diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2017-04-24 19:16:16 +0100 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2017-04-25 22:12:34 +0100 |
commit | c3c8823c879d90b93108b9e76db5ed5690724c9c (patch) | |
tree | 1b937a5319e05ad0ee5d4f689b6af180a629b1bd /crypto/x509/x509_vfy.c | |
parent | 786dd2c22c71081492e209d93beee3ff4fe66357 (diff) | |
download | openssl-c3c8823c879d90b93108b9e76db5ed5690724c9c.tar.gz |
Use X509_get_signature_info() when checking security levels.
Make signature security level checking more flexible by using
X509_get_signaure_info(): some signature methods (e.g. PSS, ED25519)
do not indicate the signing digest (if any) in the signature OID.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3301)
Diffstat (limited to 'crypto/x509/x509_vfy.c')
-rw-r--r-- | crypto/x509/x509_vfy.c | 12 |
1 files changed, 2 insertions, 10 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 2f1cd1ae3a..70ce606522 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -3201,8 +3201,6 @@ static int check_key_level(X509_STORE_CTX *ctx, X509 *cert) */ static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert) { - int nid = X509_get_signature_nid(cert); - int mdnid = NID_undef; int secbits = -1; int level = ctx->param->auth_level; @@ -3211,14 +3209,8 @@ static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert) if (level > NUM_AUTH_LEVELS) level = NUM_AUTH_LEVELS; - /* Lookup signature algorithm digest */ - if (nid && OBJ_find_sigid_algs(nid, &mdnid, NULL)) { - const EVP_MD *md; - - /* Assume 4 bits of collision resistance for each hash octet */ - if (mdnid != NID_undef && (md = EVP_get_digestbynid(mdnid)) != NULL) - secbits = EVP_MD_size(md) * 4; - } + if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL)) + return 0; return secbits >= minbits_table[level - 1]; } |