-#include "bgpsec.h"
+#include "object/bgpsec.h"
#include "alloc.h"
#include "log.h"
#include "validation_handler.h"
+#include "object/certificate.h"
struct resource_params {
unsigned char const *ski;
}
int
-handle_bgpsec(X509 *cert, unsigned char const *ski, struct resources *resources)
+handle_bgpsec(X509 *cert, struct resources *parent_resources, struct rpp *pp)
{
- struct resource_params res_params;
+ unsigned char *ski;
+ enum rpki_policy policy;
+ struct resources *resources;
X509_PUBKEY *pub_key;
unsigned char *cert_spk, *tmp;
int cert_spk_len;
+ struct resource_params res_params;
int error;
+ error = certificate_validate_rfc6487(cert, CERTYPE_BGPSEC);
+ if (error)
+ return error;
+ error = certificate_validate_extensions_bgpsec(cert, &ski, &policy, pp);
+ if (error)
+ return error;
+
+ resources = resources_create(policy, false);
+ if (resources == NULL)
+ goto revert_ski;
+ error = certificate_get_resources(cert, resources, CERTYPE_BGPSEC);
+ if (error)
+ goto revert_resources;
+
pub_key = X509_get_X509_PUBKEY(cert);
- if (pub_key == NULL)
- return val_crypto_err("X509_get_X509_PUBKEY() returned NULL at BGPsec");
+ if (pub_key == NULL) {
+ error = val_crypto_err("X509_get_X509_PUBKEY() returned NULL at BGPsec");
+ goto revert_resources;
+ }
cert_spk = pmalloc(RK_SPKI_LEN);
/* Use a temporal pointer, since i2d_X509_PUBKEY moves it */
tmp = cert_spk;
cert_spk_len = i2d_X509_PUBKEY(pub_key, &tmp);
- if(cert_spk_len < 0)
- return val_crypto_err("i2d_X509_PUBKEY() returned error");
+ if (cert_spk_len != RK_SPKI_LEN) {
+ error = val_crypto_err("i2d_X509_PUBKEY() returned %d",
+ cert_spk_len);
+ goto revert_spk;
+ }
res_params.spk = cert_spk;
res_params.ski = ski;
res_params.parent_resources = resources;
error = resources_foreach_asn(resources, asn_cb, &res_params);
+ /* Fall through */
+
+revert_spk:
free(cert_spk);
+revert_resources:
+ resources_destroy(resources);
+revert_ski:
+ free(ski);
return error;
}
*/
static int
certificate_validate_extensions_ca(X509 *cert, struct sia_ca_uris *sia_uris,
- struct certificate_refs *refs, enum rpki_policy *policy)
+ enum rpki_policy *policy, struct rpp *rpp_parent)
{
+ struct certificate_refs refs = { 0 };
struct extension_handler handlers[] = {
/* ext reqd handler arg */
{ ext_bc(), true, handle_bc, },
{ ext_ski(), true, handle_ski_ca, cert },
{ ext_aki(), true, handle_aki, },
{ ext_ku(), true, handle_ku_ca, },
- { ext_cdp(), true, handle_cdp, refs },
- { ext_aia(), true, handle_aia, refs },
+ { ext_cdp(), true, handle_cdp, &refs },
+ { ext_aia(), true, handle_aia, &refs },
{ ext_sia(), true, handle_sia_ca, sia_uris },
{ ext_cp(), true, handle_cp, policy },
{ ext_ir(), false, handle_ir, },
{ ext_ar2(), false, handle_ar, },
{ NULL },
};
+ int error;
- return handle_extensions(handlers, X509_get0_extensions(cert));
+ error = handle_extensions(handlers, X509_get0_extensions(cert));
+ if (error)
+ goto end;
+ error = certificate_validate_aia(refs.caIssuers, cert);
+ if (error)
+ goto end;
+ error = refs_validate_ca(&refs, rpp_parent);
+
+end:
+ refs_cleanup(&refs);
+ return error;
}
int
return handle_extensions(handlers, X509_get0_extensions(cert));
}
+int
+certificate_validate_extensions_bgpsec(X509 *cert, unsigned char **ski,
+ enum rpki_policy *policy, struct rpp *pp)
+{
+ return 0; /* TODO (#58) */
+}
+
static bool
has_bgpsec_router_eku(X509 *cert)
{
int
certificate_traverse(struct rpp *rpp_parent, struct rpki_uri *cert_uri)
{
-/** Is the CA certificate the TA certificate? */
-#define IS_TA (rpp_parent == NULL)
-
struct validation *state;
int total_parents;
STACK_OF(X509_CRL) *rpp_parent_crl;
X509 *cert;
struct sia_ca_uris sia_uris;
- struct certificate_refs refs;
enum rpki_policy policy;
- enum cert_type type;
+ enum cert_type certype;
struct rpp *pp;
bool repo_retry;
int error;
return pr_val_err("Certificate chain maximum depth exceeded.");
/* Debug cert type */
- if (IS_TA)
+ if (rpp_parent == NULL)
pr_val_debug("TA Certificate '%s' {",
uri_val_get_printable(cert_uri));
else
if (error)
goto revert_cert;
- error = get_certificate_type(cert, IS_TA, &type);
+ error = get_certificate_type(cert, rpp_parent == NULL, &certype);
if (error)
goto revert_cert;
/* Debug cert type */
- switch (type) {
+ switch (certype) {
case CERTYPE_TA:
break;
case CERTYPE_CA:
break;
case CERTYPE_BGPSEC:
pr_val_debug("Type: BGPsec EE. Ignoring...");
+// error = handle_bgpsec(cert, x509stack_peek_resources(
+// validation_certstack(state)), rpp_parent);
+ goto revert_cert;
+ default:
+ pr_val_debug("Type: Unknown. Ignoring...");
goto revert_cert;
- case CERTYPE_EE:
- pr_val_debug("Type: unexpected, validated as CA");
- break;
}
- error = certificate_validate_rfc6487(cert, type);
+ error = certificate_validate_rfc6487(cert, certype);
if (error)
goto revert_cert;
sia_ca_uris_init(&sia_uris);
- memset(&refs, 0, sizeof(refs));
-
- switch (type) {
- case CERTYPE_TA:
- error = certificate_validate_extensions_ta(cert, &sia_uris,
- &policy);
- break;
- default:
- /* Validate as a CA */
- error = certificate_validate_extensions_ca(cert, &sia_uris,
- &refs, &policy);
- break;
- }
- if (error)
- goto revert_uris;
-
- if (!IS_TA) {
- error = certificate_validate_aia(refs.caIssuers, cert);
- if (error)
- goto revert_uris;
- }
-
- error = refs_validate_ca(&refs, rpp_parent);
+ error = (certype == CERTYPE_TA)
+ ? certificate_validate_extensions_ta(cert, &sia_uris, &policy)
+ : certificate_validate_extensions_ca(cert, &sia_uris, &policy, rpp_parent);
if (error)
goto revert_uris;
do {
/* Validate the manifest (@mft) pointed by the certificate */
error = x509stack_push(validation_certstack(state), cert_uri,
- cert, policy, IS_TA);
+ cert, policy, certype);
if (error)
goto revert_uris;
rpp_refput(pp);
revert_uris:
sia_ca_uris_cleanup(&sia_uris);
- refs_cleanup(&refs);
revert_cert:
if (cert != NULL)
X509_free(cert);
projects / thirdparty / FORT-validator.git / commitdiff
