mirror/nlnetlabs-routinator
1
0
Fork 0
mirror of https://github.com/NLnetLabs/routinator.git synced 2024-05-19 06:50:04 +00:00
Code Issues Releases Activity

Adjust error handling to rpki-rs 0.15. (#755)

Browse Source
This commit is contained in:
Martin Hoffmann
2022-08-09 15:47:09 +02:00
committed by GitHub
parent d8481b3639
commit 540421de97
9 changed files with 305 additions and 305 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.github/workflows/ci.yml vendored
View File

@ -13,7 +13,7 @@ jobs:
strategy:
matrix:
os: [ubuntu-latest, windows-latest, macOS-latest]
rust: [1.56.0, stable, beta]
rust: [1.56.1, stable, beta]
steps:
- name: Checkout repository
uses: actions/checkout@v2

461
Cargo.lock generated
View File

File diff suppressed because it is too large Load Diff

7
Cargo.toml
View File

@ -33,8 +33,8 @@ pin-project-lite = "0.2.4"
rand = "0.8.1"
reqwest = { version = "0.11.0", default-features = false, features = ["blocking", "rustls-tls" ] }
ring = "0.16.12"
routecore = "0.1.1"
rpki = { version = "0.14.2", features = [ "repository", "rrdp", "rtr", "serde", "slurm" ] }
routecore = "0.2"
rpki = { version = "0.15", features = [ "repository", "rrdp", "rtr", "serde", "slurm" ] }
rustls-pemfile = "0.3.0"
serde = { version = "1.0.95", features = [ "derive" ] }
serde_json = "1.0.57"
@ -43,7 +43,7 @@ tokio = { version = "1.0", features = [ "io-util", "macros", "process"
tokio-rustls = "0.23.2"
tokio-stream = { version = "0.1", features = ["net"] }
toml = "0.5.6"
uuid = "0.8.1"
uuid = "1.1"
routinator-ui = { version = "0.3.4", optional = true }
@ -53,7 +53,6 @@ syslog = "5.0.0"
[features]
default = [ "socks", "ui"]
extra-debug = ["rpki/extra-debug"]
socks = [ "reqwest/socks" ]
rta = []
native-tls = [ "reqwest/native-tls", "tls" ]

2
doc/manual/source/building.rst
View File

@ -50,7 +50,7 @@ though not all of them are equally supported. The official `Rust Platform
Support`_ page provides an overview of the various support levels.
While some system distributions include Rust as system packages, Routinator
relies on a relatively new version of Rust, currently 1.56 or newer. We
relies on a relatively new version of Rust, currently 1.56.1 or newer. We
therefore suggest to use the canonical Rust installation via a tool called
:program:`rustup`.

2
src/collector/rrdp.rs
View File

@ -36,7 +36,7 @@ use reqwest::header;
use reqwest::{Certificate, Proxy, StatusCode};
use reqwest::blocking::{Client, ClientBuilder, RequestBuilder, Response};
use rpki::{rrdp, uri};
use rpki::repository::crypto::DigestAlgorithm;
use rpki::crypto::DigestAlgorithm;
use rpki::rrdp::{DeltaInfo, NotificationFile, ProcessDelta, ProcessSnapshot};
use uuid::Uuid;
use crate::config::Config;

