The first warning cannot be hit because X509v3_asid_is_canonical() errors on empty asIdsOrRanges sequences. This is not the case for IPAddrBlocks...
There is some ambiguity in RFC 6487, 4.8.10 whether empty ipAddressesOrRanges are allowed or not. I opted for the stricter interpretation matching AS numbers and likely the intent. Index: cert.c =================================================================== RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v retrieving revision 1.108 diff -u -p -r1.108 cert.c --- cert.c 9 May 2023 10:34:32 -0000 1.108 +++ cert.c 20 Jun 2023 20:05:44 -0000 @@ -204,6 +204,11 @@ sbgp_assysnum(struct parse *p, X509_EXTE goto out; } + if (asz == 0) { + warnx("%s: RFC 6487 section 4.8.11: empty asIdsOrRanges", + p->fn); + goto out; + } if (asz >= MAX_AS_SIZE) { warnx("%s: too many AS number entries: limit %d", p->fn, MAX_AS_SIZE); @@ -371,6 +376,11 @@ sbgp_ipaddrblk(struct parse *p, X509_EXT p->fn, af->ipAddressChoice->type); goto out; } + if (ipsz == p->res->ipsz) { + warnx("%s: RFC 6487 4.8.10: empty ipAddressesOrRanges", + p->fn); + goto out; + } if (ipsz >= MAX_IP_SIZE) goto out; @@ -410,6 +420,11 @@ sbgp_ipaddrblk(struct parse *p, X509_EXT goto out; } } + } + + if (p->res->ipsz == 0) { + warnx("%s: RFC 6487 section 4.8.10: empty ipAddrBlock", p->fn); + goto out; } rc = 1;
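Review bot: In the sbgp_assysnum hunk (@@ -204,6 +204,11), the new `if (asz == 0)` branch is described in the accompanying message as unreachable, because X509v3_asid_is_canonical() already rejects empty asIdsOrRanges, but nothing in the code says so. A one-line comment above the check stating that it is a defensive guard that does not depend on the library's canonicity check would stop a later reader from removing it as dead code. The warning text here uses "RFC 6487 section 4.8.11" while the next hunk writes "RFC 6487 4.8.10" without "section"; pick one form for all three messages.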
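Review bot: In the first sbgp_ipaddrblk hunk (@@ -371,6 +376,11), `if (ipsz == p->res->ipsz)` only reads as an emptiness test if ipsz was computed as the existing total plus the number of entries in the current address family, and that computation is not visible in the hunk. Either add a short comment saying that equality means this family contributed zero entries, or test the per-family count directly so the intent is explicit. The ambiguity in RFC 6487 4.8.10 noted in the message, and the decision to take the stricter reading, also belongs in a code comment here, since that choice is what causes such certificates to be rejected. Note too that the unchanged `if (ipsz >= MAX_IP_SIZE) goto out;` right after it fails silently, unlike the AS counterpart, which warns with the limit.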
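Review bot: In the last sbgp_ipaddrblk hunk (@@ -410,6 +420,11), the `if (p->res->ipsz == 0)` check rejects a certificate on the accumulated total, but p->res->ipsz is compared against a running value in the previous hunk, which suggests it may already be non-zero (or zero for other reasons) depending on what ran before this function. Please confirm two things and document them in a comment: that p->res->ipsz is always 0 on entry to this function, and that a family using the inherit choice still adds an entry, since otherwise an inherit-only extension would be reported as "empty ipAddrBlock". The message text also says "ipAddrBlock" where the description above talks about IPAddrBlocks, so name the structure that is actually empty.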