From cce301860d846262d590eda9542c4f6772d2e9c4 Mon Sep 17 00:00:00 2001
From: Alberto Leiva Popper
Date: Wed, 20 Feb 2019 14:03:39 -0600
Subject: [PATCH] Implement forgotten requirement from RFC6493

"This EE certificate MUST describe its Internet Number Resources using the "inherit" attribute, rather than explicit description of a resource set; see [RFC3779]."
---
 src/asn1/signed_data.c | 6 +++--
 src/asn1/signed_data.h | 2 +-
 src/object/ghostbusters.c | 2 +-
 src/object/manifest.c | 2 +-
 src/object/roa.c | 2 +-
 src/resource.c | 48 ++++++++++++++++++++++++++++-----------
 src/resource.h | 2 +-
 src/state.c | 2 +-
 8 files changed, 45 insertions(+), 21 deletions(-)

diff --git a/src/asn1/signed_data.c b/src/asn1/signed_data.c
index 39b47f28..26790feb 100644
--- a/src/asn1/signed_data.c
+++ b/src/asn1/signed_data.c
@@ -19,9 +19,11 @@ static const OID oid_bsta = OID_BINARY_SIGNING_TIME_ATTR;
 
 int
 signed_object_args_init(struct signed_object_args *args,
- struct rpki_uri const *uri, STACK_OF(X509_CRL) *crls)
+ struct rpki_uri const *uri,
+ STACK_OF(X509_CRL) *crls,
+ bool force_inherit)
 {
- args->res = resources_create();
+ args->res = resources_create(force_inherit);
 if (args->res == NULL)
 return pr_enomem();
 
diff --git a/src/asn1/signed_data.h b/src/asn1/signed_data.h
index bf31fb83..75ca7089 100644
--- a/src/asn1/signed_data.h
+++ b/src/asn1/signed_data.h
@@ -26,7 +26,7 @@ struct signed_object_args {
 };
 
 int signed_object_args_init(struct signed_object_args *,
- struct rpki_uri const *, STACK_OF(X509_CRL) *);
+ struct rpki_uri const *, STACK_OF(X509_CRL) *, bool);
 void signed_object_args_cleanup(struct signed_object_args *);
 
 int signed_data_decode(ANY_t *, struct signed_object_args *args,
diff --git a/src/object/ghostbusters.c b/src/object/ghostbusters.c
index 83fb7ae6..26ea77b5 100644
--- a/src/object/ghostbusters.c
+++ b/src/object/ghostbusters.c
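Review bot: The new `bool` parameter in the signed_object_args_init prototype is unnamed and undocumented, so a reader of signed_data.h cannot tell what passing `true` means without opening resource.c; the same applies to `resources_create(bool)` in the resource.h hunk further down. A comment above the prototype would close that gap, e.g. `/* Last argument is force_inherit: reject a certificate that defines its own IP/AS resources instead of inheriting them (RFC 6493 EE certificates). */`. `bool` also needs `<stdbool.h>` in scope in both headers; the include lists are outside these hunks, so worth confirming.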
@@ -25,7 +25,7 @@ handle_ghostbusters(struct rpki_uri const *uri, struct rpp *pp,
 pr_debug_add("Ghostbusters %s {", uri->global);
 fnstack_push(uri->global);
 
- error = signed_object_args_init(&sobj_args, uri, crls);
+ error = signed_object_args_init(&sobj_args, uri, crls, true);
 if (error)
 goto end1;
 
diff --git a/src/object/manifest.c b/src/object/manifest.c
index 534a32ca..c9f766ce 100644
--- a/src/object/manifest.c
+++ b/src/object/manifest.c
@@ -188,7 +188,7 @@ handle_manifest(struct rpki_uri const *uri, STACK_OF(X509_CRL) *crls,
 pr_debug_add("Manifest %s {", uri->global);
 fnstack_push(uri->global);
 
- error = signed_object_args_init(&sobj_args, uri, crls);
+ error = signed_object_args_init(&sobj_args, uri, crls, false);
 if (error)
 goto end1;
 mft.file_path = uri->global;
diff --git a/src/object/roa.c b/src/object/roa.c
index c4339880..2a51685a 100644
--- a/src/object/roa.c
+++ b/src/object/roa.c
@@ -212,7 +212,7 @@ handle_roa(struct rpki_uri const *uri, struct rpp *pp,
 pr_debug_add("ROA %s {", uri->global);
 fnstack_push(uri->global);
 
- error = signed_object_args_init(&sobj_args, uri, crls);
+ error = signed_object_args_init(&sobj_args, uri, crls, false);
 if (error)
 goto end1;
 
diff --git a/src/resource.c b/src/resource.c
index 5366f6ed..99b2d55c 100644
--- a/src/resource.c
+++ b/src/resource.c
@@ -17,10 +17,19 @@ struct resources {
 struct resources_ipv6 *ip6s;
 struct resources_asn *asns;
 enum rpki_policy policy;
+ /**
+ * Should we ban the embedded certificate from defining its own
+ * resources? (Otherwise it's only allowed to inherit them.)
+ *
+ * This should not be implemented as a separate policy, because @policy
+ * still has to decide whether the certificate is allowed to contain
+ * classic or revised extensions.
+ */
+ bool force_inherit;
 };
 
 struct resources *
-resources_create(void)
+resources_create(bool force_inherit)
 {
 struct resources *result;
 
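Review bot: manifest.c passes `false`, which leaves manifest EE certificates free to carry explicit resource sets, while my reading of RFC 6486 §5.1 is that it imposes the same "inherit" requirement the commit cites from RFC 6493 — please check the RFC text, as I am quoting from memory. If that holds, the manifest call should be `error = signed_object_args_init(&sobj_args, uri, crls, true);`. ROA EE certificates (roa.c) legitimately describe their resources explicitly, so `false` there looks right. handle_manifest's body continues outside the hunk.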
@@ -32,6 +41,7 @@ resources_create(void)
 result->ip6s = NULL;
 result->asns = NULL;
 result->policy = RPKI_POLICY_RFC6484;
+ result->force_inherit = force_inherit;
 
 return result;
 }
@@ -327,6 +337,8 @@ add_aors(struct resources *resources, int family,
 int i;
 int error;
 
+ if (resources->force_inherit)
+ return pr_err("Certificate is only allowed to inherit resources, but defines its own IP addresses or ranges.");
 if (aors->list.count == 0)
 return pr_err("IP extension's set of IP address records is empty.");
 
@@ -495,13 +507,32 @@ add_asior(struct resources *resources, struct ASIdOrRange *obj)
 return pr_err("Unknown ASIdOrRange type: %u", obj->present);
 }
 
-int
-resources_add_asn(struct resources *resources, struct ASIdentifiers *ids)
+static int
+add_asiors(struct resources *resources, struct ASIdentifiers *ids)
 {
 struct ASIdentifierChoice__asIdsOrRanges *iors;
 int i;
 int error;
 
+ if (resources->force_inherit)
+ return pr_err("Certificate is only allowed to inherit resources, but defines its own AS numbers.");
+
+ iors = &ids->asnum->choice.asIdsOrRanges;
+ if (iors->list.count == 0)
+ return pr_err("AS extension's set of AS number records is empty.");
+
+ for (i = 0; i < iors->list.count; i++) {
+ error = add_asior(resources, iors->list.array[i]);
+ if (error)
+ return error;
+ }
+
+ return 0;
+}
+
+int
+resources_add_asn(struct resources *resources, struct ASIdentifiers *ids)
+{
 if (ids->asnum == NULL)
 return pr_err("ASN extension lacks 'asnum' element.");
 if (ids->rdi != NULL)
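Review bot: The force_inherit check in add_aors only fires when the certificate carries an explicit IP set, so an EE certificate that omits the resource extensions altogether is not rejected by this code even though the cited text says it MUST describe its resources with "inherit"; whether that case is already caught by the certificate-level checks (RFC 6487 requires at least one of the two extensions) is outside the hunk, so worth confirming. Placing the new check ahead of the empty-list check is the right order, since the policy violation is then what gets reported. A short why-comment would help the next reader: `/* RFC 6493 EE certificates may only inherit; report that before inspecting the list. */`. add_aors's body continues outside the hunk.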
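Review bot: add_asiors dereferences `ids->asnum` without checking it, relying on resources_add_asn having rejected a NULL `asnum` before the switch reaches it; that holds in this commit but is invisible at the new function, so a precondition comment at its top would protect the next caller: `/* Precondition: ids->asnum != NULL (checked by resources_add_asn). */`. The force_inherit check being first in add_asiors mirrors add_aors, which is good; the two messages could share a common prefix to make log filtering easier, but that is a style choice.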
@@ -511,16 +542,7 @@ resources_add_asn(struct resources *resources, struct ASIdentifiers *ids)
 case ASIdentifierChoice_PR_inherit:
 return inherit_asiors(resources);
 case ASIdentifierChoice_PR_asIdsOrRanges:
- iors = &ids->asnum->choice.asIdsOrRanges;
- if (iors->list.count == 0)
- return pr_err("AS extension's set of AS number records is empty.");
- for (i = 0; i < iors->list.count; i++) {
- error = add_asior(resources, iors->list.array[i]);
- if (error)
- return error;
- }
- return 0;
-
+ return add_asiors(resources, ids);
 case ASIdentifierChoice_PR_NOTHING:
 break;
 }
diff --git a/src/resource.h b/src/resource.h
index 62101da5..b4a5655d 100644
--- a/src/resource.h
+++ b/src/resource.h
@@ -23,7 +23,7 @@ int get_addr_family(OCTET_STRING_t *);
 
 struct resources;
 
-struct resources *resources_create(void);
+struct resources *resources_create(bool);
 void resources_destroy(struct resources *);
 
 int resources_add_ip(struct resources *, struct IPAddressFamily *);
diff --git a/src/state.c b/src/state.c
index 07ba2032..179df39a 100644
--- a/src/state.c
+++ b/src/state.c
@@ -253,7 +253,7 @@ validation_push_cert(struct validation *state, struct rpki_uri const *cert_uri,
 error = subjects_init(&cert->subjects);
 if (error)
 goto end3;
- cert->resources = resources_create();
+ cert->resources = resources_create(false);
 if (cert->resources == NULL) {
 error = pr_enomem();
 goto end4;
-- 
2.47.3