authorDr. David von Oheimb <David.von.Oheimb@siemens.com>2021-01-08 07:43:56 +0100
committerDr. David von Oheimb <dev@ddvo.net>2021-01-21 17:53:26 +0100
commit6b63b7b61e50eadee6b274f7c0d1abd2e3fca3af (patch)
treec375d5ae4002de4edcd5949edf9b4c71bea86bfc /apps
parent92d619450ad70a81252028d1daa0b8f2efb51a1d (diff)
apps/cmp.c: Check self-signature on CSR input and warn on failure
Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13841)
Diffstat (limited to 'apps')
-rw-r--r--apps/cmp.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/apps/cmp.c b/apps/cmp.c
index 223a6ae3d1..464b347358 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -673,6 +673,14 @@ static X509_REQ *load_csr_autofmt(const char *infile, const char *desc)
ERR_print_errors(bio_err);
BIO_printf(bio_err, "error: unable to load %s from file '%s'\n", desc,
infile);
+ } else {
+ EVP_PKEY *pkey = X509_REQ_get0_pubkey(csr);
+ int ret = do_X509_REQ_verify(csr, pkey, NULL /* vfyopts */);
+
+ if (pkey == NULL || ret < 0)
+ CMP_warn("error while verifying CSR self-signature");
+ else if (ret == 0)
+ CMP_warn("CSR self-signature does not match the contents");
}
return csr;
}
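Review bot: Both failure paths in the new `else` branch only call `CMP_warn()` and then fall through to `return csr;`, so a caller cannot tell a CSR whose self-signature failed to verify from one that passed. If that is deliberate, as the commit title suggests, a comment such as `/* advisory check only: csr is returned even if its self-signature fails */` would make it explicit. The `pkey == NULL` test runs only after `pkey` has been passed to `do_X509_REQ_verify()`, so it would read more clearly as a guard before the call. Any entries the failed verification leaves on the OpenSSL error queue do not appear to be printed or cleared here, unlike the load-failure branch above, which calls `ERR_print_errors(bio_err)`, so they could surface later next to an unrelated error. The start of `load_csr_autofmt` is outside the hunk.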