From b6a9c519f92dfae089b645d66e81f8c90e11ec8b Mon Sep 17 00:00:00 2001
From: tb
Date: Thu, 6 Jun 2024 11:53:09 +0000
Subject: [PATCH] Check that TA certs are correctly signed
We know the pubkey from the TAL, so check that the signature is right as required by RFC 6487, section 7, additional condition 1, applied to self-issued certs. Make the error check weird since OpenSSL 3 broke yet another API (thanks claudio for making me go look).
ok claudio job
---
 usr.sbin/rpki-client/cert.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index 83c7e42051a..56eef09194f 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.138 2024/06/06 07:20:15 tb Exp $ */
+/* $OpenBSD: cert.c,v 1.139 2024/06/06 11:53:09 tb Exp $ */
 /*
 * Copyright (c) 2022 Theo Buehler
 * Copyright (c) 2021 Job Snijders
@@ -1121,6 +1121,10 @@ ta_parse(const char *fn, struct cert *p, const unsigned char *pkey,
 warnx("%s: BGPsec cert cannot be a trust anchor", fn);
 goto badcert;
 }
+ if (X509_verify(p->x509, pk) != 1) {
+ warnx("%s: failed to verify signature", fn);
+ goto badcert;
+ }
 if (x509_any_inherits(p->x509)) {
 warnx("%s: Trust anchor IP/AS resources may not inherit", fn);
 goto badcert;
--
2.20.1
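Review bot: The `!= 1` comparison on the new `X509_verify(p->x509, pk)` call in ta_parse (hunk at -1121) is deliberate, but the reason is recorded only in the commit message and not in the code. X509_verify() returns 1 for a valid signature and 0 or a negative value otherwise, so a later tidy-up to `!X509_verify(...)` would let a trust anchor through on an error return. I would add a comment above the check, for example `/* RFC 6487, section 7, condition 1: TA cert must verify under the TAL key; X509_verify() may return < 0, so compare with 1. */`. The single warning also does not distinguish a bad signature from a library error, which may matter when triaging a rejected TA. `pk` is set outside the hunk, presumably from the TAL key passed as `pkey`, and ta_parse's body begins and continues outside the hunk.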