Check for bad DN qualifiers on signer certificates (#2716).

author: Carl Hetherington <cth@carlh.net> 2024-01-08 19:01:21 +0100
committer: Carl Hetherington <cth@carlh.net> 2024-01-09 11:54:17 +0100
commit: 69a84c50d0e1196c3a83883173e4a301ff550364 (patch)
tree: 2d9342d791e46d04223f5ed589114f637ab077cf /src/lib/config.cc
parent: 12d1abf033654727d6ab6278087ff7cfc65d63f6 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/src/lib/config.cc b/src/lib/config.cc
index 45fc61923..1bb2f3c6a 100644
--- a/src/lib/config.cc
+++ b/src/lib/config.cc
@@ -501,6 +501,7 @@ try
 			case BAD_SIGNER_UTF8_STRINGS:
 			case BAD_SIGNER_INCONSISTENT:
 			case BAD_SIGNER_VALIDITY_TOO_LONG:
+			case BAD_SIGNER_DN_QUALIFIER:
 				_signer_chain = create_certificate_chain ();
 				break;
 			case BAD_DECRYPTION_INCONSISTENT:
@@ -1590,6 +1591,9 @@ Config::check_certificates () const
 		if ((i.not_after().year() - i.not_before().year()) > 15) {
 			bad = BAD_SIGNER_VALIDITY_TOO_LONG;
 		}
+		if (dcp::escape_digest(i.subject_dn_qualifier()) != dcp::public_key_digest(i.public_key())) {
+			bad = BAD_SIGNER_DN_QUALIFIER;
+		}
 	}
 
 	if (!_signer_chain->chain_valid() || !_signer_chain->private_key_valid()) {
author	Carl Hetherington <cth@carlh.net>	2024-01-08 19:01:21 +0100
committer	Carl Hetherington <cth@carlh.net>	2024-01-09 11:54:17 +0100
commit	69a84c50d0e1196c3a83883173e4a301ff550364 (patch)
tree	2d9342d791e46d04223f5ed589114f637ab077cf /src/lib/config.cc
parent	12d1abf033654727d6ab6278087ff7cfc65d63f6 (diff)