authorJob Snijders <job@cvs.openbsd.org>2022-08-25 17:31:27 +0000
committerJob Snijders <job@cvs.openbsd.org>2022-08-25 17:31:27 +0000
commitb2e05b253b5bcf290f7685eebc7aef84b33f0994 (patch)
tree3933fe1fa053ba574c6e7dcf9acd2a20052b352f
parent1a3ab5c28d7ed61ce88091c13956fbd420c1cba9 (diff)
In verbose filemode print details about encapsulated certificates.
Add command line flag to print the certificate in PEM format. OK tb@
-rw-r--r--usr.sbin/rpki-client/filemode.c25
-rw-r--r--usr.sbin/rpki-client/main.c11
-rw-r--r--usr.sbin/rpki-client/rpki-client.87
3 files changed, 36 insertions, 7 deletions
diff --git a/usr.sbin/rpki-client/filemode.c b/usr.sbin/rpki-client/filemode.c
index 32121eec637..86a82038637 100644
--- a/usr.sbin/rpki-client/filemode.c
+++ b/usr.sbin/rpki-client/filemode.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: filemode.c,v 1.10 2022/08/25 17:11:34 job Exp $ */
+/* $OpenBSD: filemode.c,v 1.11 2022/08/25 17:31:26 job Exp $ */
/*
* Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -34,11 +34,15 @@
#include <openssl/asn1.h>
#include <openssl/err.h>
#include <openssl/evp.h>
+#include <openssl/pem.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include "extern.h"
+extern int printpem;
+extern int verbose;
+
static X509_STORE_CTX *ctx;
static struct auth_tree auths = RB_INITIALIZER(&auths);
static struct crl_tree crlt = RB_INITIALIZER(&crlt);
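Review bot: The two `extern int` declarations are added directly in filemode.c, although the file already includes the project header `extern.h` a few lines above. Declaring the flag there instead (`extern int printpem;`, and `verbose` too if that header does not already carry it) keeps one declaration that main.c's definition is compiled against. A later change of type then cannot silently diverge between translation units.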
@@ -419,9 +423,26 @@ proc_parser_file(char *file, unsigned char *buf, size_t len)
if (outformats & FORMAT_JSON)
printf("\"\n}\n");
- else
+ else {
printf("\n");
+ if (x509 == NULL)
+ goto out;
+ if (type == RTYPE_TAL || type == RTYPE_CRL)
+ goto out;
+
+ if (verbose) {
+ if (!X509_print_fp(stdout, x509))
+ errx(1, "X509_print_fp");
+ }
+
+ if (printpem) {
+ if (!PEM_write_X509(stdout, x509))
+ errx(1, "PEM_write_X509");
+ }
+ }
+
+ out:
X509_free(x509);
cert_free(cert);
crl_free(crl);
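Review bot: When `outformats & FORMAT_JSON` is set, the new `else` block never runs, so `-p` and the verbose `X509_print_fp` dump are silently dropped. The usage string and man page document `[-j | -p]` as mutually exclusive, but the `case 'p':` hunk in main.c only sets `printpem = 1`. Unless a check exists outside the visible hunks, the combination should be rejected after option parsing, for example `if (printpem && (outformats & FORMAT_JSON)) goto usage;`. A short comment on the `RTYPE_TAL`/`RTYPE_CRL` test, such as `/* no encapsulated certificate to print */`, would also explain why those types skip the output. The body of proc_parser_file starts and ends outside this hunk.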
diff --git a/usr.sbin/rpki-client/main.c b/usr.sbin/rpki-client/main.c
index 91a15c820f7..a96345007e2 100644
--- a/usr.sbin/rpki-client/main.c
+++ b/usr.sbin/rpki-client/main.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: main.c,v 1.209 2022/08/04 13:44:07 claudio Exp $ */
+/* $OpenBSD: main.c,v 1.210 2022/08/25 17:31:26 job Exp $ */
/*
* Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -64,6 +64,7 @@ const char *bird_tablename = "ROAS";
int verbose;
int noop;
int filemode;
+int printpem;
int rrdpon = 1;
int repo_timeout;
@@ -819,7 +820,7 @@ main(int argc, char *argv[])
"proc exec unveil", NULL) == -1)
err(1, "pledge");
- while ((c = getopt(argc, argv, "b:Bcd:e:fjnorRs:S:t:T:vV")) != -1)
+ while ((c = getopt(argc, argv, "b:Bcd:e:fjnoprRs:S:t:T:vV")) != -1)
switch (c) {
case 'b':
bind_addr = optarg;
@@ -849,6 +850,9 @@ main(int argc, char *argv[])
case 'o':
outformats |= FORMAT_OPENBGPD;
break;
+ case 'p':
+ printpem = 1;
+ break;
case 'R':
rrdpon = 0;
break;
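Review bot: `case 'p':` sets `printpem` in every mode, but the flag is only read in filemode.c and is documented only in the `-f` synopsis. Running with `-p` but without `-f` would therefore be accepted and ignored, unless a check exists outside this hunk. A guard after the getopt loop such as `if (printpem && !filemode) goto usage;` would surface the misuse instead of hiding it. The switch and main() continue outside the hunk.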
@@ -1278,6 +1282,7 @@ usage:
" [-e rsync_prog]\n"
" [-S skiplist] [-s timeout] [-T table] [-t tal]"
" [outputdir]\n"
- " rpki-client [-Vv] [-d cachedir] [-t tal] -f file ...\n");
+ " rpki-client [-Vv] [-d cachedir] [-j | -p] [-t tal] -f file"
+ " ...\n");
return 1;
}
diff --git a/usr.sbin/rpki-client/rpki-client.8 b/usr.sbin/rpki-client/rpki-client.8
index 5c30428fb4a..a363d4cdede 100644
--- a/usr.sbin/rpki-client/rpki-client.8
+++ b/usr.sbin/rpki-client/rpki-client.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: rpki-client.8,v 1.68 2022/06/30 10:27:52 job Exp $
+.\" $OpenBSD: rpki-client.8,v 1.69 2022/08/25 17:31:26 job Exp $
.\"
.\" Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
.\"
@@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: June 30 2022 $
+.Dd $Mdocdate: August 25 2022 $
.Dt RPKI-CLIENT 8
.Os
.Sh NAME
@@ -34,6 +34,7 @@
.Nm
.Op Fl Vv
.Op Fl d Ar cachedir
+.Op Fl j | p
.Op Fl t Ar tal
.Fl f
.Ar
@@ -144,6 +145,8 @@ If the
and
.Fl j
options are not specified this is the default.
+.It Fl p
+Print the encapsulated X.509 certificate in PEM format.
.It Fl R
Synchronize via RSYNC only.
.It Fl r