diff options
author | lloyd <[email protected]> | 2015-02-04 04:03:38 +0000 |
---|---|---|
committer | lloyd <[email protected]> | 2015-02-04 04:03:38 +0000 |
commit | 0dd060fed07b0060f94e3bae62e125a85c1bb877 (patch) | |
tree | ed4bc7a961e2b30f17ed5e80769c84b0c313c8b7 /src/lib/cert/x509 | |
parent | f9a7c85b74be0f4a7273e8e0591703af83036e81 (diff) |
Remove algo factory, engines, global RNG, global state, etc.
Convert all uses of Algorithm_Factory and the engines to using Algo_Registry
The shared pool of entropy sources remains but is moved to EntropySource.
With that and few remaining initializations (default OIDs and aliases)
moved elsewhere, the global state is empty and init and shutdown are no-ops.
Remove almost all of the headers and code for handling the global
state, except LibraryInitializer which remains as a compatability stub.
Update seeding for blinding so only one hacky almost-global RNG
instance needs to be setup instead of across all pubkey uses (it uses
either the system RNG or an AutoSeeded_RNG if the system RNG is not
available).
Diffstat (limited to 'src/lib/cert/x509')
-rw-r--r-- | src/lib/cert/x509/info.txt | 1 | ||||
-rw-r--r-- | src/lib/cert/x509/x509_ca.cpp | 15 | ||||
-rw-r--r-- | src/lib/cert/x509/x509_obj.cpp | 2 | ||||
-rw-r--r-- | src/lib/cert/x509/x509cert.cpp | 1 | ||||
-rw-r--r-- | src/lib/cert/x509/x509path.cpp | 13 |
5 files changed, 21 insertions, 11 deletions
diff --git a/src/lib/cert/x509/info.txt b/src/lib/cert/x509/info.txt index a74fd6631..39e51a625 100644 --- a/src/lib/cert/x509/info.txt +++ b/src/lib/cert/x509/info.txt @@ -2,6 +2,7 @@ define X509_CERTIFICATES 20131128 define OCSP 20131128 <requires> +asn1 datastor http_util </requires> diff --git a/src/lib/cert/x509/x509_ca.cpp b/src/lib/cert/x509/x509_ca.cpp index 7703c49fd..e6f689016 100644 --- a/src/lib/cert/x509/x509_ca.cpp +++ b/src/lib/cert/x509/x509_ca.cpp @@ -13,6 +13,7 @@ #include <botan/parsing.h> #include <botan/lookup.h> #include <botan/oids.h> +#include <botan/hash.h> #include <botan/key_constraint.h> #include <algorithm> #include <typeinfo> @@ -218,17 +219,16 @@ PK_Signer* choose_sig_format(const Private_Key& key, const std::string& hash_fn, AlgorithmIdentifier& sig_algo) { - std::string padding; - const std::string algo_name = key.algo_name(); - const HashFunction* proto_hash = retrieve_hash(hash_fn); - if(!proto_hash) + std::unique_ptr<HashFunction> hash(get_hash(hash_fn)); + if(!hash) throw Algorithm_Not_Found(hash_fn); - if(key.max_input_bits() < proto_hash->output_length()*8) + if(key.max_input_bits() < hash->output_length() * 8) throw Invalid_Argument("Key is too small for chosen hash function"); + std::string padding; if(algo_name == "RSA") padding = "EMSA3"; else if(algo_name == "DSA") @@ -238,10 +238,9 @@ PK_Signer* choose_sig_format(const Private_Key& key, else throw Invalid_Argument("Unknown X.509 signing key type: " + algo_name); - Signature_Format format = - (key.message_parts() > 1) ? DER_SEQUENCE : IEEE_1363; + const Signature_Format format = (key.message_parts() > 1) ? DER_SEQUENCE : IEEE_1363; - padding = padding + '(' + proto_hash->name() + ')'; + padding = padding + '(' + hash->name() + ')'; sig_algo.oid = OIDS::lookup(algo_name + "/" + padding); sig_algo.parameters = key.algorithm_identifier().parameters; diff --git a/src/lib/cert/x509/x509_obj.cpp b/src/lib/cert/x509/x509_obj.cpp index 746fc7312..71449098e 100644 --- a/src/lib/cert/x509/x509_obj.cpp +++ b/src/lib/cert/x509/x509_obj.cpp @@ -175,6 +175,8 @@ std::string X509_Object::hash_used_for_signature() const */ bool X509_Object::check_signature(const Public_Key* pub_key) const { + if(!pub_key) + throw std::runtime_error("No key provided for " + PEM_label_pref + " signature check"); std::unique_ptr<const Public_Key> key(pub_key); return check_signature(*key); } diff --git a/src/lib/cert/x509/x509cert.cpp b/src/lib/cert/x509/x509cert.cpp index f901001ac..b04e7c462 100644 --- a/src/lib/cert/x509/x509cert.cpp +++ b/src/lib/cert/x509/x509cert.cpp @@ -15,6 +15,7 @@ #include <botan/lookup.h> #include <botan/oids.h> #include <botan/pem.h> +#include <botan/hash.h> #include <botan/hex.h> #include <algorithm> #include <iterator> diff --git a/src/lib/cert/x509/x509path.cpp b/src/lib/cert/x509/x509path.cpp index 111c4c3b7..fa6d34a2d 100644 --- a/src/lib/cert/x509/x509path.cpp +++ b/src/lib/cert/x509/x509path.cpp @@ -124,11 +124,18 @@ check_chain(const std::vector<X509_Certificate>& cert_path, std::unique_ptr<Public_Key> issuer_key(issuer.subject_public_key()); - if(subject.check_signature(*issuer_key) == false) + if(!issuer_key) + { status.insert(Certificate_Status_Code::SIGNATURE_ERROR); + } + else + { + if(subject.check_signature(*issuer_key) == false) + status.insert(Certificate_Status_Code::SIGNATURE_ERROR); - if(issuer_key->estimated_strength() < restrictions.minimum_key_strength()) - status.insert(Certificate_Status_Code::SIGNATURE_METHOD_TOO_WEAK); + if(issuer_key->estimated_strength() < restrictions.minimum_key_strength()) + status.insert(Certificate_Status_Code::SIGNATURE_METHOD_TOO_WEAK); + } // Allow untrusted hashes on self-signed roots if(!trusted_hashes.empty() && !at_self_signed_root) |