On Mon, Apr 11, 2022 at 04:05:27PM +0000, Job Snijders wrote:
> Hi,
>
> This changeset extends rpki-client to print more detail encapsulated
> inside TAL files, of specific interest is printing the Subject Key
> Identifier (SKI) of the Trust Anchor you'd find if you download the
> referenced .cer file. The SPKI is printed as base64 encoded DER.
>
> Example:
>
> $ rpki-client -f /etc/rpki/ripe.tal
> File: /etc/rpki/ripe.tal
> Trust anchor name: ripe
> Subject key identifier:
> E8:55:2B:1F:D6:D1:A4:F7:E4:04:C6:D8:E5:68:0D:1E:BC:16:3F:C3
> Trust anchor locations:
> 1: https://rpki.ripe.net/ta/ripe-ncc-ta.cer
> 2: rsync://rpki.ripe.net/ta/ripe-ncc-ta.cer
> Subject public key information:
> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0URYSGqUz2myBsOzeW1jQ6NsxNvlLMyhWknvnl8NiBCs/T/S2XuNKQNZ+wBZxIgPPV2pFBFeQAvoH/WK83HwA26V2siwm/MY2nKZ+Olw+wlpzlZ1p3Ipj2eNcKrmit8BwBC8xImzuCGaV0jkRB0GZ0hoH6Ml03umLprRsn6v0xOP0+l6Qc1ZHMFVFb385IQ7FQQTcVIxrdeMsoyJq9eMkE6DoclHhF/NlSllXubASQ9KUWqJ0+Ot3QCXr4LXECMfkpkVR2TZT+v5v658bHVs6ZxRD1b6Uk1uQKAyHUbn/tXvP8lrjAibGzVsXDT2L0x4Edx+QdixPgOji3gBMyL2VwIDAQAB
Is this base64 blob really useful? The exact same thing is contained in
a more readable fashion (i.e. with line breaks) in the .tal file itself.
Apart from that, I'm fine with having something like this. Couple
comments inline
>
> OK?
>
> Kind regards,
>
> Job
>
> Index: print.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/print.c,v
> retrieving revision 1.6
> diff -u -p -r1.6 print.c
> --- print.c 21 Mar 2022 10:39:51 -0000 1.6
> +++ print.c 11 Apr 2022 16:03:39 -0000
> @@ -25,6 +25,8 @@
> #include <string.h>
> #include <time.h>
>
> +#include <openssl/evp.h>
> +
> #include "extern.h"
>
> static const char *
> @@ -62,10 +64,46 @@ time2str(time_t t)
> void
> tal_print(const struct tal *p)
> {
> - size_t i;
> + char *talpkey, *ski;
> + EVP_PKEY *pk;
> + RSA *r;
> + unsigned char *der, *rder = NULL;
I'd make der a 'const unsigned char *' and drop the cast in d2i_PUBKEY().
> + unsigned char md[SHA_DIGEST_LENGTH];
> + int rder_len;
> + size_t i;
> +
> + printf("Trust anchor name: %s\n", p->descr);
> +
> + der = p->pkey;
> + pk = d2i_PUBKEY(NULL, (const unsigned char **)&der, p->pkeysz);
> + if (pk == NULL)
> + errx(1, "d2i_PUBKEY failed in %s", __func__);
> +
> + r = EVP_PKEY_get1_RSA(pk);
No need to use get1. Use get0, then it also matches the error message
below. If you change this, drop the RSA_free() at the end.
> + if (r == NULL)
> + errx(1, "EVP_PKEY_get0_RSA failed in %s", __func__);
> + if ((rder_len = i2d_RSAPublicKey(r, &rder)) <= 0)
> + errx(1, "i2d_RSAPublicKey failed in %s", __func__);
> +
> + if (!EVP_Digest(rder, rder_len, md, NULL, EVP_sha1(), NULL))
> + errx(1, "EVP_Digest failed in %s", __func__);
>
> + ski = hex_encode(md, SHA_DIGEST_LENGTH);
> + printf("Subject key identifier: %s\n", pretty_key_id(ski));
> +
> + printf("Trust anchor locations:\n");
> for (i = 0; i < p->urisz; i++)
> - printf("%5zu: URI: %s\n", i + 1, p->uri[i]);
> + printf("%5zu: %s\n", i + 1, p->uri[i]);
> +
> + if (base64_encode(p->pkey, p->pkeysz, &talpkey) == -1)
> + errx(1, "base64_encode failed in %s", __func__);
> + printf("Subject public key information: %s\n", talpkey);
> +
> + EVP_PKEY_free(pk);
> + RSA_free(r);
> + free(rder);
> + free(ski);
> + free(talpkey);
> }
>
> void
> Index: rpki-client.8
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/rpki-client.8,v
> retrieving revision 1.57
> diff -u -p -r1.57 rpki-client.8
> --- rpki-client.8 31 Mar 2022 17:27:31 -0000 1.57
> +++ rpki-client.8 11 Apr 2022 16:03:39 -0000
> @@ -99,7 +99,9 @@ and
> .Fl -address
> flags and connect with rsync-protocol locations.
> .It Fl f Ar
> -Validate the
> +Decode the
> +. Em TAL
> +or validate the
> .Em Signed Object
> in
> .Ar file
>
