-
-
Notifications
You must be signed in to change notification settings - Fork 9.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix ossl_x509v3_cache_extensions()
: EXFLAG_NO_FINGERPRINT
is not an error
#16043
Fix ossl_x509v3_cache_extensions()
: EXFLAG_NO_FINGERPRINT
is not an error
#16043
Conversation
Have you looked in history why this was made an error? What happens with OSSL_CMP_CTX_set1_srvCert()? It shouldn't accept an invalid certificate, should it? |
There's been a few changes over time... at some point, a certificate that was impossible to make a fingerprint from was regarded as invalid. Why should that no longer be the case? I find it deeply troublesome that, by being sloppy with this, functions like |
I had introduced this myself in commit 1e41dad
Actually the term 'invalid certificate' is very vague, and looks like I should have avoided that term in the implementation of The function
No need to worry here - my definition
uses a rather strong name, but note that 'invalid' just covers very basic well-formedness of the cert structure.
So the function |
OTC: This change is not for 3.0. It can be considered post 3.0. |
This PR is in a state where it requires action by @openssl/otc but the last update was 244 days ago |
This PR is in a state where it requires action by @openssl/otc but the last update was 275 days ago |
This PR is in a state where it requires action by @openssl/otc but the last update was 306 days ago |
This PR is in a state where it requires action by @openssl/otc but the last update was 337 days ago |
This PR is in a state where it requires action by @openssl/otc but the last update was 368 days ago |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK for master if CI passes.
Thanks @t8m for resuming the handling of this rather old PR - I was about to ask for that, but then saw your approval :) So now asking Committers for the 2nd review. |
fb8a0dc
to
d2d6cf8
Compare
…be an error This allows reverting the recent workaround on cmp_ctx_test regarding X509_new()
d2d6cf8
to
3b7d1ff
Compare
Rebased to fix merge conflict. |
…ld not be an error
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM if tests passed
@t8m could you please reconfirm? |
This pull request is ready to merge |
Is this for master or master and 3.0? |
Master only as this kind of refactoring is IMO not a bug fix. |
…be an error This allows reverting the recent workaround on cmp_ctx_test regarding X509_new() Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from #16043)
Well, to me, removing a wrongly thrown error is a bug fix, though a minor one. |
I wouldn't recommend backporting this. It is really border-line on whether this is a bug fix or not. |
All right, so closing. |
…be an error This allows reverting the recent workaround on cmp_ctx_test regarding X509_new() Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from openssl#16043)
Upon closer inspection, it turns out that the root cause of the hickup discussed for #16036 is in
ossl_x509v3_cache_extensions()
:the case
EXFLAG_NO_FINGERPRINT
simply should not be regarded as an error.This PR fixes the problem and on this occasion cleans up the error handling of that function.
The fix allows reverting the recent workaround in commit 6bfd3e5 on
cmp_ctx_test.c
regardingX509_new()
.