|
1 |
| -/* $OpenBSD: x509.c,v 1.116 2025/07/21 11:00:49 tb Exp $ */ |
| 1 | +/* $OpenBSD: x509.c,v 1.117 2025/08/01 17:29:30 tb Exp $ */ |
2 | 2 | /*
|
3 | 3 | * Copyright (c) 2022 Theo Buehler <[email protected]>
|
4 | 4 | * Copyright (c) 2021 Claudio Jeker <[email protected]>
|
@@ -144,24 +144,58 @@ x509_init_oid(void)
|
144 | 144 | char *
|
145 | 145 | x509_pubkey_get_ski(X509_PUBKEY *pubkey, const char *fn)
|
146 | 146 | {
|
147 |
| - ASN1_OBJECT *obj; |
| 147 | + X509_ALGOR *alg = NULL; |
| 148 | + const ASN1_OBJECT *aobj = NULL; |
| 149 | + int ptype = 0; |
| 150 | + const void *pval = NULL; |
148 | 151 | const unsigned char *der;
|
149 |
| - int der_len, nid; |
| 152 | + int der_len; |
150 | 153 | unsigned char md[EVP_MAX_MD_SIZE];
|
151 | 154 | unsigned int md_len = EVP_MAX_MD_SIZE;
|
| 155 | + unsigned char buf[80]; |
152 | 156 |
|
153 |
| - if (!X509_PUBKEY_get0_param(&obj, &der, &der_len, NULL, pubkey)) { |
| 157 | + /* XXX - dedup with cert_check_spki(), add more validity checks? */ |
| 158 | + |
| 159 | + if (!X509_PUBKEY_get0_param(NULL, &der, &der_len, &alg, pubkey)) { |
154 | 160 | warnx("%s: X509_PUBKEY_get0_param failed", fn);
|
155 | 161 | return NULL;
|
156 | 162 | }
|
| 163 | + X509_ALGOR_get0(&aobj, &ptype, &pval, alg); |
| 164 | + |
| 165 | + if (OBJ_obj2nid(aobj) == NID_rsaEncryption) { |
| 166 | + if (ptype != V_ASN1_NULL || pval != NULL) { |
| 167 | + warnx("%s: RFC 4055, 1.2, rsaEncryption " |
| 168 | + "parameters not NULL", fn); |
| 169 | + return NULL; |
| 170 | + } |
| 171 | + |
| 172 | + goto done; |
| 173 | + } |
157 | 174 |
|
158 |
| - /* XXX - should allow other keys as well. */ |
159 |
| - if ((nid = OBJ_obj2nid(obj)) != NID_rsaEncryption) { |
160 |
| - warnx("%s: RFC 7935: wrong signature algorithm %s, want %s", |
161 |
| - fn, nid2str(nid), LN_rsaEncryption); |
| 175 | + if (!experimental) { |
| 176 | + warnx("%s: RFC 7935, 3.1 SPKI not RSAPublicKey", fn); |
162 | 177 | return NULL;
|
163 | 178 | }
|
164 | 179 |
|
| 180 | + if (OBJ_obj2nid(aobj) == NID_X9_62_id_ecPublicKey) { |
| 181 | + if (ptype != V_ASN1_OBJECT) { |
| 182 | + warnx("%s: RFC 5480, 2.1.1, ecPublicKey " |
| 183 | + "parameters not namedCurve", fn); |
| 184 | + return NULL; |
| 185 | + } |
| 186 | + if (OBJ_obj2nid(pval) != NID_X9_62_prime256v1) { |
| 187 | + warnx("%s: RFC 8608, 3.1, named curve not P-256", fn); |
| 188 | + return NULL; |
| 189 | + } |
| 190 | + |
| 191 | + goto done; |
| 192 | + } |
| 193 | + |
| 194 | + OBJ_obj2txt(buf, sizeof(buf), aobj, 0); |
| 195 | + warnx("%s: unsupported public key type %s", fn, buf); |
| 196 | + return NULL; |
| 197 | + |
| 198 | + done: |
165 | 199 | if (!EVP_Digest(der, der_len, md, &md_len, EVP_sha1(), NULL)) {
|
166 | 200 | warnx("%s: EVP_Digest failed", fn);
|
167 | 201 | return NULL;
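Review bot: In the unsupported-key fallback near the end of the hunk, `buf` is declared `unsigned char buf[80]` but is passed to `OBJ_obj2txt()`, which takes a `char *`, and then printed with `%s`, and the return value of `OBJ_obj2txt()` is ignored. If that call can fail without writing a terminator (not visible from here), `warnx()` would read an uninitialised stack buffer, so I would declare it `char buf[80] = "";` or check the return value before logging. Separately, the `goto done` flow evaluates `OBJ_obj2nid(aobj)` twice; caching the NID in a local and switching on it would make the accept and reject paths easier to audit, which matters given the XXX about deduplicating with cert_check_spki(). The body of x509_pubkey_get_ski continues past the end of the hunk.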
|
|