]> git.ipfire.org Git - thirdparty/FORT-validator.git/commitdiff
General pre-release review and testing
authorAlberto Leiva Popper <ydahhrk@gmail.com>
Tue, 14 May 2024 23:51:59 +0000 (17:51 -0600)
committerAlberto Leiva Popper <ydahhrk@gmail.com>
Tue, 14 May 2024 23:51:59 +0000 (17:51 -0600)
- Employ libssl's OID parsing rather than implement it from scratch.
- Rename `struct signed_object_args` to `struct ee_cert`, since it's
  just a bunch of EE certificate data.
- Remove `struct signed_data`, because it wasn't actually contributing
  anything.

15 files changed:
src/asn1/asn1c/CMSAttribute.c
src/asn1/asn1c/ContentInfo.c
src/asn1/asn1c/EncapsulatedContentInfo.c
src/asn1/asn1c/OBJECT_IDENTIFIER.c
src/asn1/asn1c/OBJECT_IDENTIFIER.h
src/asn1/signed_data.c
src/asn1/signed_data.h
src/nid.c
src/nid.h
src/object/certificate.c
src/object/ghostbusters.c
src/object/manifest.c
src/object/roa.c
src/object/signed_object.c
src/object/signed_object.h

index 3b4b7223a40863d3b1bf74205d2a6890f23b2050..5a21ca1cdcdfd9092fad146e7c74547c23b8a695 100644 (file)
@@ -7,6 +7,7 @@
 
 #include "asn1/asn1c/CMSAttribute.h"
 
+#include <openssl/objects.h>
 #include "json_util.h"
 #include "asn1/asn1c/ContentType.h"
 #include "asn1/asn1c/MessageDigest.h"
@@ -50,14 +51,20 @@ CMSAttribute_encode_json(const asn_TYPE_descriptor_t *td, const void *sptr)
        if (json_object_add(root, "attrValues", array = json_array_new()))
                goto fail;
 
-       if (OBJECT_IDENTIFIER_is_ContentType(&cattr->attrType))
+       switch (OBJECT_IDENTIFIER_to_nid(&cattr->attrType)) {
+       case NID_pkcs9_contentType:
                td = &asn_DEF_ContentType;
-       else if (OBJECT_IDENTIFIER_is_MessageDigest(&cattr->attrType))
+               break;
+       case NID_pkcs9_messageDigest:
                td = &asn_DEF_MessageDigest;
-       else if (OBJECT_IDENTIFIER_is_SigningTime(&cattr->attrType))
+               break;
+       case NID_pkcs9_signingTime:
                td = &asn_DEF_SigningTime;
-       else
+               break;
+       default:
                td = &asn_DEF_ANY;
+               break;
+       }
 
        for (a = 0; a < cattr->attrValues.list.count; a++) {
                tmp = attr2json(td, cattr->attrValues.list.array[a]);
index fbc05a30723bd5a86ef35c43428f8eacfe7a54fc..bb3faf353f3d52f4dcd8fcb035389f792d1fc7c6 100644 (file)
@@ -7,6 +7,7 @@
 
 #include "asn1/asn1c/ContentInfo.h"
 
+#include <openssl/objects.h>
 #include "json_util.h"
 #include "asn1/asn1c/SignedData.h"
 
@@ -45,7 +46,7 @@ ContentInfo_encode_json(const asn_TYPE_descriptor_t *td, const void *sptr)
        if (json_object_add(parent, "contentType", child))
                goto fail;
 
-       if (OBJECT_IDENTIFIER_is_SignedData(&ci->contentType)) {
+       if (OBJECT_IDENTIFIER_to_nid(&ci->contentType) == NID_pkcs7_signed) {
                td = &asn_DEF_SignedData;
                child = content2json(td, &ci->content);
        } else {
index 2bec85014e25951bbfb2d7ccd5df5307e52fdf14..3c55149824e55f4ed632a2e3ee3409d6fd79c69d 100644 (file)
@@ -7,6 +7,7 @@
 
 #include "asn1/asn1c/EncapsulatedContentInfo.h"
 
+#include "nid.h"
 #include "json_util.h"
 #include "asn1/asn1c/Manifest.h"
 #include "asn1/asn1c/RouteOriginAttestation.h"
@@ -34,6 +35,7 @@ EncapsulatedContentInfo_encode_json(const asn_TYPE_descriptor_t *td,
        struct EncapsulatedContentInfo const *eci = sptr;
        json_t *parent;
        json_t *child;
+       int nid;
 
        if (!eci)
                return json_null();
@@ -47,19 +49,21 @@ EncapsulatedContentInfo_encode_json(const asn_TYPE_descriptor_t *td,
        if (json_object_add(parent, "eContentType", child))
                goto fail;
 
