mirrors/openssl
0
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2024-11-23 10:03:32 +08:00
Code Issues Packages Projects Releases Wiki Activity

Add Version Check for CSR Verification

Browse Source 
Fixes #5738: This change introduces a check for the version number of a CSR document before its signature is verified. If the version number is not 1 (encoded as zero), the verification function fails with an `X509_R_UNSUPPORTED_VERSION` error.

To minimize impact, this check is only applied when verifying a certificate signing request using the `-verify` argument, resulting in a `X509_REQ_verify` call. This ensures that malformed certificate requests are rejected by a certification authority, enhancing security and preventing potential issues.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24677)
This commit is contained in:
erbsland-dev 2024-06-19 14:02:06 +02:00 committed by Neil Horman
parent 03448ba21b
commit 7fab3c7d61
4 changed files with 11 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
crypto/err/openssl.txt
View File

@ -1841,5 +1841,6 @@ X509_R_UNKNOWN_PURPOSE_ID:121:unknown purpose id
X509_R_UNKNOWN_SIGID_ALGS:144:unknown sigid algs
X509_R_UNKNOWN_TRUST_ID:120:unknown trust id
X509_R_UNSUPPORTED_ALGORITHM:111:unsupported algorithm
X509_R_UNSUPPORTED_VERSION:145:unsupported version
X509_R_WRONG_LOOKUP_TYPE:112:wrong lookup type
X509_R_WRONG_TYPE:122:wrong type

4
crypto/x509/x509_err.c
View File

@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -79,6 +79,8 @@ static const ERR_STRING_DATA X509_str_reasons[] = {
{ERR_PACK(ERR_LIB_X509, 0, X509_R_UNKNOWN_TRUST_ID), "unknown trust id"},
{ERR_PACK(ERR_LIB_X509, 0, X509_R_UNSUPPORTED_ALGORITHM),
"unsupported algorithm"},
{ERR_PACK(ERR_LIB_X509, 0, X509_R_UNSUPPORTED_VERSION),
"unsupported version"},
{ERR_PACK(ERR_LIB_X509, 0, X509_R_WRONG_LOOKUP_TYPE), "wrong lookup type"},
{ERR_PACK(ERR_LIB_X509, 0, X509_R_WRONG_TYPE), "wrong type"},
{0, NULL}

5
crypto/x509/x_all.c
View File

@ -43,6 +43,11 @@ int X509_verify(X509 *a, EVP_PKEY *r)
int X509_REQ_verify_ex(X509_REQ *a, EVP_PKEY *r, OSSL_LIB_CTX *libctx,
const char *propq)
{
if (X509_REQ_get_version(a) != X509_REQ_VERSION_1) {
ERR_raise(ERR_LIB_X509, X509_R_UNSUPPORTED_VERSION);
return -1;
}
return ASN1_item_verify_ex(ASN1_ITEM_rptr(X509_REQ_INFO), &a->sig_alg,
a->signature, &a->req_info, a->distinguishing_id,
r, libctx, propq);

3
include/openssl/x509err.h
View File

@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -63,6 +63,7 @@
# define X509_R_UNKNOWN_SIGID_ALGS 144
# define X509_R_UNKNOWN_TRUST_ID 120
# define X509_R_UNSUPPORTED_ALGORITHM 111
# define X509_R_UNSUPPORTED_VERSION 145
# define X509_R_WRONG_LOOKUP_TYPE 112
# define X509_R_WRONG_TYPE 122