From: tb Date: Sat, 8 Jun 2024 13:32:30 +0000 (+0000) Subject: Add a TODO item for BGPsec router certs X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=37cdae3df320b508da15a0784449d0ca9d041c97;p=openbsd Add a TODO item for BGPsec router certs It is currently assumed that there is only one extended key usage OID. RFC 8209 allows others. For example, it may well make sense for operators to include the anyExtendedKeyUsage OID to be able to use validators that don't recognize the BGPsec Router purpose. ok job --- diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c index 908778c1e82..c264b7327d3 100644 --- a/usr.sbin/rpki-client/x509.c +++ b/usr.sbin/rpki-client/x509.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509.c,v 1.96 2024/06/08 13:31:38 tb Exp $ */ +/* $OpenBSD: x509.c,v 1.97 2024/06/08 13:32:30 tb Exp $ */ /* * Copyright (c) 2022 Theo Buehler * Copyright (c) 2021 Claudio Jeker @@ -351,6 +351,13 @@ x509_get_purpose(X509 *x, const char *fn) warnx("%s: EKU: extension must not be marked critical", fn); goto out; } + + /* + * XXX - this isn't quite correct: other EKU OIDs are allowed per + * RFC 8209, section 3.1.3.2, e.g., anyEKU could potentially help + * avoid tripping up validators that don't know about the BGPsec + * router purpose. Drop check or downgrade from error to warning? + */ if (sk_ASN1_OBJECT_num(eku) != 1) { warnx("%s: EKU: expected 1 purpose, have %d", fn, sk_ASN1_OBJECT_num(eku));
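Review bot: the new XXX comment in x509_get_purpose() records the gap but leaves the `sk_ASN1_OBJECT_num(eku) != 1` check unchanged, so a router certificate carrying both the BGPsec Router purpose and anyExtendedKeyUsage (the exact case the commit message says operators may reasonably want) is still rejected with an error via `goto out`. Since the comment itself says other EKU OIDs are allowed per RFC 8209, section 3.1.3.2, the property worth enforcing is that the BGPsec Router purpose is present, not that it is the only entry: walking the stack with sk_ASN1_OBJECT_num()/sk_ASN1_OBJECT_value() and comparing each entry with OBJ_cmp() against the router OID, and failing only when it is absent, would remove the count assumption without loosening the check. If the count check is intentionally kept until that is done, the comment's own suggestion of downgrading to a warning is the safer interim step, and the message "expected 1 purpose, have %d" should then be reworded so it does not read as a validation failure.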