author | Theo Buehler <tb@cvs.openbsd.org> | 2024-06-07 13:24:36 +0000 |
---|---|---|
committer | Theo Buehler <tb@cvs.openbsd.org> | 2024-06-07 13:24:36 +0000 |
commit | 6b4434cd0a36541ad02c9b4804ac2fb0e71d5245 (patch) | |
tree | 8df0b8732341f99e438c66eb16fea86dbea85353 /usr.sbin/rpki-client | |
parent | 9368cd843ba12fa623b8d61081146439a555ee84 (diff) |
rpki-client: if anything changed, choose the freshly-fetched TA
Instead of just looking at the serial number, it's easier to use X509_cmp().
This compares the certs' hashes computed during the extension caching. This
is currently SHA-512 for LibreSSL and SHA-1 for OpenSSL, which is good
enough. After all, the TA certs were signed by a trusted source and if you
choose to use OpenSSL this won't be the worst of your problems.
ok job
Diffstat (limited to 'usr.sbin/rpki-client')
-rw-r--r-- | usr.sbin/rpki-client/parser.c | 17 |
1 files changed, 7 insertions, 10 deletions
diff --git a/usr.sbin/rpki-client/parser.c b/usr.sbin/rpki-client/parser.c index 50f0ee72465..10f7975a917 100644 --- a/usr.sbin/rpki-client/parser.c +++ b/usr.sbin/rpki-client/parser.c @@ -1,4 +1,4 @@ -/* $OpenBSD: parser.c,v 1.138 2024/06/07 11:48:05 job Exp $ */ +/* $OpenBSD: parser.c,v 1.139 2024/06/07 13:24:35 tb Exp $ */ /* * Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org> * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> @@ -573,8 +573,6 @@ proc_parser_cert(char *file, const unsigned char *der, size_t len, static int proc_parser_ta_cmp(const struct cert *cert1, const struct cert *cert2) { - const ASN1_INTEGER *serial1, *serial2; - if (cert1 == NULL) return -1; if (cert2 == NULL) @@ -603,15 +601,14 @@ proc_parser_ta_cmp(const struct cert *cert1, const struct cert *cert2) return 1; /* - * The serialNumber isn't monotonic and some TAs use semi-random ones. - * If the freshly-fetched cert's serial number is different from the - * cached one, prefer the freshly-fetched cert. + * Both certs are valid from our perspective. If anything changed, + * prefer the freshly-fetched one. We rely on cert_parse_pre() having + * cached the extensions and thus libcrypto has already computed the + * certs' hashes (SHA-1 for OpenSSL, SHA-512 for LibreSSL). The below + * compares them. */ - serial1 = X509_get0_serialNumber(cert1->x509); - serial2 = X509_get0_serialNumber(cert2->x509); - - return ASN1_INTEGER_cmp(serial1, serial2) != 0; + return X509_cmp(cert1->x509, cert2->x509) != 0; } /* |
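Review bot: in the final hunk, `return X509_cmp(cert1->x509, cert2->x509) != 0;` folds every non-zero result into "prefer the freshly-fetched cert", so a negative return that signals a comparison failure rather than a genuine difference is treated the same as a changed certificate. That is the conservative failure direction for a trust anchor (a cert that cannot be compared is replaced rather than kept), but the new comment only documents the dependency on cert_parse_pre() having cached the extensions; a short remark that a failed comparison deliberately counts as "changed" would make the intent explicit for the next reader. The removal of `serial1`/`serial2` and of the `X509_get0_serialNumber()`/`ASN1_INTEGER_cmp()` path is consistent with the new comment, and the earlier `cert1 == NULL`/`cert2 == NULL` checks still guard the pointers passed to `X509_cmp()`.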