rpki-client: fix incorrect use of ASN1_tag2str()

This goes back to the initial import in mft.c and was then copied to rsc.c.
ASN1_tag2str() doesn't take a nid but rather an ASN.1 tag. Use nid2str()
instead.

ok claudio (who helped me use nid2str() correctly)

Update references to new and not quite so new RFCs

Four warnings now contain "RFC 9582" rather than "RFC 6482bis".
Also update some references to I-Ds.

ok claudio

Instead of tracking certificates by SKI track them by an internal identifier.

The certificate SKI is not strictly unique so using it as a unique id is
problematic. It is also not really needed to do that since in theory we
already know the path (but this got lost in the privsep communication).
So add a cert id and pass this id back and forth between main process and
the parser. With this id we can lookup the authentication chain in the
parser and this even works with multiple paths to the same resource.
Since we no longer lookup by SKI the valid_aki_ski function is replaced
by find_issuer() which does the lookup by certid.

The loop protection is now extended to allow each TAL to reach each file
once but still triggers if a file is reaccessed by the tree of a TAL.

In filemode the lookup now uses an AIA uri based lookup tree. Again this
replaces the SKI based lookups from before.

Done together with tb@
OK tb@ job@

rpki-client: plug leak of the crl path

also, drop an unnecessary NULL check and make freeing have the same order
as the struct field so auditing for leaks is easier.

ok claudio

Display distinct errors for various problematic CRL/MFT situationships

RFC 6487 section 8 specifies only a single CRL is issued at a time, so
error when multiple .crl files are listed in a Manifest's FileList.

The CRLDP extension identifies the location of the CRL, so the CRL's
filename must match the CA's CRLDP's 'rsync://' entry, error if that
isn't the case. (RFC 6486 section 4.8.6)

with & OK tb@

Add support for RPKI Signed Prefix Lists

Signed Prefix List are a CMS protected content type for use with the
RPKI to carry the complete list of prefixes which an Autonomous System
may originate to all or any of its routing peers. The validation of a
Signed Prefix List confirms that the holder of the listed ASN produced
the object, and that this list is a current, accurate and complete
description of address prefixes that may be announced into the routing
system originated by this AS.

https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-prefixlist

with and OK claudio@ tb@

rpki-client: remove the remaining struct parse

With the exception of mft.c where there is an additional boolean, this
struct carries a file name and a result. This means functions having
struct parse in the signature can't be shared between files, which has
been annoying. Simply pass file name and necessary info directly as a
function parameter and add a small dance to handle the boolean in mft.c.

ok job

Rename fn into file to avoid clash in upcoming diff

ok job

Use _asn1 suffix for some aspa/mft/roa/rsc/tak

This would otherwie clash with an upcoming replacement of struct parse.

ok job

Ensure that the FileAndHashes list in a mft has no duplicates

ok job

Add explicit ASN1_ITEM_EXP prototypes

In LibreSSL *_it are variables, in other implementations they might
be a function. This helps squash compiler warnings in -portable.

Related: https://github.com/openbsd/src/commit/65af98848fc7a42e34d470d10fc1db8e23f9db93

OK tb@

Check whether all data in eContent has been consumed

It is possible that a given ASN.1 template generated d2i_*() function
didn't consume all data, so there is a potential for malleability.
The econtent is a sequence (which means it could be the concatenation
of several DER "blobs"). d2i_*() would only deserialize the first one
and not notice blobs following it.

OK tb@

Use x509_get_time() to get the Manifest thisUpdate / nextUpdate

From the moment d2i_Manifest() was introduced, it was automatically
checked whether the thisUpdate/nextUpdate are ASN1_GENERALIZEDTIME.

Unfortunately, an additional check is needed, because OpenSSL doesn't
require RFC 5280 conformance for GeneralizedTime DER encoding.

OK tb@

Refactor handling of stale manifests

No need to hoist a staleness indicator through the whole process and
count it explicitly.

OK tb@

Remove old comment

OK tb@

Introduce and use mft_compare_issued()

Newly issued manifests should not only have a higher manifestNumber,
their issuance time should also be later. Add corresponding checks
and warnings when comparing a newly fetched manifest to a manifest
from the cache.

ok job (who noticed that such a check was missing)

Rename mft_compare() to mft_compare_seqnum()

This makes it clearer what exactly this function compares. Also drop some
NULL checks that made the semantics of this function tricky.

ok job

Log a warning when a manifest replay is detected

OK tb@ claudio@

Allow imposing constraints on RPKI trust anchors

The ability to constrain a RPKI Trust Anchor's effective signing
authority to a limited set of Internet Number Resources allows
Relying Parties to enjoy the potential benefits of assuming trust,
within a bounded scope.

Some examples: ARIN does not support inter-RIR IPv6 transfers, so
it wouldn't make any sense to see a ROA subordinate to ARIN's trust
anchor covering RIPE-managed IPv6 space. Conversely, it wouldn't
make sense to observe a ROA covering ARIN-managed IPv6 space under
APNIC's, LACNIC's, or RIPE's trust anchor - even if a derived trust
arc (a cryptographically valid certificate path) existed. Along these
same lines, AFRINIC doesn't support inter-RIR transfers of any kind,
and none of the RIRs have authority over private resources like
10.0.0.0/8 and 2001:db8::/32.

For more background see:
https://datatracker.ietf.org/doc/draft-snijders-constraining-rpki-trust-anchors/
https://mailman.nanog.org/pipermail/nanog/2023-September/223354.html

With and OK tb@, OK claudio@

Pass the talid to various parse functions

This will be needed by an upcoming feature where we will need to know
what trust anchor a given cert chains to. This doesn't change anything
except the size of the diff.

ok claudio job

Shuffle the order in which Manifest entries are processed

Previously work items were enqueued in the order the CA intended them
to appear on a Manifest. However, there is no obvious benefit to letting
third parties decide the order in which things are processed.

Instead, randomize: ordering has no meaning anyway, and the number of
concurrent repository synchronization operations is limited & timeboxed.
As they say, a fox is not taken twice in the same snare

OK tb@

Retire log.c

Convert all cryptowarnx() and cryptoerrx() to appropriate versions of
warn() and err{,x}(). Neither users nor developers benefit from them.
If we need better errors, we need to do some thinking. libcrypto won't
do that for us.

suggested by claudio
ok job

Add compliance checks for the version, KU, and EKU of TAK/MFT/GBR EE certs

OK tb@

In anticipation of a bump of the ASPA eContent profile version, update
valid_econtent_version() to allow for non-zero versions.

OK tb@

Convert generalizedtime_to_tm() to ASN1_TIME_to_tm()

Second step of moving away from ASN1_time_parse(). Being an OpenSSL API,
ASN1_TIME_to_tm() supports a variety of things. In this specific case we
don't really want it to parse anything but a GeneralizedTime expressed in
Zulu time. Unfortunately, OpenSSL make this annoying. So punt on this and
only do checks for the correct type and length. LibreSSL only accepts Zulu
time, so there is no change of behavior.

ok claudio job

Avoid use of LibreSSL-specific ASN1_time_tm_cmp() API

We convert these struct tm into time_t in the next few lines, so we can
simply use > instead.

ok claudio job

Improve accounting by tracking things by repo and tal.
This fixes some wrong accounting for repositories that are referenced
from more than one TAL. It changes the ometric lable output a little bit
since there are repository metrics that no longer include the 'name' label.
OK tb@

If the two mfts in mft_compare() are the same do not prefer the
first (DIR_VALID) but perfer the 2nd (DIR_TEMP) since this allows
rpki-client to move the equal files from .rrdp back into the valid
repo tree and so there are less unaccounted files for.
Problem noticed by and OK job@

Check that the CMS signing-time is not after the MFT's nextUpdate

Issuing manifests whose validity window is entirely in the past, as
observed from the purported CMS signing-time would be a form of backdating.

OK tb@

Revert accidental change from explicit to implicit tagging in r1.86.

ok job

Rename some data fields to closer match their provenance

OK tb@

Refactor expiration calculation

Unify common code paths which find the exact expiry moment into a new
helper function. Additionally, the new helper offers more accuracy by
checking more applicable CRLs whether their 'nextupdate' is 'sooner'.

tb@ noted: The helper adds a multiplier of log(#crls), but that's
certainly acceptable as it is still very cheap.

OK tb@

Initialize the local signtime variable in the individual *_parse()
functions

ok job

Unwrap a few lines and zap a tab

Show CMS signing-time signed attribute in filemode

OK tb@

Adjust comment for rtype_from_mftfile(). It is important that RTYPE_INVALID
is not an error. It marks file as not handled by rpki-client and they will
be ignored after checking that the provided hash matches.
New file types should only be added once the needed code in parse_entity() is
available.
OK tb@ job@

Remove unused ctype.h include

OK tb@

Only include stdarg.h, if we call any of va_{start,end}()

OK tb@

Add support for authenticating geofeed data CSV files in filemode

RFC 9092 describes a scheme in which an authenticator is appended to a
geofeed (RFC 8805) file. It is a digest of the main body of the file
signed by the private key of the relevant RPKI certificate for a covering
address range. The authenticator is a detached CMS signature.

with and OK tb@

Simplify use of strrchr()

with and OK tb@

Check the SIA signedObject in ROA/MFT/ASPA/TAK/GBR EE certificates

Unfortunately we can't yet error out when accessMethods other than
signedObject are encountered in the SubjectInformationAccess extension
because there is pollution in the ecosystem.

OK tb@

Add support for draft-ietf-sidrops-signed-tal-12

Add support validation of Signed Objects containing Trust Anchor Keys
(TAKs - aka 'Signed TALs'). Signed TALs provide a mechanism for RIRs
to distribute and sign the next Trust Anchor with the current Trust
Anchor. This might be an improvement over visiting RIR websites and
copy+pasting TAL data by hand.

OK tb@

All of ROA, MFT, ASPA, and RSC define their respective 'version' field
in ASN.1 as following: "version [0] INTEGER DEFAULT 0,". Each object
profile preamble contains "DEFINITIONS EXPLICIT TAGS ::=".

We didn't bump into any issue yet, because all Signed Objects are at
version 0, which means the field is entirely omitted (including the tag,
be it implicit or explicit). (From X.690 section 11.5: "The encoding of
a set value or a sequence value shall not include an encoding for any
component value which is equal to its default value.")

