[openssl-dev] [openssl.org #3837] Bug in SSL_CTX_check_private_key?

Viktor Dukhovni openssl-users at dukhovni.org
Wed May 6 18:17:40 UTC 2015


On Wed, May 06, 2015 at 08:33:37PM +0300, Dmitry Belyavsky wrote:

> > > I would like to suggest a small patch providing the necessary check for
> > > RSA_METHOD_FLAG_NO_CHECK here.
> >
> > I am not convinced this change is correct.  The function would then
> > not do what it is supposed to do.  The flag suppresses implicit
> > checks only, but suppressing explicit checks seems unexpected.
> >
> 
> Well, but what is the correct way to provide, for example, HSM key if we
> have to check match without access to a private key?

Well, one might argue that the checking function should support
performing the check via engines.  Or that explicit checks should
not be called when you don't want to check.  Perhaps openssl(1)
should have a command-line option to suppress the explicit check.

I'd still be surprised if calling the explicit check did nothing.
However, I might not know enough of the history/intent.  Perhaps
someone will comment...

-- 
	Viktor.
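Added example, not part of the thread: the HSM case Dmitry raises can be handled outside the library by comparing the public key embedded in the certificate with the public key the token exports, so no private material has to be readable. This script is not OpenSSL project code; it assumes only that the openssl(1) CLI is on PATH, and it constructs its own throwaway key, certificate and an unrelated key to show both the matching and the mismatching case.

```shell
#!/bin/sh
# Added example (not from the thread): check certificate/key correspondence
# using only public data, the way one would when the private key lives in an
# HSM. Assumes the openssl(1) CLI is available on PATH.
set -eu

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Constructed test material: a fresh key, a self-signed certificate for it,
# and an unrelated key standing in for a mismatch.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$work/key.pem" 2>/dev/null
openssl req -new -x509 -key "$work/key.pem" -subj "/CN=example" -days 1 \
    -out "$work/cert.pem" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$work/other.pem" 2>/dev/null

# Public keys in SubjectPublicKeyInfo form, which is what an HSM or engine
# can export without exposing the private part.
openssl pkey -in "$work/key.pem" -pubout -out "$work/pub.pem" 2>/dev/null
openssl pkey -in "$work/other.pem" -pubout -out "$work/otherpub.pem" 2>/dev/null

# spki_sha256 PEMFILE: SHA-256 of the DER-encoded public key, so that
# encoding differences (PEM vs DER, line wrapping) do not matter.
spki_sha256() {
    openssl pkey -pubin -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# cert_matches_pubkey CERT PUBKEY: exit 0 when the public key carried in CERT
# is byte-for-byte the same SPKI as PUBKEY, 1 otherwise.
cert_matches_pubkey() {
    cert_fp=$(openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}')
    key_fp=$(spki_sha256 "$2")
    [ "$cert_fp" = "$key_fp" ]
}

# Stand-alone run: report both cases.
if cert_matches_pubkey "$work/cert.pem" "$work/pub.pem"; then
    echo "cert.pem matches pub.pem"
fi
if ! cert_matches_pubkey "$work/cert.pem" "$work/otherpub.pem"; then
    echo "cert.pem does not match otherpub.pem"
fi
```

In practice the second argument would be the public key exported from the token (or its fingerprint as printed by the HSM tooling) rather than a file derived from a local private key. Because X509_check_private_key itself compares only the public components through EVP_PKEY_cmp, this external comparison gives the same assurance as the explicit check without the engine having to grant access to the private key.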
