[SCM] GNU gnutls branch, master, updated. gnutls_2_99_1-16-g91e62ff


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_2_99_1-16-g91e62ff
Date: Sat, 07 May 2011 16:46:35 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=91e62ff65030af57bed038decfa3aac392f75cac

The branch, master has been updated
       via  91e62ff65030af57bed038decfa3aac392f75cac (commit)
      from  50c4bb2247957f852dfc52de2e9ca39e09bd3de0 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 91e62ff65030af57bed038decfa3aac392f75cac
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat May 7 18:44:21 2011 +0200

    Added gnutls_x509_crq_verify().

-----------------------------------------------------------------------

Summary of changes:
 NEWS                       |   10 ++++++
 lib/includes/gnutls/x509.h |    2 +
 lib/libgnutls.map          |    3 +-
 lib/x509/crq.c             |   67 ++++++++++++++++++++++++++++++++++++++++++++
 lib/x509/x509_write.c      |    4 ++
 tests/crq_key_id.c         |    8 ++++-
 6 files changed, 92 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index eea62ca..ca94162 100644
--- a/NEWS
+++ b/NEWS
@@ -9,9 +9,19 @@ See the end for copying conditions.
 gnutls_x509_trust_list_get_issuer() to compensate for the
 missing gnutls_certificate_get_x509_cas().
 
+** libgnutls: Added gnutls_x509_crq_verify() to allow
+verification of the self signature in a certificate request.
+This allows verifying whether the owner of the private key
+is the generator of the request.
+
+** libgnutls: gnutls_x509_crt_set_crq() implicitly verifies
+the self signature of the request.
+
 ** API and ABI modifications:
 gnutls_certificate_get_issuer: ADDED
 gnutls_x509_trust_list_get_issuer: ADDED
+gnutls_x509_crq_verify: ADDED
+
 
 * Version 2.99.1 (released 2011-04-23)
 
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index f220844..6ddd85c 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -721,6 +721,8 @@ extern "C"
                              gnutls_certificate_print_formats_t format,
                              gnutls_datum_t * out);
 
+  int gnutls_x509_crq_verify (gnutls_x509_crq_t crq, unsigned int flags);
+
   int gnutls_x509_crq_init (gnutls_x509_crq_t * crq);
   void gnutls_x509_crq_deinit (gnutls_x509_crq_t crq);
   int gnutls_x509_crq_import (gnutls_x509_crq_t crq,
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index 229792e..63bacd2 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -677,6 +677,8 @@ GNUTLS_2_12
        gnutls_openpgp_crt_verify_hash;
        gnutls_pubkey_import_privkey;
        gnutls_pubkey_verify_data;
+       gnutls_certificate_get_issuer;
+       gnutls_x509_crq_verify;
 } GNUTLS_2_10;
 
 GNUTLS_3_0_0 {
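Review bot: This hunk also moves `gnutls_certificate_get_issuer` from the GNUTLS_3_0_0 node into GNUTLS_2_12 (the removal is in the second hunk of this file), which the commit message "Added gnutls_x509_crq_verify()" does not mention. Since the NEWS hunk shows the current series is still 2.99.x, the move is presumably a correction of the version node before 3.0.0 ships rather than an ABI break, but it deserves a line in the commit message or NEWS so the symbol's version history is traceable.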
@@ -710,7 +712,6 @@ GNUTLS_3_0_0 {
        gnutls_pubkey_get_openpgp_key_id;
        gnutls_certificate_set_retrieve_function2;
        gnutls_x509_trust_list_get_issuer;
-       gnutls_certificate_get_issuer;
 } GNUTLS_2_12;
 
 GNUTLS_PRIVATE {
diff --git a/lib/x509/crq.c b/lib/x509/crq.c
index 02dc2c4..ed0f844 100644
--- a/lib/x509/crq.c
+++ b/lib/x509/crq.c
@@ -2521,5 +2521,72 @@ gnutls_x509_crq_privkey_sign (gnutls_x509_crq_t crq, 
gnutls_privkey_t key,
 }
 
 
+/**
+ * gnutls_x509_crq_verify:
+ * @crq: is the crq to be verified
+ * @flags: Flags that may be used to change the verification algorithm. Use OR 
of the gnutls_certificate_verify_flags enumerations.
+ *
+ * This function will verify self signature in the certificate
+ * request and return its status.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, 
%GNUTLS_E_PK_SIG_VERIFY_FAILED
+ * if verification failed, otherwise a negative error value.
+ **/
+int
+gnutls_x509_crq_verify (gnutls_x509_crq_t crq,
+                        unsigned int flags)
+{
+gnutls_datum data = { NULL, 0 };
+gnutls_datum signature = { NULL, 0 };
+bigint_t params[MAX_PUBLIC_PARAMS_SIZE];
+int ret, params_size = 0, i;
+
+  ret =
+    _gnutls_x509_get_signed_data (crq->crq, "certificationRequestInfo", &data);
+  if (ret < 0)
+    {
+      gnutls_assert ();
+      return ret;
+    }
+
+  ret = _gnutls_x509_get_signature (crq->crq, "signature", &signature);
+  if (ret < 0)
+    {
+      gnutls_assert ();
+      goto cleanup;
+    }
+
+  params_size = MAX_PUBLIC_PARAMS_SIZE;
+  ret =
+    _gnutls_x509_crq_get_mpis(crq, params, &params_size);
+  if (ret < 0)
+    {
+      gnutls_assert ();
+      goto cleanup;
+    }
+
+  ret = pubkey_verify_sig(&data, NULL, &signature,
+                          gnutls_x509_crq_get_pk_algorithm (crq, NULL),
+    params, params_size);
+  if (ret < 0)
+    {
+      gnutls_assert ();
+      goto cleanup;
+    }
+
+  ret = 0;
+
+cleanup:
+  _gnutls_free_datum (&data);
+  _gnutls_free_datum (&signature);
+
+  for (i = 0; i < params_size; i++)
+      {
+            _gnutls_mpi_release (&params[i]);
+      }
+
+  return ret;
+}
 
 #endif /* ENABLE_PKI */
+
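Review bot: `flags` is documented as an OR of gnutls_certificate_verify_flags, but nothing in the body of gnutls_x509_crq_verify reads it, so the comment promises a contract the code does not keep; either forward it to pubkey_verify_sig if that call accepts verification flags, or reword the line to `@flags: should be zero; reserved for future verification flags` so callers do not rely on it. Separately, `params_size` is set to MAX_PUBLIC_PARAMS_SIZE before `_gnutls_x509_crq_get_mpis`, and if that call fails without resetting `*params_size`, the cleanup loop calls `_gnutls_mpi_release` on the uninitialized entries of `params`; setting `params_size = 0;` in that error branch before `goto cleanup` (assuming the helper frees anything it had already allocated) or zero-initializing the array removes the hazard. The return of `gnutls_x509_crq_get_pk_algorithm (crq, NULL)` is also passed straight into pubkey_verify_sig, so a negative error code would be handed over as an algorithm identifier instead of being returned to the caller; storing it in a local and checking `< 0` first would keep the error path consistent with the rest of the function.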
diff --git a/lib/x509/x509_write.c b/lib/x509/x509_write.c
index 5d31a83..68f0103 100644
--- a/lib/x509/x509_write.c
+++ b/lib/x509/x509_write.c
@@ -268,6 +268,10 @@ gnutls_x509_crt_set_crq (gnutls_x509_crt_t crt, 
gnutls_x509_crq_t crq)
       return GNUTLS_E_INVALID_REQUEST;
     }
 
+  result = gnutls_x509_crq_verify(crq, 0);
+  if (result < 0)
+    return gnutls_assert_val(result);
+
   result = asn1_copy_node (crt->cert, "tbsCertificate.subject",
                            crq->crq, "certificationRequestInfo.subject");
   if (result != ASN1_SUCCESS)
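Review bot: The new self-signature check is now mandatory in gnutls_x509_crt_set_crq, so a request that is unsigned or carries a bad signature is rejected where it was previously copied through; this is the right default for a signing path, but the function's doc comment (outside this hunk) should state it, e.g. `The self signature of @crq is verified; %GNUTLS_E_PK_SIG_VERIFY_FAILED is returned if it does not verify.` The NEWS entry mentions the behaviour, but callers reading the API reference will not see it otherwise. The body of gnutls_x509_crt_set_crq starts and ends outside the hunk.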
diff --git a/tests/crq_key_id.c b/tests/crq_key_id.c
index fff9f8f..74d5dc6 100644
--- a/tests/crq_key_id.c
+++ b/tests/crq_key_id.c
@@ -137,11 +137,17 @@ doit (void)
         }
 
       ret = gnutls_x509_crq_privkey_sign (crq, abs_pkey, GNUTLS_DIG_SHA1, 0);
-      if (ret)
+      if (ret < 0)
         {
           fail ("gnutls_x509_crq_sign: %d\n", ret);
         }
 
+      ret = gnutls_x509_crq_verify (crq, 0);
+      if (ret < 0)
+        {
+          fail ("gnutls_x509_crq_verify: %d\n", ret);
+        }
+
       crq_key_id_len = 0;
       ret = gnutls_x509_crq_get_key_id (crq, 0, crq_key_id, &crq_key_id_len);
       if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
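Review bot: The added gnutls_x509_crq_verify call exercises only the success path, so a verify that accepts everything would still pass this test; a companion check that alters a byte of the signed request (or re-signs it with a different key) and asserts `ret == GNUTLS_E_PK_SIG_VERIFY_FAILED` would pin the negative path that gnutls_x509_crt_set_crq now depends on. The surrounding `fail ("gnutls_x509_crq_sign: %d\n", ret);` is a context line that names gnutls_x509_crq_sign while the call is gnutls_x509_crq_privkey_sign, which is worth tidying while the block is touched. doit() starts and ends outside the hunk.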


hooks/post-receive
-- 
GNU gnutls


