History log of /openbsd-current/usr.sbin/rpki-client/validate.c
Revision Date Author Comments
# 1.76 17-Jun-2024 tb

Put back NULL checks in crl_get() and build_chain()

Turns out filemode still relies on these. Rather than adding to the
spaghetti in filemode.c, begrudgingly put back the NULL checks with
an additional XXX.

ok claudio job


# 1.75 12-Jun-2024 tb

rpki-client: avoid hard error when hitting the maximum cert id

Instead, continue processing what we can but avoid lots of warning noise.
Error out at the end of the parser process to avoid loading a bad config
into bgpd. This isn't great as it is and can be refined in tree.

ok claudio


# 1.74 20-May-2024 claudio

Instead of tracking certificates by SKI track them by an internal identifier.

The certificate SKI is not strictly unique so using it as a unique id is
problematic. It is also not really needed to do that since in theory we
already know the path (but this got lost in the privsep communication).
So add a cert id and pass this id back and forth between main process and
the parser. With this id we can look up the authentication chain in the
parser and this even works with multiple paths to the same resource.
Since we no longer look up by SKI the valid_aki_ski function is replaced
by find_issuer() which does the lookup by certid.

The loop protection is now extended to allow each TAL to reach each file
once but still triggers if a file is reaccessed by the tree of a TAL.

In filemode the lookup now uses an AIA uri based lookup tree. Again this
replaces the SKI based lookups from before.

Done together with tb@
OK tb@ job@


# 1.73 19-Mar-2024 tb

Rename parent to issuer in struct auth

Parent is confusing and issuer is the appropriate terminology. This is
a mechanical diff. The only remaining uses of 'parent' in this code
base now mean 'parent process'.

discussed with beck and job
ok job


Revision tags: OPENBSD_7_5_BASE
# 1.72 22-Feb-2024 job

Add support for RPKI Signed Prefix Lists

Signed Prefix Lists are a CMS protected content type for use with the
RPKI to carry the complete list of prefixes which an Autonomous System
may originate to all or any of its routing peers. The validation of a
Signed Prefix List confirms that the holder of the listed ASN produced
the object, and that this list is a current, accurate and complete
description of address prefixes that may be announced into the routing
system originated by this AS.

https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-prefixlist

with and OK claudio@ tb@


# 1.71 01-Feb-2024 tb

Normalize the nid printing

OBJ_nid2* can return NULL if the gloriously consistent objects.txt
database doesn't specify a long or a short name. So try the long name
first, fall back to the short name, and if both fail, use "unknown".
Always include the nid as a decimal.

ok claudio


# 1.70 07-Jan-2024 tb

rpki-client: print revocation time in filemode

If a certificate was revoked, extract the revocation timestamp and
update the warning message in filemode to include it.

ok job


# 1.69 27-Dec-2023 tb

Rework the warnings on internet resources

Unify the printing of warnings about AS numbers and IP address blocks to
use a call to as_warn() and ip_warn(). Fix a bug in the latter where the
upper bound of an IP range didn't take the RFC 3779 encoding into account
and passed the address directly to inet_pton() rather than filling the
missing bits with 1. Switch the argument order to match the warnings and
tweak some warning messages.

ok claudio job
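
An added worked example (my own C, not rpki-client code) of the upper-bound computation that this commit fixes: an RFC 3779 IPAddress is a BIT STRING carrying only the significant leading bits of an address, so the min address of a range must be completed with 0 bits and the max address with 1 bits. Passing the raw bytes through an inet_pton()-style conversion pads both with zeros, which makes the upper bound too small. The function names, the constructed bit strings and the AFI numbering (1 = IPv4, 2 = IPv6) are assumptions of the example.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Example code, not rpki-client's.  Expand nbits significant bits of an
 * RFC 3779 IPAddress into a full addrlen-byte address.  is_max selects
 * whether the missing low bits become 1 (upper bound) or 0 (lower bound).
 */
static int
rfc3779_expand(const uint8_t *bits, size_t nbits, int is_max,
    uint8_t *out, size_t addrlen)
{
	size_t nbytes = (nbits + 7) / 8;
	uint8_t mask;

	if (nbits > addrlen * 8)
		return 0;
	memset(out, is_max ? 0xff : 0x00, addrlen);
	memcpy(out, bits, nbytes);
	if (nbits % 8 != 0) {
		/* keep the high nbits%8 bits of the last byte, fill the rest */
		mask = (uint8_t)(0xffu << (8 - nbits % 8));
		if (is_max)
			out[nbytes - 1] |= (uint8_t)~mask;
		else
			out[nbytes - 1] &= mask;
	}
	return 1;
}

/* Format the expanded bound as text; afi 1 = IPv4, 2 = IPv6 (RFC 3779). */
static const char *
rfc3779_addr_str(int afi, const uint8_t *bits, size_t nbits, int is_max,
    char *buf, size_t buflen)
{
	uint8_t addr[16];
	size_t addrlen = afi == 1 ? 4 : 16;
	int family = afi == 1 ? AF_INET : AF_INET6;

	if ((afi != 1 && afi != 2) ||
	    !rfc3779_expand(bits, nbits, is_max, addr, addrlen))
		return NULL;
	return inet_ntop(family, addr, buf, buflen);
}

int
main(void)
{
	/* constructed range: min = 0x0a05 (16 bits), max = 0x0a40 (10 bits) */
	const uint8_t mn[] = { 0x0a, 0x05 }, mx[] = { 0x0a, 0x40 };
	char lo[INET6_ADDRSTRLEN], hi[INET6_ADDRSTRLEN], wrong[INET6_ADDRSTRLEN];

	printf("range:         %s-%s\n",
	    rfc3779_addr_str(1, mn, 16, 0, lo, sizeof lo),
	    rfc3779_addr_str(1, mx, 10, 1, hi, sizeof hi));
	/* zero-filling the max bound is the pre-fix behaviour */
	printf("zero-filled max: %s\n",
	    rfc3779_addr_str(1, mx, 10, 0, wrong, sizeof wrong));
	return 0;
}
```

With the constructed input the range prints as 10.5.0.0-10.127.255.255, while zero-filling the max bound yields 10.64.0.0, i.e. a bound below the range's own first address.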


# 1.68 19-Oct-2023 job

Add experimental support for secp256r1 aka P-256 aka prime256v1

ECDSA signatures are much smaller than RSA signatures while offering
similar security. Adding support for P-256 now allows CA developers
to test their implementations, and paves the way for signers in the
production environment in the future to take advantage of ECDSA.

OK tb@


Revision tags: OPENBSD_7_4_BASE
# 1.67 25-Sep-2023 job

Introduce ip_addr_range_print() to avoid code repetition

OK tb@


# 1.66 29-Jun-2023 tb

Retire log.c

Convert all cryptowarnx() and cryptoerrx() to appropriate versions of
warn() and err{,x}(). Neither users nor developers benefit from them.
If we need better errors, we need to do some thinking. libcrypto won't
do that for us.

suggested by claudio
ok job


# 1.65 07-Jun-2023 tb

Cosmetic tweak for previous

Once we expect ASPA version 1 and someone sends us version 0, make that
explicit instead of complaining about ASN1_INTEGER_get_uint64() failing.

ok job


# 1.64 07-Jun-2023 job

In anticipation of a bump of the ASPA eContent profile version, update
valid_econtent_version() to allow for non-zero versions.

OK tb@


# 1.63 30-May-2023 claudio

Revert commitid ANSBO0rBvIUtTi45:
Make rpki-client choose the verification time as the time it is invoked
rather than always getting the current system time for every certificate
verification. This will result in output that is not variable on run-time.

Using the time of invocation does not work well with fast publishing CAs. It
can take a few minutes to reach a repo and that CA may have issued certificates
that are not yet valid if that startup time of rpki-client is used to validate.

This still keeps the -P option to specify a fixed validation time.
OK beck@ job@ tb@


# 1.62 23-May-2023 tb

Convert ASN1_INTEGER_get() to ASN1_INTEGER_get_uint64()

The former is broken by design and should not be used. The latter allows
for unambiguous error checking. Add a few casts to print uint64_t without
the PRIu64 monstrosity.

ok claudio


# 1.61 11-May-2023 claudio

In valid_cert() also skip the check for CERT_IP_INHERIT objects like
it is done for CERT_AS_INHERIT.

Without this inheritance of IP address resources does not work. Problem
noticed by Ties de Kock (tdekock (at) ripe.net)

OK job@ tb@ benno@


# 1.60 09-May-2023 tb

rpki-client: use partial chains in certificate validation

The generally rather poor quality RFC 3779 code in libcrypto also performs
abysmally. Flame graphs show that nearly 20% of the parser process is spent
in addr_contains() alone. There is room for improvement in addr_contains()
itself - the containment check for prefixes could be optimized quite a bit.
We can avoid a lot of the most expensive work for certificates with tons of
resources close to the TA by using the verifier's partial chains flag.

More precisely, in the tree of already validated certs look for the first
one that has no inherited RFC 3779 resources and use that as 'trust anchor'
for our chains via the X509_V_FLAG_PARTIAL_CHAIN flag. This way we can be
sure that a leaf's delegated resources are properly covered and at the same
time significantly shorten most paths validated.

Job's and my testing indicates that this avoids 30-50% of overhead and works
equally well with LibreSSL and OpenSSL >= 1.1. The main bottlenecks in the
parser process now appear to be SHA-2 and RSA/BIGNUM, two well-known pain
points in libcrypto.

This is based on a hint by beck and was discussed extensively with beck,
claudio and job during and after m2k23.

ok claudio job


# 1.59 27-Apr-2023 beck

Make rpki-client choose the verification time as the time it is invoked
rather than always getting the current system time for every certificate
verification. This will result in output that is not variable on run-time.

ok tb@ claudio@


# 1.58 26-Apr-2023 beck

Add a -P option to rpki-client to specify the evaluation time

This is intended to be able to test rpki-client in a reproducible
way without worrying about the system time changing the results

ok claudio@


# 1.57 14-Apr-2023 tb

A tab snuck in


# 1.56 13-Apr-2023 job

Check whether products listed on a manifest were issued by the same authority as the manifest itself

OK tb@


Revision tags: OPENBSD_7_3_BASE
# 1.55 06-Mar-2023 job

branches: 1.55.4;
Add check for RSA key pair modulus & public exponent

Both the SPKI inside a CA's .cer TBS section and Signers wrapped in CMS
must be RSA, with mod 2048 & (e) 0x10001

OK tb@


# 1.54 18-Jan-2023 job

Require version 4 UUIDs as RRDP session IDs

OK tb@


# 1.53 18-Jan-2023 tb

rpki-client: explicitly enable policy checks

In x509_verify.c r1.62, beck disabled policy checks by default in the new
X.509 verifier to match the behavior of the legacy validator and OpenSSL.
In order to keep policy checks as mandated by RFC 7318, we need to opt
into them explicitly.

ok beck


# 1.52 04-Jan-2023 claudio

Validate the session_id to be a real UUID.

RFC 8182 requires the session_id to be a version 4 random UUID (using
variant 1). Now checking the version and variant is currently disabled
because there is at least one CA with a session_id that is all random
and therefore the version check triggers there.
Joint work with job@. OK job@, tb@
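
An added worked example (my own C, not rpki-client code) of the session_id check described in this commit and tightened in 1.54 above: RFC 8182 requires the RRDP session_id to be an RFC 4122 version 4 UUID with variant 1. In the textual form xxxxxxxx-xxxx-Mxxx-Nxxx-xxxxxxxxxxxx the version nibble M sits at index 14 and the variant nibble N at index 19. The strict flag switches between the shape-only check (as 1.52 shipped it) and the full version/variant check (1.54). That hex digits of either case are accepted, as RFC 4122 recommends for input, and the sample identifiers are assumptions of the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Example code, not rpki-client's.  Returns 1 if s[0..len) is a textual
 * UUID; with strict != 0 it must additionally be version 4, variant 1.
 */
static int
valid_uuid(const char *s, size_t len, int strict)
{
	size_t i;

	if (len != 36)
		return 0;
	for (i = 0; i < 36; i++) {
		if (i == 8 || i == 13 || i == 18 || i == 23) {
			if (s[i] != '-')
				return 0;
		} else if (!isxdigit((unsigned char)s[i]))
			return 0;
	}
	if (!strict)
		return 1;
	if (s[14] != '4')		/* version nibble must be 4 */
		return 0;
	switch (tolower((unsigned char)s[19])) {	/* variant 1: 10xx */
	case '8': case '9': case 'a': case 'b':
		return 1;
	default:
		return 0;
	}
}

int
main(void)
{
	/* constructed session ids: a version 4 one and a version 1 one */
	const char *v4 = "3a9f1b2c-5d6e-4f70-8a9b-0c1d2e3f4a5b";
	const char *v1 = "6ba7b810-9dad-11d1-80b4-00c04fd430c8";

	printf("%s strict=%d lenient=%d\n", v4,
	    valid_uuid(v4, strlen(v4), 1), valid_uuid(v4, strlen(v4), 0));
	printf("%s strict=%d lenient=%d\n", v1,
	    valid_uuid(v1, strlen(v1), 1), valid_uuid(v1, strlen(v1), 0));
	return 0;
}
```

The length is taken as a parameter rather than via strlen() so the same function can be applied to XML attribute text that is not yet NUL terminated.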


# 1.51 30-Nov-2022 job

Remove unused sys/socket.h include

OK claudio@


# 1.50 29-Nov-2022 job

Only include stdarg.h, if we call any of va_{start,end}()

OK tb@


# 1.49 29-Nov-2022 claudio

Update valid_x509 comment to reality. crl is no longer optional.
OK tb@


# 1.48 29-Nov-2022 claudio

Return an error string instead of suppressing the warning in valid_x509.
This way manifests can show a better error message when something fails.
With and OK tb@


# 1.47 26-Nov-2022 job

Add support for authenticating geofeed data CSV files in filemode

RFC 9092 describes a scheme in which an authenticator is appended to a
geofeed (RFC 8805) file. It is a digest of the main body of the file
signed by the private key of the relevant RPKI certificate for a covering
address range. The authenticator is a detached CMS signature.

with and OK tb@


# 1.46 02-Nov-2022 tb

Length check URI before strncasecmp()

A priori URI is not NUL terminated, so we should first check it is long
enough before comparing it against proto. As a side effect, this now
rejects "https://" and "rsync://", which are invalid due to the missing
host in the authority section.

ok claudio
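
An added worked example (my own C, not rpki-client code) of the bounded comparison this commit introduces. URIs extracted from ASN.1 (AIA, SIA, CRL distribution points) arrive as a pointer and a length, not as a C string, so the length has to be checked against the scheme prefix before strncasecmp() may touch the bytes; as a side effect a URI consisting only of "rsync://" is rejected. MAX_URI_LENGTH, the printable-ASCII rule and the sample URIs are assumptions of the example (the "Limit length on URIs" commit below caps the length, the value here is made up).

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>
#include <stdio.h>

#define MAX_URI_LENGTH 2048	/* assumed cap for this example */

/*
 * Example code, not rpki-client's.  uri/usz is a non NUL terminated
 * buffer; proto is a C string such as "rsync://".
 */
static int
valid_uri(const char *uri, size_t usz, const char *proto)
{
	size_t i, psz = strlen(proto);

	if (usz == 0 || usz > MAX_URI_LENGTH)
		return 0;
	/* printable ASCII only: rejects NUL, control bytes, space, non-ASCII */
	for (i = 0; i < usz; i++) {
		unsigned char c = uri[i];
		if (c <= 0x20 || c >= 0x7f)
			return 0;
	}
	/*
	 * Length check BEFORE strncasecmp(): with usz < psz the comparison
	 * would read past the buffer, with usz == psz the URI is only the
	 * scheme and has no host in its authority section.
	 */
	if (usz <= psz)
		return 0;
	if (strncasecmp(uri, proto, psz) != 0)
		return 0;
	return 1;
}

int
main(void)
{
	/* constructed inputs; bare and trunc deliberately have no NUL */
	const char bare[8] = { 'r', 's', 'y', 'n', 'c', ':', '/', '/' };
	const char trunc[7] = { 'r', 's', 'y', 'n', 'c', ':', '/' };
	const char *ok = "rsync://rpki.example.net/repo/";

	printf("%.*s -> %d\n", (int)sizeof bare, bare,
	    valid_uri(bare, sizeof bare, "rsync://"));
	printf("%.*s -> %d\n", (int)sizeof trunc, trunc,
	    valid_uri(trunc, sizeof trunc, "rsync://"));
	printf("%s -> %d\n", ok, valid_uri(ok, strlen(ok), "rsync://"));
	return 0;
}
```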


Revision tags: OPENBSD_7_2_BASE
# 1.45 03-Sep-2022 job

branches: 1.45.2;
Don't doublecheck whether the RSC eContent Resourceblock contains inherit elements

The RSC ASN.1 templates make it impossible to pass an RFC3779-style inherit option
because of the use of ConstrainedIPAddressFamily and ConstrainedASIdentifiers.

OK tb@


# 1.44 03-Sep-2022 job

Introduce x509_any_inherit() for objects which may not have inherit elements

Unify conformance checking of Trust Anchors, ROAs, ASPAs, RSCs - none of which
may have any 'inherit' elements in the RFC 3779 IP/AS Resources extension of
the X509 certificate.

OK tb@


# 1.43 03-Sep-2022 tb

Move non-inheritance check for BGPsec certs into cert_parse_pre()

ok claudio job (as part of a larger diff)


# 1.42 30-Aug-2022 job

Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)

ASPA objects are published in the RPKI and can be used to detect and
mitigate BGP route leaks. Validated ASPA Payloads are visible through
filemode (-f) and the JSON output format (-j).

With feedback from tb@

OK claudio@ tb@


# 1.41 19-Aug-2022 tb

Check the resources in ROAs and RSCs against EE certs

The resources delegated in the RFC 3779 extensions of the EE cert for
ROAs or RSCs can be a subset of the resources in the auth chain. So far
we compared that the resources of ROAs and RSCs are covered by the auth
chain, which is not entirely correct. Extract the necessary data from
the EE cert into rpki-client's own data structures, then verify that
the EE cert's resources cover the ones claimed in the ROA or RSC.

Do this as part of ROA and RSC parsing; that the EE cert's resources are
covered by the auth chain is checked in valid_x509() later on.

All this is a bit more annoying and intrusive than it should be...

ok claudio job


# 1.40 10-Jun-2022 tb

Dedup econtent version checks

Since the ASN.1 template conversions, we have three copies of mostly dead
code that validates that the econtent version is at its default value 0.
Until a new standard bumps this version and we decide to support that,
we're better off with only one copy of this code.

ok claudio


# 1.39 07-Jun-2022 tb

Fix path validation of AS numbers

If a certificate along the chain does not have an AS numbers extension,
this is a failure condition according to RFC 3779, section 3.3.

ok job


# 1.38 15-May-2022 tb

More KNF and whitespace fixes.


# 1.37 15-May-2022 tb

Remove misplaced continue

ok job


# 1.36 15-May-2022 deraadt

whitespace spotted during read-thru


# 1.35 12-May-2022 tb

Remove verify callback

It is no longer possible to build rpki-client with LibreSSL < 3.5 or with
OpenSSL built with OPENSSL_NO_RFC3779, so this compat code can be retired.

ok claudio job


# 1.34 12-May-2022 tb

nuke tabs


# 1.33 11-May-2022 job

In filemode check whether ROA & RSC resources are properly contained

with and OK tb@ claudio@


# 1.32 10-May-2022 tb

Validate RSC filenames

Factor out POSIX portable filename check into a new valid_filename() and
rename the previous valid_filename() to valid_mft_filename(). Fixes and
supersedes incomplete checks in the RSC code. Avoids truncation via
strndup() in case of embedded NULs.

input/ok claudio


# 1.31 21-Apr-2022 claudio

The filemode code is different enough from the regular parser code that it
makes sense to totally split it out. Duplicate proc_parser_cert_validate()
and proc_parser_root_cert() for now.

The valid_x509() plus the required static functions are moved to validate.c.
The crl_tree code moved into crl.c similar to the auth_tree handling in
cert.c. All the proc functions are now tagged with __attribute(noreturn)
which allows removing the errx() after them.

OK tb@


# 1.30 19-Apr-2022 claudio

Adjust on how CRL and MFT files are verified.

Verify the CRL referenced from the mft against the mft's fileAndHash info.
If the CRL matches then load it and use it to validate this mft. If the
mft validated OK add the now also valid CRL to the auth store for later use.

Before the newest CRL was always selected but that has negative consequences
because it is common practice to revoke the previous MFT's EE cert and with
that the cache is turned useless as soon as a new CRL is used. Also there
was a possibility that the CRL used for validation of the MFT was not the
one later used.

Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part
of the validation process. We opted in favor of the cached MFT.

With and OK tb@


Revision tags: OPENBSD_7_1_BASE
# 1.29 04-Feb-2022 job

Fix outdated comment

Nowadays SKI/AKI validation happens in proc_parser_roa()


# 1.28 23-Jan-2022 tb

zap extra blank line


# 1.27 23-Jan-2022 claudio

Simplify valid_cert() and valid_roa() by passing in struct auth instead
of looking it up again. For this, valid_roa() needs to be moved up in
proc_parser_roa(); also move out the assignment of the TAL id. Not the
right thing to alter an object in a validation function.
OK tb@


# 1.26 22-Jan-2022 tb

Change valid_filename() to return an enum rtype and rename it to
rtype_from_mftfile(). Move both rtype_from functions to mft.c.

ok beck claudio


# 1.25 21-Jan-2022 tb

Add function to determine the file type from the file name extension

rpki-client uses the same idiom to determine the file type in too many
places. Use one function that determines the appropriate RTYPE from the
file name. Add that type to struct mftfile and use this new member to
simplify queue_add_from_mft*().

input/ok claudio


# 1.24 13-Jan-2022 claudio

Alter valid_filehash() to take a file descriptor instead of a path.
This is needed so that callers can allow a file to be in multiple
locations. Also move mft_check() from mft.c to parser.c.
OK tb@


# 1.23 26-Dec-2021 tb

fix spelling of inheritance


# 1.22 04-Nov-2021 claudio

Instead of passing tal descriptions around just pass a tal id and
use a small lookup table to print the description in the output path.
OK tb@


# 1.21 01-Nov-2021 claudio

Cleanup struct auth a bit. The tal description is also stored in the cert
and the filename is only used in tracewarn which is not that helpful.
OK tb@


# 1.20 29-Oct-2021 claudio

Ensure that RRDP snapshot and delta files are fetched from the same host
as the notification file.
OK tb@ job@


# 1.19 27-Oct-2021 beck

Add limits on size of certain untrusted inputs

ok job@


# 1.18 27-Oct-2021 job

Limit length on URIs

OK beck@


# 1.17 24-Oct-2021 job

Restrict the characterset for filenames on Manifests

feedback from benno@

OK claudio@
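
An added worked example (my own C, not rpki-client code) of the filename checks described in this commit and in 1.32 above: a POSIX portable filename check applied to a pointer/length pair, so that an embedded NUL is rejected here instead of being silently truncated by a later strndup(), plus a manifest variant that additionally requires a known RPKI object extension. The length cap and the extension list are assumptions of the example, not rpki-client's actual tables.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_ASSUMED 255	/* assumed cap for this example */

/* POSIX portable filename character set: A-Z a-z 0-9 . _ - */
static int
portable_char(unsigned char c)
{
	return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
	    (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
}

/*
 * Example code, not rpki-client's.  fn/len may come straight from an
 * ASN.1 string, so NUL bytes inside the buffer are possible and must
 * fail the charset check rather than end the string early.
 */
static int
valid_filename(const char *fn, size_t len)
{
	size_t i;

	if (len == 0 || len > NAME_MAX_ASSUMED)
		return 0;
	for (i = 0; i < len; i++)
		if (!portable_char((unsigned char)fn[i]))
			return 0;	/* also rejects '/', NUL, non-ASCII */
	if (fn[0] == '-')		/* POSIX: hyphen must not be first */
		return 0;
	if (fn[0] == '.' && (len == 1 || (len == 2 && fn[1] == '.')))
		return 0;		/* "." and ".." are path components */
	return 1;
}

/* Manifest entry: portable name plus one of the (assumed) extensions. */
static int
valid_mft_filename(const char *fn, size_t len)
{
	static const char *const exts[] =
	    { ".cer", ".crl", ".mft", ".roa", ".gbr", ".asa" };
	size_t i, n = sizeof(exts) / sizeof(exts[0]);

	if (!valid_filename(fn, len))
		return 0;
	for (i = 0; i < n; i++) {
		size_t elen = strlen(exts[i]);
		/* len > elen: there must be at least one char before the dot */
		if (len > elen && memcmp(fn + len - elen, exts[i], elen) == 0)
			return 1;
	}
	return 0;
}

int
main(void)
{
	/* constructed names; the second carries an embedded NUL */
	const char good[] = "abc-1_2.roa";
	const char nul[] = "abc\0def.roa";

	printf("%s -> %d\n", good, valid_mft_filename(good, sizeof good - 1));
	printf("abc\\0def.roa -> %d\n", valid_mft_filename(nul, sizeof nul - 1));
	printf("../abc.roa -> %d\n", valid_filename("../abc.roa", 10));
	return 0;
}
```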


# 1.16 11-Oct-2021 job

Add support for BGPsec Router Certificates (RFC 8209)

BGPsec router keys are extracted from RPKI certificates and
emitted via the JSON output in base64 encoded form.

OK tb@ claudio@


Revision tags: OPENBSD_7_0_BASE
# 1.15 16-Aug-2021 jsg

branches: 1.15.4;
add missing break
ok claudio@


# 1.14 19-Apr-2021 deraadt

code review results in KNF, and moving local variables into lowest scope
ok claudio


Revision tags: OPENBSD_6_9_BASE
# 1.13 05-Mar-2021 claudio

branches: 1.13.2;
Factor out the URI check we do in various places into valid_uri().
RRDP will add a bunch more checks so this makes even more sense.
With and OK tb@


# 1.12 05-Mar-2021 claudio

Factor out the SHA256 hash checks into valid_filehash() so that it can
be used by the RRDP code as well.
OK tb@


Revision tags: OPENBSD_6_8_BASE
# 1.11 12-Sep-2020 claudio

Include openssl/x509.h in extern.h since it uses a few of the typedefs from
there in structs and prototypes. Remove the openssl/ssl.h and other strange
openssl includes in the .c files that don't use openssl specific functions.
OK beck@ and tb@


Revision tags: OPENBSD_6_7_BASE
# 1.10 29-Nov-2019 benno

e2k19 - above par
s/EXIT_FAILURE/1/
ok claudio@


# 1.9 29-Nov-2019 claudio

valid_as() should be as strict as valid_ip() when it comes to not-covered
blocks. No longer bubble up the chain in the hope that something is covered.
If this causes issues people need to fix the repository where it causes
errors.
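
An added worked example (my own C, not rpki-client code, and a simplified model rather than its struct cert/struct auth) of the AS resource path validation this commit and 1.39 above describe: every certificate with an explicit AS set is checked against the nearest issuer that has an explicit AS set, skipping issuers that inherit; an issuer without any AS numbers extension on that path is a failure (RFC 3779, section 3.3), and a range the nearest explicit issuer does not cover is a failure even if a certificate further up the chain would cover it. The constructed chain, AS numbers and function names are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum as_kind { AS_NONE, AS_INHERIT, AS_EXPLICIT };

struct as_range { uint32_t min, max; };

struct cert {
	const char *name;
	enum as_kind kind;
	const struct as_range *ranges;
	size_t nranges;
	const struct cert *issuer;	/* NULL for the trust anchor */
};

/*
 * Canonical RFC 3779 encoding has no adjacent or overlapping ranges, so a
 * subject range must fit inside a single issuer range.
 */
static int
range_covered(const struct cert *c, const struct as_range *r)
{
	size_t i;

	for (i = 0; i < c->nranges; i++)
		if (r->min >= c->ranges[i].min && r->max <= c->ranges[i].max)
			return 1;
	return 0;
}

/* Check one certificate against its issuers. */
static int
valid_as_one(const struct cert *c)
{
	const struct cert *issuer;
	size_t i;

	if (c->kind != AS_EXPLICIT)
		return 1;	/* inherit or no AS extension: nothing to cover */
	for (i = 0; i < c->nranges; i++) {
		for (issuer = c->issuer; issuer != NULL; issuer = issuer->issuer) {
			if (issuer->kind == AS_NONE)
				return 0;	/* RFC 3779 3.3: issuer lacks the extension */
			if (issuer->kind == AS_INHERIT)
				continue;	/* its resources are its issuer's */
			/* the first explicit issuer decides, no bubbling further up */
			if (!range_covered(issuer, &c->ranges[i]))
				return 0;
			break;
		}
		if (issuer == NULL)
			return 0;	/* ran off the chain without an explicit set */
	}
	return 1;
}

/* Validate the whole chain from the leaf up to (excluding) the TA. */
static int
valid_as_chain(const struct cert *c)
{
	for (; c->issuer != NULL; c = c->issuer)
		if (!valid_as_one(c))
			return 0;
	return 1;
}

/*
 * Constructed chain TA -> CA1 -> CA2 -> EE; the EE claims [min, max].
 * CA1 inherits, or with ca1_none set carries no AS extension at all.
 */
static int
check_leaf(uint32_t min, uint32_t max, int ca1_none)
{
	static const struct as_range ta_r[] = { { 64496, 64511 } };
	static const struct as_range ca2_r[] =
	    { { 64496, 64500 }, { 64508, 64511 } };
	const struct as_range ee_r[] = { { min, max } };
	const struct cert ta = { "TA", AS_EXPLICIT, ta_r, 1, NULL };
	const struct cert ca1 = { "CA1", ca1_none ? AS_NONE : AS_INHERIT,
	    NULL, 0, &ta };
	const struct cert ca2 = { "CA2", AS_EXPLICIT, ca2_r, 2, &ca1 };
	const struct cert ee = { "EE", AS_EXPLICIT, ee_r, 1, &ca2 };

	return valid_as_chain(&ee);
}

int
main(void)
{
	printf("AS64497-64498 via inherit: %d\n", check_leaf(64497, 64498, 0));
	printf("AS64505 (TA covers, CA2 not): %d\n", check_leaf(64505, 64505, 0));
	printf("AS64497-64498, CA1 has no AS ext: %d\n",
	    check_leaf(64497, 64498, 1));
	return 0;
}
```

The second case is the one the commit message calls out: AS64505 lies inside the TA's block, but since CA2 did not receive it, bubbling up to the TA would accept a resource the immediate issuer never delegated.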


# 1.8 28-Nov-2019 claudio

Convert the auths array into an RB tree indexed by SKI. For fast lookups
the parent auth struct is stored as a pointer so walking up the certificate
chain remains simple. Doing this replaces a few slow lookups and speeds up
rpki-client by a factor of 2.
OK benno@


# 1.7 27-Nov-2019 benno

Only store ta certs in the trust store and build chains of the
intermediate certificates for use in X509_STORE_CTX_init(). To do that
save the X509 cert in struct cert.
claudio sees > 2x speed increase.

ok claudio@ and feedback from jsing@ and beck@.


# 1.6 18-Nov-2019 claudio

Add and fix some comments.
From kristaps@


Revision tags: OPENBSD_6_6_BASE
# 1.5 08-Oct-2019 claudio

Rewrite the output handling of rpki-client and add an option to dump the
data in JSON format. To make the JSON output the same as the output of the
RIPE rpki-validator the basename of the TAL had to be added and passed around
in rpki-client. Additionally the VRPs are now stored in an RB tree in the
main process instead of keeping them per ROA object. This changes the sort
order to be in network order and no longer just lexicographical.
Agreed by job@ deraadt@


# 1.4 19-Jun-2019 deraadt

use $OpenBSD$ headers


# 1.3 19-Jun-2019 deraadt

indentation adjustments, in particular near warn statements
ok claudio


# 1.2 17-Jun-2019 deraadt

Don't do -portable in base. It is better done outside the tree.
Imagine if we did it throughout the tree, how many copies of strlcpy
would we have, and how much time would all the configure shell scripts
and includes take? It would be ludicrous.


# 1.1 17-Jun-2019 job

branches: 1.1.1;
Initial revision


# 1.75 12-Jun-2024 tb

rpki-client: avoid hard error when hitting the maximum cert id

Instead, continue processing what we can but avoid lots of warning noise.
Error out at the end of the parser process to avoid loading a bad config
into bgpd. This isn't great as it is and can be refined in tree.

ok claudio


# 1.74 20-May-2024 claudio

Instead of tracking certificates by SKI track them by an internal identifier.

The certificate SKI is not strictly unique so using it as a unique id is
problematic. It is also not really needed to do that since in theory we
already know the path (but this got lost in the privsep communication).
So add a cert id and pass this id back and forth between main process and
the parser. With this id we can lookup the authentication chain in the
parser and this even works with multiple paths to the same resource.
Since we no longer lookup by SKI the valid_aki_ski function is replaced
by find_issuer() which does the lookup by certid.

The loop protection is now extended to allow each TAL to reach each file
once but still triggers if a file is reaccessed by the tree of a TAL.

In filemode the lookup now uses an AIA uri based lookup tree. Again this
replaces the SKI based lookups from before.

Done together with tb@
OK tb@ job@


# 1.73 19-Mar-2024 tb

Rename parent to issuer in struct auth

Parent is confusing and issuer is the appropriate terminology. This is
a mechanical diff. The only remaining uses of 'parent' in this code
base now mean 'parent process'.

discussed with beck and job
ok job


Revision tags: OPENBSD_7_5_BASE
# 1.72 22-Feb-2024 job

Add support for RPKI Signed Prefix Lists

Signed Prefix List are a CMS protected content type for use with the
RPKI to carry the complete list of prefixes which an Autonomous System
may originate to all or any of its routing peers. The validation of a
Signed Prefix List confirms that the holder of the listed ASN produced
the object, and that this list is a current, accurate and complete
description of address prefixes that may be announced into the routing
system originated by this AS.

https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-prefixlist

with and OK claudio@ tb@


# 1.71 01-Feb-2024 tb

Normalize the nid printing

OBJ_nid2* can return NULL if the gloriously consistent objects.txt
database doesn't specify a long or a short name. So try the long name
first, fall back to the short name, and if both fail, use "unknown".
Always include the nid as a decimal.

ok claudio


# 1.70 07-Jan-2024 tb

rpki-client: print revocation time in filemode

If a certificate was revoked, extract the revocation timestamp and
update the warning message in filemode to include it.

ok job


# 1.69 27-Dec-2023 tb

Rework the warnings on internet resources

Unify the printing of warnings about AS numbers and IP address blocks to
use a call to as_warn() and ip_warn(). Fix a bug in the latter where the
upper bound of an IP range didn't take the RFC 3779 encoding into account
and passed the address directly to inet_pton() rather than filling the
missing bits with 1. Switch the argument order to match the warnings and
tweak some warning messages.

ok claudio job


# 1.68 19-Oct-2023 job

Add experimental support for secp256r1 aka P-256 aka prime256v1

ECDSA signatures are much smaller than RSA signatures while offering
similar security. Adding support for P-256 now allows CA developers
to test their implementations, and paving the way for signers in the
production environment in the future to take advantage of ECDSA.

OK tb@


Revision tags: OPENBSD_7_4_BASE
# 1.67 25-Sep-2023 job

Introduce ip_addr_range_print() to avoid code repetition

OK tb@


# 1.66 29-Jun-2023 tb

Retire log.c

Convert all cryptowarnx() and cryptoerrx() to appropriate versions of
warn() and err{,x}(). Neither users nor developers benefit from them.
If we need better errors, we need to do some thinking. libcrypto won't
do that for us.

suggested by claudio
ok job


# 1.65 07-Jun-2023 tb

Cosmetic tweak for previous

Once we expect ASPA version 1 and someone sends us version 0, make that
explicit instead of complaining about ASN1_INTEGER_get_uint64() failing.

ok job


# 1.64 07-Jun-2023 job

In anticipation of a bump of the ASPA eContent profile version, update
valid_econtent_version() to allow for non-zero versions.

OK tb@


# 1.63 30-May-2023 claudio

Revert commitid ANSBO0rBvIUtTi45:
Make rpki-client choose the verification time of the time it is invoked
rather than always getting the current system time for every certificate
verification. This will result in output that is not variable on run-time.

Using the time of invocation does not work well with fast publishing CAs. It
can take a few minutes to reach a repo and that CA may have issued certificates
that are not yet valid if that startup time of rpki-client is used to validate.

This still keeps the -P option to specify a fixed validation time.
OK beck@ job@ tb@


# 1.62 23-May-2023 tb

Convert ASN1_INTEGER_get() to ASN1_INTEGER_get_uint64()

The former is broken by design and should not be used. The latter allows
for unambiguous error checking. Add a few casts to print uint64_t without
the PRIu64 monstrosity.

ok claudio


# 1.61 11-May-2023 claudio

In valid_cert() also skip the check for CERT_IP_INHERIT objects like
it is done for CERT_AS_INHERIT.

Without this inheritance of IP address resources does not work. Problem
noticed by Ties de Kock (tdekock (at) ripe.net)

OK job@ tb@ benno@


# 1.60 09-May-2023 tb

rpki-client: use partial chains in certificate validation

The generally rather poor quality RFC 3779 code in libcrypto also performs
abysmally. Flame graphs show that nearly 20% of the parser process is spent
in addr_contains() alone. There is room for improvement in addr_contains()
itself - the containment check for prefixes could be optimized quite a bit.
We can avoid a lot of the most expensive work for certificates with tons of
resources close to the TA by using the verifier's partial chains flag.

More precisely, in the tree of already validated certs look for the first
one that has no inherited RFC 3779 resources and use that as 'trust anchor'
for our chains via the X509_V_FLAG_PARTIAL_CHAIN flag. This way we can be
sure that a leaf's delegated resources are properly covered and at the same
time significantly shorten most paths validated.

Job's and my testing indicates that this avoids 30-50% of overhead and works
equally well with LibreSSL and OpenSSL >= 1.1. The main bottlenecks in the
parser process now appear to be SHA-2 and RSA/BIGNUM, two well-known pain
points in libcrypto.

This is based on a hint by beck and was discussed extensively with beck,
claudio and job during and after m2k23.

ok claudio job


# 1.59 27-Apr-2023 beck

Make rpki-client choose the verification time of the time it is invoked
rather than always getting the current system time for every certificate
verification. This will result in output that is not variable on run-time.

ok tb@ claudio@


# 1.58 26-Apr-2023 beck

Add a -P option to rpki-client to specify the evaluation time

This is intended to be able to test rpki-client in a reproducable
way without worrying about the system time changing the results

ok claudio@


# 1.57 14-Apr-2023 tb

A tab snuck in


# 1.56 13-Apr-2023 job

Check whether products listed on a manifest were issued by the same authority as the manifest itself

OK tb@


Revision tags: OPENBSD_7_3_BASE
# 1.55 06-Mar-2023 job

branches: 1.55.4;
Add check for RSA key pair modulus & public exponent

Both the SPKI inside a CA's .cer TBS section and Signers wrapped in CMS
must be RSA, with mod 2048 & (e) 0x10001

OK tb@


# 1.54 18-Jan-2023 job

Require version 4 UUIDs as RRDP session IDs

OK tb@


# 1.53 18-Jan-2023 tb

rpki-client: explicitly enable policy checks

In x509_verify.c r1.62, beck disabled policy checks by default in the new
X.509 verifier to match the behavior of the legacy validator and OpenSSL.
In order to keep policy checks as mandated by RFC 7318, we need to opt
into them explicitly.

ok beck


# 1.52 04-Jan-2023 claudio

Validate the session_id to be a real UUID.

RFC 8182 requires the session_id to be a version 4 random UUID (using
variant 1). Now checking the version and variant is currently disabled
because there is at least one CA with a session_id that is all random
and therefor the version check triggers there.
Joint work with job@. OK job@, tb@


# 1.51 30-Nov-2022 job

Remove unused sys/socket.h include

OK claudio@


# 1.50 29-Nov-2022 job

Only include stdarg.h, if we call any of va_{start,end}()

OK tb@


# 1.49 29-Nov-2022 claudio

Update valid_x509 comment to reality. crl is no longer optional.
OK tb@


# 1.48 29-Nov-2022 claudio

Return an error string instead of surpressing the warning in valid_x509.
This way manifests can should a better error message when something fails.
With and OK tb@


# 1.47 26-Nov-2022 job

Add support for authenticating geofeed data CSV files in filemode

RFC 9092 describes a scheme in which an authenticator is appended to a
geofeed (RFC 8805) file. It is a digest of the main body of the file
signed by the private key of the relevant RPKI certificate for a covering
address range. The authenticator is a detached CMS signature.

with and OK tb@


# 1.46 02-Nov-2022 tb

Length check URI before strncasecmp()

A priori URI is not NUL terminated, so we should first check it is long
enough before comparing it against proto. As a side effect, this now
rejects "https://" and "rsync://", which are invalid due to the missing
host in the authority section.

ok claudio


Revision tags: OPENBSD_7_2_BASE
# 1.45 03-Sep-2022 job

branches: 1.45.2;
Don't doublecheck whether the RSC eContent Resourceblock contains inherit elements

The RSC ASN.1 templates make it impossible to pass an RFC3779-style inherit option
because of the use of ConstrainedIPAddressFamily and ConstrainedASIdentifiers.

OK tb@


# 1.44 03-Sep-2022 job

Introduce x509_any_inherit() for objects which may not have inherit elements

Unify conformance checking of Trust Anchors, ROAs, ASPAs, RSCs - none of which
may have any 'inherit' elements in the RFC 3779 IP/AS Resources extension of
the X509 certificate.

OK tb@


# 1.43 03-Sep-2022 tb

Move non-inheritance check for BGPsec certs into cert_parse_pre()

ok claudio job (as part of a larger diff)


# 1.42 30-Aug-2022 job

Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)

ASPA objects are published in the RPKI and can be used to detect and
mitigate BGP route leaks. Validated ASPA Payloads are visible through
filemode (-f) and the JSON output format (-j).

With feedback from tb@

OK claudio@ tb@


# 1.41 19-Aug-2022 tb

Check the resources in ROAs and RSCs against EE certs

The resources delegated in the RFC 3779 extensions of the EE cert for
ROAs or RSCs can be a subset of the resources in the auth chain. So far
we compared that the resources of ROAs and RSCs are covered by the auth
chain, which is not entirely correct. Extract the necessary data from
the EE cert into rpki-client's own data structures, then verify that
the EE cert's resources cover the ones claimed in the ROA or RSC.

Do this as part or ROA and RSC parsing, that the EE cert's resources are
covered by the auth chain is checked in valid_x509() later on.

All this is a bit more annoying and intrusive than it should be...

ok claudio job


# 1.40 10-Jun-2022 tb

Dedup econtent version checks

Since the ASN.1 template conversions, we have three copies of mostly dead
code that validates that the econtent version is at its default value 0.
Until a new standard bumps this version and we decide to support that,
we're better off with only one copy of this code.

ok claudio


# 1.39 07-Jun-2022 tb

Fix path validation of AS numbers

If a certificate along the chain does not have an AS numbers extension,
this is a failure condition according to RFC 3779, section 3.3.

ok job


# 1.38 15-May-2022 tb

More KNF and whitespace fixes.


# 1.37 15-May-2022 tb

Remove misplaced continue

ok job


# 1.36 15-May-2022 deraadt

whitespace spotted during read-thru


# 1.35 12-May-2022 tb

Remove verify callback

It is no longer possible to build rpki-client with LibreSSL < 3.5 or with
OpenSSL built with OPENSSL_NO_RFC3779, so this compat code can be retired.

ok claudio job


# 1.34 12-May-2022 tb

nuke tabs


# 1.33 11-May-2022 job

In filemode check whether ROA & RSC resources are properly contained

with and OK tb@ claudio@


# 1.32 10-May-2022 tb

Validate RSC filenames

Factor out POSIX portable filename check into a new valid_filename() and
rename the previous valid_filename() to valid_mft_filename(). Fixes and
supersedes incomplete checks in the RSC code. Avoids truncation via
strndup() in case of embedded NULs.

input/ok claudio
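The check this commit describes, a POSIX portable filename test over a length-delimited buffer that rejects embedded NULs rather than letting strndup() truncate, as an added illustration; this is not rpki-client's own valid_filename(), and the function name and the sample names are constructed here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical stand-in for a POSIX portable filename check (not the
 * rpki-client implementation). The input is a (pointer, length) pair as it
 * comes out of an ASN.1 string, so it is not assumed to be NUL terminated.
 *
 * Returns 1 if the name is acceptable, 0 otherwise.
 */
int
portable_filename_ok(const char *fn, size_t len)
{
	size_t i;

	if (len == 0)
		return 0;

	/*
	 * An embedded NUL would make strndup() stop early and silently
	 * validate a shorter name than the one that was actually encoded.
	 */
	if (memchr(fn, '\0', len) != NULL)
		return 0;

	/* "." and ".." are directory names, never an object file. */
	if ((len == 1 && fn[0] == '.') ||
	    (len == 2 && fn[0] == '.' && fn[1] == '.'))
		return 0;

	/* POSIX portable filename character set: [A-Za-z0-9._-] only. */
	for (i = 0; i < len; i++) {
		unsigned char c = (unsigned char)fn[i];

		if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
		    (c >= '0' && c <= '9') || c == '.' || c == '_' ||
		    c == '-'))
			return 0;
	}

	/* POSIX also discourages a leading '-' (looks like an option). */
	if (fn[0] == '-')
		return 0;

	return 1;
}

int
main(void)
{
	/* Constructed sample names; "bad\0name.roa" carries an embedded NUL. */
	static const struct {
		const char *fn;
		size_t len;
	} samples[] = {
		{ "example.roa", 11 },
		{ "bad\0name.roa", 12 },
		{ "has space.mft", 13 },
		{ "..", 2 },
		{ "-dash.crl", 9 },
	};
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-14.*s %s\n", (int)samples[i].len, samples[i].fn,
		    portable_filename_ok(samples[i].fn, samples[i].len) ?
		    "ok" : "rejected");
	return 0;
}
```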


# 1.31 21-Apr-2022 claudio

The filemode code is different enough from the regular parser code that it
makes sense to totally split it out. Duplicate proc_parser_cert_validate()
and proc_parser_root_cert() for now.

The valid_x509() plus the required static functions are moved to validate.c.
The crl_tree code moved into crl.c similar to the auth_tree handling in
cert.c. All the proc functions are now tagged with __attribute(noreturn)
which allows removing the errx() after them.

OK tb@


# 1.30 19-Apr-2022 claudio

Adjust how CRL and MFT files are verified.

Verify the CRL referenced from the mft against the mft's fileAndHash info.
If the CRL matches then load it and use it to validate this mft. If the
mft validated OK add the now also valid CRL to the auth store for later use.

Before the newest CRL was always selected but that has negative consequences
because it is common practice to revoke the previous MFT's EE cert and with
that the cache is turned useless as soon as a new CRL is used. Also there
was a possibility that the CRL used for validation of the MFT was not the
one later used.

Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part
of the validation process. We opted in favor of the cached MFT.

With and OK tb@


Revision tags: OPENBSD_7_1_BASE
# 1.29 04-Feb-2022 job

Fix outdated comment

Nowadays SKI/AKI validation happens in proc_parser_roa()


# 1.28 23-Jan-2022 tb

zap extra blank line


# 1.27 23-Jan-2022 claudio

Simplify valid_cert() and valid_roa() by passing in struct auth instead
of looking it up again. For this valid_roa() needs to be moved up in
proc_parser_roa(); also move out the assignment of the TAL id. Not the
right thing to alter an object in a validation function.
OK tb@


# 1.26 22-Jan-2022 tb

Change valid_filename() to return an enum rtype and rename it to
rtype_from_mftfile(). Move both rtype_from functions to mft.c.

ok beck claudio


# 1.25 21-Jan-2022 tb

Add function to determine the file type from the file name extension

rpki-client uses the same idiom to determine the file type in too many
places. Use one function that determines the appropriate RTYPE from the
file name. Add that type to struct mftfile and use this new member to
simplify queue_add_from_mft*().

input/ok claudio


# 1.24 13-Jan-2022 claudio

Alter valid_filehash() to take a file descriptor instead of a path.
This is needed so that callers can allow a file to be in multiple
locations. Also move mft_check() from mft.c to parser.c.
OK tb@


# 1.23 26-Dec-2021 tb

fix spelling of inheritance


# 1.22 04-Nov-2021 claudio

Instead of passing tal descriptions around just pass a tal id and
use a small lookup table to print the description in the output path.
OK tb@


# 1.21 01-Nov-2021 claudio

Cleanup struct auth a bit. The tal description is also stored in the cert
and the filename is only used in tracewarn which is not that helpful.
OK tb@


# 1.20 29-Oct-2021 claudio

Ensure that RRDP snapshot and delta files are fetched from the same host
as the notification file.
OK tb@ job@


# 1.19 27-Oct-2021 beck

Add limits on size of certain untrusted inputs

ok job@


# 1.18 27-Oct-2021 job

Limit length on URIs

OK beck@


# 1.17 24-Oct-2021 job

Restrict the character set for filenames on Manifests

feedback from benno@

OK claudio@


# 1.16 11-Oct-2021 job

Add support for BGPsec Router Certificates (RFC 8209)

BGPsec router keys are extracted from RPKI certificates and
emitted via the JSON output in base64 encoded form.

OK tb@ claudio@


Revision tags: OPENBSD_7_0_BASE
# 1.15 16-Aug-2021 jsg

branches: 1.15.4;
add missing break
ok claudio@


# 1.14 19-Apr-2021 deraadt

code review results in KNF, and moving local variables into lowest scope
ok claudio


Revision tags: OPENBSD_6_9_BASE
# 1.13 05-Mar-2021 claudio

branches: 1.13.2;
Factor out the URI check we do in various places into valid_uri().
RRDP will add a bunch more checks so this makes even more sense.
With and OK tb@


# 1.12 05-Mar-2021 claudio

Factor out the SHA256 hash checks into valid_filehash() so that it can
be used by the RRDP code as well.
OK tb@


Revision tags: OPENBSD_6_8_BASE
# 1.11 12-Sep-2020 claudio

Include openssl/x509.h in extern.h since it uses a few of the typedefs from
there in structs and prototypes. Remove the openssl/ssl.h and other strange
openssl includes in the .c files that don't use openssl specific functions.
OK beck@ and tb@


Revision tags: OPENBSD_6_7_BASE
# 1.10 29-Nov-2019 benno

e2k19 - above par
s/EXIT_FAILURE/1/
ok claudio@


# 1.9 29-Nov-2019 claudio

valid_as() should be as strict as valid_ip() when it comes to not-covered
blocks. No longer bubble up the chain in the hope that something is covered.
If this causes issues people need to fix the repository where it causes
errors.


# 1.8 28-Nov-2019 claudio

Convert the auths array into an RB tree indexed by SKI. For fast lookups
the parent auth struct is stored as a pointer so walking up the certificate
chain remains simple. Doing this replaces a few slow lookups and speeds up
rpki-client by a factor of 2.
OK benno@


# 1.7 27-Nov-2019 benno

Only store ta certs in the trust store and build chains of the
intermediate certificates for use in X509_STORE_CTX_init(). To do that
save the X509 cert in struct cert.
claudio sees > 2x speed increase.

ok claudio@ and feedback from jsing@ and beck@.


# 1.6 18-Nov-2019 claudio

Add and fix some comments.
From kristaps@


Revision tags: OPENBSD_6_6_BASE
# 1.5 08-Oct-2019 claudio

Rewrite the output handling of rpki-client and add an option to dump the
data in JSON format. To make the JSON output the same as the output of the
RIPE rpki-validator the basename of the TAL had to be added and passed around
in rpki-client. Additionally the VRPs are now stored in an RB tree in the
main process instead of keeping them per ROA object. This changes the sort
order to be in network order and no longer just lexicographical.
Agreed by job@ deraadt@


# 1.4 19-Jun-2019 deraadt

use $OpenBSD$ headers


# 1.3 19-Jun-2019 deraadt

indentation adjustments, in particular near warn statements
ok claudio


# 1.2 17-Jun-2019 deraadt

Don't do -portable in base. It is better done outside the tree.
Imagine if we did it throughout the tree, how many copies of strlcpy
would we have, and how much time would all the configure shell scripts
and includes take? It would be ludicrous.


# 1.1 17-Jun-2019 job

branches: 1.1.1;
Initial revision


# 1.73 19-Mar-2024 tb

Rename parent to issuer in struct auth

Parent is confusing and issuer is the appropriate terminology. This is
a mechanical diff. The only remaining uses of 'parent' in this code
base now mean 'parent process'.

discussed with beck and job
ok job


Revision tags: OPENBSD_7_5_BASE
# 1.72 22-Feb-2024 job

Add support for RPKI Signed Prefix Lists

Signed Prefix List are a CMS protected content type for use with the
RPKI to carry the complete list of prefixes which an Autonomous System
may originate to all or any of its routing peers. The validation of a
Signed Prefix List confirms that the holder of the listed ASN produced
the object, and that this list is a current, accurate and complete
description of address prefixes that may be announced into the routing
system originated by this AS.

https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-prefixlist

with and OK claudio@ tb@


# 1.71 01-Feb-2024 tb

Normalize the nid printing

OBJ_nid2* can return NULL if the gloriously consistent objects.txt
database doesn't specify a long or a short name. So try the long name
first, fall back to the short name, and if both fail, use "unknown".
Always include the nid as a decimal.

ok claudio


# 1.70 07-Jan-2024 tb

rpki-client: print revocation time in filemode

If a certificate was revoked, extract the revocation timestamp and
update the warning message in filemode to include it.

ok job


# 1.69 27-Dec-2023 tb

Rework the warnings on internet resources

Unify the printing of warnings about AS numbers and IP address blocks to
use a call to as_warn() and ip_warn(). Fix a bug in the latter where the
upper bound of an IP range didn't take the RFC 3779 encoding into account
and passed the address directly to inet_pton() rather than filling the
missing bits with 1. Switch the argument order to match the warnings and
tweak some warning messages.

ok claudio job


# 1.68 19-Oct-2023 job

Add experimental support for secp256r1 aka P-256 aka prime256v1

ECDSA signatures are much smaller than RSA signatures while offering
similar security. Adding support for P-256 now allows CA developers
to test their implementations, and paving the way for signers in the
production environment in the future to take advantage of ECDSA.

OK tb@


Revision tags: OPENBSD_7_4_BASE
# 1.67 25-Sep-2023 job

Introduce ip_addr_range_print() to avoid code repetition

OK tb@


# 1.66 29-Jun-2023 tb

Retire log.c

Convert all cryptowarnx() and cryptoerrx() to appropriate versions of
warn() and err{,x}(). Neither users nor developers benefit from them.
If we need better errors, we need to do some thinking. libcrypto won't
do that for us.

suggested by claudio
ok job


# 1.65 07-Jun-2023 tb

Cosmetic tweak for previous

Once we expect ASPA version 1 and someone sends us version 0, make that
explicit instead of complaining about ASN1_INTEGER_get_uint64() failing.

ok job


# 1.64 07-Jun-2023 job

In anticipation of a bump of the ASPA eContent profile version, update
valid_econtent_version() to allow for non-zero versions.

OK tb@


# 1.63 30-May-2023 claudio

Revert commitid ANSBO0rBvIUtTi45:
Make rpki-client choose the verification time of the time it is invoked
rather than always getting the current system time for every certificate
verification. This will result in output that is not variable on run-time.

Using the time of invocation does not work well with fast publishing CAs. It
can take a few minutes to reach a repo and that CA may have issued certificates
that are not yet valid if that startup time of rpki-client is used to validate.

This still keeps the -P option to specify a fixed validation time.
OK beck@ job@ tb@


# 1.62 23-May-2023 tb

Convert ASN1_INTEGER_get() to ASN1_INTEGER_get_uint64()

The former is broken by design and should not be used. The latter allows
for unambiguous error checking. Add a few casts to print uint64_t without
the PRIu64 monstrosity.

ok claudio


# 1.61 11-May-2023 claudio

In valid_cert() also skip the check for CERT_IP_INHERIT objects like
it is done for CERT_AS_INHERIT.

Without this inheritance of IP address resources does not work. Problem
noticed by Ties de Kock (tdekock (at) ripe.net)

OK job@ tb@ benno@


# 1.60 09-May-2023 tb

rpki-client: use partial chains in certificate validation

The generally rather poor quality RFC 3779 code in libcrypto also performs
abysmally. Flame graphs show that nearly 20% of the parser process is spent
in addr_contains() alone. There is room for improvement in addr_contains()
itself - the containment check for prefixes could be optimized quite a bit.
We can avoid a lot of the most expensive work for certificates with tons of
resources close to the TA by using the verifier's partial chains flag.

More precisely, in the tree of already validated certs look for the first
one that has no inherited RFC 3779 resources and use that as 'trust anchor'
for our chains via the X509_V_FLAG_PARTIAL_CHAIN flag. This way we can be
sure that a leaf's delegated resources are properly covered and at the same
time significantly shorten most paths validated.

Job's and my testing indicates that this avoids 30-50% of overhead and works
equally well with LibreSSL and OpenSSL >= 1.1. The main bottlenecks in the
parser process now appear to be SHA-2 and RSA/BIGNUM, two well-known pain
points in libcrypto.

This is based on a hint by beck and was discussed extensively with beck,
claudio and job during and after m2k23.

ok claudio job


# 1.59 27-Apr-2023 beck

Make rpki-client choose the verification time of the time it is invoked
rather than always getting the current system time for every certificate
verification. This will result in output that is not variable on run-time.

ok tb@ claudio@


# 1.58 26-Apr-2023 beck

Add a -P option to rpki-client to specify the evaluation time

This is intended to be able to test rpki-client in a reproducable
way without worrying about the system time changing the results

ok claudio@


# 1.57 14-Apr-2023 tb

A tab snuck in


# 1.56 13-Apr-2023 job

Check whether products listed on a manifest were issued by the same authority as the manifest itself

OK tb@


Revision tags: OPENBSD_7_3_BASE
# 1.55 06-Mar-2023 job

branches: 1.55.4;
Add check for RSA key pair modulus & public exponent

Both the SPKI inside a CA's .cer TBS section and Signers wrapped in CMS
must be RSA, with mod 2048 & (e) 0x10001

OK tb@


# 1.54 18-Jan-2023 job

Require version 4 UUIDs as RRDP session IDs

OK tb@


# 1.53 18-Jan-2023 tb

rpki-client: explicitly enable policy checks

In x509_verify.c r1.62, beck disabled policy checks by default in the new
X.509 verifier to match the behavior of the legacy validator and OpenSSL.
In order to keep policy checks as mandated by RFC 7318, we need to opt
into them explicitly.

ok beck


# 1.52 04-Jan-2023 claudio

Validate the session_id to be a real UUID.

RFC 8182 requires the session_id to be a version 4 random UUID (using
variant 1). Now checking the version and variant is currently disabled
because there is at least one CA with a session_id that is all random
and therefore the version check triggers there.
Joint work with job@. OK job@, tb@
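As an added example (not rpki-client's own code), the RFC 8182 session_id check described above in C: first the RFC 4122 UUID syntax, then the version 4 nibble and the variant 1 bits, with a flag that mirrors disabling the version and variant check for a CA whose session_id is fully random. The function names and the sample UUIDs are constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/*
 * RFC 4122 text form: xxxxxxxx-xxxx-Mxxx-Nxxx-xxxxxxxxxxxx
 * M (offset 14) is the version nibble, RFC 8182 requires 4.
 * N (offset 19) carries the variant in its top two bits; variant 1 is
 * binary 10xx, i.e. the hex digits 8, 9, a or b.
 */
#define UUID_LEN	36
#define UUID_VERSION_OFF	14
#define UUID_VARIANT_OFF	19

/* Return 1 if s[0..len) is a well-formed UUID: hex digits and dashes. */
static int
uuid_syntax_ok(const char *s, size_t len)
{
	size_t i;

	if (len != UUID_LEN)
		return 0;
	for (i = 0; i < UUID_LEN; i++) {
		if (i == 8 || i == 13 || i == 18 || i == 23) {
			if (s[i] != '-')
				return 0;
		} else if (!isxdigit((unsigned char)s[i]))
			return 0;
	}
	return 1;
}

/*
 * Validate an RRDP session_id (example function, hypothetical name).
 * With check_ver_var set the UUID must be version 4, variant 1; with it
 * cleared only the syntax is checked, which is the lenient mode needed
 * while some CA publishes an all-random session_id.
 * Returns 1 if acceptable, 0 otherwise.
 */
int
valid_session_id(const char *s, size_t len, int check_ver_var)
{
	int ver, var;

	if (!uuid_syntax_ok(s, len))
		return 0;
	if (!check_ver_var)
		return 1;
	ver = tolower((unsigned char)s[UUID_VERSION_OFF]);
	var = tolower((unsigned char)s[UUID_VARIANT_OFF]);
	if (ver != '4')
		return 0;
	return var == '8' || var == '9' || var == 'a' || var == 'b';
}
```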


# 1.51 30-Nov-2022 job

Remove unused sys/socket.h include

OK claudio@


# 1.50 29-Nov-2022 job

Only include stdarg.h if we call any of va_{start,end}()

OK tb@


# 1.49 29-Nov-2022 claudio

Update valid_x509 comment to reality. crl is no longer optional.
OK tb@


# 1.48 29-Nov-2022 claudio

Return an error string instead of suppressing the warning in valid_x509.
This way manifests can show a better error message when something fails.
With and OK tb@


# 1.47 26-Nov-2022 job

Add support for authenticating geofeed data CSV files in filemode

RFC 9092 describes a scheme in which an authenticator is appended to a
geofeed (RFC 8805) file. It is a digest of the main body of the file
signed by the private key of the relevant RPKI certificate for a covering
address range. The authenticator is a detached CMS signature.

with and OK tb@


# 1.46 02-Nov-2022 tb

Length check URI before strncasecmp()

A priori URI is not NUL terminated, so we should first check it is long
enough before comparing it against proto. As a side effect, this now
rejects "https://" and "rsync://", which are invalid due to the missing
host in the authority section.

ok claudio


Revision tags: OPENBSD_7_2_BASE
# 1.45 03-Sep-2022 job

branches: 1.45.2;
Don't double-check whether the RSC eContent Resourceblock contains inherit elements

The RSC ASN.1 templates make it impossible to pass an RFC3779-style inherit option
because of the use of ConstrainedIPAddressFamily and ConstrainedASIdentifiers.

OK tb@


# 1.44 03-Sep-2022 job

Introduce x509_any_inherit() for objects which may not have inherit elements

Unify conformance checking of Trust Anchors, ROAs, ASPAs, RSCs - none of which
may have any 'inherit' elements in the RFC 3779 IP/AS Resources extension of
the X509 certificate.

OK tb@


# 1.43 03-Sep-2022 tb

Move non-inheritance check for BGPsec certs into cert_parse_pre()

ok claudio job (as part of a larger diff)


# 1.42 30-Aug-2022 job

Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)

ASPA objects are published in the RPKI and can be used to detect and
mitigate BGP route leaks. Validated ASPA Payloads are visible through
filemode (-f) and the JSON output format (-j).

With feedback from tb@

OK claudio@ tb@


# 1.41 19-Aug-2022 tb

Check the resources in ROAs and RSCs against EE certs

The resources delegated in the RFC 3779 extensions of the EE cert for
ROAs or RSCs can be a subset of the resources in the auth chain. So far
we compared that the resources of ROAs and RSCs are covered by the auth
chain, which is not entirely correct. Extract the necessary data from
the EE cert into rpki-client's own data structures, then verify that
the EE cert's resources cover the ones claimed in the ROA or RSC.

Do this as part of ROA and RSC parsing; that the EE cert's resources are
covered by the auth chain is checked in valid_x509() later on.

All this is a bit more annoying and intrusive than it should be...

ok claudio job


# 1.40 10-Jun-2022 tb

Dedup econtent version checks

Since the ASN.1 template conversions, we have three copies of mostly dead
code that validates that the econtent version is at its default value 0.
Until a new standard bumps this version and we decide to support that,
we're better off with only one copy of this code.

ok claudio


# 1.39 07-Jun-2022 tb

Fix path validation of AS numbers

If a certificate along the chain does not have an AS numbers extension,
this is a failure condition according to RFC 3779, section 3.3.

ok job


# 1.38 15-May-2022 tb

More KNF and whitespace fixes.


# 1.37 15-May-2022 tb

Remove misplaced continue

ok job


# 1.36 15-May-2022 deraadt

whitespace spotted during read-thru


# 1.35 12-May-2022 tb

Remove verify callback

It is no longer possible to build rpki-client with LibreSSL < 3.5 or with
OpenSSL built with OPENSSL_NO_RFC3779, so this compat code can be retired.

ok claudio job


# 1.34 12-May-2022 tb

nuke tabs


# 1.33 11-May-2022 job

In filemode check whether ROA & RSC resources are properly contained

with and OK tb@ claudio@


# 1.32 10-May-2022 tb

Validate RSC filenames

Factor out POSIX portable filename check into a new valid_filename() and
rename the previous valid_filename() to valid_mft_filename(). Fixes and
supersedes incomplete checks in the RSC code. Avoids truncation via
strndup() in case of embedded NULs.

input/ok claudio


# 1.31 21-Apr-2022 claudio

The filemode code is different enough from the regular parser code that it
makes sense to totally split it out. Duplicate proc_parser_cert_validate()
and proc_parser_root_cert() for now.

The valid_x509() plus the required static functions are moved to validate.c.
The crl_tree code moved into crl.c similar to the auth_tree handling in
cert.c. All the proc functions are now tagged with __attribute(noreturn)
which allows to remove the errx() after them.

OK tb@


# 1.30 19-Apr-2022 claudio

Adjust on how CRL and MFT files are verified.

Verify the CRL referenced from the mft against the mft's fileAndHash info.
If the CRL matches then load it and use it to validate this mft. If the
mft validated OK add the now also valid CRL to the auth store for later use.

Before the newest CRL was always selected but that has negative consequences
because it is common practice to revoke the previous MFT's EE cert and with
that the cache is turned useless as soon as a new CRL is used. Also there
was a possibility that the CRL used for validation of the MFT was not the
one later used.

Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part
of the validation process. We opted in favor of the cached MFT.

With and OK tb@


Revision tags: OPENBSD_7_1_BASE
# 1.29 04-Feb-2022 job

Fix outdated comment

Nowadays SKI/AKI validation happens in proc_parser_roa()


# 1.28 23-Jan-2022 tb

zap extra blank line


# 1.27 23-Jan-2022 claudio

Simplify valid_cert() and valid_roa() by passing in struct auth instead
of looking it up again. For this valid_roa() needs to be moved up in
proc_parser_roa(). Also move out the assignment of the TAL id. Not the
right thing to alter an object in a validation function.
OK tb@


# 1.26 22-Jan-2022 tb

Change valid_filename() to return an enum rtype and rename it to
rtype_from_mftfile(). Move both rtype_from functions to mft.c.

ok beck claudio


# 1.25 21-Jan-2022 tb

Add function to determine the file type from the file name extension

rpki-client uses the same idiom to determine the file type in too many
places. Use one function that determines the appropriate RTYPE from the
file name. Add that type to struct mftfile and use this new member to
simplify queue_add_from_mft*().

input/ok claudio


# 1.24 13-Jan-2022 claudio

Alter valid_filehash() to take a file descriptor instead of a path.
This is needed so that callers can allow a file to be in multiple
locations. Also move mft_check() from mft.c to parser.c.
OK tb@


# 1.23 26-Dec-2021 tb

fix spelling of inheritance


# 1.22 04-Nov-2021 claudio

Instead of passing tal descriptions around just pass a tal id and
use a small lookup table to print the description in the output path.
OK tb@


# 1.21 01-Nov-2021 claudio

Cleanup struct auth a bit. The tal description is also stored in the cert
and the filename is only used in tracewarn which is not that helpful.
OK tb@


# 1.20 29-Oct-2021 claudio

Ensure that RRDP snapshot and delta files are fetched from the same host
as the notification file.
OK tb@ job@


# 1.19 27-Oct-2021 beck

Add limits on size of certain untrusted inputs

ok job@


# 1.18 27-Oct-2021 job

Limit length on URIs

OK beck@


# 1.17 24-Oct-2021 job

Restrict the characterset for filenames on Manifests

feedback from benno@

OK claudio@


# 1.16 11-Oct-2021 job

Add support for BGPsec Router Certificates (RFC 8209)

BGPsec router keys are extracted from RPKI certificates and
emitted via the JSON output in base64 encoded form.

OK tb@ claudio@


Revision tags: OPENBSD_7_0_BASE
# 1.15 16-Aug-2021 jsg

branches: 1.15.4;
add missing break
ok claudio@


# 1.14 19-Apr-2021 deraadt

code review results in KNF, and moving local variables into lowest scope
ok claudio


Revision tags: OPENBSD_6_9_BASE
# 1.13 05-Mar-2021 claudio

branches: 1.13.2;
Factor out the URI check we do in various places into valid_uri().
RRDP will add a bunch more checks so this makes even more sense.
With and OK tb@


# 1.12 05-Mar-2021 claudio

Factor out the SHA256 hash checks into valid_filehash() so that it can
be used by the RRDP code as well.
OK tb@


Revision tags: OPENBSD_6_8_BASE
# 1.11 12-Sep-2020 claudio

Include openssl/x509.h in extern.h since it uses a few of the typedefs from
there in structs and prototypes. Remove the openssl/ssl.h and other strange
openssl includes in the .c files that don't use openssl specific functions.
OK beck@ and tb@


Revision tags: OPENBSD_6_7_BASE
# 1.10 29-Nov-2019 benno

e2k19 - above par
s/EXIT_FAILURE/1/
ok claudio@


# 1.9 29-Nov-2019 claudio

valid_as() should be as strict as valid_ip() when it comes to not-covered
blocks. No longer bubble up the chain in the hope that something is covered.
If this causes issues people need to fix the repository where it causes
errors.


# 1.8 28-Nov-2019 claudio

Convert the auths array into an RB tree indexed by SKI. For fast lookups
the parent auth struct is stored as a pointer so walking up the certificate
chain remains simple. Doing this replaces a few slow lookups and speeds up
rpki-client by a factor of 2.
OK benno@


# 1.7 27-Nov-2019 benno

Only store ta certs in the trust store and build chains of the
intermediate certificates for use in X509_STORE_CTX_init(). To do that
save the X509 cert in struct cert.
claudio sees > 2x speed increase.

ok claudio@ and feedback from jsing@ and beck@.


# 1.6 18-Nov-2019 claudio

Add and fix some comments.
From kristaps@


Revision tags: OPENBSD_6_6_BASE
# 1.5 08-Oct-2019 claudio

Rewrite the output handling of rpki-client and add an option to dump the
data in JSON format. To make the JSON output the same as the output of the
RIPE rpki-validator the basename of the TAL had to be added and passed around
in rpki-client. Additionally the VRPs are now stored in an RB tree in the
main process instead of keeping them per ROA object. This changes the sort
order to be in network order and no longer just lexicographical.
Agreed by job@ deraadt@


# 1.4 19-Jun-2019 deraadt

use $OpenBSD$ headers


# 1.3 19-Jun-2019 deraadt

indentation adjustments, in particular near warn statements
ok claudio


# 1.2 17-Jun-2019 deraadt

Don't do -portable in base. It is better done outside the tree.
Imagine if we did it throughout the tree, how many copies of strlcpy
would we have, and how much time would all the configure shell scripts
and includes take? It would be ludicrous.


# 1.1 17-Jun-2019 job

branches: 1.1.1;
Initial revision


# 1.72 22-Feb-2024 job

Add support for RPKI Signed Prefix Lists

Signed Prefix List are a CMS protected content type for use with the
RPKI to carry the complete list of prefixes which an Autonomous System
may originate to all or any of its routing peers. The validation of a
Signed Prefix List confirms that the holder of the listed ASN produced
the object, and that this list is a current, accurate and complete
description of address prefixes that may be announced into the routing
system originated by this AS.

https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-prefixlist

with and OK claudio@ tb@


# 1.71 01-Feb-2024 tb

Normalize the nid printing

OBJ_nid2* can return NULL if the gloriously consistent objects.txt
database doesn't specify a long or a short name. So try the long name
first, fall back to the short name, and if both fail, use "unknown".
Always include the nid as a decimal.

ok claudio


# 1.70 07-Jan-2024 tb

rpki-client: print revocation time in filemode

If a certificate was revoked, extract the revocation timestamp and
update the warning message in filemode to include it.

ok job


# 1.69 27-Dec-2023 tb

Rework the warnings on internet resources

Unify the printing of warnings about AS numbers and IP address blocks to
use a call to as_warn() and ip_warn(). Fix a bug in the latter where the
upper bound of an IP range didn't take the RFC 3779 encoding into account
and passed the address directly to inet_pton() rather than filling the
missing bits with 1. Switch the argument order to match the warnings and
tweak some warning messages.

ok claudio job
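An added example (not the project's code) of the RFC 3779 bound expansion that the ip_warn() fix above concerns: an IPAddressRange stores its minimum with trailing zero bits stripped and its maximum with trailing one bits stripped, so the bits missing from the maximum must be filled with 1 before the address is printed or compared. The function names and the 10.0.32.0-10.0.63.255 sample range are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Expand an RFC 3779 IPAddress BIT STRING (nbits significant bits, stored
 * MSB-first in bits[], at least (nbits + 7) / 8 bytes) to a full
 * addrlen-byte address. fill selects the value of the omitted trailing
 * bits: 0 for a prefix or a range minimum, 1 for a range maximum.
 * Returns 0 on success, -1 if nbits does not fit the address family.
 */
int
ip_expand(const unsigned char *bits, size_t nbits, size_t addrlen, int fill,
    unsigned char *out)
{
	size_t full = nbits / 8, rem = nbits % 8;
	unsigned char mask;

	if (nbits > addrlen * 8)
		return -1;
	memset(out, fill ? 0xff : 0x00, addrlen);
	memcpy(out, bits, full);
	if (rem != 0) {
		/* keep the rem significant bits, fill the rest of the byte */
		mask = (unsigned char)(0xff << (8 - rem));
		out[full] = (unsigned char)((bits[full] & mask) |
		    (fill ? (unsigned char)~mask : 0));
	}
	return 0;
}

/* Lower bound of an IPAddressRange: the missing bits are 0. */
int
ip_range_min(const unsigned char *bits, size_t nbits, size_t addrlen,
    unsigned char *out)
{
	return ip_expand(bits, nbits, addrlen, 0, out);
}

/* Upper bound of an IPAddressRange: the missing bits are 1. */
int
ip_range_max(const unsigned char *bits, size_t nbits, size_t addrlen,
    unsigned char *out)
{
	return ip_expand(bits, nbits, addrlen, 1, out);
}

/* Containment: min <= addr <= max, comparing big-endian address bytes. */
int
ip_in_range(const unsigned char *addr, const unsigned char *min,
    const unsigned char *max, size_t addrlen)
{
	return memcmp(addr, min, addrlen) >= 0 &&
	    memcmp(addr, max, addrlen) <= 0;
}

static void
print4(const char *label, const unsigned char *a)
{
	printf("%s %u.%u.%u.%u\n", label, a[0], a[1], a[2], a[3]);
}

int
main(void)
{
	/* Constructed sample: 10.0.32.0 - 10.0.63.255 as RFC 3779 encodes it. */
	static const unsigned char minbits[] = { 0x0a, 0x00, 0x20 }; /* 19 bits */
	static const unsigned char maxbits[] = { 0x0a, 0x00, 0x00 }; /* 18 bits */
	unsigned char lo[4], hi[4], wrong[4];

	ip_range_min(minbits, 19, sizeof(lo), lo);
	ip_range_max(maxbits, 18, sizeof(hi), hi);
	/* What zero-filling the maximum yields: an inverted, empty range. */
	ip_expand(maxbits, 18, sizeof(wrong), 0, wrong);

	print4("min:", lo);
	print4("max:", hi);
	print4("max with missing bits filled with 0:", wrong);
	return 0;
}
```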


# 1.68 19-Oct-2023 job

Add experimental support for secp256r1 aka P-256 aka prime256v1

ECDSA signatures are much smaller than RSA signatures while offering
similar security. Adding support for P-256 now allows CA developers
to test their implementations, and paves the way for signers in the
production environment in the future to take advantage of ECDSA.

OK tb@


Revision tags: OPENBSD_7_4_BASE
# 1.67 25-Sep-2023 job

Introduce ip_addr_range_print() to avoid code repetition

OK tb@


# 1.66 29-Jun-2023 tb

Retire log.c

Convert all cryptowarnx() and cryptoerrx() to appropriate versions of
warn() and err{,x}(). Neither users nor developers benefit from them.
If we need better errors, we need to do some thinking. libcrypto won't
do that for us.

suggested by claudio
ok job


# 1.65 07-Jun-2023 tb

Cosmetic tweak for previous

Once we expect ASPA version 1 and someone sends us version 0, make that
explicit instead of complaining about ASN1_INTEGER_get_uint64() failing.

ok job


# 1.64 07-Jun-2023 job

In anticipation of a bump of the ASPA eContent profile version, update
valid_econtent_version() to allow for non-zero versions.

OK tb@


# 1.63 30-May-2023 claudio

Revert commitid ANSBO0rBvIUtTi45:
Make rpki-client choose the verification time of the time it is invoked
rather than always getting the current system time for every certificate
verification. This will result in output that is not variable on run-time.

Using the time of invocation does not work well with fast publishing CAs. It
can take a few minutes to reach a repo and that CA may have issued certificates
that are not yet valid if that startup time of rpki-client is used to validate.

This still keeps the -P option to specify a fixed validation time.
OK beck@ job@ tb@


# 1.62 23-May-2023 tb

Convert ASN1_INTEGER_get() to ASN1_INTEGER_get_uint64()

The former is broken by design and should not be used. The latter allows
for unambiguous error checking. Add a few casts to print uint64_t without
the PRIu64 monstrosity.

ok claudio


# 1.61 11-May-2023 claudio

In valid_cert() also skip the check for CERT_IP_INHERIT objects like
it is done for CERT_AS_INHERIT.

Without this, inheritance of IP address resources does not work. Problem
noticed by Ties de Kock (tdekock (at) ripe.net)

OK job@ tb@ benno@


# 1.60 09-May-2023 tb

rpki-client: use partial chains in certificate validation

The generally rather poor quality RFC 3779 code in libcrypto also performs
abysmally. Flame graphs show that nearly 20% of the parser process is spent
in addr_contains() alone. There is room for improvement in addr_contains()
itself - the containment check for prefixes could be optimized quite a bit.
We can avoid a lot of the most expensive work for certificates with tons of
resources close to the TA by using the verifier's partial chains flag.

More precisely, in the tree of already validated certs look for the first
one that has no inherited RFC 3779 resources and use that as 'trust anchor'
for our chains via the X509_V_FLAG_PARTIAL_CHAIN flag. This way we can be
sure that a leaf's delegated resources are properly covered and at the same
time significantly shorten most paths validated.

Job's and my testing indicates that this avoids 30-50% of overhead and works
equally well with LibreSSL and OpenSSL >= 1.1. The main bottlenecks in the
parser process now appear to be SHA-2 and RSA/BIGNUM, two well-known pain
points in libcrypto.

This is based on a hint by beck and was discussed extensively with beck,
claudio and job during and after m2k23.

ok claudio job


# 1.59 27-Apr-2023 beck

Make rpki-client choose the verification time of the time it is invoked
rather than always getting the current system time for every certificate
verification. This will result in output that is not variable on run-time.

ok tb@ claudio@


# 1.58 26-Apr-2023 beck

Add a -P option to rpki-client to specify the evaluation time

This is intended to be able to test rpki-client in a reproducable
way without worrying about the system time changing the results

ok claudio@


# 1.57 14-Apr-2023 tb

A tab snuck in


# 1.56 13-Apr-2023 job

Check whether products listed on a manifest were issued by the same authority as the manifest itself

OK tb@


Revision tags: OPENBSD_7_3_BASE
# 1.55 06-Mar-2023 job

branches: 1.55.4;
Add check for RSA key pair modulus & public exponent

Both the SPKI inside a CA's .cer TBS section and Signers wrapped in CMS
must be RSA, with mod 2048 & (e) 0x10001

OK tb@


# 1.54 18-Jan-2023 job

Require version 4 UUIDs as RRDP session IDs

OK tb@


# 1.53 18-Jan-2023 tb

rpki-client: explicitly enable policy checks

In x509_verify.c r1.62, beck disabled policy checks by default in the new
X.509 verifier to match the behavior of the legacy validator and OpenSSL.
In order to keep policy checks as mandated by RFC 7318, we need to opt
into them explicitly.

ok beck


# 1.52 04-Jan-2023 claudio

Validate the session_id to be a real UUID.

RFC 8182 requires the session_id to be a version 4 random UUID (using
variant 1). Now checking the version and variant is currently disabled
because there is at least one CA with a session_id that is all random
and therefor the version check triggers there.
Joint work with job@. OK job@, tb@


# 1.51 30-Nov-2022 job

Remove unused sys/socket.h include

OK claudio@


# 1.50 29-Nov-2022 job

Only include stdarg.h, if we call any of va_{start,end}()

OK tb@


# 1.49 29-Nov-2022 claudio

Update valid_x509 comment to reality. crl is no longer optional.
OK tb@


# 1.48 29-Nov-2022 claudio

Return an error string instead of surpressing the warning in valid_x509.
This way manifests can should a better error message when something fails.
With and OK tb@


# 1.47 26-Nov-2022 job

Add support for authenticating geofeed data CSV files in filemode

RFC 9092 describes a scheme in which an authenticator is appended to a
geofeed (RFC 8805) file. It is a digest of the main body of the file
signed by the private key of the relevant RPKI certificate for a covering
address range. The authenticator is a detached CMS signature.

with and OK tb@


# 1.46 02-Nov-2022 tb

Length check URI before strncasecmp()

A priori URI is not NUL terminated, so we should first check it is long
enough before comparing it against proto. As a side effect, this now
rejects "https://" and "rsync://", which are invalid due to the missing
host in the authority section.

ok claudio


Revision tags: OPENBSD_7_2_BASE
# 1.45 03-Sep-2022 job

branches: 1.45.2;
Don't doublecheck whether the RSC eContent Resourceblock contains inherit elements

The RSC ASN.1 templates make it impossible to pass an RFC3779-style inherit option
because of the use of ConstrainedIPAddressFamily and ConstrainedASIdentifiers.

OK tb@


# 1.44 03-Sep-2022 job

Introduce x509_any_inherit() for objects which may not have inherit elements

Unify conformance checking of Trust Anchors, ROAs, ASPAs, RSCs - none of which
may have any 'inherit' elements in the RFC 3779 IP/AS Resources extension of
the X509 certificate.

OK tb@


# 1.43 03-Sep-2022 tb

Move non-inheritance check for BGPsec certs into cert_parse_pre()

ok claudio job (as part of a larger diff)


# 1.42 30-Aug-2022 job

Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)

ASPA objects are published in the RPKI and can be used to detect and
mitigate BGP route leaks. Validated ASPA Payloads are visible through
filemode (-f) and the JSON output format (-j).

With feedback from tb@

OK claudio@ tb@


# 1.41 19-Aug-2022 tb

Check the resources in ROAs and RSCs against EE certs

The resources delegated in the RFC 3779 extensions of the EE cert for
ROAs or RSCs can be a subset of the resources in the auth chain. So far
we compared that the resources of ROAs and RSCs are covered by the auth
chain, which is not entirely correct. Extract the necessary data from
the EE cert into rpki-client's own data structures, then verify that
the EE cert's resources cover the ones claimed in the ROA or RSC.

Do this as part or ROA and RSC parsing, that the EE cert's resources are
covered by the auth chain is checked in valid_x509() later on.

All this is a bit more annoying and intrusive than it should be...

ok claudio job


# 1.40 10-Jun-2022 tb

Dedup econtent version checks

Since the ASN.1 template conversions, we have three copies of mostly dead
code that validates that the econtent version is at its default value 0.
Until a new standard bumps this version and we decide to support that,
we're better off with only one copy of this code.

ok claudio


# 1.39 07-Jun-2022 tb

Fix path validation of AS numbers

If a certificate along the chain does not have an AS numbers extension,
this is a failure condition according to RFC 3779, section 3.3.

ok job


# 1.38 15-May-2022 tb

More KNF and whitespace fixes.


# 1.37 15-May-2022 tb

Remove misplaced continue

ok job


# 1.36 15-May-2022 deraadt

whitespace spotted during read-thru


# 1.35 12-May-2022 tb

Remove verify callback

It is no longer possible to build rpki-client with LibreSSL < 3.5 or with
OpenSSL built with OPENSSL_NO_RFC3779, so this compat code can be retired.

ok claudio job


# 1.34 12-May-2022 tb

nuke tabs


# 1.33 11-May-2022 job

In filemode check whether ROA & RSC resources are properly contained

with and OK tb@ claudio@


# 1.32 10-May-2022 tb

Validate RSC filenames

Factor out POSIX portable filename check into a new valid_filename() and
rename the previous valid_filename() to valid_mft_filename(). Fixes and
supersedes imcomplete checks in the RSC code. Avoids truncation via
strndup() in case of embedded NULs.

input/ok claudio


# 1.31 21-Apr-2022 claudio

The filemode code is enough different from the regular parser code that it
makes sense to totally split it out. Duplicate proc_parser_cert_validate()
and proc_parser_root_cert() for now.

The valid_x509() plus the required static functions are moved to validate.c.
The crl_tree code moved into crl.c similar to the auth_tree handling in
cert.c. All the proc functions are now tagged with __attribute(noreturn)
which allows to remove the errx() after them.

OK tb@


# 1.30 19-Apr-2022 claudio

Adjust on how CRL and MFT files are verified.

Verify the CRL referenced from the mft against the mft's fileAndHash info.
If the CRL matches then load it and use it to validate this mft. If the
mft validated OK add the now also valid CRL to the auth store for later use.

Before the newest CRL was always selected but that has negative consequences
because it is common practice to revoke the previous MFT's EE cert and with
that the cache is turned useless as soon as a new CRL is used. Also there
was a possibility that the CRL used for validation of the MFT was not the
one later used.

Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part
of the validation process. We opted in favor of the chached MFT.

With and OK tb@


Revision tags: OPENBSD_7_1_BASE
# 1.29 04-Feb-2022 job

Fix outdated comment

Nowadays SKI/AKI validation happens in proc_parser_roa()


# 1.28 23-Jan-2022 tb

zap extra blank line


# 1.27 23-Jan-2022 claudio

Simplify valid_cert() and valid_roa() by passing in struct auth instead
of looking it up again. For this valid_roa() needs to be moved up in
proc_parser_roa() also move out the assignment of the TAL id. Not the
right thing to alter an object in a validation function.
OK tb@


# 1.26 22-Jan-2022 tb

Change valid_filename() ot return an enum rtype and rename it to
rtype_from_mftfile(). Move both rtype_from functions to mft.c.

ok beck claudio


# 1.25 21-Jan-2022 tb

Add function to determine the file type from the file name extension

rpki-client uses the same idiom to determine the file type in too many
places. Use one function that determines the appropriate RTYPE from the
file name. Add that type to struct mftfile and use this new member to
simplify queue_add_from_mft*().

input/ok claudio


# 1.24 13-Jan-2022 claudio

Alter valid_filehash() to take a file descriptor instead of a path.
This is needed so that callers can allow a file to be in multiple
locations. Also move mft_check() from mft.c to parser.c.
OK tb@


# 1.23 26-Dec-2021 tb

fix spelling of inheritance


# 1.22 04-Nov-2021 claudio

Instead of passing tal descriptions around just pass a tal id and
use a small lookup table to print the description in the output path.
OK tb@


# 1.21 01-Nov-2021 claudio

Cleanup struct auth a bit. The tal description is also stored in the cert
and the filename is only used in tracewarn which is not that helpful.
OK tb@


# 1.20 29-Oct-2021 claudio

Ensure that RRDP snapshot and delta files are fetched from the same host
as the notification file.
OK tb@ job@


# 1.19 27-Oct-2021 beck

Add limits on size of certain untrusted inputs

ok job@


# 1.18 27-Oct-2021 job

Limit length on URIs

OK beck@


# 1.17 24-Oct-2021 job

Restrict the characterset for filenames on Manifests

feedback from benno@

OK claudio@


# 1.16 11-Oct-2021 job

Add support for BGPsec Router Certificates (RFC 8209)

BGPsec router keys are extracted from RPKI certificates and
emitted via the JSON output in base64 encoded form.

OK tb@ claudio@


Revision tags: OPENBSD_7_0_BASE
# 1.15 16-Aug-2021 jsg

branches: 1.15.4;
add missing break
ok claudio@


# 1.14 19-Apr-2021 deraadt

code review results in KNF, and moving local variables into lowest scope
ok claudio


Revision tags: OPENBSD_6_9_BASE
# 1.13 05-Mar-2021 claudio

branches: 1.13.2;
Factor out the URI check we do in various places into valid_uri().
RRDP will add a bunch more checks so this makes even more sense.
With and OK tb@


# 1.12 05-Mar-2021 claudio

Factor out the SHA256 hash checks into valid_filehash() so that it can
be used by the RRDP code as well.
OK tb@


Revision tags: OPENBSD_6_8_BASE
# 1.11 12-Sep-2020 claudio

Include openssl/x509.h in extern.h since it uses a few of the typedefs from
there in structs and prototypes. Remove the openssl/ssl.h and other strange
openssl includes in the .c files that don't use openssl specific functions.
OK beck@ and tb@


Revision tags: OPENBSD_6_7_BASE
# 1.10 29-Nov-2019 benno

e2k19 - above par
s/EXIT_FAILURE/1/
ok claudio@


# 1.9 29-Nov-2019 claudio

valid_as() should be as strict as valid_ip() when it comes to not-covered
blocks. No longer bubble up the chain in the hope that something is covered.
If this causes issues people need to fix the repository where it causes
errors.


# 1.8 28-Nov-2019 claudio

Convert the auths array into an RB tree indexed by SKI. For fast lookups
the parent auth struct is stored as a pointer so walking up the certificate
chain remains simple. Doing this replaces a few slow lookups and speeds up
rpki-client by a factor of 2.
OK benno@


# 1.7 27-Nov-2019 benno

Only store ta certs in the trust store and build chains of the
intermediate certificates for use in X509_STORE_CTX_init(). To do that
save the X509 cert in struct cert.
claudio sees > 2x speed increase.

ok claudio@ and feedback from jsing@ and beck@.


# 1.6 18-Nov-2019 claudio

Add and fix some comments.
From kristaps@


Revision tags: OPENBSD_6_6_BASE
# 1.5 08-Oct-2019 claudio

Rewrite the output handling of rpki-client and add an option to dump the
data in JSON format. To make the JSON output the same as the output of the
RIPE rpki-validator the basename of the TAL had to be added and passed around
in rpki-client. Additinally the VRPs are now stored in an RB tree in the
main process instead of keeping them per ROA object. This changes the sort
order to be in network order and no longer just lexographical.
Agreed by job@ deraadt@


# 1.4 19-Jun-2019 deraadt

use $OpenBSD$ headers


# 1.3 19-Jun-2019 deraadt

indentation adjustments, in particular near warn statements
ok claudio


# 1.2 17-Jun-2019 deraadt

Don't do -portable in base. It is better done outside the tree.
Imagine if we did it throughout the tree, how many copies of strlcpy
would we have, and how much time would all the configure shell scripts
and includes take? It would be ludicrous.


# 1.1 17-Jun-2019 job

branches: 1.1.1;
Initial revision


# 1.71 01-Feb-2024 tb

Normalize the nid printing

OBJ_nid2* can return NULL if the gloriously consistent objects.txt
database doesn't specify a long or a short name. So try the long name
first, fall back to the short name, and if both fail, use "unknown".
Always include the nid as a decimal.

ok claudio


# 1.70 07-Jan-2024 tb

rpki-client: print revocation time in filemode

If a certificate was revoked, extract the revocation timestamp and
update the warning message in filemode to include it.

ok job


# 1.69 27-Dec-2023 tb

Rework the warnings on internet resources

Unify the printing of warnings about AS numbers and IP address blocks to
use a call to as_warn() and ip_warn(). Fix a bug in the latter where the
upper bound of an IP range didn't take the RFC 3779 encoding into account
and passed the address directly to inet_pton() rather than filling the
missing bits with 1. Switch the argument order to match the warnings and
tweak some warning messages.

ok claudio job


# 1.68 19-Oct-2023 job

Add experimental support for secp256r1 aka P-256 aka prime256v1

ECDSA signatures are much smaller than RSA signatures while offering
similar security. Adding support for P-256 now allows CA developers
to test their implementations, and paving the way for signers in the
production environment in the future to take advantage of ECDSA.

OK tb@


Revision tags: OPENBSD_7_4_BASE
# 1.67 25-Sep-2023 job

Introduce ip_addr_range_print() to avoid code repetition

OK tb@


# 1.66 29-Jun-2023 tb

Retire log.c

Convert all cryptowarnx() and cryptoerrx() to appropriate versions of
warn() and err{,x}(). Neither users nor developers benefit from them.
If we need better errors, we need to do some thinking. libcrypto won't
do that for us.

suggested by claudio
ok job


# 1.65 07-Jun-2023 tb

Cosmetic tweak for previous

Once we expect ASPA version 1 and someone sends us version 0, make that
explicit instead of complaining about ASN1_INTEGER_get_uint64() failing.

ok job


# 1.64 07-Jun-2023 job

In anticipation of a bump of the ASPA eContent profile version, update
valid_econtent_version() to allow for non-zero versions.

OK tb@


# 1.63 30-May-2023 claudio

Revert commitid ANSBO0rBvIUtTi45:
Make rpki-client choose the verification time of the time it is invoked
rather than always getting the current system time for every certificate
verification. This will result in output that is not variable on run-time.

Using the time of invocation does not work well with fast publishing CAs. It
can take a few minutes to reach a repo and that CA may have issued certificates
that are not yet valid if that startup time of rpki-client is used to validate.

This still keeps the -P option to specify a fixed validation time.
OK beck@ job@ tb@


# 1.62 23-May-2023 tb

Convert ASN1_INTEGER_get() to ASN1_INTEGER_get_uint64()

The former is broken by design and should not be used. The latter allows
for unambiguous error checking. Add a few casts to print uint64_t without
the PRIu64 monstrosity.

ok claudio


# 1.61 11-May-2023 claudio

In valid_cert() also skip the check for CERT_IP_INHERIT objects like
it is done for CERT_AS_INHERIT.

Without this inheritance of IP address resources does not work. Problem
noticed by Ties de Kock (tdekock (at) ripe.net)

OK job@ tb@ benno@


# 1.60 09-May-2023 tb

rpki-client: use partial chains in certificate validation

The generally rather poor quality RFC 3779 code in libcrypto also performs
abysmally. Flame graphs show that nearly 20% of the parser process is spent
in addr_contains() alone. There is room for improvement in addr_contains()
itself - the containment check for prefixes could be optimized quite a bit.
We can avoid a lot of the most expensive work for certificates with tons of
resources close to the TA by using the verifier's partial chains flag.

More precisely, in the tree of already validated certs look for the first
one that has no inherited RFC 3779 resources and use that as 'trust anchor'
for our chains via the X509_V_FLAG_PARTIAL_CHAIN flag. This way we can be
sure that a leaf's delegated resources are properly covered and at the same
time significantly shorten most paths validated.

Job's and my testing indicates that this avoids 30-50% of overhead and works
equally well with LibreSSL and OpenSSL >= 1.1. The main bottlenecks in the
parser process now appear to be SHA-2 and RSA/BIGNUM, two well-known pain
points in libcrypto.

This is based on a hint by beck and was discussed extensively with beck,
claudio and job during and after m2k23.

ok claudio job


# 1.59 27-Apr-2023 beck

Make rpki-client choose the time it is invoked as the verification time
rather than always getting the current system time for every certificate
verification. This will result in output that is not variable on run-time.

ok tb@ claudio@


# 1.58 26-Apr-2023 beck

Add a -P option to rpki-client to specify the evaluation time

This is intended to be able to test rpki-client in a reproducible
way without worrying about the system time changing the results.

ok claudio@


# 1.57 14-Apr-2023 tb

A tab snuck in


# 1.56 13-Apr-2023 job

Check whether products listed on a manifest were issued by the same authority as the manifest itself

OK tb@


Revision tags: OPENBSD_7_3_BASE
# 1.55 06-Mar-2023 job

branches: 1.55.4;
Add check for RSA key pair modulus & public exponent

Both the SPKI inside a CA's .cer TBS section and Signers wrapped in CMS
must be RSA, with mod 2048 & (e) 0x10001

OK tb@


# 1.54 18-Jan-2023 job

Require version 4 UUIDs as RRDP session IDs

OK tb@


# 1.53 18-Jan-2023 tb

rpki-client: explicitly enable policy checks

In x509_verify.c r1.62, beck disabled policy checks by default in the new
X.509 verifier to match the behavior of the legacy validator and OpenSSL.
In order to keep policy checks as mandated by RFC 7318, we need to opt
into them explicitly.

ok beck


# 1.52 04-Jan-2023 claudio

Validate the session_id to be a real UUID.

RFC 8182 requires the session_id to be a version 4 random UUID (using
variant 1). Now checking the version and variant is currently disabled
because there is at least one CA with a session_id that is all random
and therefore the version check triggers there.
Joint work with job@. OK job@, tb@

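As an added illustration of the check this commit (and 1.54 above) describes, and not rpki-client's own code: the RRDP session_id must be a canonical 8-4-4-4-12 hex UUID, and RFC 8182 additionally wants a random version 4 UUID with RFC 4122 variant 1, which shows up as a '4' in the thirteenth hex digit and one of 8, 9, a, b in the seventeenth. The strict flag mirrors the situation described above where the version/variant part had to be switched off; the sample session IDs used below are constructed, not taken from any CA.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Check that s is a canonical textual UUID (8-4-4-4-12 hex digits, either
 * case). With strict set, also require version 4 and RFC 4122 variant 1,
 * i.e. the 13th hex digit is '4' and the 17th has its top two bits set to
 * 10 (one of 8, 9, a, b). Returns 1 if acceptable, 0 otherwise.
 */
int
valid_uuid(const char *s, int strict)
{
	static const char layout[] = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx";
	size_t i;
	char c;

	if (strlen(s) != sizeof(layout) - 1)
		return 0;
	for (i = 0; i < sizeof(layout) - 1; i++) {
		c = s[i];
		if (layout[i] == '-') {
			if (c != '-')
				return 0;
		} else if (!isxdigit((unsigned char)c))
			return 0;
	}
	if (!strict)
		return 1;

	/* Version nibble: first digit of the third group (offset 14). */
	if (s[14] != '4')
		return 0;
	/* Variant: first digit of the fourth group (offset 19) must be 10xx. */
	c = (char)tolower((unsigned char)s[19]);
	return c == '8' || c == '9' || c == 'a' || c == 'b';
}

int
main(void)
{
	/* Constructed session IDs: a proper v4 UUID and an "all random" one
	 * whose version and variant digits do not follow RFC 4122. */
	const char *good = "9df4b597-af9e-4dca-bdda-3097c6ab9f32";
	const char *loose = "d1a2b3c4-e5f6-1234-0000-abcdef012345";

	printf("%s: syntax %d, strict %d\n", good, valid_uuid(good, 0),
	    valid_uuid(good, 1));
	printf("%s: syntax %d, strict %d\n", loose, valid_uuid(loose, 0),
	    valid_uuid(loose, 1));
	return 0;
}
```

The "all random" session_id is what the commit refers to: it is a syntactically fine UUID, so with strict == 0 it is accepted, while the strict check that 1.54 re-enables rejects it.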

# 1.51 30-Nov-2022 job

Remove unused sys/socket.h include

OK claudio@


# 1.50 29-Nov-2022 job

Only include stdarg.h, if we call any of va_{start,end}()

OK tb@


# 1.49 29-Nov-2022 claudio

Update valid_x509 comment to reality. crl is no longer optional.
OK tb@


# 1.48 29-Nov-2022 claudio

Return an error string instead of suppressing the warning in valid_x509.
This way manifests can show a better error message when something fails.
With and OK tb@


# 1.47 26-Nov-2022 job

Add support for authenticating geofeed data CSV files in filemode

RFC 9092 describes a scheme in which an authenticator is appended to a
geofeed (RFC 8805) file. It is a digest of the main body of the file
signed by the private key of the relevant RPKI certificate for a covering
address range. The authenticator is a detached CMS signature.

with and OK tb@


# 1.46 02-Nov-2022 tb

Length check URI before strncasecmp()

A priori URI is not NUL terminated, so we should first check it is long
enough before comparing it against proto. As a side effect, this now
rejects "https://" and "rsync://", which are invalid due to the missing
host in the authority section.

ok claudio

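To illustrate the point about length checking a URI that is not NUL terminated (an added example, not the project's valid_uri()): the buffer length is passed explicitly, the scheme is compared only after establishing that at least one byte follows it, and an empty authority such as "rsync://" or "rsync:///x" is rejected. The maximum length constant and the printable-ASCII restriction are assumptions made for this example, not values taken from rpki-client.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Assumed upper bound on URI length for this example. */
#define MAX_URI_LENGTH 2048

/*
 * Validate a URI that is not necessarily NUL terminated: len is the number
 * of valid bytes at uri. proto is the expected scheme prefix including
 * "://", e.g. "rsync://". Returns 1 if the URI starts with proto
 * (case-insensitively), consists of printable ASCII only and has a
 * non-empty host part, 0 otherwise.
 */
int
valid_uri(const char *uri, size_t len, const char *proto)
{
	size_t plen = strlen(proto);
	size_t i;

	if (len == 0 || len > MAX_URI_LENGTH)
		return 0;
	/*
	 * The URI must be strictly longer than the scheme: this both keeps
	 * strncasecmp() inside the buffer and guarantees at least one byte
	 * of authority, so a bare "https://" can never pass.
	 */
	if (len <= plen)
		return 0;
	if (strncasecmp(uri, proto, plen) != 0)
		return 0;
	/* No control characters, whitespace, embedded NUL or non-ASCII. */
	for (i = 0; i < len; i++) {
		unsigned char c = (unsigned char)uri[i];

		if (c <= 0x20 || c >= 0x7f)
			return 0;
	}
	/* An authority that starts with '/' means the host is empty. */
	if (uri[plen] == '/')
		return 0;
	return 1;
}

int
main(void)
{
	/* Constructed inputs; the third is deliberately longer than len. */
	const char *ok = "rsync://rpki.example.net/repo/";
	const char *nohost = "https://";
	const char *unterminated = "rsync://hostXYZ";

	printf("%d %d %d\n", valid_uri(ok, strlen(ok), "rsync://"),
	    valid_uri(nohost, strlen(nohost), "https://"),
	    valid_uri(unterminated, 12, "rsync://"));
	return 0;
}
```

The third call only looks at the first 12 bytes ("rsync://host"), which is exactly the situation the commit describes: the caller knows the length, the string does not end in NUL, and the check must never run past len.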

Revision tags: OPENBSD_7_2_BASE
# 1.45 03-Sep-2022 job

branches: 1.45.2;
Don't double-check whether the RSC eContent Resourceblock contains inherit elements

The RSC ASN.1 templates make it impossible to pass an RFC3779-style inherit option
because of the use of ConstrainedIPAddressFamily and ConstrainedASIdentifiers.

OK tb@


# 1.44 03-Sep-2022 job

Introduce x509_any_inherit() for objects which may not have inherit elements

Unify conformance checking of Trust Anchors, ROAs, ASPAs, RSCs - none of which
may have any 'inherit' elements in the RFC 3779 IP/AS Resources extension of
the X509 certificate.

OK tb@


# 1.43 03-Sep-2022 tb

Move non-inheritance check for BGPsec certs into cert_parse_pre()

ok claudio job (as part of a larger diff)


# 1.42 30-Aug-2022 job

Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)

ASPA objects are published in the RPKI and can be used to detect and
mitigate BGP route leaks. Validated ASPA Payloads are visible through
filemode (-f) and the JSON output format (-j).

With feedback from tb@

OK claudio@ tb@


# 1.41 19-Aug-2022 tb

Check the resources in ROAs and RSCs against EE certs

The resources delegated in the RFC 3779 extensions of the EE cert for
ROAs or RSCs can be a subset of the resources in the auth chain. So far
we compared that the resources of ROAs and RSCs are covered by the auth
chain, which is not entirely correct. Extract the necessary data from
the EE cert into rpki-client's own data structures, then verify that
the EE cert's resources cover the ones claimed in the ROA or RSC.

Do this as part of ROA and RSC parsing; that the EE cert's resources are
covered by the auth chain is checked in valid_x509() later on.

All this is a bit more annoying and intrusive than it should be...

ok claudio job


# 1.40 10-Jun-2022 tb

Dedup econtent version checks

Since the ASN.1 template conversions, we have three copies of mostly dead
code that validates that the econtent version is at its default value 0.
Until a new standard bumps this version and we decide to support that,
we're better off with only one copy of this code.

ok claudio


# 1.39 07-Jun-2022 tb

Fix path validation of AS numbers

If a certificate along the chain does not have an AS numbers extension,
this is a failure condition according to RFC 3779, section 3.3.

ok job


# 1.38 15-May-2022 tb

More KNF and whitespace fixes.


# 1.37 15-May-2022 tb

Remove misplaced continue

ok job


# 1.36 15-May-2022 deraadt

whitespace spotted during read-thru


# 1.35 12-May-2022 tb

Remove verify callback

It is no longer possible to build rpki-client with LibreSSL < 3.5 or with
OpenSSL built with OPENSSL_NO_RFC3779, so this compat code can be retired.

ok claudio job


# 1.34 12-May-2022 tb

nuke tabs


# 1.33 11-May-2022 job

In filemode check whether ROA & RSC resources are properly contained

with and OK tb@ claudio@


# 1.32 10-May-2022 tb

Validate RSC filenames

Factor out POSIX portable filename check into a new valid_filename() and
rename the previous valid_filename() to valid_mft_filename(). Fixes and
supersedes incomplete checks in the RSC code. Avoids truncation via
strndup() in case of embedded NULs.

input/ok claudio

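An added example, not rpki-client's code, of a length-delimited POSIX portable filename check in the spirit of this commit: the name is validated byte by byte over its declared length, so an embedded NUL fails the character-set test instead of truncating the name the way strndup() would. The rejection of "." and "..", the manifest variant and its extension list are illustrative assumptions for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * POSIX portable filename character set: A-Z a-z 0-9 . _ -
 * The input is length-delimited because it comes straight out of an ASN.1
 * string and may carry embedded NULs; a NUL byte is simply not in the set,
 * so the name is rejected rather than silently shortened.
 */
int
valid_filename(const char *fn, size_t len)
{
	size_t i;

	if (len == 0)
		return 0;
	for (i = 0; i < len; i++) {
		unsigned char c = (unsigned char)fn[i];

		if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
		    (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-')
			continue;
		return 0;	/* includes '/', NUL and anything non-ASCII */
	}
	/* "." and ".." pass the character test but are not file names. */
	if (fn[0] == '.' && (len == 1 || (len == 2 && fn[1] == '.')))
		return 0;
	return 1;
}

/*
 * Manifest entries must in addition have a non-empty base name and one of
 * the object extensions listed here (illustrative list, lower case only).
 */
int
valid_mft_filename(const char *fn, size_t len)
{
	static const char *const exts[] = { ".cer", ".crl", ".roa", ".gbr", ".asa" };
	size_t i;

	if (!valid_filename(fn, len))
		return 0;
	if (len <= 4)
		return 0;	/* at least one base name byte plus ".xxx" */
	for (i = 0; i < sizeof(exts) / sizeof(exts[0]); i++)
		if (memcmp(fn + len - 4, exts[i], 4) == 0)
			return 1;
	return 0;
}

int
main(void)
{
	/* Constructed names; the second has an embedded NUL at offset 2. */
	const char plain[] = "abc.roa";
	const char nul[] = "ab\0c.roa";
	const char traversal[] = "../x.roa";

	printf("%d %d %d\n", valid_mft_filename(plain, sizeof(plain) - 1),
	    valid_filename(nul, sizeof(nul) - 1),
	    valid_filename(traversal, sizeof(traversal) - 1));
	return 0;
}
```

A NUL-terminated API would have seen "ab" for the second name and accepted it; passing the ASN.1 length through, as above, is what makes the embedded NUL visible to the check.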

# 1.31 21-Apr-2022 claudio

The filemode code is different enough from the regular parser code that it
makes sense to totally split it out. Duplicate proc_parser_cert_validate()
and proc_parser_root_cert() for now.

The valid_x509() plus the required static functions are moved to validate.c.
The crl_tree code moved into crl.c similar to the auth_tree handling in
cert.c. All the proc functions are now tagged with __attribute(noreturn)
which allows to remove the errx() after them.

OK tb@


# 1.30 19-Apr-2022 claudio

Adjust how CRL and MFT files are verified.

Verify the CRL referenced from the mft against the mft's fileAndHash info.
If the CRL matches then load it and use it to validate this mft. If the
mft validated OK, add the now also valid CRL to the auth store for later use.

Before the newest CRL was always selected but that has negative consequences
because it is common practice to revoke the previous MFT's EE cert and with
that the cache is turned useless as soon as a new CRL is used. Also there
was a possibility that the CRL used for validation of the MFT was not the
one later used.

Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part
of the validation process. We opted in favor of the cached MFT.

With and OK tb@


Revision tags: OPENBSD_7_1_BASE
# 1.29 04-Feb-2022 job

Fix outdated comment

Nowadays SKI/AKI validation happens in proc_parser_roa()


# 1.28 23-Jan-2022 tb

zap extra blank line


# 1.27 23-Jan-2022 claudio

Simplify valid_cert() and valid_roa() by passing in struct auth instead
of looking it up again. For this, valid_roa() needs to be moved up in
proc_parser_roa(); also move out the assignment of the TAL id. It is not the
right thing to alter an object in a validation function.
OK tb@


# 1.26 22-Jan-2022 tb

Change valid_filename() to return an enum rtype and rename it to
rtype_from_mftfile(). Move both rtype_from functions to mft.c.

ok beck claudio


# 1.25 21-Jan-2022 tb

Add function to determine the file type from the file name extension

rpki-client uses the same idiom to determine the file type in too many
places. Use one function that determines the appropriate RTYPE from the
file name. Add that type to struct mftfile and use this new member to
simplify queue_add_from_mft*().

input/ok claudio


# 1.24 13-Jan-2022 claudio

Alter valid_filehash() to take a file descriptor instead of a path.
This is needed so that callers can allow a file to be in multiple
locations. Also move mft_check() from mft.c to parser.c.
OK tb@


# 1.23 26-Dec-2021 tb

fix spelling of inheritance


# 1.22 04-Nov-2021 claudio

Instead of passing tal descriptions around just pass a tal id and
use a small lookup table to print the description in the output path.
OK tb@


# 1.21 01-Nov-2021 claudio

Cleanup struct auth a bit. The tal description is also stored in the cert
and the filename is only used in tracewarn which is not that helpful.
OK tb@


# 1.20 29-Oct-2021 claudio

Ensure that RRDP snapshot and delta files are fetched from the same host
as the notification file.
OK tb@ job@


# 1.19 27-Oct-2021 beck

Add limits on size of certain untrusted inputs

ok job@


# 1.18 27-Oct-2021 job

Limit length on URIs

OK beck@


# 1.17 24-Oct-2021 job

Restrict the character set for filenames on Manifests

feedback from benno@

OK claudio@


# 1.16 11-Oct-2021 job

Add support for BGPsec Router Certificates (RFC 8209)

BGPsec router keys are extracted from RPKI certificates and
emitted via the JSON output in base64 encoded form.

OK tb@ claudio@


Revision tags: OPENBSD_7_0_BASE
# 1.15 16-Aug-2021 jsg

branches: 1.15.4;
add missing break
ok claudio@


# 1.14 19-Apr-2021 deraadt

code review results in KNF, and moving local variables into lowest scope
ok claudio


Revision tags: OPENBSD_6_9_BASE
# 1.13 05-Mar-2021 claudio

branches: 1.13.2;
Factor out the URI check we do in various places into valid_uri().
RRDP will add a bunch more checks so this makes even more sense.
With and OK tb@


# 1.12 05-Mar-2021 claudio

Factor out the SHA256 hash checks into valid_filehash() so that it can
be used by the RRDP code as well.
OK tb@


Revision tags: OPENBSD_6_8_BASE
# 1.11 12-Sep-2020 claudio

Include openssl/x509.h in extern.h since it uses a few of the typedefs from
there in structs and prototypes. Remove the openssl/ssl.h and other strange
openssl includes in the .c files that don't use openssl specific functions.
OK beck@ and tb@


Revision tags: OPENBSD_6_7_BASE
# 1.10 29-Nov-2019 benno

e2k19 - above par
s/EXIT_FAILURE/1/
ok claudio@


# 1.9 29-Nov-2019 claudio

valid_as() should be as strict as valid_ip() when it comes to not-covered
blocks. No longer bubble up the chain in the hope that something is covered.
If this causes issues people need to fix the repository where it causes
errors.


# 1.8 28-Nov-2019 claudio

Convert the auths array into an RB tree indexed by SKI. For fast lookups
the parent auth struct is stored as a pointer so walking up the certificate
chain remains simple. Doing this replaces a few slow lookups and speeds up
rpki-client by a factor of 2.
OK benno@


# 1.7 27-Nov-2019 benno

Only store ta certs in the trust store and build chains of the
intermediate certificates for use in X509_STORE_CTX_init(). To do that
save the X509 cert in struct cert.
claudio sees > 2x speed increase.

ok claudio@ and feedback from jsing@ and beck@.


# 1.6 18-Nov-2019 claudio

Add and fix some comments.
From kristaps@


Revision tags: OPENBSD_6_6_BASE
# 1.5 08-Oct-2019 claudio

Rewrite the output handling of rpki-client and add an option to dump the
data in JSON format. To make the JSON output the same as the output of the
RIPE rpki-validator the basename of the TAL had to be added and passed around
in rpki-client. Additionally the VRPs are now stored in an RB tree in the
main process instead of keeping them per ROA object. This changes the sort
order to be in network order and no longer just lexicographical.
Agreed by job@ deraadt@


# 1.4 19-Jun-2019 deraadt

use $OpenBSD$ headers


# 1.3 19-Jun-2019 deraadt

indentation adjustments, in particular near warn statements
ok claudio


# 1.2 17-Jun-2019 deraadt

Don't do -portable in base. It is better done outside the tree.
Imagine if we did it throughout the tree, how many copies of strlcpy
would we have, and how much time would all the configure shell scripts
and includes take? It would be ludicrous.


# 1.1 17-Jun-2019 job

branches: 1.1.1;
Initial revision


abysmally. Flame graphs show that nearly 20% of the parser process is spent
in addr_contains() alone. There is room for improvement in addr_contains()
itself - the containment check for prefixes could be optimized quite a bit.
We can avoid a lot of the most expensive work for certificates with tons of
resources close to the TA by using the verifier's partial chains flag.

More precisely, in the tree of already validated certs look for the first
one that has no inherited RFC 3779 resources and use that as 'trust anchor'
for our chains via the X509_V_FLAG_PARTIAL_CHAIN flag. This way we can be
sure that a leaf's delegated resources are properly covered and at the same
time significantly shorten most paths validated.

Job's and my testing indicates that this avoids 30-50% of overhead and works
equally well with LibreSSL and OpenSSL >= 1.1. The main bottlenecks in the
parser process now appear to be SHA-2 and RSA/BIGNUM, two well-known pain
points in libcrypto.

This is based on a hint by beck and was discussed extensively with beck,
claudio and job during and after m2k23.

ok claudio job


# 1.59 27-Apr-2023 beck

Make rpki-client choose the verification time of the time it is invoked
rather than always getting the current system time for every certificate
verification. This will result in output that is not variable on run-time.

ok tb@ claudio@


# 1.58 26-Apr-2023 beck

Add a -P option to rpki-client to specify the evaluation time

This is intended to be able to test rpki-client in a reproducable
way without worrying about the system time changing the results

ok claudio@


# 1.57 14-Apr-2023 tb

A tab snuck in


# 1.56 13-Apr-2023 job

Check whether products listed on a manifest were issued by the same authority as the manifest itself

OK tb@


Revision tags: OPENBSD_7_3_BASE
# 1.55 06-Mar-2023 job

branches: 1.55.4;
Add check for RSA key pair modulus & public exponent

Both the SPKI inside a CA's .cer TBS section and Signers wrapped in CMS
must be RSA, with mod 2048 & (e) 0x10001

OK tb@


# 1.54 18-Jan-2023 job

Require version 4 UUIDs as RRDP session IDs

OK tb@


# 1.53 18-Jan-2023 tb

rpki-client: explicitly enable policy checks

In x509_verify.c r1.62, beck disabled policy checks by default in the new
X.509 verifier to match the behavior of the legacy validator and OpenSSL.
In order to keep policy checks as mandated by RFC 7318, we need to opt
into them explicitly.

ok beck


# 1.52 04-Jan-2023 claudio

Validate the session_id to be a real UUID.

RFC 8182 requires the session_id to be a version 4 random UUID (using
variant 1). Now checking the version and variant is currently disabled
because there is at least one CA with a session_id that is all random
and therefor the version check triggers there.
Joint work with job@. OK job@, tb@


# 1.51 30-Nov-2022 job

Remove unused sys/socket.h include

OK claudio@


# 1.50 29-Nov-2022 job

Only include stdarg.h, if we call any of va_{start,end}()

OK tb@


# 1.49 29-Nov-2022 claudio

Update valid_x509 comment to reality. crl is no longer optional.
OK tb@


# 1.48 29-Nov-2022 claudio

Return an error string instead of surpressing the warning in valid_x509.
This way manifests can should a better error message when something fails.
With and OK tb@


# 1.47 26-Nov-2022 job

Add support for authenticating geofeed data CSV files in filemode

RFC 9092 describes a scheme in which an authenticator is appended to a
geofeed (RFC 8805) file. It is a digest of the main body of the file
signed by the private key of the relevant RPKI certificate for a covering
address range. The authenticator is a detached CMS signature.

with and OK tb@


# 1.46 02-Nov-2022 tb

Length check URI before strncasecmp()

A priori URI is not NUL terminated, so we should first check it is long
enough before comparing it against proto. As a side effect, this now
rejects "https://" and "rsync://", which are invalid due to the missing
host in the authority section.

ok claudio


Revision tags: OPENBSD_7_2_BASE
# 1.45 03-Sep-2022 job

branches: 1.45.2;
Don't doublecheck whether the RSC eContent Resourceblock contains inherit elements

The RSC ASN.1 templates make it impossible to pass an RFC3779-style inherit option
because of the use of ConstrainedIPAddressFamily and ConstrainedASIdentifiers.

OK tb@


# 1.44 03-Sep-2022 job

Introduce x509_any_inherit() for objects which may not have inherit elements

Unify conformance checking of Trust Anchors, ROAs, ASPAs, RSCs - none of which
may have any 'inherit' elements in the RFC 3779 IP/AS Resources extension of
the X509 certificate.

OK tb@


# 1.43 03-Sep-2022 tb

Move non-inheritance check for BGPsec certs into cert_parse_pre()

ok claudio job (as part of a larger diff)


# 1.42 30-Aug-2022 job

Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)

ASPA objects are published in the RPKI and can be used to detect and
mitigate BGP route leaks. Validated ASPA Payloads are visible through
filemode (-f) and the JSON output format (-j).

With feedback from tb@

OK claudio@ tb@


# 1.41 19-Aug-2022 tb

Check the resources in ROAs and RSCs against EE certs

The resources delegated in the RFC 3779 extensions of the EE cert for
ROAs or RSCs can be a subset of the resources in the auth chain. So far
we compared that the resources of ROAs and RSCs are covered by the auth
chain, which is not entirely correct. Extract the necessary data from
the EE cert into rpki-client's own data structures, then verify that
the EE cert's resources cover the ones claimed in the ROA or RSC.

Do this as part or ROA and RSC parsing, that the EE cert's resources are
covered by the auth chain is checked in valid_x509() later on.

All this is a bit more annoying and intrusive than it should be...

ok claudio job


# 1.40 10-Jun-2022 tb

Dedup econtent version checks

Since the ASN.1 template conversions, we have three copies of mostly dead
code that validates that the econtent version is at its default value 0.
Until a new standard bumps this version and we decide to support that,
we're better off with only one copy of this code.

ok claudio


# 1.39 07-Jun-2022 tb

Fix path validation of AS numbers

If a certificate along the chain does not have an AS numbers extension,
this is a failure condition according to RFC 3779, section 3.3.

ok job


# 1.38 15-May-2022 tb

More KNF and whitespace fixes.


# 1.37 15-May-2022 tb

Remove misplaced continue

ok job


# 1.36 15-May-2022 deraadt

whitespace spotted during read-thru


# 1.35 12-May-2022 tb

Remove verify callback

It is no longer possible to build rpki-client with LibreSSL < 3.5 or with
OpenSSL built with OPENSSL_NO_RFC3779, so this compat code can be retired.

ok claudio job


# 1.34 12-May-2022 tb

nuke tabs


# 1.33 11-May-2022 job

In filemode check whether ROA & RSC resources are properly contained

with and OK tb@ claudio@


# 1.32 10-May-2022 tb

Validate RSC filenames

Factor out POSIX portable filename check into a new valid_filename() and
rename the previous valid_filename() to valid_mft_filename(). Fixes and
supersedes imcomplete checks in the RSC code. Avoids truncation via
strndup() in case of embedded NULs.

input/ok claudio


# 1.31 21-Apr-2022 claudio

The filemode code is enough different from the regular parser code that it
makes sense to totally split it out. Duplicate proc_parser_cert_validate()
and proc_parser_root_cert() for now.

The valid_x509() plus the required static functions are moved to validate.c.
The crl_tree code moved into crl.c similar to the auth_tree handling in
cert.c. All the proc functions are now tagged with __attribute(noreturn)
which allows to remove the errx() after them.

OK tb@


# 1.30 19-Apr-2022 claudio

Adjust on how CRL and MFT files are verified.

Verify the CRL referenced from the mft against the mft's fileAndHash info.
If the CRL matches then load it and use it to validate this mft. If the
mft validated OK add the now also valid CRL to the auth store for later use.

Before the newest CRL was always selected but that has negative consequences
because it is common practice to revoke the previous MFT's EE cert and with
that the cache is turned useless as soon as a new CRL is used. Also there
was a possibility that the CRL used for validation of the MFT was not the
one later used.

Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part
of the validation process. We opted in favor of the chached MFT.

With and OK tb@


Revision tags: OPENBSD_7_1_BASE
# 1.29 04-Feb-2022 job

Fix outdated comment

Nowadays SKI/AKI validation happens in proc_parser_roa()


# 1.28 23-Jan-2022 tb

zap extra blank line


# 1.27 23-Jan-2022 claudio

Simplify valid_cert() and valid_roa() by passing in struct auth instead
of looking it up again. For this valid_roa() needs to be moved up in
proc_parser_roa() also move out the assignment of the TAL id. Not the
right thing to alter an object in a validation function.
OK tb@


# 1.26 22-Jan-2022 tb

Change valid_filename() ot return an enum rtype and rename it to
rtype_from_mftfile(). Move both rtype_from functions to mft.c.

ok beck claudio


# 1.25 21-Jan-2022 tb

Add function to determine the file type from the file name extension

rpki-client uses the same idiom to determine the file type in too many
places. Use one function that determines the appropriate RTYPE from the
file name. Add that type to struct mftfile and use this new member to
simplify queue_add_from_mft*().

input/ok claudio


# 1.24 13-Jan-2022 claudio

Alter valid_filehash() to take a file descriptor instead of a path.
This is needed so that callers can allow a file to be in multiple
locations. Also move mft_check() from mft.c to parser.c.
OK tb@


# 1.23 26-Dec-2021 tb

fix spelling of inheritance


# 1.22 04-Nov-2021 claudio

Instead of passing tal descriptions around just pass a tal id and
use a small lookup table to print the description in the output path.
OK tb@


# 1.21 01-Nov-2021 claudio

Cleanup struct auth a bit. The tal description is also stored in the cert
and the filename is only used in tracewarn which is not that helpful.
OK tb@


# 1.20 29-Oct-2021 claudio

Ensure that RRDP snapshot and delta files are fetched from the same host
as the notification file.
OK tb@ job@


# 1.19 27-Oct-2021 beck

Add limits on size of certain untrusted inputs

ok job@


# 1.18 27-Oct-2021 job

Limit length on URIs

OK beck@


# 1.17 24-Oct-2021 job

Restrict the characterset for filenames on Manifests

feedback from benno@

OK claudio@


# 1.16 11-Oct-2021 job

Add support for BGPsec Router Certificates (RFC 8209)

BGPsec router keys are extracted from RPKI certificates and
emitted via the JSON output in base64 encoded form.

OK tb@ claudio@


Revision tags: OPENBSD_7_0_BASE
# 1.15 16-Aug-2021 jsg

branches: 1.15.4;
add missing break
ok claudio@


# 1.14 19-Apr-2021 deraadt

code review results in KNF, and moving local variables into lowest scope
ok claudio


Revision tags: OPENBSD_6_9_BASE
# 1.13 05-Mar-2021 claudio

branches: 1.13.2;
Factor out the URI check we do in various places into valid_uri().
RRDP will add a bunch more checks so this makes even more sense.
With and OK tb@


# 1.12 05-Mar-2021 claudio

Factor out the SHA256 hash checks into valid_filehash() so that it can
be used by the RRDP code as well.
OK tb@


Revision tags: OPENBSD_6_8_BASE
# 1.11 12-Sep-2020 claudio

Include openssl/x509.h in extern.h since it uses a few of the typedefs from
there in structs and prototypes. Remove the openssl/ssl.h and other strange
openssl includes in the .c files that don't use openssl specific functions.
OK beck@ and tb@


Revision tags: OPENBSD_6_7_BASE
# 1.10 29-Nov-2019 benno

e2k19 - above par
s/EXIT_FAILURE/1/
ok claudio@


# 1.9 29-Nov-2019 claudio

valid_as() should be as strict as valid_ip() when it comes to not-covered
blocks. No longer bubble up the chain in the hope that something is covered.
If this causes issues people need to fix the repository where it causes
errors.


# 1.8 28-Nov-2019 claudio

Convert the auths array into an RB tree indexed by SKI. For fast lookups
the parent auth struct is stored as a pointer so walking up the certificate
chain remains simple. Doing this replaces a few slow lookups and speeds up
rpki-client by a factor of 2.
OK benno@


# 1.7 27-Nov-2019 benno

Only store ta certs in the trust store and build chains of the
intermediate certificates for use in X509_STORE_CTX_init(). To do that
save the X509 cert in struct cert.
claudio sees > 2x speed increase.

ok claudio@ and feedback from jsing@ and beck@.


# 1.6 18-Nov-2019 claudio

Add and fix some comments.
From kristaps@


Revision tags: OPENBSD_6_6_BASE
# 1.5 08-Oct-2019 claudio

Rewrite the output handling of rpki-client and add an option to dump the
data in JSON format. To make the JSON output the same as the output of the
RIPE rpki-validator the basename of the TAL had to be added and passed around
in rpki-client. Additinally the VRPs are now stored in an RB tree in the
main process instead of keeping them per ROA object. This changes the sort
order to be in network order and no longer just lexographical.
Agreed by job@ deraadt@


# 1.4 19-Jun-2019 deraadt

use $OpenBSD$ headers


# 1.3 19-Jun-2019 deraadt

indentation adjustments, in particular near warn statements
ok claudio


# 1.2 17-Jun-2019 deraadt

Don't do -portable in base. It is better done outside the tree.
Imagine if we did it throughout the tree, how many copies of strlcpy
would we have, and how much time would all the configure shell scripts
and includes take? It would be ludicrous.


# 1.1 17-Jun-2019 job

branches: 1.1.1;
Initial revision


# 1.68 19-Oct-2023 job

Add experimental support for secp256r1 aka P-256 aka prime256v1

ECDSA signatures are much smaller than RSA signatures while offering
similar security. Adding support for P-256 now allows CA developers
to test their implementations, and paving the way for signers in the
production environment in the future to take advantage of ECDSA.

OK tb@


Revision tags: OPENBSD_7_4_BASE
# 1.67 25-Sep-2023 job

Introduce ip_addr_range_print() to avoid code repetition

OK tb@


# 1.66 29-Jun-2023 tb

Retire log.c

Convert all cryptowarnx() and cryptoerrx() to appropriate versions of
warn() and err{,x}(). Neither users nor developers benefit from them.
If we need better errors, we need to do some thinking. libcrypto won't
do that for us.

suggested by claudio
ok job


# 1.65 07-Jun-2023 tb

Cosmetic tweak for previous

Once we expect ASPA version 1 and someone sends us version 0, make that
explicit instead of complaining about ASN1_INTEGER_get_uint64() failing.

ok job


# 1.64 07-Jun-2023 job

In anticipation of a bump of the ASPA eContent profile version, update
valid_econtent_version() to allow for non-zero versions.

OK tb@


# 1.63 30-May-2023 claudio

Revert commitid ANSBO0rBvIUtTi45:
Make rpki-client choose the verification time of the time it is invoked
rather than always getting the current system time for every certificate
verification. This will result in output that is not variable on run-time.

Using the time of invocation does not work well with fast publishing CAs. It
can take a few minutes to reach a repo and that CA may have issued certificates
that are not yet valid if that startup time of rpki-client is used to validate.

This still keeps the -P option to specify a fixed validation time.
OK beck@ job@ tb@


# 1.62 23-May-2023 tb

Convert ASN1_INTEGER_get() to ASN1_INTEGER_get_uint64()

The former is broken by design and should not be used. The latter allows
for unambiguous error checking. Add a few casts to print uint64_t without
the PRIu64 monstrosity.

ok claudio


# 1.61 11-May-2023 claudio

In valid_cert() also skip the check for CERT_IP_INHERIT objects like
it is done for CERT_AS_INHERIT.

Without this inheritance of IP address resources does not work. Problem
noticed by Ties de Kock (tdekock (at) ripe.net)

OK job@ tb@ benno@


# 1.60 09-May-2023 tb

rpki-client: use partial chains in certificate validation

The generally rather poor quality RFC 3779 code in libcrypto also performs
abysmally. Flame graphs show that nearly 20% of the parser process is spent
in addr_contains() alone. There is room for improvement in addr_contains()
itself - the containment check for prefixes could be optimized quite a bit.
We can avoid a lot of the most expensive work for certificates with tons of
resources close to the TA by using the verifier's partial chains flag.

More precisely, in the tree of already validated certs look for the first
one that has no inherited RFC 3779 resources and use that as 'trust anchor'
for our chains via the X509_V_FLAG_PARTIAL_CHAIN flag. This way we can be
sure that a leaf's delegated resources are properly covered and at the same
time significantly shorten most paths validated.

Job's and my testing indicates that this avoids 30-50% of overhead and works
equally well with LibreSSL and OpenSSL >= 1.1. The main bottlenecks in the
parser process now appear to be SHA-2 and RSA/BIGNUM, two well-known pain
points in libcrypto.

This is based on a hint by beck and was discussed extensively with beck,
claudio and job during and after m2k23.

ok claudio job


# 1.59 27-Apr-2023 beck

Make rpki-client choose the verification time of the time it is invoked
rather than always getting the current system time for every certificate
verification. This will result in output that is not variable on run-time.

ok tb@ claudio@


# 1.58 26-Apr-2023 beck

Add a -P option to rpki-client to specify the evaluation time

This is intended to be able to test rpki-client in a reproducable
way without worrying about the system time changing the results

ok claudio@


# 1.57 14-Apr-2023 tb

A tab snuck in


# 1.56 13-Apr-2023 job

Check whether products listed on a manifest were issued by the same authority as the manifest itself

OK tb@


Revision tags: OPENBSD_7_3_BASE
# 1.55 06-Mar-2023 job

branches: 1.55.4;
Add check for RSA key pair modulus & public exponent

Both the SPKI inside a CA's .cer TBS section and Signers wrapped in CMS
must be RSA, with mod 2048 & (e) 0x10001

OK tb@


# 1.54 18-Jan-2023 job

Require version 4 UUIDs as RRDP session IDs

OK tb@


# 1.53 18-Jan-2023 tb

rpki-client: explicitly enable policy checks

In x509_verify.c r1.62, beck disabled policy checks by default in the new
X.509 verifier to match the behavior of the legacy validator and OpenSSL.
In order to keep policy checks as mandated by RFC 7318, we need to opt
into them explicitly.

ok beck


# 1.52 04-Jan-2023 claudio

Validate the session_id to be a real UUID.

RFC 8182 requires the session_id to be a version 4 random UUID (using
variant 1). Now checking the version and variant is currently disabled
because there is at least one CA with a session_id that is all random
and therefor the version check triggers there.
Joint work with job@. OK job@, tb@


# 1.51 30-Nov-2022 job

Remove unused sys/socket.h include

OK claudio@


# 1.50 29-Nov-2022 job

Only include stdarg.h, if we call any of va_{start,end}()

OK tb@


# 1.49 29-Nov-2022 claudio

Update valid_x509 comment to reality. crl is no longer optional.
OK tb@


# 1.48 29-Nov-2022 claudio

Return an error string instead of surpressing the warning in valid_x509.
This way manifests can should a better error message when something fails.
With and OK tb@


# 1.47 26-Nov-2022 job

Add support for authenticating geofeed data CSV files in filemode

RFC 9092 describes a scheme in which an authenticator is appended to a
geofeed (RFC 8805) file. It is a digest of the main body of the file
signed by the private key of the relevant RPKI certificate for a covering
address range. The authenticator is a detached CMS signature.

with and OK tb@


# 1.46 02-Nov-2022 tb

Length check URI before strncasecmp()

A priori URI is not NUL terminated, so we should first check it is long
enough before comparing it against proto. As a side effect, this now
rejects "https://" and "rsync://", which are invalid due to the missing
host in the authority section.

ok claudio


Revision tags: OPENBSD_7_2_BASE
# 1.45 03-Sep-2022 job

branches: 1.45.2;
Don't doublecheck whether the RSC eContent Resourceblock contains inherit elements

The RSC ASN.1 templates make it impossible to pass an RFC3779-style inherit option
because of the use of ConstrainedIPAddressFamily and ConstrainedASIdentifiers.

OK tb@


# 1.44 03-Sep-2022 job

Introduce x509_any_inherit() for objects which may not have inherit elements

Unify conformance checking of Trust Anchors, ROAs, ASPAs, RSCs - none of which
may have any 'inherit' elements in the RFC 3779 IP/AS Resources extension of
the X509 certificate.

OK tb@


# 1.43 03-Sep-2022 tb

Move non-inheritance check for BGPsec certs into cert_parse_pre()

ok claudio job (as part of a larger diff)


# 1.42 30-Aug-2022 job

Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)

ASPA objects are published in the RPKI and can be used to detect and
mitigate BGP route leaks. Validated ASPA Payloads are visible through
filemode (-f) and the JSON output format (-j).

With feedback from tb@

OK claudio@ tb@


# 1.41 19-Aug-2022 tb

Check the resources in ROAs and RSCs against EE certs

The resources delegated in the RFC 3779 extensions of the EE cert for
ROAs or RSCs can be a subset of the resources in the auth chain. So far
we compared that the resources of ROAs and RSCs are covered by the auth
chain, which is not entirely correct. Extract the necessary data from
the EE cert into rpki-client's own data structures, then verify that
the EE cert's resources cover the ones claimed in the ROA or RSC.

Do this as part or ROA and RSC parsing, that the EE cert's resources are
covered by the auth chain is checked in valid_x509() later on.

All this is a bit more annoying and intrusive than it should be...

ok claudio job


# 1.40 10-Jun-2022 tb

Dedup econtent version checks

Since the ASN.1 template conversions, we have three copies of mostly dead
code that validates that the econtent version is at its default value 0.
Until a new standard bumps this version and we decide to support that,
we're better off with only one copy of this code.

ok claudio


# 1.39 07-Jun-2022 tb

Fix path validation of AS numbers

If a certificate along the chain does not have an AS numbers extension,
this is a failure condition according to RFC 3779, section 3.3.

ok job


# 1.38 15-May-2022 tb

More KNF and whitespace fixes.


# 1.37 15-May-2022 tb

Remove misplaced continue

ok job


# 1.36 15-May-2022 deraadt

whitespace spotted during read-thru


# 1.35 12-May-2022 tb

Remove verify callback

It is no longer possible to build rpki-client with LibreSSL < 3.5 or with
OpenSSL built with OPENSSL_NO_RFC3779, so this compat code can be retired.

ok claudio job


# 1.34 12-May-2022 tb

nuke tabs


# 1.33 11-May-2022 job

In filemode check whether ROA & RSC resources are properly contained

with and OK tb@ claudio@


# 1.32 10-May-2022 tb

Validate RSC filenames

Factor out POSIX portable filename check into a new valid_filename() and
rename the previous valid_filename() to valid_mft_filename(). Fixes and
supersedes imcomplete checks in the RSC code. Avoids truncation via
strndup() in case of embedded NULs.

input/ok claudio


# 1.31 21-Apr-2022 claudio

The filemode code is enough different from the regular parser code that it
makes sense to totally split it out. Duplicate proc_parser_cert_validate()
and proc_parser_root_cert() for now.

The valid_x509() plus the required static functions are moved to validate.c.
The crl_tree code moved into crl.c similar to the auth_tree handling in
cert.c. All the proc functions are now tagged with __attribute(noreturn)
which allows to remove the errx() after them.

OK tb@


# 1.30 19-Apr-2022 claudio

Adjust on how CRL and MFT files are verified.

Verify the CRL referenced from the mft against the mft's fileAndHash info.
If the CRL matches then load it and use it to validate this mft. If the
mft validated OK add the now also valid CRL to the auth store for later use.

Before the newest CRL was always selected but that has negative consequences
because it is common practice to revoke the previous MFT's EE cert and with
that the cache is turned useless as soon as a new CRL is used. Also there
was a possibility that the CRL used for validation of the MFT was not the
one later used.

Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part
of the validation process. We opted in favor of the chached MFT.

With and OK tb@


Revision tags: OPENBSD_7_1_BASE
# 1.29 04-Feb-2022 job

Fix outdated comment

Nowadays SKI/AKI validation happens in proc_parser_roa()


# 1.28 23-Jan-2022 tb

zap extra blank line


# 1.27 23-Jan-2022 claudio

Simplify valid_cert() and valid_roa() by passing in struct auth instead
of looking it up again. For this valid_roa() needs to be moved up in
proc_parser_roa() also move out the assignment of the TAL id. Not the
right thing to alter an object in a validation function.
OK tb@


# 1.26 22-Jan-2022 tb

Change valid_filename() ot return an enum rtype and rename it to
rtype_from_mftfile(). Move both rtype_from functions to mft.c.

ok beck claudio


# 1.25 21-Jan-2022 tb

Add function to determine the file type from the file name extension

rpki-client uses the same idiom to determine the file type in too many
places. Use one function that determines the appropriate RTYPE from the
file name. Add that type to struct mftfile and use this new member to
simplify queue_add_from_mft*().

input/ok claudio


# 1.24 13-Jan-2022 claudio

Alter valid_filehash() to take a file descriptor instead of a path.
This is needed so that callers can allow a file to be in multiple
locations. Also move mft_check() from mft.c to parser.c.
OK tb@


# 1.23 26-Dec-2021 tb

fix spelling of inheritance


# 1.22 04-Nov-2021 claudio

Instead of passing tal descriptions around just pass a tal id and
use a small lookup table to print the description in the output path.
OK tb@


# 1.21 01-Nov-2021 claudio

Cleanup struct auth a bit. The tal description is also stored in the cert
and the filename is only used in tracewarn which is not that helpful.
OK tb@


# 1.20 29-Oct-2021 claudio

Ensure that RRDP snapshot and delta files are fetched from the same host
as the notification file.
OK tb@ job@


# 1.19 27-Oct-2021 beck

Add limits on size of certain untrusted inputs

ok job@


# 1.18 27-Oct-2021 job

Limit length on URIs

OK beck@


# 1.17 24-Oct-2021 job

Restrict the characterset for filenames on Manifests

feedback from benno@

OK claudio@


# 1.16 11-Oct-2021 job

Add support for BGPsec Router Certificates (RFC 8209)

BGPsec router keys are extracted from RPKI certificates and
emitted via the JSON output in base64 encoded form.

OK tb@ claudio@


Revision tags: OPENBSD_7_0_BASE
# 1.15 16-Aug-2021 jsg

branches: 1.15.4;
add missing break
ok claudio@


# 1.14 19-Apr-2021 deraadt

code review results in KNF, and moving local variables into lowest scope
ok claudio


Revision tags: OPENBSD_6_9_BASE
# 1.13 05-Mar-2021 claudio

branches: 1.13.2;
Factor out the URI check we do in various places into valid_uri().
RRDP will add a bunch more checks so this makes even more sense.
With and OK tb@


# 1.12 05-Mar-2021 claudio

Factor out the SHA256 hash checks into valid_filehash() so that it can
be used by the RRDP code as well.
OK tb@


Revision tags: OPENBSD_6_8_BASE
# 1.11 12-Sep-2020 claudio

Include openssl/x509.h in extern.h since it uses a few of the typedefs from
there in structs and prototypes. Remove the openssl/ssl.h and other strange
openssl includes in the .c files that don't use openssl specific functions.
OK beck@ and tb@


Revision tags: OPENBSD_6_7_BASE
# 1.10 29-Nov-2019 benno

e2k19 - above par
s/EXIT_FAILURE/1/
ok claudio@


# 1.9 29-Nov-2019 claudio

valid_as() should be as strict as valid_ip() when it comes to not-covered
blocks. No longer bubble up the chain in the hope that something is covered.
If this causes issues people need to fix the repository where it causes
errors.


# 1.8 28-Nov-2019 claudio

Convert the auths array into an RB tree indexed by SKI. For fast lookups
the parent auth struct is stored as a pointer so walking up the certificate
chain remains simple. Doing this replaces a few slow lookups and speeds up
rpki-client by a factor of 2.
OK benno@


# 1.7 27-Nov-2019 benno

Only store ta certs in the trust store and build chains of the
intermediate certificates for use in X509_STORE_CTX_init(). To do that
save the X509 cert in struct cert.
claudio sees > 2x speed increase.

ok claudio@ and feedback from jsing@ and beck@.


# 1.6 18-Nov-2019 claudio

Add and fix some comments.
From kristaps@


Revision tags: OPENBSD_6_6_BASE
# 1.5 08-Oct-2019 claudio

Rewrite the output handling of rpki-client and add an option to dump the
data in JSON format. To make the JSON output the same as the output of the
RIPE rpki-validator the basename of the TAL had to be added and passed around
in rpki-client. Additinally the VRPs are now stored in an RB tree in the
main process instead of keeping them per ROA object. This changes the sort
order to be in network order and no longer just lexographical.
Agreed by job@ deraadt@


# 1.4 19-Jun-2019 deraadt

use $OpenBSD$ headers


# 1.3 19-Jun-2019 deraadt

indentation adjustments, in particular near warn statements
ok claudio


# 1.2 17-Jun-2019 deraadt

Don't do -portable in base. It is better done outside the tree.
Imagine if we did it throughout the tree, how many copies of strlcpy
would we have, and how much time would all the configure shell scripts
and includes take? It would be ludicrous.


# 1.1 17-Jun-2019 job

branches: 1.1.1;
Initial revision


# 1.67 25-Sep-2023 job

Introduce ip_addr_range_print() to avoid code repetition

OK tb@


# 1.66 29-Jun-2023 tb

Retire log.c

Convert all cryptowarnx() and cryptoerrx() to appropriate versions of
warn() and err{,x}(). Neither users nor developers benefit from them.
If we need better errors, we need to do some thinking. libcrypto won't
do that for us.

suggested by claudio
ok job


# 1.65 07-Jun-2023 tb

Cosmetic tweak for previous

Once we expect ASPA version 1 and someone sends us version 0, make that
explicit instead of complaining about ASN1_INTEGER_get_uint64() failing.

ok job


# 1.64 07-Jun-2023 job

In anticipation of a bump of the ASPA eContent profile version, update
valid_econtent_version() to allow for non-zero versions.

OK tb@


# 1.63 30-May-2023 claudio

Revert commitid ANSBO0rBvIUtTi45:
Make rpki-client choose the verification time of the time it is invoked
rather than always getting the current system time for every certificate
verification. This will result in output that is not variable on run-time.

Using the time of invocation does not work well with fast publishing CAs. It
can take a few minutes to reach a repo and that CA may have issued certificates
that are not yet valid if that startup time of rpki-client is used to validate.

This still keeps the -P option to specify a fixed validation time.
OK beck@ job@ tb@


# 1.62 23-May-2023 tb

Convert ASN1_INTEGER_get() to ASN1_INTEGER_get_uint64()

The former is broken by design and should not be used. The latter allows
for unambiguous error checking. Add a few casts to print uint64_t without
the PRIu64 monstrosity.

ok claudio


# 1.61 11-May-2023 claudio

In valid_cert() also skip the check for CERT_IP_INHERIT objects like
it is done for CERT_AS_INHERIT.

Without this inheritance of IP address resources does not work. Problem
noticed by Ties de Kock (tdekock (at) ripe.net)

OK job@ tb@ benno@


# 1.60 09-May-2023 tb

rpki-client: use partial chains in certificate validation

The generally rather poor quality RFC 3779 code in libcrypto also performs
abysmally. Flame graphs show that nearly 20% of the parser process is spent
in addr_contains() alone. There is room for improvement in addr_contains()
itself - the containment check for prefixes could be optimized quite a bit.
We can avoid a lot of the most expensive work for certificates with tons of
resources close to the TA by using the verifier's partial chains flag.

More precisely, in the tree of already validated certs look for the first
one that has no inherited RFC 3779 resources and use that as 'trust anchor'
for our chains via the X509_V_FLAG_PARTIAL_CHAIN flag. This way we can be
sure that a leaf's delegated resources are properly covered and at the same
time significantly shorten most paths validated.

Job's and my testing indicates that this avoids 30-50% of overhead and works
equally well with LibreSSL and OpenSSL >= 1.1. The main bottlenecks in the
parser process now appear to be SHA-2 and RSA/BIGNUM, two well-known pain
points in libcrypto.

This is based on a hint by beck and was discussed extensively with beck,
claudio and job during and after m2k23.

ok claudio job


# 1.59 27-Apr-2023 beck

Make rpki-client choose the verification time of the time it is invoked
rather than always getting the current system time for every certificate
verification. This will result in output that is not variable on run-time.

ok tb@ claudio@


# 1.58 26-Apr-2023 beck

Add a -P option to rpki-client to specify the evaluation time

This is intended to be able to test rpki-client in a reproducible
way without worrying about the system time changing the results

ok claudio@


# 1.57 14-Apr-2023 tb

A tab snuck in


# 1.56 13-Apr-2023 job

Check whether products listed on a manifest were issued by the same authority as the manifest itself

OK tb@


Revision tags: OPENBSD_7_3_BASE
# 1.55 06-Mar-2023 job

branches: 1.55.4;
Add check for RSA key pair modulus & public exponent

Both the SPKI inside a CA's .cer TBS section and Signers wrapped in CMS
must be RSA, with mod 2048 & (e) 0x10001

OK tb@


# 1.54 18-Jan-2023 job

Require version 4 UUIDs as RRDP session IDs

OK tb@


# 1.53 18-Jan-2023 tb

rpki-client: explicitly enable policy checks

In x509_verify.c r1.62, beck disabled policy checks by default in the new
X.509 verifier to match the behavior of the legacy validator and OpenSSL.
In order to keep policy checks as mandated by RFC 7318, we need to opt
into them explicitly.

ok beck


# 1.52 04-Jan-2023 claudio

Validate the session_id to be a real UUID.

RFC 8182 requires the session_id to be a version 4 random UUID (using
variant 1). Now checking the version and variant is currently disabled
because there is at least one CA with a session_id that is all random
and therefore the version check triggers there.
Joint work with job@. OK job@, tb@


# 1.51 30-Nov-2022 job

Remove unused sys/socket.h include

OK claudio@


# 1.50 29-Nov-2022 job

Only include stdarg.h, if we call any of va_{start,end}()

OK tb@


# 1.49 29-Nov-2022 claudio

Update valid_x509 comment to reality. crl is no longer optional.
OK tb@


# 1.48 29-Nov-2022 claudio

Return an error string instead of suppressing the warning in valid_x509.
This way manifests can show a better error message when something fails.
With and OK tb@


# 1.47 26-Nov-2022 job

Add support for authenticating geofeed data CSV files in filemode

RFC 9092 describes a scheme in which an authenticator is appended to a
geofeed (RFC 8805) file. It is a digest of the main body of the file
signed by the private key of the relevant RPKI certificate for a covering
address range. The authenticator is a detached CMS signature.

with and OK tb@


# 1.46 02-Nov-2022 tb

Length check URI before strncasecmp()

A priori URI is not NUL terminated, so we should first check it is long
enough before comparing it against proto. As a side effect, this now
rejects "https://" and "rsync://", which are invalid due to the missing
host in the authority section.

ok claudio


Revision tags: OPENBSD_7_2_BASE
# 1.45 03-Sep-2022 job

branches: 1.45.2;
Don't double-check whether the RSC eContent Resourceblock contains inherit elements

The RSC ASN.1 templates make it impossible to pass an RFC3779-style inherit option
because of the use of ConstrainedIPAddressFamily and ConstrainedASIdentifiers.

OK tb@


# 1.44 03-Sep-2022 job

Introduce x509_any_inherit() for objects which may not have inherit elements

Unify conformance checking of Trust Anchors, ROAs, ASPAs, RSCs - none of which
may have any 'inherit' elements in the RFC 3779 IP/AS Resources extension of
the X509 certificate.

OK tb@


# 1.43 03-Sep-2022 tb

Move non-inheritance check for BGPsec certs into cert_parse_pre()

ok claudio job (as part of a larger diff)


# 1.42 30-Aug-2022 job

Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)

ASPA objects are published in the RPKI and can be used to detect and
mitigate BGP route leaks. Validated ASPA Payloads are visible through
filemode (-f) and the JSON output format (-j).

With feedback from tb@

OK claudio@ tb@


# 1.41 19-Aug-2022 tb

Check the resources in ROAs and RSCs against EE certs

The resources delegated in the RFC 3779 extensions of the EE cert for
ROAs or RSCs can be a subset of the resources in the auth chain. So far
we compared that the resources of ROAs and RSCs are covered by the auth
chain, which is not entirely correct. Extract the necessary data from
the EE cert into rpki-client's own data structures, then verify that
the EE cert's resources cover the ones claimed in the ROA or RSC.

Do this as part of ROA and RSC parsing; that the EE cert's resources are
covered by the auth chain is checked in valid_x509() later on.

All this is a bit more annoying and intrusive than it should be...

ok claudio job


# 1.40 10-Jun-2022 tb

Dedup econtent version checks

Since the ASN.1 template conversions, we have three copies of mostly dead
code that validates that the econtent version is at its default value 0.
Until a new standard bumps this version and we decide to support that,
we're better off with only one copy of this code.

ok claudio


# 1.39 07-Jun-2022 tb

Fix path validation of AS numbers

If a certificate along the chain does not have an AS numbers extension,
this is a failure condition according to RFC 3779, section 3.3.

ok job


# 1.38 15-May-2022 tb

More KNF and whitespace fixes.


# 1.37 15-May-2022 tb

Remove misplaced continue

ok job


# 1.36 15-May-2022 deraadt

whitespace spotted during read-thru


# 1.35 12-May-2022 tb

Remove verify callback

It is no longer possible to build rpki-client with LibreSSL < 3.5 or with
OpenSSL built with OPENSSL_NO_RFC3779, so this compat code can be retired.

ok claudio job


# 1.34 12-May-2022 tb

nuke tabs


# 1.33 11-May-2022 job

In filemode check whether ROA & RSC resources are properly contained

with and OK tb@ claudio@


# 1.32 10-May-2022 tb

Validate RSC filenames

Factor out POSIX portable filename check into a new valid_filename() and
rename the previous valid_filename() to valid_mft_filename(). Fixes and
supersedes incomplete checks in the RSC code. Avoids truncation via
strndup() in case of embedded NULs.

input/ok claudio


# 1.31 21-Apr-2022 claudio

The filemode code is different enough from the regular parser code that it
makes sense to totally split it out. Duplicate proc_parser_cert_validate()
and proc_parser_root_cert() for now.

The valid_x509() plus the required static functions are moved to validate.c.
The crl_tree code moved into crl.c similar to the auth_tree handling in
cert.c. All the proc functions are now tagged with __attribute(noreturn)
which allows the errx() after them to be removed.

OK tb@


# 1.30 19-Apr-2022 claudio

Adjust how CRL and MFT files are verified.

Verify the CRL referenced from the mft against the mft's fileAndHash info.
If the CRL matches then load it and use it to validate this mft. If the
mft validated OK add the now also valid CRL to the auth store for later use.

Before the newest CRL was always selected but that has negative consequences
because it is common practice to revoke the previous MFT's EE cert and with
that the cache is turned useless as soon as a new CRL is used. Also there
was a possibility that the CRL used for validation of the MFT was not the
one later used.

Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part
of the validation process. We opted in favor of the cached MFT.

With and OK tb@


Revision tags: OPENBSD_7_1_BASE
# 1.29 04-Feb-2022 job

Fix outdated comment

Nowadays SKI/AKI validation happens in proc_parser_roa()


# 1.28 23-Jan-2022 tb

zap extra blank line


# 1.27 23-Jan-2022 claudio

Simplify valid_cert() and valid_roa() by passing in struct auth instead
of looking it up again. For this valid_roa() needs to be moved up in
proc_parser_roa(); also move out the assignment of the TAL id. Not the
right thing to alter an object in a validation function.
OK tb@


# 1.26 22-Jan-2022 tb

Change valid_filename() to return an enum rtype and rename it to
rtype_from_mftfile(). Move both rtype_from functions to mft.c.

ok beck claudio


# 1.25 21-Jan-2022 tb

Add function to determine the file type from the file name extension

rpki-client uses the same idiom to determine the file type in too many
places. Use one function that determines the appropriate RTYPE from the
file name. Add that type to struct mftfile and use this new member to
simplify queue_add_from_mft*().

input/ok claudio


# 1.24 13-Jan-2022 claudio

Alter valid_filehash() to take a file descriptor instead of a path.
This is needed so that callers can allow a file to be in multiple
locations. Also move mft_check() from mft.c to parser.c.
OK tb@


# 1.23 26-Dec-2021 tb

fix spelling of inheritance


# 1.22 04-Nov-2021 claudio

Instead of passing tal descriptions around just pass a tal id and
use a small lookup table to print the description in the output path.
OK tb@


# 1.21 01-Nov-2021 claudio

Cleanup struct auth a bit. The tal description is also stored in the cert
and the filename is only used in tracewarn which is not that helpful.
OK tb@


# 1.20 29-Oct-2021 claudio

Ensure that RRDP snapshot and delta files are fetched from the same host
as the notification file.
OK tb@ job@


# 1.19 27-Oct-2021 beck

Add limits on size of certain untrusted inputs

ok job@


# 1.18 27-Oct-2021 job

Limit length on URIs

OK beck@


# 1.17 24-Oct-2021 job

Restrict the character set for filenames on Manifests

feedback from benno@

OK claudio@


# 1.16 11-Oct-2021 job

Add support for BGPsec Router Certificates (RFC 8209)

BGPsec router keys are extracted from RPKI certificates and
emitted via the JSON output in base64 encoded form.

OK tb@ claudio@


Revision tags: OPENBSD_7_0_BASE
# 1.15 16-Aug-2021 jsg

branches: 1.15.4;
add missing break
ok claudio@


# 1.14 19-Apr-2021 deraadt

code review results in KNF, and moving local variables into lowest scope
ok claudio


Revision tags: OPENBSD_6_9_BASE
# 1.13 05-Mar-2021 claudio

branches: 1.13.2;
Factor out the URI check we do in various places into valid_uri().
RRDP will add a bunch more checks so this makes even more sense.
With and OK tb@


# 1.12 05-Mar-2021 claudio

Factor out the SHA256 hash checks into valid_filehash() so that it can
be used by the RRDP code as well.
OK tb@


Revision tags: OPENBSD_6_8_BASE
# 1.11 12-Sep-2020 claudio

Include openssl/x509.h in extern.h since it uses a few of the typedefs from
there in structs and prototypes. Remove the openssl/ssl.h and other strange
openssl includes in the .c files that don't use openssl specific functions.
OK beck@ and tb@


Revision tags: OPENBSD_6_7_BASE
# 1.10 29-Nov-2019 benno

e2k19 - above par
s/EXIT_FAILURE/1/
ok claudio@


# 1.9 29-Nov-2019 claudio

valid_as() should be as strict as valid_ip() when it comes to not-covered
blocks. No longer bubble up the chain in the hope that something is covered.
If this causes issues people need to fix the repository where it causes
errors.


# 1.66 29-Jun-2023 tb

Retire log.c

Convert all cryptowarnx() and cryptoerrx() to appropriate versions of
warn() and err{,x}(). Neither users nor developers benefit from them.
If we need better errors, we need to do some thinking. libcrypto won't
do that for us.

suggested by claudio
ok job


# 1.65 07-Jun-2023 tb

Cosmetic tweak for previous

Once we expect ASPA version 1 and someone sends us version 0, make that
explicit instead of complaining about ASN1_INTEGER_get_uint64() failing.

ok job


# 1.64 07-Jun-2023 job

In anticipation of a bump of the ASPA eContent profile version, update
valid_econtent_version() to allow for non-zero versions.

OK tb@


# 1.63 30-May-2023 claudio

Revert commitid ANSBO0rBvIUtTi45:
Make rpki-client choose the verification time of the time it is invoked
rather than always getting the current system time for every certificate
verification. This will result in output that is not variable on run-time.

Using the time of invocation does not work well with fast publishing CAs. It
can take a few minutes to reach a repo and that CA may have issued certificates
that are not yet valid if that startup time of rpki-client is used to validate.

This still keeps the -P option to specify a fixed validation time.
OK beck@ job@ tb@


# 1.62 23-May-2023 tb

Convert ASN1_INTEGER_get() to ASN1_INTEGER_get_uint64()

The former is broken by design and should not be used. The latter allows
for unambiguous error checking. Add a few casts to print uint64_t without
the PRIu64 monstrosity.

ok claudio


# 1.61 11-May-2023 claudio

In valid_cert() also skip the check for CERT_IP_INHERIT objects like
it is done for CERT_AS_INHERIT.

Without this inheritance of IP address resources does not work. Problem
noticed by Ties de Kock (tdekock (at) ripe.net)

OK job@ tb@ benno@


# 1.60 09-May-2023 tb

rpki-client: use partial chains in certificate validation

The generally rather poor quality RFC 3779 code in libcrypto also performs
abysmally. Flame graphs show that nearly 20% of the parser process is spent
in addr_contains() alone. There is room for improvement in addr_contains()
itself - the containment check for prefixes could be optimized quite a bit.
We can avoid a lot of the most expensive work for certificates with tons of
resources close to the TA by using the verifier's partial chains flag.

More precisely, in the tree of already validated certs look for the first
one that has no inherited RFC 3779 resources and use that as 'trust anchor'
for our chains via the X509_V_FLAG_PARTIAL_CHAIN flag. This way we can be
sure that a leaf's delegated resources are properly covered and at the same
time significantly shorten most paths validated.

Job's and my testing indicates that this avoids 30-50% of overhead and works
equally well with LibreSSL and OpenSSL >= 1.1. The main bottlenecks in the
parser process now appear to be SHA-2 and RSA/BIGNUM, two well-known pain
points in libcrypto.

This is based on a hint by beck and was discussed extensively with beck,
claudio and job during and after m2k23.

ok claudio job


# 1.59 27-Apr-2023 beck

Make rpki-client choose the verification time of the time it is invoked
rather than always getting the current system time for every certificate
verification. This will result in output that is not variable on run-time.

ok tb@ claudio@


# 1.58 26-Apr-2023 beck

Add a -P option to rpki-client to specify the evaluation time

This is intended to be able to test rpki-client in a reproducable
way without worrying about the system time changing the results

ok claudio@


# 1.57 14-Apr-2023 tb

A tab snuck in


# 1.56 13-Apr-2023 job

Check whether products listed on a manifest were issued by the same authority as the manifest itself

OK tb@


Revision tags: OPENBSD_7_3_BASE
# 1.55 06-Mar-2023 job

branches: 1.55.4;
Add check for RSA key pair modulus & public exponent

Both the SPKI inside a CA's .cer TBS section and Signers wrapped in CMS
must be RSA, with mod 2048 & (e) 0x10001

OK tb@


# 1.54 18-Jan-2023 job

Require version 4 UUIDs as RRDP session IDs

OK tb@


# 1.53 18-Jan-2023 tb

rpki-client: explicitly enable policy checks

In x509_verify.c r1.62, beck disabled policy checks by default in the new
X.509 verifier to match the behavior of the legacy validator and OpenSSL.
In order to keep policy checks as mandated by RFC 7318, we need to opt
into them explicitly.

ok beck


# 1.52 04-Jan-2023 claudio

Validate the session_id to be a real UUID.

RFC 8182 requires the session_id to be a version 4 random UUID (using
variant 1). Now checking the version and variant is currently disabled
because there is at least one CA with a session_id that is all random
and therefor the version check triggers there.
Joint work with job@. OK job@, tb@


# 1.51 30-Nov-2022 job

Remove unused sys/socket.h include

OK claudio@


# 1.50 29-Nov-2022 job

Only include stdarg.h, if we call any of va_{start,end}()

OK tb@


# 1.49 29-Nov-2022 claudio

Update valid_x509 comment to reality. crl is no longer optional.
OK tb@


# 1.48 29-Nov-2022 claudio

Return an error string instead of surpressing the warning in valid_x509.
This way manifests can should a better error message when something fails.
With and OK tb@


# 1.47 26-Nov-2022 job

Add support for authenticating geofeed data CSV files in filemode

RFC 9092 describes a scheme in which an authenticator is appended to a
geofeed (RFC 8805) file. It is a digest of the main body of the file
signed by the private key of the relevant RPKI certificate for a covering
address range. The authenticator is a detached CMS signature.

with and OK tb@


# 1.46 02-Nov-2022 tb

Length check URI before strncasecmp()

A priori URI is not NUL terminated, so we should first check it is long
enough before comparing it against proto. As a side effect, this now
rejects "https://" and "rsync://", which are invalid due to the missing
host in the authority section.

ok claudio


Revision tags: OPENBSD_7_2_BASE
# 1.45 03-Sep-2022 job

branches: 1.45.2;
Don't doublecheck whether the RSC eContent Resourceblock contains inherit elements

The RSC ASN.1 templates make it impossible to pass an RFC3779-style inherit option
because of the use of ConstrainedIPAddressFamily and ConstrainedASIdentifiers.

OK tb@


# 1.44 03-Sep-2022 job

Introduce x509_any_inherit() for objects which may not have inherit elements

Unify conformance checking of Trust Anchors, ROAs, ASPAs, RSCs - none of which
may have any 'inherit' elements in the RFC 3779 IP/AS Resources extension of
the X509 certificate.

OK tb@


# 1.43 03-Sep-2022 tb

Move non-inheritance check for BGPsec certs into cert_parse_pre()

ok claudio job (as part of a larger diff)


# 1.42 30-Aug-2022 job

Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)

ASPA objects are published in the RPKI and can be used to detect and
mitigate BGP route leaks. Validated ASPA Payloads are visible through
filemode (-f) and the JSON output format (-j).

With feedback from tb@

OK claudio@ tb@


# 1.41 19-Aug-2022 tb

Check the resources in ROAs and RSCs against EE certs

The resources delegated in the RFC 3779 extensions of the EE cert for
ROAs or RSCs can be a subset of the resources in the auth chain. So far
we compared that the resources of ROAs and RSCs are covered by the auth
chain, which is not entirely correct. Extract the necessary data from
the EE cert into rpki-client's own data structures, then verify that
the EE cert's resources cover the ones claimed in the ROA or RSC.

Do this as part or ROA and RSC parsing, that the EE cert's resources are
covered by the auth chain is checked in valid_x509() later on.

All this is a bit more annoying and intrusive than it should be...

ok claudio job


# 1.40 10-Jun-2022 tb

Dedup econtent version checks

Since the ASN.1 template conversions, we have three copies of mostly dead
code that validates that the econtent version is at its default value 0.
Until a new standard bumps this version and we decide to support that,
we're better off with only one copy of this code.

ok claudio


# 1.39 07-Jun-2022 tb

Fix path validation of AS numbers

If a certificate along the chain does not have an AS numbers extension,
this is a failure condition according to RFC 3779, section 3.3.

ok job


# 1.38 15-May-2022 tb

More KNF and whitespace fixes.


# 1.37 15-May-2022 tb

Remove misplaced continue

ok job


# 1.36 15-May-2022 deraadt

whitespace spotted during read-thru


# 1.35 12-May-2022 tb

Remove verify callback

It is no longer possible to build rpki-client with LibreSSL < 3.5 or with
OpenSSL built with OPENSSL_NO_RFC3779, so this compat code can be retired.

ok claudio job


# 1.34 12-May-2022 tb

nuke tabs


# 1.33 11-May-2022 job

In filemode check whether ROA & RSC resources are properly contained

with and OK tb@ claudio@


# 1.32 10-May-2022 tb

Validate RSC filenames

Factor out POSIX portable filename check into a new valid_filename() and
rename the previous valid_filename() to valid_mft_filename(). Fixes and
supersedes imcomplete checks in the RSC code. Avoids truncation via
strndup() in case of embedded NULs.

input/ok claudio


# 1.31 21-Apr-2022 claudio

The filemode code is enough different from the regular parser code that it
makes sense to totally split it out. Duplicate proc_parser_cert_validate()
and proc_parser_root_cert() for now.

The valid_x509() plus the required static functions are moved to validate.c.
The crl_tree code moved into crl.c similar to the auth_tree handling in
cert.c. All the proc functions are now tagged with __attribute(noreturn)
which allows to remove the errx() after them.

OK tb@


# 1.30 19-Apr-2022 claudio

Adjust on how CRL and MFT files are verified.

Verify the CRL referenced from the mft against the mft's fileAndHash info.
If the CRL matches then load it and use it to validate this mft. If the
mft validated OK add the now also valid CRL to the auth store for later use.

Before the newest CRL was always selected but that has negative consequences
because it is common practice to revoke the previous MFT's EE cert and with
that the cache is turned useless as soon as a new CRL is used. Also there
was a possibility that the CRL used for validation of the MFT was not the
one later used.

Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part
of the validation process. We opted in favor of the chached MFT.

With and OK tb@


Revision tags: OPENBSD_7_1_BASE
# 1.29 04-Feb-2022 job

Fix outdated comment

Nowadays SKI/AKI validation happens in proc_parser_roa()


# 1.28 23-Jan-2022 tb

zap extra blank line


# 1.27 23-Jan-2022 claudio

Simplify valid_cert() and valid_roa() by passing in struct auth instead
of looking it up again. For this valid_roa() needs to be moved up in
proc_parser_roa() also move out the assignment of the TAL id. Not the
right thing to alter an object in a validation function.
OK tb@


# 1.26 22-Jan-2022 tb

Change valid_filename() ot return an enum rtype and rename it to
rtype_from_mftfile(). Move both rtype_from functions to mft.c.

ok beck claudio


# 1.25 21-Jan-2022 tb

Add function to determine the file type from the file name extension

rpki-client uses the same idiom to determine the file type in too many
places. Use one function that determines the appropriate RTYPE from the
file name. Add that type to struct mftfile and use this new member to
simplify queue_add_from_mft*().

input/ok claudio


# 1.24 13-Jan-2022 claudio

Alter valid_filehash() to take a file descriptor instead of a path.
This is needed so that callers can allow a file to be in multiple
locations. Also move mft_check() from mft.c to parser.c.
OK tb@


# 1.23 26-Dec-2021 tb

fix spelling of inheritance


# 1.22 04-Nov-2021 claudio

Instead of passing tal descriptions around just pass a tal id and
use a small lookup table to print the description in the output path.
OK tb@


# 1.21 01-Nov-2021 claudio

Cleanup struct auth a bit. The tal description is also stored in the cert
and the filename is only used in tracewarn which is not that helpful.
OK tb@


# 1.20 29-Oct-2021 claudio

Ensure that RRDP snapshot and delta files are fetched from the same host
as the notification file.
OK tb@ job@


# 1.19 27-Oct-2021 beck

Add limits on size of certain untrusted inputs

ok job@


# 1.18 27-Oct-2021 job

Limit length on URIs

OK beck@


# 1.17 24-Oct-2021 job

Restrict the characterset for filenames on Manifests

feedback from benno@

OK claudio@


# 1.16 11-Oct-2021 job

Add support for BGPsec Router Certificates (RFC 8209)

BGPsec router keys are extracted from RPKI certificates and
emitted via the JSON output in base64 encoded form.

OK tb@ claudio@


Revision tags: OPENBSD_7_0_BASE
# 1.15 16-Aug-2021 jsg

branches: 1.15.4;
add missing break
ok claudio@


# 1.14 19-Apr-2021 deraadt

code review results in KNF, and moving local variables into lowest scope
ok claudio


Revision tags: OPENBSD_6_9_BASE
# 1.13 05-Mar-2021 claudio

branches: 1.13.2;
Factor out the URI check we do in various places into valid_uri().
RRDP will add a bunch more checks so this makes even more sense.
With and OK tb@


# 1.12 05-Mar-2021 claudio

Factor out the SHA256 hash checks into valid_filehash() so that it can
be used by the RRDP code as well.
OK tb@


Revision tags: OPENBSD_6_8_BASE
# 1.11 12-Sep-2020 claudio

Include openssl/x509.h in extern.h since it uses a few of the typedefs from
there in structs and prototypes. Remove the openssl/ssl.h and other strange
openssl includes in the .c files that don't use openssl specific functions.
OK beck@ and tb@


Revision tags: OPENBSD_6_7_BASE
# 1.10 29-Nov-2019 benno

e2k19 - above par
s/EXIT_FAILURE/1/
ok claudio@


# 1.9 29-Nov-2019 claudio

valid_as() should be as strict as valid_ip() when it comes to not-covered
blocks. No longer bubble up the chain in the hope that something is covered.
If this causes issues people need to fix the repository where it causes
errors.


# 1.8 28-Nov-2019 claudio

Convert the auths array into an RB tree indexed by SKI. For fast lookups
the parent auth struct is stored as a pointer so walking up the certificate
chain remains simple. Doing this replaces a few slow lookups and speeds up
rpki-client by a factor of 2.
OK benno@


# 1.7 27-Nov-2019 benno

Only store ta certs in the trust store and build chains of the
intermediate certificates for use in X509_STORE_CTX_init(). To do that
save the X509 cert in struct cert.
claudio sees > 2x speed increase.

ok claudio@ and feedback from jsing@ and beck@.


# 1.6 18-Nov-2019 claudio

Add and fix some comments.
From kristaps@


Revision tags: OPENBSD_6_6_BASE
# 1.5 08-Oct-2019 claudio

Rewrite the output handling of rpki-client and add an option to dump the
data in JSON format. To make the JSON output the same as the output of the
RIPE rpki-validator the basename of the TAL had to be added and passed around
in rpki-client. Additinally the VRPs are now stored in an RB tree in the
main process instead of keeping them per ROA object. This changes the sort
order to be in network order and no longer just lexographical.
Agreed by job@ deraadt@


# 1.4 19-Jun-2019 deraadt

use $OpenBSD$ headers


# 1.3 19-Jun-2019 deraadt

indentation adjustments, in particular near warn statements
ok claudio


# 1.2 17-Jun-2019 deraadt

Don't do -portable in base. It is better done outside the tree.
Imagine if we did it throughout the tree, how many copies of strlcpy
would we have, and how much time would all the configure shell scripts
and includes take? It would be ludicrous.


# 1.1 17-Jun-2019 job

branches: 1.1.1;
Initial revision

From kristaps@


Revision tags: OPENBSD_6_6_BASE
# 1.5 08-Oct-2019 claudio

Rewrite the output handling of rpki-client and add an option to dump the
data in JSON format. To make the JSON output the same as the output of the
RIPE rpki-validator the basename of the TAL had to be added and passed around
in rpki-client. Additionally the VRPs are now stored in an RB tree in the
main process instead of keeping them per ROA object. This changes the sort
order to be in network order and no longer just lexicographical.
Agreed by job@ deraadt@


# 1.4 19-Jun-2019 deraadt

use $OpenBSD$ headers


# 1.3 19-Jun-2019 deraadt

indentation adjustments, in particular near warn statements
ok claudio


# 1.2 17-Jun-2019 deraadt

Don't do -portable in base. It is better done outside the tree.
Imagine if we did it throughout the tree, how many copies of strlcpy
would we have, and how much time would all the configure shell scripts
and includes take? It would be ludicrous.


# 1.1 17-Jun-2019 job

branches: 1.1.1;
Initial revision


# 1.54 18-Jan-2023 job

Require version 4 UUIDs as RRDP session IDs

OK tb@


# 1.53 18-Jan-2023 tb

rpki-client: explicitly enable policy checks

In x509_verify.c r1.62, beck disabled policy checks by default in the new
X.509 verifier to match the behavior of the legacy validator and OpenSSL.
In order to keep policy checks as mandated by RFC 7318, we need to opt
into them explicitly.

ok beck


# 1.52 04-Jan-2023 claudio

Validate the session_id to be a real UUID.

RFC 8182 requires the session_id to be a version 4 random UUID (using
variant 1). Now checking the version and variant is currently disabled
because there is at least one CA with a session_id that is all random
and therefore the version check triggers there.
Joint work with job@. OK job@, tb@
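
The session_id checks described in revisions 1.54 and 1.52 above, as an added example in C that is not rpki-client's own code: the textual UUID syntax check always runs, and the version 4 / variant 1 check required by RFC 8182 is gated by a `strict` flag, matching the note that it was initially disabled. The function name valid_uuid_session_id() and the sample IDs are made up for this illustration.

```c
/*
 * Added example, not code from rpki-client: check that an RRDP session_id
 * is a textual UUID ("8-4-4-4-12" hex groups) and, when strict is set, that
 * it is a version 4 UUID with variant 1 as RFC 8182 requires.
 * valid_uuid_session_id() is a made-up name for this illustration.
 */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define UUID_STRLEN 36

int
valid_uuid_session_id(const char *s, int strict)
{
	size_t i;

	if (s == NULL || strlen(s) != UUID_STRLEN)
		return 0;

	/* Hyphens at fixed offsets, hex digits everywhere else. */
	for (i = 0; i < UUID_STRLEN; i++) {
		if (i == 8 || i == 13 || i == 18 || i == 23) {
			if (s[i] != '-')
				return 0;
		} else if (!isxdigit((unsigned char)s[i]))
			return 0;
	}
	if (!strict)
		return 1;

	/* Version nibble is the first hex digit of the third group. */
	if (s[14] != '4')
		return 0;

	/*
	 * Variant nibble is the first hex digit of the fourth group; variant 1
	 * means its top two bits are 10, i.e. the digit is 8, 9, a or b.
	 */
	switch (tolower((unsigned char)s[19])) {
	case '8': case '9': case 'a': case 'b':
		return 1;
	default:
		return 0;
	}
}

int
main(void)
{
	/* Constructed sample values, not real session IDs. */
	const char *ids[] = {
		"123e4567-e89b-42d3-a456-426614174000", /* v4, variant 1 */
		"123e4567-e89b-12d3-a456-426614174000", /* well-formed, wrong version */
		"123e4567e89b42d3a456426614174000",     /* no hyphens */
	};
	size_t i;

	for (i = 0; i < sizeof(ids) / sizeof(ids[0]); i++)
		printf("%s: syntax %d strict %d\n", ids[i],
		    valid_uuid_session_id(ids[i], 0),
		    valid_uuid_session_id(ids[i], 1));
	return 0;
}
```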


# 1.51 30-Nov-2022 job

Remove unused sys/socket.h include

OK claudio@


# 1.50 29-Nov-2022 job

Only include stdarg.h, if we call any of va_{start,end}()

OK tb@


# 1.49 29-Nov-2022 claudio

Update valid_x509 comment to reality. crl is no longer optional.
OK tb@


# 1.48 29-Nov-2022 claudio

Return an error string instead of suppressing the warning in valid_x509.
This way manifests can show a better error message when something fails.
With and OK tb@


# 1.47 26-Nov-2022 job

Add support for authenticating geofeed data CSV files in filemode

RFC 9092 describes a scheme in which an authenticator is appended to a
geofeed (RFC 8805) file. It is a digest of the main body of the file
signed by the private key of the relevant RPKI certificate for a covering
address range. The authenticator is a detached CMS signature.

with and OK tb@


# 1.46 02-Nov-2022 tb

Length check URI before strncasecmp()

A priori URI is not NUL terminated, so we should first check it is long
enough before comparing it against proto. As a side effect, this now
rejects "https://" and "rsync://", which are invalid due to the missing
host in the authority section.

ok claudio
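
The length-before-compare rule from revision 1.46 above, as an added example that is not rpki-client's own valid_uri(): the caller passes the byte count, so a short unterminated buffer is rejected before strncasecmp() reads it, and a URI that consists only of the scheme is rejected because the authority section has no host. uri_has_scheme() and the sample inputs are made up for this illustration.

```c
/*
 * Added example, not code from rpki-client: scheme check for a URI that is
 * given with an explicit length and may not be NUL-terminated.
 * uri_has_scheme() is a made-up name for this illustration.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/*
 * Return 1 if uri[0..len) starts with proto (case-insensitively, e.g.
 * "rsync://") and at least one byte of authority follows it, else 0.
 */
int
uri_has_scheme(const char *uri, size_t len, const char *proto)
{
	size_t plen = strlen(proto);

	/*
	 * Length check first: strncasecmp() stops only at a NUL or after
	 * plen bytes, so on an unterminated buffer shorter than plen it
	 * would read past the end.
	 */
	if (len < plen)
		return 0;
	if (strncasecmp(uri, proto, plen) != 0)
		return 0;
	/* Bare "rsync://" or "https://": no host in the authority section. */
	if (len == plen)
		return 0;
	return 1;
}

int
main(void)
{
	/* Constructed inputs; the array is deliberately not NUL-terminated. */
	const char unterminated[5] = { 'r', 's', 'y', 'n', 'c' };

	printf("%d\n", uri_has_scheme("RSYNC://example.net/repo", 24, "rsync://"));
	printf("%d\n", uri_has_scheme("rsync://", 8, "rsync://"));
	printf("%d\n", uri_has_scheme(unterminated, sizeof(unterminated), "rsync://"));
	return 0;
}
```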


Revision tags: OPENBSD_7_2_BASE
# 1.45 03-Sep-2022 job

Don't doublecheck whether the RSC eContent Resourceblock contains inherit elements

The RSC ASN.1 templates make it impossible to pass an RFC3779-style inherit option
because of the use of ConstrainedIPAddressFamily and ConstrainedASIdentifiers.

OK tb@


# 1.44 03-Sep-2022 job

Introduce x509_any_inherit() for objects which may not have inherit elements

Unify conformance checking of Trust Anchors, ROAs, ASPAs, RSCs - none of which
may have any 'inherit' elements in the RFC 3779 IP/AS Resources extension of
the X509 certificate.

OK tb@


# 1.43 03-Sep-2022 tb

Move non-inheritance check for BGPsec certs into cert_parse_pre()

ok claudio job (as part of a larger diff)


# 1.42 30-Aug-2022 job

Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)

ASPA objects are published in the RPKI and can be used to detect and
mitigate BGP route leaks. Validated ASPA Payloads are visible through
filemode (-f) and the JSON output format (-j).

With feedback from tb@

OK claudio@ tb@


# 1.41 19-Aug-2022 tb

Check the resources in ROAs and RSCs against EE certs

The resources delegated in the RFC 3779 extensions of the EE cert for
ROAs or RSCs can be a subset of the resources in the auth chain. So far
we compared that the resources of ROAs and RSCs are covered by the auth
chain, which is not entirely correct. Extract the necessary data from
the EE cert into rpki-client's own data structures, then verify that
the EE cert's resources cover the ones claimed in the ROA or RSC.

Do this as part of ROA and RSC parsing, that the EE cert's resources are
covered by the auth chain is checked in valid_x509() later on.

All this is a bit more annoying and intrusive than it should be...

ok claudio job


# 1.40 10-Jun-2022 tb

Dedup econtent version checks

Since the ASN.1 template conversions, we have three copies of mostly dead
code that validates that the econtent version is at its default value 0.
Until a new standard bumps this version and we decide to support that,
we're better off with only one copy of this code.

ok claudio


# 1.39 07-Jun-2022 tb

Fix path validation of AS numbers

If a certificate along the chain does not have an AS numbers extension,
this is a failure condition according to RFC 3779, section 3.3.

ok job


# 1.38 15-May-2022 tb

More KNF and whitespace fixes.


# 1.37 15-May-2022 tb

Remove misplaced continue

ok job


# 1.36 15-May-2022 deraadt

whitespace spotted during read-thru


# 1.35 12-May-2022 tb

Remove verify callback

It is no longer possible to build rpki-client with LibreSSL < 3.5 or with
OpenSSL built with OPENSSL_NO_RFC3779, so this compat code can be retired.

ok claudio job


# 1.34 12-May-2022 tb

nuke tabs


# 1.33 11-May-2022 job

In filemode check whether ROA & RSC resources are properly contained

with and OK tb@ claudio@


# 1.32 10-May-2022 tb

Validate RSC filenames

Factor out POSIX portable filename check into a new valid_filename() and
rename the previous valid_filename() to valid_mft_filename(). Fixes and
supersedes incomplete checks in the RSC code. Avoids truncation via
strndup() in case of embedded NULs.

input/ok claudio


# 1.31 21-Apr-2022 claudio

The filemode code is different enough from the regular parser code that it
makes sense to totally split it out. Duplicate proc_parser_cert_validate()
and proc_parser_root_cert() for now.

The valid_x509() plus the required static functions are moved to validate.c.
The crl_tree code moved into crl.c similar to the auth_tree handling in
cert.c. All the proc functions are now tagged with __attribute(noreturn)
which allows to remove the errx() after them.

OK tb@


# 1.30 19-Apr-2022 claudio

Adjust how CRL and MFT files are verified.

Verify the CRL referenced from the mft against the mft's fileAndHash info.
If the CRL matches then load it and use it to validate this mft. If the
mft validated OK add the now also valid CRL to the auth store for later use.

Before the newest CRL was always selected but that has negative consequences
because it is common practice to revoke the previous MFT's EE cert and with
that the cache is turned useless as soon as a new CRL is used. Also there
was a possibility that the CRL used for validation of the MFT was not the
one later used.

Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part
of the validation process. We opted in favor of the cached MFT.

With and OK tb@


Revision tags: OPENBSD_7_1_BASE
# 1.29 04-Feb-2022 job

Fix outdated comment

Nowadays SKI/AKI validation happens in proc_parser_roa()


# 1.28 23-Jan-2022 tb

zap extra blank line


# 1.27 23-Jan-2022 claudio

Simplify valid_cert() and valid_roa() by passing in struct auth instead
of looking it up again. For this valid_roa() needs to be moved up in
proc_parser_roa() also move out the assignment of the TAL id. Not the
right thing to alter an object in a validation function.
OK tb@


# 1.26 22-Jan-2022 tb

Change valid_filename() ot return an enum rtype and rename it to
rtype_from_mftfile(). Move both rtype_from functions to mft.c.

ok beck claudio


# 1.25 21-Jan-2022 tb

Add function to determine the file type from the file name extension

rpki-client uses the same idiom to determine the file type in too many
places. Use one function that determines the appropriate RTYPE from the
file name. Add that type to struct mftfile and use this new member to
simplify queue_add_from_mft*().

input/ok claudio


# 1.24 13-Jan-2022 claudio

Alter valid_filehash() to take a file descriptor instead of a path.
This is needed so that callers can allow a file to be in multiple
locations. Also move mft_check() from mft.c to parser.c.
OK tb@


# 1.23 26-Dec-2021 tb

fix spelling of inheritance


# 1.22 04-Nov-2021 claudio

Instead of passing tal descriptions around just pass a tal id and
use a small lookup table to print the description in the output path.
OK tb@


# 1.21 01-Nov-2021 claudio

Cleanup struct auth a bit. The tal description is also stored in the cert
and the filename is only used in tracewarn which is not that helpful.
OK tb@


# 1.20 29-Oct-2021 claudio

Ensure that RRDP snapshot and delta files are fetched from the same host
as the notification file.
OK tb@ job@


# 1.19 27-Oct-2021 beck

Add limits on size of certain untrusted inputs

ok job@


# 1.18 27-Oct-2021 job

Limit length on URIs

OK beck@


# 1.17 24-Oct-2021 job

Restrict the characterset for filenames on Manifests

feedback from benno@

OK claudio@


# 1.16 11-Oct-2021 job

Add support for BGPsec Router Certificates (RFC 8209)

BGPsec router keys are extracted from RPKI certificates and
emitted via the JSON output in base64 encoded form.

OK tb@ claudio@


Revision tags: OPENBSD_7_0_BASE
# 1.15 16-Aug-2021 jsg

branches: 1.15.4;
add missing break
ok claudio@


# 1.14 19-Apr-2021 deraadt

code review results in KNF, and moving local variables into lowest scope
ok claudio


Revision tags: OPENBSD_6_9_BASE
# 1.13 05-Mar-2021 claudio

branches: 1.13.2;
Factor out the URI check we do in various places into valid_uri().
RRDP will add a bunch more checks so this makes even more sense.
With and OK tb@


# 1.12 05-Mar-2021 claudio

Factor out the SHA256 hash checks into valid_filehash() so that it can
be used by the RRDP code as well.
OK tb@


Revision tags: OPENBSD_6_8_BASE
# 1.11 12-Sep-2020 claudio

Include openssl/x509.h in extern.h since it uses a few of the typedefs from
there in structs and prototypes. Remove the openssl/ssl.h and other strange
openssl includes in the .c files that don't use openssl specific functions.
OK beck@ and tb@


Revision tags: OPENBSD_6_7_BASE
# 1.10 29-Nov-2019 benno

e2k19 - above par
s/EXIT_FAILURE/1/
ok claudio@


# 1.9 29-Nov-2019 claudio

valid_as() should be as strict as valid_ip() when it comes to not-covered
blocks. No longer bubble up the chain in the hope that something is covered.
If this causes issues people need to fix the repository where it causes
errors.


# 1.8 28-Nov-2019 claudio

Convert the auths array into an RB tree indexed by SKI. For fast lookups
the parent auth struct is stored as a pointer so walking up the certificate
chain remains simple. Doing this replaces a few slow lookups and speeds up
rpki-client by a factor of 2.
OK benno@


# 1.7 27-Nov-2019 benno

Only store ta certs in the trust store and build chains of the
intermediate certificates for use in X509_STORE_CTX_init(). To do that
save the X509 cert in struct cert.
claudio sees > 2x speed increase.

ok claudio@ and feedback from jsing@ and beck@.


# 1.6 18-Nov-2019 claudio

Add and fix some comments.
From kristaps@


Revision tags: OPENBSD_6_6_BASE
# 1.5 08-Oct-2019 claudio

Rewrite the output handling of rpki-client and add an option to dump the
data in JSON format. To make the JSON output the same as the output of the
RIPE rpki-validator the basename of the TAL had to be added and passed around
in rpki-client. Additinally the VRPs are now stored in an RB tree in the
main process instead of keeping them per ROA object. This changes the sort
order to be in network order and no longer just lexographical.
Agreed by job@ deraadt@


# 1.4 19-Jun-2019 deraadt

use $OpenBSD$ headers


# 1.3 19-Jun-2019 deraadt

indentation adjustments, in particular near warn statements
ok claudio


# 1.2 17-Jun-2019 deraadt

Don't do -portable in base. It is better done outside the tree.
Imagine if we did it throughout the tree, how many copies of strlcpy
would we have, and how much time would all the configure shell scripts
and includes take? It would be ludicrous.


# 1.1 17-Jun-2019 job

branches: 1.1.1;
Initial revision


# 1.52 04-Jan-2023 claudio

Validate the session_id to be a real UUID.

RFC 8182 requires the session_id to be a version 4 random UUID (using
variant 1). Now checking the version and variant is currently disabled
because there is at least one CA with a session_id that is all random
and therefor the version check triggers there.
Joint work with job@. OK job@, tb@


# 1.51 30-Nov-2022 job

Remove unused sys/socket.h include

OK claudio@


# 1.50 29-Nov-2022 job

Only include stdarg.h, if we call any of va_{start,end}()

OK tb@


# 1.49 29-Nov-2022 claudio

Update valid_x509 comment to reality. crl is no longer optional.
OK tb@


# 1.48 29-Nov-2022 claudio

Return an error string instead of surpressing the warning in valid_x509.
This way manifests can should a better error message when something fails.
With and OK tb@


# 1.47 26-Nov-2022 job

Add support for authenticating geofeed data CSV files in filemode

RFC 9092 describes a scheme in which an authenticator is appended to a
geofeed (RFC 8805) file. It is a digest of the main body of the file
signed by the private key of the relevant RPKI certificate for a covering
address range. The authenticator is a detached CMS signature.

with and OK tb@


# 1.46 02-Nov-2022 tb

Length check URI before strncasecmp()

A priori URI is not NUL terminated, so we should first check it is long
enough before comparing it against proto. As a side effect, this now
rejects "https://" and "rsync://", which are invalid due to the missing
host in the authority section.

ok claudio


Revision tags: OPENBSD_7_2_BASE
# 1.45 03-Sep-2022 job

Don't doublecheck whether the RSC eContent Resourceblock contains inherit elements

The RSC ASN.1 templates make it impossible to pass an RFC3779-style inherit option
because of the use of ConstrainedIPAddressFamily and ConstrainedASIdentifiers.

OK tb@


# 1.44 03-Sep-2022 job

Introduce x509_any_inherit() for objects which may not have inherit elements

Unify conformance checking of Trust Anchors, ROAs, ASPAs, RSCs - none of which
may have any 'inherit' elements in the RFC 3779 IP/AS Resources extension of
the X509 certificate.

OK tb@


# 1.43 03-Sep-2022 tb

Move non-inheritance check for BGPsec certs into cert_parse_pre()

ok claudio job (as part of a larger diff)


# 1.42 30-Aug-2022 job

Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)

ASPA objects are published in the RPKI and can be used to detect and
mitigate BGP route leaks. Validated ASPA Payloads are visible through
filemode (-f) and the JSON output format (-j).

With feedback from tb@

OK claudio@ tb@


# 1.41 19-Aug-2022 tb

Check the resources in ROAs and RSCs against EE certs

The resources delegated in the RFC 3779 extensions of the EE cert for
ROAs or RSCs can be a subset of the resources in the auth chain. So far
we compared that the resources of ROAs and RSCs are covered by the auth
chain, which is not entirely correct. Extract the necessary data from
the EE cert into rpki-client's own data structures, then verify that
the EE cert's resources cover the ones claimed in the ROA or RSC.

Do this as part or ROA and RSC parsing, that the EE cert's resources are
covered by the auth chain is checked in valid_x509() later on.

All this is a bit more annoying and intrusive than it should be...

ok claudio job


# 1.40 10-Jun-2022 tb

Dedup econtent version checks

Since the ASN.1 template conversions, we have three copies of mostly dead
code that validates that the econtent version is at its default value 0.
Until a new standard bumps this version and we decide to support that,
we're better off with only one copy of this code.

ok claudio


# 1.39 07-Jun-2022 tb

Fix path validation of AS numbers

If a certificate along the chain does not have an AS numbers extension,
this is a failure condition according to RFC 3779, section 3.3.

ok job


# 1.38 15-May-2022 tb

More KNF and whitespace fixes.


# 1.37 15-May-2022 tb

Remove misplaced continue

ok job


# 1.36 15-May-2022 deraadt

whitespace spotted during read-thru


# 1.35 12-May-2022 tb

Remove verify callback

It is no longer possible to build rpki-client with LibreSSL < 3.5 or with
OpenSSL built with OPENSSL_NO_RFC3779, so this compat code can be retired.

ok claudio job


# 1.34 12-May-2022 tb

nuke tabs


# 1.33 11-May-2022 job

In filemode check whether ROA & RSC resources are properly contained

with and OK tb@ claudio@


# 1.32 10-May-2022 tb

Validate RSC filenames

Factor out POSIX portable filename check into a new valid_filename() and
rename the previous valid_filename() to valid_mft_filename(). Fixes and
supersedes imcomplete checks in the RSC code. Avoids truncation via
strndup() in case of embedded NULs.

input/ok claudio


# 1.31 21-Apr-2022 claudio

The filemode code is enough different from the regular parser code that it
makes sense to totally split it out. Duplicate proc_parser_cert_validate()
and proc_parser_root_cert() for now.

The valid_x509() plus the required static functions are moved to validate.c.
The crl_tree code moved into crl.c similar to the auth_tree handling in
cert.c. All the proc functions are now tagged with __attribute(noreturn)
which allows to remove the errx() after them.

OK tb@


# 1.30 19-Apr-2022 claudio

Adjust on how CRL and MFT files are verified.

Verify the CRL referenced from the mft against the mft's fileAndHash info.
If the CRL matches then load it and use it to validate this mft. If the
mft validated OK add the now also valid CRL to the auth store for later use.

Before the newest CRL was always selected but that has negative consequences
because it is common practice to revoke the previous MFT's EE cert and with
that the cache is turned useless as soon as a new CRL is used. Also there
was a possibility that the CRL used for validation of the MFT was not the
one later used.

Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part
of the validation process. We opted in favor of the chached MFT.

With and OK tb@


Revision tags: OPENBSD_7_1_BASE
# 1.29 04-Feb-2022 job

Fix outdated comment

Nowadays SKI/AKI validation happens in proc_parser_roa()


# 1.28 23-Jan-2022 tb

zap extra blank line


# 1.27 23-Jan-2022 claudio

Simplify valid_cert() and valid_roa() by passing in struct auth instead
of looking it up again. For this valid_roa() needs to be moved up in
proc_parser_roa() also move out the assignment of the TAL id. Not the
right thing to alter an object in a validation function.
OK tb@


# 1.26 22-Jan-2022 tb

Change valid_filename() ot return an enum rtype and rename it to
rtype_from_mftfile(). Move both rtype_from functions to mft.c.

ok beck claudio


# 1.25 21-Jan-2022 tb

Add function to determine the file type from the file name extension

rpki-client uses the same idiom to determine the file type in too many
places. Use one function that determines the appropriate RTYPE from the
file name. Add that type to struct mftfile and use this new member to
simplify queue_add_from_mft*().

input/ok claudio


# 1.24 13-Jan-2022 claudio

Alter valid_filehash() to take a file descriptor instead of a path.
This is needed so that callers can allow a file to be in multiple
locations. Also move mft_check() from mft.c to parser.c.
OK tb@


# 1.23 26-Dec-2021 tb

fix spelling of inheritance


# 1.22 04-Nov-2021 claudio

Instead of passing tal descriptions around just pass a tal id and
use a small lookup table to print the description in the output path.
OK tb@


# 1.21 01-Nov-2021 claudio

Cleanup struct auth a bit. The tal description is also stored in the cert
and the filename is only used in tracewarn which is not that helpful.
OK tb@


# 1.20 29-Oct-2021 claudio

Ensure that RRDP snapshot and delta files are fetched from the same host
as the notification file.
OK tb@ job@


# 1.19 27-Oct-2021 beck

Add limits on size of certain untrusted inputs

ok job@


# 1.18 27-Oct-2021 job

Limit length on URIs

OK beck@


# 1.17 24-Oct-2021 job

Restrict the characterset for filenames on Manifests

feedback from benno@

OK claudio@


# 1.16 11-Oct-2021 job

Add support for BGPsec Router Certificates (RFC 8209)

BGPsec router keys are extracted from RPKI certificates and
emitted via the JSON output in base64 encoded form.

OK tb@ claudio@


Revision tags: OPENBSD_7_0_BASE
# 1.15 16-Aug-2021 jsg

branches: 1.15.4;
add missing break
ok claudio@


# 1.14 19-Apr-2021 deraadt

code review results in KNF, and moving local variables into lowest scope
ok claudio


Revision tags: OPENBSD_6_9_BASE
# 1.13 05-Mar-2021 claudio

branches: 1.13.2;
Factor out the URI check we do in various places into valid_uri().
RRDP will add a bunch more checks so this makes even more sense.
With and OK tb@


# 1.12 05-Mar-2021 claudio

Factor out the SHA256 hash checks into valid_filehash() so that it can
be used by the RRDP code as well.
OK tb@


Revision tags: OPENBSD_6_8_BASE
# 1.11 12-Sep-2020 claudio

Include openssl/x509.h in extern.h since it uses a few of the typedefs from
there in structs and prototypes. Remove the openssl/ssl.h and other strange
openssl includes in the .c files that don't use openssl specific functions.
OK beck@ and tb@


Revision tags: OPENBSD_6_7_BASE
# 1.10 29-Nov-2019 benno

e2k19 - above par
s/EXIT_FAILURE/1/
ok claudio@


# 1.9 29-Nov-2019 claudio

valid_as() should be as strict as valid_ip() when it comes to not-covered
blocks. No longer bubble up the chain in the hope that something is covered.
If this causes issues people need to fix the repository where it causes
errors.


# 1.8 28-Nov-2019 claudio

Convert the auths array into an RB tree indexed by SKI. For fast lookups
the parent auth struct is stored as a pointer so walking up the certificate
chain remains simple. Doing this replaces a few slow lookups and speeds up
rpki-client by a factor of 2.
OK benno@


# 1.7 27-Nov-2019 benno

Only store ta certs in the trust store and build chains of the
intermediate certificates for use in X509_STORE_CTX_init(). To do that
save the X509 cert in struct cert.
claudio sees > 2x speed increase.

ok claudio@ and feedback from jsing@ and beck@.


# 1.6 18-Nov-2019 claudio

Add and fix some comments.
From kristaps@


Revision tags: OPENBSD_6_6_BASE
# 1.5 08-Oct-2019 claudio

Rewrite the output handling of rpki-client and add an option to dump the
data in JSON format. To make the JSON output the same as the output of the
RIPE rpki-validator the basename of the TAL had to be added and passed around
in rpki-client. Additinally the VRPs are now stored in an RB tree in the
main process instead of keeping them per ROA object. This changes the sort
order to be in network order and no longer just lexographical.
Agreed by job@ deraadt@


# 1.4 19-Jun-2019 deraadt

use $OpenBSD$ headers


# 1.3 19-Jun-2019 deraadt

indentation adjustments, in particular near warn statements
ok claudio


# 1.2 17-Jun-2019 deraadt

Don't do -portable in base. It is better done outside the tree.
Imagine if we did it throughout the tree, how many copies of strlcpy
would we have, and how much time would all the configure shell scripts
and includes take? It would be ludicrous.


# 1.1 17-Jun-2019 job

branches: 1.1.1;
Initial revision


# 1.51 30-Nov-2022 job

Remove unused sys/socket.h include

OK claudio@


# 1.50 29-Nov-2022 job

Only include stdarg.h, if we call any of va_{start,end}()

OK tb@


# 1.49 29-Nov-2022 claudio

Update valid_x509 comment to reality. crl is no longer optional.
OK tb@


# 1.48 29-Nov-2022 claudio

Return an error string instead of surpressing the warning in valid_x509.
This way manifests can should a better error message when something fails.
With and OK tb@


# 1.47 26-Nov-2022 job

Add support for authenticating geofeed data CSV files in filemode

RFC 9092 describes a scheme in which an authenticator is appended to a
geofeed (RFC 8805) file. It is a digest of the main body of the file
signed by the private key of the relevant RPKI certificate for a covering
address range. The authenticator is a detached CMS signature.

with and OK tb@


# 1.46 02-Nov-2022 tb

Length check URI before strncasecmp()

A priori URI is not NUL terminated, so we should first check it is long
enough before comparing it against proto. As a side effect, this now
rejects "https://" and "rsync://", which are invalid due to the missing
host in the authority section.

ok claudio


Revision tags: OPENBSD_7_2_BASE
# 1.45 03-Sep-2022 job

Don't doublecheck whether the RSC eContent Resourceblock contains inherit elements

The RSC ASN.1 templates make it impossible to pass an RFC3779-style inherit option
because of the use of ConstrainedIPAddressFamily and ConstrainedASIdentifiers.

OK tb@


# 1.44 03-Sep-2022 job

Introduce x509_any_inherit() for objects which may not have inherit elements

Unify conformance checking of Trust Anchors, ROAs, ASPAs, RSCs - none of which
may have any 'inherit' elements in the RFC 3779 IP/AS Resources extension of
the X509 certificate.

OK tb@


# 1.43 03-Sep-2022 tb

Move non-inheritance check for BGPsec certs into cert_parse_pre()

ok claudio job (as part of a larger diff)


# 1.42 30-Aug-2022 job

Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)

ASPA objects are published in the RPKI and can be used to detect and
mitigate BGP route leaks. Validated ASPA Payloads are visible through
filemode (-f) and the JSON output format (-j).

With feedback from tb@

OK claudio@ tb@


# 1.41 19-Aug-2022 tb

Check the resources in ROAs and RSCs against EE certs

The resources delegated in the RFC 3779 extensions of the EE cert for
ROAs or RSCs can be a subset of the resources in the auth chain. So far
we compared that the resources of ROAs and RSCs are covered by the auth
chain, which is not entirely correct. Extract the necessary data from
the EE cert into rpki-client's own data structures, then verify that
the EE cert's resources cover the ones claimed in the ROA or RSC.

Do this as part or ROA and RSC parsing, that the EE cert's resources are
covered by the auth chain is checked in valid_x509() later on.

All this is a bit more annoying and intrusive than it should be...

ok claudio job


# 1.40 10-Jun-2022 tb

Dedup econtent version checks

Since the ASN.1 template conversions, we have three copies of mostly dead
code that validates that the econtent version is at its default value 0.
Until a new standard bumps this version and we decide to support that,
we're better off with only one copy of this code.

ok claudio


# 1.39 07-Jun-2022 tb

Fix path validation of AS numbers

If a certificate along the chain does not have an AS numbers extension,
this is a failure condition according to RFC 3779, section 3.3.

ok job


# 1.38 15-May-2022 tb

More KNF and whitespace fixes.


# 1.37 15-May-2022 tb

Remove misplaced continue

ok job


# 1.36 15-May-2022 deraadt

whitespace spotted during read-thru


# 1.35 12-May-2022 tb

Remove verify callback

It is no longer possible to build rpki-client with LibreSSL < 3.5 or with
OpenSSL built with OPENSSL_NO_RFC3779, so this compat code can be retired.

ok claudio job


# 1.34 12-May-2022 tb

nuke tabs


# 1.33 11-May-2022 job

In filemode check whether ROA & RSC resources are properly contained

with and OK tb@ claudio@


# 1.32 10-May-2022 tb

Validate RSC filenames

Factor out POSIX portable filename check into a new valid_filename() and
rename the previous valid_filename() to valid_mft_filename(). Fixes and
supersedes imcomplete checks in the RSC code. Avoids truncation via
strndup() in case of embedded NULs.

input/ok claudio


# 1.31 21-Apr-2022 claudio

The filemode code is enough different from the regular parser code that it
makes sense to totally split it out. Duplicate proc_parser_cert_validate()
and proc_parser_root_cert() for now.

The valid_x509() plus the required static functions are moved to validate.c.
The crl_tree code moved into crl.c similar to the auth_tree handling in
cert.c. All the proc functions are now tagged with __attribute(noreturn)
which allows to remove the errx() after them.

OK tb@


# 1.30 19-Apr-2022 claudio

Adjust on how CRL and MFT files are verified.

Verify the CRL referenced from the mft against the mft's fileAndHash info.
If the CRL matches then load it and use it to validate this mft. If the
mft validated OK add the now also valid CRL to the auth store for later use.

Before the newest CRL was always selected but that has negative consequences
because it is common practice to revoke the previous MFT's EE cert and with
that the cache is turned useless as soon as a new CRL is used. Also there
was a possibility that the CRL used for validation of the MFT was not the
one later used.

Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part
of the validation process. We opted in favor of the chached MFT.

With and OK tb@


Revision tags: OPENBSD_7_1_BASE
# 1.29 04-Feb-2022 job

Fix outdated comment

Nowadays SKI/AKI validation happens in proc_parser_roa()


# 1.28 23-Jan-2022 tb

zap extra blank line


# 1.27 23-Jan-2022 claudio

Simplify valid_cert() and valid_roa() by passing in struct auth instead
of looking it up again. For this valid_roa() needs to be moved up in
proc_parser_roa() also move out the assignment of the TAL id. Not the
right thing to alter an object in a validation function.
OK tb@


# 1.26 22-Jan-2022 tb

Change valid_filename() ot return an enum rtype and rename it to
rtype_from_mftfile(). Move both rtype_from functions to mft.c.

ok beck claudio


# 1.25 21-Jan-2022 tb

Add function to determine the file type from the file name extension

rpki-client uses the same idiom to determine the file type in too many
places. Use one function that determines the appropriate RTYPE from the
file name. Add that type to struct mftfile and use this new member to
simplify queue_add_from_mft*().

input/ok claudio

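The two checks described in revisions 1.32 and 1.25 above, as an added example that is not rpki-client's own code: a POSIX portable filename check that takes an explicit length (so an embedded NUL fails the check instead of truncating the name the way strndup() would), and a lookup of the object type from the file name extension. The function names valid_filename(), valid_mft_filename() and rtype_from_mftfile() mirror the commit messages, but the bodies, the rtype enum and the extension table are assumptions made for this illustration.

```c
#include <stddef.h>
#include <string.h>

/*
 * Object types keyed off the file name extension. The extension list
 * is an assumption for this example, not rpki-client's table.
 */
enum rtype {
	RTYPE_INVALID,
	RTYPE_CER,	/* X.509 CA/EE certificate */
	RTYPE_CRL,	/* certificate revocation list */
	RTYPE_MFT,	/* manifest */
	RTYPE_ROA,	/* route origin authorization */
	RTYPE_GBR,	/* ghostbusters record */
	RTYPE_ASA,	/* ASPA */
};

static const struct {
	const char	*ext;
	enum rtype	 type;
} ext_table[] = {
	{ "cer", RTYPE_CER }, { "crl", RTYPE_CRL }, { "mft", RTYPE_MFT },
	{ "roa", RTYPE_ROA }, { "gbr", RTYPE_GBR }, { "asa", RTYPE_ASA },
};

/* POSIX portable filename character set: [A-Za-z0-9._-]. */
static int
portable_char(unsigned char c)
{
	return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
	    (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
}

/*
 * Check a file name taken from an ASN.1 IA5String. The string is not
 * trusted to be NUL terminated, so the caller passes its length. A NUL
 * byte inside the buffer is just another non-portable character and
 * fails the check rather than silently shortening the name.
 */
int
valid_filename(const char *buf, size_t len)
{
	size_t i;

	if (len == 0)
		return 0;
	for (i = 0; i < len; i++)
		if (!portable_char((unsigned char)buf[i]))
			return 0;
	/* "." and ".." pass the character test but are not file names. */
	if (buf[0] == '.' && (len == 1 || (len == 2 && buf[1] == '.')))
		return 0;
	return 1;
}

/* Map "name.ext" to an rtype by its lowercase extension (assumed). */
enum rtype
rtype_from_mftfile(const char *buf, size_t len)
{
	size_t i, n, extlen;

	for (i = len; i > 0; i--)
		if (buf[i - 1] == '.')
			break;
	if (i <= 1)		/* no dot at all, or nothing before it */
		return RTYPE_INVALID;
	for (n = 0; n < sizeof(ext_table) / sizeof(ext_table[0]); n++) {
		extlen = strlen(ext_table[n].ext);
		if (len - i == extlen &&
		    memcmp(buf + i, ext_table[n].ext, extlen) == 0)
			return ext_table[n].type;
	}
	return RTYPE_INVALID;
}

/*
 * A manifest fileList entry must be a portable file name whose
 * extension maps to an object type we know how to process.
 */
int
valid_mft_filename(const char *buf, size_t len)
{
	if (!valid_filename(buf, len))
		return 0;
	return rtype_from_mftfile(buf, len) != RTYPE_INVALID;
}
```

Passing the length rather than relying on a terminator is the whole point: with strndup() the name "ta.cer\0junk" would become "ta.cer" and look fine, while the bytes that are actually hashed and published are different.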

# 1.24 13-Jan-2022 claudio

Alter valid_filehash() to take a file descriptor instead of a path.
This is needed so that callers can allow a file to be in multiple
locations. Also move mft_check() from mft.c to parser.c.
OK tb@


# 1.23 26-Dec-2021 tb

fix spelling of inheritance


# 1.22 04-Nov-2021 claudio

Instead of passing tal descriptions around just pass a tal id and
use a small lookup table to print the description in the output path.
OK tb@


# 1.21 01-Nov-2021 claudio

Cleanup struct auth a bit. The tal description is also stored in the cert
and the filename is only used in tracewarn which is not that helpful.
OK tb@


# 1.20 29-Oct-2021 claudio

Ensure that RRDP snapshot and delta files are fetched from the same host
as the notification file.
OK tb@ job@


# 1.19 27-Oct-2021 beck

Add limits on size of certain untrusted inputs

ok job@


# 1.18 27-Oct-2021 job

Limit length on URIs

OK beck@


# 1.17 24-Oct-2021 job

Restrict the characterset for filenames on Manifests

feedback from benno@

OK claudio@


# 1.16 11-Oct-2021 job

Add support for BGPsec Router Certificates (RFC 8209)

BGPsec router keys are extracted from RPKI certificates and
emitted via the JSON output in base64 encoded form.

OK tb@ claudio@


Revision tags: OPENBSD_7_0_BASE
# 1.15 16-Aug-2021 jsg

branches: 1.15.4;
add missing break
ok claudio@


# 1.14 19-Apr-2021 deraadt

code review results in KNF, and moving local variables into lowest scope
ok claudio


Revision tags: OPENBSD_6_9_BASE
# 1.13 05-Mar-2021 claudio

branches: 1.13.2;
Factor out the URI check we do in various places into valid_uri().
RRDP will add a bunch more checks so this makes even more sense.
With and OK tb@

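The URI handling described in revisions 1.20, 1.18 and 1.13 above, as an added example that is not rpki-client's own code: a valid_uri() that works on a non-NUL-terminated buffer of a given length, enforces a maximum length, checks that the buffer is longer than the scheme prefix before comparing it, and a same-host check for RRDP snapshot and delta URIs against the notification URI. The signature of valid_uri(), the 2048-byte cap, the accepted schemes and the name rrdp_same_host() are assumptions made for this illustration.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Upper bound on URI length; the value is an assumption for this example. */
#define MAX_URI_LENGTH	2048

/*
 * Compare the scheme prefix only after checking that the buffer is
 * longer than the prefix: uri is not NUL terminated, and a URI that is
 * nothing but "rsync://" has no host and must be rejected as well.
 */
static int
has_scheme(const char *uri, size_t len, const char *proto)
{
	size_t plen = strlen(proto);

	if (len <= plen)
		return 0;
	return strncasecmp(uri, proto, plen) == 0;
}

/*
 * Validate a URI of length len taken from an untrusted object.
 * proto restricts the scheme; NULL allows rsync:// or https://
 * (the two schemes assumed here).
 */
int
valid_uri(const char *uri, size_t len, const char *proto)
{
	size_t i;

	if (len == 0 || len > MAX_URI_LENGTH)
		return 0;
	/* Reject NUL, control characters, space and anything non-ASCII. */
	for (i = 0; i < len; i++) {
		unsigned char c = (unsigned char)uri[i];
		if (c <= 0x20 || c >= 0x7f)
			return 0;
	}
	if (proto != NULL)
		return has_scheme(uri, len, proto);
	return has_scheme(uri, len, "rsync://") ||
	    has_scheme(uri, len, "https://");
}

/* Locate the authority ("host[:port]") between "://" and the next '/'. */
static int
uri_authority(const char *uri, size_t len, const char **host, size_t *hlen)
{
	size_t i;

	for (i = 0; i + 2 < len; i++)
		if (uri[i] == ':' && uri[i + 1] == '/' && uri[i + 2] == '/')
			break;
	if (i + 2 >= len)
		return 0;
	*host = uri + i + 3;
	for (i += 3; i < len && uri[i] != '/'; i++)
		;
	*hlen = (size_t)(uri + i - *host);
	return *hlen > 0;
}

/*
 * RRDP: a snapshot or delta URI taken from the notification file must
 * point at the same host as the notification file itself. Both URIs
 * must be valid https URIs; host names compare case-insensitively.
 */
int
rrdp_same_host(const char *notification, size_t nlen,
    const char *file, size_t flen)
{
	const char *h1, *h2;
	size_t l1, l2;

	if (!valid_uri(notification, nlen, "https://") ||
	    !valid_uri(file, flen, "https://"))
		return 0;
	if (!uri_authority(notification, nlen, &h1, &l1) ||
	    !uri_authority(file, flen, &h2, &l2))
		return 0;
	return l1 == l2 && strncasecmp(h1, h2, l1) == 0;
}
```

The authority comparison is deliberately whole-string: "rrdp.example.net" and "rrdp.example.net.evil.example" differ in length and fail, and a different port or an embedded user@ also fails rather than being normalized away.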

# 1.12 05-Mar-2021 claudio

Factor out the SHA256 hash checks into valid_filehash() so that it can
be used by the RRDP code as well.
OK tb@


Revision tags: OPENBSD_6_8_BASE
# 1.11 12-Sep-2020 claudio

Include openssl/x509.h in extern.h since it uses a few of the typedefs from
there in structs and prototypes. Remove the openssl/ssl.h and other strange
openssl includes in the .c files that don't use openssl specific functions.
OK beck@ and tb@


Revision tags: OPENBSD_6_7_BASE
# 1.10 29-Nov-2019 benno

e2k19 - above par
s/EXIT_FAILURE/1/
ok claudio@


# 1.9 29-Nov-2019 claudio

valid_as() should be as strict as valid_ip() when it comes to not-covered
blocks. No longer bubble up the chain in the hope that something is covered.
If this causes issues people need to fix the repository where it causes
errors.

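The strictness rule from revision 1.9 above, as an added example that is not rpki-client's own code: every AS block of a certificate must be covered by a block of its issuer, and an uncovered block is a failure on the spot rather than a reason to look further up the chain. The data structures, the inherit handling (an "inherit" certificate is skipped over to the nearest ancestor with concrete resources) and the function names are assumptions made for this illustration; the sample chains use the documentation AS numbers from RFC 5398.

```c
#include <stddef.h>
#include <stdint.h>

/* One block of an RFC 3779 ASIdentifiers extension (inclusive range). */
struct as_range {
	uint32_t min;
	uint32_t max;
};

/* The AS resources of one certificate in the chain. */
struct cert_as {
	const struct as_range	*ranges;	/* NULL: no AS extension */
	size_t			 nranges;
	int			 inherit;	/* RFC 3779 "inherit" marker */
};

/* Is r entirely inside one block of issuer? */
static int
as_block_covered(const struct cert_as *issuer, struct as_range r)
{
	size_t i;

	for (i = 0; i < issuer->nranges; i++)
		if (issuer->ranges[i].min <= r.min &&
		    r.max <= issuer->ranges[i].max)
			return 1;
	return 0;
}

/*
 * Strict path validation of AS resources. chain[0] is the leaf,
 * chain[n-1] the trust anchor. Every block of a certificate must be
 * covered by a block of its effective issuer, i.e. the nearest
 * ancestor that does not itself inherit. A block the issuer does not
 * cover is a hard failure; we never consult a grandparent in the hope
 * that it covers the block.
 */
int
valid_as_chain(const struct cert_as *chain, size_t n)
{
	size_t i, j, k;
	const struct cert_as *cert, *issuer;

	if (n == 0)
		return 0;
	/* The trust anchor must carry concrete resources. */
	if (chain[n - 1].inherit || chain[n - 1].ranges == NULL)
		return 0;

	for (i = 0; i + 1 < n; i++) {
		cert = &chain[i];
		if (cert->inherit)
			continue;	/* resources are the issuer's own */
		if (cert->ranges == NULL)
			return 0;	/* no AS extension at all */
		for (j = i + 1; chain[j].inherit; j++)
			;		/* ends: the anchor never inherits */
		issuer = &chain[j];
		if (issuer->ranges == NULL)
			return 0;
		for (k = 0; k < cert->nranges; k++)
			if (!as_block_covered(issuer, cert->ranges[k]))
				return 0;
	}
	return 1;
}

/* Constructed sample data: TA covers everything, CA covers AS64496-64511. */
static const struct as_range ta_blocks[] = { { 1, 4294967295u } };
static const struct as_range ca_blocks[] = { { 64496, 64511 } };
static const struct as_range ee_inside[] = { { 64500, 64500 } };
static const struct as_range ee_outside[] = { { 65536, 65551 } };

/* EE -> CA -> TA with the EE block inside the CA block: valid. */
int
example_covered(void)
{
	const struct cert_as chain[] = {
		{ ee_inside, 1, 0 }, { ca_blocks, 1, 0 }, { ta_blocks, 1, 0 },
	};
	return valid_as_chain(chain, 3);
}

/* The TA covers AS65536 but the CA does not: invalid, no bubbling up. */
int
example_not_covered_by_issuer(void)
{
	const struct cert_as chain[] = {
		{ ee_outside, 1, 0 }, { ca_blocks, 1, 0 }, { ta_blocks, 1, 0 },
	};
	return valid_as_chain(chain, 3);
}

/* A CA that inherits is transparent; the EE is checked against the TA. */
int
example_inherit(void)
{
	const struct cert_as chain[] = {
		{ ee_outside, 1, 0 }, { NULL, 0, 1 }, { ta_blocks, 1, 0 },
	};
	return valid_as_chain(chain, 3);
}

/* A CA without any AS extension fails the whole chain. */
int
example_missing_extension(void)
{
	const struct cert_as chain[] = {
		{ ee_inside, 1, 0 }, { NULL, 0, 0 }, { ta_blocks, 1, 0 },
	};
	return valid_as_chain(chain, 3);
}
```

The second sample is the case the commit message is about: before 1.9 the uncovered block would have been checked against the trust anchor and accepted; now it is rejected and the repository operator has to fix the issuing certificate.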

# 1.8 28-Nov-2019 claudio

Convert the auths array into an RB tree indexed by SKI. For fast lookups
the parent auth struct is stored as a pointer so walking up the certificate
chain remains simple. Doing this replaces a few slow lookups and speeds up
rpki-client by a factor of 2.
OK benno@


# 1.7 27-Nov-2019 benno

Only store ta certs in the trust store and build chains of the
intermediate certificates for use in X509_STORE_CTX_init(). To do that
save the X509 cert in struct cert.
claudio sees > 2x speed increase.

ok claudio@ and feedback from jsing@ and beck@.


# 1.6 18-Nov-2019 claudio

Add and fix some comments.
From kristaps@


Revision tags: OPENBSD_6_6_BASE
# 1.5 08-Oct-2019 claudio

Rewrite the output handling of rpki-client and add an option to dump the
data in JSON format. To make the JSON output the same as the output of the
RIPE rpki-validator the basename of the TAL had to be added and passed around
in rpki-client. Additionally the VRPs are now stored in an RB tree in the
main process instead of keeping them per ROA object. This changes the sort
order to be in network order and no longer just lexicographical.
Agreed by job@ deraadt@


# 1.4 19-Jun-2019 deraadt

use $OpenBSD$ headers


# 1.3 19-Jun-2019 deraadt

indentation adjustments, in particular near warn statements
ok claudio


# 1.2 17-Jun-2019 deraadt

Don't do -portable in base. It is better done outside the tree.
Imagine if we did it throughout the tree, how many copies of strlcpy
would we have, and how much time would all the configure shell scripts
and includes take? It would be ludicrous.


# 1.1 17-Jun-2019 job

branches: 1.1.1;
Initial revision


# 1.47 26-Nov-2022 job

Add support for authenticating geofeed data CSV files in filemode

RFC 9092 describes a scheme in which an authenticator is appended to a
geofeed (RFC 8805) file. It is a digest of the main body of the file
signed by the private key of the relevant RPKI certificate for a covering
address range. The authenticator is a detached CMS signature.

with and OK tb@


# 1.46 02-Nov-2022 tb

Length check URI before strncasecmp()

A priori URI is not NUL terminated, so we should first check it is long
enough before comparing it against proto. As a side effect, this now
rejects "https://" and "rsync://", which are invalid due to the missing
host in the authority section.

ok claudio


Revision tags: OPENBSD_7_2_BASE
# 1.45 03-Sep-2022 job

Don't doublecheck whether the RSC eContent Resourceblock contains inherit elements

The RSC ASN.1 templates make it impossible to pass an RFC3779-style inherit option
because of the use of ConstrainedIPAddressFamily and ConstrainedASIdentifiers.

OK tb@


# 1.44 03-Sep-2022 job

Introduce x509_any_inherit() for objects which may not have inherit elements

Unify conformance checking of Trust Anchors, ROAs, ASPAs, RSCs - none of which
may have any 'inherit' elements in the RFC 3779 IP/AS Resources extension of
the X509 certificate.

OK tb@


# 1.43 03-Sep-2022 tb

Move non-inheritance check for BGPsec certs into cert_parse_pre()

ok claudio job (as part of a larger diff)


# 1.42 30-Aug-2022 job

Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)

ASPA objects are published in the RPKI and can be used to detect and
mitigate BGP route leaks. Validated ASPA Payloads are visible through
filemode (-f) and the JSON output format (-j).

With feedback from tb@

OK claudio@ tb@


# 1.41 19-Aug-2022 tb

Check the resources in ROAs and RSCs against EE certs

The resources delegated in the RFC 3779 extensions of the EE cert for
ROAs or RSCs can be a subset of the resources in the auth chain. So far
we compared that the resources of ROAs and RSCs are covered by the auth
chain, which is not entirely correct. Extract the necessary data from
the EE cert into rpki-client's own data structures, then verify that
the EE cert's resources cover the ones claimed in the ROA or RSC.

Do this as part or ROA and RSC parsing, that the EE cert's resources are
covered by the auth chain is checked in valid_x509() later on.

All this is a bit more annoying and intrusive than it should be...

ok claudio job


# 1.40 10-Jun-2022 tb

Dedup econtent version checks

Since the ASN.1 template conversions, we have three copies of mostly dead
code that validates that the econtent version is at its default value 0.
Until a new standard bumps this version and we decide to support that,
we're better off with only one copy of this code.

ok claudio


# 1.39 07-Jun-2022 tb

Fix path validation of AS numbers

If a certificate along the chain does not have an AS numbers extension,
this is a failure condition according to RFC 3779, section 3.3.

ok job


# 1.38 15-May-2022 tb

More KNF and whitespace fixes.


# 1.37 15-May-2022 tb

Remove misplaced continue

ok job


# 1.36 15-May-2022 deraadt

whitespace spotted during read-thru


# 1.35 12-May-2022 tb

Remove verify callback

It is no longer possible to build rpki-client with LibreSSL < 3.5 or with
OpenSSL built with OPENSSL_NO_RFC3779, so this compat code can be retired.

ok claudio job


# 1.34 12-May-2022 tb

nuke tabs


# 1.33 11-May-2022 job

In filemode check whether ROA & RSC resources are properly contained

with and OK tb@ claudio@


# 1.32 10-May-2022 tb

Validate RSC filenames

Factor out POSIX portable filename check into a new valid_filename() and
rename the previous valid_filename() to valid_mft_filename(). Fixes and
supersedes imcomplete checks in the RSC code. Avoids truncation via
strndup() in case of embedded NULs.

input/ok claudio


# 1.31 21-Apr-2022 claudio

The filemode code is enough different from the regular parser code that it
makes sense to totally split it out. Duplicate proc_parser_cert_validate()
and proc_parser_root_cert() for now.

The valid_x509() plus the required static functions are moved to validate.c.
The crl_tree code moved into crl.c similar to the auth_tree handling in
cert.c. All the proc functions are now tagged with __attribute(noreturn)
which allows to remove the errx() after them.

OK tb@


# 1.30 19-Apr-2022 claudio

Adjust on how CRL and MFT files are verified.

Verify the CRL referenced from the mft against the mft's fileAndHash info.
If the CRL matches then load it and use it to validate this mft. If the
mft validated OK add the now also valid CRL to the auth store for later use.

Before the newest CRL was always selected but that has negative consequences
because it is common practice to revoke the previous MFT's EE cert and with
that the cache is turned useless as soon as a new CRL is used. Also there
was a possibility that the CRL used for validation of the MFT was not the
one later used.

Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part
of the validation process. We opted in favor of the chached MFT.

With and OK tb@


Revision tags: OPENBSD_7_1_BASE
# 1.29 04-Feb-2022 job

Fix outdated comment

Nowadays SKI/AKI validation happens in proc_parser_roa()


# 1.28 23-Jan-2022 tb

zap extra blank line


# 1.27 23-Jan-2022 claudio

Simplify valid_cert() and valid_roa() by passing in struct auth instead
of looking it up again. For this valid_roa() needs to be moved up in
proc_parser_roa() also move out the assignment of the TAL id. Not the
right thing to alter an object in a validation function.
OK tb@


# 1.26 22-Jan-2022 tb

Change valid_filename() ot return an enum rtype and rename it to
rtype_from_mftfile(). Move both rtype_from functions to mft.c.

ok beck claudio


# 1.25 21-Jan-2022 tb

Add function to determine the file type from the file name extension

rpki-client uses the same idiom to determine the file type in too many
places. Use one function that determines the appropriate RTYPE from the
file name. Add that type to struct mftfile and use this new member to
simplify queue_add_from_mft*().

input/ok claudio


# 1.24 13-Jan-2022 claudio

Alter valid_filehash() to take a file descriptor instead of a path.
This is needed so that callers can allow a file to be in multiple
locations. Also move mft_check() from mft.c to parser.c.
OK tb@


# 1.23 26-Dec-2021 tb

fix spelling of inheritance


# 1.22 04-Nov-2021 claudio

Instead of passing tal descriptions around just pass a tal id and
use a small lookup table to print the description in the output path.
OK tb@


# 1.21 01-Nov-2021 claudio

Cleanup struct auth a bit. The tal description is also stored in the cert
and the filename is only used in tracewarn which is not that helpful.
OK tb@


# 1.20 29-Oct-2021 claudio

Ensure that RRDP snapshot and delta files are fetched from the same host
as the notification file.
OK tb@ job@


# 1.19 27-Oct-2021 beck

Add limits on size of certain untrusted inputs

ok job@


# 1.18 27-Oct-2021 job

Limit length on URIs

OK beck@


# 1.17 24-Oct-2021 job

Restrict the characterset for filenames on Manifests

feedback from benno@

OK claudio@


# 1.16 11-Oct-2021 job

Add support for BGPsec Router Certificates (RFC 8209)

BGPsec router keys are extracted from RPKI certificates and
emitted via the JSON output in base64 encoded form.

OK tb@ claudio@


Revision tags: OPENBSD_7_0_BASE
# 1.15 16-Aug-2021 jsg

branches: 1.15.4;
add missing break
ok claudio@


# 1.14 19-Apr-2021 deraadt

code review results in KNF, and moving local variables into lowest scope
ok claudio


Revision tags: OPENBSD_6_9_BASE
# 1.13 05-Mar-2021 claudio

branches: 1.13.2;
Factor out the URI check we do in various places into valid_uri().
RRDP will add a bunch more checks so this makes even more sense.
With and OK tb@


# 1.12 05-Mar-2021 claudio

Factor out the SHA256 hash checks into valid_filehash() so that it can
be used by the RRDP code as well.
OK tb@


Revision tags: OPENBSD_6_8_BASE
# 1.11 12-Sep-2020 claudio

Include openssl/x509.h in extern.h since it uses a few of the typedefs from
there in structs and prototypes. Remove the openssl/ssl.h and other strange
openssl includes in the .c files that don't use openssl specific functions.
OK beck@ and tb@


Revision tags: OPENBSD_6_7_BASE
# 1.10 29-Nov-2019 benno

e2k19 - above par
s/EXIT_FAILURE/1/
ok claudio@


# 1.9 29-Nov-2019 claudio

valid_as() should be as strict as valid_ip() when it comes to not-covered
blocks. No longer bubble up the chain in the hope that something is covered.
If this causes issues people need to fix the repository where it causes
errors.


# 1.8 28-Nov-2019 claudio

Convert the auths array into an RB tree indexed by SKI. For fast lookups
the parent auth struct is stored as a pointer so walking up the certificate
chain remains simple. Doing this replaces a few slow lookups and speeds up
rpki-client by a factor of 2.
OK benno@


# 1.7 27-Nov-2019 benno

Only store ta certs in the trust store and build chains of the
intermediate certificates for use in X509_STORE_CTX_init(). To do that
save the X509 cert in struct cert.
claudio sees > 2x speed increase.

ok claudio@ and feedback from jsing@ and beck@.


# 1.6 18-Nov-2019 claudio

Add and fix some comments.
From kristaps@


Revision tags: OPENBSD_6_6_BASE
# 1.5 08-Oct-2019 claudio

Rewrite the output handling of rpki-client and add an option to dump the
data in JSON format. To make the JSON output the same as the output of the
RIPE rpki-validator the basename of the TAL had to be added and passed around
in rpki-client. Additinally the VRPs are now stored in an RB tree in the
main process instead of keeping them per ROA object. This changes the sort
order to be in network order and no longer just lexographical.
Agreed by job@ deraadt@


# 1.4 19-Jun-2019 deraadt

use $OpenBSD$ headers


# 1.3 19-Jun-2019 deraadt

indentation adjustments, in particular near warn statements
ok claudio


# 1.2 17-Jun-2019 deraadt

Don't do -portable in base. It is better done outside the tree.
Imagine if we did it throughout the tree, how many copies of strlcpy
would we have, and how much time would all the configure shell scripts
and includes take? It would be ludicrous.


# 1.1 17-Jun-2019 job

branches: 1.1.1;
Initial revision


# 1.46 02-Nov-2022 tb

Length check URI before strncasecmp()

A priori URI is not NUL terminated, so we should first check it is long
enough before comparing it against proto. As a side effect, this now
rejects "https://" and "rsync://", which are invalid due to the missing
host in the authority section.

ok claudio


Revision tags: OPENBSD_7_2_BASE
# 1.45 03-Sep-2022 job

Don't doublecheck whether the RSC eContent Resourceblock contains inherit elements

The RSC ASN.1 templates make it impossible to pass an RFC3779-style inherit option
because of the use of ConstrainedIPAddressFamily and ConstrainedASIdentifiers.

OK tb@


# 1.44 03-Sep-2022 job

Introduce x509_any_inherit() for objects which may not have inherit elements

Unify conformance checking of Trust Anchors, ROAs, ASPAs, RSCs - none of which
may have any 'inherit' elements in the RFC 3779 IP/AS Resources extension of
the X509 certificate.

OK tb@


# 1.43 03-Sep-2022 tb

Move non-inheritance check for BGPsec certs into cert_parse_pre()

ok claudio job (as part of a larger diff)


# 1.42 30-Aug-2022 job

Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)

ASPA objects are published in the RPKI and can be used to detect and
mitigate BGP route leaks. Validated ASPA Payloads are visible through
filemode (-f) and the JSON output format (-j).

With feedback from tb@

OK claudio@ tb@


# 1.41 19-Aug-2022 tb

Check the resources in ROAs and RSCs against EE certs

The resources delegated in the RFC 3779 extensions of the EE cert for
ROAs or RSCs can be a subset of the resources in the auth chain. So far
we compared that the resources of ROAs and RSCs are covered by the auth
chain, which is not entirely correct. Extract the necessary data from
the EE cert into rpki-client's own data structures, then verify that
the EE cert's resources cover the ones claimed in the ROA or RSC.

Do this as part or ROA and RSC parsing, that the EE cert's resources are
covered by the auth chain is checked in valid_x509() later on.

All this is a bit more annoying and intrusive than it should be...

ok claudio job


# 1.40 10-Jun-2022 tb

Dedup econtent version checks

Since the ASN.1 template conversions, we have three copies of mostly dead
code that validates that the econtent version is at its default value 0.
Until a new standard bumps this version and we decide to support that,
we're better off with only one copy of this code.

ok claudio


# 1.39 07-Jun-2022 tb

Fix path validation of AS numbers

If a certificate along the chain does not have an AS numbers extension,
this is a failure condition according to RFC 3779, section 3.3.

ok job


# 1.38 15-May-2022 tb

More KNF and whitespace fixes.


# 1.37 15-May-2022 tb

Remove misplaced continue

ok job


# 1.36 15-May-2022 deraadt

whitespace spotted during read-thru


# 1.35 12-May-2022 tb

Remove verify callback

It is no longer possible to build rpki-client with LibreSSL < 3.5 or with
OpenSSL built with OPENSSL_NO_RFC3779, so this compat code can be retired.

ok claudio job


# 1.34 12-May-2022 tb

nuke tabs


# 1.33 11-May-2022 job

In filemode check whether ROA & RSC resources are properly contained

with and OK tb@ claudio@


# 1.32 10-May-2022 tb

Validate RSC filenames

Factor out POSIX portable filename check into a new valid_filename() and
rename the previous valid_filename() to valid_mft_filename(). Fixes and
supersedes imcomplete checks in the RSC code. Avoids truncation via
strndup() in case of embedded NULs.

input/ok claudio


# 1.31 21-Apr-2022 claudio

The filemode code is enough different from the regular parser code that it
makes sense to totally split it out. Duplicate proc_parser_cert_validate()
and proc_parser_root_cert() for now.

The valid_x509() plus the required static functions are moved to validate.c.
The crl_tree code moved into crl.c similar to the auth_tree handling in
cert.c. All the proc functions are now tagged with __attribute(noreturn)
which allows to remove the errx() after them.

OK tb@


# 1.30 19-Apr-2022 claudio

Adjust on how CRL and MFT files are verified.

Verify the CRL referenced from the mft against the mft's fileAndHash info.
If the CRL matches then load it and use it to validate this mft. If the
mft validated OK add the now also valid CRL to the auth store for later use.

Before the newest CRL was always selected but that has negative consequences
because it is common practice to revoke the previous MFT's EE cert and with
that the cache is turned useless as soon as a new CRL is used. Also there
was a possibility that the CRL used for validation of the MFT was not the
one later used.

Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part
of the validation process. We opted in favor of the chached MFT.

With and OK tb@


Revision tags: OPENBSD_7_1_BASE
# 1.29 04-Feb-2022 job

Fix outdated comment

Nowadays SKI/AKI validation happens in proc_parser_roa()


# 1.28 23-Jan-2022 tb

zap extra blank line


# 1.27 23-Jan-2022 claudio

Simplify valid_cert() and valid_roa() by passing in struct auth instead
of looking it up again. For this valid_roa() needs to be moved up in
proc_parser_roa() also move out the assignment of the TAL id. Not the
right thing to alter an object in a validation function.
OK tb@


# 1.26 22-Jan-2022 tb

Change valid_filename() ot return an enum rtype and rename it to
rtype_from_mftfile(). Move both rtype_from functions to mft.c.

ok beck claudio


# 1.25 21-Jan-2022 tb

Add function to determine the file type from the file name extension

rpki-client uses the same idiom to determine the file type in too many
places. Use one function that determines the appropriate RTYPE from the
file name. Add that type to struct mftfile and use this new member to
simplify queue_add_from_mft*().

input/ok claudio


# 1.24 13-Jan-2022 claudio

Alter valid_filehash() to take a file descriptor instead of a path.
This is needed so that callers can allow a file to be in multiple
locations. Also move mft_check() from mft.c to parser.c.
OK tb@


# 1.23 26-Dec-2021 tb

fix spelling of inheritance


# 1.22 04-Nov-2021 claudio

Instead of passing tal descriptions around just pass a tal id and
use a small lookup table to print the description in the output path.
OK tb@


# 1.21 01-Nov-2021 claudio

Cleanup struct auth a bit. The tal description is also stored in the cert
and the filename is only used in tracewarn which is not that helpful.
OK tb@


# 1.20 29-Oct-2021 claudio

Ensure that RRDP snapshot and delta files are fetched from the same host
as the notification file.
OK tb@ job@


# 1.19 27-Oct-2021 beck

Add limits on size of certain untrusted inputs

ok job@


# 1.18 27-Oct-2021 job

Limit length on URIs

OK beck@


# 1.17 24-Oct-2021 job

Restrict the characterset for filenames on Manifests

feedback from benno@

OK claudio@


# 1.16 11-Oct-2021 job

Add support for BGPsec Router Certificates (RFC 8209)

BGPsec router keys are extracted from RPKI certificates and
emitted via the JSON output in base64 encoded form.

OK tb@ claudio@


Revision tags: OPENBSD_7_0_BASE
# 1.15 16-Aug-2021 jsg

branches: 1.15.4;
add missing break
ok claudio@


# 1.14 19-Apr-2021 deraadt

code review results in KNF, and moving local variables into lowest scope
ok claudio


Revision tags: OPENBSD_6_9_BASE
# 1.13 05-Mar-2021 claudio

branches: 1.13.2;
Factor out the URI check we do in various places into valid_uri().
RRDP will add a bunch more checks so this makes even more sense.
With and OK tb@


# 1.12 05-Mar-2021 claudio

Factor out the SHA256 hash checks into valid_filehash() so that it can
be used by the RRDP code as well.
OK tb@


Revision tags: OPENBSD_6_8_BASE
# 1.11 12-Sep-2020 claudio

Include openssl/x509.h in extern.h since it uses a few of the typedefs from
there in structs and prototypes. Remove the openssl/ssl.h and other strange
openssl includes in the .c files that don't use openssl specific functions.
OK beck@ and tb@


Revision tags: OPENBSD_6_7_BASE
# 1.10 29-Nov-2019 benno

e2k19 - above par
s/EXIT_FAILURE/1/
ok claudio@


# 1.9 29-Nov-2019 claudio

valid_as() should be as strict as valid_ip() when it comes to not-covered
blocks. No longer bubble up the chain in the hope that something is covered.
If this causes issues people need to fix the repository where it causes
errors.


# 1.8 28-Nov-2019 claudio

Convert the auths array into an RB tree indexed by SKI. For fast lookups
the parent auth struct is stored as a pointer so walking up the certificate
chain remains simple. Doing this replaces a few slow lookups and speeds up
rpki-client by a factor of 2.
OK benno@


# 1.7 27-Nov-2019 benno

Only store ta certs in the trust store and build chains of the
intermediate certificates for use in X509_STORE_CTX_init(). To do that
save the X509 cert in struct cert.
claudio sees > 2x speed increase.

ok claudio@ and feedback from jsing@ and beck@.


# 1.6 18-Nov-2019 claudio

Add and fix some comments.
From kristaps@


Revision tags: OPENBSD_6_6_BASE
# 1.5 08-Oct-2019 claudio

Rewrite the output handling of rpki-client and add an option to dump the
data in JSON format. To make the JSON output the same as the output of the
RIPE rpki-validator the basename of the TAL had to be added and passed around
in rpki-client. Additinally the VRPs are now stored in an RB tree in the
main process instead of keeping them per ROA object. This changes the sort
order to be in network order and no longer just lexographical.
Agreed by job@ deraadt@


# 1.4 19-Jun-2019 deraadt

use $OpenBSD$ headers


# 1.3 19-Jun-2019 deraadt

indentation adjustments, in particular near warn statements
ok claudio


# 1.2 17-Jun-2019 deraadt

Don't do -portable in base. It is better done outside the tree.
Imagine if we did it throughout the tree, how many copies of strlcpy
would we have, and how much time would all the configure shell scripts
and includes take? It would be ludicrous.


# 1.1 17-Jun-2019 job

branches: 1.1.1;
Initial revision


# 1.45 03-Sep-2022 job

Don't doublecheck whether the RSC eContent Resourceblock contains inherit elements

The RSC ASN.1 templates make it impossible to pass an RFC3779-style inherit option
because of the use of ConstrainedIPAddressFamily and ConstrainedASIdentifiers.

OK tb@


# 1.44 03-Sep-2022 job

Introduce x509_any_inherit() for objects which may not have inherit elements

Unify conformance checking of Trust Anchors, ROAs, ASPAs, RSCs - none of which
may have any 'inherit' elements in the RFC 3779 IP/AS Resources extension of
the X509 certificate.

OK tb@


# 1.43 03-Sep-2022 tb

Move non-inheritance check for BGPsec certs into cert_parse_pre()

ok claudio job (as part of a larger diff)


# 1.42 30-Aug-2022 job

Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)

ASPA objects are published in the RPKI and can be used to detect and
mitigate BGP route leaks. Validated ASPA Payloads are visible through
filemode (-f) and the JSON output format (-j).

With feedback from tb@

OK claudio@ tb@


# 1.41 19-Aug-2022 tb

Check the resources in ROAs and RSCs against EE certs

The resources delegated in the RFC 3779 extensions of the EE cert for
ROAs or RSCs can be a subset of the resources in the auth chain. So far
we compared that the resources of ROAs and RSCs are covered by the auth
chain, which is not entirely correct. Extract the necessary data from
the EE cert into rpki-client's own data structures, then verify that
the EE cert's resources cover the ones claimed in the ROA or RSC.

Do this as part or ROA and RSC parsing, that the EE cert's resources are
covered by the auth chain is checked in valid_x509() later on.

All this is a bit more annoying and intrusive than it should be...

ok claudio job


# 1.40 10-Jun-2022 tb

Dedup econtent version checks

Since the ASN.1 template conversions, we have three copies of mostly dead
code that validates that the econtent version is at its default value 0.
Until a new standard bumps this version and we decide to support that,
we're better off with only one copy of this code.

ok claudio


# 1.39 07-Jun-2022 tb

Fix path validation of AS numbers

If a certificate along the chain does not have an AS numbers extension,
this is a failure condition according to RFC 3779, section 3.3.

ok job


# 1.38 15-May-2022 tb

More KNF and whitespace fixes.


# 1.37 15-May-2022 tb

Remove misplaced continue

ok job


# 1.36 15-May-2022 deraadt

whitespace spotted during read-thru


# 1.35 12-May-2022 tb

Remove verify callback

It is no longer possible to build rpki-client with LibreSSL < 3.5 or with
OpenSSL built with OPENSSL_NO_RFC3779, so this compat code can be retired.

ok claudio job


# 1.34 12-May-2022 tb

nuke tabs


# 1.33 11-May-2022 job

In filemode check whether ROA & RSC resources are properly contained

with and OK tb@ claudio@


# 1.32 10-May-2022 tb

Validate RSC filenames

Factor out POSIX portable filename check into a new valid_filename() and
rename the previous valid_filename() to valid_mft_filename(). Fixes and
supersedes imcomplete checks in the RSC code. Avoids truncation via
strndup() in case of embedded NULs.

input/ok claudio


# 1.31 21-Apr-2022 claudio

The filemode code is enough different from the regular parser code that it
makes sense to totally split it out. Duplicate proc_parser_cert_validate()
and proc_parser_root_cert() for now.

The valid_x509() plus the required static functions are moved to validate.c.
The crl_tree code moved into crl.c similar to the auth_tree handling in
cert.c. All the proc functions are now tagged with __attribute(noreturn)
which allows to remove the errx() after them.

OK tb@


# 1.30 19-Apr-2022 claudio

Adjust on how CRL and MFT files are verified.

Verify the CRL referenced from the mft against the mft's fileAndHash info.
If the CRL matches then load it and use it to validate this mft. If the
mft validated OK add the now also valid CRL to the auth store for later use.

Before the newest CRL was always selected but that has negative consequences
because it is common practice to revoke the previous MFT's EE cert and with
that the cache is turned useless as soon as a new CRL is used. Also there
was a possibility that the CRL used for validation of the MFT was not the
one later used.

Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part
of the validation process. We opted in favor of the chached MFT.

With and OK tb@


Revision tags: OPENBSD_7_1_BASE
# 1.29 04-Feb-2022 job

Fix outdated comment

Nowadays SKI/AKI validation happens in proc_parser_roa()


# 1.28 23-Jan-2022 tb

zap extra blank line


# 1.27 23-Jan-2022 claudio

Simplify valid_cert() and valid_roa() by passing in struct auth instead
of looking it up again. For this valid_roa() needs to be moved up in
proc_parser_roa() also move out the assignment of the TAL id. Not the
right thing to alter an object in a validation function.
OK tb@


# 1.26 22-Jan-2022 tb

Change valid_filename() ot return an enum rtype and rename it to
rtype_from_mftfile(). Move both rtype_from functions to mft.c.

ok beck claudio


# 1.25 21-Jan-2022 tb

Add function to determine the file type from the file name extension

rpki-client uses the same idiom to determine the file type in too many
places. Use one function that determines the appropriate RTYPE from the
file name. Add that type to struct mftfile and use this new member to
simplify queue_add_from_mft*().

input/ok claudio


# 1.24 13-Jan-2022 claudio

Alter valid_filehash() to take a file descriptor instead of a path.
This is needed so that callers can allow a file to be in multiple
locations. Also move mft_check() from mft.c to parser.c.
OK tb@


# 1.23 26-Dec-2021 tb

fix spelling of inheritance


# 1.22 04-Nov-2021 claudio

Instead of passing tal descriptions around just pass a tal id and
use a small lookup table to print the description in the output path.
OK tb@


# 1.21 01-Nov-2021 claudio

Cleanup struct auth a bit. The tal description is also stored in the cert
and the filename is only used in tracewarn which is not that helpful.
OK tb@


# 1.20 29-Oct-2021 claudio

Ensure that RRDP snapshot and delta files are fetched from the same host
as the notification file.
OK tb@ job@


# 1.19 27-Oct-2021 beck

Add limits on size of certain untrusted inputs

ok job@


# 1.18 27-Oct-2021 job

Limit length on URIs

OK beck@


# 1.17 24-Oct-2021 job

Restrict the characterset for filenames on Manifests

feedback from benno@

OK claudio@


# 1.16 11-Oct-2021 job

Add support for BGPsec Router Certificates (RFC 8209)

BGPsec router keys are extracted from RPKI certificates and
emitted via the JSON output in base64 encoded form.

OK tb@ claudio@


Revision tags: OPENBSD_7_0_BASE
# 1.15 16-Aug-2021 jsg

branches: 1.15.4;
add missing break
ok claudio@


# 1.14 19-Apr-2021 deraadt

code review results in KNF, and moving local variables into lowest scope
ok claudio


Revision tags: OPENBSD_6_9_BASE
# 1.13 05-Mar-2021 claudio

branches: 1.13.2;
Factor out the URI check we do in various places into valid_uri().
RRDP will add a bunch more checks so this makes even more sense.
With and OK tb@


# 1.12 05-Mar-2021 claudio

Factor out the SHA256 hash checks into valid_filehash() so that it can
be used by the RRDP code as well.
OK tb@


Revision tags: OPENBSD_6_8_BASE
# 1.11 12-Sep-2020 claudio

Include openssl/x509.h in extern.h since it uses a few of the typedefs from
there in structs and prototypes. Remove the openssl/ssl.h and other strange
openssl includes in the .c files that don't use openssl specific functions.
OK beck@ and tb@


Revision tags: OPENBSD_6_7_BASE
# 1.10 29-Nov-2019 benno

e2k19 - above par
s/EXIT_FAILURE/1/
ok claudio@


# 1.9 29-Nov-2019 claudio

valid_as() should be as strict as valid_ip() when it comes to not-covered
blocks. No longer bubble up the chain in the hope that something is covered.
If this causes issues people need to fix the repository where it causes
errors.


# 1.8 28-Nov-2019 claudio

Convert the auths array into an RB tree indexed by SKI. For fast lookups
the parent auth struct is stored as a pointer so walking up the certificate
chain remains simple. Doing this replaces a few slow lookups and speeds up
rpki-client by a factor of 2.
OK benno@


# 1.7 27-Nov-2019 benno

Only store ta certs in the trust store and build chains of the
intermediate certificates for use in X509_STORE_CTX_init(). To do that
save the X509 cert in struct cert.
claudio sees > 2x speed increase.

ok claudio@ and feedback from jsing@ and beck@.


# 1.6 18-Nov-2019 claudio

Add and fix some comments.
From kristaps@


Revision tags: OPENBSD_6_6_BASE
# 1.5 08-Oct-2019 claudio

Rewrite the output handling of rpki-client and add an option to dump the
data in JSON format. To make the JSON output the same as the output of the
RIPE rpki-validator the basename of the TAL had to be added and passed around
in rpki-client. Additionally the VRPs are now stored in an RB tree in the
main process instead of keeping them per ROA object. This changes the sort
order to be in network order and no longer just lexicographical.
Agreed by job@ deraadt@


# 1.4 19-Jun-2019 deraadt

use $OpenBSD$ headers


# 1.3 19-Jun-2019 deraadt

indentation adjustments, in particular near warn statements
ok claudio


# 1.2 17-Jun-2019 deraadt

Don't do -portable in base. It is better done outside the tree.
Imagine if we did it throughout the tree, how many copies of strlcpy
would we have, and how much time would all the configure shell scripts
and includes take? It would be ludicrous.


# 1.1 17-Jun-2019 job

branches: 1.1.1;
Initial revision


# 1.42 30-Aug-2022 job

Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)

ASPA objects are published in the RPKI and can be used to detect and
mitigate BGP route leaks. Validated ASPA Payloads are visible through
filemode (-f) and the JSON output format (-j).

With feedback from tb@

OK claudio@ tb@


# 1.41 19-Aug-2022 tb

Check the resources in ROAs and RSCs against EE certs

The resources delegated in the RFC 3779 extensions of the EE cert for
ROAs or RSCs can be a subset of the resources in the auth chain. So far
we compared that the resources of ROAs and RSCs are covered by the auth
chain, which is not entirely correct. Extract the necessary data from
the EE cert into rpki-client's own data structures, then verify that
the EE cert's resources cover the ones claimed in the ROA or RSC.

Do this as part of ROA and RSC parsing; that the EE cert's resources are
covered by the auth chain is checked in valid_x509() later on.

All this is a bit more annoying and intrusive than it should be...

ok claudio job


# 1.40 10-Jun-2022 tb

Dedup econtent version checks

Since the ASN.1 template conversions, we have three copies of mostly dead
code that validates that the econtent version is at its default value 0.
Until a new standard bumps this version and we decide to support that,
we're better off with only one copy of this code.

ok claudio


# 1.39 07-Jun-2022 tb

Fix path validation of AS numbers

If a certificate along the chain does not have an AS numbers extension,
this is a failure condition according to RFC 3779, section 3.3.

ok job


# 1.38 15-May-2022 tb

More KNF and whitespace fixes.


# 1.37 15-May-2022 tb

Remove misplaced continue

ok job


# 1.36 15-May-2022 deraadt

whitespace spotted during read-thru


# 1.35 12-May-2022 tb

Remove verify callback

It is no longer possible to build rpki-client with LibreSSL < 3.5 or with
OpenSSL built with OPENSSL_NO_RFC3779, so this compat code can be retired.

ok claudio job


# 1.34 12-May-2022 tb

nuke tabs


# 1.33 11-May-2022 job

In filemode check whether ROA & RSC resources are properly contained

with and OK tb@ claudio@


# 1.32 10-May-2022 tb

Validate RSC filenames

Factor out POSIX portable filename check into a new valid_filename() and
rename the previous valid_filename() to valid_mft_filename(). Fixes and
supersedes incomplete checks in the RSC code. Avoids truncation via
strndup() in case of embedded NULs.

input/ok claudio


# 1.31 21-Apr-2022 claudio

The filemode code is different enough from the regular parser code that it
makes sense to totally split it out. Duplicate proc_parser_cert_validate()
and proc_parser_root_cert() for now.

The valid_x509() plus the required static functions are moved to validate.c.
The crl_tree code moved into crl.c similar to the auth_tree handling in
cert.c. All the proc functions are now tagged with __attribute(noreturn)
which allows removing the errx() after them.

OK tb@


# 1.30 19-Apr-2022 claudio

Adjust on how CRL and MFT files are verified.

Verify the CRL referenced from the mft against the mft's fileAndHash info.
If the CRL matches then load it and use it to validate this mft. If the
mft validated OK add the now also valid CRL to the auth store for later use.

Before the newest CRL was always selected but that has negative consequences
because it is common practice to revoke the previous MFT's EE cert and with
that the cache is turned useless as soon as a new CRL is used. Also there
was a possibility that the CRL used for validation of the MFT was not the
one later used.

Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part
of the validation process. We opted in favor of the cached MFT.

With and OK tb@


Revision tags: OPENBSD_7_1_BASE
# 1.29 04-Feb-2022 job

Fix outdated comment

Nowadays SKI/AKI validation happens in proc_parser_roa()


# 1.28 23-Jan-2022 tb

zap extra blank line


# 1.27 23-Jan-2022 claudio

Simplify valid_cert() and valid_roa() by passing in struct auth instead
of looking it up again. For this valid_roa() needs to be moved up in
proc_parser_roa(); also move out the assignment of the TAL id. Not the
right thing to alter an object in a validation function.
OK tb@


# 1.26 22-Jan-2022 tb

Change valid_filename() to return an enum rtype and rename it to
rtype_from_mftfile(). Move both rtype_from functions to mft.c.

ok beck claudio


# 1.39 07-Jun-2022 tb

Fix path validation of AS numbers

If a certificate along the chain does not have an AS numbers extension,
this is a failure condition according to RFC 3779, section 3.3.

ok job


# 1.38 15-May-2022 tb

More KNF and whitespace fixes.


# 1.37 15-May-2022 tb

Remove misplaced continue

ok job


# 1.36 15-May-2022 deraadt

whitespace spotted during read-thru


# 1.35 12-May-2022 tb

Remove verify callback

It is no longer possible to build rpki-client with LibreSSL < 3.5 or with
OpenSSL built with OPENSSL_NO_RFC3779, so this compat code can be retired.

ok claudio job


# 1.34 12-May-2022 tb

nuke tabs


# 1.33 11-May-2022 job

In filemode check whether ROA & RSC resources are properly contained

with and OK tb@ claudio@


# 1.32 10-May-2022 tb

Validate RSC filenames

Factor out POSIX portable filename check into a new valid_filename() and
rename the previous valid_filename() to valid_mft_filename(). Fixes and
supersedes imcomplete checks in the RSC code. Avoids truncation via
strndup() in case of embedded NULs.

input/ok claudio


# 1.31 21-Apr-2022 claudio

The filemode code is enough different from the regular parser code that it
makes sense to totally split it out. Duplicate proc_parser_cert_validate()
and proc_parser_root_cert() for now.

The valid_x509() plus the required static functions are moved to validate.c.
The crl_tree code moved into crl.c similar to the auth_tree handling in
cert.c. All the proc functions are now tagged with __attribute(noreturn)
which allows to remove the errx() after them.

OK tb@


# 1.30 19-Apr-2022 claudio

Adjust on how CRL and MFT files are verified.

Verify the CRL referenced from the mft against the mft's fileAndHash info.
If the CRL matches then load it and use it to validate this mft. If the
mft validated OK add the now also valid CRL to the auth store for later use.

Before the newest CRL was always selected but that has negative consequences
because it is common practice to revoke the previous MFT's EE cert and with
that the cache is turned useless as soon as a new CRL is used. Also there
was a possibility that the CRL used for validation of the MFT was not the
one later used.

Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part
of the validation process. We opted in favor of the chached MFT.

With and OK tb@


Revision tags: OPENBSD_7_1_BASE
# 1.29 04-Feb-2022 job

Fix outdated comment

Nowadays SKI/AKI validation happens in proc_parser_roa()


# 1.28 23-Jan-2022 tb

zap extra blank line


# 1.27 23-Jan-2022 claudio

Simplify valid_cert() and valid_roa() by passing in struct auth instead
of looking it up again. For this valid_roa() needs to be moved up in
proc_parser_roa() also move out the assignment of the TAL id. Not the
right thing to alter an object in a validation function.
OK tb@


# 1.26 22-Jan-2022 tb

Change valid_filename() ot return an enum rtype and rename it to
rtype_from_mftfile(). Move both rtype_from functions to mft.c.

ok beck claudio


# 1.25 21-Jan-2022 tb

Add function to determine the file type from the file name extension

rpki-client uses the same idiom to determine the file type in too many
places. Use one function that determines the appropriate RTYPE from the
file name. Add that type to struct mftfile and use this new member to
simplify queue_add_from_mft*().

input/ok claudio


# 1.24 13-Jan-2022 claudio

Alter valid_filehash() to take a file descriptor instead of a path.
This is needed so that callers can allow a file to be in multiple
locations. Also move mft_check() from mft.c to parser.c.
OK tb@


# 1.23 26-Dec-2021 tb

fix spelling of inheritance


# 1.22 04-Nov-2021 claudio

Instead of passing tal descriptions around just pass a tal id and
use a small lookup table to print the description in the output path.
OK tb@


# 1.21 01-Nov-2021 claudio

Cleanup struct auth a bit. The tal description is also stored in the cert
and the filename is only used in tracewarn which is not that helpful.
OK tb@


# 1.20 29-Oct-2021 claudio

Ensure that RRDP snapshot and delta files are fetched from the same host
as the notification file.
OK tb@ job@


# 1.19 27-Oct-2021 beck

Add limits on size of certain untrusted inputs

ok job@


# 1.18 27-Oct-2021 job

Limit length on URIs

OK beck@


# 1.17 24-Oct-2021 job

Restrict the characterset for filenames on Manifests

feedback from benno@

OK claudio@


# 1.16 11-Oct-2021 job

Add support for BGPsec Router Certificates (RFC 8209)

BGPsec router keys are extracted from RPKI certificates and
emitted via the JSON output in base64 encoded form.

OK tb@ claudio@


Revision tags: OPENBSD_7_0_BASE
# 1.15 16-Aug-2021 jsg

branches: 1.15.4;
add missing break
ok claudio@


# 1.14 19-Apr-2021 deraadt

code review results in KNF, and moving local variables into lowest scope
ok claudio


Revision tags: OPENBSD_6_9_BASE
# 1.13 05-Mar-2021 claudio

branches: 1.13.2;
Factor out the URI check we do in various places into valid_uri().
RRDP will add a bunch more checks so this makes even more sense.
With and OK tb@


# 1.12 05-Mar-2021 claudio

Factor out the SHA256 hash checks into valid_filehash() so that it can
be used by the RRDP code as well.
OK tb@


Revision tags: OPENBSD_6_8_BASE
# 1.11 12-Sep-2020 claudio

Include openssl/x509.h in extern.h since it uses a few of the typedefs from
there in structs and prototypes. Remove the openssl/ssl.h and other strange
openssl includes in the .c files that don't use openssl specific functions.
OK beck@ and tb@


Revision tags: OPENBSD_6_7_BASE
# 1.10 29-Nov-2019 benno

e2k19 - above par
s/EXIT_FAILURE/1/
ok claudio@


# 1.9 29-Nov-2019 claudio

valid_as() should be as strict as valid_ip() when it comes to not-covered
blocks. No longer bubble up the chain in the hope that something is covered.
If this causes issues people need to fix the repository where it causes
errors.
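The strictness this commit describes, as an added example that is not rpki-client's own code: a certificate's AS resources must be covered by its immediate issuer, and the check only moves up the chain when the issuer's AS resources are marked inherit (RFC 3779). Modelling inherit as a NULL range list, the chain, and the `valid_as_lenient()` reconstruction of the older behaviour are assumptions made for the example.

```c
/*
 * Added example, not rpki-client code. Models the 1.9 change: AS coverage
 * is checked against the immediate issuer only; the chain is walked only
 * when an issuer inherits its AS resources (modelled here as as == NULL).
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct as_range {
	uint32_t min;
	uint32_t max;
};

struct issuer {
	const struct as_range *as;	/* NULL models RFC 3779 "inherit" */
	size_t asz;
	const struct issuer *parent;
};

/* Does one of the issuer's own ranges fully contain [min, max]? */
static bool
as_covered(const struct issuer *a, uint32_t min, uint32_t max)
{
	size_t i;

	for (i = 0; i < a->asz; i++)
		if (a->as[i].min <= min && max <= a->as[i].max)
			return true;
	return false;
}

/* Strict (post-1.9): immediate issuer decides; walk up only on inherit. */
bool
valid_as_strict(const struct issuer *a, uint32_t min, uint32_t max)
{
	if (a == NULL)
		return false;
	if (a->as == NULL)	/* inherit: the issuer's issuer is the authority */
		return valid_as_strict(a->parent, min, max);
	return as_covered(a, min, max);
}

/* Lenient (pre-1.9, reconstructed): keep walking up hoping something covers. */
bool
valid_as_lenient(const struct issuer *a, uint32_t min, uint32_t max)
{
	for (; a != NULL; a = a->parent)
		if (a->as != NULL && as_covered(a, min, max))
			return true;
	return false;
}

/* Constructed chain: TA holds AS 64496-64511, the child CA only 64496-64500. */
static const struct as_range ta_as[] = { { 64496, 64511 } };
static const struct as_range ca_as[] = { { 64496, 64500 } };
static const struct issuer ta = { ta_as, 1, NULL };
static const struct issuer ca = { ca_as, 1, &ta };
static const struct issuer inh = { NULL, 0, &ca };	/* inherits from ca */

/* One case each, so a caller can exercise the difference. */
bool ca_covers_64498(void) { return valid_as_strict(&ca, 64498, 64498); }
bool ca_covers_64505_strict(void) { return valid_as_strict(&ca, 64505, 64505); }
bool ca_covers_64505_lenient(void) { return valid_as_lenient(&ca, 64505, 64505); }
bool inh_covers_64498(void) { return valid_as_strict(&inh, 64498, 64498); }
bool inh_covers_64505(void) { return valid_as_strict(&inh, 64505, 64505); }

int
main(void)
{
	/* AS 64505 is in the TA but not in the CA: strict rejects, lenient accepts */
	printf("ca  64498 strict:  %d\n", ca_covers_64498());
	printf("ca  64505 strict:  %d\n", ca_covers_64505_strict());
	printf("ca  64505 lenient: %d\n", ca_covers_64505_lenient());
	printf("inh 64498 strict:  %d\n", inh_covers_64498());
	printf("inh 64505 strict:  %d\n", inh_covers_64505());
	return 0;
}
```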


# 1.8 28-Nov-2019 claudio

Convert the auths array into an RB tree indexed by SKI. For fast lookups
the parent auth struct is stored as a pointer so walking up the certificate
chain remains simple. Doing this replaces a few slow lookups and speeds up
rpki-client by a factor of 2.
OK benno@


# 1.7 27-Nov-2019 benno

Only store ta certs in the trust store and build chains of the
intermediate certificates for use in X509_STORE_CTX_init(). To do that
save the X509 cert in struct cert.
claudio sees > 2x speed increase.

ok claudio@ and feedback from jsing@ and beck@.


# 1.6 18-Nov-2019 claudio

Add and fix some comments.
From kristaps@


Revision tags: OPENBSD_6_6_BASE
# 1.5 08-Oct-2019 claudio

Rewrite the output handling of rpki-client and add an option to dump the
data in JSON format. To make the JSON output the same as the output of the
RIPE rpki-validator the basename of the TAL had to be added and passed around
in rpki-client. Additionally the VRPs are now stored in an RB tree in the
main process instead of keeping them per ROA object. This changes the sort
order to be in network order and no longer just lexicographical.
Agreed by job@ deraadt@


# 1.4 19-Jun-2019 deraadt

use $OpenBSD$ headers


# 1.3 19-Jun-2019 deraadt

indentation adjustments, in particular near warn statements
ok claudio


# 1.2 17-Jun-2019 deraadt

Don't do -portable in base. It is better done outside the tree.
Imagine if we did it throughout the tree, how many copies of strlcpy
would we have, and how much time would all the configure shell scripts
and includes take? It would be ludicrous.


# 1.1 17-Jun-2019 job

branches: 1.1.1;
Initial revision


# 1.38 15-May-2022 tb

More KNF and whitespace fixes.


# 1.37 15-May-2022 tb

Remove misplaced continue

ok job


# 1.36 15-May-2022 deraadt

whitespace spotted during read-thru


# 1.35 12-May-2022 tb

Remove verify callback

It is no longer possible to build rpki-client with LibreSSL < 3.5 or with
OpenSSL built with OPENSSL_NO_RFC3779, so this compat code can be retired.

ok claudio job


# 1.34 12-May-2022 tb

nuke tabs


# 1.33 11-May-2022 job

In filemode check whether ROA & RSC resources are properly contained

with and OK tb@ claudio@


# 1.32 10-May-2022 tb

Validate RSC filenames

Factor out the POSIX portable filename check into a new valid_filename() and
rename the previous valid_filename() to valid_mft_filename(). Fixes and
supersedes incomplete checks in the RSC code. Avoids truncation via
strndup() in case of embedded NULs.

input/ok claudio
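The kind of check this commit describes, as an added example that is not rpki-client's own code: a file name taken from an untrusted object is validated over an explicit length, so an embedded NUL is rejected instead of silently truncating the name. The function names and the constructed sample name are assumptions made for the example.

```c
/*
 * Added example, not rpki-client code. Validates a file name of explicit
 * length against the POSIX portable filename character set [A-Za-z0-9._-],
 * rejects "." and "..", and treats an embedded NUL as a hard error.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static bool
portable_char(unsigned char c)
{
	return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
	    (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
}

/* Returns true if fn[0..len) is an acceptable portable file name. */
bool
example_valid_filename(const char *fn, size_t len)
{
	size_t i;

	if (len == 0)
		return false;
	for (i = 0; i < len; i++) {
		if (fn[i] == '\0')	/* embedded NUL: reject, never truncate */
			return false;
		if (!portable_char((unsigned char)fn[i]))
			return false;
	}
	/* "." and ".." are path components, not file names */
	if (len == 1 && fn[0] == '.')
		return false;
	if (len == 2 && fn[0] == '.' && fn[1] == '.')
		return false;
	return true;
}

/*
 * Contrast: what a strlen()/strndup()-based check sees. With an embedded
 * NUL the suffix is never inspected, so "good.roa\0../../x" passes as
 * "good.roa". This is the truncation the commit message refers to.
 */
bool
example_valid_filename_truncating(const char *fn)
{
	return example_valid_filename(fn, strlen(fn));
}

int
main(void)
{
	/* constructed sample: a name carrying an embedded NUL */
	static const char evil[] = "good.roa\0../../x";
	size_t evil_len = sizeof(evil) - 1;

	printf("plain:        %d\n", example_valid_filename("abc-1.roa", 9));
	printf("slash:        %d\n", example_valid_filename("a/b.roa", 7));
	printf("nul, length:  %d\n", example_valid_filename(evil, evil_len));
	printf("nul, strlen:  %d\n", example_valid_filename_truncating(evil));
	return 0;
}
```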


# 1.31 21-Apr-2022 claudio

The filemode code is different enough from the regular parser code that it
makes sense to totally split it out. Duplicate proc_parser_cert_validate()
and proc_parser_root_cert() for now.

The valid_x509() plus the required static functions are moved to validate.c.
The crl_tree code moved into crl.c similar to the auth_tree handling in
cert.c. All the proc functions are now tagged with __attribute(noreturn)
which allows removing the errx() after them.

OK tb@


# 1.30 19-Apr-2022 claudio

Adjust how CRL and MFT files are verified.

Verify the CRL referenced from the mft against the mft's fileAndHash info.
If the CRL matches then load it and use it to validate this mft. If the
mft validated OK, add the now also valid CRL to the auth store for later use.

Before, the newest CRL was always selected, but that has negative consequences
because it is common practice to revoke the previous MFT's EE cert and with
that the cache is turned useless as soon as a new CRL is used. Also there
was a possibility that the CRL used for validation of the MFT was not the
one later used.

Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part
of the validation process. We opted in favor of the cached MFT.

With and OK tb@


Revision tags: OPENBSD_7_1_BASE
# 1.29 04-Feb-2022 job

Fix outdated comment

Nowadays SKI/AKI validation happens in proc_parser_roa()


# 1.28 23-Jan-2022 tb

zap extra blank line


# 1.27 23-Jan-2022 claudio

Simplify valid_cert() and valid_roa() by passing in struct auth instead
of looking it up again. For this valid_roa() needs to be moved up in
proc_parser_roa() also move out the assignment of the TAL id. Not the
right thing to alter an object in a validation function.
OK tb@


# 1.26 22-Jan-2022 tb

Change valid_filename() ot return an enum rtype and rename it to
rtype_from_mftfile(). Move both rtype_from functions to mft.c.

ok beck claudio


# 1.25 21-Jan-2022 tb

Add function to determine the file type from the file name extension

rpki-client uses the same idiom to determine the file type in too many
places. Use one function that determines the appropriate RTYPE from the
file name. Add that type to struct mftfile and use this new member to
simplify queue_add_from_mft*().

input/ok claudio


# 1.24 13-Jan-2022 claudio

Alter valid_filehash() to take a file descriptor instead of a path.
This is needed so that callers can allow a file to be in multiple
locations. Also move mft_check() from mft.c to parser.c.
OK tb@


# 1.23 26-Dec-2021 tb

fix spelling of inheritance


# 1.22 04-Nov-2021 claudio

Instead of passing tal descriptions around just pass a tal id and
use a small lookup table to print the description in the output path.
OK tb@


# 1.21 01-Nov-2021 claudio

Cleanup struct auth a bit. The tal description is also stored in the cert
and the filename is only used in tracewarn which is not that helpful.
OK tb@


# 1.20 29-Oct-2021 claudio

Ensure that RRDP snapshot and delta files are fetched from the same host
as the notification file.
OK tb@ job@


# 1.19 27-Oct-2021 beck

Add limits on size of certain untrusted inputs

ok job@


# 1.18 27-Oct-2021 job

Limit length on URIs

OK beck@


# 1.17 24-Oct-2021 job

Restrict the characterset for filenames on Manifests

feedback from benno@

OK claudio@


# 1.16 11-Oct-2021 job

Add support for BGPsec Router Certificates (RFC 8209)

BGPsec router keys are extracted from RPKI certificates and
emitted via the JSON output in base64 encoded form.

OK tb@ claudio@


Revision tags: OPENBSD_7_0_BASE
# 1.15 16-Aug-2021 jsg

branches: 1.15.4;
add missing break
ok claudio@


# 1.14 19-Apr-2021 deraadt

code review results in KNF, and moving local variables into lowest scope
ok claudio


Revision tags: OPENBSD_6_9_BASE
# 1.13 05-Mar-2021 claudio

branches: 1.13.2;
Factor out the URI check we do in various places into valid_uri().
RRDP will add a bunch more checks so this makes even more sense.
With and OK tb@


# 1.12 05-Mar-2021 claudio

Factor out the SHA256 hash checks into valid_filehash() so that it can
be used by the RRDP code as well.
OK tb@


Revision tags: OPENBSD_6_8_BASE
# 1.11 12-Sep-2020 claudio

Include openssl/x509.h in extern.h since it uses a few of the typedefs from
there in structs and prototypes. Remove the openssl/ssl.h and other strange
openssl includes in the .c files that don't use openssl specific functions.
OK beck@ and tb@


Revision tags: OPENBSD_6_7_BASE
# 1.10 29-Nov-2019 benno

e2k19 - above par
s/EXIT_FAILURE/1/
ok claudio@


# 1.9 29-Nov-2019 claudio

valid_as() should be as strict as valid_ip() when it comes to not-covered
blocks. No longer bubble up the chain in the hope that something is covered.
If this causes issues people need to fix the repository where it causes
errors.


# 1.8 28-Nov-2019 claudio

Convert the auths array into an RB tree indexed by SKI. For fast lookups
the parent auth struct is stored as a pointer so walking up the certificate
chain remains simple. Doing this replaces a few slow lookups and speeds up
rpki-client by a factor of 2.
OK benno@


# 1.7 27-Nov-2019 benno

Only store ta certs in the trust store and build chains of the
intermediate certificates for use in X509_STORE_CTX_init(). To do that
save the X509 cert in struct cert.
claudio sees > 2x speed increase.

ok claudio@ and feedback from jsing@ and beck@.


# 1.6 18-Nov-2019 claudio

Add and fix some comments.
From kristaps@


Revision tags: OPENBSD_6_6_BASE
# 1.5 08-Oct-2019 claudio

Rewrite the output handling of rpki-client and add an option to dump the
data in JSON format. To make the JSON output the same as the output of the
RIPE rpki-validator the basename of the TAL had to be added and passed around
in rpki-client. Additinally the VRPs are now stored in an RB tree in the
main process instead of keeping them per ROA object. This changes the sort
order to be in network order and no longer just lexographical.
Agreed by job@ deraadt@


# 1.4 19-Jun-2019 deraadt

use $OpenBSD$ headers


# 1.3 19-Jun-2019 deraadt

indentation adjustments, in particular near warn statements
ok claudio


# 1.2 17-Jun-2019 deraadt

Don't do -portable in base. It is better done outside the tree.
Imagine if we did it throughout the tree, how many copies of strlcpy
would we have, and how much time would all the configure shell scripts
and includes take? It would be ludicrous.


# 1.1 17-Jun-2019 job

branches: 1.1.1;
Initial revision


# 1.35 12-May-2022 tb

Remove verify callback

It is no longer possible to build rpki-client with LibreSSL < 3.5 or with
OpenSSL built with OPENSSL_NO_RFC3779, so this compat code can be retired.

ok claudio job


# 1.34 12-May-2022 tb

nuke tabs


# 1.33 11-May-2022 job

In filemode check whether ROA & RSC resources are properly contained

with and OK tb@ claudio@


# 1.32 10-May-2022 tb

Validate RSC filenames

Factor out POSIX portable filename check into a new valid_filename() and
rename the previous valid_filename() to valid_mft_filename(). Fixes and
supersedes imcomplete checks in the RSC code. Avoids truncation via
strndup() in case of embedded NULs.

input/ok claudio


# 1.31 21-Apr-2022 claudio

The filemode code is enough different from the regular parser code that it
makes sense to totally split it out. Duplicate proc_parser_cert_validate()
and proc_parser_root_cert() for now.

The valid_x509() plus the required static functions are moved to validate.c.
The crl_tree code moved into crl.c similar to the auth_tree handling in
cert.c. All the proc functions are now tagged with __attribute(noreturn)
which allows to remove the errx() after them.

OK tb@


# 1.30 19-Apr-2022 claudio

Adjust on how CRL and MFT files are verified.

Verify the CRL referenced from the mft against the mft's fileAndHash info.
If the CRL matches then load it and use it to validate this mft. If the
mft validated OK add the now also valid CRL to the auth store for later use.

Before the newest CRL was always selected but that has negative consequences
because it is common practice to revoke the previous MFT's EE cert and with
that the cache is turned useless as soon as a new CRL is used. Also there
was a possibility that the CRL used for validation of the MFT was not the
one later used.

Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part
of the validation process. We opted in favor of the chached MFT.

With and OK tb@


Revision tags: OPENBSD_7_1_BASE
# 1.29 04-Feb-2022 job

Fix outdated comment

Nowadays SKI/AKI validation happens in proc_parser_roa()


# 1.28 23-Jan-2022 tb

zap extra blank line


# 1.27 23-Jan-2022 claudio

Simplify valid_cert() and valid_roa() by passing in struct auth instead
of looking it up again. For this valid_roa() needs to be moved up in
proc_parser_roa() also move out the assignment of the TAL id. Not the
right thing to alter an object in a validation function.
OK tb@


# 1.26 22-Jan-2022 tb

Change valid_filename() ot return an enum rtype and rename it to
rtype_from_mftfile(). Move both rtype_from functions to mft.c.

ok beck claudio


# 1.25 21-Jan-2022 tb

Add function to determine the file type from the file name extension

rpki-client uses the same idiom to determine the file type in too many
places. Use one function that determines the appropriate RTYPE from the
file name. Add that type to struct mftfile and use this new member to
simplify queue_add_from_mft*().

input/ok claudio


# 1.24 13-Jan-2022 claudio

Alter valid_filehash() to take a file descriptor instead of a path.
This is needed so that callers can allow a file to be in multiple
locations. Also move mft_check() from mft.c to parser.c.
OK tb@


# 1.23 26-Dec-2021 tb

fix spelling of inheritance


# 1.22 04-Nov-2021 claudio

Instead of passing tal descriptions around just pass a tal id and
use a small lookup table to print the description in the output path.
OK tb@


# 1.21 01-Nov-2021 claudio

Cleanup struct auth a bit. The tal description is also stored in the cert
and the filename is only used in tracewarn which is not that helpful.
OK tb@


# 1.20 29-Oct-2021 claudio

Ensure that RRDP snapshot and delta files are fetched from the same host
as the notification file.
OK tb@ job@


# 1.19 27-Oct-2021 beck

Add limits on size of certain untrusted inputs

ok job@


# 1.18 27-Oct-2021 job

Limit length on URIs

OK beck@


# 1.17 24-Oct-2021 job

Restrict the characterset for filenames on Manifests

feedback from benno@

OK claudio@


# 1.16 11-Oct-2021 job

Add support for BGPsec Router Certificates (RFC 8209)

BGPsec router keys are extracted from RPKI certificates and
emitted via the JSON output in base64 encoded form.

OK tb@ claudio@


Revision tags: OPENBSD_7_0_BASE
# 1.15 16-Aug-2021 jsg

branches: 1.15.4;
add missing break
ok claudio@


# 1.14 19-Apr-2021 deraadt

code review results in KNF, and moving local variables into lowest scope
ok claudio


Revision tags: OPENBSD_6_9_BASE
# 1.13 05-Mar-2021 claudio

branches: 1.13.2;
Factor out the URI check we do in various places into valid_uri().
RRDP will add a bunch more checks so this makes even more sense.
With and OK tb@


# 1.12 05-Mar-2021 claudio

Factor out the SHA256 hash checks into valid_filehash() so that it can
be used by the RRDP code as well.
OK tb@


Revision tags: OPENBSD_6_8_BASE
# 1.11 12-Sep-2020 claudio

Include openssl/x509.h in extern.h since it uses a few of the typedefs from
there in structs and prototypes. Remove the openssl/ssl.h and other strange
openssl includes in the .c files that don't use openssl specific functions.
OK beck@ and tb@


Revision tags: OPENBSD_6_7_BASE
# 1.10 29-Nov-2019 benno

e2k19 - above par
s/EXIT_FAILURE/1/
ok claudio@


# 1.9 29-Nov-2019 claudio

valid_as() should be as strict as valid_ip() when it comes to not-covered
blocks. No longer bubble up the chain in the hope that something is covered.
If this causes issues people need to fix the repository where it causes
errors.


# 1.8 28-Nov-2019 claudio

Convert the auths array into an RB tree indexed by SKI. For fast lookups
the parent auth struct is stored as a pointer so walking up the certificate
chain remains simple. Doing this replaces a few slow lookups and speeds up
rpki-client by a factor of 2.
OK benno@


# 1.7 27-Nov-2019 benno

Only store ta certs in the trust store and build chains of the
intermediate certificates for use in X509_STORE_CTX_init(). To do that
save the X509 cert in struct cert.
claudio sees > 2x speed increase.

ok claudio@ and feedback from jsing@ and beck@.


# 1.6 18-Nov-2019 claudio

Add and fix some comments.
From kristaps@


Revision tags: OPENBSD_6_6_BASE
# 1.5 08-Oct-2019 claudio

Rewrite the output handling of rpki-client and add an option to dump the
data in JSON format. To make the JSON output the same as the output of the
RIPE rpki-validator the basename of the TAL had to be added and passed around
in rpki-client. Additinally the VRPs are now stored in an RB tree in the
main process instead of keeping them per ROA object. This changes the sort
order to be in network order and no longer just lexographical.
Agreed by job@ deraadt@


# 1.4 19-Jun-2019 deraadt

use $OpenBSD$ headers


# 1.3 19-Jun-2019 deraadt

indentation adjustments, in particular near warn statements
ok claudio


# 1.2 17-Jun-2019 deraadt

Don't do -portable in base. It is better done outside the tree.
Imagine if we did it throughout the tree, how many copies of strlcpy
would we have, and how much time would all the configure shell scripts
and includes take? It would be ludicrous.


# 1.1 17-Jun-2019 job

branches: 1.1.1;
Initial revision


# 1.35 12-May-2022 tb

Remove verify callback

It is no longer possible to build rpki-client with LibreSSL < 3.5 or with
OpenSSL built with OPENSSL_NO_RFC3779, so this compat code can be retired.

ok claudio job


# 1.34 12-May-2022 tb

nuke tabs


# 1.33 11-May-2022 job

In filemode check whether ROA & RSC resources are properly contained

with and OK tb@ claudio@


# 1.32 10-May-2022 tb

Validate RSC filenames

Factor out POSIX portable filename check into a new valid_filename() and
rename the previous valid_filename() to valid_mft_filename(). Fixes and
supersedes imcomplete checks in the RSC code. Avoids truncation via
strndup() in case of embedded NULs.

input/ok claudio


# 1.31 21-Apr-2022 claudio

The filemode code is enough different from the regular parser code that it
makes sense to totally split it out. Duplicate proc_parser_cert_validate()
and proc_parser_root_cert() for now.

The valid_x509() plus the required static functions are moved to validate.c.
The crl_tree code moved into crl.c similar to the auth_tree handling in
cert.c. All the proc functions are now tagged with __attribute(noreturn)
which allows to remove the errx() after them.

OK tb@


# 1.30 19-Apr-2022 claudio

Adjust on how CRL and MFT files are verified.

Verify the CRL referenced from the mft against the mft's fileAndHash info.
If the CRL matches then load it and use it to validate this mft. If the
mft validated OK add the now also valid CRL to the auth store for later use.

Before the newest CRL was always selected but that has negative consequences
because it is common practice to revoke the previous MFT's EE cert and with
that the cache is turned useless as soon as a new CRL is used. Also there
was a possibility that the CRL used for validation of the MFT was not the
one later used.

Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part
of the validation process. We opted in favor of the chached MFT.

With and OK tb@


Revision tags: OPENBSD_7_1_BASE
# 1.29 04-Feb-2022 job

Fix outdated comment

Nowadays SKI/AKI validation happens in proc_parser_roa()


# 1.28 23-Jan-2022 tb

zap extra blank line


# 1.27 23-Jan-2022 claudio

Simplify valid_cert() and valid_roa() by passing in struct auth instead
of looking it up again. For this valid_roa() needs to be moved up in
proc_parser_roa() also move out the assignment of the TAL id. Not the
right thing to alter an object in a validation function.
OK tb@


# 1.26 22-Jan-2022 tb

Change valid_filename() ot return an enum rtype and rename it to
rtype_from_mftfile(). Move both rtype_from functions to mft.c.

ok beck claudio


# 1.25 21-Jan-2022 tb

Add function to determine the file type from the file name extension

rpki-client uses the same idiom to determine the file type in too many
places. Use one function that determines the appropriate RTYPE from the
file name. Add that type to struct mftfile and use this new member to
simplify queue_add_from_mft*().

input/ok claudio


# 1.24 13-Jan-2022 claudio

Alter valid_filehash() to take a file descriptor instead of a path.
This is needed so that callers can allow a file to be in multiple
locations. Also move mft_check() from mft.c to parser.c.
OK tb@


# 1.23 26-Dec-2021 tb

fix spelling of inheritance


# 1.22 04-Nov-2021 claudio

Instead of passing tal descriptions around just pass a tal id and
use a small lookup table to print the description in the output path.
OK tb@


# 1.21 01-Nov-2021 claudio

Cleanup struct auth a bit. The tal description is also stored in the cert
and the filename is only used in tracewarn which is not that helpful.
OK tb@


# 1.20 29-Oct-2021 claudio

Ensure that RRDP snapshot and delta files are fetched from the same host
as the notification file.
OK tb@ job@


# 1.19 27-Oct-2021 beck

Add limits on size of certain untrusted inputs

ok job@


# 1.18 27-Oct-2021 job

Limit length on URIs

OK beck@


# 1.17 24-Oct-2021 job

Restrict the characterset for filenames on Manifests

feedback from benno@

OK claudio@


# 1.16 11-Oct-2021 job

Add support for BGPsec Router Certificates (RFC 8209)

BGPsec router keys are extracted from RPKI certificates and
emitted via the JSON output in base64 encoded form.

OK tb@ claudio@


Revision tags: OPENBSD_7_0_BASE
# 1.15 16-Aug-2021 jsg

branches: 1.15.4;
add missing break
ok claudio@


# 1.14 19-Apr-2021 deraadt

code review results in KNF, and moving local variables into lowest scope
ok claudio


Revision tags: OPENBSD_6_9_BASE
# 1.13 05-Mar-2021 claudio

branches: 1.13.2;
Factor out the URI check we do in various places into valid_uri().
RRDP will add a bunch more checks so this makes even more sense.
With and OK tb@


# 1.12 05-Mar-2021 claudio

Factor out the SHA256 hash checks into valid_filehash() so that it can
be used by the RRDP code as well.
OK tb@


Revision tags: OPENBSD_6_8_BASE
# 1.11 12-Sep-2020 claudio

Include openssl/x509.h in extern.h since it uses a few of the typedefs from
there in structs and prototypes. Remove the openssl/ssl.h and other strange
openssl includes in the .c files that don't use openssl specific functions.
OK beck@ and tb@


Revision tags: OPENBSD_6_7_BASE
# 1.10 29-Nov-2019 benno

e2k19 - above par
s/EXIT_FAILURE/1/
ok claudio@


# 1.9 29-Nov-2019 claudio

valid_as() should be as strict as valid_ip() when it comes to not-covered
blocks. No longer bubble up the chain in the hope that something is covered.
If this causes issues people need to fix the repository where it causes
errors.


# 1.8 28-Nov-2019 claudio

Convert the auths array into an RB tree indexed by SKI. For fast lookups
the parent auth struct is stored as a pointer so walking up the certificate
chain remains simple. Doing this replaces a few slow lookups and speeds up
rpki-client by a factor of 2.
OK benno@


# 1.7 27-Nov-2019 benno

Only store ta certs in the trust store and build chains of the
intermediate certificates for use in X509_STORE_CTX_init(). To do that
save the X509 cert in struct cert.
claudio sees > 2x speed increase.

ok claudio@ and feedback from jsing@ and beck@.


# 1.6 18-Nov-2019 claudio

Add and fix some comments.
From kristaps@


Revision tags: OPENBSD_6_6_BASE
# 1.5 08-Oct-2019 claudio

Rewrite the output handling of rpki-client and add an option to dump the
data in JSON format. To make the JSON output the same as the output of the
RIPE rpki-validator the basename of the TAL had to be added and passed around
in rpki-client. Additinally the VRPs are now stored in an RB tree in the
main process instead of keeping them per ROA object. This changes the sort
order to be in network order and no longer just lexographical.
Agreed by job@ deraadt@


# 1.4 19-Jun-2019 deraadt

use $OpenBSD$ headers


# 1.3 19-Jun-2019 deraadt

indentation adjustments, in particular near warn statements
ok claudio


# 1.2 17-Jun-2019 deraadt

Don't do -portable in base. It is better done outside the tree.
Imagine if we did it throughout the tree, how many copies of strlcpy
would we have, and how much time would all the configure shell scripts
and includes take? It would be ludicrous.


# 1.1 17-Jun-2019 job

branches: 1.1.1;
Initial revision


# 1.32 10-May-2022 tb

Validate RSC filenames

Factor out POSIX portable filename check into a new valid_filename() and
rename the previous valid_filename() to valid_mft_filename(). Fixes and
supersedes imcomplete checks in the RSC code. Avoids truncation via
strndup() in case of embedded NULs.

input/ok claudio


# 1.31 21-Apr-2022 claudio

The filemode code is enough different from the regular parser code that it
makes sense to totally split it out. Duplicate proc_parser_cert_validate()
and proc_parser_root_cert() for now.

The valid_x509() plus the required static functions are moved to validate.c.
The crl_tree code moved into crl.c similar to the auth_tree handling in
cert.c. All the proc functions are now tagged with __attribute(noreturn)
which allows to remove the errx() after them.

OK tb@


# 1.30 19-Apr-2022 claudio

Adjust on how CRL and MFT files are verified.

Verify the CRL referenced from the mft against the mft's fileAndHash info.
If the CRL matches then load it and use it to validate this mft. If the
mft validated OK add the now also valid CRL to the auth store for later use.

Before the newest CRL was always selected but that has negative consequences
because it is common practice to revoke the previous MFT's EE cert and with
that the cache is turned useless as soon as a new CRL is used. Also there
was a possibility that the CRL used for validation of the MFT was not the
one later used.

Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part
of the validation process. We opted in favor of the chached MFT.

With and OK tb@


Revision tags: OPENBSD_7_1_BASE
# 1.29 04-Feb-2022 job

Fix outdated comment

Nowadays SKI/AKI validation happens in proc_parser_roa()


# 1.28 23-Jan-2022 tb

zap extra blank line


# 1.27 23-Jan-2022 claudio

Simplify valid_cert() and valid_roa() by passing in struct auth instead
of looking it up again. For this valid_roa() needs to be moved up in
proc_parser_roa() also move out the assignment of the TAL id. Not the
right thing to alter an object in a validation function.
OK tb@


# 1.26 22-Jan-2022 tb

Change valid_filename() ot return an enum rtype and rename it to
rtype_from_mftfile(). Move both rtype_from functions to mft.c.

ok beck claudio


# 1.25 21-Jan-2022 tb

Add function to determine the file type from the file name extension

rpki-client uses the same idiom to determine the file type in too many
places. Use one function that determines the appropriate RTYPE from the
file name. Add that type to struct mftfile and use this new member to
simplify queue_add_from_mft*().

input/ok claudio


# 1.24 13-Jan-2022 claudio

Alter valid_filehash() to take a file descriptor instead of a path.
This is needed so that callers can allow a file to be in multiple
locations. Also move mft_check() from mft.c to parser.c.
OK tb@


# 1.23 26-Dec-2021 tb

fix spelling of inheritance


# 1.22 04-Nov-2021 claudio

Instead of passing tal descriptions around just pass a tal id and
use a small lookup table to print the description in the output path.
OK tb@


# 1.21 01-Nov-2021 claudio

Cleanup struct auth a bit. The tal description is also stored in the cert
and the filename is only used in tracewarn which is not that helpful.
OK tb@


# 1.20 29-Oct-2021 claudio

Ensure that RRDP snapshot and delta files are fetched from the same host
as the notification file.
OK tb@ job@


# 1.19 27-Oct-2021 beck

Add limits on size of certain untrusted inputs

ok job@


# 1.18 27-Oct-2021 job

Limit length on URIs

OK beck@


# 1.17 24-Oct-2021 job

Restrict the characterset for filenames on Manifests

feedback from benno@

OK claudio@


# 1.16 11-Oct-2021 job

Add support for BGPsec Router Certificates (RFC 8209)

BGPsec router keys are extracted from RPKI certificates and
emitted via the JSON output in base64 encoded form.

OK tb@ claudio@


Revision tags: OPENBSD_7_0_BASE
# 1.15 16-Aug-2021 jsg

branches: 1.15.4;
add missing break
ok claudio@


# 1.14 19-Apr-2021 deraadt

code review results in KNF, and moving local variables into lowest scope
ok claudio


Revision tags: OPENBSD_6_9_BASE
# 1.13 05-Mar-2021 claudio

branches: 1.13.2;
Factor out the URI check we do in various places into valid_uri().
RRDP will add a bunch more checks so this makes even more sense.
With and OK tb@


# 1.12 05-Mar-2021 claudio

Factor out the SHA256 hash checks into valid_filehash() so that it can
be used by the RRDP code as well.
OK tb@


Revision tags: OPENBSD_6_8_BASE
# 1.11 12-Sep-2020 claudio

Include openssl/x509.h in extern.h since it uses a few of the typedefs from
there in structs and prototypes. Remove the openssl/ssl.h and other strange
openssl includes in the .c files that don't use openssl specific functions.
OK beck@ and tb@


Revision tags: OPENBSD_6_7_BASE
# 1.10 29-Nov-2019 benno

e2k19 - above par
s/EXIT_FAILURE/1/
ok claudio@


# 1.9 29-Nov-2019 claudio

valid_as() should be as strict as valid_ip() when it comes to not-covered
blocks. No longer bubble up the chain in the hope that something is covered.
If this causes issues people need to fix the repository where it causes
errors.


# 1.8 28-Nov-2019 claudio

Convert the auths array into an RB tree indexed by SKI. For fast lookups
the parent auth struct is stored as a pointer so walking up the certificate
chain remains simple. Doing this replaces a few slow lookups and speeds up
rpki-client by a factor of 2.
OK benno@


# 1.7 27-Nov-2019 benno

Only store ta certs in the trust store and build chains of the
intermediate certificates for use in X509_STORE_CTX_init(). To do that
save the X509 cert in struct cert.
claudio sees > 2x speed increase.

ok claudio@ and feedback from jsing@ and beck@.


# 1.6 18-Nov-2019 claudio

Add and fix some comments.
From kristaps@


Revision tags: OPENBSD_6_6_BASE
# 1.5 08-Oct-2019 claudio

Rewrite the output handling of rpki-client and add an option to dump the
data in JSON format. To make the JSON output the same as the output of the
RIPE rpki-validator the basename of the TAL had to be added and passed around
in rpki-client. Additinally the VRPs are now stored in an RB tree in the
main process instead of keeping them per ROA object. This changes the sort
order to be in network order and no longer just lexographical.
Agreed by job@ deraadt@


# 1.4 19-Jun-2019 deraadt

use $OpenBSD$ headers


# 1.3 19-Jun-2019 deraadt

indentation adjustments, in particular near warn statements
ok claudio


# 1.2 17-Jun-2019 deraadt

Don't do -portable in base. It is better done outside the tree.
Imagine if we did it throughout the tree, how many copies of strlcpy
would we have, and how much time would all the configure shell scripts
and includes take? It would be ludicrous.


# 1.1 17-Jun-2019 job

branches: 1.1.1;
Initial revision


# 1.8 28-Nov-2019 claudio

Convert the auths array into an RB tree indexed by SKI. For fast lookups
the parent auth struct is stored as a pointer so walking up the certificate
chain remains simple. Doing this replaces a few slow lookups and speeds up
rpki-client by a factor of 2.
OK benno@


# 1.7 27-Nov-2019 benno

Only store ta certs in the trust store and build chains of the
intermediate certificates for use in X509_STORE_CTX_init(). To do that
save the X509 cert in struct cert.
claudio sees > 2x speed increase.

ok claudio@ and feedback from jsing@ and beck@.


# 1.6 18-Nov-2019 claudio

Add and fix some comments.
From kristaps@


Revision tags: OPENBSD_6_6_BASE
# 1.5 08-Oct-2019 claudio

Rewrite the output handling of rpki-client and add an option to dump the
data in JSON format. To make the JSON output the same as the output of the
RIPE rpki-validator the basename of the TAL had to be added and passed around
in rpki-client. Additinally the VRPs are now stored in an RB tree in the
main process instead of keeping them per ROA object. This changes the sort
order to be in network order and no longer just lexographical.
Agreed by job@ deraadt@


# 1.4 19-Jun-2019 deraadt

use $OpenBSD$ headers


# 1.3 19-Jun-2019 deraadt

indentation adjustments, in particular near warn statements
ok claudio


# 1.2 17-Jun-2019 deraadt

Don't do -portable in base. It is better done outside the tree.
Imagine if we did it throughout the tree, how many copies of strlcpy
would we have, and how much time would all the configure shell scripts
and includes take? It would be ludicrous.


# 1.1 17-Jun-2019 job

branches: 1.1.1;
Initial revision


# 1.30 19-Apr-2022 claudio

Adjust on how CRL and MFT files are verified.

Verify the CRL referenced from the mft against the mft's fileAndHash info.
If the CRL matches then load it and use it to validate this mft. If the
mft validated OK add the now also valid CRL to the auth store for later use.

Before the newest CRL was always selected but that has negative consequences
because it is common practice to revoke the previous MFT's EE cert and with
that the cache is turned useless as soon as a new CRL is used. Also there
was a possibility that the CRL used for validation of the MFT was not the
one later used.

Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part
of the validation process. We opted in favor of the chached MFT.

With and OK tb@


Revision tags: OPENBSD_7_1_BASE
# 1.29 04-Feb-2022 job

Fix outdated comment

Nowadays SKI/AKI validation happens in proc_parser_roa()


# 1.28 23-Jan-2022 tb

zap extra blank line


# 1.27 23-Jan-2022 claudio

Simplify valid_cert() and valid_roa() by passing in struct auth instead
of looking it up again. For this valid_roa() needs to be moved up in
proc_parser_roa() also move out the assignment of the TAL id. Not the
right thing to alter an object in a validation function.
OK tb@


# 1.26 22-Jan-2022 tb

Change valid_filename() ot return an enum rtype and rename it to
rtype_from_mftfile(). Move both rtype_from functions to mft.c.

ok beck claudio


# 1.25 21-Jan-2022 tb

Add function to determine the file type from the file name extension

rpki-client uses the same idiom to determine the file type in too many
places. Use one function that determines the appropriate RTYPE from the
file name. Add that type to struct mftfile and use this new member to
simplify queue_add_from_mft*().

input/ok claudio


# 1.24 13-Jan-2022 claudio

Alter valid_filehash() to take a file descriptor instead of a path.
This is needed so that callers can allow a file to be in multiple
locations. Also move mft_check() from mft.c to parser.c.
OK tb@


# 1.23 26-Dec-2021 tb

fix spelling of inheritance


# 1.22 04-Nov-2021 claudio

Instead of passing tal descriptions around just pass a tal id and
use a small lookup table to print the description in the output path.
OK tb@


# 1.21 01-Nov-2021 claudio

Cleanup struct auth a bit. The tal description is also stored in the cert
and the filename is only used in tracewarn which is not that helpful.
OK tb@


# 1.20 29-Oct-2021 claudio

Ensure that RRDP snapshot and delta files are fetched from the same host
as the notification file.
OK tb@ job@


# 1.19 27-Oct-2021 beck

Add limits on size of certain untrusted inputs

ok job@


# 1.18 27-Oct-2021 job

Limit length on URIs

OK beck@


# 1.17 24-Oct-2021 job

Restrict the characterset for filenames on Manifests

feedback from benno@

OK claudio@


# 1.16 11-Oct-2021 job

Add support for BGPsec Router Certificates (RFC 8209)

BGPsec router keys are extracted from RPKI certificates and
emitted via the JSON output in base64 encoded form.

OK tb@ claudio@


Revision tags: OPENBSD_7_0_BASE
# 1.15 16-Aug-2021 jsg

branches: 1.15.4;
add missing break
ok claudio@


# 1.14 19-Apr-2021 deraadt

code review results in KNF, and moving local variables into lowest scope
ok claudio


Revision tags: OPENBSD_6_9_BASE
# 1.13 05-Mar-2021 claudio

branches: 1.13.2;
Factor out the URI check we do in various places into valid_uri().
RRDP will add a bunch more checks so this makes even more sense.
With and OK tb@


# 1.12 05-Mar-2021 claudio

Factor out the SHA256 hash checks into valid_filehash() so that it can
be used by the RRDP code as well.
OK tb@


Revision tags: OPENBSD_6_8_BASE
# 1.11 12-Sep-2020 claudio

Include openssl/x509.h in extern.h since it uses a few of the typedefs from
there in structs and prototypes. Remove the openssl/ssl.h and other strange
openssl includes in the .c files that don't use openssl specific functions.
OK beck@ and tb@


Revision tags: OPENBSD_6_7_BASE
# 1.10 29-Nov-2019 benno

e2k19 - above par
s/EXIT_FAILURE/1/
ok claudio@


# 1.9 29-Nov-2019 claudio

valid_as() should be as strict as valid_ip() when it comes to not-covered
blocks. No longer bubble up the chain in the hope that something is covered.
If this causes issues people need to fix the repository where it causes
errors.


# 1.8 28-Nov-2019 claudio

Convert the auths array into an RB tree indexed by SKI. For fast lookups
the parent auth struct is stored as a pointer so walking up the certificate
chain remains simple. Doing this replaces a few slow lookups and speeds up
rpki-client by a factor of 2.
OK benno@


# 1.7 27-Nov-2019 benno

Only store ta certs in the trust store and build chains of the
intermediate certificates for use in X509_STORE_CTX_init(). To do that
save the X509 cert in struct cert.
claudio sees > 2x speed increase.

ok claudio@ and feedback from jsing@ and beck@.


# 1.6 18-Nov-2019 claudio

Add and fix some comments.
From kristaps@


Revision tags: OPENBSD_6_6_BASE
# 1.5 08-Oct-2019 claudio

Rewrite the output handling of rpki-client and add an option to dump the
data in JSON format. To make the JSON output the same as the output of the
RIPE rpki-validator the basename of the TAL had to be added and passed around
in rpki-client. Additinally the VRPs are now stored in an RB tree in the
main process instead of keeping them per ROA object. This changes the sort
order to be in network order and no longer just lexographical.
Agreed by job@ deraadt@


# 1.4 19-Jun-2019 deraadt

use $OpenBSD$ headers


# 1.3 19-Jun-2019 deraadt

indentation adjustments, in particular near warn statements
ok claudio


# 1.2 17-Jun-2019 deraadt

Don't do -portable in base. It is better done outside the tree.
Imagine if we did it throughout the tree, how many copies of strlcpy
would we have, and how much time would all the configure shell scripts
and includes take? It would be ludicrous.


# 1.1 17-Jun-2019 job

branches: 1.1.1;
Initial revision


# 1.29 04-Feb-2022 job

Fix outdated comment

Nowadays SKI/AKI validation happens in proc_parser_roa()


# 1.28 23-Jan-2022 tb

zap extra blank line


# 1.27 23-Jan-2022 claudio

Simplify valid_cert() and valid_roa() by passing in struct auth instead
of looking it up again. For this valid_roa() needs to be moved up in
proc_parser_roa() also move out the assignment of the TAL id. Not the
right thing to alter an object in a validation function.
OK tb@


# 1.26 22-Jan-2022 tb

Change valid_filename() ot return an enum rtype and rename it to
rtype_from_mftfile(). Move both rtype_from functions to mft.c.

ok beck claudio


# 1.25 21-Jan-2022 tb

Add function to determine the file type from the file name extension

rpki-client uses the same idiom to determine the file type in too many
places. Use one function that determines the appropriate RTYPE from the
file name. Add that type to struct mftfile and use this new member to
simplify queue_add_from_mft*().

input/ok claudio


# 1.24 13-Jan-2022 claudio

Alter valid_filehash() to take a file descriptor instead of a path.
This is needed so that callers can allow a file to be in multiple
locations. Also move mft_check() from mft.c to parser.c.
OK tb@


# 1.23 26-Dec-2021 tb

fix spelling of inheritance


# 1.22 04-Nov-2021 claudio

Instead of passing tal descriptions around just pass a tal id and
use a small lookup table to print the description in the output path.
OK tb@


# 1.21 01-Nov-2021 claudio

Cleanup struct auth a bit. The tal description is also stored in the cert
and the filename is only used in tracewarn which is not that helpful.
OK tb@


# 1.20 29-Oct-2021 claudio

Ensure that RRDP snapshot and delta files are fetched from the same host
as the notification file.
OK tb@ job@


# 1.19 27-Oct-2021 beck

Add limits on size of certain untrusted inputs

ok job@


# 1.18 27-Oct-2021 job

Limit length on URIs

OK beck@


# 1.17 24-Oct-2021 job

Restrict the characterset for filenames on Manifests

feedback from benno@

OK claudio@


# 1.16 11-Oct-2021 job

Add support for BGPsec Router Certificates (RFC 8209)

BGPsec router keys are extracted from RPKI certificates and
emitted via the JSON output in base64 encoded form.

OK tb@ claudio@


Revision tags: OPENBSD_7_0_BASE
# 1.15 16-Aug-2021 jsg

branches: 1.15.4;
add missing break
ok claudio@


# 1.14 19-Apr-2021 deraadt

code review results in KNF, and moving local variables into lowest scope
ok claudio


Revision tags: OPENBSD_6_9_BASE
# 1.13 05-Mar-2021 claudio

branches: 1.13.2;
Factor out the URI check we do in various places into valid_uri().
RRDP will add a bunch more checks so this makes even more sense.
With and OK tb@


# 1.12 05-Mar-2021 claudio

Factor out the SHA256 hash checks into valid_filehash() so that it can
be used by the RRDP code as well.
OK tb@


Revision tags: OPENBSD_6_8_BASE
# 1.11 12-Sep-2020 claudio

Include openssl/x509.h in extern.h since it uses a few of the typedefs from
there in structs and prototypes. Remove the openssl/ssl.h and other strange
openssl includes in the .c files that don't use openssl specific functions.
OK beck@ and tb@


Revision tags: OPENBSD_6_7_BASE
# 1.10 29-Nov-2019 benno

e2k19 - above par
s/EXIT_FAILURE/1/
ok claudio@


# 1.9 29-Nov-2019 claudio

valid_as() should be as strict as valid_ip() when it comes to not-covered
blocks. No longer bubble up the chain in the hope that something is covered.
If this causes issues people need to fix the repository where it causes
errors.


# 1.8 28-Nov-2019 claudio

Convert the auths array into an RB tree indexed by SKI. For fast lookups
the parent auth struct is stored as a pointer so walking up the certificate
chain remains simple. Doing this replaces a few slow lookups and speeds up
rpki-client by a factor of 2.
OK benno@


# 1.7 27-Nov-2019 benno

Only store ta certs in the trust store and build chains of the
intermediate certificates for use in X509_STORE_CTX_init(). To do that
save the X509 cert in struct cert.
claudio sees > 2x speed increase.

ok claudio@ and feedback from jsing@ and beck@.


# 1.6 18-Nov-2019 claudio

Add and fix some comments.
From kristaps@


Revision tags: OPENBSD_6_6_BASE
# 1.5 08-Oct-2019 claudio

Rewrite the output handling of rpki-client and add an option to dump the
data in JSON format. To make the JSON output the same as the output of the
RIPE rpki-validator the basename of the TAL had to be added and passed around
in rpki-client. Additinally the VRPs are now stored in an RB tree in the
main process instead of keeping them per ROA object. This changes the sort
order to be in network order and no longer just lexographical.
Agreed by job@ deraadt@


# 1.4 19-Jun-2019 deraadt

use $OpenBSD$ headers


# 1.3 19-Jun-2019 deraadt

indentation adjustments, in particular near warn statements
ok claudio


# 1.2 17-Jun-2019 deraadt

Don't do -portable in base. It is better done outside the tree.
Imagine if we did it throughout the tree, how many copies of strlcpy
would we have, and how much time would all the configure shell scripts
and includes take? It would be ludicrous.


# 1.1 17-Jun-2019 job

branches: 1.1.1;
Initial revision


# 1.28 23-Jan-2022 tb

zap extra blank line


# 1.27 23-Jan-2022 claudio

Simplify valid_cert() and valid_roa() by passing in struct auth instead
of looking it up again. For this valid_roa() needs to be moved up in
proc_parser_roa() also move out the assignment of the TAL id. Not the
right thing to alter an object in a validation function.
OK tb@


# 1.26 22-Jan-2022 tb

Change valid_filename() ot return an enum rtype and rename it to
rtype_from_mftfile(). Move both rtype_from functions to mft.c.

ok beck claudio


# 1.25 21-Jan-2022 tb

Add function to determine the file type from the file name extension

rpki-client uses the same idiom to determine the file type in too many
places. Use one function that determines the appropriate RTYPE from the
file name. Add that type to struct mftfile and use this new member to
simplify queue_add_from_mft*().

input/ok claudio


# 1.24 13-Jan-2022 claudio

Alter valid_filehash() to take a file descriptor instead of a path.
This is needed so that callers can allow a file to be in multiple
locations. Also move mft_check() from mft.c to parser.c.
OK tb@


# 1.23 26-Dec-2021 tb

fix spelling of inheritance


# 1.22 04-Nov-2021 claudio

Instead of passing tal descriptions around just pass a tal id and
use a small lookup table to print the description in the output path.
OK tb@


# 1.21 01-Nov-2021 claudio

Cleanup struct auth a bit. The tal description is also stored in the cert
and the filename is only used in tracewarn which is not that helpful.
OK tb@


# 1.20 29-Oct-2021 claudio

Ensure that RRDP snapshot and delta files are fetched from the same host
as the notification file.
OK tb@ job@


# 1.19 27-Oct-2021 beck

Add limits on size of certain untrusted inputs

ok job@


# 1.18 27-Oct-2021 job

Limit length on URIs

OK beck@


# 1.17 24-Oct-2021 job

Restrict the characterset for filenames on Manifests

feedback from benno@

OK claudio@


# 1.16 11-Oct-2021 job

Add support for BGPsec Router Certificates (RFC 8209)

BGPsec router keys are extracted from RPKI certificates and
emitted via the JSON output in base64 encoded form.

OK tb@ claudio@


Revision tags: OPENBSD_7_0_BASE
# 1.15 16-Aug-2021 jsg

branches: 1.15.4;
add missing break
ok claudio@


# 1.14 19-Apr-2021 deraadt

code review results in KNF, and moving local variables into lowest scope
ok claudio


Revision tags: OPENBSD_6_9_BASE
# 1.13 05-Mar-2021 claudio

branches: 1.13.2;
Factor out the URI check we do in various places into valid_uri().
RRDP will add a bunch more checks so this makes even more sense.
With and OK tb@


# 1.12 05-Mar-2021 claudio

Factor out the SHA256 hash checks into valid_filehash() so that it can
be used by the RRDP code as well.
OK tb@


Revision tags: OPENBSD_6_8_BASE
# 1.11 12-Sep-2020 claudio

Include openssl/x509.h in extern.h since it uses a few of the typedefs from
there in structs and prototypes. Remove the openssl/ssl.h and other strange
openssl includes in the .c files that don't use openssl specific functions.
OK beck@ and tb@


Revision tags: OPENBSD_6_7_BASE
# 1.10 29-Nov-2019 benno

e2k19 - above par
s/EXIT_FAILURE/1/
ok claudio@


# 1.9 29-Nov-2019 claudio

valid_as() should be as strict as valid_ip() when it comes to not-covered
blocks. No longer bubble up the chain in the hope that something is covered.
If this causes issues people need to fix the repository where it causes
errors.


# 1.8 28-Nov-2019 claudio

Convert the auths array into an RB tree indexed by SKI. For fast lookups
the parent auth struct is stored as a pointer so walking up the certificate
chain remains simple. Doing this replaces a few slow lookups and speeds up
rpki-client by a factor of 2.
OK benno@


# 1.7 27-Nov-2019 benno

Only store ta certs in the trust store and build chains of the
intermediate certificates for use in X509_STORE_CTX_init(). To do that
save the X509 cert in struct cert.
claudio sees > 2x speed increase.

ok claudio@ and feedback from jsing@ and beck@.


# 1.6 18-Nov-2019 claudio

Add and fix some comments.
From kristaps@


Revision tags: OPENBSD_6_6_BASE
# 1.5 08-Oct-2019 claudio

Rewrite the output handling of rpki-client and add an option to dump the
data in JSON format. To make the JSON output the same as the output of the
RIPE rpki-validator the basename of the TAL had to be added and passed around
in rpki-client. Additinally the VRPs are now stored in an RB tree in the
main process instead of keeping them per ROA object. This changes the sort
order to be in network order and no longer just lexographical.
Agreed by job@ deraadt@


# 1.4 19-Jun-2019 deraadt

use $OpenBSD$ headers


# 1.3 19-Jun-2019 deraadt

indentation adjustments, in particular near warn statements
ok claudio


# 1.2 17-Jun-2019 deraadt

Don't do -portable in base. It is better done outside the tree.
Imagine if we did it throughout the tree, how many copies of strlcpy
would we have, and how much time would all the configure shell scripts
and includes take? It would be ludicrous.


# 1.1 17-Jun-2019 job

branches: 1.1.1;
Initial revision


# 1.26 22-Jan-2022 tb

Change valid_filename() ot return an enum rtype and rename it to
rtype_from_mftfile(). Move both rtype_from functions to mft.c.

ok beck claudio


# 1.25 21-Jan-2022 tb

Add function to determine the file type from the file name extension

rpki-client uses the same idiom to determine the file type in too many
places. Use one function that determines the appropriate RTYPE from the
file name. Add that type to struct mftfile and use this new member to
simplify queue_add_from_mft*().

input/ok claudio


# 1.24 13-Jan-2022 claudio

Alter valid_filehash() to take a file descriptor instead of a path.
This is needed so that callers can allow a file to be in multiple
locations. Also move mft_check() from mft.c to parser.c.
OK tb@


# 1.23 26-Dec-2021 tb

fix spelling of inheritance


# 1.22 04-Nov-2021 claudio

Instead of passing tal descriptions around just pass a tal id and
use a small lookup table to print the description in the output path.
OK tb@


# 1.21 01-Nov-2021 claudio

Cleanup struct auth a bit. The tal description is also stored in the cert
and the filename is only used in tracewarn which is not that helpful.
OK tb@


# 1.20 29-Oct-2021 claudio

Ensure that RRDP snapshot and delta files are fetched from the same host
as the notification file.
OK tb@ job@


# 1.19 27-Oct-2021 beck

Add limits on size of certain untrusted inputs

ok job@


# 1.18 27-Oct-2021 job

Limit length on URIs

OK beck@


# 1.17 24-Oct-2021 job

Restrict the characterset for filenames on Manifests

feedback from benno@

OK claudio@


# 1.16 11-Oct-2021 job

Add support for BGPsec Router Certificates (RFC 8209)

BGPsec router keys are extracted from RPKI certificates and
emitted via the JSON output in base64 encoded form.

OK tb@ claudio@


Revision tags: OPENBSD_7_0_BASE
# 1.15 16-Aug-2021 jsg

branches: 1.15.4;
add missing break
ok claudio@


# 1.14 19-Apr-2021 deraadt

code review results in KNF, and moving local variables into lowest scope
ok claudio


Revision tags: OPENBSD_6_9_BASE
# 1.13 05-Mar-2021 claudio

branches: 1.13.2;
Factor out the URI check we do in various places into valid_uri().
RRDP will add a bunch more checks so this makes even more sense.
With and OK tb@


# 1.12 05-Mar-2021 claudio

Factor out the SHA256 hash checks into valid_filehash() so that it can
be used by the RRDP code as well.
OK tb@


Revision tags: OPENBSD_6_8_BASE
# 1.11 12-Sep-2020 claudio

Include openssl/x509.h in extern.h since it uses a few of the typedefs from
there in structs and prototypes. Remove the openssl/ssl.h and other strange
openssl includes in the .c files that don't use openssl specific functions.
OK beck@ and tb@


Revision tags: OPENBSD_6_7_BASE
# 1.10 29-Nov-2019 benno

e2k19 - above par
s/EXIT_FAILURE/1/
ok claudio@


# 1.9 29-Nov-2019 claudio

valid_as() should be as strict as valid_ip() when it comes to not-covered
blocks. No longer bubble up the chain in the hope that something is covered.
If this causes issues people need to fix the repository where it causes
errors.


# 1.8 28-Nov-2019 claudio

Convert the auths array into an RB tree indexed by SKI. For fast lookups
the parent auth struct is stored as a pointer so walking up the certificate
chain remains simple. Doing this replaces a few slow lookups and speeds up
rpki-client by a factor of 2.
OK benno@


# 1.7 27-Nov-2019 benno

Only store ta certs in the trust store and build chains of the
intermediate certificates for use in X509_STORE_CTX_init(). To do that
save the X509 cert in struct cert.
claudio sees > 2x speed increase.

ok claudio@ and feedback from jsing@ and beck@.


# 1.6 18-Nov-2019 claudio

Add and fix some comments.
From kristaps@


Revision tags: OPENBSD_6_6_BASE
# 1.5 08-Oct-2019 claudio

Rewrite the output handling of rpki-client and add an option to dump the
data in JSON format. To make the JSON output the same as the output of the
RIPE rpki-validator the basename of the TAL had to be added and passed around
in rpki-client. Additinally the VRPs are now stored in an RB tree in the
main process instead of keeping them per ROA object. This changes the sort
order to be in network order and no longer just lexographical.
Agreed by job@ deraadt@


# 1.4 19-Jun-2019 deraadt

use $OpenBSD$ headers


# 1.3 19-Jun-2019 deraadt

indentation adjustments, in particular near warn statements
ok claudio


# 1.2 17-Jun-2019 deraadt

Don't do -portable in base. It is better done outside the tree.
Imagine if we did it throughout the tree, how many copies of strlcpy
would we have, and how much time would all the configure shell scripts
and includes take? It would be ludicrous.


# 1.1 17-Jun-2019 job

branches: 1.1.1;
Initial revision


# 1.24 13-Jan-2022 claudio

Alter valid_filehash() to take a file descriptor instead of a path.
This is needed so that callers can allow a file to be in multiple
locations. Also move mft_check() from mft.c to parser.c.
OK tb@


# 1.23 26-Dec-2021 tb

fix spelling of inheritance


# 1.22 04-Nov-2021 claudio

Instead of passing tal descriptions around just pass a tal id and
use a small lookup table to print the description in the output path.
OK tb@


# 1.21 01-Nov-2021 claudio

Cleanup struct auth a bit. The tal description is also stored in the cert
and the filename is only used in tracewarn which is not that helpful.
OK tb@


# 1.20 29-Oct-2021 claudio

Ensure that RRDP snapshot and delta files are fetched from the same host
as the notification file.
OK tb@ job@


# 1.19 27-Oct-2021 beck

Add limits on size of certain untrusted inputs

ok job@


# 1.18 27-Oct-2021 job

Limit length on URIs

OK beck@


# 1.17 24-Oct-2021 job

Restrict the characterset for filenames on Manifests

feedback from benno@

OK claudio@


# 1.16 11-Oct-2021 job

Add support for BGPsec Router Certificates (RFC 8209)

BGPsec router keys are extracted from RPKI certificates and
emitted via the JSON output in base64 encoded form.

OK tb@ claudio@


Revision tags: OPENBSD_7_0_BASE
# 1.15 16-Aug-2021 jsg

branches: 1.15.4;
add missing break
ok claudio@


# 1.14 19-Apr-2021 deraadt

code review results in KNF, and moving local variables into lowest scope
ok claudio


Revision tags: OPENBSD_6_9_BASE
# 1.13 05-Mar-2021 claudio

branches: 1.13.2;
Factor out the URI check we do in various places into valid_uri().
RRDP will add a bunch more checks so this makes even more sense.
With and OK tb@


# 1.12 05-Mar-2021 claudio

Factor out the SHA256 hash checks into valid_filehash() so that it can
be used by the RRDP code as well.
OK tb@


Revision tags: OPENBSD_6_8_BASE
# 1.11 12-Sep-2020 claudio

Include openssl/x509.h in extern.h since it uses a few of the typedefs from
there in structs and prototypes. Remove the openssl/ssl.h and other strange
openssl includes in the .c files that don't use openssl specific functions.
OK beck@ and tb@


Revision tags: OPENBSD_6_7_BASE
# 1.10 29-Nov-2019 benno

e2k19 - above par
s/EXIT_FAILURE/1/
ok claudio@


# 1.9 29-Nov-2019 claudio

valid_as() should be as strict as valid_ip() when it comes to not-covered
blocks. No longer bubble up the chain in the hope that something is covered.
If this causes issues people need to fix the repository where it causes
errors.


# 1.8 28-Nov-2019 claudio

Convert the auths array into an RB tree indexed by SKI. For fast lookups
the parent auth struct is stored as a pointer so walking up the certificate
chain remains simple. Doing this replaces a few slow lookups and speeds up
rpki-client by a factor of 2.
OK benno@


# 1.7 27-Nov-2019 benno

Only store ta certs in the trust store and build chains of the
intermediate certificates for use in X509_STORE_CTX_init(). To do that
save the X509 cert in struct cert.
claudio sees > 2x speed increase.

ok claudio@ and feedback from jsing@ and beck@.


# 1.6 18-Nov-2019 claudio

Add and fix some comments.
From kristaps@


Revision tags: OPENBSD_6_6_BASE
# 1.5 08-Oct-2019 claudio

Rewrite the output handling of rpki-client and add an option to dump the
data in JSON format. To make the JSON output the same as the output of the
RIPE rpki-validator the basename of the TAL had to be added and passed around
in rpki-client. Additinally the VRPs are now stored in an RB tree in the
main process instead of keeping them per ROA object. This changes the sort
order to be in network order and no longer just lexographical.
Agreed by job@ deraadt@


# 1.4 19-Jun-2019 deraadt

use $OpenBSD$ headers


# 1.3 19-Jun-2019 deraadt

indentation adjustments, in particular near warn statements
ok claudio


# 1.2 17-Jun-2019 deraadt

Don't do -portable in base. It is better done outside the tree.
Imagine if we did it throughout the tree, how many copies of strlcpy
would we have, and how much time would all the configure shell scripts
and includes take? It would be ludicrous.


# 1.1 17-Jun-2019 job

branches: 1.1.1;
Initial revision


# 1.23 26-Dec-2021 tb

fix spelling of inheritance


# 1.22 04-Nov-2021 claudio

Instead of passing tal descriptions around just pass a tal id and
use a small lookup table to print the description in the output path.
OK tb@


# 1.21 01-Nov-2021 claudio

Cleanup struct auth a bit. The tal description is also stored in the cert
and the filename is only used in tracewarn which is not that helpful.
OK tb@


# 1.20 29-Oct-2021 claudio

Ensure that RRDP snapshot and delta files are fetched from the same host
as the notification file.
OK tb@ job@


# 1.19 27-Oct-2021 beck

Add limits on size of certain untrusted inputs

ok job@


# 1.18 27-Oct-2021 job

Limit length on URIs

OK beck@


# 1.17 24-Oct-2021 job

Restrict the characterset for filenames on Manifests

feedback from benno@

OK claudio@


# 1.16 11-Oct-2021 job

Add support for BGPsec Router Certificates (RFC 8209)

BGPsec router keys are extracted from RPKI certificates and
emitted via the JSON output in base64 encoded form.

OK tb@ claudio@


Revision tags: OPENBSD_7_0_BASE
# 1.15 16-Aug-2021 jsg

branches: 1.15.4;
add missing break
ok claudio@


# 1.14 19-Apr-2021 deraadt

code review results in KNF, and moving local variables into lowest scope
ok claudio


Revision tags: OPENBSD_6_9_BASE
# 1.13 05-Mar-2021 claudio

branches: 1.13.2;
Factor out the URI check we do in various places into valid_uri().
RRDP will add a bunch more checks so this makes even more sense.
With and OK tb@


# 1.12 05-Mar-2021 claudio

Factor out the SHA256 hash checks into valid_filehash() so that it can
be used by the RRDP code as well.
OK tb@


Revision tags: OPENBSD_6_8_BASE
# 1.11 12-Sep-2020 claudio

Include openssl/x509.h in extern.h since it uses a few of the typedefs from
there in structs and prototypes. Remove the openssl/ssl.h and other strange
openssl includes in the .c files that don't use openssl specific functions.
OK beck@ and tb@


Revision tags: OPENBSD_6_7_BASE
# 1.10 29-Nov-2019 benno

e2k19 - above par
s/EXIT_FAILURE/1/
ok claudio@


# 1.9 29-Nov-2019 claudio

valid_as() should be as strict as valid_ip() when it comes to not-covered
blocks. No longer bubble up the chain in the hope that something is covered.
If this causes issues people need to fix the repository where it causes
errors.
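
The resource check described above, as an added example. This is illustrative
C written for this page, not rpki-client's valid_as() or its data structures:
the strict version only consults the nearest issuer that actually carries AS
resources, following the RFC 3779 inherit marker and nothing else, and is shown
beside the lax version that keeps walking up the chain. The struct layout and
the sample chain of documentation ASNs are constructed for the example; the
same rule applies to IP prefixes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of a CA certificate's AS resources (assumed layout). */
struct as_range {
	uint32_t min, max;	/* inclusive, normalized: no overlap, no adjacency */
};

struct ca {
	const struct ca		*issuer;	/* NULL for the trust anchor */
	bool			 as_inherit;	/* RFC 3779 "inherit": resources are the issuer's */
	const struct as_range	*as;
	size_t			 nas;
};

/* Does a single range of c cover [min,max]? */
static bool
ranges_cover(const struct ca *c, uint32_t min, uint32_t max)
{
	size_t i;

	for (i = 0; i < c->nas; i++)
		if (c->as[i].min <= min && max <= c->as[i].max)
			return true;
	return false;
}

/*
 * Strict check: [min,max] must be covered by the nearest issuer that
 * actually carries AS resources. Only the inherit marker moves the lookup up
 * the chain; an uncovered range is never rescued by a grandparent.
 */
bool
as_covered(const struct ca *issuer, uint32_t min, uint32_t max)
{
	const struct ca *c = issuer;

	if (min > max)
		return false;
	while (c != NULL && c->as_inherit)
		c = c->issuer;
	if (c == NULL)
		return false;
	return ranges_cover(c, min, max);
}

/*
 * Lax check (the behaviour the entry above removes): keep walking up until
 * some ancestor covers the range. This lets a CA vouch for resources its own
 * certificate was never delegated, as long as the TA holds them.
 */
bool
as_covered_lax(const struct ca *issuer, uint32_t min, uint32_t max)
{
	const struct ca *c;

	if (min > max)
		return false;
	for (c = issuer; c != NULL; c = c->issuer)
		if (!c->as_inherit && ranges_cover(c, min, max))
			return true;
	return false;
}

/* Constructed sample chain: TA holds 64496-64511 (RFC 5398 documentation
 * ASNs), CA1 was delegated only 64496-64500, CA2 inherits from CA1. */
static const struct as_range ta_as[]  = { { 64496, 64511 } };
static const struct as_range ca1_as[] = { { 64496, 64500 } };
static const struct ca ta  = { NULL, false, ta_as,  1 };
static const struct ca ca1 = { &ta,  false, ca1_as, 1 };
static const struct ca ca2 = { &ca1, true,  NULL,   0 };

int
main(void)
{
	/* An object under CA1 asserting AS64505: held by the TA, never delegated to CA1. */
	printf("strict, AS64505 under CA1: %s\n", as_covered(&ca1, 64505, 64505) ? "accept" : "reject");
	printf("lax,    AS64505 under CA1: %s\n", as_covered_lax(&ca1, 64505, 64505) ? "accept" : "reject");
	printf("strict, AS64498 under CA2 (inherit): %s\n", as_covered(&ca2, 64498, 64498) ? "accept" : "reject");
	return 0;
}
```

The practical consequence is the one the entry states: a CA whose certificate
lists too few resources can no longer have its children validated on the
strength of the TA's wider allocation, so the fix has to happen in the
repository, not in the validator.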


# 1.8 28-Nov-2019 claudio

Convert the auths array into an RB tree indexed by SKI. For fast lookups
the parent auth struct is stored as a pointer so walking up the certificate
chain remains simple. Doing this replaces a few slow lookups and speeds up
rpki-client by a factor of 2.
OK benno@


# 1.7 27-Nov-2019 benno

Only store ta certs in the trust store and build chains of the
intermediate certificates for use in X509_STORE_CTX_init(). To do that
save the X509 cert in struct cert.
claudio sees > 2x speed increase.

ok claudio@ and feedback from jsing@ and beck@.


# 1.6 18-Nov-2019 claudio

Add and fix some comments.
From kristaps@



# 1.9 29-Nov-2019 claudio

valid_as() should be as strict as valid_ip() when it comes to not-covered
blocks. No longer bubble up the chain in the hope that something is covered.
If this causes issues people need to fix the repository where it causes
errors.


# 1.8 28-Nov-2019 claudio

Convert the auths array into an RB tree indexed by SKI. For fast lookups
the parent auth struct is stored as a pointer so walking up the certificate
chain remains simple. Doing this replaces a few slow lookups and speeds up
rpki-client by a factor of 2.
OK benno@


# 1.7 27-Nov-2019 benno

Only store ta certs in the trust store and build chains of the
intermediate certificates for use in X509_STORE_CTX_init(). To do that
save the X509 cert in struct cert.
claudio sees > 2x speed increase.

ok claudio@ and feedback from jsing@ and beck@.


# 1.6 18-Nov-2019 claudio

Add and fix some comments.
From kristaps@


Revision tags: OPENBSD_6_6_BASE
# 1.5 08-Oct-2019 claudio

Rewrite the output handling of rpki-client and add an option to dump the
data in JSON format. To make the JSON output the same as the output of the
RIPE rpki-validator the basename of the TAL had to be added and passed around
in rpki-client. Additinally the VRPs are now stored in an RB tree in the
main process instead of keeping them per ROA object. This changes the sort
order to be in network order and no longer just lexographical.
Agreed by job@ deraadt@


# 1.4 19-Jun-2019 deraadt

use $OpenBSD$ headers


# 1.3 19-Jun-2019 deraadt

indentation adjustments, in particular near warn statements
ok claudio


# 1.2 17-Jun-2019 deraadt

Don't do -portable in base. It is better done outside the tree.
Imagine if we did it throughout the tree, how many copies of strlcpy
would we have, and how much time would all the configure shell scripts
and includes take? It would be ludicrous.


# 1.1 17-Jun-2019 job

branches: 1.1.1;
Initial revision


# 1.7 27-Nov-2019 benno

Only store ta certs in the trust store and build chains of the
intermediate certificates for use in X509_STORE_CTX_init(). To do that
save the X509 cert in struct cert.
claudio sees > 2x speed increase.

ok claudio@ and feedback from jsing@ and beck@.


# 1.6 18-Nov-2019 claudio

Add and fix some comments.
From kristaps@


Revision tags: OPENBSD_6_6_BASE
# 1.5 08-Oct-2019 claudio

Rewrite the output handling of rpki-client and add an option to dump the
data in JSON format. To make the JSON output the same as the output of the
RIPE rpki-validator the basename of the TAL had to be added and passed around
in rpki-client. Additinally the VRPs are now stored in an RB tree in the
main process instead of keeping them per ROA object. This changes the sort
order to be in network order and no longer just lexographical.
Agreed by job@ deraadt@


# 1.4 19-Jun-2019 deraadt

use $OpenBSD$ headers


# 1.3 19-Jun-2019 deraadt

indentation adjustments, in particular near warn statements
ok claudio


# 1.2 17-Jun-2019 deraadt

Don't do -portable in base. It is better done outside the tree.
Imagine if we did it throughout the tree, how many copies of strlcpy
would we have, and how much time would all the configure shell scripts
and includes take? It would be ludicrous.


# 1.1 17-Jun-2019 job

branches: 1.1.1;
Initial revision


# 1.6 18-Nov-2019 claudio

Add and fix some comments.
From kristaps@


Revision tags: OPENBSD_6_6_BASE
# 1.5 08-Oct-2019 claudio

Rewrite the output handling of rpki-client and add an option to dump the
data in JSON format. To make the JSON output the same as the output of the
RIPE rpki-validator the basename of the TAL had to be added and passed around
in rpki-client. Additinally the VRPs are now stored in an RB tree in the
main process instead of keeping them per ROA object. This changes the sort
order to be in network order and no longer just lexographical.
Agreed by job@ deraadt@


# 1.4 19-Jun-2019 deraadt

use $OpenBSD$ headers


# 1.3 19-Jun-2019 deraadt

indentation adjustments, in particular near warn statements
ok claudio


# 1.2 17-Jun-2019 deraadt

Don't do -portable in base. It is better done outside the tree.
Imagine if we did it throughout the tree, how many copies of strlcpy
would we have, and how much time would all the configure shell scripts
and includes take? It would be ludicrous.


# 1.1 17-Jun-2019 job

branches: 1.1.1;
Initial revision


# 1.5 08-Oct-2019 claudio

Rewrite the output handling of rpki-client and add an option to dump the
data in JSON format. To make the JSON output the same as the output of the
RIPE rpki-validator the basename of the TAL had to be added and passed around
in rpki-client. Additinally the VRPs are now stored in an RB tree in the
main process instead of keeping them per ROA object. This changes the sort
order to be in network order and no longer just lexographical.
Agreed by job@ deraadt@


# 1.4 19-Jun-2019 deraadt

use $OpenBSD$ headers


# 1.3 19-Jun-2019 deraadt

indentation adjustments, in particular near warn statements
ok claudio


# 1.2 17-Jun-2019 deraadt

Don't do -portable in base. It is better done outside the tree.
Imagine if we did it throughout the tree, how many copies of strlcpy
would we have, and how much time would all the configure shell scripts
and includes take? It would be ludicrous.


# 1.1 17-Jun-2019 job

branches: 1.1.1;
Initial revision


# 1.4 19-Jun-2019 deraadt

use $OpenBSD$ headers


# 1.3 19-Jun-2019 deraadt

indentation adjustments, in particular near warn statements
ok claudio


# 1.2 17-Jun-2019 deraadt

Don't do -portable in base. It is better done outside the tree.
Imagine if we did it throughout the tree, how many copies of strlcpy
would we have, and how much time would all the configure shell scripts
and includes take? It would be ludicrous.


# 1.1 17-Jun-2019 job

branches: 1.1.1;
Initial revision