rpki-client -f is a great tool to figure out what is going on in the repo.
I noticed that supporting rsync:// URI (like the one from Authority info
access or Manifest) is easy and it makes it so much easier to follow
the breadcrumbs up and down.
While doing that I noticed that instead of using valid_aki_ski() the file
handling code should just do the lookup with the aki. There is a chance
that the cert was already added before loading it via -f and then the
verification fails for no good reason.
The SKI lookup does not gain us anything here so just skip all the SKI
handling.
--
:wq Claudio
? msg.http
? msg.rrdp
? obj
Index: main.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/main.c,v
retrieving revision 1.185
diff -u -p -r1.185 main.c
--- main.c 24 Jan 2022 17:29:37 -0000 1.185
+++ main.c 26 Jan 2022 14:11:31 -0000
@@ -387,13 +387,15 @@ queue_add_from_mft_set(const struct mft
static void
queue_add_file(const char *file, enum rtype type, int talid)
{
- unsigned char *buf;
+ unsigned char *buf = NULL;
char *nfile;
- size_t len;
+ size_t len = 0;
- buf = load_file(file, &len);
- if (buf == NULL)
- err(1, "%s", file);
+ if (!filemode || strncmp(file, "rsync://", strlen("rsync://")) != 0) {
+ buf = load_file(file, &len);
+ if (buf == NULL)
+ err(1, "%s", file);
+ }
if ((nfile = strdup(file)) == NULL)
err(1, NULL);
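Review bot: The scheme test `strncmp(file, "rsync://", strlen("rsync://")) != 0` at L35 is repeated verbatim in proc_parser_file, and the two sides disagree on what a missing object means: a plain path that fails to load is fatal here via err(1) at L38, while an rsync:// path that fails to load is only warned about in the parser. I would factor the prefix test into one small helper (or reuse the rsync scheme constant if extern.h already defines one) so both places stay in sync, and pick a single failure mode for -f. In the URI case buf stays NULL and len 0, so whatever the remainder of queue_add_file does with buf must tolerate NULL; the function body continues past the hunk.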
Index: parser.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/parser.c,v
retrieving revision 1.55
diff -u -p -r1.55 parser.c
--- parser.c 26 Jan 2022 13:57:56 -0000 1.55
+++ parser.c 26 Jan 2022 14:11:31 -0000
@@ -901,11 +901,21 @@ proc_parser_file(char *file, unsigned ch
struct gbr *gbr = NULL;
struct tal *tal = NULL;
enum rtype type;
- char *aia = NULL, *aki = NULL, *ski = NULL;
+ char *aia = NULL, *aki = NULL;
unsigned long verify_flags = X509_V_FLAG_CRL_CHECK;
if (num++ > 0)
printf("--\n");
+
+ if (strncmp(file, "rsync://", strlen("rsync://")) == 0) {
+ file += strlen("rsync://");
+ buf = load_file(file, &len);
+ if (buf == NULL) {
+ warn("parse file %s", file);
+ return;
+ }
+ }
+
printf("File: %s\n", file);
type = rtype_from_file_extension(file);
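Review bot: The buffer allocated by `buf = load_file(file, &len)` at L61 replaces the caller's parameter only inside this function, so unless the tail of proc_parser_file (outside the hunk) frees it, each rsync:// argument leaks its file contents; I would keep it in its own local, e.g. `unsigned char *fbuf = NULL;` … `buf = fbuf = load_file(file, &len);` and `free(fbuf)` on every exit path. The stripped path is handed to load_file relative to the cache with no further validation, which is acceptable because the operand is the invoking user's own argument, but this block should not be reused for URIs taken from parsed objects (AIA, manifest entries) without a path check. Minor: the `--` separator at L57 is printed before the early return at L64, so a failed load still emits a record boundary on stdout with the warning going to stderr.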
@@ -918,7 +928,6 @@ proc_parser_file(char *file, unsigned ch
cert_print(cert);
aia = cert->aia;
aki = cert->aki;
- ski = cert->ski;
x509 = cert->x509;
if (X509_up_ref(x509) == 0)
errx(1, "%s: X509_up_ref failed", __func__);
@@ -930,7 +939,6 @@ proc_parser_file(char *file, unsigned ch
mft_print(mft);
aia = mft->aia;
aki = mft->aki;
- ski = mft->ski;
verify_flags = 0;
break;
case RTYPE_ROA:
@@ -940,7 +948,6 @@ proc_parser_file(char *file, unsigned ch
roa_print(roa);
aia = roa->aia;
aki = roa->aki;
- ski = roa->ski;
break;
case RTYPE_GBR:
gbr = gbr_parse(&x509, file, buf, len);
@@ -949,7 +956,6 @@ proc_parser_file(char *file, unsigned ch
gbr_print(gbr);
aia = gbr->aia;
aki = gbr->aki;
- ski = gbr->ski;
break;
case RTYPE_TAL:
tal = tal_parse(file, buf, len);
@@ -972,7 +978,7 @@ proc_parser_file(char *file, unsigned ch
parse_load_crl(c);
free(c);
parse_load_certchain(aia);
- a = valid_ski_aki(file, &auths, ski, aki);
+ a = auth_find(&auths, aki);
crl = get_crl(a);
if (valid_x509(file, x509, a, crl, verify_flags))
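Review bot: `a = auth_find(&auths, aki);` at L107 fails silently when the AKI is unknown, whereas the valid_ski_aki() call it replaces presumably reported why no issuer was found; in -f mode that reason is exactly what the user wants when validation fails, so I would keep a diagnostic: `if ((a = auth_find(&auths, aki)) == NULL) warnx("%s: no issuer with matching SKI in cache", file);`. Dropping the SKI collision check is fine for this inspect-only path since nothing is inserted into auths here, but a comment such as `/* -f is read-only: resolve the issuer by AKI, skip the SKI bookkeeping done by valid_ski_aki() */` would stop this lookup being copied into the regular validation path. aki is still NULL for the TAL case (that branch sets neither aia nor aki), so either auth_find() tolerates NULL or this call sits under a guard outside the hunk; worth confirming.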
Index: rpki-client.8
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/rpki-client.8,v
retrieving revision 1.55
diff -u -p -r1.55 rpki-client.8
--- rpki-client.8 24 Jan 2022 06:54:15 -0000 1.55
+++ rpki-client.8 26 Jan 2022 14:11:31 -0000
@@ -106,6 +106,9 @@ in
against the RPKI cache stored in
.Ar cachedir
and print human-readable information about the object.
+If
+.Ar file
+is an rsync:// URI the corresponding file from the cache will be used.
This option implies
.Fl n .
.It Fl j