On Mon, Aug 30, 2010, Goran Rakic wrote:

> ?? ??????, 30. 08 2010. ?? 20:38 +0200, Dr. Stephen Henson ????????:
> >
> > I wouldn't advise changing the code in that way (FYI I wrote it). The normal
> > workaround in OpenSSL for broken encodings is to use the original encoding
> > by caching it. The attached three line patch adds this workaround for
> > certificates.
> Thanks Stephen. This preprocessor black magic looks very interesting, I
> will spend some free time trying to understand it in the following days.

Well it is buried in the ASN1 code. All it does is uses an extra structure to
save the received encoding. Then when signatures are calculated that is used
instead of re-encoding the parsed out structure. 

> I read your message on openssl-dev about the issue with a dirty cache.
> As a naive code reader, I am wondering could not the "modified" field in
> the cached data be set whenever certificate data is modified to
> invalidate the cache? Will this allow integrating this patch upstream?

It isn't possible to cover all cases where the certificate data is modified as
some don't keep a reference to the parent certificate structure.

However it is possible to always re-encode when a certificate is signed (this
is done for CRLs) which should cover all cases except pathological ones where
a certificate is modified and not re-signed to deliberately produce invalid

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

Reply via email to