@@ -493,6 +493,8 @@ static int asn1_get_x509(fmap_t *map, const void **asn1data, unsigned int *size,

 	if(asn1_expect_objtype(map, next, &tbs.size, &obj, 0x02)) /* serialNumber */

 	    break;

+	if(map_sha1(map, obj.content, obj.size, x509.serial))

+	    break;

 	if(asn1_expect_rsa(map, &obj.next, &tbs.size, &hashtype1)) /* algo = sha1WithRSAEncryption | md5WithRSAEncryption */

 	    break;

@@ -740,7 +742,7 @@ static int asn1_get_x509(fmap_t *map, const void **asn1data, unsigned int *size,

 static int asn1_parse_mscat(fmap_t *map, size_t offset, unsigned int size, crtmgr *cmgr, int embedded, const void **hashes, unsigned int *hashes_size) {

     struct cli_asn1 asn1, deep, deeper;

-    uint8_t sha1[SHA1_HASH_SIZE], issuer[SHA1_HASH_SIZE], md[SHA1_HASH_SIZE];

+    uint8_t sha1[SHA1_HASH_SIZE], issuer[SHA1_HASH_SIZE], md[SHA1_HASH_SIZE], serial[SHA1_HASH_SIZE];

     const uint8_t *message, *attrs;

     unsigned int dsize, message_size, attrs_size;

     cli_crt_hashtype hashtype;

@@ -887,6 +889,8 @@ static int asn1_parse_mscat(fmap_t *map, size_t offset, unsigned int size, crtmg

 	if(asn1_expect_objtype(map, deep.next, &dsize, &deep, 0x02)) /* serial */

 	    break;

+	if(map_sha1(map, deep.content, deep.size, serial))

+	    break;

 	if(dsize) {

 	    cli_dbgmsg("asn1_parse_mscat: extra data inside issuerAndSerialNumber\n");

 	    break;

@@ -1016,7 +1020,7 @@ static int asn1_parse_mscat(fmap_t *map, size_t offset, unsigned int size, crtmg

 	    cli_dbgmsg("asn1_parse_mscat: failed to read encryptedDigest\n");

 	    break;

 	}

-	if(crtmgr_verify_pkcs7(cmgr, issuer, asn1.content, asn1.size, CLI_SHA1RSA, sha1, VRFY_CODE)) {

+	if(crtmgr_verify_pkcs7(cmgr, issuer, serial, asn1.content, asn1.size, CLI_SHA1RSA, sha1, VRFY_CODE)) {

 	    cli_dbgmsg("asn1_parse_mscat: pkcs7 signature verification failed\n");

 	    break;

 	}

@@ -1077,6 +1081,9 @@ static int asn1_parse_mscat(fmap_t *map, size_t offset, unsigned int size, crtmg

 	if(asn1_expect_objtype(map, deep.next, &asn1.size, &deep, 0x02)) /* serial */

 	    break;

+	if(map_sha1(map, deep.content, deep.size, serial))

+	    break;

+

 	if(asn1.size) {

 	    cli_dbgmsg("asn1_parse_mscat: extra data inside countersignature issuer\n");

 	    break;

@@ -1257,7 +1264,7 @@ static int asn1_parse_mscat(fmap_t *map, size_t offset, unsigned int size, crtmg

 	    cli_dbgmsg("asn1_parse_mscat: failed to read countersignature encryptedDigest\n");

 	    break;

 	}

-	if(crtmgr_verify_pkcs7(cmgr, issuer, asn1.content, asn1.size, hashtype, sha1, VRFY_TIME)) {

+	if(crtmgr_verify_pkcs7(cmgr, issuer, serial, asn1.content, asn1.size, hashtype, sha1, VRFY_TIME)) {

 	    cli_dbgmsg("asn1_parse_mscat: pkcs7 countersignature verification failed\n");

 	    break;

