verify: move idc-related parsing to idc.c

Extract the IDC-parsing code from IDC_check_hash, and use it to initialise a BIO. This BIO can then be used to perform the PKCS7 verification. Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-05-12 23:11:46 -07:00 · 2012-05-12 23:11:46 -07:00 · e404a4d412
commit e404a4d412
parent d5f1a61b99
3 changed files with 47 additions and 28 deletions
--- a/idc.c
+++ b/idc.c
@ -217,20 +217,48 @@ int IDC_set(PKCS7 *p7, PKCS7_SIGNER_INFO *si, struct image *image)
 	return 0;
 }

-int IDC_check_hash(struct image *image, PKCS7 *p7)
+struct idc *IDC_get(PKCS7 *p7, BIO *bio)
+{
+	const unsigned char *buf, *idcbuf;
+	ASN1_STRING *str;
+	IDC *idc;
+
+	/* extract the idc from the signed PKCS7 'other' data */
+	str = p7->d.sign->contents->d.other->value.asn1_string;
+	idcbuf = buf = ASN1_STRING_data(str);
+	idc = d2i_IDC(NULL, &buf, ASN1_STRING_length(str));
+
+	/* If we were passed a BIO, write the idc data, minus type and length,
+	 * to the BIO. This can be used to PKCS7_verify the idc */
+	if (bio) {
+		uint32_t idclen;
+		uint8_t tmp;
+
+		tmp = idcbuf[1];
+
+		if (!(tmp & 0x80)) {
+			idclen = tmp & 0x7f;
+			idcbuf += 2;
+		} else if ((tmp & 0x82) == 0x82) {
+			idclen = (idcbuf[2] << 8) +
+				 idcbuf[3];
+			idcbuf += 4;
+		}
+
+		BIO_write(bio, idcbuf, idclen);
+	}
+
+	return idc;
+}
+
+int IDC_check_hash(struct idc *idc, struct image *image)
 {
 	unsigned char sha[SHA256_DIGEST_LENGTH];
 	const unsigned char *buf;
 	ASN1_STRING *str;
-	IDC *idc;

 	image_hash_sha256(image, sha);

-	/* extract the idc from the signed PKCS7 'other' data */
-	str = p7->d.sign->contents->d.other->value.asn1_string;
-	buf = ASN1_STRING_data(str);
-	idc = d2i_IDC(NULL, &buf, ASN1_STRING_length(str));
-
 	/* check hash algorithm sanity */
 	if (OBJ_cmp(idc->digest->alg->algorithm, OBJ_nid2obj(NID_sha256))) {
 		fprintf(stderr, "Invalid algorithm type\n");