On Wed, Aug 10, 2022 at 01:58:14PM +0000, Job Snijders wrote:
> Hi,
>
> The ROA specification (RFC 6482 § 4) is a bit underspecified, but in the
> wild the RFC 3779 AS Resources extension never ever appears on ROA EE
> certificates, as it serves no purpose in the validation process. I've
> seen it happen once, in the past, which was a CA mistake.
>
> Related reading material in the 3779 space:
>
> The BGPSec profile (RFC 8209 § 3.1.3.4) is better in this regard: it
> explicitly forbids NID_sbgp_ipAddrBlock from being present (rpki-client
> checks this), and the upcoming ASPA RFC will also be less ambiguous,
> ASPA forbids NID_sbgp_ipAddrBlock too (my WIP ASPA code checks this).
>
> OK?
I'm fine with adding such a check. See below.
>
> Kind regards,
>
> Job
>
> Index: roa.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/roa.c,v
> retrieving revision 1.47
> diff -u -p -r1.47 roa.c
> --- roa.c 10 Jun 2022 10:36:43 -0000 1.47
> +++ roa.c 10 Aug 2022 13:49:58 -0000
> @@ -229,6 +229,12 @@ roa_parse(X509 **x509, const char *fn, c
> goto out;
> }
>
> + if (X509_get_ext_d2i(*x509, NID_sbgp_autonomousSysNum, NULL, NULL)
> + != NULL) {
The pointer returned by X509_get_ext_d2i() needs to be freed, so this
would leak. You can check presence of an extension without allocating as
follows:
if (X509_get_ext_by_NID(*x509, NID_sbgp_autonomousSysNum, -1) != -1) {
> + warnx("%s: superfluous AS Resources extension present", fn);
> + goto out;
> + }
> +
> at = X509_get0_notAfter(*x509);
> if (at == NULL) {
> warnx("%s: X509_get0_notAfter failed", fn);
>
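Review bot: the ASN1 structure returned by X509_get_ext_d2i() in the added check is heap-allocated and never freed, so every ROA EE certificate that does carry the AS Resources extension leaks it before the `goto out`. The check only needs to know whether the extension is present, so the non-allocating index lookup `if (X509_get_ext_by_NID(*x509, NID_sbgp_autonomousSysNum, -1) != -1)` is the better fit; it also rejects an extension that is present but fails to decode, a case X509_get_ext_d2i() reports as NULL and this hunk would silently accept.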