From: Theo Buehler
Subject: rpki-client: reject certs with unknown critical extensions
To: tech@openbsd.org
Date: Thu, 26 Jun 2025 20:33:59 +0200

The validator will reject these anyway, but this has been bothering me for a while: let's not ignore critical extensions we don't know. It's the whole point of the critical BOOLEAN that we don't.

The code is the default case of a switch (nid = OBJ_obj2nid(obj)), so we can just reuse the nid without recomputing it.

Index: cert.c =================================================================== RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v diff -u -p -r1.170 cert.c --- cert.c 25 Jun 2025 16:10:18 -0000 1.170 +++ cert.c 26 Jun 2025 11:59:19 -0000 @@ -1096,9 +1096,15 @@ cert_parse_pre(const char *fn, const uns /* unexpected extensions warrant investigation */ { char objn[64]; + OBJ_obj2txt(objn, sizeof(objn), obj, 0); + if (X509_EXTENSION_get_critical(ext)) { + warnx("%s: unknown critical extension " + "%s (NID %d)", fn, objn, nid); + goto out; + } warnx("%s: ignoring %s (NID %d)", - fn, objn, OBJ_obj2nid(obj)); + fn, objn, nid); } break; }
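Review bot: the new `goto out` in the default case makes the reject path depend on what the `out:` label does with whatever cert_parse_pre() has built up by the time this extension is reached, which is outside the hunk; worth confirming that the partially parsed certificate is released there exactly as on the function's other error exits, since this is the first time the unknown-extension branch leaves the function early. A wording point on the first warnx: the certificate is now rejected, so saying so ("rejecting unknown critical extension %s (NID %d)") would make the message parallel to the "ignoring %s (NID %d)" line that follows for the non-critical case and let a log reader tell the two outcomes apart without consulting the source. Replacing `OBJ_obj2nid(obj)` with `nid` is correct given that `nid` is the switch variable described in the mail, and rejecting a certificate that carries an unrecognized critical extension is the behaviour RFC 5280 section 4.2 requires of a conforming implementation, so the change brings the parser in line with what the validator already enforces.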