CVSROOT: /cvs
Module name: src
Changes by: t...@cvs.openbsd.org 2025/07/08 06:19:08
Modified files:
usr.sbin/rpki-client: cert.c
Log message:
rpki-client: more complete signature checks for certs
So far we relied on the X.509 verifier to check that the two
signature algorithm identifiers in a certificate are identical.
Let's do it ourselves since this is very cheap (in well-formed
certificates this is a few NULL checks plus comparing nid and
type).
An algorithm identifier contains an OID and optional parameters.
We've ignored the parameters so far, so let's check them. There is
some fun ASN.1 history here so there are two possible encodings
we need to accept for RSA, which is annoying. In fact, roughly
1600 ROAs issued by ARIN before end of 2020 have an EE cert with
incorrect encoding.
tweaks/ok job
