From 37cdae3df320b508da15a0784449d0ca9d041c97 Mon Sep 17 00:00:00 2001
From: tb
Date: Sat, 8 Jun 2024 13:32:30 +0000
Subject: [PATCH] Add a TODO item for BGPsec router certs
It is currently assumed that there is only one extended key usage OID. RFC 8209 allows others. For example, it may well make sense for operators to include the anyExtendedKeyUsage OID to be able to use validators that don't recognize the BGPsec Router purpose. ok job
---
 usr.sbin/rpki-client/x509.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c
index 908778c1e82..c264b7327d3 100644
--- a/usr.sbin/rpki-client/x509.c
+++ b/usr.sbin/rpki-client/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.96 2024/06/08 13:31:38 tb Exp $ */
+/* $OpenBSD: x509.c,v 1.97 2024/06/08 13:32:30 tb Exp $ */
 /*
 * Copyright (c) 2022 Theo Buehler
 * Copyright (c) 2021 Claudio Jeker
@@ -351,6 +351,13 @@ x509_get_purpose(X509 *x, const char *fn)
 warnx("%s: EKU: extension must not be marked critical", fn);
 goto out;
 }
+
+ /*
+ * XXX - this isn't quite correct: other EKU OIDs are allowed per
+ * RFC 8209, section 3.1.3.2, e.g., anyEKU could potentially help
+ * avoid tripping up validators that don't know about the BGPsec
+ * router purpose. Drop check or downgrade from error to warning?
+ */
 if (sk_ASN1_OBJECT_num(eku) != 1) {
 warnx("%s: EKU: expected 1 purpose, have %d", fn,
 sk_ASN1_OBJECT_num(eku));
-- 
2.20.1
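Review bot: The added XXX comment asks whether the `sk_ASN1_OBJECT_num(eku) != 1` check should be dropped or downgraded, but it does not record the invariant that must survive either choice: a BGPsec router certificate should still be required to carry the BGPsec Router purpose in its EKU, and anyExtendedKeyUsage alone should not be accepted as that purpose, otherwise relaxing the count check widens what this function accepts as a router certificate. Suggest extending the comment with a line such as `* Whichever way this goes, id-kp-bgpsec-router must still be required.` so the later change cannot silently turn the purpose check into "any EKU set passes". The body of x509_get_purpose starts and ends outside the hunk, so the purpose lookup that presumably follows this check is not visible here.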