign_get_hash_algorithm(sign) != hash_algo)
- return GNUTLS_E_UNWANTED_ALGORITHM;
- }
-
- }
-
- return 0;
-}
-
/* Returns a requested by the peer signature algorithm that
* matches the given public key algorithm. Index can be increased
* to return the second choice etc.
*/
gnutls_sign_algorithm_t
-_gnutls_session_get_sign_algo (gnutls_session_t session, gnutls_cert* cert)
+_gnutls_session_get_sign_algo (gnutls_session_t session, gnutls_pcert_st* cert)
{
unsigned i;
int ret;
gnutls_protocol_t ver = gnutls_protocol_get_version (session);
sig_ext_st *priv;
extension_priv_data_t epriv;
+ int cert_algo;
+
+ cert_algo = gnutls_pubkey_get_pk_algorithm(cert->pubkey, NULL);
ret =
_gnutls_ext_get_session_data (session,
@@ -297,14 +276,14 @@ _gnutls_session_get_sign_algo (gnutls_session_t session,
gnutls_cert* cert)
|| priv->sign_algorithms_size == 0)
/* none set, allow SHA-1 only */
{
- return _gnutls_x509_pk_to_sign (cert->subject_pk_algorithm,
GNUTLS_DIG_SHA1);
+ return _gnutls_x509_pk_to_sign (cert_algo, GNUTLS_DIG_SHA1);
}
for (i = 0; i < priv->sign_algorithms_size; i++)
{
- if (_gnutls_sign_get_pk_algorithm (priv->sign_algorithms[i]) ==
cert->subject_pk_algorithm)
+ if (_gnutls_sign_get_pk_algorithm (priv->sign_algorithms[i]) ==
cert_algo)
{
- if (cert_compatible_with_sig(cert, ver, priv->sign_algorithms[i]) <
0)
+ if (_gnutls_pubkey_compatible_with_sig(cert->pubkey, ver,
priv->sign_algorithms[i]) < 0)
continue;
return priv->sign_algorithms[i];
diff --git a/lib/ext/signature.h b/lib/ext/signature.h
index 0288ff1..89b31d7 100644
--- a/lib/ext/signature.h
+++ b/lib/ext/signature.h
@@ -35,14 +35,11 @@ extern extension_entry_st ext_mod_sig;
int _gnutls_session_sign_algo_requested (gnutls_session_t session,
gnutls_sign_algorithm_t sig);
gnutls_sign_algorithm_t
-_gnutls_session_get_sign_algo (gnutls_session_t session, gnutls_cert* cert);
+_gnutls_session_get_sign_algo (gnutls_session_t session, gnutls_pcert_st*
cert);
int _gnutls_sign_algorithm_parse_data (gnutls_session_t session,
const opaque * data, size_t data_size);
int _gnutls_sign_algorithm_write_params (gnutls_session_t session,
opaque * data, size_t max_data_size);
int _gnutls_session_sign_algo_enabled (gnutls_session_t session,
gnutls_sign_algorithm_t sig);
-int cert_compatible_with_sig(gnutls_cert* cert, gnutls_protocol_t ver,
- gnutls_sign_algorithm_t sign);
-
#endif
diff --git a/lib/gnutls_algorithms.c b/lib/gnutls_algorithms.c
index 972eee5..b54e5cd 100644
--- a/lib/gnutls_algorithms.c
+++ b/lib/gnutls_algorithms.c
@@ -26,7 +26,6 @@
#include "gnutls_int.h"
#include "gnutls_algorithms.h"
#include "gnutls_errors.h"
-#include "gnutls_cert.h"
#include <x509/common.h>
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index 04b2543..f587f16 100644
--- a/lib/gnutls_cert.c
+++ b/lib/gnutls_cert.c
@@ -30,7 +30,6 @@
#include <gnutls_int.h>
#include <gnutls_errors.h>
#include <auth/cert.h>
-#include <gnutls_cert.h>
#include <gnutls_datum.h>
#include <gnutls_mpi.h>
#include <gnutls_global.h>
@@ -63,7 +62,7 @@ gnutls_certificate_free_keys
(gnutls_certificate_credentials_t sc)
{
for (j = 0; j < sc->cert_list_length[i]; j++)
{
- _gnutls_gcert_deinit (&sc->cert_list[i][j]);
+ gnutls_pcert_deinit (&sc->cert_list[i][j]);
}
gnutls_free (sc->cert_list[i]);
}
@@ -233,9 +232,9 @@ _gnutls_selected_cert_supported_kx (gnutls_session_t
session,
int *alg_size)
{
gnutls_kx_algorithm_t kx;
- gnutls_pk_algorithm_t pk;
+ gnutls_pk_algorithm_t pk, cert_pk;
gnutls_kx_algorithm_t kxlist[MAX_ALGOS];
- gnutls_cert *cert;
+ gnutls_pcert_st *cert;
int i;
if (session->internals.selected_cert_list_length == 0)
@@ -246,12 +245,13 @@ _gnutls_selected_cert_supported_kx (gnutls_session_t
session,
}
cert = &session->internals.selected_cert_list[0];
+ cert_pk = gnutls_pubkey_get_pk_algorithm(cert->pubkey, NULL);
i = 0;
for (kx = 0; kx < MAX_ALGOS; kx++)
{
pk = _gnutls_map_pk_get_pk (kx);
- if (pk == cert->subject_pk_algorithm)
+ if (pk == cert_pk)
{
/* then check key usage */
if (_gnutls_check_key_usage (cert, kx) == 0)
@@ -709,183 +709,6 @@ gnutls_certificate_activation_time_peers
(gnutls_session_t session)
}
}
-/* Converts the first certificate for the cert_auth_info structure
- * to a gcert.
- */
-int
-_gnutls_get_auth_info_gcert (gnutls_cert * gcert,
- gnutls_certificate_type_t type,
- cert_auth_info_t info,
- int flags /* OR of ConvFlags */ )
-{
- switch (type)
- {
- case GNUTLS_CRT_X509:
- return _gnutls_x509_raw_cert_to_gcert (gcert,
- &info->raw_certificate_list[0],
- flags);
-#ifdef ENABLE_OPENPGP
- case GNUTLS_CRT_OPENPGP:
- return _gnutls_openpgp_raw_crt_to_gcert (gcert,
- &info->raw_certificate_list[0],
- info->use_subkey ? info->
- subkey_id : NULL);
-#endif
- default:
- gnutls_assert ();
- return GNUTLS_E_INTERNAL_ERROR;
- }
-}
-
-/* This function will convert a der certificate to a format
- * (structure) that gnutls can understand and use. Actually the
- * important thing on this function is that it extracts the
- * certificate's (public key) parameters.
- *
- * The noext flag is used to complete the handshake even if the
- * extensions found in the certificate are unsupported and critical.
- * The critical extensions will be catched by the verification functions.
- */
-int
-_gnutls_x509_raw_cert_to_gcert (gnutls_cert * gcert,
- const gnutls_datum_t * derCert,
- int flags /* OR of ConvFlags */ )
-{
- int ret;
- gnutls_x509_crt_t cert;
-
- ret = gnutls_x509_crt_init (&cert);
- if (ret < 0)
- {
- gnutls_assert ();
- return ret;
- }
-
- ret = gnutls_x509_crt_import (cert, derCert, GNUTLS_X509_FMT_DER);
- if (ret < 0)
- {
- gnutls_assert ();
- gnutls_x509_crt_deinit (cert);
- return ret;
- }
-
- ret = _gnutls_x509_crt_to_gcert (gcert, cert, flags);
- gnutls_x509_crt_deinit (cert);
-
- return ret;
-}
-
-/* Like above but it accepts a parsed certificate instead.
- */
-int
-_gnutls_x509_crt_to_gcert (gnutls_cert * gcert,
- gnutls_x509_crt_t cert, unsigned int flags)
-{
- int ret = 0;
-
- memset (gcert, 0, sizeof (gnutls_cert));
- gcert->cert_type = GNUTLS_CRT_X509;
- gcert->sign_algo = gnutls_x509_crt_get_signature_algorithm (cert);
-
- if (!(flags & CERT_NO_COPY))
- {
-#define SMALL_DER 1536
- opaque *der;
- size_t der_size = SMALL_DER;
-
- /* initially allocate a bogus size, just in case the certificate
- * fits in it. That way we minimize the DER encodings performed.
- */
- der = gnutls_malloc (SMALL_DER);
- if (der == NULL)
- {
- gnutls_assert ();
- return GNUTLS_E_MEMORY_ERROR;
- }
-
- ret =
- gnutls_x509_crt_export (cert, GNUTLS_X509_FMT_DER, der, &der_size);
- if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
- {
- gnutls_assert ();
- gnutls_free (der);
- return ret;
- }
-
- if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER)
- {
- der = gnutls_realloc (der, der_size);
- if (der == NULL)
- {
- gnutls_assert ();
- return GNUTLS_E_MEMORY_ERROR;
- }
-
- ret =
- gnutls_x509_crt_export (cert, GNUTLS_X509_FMT_DER, der,
- &der_size);
- if (ret < 0)
- {
- gnutls_assert ();
- gnutls_free (der);
- return ret;
- }
- }
-
- gcert->raw.data = der;
- gcert->raw.size = der_size;
- }
- else
- /* now we have 0 or a bitwise or of things to decode */
- flags ^= CERT_NO_COPY;
-
-
- if (flags & CERT_ONLY_EXTENSIONS || flags == 0)
- {
- ret = gnutls_x509_crt_get_key_usage (cert, &gcert->key_usage, NULL);
- if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
- gcert->key_usage = 0;
- else if (ret < 0)
- {
- gnutls_assert ();
- return ret;
- }
- gcert->version = gnutls_x509_crt_get_version (cert);
- }
- gcert->subject_pk_algorithm = gnutls_x509_crt_get_pk_algorithm (cert, NULL);
-
- if (flags & CERT_ONLY_PUBKEY || flags == 0)
- {
- gcert->params_size = MAX_PUBLIC_PARAMS_SIZE;
- ret =
- _gnutls_x509_crt_get_mpis (cert, gcert->params, &gcert->params_size);
- if (ret < 0)
- {
- gnutls_assert ();
- return ret;
- }
- }
-
- return 0;
-
-}
-
-void
-_gnutls_gcert_deinit (gnutls_cert * cert)
-{
- int i;
-
- if (cert == NULL)
- return;
-
- for (i = 0; i < cert->params_size; i++)
- {
- _gnutls_mpi_release (&cert->params[i]);
- }
-
- _gnutls_free_datum (&cert->raw);
-}
-
/**
* gnutls_sign_callback_set:
* @session: is a gnutls session
@@ -934,3 +757,5 @@ gnutls_sign_callback_get (gnutls_session_t session, void
**userdata)
*userdata = session->internals.sign_func_userdata;
return session->internals.sign_func;
}
+
+
diff --git a/lib/gnutls_cert.h b/lib/gnutls_cert.h
deleted file mode 100644
index a989b43..0000000
--- a/lib/gnutls_cert.h
+++ /dev/null
@@ -1,94 +0,0 @@
-/*
- * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2008, 2010 Free
- * Software Foundation, Inc.
