openssl spkac generates requests signed with MD5 only, but will verify other hashes too #15683

Closed
tomato42 opened this issue Jun 9, 2021 · 0 comments
Labels
branch: master Merge to master branch triaged: feature The issue/pr requests/adds a feature

tomato42 commented Jun 9, 2021

When openssl spkac is used to create a challenge request, it uses the MD5 hash for the signature.
At the same time, if the input SPKAC is signed with SHA256, it will verify as valid.

Reproducer:

openssl genpkey -algorithm RSA -out key.pem
openssl spkac -key key.pem -out spkac.pem
openssl spkac -in spkac.pem

Output will be Signature Algorithm: md5WithRSAEncryption

@tomato42 tomato42 added the issue: bug report The issue was opened to report a bug label Jun 9, 2021
@paulidale paulidale added branch: master Merge to master branch triaged: feature The issue/pr requests/adds a feature and removed issue: bug report The issue was opened to report a bug labels Jun 9, 2021
paulidale added a commit to paulidale/openssl that referenced this issue Jun 10, 2021
devnexen pushed a commit to devnexen/openssl that referenced this issue Jul 7, 2021
Fixes openssl#15683

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#15687)
paulidale added a commit to paulidale/openssl that referenced this issue Jul 8, 2021
… option was processed

Better fixing:
Fixing openssl#15683
Fixing openssl#15686

Replacing rather than fixing:
Fixing openssl#15414

Since that claims to fix another:
Fixing openssl#15372
openssl-machine pushed a commit that referenced this issue Jul 11, 2021
… option was processed

Better fixing:
Fixing #15683
Fixing #15686

Replacing rather than fixing:
Fixing #15414

Since that claims to fix another:
Fixing #15372

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from #16022)