From: tb Date: Thu, 6 Jun 2024 11:53:09 +0000 (+0000) Subject: Check that TA certs are correctly signed X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=b6a9c519f92dfae089b645d66e81f8c90e11ec8b;p=openbsd Check that TA certs are correctly signed We know the pubkey from the TAL, so check that the signature is right as required by RFC 6487, section 7, additional condition 1, applied to self-issued certs. Make the error check weird since OpenSSL 3 broke yet another API (thanks claudio for making me go look). ok claudio job --- diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c index 83c7e42051a..56eef09194f 100644 --- a/usr.sbin/rpki-client/cert.c +++ b/usr.sbin/rpki-client/cert.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cert.c,v 1.138 2024/06/06 07:20:15 tb Exp $ */ +/* $OpenBSD: cert.c,v 1.139 2024/06/06 11:53:09 tb Exp $ */ /* * Copyright (c) 2022 Theo Buehler * Copyright (c) 2021 Job Snijders @@ -1121,6 +1121,10 @@ ta_parse(const char *fn, struct cert *p, const unsigned char *pkey, warnx("%s: BGPsec cert cannot be a trust anchor", fn); goto badcert; } + if (X509_verify(p->x509, pk) != 1) { + warnx("%s: failed to verify signature", fn); + goto badcert; + } if (x509_any_inherits(p->x509)) { warnx("%s: Trust anchor IP/AS resources may not inherit", fn); goto badcert;