author | Rob Austein <sra@hactrn.net> | 2008-04-07 21:39:17 +0000 |
committer | Rob Austein <sra@hactrn.net> | 2008-04-07 21:39:17 +0000 |
commit | 14bd2769a9392101fd34b33ffa7d5d211511d97e (patch) | |
tree | b6b7c7e8c9a7fef715018ae2f80ee43748817037 | |
parent | fc8fb08d155a9b30f04cc67ba351725ef4051881 (diff) |
Checkpoint. Add (untested) ability to call out for a dynamic
x509Store verifier object.
svn path=/rpkid/cronjob.py; revision=1627
-rw-r--r-- | rpkid/cronjob.py | 10 | ||||
-rwxr-xr-x | rpkid/irbe-cli.py | 10 | ||||
-rw-r--r-- | rpkid/irbe-setup.py | 14 | ||||
-rwxr-xr-x | rpkid/irdbd.py | 12 | ||||
-rwxr-xr-x | rpkid/rootd.py | 12 | ||||
-rw-r--r-- | rpkid/rpki/gctx.py | 10 | ||||
-rw-r--r-- | rpkid/rpki/https.py | 60 | ||||
-rw-r--r-- | rpkid/rpki/left_right.py | 10 | ||||
-rwxr-xr-x | rpkid/rpkid.py | 16 | ||||
-rw-r--r-- | rpkid/testbed.py | 20 | ||||
-rw-r--r-- | rpkid/testpoke.py | 6 |
11 files changed, 94 insertions, 86 deletions
diff --git a/rpkid/cronjob.py b/rpkid/cronjob.py index c21caf05..65056c40 100644 --- a/rpkid/cronjob.py +++ b/rpkid/cronjob.py @@ -40,8 +40,8 @@ if argv: cfg = rpki.config.parser(cfg_file, "cronjob") -print rpki.https.client(privateKey = rpki.x509.RSA(Auto_file = cfg.get("https-key")), - certChain = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-cert")), - x509TrustList = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-ta")), - url = cfg.get("https-url"), - msg = "Please run cron now.") +print rpki.https.client(client_key = rpki.x509.RSA(Auto_file = cfg.get("https-key")), + client_certs = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-cert")), + server_ta = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-ta")), + url = cfg.get("https-url"), + msg = "Please run cron now.") diff --git a/rpkid/irbe-cli.py b/rpkid/irbe-cli.py index af75d430..9031afe1 100755 --- a/rpkid/irbe-cli.py +++ b/rpkid/irbe-cli.py @@ -181,11 +181,11 @@ q_cms = rpki.cms.sign(q_xml, rpki.x509.RSA(Auto_file = cfg.get("cms-key")), rpki.x509.X509_chain(Auto_files = cfg.multiget("cms-cert"))) -r_cms = rpki.https.client(privateKey = rpki.x509.RSA(Auto_file = cfg.get("https-key")), - certChain = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-cert")), - x509TrustList = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-ta")), - url = cfg.get("https-url"), - msg = q_cms) +r_cms = rpki.https.client(client_key = rpki.x509.RSA(Auto_file = cfg.get("https-key")), + client_certs = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-cert")), + server_ta = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-ta")), + url = cfg.get("https-url"), + msg = q_cms) r_xml = rpki.cms.verify(r_cms, rpki.x509.X509(Auto_file = cfg.get("cms-ta"))) diff --git a/rpkid/irbe-setup.py b/rpkid/irbe-setup.py index 90ea5113..0011bb09 100644 --- a/rpkid/irbe-setup.py +++ b/rpkid/irbe-setup.py 
@@ -53,13 +53,13 @@ def call_rpkid(pdu): except lxml.etree.DocumentInvalid: print lxml.etree.tostring(elt, pretty_print = True, encoding = "us-ascii") raise - elt = rpki.cms.xml_verify(cms = rpki.https.client(privateKey = https_key, - certChain = https_certs, - x509TrustList = https_tas, - url = https_url, - msg = rpki.cms.xml_sign(elt = elt, - key = cms_key, - certs = cms_certs)), + elt = rpki.cms.xml_verify(cms = rpki.https.client(client_key = https_key, + client_certs = https_certs, + server_ta = https_tas, + url = https_url, + msg = rpki.cms.xml_sign(elt = elt, + key = cms_key, + certs = cms_certs)), ta = cms_ta) try: rpki.relaxng.left_right.assertValid(elt) diff --git a/rpkid/irdbd.py b/rpkid/irdbd.py index 18c75bff..5b8c72a3 100755 --- a/rpkid/irdbd.py +++ b/rpkid/irdbd.py @@ -124,9 +124,9 @@ assert u.scheme in ("", "https") and \ u.query == "" and \ u.fragment == "" -rpki.https.server(privateKey = rpki.x509.RSA(Auto_file = cfg.get("https-key")), - certChain = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-cert")), - x509TrustList = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-ta")), - host = u.hostname or "localhost", - port = u.port or 443, - handlers = ((u.path, handler),)) +rpki.https.server(server_key = rpki.x509.RSA(Auto_file = cfg.get("https-key")), + server_certs = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-cert")), + client_ta = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-ta")), + host = u.hostname or "localhost", + port = u.port or 443, + handlers = ((u.path, handler),)) diff --git a/rpkid/rootd.py b/rpkid/rootd.py index 8f113938..9e2991ac 100755 --- a/rpkid/rootd.py +++ b/rpkid/rootd.py 
@@ -196,9 +196,9 @@ rootd_name = cfg.get("rootd_name", "wombat") rootd_base = cfg.get("rootd_base", "rsync://" + rootd_name + ".invalid/") rootd_cert = cfg.get("rootd_cert", rootd_base + "rootd.cer") -rpki.https.server(privateKey = https_key, - certChain = https_certs, - x509TrustList = https_ta, - host = https_server_host, - port = https_server_port, - handlers = up_down_handler) +rpki.https.server(server_key = https_key, + server_certs = https_certs, + client_ta = https_ta, + host = https_server_host, + port = https_server_port, + handlers = up_down_handler) diff --git a/rpkid/rpki/gctx.py b/rpkid/rpki/gctx.py index 33bded85..b1ecdcd0 100644 --- a/rpkid/rpki/gctx.py +++ b/rpkid/rpki/gctx.py @@ -75,11 +75,11 @@ class global_context(object): rpki.relaxng.left_right.assertValid(q_elt) q_cms = rpki.cms.xml_sign(q_elt, self.cms_key, self.cms_certs) r_cms = rpki.https.client( - privateKey = self.https_key, - certChain = self.https_certs, - x509TrustList = self.https_ta_irdb, - url = self.irdb_url, - msg = q_cms) + client_key = self.https_key, + client_certs = self.https_certs, + server_ta = self.https_ta_irdb, + url = self.irdb_url, + msg = q_cms) r_elt = rpki.cms.xml_verify(r_cms, self.cms_ta_irdb) rpki.relaxng.left_right.assertValid(r_elt) r_msg = rpki.left_right.sax_handler.saxify(r_elt) diff --git a/rpkid/rpki/https.py b/rpkid/rpki/https.py index c3b96f5e..9659fe73 100644 --- a/rpkid/rpki/https.py +++ b/rpkid/rpki/https.py 
@@ -35,15 +35,23 @@ rpki_content_type = "application/x-rpki" class Checker(tlslite.api.Checker): """Derived class to handle X.509 client certificate checking.""" - def __init__(self, x509TrustList = None): + def __init__(self, trust_anchors = None, dynamic_x509store = None): """Initialize our modified certificate checker.""" - self.x509store = POW.X509Store() - if x509TrustList is not None: - for x in x509TrustList: + self.dynamic_x509store = dynamic_x509store + + if dynamic_x509store is None: + self.x509store = POW.X509Store() + for x in trust_anchors: rpki.log.debug("HTTPS trust anchor %s" % x.getSubject()) self.x509store.addTrust(x.get_POW()) + def x509store_thunk(self): + if self.dynamic_x509store is not None: + return self.dynamic_x509store() + else: + return self.x509store + def __call__(self, tlsConnection): """POW/OpenSSL-based certificate checker.""" @@ -57,9 +65,9 @@ class Checker(tlslite.api.Checker): chain = [rpki.x509.X509(tlslite = chain.x509List[i]) for i in range(chain.getNumCerts())] for i in range(len(chain)): - rpki.log.debug("Received cert[%d] %s from %s" % (i, chain[i].getSubject(), peer)) + rpki.log.debug("Received %s TLS cert[%d] %s" % (peer, i, chain[i].getSubject())) - if not self.x509store.verifyChain(chain[0].get_POW(), [x.get_POW() for x in chain[1:]]): + if not self.x509store_thunk().verifyChain(chain[0].get_POW(), [x.get_POW() for x in chain[1:]]): if disable_tls_certificate_validation_exceptions: rpki.log.warn("DANGER WILL ROBINSON! IGNORING TLS VALIDATION FAILURE!") else: 
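Review bot: `Checker.__init__` drops the old `if x509TrustList is not None` guard, so when `dynamic_x509store` is unset the new `for x in trust_anchors:` loop iterates the default `None` and raises TypeError at construction; `httpsClient.__init__` (hunk @@ -69) and `server()` (hunk @@ -197) still default `server_ta`/`client_ta` to `None` and pass them straight through, so both entry points reach it. Restoring the guard would rebuild the pre-existing behaviour of an empty store that rejects every chain, but since neither configuration is usable, an explicit fail-closed check reads better: `if trust_anchors is None: raise ValueError("Checker requires trust_anchors or dynamic_x509store")` before the loop. The new `x509store_thunk` lacks the docstring every other method in this class carries; `"""Return the X509Store to verify against: the dynamic callback's result if one was supplied, otherwise the static store built from trust_anchors."""` would state the contract. If that callback ever returns `None`, `__call__`'s `self.x509store_thunk().verifyChain(...)` in hunk @@ -57 fails with an AttributeError rather than a validation failure — presumably acceptable for a checkpoint, but the expected return type should be noted on the parameter. The body of `__call__` begins in this hunk and continues past it.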
@@ -69,17 +77,17 @@ class httpsClient(tlslite.api.HTTPTLSConnection): """Derived class to let us replace the default Checker.""" def __init__(self, host, port = None, - certChain = None, privateKey = None, - x509TrustList = None, settings = None): + client_certs = None, client_key = None, + server_ta = None, settings = None): """Create a new httpsClient.""" tlslite.api.HTTPTLSConnection.__init__( self, host = host, port = port, settings = settings, - certChain = certChain, privateKey = privateKey) + certChain = client_certs, privateKey = client_key) - self.checker = Checker(x509TrustList = x509TrustList) + self.checker = Checker(trust_anchors = server_ta) -def client(msg, privateKey, certChain, x509TrustList, url, timeout = 300): +def client(msg, client_key, client_certs, server_ta, url, timeout = 300): """Open client HTTPS connection, send a message, wait for response. This function wraps most of what one needs to do to send a message @@ -101,11 +109,11 @@ def client(msg, privateKey, certChain, x509TrustList, url, timeout = 300): # pass in a tlslite.HandshakeSettings object that would let us # insist on, eg, particular SSL/TLS versions. - httpc = httpsClient(host = u.hostname or "localhost", - port = u.port or 443, - privateKey = privateKey.get_tlslite(), - certChain = certChain.tlslite_certChain(), - x509TrustList = x509TrustList) + httpc = httpsClient(host = u.hostname or "localhost", + port = u.port or 443, + client_key = client_key.get_tlslite(), + client_certs = client_certs.tlslite_certChain(), + server_ta = server_ta) httpc.connect() httpc.sock.settimeout(timeout) httpc.request("POST", u.path, msg, {"Content-Type" : rpki_content_type}) 
@@ -160,14 +168,14 @@ class httpsServer(tlslite.api.TLSSocketServerMixIn, BaseHTTPServer.HTTPServer): """Derived type to handle TLS aspects of HTTPS.""" rpki_sessionCache = None - rpki_privateKey = None - rpki_certChain = None + rpki_server_key = None + rpki_server_certs = None rpki_checker = None def handshake(self, tlsConnection): """TLS handshake handler.""" - assert self.rpki_certChain is not None - assert self.rpki_privateKey is not None + assert self.rpki_server_certs is not None + assert self.rpki_server_key is not None assert self.rpki_sessionCache is not None try: # @@ -175,8 +183,8 @@ class httpsServer(tlslite.api.TLSSocketServerMixIn, BaseHTTPServer.HTTPServer): # to pass in a tlslite.HandshakeSettings object that would let # us insist on, eg, particular SSL/TLS versions. # - tlsConnection.handshakeServer(certChain = self.rpki_certChain, - privateKey = self.rpki_privateKey, + tlsConnection.handshakeServer(certChain = self.rpki_server_certs, + privateKey = self.rpki_server_key, sessionCache = self.rpki_sessionCache, checker = self.rpki_checker, reqCert = True) @@ -186,7 +194,7 @@ class httpsServer(tlslite.api.TLSSocketServerMixIn, BaseHTTPServer.HTTPServer): rpki.log.warn("TLS handshake failure: " + str(error)) return False -def server(handlers, privateKey, certChain, port = 4433, host = "", x509TrustList = None): +def server(handlers, server_key, server_certs, port = 4433, host = "", client_ta = None): """Run an HTTPS server and wait (forever) for connections.""" if not isinstance(handlers, (tuple, list)): 
@@ -197,9 +205,9 @@ def server(handlers, privateKey, certChain, port = 4433, host = "", x509TrustLis httpd = httpsServer((host, port), boundRequestHandler) - httpd.rpki_privateKey = privateKey.get_tlslite() - httpd.rpki_certChain = certChain.tlslite_certChain() + httpd.rpki_server_key = server_key.get_tlslite() + httpd.rpki_server_certs = server_certs.tlslite_certChain() httpd.rpki_sessionCache = tlslite.api.SessionCache() - httpd.rpki_checker = Checker(x509TrustList = x509TrustList) + httpd.rpki_checker = Checker(trust_anchors = client_ta) httpd.serve_forever() diff --git a/rpkid/rpki/left_right.py b/rpkid/rpki/left_right.py index 462f5e65..bc4e1858 100644 --- a/rpkid/rpki/left_right.py +++ b/rpkid/rpki/left_right.py @@ -612,11 +612,11 @@ class parent_elt(data_elt): # The following certs look wrong for what we're doing here. # We should be using a bsc, shouldn't we? - r_cms = rpki.https.client(x509TrustList = rpki.x509.X509_chain(self.https_ta), - privateKey = self.gctx.https_key, - certChain = self.gctx.https_certs, - msg = q_cms, - url = self.peer_contact_uri) + r_cms = rpki.https.client(server_ta = rpki.x509.X509_chain(self.https_ta), + client_key = self.gctx.https_key, + client_certs = self.gctx.https_certs, + msg = q_cms, + url = self.peer_contact_uri) r_elt = rpki.cms.xml_verify(r_cms, self.cms_ta) rpki.relaxng.up_down.assertValid(r_elt) r_msg = rpki.up_down.sax_handler.saxify(r_elt) diff --git a/rpkid/rpkid.py b/rpkid/rpkid.py index 6b356c90..e6fbb370 100755 --- a/rpkid/rpkid.py +++ b/rpkid/rpkid.py 
@@ -52,11 +52,11 @@ if startup_msg: gctx = rpki.gctx.global_context(cfg) -rpki.https.server(privateKey = gctx.https_key, - certChain = gctx.https_certs, - x509TrustList = gctx.https_ta_irbe, - host = gctx.https_server_host, - port = gctx.https_server_port, - handlers=(("/left-right", gctx.left_right_handler), - ("/up-down/", gctx.up_down_handler), - ("/cronjob", gctx.cronjob_handler))) +rpki.https.server(server_key = gctx.https_key, + server_certs = gctx.https_certs, + client_ta = gctx.https_ta_irbe, + host = gctx.https_server_host, + port = gctx.https_server_port, + handlers = (("/left-right", gctx.left_right_handler), + ("/up-down/", gctx.up_down_handler), + ("/cronjob", gctx.cronjob_handler))) diff --git a/rpkid/testbed.py b/rpkid/testbed.py index 5c3099d5..daa73f50 100644 --- a/rpkid/testbed.py +++ b/rpkid/testbed.py @@ -532,11 +532,11 @@ class allocation(object): url = "https://localhost:%d/left-right" % self.rpki_port rpki.log.debug("Attempting to connect to %s" % url) cms = rpki.https.client( - privateKey = testbed_key, - certChain = testbed_certs, - x509TrustList = rpki.x509.X509_chain(self.rpkid_ta), - url = url, - msg = cms) + client_key = testbed_key, + client_certs = testbed_certs, + server_ta = rpki.x509.X509_chain(self.rpkid_ta), + url = url, + msg = cms) elt = rpki.cms.xml_verify(cms = cms, ta = self.rpkid_ta) rpki.relaxng.left_right.assertValid(elt) rpki.log.debug(lxml.etree.tostring(elt, pretty_print = True, encoding = "us-ascii")) 
@@ -625,11 +625,11 @@ class allocation(object): """Trigger cron run for this engine.""" rpki.log.info("Running cron for %s" % self.name) - rpki.https.client(privateKey = testbed_key, - certChain = testbed_certs, - x509TrustList = rpki.x509.X509_chain(self.rpkid_ta), - url = "https://localhost:%d/cronjob" % self.rpki_port, - msg = "Run cron now, please") + rpki.https.client(client_key = testbed_key, + client_certs = testbed_certs, + server_ta = rpki.x509.X509_chain(self.rpkid_ta), + url = "https://localhost:%d/cronjob" % self.rpki_port, + msg = "Run cron now, please") def run_yaml(self): """Run YAML scripts for this leaf entity.""" diff --git a/rpkid/testpoke.py b/rpkid/testpoke.py index 3d23751b..185c99ea 100644 --- a/rpkid/testpoke.py +++ b/rpkid/testpoke.py @@ -90,9 +90,9 @@ def query_up_down(q_pdu): rpki.relaxng.up_down.assertValid(q_elt) q_cms = rpki.cms.xml_sign(q_elt, cms_key, cms_certs, encoding = "UTF-8") r_cms = rpki.https.client( - x509TrustList = https_ta, - privateKey = https_key, - certChain = https_certs, + server_ta = https_ta, + client_key = https_key, + client_certs = https_certs, msg = q_cms, url = yaml_data["posturl"]) r_xml = rpki.cms.verify(r_cms, cms_ta) |