dnaeon / rust-sshkeys

Rust library for reading OpenSSH public keys and certificates

Is the signature validated with the signature key?

diggyk opened this issue

I was looking at the code but was not able to confirm. However, it seems the signature is never validated, is it? So could someone then potentially use a certificate that lists a bogus signature or signature_key?

Hey @diggyk,

I was just checking the code as well, since I haven't touched it for a long time and wasn't sure about the signature validation either.

Apparently, the signature doesn't seem to be validated, as you've mentioned already, which is a big gap on my side for not having this implemented initially.

Unfortunately, I don't have enough spare time to work on this one at the moment and have it fixed.

Would you be interested in submitting a PR for this one?

Thanks!
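What the missing check involves, as an added example that is not part of this thread or of rust-sshkeys: the signature has to verify over every byte up to and including the signature key, and that key has to be one the verifier already trusts. It is written in dependency-free Python and limited to RSA CA keys; the function names and the `trusted_ca_keys` parameter are assumptions, and the input is the base64-decoded certificate blob.

```python
import hashlib

# Length-prefixed public-key fields per certificate type (OpenSSH PROTOCOL.certkeys).
KEY_FIELDS = {b"ssh-rsa-cert-v01@openssh.com": 2, b"ssh-ed25519-cert-v01@openssh.com": 1}
# Hash name and DER DigestInfo prefix for EMSA-PKCS1-v1_5 (RFC 8017, section 9.2).
DIGEST_INFO = {b"rsa-sha2-256": ("sha256", bytes.fromhex("3031300d060960864801650304020105000420")),
               b"rsa-sha2-512": ("sha512", bytes.fromhex("3051300d060960864801650304020305000440"))}

def read_string(buf, off):
    """Read one SSH string (uint32 length, then bytes); return (value, next offset)."""
    n = int.from_bytes(buf[off:off + 4], "big")
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def split_certificate(blob):
    """Return (signed_bytes, signature_key, signature) from a decoded certificate blob."""
    ctype, off = read_string(blob, 0)
    if ctype not in KEY_FIELDS:
        raise ValueError("unsupported certificate type")
    for skip, count in ((0, 1 + KEY_FIELDS[ctype]), (12, 2), (16, 3)):  # skip: fixed-width bytes
        off += skip  # 12 = serial (uint64) + type (uint32); 16 = valid after + valid before
        for _ in range(count):  # nonce, key | key id, principals | options, extensions, reserved
            _, off = read_string(blob, off)
    sig_key, off = read_string(blob, off)
    signed = blob[:off]  # the signature covers everything up to and including the CA key
    signature, off = read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing data after signature")
    return signed, sig_key, signature

def verify_rsa_certificate(blob, trusted_ca_keys):
    """True only if a trusted RSA CA key signed the certificate (rsa-sha2-256/512)."""
    signed, sig_key, signature = split_certificate(blob)
    if sig_key not in trusted_ca_keys:  # an embedded key proves nothing unless already trusted
        return False
    ktype, off = read_string(sig_key, 0)
    e_raw, off = read_string(sig_key, off)
    n_raw, off = read_string(sig_key, off)
    alg, soff = read_string(signature, 0)
    sig, soff = read_string(signature, soff)
    if ktype != b"ssh-rsa" or alg not in DIGEST_INFO or soff != len(signature):
        return False
    e, n = int.from_bytes(e_raw, "big"), int.from_bytes(n_raw, "big")
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    hash_name, prefix = DIGEST_INFO[alg]
    t = prefix + hashlib.new(hash_name, signed).digest()
    expected = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return k >= len(t) + 11 and s < n and pow(s, e, n).to_bytes(k, "big") == expected
```

A passing result says only that a trusted CA issued the certificate; the validity window, principals and critical options still have to be enforced separately.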