On Wed, Jan 26, 2022 at 03:18:54PM +0100, Claudio Jeker wrote:
> rpki-client -f is a great tool to figure out what is going on in the repo.
> I noticed that supporting rsync:// URI (like the one from Authority info
> access or Manifest) is easy and it makes it so much easier to follow
> the breadcrumbs up and down.
Nice.
> While doing that I noticed that instead of using valid_aki_ski() the file
> handling code should just do the lookup with the aki. There is a chance
> that the cert was already added before loading it via -f and then the
> verification fails for no good reason.
> The SKI lookup does not gain us anything here so just skip all the SKI
> handling.
Makes sense.
ok tb
>
> --
> :wq Claudio
>
> ? msg.http
> ? msg.rrdp
> ? obj
> Index: main.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/main.c,v
> retrieving revision 1.185
> diff -u -p -r1.185 main.c
> --- main.c 24 Jan 2022 17:29:37 -0000 1.185
> +++ main.c 26 Jan 2022 14:11:31 -0000
> @@ -387,13 +387,15 @@ queue_add_from_mft_set(const struct mft
> static void
> queue_add_file(const char *file, enum rtype type, int talid)
> {
> - unsigned char *buf;
> + unsigned char *buf = NULL;
> char *nfile;
> - size_t len;
> + size_t len = 0;
>
> - buf = load_file(file, &len);
> - if (buf == NULL)
> - err(1, "%s", file);
> + if (!filemode || strncmp(file, "rsync://", strlen("rsync://")) != 0) {
> + buf = load_file(file, &len);
> + if (buf == NULL)
> + err(1, "%s", file);
> + }
>
> if ((nfile = strdup(file)) == NULL)
> err(1, NULL);
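Review bot: With the new guard, `buf == NULL` together with `len == 0` now reaches the rest of queue_add_file (which continues past this hunk) as a legitimate state, so whatever is queued from those two values must tolerate a NULL buffer instead of treating it as the load failure it used to signal. The `"rsync://"` prefix test is also spelled out twice, here and in proc_parser_file; a shared `#define RSYNC_PROTO "rsync://"` used as `strncmp(file, RSYNC_PROTO, strlen(RSYNC_PROTO))` on both sides keeps the two checks identical. A one-line comment on the guard, `/* in -f mode an rsync:// URI is resolved against the cache by the parser */`, would make the deferred load obvious to the next reader.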
> Index: parser.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/parser.c,v
> retrieving revision 1.55
> diff -u -p -r1.55 parser.c
> --- parser.c 26 Jan 2022 13:57:56 -0000 1.55
> +++ parser.c 26 Jan 2022 14:11:31 -0000
> @@ -901,11 +901,21 @@ proc_parser_file(char *file, unsigned ch
> struct gbr *gbr = NULL;
> struct tal *tal = NULL;
> enum rtype type;
> - char *aia = NULL, *aki = NULL, *ski = NULL;
> + char *aia = NULL, *aki = NULL;
> unsigned long verify_flags = X509_V_FLAG_CRL_CHECK;
>
> if (num++ > 0)
> printf("--\n");
> +
> + if (strncmp(file, "rsync://", strlen("rsync://")) == 0) {
> + file += strlen("rsync://");
> + buf = load_file(file, &len);
> + if (buf == NULL) {
> + warn("parse file %s", file);
> + return;
> + }
> + }
> +
> printf("File: %s\n", file);
>
> type = rtype_from_file_extension(file);
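Review bot: The buffer loaded here overwrites the `buf` parameter, so unless the tail of proc_parser_file (outside this hunk) frees it, every rsync:// URI handed to -f leaks the file contents, while a caller-loaded buffer presumably stays owned by the caller. If the caller does not free it, a `free(buf)` on the URI path before returning, or a separate local that is freed at the end, would close that. Note also that `file` is advanced past the scheme before the `File:` line is printed, so the output shows the cache-relative path rather than the URI the user typed; printing the original pointer would keep the output matching the argument. The enclosing function starts before and ends after this hunk.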
> @@ -918,7 +928,6 @@ proc_parser_file(char *file, unsigned ch
> cert_print(cert);
> aia = cert->aia;
> aki = cert->aki;
> - ski = cert->ski;
> x509 = cert->x509;
> if (X509_up_ref(x509) == 0)
> errx(1, "%s: X509_up_ref failed", __func__);
> @@ -930,7 +939,6 @@ proc_parser_file(char *file, unsigned ch
> mft_print(mft);
> aia = mft->aia;
> aki = mft->aki;
> - ski = mft->ski;
> verify_flags = 0;
> break;
> case RTYPE_ROA:
> @@ -940,7 +948,6 @@ proc_parser_file(char *file, unsigned ch
> roa_print(roa);
> aia = roa->aia;
> aki = roa->aki;
> - ski = roa->ski;
> break;
> case RTYPE_GBR:
> gbr = gbr_parse(&x509, file, buf, len);
> @@ -949,7 +956,6 @@ proc_parser_file(char *file, unsigned ch
> gbr_print(gbr);
> aia = gbr->aia;
> aki = gbr->aki;
> - ski = gbr->ski;
> break;
> case RTYPE_TAL:
> tal = tal_parse(file, buf, len);
> @@ -972,7 +978,7 @@ proc_parser_file(char *file, unsigned ch
> parse_load_crl(c);
> free(c);
> parse_load_certchain(aia);
> - a = valid_ski_aki(file, &auths, ski, aki);
> + a = auth_find(&auths, aki);
> crl = get_crl(a);
>
> if (valid_x509(file, x509, a, crl, verify_flags))
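Review bot: If valid_ski_aki() emitted a diagnostic on a failed AKI lookup, auth_find() presumably does not, so when no issuer is in the tree the -f output now shows only `Validation: Failed` with no hint why; keep the hint with `if (a == NULL) warnx("%s: unknown AKI", file);` after the lookup. That also gives a clear message when `aki` is NULL for an object that still has an AIA, a case auth_find may not guard against on its own. The enclosing function continues outside the hunk.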
> Index: rpki-client.8
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/rpki-client.8,v
> retrieving revision 1.55
> diff -u -p -r1.55 rpki-client.8
> --- rpki-client.8 24 Jan 2022 06:54:15 -0000 1.55
> +++ rpki-client.8 26 Jan 2022 14:11:31 -0000
> @@ -106,6 +106,9 @@ in
> against the RPKI cache stored in
> .Ar cachedir
> and print human-readable information about the object.
> +If
> +.Ar file
> +is an rsync:// URI the corresponding file from the cache will be used.
> This option implies
> .Fl n .
> .It Fl j
>