Commit messages

RFC 7318 makes requirements on the certificate policy extension imposed
by RFC 6487 a bit stricter. It requires that exactly one policy OID is
present and that it be id-cp-ipAddr-asNumber and if there is a policy
qualifier it must be id-qt-cps. These are requirements that the X.509
verifier's policy code can't enforce, so unpack the certificate policy
extension by hand and check that it matches expectations.
ok claudio
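A hand-rolled check of the kind this commit describes, written here as an added example for this page and not taken from rpki-client: it walks the DER of a certificatePolicies extension value and enforces the RFC 7318 rules (exactly one PolicyInformation, policyIdentifier id-cp-ipAddr-asNumber, any qualifier id-qt-cps). It assumes the caller already has the raw extension value in hand (rpki-client gets it from the X509 object via LibreSSL), parses the DER directly instead of going through the ASN.1 API, and uses constructed test vectors; the structure and OIDs come from RFC 5280 and RFC 7318.

```c
#include <stdint.h>
#include <string.h>

/* OID contents RFC 7318 permits; the 06 <len> prefix is parsed below. */
static const uint8_t OID_CP_IPADDR_ASNUMBER[] =	/* 1.3.6.1.5.5.7.14.2 */
    { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x0e, 0x02 };
static const uint8_t OID_QT_CPS[] =			/* 1.3.6.1.5.5.7.2.1 */
    { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x01 };

/* Parse one DER TLV; *used is the size of the whole TLV. */
static int
der_tlv(const uint8_t *p, size_t len, uint8_t *tag, const uint8_t **val,
    size_t *vlen, size_t *used)
{
	/* short-form lengths only: a certificatePolicies value is tiny */
	if (len < 2 || p[1] >= 0x80 || p[1] > len - 2)
		return 0;
	*tag = p[0];
	*val = p + 2;
	*vlen = p[1];
	*used = 2 + (size_t)p[1];
	return 1;
}

static int
oid_eq(const uint8_t *v, size_t vlen, const uint8_t *oid, size_t oidlen)
{
	return vlen == oidlen && memcmp(v, oid, oidlen) == 0;
}

/*
 * policyQualifiers ::= SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo
 * PolicyQualifierInfo ::= SEQUENCE { policyQualifierId OID, qualifier ANY }
 * RFC 7318: every policyQualifierId must be id-qt-cps.
 */
static int
qualifiers_ok(const uint8_t *p, size_t len)
{
	const uint8_t *pq, *v;
	size_t pqlen, vlen, pused, qused, n = 0;
	uint8_t tag;

	while (len > 0) {
		if (!der_tlv(p, len, &tag, &pq, &pqlen, &pused) || tag != 0x30 ||
		    !der_tlv(pq, pqlen, &tag, &v, &vlen, &qused) || tag != 0x06 ||
		    !oid_eq(v, vlen, OID_QT_CPS, sizeof(OID_QT_CPS)))
			return 0;
		/* the qualifier (a CPSuri) is mandatory and must fill the rest */
		pq += qused;
		pqlen -= qused;
		if (pqlen == 0 || !der_tlv(pq, pqlen, &tag, &v, &vlen, &qused) ||
		    qused != pqlen)
			return 0;
		p += pused;
		len -= pused;
		n++;
	}
	return n > 0;
}

/*
 * Check a raw certificatePolicies extension value against RFC 7318.
 * Returns 1 if it conforms, 0 for anything else (including bad DER).
 */
int
rfc7318_policy_ok(const uint8_t *der, size_t len)
{
	const uint8_t *cp, *pi, *v;
	size_t cplen, pilen, vlen, used;
	uint8_t tag;

	/* outer SEQUENCE OF must be the whole buffer and hold exactly one item */
	if (!der_tlv(der, len, &tag, &cp, &cplen, &used) || tag != 0x30 ||
	    used != len ||
	    !der_tlv(cp, cplen, &tag, &pi, &pilen, &used) || tag != 0x30 ||
	    used != cplen)
		return 0;
	if (!der_tlv(pi, pilen, &tag, &v, &vlen, &used) || tag != 0x06 ||
	    !oid_eq(v, vlen, OID_CP_IPADDR_ASNUMBER, sizeof(OID_CP_IPADDR_ASNUMBER)))
		return 0;
	pi += used;
	pilen -= used;
	if (pilen == 0)
		return 1;		/* policyQualifiers is OPTIONAL */
	if (!der_tlv(pi, pilen, &tag, &v, &vlen, &used) || tag != 0x30 ||
	    used != pilen)
		return 0;
	return qualifiers_ok(v, vlen);
}

/* Constructed test vectors, not taken from real certificates. */
#define OID_POLICY 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x0e, 0x02
#define OID_CPS    0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x01
const uint8_t cp_good_plain[] = { 0x30, 0x0c, 0x30, 0x0a, OID_POLICY };
const uint8_t cp_good_cps[] = { 0x30, 0x1d, 0x30, 0x1b, OID_POLICY,
    0x30, 0x0f, 0x30, 0x0d, OID_CPS, 0x16, 0x01, 'x' };	/* CPSuri "x" */
const uint8_t cp_bad_two[] = { 0x30, 0x18, 0x30, 0x0a, OID_POLICY,
    0x30, 0x0a, OID_POLICY };
const uint8_t cp_bad_any[] = { 0x30, 0x08, 0x30, 0x06,
    0x06, 0x04, 0x55, 0x1d, 0x20, 0x00 };			/* anyPolicy */
const uint8_t cp_bad_unotice[] = { 0x30, 0x1d, 0x30, 0x1b, OID_POLICY,
    0x30, 0x0f, 0x30, 0x0d, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
    0x02, 0x02, 0x16, 0x01, 'x' };				/* id-qt-unotice */
```

Calling rfc7318_policy_ok() on the two good vectors returns 1; the two-policy, anyPolicy and id-qt-unotice vectors return 0, as does a truncated buffer, because every SEQUENCE is required to account for exactly the bytes it is given rather than being parsed leniently.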
to ta_parse(). This fits better there. Also drop extracting and
printing the x509 subject of the TAs. The subject is more or less
the filename anyway which is already printed.
OK tb@
Suggested by and OK tb@
argument. The x509 cert is also inside struct cert and easy to access.
Also switch auth_insert() to a void function since it can't fail.
OK tb@
x509_init_oid() to initialize all necessary OID objects at start.
OK tb@
These extensions MUST be marked critical. Criticality is determined by the
ASN1_BOOLEAN that is extracted and ignored after the FIXME a few lines
below each of the two hunks. Rather than getting the info from there, it's
easier to use an API call that checks what was already parsed by d2i_X509().
ok claudio job
Since they are stored in an array just blast the full array in and out
of the io buffers at once instead of iterating element by element.
It also allows removing a lot of extra code.
OK benno@ job@
use a small lookup table to print the description in the output path.
OK tb@
Also make sure that trust anchors are not BGPsec certs.
While there fix some overly long lines.
OK benno@
and skip this distinction between invalid and failed certificates.
The difference between the two is getting more and more blurry.
OK tb@
In most cases we already warn and continue if someone sends us malformed
x509 objects. This makes this consistent behaviour in all places
so that if someone passes in bogus X509, we end up failing their entry
and continuing rather than exiting.
We still exit on memory/system failures so that a future run of
rpki-client can simply do better when the machine is perhaps less hammered on.
ok job@ claudio@
ok job@
OK beck@
mish mash of poll, non-blocking writes and blocking reads. Using the
introduced ibuf size header in io_buf_new()/io_buf_close() the read
side can be changed to pull in a full ibuf and only start the un-marshal
once all data has been read.
OK benno@
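An added illustration (example code written for this page, not rpki-client's io layer) of the read-side discipline the message describes: a size header precedes each buffer, the reader accumulates bytes until the announced size has fully arrived, and only a complete buffer is handed to the unmarshal step, so short reads never leave a half-parsed message. The 4-byte little-endian header, the 16 MiB cap that rejects absurd sizes, and the demo stream are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define FRAME_HDR 4				/* 32-bit little-endian size */
#define FRAME_MAX (16u * 1024 * 1024)		/* assumed sanity cap */

struct frame {
	uint8_t	 hdr[FRAME_HDR];
	size_t	 hdrlen;	/* header bytes collected so far */
	uint8_t	*buf;		/* payload, allocated once the size is known */
	size_t	 want, have;	/* announced payload size, bytes collected */
};

void
frame_reset(struct frame *f)
{
	free(f->buf);
	memset(f, 0, sizeof(*f));
}

int
frame_ready(const struct frame *f)
{
	return f->hdrlen == FRAME_HDR && f->have == f->want;
}

/*
 * Feed stream bytes into the current frame, consuming at most what it
 * still needs. Returns bytes consumed, or -1 if the announced size is
 * rejected. Nothing is interpreted before frame_ready() says so.
 */
long
frame_feed(struct frame *f, const uint8_t *data, size_t n)
{
	size_t take;

	if (f->hdrlen < FRAME_HDR) {
		take = FRAME_HDR - f->hdrlen;
		if (take > n)
			take = n;
		memcpy(f->hdr + f->hdrlen, data, take);
		f->hdrlen += take;
		if (f->hdrlen == FRAME_HDR) {
			f->want = (size_t)f->hdr[0] | (size_t)f->hdr[1] << 8 |
			    (size_t)f->hdr[2] << 16 | (size_t)f->hdr[3] << 24;
			if (f->want > FRAME_MAX)
				return -1;
			if (f->want > 0 && (f->buf = malloc(f->want)) == NULL)
				return -1;
		}
		return (long)take;
	}
	take = f->want - f->have;
	if (take > n)
		take = n;
	if (take > 0) {
		memcpy(f->buf + f->have, data, take);
		f->have += take;
	}
	return (long)take;
}

/*
 * Deliver a stream 'chunk' bytes at a time to mimic short reads. Returns
 * the number of complete frames (-1 if a header was rejected) and sums
 * their payload sizes into *total; a trailing partial frame is dropped.
 */
int
demo_frames(const uint8_t *stream, size_t len, size_t chunk, size_t *total)
{
	struct frame f;
	size_t off = 0, avail;
	int count = 0;
	long used;

	memset(&f, 0, sizeof(f));
	*total = 0;
	while (off < len) {
		avail = len - off < chunk ? len - off : chunk;
		while (avail > 0) {		/* a chunk may straddle frames */
			if (frame_ready(&f)) {
				count++;
				*total += f.want;
				frame_reset(&f);
			}
			if ((used = frame_feed(&f, stream + off, avail)) < 0) {
				frame_reset(&f);
				return -1;
			}
			off += (size_t)used;
			avail -= (size_t)used;
		}
	}
	if (frame_ready(&f)) {
		count++;
		*total += f.want;
	}
	frame_reset(&f);
	return count;
}

/* Constructed stream: "hello", "rpki" and an empty payload, back to back. */
const uint8_t demo_stream[] = { 5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o',
    4, 0, 0, 0, 'r', 'p', 'k', 'i', 0, 0, 0, 0 };
const uint8_t demo_bad_stream[] = { 0xff, 0xff, 0xff, 0xff, 'x' };
size_t demo_total;
```

demo_frames(demo_stream, sizeof(demo_stream), 3, &demo_total) yields 3 frames and 9 payload bytes whatever chunk size is used, because the reader only counts a frame once frame_ready() holds; cutting the stream after 7 bytes yields no frame, and the 0xffffffff header is refused before any allocation happens.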
OK claudio@
BGPsec router keys are extracted from RPKI certificates and
emitted via the JSON output in base64 encoded form.
OK tb@ claudio@
OK claudio@
OK benno@
as an epoch time_t. Store the expire time for certs, crls will follow after.
OK tb@
OK claudio@
Instead of converting the ASN1_OBJECT into a string and comparing the
strings, convert the string into an ASN1_OBJECT once and then compare
these objects with OBJ_cmp().
Makes the code a bit easier to read and removes some repetitive conversions.
With input and OK tb@
Input from deraadt@, tb@, claudio@
OK deraadt@ claudio@ tb@
OK tb@
OK tb@
RRDP will add a bunch more checks so this makes even more sense.
With and OK tb@
Now x509_get_extensions() is no longer required to loop over all
extensions and the code becomes a lot simpler.
While there clean up x509_get_crl(), as explained by tb@ X509_get_ext_d2i()
allocates memory so one needs to free the pointer at the end.
For x509_crl_get_aki() use X509_CRL_get_ext_d2i() and more or less
copy the rest over from x509_get_aki().
Warn if extensions are missing or present when not expected and also
check that the extensions are marked non-critical as required.
OK job@ tb@
In the context of the RPKI, the AIA extension identifies the publication
point of the certificate of the issuer of the certificate in which the
extension appears. A single reference to the publication point of the
immediate superior certificate MUST be present, except for a
"self-signed" certificate.
Thanks tb@ for review
OK claudio@
Make sure that the caRepository matches the start of the URI of rpkiManifest.
The MFT must be a file inside the caRepository.
OK tb@
explicit about what is used where. Seems to be the least worst solution.
files referenced in MFT files during the validation of the MFT file.
An MFT is only valid if all files are present and their hashes are valid.
Because of this there is no longer the need to check the hash when
these files are parsed later on. Remove these checks for CRT, ROA and CRL
files. Use the presence of the pkey when parsing cert files to decide
if it is a root cert or not.
OK tb@
data between processes. This completely decouples the write side.
rpki-client can't really use the imsg framework but it can use the ibuf
bits which imsg is built on.
OK benno@ job@
extra has_xyz integers to indicate if the following buffer is present
or not. At the same time sprinkle some asserts for strings which must
not be NULL.
OK tb@
ispunct characters. Everything else is fishy and so block those early on.
OK millert@ job@
Instead of rsync_uri_parse() check the start of the uri for rsync:// and
also check that the uri ends in .mft.
OK tb@
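The two manifest-location checks from the commit messages above (the rpkiManifest URI must start with rsync:// and end in .mft, and the caRepository URI must match the start of the rpkiManifest URI because the MFT is a file inside the caRepository), as an added example written for this page rather than rpki-client's own code. The path-component boundary test in mft_inside_carepo() goes one step beyond the messages and is an assumption; the example URIs are constructed.

```c
#include <stdio.h>
#include <string.h>

static int
has_prefix(const char *s, const char *pfx)
{
	return strncmp(s, pfx, strlen(pfx)) == 0;
}

static int
has_suffix(const char *s, const char *sfx)
{
	size_t sl = strlen(s), xl = strlen(sfx);

	return sl >= xl && strcmp(s + sl - xl, sfx) == 0;
}

/* rpkiManifest: an rsync:// URI naming a .mft file, with a non-empty name. */
int
valid_mft_uri(const char *uri)
{
	return has_prefix(uri, "rsync://") && has_suffix(uri, ".mft") &&
	    strlen(uri) > strlen("rsync://") + strlen(".mft");
}

/*
 * The manifest must be a file inside the caRepository, so the caRepository
 * URI has to be a prefix of the rpkiManifest URI. The boundary test is an
 * assumption added here so that ".../repo" does not accept
 * ".../repository/x.mft" just because the bytes happen to match.
 */
int
mft_inside_carepo(const char *carepo, const char *mft)
{
	size_t cl = strlen(carepo);

	if (!has_prefix(carepo, "rsync://") || cl <= strlen("rsync://"))
		return 0;
	if (!valid_mft_uri(mft) || strncmp(mft, carepo, cl) != 0)
		return 0;
	return carepo[cl - 1] == '/' || mft[cl] == '/';
}

int
main(void)
{
	const char *repo = "rsync://rpki.example.net/repo";	/* constructed */

	printf("%d %d %d\n",
	    mft_inside_carepo(repo, "rsync://rpki.example.net/repo/ca.mft"),
	    mft_inside_carepo(repo, "rsync://rpki.example.net/repository/ca.mft"),
	    mft_inside_carepo(repo, "https://rpki.example.net/repo/ca.mft"));
	return 0;
}
```

The main() prints "1 0 0": the second URI shares every byte of the caRepository prefix yet points at a different directory, which is exactly the case a plain strncmp() would wave through.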
there in structs and prototypes. Remove the openssl/ssl.h and other strange
openssl includes in the .c files that don't use openssl specific functions.
OK beck@ and tb@
Extract the notify URL from the cert if it is available and pass it back to
the parent process. The parent process can then use this info to load the
repo via RRDP instead of rsync.
OK benno@ (some long time ago)
Feedback and ok cladio@
ok patrick@, tb@
open error can be better logged to the operator. The cryptowarnx function
logs warnings in a less optimal way (mainly because of OpenSSL error stacks).
OK benno@ deraadt@
s/EXIT_FAILURE/1/
ok claudio@
the parent auth struct is stored as a pointer so walking up the certificate
chain remains simple. Doing this replaces a few slow lookups and speeds up
rpki-client by a factor of 2.
OK benno@
try to fetch it.
OK benno@ (part of a larger diff)
Simplifies the code a fair bit.
against the CA one layer above it. This check just needs to use the
certificate revocation list published by that CA.
Instead of loading all CRLs we find into the trust store, we create a
STACK_OF(X509_CRL), push them onto it and use it with
X509_STORE_CTX_set0_crls(ctx, crls);
The x509_get_crl() function to retrieve a crl path from an X509 object
is written by claudio@.
ok claudio@
intermediate certificates for use in X509_STORE_CTX_init(). To do that
save the X509 cert in struct cert.
claudio sees > 2x speed increase.
ok claudio@ and feedback from jsing@ and beck@.
were shown because of an inconsistent rpki database and is no real problem.
OK florian@