From: job <job@openbsd.org>
Date: Sun, 21 Apr 2024 09:03:22 +0000 (+0000)
Subject: Mandate presence of CMS signing-time and disallow binary-signing-time
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=968e24948cc91e830e41af90577b1c1c8405f2d0;p=openbsd

Mandate presence of CMS signing-time and disallow binary-signing-time

RFC-to-be draft-ietf-sidrops-cms-signing-time updates RFC 6488 by
mandating the presence of the CMS signing-time attribute and disallowing
the use of the CMS binary-signing-time attribute in RPKI Signed Objects.
The ecosystem has behaved this way for a number of years now.

Flip from warning to erroring for non-compliant objects.

OK tb@
---

diff --git a/usr.sbin/rpki-client/cms.c b/usr.sbin/rpki-client/cms.c
index 8b9485caac8..40cf8e1785a 100644
--- a/usr.sbin/rpki-client/cms.c
+++ b/usr.sbin/rpki-client/cms.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: cms.c,v 1.42 2024/02/01 15:11:38 tb Exp $ */
+/*	$OpenBSD: cms.c,v 1.43 2024/04/21 09:03:22 job Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -30,7 +30,6 @@
 extern ASN1_OBJECT	*cnt_type_oid;
 extern ASN1_OBJECT	*msg_dgst_oid;
 extern ASN1_OBJECT	*sign_time_oid;
-extern ASN1_OBJECT	*bin_sign_time_oid;
 
 static int
 cms_extract_econtent(const char *fn, CMS_ContentInfo *cms, unsigned char **res,
@@ -108,8 +107,7 @@ cms_parse_validate_internal(X509 **xp, const char *fn, const unsigned char *der,
 	EVP_PKEY			*pkey;
 	X509_ALGOR			*pdig, *psig;
 	int				 i, nattrs, nid;
-	int				 has_ct = 0, has_md = 0, has_st = 0,
-					 has_bst = 0;
+	int				 has_ct = 0, has_md = 0, has_st = 0;
 	time_t				 notafter;
 	int				 rc = 0;
 
@@ -218,12 +216,6 @@ cms_parse_validate_internal(X509 **xp, const char *fn, const unsigned char *der,
 			}
 			if (!cms_get_signtime(fn, attr, signtime))
 				goto out;
-		} else if (OBJ_cmp(obj, bin_sign_time_oid) == 0) {
-			if (has_bst++ != 0) {
-				warnx("%s: RFC 6488: duplicate "
-				    "signed attribute", fn);
-				goto out;
-			}
 		} else {
 			OBJ_obj2txt(buf, sizeof(buf), obj, 1);
 			warnx("%s: RFC 6488: "
@@ -239,11 +231,11 @@ cms_parse_validate_internal(X509 **xp, const char *fn, const unsigned char *der,
 		goto out;
 	}
 
-	if (has_bst)
-		warnx("%s: unsupported CMS signing-time attribute", fn);
-
-	if (!has_st)
+	if (!has_st) {
+		/* RFC-to-be draft-ietf-sidrops-cms-signing-time */
 		warnx("%s: missing CMS signing-time attribute", fn);
+		goto out;
+	}
 
 	if (CMS_unsigned_get_attr_count(si) != -1) {
 		warnx("%s: RFC 6488: CMS has unsignedAttrs", fn);
diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c
index 7d56f0c8bc4..8ce43b3dfdb 100644
--- a/usr.sbin/rpki-client/x509.c
+++ b/usr.sbin/rpki-client/x509.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: x509.c,v 1.86 2024/04/03 04:20:13 tb Exp $ */
+/*	$OpenBSD: x509.c,v 1.87 2024/04/21 09:03:22 job Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
  * Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
@@ -39,7 +39,6 @@ ASN1_OBJECT	*bgpsec_oid;	/* id-kp-bgpsec-router Key Purpose */
 ASN1_OBJECT	*cnt_type_oid;	/* pkcs-9 id-contentType */
 ASN1_OBJECT	*msg_dgst_oid;	/* pkcs-9 id-messageDigest */
 ASN1_OBJECT	*sign_time_oid;	/* pkcs-9 id-signingTime */
-ASN1_OBJECT	*bin_sign_time_oid;	/* pkcs-9 id-aa-binarySigningTime */
 ASN1_OBJECT	*rsc_oid;	/* id-ct-signedChecklist */
 ASN1_OBJECT	*aspa_oid;	/* id-ct-ASPA */
 ASN1_OBJECT	*tak_oid;	/* id-ct-SignedTAL */
@@ -98,10 +97,6 @@ static const struct {
 		.oid = "1.2.840.113549.1.9.5",
 		.ptr = &sign_time_oid,
 	},
-	{
-		.oid = "1.2.840.113549.1.9.16.2.46",
-		.ptr = &bin_sign_time_oid,
-	},
 	{
 		.oid = "1.2.840.113549.1.9.16.1.47",
 		.ptr = &geofeed_oid,