diff --git a/lib/hx509/cert.c b/lib/hx509/cert.c
index 2e3ad30df..cef010b4d 100644
--- a/lib/hx509/cert.c
+++ b/lib/hx509/cert.c
@@ -1662,12 +1662,13 @@ hx509_verify_path(hx509_context context,
 }
 
 /* verify signatureValue */
- ret = _hx509_verify_signature_bitstring(signer,
+ ret = _hx509_verify_signature_bitstring(context,
+ signer,
 &c->signatureAlgorithm,
 &c->tbsCertificate._save,
 &c->signatureValue);
 if (ret) {
- hx509_set_error_string(context, 0, ret,
+ hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
 "Failed to verify signature of certificate");
 goto out;
 }
@@ -1688,8 +1689,7 @@ hx509_verify_signature(hx509_context context,
 const heim_octet_string *data,
 const heim_octet_string *sig)
 {
- hx509_clear_error_string(context);
- return _hx509_verify_signature(signer->data, alg, data, sig);
+ return _hx509_verify_signature(context, signer->data, alg, data, sig);
 }
 
 int
@@ -1980,7 +1980,8 @@ _hx509_query_match_cert(hx509_context context, const hx509_query *q, hx509_cert
 os.length =
 c->tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.length / 8;
 
- ret = _hx509_verify_signature(NULL,
+ ret = _hx509_verify_signature(context,
+ NULL,
 hx509_signature_sha1(),
 &os,
 q->keyhash_sha1);
diff --git a/lib/hx509/revoke.c b/lib/hx509/revoke.c
index bc69dc310..9b66424a2 100644
--- a/lib/hx509/revoke.c
+++ b/lib/hx509/revoke.c
@@ -165,12 +165,13 @@ verify_ocsp(hx509_context context,
 goto out;
 }
 
- ret = _hx509_verify_signature_bitstring(p,
+ ret = _hx509_verify_signature_bitstring(context,
+ p,
 &s->signatureAlgorithm,
 &s->tbsCertificate._save,
 &s->signatureValue);
 if (ret) {
- hx509_set_error_string(context, 0, ret,
+ hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
 "OSCP signer signature invalid");
 goto out;
 }
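Review bot: Dropping `hx509_clear_error_string(context);` from hx509_verify_signature leaves this public entry point starting from whatever error string an earlier, unrelated call left in the context, so a successful verification no longer clears it and, if _hx509_verify_signature now records its message with HX509_ERROR_APPEND, the stale text would be prepended to a genuine failure here. The callee's body is not part of this diff, so whether it clears or appends cannot be confirmed from these hunks. Keeping the clear as the first statement, `hx509_clear_error_string(context);` ahead of the return, preserves the previous contract for callers that read hx509_get_error_string afterwards.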
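Review bot: The keyhash comparison in _hx509_query_match_cert now passes the context to _hx509_verify_signature even though this call is used as a match test rather than a failure path, so every candidate certificate whose SHA-1 key hash differs will presumably leave a verification-failure message in the context's error string; the issuerNameHash/issuerKeyHash comparisons in revoke.c at -572, -582 and -975 have the same shape and sit inside loops that skip non-matching entries. With the callers in this commit switching to HX509_ERROR_APPEND, that leftover text would be prepended to the next real error reported on the same context. If the callee tolerates a NULL context, passing NULL for these comparison calls keeps them silent; otherwise call `hx509_clear_error_string(context);` where a mismatch is treated as "not this one" before moving on. The lines that consume ret after each of these calls lie outside the hunks, so the mismatch handling is inferred from the surrounding `continue` and the comments.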
@@ -181,12 +182,14 @@ verify_ocsp(hx509_context context,
 goto out;
 }
 
- ret = _hx509_verify_signature_bitstring(_hx509_get_cert(signer),
+ ret = _hx509_verify_signature_bitstring(context,
+ _hx509_get_cert(signer),
 &ocsp->ocsp.signatureAlgorithm,
 &ocsp->ocsp.tbsResponseData._save,
 &ocsp->ocsp.signature);
 if (ret) {
- hx509_set_error_string(context, 0, ret, "OSCP signature invalid");
+ hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
+ "OSCP signature invalid");
 goto out;
 }
 
@@ -417,12 +420,13 @@ verify_crl(hx509_context context,
 goto out;
 }
 
- ret = _hx509_verify_signature_bitstring(p,
+ ret = _hx509_verify_signature_bitstring(context,
+ p,
 &s->signatureAlgorithm,
 &s->tbsCertificate._save,
 &s->signatureValue);
 if (ret) {
- hx509_set_error_string(context, 0, ret,
+ hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
 "CRL signer signature invalid");
 goto out;
 }
@@ -432,12 +436,13 @@ verify_crl(hx509_context context,
 goto out;
 }
 
- ret = _hx509_verify_signature_bitstring(_hx509_get_cert(signer),
+ ret = _hx509_verify_signature_bitstring(context,
+ _hx509_get_cert(signer),
 &crl->signatureAlgorithm,
 &crl->tbsCertList._save,
 &crl->signatureValue);
 if (ret) {
- hx509_set_error_string(context, 0, ret, "CRL signature invalid");
+ hx509_set_error_string(context, HX509_ERROR_APPEND, ret, "CRL signature invalid");
 goto out;
 }
 
@@ -572,7 +577,8 @@ hx509_revoke_verify(hx509_context context,
 continue;
 
 /* verify issuer hashes hash */
- ret = _hx509_verify_signature(NULL,
+ ret = _hx509_verify_signature(context,
+ NULL,
 &ocsp->ocsp.tbsResponseData.responses.val[i].certID.hashAlgorithm,
 &c->tbsCertificate.issuer._save,
 &ocsp->ocsp.tbsResponseData.responses.val[i].certID.issuerNameHash);
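Review bot: The rewrapped message on the new line still reads `"OSCP signature invalid"`; since the line is being rewritten anyway, this is the moment to correct the transposition to `"OCSP signature invalid"` (the context line `"OSCP signer signature invalid"` in the -165 hunk carries the same typo and could be fixed in the same commit). Separately, the equivalent call in the -432 hunk is left on one long line, `hx509_set_error_string(context, HX509_ERROR_APPEND, ret, "CRL signature invalid");`, while this one is wrapped after `ret,`; wrapping both the same way keeps the file consistent.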
@@ -582,7 +588,8 @@ hx509_revoke_verify(hx509_context context,
 os.data = p->tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.data;
 os.length =
 p->tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.length / 8;
- ret = _hx509_verify_signature(NULL,
+ ret = _hx509_verify_signature(context,
+ NULL,
 &ocsp->ocsp.tbsResponseData.responses.val[i].certID.hashAlgorithm,
 &os,
 &ocsp->ocsp.tbsResponseData.responses.val[i].certID.issuerKeyHash);
@@ -975,7 +982,8 @@ hx509_ocsp_verify(hx509_context context,
 continue;
 
 /* verify issuer hashes hash */
- ret = _hx509_verify_signature(NULL,
+ ret = _hx509_verify_signature(context,
+ NULL,
 &basic.tbsResponseData.responses.val[i].certID.hashAlgorithm,
 &c->tbsCertificate.issuer._save,
 &basic.tbsResponseData.responses.val[i].certID.issuerNameHash);