Ensure the X.509 version is V3

author job <job@openbsd.org>

Tue, 20 Jun 2023 12:28:08 +0000 (12:28 +0000)

committer job <job@openbsd.org>

Tue, 20 Jun 2023 12:28:08 +0000 (12:28 +0000)
author job <job@openbsd.org>
Tue, 20 Jun 2023 12:28:08 +0000 (12:28 +0000)
committer job <job@openbsd.org>
Tue, 20 Jun 2023 12:28:08 +0000 (12:28 +0000)
diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c

index f8f7c42..b166ed0 100644 (file)
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: cert.c,v 1.108 2023/05/09 10:34:32 tb Exp $ */
+/*     $OpenBSD: cert.c,v 1.109 2023/06/20 12:28:08 job Exp $ */
  /*
   * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
   * Copyright (c) 2021 Job Snijders <job@openbsd.org>
@@ -596,6 +596,11 @@ cert_parse_ee_cert(const char *fn, X509 *x)
         if ((p.res = calloc(1, sizeof(struct cert))) == NULL)
                 err(1, NULL);
  
+       if (X509_get_version(x) != 2) {
+               warnx("%s: RFC 6487 4.1: X.509 version must be v3", fn);
+               goto out;
+       }
+
         if (X509_get_key_usage(x) != KU_DIGITAL_SIGNATURE) {
                 warnx("%s: RFC 6487 section 4.8.4: KU must be digitalSignature",
                     fn);
@@ -680,6 +685,11 @@ cert_parse_pre(const char *fn, const unsigned char *der, size_t len)
                 goto out;
         }
  
+       if (X509_get_version(x) != 2) {
+               warnx("%s: RFC 6487 4.1: X.509 version must be v3", fn);
+               goto out;
+       }
+
         X509_get0_signature(NULL, &palg, x);
         if (palg == NULL) {
                 cryptowarnx("%s: X509_get0_signature", p.fn);
author	job <job@openbsd.org>
	Tue, 20 Jun 2023 12:28:08 +0000 (12:28 +0000)
committer	job <job@openbsd.org>
	Tue, 20 Jun 2023 12:28:08 +0000 (12:28 +0000)