From: Claudio Jeker <cjeker@diehard.n-r-g.com>
Subject: Re: rpki-client: allow UTF8String for BGPsec router cert subjects
To: Theo Buehler <tb@theobuehler.org>
Cc: tech@openbsd.org
Date: Tue, 18 Nov 2025 14:02:28 +0100

On Tue, Nov 18, 2025 at 01:53:37PM +0100, Theo Buehler wrote:
> On Tue, Nov 18, 2025 at 01:29:03PM +0100, Claudio Jeker wrote:
> > On Tue, Nov 18, 2025 at 12:22:53PM +0100, Theo Buehler wrote:
> > > The diff below allows BGPsec router certs to have a UTF8String in
> > > their subject's commonName, making sure we won't reject those once we
> > > enable the check for the PrintableString type. Since no certs with
> > > UTF8String currently exist, I'm not keen on adding additional checks, a
> > > few possibilities are listed in a comment.
> > 
> > I really think that SIDROPS and the IETF need to fix this. BGPsec has
> > currently no users and so this error in the spec should be fixed before it
> > spreads.
> 
> Not sure what you suggest concretely. I do not think SIDROPS will manage
> to decide anything useful in the foreseeable future since they've
> atrophied themselves with the charter update and a lot of other
> bureaucratic nonsense.

Yes, SIDROPS is a headless chicken. Still I think it is their job to fix
this inconsistency in the BGPsec spec.
 
> In any case, I think the current logic is error prone since this
> mis-specification is about the subject. Can we do this small refactor
> which is the bulk of the original diff?

Sorry, I forgot to add that I'm OK with your original diff. There is not
much else we can do about this in rpki-client right now.
 
> Index: cert.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v
> diff -u -p -r1.206 cert.c
> --- cert.c	16 Oct 2025 06:46:31 -0000	1.206
> +++ cert.c	18 Nov 2025 12:47:43 -0000
> @@ -227,14 +227,14 @@ cert_check_subject_and_issuer(const char
>  		warnx("%s: X509_get_subject_name", fn);
>  		return 0;
>  	}
> -	if (!x509_valid_name(fn, "subject", name))
> +	if (!x509_valid_subject_name(fn, name))
>  		return 0;
>  
>  	if ((name = X509_get_issuer_name(cert->x509)) == NULL) {
>  		warnx("%s: X509_get_issuer_name", fn);
>  		return 0;
>  	}
> -	if (!x509_valid_name(fn, "issuer", name))
> +	if (!x509_valid_issuer_name(fn, name))
>  		return 0;
>  
>  	return 1;
> Index: crl.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/crl.c,v
> diff -u -p -r1.50 crl.c
> --- crl.c	8 Jul 2025 13:25:54 -0000	1.50
> +++ crl.c	18 Nov 2025 12:47:56 -0000
> @@ -234,7 +234,7 @@ crl_parse(const char *fn, const unsigned
>  		warnx("%s: X509_CRL_get_issuer", fn);
>  		goto out;
>  	}
> -	if (!x509_valid_name(fn, "issuer", name))
> +	if (!x509_valid_issuer_name(fn, name))
>  		goto out;
>  
>  	if (!crl_check_sigalg(fn, crl))
> Index: extern.h
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v
> diff -u -p -r1.267 extern.h
> --- extern.h	13 Nov 2025 15:18:53 -0000	1.267
> +++ extern.h	18 Nov 2025 12:47:32 -0000
> @@ -981,7 +981,8 @@ int		 x509_location(const char *, const 
>  		    char **);
>  int		 x509_inherits(X509 *);
>  int		 x509_any_inherits(X509 *);
> -int		 x509_valid_name(const char *, const char *, const X509_NAME *);
> +int		 x509_valid_subject_name(const char *, const X509_NAME *);
> +int		 x509_valid_issuer_name(const char *, const X509_NAME *);
>  time_t		 x509_find_expires(time_t, struct auth *, struct crl_tree *);
>  
>  /* printers */
> Index: x509.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/x509.c,v
> diff -u -p -r1.122 x509.c
> --- x509.c	18 Nov 2025 09:18:20 -0000	1.122
> +++ x509.c	18 Nov 2025 12:48:23 -0000
> @@ -403,8 +403,8 @@ valid_printable_string(const char *fn, c
>   * Check that subject or issuer only contain commonName and serialNumber.
>   * Return 0 on failure.
>   */
> -int
> -x509_valid_name(const char *fn, const char *descr, const X509_NAME *xn)
> +static int
> +x509_valid_name_internal(const char *fn, const char *descr, const X509_NAME *xn)
>  {
>  	const X509_NAME_ENTRY *ne;
>  	const ASN1_OBJECT *ao;
> @@ -437,7 +437,9 @@ x509_valid_name(const char *fn, const ch
>  			}
>  			/*
>  			 * XXX - For some reason RFC 8209, section 3.1.1 decided
> -			 * to allow UTF8String for BGPsec Router Certificates.
> +			 * to allow UTF8String for the subject of BGPsec Router
> +			 * Certificates, although RECOMMENDED contents fit in
> +			 * a PrintableString.
>  			 */
>  			if (!valid_printable_string(fn, descr, as))
>  				return 0;
> @@ -466,6 +468,18 @@ x509_valid_name(const char *fn, const ch
>  	}
>  
>  	return 1;
> +}
> +
> +int
> +x509_valid_subject_name(const char *fn, const X509_NAME *xn)
> +{
> +	return x509_valid_name_internal(fn, "subject", xn);
> +}
> +
> +int
> +x509_valid_issuer_name(const char *fn, const X509_NAME *xn)
> +{
> +	return x509_valid_name_internal(fn, "issuer", xn);
>  }
>  
>  /*
> 

-- 
:wq Claudio