From: Claudio Jeker
Subject: Re: rpki-client: rename ta_parse() to ta_validate()
To: Theo Buehler
Cc: tech@openbsd.org
Date: Wed, 28 Jan 2026 08:56:12 +0100
On Wed, Jan 28, 2026 at 08:41:36AM +0100, Theo Buehler wrote:
> Trivial renaming diff that adds a bit of documentation. As already
> mentioned, ta_parse() doesn't parse the TA, it deserializes the TAL's
> SPKI and compares internal representations. This isn't quite right but
> libcrypto often makes things that should be easy almost impossible.
> Since I forgot this and wasted a lot of time at least twice in this
> specific instance, leave an explicit comment on this in ta_check_pubkey().
Ok claudio@
> Index: usr.sbin/rpki-client/cert.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v
> diff -u -p -r1.218 cert.c
> --- usr.sbin/rpki-client/cert.c 27 Jan 2026 08:40:29 -0000 1.218
> +++ usr.sbin/rpki-client/cert.c 28 Jan 2026 07:30:56 -0000
> @@ -1991,7 +1991,11 @@ ta_check_pubkey(const char *fn, struct c
> EVP_PKEY *cert_pkey, *tal_pkey;
> int rv = 0;
>
> - /* first check pubkey against the one from the TAL */
> + /*
> + * We should really verify that the TAL's SPKI is byte-identical with
> + * the cert's SPKI. There's no sane way to access the original DER, so
> + * comparing internal representations is the best we can do.
> + */
> tal_pkey = d2i_PUBKEY(NULL, &spki, spkisz);
> if (tal_pkey == NULL) {
> warnx("%s: RFC 6487 (trust anchor): bad TAL pubkey", fn);
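Review bot: The new comment in ta_check_pubkey() says why the two SPKIs are not compared byte for byte, but not what the fallback can miss, which is what a later reader needs to judge the check: comparing decoded keys (as the commit message describes) can accept two SPKIs that differ as DER but decode to the same key, e.g. in how the algorithm parameters are encoded. I would add ` * Note that this only compares the decoded key; encoding-level differences` / ` * between the two SPKIs are not detected.` to the comment. If re-encoding the cert's X509_PUBKEY with i2d_X509_PUBKEY() and comparing the result against spki/spkisz was considered and rejected, one sentence saying why would save the next person the detour the commit message describes. The comparison itself and the rest of ta_check_pubkey() are outside the hunk.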
> @@ -2039,9 +2043,15 @@ ta_check_validity(const char *fn, struct
> return 1;
> }
>
> +/*
> + * Validate a TA against the subjectPublicKeyInfo from the TAL.
> + * Check that the SPKIs match, and that the cert is self-signed
> + * and currently valid.
> + * Returns cert passed in on success or NULL on failure.
> + */
> struct cert *
> -ta_parse(const char *fn, struct cert *p, const unsigned char *spki,
> - size_t spkisz)
> +ta_validate(const char *fn, struct cert *p, const unsigned char *spki,
> + size_t spkisz)
> {
> if (p == NULL)
> return NULL;
> @@ -2082,7 +2092,7 @@ cert_parse_ta(const char *fn, const unsi
> if ((cert = cert_deserialize_and_parse(fn, der, len)) == NULL)
> return NULL;
>
> - return ta_parse(fn, cert, spki, spkisz);
> + return ta_validate(fn, cert, spki, spkisz);
> }
>
> /*
> Index: usr.sbin/rpki-client/extern.h
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v
> diff -u -p -r1.275 extern.h
> --- usr.sbin/rpki-client/extern.h 27 Jan 2026 08:40:29 -0000 1.275
> +++ usr.sbin/rpki-client/extern.h 28 Jan 2026 07:30:56 -0000
> @@ -720,7 +720,7 @@ struct cert *cert_parse_ee_cert(const ch
> struct cert *cert_parse_ta(const char *, const unsigned char *, size_t,
> const unsigned char *, size_t);
> struct cert *cert_parse(const char *, const unsigned char *, size_t);
> -struct cert *ta_parse(const char *, struct cert *, const unsigned char *,
> +struct cert *ta_validate(const char *, struct cert *, const unsigned char *,
> size_t);
> struct cert *cert_read(struct ibuf *);
> void cert_insert_brks(struct brk_tree *, struct cert *);
> Index: usr.sbin/rpki-client/filemode.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/filemode.c,v
> diff -u -p -r1.79 filemode.c
> --- usr.sbin/rpki-client/filemode.c 27 Jan 2026 08:40:29 -0000 1.79
> +++ usr.sbin/rpki-client/filemode.c 28 Jan 2026 07:30:56 -0000
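Review bot: The new block comment on ta_validate() documents the return value but not what happens to p on failure, and that is the fact both callers depend on: filemode.c and test-cert.c overwrite their only pointer with the result and treat NULL as failure, so p leaks unless ta_validate() frees it itself. The body of ta_validate() continues outside the hunk, so I cannot see which it is; the comment should state it either way, e.g. ` * On failure p is freed and must not be used by the caller.` if that holds, otherwise the callers need a cert_free() on the NULL path.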
> @@ -612,7 +612,7 @@ proc_parser_file(char *file, unsigned ch
> expires = NULL;
> notafter = NULL;
> if ((tal = find_tal(cert)) != NULL) {
> - cert = ta_parse(file, cert, tal->spki, tal->spkisz);
> + cert = ta_validate(file, cert, tal->spki, tal->spkisz);
> status = (cert != NULL);
> if (status) {
> expires = &cert->expires;
> Index: regress/usr.sbin/rpki-client/test-cert.c
> ===================================================================
> RCS file: /cvs/src/regress/usr.sbin/rpki-client/test-cert.c,v
> diff -u -p -r1.28 test-cert.c
> --- regress/usr.sbin/rpki-client/test-cert.c 20 Jan 2026 16:49:44 -0000 1.28
> +++ regress/usr.sbin/rpki-client/test-cert.c 28 Jan 2026 07:30:56 -0000
> @@ -85,7 +85,7 @@ main(int argc, char *argv[])
> free(buf);
> if (p == NULL)
> break;
> - p = ta_parse(cert_path, p, tal->spki, tal->spkisz);
> + p = ta_validate(cert_path, p, tal->spki, tal->spkisz);
> tal_free(tal);
> if (p == NULL)
> break;
-- 
:wq Claudio