-/* $OpenBSD: cert.c,v 1.130 2024/04/21 19:27:44 claudio Exp $ */
+/* $OpenBSD: cert.c,v 1.131 2024/05/20 15:51:43 claudio Exp $ */
/*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2021 Job Snijders <job@openbsd.org>
extern ASN1_OBJECT *manifest_oid; /* 1.3.6.1.5.5.7.48.10 (rpkiManifest) */
extern ASN1_OBJECT *notify_oid; /* 1.3.6.1.5.5.7.48.13 (rpkiNotify) */
+static int certid = TALSZ_MAX;
+
/*
* Append an IP address structure to our list of results.
* This will also constrain us to having at most one inheritance
io_simple_buffer(b, &p->notafter, sizeof(p->notafter));
io_simple_buffer(b, &p->purpose, sizeof(p->purpose));
io_simple_buffer(b, &p->talid, sizeof(p->talid));
+ io_simple_buffer(b, &p->certid, sizeof(p->certid));
io_simple_buffer(b, &p->repoid, sizeof(p->repoid));
io_simple_buffer(b, &p->ipsz, sizeof(p->ipsz));
io_simple_buffer(b, &p->asz, sizeof(p->asz));
io_read_buf(b, &p->notafter, sizeof(p->notafter));
io_read_buf(b, &p->purpose, sizeof(p->purpose));
io_read_buf(b, &p->talid, sizeof(p->talid));
+ io_read_buf(b, &p->certid, sizeof(p->certid));
io_read_buf(b, &p->repoid, sizeof(p->repoid));
io_read_buf(b, &p->ipsz, sizeof(p->ipsz));
io_read_buf(b, &p->asz, sizeof(p->asz));
static inline int
authcmp(struct auth *a, struct auth *b)
{
- return strcmp(a->cert->ski, b->cert->ski);
+ if (a->cert->certid > b->cert->certid)
+ return 1;
+ if (a->cert->certid < b->cert->certid)
+ return -1;
+ return 0;
}
RB_GENERATE_STATIC(auth_tree, auth, entry, authcmp);
}
struct auth *
-auth_find(struct auth_tree *auths, const char *aki)
+auth_find(struct auth_tree *auths, int id)
{
struct auth a;
struct cert c;
- /* we look up the cert where the ski == aki */
- c.ski = (char *)aki;
+ c.certid = id;
a.cert = &c;
return RB_FIND(auth_tree, auths, &a);
}
struct auth *
-auth_insert(struct auth_tree *auths, struct cert *cert, struct auth *issuer)
+auth_insert(const char *fn, struct auth_tree *auths, struct cert *cert,
+ struct auth *issuer)
{
struct auth *na;
- na = malloc(sizeof(*na));
+ na = calloc(1, sizeof(*na));
if (na == NULL)
err(1, NULL);
+ if (issuer == NULL) {
+ cert->certid = cert->talid;
+ } else {
+ cert->certid = ++certid;
+ if (certid > CERTID_MAX)
+ errx(1, "%s: too many certificates in store", fn);
+ na->depth = issuer->depth + 1;
+ }
+
+ if (na->depth >= MAX_CERT_DEPTH) {
+ warnx("%s: maximum certificate chain depth exhausted", fn);
+ free(na);
+ return NULL;
+ }
+
na->issuer = issuer;
na->cert = cert;
na->any_inherits = x509_any_inherits(cert->x509);
if (RB_INSERT(auth_tree, auths, na) != NULL)
- err(1, "auth tree corrupted");
+ errx(1, "auth tree corrupted");
return na;
}
-/* $OpenBSD: extern.h,v 1.217 2024/04/21 19:27:44 claudio Exp $ */
+/* $OpenBSD: extern.h,v 1.218 2024/05/20 15:51:43 claudio Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
#include <openssl/x509.h>
#include <openssl/x509v3.h>
+#define CTASSERT(x) extern char _ctassert[(x) ? 1 : -1 ] \
+ __attribute__((__unused__))
+
enum cert_as_type {
CERT_AS_ID, /* single identifier */
CERT_AS_INHERIT, /* inherit from issuer */
struct cert_as *as; /* list of AS numbers and ranges */
size_t asz; /* length of "asz" */
int talid; /* cert is covered by which TAL */
+ int certid;
