From: Claudio Jeker
Subject: Re: rpki-client: better extension order in cert_parse_pre
To: Theo Buehler
Cc: tech@openbsd.org
Date: Thu, 19 Jun 2025 07:52:33 +0200

On Thu, Jun 19, 2025 at 07:27:35AM +0200, Theo Buehler wrote:
> On Thu, Jun 19, 2025 at 07:14:55AM +0200, Claudio Jeker wrote:
> > On Thu, Jun 19, 2025 at 12:55:54AM +0200, Theo Buehler wrote:
> > > The random order in which cert_parse_pre's switch handles extensions
> > > has confused me too many times. I'd like this to match the order in
> > > RFC 6487, section 4.8. This isn't perfect either - ski comes before aki
> > > and aia comes before sia. Still, it's better.
> > >
> > > To make this easy to review, I'll do it in a couple of steps. Here's
> > > the first one, covering sections 4.8.1-4.8.7.
> > >
> > > 4.8.1. Basic Constraints . . . . . . . . . . . . . . . . . . 8
> > > 4.8.2. Subject Key Identifier . . . . . . . . . . . . . . . . 9
> > > 4.8.3. Authority Key Identifier . . . . . . . . . . . . . . . 9
> > > 4.8.4. Key Usage . . . . . . . . . . . . . . . . . . . . . . 9
> > > 4.8.5. Extended Key Usage . . . . . . . . . . . . . . . . . . 9
> > > 4.8.6. CRL Distribution Points . . . . . . . . . . . . . . . 10
> > > 4.8.7. Authority Information Access . . . . . . . . . . . . . 10
> >
> > Go for it. OK claudio@
>
> And here's the second step, moving the two sbgp extensions to their
> proper spot:
>
> 4.8.7. Authority Information Access . . . . . . . . . . . . . 10
> 4.8.8. Subject Information Access . . . . . . . . . . . . . . 11
> 4.8.9. Certificate Policies . . . . . . . . . . . . . . . . . 12
> 4.8.10. IP Resources . . . . . . . . . . . . . . . . . . . . . 12
> 4.8.11. AS Resources . . . . . . . . . . . . . . . . . . . . . 12

Sure. Do you want to add a comment on how this is sorted?
> Index: cert.c > =================================================================== > RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v > diff -u -p -U7 -r1.160 cert.c > --- cert.c 19 Jun 2025 05:20:37 -0000 1.160 > +++ cert.c 19 Jun 2025 05:21:57 -0000 > @@ -905,40 +905,40 @@ cert_parse_pre(const char *fn, const uns > if (crldp++ > 0) > goto dup; > break; > case NID_info_access: > if (aia++ > 0) > goto dup; > break; > - case NID_sbgp_ipAddrBlock: > - if (ip++ > 0) > - goto dup; > - if (!sbgp_ipaddrblk(fn, cert, ext)) > - goto out; > - break; > - case NID_sbgp_autonomousSysNum: > - if (as++ > 0) > - goto dup; > - if (!sbgp_assysnum(fn, cert, ext)) > - goto out; > - break; > case NID_sinfo_access: > if (sia++ > 0) > goto dup; > /* > * This will fail for BGPsec certs, but they must omit > * this extension anyway (RFC 8209, section 3.1.3.3). > */ > if (!sbgp_sia(fn, cert, ext)) > goto out; > break; > case NID_certificate_policies: > if (cp++ > 0) > goto dup; > if (!certificate_policies(fn, cert, ext)) > + goto out; > + break; > + case NID_sbgp_ipAddrBlock: > + if (ip++ > 0) > + goto dup; > + if (!sbgp_ipaddrblk(fn, cert, ext)) > + goto out; > + break; > + case NID_sbgp_autonomousSysNum: > + if (as++ > 0) > + goto dup; > + if (!sbgp_assysnum(fn, cert, ext)) > goto out; > break; > default: > /* unexpected extensions warrant investigation */ > { > char objn[64]; > OBJ_obj2txt(objn, sizeof(objn), obj, 0); > -- :wq Claudio
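Review bot: the order of the cases in this switch has no effect on which extensions are accepted or on the duplicate detection (`if (ip++ > 0) goto dup;` and `if (as++ > 0) goto dup;` are carried over unchanged), so the hunk is a pure move with no behavioural change and is safe as is; what it lacks is the comment the reply asks for, a line above the switch saying that the cases follow the extension order of RFC 6487 section 4.8, since nothing in the code itself makes the intended ordering visible, and without it the diff is easy to misread: the `goto out;` / `break;` after `certificate_policies` appears once as added lines and once as trailing unchanged context that now belongs to the relocated `NID_sbgp_autonomousSysNum` case.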