aboutsummaryrefslogtreecommitdiffstats
path: root/src/libstrongswan/plugins/openssl/openssl_x509.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/libstrongswan/plugins/openssl/openssl_x509.c')
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_x509.c41
1 files changed, 23 insertions, 18 deletions
diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c
index d2773e3f8..e4932c2a1 100644
--- a/src/libstrongswan/plugins/openssl/openssl_x509.c
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@@ -1,6 +1,6 @@
/*
- * Copyright (C) 2011 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2011-2017 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
*
* Copyright (C) 2010 Martin Willi
* Copyright (C) 2010 revosec AG
@@ -154,7 +154,7 @@ struct private_openssl_x509_t {
/**
* Signature scheme of the certificate
*/
- signature_scheme_t scheme;
+ signature_params_t *scheme;
/**
* subjectAltNames
@@ -392,10 +392,6 @@ METHOD(certificate_t, issued_by, bool,
ASN1_BIT_STRING *sig;
chunk_t tbs;
- if (this->scheme == SIGN_UNKNOWN)
- {
- return FALSE;
- }
if (&this->public.x509.interface == issuer)
{
if (this->flags & X509_SELF_SIGNED)
@@ -431,7 +427,7 @@ METHOD(certificate_t, issued_by, bool,
tbs = openssl_i2chunk(X509_CINF, this->x509->cert_info);
#endif
X509_get0_signature(&sig, NULL, this->x509);
- valid = key->verify(key, this->scheme, NULL, tbs,
+ valid = key->verify(key, this->scheme->scheme, this->scheme->params, tbs,
openssl_asn1_str2chunk(sig));
free(tbs.ptr);
key->destroy(key);
@@ -439,9 +435,7 @@ METHOD(certificate_t, issued_by, bool,
out:
if (valid && scheme)
{
- INIT(*scheme,
- .scheme = this->scheme,
- );
+ *scheme = signature_params_clone(this->scheme);
}
return valid;
}
@@ -534,6 +528,7 @@ METHOD(certificate_t, destroy, void,
{
X509_free(this->x509);
}
+ signature_params_destroy(this->scheme);
DESTROY_IF(this->subject);
DESTROY_IF(this->issuer);
DESTROY_IF(this->pubkey);
@@ -1069,8 +1064,8 @@ static bool parse_certificate(private_openssl_x509_t *this)
{
const unsigned char *ptr = this->encoding.ptr;
hasher_t *hasher;
- chunk_t chunk;
- ASN1_OBJECT *oid, *oid_tbs;
+ chunk_t chunk, sig_scheme, sig_scheme_tbs;
+ ASN1_OBJECT *oid;
X509_ALGOR *alg;
this->x509 = d2i_X509(NULL, &ptr, this->encoding.len);
@@ -1125,15 +1120,25 @@ static bool parse_certificate(private_openssl_x509_t *this)
/* while X509_ALGOR_cmp() is declared in the headers of older OpenSSL
* versions, at least on Ubuntu 14.04 it is not actually defined */
X509_get0_signature(NULL, &alg, this->x509);
- X509_ALGOR_get0(&oid, NULL, NULL, alg);
+ sig_scheme = openssl_i2chunk(X509_ALGOR, alg);
alg = X509_get0_tbs_sigalg(this->x509);
- X509_ALGOR_get0(&oid_tbs, NULL, NULL, alg);
- if (!chunk_equals(openssl_asn1_obj2chunk(oid),
- openssl_asn1_obj2chunk(oid_tbs)))
+ sig_scheme_tbs = openssl_i2chunk(X509_ALGOR, alg);
+ if (!chunk_equals(sig_scheme, sig_scheme_tbs))
+ {
+ free(sig_scheme_tbs.ptr);
+ free(sig_scheme.ptr);
+ return FALSE;
+ }
+ free(sig_scheme_tbs.ptr);
+
+ INIT(this->scheme);
+ if (!signature_params_parse(sig_scheme, 0, this->scheme))
{
+ DBG1(DBG_ASN, "unable to parse signature algorithm");
+ free(sig_scheme.ptr);
return FALSE;
}
- this->scheme = signature_scheme_from_oid(openssl_asn1_known_oid(oid));
+ free(sig_scheme.ptr);
if (!parse_extensions(this))
{
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-20 04:39:56 +0000