-rw-r--r-- | rcynic-ng/rcynic.c | 143 | ||||
-rw-r--r-- | rcynic-ng/rcynic.xsl | 6 | ||||
-rw-r--r-- | rcynic-ng/validation_status.xsl | 45 |
3 files changed, 115 insertions, 79 deletions
diff --git a/rcynic-ng/rcynic.c b/rcynic-ng/rcynic.c
index 5cc61a65..15c52504 100644
--- a/rcynic-ng/rcynic.c
+++ b/rcynic-ng/rcynic.c
@@ -869,6 +869,41 @@ static int oid_cmp(const ASN1_OBJECT *obj, const unsigned char *oid, const size_
 }
 
 /**
+ * Add a validation status entry to internal log.
+ */
+static void log_validation_status(const rcynic_ctx_t *rc,
+ const uri_t *uri,
+ const mib_counter_t code)
+{
+ validation_status_t *v = NULL;
+
+ assert(rc && uri);
+
+ if (!rc->validation_status)
+ return;
+
+ if ((v = validation_status_t_new()) == NULL) {
+ logmsg(rc, log_sys_err, "Couldn't allocate validation status entry for %s", uri->s);
+ goto punt;
+ }
+
+ v->timestamp = time(0);
+ v->code = code;
+ v->uri = *uri;
+
+ if (!sk_validation_status_t_push(rc->validation_status, v)) {
+ logmsg(rc, log_sys_err, "Couldn't store validation status entry for %s", uri->s);
+ goto punt;
+ }
+
+ v = NULL;
+
+ punt:
+ if (v)
+ free(v);
+}
+
+/**
 * Host MIB counter comparision.
 */
 static int host_mib_counter_cmp(const host_mib_counter_t * const *a, const host_mib_counter_t * const *b)
@@ -881,13 +916,15 @@ static int host_mib_counter_cmp(const host_mib_counter_t * const *a, const host_
 */
 static void mib_increment(const rcynic_ctx_t *rc,
 const uri_t *uri,
- const mib_counter_t counter)
+ const mib_counter_t code)
 {
 host_mib_counter_t *h = NULL, hn;
 char *s;
 
 assert(rc && uri);
 
+ log_validation_status(rc, uri, code);
+
 if (!rc->host_counters)
 return;
 
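Review bot: In the relocated log_validation_status the `punt:` cleanup `if (v) free(v);` can simply be `free(v);`, since free(NULL) is a no-op. The function comment should also say what the code shows: the call is a silent no-op when `rc->validation_status` is NULL, and the stored entry takes a struct copy of `*uri` and the current `time(0)`, e.g. `No-op unless rc->validation_status is set; copies *uri into the entry.` validation_status_t_new() is defined outside this hunk, so whether its allocation pairs correctly with free() cannot be confirmed here and is worth a check.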
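Review bot: mib_increment now records a validation-status entry on every call, before the `rc->host_counters` early return, but its doc comment (closed by the ` */` that opens this hunk, body above the hunk) still describes only the counter bump. Suggest appending to that comment: `Also appends a validation status entry for uri via log_validation_status(), even when host counters are disabled.` Since the status log is what the new validation_status.xsl renders, that side effect is now part of the function's contract and callers should be able to see it from the comment.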
@@ -917,42 +954,7 @@ static void mib_increment(const rcynic_ctx_t *rc,
 }
 }
 
- h->counters[counter]++;
-}
-
-/**
- * Add a validation status entry to internal log.
- */
-static void log_validation_status(const rcynic_ctx_t *rc,
- const uri_t *uri,
- const mib_counter_t code)
-{
- validation_status_t *v = NULL;
-
- assert(rc && uri);
-
- if (!rc->validation_status)
- return;
-
- if ((v = validation_status_t_new()) == NULL) {
- logmsg(rc, log_sys_err, "Couldn't allocate validation status entry for %s", uri->s);
- goto punt;
- }
-
- v->timestamp = time(0);
- v->code = code;
- v->uri = *uri;
-
- if (!sk_validation_status_t_push(rc->validation_status, v)) {
- logmsg(rc, log_sys_err, "Couldn't store validation status entry for %s", uri->s);
- goto punt;
- }
-
- v = NULL;
-
- punt:
- if (v)
- free(v);
+ h->counters[code]++;
 }
 
 /**
@@ -968,7 +970,7 @@ static void reject(const rcynic_ctx_t *rc,
 assert(fmt && strlen(fmt) + sizeof("Rejected %s") < sizeof(format));
 snprintf(format, sizeof(format), "Rejected %s %s", uri->s, fmt);
 
- log_validation_status(rc, uri, code);
+ mib_increment(rc, uri, code);
 va_start(ap, fmt);
 vlogmsg(rc, log_data_err, format, ap);
 va_end(ap);
@@ -1034,7 +1036,8 @@ static int cp_ln(const rcynic_ctx_t *rc, const path_t *source, const path_t *tar
 */
 static int install_object(const rcynic_ctx_t *rc,
 const uri_t *uri,
- const path_t *source)
+ const path_t *source,
+ const mib_counter_t code)
 {
 path_t target;
 
@@ -1050,7 +1053,7 @@ static int install_object(const rcynic_ctx_t *rc,
 if (!cp_ln(rc, source, &target))
 return 0;
 
- log_validation_status(rc, uri, validation_ok);
+ mib_increment(rc, uri, code);
 logmsg(rc, log_telemetry, "Accepted %s", uri->s);
 return 1;
 }
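Review bot: reject() now bumps the MIB counter through mib_increment as well as recording the status entry, so any caller that still pairs `reject(rc, uri, code, ...)` with its own `mib_increment(rc, uri, code)` will count that object twice. The reject() callers touched in this diff (check_x509_cb, check_manifest_1, check_roa_1, check_ghostbuster_1) are consistent, but callers outside the diff cannot be seen from here and should be audited before merging. reject's doc comment, which begins above this hunk, should state the new behaviour, e.g. `Logs the rejection, increments the MIB counter for code and records a validation status entry.`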
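Review bot: install_object gains a `code` parameter but the function comment closed by the ` */` at the top of this hunk is not updated to describe it. Suggest adding a line such as `code: accept counter (and validation status) recorded via mib_increment() once the object has been copied or linked into place; nothing is recorded if cp_ln() fails.` That last clause is what the code in the following hunk actually does and is the part callers most need to know.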
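Review bot: Moving the accept counter inside install_object means it is recorded only after cp_ln() succeeds, yet every caller changed in this diff (check_crl and check_cert in the next hunks, check_manifest, check_roa and check_ghostbuster after that) ignores install_object's return value and continues to return or keep the object as valid. On a cp_ln failure the object is therefore used as accepted but appears in neither the counters nor the validation-status log, so the report generated from that log will disagree with what was actually trusted; before this change the counter was bumped unconditionally. Either the callers should check the return (`if (!install_object(rc, uri, &path, current_crl_accepted)) { ... }`) or install_object should record a status for the failure path before `return 0;` — no existing counter for that case is visible here, so which option fits depends on the mib_counter_t enum.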
@@ -2438,8 +2441,7 @@ static X509_CRL *check_crl(const rcynic_ctx_t *rc, if ((crl = check_crl_1(rc, uri, &path, &rc->unauthenticated, issuer, hash, hashlen))) { - install_object(rc, uri, &path); - mib_increment(rc, uri, current_crl_accepted); + install_object(rc, uri, &path, current_crl_accepted); return crl; } else if (!access(path.s, F_OK)) { mib_increment(rc, uri, current_crl_rejected); @@ -2447,8 +2449,7 @@ static X509_CRL *check_crl(const rcynic_ctx_t *rc, if ((crl = check_crl_1(rc, uri, &path, &rc->old_authenticated, issuer, hash, hashlen))) { - install_object(rc, uri, &path); - mib_increment(rc, uri, backup_crl_accepted); + install_object(rc, uri, &path, backup_crl_accepted); return crl; } else if (!access(path.s, F_OK)) { mib_increment(rc, uri, backup_crl_rejected); @@ -2540,9 +2541,9 @@ static int check_x509_cb(int ok, X509_STORE_CTX *ctx) } logmsg(rctx->rc, log_data_err, "Stale CRL %s", rctx->subject->crldp.s); if (ok) - mib_increment(rctx->rc, &rctx->subject->uri, stale_crl); + mib_increment(rctx->rc, &rctx->subject->crldp, stale_crl); else - reject(rctx->rc, &rctx->subject->uri, stale_crl, "due to stale CRL %s", rctx->subject->crldp.s); + reject(rctx->rc, &rctx->subject->crldp, stale_crl, "due to stale CRL %s", rctx->subject->crldp.s); return ok; case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: @@ -2855,8 +2856,7 @@ static X509 *check_cert(rcynic_ctx_t *rc, return NULL; if ((x = check_cert_1(rc, uri, &path, prefix, certs, issuer, subject, hash, hashlen)) != NULL) { - install_object(rc, uri, &path); - mib_increment(rc, uri, accept_code); + install_object(rc, uri, &path, accept_code); if (w->state == walk_state_current) sk_OPENSSL_STRING_remove(rc->backup_cache, uri->s); else if (!sk_OPENSSL_STRING_push_strdup(rc->backup_cache, uri->s)) 
@@ -3027,8 +3027,7 @@ static Manifest *check_manifest_1(const rcynic_ctx_t *rc,
 /*
 * Redundant error message?
 */
- logmsg(rc, log_data_err, "Validation failure for manifest %s EE certificate", uri->s);
- mib_increment(rc, uri, manifest_invalid_ee);
+ reject(rc, &uri->s, manifest_invalid_ee, "because manifest EE certificate is invalid");
 goto done;
 }
 
@@ -3088,22 +3087,20 @@ static Manifest *check_manifest(const rcynic_ctx_t *rc,
 if ((certs = walk_ctx_stack_certs(wsk)) == NULL)
 return NULL;
 
- if (manifest == NULL &&
- (manifest = check_manifest_1(rc, uri, &path,
- &rc->unauthenticated, certs))) {
- install_object(rc, uri, &path);
- mib_increment(rc, uri, current_manifest_accepted);
- } else if (!access(path.s, F_OK)) {
- mib_increment(rc, uri, current_manifest_rejected);
+ if (manifest == NULL) {
+ if ((manifest = check_manifest_1(rc, uri, &path,
+ &rc->unauthenticated, certs)) != NULL)
+ install_object(rc, uri, &path, current_manifest_accepted);
+ else if (!access(path.s, F_OK))
+ mib_increment(rc, uri, current_manifest_rejected);
 }
 
- if (manifest == NULL &&
- (manifest = check_manifest_1(rc, uri, &path,
- &rc->old_authenticated, certs))) {
- install_object(rc, uri, &path);
- mib_increment(rc, uri, backup_manifest_accepted);
- } else if (!access(path.s, F_OK)) {
- mib_increment(rc, uri, backup_manifest_rejected);
+ if (manifest == NULL) {
+ if ((manifest = check_manifest_1(rc, uri, &path,
+ &rc->old_authenticated, certs)) != NULL)
+ install_object(rc, uri, &path, backup_manifest_accepted);
+ else if (!access(path.s, F_OK))
+ mib_increment(rc, uri, backup_manifest_rejected);
 }
 
 sk_X509_free(certs);
@@ -3365,8 +3362,7 @@ static int check_roa_1(const rcynic_ctx_t *rc,
 /*
 * Redundant error message?
 */
- logmsg(rc, log_data_err, "Validation failure for ROA %s EE certificate", uri->s);
- mib_increment(rc, uri, roa_invalid_ee);
+ reject(rc, uri, roa_invalid_ee, "because ROA EE certificate is invalid");
 goto error;
 }
 
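Review bot: `reject(rc, &uri->s, manifest_invalid_ee, ...)` passes the address of the `s` member (a pointer to the char array) where reject() takes a `const uri_t *`; this is an incompatible pointer type that the compiler will warn about, and it only happens to work if `s` is the first member of uri_t. The parallel replacements for ROA (later in this line) and Ghostbuster pass `uri` itself, so this line should read `reject(rc, uri, manifest_invalid_ee, "because manifest EE certificate is invalid");`. The `Redundant error message?` comment above it referred to the logmsg that is now removed, so it can be dropped or re-evaluated at the same time.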
@@ -3414,8 +3410,7 @@ static void check_roa(const rcynic_ctx_t *rc, if (check_roa_1(rc, uri, &path, &rc->unauthenticated, certs, hash, hashlen)) { - install_object(rc, uri, &path); - mib_increment(rc, uri, current_roa_accepted); + install_object(rc, uri, &path, current_roa_accepted); goto done; } else if (!access(path.s, F_OK)) { mib_increment(rc, uri, current_roa_rejected); @@ -3423,8 +3418,7 @@ static void check_roa(const rcynic_ctx_t *rc, if (check_roa_1(rc, uri, &path, &rc->old_authenticated, certs, hash, hashlen)) { - install_object(rc, uri, &path); - mib_increment(rc, uri, backup_roa_accepted); + install_object(rc, uri, &path, backup_roa_accepted); goto done; } else if (!access(path.s, F_OK)) { mib_increment(rc, uri, backup_roa_rejected); @@ -3554,8 +3548,7 @@ static int check_ghostbuster_1(const rcynic_ctx_t *rc, /* * Redundant error message? */ - logmsg(rc, log_data_err, "Validation failure for Ghostbuster record %s EE certificate", uri->s); - mib_increment(rc, uri, ghostbuster_invalid_ee); + reject(rc, uri, ghostbuster_invalid_ee, "because Ghostbuster EE certificate is invalid"); goto error; } @@ -3600,8 +3593,7 @@ static void check_ghostbuster(const rcynic_ctx_t *rc, if (check_ghostbuster_1(rc, uri, &path, &rc->unauthenticated, certs, hash, hashlen)) { - install_object(rc, uri, &path); - mib_increment(rc, uri, current_ghostbuster_accepted); + install_object(rc, uri, &path, current_ghostbuster_accepted); goto done; } else if (!access(path.s, F_OK)) { mib_increment(rc, uri, current_ghostbuster_rejected); @@ -3609,8 +3601,7 @@ static void check_ghostbuster(const rcynic_ctx_t *rc, if (check_ghostbuster_1(rc, uri, &path, &rc->old_authenticated, certs, hash, hashlen)) { - install_object(rc, uri, &path); - mib_increment(rc, uri, backup_ghostbuster_accepted); + install_object(rc, uri, &path, backup_ghostbuster_accepted); goto done; } else if (!access(path.s, F_OK)) { mib_increment(rc, uri, backup_ghostbuster_rejected); 
diff --git a/rcynic-ng/rcynic.xsl b/rcynic-ng/rcynic.xsl
index 25aa7b2c..4e18c806 100644
--- a/rcynic-ng/rcynic.xsl
+++ b/rcynic-ng/rcynic.xsl
@@ -54,9 +54,9 @@
 <xsl:param name="suppress-zero-columns" select="1"/>
 <xsl:param name="show-total" select="1"/>
 <xsl:param name="use-colors" select="1"/>
- <xsl:param name="show-detailed-status" select="0"/>
- <xsl:param name="show-problems" select="1"/>
- <xsl:param name="show-summary" select="1"/>
+ <xsl:param name="show-detailed-status" select="1"/>
+ <xsl:param name="show-problems" select="0"/>
+ <xsl:param name="show-summary" select="0"/>
 
 <xsl:variable name="sums">
 <xsl:for-each select="rcynic-summary/labels/*">
diff --git a/rcynic-ng/validation_status.xsl b/rcynic-ng/validation_status.xsl
new file mode 100644
index 00000000..6154e70a
--- /dev/null
+++ b/rcynic-ng/validation_status.xsl
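Review bot: Flipping the defaults of `show-detailed-status`, `show-problems` and `show-summary` changes the output of every existing invocation of rcynic.xsl that does not pass `--param`: the detailed status table is now on and the problem list and summary are off. If this is a working setting for exercising the new validation-status output rather than an intended permanent default, it would be safer to leave the defaults and override them on the command line; if it is intended, a short comment next to the params noting that the default report now shows detailed status only would spare users the surprise. No commit message is visible on this page, so the intent cannot be confirmed from here.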
@@ -0,0 +1,45 @@ +<?xml version="1.0"?> +<!-- + - Copyright (C) 2010-2011 Internet Systems Consortium, Inc. ("ISC") + - + - Permission to use, copy, modify, and/or distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. + --> + +<!-- $Id$ --> + +<!-- + - XSL stylesheet to render rcynic's xml-summary output as tab-delimited text. + --> + +<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0"> + + <xsl:output method="text" encoding="US-ASCII"/> + + <xsl:template match="/"> + <xsl:for-each select="rcynic-summary/validation_status"> + <xsl:value-of select="@timestamp"/> + <xsl:text>	</xsl:text> + <xsl:value-of select="@status"/> + <xsl:text>	</xsl:text> + <xsl:value-of select="."/> + <xsl:text> </xsl:text> + </xsl:for-each> + </xsl:template> + +</xsl:stylesheet> + +<!-- + - Local variables: + - mode: sgml + - End: + --> |