authorRob Austein <sra@hactrn.net>2010-03-12 21:09:55 +0000
committerRob Austein <sra@hactrn.net>2010-03-12 21:09:55 +0000
commitb6f0d52bc2e5bd8527158e29c8ebc3a952b08222 (patch)
tree970733f75940297099f1d800f35aaeee9fa1a67a /myrpki.rototill
parent007cfc88e5a9092cb8bb6402e050dc9630e858f2 (diff)
Checkpoint
svn path=/myrpki.rototill/myrpki.py; revision=3077
Diffstat (limited to 'myrpki.rototill')
-rw-r--r--myrpki.rototill/myrpki.py46
-rw-r--r--myrpki.rototill/test-myrpki-cms.py66
2 files changed, 112 insertions, 0 deletions
diff --git a/myrpki.rototill/myrpki.py b/myrpki.rototill/myrpki.py
index cabdc4ef..83d032ac 100644
--- a/myrpki.rototill/myrpki.py
+++ b/myrpki.rototill/myrpki.py
@@ -1068,6 +1068,52 @@ class main(rpki.cli.Cmd):
# be after reading client's XML, but before deciding what the
# client's sia_base and handle will be.
+ # Ok, so we end up with four cases in terms of our checking:
+ #
+ # - Signed referral provided. Must be signed by existing client
+ # (somebody already listed in entitydb/pubclients/, suggesting
+ # that it might be useful to include ski there as an XML field?
+ # or maybe just outer unsigned XML wrapper that expresses the
+ # hint include handle of referrer so we can look up directly?
+ # yeah, that). sia_base offered (within inner signed referral
+ # XML) must be underneath signing client's space (so we'd have
+ # to look up the signing client entitydb data for that anyway).
+ #
+ # Case trivially detectable by presence of signed referral.
+ #
+ # - Client is direct child of entity running pubd, so entity
+ # running pubd clearly has the right to offer service to its
+ # children. So just assign publication location to child after
+ # checking that this really is a child of ours (ie, must be in
+ # entitydb/children).
+ #
+ # Detectable by handle being listed in entitydb/children.
+ #
+ # - Client is self, ie, entity that runs pubd is its own client.
+ # Trivial to check (handle and BPKI match). This gets top-level
+ # (rsyncd module) name.
+ #
+ # Detectable by handle matching ours.
+ #
+ # - All other cases get top-level directories of their own, no
+ # nesting. I guess such can go under an APNIC-style customers
+ # rsyncd module, or something like that.
+ #
+ # Detectable by none of the other cases matching.
+
+ # All of which would be OK except that I don't know how to map it
+ # into Randy's view of a single pubd running multiple rsyncd
+ # modules. Part of the problem there is that rsyncd.conf has to
+ # be updated whenever a new module is added, we can't do it
+ # automatically.
+ #
+ # Perhaps (just suggested on testbed list) our rsync URIs should look like:
+ #
+ # rsync://host[:port]/arbitrarymodule/client_handle
+ #
+ # where arbitrarymodule defaults to "rpki" and has no particular
+ # relationship to any client_handle.
+
# For the moment we cheat egregiously, no crypto, blind trust of
# what we're sent, while I focus on the basic semantics.
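Review bot: The new comment block lists four authorization cases but never says that none of them is enforced yet; the only hint is the older "blind trust of what we're sent" comment that follows it. Opening the block with something like `# TODO: none of the checks below are implemented yet; client-supplied values are still trusted as sent` would keep a later reader from assuming the checks exist. When the signed-referral case is implemented, the "underneath signing client's space" test should compare whole path segments of `sia_base` rather than a raw string prefix. The `client_handle` component of the proposed rsync URI presumably comes from the client too, and should be limited to a safe character set before it becomes a directory name. The enclosing method starts and ends outside the hunk.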
diff --git a/myrpki.rototill/test-myrpki-cms.py b/myrpki.rototill/test-myrpki-cms.py
new file mode 100644
index 00000000..29bea39c
--- /dev/null
+++ b/myrpki.rototill/test-myrpki-cms.py
@@ -0,0 +1,66 @@
+"""
+Scratch pad for working out what CMS referral code looks like.
+
+This is only in subversion for archival and backup, I don't expect
+users to run this, and will delete it in the near future.
+
+
+$Id$
+
+Copyright (C) 2010 Internet Systems Consortium ("ISC")
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THIS SOFTWARE.
+"""
+
+import subprocess, os, sys, myrpki
+
+original_xml = '''\
+<publication_referral xmlns="http://www.hactrn.net/uris/rpki/publication-spec/"
+ sia_base=rsync://repository.example/path/to/me/space-i-give-to-my-child">
+ Base64 encoded BPKI TA of resource holding aspect of my child xxx blah blah blah blah xxx
+</publication_referral>
+'''
+
+f = open("original.xml", "w")
+f.write(original_xml)
+f.close()
+
+myrpki.openssl = "/u/sra/rpki/subvert-rpki.hactrn.net/openssl/openssl/apps/openssl"
+os.putenv("OPENSSL_CONF", "/dev/null")
+
+bpki = myrpki.CA("test/Alice/myrpki.conf", "test/Alice/bpki/resources")
+bpki.ee("/CN=Alice Signed Referral CMS Test EE Certificate", "CMSEE")
+
+# "id-ct-xml" from rpki.oids
+oid = ".".join(map(str, (1, 2, 840, 113549, 1, 9, 16, 1, 28)))
+
+format = "DER" # PEM or DER
+
+subprocess.check_call((myrpki.openssl, "cms", "-sign",
+ "-binary", "-nodetach", "-nosmimecap", "-keyid", "-outform", format,
+ "-econtent_type", oid, "-md", "sha256",
+ "-inkey", "test/Alice/bpki/resources/CMSEE.key",
+ "-signer", "test/Alice/bpki/resources/CMSEE.cer",
+ "-in", "original.xml",
+ "-out", "original.%s" % format.lower()))
+
+if format == "DER":
+ subprocess.call(("dumpasn1", "-a", "original.cms"))
+
+# verifying may not be necessary here, that might be pubd's job. or
+# at least we can make it the job of the code formerly known as irdbd,
+# where we have full libraries available to us. but blunder ahead...
+
+subprocess.check_call((myrpki.openssl, "cms", "-verify", "-inform", format,
+ "-CAfile", "test/Alice/bpki/resources/ca.cer",
+ "-in", "original.%s" % format.lower()))
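Review bot: The `dumpasn1` call reads `original.cms`, but the signing step writes `"original.%s" % format.lower()`, i.e. `original.der`, so the dump never sees the file just produced. Because it goes through `subprocess.call`, the failure is silently ignored; the call should be `subprocess.call(("dumpasn1", "-a", "original.%s" % format.lower()))`. The test payload is also not well-formed XML, because the `sia_base` attribute lacks its opening quote and should read `sia_base="rsync://repository.example/path/to/me/space-i-give-to-my-child">`. The signature still verifies because CMS signs the bytes as given, so this script would not reveal a receiver rejecting the payload. Note also that `cms -verify -CAfile` only shows that the signer chains to `ca.cer`, not which client signed, and the referral design described in myrpki.py depends on that binding.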