authorRichard Levitte <levitte@openssl.org>2018-12-18 09:14:51 +0100
committerRichard Levitte <levitte@openssl.org>2018-12-19 13:33:54 +0100
commitffd2df135a5d9f6d2627bd125f362298430fdc06 (patch)
tree5c13617bd3bbaaef09863e84a444b07d2a9eb5d1 /crypto/x509/x509_txt.c
parent5aa2a7ea41d7137640cb0914807fd1202b920543 (diff)
X509_check_issued: check that signature algo matches signing key algo
This implements 3.5.18 "Consistent Public Key and Signature Algorithms" from RFC 4158 "Internet X.509 Public Key Infrastructure: Certification Path Building" Ref: https://tools.ietf.org/html/rfc4158#section-3.5.18 Fixes #7899 Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/7919)
Diffstat (limited to 'crypto/x509/x509_txt.c')
-rw-r--r--crypto/x509/x509_txt.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/crypto/x509/x509_txt.c b/crypto/x509/x509_txt.c
index 299c355123..767d33b48a 100644
--- a/crypto/x509/x509_txt.c
+++ b/crypto/x509/x509_txt.c
@@ -174,6 +174,10 @@ const char *X509_verify_cert_error_string(long n)
return "OCSP verification failed";
case X509_V_ERR_OCSP_CERT_UNKNOWN:
return "OCSP unknown cert";
+ case X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH:
+ return "Subject signature algorithm and issuer public key algorithm mismatch";
+ case X509_V_ERR_NO_ISSUER_PUBLIC_KEY:
+ return "Issuer certificate doesn't have a public key";
default:
/* Printing an error number into a static buffer is not thread-safe */