authorRob Austein <sra@hactrn.net>2007-10-08 21:46:05 +0000
committerRob Austein <sra@hactrn.net>2007-10-08 21:46:05 +0000
commitf4960f6602a17dddc90265b1744918a2d714e2da (patch)
treeee7524ebcd3d00b23dc9af42b492077c27386f1a
parent276c09fe0afdf287f27e511d90823bd571d05529 (diff)
Checkpoint
svn path=/scripts/rpki/left_right.py; revision=1121
-rw-r--r--scripts/rpki/left_right.py22
-rw-r--r--scripts/rpki/sql.py30
-rw-r--r--scripts/rpki/x509.py23
3 files changed, 42 insertions, 33 deletions
diff --git a/scripts/rpki/left_right.py b/scripts/rpki/left_right.py
index e1bd2e1d..c567fa5d 100644
--- a/scripts/rpki/left_right.py
+++ b/scripts/rpki/left_right.py
@@ -65,13 +65,16 @@ class data_elt(base_elt, rpki.sql.sql_persistant):
self.cms_ta = rpki.x509.X509(DER=vals["cms_ta"])
if "https_ta" in vals:
self.https_ta = rpki.x509.X509(DER=vals["https_ta"])
+ if "private_key_id" in vals:
+ self.private_key_id = rpki.x509.RSA(DER=vals["private_key_id"])
+ if "public_key" in vals:
+ self.public_key = rpki.x509.RSA(DER=vals["public_key"])
def sql_encode(self):
d = rpki.sql.sql_persistant.sql_encode(self)
- if "cms_ta" in d:
- d["cms_ta"] = self.cms_ta.get_DER()
- if "https_ta" in d:
- d["https_ta"] = self.https_ta.get_DER()
+ for i in ("cms_ta", "https_ta", "private_key_id", "public_key"):
+ if i in d:
+ d[i] = getattr(self, i).get_DER()
return d
def make_reply(self, r_pdu=None):
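Review bot: The new sql_decode/sql_encode branches read and write the raw DER of an RSA private key under the column `private_key_id`, so what lands in SQL is the key material itself, unencrypted, not a handle; nothing in this hunk or the rest of the commit protects it at rest. Since the name suggests an HSM identifier, a reader will misjudge the sensitivity of that column, so I would say it where it is serialized: `# NOTE: with no HSM, private_key_id is the DER-encoded RSA private key itself, stored unencrypted in SQL`. The `getattr(self, i).get_DER()` loop also raises AttributeError if any of the four attributes is present in `d` but still None; whether the base sql_encode can emit a None value is not visible here, so please confirm or guard with `if d.get(i) is not None`. Both methods are cut by the hunk header, so the rest of data_elt is out of view.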
@@ -285,9 +288,9 @@ class bsc_elt(data_elt):
# Assume no HSM for now.
#
keypair = rpki.x509.RSA()
- keypair.generate(2048)
- self.private_key_id = keypair.get_DER()
- self.public_key = keypair.get_public_DER()
+ keypair.generate()
+ self.private_key_id = keypair
+ self.public_key = keypair.get_RSApublic()
r_pdu.pkcs10_cert_request = rpki.x509.PKCS10.create(keypair)
def startElement(self, stack, name, attrs):
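Review bot: `keypair.generate()` drops the explicit 2048-bit modulus size the old line passed, so the strength of every BSC signing key now depends on a default inside rpki.x509.RSA.generate that this diff does not show. If that default is anything below 2048 bits this silently weakens the key; I would keep the size explicit, `keypair.generate(2048)`, or at least comment the assumption, `# generate() defaults to 2048-bit keys — keep in sync with rpki.x509.RSA`. The enclosing method starts above the hunk, so I cannot see how the resulting `private_key_id` is persisted from here.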
@@ -301,7 +304,7 @@ class bsc_elt(data_elt):
if name == "signing_cert":
self.signing_cert.append(rpki.x509.X509(Base64=text))
elif name == "public_key":
- self.public_key = base64.b64decode(text)
+ self.public_key = rpki.x509.RSApublic(Base64=text)
elif name == "pkcs10_cert_request":
self.pkcs10_cert_request = rpki.x509.PKCS10(Base64=text)
else:
@@ -315,7 +318,8 @@ class bsc_elt(data_elt):
self.make_b64elt(elt, "signing_cert", cert.get_DER())
if self.pkcs10_cert_request is not None:
self.make_b64elt(elt, "pkcs10_cert_request", self.pkcs10_cert_request.get_DER())
- self.make_b64elt(elt, "public_key")
+ if self.public_key is not None:
+ self.make_b64elt(elt, "public_key", self.public_key.get_DER())
return elt
class parent_elt(data_elt):
diff --git a/scripts/rpki/sql.py b/scripts/rpki/sql.py
index 115fbbe1..070e0c62 100644
--- a/scripts/rpki/sql.py
+++ b/scripts/rpki/sql.py
@@ -240,19 +240,19 @@ class ca_detail_obj(sql_persistant):
def sql_decode(self, vals):
sql_persistant.sql_decode(self, vals)
self.private_key_id = rpki.x509.RSA(DER = self.private_key_id)
- assert self.public_key is None or self.private_key_id.get_public_DER() == self.public_key
+ self.public_key = rpki.x509.RSApublic(DER = self.public_key)
+ assert self.public_key.get_DER() == self.private_key_id.get_public_DER()
self.latest_ca_cert = rpki.x509.X509(DER = self.latest_ca_cert)
self.manifest_private_key_id = rpki.x509.RSA(DER = self.manifest_private_key_id)
- assert self.manifest_public_key is None or self.manifest_private_key_id.get_public_DER() == self.manifest_public_key
+ self.manifest_public_key = rpki.x509.RSApublic(DER = self.manifest_public_key)
+ assert self.manifest_public_key.get_DER() == self.manifest_private_key_id.get_public_DER()
self.manifest_cert = rpki.x509.X509(DER = self.manifest_cert)
raise NotImplementedError, "Still have to handle manifest and CRL"
def sql_encode(self):
d = sql_persistant.sql_encode(self)
- d["private_key_id"] = self.private_key_id.get_DER()
- d["latest_ca_cert"] = self.latest_ca_cert.get_DER()
- d["manifest_private_key_id"] = self.manifest_private_key_id.get_DER()
- d["manifest_cert"] = self.manifest_cert.get_DER()
+ for i in ("private_key_id", "public_key", "latest_ca_cert", "manifest_private_key_id", "manifest_public_key", "manifest_cert"):
+ d[i] = getattr(self, i).get_DER()
raise NotImplementedError, "Still have to handle manifest and CRL"
return d
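Review bot: The check that the stored public key matches the stored private key (and the manifest pair) is now a bare `assert`, which is stripped under `python -O`, so a corrupted or tampered row would load with a mismatched keypair without complaint; the old form had the same weakness but the new one is also stricter, since it no longer tolerates a None `public_key`. I would make it an explicit error, `if self.public_key.get_DER() != self.private_key_id.get_public_DER(): raise ValueError("public_key does not match private_key_id")`, and the same for the manifest pair. In sql_encode the `raise NotImplementedError` sits before `return d`, so the return is unreachable; presumably intentional for a checkpoint, but a `# TODO` would make that clearer than dead code.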
@@ -281,18 +281,30 @@ class ca_detail_obj(sql_persistant):
- ca.sia_uri changed, probably need to frob all children.
"""
+ raise NotImplementedError, "NIY"
+
if undersized:
# If we do end up processing undersized before oversized, we
# should re-compute our resource sets before oversize processing
raise NotImplementedError, "Need to issue new PKCS #10 to parent here then recompute resource sets"
- if oversized:
+ if oversized or sia_uri_changed:
for child_cert in child_cert_obj.sql_fetch_where(gctx, "ca_detail_id = %s" % self.ca_detail_id):
child_as, child_v4, child_v6 = child_cert.cert.get_3779resources()
- if not child_as.issubset(as) or not child_v4.issubset(v4) or not child_v6.issubset(v6):
+ if sia_uri_changed or not child_as.issubset(as) or not child_v4.issubset(v4) or not child_v6.issubset(v6):
child_cert.reissue(gctx, self, as, v4, v6)
- raise NotImplementedError, "NIY"
+ @classmethod
+ def create(cls, gctx, ca_id):
+ """Create a new ca_detail object for a specified CA."""
+ keypair = rpki.x509.RSA()
+ keypair.generate()
+ self = cls()
+ self.ca_id = ca_id
+ self.private_key_id = keypair
+ self.public_key = keypair.get_RSApublic()
+ self.state = "pending"
+ return self
class child_cert_obj(sql_persistant):
"""Certificate that has been issued to a child."""
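Review bot: `create` generates the CA keypair with `keypair.generate()` and no size, so the modulus size depends on a default not visible in this diff; for a CA key I would pass it explicitly, `keypair.generate(2048)`, or document the default next to the call. The `raise NotImplementedError, "NIY"` added at the top of the reissue method leaves everything after it, including the `oversized or sia_uri_changed` path the same hunk extends, unreachable; that method starts above the hunk, so only its tail is visible. The context line builds the WHERE clause with `"ca_detail_id = %s" % self.ca_detail_id`; if `sql_fetch_where` accepts bind parameters it would be safer to pass the id as one rather than interpolating it, though `ca_detail_id` is presumably an integer from the database.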
diff --git a/scripts/rpki/x509.py b/scripts/rpki/x509.py
index d4c2d9d3..99fa922b 100644
--- a/scripts/rpki/x509.py
+++ b/scripts/rpki/x509.py
@@ -156,7 +156,6 @@ class X509(DER_object):
formats = ("DER", "POW", "POWpkix", "tlslite")
pem_converter = PEM_converter("CERTIFICATE")
- other_clear = ("POW_extensions",)
def get_DER(self):
"""Get the DER value of this certificate."""
@@ -212,20 +211,6 @@ class X509(DER_object):
"""Get the expiration time of this certificate."""
return POW.pkix.utc2time(self.get_POW().getNotAfter())
- def _get_POW_extensions(self):
- """Parse extensions from the POW value of this certificate.
-
- Build a dictionary to ease lookup, and cache the result.
- """
- if not self.POW_extensions:
- cert = self.get_POW()
- exts = {}
- for i in range(cert.countExtensions()):
- x = cert.getExtension(i)
- exts[x[0]] = x[2]
- self.POW_extensions = exts
- return self.POW_extensions
-
def get_AKI(self):
"""Get the AKI extension from this certificate."""
return (self.get_POWpkix().getExtension((2, 5, 29, 35)) or ((), 0, None))[2]
@@ -234,6 +219,14 @@ class X509(DER_object):
"""Get the SKI extension from this certificate."""
return (self.get_POWpkix().getExtension((2, 5, 29, 14)) or ((), 0, None))[2]
+ def get_SIA(self):
+ """Get the SIA extension from this certificate."""
+ return (self.get_POWpkix().getExtension((1, 3, 6, 1, 5, 5, 7, 1, 11)) or ((), 0, None))[2]
+
+ def get_AIA(self):
+ """Get the SIA extension from this certificate."""
+ return (self.get_POWpkix().getExtension((1, 3, 6, 1, 5, 5, 7, 1, 1)) or ((), 0, None))[2]
+
def get_3779resources(self, as_intersector = None, v4_intersector = None, v6_intersector = None):
"""Get RFC 3779 resources as rpki.resource_set objects."""
as, v4, v6 = rpki.resource_set.parse_extensions(self.get_POWpkix().getExtensions())
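Review bot: The docstring on `get_AIA` is copied from `get_SIA` and says "Get the SIA extension"; it should read `"""Get the AIA extension from this certificate."""`. Both accessors, like `get_AKI` and `get_SKI` above, return only element `[2]` of the POW extension tuple and discard the criticality flag, which is fine for lookup but worth a one-line note if callers ever need to enforce RFC 3779/6487 criticality rules: `# returns the extension value only; criticality flag is dropped`.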