author | Rob Austein <sra@hactrn.net> | 2010-05-26 13:43:49 +0000 |
---|---|---|
committer | Rob Austein <sra@hactrn.net> | 2010-05-26 13:43:49 +0000 |
commit | 0e40ba6483b4940616464dd5917dfee459572169 (patch) | |
tree | a9a39b1cd14fdb9c7a172e7353f35b564a0cf0c7 | |
parent | b83343098c9df5336f5e9b07a35b4b83e5782733 (diff) |
indirect-trust-anchor
svn path=/rcynic/README; revision=3261
-rw-r--r-- | rcynic/README | 29 | ||||
-rw-r--r-- | rcynic/rcynic.c | 38 | ||||
-rw-r--r-- | rcynic/sample-trust-anchors/testbed-apnic.ita | 8 | ||||
-rw-r--r-- | rcynic/sample-trust-anchors/testbed-arin.ita | 8 | ||||
-rw-r--r-- | rcynic/sample-trust-anchors/testbed-ripe.ita | 8 |
5 files changed, 72 insertions, 19 deletions
diff --git a/rcynic/README b/rcynic/README index 89adccd2..3367f9af 100644 --- a/rcynic/README +++ b/rcynic/README @@ -257,14 +257,27 @@ trust-anchor Specify one RPKI trust anchor, represented as pathname of the file. No default. trust-anchor-uri-with-key - Experimental. Specify one RPKI trust anchor, - represented as an rsync URI and a local file - containing the RSA public key of the X.509 - object specified by the URI. The RSA public - key should be in DER format. Value for this - option consists of the URI and the filename of - the public key, in that order, separated by - whitespace. No default. + Specify one RPKI trust anchor, represented as + an rsync URI and a local file containing the + RSA public key of the X.509 object specified + by the URI. The RSA public key should be in + DER format. Value for this option consists of + the URI and the filename of the public key, in + that order, separated by whitespace. No + default. + +indirect-trust-anchor + Specify one RPKI trust anchor, represented as + a local file containing an rsync URI and the + RSA public key of the X.509 object specified + by the URI. First line of the file is the + URI, remainder is the public key in Base64 + encoded DER format. Value of this option + is the pathname of the file. No default. + +trust-anchor-uri-with-key and indirect-trust-anchor are semantically +identical, the difference is just how the URI and public key are +stored. There's a companion XSLT template in rcynic.xsl, which translates what the xml-summary option writes into HTML. diff --git a/rcynic/rcynic.c b/rcynic/rcynic.c index ec934e86..cc1ff83f 100644 --- a/rcynic/rcynic.c +++ b/rcynic/rcynic.c 
@@ -3116,22 +3116,40 @@ int main(int argc, char *argv[])
 }
 }
- if (!name_cmp(val->name, "trust-anchor-uri-with-key")) {
+ if (!name_cmp(val->name, "trust-anchor-uri-with-key") ||
+ !name_cmp(val->name, "indirect-trust-anchor")) {
 /*
- * Newfangled URI + public key method.
+ * Newfangled URI + public key method. Two different versions
+ * of essentially the same mechanism.
 *
 * NB: EVP_PKEY_cmp() returns 1 for success, not 0 like every
 * other xyz_cmp() function in the entire OpenSSL library.
 * Go figure.
 */
+ int unified = !name_cmp(val->name, "indirect-trust-anchor");
 EVP_PKEY *pkey = NULL, *xpkey = NULL;
- j = strcspn(val->value, " \t");
- if (j >= sizeof(uri)) {
- logmsg(&rc, log_usage_err, "Trust anchor URI too long %s", val->value);
- goto done;
+ char *fn;
+ if (unified) {
+ fn = val->value;
+ bio = BIO_new_file(fn, "r");
+ if (!bio || BIO_gets(bio, uri, sizeof(uri)) <= 0) {
+ logmsg(&rc, log_usage_err, "Couldn't read trust anchor URI from %s", fn);
+ goto done;
+ }
+ uri[strcspn(uri, " \t\r\n")] = '\0';
+ bio = BIO_push(BIO_new(BIO_f_base64()), bio);
+ } else {
+ j = strcspn(val->value, " \t");
+ if (j >= sizeof(uri)) {
+ logmsg(&rc, log_usage_err, "Trust anchor URI too long %s", val->value);
+ goto done;
+ }
+ memcpy(uri, val->value, j);
+ uri[j] = '\0';
+ j += strspn(val->value + j, " \t");
+ fn = val->value + j;
+ bio = BIO_new_file(fn, "rb");
 }
- memcpy(uri, val->value, j);
- uri[j] = '\0';
 if (!uri_to_filename(&rc, uri, path1, sizeof(path1), rc.unauthenticated) ||
 !uri_to_filename(&rc, uri, path2, sizeof(path2), rc.authenticated)) {
 logmsg(&rc, log_usage_err, "Couldn't convert trust anchor URI %s to filename", uri);
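Review bot: The new `indirect-trust-anchor` branch has no counterpart to the `Trust anchor URI too long` check kept in the `else` branch: when the first line of the file does not fit in `uri`, `BIO_gets` returns a truncated URI with no newline, the `strcspn` trim accepts it silently, and the unread tail of that line is then handed to the base64 filter as key material, so the eventual failure is reported as a bad key rather than a bad URI. Checking for the line terminator after the read closes the gap, e.g. `if (!strchr(uri, '\n')) { logmsg(&rc, log_usage_err, "Trust anchor URI too long in %s", fn); goto done; }` placed before the `strcspn` line. The `BIO_gets` failure path also leaves the freshly opened file BIO unreleased before `goto done`; harmless if `done` exits the process, otherwise it wants a `BIO_free(bio)`. The enclosing `main` starts and ends outside this hunk.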
@@ -3142,13 +3160,11 @@ int main(int argc, char *argv[])
 logmsg(&rc, log_data_err, "Could not fetch trust anchor from %s", uri);
 continue;
 }
- j += strspn(val->value + j, " \t");
- bio = BIO_new_file(val->value + j, "rb");
 if (bio)
 pkey = d2i_PUBKEY_bio(bio, NULL);
 BIO_free(bio);
 if (!pkey) {
- logmsg(&rc, log_usage_err, "Couldn't read trust anchor public key for %s from %s", uri, val->value + j);
+ logmsg(&rc, log_usage_err, "Couldn't read trust anchor public key for %s from %s", uri, fn);
 goto done;
 }
 if ((x = read_cert(path1, NULL, 0)) == NULL)
diff --git a/rcynic/sample-trust-anchors/testbed-apnic.ita b/rcynic/sample-trust-anchors/testbed-apnic.ita
new file mode 100644
index 00000000..3e57b05e
--- /dev/null
+++ b/rcynic/sample-trust-anchors/testbed-apnic.ita
@@ -0,0 +1,8 @@
+rsync://apnic.rpki.net/rpki/apnic/root.cer
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAovWQL2lh6knDx
+GUG5hbtCXvvh4AOzjhDkSHlj22gn/1oiM9IeDATIwP44vhQ6L/xvuk7W6
+Kfa5ygmqQ+xOZOwTWPcrUbqaQyPNxokuivzyvqVZVDecOEqs78q58mSp9
+nbtxmLRW7B67SJCBSzfa5XpVyXYEgYAjkk3fpmefU+AcxtxvvHB5OVPIa
+BfPcs80ICMgHQX+fphvute9XLxjfJKJWkhZqZ0v7pZm2uhkcPx1PMGcrG
+ee0WSDC3fr3erLueagpiLsFjwwpX6F+Ms8vqz45H+DKmYKvPSstZjCCq9
+aJ0qANT9OtnfSDOS+aLRPjZryCNyvvBHxZXqj5YCGKtwIDAQAB
diff --git a/rcynic/sample-trust-anchors/testbed-arin.ita b/rcynic/sample-trust-anchors/testbed-arin.ita
new file mode 100644
index 00000000..5ec14f36
--- /dev/null
+++ b/rcynic/sample-trust-anchors/testbed-arin.ita
@@ -0,0 +1,8 @@
+rsync://arin.rpki.net/rpki/arin/root.cer
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAovWQL2lh6knDx
+GUG5hbtCXvvh4AOzjhDkSHlj22gn/1oiM9IeDATIwP44vhQ6L/xvuk7W6
+Kfa5ygmqQ+xOZOwTWPcrUbqaQyPNxokuivzyvqVZVDecOEqs78q58mSp9
+nbtxmLRW7B67SJCBSzfa5XpVyXYEgYAjkk3fpmefU+AcxtxvvHB5OVPIa
+BfPcs80ICMgHQX+fphvute9XLxjfJKJWkhZqZ0v7pZm2uhkcPx1PMGcrG
+ee0WSDC3fr3erLueagpiLsFjwwpX6F+Ms8vqz45H+DKmYKvPSstZjCCq9
+aJ0qANT9OtnfSDOS+aLRPjZryCNyvvBHxZXqj5YCGKtwIDAQAB
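Review bot: The retained `BIO_free(bio)` now receives a two-BIO chain on the `indirect-trust-anchor` path (the base64 filter pushed onto the file BIO in the previous hunk), and `BIO_free` releases only the top BIO, so the underlying file BIO and its open descriptor leak for every anchor loaded this way. `BIO_free_all(bio)` frees the whole chain and behaves identically for the single file BIO of the `trust-anchor-uri-with-key` path, so `BIO_free_all(bio);` can replace it unconditionally. The enclosing `main` continues outside this hunk.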
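Review bot: The Base64 public key in `testbed-apnic.ita` is byte-identical to the ones added in `testbed-arin.ita` and `testbed-ripe.ita`, so the three sample anchors share one RSA key under three different URIs. That is presumably deliberate for a single-operator testbed, but these files are consumed by the same `indirect-trust-anchor` option as real trust anchors and the `.ita` format has no room for a comment, so the README text for the option would benefit from one sentence saying the shipped samples are testbed roots sharing a single key and not production RIR trust anchors.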
diff --git a/rcynic/sample-trust-anchors/testbed-ripe.ita b/rcynic/sample-trust-anchors/testbed-ripe.ita
new file mode 100644
index 00000000..d52aba62
--- /dev/null
+++ b/rcynic/sample-trust-anchors/testbed-ripe.ita
@@ -0,0 +1,8 @@
+rsync://ripe.rpki.net/rpki/ripe/root.cer
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAovWQL2lh6knDx
+GUG5hbtCXvvh4AOzjhDkSHlj22gn/1oiM9IeDATIwP44vhQ6L/xvuk7W6
+Kfa5ygmqQ+xOZOwTWPcrUbqaQyPNxokuivzyvqVZVDecOEqs78q58mSp9
+nbtxmLRW7B67SJCBSzfa5XpVyXYEgYAjkk3fpmefU+AcxtxvvHB5OVPIa
+BfPcs80ICMgHQX+fphvute9XLxjfJKJWkhZqZ0v7pZm2uhkcPx1PMGcrG
+ee0WSDC3fr3erLueagpiLsFjwwpX6F+Ms8vqz45H+DKmYKvPSstZjCCq9
+aJ0qANT9OtnfSDOS+aLRPjZryCNyvvBHxZXqj5YCGKtwIDAQAB