rpki-client: move cert_parse_ee_cert() to cms
Time to graduate from baby steps to slightly more serious business.
Lots of copy-paste in the past makes this diff a big one. This has
all grown into quite a tangle which I'm aiming to undo.
We currently parse the EE cert very late in every signed object handler
and we perform the actual cryptographic validation (via valid_x509())
even later. That's quite backwards and we need to fix that. I want to
avoid shortcuts, however, since that would create even more mess.
Make the CMS parsing function take a struct cert ** rather than an
X509 **. Also pass the talid. The point is: cert_parse_ee_cert() now
pulls all the information out of the X509 and ensures the presence of
required fields in the extensions, so we don't need to do that again
in the signed object handlers. Things become a bit simpler in CMS
since we can directly use the cert->notafter and ditch the up-ref dance.
In aspa_parse() and most other signed object parsers, we can do similar
things: pass in struct cert, copy AIA/AKI/SIA/SKI from the cert (that's
mostly for filemode and can be improved later on), copy validity, drop
cert_parse_ee_cert() and assign the out_cert in the success path.
gbr_parse() is nearly identical.
geofeed_parse() handles a detached object, hence is slightly special,
but really is mostly more of the same.
For mft_parse() there's an extra twist with the CRLDP, the handling of
which gets a bit simpler. Nothing special about roas, rscs have no SIA,
and spl and tak are again more of the same.
In parser.c the changes are straightforward with a shift from X509 to
struct cert.
filemode becomes a bit simpler since the signed object parsers now give
us the EE cert, so we don't need to parse that by hand anymore (which,
incidentally, moves a triple warning in -vf back to a single warning).
Similarly to mft_parse, we can use the EE cert's CRLDP to parse the
crl uri and we no longer need to deal with the X509 directly. The
printers still do, but that's something to address later on.
Once this is in we can remove a lot of the x509_* functions. There's
many more things that can be fixed on top. I tried to keep this one
reasonably small. I may have failed.
There's ~330 lines of boring regress diff to go along with this. I
left that out.
Index: cms.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/cms.c,v
diff -u -p -r1.52 cms.c
--- cms.c 11 Jul 2025 09:20:23 -0000 1.52
+++ cms.c 15 Jul 2025 17:46:54 -0000
@@ -15,6 +15,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
+#include <assert.h>
#include <err.h>
#include <stdint.h>
#include <stdlib.h>
@@ -88,10 +89,11 @@ cms_get_signtime(const char *fn, X509_AT
}
static int
-cms_parse_validate_internal(X509 **xp, const char *fn, const unsigned char *der,
- size_t len, const ASN1_OBJECT *oid, BIO *bio, unsigned char **res,
- size_t *rsz, time_t *signtime)
+cms_parse_validate_internal(struct cert **out_cert, const char *fn, int talid,
+ const unsigned char *der, size_t len, const ASN1_OBJECT *oid, BIO *bio,
+ unsigned char **res, size_t *rsz, time_t *signtime)
{
+ struct cert *cert = NULL;
const unsigned char *oder;
char buf[128], obuf[128];
const ASN1_OBJECT *obj, *octype;
@@ -105,10 +107,10 @@ cms_parse_validate_internal(X509 **xp, c
X509_ALGOR *pdig, *psig;
int i, nattrs, nid;
int has_ct = 0, has_md = 0, has_st = 0;
- time_t notafter;
int rc = 0;
- *xp = NULL;
+ assert(*out_cert == NULL);
+
if (rsz != NULL)
*rsz = 0;
*signtime = 0;
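Review bot: The `assert(*out_cert == NULL)` at the top replaces the unconditional `*xp = NULL`, so on failure `*out_cert` is now left exactly as the caller passed it rather than cleared, and a caller that hands in an uninitialized pointer and frees it on its error path reads indeterminate memory (with NDEBUG the assert does not even fire). Every parser in this diff initializes its local `cert = NULL` before the call, which is the contract this relies on; it is worth stating in the function comment, e.g. `/* *out_cert must be NULL on entry; it is set only on success and left untouched on failure. */`. The rest of cms_parse_validate_internal() lies outside this hunk.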
@@ -327,18 +329,12 @@ cms_parse_validate_internal(X509 **xp, c
"want 1 signer, have %d", fn, sk_X509_num(certs));
goto out;
}
- *xp = sk_X509_value(certs, 0);
- if (!X509_up_ref(*xp)) {
- *xp = NULL;
- goto out;
- }
- if (!x509_cache_extensions(*xp, fn))
+ cert = cert_parse_ee_cert(fn, talid, sk_X509_value(certs, 0));
+ if (cert == NULL)
goto out;
- if (!x509_get_notafter(*xp, fn, ¬after))
- goto out;
- if (*signtime > notafter)
+ if (*signtime > cert->notafter)
warnx("%s: dating issue: CMS signing-time after X.509 notAfter",
fn);
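Review bot: cert_parse_ee_cert() is handed `sk_X509_value(certs, 0)` without the X509_up_ref() the old code did, while `certs` is later released with sk_X509_free() and the owning CMS_ContentInfo_free(); this is only sound if cert_parse_ee_cert() takes its own reference to the X509 (the old handlers called both cert_free() and X509_free() on the same certificate, which suggests it does). A one-line comment above the call would make the ownership explicit for the next reader: `/* cert_parse_ee_cert() takes its own reference; certs is freed below. */`. The function continues beyond this hunk.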
@@ -347,7 +343,7 @@ cms_parse_validate_internal(X509 **xp, c
warnx("%s: RFC 6488: could not extract SKI from SID", fn);
goto out;
}
- if (CMS_SignerInfo_cert_cmp(si, *xp) != 0) {
+ if (CMS_SignerInfo_cert_cmp(si, cert->x509) != 0) {
warnx("%s: RFC 6488: wrong cert referenced by SignerInfo", fn);
goto out;
}
@@ -355,12 +351,12 @@ cms_parse_validate_internal(X509 **xp, c
if (!cms_extract_econtent(fn, cms, res, rsz))
goto out;
+ *out_cert = cert;
+ cert = NULL;
+
rc = 1;
out:
- if (rc == 0) {
- X509_free(*xp);
- *xp = NULL;
- }
+ cert_free(cert);
sk_X509_CRL_pop_free(crls, X509_CRL_free);
sk_X509_free(certs);
CMS_ContentInfo_free(cms);
@@ -374,13 +370,14 @@ cms_parse_validate_internal(X509 **xp, c
* Return the eContent as a string and set "rsz" to be its length.
*/
unsigned char *
-cms_parse_validate(X509 **xp, const char *fn, const unsigned char *der,
- size_t derlen, const ASN1_OBJECT *oid, size_t *rsz, time_t *st)
+cms_parse_validate(struct cert **out_cert, const char *fn, int talid,
+ const unsigned char *der, size_t derlen, const ASN1_OBJECT *oid,
+ size_t *rsz, time_t *st)
{
unsigned char *res = NULL;
- if (!cms_parse_validate_internal(xp, fn, der, derlen, oid, NULL, &res,
- rsz, st))
+ if (!cms_parse_validate_internal(out_cert, fn, talid, der, derlen, oid,
+ NULL, &res, rsz, st))
return NULL;
return res;
@@ -392,9 +389,10 @@ cms_parse_validate(X509 **xp, const char
* Return the 1 on success, 0 on failure.
*/
int
-cms_parse_validate_detached(X509 **xp, const char *fn, const unsigned char *der,
- size_t derlen, const ASN1_OBJECT *oid, BIO *bio, time_t *st)
+cms_parse_validate_detached(struct cert **out_cert, const char *fn, int talid,
+ const unsigned char *der, size_t derlen, const ASN1_OBJECT *oid, BIO *bio,
+ time_t *st)
{
- return cms_parse_validate_internal(xp, fn, der, derlen, oid, bio, NULL,
- NULL, st);
+ return cms_parse_validate_internal(out_cert, fn, talid, der, derlen,
+ oid, bio, NULL, NULL, st);
}
Index: aspa.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/aspa.c,v
diff -u -p -r1.32 aspa.c
--- aspa.c 13 Nov 2024 12:51:03 -0000 1.32
+++ aspa.c 17 Jul 2025 08:15:18 -0000
@@ -161,17 +161,19 @@ aspa_parse_econtent(const char *fn, stru
* Returns the payload or NULL if the file was malformed.
*/
struct aspa *
-aspa_parse(X509 **x509, const char *fn, int talid, const unsigned char *der,
- size_t len)
+aspa_parse(struct cert **out_cert, const char *fn, int talid,
+ const unsigned char *der, size_t len)
{
struct aspa *aspa;
+ struct cert *cert = NULL;
size_t cmsz;
unsigned char *cms;
- struct cert *cert = NULL;
time_t signtime = 0;
int rc = 0;
- cms = cms_parse_validate(x509, fn, der, len, aspa_oid, &cmsz,
+ assert(*out_cert == NULL);
+
+ cms = cms_parse_validate(&cert, fn, talid, der, len, aspa_oid, &cmsz,
&signtime);
if (cms == NULL)
return NULL;
@@ -181,32 +183,23 @@ aspa_parse(X509 **x509, const char *fn,
aspa->signtime = signtime;
- if (!x509_get_aia(*x509, fn, &aspa->aia))
- goto out;
- if (!x509_get_aki(*x509, fn, &aspa->aki))
- goto out;
- if (!x509_get_sia(*x509, fn, &aspa->sia))
- goto out;
- if (!x509_get_ski(*x509, fn, &aspa->ski))
- goto out;
+ aspa->aia = strdup(cert->aia);
+ aspa->aki = strdup(cert->aki);
+ aspa->sia = strdup(cert->signedobj);
+ aspa->ski = strdup(cert->ski);
if (aspa->aia == NULL || aspa->aki == NULL || aspa->sia == NULL ||
- aspa->ski == NULL) {
- warnx("%s: RFC 6487 section 4.8: "
- "missing AIA, AKI, SIA, or SKI X509 extension", fn);
- goto out;
- }
+ aspa->ski == NULL)
+ err(1, NULL);
+
+ aspa->notbefore = cert->notbefore;
+ aspa->notafter = cert->notafter;
- if (X509_get_ext_by_NID(*x509, NID_sbgp_ipAddrBlock, -1) != -1) {
+ if (cert->num_ips > 0) {
warnx("%s: superfluous IP Resources extension present", fn);
goto out;
}
- if (!x509_get_notbefore(*x509, fn, &aspa->notbefore))
- goto out;
- if (!x509_get_notafter(*x509, fn, &aspa->notafter))
- goto out;
-
- if (x509_any_inherits(*x509)) {
+ if (x509_any_inherits(cert->x509)) {
warnx("%s: inherit elements not allowed in EE cert", fn);
goto out;
}
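Review bot: `aspa->sia = strdup(cert->signedobj)` dereferences a NULL pointer if the EE cert carries no SIA signedObject, whereas the removed x509_get_sia() path rejected that with a warnx; the same pattern appears in gbr.c, mft.c, roa.c, spl.c and tak.c. The rsc.c and geofeed.c hunks state that EE certs for those profiles legitimately have no SIA, so unless cert_parse_ee_cert() rejects a missing signedObject for every EE cert (which it cannot do if those profiles still pass), an explicit guard belongs before the strdup: `if (cert->signedobj == NULL) { warnx("%s: RFC 6487 section 4.8.8: missing SIA signedObject", fn); goto out; }`. Separately, `cert->num_ips > 0` only matches the old extension-presence test if cert_parse_ee_cert() rejects an IP Resources extension with no entries; worth confirming. aspa_parse() continues past this hunk.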
@@ -214,18 +207,16 @@ aspa_parse(X509 **x509, const char *fn,
if (!aspa_parse_econtent(fn, aspa, cms, cmsz))
goto out;
- if ((cert = cert_parse_ee_cert(fn, talid, *x509)) == NULL)
- goto out;
-
aspa->valid = valid_aspa(fn, cert, aspa);
+ *out_cert = cert;
+ cert = NULL;
+
rc = 1;
out:
if (rc == 0) {
aspa_free(aspa);
aspa = NULL;
- X509_free(*x509);
- *x509 = NULL;
}
cert_free(cert);
free(cms);
Index: gbr.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/gbr.c,v
diff -u -p -r1.32 gbr.c
--- gbr.c 12 Jun 2025 16:59:48 -0000 1.32
+++ gbr.c 17 Jul 2025 08:15:29 -0000
@@ -15,6 +15,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
+#include <assert.h>
#include <err.h>
#include <stdlib.h>
#include <string.h>
@@ -36,8 +37,8 @@ extern ASN1_OBJECT *gbr_oid;
* Returns the payload or NULL if the document was malformed.
*/
struct gbr *
-gbr_parse(X509 **x509, const char *fn, int talid, const unsigned char *der,
- size_t len)
+gbr_parse(struct cert **out_cert, const char *fn, int talid,
+ const unsigned char *der, size_t len)
{
struct gbr *gbr;
struct cert *cert = NULL;
@@ -45,7 +46,10 @@ gbr_parse(X509 **x509, const char *fn, i
unsigned char *cms;
time_t signtime = 0;
- cms = cms_parse_validate(x509, fn, der, len, gbr_oid, &cmsz, &signtime);
+ assert(*out_cert == NULL);
+
+ cms = cms_parse_validate(&cert, fn, talid, der, len, gbr_oid, &cmsz,
+ &signtime);
if (cms == NULL)
return NULL;
@@ -65,42 +69,29 @@ gbr_parse(X509 **x509, const char *fn, i
free(cms);
cms = NULL;
- if (!x509_get_aia(*x509, fn, &gbr->aia))
- goto out;
- if (!x509_get_aki(*x509, fn, &gbr->aki))
- goto out;
- if (!x509_get_sia(*x509, fn, &gbr->sia))
- goto out;
- if (!x509_get_ski(*x509, fn, &gbr->ski))
- goto out;
+ gbr->aia = strdup(cert->aia);
+ gbr->aki = strdup(cert->aki);
+ gbr->sia = strdup(cert->signedobj);
+ gbr->ski = strdup(cert->ski);
if (gbr->aia == NULL || gbr->aki == NULL || gbr->sia == NULL ||
- gbr->ski == NULL) {
- warnx("%s: RFC 6487 section 4.8: "
- "missing AIA, AKI, SIA or SKI X509 extension", fn);
- goto out;
- }
+ gbr->ski == NULL)
+ err(1, NULL);
- if (!x509_get_notbefore(*x509, fn, &gbr->notbefore))
- goto out;
- if (!x509_get_notafter(*x509, fn, &gbr->notafter))
- goto out;
+ gbr->notbefore = cert->notbefore;
+ gbr->notafter = cert->notafter;
- if (!x509_inherits(*x509)) {
+ if (!x509_inherits(cert->x509)) {
warnx("%s: RFC 3779 extension not set to inherit", fn);
goto out;
}
- if ((cert = cert_parse_ee_cert(fn, talid, *x509)) == NULL)
- goto out;
- cert_free(cert);
+ *out_cert = cert;
return gbr;
out:
free(cms);
gbr_free(gbr);
- X509_free(*x509);
- *x509 = NULL;
cert_free(cert);
return NULL;
}
Index: geofeed.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/geofeed.c,v
diff -u -p -r1.19 geofeed.c
--- geofeed.c 27 Jun 2025 09:40:34 -0000 1.19
+++ geofeed.c 15 Jul 2025 17:46:54 -0000
@@ -20,6 +20,7 @@
#include <arpa/inet.h>
+#include <assert.h>
#include <ctype.h>
#include <err.h>
#include <stdlib.h>
@@ -97,9 +98,11 @@ geofeed_parse_geoip(struct geofeed *geof
* Returns the Geofeed, or NULL if the object was malformed.
*/
struct geofeed *
-geofeed_parse(X509 **x509, const char *fn, int talid, char *buf, size_t len)
+geofeed_parse(struct cert **out_cert, const char *fn, int talid, char *buf,
+ size_t len)
{
struct geofeed *geofeed;
+ struct cert *cert = NULL;
char *delim, *line, *loc, *nl;
ssize_t linelen;
BIO *bio;
@@ -107,10 +110,11 @@ geofeed_parse(X509 **x509, const char *f
size_t b64sz = 0;
unsigned char *der = NULL;
size_t dersz;
- struct cert *cert = NULL;
int rpki_signature_seen = 0, end_signature_seen = 0;
int rc = 0;
+ assert(*out_cert == NULL);
+
bio = BIO_new(BIO_s_mem());
if (bio == NULL)
errx(1, "BIO_new");
@@ -225,32 +229,25 @@ geofeed_parse(X509 **x509, const char *f
goto out;
}
- if (!cms_parse_validate_detached(x509, fn, der, dersz, geofeed_oid,
- bio, &geofeed->signtime))
- goto out;
-
- if (!x509_get_aia(*x509, fn, &geofeed->aia))
- goto out;
- if (!x509_get_aki(*x509, fn, &geofeed->aki))
- goto out;
- if (!x509_get_ski(*x509, fn, &geofeed->ski))
+ if (!cms_parse_validate_detached(&cert, fn, talid, der, dersz,
+ geofeed_oid, bio, &geofeed->signtime))
goto out;
+ /*
+ * Not distributed via RPKI repositories, so no SIA. Would've been nice
+ * if RFC 9632 had followed RFC 9323's example and made that explicit.
+ */
+ geofeed->aia = strdup(cert->aia);
+ geofeed->aki = strdup(cert->aki);
+ geofeed->ski = strdup(cert->ski);
if (geofeed->aia == NULL || geofeed->aki == NULL ||
- geofeed->ski == NULL) {
- warnx("%s: missing AIA, AKI, or SKI X509 extension", fn);
- goto out;
- }
-
- if (!x509_get_notbefore(*x509, fn, &geofeed->notbefore))
- goto out;
- if (!x509_get_notafter(*x509, fn, &geofeed->notafter))
- goto out;
+ geofeed->ski == NULL)
+ err(1, NULL);
- if ((cert = cert_parse_ee_cert(fn, talid, *x509)) == NULL)
- goto out;
+ geofeed->notbefore = cert->notbefore;
+ geofeed->notafter = cert->notafter;
- if (x509_any_inherits(*x509)) {
+ if (x509_any_inherits(cert->x509)) {
warnx("%s: inherit elements not allowed in EE cert", fn);
goto out;
}
@@ -262,13 +259,14 @@ geofeed_parse(X509 **x509, const char *f
geofeed->valid = valid_geofeed(fn, cert, geofeed);
+ *out_cert = cert;
+ cert = NULL;
+
rc = 1;
out:
if (rc == 0) {
geofeed_free(geofeed);
geofeed = NULL;
- X509_free(*x509);
- *x509 = NULL;
}
cert_free(cert);
BIO_free(bio);
Index: mft.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/mft.c,v
diff -u -p -r1.123 mft.c
--- mft.c 22 Jun 2025 12:56:42 -0000 1.123
+++ mft.c 17 Jul 2025 08:16:11 -0000
@@ -414,55 +414,42 @@ mft_parse_econtent(const char *fn, struc
* Return mft if it conforms to RFC 6486, otherwise NULL.
*/
struct mft *
-mft_parse(X509 **x509, const char *fn, int talid, const unsigned char *der,
- size_t len)
+mft_parse(struct cert **out_cert, const char *fn, int talid,
+ const unsigned char *der, size_t len)
{
struct mft *mft;
struct cert *cert = NULL;
int rc = 0;
size_t cmsz;
unsigned char *cms;
- char *crldp = NULL, *crlfile;
+ char *crlfile;
time_t signtime = 0;
- cms = cms_parse_validate(x509, fn, der, len, mft_oid, &cmsz, &signtime);
+ assert(*out_cert == NULL);
+
+ cms = cms_parse_validate(&cert, fn, talid, der, len, mft_oid, &cmsz,
+ &signtime);
if (cms == NULL)
return NULL;
- assert(*x509 != NULL);
if ((mft = calloc(1, sizeof(*mft))) == NULL)
err(1, NULL);
mft->signtime = signtime;
- if (!x509_get_aia(*x509, fn, &mft->aia))
- goto out;
- if (!x509_get_aki(*x509, fn, &mft->aki))
- goto out;
- if (!x509_get_sia(*x509, fn, &mft->sia))
- goto out;
- if (!x509_get_ski(*x509, fn, &mft->ski))
- goto out;
+ mft->aia = strdup(cert->aia);
+ mft->aki = strdup(cert->aki);
+ mft->sia = strdup(cert->signedobj);
+ mft->ski = strdup(cert->ski);
if (mft->aia == NULL || mft->aki == NULL || mft->sia == NULL ||
- mft->ski == NULL) {
- warnx("%s: RFC 6487 section 4.8: "
- "missing AIA, AKI, SIA, or SKI X509 extension", fn);
- goto out;
- }
+ mft->ski == NULL)
+ err(1, NULL);
- if (!x509_inherits(*x509)) {
+ if (!x509_inherits(cert->x509)) {
warnx("%s: RFC 3779 extension not set to inherit", fn);
goto out;
}
- /* get CRL info for later */
- if (!x509_get_crl(*x509, fn, &crldp))
- goto out;
- if (crldp == NULL) {
- warnx("%s: RFC 6487 section 4.8.6: CRL: "
- "missing CRL distribution point extension", fn);
- goto out;
- }
- crlfile = strrchr(crldp, '/');
+ crlfile = strrchr(cert->crl, '/');
if (crlfile == NULL) {
warnx("%s: RFC 6487 section 4.8.6: "
"invalid CRL distribution point", fn);
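Review bot: `crlfile = strrchr(cert->crl, '/')` dereferences `cert->crl` without the NULL check the removed x509_get_crl() path had; this is safe only if cert_parse_ee_cert() guarantees a CRLDP on every EE cert (RFC 6487 section 4.8.6 requires one, but whether the parser enforces it is not visible here). If it does not, keep the rejection before the strrchr: `if (cert->crl == NULL) { warnx("%s: RFC 6487 section 4.8.6: CRL: missing CRL distribution point extension", fn); goto out; }`. mft_parse() continues beyond this hunk.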
@@ -481,24 +468,21 @@ mft_parse(X509 **x509, const char *fn, i
if (mft_parse_econtent(fn, mft, cms, cmsz) == 0)
goto out;
- if ((cert = cert_parse_ee_cert(fn, talid, *x509)) == NULL)
- goto out;
-
if (mft->signtime > mft->nextupdate) {
warnx("%s: dating issue: CMS signing-time after MFT nextUpdate",
fn);
goto out;
}
+ *out_cert = cert;
+ cert = NULL;
+
rc = 1;
out:
if (rc == 0) {
mft_free(mft);
mft = NULL;
- X509_free(*x509);
- *x509 = NULL;
}
- free(crldp);
cert_free(cert);
free(cms);
return mft;
Index: roa.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/roa.c,v
diff -u -p -r1.80 roa.c
--- roa.c 12 Nov 2024 09:23:07 -0000 1.80
+++ roa.c 15 Jul 2025 17:46:54 -0000
@@ -235,17 +235,20 @@ roa_parse_econtent(const char *fn, struc
* Returns the ROA or NULL if the document was malformed.
*/
struct roa *
-roa_parse(X509 **x509, const char *fn, int talid, const unsigned char *der,
- size_t len)
+roa_parse(struct cert **out_cert, const char *fn, int talid,
+ const unsigned char *der, size_t len)
{
struct roa *roa;
+ struct cert *cert = NULL;
size_t cmsz;
unsigned char *cms;
- struct cert *cert = NULL;
time_t signtime = 0;
int rc = 0;
- cms = cms_parse_validate(x509, fn, der, len, roa_oid, &cmsz, &signtime);
+ assert(*out_cert == NULL);
+
+ cms = cms_parse_validate(&cert, fn, talid, der, len, roa_oid, &cmsz,
+ &signtime);
if (cms == NULL)
return NULL;
@@ -253,37 +256,25 @@ roa_parse(X509 **x509, const char *fn, i
err(1, NULL);
roa->signtime = signtime;
- if (!x509_get_aia(*x509, fn, &roa->aia))
- goto out;
- if (!x509_get_aki(*x509, fn, &roa->aki))
- goto out;
- if (!x509_get_sia(*x509, fn, &roa->sia))
- goto out;
- if (!x509_get_ski(*x509, fn, &roa->ski))
- goto out;
+ roa->aia = strdup(cert->aia);
+ roa->aki = strdup(cert->aki);
+ roa->sia = strdup(cert->signedobj);
+ roa->ski = strdup(cert->ski);
if (roa->aia == NULL || roa->aki == NULL || roa->sia == NULL ||
- roa->ski == NULL) {
- warnx("%s: RFC 6487 section 4.8: "
- "missing AIA, AKI, SIA, or SKI X509 extension", fn);
- goto out;
- }
+ roa->ski == NULL)
+ err(1, NULL);
- if (!x509_get_notbefore(*x509, fn, &roa->notbefore))
- goto out;
- if (!x509_get_notafter(*x509, fn, &roa->notafter))
- goto out;
+ roa->notbefore = cert->notbefore;
+ roa->notafter = cert->notafter;
if (!roa_parse_econtent(fn, roa, cms, cmsz))
goto out;
- if (x509_any_inherits(*x509)) {
+ if (x509_any_inherits(cert->x509)) {
warnx("%s: inherit elements not allowed in EE cert", fn);
goto out;
}
- if ((cert = cert_parse_ee_cert(fn, talid, *x509)) == NULL)
- goto out;
-
if (cert->num_ases > 0) {
warnx("%s: superfluous AS Resources extension present", fn);
goto out;
@@ -300,13 +291,14 @@ roa_parse(X509 **x509, const char *fn, i
*/
roa->valid = valid_roa(fn, cert, roa);
+ *out_cert = cert;
+ cert = NULL;
+
rc = 1;
out:
if (rc == 0) {
roa_free(roa);
roa = NULL;
- X509_free(*x509);
- *x509 = NULL;
}
cert_free(cert);
free(cms);
Index: rsc.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/rsc.c,v
diff -u -p -r1.37 rsc.c
--- rsc.c 13 Nov 2024 12:51:04 -0000 1.37
+++ rsc.c 15 Jul 2025 17:46:54 -0000
@@ -17,6 +17,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
+#include <assert.h>
#include <err.h>
#include <stdlib.h>
#include <string.h>
@@ -379,17 +380,19 @@ rsc_parse_econtent(const char *fn, struc
* Returns the RSC or NULL if the object was malformed.
*/
struct rsc *
-rsc_parse(X509 **x509, const char *fn, int talid, const unsigned char *der,
- size_t len)
+rsc_parse(struct cert **out_cert, const char *fn, int talid,
+ const unsigned char *der, size_t len)
{
struct rsc *rsc;
+ struct cert *cert = NULL;
unsigned char *cms;
size_t cmsz;
- struct cert *cert = NULL;
time_t signtime = 0;
int rc = 0;
- cms = cms_parse_validate(x509, fn, der, len, rsc_oid, &cmsz,
+ assert(*out_cert == NULL);
+
+ cms = cms_parse_validate(&cert, fn, talid, der, len, rsc_oid, &cmsz,
&signtime);
if (cms == NULL)
return NULL;
@@ -398,29 +401,22 @@ rsc_parse(X509 **x509, const char *fn, i
err(1, NULL);
rsc->signtime = signtime;
- if (!x509_get_aia(*x509, fn, &rsc->aia))
- goto out;
- if (!x509_get_aki(*x509, fn, &rsc->aki))
- goto out;
- if (!x509_get_ski(*x509, fn, &rsc->ski))
- goto out;
- if (rsc->aia == NULL || rsc->aki == NULL || rsc->ski == NULL) {
- warnx("%s: RFC 6487 section 4.8: "
- "missing AIA, AKI or SKI X509 extension", fn);
- goto out;
- }
+ /* RFC 9323, 2: not distributed via RPKI repositories, hence no SIA. */
+ rsc->aia = strdup(cert->aia);
+ rsc->aki = strdup(cert->aki);
+ rsc->ski = strdup(cert->ski);
+ if (rsc->aia == NULL || rsc->aki == NULL || rsc->ski == NULL)
+ err(1, NULL);
- if (!x509_get_notbefore(*x509, fn, &rsc->notbefore))
- goto out;
- if (!x509_get_notafter(*x509, fn, &rsc->notafter))
- goto out;
+ rsc->notbefore = cert->notbefore;
+ rsc->notafter = cert->notafter;
- if (X509_get_ext_by_NID(*x509, NID_sinfo_access, -1) != -1) {
+ if (cert->signedobj != NULL) {
warnx("%s: RSC: EE cert must not have an SIA extension", fn);
goto out;
}
- if (x509_any_inherits(*x509)) {
+ if (x509_any_inherits(cert->x509)) {
warnx("%s: inherit elements not allowed in EE cert", fn);
goto out;
}
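Review bot: `cert->signedobj != NULL` is a weaker test than the removed `X509_get_ext_by_NID(NID_sinfo_access)` check: an SIA extension carrying only non-signedObject accessMethods was rejected before and now passes, unless cert_parse_ee_cert() already refuses such an SIA on an EE cert. If it does, a short comment saying so would spare the next reader the same question, e.g. `/* cert_parse_ee_cert() rejects any EE SIA without signedObject, so this covers the extension. */`; if not, the check should stay on the extension rather than on the parsed field. rsc_parse() continues outside this hunk.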
@@ -428,18 +424,16 @@ rsc_parse(X509 **x509, const char *fn, i
if (!rsc_parse_econtent(fn, rsc, cms, cmsz))
goto out;
- if ((cert = cert_parse_ee_cert(fn, talid, *x509)) == NULL)
- goto out;
-
rsc->valid = valid_rsc(fn, cert, rsc);
+ *out_cert = cert;
+ cert = NULL;
+
rc = 1;
out:
if (rc == 0) {
rsc_free(rsc);
rsc = NULL;
- X509_free(*x509);
- *x509 = NULL;
}
cert_free(cert);
free(cms);
Index: spl.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/spl.c,v
diff -u -p -r1.7 spl.c
--- spl.c 13 Nov 2024 12:51:04 -0000 1.7
+++ spl.c 15 Jul 2025 17:46:54 -0000
@@ -242,17 +242,20 @@ spl_parse_econtent(const char *fn, struc
* Returns the SPL, or NULL if the object was malformed.
*/
struct spl *
-spl_parse(X509 **x509, const char *fn, int talid, const unsigned char *der,
- size_t len)
+spl_parse(struct cert **out_cert, const char *fn, int talid,
+ const unsigned char *der, size_t len)
{
struct spl *spl;
+ struct cert *cert = NULL;
size_t cmsz;
unsigned char *cms;
- struct cert *cert = NULL;
time_t signtime = 0;
int rc = 0;
- cms = cms_parse_validate(x509, fn, der, len, spl_oid, &cmsz, &signtime);
+ assert(*out_cert == NULL);
+
+ cms = cms_parse_validate(&cert, fn, talid, der, len, spl_oid, &cmsz,
+ &signtime);
if (cms == NULL)
return NULL;
@@ -260,37 +263,25 @@ spl_parse(X509 **x509, const char *fn, i
err(1, NULL);
spl->signtime = signtime;
- if (!x509_get_aia(*x509, fn, &spl->aia))
- goto out;
- if (!x509_get_aki(*x509, fn, &spl->aki))
- goto out;
- if (!x509_get_sia(*x509, fn, &spl->sia))
- goto out;
- if (!x509_get_ski(*x509, fn, &spl->ski))
- goto out;
+ spl->aia = strdup(cert->aia);
+ spl->aki = strdup(cert->aki);
+ spl->sia = strdup(cert->signedobj);
+ spl->ski = strdup(cert->ski);
if (spl->aia == NULL || spl->aki == NULL || spl->sia == NULL ||
- spl->ski == NULL) {
- warnx("%s: RFC 6487 section 4.8: "
- "missing AIA, AKI, SIA, or SKI X509 extension", fn);
- goto out;
- }
+ spl->ski == NULL)
+ err(1, NULL);
- if (!x509_get_notbefore(*x509, fn, &spl->notbefore))
- goto out;
- if (!x509_get_notafter(*x509, fn, &spl->notafter))
- goto out;
+ spl->notbefore = cert->notbefore;
+ spl->notafter = cert->notafter;
if (!spl_parse_econtent(fn, spl, cms, cmsz))
goto out;
- if (x509_any_inherits(*x509)) {
+ if (x509_any_inherits(cert->x509)) {
warnx("%s: inherit elements not allowed in EE cert", fn);
goto out;
}
- if ((cert = cert_parse_ee_cert(fn, talid, *x509)) == NULL)
- goto out;
-
if (cert->num_ases == 0) {
warnx("%s: AS Resources extension missing", fn);
goto out;
@@ -307,13 +298,14 @@ spl_parse(X509 **x509, const char *fn, i
*/
spl->valid = valid_spl(fn, cert, spl);
+ *out_cert = cert;
+ cert = NULL;
+
rc = 1;
out:
if (rc == 0) {
spl_free(spl);
spl = NULL;
- X509_free(*x509);
- *x509 = NULL;
}
cert_free(cert);
free(cms);
Index: tak.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/tak.c,v
diff -u -p -r1.22 tak.c
--- tak.c 2 Apr 2025 09:42:57 -0000 1.22
+++ tak.c 15 Jul 2025 17:46:54 -0000
@@ -17,6 +17,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
+#include <assert.h>
#include <err.h>
#include <stdlib.h>
#include <string.h>
@@ -204,8 +205,8 @@ tak_parse_econtent(const char *fn, struc
* Returns the TAK or NULL if the object was malformed.
*/
struct tak *
-tak_parse(X509 **x509, const char *fn, int talid, const unsigned char *der,
- size_t len)
+tak_parse(struct cert **out_cert, const char *fn, int talid,
+ const unsigned char *der, size_t len)
{
struct tak *tak;
struct cert *cert = NULL;
@@ -214,7 +215,10 @@ tak_parse(X509 **x509, const char *fn, i
time_t signtime = 0;
int rc = 0;
- cms = cms_parse_validate(x509, fn, der, len, tak_oid, &cmsz, &signtime);
+ assert(*out_cert == NULL);
+
+ cms = cms_parse_validate(&cert, fn, talid, der, len, tak_oid, &cmsz,
+ &signtime);
if (cms == NULL)
return NULL;
@@ -222,27 +226,18 @@ tak_parse(X509 **x509, const char *fn, i
err(1, NULL);
tak->signtime = signtime;
- if (!x509_get_aia(*x509, fn, &tak->aia))
- goto out;
- if (!x509_get_aki(*x509, fn, &tak->aki))
- goto out;
- if (!x509_get_sia(*x509, fn, &tak->sia))
- goto out;
- if (!x509_get_ski(*x509, fn, &tak->ski))
- goto out;
+ tak->aia = strdup(cert->aia);
+ tak->aki = strdup(cert->aki);
+ tak->sia = strdup(cert->signedobj);
+ tak->ski = strdup(cert->ski);
if (tak->aia == NULL || tak->aki == NULL || tak->sia == NULL ||
- tak->ski == NULL) {
- warnx("%s: RFC 6487 section 4.8: "
- "missing AIA, AKI, SIA, or SKI X509 extension", fn);
- goto out;
- }
+ tak->ski == NULL)
+ err(1, NULL);
- if (!x509_get_notbefore(*x509, fn, &tak->notbefore))
- goto out;
- if (!x509_get_notafter(*x509, fn, &tak->notafter))
- goto out;
+ tak->notbefore = cert->notbefore;
+ tak->notafter = cert->notafter;
- if (!x509_inherits(*x509)) {
+ if (!x509_inherits(cert->x509)) {
warnx("%s: RFC 3779 extension not set to inherit", fn);
goto out;
}
@@ -250,21 +245,19 @@ tak_parse(X509 **x509, const char *fn, i
if (!tak_parse_econtent(fn, tak, cms, cmsz))
goto out;
- if ((cert = cert_parse_ee_cert(fn, talid, *x509)) == NULL)
- goto out;
-
if (strcmp(tak->aki, tak->current->ski) != 0) {
warnx("%s: current TAKey's SKI does not match EE AKI", fn);
goto out;
}
+ *out_cert = cert;
+ cert = NULL;
+
rc = 1;
out:
if (rc == 0) {
tak_free(tak);
tak = NULL;
- X509_free(*x509);
- *x509 = NULL;
}
cert_free(cert);
free(cms);
Index: parser.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/parser.c,v
diff -u -p -r1.163 parser.c
--- parser.c 15 Jul 2025 07:23:39 -0000 1.163
+++ parser.c 15 Jul 2025 17:46:54 -0000
@@ -187,12 +187,12 @@ proc_parser_roa(char *file, const unsign
const struct entity *entp, X509_STORE_CTX *ctx)
{
struct roa *roa;
- X509 *x509 = NULL;
+ struct cert *cert = NULL;
struct auth *a;
struct crl *crl;
const char *errstr;
- if ((roa = roa_parse(&x509, file, entp->talid, der, len)) == NULL)
+ if ((roa = roa_parse(&cert, file, entp->talid, der, len)) == NULL)
goto out;
a = find_issuer(file, entp->certid, roa->aki, entp->mftaki);
@@ -200,12 +200,12 @@ proc_parser_roa(char *file, const unsign
goto out;
crl = crl_get(&crls, a);
- if (!valid_x509(file, ctx, x509, a, crl, &errstr)) {
+ if (!valid_x509(file, ctx, cert->x509, a, crl, &errstr)) {
warnx("%s: %s", file, errstr);
goto out;
}
- X509_free(x509);
- x509 = NULL;
+ cert_free(cert);
+ cert = NULL;
roa->talid = a->cert->talid;
@@ -215,7 +215,7 @@ proc_parser_roa(char *file, const unsign
out:
roa_free(roa);
- X509_free(x509);
+ cert_free(cert);
return NULL;
}
@@ -229,12 +229,12 @@ proc_parser_spl(char *file, const unsign
const struct entity *entp, X509_STORE_CTX *ctx)
{
struct spl *spl;
- X509 *x509 = NULL;
+ struct cert *cert = NULL;
struct auth *a;
struct crl *crl;
const char *errstr;
- if ((spl = spl_parse(&x509, file, entp->talid, der, len)) == NULL)
+ if ((spl = spl_parse(&cert, file, entp->talid, der, len)) == NULL)
goto out;
a = find_issuer(file, entp->certid, spl->aki, entp->mftaki);
@@ -242,12 +242,12 @@ proc_parser_spl(char *file, const unsign
goto out;
crl = crl_get(&crls, a);
- if (!valid_x509(file, ctx, x509, a, crl, &errstr)) {
+ if (!valid_x509(file, ctx, cert->x509, a, crl, &errstr)) {
warnx("%s: %s", file, errstr);
goto out;
}
- X509_free(x509);
- x509 = NULL;
+ cert_free(cert);
+ cert = NULL;
spl->talid = a->cert->talid;
@@ -257,7 +257,7 @@ proc_parser_spl(char *file, const unsign
out:
spl_free(spl);
- X509_free(x509);
+ cert_free(cert);
return NULL;
}
@@ -372,7 +372,7 @@ proc_parser_mft_pre(struct entity *entp,
X509_STORE_CTX *ctx, BN_CTX *bn_ctx)
{
struct mft *mft;
- X509 *x509;
+ struct cert *cert = NULL;
struct auth *a;
unsigned char *der;
size_t len;
@@ -390,7 +390,7 @@ proc_parser_mft_pre(struct entity *entp,
if (der == NULL && errno != ENOENT)
warn("parse file %s", file);
- if ((mft = mft_parse(&x509, file, entp->talid, der, len)) == NULL) {
+ if ((mft = mft_parse(&cert, file, entp->talid, der, len)) == NULL) {
free(der);
return NULL;
}
@@ -412,10 +412,10 @@ proc_parser_mft_pre(struct entity *entp,
a = find_issuer(file, entp->certid, mft->aki, NULL);
if (a == NULL)
goto err;
- if (!valid_x509(file, ctx, x509, a, *crl, errstr))
+ if (!valid_x509(file, ctx, cert->x509, a, *crl, errstr))
goto err;
- X509_free(x509);
- x509 = NULL;
+ cert_free(cert);
+ cert = NULL;
mft->repoid = entp->repoid;
mft->talid = a->cert->talid;
@@ -486,7 +486,7 @@ proc_parser_mft_pre(struct entity *entp,
return mft;
err:
- X509_free(x509);
+ cert_free(cert);
mft_free(mft);
crl_free(*crl);
*crl = NULL;
@@ -743,12 +743,12 @@ proc_parser_gbr(char *file, const unsign
const struct entity *entp, X509_STORE_CTX *ctx)
{
struct gbr *gbr;
- X509 *x509 = NULL;
+ struct cert *cert = NULL;
struct crl *crl;
struct auth *a;
const char *errstr;
- if ((gbr = gbr_parse(&x509, file, entp->talid, der, len)) == NULL)
+ if ((gbr = gbr_parse(&cert, file, entp->talid, der, len)) == NULL)
goto out;
a = find_issuer(file, entp->certid, gbr->aki, entp->mftaki);
@@ -756,12 +756,12 @@ proc_parser_gbr(char *file, const unsign
goto out;
crl = crl_get(&crls, a);
- if (!valid_x509(file, ctx, x509, a, crl, &errstr)) {
+ if (!valid_x509(file, ctx, cert->x509, a, crl, &errstr)) {
warnx("%s: %s", file, errstr);
goto out;
}
- X509_free(x509);
- x509 = NULL;
+ cert_free(cert);
+ cert = NULL;
gbr->talid = a->cert->talid;
@@ -769,7 +769,7 @@ proc_parser_gbr(char *file, const unsign
out:
gbr_free(gbr);
- X509_free(x509);
+ cert_free(cert);
return NULL;
}
@@ -782,12 +782,12 @@ proc_parser_aspa(char *file, const unsig
const struct entity *entp, X509_STORE_CTX *ctx)
{
struct aspa *aspa;
- X509 *x509 = NULL;
+ struct cert *cert = NULL;
struct auth *a;
struct crl *crl;
const char *errstr;
- if ((aspa = aspa_parse(&x509, file, entp->talid, der, len)) == NULL)
+ if ((aspa = aspa_parse(&cert, file, entp->talid, der, len)) == NULL)
goto out;
a = find_issuer(file, entp->certid, aspa->aki, entp->mftaki);
@@ -795,12 +795,12 @@ proc_parser_aspa(char *file, const unsig
goto out;
crl = crl_get(&crls, a);
- if (!valid_x509(file, ctx, x509, a, crl, &errstr)) {
+ if (!valid_x509(file, ctx, cert->x509, a, crl, &errstr)) {
warnx("%s: %s", file, errstr);
goto out;
}
- X509_free(x509);
- x509 = NULL;
+ cert_free(cert);
+ cert = NULL;
aspa->talid = a->cert->talid;
@@ -810,7 +810,7 @@ proc_parser_aspa(char *file, const unsig
out:
aspa_free(aspa);
- X509_free(x509);
+ cert_free(cert);
return NULL;
}
@@ -823,12 +823,12 @@ proc_parser_tak(char *file, const unsign
const struct entity *entp, X509_STORE_CTX *ctx)
{
struct tak *tak;
- X509 *x509 = NULL;
+ struct cert *cert;
struct crl *crl;
struct auth *a;
const char *errstr;
- if ((tak = tak_parse(&x509, file, entp->talid, der, len)) == NULL)
+ if ((tak = tak_parse(&cert, file, entp->talid, der, len)) == NULL)
goto out;
a = find_issuer(file, entp->certid, tak->aki, entp->mftaki);
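Review bot: `struct cert *cert;` at the top of proc_parser_tak() is uninitialized, unlike the `= NULL` used in proc_parser_roa/spl/gbr/aspa in this same diff; tak_parse() asserts `*out_cert == NULL` on entry and leaves `*out_cert` untouched on failure, so the `goto out` after a failed parse reaches `cert_free(cert)` on an indeterminate pointer. Change it to `struct cert *cert = NULL;`. The function's out label is in a later hunk.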
@@ -836,12 +836,12 @@ proc_parser_tak(char *file, const unsign
goto out;
crl = crl_get(&crls, a);
- if (!valid_x509(file, ctx, x509, a, crl, &errstr)) {
+ if (!valid_x509(file, ctx, cert->x509, a, crl, &errstr)) {
warnx("%s: %s", file, errstr);
goto out;
}
- X509_free(x509);
- x509 = NULL;
+ cert_free(cert);
+ cert = NULL;
/* TAK EE must be signed by self-signed CA */
if (a->issuer != NULL)
@@ -853,7 +853,7 @@ proc_parser_tak(char *file, const unsign
out:
tak_free(tak);
- X509_free(x509);
+ cert_free(cert);
return NULL;
}
Index: filemode.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/filemode.c,v
diff -u -p -r1.63 filemode.c
--- filemode.c 15 Jul 2025 07:23:39 -0000 1.63
+++ filemode.c 15 Jul 2025 17:46:54 -0000
@@ -336,7 +336,6 @@ static void
proc_parser_file(char *file, unsigned char *buf, size_t len)
{
static int num;
- X509 *x509 = NULL;
struct aspa *aspa = NULL;
struct cert *cert = NULL;
struct crl *crl = NULL;
@@ -349,7 +348,6 @@ proc_parser_file(char *file, unsigned ch
struct tak *tak = NULL;
struct tal *tal = NULL;
char *aia = NULL;
- char *crl_uri = NULL;
time_t *notbefore = NULL, *expires = NULL, *notafter = NULL;
time_t now;
struct auth *a = NULL;
@@ -399,7 +397,7 @@ proc_parser_file(char *file, unsigned ch
switch (type) {
case RTYPE_ASPA:
- aspa = aspa_parse(&x509, file, -1, buf, len);
+ aspa = aspa_parse(&cert, file, -1, buf, len);
if (aspa == NULL)
break;
aia = aspa->aia;
@@ -413,9 +411,6 @@ proc_parser_file(char *file, unsigned ch
break;
is_ta = (cert->purpose == CERT_PURPOSE_TA);
aia = cert->aia;
- x509 = cert->x509;
- if (X509_up_ref(x509) == 0)
- errx(1, "%s: X509_up_ref failed", __func__);
expires = &cert->expires;
notbefore = &cert->notbefore;
notafter = &cert->notafter;
@@ -427,7 +422,7 @@ proc_parser_file(char *file, unsigned ch
crl_print(crl);
break;
case RTYPE_MFT:
- mft = mft_parse(&x509, file, -1, buf, len);
+ mft = mft_parse(&cert, file, -1, buf, len);
if (mft == NULL)
break;
aia = mft->aia;
@@ -436,7 +431,7 @@ proc_parser_file(char *file, unsigned ch
notafter = &mft->nextupdate;
break;
case RTYPE_GBR:
- gbr = gbr_parse(&x509, file, -1, buf, len);
+ gbr = gbr_parse(&cert, file, -1, buf, len);
if (gbr == NULL)
break;
aia = gbr->aia;
@@ -445,7 +440,7 @@ proc_parser_file(char *file, unsigned ch
notafter = &gbr->notafter;
break;
case RTYPE_GEOFEED:
- geofeed = geofeed_parse(&x509, file, -1, buf, len);
+ geofeed = geofeed_parse(&cert, file, -1, buf, len);
if (geofeed == NULL)
break;
aia = geofeed->aia;
@@ -454,7 +449,7 @@ proc_parser_file(char *file, unsigned ch
notafter = &geofeed->notafter;
break;
case RTYPE_ROA:
- roa = roa_parse(&x509, file, -1, buf, len);
+ roa = roa_parse(&cert, file, -1, buf, len);
if (roa == NULL)
break;
aia = roa->aia;
@@ -463,7 +458,7 @@ proc_parser_file(char *file, unsigned ch
notafter = &roa->notafter;
break;
case RTYPE_RSC:
- rsc = rsc_parse(&x509, file, -1, buf, len);
+ rsc = rsc_parse(&cert, file, -1, buf, len);
if (rsc == NULL)
break;
aia = rsc->aia;
@@ -472,7 +467,7 @@ proc_parser_file(char *file, unsigned ch
notafter = &rsc->notafter;
break;
case RTYPE_SPL:
- spl = spl_parse(&x509, file, -1, buf, len);
+ spl = spl_parse(&cert, file, -1, buf, len);
if (spl == NULL)
break;
aia = spl->aia;
@@ -481,7 +476,7 @@ proc_parser_file(char *file, unsigned ch
notafter = &spl->notafter;
break;
case RTYPE_TAK:
- tak = tak_parse(&x509, file, -1, buf, len);
+ tak = tak_parse(&cert, file, -1, buf, len);
if (tak == NULL)
break;
aia = tak->aia;
@@ -501,12 +496,11 @@ proc_parser_file(char *file, unsigned ch
}
if (aia != NULL) {
- x509_get_crl(x509, file, &crl_uri);
- parse_load_crl(crl_uri);
+ parse_load_crl(cert->crl);
a = parse_load_certchain(aia);
c = crl_get(&crls, a);
- if ((status = valid_x509(file, ctx, x509, a, c, &errstr))) {
+ if ((status = valid_x509(file, ctx, cert->x509, a, c, &errstr))) {
switch (type) {
case RTYPE_ASPA:
status = aspa->valid;
@@ -526,14 +520,7 @@ proc_parser_file(char *file, unsigned ch
break;
}
}
- if (status && cert == NULL) {
- struct cert *eecert;
-
- eecert = cert_parse_ee_cert(file, a->cert->talid, x509);
- if (eecert == NULL)
- status = 0;
- cert_free(eecert);
- } else if (status) {
+ if (status) {
cert->talid = a->cert->talid;
constraints_validate(file, cert);
}
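Review bot: The collapsed `if (status)` branch now runs constraints_validate() on the EE cert of every signed object, whereas the removed code only reached it for a CA cert (`cert != NULL`) and merely checked that cert_parse_ee_cert() succeeded for EE certs. That is probably the desired outcome of routing everything through struct cert, but the commit message does not mention it, so it is worth confirming that the TAL constraints are meant to apply to EE certs in filemode as well. If so, a short comment such as `/* TAL constraints now apply to EE certs of signed objects too */` above the branch would record the intent. proc_parser_file continues outside this hunk.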
@@ -566,31 +553,31 @@ proc_parser_file(char *file, unsigned ch
switch (type) {
case RTYPE_ASPA:
- aspa_print(x509, aspa);
+ aspa_print(cert->x509, aspa);
break;
case RTYPE_CER:
cert_print(cert);
break;
case RTYPE_GBR:
- gbr_print(x509, gbr);
+ gbr_print(cert->x509, gbr);
break;
case RTYPE_GEOFEED:
- geofeed_print(x509, geofeed);
+ geofeed_print(cert->x509, geofeed);
break;
case RTYPE_MFT:
- mft_print(x509, mft);
+ mft_print(cert->x509, mft);
break;
case RTYPE_ROA:
- roa_print(x509, roa);
+ roa_print(cert->x509, roa);
break;
case RTYPE_RSC:
- rsc_print(x509, rsc);
+ rsc_print(cert->x509, rsc);
break;
case RTYPE_SPL:
- spl_print(x509, spl);
+ spl_print(cert->x509, spl);
break;
case RTYPE_TAK:
- tak_print(x509, tak);
+ tak_print(cert->x509, tak);
break;
default:
break;
@@ -627,32 +614,30 @@ proc_parser_file(char *file, unsigned ch
printf("\n");
if (aia != NULL && status) {
- print_signature_path(crl_uri, aia, a);
+ print_signature_path(cert->crl, aia, a);
if (expires != NULL)
printf("Signature path expires: %s\n",
time2str(*expires));
}
- if (x509 == NULL)
+ if (cert == NULL)
goto out;
if (type == RTYPE_TAL || type == RTYPE_CRL)
goto out;
if (verbose) {
- if (!X509_print_ex_fp(stdout, x509, XN_FLAG_COMPAT,
- X509V3_EXT_DUMP_UNKNOWN))
+ if (!X509_print_ex_fp(stdout, cert->x509,
+ XN_FLAG_COMPAT, X509V3_EXT_DUMP_UNKNOWN))
errx(1, "X509_print_fp");
}
if (verbose > 1) {
- if (!PEM_write_X509(stdout, x509))
+ if (!PEM_write_X509(stdout, cert->x509))
errx(1, "PEM_write_X509");
}
}
out:
- free(crl_uri);
- X509_free(x509);
aspa_free(aspa);
cert_free(cert);
crl_free(crl);
Index: extern.h
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v
diff -u -p -r1.248 extern.h
--- extern.h 15 Jul 2025 07:23:39 -0000 1.248
+++ extern.h 15 Jul 2025 17:46:54 -0000
@@ -728,8 +728,8 @@ void cert_remove_nca(struct nca_tree *
enum rtype rtype_from_file_extension(const char *);
void mft_buffer(struct ibuf *, const struct mft *);
void mft_free(struct mft *);
-struct mft *mft_parse(X509 **, const char *, int, const unsigned char *,
- size_t);
+struct mft *mft_parse(struct cert **, const char *, int,
+ const unsigned char *, size_t);
struct mft *mft_read(struct ibuf *);
int mft_compare_issued(const struct mft *, const struct mft *);
int mft_compare_seqnum(const struct mft *, const struct mft *);
@@ -738,42 +738,43 @@ int mft_seqnum_gap_present(const struc
void roa_buffer(struct ibuf *, const struct roa *);
void roa_free(struct roa *);
-struct roa *roa_parse(X509 **, const char *, int, const unsigned char *,
- size_t);
+struct roa *roa_parse(struct cert **, const char *, int,
+ const unsigned char *, size_t);
struct roa *roa_read(struct ibuf *);
void roa_insert_vrps(struct vrp_tree *, struct roa *,
struct repo *);
void spl_buffer(struct ibuf *, const struct spl *);
void spl_free(struct spl *);
-struct spl *spl_parse(X509 **, const char *, int, const unsigned char *,
- size_t);
+struct spl *spl_parse(struct cert **, const char *, int,
+ const unsigned char *, size_t);
struct spl *spl_read(struct ibuf *);
void spl_insert_vsps(struct vsp_tree *, struct spl *,
struct repo *);
void gbr_free(struct gbr *);
-struct gbr *gbr_parse(X509 **, const char *, int, const unsigned char *,
- size_t);
+struct gbr *gbr_parse(struct cert **, const char *, int,
+ const unsigned char *, size_t);
void geofeed_free(struct geofeed *);
-struct geofeed *geofeed_parse(X509 **, const char *, int, char *, size_t);
+struct geofeed *geofeed_parse(struct cert **, const char *, int, char *,
+ size_t);
void rsc_free(struct rsc *);
-struct rsc *rsc_parse(X509 **, const char *, int, const unsigned char *,
- size_t);
+struct rsc *rsc_parse(struct cert **, const char *, int,
+ const unsigned char *, size_t);
void takey_free(struct takey *);
void tak_free(struct tak *);
-struct tak *tak_parse(X509 **, const char *, int, const unsigned char *,
- size_t);
+struct tak *tak_parse(struct cert **, const char *, int,
+ const unsigned char *, size_t);
void aspa_buffer(struct ibuf *, const struct aspa *);
void aspa_free(struct aspa *);
void aspa_insert_vaps(char *, struct vap_tree *, struct aspa *,
struct repo *);
-struct aspa *aspa_parse(X509 **, const char *, int, const unsigned char *,
- size_t);
+struct aspa *aspa_parse(struct cert **, const char *, int,
+ const unsigned char *, size_t);
struct aspa *aspa_read(struct ibuf *);
/* crl.c */
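Review bot: The new `struct cert **` out-parameter on mft_parse() through aspa_parse() carries an ownership contract that the header does not state: whether `*out` is written only on success, whether it is cleared on failure, and that the caller releases it with cert_free(). Since at least one caller in parser.c passes an uninitialized pointer to the `out:` cleanup, the header is the right place to pin this down; a comment above the first of these prototypes along the lines of `/* On success *out receives the EE cert (caller frees with cert_free()); callers must initialize *out to NULL. */` would document it, adjusted to match what cms_parse_validate() actually guarantees. The same applies to the cms_parse_validate() prototypes in the next hunk.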
@@ -803,12 +804,12 @@ int valid_uuid(const char *);
int valid_spl(const char *, struct cert *, struct spl *);
/* Working with CMS. */
-unsigned char *cms_parse_validate(X509 **, const char *,
- const unsigned char *, size_t,
- const ASN1_OBJECT *, size_t *, time_t *);
-int cms_parse_validate_detached(X509 **, const char *,
- const unsigned char *, size_t,
- const ASN1_OBJECT *, BIO *, time_t *);
+unsigned char *cms_parse_validate(struct cert **, const char *, int,
+ const unsigned char *, size_t, const ASN1_OBJECT *,
+ size_t *, time_t *);
+int cms_parse_validate_detached(struct cert **, const char *, int,
+ const unsigned char *, size_t, const ASN1_OBJECT *, BIO *,
+ time_t *);
/* Work with RFC 3779 IP addresses, prefixes, ranges. */