Validate certificate policies extension

diff --git a/src/common.c b/src/common.c
index c9138aa4f7f1231723e12b4502a8351f607a22e9..df54b9d2532112aed9e62be40199299dc6195efb 100644 (file)
--- a/src/common.c
+++ b/src/common.c
@@ -7,6 +7,8 @@
 int NID_rpkiManifest;
 int NID_signedObject;
 int NID_rpkiNotify;
+int NID_certPolicyRpki;
+int NID_certPolicyRpkiV2;
 
 int
 string_clone(void const *string, size_t size, char **clone)

diff --git a/src/common.h b/src/common.h
index e50f7d3605677d856697b0a656719ef35eaf9da5..07024f03da6976ad7e63aff97c933a01d8f9093a 100644 (file)
--- a/src/common.h
+++ b/src/common.h
@@ -19,6 +19,8 @@
 extern int NID_rpkiManifest;
 extern int NID_signedObject;
 extern int NID_rpkiNotify;
+extern int NID_certPolicyRpki;
+extern int NID_certPolicyRpkiV2;
 
 #define ARRAY_LEN(array) (sizeof(array) / sizeof(array[0]))
 

diff --git a/src/main.c b/src/main.c
index a1594254213251c1b6b51e67f9df4ffd2d4e1676..d4417712f56c56f164b103c081585ffdfe05cbf3 100644 (file)
--- a/src/main.c
+++ b/src/main.c
@@ -35,6 +35,17 @@ add_rpki_oids(void)
            "rpkiNotify",
            "RPKI Update Notification File (RFC 8182)");
        printf("rpkiNotify registered. Its nid is %d.\n", NID_rpkiNotify);
+
+       NID_certPolicyRpki = OBJ_create("1.3.6.1.5.5.7.14.2",
+           "id-cp-ipAddr-asNumber (RFC 6484)",
+           "Certificate Policy (CP) for the Resource PKI (RPKI)");
+       printf("certPolicyRpki registered. Its nid is %d.\n", NID_certPolicyRpki);
+
+       NID_certPolicyRpkiV2 = OBJ_create("1.3.6.1.5.5.7.14.3",
+           "id-cp-ipAddr-asNumber-v2 (RFC 8360)",
+           "Certificate Policy for Use with Validation Reconsidered in the RPKI");
+       printf("certPolicyRpkiV2 registered. Its nid is %d.\n",
+           NID_certPolicyRpkiV2);
 }
 
 /**

diff --git a/src/object/certificate.c b/src/object/certificate.c
index db2cb9cb8dde025df77ecd9581620f5fb64cf8a0..c46019206a32cbef5368485a50fbcb9700c998d7 100644 (file)
--- a/src/object/certificate.c
+++ b/src/object/certificate.c
@@ -1150,7 +1150,51 @@ handle_sia_ee(X509_EXTENSION *ext, void *arg)
 static int
 handle_cp(X509_EXTENSION *ext, void *arg)
 {
-       return 0; /* TODO (certext) Implement */
+       CERTIFICATEPOLICIES *cp;
+       POLICYINFO *pi;
+       POLICYQUALINFO *pqi;
+       int error, nid_cp, nid_qt_cps, pqi_num;
+
+       error = 0;
+       cp = X509V3_EXT_d2i(ext);
+       if (cp == NULL)
+               return cannot_decode(&CP);
+
+       if (sk_POLICYINFO_num(cp) != 1) {
+               error = pr_err("The %s extension has %u policy information's. (1 expected)",
+                   CP.name, sk_POLICYINFO_num(cp));
+               goto end;
+       }
+
+       /* rfc7318#section-2 and consider rfc8360#section-4.2.1 */
+       pi = sk_POLICYINFO_value(cp, 0);
+       nid_cp = OBJ_obj2nid(pi->policyid);
+       if (nid_cp != NID_certPolicyRpki && nid_cp != NID_certPolicyRpkiV2) {
+               error = pr_err("Invalid certificate policy OID, isn't 'id-cp-ipAddr-asNumber' nor 'id-cp-ipAddr-asNumber-v2'");
+               goto end;
+       }
+       /* Exactly one policy qualifier MAY be included (so none is also valid) */
+       if (pi->qualifiers == NULL)
+               goto end;
+
+       pqi_num = sk_POLICYQUALINFO_num(pi->qualifiers);
+       if (pqi_num == 0)
+               goto end;
+       if (pqi_num != 1) {
+               error = pr_err("The %s extension has %d policy qualifiers. (none or only 1 expected)",
+                   CP.name, pqi_num);
+               goto end;
+       }
+
+       pqi = sk_POLICYQUALINFO_value(pi->qualifiers, 0);
+       nid_qt_cps = OBJ_obj2nid(pqi->pqualid);
+       if (nid_qt_cps != NID_id_qt_cps) {
+               error = pr_err("Policy qualifier ID isn't Certification Practice Statement (CPS)");
+               goto end;
+       }
+end:
+       CERTIFICATEPOLICIES_free(cp);
+       return error;
 }
 
 static int