Document a weird decision in RFC 8209

The subject commonName of a BGPsec Router Certificate is RECOMMENDED to
be "CN=ROUTER-%08x", asn. It thus made perfect sense to deviate from
RFC 6487 and support encoding this as a UTF8String... We have three such
certs in the wild, so punt on complicating the logic at least until the
point where we need more than the fingers of one hand to count them.

ok claudio

diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c
index 9eabdac..0b28d6e 100644 (file)
--- a/usr.sbin/rpki-client/x509.c
+++ b/usr.sbin/rpki-client/x509.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: x509.c,v 1.89 2024/05/31 02:45:15 tb Exp $ */
+/*     $OpenBSD: x509.c,v 1.90 2024/05/31 11:27:34 tb Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
  * Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
@@ -882,6 +882,10 @@ x509_valid_name(const char *fn, const char *descr, const X509_NAME *xn)
  * https://lists.afrinic.net/pipermail/dbwg/2023-March/000436.html
  */
 #if 0
+                       /*
+                        * XXX - For some reason RFC 8209, section 3.1.1 decided
+                        * to allow UTF8String for BGPsec Router Certificates.
+                        */
                        if (ASN1_STRING_type(as) != V_ASN1_PRINTABLESTRING) {
                                warnx("%s: RFC 6487 section 4.5: commonName is"
                                    " not PrintableString", fn);