author | Rob Austein <sra@hactrn.net> | 2006-10-23 20:42:13 +0000 |
---|---|---|
committer | Rob Austein <sra@hactrn.net> | 2006-10-23 20:42:13 +0000 |
commit | 0de29de53d2b1e55b02ea952de5ede06a557f911 (patch) | |
tree | df5ed7ed68798dce6197e2c5736702cab43cc2d0 /rcynic/rcynic.c | |
parent | 0724ac6e00c9eda64f839439e54224f69d21ba22 (diff) |
More stats. Disable EE SIA check per design team discussion.
svn path=/rcynic/rcynic.c; revision=426
Diffstat (limited to 'rcynic/rcynic.c')
-rw-r--r-- | rcynic/rcynic.c | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/rcynic/rcynic.c b/rcynic/rcynic.c
index 1a57506a..82b3cfc1 100644
--- a/rcynic/rcynic.c
+++ b/rcynic/rcynic.c
@@ -107,7 +107,12 @@ static const struct {
 QQ(rsync_failed, "rsync transfers failed", " -rsy") \
 QQ(rsync_succeeded, "rsync transfers succeeded", " +rsy") \
 QQ(rsync_timed_out, "rsync transfers timed out", " ?rsy") \
- QQ(stale_crl, "stale CRLs", "stale")
+ QQ(stale_crl, "stale CRLs", "stale") \
+ QQ(malformed_sia, "malcormed SIA extensionss", "badsi") \
+ QQ(sia_missing, "SIA extensions missing", "nosia") \
+ QQ(aia_missing, "AIA extensions missing", "noaia") \
+ QQ(crldp_missing, "CRLDP extensions missing", "nocrl") \
+ QQ(aia_mismatch, "mismatched AIA extensions", "badai")
 #define QQ(x,y,z) x ,
 typedef enum mib_counter { MIB_COUNTERS MIB_COUNTER_T_MAX } mib_counter_t;
@@ -1213,32 +1218,42 @@ static X509 *check_cert_1(const rcynic_ctx_t *rc,
 if (subj->sia[0] && subj->sia[strlen(subj->sia) - 1] != '/') {
 logmsg(rc, log_data_err, "Malformed SIA %s for %s", subj->sia, uri);
+ mib_increment(rc, uri, malformed_sia);
 goto punt;
 }
 if (!subj->aia[0]) {
 logmsg(rc, log_data_err, "AIA missing for %s", uri);
+ mib_increment(rc, uri, aia_missing);
 goto punt;
 }
 if (!issuer->ta && strcmp(issuer->uri, subj->aia)) {
 logmsg(rc, log_data_err, "AIA %s of %s doesn't match parent", subj->aia, uri);
+ mib_increment(rc, uri, aia_mismatch);
 goto punt;
 }
 if (subj->ca && !subj->sia[0]) {
 logmsg(rc, log_data_err, "CA certificate %s without SIA extension", uri);
+ mib_increment(rc, uri, sia_missing);
 goto punt;
 }
+#if 0
+ /*
+ * Ongoing discussion about removing this restriction from the profile.
+ */
 if (!subj->ca && subj->sia[0]) {
 logmsg(rc, log_data_err, "EE certificate %s with SIA extension", uri);
 goto punt;
 }
+#endif
 if (!subj->crldp[0]) {
 logmsg(rc, log_data_err, "Missing CRLDP extension for %s", uri);
+ mib_increment(rc, uri, crldp_missing);
 goto punt;
 }
 |
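Review bot: The description string for the new `malformed_sia` counter in the first hunk is misspelled ("malcormed SIA extensionss"), and since these strings look like the labels printed with the statistics, the typo would surface in operator-facing output; it should read `QQ(malformed_sia, "malformed SIA extensions", "badsi") \`. The short tag `"nocrl"` for `crldp_missing` also reads as "no CRL" rather than "no CRLDP extension", which could be confused with the existing `stale_crl` row, so a one-line comment above the list saying what each tag abbreviates would help. The `MIB_COUNTERS` list begins outside this hunk.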
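Review bot: With the EE-with-SIA test in the second hunk wrapped in `#if 0`, an EE certificate carrying an SIA extension now passes this part of check_cert_1 with no log line and no counter, so operators cannot see how often the relaxed rule is being relied on while the profile discussion is open. Rather than compiling the test out, consider keeping the condition and dropping only its `goto punt;`, so that `logmsg(rc, log_data_err, "EE certificate %s with SIA extension", uri);` still fires, and give it a MIB counter of its own alongside the five added here. The trailing-slash test at the top of the hunk is not conditioned on `subj->ca`, so an EE certificate's SIA is accepted only if it ends in '/'; it is worth confirming that this is the intended rule for EE certificates now that they may carry one. check_cert_1 begins and ends outside this hunk.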