From 198a05209cc7e77997e959cc73ff71dadd0fca51 Mon Sep 17 00:00:00 2001
From: claudio <claudio@openbsd.org>
Date: Mon, 1 Nov 2021 17:00:34 +0000
Subject: [PATCH] Further simplify cert and auth handling. Move common code
 into auth_insert and skip this distinction between invalid and failed
 certificates. The difference between the to is getting more and more blurry.
 OK tb@

---
 usr.sbin/rpki-client/cert.c        | 22 +++++++++++--
 usr.sbin/rpki-client/extern.h      | 10 +++---
 usr.sbin/rpki-client/main.c        | 35 ++++++++------------
 usr.sbin/rpki-client/output-json.c |  7 ++--
 usr.sbin/rpki-client/output.c      |  9 +++--
 usr.sbin/rpki-client/parser.c      | 53 +++++++++++++-----------------
 6 files changed, 65 insertions(+), 71 deletions(-)

diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index c78f067563e..f6b862dc84d 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: cert.c,v 1.43 2021/10/28 09:02:19 beck Exp $ */
+/*	$OpenBSD: cert.c,v 1.44 2021/11/01 17:00:34 claudio Exp $ */
 /*
  * Copyright (c) 2021 Job Snijders <job@openbsd.org>
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -1256,7 +1256,6 @@ cert_buffer(struct ibuf *b, const struct cert *p)
 {
 	size_t	 i;
 
-	io_simple_buffer(b, &p->valid, sizeof(int));
 	io_simple_buffer(b, &p->expires, sizeof(time_t));
 	io_simple_buffer(b, &p->purpose, sizeof(enum cert_purpose));
 	io_simple_buffer(b, &p->ipsz, sizeof(size_t));
@@ -1319,7 +1318,6 @@ cert_read(struct ibuf *b)
 	if ((p = calloc(1, sizeof(struct cert))) == NULL)
 		err(1, NULL);
 
-	io_read_buf(b, &p->valid, sizeof(int));
 	io_read_buf(b, &p->expires, sizeof(time_t));
 	io_read_buf(b, &p->purpose, sizeof(enum cert_purpose));
 	io_read_buf(b, &p->ipsz, sizeof(size_t));
@@ -1365,6 +1363,24 @@ auth_find(struct auth_tree *auths, const char *aki)
 	return RB_FIND(auth_tree, auths, &a);
 }
 
+int
+auth_insert(struct auth_tree *auths, struct cert *cert, struct auth *parent)
+{
+	struct auth *na;
+
+	na = malloc(sizeof(*na));
+	if (na == NULL)
+		err(1, NULL);
+
+	na->parent = parent;
+	na->cert = cert;
+
+	if (RB_INSERT(auth_tree, auths, na) != NULL)
+		err(1, "auth tree corrupted");
+
+	return 1;
+}
+
 static inline int
 authcmp(struct auth *a, struct auth *b)
 {
diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h
index 43858a5722c..70d5c7d9b4c 100644
--- a/usr.sbin/rpki-client/extern.h
+++ b/usr.sbin/rpki-client/extern.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: extern.h,v 1.87 2021/11/01 09:12:18 claudio Exp $ */
+/*	$OpenBSD: extern.h,v 1.88 2021/11/01 17:00:34 claudio Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -128,7 +128,6 @@ struct cert {
 	char		*tal; /* basename of TAL for this cert */
 	enum cert_purpose	 purpose; /* Certificate Purpose (BGPSec or CA) */
 	char		*pubkey; /* Subject Public Key Info */
-	int		 valid; /* validated resources */
 	X509		*x509; /* the cert */
 	time_t		 expires; /* do not use after */
 };
@@ -277,7 +276,8 @@ struct auth {
 RB_HEAD(auth_tree, auth);
 RB_PROTOTYPE(auth_tree, auth, entry, authcmp);
 
-struct auth *auth_find(struct auth_tree *, const char *);
+struct auth	*auth_find(struct auth_tree *, const char *);
+int		 auth_insert(struct auth_tree *, struct cert *, struct auth *);
 
