author | Rob Austein <sra@hactrn.net> | 2008-04-22 22:51:01 +0000 |
---|---|---|
committer | Rob Austein <sra@hactrn.net> | 2008-04-22 22:51:01 +0000 |
commit | 25bbbe4bd0506408fb81f1112c9a933972f05a9a (patch) | |
tree | 191bd890f5e8efebad3414d7b3afc929556b857c | |
parent | 6a53848e91c5b071d16f7e4e696f8e2a8c8ea450 (diff) |
Checkpoint (trust anchor cleanup)
svn path=/rpkid/rpki/gctx.py; revision=1697
-rw-r--r-- | rpkid/rpki/gctx.py | 40 | ||||
-rwxr-xr-x | rpkid/rpkid.py | 6 | ||||
-rw-r--r-- | rpkid/testbed.py | 133 |
3 files changed, 90 insertions, 89 deletions
diff --git a/rpkid/rpki/gctx.py b/rpkid/rpki/gctx.py
index aad7643a..139270f8 100644
--- a/rpkid/rpki/gctx.py
+++ b/rpkid/rpki/gctx.py
@@ -36,15 +36,23 @@ class global_context(object):
 passwd = cfg.get("sql-password"))
 self.cur = self.db.cursor()
- self.cms_ta_irdb = rpki.x509.X509(Auto_file = cfg.get("cms-ta-irdb"))
- self.cms_ta_irbe = rpki.x509.X509(Auto_file = cfg.get("cms-ta-irbe"))
- self.cms_key = rpki.x509.RSA(Auto_file = cfg.get("cms-key"))
- self.cms_certs = rpki.x509.X509_chain(Auto_files = cfg.multiget("cms-cert"))
+ if False:
+ self.cms_ta_irdb = rpki.x509.X509(Auto_file = cfg.get("cms-ta-irdb"))
+ self.cms_ta_irbe = rpki.x509.X509(Auto_file = cfg.get("cms-ta-irbe"))
+ self.cms_key = rpki.x509.RSA(Auto_file = cfg.get("cms-key"))
+ self.cms_certs = rpki.x509.X509_chain(Auto_files = cfg.multiget("cms-cert"))
- self.https_ta_irdb = rpki.x509.X509(Auto_file = cfg.get("https-ta-irdb"))
- self.https_ta_irbe = rpki.x509.X509(Auto_file = cfg.get("https-ta-irbe"))
- self.https_key = rpki.x509.RSA(Auto_file = cfg.get("https-key"))
- self.https_certs = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-cert"))
+ self.https_ta_irdb = rpki.x509.X509(Auto_file = cfg.get("https-ta-irdb"))
+ self.https_ta_irbe = rpki.x509.X509(Auto_file = cfg.get("https-ta-irbe"))
+ self.https_key = rpki.x509.RSA(Auto_file = cfg.get("https-key"))
+ self.https_certs = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-cert"))
+
+ else:
+
+ self.ta_irdb = rpki.x509.X509(Auto_file = cfg.get("ta-irdb"))
+ self.ta_irbe = rpki.x509.X509(Auto_file = cfg.get("ta-irbe"))
+ self.ee_key = rpki.x509.RSA(Auto_file = cfg.get("ee-key"))
+ self.cert_chain = rpki.x509.X509_chain(Auto_files = cfg.multiget("cert-chain"))
 self.irdb_url = cfg.get("irdb-url")
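Review bot: The superseded `cms_*`/`https_*` assignments are parked under `if False:` instead of being deleted, so the constructor now carries ten lines of dead code plus an `else:` branch that is the only one that ever runs. Drop the `if False:`/`else:` scaffolding, dedent the four `self.ta_irdb`/`self.ta_irbe`/`self.ee_key`/`self.cert_chain` assignments, and record the consolidation above them: `# One identity for both layers: ee_key/cert_chain is the HTTPS key pair and the CMS signing identity; ta_irdb/ta_irbe anchor both the TLS peer check and CMS verification.` That single-key design is what the later hunks in this file and the rpkid.py hunk rely on (`rpki.https.client`/`rpki.https.server` and `cms_msg.wrap`/`unwrap` now read the same attributes), so a compromise of the `ee-key` material affects transport authentication and message signing at once; it is worth stating wherever the new `ee-key`, `cert-chain`, `ta-irdb` and `ta-irbe` config keys are documented. The constructor this hunk belongs to starts and ends outside the hunk.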
@@ -74,14 +82,14 @@ class global_context(object):
 q_msg[0].type = "query"
 q_msg[0].self_id = self_id
 q_msg[0].child_id = child_id
- q_cms = rpki.left_right.cms_msg.wrap(q_msg, self.cms_key, self.cms_certs)
+ q_cms = rpki.left_right.cms_msg.wrap(q_msg, self.ee_key, self.cert_chain)
 der = rpki.https.client(
- client_key = self.https_key,
- client_certs = self.https_certs,
- server_ta = self.https_ta_irdb,
+ client_key = self.ee_key,
+ client_certs = self.cert_chain,
+ server_ta = self.ta_irdb,
 url = self.irdb_url,
 msg = q_cms)
- r_msg = rpki.left_right.cms_msg.unwrap(der, self.cms_ta_irdb)
+ r_msg = rpki.left_right.cms_msg.unwrap(der, self.ta_irdb)
 if len(r_msg) == 0 or not isinstance(r_msg[0], rpki.left_right.list_resources_elt) or r_msg[0].type != "reply":
 raise rpki.exceptions.BadIRDBReply, "Unexpected response to IRDB query: %s" % lxml.etree.tostring(r_msg.toXML(), pretty_print = True, encoding = "us-ascii")
 return rpki.resource_set.resource_bag(
@@ -112,9 +120,9 @@ class global_context(object):
 """Process one left-right PDU."""
 rpki.log.trace()
 try:
- q_msg = rpki.left_right.cms_msg.unwrap(query, self.cms_ta_irbe)
+ q_msg = rpki.left_right.cms_msg.unwrap(query, self.ta_irbe)
 r_msg = q_msg.serve_top_level(self)
- reply = rpki.left_right.cms_msg.wrap(r_msg, self.cms_key, self.cms_certs)
+ reply = rpki.left_right.cms_msg.wrap(r_msg, self.ee_key, self.cert_chain)
 self.sql_sweep()
 return 200, reply
 except Exception, data:
@@ -178,7 +186,7 @@ class global_context(object):
 children = rpki.left_right.child_elt.sql_fetch_all(self)
 certs = [c.peer_biz_cert for c in children if c.peer_biz_cert is not None] + \
 [c.peer_biz_glue for c in children if c.peer_biz_glue is not None] + \
- [ self.https_ta_irbe ]
+ [ self.ta_irbe ]
 for x in certs:
 if rpki.https.debug_tls_certs:
 rpki.log.debug("HTTPS dynamic trust anchor %s" % x.getSubject())
diff --git a/rpkid/rpkid.py b/rpkid/rpkid.py
index c61826d7..103a24f6 100755
--- a/rpkid/rpkid.py
+++ b/rpkid/rpkid.py
@@ -54,9 +54,9 @@ gctx = rpki.gctx.global_context(cfg)
 rpki.https.server(host = gctx.https_server_host,
 port = gctx.https_server_port,
- server_key = gctx.https_key,
- server_certs = gctx.https_certs,
- client_ta = gctx.https_ta_irbe,
+ server_key = gctx.ee_key,
+ server_certs = gctx.cert_chain,
+ client_ta = gctx.ta_irbe,
 dynamic_x509store = gctx.build_x509store,
 handlers = (("/left-right", gctx.left_right_handler),
 ("/up-down/", gctx.up_down_handler),
diff --git a/rpkid/testbed.py b/rpkid/testbed.py
index 8d3e86c0..043a4219 100644
--- a/rpkid/testbed.py
+++ b/rpkid/testbed.py
@@ -772,18 +772,18 @@ def mangle_sql(filename):
 biz_cert_fmt_1 = '''\
 [ req ]
-distinguished_name = req_dn
-x509_extensions = req_x509_ext
-prompt = no
-default_md = sha256
+distinguished_name = req_dn
+x509_extensions = req_x509_ext
+prompt = no
+default_md = sha256
 [ req_dn ]
-CN = Test Certificate %(name)s %(kind)s
+CN = Test Certificate %(name)s %(kind)s
 [ req_x509_ext ]
-basicConstraints = CA:%(ca)s
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always
+basicConstraints = CA:%(ca)s
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
 '''
 biz_cert_fmt_2 = '''\
@@ -835,59 +835,52 @@ conf_fmt_1 = '''\
 startup-message = This is %(my_name)s irdbd
-sql-database = %(irdb_db_name)s
-sql-username = irdb
-sql-password = %(irdb_db_pass)s
+sql-database = %(irdb_db_name)s
+sql-username = irdb
+sql-password = %(irdb_db_pass)s
-cms-key = %(my_name)s-IRDB-EE.key
-cms-cert.0 = %(my_name)s-IRDB-EE.cer
-cms-cert.1 = %(my_name)s-IRDB-CA.cer
-cms-ta = %(my_name)s-RPKI-TA.cer
+cms-key = %(my_name)s-IRDB-EE.key
+cms-cert.0 = %(my_name)s-IRDB-EE.cer
+cms-cert.1 = %(my_name)s-IRDB-CA.cer
+cms-ta = %(my_name)s-RPKI-TA.cer
-https-key = %(my_name)s-IRDB-EE.key
-https-cert.0 = %(my_name)s-IRDB-EE.cer
-https-cert.1 = %(my_name)s-IRDB-CA.cer
-https-ta = %(my_name)s-RPKI-TA.cer
+https-key = %(my_name)s-IRDB-EE.key
+https-cert.0 = %(my_name)s-IRDB-EE.cer
+https-cert.1 = %(my_name)s-IRDB-CA.cer
+https-ta = %(my_name)s-RPKI-TA.cer
-https-url = https://localhost:%(irdb_port)d/
+https-url = https://localhost:%(irdb_port)d/
 [irbe-cli]
-cms-key = %(testbed_name)s-EE.key
-cms-cert.0 = %(testbed_name)s-EE.cer
-cms-cert.1 = %(testbed_name)s-CA.cer
-cms-ta = %(my_name)s-RPKI-TA.cer
+cms-key = %(testbed_name)s-EE.key
+cms-cert.0 = %(testbed_name)s-EE.cer
+cms-cert.1 = %(testbed_name)s-CA.cer
+cms-ta = %(my_name)s-RPKI-TA.cer
-https-key = %(testbed_name)s-EE.key
-https-cert.0 = %(testbed_name)s-EE.cer
-https-cert.1 = %(testbed_name)s-CA.cer
-https-ta = %(my_name)s-RPKI-TA.cer
+https-key = %(testbed_name)s-EE.key
+https-cert.0 = %(testbed_name)s-EE.cer
+https-cert.1 = %(testbed_name)s-CA.cer
+https-ta = %(my_name)s-RPKI-TA.cer
-https-url = https://localhost:%(rpki_port)d/left-right
+https-url = https://localhost:%(rpki_port)d/left-right
 [rpkid]
 startup-message = This is %(my_name)s rpkid
-sql-database = %(rpki_db_name)s
-sql-username = rpki
-sql-password = %(rpki_db_pass)s
+sql-database = %(rpki_db_name)s
+sql-username = rpki
+sql-password = %(rpki_db_pass)s
-cms-key = %(my_name)s-RPKI-EE.key
-cms-cert.0 = %(my_name)s-RPKI-EE.cer
-cms-cert.1 = %(my_name)s-RPKI-CA.cer
+ee-key = %(my_name)s-RPKI-EE.key
+cert-chain.0 = %(my_name)s-RPKI-EE.cer
+cert-chain.1 = %(my_name)s-RPKI-CA.cer
-cms-ta-irdb = %(my_name)s-IRDB-TA.cer
-cms-ta-irbe = %(testbed_name)s-TA.cer
+ta-irdb = %(my_name)s-IRDB-TA.cer
+ta-irbe = %(testbed_name)s-TA.cer
-https-key = %(my_name)s-RPKI-EE.key
-https-cert.0 = %(my_name)s-RPKI-EE.cer
-https-cert.1 = %(my_name)s-RPKI-CA.cer
-
-https-ta-irdb = %(my_name)s-IRDB-TA.cer
-https-ta-irbe = %(testbed_name)s-TA.cer
-
-irdb-url = https://localhost:%(irdb_port)d/
+irdb-url = https://localhost:%(irdb_port)d/
 server-host = localhost
 server-port = %(rpki_port)d
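Review bot: The `[rpkid]` section switches to `ee-key`/`cert-chain.N`/`ta-irdb`/`ta-irbe` while `[irdbd]` and `[irbe-cli]` in the same template keep the separate `cms-*`/`https-*` names, and nothing in the template says why the two schemes coexist; the diffstat shows only gctx.py and rpkid.py were converted, so the other daemons still read the old names. A Python comment on the `conf_fmt_1` assignment would save the next reader a trip through gctx.py: `# [rpkid] uses the consolidated ee-key/cert-chain/ta-* names read by rpki.gctx; [irdbd] and [irbe-cli] still use the separate cms-*/https-* names.` The new `[rpkid]` values do line up with the keys gctx.py reads, and the removed `https-*` lines were exact duplicates of the `cms-*` files, so the template itself looks correct. The `conf_fmt_1` string starts outside this hunk.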
@@ -897,44 +890,44 @@ rootd_fmt_1 = '''\
 [rootd]
-cms-key = %(rootd_name)s-EE.key
-cms-cert.0 = %(rootd_name)s-EE.cer
-cms-cert.1 = %(rootd_name)s-CA.cer
-cms-ta = %(rpkid_name)s-RPKI-TA.cer
+cms-key = %(rootd_name)s-EE.key
+cms-cert.0 = %(rootd_name)s-EE.cer
+cms-cert.1 = %(rootd_name)s-CA.cer
+cms-ta = %(rpkid_name)s-RPKI-TA.cer
-https-key = %(rootd_name)s-EE.key
-https-cert.0 = %(rootd_name)s-EE.cer
-https-cert.1 = %(rootd_name)s-CA.cer
-https-ta = %(rpkid_name)s-RPKI-TA.cer
+https-key = %(rootd_name)s-EE.key
+https-cert.0 = %(rootd_name)s-EE.cer
+https-cert.1 = %(rootd_name)s-CA.cer
+https-ta = %(rpkid_name)s-RPKI-TA.cer
-server-port = %(rootd_port)s
+server-port = %(rootd_port)s
 rootd_base = %(rootd_sia)s
 rootd_cert = %(rootd_sia)sWOMBAT.cer
-rpki-subject-filename = %(rsyncd_dir)sWOMBAT.cer
+rpki-subject-filename = %(rsyncd_dir)sWOMBAT.cer
-rpki-key = %(rootd_name)s.key
-rpki-issuer = %(rootd_name)s.cer
-rpki-pkcs10-filename = %(rootd_name)s.subject.pkcs10
+rpki-key = %(rootd_name)s.key
+rpki-issuer = %(rootd_name)s.cer
+rpki-pkcs10-filename = %(rootd_name)s.subject.pkcs10
 [req]
-default_bits = 2048
-encrypt_key = no
-distinguished_name = req_dn
-req_extensions = req_x509_ext
-prompt = no
+default_bits = 2048
+encrypt_key = no
+distinguished_name = req_dn
+req_extensions = req_x509_ext
+prompt = no
 [req_dn]
-CN = Completely Bogus Test Root (NOT FOR PRODUCTION USE)
+CN = Completely Bogus Test Root (NOT FOR PRODUCTION USE)
 [req_x509_ext]
-basicConstraints = critical,CA:true
-subjectKeyIdentifier = hash
-keyUsage = critical,keyCertSign,cRLSign
-subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:%(rootd_sia)s
-sbgp-autonomousSysNum = critical,AS:0-4294967295
-sbgp-ipAddrBlock = critical,IPv4:0.0.0.0/0,IPv6:0::/0
+basicConstraints = critical,CA:true
+subjectKeyIdentifier = hash
+keyUsage = critical,keyCertSign,cRLSign
+subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:%(rootd_sia)s
+sbgp-autonomousSysNum = critical,AS:0-4294967295
+sbgp-ipAddrBlock = critical,IPv4:0.0.0.0/0,IPv6:0::/0
 '''
 rootd_fmt_2 = '''\ |