From b454bae8c23bf4bcee71cda8ae39dca932e25fd0 Mon Sep 17 00:00:00 2001
From: job
Date: Tue, 20 Jun 2023 12:39:50 +0000
Subject: [PATCH] Add compliance checks for the version, KU, and EKU of TAK/MFT/GBR EE certs
OK tb@
---
 usr.sbin/rpki-client/gbr.c | 7 ++++++-
 usr.sbin/rpki-client/mft.c | 7 ++++++-
 usr.sbin/rpki-client/tak.c | 7 ++++++-
 3 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/usr.sbin/rpki-client/gbr.c b/usr.sbin/rpki-client/gbr.c
index 3d27224cbb5..214bf3231f4 100644
--- a/usr.sbin/rpki-client/gbr.c
+++ b/usr.sbin/rpki-client/gbr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gbr.c,v 1.26 2023/03/12 11:46:35 tb Exp $ */
+/* $OpenBSD: gbr.c,v 1.27 2023/06/20 12:39:50 job Exp $ */
 /*
 * Copyright (c) 2020 Claudio Jeker
 *
@@ -43,6 +43,7 @@ struct gbr *
 gbr_parse(X509 **x509, const char *fn, const unsigned char *der, size_t len)
 {
 struct parse p;
+ struct cert *cert = NULL;
 size_t cmsz;
 unsigned char *cms;
 time_t signtime = 0;
@@ -86,12 +87,16 @@ gbr_parse(X509 **x509, const char *fn, const unsigned char *der, size_t len)
 goto out;
 }
+ if ((cert = cert_parse_ee_cert(fn, *x509)) == NULL)
+ goto out;
+
 return p.res;
 out:
 gbr_free(p.res);
 X509_free(*x509);
 *x509 = NULL;
+ cert_free(cert);
 return NULL;
 }
diff --git a/usr.sbin/rpki-client/mft.c b/usr.sbin/rpki-client/mft.c
index 75ad639d8d3..2f4761e0228 100644
--- a/usr.sbin/rpki-client/mft.c
+++ b/usr.sbin/rpki-client/mft.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mft.c,v 1.94 2023/06/07 10:46:34 job Exp $ */
+/* $OpenBSD: mft.c,v 1.95 2023/06/20 12:39:50 job Exp $ */
 /*
 * Copyright (c) 2022 Theo Buehler
 * Copyright (c) 2019 Kristaps Dzonsons
@@ -353,6 +353,7 @@ struct mft *
 mft_parse(X509 **x509, const char *fn, const unsigned char *der, size_t len)
 {
 struct parse p;
+ struct cert *cert = NULL;
 int rc = 0;
 size_t cmsz;
 unsigned char *cms;
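Review bot: In the third gbr.c hunk the new `cert` is leaked on the success path: `cert_free(cert)` is added only under `out:`, which sits after `return p.res;`, so every GBR that passes `cert_parse_ee_cert()` returns without releasing the parsed cert. The fix is a single line, `cert_free(cert);` placed directly before `return p.res;`, which matches mft.c and tak.c in this same commit, where both outcomes fall through one exit and the free is reached either way. The parsed cert is not read anywhere in the visible lines, so it could equally be freed right after the NULL check. gbr_parse's body begins outside the hunk.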
@@ -418,6 +419,9 @@ mft_parse(X509 **x509, const char *fn, const unsigned char *der, size_t len)
 if (mft_parse_econtent(cms, cmsz, &p) == 0)
 goto out;
+ if ((cert = cert_parse_ee_cert(fn, *x509)) == NULL)
+ goto out;
+
 if (p.res->signtime > p.res->nextupdate) {
 warnx("%s: dating issue: CMS signing-time after MFT nextUpdate",
 fn);
@@ -433,6 +437,7 @@ out:
 *x509 = NULL;
 }
 free(crldp);
+ cert_free(cert);
 free(cms);
 return p.res;
 }
diff --git a/usr.sbin/rpki-client/tak.c b/usr.sbin/rpki-client/tak.c
index 4805fa0edd1..b841e9abcad 100644
--- a/usr.sbin/rpki-client/tak.c
+++ b/usr.sbin/rpki-client/tak.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tak.c,v 1.9 2023/06/07 10:46:34 job Exp $ */
+/* $OpenBSD: tak.c,v 1.10 2023/06/20 12:39:50 job Exp $ */
 /*
 * Copyright (c) 2022 Job Snijders
 * Copyright (c) 2022 Theo Buehler
@@ -228,6 +228,7 @@ struct tak *
 tak_parse(X509 **x509, const char *fn, const unsigned char *der, size_t len)
 {
 struct parse p;
+ struct cert *cert = NULL;
 unsigned char *cms;
 size_t cmsz;
 time_t signtime = 0;
@@ -272,6 +273,9 @@ tak_parse(X509 **x509, const char *fn, const unsigned char *der, size_t len)
 if (!tak_parse_econtent(cms, cmsz, &p))
 goto out;
+ if ((cert = cert_parse_ee_cert(fn, *x509)) == NULL)
+ goto out;
+
 if (strcmp(p.res->aki, p.res->current->ski) != 0) {
 warnx("%s: current TAKey's SKI does not match EE AKI", fn);
 goto out;
@@ -285,6 +289,7 @@ tak_parse(X509 **x509, const char *fn, const unsigned char *der, size_t len)
 X509_free(*x509);
 *x509 = NULL;
 }
+ cert_free(cert);
 free(cms);
 return p.res;
 }
-- 
2.20.1
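Review bot: In the mft_parse and tak_parse hunks the struct cert returned by `cert_parse_ee_cert()` is stored in `cert` but, in the visible lines, only ever handed to `cert_free()`; the call exists so that the parser's rejections fail the object through `goto out`, and nothing on the line `if ((cert = cert_parse_ee_cert(fn, *x509)) == NULL)` tells a reader that the result is intentionally discarded. A one-line comment above the call in both files (and in the matching gbr.c hunk) would make that explicit, e.g. `/* Parse the EE cert only so its version/KU/EKU checks run; the result is unused. */` — the commit message is the only place that names those checks, as cert_parse_ee_cert() itself is outside this diff. The placement is sound: a non-compliant EE certificate is rejected before the MFT dating check and before the TAK SKI/AKI comparison. Both function bodies begin and end outside these hunks.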