Index | Thread | Search

From:
Theo Buehler <tb@theobuehler.org>
Subject:
rpki-client: improve SIA handling
To:
tech@openbsd.org
Date:
Sun, 2 Jun 2024 16:56:51 +0200

Download raw body.

Thread 
The way I read 4.8.8.1 of RFC 6487, the current handling of the SIA
extension is not entirely correct for CA certs. We reject non-rsync URI
for the caRepository and rpkiManifest access methods while the spec only
requires that an rsync URI be present for both of them, not that all
URIs use the rsync scheme. So accept all valid URIs and retain the first
rsync one we encounter. If there's no rsync URI we will reject the cert.
In contrast, RFC 8182 3.2 only allows https URI for rpkiNotify.

Also make it clearer that sbgp_sia() is for CA certs and x509_get_sia()
for EE certs.

Index: cert.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v
diff -u -p -r1.132 cert.c
--- cert.c	31 May 2024 02:45:15 -0000	1.132
+++ cert.c	2 Jun 2024 14:34:56 -0000
@@ -495,7 +495,8 @@ sbgp_ipaddrblk(const char *fn, struct ce
 }
 
 /*
- * Parse "Subject Information Access" extension, RFC 6487 4.8.8.
+ * Parse "Subject Information Access" extension for a CA cert,
+ * RFC 6487, section 4.8.8.1 and RFC 8182, section 3.2.
  * Returns zero on failure, non-zero on success.
  */
 static int
@@ -525,13 +526,23 @@ sbgp_sia(const char *fn, struct cert *ce
 		oid = ad->method;
 
 		if (OBJ_cmp(oid, carepo_oid) == 0) {
-			if (!x509_location(fn, "SIA: caRepository",
-			    RSYNC_PROTO, ad->location, &cert->repo))
+			if (!x509_location(fn, "SIA: caRepository", NULL,
+			    ad->location, &cert->repo))
 				goto out;
+			if (strncasecmp(cert->repo, RSYNC_PROTO,
+			    RSYNC_PROTO_LEN) == 0)
+				continue;
+			free(cert->repo);
+			cert->repo = NULL;
 		} else if (OBJ_cmp(oid, manifest_oid) == 0) {
-			if (!x509_location(fn, "SIA: rpkiManifest",
-			    RSYNC_PROTO, ad->location, &cert->mft))
+			if (!x509_location(fn, "SIA: rpkiManifest", NULL,
+			    ad->location, &cert->mft))
 				goto out;
+			if (strncasecmp(cert->mft, RSYNC_PROTO,
+			    RSYNC_PROTO_LEN) == 0)
+				continue;
+			free(cert->mft);
+			cert->mft = NULL;
 		} else if (OBJ_cmp(oid, notify_oid) == 0) {
 			if (!x509_location(fn, "SIA: rpkiNotify",
 			    HTTPS_PROTO, ad->location, &cert->notify))
Index: x509.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/x509.c,v
diff -u -p -r1.90 x509.c
--- x509.c	31 May 2024 11:27:34 -0000	1.90
+++ x509.c	2 Jun 2024 14:13:14 -0000
@@ -467,8 +467,8 @@ out:
 }
 
 /*
- * Parse the Subject Information Access (SIA) extension
- * See RFC 6487, section 4.8.8 for details.
+ * Parse the Subject Information Access (SIA) extension for an EE cert.
+ * See RFC 6487, section 4.8.8.2 for details.
  * Returns NULL on failure, on success returns the SIA signedObject URI
  * (which has to be freed after use).
  */