Chain building fails in version 1.1.1i if CA uses RSASSA-PSS for signing EE cert
weber at infotech.de
Thu Feb 4 12:08:49 UTC 2021
Dear OpenSSL users,
we just bumped into a case we assume to be a bug in version 1.1.1i.
Building a (partial) chain fails if an end-user cert is signed by a CA
using the RSASSA-PSS algorithm.
Chain building works with version 1.1.1g.
Tracing the issue down, we found that check_issued (source
x509_vfy.c) has changed.
The method was extended to check that the X509_NAMEs, AKIDs and
algorithms match.
The latter fails in check_sig_alg_match (source v3_purp.c), returning
X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH, which is wrong.
Is this issue and/or the proper solution known?
Thanks in advance
--
Christian Weber
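Added reproduction script for the situation described in the post above. It is not part of the original message and not OpenSSL's own code; it only drives the openssl command line. It assumes the CA holds an ordinary rsaEncryption key and selects RSASSA-PSS per signature with -sigopt, and it includes SKID/AKID in the end-entity cert so the AKID comparison the poster mentions is exercised. All file names, subject names and the scratch directory are constructed for this example. The post says the final partial-chain verify succeeds on 1.1.1g and fails on 1.1.1i with X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH; the script prints whatever the local build returns rather than asserting either outcome.

```shell
#!/bin/sh
# Constructed example: RSA CA key, end-entity (EE) cert signed with RSASSA-PSS,
# then `openssl verify -partial_chain`. Not from the original post or OpenSSL.
set -eu

# Build the two-certificate chain in directory $1 (hypothetical scratch dir).
make_chain() {
  dir="$1"

  # CA key and self-signed CA cert. The CA cert's own signature is the default
  # PKCS#1 v1.5 (sha256WithRSAEncryption); the key algorithm is rsaEncryption.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" \
    -subj "/CN=Example PSS Test CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -addext "subjectKeyIdentifier=hash" >/dev/null 2>&1

  # EE key and CSR (constructed subject name).
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/ee.key" -out "$dir/ee.csr" \
    -subj "/CN=pss-signed.example" >/dev/null 2>&1

  # Extensions for the EE cert, including an AKID pointing at the CA's SKID.
  cat >"$dir/ee.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF

  # Sign the EE cert with the CA's plain RSA key, but using RSASSA-PSS padding.
  # The resulting signatureAlgorithm is id-RSASSA-PSS (printed as "rsassaPss").
  openssl x509 -req -in "$dir/ee.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 30 -sha256 \
    -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:digest \
    -extfile "$dir/ee.ext" -out "$dir/ee.pem" >/dev/null 2>&1
}

# Print the signature algorithm name of a certificate file, e.g. "rsassaPss"
# or "sha256WithRSAEncryption" (first "Signature Algorithm:" line of -text).
sig_alg_of() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/^ *Signature Algorithm: *//p' \
    | sed 's/[[:space:]]*$//' \
    | head -n 1
}

# Run the partial-chain verify the post describes. Prints "OK" and returns 0
# when the chain builds; otherwise prints openssl's error text and returns 1.
verify_partial_chain() {
  dir="$1"
  if openssl verify -partial_chain -CAfile "$dir/ca.pem" "$dir/ee.pem" \
      >"$dir/verify.out" 2>&1; then
    echo "OK"
  else
    # On an affected build the post reports "signature algorithm mismatch".
    cat "$dir/verify.out"
    return 1
  fi
}

main() {
  work=$(mktemp -d)
  make_chain "$work"
  echo "openssl: $(openssl version)"
  echo "CA cert signature algorithm: $(sig_alg_of "$work/ca.pem")"
  echo "EE cert signature algorithm: $(sig_alg_of "$work/ee.pem")"
  echo "partial-chain verify result:"
  verify_partial_chain "$work" || true
  rm -rf "$work"
}

main
```

Run it against the OpenSSL build under test; the two "signature algorithm" lines confirm the chain really has a PKCS#1 v1.5 signed CA and a PSS signed EE, so a failing verify comes from the chain-building logic and not from a mis-built fixture.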