From 894936b4b8452577a3563b18a19de62c56fe4c4d Mon Sep 17 00:00:00 2001
From: job
Date: Mon, 13 Mar 2023 19:51:49 +0000
Subject: [PATCH] In filemode, display the moment the signature path will expire
Previously this was only shown for ROA+ASPA. Now also show for GBR, Geofeed, Certs, RSC, and TAK.
OK tb@
---
 usr.sbin/rpki-client/extern.h | 12 ++++++++---
 usr.sbin/rpki-client/filemode.c | 35 ++++++++++++++++++++++++++-------
 usr.sbin/rpki-client/print.c | 12 ++++++++++-
 3 files changed, 48 insertions(+), 11 deletions(-)
diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h
index 74119a55112..cb8994ecee5 100644
--- a/usr.sbin/rpki-client/extern.h
+++ b/usr.sbin/rpki-client/extern.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: extern.h,v 1.174 2023/03/13 09:24:37 job Exp $ */
+/* $OpenBSD: extern.h,v 1.175 2023/03/13 19:51:49 job Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons
  *
@@ -141,6 +141,7 @@ struct cert {
 X509 *x509; /* the cert */
 time_t notbefore; /* cert's Not Before */
 time_t notafter; /* cert's Not After */
+ time_t expires; /* when the signature path expires */
 };
 
 /*
@@ -213,6 +214,7 @@ struct mft {
 time_t signtime; /* CMS signing-time attribute */
 time_t thisupdate; /* from the eContent */
 time_t nextupdate; /* from the eContent */
+ time_t expires; /* when the signature path expires */
 size_t filesz; /* number of filenames */
 unsigned int repoid;
 int stale; /* if a stale manifest */
@@ -248,7 +250,7 @@ struct roa {
 time_t signtime; /* CMS signing-time attribute */
 time_t notbefore; /* EE cert's Not Before */
 time_t notafter; /* EE cert's Not After */
- time_t expires; /* Transitive expiry moment */
+ time_t expires; /* when the signature path expires */
 };
 
 struct rscfile {
@@ -274,6 +276,7 @@ struct rsc {
 time_t signtime; /* CMS signing-time attribute */
 time_t notbefore; /* EE cert's Not Before */
 time_t notafter; /* Not After of the RSC EE */
+ time_t expires; /* when the signature path expires */
 };
 
 /*
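Review bot: The new `expires` member of struct cert (and the ones added to struct mft and struct rsc in this file's later hunks, and to tak, geofeed and gbr further on) only works with print.c's new `if (p->expires)` guard if the allocating parser zero-fills the struct, because 0 is being used as the "not computed" sentinel; the allocation sites are not part of this diff, so whether they use calloc rather than malloc is worth confirming. Spelling the sentinel out in the field comment would save the next reader that check: `time_t expires; /* when the signature path expires, 0 if not computed */`. The roa and aspa hunks only reword an existing comment and raise nothing.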
@@ -304,6 +307,7 @@ struct tak {
 time_t signtime; /* CMS signing-time attribute */
 time_t notbefore; /* EE cert's Not Before */
 time_t notafter; /* Not After of the TAK EE */
+ time_t expires; /* when the signature path expires */
 };
 
 /*
@@ -326,6 +330,7 @@ struct geofeed {
 time_t signtime; /* CMS signing-time attribute */
 time_t notbefore; /* EE cert's Not Before */
 time_t notafter; /* Not After of the Geofeed EE */
+ time_t expires; /* when the signature path expires */
 int valid; /* all resources covered */
 };
 
@@ -341,6 +346,7 @@ struct gbr {
 time_t signtime; /* CMS signing-time attribute */
 time_t notbefore; /* EE cert's Not Before */
 time_t notafter; /* Not After of the GBR EE */
+ time_t expires; /* when the signature path expires */
 };
 
 struct aspa_provider {
@@ -364,7 +370,7 @@ struct aspa {
 time_t signtime; /* CMS signing-time attribute */
 time_t notbefore; /* EE cert's Not Before */
 time_t notafter; /* notAfter of the ASPA EE cert */
- time_t expires; /* Transitive expiry moment */
+ time_t expires; /* when the signature path expires */
 };
 
 /*
diff --git a/usr.sbin/rpki-client/filemode.c b/usr.sbin/rpki-client/filemode.c
index 12649f2f27a..4aaec7f091e 100644
--- a/usr.sbin/rpki-client/filemode.c
+++ b/usr.sbin/rpki-client/filemode.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: filemode.c,v 1.25 2023/03/13 18:02:58 job Exp $ */
+/* $OpenBSD: filemode.c,v 1.26 2023/03/13 19:51:49 job Exp $ */
 /*
  * Copyright (c) 2019 Claudio Jeker
  * Copyright (c) 2019 Kristaps Dzonsons
@@ -354,12 +354,13 @@ proc_parser_file(char *file, unsigned char *buf, size_t len)
 cert = cert_parse(file, cert);
 if (cert == NULL)
 break;
- cert_print(cert);
 aia = cert->aia;
 aki = cert->aki;
 x509 = cert->x509;
 if (X509_up_ref(x509) == 0)
 errx(1, "%s: X509_up_ref failed", __func__);
+ expires = &cert->expires;
+ notafter = &cert->notafter;
 break;
 case RTYPE_CRL:
 crl = crl_parse(file, buf, len);
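Review bot: `expires` and `notafter` are pointed into the parsed object here (and in the mft, gbr, geofeed, rsc and tak arms of the next two hunks), but the RTYPE_CRL arm visible at the bottom of this hunk, and RTYPE_TAL later, leave both untouched, so the code after the switch that reads through them must tolerate NULL for those types; the declarations, initializers and the consumer are all outside the hunk, so I cannot confirm they start out NULL. A one-line comment at the first assignment would make that contract visible to the next person adding a type: `/* expires/notafter point into the parsed object; left NULL for types without a signature path */`. proc_parser_file starts before and continues past this hunk.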
@@ -371,25 +372,28 @@ proc_parser_file(char *file, unsigned char *buf, size_t len)
 mft = mft_parse(&x509, file, buf, len);
 if (mft == NULL)
 break;
- mft_print(x509, mft);
 aia = mft->aia;
 aki = mft->aki;
+ expires = &mft->expires;
+ notafter = &mft->nextupdate;
 break;
 case RTYPE_GBR:
 gbr = gbr_parse(&x509, file, buf, len);
 if (gbr == NULL)
 break;
- gbr_print(x509, gbr);
 aia = gbr->aia;
 aki = gbr->aki;
+ expires = &gbr->expires;
+ notafter = &gbr->notafter;
 break;
 case RTYPE_GEOFEED:
 geofeed = geofeed_parse(&x509, file, buf, len);
 if (geofeed == NULL)
 break;
- geofeed_print(x509, geofeed);
 aia = geofeed->aia;
 aki = geofeed->aki;
+ expires = &geofeed->expires;
+ notafter = &geofeed->notafter;
 break;
 case RTYPE_ROA:
 roa = roa_parse(&x509, file, buf, len);
@@ -404,17 +408,19 @@ proc_parser_file(char *file, unsigned char *buf, size_t len)
 rsc = rsc_parse(&x509, file, buf, len);
 if (rsc == NULL)
 break;
- rsc_print(x509, rsc);
 aia = rsc->aia;
 aki = rsc->aki;
+ expires = &rsc->expires;
+ notafter = &rsc->notafter;
 break;
 case RTYPE_TAK:
 tak = tak_parse(&x509, file, buf, len);
 if (tak == NULL)
 break;
- tak_print(x509, tak);
 aia = tak->aia;
 aki = tak->aki;
+ expires = &tak->expires;
+ notafter = &tak->notafter;
 break;
 case RTYPE_TAL:
 tal = tal_parse(file, buf, len);
@@ -478,9 +484,24 @@ proc_parser_file(char *file, unsigned char *buf, size_t len)
 case RTYPE_ASPA:
 aspa_print(x509, aspa);
 break;
+ case RTYPE_GBR:
+ gbr_print(x509, gbr);
+ break;
+ case RTYPE_GEOFEED:
+ geofeed_print(x509, geofeed);
+ break;
+ case RTYPE_MFT:
+ mft_print(x509, mft);
+ break;
 case RTYPE_ROA:
 roa_print(x509, roa);
 break;
+ case RTYPE_RSC:
+ rsc_print(x509, rsc);
+ break;
+ case RTYPE_TAK:
+ tak_print(x509, tak);
+ break;
 default:
 break;
 }
diff --git a/usr.sbin/rpki-client/print.c b/usr.sbin/rpki-client/print.c
index 63b7ff9b944..4c7cabbaf7f 100644
--- a/usr.sbin/rpki-client/print.c
+++ b/usr.sbin/rpki-client/print.c
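Review bot: In the RTYPE_MFT arm `notafter` is pointed at `mft->nextupdate`, whereas every other arm points it at an EE-certificate notAfter; the extern.h hunk shows struct mft has no `notafter` member, so this looks deliberate, but the asymmetry is easy to misread as a slip and deserves a comment at the assignment, e.g. `notafter = &mft->nextupdate; /* struct mft keeps no EE notAfter; nextUpdate bounds the manifest */`. The same pointer pattern in the gbr and geofeed arms of this hunk, and the rsc and tak arms of the next, is consistent and raises nothing. proc_parser_file starts before and continues past this hunk.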
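Review bot: The print switch gains arms for GBR, GEOFEED, MFT, RSC and TAK but none for RTYPE_CERT, although `cert_print(cert)` was removed from the parse switch in the earlier `@@ -354` hunk and no replacement call appears anywhere in this diff; unless a `case RTYPE_CERT:` already sits above line 478 outside the hunk, certificates are no longer printed at all in filemode, which contradicts the commit message ("Now also show for ... Certs"). If that is the case the fix is the three lines `case RTYPE_CERT:` / `cert_print(cert);` / `break;`, in alphabetical order after the ASPA arm so the switch stays sorted like the new arms are. The enclosing function starts well before this hunk.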
@@ -1,4 +1,4 @@
-/* $OpenBSD: print.c,v 1.33 2023/03/13 18:02:58 job Exp $ */
+/* $OpenBSD: print.c,v 1.34 2023/03/13 19:51:49 job Exp $ */
 /*
  * Copyright (c) 2021 Claudio Jeker
  * Copyright (c) 2019 Kristaps Dzonsons
@@ -184,6 +184,8 @@ cert_print(const struct cert *p)
 printf("\t\"router_key\": \"%s\",\n", p->pubkey);
 printf("\t\"valid_since\": %lld,\n", (long long)p->notbefore);
 printf("\t\"valid_until\": %lld,\n", (long long)p->notafter);
+ if (p->expires)
+ printf("\t\"expires\": %lld,\n", (long long)p->expires);
 printf("\t\"subordinate_resources\": [\n");
 } else {
 printf("Subject key identifier: %s\n", pretty_key_id(p->ski));
@@ -392,6 +394,8 @@ mft_print(const X509 *x, const struct mft *p)
 (long long)p->signtime);
 printf("\t\"valid_since\": %lld,\n", (long long)p->thisupdate);
 printf("\t\"valid_until\": %lld,\n", (long long)p->nextupdate);
+ if (p->expires)
+ printf("\t\"expires\": %lld,\n", (long long)p->expires);
 } else {
 printf("Subject key identifier: %s\n", pretty_key_id(p->ski));
 printf("Authority key identifier: %s\n", pretty_key_id(p->aki));
@@ -513,6 +517,8 @@ gbr_print(const X509 *x, const struct gbr *p)
 (long long)p->signtime);
 printf("\t\"valid_since\": %lld,\n", (long long)p->notbefore);
 printf("\t\"valid_until\": %lld,\n", (long long)p->notafter);
+ if (p->expires)
+ printf("\t\"expires\": %lld,\n", (long long)p->expires);
 printf("\t\"vcard\": \"");
 for (i = 0; i < strlen(p->vcard); i++) {
 if (p->vcard[i] == '"')
@@ -559,6 +565,8 @@ rsc_print(const X509 *x, const struct rsc *p)
 (long long)p->signtime);
 printf("\t\"valid_since\": %lld,\n", (long long)p->notbefore);
 printf("\t\"valid_until\": %lld,\n", (long long)p->notafter);
+ if (p->expires)
+ printf("\t\"expires\": %lld,\n", (long long)p->expires);
 printf("\t\"signed_with_resources\": [\n");
 } else {
 printf("Subject key identifier: %s\n", pretty_key_id(p->ski));
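Review bot: The `"expires"` member in cert_print is emitted only when `p->expires` is non-zero, so it becomes an optional key in the JSON output, and the same holds for the identical two lines added to mft_print, gbr_print, rsc_print and tak_print in the following hunks; consumers of the JSON need to know the key may be absent, which should be recorded wherever the output format is documented (not part of this diff). With the block now repeated in at least five print functions, a small `static void print_expires(time_t t)` helper emitting the guarded line would keep the output format in one place. These hunks only touch the JSON branch of each function; whether the text-mode `else` branch also reports the expiry is decided outside them.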
@@ -810,6 +818,8 @@ tak_print(const X509 *x, const struct tak *p)
 (long long)p->signtime);
 printf("\t\"valid_since\": %lld,\n", (long long)p->notbefore);
 printf("\t\"valid_until\": %lld,\n", (long long)p->notafter);
+ if (p->expires)
+ printf("\t\"expires\": %lld,\n", (long long)p->expires);
 printf("\t\"takeys\": [\n");
 } else {
 printf("Subject key identifier: %s\n", pretty_key_id(p->ski));
-- 
2.20.1