On Sat, Apr 23, 2022 at 07:10:06PM +0000, Job Snijders wrote:
> Hi all,
>
> Since certificate malleability no longer is a problem in the RPKI
> ecosystem ... the SHA256 digest of a RPKI signed object input file is a
> very stable identifier to associate to the decoded (validated) output
> from filemode!
>
> Example:
>
> $ rpki-client -j -f rZWj66_V88W5B41mgMEm-TNr_EU.roa
> {
> 	"file": "rZWj66_V88W5B41mgMEm-TNr_EU.roa",
> 	"hash_id": "SYWMTnEkWN5L+qD/TgYvMakQ1rSktXsgJrR1dLu8GTA=",
> 	"type": "roa",
> 	"ski": "AD:95:A3:EB:AF:D5:F3:C5:B9:07:8D:66:80:C1:26:F9:33:6B:FC:45",
> 	"cert_serial": "03",
> 	"aki": "38:E1:4F:92:FD:C7:CC:FB:FC:18:23:61:52:3A:E2:7D:69:7E:95:2F",
> 	"aia": "rsync://rpki.ripe.net/repository/DEFAULT/OOFPkv3HzPv8GCNhUjrifWl-lS8.cer",
> 	"valid_until": 1656633600,
> 	"vrps": [
> 		{ "prefix": "2a0e:b240::/29", "asid": 0, "maxlen": 29 }
> 	],
> 	"validation": "OK"
> }
>
> 'hash_id' could be used as a proper primary key in relational databases.
I'm fine with Base64, but I wonder if it should not be hex encoded like the other hashes (ski/aki). > > OK? You leak hash, see below. With that fixed, I'm ok with this. > > Kind regards, > > Job > > Index: filemode.c > =================================================================== > RCS file: /cvs/src/usr.sbin/rpki-client/filemode.c,v > retrieving revision 1.2 > diff -u -p -r1.2 filemode.c > --- filemode.c 21 Apr 2022 12:59:03 -0000 1.2 > +++ filemode.c 23 Apr 2022 19:02:19 -0000 > @@ -265,6 +265,7 @@ proc_parser_file(char *file, unsigned ch > struct gbr *gbr = NULL; > struct tal *tal = NULL; > char *aia = NULL, *aki = NULL; > + char filehash[SHA256_DIGEST_LENGTH], *hash = NULL; Initialization of hash isn't needed. > enum rtype type; > int is_ta = 0; > > @@ -284,10 +285,20 @@ proc_parser_file(char *file, unsigned ch > } > } > > - if (outformats & FORMAT_JSON) > + > + if (!EVP_Digest(buf, len, filehash, NULL, EVP_sha256(), NULL)) > + errx(1, "EVP_Digest failed in %s", __func__); > + > + if (base64_encode(filehash, sizeof(filehash), &hash) == -1) > + errx(1, "base64_encode failed in %s", __func__); > + > + if (outformats & FORMAT_JSON) { > printf("{\n\t\"file\": \"%s\",\n", file); > - else > + printf("\t\"hash_id\": \"%s\",\n", hash); > + } else { > printf("File: %s\n", file); > + printf("Hash identifier: %s\n", hash); > + } free(hash); > > type = rtype_from_file_extension(file); > >
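Review bot: in the first hunk (@@ -265,6 +265,7 @@), `filehash` should be declared `unsigned char`, not `char`: `EVP_Digest()` writes the digest through an `unsigned char *md` parameter, so `+ char filehash[SHA256_DIGEST_LENGTH], *hash = NULL;` hands it a pointer of the wrong signedness and draws a pointer-sign warning at the `EVP_Digest(buf, len, filehash, ...)` call; `unsigned char filehash[SHA256_DIGEST_LENGTH]; char *hash;` fixes both that and the unneeded initialization already noted above.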
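Review bot: in the second hunk (@@ -284,10 +285,20 @@), the bare `+` line inserted right after the closing `}` of the preceding block leaves two consecutive blank lines before the `EVP_Digest()` call; drop it. The buffer that `base64_encode()` allocates into `hash` is only read by the two `printf()` calls and is never released, so the `free(hash);` suggested above belongs directly after the closing `}` of the `else` branch, before `type = rtype_from_file_extension(file);`, where both output paths have finished with it.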