From 534b66744e524ce410e2e89e31afae364e1a3e71 Mon Sep 17 00:00:00 2001 From: job Date: Sun, 12 Mar 2023 11:54:56 +0000 Subject: [PATCH] Refactor expiration calculation Unify common code paths which find the exact expiry moment into a new helper function. Additionally, the new helper offers more accuracy by checking more applicable CRLs whether their 'nextupdate' is 'sooner'. tb@ noted: The helper adds a multiplier of log(#crls), but that's certainly acceptable as it is still very cheap. OK tb@ --- usr.sbin/rpki-client/aspa.c | 8 ++++---- usr.sbin/rpki-client/extern.h | 5 ++++- usr.sbin/rpki-client/mft.c | 4 ++-- usr.sbin/rpki-client/parser.c | 25 +++---------------------- usr.sbin/rpki-client/roa.c | 8 ++++---- usr.sbin/rpki-client/x509.c | 24 +++++++++++++++++++++++- 6 files changed, 40 insertions(+), 34 deletions(-) diff --git a/usr.sbin/rpki-client/aspa.c b/usr.sbin/rpki-client/aspa.c index bed7fe2d99d..79a98caea0a 100644 --- a/usr.sbin/rpki-client/aspa.c +++ b/usr.sbin/rpki-client/aspa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: aspa.c,v 1.15 2023/03/12 11:46:35 tb Exp $ */ +/* $OpenBSD: aspa.c,v 1.16 2023/03/12 11:54:56 job Exp $ */ /* * Copyright (c) 2022 Job Snijders * Copyright (c) 2022 Theo Buehler @@ -283,7 +283,7 @@ aspa_buffer(struct ibuf *b, const struct aspa *p) { io_simple_buffer(b, &p->valid, sizeof(p->valid)); io_simple_buffer(b, &p->custasid, sizeof(p->custasid)); - io_simple_buffer(b, &p->notafter, sizeof(p->notafter)); + io_simple_buffer(b, &p->expires, sizeof(p->expires)); io_simple_buffer(b, &p->providersz, sizeof(size_t)); io_simple_buffer(b, p->providers, @@ -309,7 +309,7 @@ aspa_read(struct ibuf *b) io_read_buf(b, &p->valid, sizeof(p->valid)); io_read_buf(b, &p->custasid, sizeof(p->custasid)); - io_read_buf(b, &p->notafter, sizeof(p->notafter)); + io_read_buf(b, &p->expires, sizeof(p->expires)); io_read_buf(b, &p->providersz, sizeof(size_t)); if ((p->providers = calloc(p->providersz, @@ -355,7 +355,7 @@ aspa_insert_vaps(struct vap_tree *tree, struct aspa *aspa, struct repo *rp) if ((v = calloc(1, sizeof(*v))) == NULL) err(1, NULL); v->custasid = aspa->custasid; - v->expires = aspa->notafter; + v->expires = aspa->expires; if ((found = RB_INSERT(vap_tree, tree, v)) != NULL) { if (found->expires > v->expires) diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h index 8f0623e453d..4e6b956fd6f 100644 --- a/usr.sbin/rpki-client/extern.h +++ b/usr.sbin/rpki-client/extern.h @@ -1,4 +1,4 @@ -/* $OpenBSD: extern.h,v 1.172 2023/03/10 12:44:56 job Exp $ */ +/* $OpenBSD: extern.h,v 1.173 2023/03/12 11:54:56 job Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons * @@ -248,6 +248,7 @@ struct roa { time_t signtime; /* CMS signing-time attribute */ time_t notbefore; /* EE cert's Not Before */ time_t notafter; /* EE cert's Not After */ + time_t expires; /* Transitive expiry moment */ }; struct rscfile { @@ -363,6 +364,7 @@ struct aspa { time_t signtime; /* CMS signing-time attribute */ time_t notbefore; /* EE cert's Not Before */ time_t notafter; /* notAfter of the ASPA EE cert */ + time_t expires; /* Transitive expiry moment */ }; /* @@ -825,6 +827,7 @@ int x509_location(const char *, const char *, const char *, GENERAL_NAME *, char **); int x509_inherits(X509 *); int x509_any_inherits(X509 *); +time_t x509_find_expires(time_t, struct auth *, struct crl_tree *); /* printers */ char *time2str(time_t); diff --git a/usr.sbin/rpki-client/mft.c b/usr.sbin/rpki-client/mft.c index 2345d0fc586..a8848ed4856 100644 --- a/usr.sbin/rpki-client/mft.c +++ b/usr.sbin/rpki-client/mft.