These extensions MUST be marked critical by the sections of the spec
mentioned in the cryptowarnx(). That's determined by the ASN1_BOOLEAN
that is extracted and ignored after the FIXME a few lines below each of
the two hunks. Rather than getting the info from there, it's easier to
use an API call that checks what was already parsed by d2i_X509().

Index: cert.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v
retrieving revision 1.47
diff -u -p -r1.47 cert.c
--- cert.c      5 Nov 2021 10:50:41 -0000       1.47
+++ cert.c      24 Dec 2021 23:40:55 -0000
@@ -588,6 +588,12 @@ sbgp_assysnum(struct parse *p, X509_EXTE
        int                      dsz, rc = 0, i, ptag;
        long                     plen;
 
+       if (!X509_EXTENSION_get_critical(ext)) {
+               cryptowarnx("%s: RFC 6487 section 4.8.11: autonomousSysNum: "
+                   "extension not critical", p->fn);
+               goto out;
+       }
+
        if ((dsz = i2d_X509_EXTENSION(ext, &sv)) < 0) {
                cryptowarnx("%s: RFC 6487 section 4.8.11: autonomousSysNum: "
                    "failed extension parse", p->fn);
@@ -890,6 +896,12 @@ sbgp_ipaddrblk(struct parse *p, X509_EXT
        ASN1_SEQUENCE_ANY       *seq = NULL, *sseq = NULL;
        const ASN1_TYPE         *t = NULL;
        int                      i;
+
+       if (!X509_EXTENSION_get_critical(ext)) {
+               cryptowarnx("%s: RFC 6487 section 4.8.10: sbgp-ipAddrBlock: "
+                   "extension not critical", p->fn);
+               goto out;
+       }
 
        if ((dsz = i2d_X509_EXTENSION(ext, &sv)) < 0) {
                cryptowarnx("%s: RFC 6487 section 4.8.10: sbgp-ipAddrBlock: "
