- if (!OBJ_find_sigid_by_algs(&algNID, ctx->digest,
- EVP_PKEY_id(ctx->pkey))) {
- CMPerr(0, CMP_R_UNSUPPORTED_KEY_TYPE);
- goto err;
- }
- if ((alg = OBJ_nid2obj(algNID)) == NULL)
- goto err;
- if (!X509_ALGOR_set0(msg->header->protectionAlg,
- alg, V_ASN1_UNDEF, NULL)) {
- ASN1_OBJECT_free(alg);
- goto err;
- }
-
- /*
- * set senderKID to keyIdentifier of the used certificate according
- * to section 5.1.1
- */
- subjKeyIDStr = X509_get0_subject_key_id(ctx->clCert);
- if (subjKeyIDStr == NULL)
- subjKeyIDStr = ctx->referenceValue; /* fallback */
- if (subjKeyIDStr != NULL
- && !ossl_cmp_hdr_set1_senderKID(msg->header, subjKeyIDStr))
- goto err;
+ /* make sure that key and certificate match */
+ if (!X509_check_private_key(ctx->clCert, ctx->pkey)) {
+ CMPerr(0, CMP_R_CERT_AND_KEY_DO_NOT_MATCH);
+ goto err;
+ }