OK tb@

Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)

ASPA objects are published in the RPKI and can be used to detect and
mitigate BGP route leaks. Validated ASPA Payloads are visible through
filemode (-f) and the JSON output format (-j).

With feedback from tb@

OK claudio@ tb@

Remove dangling ASPA references until we land real support

OK tb@

Unify error messages on d2i failure for econtent

Dedup econtent version checks

Since the ASN.1 template conversions, we have three copies of mostly dead
code that validates that the econtent version is at its default value 0.
Until a new standard bumps this version and we decide to support that,
we're better off with only one copy of this code.

ok claudio

Fix off-by-one in MAX_MANIFEST_ENTRIES check

ok claudio job

I made non-trivial contributions to these files.

Improve #ifdefs for STACK_OF() helpers.

Discussed with claudio

Adjust or remove some stale comments

Rewrite mft.c and roa.c with ASN.1 templates

The ASN.1 templates are a rather direct translation of the ASN.1 in the
relevant RFCs and they allow deserializing the Manifest and ROA eContent
in a single step instead of numerous opaque d2i_ASN1_SEQUENCE_ANY() calls.
Once the eContent is deserialized, we can walk the structs, validate it
as before and populate the internal data structures.

Positive feedback job
ok claudio

whitespace spotted during read-thru

Verify MFT and GBR objects only carry RFC 3779 extensions set to 'inherit'

OK claudio@ tb@

Validate RSC filenames

Factor out POSIX portable filename check into a new valid_filename() and
rename the previous valid_filename() to valid_mft_filename(). Fixes and
supersedes imcomplete checks in the RSC code. Avoids truncation via
strndup() in case of embedded NULs.

input/ok claudio

Improve control flow readability by removing 'else if' stanzas

OK tb@ claudio@

Add preliminary support for decoding RSC objects in filemode

This implements decoding support for draft-ietf-sidrops-rpki-rsc-06

There are three major outstanding issues:

* The wire image might still change to conform to the more widely deployed
3779 API in libressl/openssl. IETF discussion ongoing.
* Whether the resources listed in the ResourceBlock are contained within
the EE's RFC 3779 extension is not hooked up yet.
* There is a fair bit of duplicity between rsc.c and cert.c, look for XXX

OK tb@

Add Concatenated JSON output in filemode (rpki-client -j -f *)

The schema is still work in progress.

OK claudio@

Avoid leaking crldp in mft_parse() if one of the crlfile checks fails.

ok claudio

Adjust on how CRL and MFT files are verified.

Verify the CRL referenced from the mft against the mft's fileAndHash info.
If the CRL matches then load it and use it to validate this mft. If the
mft validated OK add the now also valid CRL to the auth store for later use.

Before the newest CRL was always selected but that has negative consequences
because it is common practice to revoke the previous MFT's EE cert and with
that the cache is turned useless as soon as a new CRL is used. Also there
was a possibility that the CRL used for validation of the MFT was not the
one later used.

Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part
of the validation process. We opted in favor of the chached MFT.

With and OK tb@

Sort RTYPE in case alphabetically and mention ASPA in the comment.
No functional change.

All times in the x509 are UTC so use timegm() and not mktime().
The latter will apply the timezone offset and so the further west
the more probable you are to have problems with valid_from times.
Fix from tb@
OK job@, benno@ and me

Change x509_get_aki(), x509_get_ski(), x509_get_aia(), and x509_get_crl()
to work more like x509_get_expire(). They will return an error if the
extension extraction failed but not if it was not present. The callers
must now do that check but most did already.
With this cert_parse_inner() no longer cares about TA vs non-TA certs.
Feedback and OK tb@

Sync & permit ASPA objects to appear on Manifests

OK tb@ claudio@

Fix serial number printing in crl_print() for large serials.
Create a common x509_convert_seqnum() function to convert the various
ASN1_INTEGERs into hexnumbers and use this for mft and crl handling.
With and OK tb@, also OK job@

Properly handle .mft files as intended by the RFC. Instead of always
selecting the newest file this opens both the new (from rrdp or rsync)
and old (valid) MFT. It then compares the manifest number and based on
that the 'newer' MFT is selected.
The MFT file and hash check is also changed to always try both locations
and selecting whatever matches up with the hash. The selction is passed
back to the the main process and used later on to open exactly the same
file as was checked against the hash.
The MFT parsing code has been split up into multiple steps so that the
files can be parsed, compared and then fully validated.
In most cases this makes no difference but it prevents replay attacks
using old but still valid files.
With and OK tb@

Adjust code to handle unsupported file types a bit more graceful.
The file still needs to match its hash to make the MFT valid but then
there will only be a warning printed. Parsing of other files from that
MFT are not influenced.
OK tb@

Change valid_filename() ot return an enum rtype and rename it to
rtype_from_mftfile(). Move both rtype_from functions to mft.c.

ok beck claudio

Add function to determine the file type from the file name extension

rpki-client uses the same idiom to determine the file type in too many
places. Use one function that determines the appropriate RTYPE from the
file name. Add that type to struct mftfile and use this new member to
simplify queue_add_from_mft*().

input/ok claudio

Revert all the files that should have not been committed in last commit.

Kill extra newline

Cleanup the scattered OBJ_txt2obj() calls and move them into
x509_init_oid() to initalize all necessary OID objects at start.
OK tb@

Alter valid_filehash() to take a file descriptor instead of a path.
This is needed so that callers can allow a file to be in multiple
locations. Also move mft_check() from mft.c to parser.c.
OK tb@

Change the way the parser accesses files. It now builds the file path
based on information from the repository, a local path and the filename.
This simplifies some code both in the main process and the parser.
For this to work repositories are passed to the parser before any other
entity of this repository is passed. Struct entity is extended to include
the repoid and the path along the file(name).
Input and OK tb@ & job@

Cleanup mft file handling, especially the stale mft bits.
Move staleness check up into mft_parse_econtent() to simplify code.
Remove the big FIXME bits since they are no longer needed. The parent
process will only process MFTs that are not stale.
Cleanup a few other bits mainly unneccessary else if cascades and
use valid_filename() to check if the filename embedded in the mft
fileandhash is sensible.
OK tb@

Limit how many FileAndHash entries a single manifest may contain

OK claudio@

Change CMS and CRL d2i functions from their BIO version to passing the
der buffer instead. The file are loaded early in the entity processing
loop.
OK tb@

Restrict the characterset for filenames on Manifests

feedback from benno@

OK claudio@

Finnally move away from blocking reads in rpki-client. The code was a
mish mash of poll, non-blocking writes and blocking reads. Using the
introduced ibuf size header in io_buf_new()/io_buf_close() the read
side can be changed to pull in a full ibuf and only start the un-marshal
once all data has been read.
OK benno@

branches: 1.38.4;
Rework how various OIDs are compared in the code.

Instead of converting the ASN1_OBJECT into a string and comparing the
strings, convert the string into an ASN1_OBJECT once and then compare
these objects with OBJ_cmp().

Makes the code a bit easier to read and removes some repetitive conversions.
With input and OK tb@

The number of elements being processed is known upfront. So allocate the
storage needed outside of the loop. This reduces the number of recallocarray
calls.
OK tb@

Add more checks for eContent 'version' fields.

Input from deraadt@, tb@, claudio@

OK deraadt@ claudio@ tb@

Fix ROA & MFT version check handling

This check was incomplete: to correctly verify the ASN1 INTEGER holding
the version component, first the context specific explicit tag would need
to be checked.

However, the X.690 spec (section 11.5) states that if the one should not
encode a component if it is the default value. There are no RFCs specifying
new versions of ROA or MFT, so checking the content of the version component
should be skipped entirely.

Thus if the version component is present, something is wrong.

Before calling ASN1_time_parse() initialize the struct tm. While
recent libressl version initalise the struct tm properly older
versions did not and so -portable runs into problem on systems
with older libressl versions installed.
Problem found by job@
OK tb@

Garbage collect sz in mft_parse_filehash() which has been unused
since mft.c r1.20.

branches: 1.32.2;
Inline x509_get_extensions() and remove it

Since aia, aki and ski are all represented by char *, this is an
error-prone interface - as found by job. The function doesn't do
much anyway.

ok claudio

Add some restrictions to manifest object profile

OK tb@, feedback from claudio@

Send arguments in alphabetical order

OK tb@

Factor out the SHA256 hash checks into valid_filehash() so that it can
be used by the RRDP code as well.
OK tb@

Use the same way to error out in out of memory situation.
Just use 'err(1, NULL);' there is no need to include the type of function
that failed since it is still impossible to locate the right call.
Just use a debugger in that case.
OK tb@ deraadt@

Convert reallocarray + memset to recallocarray.

ok claudio

get Authority Information Access (AIA) from CA & EE certs

In the context of the RPKI, the AIA extension identifies the publication
point of the certificate of the issuer of the certificate in which the
extension appears. A single reference to the publication point of the
immediate superior certificate MUST be present, except for a
"self-signed" certificate.

Thanks tb@ for review

OK claudio@

Eventhough most openssl includes include everything try to be a bit more
explicit about what is used where. Seems to be the least worst solution.

A while ago rpki-client was changed to validate the sha256 hashes of
files referenced in MFT files during the validation of the MFT file.
An MFT is only valid if all files are present and their hashes are valid.
Because of this there is no longer the need to check the hash when
these files are parsed later on. Remove these checks for CRT, ROA and CRL
files. Use the presence of the pkey when parsing cert files to decide
if it is a root cert or not.
OK tb@

Start using the ibuf API (ibuf_dynamic, ibuf_add, ibuf_close) for writing
data between processes. This completely decouples the write side.
rpki-client can't really use the imsg framework but it can use the ibuf
bits wich imsg is built on.
OK benno@ job@

Now that a NULL string is marshalled as NULL again we can drop some
extra has_xyz integers to indicate if the following buffer is present
or not. At the same time sprinkle some asserts for strings which must
be not NULL.
OK tb@

Use asprintf with %.*s to construct the path based on the mft file
location and the filename of the referenced file. Use the same method
both in main.c and mft.c which is a fair bit simpler than using calloc
and strlcpy/strlcat to build the string by hand.
OK tb@

All files provided in a manifest needs to be checked against the provided
hash even if rpki-client ignores this file later on.
OK job@

Treat stale manifests as such, not as 'failed to parse'

There is currently dead code in mft_parse() that handles stale
manifests by setting the stale flag and removing all files they
reference. This code was made unreachable in a refactor that
fixed a logic error that made mft_parse() succeed despite its
error handling. check_validity() returns three possible values.
Report failures and stale mfts back immediately via rc. Success
needs to reset rc to -1, so subsequent errors are reported as
such.