unsigned int repoid; /* repository of this cert file */
char *repo; /* CA repository (rsync:// uri) */
char *mft; /* manifest (rsync:// uri) */
size_t filesz; /* number of filenames */
unsigned int repoid;
int talid;
+ int certid;
};
/*
struct cert *cert; /* owner information */
struct auth *issuer; /* pointer to issuer or NULL for TA cert */
int any_inherits;
+ int depth;
};
/*
* Tree of auth sorted by ski
*/
RB_HEAD(auth_tree, auth);
-struct auth *auth_find(struct auth_tree *, const char *);
-struct auth *auth_insert(struct auth_tree *, struct cert *, struct auth *);
+struct auth *auth_find(struct auth_tree *, int);
+struct auth *auth_insert(const char *, struct auth_tree *, struct cert *,
+ struct auth *);
enum http_result {
HTTP_FAILED, /* anything else */
size_t datasz; /* length of optional data blob */
unsigned int repoid; /* repository identifier */
int talid; /* tal identifier */
+ int certid;
enum rtype type; /* type of entity (not RTYPE_EOF) */
enum location location; /* which directory the file lives in */
};
/* Validation of our objects. */
-struct auth *valid_ski_aki(const char *, struct auth_tree *,
- const char *, const char *, const char *);
-int valid_ta(const char *, struct auth_tree *,
- const struct cert *);
int valid_cert(const char *, struct auth *, const struct cert *);
int valid_roa(const char *, struct cert *, struct roa *);
int valid_filehash(int, const char *, size_t);
void proc_rrdp(int) __attribute__((noreturn));
/* Repository handling */
-int filepath_add(struct filepath_tree *, char *, time_t);
+int filepath_add(struct filepath_tree *, char *, int, time_t);
void rrdp_clear(unsigned int);
void rrdp_session_save(unsigned int, struct rrdp_session *);
void rrdp_session_free(struct rrdp_session *);
/* Maximum number of TAL files we'll load. */
#define TALSZ_MAX 8
+#define CERTID_MAX 1000000
/*
* Maximum number of elements in the sbgp-ipAddrBlock (IP) and
-/* $OpenBSD: filemode.c,v 1.41 2024/04/21 19:27:44 claudio Exp $ */
+/* $OpenBSD: filemode.c,v 1.42 2024/05/20 15:51:43 claudio Exp $ */
/*
* Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
struct tal *talobj[TALSZ_MAX];
+struct uripath {
+ RB_ENTRY(uripath) entry;
+ const char *uri;
+ struct cert *cert;
+};
+
+static RB_HEAD(uripath_tree, uripath) uritree;
+
+static inline int
+uripathcmp(const struct uripath *a, const struct uripath *b)
+{
+ return strcmp(a->uri, b->uri);
+}
+
+RB_PROTOTYPE(uripath_tree, uripath, entry, uripathcmp);
+
+static void
+uripath_add(const char *uri, struct cert *cert)
+{
+ struct uripath *up;
+
+ if ((up = calloc(1, sizeof(*up))) == NULL)
+ err(1, NULL);
+ if ((up->uri = strdup(uri)) == NULL)
+ err(1, NULL);
+ up->cert = cert;
+ if (RB_INSERT(uripath_tree, &uritree, up) != NULL)
+ errx(1, "corrupt AIA lookup tree");
+}
+
+static struct cert *
+uripath_lookup(const char *uri)
+{
+ struct uripath needle = { .uri = uri };
+ struct uripath *up;
+
+ up = RB_FIND(uripath_tree, &uritree, &needle);
+ if (up == NULL)
+ return NULL;
+ return up->cert;
+}
+
+RB_GENERATE(uripath_tree, uripath, entry, uripathcmp);
+
/*
* Use the X509 CRL Distribution Points to locate the CRL needed for
* verification.
* tree. Once the TA is located in the chain the chain is validated in
* reverse order.