- *
- * Author: Nikos Mavrogiannopoulos
- *
- * This file is part of GnuTLS.
- *
- * The GnuTLS is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public License
- * as published by the Free Software Foundation; either version 2.1 of
- * the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
- * USA
- *
- */
-
-#ifndef GNUTLS_CERT_H
-#define GNUTLS_CERT_H
-
-#include <gnutls_pk.h>
-#include "x509/x509_int.h"
-#include <gnutls/openpgp.h>
-
-#define MAX_PUBLIC_PARAMS_SIZE 4 /* ok for RSA and DSA */
-
-/* parameters should not be larger than this limit */
-#define DSA_PUBLIC_PARAMS 4
-#define RSA_PUBLIC_PARAMS 2
-
-typedef struct gnutls_cert
-{
- /* the size of params depends on the public
- * key algorithm
- * RSA: [0] is modulus
- * [1] is public exponent
- * DSA: [0] is p
- * [1] is q
- * [2] is g
- * [3] is public key
- */
- bigint_t params[MAX_PUBLIC_PARAMS_SIZE];
- int params_size; /* holds the size of MPI params */
-
- gnutls_pk_algorithm_t subject_pk_algorithm;
-
- unsigned int key_usage; /* bits from KEY_*
- */
-
- unsigned int version;
- /* holds the type (PGP, X509)
- */
- gnutls_certificate_type_t cert_type;
- gnutls_sign_algorithm_t sign_algo;
-
- gnutls_datum_t raw;
-
-#ifdef ENABLE_OPENPGP
- int use_subkey;
- gnutls_openpgp_keyid_t subkey_id;
-#endif
-} gnutls_cert;
-
-/* because gnutls_session_t is not defined when this file is included */
-struct gnutls_session_int;
-
-typedef enum ConvFlags
-{
- CERT_NO_COPY = 2,
- CERT_ONLY_PUBKEY = 4,
- CERT_ONLY_EXTENSIONS = 16
-} ConvFlags;
-
-int _gnutls_x509_raw_cert_to_gcert (gnutls_cert * gcert,
- const gnutls_datum_t * derCert,
- int flags);
-int _gnutls_x509_crt_to_gcert (gnutls_cert * gcert, gnutls_x509_crt_t cert,
- unsigned int flags);
-
-void _gnutls_gcert_deinit (gnutls_cert * cert);
-
-int _gnutls_selected_cert_supported_kx (struct gnutls_session_int *session,
- gnutls_kx_algorithm_t ** alg,
- int *alg_size);
-
-#endif
diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
index a7f6fc6..7aa53a3 100644
--- a/lib/gnutls_handshake.c
+++ b/lib/gnutls_handshake.c
@@ -45,7 +45,6 @@
#include "gnutls_auth.h"
#include "gnutls_v2_compat.h"
#include <auth/cert.h>
-#include "gnutls_cert.h"
#include "gnutls_constate.h"
#include <gnutls_record.h>
#include <gnutls_state.h>
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 8f595c7..ab9776e 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -59,6 +59,7 @@ typedef struct
} uint64;
#include <gnutls/gnutls.h>
+#include <gnutls/abstract.h>
/*
* They are not needed any more. You can simply enable
@@ -394,7 +395,6 @@ typedef struct record_parameters_st record_parameters_st;
#include <gnutls_hash_int.h>
#include <gnutls_cipher_int.h>
#include <gnutls_compress.h>
-#include <gnutls_cert.h>
typedef struct
{
@@ -748,7 +748,7 @@ typedef struct
* use _gnutls_selected_certs_deinit() and _gnutls_selected_certs_set()
* to change them.
*/
- gnutls_cert *selected_cert_list;
+ gnutls_pcert_st *selected_cert_list;
int selected_cert_list_length;
struct gnutls_privkey_st *selected_key;
int selected_need_free:1;
diff --git a/lib/gnutls_mpi.c b/lib/gnutls_mpi.c
index b42a95e..2193654 100644
--- a/lib/gnutls_mpi.c
+++ b/lib/gnutls_mpi.c
@@ -33,6 +33,7 @@
#include <gnutls_num.h>
#include <gnutls_mpi.h>
#include <random.h>
+#include <x509/x509_int.h>
/* Functions that refer to the mpi library.
*/
diff --git a/lib/gnutls_pcert.c b/lib/gnutls_pcert.c
new file mode 100644
index 0000000..8787058
--- /dev/null
+++ b/lib/gnutls_pcert.c
@@ -0,0 +1,328 @@
+/*
+ * Copyright (C) 2011 Free Software Foundation, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * The GnuTLS is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * as published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
+ * USA
+ *
+ */
+
+#include <gnutls_int.h>
+#include <gnutls_errors.h>
+#include <auth/cert.h>
+#include <gnutls_x509.h>
+#include "x509/x509_int.h"
+#ifdef ENABLE_OPENPGP
+#include "openpgp/gnutls_openpgp.h"
+#endif
+
+/**
+ * gnutls_pcert_import_x509:
+ * @pcert: The pcert structure
+ * @crt: The raw certificate to be imported
+ * @flags: zero for now
+ *
+ * This convenience function will import the given certificate to a
+ * #gnutls_pcert_st structure. The structure must be deinitialized
+ * afterwards using gnutls_pcert_deinit();
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
+ **/
+int gnutls_pcert_import_x509 (gnutls_pcert_st* pcert,
+ gnutls_x509_crt_t crt, unsigned int flags)
+{
+int ret;
+size_t sz;
+
+ memset(pcert, 0, sizeof(*pcert));
+
+ pcert->type = GNUTLS_CRT_X509;
+ pcert->sign_algo = gnutls_x509_crt_get_signature_algorithm(crt);
+ pcert->cert.data = NULL;
+
+ sz = 0;
+ ret = gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_DER, NULL, &sz);
+ if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
+ {
+ ret = gnutls_assert_val(ret);
+ goto cleanup;
+ }
+
+ pcert->cert.data = gnutls_malloc(sz);
+ if (pcert->cert.data == NULL)
+ {
+ ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+ goto cleanup;
+ }
+
+ ret = gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_DER, pcert->cert.data,
&sz);
+ if (ret < 0)
+ {
+ ret = gnutls_assert_val(ret);
+ goto cleanup;
+ }
+ pcert->cert.size = sz;
+
+ ret = gnutls_pubkey_init(&pcert->pubkey);
+ if (ret < 0)
+ {
+ ret = gnutls_assert_val(ret);
+ goto cleanup;
+ }
+
+ ret = gnutls_pubkey_import_x509(pcert->pubkey, crt, 0);
+ if (ret < 0)
+ {
+ gnutls_pubkey_deinit(pcert->pubkey);
+ ret = gnutls_assert_val(ret);
+ goto cleanup;
+ }
+
+ return 0;
+
+cleanup:
+ gnutls_free(pcert->cert.data);
+
+ return ret;
+}
+
+/**
+ * gnutls_pcert_import_x509_raw:
+ * @pcert: The pcert structure
+ * @cert: The raw certificate to be imported
+ * @format: The format of the certificate
+ * @flags: zero for now
+ *
+ * This convenience function will import the given certificate to a
+ * #gnutls_pcert_st structure. The structure must be deinitialized
+ * afterwards using gnutls_pcert_deinit();
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
+ **/
+int gnutls_pcert_import_x509_raw (gnutls_pcert_st *pcert,
+ const gnutls_datum_t* cert,
+ gnutls_x509_crt_fmt_t format, unsigned int flags)
+{
+int ret;
+gnutls_x509_crt_t crt;
+
+ memset(pcert, 0, sizeof(*pcert));
+
+ ret = gnutls_x509_crt_init(&crt);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ ret = gnutls_x509_crt_import(crt, cert, format);
+ if (ret < 0)
+ {
+ ret = gnutls_assert_val(ret);
+ goto cleanup;
+ }
+
+ ret = gnutls_pcert_import_x509(pcert, crt, flags);
+ if (ret < 0)
+ {
+ ret = gnutls_assert_val(ret);
+ goto cleanup;
+ }
+
+ ret = 0;
+
+cleanup:
+ gnutls_x509_crt_deinit(crt);
+
+ return ret;
+}
+
+/**
+ * gnutls_pcert_import_openpgp:
+ * @pcert: The pcert structure
+ * @cert: The raw certificate to be imported
+ * @flags: zero for now
+ *
+ * This convenience function will import the given certificate to a
+ * #gnutls_pcert_st structure. The structure must be deinitialized
+ * afterwards using gnutls_pcert_deinit();
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
+ **/
+int gnutls_pcert_import_openpgp (gnutls_pcert_st* pcert,
+ gnutls_openpgp_crt_t crt, unsigned int flags)
+{
+int ret;
+size_t sz;
+
+ memset(pcert, 0, sizeof(*pcert));
+
+ pcert->type = GNUTLS_CRT_OPENPGP;
