rpki-client: allow UTF8String for BGPsec router cert subjects
On Tue, Nov 18, 2025 at 01:53:37PM +0100, Theo Buehler wrote:
> On Tue, Nov 18, 2025 at 01:29:03PM +0100, Claudio Jeker wrote:
> > On Tue, Nov 18, 2025 at 12:22:53PM +0100, Theo Buehler wrote:
> > > The diff below allows BGPsec router certs to have a UTF8String in
> > > their subject's commonName, making sure we won't reject those once we
> > > enable the check for the PrintableString type. Since no certs with
> > > UTF8String currently exist, I'm not keen on adding additional checks, a
> > > few possibilities are listed in a comment.
> >
> > I really think that SIDROPS and the IETF need to fix this. BGPsec has
> > currently no users and so this error in the spec should be fixed before it
> > spreads.
>
> Not sure what you suggest concretely. I do not think SIDROPS will manage
> to decide anything useful in the foreseeable future since they've
> atrophied themselves with the charter update and a lot of other
> bureaucratic nonsense.
Yes, SIDROPS is a headless chicken. Still I think it is their job to fix
this inconsistency in the BGPsec spec.
> In any case, I think the current logic is error prone since this
> mis-specification is about the subject. Can we do this small refactor
> which is the bulk of the original diff?
Sorry, I forgot to add that I'm OK with your original diff. There is not
much else we can do about this in rpki-client right now.
> Index: cert.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v
> diff -u -p -r1.206 cert.c
> --- cert.c 16 Oct 2025 06:46:31 -0000 1.206
> +++ cert.c 18 Nov 2025 12:47:43 -0000
> @@ -227,14 +227,14 @@ cert_check_subject_and_issuer(const char
> warnx("%s: X509_get_subject_name", fn);
> return 0;
> }
> - if (!x509_valid_name(fn, "subject", name))
> + if (!x509_valid_subject_name(fn, name))
> return 0;
>
> if ((name = X509_get_issuer_name(cert->x509)) == NULL) {
> warnx("%s: X509_get_issuer_name", fn);
> return 0;
> }
> - if (!x509_valid_name(fn, "issuer", name))
> + if (!x509_valid_issuer_name(fn, name))
> return 0;
>
> return 1;
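Review bot: x509_valid_subject_name(fn, name) is handed only the file name and the X509_NAME, so cert_check_subject_and_issuer gives the subject check no way to know whether this is a BGPsec router certificate, which is the only case the thread wants to admit a UTF8String for. If the subject check is ever to differ for router certs, this call site will need to pass that information (or use a separate entry point); the rename by itself keeps subject and issuer on the same rules.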
> Index: crl.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/crl.c,v
> diff -u -p -r1.50 crl.c
> --- crl.c 8 Jul 2025 13:25:54 -0000 1.50
> +++ crl.c 18 Nov 2025 12:47:56 -0000
> @@ -234,7 +234,7 @@ crl_parse(const char *fn, const unsigned
> warnx("%s: X509_CRL_get_issuer", fn);
> goto out;
> }
> - if (!x509_valid_name(fn, "issuer", name))
> + if (!x509_valid_issuer_name(fn, name))
> goto out;
>
> if (!crl_check_sigalg(fn, crl))
> Index: extern.h
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v
> diff -u -p -r1.267 extern.h
> --- extern.h 13 Nov 2025 15:18:53 -0000 1.267
> +++ extern.h 18 Nov 2025 12:47:32 -0000
> @@ -981,7 +981,8 @@ int x509_location(const char *, const
> char **);
> int x509_inherits(X509 *);
> int x509_any_inherits(X509 *);
> -int x509_valid_name(const char *, const char *, const X509_NAME *);
> +int x509_valid_subject_name(const char *, const X509_NAME *);
> +int x509_valid_issuer_name(const char *, const X509_NAME *);
> time_t x509_find_expires(time_t, struct auth *, struct crl_tree *);
>
> /* printers */
> Index: x509.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/x509.c,v
> diff -u -p -r1.122 x509.c
> --- x509.c 18 Nov 2025 09:18:20 -0000 1.122
> +++ x509.c 18 Nov 2025 12:48:23 -0000
> @@ -403,8 +403,8 @@ valid_printable_string(const char *fn, c
> * Check that subject or issuer only contain commonName and serialNumber.
> * Return 0 on failure.
> */
> -int
> -x509_valid_name(const char *fn, const char *descr, const X509_NAME *xn)
> +static int
> +x509_valid_name_internal(const char *fn, const char *descr, const X509_NAME *xn)
> {
> const X509_NAME_ENTRY *ne;
> const ASN1_OBJECT *ao;
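Review bot: the header comment above ("Check that subject or issuer only contain commonName and serialNumber. Return 0 on failure.") now documents a static helper, while the two exported wrappers added further down have no comment of their own. Consider moving or repeating that one-line description onto x509_valid_subject_name and x509_valid_issuer_name so the public API is what carries the documentation.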
> @@ -437,7 +437,9 @@ x509_valid_name(const char *fn, const ch
> }
> /*
> * XXX - For some reason RFC 8209, section 3.1.1 decided
> - * to allow UTF8String for BGPsec Router Certificates.
> + * to allow UTF8String for the subject of BGPsec Router
> + * Certificates, although RECOMMENDED contents fit in
> + * a PrintableString.
> */
> if (!valid_printable_string(fn, descr, as))
> return 0;
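Review bot: the reworded XXX comment states that UTF8String is allowed for the subject of BGPsec Router Certificates, but the line directly below it, `if (!valid_printable_string(fn, descr, as))`, is reached for both subject and issuer without consulting descr, so within this hunk the comment describes a relaxation the code does not implement. Either say explicitly that the PrintableString requirement is not yet enforced here (which is what the cover message implies), or tie the remark to the subject case, so a later reader does not assume the exemption is already in place.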
> @@ -466,6 +468,18 @@ x509_valid_name(const char *fn, const ch
> }
>
> return 1;
> +}
> +
> +int
> +x509_valid_subject_name(const char *fn, const X509_NAME *xn)
> +{
> + return x509_valid_name_internal(fn, "subject", xn);
> +}
> +
> +int
> +x509_valid_issuer_name(const char *fn, const X509_NAME *xn)
> +{
> + return x509_valid_name_internal(fn, "issuer", xn);
> }
>
> /*
>
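Review bot: both wrappers forward to x509_valid_name_internal with only the descr string differing, so subject and issuer are still validated identically after this change. The split creates the place where a subject-only UTF8String allowance for router certs can later live without touching the issuer path, but it does not add one; a short comment on x509_valid_subject_name recording that intent would keep the reason for the split from being lost.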
--
:wq Claudio