Age | Commit message | Author |
|
proc_parser_cert_validate() and proc_parser_root_cert() adjust
parse_load_certchain() and parse_load_ta() respectively.
Also cleanup the functions in parser.c and make it possible to call
ta_parse and cert_parse with a NULL cert.
OK tb@
|
|
makes sense to totally split it out. Duplicate proc_parser_cert_validate()
and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c.
The crl_tree code moved into crl.c similar to the auth_tree handling in
cert.c. All the proc functions are now tagged with __attribute(noreturn)
which makes it possible to remove the errx() after them.
OK tb@
|
|
OK tb@
|
|
The schema is still work in progress.
OK claudio@
|
|
parse_filepath(). If that happens something went very wrong and
it is better to fail hard than to limp along.
OK tb@
|
|
Verify the CRL referenced from the mft against the mft's fileAndHash info.
If the CRL matches then load it and use it to validate this mft. If the
mft validated OK add the now also valid CRL to the auth store for later use.
Before, the newest CRL was always selected, but that has negative consequences
because it is common practice to revoke the previous MFT's EE cert and with
that the cache is turned useless as soon as a new CRL is used. Also there
was a possibility that the CRL used for validation of the MFT was not the
one later used.
Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part
of the validation process. We opted in favor of the cached MFT.
With and OK tb@
|
|
Move the unveil and pledges to the actual subprocesses and put all the
common code to start these into process_start(). Reduces the length of
main() a fair bit.
OK tb@
|
|
the parse and some checks and cert_parse() or ta_parse() to do the
additional checks for regular certs or TAs.
With this adjust the cert parser in -f mode to identify TAs (by checking
if it is self signed) and adjust the validation in that case. Now -f
should be able to parse and show all objects correctly.
With and OK tb@
|
|
to work more like x509_get_expire(). They will return an error if the
extension extraction failed but not if it was not present. The callers
must now do that check but most did already.
With this cert_parse_inner() no longer cares about TA vs non-TA certs.
Feedback and OK tb@
|
|
For this introduce x509_get_time() that converts an ASN1_TIME to time_t.
Also move time2str() to print.c where it makes more sense.
This needs more work but that will happen in tree.
OK tb@
|
|
There is a chicken-egg here since manifests reference the CRL themselves.
We may also have two CRLs available, in which case we check against the
one with the newer thisUpdate time.
The RFC situation is a bit of a mess with abundant complexity, unclear
recommendations and requirements and draft specs that also need to be
considered. This is a first version that works with future improvements
to be landed later.
Joint work with claudio, prompted by a question by job
ok claudio job
|
|
if the AKI cert is not already present. This fixes a problem when a top
level MFT is displayed.
Report and OK job@, OK tb@
|
|
parsing the CRL, so it makes more sense to have it there. It will also
make an upcoming change easier. While there, rename free_crl() into
crl_free() for consistency with all other *_free() functions.
input/ok claudio
|
|
|
|
RFC 6384 defines a certificate policy for RPKI. Ensure that the verifier
builds a certification path that follows this OID: set up a policy on the
X509_STORE_CTX's verify parameters and set initial-explicit-policy and
initial-policy-mapping-inhibit.
Pointed out by Ties de Kock
ok claudio
|
|
selecting the newest file this opens both the new (from rrdp or rsync)
and old (valid) MFT. It then compares the manifest number and based on
that the 'newer' MFT is selected.
The MFT file and hash check is also changed to always try both locations
and selecting whatever matches up with the hash. The selection is passed
back to the main process and used later on to open exactly the same
file as was checked against the hash.
The MFT parsing code has been split up into multiple steps so that the
files can be parsed, compared and then fully validated.
In most cases this makes no difference but it prevents replay attacks
using old but still valid files.
With and OK tb@
|
|
apostrophe.
|
|
rpki repositories by following AIA and manifest URIs.
Also stop checking that the loaded file is not part of the auth tree;
it is possible that this file was loaded before as a dependency.
OK tb@
|
|
that was in that directory is now in the cachedir root. The rsync and
rrdp directories are now .rsync/ and .rrdp/. The ta/ directory still
remains because TAs are special.
Idea and most of the diff from job@
OK tb@ and benno@
|
|
The file still needs to match its hash to make the MFT valid but then
there will only be a warning printed. Parsing of other files from that
MFT are not influenced.
OK tb@
|
|
poll loop. In the main process move the timeout handling for repositories
into a single function that does the timeouts and the calculation of the
timeout in one go.
OK tb@
|
|
Change -f to be a mode flag and pass one or multiple files as arguments
to rpki-client. Some extra checks need to be done to not load the same
certificate or CRL multiple times.
