Hi,
This changeset extends rpki-client to print more of the detail encapsulated inside TAL files. Of specific interest is printing the Subject Key Identifier (SKI) derived from the public key embedded in the TAL, i.e. the SKI you would expect the Trust Anchor certificate at the referenced .cer locations to carry. The SubjectPublicKeyInfo (SPKI) from the TAL is printed as base64-encoded DER.
Example:
$ rpki-client -f /etc/rpki/ripe.tal
File: /etc/rpki/ripe.tal
Trust anchor name: ripe
Subject key identifier:
E8:55:2B:1F:D6:D1:A4:F7:E4:04:C6:D8:E5:68:0D:1E:BC:16:3F:C3
Trust anchor locations:
1: https://rpki.ripe.net/ta/ripe-ncc-ta.cer
2: rsync://rpki.ripe.net/ta/ripe-ncc-ta.cer
Subject public key information:
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0URYSGqUz2myBsOzeW1jQ6NsxNvlLMyhWknvnl8NiBCs/T/S2XuNKQNZ+wBZxIgPPV2pFBFeQAvoH/WK83HwA26V2siwm/MY2nKZ+Olw+wlpzlZ1p3Ipj2eNcKrmit8BwBC8xImzuCGaV0jkRB0GZ0hoH6Ml03umLprRsn6v0xOP0+l6Qc1ZHMFVFb385IQ7FQQTcVIxrdeMsoyJq9eMkE6DoclHhF/NlSllXubASQ9KUWqJ0+Ot3QCXr4LXECMfkpkVR2TZT+v5v658bHVs6ZxRD1b6Uk1uQKAyHUbn/tXvP8lrjAibGzVsXDT2L0x4Edx+QdixPgOji3gBMyL2VwIDAQAB
OK?
Kind regards,
Job
Index: print.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/print.c,v
retrieving revision 1.6
diff -u -p -r1.6 print.c
--- print.c 21 Mar 2022 10:39:51 -0000 1.6
+++ print.c 11 Apr 2022 16:03:39 -0000
@@ -25,6 +25,8 @@
#include <string.h>
#include <time.h>
+#include <openssl/evp.h>
+
#include "extern.h"
static const char *
@@ -62,10 +64,46 @@ time2str(time_t t)
void
tal_print(const struct tal *p)
{
- size_t i;
+ char *talpkey, *ski;
+ EVP_PKEY *pk;
+ RSA *r;
+ unsigned char *der, *rder = NULL;
+ unsigned char md[SHA_DIGEST_LENGTH];
+ int rder_len;
+ size_t i;
+
+ printf("Trust anchor name: %s\n", p->descr);
+
+ der = p->pkey;
+ pk = d2i_PUBKEY(NULL, (const unsigned char **)&der, p->pkeysz);
+ if (pk == NULL)
+ errx(1, "d2i_PUBKEY failed in %s", __func__);
+
+ r = EVP_PKEY_get1_RSA(pk);
+ if (r == NULL)
+ errx(1, "EVP_PKEY_get0_RSA failed in %s", __func__);
+ if ((rder_len = i2d_RSAPublicKey(r, &rder)) <= 0)
+ errx(1, "i2d_RSAPublicKey failed in %s", __func__);
+
+ if (!EVP_Digest(rder, rder_len, md, NULL, EVP_sha1(), NULL))
+ errx(1, "EVP_Digest failed in %s", __func__);
+ ski = hex_encode(md, SHA_DIGEST_LENGTH);
+ printf("Subject key identifier: %s\n", pretty_key_id(ski));
+
+ printf("Trust anchor locations:\n");
for (i = 0; i < p->urisz; i++)
- printf("%5zu: URI: %s\n", i + 1, p->uri[i]);
+ printf("%5zu: %s\n", i + 1, p->uri[i]);
+
+ if (base64_encode(p->pkey, p->pkeysz, &talpkey) == -1)
+ errx(1, "base64_encode failed in %s", __func__);
+ printf("Subject public key information: %s\n", talpkey);
+
+ EVP_PKEY_free(pk);
+ RSA_free(r);
+ free(rder);
+ free(ski);
+ free(talpkey);
}
void
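Review bot: The failure message on the EVP_PKEY_get1_RSA() check names a different function than the one called, which will misdirect anyone debugging a non-RSA or malformed TAL key; it should read `errx(1, "EVP_PKEY_get1_RSA failed in %s", __func__);`. The digest step also deserves a comment so the SHA-1 use is not flagged as a weak-hash choice on a later audit: `/* SKI per RFC 6487 4.8.2 / RFC 5280 method 1: SHA-1 over the SPKI BIT STRING value, which for RSA is the DER RSAPublicKey; this is a key identifier, not a security primitive. */` placed before the EVP_Digest() call. It is worth stating in the same comment that the value is computed from the key the TAL pins, not from a fetched .cer, so it is only what the downloaded certificate should match, not evidence that it does. The new code also relies on RSA, i2d_RSAPublicKey, d2i_PUBKEY and SHA_DIGEST_LENGTH being visible through extern.h rather than the added evp.h include, which seems to hold here but may be worth a direct include of the corresponding OpenSSL headers.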
Index: rpki-client.8
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/rpki-client.8,v
retrieving revision 1.57
diff -u -p -r1.57 rpki-client.8
--- rpki-client.8 31 Mar 2022 17:27:31 -0000 1.57
+++ rpki-client.8 11 Apr 2022 16:03:39 -0000
@@ -99,7 +99,9 @@ and
.Fl -address
flags and connect with rsync-protocol locations.
.It Fl f Ar
-Validate the
+Decode the
+. Em TAL
+or validate the
.Em Signed Object
in
.Ar file