rpki-client portable makes sure that libcrypto has RFC 3779 support.
Therefore the X509_verify_cert() call in valid_x509() will already
perform the checks that the RFC 3779 extensions are covered along the
chain. While valid_cert()'s errors would be nicer than the validator's,
they can't be reached anymore.

The check that a BGPsec cert's AS numbers must not be inherited can be
done in cert_parse_pre() like most of the other checks for BGPsec certs.

With the removal of valid_cert(), valid_as() and valid_ip() are unused
and can also go.

Index: cert.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v
retrieving revision 1.85
diff -u -p -r1.85 cert.c
--- cert.c      19 Aug 2022 12:45:53 -0000      1.85
+++ cert.c      22 Aug 2022 09:52:07 -0000
@@ -736,6 +736,13 @@ cert_parse_pre(const char *fn, const uns
                            p.fn);
                        goto out;
                }
+               for (i = 0; i < p.res->asz; i++) {
+                       if (p.res->as[i].type == CERT_AS_INHERIT) {
+                               warnx("%s: inherited AS numbers in BGPsec cert",
+                                   p.fn);
+                               goto out;
+                       }
+               }
                if (sia_present) {
                        warnx("%s: unexpected SIA extension in BGPsec cert",
                            p.fn);
Index: filemode.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/filemode.c,v
retrieving revision 1.8
diff -u -p -r1.8 filemode.c
--- filemode.c  19 Aug 2022 12:45:53 -0000      1.8
+++ filemode.c  19 Aug 2022 19:53:17 -0000
@@ -168,8 +168,7 @@ parse_load_certchain(char *uri)
                uri = filestack[i];
 
                crl = crl_get(&crlt, a);
-               if (!valid_x509(uri, ctx, cert->x509, a, crl, 0) ||
-                   !valid_cert(uri, a, cert))
+               if (!valid_x509(uri, ctx, cert->x509, a, crl, 0))
                        goto fail;
                cert->talid = a->cert->talid;
                a = auth_insert(&auths, cert, a);
Index: parser.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/parser.c,v
retrieving revision 1.74
diff -u -p -r1.74 parser.c
--- parser.c    19 Aug 2022 12:45:53 -0000      1.74
+++ parser.c    19 Aug 2022 19:52:53 -0000
@@ -404,8 +404,7 @@ proc_parser_cert(char *file, const unsig
        a = valid_ski_aki(file, &auths, cert->ski, cert->aki);
        crl = crl_get(&crlt, a);
 
-       if (!valid_x509(file, ctx, cert->x509, a, crl, 0) ||
-           !valid_cert(file, a, cert)) {
+       if (!valid_x509(file, ctx, cert->x509, a, crl, 0)) {
                cert_free(cert);
                return NULL;
        }
Index: validate.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/validate.c,v
retrieving revision 1.41
diff -u -p -r1.41 validate.c
--- validate.c  19 Aug 2022 12:45:53 -0000      1.41
+++ validate.c  19 Aug 2022 19:52:22 -0000
@@ -33,56 +33,6 @@
 extern ASN1_OBJECT     *certpol_oid;
 
 /*
- * Walk up the chain of certificates trying to match our AS number to
- * one of the allocations in that chain.
- * Returns 1 if covered or 0 if not.
- */
-static int
-valid_as(struct auth *a, uint32_t min, uint32_t max)
-{
-       int      c;
-
-       if (a == NULL)
-               return 0;
-
-       /* Does this certificate cover our AS number? */
-       c = as_check_covered(min, max, a->cert->as, a->cert->asz);
-       if (c > 0)
-               return 1;
-       else if (c < 0)
-               return 0;
-
-       /* If it inherits, walk up the chain. */
-       return valid_as(a->parent, min, max);
-}
-
-/*
- * Walk up the chain of certificates (really just the last one, but in
- * the case of inheritance, the ones before) making sure that our IP
- * prefix is covered in the first non-inheriting specification.
- * Returns 1 if covered or 0 if not.
- */
-static int
-valid_ip(struct auth *a, enum afi afi,
-    const unsigned char *min, const unsigned char *max)
-{
-       int      c;
-
-       if (a == NULL)
-               return 0;
-
-       /* Does this certificate cover our IP prefix? */
-       c = ip_addr_check_covered(afi, min, max, a->cert->ips, a->cert->ipsz);
-       if (c > 0)
-               return 1;
-       else if (c < 0)
-               return 0;
-
-       /* If it inherits, walk up the chain. */
-       return valid_ip(a->parent, afi, min, max);
-}
-
-/*
  * Make sure that the SKI doesn't already exist and return the parent by
  * its AKI.
  * Returns the parent auth or NULL on failure.
@@ -131,65 +81,6 @@ valid_ta(const char *fn, struct auth_tre
        /* SKI must not be a dupe. */
        if (auth_find(auths, cert->ski) != NULL) {
                warnx("%s: RFC 6487: duplicate SKI", fn);
-               return 0;
-       }
-
-       return 1;
-}
-
-/*
- * Validate a non-TA certificate: make sure its IP and AS resources are
- * fully covered by those in the authority key (which must exist).
- * Returns 1 if valid, 0 otherwise.
- */
-int
-valid_cert(const char *fn, struct auth *a, const struct cert *cert)
-{
-       size_t           i;
-       uint32_t         min, max;
-       char             buf1[64], buf2[64];
-
-       for (i = 0; i < cert->asz; i++) {
-               if (cert->as[i].type == CERT_AS_INHERIT) {
-                       if (cert->purpose == CERT_PURPOSE_BGPSEC_ROUTER)
-                               return 0; /* BGPsec doesn't permit inheriting */
-                       continue;
-               }
-               min = cert->as[i].type == CERT_AS_ID ?
-                   cert->as[i].id : cert->as[i].range.min;
-               max = cert->as[i].type == CERT_AS_ID ?
-                   cert->as[i].id : cert->as[i].range.max;
-               if (valid_as(a, min, max))
-                       continue;
-               warnx("%s: RFC 6487: uncovered AS: "
-                   "%u--%u", fn, min, max);
-               return 0;
-       }
-
-       for (i = 0; i < cert->ipsz; i++) {
-               if (valid_ip(a, cert->ips[i].afi, cert->ips[i].min,
-                   cert->ips[i].max))
-                       continue;
-               switch (cert->ips[i].type) {
-               case CERT_IP_RANGE:
-                       ip_addr_print(&cert->ips[i].range.min,
-                           cert->ips[i].afi, buf1, sizeof(buf1));
-                       ip_addr_print(&cert->ips[i].range.max,
-                           cert->ips[i].afi, buf2, sizeof(buf2));
-                       warnx("%s: RFC 6487: uncovered IP: "
-                           "%s--%s", fn, buf1, buf2);
-                       break;
-               case CERT_IP_ADDR:
-                       ip_addr_print(&cert->ips[i].ip,
-                           cert->ips[i].afi, buf1, sizeof(buf1));
-                       warnx("%s: RFC 6487: uncovered IP: "
-                           "%s", fn, buf1);
-                       break;
-               case CERT_IP_INHERIT:
-                       warnx("%s: RFC 6487: uncovered IP: "
-                           "(inherit)", fn);
-                       break;
-               }
                return 0;
        }
 

Reply via email to