On Mon, Apr 11, 2022 at 06:46:20PM +0200, Theo Buehler wrote: > Is this base64 blob really useful? The exact same thing is contained in > a more readable fashion (i.e. with line breaks) in the .tal file itself.
OK, cat(1) can also be used indeed :-) > Apart from that, I'm fine with having something like this. Couple > comments inline $ rpki-client -f /etc/rpki/ripe.tal File: /etc/rpki/ripe.tal Trust anchor name: ripe Subject key identifier: E8:55:2B:1F:D6:D1:A4:F7:E4:04:C6:D8:E5:68:0D:1E:BC:16:3F:C3 Trust anchor locations: 1: https://rpki.ripe.net/ta/ripe-ncc-ta.cer 2: rsync://rpki.ripe.net/ta/ripe-ncc-ta.cer How about the below?
Index: print.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/print.c,v
retrieving revision 1.6
diff -u -p -r1.6 print.c
--- print.c 21 Mar 2022 10:39:51 -0000 1.6
+++ print.c 11 Apr 2022 17:08:14 -0000
@@ -25,6 +25,8 @@
 #include <string.h>
 #include <time.h>
+#include <openssl/evp.h>
+
 #include "extern.h"
 static const char *
@@ -62,10 +64,41 @@ time2str(time_t t)
 void
 tal_print(const struct tal *p)
 {
- size_t i;
+ char *ski;
+ EVP_PKEY *pk;
+ RSA *r;
+ const unsigned char *der;
+ unsigned char *rder = NULL;
+ unsigned char md[SHA_DIGEST_LENGTH];
+ int rder_len;
+ size_t i;
+
+ printf("Trust anchor name: %s\n", p->descr);
+
+ der = p->pkey;
+ pk = d2i_PUBKEY(NULL, &der, p->pkeysz);
+ if (pk == NULL)
+ errx(1, "d2i_PUBKEY failed in %s", __func__);
+
+ r = EVP_PKEY_get0_RSA(pk);
+ if (r == NULL)
+ errx(1, "EVP_PKEY_get0_RSA failed in %s", __func__);
+ if ((rder_len = i2d_RSAPublicKey(r, &rder)) <= 0)
+ errx(1, "i2d_RSAPublicKey failed in %s", __func__);
+
+ if (!EVP_Digest(rder, rder_len, md, NULL, EVP_sha1(), NULL))
+ errx(1, "EVP_Digest failed in %s", __func__);
+ ski = hex_encode(md, SHA_DIGEST_LENGTH);
+ printf("Subject key identifier: %s\n", pretty_key_id(ski));
+
+ printf("Trust anchor locations:\n");
 for (i = 0; i < p->urisz; i++)
- printf("%5zu: URI: %s\n", i + 1, p->uri[i]);
+ printf("%5zu: %s\n", i + 1, p->uri[i]);
+
+ EVP_PKEY_free(pk);
+ free(rder);
+ free(ski);
 }
 void
Index: rpki-client.8
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/rpki-client.8,v
retrieving revision 1.57
diff -u -p -r1.57 rpki-client.8
--- rpki-client.8 31 Mar 2022 17:27:31 -0000 1.57
+++ rpki-client.8 11 Apr 2022 17:08:14 -0000
@@ -99,7 +99,9 @@ and
 .Fl -address
 flags and connect with rsync-protocol locations.
 .It Fl f Ar
-Validate the
+Decode the
+. Em TAL
+or validate the
 .Em Signed Object
 in
 .Ar file
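Review bot: The key-identifier computation in tal_print has no comment saying why it hashes the i2d_RSAPublicKey() output rather than the whole SubjectPublicKeyInfo that d2i_PUBKEY() parsed, and a reader comparing this against the TA certificate's SKI extension will want that stated; add above the EVP_Digest() call: `/* RFC 6487 4.8.2: the key identifier is the SHA-1 of the subjectPublicKey BIT STRING contents (RFC 5280 4.2.1.2 method 1), i.e. the DER RSAPublicKey, not the full SPKI. */`. The EVP_PKEY_get0_RSA() NULL check turns a TAL with a non-RSA key into an errx() naming the library call, which in a decode-only diagnostic mode tells the operator less than the actual cause; `errx(1, "%s: TAL public key is not RSA", p->descr)` would be clearer. The hunk adds only <openssl/evp.h>, while RSA, i2d_RSAPublicKey(), d2i_PUBKEY() and SHA_DIGEST_LENGTH are declared in rsa.h, x509.h and sha.h; presumably extern.h already pulls those in, but it is worth confirming since print.c otherwise relies on the transitive include.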