On Sat, Jan 22, 2022 at 10:22:02AM +0100, Theo Buehler wrote:
> On Sat, Jan 22, 2022 at 10:11:36AM +0100, Claudio Jeker wrote:
> > On Fri, Jan 21, 2022 at 03:22:51PM +0100, Claudio Jeker wrote:
> > > I would like to change -f into a real mode and with that support to
> > > show more than one file at a time.
> > > 
> > > This is doing most of that. The output may need some extra fixing but the
> > > logic itself works.
> > > 
> > > Yay or nay?
> > 
> > Updated diff after the changes from tb@
> 
> still ok

Sorry here is a better version that does not print warnings when running
like this:
cd /var/cache/rpki-client/valid/chloe.sobornost.net/rpki/RIPE-nljobsnijders
rpki-client -v -f *.*

Before it tried to re-add the same cert and CRL multiple times and warnings
about duplicate AKI / SKI were printed. Now the code suppresses the
warning in proc_parser_crl() and checks in parse_load_certchain() if the
cert was already loaded and exits in that case. 

-- 
:wq Claudio

Index: main.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/main.c,v
retrieving revision 1.181
diff -u -p -r1.181 main.c
--- main.c      21 Jan 2022 18:49:44 -0000      1.181
+++ main.c      22 Jan 2022 08:54:53 -0000
@@ -726,7 +726,6 @@ main(int argc, char *argv[])
        char            *bind_addr = NULL;
        const char      *cachedir = NULL, *outputdir = NULL;
        const char      *errs, *name;
-       const char      *file = NULL;
        struct vrp_tree  vrps = RB_INITIALIZER(&vrps);
        struct brk_tree  brks = RB_INITIALIZER(&brks);
        struct rusage   ru;
@@ -754,7 +753,7 @@ main(int argc, char *argv[])
            "proc exec unveil", NULL) == -1)
                err(1, "pledge");
 
-       while ((c = getopt(argc, argv, "b:Bcd:e:f:jnorRs:t:T:vV")) != -1)
+       while ((c = getopt(argc, argv, "b:Bcd:e:fjnorRs:t:T:vV")) != -1)
                switch (c) {
                case 'b':
                        bind_addr = optarg;
@@ -772,7 +771,6 @@ main(int argc, char *argv[])
                        rsync_prog = optarg;
                        break;
                case 'f':
-                       file = optarg;
                        filemode = 1;
                        noop = 1;
                        break;
@@ -823,26 +821,29 @@ main(int argc, char *argv[])
 
        argv += optind;
        argc -= optind;
-       if (argc == 1)
-               outputdir = argv[0];
-       else if (argc > 1)
-               goto usage;
 
-       signal(SIGPIPE, SIG_IGN);
+       if (!filemode) {
+               if (argc == 1)
+                       outputdir = argv[0];
+               else if (argc > 1)
+                       goto usage;
+
+               if (outputdir == NULL) {
+                       warnx("output directory required");
+                       goto usage;
+               }
+       } else {
+               if (argc == 0)
+                       goto usage;
+               outputdir = NULL;
+       }
 
        if (cachedir == NULL) {
                warnx("cache directory required");
                goto usage;
        }
-       if (file != NULL) {
-               if (rtype_from_file_extension(file) == RTYPE_INVALID)
-                       errx(1, "unsupported or invalid file: %s", file);
 
-               outputdir = NULL;
-       } else if (outputdir == NULL) {
-               warnx("output directory required");
-               goto usage;
-       }
+       signal(SIGPIPE, SIG_IGN);
 
        if ((cachefd = open(cachedir, O_RDONLY | O_DIRECTORY)) == -1)
                err(1, "cache directory %s", cachedir);
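Review bot: In the new file-mode branch `argc == 0` jumps straight to usage with no diagnostic, whereas the two other failure paths in this block first say what is missing via `warnx`; a `warnx("at least one file required");` before that `goto usage` keeps the three paths consistent for the user. The removed `rtype_from_file_extension` check also means main() no longer rejects an unsupported file before the parser is started; from this hunk alone it is not visible where that is now reported, so it is worth confirming that the parser side covers every queued path. main() continues outside the hunk.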
@@ -1059,8 +1060,10 @@ main(int argc, char *argv[])
        for (i = 0; i < talsz; i++)
                queue_add_file(tals[i], RTYPE_TAL, i);
 
-       if (file != NULL)
-               queue_add_file(file, RTYPE_FILE, 0);
+       if (filemode) {
+               while (*argv != NULL)
+                       queue_add_file(*argv++, RTYPE_FILE, 0);
+       }
 
        /* change working directory to the cache directory */
        if (fchdir(cachefd) == -1)
@@ -1279,7 +1282,8 @@ usage:
        fprintf(stderr,
            "usage: rpki-client [-BcjnoRrVv] [-b sourceaddr] [-d cachedir]"
            " [-e rsync_prog]\n"
-           "                   [-f file] [-s timeout] [-T table] [-t tal]"
-           " [outputdir]\n");
+           "                   [-s timeout] [-T table] [-t tal]"
+           " [outputdir]\n"
+           "       rpki-client -f [-Vv] [-d cachedir] [-t tal] file ...\n");
        return 1;
 }
Index: parser.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/parser.c,v
retrieving revision 1.49
diff -u -p -r1.49 parser.c
--- parser.c    21 Jan 2022 18:49:44 -0000      1.49
+++ parser.c    22 Jan 2022 10:05:33 -0000
@@ -492,8 +492,7 @@ proc_parser_crl(char *file, const unsign
        if ((x509_crl = crl_parse(file, der, len)) != NULL) {
                if ((crl = malloc(sizeof(*crl))) == NULL)
                        err(1, NULL);
-               if ((crl->aki = x509_crl_get_aki(x509_crl, file)) ==
-                   NULL) {
+               if ((crl->aki = x509_crl_get_aki(x509_crl, file)) == NULL) {
                        warnx("x509_crl_get_aki failed");
                        goto err;
                }
@@ -516,7 +515,8 @@ proc_parser_crl(char *file, const unsign
                        errx(1, "%s: mktime failed", file);
 
                if (RB_INSERT(crl_tree, &crlt, crl) != NULL) {
-                       warnx("%s: duplicate AKI %s", file, crl->aki);
+                       if (!filemode)
+                               warnx("%s: duplicate AKI %s", file, crl->aki);
                        goto err;
                }
        }
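Review bot: The `goto err` that follows the now-gated warning still discards the second CRL, so in file mode a CRL that genuinely carries the same AKI as one already loaded is dropped silently and later objects are checked only against the first one. Rather than gating on `filemode` alone, consider keeping the message when verbose output was requested, e.g. `if (!filemode || verbose)` (assuming the `verbose` flag is visible in parser.c, which this hunk does not show), so the dedup stays quiet by default but the situation remains diagnosable. proc_parser_crl() starts and ends outside the hunk.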
@@ -844,10 +844,14 @@ parse_load_certchain(char *uri)
                        warnx("failed to build authority chain");
                        return;
                }
+               if (auth_find(&auths, cert->ski) != NULL) {
+                       cert_free(cert);
+                       return; /* cert already added */
+               }
                stack[i] = cert;
                filestack[i] = uri;
                if (auth_find(&auths, cert->aki) != NULL)
-                       break;  /* found the TA */
+                       break;  /* found chain to TA */
                uri = cert->aia;
        }
 
@@ -904,6 +908,7 @@ parse_load_ta(struct tal *tal)
 static void
 proc_parser_file(char *file, unsigned char *buf, size_t len)
 {
+       static int num;
        X509 *x509 = NULL;
        struct cert *cert = NULL;
        struct mft *mft = NULL;
@@ -914,8 +919,11 @@ proc_parser_file(char *file, unsigned ch
        char *aia = NULL, *aki = NULL, *ski = NULL;
        unsigned long verify_flags = X509_V_FLAG_CRL_CHECK;
 
-       if ((type = rtype_from_file_extension(file)) == RTYPE_INVALID)
-               errx(1, "%s: unsupported file type", file);
+       if (num++ > 0)
+               printf("--\n");
+       printf("File: %s\n", file);
+
+       type = rtype_from_file_extension(file);
 
        switch (type) {
        case RTYPE_CER:
@@ -966,6 +974,7 @@ proc_parser_file(char *file, unsigned ch
                break;
        case RTYPE_CRL: /* XXX no printer yet */
        default:
+               printf("%s: unsupported file type\n", file);
                break;
        }
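Review bot: Replacing the former `errx(1, ...)` with a `printf` changes two things at once: the message for an unrecognised file now goes to stdout, interleaved with the object dump, and the condition no longer terminates with a failure status, so a caller running `rpki-client -f` on a file it does not understand presumably can no longer tell from the exit code. It also labels `RTYPE_CRL` "unsupported" although the `XXX no printer yet` comment on that case says it is merely unprinted. Consider `warnx("%s: unsupported file type", file);` in the default case, a distinct `printf("%s: CRL (no printer yet)\n", file);` for `RTYPE_CRL`, and recording the failure in a flag so the parser can report it in its exit status. proc_parser_file() continues outside the hunk.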
 
Index: rpki-client.8
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/rpki-client.8,v
retrieving revision 1.52
diff -u -p -r1.52 rpki-client.8
--- rpki-client.8       19 Jan 2022 16:33:36 -0000      1.52
+++ rpki-client.8       22 Jan 2022 09:08:48 -0000
@@ -26,11 +26,16 @@
 .Op Fl b Ar sourceaddr
 .Op Fl d Ar cachedir
 .Op Fl e Ar rsync_prog
-.Op Fl f Ar file
 .Op Fl s Ar timeout
 .Op Fl T Ar table
 .Op Fl t Ar tal
 .Op Ar outputdir
+.Nm
+.Fl f
+.Op Fl Vv
+.Op Fl d Ar cachedir
+.Op Fl t Ar tal
+.Ar file ...
 .Sh DESCRIPTION
 The
 .Nm
@@ -93,7 +98,7 @@ It must accept the
 and
 .Fl -address
 flags and connect with rsync-protocol locations.
-.It Fl f Ar file
+.It Fl f
 Validate the
 .Em Signed Object
 in
