CRB rules allow the exponent to be specified, but currently that value
is ignored and the exponent is hardcoded to 65537. It turns out that most
certs I tested against (12,000 from VT) use e==65537, but a handful don't.
@@ -141,6 +141,10 @@ cli_crt *crtmgr_blacklist_lookup(crtmgr *m, cli_crt *x509) |
141 | 141 |
// which we could also match on, but we just ignore those fields |
142 | 142 |
// for blacklist certs for now |
143 | 143 |
|
144 |
+ // TODO the rule format allows the exponent to be specified as well, |
|
145 |
+ // but that gets ignored when CRB rules are parsed (and set to a fixed |
|
146 |
+ // value), so ignore that field when looking at certs |
|
147 |
+ |
|
144 | 148 |
// TODO Handle the case where these items aren't specified in a CRB |
145 | 149 |
// rule entry - substitute in default values instead (or make the |
146 | 150 |
// crb parser not permit leaving these fields blank). |
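Review bot: The new comment at 144–146 says the exponent field is ignored but never states what the lookup now matches on, so a reader of the second hunk (where the `!mp_cmp(&x509->e, &i->e)` term is dropped) has to reconstruct the contract from the commit message. I would phrase it as a statement of what the code does rather than a TODO, e.g. `// Match on subject, serial and modulus only: the CRB parser currently discards the rule's exponent and stores a fixed e, so comparing e here would miss certs whose key uses a different exponent. Restore the e check once the parser honours the field.` Since `i->e` presumably still holds that fixed value without taking part in the match, a matching note at the parser side would keep the two from drifting apart when the exponent is eventually parsed. crtmgr_blacklist_lookup's signature and the loop over `i` begin outside the hunk.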
@@ -148,8 +152,7 @@ cli_crt *crtmgr_blacklist_lookup(crtmgr *m, cli_crt *x509) |
148 | 148 |
if (i->isBlacklisted && |
149 | 149 |
!memcmp(i->subject, x509->subject, sizeof(i->subject)) && |
150 | 150 |
!memcmp(i->serial, x509->serial, sizeof(i->serial)) && |
151 |
- !mp_cmp(&x509->n, &i->n) && |
|
152 |
- !mp_cmp(&x509->e, &i->e)) { |
|
151 |
+ !mp_cmp(&x509->n, &i->n)) { |
|
153 | 152 |
return i; |
154 | 153 |
} |
155 | 154 |
} |