author | Rob Austein <sra@hactrn.net> | 2015-12-07 00:14:06 +0000 |
---|---|---|
committer | Rob Austein <sra@hactrn.net> | 2015-12-07 00:14:06 +0000 |
commit | 5230fd448e5c86c1bf285d5d16574af17fa65897 (patch) | |
tree | dd2cf7cd545cbda7f72547c8b659cc7647474192 /rp/rcynic | |
parent | e72ed120fd831aebd8443b3075651d3e48e593b0 (diff) |
Move validation callback to Python.
svn path=/branches/tk705/; revision=6210
Diffstat (limited to 'rp/rcynic')
-rwxr-xr-x | rp/rcynic/rcynicng | 25 |
1 files changed, 24 insertions, 1 deletions
diff --git a/rp/rcynic/rcynicng b/rp/rcynic/rcynicng
index b06154cb..fed75ab2 100755
--- a/rp/rcynic/rcynicng
+++ b/rp/rcynic/rcynicng
@@ -157,6 +157,28 @@ def final_install():
 shutil.rmtree(path)
+class X509StoreCTX(rpki.POW.X509StoreCTX):
+ @classmethod
+ def subclass(cls, **kwargs):
+ return type(cls.__name__, (cls,), kwargs)
+
+ status = None
+
+ def verify_callback(self, ok):
+ err = self.getError()
+ if err in (codes.X509_V_OK.code, codes.X509_V_ERR_SUBJECT_ISSUER_MISMATCH.code):
+ return ok
+ elif err == codes.X509_V_ERR_CRL_HAS_EXPIRED.code:
+ return True
+ elif err == codes.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT.code:
+ self.status.add(codes.TRUST_ANCHOR_NOT_SELF_SIGNED)
+ return ok
+ else:
+ self.status.add(codes.find(err))
+ return ok
+
+ class X509(rpki.POW.X509):
+ def __repr__(self):
@@ -254,7 +276,8 @@ class X509(rpki.POW.X509):
 if not is_ta and self.count_uris(self.crldp) == 0:
 status.add(codes.MALFORMED_CRLDP_EXTENSION)
 try:
- self.verify(trusted = [self] if trusted is None else trusted, crl = crl, status = status)
+ self.verify(trusted = [self] if trusted is None else trusted, crl = crl, status = status,
+ context_class = X509StoreCTX.subclass(status = status))
 except rpki.POW.ValidationError as e:
 logger.debug("%r rejected: %s", self, e)
 status.add(codes.OBJECT_REJECTED) |
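Review bot: The `X509_V_ERR_CRL_HAS_EXPIRED` branch of `verify_callback` overrides OpenSSL's verdict with `return True` without recording anything in `self.status`, so a stale CRL is accepted silently while every other error the callback sees is at least recorded via `status.add`; I would put `self.status.add(codes.find(err))` ahead of that `return True` so the override stays visible to operators and a stale-CRL policy can still be applied downstream. The `X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT` branch labels every occurrence as `TRUST_ANCHOR_NOT_SELF_SIGNED`, but judging from the second hunk (`trusted = [self] if trusted is None else trusted`) the same OpenSSL error should also fire for a non-TA whose issuer is absent from `trusted`, where that label would be misleading — worth confirming against how callers build `trusted`. Finally, the `status = None` class default means a context that was not created through `subclass(status=...)` raises `AttributeError` from inside the OpenSSL verify callback; either guard it up front or add a comment such as `# status is injected by subclass(); a bare X509StoreCTX must not be used for verification`.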
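Review bot: The `try` around `self.verify(...)` still catches only `rpki.POW.ValidationError`, yet with `context_class` the Python-side `verify_callback` now runs inside that call, and anything it raises — `codes.find(err)` not knowing a code, or `self.status` left at its `None` default — would presumably surface as a different exception type and escape this handler instead of marking the object rejected. If letting such failures propagate is the intended fail-closed behaviour it deserves a comment here, e.g. `# Exceptions from the Python verify callback are bugs, not rejections: let them propagate`; otherwise the handler should be broadened or the callback made defensive. The enclosing method begins before this hunk and its remaining lines are outside it.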