Further simplify cert and auth handling. Move common code into auth_insert
and skip this distinction between invalid and failed certificates.
The difference between the to is getting more and more bl

Further simplify cert and auth handling. Move common code into auth_insert
and skip this distinction between invalid and failed certificates.
The difference between the to is getting more and more blurry.
OK tb@

show more ...

Don't exit in certain cases on failures to parse x509 objects.

In most cases we already warn and continue if someone sends us malformed
x509 objects. This makes this consistent behaviour in all plac

Don't exit in certain cases on failures to parse x509 objects.

In most cases we already warn and continue if someone sends us malformed
x509 objects. This makes this consistent behaviour in all places
so that if someone passes in bogus X509, We end up failing their entry
and continuing rather than exiting.

We still exit on memory/system failures so that a future run of rpki
client can simply do better when the machine is perhaps less hammered
on

ok job@ claudio@

show more ...

Add limits on size of certain untrusted inputs

ok job@

Also move the cert parser code away from using BIO.
OK beck@

Finnally move away from blocking reads in rpki-client. The code was a
mish mash of poll, non-blocking writes and blocking reads. Using the
introduced ibuf size header in io_buf_new()/io_buf_close() t

Finnally move away from blocking reads in rpki-client. The code was a
mish mash of poll, non-blocking writes and blocking reads. Using the
introduced ibuf size header in io_buf_new()/io_buf_close() the read
side can be changed to pull in a full ibuf and only start the un-marshal
once all data has been read.
OK benno@

show more ...

zap 3 comments

Emit SKI in the JSON output and improve flow in x509_get_pubkey()

OK claudio@

Add support for BGPsec Router Certificates (RFC 8209)

BGPsec router keys are extracted from RPKI certificates and
emitted via the JSON output in base64 encoded form.

OK tb@ claudio@

Make sure BGPsec router certs don't have a SIA

OK claudio@

Clarify error message

OK benno@

Add x509_get_expire() to extract the not-after time from a certificate
as a epoch time_t. Store the expire time for certs, crls will follow after.
OK tb@

Add rudimentary support for BGPsec router certificates

OK claudio@

Rework how various OIDs are compared in the code.

Instead of converting the ASN1_OBJECT into a string and comparing the
strings, convert the string into an ASN1_OBJECT once and then compare
these ob

Rework how various OIDs are compared in the code.

Instead of converting the ASN1_OBJECT into a string and comparing the
strings, convert the string into an ASN1_OBJECT once and then compare
these objects with OBJ_cmp().

Makes the code a bit easier to read and removes some repetitive conversions.
With input and OK tb@

show more ...

Add more checks for eContent 'version' fields.

Input from deraadt@, tb@, claudio@

OK deraadt@ claudio@ tb@

Fix more warnings

OK tb@

Fix warning

OK tb@

Factor out the URI check we do in various places into valid_uri().
RRDP will add a bunch more checks so this makes even more sense.
With and OK tb@

Use X509_get_ext_d2i() also for x509_get_aki() and x509_get_ski().
Now x509_get_extensions() is no longer required to loop over all
extensions and the code becomes a lot simpler.
While there cleanup

Use X509_get_ext_d2i() also for x509_get_aki() and x509_get_ski().
Now x509_get_extensions() is no longer required to loop over all
extensions and the code becomes a lot simpler.
While there cleanup x509_get_crl(), as explained by tb@ X509_get_ext_d2i()
allocates memory so one needs to free the pointer at the end.
For x509_crl_get_aki() use X509_CRL_get_ext_d2i() and more or less
copy the rest over from x509_get_aki().
Warn if extensions are missing or present when not expected and also
check the the extensions are marked non-critical as required.
OK job@ tb@

show more ...

get Authority Information Access (AIA) from CA & EE certs

In the context of the RPKI, the AIA extension identifies the publication
point of the certificate of the issuer of the certificate in which

get Authority Information Access (AIA) from CA & EE certs

In the context of the RPKI, the AIA extension identifies the publication
point of the certificate of the issuer of the certificate in which the
extension appears. A single reference to the publication point of the
immediate superior certificate MUST be present, except for a
"self-signed" certificate.

Thanks tb@ for review

OK claudio@

show more ...

Extract the 1.3.6.1.5.5.7.48.5 (caRepository) SIA from the certificate.
Make sure that the caRepository matches the start of the URI of rpkiManifest.
The MFT must be a file inside the caRepository.
O

Extract the 1.3.6.1.5.5.7.48.5 (caRepository) SIA from the certificate.
Make sure that the caRepository matches the start of the URI of rpkiManifest.
The MFT must be a file inside the caRepository.
OK tb@

show more ...

Eventhough most openssl includes include everything try to be a bit more
explicit about what is used where. Seems to be the least worst solution.

A while ago rpki-client was changed to validate the sha256 hashes of
files referenced in MFT files during the validation of the MFT file.
An MFT is only valid if all files are present and their hashe

A while ago rpki-client was changed to validate the sha256 hashes of
files referenced in MFT files during the validation of the MFT file.
An MFT is only valid if all files are present and their hashes are valid.
Because of this there is no longer the need to check the hash when
these files are parsed later on. Remove these checks for CRT, ROA and CRL
files. Use the presence of the pkey when parsing cert files to decide
if it is a root cert or not.
OK tb@

show more ...

Start using the ibuf API (ibuf_dynamic, ibuf_add, ibuf_close) for writing
data between processes. This completely decouples the write side.
rpki-client can't really use the imsg framework but it can

Start using the ibuf API (ibuf_dynamic, ibuf_add, ibuf_close) for writing
data between processes. This completely decouples the write side.
rpki-client can't really use the imsg framework but it can use the ibuf
bits wich imsg is built on.
OK benno@ job@

show more ...

Now that a NULL string is marshalled as NULL again we can drop some
extra has_xyz integers to indicate if the following buffer is present
or not. At the same time sprinkle some asserts for strings wh

Now that a NULL string is marshalled as NULL again we can drop some
extra has_xyz integers to indicate if the following buffer is present
or not. At the same time sprinkle some asserts for strings which must
be not NULL.
OK tb@

show more ...

Limit the URL embedded in .cer files to only consist out of isalnum or
ispunct characters. Everything else is fishy and so block those early on.
OK millert@ job@