[openssl-dev] [openssl.org #3665] Bug report and a patch for OpenSSL 1.0.1l (and 1.0.1k)

Stephen Henson via RT rt at openssl.org
Mon Jan 19 13:46:27 UTC 2015


On Mon Jan 19 09:30:24 2015, a.yousar at informatik.hu-berlin.de wrote:
>
> RFC 4055 as well as RFC 5754 do not make this difference, both say:
> When any of these four object identifiers appears within an
> AlgorithmIdentifier, the parameters MUST be NULL. Implementations
> MUST accept the parameters being absent as well as present.
>
> If OpenSSL declines an empty parameter field then this is non-conformant
> with these RFCs.
>

OpenSSL will tolerate both an absent parameter list and a NULL one. It did
before this change and still does after it. This specific case rejects a
certificate where the two AlgorithmIdentifier values in the certificate
(signature and signatureAlgorithm) do not match.

It seems odd that an implementation having decided it should represent an
algorithm in one way for one field should then decide to represent an identical
algorithm in a different way for another.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
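The two checks Steve distinguishes above, as an added Python example (not OpenSSL code): a minimal DER walker that pulls out the AlgorithmIdentifier from tbsCertificate.signature and the outer signatureAlgorithm, accepts each one with parameters either absent or NULL (what the quoted RFC text requires), and separately requires the two encodings to match byte for byte. The certificate-shaped input is constructed inline with only enough structure to exercise the check; all function names are this example's own.

```python
from typing import List, Optional, Tuple

SEQUENCE, INTEGER, BIT_STRING, NULL, CTX0 = 0x30, 0x02, 0x03, 0x05, 0xA0

# DER TLV of OBJECT IDENTIFIER 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
SHA256_RSA_OID = bytes.fromhex("06092a864886f70d01010b")
NULL_PARAMS = bytes([NULL, 0x00])


def der_len(n: int) -> bytes:
    """Definite-length DER length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def parse_tlv(data: bytes, off: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, content, end_offset) for the single-byte-tag TLV at data[off:]."""
    tag, first = data[off], data[off + 1]
    off += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:       # indefinite or absurd length: not DER
            raise ValueError("bad length encoding")
        length = int.from_bytes(data[off:off + nbytes], "big")
        off += nbytes
    end = off + length
    if end > len(data):
        raise ValueError("truncated element")
    return tag, data[off:end], end


def children(content: bytes) -> List[Tuple[int, bytes]]:
    """Split the content of a constructed element into (tag, content) pairs."""
    out, off = [], 0
    while off < len(content):
        tag, c, off = parse_tlv(content, off)
        out.append((tag, c))
    return out


def alg_id(oid_tlv: bytes, params: Optional[bytes]) -> bytes:
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters OPTIONAL }."""
    return tlv(SEQUENCE, oid_tlv + (params or b""))


NULL_ALG = alg_id(SHA256_RSA_OID, NULL_PARAMS)   # parameters present as NULL
ABSENT_ALG = alg_id(SHA256_RSA_OID, None)        # parameters absent


def make_cert(inner_alg: bytes, outer_alg: bytes) -> bytes:
    """Constructed certificate-shaped DER: version, serial, signature, then
    empty placeholders for issuer/validity/subject/spki. Not a real certificate."""
    tbs = tlv(CTX0, tlv(INTEGER, b"\x02"))       # [0] EXPLICIT version v3
    tbs += tlv(INTEGER, b"\x01")                 # serialNumber
    tbs += inner_alg                             # signature AlgorithmIdentifier
    tbs += tlv(SEQUENCE, b"") * 4                # placeholders for remaining fields
    return tlv(SEQUENCE, tlv(SEQUENCE, tbs) + outer_alg + tlv(BIT_STRING, b"\x00\xab"))


def signature_algorithms(cert: bytes) -> Tuple[bytes, bytes]:
    """Return the contents of tbsCertificate.signature and signatureAlgorithm."""
    tag, content, end = parse_tlv(cert)
    if tag != SEQUENCE or end != len(cert):
        raise ValueError("not a single SEQUENCE")
    parts = children(content)
    if len(parts) != 3 or parts[0][0] != SEQUENCE or parts[1][0] != SEQUENCE:
        raise ValueError("not Certificate-shaped")
    fields = children(parts[0][1])
    i = 1 if fields and fields[0][0] == CTX0 else 0   # version is OPTIONAL
    if fields[i][0] != INTEGER or fields[i + 1][0] != SEQUENCE:
        raise ValueError("unexpected tbsCertificate layout")
    return fields[i + 1][1], parts[1][1]


def params_null_or_absent(alg_content: bytes) -> bool:
    """Per-field tolerance: parameters may be absent or an explicit NULL."""
    fields = children(alg_content)
    if not fields or fields[0][0] != 0x06:
        return False
    return len(fields) == 1 or (len(fields) == 2 and fields[1] == (NULL, b""))


def check_certificate(cert: bytes) -> dict:
    """Both checks at once: each field acceptable on its own, and the two equal."""
    inner, outer = signature_algorithms(cert)
    return {
        "inner_params_ok": params_null_or_absent(inner),
        "outer_params_ok": params_null_or_absent(outer),
        "identifiers_match": inner == outer,
    }


if __name__ == "__main__":
    for label, cert in [("NULL/NULL", make_cert(NULL_ALG, NULL_ALG)),
                        ("absent/absent", make_cert(ABSENT_ALG, ABSENT_ALG)),
                        ("NULL/absent", make_cert(NULL_ALG, ABSENT_ALG))]:
        print(label, check_certificate(cert))
```

The mixed case is the one at issue in the report: each AlgorithmIdentifier passes the per-field test on its own, and only the cross-field comparison rejects the certificate, because the issuer encoded the same algorithm two different ways.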