cli_crt *crtmgr_verify_pkcs7(crtmgr *m, const uint8_t *issuer, const uint8_t *serial, const void *signature, unsigned int signature_len, cli_crt_hashtype hashtype, const uint8_t *refhash, cli_vrfy_type vrfytype) { cli_crt *i; mp_int sig; int ret; if(signature_len < 1024/8 || signature_len > 4096/8+1) { cli_dbgmsg("crtmgr_verify_pkcs7: unsupported sig len: %u\n", signature_len); return NULL; } if((ret = mp_init(&sig))) { cli_errmsg("crtmgr_verify_pkcs7: mp_init failed with %d\n", ret); return NULL; } if((ret=mp_read_unsigned_bin(&sig, signature, signature_len))) { cli_warnmsg("crtmgr_verify_pkcs7: mp_read_unsigned_bin failed with %d\n", ret); return NULL; } for(i = m->crts; i; i = i->next) { if(vrfytype == VRFY_CODE && !i->codeSign) continue; if(vrfytype == VRFY_TIME && !i->timeSign) continue; if(!memcmp(i->issuer, issuer, sizeof(i->issuer)) && !memcmp(i->serial, serial, sizeof(i->serial)) && !crtmgr_rsa_verify(i, &sig, hashtype, refhash)) { break; } } mp_clear(&sig); return i; }
cli_crt *crtmgr_verify_crt(crtmgr *m, cli_crt *x509) { cli_crt *i = m->crts, *best = NULL; int score = 0; for (i = m->crts; i; i = i->next) { if (!memcmp(i->subject, x509->subject, sizeof(i->subject)) && !memcmp(i->serial, x509->serial, sizeof(i->serial))) { if (i->isBlacklisted) return i; } } for(i = m->crts; i; i = i->next) { if(i->certSign && !memcmp(i->subject, x509->issuer, sizeof(i->subject)) && !crtmgr_rsa_verify(i, &x509->sig, x509->hashtype, x509->tbshash)) { int curscore; if((x509->codeSign & i->codeSign) == x509->codeSign && (x509->timeSign & i->timeSign) == x509->timeSign) return i; curscore = (x509->codeSign & i->codeSign) + (x509->timeSign & i->timeSign); if(curscore > score) { best = i; score = curscore; } } } return best; }