From: tb
Date: Tue, 14 Mar 2023 07:09:11 +0000 (+0000)
Subject: rpki-client: disallow AIA in self-signed certs
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=f31ce3c9b2726c25a5697e4c398f48b203ad8788;p=openbsd
rpki-client: disallow AIA in self-signed certs
Per RFC 6487, 4.8.7, self-signed certificates must not have an Authority Info Access extension. In normal operation this is ensured by ta_parse() and cert_parse(), respectively. In filemode, only partial checks are performed, so this is not guaranteed. Issue flagged by and ok job
---
diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c
index cd53ecf9c85..0ab646984b8 100644
--- a/usr.sbin/rpki-client/x509.c
+++ b/usr.sbin/rpki-client/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.69 2023/03/12 11:54:56 job Exp $ */
+/* $OpenBSD: x509.c,v 1.70 2023/03/14 07:09:11 tb Exp $ */
 /*
 * Copyright (c) 2022 Theo Buehler
 * Copyright (c) 2021 Claudio Jeker
@@ -375,11 +375,18 @@ x509_get_aia(X509 *x, const char *fn, char **aia)
 if (info == NULL)
 return 1;
 
+ if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0) {
+ warnx("%s: RFC 6487 section 4.8.7: AIA must be absent from "
+ "a self-signed certificate", fn);
+ goto out;
+ }
+
 if (crit != 0) {
 warnx("%s: RFC 6487 section 4.8.7: "
 "AIA: extension not non-critical", fn);
 goto out;
 }
+
 if (sk_ACCESS_DESCRIPTION_num(info) != 1) {
 warnx("%s: RFC 6487 section 4.8.7: AIA: "
 "want 1 element, have %d", fn,
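Review bot: The new `EXFLAG_SS` test in x509_get_aia() carries no comment about what that flag actually establishes: as documented for the library, it is set while the certificate's extensions are cached, from issuer/subject (and, in some versions, key identifier) matching, not from verifying the signature. A reader could take the check as proof of self-signature, so I would add above the `if` something like `/* EXFLAG_SS reflects cached name/key-id matching only; the signature is not verified here. */`. The flag is also only meaningful when extension caching succeeded; whether every filemode caller has already rejected a certificate with `EXFLAG_INVALID` before reaching this function is not visible here and is worth confirming. The function body starts and ends outside this hunk, so the cleanup at `out` could not be checked.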