In very verbose mode, log unexpected accessMethods
author tb <tb@openbsd.org>
Fri, 4 Nov 2022 23:42:56 +0000 (23:42 +0000)
committer tb <tb@openbsd.org>
Fri, 4 Nov 2022 23:42:56 +0000 (23:42 +0000)
While RFC 6487, 4.8.2.2 is very explicit about allowing id-ad-signedObject
as the only accessMethod, the clear language was lost during the RFC 8182
editing process. APNIC, TWNIC and JPNIC and a few others are currently
known to have an id-ad-rpkiNotify. The verbose logging allows us to check
the ecosystem while waiting for the point in time where we can turn this
into an error. See also https://www.rfc-editor.org/errata/eid7239.

ok job

usr.sbin/rpki-client/x509.c

index efa9d69..4276588 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: x509.c,v 1.54 2022/11/04 09:43:13 job Exp $ */
+/*     $OpenBSD: x509.c,v 1.55 2022/11/04 23:42:56 tb Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
  * Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
@@ -400,16 +400,25 @@ x509_get_sia(X509 *x, const char *fn, char **sia)
                goto out;
        }
 
-       /*
-        * RFC 6487 4.8.8.2 disallows other accessMethods, however they
-        * do exist in the wild.
-        */
        for (i = 0; i < sk_ACCESS_DESCRIPTION_num(info); i++) {
                ad = sk_ACCESS_DESCRIPTION_value(info, i);
                oid = ad->method;
 
-               if (OBJ_cmp(oid, signedobj_oid) != 0)
+               /*
+                * XXX: RFC 6487 4.8.8.2 disallows other accessMethods, however
+                * they do exist in the wild.  Consider making this an error.
+                * See also https://www.rfc-editor.org/errata/eid7239.
+                */
+               if (OBJ_cmp(oid, signedobj_oid) != 0) {
+                       if (verbose > 1) {
+                               char buf[128];
+
+                               OBJ_obj2txt(buf, sizeof(buf), oid, 0);
+                               warnx("%s: RFC 6487 section 4.8.8.2: unexpected"
+                                   " accessMethod: %s", fn, buf);
+                       }
                        continue;
+               }
 
                /* XXX: correctly deal with other (non-rsync) protocols. */
                if (!x509_location(fn, "SIA: signedObject", "rsync://",
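Review bot: the RFC section cited in the new comment and in the warnx() text ("RFC 6487 section 4.8.8.2") does not match the one in the commit message ("RFC 6487, 4.8.2.2"); whichever is the intended reference, the log line is what operators will grep for, so the two should agree before this becomes an error. Two smaller points on the logging block: OBJ_obj2txt() silently truncates when the dotted form does not fit in the 128-byte buf (it returns the length that would have been needed), which is acceptable for a diagnostic but worth a short comment, and the new `continue` inside the braces keeps the previous skip-the-entry behaviour for unexpected accessMethods, so this change is log-only at `verbose > 1` and otherwise a no-op, matching the commit message's intent.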