From: tb Date: Wed, 11 May 2022 16:13:05 +0000 (+0000) Subject: Cache X509v3 extensions as soon as we have a cert X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=b2d6bcdcc725552ca600d02cde5f41a93b8e02a8;p=openbsd Cache X509v3 extensions as soon as we have a cert X509 API functions such as X509_check_ca() or X509_get_extension_flags() can't be used reliably unless we know that X509v3 extensions are cached. Otherwise they try to cache the extensions themselves but can't report possible errors sensibly. They carry on and may return nonsense. An old trick is to call X509_check_purpose() with a purpose of -1 which is a wrapper around the internal x509v3_cache_extensions() that allows error checking. Do this when we have a new cert. This way the API functions affected by this can be relied upon. Another nice side effect of doing this is that with LibreSSL we then know that the RFC 3779 extensions are in canonical form. ok beck claudio --- diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c index c4114f2c225..ab6c6d66f92 100644 --- a/usr.sbin/rpki-client/cert.c +++ b/usr.sbin/rpki-client/cert.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cert.c,v 1.77 2022/05/11 09:40:00 tb Exp $ */ +/* $OpenBSD: cert.c,v 1.78 2022/05/11 16:13:05 tb Exp $ */ /* * Copyright (c) 2021 Job Snijders * Copyright (c) 2019 Kristaps Dzonsons @@ -597,6 +597,12 @@ cert_parse_pre(const char *fn, const unsigned char *der, size_t len) goto out; } + /* Cache X509v3 extensions, see X509_check_ca(3). */ + if (X509_check_purpose(x, -1, -1) <= 0) { + cryptowarnx("%s: could not cache X509v3 extensions", p.fn); + goto out; + } + /* Look for X509v3 extensions. */ if ((extsz = X509_get_ext_count(x)) < 0) diff --git a/usr.sbin/rpki-client/cms.c b/usr.sbin/rpki-client/cms.c index 24c7b903a6e..cd1d6c49e67 100644 --- a/usr.sbin/rpki-client/cms.c +++ b/usr.sbin/rpki-client/cms.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cms.c,v 1.16 2022/03/28 13:04:01 claudio Exp $ */ +/* $OpenBSD: cms.c,v 1.17 2022/05/11 16:13:05 tb Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons * @@ -224,6 +224,12 @@ cms_parse_validate(X509 **xp, const char *fn, const unsigned char *der, } *xp = X509_dup(sk_X509_value(certs, 0)); + /* Cache X509v3 extensions, see X509_check_ca(3). */ + if (X509_check_purpose(*xp, -1, -1) <= 0) { + cryptowarnx("%s: could not cache X509v3 extensions", fn); + goto out; + } + if (CMS_SignerInfo_get0_signer_id(si, &kid, NULL, NULL) != 1 || kid == NULL) { warnx("%s: RFC 6488: could not extract SKI from SID", fn);