*/
-static void
+static struct auth *
parse_load_certchain(char *uri)
{
struct cert *stack[MAX_CERT_DEPTH] = { 0 };
int i;
for (i = 0; i < MAX_CERT_DEPTH; i++) {
+ if ((cert = uripath_lookup(uri)) != NULL) {
+ a = auth_find(&auths, cert->certid);
+ break;
+ }
filestack[i] = uri;
stack[i] = cert = parse_load_cert(uri);
if (cert == NULL || cert->purpose != CERT_PURPOSE_CA) {
- warnx("failed to build authority chain");
+ warnx("failed to build authority chain: %s", uri);
goto fail;
}
- if (auth_find(&auths, cert->ski) != NULL) {
- assert(i == 0);
- goto fail;
- }
- if ((a = auth_find(&auths, cert->aki)) != NULL)
- break; /* found chain to TA */
uri = cert->aia;
}
}
/* TA found play back the stack and add all certs */
- for (; i >= 0; i--) {
- cert = stack[i];
- uri = filestack[i];
+ for (; i > 0; i--) {
+ cert = stack[i - 1];
+ uri = filestack[i - 1];
crl = crl_get(&crlt, a);
if (!valid_x509(uri, ctx, cert->x509, a, crl, &errstr) ||
goto fail;
}
cert->talid = a->cert->talid;
- a = auth_insert(&auths, cert, a);
+ a = auth_insert(uri, &auths, cert, a);
+ uripath_add(uri, cert);
stack[i] = NULL;
}
- return;
+ return a;
fail:
for (i = 0; i < MAX_CERT_DEPTH; i++)
cert_free(stack[i]);
+ return NULL;
}
static void
struct cert *cert;
unsigned char *f = NULL;
char *file;
- size_t flen;
+ size_t flen, i;
/* does not matter which URI, all end with same filename */
filename = strrchr(tal->uri[0], '/');
goto out;
cert->talid = tal->id;
+ auth_insert(file, &auths, cert, NULL);
+ for (i = 0; i < tal->urisz; i++) {
+ if (strncasecmp(tal->uri[i], RSYNC_PROTO, RSYNC_PROTO_LEN) != 0)
+ continue;
+ /* Add all rsync uri since any of them could be used as AIA. */
+ uripath_add(tal->uri[i], cert);
+ }
- if (!valid_ta(file, &auths, cert))
- cert_free(cert);
- else
- auth_insert(&auths, cert, NULL);
out:
free(file);
free(f);
struct spl *spl = NULL;
struct tak *tak = NULL;
struct tal *tal = NULL;
- char *aia = NULL, *aki = NULL;
+ char *aia = NULL;
char *crl_uri = NULL;
time_t *expires = NULL, *notafter = NULL;
struct auth *a;
if (aspa == NULL)
break;
aia = aspa->aia;
- aki = aspa->aki;
expires = &aspa->expires;
notafter = &aspa->notafter;
break;
if (cert == NULL)
break;
aia = cert->aia;
- aki = cert->aki;
x509 = cert->x509;
if (X509_up_ref(x509) == 0)
errx(1, "%s: X509_up_ref failed", __func__);
if (mft == NULL)
break;
aia = mft->aia;
- aki = mft->aki;
expires = &mft->expires;
notafter = &mft->nextupdate;
break;
if (gbr == NULL)
break;
aia = gbr->aia;
- aki = gbr->aki;
expires = &gbr->expires;
notafter = &gbr->notafter;
break;
if (geofeed == NULL)
break;
aia = geofeed->aia;
- aki = geofeed->aki;
expires = &geofeed->expires;
notafter = &geofeed->notafter;
break;
if (roa == NULL)
break;
aia = roa->aia;
- aki = roa->aki;
expires = &roa->expires;
notafter = &roa->notafter;
break;
if (rsc == NULL)
break;
aia = rsc->aia;
- aki = rsc->aki;
expires = &rsc->expires;
notafter = &rsc->notafter;
break;
if (spl == NULL)
break;
aia = spl->aia;
- aki = spl->aki;
expires = &spl->expires;
notafter = &spl->notafter;
break;
if (tak == NULL)
break;
aia = tak->aia;
- aki = tak->aki;
expires = &tak->expires;
notafter = &tak->notafter;
break;
if (aia != NULL) {
x509_get_crl(x509, file, &crl_uri);
parse_load_crl(crl_uri);
- if (auth_find(&auths, aki) == NULL)
- parse_load_certchain(aia);
- a = auth_find(&auths, aki);
+ a = parse_load_certchain(aia);
c = crl_get(&crlt, a);
if ((status = valid_x509(file, ctx, x509, a, c, &errstr))) {
-/* $OpenBSD: main.c,v 1.257 2024/04/08 14:02:13 tb Exp $ */
