From: Alberto Leiva Popper Date: Thu, 15 May 2025 02:48:35 +0000 (-0600) Subject: Resolve several simple critical TODOs X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=80d1699c62a0b3b432ac4e6a4425247720e292c5;p=thirdparty%2FFORT-validator.git Resolve several simple critical TODOs - Rename `struct sia_uris` into `struct extension_uris` - Merge `certificate_refs` module into `certificate` (Includes a bunch of API review all over `certificate_refs`, `certificate`, `signed_object` and `signed_data`.) - Deprecate rsync and HTTP configuration priorities (HTTP/RRDP is hardcoded to preferred to simplify things.) - Add some comments to `struct cache_mapping` --- diff --git a/src/Makefile.am b/src/Makefile.am index 23650321..548584a4 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -11,7 +11,6 @@ fort_SOURCES += asn1/signed_data.h asn1/signed_data.c fort_SOURCES += base64.h base64.c fort_SOURCES += cache.c cache.h fort_SOURCES += cachetmp.c cachetmp.h -fort_SOURCES += certificate_refs.h certificate_refs.c fort_SOURCES += common.c common.h fort_SOURCES += config/boolean.c config/boolean.h fort_SOURCES += config/filename_format.h config/filename_format.c diff --git a/src/algorithm.c b/src/algorithm.c index edd07fc0..cf400c60 100644 --- a/src/algorithm.c +++ b/src/algorithm.c @@ -90,14 +90,14 @@ validate_certificate_public_key_algorithm_bgpsec(X509_ALGOR *pa) } int -validate_cms_hashing_algorithm(AlgorithmIdentifier_t *id, char const *what) +validate_cms_hash_algorithm(AlgorithmIdentifier_t *id, char const *what) { int error; if (id == NULL) return pr_val_err("The hash algorithm of the '%s' is absent", what); - error = validate_cms_hashing_algorithm_oid(&id->algorithm, what); + error = validate_cms_hash_algorithm_oid(&id->algorithm, what); if (error) return error; @@ -127,7 +127,7 @@ validate_cms_hashing_algorithm(AlgorithmIdentifier_t *id, char const *what) } int -validate_cms_hashing_algorithm_oid(OBJECT_IDENTIFIER_t *oid, char const *what) +validate_cms_hash_algorithm_oid(OBJECT_IDENTIFIER_t *oid, char const *what) { /* * RFC 7935: diff --git a/src/algorithm.h b/src/algorithm.h index d028657f..3baa22dc 100644 --- a/src/algorithm.h +++ b/src/algorithm.h @@ -13,8 +13,8 @@ int validate_certificate_signature_algorithm(int, char const *); int validate_certificate_public_key_algorithm(X509_ALGOR *); int validate_certificate_public_key_algorithm_bgpsec(X509_ALGOR *); -int validate_cms_hashing_algorithm(AlgorithmIdentifier_t *, char const *); -int validate_cms_hashing_algorithm_oid(OBJECT_IDENTIFIER_t *, char const *); +int validate_cms_hash_algorithm(AlgorithmIdentifier_t *, char const *); +int validate_cms_hash_algorithm_oid(OBJECT_IDENTIFIER_t *, char const *); int validate_cms_signature_algorithm(AlgorithmIdentifier_t *); #endif /* SRC_ALGORITHM_H_ */ diff --git a/src/asn1/signed_data.c b/src/asn1/signed_data.c index 36384e8e..960f2023 100644 --- a/src/asn1/signed_data.c +++ b/src/asn1/signed_data.c @@ -10,6 +10,7 @@ #include "hash.h" #include "log.h" #include "object/certificate.h" +#include "object/signed_object.h" #include "types/name.h" static const OID oid_cta = OID_CONTENT_TYPE_ATTR; @@ -17,7 +18,7 @@ static const OID oid_mda = OID_MESSAGE_DIGEST_ATTR; static const OID oid_sta = OID_SIGNING_TIME_ATTR; static int -get_sid(struct SignerInfo *sinfo, OCTET_STRING_t **result) +get_sid(struct SignerInfo *sinfo, OCTET_STRING_t const **result) { switch (sinfo->sid.present) { case SignerIdentifier_PR_subjectKeyIdentifier: @@ -29,15 +30,15 @@ get_sid(struct SignerInfo *sinfo, OCTET_STRING_t **result) break; } + *result = NULL; return pr_val_err("Signer Info's sid is not a SubjectKeyIdentifier."); } static int -handle_sdata_certificate(ANY_t *cert_encoded, struct rpki_certificate *ee, - OCTET_STRING_t *sid, ANY_t *signedData, SignatureValue_t *signature) +handle_sdata_ee(struct signed_object *so, struct rpki_certificate *ee, + ANY_t *cer_encoded) { const unsigned char *otmp, *tmp; - int error; /* * No need to validate certificate chain length, since we just arrived @@ -51,33 +52,15 @@ handle_sdata_certificate(ANY_t *cert_encoded, struct rpki_certificate *ee, * We definitely don't want @any->buf to be modified, so use a dummy * pointer. */ - tmp = (const unsigned char *) cert_encoded->buf; + tmp = (const unsigned char *)cer_encoded->buf; otmp = tmp; - ee->x509 = d2i_X509(NULL, &tmp, cert_encoded->size); + ee->x509 = d2i_X509(NULL, &tmp, cer_encoded->size); if (ee->x509 == NULL) return val_crypto_err("Signed object's 'certificate' element does not decode into a Certificate"); - if (tmp != otmp + cert_encoded->size) + if (tmp != otmp + cer_encoded->size) return val_crypto_err("Signed object's 'certificate' element contains trailing garbage"); - x509_name_pr_clutter("Issuer", X509_get_issuer_name(ee->x509)); - - error = certificate_validate_chain(ee); - if (error) - return error; - error = certificate_validate_rfc6487(ee); - if (error) - return error; - error = certificate_validate_extensions_ee(ee, sid); - if (error) - return error; - error = certificate_validate_aia(ee); - if (error) - return error; - error = certificate_validate_signature(ee->x509, signedData, signature); - if (error) - return error; - resources_set_policy(ee->resources, ee->policy); - return certificate_get_resources(ee); + return cer_validate_ee(ee, so); } /* rfc6488#section-2.1.6.4.1 */ @@ -213,15 +196,15 @@ illegal_attrType: } int -signed_data_validate(ANY_t *encoded, struct SignedData *sdata, - struct rpki_certificate *ee) +signed_data_validate(struct signed_object *so, struct rpki_certificate *ee) { + struct SignedData *sdata; struct SignerInfo *sinfo; - OCTET_STRING_t *sid = NULL; unsigned long version; int error; /* rfc6488#section-2.1 */ + sdata = so->sdata; if (sdata->signerInfos.list.count != 1) { return pr_val_err("The SignedData's SignerInfo set is supposed to have only one element. (%d given.)", sdata->signerInfos.list.count); @@ -255,7 +238,7 @@ signed_data_validate(ANY_t *encoded, struct SignedData *sdata, * AlgorithmIdentifier instead. There's no API. * This seems to work fine. */ - error = validate_cms_hashing_algorithm( + error = validate_cms_hash_algorithm( (AlgorithmIdentifier_t *) sdata->digestAlgorithms.list.array[0], "SignedData"); if (error) @@ -280,6 +263,7 @@ signed_data_validate(ANY_t *encoded, struct SignedData *sdata, sinfo = sdata->signerInfos.list.array[0]; if (sinfo == NULL) return pr_val_err("The SignerInfo object is NULL."); + so->signature = &sinfo->signature; error = asn_INTEGER2ulong(&sinfo->version, &version); if (error) { @@ -297,13 +281,13 @@ signed_data_validate(ANY_t *encoded, struct SignedData *sdata, /* rfc6488#section-2.1.6.2 */ /* rfc6488#section-3.1.c 2/2 */ /* (Most of this requirement is in handle_ski_ee().) */ - error = get_sid(sinfo, &sid); + error = get_sid(sinfo, &so->sid); if (error) return error; /* rfc6488#section-2.1.6.3 */ /* rfc6488#section-3.1.j 2/2 */ - error = validate_cms_hashing_algorithm(&sinfo->digestAlgorithm, + error = validate_cms_hash_algorithm(&sinfo->digestAlgorithm, "SignerInfo"); if (error) return error; @@ -339,8 +323,7 @@ signed_data_validate(ANY_t *encoded, struct SignedData *sdata, sdata->certificates->list.count); } - return handle_sdata_certificate(sdata->certificates->list.array[0], - ee, sid, encoded, &sinfo->signature); + return handle_sdata_ee(so, ee, sdata->certificates->list.array[0]); } /* diff --git a/src/asn1/signed_data.h b/src/asn1/signed_data.h index fc22061c..675a7577 100644 --- a/src/asn1/signed_data.h +++ b/src/asn1/signed_data.h @@ -4,11 +4,12 @@ /* Some wrappers for asn1/asn1c/SignedData.h. */ #include "asn1/asn1c/SignedData.h" -#include "object/certificate.h" + +struct rpki_certificate; +struct signed_object; int signed_data_decode(ANY_t *, struct SignedData **); -int signed_data_validate(ANY_t *, struct SignedData *, - struct rpki_certificate *); +int signed_data_validate(struct signed_object *, struct rpki_certificate *); int get_content_type_attr(struct SignedData *, OBJECT_IDENTIFIER_t **); diff --git a/src/cache.c b/src/cache.c index 3ff41f09..f21cb0b6 100644 --- a/src/cache.c +++ b/src/cache.c @@ -971,15 +971,15 @@ ongoing: mutex_unlock(&tbl->lock); } static struct cache_node * -find_rrdp_fallback_node(struct sia_uris *sias) +find_rrdp_fallback_node(struct extension_uris *uris) { struct node_key key; struct cache_node *result; - if (!uri_str(&sias->rpkiNotify) || !uri_str(&sias->caRepository)) + if (!uri_str(&uris->rpkiNotify) || !uri_str(&uris->caRepository)) return NULL; - init_rrdp_fallback_key(&key, &sias->rpkiNotify, &sias->caRepository); + init_rrdp_fallback_key(&key, &uris->rpkiNotify, &uris->caRepository); result = find_node(&cache.fallback, key.id, key.idlen); free(key.id); @@ -987,14 +987,14 @@ find_rrdp_fallback_node(struct sia_uris *sias) } static struct cache_node * -get_fallback(struct sia_uris *sias) +get_fallback(struct extension_uris *uris) { struct cache_node *rrdp; struct cache_node *rsync; - rrdp = find_rrdp_fallback_node(sias); - rsync = find_node(&cache.fallback, uri_str(&sias->caRepository), - uri_len(&sias->caRepository)); + rrdp = find_rrdp_fallback_node(uris); + rsync = find_node(&cache.fallback, uri_str(&uris->caRepository), + uri_len(&uris->caRepository)); if (rrdp == NULL) return rsync; @@ -1051,7 +1051,7 @@ cache_get_fallback(struct uri const *url) * XXX Fallback only if parent is fallback */ validation_verdict -cache_refresh_by_sias(struct sia_uris *sias, struct cache_cage **result) +cache_refresh_by_uris(struct extension_uris *uris, struct cache_cage **result) { struct cache_node *node; struct cache_cage *cage; @@ -1059,13 +1059,12 @@ cache_refresh_by_sias(struct sia_uris *sias, struct cache_cage **result) validation_verdict vv; // XXX Make sure somewhere validates rpkiManifest matches caRepository. - // XXX review result signs /* Try RRDP + optional fallback */ - if (uri_str(&sias->rpkiNotify) != NULL) { - vv = do_refresh(&cache.rrdp, &sias->rpkiNotify, &node); + if (uri_str(&uris->rpkiNotify) != NULL) { + vv = do_refresh(&cache.rrdp, &uris->rpkiNotify, &node); if (vv == VV_CONTINUE) { - rpkiNotify = sias->rpkiNotify; + rpkiNotify = uris->rpkiNotify; goto refresh_success; } if (vv == VV_BUSY) @@ -1073,7 +1072,7 @@ cache_refresh_by_sias(struct sia_uris *sias, struct cache_cage **result) } /* Try rsync + optional fallback */ - vv = do_refresh(&cache.rsync, &sias->caRepository, &node); + vv = do_refresh(&cache.rsync, &uris->caRepository, &node); if (vv == VV_CONTINUE) { memset(&rpkiNotify, 0, sizeof(rpkiNotify)); goto refresh_success; @@ -1082,7 +1081,7 @@ cache_refresh_by_sias(struct sia_uris *sias, struct cache_cage **result) return VV_BUSY; /* Try fallback only */ - node = get_fallback(sias); + node = get_fallback(uris); if (!node) return VV_FAIL; /* Nothing to work with */ @@ -1094,7 +1093,7 @@ refresh_success: *result = cage = pzalloc(sizeof(struct cache_cage)); cage->rpkiNotify = rpkiNotify; cage->refresh = node; - cage->fallback = get_fallback(sias); + cage->fallback = get_fallback(uris); return VV_CONTINUE; } @@ -1517,18 +1516,18 @@ cache_commit(void) } void -sias_init(struct sia_uris *sias) +exturis_init(struct extension_uris *uris) { - memset(sias, 0, sizeof(*sias)); + memset(uris, 0, sizeof(*uris)); } void -sias_cleanup(struct sia_uris *sias) +exturis_cleanup(struct extension_uris *uris) { - uri_cleanup(&sias->caRepository); - uri_cleanup(&sias->rpkiNotify); - uri_cleanup(&sias->rpkiManifest); - uri_cleanup(&sias->crldp); - uri_cleanup(&sias->caIssuers); - uri_cleanup(&sias->signedObject); + uri_cleanup(&uris->caRepository); + uri_cleanup(&uris->rpkiNotify); + uri_cleanup(&uris->rpkiManifest); + uri_cleanup(&uris->crldp); + uri_cleanup(&uris->caIssuers); + uri_cleanup(&uris->signedObject); } diff --git a/src/cache.h b/src/cache.h index b12fa85e..eaf1092a 100644 --- a/src/cache.h +++ b/src/cache.h @@ -13,8 +13,7 @@ void cache_atexit(void); int cache_prepare(void); /* Prepare cache for new validation cycle */ void cache_commit(void); /* Finish validation cycle */ -/* XXX might wanna rename */ -struct sia_uris { +struct extension_uris { struct uri caRepository; /* RPP cage */ struct uri rpkiNotify; /* RRDP Notification */ struct uri rpkiManifest; @@ -36,14 +35,14 @@ struct sia_uris { struct uri signedObject; }; -void sias_init(struct sia_uris *); -void sias_cleanup(struct sia_uris *); +void exturis_init(struct extension_uris *); +void exturis_cleanup(struct extension_uris *); char *cache_refresh_by_url(struct uri const *); char *cache_get_fallback(struct uri const *); struct cache_cage; -validation_verdict cache_refresh_by_sias(struct sia_uris *, +validation_verdict cache_refresh_by_uris(struct extension_uris *, struct cache_cage **); char const *cage_map_file(struct cache_cage *, struct uri const *); bool cage_disable_refresh(struct cache_cage *); diff --git a/src/certificate_refs.c b/src/certificate_refs.c deleted file mode 100644 index 93c3aa14..00000000 --- a/src/certificate_refs.c +++ /dev/null @@ -1,56 +0,0 @@ -#include "certificate_refs.h" - -#include -#include -#include - -#include "log.h" - -int -validate_cdp(struct sia_uris const *sias, struct uri const *crl_url) -{ - if (uri_str(&sias->crldp) == NULL) - pr_crit("Certificate's CRL Distribution Point was not recorded."); - if (uri_str(crl_url) == NULL) - pr_crit("Manifest's CRL was not recorded."); - - if (uri_equals(&sias->crldp, crl_url) != 0) { - return pr_val_err("Certificate's CRL Distribution Point ('%s') does not match manifest's CRL ('%s').", - uri_str(&sias->crldp), uri_str(crl_url)); - } - - return 0; -} - -static int -validate_signedObject(struct sia_uris const *sias, struct uri const *url) -{ - if (uri_str(&sias->signedObject) == NULL) - pr_crit("Certificate's signedObject was not recorded."); - - if (!uri_equals(&sias->signedObject, url)) - return pr_val_err("Certificate's signedObject ('%s') does not match the URI of its own signed object (%s).", - uri_str(&sias->signedObject), uri_str(url)); - - return 0; -} - -/** - * Ensures the @refs URIs match the Manifest URIs. Assumes @refs came from an - * EE certificate. - * - * @refs: References you want validated. - * @url: URL of the signed object that contains the EE certificate. - */ -int -refs_validate_ee(struct sia_uris const *sias, struct uri const *crl_url, - struct uri const *url) -{ - int error; - - error = validate_cdp(sias, crl_url); - if (error) - return error; - - return validate_signedObject(sias, url); -} diff --git a/src/certificate_refs.h b/src/certificate_refs.h deleted file mode 100644 index 851f8a5e..00000000 --- a/src/certificate_refs.h +++ /dev/null @@ -1,12 +0,0 @@ -#ifndef SRC_CERTIFICATE_REFS_H_ -#define SRC_CERTIFICATE_REFS_H_ - -/* XXX delete this */ - -#include "cache.h" - -int validate_cdp(struct sia_uris const *, struct uri const *); -int refs_validate_ee(struct sia_uris const *, struct uri const *, - struct uri const *); - -#endif /* SRC_CERTIFICATE_REFS_H_ */ diff --git a/src/common.h b/src/common.h index d5e68384..7068281e 100644 --- a/src/common.h +++ b/src/common.h @@ -11,9 +11,9 @@ #define ENOTIMPLEMENTED 3173 typedef char const *validation_verdict; -extern validation_verdict const VV_CONTINUE; -extern validation_verdict const VV_FAIL; -extern validation_verdict const VV_BUSY; +extern validation_verdict const VV_CONTINUE; /* "No issues yet" */ +extern validation_verdict const VV_FAIL; /* "Validation failed" */ +extern validation_verdict const VV_BUSY; /* "Try again later" */ bool str_starts_with(char const *, char const *); bool str_ends_with(char const *, char const *); diff --git a/src/config.c b/src/config.c index 58875248..de0f8dc4 100644 --- a/src/config.c +++ b/src/config.c @@ -85,7 +85,7 @@ struct rpki_config { struct { /* Enables the protocol */ bool enabled; - /* Protocol preference; compared to http.priority */ + /* Deprecated; does nothing. */ unsigned int priority; /* Maximum simultaneous rsyncs */ unsigned int max; @@ -99,7 +99,7 @@ struct rpki_config { struct { /* Enables the protocol */ bool enabled; - /* Protocol preference; compared to rsync.priority */ + /* Deprecated; does nothing. */ unsigned int priority; /* HTTP User-Agent request header */ char *user_agent; @@ -464,7 +464,7 @@ static const struct option_field options[] = { .doc = "rsync's priority for repository file fetching. Higher value means higher priority.", .min = 0, .max = 100, - /* XXX deprecated? */ + .deprecated = true, }, { .id = 3002, .name = "rsync.strategy", @@ -523,7 +523,7 @@ static const struct option_field options[] = { .doc = "HTTP's priority for repository file fetching. Higher value means higher priority.", .min = 0, .max = 100, - /* XXX deprecated? */ + .deprecated = true, }, { .id = 9004, .name = "http.user-agent", @@ -968,7 +968,6 @@ set_default_values(void) string_array_init(&rpki_config.rsync.args, trash, ARRAY_LEN(trash)); rpki_config.http.enabled = true; - /* Higher priority than rsync by default */ rpki_config.http.priority = 60; rpki_config.http.user_agent = pstrdup(PACKAGE_NAME "/" PACKAGE_VERSION); rpki_config.http.max_redirs = 10; @@ -1386,12 +1385,6 @@ config_get_rsync_enabled(void) return !rpki_config.work_offline && rpki_config.rsync.enabled; } -unsigned int -config_get_rsync_priority(void) -{ - return rpki_config.rsync.priority; -} - unsigned int config_rsync_max(void) { @@ -1416,12 +1409,6 @@ config_get_http_enabled(void) return !rpki_config.work_offline && rpki_config.http.enabled; } -unsigned int -config_get_http_priority(void) -{ - return rpki_config.http.priority; -} - char const * config_get_http_user_agent(void) { diff --git a/src/config.h b/src/config.h index a9caee0a..fe42658e 100644 --- a/src/config.h +++ b/src/config.h @@ -44,12 +44,10 @@ long config_get_http_max_file_size(void); char const *config_get_http_ca_path(void); unsigned int config_get_rrdp_delta_threshold(void); bool config_get_rsync_enabled(void); -unsigned int config_get_rsync_priority(void); unsigned int config_rsync_max(void); long config_rsync_timeout(void); char const *config_get_rsync_program(void); bool config_get_http_enabled(void); -unsigned int config_get_http_priority(void); char const *config_get_output_roa(void); char const *config_get_output_bgpsec(void); enum output_format config_get_output_format(void); diff --git a/src/object/bgpsec.c b/src/object/bgpsec.c index 32345415..0eba44bb 100644 --- a/src/object/bgpsec.c +++ b/src/object/bgpsec.c @@ -44,7 +44,7 @@ handle_bgpsec(X509 *cert, struct resources *parent_resources, struct rpp *pp) resources = resources_create(policy, false); if (resources == NULL) goto revert_ski; - error = certificate_get_resources(cert, resources, CERTYPE_BGPSEC); + error = cer_get_resources(cert, resources, CERTYPE_BGPSEC); if (error) goto revert_resources; diff --git a/src/object/certificate.c b/src/object/certificate.c index 2f490fb1..4eb82822 100644 --- a/src/object/certificate.c +++ b/src/object/certificate.c @@ -24,6 +24,7 @@ #include "object/ghostbusters.h" #include "object/manifest.h" #include "object/roa.h" +#include "object/signed_object.h" #include "object/tal.h" #include "task.h" #include "thread_var.h" @@ -44,7 +45,7 @@ SLIST_HEAD(cert_stack, rpki_certificate); struct ski_arguments { X509 *cert; - OCTET_STRING_t *sid; + OCTET_STRING_t const *sid; }; struct bgpsec_ski { @@ -53,7 +54,7 @@ struct bgpsec_ski { }; /* Callback method to fetch repository objects */ -typedef int (access_method_exec)(struct sia_uris *); +typedef int (access_method_exec)(struct extension_uris *); struct ad_metadata { char const *name; @@ -445,8 +446,9 @@ validate_public_key(struct rpki_certificate *cert) return 0; } -int -certificate_validate_rfc6487(struct rpki_certificate *cert) +/* Validates RFC 6487 compliance (except extensions) */ +static int +validate_rfc6487(struct rpki_certificate *cert) { int error; @@ -643,9 +645,9 @@ find_signedAttrs(ANY_t *signedData, struct encoded_signedAttrs *result) * skips unnecessary validations when using the PKCS7 API. Maybe the methods * we're using have something similar. */ -int -certificate_validate_signature(X509 *cert, ANY_t *signedData, - SignatureValue_t *signature) +static int +validate_signature(X509 *cert, ANY_t *signedData, + SignatureValue_t const *signature) { static const uint8_t EXPLICIT_SET_OF_TAG = 0x31; @@ -748,7 +750,7 @@ end: } static X509 * -certificate_load(char const *path) +load_certificate(char const *path) { X509 *cert = NULL; BIO *bio; @@ -774,8 +776,8 @@ end: BIO_free(bio); } void -rpki_certificate_init_ee(struct rpki_certificate *ee, - struct rpki_certificate *parent, bool force_inherit) +cer_init_ee(struct rpki_certificate *ee, struct rpki_certificate *parent, + bool force_inherit) { memset(ee, 0, sizeof(*ee)); ee->type = CERTYPE_EE; @@ -788,24 +790,24 @@ rpki_certificate_init_ee(struct rpki_certificate *ee, } void -rpki_certificate_cleanup(struct rpki_certificate *cert) +cer_cleanup(struct rpki_certificate *cert) { map_cleanup(&cert->map); if (cert->x509 != NULL) X509_free(cert->x509); resources_destroy(cert->resources); - sias_cleanup(&cert->sias); + exturis_cleanup(&cert->uris); // XXX Recursive. Try refcounting the resources. if (cert->parent) - rpki_certificate_free(cert->parent); + cer_free(cert->parent); rpp_cleanup(&cert->rpp); } void -rpki_certificate_free(struct rpki_certificate *cert) +cer_free(struct rpki_certificate *cert) { if (atomic_fetch_sub(&cert->refcount, 1) == 1) { - rpki_certificate_cleanup(cert); + cer_cleanup(cert); free(cert); } } @@ -919,8 +921,12 @@ complain_crl_stale(X509_CRL *crl) free(nu); } -int -certificate_validate_chain(struct rpki_certificate *cert) +/* + * Performs the basic (RFC 5280, presumably) chain validation. + * (Ignores the IP and AS extensions.) + */ +static int +validate_chain(struct rpki_certificate *cert) { /* Reference: openbsd/src/usr.bin/openssl/verify.c */ @@ -1098,7 +1104,7 @@ handle_asn_extension(struct rpki_certificate *cert, X509_EXTENSION *ext) } static int -__certificate_get_resources(struct rpki_certificate *cert, +__convert_resources(struct rpki_certificate *cert, int addr_nid, int asn_nid, int bad_addr_nid, int bad_asn_nid, char const *policy_rfc, char const *bad_ext_rfc) { @@ -1155,30 +1161,39 @@ __certificate_get_resources(struct rpki_certificate *cert, return 0; } -/* Copies the resources from @cert to @resources. */ -int -certificate_get_resources(struct rpki_certificate *cert) +/** + * Copies the resources from cert->x509 into cert->resources. + * + * Note: One reason why this is separate from the validate_extensions functions + * is because it needs to be handled after the policy has been extracted from + * the certificate policies extension, and handle_extensions() currently does + * not care about order. I don't know if you'll find other reasons if you choose + * to migrate it. + */ +static int +convert_resources(struct rpki_certificate *cert) { switch (cert->policy) { case RPKI_POLICY_RFC6484: - return __certificate_get_resources(cert, + return __convert_resources(cert, NID_sbgp_ipAddrBlock, NID_sbgp_autonomousSysNum, nid_ipAddrBlocksv2(), nid_autonomousSysIdsv2(), "6484", "8360"); case RPKI_POLICY_RFC8360: - return __certificate_get_resources(cert, + return __convert_resources(cert, nid_ipAddrBlocksv2(), nid_autonomousSysIdsv2(), NID_sbgp_ipAddrBlock, NID_sbgp_autonomousSysNum, "8360", "6484"); } pr_crit("Unknown policy: %u", cert->policy); + return EINVAL; } static int handle_rpkiManifest(struct uri const *uri, void *arg) { - struct sia_uris *uris = arg; + struct extension_uris *uris = arg; char const *rm; rm = uri_str(uri); @@ -1201,7 +1216,7 @@ handle_rpkiManifest(struct uri const *uri, void *arg) static int handle_caRepository(struct uri const *uri, void *arg) { - struct sia_uris *uris = arg; + struct extension_uris *uris = arg; char const *cr; cr = uri_str(uri); @@ -1224,7 +1239,7 @@ handle_caRepository(struct uri const *uri, void *arg) static int handle_rpkiNotify(struct uri const *uri, void *arg) { - struct sia_uris *uris = arg; + struct extension_uris *uris = arg; char const *rn; rn = uri_str(uri); @@ -1247,7 +1262,7 @@ handle_rpkiNotify(struct uri const *uri, void *arg) static int handle_signedObject(struct uri const *uri, void *arg) { - struct sia_uris *sias = arg; + struct extension_uris *sias = arg; char const *so; so = uri_str(uri); @@ -1295,7 +1310,7 @@ handle_ski_ee(void *ext, void *arg) { ASN1_OCTET_STRING *ski = ext; struct ski_arguments *args = arg; - OCTET_STRING_t *sid; + OCTET_STRING_t const *sid; int error; error = validate_public_key_hash(args->cert, ski, "SKI"); @@ -1424,7 +1439,7 @@ static int handle_cdp(void *ext, void *arg) { STACK_OF(DIST_POINT) *crldp = ext; - struct sia_uris *sias = arg; + struct extension_uris *sias = arg; DIST_POINT *dp; GENERAL_NAMES *names; int i; @@ -1559,7 +1574,7 @@ handle_ad(int nid, struct ad_metadata const *meta, SIGNATURE_INFO_ACCESS *ia, static int handle_caIssuers(struct uri const *uri, void *arg) { - struct sia_uris *sias = arg; + struct extension_uris *sias = arg; if (!uri_is_rsync(uri)) { pr_val_debug("Ignoring non-rsync caIssuers '%s'.", uri_str(uri)); @@ -1586,7 +1601,7 @@ static int handle_sia_ca(void *ext, void *arg) { SIGNATURE_INFO_ACCESS *sia = ext; - struct sia_uris *uris = arg; + struct extension_uris *uris = arg; int error; /* rsync */ @@ -1661,6 +1676,36 @@ handle_cp(void *ext, void *arg) return 0; } +/* rfc6487#section-4.8.7 */ +static int +validate_aia(struct rpki_certificate *cert) +{ + if (!uri_equals(&cert->parent->map.url, &cert->uris.caIssuers)) + return pr_val_err("Certificate's caIssuers (%s) does not match parent certificate's URL (%s).", + uri_str(&cert->parent->map.url), + uri_str(&cert->uris.caIssuers)); + + return 0; +} + +static int +validate_cdp(struct rpki_certificate *cer) +{ + struct uri *crl_url = &cer->parent->rpp.crl.map->url; + + if (uri_str(&cer->uris.crldp) == NULL) + pr_crit("Certificate's CRL Distribution Point was not recorded."); + if (uri_str(crl_url) == NULL) + pr_crit("Manifest's CRL was not recorded."); + + if (!uri_equals(&cer->uris.crldp, crl_url)) { + return pr_val_err("Certificate's CRL Distribution Point ('%s') does not match manifest's CRL ('%s').", + uri_str(&cer->uris.crldp), uri_str(crl_url)); + } + + return 0; +} + /* Validates the certificate extensions, Trust Anchor style. */ static int validate_ta_extensions(struct rpki_certificate *cert) @@ -1671,9 +1716,9 @@ validate_ta_extensions(struct rpki_certificate *cert) { ext_ski(), true, handle_ski_ca, cert->x509 }, { ext_aki(), false, handle_aki_ta, cert->x509 }, { ext_ku(), true, handle_ku_ca, }, - { ext_sia(), true, handle_sia_ca, &cert->sias }, + { ext_sia(), true, handle_sia_ca, &cert->uris }, { ext_cp(), true, handle_cp, &cert->policy }, - /* These are handled by certificate_get_resources(). */ + /* These are handled by convert_resources(). */ { ext_ir(), false, }, { ext_ar(), false, }, { ext_ir2(), false, }, @@ -1700,11 +1745,11 @@ validate_ca_extensions(struct rpki_certificate *cert) { ext_ski(), true, handle_ski_ca, cert->x509 }, { ext_aki(), true, handle_aki, cert->parent->x509 }, { ext_ku(), true, handle_ku_ca, }, - { ext_cdp(), true, handle_cdp, &cert->sias }, - { ext_aia(), true, handle_aia, &cert->sias }, - { ext_sia(), true, handle_sia_ca, &cert->sias }, + { ext_cdp(), true, handle_cdp, &cert->uris }, + { ext_aia(), true, handle_aia, &cert->uris }, + { ext_sia(), true, handle_sia_ca, &cert->uris }, { ext_cp(), true, handle_cp, &cert->policy }, - /* These are handled by certificate_get_resources(). */ + /* These are handled by convert_resources(). */ { ext_ir(), false, }, { ext_ar(), false, }, { ext_ir2(), false, }, @@ -1716,15 +1761,20 @@ validate_ca_extensions(struct rpki_certificate *cert) error = handle_extensions(handlers, X509_get0_extensions(cert->x509)); if (error) return error; - error = certificate_validate_aia(cert); + error = validate_aia(cert); if (error) return error; - return validate_cdp(&cert->sias, &cert->parent->rpp.crl.map->url); + return validate_cdp(cert); } -int -certificate_validate_extensions_ee(struct rpki_certificate *cert, - OCTET_STRING_t *sid) +/* + * Validates the certificate extensions, End-Entity style. + * + * Also initializes the second argument with the references found in the + * extensions. + */ +static int +validate_extensions_ee(struct rpki_certificate *cert, OCTET_STRING_t const *sid) { struct ski_arguments ski_args; struct extension_handler handlers[] = { @@ -1732,9 +1782,9 @@ certificate_validate_extensions_ee(struct rpki_certificate *cert, { ext_ski(), true, handle_ski_ee, &ski_args }, { ext_aki(), true, handle_aki, cert->parent->x509 }, { ext_ku(), true, handle_ku_ee, }, - { ext_cdp(), true, handle_cdp, &cert->sias }, - { ext_aia(), true, handle_aia, &cert->sias }, - { ext_sia(), true, handle_sia_ee, &cert->sias }, + { ext_cdp(), true, handle_cdp, &cert->uris }, + { ext_aia(), true, handle_aia, &cert->uris }, + { ext_sia(), true, handle_sia_ee, &cert->uris }, { ext_cp(), true, handle_cp, &cert->policy }, { ext_ir(), false, }, { ext_ar(), false, }, @@ -1749,12 +1799,6 @@ certificate_validate_extensions_ee(struct rpki_certificate *cert, return handle_extensions(handlers, X509_get0_extensions(cert->x509)); } -int -certificate_validate_extensions_bgpsec(void) -{ - return 0; /* TODO (#58) */ -} - static bool has_bgpsec_router_eku(X509 *cert) { @@ -1784,7 +1828,7 @@ has_bgpsec_router_eku(X509 *cert) * certificate. */ static enum cert_type -get_certificate_type(struct rpki_certificate *cert) +get_cert_type(struct rpki_certificate *cert) { if (cert->parent == NULL) return CERTYPE_TA; @@ -1801,17 +1845,6 @@ get_certificate_type(struct rpki_certificate *cert) return CERTYPE_UNKNOWN; } -int -certificate_validate_aia(struct rpki_certificate *cert) -{ - if (!uri_equals(&cert->parent->map.url, &cert->sias.caIssuers)) - return pr_val_err("Certificate's caIssuers (%s) does not match parent certificate's URL (%s).", - uri_str(&cert->parent->map.url), - uri_str(&cert->sias.caIssuers)); - - return 0; -} - static unsigned int chain_length(struct rpki_certificate *cert) { @@ -1828,7 +1861,7 @@ init_resources(struct rpki_certificate *cert) cert->resources = resources_create(cert->policy, false); - error = certificate_get_resources(cert); + error = convert_resources(cert); if (error) return error; @@ -1837,7 +1870,7 @@ init_resources(struct rpki_certificate *cert) * "The INR extension(s) of this TA MUST contain a non-empty set of * number resources." * The "It MUST NOT use the "inherit" form of the INR extension(s)" - * part is already handled in certificate_get_resources(). + * part is already handled in convert_resources(). */ if (cert->type == CERTYPE_TA && resources_empty(cert->resources)) return pr_val_err("Trust Anchor certificate does not define any number resources."); @@ -1846,7 +1879,7 @@ init_resources(struct rpki_certificate *cert) } static int -certificate_validate(struct rpki_certificate *cert) +validate_certificate(struct rpki_certificate *cert) { int error; @@ -1855,14 +1888,14 @@ certificate_validate(struct rpki_certificate *cert) fnstack_push_map(&cert->map); - cert->x509 = certificate_load(cert->map.path); + cert->x509 = load_certificate(cert->map.path); if (!cert->x509) { error = EINVAL; goto end; } - cert->type = get_certificate_type(cert); + cert->type = get_cert_type(cert); - error = certificate_validate_chain(cert); + error = validate_chain(cert); if (error) goto end; @@ -1883,7 +1916,7 @@ certificate_validate(struct rpki_certificate *cert) goto end; } - error = certificate_validate_rfc6487(cert); + error = validate_rfc6487(cert); if (error) goto end; @@ -1900,7 +1933,7 @@ end: fnstack_pop(); } validation_verdict -certificate_traverse(struct rpki_certificate *ca) +cer_traverse(struct