From: Theo Buehler Subject: Re: rpki-client: clean up aspa handling To: tech@openbsd.org Date: Fri, 18 Jul 2025 22:02:14 +0200 Here's the full diff for all CMS signed objects except manifests. It's again pretty big, but it's much simpler than the cert ** one. First, remove AIA, AKI, SIA (where available), SKI, notbefore, notafter from the signed object and .c files. The only special case here is .tak which gets a cert->aki check, matching its warning better. Since we no longer need these members, this reduces the memory footprint a bit and also pushes a bit less data across the privsep boundaries. I doubt this is easily measurable, but it is still nice. For parser.c we pass the cert->aki directly to find_issuer() rather than copying it to the signed object first then passing that. The only slightly tricky bit is to make sure we free the cert only after the expiry calculation. .gbr and .tak forget to handle their expiry member. I left an XXX for later. extern.h drops all the unused struct members and adjusts the printing functions to use a cert rather than an X509. The filemode is held completely stupid, the printing is entirely mechanical as is regress. There. The refactor finally reached the point where more code was removed than added in the last few weeks, while making many things stricter, more consistent and correct - hopefully without introducing too many new bugs. It's nice that we can ditch complexity from normal mode without really punishing file mode except perhaps the printers a little bit. Of course, file mode remains an eyesore and a pool of endless silliness, but I think we got a bit closer to the point where we have a fighting chance of cleaning that horrid mess up. 
Index: usr.sbin/rpki-client/aspa.c =================================================================== RCS file: /cvs/src/usr.sbin/rpki-client/aspa.c,v diff -u -p -r1.33 aspa.c --- usr.sbin/rpki-client/aspa.c 18 Jul 2025 12:20:32 -0000 1.33 +++ usr.sbin/rpki-client/aspa.c 18 Jul 2025 18:32:00 -0000 @@ -183,17 +183,6 @@ aspa_parse(struct cert **out_cert, const aspa->signtime = signtime; - aspa->aia = strdup(cert->aia); - aspa->aki = strdup(cert->aki); - aspa->sia = strdup(cert->signedobj); - aspa->ski = strdup(cert->ski); - if (aspa->aia == NULL || aspa->aki == NULL || aspa->sia == NULL || - aspa->ski == NULL) - err(1, NULL); - - aspa->notbefore = cert->notbefore; - aspa->notafter = cert->notafter; - if (cert->num_ips > 0) { warnx("%s: superfluous IP Resources extension present", fn); goto out; @@ -233,10 +222,6 @@ aspa_free(struct aspa *p) if (p == NULL) return; - free(p->aia); - free(p->aki); - free(p->sia); - free(p->ski); free(p->providers); free(p); } @@ -256,10 +241,6 @@ aspa_buffer(struct ibuf *b, const struct io_simple_buffer(b, &p->num_providers, sizeof(size_t)); io_simple_buffer(b, p->providers, p->num_providers * sizeof(p->providers[0])); - - io_str_buffer(b, p->aia); - io_str_buffer(b, p->aki); - io_str_buffer(b, p->ski); } /* @@ -289,11 +270,6 @@ aspa_read(struct ibuf *b) io_read_buf(b, p->providers, p->num_providers * sizeof(p->providers[0])); } - - io_read_str(b, &p->aia); - io_read_str(b, &p->aki); - io_read_str(b, &p->ski); - assert(p->aia && p->aki && p->ski); return p; } Index: usr.sbin/rpki-client/gbr.c =================================================================== RCS file: /cvs/src/usr.sbin/rpki-client/gbr.c,v diff -u -p -r1.33 gbr.c --- usr.sbin/rpki-client/gbr.c 18 Jul 2025 12:20:32 -0000 1.33 +++ usr.sbin/rpki-client/gbr.c 18 Jul 2025 18:32:00 -0000 
@@ -69,17 +69,6 @@ gbr_parse(struct cert **out_cert, const free(cms); cms = NULL; - gbr->aia = strdup(cert->aia); - gbr->aki = strdup(cert->aki); - gbr->sia = strdup(cert->signedobj); - gbr->ski = strdup(cert->ski); - if (gbr->aia == NULL || gbr->aki == NULL || gbr->sia == NULL || - gbr->ski == NULL) - err(1, NULL); - - gbr->notbefore = cert->notbefore; - gbr->notafter = cert->notafter; - if (!x509_inherits(cert->x509)) { warnx("%s: RFC 3779 extension not set to inherit", fn); goto out; @@ -103,13 +92,9 @@ gbr_parse(struct cert **out_cert, const void gbr_free(struct gbr *p) { - if (p == NULL) return; - free(p->aia); - free(p->aki); - free(p->sia); - free(p->ski); + free(p->vcard); free(p); } Index: usr.sbin/rpki-client/geofeed.c =================================================================== RCS file: /cvs/src/usr.sbin/rpki-client/geofeed.c,v diff -u -p -r1.20 geofeed.c --- usr.sbin/rpki-client/geofeed.c 18 Jul 2025 12:20:32 -0000 1.20 +++ usr.sbin/rpki-client/geofeed.c 18 Jul 2025 18:32:00 -0000 @@ -233,20 +233,6 @@ geofeed_parse(struct cert **out_cert, co geofeed_oid, bio, &geofeed->signtime)) goto out; - /* - * Not distributed via RPKI repositories, so no SIA. Would've been nice - * if RFC 9632 had followed RFC 9323's example and made that explicit. - */ - geofeed->aia = strdup(cert->aia); - geofeed->aki = strdup(cert->aki); - geofeed->ski = strdup(cert->ski); - if (geofeed->aia == NULL || geofeed->aki == NULL || - geofeed->ski == NULL) - err(1, NULL); - - geofeed->notbefore = cert->notbefore; - geofeed->notafter = cert->notafter; - if (x509_any_inherits(cert->x509)) { warnx("%s: inherit elements not allowed in EE cert", fn); goto out; 
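Review bot: The added `free(p->vcard);` in gbr_free is more than dropping dead members: going by the hunk counts (13 old lines, 9 new), the old function never released the vCard, so this is a leak fix bundled into the cleanup. It deserves a sentence in the commit message, and a quick check that no other path frees the same member now that gbr_free does. The rest of the gbr_free hunk only removes the four string frees, which matches the struct change in extern.h.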
@@ -294,8 +280,5 @@ geofeed_free(struct geofeed *p) } free(p->geoips); - free(p->aia); - free(p->aki); - free(p->ski); free(p); } Index: usr.sbin/rpki-client/roa.c =================================================================== RCS file: /cvs/src/usr.sbin/rpki-client/roa.c,v diff -u -p -r1.81 roa.c --- usr.sbin/rpki-client/roa.c 18 Jul 2025 12:20:32 -0000 1.81 +++ usr.sbin/rpki-client/roa.c 18 Jul 2025 18:32:00 -0000 @@ -256,17 +256,6 @@ roa_parse(struct cert **out_cert, const err(1, NULL); roa->signtime = signtime; - roa->aia = strdup(cert->aia); - roa->aki = strdup(cert->aki); - roa->sia = strdup(cert->signedobj); - roa->ski = strdup(cert->ski); - if (roa->aia == NULL || roa->aki == NULL || roa->sia == NULL || - roa->ski == NULL) - err(1, NULL); - - roa->notbefore = cert->notbefore; - roa->notafter = cert->notafter; - if (!roa_parse_econtent(fn, roa, cms, cmsz)) goto out; @@ -315,10 +304,6 @@ roa_free(struct roa *p) if (p == NULL) return; - free(p->aia); - free(p->aki); - free(p->sia); - free(p->ski); free(p->ips); free(p); } @@ -337,10 +322,6 @@ roa_buffer(struct ibuf *b, const struct io_simple_buffer(b, &p->expires, sizeof(p->expires)); io_simple_buffer(b, p->ips, p->num_ips * sizeof(p->ips[0])); - - io_str_buffer(b, p->aia); - io_str_buffer(b, p->aki); - io_str_buffer(b, p->ski); } /* @@ -367,11 +348,6 @@ roa_read(struct ibuf *b) err(1, NULL); io_read_buf(b, p->ips, p->num_ips * sizeof(p->ips[0])); } - - io_read_str(b, &p->aia); - io_read_str(b, &p->aki); - io_read_str(b, &p->ski); - assert(p->aia && p->aki && p->ski); return p; } Index: usr.sbin/rpki-client/rsc.c =================================================================== RCS file: /cvs/src/usr.sbin/rpki-client/rsc.c,v diff -u -p -r1.38 rsc.c --- usr.sbin/rpki-client/rsc.c 18 Jul 2025 12:20:32 -0000 1.38 +++ usr.sbin/rpki-client/rsc.c 18 Jul 2025 18:32:00 -0000 
@@ -401,21 +401,6 @@ rsc_parse(struct cert **out_cert, const err(1, NULL); rsc->signtime = signtime; - /* RFC 9323, 2: not distributed via RPKI repositories, hence no SIA. */ - rsc->aia = strdup(cert->aia); - rsc->aki = strdup(cert->aki); - rsc->ski = strdup(cert->ski); - if (rsc->aia == NULL || rsc->aki == NULL || rsc->ski == NULL) - err(1, NULL); - - rsc->notbefore = cert->notbefore; - rsc->notafter = cert->notafter; - - if (cert->signedobj != NULL) { - warnx("%s: RSC: EE cert must not have an SIA extension", fn); - goto out; - } - if (x509_any_inherits(cert->x509)) { warnx("%s: inherit elements not allowed in EE cert", fn); goto out; @@ -455,9 +440,6 @@ rsc_free(struct rsc *p) for (i = 0; i < p->num_files; i++) free(p->files[i].filename); - free(p->aia); - free(p->aki); - free(p->ski); free(p->ips); free(p->ases); free(p->files); Index: usr.sbin/rpki-client/spl.c =================================================================== RCS file: /cvs/src/usr.sbin/rpki-client/spl.c,v diff -u -p -r1.8 spl.c --- usr.sbin/rpki-client/spl.c 18 Jul 2025 12:20:32 -0000 1.8 +++ usr.sbin/rpki-client/spl.c 18 Jul 2025 18:32:00 -0000 @@ -263,17 +263,6 @@ spl_parse(struct cert **out_cert, const err(1, NULL); spl->signtime = signtime; - spl->aia = strdup(cert->aia); - spl->aki = strdup(cert->aki); - spl->sia = strdup(cert->signedobj); - spl->ski = strdup(cert->ski); - if (spl->aia == NULL || spl->aki == NULL || spl->sia == NULL || - spl->ski == NULL) - err(1, NULL); - - spl->notbefore = cert->notbefore; - spl->notafter = cert->notafter; - if (!spl_parse_econtent(fn, spl, cms, cmsz)) goto out; @@ -318,10 +307,6 @@ spl_free(struct spl *s) if (s == NULL) return; - free(s->aia); - free(s->aki); - free(s->sia); - free(s->ski); free(s->prefixes); free(s); } @@ -341,10 +326,6 @@ spl_buffer(struct ibuf *b, const struct io_simple_buffer(b, s->prefixes, s->num_prefixes * sizeof(s->prefixes[0])); - - io_str_buffer(b, s->aia); - io_str_buffer(b, s->aki); - io_str_buffer(b, s->ski); } /* 
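Review bot: rsc_parse loses the check `if (cert->signedobj != NULL) { warnx("%s: RSC: EE cert must not have an SIA extension", fn); goto out; }` together with the members, and neither the hunk nor the description says where that RFC 9323 requirement is enforced now. If the earlier cert diff moved the rejection into the EE cert parsing for RSC, a short mention in the description would help the next reader; if it did not, those three lines should stay, since they reject a malformed EE cert rather than merely mirror a struct field. The other parsers in this diff only lose copies of data, so this hunk is the one where validation rather than bookkeeping changes.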
@@ -373,11 +354,6 @@ spl_read(struct ibuf *b) io_read_buf(b, s->prefixes, s->num_prefixes * sizeof(s->prefixes[0])); } - - io_read_str(b, &s->aia); - io_read_str(b, &s->aki); - io_read_str(b, &s->ski); - assert(s->aia && s->aki && s->ski); return s; } Index: usr.sbin/rpki-client/tak.c =================================================================== RCS file: /cvs/src/usr.sbin/rpki-client/tak.c,v diff -u -p -r1.23 tak.c --- usr.sbin/rpki-client/tak.c 18 Jul 2025 12:20:32 -0000 1.23 +++ usr.sbin/rpki-client/tak.c 18 Jul 2025 18:32:00 -0000 @@ -226,17 +226,6 @@ tak_parse(struct cert **out_cert, const err(1, NULL); tak->signtime = signtime; - tak->aia = strdup(cert->aia); - tak->aki = strdup(cert->aki); - tak->sia = strdup(cert->signedobj); - tak->ski = strdup(cert->ski); - if (tak->aia == NULL || tak->aki == NULL || tak->sia == NULL || - tak->ski == NULL) - err(1, NULL); - - tak->notbefore = cert->notbefore; - tak->notafter = cert->notafter; - if (!x509_inherits(cert->x509)) { warnx("%s: RFC 3779 extension not set to inherit", fn); goto out; @@ -245,7 +234,7 @@ tak_parse(struct cert **out_cert, const if (!tak_parse_econtent(fn, tak, cms, cmsz)) goto out; - if (strcmp(tak->aki, tak->current->ski) != 0) { + if (strcmp(cert->aki, tak->current->ski) != 0) { warnx("%s: current TAKey's SKI does not match EE AKI", fn); goto out; } @@ -301,10 +290,5 @@ tak_free(struct tak *t) takey_free(t->current); takey_free(t->predecessor); takey_free(t->successor); - - free(t->aia); - free(t->aki); - free(t->sia); - free(t->ski); free(t); } Index: usr.sbin/rpki-client/parser.c =================================================================== RCS file: /cvs/src/usr.sbin/rpki-client/parser.c,v diff -u -p -r1.164 parser.c --- usr.sbin/rpki-client/parser.c 18 Jul 2025 12:20:32 -0000 1.164 +++ usr.sbin/rpki-client/parser.c 18 Jul 2025 18:32:00 -0000 
@@ -195,7 +195,7 @@ proc_parser_roa(char *file, const unsign if ((roa = roa_parse(&cert, file, entp->talid, der, len)) == NULL) goto out; - a = find_issuer(file, entp->certid, roa->aki, entp->mftaki); + a = find_issuer(file, entp->certid, cert->aki, entp->mftaki); if (a == NULL) goto out; crl = crl_get(&crls, a); @@ -204,12 +204,11 @@ proc_parser_roa(char *file, const unsign warnx("%s: %s", file, errstr); goto out; } - cert_free(cert); - cert = NULL; roa->talid = a->cert->talid; - roa->expires = x509_find_expires(roa->notafter, a, &crls); + roa->expires = x509_find_expires(cert->notafter, a, &crls); + cert_free(cert); return roa; @@ -237,7 +236,7 @@ proc_parser_spl(char *file, const unsign if ((spl = spl_parse(&cert, file, entp->talid, der, len)) == NULL) goto out; - a = find_issuer(file, entp->certid, spl->aki, entp->mftaki); + a = find_issuer(file, entp->certid, cert->aki, entp->mftaki); if (a == NULL) goto out; crl = crl_get(&crls, a); @@ -246,12 +245,11 @@ proc_parser_spl(char *file, const unsign warnx("%s: %s", file, errstr); goto out; } - cert_free(cert); - cert = NULL; spl->talid = a->cert->talid; - spl->expires = x509_find_expires(spl->notafter, a, &crls); + spl->expires = x509_find_expires(cert->notafter, a, &crls); + cert_free(cert); return spl; @@ -751,7 +749,7 @@ proc_parser_gbr(char *file, const unsign if ((gbr = gbr_parse(&cert, file, entp->talid, der, len)) == NULL) goto out; - a = find_issuer(file, entp->certid, gbr->aki, entp->mftaki); + a = find_issuer(file, entp->certid, cert->aki, entp->mftaki); if (a == NULL) goto out; crl = crl_get(&crls, a); @@ -760,11 +758,12 @@ proc_parser_gbr(char *file, const unsign warnx("%s: %s", file, errstr); goto out; } - cert_free(cert); - cert = NULL; gbr->talid = a->cert->talid; + /* XXX - gbr->expires? */ + cert_free(cert); + return gbr; out: 
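Review bot: In proc_parser_gbr the `/* XXX - gbr->expires? */` now sits at a point where `cert`, `a` and `crls` are all still live, so the open question can be closed the same way the roa, spl and aspa hunks in this diff do it: `gbr->expires = x509_find_expires(cert->notafter, a, &crls);` placed before `cert_free(cert);`. The same applies to the `/* XXX - tak->expires? */` in the proc_parser_tak hunk below. Until then gbr->expires and tak->expires stay zero, and the printers' `if (p->expires)` guard silently omits the field for those two types; if that is the intended behaviour for now, the XXX could say so. I cannot see the `out:` labels from here, so I assume they still free `cert` on the error paths that previously relied on `cert = NULL`.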
@@ -790,7 +789,7 @@ proc_parser_aspa(char *file, const unsig if ((aspa = aspa_parse(&cert, file, entp->talid, der, len)) == NULL) goto out; - a = find_issuer(file, entp->certid, aspa->aki, entp->mftaki); + a = find_issuer(file, entp->certid, cert->aki, entp->mftaki); if (a == NULL) goto out; crl = crl_get(&crls, a); @@ -799,12 +798,11 @@ proc_parser_aspa(char *file, const unsig warnx("%s: %s", file, errstr); goto out; } - cert_free(cert); - cert = NULL; aspa->talid = a->cert->talid; - aspa->expires = x509_find_expires(aspa->notafter, a, &crls); + aspa->expires = x509_find_expires(cert->notafter, a, &crls); + cert_free(cert); return aspa; @@ -831,7 +829,7 @@ proc_parser_tak(char *file, const unsign if ((tak = tak_parse(&cert, file, entp->talid, der, len)) == NULL) goto out; - a = find_issuer(file, entp->certid, tak->aki, entp->mftaki); + a = find_issuer(file, entp->certid, cert->aki, entp->mftaki); if (a == NULL) goto out; crl = crl_get(&crls, a); @@ -840,14 +838,15 @@ proc_parser_tak(char *file, const unsign warnx("%s: %s", file, errstr); goto out; } - cert_free(cert); - cert = NULL; /* TAK EE must be signed by self-signed CA */ if (a->issuer != NULL) goto out; tak->talid = a->cert->talid; + + /* XXX - tak->expires? */ + cert_free(cert); return tak; Index: usr.sbin/rpki-client/extern.h =================================================================== RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v diff -u -p -r1.250 extern.h --- usr.sbin/rpki-client/extern.h 18 Jul 2025 13:19:59 -0000 1.250 +++ usr.sbin/rpki-client/extern.h 18 Jul 2025 18:32:00 -0000 
@@ -270,13 +270,7 @@ struct roa { size_t num_ips; int talid; /* ROAs are covered by which TAL */ int valid; /* validated resources */ - char *aia; /* AIA */ - char *aki; /* AKI */ - char *sia; /* SIA signedObject */ - char *ski; /* SKI */ time_t signtime; /* CMS signing-time attribute */ - time_t notbefore; /* EE cert's Not Before */ - time_t notafter; /* EE cert's Not After */ time_t expires; /* when the signature path expires */ }; @@ -297,12 +291,7 @@ struct rsc { size_t num_ases; struct rscfile *files; /* FileAndHashes in the RSC */ size_t num_files; - char *aia; /* AIA */ - char *aki; /* AKI */ - char *ski; /* SKI */ time_t signtime; /* CMS signing-time attribute */ - time_t notbefore; /* EE cert's Not Before */ - time_t notafter; /* Not After of the RSC EE */ time_t expires; /* when the signature path expires */ }; @@ -323,13 +312,7 @@ struct spl { struct spl_pfx *prefixes; size_t num_prefixes; int talid; - char *aia; - char *aki; - char *sia; - char *ski; time_t signtime; /* CMS signing-time attribute */ - time_t notbefore; /* EE cert's Not Before */ - time_t notafter; /* EE cert's Not After */ time_t expires; /* when the certification path expires */ int valid; }; @@ -355,13 +338,7 @@ struct tak { struct takey *current; struct takey *predecessor; struct takey *successor; - char *aia; /* AIA */ - char *aki; /* AKI */ - char *sia; /* SIA signed Object */ - char *ski; /* SKI */ time_t signtime; /* CMS signing-time attribute */ - time_t notbefore; /* EE cert's Not Before */ - time_t notafter; /* Not After of the TAK EE */ time_t expires; /* when the signature path expires */ }; 
@@ -379,12 +356,7 @@ struct geoip { struct geofeed { struct geoip *geoips; /* Prefix + location entry in the CSV */ size_t num_geoips; - char *aia; /* AIA */ - char *aki; /* AKI */ - char *ski; /* SKI */ time_t signtime; /* CMS signing-time attribute */ - time_t notbefore; /* EE cert's Not Before */ - time_t notafter; /* Not After of the Geofeed EE */ time_t expires; /* when the signature path expires */ int valid; /* all resources covered */ }; @@ -394,13 +366,7 @@ struct geofeed { */ struct gbr { char *vcard; - char *aia; /* AIA */ - char *aki; /* AKI */ - char *sia; /* SIA signedObject */ - char *ski; /* SKI */ time_t signtime; /* CMS signing-time attribute */ - time_t notbefore; /* EE cert's Not Before */ - time_t notafter; /* Not After of the GBR EE */ time_t expires; /* when the signature path expires */ int talid; /* TAL the GBR is chained up to */ }; @@ -411,16 +377,10 @@ struct gbr { struct aspa { int valid; /* contained in issuer auth */ int talid; /* TAL the ASPA is chained up to */ - char *aia; /* AIA */ - char *aki; /* AKI */ - char *sia; /* SIA signedObject */ - char *ski; /* SKI */ uint32_t custasid; /* the customerASID */ uint32_t *providers; /* the providers */ size_t num_providers; time_t signtime; /* CMS signing-time attribute */ - time_t notbefore; /* EE cert's Not Before */ - time_t notafter; /* notAfter of the ASPA EE cert */ time_t expires; /* when the signature path expires */ }; 
@@ -974,13 +934,13 @@ void tal_print(const struct tal *); void cert_print(const struct cert *); void crl_print(const struct crl *); void mft_print(const X509 *, const struct mft *); -void roa_print(const X509 *, const struct roa *); -void gbr_print(const X509 *, const struct gbr *); -void rsc_print(const X509 *, const struct rsc *); -void aspa_print(const X509 *, const struct aspa *); -void tak_print(const X509 *, const struct tak *); -void geofeed_print(const X509 *, const struct geofeed *); -void spl_print(const X509 *, const struct spl *); +void roa_print(const struct cert *, const struct roa *); +void gbr_print(const struct cert *, const struct gbr *); +void rsc_print(const struct cert *, const struct rsc *); +void aspa_print(const struct cert *, const struct aspa *); +void tak_print(const struct cert *, const struct tak *); +void geofeed_print(const struct cert *, const struct geofeed *); +void spl_print(const struct cert *, const struct spl *); /* Missing RFC 3779 API */ IPAddrBlocks *IPAddrBlocks_new(void); Index: usr.sbin/rpki-client/filemode.c =================================================================== RCS file: /cvs/src/usr.sbin/rpki-client/filemode.c,v diff -u -p -r1.64 filemode.c --- usr.sbin/rpki-client/filemode.c 18 Jul 2025 12:20:32 -0000 1.64 +++ usr.sbin/rpki-client/filemode.c 18 Jul 2025 18:32:00 -0000 @@ -400,10 +400,10 @@ proc_parser_file(char *file, unsigned ch aspa = aspa_parse(&cert, file, -1, buf, len); if (aspa == NULL) break; - aia = aspa->aia; + aia = cert->aia; expires = &aspa->expires; - notbefore = &aspa->notbefore; - notafter = &aspa->notafter; + notbefore = &cert->notbefore; + notafter = &cert->notafter; break; case RTYPE_CER: cert = cert_parse(file, buf, len); 
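Review bot: `aia`, `notbefore` and `notafter` in proc_parser_file now point into `cert` rather than into the parsed object, so `cert` must outlive every later use of those pointers where the object's lifetime used to be enough. The rest of proc_parser_file is outside this hunk, so please confirm that `cert` is neither freed nor replaced (for example on the validation or error paths) before those values are printed. The same holds for every case in the `@@ -434` filemode.c hunk below. A one-line comment at the first such assignment, `/* aia/notbefore/notafter point into cert; keep it alive until printing */`, would make the contract visible.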
@@ -434,55 +434,55 @@ proc_parser_file(char *file, unsigned ch gbr = gbr_parse(&cert, file, -1, buf, len); if (gbr == NULL) break; - aia = gbr->aia; + aia = cert->aia; expires = &gbr->expires; - notbefore = &gbr->notbefore; - notafter = &gbr->notafter; + notbefore = &cert->notbefore; + notafter = &cert->notafter; break; case RTYPE_GEOFEED: geofeed = geofeed_parse(&cert, file, -1, buf, len); if (geofeed == NULL) break; - aia = geofeed->aia; + aia = cert->aia; expires = &geofeed->expires; - notbefore = &geofeed->notbefore; - notafter = &geofeed->notafter; + notbefore = &cert->notbefore; + notafter = &cert->notafter; break; case RTYPE_ROA: roa = roa_parse(&cert, file, -1, buf, len); if (roa == NULL) break; - aia = roa->aia; + aia = cert->aia; expires = &roa->expires; - notbefore = &roa->notbefore; - notafter = &roa->notafter; + notbefore = &cert->notbefore; + notafter = &cert->notafter; break; case RTYPE_RSC: rsc = rsc_parse(&cert, file, -1, buf, len); if (rsc == NULL) break; - aia = rsc->aia; + aia = cert->aia; expires = &rsc->expires; - notbefore = &rsc->notbefore; - notafter = &rsc->notafter; + notbefore = &cert->notbefore; + notafter = &cert->notafter; break; case RTYPE_SPL: spl = spl_parse(&cert, file, -1, buf, len); if (spl == NULL) break; - aia = spl->aia; + aia = cert->aia; expires = &spl->expires; - notbefore = &spl->notbefore; - notafter = &spl->notafter; + notbefore = &cert->notbefore; + notafter = &cert->notafter; break; case RTYPE_TAK: tak = tak_parse(&cert, file, -1, buf, len); if (tak == NULL) break; - aia = tak->aia; + aia = cert->aia; expires = &tak->expires; - notbefore = &tak->notbefore; - notafter = &tak->notafter; + notbefore = &cert->notbefore; + notafter = &cert->notafter; break; case RTYPE_TAL: tal = tal_parse(file, buf, len); 
@@ -553,31 +553,31 @@ proc_parser_file(char *file, unsigned ch switch (type) { case RTYPE_ASPA: - aspa_print(cert->x509, aspa); + aspa_print(cert, aspa); break; case RTYPE_CER: cert_print(cert); break; case RTYPE_GBR: - gbr_print(cert->x509, gbr); + gbr_print(cert, gbr); break; case RTYPE_GEOFEED: - geofeed_print(cert->x509, geofeed); + geofeed_print(cert, geofeed); break; case RTYPE_MFT: mft_print(cert->x509, mft); break; case RTYPE_ROA: - roa_print(cert->x509, roa); + roa_print(cert, roa); break; case RTYPE_RSC: - rsc_print(cert->x509, rsc); + rsc_print(cert, rsc); break; case RTYPE_SPL: - spl_print(cert->x509, spl); + spl_print(cert, spl); break; case RTYPE_TAK: - tak_print(cert->x509, tak); + tak_print(cert, tak); break; default: break; Index: usr.sbin/rpki-client/print.c =================================================================== RCS file: /cvs/src/usr.sbin/rpki-client/print.c,v diff -u -p -r1.61 print.c --- usr.sbin/rpki-client/print.c 16 Jun 2025 14:50:56 -0000 1.61 +++ usr.sbin/rpki-client/print.c 18 Jul 2025 18:32:00 -0000 
@@ -508,36 +508,36 @@ mft_print(const X509 *x, const struct mf } void -roa_print(const X509 *x, const struct roa *p) +roa_print(const struct cert *c, const struct roa *p) { char buf[128]; size_t i; if (outformats & FORMAT_JSON) { json_do_string("type", "roa"); - json_do_string("ski", p->ski); - x509_print(x); - json_do_string("aki", p->aki); - json_do_string("aia", p->aia); - json_do_string("sia", p->sia); + json_do_string("ski", c->ski); + x509_print(c->x509); + json_do_string("aki", c->aki); + json_do_string("aia", c->aia); + json_do_string("sia", c->signedobj); if (p->signtime != 0) json_do_int("signing_time", p->signtime); - json_do_int("valid_since", p->notbefore); - json_do_int("valid_until", p->notafter); + json_do_int("valid_since", c->notbefore); + json_do_int("valid_until", c->notafter); if (p->expires) json_do_int("expires", p->expires); } else { - printf("Subject key identifier: %s\n", pretty_key_id(p->ski)); - x509_print(x); - printf("Authority key identifier: %s\n", pretty_key_id(p->aki)); - printf("Authority info access: %s\n", p->aia); - printf("Subject info access: %s\n", p->sia); + printf("Subject key identifier: %s\n", pretty_key_id(c->ski)); + x509_print(c->x509); + printf("Authority key identifier: %s\n", pretty_key_id(c->aki)); + printf("Authority info access: %s\n", c->aia); + printf("Subject info access: %s\n", c->signedobj); if (p->signtime != 0) printf("Signing time: %s\n", time2str(p->signtime)); printf("ROA not before: %s\n", - time2str(p->notbefore)); - printf("ROA not after: %s\n", time2str(p->notafter)); + time2str(c->notbefore)); + printf("ROA not after: %s\n", time2str(c->notafter)); printf("asID: %u\n", p->asid); printf("IP address blocks: "); } 
@@ -564,37 +564,37 @@ roa_print(const X509 *x, const struct ro } void -spl_print(const X509 *x, const struct spl *s) +spl_print(const struct cert *c, const struct spl *s) { char buf[128]; size_t i; if (outformats & FORMAT_JSON) { json_do_string("type", "spl"); - json_do_string("ski", s->ski); - x509_print(x); - json_do_string("aki", s->aki); - json_do_string("aia", s->aia); - json_do_string("sia", s->sia); + json_do_string("ski", c->ski); + x509_print(c->x509); + json_do_string("aki", c->aki); + json_do_string("aia", c->aia); + json_do_string("sia", c->signedobj); if (s->signtime != 0) json_do_int("signing_time", s->signtime); - json_do_int("valid_since", s->notbefore); - json_do_int("valid_until", s->notafter); + json_do_int("valid_since", c->notbefore); + json_do_int("valid_until", c->notafter); if (s->expires) json_do_int("expires", s->expires); json_do_int("asid", s->asid); } else { - printf("Subject key identifier: %s\n", pretty_key_id(s->ski)); - x509_print(x); - printf("Authority key identifier: %s\n", pretty_key_id(s->aki)); - printf("Authority info access: %s\n", s->aia); - printf("Subject info access: %s\n", s->sia); + printf("Subject key identifier: %s\n", pretty_key_id(c->ski)); + x509_print(c->x509); + printf("Authority key identifier: %s\n", pretty_key_id(c->aki)); + printf("Authority info access: %s\n", c->aia); + printf("Subject info access: %s\n", c->signedobj); if (s->signtime != 0) printf("Signing time: %s\n", time2str(s->signtime)); printf("SPL not before: %s\n", - time2str(s->notbefore)); - printf("SPL not after: %s\n", time2str(s->notafter)); + time2str(c->notbefore)); + printf("SPL not after: %s\n", time2str(c->notafter)); printf("asID: %u\n", s->asid); printf("Originated IP Prefixes: "); } 
@@ -618,68 +618,68 @@ spl_print(const X509 *x, const struct sp } void -gbr_print(const X509 *x, const struct gbr *p) +gbr_print(const struct cert *c, const struct gbr *p) { if (outformats & FORMAT_JSON) { json_do_string("type", "gbr"); - json_do_string("ski", p->ski); - x509_print(x); - json_do_string("aki", p->aki); - json_do_string("aia", p->aia); - json_do_string("sia", p->sia); + json_do_string("ski", c->ski); + x509_print(c->x509); + json_do_string("aki", c->aki); + json_do_string("aia", c->aia); + json_do_string("sia", c->signedobj); if (p->signtime != 0) json_do_int("signing_time", p->signtime); - json_do_int("valid_since", p->notbefore); - json_do_int("valid_until", p->notafter); + json_do_int("valid_since", c->notbefore); + json_do_int("valid_until", c->notafter); if (p->expires) json_do_int("expires", p->expires); json_do_string("vcard", p->vcard); } else { - printf("Subject key identifier: %s\n", pretty_key_id(p->ski)); - x509_print(x); - printf("Authority key identifier: %s\n", pretty_key_id(p->aki)); - printf("Authority info access: %s\n", p->aia); - printf("Subject info access: %s\n", p->sia); + printf("Subject key identifier: %s\n", pretty_key_id(c->ski)); + x509_print(c->x509); + printf("Authority key identifier: %s\n", pretty_key_id(c->aki)); + printf("Authority info access: %s\n", c->aia); + printf("Subject info access: %s\n", c->signedobj); if (p->signtime != 0) printf("Signing time: %s\n", time2str(p->signtime)); printf("GBR not before: %s\n", - time2str(p->notbefore)); - printf("GBR not after: %s\n", time2str(p->notafter)); + time2str(c->notbefore)); + printf("GBR not after: %s\n", time2str(c->notafter)); printf("vcard:\n%s", p->vcard); } } void -rsc_print(const X509 *x, const struct rsc *p) +rsc_print(const struct cert *c, const struct rsc *p) { char *hash; size_t i; if (outformats & FORMAT_JSON) { json_do_string("type", "rsc"); - json_do_string("ski", p->ski); - x509_print(x); - json_do_string("aki", p->aki); - json_do_string("aia", p->aia); 
+ json_do_string("ski", c->ski); + x509_print(c->x509); + json_do_string("aki", c->aki); + json_do_string("aia", c->aia); if (p->signtime != 0) json_do_int("signing_time", p->signtime); - json_do_int("valid_since", p->notbefore); - json_do_int("valid_until", p->notafter); + json_do_int("valid_since", c->notbefore); + json_do_int("valid_until", c->notafter); if (p->expires) - json_do_int("expires", p->expires); + json_do_int("expires", c->expires); json_do_array("signed_with_resources"); } else { - printf("Subject key identifier: %s\n", pretty_key_id(p->ski)); - printf("Authority key identifier: %s\n", pretty_key_id(p->aki)); - x509_print(x); - printf("Authority info access: %s\n", p->aia); + printf("Subject key identifier: %s\n", pretty_key_id(c->ski)); + printf("Authority key identifier: %s\n", pretty_key_id(c->aki)); + x509_print(c->x509); + printf("Authority info access: %s\n", c->aia); if (p->signtime != 0) printf("Signing time: %s\n", time2str(p->signtime)); printf("RSC not before: %s\n", - time2str(p->notbefore)); - printf("RSC not after: %s\n", time2str(p->notafter)); + time2str(c->notbefore)); + printf("RSC not after: %s\n", time2str(c->notafter)); printf("Signed with resources: "); } 
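Review bot: In rsc_print the JSON branch now tests `p->expires` but prints `c->expires`: `if (p->expires) json_do_int("expires", c->expires);`. Every other printer in this diff keeps `p->expires` on both sides, and the guard and the value must refer to the same field, so this looks like a slip while replacing `p->` with `c->`; it should read `json_do_int("expires", p->expires);`. Assuming struct cert carries an expires member (otherwise this would not compile), the line as written reports the EE cert's expiry rather than the RSC's, which the text branch does not do.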
@@ -720,37 +720,37 @@ rsc_print(const X509 *x, const struct rs } void -aspa_print(const X509 *x, const struct aspa *p) +aspa_print(const struct cert *c, const struct aspa *p) { size_t i; if (outformats & FORMAT_JSON) { json_do_string("type", "aspa"); - json_do_string("ski", p->ski); - x509_print(x); - json_do_string("aki", p->aki); - json_do_string("aia", p->aia); - json_do_string("sia", p->sia); + json_do_string("ski", c->ski); + x509_print(c->x509); + json_do_string("aki", c->aki); + json_do_string("aia", c->aia); + json_do_string("sia", c->signedobj); if (p->signtime != 0) json_do_int("signing_time", p->signtime); - json_do_int("valid_since", p->notbefore); - json_do_int("valid_until", p->notafter); + json_do_int("valid_since", c->notbefore); + json_do_int("valid_until", c->notafter); if (p->expires) json_do_int("expires", p->expires); json_do_uint("customer_asid", p->custasid); json_do_array("providers"); } else { - printf("Subject key identifier: %s\n", pretty_key_id(p->ski)); - x509_print(x); - printf("Authority key identifier: %s\n", pretty_key_id(p->aki)); - printf("Authority info access: %s\n", p->aia); - printf("Subject info access: %s\n", p->sia); + printf("Subject key identifier: %s\n", pretty_key_id(c->ski)); + x509_print(c->x509); + printf("Authority key identifier: %s\n", pretty_key_id(c->aki)); + printf("Authority info access: %s\n", c->aia); + printf("Subject info access: %s\n", c->signedobj); if (p->signtime != 0) printf("Signing time: %s\n", time2str(p->signtime)); printf("ASPA not before: %s\n", - time2str(p->notbefore)); - printf("ASPA not after: %s\n", time2str(p->notafter)); + time2str(c->notbefore)); + printf("ASPA not after: %s\n", time2str(c->notafter)); printf("Customer ASID: %u\n", p->custasid); printf("Providers: "); } 
@@ -811,34 +811,34 @@ takey_print(char *name, const struct tak } void -tak_print(const X509 *x, const struct tak *p) +tak_print(const struct cert *c, const struct tak *p) { if (outformats & FORMAT_JSON) { json_do_string("type", "tak"); - json_do_string("ski", p->ski); - x509_print(x); - json_do_string("aki", p->aki); - json_do_string("aia", p->aia); - json_do_string("sia", p->sia); + json_do_string("ski", c->ski); + x509_print(c->x509); + json_do_string("aki", c->aki); + json_do_string("aia", c->aia); + json_do_string("sia", c->signedobj); if (p->signtime != 0) json_do_int("signing_time", p->signtime); - json_do_int("valid_since", p->notbefore); - json_do_int("valid_until", p->notafter); + json_do_int("valid_since", c->notbefore); + json_do_int("valid_until", c->notafter); if (p->expires) json_do_int("expires", p->expires); json_do_array("takeys"); } else { - printf("Subject key identifier: %s\n", pretty_key_id(p->ski)); - x509_print(x); - printf("Authority key identifier: %s\n", pretty_key_id(p->aki)); - printf("Authority info access: %s\n", p->aia); - printf("Subject info access: %s\n", p->sia); + printf("Subject key identifier: %s\n", pretty_key_id(c->ski)); + x509_print(c->x509); + printf("Authority key identifier: %s\n", pretty_key_id(c->aki)); + printf("Authority info access: %s\n", c->aia); + printf("Subject info access: %s\n", c->signedobj); if (p->signtime != 0) printf("Signing time: %s\n", time2str(p->signtime)); printf("TAK not before: %s\n", - time2str(p->notbefore)); - printf("TAK not after: %s\n", time2str(p->notafter)); + time2str(c->notbefore)); + printf("TAK not after: %s\n", time2str(c->notafter)); } takey_print("current", p->current); 
@@ -852,35 +852,35 @@ tak_print(const X509 *x, const struct ta } void -geofeed_print(const X509 *x, const struct geofeed *p) +geofeed_print(const struct cert *c, const struct geofeed *p) { char buf[128]; size_t i; if (outformats & FORMAT_JSON) { json_do_string("type", "geofeed"); - json_do_string("ski", p->ski); - x509_print(x); - json_do_string("aki", p->aki); - json_do_string("aia", p->aia); + json_do_string("ski", c->ski); + x509_print(c->x509); + json_do_string("aki", c->aki); + json_do_string("aia", c->aia); if (p->signtime != 0) json_do_int("signing_time", p->signtime); - json_do_int("valid_since", p->notbefore); - json_do_int("valid_until", p->notafter); + json_do_int("valid_since", c->notbefore); + json_do_int("valid_until", c->notafter); if (p->expires) json_do_int("expires", p->expires); json_do_array("records"); } else { - printf("Subject key identifier: %s\n", pretty_key_id(p->ski)); - x509_print(x); - printf("Authority key identifier: %s\n", pretty_key_id(p->aki)); - printf("Authority info access: %s\n", p->aia); + printf("Subject key identifier: %s\n", pretty_key_id(c->ski)); + x509_print(c->x509); + printf("Authority key identifier: %s\n", pretty_key_id(c->aki)); + printf("Authority info access: %s\n", c->aia); if (p->signtime != 0) printf("Signing time: %s\n", time2str(p->signtime)); printf("Geofeed not before: %s\n", - time2str(p->notbefore)); - printf("Geofeed not after: %s\n", time2str(p->notafter)); + time2str(c->notbefore)); + printf("Geofeed not after: %s\n", time2str(c->notafter)); printf("Geofeed CSV records: "); } Index: regress/usr.sbin/rpki-client/test-aspa.c =================================================================== RCS file: /cvs/src/regress/usr.sbin/rpki-client/test-aspa.c,v diff -u -p -r1.9 test-aspa.c --- regress/usr.sbin/rpki-client/test-aspa.c 18 Jul 2025 12:22:07 -0000 1.9 +++ regress/usr.sbin/rpki-client/test-aspa.c 18 Jul 2025 18:32:00 -0000 
@@ -77,7 +77,7 @@ main(int argc, char *argv[])
 break;
 }
 if (verb)
- aspa_print(cert->x509, p);
+ aspa_print(cert, p);
 if (ppem) {
 if (!PEM_write_X509(stdout, cert->x509))
 errx(1, "PEM_write_X509: unable to write cert");
Index: regress/usr.sbin/rpki-client/test-gbr.c
===================================================================
RCS file: /cvs/src/regress/usr.sbin/rpki-client/test-gbr.c,v
diff -u -p -r1.19 test-gbr.c
--- regress/usr.sbin/rpki-client/test-gbr.c 18 Jul 2025 12:22:07 -0000 1.19
+++ regress/usr.sbin/rpki-client/test-gbr.c 18 Jul 2025 18:32:00 -0000
@@ -77,7 +77,7 @@ main(int argc, char *argv[])
 break;
 }
 if (verb)
- gbr_print(cert->x509, p);
+ gbr_print(cert, p);
 if (ppem) {
 if (!PEM_write_X509(stdout, cert->x509))
 errx(1, "PEM_write_X509: unable to write cert");
Index: regress/usr.sbin/rpki-client/test-geofeed.c
===================================================================
RCS file: /cvs/src/regress/usr.sbin/rpki-client/test-geofeed.c,v
diff -u -p -r1.8 test-geofeed.c
--- regress/usr.sbin/rpki-client/test-geofeed.c 18 Jul 2025 12:22:07 -0000 1.8
+++ regress/usr.sbin/rpki-client/test-geofeed.c 18 Jul 2025 18:32:00 -0000
@@ -77,7 +77,7 @@ main(int argc, char *argv[])
 break;
 }
 if (verb)
- geofeed_print(cert->x509, p);
+ geofeed_print(cert, p);
 if (ppem) {
 if (!PEM_write_X509(stdout, cert->x509))
 errx(1, "PEM_write_X509: unable to write cert");
Index: regress/usr.sbin/rpki-client/test-roa.c
===================================================================
RCS file: /cvs/src/regress/usr.sbin/rpki-client/test-roa.c,v
diff -u -p -r1.27 test-roa.c
--- regress/usr.sbin/rpki-client/test-roa.c 18 Jul 2025 12:22:07 -0000 1.27
+++ regress/usr.sbin/rpki-client/test-roa.c 18 Jul 2025 18:32:00 -0000
@@ -76,7 +76,7 @@ main(int argc, char *argv[])
 break;
 }
 if (verb)
- roa_print(cert->x509, p);
+ roa_print(cert, p);
 if (ppem) {
 if (!PEM_write_X509(stdout, cert->x509))
 errx(1, "PEM_write_X509: unable to write cert");
Index: regress/usr.sbin/rpki-client/test-rsc.c
===================================================================
RCS file: /cvs/src/regress/usr.sbin/rpki-client/test-rsc.c,v
diff -u -p -r1.12 test-rsc.c
--- regress/usr.sbin/rpki-client/test-rsc.c 18 Jul 2025 12:22:07 -0000 1.12
+++ regress/usr.sbin/rpki-client/test-rsc.c 18 Jul 2025 18:32:00 -0000
@@ -79,7 +79,7 @@ main(int argc, char *argv[])
 break;
 }
 if (verb)
- rsc_print(cert->x509, p);
+ rsc_print(cert, p);
 if (ppem) {
 if (!PEM_write_X509(stdout, cert->x509))
 errx(1, "PEM_write_X509: unable to write cert");
Index: regress/usr.sbin/rpki-client/test-spl.c
===================================================================
RCS file: /cvs/src/regress/usr.sbin/rpki-client/test-spl.c,v
diff -u -p -r1.4 test-spl.c
--- regress/usr.sbin/rpki-client/test-spl.c 18 Jul 2025 12:22:07 -0000 1.4
+++ regress/usr.sbin/rpki-client/test-spl.c 18 Jul 2025 18:32:00 -0000
@@ -77,7 +77,7 @@ main(int argc, char *argv[])
 break;
 }
 if (verb)
- spl_print(cert->x509, p);
+ spl_print(cert, p);
 if (ppem) {
 if (!PEM_write_X509(stdout, cert->x509))
 errx(1, "PEM_write_X509: unable to write cert");
Index: regress/usr.sbin/rpki-client/test-tak.c
===================================================================
RCS file: /cvs/src/regress/usr.sbin/rpki-client/test-tak.c,v
diff -u -p -r1.9 test-tak.c
--- regress/usr.sbin/rpki-client/test-tak.c 18 Jul 2025 12:22:07 -0000 1.9
+++ regress/usr.sbin/rpki-client/test-tak.c 18 Jul 2025 18:32:00 -0000
@@ -77,7 +77,7 @@ main(int argc, char *argv[])
 break;
 }
 if (verb)
- tak_print(cert->x509, p);
+ tak_print(cert, p);
 if (ppem) {
 if (!PEM_write_X509(stdout, cert->x509))
 errx(1, "PEM_write_X509: unable to write cert");