From a582643462dde6fbad3115058b7092d202cc242b Mon Sep 17 00:00:00 2001
From: tb
Date: Sat, 8 Jun 2024 13:33:49 +0000
Subject: [PATCH] Tigthen cert_parse_ee_cert() and ta_parse()

Require that a cert fed to cert_parse_ee_cert() have an EE cert purpose. Instead of throwing a warning for BGPsec router certs, check for the TA purpose in ta_parse() and reject everything else.

ok job
---
 usr.sbin/rpki-client/cert.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index 5cf6011d7aa..ba29b7e48ea 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: cert.c,v 1.143 2024/06/08 13:31:37 tb Exp $ */
+/*	$OpenBSD: cert.c,v 1.144 2024/06/08 13:33:49 tb Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler
  * Copyright (c) 2021 Job Snijders
@@ -747,6 +747,12 @@ cert_parse_ee_cert(const char *fn, int talid, X509 *x)
 	if (!x509_cache_extensions(x, fn))
 		goto out;
 
+	if ((cert->purpose = x509_get_purpose(x, fn)) != CERT_PURPOSE_EE) {
+		warnx("%s: expected EE cert, got %s", fn,
+		    purpose2str(cert->purpose));
+		goto out;
+	}
+
 	if (X509_get_key_usage(x) != KU_DIGITAL_SIGNATURE) {
 		warnx("%s: RFC 6487 section 4.8.4: KU must be digitalSignature",
 		    fn);
@@ -1121,12 +1127,9 @@ ta_parse(const char *fn, struct cert *p, const unsigned char *pkey,
 		    "trust anchor may not specify CRL resource", fn);
 		goto badcert;
 	}
-	/*
-	 * XXX - this check for BGPsec router certs doesn't make all that much
-	 * sense. Consider introducing a TA purpose for self-issued CA certs.
-	 */
-	if (p->purpose == CERT_PURPOSE_BGPSEC_ROUTER) {
-		warnx("%s: BGPsec cert cannot be a trust anchor", fn);
+	if (p->purpose != CERT_PURPOSE_TA) {
+		warnx("%s: expected trust anchor purpose, got %s", fn,
+		    purpose2str(p->purpose));
 		goto badcert;
 	}
 	/*
-- 
2.20.1
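Review bot: The new check in cert_parse_ee_cert() stores the result of x509_get_purpose() into cert->purpose before comparing it, so a rejected cert still carries its non-EE purpose on the `goto out` path; whether anything under the `out:` label or in the caller looks at cert->purpose cannot be seen here, because the function's start and its out label lie outside the hunk. If x509_get_purpose() already emits its own warnx() for a cert it cannot classify, the new message would be a second warning for the same file — not visible in this hunk, so worth confirming. A one-line comment would make the ordering intent explicit to the next reader: `/* Decide the cert purpose first; the RFC 6487 key-usage check below is EE-specific. */`.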
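Review bot: The replacement check in ta_parse() reads p->purpose, but the code that assigns CERT_PURPOSE_TA is not in this hunk, so the new test is only as strict as that classification (per the removed comment, the intent is self-issued CA certs); a comment at the check would make that coupling visible, e.g. `/* Only a cert classified as CERT_PURPOSE_TA may serve as a trust anchor; see x509_get_purpose(). */`. The old message named BGPsec router certs explicitly, while the new one reports whatever purpose2str() returns, which is the better diagnostic provided purpose2str() has a string for every value p->purpose can hold, including an unset or invalid one — that function is outside the hunk. ta_parse() itself starts and ends outside the hunk.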