From 6b63b7b61e50eadee6b274f7c0d1abd2e3fca3af Mon Sep 17 00:00:00 2001
From: "Dr. David von Oheimb"
Date: Fri, 8 Jan 2021 07:43:56 +0100
Subject: [PATCH] apps/cmp.c: Check self-signature on CSR input and warn on failure

Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/13841)
---
 apps/cmp.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/apps/cmp.c b/apps/cmp.c
index 223a6ae3d16..464b3473584 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -673,6 +673,14 @@ static X509_REQ *load_csr_autofmt(const char *infile, const char *desc)
         ERR_print_errors(bio_err);
         BIO_printf(bio_err, "error: unable to load %s from file '%s'\n",
                    desc, infile);
+    } else {
+        EVP_PKEY *pkey = X509_REQ_get0_pubkey(csr);
+        int ret = do_X509_REQ_verify(csr, pkey, NULL /* vfyopts */);
+
+        if (pkey == NULL || ret < 0)
+            CMP_warn("error while verifying CSR self-signature");
+        else if (ret == 0)
+            CMP_warn("CSR self-signature does not match the contents");
     }
     return csr;
 }
-- 
2.47.3
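Review bot: The two CMP_warn() branches in the new else block discard the reason for the failure: when X509_REQ_get0_pubkey() returns NULL or do_X509_REQ_verify() returns < 0 (and presumably also on a 0 result, since a signature mismatch is normally queued as a library error), the entries left on the OpenSSL error queue are neither printed nor cleared, unlike the load-failure branch just above, which calls ERR_print_errors(bio_err). The operator then sees only "error while verifying CSR self-signature" with no underlying cause, and the stale queue entries can surface later in an unrelated ERR_print_errors() call and be misattributed. Since the commit deliberately only warns and still returns the CSR, the minimal fix is to drain the queue in the warning path, e.g. `if (pkey == NULL || ret < 0) { ERR_print_errors(bio_err); CMP_warn("error while verifying CSR self-signature"); }`, and likewise before the mismatch warning. As a minor point of style, do_X509_REQ_verify() is invoked even when pkey is already NULL; testing `pkey == NULL` first and skipping the verify call would avoid relying on the helper's handling of a NULL key. load_csr_autofmt() begins outside the hunk, so I cannot confirm how csr is obtained or whether the caller enforces the self-signature elsewhere.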