This is mostly cosmetic and only changes the rpki-client output
in that the comment at the top of the config now actually shows
stale manifests. This makes regress pass again.

ok claudio job

typo

Fix checks for manifest validity interval

The check_validity() function used the X509_cmp_time() functions with
GeneralizedTime. This doesn't work with current dates since LibreSSL
enforces conformance with RFC 5280 in X509_cmp_time(), which requires
that dates before 2050 are represented with UTCTime. The functions
would return an error, but missing error checking led to failing to
detect expired or not yet valid manifests. Fix this by converting the
dates into struct tm and using ASN1_time_tm_cmp() instead.

With input from claudio, jsing

ok benno claudio jsing

branches: 1.16.4;
Include openssl/x509.h in extern.h since it uses a few of the typedefs from
there in structs and prototypes. Remove the openssl/ssl.h and other strange
openssl includes in the .c files that don't use openssl specific functions.
OK beck@ and tb@

Remove -f (force) option.

The -f option existed for some initial debugging work.

Thanks Weerd for review

OK claudio@

branches: 1.14.4;
Avoid using libc SHA256File(), just perform the operation inline to
make things easier for -portable
ok claudio

Split the mft file and hash check from the mft parsing. This makes it easier
to check all files in a mft before failing and also the check is now done
after the embedded cert was checked.
This refactor was triggered because of a bug in mft_parse_econtent().
check_validity() altered rc but later failure code assumed that goto out
is good enough to return an error (rc == -1) but since rc was 1 success
was returned. This bug is now also fixed.
Bug report and OK job@

Delay failure in mft parsing until all elements of FileAndHash have been
checked. This way all corrupted or missing files should show up in a
single run. This should help operators to get a better idea what and how
much is broken.
OK benno@

Check the hash and with it the presence of a file referenced in a MFT early
on. In case the file hash does not match or the file does not exist the full
MFT is considered invalid and dropped. With this partial ROA updates based
on a corrupt data set will produce less likely inconsistencies in the VRP
output.
With and OK job@

The code is more what you'd call 'guidelines' than actual rules.
s/EXIT_FAILURE/1/
ok claudio@

enable more warning flags and fix a few issues noticed.
ok claudio@ deraadt@

Rewrite the time validity check for mfts. Using ASN1_GENERALIZEDTIME_print
and strptime to convert the timestamp does not correctly account for the
timezone. Instead use X509_cmp_time which later on should be replaced with
ASN1_time_tm_cmp since the ASN1_STRING_cmp() check at the end will fail
around 2049.

Problem with timezone reported by Alexandre Hamada (hamada at registro.br).
He also tested this diff.
OK tb@

Show the most common warnings only if verbose is set. Most of these warnings
were shown because of an inconsistent rpki database and is no real problem.
OK florian@

Those changes should not have been in last commit. Revert them for now.

Don't use assert to validate user input. assert() is not for that, instead
check and error out like it is done one other parsing issues.
Agreed by deraadt@
Fixes another afl "crash" found by jsg@

use $OpenBSD$ headers

indentation adjustments, in particular near warn statements
ok claudio

Don't do -portable in base. It is better done outside the tree.
Imagine if we did it throughout the tree, how many copies of strlcpy
would we have, and how much time would all the configure shell scripts
and includes take? It would be ludicrous.

branches: 1.1.1;
Initial revision

Update references to new and not quite so new RFCs

Four warnings now contain "RFC 9582" rather than "RFC 6482bis".
Also update some references to I-Ds.

ok claudio

Instead of tracking certificates by SKI track them by an internal identifier.

The certificate SKI is not strictly unique so using it as a unique id is
problematic. It is also not really needed to do that since in theory we
already know the path (but this got lost in the privsep communication).
So add a cert id and pass this id back and forth between main process and
the parser. With this id we can lookup the authentication chain in the
parser and this even works with multiple paths to the same resource.
Since we no longer lookup by SKI the valid_aki_ski function is replaced
by find_issuer() which does the lookup by certid.

The loop protection is now extended to allow each TAL to reach each file
once but still triggers if a file is reaccessed by the tree of a TAL.

In filemode the lookup now uses an AIA uri based lookup tree. Again this
replaces the SKI based lookups from before.

Done together with tb@
OK tb@ job@

rpki-client: plug leak of the crl path

also, drop an unnecessary NULL check and make freeing have the same order
as the struct field so auditing for leaks is easier.

ok claudio

Display distinct errors for various problematic CRL/MFT situationships

RFC 6487 section 8 specifies only a single CRL is issued at a time, so
error when multiple .crl files are listed in a Manifest's FileList.

The CRLDP extension identifies the location of the CRL, so the CRL's
filename must match the CA's CRLDP's 'rsync://' entry, error if that
isn't the case. (RFC 6486 section 4.8.6)

with & OK tb@

Add support for RPKI Signed Prefix Lists

Signed Prefix List are a CMS protected content type for use with the
RPKI to carry the complete list of prefixes which an Autonomous System
may originate to all or any of its routing peers. The validation of a
Signed Prefix List confirms that the holder of the listed ASN produced
the object, and that this list is a current, accurate and complete
description of address prefixes that may be announced into the routing
system originated by this AS.

https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-prefixlist

with and OK claudio@ tb@

rpki-client: remove the remaining struct parse

With the exception of mft.c where there is an additional boolean, this
struct carries a file name and a result. This means functions having
struct parse in the signature can't be shared between files, which has
been annoying. Simply pass file name and necessary info directly as a
function parameter and add a small dance to handle the boolean in mft.c.

ok job

Rename fn into file to avoid clash in upcoming diff

ok job

Use _asn1 suffix for some aspa/mft/roa/rsc/tak

This would otherwie clash with an upcoming replacement of struct parse.

ok job

Ensure that the FileAndHashes list in a mft has no duplicates

ok job

Add explicit ASN1_ITEM_EXP prototypes

In LibreSSL *_it are variables, in other implementations they might
be a function. This helps squash compiler warnings in -portable.

Related: https://github.com/openbsd/src/commit/65af98848fc7a42e34d470d10fc1db8e23f9db93

OK tb@

Check whether all data in eContent has been consumed

It is possible that a given ASN.1 template generated d2i_*() function
didn't consume all data, so there is a potential for malleability.
The econtent is a sequence (which means it could be the concatenation
of several DER "blobs"). d2i_*() would only deserialize the first one
and not notice blobs following it.

OK tb@

Use x509_get_time() to get the Manifest thisUpdate / nextUpdate

From the moment d2i_Manifest() was introduced, it was automatically
checked whether the thisUpdate/nextUpdate are ASN1_GENERALIZEDTIME.

Unfortunately, an additional check is needed, because OpenSSL doesn't
require RFC 5280 conformance for GeneralizedTime DER encoding.

OK tb@

Refactor handling of stale manifests

No need to hoist a staleness indicator through the whole process and
count it explicitly.

OK tb@

Remove old comment

OK tb@

Introduce and use mft_compare_issued()

Newly issued manifests should not only have a higher manifestNumber,
their issuance time should also be later. Add corresponding checks
and warnings when comparing a newly fetched manifest to a manifest
from the cache.

ok job (who noticed that such a check was missing)

Rename mft_compare() to mft_compare_seqnum()

This makes it clearer what exactly this function compares. Also drop some
NULL checks that made the semantics of this function tricky.

ok job

Log a warning when a manifest replay is detected

OK tb@ claudio@

Allow imposing constraints on RPKI trust anchors

The ability to constrain a RPKI Trust Anchor's effective signing
authority to a limited set of Internet Number Resources allows
Relying Parties to enjoy the potential benefits of assuming trust,
within a bounded scope.

Some examples: ARIN does not support inter-RIR IPv6 transfers, so
it wouldn't make any sense to see a ROA subordinate to ARIN's trust
anchor covering RIPE-managed IPv6 space. Conversely, it wouldn't
make sense to observe a ROA covering ARIN-managed IPv6 space under
APNIC's, LACNIC's, or RIPE's trust anchor - even if a derived trust
arc (a cryptographically valid certificate path) existed. Along these
same lines, AFRINIC doesn't support inter-RIR transfers of any kind,
and none of the RIRs have authority over private resources like
10.0.0.0/8 and 2001:db8::/32.

For more background see:
https://datatracker.ietf.org/doc/draft-snijders-constraining-rpki-trust-anchors/
https://mailman.nanog.org/pipermail/nanog/2023-September/223354.html

With and OK tb@, OK claudio@

Pass the talid to various parse functions

This will be needed by an upcoming feature where we will need to know
what trust anchor a given cert chains to. This doesn't change anything
except the size of the diff.

ok claudio job

Shuffle the order in which Manifest entries are processed

Previously work items were enqueued in the order the CA intended them
to appear on a Manifest. However, there is no obvious benefit to letting
third parties decide the order in which things are processed.

Instead, randomize: ordering has no meaning anyway, and the number of
concurrent repository synchronization operations is limited & timeboxed.
As they say, a fox is not taken twice in the same snare

OK tb@

Retire log.c

Convert all cryptowarnx() and cryptoerrx() to appropriate versions of
warn() and err{,x}(). Neither users nor developers benefit from them.
If we need better errors, we need to do some thinking. libcrypto won't
do that for us.

suggested by claudio
ok job

Add compliance checks for the version, KU, and EKU of TAK/MFT/GBR EE certs

OK tb@

In anticipation of a bump of the ASPA eContent profile version, update
valid_econtent_version() to allow for non-zero versions.

