Up to [local] / src / usr.sbin / rpki-client
Default branch: MAIN
Revision 1.16, Wed Feb 21 09:17:06 2024 UTC (3 months, 1 week ago) by tb
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5, HEAD
Changes since 1.15: +21 -28 lines
rpki-client: remove the remaining struct parse
With the exception of mft.c where there is an additional boolean, this struct carries a file name and a result. This means functions having struct parse in the signature can't be shared between files, which has been annoying.
Simply pass file name and necessary info directly as a function parameter and add a small dance to handle the boolean in mft.c.
ok job
Revision 1.15, Fri Oct 13 12:06:49 2023 UTC (7 months, 2 weeks ago) by job
Branch: MAIN
Changes since 1.14: +2 -2 lines
Allow imposing constraints on RPKI trust anchors
The ability to constrain a RPKI Trust Anchor's effective signing authority to a limited set of Internet Number Resources allows Relying Parties to enjoy the potential benefits of assuming trust, within a bounded scope.
Some examples: ARIN does not support inter-RIR IPv6 transfers, so it wouldn't make any sense to see a ROA subordinate to ARIN's trust anchor covering RIPE-managed IPv6 space. Conversely, it wouldn't make sense to observe a ROA covering ARIN-managed IPv6 space under APNIC's, LACNIC's, or RIPE's trust anchor - even if a derived trust arc (a cryptographically valid certificate path) existed. Along these same lines, AFRINIC doesn't support inter-RIR transfers of any kind, and none of the RIRs have authority over private resources like 10.0.0.0/8 and 2001:db8::/32.
For more background see:
https://datatracker.ietf.org/doc/draft-snijders-constraining-rpki-trust-anchors/
https://mailman.nanog.org/pipermail/nanog/2023-September/223354.html
With and OK tb@, OK claudio@
Revision 1.14, Mon Sep 25 11:08:45 2023 UTC (8 months, 1 week ago) by tb
Branch: MAIN
CVS Tags: OPENBSD_7_4_BASE, OPENBSD_7_4
Changes since 1.13: +2 -2 lines
Pass the talid to various parse functions
This will be needed by an upcoming feature where we will need to know what trust anchor a given cert chains to. This doesn't change anything except the size of the diff.
ok claudio job
Revision 1.13, Fri Mar 10 12:44:56 2023 UTC (14 months, 3 weeks ago) by job
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE, OPENBSD_7_3
Changes since 1.12: +2 -2 lines
mechanical change, rename struct members to match the original X509 names
OK tb@
Revision 1.12, Fri Mar 10 12:02:11 2023 UTC (14 months, 3 weeks ago) by job
Branch: MAIN
Changes since 1.11: +3 -9 lines
Show the X.509 notBefore in filemode
OK tb@
Revision 1.11, Thu Mar 9 09:46:21 2023 UTC (14 months, 3 weeks ago) by job
Branch: MAIN
Changes since 1.10: +2 -2 lines
Show CMS signing-time signed attribute in filemode
OK tb@
Revision 1.10, Wed Dec 28 13:21:11 2022 UTC (17 months ago) by tb
Branch: MAIN
Changes since 1.9: +5 -3 lines
style(9) for includes
Revision 1.9, Wed Dec 28 12:16:35 2022 UTC (17 months ago) by tb
Branch: MAIN
Changes since 1.8: +13 -7 lines
Properly ignore comments in geofeed files
Do not consider comments and whitespace leading up to a comment as part of the line.
ok claudio job
Revision 1.8, Wed Dec 14 10:45:34 2022 UTC (17 months, 2 weeks ago) by job
Branch: MAIN
Changes since 1.7: +2 -2 lines
Always initialize b64sz
OK tb@
Revision 1.7, Mon Nov 28 15:22:13 2022 UTC (18 months ago) by tb
Branch: MAIN
Changes since 1.6: +2 -2 lines
Use ssize_t instead of int as requested on review
discussed with job
Revision 1.6, Sun Nov 27 20:50:09 2022 UTC (18 months ago) by job
Branch: MAIN
Changes since 1.5: +4 -3 lines
BIO_puts return values can be ambiguous, improve the check
OK tb@
Revision 1.5, Sat Nov 26 23:05:22 2022 UTC (18 months ago) by tb
Branch: MAIN
Changes since 1.4: +3 -1 lines
Missing return value check for BIO_new()
Revision 1.4, Sat Nov 26 17:06:43 2022 UTC (18 months ago) by job
Branch: MAIN
Changes since 1.3: +6 -1 lines
Disallow 'inherit' elements in geofeed authenticators
RFC 9092 is underspecified in this regard, but other signed objects relating to Internet number resources (ROA, BGPsec, ASPA, RSC) all disallow inherit.
See https://mailarchive.ietf.org/arch/msg/opsawg/JXjxCA14BkW4DWyVoUMwqDvB17I/
OK tb@
Revision 1.3, Sat Nov 26 16:42:04 2022 UTC (18 months ago) by job
Branch: MAIN
Changes since 1.2: +2 -2 lines
Fix warning message (Geofeed authenticators don't have a SIA)
Revision 1.2, Sat Nov 26 15:45:47 2022 UTC (18 months ago) by tb
Branch: MAIN
Changes since 1.1: +12 -11 lines
Two small tweaks to the geofeed code
Only allocate b64 when it is needed. This way we can avoid allocating extra memory for the signed data itself.
Also, only check for the end signature marker when it is actually expected. It's not forbidden - if stupid - to have a comment '# End Signature:' in the signed data.
ok job
Revision 1.1, Sat Nov 26 12:02:37 2022 UTC (18 months ago) by job
Branch: MAIN
Add support for authenticating geofeed data CSV files in filemode
RFC 9092 describes a scheme in which an authenticator is appended to a geofeed (RFC 8805) file. It is a digest of the main body of the file signed by the private key of the relevant RPKI certificate for a covering address range. The authenticator is a detached CMS signature.
with and OK tb@