Use error check to ensure we have SignedData in CMS

CMS_get0_SignerInfos() only returns a non-NULL pointer if the CMS object
contains SignedData. The subsequent assert can trigger if we parse an
object that is not of this type. Nothing ensures this up to this point,
so we have no way of knowing that the assertion is actually true. If we
get a CMS object without SignedData, we should ignore it, not abort the
rpki-client run. With this check in place it is also clear that we
actually check point 1a of the list of things to check in RFC 6488,
section 3.

ok claudio job

diff --git a/usr.sbin/rpki-client/cms.c b/usr.sbin/rpki-client/cms.c
index 681a9c8..eb8a201 100644 (file)
--- a/usr.sbin/rpki-client/cms.c
+++ b/usr.sbin/rpki-client/cms.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: cms.c,v 1.33 2023/03/13 19:46:55 job Exp $ */
+/*     $OpenBSD: cms.c,v 1.34 2023/05/30 11:09:08 tb Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -144,8 +144,17 @@ cms_parse_validate_internal(X509 **xp, const char *fn, const unsigned char *der,
        /* RFC 6488 section 3 verify the CMS */
        /* the version of SignedData and SignerInfos can't be verified */
 
-       sinfos = CMS_get0_SignerInfos(cms);
-       assert(sinfos != NULL);
+       /* Should only return NULL if cms is not of type SignedData. */
+       if ((sinfos = CMS_get0_SignerInfos(cms)) == NULL) {
+               if ((obj = CMS_get0_type(cms)) == NULL) {
+                       warnx("%s: RFC 6488: missing content-type", fn);
+                       goto out;
+               }
+               OBJ_obj2txt(buf, sizeof(buf), obj, 1);
+               warnx("%s: RFC 6488: no signerInfo in CMS object of type %s",
+                   fn, buf);
+               goto out;
+       }
        if (sk_CMS_SignerInfo_num(sinfos) != 1) {
                cryptowarnx("%s: RFC 6488: CMS has multiple signerInfos", fn);
                goto out;