Fix ossl_x509v3_cache_extensions(): EXFLAG_NO_FINGERPRINT is not an error
#16043
Conversation
DDvO
added
approval: otc review pending
|
Have you looked in history why this was made an error? What happens with OSSL_CMP_CTX_set1_srvCert()? It shouldn't accept an invalid certificate, should it? |
|
There's been a few changes over time... at some point, a certificate that was impossible to make a fingerprint from was regarded as invalid. Why should that no longer be the case? I find it deeply troublesome that, by being sloppy with this, functions like |
I had introduced this myself in commit 1e41dad
Actually the term 'invalid certificate' is very vague, and looks like I should have avoided that term in the implementation of The function
No need to worry here - my definition uses a rather strong name, but note that 'invalid' just covers very basic well-formedness of the cert structure. So the function |
|
OTC: This change is not for 3.0. It can be considered post 3.0. |
|
This PR is in a state where it requires action by @openssl/otc but the last update was 244 days ago |
|
This PR is in a state where it requires action by @openssl/otc but the last update was 275 days ago |
|
This PR is in a state where it requires action by @openssl/otc but the last update was 306 days ago |
|
This PR is in a state where it requires action by @openssl/otc but the last update was 337 days ago |
|
This PR is in a state where it requires action by @openssl/otc but the last update was 368 days ago |
t8m
added
approval: review pending
t8m
removed
the
approval: otc review pending
|
Thanks @t8m for resuming the handling of this rather old PR - I was about to ask for that, but then saw your approval :) So now asking Committers for the 2nd review. |
DDvO
force-pushed
the
fix_ossl_x509v3_cache_extensions-NO_FINGERPRINT
branch
from
fb8a0dc
to
d2d6cf8
Compare
…be an error This allows reverting the recent workaround on cmp_ctx_test regarding X509_new()
DDvO
force-pushed
the
fix_ossl_x509v3_cache_extensions-NO_FINGERPRINT
branch
from
d2d6cf8
to
3b7d1ff
Compare
|
Rebased to fix merge conflict. |
…ld not be an error
|
@t8m could you please reconfirm? |
t8m
added
approval: done
openssl-machine
added
approval: ready to merge
|
This pull request is ready to merge |
|
Is this for master or master and 3.0? |
|
Master only as this kind of refactoring is IMO not a bug fix. |
…be an error This allows reverting the recent workaround on cmp_ctx_test regarding X509_new() Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from #16043)
Well, to me, removing a wrongly thrown error is a bug fix, though a minor one. |
|
I wouldn't recommend backporting this. It is really border-line on whether this is a bug fix or not. |
|
All right, so closing. |
…be an error This allows reverting the recent workaround on cmp_ctx_test regarding X509_new() Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from openssl#16043)
Upon closer inspection, it turns out that the root cause of the hickup discussed for #16036 is in
ossl_x509v3_cache_extensions():the case
EXFLAG_NO_FINGERPRINTsimply should not be regarded as an error.This PR fixes the problem and on this occasion cleans up the error handling of that function.
The fix allows reverting the recent workaround in commit 6bfd3e5 on
cmp_ctx_test.cregardingX509_new().