[erlang-patches] support md2WithRSAEncryption certificates
Christian von Roques
roques@REDACTED
Wed Sep 28 10:16:33 CEST 2011
Sverker Eriksson <sverker@REDACTED> writes:
> Bad news. It looks like we will not include this patch in R14B04 after all.
> It caused problem on our build machines that uses version 1.0.0 of
> OpenSSL. MD2 hash has been excluded from 1.0.0 because it is not
> considered cryptographically secure.
Bad news, indeed :-(
I'm currently swamped with other work and am unable to find the time
required for the correct solution. I've written a trivial patch making
usage of MD2 (and all other digests) conditional on
#ifndef OPENSSL_NO_MD2 respectively #ifndef OPENSSL_NO_<digest>
However, this is NOT the correct long-term solution. Adding #ifdef
OPENSSL_NO_MD2 only solves our problem (crashing verification of
Verisign's root-certificate) as long as Erlang is linked with an old
release of OpenSSL, which still builds support for md2 by default.
The right solution would be something like:
http://cvs.openssl.org/chngview?cn=18260
http://cvs.openssl.org/chngview?cn=18317
When removing my patchset, please make sure to retain
commit 6cd2fa9346d51ab936873d96b5c96bf5c15ddcf0
Author: Christian von Roques <roques@REDACTED>
Date: Tue Sep 6 19:30:10 2011 +0200
Document crypto:sha_mac_96/2 to compute an SHA MAC, not MD5
As well as the following change in public_key.erl:
@@ -335,7 +335,9
%%--------------------------------------------------------------------
verify(PlainText, DigestType, Signature,
#'RSAPublicKey'{modulus = Mod, publicExponent = Exp})
- when is_binary (PlainText), DigestType == sha; DigestType == md5 ->
+ when is_binary(PlainText),
+ (DigestType == md5 orelse
+ DigestType == sha) ->
crypto:rsa_verify(DigestType,
sized_binary(PlainText),
sized_binary(Signature),
@@ -335,7 +335,9
%%--------------------------------------------------------------------
verify(PlainText, DigestType, Signature,
#'RSAPublicKey'{modulus = Mod, publicExponent = Exp})
- when is_binary (PlainText), DigestType == sha; DigestType == md5 ->
+ when is_binary(PlainText),
+ (DigestType == md5 orelse
+ DigestType == sha) ->
crypto:rsa_verify(DigestType,
sized_binary(PlainText),
sized_binary(Signature),
Sorry for not completing the job,
Christian.
> Christian von Roques wrote:
>> Henrik Nord <henrik@REDACTED> writes:
>>> On 08/06/2011 08:47 PM, Christian von Roques wrote:
>>>
>>>> I've added support for md2WithRSAEncryption certificates to public_key
>>>> and the necessary support for md2 to crypto:rsa_sign/3 and
>>>> crypto:rsa_verify/4.
>>>> [...]
>>>>
>>
>>
>>> we would like you to correct the following for us to include this branch.
>>>
>>> * add documentation for crypto
>>> * add test case for crypto
>>> * Split into two commits (crypto and public_key)
>>>
>>
>> done.
>>
>> Please re-fetch
>>
>> git fetch git://github.com/roques/otp.git md2WithRSAEncryption
>>
>> The branch now consists of the requested two commits and an additional
>> trivial third commit documenting crypto:sha_mac_96/2 to compute an SHA
>> MAC, not MD5.
>>
>> Christian.
>>
>> _______________________________________________
>> erlang-patches mailing list
>> erlang-patches@REDACTED
>> http://erlang.org/mailman/listinfo/erlang-patches
>>
>>
More information about the erlang-patches
mailing list