git.ipfire.org Git - thirdparty/FORT-validator.git/commit

author	Alberto Leiva Popper <ydahhrk@gmail.com>
	Tue, 22 Nov 2022 18:14:34 +0000 (12:14 -0600)
committer	Alberto Leiva Popper <ydahhrk@gmail.com>
	Tue, 22 Nov 2022 18:17:41 +0000 (12:17 -0600)
commit	298a534652b695a3f443438149a4280514409b82
tree	14506e096fee95501736ab8d1f22ac3161f3b7f1	tree
parent	52ec6e1632ed29cc5ba0038bee2e4746e8cf0142	commit \| diff

Certificate: Remove subject name uniqueness validation

RFC 6487:

> An issuer SHOULD use a different subject name if the subject's key
> pair has changed (i.e., when the CA issues a certificate as part of
> re-keying the subject.)

Fort's implementation was problematic. The code was comparing the
certificate's subject name and public key to siblings that had
potentially not been validated yet. It seems to me this would make it
possible for attackers to crash FORT (by posting invalid objects) or to
invalidate legitimate objects (by publishing siblings that contained
conflicting subject names and public keys, without having to worry about
the rest of the fields).

This would be somewhat difficult o fix. I asked on the mailing list and
Discord ("RPKI Community"), and it seems the concensus is "don't
validate it." Subject Names don't really matter that much, because
RPKI's primary concern is resource ownership, not identity. Furthermore,
I'm not convinced that chopping off branches off the tree because of a
clumsy key rollover is a good idea.

https://mailarchive.ietf.org/arch/msg/sidrops/mXWbCwh6RO8pAtt7N30Q9m6jUws/

Manually cherry-picked from 0a6a80b558e12304ba0e68c021848e292bfe3ce6.

Hopefully f1xes #86.

.gitignore		diff \| blob \| blame \| history
src/cert_stack.c		diff \| blob \| blame \| history
src/object/certificate.c		diff \| blob \| blame \| history
src/slurm/slurm_parser.c		diff \| blob \| blame \| history
test/rsync_test.c		diff \| blob \| blame \| history
test/rtr/primitive_reader_test.c		diff \| blob \| blame \| history