Catch bad characters in rpkiManifest filenames earlier on

This improves the hard-to-read error:

rpki-client: .rrdp/59B96A4C078FDCEDBB776D5BE8DF45EAC0149157547270EA7D4647A76611E145/rpki-rsync.us-east-2.amazonaws.com/volume/220c3ec2-ccf9-4b8a-bf61-fd4d1e151271/LAXNBPgDnLLjagP8++RFIoaMCGo.mft: RFC 6487 section 4.8.6: CRL: bad CRL distribution point extension
rpki-client: rpki-rsync.us-east-2.amazonaws.com/volume/220c3ec2-ccf9-4b8a-bf61-fd4d1e151271/LAXNBPgDnLLjagP8++RFIoaMCGo.mft: no valid mft available

to:

rpki-client: rpki.ripe.net/repository/DEFAULT/ZMvVW3ZpjFaCVe2TtDEqMlyFk3E.cer: SIA: rpkiManifest filename contains invalid characters

OK tb@

diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index 32a9a25..641a5d6 100644 (file)
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: cert.c,v 1.93 2022/11/04 09:45:19 job Exp $ */
+/*     $OpenBSD: cert.c,v 1.94 2022/11/04 10:09:09 job Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
  * Copyright (c) 2021 Job Snijders <job@openbsd.org>
@@ -433,6 +433,7 @@ sbgp_sia(struct parse *p, X509_EXTENSION *ext)
        AUTHORITY_INFO_ACCESS   *sia = NULL;
        ACCESS_DESCRIPTION      *ad;
        ASN1_OBJECT             *oid;
+       const char              *mftfilename;
        int                      i, rc = 0;
 
        if (X509_EXTENSION_get_critical(ext)) {
@@ -473,6 +474,14 @@ sbgp_sia(struct parse *p, X509_EXTENSION *ext)
                goto out;
        }
 
+       mftfilename = strrchr(p->res->mft, '/');
+       if (mftfilename == NULL || !valid_filename(mftfilename + 1,
+           strlen(mftfilename) - 1)) {
+               warnx("%s: SIA: rpkiManifest filename contains invalid "
+                   "characters", p->fn);
+               goto out;
+       }
+       
        if (strstr(p->res->mft, p->res->repo) != p->res->mft) {
                warnx("%s: RFC 6487 section 4.8.8: SIA: "
                    "conflicting URIs for caRepository and rpkiManifest",