231cb82145
Estonian IDs issued between September 2014 to September 2015 are broken and use negative moduli. They last five years and are common enough that we need to work around this bug. Add parallel "buggy" versions of BN_cbs2unsigned and RSA_parse_public_key which tolerate this mistake, to align with OpenSSL's previous behavior. This code is currently hooked up to rsa_pub_decode in RSA_ASN1_METHOD so that d2i_X509 is tolerant. (This isn't a huge deal as the rest of that stack still uses the legacy ASN.1 code which is overly lenient in many other ways.) In future, when Chromium isn't using crypto/x509 and has more unified certificate handling code, we can put client certificates under a slightly different codepath, so this needn't hold for all certificates forever. Then in September 2019, when the broken Estonian certificates all expire, we can purge this codepath altogether. BUG=532048 Change-Id: Iadb245048c71dba2eec45dd066c4a6e077140751 Reviewed-on: https://boringssl-review.googlesource.com/5894 Reviewed-by: Adam Langley <agl@google.com> |
||
---|---|---|
.. | ||
openssl |