Implement EC cert and crl verification

96d59120 · Manuel Pégourié-Gonnard · 211a64c7 · 96d59120
Commit 96d59120 authored Aug 09, 2013 by Manuel Pégourié-Gonnard
Show whitespace changes
Inline Side-by-side

Showing with 36 additions and 9 deletions

library/x509parse.c library/x509parse.c +36 -9

No files found.
--- a/library/x509parse.c
+++ b/library/x509parse.c
@@ -3305,6 +3305,7 @@ int x509parse_revoked( const x509_cert *crt, const x509_crl *crl )
 static int x509parse_verifycrl(x509_cert *crt, x509_cert *ca,
        x509_crl *crl_list)
 {
+    int ret;
    int flags = 0;
    unsigned char hash[POLARSSL_MD_MAX_SIZE];
    const md_info_t *md_info;
@@ -3360,9 +3361,20 @@ static int x509parse_verifycrl(x509_cert *crt, x509_cert *ca,
        else
 #endif /* POLARSSL_RSA_C */
 #if defined(POLARSSL_ECDSA_C)
-        if( ca->pk.type == POLARSSL_PK_ECKEY ) {
+        if( pk_can_ecdsa( ca->pk ) ) {
-            /* EC NOT IMPLEMENTED YET */
+            if( ( ret = pk_ec_to_ecdsa( &ca->pk ) ) != 0 )
-            return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
+                return( ret );
+            if( ecdsa_read_signature( (ecdsa_context *) ca->pk.data,
+                        hash, md_info->size,
+                        crl_list->sig.p, crl_list->sig.len ) != 0 )
+            {
+                /*
+                 * CRL is not trusted
+                 */
+                flags |= BADCRL_NOT_TRUSTED;
+                break;
+            }
        }
        else
 #endif /* POLARSSL_ECDSA_C */
@@ -3490,9 +3502,17 @@ static int x509parse_verify_top(
        else
 #endif /* POLARSSL_RSA_C */
 #if defined(POLARSSL_ECDSA_C)
-        if( trust_ca->pk.type == POLARSSL_PK_ECKEY ) {
+        if( pk_can_ecdsa( trust_ca->pk ) ) {
-            /* EC NOT IMPLEMENTED YET */
+            if( ( ret = pk_ec_to_ecdsa( &trust_ca->pk ) ) != 0 )
-            return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
+                return( ret );
+            if( ecdsa_read_signature( (ecdsa_context *) trust_ca->pk.data,
+                        hash, md_info->size,
+                        child->sig.p, child->sig.len ) != 0 )
+            {
+                trust_ca = trust_ca->next;
+                continue;
+            }
        }
        else
 #endif /* POLARSSL_ECDSA_C */
@@ -3579,9 +3599,16 @@ static int x509parse_verify_child(
        else
 #endif /* POLARSSL_RSA_C */
 #if defined(POLARSSL_ECDSA_C)
-        if( parent->pk.type == POLARSSL_PK_ECKEY ) {
+        if( pk_can_ecdsa( parent->pk ) ) {
-            /* EC NOT IMPLEMENTED YET */
+            if( ( ret = pk_ec_to_ecdsa( &parent->pk ) ) != 0 )
-            return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
+                return( ret );
+            if( ecdsa_read_signature( (ecdsa_context *) parent->pk.data,
+                        hash, md_info->size,
+                        child->sig.p, child->sig.len ) != 0 )
+            {
+                *flags |= BADCERT_NOT_TRUSTED;
+            }
        }
        else
 #endif /* POLARSSL_ECDSA_C */