From: tb Date: Fri, 7 Jun 2024 08:36:54 +0000 (+0000) Subject: Add two related todo items for purpose handling X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=35889ce554af2ef2a59424d398385fe5c2fea3e8;p=openbsd Add two related todo items for purpose handling BGPsec certs are a bit weird and checks for them are all over the place, some of them in the TA handling, which makes very little sense. We'd be better off adding another purpose for trust anchors and use that instead. ok claudio job --- diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c index 0b07944125c..0faf997c454 100644 --- a/usr.sbin/rpki-client/cert.c +++ b/usr.sbin/rpki-client/cert.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cert.c,v 1.140 2024/06/06 12:38:02 tb Exp $ */ +/* $OpenBSD: cert.c,v 1.141 2024/06/07 08:36:54 tb Exp $ */ /* * Copyright (c) 2022 Theo Buehler * Copyright (c) 2021 Job Snijders @@ -1117,6 +1117,10 @@ ta_parse(const char *fn, struct cert *p, const unsigned char *pkey, "trust anchor may not specify CRL resource", fn); goto badcert; } + /* + * XXX - this check for BGPsec router certs doesn't make all that much + * sense. Consider introducing a TA purpose for self-issued CA certs. + */ if (p->purpose == CERT_PURPOSE_BGPSEC_ROUTER) { warnx("%s: BGPsec cert cannot be a trust anchor", fn); goto badcert; diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c index 4082242e5c4..dc9ffcb7ca5 100644 --- a/usr.sbin/rpki-client/x509.c +++ b/usr.sbin/rpki-client/x509.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509.c,v 1.93 2024/06/04 14:17:24 tb Exp $ */ +/* $OpenBSD: x509.c,v 1.94 2024/06/07 08:36:54 tb Exp $ */ /* * Copyright (c) 2022 Theo Buehler * Copyright (c) 2021 Claudio Jeker @@ -279,6 +279,7 @@ x509_get_purpose(X509 *x, const char *fn) goto out; } purpose = CERT_PURPOSE_CA; + /* XXX - we may want to check EXFLAG_SI and add a TA purpose. */ goto out; }
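Review bot: in the cert.c hunk for ta_parse(), the new XXX comment records that the BGPsec check is in the wrong place but keeps it, so until a trust anchor purpose exists this remains the only rejection of a BGPsec router cert as a TA; it would help to state in the comment what the intended replacement is (a check that the parsed purpose is the new TA purpose rather than a check for one specific non-TA purpose) and to reference the matching XXX in x509_get_purpose() so the two todos are resolved together rather than one being forgotten.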
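Review bot: in the x509.c hunk for x509_get_purpose(), the XXX comment proposes keying a TA purpose off EXFLAG_SI, but that cached flag only records that subject and issuer names match (self-issued), not that the certificate is self-signed; the commit message also says "self-issued CA certs", so please state in the comment whether the planned TA purpose is meant to require a verified self-signature in addition to name equality, since a self-issued but not self-signed CA certificate should not be classified as a trust anchor on the basis of EXFLAG_SI alone.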