aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRob Austein <sra@hactrn.net>2007-09-19 20:42:31 +0000
committerRob Austein <sra@hactrn.net>2007-09-19 20:42:31 +0000
commitf02848f2d0ebcfe6ddbb695e8bc0bd8697c2e6d1 (patch)
tree93340fbf6763b142e635a24acc25a1e0e7867bf1
parent3442f7565e7be5df7ea170e2baa742e317049b51 (diff)
Checkpoint
svn path=/docs/left-right-xml; revision=995
Diffstat
-rw-r--r--docs/left-right-xml2
-rw-r--r--scripts/README8
-rw-r--r--scripts/left-right-protocol-samples/pdu.011.xml2
-rw-r--r--scripts/left-right-schema.rnc8
-rw-r--r--scripts/left-right-schema.rng14
-rw-r--r--scripts/rpki/left_right.py50
-rw-r--r--scripts/rpki/pkcs10.py35
-rw-r--r--scripts/rpki/x509.py14
8 files changed, 100 insertions, 33 deletions
diff --git a/docs/left-right-xml b/docs/left-right-xml
index 938892f6..6496eda6 100644
--- a/docs/left-right-xml
+++ b/docs/left-right-xml
@@ -76,7 +76,7 @@
<bsc action="create" type="query" self_id="42"
generate_keypair="yes"
key_type="rsa"
- hash_alg="sha1"
+ hash_alg="sha256"
key_length="2048">
<signing_cert>
MIIDHTCCAgWgAwIBAgIJAKUUCoKn9ovVMA0GCSqGSIb3DQEBBQUAMCYxJDAiBgNV
diff --git a/scripts/README b/scripts/README
index 6b71191e..2d7fb7d0 100644
--- a/scripts/README
+++ b/scripts/README
@@ -69,3 +69,11 @@ triggers, a la interrupt handlers. Well, maybe. IRBE folks might
prefer a version that blocked response to the request until the whole
cycle is done, once we have an event system that can treat the query
and response phases of an rpc operation as two distinct events.
+
+
+
+Hmm, I seem to have goofed on the bsc table, need a column for the
+hash algorithm after all, as it's not intrinsic to the key. Probably
+ought to let it be set independently of the key too. But for the
+moment I'm only supporting 2048-bit RSA with SHA-256 digests, so
+fixing this is not urgent.
diff --git a/scripts/left-right-protocol-samples/pdu.011.xml b/scripts/left-right-protocol-samples/pdu.011.xml
index ca66dae7..5a061211 100644
--- a/scripts/left-right-protocol-samples/pdu.011.xml
+++ b/scripts/left-right-protocol-samples/pdu.011.xml
@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="US-ASCII"?>
<!--Automatically generated, do not edit.-->
<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
- <bsc action="create" type="query" self_id="42" generate_keypair="yes" key_type="rsa" hash_alg="sha1" key_length="2048">
+ <bsc action="create" type="query" self_id="42" generate_keypair="yes" key_type="rsa" hash_alg="sha256" key_length="2048">
<signing_cert>
MIIDHTCCAgWgAwIBAgIJAKUUCoKn9ovVMA0GCSqGSIb3DQEBBQUAMCYxJDAiBgNV
BAMTG1Rlc3QgQ2VydGlmaWNhdGUgQWxpY2UgUm9vdDAeFw0wNzA4MDExOTUzMDda
diff --git a/scripts/left-right-schema.rnc b/scripts/left-right-schema.rnc
index a197230f..2ed54032 100644
--- a/scripts/left-right-schema.rnc
+++ b/scripts/left-right-schema.rnc
@@ -65,12 +65,12 @@ self_elt |= element self { ctl_lr, self_id, self_payload }
self_elt |= element self { ctl_dq, self_id }
self_elt |= element self { ctl_dr, self_id }
-# <bsc/> element
+# <bsc/> element. Key parameters hardwired for now.
bsc_bool = ((attribute generate_keypair { "yes" },
- attribute key_type { xsd:token { maxLength="1024" } }?,
- attribute hash_alg { xsd:token { maxLength="1024" } }?,
- attribute key_length { xsd:token { maxLength="1024" } }?)?,
+ attribute key_type { "rsa" }?,
+ attribute hash_alg { "sha256" }?,
+ attribute key_length { "2048" }?)?,
attribute clear_signing_certs { "yes" }?)
