OLD | NEW |
---|---|
1 /* This Source Code Form is subject to the terms of the Mozilla Public | 1 /* This Source Code Form is subject to the terms of the Mozilla Public |
2 * License, v. 2.0. If a copy of the MPL was not distributed with this | 2 * License, v. 2.0. If a copy of the MPL was not distributed with this |
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
4 | 4 |
5 /* | 5 /* |
6 * Implementation of OCSP services, for both client and server. | 6 * Implementation of OCSP services, for both client and server. |
7 * (XXX, really, mostly just for client right now, but intended to do both.) | 7 * (XXX, really, mostly just for client right now, but intended to do both.) |
8 */ | 8 */ |
9 | 9 |
10 #include "prerror.h" | 10 #include "prerror.h" |
(...skipping 3787 matching lines...)
3798 | 3798 |
3799 return signerCert; | 3799 return signerCert; |
3800 } | 3800 } |
3801 | 3801 |
3802 SECStatus | 3802 SECStatus |
3803 ocsp_VerifyResponseSignature(CERTCertificate *signerCert, | 3803 ocsp_VerifyResponseSignature(CERTCertificate *signerCert, |
3804 ocspSignature *signature, | 3804 ocspSignature *signature, |
3805 SECItem *tbsResponseDataDER, | 3805 SECItem *tbsResponseDataDER, |
3806 void *pwArg) | 3806 void *pwArg) |
3807 { | 3807 { |
3808 SECItem rawSignature; | |
3809 SECKEYPublicKey *signerKey = NULL; | 3808 SECKEYPublicKey *signerKey = NULL; |
3810 SECStatus rv = SECFailure; | 3809 SECStatus rv = SECFailure; |
3810 CERTSignedData signedData; | |
wtc
2013/11/12 23:01:19
The changes in this file come from the upstream ch
| |
3811 | 3811 |
3812 /* | 3812 /* |
3813 * Now get the public key from the signer's certificate; we need | 3813 * Now get the public key from the signer's certificate; we need |
3814 * it to perform the verification. | 3814 * it to perform the verification. |
3815 */ | 3815 */ |
3816 signerKey = CERT_ExtractPublicKey(signerCert); | 3816 signerKey = CERT_ExtractPublicKey(signerCert); |
3817 if (signerKey == NULL) | 3817 if (signerKey == NULL) { |
3818 » return SECFailure; | 3818 return SECFailure; |
3819 } | |
3820 | |
3819 /* | 3821 /* |
3820 * We copy the signature data *pointer* and length, so that we can | 3822 * We copy the signature data *pointer* and length, so that we can |
3821 * modify the length without damaging the original copy. This is a | 3823 * modify the length without damaging the original copy. This is a |
3822 * simple copy, not a dup, so no destroy/free is necessary. | 3824 * simple copy, not a dup, so no destroy/free is necessary. |
3823 */ | 3825 */ |
3824 rawSignature = signature->signature; | 3826 signedData.signature = signature->signature; |
3825 /* | 3827 signedData.signatureAlgorithm = signature->signatureAlgorithm; |
3826 * The raw signature is a bit string, but we need to represent its | 3828 signedData.data = *tbsResponseDataDER; |
3827 * length in bytes, because that is what the verify function expects. | |
3828 */ | |
3829 DER_ConvertBitString(&rawSignature); | |
3830 | 3829 |
3831 rv = VFY_VerifyDataWithAlgorithmID(tbsResponseDataDER->data, | 3830 rv = CERT_VerifySignedDataWithPublicKey(&signedData, signerKey, pwArg); |
3832 tbsResponseDataDER->len, | 3831 if (rv != SECSuccess && |
3833 signerKey, &rawSignature, | 3832 (PORT_GetError() == SEC_ERROR_BAD_SIGNATURE || |
3834 &signature->signatureAlgorithm, | 3833 PORT_GetError() == SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED)) { |
3835 NULL, pwArg); | |
3836 if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_BAD_SIGNATURE) { | |
3837 PORT_SetError(SEC_ERROR_OCSP_BAD_SIGNATURE); | 3834 PORT_SetError(SEC_ERROR_OCSP_BAD_SIGNATURE); |
3838 } | 3835 } |
3839 | 3836 |
3840 if (signerKey != NULL) { | 3837 if (signerKey != NULL) { |
3841 SECKEY_DestroyPublicKey(signerKey); | 3838 SECKEY_DestroyPublicKey(signerKey); |
3842 } | 3839 } |
3843 | 3840 |
3844 return rv; | 3841 return rv; |
3845 } | 3842 } |
3846 | 3843 |
3847 | 3844 |
3848 /* | 3845 /* |
3849 * FUNCTION: CERT_VerifyOCSPResponseSignature | 3846 * FUNCTION: CERT_VerifyOCSPResponseSignature |
(...skipping 1963 matching lines...)
5813 case ocspResponse_unauthorized: | 5810 case ocspResponse_unauthorized: |
5814 PORT_SetError(SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST); | 5811 PORT_SetError(SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST); |
5815 break; | 5812 break; |
5816 case ocspResponse_unused: | 5813 case ocspResponse_unused: |
5817 default: | 5814 default: |
5818 PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS); | 5815 PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS); |
5819 break; | 5816 break; |
5820 } | 5817 } |
5821 return SECFailure; | 5818 return SECFailure; |
5822 } | 5819 } |
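Review bot: In ocsp_VerifyResponseSignature (new lines 3831–3834) a response rejected with SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED is now reported as SEC_ERROR_OCSP_BAD_SIGNATURE, so callers and logs can no longer tell a policy rejection of the signature algorithm from a signature that simply fails to verify. If that folding is intended, document it at the check, e.g. `/* A policy-disabled signature algorithm is deliberately reported as a bad OCSP signature. */`. The comment kept above the `signedData` assignments (new lines 3821–3825) still says the copy is made "so that we can modify the length", but this function no longer calls DER_ConvertBitString; presumably the bit-string conversion now happens inside CERT_VerifySignedDataWithPublicKey, and the comment should say so or be dropped. As a smaller style point, PORT_GetError() could be read once into a local before the two comparisons.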
OLD | NEW |