From 0a039610e5c4b7daf64dc12006cb3a02dacf5c7f Mon Sep 17 00:00:00 2001 From: claudio Date: Fri, 1 Apr 2022 13:27:38 +0000 Subject: [PATCH] Move the TA specific checks from cert_parse_inner() to ta_parse() and the regular cert checks from cert_parse_inner() to cert_parse(). OK tb@ --- usr.sbin/rpki-client/cert.c | 96 +++++++++++++++++++------------------ 1 file changed, 49 insertions(+), 47 deletions(-) diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c index 1b288512049..c2f2f814fae 100644 --- a/usr.sbin/rpki-client/cert.c +++ b/usr.sbin/rpki-client/cert.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cert.c,v 1.57 2022/04/01 10:00:41 tb Exp $ */ +/* $OpenBSD: cert.c,v 1.58 2022/04/01 13:27:38 claudio Exp $ */ /* * Copyright (c) 2021 Job Snijders * Copyright (c) 2019 Kristaps Dzonsons @@ -1171,11 +1171,6 @@ cert_parse_inner(const char *fn, const unsigned char *der, size_t len, int ta) p.fn); goto out; } - if (ta) { - warnx("%s: BGPsec cert can not be a trust anchor", - p.fn); - goto out; - } break; default: warnx("%s: x509_get_purpose failed in %s", p.fn, __func__); @@ -1187,38 +1182,6 @@ cert_parse_inner(const char *fn, const unsigned char *der, size_t len, int ta) goto out; } - if (ta && p.res->aki != NULL && strcmp(p.res->aki, p.res->ski)) { - warnx("%s: RFC 6487 section 8.4.2: " - "trust anchor AKI, if specified, must match SKI", p.fn); - goto out; - } - - if (!ta && p.res->aki == NULL) { - warnx("%s: RFC 6487 section 8.4.2: " - "non-trust anchor missing AKI", p.fn); - goto out; - } else if (!ta && strcmp(p.res->aki, p.res->ski) == 0) { - warnx("%s: RFC 6487 section 8.4.2: " - "non-trust anchor AKI may not match SKI", p.fn); - goto out; - } - - if (!ta && p.res->aia == NULL) { - warnx("%s: RFC 6487 section 8.4.7: " - "non-trust anchor missing AIA", p.fn); - goto out; - } else if (ta && p.res->aia != NULL) { - warnx("%s: RFC 6487 section 8.4.7: " - "trust anchor must not have AIA", p.fn); - goto out; - } - - if (ta && p.res->crl != NULL) { - warnx("%s: RFC 6487 section 8.4.2: " - "trust anchor may not specify CRL resource", p.fn); - goto out; - } - p.res->x509 = x; rc = 1; @@ -1233,7 +1196,31 @@ out: struct cert * cert_parse(const char *fn, const unsigned char *der, size_t len) { - return cert_parse_inner(fn, der, len, 0); + struct cert *p; + + if ((p = cert_parse_inner(fn, der, len, 0)) == NULL) + return NULL; + + if (p->aki == NULL) { + warnx("%s: RFC 6487 section 8.4.2: " + "non-trust anchor missing AKI", fn); + goto badcert; + } + if (strcmp(p->aki, p->ski) == 0) { + warnx("%s: RFC 6487 section 8.4.2: " + "non-trust anchor AKI may not match SKI", fn); + goto badcert; + } + if (p->aia == NULL) { + warnx("%s: RFC 6487 section 8.4.7: " + "non-trust anchor missing AIA", fn); + goto badcert; + } + return p; + +badcert: + cert_free(p); + return NULL; } struct cert * @@ -1243,7 +1230,6 @@ ta_parse(const char *fn, const unsigned char *der, size_t len, ASN1_TIME *notBefore, *notAfter; EVP_PKEY *pk = NULL, *opk = NULL; struct cert *p; - int rc = 0; if ((p = cert_parse_inner(fn, der, len, 1)) == NULL) return NULL; @@ -1279,17 +1265,33 @@ ta_parse(const char *fn, const unsigned char *der, size_t len, warnx("%s: certificate has expired", fn); goto badcert; } + if (p->aki != NULL && strcmp(p->aki, p->ski)) { + warnx("%s: RFC 6487 section 8.4.2: " + "trust anchor AKI, if specified, must match SKI", fn); + goto badcert; + } + if (p->aia != NULL) { + warnx("%s: RFC 6487 section 8.4.7: " + "trust anchor must not have AIA", fn); + goto badcert; + } + if (p->crl != NULL) { + warnx("%s: RFC 6487 section 8.4.2: " + "trust anchor may not specify CRL resource", fn); + goto badcert; + } + if (p->purpose == CERT_PURPOSE_BGPSEC_ROUTER) { + warnx("%s: BGPsec cert cannot be a trust anchor", fn); + goto badcert; + } - rc = 1; + EVP_PKEY_free(pk); + return p; badcert: EVP_PKEY_free(pk); - if (rc == 0) { - cert_free(p); - p = NULL; - } - - return p; + cert_free(p); + return NULL; } /* -- 2.20.1