Re: rpki-client patch submission

Thu, 17 Oct 2019 05:06:59 -0700 

Hi Claudio,
I've picked up a manifest file from rsync://rpki-repository.nic.ad.jp/ap/A91A73810000/131/L8CZI7Bafo8a3ZpZhO3BkyDbl0s.mft 

The original version returned (i'm at BRT/GMT-3)

~/tmp/rpki-client/test-mft -fv L8CZI7Bafo8a3ZpZhO3BkyDbl0s.mft

test-mft: L8CZI7Bafo8a3ZpZhO3BkyDbl0s.mft: before date interval (clock 
drift?)


Then I recompiled with the patch

~/tmp/rpki-client/test-mft -fv L8CZI7Bafo8a3ZpZhO3BkyDbl0s.mft

Subject key identifier: 
EE:5D:98:F8:26:D1:CB:74:51:66:33:19:CF:0A:3D:07:93:16:0B:73
Authority key identifier: 
2F:C0:99:23:B0:5A:7E:8F:1A:DD:9A:59:84:ED:C1:93:20:DB:97:4B

    1: 0ZTSWTHKM6DAI-7X7vKA4Dsl0QA.roa
    2: CEWdZa_wPWlIQFjORnCFsISzzDU.roa
    3: DFkQyvXRONF1IbHjMuKJg6ba9cQ.roa
    4: DbWquhW0v3em_pNviWFlwF7gvew.roa
    5: L8CZI7Bafo8a3ZpZhO3BkyDbl0s.crl
    6: W-2EIMQvUkht96ZljxZUZaXrK1g.roa

More details about this mft:

EE Certificate 
===============================================================================================

                       Version: 3
                        Serial: 0B

                        Issuer: 
/CN=2FC09923B05A7E8F1ADD9A5984EDC19320DB974B
                       Subject: 
/CN=EE5D98F826D1CB7451663319CF0A3D0793160B73

                    Not Before: 2019-08-27 08:27:42 UTC
                     Not After: 2020-06-19 08:41:09 UTC

           Subject Info Access: 
rsync://rpki-repository.nic.ad.jp/ap/A91A73810000/131/L8CZI7Bafo8a3ZpZhO3BkyDbl0s.mft
        Subject key identifier: 
EE:5D:98:F8:26:D1:CB:74:51:66:33:19:CF:0A:3D:07:93:16:0B:73
      Authority key identifier: 
2F:C0:99:23:B0:5A:7E:8F:1A:DD:9A:59:84:ED:C1:93:20:DB:97:4B
Manifest 
=====================================================================================================

               Manifest Number: 1771
                   This Update: 2019-10-17 09:50:00 UTC
                   Next Update: 2019-10-17 15:50:00 UTC

605f9f2aabffcb4836c1de1162f5e45dceea7d231e8141fc5e6545dda978be02 
0ZTSWTHKM6DAI-7X7vKA4Dsl0QA.roa
437c82214bb75aa0fafd68b42f84c790d2f3408021123ebd1af4896dd41bbcd0 
CEWdZa_wPWlIQFjORnCFsISzzDU.roa
5511d23b3927e6b388c518ea742fea889c581c27b457f1cd89fcef7d9bbb3b65 
DFkQyvXRONF1IbHjMuKJg6ba9cQ.roa
2134e5ecb8484bc45bdaf45d94f5476311ead9d9321aa2d8930b402810442199 
DbWquhW0v3em_pNviWFlwF7gvew.roa
85f385500f59a47782e6bd970d507f8345199576be0db7a74fbfcce4162cb62b 
L8CZI7Bafo8a3ZpZhO3BkyDbl0s.crl
71c701bf391c6d65cf9527bab7c0e5344851f658f175314e7cfadfd6ec1e9485 
W-2EIMQvUkht96ZljxZUZaXrK1g.roa



Regards,
Alexandre Hamada

On 17/10/2019 08:47, Claudio Jeker wrote:

On Thu, Oct 17, 2019 at 08:07:18AM -0300, Alexandre Hamada wrote:

Hi Claudio,

Thanks for this, much appreciated.

This is a much cleaner solution, I really liked it.

I've tested both versions against a brand new manifest, and it is working
well.

Thanks for testing. Did you manage to trigger warnings with the original
version (the one using mktime())? I was not really abel to trigger them
but my guess is that CEST is just to close to GMT.

  

One thing about this patch, at mft_parse_econtent() there are some unused
variables left (this, next, now and buf[64]).

Good point. I removed them in my tree.

  

Thanks again and regards,
Alexandre Hamada


On 16/10/2019 17:47, Claudio Jeker wrote:

On Wed, Oct 16, 2019 at 07:26:25AM -0300, Alexandre Hamada wrote:

Hi Tech,
I would like to suggest to use UTC functions on all date/time convertions,
to avoid some clock drift errors.

Kind regards,
Alexandre Hamada

https://patch-diff.githubusercontent.com/raw/kristapsdz/rpki-client/pull/9.patch

  From a463f8cb23375f15b74eff49a06e8934423e3dbf Mon Sep 17 00:00:00 2001
From: dev-gto <43351700+dev-...@users.noreply.github.com>
Date: Wed, 16 Oct 2019 07:22:46 -0300
Subject: [PATCH] Avoid local time conversion

---
   mft.c | 4 ++--
   1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/mft.c b/mft.c
index f9176b4..738f3ff 100644
--- a/mft.c
+++ b/mft.c
@@ -75,8 +75,8 @@ gentime2time(struct parse *p, const ASN1_GENERALIZEDTIME *tp)
        memset(&tm, 0, sizeof(struct tm));
        if (strptime(buf, "%b %d %T %Y %Z", &tm) == NULL)
                errx(EXIT_FAILURE, "%s: strptime", buf);
-       if ((t = mktime(&tm)) == -1)
-               errx(EXIT_FAILURE, "%s: mktime", buf);
+       if ((t = timegm(&tm)) == -1)
+               errx(EXIT_FAILURE, "%s: timegm", buf);
        return t;
   }


Hi Alexandre,

How about this diff instead. This is inspired by OCSP_check_validity() and
uses ASN1_GENERALIZEDTIME_check() and X509_cmp_time() to do the validity
check. I think this has a way better chance to produce the expected
results. My quick testing seems to indicate that it works but review and
testing is very welcome.

























					Reply via email to