rpki-client: SPKI in TALs
On Tue, Jan 20, 2026 at 12:50:05PM +0000, Job Snijders wrote:
> On Tue, Jan 20, 2026 at 09:02:12AM +0100, Theo Buehler wrote:
> > This is an almost entirely mechanical diff. The pkey hanging off
> > struct tal always confuses me since pkey always makes me think of
> > EVP_PKEY. The combo with pk and opk in a couple of functions makes
> > this worse.
> >
> > So: rename tal->pkey{,sz} to tal->spki{,sz} and pk/opk to pkey/opkey
> > and adjust a couple of nearby comments. Update from RFC 7730 to RFC
> > 8630 while there.
>
> To me it is not immediately clear from the new (or old) variable names
> 'pkey' and 'opkey' what those variables might contain, perhaps the names
> 'tal_pkey' and 'cert_pkey' would've been more descriptive? Anyhow...
So here's the rename you requested. I will do a %s/badcert/out followup
in cert.c to get that out of the way.
Index: cert.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v
diff -u -p -r1.212 cert.c
--- cert.c 20 Jan 2026 16:49:03 -0000 1.212
+++ cert.c 20 Jan 2026 16:52:10 -0000
@@ -1937,20 +1937,20 @@ static int
ta_check_pubkey(const char *fn, struct cert *cert, const unsigned char *spki,
size_t spkisz)
{
- EVP_PKEY *pk, *opk;
+ EVP_PKEY *cert_pkey, *tal_pkey;
int rv = 0;
/* first check pubkey against the one from the TAL */
- pk = d2i_PUBKEY(NULL, &spki, spkisz);
- if (pk == NULL) {
+ tal_pkey = d2i_PUBKEY(NULL, &spki, spkisz);
+ if (tal_pkey == NULL) {
warnx("%s: RFC 6487 (trust anchor): bad TAL pubkey", fn);
goto badcert;
}
- if ((opk = X509_get0_pubkey(cert->x509)) == NULL) {
+ if ((cert_pkey = X509_get0_pubkey(cert->x509)) == NULL) {
warnx("%s: RFC 6487 (trust anchor): missing pubkey", fn);
goto badcert;
}
- if (EVP_PKEY_cmp(pk, opk) != 1) {
+ if (EVP_PKEY_cmp(cert_pkey, tal_pkey) != 1) {
warnx("%s: RFC 6487 (trust anchor): "
"pubkey does not match TAL pubkey", fn);
goto badcert;
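Review bot: The renamed EVP_PKEY_cmp() call on the `!= 1` line also swaps its argument order, from (TAL key, cert key) to (cert key, TAL key), which goes beyond the "almost entirely mechanical" rename the log describes. As far as I can tell EVP_PKEY_cmp() is symmetric for the key types involved, so the check's result is unchanged, and the new order matches the `EVP_PKEY_cmp(cert_pkey, tal_pkey)` call in find_tal() in filemode.c, but the swap deserves a word in the commit message. If it was unintended, `if (EVP_PKEY_cmp(tal_pkey, cert_pkey) != 1) {` keeps the original order. ta_check_pubkey()'s body continues in the next hunk, where only tal_pkey is freed, which is consistent with cert_pkey being the borrowed X509_get0_pubkey() reference.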
@@ -1960,14 +1960,14 @@ ta_check_pubkey(const char *fn, struct c
* Do not replace with a <= 0 check since OpenSSL 3 broke that:
* https://github.com/openssl/openssl/issues/24575
*/
- if (X509_verify(cert->x509, pk) != 1) {
+ if (X509_verify(cert->x509, tal_pkey) != 1) {
warnx("%s: failed to verify signature", fn);
goto badcert;
}
rv = 1;
badcert:
- EVP_PKEY_free(pk);
+ EVP_PKEY_free(tal_pkey);
return rv;
}
Index: filemode.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/filemode.c,v
diff -u -p -r1.77 filemode.c
--- filemode.c 20 Jan 2026 16:49:03 -0000 1.77
+++ filemode.c 20 Jan 2026 16:52:10 -0000
@@ -283,11 +283,11 @@ out:
static struct tal *
find_tal(struct cert *cert)
{
- EVP_PKEY *pk, *opk;
+ EVP_PKEY *cert_pkey, *tal_pkey;
struct tal *tal;
int i;
- if ((opk = X509_get0_pubkey(cert->x509)) == NULL)
+ if ((cert_pkey = X509_get0_pubkey(cert->x509)) == NULL)
return NULL;
for (i = 0; i < TALSZ_MAX; i++) {
@@ -297,14 +297,14 @@ find_tal(struct cert *cert)
break;
tal = talobj[i];
spki = tal->spki;
- pk = d2i_PUBKEY(NULL, &spki, tal->spkisz);
- if (pk == NULL)
+ tal_pkey = d2i_PUBKEY(NULL, &spki, tal->spkisz);
+ if (tal_pkey == NULL)
continue;
- if (EVP_PKEY_cmp(pk, opk) == 1) {
- EVP_PKEY_free(pk);
+ if (EVP_PKEY_cmp(cert_pkey, tal_pkey) == 1) {
+ EVP_PKEY_free(tal_pkey);
return tal;
}
- EVP_PKEY_free(pk);
+ EVP_PKEY_free(tal_pkey);
}
return NULL;
}