From: Theo Buehler <tb@theobuehler.org>
Subject: Re: rpki-client: better extension order in cert_parse_pre
To: tech@openbsd.org
Date: Thu, 19 Jun 2025 07:27:35 +0200

On Thu, Jun 19, 2025 at 07:14:55AM +0200, Claudio Jeker wrote:
> On Thu, Jun 19, 2025 at 12:55:54AM +0200, Theo Buehler wrote:
> > The random order in which cert_parse_pre's switch handles extensions
> > has confused me too many times. I'd like this to match the order in
> > RFC 6487, section 4.8. This isn't perfect either - ski comes before aki
> > and aia comes before sia. Still, it's better.
> > 
> > To make this easy to review, I'll do it in a couple of steps. Here's
> > the first one, covering sections 4.8.1-4.8.7.
> > 
> >        4.8.1.  Basic Constraints  . . . . . . . . . . . . . . . . . .  8
> >        4.8.2.  Subject Key Identifier . . . . . . . . . . . . . . . .  9
> >        4.8.3.  Authority Key Identifier . . . . . . . . . . . . . . .  9
> >        4.8.4.  Key Usage  . . . . . . . . . . . . . . . . . . . . . .  9
> >        4.8.5.  Extended Key Usage . . . . . . . . . . . . . . . . . .  9
> >        4.8.6.  CRL Distribution Points  . . . . . . . . . . . . . . . 10
> >        4.8.7.  Authority Information Access . . . . . . . . . . . . . 10
> 
> Go for it. OK claudio@

And here's the second step, moving the two sbgp extensions to their
proper spot:

       4.8.7.  Authority Information Access . . . . . . . . . . . . . 10
       4.8.8.  Subject Information Access . . . . . . . . . . . . . . 11
       4.8.9.  Certificate Policies . . . . . . . . . . . . . . . . . 12
       4.8.10. IP Resources . . . . . . . . . . . . . . . . . . . . . 12
       4.8.11. AS Resources . . . . . . . . . . . . . . . . . . . . . 12

Index: cert.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v
diff -u -p -U7 -r1.160 cert.c
--- cert.c	19 Jun 2025 05:20:37 -0000	1.160
+++ cert.c	19 Jun 2025 05:21:57 -0000
@@ -905,40 +905,40 @@ cert_parse_pre(const char *fn, const uns
 			if (crldp++ > 0)
 				goto dup;
 			break;
 		case NID_info_access:
 			if (aia++ > 0)
 				goto dup;
 			break;
-		case NID_sbgp_ipAddrBlock:
-			if (ip++ > 0)
-				goto dup;
-			if (!sbgp_ipaddrblk(fn, cert, ext))
-				goto out;
-			break;
-		case NID_sbgp_autonomousSysNum:
-			if (as++ > 0)
-				goto dup;
-			if (!sbgp_assysnum(fn, cert, ext))
-				goto out;
-			break;
 		case NID_sinfo_access:
 			if (sia++ > 0)
 				goto dup;
 			/*
 			 * This will fail for BGPsec certs, but they must omit
 			 * this extension anyway (RFC 8209, section 3.1.3.3).
 			 */
 			if (!sbgp_sia(fn, cert, ext))
 				goto out;
 			break;
 		case NID_certificate_policies:
 			if (cp++ > 0)
 				goto dup;
 			if (!certificate_policies(fn, cert, ext))
+				goto out;
+			break;
+		case NID_sbgp_ipAddrBlock:
+			if (ip++ > 0)
+				goto dup;
+			if (!sbgp_ipaddrblk(fn, cert, ext))
+				goto out;
+			break;
+		case NID_sbgp_autonomousSysNum:
+			if (as++ > 0)
+				goto dup;
+			if (!sbgp_assysnum(fn, cert, ext))
 				goto out;
 			break;
 		default:
 			/* unexpected extensions warrant investigation */
 			{
 				char objn[64];
 				OBJ_obj2txt(objn, sizeof(objn), obj, 0);
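Review bot: the reordering is behaviour-neutral and the hunk is safe as a pure move, but the switch still carries no hint of why the cases sit where they do; a one-line comment above the switch such as "extensions are handled in the order of RFC 6487, section 4.8" would record the intent this series establishes so the next reader does not reshuffle them. Behaviour-neutral because each moved case is self-contained: the `NID_sbgp_ipAddrBlock` and `NID_sbgp_autonomousSysNum` blocks keep their own `ip++`/`as++` duplicate counters, their `sbgp_ipaddrblk`/`sbgp_assysnum` calls and their own `goto out`/`break`, and the removed lines match the re-added ones once the shared `goto out; break;` tail at the bottom of the hunk (formerly closing `NID_certificate_policies`, now closing `NID_sbgp_autonomousSysNum`) is accounted for. The resulting order, Subject Information Access, Certificate Policies, IP Resources, AS Resources, matches the section 4.8.8 to 4.8.11 sequence quoted in the message.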