/src/gnutls/lib/x509/key_decode.c

Source (jump to first uncovered line)
/*
 * Copyright (C) 2011-2012 Free Software Foundation, Inc.
 * Copyright (C) 2013-2017 Red Hat
 *
 * Author: Nikos Mavrogiannopoulos
 *
 * This file is part of GnuTLS.
 *
 * The GnuTLS is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public License
 * as published by the Free Software Foundation; either version 2.1 of
 * the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>
 *
 */

#include "gnutls_int.h"
#include "errors.h"
#include <global.h>
#include <libtasn1.h>
#include <datum.h>
#include "common.h"
#include "x509_int.h"
#include "pk.h"
#include <num.h>
#include <ecc.h>

static int _gnutls_x509_read_rsa_pubkey(uint8_t * der, int dersize,
          gnutls_pk_params_st * params);
static int _gnutls_x509_read_dsa_pubkey(uint8_t * der, int dersize,
          gnutls_pk_params_st * params);
static int _gnutls_x509_read_ecc_pubkey(uint8_t * der, int dersize,
          gnutls_pk_params_st * params);
static int _gnutls_x509_read_eddsa_pubkey(gnutls_ecc_curve_t curve,
            uint8_t * der, int dersize,
            gnutls_pk_params_st * params);
static int _gnutls_x509_read_ecdh_pubkey(gnutls_ecc_curve_t curve,
           uint8_t * der, int dersize,
           gnutls_pk_params_st * params);
static int _gnutls_x509_read_gost_pubkey(uint8_t * der, int dersize,
           gnutls_pk_params_st * params);

static int
_gnutls_x509_read_dsa_params(uint8_t * der, int dersize,
           gnutls_pk_params_st * params);

/*
 * some x509 certificate parsing functions that relate to MPI parameter
 * extraction. This reads the BIT STRING subjectPublicKey.
 * Returns 2 parameters (m,e). It does not set params_nr.
 */
int
_gnutls_x509_read_rsa_pubkey(uint8_t * der, int dersize,
           gnutls_pk_params_st * params)
{
  int result;
  asn1_node spk = NULL;

  if ((result = asn1_create_element
       (_gnutls_get_gnutls_asn(), "GNUTLS.RSAPublicKey", &spk))
      != ASN1_SUCCESS) {
    gnutls_assert();
    return _gnutls_asn2err(result);
  }

  result = asn1_der_decoding(&spk, der, dersize, NULL);

  if (result != ASN1_SUCCESS) {
    gnutls_assert();
    asn1_delete_structure(&spk);
    return _gnutls_asn2err(result);
  }

  if (_gnutls_x509_read_int(spk, "modulus", &params->params[0]) < 0) {
    gnutls_assert();
    asn1_delete_structure(&spk);
    return GNUTLS_E_ASN1_GENERIC_ERROR;
  }

  if (_gnutls_x509_read_int(spk, "publicExponent",
          &params->params[1]) < 0) {
    gnutls_assert();
    _gnutls_mpi_release(&params->params[0]);
    asn1_delete_structure(&spk);
    return GNUTLS_E_ASN1_GENERIC_ERROR;
  }

  asn1_delete_structure(&spk);

  return 0;

}

/*
 * some x509 certificate parsing functions that relate to MPI parameter
 * extraction. This reads the BIT STRING subjectPublicKey.
 * Returns 2 parameters (m,e). It does not set params_nr.
 */
int
_gnutls_x509_read_ecc_pubkey(uint8_t * der, int dersize,
           gnutls_pk_params_st * params)
{
  /* RFC5480 defines the public key to be an ECPoint (i.e. OCTET STRING),
   * Then it says that the OCTET STRING _value_ is converted to BIT STRING.
   * That means that the value we place there is the raw X9.62 one. */
  return _gnutls_ecc_ansi_x962_import(der, dersize,
              &params->params[ECC_X],
              &params->params[ECC_Y]);
}

int _gnutls_x509_read_eddsa_pubkey(gnutls_ecc_curve_t curve,
           uint8_t * der, int dersize,
           gnutls_pk_params_st * params)
{
  int size = gnutls_ecc_curve_get_size(curve);
  if (dersize != size)
    return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);

  return _gnutls_set_datum(&params->raw_pub, der, dersize);
}

int _gnutls_x509_read_ecdh_pubkey(gnutls_ecc_curve_t curve,
          uint8_t * der, int dersize,
          gnutls_pk_params_st * params)
{
  int size = gnutls_ecc_curve_get_size(curve);
  if (dersize != size)
    return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);

  return _gnutls_set_datum(&params->raw_pub, der, dersize);
}

/* Pubkey is a concatenation of X (in little endian) and Y (also LE)
 * encoded into OCTET STRING. */
static int
_gnutls_x509_read_gost_pubkey(uint8_t * der, int dersize,
            gnutls_pk_params_st * params)
{
  int ret;
  int len;
  bigint_t *x = &params->params[GOST_X];
  bigint_t *y = &params->params[GOST_Y];

  /* Quick and dirty parsing of OCTET STRING of 0x40 or 0x80 bytes */
  if (dersize < 1 || der[0] != ASN1_TAG_OCTET_STRING) {
    return gnutls_assert_val(GNUTLS_E_PARSING_ERROR);
  }

  der++;
  dersize--;

  ret = asn1_get_length_der(der, dersize, &len);
  if (ret <= 0 || ret % 2 != 0 || dersize != len + ret) {
    return gnutls_assert_val(GNUTLS_E_PARSING_ERROR);
  }

  der += len;
  dersize -= len;

  /* read data */
  ret = _gnutls_mpi_init_scan_le(x, der, dersize / 2);
  if (ret < 0)
    return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);

  ret = _gnutls_mpi_init_scan_le(y, der + dersize / 2, dersize / 2);
  if (ret < 0) {
    _gnutls_mpi_release(y);
    return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
  }

  return 0;
}

/* reads p,q and g 
 * from the certificate (subjectPublicKey BIT STRING).
 * params[0-2]. It does NOT set params_nr.
 */
static int
_gnutls_x509_read_dsa_params(uint8_t * der, int dersize,
           gnutls_pk_params_st * params)
{
  int result;
  asn1_node spk = NULL;

  if ((result = asn1_create_element
       (_gnutls_get_pkix(), "PKIX1.Dss-Parms", &spk)) != ASN1_SUCCESS) {
    gnutls_assert();
    return _gnutls_asn2err(result);
  }

  result = asn1_der_decoding(&spk, der, dersize, NULL);

  if (result != ASN1_SUCCESS) {
    gnutls_assert();
    asn1_delete_structure(&spk);
    return _gnutls_asn2err(result);
  }