-       if (OBJECT_IDENTIFIER_is_mft(&eci->eContentType)) {
+       nid = OBJECT_IDENTIFIER_to_nid(&eci->eContentType);
+       if (nid == nid_ct_mft()) {
                td = &asn_DEF_Manifest;
                child = econtent2json(td, eci->eContent);
-       } else if (OBJECT_IDENTIFIER_is_roa(&eci->eContentType)) {
+       } else if (nid == nid_ct_roa()) {
                td = &asn_DEF_RouteOriginAttestation;
                child = econtent2json(td, eci->eContent);
-       } else if (OBJECT_IDENTIFIER_is_gbr(&eci->eContentType)) {
+       } else if (nid == nid_ct_gbr()) {
                td = &asn_DEF_OCTET_STRING;
                child = OCTET_STRING_encode_json_utf8(td, eci->eContent);
        } else {
                td = &asn_DEF_OCTET_STRING;
                child = td->op->json_encoder(td, eci->eContent);
        }
+
        if (json_object_add(parent, "eContent", child))
                goto fail;
 
index b805f450a1e20072094d924d02e498cc3c9f9a46..f5df8df45436a9fe0efed572ef7bb9f6b0ea0270 100644 (file)
@@ -8,6 +8,7 @@
 
 #include <assert.h>
 #include <errno.h>
+#include <openssl/objects.h>
 
 #include "json_util.h"
 #include "asn1/asn1c/INTEGER.h"
@@ -219,6 +220,22 @@ struct string_buffer {
        size_t len;
 };
 
+int
+OBJECT_IDENTIFIER_to_nid(OBJECT_IDENTIFIER_t const *oid)
+{
+       ASN1_OBJECT *ao;
+       int result;
+
+       ao = ASN1_OBJECT_create(NID_undef, oid->buf, oid->size, NULL, NULL);
+       if (ao == NULL)
+               return NID_undef;
+
+       result = OBJ_obj2nid(ao);
+
+       ASN1_OBJECT_free(ao);
+       return result;
+}
+
 static int
 bytes2str(const void *addend, size_t addlen, void *arg)
 {
@@ -250,42 +267,20 @@ OBJECT_IDENTIFIER_to_literal(OBJECT_IDENTIFIER_t const *oid, char *buf)
 char const *
 OBJECT_IDENTIFIER_to_string(OBJECT_IDENTIFIER_t const *oid, char *buf)
 {
-//     printf("\n===========================\n");
-//     for (ret = 0; ret < st->size; ret++)
-//             printf("%u ", st->buf[ret]);
-//     printf("\n===========================\n");
+       char const *sn;
 
        if (!oid || !oid->buf)
                return NULL;
-       if (OBJECT_IDENTIFIER_is_rsaEncryption(oid))
-               return "rsaEncryption";
-       if (OBJECT_IDENTIFIER_is_sha256WithRSAEncryption(oid))
-               return "sha256WithRSAEncryption";
-       if (OBJECT_IDENTIFIER_is_SignedData(oid))
-               return "signedData";
-       if (OBJECT_IDENTIFIER_is_ContentType(oid))
-               return "Content-Type";
-       if (OBJECT_IDENTIFIER_is_MessageDigest(oid))
-               return "Message-Digest";
-       if (OBJECT_IDENTIFIER_is_SigningTime(oid))
-               return "Signing-Time";
-       if (OBJECT_IDENTIFIER_is_roa(oid))
-               return "ROA";
-       if (OBJECT_IDENTIFIER_is_mft(oid))
-               return "Manifest";
-       if (OBJECT_IDENTIFIER_is_gbr(oid))
-               return "Ghostbusters";
-       if (OBJECT_IDENTIFIER_is_sha256(oid))
-               return "sha256";
-
-       return OBJECT_IDENTIFIER_to_literal(oid, buf);
+
+       sn = OBJ_nid2sn(OBJECT_IDENTIFIER_to_nid(oid));
+       return (sn != NULL) ? sn : OBJECT_IDENTIFIER_to_literal(oid, buf);
 }
 
 json_t *
 OBJECT_IDENTIFIER_encode_json(const struct asn_TYPE_descriptor_s *td,
     const void *sptr)
 {
-       const OBJECT_IDENTIFIER_t *oid = (const OBJECT_IDENTIFIER_t *)sptr;
+       const OBJECT_IDENTIFIER_t *oid = sptr;
        char buf[OID_STR_MAXLEN];
        char const *string;
 
