path: root/usr.sbin/rpki-client/mft.c
authorClaudio Jeker <claudio@cvs.openbsd.org>2024-05-20 15:51:44 +0000
committerClaudio Jeker <claudio@cvs.openbsd.org>2024-05-20 15:51:44 +0000
commita4a26d1667c36dbf9f93b1ac0d9023fe500b6a09 (patch)
tree469c03e4c1392b7a8cccf9794ac626588cff0549 /usr.sbin/rpki-client/mft.c
parent430afa57740c88145d912ebd5e605ebf738485d1 (diff)
Instead of tracking certificates by SKI track them by an internal identifier.
The certificate SKI is not strictly unique so using it as a unique id is problematic. It is also not really needed to do that since in theory we already know the path (but this got lost in the privsep communication). So add a cert id and pass this id back and forth between main process and the parser. With this id we can lookup the authentication chain in the parser and this even works with multiple paths to the same resource. Since we no longer lookup by SKI the valid_aki_ski function is replaced by find_issuer() which does the lookup by certid. The loop protection is now extended to allow each TAL to reach each file once but still triggers if a file is reaccessed by the tree of a TAL. In filemode the lookup now uses an AIA uri based lookup tree. Again this replaces the SKI based lookups from before. Done together with tb@ OK tb@ job@
Diffstat (limited to 'usr.sbin/rpki-client/mft.c')
-rw-r--r--usr.sbin/rpki-client/mft.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/usr.sbin/rpki-client/mft.c b/usr.sbin/rpki-client/mft.c
index 8b6bf28d01e..64db5f6ff8e 100644
--- a/usr.sbin/rpki-client/mft.c
+++ b/usr.sbin/rpki-client/mft.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mft.c,v 1.114 2024/05/15 09:19:48 tb Exp $ */
+/* $OpenBSD: mft.c,v 1.115 2024/05/20 15:51:43 claudio Exp $ */
/*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -537,6 +537,7 @@ mft_buffer(struct ibuf *b, const struct mft *p)
io_simple_buffer(b, &p->repoid, sizeof(p->repoid));
io_simple_buffer(b, &p->talid, sizeof(p->talid));
+ io_simple_buffer(b, &p->certid, sizeof(p->certid));
io_str_buffer(b, p->path);
io_str_buffer(b, p->aia);
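Review bot: The new `io_simple_buffer(b, &p->certid, ...)` line extends a positional, untagged wire format, so its place between talid and path is load-bearing: any reordering or a differently sized certid field on either side of the privsep channel would be silently decoded into the wrong member rather than rejected. A one-line comment above the run of io_simple_buffer calls, `/* Field order and widths must match mft_read() exactly. */`, would make that coupling visible to the next person adding a field. Since certid is serialised with sizeof(p->certid), the receiving struct definition must be the same one; the field's declaration is not in this file. mft_buffer's body begins and ends outside this hunk.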
@@ -569,6 +570,7 @@ mft_read(struct ibuf *b)
io_read_buf(b, &p->repoid, sizeof(p->repoid));
io_read_buf(b, &p->talid, sizeof(p->talid));
+ io_read_buf(b, &p->certid, sizeof(p->certid));
io_read_str(b, &p->path);
io_read_str(b, &p->aia);
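Review bot: The added `io_read_buf(b, &p->certid, sizeof(p->certid))` accepts the certificate id from the other side of the privsep boundary without any range check, and per the commit message that id is later used to look up the issuer/authentication chain. Whichever process does that lookup (not visible in this hunk) should treat the value as untrusted and bound it against the cert table before indexing, e.g. `if (p->certid < 0 || p->certid >= ncerts) errx(1, "invalid certid")` (adjust to the actual id type and table size), so that a compromised peer process cannot steer the lookup out of bounds. If find_issuer() already rejects unknown ids that covers it, but that should be stated next to this read. mft_read's body begins and ends outside this hunk.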