From 5c0c839c3d8f38ab4746fe3b59614a2a8fbfb29b Mon Sep 17 00:00:00 2001
From: tb
Date: Tue, 20 Jan 2026 16:51:44 +0000
Subject: [PATCH] rpki-client: check SPKI in TAL for trailing garbage

On deserializing, ensure that the entire DER blob decoded from base64 has been consumed.

ok job
---
 usr.sbin/rpki-client/tal.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/usr.sbin/rpki-client/tal.c b/usr.sbin/rpki-client/tal.c
index fba95ba8ee1..b364c425055 100644
--- a/usr.sbin/rpki-client/tal.c
+++ b/usr.sbin/rpki-client/tal.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tal.c,v 1.44 2026/01/20 16:49:03 tb Exp $ */
+/* $OpenBSD: tal.c,v 1.45 2026/01/20 16:51:44 tb Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons
  *
@@ -141,6 +141,11 @@ tal_parse_buffer(const char *fn, char *buf, size_t len)
 "failed public key parse", fn);
 goto out;
 }
+ if (der != tal->spki + tal->spkisz) {
+ warnx("%s: RFC 8630 section 2.1: subjectPublicKeyInfo: "
+ "%td bytes of trailing garbage", fn,
+ tal->spki + tal->spkisz - der);
+ }
 rc = 1;
 out:
 if (rc == 0) {
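Review bot: The trailing-garbage branch only warns and then falls through to `rc = 1;`, so a TAL whose decoded SPKI is followed by extra bytes is still accepted, which does not match the commit message's "ensure that the entire DER blob ... has been consumed"; if rejection is the intent, add `goto out;` after the `warnx()` call, mirroring the "failed public key parse" branch immediately above. The comparison depends on `der` having been advanced by the decoder call earlier in tal_parse_buffer, which lies outside the hunk, so it is worth confirming that `der` is the post-decode pointer and not a copy of the original start of `tal->spki`. The `%td` conversion is correct for the pointer difference provided `tal->spki` and `der` have compatible pointee types; those declarations are also outside the hunk. The enclosing function starts before the hunk and continues past it.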