OK tb@

Convert generalizedtime_to_tm() to ASN1_TIME_to_tm()

Second step of moving away from ASN1_time_parse(). Being an OpenSSL API,
ASN1_TIME_to_tm() supports a variety of things. In this specific case we
don't really want it to parse anything but a GeneralizedTime expressed in
Zulu time. Unfortunately, OpenSSL make this annoying. So punt on this and
only do checks for the correct type and length. LibreSSL only accepts Zulu
time, so there is no change of behavior.

ok claudio job

Avoid use of LibreSSL-specific ASN1_time_tm_cmp() API

We convert these struct tm into time_t in the next few lines, so we can
simply use > instead.

ok claudio job

Improve accounting by tracking things by repo and tal.
This fixes some wrong accounting for repositories that are referenced
from more than one TAL. It changes the ometric lable output a little bit
since there are repository metrics that no longer include the 'name' label.
OK tb@

If the two mfts in mft_compare() are the same do not prefer the
first (DIR_VALID) but perfer the 2nd (DIR_TEMP) since this allows
rpki-client to move the equal files from .rrdp back into the valid
repo tree and so there are less unaccounted files for.
Problem noticed by and OK job@

Check that the CMS signing-time is not after the MFT's nextUpdate

Issuing manifests whose validity window is entirely in the past, as
observed from the purported CMS signing-time would be a form of backdating.

OK tb@

Revert accidental change from explicit to implicit tagging in r1.86.

ok job

Rename some data fields to closer match their provenance

OK tb@

Refactor expiration calculation

Unify common code paths which find the exact expiry moment into a new
helper function. Additionally, the new helper offers more accuracy by
checking more applicable CRLs whether their 'nextupdate' is 'sooner'.

tb@ noted: The helper adds a multiplier of log(#crls), but that's
certainly acceptable as it is still very cheap.

OK tb@

Initialize the local signtime variable in the individual *_parse()
functions

ok job

Unwrap a few lines and zap a tab

Show CMS signing-time signed attribute in filemode

OK tb@

Adjust comment for rtype_from_mftfile(). It is important that RTYPE_INVALID
is not an error. It marks file as not handled by rpki-client and they will
be ignored after checking that the provided hash matches.
New file types should only be added once the needed code in parse_entity() is
available.
OK tb@ job@

Remove unused ctype.h include

OK tb@

Only include stdarg.h, if we call any of va_{start,end}()

OK tb@

Add support for authenticating geofeed data CSV files in filemode

RFC 9092 describes a scheme in which an authenticator is appended to a
geofeed (RFC 8805) file. It is a digest of the main body of the file
signed by the private key of the relevant RPKI certificate for a covering
address range. The authenticator is a detached CMS signature.

with and OK tb@

Simplify use of strrchr()

with and OK tb@

Check the SIA signedObject in ROA/MFT/ASPA/TAK/GBR EE certificates

Unfortunately we can't yet error out when accessMethods other than
signedObject are encountered in the SubjectInformationAccess extension
because there is pollution in the ecosystem.

OK tb@

Add support for draft-ietf-sidrops-signed-tal-12

Add support validation of Signed Objects containing Trust Anchor Keys
(TAKs - aka 'Signed TALs'). Signed TALs provide a mechanism for RIRs
to distribute and sign the next Trust Anchor with the current Trust
Anchor. This might be an improvement over visiting RIR websites and
copy+pasting TAL data by hand.

OK tb@

All of ROA, MFT, ASPA, and RSC define their respective 'version' field
in ASN.1 as following: "version [0] INTEGER DEFAULT 0,". Each object
profile preamble contains "DEFINITIONS EXPLICIT TAGS ::=".

We didn't bump into any issue yet, because all Signed Objects are at
version 0, which means the field is entirely omitted (including the tag,
be it implicit or explicit). (From X.690 section 11.5: "The encoding of
a set value or a sequence value shall not include an encoding for any
component value which is equal to its default value.")

OK tb@

Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)

ASPA objects are published in the RPKI and can be used to detect and
mitigate BGP route leaks. Validated ASPA Payloads are visible through
filemode (-f) and the JSON output format (-j).

With feedback from tb@

OK claudio@ tb@

Remove dangling ASPA references until we land real support

OK tb@

Unify error messages on d2i failure for econtent

Dedup econtent version checks

Since the ASN.1 template conversions, we have three copies of mostly dead
code that validates that the econtent version is at its default value 0.
Until a new standard bumps this version and we decide to support that,
we're better off with only one copy of this code.

ok claudio

Fix off-by-one in MAX_MANIFEST_ENTRIES check

ok claudio job

I made non-trivial contributions to these files.

Improve #ifdefs for STACK_OF() helpers.

Discussed with claudio

Adjust or remove some stale comments

Rewrite mft.c and roa.c with ASN.1 templates

The ASN.1 templates are a rather direct translation of the ASN.1 in the
relevant RFCs and they allow deserializing the Manifest and ROA eContent
in a single step instead of numerous opaque d2i_ASN1_SEQUENCE_ANY() calls.
Once the eContent is deserialized, we can walk the structs, validate it
as before and populate the internal data structures.

Positive feedback job
ok claudio

whitespace spotted during read-thru

Verify MFT and GBR objects only carry RFC 3779 extensions set to 'inherit'

OK claudio@ tb@

Validate RSC filenames

Factor out POSIX portable filename check into a new valid_filename() and
rename the previous valid_filename() to valid_mft_filename(). Fixes and
supersedes imcomplete checks in the RSC code. Avoids truncation via
strndup() in case of embedded NULs.

input/ok claudio

Improve control flow readability by removing 'else if' stanzas

OK tb@ claudio@

Add preliminary support for decoding RSC objects in filemode

This implements decoding support for draft-ietf-sidrops-rpki-rsc-06

There are three major outstanding issues:

* The wire image might still change to conform to the more widely deployed
3779 API in libressl/openssl. IETF discussion ongoing.
* Whether the resources listed in the ResourceBlock are contained within
the EE's RFC 3779 extension is not hooked up yet.
* There is a fair bit of duplicity between rsc.c and cert.c, look for XXX

OK tb@

Add Concatenated JSON output in filemode (rpki-client -j -f *)

The schema is still work in progress.

OK claudio@

Avoid leaking crldp in mft_parse() if one of the crlfile checks fails.

ok claudio

Adjust on how CRL and MFT files are verified.

Verify the CRL referenced from the mft against the mft's fileAndHash info.
If the CRL matches then load it and use it to validate this mft. If the
mft validated OK add the now also valid CRL to the auth store for later use.

Before the newest CRL was always selected but that has negative consequences
because it is common practice to revoke the previous MFT's EE cert and with
that the cache is turned useless as soon as a new CRL is used. Also there
was a possibility that the CRL used for validation of the MFT was not the
one later used.

Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part
of the validation process. We opted in favor of the chached MFT.

With and OK tb@

Sort RTYPE in case alphabetically and mention ASPA in the comment.
No functional change.

All times in the x509 are UTC so use timegm() and not mktime().
The latter will apply the timezone offset and so the further west
the more probable you are to have problems with valid_from times.
Fix from tb@
OK job@, benno@ and me

Change x509_get_aki(), x509_get_ski(), x509_get_aia(), and x509_get_crl()
to work more like x509_get_expire(). They will return an error if the
extension extraction failed but not if it was not present. The callers
must now do that check but most did already.
With this cert_parse_inner() no longer cares about TA vs non-TA certs.
Feedback and OK tb@

Sync & permit ASPA objects to appear on Manifests

OK tb@ claudio@

Fix serial number printing in crl_print() for large serials.
Create a common x509_convert_seqnum() function to convert the various
ASN1_INTEGERs into hexnumbers and use this for mft and crl handling.
With and OK tb@, also OK job@

Properly handle .mft files as intended by the RFC. Instead of always
selecting the newest file this opens both the new (from rrdp or rsync)
and old (valid) MFT. It then compares the manifest number and based on
that the 'newer' MFT is selected.
The MFT file and hash check is also changed to always try both locations
and selecting whatever matches up with the hash. The selction is passed
back to the the main process and used later on to open exactly the same
file as was checked against the hash.
The MFT parsing code has been split up into multiple steps so that the
files can be parsed, compared and then fully validated.
In most cases this makes no difference but it prevents replay attacks
using old but still valid files.
With and OK tb@

Adjust code to handle unsupported file types a bit more graceful.
The file still needs to match its hash to make the MFT valid but then
there will only be a warning printed. Parsing of other files from that
MFT are not influenced.
OK tb@

Change valid_filename() ot return an enum rtype and rename it to
rtype_from_mftfile(). Move both rtype_from functions to mft.c.

ok beck claudio

Add function to determine the file type from the file name extension

rpki-client uses the same idiom to determine the file type in too many
places. Use one function that determines the appropriate RTYPE from the
file name. Add that type to struct mftfile and use this new member to
simplify queue_add_from_mft*().

input/ok claudio

Revert all the files that should have not been committed in last commit.

Kill extra newline

Cleanup the scattered OBJ_txt2obj() calls and move them into
x509_init_oid() to initalize all necessary OID objects at start.
OK tb@

Alter valid_filehash() to take a file descriptor instead of a path.
This is needed so that callers can allow a file to be in multiple
locations. Also move mft_check() from mft.c to parser.c.
OK tb@

Change the way the parser accesses files. It now builds the file path
based on information from the repository, a local path and the filename.
This simplifies some code both in the main process and the parser.
For this to work repositories are passed to the parser before any other
entity of this repository is passed. Struct entity is extended to include
the repoid and the path along the file(name).
Input and OK tb@ & job@

Cleanup mft file handling, especially the stale mft bits.
Move staleness check up into mft_parse_econtent() to simplify code.
Remove the big FIXME bits since they are no longer needed. The parent
process will only process MFTs that are not stale.
Cleanup a few other bits mainly unneccessary else if cascades and
use valid_filename() to check if the filename embedded in the mft
fileandhash is sensible.
OK tb@

Limit how many FileAndHash entries a single manifest may contain

OK claudio@

Change CMS and CRL d2i functions from their BIO version to passing the
der buffer instead. The file are loaded early in the entity processing
loop.
OK tb@

Restrict the characterset for filenames on Manifests

feedback from benno@

OK claudio@

Finnally move away from blocking reads in rpki-client. The code was a
mish mash of poll, non-blocking writes and blocking reads. Using the
introduced ibuf size header in io_buf_new()/io_buf_close() the read
side can be changed to pull in a full ibuf and only start the un-marshal
once all data has been read.
OK benno@

branches: 1.38.4;
Rework how various OIDs are compared in the code.

