Hi all, Since certificate malleability is no longer a problem in the RPKI ecosystem ... the SHA256 digest of an RPKI signed object input file is a very stable identifier to associate with the decoded (validated) output from filemode!
Example: $ rpki-client -j -f rZWj66_V88W5B41mgMEm-TNr_EU.roa { "file": "rZWj66_V88W5B41mgMEm-TNr_EU.roa", "hash_id": "SYWMTnEkWN5L+qD/TgYvMakQ1rSktXsgJrR1dLu8GTA=", "type": "roa", "ski": "AD:95:A3:EB:AF:D5:F3:C5:B9:07:8D:66:80:C1:26:F9:33:6B:FC:45", "cert_serial": "03", "aki": "38:E1:4F:92:FD:C7:CC:FB:FC:18:23:61:52:3A:E2:7D:69:7E:95:2F", "aia": "rsync://rpki.ripe.net/repository/DEFAULT/OOFPkv3HzPv8GCNhUjrifWl-lS8.cer", "valid_until": 1656633600, "vrps": [ { "prefix": "2a0e:b240::/29", "asid": 0, "maxlen": 29 } ], "validation": "OK" } 'hash_id' could be used as a proper primary key in relational databases. OK? Kind regards, Job
Index: filemode.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/filemode.c,v
retrieving revision 1.2
diff -u -p -r1.2 filemode.c
--- filemode.c 21 Apr 2022 12:59:03 -0000 1.2
+++ filemode.c 23 Apr 2022 19:02:19 -0000
@@ -265,6 +265,7 @@ proc_parser_file(char *file, unsigned ch
 	struct gbr *gbr = NULL;
 	struct tal *tal = NULL;
 	char *aia = NULL, *aki = NULL;
+	char filehash[SHA256_DIGEST_LENGTH], *hash = NULL;
 	enum rtype type;
 	int is_ta = 0;
 
@@ -284,10 +285,20 @@ proc_parser_file(char *file, unsigned ch
 		}
 	}
 
-	if (outformats & FORMAT_JSON)
+
+	if (!EVP_Digest(buf, len, filehash, NULL, EVP_sha256(), NULL))
+		errx(1, "EVP_Digest failed in %s", __func__);
+
+	if (base64_encode(filehash, sizeof(filehash), &hash) == -1)
+		errx(1, "base64_encode failed in %s", __func__);
+
+	if (outformats & FORMAT_JSON) {
 		printf("{\n\t\"file\": \"%s\",\n", file);
-	else
+		printf("\t\"hash_id\": \"%s\",\n", hash);
+	} else {
 		printf("File: %s\n", file);
+		printf("Hash identifier: %s\n", hash);
+	}
 
 	type = rtype_from_file_extension(file);
 
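Review bot: `filehash` in the first hunk is declared as `char`, but `EVP_Digest()` writes the digest through an `unsigned char *` and base64_encode() presumably takes `const unsigned char *` as well, so both calls in the second hunk will draw incompatible-pointer warnings; declare it as `unsigned char filehash[SHA256_DIGEST_LENGTH];` and keep `char *hash = NULL;` on its own line. Separately, `hash` is the heap buffer that base64_encode() allocates for the caller, and neither hunk frees it; proc_parser_file() continues past the end of the hunk, so unless the function's existing cleanup path already releases `hash`, add `free(hash);` there — otherwise every file processed in filemode leaks one encoded digest. The base64 alphabet contains no characters that need JSON escaping, so printing `hash` straight into the "hash_id" string value is safe as written.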