From: Alberto Leiva Popper Date: Tue, 14 May 2024 23:51:59 +0000 (-0600) Subject: General pre-release review and testing X-Git-Tag: 1.6.2~18 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=295d0cf51934058036a7aca3c8f526ee5272a4d2;p=thirdparty%2FFORT-validator.git General pre-release review and testing - Employ libssl's OID parsing rather than implement it from scratch. - Rename `struct signed_object_args` to `struct ee_cert`, since it's just a bunch of EE certificate data. - Remove `struct signed_data`, because it wasn't actually contributing anything. --- diff --git a/src/asn1/asn1c/CMSAttribute.c b/src/asn1/asn1c/CMSAttribute.c index 3b4b7223..5a21ca1c 100644 --- a/src/asn1/asn1c/CMSAttribute.c +++ b/src/asn1/asn1c/CMSAttribute.c @@ -7,6 +7,7 @@ #include "asn1/asn1c/CMSAttribute.h" +#include #include "json_util.h" #include "asn1/asn1c/ContentType.h" #include "asn1/asn1c/MessageDigest.h" @@ -50,14 +51,20 @@ CMSAttribute_encode_json(const asn_TYPE_descriptor_t *td, const void *sptr) if (json_object_add(root, "attrValues", array = json_array_new())) goto fail; - if (OBJECT_IDENTIFIER_is_ContentType(&cattr->attrType)) + switch (OBJECT_IDENTIFIER_to_nid(&cattr->attrType)) { + case NID_pkcs9_contentType: td = &asn_DEF_ContentType; - else if (OBJECT_IDENTIFIER_is_MessageDigest(&cattr->attrType)) + break; + case NID_pkcs9_messageDigest: td = &asn_DEF_MessageDigest; - else if (OBJECT_IDENTIFIER_is_SigningTime(&cattr->attrType)) + break; + case NID_pkcs9_signingTime: td = &asn_DEF_SigningTime; - else + break; + default: td = &asn_DEF_ANY; + break; + } for (a = 0; a < cattr->attrValues.list.count; a++) { tmp = attr2json(td, cattr->attrValues.list.array[a]); diff --git a/src/asn1/asn1c/ContentInfo.c b/src/asn1/asn1c/ContentInfo.c index fbc05a30..bb3faf35 100644 --- a/src/asn1/asn1c/ContentInfo.c +++ b/src/asn1/asn1c/ContentInfo.c @@ -7,6 +7,7 @@ #include "asn1/asn1c/ContentInfo.h" +#include #include "json_util.h" #include "asn1/asn1c/SignedData.h" @@ -45,7 +46,7 @@ ContentInfo_encode_json(const asn_TYPE_descriptor_t *td, const void *sptr) if (json_object_add(parent, "contentType", child)) goto fail; - if (OBJECT_IDENTIFIER_is_SignedData(&ci->contentType)) { + if (OBJECT_IDENTIFIER_to_nid(&ci->contentType) == NID_pkcs7_signed) { td = &asn_DEF_SignedData; child = content2json(td, &ci->content); } else { diff --git a/src/asn1/asn1c/EncapsulatedContentInfo.c b/src/asn1/asn1c/EncapsulatedContentInfo.c index 2bec8501..3c551498 100644 --- a/src/asn1/asn1c/EncapsulatedContentInfo.c +++ b/src/asn1/asn1c/EncapsulatedContentInfo.c @@ -7,6 +7,7 @@ #include "asn1/asn1c/EncapsulatedContentInfo.h" +#include "nid.h" #include "json_util.h" #include "asn1/asn1c/Manifest.h" #include "asn1/asn1c/RouteOriginAttestation.h" @@ -34,6 +35,7 @@ EncapsulatedContentInfo_encode_json(const asn_TYPE_descriptor_t *td, struct EncapsulatedContentInfo const *eci = sptr; json_t *parent; json_t *child; + int nid; if (!eci) return json_null(); @@ -47,19 +49,21 @@ EncapsulatedContentInfo_encode_json(const asn_TYPE_descriptor_t *td, if (json_object_add(parent, "eContentType", child)) goto fail; - if (OBJECT_IDENTIFIER_is_mft(&eci->eContentType)) { + nid = OBJECT_IDENTIFIER_to_nid(&eci->eContentType); + if (nid == nid_ct_mft()) { td = &asn_DEF_Manifest; child = econtent2json(td, eci->eContent); - } else if (OBJECT_IDENTIFIER_is_roa(&eci->eContentType)) { + } else if (nid == nid_ct_roa()) { td = &asn_DEF_RouteOriginAttestation; child = econtent2json(td, eci->eContent); - } else if (OBJECT_IDENTIFIER_is_gbr(&eci->eContentType)) { + } else if (nid == nid_ct_gbr()) { td = &asn_DEF_OCTET_STRING; child = OCTET_STRING_encode_json_utf8(td, eci->eContent); } else { td = &asn_DEF_OCTET_STRING; child = td->op->json_encoder(td, eci->eContent); } + if (json_object_add(parent, "eContent", child)) goto fail; diff --git a/src/asn1/asn1c/OBJECT_IDENTIFIER.c b/src/asn1/asn1c/OBJECT_IDENTIFIER.c index b805f450..f5df8df4 100644 --- a/src/asn1/asn1c/OBJECT_IDENTIFIER.c +++ b/src/asn1/asn1c/OBJECT_IDENTIFIER.c @@ -8,6 +8,7 @@ #include #include +#include #include "json_util.h" #include "asn1/asn1c/INTEGER.h" @@ -219,6 +220,22 @@ struct string_buffer { size_t len; }; +int +OBJECT_IDENTIFIER_to_nid(OBJECT_IDENTIFIER_t const *oid) +{ + ASN1_OBJECT *ao; + int result; + + ao = ASN1_OBJECT_create(NID_undef, oid->buf, oid->size, NULL, NULL); + if (ao == NULL) + return NID_undef; + + result = OBJ_obj2nid(ao); + + ASN1_OBJECT_free(ao); + return result; +} + static int bytes2str(const void *addend, size_t addlen, void *arg) { @@ -250,42 +267,20 @@ OBJECT_IDENTIFIER_to_literal(OBJECT_IDENTIFIER_t const *oid, char *buf) char const * OBJECT_IDENTIFIER_to_string(OBJECT_IDENTIFIER_t const *oid, char *buf) { -// printf("\n===========================\n"); -// for (ret = 0; ret < st->size; ret++) -// printf("%u ", st->buf[ret]); -// printf("\n===========================\n"); + char const *sn; if (!oid || !oid->buf) return NULL; - if (OBJECT_IDENTIFIER_is_rsaEncryption(oid)) - return "rsaEncryption"; - if (OBJECT_IDENTIFIER_is_sha256WithRSAEncryption(oid)) - return "sha256WithRSAEncryption"; - if (OBJECT_IDENTIFIER_is_SignedData(oid)) - return "signedData"; - if (OBJECT_IDENTIFIER_is_ContentType(oid)) - return "Content-Type"; - if (OBJECT_IDENTIFIER_is_MessageDigest(oid)) - return "Message-Digest"; - if (OBJECT_IDENTIFIER_is_SigningTime(oid)) - return "Signing-Time"; - if (OBJECT_IDENTIFIER_is_roa(oid)) - return "ROA"; - if (OBJECT_IDENTIFIER_is_mft(oid)) - return "Manifest"; - if (OBJECT_IDENTIFIER_is_gbr(oid)) - return "Ghostbusters"; - if (OBJECT_IDENTIFIER_is_sha256(oid)) - return "sha256"; - - return OBJECT_IDENTIFIER_to_literal(oid, buf); + + sn = OBJ_nid2sn(OBJECT_IDENTIFIER_to_nid(oid)); + return (sn != NULL) ? sn : OBJECT_IDENTIFIER_to_literal(oid, buf); } json_t * OBJECT_IDENTIFIER_encode_json(const struct asn_TYPE_descriptor_s *td, const void *sptr) { - const OBJECT_IDENTIFIER_t *oid = (const OBJECT_IDENTIFIER_t *)sptr; + const OBJECT_IDENTIFIER_t *oid = sptr; char buf[OID_STR_MAXLEN]; char const *string; @@ -591,98 +586,3 @@ OBJECT_IDENTIFIER_parse_arcs(const char *oid_text, ssize_t oid_txt_length, errno = EINVAL; /* Broken OID */ return -1; } - -static bool -is_raw(OBJECT_IDENTIFIER_t const *oid, unsigned char const *raw, size_t size) -{ - return (oid->size == size) && memcmp(oid->buf, raw, size) == 