Instead of converting the ASN1_OBJECT into a string and comparing the
strings, convert the string into an ASN1_OBJECT once and then compare
these objects with OBJ_cmp().

Makes the code a bit easier to read and removes some repetitive conversions.
With input and OK tb@

The number of elements being processed is known upfront. So allocate the
storage needed outside of the loop. This reduces the number of recallocarray
calls.
OK tb@

Add more checks for eContent 'version' fields.

Input from deraadt@, tb@, claudio@

OK deraadt@ claudio@ tb@

Fix ROA & MFT version check handling

This check was incomplete: to correctly verify the ASN1 INTEGER holding
the version component, first the context specific explicit tag would need
to be checked.

However, the X.690 spec (section 11.5) states that if the one should not
encode a component if it is the default value. There are no RFCs specifying
new versions of ROA or MFT, so checking the content of the version component
should be skipped entirely.

Thus if the version component is present, something is wrong.

Before calling ASN1_time_parse() initialize the struct tm. While
recent libressl version initalise the struct tm properly older
versions did not and so -portable runs into problem on systems
with older libressl versions installed.
Problem found by job@
OK tb@

Garbage collect sz in mft_parse_filehash() which has been unused
since mft.c r1.20.

branches: 1.32.2;
Inline x509_get_extensions() and remove it

Since aia, aki and ski are all represented by char *, this is an
error-prone interface - as found by job. The function doesn't do
much anyway.

ok claudio

Add some restrictions to manifest object profile

OK tb@, feedback from claudio@

Send arguments in alphabetical order

OK tb@

Factor out the SHA256 hash checks into valid_filehash() so that it can
be used by the RRDP code as well.
OK tb@

Use the same way to error out in out of memory situation.
Just use 'err(1, NULL);' there is no need to include the type of function
that failed since it is still impossible to locate the right call.
Just use a debugger in that case.
OK tb@ deraadt@

Convert reallocarray + memset to recallocarray.

ok claudio

get Authority Information Access (AIA) from CA & EE certs

In the context of the RPKI, the AIA extension identifies the publication
point of the certificate of the issuer of the certificate in which the
extension appears. A single reference to the publication point of the
immediate superior certificate MUST be present, except for a
"self-signed" certificate.

Thanks tb@ for review

OK claudio@

Eventhough most openssl includes include everything try to be a bit more
explicit about what is used where. Seems to be the least worst solution.

A while ago rpki-client was changed to validate the sha256 hashes of
files referenced in MFT files during the validation of the MFT file.
An MFT is only valid if all files are present and their hashes are valid.
Because of this there is no longer the need to check the hash when
these files are parsed later on. Remove these checks for CRT, ROA and CRL
files. Use the presence of the pkey when parsing cert files to decide
if it is a root cert or not.
OK tb@

Start using the ibuf API (ibuf_dynamic, ibuf_add, ibuf_close) for writing
data between processes. This completely decouples the write side.
rpki-client can't really use the imsg framework but it can use the ibuf
bits wich imsg is built on.
OK benno@ job@

Now that a NULL string is marshalled as NULL again we can drop some
extra has_xyz integers to indicate if the following buffer is present
or not. At the same time sprinkle some asserts for strings which must
be not NULL.
OK tb@

Use asprintf with %.*s to construct the path based on the mft file
location and the filename of the referenced file. Use the same method
both in main.c and mft.c which is a fair bit simpler than using calloc
and strlcpy/strlcat to build the string by hand.
OK tb@

All files provided in a manifest needs to be checked against the provided
hash even if rpki-client ignores this file later on.
OK job@

Treat stale manifests as such, not as 'failed to parse'

There is currently dead code in mft_parse() that handles stale
manifests by setting the stale flag and removing all files they
reference. This code was made unreachable in a refactor that
fixed a logic error that made mft_parse() succeed despite its
error handling. check_validity() returns three possible values.
Report failures and stale mfts back immediately via rc. Success
needs to reset rc to -1, so subsequent errors are reported as
such.

This is mostly cosmetic and only changes the rpki-client output
in that the comment at the top of the config now actually shows
stale manifests. This makes regress pass again.

ok claudio job

typo

Fix checks for manifest validity interval

The check_validity() function used the X509_cmp_time() functions with
GeneralizedTime. This doesn't work with current dates since LibreSSL
enforces conformance with RFC 5280 in X509_cmp_time(), which requires
that dates before 2050 are represented with UTCTime. The functions
would return an error, but missing error checking led to failing to
detect expired or not yet valid manifests. Fix this by converting the
dates into struct tm and using ASN1_time_tm_cmp() instead.

With input from claudio, jsing

ok benno claudio jsing

branches: 1.16.4;
Include openssl/x509.h in extern.h since it uses a few of the typedefs from
there in structs and prototypes. Remove the openssl/ssl.h and other strange
openssl includes in the .c files that don't use openssl specific functions.
OK beck@ and tb@

Remove -f (force) option.

The -f option existed for some initial debugging work.

Thanks Weerd for review

OK claudio@

branches: 1.14.4;
Avoid using libc SHA256File(), just perform the operation inline to
make things easier for -portable
ok claudio

Split the mft file and hash check from the mft parsing. This makes it easier
to check all files in a mft before failing and also the check is now done
after the embedded cert was checked.
This refactor was triggered because of a bug in mft_parse_econtent().
check_validity() altered rc but later failure code assumed that goto out
is good enough to return an error (rc == -1) but since rc was 1 success
was returned. This bug is now also fixed.
Bug report and OK job@

Delay failure in mft parsing until all elements of FileAndHash have been
checked. This way all corrupted or missing files should show up in a
single run. This should help operators to get a better idea what and how
much is broken.
OK benno@

Check the hash and with it the presence of a file referenced in a MFT early
on. In case the file hash does not match or the file does not exist the full
MFT is considered invalid and dropped. With this partial ROA updates based
on a corrupt data set will produce less likely inconsistencies in the VRP
output.
With and OK job@

The code is more what you'd call 'guidelines' than actual rules.
s/EXIT_FAILURE/1/
ok claudio@

enable more warning flags and fix a few issues noticed.
ok claudio@ deraadt@

Rewrite the time validity check for mfts. Using ASN1_GENERALIZEDTIME_print
and strptime to convert the timestamp does not correctly account for the
timezone. Instead use X509_cmp_time which later on should be replaced with
ASN1_time_tm_cmp since the ASN1_STRING_cmp() check at the end will fail
around 2049.

Problem with timezone reported by Alexandre Hamada (hamada at registro.br).
He also tested this diff.
OK tb@

Show the most common warnings only if verbose is set. Most of these warnings
were shown because of an inconsistent rpki database and is no real problem.
OK florian@

Those changes should not have been in last commit. Revert them for now.

Don't use assert to validate user input. assert() is not for that, instead
check and error out like it is done one other parsing issues.
Agreed by deraadt@
Fixes another afl "crash" found by jsg@

use $OpenBSD$ headers

indentation adjustments, in particular near warn statements
ok claudio

Don't do -portable in base. It is better done outside the tree.
Imagine if we did it throughout the tree, how many copies of strlcpy
would we have, and how much time would all the configure shell scripts
and includes take? It would be ludicrous.

branches: 1.1.1;
Initial revision

Instead of tracking certificates by SKI track them by an internal identifier.

The certificate SKI is not strictly unique so using it as a unique id is
problematic. It is also not really needed to do that since in theory we
already know the path (but this got lost in the privsep communication).
So add a cert id and pass this id back and forth between main process and
the parser. With this id we can lookup the authentication chain in the
parser and this even works with multiple paths to the same resource.
Since we no longer lookup by SKI the valid_aki_ski function is replaced
by find_issuer() which does the lookup by certid.

The loop protection is now extended to allow each TAL to reach each file
once but still triggers if a file is reaccessed by the tree of a TAL.

In filemode the lookup now uses an AIA uri based lookup tree. Again this
replaces the SKI based lookups from before.

Done together with tb@
OK tb@ job@

rpki-client: plug leak of the crl path

also, drop an unnecessary NULL check and make freeing have the same order
as the struct field so auditing for leaks is easier.

ok claudio

Display distinct errors for various problematic CRL/MFT situationships

RFC 6487 section 8 specifies only a single CRL is issued at a time, so
error when multiple .crl files are listed in a Manifest's FileList.

The CRLDP extension identifies the location of the CRL, so the CRL's
filename must match the CA's CRLDP's 'rsync://' entry, error if that
isn't the case. (RFC 6486 section 4.8.6)

with & OK tb@

Add support for RPKI Signed Prefix Lists

Signed Prefix List are a CMS protected content type for use with the
RPKI to carry the complete list of prefixes which an Autonomous System
may originate to all or any of its routing peers. The validation of a
Signed Prefix List confirms that the holder of the listed ASN produced
the object, and that this list is a current, accurate and complete
description of address prefixes that may be announced into the routing
system originated by this AS.

https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-prefixlist

with and OK claudio@ tb@

rpki-client: remove the remaining struct parse

With the exception of mft.c where there is an additional boolean, this
struct carries a file name and a result. This means functions having
struct parse in the signature can't be shared between files, which has
been annoying. Simply pass file name and necessary info directly as a
function parameter and add a small dance to handle the boolean in mft.c.

ok job

Rename fn into file to avoid clash in upcoming diff

ok job

Use _asn1 suffix for some aspa/mft/roa/rsc/tak

This would otherwie clash with an upcoming replacement of struct parse.

ok job

Ensure that the FileAndHashes list in a mft has no duplicates

ok job

Add explicit ASN1_ITEM_EXP prototypes

In LibreSSL *_it are variables, in other implementations they might
be a function. This helps squash compiler warnings in -portable.

Related: https://github.com/openbsd/src/commit/65af98848fc7a42e34d470d10fc1db8e23f9db93

OK tb@

Check whether all data in eContent has been consumed

It is possible that a given ASN.1 template generated d2i_*() function
didn't consume all data, so there is a potential for malleability.
The econtent is a sequence (which means it could be the concatenation
of several DER "blobs"). d2i_*() would only deserialize the first one
and not notice blobs following it.

