RPKI Trust Anchors (self-signed root certificates) MAY NOT contain
'inherit' elements in their RFC 3779 resource extensions according to
RFC 6490 section 2.2.
We could check way earlier on in the validation process whether the TA
certificate conforms to this constraint. The below changeset moves the
check from be applied on a 'struct cert'; to apply on a 'struct X509'.
Kind regards,
Job
Index: cert.c
===
RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v
retrieving revision 1.86
diff -u -p -r1.86 cert.c
--- cert.c 3 Sep 2022 13:01:43 - 1.86
+++ cert.c 3 Sep 2022 13:07:06 -
@@ -861,6 +861,10 @@ ta_parse(const char *fn, struct cert *p,
warnx("%s: BGPsec cert cannot be a trust anchor", fn);
goto badcert;
}
+ if (x509_any_inherits(p->x509)) {
+ warnx("%s: Trust anchor IP/AS resources may not inherit", fn);
+ goto badcert;
+ }
EVP_PKEY_free(pk);
return p;
Index: extern.h
===
RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v
retrieving revision 1.153
diff -u -p -r1.153 extern.h
--- extern.h2 Sep 2022 19:10:36 - 1.153
+++ extern.h3 Sep 2022 13:07:06 -
@@ -710,6 +710,7 @@ char*x509_convert_seqnum(const char *,
int x509_location(const char *, const char *, const char *,
GENERAL_NAME *, char **);
int x509_inherits(X509 *);
+int x509_any_inherits(X509 *);
/* printers */
char *time2str(time_t);
Index: validate.c
===
RCS file: /cvs/src/usr.sbin/rpki-client/validate.c,v
retrieving revision 1.43
diff -u -p -r1.43 validate.c
--- validate.c 3 Sep 2022 13:01:43 - 1.43
+++ validate.c 3 Sep 2022 13:07:06 -
@@ -106,28 +106,12 @@ valid_ski_aki(const char *fn, struct aut
}
/*
- * Authenticate a trust anchor by making sure its resources are not
- * inheriting and that the SKI is unique.
+ * Validate a trust anchor by making sure that the SKI is unique.
* Returns 1 if valid, 0 otherwise.
*/
int
valid_ta(const char *fn, struct auth_tree *auths, const struct cert *cert)
{
- size_t i;
-
- /* AS and IP resources must not inherit. */
- if (cert->asz && cert->as[0].type == CERT_AS_INHERIT) {
- warnx("%s: RFC 6487 (trust anchor): "
- "inheriting AS resources", fn);
- return 0;
- }
- for (i = 0; i < cert->ipsz; i++)
- if (cert->ips[i].type == CERT_IP_INHERIT) {
- warnx("%s: RFC 6487 (trust anchor): "
- "inheriting IP resources", fn);
- return 0;
- }
-
/* SKI must not be a dupe. */
if (auth_find(auths, cert->ski) != NULL) {
warnx("%s: RFC 6487: duplicate SKI", fn);
Index: x509.c
===
RCS file: /cvs/src/usr.sbin/rpki-client/x509.c,v
retrieving revision 1.49
diff -u -p -r1.49 x509.c
--- x509.c 3 Sep 2022 13:06:15 - 1.49
+++ x509.c 3 Sep 2022 13:07:06 -
@@ -352,7 +352,7 @@ x509_get_expire(X509 *x, const char *fn,
}
/*
- * Check whether the RFC 3779 extensions are set to inherit.
+ * Check whether all RFC 3779 extensions are set to inherit.
* Return 1 if both AS & IP are set to inherit.
* Return 0 on failure (such as missing extensions or no inheritance).
*/
@@ -391,6 +391,34 @@ x509_inherits(X509 *x)
rc = 1;
out:
+ ASIdentifiers_free(asidentifiers);
+ sk_IPAddressFamily_pop_free(addrblk, IPAddressFamily_free);
+ return rc;
+}
+
+/*
+ * Check whether at least one RFC 3779 extension is set to inherit.
+ * Return 1 if an inherit element is encountered in AS or IP.
+ * Return 0 otherwise.
+ */
+int
+x509_any_inherits(X509 *x)
+{
+ STACK_OF(IPAddressFamily) *addrblk = NULL;
+ ASIdentifiers *asidentifiers = NULL;
+ int rc = 0;
+
+ addrblk = X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL);
+ if (addrblk != NULL)
+ if (X509v3_addr_inherits(addrblk))
+ rc = 1;
+
+ asidentifiers = X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum, NULL,
+ NULL);
+ if (asidentifiers != NULL)
+ if (X509v3_asid_inherits(asidentifiers))
+ rc = 1;
+
ASIdentifiers_free(asidentifiers);
sk_IPAddressFamily_pop_free(addrblk, IPAddressFamily_free);
return rc;