From: Theo Buehler
Subject: Re: rpki-client: updates for roas (RFC 9582)
To: Claudio Jeker
Cc: tech@openbsd.org
Date: Sun, 24 Aug 2025 14:06:12 +0200
> Typo here. This should be RFC 9582 not 6582 (The NewReno Modification to
> TCP's Fast Recovery Algorithm).
Thanks. Fixed before commit. Here's the analogous diff for manifests. Unlike for ROAs, the relevant section numbers still match in the new RFC.
Index: extern.h
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v
diff -u -p -r1.259 extern.h
--- extern.h	24 Aug 2025 11:52:20 -0000	1.259
+++ extern.h	24 Aug 2025 11:59:21 -0000
@@ -221,7 +221,7 @@ struct mftfile {
 };
 
 /*
- * A manifest, RFC 6486.
+ * A manifest, RFC 9286.
  * This consists of a bunch of files found in the same directory as the
  * manifest file.
  */
Index: main.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/main.c,v
diff -u -p -r1.294 main.c
--- main.c	23 Aug 2025 09:13:14 -0000	1.294
+++ main.c	24 Aug 2025 11:59:21 -0000
@@ -408,7 +408,7 @@ rrdp_http_done(unsigned int id, enum htt
 }
 
 /*
- * Add a file (CER, ROA, CRL) from an MFT file, RFC 6486.
+ * Add a file (CER, ROA, CRL, ...) from a manifest fileList, RFC 9286.
  * These are always relative to the directory in which "mft" sits.
  */
 static void
Index: mft.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/mft.c,v
diff -u -p -r1.129 mft.c
--- mft.c	23 Aug 2025 09:13:14 -0000	1.129
+++ mft.c	24 Aug 2025 11:59:21 -0000
@@ -39,13 +39,8 @@
  * Manifest eContent definition in RFC 9286, section 4.2.
  */
 
-ASN1_ITEM_EXP FileAndHash_it;
 ASN1_ITEM_EXP Manifest_it;
-
-ASN1_SEQUENCE(FileAndHash) = {
-	ASN1_SIMPLE(FileAndHash, file, ASN1_IA5STRING),
-	ASN1_SIMPLE(FileAndHash, hash, ASN1_BIT_STRING),
-} ASN1_SEQUENCE_END(FileAndHash);
+ASN1_ITEM_EXP FileAndHash_it;
 
 ASN1_SEQUENCE(Manifest) = {
 	ASN1_EXP_OPT(Manifest, version, ASN1_INTEGER, 0),
@@ -58,6 +53,10 @@ ASN1_SEQUENCE(Manifest) = {
 
 IMPLEMENT_ASN1_FUNCTIONS(Manifest);
 
+ASN1_SEQUENCE(FileAndHash) = {
+	ASN1_SIMPLE(FileAndHash, file, ASN1_IA5STRING),
+	ASN1_SIMPLE(FileAndHash, hash, ASN1_BIT_STRING),
+} ASN1_SEQUENCE_END(FileAndHash);
 
 #define GENTIME_LENGTH 15
 
@@ -146,7 +145,7 @@ rtype_from_mftfile(const char *fn)
 }
 
 /*
- * Parse an individual "FileAndHash", RFC 6486, sec. 4.2.
+ * Parse an individual "FileAndHash", RFC 9286, sec. 4.2.
  * Return zero on failure, non-zero on success.
  */
 static int
@@ -160,7 +159,7 @@ mft_parse_filehash(const char *fn, struc
 	size_t new_idx = 0;
 
 	if (!valid_mft_filename(fh->file->data, fh->file->length)) {
-		warnx("%s: RFC 6486 section 4.2.2: bad filename", fn);
+		warnx("%s: RFC 9286 section 4.2.2: bad filename", fn);
 		goto out;
 	}
 	file = strndup(fh->file->data, fh->file->length);
@@ -168,7 +167,7 @@ mft_parse_filehash(const char *fn, struc
 		err(1, NULL);
 
 	if (fh->hash->length != SHA256_DIGEST_LENGTH) {
-		warnx("%s: RFC 6486 section 4.2.1: hash: "
+		warnx("%s: RFC 9286 section 4.2.1: hash: "
 		    "invalid SHA256 length, have %d", fn, fh->hash->length);
 		goto out;
 	}
@@ -280,7 +279,7 @@ mft_has_unique_names_and_hashes(const ch
 }
 
 /*
- * Handle the eContent of the manifest object, RFC 6486 sec. 4.2.
+ * Handle the eContent of the manifest object, RFC 9286 sec. 4.2.
  * Returns 0 on failure and 1 on success.
  */
 static int
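Review bot: After this reorder the kept `ASN1_ITEM_EXP FileAndHash_it;` line is no longer a cosmetic twin of `ASN1_ITEM_EXP Manifest_it;` but a load-bearing forward declaration: the `ASN1_SEQUENCE(FileAndHash)` template now sits after the Manifest template, so any reference to FileAndHash inside Manifest (its fileList member, which lies outside this hunk) resolves only through that earlier declaration. Nothing in the hunk says so, and a later tidy-up that drops the "redundant" declaration would fail to compile or, worse, silently pick up a different symbol. I would mark it in place, e.g. `/* Forward declaration: the Manifest template refers to FileAndHash_it, defined below. */` above the `+ASN1_ITEM_EXP FileAndHash_it;` line. The template block is file-scope, so there is no enclosing function to note.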
@@ -294,7 +293,7 @@ mft_parse_econtent(const char *fn, struc
 	oder = d;
 
 	if ((mft_asn1 = d2i_Manifest(NULL, &d, dsz)) == NULL) {
-		warnx("%s: RFC 6486 section 4: failed to parse Manifest", fn);
+		warnx("%s: RFC 9286 section 4: failed to parse Manifest", fn);
 		goto out;
 	}
 	if (d != oder + dsz) {
@@ -339,7 +338,7 @@ mft_parse_econtent(const char *fn, struc
 	}
 
 	if (OBJ_obj2nid(mft_asn1->fileHashAlg) != NID_sha256) {
-		warnx("%s: RFC 6486 section 4.2.1: fileHashAlg: "
+		warnx("%s: RFC 9286 section 4.2.1: fileHashAlg: "
 		    "want SHA256 object, have %s", fn,
 		    nid2str(OBJ_obj2nid(mft_asn1->fileHashAlg)));
 		goto out;
@@ -384,7 +383,7 @@ mft_parse_econtent(const char *fn, struc
 
 /*
  * Parse the objects that have been published in the manifest.
- * Return mft if it conforms to RFC 6486, otherwise NULL.
+ * Return mft if it conforms to RFC 9286, otherwise NULL.
  */
 struct mft *
 mft_parse(struct cert **out_cert, const char *fn, int talid,