Index | Thread | Search

From:
Theo Buehler <tb@theobuehler.org>
Subject:
rpki-client: mft: stop copying AIA and SIA around
To:
Job Snijders <job@openbsd.org>
Cc:
tech@openbsd.org
Date:
Sun, 20 Jul 2025 10:24:19 +0200

Download raw body.

Thread 
The mft->aki needs to be pushed to the main process for entp->mftaki,
which is handed back to the parser for the mftaki check in find_issuer().
I need to check more closely if this is still useful, but that would be
for a separate diff anyway...

The mft->aki is also needed a few layers down in the parser for checking
it against the CRL's AKI. Similarly, the mft->sia is used for crl->mftpath
and while this copy in mft could be avoided, doing so means handing the
info through the layers somehow. Borrowing it from the cert to avoid the
copy is a bit ugly and doing it differently and cleanly seems more work
than it's worth right now.

The rest is essentially identical to the other signed objects, with
slight differences because the "validity" of manifests is part of the
econtent. I adjusted the two checks for strdup() to individual checks
which is what we normally do.

Index: usr.sbin/rpki-client/extern.h
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v
diff -u -p -r1.251 extern.h
--- usr.sbin/rpki-client/extern.h	20 Jul 2025 07:48:31 -0000	1.251
+++ usr.sbin/rpki-client/extern.h	20 Jul 2025 08:20:47 -0000
@@ -229,10 +229,8 @@ struct mft {
 	char		*path; /* relative path to directory of the MFT */
 	struct mftfile	*files; /* file and hash */
 	char		*seqnum; /* manifestNumber */
-	char		*aia; /* AIA */
 	char		*aki; /* AKI */
 	char		*sia; /* SIA signedObject */
-	char		*ski; /* SKI */
 	char		*crl; /* CRL file name */
 	unsigned char	 mfthash[SHA256_DIGEST_LENGTH];
 	unsigned char	 crlhash[SHA256_DIGEST_LENGTH];
@@ -933,7 +931,7 @@ void		 x509_print(const X509 *);
 void		 tal_print(const struct tal *);
 void		 cert_print(const struct cert *);
 void		 crl_print(const struct crl *);
-void		 mft_print(const X509 *, const struct mft *);
+void		 mft_print(const struct cert *, const struct mft *);
 void		 roa_print(const struct cert *, const struct roa *);
 void		 gbr_print(const struct cert *, const struct gbr *);
 void		 rsc_print(const struct cert *, const struct rsc *);
Index: usr.sbin/rpki-client/filemode.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/filemode.c,v
diff -u -p -r1.65 filemode.c
--- usr.sbin/rpki-client/filemode.c	20 Jul 2025 07:48:31 -0000	1.65
+++ usr.sbin/rpki-client/filemode.c	20 Jul 2025 08:20:47 -0000
@@ -425,7 +425,7 @@ proc_parser_file(char *file, unsigned ch
 		mft = mft_parse(&cert, file, -1, buf, len);
 		if (mft == NULL)
 			break;
-		aia = mft->aia;
+		aia = cert->aia;
 		expires = &mft->expires;
 		notbefore = &mft->thisupdate;
 		notafter = &mft->nextupdate;
@@ -565,7 +565,7 @@ proc_parser_file(char *file, unsigned ch
 			geofeed_print(cert, geofeed);
 			break;
 		case RTYPE_MFT:
-			mft_print(cert->x509, mft);
+			mft_print(cert, mft);
 			break;
 		case RTYPE_ROA:
 			roa_print(cert, roa);
Index: usr.sbin/rpki-client/mft.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/mft.c,v
diff -u -p -r1.124 mft.c
--- usr.sbin/rpki-client/mft.c	18 Jul 2025 12:20:32 -0000	1.124
+++ usr.sbin/rpki-client/mft.c	20 Jul 2025 08:20:47 -0000
@@ -436,12 +436,9 @@ mft_parse(struct cert **out_cert, const 
 		err(1, NULL);
 	mft->signtime = signtime;
 