+/* $OpenBSD: main.c,v 1.258 2024/05/20 15:51:43 claudio Exp $ */
/*
* Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
io_read_buf(b, &ent->location, sizeof(ent->location));
io_read_buf(b, &ent->repoid, sizeof(ent->repoid));
io_read_buf(b, &ent->talid, sizeof(ent->talid));
+ io_read_buf(b, &ent->certid, sizeof(ent->certid));
io_read_str(b, &ent->path);
io_read_str(b, &ent->file);
io_read_str(b, &ent->mftaki);
io_simple_buffer(b, &ent->location, sizeof(ent->location));
io_simple_buffer(b, &ent->repoid, sizeof(ent->repoid));
io_simple_buffer(b, &ent->talid, sizeof(ent->talid));
+ io_simple_buffer(b, &ent->certid, sizeof(ent->certid));
io_str_buffer(b, ent->path);
io_str_buffer(b, ent->file);
io_str_buffer(b, ent->mftaki);
enum location loc = DIR_UNKNOWN;
unsigned int repoid;
char *path, *altpath;
- int talid = 0;
+ int talid = 0, certid = 0;
repoid = repo_id(rp);
path = repo_basedir(rp, 0);
io_simple_buffer(b, &loc, sizeof(loc));
io_simple_buffer(b, &repoid, sizeof(repoid));
io_simple_buffer(b, &talid, sizeof(talid));
+ io_simple_buffer(b, &certid, sizeof(certid));
io_str_buffer(b, path);
io_str_buffer(b, altpath);
io_buf_buffer(b, NULL, 0); /* ent->mftaki */
*/
static void
entityq_add(char *path, char *file, enum rtype type, enum location loc,
- struct repo *rp, unsigned char *data, size_t datasz, int talid,
+ struct repo *rp, unsigned char *data, size_t datasz, int talid, int certid,
char *mftaki)
{
struct entity *p;
p->type = type;
p->location = loc;
p->talid = talid;
+ p->certid = certid;
p->mftaki = mftaki;
p->path = path;
if (rp != NULL)
if ((mftaki = strdup(mft->aki)) == NULL)
err(1, NULL);
entityq_add(npath, nfile, f->type, f->location, rp, NULL, 0,
- mft->talid, mftaki);
+ mft->talid, mft->certid, mftaki);
}
}
if ((nfile = strdup(file)) == NULL)
err(1, NULL);
/* Not in a repository, so directly add to queue. */
- entityq_add(NULL, nfile, type, DIR_UNKNOWN, NULL, buf, len, talid,
+ entityq_add(NULL, nfile, type, DIR_UNKNOWN, NULL, buf, len, talid, 0,
NULL);
}
data = tal->pkey;
tal->pkey = NULL;
entityq_add(NULL, nfile, RTYPE_CER, DIR_VALID, repo, data,
- tal->pkeysz, tal->id, NULL);
+ tal->pkeysz, tal->id, tal->id, NULL);
}
/*
}
entityq_add(npath, nfile, RTYPE_MFT, DIR_UNKNOWN, repo, NULL, 0,
- cert->talid, NULL);
+ cert->talid, cert->certid, NULL);
}
/*
if (filemode)
goto done;
- if (filepath_add(&fpt, file, mtime) == 0) {
+ if (filepath_add(&fpt, file, talid, mtime) == 0) {
warnx("%s: File already visited", file);
goto done;
}
-/* $OpenBSD: mft.c,v 1.114 2024/05/15 09:19:48 tb Exp $ */
+/* $OpenBSD: mft.c,v 1.115 2024/05/20 15:51:43 claudio Exp $ */
/*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
io_simple_buffer(b, &p->repoid, sizeof(p->repoid));
io_simple_buffer(b, &p->talid, sizeof(p->talid));
+ io_simple_buffer(b, &p->certid, sizeof(p->certid));
io_str_buffer(b, p->path);
io_str_buffer(b, p->aia);
io_read_buf(b, &p->repoid, sizeof(p->repoid));
io_read_buf(b, &p->talid, sizeof(p->talid));
+ io_read_buf(b, &p->certid, sizeof(p->certid));
io_read_str(b, &p->path);
io_read_str(b, &p->aia);
-/* $OpenBSD: parser.c,v 1.135 2024/04/21 19:27:44 claudio Exp $ */
+/* $OpenBSD: parser.c,v 1.136 2024/05/20 15:51:43 claudio Exp $ */
/*
* Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
errx(1, "repository already added: id %d, %s", id, path);
}
+/*
+ * Return the issuer by its certificate id, or NULL on failure.
+ * Make sure the AKI is the same as the AKI listed on the Manifest,
+ * and that the SKI of the cert matches with the AKI.
