x509_get_purpose: check EXFLAG_SI and EXFLAG_SS for EE certs

botovq · botovq · commit 25d8c64de987 · 2025-06-19T06:46:56.000Z
ok claudio
diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: x509.c,v 1.105 2024/12/03 14:51:09 job Exp $ */
+/*	$OpenBSD: x509.c,v 1.106 2025/06/19 06:46:56 tb Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
  * Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
@@ -364,6 +364,11 @@ x509_get_purpose(X509 *x, const char *fn)
 		goto out;
 	}
 
+	if ((ext_flags & (EXFLAG_SI | EXFLAG_SS)) != 0) {
+		warnx("%s: EE cert must not be self-issued or self-signed", fn);
+		goto out;
+	}
+
 	if (X509_get_key_usage(x) != KU_DIGITAL_SIGNATURE) {
 		warnx("%s: RFC 6487 section 4.8.4: KU must be digitalSignature",
 		    fn);
