diff options
author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2019-02-11 09:18:46 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2019-02-14 11:21:57 +0100 |
commit | d9ba60419eb0224d623fe9205642107517678a72 (patch) | |
tree | 1baf2ee53fce29ad10b8561b23696c202b9ad878 /lib/x509/x509.c | |
parent | dafe8285fd3911d25d5b4f0680d886c22b461ab2 (diff) | |
download | gnutls-d9ba60419eb0224d623fe9205642107517678a72.tar.gz |
x509: corrected issue in the algorithm parameters comparison
Each certificate has two fields to set the signature algorithm
and parameters used for the digital signature. One of the fields is
authenticated and the other is not. It is required from RFC5280 to
enforce the equality of these fields, but currently due to an issue
we wouldn't enforce the equality of the parameters fields. This
fix corrects the issue.
We also move an RSA-PSS certificate in chainverify that was relying
on invalid parameters, to this set of invalid certificates.
Resolves: #698
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'lib/x509/x509.c')
-rw-r--r-- | lib/x509/x509.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/x509/x509.c b/lib/x509/x509.c index b5de7cb7c8..88aab5538e 100644 --- a/lib/x509/x509.c +++ b/lib/x509/x509.c @@ -338,7 +338,7 @@ static int compare_sig_algorithm(gnutls_x509_crt_t cert) return ret; } - ret = _gnutls_x509_read_value(cert->cert, "signatureAlgorithm.parameters", &sp2); + ret = _gnutls_x509_read_value(cert->cert, "tbsCertificate.signature.parameters", &sp2); if (ret == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND) { empty2 = 1; } else if (ret < 0) { |