diff options
| author | Theo Buehler <tb@cvs.openbsd.org> | 2022-02-04 16:21:12 +0000 |
|---|---|---|
| committer | Theo Buehler <tb@cvs.openbsd.org> | 2022-02-04 16:21:12 +0000 |
| commit | 542bd7961519dc8a44bd3ba9a133ccaa49f5aa7d (patch) | |
| tree | f750a4c87a14737efc9883d49c97e777e0659203 /usr.sbin | |
| parent | 10f7c295a5ef8d6b1500366c099527a9d684187f (diff) | |
Enforce Certificate Policy for RPKI
RFCs 6384 defines a certificate policy for RPKI. Ensure that the verifier
builds a certification path that follows this OID: set up a policy on the
X509_STORE_CTX's verify parameters and set initial-explicit-policy and
initial-policy-mapping-inhibit.
Pointed out by Ties de Kock
ok claudio
Diffstat (limited to 'usr.sbin')
| -rw-r--r-- | usr.sbin/rpki-client/parser.c | 18 |
1 files changed, 15 insertions, 3 deletions
diff --git a/usr.sbin/rpki-client/parser.c b/usr.sbin/rpki-client/parser.c index 37250f3c45d..40ded4f163c 100644 --- a/usr.sbin/rpki-client/parser.c +++ b/usr.sbin/rpki-client/parser.c @@ -1,4 +1,4 @@ -/* $OpenBSD: parser.c,v 1.58 2022/01/28 15:30:23 claudio Exp $ */ +/* $OpenBSD: parser.c,v 1.59 2022/02/04 16:21:11 tb Exp $ */ /* * Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org> * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> @@ -47,6 +47,8 @@ static X509_STORE_CTX *ctx; static struct auth_tree auths = RB_INITIALIZER(&auths); static struct crl_tree crlt = RB_INITIALIZER(&crlt); +extern ASN1_OBJECT *certpol_oid; + struct parse_repo { RB_ENTRY(parse_repo) entry; char *path; @@ -206,6 +208,8 @@ static int valid_x509(char *file, X509 *x509, struct auth *a, struct crl *crl, unsigned long flags, int nowarn) { + X509_VERIFY_PARAM *params; + ASN1_OBJECT *cp_oid; STACK_OF(X509) *chain; STACK_OF(X509_CRL) *crls = NULL; int c; @@ -217,11 +221,19 @@ valid_x509(char *file, X509 *x509, struct auth *a, struct crl *crl, if (!X509_STORE_CTX_init(ctx, NULL, x509, NULL)) cryptoerrx("X509_STORE_CTX_init"); + if ((params = X509_STORE_CTX_get0_param(ctx)) == NULL) + cryptoerrx("X509_STORE_CTX_get0_param"); + if ((cp_oid = OBJ_dup(certpol_oid)) == NULL) + cryptoerrx("OBJ_dup"); + if (!X509_VERIFY_PARAM_add0_policy(params, cp_oid)) + cryptoerrx("X509_VERIFY_PARAM_add0_policy"); + X509_STORE_CTX_set_verify_cb(ctx, verify_cb); if (!X509_STORE_CTX_set_app_data(ctx, file)) cryptoerrx("X509_STORE_CTX_set_app_data"); - if (flags != 0) - X509_STORE_CTX_set_flags(ctx, flags); + flags |= X509_V_FLAG_EXPLICIT_POLICY; + flags |= X509_V_FLAG_INHIBIT_MAP; + X509_STORE_CTX_set_flags(ctx, flags); X509_STORE_CTX_set_depth(ctx, MAX_CERT_DEPTH); X509_STORE_CTX_set0_trusted_stack(ctx, chain); X509_STORE_CTX_set0_crls(ctx, crls); |