author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2021-01-08 07:43:56 +0100 |
---|---|---|
committer | Dr. David von Oheimb <dev@ddvo.net> | 2021-01-21 17:53:26 +0100 |
commit | 6b63b7b61e50eadee6b274f7c0d1abd2e3fca3af (patch) | |
tree | c375d5ae4002de4edcd5949edf9b4c71bea86bfc /apps/cmp.c | |
parent | 92d619450ad70a81252028d1daa0b8f2efb51a1d (diff) | |
download | openssl-6b63b7b61e50eadee6b274f7c0d1abd2e3fca3af.tar.gz |
apps/cmp.c: Check self-signature on CSR input and warn on failure
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13841)
Diffstat (limited to 'apps/cmp.c')
-rw-r--r-- | apps/cmp.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/apps/cmp.c b/apps/cmp.c index 223a6ae3d1..464b347358 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -673,6 +673,14 @@ static X509_REQ *load_csr_autofmt(const char *infile, const char *desc) ERR_print_errors(bio_err); BIO_printf(bio_err, "error: unable to load %s from file '%s'\n", desc, infile); + } else { + EVP_PKEY *pkey = X509_REQ_get0_pubkey(csr); + int ret = do_X509_REQ_verify(csr, pkey, NULL /* vfyopts */); + + if (pkey == NULL || ret < 0) + CMP_warn("error while verifying CSR self-signature"); + else if (ret == 0) + CMP_warn("CSR self-signature does not match the contents"); } return csr; } |
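Review bot: In the new `else` branch `do_X509_REQ_verify(csr, pkey, NULL /* vfyopts */)` runs before `pkey == NULL` is tested, so a CSR without a usable public key is handed to the verifier with a NULL key; whether the helper tolerates that is not visible in this hunk. Testing the key first would make the branch safe on its face, e.g. `int ret = pkey == NULL ? -1 : do_X509_REQ_verify(csr, pkey, NULL /* vfyopts */);` followed by `if (ret < 0)`. Both failure paths only call `CMP_warn` and the function still returns `csr`, so a request whose self-signature does not verify is still passed on to the caller; a comment such as `/* advisory only: csr is returned even if its self-signature fails; enforcement must happen elsewhere */` would record that this is intentional. On `ret < 0` the error queue is neither printed nor cleared, unlike the load-failure branch just above, which may hide the cause or leave stale entries for later output. The start of `load_csr_autofmt` lies outside the hunk.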