• David Howells's avatar
    X.509: Extract signature digest and make self-signed cert checks earlier · 6c2dc5ae
    David Howells authored
    Extract the signature digest for an X.509 certificate earlier, at the end
    of x509_cert_parse() rather than leaving it to the callers thereof since it
    has to be called anyway.
    
    Further, immediately after that, check the signature on self-signed
    certificates, also rather in the callers of x509_cert_parse().
    
    We note in the x509_certificate struct the following bits of information:
    
     (1) Whether the signature is self-signed (even if we can't check the
         signature due to missing crypto).
    
     (2) Whether the key held in the certificate needs unsupported crypto to be
         used.  We may get a PKCS#7 message with X.509 certs that we can't make
         use of - we just ignore them and give ENOPKG at the end it we couldn't
         verify anything if at least one of these unusable certs are in the
         chain of trust.
    
     (3) Whether the signature held in the certificate needs unsupported crypto
         to be checked.  We can still use the key held in this certificate,
         even if we can't check the signature on it - if it is held in the
         system trusted keyring, for instance.  We just can't add it to a ring
         of trusted keys or follow it further up the chain of trust.
    
    Making these checks earlier allows x509_check_signature() to be removed and
    replaced with direct calls to public_key_verify_signature().
    Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
    6c2dc5ae
pkcs7_verify.c 12.4 KB