dirmngr: Fix verification of ECDSA signed CRLs.

* dirmngr/crlcache.c (finish_sig_check): Use raw value for the data. -- This had the usual signed/unsigned problem. By using the modern form we enforce Libgcrypt internal parsing as unsigned integer.
2025-01-30 16:17:02 +01:00 · 2022-11-15 09:56:13 +01:00 · 2022-11-15 09:56:13 +01:00 · 868dabb402
commit 868dabb402
parent 80ccded042
2 changed files with 4 additions and 3 deletions
--- a/dirmngr/crlcache.c
+++ b/dirmngr/crlcache.c
@ -1831,9 +1831,10 @@ finish_sig_check (ksba_crl_t crl, gcry_md_hd_t md, int algo,
      if (n > qbits/8)
        n = qbits/8;

-      err = gcry_sexp_build (&s_hash, NULL, "%b",
+      err = gcry_sexp_build (&s_hash, NULL, "(data(flags raw)(value %b))",
                             (int)n,
                             gcry_md_read (md, algo));
+
    }
  else
    {
@ -1852,7 +1853,7 @@ finish_sig_check (ksba_crl_t crl, gcry_md_hd_t md, int algo,
  /* Pass this on to the signature verification. */
  err = gcry_pk_verify (s_sig, s_hash, s_pkey);
  if (DBG_X509)
-    log_debug ("gcry_pk_verify: %s\n", gpg_strerror (err));
+    log_debug ("%s: gcry_pk_verify: %s\n", __func__, gpg_strerror (err));

 leave:
  xfree (sigval);
--- a/dirmngr/validate.c
+++ b/dirmngr/validate.c
@ -1164,7 +1164,7 @@ check_cert_sig (ksba_cert_t issuer_cert, ksba_cert_t cert)
  if (!err)
    err = gcry_pk_verify (s_sig, s_hash, s_pkey);
  if (DBG_X509)
-    log_debug ("gcry_pk_verify: %s\n", gpg_strerror (err));
+    log_debug ("%s: gcry_pk_verify: %s\n", __func__, gpg_strerror (err));

 leave:
  gcry_md_close (md);