check matching issuer crt and key for all algs

use mbedtls_pk_check_pair to verify if issuer certificate and issuer key match,
instead of explicitly comparing RSA public component.
Raised and fix suggested by dbedev in #777
Ron Eldor 2017-02-07 19:14:58 +02:00
parent cef21e4cd9
commit 0049f7857d


@ -497,11 +497,7 @@ int main( int argc, char *argv[] )
// //
if( strlen( opt.issuer_crt ) ) if( strlen( opt.issuer_crt ) )
{ {
if( !mbedtls_pk_can_do( &issuer_crt.pk, MBEDTLS_PK_RSA ) || if( mbedtls_pk_check_pair( &issuer_crt.pk, issuer_key ) != 0 )
mbedtls_mpi_cmp_mpi( &mbedtls_pk_rsa( issuer_crt.pk )->N,
&mbedtls_pk_rsa( *issuer_key )->N ) != 0 ||
mbedtls_mpi_cmp_mpi( &mbedtls_pk_rsa( issuer_crt.pk )->E,
&mbedtls_pk_rsa( *issuer_key )->E ) != 0 )
{ {
mbedtls_printf( " failed\n ! issuer_key does not match issuer certificate\n\n" ); mbedtls_printf( " failed\n ! issuer_key does not match issuer certificate\n\n" );
ret = -1; ret = -1;
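Review bot: The new condition only compares the result of `mbedtls_pk_check_pair()` with 0, so every failure prints the same "issuer_key does not match issuer certificate" text, and `ret = -1` then discards the library code. The call can presumably also fail for reasons other than a genuine mismatch, such as differing key types or a key type the build cannot check. Consider `ret = mbedtls_pk_check_pair( &issuer_crt.pk, issuer_key );` followed by `if( ret != 0 )`, and include `-ret` in the message so an operator can tell a wrong key file from an unsupported one. A comment above the check would also help, for example `// a key that does not belong to issuer_crt would sign a certificate that cannot be verified against the issuer`. The enclosing `main` starts and ends outside the hunk.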