CVSROOT: /cvs
Module name: src
Changes by: t...@cvs.openbsd.org 2022/08/19 06:45:53
Modified files:
usr.sbin/rpki-client: cert.c extern.h filemode.c parser.c roa.c
rsc.c validate.c
Log message:
Check the resources in ROAs and RSCs against EE certs
The resources delegated in the RFC 3779 extensions of the EE cert for
ROAs or RSCs can be a subset of the resources in the auth chain. So far
we compared that the resources of ROAs and RSCs are covered by the auth
chain, which is not entirely correct. Extract the necessary data from
the EE cert into rpki-client's own data structures, then verify that
the EE cert's resources cover the ones claimed in the ROA or RSC.
Do this as part or ROA and RSC parsing, that the EE cert's resources are
covered by the auth chain is checked in valid_x509() later on.
All this is a bit more annoying and intrusive than it should be...
ok claudio job