rpki_certificate *ca) { struct cache_cage *cage; struct cache_mapping mft; @@ -1910,30 +1943,30 @@ certificate_traverse(struct rpki_certificate *ca) validation_verdict vv; if (!ca->x509) { - if (certificate_validate(ca) != 0) + if (validate_certificate(ca) != 0) return VV_FAIL; if (ca->type != CERTYPE_TA && ca->type != CERTYPE_CA) return VV_CONTINUE; } /* else "we already did this, and returned VV_BUSY" */ - vv = cache_refresh_by_sias(&ca->sias, &cage); + vv = cache_refresh_by_uris(&ca->uris, &cage); if (vv == VV_BUSY) return VV_BUSY; if (vv == VV_FAIL) { pr_val_err("caRepository '%s' could not be refreshed, " "and there is no fallback in the cache. " "I'm going to have to skip it.", - uri_str(&ca->sias.caRepository)); + uri_str(&ca->uris.caRepository)); return VV_FAIL; } - mft.url = ca->sias.rpkiManifest; + mft.url = ca->uris.rpkiManifest; retry: mft.path = (char *)cage_map_file(cage, &mft.url); /* Will not edit */ if (!mft.path) { if (cage_disable_refresh(cage)) goto retry; pr_val_err("caRepository '%s' is missing a manifest.", - uri_str(&ca->sias.caRepository)); + uri_str(&ca->uris.caRepository)); vv = VV_FAIL; goto end; } @@ -1958,9 +1991,70 @@ retry: mft.path = (char *)cage_map_file(cage, &mft.url); /* Will not edit */ if (queued > 0) task_wakeup(); - cache_commit_rpp(cage_rpkiNotify(cage), &ca->sias.caRepository, + cache_commit_rpp(cage_rpkiNotify(cage), &ca->uris.caRepository, &ca->rpp); end: free(cage); return vv; } + +static int +validate_signedObject(struct extension_uris const *exts, struct uri const *url) +{ + if (uri_str(&exts->signedObject) == NULL) + pr_crit("Certificate's signedObject was not recorded."); + + if (!uri_equals(&exts->signedObject, url)) + return pr_val_err("Certificate's signedObject ('%s') does not match the URI of its own signed object (%s).", + uri_str(&exts->signedObject), uri_str(url)); + + return 0; +} + +/** + * Ensures the extension URIs of @ee match the actual URIs. + * + * @so_url: URL of the signed object that contains the EE certificate. + */ +static int +validate_ee_refs(struct rpki_certificate *ee, struct signed_object *so) +{ + int error; + + error = validate_cdp(ee); + if (error) + return error; + + return validate_signedObject(&ee->uris, &so->map->url); +} + +int +cer_validate_ee(struct rpki_certificate *ee, struct signed_object *so) +{ + int error; + + x509_name_pr_clutter("Issuer", X509_get_issuer_name(ee->x509)); + + error = validate_chain(ee); + if (error) + return error; + error = validate_rfc6487(ee); + if (error) + return error; + error = validate_extensions_ee(ee, so->sid); + if (error) + return error; + error = validate_aia(ee); + if (error) + return error; + error = validate_signature(ee->x509, &so->cinfo->content, so->signature); + if (error) + return error; + + resources_set_policy(ee->resources, ee->policy); + error = convert_resources(ee); + if (error) + return error; + + return validate_ee_refs(ee, so); +} diff --git a/src/object/certificate.h b/src/object/certificate.h index 514692b6..db3c704b 100644 --- a/src/object/certificate.h +++ b/src/object/certificate.h @@ -8,7 +8,6 @@ #include "asn1/asn1c/ANY.h" #include "asn1/asn1c/SignatureValue.h" #include "cache.h" -#include "certificate_refs.h" #include "resource.h" #include "types/rpp.h" @@ -26,9 +25,9 @@ struct rpki_certificate { X509 *x509; /* Initializes after dequeue */ enum cert_type type; - enum rpki_policy policy; /* XXX seems redundant */ + enum rpki_policy policy; struct resources *resources; - struct sia_uris sias; + struct extension_uris uris; struct tal *tal; /* Only needed by TAs for now */ struct rpki_certificate *parent; @@ -38,51 +37,13 @@ struct rpki_certificate { atomic_uint refcount; }; -void rpki_certificate_init_ee(struct rpki_certificate *, - struct rpki_certificate *, bool); -void rpki_certificate_cleanup(struct rpki_certificate *); -void rpki_certificate_free(struct rpki_certificate *); +void cer_init_ee(struct rpki_certificate *, struct rpki_certificate *, bool); +void cer_cleanup(struct rpki_certificate *); +void cer_free(struct rpki_certificate *); -/** - * Performs the basic (RFC 5280, presumably) chain validation. - * (Ignores the IP and AS extensions.) - */ -int certificate_validate_chain(struct rpki_certificate *); -/** - * Validates RFC 6487 compliance. - * (Except extensions.) - */ -int certificate_validate_rfc6487(struct rpki_certificate *); +validation_verdict cer_traverse(struct rpki_certificate *); -int certificate_validate_signature(X509 *, ANY_t *coded, SignatureValue_t *); - -/** - * Extracts the resources from cert->x509 into cert->resources. - * - * Note: One reason why this is separate from the validate_extensions functions - * is because it needs to be handled after the policy has been extracted from - * the certificate policies extension, and handle_extensions() currently does - * not care about order. I don't know if you'll find other reasons if you choose - * to migrate it. - */ -int certificate_get_resources(struct rpki_certificate *cert); - -/** - * Validates the certificate extensions, End-Entity style. - * - * Also initializes the second argument with the references found in the - * extensions. - */ -int certificate_validate_extensions_ee(struct rpki_certificate *, - OCTET_STRING_t *); -int certificate_validate_extensions_bgpsec(void); - -/* - * Specific validation of AIA (rfc6487#section-4.8.7) extension, public so that - * CAs and EEs can access it. - */ -int certificate_validate_aia(struct rpki_certificate *); - -validation_verdict certificate_traverse(struct rpki_certificate *); +struct signed_object; +int cer_validate_ee(struct rpki_certificate *, struct signed_object *); #endif /* SRC_OBJECT_CERTIFICATE_H_ */ diff --git a/src/object/ghostbusters.c b/src/object/ghostbusters.c index d9cffc85..900e66b7 100644 --- a/src/object/ghostbusters.c +++ b/src/object/ghostbusters.c @@ -8,10 +8,10 @@ #include "thread_var.h" static int -handle_vcard(struct signed_object *sobj) +handle_vcard(struct signed_object *so) { return handle_ghostbusters_vcard( - sobj->sdata->encapContentInfo.eContent + so->sdata->encapContentInfo.eContent ); } @@ -21,7 +21,7 @@ ghostbusters_traverse(struct cache_mapping *map, { static OID oid = OID_GHOSTBUSTERS; struct oid_arcs arcs = OID2ARCS("ghostbusters", oid); - struct signed_object sobj; + struct signed_object so; struct