From 27d661657bdc704476aa6d6fbaad852626c2708b Mon Sep 17 00:00:00 2001
From: Paul Bakker <p.j.bakker@polarssl.org>
Date: Wed, 17 Mar 2010 06:56:01 +0000
Subject: [PATCH]  - Added x509_get_sig_alg() to allow easy future X509
 signature algorithm determination expansion

---
 ChangeLog               |  6 ++++-
 include/polarssl/x509.h |  2 ++
 library/x509parse.c     | 57 ++++++++++++++++++++++-------------------
 3 files changed, 38 insertions(+), 27 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 3a63c4420..15c51af24 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,11 +1,15 @@
 PolarSSL ChangeLog
 
 = Version 0.12.2 released on XXXXXXXX
-Changes
+Features
    * Added option parsing for host and port selection to
      ssl_client2
    * Added support for GeneralizedTime in X509 parsing
+
+Changes
    * Added const correctness for main code base
+   * X509 signature algorithm determination is now
+     in a function to allow easy future expansion
 
 Bug fixes
    * Fixed bug resulting in failure to send the last
diff --git a/include/polarssl/x509.h b/include/polarssl/x509.h
index 06b979fff..9e1d5d6ac 100644
--- a/include/polarssl/x509.h
+++ b/include/polarssl/x509.h
@@ -180,6 +180,7 @@ typedef struct _x509_cert
 
     x509_buf sig_oid2;
     x509_buf sig;
+    int sig_alg;
 
     struct _x509_cert *next; 
 }
@@ -220,6 +221,7 @@ typedef struct _x509_crl
 
     x509_buf sig_oid2;
     x509_buf sig;
+    int sig_alg;
 
     struct _x509_crl *next; 
 }
diff --git a/library/x509parse.c b/library/x509parse.c
index 68d4b7030..3013e9b55 100644
--- a/library/x509parse.c
+++ b/library/x509parse.c
@@ -790,6 +790,29 @@ static int x509_get_entries( unsigned char **p,
     return( 0 );
 }
 
+static int x509_get_sig_alg( const x509_buf *sig_oid, int *sig_alg )
+{
+    if( sig_oid->len == 9 &&
+        memcmp( sig_oid->p, OID_PKCS1, 8 ) == 0 )
+    {
+        if( sig_oid->p[8] >= 2 && sig_oid->p[8] <= 5 )
+        {
+            *sig_alg = sig_oid->p[8];
+            return( 0 );
+        }
+
+        if ( sig_oid->p[8] >= 11 && sig_oid->p[8] <= 14 )
+        {
+            *sig_alg = sig_oid->p[8];
+            return( 0 );
+        }
+
+        return( POLARSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG );
+    }
+
+    return( POLARSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG );
+}
+
 /*
  * Parse one or more certificates and add them to the chained list
  */
@@ -957,19 +980,10 @@ int x509parse_crt( x509_cert *chain, const unsigned char *buf, int buflen )
         return( POLARSSL_ERR_X509_CERT_UNKNOWN_VERSION );
     }
 
-    if( crt->sig_oid1.len != 9 ||
-        memcmp( crt->sig_oid1.p, OID_PKCS1, 8 ) != 0 )
+    if( ( ret = x509_get_sig_alg( &crt->sig_oid1, &crt->sig_alg ) ) != 0 )
     {
         x509_free( crt );
-        return( POLARSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG );
-    }
-
-    if( crt->sig_oid1.p[8] < 2 ||
-        ( crt->sig_oid1.p[8] > 5 && crt->sig_oid1.p[8] < 11 ) ||
-        crt->sig_oid1.p[8] > 14 )
-    {
-        x509_free( crt );
-        return( POLARSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG );
+        return( ret );
     }
 
     /*
@@ -1313,16 +1327,7 @@ int x509parse_crl( x509_crl *chain, const unsigned char *buf, int buflen )
         return( POLARSSL_ERR_X509_CERT_UNKNOWN_VERSION );
     }
 
-    if( crl->sig_oid1.len != 9 ||
-        memcmp( crl->sig_oid1.p, OID_PKCS1, 8 ) != 0 )
-    {
-        x509_crl_free( crl );
-        return( POLARSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG );
-    }
-
-    if( crl->sig_oid1.p[8] < 2 ||
-        ( crl->sig_oid1.p[8] > 5 && crl->sig_oid1.p[8] < 11 ) ||
-    crl->sig_oid1.p[8] > 14 )
+    if( ( ret = x509_get_sig_alg( &crl->sig_oid1, &crl->sig_alg ) ) != 0 )
     {
         x509_crl_free( crl );
         return( POLARSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG );
@@ -2011,7 +2016,7 @@ int x509parse_cert_info( char *buf, size_t size, const char *prefix,
     ret = snprintf( p, n, "\n%ssigned using  : RSA+", prefix );
     SAFE_SNPRINTF();
 
-    switch( crt->sig_oid1.p[8] )
+    switch( crt->sig_alg )
     {
         case SIG_RSA_MD2    : ret = snprintf( p, n, "MD2"    ); break;
         case SIG_RSA_MD4    : ret = snprintf( p, n, "MD4"    ); break;
@@ -2102,7 +2107,7 @@ int x509parse_crl_info( char *buf, size_t size, const char *prefix,
     ret = snprintf( p, n, "\n%ssigned using  : RSA+", prefix );
     SAFE_SNPRINTF();
 
-    switch( crl->sig_oid1.p[8] )
+    switch( crl->sig_alg )
     {
         case SIG_RSA_MD2    : ret = snprintf( p, n, "MD2"    ); break;
         case SIG_RSA_MD4    : ret = snprintf( p, n, "MD4"    ); break;
@@ -2265,7 +2270,7 @@ int x509parse_verify( x509_cert *crt,
             continue;
         }
 
-        hash_id = crt->sig_oid1.p[8];
+        hash_id = crt->sig_alg;
 
         x509_hash( crt->tbs.p, crt->tbs.len, hash_id, hash );
 
@@ -2296,7 +2301,7 @@ int x509parse_verify( x509_cert *crt,
             trust_ca->max_pathlen < pathlen )
             break;
 
-        hash_id = crt->sig_oid1.p[8];
+        hash_id = crt->sig_alg;
 
         x509_hash( crt->tbs.p, crt->tbs.len, hash_id, hash );
 
@@ -2336,7 +2341,7 @@ int x509parse_verify( x509_cert *crt,
         /*
          * Check if CRL is correctry signed by the trusted CA
          */
-        hash_id = ca_crl->sig_oid1.p[8];
+        hash_id = ca_crl->sig_alg;
 
         x509_hash( ca_crl->tbs.p, ca_crl->tbs.len, hash_id, hash );