Hi,
This changeset extends rpki-client to print more of the detail encapsulated inside TAL files; of specific interest is printing the Subject Key Identifier (SKI) of the Trust Anchor certificate you would find if you downloaded the referenced .cer file. The SubjectPublicKeyInfo (SPKI) is printed as base64-encoded DER.
Example:
$ rpki-client -f /etc/rpki/ripe.tal
File: /etc/rpki/ripe.tal
Trust anchor name: ripe
Subject key identifier: E8:55:2B:1F:D6:D1:A4:F7:E4:04:C6:D8:E5:68:0D:1E:BC:16:3F:C3
Trust anchor locations:
1: https://rpki.ripe.net/ta/ripe-ncc-ta.cer
2: rsync://rpki.ripe.net/ta/ripe-ncc-ta.cer
Subject public key information: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0URYSGqUz2myBsOzeW1jQ6NsxNvlLMyhWknvnl8NiBCs/T/S2XuNKQNZ+wBZxIgPPV2pFBFeQAvoH/WK83HwA26V2siwm/MY2nKZ+Olw+wlpzlZ1p3Ipj2eNcKrmit8BwBC8xImzuCGaV0jkRB0GZ0hoH6Ml03umLprRsn6v0xOP0+l6Qc1ZHMFVFb385IQ7FQQTcVIxrdeMsoyJq9eMkE6DoclHhF/NlSllXubASQ9KUWqJ0+Ot3QCXr4LXECMfkpkVR2TZT+v5v658bHVs6ZxRD1b6Uk1uQKAyHUbn/tXvP8lrjAibGzVsXDT2L0x4Edx+QdixPgOji3gBMyL2VwIDAQAB
OK?
Kind regards,
Job
Index: print.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/print.c,v
retrieving revision 1.6
diff -u -p -r1.6 print.c
--- print.c 21 Mar 2022 10:39:51 -0000 1.6
+++ print.c 11 Apr 2022 16:03:39 -0000
@@ -25,6 +25,8 @@
 #include <string.h>
 #include <time.h>
+#include <openssl/evp.h>
+
 #include "extern.h"
 static const char *
@@ -62,10 +64,46 @@ time2str(time_t t)
 void
 tal_print(const struct tal *p)
 {
- size_t i;
+ char *talpkey, *ski;
+ EVP_PKEY *pk;
+ RSA *r;
+ unsigned char *der, *rder = NULL;
+ unsigned char md[SHA_DIGEST_LENGTH];
+ int rder_len;
+ size_t i;
+
+ printf("Trust anchor name: %s\n", p->descr);
+
+ der = p->pkey;
+ pk = d2i_PUBKEY(NULL, (const unsigned char **)&der, p->pkeysz);
+ if (pk == NULL)
+ errx(1, "d2i_PUBKEY failed in %s", __func__);
+
+ r = EVP_PKEY_get1_RSA(pk);
+ if (r == NULL)
+ errx(1, "EVP_PKEY_get0_RSA failed in %s", __func__);
+ if ((rder_len = i2d_RSAPublicKey(r, &rder)) <= 0)
+ errx(1, "i2d_RSAPublicKey failed in %s", __func__);
+
+ if (!EVP_Digest(rder, rder_len, md, NULL, EVP_sha1(), NULL))
+ errx(1, "EVP_Digest failed in %s", __func__);
+ ski = hex_encode(md, SHA_DIGEST_LENGTH);
+ printf("Subject key identifier: %s\n", pretty_key_id(ski));
+
+ printf("Trust anchor locations:\n");
 for (i = 0; i < p->urisz; i++)
- printf("%5zu: URI: %s\n", i + 1, p->uri[i]);
+ printf("%5zu: %s\n", i + 1, p->uri[i]);
+
+ if (base64_encode(p->pkey, p->pkeysz, &talpkey) == -1)
+ errx(1, "base64_encode failed in %s", __func__);
+ printf("Subject public key information: %s\n", talpkey);
+
+ EVP_PKEY_free(pk);
+ RSA_free(r);
+ free(rder);
+ free(ski);
+ free(talpkey);
 }
 void
Index: rpki-client.8
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/rpki-client.8,v
retrieving revision 1.57
diff -u -p -r1.57 rpki-client.8
--- rpki-client.8 31 Mar 2022 17:27:31 -0000 1.57
+++ rpki-client.8 11 Apr 2022 16:03:39 -0000
@@ -99,7 +99,9 @@ and
 .Fl -address
 flags and connect with rsync-protocol locations.
 .It Fl f Ar
-Validate the
+Decode the
+. Em TAL
+or validate the
 .Em Signed Object
 in
 .Ar file
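Review bot: The error message after `r = EVP_PKEY_get1_RSA(pk);` names the wrong function — it reports `EVP_PKEY_get0_RSA failed`, which will mislead whoever debugs a malformed or non-RSA trust-anchor key; change it to `errx(1, "EVP_PKEY_get1_RSA failed in %s", __func__);`. The `(const unsigned char **)&der` cast can go by declaring `const unsigned char *der = p->pkey;` (nothing writes through `der` afterwards), and nothing checks that `d2i_PUBKEY` consumed exactly `p->pkeysz` bytes (`der != p->pkey + p->pkeysz`), which would catch trailing garbage in the TAL key unless the TAL parser already rejects it. The new code also uses `RSA_*`, `i2d_RSAPublicKey` and `SHA_DIGEST_LENGTH` while the include hunk above adds only `<openssl/evp.h>`; unless extern.h already pulls in `<openssl/rsa.h>` and `<openssl/sha.h>`, include them explicitly rather than relying on transitive includes. Computing the SKI as SHA-1 over the `i2d_RSAPublicKey` output matches RFC 5280 method 1 for RSA keys but is RSA-specific, so a comment such as `/* SKI per RFC 5280 4.2.1.2 method 1: SHA-1 of the subjectPublicKey bits; RPKI keys are RSA (RFC 7935) */` above the digest would record that assumption for the next reader.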