In filemode, add extra check for the filename extension contained in the EE cert

job · job · commit 41ec7eb6c1a1 · 2025-06-19T08:21:56.000Z
OK tb@
diff --git a/regress/usr.sbin/rpki-client/test-seqnum.c b/regress/usr.sbin/rpki-client/test-seqnum.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: test-seqnum.c,v 1.1 2024/10/07 12:27:27 tb Exp $ */
+/*	$OpenBSD: test-seqnum.c,v 1.2 2025/06/19 08:21:56 job Exp $ */
 
 /*
  * Copyright (c) 2024 Theo Buehler <tb@openbsd.org>
@@ -27,6 +27,12 @@
 
 #define MAX_DER 25
 
+enum rtype
+rtype_from_file_extension(const char *fn)
+{
+	return RTYPE_INVALID;
+}
+
 static const struct seqnum {
 	const char *descr;
 	const unsigned char der[MAX_DER];
diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: x509.c,v 1.106 2025/06/19 06:46:56 tb Exp $ */
+/*	$OpenBSD: x509.c,v 1.107 2025/06/19 08:21:56 job Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
  * Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
@@ -646,6 +646,13 @@ x509_get_sia(X509 *x, const char *fn, char **out_sia)
 			size_t fnlen, plen;
 
 			if (filemode) {
+				if (rtype_from_file_extension(sia) !=
+				    rtype_from_file_extension(fn)) {
+					warnx("%s: SIA signedObject contains "
+					    "unexpected filename extension",
+					    fn);
+					goto out;
+				}
 				*out_sia = sia;
 				continue;
 			}