124
src/engine.rs
View File

@ -29,14 +29,15 @@ use bytes::Bytes;
use crossbeam_queue::{ArrayQueue, SegQueue};
use crossbeam_utils::thread;
use log::{debug, error, warn};
use rpki::crypto::keys::KeyIdentifier;
use rpki::repository::cert::{Cert, KeyUsage, ResourceCert};
use rpki::repository::crl::Crl;
use rpki::repository::crypto::keys::KeyIdentifier;
use rpki::repository::error::{InspectionError, ValidationError};
use rpki::repository::manifest::{Manifest, ManifestContent, ManifestHash};
use rpki::repository::roa::{Roa, RouteOriginAttestation};
use rpki::repository::sigobj::SignedObject;
use rpki::repository::tal::{Tal, TalInfo, TalUri};
use rpki::repository::x509::{Time, ValidationError, Validity};
use rpki::repository::x509::{Time, Validity};
use rpki::uri;
use crate::{collector, store};
use crate::config::{Config, FilterPolicy};
@ -472,8 +473,8 @@ impl<'a, P: ProcessRun> Run<'a, P> {
task.tal.info().clone(), self.validation.strict
) {
Ok(cert) => CaCert::root(cert, uri.clone(), task.index),
Err(_) => {
warn!("Trust anchor {}: doesnt validate.", uri);
Err(err) => {
warn!("Trust anchor {}: {}.", uri, err);
continue;
}
};
@ -793,9 +794,9 @@ impl<'a, P: ProcessRun> PubPoint<'a, P> {
manifest_bytes.clone(), self.run.validation.strict
) {
Ok(manifest) => manifest,
Err(_) => {
Err(err) => {
self.metrics.invalid_manifests += 1;
warn!("{}: failed to decode", self.cert.rpki_manifest());
warn!("{}: {}.", self.cert.rpki_manifest(), err);
return Ok(None)
}
};
@ -803,9 +804,9 @@ impl<'a, P: ProcessRun> PubPoint<'a, P> {
self.cert.cert(), self.run.validation.strict
) {
Ok(some) => some,
Err(_) => {
Err(err) => {
self.metrics.invalid_manifests += 1;
warn!("{}: failed to validate", self.cert.rpki_manifest());
warn!("{}: {}.", self.cert.rpki_manifest(), err);
return Ok(None)
}
};
@ -920,15 +921,17 @@ impl<'a, P: ProcessRun> PubPoint<'a, P> {
// Decode and validate the CRL.
let mut crl = match Crl::decode(crl_bytes.clone()) {
Ok(crl) => crl,
Err(_) => {
Err(err) => {
self.metrics.invalid_crls += 1;
warn!("{}: failed to decode.", crl_uri);
warn!("{}: {}.", crl_uri, err);
return Ok(None)
}
};
if crl.validate(self.cert.cert().subject_public_key_info()).is_err() {
if let Err(err) = crl.verify_signature(
self.cert.cert().subject_public_key_info()
) {
self.metrics.invalid_crls += 1;
warn!("{}: failed to validate.", crl_uri);
warn!("{}: {}.", crl_uri, err);
return Ok(None)
}
if crl.is_stale() {
@ -982,7 +985,7 @@ impl<'a, P: ProcessRun> PubPoint<'a, P> {
// We dont seem to have this point in the store either.
// Warn and return.
warn!(
"{}: No valid manifest found.",
"{}: no valid manifest found.",
self.cert.rpki_manifest()
);
self.metrics.missing_manifests += 1;
@ -1024,26 +1027,26 @@ impl<'a, P: ProcessRun> PubPoint<'a, P> {
fn validate_stored_manifest(
&mut self,
stored_manifest: StoredManifest,
) -> Result<ValidPointManifest, ValidationError> {
) -> Result<ValidPointManifest, Failed> {
// Decode and validate the manifest.
let manifest = match Manifest::decode(
stored_manifest.manifest().clone(), self.run.validation.strict
) {
Ok(manifest) => manifest,
Err(_) => {
warn!("{}: failed to decode", self.cert.rpki_manifest());
Err(err) => {
warn!("{}: {}.", self.cert.rpki_manifest(), err);
self.metrics.invalid_manifests += 1;
return Err(ValidationError);
return Err(Failed);
}
};
let (ee_cert, content) = match manifest.validate(
self.cert.cert(), self.run.validation.strict
) {
Ok(some) => some,
Err(_) => {
warn!("{}: failed to validate", self.cert.rpki_manifest());
Err(err) => {
warn!("{}: {}.", self.cert.rpki_manifest(), err);
self.metrics.invalid_manifests += 1;
return Err(ValidationError);
return Err(Failed);
}
};
if content.is_stale() {
@ -1052,7 +1055,7 @@ impl<'a, P: ProcessRun> PubPoint<'a, P> {
FilterPolicy::Reject => {
warn!("{}: stale manifest", self.cert.rpki_manifest());
self.metrics.invalid_manifests += 1;
return Err(ValidationError);
return Err(Failed);
}
FilterPolicy::Warn => {
warn!("{}: stale manifest", self.cert.rpki_manifest());
@ -1071,25 +1074,27 @@ impl<'a, P: ProcessRun> PubPoint<'a, P> {
self.cert.rpki_manifest()
);
self.metrics.invalid_manifests += 1;
return Err(ValidationError)
return Err(Failed)
}
};
// Decode and validate the CRL.
let mut crl = match Crl::decode(stored_manifest.crl().clone()) {
Ok(crl) => crl,
Err(_) => {
warn!("{}: failed to decode.", crl_uri);
Err(err) => {
warn!("{}: {}.", crl_uri, err);
self.metrics.invalid_manifests += 1;
self.metrics.invalid_crls += 1;
return Err(ValidationError)
return Err(Failed)
}
};
