![[BACK]](/icons/back.gif){kind=icon}
Up to [local] / src / usr.sbin / rpki-client
Request diff between arbitrary revisions
Default branch: MAIN
Revision 1.20 / (download) - annotate - [select for diffs], Wed May 15 09:01:36 2024 UTC (3 weeks, 5 days ago) by tb
Branch: MAIN
CVS Tags: HEAD
Changes since 1.19: +2 -1 lines
Diff to previous 1.19 (colored)
rpki-client: don't leak sia from struct tak. ok claudio
Revision 1.19 / (download) - annotate - [select for diffs], Wed Feb 21 09:17:06 2024 UTC (3 months, 2 weeks ago) by tb
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE,
OPENBSD_7_5
Changes since 1.18: +26 -39 lines
Diff to previous 1.18 (colored)
rpki-client: remove the remaining struct parse With the exception of mft.c where there is an additional boolean, this struct carries a file name and a result. This means functions having struct parse in the signature can't be shared between files, which has been annoying. Simply pass file name and necessary info directly as a function parameter and add a small dance to handle the boolean in mft.c. ok job
Revision 1.18 / (download) - annotate - [select for diffs], Fri Feb 16 15:13:49 2024 UTC (3 months, 3 weeks ago) by tb
Branch: MAIN
Changes since 1.17: +10 -10 lines
Diff to previous 1.17 (colored)
Use _asn1 suffix for some aspa/mft/roa/rsc/tak This would otherwie clash with an upcoming replacement of struct parse. ok job
Revision 1.17 / (download) - annotate - [select for diffs], Fri Feb 16 05:18:29 2024 UTC (3 months, 3 weeks ago) by tb
Branch: MAIN
Changes since 1.16: +9 -26 lines
Diff to previous 1.16 (colored)
Factor SKI calculation into a helper This is a straightforward deduplication and simplification made more obvious by prior refactoring by job. "sure" claudio
Revision 1.16 / (download) - annotate - [select for diffs], Tue Feb 13 22:44:21 2024 UTC (3 months, 3 weeks ago) by job
Branch: MAIN
Changes since 1.15: +4 -1 lines
Diff to previous 1.15 (colored)
Add explicit ASN1_ITEM_EXP prototypes In LibreSSL *_it are variables, in other implementations they might be a function. This helps squash compiler warnings in -portable. Related: https://github.com/openbsd/src/commit/65af98848fc7a42e34d470d10fc1db8e23f9db93 OK tb@
Revision 1.15 / (download) - annotate - [select for diffs], Tue Feb 13 21:18:55 2024 UTC (3 months, 3 weeks ago) by job
Branch: MAIN
Changes since 1.14: +28 -35 lines
Diff to previous 1.14 (colored)
Refactor parse_takey() Avoid i2d_RSAPublicKey() to help with future portability efforts. Avoid a complication related to size_t/int for the return value of i2d_X509_PUBKEY. While there, change the out label to 'err'. OK tb@
Revision 1.14 / (download) - annotate - [select for diffs], Mon Feb 5 19:23:58 2024 UTC (4 months ago) by job
Branch: MAIN
Changes since 1.13: +11 -4 lines
Diff to previous 1.13 (colored)
Check whether all data in eContent has been consumed It is possible that a given ASN.1 template generated d2i_*() function didn't consume all data, so there is a potential for malleability. The econtent is a sequence (which means it could be the concatenation of several DER "blobs"). d2i_*() would only deserialize the first one and not notice blobs following it. OK tb@
Revision 1.13 / (download) - annotate - [select for diffs], Fri Oct 13 12:06:49 2023 UTC (7 months, 4 weeks ago) by job
Branch: MAIN
Changes since 1.12: +2 -2 lines
Diff to previous 1.12 (colored)
Allow imposing constraints on RPKI trust anchors The ability to constrain a RPKI Trust Anchor's effective signing authority to a limited set of Internet Number Resources allows Relying Parties to enjoy the potential benefits of assuming trust, within a bounded scope. Some examples: ARIN does not support inter-RIR IPv6 transfers, so it wouldn't make any sense to see a ROA subordinate to ARIN's trust anchor covering RIPE-managed IPv6 space. Conversely, it wouldn't make sense to observe a ROA covering ARIN-managed IPv6 space under APNIC's, LACNIC's, or RIPE's trust anchor - even if a derived trust arc (a cryptographically valid certificate path) existed. Along these same lines, AFRINIC doesn't support inter-RIR transfers of any kind, and none of the RIRs have authority over private resources like 10.0.0.0/8 and 2001:db8::/32. For more background see: https://datatracker.ietf.org/doc/draft-snijders-constraining-rpki-trust-anchors/ https://mailman.nanog.org/pipermail/nanog/2023-September/223354.html With and OK tb@, OK claudio@
Revision 1.12 / (download) - annotate - [select for diffs], Mon Sep 25 11:08:45 2023 UTC (8 months, 2 weeks ago) by tb
Branch: MAIN
CVS Tags: OPENBSD_7_4_BASE,
OPENBSD_7_4
Changes since 1.11: +3 -2 lines
Diff to previous 1.11 (colored)
Pass the talid to various parse functions This will be needed by an upcoming feature where we will need to know what trust anchor a given cert chains to. This doesn't change anything except the size of the diff. ok claudio job
Revision 1.11 / (download) - annotate - [select for diffs], Thu Jun 29 10:28:25 2023 UTC (11 months, 1 week ago) by tb
Branch: MAIN
Changes since 1.10: +2 -2 lines
Diff to previous 1.10 (colored)
Retire log.c
Convert all cryptowarnx() and cryptoerrx() to appropriate versions of
warn() and err{,x}(). Neither users nor developers benefit from them.
