| author | Job Snijders <job@cvs.openbsd.org> | 2022-08-10 14:37:34 +0000 |
|---|---|---|
| committer | Job Snijders <job@cvs.openbsd.org> | 2022-08-10 14:37:34 +0000 |
| commit | 491d18d9626742f04e8609b64c69f89887323e36 (patch) | |
| tree | a77e5be7a8623be1329dac13ee1f6b187187fcfc | |
| parent | 70f52e578b54c2e9d80f2255bb9c3130088a13e6 (diff) | |
Disallow AS Resources extension on ROA EE certificates
The ROA specification (RFC 6482 section 4) is a bit underspecified, however
in the wild the RFC 3779 AS Resources extension never ever appears on ROA EE
certificates, as it serves no purpose in the validation process.
OK tb@
| -rw-r--r-- | usr.sbin/rpki-client/roa.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/usr.sbin/rpki-client/roa.c b/usr.sbin/rpki-client/roa.c index 0b5ff2832f7..b525a2bcf06 100644 --- a/usr.sbin/rpki-client/roa.c +++ b/usr.sbin/rpki-client/roa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: roa.c,v 1.47 2022/06/10 10:36:43 tb Exp $ */ +/* $OpenBSD: roa.c,v 1.48 2022/08/10 14:37:33 job Exp $ */ /* * Copyright (c) 2022 Theo Buehler <tb@openbsd.org> * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> @@ -229,6 +229,11 @@ roa_parse(X509 **x509, const char *fn, const unsigned char *der, size_t len) goto out; } + if (X509_get_ext_by_NID(*x509, NID_sbgp_autonomousSysNum, -1) != -1) { + warnx("%s: superfluous AS Resources extension present", fn); + goto out; + } + at = X509_get0_notAfter(*x509); if (at == NULL) { warnx("%s: X509_get0_notAfter failed", fn); |
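Review bot: In the `roa_parse` hunk, the new check compares the result of `X509_get_ext_by_NID(*x509, NID_sbgp_autonomousSysNum, -1)` against `-1`, but that function returns -1 only for "not found"; an unmappable NID yields -2, which this comparison would also treat as "extension present". With a compile-time constant NID that path cannot trigger, but `>= 0` states the intent (an extension index was found) directly and is robust if the lookup is ever generalized. Separately, this turns a certificate that is valid under RFC 3779 into a hard reject (`goto out`) without any in-source rationale; since the commit message itself notes RFC 6482 section 4 is underspecified, a one-line comment above the check, e.g. `/* RFC 6482 section 4: AS Resources serve no purpose on a ROA EE cert */`, would help future maintainers and operators who see the `superfluous AS Resources extension present` warning understand why the ROA was dropped.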