-rw-r--r-- | rcynic/rcynic.c | 2 | ||||
-rw-r--r-- | rpkid/rpki/exceptions.py | 10 | ||||
-rw-r--r-- | rpkid/rpki/x509.py | 8 |
3 files changed, 18 insertions, 2 deletions
diff --git a/rcynic/rcynic.c b/rcynic/rcynic.c
index 90f0db91..9480a6ae 100644
--- a/rcynic/rcynic.c
+++ b/rcynic/rcynic.c
@@ -381,6 +381,7 @@ typedef struct walk_ctx {
   certinfo_t certinfo;
   X509 *cert;
   Manifest *manifest;
+  object_generation_t manifest_generation;
   STACK_OF(OPENSSL_STRING) *filenames;
   int manifest_iteration, filename_iteration, stale_manifest;
   walk_state_t state;
@@ -3509,6 +3510,7 @@ static int check_manifest(const rcynic_ctx_t *rc,
   w->manifest = result;
   if (crldp) w->crldp = *crldp;
+  w->manifest_generation = generation;
   return ok;
 }
diff --git a/rpkid/rpki/exceptions.py b/rpkid/rpki/exceptions.py
index b1948337..4e4bc42a 100644
--- a/rpkid/rpki/exceptions.py
+++ b/rpkid/rpki/exceptions.py
@@ -331,3 +331,13 @@ class CMSCertHasExpired(RPKI_Exception):
   """
   CMS certificate has expired.
   """
+
+class TrustedCMSCertHasExpired(RPKI_Exception):
+  """
+  Trusted CMS certificate has expired.
+  """
+
+class MultipleCMSEECert(RPKI_Exception):
+  """
+  Can't have more than one CMS EE certificate in validation chain.
+  """
diff --git a/rpkid/rpki/x509.py b/rpkid/rpki/x509.py
index 3b64c907..bcaa3646 100644
--- a/rpkid/rpki/x509.py
+++ b/rpkid/rpki/x509.py
@@ -926,13 +926,18 @@ class CMS_object(DER_object):
     store = rpki.POW.X509Store()
+    now = rpki.sundial.now()
+    trusted_ee = None
     for x in X509.normalize_chain(ta):
       if self.debug_cms_certs:
         rpki.log.debug("CMS trusted cert issuer %s subject %s SKI %s" % (x.getIssuer(), x.getSubject(), x.hSKI()))
+      if x.getNotAfter() < now:
+        raise rpki.exceptions.TrustedCMSCertHasExpired
       if not x.is_CA():
-        assert trusted_ee is None, "Can't have two EE certs in the same validation chain"
+        if trusted_ee is not None:
+          raise rpki.exceptions.MultipleCMSEECert
         trusted_ee = x
       store.addTrust(x.get_POW())
@@ -956,7 +961,6 @@ class CMS_object(DER_object):
     if len(crls) > 1:
       raise rpki.exceptions.UnexpectedCMSCRLs # , crls
-    now = rpki.sundial.now()
     for x in certs:
       if x.getNotAfter() < now:
         raise rpki.exceptions.CMSCertHasExpired # , x
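Review bot: `w->manifest_generation` is assigned only on the path in check_manifest that has already stored `w->manifest = result`, and nothing in this diff initializes the new walk_ctx member where the context is created, so a context whose manifest check never reaches that line keeps whatever the field held before. Unless walk_ctx is zero-filled on allocation (not visible here), a later reader of the field would see an indeterminate value; initialize it together with the other members, or document that it is meaningful only while `w->manifest` is non-NULL. The struct hunk would also read better with a short comment on the member, e.g. `object_generation_t manifest_generation;  /* generation the manifest in w->manifest was read from */`. check_manifest starts outside the hunk, so its early-return paths could not be checked.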
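Review bot: The new trust-anchor check ahead of `if not x.is_CA():` rejects a trusted certificate only when its notAfter is already in the past; a certificate whose validity period has not yet begun passes the guard and is still added to the store, so the condition should cover both ends of the period, e.g. `if x.getNotBefore() > now or x.getNotAfter() < now:`, assuming the X509 wrapper exposes a notBefore accessor beside getNotAfter. Both new exceptions are raised bare, so an operator learns neither which trust anchor expired nor which two EE certificates collided, and the debug line above only fires when debug_cms_certs is set; carry the subject in the exception as the `# , x` markers in the second hunk anticipate, or log it at a non-debug level before raising. The enclosing CMS_object method starts and ends outside the hunk.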