checkX509Signature static method
Checks the signature of the given pem
by using the public key from the given parent
.
If the parent
parameter is null, the public key of the given pem
will be used.
Both parameters pem
and parent
should represent a X509Certificate in PEM format.
Implementation
static bool checkX509Signature(String pem, {String? parent}) {
var result = false;
parent ??= pem;
var data = x509CertificateFromPem(pem);
var parentData = x509CertificateFromPem(parent);
var algorithm = _getDigestFromOi(data.signatureAlgorithmReadableName ?? '');
// Check if key and algorithm matches
if (data.signatureAlgorithmReadableName!.toLowerCase().contains('rsa') &&
parentData.tbsCertificate!.subjectPublicKeyInfo.algorithmReadableName!
.contains('ecPublicKey')) {
// Algorithm does not match
return false;
}
if (data.signatureAlgorithmReadableName!.toLowerCase().contains('ec') &&
parentData.tbsCertificate!.subjectPublicKeyInfo.algorithmReadableName!
.contains('rsaEncryption')) {
// Algorithm does not match
return false;
}
if (data.signatureAlgorithmReadableName!.toLowerCase().contains('rsa')) {
var publicKey = CryptoUtils.rsaPublicKeyFromDERBytes(_stringAsBytes(
parentData.tbsCertificate!.subjectPublicKeyInfo.bytes!));
result = CryptoUtils.rsaVerify(
publicKey,
base64.decode(data.tbsCertificateSeqAsString!),
_stringAsBytes(data.signature!),
algorithm: '$algorithm/RSA',
);
} else {
var publicKey = CryptoUtils.ecPublicKeyFromDerBytes(_stringAsBytes(
parentData.tbsCertificate!.subjectPublicKeyInfo.bytes!));
var sigBytes = _stringAsBytes(data.signature!);
if (sigBytes.first == 0) {
sigBytes = sigBytes.sublist(1);
}
result = CryptoUtils.ecVerify(
publicKey,
base64.decode(data.tbsCertificateSeqAsString!),
CryptoUtils.ecSignatureFromDerBytes(
sigBytes,
),
algorithm: '$algorithm/ECDSA',
);
}
return result;
}