CVSROOT:	/cvs
Module name:	src
Changes by:	t...@cvs.openbsd.org	2022/02/04 09:28:20

Modified files:
	usr.sbin/rpki-client: cert.c

Log message:
Ensure that certificate policies follow RFC 7318

RFC 7318 makes requirements on the certificate policy extension imposed by
RFC 6487 a bit stricter. It requires that exactly one policy OID is present
and that it be id-cp-ipAddr-asNumber and if there is a policy qualifier it
must be id-qt-cps. These are requirements that the X.509 verifier's policy
code can't enforce, so unpack the certificate policy extension by hand and
check that it matches expectations.

ok claudio
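
An added illustration, not part of the commit and not rpki-client's cert.c: a hand-rolled walk over the DER value of a certificatePolicies extension that applies the three rules the log message lists. The names `tlv` and `policy_ok` and the sample bytes are hypothetical and constructed for this example; it assumes short-form DER lengths and does not inspect the qualifier's own content.

```c
#include <stddef.h>
#include <string.h>
static const unsigned char cp_oid[] = {0x2b,6,1,5,5,7,14,2}; /* 1.3.6.1.5.5.7.14.2 */
static const unsigned char qt_cps[] = {0x2b,6,1,5,5,7,2,1};  /* 1.3.6.1.5.5.7.2.1 */
/* Constructed sample (not from a real certificate): one policy, CPS qualifier "a". */
const unsigned char sample_cps[] = { 0x30,0x1d, 0x30,0x1b, 0x06,0x08, 0x2b,6,1,5,5,7,14,2,
    0x30,0x0f, 0x30,0x0d, 0x06,0x08, 0x2b,6,1,5,5,7,2,1, 0x16,0x01,'a' };

/* Read one TLV with the given tag (short-form length only) and advance *p. */
static int tlv(const unsigned char **p, const unsigned char *end,
    unsigned char tag, const unsigned char **body, size_t *len)
{
    if (end - *p < 2 || (*p)[0] != tag || (*p)[1] >= 0x80 ||
        (size_t)(end - *p - 2) < (*p)[1])
        return 0;
    *body = *p + 2;
    *len = (*p)[1];
    *p = *body + *len;
    return 1;
}

/* Return 1 if the DER extension value meets the rules in the log message. */
int policy_ok(const unsigned char *der, size_t derlen)
{
    const unsigned char *p = der, *end = der + derlen, *b, *o, *q;
    size_t n, on;
    if (!tlv(&p, end, 0x30, &b, &n) || p != end)   /* certificatePolicies */
        return 0;
    p = b, end = b + n;
    if (!tlv(&p, end, 0x30, &b, &n) || p != end)   /* exactly one policy */
        return 0;
    p = b, end = b + n;
    if (!tlv(&p, end, 0x06, &o, &on) || on != 8 || memcmp(o, cp_oid, 8))
        return 0;
    if (p == end)                                  /* no qualifiers present */
        return 1;
    if (!tlv(&p, end, 0x30, &b, &n) || p != end || n == 0)
        return 0;
    for (p = b, end = b + n; p < end; ) {          /* each must be id-qt-cps */
        if (!tlv(&p, end, 0x30, &b, &n))
            return 0;
        q = b;
        if (!tlv(&q, b + n, 0x06, &o, &on) || on != 8 || memcmp(o, qt_cps, 8))
            return 0;
    }
    return 1;
}

int main(void) { return !policy_ok(sample_cps, sizeof sample_cps); }
```

Trailing bytes after the single PolicyInformation are what reject a second policy, which is why each level compares the cursor against the end of its enclosing SEQUENCE.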