From: tb Date: Fri, 31 May 2024 11:27:34 +0000 (+0000) Subject: Document a weird decision in RFC 8209 X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=51f875f766a3bbb7f211154ac45282267493b28c;p=openbsd Document a weird decision in RFC 8209 The subject commonName of a BGPsec Router Certificate is RECOMMENDED to be "CN=ROUTER-%08x", asn. It thus made perfect sense to deviate from RFC 6487 and support encoding this as a UTF8String... We have three such certs in the wild, so punt on complicating the logic at least until the point where we need more than the fingers of one hand to count them. ok claudio --- diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c index 9eabdac9d33..0b28d6ee451 100644 --- a/usr.sbin/rpki-client/x509.c +++ b/usr.sbin/rpki-client/x509.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509.c,v 1.89 2024/05/31 02:45:15 tb Exp $ */ +/* $OpenBSD: x509.c,v 1.90 2024/05/31 11:27:34 tb Exp $ */ /* * Copyright (c) 2022 Theo Buehler * Copyright (c) 2021 Claudio Jeker @@ -882,6 +882,10 @@ x509_valid_name(const char *fn, const char *descr, const X509_NAME *xn) * https://lists.afrinic.net/pipermail/dbwg/2023-March/000436.html */ #if 0 + /* + * XXX - For some reason RFC 8209, section 3.1.1 decided + * to allow UTF8String for BGPsec Router Certificates. + */ if (ASN1_STRING_type(as) != V_ASN1_PRINTABLESTRING) { warnx("%s: RFC 6487 section 4.5: commonName is" " not PrintableString", fn);
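Review bot: The new XXX comment in the second hunk (in x509_valid_name(), inside the `#if 0` block) records that RFC 8209 section 3.1.1 allows UTF8String, but it does not say what the disabled check should do about that. As written, `if (ASN1_STRING_type(as) != V_ASN1_PRINTABLESTRING)` would emit the "commonName is not PrintableString" warning for a BGPsec Router Certificate whose commonName is a UTF8String once the block is re-enabled, and the warnx text cites only RFC 6487 section 4.5. Consider extending the comment to say that re-enabling this check requires a decision: either accept V_ASN1_UTF8STRING for router certificates or reject them on purpose. That would make the choice the commit message describes (punting while only three such certs exist) visible in the code and not only in the log. The visible signature takes only fn, descr and xn, so the comment could also note how a router certificate would be told apart from other certificates at this point.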