authorRob Austein <sra@hactrn.net>2008-05-01 07:07:28 +0000
committerRob Austein <sra@hactrn.net>2008-05-01 07:07:28 +0000
commitac9ca8b4e7904365dd0e37b0599f2f66b289ed46 (patch)
tree128d388c9c9aa8aad22cfa4d9998d994f5a46bf4
parentdd4e65cc86b552daadc0d41408f8635236e182e0 (diff)
Simplify BSC and start adding BPKI CRL support; the latter doesn't
work yet due to an apparent bug in OpenSSL (CMS_add0_crl() dumps core). If through some bizarre twist of fate we revive the idea of allowing CA certs in CMS messages, this is the change that will need to be (partly) backed out. svn path=/docs/left-right-xml; revision=1730
-rw-r--r--pow/POW-0.7/POW.c16
-rw-r--r--rpkid/Makefile4
-rwxr-xr-xrpkid/irbe-cli.py6
-rw-r--r--rpkid/irbe-setup.py4
-rw-r--r--rpkid/left-right-protocol-samples.xml (renamed from docs/left-right-xml)61
-rw-r--r--rpkid/left-right-protocol-samples.xsl28
-rw-r--r--rpkid/left-right-protocol-samples/pdu.013.xml13
-rw-r--r--rpkid/left-right-protocol-samples/pdu.016.xml19
-rw-r--r--rpkid/left-right-protocol-samples/pdu.018.xml19
-rw-r--r--rpkid/left-right-schema.rnc6
-rw-r--r--rpkid/left-right-schema.rng14
-rw-r--r--rpkid/rpki/__init__.py2
-rw-r--r--rpkid/rpki/gctx.py18
-rw-r--r--rpkid/rpki/left_right.py69
-rw-r--r--rpkid/rpki/relaxng.py16
-rw-r--r--rpkid/rpki/x509.py22
-rw-r--r--rpkid/rpkid.sql12
-rw-r--r--rpkid/testbed.py27
-rwxr-xr-xrpkid/xml-parse-test.py4
19 files changed, 161 insertions, 199 deletions
diff --git a/pow/POW-0.7/POW.c b/pow/POW-0.7/POW.c
index ca6af89e..5a92acdb 100644
--- a/pow/POW-0.7/POW.c
+++ b/pow/POW-0.7/POW.c
@@ -6857,7 +6857,6 @@ CMS_object_sign(cms_object *self, PyObject *args)
BIO *bio = NULL;
CMS_ContentInfo *cms = NULL;
ASN1_OBJECT *econtent_type = NULL;
- X509_CRL *crl = NULL;
if (!PyArg_ParseTuple(args, "O!O!s#|OOsI",
&x509type, &signcert,
@@ -6926,27 +6925,20 @@ CMS_object_sign(cms_object *self, PyObject *args)
assert_no_unhandled_openssl_errors();
if (crl_sequence != Py_None) {
-
if (!PyTuple_Check(crl_sequence) && !PyList_Check(crl_sequence))
lose_type_error("inapropriate type");
-
n = PySequence_Size( crl_sequence );
-
for (i = 0; i < n; i++) {
if ( !(crlobj = (x509_crl_object *) PySequence_GetItem(crl_sequence, i)))
goto error;
-
if (!X_X509_crl_Check(crlobj))
lose_type_error("inappropriate type");
-
- if ( !(crl = X509_CRL_dup(crlobj->crl)))
- lose_type_error("couldn't clone CRL");
-
+ if (!crlobj->crl)
+ lose("CRL object with null crl field!");
assert_no_unhandled_openssl_errors();
-
- if (!CMS_add0_crl(self->cms, crl))
+ if (!CMS_add0_crl(self->cms, crlobj->crl))
lose_openssl_error("could not add CRL to CMS");
-
+ CRYPTO_add(&crlobj->crl->references, 1, CRYPTO_LOCK_X509_CRL);
Py_DECREF(crlobj);
crlobj = NULL;
}
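Review bot: The CRYPTO_add on the new line after CMS_add0_crl is load-bearing and should carry a comment, because CMS_add0_crl takes ownership of the pointer without bumping its reference count; without the increment the CMS object and the Python x509_crl_object would both end up freeing crlobj->crl. The placement is also deliberate: a failed CMS_add0_crl has not taken ownership, so the `goto error` path must not increment, which is exactly what doing the CRYPTO_add only after the success check achieves, e.g. `/* CMS_add0_crl() takes ownership without up-referencing; bump the count only once it has succeeded so the Python object keeps its own reference. */`. If the OpenSSL version in use provides CMS_add1_crl, it performs the same up-reference internally and would read more clearly, but I have not confirmed it exists in the targeted release. CMS_object_sign begins and ends outside this hunk.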
diff --git a/rpkid/Makefile b/rpkid/Makefile
index 9c565132..535bb261 100644
--- a/rpkid/Makefile
+++ b/rpkid/Makefile
@@ -7,8 +7,8 @@
all:: left-right-protocol-samples/.stamp
-left-right-protocol-samples/.stamp: left-right-protocol-samples.xsl ../docs/left-right-xml
- xsltproc left-right-protocol-samples.xsl ../docs/left-right-xml
+left-right-protocol-samples/.stamp: left-right-protocol-samples.xsl left-right-protocol-samples.xml
+ xsltproc left-right-protocol-samples.xsl left-right-protocol-samples.xml
touch $@
all:: left-right-schema.rng
diff --git a/rpkid/irbe-cli.py b/rpkid/irbe-cli.py
index 02c55a6c..eea87ff4 100755
--- a/rpkid/irbe-cli.py
+++ b/rpkid/irbe-cli.py
@@ -95,7 +95,11 @@ class bsc_elt(cmd_mixin, rpki.left_right.bsc_elt):
def client_query_signing_cert(self, arg):
"""--signing_cert option."""
- self.signing_cert.append(rpki.x509.X509(Auto_file=arg))
+ self.signing_cert = rpki.x509.X509(Auto_file=arg)
+
+ def client_query_signing_cert_crl(self, arg):
+ """--signing_cert_crl option."""
+ self.signing_cert_crl = rpki.x509.CRL(Auto_file=arg)
def client_reply_decode(self):
global pem_out
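Review bot: client_query_signing_cert now silently replaces any earlier `--signing_cert` value, where the previous list form accumulated them, so a command line that still passes the option twice is accepted and only the last file wins; rejecting a repeat is cheap, e.g. `if self.signing_cert is not None: raise RuntimeError("--signing_cert given more than once")` before the assignment, and the same guard fits the new client_query_signing_cert_crl. Both methods also assume rpki.x509.CRL accepts the `Auto_file` keyword the way X509 does; the x509.py and testbed.py hunks on this page only show CRL built from `PEM_file` and `Base64`, so that is worth confirming against the CRL class.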
diff --git a/rpkid/irbe-setup.py b/rpkid/irbe-setup.py
index 1ded8e3e..9531cda7 100644
--- a/rpkid/irbe-setup.py
+++ b/rpkid/irbe-setup.py
@@ -62,7 +62,6 @@ self_id = pdu.self_id
print "Create a business signing context"
pdu = rpki.left_right.bsc_elt.make_pdu(action = "create", self_id = self_id, generate_keypair = True)
-pdu.signing_cert.append(rpki.x509.X509(Auto_file = "biz-certs/Bob-CA.cer"))
pdu = call_rpkid(pdu)
bsc_id = pdu.bsc_id
@@ -77,8 +76,7 @@ cer = rpki.x509.X509(PEM = o.read())
o.close()
print "Set up the business cert chain"
-pdu = rpki.left_right.bsc_elt.make_pdu(action = "set", self_id = self_id, bsc_id = bsc_id)
-pdu.signing_cert.append(cer)
+pdu = rpki.left_right.bsc_elt.make_pdu(action = "set", self_id = self_id, bsc_id = bsc_id, signing_cert = cer)
call_rpkid(pdu)
print "Create a repository context"
diff --git a/docs/left-right-xml b/rpkid/left-right-protocol-samples.xml
index e1d8a866..e6f5328b 100644
--- a/docs/left-right-xml
+++ b/rpkid/left-right-protocol-samples.xml
@@ -15,7 +15,9 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-
- - See left-right-protocol for comments.
+ -
+ - This is a collection of sample left-right protocol PDU samples
+ - to use as test cases for the left-right protocol RelaxNG schema.
-->
<completely_gratuitous_wrapper_element_to_let_me_run_this_through_xmllint>
@@ -238,7 +240,7 @@
</msg>
<msg version="1" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
- <bsc action="set" type="query" self_id="42" bsc_id="17" clear_signing_certs="yes">
+ <bsc action="set" type="query" self_id="42" bsc_id="17">
<signing_cert>
MIIDHTCCAgWgAwIBAgIJAKUUCoKn9ovVMA0GCSqGSIb3DQEBBQUAMCYxJDAiBgNV
BAMTG1Rlc3QgQ2VydGlmaWNhdGUgQWxpY2UgUm9vdDAeFw0wNzA4MDExOTUzMDda
@@ -258,6 +260,17 @@
vvqVBYkoBWRbmcy6wVU8JpYegNNgVRbi6zeAq33gS75m9uy+4z8Ql6DqVF0s/y+/
240tLCW62X98EzrALKsxhkqVZCtdc5HSRaOQr0K3I03S
</signing_cert>
+ <signing_cert_crl>
+ MIIBfjBoAgEBMA0GCSqGSIb3DQEBCwUAMCYxJDAiBgNVBAMTG1Rlc3QgQ2VydGlm
+ aWNhdGUgUklSIFNFTEYtMRcNMDgwNTAxMDQ1MjAxWhcNMDgwNTMxMDQ1MjAxWqAO
+ MAwwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQELBQADggEBACTbbaYh+f4EtXFIKPwH
+ K2NYq/MrhE2BnHDyA43siryddtac1E2bOtXPkC74nY5yGm4wZU07qPovJNGu1McG
+ J2hV2uUyAN00lJU3EikrS1ewz7vqjINar1ZUMDkh0wMYKLB9S8SdwNvCf1vcjshz
+ yasBRse9PCH1R0bmDaP8FZM47P55dKiijaN87HQKyZPOExFslnWH+Nr+mAF1xost
+ pwGcc3jreVZWbtQ2RdUDJYcNrSSCH8JYqd5ZgAYcE53xxy43rKcULz054GDFcS/B
+ rprwJgfrjkPttAl80cfrVOUl77ZFfFxzOeHCmQMl9VSoCxmWvnBCBBO4H7meJ7NO
+ gyc=
+ </signing_cert_crl>
</bsc>
</msg>
@@ -290,25 +303,6 @@
vvqVBYkoBWRbmcy6wVU8JpYegNNgVRbi6zeAq33gS75m9uy+4z8Ql6DqVF0s/y+/
240tLCW62X98EzrALKsxhkqVZCtdc5HSRaOQr0K3I03S
</signing_cert>
- <signing_cert>
- MIIDGDCCAgCgAwIBAgIJANkdU8+R7K3fMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
- BAMTGVRlc3QgQ2VydGlmaWNhdGUgQWxpY2UgQ0EwHhcNMDcwODAxMTk1MzA3WhcN
- MDcwODMxMTk1MzA3WjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEFsaWNl
- IEVFMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA64aCougbqPB/PjR9
- ipPd5c/QGlKh8QsCvh4ka3VjRp+zCUEiOI6W7hKUGVoNlqwFjZo2CsqX8qoW0e/S
- sQp9RMH80jgYjfxVPvK3S+sMoXredH+PhOqttf1rCEXbvqP4t9FWUdKJz558oHbO
- MXirP7MFUrWk96F/id+BFG01aKy9RE68DlkcPZAJjpcQ0kEYCIyAQckqgVrIaH2X
- QiEtB5asHrvGH0N5fmUWDeBfHTGVI3dbc6nLU9RYlVo/RCo0C38fi44/PIdnJCZG
- 4+m2ZXG+QbhNWVr4BsSIpF0oiQDelrebDrK4TYJ4skfwLHdlmJbtaeG7zwukDQkN
- CIIXRwIDAQABo00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBTjSaMtxysroFSek8cD
- OTdc6+ZY0jAfBgNVHSMEGDAWgBReiOCEd94f7LzmuFbMNonD6PE4GjANBgkqhkiG
- 9w0BAQUFAAOCAQEAH8ccePGVdGeytS14upV+20hxsGHLS66XxZJlQyQmYOwy4OL9
- F17VODm7UC3h6qnAGbNCvRa6TPah1gRWfwkZDlYC48whDlxi2QX23PcuVKstrv3i
- MiVcTm6AuVyfDn4DJ89TDUY+bPFne46lpSBxt9xXg6UsHMSthoerTYVcaYNHoGpt
- wQPCgrYT/bdQeUpAL7rtha+by0x74vUgO8W84MX0XjCWqXgyP/XBlqxjx7B9Gydw
- 5tNbASf9blRIQcQ9uy+S8mOlHQWfOhe6nN++LhVxYlOzdDKFboTmCwYZwNJHhnRl
- okQ8do5ItBt92MoJgI26PoOiE3xXVyuYb1b7vw==
- </signing_cert>
</bsc>
</msg>
@@ -337,25 +331,6 @@
vvqVBYkoBWRbmcy6wVU8JpYegNNgVRbi6zeAq33gS75m9uy+4z8Ql6DqVF0s/y+/
240tLCW62X98EzrALKsxhkqVZCtdc5HSRaOQr0K3I03S
</signing_cert>
- <signing_cert>
- MIIDGDCCAgCgAwIBAgIJANkdU8+R7K3fMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
- BAMTGVRlc3QgQ2VydGlmaWNhdGUgQWxpY2UgQ0EwHhcNMDcwODAxMTk1MzA3WhcN
- MDcwODMxMTk1MzA3WjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEFsaWNl
- IEVFMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA64aCougbqPB/PjR9
- ipPd5c/QGlKh8QsCvh4ka3VjRp+zCUEiOI6W7hKUGVoNlqwFjZo2CsqX8qoW0e/S
- sQp9RMH80jgYjfxVPvK3S+sMoXredH+PhOqttf1rCEXbvqP4t9FWUdKJz558oHbO
- MXirP7MFUrWk96F/id+BFG01aKy9RE68DlkcPZAJjpcQ0kEYCIyAQckqgVrIaH2X
- QiEtB5asHrvGH0N5fmUWDeBfHTGVI3dbc6nLU9RYlVo/RCo0C38fi44/PIdnJCZG
- 4+m2ZXG+QbhNWVr4BsSIpF0oiQDelrebDrK4TYJ4skfwLHdlmJbtaeG7zwukDQkN
- CIIXRwIDAQABo00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBTjSaMtxysroFSek8cD
- OTdc6+ZY0jAfBgNVHSMEGDAWgBReiOCEd94f7LzmuFbMNonD6PE4GjANBgkqhkiG
- 9w0BAQUFAAOCAQEAH8ccePGVdGeytS14upV+20hxsGHLS66XxZJlQyQmYOwy4OL9
- F17VODm7UC3h6qnAGbNCvRa6TPah1gRWfwkZDlYC48whDlxi2QX23PcuVKstrv3i
- MiVcTm6AuVyfDn4DJ89TDUY+bPFne46lpSBxt9xXg6UsHMSthoerTYVcaYNHoGpt
- wQPCgrYT/bdQeUpAL7rtha+by0x74vUgO8W84MX0XjCWqXgyP/XBlqxjx7B9Gydw
- 5tNbASf9blRIQcQ9uy+S8mOlHQWfOhe6nN++LhVxYlOzdDKFboTmCwYZwNJHhnRl
- okQ8do5ItBt92MoJgI26PoOiE3xXVyuYb1b7vw==
- </signing_cert>
</bsc>
</msg>
@@ -1291,9 +1266,3 @@
</msg>
</completely_gratuitous_wrapper_element_to_let_me_run_this_through_xmllint>
-
-<!--
- - Local Variables:
- - compile-command: "xmllint -noout left-right-xml"
- - End:
- -->
diff --git a/rpkid/left-right-protocol-samples.xsl b/rpkid/left-right-protocol-samples.xsl
index da313544..a152fa0e 100644
--- a/rpkid/left-right-protocol-samples.xsl
+++ b/rpkid/left-right-protocol-samples.xsl
@@ -1,8 +1,24 @@
-<!-- $Id$
+<!-- -*- SGML -*-
+ - $Id$
+ -
+ - Copyright (C) 2007-2008 American Registry for Internet Numbers ("ARIN")
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+ -
-
- Generate test case PDUs for left-right protocol. Invoke thusly:
-
- - $ xsltproc left-right-protocol-samples.xsl ../docs/left-right-xml
+ - $ xsltproc left-right-protocol-samples.xsl left-right-protocol-samples.xml
-->
<xsl:transform xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0"
@@ -27,11 +43,3 @@
</xsl:for-each>
</xsl:template>
</xsl:transform>
-
-
-<!--
- - Local variables:
- - mode: sgml
- - compile-command: "xsltproc left-right-protocol-samples.xsl ../docs/left-right-xml"
- - End:
- -->
diff --git a/rpkid/left-right-protocol-samples/pdu.013.xml b/rpkid/left-right-protocol-samples/pdu.013.xml
index 3c1c5adc..708724c8 100644
--- a/rpkid/left-right-protocol-samples/pdu.013.xml
+++ b/rpkid/left-right-protocol-samples/pdu.013.xml
@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="US-ASCII"?>
<!--Automatically generated, do not edit.-->
<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
- <bsc action="set" type="query" self_id="42" bsc_id="17" clear_signing_certs="yes">
+ <bsc action="set" type="query" self_id="42" bsc_id="17">
<signing_cert>
MIIDHTCCAgWgAwIBAgIJAKUUCoKn9ovVMA0GCSqGSIb3DQEBBQUAMCYxJDAiBgNV
BAMTG1Rlc3QgQ2VydGlmaWNhdGUgQWxpY2UgUm9vdDAeFw0wNzA4MDExOTUzMDda
@@ -21,5 +21,16 @@
vvqVBYkoBWRbmcy6wVU8JpYegNNgVRbi6zeAq33gS75m9uy+4z8Ql6DqVF0s/y+/
240tLCW62X98EzrALKsxhkqVZCtdc5HSRaOQr0K3I03S
</signing_cert>
+ <signing_cert_crl>
+ MIIBfjBoAgEBMA0GCSqGSIb3DQEBCwUAMCYxJDAiBgNVBAMTG1Rlc3QgQ2VydGlm
+ aWNhdGUgUklSIFNFTEYtMRcNMDgwNTAxMDQ1MjAxWhcNMDgwNTMxMDQ1MjAxWqAO
+ MAwwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQELBQADggEBACTbbaYh+f4EtXFIKPwH
+ K2NYq/MrhE2BnHDyA43siryddtac1E2bOtXPkC74nY5yGm4wZU07qPovJNGu1McG
+ J2hV2uUyAN00lJU3EikrS1ewz7vqjINar1ZUMDkh0wMYKLB9S8SdwNvCf1vcjshz
+ yasBRse9PCH1R0bmDaP8FZM47P55dKiijaN87HQKyZPOExFslnWH+Nr+mAF1xost
+ pwGcc3jreVZWbtQ2RdUDJYcNrSSCH8JYqd5ZgAYcE53xxy43rKcULz054GDFcS/B
+ rprwJgfrjkPttAl80cfrVOUl77ZFfFxzOeHCmQMl9VSoCxmWvnBCBBO4H7meJ7NO
+ gyc=
+ </signing_cert_crl>
</bsc>
</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.016.xml b/rpkid/left-right-protocol-samples/pdu.016.xml
index 2abf3bac..7e3d1485 100644
--- a/rpkid/left-right-protocol-samples/pdu.016.xml
+++ b/rpkid/left-right-protocol-samples/pdu.016.xml
@@ -21,24 +21,5 @@
vvqVBYkoBWRbmcy6wVU8JpYegNNgVRbi6zeAq33gS75m9uy+4z8Ql6DqVF0s/y+/
240tLCW62X98EzrALKsxhkqVZCtdc5HSRaOQr0K3I03S
</signing_cert>
- <signing_cert>
- MIIDGDCCAgCgAwIBAgIJANkdU8+R7K3fMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
- BAMTGVRlc3QgQ2VydGlmaWNhdGUgQWxpY2UgQ0EwHhcNMDcwODAxMTk1MzA3WhcN
- MDcwODMxMTk1MzA3WjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEFsaWNl
- IEVFMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA64aCougbqPB/PjR9
- ipPd5c/QGlKh8QsCvh4ka3VjRp+zCUEiOI6W7hKUGVoNlqwFjZo2CsqX8qoW0e/S
- sQp9RMH80jgYjfxVPvK3S+sMoXredH+PhOqttf1rCEXbvqP4t9FWUdKJz558oHbO
- MXirP7MFUrWk96F/id+BFG01aKy9RE68DlkcPZAJjpcQ0kEYCIyAQckqgVrIaH2X
- QiEtB5asHrvGH0N5fmUWDeBfHTGVI3dbc6nLU9RYlVo/RCo0C38fi44/PIdnJCZG
- 4+m2ZXG+QbhNWVr4BsSIpF0oiQDelrebDrK4TYJ4skfwLHdlmJbtaeG7zwukDQkN
- CIIXRwIDAQABo00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBTjSaMtxysroFSek8cD
- OTdc6+ZY0jAfBgNVHSMEGDAWgBReiOCEd94f7LzmuFbMNonD6PE4GjANBgkqhkiG
- 9w0BAQUFAAOCAQEAH8ccePGVdGeytS14upV+20hxsGHLS66XxZJlQyQmYOwy4OL9
- F17VODm7UC3h6qnAGbNCvRa6TPah1gRWfwkZDlYC48whDlxi2QX23PcuVKstrv3i
- MiVcTm6AuVyfDn4DJ89TDUY+bPFne46lpSBxt9xXg6UsHMSthoerTYVcaYNHoGpt
- wQPCgrYT/bdQeUpAL7rtha+by0x74vUgO8W84MX0XjCWqXgyP/XBlqxjx7B9Gydw
- 5tNbASf9blRIQcQ9uy+S8mOlHQWfOhe6nN++LhVxYlOzdDKFboTmCwYZwNJHhnRl
- okQ8do5ItBt92MoJgI26PoOiE3xXVyuYb1b7vw==
- </signing_cert>
</bsc>
</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.018.xml b/rpkid/left-right-protocol-samples/pdu.018.xml
index 2abf3bac..7e3d1485 100644
--- a/rpkid/left-right-protocol-samples/pdu.018.xml
+++ b/rpkid/left-right-protocol-samples/pdu.018.xml
@@ -21,24 +21,5 @@
vvqVBYkoBWRbmcy6wVU8JpYegNNgVRbi6zeAq33gS75m9uy+4z8Ql6DqVF0s/y+/
240tLCW62X98EzrALKsxhkqVZCtdc5HSRaOQr0K3I03S
</signing_cert>
- <signing_cert>
- MIIDGDCCAgCgAwIBAgIJANkdU8+R7K3fMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
- BAMTGVRlc3QgQ2VydGlmaWNhdGUgQWxpY2UgQ0EwHhcNMDcwODAxMTk1MzA3WhcN
- MDcwODMxMTk1MzA3WjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEFsaWNl
- IEVFMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA64aCougbqPB/PjR9
- ipPd5c/QGlKh8QsCvh4ka3VjRp+zCUEiOI6W7hKUGVoNlqwFjZo2CsqX8qoW0e/S
- sQp9RMH80jgYjfxVPvK3S+sMoXredH+PhOqttf1rCEXbvqP4t9FWUdKJz558oHbO
- MXirP7MFUrWk96F/id+BFG01aKy9RE68DlkcPZAJjpcQ0kEYCIyAQckqgVrIaH2X
- QiEtB5asHrvGH0N5fmUWDeBfHTGVI3dbc6nLU9RYlVo/RCo0C38fi44/PIdnJCZG
- 4+m2ZXG+QbhNWVr4BsSIpF0oiQDelrebDrK4TYJ4skfwLHdlmJbtaeG7zwukDQkN
- CIIXRwIDAQABo00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBTjSaMtxysroFSek8cD
- OTdc6+ZY0jAfBgNVHSMEGDAWgBReiOCEd94f7LzmuFbMNonD6PE4GjANBgkqhkiG
- 9w0BAQUFAAOCAQEAH8ccePGVdGeytS14upV+20hxsGHLS66XxZJlQyQmYOwy4OL9
- F17VODm7UC3h6qnAGbNCvRa6TPah1gRWfwkZDlYC48whDlxi2QX23PcuVKstrv3i
- MiVcTm6AuVyfDn4DJ89TDUY+bPFne46lpSBxt9xXg6UsHMSthoerTYVcaYNHoGpt
- wQPCgrYT/bdQeUpAL7rtha+by0x74vUgO8W84MX0XjCWqXgyP/XBlqxjx7B9Gydw
- 5tNbASf9blRIQcQ9uy+S8mOlHQWfOhe6nN++LhVxYlOzdDKFboTmCwYZwNJHhnRl
- okQ8do5ItBt92MoJgI26PoOiE3xXVyuYb1b7vw==
- </signing_cert>
</bsc>
</msg>
diff --git a/rpkid/left-right-schema.rnc b/rpkid/left-right-schema.rnc
index 243990cc..35917c1d 100644
--- a/rpkid/left-right-schema.rnc
+++ b/rpkid/left-right-schema.rnc
@@ -75,12 +75,12 @@ self_elt |= element self { ctl_dr, self_id }
bsc_bool = ((attribute generate_keypair { "yes" },
attribute key_type { "rsa" }?,
attribute hash_alg { "sha256" }?,
- attribute key_length { "2048" }?)?,
- attribute clear_signing_certs { "yes" }?)
+ attribute key_length { "2048" }?)?)
bsc_id = attribute bsc_id { sql_id }
-bsc_payload = (element signing_cert { base64 }*)
+bsc_payload = (element signing_cert { base64 }?,
+ element signing_cert_crl { base64 }?)
bsc_pkcs10 = element pkcs10_request { base64 }?
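Review bot: With clear_signing_certs removed and both signing_cert and signing_cert_crl now merely optional, a `set` query that omits signing_cert cannot distinguish "leave the stored certificate alone" from "clear it", so the schema no longer offers any way to unset a cert or CRL short of deleting the BSC. Whether omission means "unchanged" depends on the generic set handling in left_right.py, which is outside this hunk; either way the intended semantics belong in the schema comment, e.g. `# Omitting signing_cert or signing_cert_crl in a set query leaves the stored value unchanged.` The same change is mirrored in the generated .rng and relaxng.py sections, which need no separate note.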
diff --git a/rpkid/left-right-schema.rng b/rpkid/left-right-schema.rng
index b548a079..0068ca32 100644
--- a/rpkid/left-right-schema.rng
+++ b/rpkid/left-right-schema.rng
@@ -312,11 +312,6 @@
</attribute>
</optional>
</optional>
- <optional>
- <attribute name="clear_signing_certs">
- <value>yes</value>
- </attribute>
- </optional>
</define>
<define name="bsc_id">
<attribute name="bsc_id">
@@ -324,11 +319,16 @@
</attribute>
</define>
<define name="bsc_payload">
- <zeroOrMore>
+ <optional>
<element name="signing_cert">
<ref name="base64"/>
</element>
- </zeroOrMore>
+ </optional>
+ <optional>
+ <element name="signing_cert_crl">
+ <ref name="base64"/>
+ </element>
+ </optional>
</define>
<define name="bsc_pkcs10">
<optional>
diff --git a/rpkid/rpki/__init__.py b/rpkid/rpki/__init__.py
index 8d088c65..9852d0b0 100644
--- a/rpkid/rpki/__init__.py
+++ b/rpkid/rpki/__init__.py
@@ -502,7 +502,7 @@
##
## bsc --action= --type= --tag= --self_id= --bsc_id=
## --key_type= --hash_alg= --key_length= --signing_cert=
-## --generate_keypair --clear_signing_certs
+## --signing_cert_crl= --generate_keypair
## @endverbatim
##
## Global options (@c --config, @c --help, @c --pem_out) come first, then zero or
diff --git a/rpkid/rpki/gctx.py b/rpkid/rpki/gctx.py
index f3c8c4b4..995dede1 100644
--- a/rpkid/rpki/gctx.py
+++ b/rpkid/rpki/gctx.py
@@ -140,13 +140,17 @@ class global_context(object):
"""
rpki.log.trace()
- for s in rpki.left_right.self_elt.sql_fetch_all(self):
- s.client_poll()
- s.update_children()
- s.update_roas()
- s.regenerate_crls_and_manifests()
- self.sql_sweep()
- return 200, "OK"
+ try:
+ for s in rpki.left_right.self_elt.sql_fetch_all(self):
+ s.client_poll()
+ s.update_children()
+ s.update_roas()
+ s.regenerate_crls_and_manifests()
+ self.sql_sweep()
+ return 200, "OK"
+ except Exception, data:
+ rpki.log.error(traceback.format_exc())
+ return 500, "Unhandled exception %s" % data
## @var https_ta_cache
# HTTPS trust anchor cache, to avoid regenerating it for every TLS connection.
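Review bot: The new except branch returns the exception text to the HTTP client in the 500 body (`"Unhandled exception %s" % data`), which can expose internal details such as database errors, file paths or certificate subjects to whoever drove the request; the full traceback already goes to the server log, so the response can stay generic: `return 500, "Unhandled exception, see server log"`. The branch also relies on a `traceback` import at the top of gctx.py that this hunk does not show. Note that an exception raised while handling one self_elt now abandons the remaining ones and skips sql_sweep, a behaviour change from the previously unguarded loop that deserves a one-line comment. The enclosing method starts outside the hunk.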
diff --git a/rpkid/rpki/left_right.py b/rpkid/rpki/left_right.py
index 1d87c195..1289e16a 100644
--- a/rpkid/rpki/left_right.py
+++ b/rpkid/rpki/left_right.py
@@ -443,34 +443,19 @@ class bsc_elt(data_elt):
element_name = "bsc"
attributes = ("action", "type", "tag", "self_id", "bsc_id", "key_type", "hash_alg", "key_length")
- elements = ('signing_cert',)
- booleans = ("generate_keypair", "clear_signing_certs")
+ elements = ("signing_cert", "signing_cert_crl")
+ booleans = ("generate_keypair",)
sql_template = rpki.sql.template("bsc", "bsc_id", "self_id", "hash_alg",
("private_key_id", rpki.x509.RSA),
- ("pkcs10_request", rpki.x509.PKCS10))
+ ("pkcs10_request", rpki.x509.PKCS10),
+ ("signing_cert", rpki.x509.X509),
+ ("signing_cert_crl", rpki.x509.CRL))
private_key_id = None
pkcs10_request = None
-
- def __init__(self):
- """Initialize bsc_elt."""
- self.signing_cert = []
-
- def sql_fetch_hook(self):
- """Extra SQL fetch actions for bsc_elt -- handle signing certs."""
- self.gctx.cur.execute("SELECT cert FROM bsc_cert WHERE bsc_id = %s", (self.bsc_id,))
- self.signing_cert = [rpki.x509.X509(DER = x) for (x,) in self.gctx.cur.fetchall()]
-
- def sql_insert_hook(self):
- """Extra SQL insert actions for bsc_elt -- handle signing certs."""
- if self.signing_cert:
- self.gctx.cur.executemany("INSERT bsc_cert (cert, bsc_id) VALUES (%s, %s)",
- ((x.get_DER(), self.bsc_id) for x in self.signing_cert))
-
- def sql_delete_hook(self):
- """Extra SQL delete actions for bsc_elt -- handle signing certs."""
- self.gctx.cur.execute("DELETE FROM bsc_cert WHERE bsc_id = %s", (self.bsc_id,))
+ signing_cert = None
+ signing_cert_crl = None
def repositories(self):
"""Fetch all repository objects that link to this BSC object."""
@@ -485,36 +470,29 @@ class bsc_elt(data_elt):
return child_elt.sql_fetch_where(self.gctx, "bsc_id = %s", (self.bsc_id,))
def serve_pre_save_hook(self, q_pdu, r_pdu):
- """Extra server actions for bsc_elt -- handle signing certs and key generation."""
- if self is not q_pdu:
- if q_pdu.clear_signing_certs:
- self.signing_cert[:] = []
- self.signing_cert.extend(q_pdu.signing_cert)
+ """Extra server actions for bsc_elt -- handle key generation.
+ For now this only allows RSA with SHA-256.
+ """
if q_pdu.generate_keypair:
- #
- # For the moment we only support 2048-bit RSA with SHA-256, no
- # HSM. Assertion just checks that the schema hasn't changed out
- # from under this code.
- #
- assert (q_pdu.key_type is None or q_pdu.key_type == "rsa") and \
- (q_pdu.hash_alg is None or q_pdu.hash_alg == "sha256") and \
- (q_pdu.key_length is None or q_pdu.key_length == 2048)
+ assert q_pdu.key_type in (None, "rsa") and q_pdu.hash_alg in (None, "sha256")
keypair = rpki.x509.RSA()
- keypair.generate()
+ keypair.generate(keylength = q_pdu.key_length or 2048)
self.private_key_id = keypair
self.pkcs10_request = rpki.x509.PKCS10.create(keypair)
r_pdu.pkcs10_request = self.pkcs10_request
def startElement(self, stack, name, attrs):
"""Handle <bsc/> element."""
- if not name in ("signing_cert", "pkcs10_request"):
+ if name not in ("pkcs10_request", "signing_cert", "signing_cert_crl"):
assert name == "bsc", "Unexpected name %s, stack %s" % (name, stack)
self.read_attrs(attrs)
def endElement(self, stack, name, text):
"""Handle <bsc/> element."""
if name == "signing_cert":
- self.signing_cert.append(rpki.x509.X509(Base64 = text))
+ self.signing_cert = rpki.x509.X509(Base64 = text)
+ elif name == "signing_cert_crl":
+ self.signing_cert_crl = rpki.x509.CRL(Base64 = text)
elif name == "pkcs10_request":
self.pkcs10_request = rpki.x509.PKCS10(Base64 = text)
else:
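Review bot: Dropping the key_length clause from the assertion and feeding `q_pdu.key_length or 2048` straight into keypair.generate() means the server no longer bounds the key size itself; today the RelaxNG schema in this commit only admits "2048", but once that attribute is relaxed a request could ask for an arbitrarily small RSA key and this hook would mint and use it. A server-side floor is one line, e.g. `if q_pdu.key_length is not None and q_pdu.key_length < 2048: raise ValueError("key_length below supported minimum")`, and a raise rather than `assert` is preferable for request validation because assertions disappear under `python -O`; the remaining key_type/hash_alg assert has the same weakness. Whether key_length arrives as an int or a string depends on read_attrs, which is outside this hunk; the old comparison against the integer 2048 suggests an int, but the numeric check needs that confirmed.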
@@ -524,8 +502,10 @@ class bsc_elt(data_elt):
def toXML(self):
"""Generate <bsc/> element."""
elt = self.make_elt()
- for cert in self.signing_cert:
- self.make_b64elt(elt, "signing_cert", cert.get_DER())
+ if self.signing_cert is not None:
+ self.make_b64elt(elt, "signing_cert", self.signing_cert.get_DER())
+ if self.signing_cert_crl is not None:
+ self.make_b64elt(elt, "signing_cert_crl", self.signing_cert_crl.get_DER())
if self.pkcs10_request is not None:
self.make_b64elt(elt, "pkcs10_request", self.pkcs10_request.get_DER())
return elt
@@ -632,7 +612,10 @@ class parent_elt(data_elt):
payload = q_pdu,
sender = self.sender_name,
recipient = self.recipient_name)
- q_cms = rpki.up_down.cms_msg.wrap(q_msg, bsc.private_key_id, bsc.signing_cert)
+
+ q_cms = rpki.up_down.cms_msg.wrap(q_msg, bsc.private_key_id,
+ bsc.signing_cert,
+ bsc.signing_cert_crl)
der = rpki.https.client(server_ta = (self.gctx.bpki_ta,
self.self().bpki_cert, self.self().bpki_glue,
@@ -645,6 +628,7 @@ class parent_elt(data_elt):
r_msg = rpki.up_down.cms_msg.unwrap(der, (self.gctx.bpki_ta,
self.self().bpki_cert, self.self().bpki_glue,
self.bpki_cms_cert, self.bpki_cms_glue))
+
r_msg.payload.check_response()
return r_msg
@@ -741,7 +725,8 @@ class child_elt(data_elt):
# sane way of reporting errors in the error reporting mechanism.
# May require refactoring, ignore the issue for now.
#
- r_cms = rpki.up_down.cms_msg.wrap(r_msg, bsc.private_key_id, bsc.signing_cert)
+ r_cms = rpki.up_down.cms_msg.wrap(r_msg, bsc.private_key_id,
+ bsc.signing_cert, bsc.signing_cert_crl)
return r_cms
class repository_elt(data_elt):
diff --git a/rpkid/rpki/relaxng.py b/rpkid/rpki/relaxng.py
index 1a2592c3..1cef68d9 100644
--- a/rpkid/rpki/relaxng.py
+++ b/rpkid/rpki/relaxng.py
@@ -6,7 +6,7 @@ import lxml.etree
## Parsed RelaxNG left_right schema
left_right = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" encoding="UTF-8"?>
<!--
- $Id: left-right-schema.rng 1704 2008-04-25 06:45:10Z sra $
+ $Id: left-right-schema.rnc 1704 2008-04-25 06:45:10Z sra $
RelaxNG (Compact Syntax) Schema for RPKI left-right protocol.
@@ -318,11 +318,6 @@ left_right = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" enc
</attribute>
</optional>
</optional>
- <optional>
- <attribute name="clear_signing_certs">
- <value>yes</value>
- </attribute>
- </optional>
</define>
<define name="bsc_id">
<attribute name="bsc_id">
@@ -330,11 +325,16 @@ left_right = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" enc
</attribute>
</define>
<define name="bsc_payload">
- <zeroOrMore>
+ <optional>
<element name="signing_cert">
<ref name="base64"/>
</element>
- </zeroOrMore>
+ </optional>
+ <optional>
+ <element name="signing_cert_crl">
+ <ref name="base64"/>
+ </element>
+ </optional>
</define>
<define name="bsc_pkcs10">
<optional>
diff --git a/rpkid/rpki/x509.py b/rpkid/rpki/x509.py
index d8544562..70c7fc85 100644
--- a/rpkid/rpki/x509.py
+++ b/rpkid/rpki/x509.py
@@ -511,7 +511,7 @@ class RSA(DER_object):
def generate(self, keylength = 2048):
"""Generate a new keypair."""
self.clear()
- self.set(POW=POW.Asymmetric(POW.RSA_CIPHER, keylength))
+ self.set(POW = POW.Asymmetric(POW.RSA_CIPHER, keylength))
def get_public_DER(self):
"""Get the DER encoding of the public key from this keypair."""
@@ -659,6 +659,8 @@ class CMS_object(DER_object):
def sign(self, keypair, certs, crls = None, no_certs = False):
"""Sign and wrap inner content."""
+ rpki.log.trace()
+
if isinstance(certs, X509):
cert = certs
certs = ()
@@ -666,14 +668,25 @@ class CMS_object(DER_object):
cert = certs[0]
certs = certs[1:]
+ if crls:
+ rpki.log.warn("CMS CRL support disabled due to an OpenSSL bug I haven't tracked down yet, ignoring CRL")
+ crls = ()
+
+ if crls is None:
+ crls = ()
+ elif isinstance(crls, CRL):
+ crls = (crls,)
+
cms = POW.CMS()
+
cms.sign(cert.get_POW(),
keypair.get_POW(),
self.encode(),
[x.get_POW() for x in certs],
- crls,
+ [c.get_POW() for c in crls],
self.econtent_oid,
POW.CMS_NOCERTS if no_certs else 0)
+
self.DER = cms.derWrite()
class DER_CMS_object(CMS_object):
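Review bot: The temporary `if crls:` kill switch sits before the normalisation that follows it, so the `crls is None` / `isinstance(crls, CRL)` branches only ever see a falsy value and the single-CRL-to-tuple conversion is dead code until the switch is removed; a lone CRL object is discarded by truthiness before it is ever wrapped. Moving the warn-and-clear block below the normalisation keeps the conversion exercised and makes re-enabling CRLs a matter of deleting three lines. A module-level flag such as `CMS_CRLS_DISABLED = True`, referenced from the warning, would also make the temporary state greppable once the OpenSSL problem is resolved. sign()'s body begins before this hunk.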
@@ -771,12 +784,13 @@ class XML_CMS_object(CMS_object):
raise
@classmethod
- def wrap(cls, msg, keypair, certs, pretty_print = False):
+ def wrap(cls, msg, keypair, certs, crls = None, pretty_print = False):
"""Build a CMS-wrapped XML PDU and return its DER encoding."""
+ rpki.log.trace()
self = cls()
self.set_content(msg.toXML())
self.schema_check()
- self.sign(keypair, certs)
+ self.sign(keypair, certs, crls)
if pretty_print:
return self.get_DER(), self.pretty_print_content()
else:
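Review bot: Inserting `crls` in front of `pretty_print` in wrap()'s signature shifts the positional meaning of the fourth argument, so any caller that passed pretty_print positionally (`wrap(msg, keypair, certs, True)`) would now hand `True` to sign() as the CRL list, trip its warn-and-discard path, and lose its pretty-printing; the call sites updated on this page pass crls positionally and no pretty_print, but others may exist outside it. Appending the new parameter instead, `def wrap(cls, msg, keypair, certs, pretty_print = False, crls = None):`, keeps existing call sites working at the cost of the left_right.py callers passing `crls =` by keyword. The docstring should also state that crls may be None, a single CRL or a sequence, since sign() is written to accept all three.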
diff --git a/rpkid/rpkid.sql b/rpkid/rpkid.sql
index 1b4005f1..d13eb370 100644
--- a/rpkid/rpkid.sql
+++ b/rpkid/rpkid.sql
@@ -45,21 +45,13 @@ CREATE TABLE bsc (
private_key_id LONGBLOB,
pkcs10_request LONGBLOB,
hash_alg ENUM ('sha256'),
+ signing_cert LONGBLOB,
+ signing_cert_crl LONGBLOB,
self_id BIGINT unsigned NOT NULL,
PRIMARY KEY (bsc_id),
FOREIGN KEY (self_id) REFERENCES self
);
-DROP TABLE IF EXISTS bsc_cert;
-
-CREATE TABLE bsc_cert (
- bsc_cert_id SERIAL NOT NULL,
- cert LONGBLOB,
- bsc_id BIGINT unsigned NOT NULL,
- PRIMARY KEY (bsc_cert_id),
- FOREIGN KEY (bsc_id) REFERENCES bsc
-);
-
DROP TABLE IF EXISTS repository;
CREATE TABLE repository (
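Review bot: Removing the `DROP TABLE IF EXISTS bsc_cert;` line along with the table definition means a database created from the previous schema keeps an orphaned bsc_cert table, still holding copies of the old signing certificates and a foreign key into bsc, after this file is re-applied; keeping `DROP TABLE IF EXISTS bsc_cert;` as a plain cleanup statement costs nothing on a fresh database. Whether that stale foreign key interferes with the `DROP TABLE IF EXISTS bsc` that presumably precedes the CREATE depends on the storage engine and on foreign_key_checks, which this hunk does not show.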
diff --git a/rpkid/testbed.py b/rpkid/testbed.py
index bdc54a56..fc3e6328 100644
--- a/rpkid/testbed.py
+++ b/rpkid/testbed.py
@@ -584,7 +584,6 @@ class allocation(object):
else:
certifier = self.name + "-SELF-1"
certfile = certifier + "-" + certificant + ".cer"
- rpki.log.trace()
rpki.log.info("Cross certifying %s into %s's BPKI (%s)" % (certificant, certifier, certfile))
signer = subprocess.Popen((prog_openssl, "x509", "-req", "-sha256", "-text",
"-extensions", "req_x509_ext", "-CAcreateserial",
@@ -638,9 +637,10 @@ class allocation(object):
rpki.log.error(signed[1])
raise RuntimeError, "Couldn't issue BSC EE certificate"
bsc_ee = rpki.x509.X509(PEM = signed[0])
+ bsc_crl = rpki.x509.CRL(PEM_file = self.name + "-SELF-1.crl")
rpki.log.info("Installing BSC EE cert for %s" % self.name)
- self.call_rpkid(rpki.left_right.bsc_elt.make_pdu(action = "set", self_id = self.self_id, bsc_id = self.bsc_id, signing_cert = (bsc_ee,)))
+ self.call_rpkid(rpki.left_right.bsc_elt.make_pdu(action = "set", self_id = self.self_id, bsc_id = self.bsc_id, signing_cert = bsc_ee, signing_cert_crl = bsc_crl))
# Once we have a real repository protocol we'll have to do cross-certification here
rpki.log.info("Creating rpkid repository object for %s" % self.name)
@@ -745,6 +745,9 @@ def setup_bpki_cert_chain(name, ee = (), ca = ()):
for kind in ee + ca:
d["kind"] = kind
s += bpki_cert_fmt_5 % d
+ for kind in ("TA",) + ca:
+ d["kind"] = kind
+ s += bpki_cert_fmt_6 % d
subprocess.check_call(s, shell = True)
def setup_rootd(rpkid_name, rpkid_tag):
@@ -828,6 +831,20 @@ CN = Test Certificate %(name)s %(kind)s
basicConstraints = CA:%(ca)s
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
+
+
+[ ca ]
+default_ca = ca_default
+
+[ ca_default ]
+
+certificate = %(name)s-%(kind)s.cer
+serial = %(name)s-%(kind)s.srl
+private_key = %(name)s-%(kind)s.key
+database = %(name)s-%(kind)s.idx
+crlnumber = %(name)s-%(kind)s.cnm
+default_crl_days = 30
+default_md = sha256
'''
bpki_cert_fmt_2 = '''\
@@ -836,6 +853,8 @@ bpki_cert_fmt_2 = '''\
bpki_cert_fmt_3 = '''\
%(openssl)s req -new -sha256 -key %(name)s-%(kind)s.key -out %(name)s-%(kind)s.req -config %(name)s-%(kind)s.conf &&
+touch %(name)s-%(kind)s.idx &&
+echo >%(name)s-%(kind)s.cnm 01 &&
'''
bpki_cert_fmt_4 = '''\
@@ -847,6 +866,10 @@ bpki_cert_fmt_5 = ''' && \
-CA %(name)s-TA.cer -CAkey %(name)s-TA.key -CAcreateserial \
'''
+bpki_cert_fmt_6 = ''' && \
+%(openssl)s ca -batch -gencrl -out %(name)s-%(kind)s.crl -config %(name)s-%(kind)s.conf \
+'''
+
yaml_fmt_1 = '''---
version: 1
posturl: https://localhost:%(https_port)s/up-down/%(child_id)s
diff --git a/rpkid/xml-parse-test.py b/rpkid/xml-parse-test.py
index bf49ad28..3e3b20ef 100755
--- a/rpkid/xml-parse-test.py
+++ b/rpkid/xml-parse-test.py
@@ -52,8 +52,8 @@ def lr_tester(elt_in, elt_out, msg):
assert isinstance(msg, rpki.left_right.msg)
if verbose:
for bsc in [x for x in msg if isinstance(x, rpki.left_right.bsc_elt)]:
- for cert in bsc.signing_cert:
- pprint_cert(cert)
+ if bsc.signing_cert is not None:
+ pprint_cert(bsc.signing_cert)
test(fileglob = "up-down-protocol-samples/*.xml",
rng = rpki.relaxng.up_down,