CVSROOT:	/cvs
Module name:	src
Changes by:	t...@cvs.openbsd.org	2025/07/08 07:25:54

Modified files:
	usr.sbin/rpki-client: cert.c crl.c extern.h x509.c

Log message:
rpki-client: more thorough CRL signature checking

This uses the LibreSSL-specific X509_CRL_get0_tbs_sigalg() to check that
the signatureAlgorithm in a CRL's signature and the one in the tbsCertList
are byte-for-byte identical. Splits the bulk of cert_check_sigalg() out
into a helper called from both cert_check_sigalg() and crl_check_sigalg().

This also fixes a small gap in the CRL verification in that the two
algorithm identifiers in CRLs have not been checked to be identical in
the X.509 verifier so far (I'll fix this soon).

Another fun API consistency bit is how X509_get0_signature() has the cert
last while X509_CRL_get0_signature() has the crl first. You can't make
this stuff up.

tweak/ok job
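
The check described in the log message above, as an added C illustration that is not the rpki-client code: instead of calling X509_CRL_get0_tbs_sigalg(), it walks the raw DER with a minimal TLV reader and compares the AlgorithmIdentifier inside the tbsCertList with the outer signatureAlgorithm byte for byte. The function names and the skeletal CRL bytes (empty issuer, no dates, dummy signature) are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Constructed sample data: sha256WithRSAEncryption with and without NULL parameters. */
#define ALG_NULL    0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00
#define ALG_NOPARAM 0x30,0x0B,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B
#define TBS 0x30,0x14, 0x02,0x01,0x01, ALG_NULL, 0x30,0x00 /* version, signature, empty issuer */
/* Skeletal CRLs: tbsCertList, outer signatureAlgorithm, dummy signatureValue BIT STRING. */
static const unsigned char crl_ok[]  = { 0x30,0x2A, TBS, ALG_NULL,    0x03,0x03,0x00,0xAA,0xBB };
static const unsigned char crl_bad[] = { 0x30,0x28, TBS, ALG_NOPARAM, 0x03,0x03,0x00,0xAA,0xBB };

/* Hypothetical helper: size of the DER TLV at p if it has this tag, else 0 (max 2 length octets). */
static size_t der_tlv(const unsigned char *p, size_t len, int tag, size_t *hdr)
{
	size_t clen, i, n = 0;
	if (len < 2 || p[0] != tag)
		return 0;
	clen = p[1];
	if (p[1] & 0x80) {	/* long form; indefinite length is not DER */
		if ((n = p[1] & 0x7f) == 0 || n > 2 || len < 2 + n)
			return 0;
		for (clen = 0, i = 0; i < n; i++)
			clen = (clen << 8) | p[2 + i];
	}
	*hdr = 2 + n;
	return clen > len - *hdr ? 0 : *hdr + clen;
}

/* 1: both AlgorithmIdentifiers are identical, 0: they differ, -1: parse error. */
int crl_sigalgs_match(const unsigned char *der, size_t len)
{
	const unsigned char *tbs, *inner, *outer;
	size_t h0, h1, h, tbs_len, in_len, out_len, off;
	if (len == 0 || der_tlv(der, len, 0x30, &h0) != len ||	/* CertificateList */
	    (tbs_len = der_tlv(der + h0, len - h0, 0x30, &h1)) == 0)
		return -1;
	tbs = der + h0;
	off = h1 + der_tlv(tbs + h1, tbs_len - h1, 0x02, &h);	/* skip optional version */
	inner = tbs + off;	/* tbsCertList.signature */
	outer = tbs + tbs_len;	/* signatureAlgorithm following the tbsCertList */
	if ((in_len = der_tlv(inner, tbs_len - off, 0x30, &h)) == 0 ||
	    (out_len = der_tlv(outer, len - h0 - tbs_len, 0x30, &h)) == 0)
		return -1;
	return in_len == out_len && memcmp(inner, outer, in_len) == 0;
}

int main(void)
{
	printf("ok=%d bad=%d\n", crl_sigalgs_match(crl_ok, sizeof crl_ok), crl_sigalgs_match(crl_bad, sizeof crl_bad));
	return 0;
}
```

The second sample uses the same OID in both places but omits the NULL parameters in the outer copy, which a comparison of OIDs alone would accept and the byte-for-byte comparison rejects.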