Move signature version checking to verify_hash()

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
2025-04-28 14:43:37 +02:00 · 2014-01-24 14:48:02 +02:00 · 2014-01-24 14:48:02 +02:00 · 3299fba40d
commit 3299fba40d
parent 906861a308
2 changed files with 14 additions and 11 deletions
--- a/src/libevm.c
+++ b/src/libevm.c
@ -460,6 +460,19 @@ int verify_hash(const unsigned char *hash, int size, unsigned char *sig, int sig
 {
 	char *key;

+	/* Get signature type from sig header if user did not enforce it */
+	if (!params.user_sig_type) {
+		if (sig[0] == DIGSIG_VERSION_1) {
+			params.verify_hash = verify_hash_v1;
+			/* Read pubkey from RSA key */
+			params.x509 = 0;
+		} else if (sig[0] == DIGSIG_VERSION_2) {
+			params.verify_hash = verify_hash_v2;
+			/* Read pubkey from x509 cert */
+			params.x509 = 1;
+		}
+	}
+
 	/* Determine what key to use for verification*/
 	key = params.keyfile ? : params.x509 ?
 			"/etc/keys/x509_evm.der" :
@ -493,16 +506,5 @@ int ima_verify_signature(const char *file, unsigned char *sig, int siglen)
 	if (hashlen <= 1)
 		return hashlen;

-	/* Get signature type from sig header if user did not enforce it */
-	if (!params.user_sig_type) {
-		if (sig[1] == DIGSIG_VERSION_1)
-			params.verify_hash = verify_hash_v1;
-		else if (sig[1] == DIGSIG_VERSION_2) {
-			params.verify_hash = verify_hash_v2;
-			/* Read pubkey from x509 cert */
-			params.x509 = 1;
-		}
-	}
-
 	return verify_hash(hash, hashlen, sig + 1, siglen - 1);
 }
--- a/src/libevm.h
+++ b/src/libevm.h
@ -152,6 +152,7 @@ RSA *read_pub_key(const char *keyfile);
 int verify_hash_v1(const unsigned char *hash, int size, unsigned char *sig, int siglen, const char *keyfile);
 int verify_hash_v2(const unsigned char *hash, int size, unsigned char *sig, int siglen, const char *keyfile);

+int verify_hash(const unsigned char *hash, int size, unsigned char *sig, int siglen);
 int ima_verify_signature(const char *file, unsigned char *sig, int siglen);

 #endif