Lines Matching refs:fn
51 append_ip(const char *fn, struct cert_ip *ips, size_t *num_ips, in append_ip() argument
54 if (!ip_addr_check_overlap(ip, fn, ips, *num_ips, 0)) in append_ip()
66 append_as(const char *fn, struct cert_as *ases, size_t *num_ases, in append_as() argument
69 if (!as_check_overlap(as, fn, ases, *num_ases, 0)) in append_as()
80 sbgp_as_range(const char *fn, struct cert_as *ases, size_t *num_ases, in sbgp_as_range() argument
90 "malformed AS identifier", fn); in sbgp_as_range()
96 "malformed AS identifier", fn); in sbgp_as_range()
102 "range is singular", fn); in sbgp_as_range()
106 "range is out of order", fn); in sbgp_as_range()
110 return append_as(fn, ases, num_ases, &as); in sbgp_as_range()
117 sbgp_as_id(const char *fn, struct cert_as *ases, size_t *num_ases, in sbgp_as_id() argument
127 "malformed AS identifier", fn); in sbgp_as_id()
132 "AS identifier zero is reserved", fn); in sbgp_as_id()
136 return append_as(fn, ases, num_ases, &as); in sbgp_as_id()
140 sbgp_as_inherit(const char *fn, struct cert_as *ases, size_t *num_ases) in sbgp_as_inherit() argument
147 return append_as(fn, ases, num_ases, &as); in sbgp_as_inherit()
151 sbgp_parse_assysnum(const char *fn, const ASIdentifiers *asidentifiers, in sbgp_parse_assysnum() argument
163 "should not have RDI values", fn); in sbgp_parse_assysnum()
169 "no AS number resource set", fn); in sbgp_parse_assysnum()
183 "unknown type %d", fn, asidentifiers->asnum->type); in sbgp_parse_assysnum()
188 warnx("%s: RFC 6487 section 4.8.11: empty asIdsOrRanges", fn); in sbgp_parse_assysnum()
193 fn, MAX_AS_SIZE); in sbgp_parse_assysnum()
201 if (!sbgp_as_inherit(fn, as, &num_ases)) in sbgp_parse_assysnum()
211 if (!sbgp_as_id(fn, as, &num_ases, aor->u.id)) in sbgp_parse_assysnum()
215 if (!sbgp_as_range(fn, as, &num_ases, aor->u.range)) in sbgp_parse_assysnum()
220 "unknown type %d", fn, aor->type); in sbgp_parse_assysnum()
242 sbgp_assysnum(const char *fn, struct cert *cert, X509_EXTENSION *ext) in sbgp_assysnum() argument
249 "extension not critical", fn); in sbgp_assysnum()
255 "failed extension parse", fn); in sbgp_assysnum()
259 if (!sbgp_parse_assysnum(fn, asidentifiers, &cert->ases, in sbgp_assysnum()
274 sbgp_addr(const char *fn, struct cert_ip *ips, size_t *num_ips, enum afi afi, in sbgp_addr() argument
284 if (!ip_addr_parse(bs, afi, fn, &ip.ip)) { in sbgp_addr()
286 "invalid IP address", fn); in sbgp_addr()
292 "IP address range reversed", fn); in sbgp_addr()
296 return append_ip(fn, ips, num_ips, &ip); in sbgp_addr()
304 sbgp_addr_range(const char *fn, struct cert_ip *ips, size_t *num_ips, in sbgp_addr_range() argument
314 if (!ip_addr_parse(range->min, afi, fn, &ip.range.min)) { in sbgp_addr_range()
316 "invalid IP address", fn); in sbgp_addr_range()
320 if (!ip_addr_parse(range->max, afi, fn, &ip.range.max)) { in sbgp_addr_range()
322 "invalid IP address", fn); in sbgp_addr_range()
328 "IP address range reversed", fn); in sbgp_addr_range()
332 return append_ip(fn, ips, num_ips, &ip); in sbgp_addr_range()
336 sbgp_addr_inherit(const char *fn, struct cert_ip *ips, size_t *num_ips, in sbgp_addr_inherit() argument
346 return append_ip(fn, ips, num_ips, &ip); in sbgp_addr_inherit()
350 sbgp_parse_ipaddrblk(const char *fn, const IPAddrBlocks *addrblk, in sbgp_parse_ipaddrblk() argument
368 fn, ipaddrblocksz); in sbgp_parse_ipaddrblk()
386 fn, af->ipAddressChoice->type); in sbgp_parse_ipaddrblk()
391 "empty ipAddressesOrRanges", fn); in sbgp_parse_ipaddrblk()
401 if (!ip_addr_afi_parse(fn, af->addressFamily, &afi)) { in sbgp_parse_ipaddrblk()
402 warnx("%s: RFC 3779: invalid AFI", fn); in sbgp_parse_ipaddrblk()
410 "IPv4 appears twice", fn); in sbgp_parse_ipaddrblk()
417 "IPv6 appears twice", fn); in sbgp_parse_ipaddrblk()
