WIP: Check for compatible signature vs. key on ss cert#7943
Closed
bernd-edlinger wants to merge 3 commits intoopenssl:masterfrom
Closed
WIP: Check for compatible signature vs. key on ss cert#7943bernd-edlinger wants to merge 3 commits intoopenssl:masterfrom
bernd-edlinger wants to merge 3 commits intoopenssl:masterfrom
Conversation
Trying to check CA usage in x509v3_cache_extensions wasn't a good idea. Fixes openssl#1418 This reverts commit f51e5ed.
RFC 5280 says this in 4.2.1.3 "Key Usage":
The keyCertSign bit is asserted when the subject public key is
used for verifying signatures on public key certificates. If the
keyCertSign bit is asserted, then the cA bit in the basic
constraints extension (Section 4.2.1.9) MUST also be asserted.
check_ca did check these relevant combinations:
1. keyCertSign bit set in keyUsage, no check of basicConstraints.
2. cA bit set in basicConstraints, no check of keyUsage.
3. basicConstraints not present => keyCertSign bit set in keyUsage.
Now we change 1 to:
1. keyCertSign bit set in keyUsage => cA bit set in basicConstraints.
Fixes openssl#1418
Only set EXFLAG_SS if both are compatible. [extended tests]
anwarsadad18
approved these changes
Dec 26, 2018
2 tasks
DDvO
added a commit
to siemens/openssl
that referenced
this pull request
Dec 8, 2019
further improve code of x509v3_cache_extensions() in v3_purp.c as in PR openssl#7943
DDvO
added a commit
to mpeylo/cmpossl
that referenced
this pull request
Dec 24, 2019
further improve code of x509v3_cache_extensions() in v3_purp.c as in PR openssl#7943
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
@levitte I played a bit with your pull request. I don't know if it is too much of a hack,
but I think I have a fairly general check which does not only cover X25519 vs. ED25519
but also RSA key vs. ECDSA signature, etc.
This is based on PR #7918