From: Claudio Jeker
Subject: Re: rpki-client: fix BGPsec router EKU handling
To: Theo Buehler
Cc: tech@openbsd.org
Date: Mon, 10 Jun 2024 14:24:51 +0200

On Mon, Jun 10, 2024 at 01:17:41PM +0200, Theo Buehler wrote:
> On Sat, Jun 08, 2024 at 08:05:00PM +0200, Theo Buehler wrote:
> > The semantics of EKU is that we need to find the purpose we're looking
> > for, and not care about the others. There are legitimate reasons for
> > allowing other EKUs. The lot of the 3 BGPsec certs out there are still
> > recognized with this diff since all of them only have a single
> > keyPurposeId.
> 
> Rebased to apply cleanly on top of current.
> 
> Index: x509.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/x509.c,v
> diff -u -p -r1.98 x509.c
> --- x509.c	10 Jun 2024 10:50:13 -0000	1.98
> +++ x509.c	10 Jun 2024 11:16:26 -0000
> @@ -277,7 +277,7 @@ x509_get_purpose(X509 *x, const char *fn
>  	BASIC_CONSTRAINTS *bc = NULL;
>  	EXTENDED_KEY_USAGE *eku = NULL;
>  	const X509_EXTENSION *ku;
> -	int crit, ext_flags, is_ca, ku_idx;
> +	int crit, ext_flags, i, is_ca, ku_idx;
>  	enum cert_purpose purpose = CERT_PURPOSE_INVALID;
>  
>  	if (!x509_cache_extensions(x, fn))
> @@ -388,20 +388,15 @@ x509_get_purpose(X509 *x, const char *fn
>  	}
>  
>  	/*
> -	 * XXX - this isn't quite correct: other EKU OIDs are allowed per
> -	 * RFC 8209, section 3.1.3.2, e.g., anyEKU could potentially help
> -	 * avoid tripping up validators that don't know about the BGPsec
> -	 * router purpose. Drop check or downgrade from error to warning?
> +	 * Per RFC 8209, section 3.1.3.2 the id-kp-bgpsec-router OID must be
> +	 * present and others are allowed, which we need not recognize. This
                                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^

This reads strange to me. "which we may not recognize"?

> +	 * matches RFC 5280, section 4.2.1.12.
>  	 */
> -	if (sk_ASN1_OBJECT_num(eku) != 1) {
> -		warnx("%s: EKU: expected 1 purpose, have %d", fn,
> -		    sk_ASN1_OBJECT_num(eku));
> -		goto out;
> -	}
> -
> -	if (OBJ_cmp(bgpsec_oid, sk_ASN1_OBJECT_value(eku, 0)) == 0) {
> -		purpose = CERT_PURPOSE_BGPSEC_ROUTER;
> -		goto out;
> +	for (i = 0; i < sk_ASN1_OBJECT_num(eku); i++) {
> +		if (OBJ_cmp(bgpsec_oid, sk_ASN1_OBJECT_value(eku, i)) == 0) {
> +			purpose = CERT_PURPOSE_BGPSEC_ROUTER;
> +			break;
> +		}
>  	}
>  
>  out:

Apart from that OK claudio@

-- 
:wq Claudio
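Review bot: in the second hunk (the EKU loop), a certificate whose EKU extension does not contain id-kp-bgpsec-router now falls through to `out:` with `purpose` still `CERT_PURPOSE_INVALID` and no diagnostic at all, whereas the removed code at least reported the wrong-count case with `warnx("%s: EKU: expected 1 purpose, have %d", fn, ...)`. Consider adding a message such as `warnx("%s: EKU: missing id-kp-bgpsec-router", fn)` after the loop when `purpose` is still `CERT_PURPOSE_INVALID`, so an operator can tell why a router certificate was rejected rather than seeing a silent failure. Replacing the two `goto out` paths with a `break` is fine since the loop is immediately followed by `out:`, and the new comment's "which we need not recognize" wording is already flagged above.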