From: job
Date: Sat, 3 Sep 2022 14:40:09 +0000 (+0000)
Subject: Introduce x509_any_inherit() for objects which may not have inherit elements
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=c9e39c95160a1f0d2ec224e1e053d13ada05409d;p=openbsd

Introduce x509_any_inherit() for objects which may not have inherit elements

Unify conformance checking of Trust Anchors, ROAs, ASPAs, RSCs - none of which may have any 'inherit' elements in the RFC 3779 IP/AS Resources extension of the X509 certificate.

OK tb@
---

diff --git a/usr.sbin/rpki-client/aspa.c b/usr.sbin/rpki-client/aspa.c
index 2bd528cc142..4085a82017f 100644
--- a/usr.sbin/rpki-client/aspa.c
+++ b/usr.sbin/rpki-client/aspa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: aspa.c,v 1.1 2022/08/30 18:56:49 job Exp $ */
+/* $OpenBSD: aspa.c,v 1.2 2022/09/03 14:40:09 job Exp $ */
 /*
  * Copyright (c) 2022 Job Snijders
  * Copyright (c) 2022 Theo Buehler
@@ -230,6 +230,11 @@ aspa_parse(X509 **x509, const char *fn, const unsigned char *der, size_t len)
 goto out;
 }
 
+ if (x509_any_inherits(*x509)) {
+ warnx("%s: inherit elements not allowed", fn);
+ goto out;
+ }
+
 if (!aspa_parse_econtent(cms, cmsz, &p))
 goto out;
 
diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index f86f611cb9e..76ceca7a0d3 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.87 2022/09/03 13:30:27 claudio Exp $ */
+/* $OpenBSD: cert.c,v 1.88 2022/09/03 14:40:09 job Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler
  * Copyright (c) 2021 Job Snijders
@@ -861,6 +861,10 @@ ta_parse(const char *fn, struct cert *p, const unsigned char *pkey,
 warnx("%s: BGPsec cert cannot be a trust anchor", fn);
 goto badcert;
 }
+ if (x509_any_inherits(p->x509)) {
+ warnx("%s: Trust anchor IP/AS resources may not inherit", fn);
+ goto badcert;
+ }
 
 EVP_PKEY_free(pk);
 return p;
diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h
index bf5ee0fb91a..43ebfcc35bd 100644
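Review bot: The `x509_any_inherits(*x509)` guard is placed before `aspa_parse_econtent()` here and before `rsc_parse_econtent()` in rsc.c, but after `roa_parse_econtent()` in roa.c, so the three object parsers reject a non-conforming certificate at different stages. Checking the certificate before the payload is decoded in all three keeps the order "reject the certificate, then parse the content" uniform and means a rejected ROA does not spend time decoding its eContent first. The body of aspa_parse starts and ends outside the hunk.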
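Review bot: The diagnostic on the new `warnx()` call drops the `RFC 6487 (trust anchor)` reference that the replaced checks in validate.c printed, and it also differs from the `inherit elements not allowed` wording used for the ROA, ASPA and RSC checks in this commit, so the same conformance rule is now reported with three phrasings. Suggest `warnx("%s: RFC 6487 (trust anchor): inherit elements not allowed", fn);` so log filtering stays consistent with the other sites. The check now runs at parse time in ta_parse rather than in valid_ta during validation, which is fine provided every trust anchor passes through ta_parse; the hunk does not show that. The body of ta_parse starts and ends outside the hunk.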
--- a/usr.sbin/rpki-client/extern.h
+++ b/usr.sbin/rpki-client/extern.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: extern.h,v 1.154 2022/09/03 13:30:27 claudio Exp $ */
+/* $OpenBSD: extern.h,v 1.155 2022/09/03 14:40:09 job Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons
  *
@@ -711,6 +711,7 @@ char *x509_convert_seqnum(const char *, const ASN1_INTEGER *);
 int x509_location(const char *, const char *, const char *,
 GENERAL_NAME *, char **);
 int x509_inherits(X509 *);
+int x509_any_inherits(X509 *);
 
 /* printers */
 char *time2str(time_t);
diff --git a/usr.sbin/rpki-client/roa.c b/usr.sbin/rpki-client/roa.c
index a147997e70e..4846d6fe26a 100644
--- a/usr.sbin/rpki-client/roa.c
+++ b/usr.sbin/rpki-client/roa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: roa.c,v 1.51 2022/08/30 18:56:49 job Exp $ */
+/* $OpenBSD: roa.c,v 1.52 2022/09/03 14:40:09 job Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler
  * Copyright (c) 2019 Kristaps Dzonsons
@@ -243,6 +243,11 @@ roa_parse(X509 **x509, const char *fn, const unsigned char *der, size_t len)
 if (!roa_parse_econtent(cms, cmsz, &p))
 goto out;
 
+ if (x509_any_inherits(*x509)) {
+ warnx("%s: inherit elements not allowed", fn);
+ goto out;
+ }
+
 if ((cert = cert_parse_ee_cert(fn, *x509)) == NULL)
 goto out;
 
diff --git a/usr.sbin/rpki-client/rsc.c b/usr.sbin/rpki-client/rsc.c
index cc5a6644aab..6725287ea63 100644
--- a/usr.sbin/rpki-client/rsc.c
+++ b/usr.sbin/rpki-client/rsc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsc.c,v 1.14 2022/08/22 10:25:58 tb Exp $ */
+/* $OpenBSD: rsc.c,v 1.15 2022/09/03 14:40:09 job Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler
  * Copyright (c) 2022 Job Snijders
@@ -418,6 +418,11 @@ rsc_parse(X509 **x509, const char *fn, const unsigned char *der, size_t len)
 goto out;
 }
 
+ if (x509_any_inherits(*x509)) {
+ warnx("%s: inherit elements not allowed", fn);
+ goto out;
+ }
+
 if (!rsc_parse_econtent(cms, cmsz, &p))
 goto out;
 
diff --git a/usr.sbin/rpki-client/validate.c b/usr.sbin/rpki-client/validate.c
index ae14fc5da3f..36f11fc15b9 100644
--- a/usr.sbin/rpki-client/validate.c
+++ b/usr.sbin/rpki-client/validate.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: validate.c,v 1.43 2022/09/03 13:01:43 tb Exp $ */
+/* $OpenBSD: validate.c,v 1.44 2022/09/03 14:40:09 job Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons
  *
@@ -106,28 +106,12 @@ valid_ski_aki(const char *fn, struct auth_tree *auths,
 }
 
 /*
- * Authenticate a trust anchor by making sure its resources are not
- * inheriting and that the SKI is unique.
+ * Validate a trust anchor by making sure that the SKI is unique.
  * Returns 1 if valid, 0 otherwise.
  */
 int
 valid_ta(const char *fn, struct auth_tree *auths, const struct cert *cert)
 {
- size_t i;
-
- /* AS and IP resources must not inherit. */
- if (cert->asz && cert->as[0].type == CERT_AS_INHERIT) {
- warnx("%s: RFC 6487 (trust anchor): "
- "inheriting AS resources", fn);
- return 0;
- }
- for (i = 0; i < cert->ipsz; i++)
- if (cert->ips[i].type == CERT_IP_INHERIT) {
- warnx("%s: RFC 6487 (trust anchor): "
- "inheriting IP resources", fn);
- return 0;
- }
-
 /* SKI must not be a dupe. */
 if (auth_find(auths, cert->ski) != NULL) {
 warnx("%s: RFC 6487: duplicate SKI", fn);
diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c
index f49d0590974..19c60798464 100644
--- a/usr.sbin/rpki-client/x509.c
+++ b/usr.sbin/rpki-client/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.49 2022/09/03 13:06:15 tb Exp $ */
+/* $OpenBSD: x509.c,v 1.50 2022/09/03 14:40:09 job Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler
  * Copyright (c) 2021 Claudio Jeker
@@ -352,7 +352,7 @@ x509_get_expire(X509 *x, const char *fn, time_t *tt)
 }
 
 /*
- * Check whether the RFC 3779 extensions are set to inherit.
+ * Check whether all RFC 3779 extensions are set to inherit.
  * Return 1 if both AS & IP are set to inherit.
  * Return 0 on failure (such as missing extensions or no inheritance).
  */
@@ -396,6 +396,32 @@ x509_inherits(X509 *x)
 return rc;
 }
 
+/*
+ * Check whether at least one RFC 3779 extension is set to inherit.
+ * Return 1 if an inherit element is encountered in AS or IP.
+ * Return 0 otherwise.
+ */
+int
+x509_any_inherits(X509 *x)
+{
+ STACK_OF(IPAddressFamily) *addrblk = NULL;
+ ASIdentifiers *asidentifiers = NULL;
+ int rc = 0;
+
+ addrblk = X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL);
+ if (X509v3_addr_inherits(addrblk))
+ rc = 1;
+
+ asidentifiers = X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum, NULL,
+ NULL);
+ if (X509v3_asid_inherits(asidentifiers))
+ rc = 1;
+
+ ASIdentifiers_free(asidentifiers);
+ sk_IPAddressFamily_pop_free(addrblk, IPAddressFamily_free);
+ return rc;
+}
+
 /*
  * Parse the very specific subset of information in the CRL distribution
  * point extension.
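Review bot: The header comment's `Return 0 otherwise.` hides that `X509_get_ext_d2i(x, ..., NULL, NULL)` yields NULL both when an RFC 3779 extension is absent and when it is present but cannot be decoded (and, if I recall the API correctly, when it occurs more than once), and both inherit helpers treat NULL as "not inheriting", so a certificate with an undecodable resource extension passes this check. That is presumably acceptable only because the callers have already rejected such certificates during certificate parsing, which this hunk does not show. Suggest stating the contract in the comment, e.g. ` * Return 0 otherwise, including when an extension is absent or could not be decoded; callers must reject malformed extensions themselves.` If that assumption does not hold for every caller, the crit out-parameter of X509_get_ext_d2i distinguishes a missing extension from a decode failure and could be used to return an error instead.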