Chain building fails in version 1.1.1i if CA uses RSASSA-PSS for signing EE cert

Dear OpenSSL users,

We just bumped into a case we assume to be a bug in version 1.1.1i.

Building a (partial) chain fails if an end-user cert is signed by a CA using the RSASSA-PSS algorithm.
Chain building works with version 1.1.1g.

Tracing the issue down, we found that check_issued (source x509_vfy.c) has changed. The method is extended to check that the X509_NAMEs, AKIDs and algorithms match.
The latter fails in check_sig_alg_match (source v3_purp.c), returning
X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH, which is wrong.

Is this issue and / or the proper solution known?

Thanks in advance
--
Christian Weber
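
A minimal reproduction of the setup described in the message above, added here as an example and not part of the original post. It assumes the CA holds an ordinary RSA key and only the signature on the EE cert uses PSS padding; all file names and subjects are constructed. It reports whether the installed openssl builds the partial chain.

```shell
# Added reproduction sketch; every name and subject below is constructed.

# Create a CA with a plain RSA key, then issue an EE cert signed with RSASSA-PSS.
build_pss_chain() {
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/ca.key" -out "$d/ca.pem" -days 1 2>/dev/null &&
    openssl req -new -config "$d/ca.cnf" -subj "/CN=constructed-ee" \
        -newkey rsa:2048 -nodes -keyout "$d/ee.key" -out "$d/ee.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/ee.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -sha256 -sigopt rsa_padding_mode:pss \
        -out "$d/ee.pem" 2>/dev/null
}

# Print the certificate's signature algorithm as OpenSSL names it.
sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Print the algorithm of the certificate's public key.
key_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# Build the (partial) chain EE -> CA; exit status 0 means verification passed.
verify_partial_chain() {
    openssl verify -partial_chain -CAfile "$1/ca.pem" "$1/ee.pem"
}

dir=$(mktemp -d)
build_pss_chain "$dir"
echo "openssl:  $(openssl version)"
echo "CA key:   $(key_alg "$dir/ca.pem")"
echo "EE sig:   $(sig_alg "$dir/ee.pem")"
if verify_partial_chain "$dir"; then echo "chain: OK"; else echo "chain: FAILED"; fi
```

Running the same script against two openssl builds gives a side-by-side comparison of the chain result for an identical pair of certificates.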



