From b058bac1848470a4713b904cf51a98c36082485d Mon Sep 17 00:00:00 2001 From: job Date: Sat, 26 Nov 2022 17:06:43 +0000 Subject: [PATCH] Disallow 'inherit' elements in geofeed authenticators RFC 9092 is underspecified in this regard, but other signed objects relating to Internet number resources (ROA, BGPsec, ASPA, RSC) all disallow inherit. See https://mailarchive.ietf.org/arch/msg/opsawg/JXjxCA14BkW4DWyVoUMwqDvB17I/ OK tb@ --- usr.sbin/rpki-client/geofeed.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/usr.sbin/rpki-client/geofeed.c b/usr.sbin/rpki-client/geofeed.c index d555dd1e493..bf8eef12a71 100644 --- a/usr.sbin/rpki-client/geofeed.c +++ b/usr.sbin/rpki-client/geofeed.c @@ -1,4 +1,4 @@ -/* $OpenBSD: geofeed.c,v 1.3 2022/11/26 16:42:04 job Exp $ */ +/* $OpenBSD: geofeed.c,v 1.4 2022/11/26 17:06:43 job Exp $ */ /* * Copyright (c) 2022 Job Snijders * Copyright (c) 2019 Kristaps Dzonsons @@ -250,6 +250,11 @@ geofeed_parse(X509 **x509, const char *fn, char *buf, size_t len) if ((cert = cert_parse_ee_cert(fn, *x509)) == NULL) goto out; + if (x509_any_inherits(*x509)) { + warnx("%s: inherit elements not allowed in EE cert", fn); + goto out; + } + if (cert->asz > 0) { warnx("%s: superfluous AS Resources extension present", fn); goto out; -- 2.20.1