From: Theo Buehler Subject: rpki-client: mft: stop copying AIA and SIA around To: Job Snijders Cc: tech@openbsd.org Date: Sun, 20 Jul 2025 10:24:19 +0200 The mft->aki needs to be pushed to the main process for entp->mftaki, which is handed back to the parser for the mftaki check in find_issuer(). I need to check more closely if this is still useful, but that would be for a separate diff anyway... The mft->aki is also needed a few layers down in the parser for checking it against the CRL's AKI. Similarly, the mft->sia is used for crl->mftpath and while this copy in mft could be avoided, doing so means handing the info through the layers somehow. Borrowing it from the cert to avoid the copy is a bit ugly and doing it differently and cleanly seems more work than it's worth right now. The rest is essentially identical to the other signed objects, with slight differences because the "validity" of manifests is part of the econtent. I adjusted the two checks for strdup() to individual checks which is what we normally do.
Index: usr.sbin/rpki-client/extern.h
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v
diff -u -p -r1.251 extern.h
--- usr.sbin/rpki-client/extern.h 20 Jul 2025 07:48:31 -0000 1.251
+++ usr.sbin/rpki-client/extern.h 20 Jul 2025 08:20:47 -0000
@@ -229,10 +229,8 @@ struct mft {
 char *path; /* relative path to directory of the MFT */
 struct mftfile *files; /* file and hash */
 char *seqnum; /* manifestNumber */
- char *aia; /* AIA */
 char *aki; /* AKI */
 char *sia; /* SIA signedObject */
- char *ski; /* SKI */
 char *crl; /* CRL file name */
 unsigned char mfthash[SHA256_DIGEST_LENGTH];
 unsigned char crlhash[SHA256_DIGEST_LENGTH];
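Review bot: The two fields that survive in struct mft, `aki` and `sia`, are still copies of the EE certificate's `aki` and `signedobj`, but their comments (`/* AKI */`, `/* SIA signedObject */`) do not say why they are duplicated now that `aia` and `ski` are gone. The commit message explains that `aki` is serialised to the main process for the mftaki check and the CRL AKI comparison, and that `sia` feeds `crl->mftpath`; suggest carrying that into the struct, e.g. `char *aki; /* AKI, copied from EE cert; sent to main proc for mftaki/CRL checks */` and `char *sia; /* SIA signedObject, copied from EE cert for crl->mftpath */`. Without such a note the next cleanup pass is likely to remove these two copies as well. struct mft begins before this hunk.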
@@ -933,7 +931,7 @@ void x509_print(const X509 *);
 void tal_print(const struct tal *);
 void cert_print(const struct cert *);
 void crl_print(const struct crl *);
-void mft_print(const X509 *, const struct mft *);
+void mft_print(const struct cert *, const struct mft *);
 void roa_print(const struct cert *, const struct roa *);
 void gbr_print(const struct cert *, const struct gbr *);
 void rsc_print(const struct cert *, const struct rsc *);
Index: usr.sbin/rpki-client/filemode.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/filemode.c,v
diff -u -p -r1.65 filemode.c
--- usr.sbin/rpki-client/filemode.c 20 Jul 2025 07:48:31 -0000 1.65
+++ usr.sbin/rpki-client/filemode.c 20 Jul 2025 08:20:47 -0000
@@ -425,7 +425,7 @@ proc_parser_file(char *file, unsigned ch
 mft = mft_parse(&cert, file, -1, buf, len);
 if (mft == NULL)
 break;
- aia = mft->aia;
+ aia = cert->aia;
 expires = &mft->expires;
 notbefore = &mft->thisupdate;
 notafter = &mft->nextupdate;
@@ -565,7 +565,7 @@ proc_parser_file(char *file, unsigned ch
 geofeed_print(cert, geofeed);
 break;
 case RTYPE_MFT:
- mft_print(cert->x509, mft);
+ mft_print(cert, mft);
 break;
 case RTYPE_ROA:
 roa_print(cert, roa);
Index: usr.sbin/rpki-client/mft.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/mft.c,v
diff -u -p -r1.124 mft.c
--- usr.sbin/rpki-client/mft.c 18 Jul 2025 12:20:32 -0000 1.124
+++ usr.sbin/rpki-client/mft.c 20 Jul 2025 08:20:47 -0000
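Review bot: `aia = cert->aia;` in the filemode.c hunk at line 425 dereferences the certificate handed back through `&cert` by `mft_parse()`, yet the only check between that call and the dereference is `if (mft == NULL) break;`. That is safe only if `mft_parse()` always sets `*out_cert` whenever it returns a manifest, which this hunk cannot show; the removed `mft->aia` was itself a strdup of `cert->aia` inside `mft_parse()`, so the dependency is not new, but it is now visible at the call site. If the invariant holds, a one-line comment at the call, `/* mft_parse() sets cert whenever it returns non-NULL */`, would document it for this hunk and for the `mft_print(cert, mft)` hunk at line 565 that relies on the same thing. proc_parser_file() begins and ends outside both hunks.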
@@ -436,12 +436,9 @@ mft_parse(struct cert **out_cert, const
 err(1, NULL);
 mft->signtime = signtime;
- mft->aia = strdup(cert->aia);
- mft->aki = strdup(cert->aki);
- mft->sia = strdup(cert->signedobj);
- mft->ski = strdup(cert->ski);
- if (mft->aia == NULL || mft->aki == NULL || mft->sia == NULL ||
- mft->ski == NULL)
+ if ((mft->aki = strdup(cert->aki)) == NULL)
+ err(1, NULL);
+ if ((mft->sia = strdup(cert->signedobj)) == NULL)
 err(1, NULL);
 if (!x509_inherits(cert->x509)) {
@@ -506,10 +503,8 @@ mft_free(struct mft *p)
 free(p->path);
 free(p->files);
 free(p->seqnum);
- free(p->aia);
 free(p->aki);
 free(p->sia);
- free(p->ski);
 free(p->crl);
 free(p);
 }
@@ -529,9 +524,7 @@ mft_buffer(struct ibuf *b, const struct
 io_simple_buffer(b, &p->seqnum_gap, sizeof(p->seqnum_gap));
 io_str_buffer(b, p->path);
- io_str_buffer(b, p->aia);
 io_str_buffer(b, p->aki);
- io_str_buffer(b, p->ski);
 io_simple_buffer(b, &p->filesz, sizeof(size_t));
 for (i = 0; i < p->filesz; i++) {
@@ -563,10 +556,8 @@ mft_read(struct ibuf *b)
 io_read_buf(b, &p->seqnum_gap, sizeof(p->seqnum_gap));
 io_read_str(b, &p->path);
- io_read_str(b, &p->aia);
 io_read_str(b, &p->aki);
- io_read_str(b, &p->ski);
- assert(p->aia && p->aki && p->ski);
+ assert(p->aki != NULL);
 io_read_buf(b, &p->filesz, sizeof(size_t));
 if ((p->files = calloc(p->filesz, sizeof(struct mftfile))) == NULL)
Index: usr.sbin/rpki-client/print.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/print.c,v
diff -u -p -r1.62 print.c
--- usr.sbin/rpki-client/print.c 20 Jul 2025 07:48:31 -0000 1.62
+++ usr.sbin/rpki-client/print.c 20 Jul 2025 08:20:47 -0000
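Review bot: The two `strdup()` copies that remain in the mft_parse() hunk, `mft->aki` and `mft->sia`, now look arbitrary next to the removed `aia`/`ski` copies, and nothing in the code says why these two must still be duplicated instead of read from `cert`. The commit message gives the reason — `aki` crosses into the main process through mft_buffer()/mft_read() for the mftaki check and is later compared with the CRL's AKI, and `sia` becomes `crl->mftpath` — so a comment above the first new `if`, such as `/* aki is sent to the main process and checked against the CRL AKI; sia becomes crl->mftpath */`, would keep a later cleanup from dropping them. Both `cert->aki` and `cert->signedobj` are passed to strdup() without a NULL check, which presumes the EE certificate parser guarantees they are set; the removed lines made the same assumption, so this is only worth a note if that guarantee is not already documented on struct cert. mft_parse() begins and ends outside the hunk.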
@@ -448,18 +448,18 @@ crl_print(const struct crl *p)
 }
 void
-mft_print(const X509 *x, const struct mft *p)
+mft_print(const struct cert *c, const struct mft *p)
 {
 size_t i;
 char *hash;
 if (outformats & FORMAT_JSON) {
 json_do_string("type", "manifest");
- json_do_string("ski", p->ski);
- x509_print(x);
- json_do_string("aki", p->aki);
- json_do_string("aia", p->aia);
- json_do_string("sia", p->sia);
+ json_do_string("ski", c->ski);
+ x509_print(c->x509);
+ json_do_string("aki", c->aki);
+ json_do_string("aia", c->aia);
+ json_do_string("sia", c->signedobj);
 json_do_string("manifest_number", p->seqnum);
 if (p->signtime != 0)
 json_do_int("signing_time", p->signtime);
@@ -468,11 +468,11 @@ mft_print(const X509 *x, const struct mf
 if (p->expires)
 json_do_int("expires", p->expires);
 } else {
- printf("Subject key identifier: %s\n", pretty_key_id(p->ski));
- printf("Authority key identifier: %s\n", pretty_key_id(p->aki));
- x509_print(x);
- printf("Authority info access: %s\n", p->aia);
- printf("Subject info access: %s\n", p->sia);
+ printf("Subject key identifier: %s\n", pretty_key_id(c->ski));
+ printf("Authority key identifier: %s\n", pretty_key_id(c->aki));
+ x509_print(c->x509);
+ printf("Authority info access: %s\n", c->aia);
+ printf("Subject info access: %s\n", c->signedobj);
 printf("Manifest number: %s\n", p->seqnum);
 if (p->signtime != 0)
 printf("Signing time: %s\n",
Index: regress/usr.sbin/rpki-client/test-mft.c
===================================================================
RCS file: /cvs/src/regress/usr.sbin/rpki-client/test-mft.c,v
diff -u -p -r1.30 test-mft.c
--- regress/usr.sbin/rpki-client/test-mft.c 18 Jul 2025 12:22:07 -0000 1.30
+++ regress/usr.sbin/rpki-client/test-mft.c 20 Jul 2025 08:20:47 -0000
@@ -79,7 +79,7 @@ main(int argc, char *argv[])
 break;
 }
 if (verb)
- mft_print(cert->x509, p);
+ mft_print(cert, p);
 if (ppem) {
 if (!PEM_write_X509(stdout, cert->x509))
 errx(1, "PEM_write_X509: unable to write cert");
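Review bot: `mft_print()` has no header comment, and after the signature change in the print.c hunk at line 448 it draws from two sources that a reader has to work out from the body: SKI, AKI, AIA and SIA come from the EE cert `c` (`c->ski`, `c->aki`, `c->aia`, `c->signedobj`, plus `x509_print(c->x509)`), while manifest number, signing time and validity come from `p`. A short comment above the function would make that explicit, e.g. `/* Print manifest p; key identifiers, AIA, SIA and the X.509 details are taken from its EE cert c, which must be the cert mft_parse() returned for p. */`. The fields of `c` are dereferenced without NULL checks, so the comment should also state that `c` is never NULL here, which is presumably what callers guarantee. The same comment would serve the text-mode hunk at line 468; mft_print() continues past the end of that hunk.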