  /* If the parameters are not included in the certificate
   * then the issuer's parameters should be used. This is not
   * implemented, and is not used in practice (along with DSA).
   */

  /* Read p */

  if (_gnutls_x509_read_int(spk, "p", &params->params[0]) < 0) {
    gnutls_assert();
    asn1_delete_structure(&spk);
    return GNUTLS_E_ASN1_GENERIC_ERROR;
  }

  /* Read q */

  if (_gnutls_x509_read_int(spk, "q", &params->params[1]) < 0) {
    gnutls_assert();
    asn1_delete_structure(&spk);
    _gnutls_mpi_release(&params->params[0]);
    return GNUTLS_E_ASN1_GENERIC_ERROR;
  }

  /* Read g */

  if (_gnutls_x509_read_int(spk, "g", &params->params[2]) < 0) {
    gnutls_assert();
    asn1_delete_structure(&spk);
    _gnutls_mpi_release(&params->params[0]);
    _gnutls_mpi_release(&params->params[1]);
    return GNUTLS_E_ASN1_GENERIC_ERROR;
  }

  asn1_delete_structure(&spk);

  params->params_nr = 3;  /* public key is missing */
  params->algo = GNUTLS_PK_DSA;

  return 0;

}

/* reads the curve from the certificate.
 * params[0-4]. It does NOT set params_nr.
 */
int
_gnutls_x509_read_ecc_params(uint8_t * der, int dersize, unsigned int *curve)
{
  int ret;
  asn1_node spk = NULL;
  char oid[MAX_OID_SIZE];
  int oid_size;

  if ((ret = asn1_create_element
       (_gnutls_get_gnutls_asn(), "GNUTLS.ECParameters",
        &spk)) != ASN1_SUCCESS) {
    gnutls_assert();
    return _gnutls_asn2err(ret);
  }

  ret = asn1_der_decoding(&spk, der, dersize, NULL);

  if (ret != ASN1_SUCCESS) {
    gnutls_assert();
    ret = _gnutls_asn2err(ret);
    goto cleanup;
  }

  /* read the curve */
  oid_size = sizeof(oid);
  ret = asn1_read_value(spk, "namedCurve", oid, &oid_size);
  if (ret != ASN1_SUCCESS) {
    gnutls_assert();
    ret = _gnutls_asn2err(ret);
    goto cleanup;
  }

  *curve = gnutls_oid_to_ecc_curve(oid);
  if (*curve == GNUTLS_ECC_CURVE_INVALID) {
    _gnutls_debug_log("Curve %s is not supported\n", oid);
    gnutls_assert();
    ret = GNUTLS_E_ECC_UNSUPPORTED_CURVE;
    goto cleanup;
  }

  ret = 0;

 cleanup:

  asn1_delete_structure(&spk);

  return ret;

}

/* Reads RSA-PSS parameters.
 */
int
_gnutls_x509_read_rsa_pss_params(uint8_t * der, int dersize,
         gnutls_x509_spki_st * params)
{
  int result;
  asn1_node spk = NULL;
  asn1_node c2 = NULL;
  gnutls_digest_algorithm_t digest;
  char oid[MAX_OID_SIZE] = "";
  int size;
  unsigned int trailer;
  gnutls_datum_t value = { NULL, 0 };

  if ((result = asn1_create_element
       (_gnutls_get_gnutls_asn(), "GNUTLS.RSAPSSParameters", &spk))
      != ASN1_SUCCESS) {
    gnutls_assert();
    result = _gnutls_asn2err(result);
    goto cleanup;
  }

  result = _asn1_strict_der_decode(&spk, der, dersize, NULL);

  if (result != ASN1_SUCCESS) {
    gnutls_assert();
    result = _gnutls_asn2err(result);
    goto cleanup;
  }

  size = sizeof(oid);
  result = asn1_read_value(spk, "hashAlgorithm.algorithm", oid, &size);
  if (result == ASN1_SUCCESS)
    digest = gnutls_oid_to_digest(oid);
  else if (result == ASN1_ELEMENT_NOT_FOUND)
    /* The default hash algorithm is SHA-1 */
    digest = GNUTLS_DIG_SHA1;
  else {
    gnutls_assert();
    result = _gnutls_asn2err(result);
    goto cleanup;
  }

  if (digest == GNUTLS_DIG_UNKNOWN) {
    gnutls_assert();
    _gnutls_debug_log("Unknown RSA-PSS hash: %s\n", oid);
    result = GNUTLS_E_UNKNOWN_HASH_ALGORITHM;
    goto cleanup;
  }

  size = sizeof(oid);
  result = asn1_read_value(spk, "maskGenAlgorithm.algorithm", oid, &size);
  if (result == ASN1_SUCCESS) {
    gnutls_digest_algorithm_t digest2;

    /* Error out if algorithm other than mgf1 is specified */
    if (strcmp(oid, PKIX1_RSA_PSS_MGF1_OID) != 0) {
      gnutls_assert();
      _gnutls_debug_log("Unknown mask algorithm: %s\n", oid);
      result = GNUTLS_E_UNKNOWN_ALGORITHM;
      goto cleanup;
    }