@@ -591,98 +586,3 @@ OBJECT_IDENTIFIER_parse_arcs(const char *oid_text, ssize_t oid_txt_length,
        errno = EINVAL; /* Broken OID */
        return -1;
 }
-
-static bool
-is_raw(OBJECT_IDENTIFIER_t const *oid, unsigned char const *raw, size_t size)
-{
-       return (oid->size == size) && memcmp(oid->buf, raw, size) == 0;
-}
-
-/* FIXME ber_decode_primitive() */
-bool
-OBJECT_IDENTIFIER_is_rsaEncryption(OBJECT_IDENTIFIER_t const *oid)
-{
-       static const unsigned char RAW[] = {
-           42, 134, 72, 134, 247, 13, 1, 1, 1
-       };
-       return is_raw(oid, RAW, sizeof(RAW));
-}
-
-bool
-OBJECT_IDENTIFIER_is_sha256WithRSAEncryption(OBJECT_IDENTIFIER_t const *oid)
-{
-       static const unsigned char RAW[] = {
-           42, 134, 72, 134, 247, 13, 1, 1, 11
-       };
-       return is_raw(oid, RAW, sizeof(RAW));
-}
-
-bool
-OBJECT_IDENTIFIER_is_SignedData(OBJECT_IDENTIFIER_t const *oid)
-{
-       static const unsigned char RAW[] = {
-           42, 134, 72, 134, 247, 13, 1, 7, 2
-       };
-       return is_raw(oid, RAW, sizeof(RAW));
-}
-
-bool
-OBJECT_IDENTIFIER_is_ContentType(OBJECT_IDENTIFIER_t const *oid)
-{
-       static const unsigned char RAW[] = {
-           42, 134, 72, 134, 247, 13, 1, 9, 3
-       };
-       return is_raw(oid, RAW, sizeof(RAW));
-}
-
-bool
-OBJECT_IDENTIFIER_is_MessageDigest(OBJECT_IDENTIFIER_t const *oid)
-{
-       static const unsigned char RAW[] = {
-           42, 134, 72, 134, 247, 13, 1, 9, 4
-       };
-       return is_raw(oid, RAW, sizeof(RAW));
-}
-
-bool
-OBJECT_IDENTIFIER_is_SigningTime(OBJECT_IDENTIFIER_t const *oid)
-{
-       static const unsigned char RAW[] = {
-           42, 134, 72, 134, 247, 13, 1, 9, 5
-       };
-       return is_raw(oid, RAW, sizeof(RAW));
-}
-
-bool
-OBJECT_IDENTIFIER_is_roa(OBJECT_IDENTIFIER_t const *oid)
-{
-       static const unsigned char RAW[] = {
-           42, 134, 72, 134, 247, 13, 1, 9, 16, 1, 24
-       };
-       return is_raw(oid, RAW, sizeof(RAW));
-}
-
-bool
-OBJECT_IDENTIFIER_is_mft(OBJECT_IDENTIFIER_t const *oid)
-{
-       static const unsigned char RAW[] = {
-           42, 134, 72, 134, 247, 13, 1, 9, 16, 1, 26
-       };
-       return is_raw(oid, RAW, sizeof(RAW));
-}
-
-bool
-OBJECT_IDENTIFIER_is_gbr(OBJECT_IDENTIFIER_t const *oid)
-{
-       static const unsigned char RAW[] = {
-           42, 134, 72, 134, 247, 13, 1, 9, 16, 1, 35
-       };
-       return is_raw(oid, RAW, sizeof(RAW));
-}
-
-bool
-OBJECT_IDENTIFIER_is_sha256(OBJECT_IDENTIFIER_t const *oid)
-{
-       static const unsigned char RAW[] = { 96, 134, 72, 1, 101, 3, 4, 2, 1 };
-       return is_raw(oid, RAW, sizeof(RAW));
-}
index 00acb6e10374cb096005fcb129eccf5af92dc0f0..461e96324b7e833d09f3fc9f0e1d8d26e182ceea 100644 (file)
@@ -33,6 +33,8 @@ xer_type_encoder_f OBJECT_IDENTIFIER_encode_xer;
  * Some handy conversion routines *
  **********************************/
 
+int OBJECT_IDENTIFIER_to_nid(OBJECT_IDENTIFIER_t const *);
+
 #define OID_STR_MAXLEN 64 /* Null char included */
 char const *OBJECT_IDENTIFIER_to_string(OBJECT_IDENTIFIER_t const *, char *);
 