0; -} - -/* FIXME ber_decode_primitive() */ -bool -OBJECT_IDENTIFIER_is_rsaEncryption(OBJECT_IDENTIFIER_t const *oid) -{ - static const unsigned char RAW[] = { - 42, 134, 72, 134, 247, 13, 1, 1, 1 - }; - return is_raw(oid, RAW, sizeof(RAW)); -} - -bool -OBJECT_IDENTIFIER_is_sha256WithRSAEncryption(OBJECT_IDENTIFIER_t const *oid) -{ - static const unsigned char RAW[] = { - 42, 134, 72, 134, 247, 13, 1, 1, 11 - }; - return is_raw(oid, RAW, sizeof(RAW)); -} - -bool -OBJECT_IDENTIFIER_is_SignedData(OBJECT_IDENTIFIER_t const *oid) -{ - static const unsigned char RAW[] = { - 42, 134, 72, 134, 247, 13, 1, 7, 2 - }; - return is_raw(oid, RAW, sizeof(RAW)); -} - -bool -OBJECT_IDENTIFIER_is_ContentType(OBJECT_IDENTIFIER_t const *oid) -{ - static const unsigned char RAW[] = { - 42, 134, 72, 134, 247, 13, 1, 9, 3 - }; - return is_raw(oid, RAW, sizeof(RAW)); -} - -bool -OBJECT_IDENTIFIER_is_MessageDigest(OBJECT_IDENTIFIER_t const *oid) -{ - static const unsigned char RAW[] = { - 42, 134, 72, 134, 247, 13, 1, 9, 4 - }; - return is_raw(oid, RAW, sizeof(RAW)); -} - -bool -OBJECT_IDENTIFIER_is_SigningTime(OBJECT_IDENTIFIER_t const *oid) -{ - static const unsigned char RAW[] = { - 42, 134, 72, 134, 247, 13, 1, 9, 5 - }; - return is_raw(oid, RAW, sizeof(RAW)); -} - -bool -OBJECT_IDENTIFIER_is_roa(OBJECT_IDENTIFIER_t const *oid) -{ - static const unsigned char RAW[] = { - 42, 134, 72, 134, 247, 13, 1, 9, 16, 1, 24 - }; - return is_raw(oid, RAW, sizeof(RAW)); -} - -bool -OBJECT_IDENTIFIER_is_mft(OBJECT_IDENTIFIER_t const *oid) -{ - static const unsigned char RAW[] = { - 42, 134, 72, 134, 247, 13, 1, 9, 16, 1, 26 - }; - return is_raw(oid, RAW, sizeof(RAW)); -} - -bool -OBJECT_IDENTIFIER_is_gbr(OBJECT_IDENTIFIER_t const *oid) -{ - static const unsigned char RAW[] = { - 42, 134, 72, 134, 247, 13, 1, 9, 16, 1, 35 - }; - return is_raw(oid, RAW, sizeof(RAW)); -} - -bool -OBJECT_IDENTIFIER_is_sha256(OBJECT_IDENTIFIER_t const *oid) -{ - static const unsigned char RAW[] = { 96, 134, 72, 1, 101, 3, 4, 2, 1 }; - return is_raw(oid, RAW, sizeof(RAW)); -} diff --git a/src/asn1/asn1c/OBJECT_IDENTIFIER.h b/src/asn1/asn1c/OBJECT_IDENTIFIER.h index 00acb6e1..461e9632 100644 --- a/src/asn1/asn1c/OBJECT_IDENTIFIER.h +++ b/src/asn1/asn1c/OBJECT_IDENTIFIER.h @@ -33,6 +33,8 @@ xer_type_encoder_f OBJECT_IDENTIFIER_encode_xer; * Some handy conversion routines * **********************************/ +int OBJECT_IDENTIFIER_to_nid(OBJECT_IDENTIFIER_t const *); + #define OID_STR_MAXLEN 64 /* Null char included */ char const *OBJECT_IDENTIFIER_to_string(OBJECT_IDENTIFIER_t const *, char *); @@ -142,15 +144,4 @@ ssize_t OBJECT_IDENTIFIER_get_single_arc(const uint8_t *arcbuf, ssize_t OBJECT_IDENTIFIER_set_single_arc(uint8_t *arcbuf, size_t arcbuf_len, asn_oid_arc_t arc_value); -bool OBJECT_IDENTIFIER_is_rsaEncryption(OBJECT_IDENTIFIER_t const *oid); -bool OBJECT_IDENTIFIER_is_sha256WithRSAEncryption(OBJECT_IDENTIFIER_t const *oid); -bool OBJECT_IDENTIFIER_is_SignedData(OBJECT_IDENTIFIER_t const *oid); -bool OBJECT_IDENTIFIER_is_ContentType(OBJECT_IDENTIFIER_t const *oid); -bool OBJECT_IDENTIFIER_is_MessageDigest(OBJECT_IDENTIFIER_t const *oid); -bool