rpki-client: extra check for invalid filename extensions in signed object EE certs?
Add a check whether the filename extension in the SIA makes some kind of
sense.
In non-filemode, the "mismatch between pathname and SIA" check would
already catch this type of mis-issued object, so this only applies
to filemode.
Inspired by https://rpki-notify.site/ test_cases.json
Helpful?
Index: x509.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/x509.c,v
diff -u -p -r1.105 x509.c
--- x509.c 3 Dec 2024 14:51:09 -0000 1.105
+++ x509.c 18 Jun 2025 19:13:53 -0000
@@ -640,6 +640,11 @@ x509_get_sia(X509 *x, const char *fn, ch
const char *p = sia + RSYNC_PROTO_LEN;
size_t fnlen, plen;
+ if (rtype_from_file_extension(sia) == RTYPE_INVALID) {
+ warnx("%s: invalid filename in EE cert", fn);
+ goto out;
+ }
+
if (filemode) {
*out_sia = sia;
continue;
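Review bot: the new test in x509_get_sia() only rejects RTYPE_INVALID, so any extension that rtype_from_file_extension() recognises is accepted here. If that helper also maps types that are not signed objects, an EE cert SIA naming such a file would still pass, so consider comparing against the set of types expected for signed objects instead. The warnx() also prints only fn, which in filemode gives no hint of what the SIA actually contained. Saying "SIA" in the message and including the offending value would make the log line actionable. The block sits above the "if (filemode)" branch and therefore runs in both modes. That looks harmless given the existing pathname/SIA mismatch check, but a one-line comment that it is mainly for filemode would help the next reader.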