@@ -142,15 +144,4 @@ ssize_t OBJECT_IDENTIFIER_get_single_arc(const uint8_t *arcbuf,
 ssize_t OBJECT_IDENTIFIER_set_single_arc(uint8_t *arcbuf, size_t arcbuf_len,
                                          asn_oid_arc_t arc_value);
 
-bool OBJECT_IDENTIFIER_is_rsaEncryption(OBJECT_IDENTIFIER_t const *oid);
-bool OBJECT_IDENTIFIER_is_sha256WithRSAEncryption(OBJECT_IDENTIFIER_t const *oid);
-bool OBJECT_IDENTIFIER_is_SignedData(OBJECT_IDENTIFIER_t const *oid);
-bool OBJECT_IDENTIFIER_is_ContentType(OBJECT_IDENTIFIER_t const *oid);
-bool OBJECT_IDENTIFIER_is_MessageDigest(OBJECT_IDENTIFIER_t const *oid);
-bool OBJECT_IDENTIFIER_is_SigningTime(OBJECT_IDENTIFIER_t const *oid);
-bool OBJECT_IDENTIFIER_is_roa(OBJECT_IDENTIFIER_t const *oid);
-bool OBJECT_IDENTIFIER_is_mft(OBJECT_IDENTIFIER_t const *oid);
-bool OBJECT_IDENTIFIER_is_gbr(OBJECT_IDENTIFIER_t const *oid);
-bool OBJECT_IDENTIFIER_is_sha256(OBJECT_IDENTIFIER_t const *oid);
-
 #endif /* _OBJECT_IDENTIFIER_H_ */
index 301ae23de095f133a42e955953a809c95cea3b0c..0fbaf89bae7abe6b14552e778ee9f30228cc7dc4 100644 (file)
@@ -20,22 +20,18 @@ static const OID oid_sta = OID_SIGNING_TIME_ATTR;
 static const OID oid_bsta = OID_BINARY_SIGNING_TIME_ATTR;
 
 void
-signed_object_args_init(struct signed_object_args *args,
-    struct rpki_uri *uri,
-    STACK_OF(X509_CRL) *crls,
-    bool force_inherit)
+eecert_init(struct ee_cert *ee, STACK_OF(X509_CRL) *crls, bool force_inherit)
 {
-       args->res = resources_create(RPKI_POLICY_RFC6484, force_inherit);
-       args->uri = uri;
-       args->crls = crls;
-       memset(&args->refs, 0, sizeof(args->refs));
+       ee->res = resources_create(RPKI_POLICY_RFC6484, force_inherit);
+       ee->crls = crls;
+       memset(&ee->refs, 0, sizeof(ee->refs));
 }
 
 void
-signed_object_args_cleanup(struct signed_object_args *args)
+eecert_cleanup(struct ee_cert *ee)
 {
-       resources_destroy(args->res);
-       refs_cleanup(&args->refs);
+       resources_destroy(ee->res);
+       refs_cleanup(&ee->refs);
 }
 
 static int
@@ -55,7 +51,7 @@ get_sid(struct SignerInfo *sinfo, OCTET_STRING_t **result)
 }
 
 static int
-handle_sdata_certificate(ANY_t *cert_encoded, struct signed_object_args *args,
+handle_sdata_certificate(ANY_t *cert_encoded, struct ee_cert *ee,
     OCTET_STRING_t *sid, ANY_t *signedData, SignatureValue_t *signature)
 {
        const unsigned char *otmp, *tmp;
@@ -91,25 +87,25 @@ handle_sdata_certificate(ANY_t *cert_encoded, struct signed_object_args *args,
 
        x509_name_pr_debug("Issuer", X509_get_issuer_name(cert));
 
-       error = certificate_validate_chain(cert, args->crls);
+       error = certificate_validate_chain(cert, ee->crls);
        if (error)
                goto end2;
        error = certificate_validate_rfc6487(cert, CERTYPE_EE);
        if (error)
                goto end2;
-       error = certificate_validate_extensions_ee(cert, sid, &args->refs,
+       error = certificate_validate_extensions_ee(cert, sid, &ee->refs,
            &policy);
        if (error)
                goto end2;
-       error = certificate_validate_aia(args->refs.caIssuers, cert);
+       error = certificate_validate_aia(ee->refs.caIssuers, cert);
        if (error)
                goto end2;
        error = certificate_validate_signature(cert, signedData, signature);
        if (error)
                goto end2;
 
-       resources_set_policy(args->res, policy);
-       error = certificate_get_resources(cert, args->res, CERTYPE_EE);
+       resources_set_policy(ee->res, policy);
+       error = certificate_get_resources(cert, ee->res, CERTYPE_EE);
        if (error)
                goto end2;
 
