From: Alberto Leiva Popper
Date: Thu, 29 Jun 2023 20:27:02 +0000 (-0600)
Subject: Remove the AIA validation
X-Git-Tag: 1.6.0~80^2~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b110c296e268f2e8d86a299f69be786bb39d3863;p=thirdparty%2FFORT-validator.git

Remove the AIA validation

As discovered in 566835e8da0ce52b6bded39db72667eeb2e41001, this validation was implemented incorrectly. Fort should locate the parent certificate in the local cache by URI, not force-redownload by rsync. The URI indexing will be implemented as part of #78. I'll reimplement the validation properly then.
---
diff --git a/src/object/certificate.c b/src/object/certificate.c
index 0a3867e7..91d544e8 100644
--- a/src/object/certificate.c
+++ b/src/object/certificate.c
@@ -757,7 +757,7 @@ end:
 	return error;
 }
 
-int
+static int
 certificate_load(struct rpki_uri *uri, X509 **result)
 {
 	X509 *cert = NULL;
@@ -1818,114 +1818,15 @@ err:
 	return pr_val_err("Certificate is not TA, CA nor BGPsec. Ignoring...");
 }
 
-/*
- * It does some of the things from validate_issuer(), but we can not wait for
- * such validation, since at this point the RSYNC URI at AIA extension must be
- * verified to comply with rfc6487#section-4.8.7
- */
-static int
-force_aia_validation(struct rpki_uri *caIssuers, X509 *son)
-{
-	X509 *parent;
-	struct rfc5280_name *son_name;
-	struct rfc5280_name *parent_name;
-	int error;
-
-	pr_val_debug("AIA's URI didn't matched parent URI, trying to SYNC");
-
-	/* TODO (#78) RFC misunderstanding; do not rsync here. */
-	/* RSYNC is still the preferred access mechanism, force the sync */
-	do {
-		error = rsync_download_files(caIssuers, false, true);
-		if (!error)
-			break;
-		if (error == EREQFAILED) {
-			pr_val_info("AIA URI couldn't be downloaded, trying to search locally");
-			break;
-		}
-		return error;
-	} while (0);
-
-	error = certificate_load(caIssuers, &parent);
-	if (error)
-		return error;
-
-	error = x509_name_decode(X509_get_subject_name(parent), "subject",
-	    &parent_name);
-	if (error)
-		goto free_parent;
-
-	error = x509_name_decode(X509_get_issuer_name(son), "issuer",
-	    &son_name);
-	if (error)
-		goto free_parent_name;
-
-	if (x509_name_equals(parent_name, son_name))
-		error = 0; /* Everything its ok */
-	else
-		error = pr_val_err("Certificate subject from AIA ('%s') isn't issuer of this certificate.",
-		    uri_val_get_printable(caIssuers));
-
-	x509_name_put(son_name);
-free_parent_name:
-	x509_name_put(parent_name);
-free_parent:
-	X509_free(parent);
-	return error;
-}
-
 int
 certificate_validate_aia(struct rpki_uri *caIssuers, X509 *cert)
 {
-	struct validation *state;
-	struct rpki_uri *parent;
-
-	if (caIssuers == NULL)
-		pr_crit("Certificate's AIA was not recorded.");
-
-	state = state_retrieve();
-
-	parent = x509stack_peek_uri(validation_certstack(state));
-	if (parent == NULL)
-		pr_crit("Certificate has no parent.");
-
-	/*
-	 * There are two possible issues here, specifically at first level root
-	 * certificate's childs:
-	 *
-	 * - Considering that the root certificate can be published at one or
-	 *   more rsync or HTTPS URIs (RFC 8630), the validation is done
-	 *   considering the first valid downloaded certificate URI from the
-	 *   list of URIs; so, that URI doesn't necessarily matches AIA. And
-	 *   this issue is more likely to happen if the 'shuffle-uris' flag
-	 *   is active an a TAL has more than one rsync/HTTPS uri.
-	 *
-	 * - If the TAL has only one URI, and such URI is HTTPS, the root
-	 *   certificate will be located at a distinct point that what it's
-	 *   expected, so this might be an error if such certificate (root
-	 *   certificate) isn't published at an rsync repository. See RFC 6487
-	 *   section-4.8.7:
-	 *
-	 *   "The preferred URI access mechanisms is "rsync", and an rsync URI
-	 *   [RFC5781] MUST be specified with an accessMethod value of
-	 *   id-ad-caIssuers. The URI MUST reference the point of publication
-	 *   of the certificate where this Issuer is the subject (the issuer's
-	 *   immediate superior certificate)."
-	 *
-	 * As of today, this is a common scenario, since most of the TALs have
-	 *   an HTTPS URI.
-	 */
-	if (uri_equals(caIssuers, parent))
-		return 0;
-
 	/*
-	 * Avoid the check at direct TA childs, otherwise try to match the
-	 * immediate superior subject with the current issuer. This will force
-	 * an RSYNC of AIA's URI, load the certificate and do the comparison.
+	 * TODO (#78) Compare the AIA to the parent's URI.
+	 * We're currently not recording the URI, so this can't be solved until
+	 * the #78 refactor.
 	 */
-	return certstack_get_x509_num(validation_certstack(state)) == 1 ?
-	    0 :
-	    force_aia_validation(caIssuers, cert);
+	return 0;
 }
 
 /*
diff --git a/src/object/certificate.h b/src/object/certificate.h
index b6a18b59..d6f2e018 100644
--- a/src/object/certificate.h
+++ b/src/object/certificate.h
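Review bot: With the body reduced to `return 0;`, certificate_validate_aia no longer verifies the AIA against anything, and the removed `if (caIssuers == NULL) pr_crit(...)` guard also drops the only visible check that a caIssuers URI was recorded at all; unless the extension parser (outside this hunk) already rejects a missing AIA, the RFC 6487 §4.8.7 requirement that a non-TA certificate carry one goes unenforced until #78 lands, not merely unverified against the parent. Both parameters are now unused, so `-Wunused-parameter` builds will warn; `(void)caIssuers; (void)cert;` keeps the signature for existing callers while making the stub explicit. A `pr_val_debug("AIA validation skipped pending #78");` line, or at minimum a sentence in the header comment for certificate_validate_aia saying the function is currently a no-op, would let operators and future reviewers see from logs and docs that this path accepts any AIA rather than discover it from the source.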
@@ -18,8 +18,6 @@ enum cert_type {
 	EE, /* End Entity certificates */
 };
 
-int certificate_load(struct rpki_uri *, X509 **);
-
 /**
  * Performs the basic (RFC 5280, presumably) chain validation.
  * (Ignores the IP and AS extensions.)