+ pcert->sign_algo = GNUTLS_SIGN_UNKNOWN;
+ pcert->cert.data = NULL;
+
+ sz = 0;
+ ret = gnutls_openpgp_crt_export(crt, GNUTLS_OPENPGP_FMT_RAW, NULL, &sz);
+ if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
+ {
+ ret = gnutls_assert_val(ret);
+ goto cleanup;
+ }
+
+ pcert->cert.data = gnutls_malloc(sz);
+ if (pcert->cert.data == NULL)
+ {
+ ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+ goto cleanup;
+ }
+
+ ret = gnutls_openpgp_crt_export(crt, GNUTLS_X509_FMT_DER, pcert->cert.data,
&sz);
+ if (ret < 0)
+ {
+ ret = gnutls_assert_val(ret);
+ goto cleanup;
+ }
+ pcert->cert.size = sz;
+
+ ret = gnutls_pubkey_init(&pcert->pubkey);
+ if (ret < 0)
+ {
+ ret = gnutls_assert_val(ret);
+ goto cleanup;
+ }
+
+ ret = gnutls_pubkey_import_openpgp(pcert->pubkey, crt, 0);
+ if (ret < 0)
+ {
+ gnutls_pubkey_deinit(pcert->pubkey);
+ ret = gnutls_assert_val(ret);
+ goto cleanup;
+ }
+
+ return 0;
+
+cleanup:
+ gnutls_free(pcert->cert.data);
+
+ return ret;
+}
+
+/**
+ * gnutls_pcert_import_openpgp_raw:
+ * @pcert: The pcert structure
+ * @cert: The raw certificate to be imported
+ * @format: The format of the certificate
+ * @keyid: The key ID to use (NULL for the master key)
+ * @flags: zero for now
+ *
+ * This convenience function will import the given certificate to a
+ * #gnutls_pcert_st structure. The structure must be deinitialized
+ * afterwards using gnutls_pcert_deinit();
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
+ **/
+int gnutls_pcert_import_openpgp_raw (gnutls_pcert_st *pcert,
+ const gnutls_datum_t* cert,
+ gnutls_openpgp_crt_fmt_t format,
+ gnutls_openpgp_keyid_t keyid,
+ unsigned int flags)
+{
+int ret;
+gnutls_openpgp_crt_t crt;
+
+ memset(pcert, 0, sizeof(*pcert));
+
+ pcert->cert.data = NULL;
+
+ ret = gnutls_openpgp_crt_init(&crt);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ ret = gnutls_openpgp_crt_import(crt, cert, format);
+ if (ret < 0)
+ {
+ ret = gnutls_assert_val(ret);
+ goto cleanup;
+ }
+
+ if (keyid != NULL)
+ {
+ ret = gnutls_openpgp_crt_set_preferred_key_id(crt, keyid);
+ if (ret < 0)
+ {
+ ret = gnutls_assert_val(ret);
+ goto cleanup;
+ }
+ }
+
+ ret = gnutls_pcert_import_openpgp(pcert, crt, flags);
+ if (ret < 0)
+ {
+ ret = gnutls_assert_val(ret);
+ goto cleanup;
+ }
+ ret = 0;
+
+cleanup:
+ gnutls_openpgp_crt_deinit(crt);
+
+ return ret;
+}
+
+/**
+ * gnutls_pcert_deinit:
+ * @pcert: The structure to be deinitialized
+ *
+ * This function will deinitialize a pcert structure.
+ **/
+void
+gnutls_pcert_deinit (gnutls_pcert_st *pcert)
+{
+ gnutls_pubkey_deinit(pcert->pubkey);
+ pcert->pubkey = NULL;
+ gnutls_free(pcert->cert.data);
+ pcert->cert.data = NULL;
+}
+
+/* Converts the first certificate for the cert_auth_info structure
+ * to a pcert.
+ */
+int
+_gnutls_get_auth_info_pcert (gnutls_pcert_st* pcert,
+ gnutls_certificate_type_t type,
+ cert_auth_info_t info)
+{
+ switch (type)
+ {
+ case GNUTLS_CRT_X509:
+ return gnutls_pcert_import_x509_raw(pcert,
&info->raw_certificate_list[0],
+ GNUTLS_X509_FMT_DER, GNUTLS_PCERT_NO_CERT);
+#ifdef ENABLE_OPENPGP
+ case GNUTLS_CRT_OPENPGP:
+ return gnutls_pcert_import_openpgp_raw(pcert,
+ &info->raw_certificate_list[0],
+ GNUTLS_OPENPGP_FMT_RAW,
+ info->use_subkey ? info->
+ subkey_id : NULL,
GNUTLS_PCERT_NO_CERT);
+#endif
+ default:
+ gnutls_assert ();
+ return GNUTLS_E_INTERNAL_ERROR;
+ }
+}
diff --git a/lib/gnutls_privkey.c b/lib/gnutls_privkey.c
index 4dc83b4..2b92efb 100644
--- a/lib/gnutls_privkey.c
+++ b/lib/gnutls_privkey.c
@@ -188,7 +188,7 @@ _gnutls_privkey_get_public_mpis (gnutls_privkey_t key,
bigint_t tmp_params[MAX_PRIV_PARAMS_SIZE];
int tmp_params_size = MAX_PRIV_PARAMS_SIZE;
uint32_t kid[2], i;
- gnutls_openpgp_keyid_t keyid;
+ uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
ret =
gnutls_openpgp_privkey_get_preferred_key_id (key->key.openpgp,
@@ -390,7 +390,7 @@ gnutls_privkey_import_openpgp (gnutls_privkey_t pkey,
unsigned int flags)
{
int ret, idx;
-gnutls_openpgp_keyid_t keyid;
+uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
ret = check_if_clean(pkey);
if (ret < 0)
diff --git a/lib/gnutls_pubkey.c b/lib/gnutls_pubkey.c
index 1775a62..0c60ea5 100644
--- a/lib/gnutls_pubkey.c
+++ b/lib/gnutls_pubkey.c
@@ -41,6 +41,8 @@
#define PK_PEM_HEADER "PUBLIC KEY"
+#define OPENPGP_KEY_PRIMARY 2
+#define OPENPGP_KEY_SUBKEY 1
struct gnutls_pubkey_st
{
@@ -59,6 +61,9 @@ struct gnutls_pubkey_st
bigint_t params[MAX_PUBLIC_PARAMS_SIZE];
int params_size; /* holds the size of MPI params */
+ uint8_t openpgp_key_id[GNUTLS_OPENPGP_KEYID_SIZE];
+ int openpgp_key_id_set;
+
unsigned int key_usage; /* bits from GNUTLS_KEY_* */
};
@@ -348,13 +353,17 @@ gnutls_pubkey_import_openpgp (gnutls_pubkey_t key,
int ret, idx;
uint32_t kid32[2];
uint32_t *k;
- gnutls_openpgp_keyid_t keyid;
+ uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
ret = gnutls_openpgp_crt_get_preferred_key_id (crt, keyid);
if (ret == GNUTLS_E_OPENPGP_PREFERRED_KEY_ERROR)
{
- key->pk_algorithm = gnutls_openpgp_crt_get_pk_algorithm(crt, NULL);
key->pk_algorithm = gnutls_openpgp_crt_get_pk_algorithm (crt,
&key->bits);
+ key->openpgp_key_id_set = OPENPGP_KEY_PRIMARY;
+
+ ret = gnutls_openpgp_crt_get_key_id(crt, key->openpgp_key_id);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
ret = gnutls_openpgp_crt_get_key_usage (crt, &key->key_usage);
if (ret < 0)
@@ -369,12 +378,17 @@ gnutls_pubkey_import_openpgp (gnutls_pubkey_t key,
gnutls_assert ();
return ret;
}
+ key->openpgp_key_id_set = OPENPGP_KEY_SUBKEY;
KEYID_IMPORT (kid32, keyid);
k = kid32;
idx = gnutls_openpgp_crt_get_subkey_idx (crt, keyid);
+ ret = gnutls_openpgp_crt_get_subkey_id(crt, idx, key->openpgp_key_id);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
ret = gnutls_openpgp_crt_get_subkey_usage (crt, idx, &key->key_usage);
if (ret < 0)
key->key_usage = 0;
@@ -385,6 +399,7 @@ gnutls_pubkey_import_openpgp (gnutls_pubkey_t key,
switch (key->pk_algorithm)
{
case GNUTLS_PK_RSA:
+ key->params_size = MAX_PUBLIC_PARAMS_SIZE;
ret =
_gnutls_openpgp_crt_get_mpis (crt, k, key->params,
&key->params_size);
@@ -395,6 +410,7 @@ gnutls_pubkey_import_openpgp (gnutls_pubkey_t key,
}
break;
case GNUTLS_PK_DSA:
+ key->params_size = MAX_PUBLIC_PARAMS_SIZE;
ret =
_gnutls_openpgp_crt_get_mpis (crt, k, key->params,
&key->params_size);
@@ -412,6 +428,60 @@ gnutls_pubkey_import_openpgp (gnutls_pubkey_t key,
return 0;
}
+/**
+ * gnutls_pubkey_get_openpgp_key_id:
+ * @key: Holds the public key
+ * @flags: should be 0 for now
+ * @output_data: will contain the key ID
+ * @output_data_size: holds the size of output_data (and will be
+ * replaced by the actual size of parameters)
+ * @subkey: Will be non zero if the key ID corresponds to a subkey
+ *
+ * This function will return a unique ID the depends on the public
+ * key parameters. This ID can be used in checking whether a
+ * certificate corresponds to the given public key.
+ *
+ * If the buffer provided is not long enough to hold the output, then
+ * *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
+ * be returned. The output will normally be a SHA-1 hash output,
+ * which is 20 bytes.
+ *
+ * Return value: In case of failure a negative value will be
+ * returned, and 0 on success.
