Certificate_Status_Code Response::verify_signature(const X509_Certificate& issuer) const
{
if (m_responses.empty())
return m_dummy_response_status;
try
{
std::unique_ptr<Public_Key> pub_key(issuer.subject_public_key());
const std::vector<std::string> sig_info =
split_on(OIDS::lookup(m_sig_algo.get_oid()), '/');
if(sig_info.size() != 2 || sig_info[0] != pub_key->algo_name())
return Certificate_Status_Code::OCSP_RESPONSE_INVALID;
std::string padding = sig_info[1];
Signature_Format format = (pub_key->message_parts() >= 2) ? DER_SEQUENCE : IEEE_1363;
PK_Verifier verifier(*pub_key, padding, format);
if(verifier.verify_message(ASN1::put_in_sequence(m_tbs_bits), m_signature))
return Certificate_Status_Code::OCSP_SIGNATURE_OK;
else
return Certificate_Status_Code::OCSP_SIGNATURE_ERROR;
}
catch(Exception&)
{
return Certificate_Status_Code::OCSP_SIGNATURE_ERROR;
}
}
/*
* Verify a Certificate Verify message
*/
bool Certificate_Verify::verify(const X509_Certificate& cert,
const Handshake_State& state,
const Policy& policy) const
{
std::unique_ptr<Public_Key> key(cert.subject_public_key());
policy.check_peer_key_acceptable(*key);
std::pair<std::string, Signature_Format> format =
state.parse_sig_format(*key.get(), m_hash_algo, m_sig_algo,
true, policy);
PK_Verifier verifier(*key, format.first, format.second);
return verifier.verify_message(state.hash().get_contents(), m_signature);
}
/*
* Verify a Certificate Verify message
*/
bool Certificate_Verify::verify(const X509_Certificate& cert,
const Handshake_State& state,
const Policy& policy) const
{
std::unique_ptr<Public_Key> key(cert.subject_public_key());
policy.check_peer_key_acceptable(*key);
std::pair<std::string, Signature_Format> format =
state.parse_sig_format(*key.get(), m_scheme, true, policy);
const bool signature_valid =
state.callbacks().tls_verify_message(*key, format.first, format.second,
state.hash().get_contents(), m_signature);
#if defined(BOTAN_UNSAFE_FUZZER_MODE)
return true;
#else
return signature_valid;
#endif
}
/**
* Verify a Certificate Verify message
*/
bool Certificate_Verify::verify(const X509_Certificate& cert,
HandshakeHash& hash)
{
// FIXME: duplicate of Server_Key_Exchange::verify
std::auto_ptr<Public_Key> key(cert.subject_public_key());
std::string padding = "";
Signature_Format format = IEEE_1363;
if(key->algo_name() == "RSA")
padding = "EMSA3(TLS.Digest.0)";
else if(key->algo_name() == "DSA")
{
padding == "EMSA1(SHA-1)";
format = DER_SEQUENCE;
}
else
throw Invalid_Argument(key->algo_name() +
" is invalid/unknown for TLS signatures");
PK_Verifier verifier(*key, padding, format);
return verifier.verify_message(hash.final(), signature);
}
