On 2017-01-28 07:51, Peter Gutmann wrote:
> Jakob Bohm <jb-mozi...@wisemo.com> writes:
>
>> DSA and ECDSA signatures are only secure if the hash algorithm is specified
>> in the certificate, presumably as part of the AlgorithmIdentifier in the
>> SubjectPublicKeyInfo.
>
> It's in the (badly-named) signature field of the cert, if it was in the
> signatureAlgorithm it wouldn't be covered by the sig. Having said that, I
> don't know how many implementations actually check whether what's in the
> signature corresponds to the signatureAlgorithm, I tried it many years ago
> (md5With... vs sha1With...) and nothing much seemed to notice, as long as the
> signatureAlgorithm was the one that was correct for the signature.

At least OpenSSL changed this, CVE-2014-8275.


Kurt
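
A defender-side check for the mismatch discussed above, added here as an example (not code from the thread, from OpenSSL, or from the CVE-2014-8275 fix): it walks a certificate's DER and compares the inner tbsCertificate.signature AlgorithmIdentifier with the outer signatureAlgorithm, which RFC 5280 section 4.1.2.3 requires to be identical. The certificates it checks are constructed skeletons with dummy contents, built by the small `der`/`build_cert` helpers below; the parser itself works on real DER as well.

```python
from typing import Tuple

def der_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the DER TLV at buf[pos]; handles short and long lengths."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long form: low 7 bits give the number of length octets
        n, ln = ln & 0x7F, 0
        for _ in range(n):
            ln, pos = (ln << 8) | buf[pos], pos + 1
    return tag, buf[pos:pos + ln], pos + ln

def signature_algorithms_match(cert: bytes) -> bool:
    """True iff tbsCertificate.signature and Certificate.signatureAlgorithm are byte-identical
    (OID and parameters), i.e. the check RFC 5280 requires and an older verifier might skip."""
    _, body, _ = der_tlv(cert, 0)                 # Certificate ::= SEQUENCE { tbs, sigAlg, sigValue }
    _, tbs, pos = der_tlv(body, 0)                # tbsCertificate
    outer_start = pos
    _, _, pos = der_tlv(body, pos)                # signatureAlgorithm (outside the signed region)
    outer_alg = body[outer_start:pos]
    p = 0                                         # inside tbsCertificate: [0] version OPTIONAL,
    tag, _, after = der_tlv(tbs, p)               # serialNumber, then signature AlgorithmIdentifier
    if tag == 0xA0:                               # EXPLICIT [0] version present
        p = after
    _, _, p = der_tlv(tbs, p)                     # serialNumber INTEGER
    inner_start = p
    _, _, p = der_tlv(tbs, p)                     # signature AlgorithmIdentifier (inside the signed region)
    inner_alg = tbs[inner_start:p]
    return inner_alg == outer_alg

# --- constructed sample input (hypothetical helpers, not a full X.509 encoder) ---
def der(tag: int, body: bytes) -> bytes:
    assert len(body) < 128                        # short-form length is enough for these skeletons
    return bytes([tag, len(body)]) + body

def build_cert(inner_oid: bytes, outer_oid: bytes) -> bytes:
    """Skeleton Certificate: version v3, serial 1, the two AlgorithmIdentifiers, dummy signature."""
    alg = lambda oid: der(0x30, der(0x06, oid) + b"\x05\x00")      # OID + NULL parameters
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg(inner_oid))
    return der(0x30, tbs + alg(outer_oid) + der(0x03, b"\x00\xAA"))

SHA1_RSA = bytes.fromhex("2a864886f70d010105")   # 1.2.840.113549.1.1.5  sha1WithRSAEncryption
MD5_RSA = bytes.fromhex("2a864886f70d010104")    # 1.2.840.113549.1.1.4  md5WithRSAEncryption

if __name__ == "__main__":
    print(signature_algorithms_match(build_cert(SHA1_RSA, SHA1_RSA)))   # True: consistent
    print(signature_algorithms_match(build_cert(MD5_RSA, SHA1_RSA)))    # False: md5With... vs sha1With...
```

On a real certificate, feed `signature_algorithms_match` the raw DER bytes; a `False` result is exactly the inner/outer disagreement the thread describes and should be treated as a rejection, not a warning.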


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
