summaryrefslogtreecommitdiff
path: root/src/libstrongswan/crypto/crl.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/libstrongswan/crypto/crl.c')
-rwxr-xr-xsrc/libstrongswan/crypto/crl.c19
1 files changed, 17 insertions, 2 deletions
diff --git a/src/libstrongswan/crypto/crl.c b/src/libstrongswan/crypto/crl.c
index b4ae37b2e..d52078ea9 100755
--- a/src/libstrongswan/crypto/crl.c
+++ b/src/libstrongswan/crypto/crl.c
@@ -18,6 +18,8 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
+ *
+ * RCSID $Id: crl.c 3300 2007-10-12 21:53:18Z andreas $
*/
#include <sys/stat.h>
@@ -290,7 +292,8 @@ bool parse_x509crl(chunk_t blob, u_int level0, private_crl_t *crl)
}
else if (extn_oid == OID_AUTHORITY_KEY_ID)
{
- parse_authorityKeyIdentifier(object, level, &crl->authKeyID, &crl->authKeySerialNumber);
+ x509_parse_authorityKeyIdentifier(object, level,
+ &crl->authKeyID, &crl->authKeySerialNumber);
}
else if (extn_oid == OID_CRL_NUMBER)
{
@@ -304,6 +307,11 @@ bool parse_x509crl(chunk_t blob, u_int level0, private_crl_t *crl)
break;
case CRL_OBJ_ALGORITHM:
crl->algorithm = parse_algorithmIdentifier(object, level, NULL);
+ if (crl->algorithm != crl->sigAlg)
+ {
+ DBG1(" signature algorithms do not agree");
+ return FALSE;
+ }
break;
case CRL_OBJ_SIGNATURE:
crl->signature = object;
@@ -374,7 +382,14 @@ static bool is_newer(const private_crl_t *this, const private_crl_t *other)
*/
static bool verify(const private_crl_t *this, const rsa_public_key_t *signer)
{
- return signer->verify_emsa_pkcs1_signature(signer, this->tbsCertList, this->signature) == SUCCESS;
+ hash_algorithm_t algorithm = hasher_algorithm_from_oid(this->algorithm);
+
+ if (algorithm == HASH_UNKNOWN)
+ {
+ DBG1(" unknown signature algorithm");
+ return FALSE;
+ }
+ return signer->verify_emsa_pkcs1_signature(signer, algorithm, this->tbsCertList, this->signature) == SUCCESS;
}
/**