
From ab17dfd52fb5acc6aa023a9cebb65de2b4eb361d Mon Sep 17 00:00:00 2001
From: Christian Hohnstaedt <christian@hohnstaedt.de>
Date: Mon, 15 May 2023 15:39:23 +0200
Subject: [PATCH] Simplify key checking algorithm

Since we dropped OpenSSL < 1.1.1 support, we can use
 EVP_PKEY_public_check() and EVP_PKEY_check()

Thanks to discussion in:
https://github.com/ya-isakov/xca/commit/acb75afa6d33a150ab998e16bbb3159113e141a2
---
 lib/pki_evp.cpp |   45 +++++++--------------------------------------
 lib/pki_evp.h   |    2 +-
 lib/pki_key.cpp |   29 ++++++-----------------------
 lib/pki_key.h   |    3 +--
 4 files changed, 15 insertions(+), 64 deletions(-)

--- lib/pki_evp.cpp
+++ lib/pki_evp.cpp
@@ -811,47 +811,16 @@ void pki_evp::writeKey(XFile &file, cons
 	pki_openssl_error();
 }
 
-bool pki_evp::verify_priv(EVP_PKEY *pkey) const
+bool pki_evp::verify(EVP_PKEY *pkey) const
 {
-	bool verify = true;
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
-	unsigned char md[32], sig[1024];
-	size_t mdlen = sizeof md, siglen = sizeof sig;
-	EVP_PKEY_CTX *ctx = NULL;
-
 	if (!EVP_PKEY_isPrivKey(pkey))
-		return true;
-	do {
-		ctx = EVP_PKEY_CTX_new(pkey, NULL);
-		pki_ign_openssl_error();
-		RAND_bytes(md, mdlen);
-		check_oom(ctx);
-		verify = false;
+		return pki_key::verify(pkey);
+
+	EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(pkey, NULL);
+	Q_CHECK_PTR(ctx);
+	bool verify = EVP_PKEY_check(ctx);
+	EVP_PKEY_CTX_free(ctx);
 
-		/* Sign some random data in "md" */
-		if (EVP_PKEY_sign_init(ctx) <= 0)
-			break;
-		if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA)
-			EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING);
-		if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0)
-			break;
-		if (EVP_PKEY_sign(ctx, sig, &siglen, md, mdlen) <= 0)
-			break;
-		/* Verify the signature */
-		if (EVP_PKEY_verify_init(ctx) <= 0)
-			break;
-		if (EVP_PKEY_verify(ctx, sig, siglen, md, mdlen) <= 0)
-			break;
-		verify = true;
-	} while (0);
-	if (ctx)
-		EVP_PKEY_CTX_free(ctx);
-#endif
-	if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA && EVP_PKEY_isPrivKey(pkey)) {
-		const RSA *rsa = EVP_PKEY_get0_RSA(pkey);
-		if (RSA_check_key(rsa) != 1)
-			verify = false;
-	}
 	pki_openssl_error();
 	return verify;
 }
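Review bot: `bool verify = EVP_PKEY_check(ctx);` treats any non-zero return as success, but EVP_PKEY_check() returns 1 on success, 0 on failure and a negative value (e.g. -2 when the check is not supported for the key type), so a negative result becomes `true` and the key is reported as verified; the removed code never accepted that, because it tested `RSA_check_key(rsa) != 1` and the explicit sign/verify round-trip. Change it to `bool verify = EVP_PKEY_check(ctx) == 1;`. The trailing `pki_openssl_error()` may surface the queued error in the -2 case, but that makes the outcome depend on error-queue state rather than on the check result. Separately, EVP_PKEY_CTX_new() can return NULL for an unsupported key type and not only on OOM, and if `Q_CHECK_PTR` is compiled out in this build configuration the NULL ctx reaches EVP_PKEY_check(); an explicit `if (!ctx) return false;` before the check would be safer — confirm how Q_CHECK_PTR behaves in this project's build.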
--- lib/pki_evp.h
+++ lib/pki_evp.h
@@ -69,7 +69,7 @@ class pki_evp: public pki_key
 		void writePKCS8(XFile &file, const EVP_CIPHER *enc,
 				pem_password_cb *cb, bool pem) const;
 		void writePVKprivate(XFile &file, pem_password_cb *cb) const;
-		bool verify_priv(EVP_PKEY *pkey) const;
+		bool verify(EVP_PKEY *pkey) const;
 		QVariant getIcon(const dbheader *hd) const;
 		bool sqlUpdatePrivateKey();
 		QSqlError insertSqlData();
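Review bot: `bool verify(EVP_PKEY *pkey) const;` now overrides the virtual `pki_key::verify` introduced in this patch but is not marked `override`, so a future signature drift in either class would silently turn it into a hiding non-virtual function instead of a compile error. Declare it as `bool verify(EVP_PKEY *pkey) const override;` if the project builds as C++11 or later. The rest of the class declaration is outside the hunk, so I cannot see whether `override` is already used elsewhere in it.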
--- lib/pki_key.cpp
+++ lib/pki_key.cpp
@@ -737,38 +737,21 @@ void pki_key::writeSSH2public(XFile &fil
 
 bool pki_key::verify(EVP_PKEY *pkey) const
 {
-	bool verify = true;
-	const BIGNUM *a = NULL;
-	const BIGNUM *b = NULL;
-	const BIGNUM *c = NULL;
+	EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(pkey, NULL);
+	Q_CHECK_PTR(ctx);
+	bool verify = EVP_PKEY_public_check(ctx);
+	EVP_PKEY_CTX_free(ctx);
 
-	switch (EVP_PKEY_type(EVP_PKEY_id(pkey))) {
-	case EVP_PKEY_RSA:
-		RSA_get0_key(EVP_PKEY_get0_RSA(pkey), &a, &b, NULL);
-		verify = a && b;
-		break;
-	case EVP_PKEY_DSA:
-		DSA_get0_pqg(EVP_PKEY_get0_DSA(pkey), &a, &b, &c);
-		verify = a && b && c;
-		break;
-#ifndef OPENSSL_NO_EC
-	case EVP_PKEY_EC:
-		verify = EC_KEY_check_key(EVP_PKEY_get0_EC_KEY(pkey)) == 1;
-		break;
-#endif
-	default:
-		verify = false;
-	}
-	if (verify)
-		verify = verify_priv(pkey);
 	pki_openssl_error();
 	return verify;
 }
 
+#if 0
 bool pki_key::verify_priv(EVP_PKEY *) const
 {
 	return true;
 }
+#endif
 
 QString pki_key::fingerprint(const QString &format) const
 {
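Review bot: `bool verify = EVP_PKEY_public_check(ctx);` has the same sign problem as the private-key path: EVP_PKEY_public_check() returns a negative value (e.g. -2, operation not supported for this key type) besides 1/0, and the bool conversion turns that into a successful verification. The removed `default: verify = false;` branch made unknown key types fail, so this is a regression, and since the new `pki_evp::verify` delegates public keys here it affects both classes; write `bool verify = EVP_PKEY_public_check(ctx) == 1;`. Also, the `#if 0` block around `pki_key::verify_priv` should simply be deleted rather than kept as dead code — its declaration is removed from pki_key.h in this same patch, so it cannot be re-enabled without further changes anyway.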
--- lib/pki_key.h
+++ lib/pki_key.h
@@ -66,8 +66,7 @@ class pki_key: public pki_base
 		bool compare(const pki_base *ref) const;
 		int getKeyType() const;
 		bool isPrivKey() const;
-		bool verify(EVP_PKEY *pkey) const;
-		virtual bool verify_priv(EVP_PKEY *pkey) const;
+		virtual bool verify(EVP_PKEY *pkey) const;
 		int getUcount() const;
 		void setUcount(int c)
 		{