Now that we have accessors for the SignedData and SignerInfo version in libcrypto, let's put them to their intended use. For portable I have made a PR to provide compat shims.
Index: cms.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/cms.c,v
retrieving revision 1.38
diff -u -p -r1.38 cms.c
--- cms.c 29 Jun 2023 10:28:25 -0000 1.38
+++ cms.c 31 Jul 2023 08:31:10 -0000
@@ -100,6 +100,7 @@ cms_parse_validate_internal(X509 **xp, c
 const ASN1_OBJECT *obj, *octype;
 ASN1_OCTET_STRING *kid = NULL;
 CMS_ContentInfo *cms;
+ long version;
 STACK_OF(X509) *certs = NULL;
 STACK_OF(X509_CRL) *crls;
 STACK_OF(CMS_SignerInfo) *sinfos;
@@ -142,7 +143,6 @@ cms_parse_validate_internal(X509 **xp, c
 }
 /* RFC 6488 section 3 verify the CMS */
- /* the version of SignedData and SignerInfos can't be verified */
 /* Should only return NULL if cms is not of type SignedData. */
 if ((sinfos = CMS_get0_SignerInfos(cms)) == NULL) {
@@ -160,6 +160,23 @@ cms_parse_validate_internal(X509 **xp, c
 goto out;
 }
 si = sk_CMS_SignerInfo_value(sinfos, 0);
+
+ if (!CMS_get_version(cms, &version)) {
+ warnx("%s: Failed to retrieve SignedData version", fn);
+ goto out;
+ }
+ if (version != 3) {
+ warnx("%s: SignedData version %ld != 3", fn, version);
+ goto out;
+ }
+ if (!CMS_SignerInfo_get_version(si, &version)) {
+ warnx("%s: Failed to retrieve SignerInfo version", fn);
+ goto out;
+ }
+ if (version != 3) {
+ warnx("%s: SignerInfo version %ld != 3", fn, version);
+ goto out;
+ }
 nattrs = CMS_signed_get_attr_count(si);
 if (nattrs <= 0) {
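Review bot: The two `version != 3` comparisons added after `si = sk_CMS_SignerInfo_value(sinfos, 0);` carry no reference to the requirement they enforce, and the second hunk removes the only comment that mentioned the versions at all. A one-line comment above the first check, such as `/* RFC 6488, 2.1.1 and 2.1.6.1: SignedData and SignerInfo version MUST be 3 */`, would keep the literal auditable against the profile. Reusing the single uninitialised `long version` from the first hunk for both fields is safe as written, because each read follows a successful accessor call, but that depends on every failure path continuing to `goto out` before the comparison. cms_parse_validate_internal starts and ends outside these hunks, so where the checks sit relative to signature verification cannot be confirmed from here.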