From: Claudio Jeker Subject: Re: rpki-client: add self-issuance check for EE certs To: Theo Buehler Cc: tech@openbsd.org Date: Thu, 19 Jun 2025 07:54:55 +0200 On Thu, Jun 19, 2025 at 07:49:24AM +0200, Theo Buehler wrote: > Next simple step of reworking the extension handling and in particular > making checks for EE certs stricter. > > Tangentially, we never agreed on a better name for x509_get_purpose(). > Since it does a decent amount of checking, x509_check_purpose() would > perhaps be better. This clashes with the related X509_check_purpose() > from libcrypto, which I'm sure will confuse me down the road. So I think > I want to move that function to cert.c, make it static and call it > cert_check_purpose(). OK claudio@, also for the plan to move the function. > Index: cert.c > =================================================================== > RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v > diff -u -p -r1.159 cert.c > --- cert.c 4 Jun 2025 09:18:28 -0000 1.159 > +++ cert.c 19 Jun 2025 05:34:40 -0000 > @@ -762,6 +762,10 @@ cert_parse_ee_cert(const char *fn, int t > if (!x509_cache_extensions(x, fn)) > goto out; > > + /* > + * Check issuance, basic constraints and (extended) key usage bits are > + * appropriate for an EE cert. Covers RFC 6487, 4.8.1, 4.8.4, 4.8.5. > + */ > if ((cert->purpose = x509_get_purpose(x, fn)) != CERT_PURPOSE_EE) { > warnx("%s: expected EE cert, got %s", fn, > purpose2str(cert->purpose)); > Index: x509.c > =================================================================== > RCS file: /cvs/src/usr.sbin/rpki-client/x509.c,v > diff -u -p -r1.105 x509.c > --- x509.c 3 Dec 2024 14:51:09 -0000 1.105 > +++ x509.c 19 Jun 2025 05:12:03 -0000 
> @@ -364,6 +364,11 @@ x509_get_purpose(X509 *x, const char *fn > goto out; > } > > + if ((ext_flags & (EXFLAG_SI | EXFLAG_SS)) != 0) { > + warnx("%s: EE cert must not be self-issued or self-signed", fn); > + goto out; > + } > + > if (X509_get_key_usage(x) != KU_DIGITAL_SIGNATURE) { > warnx("%s: RFC 6487 section 4.8.4: KU must be digitalSignature", > fn); > -- :wq Claudio
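Review bot: in the cert.c hunk, the new comment credits all three checks to RFC 6487 sections 4.8.1, 4.8.4 and 4.8.5, but those sections only cover basicConstraints and the (extended) key usage bits; the "issuance" part of the sentence, i.e. the self-issued/self-signed rejection this diff adds in x509.c, has no section behind it. Either cite the requirement that check implements or reword so the RFC references are attached only to the extension checks, e.g. "Check basic constraints and (extended) key usage bits are appropriate for an EE cert (RFC 6487, 4.8.1, 4.8.4, 4.8.5) and reject self-issued certs."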
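Review bot: in the x509.c hunk, the new warning "EE cert must not be self-issued or self-signed" carries no RFC reference while the KU check directly below it says "RFC 6487 section 4.8.4: KU must be digitalSignature"; for consistency state the section this comes from, or make clear it is a stricter local check. The visible context only shows a preceding "goto out; }" and does not show where x509_get_purpose() has already classified CA and trust-anchor certificates, which are legitimately self-signed, so please make sure this test runs only on the EE path rather than before the CA decision. Testing EXFLAG_SI | EXFLAG_SS is fine, but since libcrypto only sets EXFLAG_SS on certificates that already have EXFLAG_SI, the message could simply say "self-issued".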