Closed
Bug 1531739
Opened 6 years ago
Closed 6 years ago
The NSS S/MIME signature verification function should use a whitelist of acceptable digest algorithms
Categories
(NSS :: Libraries, enhancement)
NSS
Libraries
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: KaiE, Assigned: KaiE)
References
Details
Attachments
(1 file)
|
1.10 KB,
patch
|
Details | Diff | Splinter Review |
Looking at NSS_CMSSignerInfo_Verify, I don't see a restriction for acceptable digest algorithms.
It might be good to add a whitelist, and disable those we don't want to support.
|
Assignee | |
Updated•6 years ago
|
Assignee: nobody → kaie
|
|
Assignee | |
Updated•6 years ago
|
|
|
Assignee | |
Comment 1•6 years ago
|
||
This patch disables both MD2 and MD5 digests.
|
|
Assignee | |
Updated•6 years ago
|
Attachment #9047695 -
Flags: review?(rrelyea)
|
||
Comment 2•6 years ago
|
||
Comment on attachment 9047695 [details] [diff] [review]
1531739-v1.patch
r-
breaks processing of data at rest
|
|
Assignee | |
Updated•6 years ago
|
Attachment #9047695 -
Flags: review?(rrelyea)
|
|
Assignee | |
Comment 3•6 years ago
|
||
I have to agree with Hubert. The function that I suggested to modify is used to check the signature of a message, nothing else.
The decision, whether a message with a MD5 digest is considered acceptable or insecure should probably be implemented at a different place. I couldn't find a better NSS function yet. Maybe it should be implemented at the Thunderbird application code level.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
Summary: S/MIME signature verification should use a whitelist of acceptable digest algorithms → The NSS S/MIME signature verification function should use a whitelist of acceptable digest algorithms
You need to log in
before you can comment on or make changes to this bug.
Description
•