OK tb@

Use x509_get_time() to get the Manifest thisUpdate / nextUpdate

From the moment d2i_Manifest() was introduced, it was automatically
checked whether the thisUpdate/nextUpdate are ASN1_GENERALIZEDTIME.

Unfortunately, an additional check is needed, because OpenSSL doesn't
require RFC 5280 conformance for GeneralizedTime DER encoding.

OK tb@

Refactor handling of stale manifests

No need to hoist a staleness indicator through the whole process and
count it explicitly.

OK tb@

Remove old comment

OK tb@

Introduce and use mft_compare_issued()

Newly issued manifests should not only have a higher manifestNumber,
their issuance time should also be later. Add corresponding checks
and warnings when comparing a newly fetched manifest to a manifest
from the cache.

ok job (who noticed that such a check was missing)

Rename mft_compare() to mft_compare_seqnum()

This makes it clearer what exactly this function compares. Also drop some
NULL checks that made the semantics of this function tricky.

ok job

Log a warning when a manifest replay is detected

OK tb@ claudio@

Allow imposing constraints on RPKI trust anchors

The ability to constrain a RPKI Trust Anchor's effective signing
authority to a limited set of Internet Number Resources allows
Relying Parties to enjoy the potential benefits of assuming trust,
within a bounded scope.

Some examples: ARIN does not support inter-RIR IPv6 transfers, so
it wouldn't make any sense to see a ROA subordinate to ARIN's trust
anchor covering RIPE-managed IPv6 space. Conversely, it wouldn't
make sense to observe a ROA covering ARIN-managed IPv6 space under
APNIC's, LACNIC's, or RIPE's trust anchor - even if a derived trust
arc (a cryptographically valid certificate path) existed. Along these
same lines, AFRINIC doesn't support inter-RIR transfers of any kind,
and none of the RIRs have authority over private resources like
10.0.0.0/8 and 2001:db8::/32.

For more background see:
https://datatracker.ietf.org/doc/draft-snijders-constraining-rpki-trust-anchors/
https://mailman.nanog.org/pipermail/nanog/2023-September/223354.html

With and OK tb@, OK claudio@

Pass the talid to various parse functions

This will be needed by an upcoming feature where we will need to know
what trust anchor a given cert chains to. This doesn't change anything
except the size of the diff.

ok claudio job

Shuffle the order in which Manifest entries are processed

Previously work items were enqueued in the order the CA intended them
to appear on a Manifest. However, there is no obvious benefit to letting
third parties decide the order in which things are processed.

Instead, randomize: ordering has no meaning anyway, and the number of
concurrent repository synchronization operations is limited & timeboxed.
As they say, a fox is not taken twice in the same snare

OK tb@

Retire log.c

Convert all cryptowarnx() and cryptoerrx() to appropriate versions of
warn() and err{,x}(). Neither users nor developers benefit from them.
If we need better errors, we need to do some thinking. libcrypto won't
do that for us.

suggested by claudio
ok job

Add compliance checks for the version, KU, and EKU of TAK/MFT/GBR EE certs

OK tb@

In anticipation of a bump of the ASPA eContent profile version, update
valid_econtent_version() to allow for non-zero versions.

OK tb@

Convert generalizedtime_to_tm() to ASN1_TIME_to_tm()

Second step of moving away from ASN1_time_parse(). Being an OpenSSL API,
ASN1_TIME_to_tm() supports a variety of things. In this specific case we
don't really want it to parse anything but a GeneralizedTime expressed in
Zulu time. Unfortunately, OpenSSL make this annoying. So punt on this and
only do checks for the correct type and length. LibreSSL only accepts Zulu
time, so there is no change of behavior.

ok claudio job

Avoid use of LibreSSL-specific ASN1_time_tm_cmp() API

We convert these struct tm into time_t in the next few lines, so we can
simply use > instead.

ok claudio job

Improve accounting by tracking things by repo and tal.
This fixes some wrong accounting for repositories that are referenced
from more than one TAL. It changes the ometric lable output a little bit
since there are repository metrics that no longer include the 'name' label.
OK tb@

If the two mfts in mft_compare() are the same do not prefer the
first (DIR_VALID) but perfer the 2nd (DIR_TEMP) since this allows
rpki-client to move the equal files from .rrdp back into the valid
repo tree and so there are less unaccounted files for.
Problem noticed by and OK job@

Check that the CMS signing-time is not after the MFT's nextUpdate

Issuing manifests whose validity window is entirely in the past, as
observed from the purported CMS signing-time would be a form of backdating.

OK tb@

Revert accidental change from explicit to implicit tagging in r1.86.

ok job

Rename some data fields to closer match their provenance

OK tb@

Refactor expiration calculation

Unify common code paths which find the exact expiry moment into a new
helper function. Additionally, the new helper offers more accuracy by
checking more applicable CRLs whether their 'nextupdate' is 'sooner'.

tb@ noted: The helper adds a multiplier of log(#crls), but that's
certainly acceptable as it is still very cheap.

OK tb@

Initialize the local signtime variable in the individual *_parse()
functions

ok job

Unwrap a few lines and zap a tab

Show CMS signing-time signed attribute in filemode

OK tb@

Adjust comment for rtype_from_mftfile(). It is important that RTYPE_INVALID
is not an error. It marks file as not handled by rpki-client and they will
be ignored after checking that the provided hash matches.
New file types should only be added once the needed code in parse_entity() is
available.
OK tb@ job@

Remove unused ctype.h include

OK tb@

Only include stdarg.h, if we call any of va_{start,end}()

OK tb@

Add support for authenticating geofeed data CSV files in filemode

RFC 9092 describes a scheme in which an authenticator is appended to a
geofeed (RFC 8805) file. It is a digest of the main body of the file
signed by the private key of the relevant RPKI certificate for a covering
address range. The authenticator is a detached CMS signature.

with and OK tb@

Simplify use of strrchr()

with and OK tb@

Check the SIA signedObject in ROA/MFT/ASPA/TAK/GBR EE certificates

Unfortunately we can't yet error out when accessMethods other than
signedObject are encountered in the SubjectInformationAccess extension
because there is pollution in the ecosystem.

OK tb@

Add support for draft-ietf-sidrops-signed-tal-12

Add support validation of Signed Objects containing Trust Anchor Keys
(TAKs - aka 'Signed TALs'). Signed TALs provide a mechanism for RIRs
to distribute and sign the next Trust Anchor with the current Trust
Anchor. This might be an improvement over visiting RIR websites and
copy+pasting TAL data by hand.

OK tb@

All of ROA, MFT, ASPA, and RSC define their respective 'version' field
in ASN.1 as following: "version [0] INTEGER DEFAULT 0,". Each object
profile preamble contains "DEFINITIONS EXPLICIT TAGS ::=".

We didn't bump into any issue yet, because all Signed Objects are at
version 0, which means the field is entirely omitted (including the tag,
be it implicit or explicit). (From X.690 section 11.5: "The encoding of
a set value or a sequence value shall not include an encoding for any
component value which is equal to its default value.")

OK tb@

Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)

ASPA objects are published in the RPKI and can be used to detect and
mitigate BGP route leaks. Validated ASPA Payloads are visible through
filemode (-f) and the JSON output format (-j).

With feedback from tb@

OK claudio@ tb@

Remove dangling ASPA references until we land real support

OK tb@

Unify error messages on d2i failure for econtent

Dedup econtent version checks

Since the ASN.1 template conversions, we have three copies of mostly dead
code that validates that the econtent version is at its default value 0.
Until a new standard bumps this version and we decide to support that,
we're better off with only one copy of this code.

ok claudio

Fix off-by-one in MAX_MANIFEST_ENTRIES check

ok claudio job

I made non-trivial contributions to these files.

Improve #ifdefs for STACK_OF() helpers.

Discussed with claudio

Adjust or remove some stale comments

Rewrite mft.c and roa.c with ASN.1 templates

The ASN.1 templates are a rather direct translation of the ASN.1 in the
relevant RFCs and they allow deserializing the Manifest and ROA eContent
in a single step instead of numerous opaque d2i_ASN1_SEQUENCE_ANY() calls.
Once the eContent is deserialized, we can walk the structs, validate it
as before and populate the internal data structures.

Positive feedback job
ok claudio

whitespace spotted during read-thru

Verify MFT and GBR objects only carry RFC 3779 extensions set to 'inherit'

OK claudio@ tb@

Validate RSC filenames

Factor out POSIX portable filename check into a new valid_filename() and
rename the previous valid_filename() to valid_mft_filename(). Fixes and
supersedes imcomplete checks in the RSC code. Avoids truncation via
strndup() in case of embedded NULs.

input/ok claudio

Improve control flow readability by removing 'else if' stanzas

OK tb@ claudio@

Add preliminary support for decoding RSC objects in filemode

This implements decoding support for draft-ietf-sidrops-rpki-rsc-06

There are three major outstanding issues:

* The wire image might still change to conform to the more widely deployed
3779 API in libressl/openssl. IETF discussion ongoing.
* Whether the resources listed in the ResourceBlock are contained within
the EE's RFC 3779 extension is not hooked up yet.
* There is a fair bit of duplicity between rsc.c and cert.c, look for XXX

OK tb@

Add Concatenated JSON output in filemode (rpki-client -j -f *)

The schema is still work in progress.

OK claudio@

Avoid leaking crldp in mft_parse() if one of the crlfile checks fails.

ok claudio

Adjust on how CRL and MFT files are verified.

Verify the CRL referenced from the mft against the mft's fileAndHash info.
If the CRL matches then load it and use it to validate this mft. If the
mft validated OK add the now also valid CRL to the auth store for later use.

Before the newest CRL was always selected but that has negative consequences
because it is common practice to revoke the previous MFT's EE cert and with
that the cache is turned useless as soon as a new CRL is used. Also there
was a possibility that the CRL used for validation of the MFT was not the
one later used.

Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part
of the validation process. We opted in favor of the chached MFT.

With and OK tb@

Sort RTYPE in case alphabetically and mention ASPA in the comment.
No functional change.

