x509: corrected issue in the algorithm parameters comparison

Each certificate has two fields to set the signature algorithm and parameters used for the digital signature. One of the fields is authenticated and the other is not. It is required from RFC5280 to enforce the equality of these fields, but currently due to an issue we wouldn't enforce the equality of the parameters fields. This fix corrects the issue. We also move an RSA-PSS certificate in chainverify that was relying on invalid parameters, to this set of invalid certificates. Resolves: #698 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
author: Nikos Mavrogiannopoulos <nmav@redhat.com> 2019-02-11 09:18:46 +0100
committer: Nikos Mavrogiannopoulos <nmav@redhat.com> 2019-02-14 11:21:57 +0100
commit: d9ba60419eb0224d623fe9205642107517678a72 (patch)
tree: 1baf2ee53fce29ad10b8561b23696c202b9ad878 /lib/x509
parent: dafe8285fd3911d25d5b4f0680d886c22b461ab2 (diff)
download: gnutls-d9ba60419eb0224d623fe9205642107517678a72.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index b5de7cb7c8..88aab5538e 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -338,7 +338,7 @@ static int compare_sig_algorithm(gnutls_x509_crt_t cert)
 		return ret;
 	}
 
-	ret = _gnutls_x509_read_value(cert->cert, "signatureAlgorithm.parameters", &sp2);
+	ret = _gnutls_x509_read_value(cert->cert, "tbsCertificate.signature.parameters", &sp2);
 	if (ret == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND) {
 		empty2 = 1;
 	} else if (ret < 0) {
author	Nikos Mavrogiannopoulos <nmav@redhat.com>	2019-02-11 09:18:46 +0100
committer	Nikos Mavrogiannopoulos <nmav@redhat.com>	2019-02-14 11:21:57 +0100
commit	d9ba60419eb0224d623fe9205642107517678a72 (patch)
tree	1baf2ee53fce29ad10b8561b23696c202b9ad878 /lib/x509
parent	dafe8285fd3911d25d5b4f0680d886c22b461ab2 (diff)
download	gnutls-d9ba60419eb0224d623fe9205642107517678a72.tar.gz