bsc_id = attribute bsc_id { sql_id }
diff --git a/scripts/left-right-schema.rng b/scripts/left-right-schema.rng
index 12978650..90738f9a 100644
--- a/scripts/left-right-schema.rng
+++ b/scripts/left-right-schema.rng
@@ -248,7 +248,7 @@
<ref name="self_id"/>
</element>
</define>
- <!-- <bsc/> element -->
+ <!-- <bsc/> element. Key parameters hardwired for now. -->
<define name="bsc_bool">
<optional>
<attribute name="generate_keypair">
@@ -256,23 +256,17 @@
</attribute>
<optional>
<attribute name="key_type">
- <data type="token">
- <param name="maxLength">1024</param>
- </data>
+ <value>rsa</value>
</attribute>
</optional>
<optional>
<attribute name="hash_alg">
- <data type="token">
- <param name="maxLength">1024</param>
- </data>
+ <value>sha256</value>
</attribute>
</optional>
<optional>
<attribute name="key_length">
- <data type="token">
- <param name="maxLength">1024</param>
- </data>
+ <value>2048</value>
</attribute>
</optional>
</optional>
diff --git a/scripts/rpki/left_right.py b/scripts/rpki/left_right.py
index 05e067c1..985c61b8 100644
--- a/scripts/rpki/left_right.py
+++ b/scripts/rpki/left_right.py
@@ -77,32 +77,32 @@ class data_elt(base_elt, rpki.sql.sql_persistant):
r_pdu.type = "reply"
return r_pdu
- def serve_pre_save_hook(self, pdu):
+ def serve_pre_save_hook(self, q_pdu, r_pdu):
pass
- def serve_post_save_hook(self, pdu):
+ def serve_post_save_hook(self, q_pdu, r_pdu):
pass
def serve_create(self, db, cur, r_msg):
r_pdu = self.make_reply()
- self.serve_pre_save_hook(self)
+ self.serve_pre_save_hook(self, r_pdu)
self.sql_store(db, cur)
setattr(r_pdu, self.sql_template.index, getattr(self, self.sql_template.index))
- self.serve_post_save_hook(self)
+ self.serve_post_save_hook(self, r_pdu)
r_msg.append(r_pdu)
def serve_set(self, db, cur, r_msg):
db_pdu = self.sql_fetch(db, cur, getattr(self, self.sql_template.index))
if db_pdu is not None:
+ r_pdu = self.make_reply()
for a in db_pdu.sql_template.columns[1:]:
v = getattr(self, a)
if v is not None:
setattr(db_pdu, a, v)
db_pdu.sql_dirty = True
- db_pdu.serve_pre_save_hook(self)
+ db_pdu.serve_pre_save_hook(self, r_pdu)
db_pdu.sql_store(db, cur)
- db_pdu.serve_post_save_hook(self)
- r_pdu = self.make_reply()
+ db_pdu.serve_post_save_hook(self, r_pdu)
r_msg.append(r_pdu)
else:
r_msg.append(make_error_report(self))
@@ -187,11 +187,21 @@ class bsc_elt(data_elt):
def sql_delete_hook(self, db, cur):
cur.execute("DELETE FROM bsc_cert WHERE bsc_id = %s", self.bsc_id)
- def serve_pre_save_hook(self, pdu):
- if self is not pdu:
- if pdu.clear_signing_certs:
+ def serve_pre_save_hook(self, q_pdu, r_pdu):
+ if self is not q_pdu:
+ if q_pdu.clear_signing_certs:
self.signing_cert = []
- self.signing_cert.extend(pdu.signing_cert)
+ self.signing_cert.extend(q_pdu.signing_cert)
+ if self.generate_keypair:
+ #
+ # Hard wire 2048-bit RSA with SHA-256 in schema for now.
+ # Assume no HSM for now.
+ #
+ keypair = rpki.x509.RSA_Keypair()
+ keypair.generate(2048)
+ self.private_key_id = keypair.get_DER()
+ self.public_key = keypair.get_public_DER()
+ r_pdu.pkcs10_cert_request = rpki.pkcs10.make_request(keypair)
def startElement(self, stack, name, attrs):
"""Handle <bsc/> element."""