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mft.c,v 1.85 2023/03/12 11:46:35 tb Exp $ */ +/* $OpenBSD: mft.c,v 1.86 2023/03/12 11:54:56 job Exp $ */ /* * Copyright (c) 2022 Theo Buehler * Copyright (c) 2019 Kristaps Dzonsons @@ -76,7 +76,7 @@ ASN1_SEQUENCE(FileAndHash) = { } ASN1_SEQUENCE_END(FileAndHash); ASN1_SEQUENCE(Manifest) = { - ASN1_EXP_OPT(Manifest, version, ASN1_INTEGER, 0), + ASN1_IMP_OPT(Manifest, version, ASN1_INTEGER, 0), ASN1_SIMPLE(Manifest, manifestNumber, ASN1_INTEGER), ASN1_SIMPLE(Manifest, thisUpdate, ASN1_GENERALIZEDTIME), ASN1_SIMPLE(Manifest, nextUpdate, ASN1_GENERALIZEDTIME), diff --git a/usr.sbin/rpki-client/parser.c b/usr.sbin/rpki-client/parser.c index a38be796aa3..66fab3d4b02 100644 --- a/usr.sbin/rpki-client/parser.c +++ b/usr.sbin/rpki-client/parser.c @@ -1,4 +1,4 @@ -/* $OpenBSD: parser.c,v 1.87 2023/03/10 12:44:56 job Exp $ */ +/* $OpenBSD: parser.c,v 1.88 2023/03/12 11:54:56 job Exp $ */ /* * Copyright (c) 2019 Claudio Jeker * Copyright (c) 2019 Kristaps Dzonsons @@ -149,20 +149,7 @@ proc_parser_roa(char *file, const unsigned char *der, size_t len) roa->talid = a->cert->talid; - /* - * Check CRL to figure out the soonest transitive expiry moment - */ - if (crl != NULL && roa->notafter > crl->nextupdate) - roa->notafter = crl->nextupdate; - - /* - * Scan the cert tree to figure out the soonest transitive - * expiry moment - */ - for (; a != NULL; a = a->parent) { - if (roa->notafter > a->cert->notafter) - roa->notafter = a->cert->notafter; - } + roa->expires = x509_find_expires(roa->notafter, a, &crlt); return roa; } @@ -541,13 +528,7 @@ proc_parser_aspa(char *file, const unsigned char *der, size_t len) aspa->talid = a->cert->talid; - if (crl != NULL && aspa->notafter > crl->nextupdate) - aspa->notafter = crl->nextupdate; - - for (; a != NULL; a = a->parent) { - if (aspa->notafter > a->cert->notafter) - aspa->notafter = a->cert->notafter; - } + aspa->expires = x509_find_expires(aspa->notafter, a, &crlt); return aspa; } diff --git a/usr.sbin/rpki-client/roa.c b/usr.sbin/rpki-client/roa.c index 0cc1143ad5b..eba2a474458 100644 --- a/usr.sbin/rpki-client/roa.c +++ b/usr.sbin/rpki-client/roa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: roa.c,v 1.64 2023/03/12 11:46:35 tb Exp $ */ +/* $OpenBSD: roa.c,v 1.65 2023/03/12 11:54:56 job Exp $ */ /* * Copyright (c) 2022 Theo Buehler * Copyright (c) 2019 Kristaps Dzonsons @@ -310,7 +310,7 @@ roa_buffer(struct ibuf *b, const struct roa *p) io_simple_buffer(b, &p->asid, sizeof(p->asid)); io_simple_buffer(b, &p->talid, sizeof(p->talid)); io_simple_buffer(b, &p->ipsz, sizeof(p->ipsz)); - io_simple_buffer(b, &p->notafter, sizeof(p->notafter)); + io_simple_buffer(b, &p->expires, sizeof(p->expires)); io_simple_buffer(b, p->ips, p->ipsz * sizeof(p->ips[0])); @@ -336,7 +336,7 @@ roa_read(struct ibuf *b) io_read_buf(b, &p->asid, sizeof(p->asid)); io_read_buf(b, &p->talid, sizeof(p->talid)); io_read_buf(b, &p->ipsz, sizeof(p->ipsz)); - io_read_buf(b, &p->notafter, sizeof(p->notafter)); + io_read_buf(b, &p->expires, sizeof(p->expires)); if ((p->ips = calloc(p->ipsz, sizeof(struct roa_ip))) == NULL) err(1, NULL); @@ -373,7 +373,7 @@ roa_insert_vrps(struct vrp_tree *tree, struct roa *roa, struct repo *rp) v->repoid = repo_id(rp); else v->repoid = 0; - v->expires = roa->notafter; + v->expires = roa->expires; /* * Check if a similar VRP already exists in the tree. diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c index 24a01f8baee..cd53ecf9c85 100644 --- a/usr.sbin/rpki-client/x509.c +++ b/usr.sbin/rpki-client/x509.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509.c,v 1.68 2023/03/10 12:44:56 job Exp $ */ +/* $OpenBSD: x509.c,v 1.69 2023/03/12 11:54:56 job Exp $ */ /* * Copyright (c) 2022 Theo Buehler * Copyright (c) 2021 Claudio Jeker @@ -830,3 +830,25 @@ x509_convert_seqnum(const char *fn, const ASN1_INTEGER *i) BN_free(seqnum); return s; } + +/* + * Find the closest expiry moment by walking the chain of authorities. + */ +time_t +x509_find_expires(time_t notafter, struct auth *a, struct crl_tree *crlt) +{ + struct crl *crl; + time_t expires; + + expires = notafter; + + for (; a != NULL; a = a->parent) { + if (expires > a->cert->notafter) + expires = a->cert->notafter; + crl = crl_get(crlt, a); + if (crl != NULL && expires > crl->nextupdate) + expires = crl->nextupdate; + } + + return expires; +} -- 2.20.1