summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--usr.sbin/rpki-client/cert.c14
-rw-r--r--usr.sbin/rpki-client/extern.h6
-rw-r--r--usr.sbin/rpki-client/x509.c18
3 files changed, 20 insertions, 18 deletions
diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index 625f0479301..bc517e60da5 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.133 2024/06/03 12:58:39 tb Exp $ */
+/* $OpenBSD: cert.c,v 1.134 2024/06/04 04:17:18 tb Exp $ */
/*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2021 Job Snijders <job@openbsd.org>
@@ -529,7 +529,7 @@ sbgp_sia(const char *fn, struct cert *cert, X509_EXTENSION *ext)
oid = ad->method;
if (OBJ_cmp(oid, carepo_oid) == 0) {
- if (!x509_location(fn, "SIA: caRepository", NULL,
+ if (!x509_location(fn, "SIA: caRepository",
ad->location, &carepo))
goto out;
if (cert->repo == NULL && strncasecmp(carepo,
@@ -544,7 +544,7 @@ sbgp_sia(const char *fn, struct cert *cert, X509_EXTENSION *ext)
free(carepo);
carepo = NULL;
} else if (OBJ_cmp(oid, manifest_oid) == 0) {
- if (!x509_location(fn, "SIA: rpkiManifest", NULL,
+ if (!x509_location(fn, "SIA: rpkiManifest",
ad->location, &rpkimft))
goto out;
if (cert->mft == NULL && strncasecmp(rpkimft,
@@ -560,8 +560,14 @@ sbgp_sia(const char *fn, struct cert *cert, X509_EXTENSION *ext)
rpkimft = NULL;
} else if (OBJ_cmp(oid, notify_oid) == 0) {
if (!x509_location(fn, "SIA: rpkiNotify",
- HTTPS_PROTO, ad->location, &cert->notify))
+ ad->location, &cert->notify))
goto out;
+ if (strncasecmp(cert->notify, HTTPS_PROTO,
+ HTTPS_PROTO_LEN) != 0) {
+ warnx("%s: non-https uri in rpkiNotify: %s",
+ fn, cert->notify);
+ goto out;
+ }
}
}
diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h
index 46c64afc903..601d7d2893e 100644
--- a/usr.sbin/rpki-client/extern.h
+++ b/usr.sbin/rpki-client/extern.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: extern.h,v 1.220 2024/05/31 02:45:15 tb Exp $ */
+/* $OpenBSD: extern.h,v 1.221 2024/06/04 04:17:18 tb Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -913,8 +913,8 @@ char *x509_pubkey_get_ski(X509_PUBKEY *, const char *);
enum cert_purpose x509_get_purpose(X509 *, const char *);
int x509_get_time(const ASN1_TIME *, time_t *);
char *x509_convert_seqnum(const char *, const ASN1_INTEGER *);
-int x509_location(const char *, const char *, const char *,
- GENERAL_NAME *, char **);
+int x509_location(const char *, const char *, GENERAL_NAME *,
+ char **);
int x509_inherits(X509 *);
int x509_any_inherits(X509 *);
int x509_valid_name(const char *, const char *, const X509_NAME *);
diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c
index 1aad594f318..39b16fcf2ee 100644
--- a/usr.sbin/rpki-client/x509.c
+++ b/usr.sbin/rpki-client/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.91 2024/06/03 12:58:39 tb Exp $ */
+/* $OpenBSD: x509.c,v 1.92 2024/06/04 04:17:18 tb Exp $ */
/*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
@@ -456,7 +456,7 @@ x509_get_aia(X509 *x, const char *fn, char **aia)
goto out;
}
- if (!x509_location(fn, "AIA: caIssuers", NULL, ad->location, aia))
+ if (!x509_location(fn, "AIA: caIssuers", ad->location, aia))
goto out;
rc = 1;
@@ -522,9 +522,7 @@ x509_get_sia(X509 *x, const char *fn, char **sia)
goto out;
}
- /* Don't fail on non-rsync URI, so check this afterward. */
- if (!x509_location(fn, "SIA: signedObject", NULL, ad->location,
- sia))
+ if (!x509_location(fn, "SIA: signedObject", ad->location, sia))
goto out;
if (rsync_found)
@@ -764,9 +762,7 @@ x509_get_crl(X509 *x, const char *fn, char **crl)
for (i = 0; i < sk_GENERAL_NAME_num(names); i++) {
name = sk_GENERAL_NAME_value(names, i);
- /* Don't fail on non-rsync URI, so check this afterward. */
- if (!x509_location(fn, "CRL distribution point", NULL, name,
- crl))
+ if (!x509_location(fn, "CRL distribution point", name, crl))
goto out;
if (strncasecmp(*crl, RSYNC_PROTO, RSYNC_PROTO_LEN) == 0) {
@@ -812,8 +808,8 @@ x509_get_time(const ASN1_TIME *at, time_t *t)
* Returns 0 on failure and 1 on success.
*/
int
-x509_location(const char *fn, const char *descr, const char *proto,
- GENERAL_NAME *location, char **out)
+x509_location(const char *fn, const char *descr, GENERAL_NAME *location,
+ char **out)
{
ASN1_IA5STRING *uri;
@@ -824,7 +820,7 @@ x509_location(const char *fn, const char *descr, const char *proto,
uri = location->d.uniformResourceIdentifier;
- if (!valid_uri(uri->data, uri->length, proto)) {
+ if (!valid_uri(uri->data, uri->length, NULL)) {
warnx("%s: RFC 6487 section 4.8: %s bad location", fn, descr);
return 0;
}