This installs stuff in the right places to run anchor from the
included startup scripts. The config is installed into /etc/anchor.
This will work from within a venv or without.
The anchor config.py file has been moved into the project package
so that it will install with the other stuff. Eventually we should
strip it out as much as possible and move the details into the JSON
file.
Change-Id: Iffaa7669ce8118fbd41011f9e965704c2ad51b44

In Python 3 __ne__ by default delegates to __eq__ and inverts the
result, but in Python 2 they urge you to define __ne__ when you
define __eq__ for it to work properly [1]. There are no implied
relationships among the comparison operators. The truth of x==y
does not imply that x!=y is false. Accordingly, when defining __eq__(),
one should also define __ne__() so that the operators will behave
as expected.
[1] https://docs.python.org/2/reference/datamodel.html#object.__ne__
Change-Id: Iebabc4deea0aadbec4e73aae52e78bfd84209379

The original validator checked for domain labels as defined by RFC1034; however, the real
internet deals with other domains as well - starting with digits or symbols.
This change allows modifying the pattern to allow custom / relaxed rules.
Validation has been removed from adding a domain to a new extension, since it's
only used in fixups and the domain should already be validated (or not, if not
configured).
Closes-bug: 1592489
Change-Id: Ib453054ba5f554bab28cff392c539e713fa28918

For known, but deprecated algorithms (md{2,4,5}, sha1), log a better message
rather than just the OID of the rejected algorithm.
Change-Id: I004cbfe486657a80f482e506e4e1fc9396564391

The oslo_utils library already contains a constant_time_compare
function and the Anchor version is nearly identical. Might as
well use the global util rather than have a copy of its own.
Change-Id: Iaf02c20560ca244d244a88127996139f8abcce9b

Move signature validation to standards validators. Remove old validator entries
from the setup.cfg.
Partial-Bug: #1548610
Change-Id: I667b0ad1a49766c2df09489ea3a11e0e77bc4333

Prepare for new signing backend implementations which reuse the existing
functionality. This abstracts most of the current signing function, so that the
signature generation itself can be replaced.
Change-Id: I99a28f4bcb08f010f397faf49e23276672977bc1

Don't return a name which points back to the certificate internals anymore. Use
copies of the name everywhere.
Change-Id: I578df2de4128f5865c6c2363fee6f75a219bf9c7
Closes-bug: 1491083

If the subjectAlternativeKey is available in the CA, use it as authority key on
the new certificate. Otherwise embed the serial number.
The key id is included in the signed certificates according to
RFC5280 section-4.2.1.1. Anchor uses the first recommended method of keyid
generation. The behaviour matches openssl.
Change-Id: I883f8d5d9dc3430443aa08fdf2448bf385575557

Incoming CMC requests should be stripped of all wrappers, then the internal
pkcs10 request is processed as usual. No verification is done on the SignedData
wrapper, because there's no known certificate to trust.
Response is just the bare certificate for now.
Change-Id: I92c76df775e5f339ac2fae95582097e3afe138af

Names cannot be parsed if the type is unknown. Just return the string "UNKNOWN"
as a value in that case.
Change-Id: I12889b139907e0bd852ad842ad5b7d027adb0949

Add the support for actually sending the audit messages, or logging them
using the standard logging mechanisms.
Change-Id: I98067da8db4987f9f9859a8c6d5443a94677f856

Previous name validators have multiple issues. They do not prevent
unknown entries from passing through. They require repeating rules for
various name locations (cn, san). They also disregard wildcards when
matching only the suffix. The inflexible configuration also makes
specific validators like server_group required.
The new validator whitelist_names solves all those issues and allows
deprecating the old validators.
Implements: blueprint validator-improvement
Change-Id: Id31889f735eb34323f21a91d68a50602351f6611

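The weaknesses listed in the commit message above (unknown entries passing through, and wildcards slipping past a suffix-only match) are illustrated in the following added example. It is not Anchor's whitelist_names code and not part of the commit; the function names, the (type, value) name representation and the sample domains are assumptions made for the illustration.

```python
# Added illustration, not Anchor code. Names are modelled as (type, value)
# pairs gathered from both the subject CN and the SAN extension (assumption),
# so one rule set covers every name location.

ALLOWED_SUFFIXES = [".example.com"]   # constructed sample policy
KNOWN_TYPES = {"dns"}                 # only types the policy can judge


def suffix_only_check(names):
    """Weak form: skips unknown types and matches DNS names by suffix only."""
    for kind, value in names:
        if kind != "dns":
            continue  # unknown entry passes through unchecked
        if not any(value.endswith(s) for s in ALLOWED_SUFFIXES):
            return False
    return True


def whitelist_check(names, allow_wildcard=False):
    """Stricter form: every entry must be positively matched by a rule."""
    for kind, value in names:
        if kind not in KNOWN_TYPES:
            return False  # fail closed on anything the policy cannot judge
        value = value.lower().rstrip(".")
        labels = value.split(".")
        if "*" in value:
            # A wildcard is accepted only as the whole leftmost label, and
            # only when the policy explicitly permits wildcards.
            if not allow_wildcard or labels[0] != "*":
                return False
            if any("*" in label for label in labels[1:]):
                return False
        if not any(value.endswith(s) and len(value) > len(s)
                   for s in ALLOWED_SUFFIXES):
            return False
    return True


# Constructed sample requests.
WILDCARD_REQ = [("dns", "*.example.com")]
UNKNOWN_REQ = [("dns", "www.example.com"), ("uri", "https://other.test/")]
PLAIN_REQ = [("dns", "www.example.com"), ("dns", "api.example.com")]
```
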
Add a validator for the public key sizes. This allows rejecting a
request with a 512b long RSA key for example.
Change-Id: Ib4988e595c4c5cdc643af56e9529e8c0de31d993

Remove a validator which has been marked for an update for some time.
CA certificate signing should not be handled by Anchor at all.
Change-Id: Ib13a0ca3445956e35c23c559f59f37e6721c1a33
Closes-bug: 1508776