path: root/usr.sbin/rpki-client/x509.c
authorTheo Buehler <tb@cvs.openbsd.org>2023-03-14 07:09:12 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2023-03-14 07:09:12 +0000
commite0d83516e34193e901820d0d8ded95e05ad5782f (patch)
treea0e4a68c43662ab91f33cf96943245aef8242ff9 /usr.sbin/rpki-client/x509.c
parent399ef2543fde3de3391127a230e068c38e141641 (diff)
rpki-client: disallow AIA in self-signed certs
Per RFC 6487, 4.8.7, self-signed certificates must not have an Authority Info Access extension. In normal operation this is ensured by ta_parse() and cert_parse(), respectively. In filemode, only partial checks are performed, so this is not guaranteed. Issue flagged by and ok job
Diffstat (limited to 'usr.sbin/rpki-client/x509.c')
-rw-r--r--usr.sbin/rpki-client/x509.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c
index cd53ecf9c85..0ab646984b8 100644
--- a/usr.sbin/rpki-client/x509.c
+++ b/usr.sbin/rpki-client/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.69 2023/03/12 11:54:56 job Exp $ */
+/* $OpenBSD: x509.c,v 1.70 2023/03/14 07:09:11 tb Exp $ */
/*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
@@ -375,11 +375,18 @@ x509_get_aia(X509 *x, const char *fn, char **aia)
if (info == NULL)
return 1;
+ if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0) {
+ warnx("%s: RFC 6487 section 4.8.7: AIA must be absent from "
+ "a self-signed certificate", fn);
+ goto out;
+ }
+
if (crit != 0) {
warnx("%s: RFC 6487 section 4.8.7: "
"AIA: extension not non-critical", fn);
goto out;
}
+
if (sk_ACCESS_DESCRIPTION_num(info) != 1) {
warnx("%s: RFC 6487 section 4.8.7: AIA: "
"want 1 element, have %d", fn,