From 0220530ba546b5939e0f100f351e5ce471c4463d Mon Sep 17 00:00:00 2001
From: tb <>
Date: Thu, 10 Jul 2025 18:50:23 +0000
Subject: X509_verify(): sync with X509_CRL_verify()

Check X509_ALGOR_cmp() explicitly against 0 and add an explanatory comment
referring to the relevant RFC 5280 sections.

ok beck kenjiro
---
 src/lib/libcrypto/x509/x_all.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/lib/libcrypto/x509/x_all.c b/src/lib/libcrypto/x509/x_all.c
index 5997714061..b5d50ae4ee 100644
--- a/src/lib/libcrypto/x509/x_all.c
+++ b/src/lib/libcrypto/x509/x_all.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_all.c,v 1.32 2024/06/19 08:00:53 tb Exp $ */
+/* $OpenBSD: x_all.c,v 1.33 2025/07/10 18:50:23 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -399,7 +399,11 @@ LCRYPTO_ALIAS(i2d_PKCS8PrivateKeyInfo_fp);
 int
 X509_verify(X509 *a, EVP_PKEY *r)
 {
-	if (X509_ALGOR_cmp(a->sig_alg, a->cert_info->signature))
+	/*
+	 * The Certificate's signature AlgorithmIdentifier must match the one
+	 * inside the TBSCertificate, see RFC 5280, 4.1.1.2, 4.1.2.3.
+	 */
+	if (X509_ALGOR_cmp(a->sig_alg, a->cert_info->signature) != 0)
 		return 0;
 	return ASN1_item_verify(&X509_CINF_it, a->sig_alg,
 	    a->signature, a->cert_info, r);
-- 
cgit v1.2.3-55-g6feb