if crl.validate(self.cert.cert().subject_public_key_info()).is_err() {
warn!("{}: failed to validate.", crl_uri);
if let Err(err) = crl.verify_signature(
self.cert.cert().subject_public_key_info()
) {
warn!("{}: {}.", crl_uri, err);
self.metrics.invalid_manifests += 1;
self.metrics.invalid_crls += 1;
return Err(ValidationError)
return Err(Failed)
}
if crl.is_stale() {
self.metrics.stale_crls += 1;
@ -1098,7 +1103,7 @@ impl<'a, P: ProcessRun> PubPoint<'a, P> {
warn!("{}: stale CRL.", crl_uri);
self.metrics.invalid_manifests += 1;
self.metrics.invalid_crls += 1;
return Err(ValidationError)
return Err(Failed)
}
FilterPolicy::Warn => {
warn!("{}: stale CRL.", crl_uri);
@ -1122,7 +1127,7 @@ impl<'a, P: ProcessRun> PubPoint<'a, P> {
self.cert.rpki_manifest()
);
self.metrics.invalid_manifests += 1;
return Err(ValidationError)
return Err(Failed)
}
self.metrics.valid_manifests += 1;
@ -1219,8 +1224,8 @@ impl<'a, P: ProcessRun> PubPoint<'a, P> {
) -> Result<(), Failed> {
let cert = match Cert::decode(content) {
Ok(cert) => cert,
Err(_) => {
warn!("{}: failed to decode.", uri);
Err(err) => {
warn!("{}: {}.", uri, err);
manifest.metrics.invalid_certs += 1;
return Ok(())
}
@ -1250,13 +1255,14 @@ impl<'a, P: ProcessRun> PubPoint<'a, P> {
self.cert.cert(), self.run.validation.strict
) {
Ok(cert) => cert,
Err(_) => {
warn!("{}: CA certificate failed to validate.", uri);
Err(err) => {
warn!("{}: {}.", uri, err);
manifest.metrics.invalid_certs += 1;
return Ok(())
}
};
if manifest.check_crl(uri, &cert).is_err() {
if let Err(err) = manifest.check_crl(&cert) {
warn!("{}: {}.", uri, err);
manifest.metrics.invalid_certs += 1;
return Ok(())
}
@ -1307,14 +1313,15 @@ impl<'a, P: ProcessRun> PubPoint<'a, P> {
&mut self, uri: &uri::Rsync, cert: Cert,
manifest: &mut ValidPointManifest,
) -> Result<(), Failed> {
if cert.validate_router(
if let Err(err) = cert.validate_router(
self.cert.cert(), self.run.validation.strict
).is_err() {
warn!("{}: router certificate failed to validate.", uri);
) {
warn!("{}: {}.", uri, err);
manifest.metrics.invalid_certs += 1;
return Ok(())
};
if manifest.check_crl(uri, &cert).is_err() {
if let Err(err) = manifest.check_crl(&cert) {
warn!("{}: {}.", uri, err);
manifest.metrics.invalid_certs += 1;
return Ok(())
}
@ -1332,8 +1339,8 @@ impl<'a, P: ProcessRun> PubPoint<'a, P> {
content, self.run.validation.strict
) {
Ok(roa) => roa,
Err(_) => {
warn!("{}: decoding failed.", uri);
Err(err) => {
warn!("{}: {}.", uri, err);
manifest.metrics.invalid_roas += 1;
return Ok(())
}
@ -1341,15 +1348,15 @@ impl<'a, P: ProcessRun> PubPoint<'a, P> {
match roa.process(
self.cert.cert(),
self.run.validation.strict,
|cert| manifest.check_crl(uri, cert)
|cert| manifest.check_crl(cert)
) {
Ok((cert, route)) => {
manifest.metrics.valid_roas += 1;
self.processor.process_roa(uri, cert, route)?
}
Err(_) => {
Err(err) => {
manifest.metrics.invalid_roas += 1;
warn!("{}: validation failed.", uri)
warn!("{}: {}.", uri, err)
}
}
Ok(())
@ -1364,8 +1371,8 @@ impl<'a, P: ProcessRun> PubPoint<'a, P> {
content, self.run.validation.strict
) {
Ok(obj) => obj,
Err(_) => {
warn!("{}: decoding failed.", uri);
Err(err) => {
warn!("{}: {}.", uri, err);
manifest.metrics.invalid_gbrs += 1;
return Ok(())
}
@ -1373,15 +1380,15 @@ impl<'a, P: ProcessRun> PubPoint<'a, P> {
match obj.process(
self.cert.cert(),
self.run.validation.strict,
|cert| manifest.check_crl(uri, cert)
|cert| manifest.check_crl(cert)
) {
Ok((cert, content)) => {
manifest.metrics.valid_gbrs += 1;
self.processor.process_gbr(uri, cert, content)?
}
Err(_) => {
Err(err) => {
manifest.metrics.invalid_gbrs += 1;
warn!("{}: validation failed.", uri)
warn!("{}: {}.", uri, err)
}
}
Ok(())
@ -1424,25 +1431,26 @@ struct ValidPointManifest {
impl ValidPointManifest {
/// Checks whether `cert` has been revoked.
fn check_crl(
&self, uri: &uri::Rsync, cert: &Cert
) -> Result<(), ValidationError> {
fn check_crl(&self, cert: &Cert) -> Result<(), ValidationError> {
let crl_uri = match cert.crl_uri() {
Some(some) => some,
None => {
warn!("{}: certificate has no CRL URI", uri);
return Err(ValidationError)
return Err(InspectionError::new(
"certificate has no CRL URI"
).into())
}
};
if *crl_uri != self.crl_uri {
warn!("{}: certifacte's CRL differs from manifest's.", uri);
return Err(ValidationError)
return Err(InspectionError::new(
"certifacte's CRL differs from manifest's"
).into())
}
if self.crl.contains(cert.serial_number()) {
warn!("{}: certificate has been revoked.", uri);
return Err(ValidationError)
return Err(InspectionError::new(
"certifacte has been revoked"
).into())
}
Ok(())

