Check that TA certs are correctly signed

We know the pubkey from the TAL, so check that the signature is right
as required by RFC 6487, section 7, additional condition 1, applied to
self-issued certs. Make the error check weird since OpenSSL 3 broke yet
another API (thanks claudio for making me go look).

ok claudio job

diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index 83c7e42..56eef09 100644 (file)
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: cert.c,v 1.138 2024/06/06 07:20:15 tb Exp $ */
+/*     $OpenBSD: cert.c,v 1.139 2024/06/06 11:53:09 tb Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
  * Copyright (c) 2021 Job Snijders <job@openbsd.org>
@@ -1121,6 +1121,10 @@ ta_parse(const char *fn, struct cert *p, const unsigned char *pkey,
                warnx("%s: BGPsec cert cannot be a trust anchor", fn);
                goto badcert;
        }
+       if (X509_verify(p->x509, pk) != 1) {
+               warnx("%s: failed to verify signature", fn);
+               goto badcert;
+       }
        if (x509_any_inherits(p->x509)) {
                warnx("%s: Trust anchor IP/AS resources may not inherit", fn);
                goto badcert;