summaryrefslogtreecommitdiff
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* DNSSEC validation improvements.Linus Nordberg2016-04-133-65/+146
| | | | | | Use DS signature inception time as the DNSSEC validation time. Validate input data a bit more. Set TTL in DS to "Original TTL" of RRSIG (this time for real).
* Make unit tests work again and move rrset files.Linus Nordberg2016-04-111-4/+4
|
* Get submitting and storing working.Linus Nordberg2016-04-083-34/+34
| | | | | | | | | | | | | Add README.dnssec. Do start the dnssecport server. Add config option 'trust_anchors_file'. Pass correct data to validation server. Change URL for submitting to match draft (add-rr-chain). Make add-rr-chain take a base64-encoded string of RR's instead of JSON list with one RR per entry. TODO: Make the python tools know enough DNS to be able to verify SCT's and such (i.e. 'make tests').
* Add knot config dir for local root, for testing.Linus Nordberg2016-04-071-1/+1
|
* Canonicalise DS RR and refactor dns a bit.Linus Nordberg2016-04-073-33/+70
| | | | | | Rename split_rrset/1 -> decode_rrset/1. Add type rr() and use it. Canonicalise DS RR.
* Add unit test for validation, from dnssecport:handle_call().Linus Nordberg2016-04-073-46/+153
| | | | | | | | - The port now returns the RRset (DS, chain, trust root and all RRSIG's). This in preparatino for when this data will be normalised. - dnssecport decodes and encodes DNS data. - v1 stores the DS RR in the leaf and the rest, including the DS RRSIG, in the chain.
* WIPLinus Nordberg2016-04-073-26/+163
|
* Allow larger HTTP requests.gaol6Linus Nordberg2016-02-211-1/+1
| | | | 1MB -> 4MB.
* Add config knob max_submit_size.Linus Nordberg2016-02-011-1/+12
| | | | | If a blob is larger than this, in octets, after Base64 decoding, the submission is rejected with 400.
* Change application URL to open/gaol/v1.Linus Nordberg2016-02-011-1/+1
|
* Base64-decode submitted blobs and treat them as leaf certs.Linus Nordberg2016-02-012-19/+20
|
* Accept any kind of submitted data, not only X.509 certificate chains.Linus Nordberg2016-02-012-39/+13
| | | | | | | | Have add_chain() take a blob instead of a cert leaf and a chain. Rename ct/v1/add-chain -> add-blob. Remove ct/v1/add-pre-chain. Remove chain checking code. Generate allowed_client config matching new HTTP API.
* No need to strip "/" from path really.parametrise_urlLinus Nordberg2015-11-131-5/+5
|
* Parametrise "application part" of URL.Linus Nordberg2015-11-132-15/+28
| | | | | Breaking out "ct/v1" to a separate argument to request(). Good for other applications.
* Whitespace.Linus Nordberg2015-11-132-16/+26
|
* Verify MTL against leaf hash before returning get-entries.Linus Nordberg2015-09-151-3/+4
| | | | Closes CATLFISH-50.
* Wrap entries in plop wrapperMagnus Ahltorp2015-08-191-12/+11
|
* Don't cons an improper list when serialising extra data for a precert.Linus Nordberg2015-08-191-1/+1
|
* Rename extra_data/3 and move it some.Linus Nordberg2015-08-071-14/+14
|
* Return correct extra-data for precerts too (closes CATLFISH-56).Linus Nordberg2015-08-061-57/+60
| | | | Verify precerts in make tests too.
* Always store and return root certificate (closes CATLFISH-55).Linus Nordberg2015-08-031-8/+7
|
* Implement rate limiting of add_chainMagnus Ahltorp2015-06-123-27/+135
|
* Don't answer public requests if STH is too old or nonexistentMagnus Ahltorp2015-06-121-0/+28
|
* Remove unused temporary variable.Linus Nordberg2015-06-101-9/+7
|
* Add verification of whole entry. Implement library call for plop verification.Magnus Ahltorp2015-06-101-6/+44
|
* Fix CATLFISH-45.Linus Nordberg2015-05-111-6/+4
| | | | https://project.nordu.net/browse/CATLFISH-45
* Rename html/2 to err400/2.Linus Nordberg2015-05-061-17/+17
|
* Dialyzer clean.Linus Nordberg2015-05-063-20/+23
|
* Remove an extra annoying debug log printout.Linus Nordberg2015-04-101-3/+0
|
* Fix copyright strings.Linus Nordberg2015-04-096-6/+6
|
* Verify that database entry actually contains the certificateMagnus Ahltorp2015-04-071-3/+6
|
* Cleanup tests and use urllib2.build_openerMagnus Ahltorp2015-03-311-2/+14
| | | | | | | | | Remove unused files Generate test config files directly in release directory Move test database files to "tests" directory Generate log key when preparing tests Report error when STH not found in v1.erl Make merge, fetchallcerts, submitcert, verifysct, and testcase1 take log key as argument
* Allow non-TLS httpMagnus Ahltorp2015-03-312-17/+23
| | | | Closes CATLFISH-31
* Provide function for calculating entryhash from entryMagnus Ahltorp2015-03-271-0/+25
|
* Store rejected certificates.Linus Nordberg2015-03-251-52/+94
| | | | | | | Not storing the full chain, which would be even more useful. No rate limiting, which would be good. Also, reorganise some in x509.erl and add tests.
* Clarify that 0.test.pem is not a valid #'OTPCertificate'{}.Linus Nordberg2015-03-241-14/+14
| | | | Also some cosmetic changes.
* Add spec's for most functions.Linus Nordberg2015-03-232-11/+9
| | | | NOTE: We're not dialyzer clean yet.
* Formatting; remove debug printouts.Linus Nordberg2015-03-232-49/+21
|
* Add precert handling.Linus Nordberg2015-03-233-160/+382
|
* Cache SCT:sMagnus Ahltorp2015-03-081-12/+31
|
* Save STH instead of calculating a new one each time.Magnus Ahltorp2015-03-041-10/+2
|
* Added authentication between frontend and storage nodesMagnus Ahltorp2015-02-271-4/+28
|
* Fix a bug where verification of EC signatures made us crash.Linus Nordberg2015-02-271-33/+40
| | | | | Also, have valid_chain_p return boolean, add some debug logging and detect invalid signature types instead of crashing.
* Verify that known roots are indeed signing themselves.Linus Nordberg2015-02-272-22/+52
| | | | | | | This filters out certificates with signing algorithms that we can't handle. Also, make unit tests better.
* Even more debug logging.Linus Nordberg2015-02-251-0/+3
|
* Add debug logging.Linus Nordberg2015-02-251-0/+5
| | | | Trying to figure out why public_key:verify isn't found in docker images.
* Log time spent serving a requestMagnus Ahltorp2015-02-201-0/+3
|
* Make mochiweb pool size configurableMagnus Ahltorp2015-02-201-0/+1
|
* Stop validating that cert.issuer matches issuer.subject.Linus Nordberg2015-02-201-46/+27
| | | | | | | | | | Even canoncalized versions of this data mismatch in otherwise proper chains. Since we're not here to validate chains for any other reasons than attribution and spam control, let's stop validate cert.issuer==candidate.subject. We still verify the cryptographic chain with signatures of tbsCertificates of course. Resolves CATLFISH-19.
* Make unit tests work again.Linus Nordberg2015-02-194-28/+32
| | | | Makefile target 'check' runs them.