CVSROOT:	/cvs
Module name:	src
Changes by:	t...@cvs.openbsd.org	2025/03/26 23:03:09

Modified files:
	usr.sbin/rpki-client: cert.c extern.h main.c output-bgpd.c
	                      output-bird.c output-csv.c output-json.c
	                      output-ometric.c output.c parser.c

Log message:
rpki-client: collect non-functional CAs

A non-functional CA is a CA which has not signed any currently valid
Manifest. Such a CA does not meaningfully participate in the RPKI and
only consumes resources. This commit collects these CAs and adds support
code for outputting some info on them into the JSON dump.

This is motivated by Job's policy proposal on revoking persistently
non-functional CAs on the RIPE-NCC routing-wg list:
https://mailman.ripe.net/archives/list/routing...@ripe.net/thread/USQUMNOE3L3UUD3JZVI6LH7VMDRPL7K4/

The strategy is straightforward: build a tree of TA/CA certs sorted by
certid and when we encounter a mft issued by the CA with certid remove
that from the tree. This will also make it straightforward to add that
to stats/ometrics.

One slightly tricky bit is to avoid flagging CAs that were skipped or
not shortlisted. That's why the call to cert_insert_nca() is where it is
and not in entity_process() like for most other trees.

The other annoying bit is to get the path of the cert without .rsync/
and .rrdp/*/ artifacts prepended to it. While this can be obtained by
chopping up the file in entity_process(), it's cleaner to construct the
DIR_VALID path and pass that over the pipe. This should be revisited.

The third annoying bit is the number of trees we need to pass to the
output functions. We should really hang all the trees off a single
struct so we can avoid this churn when we add the next tree.

with/ok claudio job
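The strategy in the log message, as an added illustration rather than rpki-client's own code: CA certs are keyed by certid once they have actually been accepted for processing (skipped or non-shortlisted CAs are never inserted), each valid manifest removes its issuer's entry, and whatever remains is non-functional. The names nca_insert(), nca_remove() and nca_example(), the certids and the paths are all constructed for this example, and a sorted array stands in for the real tree.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NCA 64

/* One candidate non-functional CA: its certid and DIR_VALID-style path. */
struct nca_entry { int certid; const char *path; };
struct nca_tree  { struct nca_entry e[MAX_NCA]; size_t n; };

static int nca_cmp(const void *a, const void *b)
{
	int x = ((const struct nca_entry *)a)->certid;
	int y = ((const struct nca_entry *)b)->certid;
	return (x > y) - (x < y);
}

/* Insert only after the CA has passed shortlisting/skip checks. */
int nca_insert(struct nca_tree *t, int certid, const char *path)
{
	if (t->n >= MAX_NCA)
		return -1;
	t->e[t->n].certid = certid;
	t->e[t->n].path = path;
	t->n++;
	qsort(t->e, t->n, sizeof t->e[0], nca_cmp); /* keep sorted by certid */
	return 0;
}

/* A valid manifest was issued by certid: that CA is functional, drop it. */
int nca_remove(struct nca_tree *t, int certid)
{
	struct nca_entry key = { certid, NULL }, *f;
	size_t idx;

	f = bsearch(&key, t->e, t->n, sizeof t->e[0], nca_cmp);
	if (f == NULL)
		return 0;
	idx = (size_t)(f - t->e);
	memmove(&t->e[idx], &t->e[idx + 1], (t->n - idx - 1) * sizeof t->e[0]);
	t->n--;
	return 1;
}

static struct nca_tree demo_tree;

/* Constructed walk: CAs 1-3 accepted, CA 4 skipped; mfts seen for 1, 3, 4. */
size_t nca_example(struct nca_tree *t)
{
	memset(t, 0, sizeof *t);
	nca_insert(t, 3, "ta.example/ca3.cer");
	nca_insert(t, 1, "ta.example/ca1.cer");
	nca_insert(t, 2, "ta.example/ca2.cer");
	nca_remove(t, 1);
	nca_remove(t, 3);
	nca_remove(t, 4); /* never inserted (skipped), so nothing to flag */
	return t->n;      /* remaining entries are the non-functional CAs */
}
```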