On Sat, Sep 03, 2022 at 01:08:35PM +0000, Job Snijders wrote:
> RPKI Trust Anchors (self-signed root certificates) MAY NOT contain
> 'inherit' elements in their RFC 3779 resource extensions according to
> RFC 6490 section 2.2.
>
> We could check way earlier on in the validation process whether the TA
> certificate conforms to this constraint. The below changeset moves the
> check from being applied on a 'struct cert' to being applied on a 'struct X509'.
I'm not against this although I think it makes sense how it currently is. It is not really that much earlier. We do ta_parse() and almost immediately afterward valid_ta() in both paths. In general, the split between parse and validate is not super clear cut, and more of a result of how filemode was added.

> @@ -391,6 +391,34 @@ x509_inherits(X509 *x) > > rc = 1; > out: > + ASIdentifiers_free(asidentifiers); > + sk_IPAddressFamily_pop_free(addrblk, IPAddressFamily_free); > + return rc; > +} > + > +/* > + * Check whether at least one RFC 3779 extension is set to inherit. > + * Return 1 if an inherit element is encountered in AS or IP. > + * Return 0 otherwise. > + */ > +int > +x509_any_inherits(X509 *x) > +{ > + STACK_OF(IPAddressFamily) *addrblk = NULL; > + ASIdentifiers *asidentifiers = NULL; > + int rc = 0; > + > + addrblk = X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL); > + if (addrblk != NULL) This NULL check is not needed. X509v3_addr_inherits() returns 0 on NULL. > + if (X509v3_addr_inherits(addrblk)) > + rc = 1; > + > + asidentifiers = X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum, NULL, > + NULL); > + if (asidentifiers != NULL) Same here. > + if (X509v3_asid_inherits(asidentifiers)) > + rc = 1; > + > ASIdentifiers_free(asidentifiers); > sk_IPAddressFamily_pop_free(addrblk, IPAddressFamily_free); > return rc; >
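Review bot: with the two redundant `!= NULL` guards dropped (X509v3_addr_inherits() and X509v3_asid_inherits() already handle NULL, as noted inline), x509_any_inherits() is the same extract-both-extensions-then-free skeleton as x509_inherits() directly above it, differing only in the predicate applied; the hunk makes this visible by splicing the new function's body in front of the existing `ASIdentifiers_free(asidentifiers); sk_IPAddressFamily_pop_free(addrblk, IPAddressFamily_free); return rc;` tail and re-adding that tail to x509_inherits(). Consider a single helper that decodes NID_sbgp_ipAddrBlock and NID_sbgp_autonomousSysNum once and takes the all/any predicate as a parameter, or at least have x509_any_inherits() stop after the IP block sets `rc = 1` instead of also decoding the AS extension it no longer needs.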