-/* $OpenBSD: gbr.c,v 1.26 2023/03/12 11:46:35 tb Exp $ */
+/* $OpenBSD: gbr.c,v 1.27 2023/06/20 12:39:50 job Exp $ */
/*
* Copyright (c) 2020 Claudio Jeker <claudio@openbsd.org>
*
gbr_parse(X509 **x509, const char *fn, const unsigned char *der, size_t len)
{
struct parse p;
+ struct cert *cert = NULL;
size_t cmsz;
unsigned char *cms;
time_t signtime = 0;
goto out;
}
+ if ((cert = cert_parse_ee_cert(fn, *x509)) == NULL)
+ goto out;
+
return p.res;
out:
gbr_free(p.res);
X509_free(*x509);
*x509 = NULL;
+ cert_free(cert);
return NULL;
}
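Review bot: The success path of gbr_parse appears to leak the new `cert`: once `cert_parse_ee_cert()` succeeds the function goes straight to `return p.res;`, and the only `cert_free(cert)` this change adds sits under `out:`, which that return never reaches. mft_parse and tak_parse in the same commit free it on the exit path that also runs on success, so gbr_parse is the odd one out. The DER passed in is presumably repository-supplied, so a per-object leak grows with the volume of untrusted input the validator processes; adding `cert_free(cert);` immediately before `return p.res;` closes it. This assumes cert_parse_ee_cert() returns an allocation owned by the caller, which the `cert_free()` on the error path suggests; the middle of the function is outside the hunk.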
-/* $OpenBSD: mft.c,v 1.94 2023/06/07 10:46:34 job Exp $ */
+/* $OpenBSD: mft.c,v 1.95 2023/06/20 12:39:50 job Exp $ */
/*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
mft_parse(X509 **x509, const char *fn, const unsigned char *der, size_t len)
{
struct parse p;
+ struct cert *cert = NULL;
int rc = 0;
size_t cmsz;
unsigned char *cms;
if (mft_parse_econtent(cms, cmsz, &p) == 0)
goto out;
+ if ((cert = cert_parse_ee_cert(fn, *x509)) == NULL)
+ goto out;
+
if (p.res->signtime > p.res->nextupdate) {
warnx("%s: dating issue: CMS signing-time after MFT nextUpdate",
fn);
*x509 = NULL;
}
free(crldp);
+ cert_free(cert);
free(cms);
return p.res;
}
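Review bot: In mft_parse the new `cert` is assigned by `cert_parse_ee_cert()` and then only freed, at least in the lines shown, so a reader cannot tell that the call is made for the checks it performs and not for its result; tak_parse and gbr_parse follow the same pattern. A one-line comment above the call would make the intent explicit, for example `/* Parse the EE cert only for its validation checks; the result is not used. */`. If the parsed certificate is meant to be consulted later, a TODO saying so would serve the same purpose. The cleanup label and most of the function body are outside the hunk.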
-/* $OpenBSD: tak.c,v 1.9 2023/06/07 10:46:34 job Exp $ */
+/* $OpenBSD: tak.c,v 1.10 2023/06/20 12:39:50 job Exp $ */
/*
* Copyright (c) 2022 Job Snijders <job@fastly.com>
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
tak_parse(X509 **x509, const char *fn, const unsigned char *der, size_t len)
{
struct parse p;
+ struct cert *cert = NULL;
unsigned char *cms;
size_t cmsz;
time_t signtime = 0;
if (!tak_parse_econtent(cms, cmsz, &p))
goto out;
+ if ((cert = cert_parse_ee_cert(fn, *x509)) == NULL)
+ goto out;
+
if (strcmp(p.res->aki, p.res->current->ski) != 0) {
warnx("%s: current TAKey's SKI does not match EE AKI", fn);
goto out;
X509_free(*x509);
*x509 = NULL;
}
+ cert_free(cert);
free(cms);
return p.res;
}