424 if (!sbgp_addr_inherit(fn, ips, &num_ips, afi)) in sbgp_parse_ipaddrblk()
433 if (!sbgp_addr(fn, ips, &num_ips, afi, in sbgp_parse_ipaddrblk()
438 if (!sbgp_addr_range(fn, ips, &num_ips, afi, in sbgp_parse_ipaddrblk()
444 "unknown type %d", fn, aor->type); in sbgp_parse_ipaddrblk()
467 sbgp_ipaddrblk(const char *fn, struct cert *cert, X509_EXTENSION *ext) in sbgp_ipaddrblk() argument
474 "extension not critical", fn); in sbgp_ipaddrblk()
480 "failed extension parse", fn); in sbgp_ipaddrblk()
484 if (!sbgp_parse_ipaddrblk(fn, addrblk, &cert->ips, &cert->num_ips)) in sbgp_ipaddrblk()
488 warnx("%s: RFC 6487 section 4.8.10: empty ipAddrBlock", fn); in sbgp_ipaddrblk()
504 sbgp_sia(const char *fn, struct cert *cert, X509_EXTENSION *ext) in sbgp_sia() argument
517 "extension not non-critical", fn); in sbgp_sia()
523 fn); in sbgp_sia()
533 if (!x509_location(fn, "SIA: caRepository", in sbgp_sia()
554 "ignoring location %s", fn, carepo); in sbgp_sia()
558 if (!x509_location(fn, "SIA: rpkiManifest", in sbgp_sia()
569 "ignoring location %s", fn, rpkimft); in sbgp_sia()
573 if (!x509_location(fn, "SIA: rpkiNotify", in sbgp_sia()
579 fn, cert->notify); in sbgp_sia()
585 fn); in sbgp_sia()
596 " accessMethod: %s", fn, buf); in sbgp_sia()
603 "or rpkiManifest", fn); in sbgp_sia()
609 warnx("%s: SIA: invalid rpkiManifest entry", fn); in sbgp_sia()
615 "characters", fn); in sbgp_sia()
622 "conflicting URIs for caRepository and rpkiManifest", fn); in sbgp_sia()
627 warnx("%s: RFC 6487 section 4.8.8: SIA: not an MFT file", fn); in sbgp_sia()
642 certificate_policies(const char *fn, struct cert *cert, X509_EXTENSION *ext) in certificate_policies() argument
653 "extension not critical", fn); in certificate_policies()
659 "failed extension parse", fn); in certificate_policies()
665 "want 1 policy, got %d", fn, sk_POLICYINFO_num(policies)); in certificate_policies()
678 "unexpected OID: %s, want %s", fn, pbuf, cbuf); in certificate_policies()
690 "want 1 policy qualifier, got %d", fn, in certificate_policies()
700 "want CPS, got %s", fn, nid2str(nid)); in certificate_policies()
705 warnx("%s: CPS %.*s", fn, qualifier->d.cpsuri->length, in certificate_policies()
715 cert_check_subject_and_issuer(const char *fn, const X509 *x) in cert_check_subject_and_issuer() argument
720 warnx("%s: X509_get_subject_name", fn); in cert_check_subject_and_issuer()
723 if (!x509_valid_name(fn, "subject", name)) in cert_check_subject_and_issuer()
727 warnx("%s: X509_get_issuer_name", fn); in cert_check_subject_and_issuer()
730 if (!x509_valid_name(fn, "issuer", name)) in cert_check_subject_and_issuer()
742 cert_parse_ee_cert(const char *fn, int talid, X509 *x) in cert_parse_ee_cert() argument
752 warnx("%s: RFC 6487 4.1: X.509 version must be v3", fn); in cert_parse_ee_cert()
756 if (!cert_check_subject_and_issuer(fn, x)) in cert_parse_ee_cert()
759 if (!x509_cache_extensions(x, fn)) in cert_parse_ee_cert()
762 if ((cert->purpose = x509_get_purpose(x, fn)) != CERT_PURPOSE_EE) { in cert_parse_ee_cert()
763 warnx("%s: expected EE cert, got %s", fn, in cert_parse_ee_cert()
770 if (!sbgp_ipaddrblk(fn, cert, ext)) in cert_parse_ee_cert()
776 if (!sbgp_assysnum(fn, cert, ext)) in cert_parse_ee_cert()
781 warnx("%s: X509_up_ref failed", fn); in cert_parse_ee_cert()
788 if (!constraints_validate(fn, cert)) in cert_parse_ee_cert()
804 cert_parse_pre(const char *fn, const unsigned char *der, size_t len) in cert_parse_pre() argument
829 warnx("%s: d2i_X509", fn); in cert_parse_pre()
833 warnx("%s: %td bytes trailing garbage", fn, oder + len - der); in cert_parse_pre()
837 if (!x509_cache_extensions(x, fn)) in cert_parse_pre()
841 warnx("%s: RFC 6487 4.1: X.509 version must be v3", fn); in cert_parse_pre()
846 warnx("%s: unknown signature type", fn); in cert_parse_pre()