rpki_certificate ee; int error; @@ -29,24 +29,21 @@ ghostbusters_traverse(struct cache_mapping *map, fnstack_push_map(map); /* Decode */ - error = signed_object_decode(&sobj, map->path); + error = signed_object_decode(&so, map); if (error) goto end1; /* Prepare validation arguments */ - rpki_certificate_init_ee(&ee, parent, true); + cer_init_ee(&ee, parent, true); /* Validate everything */ - error = signed_object_validate(&sobj, &arcs, &ee); + error = signed_object_validate(&so, &ee, &arcs); if (error) goto end3; - error = handle_vcard(&sobj); - if (error) - goto end3; - error = refs_validate_ee(&ee.sias, &parent->rpp.crl.map->url, &map->url); + error = handle_vcard(&so); -end3: rpki_certificate_cleanup(&ee); - signed_object_cleanup(&sobj); +end3: cer_cleanup(&ee); + signed_object_cleanup(&so); end1: fnstack_pop(); return error; } diff --git a/src/object/manifest.c b/src/object/manifest.c index ef8ef05c..87fe274f 100644 --- a/src/object/manifest.c +++ b/src/object/manifest.c @@ -18,10 +18,10 @@ #include "types/uri.h" static int -decode_manifest(struct signed_object *sobj, struct Manifest **result) +decode_manifest(struct signed_object *so, struct Manifest **result) { return asn1_decode_octet_string( - sobj->sdata->encapContentInfo.eContent, + so->sdata->encapContentInfo.eContent, &asn_DEF_Manifest, (void **) result, true @@ -192,7 +192,7 @@ validate_manifest(struct Manifest *mft, struct cache_cage *cage, * I'm going with the signed object hash function, since it appears to * be the closest match. */ - error = validate_cms_hashing_algorithm_oid(&mft->fileHashAlg, + error = validate_cms_hash_algorithm_oid(&mft->fileHashAlg, "manifest file"); if (error) return error; @@ -411,7 +411,7 @@ manifest_traverse(struct cache_mapping const *map, struct cache_cage *cage, { static OID oid = OID_MANIFEST; struct oid_arcs arcs = OID2ARCS("manifest", oid); - struct signed_object sobj; + struct signed_object so; struct rpki_certificate ee; struct Manifest *mft; int error; @@ -420,10 +420,10 @@ manifest_traverse(struct cache_mapping const *map, struct cache_cage *cage, fnstack_push_map(map); /* Decode */ - error = signed_object_decode(&sobj, map->path); + error = signed_object_decode(&so, map); if (error) goto end1; - error = decode_manifest(&sobj, &mft); + error = decode_manifest(&so, &mft); if (error) goto end2; @@ -433,22 +433,19 @@ manifest_traverse(struct cache_mapping const *map, struct cache_cage *cage, goto end3; /* Prepare validation arguments */ - rpki_certificate_init_ee(&ee, parent, false); + cer_init_ee(&ee, parent, false); /* Validate everything */ - error = signed_object_validate(&sobj, &arcs, &ee); + error = signed_object_validate(&so, &ee, &arcs); if (error) goto end5; error = validate_manifest(mft, cage, &parent->rpp.mft); - if (error) - goto end5; - error = refs_validate_ee(&ee.sias, &parent->rpp.crl.map->url, &map->url); -end5: rpki_certificate_cleanup(&ee); +end5: cer_cleanup(&ee); if (error) rpp_cleanup(&parent->rpp); end3: ASN_STRUCT_FREE(asn_DEF_Manifest, mft); -end2: signed_object_cleanup(&sobj); +end2: signed_object_cleanup(&so); end1: fnstack_pop(); return error; } diff --git a/src/object/roa.c b/src/object/roa.c index 9907f426..1fcfe0f1 100644 --- a/src/object/roa.c +++ b/src/object/roa.c @@ -8,10 +8,10 @@ #include "validation_handler.h" static int -decode_roa(struct signed_object *sobj, struct RouteOriginAttestation **result) +decode_roa(struct signed_object *so, struct RouteOriginAttestation **result) { return asn1_decode_octet_string( - sobj->sdata->encapContentInfo.eContent, + so->sdata->encapContentInfo.eContent, &asn_DEF_RouteOriginAttestation, (void **) result, true @@ -207,7 +207,7 @@ roa_traverse(struct cache_mapping *map, struct rpki_certificate *parent) { static OID oid = OID_ROA; struct oid_arcs arcs = OID2ARCS("roa", oid); - struct signed_object sobj; + struct signed_object so; struct rpki_certificate ee; struct RouteOriginAttestation *roa; int error; @@ -216,28 +216,25 @@ roa_traverse(struct cache_mapping *map, struct rpki_certificate *parent) fnstack_push_map(map); /* Decode */ - error = signed_object_decode(&sobj, map->path); + error = signed_object_decode(&so, map); if (error) goto end1; - error = decode_roa(&sobj, &roa); + error = decode_roa(&so, &roa); if (error) goto end2; /* Prepare validation arguments */ - rpki_certificate_init_ee(&ee, parent, false); + cer_init_ee(&ee, parent, false); /* Validate and handle everything */ - error = signed_object_validate(&sobj, &arcs, &ee); + error = signed_object_validate(&so, &ee, &arcs); if (error) goto end4; error = __handle_roa(roa, ee.resources); - if (error) - goto end4; - error = refs_validate_ee(&ee.sias, &parent->rpp.crl.map->url, &map->url); -end4: rpki_certificate_cleanup(&ee); +end4: cer_cleanup(&ee); ASN_STRUCT_FREE(asn_DEF_RouteOriginAttestation, roa); -end2: signed_object_cleanup(&sobj); +end2: signed_object_cleanup(&so); end1: fnstack_pop(); return error; } diff --git a/src/object/signed_object.c b/src/object/signed_object.c index 8947a4e1..45008839 100644 --- a/src/object/signed_object.c +++ b/src/object/signed_object.c @@ -1,20 +1,23 @@ #include "object/signed_object.h" #include "asn1/content_info.h" +#include "asn1/signed_data.h" #include "log.h" int -signed_object_decode(struct signed_object *sobj, char const *path) +signed_object_decode(struct signed_object *so, struct cache_mapping const *map) { int error; - error = content_info_load(path, &sobj->cinfo); + so->map = map; + + error = content_info_load(map->path, &so->cinfo); if (error) return error; - error = signed_data_decode(&sobj->cinfo->content, &sobj->sdata); + error = signed_data_decode(&so->cinfo->content, &so->sdata); if (error) { - content_info_free(sobj->cinfo); + content_info_free(so->cinfo); return error; } @@ -67,30 +70,30 @@ validate_content_type(struct SignedData *sdata, struct oid_arcs const *oid) } int -signed_object_validate(struct signed_object *sobj, struct oid_arcs const *oid, - struct rpki_certificate *ee) +signed_object_validate(struct signed_object *so, struct rpki_certificate *ee, + struct oid_arcs const *oid) { int error; /* rfc6482#section-2 */ /* rfc6486#section-4.1 */ /* rfc6486#section-4.4.1 */ - error = validate_eContentType(sobj->sdata, oid); + error = validate_eContentType(so->sdata, oid); if (error) return error; /* rfc6482#section-2 */ /* rfc6486#section-4.3 */ - error = validate_content_type(sobj->sdata, oid); + error = validate_content_type(so->sdata, oid); if (error) return error; - return signed_data_validate(&sobj->cinfo->content, sobj->sdata, ee); + return signed_data_validate(so, ee); } void -signed_object_cleanup(struct signed_object *sobj) +signed_object_cleanup(struct signed_object *so) { - content_info_free(sobj->cinfo); - ASN_STRUCT_FREE(asn_DEF_SignedData, sobj->sdata); + content_info_free(so->cinfo); + ASN_STRUCT_FREE(asn_DEF_SignedData, so->sdata); } diff --git a/src/object/signed_object.h b/src/object/signed_object.h index 35670ab0..6d8657ce 100644 --- a/src/object/signed_object.h +++ b/src/object/signed_object.h @@ -2,17 +2,24 @@ #define SRC_OBJECT_SIGNED_OBJECT_H_ #include "asn1/asn1c/ContentInfo.h" +#include "asn1/asn1c/SignedData.h" #include "asn1/oid.h" -#include "asn1/signed_data.h" +#include "types/map.h" struct signed_object { + struct cache_mapping const *map; struct ContentInfo *cinfo; struct SignedData *sdata; + OCTET_STRING_t const *sid; + SignatureValue_t const *signature; }; -int signed_object_decode(struct signed_object *, char const *); -int signed_object_validate(struct signed_object *, struct oid_arcs const *, - struct rpki_certificate *); +int signed_object_decode(struct signed_object *, struct cache_mapping const *); + +struct rpki_certificate; +int signed_object_validate(struct signed_object *, struct rpki_certificate *, + struct oid_arcs const *); + void signed_object_cleanup(struct signed_object *); #endif /* SRC_OBJECT_SIGNED_OBJECT_H_ */ diff --git a/src/object/tal.c b/src/object/tal.c index 5d389c5a..9102bf1e 100644 --- a/src/object/tal.c +++ b/src/object/tal.c @@ -167,9 +167,9 @@ validate_ta(struct tal *tal, struct cache_mapping const *ta_map) ta->tal = tal; atomic_init(&ta->refcount, 1); - vv = certificate_traverse(ta); + vv = cer_traverse(ta); - rpki_certificate_free(ta); + cer_free(ta); return vv; } @@ -245,7 +245,7 @@ pick_up_work(void *arg) while ((task = task_dequeue(task)) != NULL) { switch (task->type) { case VTT_RPP: - if (certificate_traverse(task->u.ca) == VV_BUSY) { + if (cer_traverse(task->u.ca) == VV_BUSY) { task_requeue_dormant(task); task = NULL; } diff --git a/src/task.c b/src/task.c index db4d6549..33f5ae2e 100644 --- a/src/task.c +++ b/src/task.c @@ -28,7 +28,7 @@ task_free(struct validation_task *task) { switch (task->type) { case VTT_RPP: - rpki_certificate_free(task->u.ca); + cer_free(task->u.ca); break; case VTT_TAL: free(task->u.tal); diff --git a/src/types/map.h b/src/types/map.h index 0e95428e..4dac978c 100644 --- a/src/types/map.h +++ b/src/types/map.h @@ -3,10 +3,11 @@ #include "types/uri.h" -// XXX document this better struct cache_mapping { - struct uri url; /* Normalized */ - char *path; /* Normalized */ + /* Global identifier of a file */ + struct uri url; + /* Cache location where the file was (or will be) downloaded */ + char *path; }; char const *map_val_get_printable(struct cache_mapping const *); diff --git a/test/cache_test.c b/test/cache_test.c index 9c26703a..893960d3 100644 --- a/test/cache_test.c +++ b/test/cache_test.c @@ -109,7 +109,7 @@ static struct cache_cage * run_dl_rsync(char *caRepository, validation_verdict vv, unsigned int expected_calls) { - struct sia_uris sias = { 0 }; + struct extension_uris sias = { 0 }; struct cache_cage *cage; ck_assert_ptr_eq(NULL, uri_init(&sias.caRepository, caRepository)); @@ -118,7 +118,7 @@ run_dl_rsync(char *caRepository, validation_verdict vv, rsync_counter = 0; https_counter = 0; printf("---- Downloading... ----\n"); - ck_assert_str_eq(vv, cache_refresh_by_sias(&sias, &cage)); + ck_assert_str_eq(vv, cache_refresh_by_uris(&sias, &cage)); printf("---- Downloaded. ----\n"); ck_assert_uint_eq(expected_calls, rsync_counter); ck_assert_uint_eq(0, https_counter); @@ -801,7 +801,7 @@ START_TEST(test_context) char *FILE_RRDP_PATH = "rrdp/0/0"; char *FILE_RSYNC_PATH = "rsync/0/rpp3/a.cer"; - struct sia_uris sias = { 0 }; + struct extension_uris sias = { 0 }; struct uri file_url; struct cache_cage *cage; struct rpp rpp = { 0 }; @@ -823,7 +823,7 @@ START_TEST(test_context) print_tree(); ck_assert_ptr_eq(NULL, uri_init(&sias.rpkiNotify, RPKI_NOTIFY)); ck_assert_ptr_eq(NULL, uri_init(&sias.caRepository, CA_REPOSITORY)); - ck_assert_str_eq(VV_CONTINUE, cache_refresh_by_sias(&sias, &cage)); + ck_assert_str_eq(VV_CONTINUE, cache_refresh_by_uris(&sias, &cage)); ck_assert_str_eq(RPKI_NOTIFY, uri_str(&cage->rpkiNotify)); ck_assert_str_eq(FILE_RRDP_PATH, cage_map_file(cage, &file_url)); ck_assert_int_eq(false, cage_disable_refresh(cage)); @@ -834,9 +834,9 @@ START_TEST(test_context) print_tree(); uri_cleanup(&sias.rpkiNotify); - ck_assert_str_eq(VV_BUSY, cache_refresh_by_sias(&sias, &cage)); + ck_assert_str_eq(VV_BUSY, cache_refresh_by_uris(&sias, &cage)); finish_rsync(); - ck_assert_str_eq(VV_CONTINUE, cache_refresh_by_sias(&sias, &cage)); + ck_assert_str_eq(VV_CONTINUE, cache_refresh_by_uris(&sias, &cage)); ck_assert_ptr_eq(NULL, uri_str(&cage->rpkiNotify)); ck_assert_str_eq(FILE_RSYNC_PATH, cage_map_file(cage, &file_url)); @@ -864,14 +864,14 @@ START_TEST(test_context) printf("4. Redo both CAs, check the fallbacks too\n"); print_tree(); - ck_assert_str_eq(VV_CONTINUE, cache_refresh_by_sias(&sias, &cage)); + ck_assert_str_eq(VV_CONTINUE, cache_refresh_by_uris(&sias, &cage)); ck_assert_ptr_eq(NULL, uri_str(&cage->rpkiNotify)); ck_assert_str_eq(FILE_RSYNC_PATH, cage_map_file(cage, &file_url)); ck_assert_int_eq(true, cage_disable_refresh(cage)); ck_assert_str_eq("fallback/1/0", cage_map_file(cage, &file_url)); ck_assert_ptr_eq(NULL, uri_init(&sias.rpkiNotify, RPKI_NOTIFY)); - ck_assert_str_eq(VV_CONTINUE, cache_refresh_by_sias(&sias, &cage)); + ck_assert_str_eq(VV_CONTINUE, cache_refresh_by_uris(&sias, &cage)); ck_assert_str_eq(RPKI_NOTIFY, uri_str(&cage->rpkiNotify)); ck_assert_str_eq(FILE_RRDP_PATH, cage_map_file(cage, &file_url)); ck_assert_int_eq(true, cage_disable_refresh(cage)); diff --git a/test/task_test.c b/test/task_test.c index 136a4220..2e53e2f5 100644 --- a/test/task_test.c +++ b/test/task_test.c @@ -10,7 +10,7 @@ #include "types/uri.c" void -rpki_certificate_free(struct rpki_certificate *cert) +cer_free(struct rpki_certificate *cert) { if (atomic_fetch_sub(&cert->refcount, 1) == 1) { map_cleanup(&cert->map);