-/* $OpenBSD: cert.c,v 1.102 2023/02/21 10:18:47 tb Exp $ */
+/* $OpenBSD: cert.c,v 1.103 2023/03/06 16:04:52 job Exp $ */
/*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2021 Job Snijders <job@openbsd.org>
X509 *x = NULL;
X509_EXTENSION *ext = NULL;
ASN1_OBJECT *obj;
+ EVP_PKEY *pkey;
struct parse p;
/* just fail for empty buffers, the warning was printed elsewhere */
switch (p.res->purpose) {
case CERT_PURPOSE_CA:
+ if ((pkey = X509_get0_pubkey(x)) == NULL) {
+ warnx("%s: X509_get0_pubkey failed", p.fn);
+ goto out;
+ }
+ if (!valid_ca_pkey(p.fn, pkey))
+ goto out;
+
if (X509_get_key_usage(x) != (KU_KEY_CERT_SIGN | KU_CRL_SIGN)) {
warnx("%s: RFC 6487 section 4.8.4: key usage violation",
p.fn);
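Review bot: The new key check in the `CERT_PURPOSE_CA` case has no comment naming the rule it enforces, while the key-usage check right below it cites RFC 6487 section 4.8.4 in its warning. I would add `/* RFC 7935 section 3: CA keys must be 2048-bit RSA with e = 65537 */` above the `X509_get0_pubkey(x)` call. It is also worth noting there that `pkey` is a borrowed reference from the get0 accessor and must not be freed on the `out` path. The switch and the rest of the function lie outside the hunk, so whether the other certificate purposes need their own key-profile check cannot be judged from here.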
-/* $OpenBSD: cms.c,v 1.28 2023/03/06 09:14:29 job Exp $ */
+/* $OpenBSD: cms.c,v 1.29 2023/03/06 16:04:52 job Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
STACK_OF(X509_CRL) *crls;
STACK_OF(CMS_SignerInfo) *sinfos;
CMS_SignerInfo *si;
+ EVP_PKEY *pkey;
X509_ALGOR *pdig, *psig;
int i, nattrs, nid;
int has_ct = 0, has_md = 0, has_st = 0,
goto out;
}
- /* Check digest and signature algorithms */
- CMS_SignerInfo_get0_algs(si, NULL, NULL, &pdig, &psig);
+ /* Check digest and signature algorithms (RFC 7935) */
+ CMS_SignerInfo_get0_algs(si, &pkey, NULL, &pdig, &psig);
+ if (!valid_ca_pkey(fn, pkey))
+ goto out;
+
X509_ALGOR_get0(&obj, NULL, NULL, pdig);
nid = OBJ_obj2nid(obj);
if (nid != NID_sha256) {
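Review bot: At `valid_ca_pkey(fn, pkey)` the key comes from the SignerInfo, so it is presumably the signer's EE key rather than a CA key, and the helper's name is misleading at this call site. A comment such as `/* signer's public key, borrowed from si; same RFC 7935 key profile as CA keys */` would make the intent clear, or the helper could get a purpose-neutral name. `pkey` is only populated once a signer certificate has been bound to `si`, which happens outside this hunk. If that has not happened, the object is rejected with the generic `failure, pkey is NULL` warning, which gives an operator little to go on. The enclosing function starts and ends outside the hunk.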
-/* $OpenBSD: extern.h,v 1.167 2023/01/13 08:58:36 claudio Exp $ */
+/* $OpenBSD: extern.h,v 1.168 2023/03/06 16:04:52 job Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
int valid_aspa(const char *, struct cert *, struct aspa *);
int valid_geofeed(const char *, struct cert *, struct geofeed *);
int valid_uuid(const char *);
+int valid_ca_pkey(const char *, EVP_PKEY *);
/* Working with CMS. */
unsigned char *cms_parse_validate(X509 **, const char *,
-.\" $OpenBSD: rpki-client.8,v 1.90 2023/03/06 15:50:33 job Exp $
+.\" $OpenBSD: rpki-client.8,v 1.91 2023/03/06 16:04:52 job Exp $
.\"
.\" Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
.\"
.Re
.Pp
.Rs
+.%T The Profile for Algorithms and Key Sizes for Use in the Resource Public Key Infrastructure
+.%R RFC 7935
+.%A Geoff Huston
+.%A George Michaelson
+.%U https://www.rfc-editor.org/rfc/rfc7935
+.%D Aug, 2016
+.%I IETF
+.Re
+.Pp
+.Rs
.%T The RPKI Repository Delta Protocol (RRDP)
.%R RFC 8182
.%A Tim Bruijnzeels
-/* $OpenBSD: validate.c,v 1.54 2023/01/18 18:12:20 job Exp $ */
+/* $OpenBSD: validate.c,v 1.55 2023/03/06 16:04:52 job Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
}
}
+int
+valid_ca_pkey(const char *fn, EVP_PKEY *pkey)
+{
+ RSA *rsa;
+ const BIGNUM *rsa_e;
+ int key_bits;
+
+ if (pkey == NULL) {
+ warnx("%s: failure, pkey is NULL", fn);
+ return 0;
+ }
+
+ if (EVP_PKEY_base_id(pkey) != EVP_PKEY_RSA) {
+ warnx("%s: Expected EVP_PKEY_RSA, got %d", fn,
+ EVP_PKEY_base_id(pkey));
+ return 0;
+ }
+
+ if ((key_bits = EVP_PKEY_bits(pkey)) != 2048) {
+ warnx("%s: RFC 7935: expected 2048-bit modulus, got %d bits",
+ fn, key_bits);
+ return 0;
+ }
+
+ if ((rsa = EVP_PKEY_get0_RSA(pkey)) == NULL) {
+ warnx("%s: failed to extract RSA public key", fn);
+ return 0;
+ }
+
+ if ((rsa_e = RSA_get0_e(rsa)) == NULL) {
+ warnx("%s: failed to get RSA exponent", fn);
+ return 0;
+ }
+
+ if (!BN_is_word(rsa_e, 65537)) {
+ warnx("%s: incorrect exponent (e) in RSA public key", fn);
+ return 0;
+ }
+
+ return 1;
+}
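Review bot: `valid_ca_pkey` is added without a header comment, and its warnings are uneven: only the modulus message names RFC 7935, and the key-type message prints a bare numeric id. I would add `/* Check that pkey is a 2048-bit RSA key with public exponent 65537 (RFC 7935 section 3). Returns 1 if valid, 0 otherwise. */` above the function. The exponent warning should also cite the rule, as in `warnx("%s: RFC 7935: incorrect exponent (e) in RSA public key", fn);`, so that a rejected object can be traced to the same requirement in the logs. The checks themselves fail closed on every path visible here, including the NULL key and the failed accessor calls.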