    /* Check if maskGenAlgorithm.parameters does exist and
     * is identical to hashAlgorithm */
    result =
        _gnutls_x509_read_value(spk, "maskGenAlgorithm.parameters",
              &value);
    if (result < 0) {
      gnutls_assert();
      goto cleanup;
    }

    if ((result = asn1_create_element
         (_gnutls_get_pkix(), "PKIX1.AlgorithmIdentifier", &c2))
        != ASN1_SUCCESS) {
      gnutls_assert();
      result = _gnutls_asn2err(result);
      goto cleanup;
    }

    result =
        _asn1_strict_der_decode(&c2, value.data, value.size, NULL);
    if (result != ASN1_SUCCESS) {
      gnutls_assert();
      result = _gnutls_asn2err(result);
      goto cleanup;
    }

    size = sizeof(oid);
    result = asn1_read_value(c2, "algorithm", oid, &size);
    if (result == ASN1_SUCCESS)
      digest2 = gnutls_oid_to_digest(oid);
    else if (result == ASN1_ELEMENT_NOT_FOUND)
      /* The default hash algorithm for mgf1 is SHA-1 */
      digest2 = GNUTLS_DIG_SHA1;
    else {
      gnutls_assert();
      result = _gnutls_asn2err(result);
      goto cleanup;
    }

    if (digest != digest2) {
      gnutls_assert();
      result = GNUTLS_E_CONSTRAINT_ERROR;
      goto cleanup;
    }
  } else if (result != ASN1_ELEMENT_NOT_FOUND) {
    gnutls_assert();
    result = _gnutls_asn2err(result);
    goto cleanup;
  }

  memset(params, 0, sizeof(gnutls_x509_spki_st));
  params->pk = GNUTLS_PK_RSA_PSS;
  params->rsa_pss_dig = digest;

  result = _gnutls_x509_read_uint(spk, "saltLength", &params->salt_size);
  if (result == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND ||
      result == GNUTLS_E_ASN1_VALUE_NOT_FOUND)
    params->salt_size = 20;
  else if (result < 0) {
    gnutls_assert();
    goto cleanup;
  }

  result = _gnutls_x509_read_uint(spk, "trailerField", &trailer);
  if (result == GNUTLS_E_ASN1_VALUE_NOT_FOUND ||
      result == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND)
    trailer = 1;
  else if (result < 0) {
    gnutls_assert();
    goto cleanup;
  }
  if (trailer != 1) {
    gnutls_assert();
    result = GNUTLS_E_CERTIFICATE_ERROR;
    goto cleanup;
  }

  result = 0;
 cleanup:
  _gnutls_free_datum(&value);
  asn1_delete_structure(&c2);
  asn1_delete_structure(&spk);
  return result;
}

/* reads the curve from the certificate.
 * It does NOT set params_nr.
 */
int
_gnutls_x509_read_gost_params(uint8_t * der, int dersize,
            gnutls_pk_params_st * params,
            gnutls_pk_algorithm_t algo)
{
  int ret;
  asn1_node spk = NULL;
  char oid[MAX_OID_SIZE];
  int oid_size;
  gnutls_ecc_curve_t curve;
  gnutls_gost_paramset_t param;

  if ((ret = asn1_create_element(_gnutls_get_gnutls_asn(),
               algo == GNUTLS_PK_GOST_01 ?
               "GNUTLS.GOSTParametersOld" :
               "GNUTLS.GOSTParameters",
               &spk)) != ASN1_SUCCESS) {
    gnutls_assert();
    return _gnutls_asn2err(ret);
  }

  ret = _asn1_strict_der_decode(&spk, der, dersize, NULL);

  if (ret != ASN1_SUCCESS) {
    gnutls_assert();
    ret = _gnutls_asn2err(ret);
    goto cleanup;
  }

  /* read the curve */
  oid_size = sizeof(oid);
  ret = asn1_read_value(spk, "publicKeyParamSet", oid, &oid_size);
  if (ret != ASN1_SUCCESS) {
    gnutls_assert();
    ret = _gnutls_asn2err(ret);
    goto cleanup;
  }

  curve = gnutls_oid_to_ecc_curve(oid);
  if (curve == GNUTLS_ECC_CURVE_INVALID) {
    _gnutls_debug_log("Curve %s is not supported\n", oid);
    gnutls_assert();
    ret = GNUTLS_E_ECC_UNSUPPORTED_CURVE;
    goto cleanup;
  }

  /* Read the digest */
  oid_size = sizeof(oid);
  ret = asn1_read_value(spk, "digestParamSet", oid, &oid_size);
  if (ret != ASN1_SUCCESS && ret != ASN1_ELEMENT_NOT_FOUND) {
    gnutls_assert();
    ret = _gnutls_asn2err(ret);
    goto cleanup;
  }
  /* For now ignore the OID: we use pk OID instead */

  oid_size = sizeof(oid);
  ret = asn1_read_value(spk, "encryptionParamSet", oid, &oid_size);
  if (ret != ASN1_SUCCESS && ret != ASN1_ELEMENT_NOT_FOUND) {
    gnutls_assert();
    ret = _gnutls_asn2err(ret);
    goto cleanup;
  }

  if (ret != ASN1_ELEMENT_NOT_FOUND)
    param = gnutls_oid_to_gost_paramset(oid);
  else
    param = _gnutls_gost_paramset_default(algo);

  if (param == GNUTLS_GOST_PARAMSET_UNKNOWN) {
    gnutls_assert();
    ret = param;
    goto cleanup;
  }

  params->curve = curve;
  params->gost_params = param;
  ret = 0;

 cleanup:

  asn1_delete_structure(&spk);

  return ret;

}

/* This function must be called after _gnutls_x509_read_params()
 */
int _gnutls_x509_read_pubkey(gnutls_pk_algorithm_t algo, uint8_t * der,
           int dersize, gnutls_pk_params_st * params)
{
  int ret;

  switch (algo) {
  case GNUTLS_PK_RSA:
  case GNUTLS_PK_RSA_PSS:
    ret = _gnutls_x509_read_rsa_pubkey(der, dersize, params);
    if (ret >= 0) {
      params->algo = algo;
      params->params_nr = RSA_PUBLIC_PARAMS;
    }
    break;
  case GNUTLS_PK_DSA:
    if (params->params_nr != 3) /* _gnutls_x509_read_pubkey_params must have been called */
      return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);

