From 8e43e0440c06bf8cacabc6879439c9a75475bcb5 Mon Sep 17 00:00:00 2001
From: Peter Dettman
Date: Fri, 19 Jan 2024 10:35:58 +0700
Subject: Align sig alg checks in X509Certificate, X509Crl

---
 crypto/src/x509/X509Certificate.cs | 21 ++-------------------
 crypto/src/x509/X509Crl.cs | 3 +--
 crypto/src/x509/X509SignatureUtil.cs | 22 ++++++++++++++++++++--
 3 files changed, 23 insertions(+), 23 deletions(-)

diff --git a/crypto/src/x509/X509Certificate.cs b/crypto/src/x509/X509Certificate.cs
index 316eaad99..572acb2c7 100644
--- a/crypto/src/x509/X509Certificate.cs
+++ b/crypto/src/x509/X509Certificate.cs
@@ -717,7 +717,7 @@ namespace Org.BouncyCastle.X509
         {
             var tbsCertificate = c.TbsCertificate;
 
-            if (!IsAlgIDEqual(c.SignatureAlgorithm, tbsCertificate.Signature))
+            if (!X509SignatureUtilities.AreEquivalentAlgorithms(c.SignatureAlgorithm, tbsCertificate.Signature))
                 throw new CertificateException("signature algorithm in TBS cert not same as outer cert");
 
             return X509Utilities.VerifySignature(verifier, tbsCertificate, c.Signature);
@@ -748,22 +748,5 @@ namespace Org.BouncyCastle.X509
         {
             return PublicKeyFactory.CreateKey(c.SubjectPublicKeyInfo);
         }
-
-        private static bool IsAlgIDEqual(AlgorithmIdentifier id1, AlgorithmIdentifier id2)
-        {
-            if (!id1.Algorithm.Equals(id2.Algorithm))
-                return false;
-
-            Asn1Encodable p1 = id1.Parameters;
-            Asn1Encodable p2 = id2.Parameters;
-
-            if ((p1 == null) == (p2 == null))
-                return Objects.Equals(p1, p2);
-
-            // Exactly one of p1, p2 is null at this point
-            return p1 == null
-                ? p2.ToAsn1Object() is Asn1Null
-                : p1.ToAsn1Object() is Asn1Null;
-        }
     }
-}
\ No newline at end of file
+}
diff --git a/crypto/src/x509/X509Crl.cs b/crypto/src/x509/X509Crl.cs
index 9c3e0fd03..fec33f09c 100644
--- a/crypto/src/x509/X509Crl.cs
+++ b/crypto/src/x509/X509Crl.cs
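Review bot: The `AreEquivalentAlgorithms` call in CheckSignature is the only thing binding the unsigned outer `signatureAlgorithm` to the signed `tbsCertificate.Signature`, and nothing in the hunk says why it is there, so a later maintainer could treat it as a cosmetic consistency check and loosen it further. I would put a why-comment above the new `if`: `// The outer signatureAlgorithm is not covered by the signature; refuse to verify unless it agrees (modulo absent-vs-NULL parameters) with the signed tbsCertificate.signature (RFC 5280 §4.1.1.2).` Which identifier `verifier` was built from is decided by the caller, outside this hunk, so I cannot confirm from here that the signed inner identifier is the one that actually drives verification. CheckSignature's signature starts above the hunk.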
@@ -181,8 +181,7 @@ namespace Org.BouncyCastle.X509
         {
             var tbsCertList = c.TbsCertList;
 
-            // TODO Compare IsAlgIDEqual in X509Certificate.CheckSignature
-            if (!c.SignatureAlgorithm.Equals(tbsCertList.Signature))
+            if (!X509SignatureUtilities.AreEquivalentAlgorithms(c.SignatureAlgorithm, tbsCertList.Signature))
                 throw new CrlException("Signature algorithm on CertificateList does not match TbsCertList.");
 
             return X509Utilities.VerifySignature(verifier, tbsCertList, c.Signature);
diff --git a/crypto/src/x509/X509SignatureUtil.cs b/crypto/src/x509/X509SignatureUtil.cs
index 307d5a527..635e7d70b 100644
--- a/crypto/src/x509/X509SignatureUtil.cs
+++ b/crypto/src/x509/X509SignatureUtil.cs
@@ -12,7 +12,25 @@ namespace Org.BouncyCastle.X509
 {
     internal class X509SignatureUtilities
     {
-        internal static string GetSignatureName(AlgorithmIdentifier sigAlgID)
+        internal static bool AreEquivalentAlgorithms(AlgorithmIdentifier id1, AlgorithmIdentifier id2)
+        {
+            if (!id1.Algorithm.Equals(id2.Algorithm))
+                return false;
+
+            Asn1Encodable p1 = id1.Parameters;
+            Asn1Encodable p2 = id2.Parameters;
+
+            if (p1 == p2)
+                return true;
+            if (p1 == null)
+                return p2.ToAsn1Object() is Asn1Null;
+            if (p2 == null)
+                return p1.ToAsn1Object() is Asn1Null;
+
+            return p1.Equals(p2);
+        }
+
+        internal static string GetSignatureName(AlgorithmIdentifier sigAlgID)
         {
             DerObjectIdentifier sigAlgOid = sigAlgID.Algorithm;
             Asn1Encodable parameters = sigAlgID.Parameters;
@@ -87,5 +105,5 @@ namespace Org.BouncyCastle.X509
             return digestAlgOID.GetID();
         }
     }
-    }
+    }
 }
-- 
cgit 1.4.1
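Review bot: Replacing `c.SignatureAlgorithm.Equals(tbsCertList.Signature)` with `AreEquivalentAlgorithms` is a relaxation of the CRL check — the strict `Equals` rejected an absent-parameters vs. explicit-NULL mismatch, the helper accepts it — and the new line records neither the intent nor the limit of that leniency. I would add above the `if`: `// Absent vs. explicit NULL parameters are tolerated (common for RSA encodings); any other parameter difference still fails.` The `CrlException` text also still differs in wording from the `CertificateException` thrown for the same condition in X509Certificate.CheckSignature; since the commit's purpose is to align the two checks, aligning the messages would make log correlation easier, though that is cosmetic. The enclosing CheckSignature starts above the hunk.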
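Review bot: `AreEquivalentAlgorithms` is now the shared gate for both certificate and CRL signature checks but carries no doc comment stating its contract: the OIDs must be equal, and the parameters must be reference-equal, equal via `p1.Equals(p2)`, or one absent while the other decodes to `Asn1Null`. I would add a `<summary>` saying exactly that, and a `<remarks>` stating that absent-vs-NULL is a deliberate interoperability allowance for identifiers whose parameters carry no information (the RSA PKCS#1 v1.5 encodings), while parameter-bearing identifiers such as RSASSA-PSS still go through the `p1.Equals(p2)` branch, so a hash or salt-length difference is rejected. That last guarantee depends on `Asn1Encodable.Equals` being a structural comparison of the decoded objects, which is what I expect of the base class but is defined outside this hunk and worth confirming. `id1`/`id2` are dereferenced without a null guard; that is fine for parsed structures, but the method is `internal` and reachable from other callers, so a `<param>` note that both must be non-null would document the expectation.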