All times in the x509 are UTC so use timegm() and not mktime().
The latter will apply the timezone offset and so the further west
the more probable you are to have problems with valid_from times.
Fix from tb@
OK job@, benno@ and me

Change x509_get_aki(), x509_get_ski(), x509_get_aia(), and x509_get_crl()
to work more like x509_get_expire(). They will return an error if the
extension extraction failed but not if it was not present. The callers
must now do that check but most did already.
With this cert_parse_inner() no longer cares about TA vs non-TA certs.
Feedback and OK tb@

Sync & permit ASPA objects to appear on Manifests

OK tb@ claudio@

Fix serial number printing in crl_print() for large serials.
Create a common x509_convert_seqnum() function to convert the various
ASN1_INTEGERs into hexnumbers and use this for mft and crl handling.
With and OK tb@, also OK job@

Properly handle .mft files as intended by the RFC. Instead of always
selecting the newest file this opens both the new (from rrdp or rsync)
and old (valid) MFT. It then compares the manifest number and based on
that the 'newer' MFT is selected.
The MFT file and hash check is also changed to always try both locations
and selecting whatever matches up with the hash. The selction is passed
back to the the main process and used later on to open exactly the same
file as was checked against the hash.
The MFT parsing code has been split up into multiple steps so that the
files can be parsed, compared and then fully validated.
In most cases this makes no difference but it prevents replay attacks
using old but still valid files.
With and OK tb@

Adjust code to handle unsupported file types a bit more graceful.
The file still needs to match its hash to make the MFT valid but then
there will only be a warning printed. Parsing of other files from that
MFT are not influenced.
OK tb@

Change valid_filename() ot return an enum rtype and rename it to
rtype_from_mftfile(). Move both rtype_from functions to mft.c.

ok beck claudio

Add function to determine the file type from the file name extension

rpki-client uses the same idiom to determine the file type in too many
places. Use one function that determines the appropriate RTYPE from the
file name. Add that type to struct mftfile and use this new member to
simplify queue_add_from_mft*().

input/ok claudio

Revert all the files that should have not been committed in last commit.

Kill extra newline

Cleanup the scattered OBJ_txt2obj() calls and move them into
x509_init_oid() to initalize all necessary OID objects at start.
OK tb@

Alter valid_filehash() to take a file descriptor instead of a path.
This is needed so that callers can allow a file to be in multiple
locations. Also move mft_check() from mft.c to parser.c.
OK tb@

Change the way the parser accesses files. It now builds the file path
based on information from the repository, a local path and the filename.
This simplifies some code both in the main process and the parser.
For this to work repositories are passed to the parser before any other
entity of this repository is passed. Struct entity is extended to include
the repoid and the path along the file(name).
Input and OK tb@ & job@

Cleanup mft file handling, especially the stale mft bits.
Move staleness check up into mft_parse_econtent() to simplify code.
Remove the big FIXME bits since they are no longer needed. The parent
process will only process MFTs that are not stale.
Cleanup a few other bits mainly unneccessary else if cascades and
use valid_filename() to check if the filename embedded in the mft
fileandhash is sensible.
OK tb@

Limit how many FileAndHash entries a single manifest may contain

OK claudio@

Change CMS and CRL d2i functions from their BIO version to passing the
der buffer instead. The file are loaded early in the entity processing
loop.
OK tb@

Restrict the characterset for filenames on Manifests

feedback from benno@

OK claudio@

Finnally move away from blocking reads in rpki-client. The code was a
mish mash of poll, non-blocking writes and blocking reads. Using the
introduced ibuf size header in io_buf_new()/io_buf_close() the read
side can be changed to pull in a full ibuf and only start the un-marshal
once all data has been read.
OK benno@

branches: 1.38.4;
Rework how various OIDs are compared in the code.

Instead of converting the ASN1_OBJECT into a string and comparing the
strings, convert the string into an ASN1_OBJECT once and then compare
these objects with OBJ_cmp().

Makes the code a bit easier to read and removes some repetitive conversions.
With input and OK tb@

The number of elements being processed is known upfront. So allocate the
storage needed outside of the loop. This reduces the number of recallocarray
calls.
OK tb@

Add more checks for eContent 'version' fields.

Input from deraadt@, tb@, claudio@

OK deraadt@ claudio@ tb@

Fix ROA & MFT version check handling

This check was incomplete: to correctly verify the ASN1 INTEGER holding
the version component, first the context specific explicit tag would need
to be checked.

However, the X.690 spec (section 11.5) states that if the one should not
encode a component if it is the default value. There are no RFCs specifying
new versions of ROA or MFT, so checking the content of the version component
should be skipped entirely.

Thus if the version component is present, something is wrong.

Before calling ASN1_time_parse() initialize the struct tm. While
recent libressl version initalise the struct tm properly older
versions did not and so -portable runs into problem on systems
with older libressl versions installed.
Problem found by job@
OK tb@

Garbage collect sz in mft_parse_filehash() which has been unused
since mft.c r1.20.

branches: 1.32.2;
Inline x509_get_extensions() and remove it

Since aia, aki and ski are all represented by char *, this is an
error-prone interface - as found by job. The function doesn't do
much anyway.

ok claudio

Add some restrictions to manifest object profile

OK tb@, feedback from claudio@

Send arguments in alphabetical order

OK tb@

Factor out the SHA256 hash checks into valid_filehash() so that it can
be used by the RRDP code as well.
OK tb@

Use the same way to error out in out of memory situation.
Just use 'err(1, NULL);' there is no need to include the type of function
that failed since it is still impossible to locate the right call.
Just use a debugger in that case.
OK tb@ deraadt@

Convert reallocarray + memset to recallocarray.

ok claudio

get Authority Information Access (AIA) from CA & EE certs

In the context of the RPKI, the AIA extension identifies the publication
point of the certificate of the issuer of the certificate in which the
extension appears. A single reference to the publication point of the
immediate superior certificate MUST be present, except for a
"self-signed" certificate.

Thanks tb@ for review

OK claudio@

Eventhough most openssl includes include everything try to be a bit more
explicit about what is used where. Seems to be the least worst solution.

A while ago rpki-client was changed to validate the sha256 hashes of
files referenced in MFT files during the validation of the MFT file.
An MFT is only valid if all files are present and their hashes are valid.
Because of this there is no longer the need to check the hash when
these files are parsed later on. Remove these checks for CRT, ROA and CRL
files. Use the presence of the pkey when parsing cert files to decide
if it is a root cert or not.
OK tb@

Start using the ibuf API (ibuf_dynamic, ibuf_add, ibuf_close) for writing
data between processes. This completely decouples the write side.
rpki-client can't really use the imsg framework but it can use the ibuf
bits wich imsg is built on.
OK benno@ job@

Now that a NULL string is marshalled as NULL again we can drop some
extra has_xyz integers to indicate if the following buffer is present
or not. At the same time sprinkle some asserts for strings which must
be not NULL.
OK tb@

Use asprintf with %.*s to construct the path based on the mft file
location and the filename of the referenced file. Use the same method
both in main.c and mft.c which is a fair bit simpler than using calloc
and strlcpy/strlcat to build the string by hand.
OK tb@

All files provided in a manifest needs to be checked against the provided
hash even if rpki-client ignores this file later on.
OK job@

Treat stale manifests as such, not as 'failed to parse'

There is currently dead code in mft_parse() that handles stale
manifests by setting the stale flag and removing all files they
reference. This code was made unreachable in a refactor that
fixed a logic error that made mft_parse() succeed despite its
error handling. check_validity() returns three possible values.
Report failures and stale mfts back immediately via rc. Success
needs to reset rc to -1, so subsequent errors are reported as
such.

This is mostly cosmetic and only changes the rpki-client output
in that the comment at the top of the config now actually shows
stale manifests. This makes regress pass again.

ok claudio job

typo

Fix checks for manifest validity interval

The check_validity() function used the X509_cmp_time() functions with
GeneralizedTime. This doesn't work with current dates since LibreSSL
enforces conformance with RFC 5280 in X509_cmp_time(), which requires
that dates before 2050 are represented with UTCTime. The functions
would return an error, but missing error checking led to failing to
detect expired or not yet valid manifests. Fix this by converting the
dates into struct tm and using ASN1_time_tm_cmp() instead.

With input from claudio, jsing

ok benno claudio jsing

branches: 1.16.4;
Include openssl/x509.h in extern.h since it uses a few of the typedefs from
there in structs and prototypes. Remove the openssl/ssl.h and other strange
openssl includes in the .c files that don't use openssl specific functions.
OK beck@ and tb@

Remove -f (force) option.

The -f option existed for some initial debugging work.

Thanks Weerd for review

OK claudio@

branches: 1.14.4;
Avoid using libc SHA256File(), just perform the operation inline to
make things easier for -portable
ok claudio

Split the mft file and hash check from the mft parsing. This makes it easier
to check all files in a mft before failing and also the check is now done
after the embedded cert was checked.
This refactor was triggered because of a bug in mft_parse_econtent().
check_validity() altered rc but later failure code assumed that goto out
is good enough to return an error (rc == -1) but since rc was 1 success
was returned. This bug is now also fixed.
Bug report and OK job@

Delay failure in mft parsing until all elements of FileAndHash have been
checked. This way all corrupted or missing files should show up in a
single run. This should help operators to get a better idea what and how
much is broken.
OK benno@

Check the hash and with it the presence of a file referenced in a MFT early
on. In case the file hash does not match or the file does not exist the full
MFT is considered invalid and dropped. With this partial ROA updates based
on a corrupt data set will produce less likely inconsistencies in the VRP
output.
With and OK job@

The code is more what you'd call 'guidelines' than actual rules.
s/EXIT_FAILURE/1/
ok claudio@

enable more warning flags and fix a few issues noticed.
ok claudio@ deraadt@

Rewrite the time validity check for mfts. Using ASN1_GENERALIZEDTIME_print
and strptime to convert the timestamp does not correctly account for the
timezone. Instead use X509_cmp_time which later on should be replaced with
ASN1_time_tm_cmp since the ASN1_STRING_cmp() check at the end will fail
around 2049.

Problem with timezone reported by Alexandre Hamada (hamada at registro.br).
He also tested this diff.
OK tb@

Show the most common warnings only if verbose is set. Most of these warnings
were shown because of an inconsistent rpki database and is no real problem.
OK florian@

Those changes should not have been in last commit. Revert them for now.

