
[SCM] GNU gnutls branch, gnutls_2_12_x, updated. gnutls_2_12_4-5-gc8672d


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, gnutls_2_12_x, updated. gnutls_2_12_4-5-gc8672dc
Date: Sat, 07 May 2011 16:48:04 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=c8672dc009d27ff10eb4f43522a352fcf658d14d

The branch, gnutls_2_12_x has been updated
       via  c8672dc009d27ff10eb4f43522a352fcf658d14d (commit)
      from  9d4ed0c28ae4cb451bae1d3f63e77cf3ebb2d971 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit c8672dc009d27ff10eb4f43522a352fcf658d14d
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat May 7 18:44:21 2011 +0200

    Added gnutls_x509_crq_verify().

-----------------------------------------------------------------------

Summary of changes:
 NEWS                       |   10 ++++++-
 lib/includes/gnutls/x509.h |    2 +
 lib/libgnutls.map          |   35 +++++++++++++++++++++++
 lib/x509/crq.c             |   67 ++++++++++++++++++++++++++++++++++++++++++++
 lib/x509/x509_write.c      |    4 ++
 tests/crq_key_id.c         |    8 ++++-
 6 files changed, 124 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index cdaa4be..c42bd5e 100644
--- a/NEWS
+++ b/NEWS
@@ -11,8 +11,16 @@ via URLs.
 ** libgnutls: gnutls_pkcs11_privkey_import_url() will now correctly read
 the public key algorithm of the key.
 
+** libgnutls: Added gnutls_x509_crq_verify() to allow
+verification of the self signature in a certificate request.
+This allows verifying whether the owner of the private key
+is the generator of the request.
+
+** libgnutls: gnutls_x509_crt_set_crq() implicitly verifies
+the self signature of the request.
+
 ** API and ABI modifications:
-No changes since last version.
+gnutls_x509_crq_verify: ADDED
 
 
 * Version 2.12.4 (released 2011-05-06)
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index 8e47c4b..bc7846b 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -707,6 +707,8 @@ extern "C"
                              gnutls_certificate_print_formats_t format,
                              gnutls_datum_t * out);
 
+  int gnutls_x509_crq_verify (gnutls_x509_crq_t crq, unsigned int flags);
+
   int gnutls_x509_crq_init (gnutls_x509_crq_t * crq);
   void gnutls_x509_crq_deinit (gnutls_x509_crq_t crq);
   int gnutls_x509_crq_import (gnutls_x509_crq_t crq,
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index 2fc197a..3306314 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -690,8 +690,43 @@ GNUTLS_2_12
        gnutls_pubkey_import_privkey;
        gnutls_pubkey_verify_data;
        gnutls_certificate_get_issuer;
+       gnutls_x509_crq_verify;
 } GNUTLS_2_10;
 
+GNUTLS_3_0_0 {
+  global:
+       gnutls_x509_trust_list_verify_crt;
+       gnutls_x509_trust_list_add_crls;
+       gnutls_x509_trust_list_add_cas;
+       gnutls_x509_trust_list_init;
+       gnutls_x509_trust_list_deinit;
+       gnutls_x509_crl_list_import;
+       gnutls_x509_crl_list_import2;
+       gnutls_x509_crt_list_import2;
+       gnutls_cipher_tag;
+       gnutls_cipher_add_auth;
+       gnutls_dtls_set_timeouts;
+       gnutls_transport_set_pull_timeout_function;
+       gnutls_dtls_get_mtu;
+       gnutls_dtls_set_mtu;
+        gnutls_record_recv_seq;
+       gnutls_key_generate;
+       gnutls_dtls_cookie_verify;
+       gnutls_dtls_cookie_send;
+       gnutls_dtls_prestate_set;
+       gnutls_dtls_get_data_mtu;
+       gnutls_cipher_set_iv;
+       gnutls_pcert_deinit;
+       gnutls_pcert_import_x509;
+       gnutls_pcert_import_x509_raw;
+       gnutls_pcert_import_openpgp;
+       gnutls_pcert_import_openpgp_raw;
+       gnutls_pubkey_get_openpgp_key_id;
+       gnutls_certificate_set_retrieve_function2;
+       gnutls_x509_trust_list_get_issuer;
+} GNUTLS_2_12;
+>>>>>>> 91e62ff... Added gnutls_x509_crq_verify().
+
 GNUTLS_PRIVATE {
   global:
     # Internal symbols needed by libgnutls-extra:
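Review bot: The line `+>>>>>>> 91e62ff... Added gnutls_x509_crq_verify().` is a git conflict marker committed into the linker version script; ld should reject it as a syntax error, so any build of this branch that links libgnutls with the map fails until the line is deleted. The same botched resolution pulls an entire `GNUTLS_3_0_0 { ... } GNUTLS_2_12;` node into the 2.12.x map, naming symbols (gnutls_x509_trust_list_*, gnutls_dtls_*, gnutls_pcert_*, gnutls_cipher_tag, ...) that nothing in this commit defines and that I would not expect on a 2.12.x branch; if they are not present here, that node should be dropped too and only the single `gnutls_x509_crq_verify;` line under GNUTLS_2_12 kept. Advertising a 3.0.0 version node from a 2.12 shared object would also misrepresent the ABI to anything that inspects symbol versions.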
diff --git a/lib/x509/crq.c b/lib/x509/crq.c
index 02dc2c4..ed0f844 100644
--- a/lib/x509/crq.c
+++ b/lib/x509/crq.c
@@ -2521,5 +2521,72 @@ gnutls_x509_crq_privkey_sign (gnutls_x509_crq_t crq, 
gnutls_privkey_t key,
 }
 
 
+/**
+ * gnutls_x509_crq_verify:
+ * @crq: is the crq to be verified
+ * @flags: Flags that may be used to change the verification algorithm. Use OR 
of the gnutls_certificate_verify_flags enumerations.
+ *
+ * This function will verify self signature in the certificate
+ * request and return its status.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, 
%GNUTLS_E_PK_SIG_VERIFY_FAILED
+ * if verification failed, otherwise a negative error value.
+ **/
+int
+gnutls_x509_crq_verify (gnutls_x509_crq_t crq,
+                        unsigned int flags)
+{
+gnutls_datum data = { NULL, 0 };
+gnutls_datum signature = { NULL, 0 };
+bigint_t params[MAX_PUBLIC_PARAMS_SIZE];
+int ret, params_size = 0, i;
+
+  ret =
+    _gnutls_x509_get_signed_data (crq->crq, "certificationRequestInfo", &data);
+  if (ret < 0)
+    {
+      gnutls_assert ();
+      return ret;
+    }
+
+  ret = _gnutls_x509_get_signature (crq->crq, "signature", &signature);
+  if (ret < 0)
+    {
+      gnutls_assert ();
+      goto cleanup;
+    }
+
+  params_size = MAX_PUBLIC_PARAMS_SIZE;
+  ret =
+    _gnutls_x509_crq_get_mpis(crq, params, &params_size);
+  if (ret < 0)
+    {
+      gnutls_assert ();
+      goto cleanup;
+    }
+
+  ret = pubkey_verify_sig(&data, NULL, &signature,
+                          gnutls_x509_crq_get_pk_algorithm (crq, NULL),
+    params, params_size);
+  if (ret < 0)
+    {
+      gnutls_assert ();
+      goto cleanup;
+    }
+
+  ret = 0;
+
+cleanup:
+  _gnutls_free_datum (&data);
+  _gnutls_free_datum (&signature);
+
+  for (i = 0; i < params_size; i++)
+      {
+            _gnutls_mpi_release (&params[i]);
+      }
+
+  return ret;
+}
 
 #endif /* ENABLE_PKI */
+
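Review bot: `flags` is documented as an OR of gnutls_certificate_verify_flags that changes the verification algorithm, but nothing in the body of gnutls_x509_crq_verify reads it, so the parameter has no effect; either pass it through to the verification step (if pubkey_verify_sig or a wrapper can take it) or reword the doc to say it is reserved and must be 0. The cleanup path also needs care: `params_size` is set to MAX_PUBLIC_PARAMS_SIZE before `_gnutls_x509_crq_get_mpis` runs and `params[]` is never initialized, so if that helper fails without resetting *params_size the loop at the end calls `_gnutls_mpi_release` on uninitialized pointers; declaring `bigint_t params[MAX_PUBLIC_PARAMS_SIZE] = { NULL };` (assuming release tolerates NULL, which I cannot confirm from here) or doing `params_size = 0;` before the `goto cleanup` on that path closes the hole. Since gnutls_x509_crt_set_crq now runs this on every request a CA signs, the request bytes should be treated as attacker-controlled and a malformed request must not be able to crash the signer. Doc nit: "will verify self signature in the certificate request" should read "will verify the self-signature of the certificate request".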
diff --git a/lib/x509/x509_write.c b/lib/x509/x509_write.c
index a0b830e..55117a4 100644
--- a/lib/x509/x509_write.c
+++ b/lib/x509/x509_write.c
@@ -268,6 +268,10 @@ gnutls_x509_crt_set_crq (gnutls_x509_crt_t crt, 
gnutls_x509_crq_t crq)
       return GNUTLS_E_INVALID_REQUEST;
     }
 
+  result = gnutls_x509_crq_verify(crq, 0);
+  if (result < 0)
+    return gnutls_assert_val(result);
+
   result = asn1_copy_node (crt->cert, "tbsCertificate.subject",
                            crq->crq, "certificationRequestInfo.subject");
   if (result != ASN1_SUCCESS)
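Review bot: The verification is invoked with `flags` hard-coded to 0, so a CA calling gnutls_x509_crt_set_crq cannot tighten the self-signature check (for example to refuse requests signed with a hash it does not accept) and gets GNUTLS_E_PK_SIG_VERIFY_FAILED only as an opaque failure of set_crq. The function's doc comment, which starts above this hunk, should state the new contract explicitly, e.g. `Returns: ... %GNUTLS_E_PK_SIG_VERIFY_FAILED if the request's self-signature does not verify`, since NEWS is not what API consumers read. The enclosing gnutls_x509_crt_set_crq begins and ends outside the hunk.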
diff --git a/tests/crq_key_id.c b/tests/crq_key_id.c
index fff9f8f..74d5dc6 100644
--- a/tests/crq_key_id.c
+++ b/tests/crq_key_id.c
@@ -137,11 +137,17 @@ doit (void)
         }
 
       ret = gnutls_x509_crq_privkey_sign (crq, abs_pkey, GNUTLS_DIG_SHA1, 0);
-      if (ret)
+      if (ret < 0)
         {
           fail ("gnutls_x509_crq_sign: %d\n", ret);
         }
 
+      ret = gnutls_x509_crq_verify (crq, 0);
+      if (ret < 0)
+        {
+          fail ("gnutls_x509_crq_verify: %d\n", ret);
+        }
+
       crq_key_id_len = 0;
       ret = gnutls_x509_crq_get_key_id (crq, 0, crq_key_id, &crq_key_id_len);
       if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)

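Review bot: The added call only exercises the positive path of gnutls_x509_crq_verify on a request the test itself just signed, so an implementation that unconditionally returns 0 would pass; a negative case is needed to show the signature is actually checked. After the successful verify here, export the request, corrupt one byte in the signed region (or in the signature itself), re-import it into a second crq and assert `gnutls_x509_crq_verify (crq2, 0) == GNUTLS_E_PK_SIG_VERIFY_FAILED`. doit() starts and ends outside the hunk.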

hooks/post-receive
-- 
GNU gnutls


