diff options
author | Simon Josefsson <simon@josefsson.org> | 2007-04-18 11:59:26 +0000 |
---|---|---|
committer | Simon Josefsson <simon@josefsson.org> | 2007-04-18 11:59:26 +0000 |
commit | 6bcea395eca2bb33cf4b9bd6cf216d39efc95ce8 (patch) | |
tree | 5f30d704f55da88136adb8c015538895aac5ab6a | |
parent | 3b6f07265886c54bdce2a5b9146a2b24de99c66d (diff) | |
download | gnutls-6bcea395eca2bb33cf4b9bd6cf216d39efc95ce8.tar.gz |
Write NULL in parameters for RSA signing, backported from the 1.7.x branch.
-rw-r--r-- | NEWS | 8 | ||||
-rw-r--r-- | lib/x509/sign.c | 10 |
2 files changed, 16 insertions, 2 deletions
@@ -5,6 +5,14 @@ See the end for copying conditions. * Version 1.6.2 (unreleased) +** Fix X.509 signing with RSA-PKCS#1 to set a NULL parameters fields. +Before, we remove the parameters field, which resulted in a slightly +different DER encoding which in turn caused signature verification +failures of GnuTLS-generated RSA certificates in some other +implementations (e.g., GnuPG 2.x's gpgsm). Depending on which RFCs +you read, this may or may not be correct, but our new behaviour appear +to be consistent with other widely used implementations. + ** Regenerate the PKIX ASN.1 syntax tree. For some reason, after changing the ASN.1 type of ldap-UID in the last release, the generated C file built from the ASN.1 schema was not diff --git a/lib/x509/sign.c b/lib/x509/sign.c index 714781966d..c1c230f7ff 100644 --- a/lib/x509/sign.c +++ b/lib/x509/sign.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2003, 2004, 2005, 2006 Free Software Foundation + * Copyright (C) 2003, 2004, 2005, 2006, 2007 Free Software Foundation * * Author: Nikos Mavroyanopoulos * @@ -79,7 +79,13 @@ encode_ber_digest_info (gnutls_digest_algorithm_t hash, return _gnutls_asn2err (result); } - result = asn1_write_value (dinfo, "digestAlgorithm.parameters", NULL, 0); + /* Write an ASN.1 NULL in the parameters field. This matches RFC + 3279 and RFC 4055, although is arguable incorrect from a historic + perspective (see those documents for more information). + Regardless of what is correct, this appears to be what most + implementations do. */ + result = asn1_write_value (dinfo, "digestAlgorithm.parameters", + "\x05\x00", 2); if (result != ASN1_SUCCESS) { gnutls_assert (); |