From 9c51c1f5023788a0b66e2f8a53f39c46622f67f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= <vladimir.cunat@nic.cz>
Date: Tue, 14 Aug 2018 17:49:25 +0200
Subject: [PATCH] ta_sentinel: also consider static trust anchors

i.e. those not managed via RFC 5011.
The verbose log format is changed a bit, consequently.
---
 NEWS                                |  1 +
 modules/ta_sentinel/ta_sentinel.lua | 27 +++++++++++++++++++++------
 2 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/NEWS b/NEWS
index b13fc13d9..68b0cd2ee 100644
--- a/NEWS
+++ b/NEWS
@@ -22,6 +22,7 @@ Incompatible changes
 Bugfixes
 --------
 - fix multi-process race condition in trust anchor maintenance (!643)
+- ta_sentinel: also consider static trust anchors not managed via RFC 5011
 
 Improvements
 ------------
diff --git a/modules/ta_sentinel/ta_sentinel.lua b/modules/ta_sentinel/ta_sentinel.lua
index e7500ea95..8a1f7ed33 100644
--- a/modules/ta_sentinel/ta_sentinel.lua
+++ b/modules/ta_sentinel/ta_sentinel.lua
@@ -51,12 +51,27 @@ function M.layer.finish(state, req, pkt)
 	end
 
 	local found = false
-	for keyidx = 1, #trust_anchors.keysets['\0'] do
-		local key = trust_anchors.keysets['\0'][keyidx]
-		if keytag == key.key_tag then
-			found = (key.state == "Valid")
-			if verbose() then
-				log('[ta_sentinel] found keytag ' .. keytag .. ', key state ' .. key.state)
+	local ds_set = ffi.C.kr_ta_get(kres.context().trust_anchors, '\0')
+	if ds_set ~= nil then
+		for i = 0, ds_set:rdcount() - 1 do
+			-- Find the key tag in rdata and compare
+			-- https://tools.ietf.org/html/rfc4034#section-5.1
+			local rdata = ds_set:rdata_pt(i)
+			local tag = rdata.data[0] * 256 + rdata.data[1]
+			if tag == keytag then
+				found = true
+			end
+		end
+	end
+	if verbose() then
+		log('[ta_sentinel] matching trusted TA found: ' .. tostring(found))
+		if not found then -- print matching TAs in *other* states than Valid
+			for i = 1, #(trust_anchors.keysets['\0'] or {}) do
+				local key = trust_anchors.keysets['\0'][i]
+				if key.key_tag == keytag and key.state ~= 'Valid' then
+					log('[ta_sentinel] matching UNtrusted TA found in state: '
+						.. key.state)
+				end
 			end
 		end
 	end
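Review bot: The key-tag read `rdata.data[0] * 256 + rdata.data[1]` dereferences the FFI rdata pointer without checking that the rdata is at least two bytes long, so a truncated DS record in the trust-anchor set would be an out-of-bounds read rather than a skipped entry. Trust anchors come from configuration, so the practical risk is low, but the guard is one line: `if rdata.len >= 2 and rdata.data[0] * 256 + rdata.data[1] == keytag then` (assuming the kres binding exposes libknot's `knot_rdata_t.len` as `len`; adjust the field name if not). It would also be worth a short comment above the loop noting that a key tag is not unique (RFC 4034 §5.1), so `found` only means "some configured TA carries this tag", which is the intended RFC 8509 sentinel semantics. M.layer.finish starts before this hunk and its remainder continues outside it.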
-- 
GitLab