OBJECT_IDENTIFIER_is_SigningTime(OBJECT_IDENTIFIER_t const *oid); -bool OBJECT_IDENTIFIER_is_roa(OBJECT_IDENTIFIER_t const *oid); -bool OBJECT_IDENTIFIER_is_mft(OBJECT_IDENTIFIER_t const *oid); -bool OBJECT_IDENTIFIER_is_gbr(OBJECT_IDENTIFIER_t const *oid); -bool OBJECT_IDENTIFIER_is_sha256(OBJECT_IDENTIFIER_t const *oid); - #endif /* _OBJECT_IDENTIFIER_H_ */ diff --git a/src/asn1/signed_data.c b/src/asn1/signed_data.c index 301ae23d..0fbaf89b 100644 --- a/src/asn1/signed_data.c +++ b/src/asn1/signed_data.c @@ -20,22 +20,18 @@ static const OID oid_sta = OID_SIGNING_TIME_ATTR; static const OID oid_bsta = OID_BINARY_SIGNING_TIME_ATTR; void -signed_object_args_init(struct signed_object_args *args, - struct rpki_uri *uri, - STACK_OF(X509_CRL) *crls, - bool force_inherit) +eecert_init(struct ee_cert *ee, STACK_OF(X509_CRL) *crls, bool force_inherit) { - args->res = resources_create(RPKI_POLICY_RFC6484, force_inherit); - args->uri = uri; - args->crls = crls; - memset(&args->refs, 0, sizeof(args->refs)); + ee->res = resources_create(RPKI_POLICY_RFC6484, force_inherit); + ee->crls = crls; + memset(&ee->refs, 0, sizeof(ee->refs)); } void -signed_object_args_cleanup(struct signed_object_args *args) +eecert_cleanup(struct ee_cert *ee) { - resources_destroy(args->res); - refs_cleanup(&args->refs); + resources_destroy(ee->res); + refs_cleanup(&ee->refs); } static int @@ -55,7 +51,7 @@ get_sid(struct SignerInfo *sinfo, OCTET_STRING_t **result) } static int -handle_sdata_certificate(ANY_t *cert_encoded, struct signed_object_args *args, +handle_sdata_certificate(ANY_t *cert_encoded, struct ee_cert *ee, OCTET_STRING_t *sid, ANY_t *signedData, SignatureValue_t *signature) { const unsigned char *otmp, *tmp; @@ -91,25 +87,25 @@ handle_sdata_certificate(ANY_t *cert_encoded, struct signed_object_args *args, x509_name_pr_debug("Issuer", X509_get_issuer_name(cert)); - error = certificate_validate_chain(cert, args->crls); + error = certificate_validate_chain(cert, ee->crls); if (error) goto end2; error = certificate_validate_rfc6487(cert, CERTYPE_EE); if (error) goto end2; - error = certificate_validate_extensions_ee(cert, sid, &args->refs, + error = certificate_validate_extensions_ee(cert, sid, &ee->refs, &policy); if (error) goto end2; - error = certificate_validate_aia(args->refs.caIssuers, cert); + error = certificate_validate_aia(ee->refs.caIssuers, cert); if (error) goto end2; error = certificate_validate_signature(cert, signedData, signature); if (error) goto end2; - resources_set_policy(args->res, policy); - error = certificate_get_resources(cert, args->res, CERTYPE_EE); + resources_set_policy(ee->res, policy); + error = certificate_get_resources(cert, ee->res, CERTYPE_EE); if (error) goto end2; @@ -259,9 +255,9 @@ illegal_attrType: return -EINVAL; } -static int -validate(struct SignedData *sdata, ANY_t *sdata_encoded, - struct signed_object_args *args) +int +signed_data_validate(ANY_t *encoded, struct SignedData *sdata, + struct ee_cert *ee) { struct SignerInfo *sinfo; OCTET_STRING_t *sid = NULL; @@ -387,7 +383,7 @@ validate(struct SignedData *sdata, ANY_t *sdata_encoded, } error = handle_sdata_certificate(sdata->certificates->list.array[0], - args, sid, sdata_encoded, &sinfo->signature); + ee, sid, encoded, &sinfo->signature); if (error) return error; @@ -446,38 +442,20 @@ release_sdata: } int -signed_data_decode(struct signed_data *sdata, ANY_t *coded) +signed_data_decode(ANY_t *encoded, struct SignedData **decoded) { int error; - sdata->encoded = coded; - - error = asn1_decode_any(coded, &asn_DEF_SignedData, - (void **) &sdata->decoded, false, false); + error = asn1_decode_any(encoded, &asn_DEF_SignedData, + (void **) decoded, false, false); if (error) { /* Try to decode as PKCS content (RFC 5652 section 5.2.1) */ - error = signed_data_decode_pkcs7(coded, &sdata->decoded); + error = signed_data_decode_pkcs7(encoded, decoded); } return error; } -int -signed_data_validate(struct signed_data *sdata, struct signed_object_args *args) -{ - /* - * TODO (fine) maybe collapse this wrapper, - * since there's no point to it anymore. - */ - return validate(sdata->decoded, sdata->encoded, args); -} - -void -signed_data_cleanup(struct signed_data *sdata) -{ - ASN_STRUCT_FREE(asn_DEF_SignedData, sdata->decoded); -} - /* Caller must free *@result. */ int get_content_type_attr(struct SignedData *sdata, OBJECT_IDENTIFIER_t **result) diff --git a/src/asn1/signed_data.h b/src/asn1/signed_data.h index 0504cd9e..9bf41072 100644 --- a/src/asn1/signed_data.h +++ b/src/asn1/signed_data.h @@ -7,37 +7,23 @@ #include "asn1/asn1c/SignedData.h" #include "object/certificate.h" -/* - * This only exists to reduce argument lists. - * TODO (fine) rename to signed_data_args, since it has nothing to do with - * signed objects anymore. - */ -struct signed_object_args { - /** Location of the signed object. */ - struct rpki_uri *uri; - /** CRL that might or might not revoke the embedded certificate. */ +struct ee_cert { + /** CRL that might or might not revoke the EE certificate. */ STACK_OF(X509_CRL) *crls; - /** A copy of the resources carried by the embedded certificate. */ + /** A copy of the resources carried by the EE certificate. */ struct resources *res; /** - * A bunch of URLs found in the embedded certificate's extensions, + * A bunch of URLs found in the EE certificate's extensions, * recorded for future validation. */ struct certificate_refs refs; }; -void signed_object_args_init(struct signed_object_args *, struct rpki_uri *, - STACK_OF(X509_CRL) *, bool); -void signed_object_args_cleanup(struct signed_object_args *); +void eecert_init(struct ee_cert *, STACK_OF(X509_CRL) *, bool); +void eecert_cleanup(struct ee_cert *); -struct signed_data { - ANY_t *encoded; - struct SignedData *decoded; -}; - -int signed_data_decode(struct signed_data *, ANY_t *); -int signed_data_validate(struct signed_data *, struct signed_object_args *); -void signed_data_cleanup(struct signed_data *); +int signed_data_decode(ANY_t *, struct SignedData **); +int signed_data_validate(ANY_t *, struct SignedData *, struct ee_cert *); int get_content_type_attr(struct SignedData *, OBJECT_IDENTIFIER_t **); diff --git a/src/nid.c b/src/nid.c index 4fc380f8..74816d8c 100644 --- a/src/nid.c +++ b/src/nid.c @@ -5,6 +5,9 @@ #include "log.h" +static int ct_roa_nid; +static int ct_mft_nid; +static