and skip this distinction between invalid and failed certificates.
The difference between the two is getting more and more blurry.
OK tb@
-/* $OpenBSD: cert.c,v 1.43 2021/10/28 09:02:19 beck Exp $ */
+/* $OpenBSD: cert.c,v 1.44 2021/11/01 17:00:34 claudio Exp $ */
/*
* Copyright (c) 2021 Job Snijders <job@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
{
size_t i;
- io_simple_buffer(b, &p->valid, sizeof(int));
io_simple_buffer(b, &p->expires, sizeof(time_t));
io_simple_buffer(b, &p->purpose, sizeof(enum cert_purpose));
io_simple_buffer(b, &p->ipsz, sizeof(size_t));
if ((p = calloc(1, sizeof(struct cert))) == NULL)
err(1, NULL);
- io_read_buf(b, &p->valid, sizeof(int));
io_read_buf(b, &p->expires, sizeof(time_t));
io_read_buf(b, &p->purpose, sizeof(enum cert_purpose));
io_read_buf(b, &p->ipsz, sizeof(size_t));
return RB_FIND(auth_tree, auths, &a);
}
+int
+auth_insert(struct auth_tree *auths, struct cert *cert, struct auth *parent)
+{
+ struct auth *na;
+
+ na = malloc(sizeof(*na));
+ if (na == NULL)
+ err(1, NULL);
+
+ na->parent = parent;
+ na->cert = cert;
+
+ if (RB_INSERT(auth_tree, auths, na) != NULL)
+ err(1, "auth tree corrupted");
+
+ return 1;
+}
+
static inline int
authcmp(struct auth *a, struct auth *b)
{
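Review bot: auth_insert() can only ever return 1, because both failure paths (the malloc() check and the RB_INSERT collision) terminate the process through err(), so the `if (!auth_insert(...))` cleanup branches this commit adds to proc_parser_cert() and the root-certificate parser in parser.c are unreachable. Either have the RB_INSERT collision `return 0;` so the caller's cleanup actually runs, or state the contract above the definition, e.g. `/* Insert cert under parent into the auth tree. Always returns 1; exits on allocation failure or on a duplicate key. */`. The entry is taken from malloc() and only parent and cert are assigned; if struct auth has members beyond those and the RB entry (its definition is not in this hunk), `na = calloc(1, sizeof(*na));` avoids leaving them indeterminate.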
-/* $OpenBSD: extern.h,v 1.87 2021/11/01 09:12:18 claudio Exp $ */
+/* $OpenBSD: extern.h,v 1.88 2021/11/01 17:00:34 claudio Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
char *tal; /* basename of TAL for this cert */
enum cert_purpose purpose; /* Certificate Purpose (BGPSec or CA) */
char *pubkey; /* Subject Public Key Info */
- int valid; /* validated resources */
X509 *x509; /* the cert */
time_t expires; /* do not use after */
};
RB_HEAD(auth_tree, auth);
RB_PROTOTYPE(auth_tree, auth, entry, authcmp);
-struct auth *auth_find(struct auth_tree *, const char *);
+struct auth *auth_find(struct auth_tree *, const char *);
+int auth_insert(struct auth_tree *, struct cert *, struct auth *);
/*
* Resource types specified by the RPKI profiles.
size_t mfts_fail; /* failing syntactic parse */
size_t mfts_stale; /* stale manifests */
size_t certs; /* certificates */
- size_t certs_fail; /* failing syntactic parse */
- size_t certs_invalid; /* invalid resources */
+ size_t certs_fail; /* invalid certificate */
size_t roas; /* route origin authorizations */
size_t roas_fail; /* failing syntactic parse */
size_t roas_invalid; /* invalid resources */
size_t del_files; /* number of files removed in cleanup */
size_t del_dirs; /* number of directories removed in cleanup */
size_t brks; /* number of BGPsec Router Key (BRK) certificates */
- size_t brks_invalids; /* invalid BGPsec certs */
char *talnames;
struct timeval elapsed_time;
struct timeval user_time;
-/* $OpenBSD: main.c,v 1.159 2021/10/31 16:00:14 claudio Exp $ */
+/* $OpenBSD: main.c,v 1.160 2021/11/01 17:00:34 claudio Exp $ */
/*
* Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
}
cert = cert_read(b);
if (cert->purpose == CERT_PURPOSE_CA) {
- if (cert->valid) {
- /*
- * Process the revocation list from the
- * certificate *first*, since it might mark that
- * we're revoked and then we don't want to
- * process the MFT.
- */
- queue_add_from_cert(cert);
- } else
- st->certs_invalid++;
+ /*
+ * Process the revocation list from the
+ * certificate *first*, since it might mark that
+ * we're revoked and then we don't want to
+ * process the MFT.
+ */
+ queue_add_from_cert(cert);
} else if (cert->purpose == CERT_PURPOSE_BGPSEC_ROUTER) {
- if (cert->valid) {
- cert_insert_brks(brktree, cert);
- st->brks++;
- } else
- st->brks_invalids++;
+ cert_insert_brks(brktree, cert);
+ st->brks++;
} else
- st->certs_invalid++;
+ st->certs_fail++;
cert_free(cert);
break;
case RTYPE_MFT:
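Review bot: with cert->valid gone, a certificate that fails validation no longer reaches this switch (the parser now frees it and returns NULL), so the `st->certs_fail++` on the final else only counts certificates of an unexpected purpose. Whatever accounts for parser-side parse and validation failures must sit in the code before `cert = cert_read(b);`, which is outside this hunk; confirm it increments certs_fail, otherwise the `(%zu invalid)` figure logged later under-reports. A comment on the else branch such as `/* unexpected purpose; parser-side failures are tallied before cert_read() */` would record where each failure is counted — wording to be adjusted to what the preceding code actually does.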
(long long)stats.system_time.tv_sec);
logx("Route Origin Authorizations: %zu (%zu failed parse, %zu invalid)",
stats.roas, stats.roas_fail, stats.roas_invalid);
- logx("BGPsec Router Certificates: %zu (%zu invalid)",
- stats.brks, stats.brks_invalids);
- logx("Certificates: %zu (%zu failed parse, %zu invalid)",
- stats.certs, stats.certs_fail, stats.certs_invalid);
+ logx("BGPsec Router Certificates: %zu", stats.brks);
+ logx("Certificates: %zu (%zu invalid)",
+ stats.certs, stats.certs_fail);
logx("Trust Anchor Locators: %zu", stats.tals);
logx("Manifests: %zu (%zu failed parse, %zu stale)",
stats.mfts, stats.mfts_fail, stats.mfts_stale);
-/* $OpenBSD: output-json.c,v 1.20 2021/10/15 08:48:18 job Exp $ */
+/* $OpenBSD: output-json.c,v 1.21 2021/11/01 17:00:34 claudio Exp $ */
/*
* Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
*
"\t\t\"failedroas\": %zu,\n"
"\t\t\"invalidroas\": %zu,\n"
"\t\t\"bgpsec_pubkeys\": %zu,\n"
- "\t\t\"invalidbgpsec_pubkeys\": %zu,\n"
"\t\t\"certificates\": %zu,\n"
- "\t\t\"failcertificates\": %zu,\n"
"\t\t\"invalidcertificates\": %zu,\n"
"\t\t\"tals\": %zu,\n"
"\t\t\"talfiles\": \"%s\",\n"
hn, tbuf, (long long)st->elapsed_time.tv_sec,
(long long)st->user_time.tv_sec, (long long)st->system_time.tv_sec,
st->roas, st->roas_fail, st->roas_invalid,
- st->brks, st->brks_invalids,
- st->certs, st->certs_fail, st->certs_invalid,
+ st->brks, st->certs, st->certs_fail,
st->tals, st->talnames,
st->mfts, st->mfts_fail, st->mfts_stale,
st->crls,
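Review bot: dropping the `invalidbgpsec_pubkeys` and `failcertificates` keys from the JSON metadata and repurposing `invalidcertificates` to carry certs_fail is a visible output-schema change that consumers parsing this file may depend on; the text header rewritten in output.c changes in the same way. If the key set is documented anywhere (an output-format manual page, if the project has one), it needs updating together with this change. A comment beside the format string, `/* invalidcertificates covers both failed parse and failed validation */`, would help anyone comparing outputs across versions.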
-/* $OpenBSD: output.c,v 1.22 2021/10/11 16:50:03 job Exp $ */
+/* $OpenBSD: output.c,v 1.23 2021/11/01 17:00:34 claudio Exp $ */
/*
* Copyright (c) 2019 Theo de Raadt <deraadt@openbsd.org>
*
"# Generated on host %s at %s\n"
"# Processing time %lld seconds (%lld seconds user, %lld seconds system)\n"
"# Route Origin Authorizations: %zu (%zu failed parse, %zu invalid)\n"
- "# BGPsec Router Certificates: %zu (%zu invalid)\n"
- "# Certificates: %zu (%zu failed parse, %zu invalid)\n"
+ "# BGPsec Router Certificates: %zu\n"
+ "# Certificates: %zu (%zu invalid)\n"
"# Trust Anchor Locators: %zu (%s)\n"
"# Manifests: %zu (%zu failed parse, %zu stale)\n"
"# Certificate revocation lists: %zu\n"
hn, tbuf, (long long)st->elapsed_time.tv_sec,
(long long)st->user_time.tv_sec, (long long)st->system_time.tv_sec,
st->roas, st->roas_fail, st->roas_invalid,
- st->brks, st->brks_invalids,
- st->certs, st->certs_fail, st->certs_invalid,
+ st->brks, st->certs, st->certs_fail,
st->tals, st->talnames,
st->mfts, st->mfts_fail, st->mfts_stale,
st->crls,
-/* $OpenBSD: parser.c,v 1.22 2021/11/01 09:12:18 claudio Exp $ */
+/* $OpenBSD: parser.c,v 1.23 2021/11/01 17:00:34 claudio Exp $ */
/*
* Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
struct cert *cert;
X509 *x509;
int c;
- struct auth *a = NULL, *na;
+ struct auth *a = NULL;
STACK_OF(X509) *chain;
STACK_OF(X509_CRL) *crls;
sk_X509_free(chain);
sk_X509_CRL_free(crls);
+ if ((cert->tal = strdup(a->cert->tal)) == NULL)
+ err(1, NULL);
+
/* Validate the cert to get the parent */
if (!valid_cert(entp->file, &auths, cert)) {
X509_free(x509); // needed? XXX
- return cert;
+ cert_free(cert);
+ return NULL;
}
/*
* Add validated certs to the RPKI auth tree.
*/
-
- cert->valid = 1;
- if ((cert->tal = strdup(a->cert->tal)) == NULL)
- err(1, NULL);
-
- na = malloc(sizeof(*na));
- if (na == NULL)
- err(1, NULL);
- na->parent = a;
- na->cert = cert;
-
- if (RB_INSERT(auth_tree, &auths, na) != NULL)
- err(1, "auth tree corrupted");
+ if (!auth_insert(&auths, cert, a)) {
+ X509_free(x509); // needed? XXX
+ cert_free(cert);
+ return NULL;
+ }
return cert;
}
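Review bot: `strdup(a->cert->tal)` now runs before valid_cert(), whereas the old code dereferenced `a` only after validation had succeeded; this is safe only if the chain verification earlier in proc_parser_cert() (outside this hunk) cannot succeed with `a == NULL`, so that invariant deserves a line such as `/* a is non-NULL here: verification above requires a parent */` — confirm against the start of the function. The failure path added after valid_cert() calls both `X509_free(x509)` and `cert_free(cert)`; if cert_free() also releases cert->x509 and that pointer aliases x509, this is a double free, and the pre-existing `// needed? XXX` comment suggests that question was never settled — it should be resolved rather than copied into a second site. Since auth_insert() as added in cert.c cannot return 0, the `if (!auth_insert(&auths, cert, a))` branch is dead code.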
X509_NAME *name;
struct cert *cert;
X509 *x509;
- struct auth *na;
assert(entp->has_data);
goto badcert;
}
- /*
- * Add valid roots to the RPKI auth tree.
- */
-
- cert->valid = 1;
if ((cert->tal = strdup(entp->descr)) == NULL)
err(1, NULL);
- na = malloc(sizeof(*na));
- if (na == NULL)
- err(1, NULL);
- na->parent = NULL;
- na->cert = cert;
-
- if (RB_INSERT(auth_tree, &auths, na) != NULL)
- err(1, "auth tree corrupted");
+ /*
+ * Add valid roots to the RPKI auth tree.
+ */
+ if (!auth_insert(&auths, cert, NULL)) {
+ X509_free(x509); // needed? XXX
+ cert_free(cert);
+ return NULL;
+ }
return cert;
badcert:
X509_free(x509); // needed? XXX
- return cert;
+ cert_free(cert);
+ return NULL;
}
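Review bot: the X509_free()/cert_free()/`return NULL` sequence now appears twice in this function, once in the auth_insert() failure branch and once under `badcert:`; the branch could be `if (!auth_insert(&auths, cert, NULL)) goto badcert;` (or dropped, since auth_insert() as added in cert.c cannot return 0). The `badcert:` label now frees cert, so every `goto badcert` earlier in the function — its start is outside this hunk — must only be reachable once cert has been assigned; if cert_free(NULL) is a no-op, a comment at the label saying so would make that safe by construction — confirm.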
/*