From: Alberto Leiva Popper Date: Mon, 29 Sep 2025 23:50:53 +0000 (-0600) Subject: Fix caIssuers validation for TA children X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0924f3dccb9debf1212267e302bb032a69a9af47;p=thirdparty%2FFORT-validator.git Fix caIssuers validation for TA children It was comparing the caIssuers URI to the parent's URL. The problem was that caIssuers is always an rsync URI, and the TA is the only file that can be downloaded directly via HTTP (using an HTTP URL). It's one of those rare situations in which URI != URL.
---
diff --git a/src/object/certificate.c b/src/object/certificate.c
index 00747cfd..2255e988 100644
--- a/src/object/certificate.c
+++ b/src/object/certificate.c
@@ -1720,12 +1720,21 @@ handle_cp(void *ext, void *arg)
 static int
 validate_aia(struct rpki_certificate *cert)
 {
-	if (!uri_equals(&cert->parent->map.url, &cert->uris.caIssuers))
-		return pr_err("Certificate's caIssuers (%s) does not match parent certificate's URL (%s).",
-		    uri_str(&cert->parent->map.url),
-		    uri_str(&cert->uris.caIssuers));
+	struct uri *uri;
 
-	return 0;
+	if (cert->parent->type == CERTYPE_TA) {
+		ARRAYLIST_FOREACH(&cert->parent->tal->urls, uri)
+			if (uri_equals(&cert->uris.caIssuers, uri))
+				return 0;
+		return pr_err("Certificate's caIssuers (%s) does not match any of the TAL's rsync URIs.",
+		    uri_str(&cert->uris.caIssuers));
+	} else {
+		if (uri_equals(&cert->uris.caIssuers, &cert->parent->map.url))
+			return 0;
+		return pr_err("Certificate's caIssuers (%s) does not match parent certificate's URI (%s).",
+		    uri_str(&cert->uris.caIssuers),
+		    uri_str(&cert->parent->uris.caRepository));
+	}
 }
 
 static int
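Review bot: In the else branch of validate_aia, the error message reports `cert->parent->uris.caRepository` while the comparison just above it was made against `cert->parent->map.url`, so a rejected certificate is logged with a URI other than the one the check actually compared, which makes the failure harder to diagnose from the log. Unless printing the parent's caRepository is deliberate, the second argument should be `uri_str(&cert->parent->map.url)`, matching the wording "parent certificate's URI". The TA branch dereferences `cert->parent->tal` with no null check; if every CERTYPE_TA parent is guaranteed to carry a tal pointer that is fine, but it is not visible from this hunk. As a point of style, the unbraced `ARRAYLIST_FOREACH` body wrapping an unbraced `if` would read more safely with braces around the loop body.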