summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorClaudio Jeker <claudio@cvs.openbsd.org>2022-04-01 13:27:39 +0000
committerClaudio Jeker <claudio@cvs.openbsd.org>2022-04-01 13:27:39 +0000
commitb3247f6c71c312e174a2261d155f4891f524eec4 (patch)
tree9eca41b4cf4140e389bd9020751028e3e4468ae5
parentb8bb549a485d344d71053485a7d7929f20751989 (diff)
Move the TA specific checks from cert_parse_inner() to ta_parse() and
the regular cert checks from cert_parse_inner() to cert_parse(). OK tb@
-rw-r--r--usr.sbin/rpki-client/cert.c96
1 files changed, 49 insertions, 47 deletions
diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index 1b288512049..c2f2f814fae 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.57 2022/04/01 10:00:41 tb Exp $ */
+/* $OpenBSD: cert.c,v 1.58 2022/04/01 13:27:38 claudio Exp $ */
/*
* Copyright (c) 2021 Job Snijders <job@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -1171,11 +1171,6 @@ cert_parse_inner(const char *fn, const unsigned char *der, size_t len, int ta)
p.fn);
goto out;
}
- if (ta) {
- warnx("%s: BGPsec cert can not be a trust anchor",
- p.fn);
- goto out;
- }
break;
default:
warnx("%s: x509_get_purpose failed in %s", p.fn, __func__);
@@ -1187,38 +1182,6 @@ cert_parse_inner(const char *fn, const unsigned char *der, size_t len, int ta)
goto out;
}
- if (ta && p.res->aki != NULL && strcmp(p.res->aki, p.res->ski)) {
- warnx("%s: RFC 6487 section 8.4.2: "
- "trust anchor AKI, if specified, must match SKI", p.fn);
- goto out;
- }
-
- if (!ta && p.res->aki == NULL) {
- warnx("%s: RFC 6487 section 8.4.2: "
- "non-trust anchor missing AKI", p.fn);
- goto out;
- } else if (!ta && strcmp(p.res->aki, p.res->ski) == 0) {
- warnx("%s: RFC 6487 section 8.4.2: "
- "non-trust anchor AKI may not match SKI", p.fn);
- goto out;
- }
-
- if (!ta && p.res->aia == NULL) {
- warnx("%s: RFC 6487 section 8.4.7: "
- "non-trust anchor missing AIA", p.fn);
- goto out;
- } else if (ta && p.res->aia != NULL) {
- warnx("%s: RFC 6487 section 8.4.7: "
- "trust anchor must not have AIA", p.fn);
- goto out;
- }
-
- if (ta && p.res->crl != NULL) {
- warnx("%s: RFC 6487 section 8.4.2: "
- "trust anchor may not specify CRL resource", p.fn);
- goto out;
- }
-
p.res->x509 = x;
rc = 1;
@@ -1233,7 +1196,31 @@ out:
struct cert *
cert_parse(const char *fn, const unsigned char *der, size_t len)
{
- return cert_parse_inner(fn, der, len, 0);
+ struct cert *p;
+
+ if ((p = cert_parse_inner(fn, der, len, 0)) == NULL)
+ return NULL;
+
+ if (p->aki == NULL) {
+ warnx("%s: RFC 6487 section 8.4.2: "
+ "non-trust anchor missing AKI", fn);
+ goto badcert;
+ }
+ if (strcmp(p->aki, p->ski) == 0) {
+ warnx("%s: RFC 6487 section 8.4.2: "
+ "non-trust anchor AKI may not match SKI", fn);
+ goto badcert;
+ }
+ if (p->aia == NULL) {
+ warnx("%s: RFC 6487 section 8.4.7: "
+ "non-trust anchor missing AIA", fn);
+ goto badcert;
+ }
+ return p;
+
+badcert:
+ cert_free(p);
+ return NULL;
}
struct cert *
@@ -1243,7 +1230,6 @@ ta_parse(const char *fn, const unsigned char *der, size_t len,
ASN1_TIME *notBefore, *notAfter;
EVP_PKEY *pk = NULL, *opk = NULL;
struct cert *p;
- int rc = 0;
if ((p = cert_parse_inner(fn, der, len, 1)) == NULL)
return NULL;
@@ -1279,17 +1265,33 @@ ta_parse(const char *fn, const unsigned char *der, size_t len,
warnx("%s: certificate has expired", fn);
goto badcert;
}
+ if (p->aki != NULL && strcmp(p->aki, p->ski)) {
+ warnx("%s: RFC 6487 section 8.4.2: "
+ "trust anchor AKI, if specified, must match SKI", fn);
+ goto badcert;
+ }
+ if (p->aia != NULL) {
+ warnx("%s: RFC 6487 section 8.4.7: "
+ "trust anchor must not have AIA", fn);
+ goto badcert;
+ }
+ if (p->crl != NULL) {
+ warnx("%s: RFC 6487 section 8.4.2: "
+ "trust anchor may not specify CRL resource", fn);
+ goto badcert;
+ }
+ if (p->purpose == CERT_PURPOSE_BGPSEC_ROUTER) {
+ warnx("%s: BGPsec cert cannot be a trust anchor", fn);
+ goto badcert;
+ }
- rc = 1;
+ EVP_PKEY_free(pk);
+ return p;
badcert:
EVP_PKEY_free(pk);
- if (rc == 0) {
- cert_free(p);
- p = NULL;
- }
-
- return p;
+ cert_free(p);
+ return NULL;
}
/*