author | Rob Austein <sra@hactrn.net> | 2011-09-15 20:04:54 +0000 |
---|---|---|
committer | Rob Austein <sra@hactrn.net> | 2011-09-15 20:04:54 +0000 |
commit | 77b435ad4ac5e991f8208335c15195b6a7338d37 (patch) | |
tree | 038a6a1b424832c8b0429365a04813b34881f1a9 | |
parent | c4725f15a312eed801130d36c4a45768f0462652 (diff) |
Consolidate and rationalize validation status codes. (#81)
svn path=/rcynic/rcynic.c; revision=3988
-rw-r--r-- | rcynic/rcynic.c | 171 |
1 files changed, 80 insertions, 91 deletions
diff --git a/rcynic/rcynic.c b/rcynic/rcynic.c
index abab25d8..55ba1d69 100644
--- a/rcynic/rcynic.c
+++ b/rcynic/rcynic.c
@@ -196,64 +196,48 @@ static const struct { #define MIB_COUNTERS \ MIB_COUNTERS_FROM_OPENSSL \ - QB(aia_mismatch, "Mismatched AIA extension") \ - QB(aia_missing, "AIA extension missing") \ - QB(certificate_bad_crl, "Bad certificate CRL") \ + QB(aia_doesnt_match_issuer, "AIA doesn't match issuer") \ + QB(aia_uri_missing, "AIA URI missing") \ + QB(bad_cms_econtenttype, "Bad CMS eContentType") \ + QB(bad_crl, "Bad CRL") \ QB(certificate_bad_signature, "Bad certificate signature") \ - QB(certificate_digest_mismatch, "Certificate digest mismatch") \ QB(certificate_failed_validation, "Certificate failed validation") \ - QB(crl_digest_mismatch, "CRL digest mismatch") \ + QB(cms_econtent_decode_error, "CMS eContent decode error") \ + QB(cms_signer_missing, "CMS signer missing") \ + QB(cms_validation_failure, "CMS validation failure") \ QB(crl_not_in_manifest, "CRL not listed in manifest") \ QB(crl_not_yet_valid, "CRL not yet valid") \ - QB(crldp_mismatch, "CRLDP doesn't match issuer's SIA") \ - QB(crldp_missing, "CRLDP extension missing") \ - QB(disallowed_extension, "Disallowed X.509v3 extension") \ - QB(ghostbuster_bad_crl, "Ghostbuster EE has bad CRL") \ - QB(ghostbuster_bad_econtenttype, "Bad Ghostbuster eContentType") \ - QB(ghostbuster_digest_mismatch, "Ghostbuster digest mismatch") \ - QB(ghostbuster_invalid_cms, "Ghostbuster validation failure") \ - QB(ghostbuster_invalid_ee, "Invalid Ghostbuster certificate") \ - QB(ghostbuster_missing_signer, "Missing Ghostbuster signer") \ - QB(hash_too_long, "Hash value is too long") \ - QB(malformed_crldp, "Malformed CRDLP extension") \ + QB(crldp_doesnt_match_issuer_sia, "CRLDP doesn't match issuer's SIA") \ + QB(crldp_uri_missing, "CRLDP URI missing") \ + QB(digest_mismatch, "Digest mismatch") \ + QB(disallowed_x509v3_extension, "Disallowed X.509v3 extension") \ + QB(hash_value_too_long, "Hash value is too long") \ + QB(invalid_cms_ee_certificate, "Invalid CMS EE certificate") \ + QB(malformed_cadirectory_uri, "Malformed 
caDirectory URI") \ + QB(malformed_crldp_extension, "Malformed CRDLP extension") \ + QB(malformed_crldp_uri, "Malformed CRDLP URI") \ QB(malformed_roa_addressfamily, "Malformed ROA addressFamily") \ - QB(malformed_sia, "Malformed SIA extension") \ QB(malformed_tal_uri, "Malformed TAL URI") \ - QB(manifest_bad_econtenttype, "Bad manifest eContentType") \ - QB(manifest_decode_error, "Manifest decode error") \ - QB(manifest_invalid_cms, "Manifest validation failure") \ - QB(manifest_invalid_ee, "Invalid manifest certificate") \ - QB(manifest_malformed_crldp, "Malformed manifest CRLDP") \ - QB(manifest_mismatch, "Manifest doesn't match SIA") \ - QB(manifest_missing, "Manifest pointer missing") \ - QB(manifest_missing_crldp, "Missing manifest CRLDP") \ - QB(manifest_missing_signer, "Missing manifest signer") \ + QB(manifest_carepository_mismatch, "Manifest caRepository mismatch") \ QB(manifest_not_yet_valid, "Manifest not yet valid") \ QB(manifest_wrong_version, "Wrong manifest version") \ QB(object_rejected, "Object rejected") \ - QB(roa_bad_afi, "ROA contains bad AFI value") \ - QB(roa_bad_crl, "ROA EE has bad CRL") \ - QB(roa_bad_econtenttype, "Bad ROA eContentType") \ - QB(roa_decode_error, "ROA decode error") \ - QB(roa_digest_mismatch, "ROA digest mismatch") \ - QB(roa_invalid_cms, "ROA validation failure") \ - QB(roa_invalid_ee, "Invalid ROA certificate") \ - QB(roa_missing_signer, "Missing ROA signer") \ - QB(roa_not_nested, "ROA resource not in EE") \ + QB(roa_contains_bad_afi_value, "ROA contains bad AFI value") \ + QB(roa_resource_not_in_ee, "ROA resource not in EE") \ QB(roa_resources_malformed, "ROA resources malformed") \ QB(roa_wrong_version, "Wrong ROA version") \ - QB(rsync_failed, "rsync transfer failed") \ - QB(rsync_timed_out, "rsync transfer timed out") \ - QB(sia_missing, "SIA extension missing") \ + QB(rsync_transfer_failed, "rsync transfer failed") \ + QB(rsync_transfer_timed_out, "rsync transfer timed out") \ + QB(sia_cadirectory_uri_missing, 
"SIA caDirectory URI missing") \ + QB(sia_manifest_uri_missing, "SIA manifest URI missing") \ QB(trust_anchor_key_mismatch, "Trust anchor key mismatch") \ QB(trust_anchor_with_crldp, "Trust anchor can't have CRLDP") \ - QB(unknown_verify_error, "Unknown OpenSSL verify error") \ + QB(unknown_openssl_verify_error, "Unknown OpenSSL verify error") \ QB(unreadable_trust_anchor, "Unreadable trust anchor") \ QB(unreadable_trust_anchor_locator, "Unreadable trust anchor locator") \ - QB(uri_too_long, "URI too long") \ QW(nonconformant_issuer_name, "Nonconformant X.509 issuer name") \ QW(nonconformant_subject_name, "Nonconformant X.509 subject name") \ - QW(rsync_skipped, "rsync transfer skipped") \ + QW(rsync_transfer_skipped, "rsync transfer skipped") \ QW(stale_crl, "Stale CRL") \ QW(stale_manifest, "Stale manifest") \ QW(tainted_by_stale_crl, "Tainted by stale CRL") \ @@ -261,6 +245,7 @@ static const struct { QW(tainted_by_not_being_in_manifest, "Tainted by not being in manifest") \ QW(trust_anchor_not_self_signed, "Trust anchor not self-signed") \ QW(unknown_object_type_skipped, "Unknown object type skipped") \ + QW(uri_too_long, "URI too long") \ QG(current_cert_recheck, "Certificate rechecked") \ QG(object_accepted, "Object accepted") \ QG(rsync_succeeded, "rsync transfer succeeded") \ @@ -2095,7 +2080,7 @@ static void rsync_mgr(const rcynic_ctx_t *rc) case 0: log_validation_status(rc, &ctx->uri, (ctx->problem == rsync_problem_timed_out - ? rsync_timed_out + ? rsync_transfer_timed_out : rsync_succeeded), object_generation_null); break; @@ -2139,8 +2124,8 @@ static void rsync_mgr(const rcynic_ctx_t *rc) (unsigned) pid, WEXITSTATUS(pid_status), ctx->uri.s); log_validation_status(rc, &ctx->uri, (rc->rsync_timeout && now >= ctx->deadline - ? rsync_timed_out - : rsync_failed), + ? rsync_transfer_timed_out + : rsync_transfer_failed), object_generation_null); break; } 
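Review bot: The added label `"Malformed CRDLP URI"` carries over the transposed acronym from the existing `"Malformed CRDLP extension"` entry, while every other label in this table spells it CRLDP. These strings presumably reach rcynic's reports, where an operator searching for "CRLDP" would miss both entries. The two lines should read `QB(malformed_crldp_extension, "Malformed CRLDP extension")` and `QB(malformed_crldp_uri, "Malformed CRLDP URI")`. The MIB_COUNTERS macro starts above this hunk and continues past it.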
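Review bot: `uri_too_long` is not renamed here but reclassified: the previous hunk drops it from the `QB` group and this one re-adds it as `QW`, which the commit message does not mention. The `QB`/`QW`/`QG` definitions are outside the diff, but if they map to failure, warning and success, then an over-long URI no longer counts as a failure in the summary, and anything alerting on failure counts stops seeing it. A comment above the table should record the intent, for example `/* uri_too_long is a warning only; call sites must still refuse to process the object */`. The call sites that log `uri_too_long` are not in this diff, so they should be checked to confirm they do not continue with a truncated URI.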
@@ -2489,7 +2474,8 @@ static CMS_ContentInfo *read_cms(const path_t *filename, hashbuf_t *hash) /** - * Extract CRLDP data from a certificate. + * Extract CRLDP data from a certificate. Stops looking after finding + * the first rsync URI. */ static void extract_crldp_uri(const rcynic_ctx_t *rc, const uri_t *uri, @@ -2503,14 +2489,14 @@ static void extract_crldp_uri(const rcynic_ctx_t *rc, assert(crldp); if (sk_DIST_POINT_num(crldp) != 1) { - log_validation_status(rc, uri, malformed_crldp, generation); + log_validation_status(rc, uri, malformed_crldp_extension, generation); return; } d = sk_DIST_POINT_value(crldp, 0); if (d->reasons || d->CRLissuer || !d->distpoint || d->distpoint->type != 0) { - log_validation_status(rc, uri, malformed_crldp, generation); + log_validation_status(rc, uri, malformed_crldp_extension, generation); return; } @@ -2518,7 +2504,7 @@ static void extract_crldp_uri(const rcynic_ctx_t *rc, GENERAL_NAME *n = sk_GENERAL_NAME_value(d->distpoint->name.fullname, i); assert(n != NULL); if (n->type != GEN_URI) { - log_validation_status(rc, uri, malformed_crldp, generation); + log_validation_status(rc, uri, malformed_crldp_extension, generation); return; } if (!is_rsync((char *) n->d.uniformResourceIdentifier->data)) { @@ -2630,7 +2616,7 @@ static X509_CRL *check_crl_1(const rcynic_ctx_t *rc, goto punt; if (hashlen > sizeof(hashbuf.h)) { - log_validation_status(rc, uri, hash_too_long, generation); + log_validation_status(rc, uri, hash_value_too_long, generation); goto punt; } @@ -2643,7 +2629,7 @@ static X509_CRL *check_crl_1(const rcynic_ctx_t *rc, goto punt; if (hash && memcmp(hashbuf.h, hash, hashlen)) { - log_validation_status(rc, uri, crl_digest_mismatch, generation); + log_validation_status(rc, uri, digest_mismatch, generation); goto punt; } @@ -2864,7 +2850,7 @@ static int check_x509_cb(int ok, X509_STORE_CTX *ctx) #undef QV default: - code = unknown_verify_error; + code = unknown_openssl_verify_error; break; } 
@@ -2901,37 +2887,37 @@ static int check_x509(const rcynic_ctx_t *rc, assert(issuer != NULL); if (subject->sia.s[0] && subject->sia.s[strlen(subject->sia.s) - 1] != '/') { - log_validation_status(rc, &subject->uri, malformed_sia, subject->generation); + log_validation_status(rc, &subject->uri, malformed_cadirectory_uri, subject->generation); goto done; } if (!subject->ta && !subject->aia.s[0]) { - log_validation_status(rc, &subject->uri, aia_missing, subject->generation); + log_validation_status(rc, &subject->uri, aia_uri_missing, subject->generation); goto done; } if (!issuer_certinfo->ta && strcmp(issuer_certinfo->uri.s, subject->aia.s)) { - log_validation_status(rc, &subject->uri, aia_mismatch, subject->generation); + log_validation_status(rc, &subject->uri, aia_doesnt_match_issuer, subject->generation); goto done; } if (subject->ca && !subject->sia.s[0]) { - log_validation_status(rc, &subject->uri, sia_missing, subject->generation); + log_validation_status(rc, &subject->uri, sia_cadirectory_uri_missing, subject->generation); goto done; } if (subject->ca && !subject->manifest.s[0]) { - log_validation_status(rc, &subject->uri, manifest_missing, subject->generation); + log_validation_status(rc, &subject->uri, sia_manifest_uri_missing, subject->generation); goto done; } if (subject->ca && !startswith(subject->manifest.s, subject->sia.s)) { - log_validation_status(rc, &subject->uri, manifest_mismatch, subject->generation); + log_validation_status(rc, &subject->uri, manifest_carepository_mismatch, subject->generation); goto done; } if (!check_allowed_extensions(x, !subject->ca)) { - log_validation_status(rc, &subject->uri, disallowed_extension, subject->generation); + log_validation_status(rc, &subject->uri, disallowed_x509v3_extension, subject->generation); goto done; } 
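Review bot: The three new codes that describe `subject->sia` use two different names for the same field: `malformed_cadirectory_uri` and `sia_cadirectory_uri_missing` say caDirectory, while `manifest_carepository_mismatch` says caRepository. The SIA access method is called id-ad-caRepository in RFC 5280 and the RPKI certificate profile, so one spelling throughout would make the status codes easier to map back to the specification, e.g. `malformed_carepository_uri` and `sia_carepository_uri_missing`, with the matching labels in MIB_COUNTERS. The first check also tests only for a trailing `/`, so its "Malformed" label is broader than what it verifies. check_x509 begins before this hunk and continues after it.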
@@ -2951,12 +2937,12 @@ static int check_x509(const rcynic_ctx_t *rc, } else { if (!subject->crldp.s[0]) { - log_validation_status(rc, &subject->uri, crldp_missing, subject->generation); + log_validation_status(rc, &subject->uri, crldp_uri_missing, subject->generation); goto done; } if (!subject->ca && !startswith(subject->crldp.s, issuer_certinfo->sia.s)) { - log_validation_status(rc, &subject->uri, crldp_mismatch, subject->generation); + log_validation_status(rc, &subject->uri, crldp_doesnt_match_issuer_sia, subject->generation); goto done; } @@ -2968,7 +2954,7 @@ static int check_x509(const rcynic_ctx_t *rc, } if ((crl = check_crl(rc, &subject->crldp, issuer, NULL, 0)) == NULL) { - log_validation_status(rc, &subject->uri, certificate_bad_crl, subject->generation); + log_validation_status(rc, &subject->uri, bad_crl, subject->generation); goto done; } @@ -3033,7 +3019,7 @@ static X509 *check_cert_1(const rcynic_ctx_t *rc, return NULL; if (hashlen > sizeof(hashbuf.h)) { - log_validation_status(rc, uri, hash_too_long, generation); + log_validation_status(rc, uri, hash_value_too_long, generation); goto punt; } @@ -3048,7 +3034,7 @@ static X509 *check_cert_1(const rcynic_ctx_t *rc, } if (hash && memcmp(hashbuf.h, hash, hashlen)) { - log_validation_status(rc, uri, certificate_digest_mismatch, generation); + log_validation_status(rc, uri, digest_mismatch, generation); goto punt; } @@ -3167,7 +3153,7 @@ static Manifest *check_manifest_1(const rcynic_ctx_t *rc, if ((eContentType = CMS_get0_eContentType(cms)) == NULL || oid_cmp(eContentType, id_ct_rpkiManifest, sizeof(id_ct_rpkiManifest))) { - log_validation_status(rc, uri, manifest_bad_econtenttype, generation); + log_validation_status(rc, uri, bad_cms_econtenttype, generation); goto done; } 
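Review bot: In the `check_crl(...) == NULL` branch of check_x509, the consolidated `bad_crl` code is logged against `&subject->uri`, the certificate under test, rather than the CRL that was rejected. With the old `certificate_bad_crl` name gone, the report line reads as if the certificate itself were a bad CRL. The same applies to the `bad_crl` calls in the check_roa_1 and check_ghostbuster_1 hunks further down, which log against the signed object's `uri`. Rewording the table entry, for example `QB(bad_crl, "Bad CRL for this object")`, would keep the merged code while making clear which object failed. The function bodies extend beyond these hunks, so whether check_crl separately reports the CRL's own URI cannot be confirmed from here.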
@@ -3177,30 +3163,30 @@ static Manifest *check_manifest_1(const rcynic_ctx_t *rc, } if (CMS_verify(cms, NULL, NULL, NULL, bio, CMS_NO_SIGNER_CERT_VERIFY) <= 0) { - log_validation_status(rc, uri, manifest_invalid_cms, generation); + log_validation_status(rc, uri, cms_validation_failure, generation); goto done; } if ((signers = CMS_get0_signers(cms)) == NULL || sk_X509_num(signers) != 1) { - log_validation_status(rc, uri, manifest_missing_signer, generation); + log_validation_status(rc, uri, cms_signer_missing, generation); goto done; } parse_cert(rc, sk_X509_value(signers, 0), &certinfo, uri, generation); if (!certinfo.crldp.s[0]) { - log_validation_status(rc, uri, manifest_missing_crldp, generation); + log_validation_status(rc, uri, crldp_uri_missing, generation); goto done; } if ((crl_tail = strrchr(certinfo.crldp.s, '/')) == NULL) { - log_validation_status(rc, uri, manifest_malformed_crldp, generation); + log_validation_status(rc, uri, malformed_crldp_uri, generation); goto done; } crl_tail++; if ((manifest = ASN1_item_d2i_bio(ASN1_ITEM_rptr(Manifest), bio, NULL)) == NULL) { - log_validation_status(rc, uri, manifest_decode_error, generation); + log_validation_status(rc, uri, cms_econtent_decode_error, generation); goto done; } @@ -3270,7 +3256,7 @@ static Manifest *check_manifest_1(const rcynic_ctx_t *rc, /* * Redundant error message? */ - log_validation_status(rc, uri, manifest_invalid_ee, generation); + log_validation_status(rc, uri, invalid_cms_ee_certificate, generation); goto done; } @@ -3421,7 +3407,7 @@ static int check_roa_1(const rcynic_ctx_t *rc, goto error; if (hashlen > sizeof(hashbuf.h)) { - log_validation_status(rc, uri, hash_too_long, generation); + log_validation_status(rc, uri, hash_value_too_long, generation); goto error; } 
@@ -3434,14 +3420,14 @@ static int check_roa_1(const rcynic_ctx_t *rc, goto error; if (hash && memcmp(hashbuf.h, hash, hashlen)) { - log_validation_status(rc, uri, roa_digest_mismatch, generation); + log_validation_status(rc, uri, digest_mismatch, generation); goto error; } if (!(eContentType = CMS_get0_eContentType(cms)) || oid_cmp(eContentType, id_ct_routeOriginAttestation, sizeof(id_ct_routeOriginAttestation))) { - log_validation_status(rc, uri, roa_bad_econtenttype, generation); + log_validation_status(rc, uri, bad_cms_econtenttype, generation); goto error; } @@ -3451,19 +3437,19 @@ static int check_roa_1(const rcynic_ctx_t *rc, } if (CMS_verify(cms, NULL, NULL, NULL, bio, CMS_NO_SIGNER_CERT_VERIFY) <= 0) { - log_validation_status(rc, uri, roa_invalid_cms, generation); + log_validation_status(rc, uri, cms_validation_failure, generation); goto error; } if (!(signers = CMS_get0_signers(cms)) || sk_X509_num(signers) != 1) { - log_validation_status(rc, uri, roa_missing_signer, generation); + log_validation_status(rc, uri, cms_signer_missing, generation); goto error; } parse_cert(rc, sk_X509_value(signers, 0), &certinfo, uri, generation); if (!(roa = ASN1_item_d2i_bio(ASN1_ITEM_rptr(ROA), bio, NULL))) { - log_validation_status(rc, uri, roa_decode_error, generation); + log_validation_status(rc, uri, cms_econtent_decode_error, generation); goto error; } @@ -3520,7 +3506,7 @@ static int check_roa_1(const rcynic_ctx_t *rc, IPAddressFamily *f = sk_IPAddressFamily_value(roa_resources, i); if ((afi = v3_addr_get_afi(f)) == 0) { - log_validation_status(rc, uri, roa_bad_afi, generation); + log_validation_status(rc, uri, roa_contains_bad_afi_value, generation); goto error; } 
@@ -3557,12 +3543,12 @@ static int check_roa_1(const rcynic_ctx_t *rc, } if (!v3_addr_subset(roa_resources, ee_resources)) { - log_validation_status(rc, uri, roa_not_nested, generation); + log_validation_status(rc, uri, roa_resource_not_in_ee, generation); goto error; } if (!(crl = check_crl(rc, &certinfo.crldp, sk_X509_value(certs, sk_X509_num(certs) - 1), NULL, 0))) { - log_validation_status(rc, uri, roa_bad_crl, generation); + log_validation_status(rc, uri, bad_crl, generation); goto error; } @@ -3592,7 +3578,7 @@ static int check_roa_1(const rcynic_ctx_t *rc, /* * Redundant error message? */ - log_validation_status(rc, uri, roa_invalid_ee, generation); + log_validation_status(rc, uri, invalid_cms_ee_certificate, generation); goto error; } @@ -3687,7 +3673,7 @@ static int check_ghostbuster_1(const rcynic_ctx_t *rc, goto error; if (hashlen > sizeof(hashbuf.h)) { - log_validation_status(rc, uri, hash_too_long, generation); + log_validation_status(rc, uri, hash_value_too_long, generation); goto error; } @@ -3700,14 +3686,14 @@ static int check_ghostbuster_1(const rcynic_ctx_t *rc, goto error; if (hash && memcmp(hashbuf.h, hash, hashlen)) { - log_validation_status(rc, uri, ghostbuster_digest_mismatch, generation); + log_validation_status(rc, uri, digest_mismatch, generation); goto error; } if (!(eContentType = CMS_get0_eContentType(cms)) || oid_cmp(eContentType, id_ct_rpkiGhostbusters, sizeof(id_ct_rpkiGhostbusters))) { - log_validation_status(rc, uri, ghostbuster_bad_econtenttype, generation); + log_validation_status(rc, uri, bad_cms_econtenttype, generation); goto error; } 
@@ -3723,12 +3709,12 @@ static int check_ghostbuster_1(const rcynic_ctx_t *rc, #endif if (CMS_verify(cms, NULL, NULL, NULL, bio, CMS_NO_SIGNER_CERT_VERIFY) <= 0) { - log_validation_status(rc, uri, ghostbuster_invalid_cms, generation); + log_validation_status(rc, uri, cms_validation_failure, generation); goto error; } if (!(signers = CMS_get0_signers(cms)) || sk_X509_num(signers) != 1) { - log_validation_status(rc, uri, ghostbuster_missing_signer, generation); + log_validation_status(rc, uri, cms_signer_missing, generation); goto error; } @@ -3742,7 +3728,7 @@ static int check_ghostbuster_1(const rcynic_ctx_t *rc, #endif if (!(crl = check_crl(rc, &certinfo.crldp, sk_X509_value(certs, sk_X509_num(certs) - 1), NULL, 0))) { - log_validation_status(rc, uri, ghostbuster_bad_crl, generation); + log_validation_status(rc, uri, bad_crl, generation); goto error; } @@ -3769,7 +3755,10 @@ static int check_ghostbuster_1(const rcynic_ctx_t *rc, X509_VERIFY_PARAM_add0_policy(rctx.ctx.param, OBJ_txt2obj(rpki_policy_oid, 1)); if (X509_verify_cert(&rctx.ctx) <= 0) { - log_validation_status(rc, uri, ghostbuster_invalid_ee, generation); + /* + * Redundant error message? + */ + log_validation_status(rc, uri, invalid_cms_ee_certificate, generation); goto error; } @@ -3865,15 +3854,15 @@ static void rsync_sia_callback(const rcynic_ctx_t *rc, return; case rsync_status_failed: - log_validation_status(rc, uri, rsync_failed, object_generation_null); + log_validation_status(rc, uri, rsync_transfer_failed, object_generation_null); break; case rsync_status_timed_out: - log_validation_status(rc, uri, rsync_timed_out, object_generation_null); + log_validation_status(rc, uri, rsync_transfer_timed_out, object_generation_null); break; case rsync_status_skipped: - log_validation_status(rc, uri, rsync_skipped, object_generation_null); + log_validation_status(rc, uri, rsync_transfer_skipped, object_generation_null); break; case rsync_status_done: 
@@ -3931,7 +3920,7 @@ static void walk_cert(rcynic_ctx_t *rc, STACK_OF(walk_ctx_t) *wsk) } if (!w->certinfo.manifest.s[0]) { - log_validation_status(rc, &w->certinfo.uri, manifest_missing, w->certinfo.generation); + log_validation_status(rc, &w->certinfo.uri, sia_manifest_uri_missing, w->certinfo.generation); w->state = walk_state_done; continue; } |