 /*
  * Resource types specified by the RPKI profiles.
@@ -359,8 +359,7 @@ struct stats {
 	size_t	 mfts_fail; /* failing syntactic parse */
 	size_t	 mfts_stale; /* stale manifests */
 	size_t	 certs; /* certificates */
-	size_t	 certs_fail; /* failing syntactic parse */
-	size_t	 certs_invalid; /* invalid resources */
+	size_t	 certs_fail; /* invalid certificate */
 	size_t	 roas; /* route origin authorizations */
 	size_t	 roas_fail; /* failing syntactic parse */
 	size_t	 roas_invalid; /* invalid resources */
@@ -378,7 +377,6 @@ struct stats {
 	size_t	 del_files; /* number of files removed in cleanup */
 	size_t	 del_dirs; /* number of directories removed in cleanup */
 	size_t	 brks; /* number of BGPsec Router Key (BRK) certificates */
-	size_t	 brks_invalids; /* invalid BGPsec certs */
 	char	*talnames;
 	struct timeval	elapsed_time;
 	struct timeval	user_time;
diff --git a/usr.sbin/rpki-client/main.c b/usr.sbin/rpki-client/main.c
index 33f9b0fb4d3..f05a4d01e3f 100644
--- a/usr.sbin/rpki-client/main.c
+++ b/usr.sbin/rpki-client/main.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: main.c,v 1.159 2021/10/31 16:00:14 claudio Exp $ */
+/*	$OpenBSD: main.c,v 1.160 2021/11/01 17:00:34 claudio Exp $ */
 /*
  * Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -497,24 +497,18 @@ entity_process(struct ibuf *b, struct stats *st, struct vrp_tree *tree,
 		}
 		cert = cert_read(b);
 		if (cert->purpose == CERT_PURPOSE_CA) {
-			if (cert->valid) {
-				/*
-				 * Process the revocation list from the
-				 * certificate *first*, since it might mark that
-				 * we're revoked and then we don't want to
-				 * process the MFT.
-				 */
-				queue_add_from_cert(cert);
-			} else
-				st->certs_invalid++;
+			/*
+			 * Process the revocation list from the
+			 * certificate *first*, since it might mark that
+			 * we're revoked and then we don't want to
+			 * process the MFT.
+			 */
+			queue_add_from_cert(cert);
 		} else if (cert->purpose == CERT_PURPOSE_BGPSEC_ROUTER) {
-			if (cert->valid) {
-				cert_insert_brks(brktree, cert);
-				st->brks++;
-			} else
-				st->brks_invalids++;
+			cert_insert_brks(brktree, cert);
+			st->brks++;
 		} else
-			st->certs_invalid++;
+			st->certs_fail++;
 		cert_free(cert);
 		break;
 	case RTYPE_MFT:
@@ -1184,10 +1178,9 @@ main(int argc, char *argv[])
 	    (long long)stats.system_time.tv_sec);
 	logx("Route Origin Authorizations: %zu (%zu failed parse, %zu invalid)",
 	    stats.roas, stats.roas_fail, stats.roas_invalid);
-	logx("BGPsec Router Certificates: %zu (%zu invalid)",
-	    stats.brks, stats.brks_invalids);
-	logx("Certificates: %zu (%zu failed parse, %zu invalid)",
-	    stats.certs, stats.certs_fail, stats.certs_invalid);
+	logx("BGPsec Router Certificates: %zu", stats.brks);
+	logx("Certificates: %zu (%zu invalid)",
+	    stats.certs, stats.certs_fail);
 	logx("Trust Anchor Locators: %zu", stats.tals);
 	logx("Manifests: %zu (%zu failed parse, %zu stale)",
 	    stats.mfts, stats.mfts_fail, stats.mfts_stale);
diff --git a/usr.sbin/rpki-client/output-json.c b/usr.sbin/rpki-client/output-json.c
index 38c5422c22f..d390179112f 100644
--- a/usr.sbin/rpki-client/output-json.c
+++ b/usr.sbin/rpki-client/output-json.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: output-json.c,v 1.20 2021/10/15 08:48:18 job Exp $ */
+/*	$OpenBSD: output-json.c,v 1.21 2021/11/01 17:00:34 claudio Exp $ */
 /*
  * Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
  *
@@ -47,9 +47,7 @@ outputheader_json(FILE *out, struct stats *st)
 	    "\t\t\"failedroas\": %zu,\n"
 	    "\t\t\"invalidroas\": %zu,\n"
 	    "\t\t\"bgpsec_pubkeys\": %zu,\n"
-	    "\t\t\"invalidbgpsec_pubkeys\": %zu,\n"
 	    "\t\t\"certificates\": %zu,\n"
-	    "\t\t\"failcertificates\": %zu,\n"
 	    "\t\t\"invalidcertificates\": %zu,\n"
 	    "\t\t\"tals\": %zu,\n"
 	    "\t\t\"talfiles\": \"%s\",\n"
@@ -67,8 +65,7 @@ outputheader_json(FILE *out, struct stats *st)
 	    hn, tbuf, (long long)st->elapsed_time.tv_sec,
 	    (long long)st->user_time.tv_sec, (long long)st->system_time.tv_sec,
 	    st->roas, st->roas_fail, st->roas_invalid,
-	    st->brks, st->brks_invalids,
-	    st->certs, st->certs_fail, st->certs_invalid,
+	    st->brks, st->certs, st->certs_fail,
 	    st->tals, st->talnames,
 	    st->mfts, st->mfts_fail, st->mfts_stale,
 	    st->crls,
diff --git a/usr.sbin/rpki-client/output.c b/usr.sbin/rpki-client/output.c
index 5e4c64d04ab..7578e04d50d 100644
--- a/usr.sbin/rpki-client/output.c
+++ b/usr.sbin/rpki-client/output.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: output.c,v 1.22 2021/10/11 16:50:03 job Exp $ */
+/*	$OpenBSD: output.c,v 1.23 2021/11/01 17:00:34 claudio Exp $ */
 /*
  * Copyright (c) 2019 Theo de Raadt <deraadt@openbsd.org>
  *
@@ -213,8 +213,8 @@ outputheader(FILE *out, struct stats *st)
 	    "# Generated on host %s at %s\n"
 	    "# Processing time %lld seconds (%lld seconds user, %lld seconds system)\n"
 	    "# Route Origin Authorizations: %zu (%zu failed parse, %zu invalid)\n"
-	    "# BGPsec Router Certificates: %zu (%zu invalid)\n"
-	    "# Certificates: %zu (%zu failed parse, %zu invalid)\n"
+	    "# BGPsec Router Certificates: %zu\n"
+	    "# Certificates: %zu (%zu invalid)\n"
 	    "# Trust Anchor Locators: %zu (%s)\n"
 	    "# Manifests: %zu (%zu failed parse, %zu stale)\n"
 	    "# Certificate revocation lists: %zu\n"
@@ -224,8 +224,7 @@ outputheader(FILE *out, struct stats *st)
 	    hn, tbuf, (long long)st->elapsed_time.tv_sec,
 	    (long long)st->user_time.tv_sec, (long long)st->system_time.tv_sec,
 	    st->roas, st->roas_fail, st->roas_invalid,
-	    st->brks, st->brks_invalids,
-	    st->certs, st->certs_fail, st->certs_invalid,
+	    st->brks, st->certs, st->certs_fail,
 	    st->tals, st->talnames,
 	    st->mfts, st->mfts_fail, st->mfts_stale,
 	    st->crls,
diff --git a/usr.sbin/rpki-client/parser.c b/usr.sbin/rpki-client/parser.c
index 4818354f3bc..3b0b300ebcd 100644
--- a/usr.sbin/rpki-client/parser.c
+++ b/usr.sbin/rpki-client/parser.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: parser.c,v 1.22 2021/11/01 09:12:18 claudio Exp $ */
+/*	$OpenBSD: parser.c,v 1.23 2021/11/01 17:00:34 claudio Exp $ */
 /*
  * Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -195,7 +195,7 @@ proc_parser_cert(const struct entity *entp, const unsigned char *der,
 	struct cert		*cert;
 	X509			*x509;
 	int			 c;
-	struct auth		*a = NULL, *na;
+	struct auth		*a = NULL;
 	STACK_OF(X509)		*chain;
 	STACK_OF(X509_CRL)	*crls;
 
