From: Job Snijders
Subject: rpki-client: extra check for invalid filename extensions in signed object EE certs?
To: tech@openbsd.org
Date: Wed, 18 Jun 2025 19:20:09 +0000

Add a check whether the filename extension in the SIA makes some kind of sense.

In non-filemode, the "mismatch between pathname and SIA" check would already catch this type of mis-issued object, so this only applies to filemode.

Inspired by https://rpki-notify.site/ test_cases.json

Helpful?

Index: x509.c =================================================================== RCS file: /cvs/src/usr.sbin/rpki-client/x509.c,v diff -u -p -r1.105 x509.c --- x509.c 3 Dec 2024 14:51:09 -0000 1.105 +++ x509.c 18 Jun 2025 19:13:53 -0000 @@ -640,6 +640,11 @@ x509_get_sia(X509 *x, const char *fn, ch const char *p = sia + RSYNC_PROTO_LEN; size_t fnlen, plen; + if (rtype_from_file_extension(sia) == RTYPE_INVALID) { + warnx("%s: invalid filename in EE cert", fn); + goto out; + } + if (filemode) { *out_sia = sia; continue;
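Review bot: the new `rtype_from_file_extension(sia) == RTYPE_INVALID` check is placed before `if (filemode)`, so it runs in both modes even though the message says it only matters in filemode; either move it inside the `if (filemode)` branch, or keep it where it is and say in the commit message that non-filemode now rejects these objects a little earlier than the pathname/SIA mismatch check would. Two smaller points on the same hunk: the warning `"%s: invalid filename in EE cert"` names only `fn`, so an operator cannot see which SIA value was rejected, and printing the offending `sia` alongside it would make the log actionable; and since the check only rejects unknown extensions, an EE cert whose SIA carries a valid but wrong extension for the object being parsed still passes in filemode, so if the caller's expected type is available it would be a stronger check to compare against that rather than only against `RTYPE_INVALID`.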