diff options
author | David Benjamin <davidben@chromium.org> | 2014-10-09 22:50:20 +0400 |
---|---|---|
committer | Adam Langley <agl@google.com> | 2014-10-10 01:52:52 +0400 |
commit | 8f160a680b855328df7c33b03f8e9c9eefd59a84 (patch) | |
tree | e65f2cda2282d84c5b1ab982be6b610d2e531d5d /crypto/x509 | |
parent | 2e1594dfb5f4efd9e93f1cc3db04e64f64ace5b4 (diff) |
Add EVP_DigestVerifyInitFromAlgorithm and EVP_DigestSignAlgorithm.
Factor the AlgorithmIdentifier portions of ASN1_item_sign and ASN1_item_verify
out. This makes it possible to initialize a signature context from an
AlgorithmIdentifier without needing the data parsed into an ASN1_ITEM/void*
pair and reserialized.
Change-Id: Idc2e06b1310a3f801aa25de323d39d2b7a44ef50
Reviewed-on: https://boringssl-review.googlesource.com/1916
Reviewed-by: Adam Langley <agl@google.com>
Diffstat (limited to 'crypto/x509')
-rw-r--r-- | crypto/x509/a_sign.c | 55 | ||||
-rw-r--r-- | crypto/x509/a_verify.c | 62 |
2 files changed, 11 insertions, 106 deletions
diff --git a/crypto/x509/a_sign.c b/crypto/x509/a_sign.c index a6bf7157..f219c239 100644 --- a/crypto/x509/a_sign.c +++ b/crypto/x509/a_sign.c @@ -84,65 +84,20 @@ int ASN1_item_sign_ctx(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2, ASN1_BIT_STRING *signature, void *asn, EVP_MD_CTX *ctx) { - const EVP_MD *type; EVP_PKEY *pkey; unsigned char *buf_in=NULL,*buf_out=NULL; size_t inl=0,outl=0,outll=0; - int signid, paramtype; - int rv; - type = EVP_MD_CTX_md(ctx); pkey = EVP_PKEY_CTX_get0_pkey(ctx->pctx); - if (!type || !pkey) + /* Write out the requested copies of the AlgorithmIdentifier. */ + if (algor1 && !EVP_DigestSignAlgorithm(ctx, algor1)) { - OPENSSL_PUT_ERROR(X509, ASN1_item_sign_ctx, X509_R_CONTEXT_NOT_INITIALISED); - return 0; - } - - if (pkey->ameth->item_sign) - { - rv = pkey->ameth->item_sign(ctx, it, asn, algor1, algor2, - signature); - if (rv == 1) - outl = signature->length; - /* Return value meanings: - * <=0: error. - * 1: method does everything. - * 2: carry on as normal. - * 3: ASN1 method sets algorithm identifiers: just sign. - */ - if (rv <= 0) - OPENSSL_PUT_ERROR(X509, ASN1_item_sign_ctx, ERR_R_EVP_LIB); - if (rv <= 1) - goto err; + goto err; } - else - rv = 2; - - if (rv == 2) + if (algor2 && !EVP_DigestSignAlgorithm(ctx, algor2)) { - /* TODO(fork): EVP_MD_FLAG_PKEY_METHOD_SIGNATURE seems to mean - * "is SHA". */ - if (!pkey->ameth || - !OBJ_find_sigid_by_algs(&signid, - EVP_MD_type(type), - pkey->ameth->pkey_id)) - { - OPENSSL_PUT_ERROR(X509, ASN1_item_sign_ctx, X509_R_DIGEST_AND_KEY_TYPE_NOT_SUPPORTED); - return 0; - } - - if (pkey->ameth->pkey_flags & ASN1_PKEY_SIGPARAM_NULL) - paramtype = V_ASN1_NULL; - else - paramtype = V_ASN1_UNDEF; - - if (algor1) - X509_ALGOR_set0(algor1, OBJ_nid2obj(signid), paramtype, NULL); - if (algor2) - X509_ALGOR_set0(algor2, OBJ_nid2obj(signid), paramtype, NULL); - + goto err; } inl=ASN1_item_i2d(asn,&buf_in, it); diff --git a/crypto/x509/a_verify.c b/crypto/x509/a_verify.c index 51f0fd66..e728863f 100644 --- a/crypto/x509/a_verify.c +++ b/crypto/x509/a_verify.c @@ -75,69 +75,21 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signature, void *asn, EVP_PKEY *pkey) { EVP_MD_CTX ctx; - unsigned char *buf_in=NULL; - int ret= -1,inl; - const EVP_PKEY_ASN1_METHOD *ameth; - - int mdnid, pknid; + uint8_t *buf_in = NULL; + int ret = 0, inl; if (!pkey) { OPENSSL_PUT_ERROR(X509, ASN1_item_verify, ERR_R_PASSED_NULL_PARAMETER); - return 1; + return 0; } EVP_MD_CTX_init(&ctx); - /* Convert signature OID into digest and public key OIDs */ - if (!OBJ_find_sigid_algs(OBJ_obj2nid(a->algorithm), &mdnid, &pknid)) + if (!EVP_DigestVerifyInitFromAlgorithm(&ctx, a, pkey)) { - OPENSSL_PUT_ERROR(X509, ASN1_item_verify, ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM); goto err; } - if (mdnid == NID_undef) - { - if (!pkey->ameth || !pkey->ameth->item_verify) - { - OPENSSL_PUT_ERROR(X509, ASN1_item_verify, ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM); - goto err; - } - ret = pkey->ameth->item_verify(&ctx, it, asn, a, - signature, pkey); - /* Return value of 2 means carry on, anything else means we - * exit straight away: either a fatal error of the underlying - * verification routine handles all verification. - */ - if (ret != 2) - goto err; - ret = -1; - } - else - { - const EVP_MD *type; - type=EVP_get_digestbynid(mdnid); - if (type == NULL) - { - OPENSSL_PUT_ERROR(X509, ASN1_item_verify, ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM); - goto err; - } - - /* Check public key OID matches public key type */ - ameth = EVP_PKEY_asn1_find(NULL, pknid); - if (ameth == NULL || ameth->pkey_id != pkey->ameth->pkey_id) - { - OPENSSL_PUT_ERROR(X509, ASN1_item_verify, ASN1_R_WRONG_PUBLIC_KEY_TYPE); - goto err; - } - - if (!EVP_DigestVerifyInit(&ctx, NULL, type, NULL, pkey)) - { - OPENSSL_PUT_ERROR(X509, ASN1_item_verify, ERR_R_EVP_LIB); - ret=0; - goto err; - } - - } inl = ASN1_item_i2d(asn, &buf_in, it); @@ -152,7 +104,6 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, OPENSSL_cleanse(buf_in,(unsigned int)inl); OPENSSL_free(buf_in); OPENSSL_PUT_ERROR(X509, ASN1_item_verify, ERR_R_EVP_LIB); - ret=0; goto err; } @@ -163,15 +114,14 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, (size_t)signature->length) <= 0) { OPENSSL_PUT_ERROR(X509, ASN1_item_verify, ERR_R_EVP_LIB); - ret=0; goto err; } /* we don't need to zero the 'ctx' because we just checked * public information */ /* memset(&ctx,0,sizeof(ctx)); */ - ret=1; + ret = 1; err: EVP_MD_CTX_cleanup(&ctx); - return(ret); + return ret; } |