    ret = _gnutls_x509_read_dsa_pubkey(der, dersize, params);
    if (ret >= 0) {
      params->algo = GNUTLS_PK_DSA;
      params->params_nr = DSA_PUBLIC_PARAMS;
    }
    break;
  case GNUTLS_PK_ECDSA:
    ret = _gnutls_x509_read_ecc_pubkey(der, dersize, params);
    if (ret >= 0) {
      params->algo = GNUTLS_PK_ECDSA;
      params->params_nr = ECC_PUBLIC_PARAMS;
    }
    break;
  case GNUTLS_PK_EDDSA_ED25519:
    ret =
        _gnutls_x509_read_eddsa_pubkey(GNUTLS_ECC_CURVE_ED25519,
               der, dersize, params);
    break;
  case GNUTLS_PK_EDDSA_ED448:
    ret =
        _gnutls_x509_read_eddsa_pubkey(GNUTLS_ECC_CURVE_ED448, der,
               dersize, params);
    break;
  case GNUTLS_PK_ECDH_X25519:
    ret =
        _gnutls_x509_read_ecdh_pubkey(GNUTLS_ECC_CURVE_X25519, der,
              dersize, params);
    break;
  case GNUTLS_PK_ECDH_X448:
    ret =
        _gnutls_x509_read_ecdh_pubkey(GNUTLS_ECC_CURVE_X448, der,
              dersize, params);
    break;
  case GNUTLS_PK_GOST_01:
  case GNUTLS_PK_GOST_12_256:
  case GNUTLS_PK_GOST_12_512:
    ret = _gnutls_x509_read_gost_pubkey(der, dersize, params);
    if (ret >= 0) {
      params->algo = algo;
      params->params_nr = GOST_PUBLIC_PARAMS;
    }
    break;
  default:
    ret = gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
    break;
  }
  return ret;
}

/* This function must be called prior to _gnutls_x509_read_pubkey()
 */
int _gnutls_x509_read_pubkey_params(gnutls_pk_algorithm_t algo,
            uint8_t * der, int dersize,
            gnutls_pk_params_st * params)
{
  switch (algo) {
  case GNUTLS_PK_RSA:
  case GNUTLS_PK_EDDSA_ED25519:
  case GNUTLS_PK_EDDSA_ED448:
    return 0;
  case GNUTLS_PK_RSA_PSS:
    return _gnutls_x509_read_rsa_pss_params(der, dersize,
              &params->spki);
  case GNUTLS_PK_DSA:
    return _gnutls_x509_read_dsa_params(der, dersize, params);
  case GNUTLS_PK_EC:
    return _gnutls_x509_read_ecc_params(der, dersize,
                &params->curve);
  case GNUTLS_PK_GOST_01:
  case GNUTLS_PK_GOST_12_256:
  case GNUTLS_PK_GOST_12_512:
    return _gnutls_x509_read_gost_params(der, dersize, params,
                 algo);
  default:
    return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
  }
}

/* This function must be called after _gnutls_x509_read_pubkey()
 */
int _gnutls_x509_check_pubkey_params(gnutls_pk_params_st * params)
{
  switch (params->algo) {
  case GNUTLS_PK_RSA_PSS:{
      unsigned bits;
      const mac_entry_st *me;
      size_t hash_size;

      if (params->spki.pk == GNUTLS_PK_UNKNOWN) /* no params present */
        return 0;

      bits = pubkey_to_bits(params);

      me = hash_to_entry(params->spki.rsa_pss_dig);
      if (unlikely(me == NULL))
        return
            gnutls_assert_val
            (GNUTLS_E_PK_INVALID_PUBKEY_PARAMS);

      hash_size = _gnutls_hash_get_algo_len(me);
      if (hash_size + params->spki.salt_size + 2 >
          (bits + 7) / 8)
        return
            gnutls_assert_val
            (GNUTLS_E_PK_INVALID_PUBKEY_PARAMS);
      return 0;
    }
  case GNUTLS_PK_RSA:
  case GNUTLS_PK_DSA:
  case GNUTLS_PK_ECDSA:
  case GNUTLS_PK_EDDSA_ED25519:
  case GNUTLS_PK_EDDSA_ED448:
  case GNUTLS_PK_ECDH_X25519:
  case GNUTLS_PK_ECDH_X448:
  case GNUTLS_PK_GOST_01:
  case GNUTLS_PK_GOST_12_256:
  case GNUTLS_PK_GOST_12_512:
    return 0;
  default:
    return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
  }
}

/* reads DSA's Y
 * from the certificate 
 * only sets params[3]
 */
int
_gnutls_x509_read_dsa_pubkey(uint8_t * der, int dersize,
           gnutls_pk_params_st * params)
{
  return _gnutls_x509_read_der_int(der, dersize, &params->params[3]);
}