+ */
+static struct auth *
+find_issuer(const char *fn, int id, const char *aki, const char *mftaki)
+{
+ struct auth *a;
+
+ a = auth_find(&auths, id);
+ if (a == NULL) {
+ warnx("%s: RFC 6487: unknown cert with SKI %s", fn, aki);
+ return NULL;
+ }
+
+ if (mftaki != NULL) {
+ if (strcmp(aki, mftaki) != 0) {
+ warnx("%s: AKI %s doesn't match Manifest AKI %s", fn,
+ aki, mftaki);
+ return NULL;
+ }
+ }
+
+ if (strcmp(aki, a->cert->ski) != 0) {
+ warnx("%s: AKI %s doesn't match issuer SKI %s", fn,
+ aki, a->cert->ski);
+ return NULL;
+ }
+
+ return a;
+}
+
/*
* Build access path to file based on repoid, path, location and file values.
*/
if ((roa = roa_parse(&x509, file, entp->talid, der, len)) == NULL)
return NULL;
- a = valid_ski_aki(file, &auths, roa->ski, roa->aki, entp->mftaki);
+ a = find_issuer(file, entp->certid, roa->aki, entp->mftaki);
crl = crl_get(&crlt, a);
if (!valid_x509(file, ctx, x509, a, crl, &errstr)) {
if ((spl = spl_parse(&x509, file, entp->talid, der, len)) == NULL)
return NULL;
- a = valid_ski_aki(file, &auths, spl->ski, spl->aki, entp->mftaki);
+ a = find_issuer(file, entp->certid, spl->aki, entp->mftaki);
crl = crl_get(&crlt, a);
if (!valid_x509(file, ctx, x509, a, crl, &errstr)) {
if (*crl == NULL)
*crl = parse_load_crl_from_mft(entp, mft, DIR_VALID, crlfile);
- a = valid_ski_aki(file, &auths, mft->ski, mft->aki, NULL);
+ a = find_issuer(file, entp->certid, mft->aki, NULL);
if (!valid_x509(file, ctx, x509, a, *crl, errstr))
goto err;
X509_free(x509);
mft->repoid = entp->repoid;
mft->talid = a->cert->talid;
+ mft->certid = entp->certid;
now = get_current_time();
/* check that now is not before from */
*/
static struct cert *
proc_parser_cert(char *file, const unsigned char *der, size_t len,
- const char *mftaki)
+ const struct entity *entp)
{
struct cert *cert;
struct crl *crl;
if (cert == NULL)
return NULL;
- a = valid_ski_aki(file, &auths, cert->ski, cert->aki, mftaki);
+ a = find_issuer(file, entp->certid, cert->aki, entp->mftaki);
crl = crl_get(&crlt, a);
if (!valid_x509(file, ctx, cert->x509, a, crl, &errstr) ||
* Add validated CA certs to the RPKI auth tree.
*/
if (cert->purpose == CERT_PURPOSE_CA)
- auth_insert(&auths, cert, a);
+ auth_insert(file, &auths, cert, a);
return cert;
}
cert = ta_parse(file, cert, pkey, pkeysz);
if (cert == NULL)
return NULL;
-
- if (!valid_ta(file, &auths, cert)) {
- warnx("%s: certificate not a valid ta", file);
- cert_free(cert);
- return NULL;
- }
-
cert->talid = talid;
/*
* Add valid roots to the RPKI auth tree.
*/
- auth_insert(&auths, cert, NULL);
+ auth_insert(file, &auths, cert, NULL);
return cert;
}
if ((gbr = gbr_parse(&x509, file, entp->talid, der, len)) == NULL)
return NULL;
- a = valid_ski_aki(file, &auths, gbr->ski, gbr->aki, entp->mftaki);
+ a = find_issuer(file, entp->certid, gbr->aki, entp->mftaki);
crl = crl_get(&crlt, a);
/* return value can be ignored since nothing happens here */
if ((aspa = aspa_parse(&x509, file, entp->talid, der, len)) == NULL)
return NULL;
- a = valid_ski_aki(file, &auths, aspa->ski, aspa->aki, entp->mftaki);
+ a = find_issuer(file, entp->certid, aspa->aki, entp->mftaki);
crl = crl_get(&crlt, a);
if (!valid_x509(file, ctx, x509, a, crl, &errstr)) {
if ((tak = tak_parse(&x509, file, entp->talid, der, len)) == NULL)
return NULL;
- a = valid_ski_aki(file, &auths, tak->ski, tak->aki, entp->mftaki);
+ a = find_issuer(file, entp->certid, tak->aki, entp->mftaki);
crl = crl_get(&crlt, a);
if (!valid_x509(file, ctx, x509, a, crl, &errstr)) {
f, flen, entp->data, entp->datasz,
entp->talid);
else
- cert = proc_parser_cert(file, f, flen,
- entp->mftaki);
+ cert = proc_parser_cert(file, f, flen, entp);
if (cert != NULL)
mtime = cert->notbefore;
io_simple_buffer(b, &mtime, sizeof(mtime));
-/* $OpenBSD: repo.c,v 1.57 2024/04/21 19:27:44 claudio Exp $ */
+/* $OpenBSD: repo.c,v 1.58 2024/05/20 15:51:43 claudio Exp $ */
/*
* Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
* Database of all file path accessed during a run.
