authorJob Snijders <job@cvs.openbsd.org>2023-06-20 12:28:09 +0000
committerJob Snijders <job@cvs.openbsd.org>2023-06-20 12:28:09 +0000
commitcfddf62e9afe4571ddb9d8b729b43316c26a8ff5 (patch)
tree595466dc64ec6a5cce912eaa673503fba10800fd /usr.sbin
parent1e8488019e458de98a00582e0970221a3379dc8f (diff)
Ensure the X.509 version is V3
OK tb@
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/rpki-client/cert.c12
1 files changed, 11 insertions, 1 deletions
diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index f8f7c42b912..b166ed063b1 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.108 2023/05/09 10:34:32 tb Exp $ */
+/* $OpenBSD: cert.c,v 1.109 2023/06/20 12:28:08 job Exp $ */
/*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2021 Job Snijders <job@openbsd.org>
@@ -596,6 +596,11 @@ cert_parse_ee_cert(const char *fn, X509 *x)
if ((p.res = calloc(1, sizeof(struct cert))) == NULL)
err(1, NULL);
+ if (X509_get_version(x) != 2) {
+ warnx("%s: RFC 6487 4.1: X.509 version must be v3", fn);
+ goto out;
+ }
+
if (X509_get_key_usage(x) != KU_DIGITAL_SIGNATURE) {
warnx("%s: RFC 6487 section 4.8.4: KU must be digitalSignature",
fn);
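Review bot: The new message at the added `warnx` line cites the RFC as `RFC 6487 4.1`, while the neighbouring key-usage check two lines below cites `RFC 6487 section 4.8.4`; for consistency and grep-ability it should read `warnx("%s: RFC 6487 section 4.1: X.509 version must be v3", fn);`. The literal `2` also deserves a comment, since X509_get_version() returns the zero-based ASN.1 version field and `2` is how v3 is encoded: `/* X509_get_version() is zero-based: 2 == v3 */` above the `if`. cert_parse_ee_cert() begins and continues outside the hunk, so I cannot tell from here whether the `out` label releases the `p.res` allocated just above the new check; if it does not, this new early exit would leak it.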
@@ -680,6 +685,11 @@ cert_parse_pre(const char *fn, const unsigned char *der, size_t len)
goto out;
}
+ if (X509_get_version(x) != 2) {
+ warnx("%s: RFC 6487 4.1: X.509 version must be v3", fn);
+ goto out;
+ }
+
X509_get0_signature(NULL, &palg, x);
if (palg == NULL) {
cryptowarnx("%s: X509_get0_signature", p.fn);
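Review bot: This is the second verbatim copy of the version check (the first is in cert_parse_ee_cert() in the previous hunk), and the two already risk drifting: neither explains what `2` means and the message wording differs from the file's other RFC citations. A small static helper keeps the constant and the message in one place, and each call site becomes `if (!cert_check_version(fn, x)) goto out;`. cert_parse_pre() starts and ends outside the hunk. I cannot confirm from here whether LibreSSL's headers expose an `X509_VERSION_3` macro; if they do, it should replace the literal.
```c
/*
 * RFC 6487 section 4.1 requires X.509 v3. X509_get_version() returns the
 * zero-based ASN.1 version field, so v3 is encoded as 2.
 */
static int
cert_check_version(const char *fn, X509 *x)
{
	if (X509_get_version(x) != 2) {
		warnx("%s: RFC 6487 section 4.1: X.509 version must be v3", fn);
		return 0;
	}
	return 1;
}

/* … unchanged: cert_parse_pre() up to the preceding goto out … */
	if (!cert_check_version(fn, x))
		goto out;
```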