+ **/
+int
+gnutls_pubkey_get_openpgp_key_id (gnutls_pubkey_t key, unsigned int flags,
+ unsigned char *output_data,
+ size_t * output_data_size,
+ unsigned int *subkey)
+{
+ if (key == NULL)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+ if (*output_data_size < sizeof(key->openpgp_key_id))
+ {
+ *output_data_size = sizeof(key->openpgp_key_id);
+ return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
+ }
+
+ if (key->openpgp_key_id_set == 0)
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+
+ if (key->openpgp_key_id_set == OPENPGP_KEY_SUBKEY)
+ if (subkey) *subkey = 1;
+
+ if (output_data)
+ {
+ memcpy(output_data, key->openpgp_key_id, sizeof(key->openpgp_key_id));
+ }
+ *output_data_size = sizeof(key->openpgp_key_id);
+
+ return 0;
+}
+
#endif
/**
@@ -1020,7 +1090,7 @@ gnutls_pubkey_import_dsa_raw (gnutls_pubkey_t key,
* gnutls_pubkey_verify_data:
* @pubkey: Holds the public key
* @flags: should be 0 for now
- * @data: holds the data to be signed
+ * @data: holds the signed data
* @signature: contains the signature
*
* This function will verify the given signed data, using the
@@ -1074,19 +1144,20 @@ gnutls_pubkey_verify_hash (gnutls_pubkey_t key,
unsigned int flags,
const gnutls_datum_t * hash,
const gnutls_datum_t * signature)
{
- int ret;
-
if (key == NULL)
{
gnutls_assert ();
return GNUTLS_E_INVALID_REQUEST;
}
- ret =
- pubkey_verify_sig (NULL, hash, signature, key->pk_algorithm,
+ if (flags & GNUTLS_PUBKEY_VERIFY_FLAG_TLS_RSA)
+ return _gnutls_rsa_verify (hash, signature, key->params,
+ key->params_size, 1);
+ else
+ {
+ return pubkey_verify_sig (NULL, hash, signature, key->pk_algorithm,
key->params, key->params_size);
-
- return ret;
+ }
}
/**
@@ -1118,3 +1189,56 @@ gnutls_pubkey_get_verify_algorithm (gnutls_pubkey_t key,
key->params, key->params_size);
}
+
+
+int _gnutls_pubkey_compatible_with_sig(gnutls_pubkey_t pubkey,
gnutls_protocol_t ver,
+ gnutls_sign_algorithm_t sign)
+{
+ if (pubkey->pk_algorithm == GNUTLS_PK_DSA)
+ { /* override */
+ int hash_algo = _gnutls_dsa_q_to_hash (pubkey->params[1]);
+
+ /* DSA keys over 1024 bits cannot be used with TLS 1.x, x<2 */
+ if (!_gnutls_version_has_selectable_sighash (ver))
+ {
+ if (hash_algo != GNUTLS_DIG_SHA1)
+ return
gnutls_assert_val(GNUTLS_E_INCOMPAT_DSA_KEY_WITH_TLS_PROTOCOL);
+ }
+ else if (sign != GNUTLS_SIGN_UNKNOWN)
+ {
+ if (_gnutls_sign_get_hash_algorithm(sign) != hash_algo)
+ return GNUTLS_E_UNWANTED_ALGORITHM;
+ }
+
+ }
+
+ return 0;
+}
+
+/* Returns zero if the public key has more than 512 bits */
+int _gnutls_pubkey_is_over_rsa_512(gnutls_pubkey_t pubkey)
+{
+ if (pubkey->pk_algorithm == GNUTLS_PK_RSA && _gnutls_mpi_get_nbits
(pubkey->params[0]) > 512)
+ return 0;
+ else
+ return GNUTLS_E_INVALID_REQUEST; /* doesn't matter */
+
+}
+
+/* Returns the public key. The mpis are the internal copy. Should
+ * not be deallocated.
+ */
+int
+_gnutls_pubkey_get_mpis (gnutls_pubkey_t key,
+ bigint_t * params, int *params_size)
+{
+ int i;
+
+ if (*params_size < key->params_size)
+ return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
+
+ for (i=0;i<key->params_size;i++)
+ params[i] = key->params[i];
+
+ return 0;
+}
diff --git a/lib/gnutls_sig.c b/lib/gnutls_sig.c
index c80db8e..cfc491e 100644
--- a/lib/gnutls_sig.c
+++ b/lib/gnutls_sig.c
@@ -28,7 +28,6 @@
#include <x509_b64.h>
#include <auth/cert.h>
#include <gnutls_algorithms.h>
-#include <gnutls_cert.h>
#include <gnutls_datum.h>
#include <gnutls_mpi.h>
#include <gnutls_global.h>
@@ -41,10 +40,11 @@
#include <ext/signature.h>
#include <gnutls_state.h>
#include <x509/common.h>
+#include <abstract_int.h>
static int
sign_tls_hash (gnutls_session_t session, gnutls_digest_algorithm_t hash_algo,
- gnutls_cert * cert, gnutls_privkey_t pkey,
+ gnutls_pcert_st* cert, gnutls_privkey_t pkey,
const gnutls_datum_t * hash_concat,
gnutls_datum_t * signature);
@@ -59,7 +59,7 @@ sign_tls_hash (gnutls_session_t session,
gnutls_digest_algorithm_t hash_algo,
* Used in DHE_* ciphersuites.
*/
int
-_gnutls_handshake_sign_data (gnutls_session_t session, gnutls_cert * cert,
+_gnutls_handshake_sign_data (gnutls_session_t session, gnutls_pcert_st* cert,
gnutls_privkey_t pkey, gnutls_datum_t * params,
gnutls_datum_t * signature,
gnutls_sign_algorithm_t * sign_algo)
@@ -97,7 +97,7 @@ _gnutls_handshake_sign_data (gnutls_session_t session,
gnutls_cert * cert,
GNUTLS_RANDOM_SIZE);
_gnutls_hash (&td_sha, params->data, params->size);
- switch (cert->subject_pk_algorithm)
+ switch (gnutls_pubkey_get_pk_algorithm(cert->pubkey, NULL))
{
case GNUTLS_PK_RSA:
if (!_gnutls_version_has_selectable_sighash (ver))
@@ -207,19 +207,21 @@ _gnutls_soft_sign (gnutls_pk_algorithm_t algo, bigint_t *
params,
*/
static int
sign_tls_hash (gnutls_session_t session, gnutls_digest_algorithm_t hash_algo,
- gnutls_cert * cert, gnutls_privkey_t pkey,
+ gnutls_pcert_st* cert, gnutls_privkey_t pkey,
const gnutls_datum_t * hash_concat,
gnutls_datum_t * signature)
{
gnutls_protocol_t ver = gnutls_protocol_get_version (session);
-
+ unsigned int key_usage = 0;
/* If our certificate supports signing
*/
if (cert != NULL)
{
- if (cert->key_usage != 0)
- if (!(cert->key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
+ gnutls_pubkey_get_key_usage(cert->pubkey, &key_usage);
+
+ if (key_usage != 0)
+ if (!(key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
{
gnutls_assert ();
return GNUTLS_E_KEY_USAGE_VIOLATION;
@@ -233,7 +235,7 @@ sign_tls_hash (gnutls_session_t session,
gnutls_digest_algorithm_t hash_algo,
return (*session->internals.sign_func)
(session, session->internals.sign_func_userdata,
- cert->cert_type, &cert->raw, hash_concat, signature);
+ cert->type, &cert->cert, hash_concat, signature);
}
}
@@ -244,33 +246,34 @@ sign_tls_hash (gnutls_session_t session,
gnutls_digest_algorithm_t hash_algo,
}
static int
-verify_tls_hash (gnutls_protocol_t ver, gnutls_cert * cert,
+verify_tls_hash (gnutls_protocol_t ver, gnutls_pcert_st* cert,
const gnutls_datum_t * hash_concat,
gnutls_datum_t * signature, size_t sha1pos,
gnutls_pk_algorithm_t pk_algo)
{
int ret;
gnutls_datum_t vdata;
+ unsigned int key_usage = 0, flags;
- if (cert == NULL || cert->version == 0)
- { /* this is the only way to check
- * if it is initialized
- */
+ if (cert == NULL)
+ {
gnutls_assert ();
return GNUTLS_E_CERTIFICATE_ERROR;
}
+ gnutls_pubkey_get_key_usage(cert->pubkey, &key_usage);
+
/* If the certificate supports signing continue.
*/
- if (cert->key_usage != 0)
- if (!(cert->key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
+ if (key_usage != 0)
+ if (!(key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
{
gnutls_assert ();
return GNUTLS_E_KEY_USAGE_VIOLATION;
}
if (pk_algo == GNUTLS_PK_UNKNOWN)
- pk_algo = cert->subject_pk_algorithm;
+ pk_algo = gnutls_pubkey_get_pk_algorithm(cert->pubkey, NULL);
switch (pk_algo)
{
case GNUTLS_PK_RSA:
@@ -280,17 +283,10 @@ verify_tls_hash (gnutls_protocol_t ver, gnutls_cert *
cert,
/* verify signature */
if (!_gnutls_version_has_selectable_sighash (ver))
- ret = _gnutls_rsa_verify (&vdata, signature, cert->params,
- cert->params_size, 1);
+ flags = GNUTLS_PUBKEY_VERIFY_FLAG_TLS_RSA;
else
- ret = pubkey_verify_sig( NULL, &vdata, signature, pk_algo,
- cert->params, cert->params_size);
+ flags = 0;
- if (ret < 0)
- {
- gnutls_assert ();
- return ret;
- }
break;
case GNUTLS_PK_DSA:
@@ -298,14 +294,7 @@ verify_tls_hash (gnutls_protocol_t ver, gnutls_cert * cert,
vdata.data = &hash_concat->data[sha1pos];
vdata.size = hash_concat->size - sha1pos;
- ret = pubkey_verify_sig( NULL, &vdata, signature, pk_algo,
- cert->params, cert->params_size);
- /* verify signature */
- if (ret < 0)
- {
- gnutls_assert ();
- return ret;
- }
+ flags = 0;
break;
default:
@@ -313,6 +302,11 @@ verify_tls_hash (gnutls_protocol_t ver, gnutls_cert * cert,
return GNUTLS_E_INTERNAL_ERROR;
}
+ ret = gnutls_pubkey_verify_hash(cert->pubkey, flags, &vdata,
+ signature);
+
+ if (ret < 0)
+ return gnutls_assert_val(ret);
return 0;
@@ -323,7 +317,7 @@ verify_tls_hash (gnutls_protocol_t ver, gnutls_cert * cert,
* Used in DHE_* ciphersuites.