Input and OK tb@
|
|
of looking it up again. For this valid_roa() needs to be moved up in
proc_parser_roa(). Also move out the assignment of the TAL id. Not the
right thing to alter an object in a validation function.
OK tb@
|
|
rtype_from_mftfile(). Move both rtype_from functions to mft.c.
ok beck claudio
|
|
rpki-client uses the same idiom to determine the file type in too many
places. Use one function that determines the appropriate RTYPE from the
file name. Add that type to struct mftfile and use this new member to
simplify queue_add_from_mft*().
input/ok claudio
|
|
contain an extension of length four.
ok claudio
|
|
to ta_parse(). This fits better there. Also drop extracting and
printing the x509 subject of the TAs. The subject is more or less
the filename anyway which is already printed.
OK tb@
|
|
|
|
printed in human readable form and is also verified against the valid
cache of rpki-client.
To validate the file the chain is explored backwards by looking at the
Authority Information Access URI and X509v3 CRL Distribution Point of
the cert. Once the trust anchor is found this chain can be verified.
Feedback and OK job@ tb@
|
|
For mfts this flag is cleared since the CRL is referenced by the MFT itself.
Also remove some if (crl != NULL) checks since they are not needed.
The functions protected by it are all handling NULL as an input.
OK job@ tb@
|
|
argument. The x509 cert is also inside struct cert and easy to access.
Also switch auth_insert() to a void function since it can't fail.
OK tb@
|
|
|
|
|
|
|
|
it into its own function valid_x509(). Simplifies the code substantially.
This may report a few more errors for .roa and .gbr files but IMO that
special case was a left-over from long time ago.
OK tb@
|
|
x509_init_oid() to initialize all necessary OID objects at start.
OK tb@
|
|
successfully been verified by rpki-client.
With this the rsync and rrdp directories are more of a temporary storage
location. New files are downloaded there and then moved to the valid
directory at the end. In -n mode only the valid directory is looked at with
the exception of the ta directory holding the trust anchors.
A file can now be in two different locations so adjust all the code paths
that open files to check both locations.
One nice side-effect of this is that the RRDP handling in the main process
got simplified. There is no longer the need for temporary RRDP directories.
OK tb@
|
|
Also skip mft_check() if the mft is stale because at least in -n mode
the files to check are probably not around.
OK tb@
|
|
This is needed so that callers can allow a file to be in multiple
locations. Also move mft_check() from mft.c to parser.c.
OK tb@
|
|
based on information from the repository, a local path and the filename.
This simplifies some code both in the main process and the parser.
For this to work repositories are passed to the parser before any other
entity of this repository is passed. Struct entity is extended to include
the repoid and the path along the file(name).
Input and OK tb@ & job@
|
|
file, pkey and tal id. This is the last proc_parser function that needed
to be converted.
OK job@
|
|
The parent will then add the filename to the filepath tree instead
of doing that in entity_write_req(). In the parser pass the filename
instead of the full entity object to various proc_parser functions.
With this it will be possible to check more than one file in the parser.
OK tb@, earlier version OK benno@
|
|
The final warnx() is very noisy and essentially a remnant of earlier
debugging code. By ditching it and erroring directly on encountering
an unknown critical extension, the code becomes a bit simpler.
ok claudio
|
|
Since the last bump, libcrypto knows about the RFC 3779 extensions.
Therefore, setting X509_V_FLAG_IGNORE_CRITICAL is no longer needed.
In fact, we want to error on critical extensions neither rpki-client
nor libcrypto knows about.
On older LibreSSL versions with the default verify callback, this
causes verification failures. Implement a verify callback that
intercepts X509_V_ERR_UNHANDLED_CRITICAL_EXTENSIONS and checks that
the cert doesn't contain critical extensions not supported by libcrypto
other than the expected RFC 3779 extensions.
Tested with LibreSSL 3.3 and 3.4 on OpenBSD 6.9 and 7.0-stable by me
and with LibreSSL 3.2 on Linux by claudio.
input/ok claudio
|
|
information can be figured out by looking at the data pointer itself.
It is NULL when there is no data and not-NULL if there is data.
OK benno@
|
|
x509 object from the call and that reference needs to be freed. There is
a second inside of struct cert but that reference is still held.
So the X509_free() calls are indeed needed and by moving them up a bit
the code gets a bit simpler too.
With and OK tb@
|
|
use a small lookup table to print the description in the output path.
OK tb@
|
|
a bit.
|
|
the auth tree (including the TA) and be more careful to not dereference
NULL pointers. Both valid_ski_aki() and get_crl() can return NULL
pointers. In these situations X509_verify_cert() should fail and
the affected code should not be reachable but better be prepared.
With and OK tb@
|
|
Also make sure that trust anchors are not BGPsec certs.
While there fix some overly long lines.
OK benno@
|