authorRob Austein <sra@hactrn.net>2012-06-24 15:31:28 +0000
committerRob Austein <sra@hactrn.net>2012-06-24 15:31:28 +0000
commit72d5c18cb464bdbe57b99d3a5cebb027a1c968c3 (patch)
treea6eee5e2b56548ba5cdb8febcabea895901650b1 /rcynic
parentc03e081ecdcf5ea92a7e701dbbb56c56d3489d13 (diff)
RFC 6485 contradicts RFCs 2630 and 3370, which make rsaEncryption the
mandatory-to-support CMS signatureAlgorithm OID. All known existing RPKI engines and validators use CMS engines which follow the base CMS specifications, so this is almost certainly an error in RFC 6485. Allow either rsaEncryption or sha256WithRSAEncryption, pending resolution of this issue by the IETF SIDR WG. svn path=/trunk/; revision=4554
Diffstat (limited to 'rcynic')
-rw-r--r--rcynic/rcynic.c17
1 files changed, 5 insertions, 12 deletions
diff --git a/rcynic/rcynic.c b/rcynic/rcynic.c
index 35901aaf..bdbeff55 100644
--- a/rcynic/rcynic.c
+++ b/rcynic/rcynic.c
@@ -545,8 +545,7 @@ struct rcynic_ctx {
int max_parallel_fetches, max_retries, retry_wait_min, run_rsync;
int allow_digest_mismatch, allow_crl_digest_mismatch;
int allow_nonconformant_name, allow_ee_without_signedObject;
- int allow_1024_bit_ee_key;
- int allow_wrong_cms_si_algorithms, allow_wrong_cms_si_attributes;
+ int allow_1024_bit_ee_key, allow_wrong_cms_si_attributes;
unsigned max_select_time, validation_status_creation_order;
log_level_t log_level;
X509_STORE *x509_store;
@@ -3751,17 +3750,16 @@ static int check_cms(rcynic_ctx_t *rc,
}
X509_ALGOR_get0(&oid, NULL, NULL, signature_alg);
- if (OBJ_obj2nid(oid) != NID_sha256WithRSAEncryption) {
+ i = OBJ_obj2nid(oid);
+ if (i != NID_sha256WithRSAEncryption && i != NID_rsaEncryption) {
log_validation_status(rc, uri, wrong_cms_si_signature_algorithm, generation);
- if (!rc->allow_wrong_cms_si_algorithms)
- goto error;
+ goto error;
}
X509_ALGOR_get0(&oid, NULL, NULL, digest_alg);
if (OBJ_obj2nid(oid) != NID_sha256) {
log_validation_status(rc, uri, wrong_cms_si_digest_algorithm, generation);
- if (!rc->allow_wrong_cms_si_algorithms)
- goto error;
+ goto error;
}
i = CMS_signed_get_attr_count(si);
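Review bot: The reason rsaEncryption is now accepted next to sha256WithRSAEncryption exists only in the commit message; a reader of check_cms sees a condition that contradicts RFC 6485 with no explanation, so the new `if` should carry a comment such as `/* RFC 6485 names sha256WithRSAEncryption, but RFCs 2630/3370 make rsaEncryption the mandatory CMS signatureAlgorithm and deployed signers use it; accept both pending SIDR WG resolution. */`. Separately, both X509_ALGOR_get0 calls pass NULL for the parameter type and value, so an AlgorithmIdentifier for either accepted OID that carries non-NULL parameters passes this check silently; if strict profile checking is wanted, fetch the type with `X509_ALGOR_get0(&oid, &ptype, NULL, signature_alg)` and reject unless `ptype == V_ASN1_UNDEF || ptype == V_ASN1_NULL` (and likewise for digest_alg). OBJ_obj2nid returns NID_undef for an unrecognised OID, which the new condition does reject, so no separate unknown-OID case is needed. check_cms begins before this hunk and continues after it.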
@@ -4873,7 +4871,6 @@ int main(int argc, char *argv[])
rc.allow_nonconformant_name = 1;
rc.allow_ee_without_signedObject = 1;
rc.allow_1024_bit_ee_key = 1;
- rc.allow_wrong_cms_si_algorithms = 1;
rc.allow_wrong_cms_si_attributes = 1;
rc.max_parallel_fetches = 1;
rc.max_retries = 3;
@@ -5086,10 +5083,6 @@ int main(int argc, char *argv[])
!configure_boolean(&rc, &rc.allow_1024_bit_ee_key, val->value))
goto done;
- else if (!name_cmp(val->name, "allow-wrong-cms-si-algorithms") &&
- !configure_boolean(&rc, &rc.allow_wrong_cms_si_algorithms, val->value))
- goto done;
-
else if (!name_cmp(val->name, "allow-wrong-cms-si-attributes") &&
!configure_boolean(&rc, &rc.allow_wrong_cms_si_attributes, val->value))
goto done;
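Review bot: Dropping the `allow-wrong-cms-si-algorithms` branch means a deployed rcynic.conf that still sets that key now falls through to whatever the tail of this else-if chain does with unrecognised option names, which is not visible in the hunk; if that tail treats an unknown name as a fatal error, every configuration carrying the old key stops loading at upgrade. Consider keeping a branch that matches the name and logs that the option is obsolete and ignored, so the hardening in check_cms cannot be worked around but existing configs keep parsing. The enclosing main() starts and ends outside this hunk.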