int ct_gbr_nid; static int rpki_manifest_nid; static int signed_object_nid; static int rpki_notify_nid; @@ -43,6 +46,24 @@ register_oid(const char *oid, const char *sn, const char *ln) int nid_init(void) { + ct_roa_nid = register_oid("1.2.840.113549.1.9.16.1.24", + "id-ct-routeOriginAuthz", + "RPKI ROA (Content type)"); + if (ct_roa_nid == 0) + return -EINVAL; + + ct_mft_nid = register_oid("1.2.840.113549.1.9.16.1.26", + "id-ct-rpkiManifest", + "RPKI Manifest (Content type)"); + if (ct_mft_nid == 0) + return -EINVAL; + + ct_gbr_nid = register_oid("1.2.840.113549.1.9.16.1.35", + "id-ct-rpkiGhostbusters", + "RPKI Ghostbusters (Content type)"); + if (ct_gbr_nid == 0) + return -EINVAL; + rpki_manifest_nid = register_oid("1.3.6.1.5.5.7.48.10", "rpkiManifest", "RPKI Manifest (RFC 6487)"); @@ -100,42 +121,68 @@ nid_destroy(void) OBJ_cleanup(); } -int nid_rpkiManifest(void) +int +nid_ct_roa(void) +{ + return ct_roa_nid; +} + +int +nid_ct_mft(void) +{ + return ct_mft_nid; +} + +int +nid_ct_gbr(void) +{ + return ct_gbr_nid; +} + +int +nid_ad_mft(void) { return rpki_manifest_nid; } -int nid_signedObject(void) +int +nid_ad_so(void) { return signed_object_nid; } -int nid_rpkiNotify(void) +int +nid_ad_notify(void) { return rpki_notify_nid; } -int nid_certPolicyRpki(void) +int +nid_certPolicyRpki(void) { return cert_policy_rpki_nid; } -int nid_certPolicyRpkiV2(void) +int +nid_certPolicyRpkiV2(void) { return cert_policy_rpki_v2_nid; } -int nid_ipAddrBlocksv2(void) +int +nid_ipAddrBlocksv2(void) { return ip_addr_blocks_v2_nid; } -int nid_autonomousSysIdsv2(void) +int +nid_autonomousSysIdsv2(void) { return autonomous_sys_ids_v2_nid; } -int nid_bgpsecRouter(void) +int +nid_bgpsecRouter(void) { return bgpsec_router_nid; } diff --git a/src/nid.h b/src/nid.h index 3d0f643d..f1d87a05 100644 --- a/src/nid.h +++ b/src/nid.h @@ -4,9 +4,12 @@ int nid_init(void); void nid_destroy(void); -int nid_rpkiManifest(void); -int nid_signedObject(void); -int nid_rpkiNotify(void); +int nid_ct_roa(void); +int nid_ct_mft(void); +int nid_ct_gbr(void); +int nid_ad_mft(void); +int nid_ad_so(void); +int nid_ad_notify(void); int nid_certPolicyRpki(void); int nid_certPolicyRpkiV2(void); int nid_ipAddrBlocksv2(void); diff --git a/src/object/certificate.c b/src/object/certificate.c index 360b7e4e..67c328a2 100644 --- a/src/object/certificate.c +++ b/src/object/certificate.c @@ -1641,13 +1641,13 @@ handle_sia_ca(X509_EXTENSION *ext, void *arg) goto end; /* RRDP */ - error = handle_ad(nid_rpkiNotify(), &RPKI_NOTIFY, sia, + error = handle_ad(nid_ad_notify(), &RPKI_NOTIFY, sia, handle_rpkiNotify, uris); if (error) goto end; /* Manifest */ - error = handle_ad(nid_rpkiManifest(), &RPKI_MANIFEST, sia, + error = handle_ad(nid_ad_mft(), &RPKI_MANIFEST, sia, handle_rpkiManifest, uris); end: @@ -1665,7 +1665,7 @@ handle_sia_ee(X509_EXTENSION *ext, void *arg) if (sia == NULL) return cannot_decode(ext_sia()); - error = handle_ad(nid_signedObject(), &SIGNED_OBJECT, sia, + error = handle_ad(nid_ad_so(), &SIGNED_OBJECT, sia, handle_signedObject, arg); AUTHORITY_INFO_ACCESS_free(sia); diff --git a/src/object/ghostbusters.c b/src/object/ghostbusters.c index 797e2899..19a1b1b6 