From 78268cf82339967be4573ca1c53c04816d2ee01c Mon Sep 17 00:00:00 2001
From: tb
Date: Tue, 4 Jun 2024 14:10:53 +0000
Subject: [PATCH] rpki-client: reject certs with unexpected SIA accessMethods

RFC 6487, section 4.8.8.1 only lists caRepository and rpkiManifest, and RFC 8182 added rpkiNotify for RRDP. All other access methods (which would be children of id-ad), are not allowed and do not really make sense here.

ok claudio
---
 usr.sbin/rpki-client/cert.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index b565434a1aa..76d4e4eb816 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.135 2024/06/04 14:07:10 tb Exp $ */
+/* $OpenBSD: cert.c,v 1.136 2024/06/04 14:10:53 tb Exp $ */
 /*
 * Copyright (c) 2022 Theo Buehler
 * Copyright (c) 2021 Job Snijders
@@ -577,6 +577,13 @@ sbgp_sia(const char *fn, struct cert *cert, X509_EXTENSION *ext)
 }
 cert->notify = notify;
 notify = NULL;
+ } else {
+ char buf[128];
+
+ OBJ_obj2txt(buf, sizeof(buf), oid, 0);
+ warnx("%s: RFC 6487 section 4.8.8.1: unexpected" " accessMethod: %s", fn, buf);
+ goto out;
+ }
 }
-- 
2.20.1
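Review bot: The new else branch passes `oid`, an accessMethod taken straight from an untrusted certificate, to `OBJ_obj2txt()` and discards its return value, so an identifier whose text form does not fit the 128-byte `buf` is silently truncated in the warning (the write itself stays bounded, since the function NUL-terminates within `buf_len` when it is non-zero). If operators need the full value to diagnose a rejected cert, keep the length and flag truncation, e.g. `if (OBJ_obj2txt(buf, sizeof(buf), oid, 0) >= (int)sizeof(buf)) warnx("%s: accessMethod OID truncated in log", fn);`, or simply enlarge `buf` for the rare long arc. With `no_name = 0` a known OID such as caIssuers prints its long name instead of the dotted form, which reads fine in the message. For rpki-client-portable this is the first place an attacker-chosen OID is converted to text rather than only compared, so the minimum OpenSSL version is worth confirming: `OBJ_obj2txt()` on OIDs with very large sub-identifiers was pathologically slow before 3.0.9/1.1.1u (CVE-2023-2650), while LibreSSL's reworked implementation is presumably bounded. sbgp_sia() starts outside the hunk, so whether this path is reached only for CA certificates (EE certificates must instead carry id-ad-signedObject per RFC 6487 section 4.8.8.2) cannot be confirmed from here; a one-line comment above the branch stating that assumption, `/* CA certs only: signedObject for EE certs is handled elsewhere */`, would help the next reader.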