-/* $OpenBSD: extern.h,v 1.136 2022/05/11 14:42:01 job Exp $ */
+/* $OpenBSD: extern.h,v 1.137 2022/05/11 21:19:06 job Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
char *x509_convert_seqnum(const char *, const ASN1_INTEGER *);
int x509_location(const char *, const char *, const char *,
GENERAL_NAME *, char **);
+int x509_inherits(X509 *);
/* printers */
char *time2str(time_t);
-/* $OpenBSD: gbr.c,v 1.15 2022/04/01 17:22:07 claudio Exp $ */
+/* $OpenBSD: gbr.c,v 1.16 2022/05/11 21:19:06 job Exp $ */
/*
* Copyright (c) 2020 Claudio Jeker <claudio@openbsd.org>
*
"missing AIA, AKI or SKI X509 extension", fn);
goto out;
}
+
+ if (!x509_inherits(*x509)) {
+ warnx("%s: RFC 3779 extension not set to inherit", fn);
+ goto out;
+ }
+
return p.res;
-out:
+ out:
gbr_free(p.res);
X509_free(*x509);
*x509 = NULL;
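Review bot: The warning at `warnx("%s: RFC 3779 extension not set to inherit", fn)` is the only diagnostic for every failure of x509_inherits(), including the case where an extension is missing altogether (the x509.c hunk documents both as a 0 return), so an operator debugging a rejected GBR gets a misleading message when the extension is simply absent. Consider `warnx("%s: RFC 3779 extensions missing or not set to inherit", fn);` here, and the same wording for the identical line in the mft.c hunk, which adds the same check. The enclosing function starts outside the hunk.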
-/* $OpenBSD: mft.c,v 1.63 2022/05/10 07:41:37 tb Exp $ */
+/* $OpenBSD: mft.c,v 1.64 2022/05/11 21:19:06 job Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
goto out;
}
+ if (!x509_inherits(*x509)) {
+ warnx("%s: RFC 3779 extension not set to inherit", fn);
+ goto out;
+ }
+
/* get CRL info for later */
if (!x509_get_crl(*x509, fn, &crldp))
goto out;
-/* $OpenBSD: x509.c,v 1.43 2022/05/10 10:52:09 job Exp $ */
+/* $OpenBSD: x509.c,v 1.44 2022/05/11 21:19:06 job Exp $ */
/*
* Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
}
+/*
+ * Check whether the RFC 3779 extensions are set to inherit.
+ * Return 1 if both AS & IP are set to inherit.
+ * Return 0 on failure (such as missing extensions or no inheritance).
+ */
+int
+x509_inherits(X509 *x)
+{
+ STACK_OF(IPAddressFamily) *addrblk = NULL;
+ ASIdentifiers *asidentifiers = NULL;
+ const IPAddressFamily *af;
+ int i, rc = 0;
+
+ addrblk = X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL);
+ if (addrblk == NULL)
+ goto out;
+
+ /*
+ * Check by hand, since X509v3_addr_inherits() success only means that
+ * at least one address family inherits, not all of them.
+ */
+ for (i = 0; i < sk_IPAddressFamily_num(addrblk); i++) {
+ af = sk_IPAddressFamily_value(addrblk, i);
+ if (af->ipAddressChoice->type != IPAddressChoice_inherit)
+ goto out;
+ }
+
+ asidentifiers = X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum, NULL,
+ NULL);
+ if (asidentifiers == NULL)
+ goto out;
+
+ /* We need to have AS numbers and don't want RDIs. */
+ if (asidentifiers->asnum == NULL || asidentifiers->rdi != NULL)
+ goto out;
+ if (!X509v3_asid_inherits(asidentifiers))
+ goto out;
+
+ rc = 1;
+ out:
+ ASIdentifiers_free(asidentifiers);
+ sk_IPAddressFamily_pop_free(addrblk, IPAddressFamily_free);
+ return rc;
+}
+
/*
* Parse the very specific subset of information in the CRL distribution
* point extension.
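Review bot: An ipAddrBlock extension that decodes to zero address families passes the loop over `sk_IPAddressFamily_num(addrblk)` vacuously, so x509_inherits() returns 1 with no IP inheritance asserted at all as long as the AS checks pass. Unless an earlier validation step already rejects an empty IPAddrBlocks (not visible from this hunk), a guard before the loop, `if (sk_IPAddressFamily_num(addrblk) == 0) goto out;`, would make the IP side fail closed the way the `asidentifiers->asnum == NULL` check does for AS. Both `X509_get_ext_d2i()` calls pass NULL for `crit`, so the criticality RFC 6487 requires for these extensions is not checked here; if that is verified elsewhere, a one-line comment saying so would spare the next reader the search. The header comment could also note that 0 is returned when an extension fails to decode or is present more than once, since `X509_get_ext_d2i()` returns NULL in those cases as well.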