rpki-client: rename ta_parse() to ta_validate()
Trivial renaming diff that adds a bit of documentation. As already
mentioned, ta_parse() doesn't parse the TA; it deserializes the TAL's
SPKI and compares internal representations. This isn't quite right but
libcrypto often makes things that should be easy almost impossible.
Since I forgot this and wasted a lot of time at least twice in this
specific instance, leave an explicit comment on this in ta_check_pubkey().
Index: usr.sbin/rpki-client/cert.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v
diff -u -p -r1.218 cert.c
--- usr.sbin/rpki-client/cert.c 27 Jan 2026 08:40:29 -0000 1.218
+++ usr.sbin/rpki-client/cert.c 28 Jan 2026 07:30:56 -0000
@@ -1991,7 +1991,11 @@ ta_check_pubkey(const char *fn, struct c
EVP_PKEY *cert_pkey, *tal_pkey;
int rv = 0;
- /* first check pubkey against the one from the TAL */
+ /*
+ * We should really verify that the TAL's SPKI is byte-identical with
+ * the cert's SPKI. There's no sane way to access the original DER, so
+ * comparing internal representations is the best we can do.
+ */
tal_pkey = d2i_PUBKEY(NULL, &spki, spkisz);
if (tal_pkey == NULL) {
warnx("%s: RFC 6487 (trust anchor): bad TAL pubkey", fn);
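Review bot: The new comment explains why internal representations are compared, but it does not mention that the d2i_PUBKEY() call right below it advances `spki` only by the bytes the DER decoder actually consumed, so a TAL SPKI blob with trailing bytes after a well-formed SubjectPublicKeyInfo is accepted at this step unless a length check follows later in ta_check_pubkey(), whose body continues outside the hunk. If no such check exists, it is a two-line addition: keep `const unsigned char *start = spki;` before the call and, after the NULL check, reject the input with `if (spki != start + spkisz) { warnx("%s: RFC 6487 (trust anchor): trailing garbage in TAL pubkey", fn); goto out; }` (using whatever cleanup label the function has). If the check does exist, a half sentence in the new comment pointing at it would save the next reader the same detour the commit message describes. Whether `spki` is a parameter or a local copy is not visible here, so adjust accordingly.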
@@ -2039,9 +2043,15 @@ ta_check_validity(const char *fn, struct
return 1;
}
+/*
+ * Validate a TA against the subjectPublicKeyInfo from the TAL.
+ * Check that the SPKIs match, and that the cert is self-signed
+ * and currently valid.
+ * Returns cert passed in on success or NULL on failure.
+ */
struct cert *
-ta_parse(const char *fn, struct cert *p, const unsigned char *spki,
- size_t spkisz)
+ta_validate(const char *fn, struct cert *p, const unsigned char *spki,
+ size_t spkisz)
{
if (p == NULL)
return NULL;
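Review bot: The new block comment on ta_validate() states the return contract but is silent on what happens to `p` when NULL is returned, which is the detail a caller needs most: cert_parse_ta(), proc_parser_file() in filemode.c and the regress main() all overwrite their only reference to the cert with the return value, so if ta_validate() does not free `p` on failure those callers leak it, and if it does free it, the comment should say so because `p` is then dangling. Suggest extending the comment with ` * On failure, p has been freed and must not be used by the caller.` or its opposite, whichever matches the body, which continues outside the hunk. It would also help to say "currently valid" relative to which clock (evaluation time vs. a caller-supplied time), since ta_check_validity() is called from here but its parameters are not in view.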
@@ -2082,7 +2092,7 @@ cert_parse_ta(const char *fn, const unsi
if ((cert = cert_deserialize_and_parse(fn, der, len)) == NULL)
return NULL;
- return ta_parse(fn, cert, spki, spkisz);
+ return ta_validate(fn, cert, spki, spkisz);
}
/*
Index: usr.sbin/rpki-client/extern.h
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v
diff -u -p -r1.275 extern.h
--- usr.sbin/rpki-client/extern.h 27 Jan 2026 08:40:29 -0000 1.275
+++ usr.sbin/rpki-client/extern.h 28 Jan 2026 07:30:56 -0000
@@ -720,7 +720,7 @@ struct cert *cert_parse_ee_cert(const ch
struct cert *cert_parse_ta(const char *, const unsigned char *, size_t,
const unsigned char *, size_t);
struct cert *cert_parse(const char *, const unsigned char *, size_t);
-struct cert *ta_parse(const char *, struct cert *, const unsigned char *,
+struct cert *ta_validate(const char *, struct cert *, const unsigned char *,
size_t);
struct cert *cert_read(struct ibuf *);
void cert_insert_brks(struct brk_tree *, struct cert *);
Index: usr.sbin/rpki-client/filemode.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/filemode.c,v
diff -u -p -r1.79 filemode.c
--- usr.sbin/rpki-client/filemode.c 27 Jan 2026 08:40:29 -0000 1.79
+++ usr.sbin/rpki-client/filemode.c 28 Jan 2026 07:30:56 -0000
@@ -612,7 +612,7 @@ proc_parser_file(char *file, unsigned ch
expires = NULL;
notafter = NULL;
if ((tal = find_tal(cert)) != NULL) {
- cert = ta_parse(file, cert, tal->spki, tal->spkisz);
+ cert = ta_validate(file, cert, tal->spki, tal->spkisz);
status = (cert != NULL);
if (status) {
expires = &cert->expires;
Index: regress/usr.sbin/rpki-client/test-cert.c
===================================================================
RCS file: /cvs/src/regress/usr.sbin/rpki-client/test-cert.c,v
diff -u -p -r1.28 test-cert.c
--- regress/usr.sbin/rpki-client/test-cert.c 20 Jan 2026 16:49:44 -0000 1.28
+++ regress/usr.sbin/rpki-client/test-cert.c 28 Jan 2026 07:30:56 -0000
@@ -85,7 +85,7 @@ main(int argc, char *argv[])
free(buf);
if (p == NULL)
break;
- p = ta_parse(cert_path, p, tal->spki, tal->spkisz);
+ p = ta_validate(cert_path, p, tal->spki, tal->spkisz);
tal_free(tal);
if (p == NULL)
break;