From e6a231f03c6348b158d9a9b0faf6bcc7258d1411 Mon Sep 17 00:00:00 2001
From: tb
Date: Fri, 4 Nov 2022 23:52:59 +0000
Subject: [PATCH] Do not fail on non-rsync URIs in EE cert SIA extensions

The spec allows multiple accessMethod entries, ordered by preference. While an rsync URI must be present, others are allowed. Do not fail in that situation and pick the first rsync URI encountered. The logic is very similar to the one in x509_get_crl().

ok job
---
 usr.sbin/rpki-client/x509.c | 35 ++++++++++++++++++++++++-----------
 1 file changed, 24 insertions(+), 11 deletions(-)

diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c
index 4276588ab19..a489189eb47 100644
--- a/usr.sbin/rpki-client/x509.c
+++ b/usr.sbin/rpki-client/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.55 2022/11/04 23:42:56 tb Exp $ */
+/* $OpenBSD: x509.c,v 1.56 2022/11/04 23:52:59 tb Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler
  * Copyright (c) 2021 Claudio Jeker
@@ -386,7 +386,7 @@ x509_get_sia(X509 *x, const char *fn, char **sia)
 	ACCESS_DESCRIPTION *ad;
 	AUTHORITY_INFO_ACCESS *info;
 	ASN1_OBJECT *oid;
-	int i, crit, rc = 0;
+	int i, crit, rsync_found = 0;
 
 	*sia = NULL;
 
@@ -420,16 +420,26 @@ x509_get_sia(X509 *x, const char *fn, char **sia)
 			continue;
 		}
 
-		/* XXX: correctly deal with other (non-rsync) protocols. */
-		if (!x509_location(fn, "SIA: signedObject", "rsync://",
-		    ad->location, sia))
+		/* Don't fail on non-rsync URI, so check this afterward. */
+		if (!x509_location(fn, "SIA: signedObject", NULL, ad->location,
+		    sia))
 			goto out;
+
+		if (rsync_found)
+			continue;
+
+		if (strncasecmp(*sia, "rsync://", 8) == 0) {
+			rsync_found = 1;
+			continue;
+		}
+
+		free(*sia);
+		*sia = NULL;
 	}
 
-	rc = 1;
 out:
 	AUTHORITY_INFO_ACCESS_free(info);
-	return rc;
+	return rsync_found;
 }
 
 /*
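Review bot: The `if (rsync_found) continue;` guard in x509_get_sia() sits after the x509_location() call, so once an rsync URI has been stored in *sia every later signedObject entry is still handed to x509_location() with a non-NULL *sia. If x509_location() treats an already-set output as a duplicate and fails (its body is not in this patch, so this is inferred), a certificate that lists a further URI after the rsync one is rejected, which is the very case the commit sets out to accept; moving the two lines `if (rsync_found)` / `continue;` above the x509_location() call avoids that. Separately, with this ordering a failure of x509_location() after rsync_found is set returns 0 while *sia still holds the allocated rsync URI, unlike the old code where a 0 return always left *sia NULL; either free *sia under `out:` when returning 0 or state in the function comment that callers must free *sia on failure. The body of x509_get_sia() begins outside this hunk.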
@@ -537,7 +547,7 @@ x509_get_crl(X509 *x, const char *fn, char **crl)
 	DIST_POINT *dp;
 	GENERAL_NAMES *names;
 	GENERAL_NAME *name;
-	int i, crit, rc = 0;
+	int i, crit, rsync_found = 0;
 
 	*crl = NULL;
 	crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, &crit, NULL);
@@ -572,14 +582,17 @@ x509_get_crl(X509 *x, const char *fn, char **crl)
 		names = dp->distpoint->name.fullname;
 		for (i = 0; i < sk_GENERAL_NAME_num(names); i++) {
 			name = sk_GENERAL_NAME_value(names, i);
-			/* Don't warn on non-rsync URI, so check this afterward. */
+
+			/* Don't fail on non-rsync URI, so check this afterward. */
 			if (!x509_location(fn, "CRL distribution point", NULL,
 			    name, crl))
 				goto out;
+
 			if (strncasecmp(*crl, "rsync://", 8) == 0) {
-				rc = 1;
+				rsync_found = 1;
 				goto out;
 			}
+
 			free(*crl);
 			*crl = NULL;
 		}
@@ -589,7 +602,7 @@ x509_get_crl(X509 *x, const char *fn, char **crl)
 
 out:
 	CRL_DIST_POINTS_free(crldp);
-	return rc;
+	return rsync_found;
 }
 
 /*
-- 
2.20.1