CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2023/03/06 09:58:41

Modified files:
usr.sbin/rpki-client: cert.c crl.c

Log message:
Ensure .cer and .crl outside-TBS signatures are sha256WithRSAEncryption

Note: there is a potential for confusion in RFC 7935: the specification differentiates between 2 contexts, "in the certificate" and "CMS SignedData". In the CMS context, either rsaEncryption or sha256WithRSAEncryption can appear (and both *do* appear in the wild).

However, RFC 7935 section 2 fourth paragraph starting with "In certificates, CRLs, ..." mandates that sha256WithRSAEncryption is used to sign .cer and .crl files: "The Object Identifier (OID) sha256WithRSAEncryption from RFC4055 MUST be used in these products."

The above requirement matches observations on existing RPKI deployments.

OK tb@
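The check the commit describes, as an added example in pure Python (not rpki-client's own code): walk the outer DER SEQUENCE of a Certificate or CertificateList, read the signatureAlgorithm OID that sits outside the TBS, and accept only sha256WithRSAEncryption. The two DER inputs are constructed stand-ins with an empty placeholder TBS, not real RPKI objects.

```python
# Added example (not rpki-client code): the outer signatureAlgorithm of a DER
# .cer or .crl must be sha256WithRSAEncryption (RFC 7935 section 2, RFC 4055).
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"  # rsaEncryption (...1.1.1) is CMS-only

def der_tlv(buf, pos=0):
    """Parse one definite-length DER TLV; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    out, pos = [], 0  # (tag, content) pairs of a constructed value's children
    while pos < len(content):
        tag, inner, pos = der_tlv(content, pos)
        out.append((tag, inner))
    return out

def decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets to dotted notation."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def outer_signature_oid(der):
    """OID of signatureAlgorithm, the 2nd element of the top-level SEQUENCE
    that Certificate and CertificateList share: (tbs, algorithm, signature)."""
    tag, body, _ = der_tlv(der)
    alg_tag, alg_body = der_children(body)[1]
    oid_tag, oid_content = der_children(alg_body)[0]
    if tag != 0x30 or alg_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not a Certificate/CertificateList-shaped DER value")
    return decode_oid(oid_content)

def check_rfc7935_signature(der):  # True only for sha256WithRSAEncryption
    return outer_signature_oid(der) == SHA256_WITH_RSA

def build_sample(oid_tlv):
    """Constructed input: SEQUENCE { SEQUENCE {} (stand-in TBS), SEQUENCE { OID, NULL }, BIT STRING }."""
    alg_id = b"\x30" + bytes([len(oid_tlv) + 2]) + oid_tlv + b"\x05\x00"
    body = b"\x30\x00" + alg_id + b"\x03\x02\x00\xff"
    return b"\x30" + bytes([len(body)]) + body

GOOD_CER = build_sample(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")  # sha256WithRSA
BAD_CER = build_sample(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")   # rsaEncryption
```

On a real file, `check_rfc7935_signature(open(path, "rb").read())` applies the same test to the outer signature only; the CMS SignedData inside .roa/.mft objects is a different context and is not covered by this check.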