authorRob Austein <sra@hactrn.net>2015-11-29 03:58:51 +0000
committerRob Austein <sra@hactrn.net>2015-11-29 03:58:51 +0000
commit3b93c02c1e50afc7ba5eebe9791f1ee71f10de0e (patch)
tree535c42233f2825a4c1f8bc520b6439e81818e75a /rpki
parent2eebc88ed0692b1bb48ab11dde3ed45ed8298096 (diff)
rcynicng caught a bug in rpkid! Router certificates are forbidden
from having SIA extensions, unlike all other RPKI certificates which are required to have them. Start moving RPKI conformance checks which can be performed in Python out of POW.c, tag a bunch more for consideration. svn path=/branches/tk705/; revision=6204
Diffstat (limited to 'rpki')
-rw-r--r--rpki/rpkid_tasks.py5
-rw-r--r--rpki/rpkidb/models.py2
-rw-r--r--rpki/x509.py6
3 files changed, 5 insertions, 8 deletions
diff --git a/rpki/rpkid_tasks.py b/rpki/rpkid_tasks.py
index 9759deff..9fe193ae 100644
--- a/rpki/rpkid_tasks.py
+++ b/rpki/rpkid_tasks.py
@@ -586,13 +586,10 @@ class UpdateEECertificatesTask(AbstractTask):
for ca_detail in covering:
logger.debug("%r: No existing EE certificate for %s %s", self, gski, resources)
cn, sn = subject_name.extract_cn_and_sn()
- sia = (None, None,
- ca_detail.ca.sia_uri + subject_key.gSKI() + ".cer",
- ca_detail.ca.parent.repository.rrdp_notification_uri)
cert = ca_detail.issue_ee(
ca = ca_detail.ca,
subject_key = subject_key,
- sia = sia,
+ sia = None,
resources = resources,
notAfter = resources.valid_until,
cn = cn,
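Review bot: `sia = None` is now hardcoded at this `issue_ee` call with nothing on the line saying why, and the same is true of the `EECertificate` call in rpki/rpkidb/models.py. The commit message says only router certificates are forbidden from carrying SIA while every other RPKI certificate is required to have one, so a reader cannot tell from these lines whether either path can ever issue a non-router EE certificate. I would add a comment above the argument, such as `# Router certificates must not carry an SIA extension; every other RPKI certificate requires one`. If these paths can issue other EE types, the SIA should be chosen from the certificate type instead; the models.py call passes `eku`, while this call shows none within the hunk. The argument list continues outside the hunk.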
diff --git a/rpki/rpkidb/models.py b/rpki/rpkidb/models.py
index c2488738..5fd5785f 100644
--- a/rpki/rpkidb/models.py
+++ b/rpki/rpkidb/models.py
@@ -1845,7 +1845,7 @@ class EECertificate(models.Model):
ca = ca_detail.ca,
subject_key = self.cert.getPublicKey(),
eku = self.cert.get_EKU(),
- sia = (None, None, self.uri, ca_detail.ca.parent.repository.rrdp_notification_uri),
+ sia = None,
resources = resources,
notAfter = resources.valid_until,
cn = cn,
diff --git a/rpki/x509.py b/rpki/x509.py
index 67a597e6..0acb3859 100644
--- a/rpki/x509.py
+++ b/rpki/x509.py
@@ -776,9 +776,9 @@ class X509(DER_object):
Common code to issue an RPKI certificate.
"""
- assert sia and len(sia) == 4 and sia[3]
-
- sia = tuple((str(s),) if isinstance(s, (str, unicode)) else s for s in sia)
+ if sia is not None:
+ assert len(sia) == 4 and sia[3]
+ sia = tuple((str(s),) if isinstance(s, (str, unicode)) else s for s in sia)
now = rpki.sundial.now()
ski = subject_key.get_SKI()
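Review bot: With `if sia is not None:` the common issuance code accepts a missing SIA from any caller, not only for router certificates, and the remaining shape check is an `assert` that is stripped under `python -O`. Since the commit message says SIA is mandatory for all other RPKI certificates, the `None` path should be tied to whatever marks a router certificate here (presumably the EKU argument, which is not visible in this hunk). The check should also raise rather than assert, e.g. `if len(sia) != 4 or not sia[3]: raise ValueError("SIA must have four elements, including the RRDP notification URI")`, using the project's own exception type if it has one. The function starts and ends outside the hunk, so later code may already enforce part of this.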