-/* $OpenBSD: aspa.c,v 1.1 2022/08/30 18:56:49 job Exp $ */
+/* $OpenBSD: aspa.c,v 1.2 2022/09/03 14:40:09 job Exp $ */
/*
* Copyright (c) 2022 Job Snijders <job@fastly.com>
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
goto out;
}
+ if (x509_any_inherits(*x509)) {
+ warnx("%s: inherit elements not allowed", fn);
+ goto out;
+ }
+
if (!aspa_parse_econtent(cms, cmsz, &p))
goto out;
-/* $OpenBSD: cert.c,v 1.87 2022/09/03 13:30:27 claudio Exp $ */
+/* $OpenBSD: cert.c,v 1.88 2022/09/03 14:40:09 job Exp $ */
/*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2021 Job Snijders <job@openbsd.org>
warnx("%s: BGPsec cert cannot be a trust anchor", fn);
goto badcert;
}
+ if (x509_any_inherits(p->x509)) {
+ warnx("%s: Trust anchor IP/AS resources may not inherit", fn);
+ goto badcert;
+ }
EVP_PKEY_free(pk);
return p;
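Review bot: The new trust-anchor rejection `warnx("%s: Trust anchor IP/AS resources may not inherit", fn);` drops the RFC reference that the check it replaces in valid_ta() carried ("RFC 6487 (trust anchor): inheriting AS resources"), and its wording differs from the otherwise identical message this commit adds to aspa.c, roa.c and rsc.c. Consider `warnx("%s: RFC 6487 (trust anchor): inherit elements not allowed", fn);` so log consumers can correlate the failure with the requirement and with the EE-certificate variant. The enclosing function starts and ends outside the hunk, so I cannot confirm that the `badcert` path releases `pk`, which the success path frees right below; worth a glance since the new early exit adds another route to it.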
-/* $OpenBSD: extern.h,v 1.154 2022/09/03 13:30:27 claudio Exp $ */
+/* $OpenBSD: extern.h,v 1.155 2022/09/03 14:40:09 job Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
int x509_location(const char *, const char *, const char *,
GENERAL_NAME *, char **);
int x509_inherits(X509 *);
+int x509_any_inherits(X509 *);
/* printers */
char *time2str(time_t);
-/* $OpenBSD: roa.c,v 1.51 2022/08/30 18:56:49 job Exp $ */
+/* $OpenBSD: roa.c,v 1.52 2022/09/03 14:40:09 job Exp $ */
/*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
if (!roa_parse_econtent(cms, cmsz, &p))
goto out;
+ if (x509_any_inherits(*x509)) {
+ warnx("%s: inherit elements not allowed", fn);
+ goto out;
+ }
+
if ((cert = cert_parse_ee_cert(fn, *x509)) == NULL)
goto out;
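Review bot: The inherit check on `*x509` is placed after `roa_parse_econtent()` here, whereas the same check added to aspa.c and rsc.c in this commit runs before the econtent is parsed. Hoisting it above `if (!roa_parse_econtent(cms, cmsz, &p))` keeps the three parsers consistent and avoids decoding the ROA payload of a certificate that is going to be rejected anyway, so less attacker-controlled input is processed on the failure path. The enclosing function starts and ends outside the hunk, so whether `out:` frees the `p` allocated by the preceding parse on this new early exit cannot be confirmed from here.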
-/* $OpenBSD: rsc.c,v 1.14 2022/08/22 10:25:58 tb Exp $ */
+/* $OpenBSD: rsc.c,v 1.15 2022/09/03 14:40:09 job Exp $ */
/*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2022 Job Snijders <job@fastly.com>
goto out;
}
+ if (x509_any_inherits(*x509)) {
+ warnx("%s: inherit elements not allowed", fn);
+ goto out;
+ }
+
if (!rsc_parse_econtent(cms, cmsz, &p))
goto out;
-/* $OpenBSD: validate.c,v 1.43 2022/09/03 13:01:43 tb Exp $ */
+/* $OpenBSD: validate.c,v 1.44 2022/09/03 14:40:09 job Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
}
/*
- * Authenticate a trust anchor by making sure its resources are not
- * inheriting and that the SKI is unique.
+ * Validate a trust anchor by making sure that the SKI is unique.
* Returns 1 if valid, 0 otherwise.
*/
int
valid_ta(const char *fn, struct auth_tree *auths, const struct cert *cert)
{
- size_t i;
-
- /* AS and IP resources must not inherit. */
- if (cert->asz && cert->as[0].type == CERT_AS_INHERIT) {
- warnx("%s: RFC 6487 (trust anchor): "
- "inheriting AS resources", fn);
- return 0;
- }
- for (i = 0; i < cert->ipsz; i++)
- if (cert->ips[i].type == CERT_IP_INHERIT) {
- warnx("%s: RFC 6487 (trust anchor): "
- "inheriting IP resources", fn);
- return 0;
- }
-
/* SKI must not be a dupe. */
if (auth_find(auths, cert->ski) != NULL) {
warnx("%s: RFC 6487: duplicate SKI", fn);
-/* $OpenBSD: x509.c,v 1.49 2022/09/03 13:06:15 tb Exp $ */
+/* $OpenBSD: x509.c,v 1.50 2022/09/03 14:40:09 job Exp $ */
/*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
}
/*
- * Check whether the RFC 3779 extensions are set to inherit.
+ * Check whether all RFC 3779 extensions are set to inherit.
* Return 1 if both AS & IP are set to inherit.
* Return 0 on failure (such as missing extensions or no inheritance).
*/
return rc;
}
+/*
+ * Check whether at least one RFC 3779 extension is set to inherit.
+ * Return 1 if an inherit element is encountered in AS or IP.
+ * Return 0 otherwise.
+ */
+int
+x509_any_inherits(X509 *x)
+{
+ STACK_OF(IPAddressFamily) *addrblk = NULL;
+ ASIdentifiers *asidentifiers = NULL;
+ int rc = 0;
+
+ addrblk = X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL);
+ if (X509v3_addr_inherits(addrblk))
+ rc = 1;
+
+ asidentifiers = X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum, NULL,
+ NULL);
+ if (X509v3_asid_inherits(asidentifiers))
+ rc = 1;
+
+ ASIdentifiers_free(asidentifiers);
+ sk_IPAddressFamily_pop_free(addrblk, IPAddressFamily_free);
+ return rc;
+}
+
/*
* Parse the very specific subset of information in the CRL distribution
* point extension.