From 138af1eb9ef63077800df20a97008de18946728d Mon Sep 17 00:00:00 2001
From: job
Date: Tue, 20 Jun 2023 12:28:08 +0000
Subject: [PATCH] Ensure the X.509 version is V3

OK tb@
---
 usr.sbin/rpki-client/cert.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index f8f7c42b912..b166ed063b1 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.108 2023/05/09 10:34:32 tb Exp $ */
+/* $OpenBSD: cert.c,v 1.109 2023/06/20 12:28:08 job Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler
  * Copyright (c) 2021 Job Snijders
@@ -596,6 +596,11 @@ cert_parse_ee_cert(const char *fn, X509 *x)
 	if ((p.res = calloc(1, sizeof(struct cert))) == NULL)
 		err(1, NULL);
 
+	if (X509_get_version(x) != 2) {
+		warnx("%s: RFC 6487 4.1: X.509 version must be v3", fn);
+		goto out;
+	}
+
 	if (X509_get_key_usage(x) != KU_DIGITAL_SIGNATURE) {
 		warnx("%s: RFC 6487 section 4.8.4: KU must be digitalSignature",
 		    fn);
@@ -680,6 +685,11 @@ cert_parse_pre(const char *fn, const unsigned char *der, size_t len)
 		goto out;
 	}
 
+	if (X509_get_version(x) != 2) {
+		warnx("%s: RFC 6487 4.1: X.509 version must be v3", fn);
+		goto out;
+	}
+
 	X509_get0_signature(NULL, &palg, x);
 	if (palg == NULL) {
 		cryptowarnx("%s: X509_get0_signature", p.fn);
-- 
2.20.1
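Review bot: The version is compared against the bare literal 2 in `if (X509_get_version(x) != 2) {`, and the identical four-line check is repeated in the cert_parse_pre hunk; a reader has to know that X.509v3 is encoded as version value 2 on the wire, so a comment such as `/* X.509v3 is encoded as version 2 (RFC 5280 4.1.2.1) */` above each check, or the X509_VERSION_3 constant where the libcrypto in use provides it, would make the intent self-evident and keep the two copies from drifting. The new diagnostic also differs in form from the existing one a few lines below it (`RFC 6487 4.1:` versus `RFC 6487 section 4.8.4:`); writing `"%s: RFC 6487 section 4.1: X.509 version must be v3"` keeps the warnings uniform for anyone filtering rpki-client logs. Because the check in cert_parse_ee_cert runs after `p.res` has been allocated, the `out` label is presumably responsible for freeing it; that label lies outside the hunk, as do both enclosing function bodies.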