From: Job Snijders Subject: rpki-client: mandate presence of CMS signing-time and disallow binary-signing-time To: tech@openbsd.org Date: Sat, 20 Apr 2024 23:52:45 +0000 Dear all, For the last 13 months, rpki-client would've emitted a warning if the CMS signing-time attribute were to be missing from a RPKI Signed Object, and if the binary-signing-time attribute were to be present. A retrospective based on rpkiviews.org data from June 2022 onwards indicates neither condition ever existed in recent years. RFC-to-be draft-ietf-sidrops-cms-signing-time updates RFC 6488 by mandating the presence of the CMS signing-time attribute and disallowing the use of the CMS binary-signing-time attribute. There was consensus in SIDROPS for time now, and - as of this week - also approval from the IESG for RFC publication of this internet-draft. I think it is time to flip from warning to fatal error. We'll need to part ways with the RSC test file c6938fc00af6496d9d4e6e2d876e4b4811887b60f4f1bc9cd0b3cdb7c57c6d5e.sig in regress, which lacks the CMS signing-time attribute. OK? Index: x509.c =================================================================== RCS file: /cvs/src/usr.sbin/rpki-client/x509.c,v diff -u -p -r1.86 x509.c --- x509.c 3 Apr 2024 04:20:13 -0000 1.86 +++ x509.c 20 Apr 2024 23:22:56 -0000 @@ -39,7 +39,6 @@ ASN1_OBJECT *bgpsec_oid; /* id-kp-bgpsec ASN1_OBJECT *cnt_type_oid; /* pkcs-9 id-contentType */ ASN1_OBJECT *msg_dgst_oid; /* pkcs-9 id-messageDigest */ ASN1_OBJECT *sign_time_oid; /* pkcs-9 id-signingTime */ -ASN1_OBJECT *bin_sign_time_oid; /* pkcs-9 id-aa-binarySigningTime */ ASN1_OBJECT *rsc_oid; /* id-ct-signedChecklist */ ASN1_OBJECT *aspa_oid; /* id-ct-ASPA */ ASN1_OBJECT *tak_oid; /* id-ct-SignedTAL */ @@ -97,10 +96,6 @@ static const struct { { .oid = "1.2.840.113549.1.9.5", .ptr = &sign_time_oid, - }, - { - .oid = "1.2.840.113549.1.9.16.2.46", - .ptr = &bin_sign_time_oid, }, { .oid = "1.2.840.113549.1.9.16.1.47", Index: cms.c =================================================================== RCS file: /cvs/src/usr.sbin/rpki-client/cms.c,v diff -u -p -r1.42 cms.c --- cms.c 1 Feb 2024 15:11:38 -0000 1.42 +++ cms.c 20 Apr 2024 23:22:56 -0000 @@ -30,7 +30,6 @@ extern ASN1_OBJECT *cnt_type_oid; extern ASN1_OBJECT *msg_dgst_oid; extern ASN1_OBJECT *sign_time_oid; -extern ASN1_OBJECT *bin_sign_time_oid; static int cms_extract_econtent(const char *fn, CMS_ContentInfo *cms, unsigned char **res, @@ -108,8 +107,7 @@ cms_parse_validate_internal(X509 **xp, c EVP_PKEY *pkey; X509_ALGOR *pdig, *psig; int i, nattrs, nid; - int has_ct = 0, has_md = 0, has_st = 0, - has_bst = 0; + int has_ct = 0, has_md = 0, has_st = 0; time_t notafter; int rc = 0; @@ -218,12 +216,6 @@ cms_parse_validate_internal(X509 **xp, c } if (!cms_get_signtime(fn, attr, signtime)) goto out; - } else if (OBJ_cmp(obj, bin_sign_time_oid) == 0) { - if (has_bst++ != 0) { - warnx("%s: RFC 6488: duplicate " - "signed attribute", fn); - goto out; - } } else { OBJ_obj2txt(buf, sizeof(buf), obj, 1); warnx("%s: RFC 6488: " @@ -239,11 +231,11 @@ cms_parse_validate_internal(X509 **xp, c goto out; } - if (has_bst) - warnx("%s: unsupported CMS signing-time attribute", fn); - - if (!has_st) + if (!has_st) { + /* RFC-to-be draft-ietf-sidrops-cms-signing-time */ warnx("%s: missing CMS signing-time attribute", fn); + goto out; + } if (CMS_unsigned_get_attr_count(si) != -1) { warnx("%s: RFC 6488: CMS has unsignedAttrs", fn);