summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTheo Buehler <tb@cvs.openbsd.org>2022-02-04 16:21:12 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2022-02-04 16:21:12 +0000
commit542bd7961519dc8a44bd3ba9a133ccaa49f5aa7d (patch)
treef750a4c87a14737efc9883d49c97e777e0659203
parent10f7c295a5ef8d6b1500366c099527a9d684187f (diff)
Enforce Certificate Policy for RPKI
RFCs 6384 defines a certificate policy for RPKI. Ensure that the verifier builds a certification path that follows this OID: set up a policy on the X509_STORE_CTX's verify parameters and set initial-explicit-policy and initial-policy-mapping-inhibit. Pointed out by Ties de Kock ok claudio
-rw-r--r--usr.sbin/rpki-client/parser.c18
1 files changed, 15 insertions, 3 deletions
diff --git a/usr.sbin/rpki-client/parser.c b/usr.sbin/rpki-client/parser.c
index 37250f3c45d..40ded4f163c 100644
--- a/usr.sbin/rpki-client/parser.c
+++ b/usr.sbin/rpki-client/parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: parser.c,v 1.58 2022/01/28 15:30:23 claudio Exp $ */
+/* $OpenBSD: parser.c,v 1.59 2022/02/04 16:21:11 tb Exp $ */
/*
* Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -47,6 +47,8 @@ static X509_STORE_CTX *ctx;
static struct auth_tree auths = RB_INITIALIZER(&auths);
static struct crl_tree crlt = RB_INITIALIZER(&crlt);
+extern ASN1_OBJECT *certpol_oid;
+
struct parse_repo {
RB_ENTRY(parse_repo) entry;
char *path;
@@ -206,6 +208,8 @@ static int
valid_x509(char *file, X509 *x509, struct auth *a, struct crl *crl,
unsigned long flags, int nowarn)
{
+ X509_VERIFY_PARAM *params;
+ ASN1_OBJECT *cp_oid;
STACK_OF(X509) *chain;
STACK_OF(X509_CRL) *crls = NULL;
int c;
@@ -217,11 +221,19 @@ valid_x509(char *file, X509 *x509, struct auth *a, struct crl *crl,
if (!X509_STORE_CTX_init(ctx, NULL, x509, NULL))
cryptoerrx("X509_STORE_CTX_init");
+ if ((params = X509_STORE_CTX_get0_param(ctx)) == NULL)
+ cryptoerrx("X509_STORE_CTX_get0_param");
+ if ((cp_oid = OBJ_dup(certpol_oid)) == NULL)
+ cryptoerrx("OBJ_dup");
+ if (!X509_VERIFY_PARAM_add0_policy(params, cp_oid))
+ cryptoerrx("X509_VERIFY_PARAM_add0_policy");
+
X509_STORE_CTX_set_verify_cb(ctx, verify_cb);
if (!X509_STORE_CTX_set_app_data(ctx, file))
cryptoerrx("X509_STORE_CTX_set_app_data");
- if (flags != 0)
- X509_STORE_CTX_set_flags(ctx, flags);
+ flags |= X509_V_FLAG_EXPLICIT_POLICY;
+ flags |= X509_V_FLAG_INHIBIT_MAP;
+ X509_STORE_CTX_set_flags(ctx, flags);
X509_STORE_CTX_set_depth(ctx, MAX_CERT_DEPTH);
X509_STORE_CTX_set0_trusted_stack(ctx, chain);
X509_STORE_CTX_set0_crls(ctx, crls);