Closed Duncaen closed 1 year ago
Seems like a good solution, but how long will these deprecated APIs be provided?
I think I should do the opposite: add support for creating those signatures with RSA_encrypt manually and then create new signatures under a new name for new xbps versions.
We can create both signatures under different names at the same time; updated systems will use the new, less broken signatures and old systems can still update xbps and its dependencies without trouble.
The main issue is that our signatures contain a sha1 id in the ASN1 but a sha256 checksum length and message. Prior to OpenSSL 3 this worked and the full sha256 checksum was used, because the ASN1 was decoded on the fly and the whole message was compared against the checksum. With version 3, OpenSSL switched to just comparing hard-coded prefixes, and since our prefix is broken, it's not there. So we work around this by also hard-coding our broken prefix, and instead of using the RSA signature APIs, we use the public key to decrypt the signature and compare the content manually with our broken prefix.
This is fucking cursed and uses the deprecated APIs, but works. Doing this is not possible with the new APIs; you can't use a public key to independently decrypt the signature.
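
The workaround described in the comment above, as an added Python illustration (not part of the thread and not xbps's C code): the verifier recovers the PKCS#1 v1.5 block with the public key and compares it against a block rebuilt from a hard-coded prefix. The toy key, the helper names and the exact bytes of `LEGACY_PREFIX` (reconstructed from the description: SHA-1 OID, 32-byte digest length) are assumptions.

```python
import hashlib
import hmac

# Constructed toy RSA key from two Mersenne primes; illustration only, not secure.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes

# SHA256_PREFIX is the standard PKCS#1 v1.5 DigestInfo prefix for SHA-256.
# LEGACY_PREFIX is an assumption reconstructed from the thread's description
# (SHA-1 algorithm id, but lengths for a 32-byte digest); not taken from xbps.
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
LEGACY_PREFIX = bytes.fromhex("302d300906052b0e03021a05000420")


def encode(prefix: bytes, digest: bytes) -> bytes:
    """EMSA-PKCS1-v1_5 block: 00 01 FF..FF 00 || prefix || digest (K bytes)."""
    t = prefix + digest
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def sign(prefix: bytes, message: bytes) -> bytes:
    """Private-key operation over the encoded block (signer side)."""
    em = encode(prefix, hashlib.sha256(message).digest())
    return pow(int.from_bytes(em, "big"), D, N).to_bytes(K, "big")


def verify(prefix: bytes, message: bytes, signature: bytes) -> bool:
    """Recover the block with the public key and compare it as a whole.

    Rebuilding the expected block and comparing all K bytes avoids parsing
    the padding or the ASN.1 from the recovered data.
    """
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= N:
        return False
    recovered = pow(s, E, N).to_bytes(K, "big")
    expected = encode(prefix, hashlib.sha256(message).digest())
    return hmac.compare_digest(recovered, expected)
```

A signature made with `LEGACY_PREFIX` verifies only against that prefix, which is why a verifier that knows only the standard prefixes rejects it and why the two signature formats can coexist under different names.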