| field | value | date |
|---|---|---|
| author | Theo Buehler <tb@cvs.openbsd.org> | 2024-06-08 13:32:31 +0000 |
| committer | Theo Buehler <tb@cvs.openbsd.org> | 2024-06-08 13:32:31 +0000 |
| commit | 83ef450522890cec0a4a9240a7480b7c56f80abf (patch) | |
| tree | 6913e6c0c81d5c3f4059b75b46bf2c1d7ab48a0f /usr.sbin/rpki-client | |
| parent | 48b255b45801cb855d735efff59a007e02ca069c (diff) | |
Add a TODO item for BGPsec router certs
It is currently assumed that there is only one extended key usage OID.
RFC 8209 allows others. For example, it may well make sense for operators
to include the anyExtendedKeyUsage OID to be able to use validators that
don't recognize the BGPsec Router purpose.
ok job
Diffstat (limited to 'usr.sbin/rpki-client')
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | usr.sbin/rpki-client/x509.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c index 908778c1e82..c264b7327d3 100644 --- a/usr.sbin/rpki-client/x509.c +++ b/usr.sbin/rpki-client/x509.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509.c,v 1.96 2024/06/08 13:31:38 tb Exp $ */ +/* $OpenBSD: x509.c,v 1.97 2024/06/08 13:32:30 tb Exp $ */ /* * Copyright (c) 2022 Theo Buehler <tb@openbsd.org> * Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org> @@ -351,6 +351,13 @@ x509_get_purpose(X509 *x, const char *fn) warnx("%s: EKU: extension must not be marked critical", fn); goto out; } + + /* + * XXX - this isn't quite correct: other EKU OIDs are allowed per + * RFC 8209, section 3.1.3.2, e.g., anyEKU could potentially help + * avoid tripping up validators that don't know about the BGPsec + * router purpose. Drop check or downgrade from error to warning? + */ if (sk_ASN1_OBJECT_num(eku) != 1) { warnx("%s: EKU: expected 1 purpose, have %d", fn, sk_ASN1_OBJECT_num(eku)); |
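Review bot: the new XXX comment placed before `if (sk_ASN1_OBJECT_num(eku) != 1)` documents the problem but leaves the hard check in place, so a BGPsec router certificate carrying an additional EKU OID (such as the anyExtendedKeyUsage the commit message mentions) still trips the `"%s: EKU: expected 1 purpose, have %d"` path. When this is addressed, prefer keeping a requirement that the BGPsec Router purpose OID is present in the EKU stack and only tolerating extra entries (a warning for the additional OIDs preserves visibility for operators), rather than dropping the check outright as the comment considers, since the RFC 8209 allowance cited is for additional purposes alongside the router purpose, not for omitting it. If the count check is downgraded to a warning, the "expected 1 purpose" wording should be changed so it no longer reads as a hard requirement.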