On Sat, Jan 22, 2022 at 08:45:21PM +0000, Job Snijders wrote:
> On Sat, Jan 22, 2022 at 03:09:52PM +0100, Theo Buehler wrote:
> > The diff below would be what we both expect, but it means we diverge
> > from OpenSSL's behavior.
>
> AFAIK the OpenSSL implementation doesn't apply constraints in accordance
> with the procedures referenced in the IANA "SMI Security for PKIX
> Certificate Policies" in context of the RPKI. In the sense that strictly
> speaking, the cert validator should apply different validation
> algorithms (based on the 1.3.6.1.5.5.7.14.X value)
> https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#smi-numbers-1.3.6.1.5.5.7.14

Yes. This is not currently the case.

> Perhaps it is worth exploring whether the libressl validator can check
> for ipAddr-asNumber or ipAddr-asNumberv2, and if either of those two
> policies is in play, diverge from the OpenSSL behavior?

Maybe. I believe this is going too far into complex territory for the
issue at hand.

I have no problem with committing the diff I sent for x509_addr.c. It
would align the ASid and IPAddrBlock path validation with one another.

The only reason I brought up divergence from OpenSSL as an issue is that
we need to be mindful of changes in behavior that we can't rely on if we
want to keep rpki-client -portable working correctly with OpenSSL's
validator.

Some of the bugs I fixed will need to be brought to OpenSSL's attention
anyway. I consider this just another one of them.
