From: Alberto Leiva Popper <ydahhrk@gmail.com>
Date: Fri, 3 Feb 2023 17:56:22 +0000 (-0600)
Subject: Downgrade the "modulus too long" error to warning.
X-Git-Tag: 1.5.4~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dacf43852e75027e0cd9f3c4d3c4ed3bdb33b868;p=thirdparty%2FFORT-validator.git

Downgrade the "modulus too long" error to warning.

Mirrors the new public key code's small forward compatibility gimmic
in the old code.
---

diff --git a/src/object/certificate.c b/src/object/certificate.c
index 377f5199..c6f61efd 100644
--- a/src/object/certificate.c
+++ b/src/object/certificate.c
@@ -391,9 +391,12 @@ validate_subject_public_key(X509_PUBKEY *pubkey)
 		return val_crypto_err("EVP_PKEY_get0_RSA() returned NULL");
 
 	modulus = RSA_bits(rsa);
-	if (modulus != MODULUS)
+	if (modulus < MODULUS)
 		return pr_val_err("Certificate's subjectPublicKey (RSAPublicKey) modulus is %d bits, not %d bits.",
 		    modulus, MODULUS);
+	if (modulus > MODULUS)
+		pr_val_warn("Certificate's subjectPublicKey (RSAPublicKey) modulus lengths %d bits, not %d bits",
+		    modulus, MODULUS);
 
 	RSA_get0_key(rsa, NULL, &exp, NULL);
 	if (exp == NULL)