From c39877f08d2607e7a4e3f0d5b9a815ef4006c9b3 Mon Sep 17 00:00:00 2001
From: tb
Date: Fri, 4 Nov 2022 23:42:56 +0000
Subject: [PATCH] In very verbose mode, log unexpected accessMethods

While RFC 6487, 4.8.2.2 is very explicit about allowing id-ad-signedObject as the only accessMethod, the clear language was lost during the RFC 8182 editing process. APNIC, TWNIC and JPNIC and a few others are currently known to have an id-ad-rpkiNotify.

The verbose logging allows us to check the ecosystem while waiting for the point in time where we can turn this into an error.

See also https://www.rfc-editor.org/errata/eid7239.

ok job
---
 usr.sbin/rpki-client/x509.c | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c
index efa9d691a38..4276588ab19 100644
--- a/usr.sbin/rpki-client/x509.c
+++ b/usr.sbin/rpki-client/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.54 2022/11/04 09:43:13 job Exp $ */
+/* $OpenBSD: x509.c,v 1.55 2022/11/04 23:42:56 tb Exp $ */
 /*
 * Copyright (c) 2022 Theo Buehler
 * Copyright (c) 2021 Claudio Jeker
@@ -400,16 +400,25 @@ x509_get_sia(X509 *x, const char *fn, char **sia)
 goto out;
 }
 
- /*
- * RFC 6487 4.8.8.2 disallows other accessMethods, however they
- * do exist in the wild.
- */
 for (i = 0; i < sk_ACCESS_DESCRIPTION_num(info); i++) {
 ad = sk_ACCESS_DESCRIPTION_value(info, i);
 oid = ad->method;
 
- if (OBJ_cmp(oid, signedobj_oid) != 0)
+ /*
+ * XXX: RFC 6487 4.8.8.2 disallows other accessMethods, however
+ * they do exist in the wild. Consider making this an error.
+ * See also https://www.rfc-editor.org/errata/eid7239.
+ */
+ if (OBJ_cmp(oid, signedobj_oid) != 0) {
+ if (verbose > 1) {
+ char buf[128];
+
+ OBJ_obj2txt(buf, sizeof(buf), oid, 0);
+ warnx("%s: RFC 6487 section 4.8.8.2: unexpected"
+ " accessMethod: %s", fn, buf);
+ }
 continue;
+ }
 
 /* XXX: correctly deal with other (non-rsync) protocols. */
 if (!x509_location(fn, "SIA: signedObject", "rsync://",
-- 
2.20.1
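Review bot: The return value of OBJ_obj2txt() in the new `verbose > 1` branch is discarded, so an accessMethod OID whose textual form does not fit in the 128-byte `buf` is logged silently truncated, which undermines the stated purpose of surveying what the ecosystem actually carries; OBJ_obj2txt() returns the length the full string needs, so `if (OBJ_obj2txt(buf, sizeof(buf), oid, 0) >= (int)sizeof(buf)) warnx("%s: accessMethod OID text truncated", fn);` (or a larger buffer) would make truncation visible in the log. Passing `0` as the last argument also prints a known OID as the library's long name rather than its dotted numeric form, so the string that lands in the logs depends on the linked libcrypto's object table; `1` would give a stable numeric string for later comparison. The commit message cites RFC 6487 section 4.8.2.2 while the new comment and the warnx() text say 4.8.8.2; presumably the code is the correct one. x509_get_sia() begins before and continues after this hunk.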