authorRob Austein <sra@hactrn.net>2010-09-10 02:57:34 +0000
committerRob Austein <sra@hactrn.net>2010-09-10 02:57:34 +0000
commit444389ab7c099b5f2dc663bc10d2f9992bd4afeb (patch)
tree44ea6eeb4a625d842e71266e7ff0a7249c0239a0
parent3eeab24a534366dfcdc560d58a0a060c04e7c51e (diff)
Refactor .wrap()/.unwrap() code prior to adding CMS timestamp checks.
svn path=/rpkid/irdbd.py; revision=3445
-rw-r--r--rpkid/irdbd.py4
-rw-r--r--rpkid/pubd.py4
-rw-r--r--rpkid/rootd.py17
-rw-r--r--rpkid/rpki/https.py30
-rw-r--r--rpkid/rpki/left_right.py40
-rw-r--r--rpkid/rpki/rpki_engine.py25
-rw-r--r--rpkid/rpki/x509.py21
-rw-r--r--rpkid/tests/smoketest.py72
-rw-r--r--rpkid/tests/testpoke.py12
9 files changed, 110 insertions, 115 deletions
diff --git a/rpkid/irdbd.py b/rpkid/irdbd.py
index f7724d89..805166dc 100644
--- a/rpkid/irdbd.py
+++ b/rpkid/irdbd.py
@@ -125,7 +125,7 @@ def handler(query, path, cb):
try:
- q_msg = rpki.left_right.cms_msg.unwrap(query, (bpki_ta, rpkid_cert))
+ q_msg = rpki.left_right.cms_msg(DER = query).unwrap((bpki_ta, rpkid_cert))
if not isinstance(q_msg, rpki.left_right.msg) or not q_msg.is_query():
raise rpki.exceptions.BadQuery, "Unexpected %r PDU" % q_msg
@@ -151,7 +151,7 @@ def handler(query, path, cb):
rpki.log.traceback()
r_msg.append(rpki.left_right.report_error_elt.from_exception(data))
- cb(200, rpki.left_right.cms_msg.wrap(r_msg, irdbd_key, irdbd_cert))
+ cb(200, rpki.left_right.cms_msg().wrap(r_msg, irdbd_key, irdbd_cert))
except (rpki.async.ExitNow, SystemExit):
raise
diff --git a/rpkid/pubd.py b/rpkid/pubd.py
index a9ddca6b..ecb9446b 100644
--- a/rpkid/pubd.py
+++ b/rpkid/pubd.py
@@ -70,11 +70,11 @@ class pubd_context(object):
"""
def done(r_msg):
- reply = rpki.publication.cms_msg.wrap(r_msg, self.pubd_key, self.pubd_cert, crl)
+ reply = rpki.publication.cms_msg().wrap(r_msg, self.pubd_key, self.pubd_cert, crl)
self.sql.sweep()
cb(reply)
- q_msg = rpki.publication.cms_msg.unwrap(query, certs)
+ q_msg = rpki.publication.cms_msg(DER = query).unwrap(certs)
q_msg.serve_top_level(self, client, done)
def control_handler(self, query, path, cb):
diff --git a/rpkid/rootd.py b/rpkid/rootd.py
index 7643aafd..8e1ae2d4 100644
--- a/rpkid/rootd.py
+++ b/rpkid/rootd.py
@@ -237,30 +237,29 @@ class cms_msg(rpki.up_down.cms_msg):
def up_down_handler(query, path, cb):
try:
- q_msg = cms_msg.unwrap(query, (bpki_ta, child_bpki_cert))
+ q_msg = cms_msg(DER = query).unwrap((bpki_ta, child_bpki_cert))
except (rpki.async.ExitNow, SystemExit):
raise
- except Exception, data:
+ except Exception, e:
rpki.log.traceback()
- return cb(400, "Could not process PDU: %s" % data)
+ return cb(400, "Could not process PDU: %s" % e)
def done(r_msg):
- r_cms = cms_msg.wrap(r_msg, rootd_bpki_key, rootd_bpki_cert, rootd_bpki_crl)
- cb(200, r_cms)
+ cb(200, cms_msg().wrap(r_msg, rootd_bpki_key, rootd_bpki_cert, rootd_bpki_crl))
try:
q_msg.serve_top_level(None, done)
except (rpki.async.ExitNow, SystemExit):
raise
- except Exception, data:
+ except Exception, e:
rpki.log.traceback()
try:
- done(q_msg.serve_error(data))
+ done(q_msg.serve_error(e))
except (rpki.async.ExitNow, SystemExit):
raise
- except Exception, data:
+ except Exception, e:
rpki.log.traceback()
- cb(500, "Could not process PDU: %s" % data)
+ cb(500, "Could not process PDU: %s" % e)
os.environ["TZ"] = "UTC"
time.tzset()
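Review bot: The 400 and 500 replies on the `return cb(400, "Could not process PDU: %s" % e)` and `cb(500, "Could not process PDU: %s" % e)` lines send the text of whatever exception was caught back to the remote peer, and the rename from `data` to `e` keeps that behaviour. Since `rpki.log.traceback()` already records the detail on the server side, a fixed body such as `cb(400, "Could not process PDU")` would stop internal error text (library messages, paths) from being echoed to the child. The equivalent handlers in irdbd.py and rpki_engine.py are cut off in this diff before their error replies, so I cannot say whether they do the same.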
diff --git a/rpkid/rpki/https.py b/rpkid/rpki/https.py
index a291f771..8592b578 100644
--- a/rpkid/rpki/https.py
+++ b/rpkid/rpki/https.py
@@ -1075,10 +1075,12 @@ class http_queue(object):
processing this result, kick off next message in the queue, if any.
"""
- if not self.queue:
+ try:
+ req = self.queue.pop(0)
+ except IndexError:
self.log("No caller, this should not happen. Dropping result %r" % result)
+ return
- req = self.queue.pop(0)
self.log("Dequeuing request %r" % req)
try:
@@ -1215,33 +1217,29 @@ class caller(object):
def __call__(self, cb, eb, *pdus):
- def done(cms):
+ def done(r_der):
"""
Handle CMS-wrapped XML response message.
"""
- result = self.proto.cms_msg.unwrap(cms, (self.server_ta, self.server_cert), pretty_print = self.debug)
+ r_cms = self.proto.cms_msg(DER = r_der)
+ r_msg = r_cms.unwrap((self.server_ta, self.server_cert))
if self.debug:
- msg, xml = result
print "<!-- Reply -->"
- print xml
- else:
- msg = result
- cb(msg)
+ print r_cms.pretty_print_content()
+ cb(r_msg)
- msg = self.proto.msg.query(*pdus)
- result = self.proto.cms_msg.wrap(msg, self.client_key, self.client_cert, pretty_print = self.debug)
+ q_msg = self.proto.msg.query(*pdus)
+ q_cms = self.proto.cms_msg()
+ q_der = q_cms.wrap(q_msg, self.client_key, self.client_cert)
if self.debug:
- cms, xml = result
print "<!-- Query -->"
- print xml
- else:
- cms = result
+ print q_cms.pretty_print_content()
client(
client_key = self.client_key,
client_cert = self.client_cert,
server_ta = self.server_ta,
url = self.url,
- msg = cms,
+ msg = q_der,
callback = done,
errback = eb)
diff --git a/rpkid/rpki/left_right.py b/rpkid/rpki/left_right.py
index 63ab9f87..8d2bf0ad 100644
--- a/rpkid/rpki/left_right.py
+++ b/rpkid/rpki/left_right.py
@@ -667,12 +667,12 @@ class repository_elt(data_elt):
rpki.log.info("Sending <%s %r %r> to pubd" % (q_pdu.action, q_pdu.uri, q_pdu.payload))
bsc = self.bsc()
- q_cms = rpki.publication.cms_msg.wrap(q_msg, bsc.private_key_id, bsc.signing_cert, bsc.signing_cert_crl)
+ q_der = rpki.publication.cms_msg().wrap(q_msg, bsc.private_key_id, bsc.signing_cert, bsc.signing_cert_crl)
bpki_ta_path = (self.gctx.bpki_ta, self.self().bpki_cert, self.self().bpki_glue, self.bpki_cert, self.bpki_glue)
- def done(r_cms):
+ def done(r_der):
try:
- r_msg = rpki.publication.cms_msg.unwrap(r_cms, bpki_ta_path)
+ r_msg = rpki.publication.cms_msg(DER = r_der).unwrap(bpki_ta_path)
for r_pdu in r_msg:
handler = handlers.get(r_pdu.tag, self.default_pubd_handler)
if handler:
@@ -690,7 +690,7 @@ class repository_elt(data_elt):
client_cert = bsc.signing_cert,
server_ta = bpki_ta_path,
url = self.peer_contact_uri,
- msg = q_cms,
+ msg = q_der,
callback = done,
errback = errback)
@@ -821,15 +821,17 @@ class parent_elt(data_elt):
sender = self.sender_name,
recipient = self.recipient_name)
- q_cms = rpki.up_down.cms_msg.wrap(q_msg, bsc.private_key_id,
- bsc.signing_cert,
- bsc.signing_cert_crl)
+ q_der = rpki.up_down.cms_msg().wrap(q_msg, bsc.private_key_id,
+ bsc.signing_cert,
+ bsc.signing_cert_crl)
- def unwrap(der):
+ def unwrap(r_der):
try:
- r_msg = rpki.up_down.cms_msg.unwrap(der, (self.gctx.bpki_ta,
- self.self().bpki_cert, self.self().bpki_glue,
- self.bpki_cms_cert, self.bpki_cms_glue))
+ r_msg = rpki.up_down.cms_msg(DER = r_der).unwrap((self.gctx.bpki_ta,
+ self.self().bpki_cert,
+ self.self().bpki_glue,
+ self.bpki_cms_cert,
+ self.bpki_cms_glue))
r_msg.payload.check_response()
except (SystemExit, rpki.async.ExitNow):
raise
@@ -843,7 +845,7 @@ class parent_elt(data_elt):
self.bpki_https_cert, self.bpki_https_glue),
client_key = bsc.private_key_id,
client_cert = bsc.signing_cert,
- msg = q_cms,
+ msg = q_der,
url = self.peer_contact_uri,
callback = unwrap,
errback = eb)
@@ -931,9 +933,11 @@ class child_elt(data_elt):
bsc = self.bsc()
if bsc is None:
raise rpki.exceptions.BSCNotFound, "Could not find BSC %s" % self.bsc_id
- q_msg = rpki.up_down.cms_msg.unwrap(query, (self.gctx.bpki_ta,
- self.self().bpki_cert, self.self().bpki_glue,
- self.bpki_cert, self.bpki_glue))
+ q_msg = rpki.up_down.cms_msg(DER = query).unwrap((self.gctx.bpki_ta,
+ self.self().bpki_cert,
+ self.self().bpki_glue,
+ self.bpki_cert,
+ self.bpki_glue))
q_msg.payload.gctx = self.gctx
if enforce_strict_up_down_xml_sender and q_msg.sender != str(self.child_id):
raise rpki.exceptions.BadSender, "Unexpected XML sender %s" % q_msg.sender
@@ -944,9 +948,9 @@ class child_elt(data_elt):
# sane way of reporting errors in the error reporting mechanism.
# May require refactoring, ignore the issue for now.
#
- r_cms = rpki.up_down.cms_msg.wrap(r_msg, bsc.private_key_id,
- bsc.signing_cert, bsc.signing_cert_crl)
- callback(r_cms)
+ reply = rpki.up_down.cms_msg().wrap(r_msg, bsc.private_key_id,
+ bsc.signing_cert, bsc.signing_cert_crl)
+ callback(reply)
try:
q_msg.serve_top_level(self, done)
diff --git a/rpkid/rpki/rpki_engine.py b/rpkid/rpki/rpki_engine.py
index 36b53616..f3326939 100644
--- a/rpkid/rpki/rpki_engine.py
+++ b/rpkid/rpki/rpki_engine.py
@@ -83,7 +83,7 @@ class rpkid_context(object):
else:
rpki.log.debug("Not using internal clock, start_cron() call ignored")
- def irdb_query(self, q_pdu, callback, errback):
+ def irdb_query(self, q_pdu, callback, errback, expected_pdu_count = None):
"""
Perform an IRDB callback query.
"""
@@ -92,12 +92,17 @@ class rpkid_context(object):
q_msg = rpki.left_right.msg.query()
q_msg.append(q_pdu)
- q_cms = rpki.left_right.cms_msg.wrap(q_msg, self.rpkid_key, self.rpkid_cert)
+ q_der = rpki.left_right.cms_msg().wrap(q_msg, self.rpkid_key, self.rpkid_cert)
- def unwrap(der):
- r_msg = rpki.left_right.cms_msg.unwrap(der, (self.bpki_ta, self.irdb_cert))
+ def unwrap(r_der):
+ r_cms = rpki.left_right.cms_msg(DER = r_der)
+ r_msg = r_cms.unwrap((self.bpki_ta, self.irdb_cert))
if not r_msg.is_reply() or not all(type(r_pdu) is type(q_pdu) for r_pdu in r_msg):
- raise rpki.exceptions.BadIRDBReply, "Unexpected response to IRDB query: %s" % lxml.etree.tostring(r_msg.toXML(), pretty_print = True, encoding = "us-ascii")
+ raise rpki.exceptions.BadIRDBReply, "Unexpected response to IRDB query: %s" % r_cms.pretty_print_content()
+ if expected_pdu_count is not None and len(r_msg) != expected_pdu_count:
+ assert isinstance(expected_pdu_count, (int, long))
+ raise rpki.exceptions.BadIRDBReply, "Expected exactly %d PDU%s from IRDB: %s" (
+ expected_pdu_count, "" if expected_pdu_count == 1 else "s", r_cms.pretty_print_content())
callback(r_msg)
rpki.https.client(
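Review bot: The new `expected_pdu_count` check in `unwrap` can never raise `BadIRDBReply`: on the `raise` line the format string is followed directly by the argument tuple with no `%`, so `"Expected exactly %d PDU%s from IRDB: %s" (` is a call on a str object and fails with `TypeError` before the exception is built. The line should read `raise rpki.exceptions.BadIRDBReply, "Expected exactly %d PDU%s from IRDB: %s" % (`. The `assert isinstance(expected_pdu_count, (int, long))` just above it is stripped under `-O` and only runs after the comparison has already used the value, so it belongs at the top of `irdb_query` or should be a real check. This also affects the hunk at `@@ -121,15 +126,13 @@`, whose `done` drops its own length check and now relies on `expected_pdu_count = 1` to guard `r_msg[0]`. irdb_query's body continues outside the hunk.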
@@ -105,7 +110,7 @@ class rpkid_context(object):
client_key = self.rpkid_key,
client_cert = self.rpkid_cert,
url = self.irdb_url,
- msg = q_cms,
+ msg = q_der,
callback = unwrap,
errback = errback)
@@ -121,15 +126,13 @@ class rpkid_context(object):
q_pdu.child_handle = child_handle
def done(r_msg):
- if len(r_msg) != 1:
- raise rpki.exceptions.BadIRDBReply, "Expected exactly one PDU from IRDB: %s" % lxml.etree.tostring(r_msg.toXML(), pretty_print = True, encoding = "us-ascii")
callback(rpki.resource_set.resource_bag(
asn = r_msg[0].asn,
v4 = r_msg[0].ipv4,
v6 = r_msg[0].ipv6,
valid_until = r_msg[0].valid_until))
- self.irdb_query(q_pdu, done, errback)
+ self.irdb_query(q_pdu, done, errback, expected_pdu_count = 1)
def irdb_query_roa_requests(self, self_handle, callback, errback):
"""
@@ -151,13 +154,13 @@ class rpkid_context(object):
rpki.log.trace()
def done(r_msg):
- reply = rpki.left_right.cms_msg.wrap(r_msg, self.rpkid_key, self.rpkid_cert)
+ reply = rpki.left_right.cms_msg().wrap(r_msg, self.rpkid_key, self.rpkid_cert)
self.sql.sweep()
cb(200, reply)
try:
self.sql.ping()
- q_msg = rpki.left_right.cms_msg.unwrap(query, (self.bpki_ta, self.irbe_cert))
+ q_msg = rpki.left_right.cms_msg(DER = query).unwrap((self.bpki_ta, self.irbe_cert))
if not q_msg.is_query():
raise rpki.exceptions.BadQuery, "Message type is not query"
q_msg.serve_top_level(self, done)
diff --git a/rpkid/rpki/x509.py b/rpkid/rpki/x509.py
index dcbf3b20..317ef334 100644
--- a/rpkid/rpki/x509.py
+++ b/rpkid/rpki/x509.py
@@ -1146,38 +1146,27 @@ class XML_CMS_object(CMS_object):
f.write(self.get_DER())
f.close()
- @classmethod
- def wrap(cls, msg, keypair, certs, crls = None, pretty_print = False):
+ def wrap(self, msg, keypair, certs, crls = None):
"""
- Build a CMS-wrapped XML PDU and return its DER encoding.
+ Wrap an XML PDU in CMS and return its DER encoding.
"""
rpki.log.trace()
- self = cls()
self.set_content(msg.toXML())
self.schema_check()
self.sign(keypair, certs, crls)
if self.dump_outbound_cms:
self.dump_outbound_cms.dump(self)
- if pretty_print:
- return self.get_DER(), self.pretty_print_content()
- else:
- return self.get_DER()
+ return self.get_DER()
- @classmethod
- def unwrap(cls, der, ta, pretty_print = False):
+ def unwrap(self, ta):
"""
Unwrap a CMS-wrapped XML PDU and return Python objects.
"""
- self = cls(DER = der)
if self.dump_inbound_cms:
self.dump_inbound_cms.dump(self)
self.verify(ta)
self.schema_check()
- msg = self.saxify(self.get_content())
- if pretty_print:
- return msg, self.pretty_print_content()
- else:
- return msg
+ return self.saxify(self.get_content())
class CRL(DER_object):
"""
diff --git a/rpkid/tests/smoketest.py b/rpkid/tests/smoketest.py
index 56c3f40b..335f73a8 100644
--- a/rpkid/tests/smoketest.py
+++ b/rpkid/tests/smoketest.py
@@ -779,36 +779,37 @@ class allocation(object):
self = self.hosted_by
assert not self.is_hosted()
-
assert isinstance(pdus, (list, tuple))
assert self.rpki_port is not None
- msg = rpki.left_right.msg.query(*pdus)
- cms, xml = rpki.left_right.cms_msg.wrap(msg, self.irbe_key, self.irbe_cert,
- pretty_print = True)
- rpki.log.debug(xml)
- url = "https://localhost:%d/left-right" % self.rpki_port
+ q_msg = rpki.left_right.msg.query(*pdus)
+ q_cms = rpki.left_right.cms_msg()
+ q_der = q_cms.wrap(q_msg, self.irbe_key, self.irbe_cert)
+ q_url = "https://localhost:%d/left-right" % self.rpki_port
+
+ rpki.log.debug(q_cms.pretty_print_content())
- def done(val):
+ def done(r_der):
rpki.log.info("Callback from rpkid %s" % self.name)
- if isinstance(val, Exception):
- raise val
- msg, xml = rpki.left_right.cms_msg.unwrap(val, (self.rpkid_ta, self.rpkid_cert),
- pretty_print = True)
- rpki.log.debug(xml)
- assert msg.is_reply()
- for pdu in msg:
- assert not isinstance(pdu, rpki.left_right.report_error_elt)
- cb(msg)
+ r_cms = rpki.left_right.cms_msg(DER = r_der)
+ r_msg = r_cms.unwrap((self.rpkid_ta, self.rpkid_cert))
+ rpki.log.debug(r_cms.pretty_print_content())
+ assert r_msg.is_reply()
+ for r_pdu in r_msg:
+ assert not isinstance(r_pdu, rpki.left_right.report_error_elt)
+ cb(r_msg)
+
+ def lose(e):
+ raise
rpki.https.client(
client_key = self.irbe_key,
client_cert = self.irbe_cert,
server_ta = self.rpkid_ta,
- url = url,
- msg = cms,
+ url = q_url,
+ msg = q_der,
callback = done,
- errback = done)
+ errback = lose)
def cross_certify(self, certificant, reverse = False):
"""
@@ -1180,20 +1181,21 @@ def call_pubd(pdus, cb):
response.
"""
rpki.log.info("Calling pubd")
- msg = rpki.publication.msg.query(*pdus)
- cms, xml = rpki.publication.cms_msg.wrap(msg, pubd_irbe_key, pubd_irbe_cert,
- pretty_print = True)
- rpki.log.debug(xml)
- url = "https://localhost:%d/control" % pubd_port
-
- def call_pubd_cb(val):
- msg, xml = rpki.publication.cms_msg.unwrap(val, (pubd_ta, pubd_pubd_cert),
- pretty_print = True)
- rpki.log.debug(xml)
- assert msg.is_reply()
- for pdu in msg:
- assert not isinstance(pdu, rpki.publication.report_error_elt)
- cb(msg)
+ q_msg = rpki.publication.msg.query(*pdus)
+ q_cms = rpki.publication.cms_msg()
+ q_der = q_cms.wrap(q_msg, pubd_irbe_key, pubd_irbe_cert)
+ q_url = "https://localhost:%d/control" % pubd_port
+
+ rpki.log.debug(q_cms.pretty_print_content())
+
+ def call_pubd_cb(r_der):
+ r_cms = rpki.publication.cms_msg(DER = r_der)
+ r_msg = r_cms.unwrap((pubd_ta, pubd_pubd_cert))
+ rpki.log.debug(r_cms.pretty_print_content())
+ assert r_msg.is_reply()
+ for r_pdu in r_msg:
+ assert not isinstance(r_pdu, rpki.publication.report_error_elt)
+ cb(r_msg)
def call_pubd_eb(e):
rpki.log.warn("Problem calling pubd: %s" % e)
@@ -1203,8 +1205,8 @@ def call_pubd(pdus, cb):
client_key = pubd_irbe_key,
client_cert = pubd_irbe_cert,
server_ta = pubd_ta,
- url = url,
- msg = cms,
+ url = q_url,
+ msg = q_der,
callback = call_pubd_cb,
errback = call_pubd_eb)
diff --git a/rpkid/tests/testpoke.py b/rpkid/tests/testpoke.py
index 949cd464..633f0251 100644
--- a/rpkid/tests/testpoke.py
+++ b/rpkid/tests/testpoke.py
@@ -95,18 +95,18 @@ def query_up_down(q_pdu):
payload = q_pdu,
sender = yaml_data["sender-id"],
recipient = yaml_data["recipient-id"])
- q_cms = rpki.up_down.cms_msg.wrap(q_msg, cms_key, cms_certs, cms_crl)
+ q_der = rpki.up_down.cms_msg().wrap(q_msg, cms_key, cms_certs, cms_crl)
- def done(der):
- r_msg, r_xml = rpki.up_down.cms_msg.unwrap(der, [cms_ta] + cms_ca_certs, pretty_print = True)
- print r_xml
+ def done(r_der):
+ r_cms = rpki.up_down.cms_msg(DER = r_der)
+ r_msg = r_cms.unwrap([cms_ta] + cms_ca_certs)
+ print r_cms.pretty_print_content()
try:
r_msg.payload.check_response()
except (rpki.async.ExitNow, SystemExit):
raise
except Exception, e:
fail(e)
- #rpki.async.exit_event_loop()
rpki.https.want_persistent_client = False
@@ -114,7 +114,7 @@ def query_up_down(q_pdu):
server_ta = [https_ta] + https_ca_certs,
client_key = https_key,
client_cert = https_cert,
- msg = q_cms,
+ msg = q_der,
url = yaml_data["posturl"],
callback = done,
errback = fail)