-rw-r--r-- | usr.sbin/rpki-client/cert.c | 140 |
1 files changed, 70 insertions, 70 deletions
diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index 2eb1601fb25..8e75c620ce5 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.67 2022/04/12 08:45:34 tb Exp $ */
+/* $OpenBSD: cert.c,v 1.68 2022/04/12 09:32:23 tb Exp $ */
 /*
 * Copyright (c) 2021 Job Snijders <job@openbsd.org>
 * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -125,75 +125,6 @@ sbgp_addr(struct parse *p, } /* - * Parse "Subject Information Access" extension, RFC 6487 4.8.8. - * Returns zero on failure, non-zero on success. - */ -static int -sbgp_sia(struct parse *p, X509_EXTENSION *ext) -{ - AUTHORITY_INFO_ACCESS *sia = NULL; - ACCESS_DESCRIPTION *ad; - ASN1_OBJECT *oid; - int i, rc = 0; - - if (X509_EXTENSION_get_critical(ext)) { - warnx("%s: RFC 6487 section 4.8.8: SIA: " - "extension not non-critical", p->fn); - goto out; - } - - if ((sia = X509V3_EXT_d2i(ext)) == NULL) { - cryptowarnx("%s: RFC 6487 section 4.8.8: SIA: " - "failed extension parse", p->fn); - goto out; - } - - for (i = 0; i < sk_ACCESS_DESCRIPTION_num(sia); i++) { - ad = sk_ACCESS_DESCRIPTION_value(sia, i); - - oid = ad->method; - - if (OBJ_cmp(oid, carepo_oid) == 0) { - if (!x509_location(p->fn, "SIA: caRepository", - "rsync://", ad->location, &p->res->repo)) - goto out; - } else if (OBJ_cmp(oid, manifest_oid) == 0) { - if (!x509_location(p->fn, "SIA: rpkiManifest", - "rsync://", ad->location, &p->res->mft)) - goto out; - } else if (OBJ_cmp(oid, notify_oid) == 0) { - if (!x509_location(p->fn, "SIA: rpkiNotify", - "https://", ad->location, &p->res->notify)) - goto out; - } - } - - if (p->res->mft == NULL || p->res->repo == NULL) { - warnx("%s: RFC 6487 section 4.8.8: SIA missing caRepository " - "or rpkiManifest", p->fn); - goto out; - } - - if (strstr(p->res->mft, p->res->repo) != p->res->mft) { - warnx("%s: RFC 6487 section 4.8.8: SIA: " - "conflicting URIs for caRepository and rpkiManifest", - p->fn); - goto out; - } - - if (rtype_from_file_extension(p->res->mft) != RTYPE_MFT) { - warnx("%s: RFC 6487 section 4.8.8: SIA: " - "not an MFT file", p->fn); - goto out; - } - - rc = 1; - out: - AUTHORITY_INFO_ACCESS_free(sia); - return rc; -} - -/* * Parse a range of addresses as in 3.2.3.8. * Returns zero on failure, non-zero on success. */ 
@@ -777,6 +708,75 @@ out: } /* + * Parse "Subject Information Access" extension, RFC 6487 4.8.8. + * Returns zero on failure, non-zero on success. + */ +static int +sbgp_sia(struct parse *p, X509_EXTENSION *ext) +{ + AUTHORITY_INFO_ACCESS *sia = NULL; + ACCESS_DESCRIPTION *ad; + ASN1_OBJECT *oid; + int i, rc = 0; + + if (X509_EXTENSION_get_critical(ext)) { + warnx("%s: RFC 6487 section 4.8.8: SIA: " + "extension not non-critical", p->fn); + goto out; + } + + if ((sia = X509V3_EXT_d2i(ext)) == NULL) { + cryptowarnx("%s: RFC 6487 section 4.8.8: SIA: " + "failed extension parse", p->fn); + goto out; + } + + for (i = 0; i < sk_ACCESS_DESCRIPTION_num(sia); i++) { + ad = sk_ACCESS_DESCRIPTION_value(sia, i); + + oid = ad->method; + + if (OBJ_cmp(oid, carepo_oid) == 0) { + if (!x509_location(p->fn, "SIA: caRepository", + "rsync://", ad->location, &p->res->repo)) + goto out; + } else if (OBJ_cmp(oid, manifest_oid) == 0) { + if (!x509_location(p->fn, "SIA: rpkiManifest", + "rsync://", ad->location, &p->res->mft)) + goto out; + } else if (OBJ_cmp(oid, notify_oid) == 0) { + if (!x509_location(p->fn, "SIA: rpkiNotify", + "https://", ad->location, &p->res->notify)) + goto out; + } + } + + if (p->res->mft == NULL || p->res->repo == NULL) { + warnx("%s: RFC 6487 section 4.8.8: SIA missing caRepository " + "or rpkiManifest", p->fn); + goto out; + } + + if (strstr(p->res->mft, p->res->repo) != p->res->mft) { + warnx("%s: RFC 6487 section 4.8.8: SIA: " + "conflicting URIs for caRepository and rpkiManifest", + p->fn); + goto out; + } + + if (rtype_from_file_extension(p->res->mft) != RTYPE_MFT) { + warnx("%s: RFC 6487 section 4.8.8: SIA: " + "not an MFT file", p->fn); + goto out; + } + + rc = 1; + out: + AUTHORITY_INFO_ACCESS_free(sia); + return rc; +} + +/* * Parse the certificate policies extension and check that it follows RFC 7318. * Returns zero on failure, non-zero on success. */ |
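Review bot: The caRepository/rpkiManifest consistency check in the relocated sbgp_sia() body expresses a prefix test as `strstr(p->res->mft, p->res->repo) != p->res->mft`, which scans the whole manifest URI for any occurrence and hides the intent; `if (strncmp(p->res->mft, p->res->repo, strlen(p->res->repo)) != 0) {` states what is being checked and stops after the repository length, and both strings are already known non-NULL from the check just above it. The header comment could also say which fields the function fills, e.g. `Fills p->res->repo and p->res->mft (both required) and p->res->notify (optional) from the access descriptions; unknown access methods are ignored.` Handling of a repeated access method (a second caRepository or rpkiManifest) is delegated to x509_location(), which is outside this hunk, so whether it rejects or overwrites an already-set value cannot be confirmed here. The function is moved verbatim and is complete within the hunk.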