authorRob Austein <sra@hactrn.net>2015-10-16 04:56:43 +0000
committerRob Austein <sra@hactrn.net>2015-10-16 04:56:43 +0000
commita89d88e2503368e0d662c57d7c0827d6d064b7b9 (patch)
tree8e5c9eff3bbe29cd2ce9c2d075ec51955d37f93d
parentaedcb72ef383dd9c2a146903f9fbdac9915e9af0 (diff)
Replace RRDP wired-in-URL kludge with proper support in OOB and
left-right protocol and irdb and rpkidb models. Not fully working yet, RRDP URI isn't yet showing up everywhere it should, but this is probably more an indication that the previous hack was incomplete than that the replacement broke something. svn path=/branches/tk705/; revision=6120
-rw-r--r--Makefile.in5
-rw-r--r--ca/rpki-confgen.xml16
-rw-r--r--ca/tests/smoketest.py4
-rw-r--r--ca/tests/xml-parse-test.py8
-rw-r--r--ca/tests/yamltest.py8
-rw-r--r--rpki/irdb/migrations/0003_repository_rrdp_notification_uri.py19
-rw-r--r--rpki/irdb/models.py1
-rw-r--r--rpki/irdb/zookeeper.py22
-rw-r--r--rpki/left_right.py23
-rw-r--r--rpki/publication.py5
-rw-r--r--rpki/relaxng.py9
-rw-r--r--rpki/rootd.py4
-rw-r--r--rpki/rpkid.py10
-rw-r--r--rpki/rpkidb/migrations/0002_auto_20151015_2213.py29
-rw-r--r--rpki/rpkidb/models.py27
-rw-r--r--rpki/sql_schemas.py5
-rw-r--r--schemas/relaxng/left-right.rnc5
-rw-r--r--schemas/relaxng/left-right.rng9
-rw-r--r--schemas/sql/rpkid.sql5
19 files changed, 152 insertions, 62 deletions
diff --git a/Makefile.in b/Makefile.in
index d688ef04..1e06fb8e 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -226,4 +226,9 @@ tags: Makefile .FORCE
! -name relaxng.py ! -name sql_schemas.py -print | \
etags -
+# This isn't all that useful until SQL has been set up. Might want to
+# hack up something using ca/rpki-confgen and ca/rpki-sql-setup.
+makemigrations:
+ for i in rpkid pubd irdb; do RPKI_CONF=ca/examples/rpki.conf ca/rpki-manage makemigrations --settings rpki.django_settings.$$i; done
+
.FORCE:
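Review bot: A failure in the rpkid or pubd iteration of the new `makemigrations` loop is masked, because a shell `for` loop exits with the status of its last command, so make only reports failure when the final irdb run fails. Appending `|| exit 1` to the command inside the loop stops at the first broken settings module: `... --settings rpki.django_settings.$$i || exit 1; done`. The comment above the rule could also name the three settings modules it covers so a later app is not forgotten.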
diff --git a/ca/rpki-confgen.xml b/ca/rpki-confgen.xml
index 14f160ab..63e9d793 100644
--- a/ca/rpki-confgen.xml
+++ b/ca/rpki-confgen.xml
@@ -217,6 +217,15 @@
</doc>
</option>
+ <option name = "publication_rrdp_notification_uri"
+ value = "https://${myrpki::pubd_server_host}/rrdp/notify.xml">
+
+ <doc>
+ URI for RRDP notification file. In most cases this should be
+ a HTTPS URL for the notify.xml file on the publication server.
+ </doc>
+ </option>
+
<option name = "start_rpkid"
value = "${myrpki::run_rpkid}">
<doc>
@@ -857,6 +866,13 @@
</doc>
</option>
+ <option name = "rrdp-notification-uri"
+ value = "${myrpki::publication_rrdp_notification_uri">
+ <doc>
+ RRDP URI for inclusion in generated objects.
+ </doc>
+ </option>
+
</section>
<section name = "web_portal">
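Review bot: The macro reference in the new `rrdp-notification-uri` option is unterminated: `value = "${myrpki::publication_rrdp_notification_uri">` has no closing brace, unlike `${myrpki::pubd_server_host}` in the option added earlier in this file, so the value presumably does not expand (or confgen rejects it) and rootd, which reads `rrdp-notification-uri` in this commit, would end up with a broken URI. The line should read `value = "${myrpki::publication_rrdp_notification_uri}">`. The doc text could also say that the value goes verbatim into the SIA of objects rootd issues, so it must be the externally reachable HTTPS URL rather than a local one.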
diff --git a/ca/tests/smoketest.py b/ca/tests/smoketest.py
index fb121525..f52ce984 100644
--- a/ca/tests/smoketest.py
+++ b/ca/tests/smoketest.py
@@ -1018,7 +1018,7 @@ class allocation(object):
bsc_handle = "b",
repository_handle = "r",
sia_base = s.sia_base,
- bpki_cms_cert = rootd_cert,
+ bpki_cert = rootd_cert,
sender_name = s.name,
recipient_name = "rootd",
peer_contact_uri = "http://localhost:%s/" % rootd_port))
@@ -1030,7 +1030,7 @@ class allocation(object):
bsc_handle = "b",
repository_handle = "r",
sia_base = s.sia_base,
- bpki_cms_cert = s.cross_certify(s.parent.name + "-SELF"),
+ bpki_cert = s.cross_certify(s.parent.name + "-SELF"),
sender_name = s.name,
recipient_name = s.parent.name,
peer_contact_uri = "http://localhost:%s/up-down/%s/%s" % (s.parent.get_rpki_port(),
diff --git a/ca/tests/xml-parse-test.py b/ca/tests/xml-parse-test.py
index ac276eb4..90c80775 100644
--- a/ca/tests/xml-parse-test.py
+++ b/ca/tests/xml-parse-test.py
@@ -83,11 +83,11 @@ def lr_tester(elt_in, elt_out, msg):
(obj.signing_cert_crl, "Signing certificate CRL")))
# (obj.pkcs10_request, "PKCS #10 request")
if isinstance(obj, rpki.left_right.parent_elt):
- pprint(((obj.bpki_cms_cert, "CMS certificate"),
- (obj.bpki_cms_glue, "CMS glue")))
+ pprint(((obj.bpki_cert, "BPKI certificate"),
+ (obj.bpki_glue, "BPKI glue")))
if isinstance(obj, (rpki.left_right.child_elt, rpki.left_right.repository_elt)):
- pprint(((obj.bpki_cert, "Certificate"),
- (obj.bpki_glue, "Glue")))
+ pprint(((obj.bpki_cert, "BPKI certificate"),
+ (obj.bpki_glue, "BPKI glue")))
def pp_tester(elt_in, elt_out, msg):
assert isinstance(msg, rpki.publication.msg)
diff --git a/ca/tests/yamltest.py b/ca/tests/yamltest.py
index 44b7b6bf..a279b530 100644
--- a/ca/tests/yamltest.py
+++ b/ca/tests/yamltest.py
@@ -208,6 +208,7 @@ class allocation(object):
pubd_port = -1
rsync_port = -1
rootd_port = -1
+ rrdp_port = -1
rpkic_counter = 0L
@classmethod
@@ -274,6 +275,7 @@ class allocation(object):
if self.runs_pubd:
self.pubd_port = self.allocate_port()
self.rsync_port = self.allocate_port()
+ self.rrdp_port = self.allocate_port()
if self.is_root:
self.rootd_port = self.allocate_port()
@@ -502,6 +504,7 @@ class allocation(object):
pubd_server_host = "localhost",
pubd_server_port = str(self.pubd.pubd_port),
publication_rsync_server = "localhost:%s" % self.pubd.rsync_port,
+ publication_rrdp_notification_uri = "http://localhost:%s/rrdp/notify.xml" % self.pubd.rrdp_port,
bpki_servers_directory = self.path(),
publication_base_directory = self.path("publication"),
rrdp_publication_base_directory = self.path("rrdp-publication"),
@@ -698,8 +701,9 @@ def create_root_certificate(db_root):
root_uri = "rsync://localhost:%d/rpki/%s-root/root" % (db_root.pubd.rsync_port, db_root.name)
- from rpki.publication import rrdp_sia_uri_kludge
- root_sia = (root_uri + "/", root_uri + "/root.mft", None, rrdp_sia_uri_kludge)
+ rrdp_uri = "http://localhost:%s/rrdp/notify.xml" % db.root.pubd.rrdp_port
+
+ root_sia = (root_uri + "/", root_uri + "/root.mft", None, rrdp_uri)
root_cert = rpki.x509.X509.self_certify(
keypair = root_key,
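Review bot: `db.root.pubd.rrdp_port` refers to a name `db` that is not defined in this function; the parameter is `db_root` (visible in the hunk header), so the first call to `create_root_certificate` raises NameError before any root certificate is built. The line should be `rrdp_uri = "http://localhost:%s/rrdp/notify.xml" % db_root.pubd.rrdp_port`. The function starts before and continues after this hunk.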
diff --git a/rpki/irdb/migrations/0003_repository_rrdp_notification_uri.py b/rpki/irdb/migrations/0003_repository_rrdp_notification_uri.py
new file mode 100644
index 00000000..1e0e43c2
--- /dev/null
+++ b/rpki/irdb/migrations/0003_repository_rrdp_notification_uri.py
@@ -0,0 +1,19 @@
+# -*- coding: utf-8 -*-
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('irdb', '0002_remove_client_parent_handle'),
+ ]
+
+ operations = [
+ migrations.AddField(
+ model_name='repository',
+ name='rrdp_notification_uri',
+ field=models.TextField(null=True),
+ ),
+ ]
diff --git a/rpki/irdb/models.py b/rpki/irdb/models.py
index c8e47717..0911d7aa 100644
--- a/rpki/irdb/models.py
+++ b/rpki/irdb/models.py
@@ -528,6 +528,7 @@ class Repository(CrossCertification):
client_handle = HandleField()
service_uri = django.db.models.CharField(max_length = 255)
sia_base = django.db.models.TextField()
+ rrdp_notification_uri = django.db.models.TextField(null = True)
turtle = django.db.models.OneToOneField(Turtle, related_name = "repository")
# This shouldn't be necessary
diff --git a/rpki/irdb/zookeeper.py b/rpki/irdb/zookeeper.py
index 98201f95..d0597e86 100644
--- a/rpki/irdb/zookeeper.py
+++ b/rpki/irdb/zookeeper.py
@@ -537,7 +537,7 @@ class Zookeeper(object):
tag = "%s__parent__%s" % (parent.issuer.handle, parent.handle),
self_handle = parent.issuer.handle,
parent_handle = parent.handle)
- SubElement(q_pdu, rpki.left_right.tag_bpki_cms_cert).text = parent.certificate.get_Base64()
+ SubElement(q_pdu, rpki.left_right.tag_bpki_cert).text = parent.certificate.get_Base64()
for rootd in rpki.irdb.models.Rootd.objects.all():
q_pdu = SubElement(q_msg, rpki.left_right.tag_parent,
@@ -545,7 +545,7 @@ class Zookeeper(object):
tag = "%s__rootd" % rootd.issuer.handle,
self_handle = rootd.issuer.handle,
parent_handle = rootd.issuer.handle)
- SubElement(q_pdu, rpki.left_right.tag_bpki_cms_cert).text = rootd.certificate.get_Base64()
+ SubElement(q_pdu, rpki.left_right.tag_bpki_cert).text = rootd.certificate.get_Base64()
for child in rpki.irdb.models.Child.objects.all():
q_pdu = SubElement(q_msg, rpki.left_right.tag_child,
@@ -831,12 +831,16 @@ class Zookeeper(object):
port = self.cfg.get("pubd_server_port", section = myrpki_section),
handle = client.handle)
+ rrdp_uri = self.cfg.get("publication_rrdp_notification_uri", section = myrpki_section,
+ default = "") or None
+
e = Element(tag_oob_repository_response, nsmap = oob_nsmap, version = oob_version,
service_uri = service_uri,
publisher_handle = client.handle,
sia_base = client.sia_base)
- # This is where we'd insert the rrdp_notification_uri attribute
+ if rrdp_uri is not None:
+ e.set("rrdp_notification_uri", rrdp_uri)
B64Element(e, tag_oob_repository_bpki_ta, self.server_ca.certificate)
return etree_wrapper(e, msg = "Send this file back to the publication client you just configured")
@@ -905,6 +909,7 @@ class Zookeeper(object):
client_handle = x.get("publisher_handle"),
service_uri = x.get("service_uri"),
sia_base = x.get("sia_base"),
+ rrdp_notification_uri = x.get("rrdp_notification_uri"),
ta = rpki.x509.X509(Base64 = x.findtext(tag_oob_repository_bpki_ta)),
turtle = turtle)
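Review bot: The `rrdp_notification_uri` attribute taken from the received OOB repository response is stored without any check on its value, and every certificate rpkid later issues places that value in its SIA rpkiNotify (see the rpkid.py and rpkidb/models.py hunks of this commit), so the publication server operator decides what scheme and host this CA embeds in published objects. RRDP (RFC 8182) expects the notification file to be fetched over HTTPS, so it is worth at least logging a warning when the value fails `if uri and not uri.startswith("https://"):` before the Repository row is created; yamltest deliberately configures `http://localhost:...`, so a hard rejection would need to be configurable. The enclosing method starts outside the hunk.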
@@ -1439,6 +1444,7 @@ class Zookeeper(object):
if (repository_pdu is None or
repository_pdu.get("bsc_handle") != bsc_handle or
repository_pdu.get("peer_contact_uri") != repository.service_uri or
+ repository_pdu.get("rrdp_notification_uri") != repository.rrdp_notification_uri or
repository_pdu.findtext(rpki.left_right.tag_bpki_cert, "").decode("base64") != repository.certificate.get_DER()):
q_pdu = SubElement(q_msg, rpki.left_right.tag_repository,
action = "create" if repository_pdu is None else "set",
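Review bot: The new comparison `repository_pdu.get("rrdp_notification_uri") != repository.rrdp_notification_uri` treats None and the empty string as different, while the guard in the next hunk (`if repository.rrdp_notification_uri:`) omits the attribute for both, so a repository row holding `""` would never match the PDU and a `set` would be issued on every synchronisation run. Whether `""` can actually reach the column is not visible here (the OOB path stores `x.get(...)`, i.e. None when absent), but normalising on the comparison side avoids the loop either way: `repository_pdu.get("rrdp_notification_uri") != (repository.rrdp_notification_uri or None) or`. The enclosing method starts and ends outside the hunk.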
@@ -1447,6 +1453,8 @@ class Zookeeper(object):
repository_handle = repository.handle,
bsc_handle = bsc_handle,
peer_contact_uri = repository.service_uri)
+ if repository.rrdp_notification_uri:
+ q_pdu.set("rrdp_notification_uri", repository.rrdp_notification_uri)
SubElement(q_pdu, rpki.left_right.tag_bpki_cert).text = repository.certificate.get_Base64()
for repository_handle in repository_pdus:
@@ -1473,7 +1481,7 @@ class Zookeeper(object):
parent_pdu.get("sia_base") != parent.repository.sia_base or
parent_pdu.get("sender_name") != parent.child_handle or
parent_pdu.get("recipient_name") != parent.parent_handle or
- parent_pdu.findtext(rpki.left_right.tag_bpki_cms_cert, "").decode("base64") != parent.certificate.get_DER()):
+ parent_pdu.findtext(rpki.left_right.tag_bpki_cert, "").decode("base64") != parent.certificate.get_DER()):
q_pdu = SubElement(q_msg, rpki.left_right.tag_parent,
action = "create" if parent_pdu is None else "set",
tag = parent.handle,
@@ -1485,7 +1493,7 @@ class Zookeeper(object):
sia_base = parent.repository.sia_base,
sender_name = parent.child_handle,
recipient_name = parent.parent_handle)
- SubElement(q_pdu, rpki.left_right.tag_bpki_cms_cert).text = parent.certificate.get_Base64()
+ SubElement(q_pdu, rpki.left_right.tag_bpki_cert).text = parent.certificate.get_Base64()
except rpki.irdb.models.Repository.DoesNotExist:
pass
@@ -1501,7 +1509,7 @@ class Zookeeper(object):
parent_pdu.get("sia_base") != ca.rootd.repository.sia_base or
parent_pdu.get("sender_name") != ca.handle or
parent_pdu.get("recipient_name") != ca.handle or
- parent_pdu.findtext(rpki.left_right.tag_bpki_cms_cert).decode("base64") != ca.rootd.certificate.get_DER()):
+ parent_pdu.findtext(rpki.left_right.tag_bpki_cert).decode("base64") != ca.rootd.certificate.get_DER()):
q_pdu = SubElement(q_msg, rpki.left_right.tag_parent,
action = "create" if parent_pdu is None else "set",
tag = ca.handle,
@@ -1513,7 +1521,7 @@ class Zookeeper(object):
sia_base = ca.rootd.repository.sia_base,
sender_name = ca.handle,
recipient_name = ca.handle)
- SubElement(q_pdu, rpki.left_right.tag_bpki_cms_cert).text = ca.rootd.certificate.get_Base64()
+ SubElement(q_pdu, rpki.left_right.tag_bpki_cert).text = ca.rootd.certificate.get_Base64()
except rpki.irdb.models.Rootd.DoesNotExist:
pass
diff --git a/rpki/left_right.py b/rpki/left_right.py
index 3367d102..1b5cf5b8 100644
--- a/rpki/left_right.py
+++ b/rpki/left_right.py
@@ -47,8 +47,6 @@ nsmap = rpki.relaxng.left_right.nsmap
version = rpki.relaxng.left_right.version
tag_bpki_cert = xmlns + "bpki_cert"
-tag_bpki_cms_cert = xmlns + "bpki_cms_cert"
-tag_bpki_cms_glue = xmlns + "bpki_cms_glue"
tag_bpki_glue = xmlns + "bpki_glue"
tag_bsc = xmlns + "bsc"
tag_child = xmlns + "child"
@@ -584,7 +582,7 @@ class repository_elt(base_elt):
"""
element_name = xmlns + "repository"
- attributes = ("action", "tag", "self_handle", "repository_handle", "bsc_handle", "peer_contact_uri")
+ attributes = ("action", "tag", "self_handle", "repository_handle", "bsc_handle", "peer_contact_uri", "rrdp_notification_uri")
booleans = ("clear_replay_protection",)
elements = collections.OrderedDict((
@@ -608,6 +606,7 @@ class repository_elt(base_elt):
bpki_cert = None
bpki_glue = None
last_cms_timestamp = None
+ rrdp_notification_uri = None
def __repr__(self):
return rpki.log.log_repr(self, self.repository_handle)
@@ -700,8 +699,8 @@ class parent_elt(base_elt):
booleans = ("rekey", "reissue", "revoke", "revoke_forgotten", "clear_replay_protection")
elements = collections.OrderedDict((
- (tag_bpki_cms_cert, rpki.x509.X509),
- (tag_bpki_cms_glue, rpki.x509.X509)))
+ (tag_bpki_cert, rpki.x509.X509),
+ (tag_bpki_glue, rpki.x509.X509)))
sql_template = rpki.sql.template(
"parent",
@@ -714,16 +713,16 @@ class parent_elt(base_elt):
"sia_base",
"sender_name",
"recipient_name",
- ("bpki_cms_cert", rpki.x509.X509),
- ("bpki_cms_glue", rpki.x509.X509),
+ ("bpki_cert", rpki.x509.X509),
+ ("bpki_glue", rpki.x509.X509),
("last_cms_timestamp", rpki.sundial.datetime))
handles = (("self", self_elt),
("bsc", bsc_elt),
("repository", repository_elt))
- bpki_cms_cert = None
- bpki_cms_glue = None
+ bpki_cert = None
+ bpki_glue = None
last_cms_timestamp = None
def __repr__(self):
@@ -883,7 +882,7 @@ class parent_elt(base_elt):
is_ca = True,
caRepository = ca.sia_uri,
rpkiManifest = ca_detail.manifest_uri,
- rpkiNotify = rpki.publication.rrdp_sia_uri_kludge)
+ rpkiNotify = ca.parent.repository.rrdp_notification_uri)
q_msg = self._compose_up_down_query("issue")
q_pdu = SubElement(q_msg, rpki.up_down.tag_request, class_name = ca.parent_resource_class)
q_pdu.text = pkcs10.get_Base64()
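Review bot: `ca.parent.repository.rrdp_notification_uri` dereferences the parent's repository without a None check, so a parent whose repository handle is unset now fails with AttributeError while composing the issue request, a failure the removed module-level constant could not produce. Since `rrdp_notification_uri` defaults to None on repository_elt in this commit and the SIA tuple already tolerates None entries, resolve it with a guard: `repository = ca.parent.repository` followed by `rpkiNotify = repository.rrdp_notification_uri if repository is not None else None`. Whether a repository-less parent is reachable in practice is not visible here. The enclosing method starts outside the hunk.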
@@ -915,8 +914,8 @@ class parent_elt(base_elt):
r_msg = r_cms.unwrap((self.gctx.bpki_ta,
self.self.bpki_cert,
self.self.bpki_glue,
- self.bpki_cms_cert,
- self.bpki_cms_glue))
+ self.bpki_cert,
+ self.bpki_glue))
r_cms.check_replay_sql(self, self.peer_contact_uri)
rpki.up_down.check_response(r_msg, q_msg.get("type"))
diff --git a/rpki/publication.py b/rpki/publication.py
index 58c52d34..117bd0ef 100644
--- a/rpki/publication.py
+++ b/rpki/publication.py
@@ -44,11 +44,6 @@ tag_withdraw = rpki.relaxng.publication.xmlns + "withdraw"
tag_report_error = rpki.relaxng.publication.xmlns + "report_error"
-# Horrible kludge: static RRDP URI for testing, this needs to be fixed
-from socket import getfqdn
-rrdp_sia_uri_kludge = "http://%s/rrdp/notify.xml" % getfqdn()
-
-
def raise_if_error(pdu):
"""
Raise an appropriate error if this is a <report_error/> PDU.
diff --git a/rpki/relaxng.py b/rpki/relaxng.py
index 829cddc2..1b16073b 100644
--- a/rpki/relaxng.py
+++ b/rpki/relaxng.py
@@ -552,12 +552,12 @@ left_right = RelaxNGParser(r'''<?xml version="1.0" encoding="UTF-8"?>
</attribute>
</optional>
<optional>
- <element name="bpki_cms_cert">
+ <element name="bpki_cert">
<ref name="base64"/>
</element>
</optional>
<optional>
- <element name="bpki_cms_glue">
+ <element name="bpki_glue">
<ref name="base64"/>
</element>
</optional>
@@ -768,6 +768,11 @@ left_right = RelaxNGParser(r'''<?xml version="1.0" encoding="UTF-8"?>
<ref name="bsc_handle"/>
</optional>
<optional>
+ <attribute name="rrdp_notification_uri">
+ <ref name="uri"/>
+ </attribute>
+ </optional>
+ <optional>
<element name="bpki_cert">
<ref name="base64"/>
</element>
diff --git a/rpki/rootd.py b/rpki/rootd.py
index 5a84b5df..1a669b97 100644
--- a/rpki/rootd.py
+++ b/rpki/rootd.py
@@ -189,7 +189,7 @@ class main(object):
keypair = self.rpki_root_key,
subject_key = manifest_keypair.get_public(),
serial = self.serial_number,
- sia = (None, None, self.rpki_root_manifest_uri, rpki.publication.rrdp_sia_uri_kludge),
+ sia = (None, None, self.rpki_root_manifest_uri, self.rrdp_notification_uri),
aia = self.rpki_root_cert_uri,
crldp = self.rpki_root_crl_uri,
resources = manifest_resources,
@@ -452,6 +452,8 @@ class main(object):
self.pubd_url = self.cfg.get("pubd-contact-uri")
+ self.rrdp_notification_uri = self.cfg.get("rrdp-notification-uri")
+
rpki.http_simple.server(host = self.http_server_host,
port = self.http_server_port,
handlers = (("/", self.handler, rpki.up_down.allowed_content_types),))
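Review bot: `self.cfg.get("rrdp-notification-uri")` is called with no default, whereas the same commit reads the corresponding `publication_rrdp_notification_uri` in zookeeper.py with `default = ""` and maps it to None; if the config layer raises on a missing option (which that pattern suggests, though it is not visible here), rootd no longer starts on an rpki.conf written before this option existed. The SIA builder at the top of this file already accepts None in other tuple positions, so `self.rrdp_notification_uri = self.cfg.get("rrdp-notification-uri", default = "") or None` keeps old configurations working and simply omits rpkiNotify. The enclosing method starts outside the hunk.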
diff --git a/rpki/rpkid.py b/rpki/rpkid.py
index 24f92a46..79fbcca2 100644
--- a/rpki/rpkid.py
+++ b/rpki/rpkid.py
@@ -1435,7 +1435,7 @@ class ca_detail_obj(rpki.sql.sql_persistent):
ca = self.ca,
resources = resources,
subject_key = self.manifest_public_key,
- sia = (None, None, self.manifest_uri, rpki.publication.rrdp_sia_uri_kludge))
+ sia = (None, None, self.manifest_uri, self.ca.parent.repository.rrdp_notification_uri))
def issue(self, ca, child, subject_key, sia, resources, publisher, child_cert = None):
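Review bot: The expression `self.ca.parent.repository.rrdp_notification_uri` introduced here is repeated with small variations in the roa_obj, ghostbuster_obj and both ee_cert_obj hunks of this file, each dereferencing `repository` without a None check. A read-only property on ca_detail_obj would keep the lookup and the None handling in one place, after which this line becomes `sia = (None, None, self.manifest_uri, self.rrdp_notification_uri))` and the other sites read `ca_detail.rrdp_notification_uri`. The method containing this line starts outside the hunk.
```python
  @property
  def rrdp_notification_uri(self):
    """
    RRDP notification URI of the repository behind this CA's parent,
    or None when the parent has no repository or no URI configured.
    """
    repository = self.ca.parent.repository
    return None if repository is None else repository.rrdp_notification_uri

  # … unchanged: rest of the method up to the sia argument …
      sia = (None, None, self.manifest_uri, self.rrdp_notification_uri))
```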
"""
@@ -2199,7 +2199,7 @@ class roa_obj(rpki.sql.sql_persistent):
ca = ca,
resources = resources,
subject_key = keypair.get_public(),
- sia = (None, None, self.uri_from_key(keypair), rpki.publication.rrdp_sia_uri_kludge))
+ sia = (None, None, self.uri_from_key(keypair), ca.parent.repository.rrdp_notification_uri))
self.roa = rpki.x509.ROA.build(self.asn, self.ipv4, self.ipv6, keypair, (self.cert,))
self.published = rpki.sundial.now()
self.sql_store()
@@ -2409,7 +2409,7 @@ class ghostbuster_obj(rpki.sql.sql_persistent):
ca = ca,
resources = resources,
subject_key = keypair.get_public(),
- sia = (None, None, self.uri_from_key(keypair), rpki.publication.rrdp_sia_uri_kludge))
+ sia = (None, None, self.uri_from_key(keypair), ca.parent.repository.rrdp_notification_uri))
self.ghostbuster = rpki.x509.Ghostbuster.build(self.vcard, keypair, (self.cert,))
self.published = rpki.sundial.now()
self.sql_store()
@@ -2604,7 +2604,7 @@ class ee_cert_obj(rpki.sql.sql_persistent):
cn, sn = subject_name.extract_cn_and_sn()
ca = ca_detail.ca
- sia = (None, None, ca_detail.ca.sia_uri + subject_key.gSKI() + ".cer", rpki.publication.rrdp_sia_uri_kludge)
+ sia = (None, None, ca_detail.ca.sia_uri + subject_key.gSKI() + ".cer", ca.parent.repository.rrdp_notification_uri)
cert = ca_detail.issue_ee(
ca = ca,
@@ -2721,7 +2721,7 @@ class ee_cert_obj(rpki.sql.sql_persistent):
ca = ca_detail.ca,
subject_key = self.cert.getPublicKey(),
eku = self.cert.get_EKU(),
- sia = (None, None, self.uri, rpki.publication.rrdp_sia_uri_kludge),
+ sia = (None, None, self.uri, ca_detail.ca.parent.repository.rrdp_notification_uri),
resources = resources,
notAfter = resources.valid_until,
cn = cn,
diff --git a/rpki/rpkidb/migrations/0002_auto_20151015_2213.py b/rpki/rpkidb/migrations/0002_auto_20151015_2213.py
new file mode 100644
index 00000000..f602b42b
--- /dev/null
+++ b/rpki/rpkidb/migrations/0002_auto_20151015_2213.py
@@ -0,0 +1,29 @@
+# -*- coding: utf-8 -*-
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('rpkidb', '0001_initial'),
+ ]
+
+ operations = [
+ migrations.RenameField(
+ model_name='parent',
+ old_name='bpki_cms_cert',
+ new_name='bpki_cert',
+ ),
+ migrations.RenameField(
+ model_name='parent',
+ old_name='bpki_cms_glue',
+ new_name='bpki_glue',
+ ),
+ migrations.AddField(
+ model_name='repository',
+ name='rrdp_notification_uri',
+ field=models.TextField(null=True),
+ ),
+ ]
diff --git a/rpki/rpkidb/models.py b/rpki/rpkidb/models.py
index 26be729d..3e5bad44 100644
--- a/rpki/rpkidb/models.py
+++ b/rpki/rpkidb/models.py
@@ -44,8 +44,6 @@ class XMLTemplate(object):
element_type = dict(bpki_cert = rpki.x509.X509,
bpki_glue = rpki.x509.X509,
- bpki_cms_cert = rpki.x509.X509,
- bpki_cms_glue = rpki.x509.X509,
pkcs10_request = rpki.x509.PKCS10,
signing_cert = rpki.x509.X509,
signing_cert_crl = rpki.x509.CRL)
@@ -345,6 +343,7 @@ class BSC(models.Model):
class Repository(models.Model):
repository_handle = models.SlugField(max_length = 255)
peer_contact_uri = models.TextField(null = True)
+ rrdp_notification_uri = models.TextField(null = True)
bpki_cert = CertificateField(null = True)
bpki_glue = CertificateField(null = True)
last_cms_timestamp = SundialField(null = True)
@@ -358,7 +357,7 @@ class Repository(models.Model):
xml_template = XMLTemplate(
name = "repository",
handles = (BSC,),
- attributes = ("peer_contact_uri",),
+ attributes = ("peer_contact_uri", "rrdp_notification_uri"),
elements = ("bpki_cert", "bpki_glue"))
@@ -432,8 +431,8 @@ class Repository(models.Model):
class Parent(models.Model):
parent_handle = models.SlugField(max_length = 255)
- bpki_cms_cert = CertificateField(null = True)
- bpki_cms_glue = CertificateField(null = True)
+ bpki_cert = CertificateField(null = True)
+ bpki_glue = CertificateField(null = True)
peer_contact_uri = models.TextField(null = True)
sia_base = models.TextField(null = True)
sender_name = models.TextField(null = True)
@@ -451,7 +450,7 @@ class Parent(models.Model):
name = "parent",
handles = (BSC, Repository),
attributes = ("peer_contact_uri", "sia_base", "sender_name", "recipient_name"),
- elements = ("bpki_cms_cert", "bpki_cms_glue"))
+ elements = ("bpki_cert", "bpki_glue"))
def xml_pre_delete_hook(self, cb, eb):
@@ -594,7 +593,7 @@ class Parent(models.Model):
is_ca = True,
caRepository = ca.sia_uri,
rpkiManifest = ca_detail.manifest_uri,
- rpkiNotify = rpki.publication.rrdp_sia_uri_kludge)
+ rpkiNotify = ca.parent.repository.rrdp_notification_uri)
q_msg = self._compose_up_down_query("issue")
q_pdu = SubElement(q_msg, rpki.up_down.tag_request, class_name = ca.parent_resource_class)
q_pdu.text = pkcs10.get_Base64()
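Review bot: Inside a Parent method, `ca.parent` is presumably this very object, so `self.repository.rrdp_notification_uri` would state the dependency directly instead of walking back through `ca`; either way the `repository` relation is dereferenced without a None guard, and if that foreign key can be null (not visible in this hunk) building the PKCS #10 now raises AttributeError where the removed constant could not fail. A two-line guard, `repository = self.repository` and `rpkiNotify = repository.rrdp_notification_uri if repository is not None else None`, mirrors the optional attribute in the left-right schema. The enclosing method starts outside the hunk.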
@@ -626,8 +625,8 @@ class Parent(models.Model):
r_msg = r_cms.unwrap((self.gctx.bpki_ta,
self.self.bpki_cert,
self.self.bpki_glue,
- self.bpki_cms_cert,
- self.bpki_cms_glue))
+ self.bpki_cert,
+ self.bpki_glue))
r_cms.check_replay_sql(self, self.peer_contact_uri)
rpki.up_down.check_response(r_msg, q_msg.get("type"))
@@ -1166,7 +1165,7 @@ class CADetail(models.Model):
ca = self.ca,
resources = resources,
subject_key = self.manifest_public_key,
- sia = (None, None, self.manifest_uri, rpki.publication.rrdp_sia_uri_kludge))
+ sia = (None, None, self.manifest_uri, self.ca.parent.repository.rrdp_notification_uri))
def issue(self, ca, child, subject_key, sia, resources, publisher, child_cert = None):
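Review bot: The chain `self.ca.parent.repository.rrdp_notification_uri` recurs in the EECert, Ghostbuster and ROA hunks of this file as `<ca_detail>.ca.parent.repository.rrdp_notification_uri`, always without a None check on `repository`. A property on CADetail named `rrdp_notification_uri` that does `repository = self.ca.parent.repository` and returns `repository.rrdp_notification_uri if repository is not None else None` lets every call site read `ca_detail.rrdp_notification_uri` and keeps the None handling in one place. The method holding this line starts outside the hunk.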
@@ -1769,7 +1768,7 @@ class EECert(models.Model):
cn, sn = subject_name.extract_cn_and_sn()
ca = ca_detail.ca
- sia = (None, None, ca_detail.ca.sia_uri + subject_key.gSKI() + ".cer", rpki.publication.rrdp_sia_uri_kludge)
+ sia = (None, None, ca_detail.ca.sia_uri + subject_key.gSKI() + ".cer", ca_detail.ca.parent.repository.rrdp_notification_uri)
cert = ca_detail.issue_ee(
ca = ca_detail.ca,
subject_key = subject_key,
@@ -1853,7 +1852,7 @@ class EECert(models.Model):
ca = ca_detail.ca,
subject_key = self.cert.getPublicKey(),
eku = self.cert.get_EKU(),
- sia = (None, None, self.uri, rpki.publication.rrdp_sia_uri_kludge),
+ sia = (None, None, self.uri, ca_detail.ca.parent.repository.rrdp_notification_uri),
resources = resources,
notAfter = resources.valid_until,
cn = cn,
@@ -1935,7 +1934,7 @@ class Ghostbuster(models.Model):
ca = self.ca_detail.ca,
resources = resources,
subject_key = keypair.get_public(),
- sia = (None, None, self.uri_from_key(keypair), rpki.publication.rrdp_sia_uri_kludge))
+ sia = (None, None, self.uri_from_key(keypair), self.ca_detail.ca.parent.repository.rrdp_notification_uri))
self.ghostbuster = rpki.x509.Ghostbuster.build(self.vcard, keypair, (self.cert,))
self.published = rpki.sundial.now()
self.save()
@@ -2155,7 +2154,7 @@ class ROA(models.Model):
ca = self.ca_detail.ca,
resources = resources,
subject_key = keypair.get_public(),
- sia = (None, None, self.uri_from_key(keypair), rpki.publication.rrdp_sia_uri_kludge))
+ sia = (None, None, self.uri_from_key(keypair), self.ca_detail.ca.parent.repository.rrdp_notification_uri))
self.roa = rpki.x509.ROA.build(self.asn, self.ipv4, self.ipv6, keypair, (self.cert,))
self.published = rpki.sundial.now()
self.save()
diff --git a/rpki/sql_schemas.py b/rpki/sql_schemas.py
index fc262f12..a3c039af 100644
--- a/rpki/sql_schemas.py
+++ b/rpki/sql_schemas.py
@@ -71,6 +71,7 @@ CREATE TABLE repository (
repository_id SERIAL NOT NULL,
repository_handle VARCHAR(255) NOT NULL,
peer_contact_uri TEXT,
+ rrdp_notification_uri TEXT,
bpki_cert LONGBLOB,
bpki_glue LONGBLOB,
last_cms_timestamp DATETIME,
@@ -87,8 +88,8 @@ CREATE TABLE repository (
CREATE TABLE parent (
parent_id SERIAL NOT NULL,
parent_handle VARCHAR(255) NOT NULL,
- bpki_cms_cert LONGBLOB,
- bpki_cms_glue LONGBLOB,
+ bpki_cert LONGBLOB,
+ bpki_glue LONGBLOB,
peer_contact_uri TEXT,
sia_base TEXT,
sender_name TEXT,
diff --git a/schemas/relaxng/left-right.rnc b/schemas/relaxng/left-right.rnc
index 22d971f0..b5ab56a7 100644
--- a/schemas/relaxng/left-right.rnc
+++ b/schemas/relaxng/left-right.rnc
@@ -162,8 +162,8 @@ parent_payload = (attribute peer_contact_uri { uri }?,
repository_handle?,
attribute sender_name { up_down_name }?,
attribute recipient_name { up_down_name }?,
- element bpki_cms_cert { base64 }?,
- element bpki_cms_glue { base64 }?)
+ element bpki_cert { base64 }?,
+ element bpki_glue { base64 }?)
parent_query |= element parent { ctl_create, self_handle, parent_handle, parent_bool, parent_payload }
parent_reply |= element parent { ctl_create, self_handle, parent_handle }
@@ -206,6 +206,7 @@ repository_bool = attribute clear_replay_protection { "yes" }?
repository_payload = (attribute peer_contact_uri { uri }?,
bsc_handle?,
+ attribute rrdp_notification_uri { uri }?,
element bpki_cert { base64 }?,
element bpki_glue { base64 }?)
diff --git a/schemas/relaxng/left-right.rng b/schemas/relaxng/left-right.rng
index bd63410e..24804af2 100644
--- a/schemas/relaxng/left-right.rng
+++ b/schemas/relaxng/left-right.rng
@@ -546,12 +546,12 @@
</attribute>
</optional>
<optional>
- <element name="bpki_cms_cert">
+ <element name="bpki_cert">
<ref name="base64"/>
</element>
</optional>
<optional>
- <element name="bpki_cms_glue">
+ <element name="bpki_glue">
<ref name="base64"/>
</element>
</optional>
@@ -762,6 +762,11 @@
<ref name="bsc_handle"/>
</optional>
<optional>
+ <attribute name="rrdp_notification_uri">
+ <ref name="uri"/>
+ </attribute>
+ </optional>
+ <optional>
<element name="bpki_cert">
<ref name="base64"/>
</element>
diff --git a/schemas/sql/rpkid.sql b/schemas/sql/rpkid.sql
index f3b899ee..14499091 100644
--- a/schemas/sql/rpkid.sql
+++ b/schemas/sql/rpkid.sql
@@ -67,6 +67,7 @@ CREATE TABLE repository (
repository_id SERIAL NOT NULL,
repository_handle VARCHAR(255) NOT NULL,
peer_contact_uri TEXT,
+ rrdp_notification_uri TEXT,
bpki_cert LONGBLOB,
bpki_glue LONGBLOB,
last_cms_timestamp DATETIME,
@@ -83,8 +84,8 @@ CREATE TABLE repository (
CREATE TABLE parent (
parent_id SERIAL NOT NULL,
parent_handle VARCHAR(255) NOT NULL,
- bpki_cms_cert LONGBLOB,
- bpki_cms_glue LONGBLOB,
+ bpki_cert LONGBLOB,
+ bpki_glue LONGBLOB,
peer_contact_uri TEXT,
sia_base TEXT,
sender_name TEXT,