-/* $OpenBSD: cert.c,v 1.103 2023/03/06 16:04:52 job Exp $ */
+/* $OpenBSD: cert.c,v 1.104 2023/03/06 16:58:41 job Exp $ */
/*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2021 Job Snijders <job@openbsd.org>
size_t i;
X509 *x = NULL;
X509_EXTENSION *ext = NULL;
+ const X509_ALGOR *palg;
+ const ASN1_OBJECT *cobj;
ASN1_OBJECT *obj;
EVP_PKEY *pkey;
struct parse p;
+ int nid;
/* just fail for empty buffers, the warning was printed elsewhere */
if (der == NULL)
goto out;
}
+ X509_get0_signature(NULL, &palg, x);
+ if (palg == NULL) {
+ cryptowarnx("%s: X509_get0_signature", p.fn);
+ goto out;
+ }
+ X509_ALGOR_get0(&cobj, NULL, NULL, palg);
+ if ((nid = OBJ_obj2nid(cobj)) != NID_sha256WithRSAEncryption) {
+ warnx("%s: RFC 7935: wrong signature algorithm %s, want %s",
+ fn, OBJ_nid2ln(nid),
+ OBJ_nid2ln(NID_sha256WithRSAEncryption));
+ goto out;
+ }
+
/* Look for X509v3 extensions. */
if ((extsz = X509_get_ext_count(x)) < 0)
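Review bot: The new check at `X509_ALGOR_get0(&cobj, NULL, NULL, palg)` reads only the algorithm OID and discards the parameters, so a signatureAlgorithm carrying unexpected parameters is still accepted as sha256WithRSAEncryption. As far as I recall, RFC 4055 permits only NULL or absent parameters for this OID; if the profile check is meant to be that strict, fetch the type with `X509_ALGOR_get0(&cobj, &ptype, NULL, palg);` and reject unless `ptype == V_ASN1_NULL || ptype == V_ASN1_UNDEF`. The CRL check added in crl.c has the same shape. Separately, the two warnings in this hunk name the file differently (`p.fn` in the cryptowarnx call, `fn` in the warnx call), and one spelling would read better. The enclosing function begins and ends outside the hunk.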
-/* $OpenBSD: crl.c,v 1.22 2023/02/21 10:18:47 tb Exp $ */
+/* $OpenBSD: crl.c,v 1.23 2023/03/06 16:58:41 job Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
#include <string.h>
#include <unistd.h>
+#include <openssl/x509.h>
+
#include "extern.h"
struct crl *
{
const unsigned char *oder;
struct crl *crl;
+ const X509_ALGOR *palg;
+ const ASN1_OBJECT *cobj;
const ASN1_TIME *at;
- int rc = 0;
+ int nid, rc = 0;
/* just fail for empty buffers, the warning was printed elsewhere */
if (der == NULL)
goto out;
}
+ X509_CRL_get0_signature(crl->x509_crl, NULL, &palg);
+ if (palg == NULL) {
+ cryptowarnx("%s: X509_CRL_get0_signature", fn);
+ goto out;
+ }
+ X509_ALGOR_get0(&cobj, NULL, NULL, palg);
+ if ((nid = OBJ_obj2nid(cobj)) != NID_sha256WithRSAEncryption) {
+ warnx("%s: RFC 7935: wrong signature algorithm %s, want %s",
+ fn, OBJ_nid2ln(nid),
+ OBJ_nid2ln(NID_sha256WithRSAEncryption));
+ goto out;
+ }
+
if ((crl->aki = x509_crl_get_aki(crl->x509_crl, fn)) == NULL) {
warnx("x509_crl_get_aki failed");
goto out;
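Review bot: When the CRL's algorithm OID is one the library does not know, the warning will most likely print only a generic name, because `OBJ_obj2nid` has already mapped it to NID_undef by the time `OBJ_nid2ln(nid)` is called. Printing the OID itself would help an operator triaging a rejected CRL, for example `char buf[128]; OBJ_obj2txt(buf, sizeof(buf), cobj, 0);` with `buf` passed in place of `OBJ_nid2ln(nid)`. The same applies to the matching warning in cert.c. The function body continues past the end of the hunk.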