aboutsummaryrefslogtreecommitdiff
path: root/rpki/rpkidb/models.py
diff options
context:
space:
mode:
authorRob Austein <sra@hactrn.net>2015-10-25 23:41:42 +0000
committerRob Austein <sra@hactrn.net>2015-10-25 23:41:42 +0000
commit924f08b8f22239f688920e554fcd37ef924e4d29 (patch)
tree4fdca5bdb53ec3167ce1a8304386622f7f348e08 /rpki/rpkidb/models.py
parent2c749a18db7886b7c9931f2b98eac6f099d304d2 (diff)
All SKI operations on issued certificates are really g(SKI)
operations, so simplify code and schema by removing gratuitous transformations to and from binary format. svn path=/branches/tk705/; revision=6150
Diffstat (limited to 'rpki/rpkidb/models.py')
-rw-r--r--rpki/rpkidb/models.py59
1 files changed, 26 insertions, 33 deletions
diff --git a/rpki/rpkidb/models.py b/rpki/rpkidb/models.py
index 32028a1f..1a293360 100644
--- a/rpki/rpkidb/models.py
+++ b/rpki/rpkidb/models.py
@@ -552,6 +552,10 @@ class Parent(models.Model):
Result is a dictionary with the resource class name as key and a
set of SKIs as value.
+
+ This, like everything else dealing with SKIs in the up-down
+ protocol, is mis-named: we're really dealing with g(SKI) values,
+ not raw SKI values. Sorry.
"""
r_msg = yield self.up_down_list_query(rpkid = rpkid)
@@ -574,7 +578,7 @@ class Parent(models.Model):
"""
for ski in skis_to_revoke:
- logger.debug("Asking parent %r to revoke class %r, SKI %s", self, rc_name, ski)
+ logger.debug("Asking parent %r to revoke class %r, g(SKI) %s", self, rc_name, ski)
yield self.up_down_revoke_query(rpkid = rpkid, class_name = rc_name, ski = ski)
@@ -776,7 +780,7 @@ class CA(models.Model):
rc_cert, rc_cert_uri = cert_map.pop(ca_detail.public_key.gSKI(), (None, None))
if rc_cert is None:
- logger.warning("SKI %s in resource class %s is in database but missing from list_response to %s from %s, "
+ logger.warning("g(SKI) %s in resource class %s is in database but missing from list_response to %s from %s, "
"maybe parent certificate went away?",
ca_detail.public_key.gSKI(), class_name, parent.tenant.tenant_handle, parent.parent_handle)
publisher = rpki.rpkid.publication_queue(rpkid)
@@ -813,7 +817,7 @@ class CA(models.Model):
old_resources = current_resources)
if cert_map:
- logger.warning("Unknown certificate SKI%s %s in resource class %s in list_response to %s from %s, maybe you want to \"revoke_forgotten\"?",
+ logger.warning("Unknown certificate g(SKI)%s %s in resource class %s in list_response to %s from %s, maybe you want to \"revoke_forgotten\"?",
"" if len(cert_map) == 1 else "s", ", ".join(cert_map), class_name, parent.tenant.tenant_handle, parent.parent_handle)
@@ -1093,7 +1097,7 @@ class CADetail(models.Model):
@tornado.gen.coroutine
def revoke(self, rpkid):
"""
- Request revocation of all certificates whose SKI matches the key
+ Request revocation of all certificates whose g(SKI) matches the key
for this ca_detail.
Tasks:
@@ -1116,7 +1120,7 @@ class CADetail(models.Model):
gski = self.latest_ca_cert.gSKI()
- logger.debug("Asking parent to revoke CA certificate %s", gski)
+ logger.debug("Asking parent to revoke CA certificate matching g(SKI) = %s", gski)
r_msg = yield self.ca.parent.up_down_revoke_query(rpkid = rpkid, class_name = self.ca.parent_resource_class, ski = gski)
@@ -1126,7 +1130,7 @@ class CADetail(models.Model):
if r_msg[0].get("ski") != gski:
raise rpki.exceptions.SKIMismatch
- logger.debug("Parent revoked %s, starting cleanup", gski)
+ logger.debug("Parent revoked g(SKI) %s, starting cleanup", gski)
crl_interval = rpki.sundial.timedelta(seconds = self.ca.parent.tenant.crl_interval)
@@ -1299,7 +1303,7 @@ class CADetail(models.Model):
child_cert.cert = cert
child_cert.ca_detail = self
logger.debug("Reusing existing child_cert %r", child_cert)
- child_cert.ski = cert.get_SKI()
+ child_cert.gski = cert.gSKI()
child_cert.published = rpki.sundial.now()
child_cert.save()
publisher.queue(
@@ -1622,7 +1626,7 @@ class Child(models.Model):
publisher = rpki.rpkid.publication_queue(rpkid)
try:
- child_cert = self.child_certs.get(ca_detail = ca_detail, ski = req_key.get_SKI())
+ child_cert = self.child_certs.get(ca_detail = ca_detail, gski = req_key.gSKI())
except ChildCert.DoesNotExist:
child_cert = ca_detail.issue(
@@ -1659,11 +1663,10 @@ class Child(models.Model):
key = q_msg[0]
assert key.tag == rpki.up_down.tag_key
class_name = key.get("class_name")
- ski = base64.urlsafe_b64decode(key.get("ski") + "=")
publisher = rpki.rpkid.publication_queue(rpkid)
for child_cert in ChildCert.objects.filter(ca_detail__ca__parent__tenant = self.tenant,
ca_detail__ca__parent_resource_class = class_name,
- ski = ski):
+ gski = key.get("ski")):
child_cert.revoke(publisher = publisher)
yield publisher.call_pubd()
SubElement(r_msg, key.tag, class_name = class_name, ski = key.get("ski"))
@@ -1705,7 +1708,7 @@ class Child(models.Model):
class ChildCert(models.Model):
cert = CertificateField()
published = SundialField(null = True)
- ski = models.BinaryField()
+ gski = models.CharField(max_length = 27) # Assumes SHA-1 -- SHA-256 would be 43, SHA-512 would be 86, etc.
