path: root/rcynic/rcynic.c
2014-04-05  Rob Austein
    Source tree reorg, phase 1. Almost everything moved, no file contents changed.
    svn path=/branches/tk685/; revision=5757

2014-03-06  Rob Austein
    Clang found a few issues.
    svn path=/trunk/; revision=5698

2014-02-27  Rob Austein
    More router certificate checks.
    svn path=/trunk/; revision=5689

2014-02-26  Rob Austein
    Add EKU checks for BGPSEC router certificates, now that we have a value for id-kp-bgpsec-router.
    svn path=/trunk/; revision=5687

2014-01-22  Rob Austein
    Add --help and long option names to rcynic.
    svn path=/trunk/; revision=5641

2014-01-09  Rob Austein
    Update more copyrights, clean up module doc blocks.
    svn path=/trunk/; revision=5624

2013-12-19  Rob Austein
    Rewrite all uses of readdir() to avoid relying on the dirent d_type field. Some of this code was fairly unreadable, so this turned into a general clean up of the affected functions. See #660.
    svn path=/trunk/; revision=5610

2013-11-23  Rob Austein
    Emit better(?) error message when we can't open a TAL file. Fixes #113.
    svn path=/trunk/; revision=5603

2013-11-22  Rob Austein
    Conformance: Make sure CMS contains exactly one certificate and that it matches the certificate specified by the SignerInfo.
    svn path=/trunk/; revision=5600

2013-11-22  Rob Austein
    Check certificate policy for qualifiers: allow id-qt-cps with a warning, since there's a WG draft about that, reject anything else. Fixes #640.
    svn path=/trunk/; revision=5599

2013-11-22  Rob Austein
    Add NIDs for OIDs OpenSSL doesn't know about, convert all use of literal OIDs in rcynic to use the NID API. We could probably do something a bit prettier with a .h file built by a script, but this addresses the basic problem. Closes #263.
    svn path=/trunk/; revision=5598

2013-11-07  Rob Austein
    More precise checking of attributes in CMS SignerInfos. Fixes #644.
    svn path=/trunk/; revision=5588

2013-11-07  Rob Austein
    Check manifest validity dates against its EE certificate. Fixes #651.
    svn path=/trunk/; revision=5587

2013-11-07  Rob Austein
    Don't allow EKU in signed objects. Fixes #645.
    svn path=/trunk/; revision=5586
2013-11-06  Rob Austein
    Check ROA max prefix length against prefix length. Fixes #648.
    svn path=/trunk/; revision=5584

2013-11-06  Rob Austein
    Check certificates for non-null SAFI. While we're at it, check for unknown AFI in case that somehow slips past OpenSSL. Fixes #641.
    svn path=/trunk/; revision=5583

2013-11-06  Rob Austein
    Check for manifestNumber too big. Fixes #652.
    svn path=/trunk/; revision=5582

2013-11-06  Rob Austein
    Check for certificate serial number too big. Fixes #642.
    svn path=/trunk/; revision=5581

2013-11-06  Rob Austein
    RFC 5280 restriction to 20 octets is 20 octets in two's complement, so max value has to allow for sign bit. See #642.
    svn path=/trunk/; revision=5580

2013-07-30  Rob Austein
    Log a warning if we accept an EE certificate when allow_ee_without_signedObject is active. Fixes #591.
    svn path=/trunk/; revision=5445

2013-07-18  Rob Austein
    GCC warning.
    svn path=/trunk/; revision=5439

2013-06-27  Rob Austein
    Report what we're doing before blocking select().
    svn path=/trunk/; revision=5419

2013-06-27  Rob Austein
    Flip default for allow-object-not-in-manifest to false.
    svn path=/trunk/; revision=5418

2013-06-27  Rob Austein
    Don't whine about stale CRLs and manifests that are only stale because we check them before running rsync when rsync-early is off.
    svn path=/trunk/; revision=5417

2013-06-14  Rob Austein
    Pruning now keys off the validation_status database rather than the rsync_history database, which solves the problem of how to prune when we skip rsyncing publication points for which we have a cached current manifest.
    svn path=/trunk/; revision=5409

