On Fri, Aug 19, 2022 at 05:03:30PM +0200, Theo Buehler wrote:
> This implements this bit from section 2 (also mentioned in section 5) of
> the latest RSC draft:
>
> because RSCs MUST NOT be distributed through the
> global RPKI Repository system, the Subject Information Access (SIA)
> extension MUST be omitted from the RSC's X.509 End-Entity (EE)
> certificate.
>
> Index: rsc.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/rsc.c,v
> retrieving revision 1.13
> diff -u -p -r1.13 rsc.c
> --- rsc.c 19 Aug 2022 12:45:53 -0000 1.13
> +++ rsc.c 19 Aug 2022 14:57:20 -0000
> @@ -413,7 +413,10 @@ rsc_parse(X509 **x509, const char *fn, c
> goto out;
> }
>
> - /* XXX - check that SIA is absent. */
> + if (X509_get_ext_by_NID(*x509, NID_sinfo_access, -1) != -1) {
> + warnx("%s: RSC: EE cert must not have an SIA extension", fn);
> + goto out;
> + }
>
> if (!rsc_parse_econtent(cms, cmsz, &p))
> goto out;
>
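Review bot: the presence test `X509_get_ext_by_NID(*x509, NID_sinfo_access, -1) != -1` treats every non-(-1) return as "SIA present", but X509_get_ext_by_NID() also returns -2 when the NID cannot be resolved to an object; NID_sinfo_access is a built-in NID so that cannot occur here, yet `>= 0` (an index was found) states the intent exactly and keeps the check correct if the lookup ever fails. The rejection itself is right and the warnx text matches the draft's MUST; it may be worth confirming that the generic EE-certificate parser run earlier does not already accept and record an SIA for this cert before rsc_parse() reaches this point, so that the RSC-specific check is the one that fires.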
Looks good to me.
--
:wq Claudio