diff --git a/include/polarssl/pk.h b/include/polarssl/pk.h index f06ec68a4..a2d166f33 100644 --- a/include/polarssl/pk.h +++ b/include/polarssl/pk.h @@ -89,6 +89,9 @@ typedef struct /** Public key type */ pk_type_t type; + /** Tell if the context implements this type (eg ECKEY can do ECDSA) */ + int (*can_do)( pk_type_t type ); + /** Verify signature */ int (*verify_func)( void *ctx, const unsigned char *hash, const md_info_t *md_info, @@ -131,33 +134,6 @@ void pk_free( pk_context *ctx ); */ int pk_set_type( pk_context *ctx, pk_type_t type ); -#if defined(POLARSSL_ECDSA_C) -/** - * \brief Convert a generic EC key into an ECDSA context - * - * \param ctx Context to convert - * - * \return 0 on success, or - * POLARSSL_ERR_PK_MALLOC_FAILED or - * POLARSSL_ERR_PK_TYPE_MISMATCH. - */ -int pk_ec_to_ecdsa( pk_context *ctx ); - -/** - * \brief Tell if a PK context can be used for ECDSA - * - * \param ctx Context to check - * - * \return 0 if context cannot be used for ECDSA, - * 1 otherwise - */ -static inline int pk_can_ecdsa( pk_context ctx ) -{ - return( ctx.type == POLARSSL_PK_ECKEY || - ctx.type == POLARSSL_PK_ECDSA ); -} -#endif /* POLARSSL_ECDSA_C */ - #if defined(POLARSSL_RSA_C) /** * \brief Wrap a RSA context in a PK context diff --git a/library/pk.c b/library/pk.c index 121049054..6cfc16bbd 100644 --- a/library/pk.c +++ b/library/pk.c @@ -146,42 +146,6 @@ int pk_set_type( pk_context *ctx, pk_type_t type ) return( 0 ); } -#if defined(POLARSSL_ECDSA_C) -/* - * Convert generic EC context to ECDSA - */ -int pk_ec_to_ecdsa( pk_context *ctx ) -{ - ecp_keypair *eckey; - ecdsa_context *ecdsa; - - if( ctx->type == POLARSSL_PK_ECDSA ) - return( 0 ); - - if( ctx->type != POLARSSL_PK_ECKEY ) - return( POLARSSL_ERR_PK_TYPE_MISMATCH ); - - eckey = (ecp_keypair *) ctx->data; - - if( ( ecdsa = polarssl_malloc( sizeof( ecdsa_context ) ) ) == NULL ) - return( POLARSSL_ERR_PK_MALLOC_FAILED ); - - ecdsa_init( ecdsa ); - - /* struct ecdsa_context begins the same as struct ecp_keypair */ - memcpy( ecdsa, eckey, sizeof( ecp_keypair ) ); - - if( ! ctx->dont_free ) - polarssl_free( eckey ); - - ctx->dont_free = 0; - ctx->type = POLARSSL_PK_ECDSA; - ctx->data = ecdsa; - - return( 0 ); -} -#endif /* POLARSSL_ECDSA_C */ - #if defined(POLARSSL_RSA_C) /* * Wrap an RSA context in a PK context diff --git a/library/pk_wrap.c b/library/pk_wrap.c index fe47b388e..f7b0833eb 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -40,6 +40,11 @@ #endif #if defined(POLARSSL_RSA_C) +static int rsa_can_do( pk_type_t type ) +{ + return( type == POLARSSL_PK_RSA ); +} + static int rsa_verify_wrap( void *ctx, const unsigned char *hash, const md_info_t *md_info, const unsigned char *sig, size_t sig_len ) @@ -52,11 +57,17 @@ static int rsa_verify_wrap( void *ctx, const pk_info_t rsa_info = { POLARSSL_PK_RSA, + rsa_can_do, rsa_verify_wrap, }; #endif /* POLARSSL_RSA_C */ #if defined(POLARSSL_ECDSA_C) +int ecdsa_can_do( pk_type_t type ) +{ + return( type == POLARSSL_PK_ECDSA ); +} + int ecdsa_verify_wrap( void *ctx, const unsigned char *hash, const md_info_t *md_info, const unsigned char *sig, size_t sig_len ) @@ -67,11 +78,19 @@ int ecdsa_verify_wrap( void *ctx, const pk_info_t ecdsa_info = { POLARSSL_PK_ECDSA, + ecdsa_can_do, ecdsa_verify_wrap, }; #endif /* POLARSSL_ECDSA_C */ #if defined(POLARSSL_ECP_C) +static int eckey_can_do( pk_type_t type ) +{ + return( type == POLARSSL_PK_ECKEY || + type == POLARSSL_PK_ECKEY_DH || + type == POLARSSL_PK_ECDSA ); +} + static int eckey_verify_wrap( void *ctx, const unsigned char *hash, const md_info_t *md_info, const unsigned char *sig, size_t sig_len ) @@ -101,6 +120,7 @@ static int eckey_verify_wrap( void *ctx, const pk_info_t eckey_info = { POLARSSL_PK_ECKEY, + eckey_can_do, eckey_verify_wrap, }; #endif /* POLARSSL_ECP_C */ diff --git a/library/x509parse.c b/library/x509parse.c index 15823bd97..31b1fa063 100644 --- a/library/x509parse.c +++ b/library/x509parse.c @@ -3344,33 +3344,13 @@ static int x509parse_verifycrl(x509_cert *crt, x509_cert *ca, md( md_info, crl_list->tbs.p, crl_list->tbs.len, hash ); -#if defined(POLARSSL_RSA_C) - if( crl_list->sig_pk == POLARSSL_PK_RSA ) + if( ca->pk.info->can_do( crl_list->sig_pk ) == 0 || + ca->pk.info->verify_func( ca->pk.data, hash, md_info, + crl_list->sig.p, crl_list->sig.len ) != 0 ) { - if( ca->pk.type != POLARSSL_PK_RSA || - ca->pk.info->verify_func( ca->pk.data, - hash, md_info, crl_list->sig.p, crl_list->sig.len ) != 0 ) - { - flags |= BADCRL_NOT_TRUSTED; - break; - } + flags |= BADCRL_NOT_TRUSTED; + break; } - else -#endif /* POLARSSL_RSA_C */ -#if defined(POLARSSL_ECDSA_C) - if( crl_list->sig_pk == POLARSSL_PK_ECDSA ) - { - if( ! pk_can_ecdsa( ca->pk ) || - ca->pk.info->verify_func( ca->pk.data, - hash, md_info, crl_list->sig.p, crl_list->sig.len ) != 0 ) - { - flags |= BADCRL_NOT_TRUSTED; - break; - } - } - else -#endif /* POLARSSL_ECDSA_C */ - return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE ); /* * Check for validity of CRL (Do not drop out) @@ -3457,7 +3437,7 @@ static int x509parse_verify_top( */ if( child->subject_raw.len == trust_ca->subject_raw.len && memcmp( child->subject_raw.p, trust_ca->subject_raw.p, - child->issuer_raw.len ) == 0 ) + child->issuer_raw.len ) == 0 ) { check_path_cnt--; } @@ -3481,33 +3461,13 @@ static int x509parse_verify_top( md( md_info, child->tbs.p, child->tbs.len, hash ); -#if defined(POLARSSL_RSA_C) - if( child->sig_pk == POLARSSL_PK_RSA ) + if( trust_ca->pk.info->can_do( child->sig_pk ) == 0 || + trust_ca->pk.info->verify_func( trust_ca->pk.data, hash, md_info, + child->sig.p, child->sig.len ) != 0 ) { - if( trust_ca->pk.type != POLARSSL_PK_RSA || - trust_ca->pk.info->verify_func( trust_ca->pk.data, - hash, md_info, child->sig.p, child->sig.len ) != 0 ) - { - trust_ca = trust_ca->next; - continue; - } + trust_ca = trust_ca->next; + continue; } - else -#endif /* POLARSSL_RSA_C */ -#if defined(POLARSSL_ECDSA_C) - if( child->sig_pk == POLARSSL_PK_ECDSA ) - { - if( ! pk_can_ecdsa( trust_ca->pk ) || - trust_ca->pk.info->verify_func( trust_ca->pk.data, - hash, md_info, child->sig.p, child->sig.len ) != 0 ) - { - trust_ca = trust_ca->next; - continue; - } - } - else -#endif /* POLARSSL_ECDSA_C */ - return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE ); /* * Top of chain is signed by a trusted CA @@ -3578,31 +3538,12 @@ static int x509parse_verify_child( { md( md_info, child->tbs.p, child->tbs.len, hash ); -#if defined(POLARSSL_RSA_C) - if( child->sig_pk == POLARSSL_PK_RSA ) + if( parent->pk.info->can_do( child->sig_pk ) == 0 || + parent->pk.info->verify_func( parent->pk.data, hash, md_info, + child->sig.p, child->sig.len ) != 0 ) { - if( parent->pk.type != POLARSSL_PK_RSA || - parent->pk.info->verify_func( parent->pk.data, - hash, md_info, child->sig.p, child->sig.len ) != 0 ) - { - *flags |= BADCERT_NOT_TRUSTED; - } + *flags |= BADCERT_NOT_TRUSTED; } - else -#endif /* POLARSSL_RSA_C */ -#if defined(POLARSSL_ECDSA_C) - if( child->sig_pk == POLARSSL_PK_ECDSA ) - { - if( ! pk_can_ecdsa( parent->pk ) || - parent->pk.info->verify_func( parent->pk.data, - hash, md_info, child->sig.p, child->sig.len ) != 0 ) - { - *flags |= BADCERT_NOT_TRUSTED; - } - } - else -#endif /* POLARSSL_ECDSA_C */ - return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE ); } /* Check trusted CA's CRL for the given crt */