From 9f416a4b5fadecada01f7b9b0ada8419ad543eeb Mon Sep 17 00:00:00 2001
From: job
Date: Thu, 3 Nov 2022 00:00:53 +0000
Subject: [PATCH] Permit only keyCertSign and CRLSign in CA KeyUsage extension

OK tb@
---
 usr.sbin/rpki-client/cert.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index 19ec62bf138..c6fcec3cd30 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.90 2022/11/02 23:20:59 job Exp $ */
+/* $OpenBSD: cert.c,v 1.91 2022/11/03 00:00:53 job Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler
  * Copyright (c) 2021 Job Snijders
@@ -721,6 +721,11 @@ cert_parse_pre(const char *fn, const unsigned char *der, size_t len)
 switch (p.res->purpose) {
 case CERT_PURPOSE_CA:
+ if (X509_get_key_usage(x) != (KU_KEY_CERT_SIGN | KU_CRL_SIGN)) {
+ warnx("%s: RFC 6487 section 4.8.4: key usage violation",
+ p.fn);
+ goto out;
+ }
 if (p.res->mft == NULL) {
 warnx("%s: RFC 6487 section 4.8.8: missing SIA", p.fn);
 goto out;
-- 
2.20.1
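Review bot: The exact-equality compare on `X509_get_key_usage(x)` relies on a non-obvious property of the accessor and deserves a comment: in LibreSSL/OpenSSL it returns UINT32_MAX when no KeyUsage extension is present (and 0 when the extension cache cannot be built), so a CA certificate with a missing or malformed KU is rejected by the same `!=` test as one with extra bits, but the single "key usage violation" message does not tell an operator which of those cases they are looking at. I would add above the `if`: `/* RFC 6487 4.8.4: CA certs carry exactly keyCertSign|cRLSign. X509_get_key_usage() yields UINT32_MAX when the extension is absent, so absence fails this compare as well. */`. RFC 6487 4.8.4 also requires the extension to be marked critical, which this check cannot observe; if criticality is not verified elsewhere in the parser, a separate `X509_get_ext_by_NID`/`X509_EXTENSION_get_critical` check would close that gap. The body of `cert_parse_pre` starts and ends outside the hunk.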