From 4cf8d64cecce96df17fa5ad4a396e5ea88ad9b1f Mon Sep 17 00:00:00 2001
From: job
Date: Sat, 15 Apr 2023 00:39:08 +0000
Subject: [PATCH] Disallow issuer and subject unique identifiers

In 1992, the ITU-T - through X.509 version 2 - introduced subject and issuer unique identifier fields to handle the possibility of reuse of subject and/or issuer names over time. However, the standing recommendation is that names not be reused for different entities and that Internet certificates not make use of unique identifiers. Conforming RPKI CAs will never issue certificates with unique identifiers. OK tb@ claudio@
---
 usr.sbin/rpki-client/cert.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index 06523711e71..0ed702044d1 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: cert.c,v 1.106 2023/03/10 12:44:56 job Exp $ */
+/*	$OpenBSD: cert.c,v 1.107 2023/04/15 00:39:08 job Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler
  * Copyright (c) 2021 Job Snijders
@@ -648,6 +648,7 @@ cert_parse_pre(const char *fn, const unsigned char *der, size_t len)
 	X509			*x = NULL;
 	X509_EXTENSION		*ext = NULL;
 	const X509_ALGOR	*palg;
+	const ASN1_BIT_STRING	*piuid = NULL, *psuid = NULL;
 	const ASN1_OBJECT	*cobj;
 	ASN1_OBJECT		*obj;
 	EVP_PKEY		*pkey;
@@ -692,6 +693,13 @@ cert_parse_pre(const char *fn, const unsigned char *der, size_t len)
 		goto out;
 	}
 
+	X509_get0_uids(x, &piuid, &psuid);
+	if (piuid != NULL || psuid != NULL) {
+		warnx("%s: issuer or subject unique identifiers not allowed",
+		    fn);
+		goto out;
+	}
+
 	/* Look for X509v3 extensions. */
 
 	if ((extsz = X509_get_ext_count(x)) < 0)
-- 
2.20.1
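Review bot: The new rejection block in the third hunk carries no comment explaining why issuerUniqueID and subjectUniqueID are refused, so a reader of cert_parse_pre sees only a bare X509_get0_uids() call and a goto; the rationale lives solely in the commit message. Suggest adding `/* RFC 5280, 4.1.2.8: conforming CAs MUST NOT issue certificates with unique identifiers. */` directly above the call, since this is a profile-conformance check rather than a parsing error. The warnx() message could also name which of the two fields triggered the rejection, which makes an operator's log far easier to act on, e.g. `warnx("%s: %s unique identifier not allowed", fn, piuid != NULL ? "issuer" : "subject");` (the first hunk is a version-tag bump and the second only adds the two declarations). cert_parse_pre begins and ends outside the hunks, so the placement relative to the version check that should precede it cannot be confirmed from here.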