@@ -259,9 +255,9 @@ illegal_attrType:
        return -EINVAL;
 }
 
-static int
-validate(struct SignedData *sdata, ANY_t *sdata_encoded,
-    struct signed_object_args *args)
+int
+signed_data_validate(ANY_t *encoded, struct SignedData *sdata,
+                    struct ee_cert *ee)
 {
        struct SignerInfo *sinfo;
        OCTET_STRING_t *sid = NULL;
@@ -387,7 +383,7 @@ validate(struct SignedData *sdata, ANY_t *sdata_encoded,
        }
 
        error = handle_sdata_certificate(sdata->certificates->list.array[0],
-           args, sid, sdata_encoded, &sinfo->signature);
+           ee, sid, encoded, &sinfo->signature);
        if (error)
                return error;
 
@@ -446,38 +442,20 @@ release_sdata:
 }
 
 int
-signed_data_decode(struct signed_data *sdata, ANY_t *coded)
+signed_data_decode(ANY_t *encoded, struct SignedData **decoded)
 {
        int error;
 
-       sdata->encoded = coded;
-
-       error = asn1_decode_any(coded, &asn_DEF_SignedData,
-           (void **) &sdata->decoded, false, false);
+       error = asn1_decode_any(encoded, &asn_DEF_SignedData,
+           (void **) decoded, false, false);
        if (error) {
                /* Try to decode as PKCS content (RFC 5652 section 5.2.1) */
-               error = signed_data_decode_pkcs7(coded, &sdata->decoded);
+               error = signed_data_decode_pkcs7(encoded, decoded);
        }
 
        return error;
 }
 
-int
-signed_data_validate(struct signed_data *sdata, struct signed_object_args *args)
-{
-       /*
-        * TODO (fine) maybe collapse this wrapper,
-        * since there's no point to it anymore.
-        */
-       return validate(sdata->decoded, sdata->encoded, args);
-}
-
-void
-signed_data_cleanup(struct signed_data *sdata)
-{
-       ASN_STRUCT_FREE(asn_DEF_SignedData, sdata->decoded);
-}
-
 /* Caller must free *@result. */
 int
 get_content_type_attr(struct SignedData *sdata, OBJECT_IDENTIFIER_t **result)
index 0504cd9ed1a1fc2d5bcf6ea67adc03b976226899..9bf4107294748d16e5d25a4f0e4ff2c67d2ed445 100644 (file)
@@ -7,37 +7,23 @@
 #include "asn1/asn1c/SignedData.h"
 #include "object/certificate.h"
 
-/*
- * This only exists to reduce argument lists.
- * TODO (fine) rename to signed_data_args, since it has nothing to do with
- * signed objects anymore.
- */
-struct signed_object_args {
-       /** Location of the signed object. */
-       struct rpki_uri *uri;
-       /** CRL that might or might not revoke the embedded certificate. */
+struct ee_cert {
+       /** CRL that might or might not revoke the EE certificate. */
        STACK_OF(X509_CRL) *crls;
-       /** A copy of the resources carried by the embedded certificate. */
+       /** A copy of the resources carried by the EE certificate. */
        struct resources *res;
        /**
-        * A bunch of URLs found in the embedded certificate's extensions,
+        * A bunch of URLs found in the EE certificate's extensions,
         * recorded for future validation.
         */
        struct certificate_refs refs;
 };
 
-void signed_object_args_init(struct signed_object_args *, struct rpki_uri *,
-    STACK_OF(X509_CRL) *, bool);
-void signed_object_args_cleanup(struct signed_object_args *);
+void eecert_init(struct ee_cert *, STACK_OF(X509_CRL) *, bool);
+void eecert_cleanup(struct ee_cert *);
 
-struct signed_data {
-       ANY_t *encoded;
-       struct SignedData *decoded;
-};
-
-int signed_data_decode(struct signed_data *, ANY_t *);
-int signed_data_validate(struct signed_data *, struct signed_object_args *);
-void signed_data_cleanup(struct signed_data *);
+int signed_data_decode(ANY_t *, struct SignedData **);
+int signed_data_validate(ANY_t *, struct SignedData *, struct ee_cert *);
 
 int get_content_type_attr(struct SignedData *, OBJECT_IDENTIFIER_t **);
 
index 4fc380f8a8f568241c244d3c7541a71bfd4571b6..74816d8c8f970786b459951cb19eacd2baece3d2 100644 (file)
--- a/src/nid.c
+++ b/src/nid.c
@@ -5,6 +5,9 @@
 
