authorTheo Buehler <tb@cvs.openbsd.org>2024-06-07 08:36:55 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2024-06-07 08:36:55 +0000
commitddec6b5d79f7afb42a824b2e1b3449c2523de4d7 (patch)
tree30120dcf2d48dfed87b0f7d94f3a8f212ce10bc5 /usr.sbin/rpki-client
parentd46e9106c1d9265598ff57c58f9de706dc5b4275 (diff)
Add two related todo items for purpose handling
BGPsec certs are a bit weird and checks for them are all over the place, some of them in the TA handling, which makes very little sense. We'd be better off adding another purpose for trust anchors and use that instead. ok claudio job
Diffstat (limited to 'usr.sbin/rpki-client')
-rw-r--r--usr.sbin/rpki-client/cert.c6
-rw-r--r--usr.sbin/rpki-client/x509.c3
2 files changed, 7 insertions, 2 deletions
diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index 0b07944125c..0faf997c454 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.140 2024/06/06 12:38:02 tb Exp $ */
+/* $OpenBSD: cert.c,v 1.141 2024/06/07 08:36:54 tb Exp $ */
/*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2021 Job Snijders <job@openbsd.org>
@@ -1117,6 +1117,10 @@ ta_parse(const char *fn, struct cert *p, const unsigned char *pkey,
"trust anchor may not specify CRL resource", fn);
goto badcert;
}
+ /*
+ * XXX - this check for BGPsec router certs doesn't make all that much
+ * sense. Consider introducing a TA purpose for self-issued CA certs.
+ */
if (p->purpose == CERT_PURPOSE_BGPSEC_ROUTER) {
warnx("%s: BGPsec cert cannot be a trust anchor", fn);
goto badcert;
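Review bot: The new XXX comment in ta_parse() says the BGPsec check "doesn't make all that much sense" but not why, and it does not point at the companion note this same commit adds in x509_get_purpose() (the x509.c hunk), so whoever picks up one TODO can easily miss the other. Suggest linking the two and naming the invariant a TA purpose would capture, e.g. `* XXX - a TA purpose for self-issued CA certs (see x509_get_purpose() and EXFLAG_SI) would presumably make this router-cert check redundant here; keep it until that exists.` Whether the check is merely misplaced or already unreachable because of an earlier purpose test in ta_parse() cannot be confirmed from this hunk, and the comment should say which it is. ta_parse() begins before the hunk and its body continues after it.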
diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c
index 4082242e5c4..dc9ffcb7ca5 100644
--- a/usr.sbin/rpki-client/x509.c
+++ b/usr.sbin/rpki-client/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.93 2024/06/04 14:17:24 tb Exp $ */
+/* $OpenBSD: x509.c,v 1.94 2024/06/07 08:36:54 tb Exp $ */
/*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
@@ -279,6 +279,7 @@ x509_get_purpose(X509 *x, const char *fn)
goto out;
}
purpose = CERT_PURPOSE_CA;
+ /* XXX - we may want to check EXFLAG_SI and add a TA purpose. */
goto out;
}