I think the newly introduced RSA parameter check valid_ca_pkey() can also be applied to the outside-TBS RSA signature in .cer files.
Am I using X509_get_X509_PUBKEY() properly? OK? Kind regards, Job
Index: cert.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v
retrieving revision 1.104
diff -u -p -r1.104 cert.c
--- cert.c 6 Mar 2023 16:58:41 -0000 1.104
+++ cert.c 6 Mar 2023 22:15:18 -0000
@@ -651,6 +651,7 @@ cert_parse_pre(const char *fn, const uns
 const ASN1_OBJECT *cobj;
 ASN1_OBJECT *obj;
 EVP_PKEY *pkey;
+ X509_PUBKEY *pubkey;
 struct parse p;
 int nid;
@@ -691,6 +692,17 @@ cert_parse_pre(const char *fn, const uns
 OBJ_nid2ln(NID_sha256WithRSAEncryption));
 goto out;
 }
+
+ if ((pubkey = X509_get_X509_PUBKEY(x)) == NULL) {
+ warnx("%s: X509_get_X509_PUBKEY failed", fn);
+ goto out;
+ }
+ if ((pkey = X509_PUBKEY_get0(pubkey)) == NULL) {
+ warnx("%s: X509_PUBKEY_get failed", fn);
+ goto out;
+ }
+ if (!valid_ca_pkey(fn, pkey))
+ goto out;
 /* Look for X509v3 extensions. */
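Review bot: The key handed to valid_ca_pkey() in the second hunk is the certificate's own subjectPublicKeyInfo, not the key that produced the outer (non-TBS) signature — that key belongs to the issuer and lives in the parent certificate — so the cover note's framing should read "the subject public key in .cer files"; the check itself is still worthwhile. The two-step X509_get_X509_PUBKEY()/X509_PUBKEY_get0() lookup can be collapsed to `if ((pkey = X509_get0_pubkey(x)) == NULL) {` with `warnx("%s: X509_get0_pubkey failed", fn);`, which also fixes the current message naming X509_PUBKEY_get rather than the function actually called (X509_PUBKEY_get0). Since get0 returns a borrowed reference, reusing the pre-existing `pkey` local is only safe if the cleanup at `out:` never calls EVP_PKEY_free(pkey); that label is outside the hunk, so please confirm, or use a distinct local if the function later obtains an owned key via X509_get_pubkey(). If cert_parse_pre() is also reached for EE certificates, this applies the CA key policy to them too — possibly intended, but worth a one-line comment. cert_parse_pre() begins and ends outside this hunk.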