From: Claudio Jeker
Subject: Re: rpki-client: validate TAK certificateURIs
To: Theo Buehler
Cc: tech@openbsd.org
Date: Tue, 2 Dec 2025 13:43:42 +0100

On Tue, Dec 02, 2025 at 01:41:17PM +0100, Theo Buehler wrote:
> As promised earlier, get rid of a forgotten XXX.
>
> The URIs must all be either rsync or https:
> https://www.rfc-editor.org/rfc/rfc9691#name-takey

Sure. OK claudio@

> Index: tak.c > =================================================================== > RCS file: /cvs/src/usr.sbin/rpki-client/tak.c,v > diff -u -p -r1.28 tak.c > --- tak.c 2 Dec 2025 10:34:48 -0000 1.28 > +++ tak.c 2 Dec 2025 12:32:35 -0000 > @@ -105,12 +105,12 @@ parse_takey(const char *fn, const TAKey > certURI = sk_ASN1_IA5STRING_value(takey->certificateURIs, i); > data = ASN1_STRING_get0_data(certURI); > length = ASN1_STRING_length(certURI); > - if (!valid_uri(data, length, NULL)) { > + > + if (!valid_uri(data, length, HTTPS_PROTO) && > + !valid_uri(data, length, RSYNC_PROTO)) { > warnx("%s: invalid TA URI", fn); > goto err; > } > - > - /* XXX: enforce that protocol is rsync or https. */ > > res->uris[i] = strndup(data, length); > if (res->uris[i] == NULL) >

--
:wq Claudio
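
Review bot: the warnx("%s: invalid TA URI", fn) in the failure branch of parse_takey() now covers two different rejections, a malformed URI and a well-formed one whose scheme is neither https nor rsync, and it identifies neither the cause nor which entry of certificateURIs failed. Consider rewording it to say the URI is not a valid rsync or https URI and including the loop index i, rather than echoing data itself, since those bytes come from the object under validation and have just failed the check. With the XXX comment removed, a one-line comment above the if pointing at the RFC 9691 TAKey section would also record why exactly these two protocols are accepted.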