artulab
projects / openbsd / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 41c63c6)
Enforce Certificate Policy for RPKI
authortb <tb@openbsd.org>
Fri, 4 Feb 2022 16:21:11 +0000 (16:21 +0000)
committertb <tb@openbsd.org>
Fri, 4 Feb 2022 16:21:11 +0000 (16:21 +0000)
RFCs 6384 defines a certificate policy for RPKI. Ensure that the verifier
builds a certification path that follows this OID: set up a policy on the
X509_STORE_CTX's verify parameters and set initial-explicit-policy and
initial-policy-mapping-inhibit.

Pointed out by Ties de Kock

ok claudio

usr.sbin/rpki-client/parser.c patch | blob | history

diff --git a/usr.sbin/rpki-client/parser.c b/usr.sbin/rpki-client/parser.c
index 37250f3..40ded4f 100644 (file)
--- a/usr.sbin/rpki-client/parser.c
+++ b/usr.sbin/rpki-client/parser.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: parser.c,v 1.58 2022/01/28 15:30:23 claudio Exp $ */
+/*     $OpenBSD: parser.c,v 1.59 2022/02/04 16:21:11 tb Exp $ */
 /*
  * Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -47,6 +47,8 @@ static X509_STORE_CTX *ctx;
 static struct auth_tree  auths = RB_INITIALIZER(&auths);
 static struct crl_tree  crlt = RB_INITIALIZER(&crlt);
 
+extern ASN1_OBJECT     *certpol_oid;
+
 struct parse_repo {
        RB_ENTRY(parse_repo)     entry;
        char                    *path;
@@ -206,6 +208,8 @@ static int
 valid_x509(char *file, X509 *x509, struct auth *a, struct crl *crl,
     unsigned long flags, int nowarn)
 {
+       X509_VERIFY_PARAM       *params;
+       ASN1_OBJECT             *cp_oid;
        STACK_OF(X509)          *chain;
        STACK_OF(X509_CRL)      *crls = NULL;
        int                      c;
@@ -217,11 +221,19 @@ valid_x509(char *file, X509 *x509, struct auth *a, struct crl *crl,
        if (!X509_STORE_CTX_init(ctx, NULL, x509, NULL))
                cryptoerrx("X509_STORE_CTX_init");
 
+       if ((params = X509_STORE_CTX_get0_param(ctx)) == NULL)
+               cryptoerrx("X509_STORE_CTX_get0_param");
+       if ((cp_oid = OBJ_dup(certpol_oid)) == NULL)
+               cryptoerrx("OBJ_dup");
+       if (!X509_VERIFY_PARAM_add0_policy(params, cp_oid))
+               cryptoerrx("X509_VERIFY_PARAM_add0_policy");
+
        X509_STORE_CTX_set_verify_cb(ctx, verify_cb);
        if (!X509_STORE_CTX_set_app_data(ctx, file))
                cryptoerrx("X509_STORE_CTX_set_app_data");
-       if (flags != 0)
-               X509_STORE_CTX_set_flags(ctx, flags);
+       flags |= X509_V_FLAG_EXPLICIT_POLICY;
+       flags |= X509_V_FLAG_INHIBIT_MAP;
+       X509_STORE_CTX_set_flags(ctx, flags);
        X509_STORE_CTX_set_depth(ctx, MAX_CERT_DEPTH);
        X509_STORE_CTX_set0_trusted_stack(ctx, chain);
        X509_STORE_CTX_set0_crls(ctx, crls);
OpenBSD src
by Ahmet Artu Yildirim