*/
int
-_gnutls_handshake_verify_data (gnutls_session_t session, gnutls_cert * cert,
+_gnutls_handshake_verify_data (gnutls_session_t session, gnutls_pcert_st* cert,
const gnutls_datum_t * params,
gnutls_datum_t * signature,
gnutls_sign_algorithm_t algo)
@@ -341,7 +335,7 @@ _gnutls_handshake_verify_data (gnutls_session_t session,
gnutls_cert * cert,
_gnutls_handshake_log ("HSK[%p]: verify handshake data: using %s\n",
session, gnutls_sign_algorithm_get_name (algo));
- ret = cert_compatible_with_sig(cert, ver, algo);
+ ret = _gnutls_pubkey_compatible_with_sig(cert->pubkey, ver, algo);
if (ret < 0)
return gnutls_assert_val(ret);
@@ -420,7 +414,7 @@ _gnutls_handshake_verify_data (gnutls_session_t session,
gnutls_cert * cert,
*/
static int
_gnutls_handshake_verify_cert_vrfy12 (gnutls_session_t session,
- gnutls_cert * cert,
+ gnutls_pcert_st* cert,
gnutls_datum_t * signature,
gnutls_sign_algorithm_t sign_algo)
{
@@ -432,18 +426,19 @@ _gnutls_handshake_verify_cert_vrfy12 (gnutls_session_t
session,
gnutls_digest_algorithm_t hash_algo;
digest_hd_st *handshake_td;
gnutls_protocol_t ver = gnutls_protocol_get_version (session);
+ gnutls_pk_algorithm_t pk = gnutls_pubkey_get_pk_algorithm(cert->pubkey,
NULL);
handshake_td = &session->internals.handshake_mac_handle.tls12.sha1;
hash_algo = handshake_td->algorithm;
_sign_algo =
- _gnutls_x509_pk_to_sign (cert->subject_pk_algorithm, hash_algo);
+ _gnutls_x509_pk_to_sign (pk, hash_algo);
if (_sign_algo != sign_algo)
{
handshake_td = &session->internals.handshake_mac_handle.tls12.sha256;
hash_algo = handshake_td->algorithm;
_sign_algo =
- _gnutls_x509_pk_to_sign (cert->subject_pk_algorithm, hash_algo);
+ _gnutls_x509_pk_to_sign (pk, hash_algo);
if (sign_algo != _sign_algo)
{
gnutls_assert ();
@@ -464,8 +459,7 @@ _gnutls_handshake_verify_cert_vrfy12 (gnutls_session_t
session,
dconcat.size = _gnutls_hash_get_algo_len (hash_algo);
ret =
- verify_tls_hash (ver, cert, &dconcat, signature, 0,
- cert->subject_pk_algorithm);
+ verify_tls_hash (ver, cert, &dconcat, signature, 0, pk);
if (ret < 0)
{
gnutls_assert ();
@@ -481,7 +475,7 @@ _gnutls_handshake_verify_cert_vrfy12 (gnutls_session_t
session,
*/
int
_gnutls_handshake_verify_cert_vrfy (gnutls_session_t session,
- gnutls_cert * cert,
+ gnutls_pcert_st *cert,
gnutls_datum_t * signature,
gnutls_sign_algorithm_t sign_algo)
{
@@ -567,7 +561,7 @@ _gnutls_handshake_verify_cert_vrfy (gnutls_session_t
session,
ret =
verify_tls_hash (ver, cert, &dconcat, signature, 16,
- cert->subject_pk_algorithm);
+ gnutls_pubkey_get_pk_algorithm(cert->pubkey, NULL));
if (ret < 0)
{
gnutls_assert ();
@@ -582,7 +576,7 @@ _gnutls_handshake_verify_cert_vrfy (gnutls_session_t
session,
*/
static int
_gnutls_handshake_sign_cert_vrfy12 (gnutls_session_t session,
- gnutls_cert * cert, gnutls_privkey_t pkey,
+ gnutls_pcert_st* cert, gnutls_privkey_t
pkey,
gnutls_datum_t * signature)
{
gnutls_datum_t dconcat;
@@ -647,15 +641,16 @@ _gnutls_handshake_sign_cert_vrfy12 (gnutls_session_t
session,
*/
int
_gnutls_handshake_sign_cert_vrfy (gnutls_session_t session,
- gnutls_cert * cert, gnutls_privkey_t pkey,
+ gnutls_pcert_st* cert, gnutls_privkey_t pkey,
gnutls_datum_t * signature)
{
gnutls_datum_t dconcat;
- int ret, hash_algo;
+ int ret;
opaque concat[MAX_SIG_SIZE];
digest_hd_st td_md5;
digest_hd_st td_sha;
gnutls_protocol_t ver = gnutls_protocol_get_version (session);
+ gnutls_pk_algorithm_t pk = gnutls_pubkey_get_pk_algorithm(cert->pubkey,
NULL);
if (session->security_parameters.handshake_mac_handle_type ==
HANDSHAKE_MAC_TYPE_12)
@@ -699,7 +694,12 @@ _gnutls_handshake_sign_cert_vrfy (gnutls_session_t session,
else
_gnutls_hash_deinit (&td_sha, &concat[16]);
- switch (cert->subject_pk_algorithm)
+ /* ensure 1024 bit DSA keys are used */
+ ret = _gnutls_pubkey_compatible_with_sig(cert->pubkey, ver,
GNUTLS_SIGN_UNKNOWN);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ switch (pk)
{
case GNUTLS_PK_RSA:
ret =
@@ -728,10 +728,6 @@ _gnutls_handshake_sign_cert_vrfy (gnutls_session_t session,
dconcat.size = 36;
break;
case GNUTLS_PK_DSA:
- /* ensure 1024 bit DSA keys are used */
- hash_algo = _gnutls_dsa_q_to_hash (cert->params[1]);
- if (!_gnutls_version_has_selectable_sighash (ver) && hash_algo !=
GNUTLS_DIG_SHA1)
- return gnutls_assert_val(GNUTLS_E_INCOMPAT_DSA_KEY_WITH_TLS_PROTOCOL);
dconcat.data = &concat[16];
dconcat.size = 20;
diff --git a/lib/gnutls_sig.h b/lib/gnutls_sig.h
index cce964f..44bbce0 100644
--- a/lib/gnutls_sig.h
+++ b/lib/gnutls_sig.h
@@ -29,24 +29,24 @@
#include <gnutls/abstract.h>
int _gnutls_handshake_sign_cert_vrfy (gnutls_session_t session,
- gnutls_cert * cert,
+ gnutls_pcert_st* cert,
gnutls_privkey_t pkey,
gnutls_datum_t * signature);
int _gnutls_handshake_sign_data (gnutls_session_t session,
- gnutls_cert * cert,
+ gnutls_pcert_st* cert,
gnutls_privkey_t pkey,
gnutls_datum_t * params,
gnutls_datum_t * signature,
gnutls_sign_algorithm_t * algo);
int _gnutls_handshake_verify_cert_vrfy (gnutls_session_t session,
- gnutls_cert * cert,
+ gnutls_pcert_st* cert,
gnutls_datum_t * signature,
gnutls_sign_algorithm_t);
int _gnutls_handshake_verify_data (gnutls_session_t session,
- gnutls_cert * cert,
+ gnutls_pcert_st* cert,
const gnutls_datum_t * params,
gnutls_datum_t * signature,
gnutls_sign_algorithm_t algo);
diff --git a/lib/gnutls_state.c b/lib/gnutls_state.c
index ecd720a..a8111ba 100644
--- a/lib/gnutls_state.c
+++ b/lib/gnutls_state.c
@@ -187,7 +187,7 @@ _gnutls_session_cert_type_supported (gnutls_session_t
session,
{
for (i = 0; i < cred->ncerts; i++)
{
- if (cred->cert_list[i][0].cert_type == cert_type)
+ if (cred->cert_list[i][0].type == cert_type)
{
cert_found = 1;
break;
diff --git a/lib/gnutls_ui.c b/lib/gnutls_ui.c
index c023cde..2c3fc0d 100644
--- a/lib/gnutls_ui.c
+++ b/lib/gnutls_ui.c
@@ -479,7 +479,7 @@ gnutls_certificate_get_ours (gnutls_session_t session)
if (session->internals.selected_cert_list == NULL)
return NULL;
- return &session->internals.selected_cert_list[0].raw;
+ return &session->internals.selected_cert_list[0].cert;
}
/**
diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c
index ef2ba5f..db506b5 100644
--- a/lib/gnutls_x509.c
+++ b/lib/gnutls_x509.c
@@ -26,7 +26,6 @@
#include <gnutls_int.h>
#include "gnutls_auth.h"
#include "gnutls_errors.h"
-#include <gnutls_cert.h>
#include <auth/cert.h>
#include "gnutls_dh.h"
#include "gnutls_num.h"
@@ -199,7 +198,7 @@ _gnutls_x509_cert_verify_peers (gnutls_session_t session,
static int
_gnutls_check_key_cert_match (gnutls_certificate_credentials_t res)
{
- unsigned int pk = res->cert_list[res->ncerts - 1][0].subject_pk_algorithm;
+ unsigned int pk = gnutls_pubkey_get_pk_algorithm(res->cert_list[res->ncerts
- 1][0].pubkey, NULL);
if (gnutls_privkey_get_pk_algorithm (res->pkey[res->ncerts - 1], NULL) !=
pk)
@@ -220,7 +219,7 @@ parse_der_cert_mem (gnutls_certificate_credentials_t res,
{
gnutls_datum_t tmp;
gnutls_x509_crt_t crt;
- gnutls_cert *ccert;
+ gnutls_pcert_st *ccert;
int ret;
ccert = gnutls_malloc (sizeof (*ccert));
@@ -248,7 +247,7 @@ parse_der_cert_mem (gnutls_certificate_credentials_t res,
goto cleanup;
}
- ret = _gnutls_x509_crt_to_gcert (ccert, crt, 0);
+ ret = gnutls_pcert_import_x509 (ccert, crt, 0);
gnutls_x509_crt_deinit (crt);
if (ret < 0)
@@ -278,12 +277,11 @@ static int
parse_pem_cert_mem (gnutls_certificate_credentials_t res,
