yuzu-emu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2024-11-22 12:05:36 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix X.509 keysize check with multiple CAs

Browse Source 
Assume we have two trusted CAs with the same name, the first uses ECDSA 256
bits, the second RSA 2048; cert is signed by the second. If we do the keysize
check before we checked the key types match, we'll raise the badkey flags when
checking the EC-256 CA and it will remain up even when we finally find the
correct CA. So, move the check for the key size after signature verification,
which implicitly checks the key type.
This commit is contained in:
Manuel Pégourié-Gonnard 2015-06-27 14:41:38 +02:00
parent 1c5b9fc19f
commit fa67ebaebb
1 changed files with 4 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
library/x509_crt.c
View File

@ -1938,9 +1938,6 @@ static int x509_crt_verify_top(
continue;
}
if( x509_profile_check_key( profile, child->sig_pk, &trust_ca->pk ) != 0 )
*flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
if( mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &trust_ca->pk,
child->sig_md, hash, mbedtls_md_get_size( md_info ),
child->sig.p, child->sig.len ) != 0 )
@ -1952,6 +1949,10 @@ static int x509_crt_verify_top(
* Top of chain is signed by a trusted CA
*/
*flags &= ~MBEDTLS_X509_BADCERT_NOT_TRUSTED;
if( x509_profile_check_key( profile, child->sig_pk, &trust_ca->pk ) != 0 )
*flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
break;
}