851 warnx("%s: P-256 support is experimental", fn); in cert_parse_pre()
854 fn, nid2str(nid), LN_sha256WithRSAEncryption); in cert_parse_pre()
861 fn); in cert_parse_pre()
865 if (!cert_check_subject_and_issuer(fn, x)) in cert_parse_pre()
870 warnx("%s: certificate without X.509v3 extensions", fn); in cert_parse_pre()
884 if (!sbgp_ipaddrblk(fn, cert, ext)) in cert_parse_pre()
890 if (!sbgp_assysnum(fn, cert, ext)) in cert_parse_pre()
900 if (!sbgp_sia(fn, cert, ext)) in cert_parse_pre()
906 if (!certificate_policies(fn, cert, ext)) in cert_parse_pre()
943 fn, objn, OBJ_obj2nid(obj)); in cert_parse_pre()
949 if (!x509_get_aki(x, fn, &cert->aki)) in cert_parse_pre()
951 if (!x509_get_ski(x, fn, &cert->ski)) in cert_parse_pre()
953 if (!x509_get_aia(x, fn, &cert->aia)) in cert_parse_pre()
955 if (!x509_get_crl(x, fn, &cert->crl)) in cert_parse_pre()
957 if (!x509_get_notbefore(x, fn, &cert->notbefore)) in cert_parse_pre()
959 if (!x509_get_notafter(x, fn, &cert->notafter)) in cert_parse_pre()
963 cert->purpose = x509_get_purpose(x, fn); in cert_parse_pre()
969 warnx("%s: X509_get0_pubkey failed", fn); in cert_parse_pre()
972 if (!valid_ca_pkey(fn, pkey)) in cert_parse_pre()
976 warnx("%s: RFC 6487 section 4.8.8: missing SIA", fn); in cert_parse_pre()
980 warnx("%s: missing IP or AS resources", fn); in cert_parse_pre()
985 cert->pubkey = x509_get_pubkey(x, fn); in cert_parse_pre()
987 warnx("%s: x509_get_pubkey failed", fn); in cert_parse_pre()
991 warnx("%s: unexpected IP resources in BGPsec cert", fn); in cert_parse_pre()
997 " cert", fn); in cert_parse_pre()
1003 fn); in cert_parse_pre()
1008 warn("%s: unexpected EE cert", fn); in cert_parse_pre()
1011 warnx("%s: x509_get_purpose failed in %s", fn, __func__); in cert_parse_pre()
1016 warnx("%s: RFC 6487 section 8.4.2: missing SKI", fn); in cert_parse_pre()
1024 warnx("%s: RFC 5280 section 4.2: duplicate extension: %s", fn, in cert_parse_pre()
1033 cert_parse(const char *fn, struct cert *p) in cert_parse() argument
1040 "non-trust anchor missing AKI", fn); in cert_parse()
1045 "non-trust anchor AKI may not match SKI", fn); in cert_parse()
1049 warnx("%s: RFC 6487 section 8.4.7: AIA: extension missing", fn); in cert_parse()
1054 "no CRL distribution point extension", fn); in cert_parse()
1076 ta_check_validity(const char *fn, const struct cert *p, time_t now) in ta_check_validity() argument
1109 if (verbose == 0 && strncmp(fn, "ta/", strlen("ta/")) == 0) in ta_check_validity()
1115 "shorter validity period.", fn, warn_years); in ta_check_validity()
1121 "certificate will be rejected.", fn, warn_years, in ta_check_validity()
1131 ta_parse(const char *fn, struct cert *p, const unsigned char *pkey, in ta_parse() argument
1143 warnx("%s: RFC 6487 (trust anchor): bad TAL pubkey", fn); in ta_parse()
1147 warnx("%s: RFC 6487 (trust anchor): missing pubkey", fn); in ta_parse()
1152 "pubkey does not match TAL pubkey", fn); in ta_parse()
1157 warnx("%s: certificate not yet valid", fn); in ta_parse()
1161 warnx("%s: certificate has expired", fn); in ta_parse()
1164 if (!ta_check_validity(fn, p, now)) in ta_parse()
1169 "trust anchor AKI, if specified, must match SKI", fn); in ta_parse()
1174 "trust anchor must not have AIA", fn); in ta_parse()
1179 "trust anchor may not specify CRL resource", fn); in ta_parse()
1183 warnx("%s: expected trust anchor purpose, got %s", fn, in ta_parse()
1192 warnx("%s: failed to verify signature", fn); in ta_parse()
1196 warnx("%s: Trust anchor IP/AS resources may not inherit", fn); in ta_parse()
1345 auth_insert(const char *fn, struct auth_tree *auths, struct cert *cert, in auth_insert() argument
1360 warnx("%s: too many certificates in store", fn); in auth_insert()
1368 warnx("%s: maximum certificate chain depth exhausted", fn); in auth_insert()