From: Theo Buehler <tb@theobuehler.org>
Subject: rpki-client: add self-issuance check for EE certs
To: tech@openbsd.org
Date: Thu, 19 Jun 2025 07:49:24 +0200

Next simple step of reworking the extension handling and in particular
making checks for EE certs stricter.

Tangentially, we never agreed on a better name for x509_get_purpose().
Since it does a decent amount of checking, x509_check_purpose() would
perhaps be better. This clashes with the related X509_check_purpose()
from libcrypto, which I'm sure will confuse me down the road. So I think
I want to move that function to cert.c, make it static and call it
cert_check_purpose().

Index: cert.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v
diff -u -p -r1.159 cert.c
--- cert.c	4 Jun 2025 09:18:28 -0000	1.159
+++ cert.c	19 Jun 2025 05:34:40 -0000
@@ -762,6 +762,10 @@ cert_parse_ee_cert(const char *fn, int t
 	if (!x509_cache_extensions(x, fn))
 		goto out;
 
+	/*
+	 * Check issuance, basic constraints and (extended) key usage bits are
+	 * appropriate for an EE cert. Covers RFC 6487, 4.8.1, 4.8.4, 4.8.5.
+	 */
 	if ((cert->purpose = x509_get_purpose(x, fn)) != CERT_PURPOSE_EE) {
 		warnx("%s: expected EE cert, got %s", fn,
 		    purpose2str(cert->purpose));
Index: x509.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/x509.c,v
diff -u -p -r1.105 x509.c
--- x509.c	3 Dec 2024 14:51:09 -0000	1.105
+++ x509.c	19 Jun 2025 05:12:03 -0000
@@ -364,6 +364,11 @@ x509_get_purpose(X509 *x, const char *fn
 		goto out;
 	}
 
+	if ((ext_flags & (EXFLAG_SI | EXFLAG_SS)) != 0) {
+		warnx("%s: EE cert must not be self-issued or self-signed", fn);
+		goto out;
+	}
+
 	if (X509_get_key_usage(x) != KU_DIGITAL_SIGNATURE) {
 		warnx("%s: RFC 6487 section 4.8.4: KU must be digitalSignature",
 		    fn);