From: Dr. David von Oheimb Date: Fri, 8 Jan 2021 06:43:56 +0000 (+0100) Subject: apps/cmp.c: Check self-signature on CSR input and warn on failure X-Git-Tag: openssl-3.0.0-alpha11~46 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6b63b7b61e50eadee6b274f7c0d1abd2e3fca3af;p=thirdparty%2Fopenssl.git apps/cmp.c: Check self-signature on CSR input and warn on failure Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13841)
---
diff --git a/apps/cmp.c b/apps/cmp.c
index 223a6ae3d16..464b3473584 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -673,6 +673,14 @@ static X509_REQ *load_csr_autofmt(const char *infile, const char *desc)
 ERR_print_errors(bio_err);
 BIO_printf(bio_err, "error: unable to load %s from file '%s'\n", desc, infile);
+ } else {
+ EVP_PKEY *pkey = X509_REQ_get0_pubkey(csr);
+ int ret = do_X509_REQ_verify(csr, pkey, NULL /* vfyopts */);
+
+ if (pkey == NULL || ret < 0)
+ CMP_warn("error while verifying CSR self-signature");
+ else if (ret == 0)
+ CMP_warn("CSR self-signature does not match the contents");
 }
 return csr;
 }
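Review bot: In the new `else` branch of load_csr_autofmt, `do_X509_REQ_verify(csr, pkey, NULL)` runs before `pkey == NULL` is tested, so a CSR whose public key cannot be extracted is still handed to the verifier, and the code relies on that helper tolerating a NULL key (its body is not visible here). Guarding the call makes the order explicit: `int ret = pkey == NULL ? -1 : do_X509_REQ_verify(csr, pkey, NULL /* vfyopts */);` followed by `if (ret < 0)`. Both failure paths only warn and the function still returns `csr`, so a comment above `return csr;` such as `/* csr is returned even if its self-signature is invalid; callers must not treat its contents as verified */` would keep later callers from assuming proof of possession was checked. Unlike the load-failure branch, the `ret < 0` path does not call `ERR_print_errors(bio_err)`, so the underlying cause may stay in the error queue unreported. The beginning of the function lies outside the hunk.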