From: Job Snijders <job@openbsd.org>
Subject: Re: rpki-client: extra check for invalid filename extensions in signed object EE certs?
To: Theo Buehler <tb@theobuehler.org>
Cc: tech@openbsd.org
Date: Wed, 18 Jun 2025 20:26:41 +0000

On Wed, Jun 18, 2025 at 09:43:32PM +0200, Theo Buehler wrote:
> On Wed, Jun 18, 2025 at 07:20:09PM +0000, Job Snijders wrote:
> > Add a check whether the filename extension in the SIA makes some kind of
> > sense.
> > 
> > In non-filemode, the "mismatch between pathname and SIA" check would
> > already catch this type of mis-issued object, so this only applies
> > to filemode.
> > 
> > Inspired by https://rpki-notify.site/ test_cases.json
> > 
> > Helpful?
> 
> IIRC the problem that we could not check fn against the SIA was that in file
> mode fn is mostly arbitrary, but we already rely on the filename extension to
> get there. Maybe a better, slightly stricter check that won't break things
> would be to check that the file extensions match?
> 
> 				if (rtype_from_file_extension(sia) !=
> 				    rtype_from_file_extension(fn))  {
> 					warnx("%s: unexpected file type in SIA", fn);
> 					goto out;
> 				}
> 
> might want to do that only in file mode, though.

Good idea


Index: x509.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/x509.c,v
diff -u -p -r1.105 x509.c
--- x509.c	3 Dec 2024 14:51:09 -0000	1.105
+++ x509.c	18 Jun 2025 20:26:34 -0000
@@ -641,6 +641,13 @@ x509_get_sia(X509 *x, const char *fn, ch
 			size_t fnlen, plen;
 
 			if (filemode) {
+				if (rtype_from_file_extension(sia) !=
+				    rtype_from_file_extension(fn))  {
+					warnx("%s: SIA signedObject contains "
+					    "unexpected filename extension",
+					    fn);
+					goto out;
+				}
 				*out_sia = sia;
 				continue;
 			}