 #include "log.h"
 
+static int ct_roa_nid;
+static int ct_mft_nid;
+static int ct_gbr_nid;
 static int rpki_manifest_nid;
 static int signed_object_nid;
 static int rpki_notify_nid;
@@ -43,6 +46,24 @@ register_oid(const char *oid, const char *sn, const char *ln)
 int
 nid_init(void)
 {
+       ct_roa_nid = register_oid("1.2.840.113549.1.9.16.1.24",
+           "id-ct-routeOriginAuthz",
+           "RPKI ROA (Content type)");
+       if (ct_roa_nid == 0)
+               return -EINVAL;
+
+       ct_mft_nid = register_oid("1.2.840.113549.1.9.16.1.26",
+           "id-ct-rpkiManifest",
+           "RPKI Manifest (Content type)");
+       if (ct_mft_nid == 0)
+               return -EINVAL;
+
+       ct_gbr_nid = register_oid("1.2.840.113549.1.9.16.1.35",
+           "id-ct-rpkiGhostbusters",
+           "RPKI Ghostbusters (Content type)");
+       if (ct_gbr_nid == 0)
+               return -EINVAL;
+
        rpki_manifest_nid = register_oid("1.3.6.1.5.5.7.48.10",
            "rpkiManifest",
            "RPKI Manifest (RFC 6487)");
@@ -100,42 +121,68 @@ nid_destroy(void)
        OBJ_cleanup();
 }
 
-int nid_rpkiManifest(void)
+int
+nid_ct_roa(void)
+{
+       return ct_roa_nid;
+}
+
+int
+nid_ct_mft(void)
+{
+       return ct_mft_nid;
+}
+
+int
+nid_ct_gbr(void)
+{
+       return ct_gbr_nid;
+}
+
+int
+nid_ad_mft(void)
 {
        return rpki_manifest_nid;
 }
 
-int nid_signedObject(void)
+int
+nid_ad_so(void)
 {
        return signed_object_nid;
 }
 
-int nid_rpkiNotify(void)
+int
+nid_ad_notify(void)
 {
        return rpki_notify_nid;
 }
 
-int nid_certPolicyRpki(void)
+int
+nid_certPolicyRpki(void)
 {
        return cert_policy_rpki_nid;
 }
 
-int nid_certPolicyRpkiV2(void)
+int
+nid_certPolicyRpkiV2(void)
 {
        return cert_policy_rpki_v2_nid;
 }
 
-int nid_ipAddrBlocksv2(void)
+int
+nid_ipAddrBlocksv2(void)
 {
        return ip_addr_blocks_v2_nid;
 }
 
-int nid_autonomousSysIdsv2(void)
+int
+nid_autonomousSysIdsv2(void)
 {
        return autonomous_sys_ids_v2_nid;
 }
 
-int nid_bgpsecRouter(void)
+int
+nid_bgpsecRouter(void)
 {
        return bgpsec_router_nid;
 }
index 3d0f643d80ab57783e2df10f255e79f27b4cdda1..f1d87a0507ce7be87814a1a449a3a5b90cbe8183 100644 (file)
--- a/src/nid.h
+++ b/src/nid.h
@@ -4,9 +4,12 @@
 int nid_init(void);
 void nid_destroy(void);
 
-int nid_rpkiManifest(void);
-int nid_signedObject(void);
-int nid_rpkiNotify(void);
+int nid_ct_roa(void);
+int nid_ct_mft(void);
+int nid_ct_gbr(void);
+int nid_ad_mft(void);
+int nid_ad_so(void);
+int nid_ad_notify(void);
 int nid_certPolicyRpki(void);
 int nid_certPolicyRpkiV2(void);
 int nid_ipAddrBlocksv2(void);
index 360b7e4ebb54c00595c2e0ba393beb3971bd9c90..67c328a22c139ba7117eab291879476cf7295fab 100644 (file)
@@ -1641,13 +1641,13 @@ handle_sia_ca(X509_EXTENSION *ext, void *arg)
                goto end;
 
        /* RRDP */
-       error = handle_ad(nid_rpkiNotify(), &RPKI_NOTIFY, sia,
+       error = handle_ad(nid_ad_notify(), &RPKI_NOTIFY, sia,
            handle_rpkiNotify, uris);
        if (error)
                goto end;
 
