Age | Commit message | Author |
|
The standards contain somewhat ambiguous language as to what the largest
acceptable value for a crlNumber or manifestNumber could be, due to a
limitation to 20 octets. The question is what 20 octets specifically are
meant...
Consensus seems to have emerged that the largest value is 2^159-1 since
2^160-1 would encode to 21 octets due to a padding octet to disambiguate
ff .. ff from -7f ff .. ff (iow the top bit of the first octet is a sign
bit).
Thus, switch from 2^160 - 1 to 2^159 - 1 as an upper bound by checking
the length of the value portion of the DER encoded ASN.1 integer to be
at most 20 octets.
Thanks to Martin Hoffmann, Tom Harrison, and Ben Maddison for raising and
discussing the issue. Thanks also to the spec authors for making me waste
a few hours of my life on a single bit.
ok job
|
OK tb@ claudio@
|
Verify whether the filename as presented by the publication point (which
is unsigned information) matches the filename in the SIA attribute
(which is signed information). Based on RFC 6487 section 4.8.8.
with and OK tb@
|
Parent is confusing and issuer is the appropriate terminology. This is
a mechanical diff. The only remaining uses of 'parent' in this code
base now mean 'parent process'.
discussed with beck and job
ok job
|
This was used in rsc.c prior to the switch to ASN.1 templates.
ok job
|
Requested by Ties de Kock (RIPE NCC)
OK tb@
|
Isolate resources from different RRDP servers to avoid
inappropriately increasing resource consumption for both
RRDP clients and the referenced server.
OK claudio@ tb@
|
OK tb@ claudio@
|
Instead of burning one letter for each new file format (sidrops is known
to crank out new things faster than a normal person can read), use -x to
opt into parsing and processing file formats that aren't yet considered
stable. This is currently only the Signed Prefix List. While a repetition
of the ASPA debacle, this code hasn't yet seen enough stress testing to be
enabled by default.
ok claudio job
|
ok claudio job (as part of a larger diff)
|
OK tb@
|
The OpenMetrics output shows per-repository counters for new files
added; the main process and JSON output emit the sum of all new files.
OK claudio@
|
OK claudio@
|
Signed Prefix Lists are a CMS-protected content type for use with the
RPKI to carry the complete list of prefixes which an Autonomous System
may originate to all or any of its routing peers. The validation of a
Signed Prefix List confirms that the holder of the listed ASN produced
the object, and that this list is a current, accurate and complete
description of address prefixes that may be announced into the routing
system originated by this AS.
https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-prefixlist
with and OK claudio@ tb@
|
Fix their indent in extern.h, move the X509_TIME_* macros to main.c since
they aren't (and can't really be) used elsewhere, document the meaning of
the magic numbers. Also move get_current_time() out of the middle of entity
handlers.
ok claudio job
|
These functions never existed.
ok claudio job
|
With the exception of mft.c where there is an additional boolean, this
struct carries a file name and a result. This means functions having
struct parse in the signature can't be shared between files, which has
been annoying. Simply pass file name and necessary info directly as a
function parameter and add a small dance to handle the boolean in mft.c.
ok job
|
ok job
|
ok job
|
Should have been part of the previous commit.
ok job
|
This would otherwise clash with an upcoming replacement of struct parse.
ok job
|
This is one of those weird things that metastasized throughout the code
base. job is about to introduce the 9th incompatible copy of it. Enough
is enough. It doesn't help anything.
looks good to claudio
ok clang
|
This is a straightforward deduplication and simplification made more
obvious by prior refactoring by job.
"sure" claudio
|
ok job
|
Use X509_public_digest() to calculate the SKI to get rid of a few dances
and weirdly named variables.
ok claudio
|
In LibreSSL *_it are variables, in other implementations they might
be a function. This helps squash compiler warnings in -portable.
Related: https://github.com/openbsd/src/commit/65af98848fc7a42e34d470d10fc1db8e23f9db93
OK tb@
|
Avoid i2d_RSAPublicKey() to help with future portability efforts.
Avoid a complication related to size_t/int for the return value
of i2d_X509_PUBKEY. While there, change the out label to 'err'.
OK tb@
|
OK tb@
|
This changeset makes the output align more with the TAL file syntax.
OK tb@
|
OK tb@
|
This should help with future portability efforts, and perhaps
makes the code a bit more readable.
OK tb@
|
OK tb@
|
It is possible that a given ASN.1 template generated d2i_*() function
didn't consume all data, so there is a potential for malleability.
The econtent is a sequence (which means it could be the concatenation
of several DER "blobs"). d2i_*() would only deserialize the first one
and not notice blobs following it.
OK tb@
|
The compiler can't know that the count doesn't change, so avoid evaluating
X509_get_ext_count() in each iteration. Also use a separate loop variable
in the ASid non-inheritance check to avoid a silly cast.
ok claudio
|
From the moment d2i_Manifest() was introduced, it was automatically
checked whether the thisUpdate/nextUpdate are ASN1_GENERALIZEDTIME.
Unfortunately, an additional check is needed, because OpenSSL doesn't
require RFC 5280 conformance for GeneralizedTime DER encoding.
OK tb@
|
It doesn't return a value < 0. If it did, someone could feed rpki-client
a bad cert that makes it error out, which is bad. There are various checks
that will reject a cert without extensions, so we don't need to check this
explicitly.
ok job
|
No need to hoist a staleness indicator through the whole process and
count it explicitly.
OK tb@
|
This aligns the mft2 case with mft1. There's still a bunch of cleanup
needed in here, but the logic seems to converge to something mere mortals
can follow.
ok job
|
By making proc_parser_mft_check() fail on a NULL manifest, we can
simplify the manifest selection logic further. This way we can see if
the new manifest has all the files it lists with correct hashes and
fall back to mft2 if not. This is still more complicated and uglier
than it should be, but far less convoluted and mind-bending than a day
ago.
ok job
|
OK tb@
|
invert logic for readability
OK tb@
|