Hi all,

An erratum exists for RFC 6482, which informs us: """The EE certificate
MUST NOT use "inherit" elements as described in [RFC3779].""" Read the
full report here: https://www.rfc-editor.org/errata/eid3166

Although it might seem a bit 'wasteful' to d2i the IP Resources
extension in multiple places, noodling through parameters for when to
check for inheritance and when not to check didn't improve code
readability. I'm open to suggestions on how to perform this check
differently.

OK?

Kind regards,

Job

Index: roa.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/roa.c,v
retrieving revision 1.49
diff -u -p -r1.49 roa.c
--- roa.c       10 Aug 2022 14:54:03 -0000      1.49
+++ roa.c       10 Aug 2022 15:02:05 -0000
@@ -206,6 +206,7 @@ roa_parse(X509 **x509, const char *fn, c
        unsigned char   *cms;
        int              rc = 0;
        const ASN1_TIME *at;
+       STACK_OF(IPAddressFamily)       *addrblk = NULL;
 
        memset(&p, 0, sizeof(struct parse));
        p.fn = fn;
@@ -234,6 +235,16 @@ roa_parse(X509 **x509, const char *fn, c
                goto out;
        }
 
+       addrblk = X509_get_ext_d2i(*x509, NID_sbgp_ipAddrBlock, NULL, NULL);
+       if (addrblk == NULL) {
+               warnx("%s: X509_get_ext_d2i NID_sbgp_ipAddrBlock failed", fn);
+               goto out;
+       }
+       if (X509v3_addr_inherits(addrblk)) {
+               warnx("%s: inherit is disallowed (IETF Errata ID 3166)", fn);
+               goto out;
+       }
+
        at = X509_get0_notAfter(*x509);
        if (at == NULL) {
                warnx("%s: X509_get0_notAfter failed", fn);
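Review bot: the message in `warnx("%s: X509_get_ext_d2i NID_sbgp_ipAddrBlock failed", fn);` conflates two distinct failures, because X509_get_ext_d2i() called with NULL `crit` and `idx` returns NULL both when the extension is absent from the EE certificate and when it is present but does not decode. Passing an `int crit` as the third argument lets the caller tell these apart (crit is set to -1 when the extension is not found and -2 when it occurs more than once; otherwise it holds the extension's criticality flag), so the warning can say "missing" versus "malformed", which is the information an operator needs when a ROA is rejected. The X509v3_addr_inherits() check itself matches the erratum text quoted in the mail.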
@@ -255,6 +266,7 @@ out:
                X509_free(*x509);
                *x509 = NULL;
        }
+       sk_IPAddressFamily_pop_free(addrblk, IPAddressFamily_free);
        free(cms);
        return p.res;
 }
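Review bot: the cleanup `sk_IPAddressFamily_pop_free(addrblk, IPAddressFamily_free);` at `out:` runs on every exit path, including the early `goto out` paths taken before the extension is decoded, so it depends on `addrblk` being initialised to NULL in its declaration and on the sk_*_pop_free() wrapper tolerating a NULL stack (which the OpenSSL/LibreSSL stack API does). Since nothing in roa_parse() uses addrblk after the X509v3_addr_inherits() check, freeing the stack right after that check and dropping it from the `out:` path would remove this coupling between the declaration and the cleanup label; if it stays at `out:`, a short comment noting that addrblk may be NULL here would help the next reader.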
