Re: rpki-client: enforce RFC7935 RSA params in outside-TBS signatures on .cer

[Job Snijders]

On Mon, Mar 06, 2023 at 10:19:36PM +, Job Snijders wrote:
> Am I using X509_get_X509_PUBKEY() properly?

I was not! Thanks for the clue tb@

rpki-client: enforce RFC7935 RSA params in outside-TBS signatures on .cer

[Job Snijders]

I think the newly introduced RSA parameter check valid_ca_pkey() can
also be applied to the outside-TBS RSA signature in .cer files.

Am I using X509_get_X509_PUBKEY() properly?

OK?

Kind regards,

Job

Index: cert.c
===
RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v
retrieving revision 1.104
diff -u -p -r1.104 cert.c
--- cert.c  6 Mar 2023 16:58:41 -   1.104
+++ cert.c  6 Mar 2023 22:15:18 -
@@ -651,6 +651,7 @@ cert_parse_pre(const char *fn, const uns
const ASN1_OBJECT   *cobj;
ASN1_OBJECT *obj;
EVP_PKEY*pkey;
+   X509_PUBKEY *pubkey;
struct parse p;
int  nid;
 
@@ -691,6 +692,17 @@ cert_parse_pre(const char *fn, const uns
OBJ_nid2ln(NID_sha256WithRSAEncryption));
goto out;
}
+
+   if ((pubkey = X509_get_X509_PUBKEY(x)) == NULL) {
+   warnx("%s: X509_get_X509_PUBKEY failed", fn);
+   goto out;
+   }
+   if ((pkey = X509_PUBKEY_get0(pubkey)) == NULL) {
+   warnx("%s: X509_PUBKEY_get failed", fn);
+   goto out;
+   }
+   if (!valid_ca_pkey(fn, pkey))
+   goto out;
 
/* Look for X509v3 extensions. */