
From:
Theo Buehler <tb@theobuehler.org>
Subject:
Re: rpki-client: split extension parsing out of cert_parse_pre()
To:
tech@openbsd.org
Date:
Mon, 30 Jun 2025 16:15:38 +0200


On Mon, Jun 30, 2025 at 01:34:33PM +0200, Theo Buehler wrote:
> Entirely straightforward refactor: extract a helper from cert_parse_pre()
> so it can be shared with cert_parse_ee_cert(). I haven't hooked this
> into cert_parse_ee_cert() yet because that makes the diff messy.
> It will be the next step.

Here's the follow-up which uses cert_parse_extensions() from
cert_parse_ee_cert() and deletes the now redundant extension parsing.
This means in particular that we now also parse and check the
certificate policy for EE certs.

(Requiring that cert policies are present will come after completing
the parsing switch in cert_parse_extensions().)

diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index 5477042a17..ec051634b2 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1219,8 +1219,6 @@
 cert_parse_ee_cert(const char *fn, int talid, X509 *x)
 {
 	struct cert		*cert;
-	X509_EXTENSION		*ext;
-	int			 index;
 
 	if ((cert = calloc(1, sizeof(struct cert))) == NULL)
 		err(1, NULL);
@@ -1233,38 +1231,15 @@
 	if (!cert_check_subject_and_issuer(fn, x))
 		goto out;
 
-	if (!x509_cache_extensions(x, fn))
+	if (!cert_parse_extensions(fn, cert, x))
 		goto out;
 
-	/*
-	 * Check issuance, basic constraints and (extended) key usage bits are
-	 * appropriate for an EE cert. Covers RFC 6487, 4.8.1, 4.8.4, 4.8.5.
-	 */
-	if ((cert->purpose = cert_check_purpose(fn, x)) != CERT_PURPOSE_EE) {
-		/* XXX - double warning */
+	if (cert->purpose != CERT_PURPOSE_EE) {
 		warnx("%s: expected EE cert, got %s", fn,
 		    purpose2str(cert->purpose));
 		goto out;
 	}
 
-	index = X509_get_ext_by_NID(x, NID_sinfo_access, -1);
-	if ((ext = X509_get_ext(x, index)) != NULL) {
-		if (!cert_sia(fn, cert, ext))
-			goto out;
-	}
-
-	index = X509_get_ext_by_NID(x, NID_sbgp_ipAddrBlock, -1);
-	if ((ext = X509_get_ext(x, index)) != NULL) {
-		if (!sbgp_ipaddrblk(fn, cert, ext))
-			goto out;
-	}
-
-	index = X509_get_ext_by_NID(x, NID_sbgp_autonomousSysNum, -1);
-	if ((ext = X509_get_ext(x, index)) != NULL) {
-		if (!sbgp_assysnum(fn, cert, ext))
-			goto out;
-	}
-
 	if (!X509_up_ref(x)) {
 		warnx("%s: X509_up_ref failed", fn);
 		goto out;