authorRob Austein <sra@hactrn.net>2012-06-26 19:25:15 +0000
committerRob Austein <sra@hactrn.net>2012-06-26 19:25:15 +0000
commitc060653704be50406487bc0a6a09a36ec1d9491a (patch)
tree0374f0e2d382da25cf0b2ca3ff8f2447e5edefc2
parent89971b8aa40a1c7f4b64614ffd90af563122da9e (diff)
Certificate UID fields forbidden by RPKI profile.
svn path=/trunk/; revision=4560
-rw-r--r--rcynic/rcynic.c11
1 files changed, 11 insertions, 0 deletions
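--- a/rcynic/rcynic.c
+++ b/rcynic/rcynic.c
@@ -256,6 +256,7 @@ static const struct {
 QB(nonconformant_public_key_algorithm,"Nonconformant public key algorithm")\
 QB(nonconformant_signature_algorithm, "Nonconformant signature algorithm")\
 QB(nonconformant_digest_algorithm, "Nonconformant digest algorithm") \
+ QB(nonconformant_certificate_uid, "Nonconformant certificate UID") \
 QB(object_rejected, "Object rejected") \
 QB(rfc3779_inheritance_required, "RFC 3779 inheritance required") \
 QB(roa_contains_bad_afi_value, "ROA contains bad AFI value") \
@@ -3306,6 +3307,16 @@ static int check_x509(rcynic_ctx_t *rc,
 }
 /*
+ * Apparently nothing ever looks at these fields, so there are no
+ * API functions for them. We wouldn't bother either if they
+ * weren't forbidden by the RPKI certificate profile.
+ */
+ if (!x->cert_info || x->cert_info->issuerUID || x->cert_info->subjectUID) {
+ log_validation_status(rc, uri, nonconformant_certificate_uid, generation);
+ goto done;
+ }
+
+ /*
 * Keep track of allowed extensions we've seen. Once we've
 * processed all the ones we expect, anything left is an error.
 */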
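Review bot: The `!x->cert_info` test in the new `if` is folded into the UID rejection, so a certificate whose `cert_info` is NULL is logged as "Nonconformant certificate UID" even though no UID was ever seen, which will mislead whoever reads the validation log for that object. Either give the NULL case its own status, or state the conflation in the comment, e.g. `/* A NULL cert_info can never be conformant; it is reported under the UID status rather than dereferenced. */`. The dereference of `x->cert_info->issuerUID` and `subjectUID` depends on the X509 structure layout being visible to this file, which is presumably an OpenSSL-version assumption worth a one-line comment so a later library upgrade does not silently break this check. The enclosing function check_x509 starts and ends outside the hunk, so whether `x` itself has already been checked for NULL cannot be confirmed here.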