CVSROOT: /cvs
Module name: src
Changes by: clau...@cvs.openbsd.org 2022/03/25 02:19:04

Modified files:
    usr.sbin/rpki-client: cms.c x509.c

Log message:
Implement most of the CMS related checks required by RFC 6488 section 3

Verify that SignerInfo and Signed Attributes are set according to the RFC.
Especially enforce that the right attributes are signed. Check that there
are no unsigned attributes, no CRL and that the correct content-type,
digest and signature algorithm are used.
The OpenSSL API makes it impossible to verify the versions and some other
more subtle differences like detecting single attributes vs a SET OF one.
Similarly OpenSSL accepts both DER and BER encoding in the payload.
These smaller differences to the RFC are not optimal but not a risk.

Lots of feedback and OK tb@
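
The signed-attribute rules this commit refers to, as an added example that is not rpki-client code: a from-scratch DER walk (no OpenSSL) over a signedAttrs SET that requires content-type and message-digest, allows signing-time and binary-signing-time, and insists on exactly one value per attribute, per RFC 6488. The function names and the sample bytes are constructed for illustration; the input is the SET-tagged (0x31) encoding that is used for signature computation.

```python
PKCS9 = bytes.fromhex("2a864886f70d0109")  # DER contents of OID 1.2.840.113549.1.9
CONTENT_TYPE, MESSAGE_DIGEST = PKCS9 + b"\x03", PKCS9 + b"\x04"
# Optional: signing-time (...9.5) and binary-signing-time (...9.16.2.46).
ALLOWED = {CONTENT_TYPE, MESSAGE_DIGEST, PKCS9 + b"\x05", PKCS9 + bytes.fromhex("10022e")}

def read_tlvs(buf):
    """Split buf into (tag, value) pairs; BER indefinite lengths are rejected."""
    out, pos = [], 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] == 0x80:
            raise ValueError("truncated header or indefinite (BER) length")
        tag, length = buf[pos], buf[pos + 1]
        pos += 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated value")
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def check_signed_attrs(der):
    """Return a list of problems found in a DER-encoded signedAttrs SET."""
    top = read_tlvs(der)
    if len(top) != 1 or top[0][0] != 0x31:
        return ["signedAttrs is not a single SET"]
    problems, seen = [], set()
    for tag, body in read_tlvs(top[0][1]):
        parts = read_tlvs(body)
        if tag != 0x30 or [t for t, _ in parts] != [0x06, 0x31]:
            problems.append("malformed Attribute")
            continue
        oid, values = parts[0][1], read_tlvs(parts[1][1])
        if oid not in ALLOWED or oid in seen:
            problems.append("unexpected or duplicate attribute " + oid.hex())
        seen.add(oid)
        if len(values) != 1:  # the "single attribute vs SET OF" case
            problems.append("attribute %s has %d values, expected 1" % (oid.hex(), len(values)))
    problems += ["missing attribute " + o.hex() for o in (CONTENT_TYPE, MESSAGE_DIGEST) if o not in seen]
    return problems

# Constructed sample input (not taken from a real RPKI object).
def tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length only (< 128 bytes)

def attr(oid, *values):
    return tlv(0x30, tlv(0x06, oid) + tlv(0x31, b"".join(values)))

ROA = tlv(0x06, PKCS9 + bytes.fromhex("100118"))  # id-ct-routeOriginAuthz
GOOD = tlv(0x31, attr(CONTENT_TYPE, ROA) + attr(MESSAGE_DIGEST, tlv(0x04, bytes(32))))
TWO_VALUES = tlv(0x31, attr(CONTENT_TYPE, ROA, ROA) + attr(MESSAGE_DIGEST, tlv(0x04, bytes(32))))
```

`check_signed_attrs(GOOD)` returns an empty list, while `TWO_VALUES` is reported because its content-type attribute carries two values.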