rpki-client -f is a great tool to figure out what is going on in the repo. I noticed that supporting rsync:// URIs (like the ones from the Authority Information Access extension or the manifest) is easy, and it makes it so much easier to follow the breadcrumbs up and down.
While doing that I noticed that instead of using valid_aki_ski() the file handling code should just do the lookup with the aki. There is a chance that the cert was already added before loading it via -f and then the verification fails for no good reason. The SKI lookup does not gain us anything here so just skip all the SKI handling. -- :wq Claudio
? msg.http
? msg.rrdp
? obj
Index: main.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/main.c,v
retrieving revision 1.185
diff -u -p -r1.185 main.c
--- main.c 24 Jan 2022 17:29:37 -0000 1.185
+++ main.c 26 Jan 2022 14:11:31 -0000
@@ -387,13 +387,15 @@ queue_add_from_mft_set(const struct mft
 static void
 queue_add_file(const char *file, enum rtype type, int talid)
 {
- unsigned char *buf;
+ unsigned char *buf = NULL;
 char *nfile;
- size_t len;
+ size_t len = 0;
- buf = load_file(file, &len);
- if (buf == NULL)
- err(1, "%s", file);
+ if (!filemode || strncmp(file, "rsync://", strlen("rsync://")) != 0) {
+ buf = load_file(file, &len);
+ if (buf == NULL)
+ err(1, "%s", file);
+ }
 if ((nfile = strdup(file)) == NULL)
 err(1, NULL);
Index: parser.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/parser.c,v
retrieving revision 1.55
diff -u -p -r1.55 parser.c
--- parser.c 26 Jan 2022 13:57:56 -0000 1.55
+++ parser.c 26 Jan 2022 14:11:31 -0000
@@ -901,11 +901,21 @@ proc_parser_file(char *file, unsigned ch
 struct gbr *gbr = NULL;
 struct tal *tal = NULL;
 enum rtype type;
- char *aia = NULL, *aki = NULL, *ski = NULL;
+ char *aia = NULL, *aki = NULL;
 unsigned long verify_flags = X509_V_FLAG_CRL_CHECK;
 if (num++ > 0)
 printf("--\n");
+ if (strncmp(file, "rsync://", strlen("rsync://")) == 0) {
+ file += strlen("rsync://");
+ buf = load_file(file, &len);
+ if (buf == NULL) {
+ warn("parse file %s", file);
+ return;
+ }
+ }
+
 printf("File: %s\n", file);
 type = rtype_from_file_extension(file);
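Review bot: The prefix test in the new `if (!filemode || strncmp(file, "rsync://", strlen("rsync://")) != 0)` is the same literal-plus-strlen pair that parser.c repeats to undo the deferral, so the two sides can only stay in sync by hand; a shared `#define RSYNC_PROTO "rsync://"` with `#define RSYNC_PROTO_LEN (sizeof(RSYNC_PROTO) - 1)` in the common header would give both one spelling and drop the runtime strlen() of a constant. A short comment above the condition, `/* in -f mode an rsync:// URI is resolved against the cache by the parser, nothing to load here */`, would also explain why buf and len are deliberately left NULL/0 in that case, since an entity queued without data is only meaningful to the file-mode parser. queue_add_file continues past the end of the hunk.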
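Review bot: In the new rsync:// branch proc_parser_file allocates `buf` itself through load_file(), whereas every other caller still hands in a buffer it owns, so the function now has two ownership cases and its exit paths, which lie outside this hunk, need to release the locally loaded buffer (a `free(buf)` guarded by whether this branch ran, or a small local flag) or each -f lookup of a URI leaks one object's worth of memory. The stripped remainder is also used verbatim as a path relative to the cache, so `rsync://../../x` reads outside it; that is no worse than passing such a path directly to -f, but a comment like `/* -f: map an rsync:// URI onto its cached copy; the path is taken as-is */` would record that this is intentional. Note too that after `file += strlen("rsync://")` the `File:` line and the warn() message show the cache-relative path rather than the URI the user typed, which is worth keeping in mind when reading the diagnostics.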
@@ -918,7 +928,6 @@ proc_parser_file(char *file, unsigned ch
 cert_print(cert);
 aia = cert->aia;
 aki = cert->aki;
- ski = cert->ski;
 x509 = cert->x509;
 if (X509_up_ref(x509) == 0)
 errx(1, "%s: X509_up_ref failed", __func__);
@@ -930,7 +939,6 @@ proc_parser_file(char *file, unsigned ch
 mft_print(mft);
 aia = mft->aia;
 aki = mft->aki;
- ski = mft->ski;
 verify_flags = 0;
 break;
 case RTYPE_ROA:
@@ -940,7 +948,6 @@ proc_parser_file(char *file, unsigned ch
 roa_print(roa);
 aia = roa->aia;
 aki = roa->aki;
- ski = roa->ski;
 break;
 case RTYPE_GBR:
 gbr = gbr_parse(&x509, file, buf, len);
@@ -949,7 +956,6 @@ proc_parser_file(char *file, unsigned ch
 gbr_print(gbr);
 aia = gbr->aia;
 aki = gbr->aki;
- ski = gbr->ski;
 break;
 case RTYPE_TAL:
 tal = tal_parse(file, buf, len);
@@ -972,7 +978,7 @@ proc_parser_file(char *file, unsigned ch
 parse_load_crl(c);
 free(c);
 parse_load_certchain(aia);
- a = valid_ski_aki(file, &auths, ski, aki);
+ a = auth_find(&auths, aki);
 crl = get_crl(a);
 if (valid_x509(file, x509, a, crl, verify_flags))
Index: rpki-client.8
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/rpki-client.8,v
retrieving revision 1.55
diff -u -p -r1.55 rpki-client.8
--- rpki-client.8 24 Jan 2022 06:54:15 -0000 1.55
+++ rpki-client.8 26 Jan 2022 14:11:31 -0000
@@ -106,6 +106,9 @@ in
 against the RPKI cache stored in
 .Ar cachedir
 and print human-readable information about the object.
+If
+.Ar file
+is an rsync:// URI the corresponding file from the cache will be used.
 This option implies
 .Fl n .
 .It Fl j
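Review bot: `a = auth_find(&auths, aki);` can return NULL (and, for an object that carries no AKI extension such as a self-signed trust-anchor certificate, `aki` itself may still be NULL at this point, depending on what the parsers outside the hunk guarantee), yet the result flows straight into get_crl() and valid_x509() with no diagnostic of its own; if valid_ski_aki() used to report an unknown AKI, -f now loses that explanation and the user is left with only the generic X509 verification failure. I would add `if (a == NULL) warnx("%s: unknown AKI %s", file, aki != NULL ? aki : "(none)");` before the get_crl() call so the debugging output still says why no chain could be built, and confirm that auth_find() tolerates a NULL key rather than passing it to strcmp(). The rest of proc_parser_file, including how the verify result is handled, lies outside the hunk.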