Implement forgotten requirement from RFC6493

"This EE certificate MUST describe its Internet Number Resources
using the "inherit" attribute, rather than explicit description of
a resource set; see [RFC3779]."

diff --git a/src/asn1/signed_data.c b/src/asn1/signed_data.c
index 39b47f28c55921c6f1357ade9c612d10e4e4de47..26790feb6ff12cd638161ed92295b05555cb4564 100644 (file)
--- a/src/asn1/signed_data.c
+++ b/src/asn1/signed_data.c
@@ -19,9 +19,11 @@ static const OID oid_bsta = OID_BINARY_SIGNING_TIME_ATTR;
 
 int
 signed_object_args_init(struct signed_object_args *args,
-    struct rpki_uri const *uri, STACK_OF(X509_CRL) *crls)
+    struct rpki_uri const *uri,
+    STACK_OF(X509_CRL) *crls,
+    bool force_inherit)
 {
-       args->res = resources_create();
+       args->res = resources_create(force_inherit);
        if (args->res == NULL)
                return pr_enomem();
 

diff --git a/src/asn1/signed_data.h b/src/asn1/signed_data.h
index bf31fb83744494d31625fcdc1b46b46274776ff7..75ca70899b324afb8a6d5186962870419eb58fd9 100644 (file)
--- a/src/asn1/signed_data.h
+++ b/src/asn1/signed_data.h
@@ -26,7 +26,7 @@ struct signed_object_args {
 };
 
 int signed_object_args_init(struct signed_object_args *,
-    struct rpki_uri const *, STACK_OF(X509_CRL) *);
+    struct rpki_uri const *, STACK_OF(X509_CRL) *, bool);
 void signed_object_args_cleanup(struct signed_object_args *);
 
 int signed_data_decode(ANY_t *, struct signed_object_args *args,

diff --git a/src/object/ghostbusters.c b/src/object/ghostbusters.c
index 83fb7ae66a03e1b270288b2f776c5344aebf5c9f..26ea77b5c8883a40739b3c36e40f4236bfbad136 100644 (file)
--- a/src/object/ghostbusters.c
+++ b/src/object/ghostbusters.c
@@ -25,7 +25,7 @@ handle_ghostbusters(struct rpki_uri const *uri, struct rpp *pp,
        pr_debug_add("Ghostbusters %s {", uri->global);
        fnstack_push(uri->global);
 
-       error = signed_object_args_init(&sobj_args, uri, crls);
+       error = signed_object_args_init(&sobj_args, uri, crls, true);
        if (error)
                goto end1;
 

diff --git a/src/object/manifest.c b/src/object/manifest.c
index 534a32cad64ab891baed8e9940e6830752fe77bc..c9f766ce46bab34f49430283c593cb8d4a614a3d 100644 (file)
--- a/src/object/manifest.c
+++ b/src/object/manifest.c
@@ -188,7 +188,7 @@ handle_manifest(struct rpki_uri const *uri, STACK_OF(X509_CRL) *crls,
        pr_debug_add("Manifest %s {", uri->global);
        fnstack_push(uri->global);
 
-       error = signed_object_args_init(&sobj_args, uri, crls);
+       error = signed_object_args_init(&sobj_args, uri, crls, false);
        if (error)
                goto end1;
        mft.file_path = uri->global;

diff --git a/src/object/roa.c b/src/object/roa.c
index c4339880e442ccd4b488974ff7e3685e6fae8538..2a51685ae01db632842a5002c429f5a4d6aaebd5 100644 (file)
--- a/src/object/roa.c
+++ b/src/object/roa.c
@@ -212,7 +212,7 @@ handle_roa(struct rpki_uri const *uri, struct rpp *pp,
        pr_debug_add("ROA %s {", uri->global);
        fnstack_push(uri->global);
 