-	mft->aia = strdup(cert->aia);
-	mft->aki = strdup(cert->aki);
-	mft->sia = strdup(cert->signedobj);
-	mft->ski = strdup(cert->ski);
-	if (mft->aia == NULL || mft->aki == NULL || mft->sia == NULL ||
-	    mft->ski == NULL)
+	if ((mft->aki = strdup(cert->aki)) == NULL)
+		err(1, NULL);
+	if ((mft->sia = strdup(cert->signedobj)) == NULL)
 		err(1, NULL);
 
 	if (!x509_inherits(cert->x509)) {
@@ -506,10 +503,8 @@ mft_free(struct mft *p)
 	free(p->path);
 	free(p->files);
 	free(p->seqnum);
-	free(p->aia);
 	free(p->aki);
 	free(p->sia);
-	free(p->ski);
 	free(p->crl);
 	free(p);
 }
@@ -529,9 +524,7 @@ mft_buffer(struct ibuf *b, const struct 
 	io_simple_buffer(b, &p->seqnum_gap, sizeof(p->seqnum_gap));
 	io_str_buffer(b, p->path);
 
-	io_str_buffer(b, p->aia);
 	io_str_buffer(b, p->aki);
-	io_str_buffer(b, p->ski);
 
 	io_simple_buffer(b, &p->filesz, sizeof(size_t));
 	for (i = 0; i < p->filesz; i++) {
@@ -563,10 +556,8 @@ mft_read(struct ibuf *b)
 	io_read_buf(b, &p->seqnum_gap, sizeof(p->seqnum_gap));
 	io_read_str(b, &p->path);
 
-	io_read_str(b, &p->aia);
 	io_read_str(b, &p->aki);
-	io_read_str(b, &p->ski);
-	assert(p->aia && p->aki && p->ski);
+	assert(p->aki != NULL);
 
 	io_read_buf(b, &p->filesz, sizeof(size_t));
 	if ((p->files = calloc(p->filesz, sizeof(struct mftfile))) == NULL)
Index: usr.sbin/rpki-client/print.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/print.c,v
diff -u -p -r1.62 print.c
--- usr.sbin/rpki-client/print.c	20 Jul 2025 07:48:31 -0000	1.62
+++ usr.sbin/rpki-client/print.c	20 Jul 2025 08:20:47 -0000
@@ -448,18 +448,18 @@ crl_print(const struct crl *p)
 }
 
 void
-mft_print(const X509 *x, const struct mft *p)
+mft_print(const struct cert *c, const struct mft *p)
 {
 	size_t i;
 	char *hash;
 
 	if (outformats & FORMAT_JSON) {
 		json_do_string("type", "manifest");
-		json_do_string("ski", p->ski);
-		x509_print(x);
-		json_do_string("aki", p->aki);
-		json_do_string("aia", p->aia);
-		json_do_string("sia", p->sia);
+		json_do_string("ski", c->ski);
+		x509_print(c->x509);
+		json_do_string("aki", c->aki);
+		json_do_string("aia", c->aia);
+		json_do_string("sia", c->signedobj);
 		json_do_string("manifest_number", p->seqnum);
 		if (p->signtime != 0)
 			json_do_int("signing_time", p->signtime);
@@ -468,11 +468,11 @@ mft_print(const X509 *x, const struct mf
 		if (p->expires)
 			json_do_int("expires", p->expires);
 	} else {
-		printf("Subject key identifier:   %s\n", pretty_key_id(p->ski));
-		printf("Authority key identifier: %s\n", pretty_key_id(p->aki));
-		x509_print(x);
-		printf("Authority info access:    %s\n", p->aia);
-		printf("Subject info access:      %s\n", p->sia);
+		printf("Subject key identifier:   %s\n", pretty_key_id(c->ski));
+		printf("Authority key identifier: %s\n", pretty_key_id(c->aki));
+		x509_print(c->x509);
+		printf("Authority info access:    %s\n", c->aia);
+		printf("Subject info access:      %s\n", c->signedobj);
 		printf("Manifest number:          %s\n", p->seqnum);
 		if (p->signtime != 0)
 			printf("Signing time:             %s\n",
Index: regress/usr.sbin/rpki-client/test-mft.c
===================================================================
RCS file: /cvs/src/regress/usr.sbin/rpki-client/test-mft.c,v
diff -u -p -r1.30 test-mft.c
--- regress/usr.sbin/rpki-client/test-mft.c	18 Jul 2025 12:22:07 -0000	1.30
+++ regress/usr.sbin/rpki-client/test-mft.c	20 Jul 2025 08:20:47 -0000
@@ -79,7 +79,7 @@ main(int argc, char *argv[])
 			break;
 		}
 		if (verb)
-			mft_print(cert->x509, p);
+			mft_print(cert, p);
 		if (ppem) {
 			if (!PEM_write_X509(stdout, cert->x509))
 				errx(1, "PEM_write_X509: unable to write cert");