2
src/rta.rs
View File

@ -3,9 +3,9 @@ use std::sync::atomic::{AtomicBool, Ordering};
use rpki::uri;
use rpki::repository::rta;
use rpki::repository::cert::ResourceCert;
use rpki::repository::error::ValidationError;
use rpki::repository::rta::{ResourceTaggedAttestation, Rta};
use rpki::repository::tal::{Tal, TalUri};
use rpki::repository::x509::ValidationError;
use crate::config::Config;
use crate::engine::{CaCert, ProcessPubPoint, ProcessRun, Engine};
use crate::error::Failed;

8
src/store.rs
View File

@ -70,11 +70,11 @@ use bytes::Bytes;
use chrono::{TimeZone, Utc};
use log::{debug, error, warn};
use rand::random;
use rpki::repository::Cert;
use rpki::repository::crypto::digest::DigestAlgorithm;
use rpki::crypto::digest::DigestAlgorithm;
use rpki::repository::cert::Cert;
use rpki::repository::manifest::ManifestHash;
use rpki::repository::tal::TalUri;
use rpki::repository::x509::{Time, ValidationError};
use rpki::repository::x509::Time;
use rpki::uri;
use crate::collector;
use crate::config::Config;
@ -1066,6 +1066,7 @@ impl StoredObject {
Ok(())
}
/* XXX WHY DOES THIS EXIST BUT IS UNUSED?
/// Verifies that the object matches the given hash.
///
/// This will be a simple comparison if both hashes use the same algorithm
@ -1087,6 +1088,7 @@ impl StoredObject {
hash.verify(&self.content)
}
*/
/// Returns the URI of the object.
pub fn uri(&self) -> &uri::Rsync {

2
src/utils/uri.rs
View File

@ -5,7 +5,7 @@ use std::net::IpAddr;
use std::path::PathBuf;
use std::str::FromStr;
use rpki::uri;
use rpki::repository::crypto::{Digest, DigestAlgorithm};
use rpki::crypto::{Digest, DigestAlgorithm};
//------------ UriExt --------------------------------------------------------