diff options
| author | Job Snijders <job@cvs.openbsd.org> | 2021-10-07 12:59:30 +0000 |
|---|---|---|
| committer | Job Snijders <job@cvs.openbsd.org> | 2021-10-07 12:59:30 +0000 |
| commit | a77a4d9e29d341bda7156e4f8f60155661f5ed5e (patch) | |
| tree | eeff1ec851999b061d1b65ec2827adf2ed48e610 | |
| parent | 88b75da4fafb59e7fd50e32e5a5fb106c7ede070 (diff) | |
Make sure BGPsec router certs don't have a SIA
OK claudio@
| -rw-r--r-- | usr.sbin/rpki-client/cert.c | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c index 71d7480bb24..5331d9f1932 100644 --- a/usr.sbin/rpki-client/cert.c +++ b/usr.sbin/rpki-client/cert.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cert.c,v 1.35 2021/10/07 11:18:54 job Exp $ */ +/* $OpenBSD: cert.c,v 1.36 2021/10/07 12:59:29 job Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> * @@ -978,6 +978,7 @@ static struct cert * cert_parse_inner(X509 **xp, const char *fn, int ta) { int rc = 0, extsz, c; + int sia_present = 0; size_t i; X509 *x = NULL; X509_EXTENSION *ext = NULL; @@ -1029,6 +1030,7 @@ cert_parse_inner(X509 **xp, const char *fn, int ta) c = sbgp_assysnum(&p, ext); break; case NID_sinfo_access: + sia_present = 1; c = sbgp_sia(&p, ext); break; case NID_crl_distribution_points: @@ -1116,15 +1118,16 @@ cert_parse_inner(X509 **xp, const char *fn, int ta) goto out; } + if (p.res->purpose == CERT_PURPOSE_BGPSEC_ROUTER && sia_present) { + warnx("%s: BGPsec Router Certificate must not have SIA", p.fn); + goto out; + } + if (p.res->purpose == CERT_PURPOSE_CA && p.res->mft == NULL) { warnx("%s: RFC 6487 section 4.8.8: missing SIA", p.fn); goto out; } - /* - * XXX: also add opposite check: is any SIA present? - */ - if (X509_up_ref(x) == 0) errx(1, "%s: X509_up_ref failed", __func__); |