const char *input_cert, int input_cert_size)
{
- int size, siz2;
+ int size;
const char *ptr;
- opaque *ptr2;
gnutls_datum_t tmp;
int ret, count, i;
- gnutls_cert *certs = NULL;
+ gnutls_pcert_st *certs = NULL;
/* move to the certificate
*/
@@ -304,16 +302,7 @@ parse_pem_cert_mem (gnutls_certificate_credentials_t res,
do
{
-
- siz2 = _gnutls_fbase64_decode (NULL, ptr, size, &ptr2);
- if (siz2 < 0)
- {
- gnutls_assert ();
- ret = GNUTLS_E_BASE64_DECODING_ERROR;
- goto cleanup;
- }
-
- certs = gnutls_realloc_fast (certs, (count + 1) * sizeof (gnutls_cert));
+ certs = gnutls_realloc_fast (certs, (count + 1) * sizeof
(gnutls_pcert_st));
if (certs == NULL)
{
@@ -322,18 +311,16 @@ parse_pem_cert_mem (gnutls_certificate_credentials_t res,
goto cleanup;
}
- tmp.data = ptr2;
- tmp.size = siz2;
+ tmp.data = (void*)ptr;
+ tmp.size = size;
- ret = _gnutls_x509_raw_cert_to_gcert (&certs[count], &tmp, 0);
+ ret = gnutls_pcert_import_x509_raw (&certs[count], &tmp,
GNUTLS_X509_FMT_PEM, 0);
if (ret < 0)
{
gnutls_assert ();
goto cleanup;
}
- _gnutls_free_datum (&tmp); /* free ptr2 */
-
/* now we move ptr after the pem header
*/
ptr++;
@@ -371,7 +358,7 @@ parse_pem_cert_mem (gnutls_certificate_credentials_t res,
cleanup:
for (i=0;i<count;i++)
- _gnutls_gcert_deinit(&certs[i]);
+ gnutls_pcert_deinit(&certs[i]);
gnutls_free(certs);
return ret;
}
@@ -632,7 +619,7 @@ read_cert_url (gnutls_certificate_credentials_t res, const
char *url)
{
int ret;
gnutls_x509_crt_t crt;
- gnutls_cert *ccert;
+ gnutls_pcert_st *ccert;
ccert = gnutls_malloc (sizeof (*ccert));
if (ccert == NULL)
@@ -663,7 +650,7 @@ read_cert_url (gnutls_certificate_credentials_t res, const
char *url)
return ret;
}
- ret = _gnutls_x509_crt_to_gcert (ccert, crt, 0);
+ ret = gnutls_pcert_import_x509 (ccert, crt, 0);
gnutls_x509_crt_deinit (crt);
if (ret < 0)
@@ -807,12 +794,12 @@ gnutls_certificate_set_x509_key_mem
(gnutls_certificate_credentials_t res,
int
certificate_credential_append_crt_list (gnutls_certificate_credentials_t res,
- gnutls_cert * crt, int nr)
+ gnutls_pcert_st * crt, int nr)
{
res->cert_list = gnutls_realloc_fast (res->cert_list,
(1 +
res->ncerts) *
- sizeof (gnutls_cert *));
+ sizeof (gnutls_pcert_st *));
if (res->cert_list == NULL)
{
gnutls_assert ();
@@ -880,7 +867,7 @@ gnutls_certificate_set_x509_key
(gnutls_certificate_credentials_t res,
{
int ret, i;
gnutls_privkey_t pkey;
- gnutls_cert *pcerts = NULL;
+ gnutls_pcert_st *pcerts = NULL;
/* this should be first
*/
@@ -906,7 +893,7 @@ gnutls_certificate_set_x509_key
(gnutls_certificate_credentials_t res,
}
/* load certificates */
- pcerts = gnutls_malloc (sizeof (gnutls_cert) * cert_list_size);
+ pcerts = gnutls_malloc (sizeof (gnutls_pcert_st) * cert_list_size);
if (pcerts == NULL)
{
gnutls_assert ();
@@ -915,7 +902,7 @@ gnutls_certificate_set_x509_key
(gnutls_certificate_credentials_t res,
for (i = 0; i < cert_list_size; i++)
{
- ret = _gnutls_x509_crt_to_gcert (&pcerts[i], cert_list[i], 0);
+ ret = gnutls_pcert_import_x509 (&pcerts[i], cert_list[i], 0);
if (ret < 0)
{
gnutls_assert ();
@@ -1052,7 +1039,7 @@ add_new_crt_to_rdn_seq (gnutls_certificate_credentials_t
res, gnutls_x509_crt_t*
* certificate (uses the KeyUsage field).
*/
int
-_gnutls_check_key_usage (const gnutls_cert * cert, gnutls_kx_algorithm_t alg)
+_gnutls_check_key_usage (const gnutls_pcert_st* cert, gnutls_kx_algorithm_t
alg)
{
unsigned int key_usage = 0;
int encipher_type;
@@ -1067,7 +1054,7 @@ _gnutls_check_key_usage (const gnutls_cert * cert,
gnutls_kx_algorithm_t alg)
_gnutls_map_kx_get_cred (alg, 0) == GNUTLS_CRD_CERTIFICATE)
{
- key_usage = cert->key_usage;
+ gnutls_pubkey_get_key_usage(cert->pubkey, &key_usage);
encipher_type = _gnutls_kx_encipher_type (alg);
diff --git a/lib/gnutls_x509.h b/lib/gnutls_x509.h
index db10589..119f3df 100644
--- a/lib/gnutls_x509.h
+++ b/lib/gnutls_x509.h
@@ -37,7 +37,7 @@ int _gnutls_x509_cert_verify_peers (gnutls_session_t session,
#define PEM_KEY_RSA_SEP "-----BEGIN RSA"
#define PEM_KEY_DSA_SEP "-----BEGIN DSA"
-int _gnutls_check_key_usage (const gnutls_cert * cert,
+int _gnutls_check_key_usage (const gnutls_pcert_st* cert,
gnutls_kx_algorithm_t alg);
int _gnutls_x509_raw_privkey_to_gkey (gnutls_privkey_t * privkey,
diff --git a/lib/includes/gnutls/abstract.h b/lib/includes/gnutls/abstract.h
index 73266df..33eefef 100644
--- a/lib/includes/gnutls/abstract.h
+++ b/lib/includes/gnutls/abstract.h
@@ -49,6 +49,12 @@ int gnutls_pubkey_get_key_id (gnutls_pubkey_t key, unsigned
int flags,
unsigned char *output_data,
size_t * output_data_size);
+int
+gnutls_pubkey_get_openpgp_key_id (gnutls_pubkey_t key, unsigned int flags,
+ unsigned char *output_data,
+ size_t * output_data_size,
+ unsigned int *subkey);
+
int gnutls_pubkey_get_key_usage (gnutls_pubkey_t key, unsigned int *usage);
int gnutls_pubkey_set_key_usage (gnutls_pubkey_t key, unsigned int usage);
@@ -73,6 +79,7 @@ int gnutls_x509_crt_set_pubkey (gnutls_x509_crt_t crt,
gnutls_pubkey_t key);
int gnutls_x509_crq_set_pubkey (gnutls_x509_crq_t crq, gnutls_pubkey_t key);
+#define GNUTLS_PUBKEY_VERIFY_FLAG_TLS_RSA 1
int
gnutls_pubkey_verify_hash (gnutls_pubkey_t key, unsigned int flags,
const gnutls_datum_t * hash,
@@ -146,4 +153,34 @@ int gnutls_x509_crq_privkey_sign (gnutls_x509_crq_t crq,
gnutls_digest_algorithm_t dig,
unsigned int flags);
+/* pcert */
+typedef struct gnutls_pcert_st {
+ gnutls_pubkey_t pubkey;
+ gnutls_datum_t cert;
+ gnutls_certificate_type_t type; /* type of the certificate */
+ gnutls_sign_algorithm_t sign_algo; /* sign algorithm of the certificate
*/
+} gnutls_pcert_st;
+
+/* Do not initialize the "cert" element of
+ * the certificate */
+#define GNUTLS_PCERT_NO_CERT 1
+
+int gnutls_pcert_import_x509 (gnutls_pcert_st* pcert,
+ gnutls_x509_crt_t crt, unsigned int flags);
+
+int gnutls_pcert_import_x509_raw (gnutls_pcert_st* pcert,
+ const gnutls_datum_t* cert,
+ gnutls_x509_crt_fmt_t format, unsigned int flags);
+
+int gnutls_pcert_import_openpgp_raw (gnutls_pcert_st* pcert,
+ const gnutls_datum_t* cert,
+ gnutls_openpgp_crt_fmt_t format,
+ gnutls_openpgp_keyid_t keyid, unsigned int flags);
+
+int gnutls_pcert_import_openpgp (gnutls_pcert_st* pcert,
+ gnutls_openpgp_crt_t crt, unsigned int flags);
+
+void gnutls_pcert_deinit (gnutls_pcert_st* pcert);
+
+
#endif
diff --git a/lib/opencdk/pubkey.c b/lib/opencdk/pubkey.c
index 835e6b5..611aae8 100644
--- a/lib/opencdk/pubkey.c
+++ b/lib/opencdk/pubkey.c
@@ -27,7 +27,8 @@
#endif
#include <gnutls_int.h>
#include <gnutls_datum.h>
-
+#include <gnutls_pk.h>
+#include <x509/common.h>
#include "opencdk.h"
#include "main.h"
#include "packet.h"
diff --git a/lib/openpgp/gnutls_openpgp.c b/lib/openpgp/gnutls_openpgp.c
index 5917447..ca2eeef 100644
--- a/lib/openpgp/gnutls_openpgp.c
+++ b/lib/openpgp/gnutls_openpgp.c
@@ -27,11 +27,11 @@
#include "gnutls_errors.h"
#include "gnutls_mpi.h"
#include "gnutls_num.h"
-#include "gnutls_cert.h"
#include "gnutls_datum.h"
#include "gnutls_global.h"
#include "gnutls_openpgp.h"
#include "read-file.h"
+#include <gnutls/abstract.h>
#include <gnutls_str.h>
#include <gnutls_sig.h>
#include <stdio.h>
@@ -67,54 +67,6 @@ _gnutls_map_cdk_rc (int rc)
}
}
-/*-
- * _gnutls_openpgp_raw_crt_to_gcert - Converts raw OpenPGP data to GnuTLS certs
- * @cert: the certificate to store the data.
