Diffstat (limited to 'rcynic/rcynic.c')
-rw-r--r-- | rcynic/rcynic.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/rcynic/rcynic.c b/rcynic/rcynic.c
index cb19734b..10f5f55d 100644
--- a/rcynic/rcynic.c
+++ b/rcynic/rcynic.c
@@ -216,6 +216,7 @@ static const struct {
 QB(bad_certificate_policy, "Bad certificate policy") \
 QB(bad_cms_econtenttype, "Bad CMS eContentType") \
 QB(bad_cms_si_contenttype, "Bad CMS SI ContentType") \
+ QB(bad_cms_signer, "Bad CMS signer") \
 QB(bad_cms_signer_infos, "Bad CMS signerInfos") \
 QB(bad_crl, "Bad CRL") \
 QB(bad_ipaddrblocks, "Bad IPAddrBlocks extension") \
@@ -4116,6 +4117,7 @@ static int check_cms(rcynic_ctx_t *rc,
 X509_NAME *si_issuer = NULL;
 ASN1_INTEGER *si_serial = NULL;
 STACK_OF(X509_CRL) *crls = NULL;
+ STACK_OF(X509) *certs = NULL;
 X509_ALGOR *signature_alg = NULL, *digest_alg = NULL;
 ASN1_OBJECT *oid = NULL;
 hashbuf_t hashbuf;
@@ -4178,6 +4180,13 @@ static int check_cms(rcynic_ctx_t *rc,
 goto error;
 }

+ if ((certs = CMS_get1_certs(cms)) == NULL ||
+ sk_X509_num(certs) != 1 ||
+ X509_cmp(x, sk_X509_value(certs, 0))) {
+ log_validation_status(rc, uri, bad_cms_signer, generation);
+ goto error;
+ }
+
 X509_ALGOR_get0(&oid, NULL, NULL, signature_alg);
 i = OBJ_obj2nid(oid);
 if (i != NID_sha256WithRSAEncryption && i != NID_rsaEncryption) {
@@ -4246,6 +4255,7 @@ static int check_cms(rcynic_ctx_t *rc,
 error:
 CMS_ContentInfo_free(cms);
 sk_X509_CRL_pop_free(crls, X509_CRL_free);
+ sk_X509_pop_free(certs, X509_free);
 return result;
 }
|
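Review bot: The new signer check in the third hunk of check_cms() carries no comment explaining why exactly one embedded certificate is required, and it folds three distinct conditions into the single `bad_cms_signer` status: `CMS_get1_certs()` returning NULL (which may also be an allocation failure), a certificate count other than one, and a certificate that differs from `x`. I would add a comment above the `if`, for example `/* RPKI signed objects must carry exactly one certificate, the EE certificate that signed them (RFC 6488 section 2.1.4) */`, so the intent survives later edits. `x` is assigned outside this hunk, so the check is only as strong as the earlier code that binds `x` to the verified signerInfo; it is worth confirming that `x` comes from the signer lookup rather than from the same unauthenticated certificate set. The function body starts and ends outside the hunk, and the matching release of `certs` is in the last hunk at the `error:` label.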