Coverage Report

Created: 2023-03-26 08:33

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright (C) 2011-2012 Free Software Foundation, Inc.
3		* Copyright (C) 2013-2017 Red Hat
4		*
5		* Author: Nikos Mavrogiannopoulos
6		*
7		* This file is part of GnuTLS.
8		*
9		* The GnuTLS is free software; you can redistribute it and/or
10		* modify it under the terms of the GNU Lesser General Public License
11		* as published by the Free Software Foundation; either version 2.1 of
12		* the License, or (at your option) any later version.
13		*
14		* This library is distributed in the hope that it will be useful, but
15		* WITHOUT ANY WARRANTY; without even the implied warranty of
16		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17		* Lesser General Public License for more details.
18		*
19		* You should have received a copy of the GNU Lesser General Public License
20		* along with this program. If not, see <https://www.gnu.org/licenses/>
21		*
22		*/
23
24		#include "gnutls_int.h"
25		#include "errors.h"
26		#include <global.h>
27		#include <libtasn1.h>
28		#include <datum.h>
29		#include "common.h"
30		#include "x509_int.h"
31		#include "pk.h"
32		#include <num.h>
33		#include <ecc.h>
34
35		static int _gnutls_x509_read_rsa_pubkey(uint8_t * der, int dersize,
36		gnutls_pk_params_st * params);
37		static int _gnutls_x509_read_dsa_pubkey(uint8_t * der, int dersize,
38		gnutls_pk_params_st * params);
39		static int _gnutls_x509_read_ecc_pubkey(uint8_t * der, int dersize,
40		gnutls_pk_params_st * params);
41		static int _gnutls_x509_read_eddsa_pubkey(gnutls_ecc_curve_t curve,
42		uint8_t * der, int dersize,
43		gnutls_pk_params_st * params);
44		static int _gnutls_x509_read_ecdh_pubkey(gnutls_ecc_curve_t curve,
45		uint8_t * der, int dersize,
46		gnutls_pk_params_st * params);
47		static int _gnutls_x509_read_gost_pubkey(uint8_t * der, int dersize,
48		gnutls_pk_params_st * params);
49
50		static int
51		_gnutls_x509_read_dsa_params(uint8_t * der, int dersize,
52		gnutls_pk_params_st * params);
53
54		/*
55		* some x509 certificate parsing functions that relate to MPI parameter
56		* extraction. This reads the BIT STRING subjectPublicKey.
57		* Returns 2 parameters (m,e). It does not set params_nr.
58		*/
59		int
60		_gnutls_x509_read_rsa_pubkey(uint8_t * der, int dersize,
61		gnutls_pk_params_st * params)
62	0	{
63	0	int result;
64	0	asn1_node spk = NULL;
65
66	0	if ((result = asn1_create_element
67	0	(_gnutls_get_gnutls_asn(), "GNUTLS.RSAPublicKey", &spk))
68	0	!= ASN1_SUCCESS) {
69	0	gnutls_assert();
70	0	return _gnutls_asn2err(result);
71	0	}
72
73	0	result = asn1_der_decoding(&spk, der, dersize, NULL);
74
75	0	if (result != ASN1_SUCCESS) {
76	0	gnutls_assert();
77	0	asn1_delete_structure(&spk);
78	0	return _gnutls_asn2err(result);
79	0	}
80
81	0	if (_gnutls_x509_read_int(spk, "modulus", &params->params[0]) < 0) {
82	0	gnutls_assert();
83	0	asn1_delete_structure(&spk);
84	0	return GNUTLS_E_ASN1_GENERIC_ERROR;
85	0	}
86
87	0	if (_gnutls_x509_read_int(spk, "publicExponent",
88	0	&params->params[1]) < 0) {
89	0	gnutls_assert();
90	0	_gnutls_mpi_release(&params->params[0]);
91	0	asn1_delete_structure(&spk);
92	0	return GNUTLS_E_ASN1_GENERIC_ERROR;
93	0	}
94
95	0	asn1_delete_structure(&spk);
96
97	0	return 0;
98
99	0	}
100
101		/*
102		* some x509 certificate parsing functions that relate to MPI parameter
103		* extraction. This reads the BIT STRING subjectPublicKey.
104		* Returns 2 parameters (m,e). It does not set params_nr.
105		*/
106		int
107		_gnutls_x509_read_ecc_pubkey(uint8_t * der, int dersize,
108		gnutls_pk_params_st * params)
109	0	{
110		/* RFC5480 defines the public key to be an ECPoint (i.e. OCTET STRING),
111		* Then it says that the OCTET STRING _value_ is converted to BIT STRING.
112		* That means that the value we place there is the raw X9.62 one. */
113	0	return _gnutls_ecc_ansi_x962_import(der, dersize,
114	0	&params->params[ECC_X],
115	0	&params->params[ECC_Y]);
116	0	}
117
118		int _gnutls_x509_read_eddsa_pubkey(gnutls_ecc_curve_t curve,
119		uint8_t * der, int dersize,
120		gnutls_pk_params_st * params)
121	0	{
122	0	int size = gnutls_ecc_curve_get_size(curve);
123	0	if (dersize != size)
124	0	return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
125
126	0	return _gnutls_set_datum(&params->raw_pub, der, dersize);
127	0	}
128
129		int _gnutls_x509_read_ecdh_pubkey(gnutls_ecc_curve_t curve,
130		uint8_t * der, int dersize,
131		gnutls_pk_params_st * params)
132	0	{
133	0	int size = gnutls_ecc_curve_get_size(curve);
134	0	if (dersize != size)
135	0	return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
136
137	0	return _gnutls_set_datum(&params->raw_pub, der, dersize);
138	0	}
139
140		/* Pubkey is a concatenation of X (in little endian) and Y (also LE)
141		* encoded into OCTET STRING. */
142		static int
143		_gnutls_x509_read_gost_pubkey(uint8_t * der, int dersize,
144		gnutls_pk_params_st * params)
145	0	{
146	0	int ret;
147	0	int len;
148	0	bigint_t *x = &params->params[GOST_X];
149	0	bigint_t *y = &params->params[GOST_Y];
150
