diff options
author | Theo Buehler <tb@cvs.openbsd.org> | 2024-06-10 12:44:07 +0000 |
---|---|---|
committer | Theo Buehler <tb@cvs.openbsd.org> | 2024-06-10 12:44:07 +0000 |
commit | 918af189bc1360dd804156c36252723888f1b77b (patch) | |
tree | 79cd38dd5498f8464d49ae8848058315ba07e131 /usr.sbin/rpki-client | |
parent | f8e513c330e0638348d655d61e10e1b74b17f0c8 (diff) |
rpki-client: allow multiple EKU OIDs for BGPsec certs
Nothing says there may be only one purpose. We only need to find
id-kp-bgpsec-router among them. This matches the intention of the
extended key usage extension in RFCs 5280 and 8209 more closely.
ok claudio
Diffstat (limited to 'usr.sbin/rpki-client')
-rw-r--r-- | usr.sbin/rpki-client/x509.c | 25 |
1 files changed, 10 insertions, 15 deletions
diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c index 0b29ea4f8bb..049dd78ea9e 100644 --- a/usr.sbin/rpki-client/x509.c +++ b/usr.sbin/rpki-client/x509.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509.c,v 1.98 2024/06/10 10:50:13 tb Exp $ */ +/* $OpenBSD: x509.c,v 1.99 2024/06/10 12:44:06 tb Exp $ */ /* * Copyright (c) 2022 Theo Buehler <tb@openbsd.org> * Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org> @@ -277,7 +277,7 @@ x509_get_purpose(X509 *x, const char *fn) BASIC_CONSTRAINTS *bc = NULL; EXTENDED_KEY_USAGE *eku = NULL; const X509_EXTENSION *ku; - int crit, ext_flags, is_ca, ku_idx; + int crit, ext_flags, i, is_ca, ku_idx; enum cert_purpose purpose = CERT_PURPOSE_INVALID; if (!x509_cache_extensions(x, fn)) @@ -388,20 +388,15 @@ x509_get_purpose(X509 *x, const char *fn) } /* - * XXX - this isn't quite correct: other EKU OIDs are allowed per - * RFC 8209, section 3.1.3.2, e.g., anyEKU could potentially help - * avoid tripping up validators that don't know about the BGPsec - * router purpose. Drop check or downgrade from error to warning? + * Per RFC 8209, section 3.1.3.2 the id-kp-bgpsec-router OID must be + * present and others are allowed, which we don't need to recognize. + * This matches RFC 5280, section 4.2.1.12. */ - if (sk_ASN1_OBJECT_num(eku) != 1) { - warnx("%s: EKU: expected 1 purpose, have %d", fn, - sk_ASN1_OBJECT_num(eku)); - goto out; - } - - if (OBJ_cmp(bgpsec_oid, sk_ASN1_OBJECT_value(eku, 0)) == 0) { - purpose = CERT_PURPOSE_BGPSEC_ROUTER; - goto out; + for (i = 0; i < sk_ASN1_OBJECT_num(eku); i++) { + if (OBJ_cmp(bgpsec_oid, sk_ASN1_OBJECT_value(eku, i)) == 0) { + purpose = CERT_PURPOSE_BGPSEC_ROUTER; + break; + } } out: |