-       error = signed_object_args_init(&sobj_args, uri, crls);
+       error = signed_object_args_init(&sobj_args, uri, crls, false);
        if (error)
                goto end1;
 

diff --git a/src/resource.c b/src/resource.c
index 5366f6ed7b6c3185ad68edb16bb63e570d45fda0..99b2d55cd61141c0e62a581cea48ea7cb8c00d8f 100644 (file)
--- a/src/resource.c
+++ b/src/resource.c
@@ -17,10 +17,19 @@ struct resources {
        struct resources_ipv6 *ip6s;
        struct resources_asn *asns;
        enum rpki_policy policy;
+       /**
+        * Should we ban the embedded certificate from defining its own
+        * resources? (Otherwise it's only allowed to inherit them.)
+        *
+        * This should not be implemented as a separate policy, because @policy
+        * still has to decide whether the certificate is allowed to contain
+        * classic or revised extensions.
+        */
+       bool force_inherit;
 };
 
 struct resources *
-resources_create(void)
+resources_create(bool force_inherit)
 {
        struct resources *result;
 
@@ -32,6 +41,7 @@ resources_create(void)
        result->ip6s = NULL;
        result->asns = NULL;
        result->policy = RPKI_POLICY_RFC6484;
+       result->force_inherit = force_inherit;
 
        return result;
 }
@@ -327,6 +337,8 @@ add_aors(struct resources *resources, int family,
        int i;
        int error;
 
+       if (resources->force_inherit)
+               return pr_err("Certificate is only allowed to inherit resources, but defines its own IP addresses or ranges.");
        if (aors->list.count == 0)
                return pr_err("IP extension's set of IP address records is empty.");
 
@@ -495,13 +507,32 @@ add_asior(struct resources *resources, struct ASIdOrRange *obj)
        return pr_err("Unknown ASIdOrRange type: %u", obj->present);
 }
 
-int
-resources_add_asn(struct resources *resources, struct ASIdentifiers *ids)
+static int
+add_asiors(struct resources *resources, struct ASIdentifiers *ids)
 {
        struct ASIdentifierChoice__asIdsOrRanges *iors;
        int i;
        int error;
 
+       if (resources->force_inherit)
+               return pr_err("Certificate is only allowed to inherit resources, but defines its own AS numbers.");
+
+       iors = &ids->asnum->choice.asIdsOrRanges;
+       if (iors->list.count == 0)
+               return pr_err("AS extension's set of AS number records is empty.");
+
+       for (i = 0; i < iors->list.count; i++) {
+               error = add_asior(resources, iors->list.array[i]);
+               if (error)
+                       return error;
+       }
+
+       return 0;
+}
+
+int
+resources_add_asn(struct resources *resources, struct ASIdentifiers *ids)
+{
        if (ids->asnum == NULL)
                return pr_err("ASN extension lacks 'asnum' element.");
        if (ids->rdi != NULL)
@@ -511,16 +542,7 @@ resources_add_asn(struct resources *resources, struct ASIdentifiers *ids)
        case ASIdentifierChoice_PR_inherit:
                return inherit_asiors(resources);
        case ASIdentifierChoice_PR_asIdsOrRanges:
-               iors = &ids->asnum->choice.asIdsOrRanges;
-               if (iors->list.count == 0)
-                       return pr_err("AS extension's set of AS number records is empty.");
-               for (i = 0; i < iors->list.count; i++) {
-                       error = add_asior(resources, iors->list.array[i]);
-                       if (error)
-                               return error;
-               }
-               return 0;
-
+               return add_asiors(resources, ids);
        case ASIdentifierChoice_PR_NOTHING:
                break;
        }

diff --git a/src/resource.h b/src/resource.h
index 62101da5097779145f8443b928ddf3c20c115ad0..b4a5655d0546e71667108761b19f76e312f6e8c0 100644 (file)
--- a/src/resource.h
+++ b/src/resource.h
@@ -23,7 +23,7 @@ int get_addr_family(OCTET_STRING_t *);
 
 struct resources;
 
-struct resources *resources_create(void);
+struct resources *resources_create(bool);
 void resources_destroy(struct resources *);
 
 int resources_add_ip(struct resources *, struct IPAddressFamily *);

diff --git a/src/state.c b/src/state.c
index 07ba2032de336dc98f7400411551efd48f92f182..179df39ade9ca6254bdc91cddf5c40fc0e811e71 100644 (file)
--- a/src/state.c
+++ b/src/state.c
@@ -253,7 +253,7 @@ validation_push_cert(struct validation *state, struct rpki_uri const *cert_uri,
        error = subjects_init(&cert->subjects);
        if (error)
                goto end3;
-       cert->resources = resources_create();
+       cert->resources = resources_create(false);
        if (cert->resources == NULL) {
                error = pr_enomem();
                goto end4;