In most cases we already warn and continue if someone sends us malformed
x509 objects. This makes this consistent behaviour in all places
so that if someone passes in bogus X509, We end up failing their entry
and continuing rather than exiting.
We still exit on memory/system failures so that a future run of rpki
client can simply do better when the machine is perhaps less hammered
on
ok job@ claudio@
mish mash of poll, non-blocking writes and blocking reads. Using the
introduced ibuf size header in io_buf_new()/io_buf_close() the read
side can be changed to pull in a full ibuf and only start the un-marshal
once all data has been read.
OK benno@
io_buf_close(). These function will inject a size of the the buffer
at the beginning of the buffer and will allow the read size to be
switched to proper async IO.
OK benno@
Instead of converting the ASN1_OBJECT into a string and comparing the
strings, convert the string into an ASN1_OBJECT once and then compare
these objects with OBJ_cmp().
Makes the code a bit easier to read and removes some repetitive conversions.
With input and OK tb@
The 'expires' value contains a reasonable earliest moment a VRP would expire,
in light of the currently available set of CAs and CRLs. The 'expires' value
can be used to avoid route selection based on stale data when generating VRP
sets, when faced with loss of communication between consumer and valdiator,
or validator and CA repository.
OK claudio@
in rpki-client. For now it is off by default.
All XML processing is done in its own process with minimal pledge rights.
It uses the already present https process to fetch the xml files and uses
the master porcess to handle the file IO into the repositories.
RRDP data is stored in the cache under ./rrdp/ and the first directory
is the SHA256 hash of the notify URI.
Fetching snapshots and deltas works to bring the cache up to date.
If something goes wrong rpki-client will fall back to rsync.
RRDP was implemented by Nils Fisher and integrated into rpki-client by myself.
"Time to get it in" deraadt@
Since aia, aki and ski are all represented by char *, this is an
error-prone interface - as found by job. The function doesn't do
much anyway.
ok claudio
remove handling of 206 Partial Content (the client does not use range
headers). Report the Last-Modified timestamp back to the requestor and
switch OK to a enum value for (FAIL, OK and NOT MODIFIED).
OK tb@
be used to fetch TA certs and later on for RRDP. Kind of unreached for now
since the default TAL files don't include https URI.
The http client is fully asynchronous and can handle multiple downloads at
the same time. This code was based on the http client in ftp(1).
OK tb@, job@
Now x509_get_extensions() is no longer required to loop over all
extensions and the code becomes a lot simpler.
While there cleanup x509_get_crl(), as explained by tb@ X509_get_ext_d2i()
allocates memory so one needs to free the pointer at the end.
For x509_crl_get_aki() use X509_CRL_get_ext_d2i() and more or less
copy the rest over from x509_get_aki().
Warn if extensions are missing or present when not expected and also
check the the extensions are marked non-critical as required.
OK job@ tb@
ta_lookup() while regular repositories (to fetch .mft files) are handled
by repo_lookup(). Also the cache directory layout changed; moving the
trust anchors to ./ta/{tal basename}/ the other repositories end up in
./rsync/
OK tb@
In the context of the RPKI, the AIA extension identifies the publication
point of the certificate of the issuer of the certificate in which the
extension appears. A single reference to the publication point of the
immediate superior certificate MUST be present, except for a
"self-signed" certificate.
Thanks tb@ for review
OK claudio@
files referenced in MFT files during the validation of the MFT file.
An MFT is only valid if all files are present and their hashes are valid.
Because of this there is no longer the need to check the hash when
these files are parsed later on. Remove these checks for CRT, ROA and CRL
files. Use the presence of the pkey when parsing cert files to decide
if it is a root cert or not.
OK tb@
data between processes. This completely decouples the write side.
rpki-client can't really use the imsg framework but it can use the ibuf
bits wich imsg is built on.
OK benno@ job@
there in structs and prototypes. Remove the openssl/ssl.h and other strange
openssl includes in the .c files that don't use openssl specific functions.
OK beck@ and tb@
Extract the notify URL from the cert if it is available and pass it back to
the parent process. The parent process can then use this info to load the
repo via RRDP instead of rsync.
OK benno@ (some long time ago)
use the files referenced in the manifests to build up a list of files
to keep and remove anything that is not in the list after doing the
full computation.
OK job@ benno@
to check all files in a mft before failing and also the check is now done
after the embedded cert was checked.
This refactor was triggered because of a bug in mft_parse_econtent().
check_validity() altered rc but later failure code assumed that goto out
is good enough to return an error (rc == -1) but since rc was 1 success
was returned. This bug is now also fixed.
Bug report and OK job@
- bird v1 with IPv4 routes
- bird v1 with IPv6 routes
- bird v2
when using command line option -B.
BIRD v2 output from Robert Scheck, robert AT fedoraproject DOT org
time_t cast hint from jca@, and tested by job@
ok deraadt@ claudio@
rpki-client will use the defaults for cache and output directory. If not
started as root users need to provide both directories as arguments.
While there switch from absolute path names to relative ones. For this
the parser and rsync process do a chdir(2) to the cache directory on startup.
OK benno@
compute, based upon flags. OpenBGPD compatible format by default if
no options, to integrate with bgpd.conf and bgpctl reload. Adapt
mtree and stuff. This will receive further refactoring...
ok benno job
the parent auth struct is stored as a pointer so walking up the certificate
chain remains simple. Doing this replaces a few slow lookups and speeds up
rpki-client by a factor of 2.
OK benno@
against the CA one layer above it. This check just needs to use the
certificate revocation list published by that CA.
Instead of loading all CRLs we find into the trust store, we create a
STACK_OF(X509_CRL), push the onto it and use it with
X509_STORE_CTX_set0_crls(ctx, crls);
The x509_get_crl() function to retrieve a crl path from an X509 object
is written by claudio@.
ok claudio@
intermediate certificates for use in X509_STORE_CTX_init(). To do that
save the X509 cert in struct cert.
claudio sees > 2x speed increase.
ok claudio@ and feedback from jsing@ and beck@.
parser process. This way the parser never needs to read outside of the
cache directory which makes the unveil simpler. Additionally rsync_uri_parse
no longer needs to know about .tal files so there is now no chance to sneak
in a .tal file later on.
OK deraadt@
data in JSON format. To make the JSON output the same as the output of the
RIPE rpki-validator the basename of the TAL had to be added and passed around
in rpki-client. Additinally the VRPs are now stored in an RB tree in the
main process instead of keeping them per ROA object. This changes the sort
order to be in network order and no longer just lexographical.
Agreed by job@ deraadt@
as arguments rpki-client will now load the TAL installed in /etc/rpki by
default. For debug reasons an option -t tal is added to pass in TAL files
by hand. The argument is now instead the filename of the output file.
Now `rpki-client roa.conf` will do what you need which is a lot nicer.
Agreed by deraadt@ job@ to be a step in the right direction.
and a count of how many bits of the last byte are unused switch to a much
more normal prefixlen in bits encoding for internal use. This makes the
code easier to understand. Also switch to inet_ntop() for converting a
struct ip_addr into a string.
OK job@
