Fix bogus check for EVP_PKEY mandatory digest in check_cert_usable() #9705

Closed

@dwmw2
Contributor

dwmw2 commented Aug 27, 2019

In commit 6aca8d1a5 ("Honour mandatory digest on private key in
has_usable_cert()") I added two checks for the capabilities of the
EVP_PKEY being used. One of them was wrong, as it should only be
checking the signature of the X.509 cert (by its issuer) against the
sigalgs given in a TLS v1.3 signature_algorithms_cert extension.

Remove it.

This is the version of PR #9672 for 1.1.1.

@mattcaswell

Member

mattcaswell commented Aug 27, 2019

Ping @t8m since you approved the master version of this.

@kaduk
kaduk approved these changes Aug 27, 2019
@t8m
t8m approved these changes Sep 4, 2019
levitte pushed a commit that referenced this pull request Sep 4, 2019
In commit 6aca8d1 ("Honour mandatory digest on private key in
has_usable_cert()") I added two checks for the capabilities of the
EVP_PKEY being used. One of them was wrong, as it should only be
checking the signature of the X.509 cert (by its issuer) against the
sigalgs given in a TLS v1.3 signature_algorithms_cert extension.

Remove it.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from #9705)
@t8m

Member

t8m commented Sep 4, 2019

Merged

@t8m t8m closed this Sep 4, 2019