Disallow issuer and subject unique identifiers

In 1992, the ITU-T - through X.509 version 2 - introduced subject and
issuer unique identifier fields to handle the possibility of reuse
of subject and/or issuer names over time. However, the standing
recommendation is that names not be reused for different entities and
that Internet certificates not make use of unique identifiers.
Conforming RPKI CAs will never issue certificates with unique identifiers.

OK tb@ claudio@

diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index 0652371..0ed7020 100644 (file)
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: cert.c,v 1.106 2023/03/10 12:44:56 job Exp $ */
+/*     $OpenBSD: cert.c,v 1.107 2023/04/15 00:39:08 job Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
  * Copyright (c) 2021 Job Snijders <job@openbsd.org>
@@ -648,6 +648,7 @@ cert_parse_pre(const char *fn, const unsigned char *der, size_t len)
        X509                    *x = NULL;
        X509_EXTENSION          *ext = NULL;
        const X509_ALGOR        *palg;
+       const ASN1_BIT_STRING   *piuid = NULL, *psuid = NULL;
        const ASN1_OBJECT       *cobj;
        ASN1_OBJECT             *obj;
        EVP_PKEY                *pkey;
@@ -692,6 +693,13 @@ cert_parse_pre(const char *fn, const unsigned char *der, size_t len)
                goto out;
        }
 
+       X509_get0_uids(x, &piuid, &psuid);
+       if (piuid != NULL || psuid != NULL) {
+               warnx("%s: issuer or subject unique identifiers not allowed",
+                   fn);
+               goto out;
+       }
+
        /* Look for X509v3 extensions. */
 
        if ((extsz = X509_get_ext_count(x)) < 0)