Revision 1.47 | 17-Jun-2024 | tb
Invalidate the right stack[] member
There was a shift of the index in the for loop, and invalidating the wrong member could result in a double free in auth_tree_free() on process exit.
ok claudio job

Revision 1.46 | 12-Jun-2024 | tb
rpki-client: avoid hard error when hitting the maximum cert id
Instead, continue processing what we can but avoid lots of warning noise. Error out at the end of the parser process to avoid loading a bad config into bgpd. This isn't great as it is and can be refined in tree.
ok claudio

Revision 1.45 | 08-Jun-2024 | tb
Improve the check for is_ta in filemode
Instead of checking for EXFLAG_SS use the more accurate information we already gathered.
ok job

Revision 1.44 | 08-Jun-2024 | tb
Improve x509_get_purpose()
Instead of only differentiating between CA and BGPsec Router certs, make it recognize TA and EE certs as well. TAs and CAs have the cA boolean in the basic constraints, while EE and BGPsec router certs do not.
TAs are self-signed, CAs not self-issued, all other certs with the cA boolean are invalid. EE certs do not have an extended key usage and BGPsec certs contain the id-kp-bgpsec-router OID.
Handle the new purposes where needed. ok job
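An added illustration of the four-way classification this commit describes; it is written for this page, not taken from rpki-client (which does this in C against libcrypto), and uses Go's crypto/x509 so it can mint constructed P-256 test certs offline. GetPurpose and makeCert are hypothetical names; the RFC 8209 OID for id-kp-bgpsec-router is real; classifying a non-CA cert whose EKU lacks that OID as invalid is an assumption the commit message does not spell out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// id-kp-bgpsec-router (RFC 8209): the EKU purpose that marks a BGPsec router cert.
var oidBGPsecRouter = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 30}
// Purpose covers the four classes named in the commit message plus "invalid".
type Purpose string

const (
	PurposeInvalid      Purpose = "invalid"
	PurposeTA           Purpose = "TA"
	PurposeCA           Purpose = "CA"
	PurposeEE           Purpose = "EE"
	PurposeBGPsecRouter Purpose = "BGPsec router"
)

// Self-issued: issuer name equals subject name. Self-signed: additionally verifies under its own key.
func isSelfIssued(c *x509.Certificate) bool { return string(c.RawIssuer) == string(c.RawSubject) }
func isSelfSigned(c *x509.Certificate) bool { return isSelfIssued(c) && c.CheckSignatureFrom(c) == nil }

// GetPurpose applies the commit message's rules (hypothetical name, not the project's
// x509_get_purpose()). Non-CA cert with an EKU but no BGPsec OID -> invalid is an assumption.
func GetPurpose(c *x509.Certificate) Purpose {
	if c.IsCA { // cA boolean asserted in basicConstraints: TA or CA
		switch {
		case isSelfSigned(c):
			return PurposeTA
		case !isSelfIssued(c):
			return PurposeCA
		default: // self-issued but signed by a different key
			return PurposeInvalid
		}
	}
	for _, oid := range c.UnknownExtKeyUsage {
		if oid.Equal(oidBGPsecRouter) {
			return PurposeBGPsecRouter
		}
	}
	if len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0 {
		return PurposeEE // no extended key usage at all
	}
	return PurposeInvalid
}

// must panics on error: the demo below only feeds fixed, constructed inputs.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeCert issues a throwaway P-256 cert; parent == nil means self-signed.
func makeCert(cn string, ca bool, eku []asn1.ObjectIdentifier,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1), // constructed; uniqueness is irrelevant here
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: ca, // emit basicConstraints only for CA-type certs
		IsCA:                  ca,
		UnknownExtKeyUsage:    eku,
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// DemoPurposes builds one constructed cert per class and classifies each.
func DemoPurposes() map[string]Purpose {
	ta, taKey := makeCert("Test TA", true, nil, nil, nil)
	ca, caKey := makeCert("Test CA", true, nil, ta, taKey)
	ee, _ := makeCert("Test EE", false, nil, ca, caKey)
	router, _ := makeCert("Test Router", false, []asn1.ObjectIdentifier{oidBGPsecRouter}, ca, caKey)
	// Same name as its issuer but a fresh key: self-issued yet not self-signed.
	bogus, _ := makeCert("Test TA", true, nil, ta, taKey)
	return map[string]Purpose{
		"ta": GetPurpose(ta), "ca": GetPurpose(ca), "ee": GetPurpose(ee),
		"router": GetPurpose(router), "bogus": GetPurpose(bogus),
	}
}

func main() { fmt.Println(DemoPurposes()) }
```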

Revision 1.43 | 06-Jun-2024 | tb
rpki-client: fix a crash in filemode
For an expired TA, cert is freed and zeroed in file mode and cert_print() crashes. For such TAs (and otherwise invalid ones) expired and notafter become dangling pointers. Invalidate them and set them only for valid TA certs.
with/ok claudio

Revision 1.42 | 20-May-2024 | claudio
Instead of tracking certificates by SKI track them by an internal identifier.
The certificate SKI is not strictly unique so using it as a unique id is problematic. It is also not really needed to do that since in theory we already know the path (but this got lost in the privsep communication). So add a cert id and pass this id back and forth between main process and the parser. With this id we can lookup the authentication chain in the parser and this even works with multiple paths to the same resource. Since we no longer lookup by SKI the valid_aki_ski function is replaced by find_issuer() which does the lookup by certid.
The loop protection is now extended to allow each TAL to reach each file once but still triggers if a file is reaccessed by the tree of a TAL.
In filemode the lookup now uses an AIA uri based lookup tree. Again this replaces the SKI based lookups from before.
Done together with tb@ OK tb@ job@

Revision 1.41 | 21-Apr-2024 | claudio
P-256 support is experimental so require -x to enable it.
Also clean up the externs a little bit by moving experimental and noop to extern.h. Reminded by and OK tb@

Revision 1.40 | 22-Mar-2024 | job
Replace protocol literal strings and strlen() calls with defined constants
OK tb@ claudio@

Revision 1.39 | 19-Mar-2024 | tb
Rename parent to issuer in struct auth
Parent is confusing and issuer is the appropriate terminology. This is a mechanical diff. The only remaining uses of 'parent' in this code base now mean 'parent process'.
discussed with beck and job ok job

Revision tags: OPENBSD_7_5_BASE

Revision 1.38 | 22-Feb-2024 | job
Add support for RPKI Signed Prefix Lists
Signed Prefix Lists are a CMS protected content type for use with the RPKI to carry the complete list of prefixes which an Autonomous System may originate to all or any of its routing peers. The validation of a Signed Prefix List confirms that the holder of the listed ASN produced the object, and that this list is a current, accurate and complete description of address prefixes that may be announced into the routing system originated by this AS.
https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-prefixlist
with and OK claudio@ tb@

Revision 1.37 | 23-Jan-2024 | job
Warn about overclaiming intermediate CAs, but don't error
OK tb@

Revision 1.36 | 13-Oct-2023 | job
Allow imposing constraints on RPKI trust anchors
The ability to constrain a RPKI Trust Anchor's effective signing authority to a limited set of Internet Number Resources allows Relying Parties to enjoy the potential benefits of assuming trust, within a bounded scope.
Some examples: ARIN does not support inter-RIR IPv6 transfers, so it wouldn't make any sense to see a ROA subordinate to ARIN's trust anchor covering RIPE-managed IPv6 space. Conversely, it wouldn't make sense to observe a ROA covering ARIN-managed IPv6 space under APNIC's, LACNIC's, or RIPE's trust anchor - even if a derived trust arc (a cryptographically valid certificate path) existed. Along these same lines, AFRINIC doesn't support inter-RIR transfers of any kind, and none of the RIRs have authority over private resources like 10.0.0.0/8 and 2001:db8::/32.
For more background see: https://datatracker.ietf.org/doc/draft-snijders-constraining-rpki-trust-anchors/ https://mailman.nanog.org/pipermail/nanog/2023-September/223354.html
With and OK tb@, OK claudio@

Revision tags: OPENBSD_7_4_BASE

Revision 1.35 | 25-Sep-2023 | tb
Pass the talid to various parse functions
This will be needed by an upcoming feature where we will need to know what trust anchor a given cert chains to. This doesn't change anything except the size of the diff.
ok claudio job

Revision 1.34 | 29-Jun-2023 | tb
Retire log.c
Convert all cryptowarnx() and cryptoerrx() to appropriate versions of warn() and err{,x}(). Neither users nor developers benefit from them. If we need better errors, we need to do some thinking. libcrypto won't do that for us.
suggested by claudio ok job

Revision 1.33 | 30-May-2023 | job
Fixup file modification timestamps to optimize failover from RRDP to RSYNC
In the RSYNC protocol a file's last modification time and its size are used to determine whether sending a (partial) copy over the wire is needed. Previously, when RRDP data structures are serialized to disk, the mtime of files in DIR_VALID ended up being UTIME_NOW.
Thus, the mtimes of files obtained through RRDP will never match the mtimes of the same files available through RSYNC - causing each and every file to be added to the file transfer list.
Instead, use the internal timestamps of RPKI files as the last modified timestamp. Specifically, for Signed Objects (ROAs, MFTs, GBRs, TAKs, ASPAs) the CMS signing-time, for .cer files the X.509 notBefore, and for .crl files the CRL lastUpdate. This results in a surprising optimization for the number of files which have to be transferred.
OK claudio@

Revision 1.32 | 30-May-2023 | claudio
Convert all of filemode to use the json API as well. Output is mostly the same apart from some space differences. OK tb@ job@

Revision 1.31 | 03-May-2023 | tb
Fix a use-after-free in filemode
In case the TAL of a self-signed is unavailable, cert would be freed but we'd still hold a reference to its expired time in expires, so invalidate that pointer as well.
Found by, initial fix and ok job

Revision 1.30 | 26-Apr-2023 | claudio
Improve accounting by tracking things by repo and tal. This fixes some wrong accounting for repositories that are referenced from more than one TAL. It changes the ometric label output a little bit since there are repository metrics that no longer include the 'name' label. OK tb@

Revision tags: OPENBSD_7_3_BASE

Revision 1.29 | 15-Mar-2023 | job
Show MFTs as part of the signature path
no objection tb@

Revision 1.28 | 13-Mar-2023 | job
Don't lookup the signature path's expiry for trust anchor certs

Revision 1.27 | 13-Mar-2023 | job
In filemode, also print details for .cer certificates

Revision 1.26 | 13-Mar-2023 | job
In filemode, display the moment the signature path will expire
Previously this was only shown for ROA+ASPA. Now also show for GBR, Geofeed, Certs, RSC, and TAK.
OK tb@

Revision 1.25 | 13-Mar-2023 | job
In filemode for ROAs/ASPAs display when the Signature path will expire
Also rename 'certification path' to 'signature path' for alignment
OK tb@

Revision 1.24 | 13-Mar-2023 | job
Merge calling print_certification_path() into adjacent else branch
OK tb@

Revision 1.23 | 13-Mar-2023 | job
Refactor what's printed when in filemode
OK tb@

Revision 1.22 | 12-Mar-2023 | job
Alphabetically sort various bits and pieces - mechanical change
Might make later refactors easier to follow
OK tb@

Revision 1.21 | 07-Mar-2023 | job
Improve decoded content printing in filemode
Looks reasonable claudio@

Revision 1.20 | 03-Mar-2023 | job
In filemode, print the certification path towards the Trust Anchor
with and OK tb@

Revision 1.19 | 06-Jan-2023 | claudio
Rework the main <-> parser/filemode communication protocol a bit.
Swap repo_id and filename to simplify the code in parser.c. In filemode both repo_id and filename are ignored. Additionally do not errx() in case of unknown file types. Instead send back enough info that the code can move on.
OK tb@

Revision 1.18 | 29-Nov-2022 | claudio
Return an error string instead of suppressing the warning in valid_x509. This way manifests can show a better error message when something fails. With and OK tb@

Revision 1.17 | 26-Nov-2022 | job
Add support for authenticating geofeed data CSV files in filemode
RFC 9092 describes a scheme in which an authenticator is appended to a geofeed (RFC 8805) file. It is a digest of the main body of the file signed by the private key of the relevant RPKI certificate for a covering address range. The authenticator is a detached CMS signature.
with and OK tb@

Revision 1.16 | 04-Nov-2022 | job
Format filemode output in a tabular fashion to improve readability
OK tb@ claudio@

Revision 1.15 | 02-Nov-2022 | job
Add support for draft-ietf-sidrops-signed-tal-12
Add support for validation of Signed Objects containing Trust Anchor Keys (TAKs - aka 'Signed TALs'). Signed TALs provide a mechanism for RIRs to distribute and sign the next Trust Anchor with the current Trust Anchor. This might be an improvement over visiting RIR websites and copy+pasting TAL data by hand.
OK tb@

Revision tags: OPENBSD_7_2_BASE

Revision 1.14 | 06-Sep-2022 | job
Properly free memory in filemode
OK tb@

Revision 1.13 | 30-Aug-2022 | job
Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)
ASPA objects are published in the RPKI and can be used to detect and mitigate BGP route leaks. Validated ASPA Payloads are visible through filemode (-f) and the JSON output format (-j).
With feedback from tb@
OK claudio@ tb@

Revision 1.12 | 25-Aug-2022 | job
Make PEM printing available through increased verbosity (-vvf)
Suggestion from claudio@
OK tb@

Revision 1.11 | 25-Aug-2022 | job
In verbose filemode print details about encapsulated certificates. Add command line flag to print the certificate in PEM format.
OK tb@

Revision 1.10 | 25-Aug-2022 | job
Fix newline in JSON filemode
OK tb@

Revision 1.9 | 25-Aug-2022 | job
Plug memory leak in filemode
OK tb@ claudio@

Revision 1.8 | 19-Aug-2022 | tb
Check the resources in ROAs and RSCs against EE certs
The resources delegated in the RFC 3779 extensions of the EE cert for ROAs or RSCs can be a subset of the resources in the auth chain. So far we compared that the resources of ROAs and RSCs are covered by the auth chain, which is not entirely correct. Extract the necessary data from the EE cert into rpki-client's own data structures, then verify that the EE cert's resources cover the ones claimed in the ROA or RSC.
Do this as part of ROA and RSC parsing; that the EE cert's resources are covered by the auth chain is checked in valid_x509() later on.
All this is a bit more annoying and intrusive than it should be...
ok claudio job

Revision 1.7 | 11-May-2022 | job
In filemode check whether ROA & RSC resources are properly contained
with and OK tb@ claudio@

Revision 1.6 | 09-May-2022 | job
Add preliminary support for decoding RSC objects in filemode
This implements decoding support for draft-ietf-sidrops-rpki-rsc-06
There are three major outstanding issues:
* The wire image might still change to conform to the more widely deployed 3779 API in libressl/openssl. IETF discussion ongoing.
* Whether the resources listed in the ResourceBlock are contained within the EE's RFC 3779 extension is not hooked up yet.
* There is a fair bit of duplicity between rsc.c and cert.c, look for XXX
OK tb@

Revision 1.5 | 24-Apr-2022 | tb
zap extra blank line

Revision 1.4 | 24-Apr-2022 | tb
trailing whitespace

Revision 1.3 | 24-Apr-2022 | job
In filemode emit the hash which uniquely identifies a given Signed Object
RPKI Signed Objects are not malleable; this means the SHA256 digest of an input file containing a signed object is a very stable identifier to associate with the decoded (validated) output shown in filemode.
The SHA256 in hash_id is base64 encoded (just like hashes on manifest listings).
OK tb@

Revision 1.2 | 21-Apr-2022 | claudio
Further refactor and cleanup filemode.c: mainly remove the copies of proc_parser_cert_validate() and proc_parser_root_cert() and adjust parse_load_certchain() and parse_load_ta() respectively. Also cleanup the functions in parser.c and make it possible to call ta_parse and cert_parse with a NULL cert. OK tb@

Revision 1.1 | 21-Apr-2022 | claudio
The filemode code is different enough from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows to remove the errx() after them.
OK tb@
|
#
1.46 |
|
12-Jun-2024 |
tb |
rpki-client: avoid hard error when hitting the maximum cert id
Instead, continue processing what we can but avoid lots of warning noise. Error out at the end of the parser process to avoid loading a bad config into bgpd. This isn't great as it is and can be refined in tree.
ok claudio
|
#
1.45 |
|
08-Jun-2024 |
tb |
Improve the check for is_ta in filemode
Instead of checking for EXFLAG_SS use the more accurate information we already gathered.
ok job
|
#
1.44 |
|
08-Jun-2024 |
tb |
Improve x509_get_purpose()
Instead of only differentiating between CA and BGPsec Router certs, make it recognize TA and EE certs as well. TAs and CAs have the cA boolean in the basic constraints, while EE and BGPsec router certs do not.
TAs are self-signed, CAs not self-issued, all other certs with the cA boolean are invalid. EE certs do not have an extended key usage and BGPsec certs contain the id-kp-bgpsec-router OID.
Handle the new purposes where needed. ok job
|
#
1.43 |
|
06-Jun-2024 |
tb |
rpki-client: fix a crash in filemode
For an expired TA, cert is freed and zeroed in file mode and cert_print() crashes. For such TAs (and otherwise invalid ones) expired and notafter become dangling pointers. Invalidate them and set them only for valid TA certs.
with/ok claudio
|
#
1.42 |
|
20-May-2024 |
claudio |
Instead of tracking certificates by SKI track them by an internal identifier.
The certificate SKI is not strictly unique so using it as a unique id is problematic. It is also not really needed to do that since in theory we already know the path (but this got lost in the privsep communication). So add a cert id and pass this id back and forth between main process and the parser. With this id we can lookup the authentication chain in the parser and this even works with multiple paths to the same resource. Since we no longer lookup by SKI the valid_aki_ski function is replaced by find_issuer() which does the lookup by certid.
The loop protection is now extended to allow each TAL to reach each file once but still triggers if a file is reaccessed by the tree of a TAL.
In filemode the lookup now uses an AIA uri based lookup tree. Again this replaces the SKI based lookups from before.
Done together with tb@ OK tb@ job@
|
#
1.41 |
|
21-Apr-2024 |
claudio |
P-256 support is experimental so require -x to enable it.
Also clean up the externs a little bit by moving experimental and noop to extern.h. Reminded by and OK tb@
|
#
1.40 |
|
22-Mar-2024 |
job |
Replace protocol literal strings and strlen() calls with defined constants
OK tb@ claudio@
|
#
1.39 |
|
19-Mar-2024 |
tb |
Rename parent to issuer in struct auth
Parent is confusing and issuer is the appropriate terminology. This is a mechanical diff. The only remaining uses of 'parent' in this code base now mean 'parent process'.
discussed with beck and job ok job
|
Revision tags: OPENBSD_7_5_BASE
|
#
1.38 |
|
22-Feb-2024 |
job |
Add support for RPKI Signed Prefix Lists
Signed Prefix List are a CMS protected content type for use with the RPKI to carry the complete list of prefixes which an Autonomous System may originate to all or any of its routing peers. The validation of a Signed Prefix List confirms that the holder of the listed ASN produced the object, and that this list is a current, accurate and complete description of address prefixes that may be announced into the routing system originated by this AS.
https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-prefixlist
with and OK claudio@ tb@
|
#
1.37 |
|
23-Jan-2024 |
job |
Warn about overclaiming intermediate CAs, but don't error
OK tb@
|
#
1.36 |
|
13-Oct-2023 |
job |
Allow imposing constraints on RPKI trust anchors
The ability to constrain a RPKI Trust Anchor's effective signing authority to a limited set of Internet Number Resources allows Relying Parties to enjoy the potential benefits of assuming trust, within a bounded scope.
Some examples: ARIN does not support inter-RIR IPv6 transfers, so it wouldn't make any sense to see a ROA subordinate to ARIN's trust anchor covering RIPE-managed IPv6 space. Conversely, it wouldn't make sense to observe a ROA covering ARIN-managed IPv6 space under APNIC's, LACNIC's, or RIPE's trust anchor - even if a derived trust arc (a cryptographically valid certificate path) existed. Along these same lines, AFRINIC doesn't support inter-RIR transfers of any kind, and none of the RIRs have authority over private resources like 10.0.0.0/8 and 2001:db8::/32.
For more background see: https://datatracker.ietf.org/doc/draft-snijders-constraining-rpki-trust-anchors/ https://mailman.nanog.org/pipermail/nanog/2023-September/223354.html
With and OK tb@, OK claudio@
|
Revision tags: OPENBSD_7_4_BASE
|
#
1.35 |
|
25-Sep-2023 |
tb |
Pass the talid to various parse functions
This will be needed by an upcoming feature where we will need to know what trust anchor a given cert chains to. This doesn't change anything except the size of the diff.
ok claudio job
|
#
1.34 |
|
29-Jun-2023 |
tb |
Retire log.c
Convert all cryptowarnx() and cryptoerrx() to appropriate versions of warn() and err{,x}(). Neither users nor developers benefit from them. If we need better errors, we need to do some thinking. libcrypto won't do that for us.
suggested by claudio ok job
|
#
1.33 |
|
30-May-2023 |
job |
Fixup file modification timestamps to optimize failover from RRDP to RSYNC
In the RSYNC protocol a file's last modification time and its size are used to determine whether sending a (partial) copy over the wire is needed. Previously, when RRDP data structures are serialized to disk, the mtime of files in DIR_VALID ended up being UTIME_NOW.
Thus, the mtimes of files obtained through RRDP will never match the mtimes of the same files available through RSYNC - causing each and every file to be added to the file transfer list.
Instead, use the internal timestamps of RPKI files as the last modified timestamp. Specifically, for Signed Objects (ROAs, MFTs, GBRs, TAKs, ASPAs) the CMS signing-time, for .cer files the X.509 notBefore, and for .crl files the CRL lastUpdate. This results in a surprising optimization for the number files which have to be transfered.
OK claudio@
|
#
1.32 |
|
30-May-2023 |
claudio |
Convert all of filemode to use the json API as well. Output is mostly the same apart from some space differences. OK tb@ job@
|
#
1.31 |
|
03-May-2023 |
tb |
Fix a use-after-free in filemode
In case the TAL of a self-signed is unavailable, cert would be freed but we'd still hold a reference to its expired time in expires, so invalidate that pointer as well.
Found by, initial fix and ok job
|
#
1.30 |
|
26-Apr-2023 |
claudio |
Improve accounting by tracking things by repo and tal. This fixes some wrong accounting for repositories that are referenced from more than one TAL. It changes the ometric lable output a little bit since there are repository metrics that no longer include the 'name' label. OK tb@
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.29 |
|
15-Mar-2023 |
job |
Show MFTs as part of the signature path
no objection tb@
|
#
1.28 |
|
13-Mar-2023 |
job |
Don't lookup the signature path's expiry for trust anchor certs
|
#
1.27 |
|
13-Mar-2023 |
job |
In filemode, also print details for .cer certificates
|
#
1.26 |
|
13-Mar-2023 |
job |
In filemode, display the moment the signature path will expire
Previously this was only shown for ROA+ASPA. Now also show for GBR, Geofeed, Certs, RSC, and TAK.
OK tb@
|
#
1.25 |
|
13-Mar-2023 |
job |
In filemode for ROAs/ASPAs display when the Signature path will expire
Also rename 'certification path' to 'signature path' for alignment
OK tb@
|
#
1.24 |
|
13-Mar-2023 |
job |
Merge calling print_certification_path() into adjacent else branch
OK tb@
|
#
1.23 |
|
13-Mar-2023 |
job |
Refactor whats printed when in filemode
OK tb@
|
#
1.22 |
|
12-Mar-2023 |
job |
Alphabetically sort various bits and pieces - mechanical change
Might make later refactors easier to follow
OK tb@
|
#
1.21 |
|
07-Mar-2023 |
job |
Improve decoded content printing in filemode
Looks reasonable claudio@
|
#
1.20 |
|
03-Mar-2023 |
job |
In filemode, print the certification path towards the Trust Anchor
with and OK tb@
|
#
1.19 |
|
06-Jan-2023 |
claudio |
Rework the main <-> parser/filemode communication protocol a bit.
Swap repo_id and filename to simplify the code in parser.c. In filemode both repo_id and filename are ignored. Additionally do not errx() in case of unknown file types. Instead send back enough info that the code can move on.
OK tb@
|
#
1.18 |
|
29-Nov-2022 |
claudio |
Return an error string instead of surpressing the warning in valid_x509. This way manifests can should a better error message when something fails. With and OK tb@
|
#
1.17 |
|
26-Nov-2022 |
job |
Add support for authenticating geofeed data CSV files in filemode
RFC 9092 describes a scheme in which an authenticator is appended to a geofeed (RFC 8805) file. It is a digest of the main body of the file signed by the private key of the relevant RPKI certificate for a covering address range. The authenticator is a detached CMS signature.
with and OK tb@
|
#
1.16 |
|
04-Nov-2022 |
job |
Format filemode output in a tabular fashion to improve readability
OK tb@ claudio@
|
#
1.15 |
|
02-Nov-2022 |
job |
Add support for draft-ietf-sidrops-signed-tal-12
Add support validation of Signed Objects containing Trust Anchor Keys (TAKs - aka 'Signed TALs'). Signed TALs provide a mechanism for RIRs to distribute and sign the next Trust Anchor with the current Trust Anchor. This might be an improvement over visiting RIR websites and copy+pasting TAL data by hand.
OK tb@
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.14 |
|
06-Sep-2022 |
job |
Properly free memory in filemode
OK tb@
|
#
1.13 |
|
30-Aug-2022 |
job |
Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)
ASPA objects are published in the RPKI and can be used to detect and mitigate BGP route leaks. Validated ASPA Payloads are visible through filemode (-f) and the JSON output format (-j).
With feedback from tb@
OK claudio@ tb@
|
#
1.12 |
|
25-Aug-2022 |
job |
Make PEM printing available through increased verbosity (-vvf)
Suggestion from claudio@
OK tb@
|
#
1.11 |
|
25-Aug-2022 |
job |
In verbose filemode print details about encapsulated certificates. Add command line flag to print the certificate in PEM format.
OK tb@
|
#
1.10 |
|
25-Aug-2022 |
job |
Fix newline in JSON filemode
OK tb@
|
#
1.9 |
|
25-Aug-2022 |
job |
Plug memory leak in filemode
OK tb@ claudio@
|
#
1.8 |
|
19-Aug-2022 |
tb |
Check the resources in ROAs and RSCs against EE certs
The resources delegated in the RFC 3779 extensions of the EE cert for ROAs or RSCs can be a subset of the resources in the auth chain. So far we compared that the resources of ROAs and RSCs are covered by the auth chain, which is not entirely correct. Extract the necessary data from the EE cert into rpki-client's own data structures, then verify that the EE cert's resources cover the ones claimed in the ROA or RSC.
Do this as part or ROA and RSC parsing, that the EE cert's resources are covered by the auth chain is checked in valid_x509() later on.
All this is a bit more annoying and intrusive than it should be...
ok claudio job
|
#
1.7 |
|
11-May-2022 |
job |
In filemode check whether ROA & RSC resources are properly contained
with and OK tb@ claudio@
|
#
1.6 |
|
09-May-2022 |
job |
Add preliminary support for decoding RSC objects in filemode
This implements decoding support for draft-ietf-sidrops-rpki-rsc-06
There are three major outstanding issues:
* The wire image might still change to conform to the more widely deployed 3779 API in libressl/openssl. IETF discussion ongoing. * Whether the resources listed in the ResourceBlock are contained within the EE's RFC 3779 extension is not hooked up yet. * There is a fair bit of duplicity between rsc.c and cert.c, look for XXX
OK tb@
|
#
1.5 |
|
24-Apr-2022 |
tb |
zap extra blank line
|
#
1.4 |
|
24-Apr-2022 |
tb |
trailing whitespace
|
#
1.3 |
|
24-Apr-2022 |
job |
In filemode emit the hash which uniquely identifies a given Signed Object
RPKI Signed Objects are not malleable; this means the SHA256 digest of an input file containing a signed object is a very stable identifier to associate with the decoded (validated) output shown in filemode.
The SHA256 in hash_id is base64 encoded (just like hashes on manifest listings).
OK tb@
|
#
1.2 |
|
21-Apr-2022 |
claudio |
Further refactor and cleanup filemode.c mainly remove the copies of proc_parser_cert_validate() and proc_parser_root_cert() adjust parse_load_certchain() and parse_load_ta() respectivly. Also cleanup the functions in parser.c and make it possible to call ta_parse and cert_parse with a NULL cert. OK tb@
|
#
1.1 |
|
21-Apr-2022 |
claudio |
The filemode code is enough different from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows to remove the errx() after them.
OK tb@
|
#
1.45 |
|
08-Jun-2024 |
tb |
Improve the check for is_ta in filemode
Instead of checking for EXFLAG_SS use the more accurate information we already gathered.
ok job
|
#
1.44 |
|
08-Jun-2024 |
tb |
Improve x509_get_purpose()
Instead of only differentiating between CA and BGPsec Router certs, make it recognize TA and EE certs as well. TAs and CAs have the cA boolean in the basic constraints, while EE and BGPsec router certs do not.
TAs are self-signed, CAs not self-issued, all other certs with the cA boolean are invalid. EE certs do not have an extended key usage and BGPsec certs contain the id-kp-bgpsec-router OID.
Handle the new purposes where needed. ok job
|
#
1.43 |
|
06-Jun-2024 |
tb |
rpki-client: fix a crash in filemode
For an expired TA, cert is freed and zeroed in file mode and cert_print() crashes. For such TAs (and otherwise invalid ones) expired and notafter become dangling pointers. Invalidate them and set them only for valid TA certs.
with/ok claudio
|
#
1.42 |
|
20-May-2024 |
claudio |
Instead of tracking certificates by SKI track them by an internal identifier.
The certificate SKI is not strictly unique so using it as a unique id is problematic. It is also not really needed to do that since in theory we already know the path (but this got lost in the privsep communication). So add a cert id and pass this id back and forth between main process and the parser. With this id we can lookup the authentication chain in the parser and this even works with multiple paths to the same resource. Since we no longer lookup by SKI the valid_aki_ski function is replaced by find_issuer() which does the lookup by certid.
The loop protection is now extended to allow each TAL to reach each file once but still triggers if a file is reaccessed by the tree of a TAL.
In filemode the lookup now uses an AIA uri based lookup tree. Again this replaces the SKI based lookups from before.
Done together with tb@ OK tb@ job@
|
#
1.41 |
|
21-Apr-2024 |
claudio |
P-256 support is experimental so require -x to enable it.
Also clean up the externs a little bit by moving experimental and noop to extern.h. Reminded by and OK tb@
|
#
1.40 |
|
22-Mar-2024 |
job |
Replace protocol literal strings and strlen() calls with defined constants
OK tb@ claudio@
|
#
1.39 |
|
19-Mar-2024 |
tb |
Rename parent to issuer in struct auth
Parent is confusing and issuer is the appropriate terminology. This is a mechanical diff. The only remaining uses of 'parent' in this code base now mean 'parent process'.
discussed with beck and job ok job
|
Revision tags: OPENBSD_7_5_BASE
|
#
1.38 |
|
22-Feb-2024 |
job |
Add support for RPKI Signed Prefix Lists
Signed Prefix List are a CMS protected content type for use with the RPKI to carry the complete list of prefixes which an Autonomous System may originate to all or any of its routing peers. The validation of a Signed Prefix List confirms that the holder of the listed ASN produced the object, and that this list is a current, accurate and complete description of address prefixes that may be announced into the routing system originated by this AS.
https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-prefixlist
with and OK claudio@ tb@
|
#
1.37 |
|
23-Jan-2024 |
job |
Warn about overclaiming intermediate CAs, but don't error
OK tb@
|
#
1.36 |
|
13-Oct-2023 |
job |
Allow imposing constraints on RPKI trust anchors
The ability to constrain a RPKI Trust Anchor's effective signing authority to a limited set of Internet Number Resources allows Relying Parties to enjoy the potential benefits of assuming trust, within a bounded scope.
Some examples: ARIN does not support inter-RIR IPv6 transfers, so it wouldn't make any sense to see a ROA subordinate to ARIN's trust anchor covering RIPE-managed IPv6 space. Conversely, it wouldn't make sense to observe a ROA covering ARIN-managed IPv6 space under APNIC's, LACNIC's, or RIPE's trust anchor - even if a derived trust arc (a cryptographically valid certificate path) existed. Along these same lines, AFRINIC doesn't support inter-RIR transfers of any kind, and none of the RIRs have authority over private resources like 10.0.0.0/8 and 2001:db8::/32.
For more background see: https://datatracker.ietf.org/doc/draft-snijders-constraining-rpki-trust-anchors/ https://mailman.nanog.org/pipermail/nanog/2023-September/223354.html
With and OK tb@, OK claudio@
|
Revision tags: OPENBSD_7_4_BASE
|
#
1.35 |
|
25-Sep-2023 |
tb |
Pass the talid to various parse functions
This will be needed by an upcoming feature where we will need to know what trust anchor a given cert chains to. This doesn't change anything except the size of the diff.
ok claudio job
|
#
1.34 |
|
29-Jun-2023 |
tb |
Retire log.c
Convert all cryptowarnx() and cryptoerrx() to appropriate versions of warn() and err{,x}(). Neither users nor developers benefit from them. If we need better errors, we need to do some thinking. libcrypto won't do that for us.
suggested by claudio ok job
|
#
1.33 |
|
30-May-2023 |
job |
Fixup file modification timestamps to optimize failover from RRDP to RSYNC
In the RSYNC protocol a file's last modification time and its size are used to determine whether sending a (partial) copy over the wire is needed. Previously, when RRDP data structures are serialized to disk, the mtime of files in DIR_VALID ended up being UTIME_NOW.
Thus, the mtimes of files obtained through RRDP will never match the mtimes of the same files available through RSYNC - causing each and every file to be added to the file transfer list.
Instead, use the internal timestamps of RPKI files as the last modified timestamp. Specifically, for Signed Objects (ROAs, MFTs, GBRs, TAKs, ASPAs) the CMS signing-time, for .cer files the X.509 notBefore, and for .crl files the CRL lastUpdate. This results in a surprising optimization for the number of files which have to be transferred.
OK claudio@
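The mtime fixup described in this entry, as an added Go example that is not rpki-client's own code: it reads the internal timestamp out of a .cer file (notBefore) or a .crl file (lastUpdate, called ThisUpdate in Go's x509 API), stores the file with that timestamp as its mtime, and reproduces rsync's default size-plus-mtime quick check to show why a file written with mtime "now" is re-sent on every failover while a file carrying the object's own timestamp is not. The CMS signing-time case for Signed Objects is left out because the Go standard library has no CMS parser. The certificate and CRL are constructed in memory, and all function names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// ObjectTimestamp returns the internal timestamp the entry picks as mtime:
// notBefore for .cer and lastUpdate (ThisUpdate in Go's API) for .crl.
// Signed Objects (CMS signing-time) are left out: no CMS parser in stdlib.
func ObjectTimestamp(name string, der []byte) (time.Time, error) {
	switch filepath.Ext(name) {
	case ".cer":
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return time.Time{}, err
		}
		return c.NotBefore, nil
	case ".crl":
		l, err := x509.ParseRevocationList(der)
		if err != nil {
			return time.Time{}, err
		}
		return l.ThisUpdate, nil
	}
	return time.Time{}, fmt.Errorf("%s: no internal timestamp for this file type", name)
}

// StoreWithObjectMtime writes der to path and sets the mtime to the object's
// own timestamp instead of "now", so the same file served over rsync passes
// rsync's quick check (same size, same mtime) and is not re-sent.
func StoreWithObjectMtime(path string, der []byte) (time.Time, error) {
	ts, err := ObjectTimestamp(path, der)
	if err != nil {
		return time.Time{}, err
	}
	if err := os.WriteFile(path, der, 0o644); err != nil {
		return time.Time{}, err
	}
	if err := os.Chtimes(path, ts, ts); err != nil {
		return time.Time{}, err
	}
	return ts, nil
}

// RsyncWouldSkip mirrors rsync's default quick check: no transfer when size
// and mtime agree on both sides. Any stat failure counts as "must transfer".
func RsyncWouldSkip(local, remote string) bool {
	a, errA := os.Stat(local)
	b, errB := os.Stat(remote)
	return errA == nil && errB == nil && a.Size() == b.Size() && a.ModTime().Equal(b.ModTime())
}

// MakeTestObjects builds a constructed self-signed CA certificate and an
// empty CRL issued by it, returning their DER and the embedded timestamps.
func MakeTestObjects() (cer, crl []byte, notBefore, lastUpdate time.Time, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	notBefore = time.Date(2023, 5, 30, 12, 0, 0, 0, time.UTC) // whole seconds, as DER stores them
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed TA"},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	if cer, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key); err != nil {
		return
	}
	issuer, err := x509.ParseCertificate(cer)
	if err != nil {
		return
	}
	lastUpdate = notBefore.Add(24 * time.Hour)
	crl, err = x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: lastUpdate,
		NextUpdate: lastUpdate.Add(24 * time.Hour),
	}, issuer, key)
	return
}

func main() {
	cer, _, _, _, err := MakeTestObjects()
	if err != nil {
		panic(err)
	}
	ts, err := StoreWithObjectMtime(filepath.Join(os.TempDir(), "constructed-ta.cer"), cer)
	fmt.Println(ts, err)
}
```

The quick check here is rsync's default; with --checksum or --ignore-times the mtime no longer decides, so the fixup only helps in the default configuration the entry targets.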
|
#
1.32 |
|
30-May-2023 |
claudio |
Convert all of filemode to use the json API as well. Output is mostly the same apart from some space differences. OK tb@ job@
|
#
1.31 |
|
03-May-2023 |
tb |
Fix a use-after-free in filemode
In case the TAL of a self-signed cert is unavailable, cert would be freed but we'd still hold a reference to its expired time in expires, so invalidate that pointer as well.
Found by, initial fix and ok job
|
#
1.30 |
|
26-Apr-2023 |
claudio |
Improve accounting by tracking things by repo and tal. This fixes some wrong accounting for repositories that are referenced from more than one TAL. It changes the ometric label output a little bit since there are repository metrics that no longer include the 'name' label. OK tb@
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.29 |
|
15-Mar-2023 |
job |
Show MFTs as part of the signature path
no objection tb@
|
#
1.28 |
|
13-Mar-2023 |
job |
Don't lookup the signature path's expiry for trust anchor certs
|
#
1.27 |
|
13-Mar-2023 |
job |
In filemode, also print details for .cer certificates
|
#
1.26 |
|
13-Mar-2023 |
job |
In filemode, display the moment the signature path will expire
Previously this was only shown for ROA+ASPA. Now also show for GBR, Geofeed, Certs, RSC, and TAK.
OK tb@
|
#
1.25 |
|
13-Mar-2023 |
job |
In filemode for ROAs/ASPAs display when the Signature path will expire
Also rename 'certification path' to 'signature path' for alignment
OK tb@
|
#
1.24 |
|
13-Mar-2023 |
job |
Merge calling print_certification_path() into adjacent else branch
OK tb@
|
#
1.23 |
|
13-Mar-2023 |
job |
Refactor what's printed when in filemode
OK tb@
|
#
1.22 |
|
12-Mar-2023 |
job |
Alphabetically sort various bits and pieces - mechanical change
Might make later refactors easier to follow
OK tb@
|
#
1.21 |
|
07-Mar-2023 |
job |
Improve decoded content printing in filemode
Looks reasonable claudio@
|
#
1.20 |
|
03-Mar-2023 |
job |
In filemode, print the certification path towards the Trust Anchor
with and OK tb@
|
#
1.19 |
|
06-Jan-2023 |
claudio |
Rework the main <-> parser/filemode communication protocol a bit.
Swap repo_id and filename to simplify the code in parser.c. In filemode both repo_id and filename are ignored. Additionally do not errx() in case of unknown file types. Instead send back enough info that the code can move on.
OK tb@
|
#
1.18 |
|
29-Nov-2022 |
claudio |
Return an error string instead of suppressing the warning in valid_x509. This way manifests can show a better error message when something fails. With and OK tb@
|
#
1.17 |
|
26-Nov-2022 |
job |
Add support for authenticating geofeed data CSV files in filemode
RFC 9092 describes a scheme in which an authenticator is appended to a geofeed (RFC 8805) file. It is a digest of the main body of the file signed by the private key of the relevant RPKI certificate for a covering address range. The authenticator is a detached CMS signature.
with and OK tb@
|
#
1.16 |
|
04-Nov-2022 |
job |
Format filemode output in a tabular fashion to improve readability
OK tb@ claudio@
|
#
1.15 |
|
02-Nov-2022 |
job |
Add support for draft-ietf-sidrops-signed-tal-12
Add support for validation of Signed Objects containing Trust Anchor Keys (TAKs - aka 'Signed TALs'). Signed TALs provide a mechanism for RIRs to distribute and sign the next Trust Anchor with the current Trust Anchor. This might be an improvement over visiting RIR websites and copy+pasting TAL data by hand.
OK tb@
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.14 |
|
06-Sep-2022 |
job |
Properly free memory in filemode
OK tb@
|
#
1.13 |
|
30-Aug-2022 |
job |
Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)
ASPA objects are published in the RPKI and can be used to detect and mitigate BGP route leaks. Validated ASPA Payloads are visible through filemode (-f) and the JSON output format (-j).
With feedback from tb@
OK claudio@ tb@
|
#
1.12 |
|
25-Aug-2022 |
job |
Make PEM printing available through increased verbosity (-vvf)
Suggestion from claudio@
OK tb@
|
#
1.11 |
|
25-Aug-2022 |
job |
In verbose filemode print details about encapsulated certificates. Add command line flag to print the certificate in PEM format.
OK tb@
|
#
1.10 |
|
25-Aug-2022 |
job |
Fix newline in JSON filemode
OK tb@
|
#
1.9 |
|
25-Aug-2022 |
job |
Plug memory leak in filemode
OK tb@ claudio@
|
#
1.8 |
|
19-Aug-2022 |
tb |
Check the resources in ROAs and RSCs against EE certs
The resources delegated in the RFC 3779 extensions of the EE cert for ROAs or RSCs can be a subset of the resources in the auth chain. So far we compared that the resources of ROAs and RSCs are covered by the auth chain, which is not entirely correct. Extract the necessary data from the EE cert into rpki-client's own data structures, then verify that the EE cert's resources cover the ones claimed in the ROA or RSC.
Do this as part of ROA and RSC parsing; that the EE cert's resources are covered by the auth chain is checked in valid_x509() later on.
All this is a bit more annoying and intrusive than it should be...
ok claudio job
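The two resource checks this entry separates (ROA prefixes against the EE certificate at parse time, then the EE certificate against the auth chain in valid_x509()) and the trust anchor constraint from the 1.36 entry above, as one added Go example that is not rpki-client's code. It models RFC 3779 IP resources as prefix lists (address ranges and "inherit" are left out), walks the three checks in order and reports which one rejected a prefix, so a ROA with a cryptographically valid path can still be refused because the resource lies outside what the relying party allows the trust anchor to delegate. The allow/deny semantics of the constraint (accepted only if an allow prefix covers it and no deny prefix overlaps it), the stage names and every prefix are this example's own assumptions and placeholders, not rpki-client's constraints file format or real RIR allocations.

```go
package main

import (
	"fmt"
	"net/netip"
)

// ResourceSet models the prefixes of an RFC 3779 IP address extension (ranges
// and "inherit" are left out of this example).
type ResourceSet []netip.Prefix

// MustSet builds a ResourceSet from CIDR strings (constructed input only).
func MustSet(cidrs ...string) ResourceSet {
	s := make(ResourceSet, 0, len(cidrs))
	for _, c := range cidrs {
		s = append(s, netip.MustParsePrefix(c).Masked())
	}
	return s
}

// Covers reports whether p lies entirely inside one prefix of s: prefixes only
// overlap when one contains the other, so a shorter overlapping q covers p.
func (s ResourceSet) Covers(p netip.Prefix) bool {
	for _, q := range s {
		if q.Bits() <= p.Bits() && q.Overlaps(p) {
			return true
		}
	}
	return false
}

// Uncovered returns the first prefix of child that s does not cover.
func (s ResourceSet) Uncovered(child ResourceSet) (netip.Prefix, bool) {
	for _, p := range child {
		if !s.Covers(p) {
			return p, true
		}
	}
	return netip.Prefix{}, false
}

// TAConstraint bounds a trust anchor's authority. Assumed semantics: a prefix
// is accepted only if Allow covers it and no Deny prefix overlaps it.
type TAConstraint struct{ Allow, Deny ResourceSet }

func (c TAConstraint) Accepts(p netip.Prefix) bool {
	if !c.Allow.Covers(p) {
		return false
	}
	for _, d := range c.Deny {
		if d.Overlaps(p) {
			return false
		}
	}
	return true
}

// Which check rejected a prefix; "" means accepted.
const (
	StageEE    = "roa-vs-ee-cert" // ROA claims more than its EE cert holds
	StageChain = "cert-vs-issuer" // a certificate overclaims its issuer
	StageTA    = "ta-constraint"  // valid path, but outside the TA's bound
)

// ValidateROA runs the checks in order and returns the failing stage and prefix.
// chain[0] is the trust anchor certificate, chain[len(chain)-1] the issuer of ee.
func ValidateROA(c TAConstraint, chain []ResourceSet, ee, roa ResourceSet) (string, netip.Prefix) {
	// 1. The ROA may only claim what its own EE certificate holds.
	if p, bad := ee.Uncovered(roa); bad {
		return StageEE, p
	}
	// 2. Each certificate must be covered by its issuer, TA down to the EE.
	certs := append(append([]ResourceSet{}, chain...), ee)
	for i := 1; i < len(certs); i++ {
		if p, bad := certs[i-1].Uncovered(certs[i]); bad {
			return StageChain, p
		}
	}
	// 3. A valid path is not enough: the prefix must also be within the TA's bound.
	for _, p := range roa {
		if !c.Accepts(p) {
			return StageTA, p
		}
	}
	return "", netip.Prefix{}
}

var ( // placeholder inputs: not real RIR allocations, not rpki-client's file format
	ExampleConstraint = TAConstraint{
		Allow: MustSet("192.0.2.0/24", "2001:db8::/32"),
		Deny:  MustSet("10.0.0.0/8", "2001:db8:dead::/48"),
	}
	ExampleChain = []ResourceSet{
		MustSet("0.0.0.0/0", "::/0"),                           // TA certificate
		MustSet("192.0.2.0/24", "2001:db8::/32", "10.0.0.0/8"), // CA certificate
	}
)

func main() {
	fmt.Println(ValidateROA(ExampleConstraint, ExampleChain, MustSet("192.0.2.0/26"), MustSet("192.0.2.0/25")))
}
```

Step 3 only has to look at the ROA's own prefixes because steps 1 and 2 already established that they sit inside every certificate up to the TA; the Deny list is what lets a relying party refuse 10.0.0.0/8 even though the CA certificate in the placeholder chain carries it.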
|
#
1.7 |
|
11-May-2022 |
job |
In filemode check whether ROA & RSC resources are properly contained
with and OK tb@ claudio@
|
#
1.6 |
|
09-May-2022 |
job |
Add preliminary support for decoding RSC objects in filemode
This implements decoding support for draft-ietf-sidrops-rpki-rsc-06
There are three major outstanding issues:
* The wire image might still change to conform to the more widely deployed 3779 API in libressl/openssl. IETF discussion ongoing.
* Whether the resources listed in the ResourceBlock are contained within the EE's RFC 3779 extension is not hooked up yet.
* There is a fair bit of duplicity between rsc.c and cert.c, look for XXX
OK tb@
|
#
1.5 |
|
24-Apr-2022 |
tb |
zap extra blank line
|
#
1.4 |
|
24-Apr-2022 |
tb |
trailing whitespace
|
#
1.3 |
|
24-Apr-2022 |
job |
In filemode emit the hash which uniquely identifies a given Signed Object
RPKI Signed Objects are not malleable; this means the SHA256 digest of an input file containing a signed object is a very stable identifier to associate with the decoded (validated) output shown in filemode.
The SHA256 in hash_id is base64 encoded (just like hashes on manifest listings).
OK tb@
|
#
1.2 |
|
21-Apr-2022 |
claudio |
Further refactor and cleanup filemode.c: mainly remove the copies of proc_parser_cert_validate() and proc_parser_root_cert() and adjust parse_load_certchain() and parse_load_ta() respectively. Also cleanup the functions in parser.c and make it possible to call ta_parse and cert_parse with a NULL cert. OK tb@
|
#
1.1 |
|
21-Apr-2022 |
claudio |
The filemode code is different enough from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows removing the errx() after them.
OK tb@
|
#
1.43 |
|
06-Jun-2024 |
tb |
rpki-client: fix a crash in filemode
For an expired TA, cert is freed and zeroed in file mode and cert_print() crashes. For such TAs (and otherwise invalid ones) expired and notafter become dangling pointers. Invalidate them and set them only for valid TA certs.
with/ok claudio
|
#
1.42 |
|
20-May-2024 |
claudio |
Instead of tracking certificates by SKI track them by an internal identifier.
The certificate SKI is not strictly unique so using it as a unique id is problematic. It is also not really needed to do that since in theory we already know the path (but this got lost in the privsep communication). So add a cert id and pass this id back and forth between main process and the parser. With this id we can lookup the authentication chain in the parser and this even works with multiple paths to the same resource. Since we no longer lookup by SKI the valid_aki_ski function is replaced by find_issuer() which does the lookup by certid.
The loop protection is now extended to allow each TAL to reach each file once but still triggers if a file is reaccessed by the tree of a TAL.
In filemode the lookup now uses an AIA uri based lookup tree. Again this replaces the SKI based lookups from before.
Done together with tb@ OK tb@ job@
|
#
1.41 |
|
21-Apr-2024 |
claudio |
P-256 support is experimental so require -x to enable it.
Also clean up the externs a little bit by moving experimental and noop to extern.h. Reminded by and OK tb@
|
#
1.40 |
|
22-Mar-2024 |
job |
Replace protocol literal strings and strlen() calls with defined constants
OK tb@ claudio@
|
#
1.39 |
|
19-Mar-2024 |
tb |
Rename parent to issuer in struct auth
Parent is confusing and issuer is the appropriate terminology. This is a mechanical diff. The only remaining uses of 'parent' in this code base now mean 'parent process'.
discussed with beck and job ok job
|
Revision tags: OPENBSD_7_5_BASE
|
#
1.38 |
|
22-Feb-2024 |
job |
Add support for RPKI Signed Prefix Lists
Signed Prefix List are a CMS protected content type for use with the RPKI to carry the complete list of prefixes which an Autonomous System may originate to all or any of its routing peers. The validation of a Signed Prefix List confirms that the holder of the listed ASN produced the object, and that this list is a current, accurate and complete description of address prefixes that may be announced into the routing system originated by this AS.
https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-prefixlist
with and OK claudio@ tb@
|
#
1.37 |
|
23-Jan-2024 |
job |
Warn about overclaiming intermediate CAs, but don't error
OK tb@
|
#
1.36 |
|
13-Oct-2023 |
job |
Allow imposing constraints on RPKI trust anchors
The ability to constrain a RPKI Trust Anchor's effective signing authority to a limited set of Internet Number Resources allows Relying Parties to enjoy the potential benefits of assuming trust, within a bounded scope.
Some examples: ARIN does not support inter-RIR IPv6 transfers, so it wouldn't make any sense to see a ROA subordinate to ARIN's trust anchor covering RIPE-managed IPv6 space. Conversely, it wouldn't make sense to observe a ROA covering ARIN-managed IPv6 space under APNIC's, LACNIC's, or RIPE's trust anchor - even if a derived trust arc (a cryptographically valid certificate path) existed. Along these same lines, AFRINIC doesn't support inter-RIR transfers of any kind, and none of the RIRs have authority over private resources like 10.0.0.0/8 and 2001:db8::/32.
For more background see: https://datatracker.ietf.org/doc/draft-snijders-constraining-rpki-trust-anchors/ https://mailman.nanog.org/pipermail/nanog/2023-September/223354.html
With and OK tb@, OK claudio@
|
Revision tags: OPENBSD_7_4_BASE
|
#
1.35 |
|
25-Sep-2023 |
tb |
Pass the talid to various parse functions
This will be needed by an upcoming feature where we will need to know what trust anchor a given cert chains to. This doesn't change anything except the size of the diff.
ok claudio job
|
#
1.34 |
|
29-Jun-2023 |
tb |
Retire log.c
Convert all cryptowarnx() and cryptoerrx() to appropriate versions of warn() and err{,x}(). Neither users nor developers benefit from them. If we need better errors, we need to do some thinking. libcrypto won't do that for us.
suggested by claudio ok job
|
#
1.33 |
|
30-May-2023 |
job |
Fixup file modification timestamps to optimize failover from RRDP to RSYNC
In the RSYNC protocol a file's last modification time and its size are used to determine whether sending a (partial) copy over the wire is needed. Previously, when RRDP data structures are serialized to disk, the mtime of files in DIR_VALID ended up being UTIME_NOW.
Thus, the mtimes of files obtained through RRDP will never match the mtimes of the same files available through RSYNC - causing each and every file to be added to the file transfer list.
Instead, use the internal timestamps of RPKI files as the last modified timestamp. Specifically, for Signed Objects (ROAs, MFTs, GBRs, TAKs, ASPAs) the CMS signing-time, for .cer files the X.509 notBefore, and for .crl files the CRL lastUpdate. This results in a surprising optimization for the number files which have to be transfered.
OK claudio@
|
#
1.32 |
|
30-May-2023 |
claudio |
Convert all of filemode to use the json API as well. Output is mostly the same apart from some space differences. OK tb@ job@
|
#
1.31 |
|
03-May-2023 |
tb |
Fix a use-after-free in filemode
In case the TAL of a self-signed is unavailable, cert would be freed but we'd still hold a reference to its expired time in expires, so invalidate that pointer as well.
Found by, initial fix and ok job
|
#
1.30 |
|
26-Apr-2023 |
claudio |
Improve accounting by tracking things by repo and tal. This fixes some wrong accounting for repositories that are referenced from more than one TAL. It changes the ometric lable output a little bit since there are repository metrics that no longer include the 'name' label. OK tb@
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.29 |
|
15-Mar-2023 |
job |
Show MFTs as part of the signature path
no objection tb@
|
#
1.28 |
|
13-Mar-2023 |
job |
Don't lookup the signature path's expiry for trust anchor certs
|
#
1.27 |
|
13-Mar-2023 |
job |
In filemode, also print details for .cer certificates
|
#
1.26 |
|
13-Mar-2023 |
job |
In filemode, display the moment the signature path will expire
Previously this was only shown for ROA+ASPA. Now also show for GBR, Geofeed, Certs, RSC, and TAK.
OK tb@
|
#
1.25 |
|
13-Mar-2023 |
job |
In filemode for ROAs/ASPAs display when the Signature path will expire
Also rename 'certification path' to 'signature path' for alignment
OK tb@
|
#
1.24 |
|
13-Mar-2023 |
job |
Merge calling print_certification_path() into adjacent else branch
OK tb@
|
#
1.23 |
|
13-Mar-2023 |
job |
Refactor whats printed when in filemode
OK tb@
|
#
1.22 |
|
12-Mar-2023 |
job |
Alphabetically sort various bits and pieces - mechanical change
Might make later refactors easier to follow
OK tb@
|
#
1.21 |
|
07-Mar-2023 |
job |
Improve decoded content printing in filemode
Looks reasonable claudio@
|
#
1.20 |
|
03-Mar-2023 |
job |
In filemode, print the certification path towards the Trust Anchor
with and OK tb@
|
#
1.19 |
|
06-Jan-2023 |
claudio |
Rework the main <-> parser/filemode communication protocol a bit.
Swap repo_id and filename to simplify the code in parser.c. In filemode both repo_id and filename are ignored. Additionally do not errx() in case of unknown file types. Instead send back enough info that the code can move on.
OK tb@
|
#
1.18 |
|
29-Nov-2022 |
claudio |
Return an error string instead of surpressing the warning in valid_x509. This way manifests can should a better error message when something fails. With and OK tb@
|
#
1.17 |
|
26-Nov-2022 |
job |
Add support for authenticating geofeed data CSV files in filemode
RFC 9092 describes a scheme in which an authenticator is appended to a geofeed (RFC 8805) file. It is a digest of the main body of the file signed by the private key of the relevant RPKI certificate for a covering address range. The authenticator is a detached CMS signature.
with and OK tb@
|
#
1.16 |
|
04-Nov-2022 |
job |
Format filemode output in a tabular fashion to improve readability
OK tb@ claudio@
|
#
1.15 |
|
02-Nov-2022 |
job |
Add support for draft-ietf-sidrops-signed-tal-12
Add support validation of Signed Objects containing Trust Anchor Keys (TAKs - aka 'Signed TALs'). Signed TALs provide a mechanism for RIRs to distribute and sign the next Trust Anchor with the current Trust Anchor. This might be an improvement over visiting RIR websites and copy+pasting TAL data by hand.
OK tb@
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.14 |
|
06-Sep-2022 |
job |
Properly free memory in filemode
OK tb@
|
#
1.13 |
|
30-Aug-2022 |
job |
Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)
ASPA objects are published in the RPKI and can be used to detect and mitigate BGP route leaks. Validated ASPA Payloads are visible through filemode (-f) and the JSON output format (-j).
With feedback from tb@
OK claudio@ tb@
|
#
1.12 |
|
25-Aug-2022 |
job |
Make PEM printing available through increased verbosity (-vvf)
Suggestion from claudio@
OK tb@
|
#
1.11 |
|
25-Aug-2022 |
job |
In verbose filemode print details about encapsulated certificates. Add command line flag to print the certificate in PEM format.
OK tb@
|
#
1.10 |
|
25-Aug-2022 |
job |
Fix newline in JSON filemode
OK tb@
|
#
1.9 |
|
25-Aug-2022 |
job |
Plug memory leak in filemode
OK tb@ claudio@
|
#
1.8 |
|
19-Aug-2022 |
tb |
Check the resources in ROAs and RSCs against EE certs
The resources delegated in the RFC 3779 extensions of the EE cert for ROAs or RSCs can be a subset of the resources in the auth chain. So far we compared that the resources of ROAs and RSCs are covered by the auth chain, which is not entirely correct. Extract the necessary data from the EE cert into rpki-client's own data structures, then verify that the EE cert's resources cover the ones claimed in the ROA or RSC.
Do this as part or ROA and RSC parsing, that the EE cert's resources are covered by the auth chain is checked in valid_x509() later on.
All this is a bit more annoying and intrusive than it should be...
ok claudio job
|
#
1.7 |
|
11-May-2022 |
job |
In filemode check whether ROA & RSC resources are properly contained
with and OK tb@ claudio@
|
#
1.6 |
|
09-May-2022 |
job |
Add preliminary support for decoding RSC objects in filemode
This implements decoding support for draft-ietf-sidrops-rpki-rsc-06
There are three major outstanding issues:
* The wire image might still change to conform to the more widely deployed 3779 API in libressl/openssl. IETF discussion ongoing. * Whether the resources listed in the ResourceBlock are contained within the EE's RFC 3779 extension is not hooked up yet. * There is a fair bit of duplicity between rsc.c and cert.c, look for XXX
OK tb@
|
#
1.5 |
|
24-Apr-2022 |
tb |
zap extra blank line
|
#
1.4 |
|
24-Apr-2022 |
tb |
trailing whitespace
|
#
1.3 |
|
24-Apr-2022 |
job |
In filemode emit the hash which uniquely identifies a given Signed Object
RPKI Signed Objects are not malleable; this means the SHA256 digest of an input file containing a signed object is a very stable identifier to associate with the decoded (validated) output shown in filemode.
The SHA256 in hash_id is base64 encoded (just like hashes on manifest listings).
OK tb@
|
#
1.2 |
|
21-Apr-2022 |
claudio |
Further refactor and cleanup filemode.c mainly remove the copies of proc_parser_cert_validate() and proc_parser_root_cert() adjust parse_load_certchain() and parse_load_ta() respectivly. Also cleanup the functions in parser.c and make it possible to call ta_parse and cert_parse with a NULL cert. OK tb@
|
#
1.1 |
|
21-Apr-2022 |
claudio |
The filemode code is enough different from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows to remove the errx() after them.
OK tb@
|
#
1.42 |
|
20-May-2024 |
claudio |
Instead of tracking certificates by SKI track them by an internal identifier.
The certificate SKI is not strictly unique so using it as a unique id is problematic. It is also not really needed to do that since in theory we already know the path (but this got lost in the privsep communication). So add a cert id and pass this id back and forth between main process and the parser. With this id we can lookup the authentication chain in the parser and this even works with multiple paths to the same resource. Since we no longer lookup by SKI the valid_aki_ski function is replaced by find_issuer() which does the lookup by certid.
The loop protection is now extended to allow each TAL to reach each file once but still triggers if a file is reaccessed by the tree of a TAL.
In filemode the lookup now uses an AIA uri based lookup tree. Again this replaces the SKI based lookups from before.
Done together with tb@ OK tb@ job@
|
#
1.41 |
|
21-Apr-2024 |
claudio |
P-256 support is experimental so require -x to enable it.
Also clean up the externs a little bit by moving experimental and noop to extern.h. Reminded by and OK tb@
|
#
1.40 |
|
22-Mar-2024 |
job |
Replace protocol literal strings and strlen() calls with defined constants
OK tb@ claudio@
|
#
1.39 |
|
19-Mar-2024 |
tb |
Rename parent to issuer in struct auth
Parent is confusing and issuer is the appropriate terminology. This is a mechanical diff. The only remaining uses of 'parent' in this code base now mean 'parent process'.
discussed with beck and job ok job
|
Revision tags: OPENBSD_7_5_BASE
|
#
1.38 |
|
22-Feb-2024 |
job |
Add support for RPKI Signed Prefix Lists
Signed Prefix List are a CMS protected content type for use with the RPKI to carry the complete list of prefixes which an Autonomous System may originate to all or any of its routing peers. The validation of a Signed Prefix List confirms that the holder of the listed ASN produced the object, and that this list is a current, accurate and complete description of address prefixes that may be announced into the routing system originated by this AS.
https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-prefixlist
with and OK claudio@ tb@
|
#
1.37 |
|
23-Jan-2024 |
job |
Warn about overclaiming intermediate CAs, but don't error
OK tb@
|
#
1.36 |
|
13-Oct-2023 |
job |
Allow imposing constraints on RPKI trust anchors
The ability to constrain a RPKI Trust Anchor's effective signing authority to a limited set of Internet Number Resources allows Relying Parties to enjoy the potential benefits of assuming trust, within a bounded scope.
Some examples: ARIN does not support inter-RIR IPv6 transfers, so it wouldn't make any sense to see a ROA subordinate to ARIN's trust anchor covering RIPE-managed IPv6 space. Conversely, it wouldn't make sense to observe a ROA covering ARIN-managed IPv6 space under APNIC's, LACNIC's, or RIPE's trust anchor - even if a derived trust arc (a cryptographically valid certificate path) existed. Along these same lines, AFRINIC doesn't support inter-RIR transfers of any kind, and none of the RIRs have authority over private resources like 10.0.0.0/8 and 2001:db8::/32.
For more background see: https://datatracker.ietf.org/doc/draft-snijders-constraining-rpki-trust-anchors/ https://mailman.nanog.org/pipermail/nanog/2023-September/223354.html
With and OK tb@, OK claudio@
|
Revision tags: OPENBSD_7_4_BASE
|
#
1.35 |
|
25-Sep-2023 |
tb |
Pass the talid to various parse functions
This will be needed by an upcoming feature where we will need to know what trust anchor a given cert chains to. This doesn't change anything except the size of the diff.
ok claudio job
|
#
1.34 |
|
29-Jun-2023 |
tb |
Retire log.c
Convert all cryptowarnx() and cryptoerrx() to appropriate versions of warn() and err{,x}(). Neither users nor developers benefit from them. If we need better errors, we need to do some thinking. libcrypto won't do that for us.
suggested by claudio ok job
|
#
1.33 |
|
30-May-2023 |
job |
Fixup file modification timestamps to optimize failover from RRDP to RSYNC
In the RSYNC protocol a file's last modification time and its size are used to determine whether sending a (partial) copy over the wire is needed. Previously, when RRDP data structures are serialized to disk, the mtime of files in DIR_VALID ended up being UTIME_NOW.
Thus, the mtimes of files obtained through RRDP will never match the mtimes of the same files available through RSYNC - causing each and every file to be added to the file transfer list.
Instead, use the internal timestamps of RPKI files as the last modified timestamp. Specifically, for Signed Objects (ROAs, MFTs, GBRs, TAKs, ASPAs) the CMS signing-time, for .cer files the X.509 notBefore, and for .crl files the CRL lastUpdate. This results in a surprising optimization for the number files which have to be transfered.
OK claudio@
|
#
1.32 |
|
30-May-2023 |
claudio |
Convert all of filemode to use the json API as well. Output is mostly the same apart from some space differences. OK tb@ job@
|
#
1.31 |
|
03-May-2023 |
tb |
Fix a use-after-free in filemode
In case the TAL of a self-signed is unavailable, cert would be freed but we'd still hold a reference to its expired time in expires, so invalidate that pointer as well.
Found by, initial fix and ok job
|
#
1.30 |
|
26-Apr-2023 |
claudio |
Improve accounting by tracking things by repo and tal. This fixes some wrong accounting for repositories that are referenced from more than one TAL. It changes the ometric lable output a little bit since there are repository metrics that no longer include the 'name' label. OK tb@
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.29 |
|
15-Mar-2023 |
job |
Show MFTs as part of the signature path
no objection tb@
|
#
1.28 |
|
13-Mar-2023 |
job |
Don't lookup the signature path's expiry for trust anchor certs
|
#
1.27 |
|
13-Mar-2023 |
job |
In filemode, also print details for .cer certificates
|
#
1.26 |
|
13-Mar-2023 |
job |
In filemode, display the moment the signature path will expire
Previously this was only shown for ROA+ASPA. Now also show for GBR, Geofeed, Certs, RSC, and TAK.
OK tb@
|
#
1.25 |
|
13-Mar-2023 |
job |
In filemode for ROAs/ASPAs display when the Signature path will expire
Also rename 'certification path' to 'signature path' for alignment
OK tb@
|
#
1.24 |
|
13-Mar-2023 |
job |
Merge calling print_certification_path() into adjacent else branch
OK tb@
|
#
1.23 |
|
13-Mar-2023 |
job |
Refactor whats printed when in filemode
OK tb@
|
#
1.22 |
|
12-Mar-2023 |
job |
Alphabetically sort various bits and pieces - mechanical change
Might make later refactors easier to follow
OK tb@
|
#
1.21 |
|
07-Mar-2023 |
job |
Improve decoded content printing in filemode
Looks reasonable claudio@
|
#
1.20 |
|
03-Mar-2023 |
job |
In filemode, print the certification path towards the Trust Anchor
with and OK tb@
|
#
1.19 |
|
06-Jan-2023 |
claudio |
Rework the main <-> parser/filemode communication protocol a bit.
Swap repo_id and filename to simplify the code in parser.c. In filemode both repo_id and filename are ignored. Additionally do not errx() in case of unknown file types. Instead send back enough info that the code can move on.
OK tb@
|
#
1.18 |
|
29-Nov-2022 |
claudio |
Return an error string instead of surpressing the warning in valid_x509. This way manifests can should a better error message when something fails. With and OK tb@
|
#
1.17 |
|
26-Nov-2022 |
job |
Add support for authenticating geofeed data CSV files in filemode
RFC 9092 describes a scheme in which an authenticator is appended to a geofeed (RFC 8805) file. It is a digest of the main body of the file signed by the private key of the relevant RPKI certificate for a covering address range. The authenticator is a detached CMS signature.
with and OK tb@
|
#
1.16 |
|
04-Nov-2022 |
job |
Format filemode output in a tabular fashion to improve readability
OK tb@ claudio@
|
#
1.15 |
|
02-Nov-2022 |
job |
Add support for draft-ietf-sidrops-signed-tal-12
Add support validation of Signed Objects containing Trust Anchor Keys (TAKs - aka 'Signed TALs'). Signed TALs provide a mechanism for RIRs to distribute and sign the next Trust Anchor with the current Trust Anchor. This might be an improvement over visiting RIR websites and copy+pasting TAL data by hand.
OK tb@
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.14 |
|
06-Sep-2022 |
job |
Properly free memory in filemode
OK tb@
|
#
1.13 |
|
30-Aug-2022 |
job |
Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)
ASPA objects are published in the RPKI and can be used to detect and mitigate BGP route leaks. Validated ASPA Payloads are visible through filemode (-f) and the JSON output format (-j).
With feedback from tb@
OK claudio@ tb@
|
#
1.12 |
|
25-Aug-2022 |
job |
Make PEM printing available through increased verbosity (-vvf)
Suggestion from claudio@
OK tb@
|
#
1.11 |
|
25-Aug-2022 |
job |
In verbose filemode print details about encapsulated certificates. Add command line flag to print the certificate in PEM format.
OK tb@
|
#
1.10 |
|
25-Aug-2022 |
job |
Fix newline in JSON filemode
OK tb@
|
#
1.9 |
|
25-Aug-2022 |
job |
Plug memory leak in filemode
OK tb@ claudio@
|
#
1.8 |
|
19-Aug-2022 |
tb |
Check the resources in ROAs and RSCs against EE certs
The resources delegated in the RFC 3779 extensions of the EE cert for ROAs or RSCs can be a subset of the resources in the auth chain. So far we compared that the resources of ROAs and RSCs are covered by the auth chain, which is not entirely correct. Extract the necessary data from the EE cert into rpki-client's own data structures, then verify that the EE cert's resources cover the ones claimed in the ROA or RSC.
Do this as part or ROA and RSC parsing, that the EE cert's resources are covered by the auth chain is checked in valid_x509() later on.
All this is a bit more annoying and intrusive than it should be...
ok claudio job
|
#
1.7 |
|
11-May-2022 |
job |
In filemode check whether ROA & RSC resources are properly contained
with and OK tb@ claudio@
|
#
1.6 |
|
09-May-2022 |
job |
Add preliminary support for decoding RSC objects in filemode
This implements decoding support for draft-ietf-sidrops-rpki-rsc-06
There are three major outstanding issues:
* The wire image might still change to conform to the more widely deployed 3779 API in libressl/openssl. IETF discussion ongoing. * Whether the resources listed in the ResourceBlock are contained within the EE's RFC 3779 extension is not hooked up yet. * There is a fair bit of duplicity between rsc.c and cert.c, look for XXX
OK tb@
|
#
1.5 |
|
24-Apr-2022 |
tb |
zap extra blank line
|
#
1.4 |
|
24-Apr-2022 |
tb |
trailing whitespace
|
#
1.3 |
|
24-Apr-2022 |
job |
In filemode emit the hash which uniquely identifies a given Signed Object
RPKI Signed Objects are not malleable; this means the SHA256 digest of an input file containing a signed object is a very stable identifier to associate with the decoded (validated) output shown in filemode.
The SHA256 in hash_id is base64 encoded (just like hashes on manifest listings).
OK tb@
|
#
1.2 |
|
21-Apr-2022 |
claudio |
Further refactor and cleanup filemode.c mainly remove the copies of proc_parser_cert_validate() and proc_parser_root_cert() adjust parse_load_certchain() and parse_load_ta() respectivly. Also cleanup the functions in parser.c and make it possible to call ta_parse and cert_parse with a NULL cert. OK tb@
|
#
1.1 |
|
21-Apr-2022 |
claudio |
The filemode code is enough different from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows to remove the errx() after them.
OK tb@
|
#
1.41 |
|
21-Apr-2024 |
claudio |
P-256 support is experimental so require -x to enable it.
Also clean up the externs a little bit by moving experimental and noop to extern.h. Reminded by and OK tb@
|
#
1.40 |
|
22-Mar-2024 |
job |
Replace protocol literal strings and strlen() calls with defined constants
OK tb@ claudio@
|
#
1.39 |
|
19-Mar-2024 |
tb |
Rename parent to issuer in struct auth
Parent is confusing and issuer is the appropriate terminology. This is a mechanical diff. The only remaining uses of 'parent' in this code base now mean 'parent process'.
discussed with beck and job ok job
|
Revision tags: OPENBSD_7_5_BASE
|
#
1.38 |
|
22-Feb-2024 |
job |
Add support for RPKI Signed Prefix Lists
Signed Prefix Lists are a CMS-protected content type for use with the RPKI to carry the complete list of prefixes which an Autonomous System may originate to all or any of its routing peers. The validation of a Signed Prefix List confirms that the holder of the listed ASN produced the object, and that this list is a current, accurate and complete description of address prefixes that may be announced into the routing system originated by this AS.
https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-prefixlist
with and OK claudio@ tb@
|
#
1.37 |
|
23-Jan-2024 |
job |
Warn about overclaiming intermediate CAs, but don't error
OK tb@
|
#
1.36 |
|
13-Oct-2023 |
job |
Allow imposing constraints on RPKI trust anchors
The ability to constrain a RPKI Trust Anchor's effective signing authority to a limited set of Internet Number Resources allows Relying Parties to enjoy the potential benefits of assuming trust, within a bounded scope.
Some examples: ARIN does not support inter-RIR IPv6 transfers, so it wouldn't make any sense to see a ROA subordinate to ARIN's trust anchor covering RIPE-managed IPv6 space. Conversely, it wouldn't make sense to observe a ROA covering ARIN-managed IPv6 space under APNIC's, LACNIC's, or RIPE's trust anchor - even if a derived trust arc (a cryptographically valid certificate path) existed. Along these same lines, AFRINIC doesn't support inter-RIR transfers of any kind, and none of the RIRs have authority over private resources like 10.0.0.0/8 and 2001:db8::/32.
For more background see:
https://datatracker.ietf.org/doc/draft-snijders-constraining-rpki-trust-anchors/
https://mailman.nanog.org/pipermail/nanog/2023-September/223354.html
With and OK tb@, OK claudio@
|
Revision tags: OPENBSD_7_4_BASE
|
#
1.35 |
|
25-Sep-2023 |
tb |
Pass the talid to various parse functions
This will be needed by an upcoming feature where we will need to know what trust anchor a given cert chains to. This doesn't change anything except the size of the diff.
ok claudio job
|
#
1.34 |
|
29-Jun-2023 |
tb |
Retire log.c
Convert all cryptowarnx() and cryptoerrx() to appropriate versions of warn() and err{,x}(). Neither users nor developers benefit from them. If we need better errors, we need to do some thinking. libcrypto won't do that for us.
suggested by claudio ok job
|
#
1.33 |
|
30-May-2023 |
job |
Fixup file modification timestamps to optimize failover from RRDP to RSYNC
In the RSYNC protocol a file's last modification time and its size are used to determine whether sending a (partial) copy over the wire is needed. Previously, when RRDP data structures are serialized to disk, the mtime of files in DIR_VALID ended up being UTIME_NOW.
Thus, the mtimes of files obtained through RRDP will never match the mtimes of the same files available through RSYNC - causing each and every file to be added to the file transfer list.
Instead, use the internal timestamps of RPKI files as the last modified timestamp. Specifically, for Signed Objects (ROAs, MFTs, GBRs, TAKs, ASPAs) the CMS signing-time, for .cer files the X.509 notBefore, and for .crl files the CRL lastUpdate. This results in a surprising optimization for the number of files which have to be transferred.
OK claudio@
|
#
1.32 |
|
30-May-2023 |
claudio |
Convert all of filemode to use the json API as well. Output is mostly the same apart from some space differences. OK tb@ job@
|
#
1.31 |
|
03-May-2023 |
tb |
Fix a use-after-free in filemode
In case the TAL of a self-signed is unavailable, cert would be freed but we'd still hold a reference to its expired time in expires, so invalidate that pointer as well.
Found by, initial fix and ok job
|
#
1.30 |
|
26-Apr-2023 |
claudio |
Improve accounting by tracking things by repo and tal. This fixes some wrong accounting for repositories that are referenced from more than one TAL. It changes the ometric label output a little bit since there are repository metrics that no longer include the 'name' label. OK tb@
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.29 |
|
15-Mar-2023 |
job |
Show MFTs as part of the signature path
no objection tb@
|
#
1.28 |
|
13-Mar-2023 |
job |
Don't lookup the signature path's expiry for trust anchor certs
|
#
1.27 |
|
13-Mar-2023 |
job |
In filemode, also print details for .cer certificates
|
#
1.26 |
|
13-Mar-2023 |
job |
In filemode, display the moment the signature path will expire
Previously this was only shown for ROA+ASPA. Now also show for GBR, Geofeed, Certs, RSC, and TAK.
OK tb@
|
#
1.25 |
|
13-Mar-2023 |
job |
In filemode for ROAs/ASPAs display when the Signature path will expire
Also rename 'certification path' to 'signature path' for alignment
OK tb@
|
#
1.24 |
|
13-Mar-2023 |
job |
Merge calling print_certification_path() into adjacent else branch
OK tb@
|
#
1.23 |
|
13-Mar-2023 |
job |
Refactor what's printed when in filemode
OK tb@
|
#
1.22 |
|
12-Mar-2023 |
job |
Alphabetically sort various bits and pieces - mechanical change
Might make later refactors easier to follow
OK tb@
|
#
1.21 |
|
07-Mar-2023 |
job |
Improve decoded content printing in filemode
Looks reasonable claudio@
|
#
1.20 |
|
03-Mar-2023 |
job |
In filemode, print the certification path towards the Trust Anchor
with and OK tb@
|
#
1.19 |
|
06-Jan-2023 |
claudio |
Rework the main <-> parser/filemode communication protocol a bit.
Swap repo_id and filename to simplify the code in parser.c. In filemode both repo_id and filename are ignored. Additionally do not errx() in case of unknown file types. Instead send back enough info that the code can move on.
OK tb@
|
#
1.18 |
|
29-Nov-2022 |
claudio |
Return an error string instead of suppressing the warning in valid_x509. This way manifests can show a better error message when something fails. With and OK tb@
|
#
1.17 |
|
26-Nov-2022 |
job |
Add support for authenticating geofeed data CSV files in filemode
RFC 9092 describes a scheme in which an authenticator is appended to a geofeed (RFC 8805) file. It is a digest of the main body of the file signed by the private key of the relevant RPKI certificate for a covering address range. The authenticator is a detached CMS signature.
with and OK tb@
|
#
1.16 |
|
04-Nov-2022 |
job |
Format filemode output in a tabular fashion to improve readability
OK tb@ claudio@
|
#
1.15 |
|
02-Nov-2022 |
job |
Add support for draft-ietf-sidrops-signed-tal-12
Add support for validation of Signed Objects containing Trust Anchor Keys (TAKs - aka 'Signed TALs'). Signed TALs provide a mechanism for RIRs to distribute and sign the next Trust Anchor with the current Trust Anchor. This might be an improvement over visiting RIR websites and copy+pasting TAL data by hand.
OK tb@
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.14 |
|
06-Sep-2022 |
job |
Properly free memory in filemode
OK tb@
|
#
1.13 |
|
30-Aug-2022 |
job |
Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)
ASPA objects are published in the RPKI and can be used to detect and mitigate BGP route leaks. Validated ASPA Payloads are visible through filemode (-f) and the JSON output format (-j).
With feedback from tb@
OK claudio@ tb@
|
#
1.12 |
|
25-Aug-2022 |
job |
Make PEM printing available through increased verbosity (-vvf)
Suggestion from claudio@
OK tb@
|
#
1.11 |
|
25-Aug-2022 |
job |
In verbose filemode print details about encapsulated certificates. Add command line flag to print the certificate in PEM format.
OK tb@
|
#
1.10 |
|
25-Aug-2022 |
job |
Fix newline in JSON filemode
OK tb@
|
#
1.9 |
|
25-Aug-2022 |
job |
Plug memory leak in filemode
OK tb@ claudio@
|
#
1.8 |
|
19-Aug-2022 |
tb |
Check the resources in ROAs and RSCs against EE certs
The resources delegated in the RFC 3779 extensions of the EE cert for ROAs or RSCs can be a subset of the resources in the auth chain. So far we compared that the resources of ROAs and RSCs are covered by the auth chain, which is not entirely correct. Extract the necessary data from the EE cert into rpki-client's own data structures, then verify that the EE cert's resources cover the ones claimed in the ROA or RSC.
Do this as part of ROA and RSC parsing; that the EE cert's resources are covered by the auth chain is checked in valid_x509() later on.
All this is a bit more annoying and intrusive than it should be...
ok claudio job
|
#
1.7 |
|
11-May-2022 |
job |
In filemode check whether ROA & RSC resources are properly contained
with and OK tb@ claudio@
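The two-stage containment check that revisions 1.8 and 1.7 describe (object resources inside the EE cert at parse time, then each cert inside its issuer up to the TA), written out in Python as an added illustration; this is not rpki-client's code, the resource sets below are constructed, and RFC 3779 "inherit" and the explicit address-range form are not modelled.

```python
"""Containment checks for RPKI signed-object resources (illustrative, not rpki-client code).

Stage 1: the prefixes/AS ranges a ROA or RSC claims must lie within the
         RFC 3779 resources of the EE certificate that signed it.
Stage 2: each certificate's resources must lie within its issuer's, up to the TA.
Only prefix and AS-range forms are handled; 'inherit' is not modelled.
"""
import ipaddress


def parse_resources(prefixes, asns=()):
    """Build a resource set from prefix strings and (lo, hi) inclusive AS ranges."""
    return {
        "prefixes": [ipaddress.ip_network(p) for p in prefixes],
        "asns": [tuple(r) for r in asns],
    }


def prefix_covered(needle, granted):
    """True if `needle` lies inside a granted prefix of the same address family."""
    return any(needle.version == g.version and needle.subnet_of(g) for g in granted)


def as_range_covered(rng, granted):
    """True if the inclusive range `rng` sits inside one granted AS range."""
    lo, hi = rng
    return any(glo <= lo and hi <= ghi for glo, ghi in granted)


def uncovered(claimed, granted):
    """Describe every claimed resource that `granted` does not cover.

    An empty list means the claimed set is fully contained."""
    problems = []
    for p in claimed["prefixes"]:
        if not prefix_covered(p, granted["prefixes"]):
            problems.append(f"prefix {p} not covered")
    for lo, hi in claimed["asns"]:
        if not as_range_covered((lo, hi), granted["asns"]):
            problems.append(f"AS range {lo}-{hi} not covered")
    return problems


def validate_signed_object(claimed, chain):
    """Check a signed object's resources against its certificate chain.

    `chain` is leaf first: [EE cert resources, issuing CA, ..., TA].
    Returns a list of error strings; an empty list means everything is contained."""
    # Stage 1: object resources must be covered by the EE cert itself.
    errors = [f"EE: {m}" for m in uncovered(claimed, chain[0])]
    # Stage 2: walk towards the TA; a child claiming more than its issuer overclaims.
    for depth, (child, issuer) in enumerate(zip(chain, chain[1:])):
        for m in uncovered(child, issuer):
            errors.append(f"chain[{depth}] overclaims issuer: {m}")
    return errors


# Constructed sample chain using documentation prefixes and private-use ASNs.
TA = parse_resources(["192.0.2.0/24", "198.51.100.0/24", "2001:db8::/32"], [(64496, 64511)])
CA = parse_resources(["192.0.2.0/25", "2001:db8::/48"], [(64496, 64500)])
EE = parse_resources(["192.0.2.0/26", "2001:db8::/56"])            # ROA EE: IP only
EE_RSC = parse_resources(["192.0.2.0/26"], [(64497, 64499)])       # RSC EE: IP and AS

GOOD_ROA = parse_resources(["192.0.2.0/26", "2001:db8:0:10::/60"])
BAD_ROA = parse_resources(["192.0.2.0/26", "192.0.2.64/26"])      # second prefix outside EE
GOOD_RSC = parse_resources(["192.0.2.32/27"], [(64497, 64498)])
BAD_RSC = parse_resources(["192.0.2.32/27"], [(64497, 64505)])     # AS range exceeds EE
# An intermediate CA that claims space its TA never delegated.
OVERCLAIMING_CA = parse_resources(["192.0.2.0/25", "2001:db8::/48", "203.0.113.0/24"],
                                  [(64496, 64500)])

if __name__ == "__main__":
    for name, obj, chain in [("good ROA", GOOD_ROA, [EE, CA, TA]),
                             ("bad ROA", BAD_ROA, [EE, CA, TA]),
                             ("good RSC", GOOD_RSC, [EE_RSC, CA, TA]),
                             ("bad RSC", BAD_RSC, [EE_RSC, CA, TA]),
                             ("overclaiming CA", GOOD_ROA, [EE, OVERCLAIMING_CA, TA])]:
        print(name, validate_signed_object(obj, chain) or "ok")
```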
|
#
1.6 |
|
09-May-2022 |
job |
Add preliminary support for decoding RSC objects in filemode
This implements decoding support for draft-ietf-sidrops-rpki-rsc-06
There are three major outstanding issues:
* The wire image might still change to conform to the more widely deployed 3779 API in libressl/openssl. IETF discussion ongoing. * Whether the resources listed in the ResourceBlock are contained within the EE's RFC 3779 extension is not hooked up yet. * There is a fair bit of duplicity between rsc.c and cert.c, look for XXX
OK tb@
|
#
1.5 |
|
24-Apr-2022 |
tb |
zap extra blank line
|
#
1.4 |
|
24-Apr-2022 |
tb |
trailing whitespace
|
#
1.3 |
|
24-Apr-2022 |
job |
In filemode emit the hash which uniquely identifies a given Signed Object
RPKI Signed Objects are not malleable; this means the SHA256 digest of an input file containing a signed object is a very stable identifier to associate with the decoded (validated) output shown in filemode.
The SHA256 in hash_id is base64 encoded (just like hashes on manifest listings).
OK tb@
|
#
1.2 |
|
21-Apr-2022 |
claudio |
Further refactor and cleanup filemode.c mainly remove the copies of proc_parser_cert_validate() and proc_parser_root_cert() adjust parse_load_certchain() and parse_load_ta() respectivly. Also cleanup the functions in parser.c and make it possible to call ta_parse and cert_parse with a NULL cert. OK tb@
|
#
1.1 |
|
21-Apr-2022 |
claudio |
The filemode code is enough different from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows to remove the errx() after them.
OK tb@
|
#
1.40 |
|
22-Mar-2024 |
job |
Replace protocol literal strings and strlen() calls with defined constants
OK tb@ claudio@
|
#
1.39 |
|
19-Mar-2024 |
tb |
Rename parent to issuer in struct auth
Parent is confusing and issuer is the appropriate terminology. This is a mechanical diff. The only remaining uses of 'parent' in this code base now mean 'parent process'.
discussed with beck and job ok job
|
Revision tags: OPENBSD_7_5_BASE
|
#
1.38 |
|
22-Feb-2024 |
job |
Add support for RPKI Signed Prefix Lists
Signed Prefix List are a CMS protected content type for use with the RPKI to carry the complete list of prefixes which an Autonomous System may originate to all or any of its routing peers. The validation of a Signed Prefix List confirms that the holder of the listed ASN produced the object, and that this list is a current, accurate and complete description of address prefixes that may be announced into the routing system originated by this AS.
https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-prefixlist
with and OK claudio@ tb@
|
#
1.37 |
|
23-Jan-2024 |
job |
Warn about overclaiming intermediate CAs, but don't error
OK tb@
|
#
1.36 |
|
13-Oct-2023 |
job |
Allow imposing constraints on RPKI trust anchors
The ability to constrain a RPKI Trust Anchor's effective signing authority to a limited set of Internet Number Resources allows Relying Parties to enjoy the potential benefits of assuming trust, within a bounded scope.
Some examples: ARIN does not support inter-RIR IPv6 transfers, so it wouldn't make any sense to see a ROA subordinate to ARIN's trust anchor covering RIPE-managed IPv6 space. Conversely, it wouldn't make sense to observe a ROA covering ARIN-managed IPv6 space under APNIC's, LACNIC's, or RIPE's trust anchor - even if a derived trust arc (a cryptographically valid certificate path) existed. Along these same lines, AFRINIC doesn't support inter-RIR transfers of any kind, and none of the RIRs have authority over private resources like 10.0.0.0/8 and 2001:db8::/32.
For more background see: https://datatracker.ietf.org/doc/draft-snijders-constraining-rpki-trust-anchors/ https://mailman.nanog.org/pipermail/nanog/2023-September/223354.html
With and OK tb@, OK claudio@
|
Revision tags: OPENBSD_7_4_BASE
|
#
1.35 |
|
25-Sep-2023 |
tb |
Pass the talid to various parse functions
This will be needed by an upcoming feature where we will need to know what trust anchor a given cert chains to. This doesn't change anything except the size of the diff.
ok claudio job
|
#
1.34 |
|
29-Jun-2023 |
tb |
Retire log.c
Convert all cryptowarnx() and cryptoerrx() to appropriate versions of warn() and err{,x}(). Neither users nor developers benefit from them. If we need better errors, we need to do some thinking. libcrypto won't do that for us.
suggested by claudio ok job
|
#
1.33 |
|
30-May-2023 |
job |
Fixup file modification timestamps to optimize failover from RRDP to RSYNC
In the RSYNC protocol a file's last modification time and its size are used to determine whether sending a (partial) copy over the wire is needed. Previously, when RRDP data structures are serialized to disk, the mtime of files in DIR_VALID ended up being UTIME_NOW.
Thus, the mtimes of files obtained through RRDP will never match the mtimes of the same files available through RSYNC - causing each and every file to be added to the file transfer list.
Instead, use the internal timestamps of RPKI files as the last modified timestamp. Specifically, for Signed Objects (ROAs, MFTs, GBRs, TAKs, ASPAs) the CMS signing-time, for .cer files the X.509 notBefore, and for .crl files the CRL lastUpdate. This results in a surprising optimization for the number files which have to be transfered.
OK claudio@
|
#
1.32 |
|
30-May-2023 |
claudio |
Convert all of filemode to use the json API as well. Output is mostly the same apart from some space differences. OK tb@ job@
|
#
1.31 |
|
03-May-2023 |
tb |
Fix a use-after-free in filemode
In case the TAL of a self-signed is unavailable, cert would be freed but we'd still hold a reference to its expired time in expires, so invalidate that pointer as well.
Found by, initial fix and ok job
|
#
1.30 |
|
26-Apr-2023 |
claudio |
Improve accounting by tracking things by repo and tal. This fixes some wrong accounting for repositories that are referenced from more than one TAL. It changes the ometric lable output a little bit since there are repository metrics that no longer include the 'name' label. OK tb@
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.29 |
|
15-Mar-2023 |
job |
Show MFTs as part of the signature path
no objection tb@
|
#
1.28 |
|
13-Mar-2023 |
job |
Don't lookup the signature path's expiry for trust anchor certs
|
#
1.27 |
|
13-Mar-2023 |
job |
In filemode, also print details for .cer certificates
|
#
1.26 |
|
13-Mar-2023 |
job |
In filemode, display the moment the signature path will expire
Previously this was only shown for ROA+ASPA. Now also show for GBR, Geofeed, Certs, RSC, and TAK.
OK tb@
|
#
1.25 |
|
13-Mar-2023 |
job |
In filemode for ROAs/ASPAs display when the Signature path will expire
Also rename 'certification path' to 'signature path' for alignment
OK tb@
|
#
1.24 |
|
13-Mar-2023 |
job |
Merge calling print_certification_path() into adjacent else branch
OK tb@
|
#
1.23 |
|
13-Mar-2023 |
job |
Refactor whats printed when in filemode
OK tb@
|
#
1.22 |
|
12-Mar-2023 |
job |
Alphabetically sort various bits and pieces - mechanical change
Might make later refactors easier to follow
OK tb@
|
#
1.21 |
|
07-Mar-2023 |
job |
Improve decoded content printing in filemode
Looks reasonable claudio@
|
#
1.20 |
|
03-Mar-2023 |
job |
In filemode, print the certification path towards the Trust Anchor
with and OK tb@
|
#
1.19 |
|
06-Jan-2023 |
claudio |
Rework the main <-> parser/filemode communication protocol a bit.
Swap repo_id and filename to simplify the code in parser.c. In filemode both repo_id and filename are ignored. Additionally do not errx() in case of unknown file types. Instead send back enough info that the code can move on.
OK tb@
|
#
1.18 |
|
29-Nov-2022 |
claudio |
Return an error string instead of surpressing the warning in valid_x509. This way manifests can should a better error message when something fails. With and OK tb@
|
#
1.17 |
|
26-Nov-2022 |
job |
Add support for authenticating geofeed data CSV files in filemode
RFC 9092 describes a scheme in which an authenticator is appended to a geofeed (RFC 8805) file. It is a digest of the main body of the file signed by the private key of the relevant RPKI certificate for a covering address range. The authenticator is a detached CMS signature.
with and OK tb@
|
#
1.16 |
|
04-Nov-2022 |
job |
Format filemode output in a tabular fashion to improve readability
OK tb@ claudio@
|
#
1.15 |
|
02-Nov-2022 |
job |
Add support for draft-ietf-sidrops-signed-tal-12
Add support validation of Signed Objects containing Trust Anchor Keys (TAKs - aka 'Signed TALs'). Signed TALs provide a mechanism for RIRs to distribute and sign the next Trust Anchor with the current Trust Anchor. This might be an improvement over visiting RIR websites and copy+pasting TAL data by hand.
OK tb@
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.14 |
|
06-Sep-2022 |
job |
Properly free memory in filemode
OK tb@
|
#
1.13 |
|
30-Aug-2022 |
job |
Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)
ASPA objects are published in the RPKI and can be used to detect and mitigate BGP route leaks. Validated ASPA Payloads are visible through filemode (-f) and the JSON output format (-j).
With feedback from tb@
OK claudio@ tb@
|
#
1.12 |
|
25-Aug-2022 |
job |
Make PEM printing available through increased verbosity (-vvf)
Suggestion from claudio@
OK tb@
|
#
1.11 |
|
25-Aug-2022 |
job |
In verbose filemode print details about encapsulated certificates. Add command line flag to print the certificate in PEM format.
OK tb@
|
#
1.10 |
|
25-Aug-2022 |
job |
Fix newline in JSON filemode
OK tb@
|
#
1.9 |
|
25-Aug-2022 |
job |
Plug memory leak in filemode
OK tb@ claudio@
|
#
1.8 |
|
19-Aug-2022 |
tb |
Check the resources in ROAs and RSCs against EE certs
The resources delegated in the RFC 3779 extensions of the EE cert for ROAs or RSCs can be a subset of the resources in the auth chain. So far we compared that the resources of ROAs and RSCs are covered by the auth chain, which is not entirely correct. Extract the necessary data from the EE cert into rpki-client's own data structures, then verify that the EE cert's resources cover the ones claimed in the ROA or RSC.
Do this as part or ROA and RSC parsing, that the EE cert's resources are covered by the auth chain is checked in valid_x509() later on.
All this is a bit more annoying and intrusive than it should be...
ok claudio job
|
#
1.7 |
|
11-May-2022 |
job |
In filemode check whether ROA & RSC resources are properly contained
with and OK tb@ claudio@
|
#
1.6 |
|
09-May-2022 |
job |
Add preliminary support for decoding RSC objects in filemode
This implements decoding support for draft-ietf-sidrops-rpki-rsc-06
There are three major outstanding issues:
* The wire image might still change to conform to the more widely deployed 3779 API in libressl/openssl. IETF discussion ongoing. * Whether the resources listed in the ResourceBlock are contained within the EE's RFC 3779 extension is not hooked up yet. * There is a fair bit of duplicity between rsc.c and cert.c, look for XXX
OK tb@
|
#
1.5 |
|
24-Apr-2022 |
tb |
zap extra blank line
|
#
1.4 |
|
24-Apr-2022 |
tb |
trailing whitespace
|
#
1.3 |
|
24-Apr-2022 |
job |
In filemode emit the hash which uniquely identifies a given Signed Object
RPKI Signed Objects are not malleable; this means the SHA256 digest of an input file containing a signed object is a very stable identifier to associate with the decoded (validated) output shown in filemode.
The SHA256 in hash_id is base64 encoded (just like hashes on manifest listings).
OK tb@
|
#
1.2 |
|
21-Apr-2022 |
claudio |
Further refactor and cleanup filemode.c mainly remove the copies of proc_parser_cert_validate() and proc_parser_root_cert() adjust parse_load_certchain() and parse_load_ta() respectivly. Also cleanup the functions in parser.c and make it possible to call ta_parse and cert_parse with a NULL cert. OK tb@
|
#
1.1 |
|
21-Apr-2022 |
claudio |
The filemode code is enough different from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows to remove the errx() after them.
OK tb@
|
#
1.39 |
|
19-Mar-2024 |
tb |
Rename parent to issuer in struct auth
Parent is confusing and issuer is the appropriate terminology. This is a mechanical diff. The only remaining uses of 'parent' in this code base now mean 'parent process'.
discussed with beck and job ok job
|
Revision tags: OPENBSD_7_5_BASE
|
#
1.38 |
|
22-Feb-2024 |
job |
Add support for RPKI Signed Prefix Lists
Signed Prefix List are a CMS protected content type for use with the RPKI to carry the complete list of prefixes which an Autonomous System may originate to all or any of its routing peers. The validation of a Signed Prefix List confirms that the holder of the listed ASN produced the object, and that this list is a current, accurate and complete description of address prefixes that may be announced into the routing system originated by this AS.
https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-prefixlist
with and OK claudio@ tb@
|
#
1.37 |
|
23-Jan-2024 |
job |
Warn about overclaiming intermediate CAs, but don't error
OK tb@
|
#
1.36 |
|
13-Oct-2023 |
job |
Allow imposing constraints on RPKI trust anchors
The ability to constrain a RPKI Trust Anchor's effective signing authority to a limited set of Internet Number Resources allows Relying Parties to enjoy the potential benefits of assuming trust, within a bounded scope.
Some examples: ARIN does not support inter-RIR IPv6 transfers, so it wouldn't make any sense to see a ROA subordinate to ARIN's trust anchor covering RIPE-managed IPv6 space. Conversely, it wouldn't make sense to observe a ROA covering ARIN-managed IPv6 space under APNIC's, LACNIC's, or RIPE's trust anchor - even if a derived trust arc (a cryptographically valid certificate path) existed. Along these same lines, AFRINIC doesn't support inter-RIR transfers of any kind, and none of the RIRs have authority over private resources like 10.0.0.0/8 and 2001:db8::/32.
For more background see: https://datatracker.ietf.org/doc/draft-snijders-constraining-rpki-trust-anchors/ https://mailman.nanog.org/pipermail/nanog/2023-September/223354.html
With and OK tb@, OK claudio@
|
Revision tags: OPENBSD_7_4_BASE
|
#
1.35 |
|
25-Sep-2023 |
tb |
Pass the talid to various parse functions
This will be needed by an upcoming feature where we will need to know what trust anchor a given cert chains to. This doesn't change anything except the size of the diff.
ok claudio job
|
#
1.34 |
|
29-Jun-2023 |
tb |
Retire log.c
Convert all cryptowarnx() and cryptoerrx() to appropriate versions of warn() and err{,x}(). Neither users nor developers benefit from them. If we need better errors, we need to do some thinking. libcrypto won't do that for us.
suggested by claudio ok job
|
#
1.33 |
|
30-May-2023 |
job |
Fixup file modification timestamps to optimize failover from RRDP to RSYNC
In the RSYNC protocol a file's last modification time and its size are used to determine whether sending a (partial) copy over the wire is needed. Previously, when RRDP data structures are serialized to disk, the mtime of files in DIR_VALID ended up being UTIME_NOW.
Thus, the mtimes of files obtained through RRDP will never match the mtimes of the same files available through RSYNC - causing each and every file to be added to the file transfer list.
Instead, use the internal timestamps of RPKI files as the last modified timestamp. Specifically, for Signed Objects (ROAs, MFTs, GBRs, TAKs, ASPAs) the CMS signing-time, for .cer files the X.509 notBefore, and for .crl files the CRL lastUpdate. This results in a surprising optimization for the number files which have to be transfered.
OK claudio@
|
#
1.32 |
|
30-May-2023 |
claudio |
Convert all of filemode to use the json API as well. Output is mostly the same apart from some space differences. OK tb@ job@
|
#
1.31 |
|
03-May-2023 |
tb |
Fix a use-after-free in filemode
In case the TAL of a self-signed is unavailable, cert would be freed but we'd still hold a reference to its expired time in expires, so invalidate that pointer as well.
Found by, initial fix and ok job
|
#
1.30 |
|
26-Apr-2023 |
claudio |
Improve accounting by tracking things by repo and tal. This fixes some wrong accounting for repositories that are referenced from more than one TAL. It changes the ometric lable output a little bit since there are repository metrics that no longer include the 'name' label. OK tb@
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.29 |
|
15-Mar-2023 |
job |
Show MFTs as part of the signature path
no objection tb@
|
#
1.28 |
|
13-Mar-2023 |
job |
Don't lookup the signature path's expiry for trust anchor certs
|
#
1.27 |
|
13-Mar-2023 |
job |
In filemode, also print details for .cer certificates
|
#
1.26 |
|
13-Mar-2023 |
job |
In filemode, display the moment the signature path will expire
Previously this was only shown for ROA+ASPA. Now also show for GBR, Geofeed, Certs, RSC, and TAK.
OK tb@
|
#
1.25 |
|
13-Mar-2023 |
job |
In filemode for ROAs/ASPAs display when the Signature path will expire
Also rename 'certification path' to 'signature path' for alignment
OK tb@
|
#
1.24 |
|
13-Mar-2023 |
job |
Merge calling print_certification_path() into adjacent else branch
OK tb@
|
#
1.23 |
|
13-Mar-2023 |
job |
Refactor whats printed when in filemode
OK tb@
|
#
1.22 |
|
12-Mar-2023 |
job |
Alphabetically sort various bits and pieces - mechanical change
Might make later refactors easier to follow
OK tb@
|
#
1.21 |
|
07-Mar-2023 |
job |
Improve decoded content printing in filemode
Looks reasonable claudio@
|
#
1.20 |
|
03-Mar-2023 |
job |
In filemode, print the certification path towards the Trust Anchor
with and OK tb@
|
#
1.19 |
|
06-Jan-2023 |
claudio |
Rework the main <-> parser/filemode communication protocol a bit.
Swap repo_id and filename to simplify the code in parser.c. In filemode both repo_id and filename are ignored. Additionally do not errx() in case of unknown file types. Instead send back enough info that the code can move on.
OK tb@
|
#
1.18 |
|
29-Nov-2022 |
claudio |
Return an error string instead of surpressing the warning in valid_x509. This way manifests can should a better error message when something fails. With and OK tb@
|
#
1.17 |
|
26-Nov-2022 |
job |
Add support for authenticating geofeed data CSV files in filemode
RFC 9092 describes a scheme in which an authenticator is appended to a geofeed (RFC 8805) file. It is a digest of the main body of the file signed by the private key of the relevant RPKI certificate for a covering address range. The authenticator is a detached CMS signature.
with and OK tb@
|
#
1.16 |
|
04-Nov-2022 |
job |
Format filemode output in a tabular fashion to improve readability
OK tb@ claudio@
|
#
1.15 |
|
02-Nov-2022 |
job |
Add support for draft-ietf-sidrops-signed-tal-12
Add support validation of Signed Objects containing Trust Anchor Keys (TAKs - aka 'Signed TALs'). Signed TALs provide a mechanism for RIRs to distribute and sign the next Trust Anchor with the current Trust Anchor. This might be an improvement over visiting RIR websites and copy+pasting TAL data by hand.
OK tb@
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.14 |
|
06-Sep-2022 |
job |
Properly free memory in filemode
OK tb@
|
#
1.13 |
|
30-Aug-2022 |
job |
Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)
ASPA objects are published in the RPKI and can be used to detect and mitigate BGP route leaks. Validated ASPA Payloads are visible through filemode (-f) and the JSON output format (-j).
With feedback from tb@
OK claudio@ tb@
|
#
1.12 |
|
25-Aug-2022 |
job |
Make PEM printing available through increased verbosity (-vvf)
Suggestion from claudio@
OK tb@
|
#
1.11 |
|
25-Aug-2022 |
job |
In verbose filemode print details about encapsulated certificates. Add command line flag to print the certificate in PEM format.
OK tb@
|
#
1.10 |
|
25-Aug-2022 |
job |
Fix newline in JSON filemode
OK tb@
|
#
1.9 |
|
25-Aug-2022 |
job |
Plug memory leak in filemode
OK tb@ claudio@
|
#
1.8 |
|
19-Aug-2022 |
tb |
Check the resources in ROAs and RSCs against EE certs
The resources delegated in the RFC 3779 extensions of the EE cert for ROAs or RSCs can be a subset of the resources in the auth chain. So far we compared that the resources of ROAs and RSCs are covered by the auth chain, which is not entirely correct. Extract the necessary data from the EE cert into rpki-client's own data structures, then verify that the EE cert's resources cover the ones claimed in the ROA or RSC.
Do this as part or ROA and RSC parsing, that the EE cert's resources are covered by the auth chain is checked in valid_x509() later on.
All this is a bit more annoying and intrusive than it should be...
ok claudio job
|
#
1.7 |
|
11-May-2022 |
job |
In filemode check whether ROA & RSC resources are properly contained
with and OK tb@ claudio@
|
#
1.6 |
|
09-May-2022 |
job |
Add preliminary support for decoding RSC objects in filemode
This implements decoding support for draft-ietf-sidrops-rpki-rsc-06
There are three major outstanding issues:
* The wire image might still change to conform to the more widely deployed 3779 API in libressl/openssl. IETF discussion ongoing. * Whether the resources listed in the ResourceBlock are contained within the EE's RFC 3779 extension is not hooked up yet. * There is a fair bit of duplicity between rsc.c and cert.c, look for XXX
OK tb@
|
#
1.5 |
|
24-Apr-2022 |
tb |
zap extra blank line
|
#
1.4 |
|
24-Apr-2022 |
tb |
trailing whitespace
|
#
1.3 |
|
24-Apr-2022 |
job |
In filemode emit the hash which uniquely identifies a given Signed Object
RPKI Signed Objects are not malleable; this means the SHA256 digest of an input file containing a signed object is a very stable identifier to associate with the decoded (validated) output shown in filemode.
The SHA256 in hash_id is base64 encoded (just like hashes on manifest listings).
OK tb@
|
#
1.2 |
|
21-Apr-2022 |
claudio |
Further refactor and cleanup filemode.c mainly remove the copies of proc_parser_cert_validate() and proc_parser_root_cert() adjust parse_load_certchain() and parse_load_ta() respectivly. Also cleanup the functions in parser.c and make it possible to call ta_parse and cert_parse with a NULL cert. OK tb@
|
#
1.1 |
|
21-Apr-2022 |
claudio |
The filemode code is enough different from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows to remove the errx() after them.
OK tb@
|
#
1.38 |
|
22-Feb-2024 |
job |
Add support for RPKI Signed Prefix Lists
Signed Prefix Lists are a CMS protected content type for use with the RPKI to carry the complete list of prefixes which an Autonomous System may originate to all or any of its routing peers. The validation of a Signed Prefix List confirms that the holder of the listed ASN produced the object, and that this list is a current, accurate and complete description of address prefixes that may be announced into the routing system originated by this AS.
https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-prefixlist
with and OK claudio@ tb@
|
#
1.37 |
|
23-Jan-2024 |
job |
Warn about overclaiming intermediate CAs, but don't error
OK tb@
|
#
1.36 |
|
13-Oct-2023 |
job |
Allow imposing constraints on RPKI trust anchors
The ability to constrain a RPKI Trust Anchor's effective signing authority to a limited set of Internet Number Resources allows Relying Parties to enjoy the potential benefits of assuming trust, within a bounded scope.
Some examples: ARIN does not support inter-RIR IPv6 transfers, so it wouldn't make any sense to see a ROA subordinate to ARIN's trust anchor covering RIPE-managed IPv6 space. Conversely, it wouldn't make sense to observe a ROA covering ARIN-managed IPv6 space under APNIC's, LACNIC's, or RIPE's trust anchor - even if a derived trust arc (a cryptographically valid certificate path) existed. Along these same lines, AFRINIC doesn't support inter-RIR transfers of any kind, and none of the RIRs have authority over private resources like 10.0.0.0/8 and 2001:db8::/32.
For more background see:
https://datatracker.ietf.org/doc/draft-snijders-constraining-rpki-trust-anchors/
https://mailman.nanog.org/pipermail/nanog/2023-September/223354.html
With and OK tb@, OK claudio@
|
Revision tags: OPENBSD_7_4_BASE
|
#
1.35 |
|
25-Sep-2023 |
tb |
Pass the talid to various parse functions
This will be needed by an upcoming feature where we will need to know what trust anchor a given cert chains to. This doesn't change anything except the size of the diff.
ok claudio job
|
#
1.34 |
|
29-Jun-2023 |
tb |
Retire log.c
Convert all cryptowarnx() and cryptoerrx() to appropriate versions of warn() and err{,x}(). Neither users nor developers benefit from them. If we need better errors, we need to do some thinking. libcrypto won't do that for us.
suggested by claudio ok job
|
#
1.33 |
|
30-May-2023 |
job |
Fixup file modification timestamps to optimize failover from RRDP to RSYNC
In the RSYNC protocol a file's last modification time and its size are used to determine whether sending a (partial) copy over the wire is needed. Previously, when RRDP data structures are serialized to disk, the mtime of files in DIR_VALID ended up being UTIME_NOW.
Thus, the mtimes of files obtained through RRDP will never match the mtimes of the same files available through RSYNC - causing each and every file to be added to the file transfer list.
Instead, use the internal timestamps of RPKI files as the last modified timestamp. Specifically, for Signed Objects (ROAs, MFTs, GBRs, TAKs, ASPAs) the CMS signing-time, for .cer files the X.509 notBefore, and for .crl files the CRL lastUpdate. This results in a surprising optimization for the number of files which have to be transferred.
OK claudio@
|
#
1.32 |
|
30-May-2023 |
claudio |
Convert all of filemode to use the json API as well. Output is mostly the same apart from some space differences. OK tb@ job@
|
#
1.31 |
|
03-May-2023 |
tb |
Fix a use-after-free in filemode
In case the TAL of a self-signed is unavailable, cert would be freed but we'd still hold a reference to its expired time in expires, so invalidate that pointer as well.
Found by, initial fix and ok job
|
#
1.30 |
|
26-Apr-2023 |
claudio |
Improve accounting by tracking things by repo and tal. This fixes some wrong accounting for repositories that are referenced from more than one TAL. It changes the ometric label output a little bit since there are repository metrics that no longer include the 'name' label. OK tb@
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.29 |
|
15-Mar-2023 |
job |
Show MFTs as part of the signature path
no objection tb@
|
#
1.28 |
|
13-Mar-2023 |
job |
Don't lookup the signature path's expiry for trust anchor certs
|
#
1.27 |
|
13-Mar-2023 |
job |
In filemode, also print details for .cer certificates
|
#
1.26 |
|
13-Mar-2023 |
job |
In filemode, display the moment the signature path will expire
Previously this was only shown for ROA+ASPA. Now also show for GBR, Geofeed, Certs, RSC, and TAK.
OK tb@
|
#
1.25 |
|
13-Mar-2023 |
job |
In filemode for ROAs/ASPAs display when the Signature path will expire
Also rename 'certification path' to 'signature path' for alignment
OK tb@
|
#
1.24 |
|
13-Mar-2023 |
job |
Merge calling print_certification_path() into adjacent else branch
OK tb@
|
#
1.23 |
|
13-Mar-2023 |
job |
Refactor what's printed when in filemode
OK tb@
|
#
1.22 |
|
12-Mar-2023 |
job |
Alphabetically sort various bits and pieces - mechanical change
Might make later refactors easier to follow
OK tb@
|
#
1.21 |
|
07-Mar-2023 |
job |
Improve decoded content printing in filemode
Looks reasonable claudio@
|
#
1.20 |
|
03-Mar-2023 |
job |
In filemode, print the certification path towards the Trust Anchor
with and OK tb@
|
#
1.19 |
|
06-Jan-2023 |
claudio |
Rework the main <-> parser/filemode communication protocol a bit.
Swap repo_id and filename to simplify the code in parser.c. In filemode both repo_id and filename are ignored. Additionally do not errx() in case of unknown file types. Instead send back enough info that the code can move on.
OK tb@
|
#
1.18 |
|
29-Nov-2022 |
claudio |
Return an error string instead of suppressing the warning in valid_x509. This way manifests can show a better error message when something fails. With and OK tb@
|
#
1.17 |
|
26-Nov-2022 |
job |
Add support for authenticating geofeed data CSV files in filemode
RFC 9092 describes a scheme in which an authenticator is appended to a geofeed (RFC 8805) file. It is a digest of the main body of the file signed by the private key of the relevant RPKI certificate for a covering address range. The authenticator is a detached CMS signature.
with and OK tb@
|
#
1.16 |
|
04-Nov-2022 |
job |
Format filemode output in a tabular fashion to improve readability
OK tb@ claudio@
|
#
1.15 |
|
02-Nov-2022 |
job |
Add support for draft-ietf-sidrops-signed-tal-12
Add support for validation of Signed Objects containing Trust Anchor Keys (TAKs - aka 'Signed TALs'). Signed TALs provide a mechanism for RIRs to distribute and sign the next Trust Anchor with the current Trust Anchor. This might be an improvement over visiting RIR websites and copy+pasting TAL data by hand.
OK tb@
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.14 |
|
06-Sep-2022 |
job |
Properly free memory in filemode
OK tb@
|
#
1.13 |
|
30-Aug-2022 |
job |
Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)
ASPA objects are published in the RPKI and can be used to detect and mitigate BGP route leaks. Validated ASPA Payloads are visible through filemode (-f) and the JSON output format (-j).
With feedback from tb@
OK claudio@ tb@
|
#
1.12 |
|
25-Aug-2022 |
job |
Make PEM printing available through increased verbosity (-vvf)
Suggestion from claudio@
OK tb@
|
#
1.11 |
|
25-Aug-2022 |
job |
In verbose filemode print details about encapsulated certificates. Add command line flag to print the certificate in PEM format.
OK tb@
|
#
1.10 |
|
25-Aug-2022 |
job |
Fix newline in JSON filemode
OK tb@
|
#
1.9 |
|
25-Aug-2022 |
job |
Plug memory leak in filemode
OK tb@ claudio@
|
#
1.8 |
|
19-Aug-2022 |
tb |
Check the resources in ROAs and RSCs against EE certs
The resources delegated in the RFC 3779 extensions of the EE cert for ROAs or RSCs can be a subset of the resources in the auth chain. So far we compared that the resources of ROAs and RSCs are covered by the auth chain, which is not entirely correct. Extract the necessary data from the EE cert into rpki-client's own data structures, then verify that the EE cert's resources cover the ones claimed in the ROA or RSC.
Do this as part of ROA and RSC parsing; that the EE cert's resources are covered by the auth chain is checked in valid_x509() later on.
All this is a bit more annoying and intrusive than it should be...
ok claudio job
|
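The 1.8 entry above describes a two-step containment check (the ROA's or RSC's prefixes must lie within the EE certificate's RFC 3779 resources, and the EE resources must lie within what the authentication chain delegates), and the 1.36 entry describes constraining a trust anchor's authority to an allowed set of resources. The following is an added example, written for this log and not code from rpki-client, that models both checks in Python over constructed documentation prefixes; the function names, the allow/deny representation of a TA constraint and all sample prefixes are assumptions made for the example.

```python
"""Prefix containment checks for RPKI objects.

Added example, not rpki-client code. It models the two-step check from the
1.8 log entry (ROA/RSC prefixes must be covered by the EE certificate's
RFC 3779 resources, and the EE resources in turn by the authentication
chain) and the trust-anchor constraint idea from the 1.36 entry (a TA's
authority limited to an allowed set of resources, with blocks no RIR
controls denied outright). Function names and sample prefixes are
constructed for this example.
"""
import ipaddress


def parse_prefixes(prefixes):
    """Parse 'prefix/len' strings. strict=True rejects prefixes with host
    bits set (e.g. '10.0.0.1/8'), which would otherwise silently widen a
    claim to the enclosing network."""
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def uncovered(needed, covering):
    """Return the prefixes in `needed` that are not inside any prefix in
    `covering`. subnet_of() raises TypeError when IPv4 and IPv6 are mixed,
    so address families are compared only with each other."""
    return [n for n in needed
            if not any(n.version == c.version and n.subnet_of(c)
                       for c in covering)]


def validate_roa(roa_prefixes, ee_resources, chain_resources):
    """Two-step containment check. Returns (ok, reason).

    Step 1 mirrors what the 1.8 entry adds to ROA/RSC parsing: the object's
    prefixes must be within the EE certificate's own resources. Step 2 is
    the chain check done later in valid_x509(): the EE resources must be
    within what the issuing chain delegates. Checking only the chain against
    the object's prefixes (the pre-1.8 behaviour) accepts objects that the
    EE certificate was never entitled to sign."""
    roa = parse_prefixes(roa_prefixes)
    ee = parse_prefixes(ee_resources)
    chain = parse_prefixes(chain_resources)

    bad = uncovered(roa, ee)
    if bad:
        return False, ("ROA prefixes not covered by EE certificate: "
                       + ", ".join(map(str, bad)))
    bad = uncovered(ee, chain)
    if bad:
        return False, ("EE certificate resources not covered by auth chain: "
                       + ", ".join(map(str, bad)))
    return True, "ok"


def ta_overclaims(cert_resources, ta_allowed, ta_denied=()):
    """Prefixes of a certificate below a constrained trust anchor that fall
    outside the TA's allowed resources or overlap a denied block (e.g.
    private space such as 10.0.0.0/8 that no RIR has authority over).
    Returns strings in the certificate's order, each at most once."""
    certs = parse_prefixes(cert_resources)
    allowed = parse_prefixes(ta_allowed)
    denied = parse_prefixes(ta_denied)
    out = uncovered(certs, allowed)
    for n in certs:
        if n not in out and any(n.version == d.version and n.overlaps(d)
                                for d in denied):
            out.append(n)
    return [str(n) for n in out]


# Constructed sample data (documentation prefixes, not real RPKI resources).
CHAIN = ["198.51.100.0/24", "203.0.113.0/24"]  # what the CA chain delegates
EE = ["198.51.100.0/25"]                        # what the EE cert holds

if __name__ == "__main__":
    print(validate_roa(["198.51.100.0/26"], EE, CHAIN))
    # Covered by the chain but not by the EE cert: rejected only since 1.8.
    print(validate_roa(["203.0.113.0/24"], EE, CHAIN))
    print(ta_overclaims(["198.51.100.0/24", "10.1.0.0/16"],
                        ta_allowed=CHAIN,
                        ta_denied=["10.0.0.0/8", "2001:db8::/32"]))
```

The second `validate_roa` call is the case the 1.8 entry fixes: 203.0.113.0/24 is delegated by the chain, so a chain-only comparison passes, but the EE certificate only holds 198.51.100.0/25 and the object is rejected. `ta_overclaims` reports both resources outside the TA's allowed set and resources overlapping a denied block, which covers the 10.0.0.0/8 and 2001:db8::/32 cases named in the 1.36 entry.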
#
1.7 |
|
11-May-2022 |
job |
In filemode check whether ROA & RSC resources are properly contained
with and OK tb@ claudio@
|
#
1.6 |
|
09-May-2022 |
job |
Add preliminary support for decoding RSC objects in filemode
This implements decoding support for draft-ietf-sidrops-rpki-rsc-06
There are three major outstanding issues:
* The wire image might still change to conform to the more widely deployed 3779 API in libressl/openssl. IETF discussion ongoing. * Whether the resources listed in the ResourceBlock are contained within the EE's RFC 3779 extension is not hooked up yet. * There is a fair bit of duplicity between rsc.c and cert.c, look for XXX
OK tb@
|
#
1.5 |
|
24-Apr-2022 |
tb |
zap extra blank line
|
#
1.4 |
|
24-Apr-2022 |
tb |
trailing whitespace
|
#
1.3 |
|
24-Apr-2022 |
job |
In filemode emit the hash which uniquely identifies a given Signed Object
RPKI Signed Objects are not malleable; this means the SHA256 digest of an input file containing a signed object is a very stable identifier to associate with the decoded (validated) output shown in filemode.
The SHA256 in hash_id is base64 encoded (just like hashes on manifest listings).
OK tb@
|
#
1.2 |
|
21-Apr-2022 |
claudio |
Further refactor and cleanup filemode.c mainly remove the copies of proc_parser_cert_validate() and proc_parser_root_cert() adjust parse_load_certchain() and parse_load_ta() respectivly. Also cleanup the functions in parser.c and make it possible to call ta_parse and cert_parse with a NULL cert. OK tb@
|
#
1.1 |
|
21-Apr-2022 |
claudio |
The filemode code is enough different from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows to remove the errx() after them.
OK tb@
|
#
1.37 |
|
23-Jan-2024 |
job |
Warn about overclaiming intermediate CAs, but don't error
OK tb@
|
#
1.36 |
|
13-Oct-2023 |
job |
Allow imposing constraints on RPKI trust anchors
The ability to constrain a RPKI Trust Anchor's effective signing authority to a limited set of Internet Number Resources allows Relying Parties to enjoy the potential benefits of assuming trust, within a bounded scope.
Some examples: ARIN does not support inter-RIR IPv6 transfers, so it wouldn't make any sense to see a ROA subordinate to ARIN's trust anchor covering RIPE-managed IPv6 space. Conversely, it wouldn't make sense to observe a ROA covering ARIN-managed IPv6 space under APNIC's, LACNIC's, or RIPE's trust anchor - even if a derived trust arc (a cryptographically valid certificate path) existed. Along these same lines, AFRINIC doesn't support inter-RIR transfers of any kind, and none of the RIRs have authority over private resources like 10.0.0.0/8 and 2001:db8::/32.
For more background see: https://datatracker.ietf.org/doc/draft-snijders-constraining-rpki-trust-anchors/ https://mailman.nanog.org/pipermail/nanog/2023-September/223354.html
With and OK tb@, OK claudio@
|
Revision tags: OPENBSD_7_4_BASE
|
#
1.35 |
|
25-Sep-2023 |
tb |
Pass the talid to various parse functions
This will be needed by an upcoming feature where we will need to know what trust anchor a given cert chains to. This doesn't change anything except the size of the diff.
ok claudio job
|
#
1.34 |
|
29-Jun-2023 |
tb |
Retire log.c
Convert all cryptowarnx() and cryptoerrx() to appropriate versions of warn() and err{,x}(). Neither users nor developers benefit from them. If we need better errors, we need to do some thinking. libcrypto won't do that for us.
suggested by claudio ok job
|
#
1.33 |
|
30-May-2023 |
job |
Fixup file modification timestamps to optimize failover from RRDP to RSYNC
In the RSYNC protocol a file's last modification time and its size are used to determine whether sending a (partial) copy over the wire is needed. Previously, when RRDP data structures are serialized to disk, the mtime of files in DIR_VALID ended up being UTIME_NOW.
Thus, the mtimes of files obtained through RRDP will never match the mtimes of the same files available through RSYNC - causing each and every file to be added to the file transfer list.
Instead, use the internal timestamps of RPKI files as the last modified timestamp. Specifically, for Signed Objects (ROAs, MFTs, GBRs, TAKs, ASPAs) the CMS signing-time, for .cer files the X.509 notBefore, and for .crl files the CRL lastUpdate. This results in a surprising optimization for the number files which have to be transfered.
OK claudio@
|
#
1.32 |
|
30-May-2023 |
claudio |
Convert all of filemode to use the json API as well. Output is mostly the same apart from some space differences. OK tb@ job@
|
#
1.31 |
|
03-May-2023 |
tb |
Fix a use-after-free in filemode
In case the TAL of a self-signed is unavailable, cert would be freed but we'd still hold a reference to its expired time in expires, so invalidate that pointer as well.
Found by, initial fix and ok job
|
#
1.30 |
|
26-Apr-2023 |
claudio |
Improve accounting by tracking things by repo and tal. This fixes some wrong accounting for repositories that are referenced from more than one TAL. It changes the ometric lable output a little bit since there are repository metrics that no longer include the 'name' label. OK tb@
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.29 |
|
15-Mar-2023 |
job |
Show MFTs as part of the signature path
no objection tb@
|
#
1.28 |
|
13-Mar-2023 |
job |
Don't lookup the signature path's expiry for trust anchor certs
|
#
1.27 |
|
13-Mar-2023 |
job |
In filemode, also print details for .cer certificates
|
#
1.26 |
|
13-Mar-2023 |
job |
In filemode, display the moment the signature path will expire
Previously this was only shown for ROA+ASPA. Now also show for GBR, Geofeed, Certs, RSC, and TAK.
OK tb@
|
#
1.25 |
|
13-Mar-2023 |
job |
In filemode for ROAs/ASPAs display when the Signature path will expire
Also rename 'certification path' to 'signature path' for alignment
OK tb@
|
#
1.24 |
|
13-Mar-2023 |
job |
Merge calling print_certification_path() into adjacent else branch
OK tb@
|
#
1.23 |
|
13-Mar-2023 |
job |
Refactor whats printed when in filemode
OK tb@
|
#
1.22 |
|
12-Mar-2023 |
job |
Alphabetically sort various bits and pieces - mechanical change
Might make later refactors easier to follow
OK tb@
|
#
1.21 |
|
07-Mar-2023 |
job |
Improve decoded content printing in filemode
Looks reasonable claudio@
|
#
1.20 |
|
03-Mar-2023 |
job |
In filemode, print the certification path towards the Trust Anchor
with and OK tb@
|
#
1.19 |
|
06-Jan-2023 |
claudio |
Rework the main <-> parser/filemode communication protocol a bit.
Swap repo_id and filename to simplify the code in parser.c. In filemode both repo_id and filename are ignored. Additionally do not errx() in case of unknown file types. Instead send back enough info that the code can move on.
OK tb@
|
#
1.18 |
|
29-Nov-2022 |
claudio |
Return an error string instead of surpressing the warning in valid_x509. This way manifests can should a better error message when something fails. With and OK tb@
|
#
1.17 |
|
26-Nov-2022 |
job |
Add support for authenticating geofeed data CSV files in filemode
RFC 9092 describes a scheme in which an authenticator is appended to a geofeed (RFC 8805) file. It is a digest of the main body of the file signed by the private key of the relevant RPKI certificate for a covering address range. The authenticator is a detached CMS signature.
with and OK tb@
|
#
1.16 |
|
04-Nov-2022 |
job |
Format filemode output in a tabular fashion to improve readability
OK tb@ claudio@
|
#
1.15 |
|
02-Nov-2022 |
job |
Add support for draft-ietf-sidrops-signed-tal-12
Add support validation of Signed Objects containing Trust Anchor Keys (TAKs - aka 'Signed TALs'). Signed TALs provide a mechanism for RIRs to distribute and sign the next Trust Anchor with the current Trust Anchor. This might be an improvement over visiting RIR websites and copy+pasting TAL data by hand.
OK tb@
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.14 |
|
06-Sep-2022 |
job |
Properly free memory in filemode
OK tb@
|
#
1.13 |
|
30-Aug-2022 |
job |
Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)
ASPA objects are published in the RPKI and can be used to detect and mitigate BGP route leaks. Validated ASPA Payloads are visible through filemode (-f) and the JSON output format (-j).
With feedback from tb@
OK claudio@ tb@
|
#
1.12 |
|
25-Aug-2022 |
job |
Make PEM printing available through increased verbosity (-vvf)
Suggestion from claudio@
OK tb@
|
#
1.11 |
|
25-Aug-2022 |
job |
In verbose filemode print details about encapsulated certificates. Add command line flag to print the certificate in PEM format.
OK tb@
|
#
1.10 |
|
25-Aug-2022 |
job |
Fix newline in JSON filemode
OK tb@
|
#
1.9 |
|
25-Aug-2022 |
job |
Plug memory leak in filemode
OK tb@ claudio@
|
#
1.8 |
|
19-Aug-2022 |
tb |
Check the resources in ROAs and RSCs against EE certs
The resources delegated in the RFC 3779 extensions of the EE cert for ROAs or RSCs can be a subset of the resources in the auth chain. So far we compared that the resources of ROAs and RSCs are covered by the auth chain, which is not entirely correct. Extract the necessary data from the EE cert into rpki-client's own data structures, then verify that the EE cert's resources cover the ones claimed in the ROA or RSC.
Do this as part or ROA and RSC parsing, that the EE cert's resources are covered by the auth chain is checked in valid_x509() later on.
All this is a bit more annoying and intrusive than it should be...
ok claudio job
|
#
1.7 |
|
11-May-2022 |
job |
In filemode check whether ROA & RSC resources are properly contained
with and OK tb@ claudio@
|
#
1.6 |
|
09-May-2022 |
job |
Add preliminary support for decoding RSC objects in filemode
This implements decoding support for draft-ietf-sidrops-rpki-rsc-06
There are three major outstanding issues:
* The wire image might still change to conform to the more widely deployed 3779 API in libressl/openssl. IETF discussion ongoing. * Whether the resources listed in the ResourceBlock are contained within the EE's RFC 3779 extension is not hooked up yet. * There is a fair bit of duplicity between rsc.c and cert.c, look for XXX
OK tb@
|
#
1.5 |
|
24-Apr-2022 |
tb |
zap extra blank line
|
#
1.4 |
|
24-Apr-2022 |
tb |
trailing whitespace
|
#
1.3 |
|
24-Apr-2022 |
job |
In filemode emit the hash which uniquely identifies a given Signed Object
RPKI Signed Objects are not malleable; this means the SHA256 digest of an input file containing a signed object is a very stable identifier to associate with the decoded (validated) output shown in filemode.
The SHA256 in hash_id is base64 encoded (just like hashes on manifest listings).
OK tb@
|
#
1.2 |
|
21-Apr-2022 |
claudio |
Further refactor and cleanup filemode.c mainly remove the copies of proc_parser_cert_validate() and proc_parser_root_cert() adjust parse_load_certchain() and parse_load_ta() respectivly. Also cleanup the functions in parser.c and make it possible to call ta_parse and cert_parse with a NULL cert. OK tb@
|
#
1.1 |
|
21-Apr-2022 |
claudio |
The filemode code is enough different from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows to remove the errx() after them.
OK tb@
|
#
1.36 |
|
13-Oct-2023 |
job |
Allow imposing constraints on RPKI trust anchors
The ability to constrain a RPKI Trust Anchor's effective signing authority to a limited set of Internet Number Resources allows Relying Parties to enjoy the potential benefits of assuming trust, within a bounded scope.
Some examples: ARIN does not support inter-RIR IPv6 transfers, so it wouldn't make any sense to see a ROA subordinate to ARIN's trust anchor covering RIPE-managed IPv6 space. Conversely, it wouldn't make sense to observe a ROA covering ARIN-managed IPv6 space under APNIC's, LACNIC's, or RIPE's trust anchor - even if a derived trust arc (a cryptographically valid certificate path) existed. Along these same lines, AFRINIC doesn't support inter-RIR transfers of any kind, and none of the RIRs have authority over private resources like 10.0.0.0/8 and 2001:db8::/32.
For more background see: https://datatracker.ietf.org/doc/draft-snijders-constraining-rpki-trust-anchors/ https://mailman.nanog.org/pipermail/nanog/2023-September/223354.html
With and OK tb@, OK claudio@
|
Revision tags: OPENBSD_7_4_BASE
|
#
1.35 |
|
25-Sep-2023 |
tb |
Pass the talid to various parse functions
This will be needed by an upcoming feature where we will need to know what trust anchor a given cert chains to. This doesn't change anything except the size of the diff.
ok claudio job
|
#
1.34 |
|
29-Jun-2023 |
tb |
Retire log.c
Convert all cryptowarnx() and cryptoerrx() to appropriate versions of warn() and err{,x}(). Neither users nor developers benefit from them. If we need better errors, we need to do some thinking. libcrypto won't do that for us.
suggested by claudio ok job
|
#
1.33 |
|
30-May-2023 |
job |
Fixup file modification timestamps to optimize failover from RRDP to RSYNC
In the RSYNC protocol a file's last modification time and its size are used to determine whether sending a (partial) copy over the wire is needed. Previously, when RRDP data structures are serialized to disk, the mtime of files in DIR_VALID ended up being UTIME_NOW.
Thus, the mtimes of files obtained through RRDP will never match the mtimes of the same files available through RSYNC - causing each and every file to be added to the file transfer list.
Instead, use the internal timestamps of RPKI files as the last modified timestamp. Specifically, for Signed Objects (ROAs, MFTs, GBRs, TAKs, ASPAs) the CMS signing-time, for .cer files the X.509 notBefore, and for .crl files the CRL lastUpdate. This results in a surprising optimization for the number files which have to be transfered.
OK claudio@
|
#
1.32 |
|
30-May-2023 |
claudio |
Convert all of filemode to use the json API as well. Output is mostly the same apart from some space differences. OK tb@ job@
|
#
1.31 |
|
03-May-2023 |
tb |
Fix a use-after-free in filemode
In case the TAL of a self-signed is unavailable, cert would be freed but we'd still hold a reference to its expired time in expires, so invalidate that pointer as well.
Found by, initial fix and ok job
|
#
1.30 |
|
26-Apr-2023 |
claudio |
Improve accounting by tracking things by repo and tal. This fixes some wrong accounting for repositories that are referenced from more than one TAL. It changes the ometric lable output a little bit since there are repository metrics that no longer include the 'name' label. OK tb@
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.29 |
|
15-Mar-2023 |
job |
Show MFTs as part of the signature path
no objection tb@
|
#
1.28 |
|
13-Mar-2023 |
job |
Don't lookup the signature path's expiry for trust anchor certs
|
#
1.27 |
|
13-Mar-2023 |
job |
In filemode, also print details for .cer certificates
|
#
1.26 |
|
13-Mar-2023 |
job |
In filemode, display the moment the signature path will expire
Previously this was only shown for ROA+ASPA. Now also show for GBR, Geofeed, Certs, RSC, and TAK.
OK tb@
|
#
1.25 |
|
13-Mar-2023 |
job |
In filemode for ROAs/ASPAs display when the Signature path will expire
Also rename 'certification path' to 'signature path' for alignment
OK tb@
|
#
1.24 |
|
13-Mar-2023 |
job |
Merge calling print_certification_path() into adjacent else branch
OK tb@
|
#
1.23 |
|
13-Mar-2023 |
job |
Refactor whats printed when in filemode
OK tb@
|
#
1.22 |
|
12-Mar-2023 |
job |
Alphabetically sort various bits and pieces - mechanical change
Might make later refactors easier to follow
OK tb@
|
#
1.21 |
|
07-Mar-2023 |
job |
Improve decoded content printing in filemode
Looks reasonable claudio@
|
#
1.20 |
|
03-Mar-2023 |
job |
In filemode, print the certification path towards the Trust Anchor
with and OK tb@
|
#
1.19 |
|
06-Jan-2023 |
claudio |
Rework the main <-> parser/filemode communication protocol a bit.
Swap repo_id and filename to simplify the code in parser.c. In filemode both repo_id and filename are ignored. Additionally do not errx() in case of unknown file types. Instead send back enough info that the code can move on.
OK tb@
|
#
1.18 |
|
29-Nov-2022 |
claudio |
Return an error string instead of surpressing the warning in valid_x509. This way manifests can should a better error message when something fails. With and OK tb@
|
#
1.17 |
|
26-Nov-2022 |
job |
Add support for authenticating geofeed data CSV files in filemode
RFC 9092 describes a scheme in which an authenticator is appended to a geofeed (RFC 8805) file. It is a digest of the main body of the file signed by the private key of the relevant RPKI certificate for a covering address range. The authenticator is a detached CMS signature.
with and OK tb@
|
#
1.16 |
|
04-Nov-2022 |
job |
Format filemode output in a tabular fashion to improve readability
OK tb@ claudio@
|
#
1.15 |
|
02-Nov-2022 |
job |
Add support for draft-ietf-sidrops-signed-tal-12
Add support validation of Signed Objects containing Trust Anchor Keys (TAKs - aka 'Signed TALs'). Signed TALs provide a mechanism for RIRs to distribute and sign the next Trust Anchor with the current Trust Anchor. This might be an improvement over visiting RIR websites and copy+pasting TAL data by hand.
OK tb@
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.14 |
|
06-Sep-2022 |
job |
Properly free memory in filemode
OK tb@
|
#
1.13 |
|
30-Aug-2022 |
job |
Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)
ASPA objects are published in the RPKI and can be used to detect and mitigate BGP route leaks. Validated ASPA Payloads are visible through filemode (-f) and the JSON output format (-j).
With feedback from tb@
OK claudio@ tb@
|
#
1.12 |
|
25-Aug-2022 |
job |
Make PEM printing available through increased verbosity (-vvf)
Suggestion from claudio@
OK tb@
|
#
1.11 |
|
25-Aug-2022 |
job |
In verbose filemode print details about encapsulated certificates. Add command line flag to print the certificate in PEM format.
OK tb@
|
#
1.10 |
|
25-Aug-2022 |
job |
Fix newline in JSON filemode
OK tb@
|
#
1.9 |
|
25-Aug-2022 |
job |
Plug memory leak in filemode
OK tb@ claudio@
|
#
1.8 |
|
19-Aug-2022 |
tb |
Check the resources in ROAs and RSCs against EE certs
The resources delegated in the RFC 3779 extensions of the EE cert for ROAs or RSCs can be a subset of the resources in the auth chain. So far we compared that the resources of ROAs and RSCs are covered by the auth chain, which is not entirely correct. Extract the necessary data from the EE cert into rpki-client's own data structures, then verify that the EE cert's resources cover the ones claimed in the ROA or RSC.
Do this as part or ROA and RSC parsing, that the EE cert's resources are covered by the auth chain is checked in valid_x509() later on.
All this is a bit more annoying and intrusive than it should be...
ok claudio job
|
#
1.7 |
|
11-May-2022 |
job |
In filemode check whether ROA & RSC resources are properly contained
with and OK tb@ claudio@
|
#
1.6 |
|
09-May-2022 |
job |
Add preliminary support for decoding RSC objects in filemode
This implements decoding support for draft-ietf-sidrops-rpki-rsc-06
There are three major outstanding issues:
* The wire image might still change to conform to the more widely deployed 3779 API in libressl/openssl. IETF discussion ongoing. * Whether the resources listed in the ResourceBlock are contained within the EE's RFC 3779 extension is not hooked up yet. * There is a fair bit of duplicity between rsc.c and cert.c, look for XXX
OK tb@
|
#
1.5 |
|
24-Apr-2022 |
tb |
zap extra blank line
|
#
1.4 |
|
24-Apr-2022 |
tb |
trailing whitespace
|
#
1.3 |
|
24-Apr-2022 |
job |
In filemode emit the hash which uniquely identifies a given Signed Object
RPKI Signed Objects are not malleable; this means the SHA256 digest of an input file containing a signed object is a very stable identifier to associate with the decoded (validated) output shown in filemode.
The SHA256 in hash_id is base64 encoded (just like hashes on manifest listings).
OK tb@
|
#
1.2 |
|
21-Apr-2022 |
claudio |
Further refactor and cleanup filemode.c mainly remove the copies of proc_parser_cert_validate() and proc_parser_root_cert() adjust parse_load_certchain() and parse_load_ta() respectivly. Also cleanup the functions in parser.c and make it possible to call ta_parse and cert_parse with a NULL cert. OK tb@
|
#
1.1 |
|
21-Apr-2022 |
claudio |
The filemode code is enough different from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows to remove the errx() after them.
OK tb@
|
#
1.35 |
|
25-Sep-2023 |
tb |
Pass the talid to various parse functions
This will be needed by an upcoming feature where we will need to know what trust anchor a given cert chains to. This doesn't change anything except the size of the diff.
ok claudio job
|
#
1.34 |
|
29-Jun-2023 |
tb |
Retire log.c
Convert all cryptowarnx() and cryptoerrx() to appropriate versions of warn() and err{,x}(). Neither users nor developers benefit from them. If we need better errors, we need to do some thinking. libcrypto won't do that for us.
suggested by claudio ok job
|
#
1.33 |
|
30-May-2023 |
job |
Fixup file modification timestamps to optimize failover from RRDP to RSYNC
In the RSYNC protocol a file's last modification time and its size are used to determine whether sending a (partial) copy over the wire is needed. Previously, when RRDP data structures are serialized to disk, the mtime of files in DIR_VALID ended up being UTIME_NOW.
Thus, the mtimes of files obtained through RRDP will never match the mtimes of the same files available through RSYNC - causing each and every file to be added to the file transfer list.
Instead, use the internal timestamps of RPKI files as the last modified timestamp. Specifically, for Signed Objects (ROAs, MFTs, GBRs, TAKs, ASPAs) the CMS signing-time, for .cer files the X.509 notBefore, and for .crl files the CRL lastUpdate. This results in a surprising optimization for the number files which have to be transfered.
OK claudio@
|
#
1.32 |
|
30-May-2023 |
claudio |
Convert all of filemode to use the json API as well. Output is mostly the same apart from some space differences. OK tb@ job@
|
#
1.31 |
|
03-May-2023 |
tb |
Fix a use-after-free in filemode
In case the TAL of a self-signed is unavailable, cert would be freed but we'd still hold a reference to its expired time in expires, so invalidate that pointer as well.
Found by, initial fix and ok job
|
#
1.30 |
|
26-Apr-2023 |
claudio |
Improve accounting by tracking things by repo and tal. This fixes some wrong accounting for repositories that are referenced from more than one TAL. It changes the ometric lable output a little bit since there are repository metrics that no longer include the 'name' label. OK tb@
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.29 |
|
15-Mar-2023 |
job |
Show MFTs as part of the signature path
no objection tb@
|
#
1.28 |
|
13-Mar-2023 |
job |
Don't lookup the signature path's expiry for trust anchor certs
|
#
1.27 |
|
13-Mar-2023 |
job |
In filemode, also print details for .cer certificates
|
#
1.26 |
|
13-Mar-2023 |
job |
In filemode, display the moment the signature path will expire
Previously this was only shown for ROA+ASPA. Now also show for GBR, Geofeed, Certs, RSC, and TAK.
OK tb@
|
#
1.25 |
|
13-Mar-2023 |
job |
In filemode for ROAs/ASPAs display when the Signature path will expire
Also rename 'certification path' to 'signature path' for alignment
OK tb@
|
#
1.24 |
|
13-Mar-2023 |
job |
Merge calling print_certification_path() into adjacent else branch
OK tb@
|
#
1.23 |
|
13-Mar-2023 |
job |
Refactor what's printed when in filemode
OK tb@
|
#
1.22 |
|
12-Mar-2023 |
job |
Alphabetically sort various bits and pieces - mechanical change
Might make later refactors easier to follow
OK tb@
|
#
1.21 |
|
07-Mar-2023 |
job |
Improve decoded content printing in filemode
Looks reasonable claudio@
|
#
1.20 |
|
03-Mar-2023 |
job |
In filemode, print the certification path towards the Trust Anchor
with and OK tb@
|
#
1.19 |
|
06-Jan-2023 |
claudio |
Rework the main <-> parser/filemode communication protocol a bit.
Swap repo_id and filename to simplify the code in parser.c. In filemode both repo_id and filename are ignored. Additionally do not errx() in case of unknown file types. Instead send back enough info that the code can move on.
OK tb@
|
#
1.18 |
|
29-Nov-2022 |
claudio |
Return an error string instead of suppressing the warning in valid_x509. This way manifests can show a better error message when something fails. With and OK tb@
|
#
1.17 |
|
26-Nov-2022 |
job |
Add support for authenticating geofeed data CSV files in filemode
RFC 9092 describes a scheme in which an authenticator is appended to a geofeed (RFC 8805) file. It is a digest of the main body of the file signed by the private key of the relevant RPKI certificate for a covering address range. The authenticator is a detached CMS signature.
with and OK tb@
|
#
1.16 |
|
04-Nov-2022 |
job |
Format filemode output in a tabular fashion to improve readability
OK tb@ claudio@
|
#
1.15 |
|
02-Nov-2022 |
job |
Add support for draft-ietf-sidrops-signed-tal-12
Add support for validation of Signed Objects containing Trust Anchor Keys (TAKs - aka 'Signed TALs'). Signed TALs provide a mechanism for RIRs to distribute and sign the next Trust Anchor with the current Trust Anchor. This might be an improvement over visiting RIR websites and copy+pasting TAL data by hand.
OK tb@
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.14 |
|
06-Sep-2022 |
job |
Properly free memory in filemode
OK tb@
|
#
1.13 |
|
30-Aug-2022 |
job |
Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)
ASPA objects are published in the RPKI and can be used to detect and mitigate BGP route leaks. Validated ASPA Payloads are visible through filemode (-f) and the JSON output format (-j).
With feedback from tb@
OK claudio@ tb@
|
#
1.12 |
|
25-Aug-2022 |
job |
Make PEM printing available through increased verbosity (-vvf)
Suggestion from claudio@
OK tb@
|
#
1.11 |
|
25-Aug-2022 |
job |
In verbose filemode print details about encapsulated certificates. Add command line flag to print the certificate in PEM format.
OK tb@
|
#
1.10 |
|
25-Aug-2022 |
job |
Fix newline in JSON filemode
OK tb@
|
#
1.9 |
|
25-Aug-2022 |
job |
Plug memory leak in filemode
OK tb@ claudio@
|
#
1.8 |
|
19-Aug-2022 |
tb |
Check the resources in ROAs and RSCs against EE certs
The resources delegated in the RFC 3779 extensions of the EE cert for ROAs or RSCs can be a subset of the resources in the auth chain. So far we compared that the resources of ROAs and RSCs are covered by the auth chain, which is not entirely correct. Extract the necessary data from the EE cert into rpki-client's own data structures, then verify that the EE cert's resources cover the ones claimed in the ROA or RSC.
Do this as part of ROA and RSC parsing; that the EE cert's resources are covered by the auth chain is checked in valid_x509() later on.
All this is a bit more annoying and intrusive than it should be...
ok claudio job
|
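The 1.8 entry describes a two-step containment check: the resources a ROA or RSC claims must lie within the EE certificate's RFC 3779 resources, and those in turn within the authentication chain's. The following is an added example (not rpki-client's code) of that check on an IPv4-only model; `struct prefix`, `prefix_covers()`, `resources_covered()`, `roa_resources_valid()` and the TEST-NET-1 sample prefixes are constructed for this illustration. It also shows why the chain-only comparison the entry calls "not entirely correct" accepts an over-claim that the EE-aware check rejects.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed IPv4-only stand-in for one RFC 3779 IPAddressOrRange entry. */
struct prefix {
	uint32_t addr;	/* host byte order */
	unsigned len;	/* 0..32 */
};

/* Network mask for a prefix length; len 0 handled separately to avoid a 32-bit shift. */
static uint32_t
prefix_mask(unsigned len)
{
	return len == 0 ? 0 : (uint32_t)(0xffffffffu << (32 - len));
}

static struct prefix
mkprefix(unsigned a, unsigned b, unsigned c, unsigned d, unsigned len)
{
	struct prefix p = { ((uint32_t)a << 24) | (b << 16) | (c << 8) | d, len };
	return p;
}

/* cover contains p when cover is no longer than p and the network bits agree. */
int
prefix_covers(const struct prefix *cover, const struct prefix *p)
{
	if (cover->len > p->len)
		return 0;
	return (cover->addr & prefix_mask(cover->len)) ==
	    (p->addr & prefix_mask(cover->len));
}

/* Every claimed prefix must be inside at least one delegated prefix. */
int
resources_covered(const struct prefix *claimed, size_t nclaimed,
    const struct prefix *delegated, size_t ndelegated)
{
	for (size_t i = 0; i < nclaimed; i++) {
		int ok = 0;
		for (size_t j = 0; j < ndelegated && !ok; j++)
			ok = prefix_covers(&delegated[j], &claimed[i]);
		if (!ok)
			return 0;
	}
	return 1;
}

/* The two-step rule from the entry: ROA within EE, then EE within chain. */
int
roa_resources_valid(const struct prefix *roa, size_t nroa,
    const struct prefix *ee, size_t nee,
    const struct prefix *chain, size_t nchain)
{
	return resources_covered(roa, nroa, ee, nee) &&
	    resources_covered(ee, nee, chain, nchain);
}

/*
 * Constructed sample: the chain holds 192.0.2.0/24, the EE cert was only
 * issued the lower half (192.0.2.0/25).  A ROA for 192.0.2.0/26 is fine;
 * a ROA for 192.0.2.128/25 sits inside the chain but outside the EE and
 * must be rejected.  Returns 1 when the check behaves that way.
 */
int
demo_ee_narrower_than_chain(void)
{
	struct prefix chain[] = { mkprefix(192, 0, 2, 0, 24) };
	struct prefix ee[] = { mkprefix(192, 0, 2, 0, 25) };
	struct prefix roa_ok[] = { mkprefix(192, 0, 2, 0, 26) };
	struct prefix roa_bad[] = { mkprefix(192, 0, 2, 128, 25) };
	int ok = roa_resources_valid(roa_ok, 1, ee, 1, chain, 1);
	int bad = roa_resources_valid(roa_bad, 1, ee, 1, chain, 1);

	return ok && !bad;
}

/* The pre-1.8 comparison (ROA straight against the chain) wrongly accepts roa_bad. */
int
demo_chain_only_accepts_overclaim(void)
{
	struct prefix chain[] = { mkprefix(192, 0, 2, 0, 24) };
	struct prefix roa_bad[] = { mkprefix(192, 0, 2, 128, 25) };

	return resources_covered(roa_bad, 1, chain, 1);
}

int
main(void)
{
	printf("EE-aware check correct: %s, chain-only check over-accepts: %s\n",
	    demo_ee_narrower_than_chain() ? "yes" : "no",
	    demo_chain_only_accepts_overclaim() ? "yes" : "no");
	return 0;
}
```

A real implementation also has to handle IPv6, explicit address ranges, the "inherit" marker and AS number blocks, but the containment rule per entry is the same: shorter-or-equal length and matching network bits, checked hop by hop up the path.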
#
1.7 |
|
11-May-2022 |
job |
In filemode check whether ROA & RSC resources are properly contained
with and OK tb@ claudio@
|
#
1.6 |
|
09-May-2022 |
job |
Add preliminary support for decoding RSC objects in filemode
This implements decoding support for draft-ietf-sidrops-rpki-rsc-06
There are three major outstanding issues:
* The wire image might still change to conform to the more widely deployed 3779 API in libressl/openssl. IETF discussion ongoing.
* Whether the resources listed in the ResourceBlock are contained within the EE's RFC 3779 extension is not hooked up yet.
* There is a fair bit of duplicity between rsc.c and cert.c, look for XXX
OK tb@
|
#
1.5 |
|
24-Apr-2022 |
tb |
zap extra blank line
|
#
1.4 |
|
24-Apr-2022 |
tb |
trailing whitespace
|
#
1.3 |
|
24-Apr-2022 |
job |
In filemode emit the hash which uniquely identifies a given Signed Object
RPKI Signed Objects are not malleable; this means the SHA256 digest of an input file containing a signed object is a very stable identifier to associate with the decoded (validated) output shown in filemode.
The SHA256 in hash_id is base64 encoded (just like hashes on manifest listings).
OK tb@
|
#
1.2 |
|
21-Apr-2022 |
claudio |
Further refactor and cleanup filemode.c: mainly remove the copies of proc_parser_cert_validate() and proc_parser_root_cert() and adjust parse_load_certchain() and parse_load_ta() respectively. Also cleanup the functions in parser.c and make it possible to call ta_parse and cert_parse with a NULL cert. OK tb@
|
#
1.1 |
|
21-Apr-2022 |
claudio |
The filemode code is different enough from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows removing the errx() after them.
OK tb@
|
#
1.28 |
|
13-Mar-2023 |
job |
Don't lookup the signature path's expiry for trust anchor certs
|
#
1.27 |
|
13-Mar-2023 |
job |
In filemode, also print details for .cer certificates
|
#
1.26 |
|
13-Mar-2023 |
job |
In filemode, display the moment the signature path will expire
Previously this was only shown for ROA+ASPA. Now also show for GBR, Geofeed, Certs, RSC, and TAK.
OK tb@
|
#
1.25 |
|
13-Mar-2023 |
job |
In filemode for ROAs/ASPAs display when the Signature path will expire
Also rename 'certification path' to 'signature path' for alignment
OK tb@
|
#
1.24 |
|
13-Mar-2023 |
job |
Merge calling print_certification_path() into adjacent else branch
OK tb@
|
#
1.23 |
|
13-Mar-2023 |
job |
Refactor whats printed when in filemode
OK tb@
|
#
1.22 |
|
12-Mar-2023 |
job |
Alphabetically sort various bits and pieces - mechanical change
Might make later refactors easier to follow
OK tb@
|
#
1.21 |
|
07-Mar-2023 |
job |
Improve decoded content printing in filemode
Looks reasonable claudio@
|
#
1.20 |
|
03-Mar-2023 |
job |
In filemode, print the certification path towards the Trust Anchor
with and OK tb@
|
#
1.19 |
|
06-Jan-2023 |
claudio |
Rework the main <-> parser/filemode communication protocol a bit.
Swap repo_id and filename to simplify the code in parser.c. In filemode both repo_id and filename are ignored. Additionally do not errx() in case of unknown file types. Instead send back enough info that the code can move on.
OK tb@
|
#
1.18 |
|
29-Nov-2022 |
claudio |
Return an error string instead of surpressing the warning in valid_x509. This way manifests can should a better error message when something fails. With and OK tb@
|
#
1.17 |
|
26-Nov-2022 |
job |
Add support for authenticating geofeed data CSV files in filemode
RFC 9092 describes a scheme in which an authenticator is appended to a geofeed (RFC 8805) file. It is a digest of the main body of the file signed by the private key of the relevant RPKI certificate for a covering address range. The authenticator is a detached CMS signature.
with and OK tb@
|
#
1.16 |
|
04-Nov-2022 |
job |
Format filemode output in a tabular fashion to improve readability
OK tb@ claudio@
|
#
1.15 |
|
02-Nov-2022 |
job |
Add support for draft-ietf-sidrops-signed-tal-12
Add support validation of Signed Objects containing Trust Anchor Keys (TAKs - aka 'Signed TALs'). Signed TALs provide a mechanism for RIRs to distribute and sign the next Trust Anchor with the current Trust Anchor. This might be an improvement over visiting RIR websites and copy+pasting TAL data by hand.
OK tb@
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.14 |
|
06-Sep-2022 |
job |
Properly free memory in filemode
OK tb@
|
#
1.13 |
|
30-Aug-2022 |
job |
Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)
ASPA objects are published in the RPKI and can be used to detect and mitigate BGP route leaks. Validated ASPA Payloads are visible through filemode (-f) and the JSON output format (-j).
With feedback from tb@
OK claudio@ tb@
|
#
1.12 |
|
25-Aug-2022 |
job |
Make PEM printing available through increased verbosity (-vvf)
Suggestion from claudio@
OK tb@
|
#
1.11 |
|
25-Aug-2022 |
job |
In verbose filemode print details about encapsulated certificates. Add command line flag to print the certificate in PEM format.
OK tb@
|
#
1.10 |
|
25-Aug-2022 |
job |
Fix newline in JSON filemode
OK tb@
|
#
1.9 |
|
25-Aug-2022 |
job |
Plug memory leak in filemode
OK tb@ claudio@
|
#
1.8 |
|
19-Aug-2022 |
tb |
Check the resources in ROAs and RSCs against EE certs
The resources delegated in the RFC 3779 extensions of the EE cert for ROAs or RSCs can be a subset of the resources in the auth chain. So far we compared that the resources of ROAs and RSCs are covered by the auth chain, which is not entirely correct. Extract the necessary data from the EE cert into rpki-client's own data structures, then verify that the EE cert's resources cover the ones claimed in the ROA or RSC.
Do this as part or ROA and RSC parsing, that the EE cert's resources are covered by the auth chain is checked in valid_x509() later on.
All this is a bit more annoying and intrusive than it should be...
ok claudio job
|
#
1.7 |
|
11-May-2022 |
job |
In filemode check whether ROA & RSC resources are properly contained
with and OK tb@ claudio@
|
#
1.6 |
|
09-May-2022 |
job |
Add preliminary support for decoding RSC objects in filemode
This implements decoding support for draft-ietf-sidrops-rpki-rsc-06
There are three major outstanding issues:
* The wire image might still change to conform to the more widely deployed 3779 API in libressl/openssl. IETF discussion ongoing. * Whether the resources listed in the ResourceBlock are contained within the EE's RFC 3779 extension is not hooked up yet. * There is a fair bit of duplicity between rsc.c and cert.c, look for XXX
OK tb@

1.5 | 24-Apr-2022 | tb
zap extra blank line

1.4 | 24-Apr-2022 | tb
trailing whitespace

1.3 | 24-Apr-2022 | job
In filemode emit the hash which uniquely identifies a given Signed Object
RPKI Signed Objects are not malleable; this means the SHA256 digest of an input file containing a signed object is a very stable identifier to associate with the decoded (validated) output shown in filemode.
The SHA256 in hash_id is base64 encoded (just like hashes on manifest listings).
OK tb@

1.2 | 21-Apr-2022 | claudio
Further refactor and clean up filemode.c: mainly remove the copies of proc_parser_cert_validate() and proc_parser_root_cert(), and adjust parse_load_certchain() and parse_load_ta() respectively. Also clean up the functions in parser.c and make it possible to call ta_parse and cert_parse with a NULL cert. OK tb@

1.1 | 21-Apr-2022 | claudio
The filemode code is different enough from the regular parser code that it makes sense to split it out completely. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c, similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn), which allows removing the errx() after them.
OK tb@

1.21 | 07-Mar-2023 | job
Improve decoded content printing in filemode
Looks reasonable claudio@

1.20 | 03-Mar-2023 | job
In filemode, print the certification path towards the Trust Anchor
with and OK tb@

1.19 | 06-Jan-2023 | claudio
Rework the main <-> parser/filemode communication protocol a bit.
Swap repo_id and filename to simplify the code in parser.c. In filemode both repo_id and filename are ignored. Additionally do not errx() in case of unknown file types. Instead send back enough info that the code can move on.
OK tb@

1.18 | 29-Nov-2022 | claudio
Return an error string instead of suppressing the warning in valid_x509. This way manifests can show a better error message when something fails. With and OK tb@

1.17 | 26-Nov-2022 | job
Add support for authenticating geofeed data CSV files in filemode
RFC 9092 describes a scheme in which an authenticator is appended to a geofeed (RFC 8805) file. It is a digest of the main body of the file signed by the private key of the relevant RPKI certificate for a covering address range. The authenticator is a detached CMS signature.
with and OK tb@

1.16 | 04-Nov-2022 | job
Format filemode output in a tabular fashion to improve readability
OK tb@ claudio@

1.15 | 02-Nov-2022 | job
Add support for draft-ietf-sidrops-signed-tal-12
Add support for validation of Signed Objects containing Trust Anchor Keys (TAKs, aka 'Signed TALs'). Signed TALs provide a mechanism for RIRs to distribute and sign the next Trust Anchor with the current Trust Anchor. This might be an improvement over visiting RIR websites and copy+pasting TAL data by hand.
OK tb@

Revision tags: OPENBSD_7_2_BASE

1.14 | 06-Sep-2022 | job
Properly free memory in filemode
OK tb@

1.13 | 30-Aug-2022 | job
Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)
ASPA objects are published in the RPKI and can be used to detect and mitigate BGP route leaks. Validated ASPA Payloads are visible through filemode (-f) and the JSON output format (-j).
With feedback from tb@
OK claudio@ tb@
|
#
1.12 |
|
25-Aug-2022 |
job |
Make PEM printing available through increased verbosity (-vvf)
Suggestion from claudio@
OK tb@
|
#
1.11 |
|
25-Aug-2022 |
job |
In verbose filemode print details about encapsulated certificates. Add command line flag to print the certificate in PEM format.
OK tb@
|
#
1.10 |
|
25-Aug-2022 |
job |
Fix newline in JSON filemode
OK tb@
|
#
1.9 |
|
25-Aug-2022 |
job |
Plug memory leak in filemode
OK tb@ claudio@
|
#
1.8 |
|
19-Aug-2022 |
tb |
Check the resources in ROAs and RSCs against EE certs
The resources delegated in the RFC 3779 extensions of the EE cert for ROAs or RSCs can be a subset of the resources in the auth chain. So far we compared that the resources of ROAs and RSCs are covered by the auth chain, which is not entirely correct. Extract the necessary data from the EE cert into rpki-client's own data structures, then verify that the EE cert's resources cover the ones claimed in the ROA or RSC.
Do this as part or ROA and RSC parsing, that the EE cert's resources are covered by the auth chain is checked in valid_x509() later on.
All this is a bit more annoying and intrusive than it should be...
ok claudio job
|
#
1.7 |
|
11-May-2022 |
job |
In filemode check whether ROA & RSC resources are properly contained
with and OK tb@ claudio@
|
#
1.6 |
|
09-May-2022 |
job |
Add preliminary support for decoding RSC objects in filemode
This implements decoding support for draft-ietf-sidrops-rpki-rsc-06
There are three major outstanding issues:
* The wire image might still change to conform to the more widely deployed 3779 API in libressl/openssl. IETF discussion ongoing. * Whether the resources listed in the ResourceBlock are contained within the EE's RFC 3779 extension is not hooked up yet. * There is a fair bit of duplicity between rsc.c and cert.c, look for XXX
OK tb@
|
#
1.5 |
|
24-Apr-2022 |
tb |
zap extra blank line
|
#
1.4 |
|
24-Apr-2022 |
tb |
trailing whitespace
|
#
1.3 |
|
24-Apr-2022 |
job |
In filemode emit the hash which uniquely identifies a given Signed Object
RPKI Signed Objects are not malleable; this means the SHA256 digest of an input file containing a signed object is a very stable identifier to associate with the decoded (validated) output shown in filemode.
The SHA256 in hash_id is base64 encoded (just like hashes on manifest listings).
OK tb@
|
#
1.2 |
|
21-Apr-2022 |
claudio |
Further refactor and cleanup filemode.c mainly remove the copies of proc_parser_cert_validate() and proc_parser_root_cert() adjust parse_load_certchain() and parse_load_ta() respectivly. Also cleanup the functions in parser.c and make it possible to call ta_parse and cert_parse with a NULL cert. OK tb@
|
#
1.1 |
|
21-Apr-2022 |
claudio |
The filemode code is enough different from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows to remove the errx() after them.
OK tb@
|
#
1.20 |
|
03-Mar-2023 |
job |
In filemode, print the certification path towards the Trust Anchor
with and OK tb@
|
#
1.19 |
|
06-Jan-2023 |
claudio |
Rework the main <-> parser/filemode communication protocol a bit.
Swap repo_id and filename to simplify the code in parser.c. In filemode both repo_id and filename are ignored. Additionally do not errx() in case of unknown file types. Instead send back enough info that the code can move on.
OK tb@
|
#
1.18 |
|
29-Nov-2022 |
claudio |
Return an error string instead of surpressing the warning in valid_x509. This way manifests can should a better error message when something fails. With and OK tb@
|
#
1.17 |
|
26-Nov-2022 |
job |
Add support for authenticating geofeed data CSV files in filemode
RFC 9092 describes a scheme in which an authenticator is appended to a geofeed (RFC 8805) file. It is a digest of the main body of the file signed by the private key of the relevant RPKI certificate for a covering address range. The authenticator is a detached CMS signature.
with and OK tb@
|
#
1.16 |
|
04-Nov-2022 |
job |
Format filemode output in a tabular fashion to improve readability
OK tb@ claudio@
|
#
1.15 |
|
02-Nov-2022 |
job |
Add support for draft-ietf-sidrops-signed-tal-12
Add support validation of Signed Objects containing Trust Anchor Keys (TAKs - aka 'Signed TALs'). Signed TALs provide a mechanism for RIRs to distribute and sign the next Trust Anchor with the current Trust Anchor. This might be an improvement over visiting RIR websites and copy+pasting TAL data by hand.
OK tb@
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.14 |
|
06-Sep-2022 |
job |
Properly free memory in filemode
OK tb@
|
#
1.13 |
|
30-Aug-2022 |
job |
Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)
ASPA objects are published in the RPKI and can be used to detect and mitigate BGP route leaks. Validated ASPA Payloads are visible through filemode (-f) and the JSON output format (-j).
With feedback from tb@
OK claudio@ tb@
|
#
1.12 |
|
25-Aug-2022 |
job |
Make PEM printing available through increased verbosity (-vvf)
Suggestion from claudio@
OK tb@
|
#
1.11 |
|
25-Aug-2022 |
job |
In verbose filemode print details about encapsulated certificates. Add command line flag to print the certificate in PEM format.
OK tb@
|
#
1.10 |
|
25-Aug-2022 |
job |
Fix newline in JSON filemode
OK tb@
|
#
1.9 |
|
25-Aug-2022 |
job |
Plug memory leak in filemode
OK tb@ claudio@
|
#
1.8 |
|
19-Aug-2022 |
tb |
Check the resources in ROAs and RSCs against EE certs
The resources delegated in the RFC 3779 extensions of the EE cert for ROAs or RSCs can be a subset of the resources in the auth chain. So far we compared that the resources of ROAs and RSCs are covered by the auth chain, which is not entirely correct. Extract the necessary data from the EE cert into rpki-client's own data structures, then verify that the EE cert's resources cover the ones claimed in the ROA or RSC.
Do this as part or ROA and RSC parsing, that the EE cert's resources are covered by the auth chain is checked in valid_x509() later on.
All this is a bit more annoying and intrusive than it should be...
ok claudio job
|
#
1.7 |
|
11-May-2022 |
job |
In filemode check whether ROA & RSC resources are properly contained
with and OK tb@ claudio@
|
#
1.6 |
|
09-May-2022 |
job |
Add preliminary support for decoding RSC objects in filemode
This implements decoding support for draft-ietf-sidrops-rpki-rsc-06
There are three major outstanding issues:
* The wire image might still change to conform to the more widely deployed 3779 API in libressl/openssl. IETF discussion ongoing. * Whether the resources listed in the ResourceBlock are contained within the EE's RFC 3779 extension is not hooked up yet. * There is a fair bit of duplicity between rsc.c and cert.c, look for XXX
OK tb@
|
#
1.5 |
|
24-Apr-2022 |
tb |
zap extra blank line
|
#
1.4 |
|
24-Apr-2022 |
tb |
trailing whitespace
|
#
1.3 |
|
24-Apr-2022 |
job |
In filemode emit the hash which uniquely identifies a given Signed Object
RPKI Signed Objects are not malleable; this means the SHA256 digest of an input file containing a signed object is a very stable identifier to associate with the decoded (validated) output shown in filemode.
The SHA256 in hash_id is base64 encoded (just like hashes on manifest listings).
OK tb@
|
#
1.2 |
|
21-Apr-2022 |
claudio |
Further refactor and cleanup filemode.c mainly remove the copies of proc_parser_cert_validate() and proc_parser_root_cert() adjust parse_load_certchain() and parse_load_ta() respectivly. Also cleanup the functions in parser.c and make it possible to call ta_parse and cert_parse with a NULL cert. OK tb@
|
#
1.1 |
|
21-Apr-2022 |
claudio |
The filemode code is enough different from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows to remove the errx() after them.
OK tb@
|
#
1.19 |
|
06-Jan-2023 |
claudio |
Rework the main <-> parser/filemode communication protocol a bit.
Swap repo_id and filename to simplify the code in parser.c. In filemode both repo_id and filename are ignored. Additionally do not errx() in case of unknown file types. Instead send back enough info that the code can move on.
OK tb@
|
#
1.18 |
|
29-Nov-2022 |
claudio |
Return an error string instead of surpressing the warning in valid_x509. This way manifests can should a better error message when something fails. With and OK tb@
|
#
1.17 |
|
26-Nov-2022 |
job |
Add support for authenticating geofeed data CSV files in filemode
RFC 9092 describes a scheme in which an authenticator is appended to a geofeed (RFC 8805) file. It is a digest of the main body of the file signed by the private key of the relevant RPKI certificate for a covering address range. The authenticator is a detached CMS signature.
with and OK tb@
|
#
1.16 |
|
04-Nov-2022 |
job |
Format filemode output in a tabular fashion to improve readability
OK tb@ claudio@
|
#
1.15 |
|
02-Nov-2022 |
job |
Add support for draft-ietf-sidrops-signed-tal-12
Add support validation of Signed Objects containing Trust Anchor Keys (TAKs - aka 'Signed TALs'). Signed TALs provide a mechanism for RIRs to distribute and sign the next Trust Anchor with the current Trust Anchor. This might be an improvement over visiting RIR websites and copy+pasting TAL data by hand.
OK tb@
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.14 |
|
06-Sep-2022 |
job |
Properly free memory in filemode
OK tb@
|
#
1.13 |
|
30-Aug-2022 |
job |
Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)
ASPA objects are published in the RPKI and can be used to detect and mitigate BGP route leaks. Validated ASPA Payloads are visible through filemode (-f) and the JSON output format (-j).
With feedback from tb@
OK claudio@ tb@
|
#
1.12 |
|
25-Aug-2022 |
job |
Make PEM printing available through increased verbosity (-vvf)
Suggestion from claudio@
OK tb@
|
#
1.11 |
|
25-Aug-2022 |
job |
In verbose filemode print details about encapsulated certificates. Add command line flag to print the certificate in PEM format.
OK tb@
|
#
1.10 |
|
25-Aug-2022 |
job |
Fix newline in JSON filemode
OK tb@
|
#
1.9 |
|
25-Aug-2022 |
job |
Plug memory leak in filemode
OK tb@ claudio@
|
#
1.8 |
|
19-Aug-2022 |
tb |
Check the resources in ROAs and RSCs against EE certs
The resources delegated in the RFC 3779 extensions of the EE cert for ROAs or RSCs can be a subset of the resources in the auth chain. So far we compared that the resources of ROAs and RSCs are covered by the auth chain, which is not entirely correct. Extract the necessary data from the EE cert into rpki-client's own data structures, then verify that the EE cert's resources cover the ones claimed in the ROA or RSC.
Do this as part or ROA and RSC parsing, that the EE cert's resources are covered by the auth chain is checked in valid_x509() later on.
All this is a bit more annoying and intrusive than it should be...
ok claudio job
|
#
1.7 |
|
11-May-2022 |
job |
In filemode check whether ROA & RSC resources are properly contained
with and OK tb@ claudio@
|
#
1.6 |
|
09-May-2022 |
job |
Add preliminary support for decoding RSC objects in filemode
This implements decoding support for draft-ietf-sidrops-rpki-rsc-06
There are three major outstanding issues:
* The wire image might still change to conform to the more widely deployed 3779 API in libressl/openssl. IETF discussion ongoing. * Whether the resources listed in the ResourceBlock are contained within the EE's RFC 3779 extension is not hooked up yet. * There is a fair bit of duplicity between rsc.c and cert.c, look for XXX
OK tb@
|
#
1.5 |
|
24-Apr-2022 |
tb |
zap extra blank line
|
#
1.4 |
|
24-Apr-2022 |
tb |
trailing whitespace
|
#
1.3 |
|
24-Apr-2022 |
job |
In filemode emit the hash which uniquely identifies a given Signed Object
RPKI Signed Objects are not malleable; this means the SHA256 digest of an input file containing a signed object is a very stable identifier to associate with the decoded (validated) output shown in filemode.
The SHA256 in hash_id is base64 encoded (just like hashes on manifest listings).
OK tb@
|
#
1.2 |
|
21-Apr-2022 |
claudio |
Further refactor and cleanup filemode.c mainly remove the copies of proc_parser_cert_validate() and proc_parser_root_cert() adjust parse_load_certchain() and parse_load_ta() respectivly. Also cleanup the functions in parser.c and make it possible to call ta_parse and cert_parse with a NULL cert. OK tb@
|
#
1.1 |
|
21-Apr-2022 |
claudio |
The filemode code is enough different from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows to remove the errx() after them.
OK tb@
|
#
1.18 |
|
29-Nov-2022 |
claudio |
Return an error string instead of surpressing the warning in valid_x509. This way manifests can should a better error message when something fails. With and OK tb@
|
#
1.17 |
|
26-Nov-2022 |
job |
Add support for authenticating geofeed data CSV files in filemode
RFC 9092 describes a scheme in which an authenticator is appended to a geofeed (RFC 8805) file. It is a digest of the main body of the file signed by the private key of the relevant RPKI certificate for a covering address range. The authenticator is a detached CMS signature.
with and OK tb@
|
#
1.16 |
|
04-Nov-2022 |
job |
Format filemode output in a tabular fashion to improve readability
OK tb@ claudio@
|
#
1.15 |
|
02-Nov-2022 |
job |
Add support for draft-ietf-sidrops-signed-tal-12
Add support validation of Signed Objects containing Trust Anchor Keys (TAKs - aka 'Signed TALs'). Signed TALs provide a mechanism for RIRs to distribute and sign the next Trust Anchor with the current Trust Anchor. This might be an improvement over visiting RIR websites and copy+pasting TAL data by hand.
OK tb@
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.14 |
|
06-Sep-2022 |
job |
Properly free memory in filemode
OK tb@
|
#
1.13 |
|
30-Aug-2022 |
job |
Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)
ASPA objects are published in the RPKI and can be used to detect and mitigate BGP route leaks. Validated ASPA Payloads are visible through filemode (-f) and the JSON output format (-j).
With feedback from tb@
OK claudio@ tb@
|
#
1.12 |
|
25-Aug-2022 |
job |
Make PEM printing available through increased verbosity (-vvf)
Suggestion from claudio@
OK tb@
|
#
1.11 |
|
25-Aug-2022 |
job |
In verbose filemode print details about encapsulated certificates. Add command line flag to print the certificate in PEM format.
OK tb@
|
#
1.10 |
|
25-Aug-2022 |
job |
Fix newline in JSON filemode
OK tb@
|
#
1.9 |
|
25-Aug-2022 |
job |
Plug memory leak in filemode
OK tb@ claudio@
|
#
1.8 |
|
19-Aug-2022 |
tb |
Check the resources in ROAs and RSCs against EE certs
The resources delegated in the RFC 3779 extensions of the EE cert for ROAs or RSCs can be a subset of the resources in the auth chain. So far we compared that the resources of ROAs and RSCs are covered by the auth chain, which is not entirely correct. Extract the necessary data from the EE cert into rpki-client's own data structures, then verify that the EE cert's resources cover the ones claimed in the ROA or RSC.
Do this as part or ROA and RSC parsing, that the EE cert's resources are covered by the auth chain is checked in valid_x509() later on.
All this is a bit more annoying and intrusive than it should be...
ok claudio job
|
#
1.7 |
|
11-May-2022 |
job |
In filemode check whether ROA & RSC resources are properly contained
with and OK tb@ claudio@
|
#
1.6 |
|
09-May-2022 |
job |
Add preliminary support for decoding RSC objects in filemode
This implements decoding support for draft-ietf-sidrops-rpki-rsc-06
There are three major outstanding issues:
* The wire image might still change to conform to the more widely deployed 3779 API in libressl/openssl. IETF discussion ongoing. * Whether the resources listed in the ResourceBlock are contained within the EE's RFC 3779 extension is not hooked up yet. * There is a fair bit of duplicity between rsc.c and cert.c, look for XXX
OK tb@
|
#
1.5 |
|
24-Apr-2022 |
tb |
zap extra blank line
|
#
1.4 |
|
24-Apr-2022 |
tb |
trailing whitespace
|
#
1.3 |
|
24-Apr-2022 |
job |
In filemode emit the hash which uniquely identifies a given Signed Object
RPKI Signed Objects are not malleable; this means the SHA256 digest of an input file containing a signed object is a very stable identifier to associate with the decoded (validated) output shown in filemode.
The SHA256 in hash_id is base64 encoded (just like hashes on manifest listings).
OK tb@
|
#
1.2 |
|
21-Apr-2022 |
claudio |
Further refactor and cleanup filemode.c mainly remove the copies of proc_parser_cert_validate() and proc_parser_root_cert() adjust parse_load_certchain() and parse_load_ta() respectivly. Also cleanup the functions in parser.c and make it possible to call ta_parse and cert_parse with a NULL cert. OK tb@
|
#
1.1 |
|
21-Apr-2022 |
claudio |
The filemode code is enough different from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows to remove the errx() after them.
OK tb@
|
#
1.17 |
|
26-Nov-2022 |
job |
Add support for authenticating geofeed data CSV files in filemode
RFC 9092 describes a scheme in which an authenticator is appended to a geofeed (RFC 8805) file. It is a digest of the main body of the file signed by the private key of the relevant RPKI certificate for a covering address range. The authenticator is a detached CMS signature.
with and OK tb@
|
#
1.16 |
|
04-Nov-2022 |
job |
Format filemode output in a tabular fashion to improve readability
OK tb@ claudio@
|
#
1.15 |
|
02-Nov-2022 |
job |
Add support for draft-ietf-sidrops-signed-tal-12
Add support validation of Signed Objects containing Trust Anchor Keys (TAKs - aka 'Signed TALs'). Signed TALs provide a mechanism for RIRs to distribute and sign the next Trust Anchor with the current Trust Anchor. This might be an improvement over visiting RIR websites and copy+pasting TAL data by hand.
OK tb@
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.14 |
|
06-Sep-2022 |
job |
Properly free memory in filemode
OK tb@
|
#
1.13 |
|
30-Aug-2022 |
job |
Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)
ASPA objects are published in the RPKI and can be used to detect and mitigate BGP route leaks. Validated ASPA Payloads are visible through filemode (-f) and the JSON output format (-j).
With feedback from tb@
OK claudio@ tb@
|
#
1.12 |
|
25-Aug-2022 |
job |
Make PEM printing available through increased verbosity (-vvf)
Suggestion from claudio@
OK tb@
|
#
1.11 |
|
25-Aug-2022 |
job |
In verbose filemode print details about encapsulated certificates. Add command line flag to print the certificate in PEM format.
OK tb@
|
#
1.10 |
|
25-Aug-2022 |
job |
Fix newline in JSON filemode
OK tb@
|
#
1.9 |
|
25-Aug-2022 |
job |
Plug memory leak in filemode
OK tb@ claudio@
|
#
1.8 |
|
19-Aug-2022 |
tb |
Check the resources in ROAs and RSCs against EE certs
The resources delegated in the RFC 3779 extensions of the EE cert for ROAs or RSCs can be a subset of the resources in the auth chain. So far we compared that the resources of ROAs and RSCs are covered by the auth chain, which is not entirely correct. Extract the necessary data from the EE cert into rpki-client's own data structures, then verify that the EE cert's resources cover the ones claimed in the ROA or RSC.
Do this as part or ROA and RSC parsing, that the EE cert's resources are covered by the auth chain is checked in valid_x509() later on.
All this is a bit more annoying and intrusive than it should be...
ok claudio job
|
#
1.7 |
|
11-May-2022 |
job |
In filemode check whether ROA & RSC resources are properly contained
with and OK tb@ claudio@
|
#
1.6 |
|
09-May-2022 |
job |
Add preliminary support for decoding RSC objects in filemode
This implements decoding support for draft-ietf-sidrops-rpki-rsc-06
There are three major outstanding issues:
* The wire image might still change to conform to the more widely deployed 3779 API in libressl/openssl. IETF discussion ongoing. * Whether the resources listed in the ResourceBlock are contained within the EE's RFC 3779 extension is not hooked up yet. * There is a fair bit of duplicity between rsc.c and cert.c, look for XXX
OK tb@
|
#
1.5 |
|
24-Apr-2022 |
tb |
zap extra blank line
|
#
1.4 |
|
24-Apr-2022 |
tb |
trailing whitespace
|
#
1.3 |
|
24-Apr-2022 |
job |
In filemode emit the hash which uniquely identifies a given Signed Object
RPKI Signed Objects are not malleable; this means the SHA256 digest of an input file containing a signed object is a very stable identifier to associate with the decoded (validated) output shown in filemode.
The SHA256 in hash_id is base64 encoded (just like hashes on manifest listings).
OK tb@
|
#
1.2 |
|
21-Apr-2022 |
claudio |
Further refactor and cleanup filemode.c mainly remove the copies of proc_parser_cert_validate() and proc_parser_root_cert() adjust parse_load_certchain() and parse_load_ta() respectivly. Also cleanup the functions in parser.c and make it possible to call ta_parse and cert_parse with a NULL cert. OK tb@
|
#
1.1 |
|
21-Apr-2022 |
claudio |
The filemode code is enough different from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows to remove the errx() after them.
OK tb@
|
#
1.16 |
|
04-Nov-2022 |
job |
Format filemode output in a tabular fashion to improve readability
OK tb@ claudio@
|
#
1.15 |
|
02-Nov-2022 |
job |
Add support for draft-ietf-sidrops-signed-tal-12
Add support validation of Signed Objects containing Trust Anchor Keys (TAKs - aka 'Signed TALs'). Signed TALs provide a mechanism for RIRs to distribute and sign the next Trust Anchor with the current Trust Anchor. This might be an improvement over visiting RIR websites and copy+pasting TAL data by hand.
OK tb@
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.14 |
|
06-Sep-2022 |
job |
Properly free memory in filemode
OK tb@
|
#
1.13 |
|
30-Aug-2022 |
job |
Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)
ASPA objects are published in the RPKI and can be used to detect and mitigate BGP route leaks. Validated ASPA Payloads are visible through filemode (-f) and the JSON output format (-j).
With feedback from tb@
OK claudio@ tb@
|
#
1.12 |
|
25-Aug-2022 |
job |
Make PEM printing available through increased verbosity (-vvf)
Suggestion from claudio@
OK tb@
|
#
1.11 |
|
25-Aug-2022 |
job |
In verbose filemode print details about encapsulated certificates. Add command line flag to print the certificate in PEM format.
OK tb@
|
#
1.10 |
|
25-Aug-2022 |
job |
Fix newline in JSON filemode
OK tb@
|
#
1.9 |
|
25-Aug-2022 |
job |
Plug memory leak in filemode
OK tb@ claudio@
|
#
1.8 |
|
19-Aug-2022 |
tb |
Check the resources in ROAs and RSCs against EE certs
The resources delegated in the RFC 3779 extensions of the EE cert for ROAs or RSCs can be a subset of the resources in the auth chain. So far we compared that the resources of ROAs and RSCs are covered by the auth chain, which is not entirely correct. Extract the necessary data from the EE cert into rpki-client's own data structures, then verify that the EE cert's resources cover the ones claimed in the ROA or RSC.
Do this as part or ROA and RSC parsing, that the EE cert's resources are covered by the auth chain is checked in valid_x509() later on.
All this is a bit more annoying and intrusive than it should be...
ok claudio job
|
#
1.7 |
|
11-May-2022 |
job |
In filemode check whether ROA & RSC resources are properly contained
with and OK tb@ claudio@
|
#
1.6 |
|
09-May-2022 |
job |
Add preliminary support for decoding RSC objects in filemode
This implements decoding support for draft-ietf-sidrops-rpki-rsc-06
There are three major outstanding issues:
* The wire image might still change to conform to the more widely deployed 3779 API in libressl/openssl. IETF discussion ongoing. * Whether the resources listed in the ResourceBlock are contained within the EE's RFC 3779 extension is not hooked up yet. * There is a fair bit of duplicity between rsc.c and cert.c, look for XXX
OK tb@
|
#
1.5 |
|
24-Apr-2022 |
tb |
zap extra blank line
|
#
1.4 |
|
24-Apr-2022 |
tb |
trailing whitespace
|
#
1.3 |
|
24-Apr-2022 |
job |
In filemode emit the hash which uniquely identifies a given Signed Object
RPKI Signed Objects are not malleable; this means the SHA256 digest of an input file containing a signed object is a very stable identifier to associate with the decoded (validated) output shown in filemode.
The SHA256 in hash_id is base64 encoded (just like hashes on manifest listings).
OK tb@
|
#
1.2 |
|
21-Apr-2022 |
claudio |
Further refactor and cleanup filemode.c mainly remove the copies of proc_parser_cert_validate() and proc_parser_root_cert() adjust parse_load_certchain() and parse_load_ta() respectivly. Also cleanup the functions in parser.c and make it possible to call ta_parse and cert_parse with a NULL cert. OK tb@
|
#
1.1 |
|
21-Apr-2022 |
claudio |
The filemode code is enough different from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows to remove the errx() after them.
OK tb@
|
#
1.16 |
|
04-Nov-2022 |
job |
Format filemode output in a tabular fashion to improve readability
OK tb@ claudio@
|
#
1.15 |
|
02-Nov-2022 |
job |
Add support for draft-ietf-sidrops-signed-tal-12
Add support validation of Signed Objects containing Trust Anchor Keys (TAKs - aka 'Signed TALs'). Signed TALs provide a mechanism for RIRs to distribute and sign the next Trust Anchor with the current Trust Anchor. This might be an improvement over visiting RIR websites and copy+pasting TAL data by hand.
OK tb@
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.14 |
|
06-Sep-2022 |
job |
Properly free memory in filemode
OK tb@
|
#
1.13 |
|
30-Aug-2022 |
job |
Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)
ASPA objects are published in the RPKI and can be used to detect and mitigate BGP route leaks. Validated ASPA Payloads are visible through filemode (-f) and the JSON output format (-j).
With feedback from tb@
OK claudio@ tb@
|
#
1.12 |
|
25-Aug-2022 |
job |
Make PEM printing available through increased verbosity (-vvf)
Suggestion from claudio@
OK tb@
|
#
1.11 |
|
25-Aug-2022 |
job |
In verbose filemode print details about encapsulated certificates. Add command line flag to print the certificate in PEM format.
OK tb@
|
#
1.10 |
|
25-Aug-2022 |
job |
Fix newline in JSON filemode
OK tb@
|
#
1.9 |
|
25-Aug-2022 |
job |
Plug memory leak in filemode
OK tb@ claudio@
|
#
1.8 |
|
19-Aug-2022 |
tb |
Check the resources in ROAs and RSCs against EE certs
The resources delegated in the RFC 3779 extensions of the EE cert for ROAs or RSCs can be a subset of the resources in the auth chain. So far we checked that the resources of ROAs and RSCs are covered by the auth chain, which is not entirely correct. Extract the necessary data from the EE cert into rpki-client's own data structures, then verify that the EE cert's resources cover the ones claimed in the ROA or RSC.
Do this as part of ROA and RSC parsing; that the EE cert's resources are covered by the auth chain is checked in valid_x509() later on.
All this is a bit more annoying and intrusive than it should be...
ok claudio job
|
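The two-level containment check described in revision 1.8 (payload resources within the EE certificate, EE certificate resources within the auth chain), as an added Python example that is not rpki-client's own C code. It contrasts the new check with the pre-1.8 behaviour of comparing the payload against the auth chain only, which accepts a payload the EE cert was never delegated. All prefixes and AS numbers are constructed sample values from documentation and private-use ranges; `Resources`, `old_check` and `check_containment` are names chosen for this example.

```python
"""Two-level RFC 3779 resource containment, as described for filemode rev 1.8.

Added example in Python, not rpki-client's own C code. It models the chain
    payload (ROA/RSC)  <=  EE certificate  <=  CA/auth chain
and contrasts it with the pre-1.8 behaviour of comparing the payload against
the auth chain only. All prefixes and AS numbers are constructed sample
values taken from documentation and private-use ranges.
"""
import ipaddress


class Resources:
    """An RFC 3779 style resource set: IP prefixes plus inclusive AS ranges."""

    def __init__(self, prefixes=(), as_ranges=()):
        self.prefixes = tuple(ipaddress.ip_network(p) for p in prefixes)
        self.as_ranges = tuple((int(lo), int(hi)) for lo, hi in as_ranges)

    def covers_prefix(self, net):
        # subnet_of() raises on mixed address families, so compare versions first.
        return any(net.version == r.version and net.subnet_of(r)
                   for r in self.prefixes)

    def covers_as_range(self, lo, hi):
        # A range is covered only if a single delegated range spans all of it.
        return any(slo <= lo and hi <= shi for slo, shi in self.as_ranges)

    def covers(self, other):
        return (all(self.covers_prefix(p) for p in other.prefixes)
                and all(self.covers_as_range(lo, hi) for lo, hi in other.as_ranges))


def old_check(payload, chain):
    """Pre-1.8 behaviour: payload resources compared against the auth chain only."""
    return chain.covers(payload)


def check_containment(payload, ee, chain):
    """Return a list of problems; an empty list means the object is valid.

    Step 1 is what rev 1.8 adds at ROA/RSC parse time (payload within the EE
    cert); step 2 is the EE-versus-auth-chain check done later in valid_x509().
    """
    problems = []
    for p in payload.prefixes:
        if not ee.covers_prefix(p):
            problems.append(f"payload prefix {p} not in EE cert resources")
    for lo, hi in payload.as_ranges:
        if not ee.covers_as_range(lo, hi):
            problems.append(f"payload AS range {lo}-{hi} not in EE cert resources")
    for p in ee.prefixes:
        if not chain.covers_prefix(p):
            problems.append(f"EE prefix {p} not covered by auth chain")
    for lo, hi in ee.as_ranges:
        if not chain.covers_as_range(lo, hi):
            problems.append(f"EE AS range {lo}-{hi} not covered by auth chain")
    return problems


# Constructed sample data (documentation prefixes and private-use ASNs).
CHAIN = Resources(["192.0.2.0/24", "2001:db8::/32"], [(64496, 64511)])
EE_OK = Resources(["192.0.2.0/25"])                      # half of the CA's v4 space
ROA_OK = Resources(["192.0.2.0/26", "192.0.2.64/26"])    # inside the EE cert
ROA_OUTSIDE_EE = Resources(["192.0.2.128/25"])           # inside CA, outside EE
EE_OUTSIDE_CHAIN = Resources(["198.51.100.0/24"])        # EE claims undelegated space
RSC_AS = Resources(as_ranges=[(64496, 64500)])           # AS-only RSC payload
EE_AS = Resources(as_ranges=[(64496, 64511)])            # EE cert with AS resources


if __name__ == "__main__":
    print("valid ROA:", check_containment(ROA_OK, EE_OK, CHAIN))
    print("old check accepts:", old_check(ROA_OUTSIDE_EE, CHAIN))
    print("new check rejects:", check_containment(ROA_OUTSIDE_EE, EE_OK, CHAIN))
    print("bad EE:", check_containment(ROA_OK, EE_OUTSIDE_CHAIN, CHAIN))
```

The `ROA_OUTSIDE_EE` case is the one the commit message is about: its prefix sits inside the CA's delegation, so a chain-only comparison passes it, while the EE-level check rejects it because the EE certificate was only delegated the lower half of the /24.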
#
1.7 |
|
11-May-2022 |
job |
In filemode check whether ROA & RSC resources are properly contained
with and OK tb@ claudio@
|
#
1.6 |
|
09-May-2022 |
job |
Add preliminary support for decoding RSC objects in filemode
This implements decoding support for draft-ietf-sidrops-rpki-rsc-06
There are three major outstanding issues:
* The wire image might still change to conform to the more widely deployed 3779 API in libressl/openssl. IETF discussion ongoing.
* Whether the resources listed in the ResourceBlock are contained within the EE's RFC 3779 extension is not hooked up yet.
* There is a fair bit of duplicity between rsc.c and cert.c, look for XXX
OK tb@
|
#
1.5 |
|
24-Apr-2022 |
tb |
zap extra blank line
|
#
1.4 |
|
24-Apr-2022 |
tb |
trailing whitespace
|
#
1.3 |
|
24-Apr-2022 |
job |
In filemode emit the hash which uniquely identifies a given Signed Object
RPKI Signed Objects are not malleable; this means the SHA256 digest of an input file containing a signed object is a very stable identifier to associate with the decoded (validated) output shown in filemode.
The SHA256 in hash_id is base64 encoded (just like hashes on manifest listings).
OK tb@
|
#
1.2 |
|
21-Apr-2022 |
claudio |
Further refactor and cleanup filemode.c: mainly remove the copies of proc_parser_cert_validate() and proc_parser_root_cert() and adjust parse_load_certchain() and parse_load_ta() respectively. Also clean up the functions in parser.c and make it possible to call ta_parse and cert_parse with a NULL cert. OK tb@
|
#
1.1 |
|
21-Apr-2022 |
claudio |
The filemode code is different enough from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows removing the errx() after them.
OK tb@
|