[openssl-dev] Bug in SSL_CTX_check_private_key?

Dmitry Belyavsky beldmit at gmail.com
Wed May 6 21:09:52 UTC 2015


Hello Viktor,

On Wednesday, May 6, 2015, Viktor Dukhovni <openssl-users at dukhovni.org>
wrote:

> On Wed, May 06, 2015 at 08:33:37PM +0300, Dmitry Belyavsky wrote:
>
> > > > I would like to suggest a small patch providing the necessary check
> for
> > > > RSA_METHOD_FLAG_NO_CHECK here.
> > >
> > > I am not convinced this change is correct.  The function would then
> > > not do what it is supposed to do.  The flag suppresses implicit
> > > checks only, but suppressing explicit checks seems unexpected.
> > >
> >
> > Well, but what is the correct way to provide, for example, HSM key if we
> > have to check match without access to a private key?
>
> Well, one might argue that the checking function should support
> performing the check via engines.  Or that explicit checks should
> not be called when you don't want to check.  Perhaps openssl(1)
> should have a command-line option to suppress the explicit check.
>
> I'd still be surprised if calling the explicit check did nothing.
> However, I might not know enough of the history/intent.  Perhaps
> someone will comment...
>

https://www.mail-archive.com/openssl-dev@openssl.org/msg04370.html - a very old thread concerning using smartcards with OpenSSL.

http://code.google.com/p/chromium/issues/detail?id=395279 - the solution
selected in BoringSSL.

-- 
SY, Dmitry Belyavsky