From: Alberto Leiva Popper <ydahhrk@gmail.com>
Date: Thu, 3 Feb 2022 22:14:40 +0000 (-0600)
Subject: Certificate: Enforce rsync in certain Access Descriptions
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2b0bba796abfa17f5ddd57d6f770de1aa32b339e;p=thirdparty%2FFORT-validator.git

Certificate: Enforce rsync in certain Access Descriptions

Access Descriptions in which only rsync is currently meaningful:

1. rpkiManifest
2. caIssuer
3. signedObject

URIs other than rsync are ignored.

I think this was also removed during the
f5b1b456b9c8123a10c24be8c5d5f6c02ebe46b4 refactor. It's back now.
---

diff --git a/src/object/certificate.c b/src/object/certificate.c
index 1fad192d..4205911f 100644
--- a/src/object/certificate.c
+++ b/src/object/certificate.c
@@ -1450,10 +1450,16 @@ asnstr2str(ASN1_STRING *asnstr, char **result)
 	return string_clone(ASN1_STRING_get0_data(asnstr), str_len, result);
 }
 
+static bool
+starts_with(char *str, char *pfx)
+{
+	return strncmp(str, pfx, strlen(pfx)) == 0;
+}
+
 /* Create @uri from @ad */
 static int
 add_ad(struct uri_list *uris, ACCESS_DESCRIPTION *ad,
-    enum rpki_uri_type uri_type)
+    enum rpki_uri_type uri_type, bool rsync_only)
 {
 	ASN1_STRING *asn1_string;
 	char *cstring;
@@ -1490,13 +1496,18 @@ add_ad(struct uri_list *uris, ACCESS_DESCRIPTION *ad,
 	if (error)
 		return error;
 
+	if (rsync_only && !starts_with(cstring, "rsync://")) {
+		free(cstring);
+		return ENOTSUPPORTED;
+	}
+
 	return uris_add_str(uris, cstring, uri_type);
 }
 
 static int
 ia2uris(AUTHORITY_INFO_ACCESS *ia, char const *ext_name,
     struct ad_metadata const *ad_metas, char const *ad_name,
-    struct uri_list *uris)
+    bool rsync_only, struct uri_list *uris)
 {
 	ACCESS_DESCRIPTION *ad;
 	struct ad_metadata const *meta;
@@ -1510,7 +1521,8 @@ ia2uris(AUTHORITY_INFO_ACCESS *ia, char const *ext_name,
 
 		for (meta = ad_metas; meta->nid != 0; meta++) {
 			if (ad_nid == meta->nid) {
-				error = add_ad(uris, ad, meta->uri_type);
+				error = add_ad(uris, ad, meta->uri_type,
+				    rsync_only);
 				if (error == ENOTSUPPORTED)
 					break;
 				if (error)
@@ -1558,9 +1570,7 @@ ext2uris(X509_EXTENSION *ext, char const *ext_name,
 	if (ia == NULL)
 		return cannot_decode(ext_aia());
 
-	error = ia2uris(ia, ext_name, ad_metas, ad_name, uris);
-
-	/* TODO (aaaa) force rsync only */
+	error = ia2uris(ia, ext_name, ad_metas, ad_name, true, uris);
 
 	AUTHORITY_INFO_ACCESS_free(ia);
 	return error;
@@ -1607,10 +1617,11 @@ handle_sia_ca(X509_EXTENSION *ext, void *arg)
 	 */
 
 	uris = arg;
-	error = ia2uris(sia, "SIA", sia_metadata, "source", &uris->src);
+	error = ia2uris(sia, "SIA", sia_metadata, "source", false, &uris->src);
 	if (error)
 		goto end;
-	error = ia2uris(sia, "SIA", mft_metadata, "rpkiManifest", &uris->mft);
+	error = ia2uris(sia, "SIA", mft_metadata, "rpkiManifest", true,
+	    &uris->mft);
 	if (error)
 		goto end;