use url::Url;
use crate::audit::PublicationPointAudit;
use crate::data_model::ta::TrustAnchor;
use crate::sync::rrdp::Fetcher;
use crate::validation::from_tal::{
DiscoveredRootCaInstance, FromTalError, discover_root_ca_instance_from_tal_and_ta_der,
discover_root_ca_instance_from_tal_url,
};
use crate::validation::tree::{
CaInstanceHandle, TreeRunAuditOutput, TreeRunConfig, TreeRunError, TreeRunOutput,
run_tree_serial, run_tree_serial_audit,
};
use crate::validation::tree_runner::Rpkiv1PublicationPointRunner;
/// Result of validating a tree whose root was designated by a TAL: what was
/// discovered about the root CA, plus the output of the serial tree run.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct RunTreeFromTalOutput {
    /// Trust anchor and root CA instance derived from the TAL (the root of
    /// trust for everything in `tree`).
    pub discovery: DiscoveredRootCaInstance,
    /// Output of the tree run started at that root.
    pub tree: TreeRunOutput,
}
/// Audit-mode counterpart of [`RunTreeFromTalOutput`]: the same discovery and
/// tree result, plus the per-publication-point audit records the audit run
/// collected.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct RunTreeFromTalAuditOutput {
    /// Trust anchor and root CA instance derived from the TAL.
    pub discovery: DiscoveredRootCaInstance,
    /// Output of the tree run started at that root.
    pub tree: TreeRunOutput,
    /// Audit records from the run, as returned by `run_tree_serial_audit`
    /// (presumably one entry per publication point visited — confirm against
    /// `TreeRunAuditOutput`).
    pub publication_points: Vec<PublicationPointAudit>,
}
/// Errors from the `run_tree_from_*` entry points in this file.
///
/// Discovery errors abort the run before any tree work starts; tree errors
/// come from the serial run itself. Both variants forward the inner error's
/// `Display` and expose it as `source()` via `#[from]`.
/// NOTE(review): `#[error("{0}")]` plus `#[from]` makes the inner message
/// appear twice in chain-printing reporters; `#[error(transparent)]` is the
/// usual thiserror idiom for pure wrappers — consider if callers print the
/// full source chain.
#[derive(Debug, thiserror::Error)]
pub enum RunTreeFromTalError {
    /// The TAL could not be fetched/parsed or the root CA instance could not
    /// be discovered from it.
    #[error("{0}")]
    FromTal(#[from] FromTalError),

    /// The tree run below the root failed.
    #[error("{0}")]
    Tree(#[from] TreeRunError),
}
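/// Build the depth-0 [`CaInstanceHandle`] for a trust anchor, i.e. the root of
/// a validation tree.
///
/// * `trust_anchor` — the parsed TA; its certificate DER and its IP/AS
///   resource extensions are copied into the handle.
/// * `ca_certificate_rsync_uri` — rsync location of the TA certificate, if
///   known. Every caller in this file currently passes `None`.
/// * `ca_instance` — the rsync base, manifest, publication-point and RRDP
///   notification locations discovered for the TA; copied verbatim.
///
/// The TA has no parent, so its effective resources are exactly what its own
/// certificate asserts — no inheritance resolution happens here.
/// NOTE(review): the RPKI profile does not permit the `inherit` form in a
/// trust anchor's resource extensions, and nothing here checks for it; that
/// must be enforced wherever the TA certificate is parsed/validated — confirm.
pub fn root_handle_from_trust_anchor(
    trust_anchor: &TrustAnchor,
    ca_certificate_rsync_uri: Option<String>,
    ca_instance: &crate::validation::ca_instance::CaInstanceUris,
) -> CaInstanceHandle {
    // Borrow the resource certificate rather than cloning it whole: only the
    // two resource extensions are needed, so clone just those.
    let ta_cert = &trust_anchor.ta_certificate;
    let extensions = &ta_cert.rc_ca.tbs.extensions;

    CaInstanceHandle {
        // Depth 0 marks the root; children are numbered from here by the tree run.
        depth: 0,
        ca_certificate_der: ta_cert.raw_der.clone(),
        ca_certificate_rsync_uri,
        effective_ip_resources: extensions.ip_resources.clone(),
        effective_as_resources: extensions.as_resources.clone(),
        rsync_base_uri: ca_instance.rsync_base_uri.clone(),
        manifest_rsync_uri: ca_instance.manifest_rsync_uri.clone(),
        publication_point_rsync_uri: ca_instance.publication_point_rsync_uri.clone(),
        rrdp_notification_uri: ca_instance.rrdp_notification_uri.clone(),
    }
}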
/// Validate a full RPKI tree whose root is designated by the TAL at `tal_url`.
///
/// The TAL is fetched with `http_fetcher`, the root CA instance is discovered
/// from it, and the tree below it is walked serially with [`run_tree_serial`].
///
/// Security note: the TAL fetched from `tal_url` is the root of trust for
/// everything this run produces, and this function itself does not pin or
/// verify the TAL. `tal_url` must therefore come from a trusted,
/// integrity-protected source; presumably
/// `discover_root_ca_instance_from_tal_url` checks the TA certificate against
/// the key embedded in the TAL — confirm there.
///
/// * `store` / `policy` — handed unchanged to the publication-point runner.
/// * `tal_url` — where to fetch the TAL from.
/// * `http_fetcher` — used for the TAL fetch and passed on to the runner.
/// * `rsync_fetcher` — passed on to the runner for repository retrieval.
/// * `validation_time` — injected rather than read from the clock, so runs are
///   reproducible; presumably the instant the runner validates against.
/// * `config` — tree-run options.
///
/// Returns the discovery result together with the tree output. A discovery
/// failure aborts before any tree work; either failure maps to
/// [`RunTreeFromTalError`].
pub fn run_tree_from_tal_url_serial(
    store: &crate::storage::RocksStore,
    policy: &crate::policy::Policy,
    tal_url: &str,
    http_fetcher: &dyn Fetcher,
    rsync_fetcher: &dyn crate::fetch::rsync::RsyncFetcher,
    validation_time: time::OffsetDateTime,
    config: &TreeRunConfig,
) -> Result<RunTreeFromTalOutput, RunTreeFromTalError> {
    // Root discovery first: without a root nothing below can run.
    let discovery = discover_root_ca_instance_from_tal_url(http_fetcher, tal_url)?;

    // The TA certificate's own rsync URI is left unset (`None`) here, as in
    // every sibling entry point in this file; only the discovered
    // publication-point locations are recorded on the root handle.
    let root_handle =
        root_handle_from_trust_anchor(&discovery.trust_anchor, None, &discovery.ca_instance);

    // Keep this construction in step with the other run_tree_from_* entry points.
    let pp_runner = Rpkiv1PublicationPointRunner {
        store,
        policy,
        http_fetcher,
        rsync_fetcher,
        validation_time,
    };

    Ok(RunTreeFromTalOutput {
        tree: run_tree_serial(root_handle, &pp_runner, config)?,
        discovery,
    })
}
/// Audit-mode variant of [`run_tree_from_tal_url_serial`]: same TAL fetch,
/// discovery and serial walk, but via [`run_tree_serial_audit`], so the
/// per-publication-point audit records are returned alongside the tree output.
///
/// Security note: as in the non-audit variant, the TAL fetched from `tal_url`
/// is the root of trust and is not pinned or verified here; `tal_url` must be
/// a trusted, integrity-protected source (presumably the discovery step
/// verifies the TA certificate against the TAL's embedded key — confirm).
///
/// Parameters are identical to [`run_tree_from_tal_url_serial`]:
/// `store`/`policy`/`http_fetcher`/`rsync_fetcher`/`validation_time` are
/// handed to the publication-point runner (`http_fetcher` also performs the
/// TAL fetch), `tal_url` locates the TAL, and `config` holds tree-run options.
///
/// Errors: discovery failure aborts before any tree work; both it and a tree
/// failure map to [`RunTreeFromTalError`].
pub fn run_tree_from_tal_url_serial_audit(
    store: &crate::storage::RocksStore,
    policy: &crate::policy::Policy,
    tal_url: &str,
    http_fetcher: &dyn Fetcher,
    rsync_fetcher: &dyn crate::fetch::rsync::RsyncFetcher,
    validation_time: time::OffsetDateTime,
    config: &TreeRunConfig,
) -> Result<RunTreeFromTalAuditOutput, RunTreeFromTalError> {
    let discovery = discover_root_ca_instance_from_tal_url(http_fetcher, tal_url)?;

    // No rsync URI is recorded for the TA certificate itself (`None`), matching
    // the other entry points in this file.
    let root_handle =
        root_handle_from_trust_anchor(&discovery.trust_anchor, None, &discovery.ca_instance);

    // Keep this construction in step with the other run_tree_from_* entry points.
    let pp_runner = Rpkiv1PublicationPointRunner {
        store,
        policy,
        http_fetcher,
        rsync_fetcher,
        validation_time,
    };

    let audit = run_tree_serial_audit(root_handle, &pp_runner, config)?;

    Ok(RunTreeFromTalAuditOutput {
        discovery,
        tree: audit.tree,
        publication_points: audit.publication_points,
    })
}
/// Validate a full RPKI tree from caller-supplied TAL bytes and TA certificate
/// DER, without fetching the TAL over HTTP.
///
/// Discovery is done purely from `tal_bytes`, `ta_der` and `resolved_ta_uri`
/// (no fetcher is involved at that step); `http_fetcher` and `rsync_fetcher`
/// are only handed to the publication-point runner for the tree walk.
///
/// Security note: because the caller supplies the TA certificate directly,
/// the check that `ta_der` actually matches the key in `tal_bytes` is the
/// only thing binding the run to the TAL's root of trust. This function does
/// not perform that check itself; presumably
/// `discover_root_ca_instance_from_tal_and_ta_der` does — confirm.
///
/// * `tal_bytes` — the TAL contents.
/// * `ta_der` — the DER-encoded TA certificate.
/// * `resolved_ta_uri` — passed through to discovery; presumably the URI the
///   TA certificate was obtained from (confirm its use there).
/// * `store`, `policy`, `validation_time`, `config` — as for
///   [`run_tree_from_tal_url_serial`].
///
/// Errors: discovery failure aborts before any tree work; both it and a tree
/// failure map to [`RunTreeFromTalError`].
pub fn run_tree_from_tal_and_ta_der_serial(
    store: &crate::storage::RocksStore,
    policy: &crate::policy::Policy,
    tal_bytes: &[u8],
    ta_der: &[u8],
    resolved_ta_uri: Option<&Url>,
    http_fetcher: &dyn Fetcher,
    rsync_fetcher: &dyn crate::fetch::rsync::RsyncFetcher,
    validation_time: time::OffsetDateTime,
    config: &TreeRunConfig,
) -> Result<RunTreeFromTalOutput, RunTreeFromTalError> {
    let discovery =
        discover_root_ca_instance_from_tal_and_ta_der(tal_bytes, ta_der, resolved_ta_uri)?;

    // The TA certificate's own rsync URI is left unset (`None`), as in the
    // other entry points in this file.
    let root_handle =
        root_handle_from_trust_anchor(&discovery.trust_anchor, None, &discovery.ca_instance);

    // Keep this construction in step with the other run_tree_from_* entry points.
    let pp_runner = Rpkiv1PublicationPointRunner {
        store,
        policy,
        http_fetcher,
        rsync_fetcher,
        validation_time,
    };

    Ok(RunTreeFromTalOutput {
        tree: run_tree_serial(root_handle, &pp_runner, config)?,
        discovery,
    })
}
/// Audit-mode variant of [`run_tree_from_tal_and_ta_der_serial`]: discovery
/// from caller-supplied TAL bytes and TA DER, then a serial walk via
/// [`run_tree_serial_audit`] that also returns the per-publication-point audit
/// records.
///
/// Security note: as in the non-audit variant, nothing here verifies that
/// `ta_der` matches the key in `tal_bytes`; that binding to the root of trust
/// is presumably done by `discover_root_ca_instance_from_tal_and_ta_der` —
/// confirm. `http_fetcher`/`rsync_fetcher` play no part in discovery and are
/// only handed to the runner.
///
/// * `tal_bytes` — the TAL contents.
/// * `ta_der` — the DER-encoded TA certificate.
/// * `resolved_ta_uri` — passed through to discovery; presumably the URI the
///   TA certificate was obtained from (confirm its use there).
/// * `store`, `policy`, `validation_time`, `config` — as for
///   [`run_tree_from_tal_url_serial`].
///
/// Errors: discovery failure aborts before any tree work; both it and a tree
/// failure map to [`RunTreeFromTalError`].
pub fn run_tree_from_tal_and_ta_der_serial_audit(
    store: &crate::storage::RocksStore,
    policy: &crate::policy::Policy,
    tal_bytes: &[u8],
    ta_der: &[u8],
    resolved_ta_uri: Option<&Url>,
    http_fetcher: &dyn Fetcher,
    rsync_fetcher: &dyn crate::fetch::rsync::RsyncFetcher,
    validation_time: time::OffsetDateTime,
    config: &TreeRunConfig,
) -> Result<RunTreeFromTalAuditOutput, RunTreeFromTalError> {
    let discovery =
        discover_root_ca_instance_from_tal_and_ta_der(tal_bytes, ta_der, resolved_ta_uri)?;

    // No rsync URI is recorded for the TA certificate itself (`None`), matching
    // the other entry points in this file.
    let root_handle =
        root_handle_from_trust_anchor(&discovery.trust_anchor, None, &discovery.ca_instance);

    // Keep this construction in step with the other run_tree_from_* entry points.
    let pp_runner = Rpkiv1PublicationPointRunner {
        store,
        policy,
        http_fetcher,
        rsync_fetcher,
        validation_time,
    };

    let audit = run_tree_serial_audit(root_handle, &pp_runner, config)?;

    Ok(RunTreeFromTalAuditOutput {
        discovery,
        tree: audit.tree,
        publication_points: audit.publication_points,
    })
}