Don't use assert to validate user input. assert() is not for that, instead
check and error out like it is done one other parsing issues.
Agreed by deraadt@
Fixes another afl "crash" found by jsg@

use $OpenBSD$ headers

indentation adjustments, in particular near warn statements
ok claudio

Don't do -portable in base. It is better done outside the tree.
Imagine if we did it throughout the tree, how many copies of strlcpy
would we have, and how much time would all the configure shell scripts
and includes take? It would be ludicrous.

branches: 1.1.1;
Initial revision

rpki-client: plug leak of the crl path

also, drop an unnecessary NULL check and make freeing have the same order
as the struct field so auditing for leaks is easier.

ok claudio

Display distinct errors for various problematic CRL/MFT situationships

RFC 6487 section 8 specifies only a single CRL is issued at a time, so
error when multiple .crl files are listed in a Manifest's FileList.

The CRLDP extension identifies the location of the CRL, so the CRL's
filename must match the CA's CRLDP's 'rsync://' entry, error if that
isn't the case. (RFC 6486 section 4.8.6)

with & OK tb@

Add support for RPKI Signed Prefix Lists

Signed Prefix List are a CMS protected content type for use with the
RPKI to carry the complete list of prefixes which an Autonomous System
may originate to all or any of its routing peers. The validation of a
Signed Prefix List confirms that the holder of the listed ASN produced
the object, and that this list is a current, accurate and complete
description of address prefixes that may be announced into the routing
system originated by this AS.

https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-prefixlist

with and OK claudio@ tb@

rpki-client: remove the remaining struct parse

With the exception of mft.c where there is an additional boolean, this
struct carries a file name and a result. This means functions having
struct parse in the signature can't be shared between files, which has
been annoying. Simply pass file name and necessary info directly as a
function parameter and add a small dance to handle the boolean in mft.c.

ok job

Rename fn into file to avoid clash in upcoming diff

ok job

Use _asn1 suffix for some aspa/mft/roa/rsc/tak

This would otherwie clash with an upcoming replacement of struct parse.

ok job

Ensure that the FileAndHashes list in a mft has no duplicates

ok job

Add explicit ASN1_ITEM_EXP prototypes

In LibreSSL *_it are variables, in other implementations they might
be a function. This helps squash compiler warnings in -portable.

Related: https://github.com/openbsd/src/commit/65af98848fc7a42e34d470d10fc1db8e23f9db93

OK tb@

Check whether all data in eContent has been consumed

It is possible that a given ASN.1 template generated d2i_*() function
didn't consume all data, so there is a potential for malleability.
The econtent is a sequence (which means it could be the concatenation
of several DER "blobs"). d2i_*() would only deserialize the first one
and not notice blobs following it.

OK tb@

Use x509_get_time() to get the Manifest thisUpdate / nextUpdate

From the moment d2i_Manifest() was introduced, it was automatically
checked whether the thisUpdate/nextUpdate are ASN1_GENERALIZEDTIME.

Unfortunately, an additional check is needed, because OpenSSL doesn't
require RFC 5280 conformance for GeneralizedTime DER encoding.

OK tb@

Refactor handling of stale manifests

No need to hoist a staleness indicator through the whole process and
count it explicitly.

OK tb@

Remove old comment

OK tb@

Introduce and use mft_compare_issued()

Newly issued manifests should not only have a higher manifestNumber,
their issuance time should also be later. Add corresponding checks
and warnings when comparing a newly fetched manifest to a manifest
from the cache.

ok job (who noticed that such a check was missing)

Rename mft_compare() to mft_compare_seqnum()

This makes it clearer what exactly this function compares. Also drop some
NULL checks that made the semantics of this function tricky.

ok job

Log a warning when a manifest replay is detected

OK tb@ claudio@

Allow imposing constraints on RPKI trust anchors

The ability to constrain a RPKI Trust Anchor's effective signing
authority to a limited set of Internet Number Resources allows
Relying Parties to enjoy the potential benefits of assuming trust,
within a bounded scope.

Some examples: ARIN does not support inter-RIR IPv6 transfers, so
it wouldn't make any sense to see a ROA subordinate to ARIN's trust
anchor covering RIPE-managed IPv6 space. Conversely, it wouldn't
make sense to observe a ROA covering ARIN-managed IPv6 space under
APNIC's, LACNIC's, or RIPE's trust anchor - even if a derived trust
arc (a cryptographically valid certificate path) existed. Along these
same lines, AFRINIC doesn't support inter-RIR transfers of any kind,
and none of the RIRs have authority over private resources like
10.0.0.0/8 and 2001:db8::/32.

For more background see:
https://datatracker.ietf.org/doc/draft-snijders-constraining-rpki-trust-anchors/
https://mailman.nanog.org/pipermail/nanog/2023-September/223354.html

With and OK tb@, OK claudio@

Pass the talid to various parse functions

This will be needed by an upcoming feature where we will need to know
what trust anchor a given cert chains to. This doesn't change anything
except the size of the diff.

ok claudio job

Shuffle the order in which Manifest entries are processed

Previously work items were enqueued in the order the CA intended them
to appear on a Manifest. However, there is no obvious benefit to letting
third parties decide the order in which things are processed.

Instead, randomize: ordering has no meaning anyway, and the number of
concurrent repository synchronization operations is limited & timeboxed.
As they say, a fox is not taken twice in the same snare

OK tb@

Retire log.c

Convert all cryptowarnx() and cryptoerrx() to appropriate versions of
warn() and err{,x}(). Neither users nor developers benefit from them.
If we need better errors, we need to do some thinking. libcrypto won't
do that for us.

suggested by claudio
ok job

Add compliance checks for the version, KU, and EKU of TAK/MFT/GBR EE certs

OK tb@

In anticipation of a bump of the ASPA eContent profile version, update
valid_econtent_version() to allow for non-zero versions.

OK tb@

Convert generalizedtime_to_tm() to ASN1_TIME_to_tm()

Second step of moving away from ASN1_time_parse(). Being an OpenSSL API,
ASN1_TIME_to_tm() supports a variety of things. In this specific case we
don't really want it to parse anything but a GeneralizedTime expressed in
Zulu time. Unfortunately, OpenSSL make this annoying. So punt on this and
only do checks for the correct type and length. LibreSSL only accepts Zulu
time, so there is no change of behavior.

ok claudio job

Avoid use of LibreSSL-specific ASN1_time_tm_cmp() API

We convert these struct tm into time_t in the next few lines, so we can
simply use > instead.

ok claudio job

Improve accounting by tracking things by repo and tal.
This fixes some wrong accounting for repositories that are referenced
from more than one TAL. It changes the ometric lable output a little bit
since there are repository metrics that no longer include the 'name' label.
OK tb@

If the two mfts in mft_compare() are the same do not prefer the
first (DIR_VALID) but perfer the 2nd (DIR_TEMP) since this allows
rpki-client to move the equal files from .rrdp back into the valid
repo tree and so there are less unaccounted files for.
Problem noticed by and OK job@

Check that the CMS signing-time is not after the MFT's nextUpdate

Issuing manifests whose validity window is entirely in the past, as
observed from the purported CMS signing-time would be a form of backdating.

OK tb@

Revert accidental change from explicit to implicit tagging in r1.86.

ok job

Rename some data fields to closer match their provenance

OK tb@

Refactor expiration calculation

Unify common code paths which find the exact expiry moment into a new
helper function. Additionally, the new helper offers more accuracy by
checking more applicable CRLs whether their 'nextupdate' is 'sooner'.

tb@ noted: The helper adds a multiplier of log(#crls), but that's
certainly acceptable as it is still very cheap.

OK tb@

Initialize the local signtime variable in the individual *_parse()
functions

ok job

Unwrap a few lines and zap a tab

Show CMS signing-time signed attribute in filemode

OK tb@

Adjust comment for rtype_from_mftfile(). It is important that RTYPE_INVALID
is not an error. It marks file as not handled by rpki-client and they will
be ignored after checking that the provided hash matches.
New file types should only be added once the needed code in parse_entity() is
available.
OK tb@ job@

Remove unused ctype.h include

OK tb@

Only include stdarg.h, if we call any of va_{start,end}()

OK tb@

Add support for authenticating geofeed data CSV files in filemode

RFC 9092 describes a scheme in which an authenticator is appended to a
geofeed (RFC 8805) file. It is a digest of the main body of the file
signed by the private key of the relevant RPKI certificate for a covering
address range. The authenticator is a detached CMS signature.

with and OK tb@

Simplify use of strrchr()

with and OK tb@

Check the SIA signedObject in ROA/MFT/ASPA/TAK/GBR EE certificates

Unfortunately we can't yet error out when accessMethods other than
signedObject are encountered in the SubjectInformationAccess extension
because there is pollution in the ecosystem.

OK tb@

Add support for draft-ietf-sidrops-signed-tal-12

Add support validation of Signed Objects containing Trust Anchor Keys
(TAKs - aka 'Signed TALs'). Signed TALs provide a mechanism for RIRs
to distribute and sign the next Trust Anchor with the current Trust
Anchor. This might be an improvement over visiting RIR websites and
copy+pasting TAL data by hand.

OK tb@

All of ROA, MFT, ASPA, and RSC define their respective 'version' field
in ASN.1 as following: "version [0] INTEGER DEFAULT 0,". Each object
profile preamble contains "DEFINITIONS EXPLICIT TAGS ::=".

We didn't bump into any issue yet, because all Signed Objects are at
version 0, which means the field is entirely omitted (including the tag,
be it implicit or explicit). (From X.690 section 11.5: "The encoding of
a set value or a sequence value shall not include an encoding for any
component value which is equal to its default value.")

OK tb@

Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)

ASPA objects are published in the RPKI and can be used to detect and
mitigate BGP route leaks. Validated ASPA Payloads are visible through
filemode (-f) and the JSON output format (-j).

With feedback from tb@

OK claudio@ tb@

Remove dangling ASPA references until we land real support

OK tb@

Unify error messages on d2i failure for econtent

Dedup econtent version checks

Since the ASN.1 template conversions, we have three copies of mostly dead
code that validates that the econtent version is at its default value 0.
Until a new standard bumps this version and we decide to support that,
we're better off with only one copy of this code.

ok claudio

Fix off-by-one in MAX_MANIFEST_ENTRIES check

ok claudio job