The branch master has been updated
via 0a4e660a273d6d33cfc1608ed48d6e560ae970ed (commit)
from 3811e0019aa8340b413e65fcf81d4b726f437c93 (commit)
- Log -----------------------------------------------------------------
commit 0a4e660a273d6d33cfc1608ed48d6e560ae970ed
Author: Matt Caswell <m...@openssl.org>
Date: Tue May 25 14:39:29 2021 +0100
Update check_sig_alg_match() to work with provided keys
Use EVP_PKEY_is_a() to check whether an EVP_PKEY is compatible with the
given signature.
Reviewed-by: Shane Lontis <shane.lon...@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15528)
-----------------------------------------------------------------------
Summary of changes:
crypto/x509/v3_purp.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/crypto/x509/v3_purp.c b/crypto/x509/v3_purp.c
index ede556d8ef..bcec4194fa 100644
--- a/crypto/x509/v3_purp.c
+++ b/crypto/x509/v3_purp.c
@@ -366,16 +366,15 @@ static int setup_crldp(X509 *x)
/* Check that issuer public key algorithm matches subject signature algorithm
*/
static int check_sig_alg_match(const EVP_PKEY *issuer_key, const X509 *subject)
{
- int signer_nid, subj_sig_nid;
+ int subj_sig_nid;
if (issuer_key == NULL)
return X509_V_ERR_NO_ISSUER_PUBLIC_KEY;
- signer_nid = EVP_PKEY_base_id(issuer_key);
if
(OBJ_find_sigid_algs(OBJ_obj2nid(subject->cert_info.signature.algorithm),
NULL, &subj_sig_nid) == 0)
return X509_V_ERR_UNSUPPORTED_SIGNATURE_ALGORITHM;
- if (signer_nid == EVP_PKEY_type(subj_sig_nid)
- || (signer_nid == NID_rsaEncryption && subj_sig_nid == NID_rsassaPss))
+ if (EVP_PKEY_is_a(issuer_key, OBJ_nid2sn(subj_sig_nid))
+ || (EVP_PKEY_is_a(issuer_key, "RSA") && subj_sig_nid == NID_rsassaPss))
return X509_V_OK;
return X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH;
}