- * @raw: the buffer which contains the whole OpenPGP key packets.
- *
- * The RFC2440 (OpenPGP Message Format) data is converted to a GnuTLS
- * specific certificate.
- -*/
-int
-_gnutls_openpgp_raw_crt_to_gcert (gnutls_cert * gcert,
- const gnutls_datum_t * raw,
- const gnutls_openpgp_keyid_t keyid)
-{
- gnutls_openpgp_crt_t pcrt;
- int ret;
-
- ret = gnutls_openpgp_crt_init (&pcrt);
- if (ret < 0)
- {
- gnutls_assert ();
- return ret;
- }
-
- ret = gnutls_openpgp_crt_import (pcrt, raw, GNUTLS_OPENPGP_FMT_RAW);
- if (ret < 0)
- {
- gnutls_assert ();
- gnutls_openpgp_crt_deinit (pcrt);
- return ret;
- }
-
- if (keyid != NULL)
- {
- ret = gnutls_openpgp_crt_set_preferred_key_id (pcrt, keyid);
- if (ret < 0)
- {
- gnutls_assert ();
- gnutls_openpgp_crt_deinit (pcrt);
- return ret;
- }
- }
-
- ret = _gnutls_openpgp_crt_to_gcert (gcert, pcrt);
- gnutls_openpgp_crt_deinit (pcrt);
-
- return ret;
-}
-
/**
* gnutls_certificate_set_openpgp_key:
* @res: is a #gnutls_certificate_credentials_t structure.
@@ -140,7 +92,7 @@ gnutls_certificate_set_openpgp_key
(gnutls_certificate_credentials_t res,
{
int ret;
gnutls_privkey_t privkey;
- gnutls_cert *ccert;
+ gnutls_pcert_st *ccert;
/* this should be first */
@@ -162,7 +114,7 @@ gnutls_certificate_set_openpgp_key
(gnutls_certificate_credentials_t res,
}
- ccert = gnutls_calloc (1, sizeof (gnutls_cert));
+ ccert = gnutls_calloc (1, sizeof (gnutls_pcert_st));
if (ccert == NULL)
{
gnutls_assert ();
@@ -170,7 +122,7 @@ gnutls_certificate_set_openpgp_key
(gnutls_certificate_credentials_t res,
return GNUTLS_E_MEMORY_ERROR;
}
- ret = _gnutls_openpgp_crt_to_gcert (ccert, crt);
+ ret = gnutls_pcert_import_openpgp (ccert, crt, 0);
if (ret < 0)
{
gnutls_assert ();
@@ -369,7 +321,7 @@ gnutls_certificate_set_openpgp_key_mem2
(gnutls_certificate_credentials_t res,
gnutls_openpgp_privkey_t pkey;
gnutls_openpgp_crt_t crt;
int ret;
- gnutls_openpgp_keyid_t keyid;
+ uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
ret = gnutls_openpgp_privkey_init (&pkey);
if (ret < 0)
@@ -718,125 +670,3 @@ gnutls_openpgp_set_recv_key_function (gnutls_session_t
session,
session->internals.openpgp_recv_key_func = func;
}
-
-/* Converts a parsed gnutls_openpgp_crt_t to a gnutls_cert structure.
- */
-int
-_gnutls_openpgp_crt_to_gcert (gnutls_cert * gcert, gnutls_openpgp_crt_t cert)
-{
- int ret;
- gnutls_openpgp_keyid_t keyid;
- char err_buf[33];
-
- memset (gcert, 0, sizeof (gnutls_cert));
- gcert->cert_type = GNUTLS_CRT_OPENPGP;
- gcert->sign_algo = GNUTLS_SIGN_UNKNOWN; /* N/A here */
-
- gcert->version = gnutls_openpgp_crt_get_version (cert);
- gcert->params_size = MAX_PUBLIC_PARAMS_SIZE;
-
- ret = gnutls_openpgp_crt_get_preferred_key_id (cert, keyid);
-
- if (ret == 0)
- {
- int idx;
- uint32_t kid32[2];
-
- _gnutls_debug_log
- ("Importing Openpgp cert and using openpgp sub key: %s\n",
- _gnutls_bin2hex (keyid, GNUTLS_OPENPGP_KEYID_SIZE, err_buf, sizeof
(err_buf),
- NULL));
-
- KEYID_IMPORT (kid32, keyid);
-
- idx = gnutls_openpgp_crt_get_subkey_idx (cert, keyid);
- if (idx < 0)
- {
- gnutls_assert ();
- return idx;
- }
-
- gcert->subject_pk_algorithm =
- gnutls_openpgp_crt_get_subkey_pk_algorithm (cert, idx, NULL);
-
- gnutls_openpgp_crt_get_subkey_usage (cert, idx, &gcert->key_usage);
- gcert->use_subkey = 1;
-
- memcpy (gcert->subkey_id, keyid, GNUTLS_OPENPGP_KEYID_SIZE);
-
- ret =
- _gnutls_openpgp_crt_get_mpis (cert, kid32, gcert->params,
- &gcert->params_size);
- }
- else
- {
- _gnutls_debug_log
- ("Importing Openpgp cert and using main openpgp key\n");
- gcert->subject_pk_algorithm =
- gnutls_openpgp_crt_get_pk_algorithm (cert, NULL);
-
- gnutls_openpgp_crt_get_key_usage (cert, &gcert->key_usage);
- ret =
- _gnutls_openpgp_crt_get_mpis (cert, NULL, gcert->params,
- &gcert->params_size);
- gcert->use_subkey = 0;
- }
-
- if (ret < 0)
- {
- gnutls_assert ();
- return ret;
- }
-
- { /* copy the raw certificate */
-#define SMALL_RAW 512
- opaque *raw;
- size_t raw_size = SMALL_RAW;
-
- /* initially allocate a bogus size, just in case the certificate
- * fits in it. That way we minimize the DER encodings performed.