        /* Manifest */
-       error = handle_ad(nid_rpkiManifest(), &RPKI_MANIFEST, sia,
+       error = handle_ad(nid_ad_mft(), &RPKI_MANIFEST, sia,
            handle_rpkiManifest, uris);
 
 end:
@@ -1665,7 +1665,7 @@ handle_sia_ee(X509_EXTENSION *ext, void *arg)
        if (sia == NULL)
                return cannot_decode(ext_sia());
 
-       error = handle_ad(nid_signedObject(), &SIGNED_OBJECT, sia,
+       error = handle_ad(nid_ad_so(), &SIGNED_OBJECT, sia,
            handle_signedObject, arg);
 
        AUTHORITY_INFO_ACCESS_free(sia);
index 797e28991db85f48f4e380e8065149f91b59b127..19a1b1b63337506e3063d058d76c65b19c38d882 100644 (file)
@@ -10,7 +10,7 @@ static int
 handle_vcard(struct signed_object *sobj)
 {
        return handle_ghostbusters_vcard(
-               sobj->sdata.decoded->encapContentInfo.eContent
+               sobj->sdata->encapContentInfo.eContent
        );
 }
 
@@ -20,7 +20,7 @@ ghostbusters_traverse(struct rpki_uri *uri, struct rpp *pp)
        static OID oid = OID_GHOSTBUSTERS;
        struct oid_arcs arcs = OID2ARCS("ghostbusters", oid);
        struct signed_object sobj;
-       struct signed_object_args sobj_args;
+       struct ee_cert ee;
        STACK_OF(X509_CRL) *crl;
        int error;
 
@@ -37,19 +37,19 @@ ghostbusters_traverse(struct rpki_uri *uri, struct rpp *pp)
        error = rpp_crl(pp, &crl);
        if (error)
                goto revert_sobj;
-       signed_object_args_init(&sobj_args, uri, crl, true);
+       eecert_init(&ee, crl, true);
 
        /* Validate everything */
-       error = signed_object_validate(&sobj, &arcs, &sobj_args);
+       error = signed_object_validate(&sobj, &arcs, &ee);
        if (error)
                goto revert_args;
        error = handle_vcard(&sobj);
        if (error)
                goto revert_args;
-       error = refs_validate_ee(&sobj_args.refs, pp, sobj_args.uri);
+       error = refs_validate_ee(&ee.refs, pp, uri);
 
 revert_args:
-       signed_object_args_cleanup(&sobj_args);
+       eecert_cleanup(&ee);
 revert_sobj:
        signed_object_cleanup(&sobj);
 revert_log:
index 3d1739d89002e518855bd32cb63b0cc7d4aea2c0..9d42dc72bb6a9d41c492ae5bcdb2afe7af4edd31 100644 (file)
@@ -32,7 +32,7 @@ static int
 decode_manifest(struct signed_object *sobj, struct Manifest **result)
 {
        return asn1_decode_octet_string(
-               sobj->sdata.decoded->encapContentInfo.eContent,
+               sobj->sdata->encapContentInfo.eContent,
                &asn_DEF_Manifest,
                (void **) result,
                true,
@@ -274,7 +274,7 @@ handle_manifest(struct rpki_uri *uri, struct rpki_uri *notif, struct rpp **pp)
        static OID oid = OID_MANIFEST;
        struct oid_arcs arcs = OID2ARCS("manifest", oid);
        struct signed_object sobj;
-       struct signed_object_args sobj_args;
+       struct ee_cert ee;
        struct Manifest *mft;
        STACK_OF(X509_CRL) *crl;
        int error;
@@ -303,25 +303,25 @@ handle_manifest(struct rpki_uri *uri, struct rpki_uri *notif, struct rpp **pp)
        error = rpp_crl(*pp, &crl);
        if (error)
                goto revert_rpp;
-       signed_object_args_init(&sobj_args, uri, crl, false);
+       eecert_init(&ee, crl, false);
 
        /* Validate everything */
-       error = signed_object_validate(&sobj, &arcs, &sobj_args);
+       error = signed_object_validate(&sobj, &arcs, &ee);
        if (error)
                goto revert_args;
        error = validate_manifest(mft);
        if (error)
                goto revert_args;
-       error = refs_validate_ee(&sobj_args.refs, *pp, uri);
+       error = refs_validate_ee(&ee.refs, *pp, uri);
        if (error)
                goto revert_args;
 
