authorJob Snijders <job@cvs.openbsd.org>2023-10-13 12:06:50 +0000
committerJob Snijders <job@cvs.openbsd.org>2023-10-13 12:06:50 +0000
commita5ed47bf0aedb7c2d81adf1f68f504ecdb3dea82 (patch)
treede0e309db2e58d0a3150280c625647dd9e6b1546 /usr.sbin/rpki-client/as.c
parent30cf777d52de1af041e49d9913f534b87d6c31d6 (diff)
Allow imposing constraints on RPKI trust anchors
The ability to constrain a RPKI Trust Anchor's effective signing authority to a limited set of Internet Number Resources allows Relying Parties to enjoy the potential benefits of assuming trust, within a bounded scope. Some examples: ARIN does not support inter-RIR IPv6 transfers, so it wouldn't make any sense to see a ROA subordinate to ARIN's trust anchor covering RIPE-managed IPv6 space. Conversely, it wouldn't make sense to observe a ROA covering ARIN-managed IPv6 space under APNIC's, LACNIC's, or RIPE's trust anchor - even if a derived trust arc (a cryptographically valid certificate path) existed. Along these same lines, AFRINIC doesn't support inter-RIR transfers of any kind, and none of the RIRs have authority over private resources like 10.0.0.0/8 and 2001:db8::/32. For more background see: https://datatracker.ietf.org/doc/draft-snijders-constraining-rpki-trust-anchors/ https://mailman.nanog.org/pipermail/nanog/2023-September/223354.html With and OK tb@, OK claudio@
Diffstat (limited to 'usr.sbin/rpki-client/as.c')
-rw-r--r--usr.sbin/rpki-client/as.c34
1 files changed, 32 insertions, 2 deletions
diff --git a/usr.sbin/rpki-client/as.c b/usr.sbin/rpki-client/as.c
index 2f4aabda0b9..dd8039521cc 100644
--- a/usr.sbin/rpki-client/as.c
+++ b/usr.sbin/rpki-client/as.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: as.c,v 1.12 2023/05/23 06:39:31 tb Exp $ */
+/* $OpenBSD: as.c,v 1.13 2023/10/13 12:06:49 job Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -45,7 +45,7 @@ as_id_parse(const ASN1_INTEGER *v, uint32_t *out)
*/
int
as_check_overlap(const struct cert_as *a, const char *fn,
- const struct cert_as *as, size_t asz)
+ const struct cert_as *as, size_t asz, int quiet)
{
size_t i;
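Review bot: The new `quiet` parameter of `as_check_overlap` is not described in the comment block that closes just above the `int` line, so a caller has to read the whole body to learn that it only suppresses the diagnostics and leaves the return value unchanged. Suggest extending that comment with `* If "quiet" is non-zero, a conflict is still reported by returning 0, but no warning is printed.` The same flag is then tested with an identical `if (quiet) return 0;` immediately before each of the five `warnx` calls in the following hunks; since every one of those paths returns 0 anyway, routing them through a single exit that checks `quiet` once before the warning would remove the repetition. The function body begins in this hunk and continues past its end.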
@@ -53,6 +53,8 @@ as_check_overlap(const struct cert_as *a, const char *fn,
if (asz &&
(a->type == CERT_AS_INHERIT || as[0].type == CERT_AS_INHERIT)) {
+ if (quiet)
+ return 0;
warnx("%s: RFC 3779 section 3.2.3.3: "
"cannot have inheritance and multiple ASnum or "
"multiple inheritance", fn);
@@ -68,6 +70,8 @@ as_check_overlap(const struct cert_as *a, const char *fn,
case CERT_AS_ID:
if (a->id != as[i].id)
break;
+ if (quiet)
+ return 0;
warnx("%s: RFC 3779 section 3.2.3.4: "
"cannot have overlapping ASnum", fn);
return 0;
@@ -75,6 +79,8 @@ as_check_overlap(const struct cert_as *a, const char *fn,
if (as->range.min > as[i].id ||
as->range.max < as[i].id)
break;
+ if (quiet)
+ return 0;
warnx("%s: RFC 3779 section 3.2.3.4: "
"cannot have overlapping ASnum", fn);
return 0;
@@ -88,6 +94,8 @@ as_check_overlap(const struct cert_as *a, const char *fn,
if (as[i].range.min > a->id ||
as[i].range.max < a->id)
break;
+ if (quiet)
+ return 0;
warnx("%s: RFC 3779 section 3.2.3.4: "
"cannot have overlapping ASnum", fn);
return 0;
@@ -95,6 +103,8 @@ as_check_overlap(const struct cert_as *a, const char *fn,
if (a->range.max < as[i].range.min ||
a->range.min > as[i].range.max)
break;
+ if (quiet)
+ return 0;
warnx("%s: RFC 3779 section 3.2.3.4: "
"cannot have overlapping ASnum", fn);
return 0;
@@ -135,3 +145,23 @@ as_check_covered(uint32_t min, uint32_t max,
return -1;
}
+
+void
+as_warn(const char *fn, const struct cert_as *cert, const char *msg)
+{
+ switch (cert->type) {
+ case CERT_AS_ID:
+ warnx("%s: AS %u: %s", fn, cert->id, msg);
+ break;
+ case CERT_AS_INHERIT:
+ warnx("%s: AS (inherit): %s", fn, msg);
+ break;
+ case CERT_AS_RANGE:
+ warnx("%s: AS range %u--%u: %s", fn, cert->range.min,
+ cert->range.max, msg);
+ break;
+ default:
+ warnx("%s: corrupt cert", fn);
+ break;
+ }
+}
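Review bot: `as_warn` lacks the descriptive comment block that the other functions in as.c carry (the one for `as_check_overlap` closes just above its `int` line in an earlier hunk), so its contract — `msg` is appended verbatim after a prefix naming the AS resource — is not stated anywhere. Suggest adding above `void`: `/* Warn about "cert" with the file name and its AS number, range or inherit marker as prefix; "msg" is printed as-is, never as a format string. */`. The `%u` conversions assume `cert->id` and the range bounds are `unsigned int`-compatible; `as_id_parse` in this file produces `uint32_t`, which is `unsigned int` on OpenBSD, but `PRIu32` would make the format independent of the platform. The `default` branch's `"corrupt cert"` message gives no hint which field was unexpected; including `cert->type` in it would help when triaging a malformed certificate.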