From 570c95799d61d6022f40a4d6064cd52bd13b300e Mon Sep 17 00:00:00 2001
From: claudio <claudio@openbsd.org>
Date: Mon, 28 Mar 2022 13:04:01 +0000
Subject: [PATCH] Compare the SKI of the embedded EE certificate of the CMS
 message with the SID of the Signer Info structure. RFC6488 mandates this. OK
 job@ tb@

---
 usr.sbin/rpki-client/cms.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/usr.sbin/rpki-client/cms.c b/usr.sbin/rpki-client/cms.c
index 5594785ad49..24c7b903a6e 100644
--- a/usr.sbin/rpki-client/cms.c
+++ b/usr.sbin/rpki-client/cms.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: cms.c,v 1.15 2022/03/28 08:19:15 tb Exp $ */
+/*	$OpenBSD: cms.c,v 1.16 2022/03/28 13:04:01 claudio Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -45,7 +45,7 @@ cms_parse_validate(X509 **xp, const char *fn, const unsigned char *der,
 {
 	char				 buf[128], obuf[128];
 	const ASN1_OBJECT		*obj, *octype;
-	ASN1_OCTET_STRING		**os = NULL;
+	ASN1_OCTET_STRING		**os = NULL, *kid = NULL;
 	CMS_ContentInfo			*cms;
 	int				 rc = 0;
 	STACK_OF(X509)			*certs = NULL;
@@ -224,6 +224,16 @@ cms_parse_validate(X509 **xp, const char *fn, const unsigned char *der,
 	}
 	*xp = X509_dup(sk_X509_value(certs, 0));
 
+	if (CMS_SignerInfo_get0_signer_id(si, &kid, NULL, NULL) != 1 ||
+	    kid == NULL) {
+		warnx("%s: RFC 6488: could not extract SKI from SID", fn);
+		goto out;
+	}
+	if (CMS_SignerInfo_cert_cmp(si, *xp) != 0) {
+		warnx("%s: RFC 6488: wrong cert referenced by SignerInfo", fn);
+		goto out;
+	}
+
 	/* Verify that we have eContent to disseminate. */
 
 	if ((os = CMS_get0_content(cms)) == NULL || *os == NULL) {
-- 
2.20.1