lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-30 22:43:08 +03:00
Code Activity

Add basic PSS cert verification

Browse Source 
Still todo:
- handle MGF-hash != sign-hash
- check effective salt len == announced salt len
- add support in the PK layer so that we don't have to bypass it here
This commit is contained in:
Manuel Pégourié-Gonnard
2014-06-02 18:11:07 +02:00
parent e6d1d82b66
commit 920e1cd5e2
4 changed files with 180 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
library/x509_crt.c
View File

@ -1669,6 +1669,21 @@ static int x509_crt_verify_top(
continue;
}
#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES)
if( child->sig_pk == POLARSSL_PK_RSASSA_PSS )
{
if( pk_can_do( &trust_ca->pk, POLARSSL_PK_RSA ) == 0 ||
rsa_rsassa_pss_verify( pk_rsa( trust_ca->pk ),
NULL, NULL, RSA_PUBLIC,
child->sig_md,
md_info->size, hash,
child->sig.p ) != 0 )
{
continue;
}
}
else
#endif
if( pk_can_do( &trust_ca->pk, child->sig_pk ) == 0 ||
pk_verify( &trust_ca->pk, child->sig_md, hash, md_info->size,
child->sig.p, child->sig.len ) != 0 )
@ -1758,6 +1773,21 @@ static int x509_crt_verify_child(
{
md( md_info, child->tbs.p, child->tbs.len, hash );
#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES)
if( child->sig_pk == POLARSSL_PK_RSASSA_PSS )
{
if( pk_can_do( &parent->pk, POLARSSL_PK_RSA ) == 0 ||
rsa_rsassa_pss_verify( pk_rsa( parent->pk ),
NULL, NULL, RSA_PUBLIC,
child->sig_md,
md_info->size, hash,
child->sig.p ) != 0 )
{
*flags |= BADCERT_NOT_TRUSTED;
}
}
else
#endif
if( pk_can_do( &parent->pk, child->sig_pk ) == 0 ||
pk_verify( &parent->pk, child->sig_md, hash, md_info->size,
child->sig.p, child->sig.len ) != 0 )