Skip to content

Commit e403ff3

Browse files
committed
library: x509: change order of checks in x509_crt_check_signature()
Checking that parent PK type is OK is definitely faster than computing an hash, so invert the checks. Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
1 parent 6ba8736 commit e403ff3

File tree

1 file changed

+5
-5
lines changed

1 file changed

+5
-5
lines changed

library/x509_crt.c

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -2110,6 +2110,11 @@ static int x509_crt_check_signature(const mbedtls_x509_crt *child,
21102110
psa_algorithm_t hash_alg = mbedtls_md_psa_alg_from_type(child->sig_md);
21112111
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
21122112

2113+
/* Skip expensive computation on obvious mismatch */
2114+
if (!mbedtls_pk_can_do(&parent->pk, (mbedtls_pk_type_t) child->sig_pk)) {
2115+
return -1;
2116+
}
2117+
21132118
status = psa_hash_compute(hash_alg,
21142119
child->tbs.p,
21152120
child->tbs.len,
@@ -2120,11 +2125,6 @@ static int x509_crt_check_signature(const mbedtls_x509_crt *child,
21202125
return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
21212126
}
21222127

2123-
/* Skip expensive computation on obvious mismatch */
2124-
if (!mbedtls_pk_can_do(&parent->pk, (mbedtls_pk_type_t) child->sig_pk)) {
2125-
return -1;
2126-
}
2127-
21282128
#if defined(MBEDTLS_ECP_RESTARTABLE)
21292129
if (rs_ctx != NULL && child->sig_pk == MBEDTLS_PK_SIGALG_ECDSA) {
21302130
return mbedtls_pk_verify_restartable(&parent->pk,

0 commit comments

Comments
 (0)