-
-
Notifications
You must be signed in to change notification settings - Fork 10.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Creation of Oakley EC keypair produces garbled output #5723
Comments
It appears there are no OIDs defined for those objects: https://github.com/openssl/openssl/blob/master/crypto/objects/objects.txt#L1230 This should probably have bailed out when it tried to write out the oid and found there wasn't one. |
The syntax is valid, tho. Look at lines 948, 1424, etc... |
Yes, the syntax is valid. We can create and use objects of this type internally. But when we try to write out an OID for this the OID data is missing. It should fail at that point I think. |
I misiunderstood when it should bail out. I thought you meant at build time. I don't understand why those curves are in objects.txt without OID's. That should be a build error. |
Presumably so we can have NIDs for them. This enables us to use them - we just can't write out any ASN.1 for them. That might be perfectly valid if the application using the curve doesn't need to write out an ASN.1 encoding (perhaps it is using some application specific encoding). |
If we don't have OID data for an object then we should fail if we are asked to encode the ASN.1 for that OID. Fixes openssl#5723
Fix in #5725. That at least means we fail when we try to write the key in the first place. |
I noticed today (tested with 5900679, i.e., latest master) that producing Oakley EC keypair (the ones with the questional extension field) fail because apparantly no OID is encoded into the optional part of the EC key, but garbled (?) data. This leads to the following (OpenSSL cannot read the keys it generated itself):
Also, this is the output of asn1parse:
I don't know if anyone is actually using those curves, but I feel that OpenSSL should rather refuse to generate keypairs instead of creating broken ones.
The text was updated successfully, but these errors were encountered: