Add two related todo items for purpose handling

BGPsec certs are a bit weird and checks for them are all over the place,
some of them in the TA handling, which makes very little sense. We'd be
better off adding another purpose for trust anchors and use that instead.

ok claudio job

diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index 0b07944..0faf997 100644 (file)
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: cert.c,v 1.140 2024/06/06 12:38:02 tb Exp $ */
+/*     $OpenBSD: cert.c,v 1.141 2024/06/07 08:36:54 tb Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
  * Copyright (c) 2021 Job Snijders <job@openbsd.org>
@@ -1117,6 +1117,10 @@ ta_parse(const char *fn, struct cert *p, const unsigned char *pkey,
                    "trust anchor may not specify CRL resource", fn);
                goto badcert;
        }
+       /*
+        * XXX - this check for BGPsec router certs doesn't make all that much
+        * sense. Consider introducing a TA purpose for self-issued CA certs.
+        */
        if (p->purpose == CERT_PURPOSE_BGPSEC_ROUTER) {
                warnx("%s: BGPsec cert cannot be a trust anchor", fn);
                goto badcert;

diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c
index 4082242..dc9ffcb 100644 (file)
--- a/usr.sbin/rpki-client/x509.c
+++ b/usr.sbin/rpki-client/x509.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: x509.c,v 1.93 2024/06/04 14:17:24 tb Exp $ */
+/*     $OpenBSD: x509.c,v 1.94 2024/06/07 08:36:54 tb Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
  * Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
@@ -279,6 +279,7 @@ x509_get_purpose(X509 *x, const char *fn)
                        goto out;
                }
                purpose = CERT_PURPOSE_CA;
+               /* XXX - we may want to check EXFLAG_SI and add a TA purpose. */
                goto out;
        }