If we need better errors, we need to do some thinking. libcrypto won't
do that for us.
suggested by claudio
ok job
Revision 1.10 / (download) - annotate - [select for diffs], Tue Jun 20 12:39:50 2023 UTC (11 months, 3 weeks ago) by job
Branch: MAIN
Changes since 1.9: +6 -1 lines
Diff to previous 1.9 (colored)
Add compliance checks for the version, KU, and EKU of TAK/MFT/GBR EE certs OK tb@
Revision 1.9 / (download) - annotate - [select for diffs], Wed Jun 7 10:46:34 2023 UTC (12 months ago) by job
Branch: MAIN
Changes since 1.8: +2 -2 lines
Diff to previous 1.8 (colored)
In anticipation of a bump of the ASPA eContent profile version, update valid_econtent_version() to allow for non-zero versions. OK tb@
Revision 1.8 / (download) - annotate - [select for diffs], Sun Mar 12 11:46:35 2023 UTC (14 months, 4 weeks ago) by tb
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE,
OPENBSD_7_3
Changes since 1.7: +2 -2 lines
Diff to previous 1.7 (colored)
Initialize the local signtime variable in the individual *_parse() functions ok job
Revision 1.7 / (download) - annotate - [select for diffs], Fri Mar 10 12:44:56 2023 UTC (15 months ago) by job
Branch: MAIN
Changes since 1.6: +2 -2 lines
Diff to previous 1.6 (colored)
mechanical change, rename struct members to match the original X509 names OK tb@
Revision 1.6 / (download) - annotate - [select for diffs], Fri Mar 10 12:02:11 2023 UTC (15 months ago) by job
Branch: MAIN
Changes since 1.5: +3 -9 lines
Diff to previous 1.5 (colored)
Show the X.509 notBefore in filemode OK tb@
Revision 1.5 / (download) - annotate - [select for diffs], Thu Mar 9 18:53:24 2023 UTC (15 months ago) by tb
Branch: MAIN
Changes since 1.4: +2 -3 lines
Diff to previous 1.4 (colored)
Unwrap a few lines and zap a tab
Revision 1.4 / (download) - annotate - [select for diffs], Thu Mar 9 15:48:51 2023 UTC (15 months ago) by job
Branch: MAIN
Changes since 1.3: +4 -2 lines
Diff to previous 1.3 (colored)
Fix segfault in filemode for TAK objects
Revision 1.3 / (download) - annotate - [select for diffs], Thu Mar 9 09:46:21 2023 UTC (15 months ago) by job
Branch: MAIN
Changes since 1.2: +3 -2 lines
Diff to previous 1.2 (colored)
Show CMS signing-time signed attribute in filemode OK tb@
Revision 1.2 / (download) - annotate - [select for diffs], Fri Nov 4 09:43:13 2022 UTC (19 months ago) by job
Branch: MAIN
Changes since 1.1: +6 -3 lines
Diff to previous 1.1 (colored)
Check the SIA signedObject in ROA/MFT/ASPA/TAK/GBR EE certificates Unfortunately we can't yet error out when accessMethods other than signedObject are encountered in the SubjectInformationAccess extension because there is pollution in the ecosystem. OK tb@
Revision 1.1 / (download) - annotate - [select for diffs], Wed Nov 2 12:43:02 2022 UTC (19 months, 1 week ago) by job
Branch: MAIN
Add support for draft-ietf-sidrops-signed-tal-12 Add support validation of Signed Objects containing Trust Anchor Keys (TAKs - aka 'Signed TALs'). Signed TALs provide a mechanism for RIRs to distribute and sign the next Trust Anchor with the current Trust Anchor. This might be an improvement over visiting RIR websites and copy+pasting TAL data by hand. OK tb@