OCSP sign does not RSA_METHOD_FLAG_NO_CHECK 2 #12419
Closed
Conversation
OCSP_basic_sign_ctx() in ocsp_srv.c , does not check for RSA_METHOD_FLAG_NO_CHECK. If RSA_set_flags() to enable RSA_METHOD_FLAG_NO_CHECK, then OCSP sign operations can fail because the X509_check_private_key(). After discussions with OpenSSL the check was moved to crypto/rsa/rsa_ameth.c as a common place to check. Checks in ssl_rsa.c were removed.
|
LGTM. Needs second review. |
|
Travis failures are not relevant. |
|
This PR is in a state where it requires action by @openssl/committers but the last update was 30 days ago |
|
This PR is in a state where it requires action by @openssl/committers but the last update was 61 days ago |
|
This pull request is ready to merge |
openssl-machine
pushed a commit
that referenced
this pull request
Sep 21, 2020
OCSP_basic_sign_ctx() in ocsp_srv.c , does not check for RSA_METHOD_FLAG_NO_CHECK. If a key has RSA_METHOD_FLAG_NO_CHECK set, OCSP sign operations can fail because the X509_check_private_key() can fail. The check for the RSA_METHOD_FLAG_NO_CHECK was moved to crypto/rsa/rsa_ameth.c as a common place to check. Checks in ssl_rsa.c were removed. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from #12419)
openssl-machine
pushed a commit
that referenced
this pull request
Sep 21, 2020
OCSP_basic_sign_ctx() in ocsp_srv.c , does not check for RSA_METHOD_FLAG_NO_CHECK. If a key has RSA_METHOD_FLAG_NO_CHECK set, OCSP sign operations can fail because the X509_check_private_key() can fail. The check for the RSA_METHOD_FLAG_NO_CHECK was moved to crypto/rsa/rsa_ameth.c as a common place to check. Checks in ssl_rsa.c were removed. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from #12419) (cherry picked from commit 56e8fe0)
|
I've amended the commit message slightly to clarify and merged to both master and 1.1.1 branches. Thank you for the contribution. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
OCSP_basic_sign_ctx() in ocsp_srv.c , does not check for RSA_METHOD_FLAG_NO_CHECK. If RSA_set_flags() to enable RSA_METHOD_FLAG_NO_CHECK, then OCSP sign operations can fail because the X509_check_private_key().
After discussions with OpenSSL the check was moved to crypto/rsa/rsa_ameth.c as a common place to check. Checks in ssl_rsa.c were removed.
Fixes #12087
Checklist