author | Rob Austein <sra@hactrn.net> | 2015-12-07 07:36:29 +0000 |
---|---|---|
committer | Rob Austein <sra@hactrn.net> | 2015-12-07 07:36:29 +0000 |
commit | c99c8c4181f05c1d38455a2e78541afb43aee16e (patch) | |
tree | 4b4e8e11dc659e5c95f3adde0fd6b4257d5457ff /rp/rcynic | |
parent | 5230fd448e5c86c1bf285d5d16574af17fa65897 (diff) |
Start decoupling RPKI profile conformance checks from object
verification per se. Clean up nasty mess in profile conformance
checks for router certificates.
svn path=/branches/tk705/; revision=6211
Diffstat (limited to 'rp/rcynic')
-rwxr-xr-x | rp/rcynic/rcynicng | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/rp/rcynic/rcynicng b/rp/rcynic/rcynicng
index fed75ab2..68b2781b 100755
--- a/rp/rcynic/rcynicng
+++ b/rp/rcynic/rcynicng
@@ -275,8 +275,9 @@ class X509(rpki.POW.X509):
 status.add(codes.MALFORMED_SIA_EXTENSION)
 if not is_ta and self.count_uris(self.crldp) == 0:
 status.add(codes.MALFORMED_CRLDP_EXTENSION)
+ self.checkRPKIConformance(status = status, eku = id_kp_bgpsec_router if is_routercert else None)
 try:
- self.verify(trusted = [self] if trusted is None else trusted, crl = crl, status = status,
+ self.verify(trusted = [self] if trusted is None else trusted, crl = crl,
 policy = "1.3.6.1.5.5.7.14.2", context_class = X509StoreCTX.subclass(status = status))
 except rpki.POW.ValidationError as e:
 logger.debug("%r rejected: %s", self, e)
|
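Review bot: The new `self.checkRPKIConformance(...)` call sits before the `try:`, so anything it raises on a malformed certificate escapes the `except rpki.POW.ValidationError` handler that follows and is not turned into a status code. The certificates checked here are fetched from remote repositories, so if the method can raise (its definition is not visible in this hunk), one bad object could propagate an exception out of this method instead of being recorded as rejected; consider moving the call inside the `try:` or stating in its docstring that it reports only through `status`. A short comment such as `# profile conformance is reported via status; signature and path validation happen in verify() below` would also make the split between the two steps explicit. The enclosing method starts and ends outside the hunk.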