authorRob Austein <sra@hactrn.net>2010-11-10 04:12:22 +0000
committerRob Austein <sra@hactrn.net>2010-11-10 04:12:22 +0000
commit3d7748a4283d6bcc89f373307a6dba967f7faf32 (patch)
tree578ec271a07cb353b285590c05fb2ec25106b67c /rpkid/rpki
parent78b47e58845c28f629a065133257ee9062d7021c (diff)
Fix handling of inheritance in EE certs
svn path=/rpkid/rootd.py; revision=3544
Diffstat (limited to 'rpkid/rpki')
-rw-r--r--rpkid/rpki/resource_set.py15
-rw-r--r--rpkid/rpki/rpki_engine.py6
-rw-r--r--rpkid/rpki/x509.py16
3 files changed, 27 insertions, 10 deletions
diff --git a/rpkid/rpki/resource_set.py b/rpkid/rpki/resource_set.py
index 08a577c9..611f1f44 100644
--- a/rpkid/rpki/resource_set.py
+++ b/rpkid/rpki/resource_set.py
@@ -703,6 +703,21 @@ class resource_bag(object):
not other.v6.issubset(self.v6)
@classmethod
+ def from_inheritance(cls):
+ """
+ Build a resource bag that just inherits everything from its
+ parent.
+ """
+ self = cls()
+ self.asn = resource_set_as()
+ self.v4 = resource_set_ipv4()
+ self.v6 = resource_set_ipv6()
+ self.asn.inherit = True
+ self.v4.inherit = True
+ self.v6.inherit = True
+ return self
+
+ @classmethod
def from_rfc3779_tuples(cls, exts):
"""
Build a resource_bag from intermediate form generated by RFC 3779
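Review bot: `from_inheritance` sets the flag by assigning `.inherit = True` after construction, whereas the call site this commit removes from rpki_engine.py passed `inherit_token` to each set's constructor, so the codebase now has two ways to create an inheriting set. The constructors are outside this hunk; if they do anything beyond setting the flag, the two paths can drift. Either build the sets through the constructor here, or extend the docstring to say that each set is left empty with only `inherit` set and must not have explicit resources added afterwards. The local named `self` inside a classmethod also reads as if an instance already existed; `bag = cls()` followed by `return bag` would be clearer.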
diff --git a/rpkid/rpki/rpki_engine.py b/rpkid/rpki/rpki_engine.py
index f31e1df7..ba7f1cf7 100644
--- a/rpkid/rpki/rpki_engine.py
+++ b/rpkid/rpki/rpki_engine.py
@@ -774,11 +774,7 @@ class ca_detail_obj(rpki.sql.sql_persistent):
Generate a new manifest certificate for this ca_detail.
"""
- resources = rpki.resource_set.resource_bag(
- asn = rpki.resource_set.resource_set_as(rpki.resource_set.inherit_token),
- v4 = rpki.resource_set.resource_set_ipv4(rpki.resource_set.inherit_token),
- v6 = rpki.resource_set.resource_set_ipv6(rpki.resource_set.inherit_token))
-
+ resources = rpki.resource_set.resource_bag.from_inheritance()
self.latest_manifest_cert = self.issue_ee(ca, resources, self.manifest_public_key)
def issue(self, ca, child, subject_key, sia, resources, publisher, child_cert = None):
diff --git a/rpkid/rpki/x509.py b/rpkid/rpki/x509.py
index d013d247..61b5fef7 100644
--- a/rpkid/rpki/x509.py
+++ b/rpkid/rpki/x509.py
@@ -509,11 +509,17 @@ class X509(DER_object):
else:
assert not is_ca
- if resources is not None and resources.asn:
- exts.append(["sbgp-autonomousSysNum", True, (resources.asn.to_rfc3779_tuple(), None)])
-
- if resources is not None and (resources.v4 or resources.v6):
- exts.append(["sbgp-ipAddrBlock", True, [x for x in (resources.v4.to_rfc3779_tuple(), resources.v6.to_rfc3779_tuple()) if x is not None]])
+ # This next bit suggests that perhaps .to_rfc3779_tuple() should
+ # be raising an exception when there are no resources rather than
+ # returning None. Maybe refactor later.
+
+ if resources is not None:
+ r = resources.asn.to_rfc3779_tuple()
+ if r is not None:
+ exts.append(["sbgp-autonomousSysNum", True, (r, None)])
+ r = [x for x in (resources.v4.to_rfc3779_tuple(), resources.v6.to_rfc3779_tuple()) if x is not None]
+ if r:
+ exts.append(["sbgp-ipAddrBlock", True, r])
for x in exts:
x[0] = rpki.oids.name2oid[x[0]]
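Review bot: When `resources` is supplied but every `to_rfc3779_tuple()` call returns None, the block under `if resources is not None:` appends neither extension and the certificate is built with no RFC 3779 extension at all. The RPKI certificate profile requires at least one of the two resource extensions, so such a certificate would be rejected by relying parties only after it has been issued and published. Failing at issuance is safer, for example by keeping the two results in separate names (`asn`, `ip`) and adding `if asn is None and not ip: raise ValueError("no RFC 3779 resources to encode")`. Separate names also avoid reusing `r` for a tuple and then a list. The enclosing method starts and ends outside this hunk, so whether a caller can actually pass an empty bag needs checking against the call sites.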