author: Theo Buehler <tb@cvs.openbsd.org> 2022-08-19 12:45:54 +0000
committer: Theo Buehler <tb@cvs.openbsd.org> 2022-08-19 12:45:54 +0000
commit: b1173eba134e45ed667af7eb737a1b188b35f10c (patch)
tree: 516a709c69383eff8eed36282bb9a28442848b9c /usr.sbin/bgplgd
parent: 0bb941214e1ebd5f2444a4012b67cda053c85eaf (diff)

Check the resources in ROAs and RSCs against EE certs

The resources delegated in the RFC 3779 extensions of the EE cert for ROAs or RSCs can be a subset of the resources in the auth chain. So far we compared that the resources of ROAs and RSCs are covered by the auth chain, which is not entirely correct. Extract the necessary data from the EE cert into rpki-client's own data structures, then verify that the EE cert's resources cover the ones claimed in the ROA or RSC. Do this as part of ROA and RSC parsing, that the EE cert's resources are covered by the auth chain is checked in valid_x509() later on.

All this is a bit more annoying and intrusive than it should be...

ok claudio job

Diffstat (limited to 'usr.sbin/bgplgd')
0 files changed, 0 insertions, 0 deletions
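
The coverage relationship the commit message describes, as an added example that is not rpki-client code and not part of this commit: a claim that the auth chain covers can still fall outside the EE cert's narrower resources. Assumptions: only IPv4 prefixes are modelled (no RFC 3779 ranges, inheritance or AS numbers), and `struct pfx4`, `covered()`, `chain_only()`, `via_ee()` and all sample prefixes are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Hypothetical type: an IPv4 prefix, address in host byte order. */
struct pfx4 { uint32_t addr; uint8_t len; };
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))
#define N(a) (sizeof(a) / sizeof((a)[0]))

/* 1 if outer covers inner: outer is not longer and its masked bits match. */
static int
pfx4_covers(const struct pfx4 *outer, const struct pfx4 *inner)
{
	uint32_t mask;
	if (inner->len > 32 || outer->len > inner->len)
		return 0;
	mask = outer->len == 0 ? 0 : 0xffffffffu << (32 - outer->len);
	return (outer->addr & mask) == (inner->addr & mask);
}

/* 1 if every claimed prefix lies inside some prefix of the holder set. */
static int
covered(const struct pfx4 *holder, size_t nh, const struct pfx4 *claim, size_t nc)
{
	size_t i, j;
	for (i = 0; i < nc; i++) {
		for (j = 0; j < nh && !pfx4_covers(&holder[j], &claim[i]); j++)
			continue;
		if (j == nh)
			return 0;
	}
	return 1;
}

/* Constructed sample data (documentation prefixes), not from the commit. */
static const struct pfx4 chain[] = { { IP4(192, 0, 2, 0), 24 } };
static const struct pfx4 ee[] = { { IP4(192, 0, 2, 0), 25 } };
static const struct pfx4 roa_ok[] = { { IP4(192, 0, 2, 0), 26 } };
static const struct pfx4 roa_bad[] = { { IP4(192, 0, 2, 128), 25 } };

/* chain_only: claim vs. auth chain. via_ee: EE covers claim, chain covers EE. */
static int chain_only(const struct pfx4 *r, size_t n) { return covered(chain, N(chain), r, n); }
static int via_ee(const struct pfx4 *r, size_t n)
{ return covered(ee, N(ee), r, n) && covered(chain, N(chain), ee, N(ee)); }

int main(void)
{
	printf("roa_bad: chain-only=%d via-EE=%d\n", chain_only(roa_bad, 1), via_ee(roa_bad, 1));
	return 0;
}
```

`roa_bad` claims the half of the chain's /24 that the EE cert was not given, so only the comparison against the EE cert rejects it.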