From: Matt Caswell <matt@openssl.org>
Date: Tue, 25 May 2021 13:39:29 +0000 (+0100)
Subject: Update check_sig_alg_match() to work with provided keys
X-Git-Tag: openssl-3.0.0-beta1~301
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0a4e660a273d6d33cfc1608ed48d6e560ae970ed;p=thirdparty%2Fopenssl.git

Update check_sig_alg_match() to work with provided keys

Use EVP_PKEY_is_a() to check whether an EVP_PKEY is compatible with the
given signature.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15528)
---

diff --git a/crypto/x509/v3_purp.c b/crypto/x509/v3_purp.c
index ede556d8ef0..bcec4194faf 100644
--- a/crypto/x509/v3_purp.c
+++ b/crypto/x509/v3_purp.c
@@ -366,16 +366,15 @@ static int setup_crldp(X509 *x)
 /* Check that issuer public key algorithm matches subject signature algorithm */
 static int check_sig_alg_match(const EVP_PKEY *issuer_key, const X509 *subject)
 {
-    int signer_nid, subj_sig_nid;
+    int subj_sig_nid;
 
     if (issuer_key == NULL)
         return X509_V_ERR_NO_ISSUER_PUBLIC_KEY;
-    signer_nid = EVP_PKEY_base_id(issuer_key);
     if (OBJ_find_sigid_algs(OBJ_obj2nid(subject->cert_info.signature.algorithm),
                             NULL, &subj_sig_nid) == 0)
          return X509_V_ERR_UNSUPPORTED_SIGNATURE_ALGORITHM;
-    if (signer_nid == EVP_PKEY_type(subj_sig_nid)
-        || (signer_nid == NID_rsaEncryption && subj_sig_nid == NID_rsassaPss))
+    if (EVP_PKEY_is_a(issuer_key, OBJ_nid2sn(subj_sig_nid))
+        || (EVP_PKEY_is_a(issuer_key, "RSA") && subj_sig_nid == NID_rsassaPss))
         return X509_V_OK;
     return X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH;
 }