ensure oid_and_value references OID-Tree

diff --git a/src/protocols/der/base.c b/src/protocols/der/base.c
index 1c94ac0dfb7785b3093f74ae57db894aa296c72f..79c17616d0cbddab26288538aaae78870a3b8922 100644 (file)
--- a/src/protocols/der/base.c
+++ b/src/protocols/der/base.c
@@ -692,6 +692,14 @@ static bool attr_valid(fr_dict_attr_t *da)
 {
        fr_der_attr_flags_t *flags = fr_dict_attr_ext(da->parent, FR_DICT_ATTR_EXT_PROTOCOL_SPECIFIC);
 
+       /*
+        *      sequence_of=oid_and_value has to have a reference to the OID tree.
+        */
+       if (flags->is_pair && !fr_dict_attr_ref(da)) {
+               fr_strerror_const("Flag has 'oid_and_value' set, but is missing 'ref=OID-Tree'");
+               return false;
+       }
+
        if (flags->is_sequence_of || flags->is_set_of) {
                fr_der_tag_t of_type = (flags->is_sequence_of ?
                                        flags->sequence_of :
@@ -742,6 +750,19 @@ static bool attr_valid(fr_dict_attr_t *da)
                        return false;
                }
 
+#if 0
+               /*
+                *      Group refs are added as unresolved refs, see dict_flag_ref(), and are resolved later
+                *      in dict_fixup_group_apply().
+                *
+                *      @todo - have a function called from dict_attr_finalize() ?
+                */
+               if (!fr_dict_attr_ref(da)) {
+                       fr_strerror_const("Attribute is 'x509_extensions', but is missing 'ref=OID-Tree'");
+                       return false;
+               }
+#endif
+
                /*
                 *      Avoid run-time checks.
                 */