From 0924f3dccb9debf1212267e302bb032a69a9af47 Mon Sep 17 00:00:00 2001
From: Alberto Leiva Popper
Date: Mon, 29 Sep 2025 17:50:53 -0600
Subject: [PATCH] Fix caIssuers validation for TA children

It was comparing the caIssuers URI to the parent's URL.

The problem was that caIssuers is always an rsync URI, and the TA is the
only file that can be downloaded directly via HTTP (using an HTTP URL).
It's one of those rare situations in which URI != URL.
---
 src/object/certificate.c | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/src/object/certificate.c b/src/object/certificate.c
index 00747cfd..2255e988 100644
--- a/src/object/certificate.c
+++ b/src/object/certificate.c
@@ -1720,12 +1720,21 @@ handle_cp(void *ext, void *arg)
 static int
 validate_aia(struct rpki_certificate *cert)
 {
-	if (!uri_equals(&cert->parent->map.url, &cert->uris.caIssuers))
-		return pr_err("Certificate's caIssuers (%s) does not match parent certificate's URL (%s).",
-		    uri_str(&cert->parent->map.url),
-		    uri_str(&cert->uris.caIssuers));
+	struct uri *uri;
 
-	return 0;
+	if (cert->parent->type == CERTYPE_TA) {
+		ARRAYLIST_FOREACH(&cert->parent->tal->urls, uri)
+			if (uri_equals(&cert->uris.caIssuers, uri))
+				return 0;
+		return pr_err("Certificate's caIssuers (%s) does not match any of the TAL's rsync URIs.",
+		    uri_str(&cert->uris.caIssuers));
+	} else {
+		if (uri_equals(&cert->uris.caIssuers, &cert->parent->map.url))
+			return 0;
+		return pr_err("Certificate's caIssuers (%s) does not match parent certificate's URI (%s).",
+		    uri_str(&cert->uris.caIssuers),
+		    uri_str(&cert->parent->uris.caRepository));
+	}
 }
 
 static int
-- 
2.47.3
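Review bot: The else branch's diagnostic reports a value other than the one it compared: the new check is `uri_equals(&cert->uris.caIssuers, &cert->parent->map.url)`, but the second `%s` is fed `uri_str(&cert->parent->uris.caRepository)`, so when validation rejects a certificate the log shows the parent's caRepository rather than the URL the comparison actually failed against. That sends whoever is triaging the rejection to the wrong URI, and it silently changes what the message claims to print relative to the removed code, which printed `map.url`. The last argument should be `uri_str(&cert->parent->map.url));` to match the comparison; if caRepository is the intended reference, the format string should name it and the comparison should use it too. The TA branch also dereferences `cert->parent->tal` without a check, which is presumably an established invariant for CERTYPE_TA parents but is not visible in this hunk.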