151		/* Quick and dirty parsing of OCTET STRING of 0x40 or 0x80 bytes */
152	0	if (dersize < 1 \|\| der[0] != ASN1_TAG_OCTET_STRING) {
153	0	return gnutls_assert_val(GNUTLS_E_PARSING_ERROR);
154	0	}
155
156	0	der++;
157	0	dersize--;
158
159	0	ret = asn1_get_length_der(der, dersize, &len);
160	0	if (ret <= 0 \|\| ret % 2 != 0 \|\| dersize != len + ret) {
161	0	return gnutls_assert_val(GNUTLS_E_PARSING_ERROR);
162	0	}
163
164	0	der += len;
165	0	dersize -= len;
166
167		/* read data */
168	0	ret = _gnutls_mpi_init_scan_le(x, der, dersize / 2);
169	0	if (ret < 0)
170	0	return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
171
172	0	ret = _gnutls_mpi_init_scan_le(y, der + dersize / 2, dersize / 2);
173	0	if (ret < 0) {
174	0	_gnutls_mpi_release(y);
175	0	return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
176	0	}
177
178	0	return 0;
179	0	}
180
181		/* reads p,q and g
182		* from the certificate (subjectPublicKey BIT STRING).
183		* params[0-2]. It does NOT set params_nr.
184		*/
185		static int
186		_gnutls_x509_read_dsa_params(uint8_t * der, int dersize,
187		gnutls_pk_params_st * params)
188	0	{
189	0	int result;
190	0	asn1_node spk = NULL;
191
192	0	if ((result = asn1_create_element
193	0	(_gnutls_get_pkix(), "PKIX1.Dss-Parms", &spk)) != ASN1_SUCCESS) {
194	0	gnutls_assert();
195	0	return _gnutls_asn2err(result);
196	0	}
197
198	0	result = asn1_der_decoding(&spk, der, dersize, NULL);
199
200	0	if (result != ASN1_SUCCESS) {
201	0	gnutls_assert();
202	0	asn1_delete_structure(&spk);
203	0	return _gnutls_asn2err(result);
204	0	}
205
206		/* If the parameters are not included in the certificate
207		* then the issuer's parameters should be used. This is not
208		* implemented, and is not used in practice (along with DSA).
209		*/
210
211		/* Read p */
212
213	0	if (_gnutls_x509_read_int(spk, "p", &params->params[0]) < 0) {
214	0	gnutls_assert();
215	0	asn1_delete_structure(&spk);
216	0	return GNUTLS_E_ASN1_GENERIC_ERROR;
217	0	}
218
219		/* Read q */
220
221	0	if (_gnutls_x509_read_int(spk, "q", &params->params[1]) < 0) {
222	0	gnutls_assert();
223	0	asn1_delete_structure(&spk);
224	0	_gnutls_mpi_release(&params->params[0]);
225	0	return GNUTLS_E_ASN1_GENERIC_ERROR;
226	0	}
227
228		/* Read g */
229
230	0	if (_gnutls_x509_read_int(spk, "g", &params->params[2]) < 0) {
231	0	gnutls_assert();
232	0	asn1_delete_structure(&spk);
233	0	_gnutls_mpi_release(&params->params[0]);
234	0	_gnutls_mpi_release(&params->params[1]);
235	0	return GNUTLS_E_ASN1_GENERIC_ERROR;
236	0	}
237
238	0	asn1_delete_structure(&spk);
239
240	0	params->params_nr = 3; /* public key is missing */
241	0	params->algo = GNUTLS_PK_DSA;
242
243	0	return 0;
244
245	0	}
246
247		/* reads the curve from the certificate.
248		* params[0-4]. It does NOT set params_nr.
249		*/
250		int
251		_gnutls_x509_read_ecc_params(uint8_t * der, int dersize, unsigned int *curve)
252	0	{
253	0	int ret;
254	0	asn1_node spk = NULL;
255	0	char oid[MAX_OID_SIZE];
256	0	int oid_size;
257
258	0	if ((ret = asn1_create_element
259	0	(_gnutls_get_gnutls_asn(), "GNUTLS.ECParameters",
260	0	&spk)) != ASN1_SUCCESS) {
261	0	gnutls_assert();
262	0	return _gnutls_asn2err(ret);
263	0	}
264
265	0	ret = asn1_der_decoding(&spk, der, dersize, NULL);
266
267	0	if (ret != ASN1_SUCCESS) {
268	0	gnutls_assert();
269	0	ret = _gnutls_asn2err(ret);
270	0	goto cleanup;
271	0	}
272
273		/* read the curve */
274	0	oid_size = sizeof(oid);
275	0	ret = asn1_read_value(spk, "namedCurve", oid, &oid_size);
276	0	if (ret != ASN1_SUCCESS) {
277	0	gnutls_assert();
278	0	ret = _gnutls_asn2err(ret);
279	0	goto cleanup;
280	0	}
281
282	0	*curve = gnutls_oid_to_ecc_curve(oid);
283	0	if (*curve == GNUTLS_ECC_CURVE_INVALID) {
284	0	_gnutls_debug_log("Curve %s is not supported\n", oid);
285	0	gnutls_assert();
286	0	ret = GNUTLS_E_ECC_UNSUPPORTED_CURVE;
287	0	goto cleanup;
288	0	}
289
290	0	ret = 0;
291
292	0	cleanup:
293
294	0	asn1_delete_structure(&spk);
295
296	0	return ret;
297
298	0	}
299
300		/* Reads RSA-PSS parameters.
301		*/
302		int
303		_gnutls_x509_read_rsa_pss_params(uint8_t * der, int dersize,
304		gnutls_x509_spki_st * params)
305	0	{
306	0	int result;
307	0	asn1_node spk = NULL;
308	0	asn1_node c2 = NULL;
309	0	gnutls_digest_algorithm_t digest;
310	0	char oid[MAX_OID_SIZE] = "";
311	0	int size;
312	0	unsigned int trailer;
313	0	gnutls_datum_t value = { NULL, 0 };
314
315	0	if ((result = asn1_create_element
316	0	(_gnutls_get_gnutls_asn(), "GNUTLS.RSAPSSParameters", &spk))
317	0	!= ASN1_SUCCESS) {
318	0	gnutls_assert();
319	0	result = _gnutls_asn2err(result);
320	0	goto cleanup;
321	0	}
322
323	0	result = _asn1_strict_der_decode(&spk, der, dersize, NULL);
324
325	0	if (result != ASN1_SUCCESS) {
326	0	gnutls_assert();
327	0	result = _gnutls_asn2err(result);
328	0	goto cleanup;
329	0	}
330
331	0	size = sizeof(oid);
332	0	result = asn1_read_value(spk, "hashAlgorithm.algorithm", oid, &size);
333	0	if (result == ASN1_SUCCESS)
334	0	digest = gnutls_oid_to_digest(oid);
335	0	else if (result == ASN1_ELEMENT_NOT_FOUND)
336		/* The default hash algorithm is SHA-1 */
337	0	digest = GNUTLS_DIG_SHA1;
338	0	else {
