revise based on feedback / questions

mirleft · Jan 21, 2020 · 9375e07 · 9375e07
1 parent eaea410
commit 9375e07
Showing 1 changed file with 8 additions and 15 deletions.
diff --git a/lib/validation.ml b/lib/validation.ml
@@ -14,17 +14,14 @@ let issuer_matches_subject
 let is_self_signed cert = issuer_matches_subject cert cert
 
 let validate_raw_signature hash_whitelist raw signature_algo signature_val pk_info =
-  match pk_info with
-  | `RSA issuing_key ->
+  match pk_info, Algorithm.to_signature_algorithm signature_algo with
+  | `RSA issuing_key, Some (`RSA, siga) ->
+    List.mem siga hash_whitelist &&
     ( match Rsa.PKCS1.sig_decode ~key:issuing_key signature_val with
       | None           -> false
       | Some signature ->
-        match
-          Certificate.decode_pkcs1_digest_info signature,
-          Algorithm.to_signature_algorithm signature_algo
-        with
-        | Ok (algo, hash), Some (`RSA, h) ->
-          List.mem h hash_whitelist && h = algo && Cstruct.equal hash (Hash.digest algo raw)
+        match Certificate.decode_pkcs1_digest_info signature with
+        | Ok (a, hash) -> siga = a && Cstruct.equal hash (Hash.digest a raw)
         | _ -> false )
   | _ -> false
 
@@ -359,13 +356,9 @@ let verify_single_chain ?time ?(revoked = fun ~issuer:_ ~cert:_ -> false) hash a
   let rec climb pathlen = function
     | cert :: issuer :: certs ->
       is_cert_valid time issuer >>= fun () ->
-      if revoked ~issuer ~cert then
-        Error (`Revoked cert)
-      else begin
-        Ok () >>= fun () ->
-        signs hash pathlen issuer cert >>= fun () ->
-        climb (succ pathlen) (issuer :: certs)
-      end
+      (if revoked ~issuer ~cert then Error (`Revoked cert) else Ok ()) >>= fun () ->
+      signs hash pathlen issuer cert >>= fun () ->
+      climb (succ pathlen) (issuer :: certs)
     | [c] ->
       let anchors = issuer anchors c in
       validate_anchors revoked hash pathlen c anchors