        /* Success */
-       signed_object_args_cleanup(&sobj_args);
+       eecert_cleanup(&ee);
        goto revert_manifest;
 
 revert_args:
-       signed_object_args_cleanup(&sobj_args);
+       eecert_cleanup(&ee);
 revert_rpp:
        rpp_refput(*pp);
 revert_manifest:
index 95066f8b3122d4074ebda486461db1286c33cd65..eeda8108a503b1335c74364c514e0e3326daa504 100644 (file)
@@ -12,7 +12,7 @@ static int
 decode_roa(struct signed_object *sobj, struct RouteOriginAttestation **result)
 {
        return asn1_decode_octet_string(
-               sobj->sdata.decoded->encapContentInfo.eContent,
+               sobj->sdata->encapContentInfo.eContent,
                &asn_DEF_RouteOriginAttestation,
                (void **) result,
                true,
@@ -253,7 +253,7 @@ roa_traverse(struct rpki_uri *uri, struct rpp *pp)
        static OID oid = OID_ROA;
        struct oid_arcs arcs = OID2ARCS("roa", oid);
        struct signed_object sobj;
-       struct signed_object_args sobj_args;
+       struct ee_cert ee;
        struct RouteOriginAttestation *roa;
        STACK_OF(X509_CRL) *crl;
        int error;
@@ -274,19 +274,19 @@ roa_traverse(struct rpki_uri *uri, struct rpp *pp)
        error = rpp_crl(pp, &crl);
        if (error)
                goto revert_roa;
-       signed_object_args_init(&sobj_args, uri, crl, false);
+       eecert_init(&ee, crl, false);
 
        /* Validate and handle everything */
-       error = signed_object_validate(&sobj, &arcs, &sobj_args);
+       error = signed_object_validate(&sobj, &arcs, &ee);
        if (error)
                goto revert_args;
-       error = __handle_roa(roa, sobj_args.res);
+       error = __handle_roa(roa, ee.res);
        if (error)
                goto revert_args;
-       error = refs_validate_ee(&sobj_args.refs, pp, sobj_args.uri);
+       error = refs_validate_ee(&ee.refs, pp, uri);
 
 revert_args:
-       signed_object_args_cleanup(&sobj_args);
+       eecert_cleanup(&ee);
 revert_roa:
        ASN_STRUCT_FREE(asn_DEF_RouteOriginAttestation, roa);
 revert_sobj:
index 5f00e538007a3904d8ddc81029f3fe1bb9c6c821..0efd1f0a922baf0d338314170b81f85e8a687315 100644 (file)
@@ -12,7 +12,7 @@ signed_object_decode(struct signed_object *sobj, struct rpki_uri *uri)
        if (error)
                return error;
 
-       error = signed_data_decode(&sobj->sdata, &sobj->cinfo->content);
+       error = signed_data_decode(&sobj->cinfo->content, &sobj->sdata);
        if (error) {
                content_info_free(sobj->cinfo);
                return error;
@@ -68,29 +68,29 @@ validate_content_type(struct SignedData *sdata, struct oid_arcs const *oid)
 
 int
 signed_object_validate(struct signed_object *sobj, struct oid_arcs const *oid,
-    struct signed_object_args *args)
+    struct ee_cert *ee)
 {
        int error;
 
        /* rfc6482#section-2 */
        /* rfc6486#section-4.1 */
        /* rfc6486#section-4.4.1 */
-       error = validate_eContentType(sobj->sdata.decoded, oid);
+       error = validate_eContentType(sobj->sdata, oid);
        if (error)
                return error;
 
        /* rfc6482#section-2 */
        /* rfc6486#section-4.3 */
-       error = validate_content_type(sobj->sdata.decoded, oid);
+       error = validate_content_type(sobj->sdata, oid);
        if (error)
                return error;
 
-       return signed_data_validate(&sobj->sdata, args);
+       return signed_data_validate(&sobj->cinfo->content, sobj->sdata, ee);
 }
 
 void
 signed_object_cleanup(struct signed_object *sobj)
 {
        content_info_free(sobj->cinfo);
-       signed_data_cleanup(&sobj->sdata);
+       ASN_STRUCT_FREE(asn_DEF_SignedData, sobj->sdata);
 }
index 41404d74e30cee402dd0b792f348385d1236a742..07cfdf1ab54ce6786a2e705cc63d0e5be50a12d3 100644 (file)
@@ -6,12 +6,12 @@
 
 struct signed_object {
        struct ContentInfo *cinfo;
-       struct signed_data sdata;
+       struct SignedData *sdata;
 };
 
 int signed_object_decode(struct signed_object *, struct rpki_uri *);
 int signed_object_validate(struct signed_object *, struct oid_arcs const *,
-    struct signed_object_args *);
+    struct ee_cert *);
 void signed_object_cleanup(struct signed_object *);
 
 #endif /* SRC_OBJECT_SIGNED_OBJECT_H_ */