On Sat, Jan 22, 2022 at 02:49:24PM +0100, Theo Buehler wrote:
> On Sat, Jan 22, 2022 at 01:29:19PM +0000, Job Snijders wrote:
> > On Sat, Jan 22, 2022 at 11:16:14AM +0100, Theo Buehler wrote:
> > > +The error indicates that this is not the case or that the leaf tries
> > > +to inherit resources that the trust anchor itself inherits.
> > 
> > I am unable to understand the second part of the sentence: a leaf
> > inheriting resources that the trust anchor inherits?
> > 
> > AFAIK RPKI (and thus RFC 3779) trust anchors are not permitted to use
> > 'inherit': they have to explicitly specify the list of ASNs and/or prefixes
> > that are considered subordinate.
> 
> Yes, I agree. This is handled correctly for AS numbers, but for
> IP addresses the current behavior is what I document.
> 
> > Can you elaborate?
> 
> It is what the code currently checks after 'Trust anchor can't inherit'
> comment in x509_addr.c addr_validate_path_internal(). The trust anchor
> is permitted to have inheritance, just not for resources that cover
> resources in the leaf.

The diff below would be what we both expect, but it means we diverge
from OpenSSL's behavior.

Index: x509/x509_addr.c
===================================================================
RCS file: /cvs/src/lib/libcrypto/x509/x509_addr.c,v
retrieving revision 1.76
diff -u -p -r1.76 x509_addr.c
--- x509/x509_addr.c    6 Jan 2022 14:08:15 -0000       1.76
+++ x509/x509_addr.c    22 Jan 2022 14:05:27 -0000
@@ -1899,9 +1899,6 @@ addr_validate_path_internal(X509_STORE_C
                        if (IPAddressFamily_inheritance(parent_af) == NULL)
                                continue;
 
-                       if (sk_IPAddressFamily_find(child, parent_af) < 0)
-                               continue;
-
                        if ((ret = verify_error(ctx, cert,
                            X509_V_ERR_UNNESTED_RESOURCE, depth)) == 0)
                                goto done;
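Review bot: removing the sk_IPAddressFamily_find(child, parent_af) check means every inherited address family in the trust anchor now produces X509_V_ERR_UNNESTED_RESOURCE, including families the leaf never carries, so a chain that verified before can fail purely because of the trust anchor's own extension even though no nesting violation occurred. Since the mail states this diverges from OpenSSL, the intent (RFC 3779 trust anchors must not use 'inherit') should be recorded in the commit message, and a short comment next to the remaining `if (IPAddressFamily_inheritance(parent_af) == NULL)` / `continue;` would make clear that the stricter rule is deliberate rather than a dropped condition; it may also be worth considering whether a nesting error code is the clearest way to report a trust anchor that inherits.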
Index: man/X509_STORE_CTX_get_error.3
===================================================================
RCS file: /cvs/src/lib/libcrypto/man/X509_STORE_CTX_get_error.3,v
retrieving revision 1.20
diff -u -p -r1.20 X509_STORE_CTX_get_error.3
--- man/X509_STORE_CTX_get_error.3      17 Nov 2021 16:08:32 -0000      1.20
+++ man/X509_STORE_CTX_get_error.3      22 Jan 2022 14:06:25 -0000
@@ -509,6 +509,13 @@ A name constraint violation occurred in 
  No name constraints minimum and maximum not supported
 A certificate name constraints extension included a minimum or maximum
 field: this is not supported.
+.It Dv X509_V_ERR_UNNESTED_RESOURCE : \
+ RFC 3779 resource not subset of parent's resources
+When walking up a certificate chain, all resources specified in
+RFC 3779 extensions must be contained in the resources delegated in
+the issuer's RFC 3779 extensions.
+The error indicates that this is not the case or that the trust anchor
+has inheritance.
 .It Dv X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE : \
  No unsupported name constraint type
 An unsupported name constraint type was encountered.
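Review bot: the added sentence "or that the trust anchor has inheritance" describes the code only together with the x509_addr.c hunk in this diff; if the manual page were committed on its own, it would overstate the current behaviour, which rejects trust anchor inheritance only for families the leaf also carries. "has inheritance" is also rather loose for a manual page; something like "or that the trust anchor uses 'inherit' for an address family" would match the RFC 3779 terminology the rest of the entry relies on.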

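To make the check under discussion concrete, here is a simplified Python model of the RFC 3779 IP-resource walk that addr_validate_path_internal() performs; it was written for this thread and is not libcrypto code. Certificate extensions are modelled as dicts, every certificate is assumed to carry the extension, and the old_behaviour flag reproduces the sk_IPAddressFamily_find() check the diff removes.

```python
# Simplified model of the RFC 3779 IP-resource walk performed by
# addr_validate_path_internal(); written for this thread, not libcrypto code.
# A chain is a list of certificates from leaf to trust anchor. Each
# certificate is a dict mapping an address family ("ipv4"/"ipv6") to either
# INHERIT or a list of prefixes. Every certificate is assumed to carry the
# extension (the real code also handles certificates without it).
import ipaddress

INHERIT = "inherit"
UNNESTED = "X509_V_ERR_UNNESTED_RESOURCE"

def _covers(parent_prefixes, child_prefixes):
    """True when every child prefix lies inside some parent prefix."""
    parents = [ipaddress.ip_network(p) for p in parent_prefixes]
    return all(any(ipaddress.ip_network(c).subnet_of(p) for p in parents)
               for c in child_prefixes)

def validate_chain(chain, old_behaviour=False):
    """Return None on success or the name of the verify error.

    old_behaviour=True reproduces the check the diff removes: inheritance
    in the trust anchor is only rejected for address families that the
    leaf's extension also carries. The default rejects any inheritance in
    the trust anchor."""
    child = dict(chain[0])  # resources the next certificate up must cover
    for cert in chain[1:]:
        for afi, resources in list(child.items()):
            if afi not in cert:  # issuer delegates nothing for this family
                return UNNESTED
            parent = cert[afi]
            if parent == INHERIT:  # keep looking further up the chain
                continue
            if resources == INHERIT or _covers(parent, resources):
                child[afi] = parent  # issuer's set now stands in for the child's
            else:
                return UNNESTED
    for afi, resources in chain[-1].items():  # trust anchor can't inherit
        if resources != INHERIT:
            continue
        if old_behaviour and afi not in child:
            continue
        return UNNESTED
    return None

# Constructed sample chains, leaf first and trust anchor last.
CHAIN_NESTED = [{"ipv4": ["10.0.0.0/24"]}, {"ipv4": INHERIT},
                {"ipv4": ["10.0.0.0/8", "192.0.2.0/24"]}]
CHAIN_UNNESTED = [{"ipv4": ["172.16.0.0/12"]}, {"ipv4": ["10.0.0.0/8"]}]
# Trust anchor inherits IPv6 although the leaf only holds IPv4: accepted
# before the diff, rejected after it.
CHAIN_TA_INHERITS = [{"ipv4": ["10.0.0.0/24"]},
                     {"ipv4": ["10.0.0.0/8"], "ipv6": INHERIT}]
```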