X509_verify(): sync with X509_CRL_verify()

Check X509_ALGOR_cmp() explicitly against 0 and add an explanatory comment referring to the relevant RFC 5280 sections. ok beck kenjiro
author: tb <> 2025-07-10 18:50:23 +0000
committer: tb <> 2025-07-10 18:50:23 +0000
commit: d9deeb54499d42c1216437ac4884db22c3b696a1 (patch)
tree: d003b473b2b8dc8dfccc04a9fd3d34191e7b3eee /src
parent: 7271e56bc7f8882f1d22ce1a617330e4fd975593 (diff)
download: openbsd-d9deeb54499d42c1216437ac4884db22c3b696a1.tar.gz
openbsd-d9deeb54499d42c1216437ac4884db22c3b696a1.tar.bz2
openbsd-d9deeb54499d42c1216437ac4884db22c3b696a1.zip
1 files changed, 6 insertions, 2 deletions
diff --git a/src/lib/libcrypto/x509/x_all.c b/src/lib/libcrypto/x509/x_all.c
index 5997714061..b5d50ae4ee 100644
--- a/src/lib/libcrypto/x509/x_all.c
+++ b/src/lib/libcrypto/x509/x_all.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_all.c,v 1.32 2024/06/19 08:00:53 tb Exp $ */
+/* $OpenBSD: x_all.c,v 1.33 2025/07/10 18:50:23 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -399,7 +399,11 @@ LCRYPTO_ALIAS(i2d_PKCS8PrivateKeyInfo_fp);
 int
 X509_verify(X509 *a, EVP_PKEY *r)
 {
-        if (X509_ALGOR_cmp(a->sig_alg, a->cert_info->signature))
+        /*
+         * The Certificate's signature AlgorithmIdentifier must match the one
+         * inside the TBSCertificate, see RFC 5280, 4.1.1.2, 4.1.2.3.
+         */
+        if (X509_ALGOR_cmp(a->sig_alg, a->cert_info->signature) != 0)
                return 0;
        return ASN1_item_verify(&X509_CINF_it, a->sig_alg,
            a->signature, a->cert_info, r);
author	tb <>	2025-07-10 18:50:23 +0000
committer	tb <>	2025-07-10 18:50:23 +0000
commit	d9deeb54499d42c1216437ac4884db22c3b696a1 (patch)
tree	d003b473b2b8dc8dfccc04a9fd3d34191e7b3eee /src
parent	7271e56bc7f8882f1d22ce1a617330e4fd975593 (diff)
download	openbsd-d9deeb54499d42c1216437ac4884db22c3b696a1.tar.gz openbsd-d9deeb54499d42c1216437ac4884db22c3b696a1.tar.bz2 openbsd-d9deeb54499d42c1216437ac4884db22c3b696a1.zip