[openssl-commits] [openssl] OpenSSL_1_1_1-stable update
bernd.edlinger at hotmail.de
bernd.edlinger at hotmail.de
Mon Dec 31 08:51:18 UTC 2018
The branch OpenSSL_1_1_1-stable has been updated
via c25ae0fff78cb3cb784ef79167329d5cd55b62de (commit)
from 3be71a31a1dda204bb95462a92cf7f247e64b939 (commit)
- Log -----------------------------------------------------------------
commit c25ae0fff78cb3cb784ef79167329d5cd55b62de
Author: Bernd Edlinger <bernd.edlinger at hotmail.de>
Date: Thu Dec 27 22:18:21 2018 +0100
Fix cert with rsa instead of rsaEncryption as public key algorithm
Reviewed-by: Kurt Roeckx <kurt at roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/7962)
(cherry picked from commit 1f483a69bce11c940309edc437eee6e32294d5f2)
-----------------------------------------------------------------------
Summary of changes:
crypto/rsa/rsa_ameth.c | 9 ++++++---
test/certs/root-cert-rsa2.pem | 18 ++++++++++++++++++
test/recipes/25-test_verify.t | 4 +++-
3 files changed, 27 insertions(+), 4 deletions(-)
create mode 100644 test/certs/root-cert-rsa2.pem
diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
index a6595ae..75debb3 100644
--- a/crypto/rsa/rsa_ameth.c
+++ b/crypto/rsa/rsa_ameth.c
@@ -34,7 +34,7 @@ static int rsa_param_encode(const EVP_PKEY *pkey,
*pstr = NULL;
/* If RSA it's just NULL type */
- if (pkey->ameth->pkey_id == EVP_PKEY_RSA) {
+ if (pkey->ameth->pkey_id != EVP_PKEY_RSA_PSS) {
*pstrtype = V_ASN1_NULL;
return 1;
}
@@ -58,7 +58,7 @@ static int rsa_param_decode(RSA *rsa, const X509_ALGOR *alg)
int algptype;
X509_ALGOR_get0(&algoid, &algptype, &algp, alg);
- if (OBJ_obj2nid(algoid) == EVP_PKEY_RSA)
+ if (OBJ_obj2nid(algoid) != EVP_PKEY_RSA_PSS)
return 1;
if (algptype == V_ASN1_UNDEF)
return 1;
@@ -109,7 +109,10 @@ static int rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
RSA_free(rsa);
return 0;
}
- EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa);
+ if (!EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa)) {
+ RSA_free(rsa);
+ return 0;
+ }
return 1;
}
diff --git a/test/certs/root-cert-rsa2.pem b/test/certs/root-cert-rsa2.pem
new file mode 100644
index 0000000..b817fdf
--- /dev/null
+++ b/test/certs/root-cert-rsa2.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7DCCAdSgAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
+IENBMCAXDTE2MDExNTA4MTk0OVoYDzIxMTYwMTE2MDgxOTQ5WjASMRAwDgYDVQQD
+DAdSb290IENBMIIBHTAIBgRVCAEBBQADggEPADCCAQoCggEBAOHmAPUGvKBGOHkP
+Px5xGRNtAt8rm3Zr/KywIe3WkQhCO6VjNexSW6CiSsXWAJQDl1o9uWco0n3jIVyk
+7cY8jY6E0Z1Uwz3ZdKKWdmdx+cYaUHez/XjuW+DjjIkjwpoi7D7UN54HzcArVREX
+OjRCHGkNOhiw7RWUXsb9nofGHOeUGpLAXwXBc0PlA94JkckkztiOi34u4DFI0YYq
+alUmeugLNk6XseCkydpcaUsDgAhWg6Mfsiq4wUz+xbFN1MABqu2+ziW97mmt9gfN
+biuhiVT1aOuYCe3JYGbLM2JKA7Bo1g6rX8E1VX79Ru6669y2oqPthX9337VoIkN+
+ZiQjr8UCAwEAAaNQME4wHQYDVR0OBBYEFI71Ja8em2uEPXyAmslTnE1y96NSMB8G
+A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wDQYJ
+KoZIhvcNAQELBQADggEBAJ0OIdog3uQ1pmsjv1Qtf1w4If1geOn5uK0EOj2wYBHt
+NxlFn7l8d9+51QMZFO+RlQJ0s3Webyo1ReuaL2dMn2LGJhWMoSBAwrMALAENU3lv
+8jioRbfO2OamsdpJpKxQUyUJYudNe+BoKNX/ry3rxezmsFsRr9nDMiJZpmBCXiMm
+mFFJOJkG0CheexBbMkua4kyStIOwO4rb5bSHszVso/9ucdGHBSC7oRcJXoWSDjBx
+PdQPPBK5g4yqL8Lz26ehgsmhRKL9k32eVyjDKcIzgpmgcPTfTqNbd1KHQJKx4ssb
+7nEpGKHalSo5Oq5L9s9qYrUv37kwBY4OpJFtmGaodoI=
+-----END CERTIFICATE-----
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
index 6c3deab..b80a1cd 100644
--- a/test/recipes/25-test_verify.t
+++ b/test/recipes/25-test_verify.t
@@ -27,7 +27,7 @@ sub verify {
run(app([@args]));
}
-plan tests => 134;
+plan tests => 135;
# Canonical success
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
@@ -361,6 +361,8 @@ ok(verify("some-names2", "sslserver", ["many-constraints"], ["many-constraints"]
"Not too many names and constraints to check (2)");
ok(verify("some-names2", "sslserver", ["many-constraints"], ["many-constraints"], ),
"Not too many names and constraints to check (3)");
+ok(verify("root-cert-rsa2", "sslserver", ["root-cert-rsa2"], [], "-check_ss_sig"),
+ "Public Key Algorithm rsa instead of rsaEncryption");
SKIP: {
skip "Ed25519 is not supported by this OpenSSL build", 1
More information about the openssl-commits
mailing list