Populate struct ip in the leaf functions instead of handing it through
several layers and copying it along the way. Pass in the afi instead of
letting struct ip carry it.
ok claudio
needed for append_as() is done upfront.
OK tb@
OK claudio@ tb@
X509 API functions such as X509_check_ca() or X509_get_extension_flags()
can't be used reliably unless we know that X509v3 extensions are cached.
Otherwise they try to cache the extensions themselves but can't report
possible errors sensibly. They carry on and may return nonsense.
An old trick is to call X509_check_purpose() with a purpose of -1 which
is a wrapper around the internal x509v3_cache_extensions() that allows
error checking. Do this when we have a new cert. This way the API
functions affected by this can be relied upon. Another nice side effect
of doing this is that with LibreSSL we then know that the RFC 3779
extensions are in canonical form.
ok beck claudio
with and OK tb@ claudio@
ok claudio job
Let the RFC 3779 code in libcrypto do its job: deserialize the ASIdentifiers
extension using X509V3_EXT_d2i() and then simply walk the returned struct.
This replaces quite a bit of low level ASN.1 fiddling with much simpler
reaching into structs with names that have some meaning.
Additionally, RFC 6487, 4.8.10 forbids RDI entries, so throw an error
instead of ignoring them.
ok claudio
Let the RFC 3779 code in libcrypto do its job: deserialize the IPAddrBlocks
extension using X509V3_EXT_d2i() and then simply walk the returned struct.
This replaces quite a bit of low level ASN.1 fiddling with much simpler
reaching into structs with names that have some meaning.
ok claudio
ok claudio job
with and OK tb@
Factor out POSIX portable filename check into a new valid_filename() and
rename the previous valid_filename() to valid_mft_filename(). Fixes and
supersedes incomplete checks in the RSC code. Avoids truncation via
strndup() in case of embedded NULs.
input/ok claudio
OK tb@ claudio@
This implements decoding support for draft-ietf-sidrops-rpki-rsc-06
There are three major outstanding issues:
* The wire image might still change to conform to the more widely deployed
3779 API in libressl/openssl. IETF discussion ongoing.
* Whether the resources listed in the ResourceBlock are contained within
the EE's RFC 3779 extension is not hooked up yet.
* There is a fair bit of duplicity between rsc.c and cert.c, look for XXX
OK tb@
ok claudio
Thanks Marco D'Itri
RPKI Signed Objects are not malleable; this means the SHA256 digest
of an input file containing a signed object is a very stable identifier
to associate with the decoded (validated) output shown in filemode.
The SHA256 in hash_id is base64 encoded (just like hashes on manifest listings).
OK tb@
proc_parser_cert_validate() and proc_parser_root_cert() adjust
parse_load_certchain() and parse_load_ta() respectively.
Also cleanup the functions in parser.c and make it possible to call
ta_parse and cert_parse with a NULL cert.
OK tb@
makes sense to totally split it out. Duplicate proc_parser_cert_validate()
and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c.
The crl_tree code moved into crl.c similar to the auth_tree handling in
cert.c. All the proc functions are now tagged with __attribute(noreturn)
which allows removing the errx() after them.
OK tb@
This replaces a strange hack that sets TZ=UTC and calls localtime().
Tweak format string to keep printing UTC.
ok claudio
OK tb@
The schema is still work in progress.
OK claudio@
If timeout != 0 and 0 <= timeout <= 24*60*60, then timeout < 1 is
impossible.
ok
Make this work concurrently by allocating and freeing the EVP_ENCODE_CTX
for every call to base64_decode(). This is not a hot path so the impact
is negligible.
OK tb@
ok claudio
already stored as int and talsz is the limit for these ids.
OK tb@
parse_filepath(). If that happens something went very wrong and
it is better to fail hard than to limp along.
OK tb@
Verify the CRL referenced from the mft against the mft's fileAndHash info.
If the CRL matches then load it and use it to validate this mft. If the
mft validated OK add the now also valid CRL to the auth store for later use.
Before the newest CRL was always selected but that has negative consequences
because it is common practice to revoke the previous MFT's EE cert and with
that the cache is turned useless as soon as a new CRL is used. Also there
was a possibility that the CRL used for validation of the MFT was not the
one later used.
Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part
of the validation process. We opted in favor of the cached MFT.
With and OK tb@
The spec (RFC 6487, 4.8.6) expresses a preference for a single rsync URI
but allows for other URIs in the CRL distributionPoint. This doesn't
currently happen in practice but could come at some point. So look for
the rsync URI and skip over others, which is more correct and might help
in the future.
Pointed out by & ok claudio
"fine" claudio@ tb@
ok claudio
AIA and CRL URIs can reuse the code in sbgp_sia_location and thus get the
same checks as the SIA locations. This eliminates some more duplication
and makes the checks more stringent in that embedded NULs and "./" are no
longer allowed.
ok claudio
Move the unveil and pledges to the actual subprocesses and put all the
common code to start these into process_start(). Reduces the length of
main() a fair bit.
OK tb@