339	0	gnutls_assert();
340	0	result = _gnutls_asn2err(result);
341	0	goto cleanup;
342	0	}
343
344	0	if (digest == GNUTLS_DIG_UNKNOWN) {
345	0	gnutls_assert();
346	0	_gnutls_debug_log("Unknown RSA-PSS hash: %s\n", oid);
347	0	result = GNUTLS_E_UNKNOWN_HASH_ALGORITHM;
348	0	goto cleanup;
349	0	}
350
351	0	size = sizeof(oid);
352	0	result = asn1_read_value(spk, "maskGenAlgorithm.algorithm", oid, &size);
353	0	if (result == ASN1_SUCCESS) {
354	0	gnutls_digest_algorithm_t digest2;
355
356		/* Error out if algorithm other than mgf1 is specified */
357	0	if (strcmp(oid, PKIX1_RSA_PSS_MGF1_OID) != 0) {
358	0	gnutls_assert();
359	0	_gnutls_debug_log("Unknown mask algorithm: %s\n", oid);
360	0	result = GNUTLS_E_UNKNOWN_ALGORITHM;
361	0	goto cleanup;
362	0	}
363
364		/* Check if maskGenAlgorithm.parameters does exist and
365		* is identical to hashAlgorithm */
366	0	result =
367	0	_gnutls_x509_read_value(spk, "maskGenAlgorithm.parameters",
368	0	&value);
369	0	if (result < 0) {
370	0	gnutls_assert();
371	0	goto cleanup;
372	0	}
373
374	0	if ((result = asn1_create_element
375	0	(_gnutls_get_pkix(), "PKIX1.AlgorithmIdentifier", &c2))
376	0	!= ASN1_SUCCESS) {
377	0	gnutls_assert();
378	0	result = _gnutls_asn2err(result);
379	0	goto cleanup;
380	0	}
381
382	0	result =
383	0	_asn1_strict_der_decode(&c2, value.data, value.size, NULL);
384	0	if (result != ASN1_SUCCESS) {
385	0	gnutls_assert();
386	0	result = _gnutls_asn2err(result);
387	0	goto cleanup;
388	0	}
389
390	0	size = sizeof(oid);
391	0	result = asn1_read_value(c2, "algorithm", oid, &size);
392	0	if (result == ASN1_SUCCESS)
393	0	digest2 = gnutls_oid_to_digest(oid);
394	0	else if (result == ASN1_ELEMENT_NOT_FOUND)
395		/* The default hash algorithm for mgf1 is SHA-1 */
396	0	digest2 = GNUTLS_DIG_SHA1;
397	0	else {
398	0	gnutls_assert();
399	0	result = _gnutls_asn2err(result);
400	0	goto cleanup;
401	0	}
402
403	0	if (digest != digest2) {
404	0	gnutls_assert();
405	0	result = GNUTLS_E_CONSTRAINT_ERROR;
406	0	goto cleanup;
407	0	}
408	0	} else if (result != ASN1_ELEMENT_NOT_FOUND) {
409	0	gnutls_assert();
410	0	result = _gnutls_asn2err(result);
411	0	goto cleanup;
412	0	}
413
414	0	memset(params, 0, sizeof(gnutls_x509_spki_st));
415	0	params->pk = GNUTLS_PK_RSA_PSS;
416	0	params->rsa_pss_dig = digest;
417
418	0	result = _gnutls_x509_read_uint(spk, "saltLength", &params->salt_size);
419	0	if (result == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND \|\|
420	0	result == GNUTLS_E_ASN1_VALUE_NOT_FOUND)
421	0	params->salt_size = 20;
422	0	else if (result < 0) {
423	0	gnutls_assert();
424	0	goto cleanup;
425	0	}
426
427	0	result = _gnutls_x509_read_uint(spk, "trailerField", &trailer);
428	0	if (result == GNUTLS_E_ASN1_VALUE_NOT_FOUND \|\|
429	0	result == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND)
430	0	trailer = 1;
431	0	else if (result < 0) {
432	0	gnutls_assert();
433	0	goto cleanup;
434	0	}
435	0	if (trailer != 1) {
436	0	gnutls_assert();
437	0	result = GNUTLS_E_CERTIFICATE_ERROR;
438	0	goto cleanup;
439	0	}
440
441	0	result = 0;
442	0	cleanup:
443	0	_gnutls_free_datum(&value);
444	0	asn1_delete_structure(&c2);
445	0	asn1_delete_structure(&spk);
446	0	return result;
447	0	}
448
449		/* reads the curve from the certificate.
450		* It does NOT set params_nr.
451		*/
452		int
453		_gnutls_x509_read_gost_params(uint8_t * der, int dersize,
454		gnutls_pk_params_st * params,
455		gnutls_pk_algorithm_t algo)
456	0	{
457	0	int ret;
458	0	asn1_node spk = NULL;
459	0	char oid[MAX_OID_SIZE];
460	0	int oid_size;
461	0	gnutls_ecc_curve_t curve;
462	0	gnutls_gost_paramset_t param;
463
464	0	if ((ret = asn1_create_element(_gnutls_get_gnutls_asn(),
465	0	algo == GNUTLS_PK_GOST_01 ?
466	0	"GNUTLS.GOSTParametersOld" :
467	0	"GNUTLS.GOSTParameters",
468	0	&spk)) != ASN1_SUCCESS) {
469	0	gnutls_assert();
470	0	return _gnutls_asn2err(ret);
471	0	}
472
473	0	ret = _asn1_strict_der_decode(&spk, der, dersize, NULL);
474
475	0	if (ret != ASN1_SUCCESS) {
476	0	gnutls_assert();
477	0	ret = _gnutls_asn2err(ret);
478	0	goto cleanup;
479	0	}
480
481		/* read the curve */
482	0	oid_size = sizeof(oid);
483	0	ret = asn1_read_value(spk, "publicKeyParamSet", oid, &oid_size);
484	0	if (ret != ASN1_SUCCESS) {
485	0	gnutls_assert();
486	0	ret = _gnutls_asn2err(ret);
487	0	goto cleanup;
488	0	}
489
490	0	curve = gnutls_oid_to_ecc_curve(oid);
491	0	if (curve == GNUTLS_ECC_CURVE_INVALID) {
492	0	_gnutls_debug_log("Curve %s is not supported\n", oid);
493	0	gnutls_assert();
494	0	ret = GNUTLS_E_ECC_UNSUPPORTED_CURVE;
495	0	goto cleanup;
496	0	}
497
498		/* Read the digest */
499	0	oid_size = sizeof(oid);
500	0	ret = asn1_read_value(spk, "digestParamSet", oid, &oid_size);
501	0	if (ret != ASN1_SUCCESS && ret != ASN1_ELEMENT_NOT_FOUND) {
502	0	gnutls_assert();
503	0	ret = _gnutls_asn2err(ret);
504	0	goto cleanup;
505	0	}
506		/* For now ignore the OID: we use pk OID instead */
507
508	0	oid_size = sizeof(oid);
509	0	ret = asn1_read_value(spk, "encryptionParamSet", oid, &oid_size);
510	0	if (ret != ASN1_SUCCESS && ret != ASN1_ELEMENT_NOT_FOUND) {
511	0	gnutls_assert();
