author | Theo Buehler <tb@cvs.openbsd.org> | 2024-06-06 11:53:10 +0000 |
---|---|---|
committer | Theo Buehler <tb@cvs.openbsd.org> | 2024-06-06 11:53:10 +0000 |
commit | e4ecf9818d2c9b07494e99fdd0fcf9efd0a36b89 (patch) | |
tree | e7e17dd1f404e5feb173a4af18f6bcf06e694495 /usr.sbin/rpki-client | |
parent | ca60546aef6c3c2df70e95b0f670d9e1d02def07 (diff) |
Check that TA certs are correctly signed
We know the pubkey from the TAL, so check that the signature is right
as required by RFC 6487, section 7, additional condition 1, applied to
self-issued certs. Make the error check weird since OpenSSL 3 broke yet
another API (thanks claudio for making me go look).
ok claudio job
Diffstat (limited to 'usr.sbin/rpki-client')
-rw-r--r-- | usr.sbin/rpki-client/cert.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c index 83c7e42051a..56eef09194f 100644 --- a/usr.sbin/rpki-client/cert.c +++ b/usr.sbin/rpki-client/cert.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cert.c,v 1.138 2024/06/06 07:20:15 tb Exp $ */ +/* $OpenBSD: cert.c,v 1.139 2024/06/06 11:53:09 tb Exp $ */ /* * Copyright (c) 2022 Theo Buehler <tb@openbsd.org> * Copyright (c) 2021 Job Snijders <job@openbsd.org> @@ -1121,6 +1121,10 @@ ta_parse(const char *fn, struct cert *p, const unsigned char *pkey, warnx("%s: BGPsec cert cannot be a trust anchor", fn); goto badcert; } + if (X509_verify(p->x509, pk) != 1) { + warnx("%s: failed to verify signature", fn); + goto badcert; + } if (x509_any_inherits(p->x509)) { warnx("%s: Trust anchor IP/AS resources may not inherit", fn); goto badcert; |
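Review bot: The `!= 1` comparison in the added `if (X509_verify(p->x509, pk) != 1) {` check in `ta_parse()` should carry a short code comment, because the reason for writing it this way is only recorded in the commit message. Comparing against 1 is the fail-closed form. `X509_verify()` returns 1 only for a valid signature and can return a negative value on error, so a later "simplification" to `!X509_verify(...)` would let an error return pass as success and accept the trust anchor. The single "failed to verify signature" warning also covers both a genuine mismatch and a library error. If that difference matters to operators, consider logging the return value or the library error alongside `fn`. `pk` is declared outside the visible context, so this note relies on the commit message's statement that it is the public key from the TAL.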