@@ -237,28 +237,24 @@ proc_parser_cert(const struct entity *entp, const unsigned char *der,
 	sk_X509_free(chain);
 	sk_X509_CRL_free(crls);
 
+	if ((cert->tal = strdup(a->cert->tal)) == NULL)
+		err(1, NULL);
+
 	/* Validate the cert to get the parent */
 	if (!valid_cert(entp->file, &auths, cert)) {
 		X509_free(x509); // needed? XXX
-		return cert;
+		cert_free(cert);
+		return NULL;
 	}
 
 	/*
 	 * Add validated certs to the RPKI auth tree.
 	 */
-
-	cert->valid = 1;
-	if ((cert->tal = strdup(a->cert->tal)) == NULL)
-		err(1, NULL);
-
-	na = malloc(sizeof(*na));
-	if (na == NULL)
-		err(1, NULL);
-	na->parent = a;
-	na->cert = cert;
-
-	if (RB_INSERT(auth_tree, &auths, na) != NULL)
-		err(1, "auth tree corrupted");
+	if (!auth_insert(&auths, cert, a)) {
+		X509_free(x509); // needed? XXX
+		cert_free(cert);
+		return NULL;
+	}
 
 	return cert;
 }
@@ -282,7 +278,6 @@ proc_parser_root_cert(const struct entity *entp, const unsigned char *der,
 	X509_NAME		*name;
 	struct cert		*cert;
 	X509			*x509;
-	struct auth		*na;
 
 	assert(entp->has_data);
 
@@ -327,27 +322,23 @@ proc_parser_root_cert(const struct entity *entp, const unsigned char *der,
 		goto badcert;
 	}
 
-	/*
-	 * Add valid roots to the RPKI auth tree.
-	 */
-
-	cert->valid = 1;
 	if ((cert->tal = strdup(entp->descr)) == NULL)
 		err(1, NULL);
 
-	na = malloc(sizeof(*na));
-	if (na == NULL)
-		err(1, NULL);
-	na->parent = NULL;
-	na->cert = cert;
-
-	if (RB_INSERT(auth_tree, &auths, na) != NULL)
-		err(1, "auth tree corrupted");
+	/*
+	 * Add valid roots to the RPKI auth tree.
+	 */
+	if (!auth_insert(&auths, cert, NULL)) {
+		X509_free(x509); // needed? XXX
+		cert_free(cert);
+		return NULL;
+	}
 
 	return cert;
  badcert:
 	X509_free(x509); // needed? XXX
-	return cert;
+	cert_free(cert);
+	return NULL;
 }
 
 /*
-- 
2.20.1