artulab
projects / openbsd / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 52f6c0e) | patch
Ensure that certificate policies follow RFC 7318
authortb <tb@openbsd.org>
Fri, 4 Feb 2022 16:28:20 +0000 (16:28 +0000)
committertb <tb@openbsd.org>
Fri, 4 Feb 2022 16:28:20 +0000 (16:28 +0000)
commitf9f55a97ffd0d7bd289af50a191b2df27cfd73a6
treebfc2355c369debb7da194fc0c750d48ec5223007tree | snapshot
parent52f6c0ea555c5b9a6096aedef5f4cfca711c2f5acommit | diff
Ensure that certificate policies follow RFC 7318

RFC 7318 makes requirements on the certificate policy extension imposed
by RFC 6487 a bit stricter. It requires that exactly one policy OID is
present and that it be id-cp-ipAddr-asNumber and if there is a policy
qualifier it must be id-qt-cps. These are requirements that the X.509
verifier's policy code can't enforce, so unpack the certificate policy
extension by hand and check that it matches expectations.

ok claudio
usr.sbin/rpki-client/cert.c diff | blob | history
OpenBSD src
by Ahmet Artu Yildirim