Simplify by removing almost everything to do with KeyName.

internet2 · Oct 21, 2014 · 2bbf90d · 2bbf90d
1 parent c83a1ac
commit 2bbf90d
Showing 1 changed file with 3 additions and 51 deletions.
diff --git a/build/check_embedded.pl b/build/check_embedded.pl
@@ -147,14 +147,12 @@ sub comment {
 		#
 		# Output header line.
 		#
-		$oline = "Entity $entity ";
+		$oline = "Entity $entity";
 		$hasKeyName = !($keyname eq '(none)');
+		push(@olines, $oline);
 		if ($hasKeyName) {
-			$oline .= "has KeyName $keyname";
-		} else {
-			$oline .= "has no KeyName";
+			error("descriptor has unexpected KeyName $keyname");
 		}
-		push(@olines, $oline);
 
 		#
 		# Start building a new blob.
@@ -280,7 +278,6 @@ sub comment {
 				#
 				if ($notAfter =~ /(\d\d\d\d)/) {
 					my $year = $1;
-					$expiryYear = $year;
 					if ($year > $maxYear) {
 						$maxYear = $year;
 					}
@@ -362,14 +359,6 @@ sub comment {
 		}
 
 
-		#
-		# Check KeyName if one has been supplied.
-		#
-		if ($hasKeyName && !defined($names{lc $keyname})) {
-			my $nameList = join ", ", sort keys %names;
-			error("KeyName mismatch: $keyname not in {$nameList}");
-		}
-
 		#
 		# Use openssl to ask whether this matches our trust fabric or not.
 		#
@@ -427,25 +416,6 @@ sub comment {
 			} elsif ($clientOK) {
 				# $error = "certificate matches trust fabric; add KeyName?";
 			}
-		} else {
-			#
-			# If a KeyName is present, we must match the trust fabric.
-			#
-			if ($error eq 'self signed certificate') {
-				$error = 'self signed certificate: remove KeyName?';
-			} elsif ($error eq 'unable to get local issuer certificate') {
-				$error = "non trust fabric issuer: $issuerCN: remove KeyName?";
-			}
-
-			#
-			# KeyName with an expired certificate indicates some kind of misconfiguration.
-			# Either the KeyDescriptor isn't working, or the expired certificate is still
-			# in use (in which case the KeyName is superfluous) or a different certificate
-			# is in use via PKIX (which means we have the wrong one).
-			#
-			if ($days < 0) {
-				error("expired certificate has KeyName; acquire/ensure correct certificate and remove KeyName");
-			}
 		}
 
 		if ($error eq 'certificate has expired' && $days < 0) {
@@ -478,13 +448,6 @@ sub comment {
 				warning("issuer '$issuerCN' suspect; verify");
 			}
 		}
-		if ($hasKeyName && ($issuerCN =~ /(Global|Veri)Sign/)) {
-			warning("issuer \"$issuerCN\" to be retired; certificate expires $notAfter; remove KeyName?");
-			$issuerMark{$issuerCN} = '*';
-		}
-		if ($hasKeyName && ($expiryYear > 2014)) {
-			warning("expires $notAfter, which is later than 2014");
-		}
 
 		#
 		# Count issuers.
@@ -497,9 +460,6 @@ sub comment {
 			} else {
 				$issuers{$issuerCN}++;
 			}
-			if ($hasKeyName) {
-				$knIssuers{$issuerCN}++;
-			}
 		}
 
 		#
@@ -544,14 +504,6 @@ sub comment {
 	}
 	print "\n";
 
-	print "KeyName certificate issuers:\n";
-	foreach $issuer (sort keys %knIssuers) {
-		my $count = $knIssuers{$issuer};
-		my $mark = $issuerMark{$issuer} ? $issuerMark{$issuer}: ' ';
-		print " $mark $issuer: $count\n";
-	}
-	print "\n";
-
 	my $first = 1;
 	foreach $fingerprint (sort keys %expiry_whitelist) {
 		if ($expiry_whitelist{$fingerprint} eq 'unused') {