--- a/src/openssl/signatures.c 2026-04-20 08:56:41
+++ b/src/openssl/signatures.c 2026-04-20 08:56:41
@@ -38,6 +38,8 @@
#endif /* XMLSEC_OPENSSL_API_300 */
#include "../cast_helpers.h"
+#include <openssl/x509.h>
+
#include "../transform_helpers.h"
#include "openssl_compat.h"
@@ -1068,7 +1070,11 @@
goto error;
}
} else {
- ret = EVP_PKEY_verify_init(pKeyCtx);
+ if(ctx->rsaPadding == RSA_PKCS1_PADDING) {
+ ret = EVP_PKEY_verify_recover_init(pKeyCtx);
+ } else {
+ ret = EVP_PKEY_verify_init(pKeyCtx);
+ }
if(ret <= 0) {
xmlSecOpenSSLError2("EVP_PKEY_verify_init", xmlSecTransformGetName(transform),
"ret=%d", ret);
@@ -1076,11 +1082,13 @@
}
}
- ret = EVP_PKEY_CTX_set_signature_md(pKeyCtx, ctx->digest);
- if(ret <= 0) {
- xmlSecOpenSSLError2("EVP_PKEY_CTX_set_signature_md", xmlSecTransformGetName(transform),
- "ret=%d", ret);
- goto error;
+ if(transform->operation == xmlSecTransformOperationSign || ctx->rsaPadding != RSA_PKCS1_PADDING) {
+ ret = EVP_PKEY_CTX_set_signature_md(pKeyCtx, ctx->digest);
+ if(ret <= 0) {
+ xmlSecOpenSSLError2("EVP_PKEY_CTX_set_signature_md", xmlSecTransformGetName(transform),
+ "ret=%d", ret);
+ goto error;
+ }
}
}
#if defined(XMLSEC_OPENSSL_API_350)
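Review bot: Nothing in the new condition explains why `EVP_PKEY_CTX_set_signature_md` is skipped when verifying with `RSA_PKCS1_PADDING`, although this changes which code is responsible for checking the digest algorithm. With the digest no longer set on the context and the previous hunk switching to `EVP_PKEY_verify_recover_init`, the DigestInfo check for PKCS#1 v1.5 verification is done by the hand-written comparison in the last hunk instead of by OpenSSL. A comment above the `if` would record that, for example `/* PKCS#1 v1.5 verify goes through EVP_PKEY_verify_recover; the digest OID and value are compared by hand in the verify step, so no signature md is set here */`. In the preceding hunk the error report still names `EVP_PKEY_verify_init` when the failing call was `EVP_PKEY_verify_recover_init`, which would send a reader of the log to the wrong function.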
@@ -1214,7 +1222,60 @@
case xmlSecOpenSSLEvpSignatureFormat_DoNothing:
/* signature is saved to XML as it was generated by OpenSSL */
XMLSEC_SAFE_CAST_SIZE_TO_UINT(dataSize, dataLen, goto done, xmlSecTransformGetName(transform));
- ret = EVP_PKEY_verify(pKeyCtx, (xmlSecByte*)data, dataLen, dataToSign, dataToSignSize);
+ if(ctx->rsaPadding != RSA_PKCS1_PADDING) {
+ ret = EVP_PKEY_verify(pKeyCtx, (xmlSecByte*)data, dataLen, dataToSign, dataToSignSize);
+ } else {
+ unsigned char * recvData = NULL;
+ size_t recvDataLen = 0;
+ const unsigned char * recvDataPtr;
+ X509_SIG * sig = NULL;
+ const X509_ALGOR *algor = NULL;
+ const ASN1_OCTET_STRING *value = NULL;
+ unsigned int dgstSize;
+
+ ret = EVP_PKEY_verify_recover(pKeyCtx, NULL, &recvDataLen, data, dataLen);
+ if((ret <= 0) || (recvDataLen <= 0)) {
+ xmlSecOpenSSLError("EVP_PKEY_verify_recover", xmlSecTransformGetName(transform));
+ goto done;
+ }
+
+ recvData = OPENSSL_malloc(recvDataLen);
+ ret = EVP_PKEY_verify_recover(pKeyCtx, recvData, &recvDataLen, data, dataLen);
+ if((ret <= 0) || (recvDataLen <= 0)) {
+ xmlSecOpenSSLError("EVP_PKEY_verify_recover", xmlSecTransformGetName(transform));
+ OPENSSL_free(recvData);
+ goto done;
+ }
+
+ recvDataPtr = recvData;
+ sig = d2i_X509_SIG(NULL, &recvDataPtr, (long)recvDataLen);
+ OPENSSL_free(recvData);
+ if(!sig) {
+ xmlSecOpenSSLError("d2i_X509_SIG", xmlSecTransformGetName(transform));
+ goto done;
+ }
+
+ X509_SIG_get0(sig, &algor, &value);
+ if((algor->parameter != NULL) && (ASN1_TYPE_get(algor->parameter) != V_ASN1_NULL)) {
+ xmlSecInternalError("Signature algorithm parameter type is not ASN1 NULL", xmlSecTransformGetName(transform));
+ X509_SIG_free(sig);
+ goto done;
+ }
+
+ if(EVP_MD_nid(ctx->digest) != OBJ_obj2nid(algor->algorithm)) {
+ xmlSecInternalError("Signature digest method does not match expected digest method", xmlSecTransformGetName(transform));
+ X509_SIG_free(sig);
+ goto done;
+ }
+
+ dgstSize = (unsigned int)EVP_MD_size(ctx->digest);
+ if(((const unsigned int)value->length == dgstSize) && (memcmp(value->data, dataToSign, dgstSize) == 0)) {
+ ret = 1;
+ } else {
+ ret = 0;
+ }
+ X509_SIG_free(sig);
+ }
break;
case xmlSecOpenSSLEvpSignatureFormat_Dsa:
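Review bot: The recovered DigestInfo is accepted without checking that `d2i_X509_SIG` consumed all `recvDataLen` bytes, so any bytes that follow the encoded structure inside the padded block are ignored instead of causing a verification failure. Comparing `recvDataPtr` with `recvData + recvDataLen` before the buffer is freed closes that gap. The result of `OPENSSL_malloc(recvDataLen)` is also used unchecked; with a NULL buffer the second `EVP_PKEY_verify_recover` call would likely act as another length query and the parser would then be handed a NULL pointer. The `done` label and the rest of the function are outside the hunk, so how `ret` is treated after `goto done` cannot be confirmed from here.

```c
recvData = OPENSSL_malloc(recvDataLen);
if(recvData == NULL) {
    xmlSecOpenSSLError("OPENSSL_malloc", xmlSecTransformGetName(transform));
    goto done;
}
/* … unchanged: second EVP_PKEY_verify_recover call and its error check … */
recvDataPtr = recvData;
sig = d2i_X509_SIG(NULL, &recvDataPtr, (long)recvDataLen);
if((sig != NULL) && (recvDataPtr != recvData + recvDataLen)) {
    /* bytes remain after the DigestInfo: treat as a parse failure */
    X509_SIG_free(sig);
    sig = NULL;
}
OPENSSL_free(recvData);
/* … unchanged: if(!sig) error path, parameter / algorithm / digest value checks … */
```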