*/
struct filepath {
- RB_ENTRY(filepath) entry;
+ RB_ENTRY(filepath) entry;
char *file;
time_t mtime;
+ unsigned int talmask;
};
static inline int
-filepathcmp(struct filepath *a, struct filepath *b)
+filepathcmp(const struct filepath *a, const struct filepath *b)
{
return strcmp(a->file, b->file);
}
* Functions to lookup which files have been accessed during computation.
*/
int
-filepath_add(struct filepath_tree *tree, char *file, time_t mtime)
+filepath_add(struct filepath_tree *tree, char *file, int id, time_t mtime)
{
- struct filepath *fp;
+ struct filepath *fp, *rfp;
+
+ CTASSERT(TALSZ_MAX < 8 * sizeof(fp->talmask));
+ assert(id >= 0 && id < 8 * (int)sizeof(fp->talmask));
- if ((fp = malloc(sizeof(*fp))) == NULL)
+ if ((fp = calloc(1, sizeof(*fp))) == NULL)
err(1, NULL);
- fp->mtime = mtime;
if ((fp->file = strdup(file)) == NULL)
err(1, NULL);
+ fp->mtime = mtime;
- if (RB_INSERT(filepath_tree, tree, fp) != NULL) {
+ if ((rfp = RB_INSERT(filepath_tree, tree, fp)) != NULL) {
/* already in the tree */
free(fp->file);
free(fp);
- return 0;
+ if (rfp->talmask & (1 << id))
+ return 0;
+ fp = rfp;
}
+ fp->talmask |= (1 << id);
return 1;
}
/* write new content or mark uri as deleted. */
if (pt == PUB_DEL) {
- filepath_add(&rr->deleted, uri, 0);
+ filepath_add(&rr->deleted, uri, 0, 0);
} else {
fp = filepath_find(&rr->deleted, uri);
if (fp != NULL) {
-/* $OpenBSD: validate.c,v 1.73 2024/03/19 05:04:13 tb Exp $ */
+/* $OpenBSD: validate.c,v 1.74 2024/05/20 15:51:43 claudio Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
return valid_ip(a->issuer, afi, min, max);
}
-/*
- * Make sure the AKI is the same as the AKI listed on the Manifest,
- * and that the SKI doesn't already exist.
- * Return the issuer by its AKI, or NULL on failure.
- */
-struct auth *
-valid_ski_aki(const char *fn, struct auth_tree *auths,
- const char *ski, const char *aki, const char *mftaki)
-{
- struct auth *a;
-
- if (mftaki != NULL) {
- if (strcmp(aki, mftaki) != 0) {
- warnx("%s: AKI doesn't match Manifest AKI", fn);
- return NULL;
- }
- }
-
- if (auth_find(auths, ski) != NULL) {
- warnx("%s: RFC 6487: duplicate SKI", fn);
- return NULL;
- }
-
- a = auth_find(auths, aki);
- if (a == NULL)
- warnx("%s: RFC 6487: unknown AKI", fn);
-
- return a;
-}
-
-/*
- * Validate a trust anchor by making sure that the SKI is unique.
- * Returns 1 if valid, 0 otherwise.
- */
-int
-valid_ta(const char *fn, struct auth_tree *auths, const struct cert *cert)
-{
- /* SKI must not be a dupe. */
- if (auth_find(auths, cert->ski) != NULL) {
- warnx("%s: RFC 6487: duplicate SKI", fn);
- return 0;
- }
-
- return 1;
-}
-
/*
* Validate a non-TA certificate: make sure its IP and AS resources are
* fully covered by those in the authority key (which must exist).
projects / openbsd / commitdiff