512	0	ret = _gnutls_asn2err(ret);
513	0	goto cleanup;
514	0	}
515
516	0	if (ret != ASN1_ELEMENT_NOT_FOUND)
517	0	param = gnutls_oid_to_gost_paramset(oid);
518	0	else
519	0	param = _gnutls_gost_paramset_default(algo);
520
521	0	if (param == GNUTLS_GOST_PARAMSET_UNKNOWN) {
522	0	gnutls_assert();
523	0	ret = param;
524	0	goto cleanup;
525	0	}
526
527	0	params->curve = curve;
528	0	params->gost_params = param;
529	0	ret = 0;
530
531	0	cleanup:
532
533	0	asn1_delete_structure(&spk);
534
535	0	return ret;
536
537	0	}
538
539		/* This function must be called after _gnutls_x509_read_params()
540		*/
541		int _gnutls_x509_read_pubkey(gnutls_pk_algorithm_t algo, uint8_t * der,
542		int dersize, gnutls_pk_params_st * params)
543	0	{
544	0	int ret;
545
546	0	switch (algo) {
547	0	case GNUTLS_PK_RSA:
548	0	case GNUTLS_PK_RSA_PSS:
549	0	ret = _gnutls_x509_read_rsa_pubkey(der, dersize, params);
550	0	if (ret >= 0) {
551	0	params->algo = algo;
552	0	params->params_nr = RSA_PUBLIC_PARAMS;
553	0	}
554	0	break;
555	0	case GNUTLS_PK_DSA:
556	0	if (params->params_nr != 3) /* _gnutls_x509_read_pubkey_params must have been called */
557	0	return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
558
559	0	ret = _gnutls_x509_read_dsa_pubkey(der, dersize, params);
560	0	if (ret >= 0) {
561	0	params->algo = GNUTLS_PK_DSA;
562	0	params->params_nr = DSA_PUBLIC_PARAMS;
563	0	}
564	0	break;
565	0	case GNUTLS_PK_ECDSA:
566	0	ret = _gnutls_x509_read_ecc_pubkey(der, dersize, params);
567	0	if (ret >= 0) {
568	0	params->algo = GNUTLS_PK_ECDSA;
569	0	params->params_nr = ECC_PUBLIC_PARAMS;
570	0	}
571	0	break;
572	0	case GNUTLS_PK_EDDSA_ED25519:
573	0	ret =
574	0	_gnutls_x509_read_eddsa_pubkey(GNUTLS_ECC_CURVE_ED25519,
575	0	der, dersize, params);
576	0	break;
577	0	case GNUTLS_PK_EDDSA_ED448:
578	0	ret =
579	0	_gnutls_x509_read_eddsa_pubkey(GNUTLS_ECC_CURVE_ED448, der,
580	0	dersize, params);
581	0	break;
582	0	case GNUTLS_PK_ECDH_X25519:
583	0	ret =
584	0	_gnutls_x509_read_ecdh_pubkey(GNUTLS_ECC_CURVE_X25519, der,
585	0	dersize, params);
586	0	break;
587	0	case GNUTLS_PK_ECDH_X448:
588	0	ret =
589	0	_gnutls_x509_read_ecdh_pubkey(GNUTLS_ECC_CURVE_X448, der,
590	0	dersize, params);
591	0	break;
592	0	case GNUTLS_PK_GOST_01:
593	0	case GNUTLS_PK_GOST_12_256:
594	0	case GNUTLS_PK_GOST_12_512:
595	0	ret = _gnutls_x509_read_gost_pubkey(der, dersize, params);
596	0	if (ret >= 0) {
597	0	params->algo = algo;
598	0	params->params_nr = GOST_PUBLIC_PARAMS;
599	0	}
600	0	break;
601	0	default:
602	0	ret = gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
603	0	break;
604	0	}
605	0	return ret;
606	0	}
607
608		/* This function must be called prior to _gnutls_x509_read_pubkey()
609		*/
610		int _gnutls_x509_read_pubkey_params(gnutls_pk_algorithm_t algo,
611		uint8_t * der, int dersize,
612		gnutls_pk_params_st * params)
613	0	{
614	0	switch (algo) {
615	0	case GNUTLS_PK_RSA:
616	0	case GNUTLS_PK_EDDSA_ED25519:
617	0	case GNUTLS_PK_EDDSA_ED448:
618	0	return 0;
619	0	case GNUTLS_PK_RSA_PSS:
620	0	return _gnutls_x509_read_rsa_pss_params(der, dersize,
621	0	&params->spki);
622	0	case GNUTLS_PK_DSA:
623	0	return _gnutls_x509_read_dsa_params(der, dersize, params);
624	0	case GNUTLS_PK_EC:
625	0	return _gnutls_x509_read_ecc_params(der, dersize,
626	0	&params->curve);
627	0	case GNUTLS_PK_GOST_01:
628	0	case GNUTLS_PK_GOST_12_256:
629	0	case GNUTLS_PK_GOST_12_512:
630	0	return _gnutls_x509_read_gost_params(der, dersize, params,
631	0	algo);
632	0	default:
633	0	return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
634	0	}
635	0	}
636
637		/* This function must be called after _gnutls_x509_read_pubkey()
638		*/
639		int _gnutls_x509_check_pubkey_params(gnutls_pk_params_st * params)
640	0	{
641	0	switch (params->algo) {
642	0	case GNUTLS_PK_RSA_PSS:{
643	0	unsigned bits;
644	0	const mac_entry_st *me;
645	0	size_t hash_size;
646
647	0	if (params->spki.pk == GNUTLS_PK_UNKNOWN) /* no params present */
648	0	return 0;
649
650	0	bits = pubkey_to_bits(params);
651
652	0	me = hash_to_entry(params->spki.rsa_pss_dig);
653	0	if (unlikely(me == NULL))
654	0	return
655	0	gnutls_assert_val
656	0	(GNUTLS_E_PK_INVALID_PUBKEY_PARAMS);
657
658	0	hash_size = _gnutls_hash_get_algo_len(me);
659	0	if (hash_size + params->spki.salt_size + 2 >
660	0	(bits + 7) / 8)
661	0	return
662	0	gnutls_assert_val
663	0	(GNUTLS_E_PK_INVALID_PUBKEY_PARAMS);
664	0	return 0;
665	0	}
666	0	case GNUTLS_PK_RSA:
667	0	case GNUTLS_PK_DSA:
668	0	case GNUTLS_PK_ECDSA:
669	0	case GNUTLS_PK_EDDSA_ED25519:
670	0	case GNUTLS_PK_EDDSA_ED448:
671	0	case GNUTLS_PK_ECDH_X25519:
672	0	case GNUTLS_PK_ECDH_X448:
673	0	case GNUTLS_PK_GOST_01:
674	0	case GNUTLS_PK_GOST_12_256:
675	0	case GNUTLS_PK_GOST_12_512:
676	0	return 0;
677	0	default:
678	0	return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
679	0	}
680	0	}
681
682		/* reads DSA's Y
683		* from the certificate
684		* only sets params[3]
685		*/
686		int
687		_gnutls_x509_read_dsa_pubkey(uint8_t * der, int dersize,
688		gnutls_pk_params_st * params)
689	0	{
690	0	return _gnutls_x509_read_der_int(der, dersize, &params->params[3]);
691	0	}