artulab
projects / openbsd / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 87d557e) | patch
Implement most of the CMS related checks required by RFC 6488 section 3
authorclaudio <claudio@openbsd.org>
Fri, 25 Mar 2022 08:19:04 +0000 (08:19 +0000)
committerclaudio <claudio@openbsd.org>
Fri, 25 Mar 2022 08:19:04 +0000 (08:19 +0000)
commit9025e29518419813880e10ef0f5a45d602e9f2f1
tree5ddc97f41991c507257caa8628d1841b64515669tree | snapshot
parent87d557e066d7099ad39dbe09776d97571c009717commit | diff
Implement most of the CMS related checks required by RFC 6488 section 3

Verify that SignerInfo and Signed Attributes are set according to the RFC.
Especially enforce that the right attributes are signed. Check that there
are no unsigned attributes, no CRL and that the correct content-type,
digest and signature algorithm are used.

The OpenSSL API makes it impossible to verify the versions and some other
more suttle differences like detecting signle attributes vs a SET OF one.
Similarly OpenSSL accepts both DER and BER encoding in the payload.
These smaller differences to the RFC are not optimal but not a risk.

Lots of feedback and OK tb@
usr.sbin/rpki-client/cms.c diff | blob | history
usr.sbin/rpki-client/x509.c diff | blob | history
OpenBSD src
by Ahmet Artu Yildirim