author | Rob Austein <sra@hactrn.net> | 2014-11-12 21:46:41 +0000 |
committer | Rob Austein <sra@hactrn.net> | 2014-11-12 21:46:41 +0000 |
commit | 48a4efb31e97c5cfbdd72cc5826ff16de9eafedb (patch) | |
tree | 6edd7717337c346c16637a241cd35014d5b9181e /rp | |
parent | d7ab5e8ae127cb4879b4a4c5b87f6a433635bdec (diff) |
Add minimal RRDP support. This isn't enough to use RRDP, just enough
to allow rcynic to accept certificates containing RRDP SIA URIs,
which it would otherwise reject as profile
violations.
svn path=/trunk/; revision=6020
Diffstat (limited to 'rp')
-rw-r--r-- | rp/rcynic/rcynic.c | 45 |
1 files changed, 34 insertions, 11 deletions
diff --git a/rp/rcynic/rcynic.c b/rp/rcynic/rcynic.c
index 8db15e55..c5b82266 100644
--- a/rp/rcynic/rcynic.c
+++ b/rp/rcynic/rcynic.c
@@ -83,6 +83,9 @@
 #define SCHEME_RSYNC ("rsync://")
 #define SIZEOF_RSYNC (sizeof(SCHEME_RSYNC) - 1)
+#define SCHEME_HTTP ("http://")
+#define SIZEOF_HTTP (sizeof(SCHEME_HTTP) - 1)
+
 /**
 * Maximum length of a hostname.
 */
@@ -410,7 +413,7 @@ DECLARE_STACK_OF(validation_status_t)
 typedef struct certinfo {
 int ca, ta;
 object_generation_t generation;
- uri_t uri, sia, aia, crldp, manifest, signedobject;
+ uri_t uri, sia, aia, crldp, manifest, signedobject, rrdpnotify;
 } certinfo_t;
 typedef struct rcynic_ctx rcynic_ctx_t;
@@ -592,6 +595,10 @@ static int NID_ad_rpkiManifest;
 static int NID_ad_signedObject;
 #endif
+#ifndef NID_ad_rpkiNotify
+static int NID_ad_rpkiNotify;
+#endif
+
 #ifndef NID_ct_ROA
 static int NID_ct_ROA;
 #endif
@@ -630,6 +637,10 @@ static const struct {
 {&NID_ad_signedObject, "1.3.6.1.5.5.7.48.11", "id-ad-signedObject", "Signed Object"},
 #endif
+#ifndef NID_ad_rpkiNotify
+ {&NID_ad_rpkiNotify, "1.3.6.1.5.5.7.48.13", "id-ad-rpkiNotify", "RPKI RRDP Notification"},
+#endif
+
 #ifndef NID_ct_ROA
 {&NID_ct_ROA, "1.2.840.113549.1.9.16.1.24", "id-ct-routeOriginAttestation", "ROA eContent"},
 #endif
@@ -1043,6 +1054,14 @@ static int is_rsync(const char *uri)
 }
 /**
+ * Is string an http URI?
+ */
+static int is_http(const char *uri)
+{
+ return uri && !strncmp(uri, SCHEME_HTTP, SIZEOF_HTTP);
+}
+
+/**
 * Convert an rsync URI to a filename, checking for evil character
 * sequences. NB: This routine can't call mib_increment(), because
 * mib_increment() calls it, so errors detected here only go into
@@ -3155,7 +3174,8 @@ static int extract_access_uri(rcynic_ctx_t *rc,
 const AUTHORITY_INFO_ACCESS *xia,
 const int nid,
 uri_t *result,
- int *count)
+ int *count,
+ int (*relevant)(const char *))
 {
 int i;
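Review bot: `is_http` in the @@ -1043 hunk matches only the literal `http://` prefix, so an `https://` notification URI, which RFC 8182 requires for the RRDP Update Notification File, differs at the fifth character and is treated as not relevant; with the new `continue` in `extract_access_uri` such a URI is still counted toward `n_rpkiNotify` but is never stored in `certinfo->rrdpnotify` and no validation status is logged. Whether the draft being followed at the time of this commit also allowed plain `http://` I cannot tell from here, but a predicate that rejects `https://` will leave `rrdpnotify` empty for spec-conforming certificates once fetching is implemented, and a cleartext notification URI is the one place where a network attacker can cheaply steer an RP, so `https://` should at least be accepted alongside (or instead of) `http://`. The `SCHEME_HTTP` pair in the @@ -83 hunk would gain an `https://` sibling and the doc comment on `is_http` should state the scheme set it accepts, keeping the same case-sensitive prefix compare as `is_rsync`.
```c
#define SCHEME_HTTPS ("https://")
#define SIZEOF_HTTPS (sizeof(SCHEME_HTTPS) - 1)

/* … unchanged: NID declarations and OID table … */

/**
 * Is string an http or https URI?  RRDP notification URIs are
 * expected to be https; drop the plain-http branch if the
 * specification being followed does not permit it.
 */
static int is_http(const char *uri)
{
  return uri && (!strncmp(uri, SCHEME_HTTPS, SIZEOF_HTTPS) ||
                 !strncmp(uri, SCHEME_HTTP, SIZEOF_HTTP));
}
```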
@@ -3168,9 +3188,9 @@ static int extract_access_uri(rcynic_ctx_t *rc,
 if (OBJ_obj2nid(a->method) != nid)
 continue;
 ++*count;
- if (!is_rsync((char *) a->location->d.uniformResourceIdentifier->data))
- log_validation_status(rc, uri, non_rsync_uri_in_extension, generation);
- else if (sizeof(result->s) <= a->location->d.uniformResourceIdentifier->length)
+ if (!relevant((char *) a->location->d.uniformResourceIdentifier->data))
+ continue;
+ if (sizeof(result->s) <= a->location->d.uniformResourceIdentifier->length)
 log_validation_status(rc, uri, uri_too_long, generation);
 else if (result->s[0])
 log_validation_status(rc, uri, multiple_rsync_uris_in_extension, generation);
@@ -3685,7 +3705,7 @@ static int check_x509(rcynic_ctx_t *rc,
 int n_caIssuers = 0;
 ex_count--;
 if (!extract_access_uri(rc, uri, generation, aia, NID_ad_ca_issuers,
- &certinfo->aia, &n_caIssuers) ||
+ &certinfo->aia, &n_caIssuers, is_rsync) ||
 !certinfo->aia.s[0] ||
 sk_ACCESS_DESCRIPTION_num(aia) != n_caIssuers) {
 log_validation_status(rc, uri, malformed_aia_extension, generation);
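Review bot: Replacing the `non_rsync_uri_in_extension` status with a bare `continue` in the @@ -3168 hunk silently discards every access description whose scheme `relevant` rejects, for all four callers, not just the new rpkiNotify one: a CA certificate whose caRepository or rpkiManifest URI is `http://` now produces an empty `certinfo->sia` or `manifest` with no diagnostic and is only caught later by the `got_caDirectory && got_rpkiManifest` test with a less specific status, and a non-rsync caIssuers URI in the @@ -3685 hunk surfaces only as `malformed_aia_extension`. The `multiple_rsync_uris_in_extension` status on the last line is now also emitted for a duplicated `http://` rpkiNotify URI, which its name contradicts. The function cannot know which scheme a caller wanted, so if a scheme-neutral status is not added, the contract should at least be written on the `relevant` parameter in the function header (outside this hunk): `/* relevant: scheme predicate, must not be NULL; URIs it rejects are counted in *count but neither stored nor logged. */`, and callers that care should log the rejection themselves when `*count` exceeds the number of stored URIs. `extract_access_uri` begins before and ends after this hunk.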
@@ -3715,18 +3735,21 @@ static int check_x509(rcynic_ctx_t *rc,
 if ((sia = X509_get_ext_d2i(x, NID_sinfo_access, NULL, NULL)) != NULL) {
 int got_caDirectory, got_rpkiManifest, got_signedObject;
- int n_caDirectory = 0, n_rpkiManifest = 0, n_signedObject = 0;
+ int n_caDirectory = 0, n_rpkiManifest = 0, n_signedObject = 0, n_rpkiNotify = 0;
 ex_count--;
 ok = (extract_access_uri(rc, uri, generation, sia, NID_caRepository,
- &certinfo->sia, &n_caDirectory) &&
+ &certinfo->sia, &n_caDirectory, is_rsync) &&
 extract_access_uri(rc, uri, generation, sia, NID_ad_rpkiManifest,
- &certinfo->manifest, &n_rpkiManifest) &&
+ &certinfo->manifest, &n_rpkiManifest, is_rsync) &&
 extract_access_uri(rc, uri, generation, sia, NID_ad_signedObject,
- &certinfo->signedobject, &n_signedObject));
+ &certinfo->signedobject, &n_signedObject, is_rsync) &&
+ extract_access_uri(rc, uri, generation, sia, NID_ad_rpkiNotify,
+ &certinfo->rrdpnotify, &n_rpkiNotify, is_http));
 got_caDirectory = certinfo->sia.s[0] != '\0';
 got_rpkiManifest = certinfo->manifest.s[0] != '\0';
 got_signedObject = certinfo->signedobject.s[0] != '\0';
- ok &= sk_ACCESS_DESCRIPTION_num(sia) == n_caDirectory + n_rpkiManifest + n_signedObject;
+ ok &= (sk_ACCESS_DESCRIPTION_num(sia) ==
+ n_caDirectory + n_rpkiManifest + n_signedObject + n_rpkiNotify);
 if (certinfo->ca)
 ok &= got_caDirectory && got_rpkiManifest && !got_signedObject;
 else if (rc->allow_ee_without_signedObject) |
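Review bot: The new `rrdpnotify` URI is extracted for every certificate but is never checked against the profile: `got_*` flags exist only for caDirectory, rpkiManifest and signedObject, so nothing verifies that an EE certificate does not carry an id-ad-rpkiNotify access description, which RFC 8182 §3.2 defines for the SIA of CA certificates (if the draft this commit follows says otherwise, ignore this), and the `n_rpkiNotify` term in the total only stops such a description from being rejected as unknown. The commit message scopes this as "just enough to accept", so the minimum is a comment at the `n_rpkiNotify` declaration, `/* rrdpnotify is recorded only; nothing fetches it yet and no profile constraint is applied to it. */`, and, if rpkiNotify is indeed CA-only, `got_rpkiNotify = certinfo->rrdpnotify.s[0] != '\0';` next to the other flags with `ok &= !got_rpkiNotify;` in the EE branches. Note also that a rejected-scheme rpkiNotify URI (anything `is_http` does not match) is counted but leaves `rrdpnotify` empty without any logged status, so a `got_rpkiNotify` flag would be the only visible trace of it. `check_x509` begins before and continues past this hunk.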