From cb94f1b5e7e5fbeefad134c139e9668f1e88355d Mon Sep 17 00:00:00 2001
From: tb
Date: Mon, 22 Aug 2022 10:25:58 +0000
Subject: [PATCH] An RSC's EE cert mustn't have a SIA extension

Explicitly forbidden in sections 2 and 5 of draft-ietf-sidrops-rpki-rsc-10. looks good to claudio
---
 usr.sbin/rpki-client/rsc.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/usr.sbin/rpki-client/rsc.c b/usr.sbin/rpki-client/rsc.c
index 4db9fc68a24..cc5a6644aab 100644
--- a/usr.sbin/rpki-client/rsc.c
+++ b/usr.sbin/rpki-client/rsc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsc.c,v 1.13 2022/08/19 12:45:53 tb Exp $ */
+/* $OpenBSD: rsc.c,v 1.14 2022/08/22 10:25:58 tb Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler
  * Copyright (c) 2022 Job Snijders
@@ -413,7 +413,10 @@ rsc_parse(X509 **x509, const char *fn, const unsigned char *der, size_t len)
 		goto out;
 	}
 
-	/* XXX - check that SIA is absent. */
+	if (X509_get_ext_by_NID(*x509, NID_sinfo_access, -1) != -1) {
+		warnx("%s: RSC: EE cert must not have an SIA extension", fn);
+		goto out;
+	}
 
 	if (!rsc_parse_econtent(cms, cmsz, &p))
 		goto out;
-- 
2.20.1
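Review bot: The new SIA check in the second hunk gives no reason for rejecting the certificate, so the justification from the commit message should sit next to the code; a comment such as `/* draft-ietf-sidrops-rpki-rsc-10, sections 2 and 5: an RSC EE cert must not carry an SIA extension. */` above the `if` would do. The comparison `!= -1` reads as "anything but not-found": as far as I recall X509_get_ext_by_NID returns -2 for an unknown NID, which cannot occur with the constant NID_sinfo_access, but `>= 0` states the intended condition (extension present) directly. rsc_parse starts and ends outside the hunk, so whether `*x509` is guaranteed non-NULL at this point cannot be confirmed here; the `goto out` on the hunk's first context line suggests an earlier failure path precedes the check.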