From 977bcac2d56a8793ed93b4aac7016ef36b51a07f Mon Sep 17 00:00:00 2001
From: Dimitri Staessens
Date: Fri, 12 Jun 2026 19:34:27 +0200
Subject: irmd: Add issuer and digest pinning to OAP

A peer certificate that verifies against the CA store could have been issued by any trusted CA, and a peer could pick any supported digest for its signature. Tighten the authentication contract with two local policies. cacert= pins the issuing CA: a peer certificate, if presented, must chain through the pinned CA. Whether a certificate is mandatory at all remains controlled by auth= alone. digest= now also pins the signature digest: a classical peer must sign with the locally configured digest, and may not omit the digest NID to fall back to the key's default digest. PQC signatures (ML-DSA, SLH-DSA) have an intrinsic digest and may be NID_undef.

Signed-off-by: Dimitri Staessens
Signed-off-by: Sander Vrijders
---
 src/irmd/oap/cli.c | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)
(limited to 'src/irmd/oap/cli.c')
diff --git a/src/irmd/oap/cli.c b/src/irmd/oap/cli.c
index d38f38dd..113abc4c 100644
--- a/src/irmd/oap/cli.c
+++ b/src/irmd/oap/cli.c
@@ -534,17 +534,11 @@ int oap_cli_complete(void * ctx,
 }

 /* Authenticate server */
- if (oap_auth_peer(peer, &s->local_hdr, &peer_hdr) < 0) {
+ if (oap_auth_peer(peer, &s->kcfg, &s->local_hdr, &peer_hdr) < 0) {
 log_err_id(id, "Failed to authenticate server.");
 goto fail_oap;
 }

- /* Required peer auth makes sig and name binding mandatory */
- if (s->kcfg.req_auth && peer_hdr.crt.len == 0) {
- log_err_id(id, "Server did not provide a certificate.");
- goto fail_oap;
- }
-
 /* Verify request hash in authenticated response */
 if (peer_hdr.req_hash.len == 0) {
 log_err_id(id, "Response missing req_hash.");
--
cgit v1.2.3
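Review bot: With the explicit `s->kcfg.req_auth && peer_hdr.crt.len == 0` check removed from oap_cli_complete, rejecting a server response that carries no certificate now depends entirely on oap_auth_peer acting on the `&s->kcfg` it is passed, and that function is not visible here because the page is limited to src/irmd/oap/cli.c. If the mandatory-certificate test was not moved into the callee, a server could get through unauthenticated while auth is required, so this should be confirmed and covered by a test with req_auth set and an empty `peer_hdr.crt`. The call site also loses the comment that stated the invariant; provided it matches the callee, I would replace `/* Authenticate server */` with `/* Authenticate server: oap_auth_peer enforces req_auth, cacert= and digest= pinning from kcfg */`. Unless oap_auth_peer logs its own reason, the specific "Server did not provide a certificate." message is folded into the generic "Failed to authenticate server." line, which makes a missing-certificate downgrade harder to spot in logs. The body of oap_cli_complete starts and ends outside the hunk.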