From: Theo Buehler
Subject: Re: rpki-client: extra check for invalid filename extensions in signed object EE certs?
To: Job Snijders
Cc: tech@openbsd.org
Date: Wed, 18 Jun 2025 21:43:32 +0200

On Wed, Jun 18, 2025 at 07:20:09PM +0000, Job Snijders wrote:
> Add a check whether the filename extension in the SIA makes some kind of
> sense.
>
> In non-filemode, the "mismatch between pathname and SIA" check would
> already catch this type of mis-issued object, so this only applies
> to filemode.
>
> Inspired by https://rpki-notify.site/ test_cases.json
>
> Helpful?

IIRC the problem that we could not check fn against the SIA was that in
file mode fn is mostly arbitrary, but we already rely on the filename
extension to get there.

Maybe a better, slightly stricter check that won't break things would be
to check that the file extensions match?

	if (rtype_from_file_extension(sia) != rtype_from_file_extension(fn)) {
		warnx("%s: unexpected file type in SIA", fn);
		goto out;
	}

might want to do that only in file mode, though.

>
> Index: x509.c > =================================================================== > RCS file: /cvs/src/usr.sbin/rpki-client/x509.c,v > diff -u -p -r1.105 x509.c > --- x509.c 3 Dec 2024 14:51:09 -0000 1.105 > +++ x509.c 18 Jun 2025 19:13:53 -0000 > @@ -640,6 +640,11 @@ x509_get_sia(X509 *x, const char *fn, ch > const char *p = sia + RSYNC_PROTO_LEN; > size_t fnlen, plen; > > + if (rtype_from_file_extension(sia) == RTYPE_INVALID) { > + warnx("%s: invalid filename in EE cert", fn); > + goto out; > + } > + > if (filemode) { > *out_sia = sia; > continue; >
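
Review bot: the added test sits above "if (filemode) {", so it runs in both modes, while the description says it only matters in filemode, where the loop takes the "continue" before any pathname comparison. Consider moving it inside the filemode block ahead of "*out_sia = sia;", or add a comment saying the unconditional placement is intended. The test also rejects only RTYPE_INVALID, so an SIA with a recognised extension of a different type than fn still passes, which is the gap the extension comparison proposed in the reply would close. The warnx prints fn but not the sia string, and in filemode the SIA is the value an operator cannot infer from fn, so printing it would make the warning easier to act on.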