From: tb Date: Tue, 4 Jun 2024 14:10:53 +0000 (+0000) Subject: rpki-client: reject certs with unexpected SIA accessMethods X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=78268cf82339967be4573ca1c53c04816d2ee01c;p=openbsd rpki-client: reject certs with unexpected SIA accessMethods RFC 6487, section 4.8.8.1 only lists caRepository and rpkiManifest, and RFC 8182 added rpkiNotify for RRDP. All other access methods (which would be children of id-ad), are not allowed and do not really make sense here. ok claudio --- diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c index b565434a1aa..76d4e4eb816 100644 --- a/usr.sbin/rpki-client/cert.c +++ b/usr.sbin/rpki-client/cert.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cert.c,v 1.135 2024/06/04 14:07:10 tb Exp $ */ +/* $OpenBSD: cert.c,v 1.136 2024/06/04 14:10:53 tb Exp $ */ /* * Copyright (c) 2022 Theo Buehler * Copyright (c) 2021 Job Snijders @@ -577,6 +577,13 @@ sbgp_sia(const char *fn, struct cert *cert, X509_EXTENSION *ext) } cert->notify = notify; notify = NULL; + } else { + char buf[128]; + + OBJ_obj2txt(buf, sizeof(buf), oid, 0); + warnx("%s: RFC 6487 section 4.8.8.1: unexpected" + " accessMethod: %s", fn, buf); + goto out; } }
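Review bot: in the new `else` branch of sbgp_sia(), the return value of OBJ_obj2txt() is ignored, so an accessMethod OID whose text form exceeds the 128-byte `buf` would be logged truncated; the buffer is still NUL-terminated and the certificate is rejected either way, so this is a diagnostic quality point rather than a correctness bug. Passing `no_name` as 1 (`OBJ_obj2txt(buf, sizeof(buf), oid, 1)`) would print the dotted-decimal OID instead of a registered name, which is the more useful form when reporting a method the code does not recognise. Also worth confirming in review that the `out` label releases anything the earlier branches already stored in the cert (the hunk's context shows `cert->notify = notify; notify = NULL;`, so repo/mft/notify may already be populated when this new `goto out` fires mid-loop).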