author | Rob Austein <sra@hactrn.net> | 2015-11-29 06:25:22 +0000 |
---|---|---|
committer | Rob Austein <sra@hactrn.net> | 2015-11-29 06:25:22 +0000 |
commit | 1eb79410a1a445bc921a645ddc29e38b5ddbcbb0 (patch) | |
tree | bd6e281ac5bbddd023283e86a965c8f897ee9284 | |
parent | 3b93c02c1e50afc7ba5eebe9791f1ee71f10de0e (diff) |
Move more trivial tests from C to Python.
svn path=/branches/tk705/; revision=6205
-rw-r--r-- | ext/POW.c | 39 | ||||
-rwxr-xr-x | rp/rcynic/rcynicng | 32 |
2 files changed, 31 insertions, 40 deletions
@@ -1419,11 +1419,6 @@ static int check_x509(X509 *x, unsigned ski_hashlen, afi; int i, ok, crit, loc, ex_count, is_ca, routercert = 0, ret = 0; -#warning Could be done in Python - if (ASN1_INTEGER_cmp(X509_get_serialNumber(x), asn1_zero) <= 0 || - ASN1_INTEGER_cmp(X509_get_serialNumber(x), asn1_twenty_octets) > 0) - lose_validation_error_from_code(status, BAD_CERTIFICATE_SERIAL_NUMBER); - #warning Should remain in C if (!check_allowed_time_encoding(X509_get_notBefore(x)) || !check_allowed_time_encoding(X509_get_notAfter(x))) @@ -1499,10 +1494,6 @@ static int check_x509(X509 *x, routercert |= OBJ_obj2nid(sk_ASN1_OBJECT_value(eku, i)) == NID_id_kp_bgpsec_router; } -#warning Could be done in Python - if (X509_get_version(x) != 2) - lose_validation_error_from_code(status, WRONG_OBJECT_VERSION); - #warning Should remain in C if (x->cert_info == NULL || x->cert_info->signature == NULL || @@ -1510,7 +1501,7 @@ static int check_x509(X509 *x, OBJ_obj2nid(x->cert_info->signature->algorithm) != NID_sha256WithRSAEncryption) lose_validation_error_from_code(status, NONCONFORMANT_SIGNATURE_ALGORITHM); -#warning Could be done in Python +#warning Part of this needs to remain in C if (x->skid) ex_count--; else @@ -1680,10 +1671,6 @@ static int check_crl(X509_CRL *crl, EVP_PKEY *pkey; int i, ret = 0; -#warning Could be done in Python - if (X509_CRL_get_version(crl) != 1) - lose_validation_error_from_code(status, WRONG_OBJECT_VERSION); - #warning Should be kept in C if (!crl->crl || !crl->crl->sig_alg || !crl->crl->sig_alg->algorithm || OBJ_obj2nid(crl->crl->sig_alg->algorithm) != NID_sha256WithRSAEncryption) 
@@ -1695,37 +1682,13 @@ static int check_crl(X509_CRL *crl, lose_validation_error_from_code(status, NONCONFORMANT_ASN1_TIME_VALUE); #warning Could be done in Python - if (X509_cmp_current_time(X509_CRL_get_lastUpdate(crl)) > 0) - lose_validation_error_from_code(status, CRL_NOT_YET_VALID); - -#warning Could be done in Python - if (X509_cmp_current_time(X509_CRL_get_nextUpdate(crl)) < 0) - lose_validation_error_from_code_maybe(allow_stale_crl, status, STALE_CRL_OR_MANIFEST); - -#warning Could be done in Python if (!check_aki(status, issuer, crl->akid)) goto error; -#warning Could be done in Python - if (crl->crl_number == NULL) - lose_validation_error_from_code(status, CRL_NUMBER_EXTENSION_MISSING); - -#warning Could be done in Python - if (ASN1_INTEGER_cmp(crl->crl_number, asn1_zero) < 0) - lose_validation_error_from_code(status, CRL_NUMBER_IS_NEGATIVE); - -#warning Could be done in Python - if (ASN1_INTEGER_cmp(crl->crl_number, asn1_twenty_octets) > 0) - lose_validation_error_from_code(status, CRL_NUMBER_OUT_OF_RANGE); - #warning Should be kept in C if (X509_CRL_get_ext_count(crl) != 2) lose_validation_error_from_code(status, DISALLOWED_X509V3_EXTENSION); -#warning Could be done in Python - if (X509_NAME_cmp(X509_CRL_get_issuer(crl), X509_get_subject_name(issuer))) - lose_validation_error_from_code(status, CRL_ISSUER_NAME_MISMATCH); - #warning Should be kept in C if (!check_allowed_dn(X509_CRL_get_issuer(crl))) lose_validation_error_from_code_maybe(allow_nonconformant_name, status, NONCONFORMANT_ISSUER_NAME); diff --git a/rp/rcynic/rcynicng b/rp/rcynic/rcynicng index 21cd9b6d..a29c0359 100755 --- a/rp/rcynic/rcynicng +++ b/rp/rcynic/rcynicng @@ -10,6 +10,7 @@ import os import sys import time import shutil +import errno import logging import argparse import subprocess 
@@ -115,10 +116,16 @@ class Status(object): def install_object(obj): fn = uri_to_filename(obj.uri, new_authenticated) dn = os.path.dirname(fn) - #logger.debug("Installing %r by linking %s to %s", obj, obj.fn, fn) + logger.debug("Installing %r by linking %s to %s", obj, obj.fn, fn) if not os.path.isdir(dn): os.makedirs(dn) - os.link(obj.fn, fn) + try: + os.link(obj.fn, fn) + except OSError as e: + if e.errno == errno.EEXIST and os.path.samefile(obj.fn, fn): + logger.exception("Installing same file again is harmless but silly") + else: + raise def final_install(): @@ -216,6 +223,11 @@ class X509(rpki.POW.X509): status.add(codes.CRLDP_EXTENSION_FORBIDDEN) if not is_ta and self.crldp is None: status.add(codes.CRLDP_EXTENSION_MISSING) + serial = self.getSerial() + if serial <= 0 or serial > 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF: + status.add(codes.BAD_CERTIFICATE_SERIAL_NUMBER) + if self.getVersion() != 2: + status.add(codes.WRONG_OBJECT_VERSION) n_rsync_caIssuers = self.count_uris(self.aia) n_rsync_caDirectory = self.count_uris(self.caDirectory) n_rsync_rpkiManifest = self.count_uris(self.rpkiManifest) @@ -278,6 +290,22 @@ class CRL(rpki.POW.CRL): logger.debug("%r rejected: %s", self, e) status.add(codes.OBJECT_REJECTED) codes.normalize(status) + if self.getVersion() != 1: + status.add(codes.WRONG_OBJECT_VERSION) + now = rpki.sundial.now() + if self.thisUpdate > now: + status.add(codes.CRL_NOT_YET_VALID) + if self.nextUpdate < now: + status.add(codes.STALE_CRL_OR_MANIFEST) + if self.number is None: + status.add(codes.CRL_NUMBER_EXTENSION_MISSING) + if self.number < 0: + status.add(codes.CRL_NUMBER_IS_NEGATIVE) + if self.number > 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF: + status.add(codes.CRL_NUMBER_OUT_OF_RANGE) + if self.getIssuer() != issuer.getSubject(): + status.add(codes.CRL_ISSUER_NAME_MISMATCH) + return not any(s.kind == "bad" for s in status) |
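Review bot: In the CRL hunk the three CRL-number checks are independent `if`s, so a CRL whose number extension is absent (`self.number is None`) still reaches `self.number < 0`; on Python 2 `None < 0` is true and CRL_NUMBER_IS_NEGATIVE is added on top of CRL_NUMBER_EXTENSION_MISSING, while on Python 3 the comparison raises TypeError and the check method aborts instead of recording a code. Chain them: `elif self.number < 0:` and `elif self.number > 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:`. All of the new codes are also added after the existing `codes.normalize(status)` context line, so if normalize is what downgrades a code's severity (the removed C path made STALE_CRL_OR_MANIFEST conditional on allow_stale_crl), these additions bypass it — worth confirming, or moving the normalize call below them. The 20-octet bound literal is repeated verbatim in the X509 hunk; a named module-level constant with a comment stating that it is the largest positive 20-octet DER INTEGER would make both range checks self-explaining. The enclosing check methods of both the X509 and CRL classes begin outside the hunks.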