authorJob Snijders <job@cvs.openbsd.org>2022-11-03 00:00:54 +0000
committerJob Snijders <job@cvs.openbsd.org>2022-11-03 00:00:54 +0000
commit17c3f5fb4f25bdfecce2507082914bacd56f6d94 (patch)
tree68e67b15280ed12ecb729342461edec6f0bf92d5
parent71b0dedf1ddd8068eebae0fdb5a05ff96a085c87 (diff)
Permit only keyCertSign and CRLSign in CA KeyUsage extension
OK tb@
-rw-r--r--usr.sbin/rpki-client/cert.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index 19ec62bf138..c6fcec3cd30 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.90 2022/11/02 23:20:59 job Exp $ */
+/* $OpenBSD: cert.c,v 1.91 2022/11/03 00:00:53 job Exp $ */
/*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2021 Job Snijders <job@openbsd.org>
@@ -721,6 +721,11 @@ cert_parse_pre(const char *fn, const unsigned char *der, size_t len)
switch (p.res->purpose) {
case CERT_PURPOSE_CA:
+ if (X509_get_key_usage(x) != (KU_KEY_CERT_SIGN | KU_CRL_SIGN)) {
+ warnx("%s: RFC 6487 section 4.8.4: key usage violation",
+ p.fn);
+ goto out;
+ }
if (p.res->mft == NULL) {
warnx("%s: RFC 6487 section 4.8.8: missing SIA", p.fn);
goto out;