authorJob Snijders <job@cvs.openbsd.org>2024-02-22 12:49:43 +0000
committerJob Snijders <job@cvs.openbsd.org>2024-02-22 12:49:43 +0000
commit942181e55d318f37f92950984b77542ac08bc334 (patch)
treece0701c2c95259a1a17cccf87aace78112c77158 /usr.sbin/rpki-client/parser.c
parent20a0fb0b06d9e0038b680be60b2e1a532f667e82 (diff)
Add support for RPKI Signed Prefix Lists
Signed Prefix Lists are a CMS-protected content type for use with the RPKI to carry the complete list of prefixes which an Autonomous System may originate to all or any of its routing peers. The validation of a Signed Prefix List confirms that the holder of the listed ASN produced the object, and that this list is a current, accurate and complete description of the address prefixes that may be announced into the routing system as originated by this AS. https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-prefixlist with & OK claudio@ tb@
Diffstat (limited to 'usr.sbin/rpki-client/parser.c')
-rw-r--r--usr.sbin/rpki-client/parser.c51
1 files changed, 50 insertions, 1 deletions
diff --git a/usr.sbin/rpki-client/parser.c b/usr.sbin/rpki-client/parser.c
index e1ef9b973fd..62ebcade65e 100644
--- a/usr.sbin/rpki-client/parser.c
+++ b/usr.sbin/rpki-client/parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: parser.c,v 1.128 2024/02/03 14:30:47 job Exp $ */
+/* $OpenBSD: parser.c,v 1.129 2024/02/22 12:49:42 job Exp $ */
/*
* Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -158,6 +158,41 @@ proc_parser_roa(char *file, const unsigned char *der, size_t len,
}
/*
+ * Parse and validate a draft-ietf-sidrops-rpki-prefixlist SPL.
+ * Returns the spl on success, NULL on failure.
+ */
+static struct spl *
+proc_parser_spl(char *file, const unsigned char *der, size_t len,
+ const struct entity *entp)
+{
+ struct spl *spl;
+ struct auth *a;
+ struct crl *crl;
+ X509 *x509;
+ const char *errstr;
+
+ if ((spl = spl_parse(&x509, file, entp->talid, der, len)) == NULL)
+ return NULL;
+
+ a = valid_ski_aki(file, &auths, spl->ski, spl->aki, entp->mftaki);
+ crl = crl_get(&crlt, a);
+
+ if (!valid_x509(file, ctx, x509, a, crl, &errstr)) {
+ warnx("%s: %s", file, errstr);
+ X509_free(x509);
+ spl_free(spl);
+ return NULL;
+ }
+ X509_free(x509);
+
+ spl->talid = a->cert->talid;
+
+ spl->expires = x509_find_expires(spl->notafter, a, &crlt);
+
+ return spl;
+}
+
+/*
* Check all files and their hashes in a MFT structure.
* Return zero on failure, non-zero on success.
*/
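Review bot: `spl->talid = a->cert->talid;` dereferences `a` without a NULL check, although `a` comes only from `valid_ski_aki()` and nothing in the hunk shows that this call cannot return NULL. If the function relies on `valid_x509()` failing for a NULL auth (so the early return above is taken), a comment on that line such as `/* a != NULL here: valid_x509() rejects an unknown authority */` would record the invariant for the next reader; if it does not, the assignment needs a guard. The hunk header suggests the same validate-then-free-then-read ordering as proc_parser_roa directly above, so whichever form that function uses should be mirrored here for consistency.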
@@ -681,6 +716,7 @@ parse_entity(struct entityq *q, struct msgbuf *msgq)
struct aspa *aspa;
struct gbr *gbr;
struct tak *tak;
+ struct spl *spl;
struct ibuf *b;
unsigned char *f;
time_t mtime, crlmtime;
@@ -822,6 +858,19 @@ parse_entity(struct entityq *q, struct msgbuf *msgq)
io_simple_buffer(b, &mtime, sizeof(mtime));
tak_free(tak);
break;
+ case RTYPE_SPL:
+ file = parse_load_file(entp, &f, &flen);
+ io_str_buffer(b, file);
+ spl = proc_parser_spl(file, f, flen, entp);
+ if (spl != NULL)
+ mtime = spl->signtime;
+ io_simple_buffer(b, &mtime, sizeof(mtime));
+ c = (spl != NULL);
+ io_simple_buffer(b, &c, sizeof(int));
+ if (spl != NULL)
+ spl_buffer(b, spl);
+ spl_free(spl);
+ break;
case RTYPE_CRL:
default:
file = parse_filepath(entp->repoid, entp->path,
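Review bot: `io_simple_buffer(b, &c, sizeof(int));` in the new RTYPE_SPL case sizes the write from the type rather than the object, while the neighbouring lines use `sizeof(mtime)`; `io_simple_buffer(b, &c, sizeof(c));` keeps the two consistent and stays correct if c's type ever changes. If the other cases of this switch, which lie outside the hunk, already write `sizeof(int)`, matching them takes priority over this. Note also that on the failure path `mtime` is sent with whatever value it held on entry to the case; parse_entity begins and ends outside the hunk, so whether it is reset per entity cannot be confirmed from here.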