From 491d18d9626742f04e8609b64c69f89887323e36 Mon Sep 17 00:00:00 2001
From: Job Snijders
Date: Wed, 10 Aug 2022 14:37:34 +0000
Subject: Disallow AS Resources extension on ROA EE certificates

The ROA specification (RFC 6482 section 4) is a bit underspecified, however in the wild the RFC 3779 AS Resources extension never ever appears on ROA EE certificates, as it serves no purpose in the validation process.

OK tb@
---
 usr.sbin/rpki-client/roa.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'usr.sbin/rpki-client/roa.c')

diff --git a/usr.sbin/rpki-client/roa.c b/usr.sbin/rpki-client/roa.c
index 0b5ff2832f7..b525a2bcf06 100644
--- a/usr.sbin/rpki-client/roa.c
+++ b/usr.sbin/rpki-client/roa.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: roa.c,v 1.47 2022/06/10 10:36:43 tb Exp $ */
+/*	$OpenBSD: roa.c,v 1.48 2022/08/10 14:37:33 job Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler
  * Copyright (c) 2019 Kristaps Dzonsons
@@ -229,6 +229,11 @@ roa_parse(X509 **x509, const char *fn, const unsigned char *der, size_t len)
 		goto out;
 	}
 
+	if (X509_get_ext_by_NID(*x509, NID_sbgp_autonomousSysNum, -1) != -1) {
+		warnx("%s: superfluous AS Resources extension present", fn);
+		goto out;
+	}
+
 	at = X509_get0_notAfter(*x509);
 	if (at == NULL) {
 		warnx("%s: X509_get0_notAfter failed", fn);
-- 
cgit v1.2.3
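Review bot: The new check in roa_parse matches only the RFC 3779 AS Resources extension by its NID; a ROA EE certificate carrying the RFC 8360 validation-reconsidered variant of the same extension (a distinct OID) would not be caught by this test, so unless that variant is already rejected elsewhere in the certificate parsing path it deserves a companion check, or a comment saying where it is handled. The rationale given in the commit message is worth recording at the check itself, since RFC 6482 section 4 does not forbid the extension, e.g. `/* Not forbidden by RFC 6482 sec. 4, but AS resources play no role in ROA validation, so treat the extension as unexpected. */` above the new if. roa_parse's body starts and ends outside the hunk.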