]> granicus.if.org Git - openssl/commit
Fix bogus check for EVP_PKEY_supports_digest_nid() in check_cert_usable()
authorDavid Woodhouse <dwmw2@infradead.org>
Thu, 22 Aug 2019 17:09:11 +0000 (18:09 +0100)
committerMatt Caswell <matt@openssl.org>
Tue, 27 Aug 2019 14:32:59 +0000 (15:32 +0100)
commitb5a276884b8e945815732845540af3c8143e8457
tree7585880453531c2dfaf353885e211c6b18ec6a69
parent8b138d3fe4d9dbbc632511d4ac8b7099b793630b
Fix bogus check for EVP_PKEY_supports_digest_nid() in check_cert_usable()

In commit 2d263a4a73 ("Honour mandatory digest on private key in
has_usable_cert()" I added two checks for the capabilities of the
EVP_PKEY being used. One of them was wrong, as it should only be
checking the signature of the X.509 cert (by its issuer) against the
sigalgs given in a TLS v1.3 signature_algorithms_cert extension.

Remove it and provide the code comments which, if they'd been present
in the first place, would hopefully have prevented the mistake.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9672)
ssl/t1_lib.c