{
  "commit": "ec45e104a608ba556be73a0776cfb495c6c8ae44",
  "tree": "5615330e4d930e276763e849fb25a81b955668be",
  "parents": [
    "440c51317bcbc15aec372bc78cf6fbf59d7eb435"
  ],
  "author": {
    "name": "David Benjamin",
    "email": "davidben@google.com",
    "time": "Sun Mar 17 16:15:48 2024 +1000"
  },
  "committer": {
    "name": "Boringssl LUCI CQ",
    "email": "boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com",
    "time": "Sun Mar 17 07:42:18 2024 +0000"
  },
  "message": "X509_ALGOR_set_md is a mess, document it\n\ntb noticed that our X509_ALGOR_set_md differs from OpenSSL because we\nnever set EVP_MD_FLAG_DIGALGID_ABSENT. That is, we include an explicit\nNULL parameter, while OpenSSL omits it.\n\nRFC 4055, section 2.1 says:\n\n   There are two possible encodings for the AlgorithmIdentifier\n   parameters field associated with these object identifiers.  The two\n   alternatives arise from the loss of the OPTIONAL associated with the\n   algorithm identifier parameters when the 1988 syntax for\n   AlgorithmIdentifier was translated into the 1997 syntax.  Later the\n   OPTIONAL was recovered via a defect report, but by then many people\n   thought that algorithm parameters were mandatory.  Because of this\n   history some implementations encode parameters as a NULL element\n   while others omit them entirely.  The correct encoding is to omit the\n   parameters field; however, when RSASSA-PSS and RSAES-OAEP were\n   defined, it was done using the NULL parameters rather than absent\n   parameters.\n\n   ...\n\n   To be clear, the following algorithm identifiers are used when a NULL\n   parameter MUST be present:\n\n   ...\n\nMy read of this text is:\n\n1. The correct encoding of, say, SHA-256 as an AlgorithmIdentifier *was*\n   to omit the parameter. So if you\u0027re using it in, I dunno, CMS, you\n   should omit it.\n\n2. Due to a mishap, RSASSA-PSS originally said otherwise and included\n   it. Additionally, there are some implementations that only work if\n   you include it.\n\n3. Once the mistake was discovered, PSS chose to preserve the mistake,\n   rather than undo it.\n\nThis means that the correct encoding of SHA-256 as an AlgorithmIdentifier\nis *different* depending on whether you\u0027re doing PSS or CMS.\nFortunately, there are only two users of this function, one inside the\nlibrary and one in Android. Both are trying to encode PSS, so the\ncurrent behavior is correct. Nonetheless, we should document this.\n\nAlso, because this is a huge mess, we should also add an API for\nspecifically encoding RSA-PSS. From there, we can update Android to call\nthat function and remove X509_ALGOR_set_md.\n\nAmusingly, RSASSA-PKCS1-v1_5 *also* differs from the \"correct\" encoding.\nRFC 8017, Appendix B.1 says:\n\n   The parameters field associated with id-sha1, id-sha224, id-sha256,\n   id-sha384, id-sha512, id-sha512/224, and id-sha512/256 should\n   generally be omitted, but if present, it shall have a value of type\n   NULL.\n\n   This is to align with the definitions originally promulgated by NIST.\n   For the SHA algorithms, implementations MUST accept\n   AlgorithmIdentifier values both without parameters and with NULL\n   parameters.\n\n   Exception: When formatting the DigestInfoValue in EMSA-PKCS1-v1_5\n   (see Section 9.2), the parameters field associated with id-sha1,\n   id-sha224, id-sha256, id-sha384, id-sha512, id-sha512/224, and\n   id-sha512/256 shall have a value of type NULL.  This is to maintain\n   compatibility with existing implementations and with the numeric\n   information values already published for EMSA-PKCS1-v1_5, which are\n   also reflected in IEEE 1363a [IEEE1363A].\n\nFinally, there\u0027s EVP_marshal_digest_algorithm, used in PKCS#8 and OCSP.\nI suspect we\u0027re doing that one wrong. I\u0027ve left a TODO there to dig into\nthat one.\n\nBug: 710\nChange-Id: I46b11f8c56442a9badd186c7f04bb366147ed98f\nReviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/67088\nAuto-Submit: David Benjamin \u003cdavidben@google.com\u003e\nReviewed-by: Bob Beck \u003cbbe@google.com\u003e\nCommit-Queue: Bob Beck \u003cbbe@google.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "08ed671a8095566e6c87ea846a95c59efdd7f42b",
      "old_mode": 33188,
      "old_path": "crypto/digest_extra/digest_extra.c",
      "new_id": "f5750354956ed9fa72d45f60ebcd7784ac0920f8",
      "new_mode": 33188,
      "new_path": "crypto/digest_extra/digest_extra.c"
    },
    {
      "type": "modify",
      "old_id": "32e09335cf83aedaef53b8b3bb9caff97b6dbcb9",
      "old_mode": 33188,
      "old_path": "include/openssl/x509.h",
      "new_id": "414451f85bdd424a2e40886a4421838fe53369c7",
      "new_mode": 33188,
      "new_path": "include/openssl/x509.h"
    }
  ]
}
