On Sat, Sep 03, 2022 at 01:08:35PM +0000, Job Snijders wrote:
> RPKI Trust Anchors (self-signed root certificates) MAY NOT contain
> 'inherit' elements in their RFC 3779 resource extensions according to
> RFC 6490 section 2.2.
>
> We could check way earlier on in the validation process whether the TA
> certificate conforms to this constraint. The below changeset moves the
> check from being applied on a 'struct cert' to applying on a 'struct X509'.
I'm not against this although I think it makes sense how it currently is.
It is not really that much earlier. We do ta_parse() and almost
immediately afterward valid_ta() in both paths.
In general, the split between parse and validate is not super clear cut,
and more of a result of how filemode was added.
> @@ -391,6 +391,34 @@ x509_inherits(X509 *x)
>
> rc = 1;
> out:
> + ASIdentifiers_free(asidentifiers);
> + sk_IPAddressFamily_pop_free(addrblk, IPAddressFamily_free);
> + return rc;
> +}
> +
> +/*
> + * Check whether at least one RFC 3779 extension is set to inherit.
> + * Return 1 if an inherit element is encountered in AS or IP.
> + * Return 0 otherwise.
> + */
> +int
> +x509_any_inherits(X509 *x)
> +{
> + STACK_OF(IPAddressFamily) *addrblk = NULL;
> + ASIdentifiers *asidentifiers = NULL;
> + int rc = 0;
> +
> + addrblk = X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL);
> + if (addrblk != NULL)
This NULL check is not needed. X509v3_addr_inherits() returns 0 on NULL.
> + if (X509v3_addr_inherits(addrblk))
> + rc = 1;
> +
> + asidentifiers = X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum, NULL,
> + NULL);
> + if (asidentifiers != NULL)
Same here.
> + if (X509v3_asid_inherits(asidentifiers))
> + rc = 1;
> +
> ASIdentifiers_free(asidentifiers);
> sk_IPAddressFamily_pop_free(addrblk, IPAddressFamily_free);
> return rc;
>
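Review bot: both X509_get_ext_d2i() calls in the new x509_any_inherits() pass NULL for the crit argument, so an RFC 3779 extension that is present but fails to decode comes back as NULL exactly like an absent one, and the function then returns 0 for a TA with a malformed extension as if it simply had no inherit element. That is fine only if the later 'struct cert' parsing is guaranteed to reject such a certificate; if this check is meant to stand on its own, pass an int for crit and treat -2 (decode error) as a failure rather than as "no inherit". Also, the extension lookup and the two free calls are a verbatim copy of the tail of x509_inherits() directly above; a small helper that fetches both structures (or a shared cleanup path) would keep the two functions from drifting apart.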