This implements this bit from section 2 (also mentioned in section 5) of
the latest RSC draft:
    because RSCs MUST NOT be distributed through the
    global RPKI Repository system, the Subject Information Access (SIA)
    extension MUST be omitted from the RSC's X.509 End-Entity (EE)
    certificate.
Index: rsc.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/rsc.c,v
retrieving revision 1.13
diff -u -p -r1.13 rsc.c
--- rsc.c 19 Aug 2022 12:45:53 -0000 1.13
+++ rsc.c 19 Aug 2022 14:57:20 -0000
@@ -413,7 +413,10 @@ rsc_parse(X509 **x509, const char *fn, c
goto out;
}
- /* XXX - check that SIA is absent. */
+ if (X509_get_ext_by_NID(*x509, NID_sinfo_access, -1) != -1) {
+ warnx("%s: RSC: EE cert must not have an SIA extension", fn);
+ goto out;
+ }
if (!rsc_parse_econtent(cms, cmsz, &p))
goto out;
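Review bot: the new presence test `X509_get_ext_by_NID(*x509, NID_sinfo_access, -1) != -1` rejects on any return other than -1, which also covers the -2 that X509_get_ext_by_NID() returns for an unknown NID; that cannot occur for the built-in NID_sinfo_access, but writing the condition as `>= 0` states the intended "extension found" test directly and keeps the check independent of that detail. The warnx() text and the `goto out` on the error path match the surrounding handling, so no other change is needed in this hunk.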