path: root/usr.sbin/rpki-client/extern.h
author: Theo Buehler <tb@cvs.openbsd.org> 2024-05-31 02:45:16 +0000
committer: Theo Buehler <tb@cvs.openbsd.org> 2024-05-31 02:45:16 +0000
commit: 3e9060248630ee654b2321e6461cb6f8b673ff3c (patch)
tree: 3b3a6c8f1d07aaf0fc692360659578ce1887af1b /usr.sbin/rpki-client/extern.h
parent: bdc0ddec8c3a359dc63277d9e226eacf4a9668e9 (diff)
rpki-client: check issuer for certs and CRLs
Per RFC 6487, the subject and issuer fields of a certificate and the issuer field of a CRL are subject to the same restrictions: only a commonName and an optional serialNumber may be present and the commonName must be an ASN.1 printable string. So far we've only checked the subject of certificates, which covers almost everything by relying on the verifier to check that the issuer's subject is identical to the subject's issuer, also for CRLs per X509_V_FLAG_CRL_CHECK. The only thing missing this way is the TA's issuer.

Since the check is cheap and simple, we're better off doing it ourselves: Refactor the x509_valid_subject() helper to take an X509_NAME (which is of course the appropriate name for a type representing an X.501 distinguished name). This checks the details of RFC 6487, section 4.4, except that we still can't check for a printable string since afrinic has ~3000 EE certs that don't follow the spec, which would knock out ~45% of their ROAs. We're told that this is going to be fixed this year.

looks good to claudio
ok job
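The RFC 6487 section 4.4 name rules the commit message describes, as an added example that is not rpki-client's code: it applies the check straight to a DER-encoded X.501 Name with the Python standard library instead of the X509_NAME API the project uses, and the assumed `require_printable` parameter models the PrintableString check the commit says is still relaxed.

```python
# Added illustration (not rpki-client code): RFC 6487 4.4 name rules on a DER X.501 Name, stdlib only.
OID_CN = bytes.fromhex("550403")  # id-at-commonName 2.5.4.3
OID_SN = bytes.fromhex("550405")  # id-at-serialNumber 2.5.4.5
PRINTABLE_STRING, SEQUENCE, SET, OID = 0x13, 0x30, 0x31, 0x06

def _tlv(buf, pos):  # one DER element at pos -> (tag, value, next_pos)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length; 1-2 length bytes covers any realistic Name
        n = ln & 0x7F
        if n == 0 or n > 2:
            raise ValueError("unsupported length encoding")
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + ln > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + ln], pos + ln

def _children(buf):  # yield (tag, value) for each element of a constructed value
    pos = 0
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos)
        yield tag, val

def valid_rfc6487_name(der, require_printable=True):  # -> (ok, reason)
    tag, body, end = _tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        return False, "Name is not a single SEQUENCE"
    cn = sn = 0
    for rdn_tag, rdn in _children(body):  # Name ::= SEQUENCE OF RelativeDistinguishedName
        if rdn_tag != SET:
            return False, "RDN is not a SET"
        for atv_tag, atv in _children(rdn):  # RDN ::= SET OF AttributeTypeAndValue
            parts = list(_children(atv))
            if atv_tag != SEQUENCE or len(parts) != 2 or parts[0][0] != OID:
                return False, "malformed AttributeTypeAndValue"
            oid, val_tag = parts[0][1], parts[1][0]
            if oid == OID_CN:
                cn += 1  # require_printable=False is the relaxation the commit describes
                if require_printable and val_tag != PRINTABLE_STRING:
                    return False, "commonName is not a PrintableString"
            elif oid == OID_SN:
                sn += 1
            else:
                return False, "attribute other than commonName/serialNumber present"
    if cn != 1 or sn > 1:
        return False, "need exactly one commonName and at most one serialNumber"
    return True, "ok"

# Constructed samples (not real RPKI objects): Name { SET { SEQ { OID cn, <string> "ta" } } }
CN_PRINTABLE = bytes.fromhex("300d310b3009060355040313027461")  # CN as PrintableString
CN_UTF8 = bytes.fromhex("300d310b300906035504030c027461")       # CN as UTF8String
```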
Diffstat (limited to 'usr.sbin/rpki-client/extern.h')
-rw-r--r--  usr.sbin/rpki-client/extern.h  4
1 files changed, 2 insertions, 2 deletions
diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h
index 6a871baad8a..46c64afc903 100644
--- a/usr.sbin/rpki-client/extern.h
+++ b/usr.sbin/rpki-client/extern.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: extern.h,v 1.219 2024/05/29 13:26:24 tb Exp $ */
+/* $OpenBSD: extern.h,v 1.220 2024/05/31 02:45:15 tb Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -917,7 +917,7 @@ int x509_location(const char *, const char *, const char *,
GENERAL_NAME *, char **);
int x509_inherits(X509 *);
int x509_any_inherits(X509 *);
-int x509_valid_subject(const char *, const X509 *);
+int x509_valid_name(const char *, const char *, const X509_NAME *);
time_t x509_find_expires(time_t, struct auth *, struct crl_tree *);
/* printers */
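Review bot: the new x509_valid_name() prototype takes two `const char *` arguments ahead of the `const X509_NAME *`, and nothing in the header says what they are; their roles are not apparent from the declaration alone, so a one-line comment above it, in the style of the `/* printers */` marker already used here, naming the two strings and stating that the helper now serves the certificate subject, the certificate issuer and the CRL issuer (as the commit message says) would save callers a trip to the definition. Since x509_valid_subject() is removed rather than kept as a wrapper, every existing caller must be switched in the same commit or the build breaks; the diffstat shown is limited to extern.h, so that cannot be confirmed from this page.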