I would like to get rid of the ta flag on cert_parse_inner() and only do
the basic cert parse bits there. Then cert_parse() and ta_parse() do the
other bits.
This moves the easy checks to the right place.
--
:wq Claudio
Index: cert.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v
retrieving revision 1.56
diff -u -p -r1.56 cert.c
--- cert.c 4 Feb 2022 16:50:49 -0000 1.56
+++ cert.c 1 Apr 2022 12:20:31 -0000
@@ -1171,11 +1171,6 @@ cert_parse_inner(const char *fn, const u
p.fn);
goto out;
}
- if (ta) {
- warnx("%s: BGPsec cert can not be a trust anchor",
- p.fn);
- goto out;
- }
break;
default:
warnx("%s: x509_get_purpose failed in %s", p.fn, __func__);
@@ -1187,38 +1182,6 @@ cert_parse_inner(const char *fn, const u
goto out;
}
- if (ta && p.res->aki != NULL && strcmp(p.res->aki, p.res->ski)) {
- warnx("%s: RFC 6487 section 8.4.2: "
- "trust anchor AKI, if specified, must match SKI", p.fn);
- goto out;
- }
-
- if (!ta && p.res->aki == NULL) {
- warnx("%s: RFC 6487 section 8.4.2: "
- "non-trust anchor missing AKI", p.fn);
- goto out;
- } else if (!ta && strcmp(p.res->aki, p.res->ski) == 0) {
- warnx("%s: RFC 6487 section 8.4.2: "
- "non-trust anchor AKI may not match SKI", p.fn);
- goto out;
- }
-
- if (!ta && p.res->aia == NULL) {
- warnx("%s: RFC 6487 section 8.4.7: "
- "non-trust anchor missing AIA", p.fn);
- goto out;
- } else if (ta && p.res->aia != NULL) {
- warnx("%s: RFC 6487 section 8.4.7: "
- "trust anchor must not have AIA", p.fn);
- goto out;
- }
-
- if (ta && p.res->crl != NULL) {
- warnx("%s: RFC 6487 section 8.4.2: "
- "trust anchor may not specify CRL resource", p.fn);
- goto out;
- }
-
p.res->x509 = x;
rc = 1;
@@ -1233,7 +1196,31 @@ out:
struct cert *
cert_parse(const char *fn, const unsigned char *der, size_t len)
{
- return cert_parse_inner(fn, der, len, 0);
+ struct cert *p;
+
+ if ((p = cert_parse_inner(fn, der, len, 0)) == NULL)
+ return NULL;
+
+ if (p->aki == NULL) {
+ warnx("%s: RFC 6487 section 8.4.2: "
+ "non-trust anchor missing AKI", fn);
+ goto badcert;
+ }
+ if (strcmp(p->aki, p->ski) == 0) {
+ warnx("%s: RFC 6487 section 8.4.2: "
+ "non-trust anchor AKI may not match SKI", fn);
+ goto badcert;
+ }
+ if (p->aia == NULL) {
+ warnx("%s: RFC 6487 section 8.4.7: "
+ "non-trust anchor missing AIA", fn);
+ goto badcert;
+ }
+ return p;
+
+badcert:
+ cert_free(p);
+ return NULL;
}
struct cert *
@@ -1243,7 +1230,6 @@ ta_parse(const char *fn, const unsigned
ASN1_TIME *notBefore, *notAfter;
EVP_PKEY *pk = NULL, *opk = NULL;
struct cert *p;
- int rc = 0;
if ((p = cert_parse_inner(fn, der, len, 1)) == NULL)
return NULL;
@@ -1279,17 +1265,33 @@ ta_parse(const char *fn, const unsigned
warnx("%s: certificate has expired", fn);
goto badcert;
}
+ if (p->aki != NULL && strcmp(p->aki, p->ski)) {
+ warnx("%s: RFC 6487 section 8.4.2: "
+ "trust anchor AKI, if specified, must match SKI", fn);
+ goto badcert;
+ }
+ if (p->aia != NULL) {
+ warnx("%s: RFC 6487 section 8.4.7: "
+ "trust anchor must not have AIA", fn);
+ goto badcert;
+ }
+ if (p->crl != NULL) {
+ warnx("%s: RFC 6487 section 8.4.2: "
+ "trust anchor may not specify CRL resource", fn);
+ goto badcert;
+ }
+ if (p->purpose == CERT_PURPOSE_BGPSEC_ROUTER) {
+ warnx("%s: BGPsec cert can not be a trust anchor", fn);
+ goto badcert;
+ }
- rc = 1;
+ EVP_PKEY_free(pk);
+ return p;
badcert:
EVP_PKEY_free(pk);
- if (rc == 0) {
- cert_free(p);
- p = NULL;
- }
-
- return p;
+ cert_free(p);
+ return NULL;
}
/*