 	}

@@ -50,6 +50,7 @@ cli_crt *crtmgr_lookup(crtmgr *m, cli_crt *x509) {

 	   (i->codeSign | x509->codeSign) == i->codeSign &&

 	   (i->timeSign | x509->timeSign) == i->timeSign &&

 	   !memcmp(x509->subject, i->subject, sizeof(i->subject)) &&

+	   !memcmp(x509->serial, i->serial, sizeof(i->subject)) &&

 	   !mp_cmp(&x509->n, &i->n) &&

 	   !mp_cmp(&x509->e, &i->e)) {

 	    return i;

@@ -64,6 +65,7 @@ int crtmgr_add(crtmgr *m, cli_crt *x509) {

     for(i = m->crts; i; i = i->next) {

 	if(!memcmp(x509->subject, i->subject, sizeof(i->subject)) &&

+	   !memcmp(x509->serial, i->subject, sizeof(i->serial)) &&

 	   !mp_cmp(&x509->n, &i->n) &&

 	   !mp_cmp(&x509->e, &i->e)) {

 	    if(x509->not_before >= i->not_before && x509->not_after <= i->not_after) {

@@ -104,6 +106,7 @@ int crtmgr_add(crtmgr *m, cli_crt *x509) {

 	return 1;

     }

     memcpy(i->subject, x509->subject, sizeof(i->subject));

+    memcpy(i->serial, x509->serial, sizeof(i->serial));

     memcpy(i->issuer, x509->issuer, sizeof(i->issuer));

     memcpy(i->tbshash, x509->tbshash, sizeof(i->tbshash));

     i->not_before = x509->not_before;

@@ -270,7 +273,7 @@ cli_crt *crtmgr_verify_crt(crtmgr *m, cli_crt *x509) {

     return NULL;

 }

-int crtmgr_verify_pkcs7(crtmgr *m, const uint8_t *issuer, const void *signature, unsigned int signature_len, cli_crt_hashtype hashtype, const uint8_t *refhash, cli_vrfy_type vrfytype) {

+int crtmgr_verify_pkcs7(crtmgr *m, const uint8_t *issuer, const uint8_t *serial, const void *signature, unsigned int signature_len, cli_crt_hashtype hashtype, const uint8_t *refhash, cli_vrfy_type vrfytype) {

     cli_crt *i;

     mp_int sig;

     int ret;

@@ -296,6 +299,7 @@ int crtmgr_verify_pkcs7(crtmgr *m, const uint8_t *issuer, const void *signature,

 	if(vrfytype == VRFY_TIME && !i->timeSign)

 	    continue;

 	if(!memcmp(i->issuer, issuer, sizeof(i->issuer)) &&

+	   !memcmp(i->serial, serial, sizeof(i->serial)) &&

 	   !crtmgr_rsa_verify(i, &sig, hashtype, refhash)) {

 	    ret = 0;

 	    break;

@@ -33,6 +33,7 @@ typedef struct cli_crt_t {

     uint8_t subject[SHA1_HASH_SIZE];

     uint8_t issuer[SHA1_HASH_SIZE];

     uint8_t tbshash[SHA1_HASH_SIZE];

+    uint8_t serial[SHA1_HASH_SIZE];

     mp_int n;

     mp_int e;

     mp_int sig;

@@ -60,7 +61,7 @@ int crtmgr_add(crtmgr *m, cli_crt *x509);

 cli_crt *crtmgr_lookup(crtmgr *m, cli_crt *x509);

 void crtmgr_del(crtmgr *m, cli_crt *x509);

 cli_crt *crtmgr_verify_crt(crtmgr *m, cli_crt *x509);

-int crtmgr_verify_pkcs7(crtmgr *m, const uint8_t *issuer, const void *signature, unsigned int signature_len, cli_crt_hashtype hashtype, const uint8_t *refhash, cli_vrfy_type vrfytype);

+int crtmgr_verify_pkcs7(crtmgr *m, const uint8_t *issuer, const uint8_t *serial, const void *signature, unsigned int signature_len, cli_crt_hashtype hashtype, const uint8_t *refhash, cli_vrfy_type vrfytype);

 int crtmgr_add_roots(crtmgr *m);