rpki-client: disallow AIA in self-signed certs

Per RFC 6487, 4.8.7, self-signed certificates must not have an Authority
Info Access extension. In normal operation this is ensured by ta_parse()
and cert_parse(), respectively. In filemode, only partial checks are
performed, so this is not guaranteed.

Issue flagged by and ok job

diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c
index cd53ecf..0ab6469 100644 (file)
--- a/usr.sbin/rpki-client/x509.c
+++ b/usr.sbin/rpki-client/x509.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: x509.c,v 1.69 2023/03/12 11:54:56 job Exp $ */
+/*     $OpenBSD: x509.c,v 1.70 2023/03/14 07:09:11 tb Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
  * Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
@@ -375,11 +375,18 @@ x509_get_aia(X509 *x, const char *fn, char **aia)
        if (info == NULL)
                return 1;
 
+       if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0) {
+               warnx("%s: RFC 6487 section 4.8.7: AIA must be absent from "
+                   "a self-signed certificate", fn);
+               goto out;
+       }
+
        if (crit != 0) {
                warnx("%s: RFC 6487 section 4.8.7: "
                    "AIA: extension not non-critical", fn);
                goto out;
        }
+
        if (sk_ACCESS_DESCRIPTION_num(info) != 1) {
                warnx("%s: RFC 6487 section 4.8.7: AIA: "
                    "want 1 element, have %d", fn,