authorTheo Buehler <tb@cvs.openbsd.org>2024-06-08 13:32:31 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2024-06-08 13:32:31 +0000
commit83ef450522890cec0a4a9240a7480b7c56f80abf (patch)
tree6913e6c0c81d5c3f4059b75b46bf2c1d7ab48a0f /usr.sbin/rpki-client
parent48b255b45801cb855d735efff59a007e02ca069c (diff)
Add a TODO item for BGPsec router certs
It is currently assumed that there is only one extended key usage OID. RFC 8209 allows others. For example, it may well make sense for operators to include the anyExtendedKeyUsage OID to be able to use validators that don't recognize the BGPsec Router purpose. ok job
Diffstat (limited to 'usr.sbin/rpki-client')
-rw-r--r--usr.sbin/rpki-client/x509.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c
index 908778c1e82..c264b7327d3 100644
--- a/usr.sbin/rpki-client/x509.c
+++ b/usr.sbin/rpki-client/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.96 2024/06/08 13:31:38 tb Exp $ */
+/* $OpenBSD: x509.c,v 1.97 2024/06/08 13:32:30 tb Exp $ */
/*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
@@ -351,6 +351,13 @@ x509_get_purpose(X509 *x, const char *fn)
warnx("%s: EKU: extension must not be marked critical", fn);
goto out;
}
+
+ /*
+ * XXX - this isn't quite correct: other EKU OIDs are allowed per
+ * RFC 8209, section 3.1.3.2, e.g., anyEKU could potentially help
+ * avoid tripping up validators that don't know about the BGPsec
+ * router purpose. Drop check or downgrade from error to warning?
+ */
if (sk_ASN1_OBJECT_num(eku) != 1) {
warnx("%s: EKU: expected 1 purpose, have %d", fn,
sk_ASN1_OBJECT_num(eku));
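Review bot: The open question in the new comment above the `sk_ASN1_OBJECT_num(eku) != 1` check should be settled towards a presence check rather than dropping the check or demoting it to a warning: RFC 8209 section 3.1.3.2 permits additional EKU OIDs but still requires id-kp-bgpsec-router to be among them, so the validator must walk the stack and fail unless the BGPsec router OID is found. In particular anyExtendedKeyUsage alone should not be accepted as a substitute, since RFC 5280 section 4.2.1.12 lets that OID stand in for any purpose and a certificate carrying only it would otherwise pass as a router certificate without asserting the specific purpose. I would replace the "Drop check or downgrade from error to warning?" line with `XXX - replace the count check with a presence check for id-kp-bgpsec-router; other OIDs may be ignored, but anyExtendedKeyUsage is not a substitute.` The rest of x509_get_purpose(), including the OID comparison that presumably follows, lies outside this hunk.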