I'm trying to understand CVE-2021-43527 and how it impacts verifying
an untrusted end cert starting with a trusted root cert.

In the blog 
https://googleprojectzero.blogspot.com/2021/12/this-shouldnt-have-happened.html
the example uses a self-signed certificate.  This means we have:

    vfy_CreateContext(key=untrusted, sig=untrusted)
               sigLen = SECKEY_SignatureLen(key);
               ...
               if (sig->len != sigLen) {
                   PORT_SetError(SEC_ERROR_BAD_SIGNATURE);

i.e., both SECKEY_SignatureLen(key) and sig->len are coming from the
wire (untrusted source).

However, when calling this function via CERT_PKIXVerifyCert(), the
calls look more like:

    vfy_CreateContext(key=trusted, sig=untrusted)

(trusted is either the root cert, or a previously authenticated
certificate) which would mean that the (sig->len != sigLen) check does
the right thing?
