Now that we have accessors for the SignedData and SignerInfo version
in libcrypto, let's put them to their intended use. For portable I have
made a PR to provide compat shims.
Index: cms.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/cms.c,v
retrieving revision 1.38
diff -u -p -r1.38 cms.c
--- cms.c 29 Jun 2023 10:28:25 -0000 1.38
+++ cms.c 31 Jul 2023 08:31:10 -0000
@@ -100,6 +100,7 @@ cms_parse_validate_internal(X509 **xp, c
const ASN1_OBJECT *obj, *octype;
ASN1_OCTET_STRING *kid = NULL;
CMS_ContentInfo *cms;
+ long version;
STACK_OF(X509) *certs = NULL;
STACK_OF(X509_CRL) *crls;
STACK_OF(CMS_SignerInfo) *sinfos;
@@ -142,7 +143,6 @@ cms_parse_validate_internal(X509 **xp, c
}
/* RFC 6488 section 3 verify the CMS */
- /* the version of SignedData and SignerInfos can't be verified */
/* Should only return NULL if cms is not of type SignedData. */
if ((sinfos = CMS_get0_SignerInfos(cms)) == NULL) {
@@ -160,6 +160,23 @@ cms_parse_validate_internal(X509 **xp, c
goto out;
}
si = sk_CMS_SignerInfo_value(sinfos, 0);
+
+ if (!CMS_get_version(cms, &version)) {
+ warnx("%s: Failed to retrieve SignedData version", fn);
+ goto out;
+ }
+ if (version != 3) {
+ warnx("%s: SignedData version %ld != 3", fn, version);
+ goto out;
+ }
+ if (!CMS_SignerInfo_get_version(si, &version)) {
+ warnx("%s: Failed to retrieve SignerInfo version", fn);
+ goto out;
+ }
+ if (version != 3) {
+ warnx("%s: SignerInfo version %ld != 3", fn, version);
+ goto out;
+ }
nattrs = CMS_signed_get_attr_count(si);
if (nattrs <= 0) {
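Review bot: The four added checks after `si = sk_CMS_SignerInfo_value(sinfos, 0);` carry no comment saying where the required value 3 comes from, even though an earlier hunk drops the comment that explained why the versions were not checked. A one-line comment above the first check, for example `/* RFC 6488: SignedData and SignerInfo version MUST both be 3 */` (section numbers to be confirmed against the RFC, presumably 2.1.1 and 2.1.6.1), would keep the rejection traceable to the signed object profile. The literal `3` is also repeated in both comparisons and both warnx() format strings, so a named constant would stop the test and the message from drifting apart. cms_parse_validate_internal starts and ends outside this hunk, so what the `out` label does on these new failure paths cannot be confirmed from here.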