Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Investigate if RSA issue can happen with ECDSA/ECDH on OpenSSL < 3.0 #105175

Closed
krwq opened this issue Jul 20, 2024 · 1 comment · Fixed by #106397
Closed

Investigate if RSA issue can happen with ECDSA/ECDH on OpenSSL < 3.0 #105175

krwq opened this issue Jul 20, 2024 · 1 comment · Fixed by #106397
Assignees
@krwq
Labels
area-System.Security blocking-release in-pr There is an active PR which will close this issue when it is merged
Milestone
9.0.0

Comments

@krwq
Copy link
Member

krwq commented Jul 20, 2024
edited
Loading

In #104961 we've changed OpenSSL implementation of ECDsa and ECDH to be similar to RSA. RSA implementation had a workaround for OpenSSL issue which occurs only on some low versions of OpenSSL and it requires us checking if key is a private key explicitly rather than relying on OpenSSL API. See: #53345 (comment) - we've added HasNoPrivateKey check in the Sign/Decrypt operations.

We need to verify if:

  • is that code still needed (i.e. has OpenSSL fixed the bug)
  • do we need similar check in ECDSA/ECDH? (the most likely answer is "no" but we need to confirm)

As part of this it would be good to add provider test cases as suggested per #104961 (review)
@krwq krwq added this to the 9.0.0 milestone Jul 20, 2024
@krwq krwq self-assigned this Jul 20, 2024
@dotnet-policy-service Dotnet Policy Service
Copy link
Contributor

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

@krwq krwq mentioned this issue Jul 20, 2024
Merged
@krwq krwq mentioned this issue Aug 14, 2024
Merged
@dotnet-policy-service dotnet-policy-service bot added the in-pr There is an active PR which will close this issue when it is merged label Aug 14, 2024
@github-actions github-actions bot locked and limited conversation to collaborators Sep 20, 2024
# for free to subscribe to this conversation on GitHub. Already have an account? #.
Assignees

@krwq krwq

Labels
area-System.Security blocking-release in-pr There is an active PR which will close this issue when it is merged
Projects
None yet
Milestone
9.0.0
Development

Successfully merging a pull request may close this issue.

Make SafeEvpPKeyHandle.OpenKeyFromProvider throw PNSE on OSSL less than 3.0 krwq/runtime-1
2 participants
@krwq @jeffhandley