@@ -232,6 +242,10 @@ class parent_elt(data_elt):
peer_ta = None
+ def serve_post_save_hook(self, q_pdu, r_pdu):
+ if self.rekey or self.reissue or self.revoke:
+ raise NotImplementedError
+
def startElement(self, stack, name, attrs):
"""Handle <bsc/> element."""
if name != "peer_ta":
@@ -281,6 +295,10 @@ class child_elt(data_elt):
peer_ta = None
+ def serve_post_save_hook(self, q_pdu, r_pdu):
+ if self.reissue:
+ raise NotImplementedError
+
def startElement(self, stack, name, attrs):
"""Handle <child/> element."""
if name != "peer_ta":
@@ -370,6 +388,10 @@ class route_origin_elt(data_elt):
cur.execute("DELETE FROM route_origin_range WHERE route_origin_id = %s", self.route_origin_id)
cur.execute("DELETE FROM roa WHERE route_origin_id = %s", self.route_origin_id)
+ def serve_post_save_hook(self, q_pdu, r_pdu):
+ if self.suppress_publication:
+ raise NotImplementedError
+
def startElement(self, stack, name, attrs):
"""Handle <route_origin/> element."""
assert name == "route_origin", "Unexpected name %s, stack %s" % (name, stack)
@@ -421,12 +443,16 @@ class self_elt(data_elt):
def sql_delete_hook(self, db, cur):
cur.execute("DELETE FROM self_pref WHERE self_id = %s", self.self_id)
- def serve_pre_save_hook(self, pdu):
+ def serve_pre_save_hook(self, q_pdu, r_pdu):
if self is not pdu:
if pdu.clear_extension_preferences:
self.prefs = []
self.prefs.extend(pdu.prefs)
+ def serve_post_save_hook(self, q_pdu, r_pdu):
+ if self.rekey or self.reissue or self.revoke or self.run_now or self.publish_world_now:
+ raise NotImplementedError
+
def startElement(self, stack, name, attrs):
"""Handle <self/> element."""
if name == "extension_preference":
diff --git a/scripts/rpki/pkcs10.py b/scripts/rpki/pkcs10.py
new file mode 100644
index 00000000..4d6a024a
--- /dev/null
+++ b/scripts/rpki/pkcs10.py
@@ -0,0 +1,35 @@
+# $Id$
+
+import POW, rpki.x509, os, rpki.exceptions, binascii
+
+req_fmt = '''
+[ req ]
+distinguished_name = req_dn
+prompt = no
+
+[ req_dn ]
+CN = %s
+'''
+
+def make_request(keypair):
+
+ digest = POW.Digest(POW.SHA1_DIGEST)
+ digest.update(keypair.get_POW().derWrite(POW.RSA_PUBLIC_KEY))
+ commonName = "0x" + binascii.hexify(digest.digest())
+
+ try:
+ config_filename = "req.tmp.conf"
+ f = open(config_filename, "w")
+ f.write(req_fmt % commonName)
+ f.close()
+
+ i,o = os.popen2(["openssl", "req", "-config", config_filename, "-new", "-key", "/dev/stdin", "-outform", "DER"])
+ i.write(keypair.get_PEM())
+ i.close()
+ pkcs10 = o.read()
+ o.close()
+
+ finally:
+ os.unlink(config_filename)
+
+ return pkcs10
diff --git a/scripts/rpki/x509.py b/scripts/rpki/x509.py
index 3e352baf..56ba8df1 100644
--- a/scripts/rpki/x509.py
+++ b/scripts/rpki/x509.py
@@ -286,10 +286,7 @@ class PKCS10_Request(DER_object):
return self.POWpkix
class RSA_Keypair(DER_object):
- """Class to hold an RSA key pair.
-
- This may need to be split into public and private key classes.
- """
+ """Class to hold an RSA key pair."""
formats = ("DER", "POW", "tlslite")
pem_converter = PEM_converter("RSA PRIVATE KEY")
@@ -299,7 +296,7 @@ class RSA_Keypair(DER_object):
if self.DER:
return self.DER
if self.POW:
- self.DER = self.POW.derWrite()
+ self.DER = self.POW.derWrite(POW.RSA_PRIVATE_KEY)
return self.get_DER()
raise rpki.exceptions.DERObjectConversionError, "No conversion path to DER available"
@@ -314,3 +311,10 @@ class RSA_Keypair(DER_object):
if not self.tlslite:
self.tlslite = tlslite.api.parsePEMKey(self.get_PEM(), private=True)
return self.tlslite
+
+ def generate(self, keylength):
+ self.clear()
+ self.set(POW=POW.Assymetric(POW.RSA_CIPHER, keylength))
+
+ def get_public_DER(self):
+ return self.get_POW().derWrite(POW.RSA_PUBLIC_KEY)
generated by cgit v1.2.3 (git 2.25.1) at 2025-05-14 14:49:47 +0000