From 2bbf90d3c9276825dbc0a362b9de5e0b50128c62 Mon Sep 17 00:00:00 2001
From: Ian Young
Date: Tue, 21 Oct 2014 10:51:49 +0000
Subject: [PATCH] Simplify by removing almost everything to do with KeyName.

---
 build/check_embedded.pl | 54 +++-------------------------------------
 1 file changed, 3 insertions(+), 51 deletions(-)

diff --git a/build/check_embedded.pl b/build/check_embedded.pl
index 8268a246..a0515531 100755
--- a/build/check_embedded.pl
+++ b/build/check_embedded.pl
@@ -147,14 +147,12 @@ sub comment {
 #
 # Output header line.
 #
- $oline = "Entity $entity ";
+ $oline = "Entity $entity";
 $hasKeyName = !($keyname eq '(none)');
+ push(@olines, $oline);
 if ($hasKeyName) {
- $oline .= "has KeyName $keyname";
- } else {
- $oline .= "has no KeyName";
+ error("descriptor has unexpected KeyName $keyname");
 }
- push(@olines, $oline);
 
 #
 # Start building a new blob.
@@ -280,7 +278,6 @@ sub comment {
 #
 if ($notAfter =~ /(\d\d\d\d)/) {
 my $year = $1;
- $expiryYear = $year;
 if ($year > $maxYear) {
 $maxYear = $year;
 }
@@ -362,14 +359,6 @@ sub comment {
 
 }
 
- #
- # Check KeyName if one has been supplied.
- #
- if ($hasKeyName && !defined($names{lc $keyname})) {
- my $nameList = join ", ", sort keys %names;
- error("KeyName mismatch: $keyname not in {$nameList}");
- }
-
 #
 # Use openssl to ask whether this matches our trust fabric or not.
 #
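Review bot: In the `@@ -147` hunk the `$hasKeyName` flag now exists only to feed the new `error(...)` call two lines later, so unless it is still read elsewhere (the `if` above the `@@ -427` hunk is the likely other reader and is not visible here) the flag and the negated `eq` can be folded into the test: `if ($keyname ne '(none)') { error("descriptor has unexpected KeyName $keyname"); }`. The `'(none)'` sentinel is now the only thing that distinguishes a missing KeyName from a present one, and since this commit makes any present KeyName an error, the assignment of `$keyname` (outside this hunk) deserves a comment stating that a real KeyName can never take that literal value, or a defined-ness test instead of a string compare. The block containing these lines opens before the hunk.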
@@ -427,25 +416,6 @@ sub comment {
 } elsif ($clientOK) {
 # $error = "certificate matches trust fabric; add KeyName?";
 }
- } else {
- #
- # If a KeyName is present, we must match the trust fabric.
- #
- if ($error eq 'self signed certificate') {
- $error = 'self signed certificate: remove KeyName?';
- } elsif ($error eq 'unable to get local issuer certificate') {
- $error = "non trust fabric issuer: $issuerCN: remove KeyName?";
- }
-
- #
- # KeyName with an expired certificate indicates some kind of misconfiguration.
- # Either the KeyDescriptor isn't working, or the expired certificate is still
- # in use (in which case the KeyName is superfluous) or a different certificate
- # is in use via PKIX (which means we have the wrong one).
- #
- if ($days < 0) {
- error("expired certificate has KeyName; acquire/ensure correct certificate and remove KeyName");
- }
 }
 
 if ($error eq 'certificate has expired' && $days < 0) {
@@ -478,13 +448,6 @@ sub comment {
 warning("issuer '$issuerCN' suspect; verify");
 }
 }
- if ($hasKeyName && ($issuerCN =~ /(Global|Veri)Sign/)) {
- warning("issuer \"$issuerCN\" to be retired; certificate expires $notAfter; remove KeyName?");
- $issuerMark{$issuerCN} = '*';
- }
- if ($hasKeyName && ($expiryYear > 2014)) {
- warning("expires $notAfter, which is later than 2014");
- }
 
 #
 # Count issuers.
@@ -497,9 +460,6 @@ sub comment {
 } else {
 $issuers{$issuerCN}++;
 }
- if ($hasKeyName) {
- $knIssuers{$issuerCN}++;
- }
 }
 
 #
@@ -544,14 +504,6 @@ sub comment {
 }
 print "\n";
- print "KeyName certificate issuers:\n";
- foreach $issuer (sort keys %knIssuers) {
- my $count = $knIssuers{$issuer};
- my $mark = $issuerMark{$issuer} ? $issuerMark{$issuer}: ' ';
- print " $mark $issuer: $count\n";
- }
- print "\n";
-
 my $first = 1;
 foreach $fingerprint (sort keys %expiry_whitelist) {
 if ($expiry_whitelist{$fingerprint} eq 'unused') {
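Review bot: The commented-out context line `# $error = "certificate matches trust fabric; add KeyName?";` in the `@@ -427` hunk survives this commit, yet the new header-line check now reports any KeyName as an error, so a dormant suggestion to add one contradicts the policy the commit introduces and should be deleted rather than left for someone to uncomment. The `if` whose `else` arm this hunk removes opens above the hunk; if that `if` is still gated on `$hasKeyName`, the gate is now redundant with the earlier error and the trust-fabric check could run unconditionally, which is worth confirming against the surrounding lines. The `certificate has expired` handling at the end of the hunk continues outside it.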