From: Claudio Jeker
Subject: Re: rpki-client: reject certs with unknown critical extensions
To: Theo Buehler
Cc: tech@openbsd.org
Date: Thu, 26 Jun 2025 20:46:11 +0200

On Thu, Jun 26, 2025 at 08:33:59PM +0200, Theo Buehler wrote:
> The validator will reject these anyway, but this has been bothering me
> for a while: let's not ignore critical extensions we don't know. It's
> the whole point of the critical BOOLEAN that we don't.
>
> The code is the default case of a switch (nid = OBJ_obj2nid(obj)),
> so we can just reuse the nid without recomputing it.
>
> Index: cert.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v
> diff -u -p -r1.170 cert.c
> --- cert.c	25 Jun 2025 16:10:18 -0000	1.170
> +++ cert.c	26 Jun 2025 11:59:19 -0000
> @@ -1096,9 +1096,15 @@ cert_parse_pre(const char *fn, const uns
>  		/* unexpected extensions warrant investigation */
>  		{
>  			char objn[64];
> +
>  			OBJ_obj2txt(objn, sizeof(objn), obj, 0);
> +			if (X509_EXTENSION_get_critical(ext)) {
> +				warnx("%s: unknown critical extension "
> +				    "%s (NID %d)", fn, objn, nid);
> +				goto out;
> +			}
>  			warnx("%s: ignoring %s (NID %d)",
> -			    fn, objn, OBJ_obj2nid(obj));
> +			    fn, objn, nid);
>  		}
>  		break;
>  	}

Totally makes sense to me.

OK claudio@

--
:wq Claudio
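Review bot: The logic is right and matches RFC 5280 section 4.2, which requires a certificate with an unrecognized critical extension to be rejected while unrecognized non-critical ones may be ignored; reusing `nid` in both warnx() calls also drops the second OBJ_obj2nid() lookup, as the description says. One wording nit on the new message: "unknown critical extension %s (NID %d)" does not say that the certificate is being rejected, while the line below it still says "ignoring", so someone reading the log cannot tell the two outcomes apart without the source; "rejecting unknown critical extension %s (NID %d)" would make the difference visible. Worth a quick check that the `out` label this `goto out` reaches is the same failure exit the other parse errors in cert_parse_pre() use, so the partially built cert is released and the caller sees the failure rather than a half-parsed object.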
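The rule the patch enforces, as an added example that is not rpki-client code and not part of this thread: a small DER encoder/decoder for the X.509 Extensions sequence (short-form lengths only) plus a checker that processes known extension OIDs, logs and skips unknown non-critical ones, and rejects the certificate on an unknown critical one. The KNOWN_EXTENSIONS table, the private-arc OID 1.3.6.1.4.1.99999.1, the sample extension values and all function names are constructed for the example.

```python
"""RFC 5280 section 4.2 policy for unrecognised X.509 extensions, run over a
hand-built DER Extensions sequence (added example, not rpki-client code)."""
import logging
log = logging.getLogger("certcheck")

def der(tag, body):
    """Wrap body in a DER tag-length-value (short-form length only)."""
    assert len(body) < 0x80, "short-form length only"
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the short-form TLV at pos."""
    tag, length = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def decode_oid(body):
    """Inverse of encode_oid, applied to the OID content octets."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def encode_extension(oid, critical, value):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue }.
    DER never writes a BOOLEAN equal to its default, so FALSE is omitted."""
    body = encode_oid(oid)
    if critical:
        body += der(0x01, b"\xff")
    return der(0x30, body + der(0x04, value))

def encode_extensions(exts):
    return der(0x30, b"".join(encode_extension(*e) for e in exts))

def parse_extensions(buf):
    """Decode an Extensions SEQUENCE into (oid, critical, value) tuples."""
    tag, seq, _ = read_tlv(buf, 0)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    exts, pos = [], 0
    while pos < len(seq):
        tag, ext, pos = read_tlv(seq, pos)
        assert tag == 0x30, "Extension must be a SEQUENCE"
        t, oid_body, p = read_tlv(ext, 0)
        assert t == 0x06, "extnID must be an OID"
        critical = False
        t, body, p = read_tlv(ext, p)
        if t == 0x01:                       # optional critical BOOLEAN
            critical = body == b"\xff"
            t, body, p = read_tlv(ext, p)
        assert t == 0x04, "extnValue must be an OCTET STRING"
        exts.append((decode_oid(oid_body), critical, body))
    return exts

# Extensions this checker can process (constructed subset for the example).
KNOWN_EXTENSIONS = {
    "2.5.29.19": "basicConstraints",
    "1.3.6.1.5.5.7.1.7": "sbgp-ipAddrBlock",   # RFC 3779, carried by RPKI certs
}

class CertRejected(Exception): pass

def check_extensions(buf):
    """Same policy as the patched default case: known -> process, unknown
    non-critical -> warn and skip, unknown critical -> reject the certificate."""
    handled = []
    for oid, critical, _value in parse_extensions(buf):
        name = KNOWN_EXTENSIONS.get(oid)
        if name is not None:
            handled.append(name)
        elif critical:
            raise CertRejected(f"unknown critical extension {oid}")
        else:
            log.warning("ignoring unknown non-critical extension %s", oid)
    return handled

def evaluate(buf):
    try:
        return "accepted", check_extensions(buf)
    except CertRejected as e:
        return "rejected", str(e)

# Constructed sample input; the private-arc OID stands in for an extension we do not know.
PRIVATE_OID = "1.3.6.1.4.1.99999.1"
GOOD_CERT_EXTS = encode_extensions([
    ("2.5.29.19", True, der(0x30, b"")),   # basicConstraints, empty SEQUENCE (not a CA)
    (PRIVATE_OID, False, b"\x00"),         # unknown but non-critical: skipped with a warning
])
BAD_CERT_EXTS = encode_extensions([("2.5.29.19", True, der(0x30, b"")),
                                   (PRIVATE_OID, True, b"\x00")])  # unknown and critical: rejected
```

`evaluate(GOOD_CERT_EXTS)` processes basicConstraints and logs the unknown extension; `evaluate(BAD_CERT_EXTS)` stops at the first unknown critical extension and reports the certificate as rejected, which is the behaviour the patch's `goto out` gives rpki-client.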