-rw-r--r-- | rcynic/rcynic.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/rcynic/rcynic.c b/rcynic/rcynic.c
index bdbeff55..b60ff665 100644
--- a/rcynic/rcynic.c
+++ b/rcynic/rcynic.c
@@ -256,6 +256,7 @@ static const struct {
 QB(nonconformant_public_key_algorithm,"Nonconformant public key algorithm")\
 QB(nonconformant_signature_algorithm, "Nonconformant signature algorithm")\
 QB(nonconformant_digest_algorithm, "Nonconformant digest algorithm") \
+ QB(nonconformant_certificate_uid, "Nonconformant certificate UID") \
 QB(object_rejected, "Object rejected") \
 QB(rfc3779_inheritance_required, "RFC 3779 inheritance required") \
 QB(roa_contains_bad_afi_value, "ROA contains bad AFI value") \
@@ -3306,6 +3307,16 @@ static int check_x509(rcynic_ctx_t *rc,
 }
 
 /*
+ * Apparently nothing ever looks at these fields, so there are no
+ * API functions for them. We wouldn't bother either if they
+ * weren't forbidden by the RPKI certificate profile.
+ */
+ if (!x->cert_info || x->cert_info->issuerUID || x->cert_info->subjectUID) {
+ log_validation_status(rc, uri, nonconformant_certificate_uid, generation);
+ goto done;
+ }
+
+ /*
  * Keep track of allowed extensions we've seen. Once we've
  * processed all the ones we expect, anything left is an error.
  */ |
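Review bot: In the added `if`, a NULL `x->cert_info` is reported with the same `nonconformant_certificate_uid` status as a certificate that actually carries an issuerUID or subjectUID, so a structurally broken X509 object would be logged as a UID profile violation rather than as a parse failure. If `cert_info` cannot be NULL for an object that reached this point, the guard is dead and the two UID tests alone suffice; otherwise a distinct status, or at least a comment such as `/* NULL cert_info is not a UID violation; fail closed rather than dereference it */`, would make the intent reviewable. Reaching into `x->cert_info` also ties the check to OpenSSL's internal X509 layout, which later OpenSSL releases make opaque (X509_get0_uids() is the accessor there), so the comment's claim that there are no API functions for these fields is worth dating. The enclosing check_x509 and the `done` label both lie outside the hunk, so the cleanup taken on this new path could not be verified here.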