
From:
Claudio Jeker <cjeker@diehard.n-r-g.com>
Subject:
Re: rpki-client: rename ta_parse() to ta_validate()
To:
Theo Buehler <tb@theobuehler.org>
Cc:
tech@openbsd.org
Date:
Wed, 28 Jan 2026 08:56:12 +0100


On Wed, Jan 28, 2026 at 08:41:36AM +0100, Theo Buehler wrote:
> Trivial renaming diff that adds a bit of documentation. As already
> mentioned, ta_parse() doesn't parse the TA, it deserializes the TAL's
> SPKI and compares internal representations. This isn't quite right but
> libcrypto often makes things that should be easy almost impossible.
> Since I forgot this and wasted a lot of time at least twice in this
> specific instance, leave an explicit comment on this in ta_check_pubkey().

Ok claudio@
 
> Index: usr.sbin/rpki-client/cert.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v
> diff -u -p -r1.218 cert.c
> --- usr.sbin/rpki-client/cert.c	27 Jan 2026 08:40:29 -0000	1.218
> +++ usr.sbin/rpki-client/cert.c	28 Jan 2026 07:30:56 -0000
> @@ -1991,7 +1991,11 @@ ta_check_pubkey(const char *fn, struct c
>  	EVP_PKEY	*cert_pkey, *tal_pkey;
>  	int		 rv = 0;
>  
> -	/* first check pubkey against the one from the TAL */
> +	/*
> +	 * We should really verify that the TAL's SPKI is byte-identical with
> +	 * the cert's SPKI. There's no sane way to access the original DER, so
> +	 * comparing internal representations is the best we can do.
> +	 */
>  	tal_pkey = d2i_PUBKEY(NULL, &spki, spkisz);
>  	if (tal_pkey == NULL) {
>  		warnx("%s: RFC 6487 (trust anchor): bad TAL pubkey", fn);
> @@ -2039,9 +2043,15 @@ ta_check_validity(const char *fn, struct
>  	return 1;
>  }
>  
> +/*
> + * Validate a TA against the subjectPublicKeyInfo from the TAL.
> + * Check that the SPKIs match, and that the cert is self-signed
> + * and currently valid.
> + * Returns cert passed in on success or NULL on failure.
> + */
>  struct cert *
> -ta_parse(const char *fn, struct cert *p, const unsigned char *spki,
> -    size_t spkisz)
> +ta_validate(const char *fn, struct cert *p, const unsigned char *spki,
> +     size_t spkisz)
>  {
>  	if (p == NULL)
>  		return NULL;
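Review bot: The new block comment on ta_validate() leaves the ownership of `p` on failure undocumented: both callers touched by this diff (filemode.c and test-cert.c) overwrite their only reference to the cert with the return value, which suggests the function frees `p` before returning NULL, but the comment does not say so and the body continues outside the hunk, so this is inferred rather than verified. If that is the contract, state it in the comment, e.g. ` * On failure, p is freed and NULL is returned; on success p itself is returned.`, since a caller that keeps its own pointer would otherwise double-free or leak depending on which way it guesses. As a style point, the continuation line of the new prototype appears to carry five spaces (`+     size_t spkisz)`) where the removed line had four; keeping the four-space continuation matches the other prototypes in the diff.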
> @@ -2082,7 +2092,7 @@ cert_parse_ta(const char *fn, const unsi
>  	if ((cert = cert_deserialize_and_parse(fn, der, len)) == NULL)
>  		return NULL;
>  
> -	return ta_parse(fn, cert, spki, spkisz);
> +	return ta_validate(fn, cert, spki, spkisz);
>  }
>  
>  /*
> Index: usr.sbin/rpki-client/extern.h
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v
> diff -u -p -r1.275 extern.h
> --- usr.sbin/rpki-client/extern.h	27 Jan 2026 08:40:29 -0000	1.275
> +++ usr.sbin/rpki-client/extern.h	28 Jan 2026 07:30:56 -0000
> @@ -720,7 +720,7 @@ struct cert	*cert_parse_ee_cert(const ch
>  struct cert	*cert_parse_ta(const char *, const unsigned char *, size_t,
>  		    const unsigned char *, size_t);
>  struct cert	*cert_parse(const char *, const unsigned char *, size_t);
> -struct cert	*ta_parse(const char *, struct cert *, const unsigned char *,
> +struct cert	*ta_validate(const char *, struct cert *, const unsigned char *,
>  		    size_t);
>  struct cert	*cert_read(struct ibuf *);
>  void		 cert_insert_brks(struct brk_tree *, struct cert *);
> Index: usr.sbin/rpki-client/filemode.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/filemode.c,v
> diff -u -p -r1.79 filemode.c
> --- usr.sbin/rpki-client/filemode.c	27 Jan 2026 08:40:29 -0000	1.79
> +++ usr.sbin/rpki-client/filemode.c	28 Jan 2026 07:30:56 -0000
> @@ -612,7 +612,7 @@ proc_parser_file(char *file, unsigned ch
>  		expires = NULL;
>  		notafter = NULL;
>  		if ((tal = find_tal(cert)) != NULL) {
> -			cert = ta_parse(file, cert, tal->spki, tal->spkisz);
> +			cert = ta_validate(file, cert, tal->spki, tal->spkisz);
>  			status = (cert != NULL);
>  			if (status) {
>  				expires = &cert->expires;
> Index: regress/usr.sbin/rpki-client/test-cert.c
> ===================================================================
> RCS file: /cvs/src/regress/usr.sbin/rpki-client/test-cert.c,v
> diff -u -p -r1.28 test-cert.c
> --- regress/usr.sbin/rpki-client/test-cert.c	20 Jan 2026 16:49:44 -0000	1.28
> +++ regress/usr.sbin/rpki-client/test-cert.c	28 Jan 2026 07:30:56 -0000
> @@ -85,7 +85,7 @@ main(int argc, char *argv[])
>  			free(buf);
>  			if (p == NULL)
>  				break;
> -			p = ta_parse(cert_path, p, tal->spki, tal->spkisz);
> +			p = ta_validate(cert_path, p, tal->spki, tal->spkisz);
>  			tal_free(tal);
>  			if (p == NULL)
>  				break;
> 

-- 
:wq Claudio