Login
Log in using an SSO provider:
Fedora Account System
Red Hat Associate
Red Hat Customer
Login using a Red Hat Bugzilla account
Forgot Password
Create an Account
Red Hat Bugzilla – Attachment 1723047 Details for
Bug 1861495
F33/Rawhide: crypto-policies update causes JSS's OCSP Leaf and Chain checking to fail with Unknown Error
Home
New
Search
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh90 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
[?]
This site requires JavaScript to be enabled to function correctly, please enable it.
[patch]
Skip the signature check if the cert is self-signed.
libpkix_ocps_sha1_fix.patch (text/plain), 3.05 KB, created by
Bob Relyea
on 2020-10-20 23:07:20 UTC
(
hide
)
Description:
Skip the signature check if the cert is self-signed.
Filename:
MIME Type:
Creator:
Bob Relyea
Created:
2020-10-20 23:07:20 UTC
Size:
3.05 KB
patch
obsolete
>diff --git a/lib/libpkix/pkix/checker/pkix_signaturechecker.c b/lib/libpkix/pkix/checker/pkix_signaturechecker.c >--- a/lib/libpkix/pkix/checker/pkix_signaturechecker.c >+++ b/lib/libpkix/pkix/checker/pkix_signaturechecker.c >@@ -174,16 +174,17 @@ pkix_SignatureChecker_Check( > PKIX_PL_PublicKey *prevPubKey = NULL; > PKIX_PL_PublicKey *currPubKey = NULL; > PKIX_PL_PublicKey *newPubKey = NULL; > PKIX_PL_PublicKey *pKey = NULL; > PKIX_PL_CertBasicConstraints *basicConstraints = NULL; > PKIX_Error *checkKeyUsageFail = NULL; > PKIX_Error *verifyFail = NULL; > PKIX_Boolean certVerified = PKIX_FALSE; >+ PKIX_Boolean selfIssued = PKIX_FALSE; > > PKIX_ENTER(CERTCHAINCHECKER, "pkix_SignatureChecker_Check"); > PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext); > > *pNBIOContext = NULL; /* we never block on pending I/O */ > > PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState > (checker, (PKIX_PL_Object **)&state, plContext), >@@ -199,19 +200,24 @@ pkix_SignatureChecker_Check( > * verification and it is not a self-issued Cert so there is no > * old key saved. This is considered error. > */ > if (state->prevCertCertSign == PKIX_FALSE && > state->prevPublicKeyList == NULL) { > PKIX_ERROR(PKIX_KEYUSAGEKEYCERTSIGNBITNOTON); > } > >+ PKIX_CHECK(pkix_IsCertSelfIssued(cert, &selfIssued, plContext), >+ PKIX_ISCERTSELFISSUEFAILED); >+ > /* Previous Cert is valid for signature verification, try it first */ > if (state->prevCertCertSign == PKIX_TRUE) { >- verifyFail = PKIX_PL_Cert_VerifySignature >+ /* If cert is selfissued, then ignore the signature */ >+ verifyFail = selfIssued ? NULL : >+ PKIX_PL_Cert_VerifySignature > (cert, prevPubKey, plContext); > if (verifyFail == NULL) { > certVerified = PKIX_TRUE; > } else { > certVerified = PKIX_FALSE; > } > } > >@@ -280,18 +286,16 @@ pkix_SignatureChecker_Check( > PKIX_ERROR(PKIX_VALIDATIONFAILEDCERTSIGNATURECHECKING); > } > > #ifdef NIST_TEST_4_5_4_AND_4_5_6 > /* > * Check if Cert is self-issued. If so, the old key(s) is saved, in > * conjunction to the new key, for verifying CERT validity later. > */ >- PKIX_CHECK(pkix_IsCertSelfIssued(cert, &selfIssued, plContext), >- PKIX_ISCERTSELFISSUEFAILED); > > /* > * Check if Cert is self-issued. If so, the public key of the Cert > * that issues this Cert (old key) can be used together with this > * current key (new key) for key verification. If there are multiple > * self-issued certs, keys of those Certs (old keys) can also be used > * for key verification. Old key(s) is saved in a list (PrevPublickKey- > * List) and cleared when a Cert is no longer self-issued. PrevPublic-
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=1723047">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 1861495
:
1710381
| 1723047