Browse code
Fix blacklist CRB rules not working against certs using e!=65537
CRB rules allow the exponent to be specified, but currently this value
gets ignored and hardcoded to 65537. It turns out that most certs I
tested against (12,000 from VT) use e==65537, but a handful don't.
Andrew authored on 2019/10/12 06:03:38Showing 1 changed files
| ... | ... |
@@ -141,6 +141,10 @@ cli_crt *crtmgr_blacklist_lookup(crtmgr *m, cli_crt *x509) |
| 141 | 141 |
// which we could also match on, but we just ignore those fields |
| 142 | 142 |
// for blacklist certs for now |
| 143 | 143 |
|
| 144 |
+ // TODO the rule format allows the exponent to be specified as well, |
|
| 145 |
+ // but that gets ignored when CRB rules are parsed (and set to a fixed |
|
| 146 |
+ // value), so ignore that field when looking at certs |
|
| 147 |
+ |
|
| 144 | 148 |
// TODO Handle the case where these items aren't specified in a CRB |
| 145 | 149 |
// rule entry - substitute in default values instead (or make the |
| 146 | 150 |
// crb parser not permit leaving these fields blank). |
| ... | ... |
@@ -148,8 +152,7 @@ cli_crt *crtmgr_blacklist_lookup(crtmgr *m, cli_crt *x509) |
| 148 | 148 |
if (i->isBlacklisted && |
| 149 | 149 |
!memcmp(i->subject, x509->subject, sizeof(i->subject)) && |
| 150 | 150 |
!memcmp(i->serial, x509->serial, sizeof(i->serial)) && |
| 151 |
- !mp_cmp(&x509->n, &i->n) && |
|
| 152 |
- !mp_cmp(&x509->e, &i->e)) {
|
|
| 151 |
+ !mp_cmp(&x509->n, &i->n)) {
|
|
| 153 | 152 |
return i; |
| 154 | 153 |
} |
| 155 | 154 |
} |