CVSROOT:        /cvs
Module name:    src
Changes by:     t...@cvs.openbsd.org    2025/07/11 03:18:32

Modified files:
        usr.sbin/rpki-client: cert.c 

Log message:
rpki-client: check required presence/absence of extensions

cert_parse_extensions() keeps track of all the extensions expected in a
resource certificate. It is the natural place to check completeness
against RFC 6487, section 4.8 and RFC 8209, section 3.1.3. Some of this
is currently in cert_parse_pre(). Some of it in cert_parse(), ta_parse(),
or sprinkled throughout the signed object handlers.

As mentioned in the comment, the checks are deliberately kept simple-minded
and systematic. If an extension is present, the extension handler is
assumed to have checked that the extension is valid and the required info
is present, so we don't do much more than presence/absence except for a few
things where more than one extension is involved (e.g., ski vs aki,
presence of INRs).

Some of this wasn't checked at all (e.g., presence of a CRLDP for most
EE certs) or we left that to the X.509 validator (e.g., presence of the
certificate policy).

The last check on INRs in BGPsec router certs can be extended a bit. For
example, we can add checks there that TA and BGPsec router certs don't
inherit and perhaps add some other things like checking we have the
BRK. That's for later.

This essentially completes the reorganization and unification of the
cert parsing proper. We still have a few loose ends like issuer/subjects
having incomplete checks, but first I want to simplify a few things and
then finally remove some of the duplication (the bulk of the x509_* API
can soon be deleted).

ok job

Reply via email to