child = models.ForeignKey(Child, related_name = "child_certs")
ca_detail = models.ForeignKey(CADetail, related_name = "child_certs")
@@ -1716,7 +1719,7 @@ class ChildCert(models.Model):
Return the tail (filename) portion of the URI for this child_cert.
"""
- return self.cert.gSKI() + ".cer"
+ return self.gski + ".cer"
@property
@@ -1792,7 +1795,7 @@ class ChildCert(models.Model):
logger.debug("No change to %r", self)
return self
if must_revoke:
- for x in child.child_certs.filter(ca_detail = ca_detail, ski = self.ski):
+ for x in child.child_certs.filter(ca_detail = ca_detail, gski = self.gski):
logger.debug("Revoking child_cert %r", x)
x.revoke(publisher = publisher)
ca_detail.generate_crl(publisher = publisher)
@@ -1820,7 +1823,7 @@ class ChildCert(models.Model):
class EECertificate(models.Model):
- ski = models.BinaryField()
+ gski = models.CharField(max_length = 27) # Assumes SHA-1 -- SHA-256 would be 43, SHA-512 would be 86, etc.
cert = CertificateField()
published = SundialField(null = True)
tenant = models.ForeignKey(Tenant, related_name = "ee_certificates")
@@ -1828,22 +1831,6 @@ class EECertificate(models.Model):
@property
- def gski(self):
- """
- Calculate g(SKI), for ease of comparison with XML.
-
- Although, really, one has to ask why we don't just store g(SKI)
- instead of SKI....
- """
-
- return base64.urlsafe_b64encode(self.ski).rstrip("=")
-
- @gski.setter
- def gski(self, val):
- self.ski = base64.urlsafe_b64decode(val + ("=" * ((4 - len(val)) % 4)))
-
-
- @property
def uri(self):
"""
Return the publication URI for this ee_cert_obj.
@@ -1859,7 +1846,7 @@ class EECertificate(models.Model):
ee_cert_obj.
"""
- return self.cert.gSKI() + ".cer"
+ return self.gski + ".cer"
@classmethod
@@ -1868,8 +1855,14 @@ class EECertificate(models.Model):
Generate a new EE certificate.
"""
+ # The low-level X.509 code really ought to supply the singleton
+ # tuple wrapper when handed a string, but that yak will need to
+ # wait until another day for its shave.
+
cn, sn = subject_name.extract_cn_and_sn()
- sia = (None, None, ca_detail.ca.sia_uri + subject_key.gSKI() + ".cer", ca_detail.ca.parent.repository.rrdp_notification_uri)
+ sia = (None, None,
+ (ca_detail.ca.sia_uri + subject_key.gSKI() + ".cer",),
+ (ca_detail.ca.parent.repository.rrdp_notification_uri,))
cert = ca_detail.issue_ee(
ca = ca_detail.ca,
subject_key = subject_key,
@@ -1879,7 +1872,7 @@ class EECertificate(models.Model):
cn = cn,
sn = sn,
eku = eku)
- self = cls(tenant = ca_detail.ca.parent.tenant, ca_detail = ca_detail, cert = cert, ski = subject_key.get_SKI())
+ self = cls(tenant = ca_detail.ca.parent.tenant, ca_detail = ca_detail, cert = cert, gski = subject_key.gSKI())
publisher.queue(
uri = self.uri,
new_obj = self.cert,
generated by cgit v1.2.3 (git 2.25.1) at 2025-05-10 18:05:22 +0000