2013-06-14  Rob Austein
    Experimental feature: skip rsync_tree() if we have a valid manifest and haven't yet reached its nextUpdate time. Disabled by default, doesn't yet handle pruning correctly, may give surprising results.
    svn path=/trunk/; revision=5408

2013-06-07  Rob Austein
    Nit
    svn path=/trunk/; revision=5379

2013-06-07  Rob Austein
    Forgot a globfree().
    svn path=/trunk/; revision=5378

2013-06-06  Rob Austein
    Consolidate to a single event loop, queue up all TALs at start. This makes things run a lot faster with multiple trust anchors.
    svn path=/trunk/; revision=5377
2013-06-06  Rob Austein
    Type signatures of rsync_*() and task_*() frameworks should not be so tightly coupled to walk_cert(). Checkpoint along the way to adding handlers for the check_ta*() functions so that we can run multiple trust anchors in parallel.
    svn path=/trunk/; revision=5374

2013-06-06  Rob Austein
    Reorganize TA handling code, add trust-anchor-directory directive. Latter is not yet fully tested, so not yet ready for prime time.
    svn path=/trunk/; revision=5373

2013-03-25  Rob Austein
    The URI in a TAL MUST be a certificate matching the RPKI profile, which implies that its name must end in ".cer". Fixes #492.
    svn path=/trunk/; revision=5215

2013-03-21  Rob Austein
    Examine both thisUpdate timestamp and number when comparing CRLs or manifests: report discrepancies, and blunder ahead with current generation when timestamp and number checks disagree, on theory that this indicates fat fingers rather than an attack. Closes #409.
    svn path=/trunk/; revision=5189

2013-03-11  Rob Austein
    Check CRL issuer name against issuing CA's subject name. Closes #459.
    svn path=/trunk/; revision=5133

2013-01-29  Rob Austein
    Check for empty RFC 3779 extensions. See #406.
    svn path=/trunk/; revision=4981

2012-11-28  Rob Austein
    Check signedObject URI when present. Closes #173.
    svn path=/trunk/; revision=4922

2012-09-29  Rob Austein
    Simplify loop.
    svn path=/branches/tk274/; revision=4738

2012-09-29  Rob Austein
    Clean up AVL_PARANOIA code.
    svn path=/branches/tk274/; revision=4736

2012-09-19  Rob Austein
    Move ASN.1 definitions for ROAs and Manifests to common header files used by all the C programs.
    svn path=/branches/tk274/; revision=4725

2012-09-14  Rob Austein
    Disable AVL_PARANOIA code.
    svn path=/branches/tk274/; revision=4714

2012-09-14  Rob Austein
    Add AVL index of validation_status database.
    svn path=/branches/tk274/; revision=4713

2012-07-30  Rob Austein
    Add -x option to control "XML summary" file name from command line. Consolidate code that generates file:// URIs from filenames.
    svn path=/trunk/; revision=4613

2012-06-26  Rob Austein
    Certificate UID fields forbidden by RPKI profile.
    svn path=/trunk/; revision=4560

2012-06-24  Rob Austein
    RFC 6485 contradicts RFCs 2630 and 3370, which make rsaEncryption the mandatory-to-support CMS signatureAlgorithm OID. All known existing RPKI engines and validators use CMS engines which follow the base CMS specifications, so this is almost certainly an error in RFC 6485. Allow either rsaEncryption or sha256WithRSAEncryption, pending resolution of this issue by the IETF SIDR WG.
    svn path=/trunk/; revision=4554

2012-06-23  Rob Austein
    Check OID in CMS SignerInfo contentType attribute (conformance).
    svn path=/trunk/; revision=4553

2012-06-22  Rob Austein
    More CMS conformance checks, and fix a couple I got wrong yesterday.
    svn path=/trunk/; revision=4551

2012-06-22  Rob Austein
    Check CMS SignerInfo algorithm OIDs (conformance).
    svn path=/trunk/; revision=4550

2012-06-22  Rob Austein
    Check CMS for presence of CRLs (conformance).
    svn path=/trunk/; revision=4549

2012-06-21  Rob Austein
    Check for duplicate names in manifest (conformance).
    svn path=/trunk/; revision=4548

2012-06-21  Rob Austein
    Tighter checking of integer values in input data (conformance).
    svn path=/trunk/; revision=4547