author | Rob Austein <sra@hactrn.net> | 2014-02-25 20:46:05 +0000 |
---|---|---|
committer | Rob Austein <sra@hactrn.net> | 2014-02-25 20:46:05 +0000 |
commit | de95fb9525bf5f1ced2fb90924b31b78494e1e87 (patch) | |
tree | 7c529a242b334e38a0d78761a0dfad12c452bfcf | |
parent | bf0b63854ec52df692a503eb78e270363f31ebfd (diff) |
Something broke MySQLdb on my laptop during a recent upgrade, and I
have better things to do than shaving that particular yak today. So
I'm committing untested changes (to a development branch that nobody
but me is using) so I can test them on a working development platform.
svn path=/branches/tk671/; revision=5682
-rw-r--r-- | rpkid/left-right-schema.rnc | 6 | ||||
-rw-r--r-- | rpkid/left-right-schema.rng | 22 | ||||
-rw-r--r-- | rpkid/rpki/irdb/models.py | 11 | ||||
-rw-r--r-- | rpkid/rpki/irdb/zookeeper.py | 7 | ||||
-rw-r--r-- | rpkid/rpki/irdbd.py | 4 | ||||
-rw-r--r-- | rpkid/rpki/left_right.py | 9 | ||||
-rw-r--r-- | rpkid/rpki/old_irdbd.py | 8 | ||||
-rw-r--r-- | rpkid/rpki/relaxng.py | 22 | ||||
-rw-r--r-- | rpkid/rpki/rpkid_tasks.py | 4 | ||||
-rw-r--r-- | rpkid/tests/old_irdbd.sql | 4 | ||||
-rw-r--r-- | rpkid/tests/smoketest.py | 16 | ||||
-rw-r--r-- | rpkid/tests/yamltest.py | 4 |
12 files changed, 82 insertions, 35 deletions
diff --git a/rpkid/left-right-schema.rnc b/rpkid/left-right-schema.rnc
index 2db048cf..22b0d29a 100644
--- a/rpkid/left-right-schema.rnc
+++ b/rpkid/left-right-schema.rnc
@@ -280,10 +280,12 @@ list_ee_certificate_requests_reply = element list_ee_certificate_requests {
 tag,
 self_handle,
 attribute gski { xsd:token { minLength="27" maxLength="27" } },
 attribute valid_until { xsd:dateTime { pattern=".*Z" } },
- attribute asn { asn_list }?,
+ attribute asn { asn_list }?,
 attribute ipv4 { ipv4_list }?,
 attribute ipv6 { ipv6_list }?,
- attribute router_id { xsd:unsignedInt }?,
+ attribute cn { xsd:string { maxLength="64" pattern="[\-0-9A-Za-z_ ]*" } }?,
+ attribute sn { xsd:string { maxLength="64" pattern="[0-9A-Fa-f]*" } }?,
+ attribute eku { xsd:string { maxLength="512000" pattern="[.0-9,]*" } }?,
 element pkcs10 { base64 }
 }
diff --git a/rpkid/left-right-schema.rng b/rpkid/left-right-schema.rng
index 532bdb8a..782f6587 100644
--- a/rpkid/left-right-schema.rng
+++ b/rpkid/left-right-schema.rng
@@ -232,6 +232,13 @@
 <param name="pattern">[\-,0-9/:a-fA-F]*</param>
 </data>
 </define>
+ <!-- OID list for Extended Key Usage (EKU) -->
+ <define name="eku_list">
+ <data type="string">
+ <param name="maxLength">512000</param>
+ <param name="pattern">[.0-9,]*</param>
+ </data>
+ </define>
 <!-- <self/> element -->
 <define name="self_bool">
 <optional>
@@ -973,8 +980,19 @@
 </attribute>
 </optional>
 <optional>
- <attribute name="router_id">
- <data type="unsignedInt"/>
+ <attribute name="cn">
+ <data type="string">
+ <param name="maxLength">64</param>
+ <param name="pattern">[\-0-9A-Za-z_ ]*</param>
+ </data>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="sn">
+ <data type="string">
+ <param name="maxLength">64</param>
+ <param name="pattern">[0-9A-Fa-f]*</param>
+ </data>
 </attribute>
 </optional>
 <element name="pkcs10">
diff --git a/rpkid/rpki/irdb/models.py b/rpkid/rpki/irdb/models.py
index e29e332e..7a3c8521 100644
--- a/rpkid/rpki/irdb/models.py
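Review bot: The new `eku` attribute is added only to the compact schema here; the rng hunk at -973 (and its embedded copy in relaxng.py at -979) adds `cn` and `sn` but no `eku` attribute, and the `eku_list` define added at -232 in both files is never referenced. irdbd.py and old_irdbd.py now set `r_pdu.eku`, so a reply carrying it will be rejected by validation against the rng if that is the schema loaded at runtime. The drift is easier to avoid if the rnc also names the type, `eku_list = xsd:string { maxLength="512000" pattern="[.0-9,]*" }` and `attribute eku { eku_list }?,`, and the rng is regenerated from it rather than hand-edited. Note that `[.0-9,]*` also admits an empty string and stray commas, which the consumer in left_right.py splits without filtering.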
+++ b/rpkid/rpki/irdb/models.py
@@ -583,14 +583,9 @@ class EECertificateRequest(ResourceSet):
 issuer = django.db.models.ForeignKey(ResourceHolderCA, related_name = "ee_certificate_requests")
 pkcs10 = PKCS10Field()
 gski = django.db.models.CharField(max_length = 27)
- router_id = django.db.models.BigIntegerField(null = True)
-
- # Subject name isn't allowed in the PKCS #10, so we need to carry
- # either a subject name or a router-id as a separate field.
- # Carrying subject name would be more flexible, but is also a swamp
- # if we start allowing more than just CN and SN.
- #
- # For the moment we just do router-id.
+ cn = django.db-models.CharField(max_length = 64)
+ sn = django.db-models.CharField(max_length = 64)
+ eku = django.db.models.TextField(null = True)
 
 def _select_resource_bag(self):
 ee_asn = rpki.irdb.EECertificateRequestASN.objects.raw("""
diff --git a/rpkid/rpki/irdb/zookeeper.py b/rpkid/rpki/irdb/zookeeper.py
index 339503fb..87875fd5 100644
--- a/rpkid/rpki/irdb/zookeeper.py
+++ b/rpkid/rpki/irdb/zookeeper.py
@@ -1656,11 +1656,16 @@ class Zookeeper(object):
 pkcs10.check_valid_request_router()
 
+ cn = "ROUTER-%08x" % asns[0].min
+ sn = "%08x" % router_id
+
 ee_request = self.resource_ca.ee_certificate_requests.create(
 pkcs10 = pkcs10,
 gski = pkcs10.gSKI(),
 valid_until = valid_until,
- router_id = router_id)
+ cn = cn,
+ sn = sn,
+ eku = rpki.oids.id_kp_bgpsec_router)
 
 for range in asns:
 ee_request.asns.create(start_as = str(range.min), end_as = str(range.max))
diff --git a/rpkid/rpki/irdbd.py b/rpkid/rpki/irdbd.py
index 1fec3cbc..41739dc4 100644
--- a/rpkid/rpki/irdbd.py
+++ b/rpkid/rpki/irdbd.py
@@ -96,7 +96,9 @@ class main(object):
 r_pdu.asn = resources.asn
 r_pdu.ipv4 = resources.v4
 r_pdu.ipv6 = resources.v6
- r_pdu.router_id = ee_req.router_id
+ r_pdu.cn = ee_req.cn
+ r_pdu.sn = ee_req.sn
+ r_pdu.eku = ee_req.eku
 r_pdu.pkcs10 = ee_req.pkcs10
 r_msg.append(r_pdu)
 
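Review bot: `cn = django.db-models.CharField(max_length = 64)` and the `sn` line below it are written with `db-models`, which Python parses as `django.db - models.CharField(...)` and fails on the undefined name `models` at import time; both should read `django.db.models.CharField(max_length = 64)`. `cn` and `sn` are also created without `null = True` while the matching columns in tests/old_irdbd.sql are nullable and the schema marks the attributes optional, so the model should state explicitly whether an empty CN or SN is acceptable. The removed comment explained why the name is carried outside the PKCS #10; a one-line comment above `cn` saying that the subject name is carried as separate cn/sn fields because the router PKCS #10 carries none would keep that rationale.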
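Review bot: `eku = rpki.oids.id_kp_bgpsec_router` stores that value directly into a TextField, but the wire format on the receiving side is a comma-separated dotted-decimal string (left_right.py splits on `,` and the schema pattern is `[.0-9,]*`); if `id_kp_bgpsec_router` is an OID object rather than a plain string, convert it here, e.g. `eku = str(rpki.oids.id_kp_bgpsec_router)`, so that the database value matches what irdbd.py copies into `r_pdu.eku`. `cn = "ROUTER-%08x" % asns[0].min` indexes `asns` unconditionally; `check_valid_request_router()` runs first, but whether it rejects an empty ASN list is outside the hunk, so an explicit guard or a comment stating that precondition would help the next reader. The enclosing method starts before the hunk.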
diff --git a/rpkid/rpki/left_right.py b/rpkid/rpki/left_right.py
index dcfc5f40..1913fc7a 100644
--- a/rpkid/rpki/left_right.py
+++ b/rpkid/rpki/left_right.py
@@ -1063,14 +1063,15 @@ class list_ee_certificate_requests_elt(rpki.xml_utils.base_elt, left_right_names
 """
 
 element_name = "list_ee_certificate_requests"
- attributes = ("self_handle", "tag", "gski", "valid_until", "asn", "ipv4", "ipv6", "router_id")
+ attributes = ("self_handle", "tag", "gski", "valid_until", "asn", "ipv4", "ipv6", "cn", "sn", "eku")
 elements = ("pkcs10",)
 pkcs10 = None
 valid_until = None
+ eku = None
 
 def __repr__(self):
- return rpki.log.log_repr(self, self.self_handle, self.gski, self.router_id, self.asn, self.ipv4, self.ipv6)
+ return rpki.log.log_repr(self, self.self_handle, self.gski, self.cn, self.sn, self.asn, self.ipv4, self.ipv6)
 
 def startElement(self, stack, name, attrs):
 """
@@ -1088,6 +1089,8 @@ class list_ee_certificate_requests_elt(rpki.xml_utils.base_elt, left_right_names
 self.ipv4 = rpki.resource_set.resource_set_ipv4(self.ipv4)
 if self.ipv6 is not None:
 self.ipv6 = rpki.resource_set.resource_set_ipv6(self.ipv6)
+ if self.eku is not None:
+ self.eku = self.eku.split(",")
 
 def endElement(self, stack, name, text):
 """
@@ -1105,6 +1108,8 @@ class list_ee_certificate_requests_elt(rpki.xml_utils.base_elt, left_right_names
 Generate <list_ee_certificate_requests/> element. This requires
 special handling due to the data types of some of the attributes.
 """
+ if isinstance(self.eku, (tuple, list)):
+ self.eku = ",".join(self.eku)
 elt = self.make_elt()
 for i in self.elements:
 self.make_b64elt(elt, i, getattr(self, i, None))
diff --git a/rpkid/rpki/old_irdbd.py b/rpkid/rpki/old_irdbd.py
index 25ceb656..41060344 100644
--- a/rpkid/rpki/old_irdbd.py
+++ b/rpkid/rpki/old_irdbd.py
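Review bot: Only `eku = None` gets a class-level default, while `__repr__` reads `self.cn` and `self.sn` and rpkid_tasks.py reads `req.cn`; both attributes are optional in the schema, so an element received without them raises AttributeError in `__repr__` unless base_elt initialises every name in `attributes`, which is not visible here. Add `cn = None` and `sn = None` next to `eku = None` so the three new attributes are treated alike. The enclosing class continues outside the hunk.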
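Review bot: In the hunk at -1088, `self.eku = self.eku.split(",")` turns an empty `eku` attribute, which the schema pattern `[.0-9,]*` permits, into `[""]`, and a trailing comma into a list ending in an empty string; rpkid_tasks.py then passes that list on as the EKU. Dropping empty items, `self.eku = [x for x in self.eku.split(",") if x]`, keeps an empty or malformed attribute from reaching the certificate builder. The matching join in toXML at -1105 is unaffected.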
@@ -170,13 +170,13 @@ class main(object):
 self.cur.execute(
 """
- SELECT ee_certificate_id, pkcs10, gski, router_id, valid_until
+ SELECT ee_certificate_id, pkcs10, gski, cn, sn, eku, valid_until
 FROM ee_certificate
 WHERE self_handle = %s
 """,
 (q_pdu.self_handle,))
 
- for ee_certificate_id, pkcs10, gski, router_id, valid_until in self.cur.fetchall():
+ for ee_certificate_id, pkcs10, gski, cn, sn, eku, valid_until in self.cur.fetchall():
 r_pdu = rpki.left_right.list_ee_certificate_requests_elt()
 r_pdu.tag = q_pdu.tag
@@ -184,7 +184,9 @@ class main(object):
 r_pdu.valid_until = valid_until.strftime("%Y-%m-%dT%H:%M:%SZ")
 r_pdu.pkcs10 = rpki.x509.PKCS10(DER = pkcs10)
 r_pdu.gski = gski
- r_pdu.router_id = router_id
+ r_pdu.cn = cn
+ r_pdu.sn = sn
+ r_pdu.eku = eku
 r_pdu.asn = rpki.resource_set.resource_set_as.from_sql(
 self.cur,
diff --git a/rpkid/rpki/relaxng.py b/rpkid/rpki/relaxng.py
index e85655e4..9162fdfa 100644
--- a/rpkid/rpki/relaxng.py
+++ b/rpkid/rpki/relaxng.py
@@ -238,6 +238,13 @@ left_right = lxml.etree.RelaxNG(lxml.etree.fromstring(r'''<?xml version="1.0" en
 <param name="pattern">[\-,0-9/:a-fA-F]*</param>
 </data>
 </define>
+ <!-- OID list for Extended Key Usage (EKU) -->
+ <define name="eku_list">
+ <data type="string">
+ <param name="maxLength">512000</param>
+ <param name="pattern">[.0-9,]*</param>
+ </data>
+ </define>
 <!-- <self/> element -->
 <define name="self_bool">
 <optional>
@@ -979,8 +986,19 @@ left_right = lxml.etree.RelaxNG(lxml.etree.fromstring(r'''<?xml version="1.0" en
 </attribute>
 </optional>
 <optional>
- <attribute name="router_id">
- <data type="unsignedInt"/>
+ <attribute name="cn">
+ <data type="string">
+ <param name="maxLength">64</param>
+ <param name="pattern">[\-0-9A-Za-z_ ]*</param>
+ </data>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="sn">
+ <data type="string">
+ <param name="maxLength">64</param>
+ <param name="pattern">[0-9A-Fa-f]*</param>
+ </data>
 </attribute>
 </optional>
 <element name="pkcs10">
diff --git a/rpkid/rpki/rpkid_tasks.py b/rpkid/rpki/rpkid_tasks.py
index 8889aa64..fe08b7cc 100644
--- a/rpkid/rpki/rpkid_tasks.py
+++ b/rpkid/rpki/rpkid_tasks.py
@@ -630,11 +630,11 @@ class UpdateEECertificatesTask(AbstractTask):
 rpki.log.debug("No existing EE certificate for %s %s" % (req.gski, resources))
 rpki.rpkid.ee_cert_obj.create(
 ca_detail = ca_detail,
- subject_name = req.pkcs10.getSubject(),
+ subject_name = rpki.x509.X501DN.from_cn(req.cn, req.dn),
 subject_key = req.pkcs10.getPublicKey(),
 resources = resources,
 publisher = publisher,
- eku = eku)
+ eku = req.eku or None)
 
 # Anything left is an orphan
 for ees in existing.values():
diff --git a/rpkid/tests/old_irdbd.sql b/rpkid/tests/old_irdbd.sql
index 1e5b6d28..cef319a4 100644
--- a/rpkid/tests/old_irdbd.sql
+++ b/rpkid/tests/old_irdbd.sql
@@ -109,7 +109,9 @@ CREATE TABLE ee_certificate (
 self_handle VARCHAR(255) NOT NULL,
 pkcs10 LONGBLOB NOT NULL,
 gski VARCHAR(27) NOT NULL,
- router_id INT UNSIGNED,
+ cn VARCHAR(64),
+ sn VARCHAR(64),
+ eku TEXT,
 valid_until DATETIME NOT NULL,
 PRIMARY KEY (ee_certificate_id),
 UNIQUE (self_handle, gski)
diff --git a/rpkid/tests/smoketest.py b/rpkid/tests/smoketest.py
index b81117ae..1d9e600a 100644
--- a/rpkid/tests/smoketest.py
+++ b/rpkid/tests/smoketest.py
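Review bot: `subject_name = rpki.x509.X501DN.from_cn(req.cn, req.dn)` reads `req.dn`, but list_ee_certificate_requests_elt carries only `cn`, `sn` and `eku`, so the first request reaching this line raises AttributeError; it should be `subject_name = rpki.x509.X501DN.from_cn(req.cn, req.sn),`. The subject is now taken from the irdb-supplied cn/sn rather than from the PKCS #10, so the schema patterns on those attributes are the only check between the database and the issued certificate's subject; a one-line comment stating that the requester's PKCS #10 carries no subject and that cn/sn come from irdb would make that dependency explicit. With `eku = req.eku or None`, a request whose eku column is NULL (which the smoketest INSERT leaves it) produces a router certificate with no EKU, whereas the removed line passed a locally computed `eku` whose origin is outside the hunk, so confirm that is the intended behaviour.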
@@ -396,20 +396,20 @@ class router_cert(object):
 self.keypair = rpki.x509.ECDSA.generate(self.ecparams())
 self.pkcs10 = rpki.x509.PKCS10.create(
 keypair = self.keypair,
- cn = "ROUTER-%d" % self.asn[0].min,
- sn = self.router_id,
 eku = (rpki.oids.id_kp_bgpsec_router,))
 self.gski = self.pkcs10.gSKI()
+ self.cn = "ROUTER-%08x" % self.asn[0].min
+ self.sn = "%08x" % self.router_id
 
 def __eq__(self, other):
- return self.asn == other.asn and self.router_id == other.router_id and self.gski == other.gski
+ return self.asn == other.asn and self.sn == other.sn and self.gski == other.gski
 
 def __hash__(self):
 v6 = tuple(self.v6) if self.v6 is not None else None
- return tuple(self.asn).__hash__() + router_id.__hash__() + self.gski.__hash__()
+ return tuple(self.asn).__hash__() + sn.__hash__() + self.gski.__hash__()
 
 def __str__(self):
- return "%s: %s: %s" % (self.asn, self.router_id, self.gski)
+ return "%s: %s: %s" % (self.asn, self.cn, self.sn, self.gski)
 
 @classmethod
 def parse(cls, yaml):
@@ -817,9 +817,9 @@ class allocation(object):
 ((roa_request_id, x.prefix, x.prefixlen, x.max_prefixlen, version) for x in prefix_set))
 for r in s.router_certs:
- cur.execute("INSERT ee_certificate (self_handle, pkcs10, gski, router_id, valid_until) "
- "VALUES (%s, %s, %s, %s, %s)",
- (s.name, r.pkcs10.get_DER(), r.gski, r.router_id, s.resources.valid_until))
+ cur.execute("INSERT ee_certificate (self_handle, pkcs10, gski, cn, sn, valid_until) "
+ "VALUES (%s, %s, %s, %s, %s, %s)",
+ (s.name, r.pkcs10.get_DER(), r.gski, r.cn, r.sn, s.resources.valid_until))
 ee_certificate_id = cur.lastrowid
 cur.executemany("INSERT ee_certificate_asn (ee_certificate_id, start_as, end_as) VALUES (%s, %s, %s)",
 ((ee_certificate_id, a.min, a.max) for a in r.asn))
diff --git a/rpkid/tests/yamltest.py b/rpkid/tests/yamltest.py
index 1b52ced6..9525a048 100644
--- a/rpkid/tests/yamltest.py
+++ b/rpkid/tests/yamltest.py
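Review bot: `__hash__` uses the bare name `sn.__hash__()` and `__str__` hands four values to a format with three `%s`, so hashing a router_cert raises NameError and printing one raises TypeError; the yamltest hunk in the same commit makes the corresponding `self.router_id` fix but this copy keeps the bug. Use `return tuple(self.asn).__hash__() + self.sn.__hash__() + self.gski.__hash__()` and `return "%s: %s: %s: %s" % (self.asn, self.cn, self.sn, self.gski)`. `__eq__` compares `sn` and `__hash__` now hashes `sn`, which keeps the two consistent; the unused `v6` local in `__hash__` is pre-existing.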
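Review bot: In the hunk at -817 the INSERT supplies `cn, sn` but not the new `eku` column, so old_irdbd.py returns `eku` as NULL and rpkid_tasks.py's `eku = req.eku or None` issues the router certificate without the BGPsec EKU, even though the PKCS #10 built at -396 carries `rpki.oids.id_kp_bgpsec_router`. Add the column to the statement, `"INSERT ee_certificate (self_handle, pkcs10, gski, cn, sn, eku, valid_until) "`, a seventh `%s`, and the dotted-decimal OID string in the parameter tuple, so the test exercises the same path zookeeper.py populates. The enclosing method starts before the hunk.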
@@ -131,8 +131,6 @@ class router_cert(object):
 self.keypair = rpki.x509.ECDSA.generate(self.ecparams())
 self.pkcs10 = rpki.x509.PKCS10.create(
 keypair = self.keypair,
- cn = "ROUTER-%d" % self.asn[0].min,
- sn = self.router_id,
 eku = (rpki.oids.id_kp_bgpsec_router,))
 self.gski = self.pkcs10.gSKI()
 
@@ -141,7 +139,7 @@ class router_cert(object):
 def __hash__(self):
 v6 = tuple(self.v6) if self.v6 is not None else None
- return tuple(self.asn).__hash__() + router_id.__hash__() + self.gski.__hash__()
+ return tuple(self.asn).__hash__() + self.router_id.__hash__() + self.gski.__hash__()
 
 def __str__(self):
 return "%s: %s: %s" % (self.asn, self.router_id, self.gski) |