100644 --- a/src/object/ghostbusters.c +++ b/src/object/ghostbusters.c @@ -10,7 +10,7 @@ static int handle_vcard(struct signed_object *sobj) { return handle_ghostbusters_vcard( - sobj->sdata.decoded->encapContentInfo.eContent + sobj->sdata->encapContentInfo.eContent ); } @@ -20,7 +20,7 @@ ghostbusters_traverse(struct rpki_uri *uri, struct rpp *pp) static OID oid = OID_GHOSTBUSTERS; struct oid_arcs arcs = OID2ARCS("ghostbusters", oid); struct signed_object sobj; - struct signed_object_args sobj_args; + struct ee_cert ee; STACK_OF(X509_CRL) *crl; int error; @@ -37,19 +37,19 @@ ghostbusters_traverse(struct rpki_uri *uri, struct rpp *pp) error = rpp_crl(pp, &crl); if (error) goto revert_sobj; - signed_object_args_init(&sobj_args, uri, crl, true); + eecert_init(&ee, crl, true); /* Validate everything */ - error = signed_object_validate(&sobj, &arcs, &sobj_args); + error = signed_object_validate(&sobj, &arcs, &ee); if (error) goto revert_args; error = handle_vcard(&sobj); if (error) goto revert_args; - error = refs_validate_ee(&sobj_args.refs, pp, sobj_args.uri); + error = refs_validate_ee(&ee.refs, pp, uri); revert_args: - signed_object_args_cleanup(&sobj_args); + eecert_cleanup(&ee); revert_sobj: signed_object_cleanup(&sobj); revert_log: diff --git a/src/object/manifest.c b/src/object/manifest.c index 3d1739d8..9d42dc72 100644 --- a/src/object/manifest.c +++ b/src/object/manifest.c @@ -32,7 +32,7 @@ static int decode_manifest(struct signed_object *sobj, struct Manifest **result) { return asn1_decode_octet_string( - sobj->sdata.decoded->encapContentInfo.eContent, + sobj->sdata->encapContentInfo.eContent, &asn_DEF_Manifest, (void **) result, true, @@ -274,7 +274,7 @@ handle_manifest(struct rpki_uri *uri, struct rpki_uri *notif, struct rpp **pp) static OID oid = OID_MANIFEST; struct oid_arcs arcs = OID2ARCS("manifest", oid); struct signed_object sobj; - struct signed_object_args sobj_args; + struct ee_cert ee; struct Manifest *mft; STACK_OF(X509_CRL) *crl; int error; @@ -303,25 +303,25 @@ handle_manifest(struct rpki_uri *uri, struct rpki_uri *notif, struct rpp **pp) error = rpp_crl(*pp, &crl); if (error) goto revert_rpp; - signed_object_args_init(&sobj_args, uri, crl, false); + eecert_init(&ee, crl, false); /* Validate everything */ - error = signed_object_validate(&sobj, &arcs, &sobj_args); + error = signed_object_validate(&sobj, &arcs, &ee); if (error) goto revert_args; error = validate_manifest(mft); if (error) goto revert_args; - error = refs_validate_ee(&sobj_args.refs, *pp, uri); + error = refs_validate_ee(&ee.refs, *pp, uri); if (error) goto revert_args; /* Success */ - signed_object_args_cleanup(&sobj_args); + eecert_cleanup(&ee); goto revert_manifest; revert_args: - signed_object_args_cleanup(&sobj_args); + eecert_cleanup(&ee); revert_rpp: rpp_refput(*pp); revert_manifest: diff --git a/src/object/roa.c b/src/object/roa.c index 95066f8b..eeda8108 100644 --- a/src/object/roa.c +++ b/src/object/roa.c @@ -12,7 +12,7 @@ static int decode_roa(struct signed_object *sobj, struct RouteOriginAttestation **result) { return asn1_decode_octet_string( - sobj->sdata.decoded->encapContentInfo.eContent, + sobj->sdata->encapContentInfo.eContent, &asn_DEF_RouteOriginAttestation, (void **) result, true, @@ -253,7 +253,7 @@ roa_traverse(struct rpki_uri *uri, struct rpp *pp) static OID oid = OID_ROA; struct oid_arcs arcs = OID2ARCS("roa", oid); struct signed_object sobj; - struct signed_object_args sobj_args; + struct ee_cert ee; struct RouteOriginAttestation *roa; STACK_OF(X509_CRL) *crl; int error; @@ -274,19 +274,19 @@ roa_traverse(struct rpki_uri *uri, struct rpp *pp) error = rpp_crl(pp, &crl); if (error) goto revert_roa; - signed_object_args_init(&sobj_args, uri, crl, false); + eecert_init(&ee, crl, false); /* Validate and handle everything */ - error = signed_object_validate(&sobj, &arcs, &sobj_args); + error = signed_object_validate(&sobj, &arcs, &ee); if (error) goto revert_args; - error = __handle_roa(roa, sobj_args.res); + error = __handle_roa(roa, ee.res); if (error) goto revert_args; - error = refs_validate_ee(&sobj_args.refs, pp, sobj_args.uri); + error = refs_validate_ee(&ee.refs, pp, uri); revert_args: - signed_object_args_cleanup(&sobj_args); + eecert_cleanup(&ee); revert_roa: ASN_STRUCT_FREE(asn_DEF_RouteOriginAttestation, roa); revert_sobj: diff --git a/src/object/signed_object.c b/src/object/signed_object.c index 5f00e538..0efd1f0a 100644 --- a/src/object/signed_object.c +++ b/src/object/signed_object.c @@ -12,7 +12,7 @@ signed_object_decode(struct signed_object *sobj, struct rpki_uri *uri) if (error) return error; - error = signed_data_decode(&sobj->sdata, &sobj->cinfo->content); + error = signed_data_decode(&sobj->cinfo->content, &sobj->sdata); if (error) { content_info_free(sobj->cinfo); return error; @@ -68,29 +68,29 @@ validate_content_type(struct SignedData *sdata, struct oid_arcs const *oid) int signed_object_validate(struct signed_object *sobj, struct oid_arcs const *oid, - struct signed_object_args *args) + struct ee_cert *ee) { int error; /* rfc6482#section-2 */ /* rfc6486#section-4.1 */ /* rfc6486#section-4.4.1 */ - error = validate_eContentType(sobj->sdata.decoded, oid); + error = validate_eContentType(sobj->sdata, oid); if (error) return error; /* rfc6482#section-2 */ /* rfc6486#section-4.3 */ - error = validate_content_type(sobj->sdata.decoded, oid); + error = validate_content_type(sobj->sdata, oid); if (error) return error; - return signed_data_validate(&sobj->sdata, args); + return signed_data_validate(&sobj->cinfo->content, sobj->sdata, ee); } void signed_object_cleanup(struct signed_object *sobj) { content_info_free(sobj->cinfo); - signed_data_cleanup(&sobj->sdata); + ASN_STRUCT_FREE(asn_DEF_SignedData, sobj->sdata); } diff --git a/src/object/signed_object.h b/src/object/signed_object.h index 41404d74..07cfdf1a 100644 --- a/src/object/signed_object.h +++ b/src/object/signed_object.h @@ -6,12 +6,12 @@ struct signed_object { struct ContentInfo *cinfo; - struct signed_data sdata; + struct SignedData *sdata; }; int signed_object_decode(struct signed_object *, struct rpki_uri *); int signed_object_validate(struct signed_object *, struct oid_arcs const *, - struct signed_object_args *); + struct ee_cert *); void signed_object_cleanup(struct signed_object *); #endif /* SRC_OBJECT_SIGNED_OBJECT_H_ */