Tigthen cert_parse_ee_cert() and ta_parse()

Require that a cert fed to cert_parse_ee_cert() have an EE cert purpose.
Instead of throwing a warning for BGPsec router certs, check for the TA
purpose in ta_parse() and reject everything else.

ok job

1 files changed, 10 insertions, 7 deletions

diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index 5cf6011d7aa..ba29b7e48ea 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: cert.c,v 1.143 2024/06/08 13:31:37 tb Exp $ */
+/*	$OpenBSD: cert.c,v 1.144 2024/06/08 13:33:49 tb Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
  * Copyright (c) 2021 Job Snijders <job@openbsd.org>
@@ -747,6 +747,12 @@ cert_parse_ee_cert(const char *fn, int talid, X509 *x)
 	if (!x509_cache_extensions(x, fn))
 		goto out;
 
+	if ((cert->purpose = x509_get_purpose(x, fn)) != CERT_PURPOSE_EE) {
+		warnx("%s: expected EE cert, got %s", fn,
+		    purpose2str(cert->purpose));
+		goto out;
+	}
+
 	if (X509_get_key_usage(x) != KU_DIGITAL_SIGNATURE) {
 		warnx("%s: RFC 6487 section 4.8.4: KU must be digitalSignature",
 		    fn);
@@ -1121,12 +1127,9 @@ ta_parse(const char *fn, struct cert *p, const unsigned char *pkey,
 		    "trust anchor may not specify CRL resource", fn);
 		goto badcert;
 	}
-	/*
-	 * XXX - this check for BGPsec router certs doesn't make all that much
-	 * sense. Consider introducing a TA purpose for self-issued CA certs.
-	 */
-	if (p->purpose == CERT_PURPOSE_BGPSEC_ROUTER) {
-		warnx("%s: BGPsec cert cannot be a trust anchor", fn);
+	if (p->purpose != CERT_PURPOSE_TA) {
+		warnx("%s: expected trust anchor purpose, got %s", fn,
+		    purpose2str(p->purpose));
 		goto badcert;
 	}
 	/*