From 72e306c7e30f0a37fcccc912f692d5562e754c57 Mon Sep 17 00:00:00 2001
From: Love Hornquist Astrand
Date: Fri, 21 Aug 2009 18:34:21 -0700
Subject: [PATCH] Push cert down deaper into the stack
---
 lib/hx509/cert.c | 33 ++++++++++++++++++++++++++++-----
 lib/hx509/crypto.c | 24 ++----------------------
 lib/hx509/print.c | 2 +-
 lib/hx509/revoke.c | 6 +++---
 lib/hx509/softp11.c | 2 +-
 5 files changed, 35 insertions(+), 32 deletions(-)
diff --git a/lib/hx509/cert.c b/lib/hx509/cert.c
index cd9ae01fa..976101178 100644
--- a/lib/hx509/cert.c
+++ b/lib/hx509/cert.c
@@ -2243,7 +2243,8 @@ hx509_verify_path(hx509_context context,
 */
 for (i = path.len - 1; i >= 0; i--) {
- Certificate *signer, *c;
+ hx509_cert signer;
+ Certificate *c;
 c = _hx509_get_cert(path.val[i]);
@@ -2251,9 +2252,9 @@ hx509_verify_path(hx509_context context,
 if (i + 1 == path.len) {
 int selfsigned;
- signer = path.val[i]->data;
+ signer = path.val[i];
- ret = certificate_is_self_signed(context, signer, &selfsigned);
+ ret = certificate_is_self_signed(context, signer->data, &selfsigned);
 if (ret) goto out;
@@ -2262,7 +2263,7 @@ hx509_verify_path(hx509_context context,
 continue;
 } else {
 /* take next certificate in chain */
- signer = path.val[i + 1]->data;
+ signer = path.val[i + 1];
 }
 /* verify signatureValue */
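Review bot: In the second hx509_verify_path hunk (`@@ -2251,9 +2252,9 @@`) the new call reads `signer->data` directly, while the same loop obtains the certificate through the accessor a few lines earlier, `c = _hx509_get_cert(path.val[i]);`. Now that `signer` is an `hx509_cert`, I would keep the field access behind the accessor: `ret = certificate_is_self_signed(context, _hx509_get_cert(signer), &selfsigned);`. The loop body starts before and continues after these three hunks, so later uses of `signer` cannot be checked from here.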
@@ -2326,9 +2327,31 @@ hx509_verify_signature(hx509_context context,
 const heim_octet_string *data,
 const heim_octet_string *sig)
 {
- return _hx509_verify_signature(context, signer->data, alg, data, sig);
+ return _hx509_verify_signature(context, signer, alg, data, sig);
 }
+int
+_hx509_verify_signature_bitstring(hx509_context context,
+ const hx509_cert signer,
+ const AlgorithmIdentifier *alg,
+ const heim_octet_string *data,
+ const heim_bit_string *sig)
+{
+ heim_octet_string os;
+
+ if (sig->length & 7) {
+ hx509_set_error_string(context, 0, HX509_CRYPTO_SIG_INVALID_FORMAT,
+ "signature not multiple of 8 bits");
+ return HX509_CRYPTO_SIG_INVALID_FORMAT;
+ }
+
+ os.data = sig->data;
+ os.length = sig->length / 8;
+
+ return _hx509_verify_signature(context, signer, alg, data, &os);
+}
+
+
 /**
 * Verify that the certificate is allowed to be used for the hostname
diff --git a/lib/hx509/crypto.c b/lib/hx509/crypto.c
index 0e41b3c49..7c086bc7c 100644
--- a/lib/hx509/crypto.c
+++ b/lib/hx509/crypto.c
@@ -1495,12 +1495,13 @@ _hx509_signature_best_before(hx509_context context,
 int
 _hx509_verify_signature(hx509_context context,
- const Certificate *signer,
+ const hx509_cert cert,
 const AlgorithmIdentifier *alg,
 const heim_octet_string *data,
 const heim_octet_string *sig)
 {
 const struct signature_alg *md;
+ const Certificate *signer = _hx509_get_cert(cert);
 md = find_sig_alg(&alg->algorithm);
 if (md == NULL) {
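Review bot: `_hx509_verify_signature_bitstring` arrives in cert.c without a comment, and its unit conversion is easy to miss: `sig->length` is treated as a bit count (`& 7`, then `/ 8`) and `os` borrows `sig->data` rather than copying it. I would put a short comment above the function, for example `/* Verify a signature carried in a bit string: sig->length is in bits; lengths that are not a whole number of octets are rejected. */`. The second of the two blank lines added after the closing brace can be dropped.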
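Review bot: In crypto.c, `_hx509_verify_signature` now evaluates `_hx509_get_cert(cert)` in the declaration, before any check on `cert`. The accessor appears to read `cert->data`, since the cert.c hunks replace `path.val[i]->data` with the hx509_cert itself, so a NULL signer would fault here. The old parameter was a bare `const Certificate *` that these lines never dereferenced. Whether NULL is a supported argument is not visible, because the body continues past `if (md == NULL) {`, so callers not touched by this patch should be checked. If NULL is allowed, guard the lookup: `const Certificate *signer = cert ? _hx509_get_cert(cert) : NULL;`. The cert.c wrappers `hx509_verify_signature` and `_hx509_verify_signature_bitstring` forward `signer` unchecked and rely on this function for that.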
@@ -1527,27 +1528,6 @@ _hx509_verify_signature(hx509_context context,
 return (*md->verify_signature)(context, md, signer, alg, data, sig);
 }
-int
-_hx509_verify_signature_bitstring(hx509_context context,
- const Certificate *signer,
- const AlgorithmIdentifier *alg,
- const heim_octet_string *data,
- const heim_bit_string *sig)
-{
- heim_octet_string os;
-
- if (sig->length & 7) {
- hx509_set_error_string(context, 0, HX509_CRYPTO_SIG_INVALID_FORMAT,
- "signature not multiple of 8 bits");
- return HX509_CRYPTO_SIG_INVALID_FORMAT;
- }
-
- os.data = sig->data;
- os.length = sig->length / 8;
-
- return _hx509_verify_signature(context, signer, alg, data, &os);
-}
-
 int
 _hx509_create_signature(hx509_context context,
 const hx509_private_key signer,
diff --git a/lib/hx509/print.c b/lib/hx509/print.c
index ddafb7f46..56e4f7211 100644
--- a/lib/hx509/print.c
+++ b/lib/hx509/print.c
@@ -1017,7 +1017,7 @@ hx509_validate_cert(hx509_context context,
 if (status.selfsigned) {
 ret = _hx509_verify_signature_bitstring(context,
- c,
+ cert,
 &c->signatureAlgorithm,
 &c->tbsCertificate._save,
 &c->signatureValue);
diff --git a/lib/hx509/revoke.c b/lib/hx509/revoke.c
index adb31164c..74f2d7467 100644
--- a/lib/hx509/revoke.c
+++ b/lib/hx509/revoke.c
@@ -223,7 +223,7 @@ verify_ocsp(hx509_context context,
 }
 ret = _hx509_verify_signature_bitstring(context,
- p,
+ parent,
 &s->signatureAlgorithm,
 &s->tbsCertificate._save,
 &s->signatureValue);
@@ -240,7 +240,7 @@ verify_ocsp(hx509_context context,
 }
 ret = _hx509_verify_signature_bitstring(context,
- _hx509_get_cert(signer),
+ signer,
 &ocsp->ocsp.signatureAlgorithm,
 &ocsp->ocsp.tbsResponseData._save,
 &ocsp->ocsp.signature);
@@ -506,7 +506,7 @@ verify_crl(hx509_context context,
 }
 ret = _hx509_verify_signature_bitstring(context,
- _hx509_get_cert(signer),
+ signer,
 &crl->signatureAlgorithm,
 &crl->tbsCertList._save,
 &crl->signatureValue);
diff --git a/lib/hx509/softp11.c b/lib/hx509/softp11.c
index 2c7f61949..f18b98a3d 100644
--- a/lib/hx509/softp11.c
+++ b/lib/hx509/softp11.c
@@ -1617,7 +1617,7 @@ C_Verify(CK_SESSION_HANDLE hSession,
 data.length = ulSignatureLen;
 hret = _hx509_verify_signature(context,
- _hx509_get_cert(o->cert),
+ o->cert,
 alg,
 &data,
 &sig);