CVSROOT: /cvs Module name: src Changes by: t...@cvs.openbsd.org 2025/07/11 03:18:32
Modified files: usr.sbin/rpki-client: cert.c Log message: rpki-client: check required presence/absence of extensions cert_parse_extensions() keeps track of all the extensions expected in a resource certificate. It is the natural place to check completeness against RFC 6487, section 4.8 and RFC 8209, section 3.1.3. Some of this is currently in cert_parse_pre(). Some of it in cert_parse(), ta_parse(), or sprinkled throughout the signed object handlers. As mentioned in the comment, the checks are deliberately kept simple-minded and systematic. If an extension is present, the extension handler is assumed to have checked that the extension is valid and the required info is present, so we don't do much more than presence/absence except for a few things where more than one extension is involved (e.g., ski vs aki, presence of INRs). Some of this wasn't checked at all (e.g., presence of a CRLDP for most EE certs) or we left that to the X.509 validator (e.g., presence of the certificate policy). The last check on INRs in BGPsec router certs can be extended a bit. For example, we can add checks there that TA and BGPsec router certs don't inherit and perhaps add some other things like checking we have the BRK. That's for later. This essentially completes the reorganization and unification of the cert parsing proper. We still have a few loose ends like issuer/subjects having incomplete checks, but first I want to simplify a few things and then finally remove some of the duplication (the bulk of the x509_* API can soon be deleted). ok job