From: Theo Buehler
Subject: rpki-client: validate TAK certificateURIs
To: tech@openbsd.org
Date: Tue, 2 Dec 2025 13:41:17 +0100

As promised earlier, get rid of a forgotten XXX. The URis must all be either rsync or https: https://www.rfc-editor.org/rfc/rfc9691#name-takey

Index: tak.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/tak.c,v
diff -u -p -r1.28 tak.c
--- tak.c	2 Dec 2025 10:34:48 -0000	1.28
+++ tak.c	2 Dec 2025 12:32:35 -0000
@@ -105,12 +105,12 @@ parse_takey(const char *fn, const TAKey
  certURI = sk_ASN1_IA5STRING_value(takey->certificateURIs, i);
  data = ASN1_STRING_get0_data(certURI);
  length = ASN1_STRING_length(certURI);
- if (!valid_uri(data, length, NULL)) {
+
+ if (!valid_uri(data, length, HTTPS_PROTO) &&
+ !valid_uri(data, length, RSYNC_PROTO)) {
  warnx("%s: invalid TA URI", fn);
  goto err;
  }
-
- /* XXX: enforce that protocol is rsync or https. */
  res->uris[i] = strndup(data, length);
  if (res->uris[i] == NULL)