From: Job Snijders
Subject: Re: rpki-client: introduce cert_parse_internal()
To: Theo Buehler
Cc: tech@openbsd.org
Date: Wed, 2 Jul 2025 13:15:32 +0000

On Wed, Jul 02, 2025 at 02:07:54PM +0200, Theo Buehler wrote:
> Apart from the extensions, EE certs are still insufficiently parsed.
> The Certificate and the TBSCertificate are independent of the cert
> purpose, so we need one function to deal with those.
>
> cert_parse_internal() does part of this: walk the TBSCertificate's
> SEQUENCE per RFC 5280 and validate one entry after the other and check
> the restrictions imposed by RFC 6487. Well, almost. Since we
> deal with subject and issuer in one go, the order isn't 100% the same.
>
> cert_parse_internal() brings part of a simplification promised earlier.
> It allocates struct cert itself and populates it, and takes ownership
> of the cert passed in.
>
> The new cert_check_sigalg() and cert_check_validity_period() are
> straightforward enough. Two missing bits are indicated in an XXX:
> the SPKI and checking for completeness of extensions.

I applied this diff on top of https://marc.info/?l=openbsd-tech&m=175145681427112&w=2
(that one is OK job@)

Running regress I noticed:

==== run-regress-test-cert ====
./test-cert -v /usr/src/regress/usr.sbin/rpki-client/libressl/../cer/*.cer
test-cert: /usr/src/regress/usr.sbin/rpki-client/libressl/../cer/2a7dd1d787d793e4c8af56e197d4eed92af6ba13.cer: certificate has expired
test-cert: test failed for /usr/src/regress/usr.sbin/rpki-client/libressl/../cer/2a7dd1d787d793e4c8af56e197d4eed92af6ba13.cer
*** Error 1 in libressl (../Makefile.inc:43 'run-regress-test-cert')
FAILED
*** Error 1 in libressl (:105 'regress': if make -C /usr/src/regress/usr.sbin/rpki-client/libressl run-regress-test-cert; th...)
*** Error 2 in /usr/src/regress/usr.sbin/rpki-client (:48 'all': @for entry in libressl openssl; do set -e; if test -d /usr/...)
I suppose some thought needs to be given to filemode, with this diff we're bowing quite soon, but I'm not entirely sure "EE being expired" rises to the level of "this was entirely unparsable":

$ rpki-client -f cer/2a7dd1d787d793e4c8af56e197d4eed92af6ba13.cer
File: cer/2a7dd1d787d793e4c8af56e197d4eed92af6ba13.cer
Hash identifier: wVFG4E0OvINUE82U2P86vh7+JCYeihHk+IrqGBZgfxI=
rpki-client: cer/2a7dd1d787d793e4c8af56e197d4eed92af6ba13.cer: certificate has expired
Validation: N/A

Thoughts?
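Added example, not from the thread or from rpki-client itself: a Go sketch of the distinction raised in the filemode question above, keeping "unparsable" (DER/structure failure) apart from "parsed but expired". It uses Go's crypto/x509 instead of rpki-client's C code, the checkValidityPeriod helper is a hypothetical stand-in for a cert_check_validity_period()-style check, and the EE cert is a constructed self-signed sample, not a real RPKI object.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Outcome keeps the parse verdict apart from the validity-period verdict.
type Outcome struct {
	Parsed, Expired, NotYet bool
	Err                     error // set only when the DER could not be parsed
}

// checkValidityPeriod: hypothetical stand-in for a cert_check_validity_period()-style check.
func checkValidityPeriod(c *x509.Certificate, now time.Time) (expired, notYet bool) {
	return now.After(c.NotAfter), now.Before(c.NotBefore)
}

// ParseAndCheck parses the DER first; only a structural failure is "unparsable" (Err).
func ParseAndCheck(der []byte, now time.Time) Outcome {
	c, err := x509.ParseCertificate(der)
	if err != nil {
		return Outcome{Err: fmt.Errorf("unparsable: %w", err)}
	}
	exp, ny := checkValidityPeriod(c, now)
	return Outcome{Parsed: true, Expired: exp, NotYet: ny}
}

// MakeExpiredEE builds a constructed self-signed EE cert whose validity ended on 2020-01-01.
func MakeExpiredEE() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed-ee"},
		NotBefore:    time.Date(2019, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:     time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}
```

Evaluated at the date of this mail, ParseAndCheck reports Parsed=true and Expired=true for the constructed cert, while a truncated input such as the two bytes 0x30 0x00 yields Parsed=false with Err set.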