p->res->mft and p->res->repo are populated in sbgp_sia_resource_entry().
Nothing guarantees that the resources are present. With our current
strstr() implementation we would let a cert with a missing mft through
while we would crash on a missing repo.
Also, we don't check that the SIA extension isn't critical.
Index: cert.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v
retrieving revision 1.61
diff -u -p -r1.61 cert.c
--- cert.c 4 Apr 2022 13:15:11 -0000 1.61
+++ cert.c 4 Apr 2022 18:12:23 -0000
@@ -305,6 +305,12 @@ sbgp_sia_resource(struct parse *p, const
goto out;
}
+ if (p->res->mft == NULL || p->res->repo == NULL) {
+ warnx("%s: RFC 6487 section 4.8.8: SIA missing caRepository "
+ "or rpkiManifest", p->fn);
+ goto out;
+ }
+
if (strstr(p->res->mft, p->res->repo) != p->res->mft) {
warnx("%s: RFC 6487 section 4.8.8: SIA: "
"conflicting URIs for caRepository and rpkiManifest",
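Review bot: The `strstr(p->res->mft, p->res->repo) != p->res->mft` test that the new NULL guard now protects is only a string-prefix comparison, so an rpkiManifest URI that merely starts with the caRepository string, with no `/` boundary after it, would still be accepted. If nothing outside this hunk guarantees that repo ends in `/`, the check should also require that boundary; the prefix test itself reads more directly as `strncmp(p->res->mft, p->res->repo, strlen(p->res->repo)) != 0`. The added warning also cannot tell an operator which of the two URIs was absent; testing the pointers separately would give a precise log line. sbgp_sia_resource() starts and ends outside the hunk, so the cleanup at `out` is not visible here.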
@@ -329,6 +335,12 @@ sbgp_sia(struct parse *p, X509_EXTENSION
ASN1_SEQUENCE_ANY *seq = NULL;
const ASN1_TYPE *t;
int dsz, rc = 0;
+
+ if (X509_EXTENSION_get_critical(ext)) {
+ warnx("%s: RFC 6487 section 4.8.8: SIA: "
+ "extension not non-critical", p->fn);
+ goto out;
+ }
if ((dsz = i2d_X509_EXTENSION(ext, &sv)) < 0) {
cryptowarnx("%s: RFC 6487 section 4.8.8: SIA: "
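Review bot: The new `goto out` for a critical SIA extension is taken before `i2d_X509_EXTENSION()` has written `sv`, so the cleanup at `out` sees whatever value `sv` had at its declaration. `seq` is visibly initialised to NULL, but the declaration of `sv` is above the hunk; please confirm it is initialised to NULL as well, otherwise this early exit presumably hands an uninitialised pointer to the cleanup code. A one-line comment above the check, `/* RFC 6487 section 4.8.8: SIA must be non-critical */`, would also make the double negative in the warning text easier to read. sbgp_sia() continues past the end of the hunk.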