- */
- raw = gnutls_malloc (raw_size);
- if (raw == NULL)
- {
- gnutls_assert ();
- return GNUTLS_E_MEMORY_ERROR;
- }
-
- ret =
- gnutls_openpgp_crt_export (cert, GNUTLS_OPENPGP_FMT_RAW, raw,
- &raw_size);
- if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
- {
- gnutls_assert ();
- gnutls_free (raw);
- return ret;
- }
-
- if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER)
- {
- raw = gnutls_realloc (raw, raw_size);
- if (raw == NULL)
- {
- gnutls_assert ();
- return GNUTLS_E_MEMORY_ERROR;
- }
-
- ret =
- gnutls_openpgp_crt_export (cert, GNUTLS_OPENPGP_FMT_RAW, raw,
- &raw_size);
- if (ret < 0)
- {
- gnutls_assert ();
- gnutls_free (raw);
- return ret;
- }
- }
-
- gcert->raw.data = raw;
- gcert->raw.size = raw_size;
- }
-
- return 0;
-
-}
diff --git a/lib/openpgp/gnutls_openpgp.h b/lib/openpgp/gnutls_openpgp.h
index f9dbed4..70ba02a 100644
--- a/lib/openpgp/gnutls_openpgp.h
+++ b/lib/openpgp/gnutls_openpgp.h
@@ -25,14 +25,6 @@ int gnutls_openpgp_get_key (gnutls_datum_t * key,
key_attr_t by, opaque * pattern);
/* internal */
-int _gnutls_openpgp_raw_crt_to_gcert (gnutls_cert * cert,
- const gnutls_datum_t * raw,
- const gnutls_openpgp_keyid_t);
-
-int
-_gnutls_openpgp_raw_privkey_to_gkey (gnutls_privkey_t * pkey,
- const gnutls_datum_t * raw_key);
-
int
_gnutls_openpgp_request_key (gnutls_session_t,
gnutls_datum_t * ret,
diff --git a/lib/openpgp/openpgp_int.h b/lib/openpgp/openpgp_int.h
index bf0a970..7ad6d29 100644
--- a/lib/openpgp/openpgp_int.h
+++ b/lib/openpgp/openpgp_int.h
@@ -18,7 +18,7 @@
typedef struct gnutls_openpgp_crt_int
{
cdk_kbnode_t knode;
- gnutls_openpgp_keyid_t preferred_keyid;
+ uint8_t preferred_keyid[GNUTLS_OPENPGP_KEYID_SIZE];
int preferred_set;
} gnutls_openpgp_crt_int;
@@ -26,7 +26,7 @@ typedef struct gnutls_openpgp_crt_int
typedef struct gnutls_openpgp_privkey_int
{
cdk_kbnode_t knode;
- gnutls_openpgp_keyid_t preferred_keyid;
+ uint8_t preferred_keyid[GNUTLS_OPENPGP_KEYID_SIZE];
int preferred_set;
} gnutls_openpgp_privkey_int;
@@ -43,9 +43,6 @@ int _gnutls_openpgp_export (cdk_kbnode_t node,
void *output_data, size_t * output_data_size,
int private);
-int _gnutls_openpgp_crt_to_gcert (gnutls_cert * gcert,
- gnutls_openpgp_crt_t cert);
-
cdk_packet_t _gnutls_get_valid_subkey (cdk_kbnode_t knode, int key_type);
unsigned int _gnutls_get_pgp_key_usage (unsigned int pgp_usage);
diff --git a/lib/openpgp/pgp.c b/lib/openpgp/pgp.c
index cd204bc..e3c24c7 100644
--- a/lib/openpgp/pgp.c
+++ b/lib/openpgp/pgp.c
@@ -1426,7 +1426,7 @@ int
gnutls_openpgp_crt_get_pk_rsa_raw (gnutls_openpgp_crt_t crt,
gnutls_datum_t * m, gnutls_datum_t * e)
{
- gnutls_openpgp_keyid_t keyid;
+ uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
int ret;
ret = gnutls_openpgp_crt_get_key_id (crt, keyid);
@@ -1460,7 +1460,7 @@ gnutls_openpgp_crt_get_pk_dsa_raw (gnutls_openpgp_crt_t
crt,
gnutls_datum_t * p, gnutls_datum_t * q,
gnutls_datum_t * g, gnutls_datum_t * y)
{
- gnutls_openpgp_keyid_t keyid;
+ uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
int ret;
ret = gnutls_openpgp_crt_get_key_id (crt, keyid);
@@ -1494,7 +1494,7 @@ gnutls_openpgp_crt_get_subkey_pk_rsa_raw
(gnutls_openpgp_crt_t crt,
gnutls_datum_t * m,
gnutls_datum_t * e)
{
- gnutls_openpgp_keyid_t keyid;
+ uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
int ret;
ret = gnutls_openpgp_crt_get_subkey_id (crt, idx, keyid);
@@ -1532,7 +1532,7 @@ gnutls_openpgp_crt_get_subkey_pk_dsa_raw
(gnutls_openpgp_crt_t crt,
gnutls_datum_t * g,
gnutls_datum_t * y)
{
- gnutls_openpgp_keyid_t keyid;
+ uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
int ret;
ret = gnutls_openpgp_crt_get_subkey_id (crt, idx, keyid);
diff --git a/lib/openpgp/pgpverify.c b/lib/openpgp/pgpverify.c
index 4a2ca4e..a409f0d 100644
--- a/lib/openpgp/pgpverify.c
+++ b/lib/openpgp/pgpverify.c
@@ -61,7 +61,7 @@ gnutls_openpgp_crt_verify_ring (gnutls_openpgp_crt_t key,
gnutls_openpgp_keyring_t keyring,
unsigned int flags, unsigned int *verify)
{
- gnutls_openpgp_keyid_t id;
+ uint8_t id[GNUTLS_OPENPGP_KEYID_SIZE];
cdk_error_t rc;
int status;
diff --git a/lib/openpgp/privkey.c b/lib/openpgp/privkey.c
index f1ef139..2d0a39c 100644
--- a/lib/openpgp/privkey.c
+++ b/lib/openpgp/privkey.c
@@ -33,8 +33,8 @@
#include <gnutls_num.h>
#include <openpgp_int.h>
#include <gnutls_openpgp.h>
-#include <gnutls_cert.h>
#include <gnutls_sig.h>
+#include <gnutls_pk.h>
/**
* gnutls_openpgp_privkey_init:
@@ -1032,7 +1032,7 @@ gnutls_openpgp_privkey_export_rsa_raw
(gnutls_openpgp_privkey_t pkey,
gnutls_datum_t * d, gnutls_datum_t * p,
gnutls_datum_t * q, gnutls_datum_t * u)
{
- gnutls_openpgp_keyid_t keyid;
+ uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
int ret;
ret = gnutls_openpgp_privkey_get_key_id (pkey, keyid);
@@ -1068,7 +1068,7 @@ gnutls_openpgp_privkey_export_dsa_raw
(gnutls_openpgp_privkey_t pkey,
gnutls_datum_t * g, gnutls_datum_t * y,
gnutls_datum_t * x)
{
- gnutls_openpgp_keyid_t keyid;
+ uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
int ret;
ret = gnutls_openpgp_privkey_get_key_id (pkey, keyid);
@@ -1110,7 +1110,7 @@ gnutls_openpgp_privkey_export_subkey_rsa_raw
(gnutls_openpgp_privkey_t pkey,
gnutls_datum_t * q,
gnutls_datum_t * u)
{
- gnutls_openpgp_keyid_t keyid;
+ uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
int ret;
ret = gnutls_openpgp_privkey_get_subkey_id (pkey, idx, keyid);
@@ -1150,7 +1150,7 @@ gnutls_openpgp_privkey_export_subkey_dsa_raw
(gnutls_openpgp_privkey_t pkey,
gnutls_datum_t * y,
gnutls_datum_t * x)
{
- gnutls_openpgp_keyid_t keyid;
+ uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
int ret;
ret = gnutls_openpgp_privkey_get_subkey_id (pkey, idx, keyid);
@@ -1253,7 +1253,7 @@ gnutls_openpgp_privkey_sign_hash
(gnutls_openpgp_privkey_t key,
bigint_t params[MAX_PRIV_PARAMS_SIZE];
int params_size = MAX_PRIV_PARAMS_SIZE;
int pk_algorithm;
- gnutls_openpgp_keyid_t keyid;
+ uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
if (key == NULL)
{
@@ -1328,7 +1328,7 @@ _gnutls_openpgp_privkey_decrypt_data
(gnutls_openpgp_privkey_t key,
bigint_t params[MAX_PRIV_PARAMS_SIZE];
int params_size = MAX_PRIV_PARAMS_SIZE;
int pk_algorithm;
- gnutls_openpgp_keyid_t keyid;
+ uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
if (key == NULL)
{
diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h
index e1bb607..19cb1df 100644
--- a/lib/pkcs11_int.h
+++ b/lib/pkcs11_int.h
@@ -3,6 +3,7 @@
#include <pakchois/pakchois.h>
#include <gnutls/pkcs11.h>
+#include <x509/x509_int.h>
#define PKCS11_ID_SIZE 128
#define PKCS11_LABEL_SIZE 128
diff --git a/lib/x509/common.h b/lib/x509/common.h
index 6fc1eb9..95be482 100644
--- a/lib/x509/common.h
+++ b/lib/x509/common.h
@@ -27,6 +27,7 @@
#define COMMON_H
#include <gnutls_algorithms.h>
+#include <x509/x509_int.h>
#define MAX_STRING_LEN 512
diff --git a/lib/x509/pkcs12_encr.c b/lib/x509/pkcs12_encr.c
index b4c83cf..8e0833e 100644
--- a/lib/x509/pkcs12_encr.c
+++ b/lib/x509/pkcs12_encr.c
@@ -28,6 +28,7 @@
#include <gnutls_mpi.h>
#include <gnutls_errors.h>
+#include <x509_int.h>
/* Returns 0 if the password is ok, or a negative error
* code instead.
diff --git a/lib/x509/sign.c b/lib/x509/sign.c
index 7860855..34a179d 100644
--- a/lib/x509/sign.c
+++ b/lib/x509/sign.c
@@ -32,7 +32,6 @@
#ifdef ENABLE_PKI
#include <gnutls_errors.h>
-#include <gnutls_cert.h>
#include <libtasn1.h>
#include <gnutls_global.h>
#include <gnutls_num.h> /* MAX */
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index 7aaedcb..8452009 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -25,7 +25,6 @@
#include <gnutls_int.h>
#include <gnutls_errors.h>
-#include <gnutls_cert.h>
#include <libtasn1.h>
#include <gnutls_global.h>
#include <gnutls_num.h> /* MAX */
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 5b6831a..5a9db51 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -29,15 +29,15 @@
#include <gnutls_int.h>
#include <gnutls_errors.h>
-#include <gnutls_cert.h>
#include <libtasn1.h>
#include <gnutls_global.h>
#include <gnutls_num.h> /* MAX */
#include <gnutls_sig.h>
#include <gnutls_str.h>
#include <gnutls_datum.h>
-#include "x509_int.h"
+#include <x509_int.h>
#include <common.h>
+#include <gnutls_pk.h>
static int is_crl_issuer (gnutls_x509_crl_t crl,
gnutls_x509_crt_t issuer_cert);
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index f6d3e90..020dc7d 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -34,6 +34,7 @@
#include <x509_b64.h>
#include <x509_int.h>
#include <libtasn1.h>
+#include <gnutls_pk.h>
/**
* gnutls_x509_crt_init:
diff --git a/lib/x509/x509_int.h b/lib/x509/x509_int.h
index 11805d5..bde3aef 100644
--- a/lib/x509/x509_int.h
+++ b/lib/x509/x509_int.h
@@ -73,6 +73,12 @@ typedef struct gnutls_pkcs7_int
ASN1_TYPE pkcs7;
} gnutls_pkcs7_int;
+#define MAX_PUBLIC_PARAMS_SIZE 4 /* ok for RSA and DSA */
+
+/* parameters should not be larger than this limit */
+#define DSA_PUBLIC_PARAMS 4
+#define RSA_PUBLIC_PARAMS 2
+
#define MAX_PRIV_PARAMS_SIZE GNUTLS_MAX_PK_PARAMS /* ok for RSA and DSA
*/
/* parameters should not be larger than this limit */
hooks/post-receive
--
GNU gnutls
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [SCM] GNU gnutls branch, master, updated. gnutls_2_99_0-65-g1880d48,
Nikos Mavrogiannopoulos <=