authorRob Austein <sra@hactrn.net>2010-10-07 00:59:39 +0000
committerRob Austein <sra@hactrn.net>2010-10-07 00:59:39 +0000
commit94bad6e5ca0045bb46093a3002e7c03ea6e0bee4 (patch)
treeb54b80610b8565a232167290010172cac6b0df2b /rpkid/rpki
parent8ada594d05c4e79fc2e3a13b50489bb75bd90cae (diff)
Merge rpkid.without_tls/ branch to rpkid/ trunk.
svn path=/rpkid/Makefile; revision=3465
Diffstat (limited to 'rpkid/rpki')
-rw-r--r--rpkid/rpki/__doc__.py.in77
-rw-r--r--rpkid/rpki/adns.py2
-rw-r--r--rpkid/rpki/async.py2
-rw-r--r--rpkid/rpki/config.py21
-rw-r--r--rpkid/rpki/exceptions.py16
-rw-r--r--rpkid/rpki/http.py (renamed from rpkid/rpki/https.py)338
-rw-r--r--rpkid/rpki/left_right.py65
-rw-r--r--rpkid/rpki/log.py2
-rw-r--r--rpkid/rpki/myrpki.py56
-rw-r--r--rpkid/rpki/publication.py30
-rw-r--r--rpkid/rpki/relaxng.py14
-rw-r--r--rpkid/rpki/resource_set.py2
-rw-r--r--rpkid/rpki/rpki_engine.py46
-rw-r--r--rpkid/rpki/sundial.py2
-rw-r--r--rpkid/rpki/up_down.py2
-rw-r--r--rpkid/rpki/x509.py10
16 files changed, 140 insertions, 545 deletions
diff --git a/rpkid/rpki/__doc__.py.in b/rpkid/rpki/__doc__.py.in
index 420de455..7b2b280b 100644
--- a/rpkid/rpki/__doc__.py.in
+++ b/rpkid/rpki/__doc__.py.in
@@ -4,7 +4,7 @@
#
# $Id$
#
-# Copyright (C) 2009-2010 Internet Systems Consortium ("ISC")
+# Copyright (C) 2009--2010 Internet Systems Consortium ("ISC")
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
@@ -790,8 +790,8 @@
#
# @c myrpki use has two distinct phases: setup and data maintenance.
# The setup phase is primarily about constructing the "business PKI"
-# (BPKI) certificates that the daemons use to authenticate CMS and
-# HTTPS messages and obtaining the service URLs needed to configure
+# (BPKI) certificates that the daemons use to authenticate CMS
+# messages and obtaining the service URLs needed to configure
# the daemons. The data maintenance phase is about configuring local
# data into the daemons.
#
@@ -1258,16 +1258,16 @@
# by irdbd.
#
# @par @c irdb-url:
-# Service URL for irdbd. Must be a %https:// URL.
+# Service URL for irdbd. Must be a %http:// URL.
#
# @par @c server-host:
# Hostname or IP address on which to listen for
-# HTTPS connections. Current default is
+# HTTP connections. Current default is
# INADDR_ANY (IPv4 0.0.0.0); this will need to
# be hacked to support IPv6 for production.
#
# @par @c server-port:
-# TCP port on which to listen for HTTPS
+# TCP port on which to listen for HTTP
# connections.
## @page pubdconf pubd.conf
@@ -1309,12 +1309,12 @@
#
# @par @c server-host:
# Hostname or IP address on which to listen for
-# HTTPS connections. Current default is
+# HTTP connections. Current default is
# INADDR_ANY (IPv4 0.0.0.0); this will need to
# be hacked to support IPv6 for production.
#
# @par @c server-port:
-# TCP port on which to listen for HTTPS
+# TCP port on which to listen for HTTP
# connections.
#
# @par @c publication-base:
@@ -1355,10 +1355,10 @@
#
# @par @c server-host:
# Hostname or IP address on which to listen for
-# HTTPS connections. Default is localhost.
+# HTTP connections. Default is localhost.
#
# @par @c server-port:
-# TCP port on which to listen for HTTPS
+# TCP port on which to listen for HTTP
# connections.
#
# @par @c rpki-root-key:
@@ -1437,8 +1437,8 @@
# one and only by rpkid instance authorized to
# contact this irdbd instance.
#
-# @par @c https-url:
-# Service URL for irdbd. Must be a %https:// URL.
+# @par @c http-url:
+# Service URL for irdbd. Must be a %http:// URL.
## @page smoketestconf smoketest.conf
#
@@ -1583,7 +1583,7 @@
# Left-right protocol %objects are encoded as signed CMS messages
# containing XML as eContent and using an eContentType OID of @c id-ct-xml
# (1.2.840.113549.1.9.16.1.28). These CMS messages are in turn passed
-# as the data for HTTPS POST operations, with an HTTP content type of
+# as the data for HTTP POST operations, with an HTTP content type of
# "application/x-rpki" for both the POST data and the response data.
#
# All operations allow an optional "tag" attribute which can be any
@@ -1684,7 +1684,7 @@
# @subsection bsc_obj <bsc/> object
#
# The @c &lt;bsc/&gt; ("business signing context") %object represents all the BPKI
-# data needed to sign outgoing CMS or HTTPS messages. Various other
+# data needed to sign outgoing CMS messages. Various other
# %objects include pointers to a @c &lt;bsc/&gt; %object. Whether a particular
# @c &lt;self/&gt; uses only one @c &lt;bsc/&gt; or multiple is a configuration decision
# based on external requirements: the RPKI engine code doesn't care, it
@@ -1754,7 +1754,7 @@
# Payload data which can be configured in a @c &lt;parent/&gt; %object:
#
# @par @c peer_contact_uri (attribute):
-# HTTPS URI used to contact this parent.
+# HTTP URI used to contact this parent.
#
# @par @c sia_base (attribute):
# The leading portion of an rsync URI that the RPKI engine should
@@ -1788,16 +1788,6 @@
# certificate in the @c &lt;self/&gt; %object; if not needed, the
# bpki_cms_glue certificate should be left unset.
#
-# @par @c bpki_https_cert (element):
-# BPKI HTTPS CA certificate for this @c &lt;parent/&gt;. This is like the
-# bpki_cms_cert %object, only used for validating incoming TLS
-# messages rather than CMS.
-#
-# @par @c bpki_cms_glue (element):
-# Another BPKI HTTPS CA certificate for this @c &lt;parent/&gt;, usually not
-# needed. This is like the bpki_cms_glue certificate, only used for
-# validating incoming TLS messages rather than CMS.
-#
# Control attributes that can be set to "yes" to force actions:
#
# @par @c rekey:
@@ -1859,7 +1849,7 @@
# Payload data which can be configured in a @c &lt;repository/&gt; %object:
#
# @par @c peer_contact_uri (attribute):
-# HTTPS URI used to contact this repository.
+# HTTP URI used to contact this repository.
#
# @par @c bpki_cms_cert (element):
# BPKI CMS CA certificate for this @c &lt;repository/&gt;. This is used as part
@@ -1878,16 +1868,6 @@
# certificate in the @c &lt;self/&gt; %object; if not needed, the
# bpki_cms_glue certificate should be left unset.
#
-# @par @c bpki_https_cert (element):
-# BPKI HTTPS CA certificate for this @c &lt;repository/&gt;. This is like the
-# bpki_cms_cert %object, only used for validating incoming TLS
-# messages rather than CMS.
-#
-# @par @c bpki_cms_glue (element):
-# Another BPKI HTTPS CA certificate for this @c &lt;repository/&gt;, usually not
-# needed. This is like the bpki_cms_glue certificate, only used for
-# validating incoming TLS messages rather than CMS.
-#
# At present there are no control attributes for @c &lt;repository/&gt; %objects.
#
# @subsection route_origin_obj <route_origin/> object
@@ -1962,7 +1942,7 @@
# back to the IRDB. These queries do not follow the message-passing
# pattern used in the IRBE-initiated part of the protocol. Instead,
# there's a single query back to the IRDB, with a corresponding
-# response. The CMS and HTTPS encoding are the same as in the rest of
+# response. The CMS encoding are the same as in the rest of
# the protocol, but the BPKI certificates will be different as the
# back-queries and responses form a separate communication channel.
#
@@ -2014,7 +1994,7 @@
#
# Error in this protocol are handled at two levels.
#
-# Since all messages in this protocol are conveyed over HTTPS
+# Since all messages in this protocol are conveyed over HTTP
# connections, basic errors are indicated via the HTTP response code.
# 4xx and 5xx responses indicate that something bad happened. Errors
# that make it impossible to decode a query or encode a response are
@@ -2056,12 +2036,12 @@
# Much of the architecture of the %publication protocol is borrowed
# from the @ref Left-Right "left-right protocol": like the
# left-right protocol, the %publication protocol uses CMS-wrapped XML
-# over HTTPS with the same eContentType OID and the same HTTPS
+# over HTTP with the same eContentType OID and the same HTTP
# content-type, and the overall style of the XML messages is very
# similar to the left-right protocol. All operations allow an
# optional "tag" attribute to allow batching.
#
-# The %publication engine operates a single HTTPS server which serves
+# The %publication engine operates a single HTTP server which serves
# both of these subprotocols. The two subprotocols share a single
# server port, but use distinct URLs to allow demultiplexing.
#
@@ -2172,7 +2152,7 @@
#
# Error in this protocol are handled at two levels.
#
-# Since all messages in this protocol are conveyed over HTTPS
+# Since all messages in this protocol are conveyed over HTTP
# connections, basic errors are indicated via the HTTP response code.
# 4xx and 5xx responses indicate that something bad happened. Errors
# that make it impossible to decode a query or encode a response are
@@ -2344,21 +2324,8 @@
# during certificate validation, dotted arrows show the origin of the
# EE certificates that rpkid uses to sign CMS and TLS messages.
#
-# There's one nasty bit where the model had to bend to fit the current
-# state of the underlying protocols: it's not possible to use exactly
-# the same BPKI keys and certificates for HTTPS and CMS. The reason
-# for this is simple: each hosted entity has its own BPKI, as does the
-# hosting entity, but the HTTPS listener is shared. The only ways to
-# avoid sharing the HTTPS server certificate would be to use separate
-# listeners for each hosted entity, which scales poorly, or to rely on
-# the TLS "Server Name Indication" extension (RFC 4366 3.1) which is
-# not yet widely implemented.
-#
# The certificate tree looks complicated, but the set of certificates
-# needed to build any particular validation chain is obvious, again
-# excepting the HTTPS server case, where the client certificate is the
-# first hint that the engine has of the client's identity, so the
-# server must be prepared to accept any current client certificate.
+# needed to build any particular validation chain is obvious.
#
# Detailed instructions on how to build a BPKI are beyond the scope of
# this document, but one can handle simple cases using the OpenSSL
diff --git a/rpkid/rpki/adns.py b/rpkid/rpki/adns.py
index e634a30d..f627ac7a 100644
--- a/rpkid/rpki/adns.py
+++ b/rpkid/rpki/adns.py
@@ -18,7 +18,7 @@ LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
-Portions copyright (C) 2003-2007, 2009, 2010 Nominum, Inc.
+Portions copyright (C) 2003--2007, 2009, 2010 Nominum, Inc.
Permission to use, copy, modify, and distribute this software and its
documentation for any purpose with or without fee is hereby granted,
diff --git a/rpkid/rpki/async.py b/rpkid/rpki/async.py
index e0f9f84c..5bff4d45 100644
--- a/rpkid/rpki/async.py
+++ b/rpkid/rpki/async.py
@@ -3,7 +3,7 @@ Utilities for event-driven programming.
$Id$
-Copyright (C) 2009-2010 Internet Systems Consortium ("ISC")
+Copyright (C) 2009--2010 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
diff --git a/rpkid/rpki/config.py b/rpkid/rpki/config.py
index 87554a53..2bdc160c 100644
--- a/rpkid/rpki/config.py
+++ b/rpkid/rpki/config.py
@@ -4,7 +4,7 @@ ConfigParser module.
$Id$
-Copyright (C) 2009-2010 Internet Systems Consortium ("ISC")
+Copyright (C) 2009--2010 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -156,40 +156,35 @@ class parser(object):
its data is less silly than the available alternatives.
"""
- import rpki.https, rpki.x509, rpki.sql, rpki.async
+ import rpki.http, rpki.x509, rpki.sql, rpki.async
try:
- rpki.https.debug_http = self.getboolean("debug_http")
+ rpki.http.debug_http = self.getboolean("debug_http")
except ConfigParser.NoOptionError:
pass
try:
- rpki.https.debug_tls_certs = self.getboolean("debug_tls_certs")
+ rpki.http.want_persistent_client = self.getboolean("want_persistent_client")
except ConfigParser.NoOptionError:
pass
try:
- rpki.https.want_persistent_client = self.getboolean("want_persistent_client")
+ rpki.http.want_persistent_server = self.getboolean("want_persistent_server")
except ConfigParser.NoOptionError:
pass
try:
- rpki.https.want_persistent_server = self.getboolean("want_persistent_server")
+ rpki.http.use_adns = self.getboolean("use_adns")
except ConfigParser.NoOptionError:
pass
try:
- rpki.https.use_adns = self.getboolean("use_adns")
+ rpki.http.enable_ipv6_clients = self.getboolean("enable_ipv6_clients")
except ConfigParser.NoOptionError:
pass
try:
- rpki.https.enable_ipv6_clients = self.getboolean("enable_ipv6_clients")
- except ConfigParser.NoOptionError:
- pass
-
- try:
- rpki.https.enable_ipv6_servers = self.getboolean("enable_ipv6_servers")
+ rpki.http.enable_ipv6_servers = self.getboolean("enable_ipv6_servers")
except ConfigParser.NoOptionError:
pass
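Review bot: The six consecutive try/except ConfigParser.NoOptionError blocks in this hunk differ only in the option name, and the rewrite (rpki.https → rpki.http) was the moment to collapse them; the copy-and-paste form is exactly how the original ended up with one block per flag. A single loop over the option names with setattr() keeps the same "missing option means leave the module default" behaviour and makes adding or retiring a flag a one-token change. Note that a config file still carrying the retired `debug_tls_certs` option is now silently ignored rather than reported; if stale settings are worth flagging, this loop is also the natural place to log unknown names. The enclosing method's signature and docstring start outside the hunk.
```python
    # … unchanged: docstring and the rpki.http/x509/sql/async imports …
    for name in ("debug_http", "want_persistent_client", "want_persistent_server",
                 "use_adns", "enable_ipv6_clients", "enable_ipv6_servers"):
      try:
        setattr(rpki.http, name, self.getboolean(name))
      except ConfigParser.NoOptionError:
        pass
```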
diff --git a/rpkid/rpki/exceptions.py b/rpkid/rpki/exceptions.py
index 8e77beab..f57c679d 100644
--- a/rpkid/rpki/exceptions.py
+++ b/rpkid/rpki/exceptions.py
@@ -3,7 +3,7 @@ Exception definitions for RPKI modules.
$Id$
-Copyright (C) 2009 Internet Systems Consortium ("ISC")
+Copyright (C) 2009--2010 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -231,7 +231,7 @@ class NoActiveCA(RPKI_Exception):
class BadClientURL(RPKI_Exception):
"""
- URL given to HTTPS client does not match profile.
+ URL given to HTTP client does not match profile.
"""
class ClientNotFound(RPKI_Exception):
@@ -249,9 +249,9 @@ class ForbiddenURI(RPKI_Exception):
Forbidden URI, does not start with correct base URI.
"""
-class HTTPSClientAborted(RPKI_Exception):
+class HTTPClientAborted(RPKI_Exception):
"""
- HTTPS client connection closed while in request-sent state.
+ HTTP client connection closed while in request-sent state.
"""
class BadPublicationReply(RPKI_Exception):
@@ -279,14 +279,14 @@ class BSCNotReady(RPKI_Exception):
BSC not yet in a usable state, signing_cert not set.
"""
-class HTTPSUnexpectedState(RPKI_Exception):
+class HTTPUnexpectedState(RPKI_Exception):
"""
- HTTPS event occurred in an unexpected state.
+ HTTP event occurred in an unexpected state.
"""
-class HTTPSBadVersion(RPKI_Exception):
+class HTTPBadVersion(RPKI_Exception):
"""
- HTTPS couldn't parse HTTP version.
+ HTTP couldn't parse HTTP version.
"""
class HandleTranslationError(RPKI_Exception):
diff --git a/rpkid/rpki/https.py b/rpkid/rpki/http.py
index 8592b578..aa5f21f5 100644
--- a/rpkid/rpki/https.py
+++ b/rpkid/rpki/http.py
@@ -1,5 +1,5 @@
"""
-HTTPS utilities, both client and server.
+HTTP utilities, both client and server.
$Id$
@@ -44,10 +44,6 @@ rpki_content_type = "application/x-rpki"
# Verbose chatter about HTTP streams.
debug_http = False
-## @var debug_tls_certs
-# Verbose chatter about TLS certificates.
-debug_tls_certs = False
-
## @var want_persistent_client
# Whether we want persistent HTTP client streams, when server also supports them.
want_persistent_client = False
@@ -199,7 +195,7 @@ class http_message(object):
Parse HTTP version, raise an exception if we can't.
"""
if version[:5] != "HTTP/":
- raise rpki.exceptions.HTTPSBadVersion, "Couldn't parse version %s" % version
+ raise rpki.exceptions.HTTPBadVersion, "Couldn't parse version %s" % version
self.version = tuple(int(i) for i in version[5:].split("."))
def persistent(self):
@@ -285,9 +281,6 @@ class http_stream(asynchat.async_chat):
"""
log = log_method
- tls = None
- retry_read = None
- retry_write = None
def __init__(self, sock = None):
asynchat.async_chat.__init__(self, sock)
@@ -433,16 +426,16 @@ class http_stream(asynchat.async_chat):
raise
self.log("Error in HTTP stream handler", rpki.log.warn)
rpki.log.traceback()
- if etype not in (rpki.exceptions.HTTPSClientAborted,):
+ if etype not in (rpki.exceptions.HTTPClientAborted,):
self.log("Closing due to error", rpki.log.warn)
- self.close(force = True)
+ self.close()
def handle_timeout(self):
"""
Inactivity timer expired, close connection with prejudice.
"""
self.log("Timeout, closing")
- self.close(force = True)
+ self.close()
def handle_close(self):
"""
@@ -452,157 +445,6 @@ class http_stream(asynchat.async_chat):
self.log("Close event in HTTP stream handler")
asynchat.async_chat.handle_close(self)
- def send(self, data):
- """
- TLS replacement for normal asyncore .send() method. Throw an
- exception if TLS hasn't been started or if TLS I/O was already in
- progress, otherwise hand off to the TLS code.
- """
- assert self.retry_read is None and self.retry_write is None, "%r: TLS I/O already in progress, r %r w %r" % (self, self.retry_read, self.retry_write)
- assert self.tls is not None
- return self.tls.write(data)
-
- def recv(self, buffer_size):
- """
- TLS replacement for normal asyncore .recv() method. Throw an
- exception if TLS hasn't been started or if TLS I/O was already in
- progress, otherwise hand off to the TLS code.
- """
- assert self.retry_read is None and self.retry_write is None, "%r: TLS I/O already in progress, r %r w %r" % (self, self.retry_read, self.retry_write)
- assert self.tls is not None
- return self.tls.read(buffer_size)
-
- def readable(self):
- """
- TLS replacement for normal asynchat .readable() method. A TLS
- connection that's blocked waiting for TLS write is considered not
- readable even if the underlying socket is.
- """
- return self.retry_read is not None or (self.retry_write is None and asynchat.async_chat.readable(self))
-
- def writeable(self):
- """
- TLS replacement for normal asynchat .writeable() method. A TLS
- connection that's blocked waiting for TLS read is considered not
- writeable even if the underlying socket is.
- """
- return self.retry_write is not None or (self.retry_read is None and asynchat.async_chat.writeable(self))
-
- def handle_read(self):
- """
- Asyncore says socket is readable. Make sure there's no TLS write
- already in progress, retry previous read operation if we had one
- that was waiting for more input, otherwise try to read some data,
- and handle all the weird OpenSSL exceptions that the TLS code
- throws.
- """
- assert self.retry_write is None, "%r: TLS I/O already in progress, w %r" % (self, self.retry_write)
- if self.retry_read is not None:
- thunk = self.retry_read
- self.retry_read = None
- self.log("Retrying TLS read %r" % thunk)
- thunk()
- else:
- try:
- asynchat.async_chat.handle_read(self)
- except POW.WantReadError:
- self.retry_read = self.handle_read
- except POW.WantWriteError:
- self.retry_write = self.handle_read
- except POW.ZeroReturnError:
- self.log("ZeroReturn in handle_read()")
- self.handle_close()
- except POW.SSLUnexpectedEOFError:
- self.log("SSLUnexpectedEOF in handle_read()", rpki.log.warn)
- self.handle_error()
-
- def handle_write(self):
- """
- Asyncore says socket is writeable. Make sure there's no TLS read
- already in progress, retry previous write operation if we had one
- that was blocked on the socket, otherwise try to write some data.
- Handling all the weird OpenSSL exceptions that TLS throws is our
- caller's problem.
- """
- # This used to be an assertion, but apparently this can happen
- # without anything really being wrong, as a sort of race
- # condition, due to select() having signaled that a socket was
- # both readable and writable. I think.
- #
- if self.retry_read is not None:
- self.log("TLS I/O already in progress, r %r" % self.retry_read)
- return
- if self.retry_write is not None:
- thunk = self.retry_write
- self.retry_write = None
- thunk()
- self.log("Retrying TLS write %r" % thunk)
- else:
- asynchat.async_chat.handle_write(self)
-
- def initiate_send(self):
- """
- Initiate a write operation. This is just a wrapper around the
- asynchat method, to handle all the whacky TLS exceptions.
- """
- assert self.retry_read is None and self.retry_write is None, "%r: TLS I/O already in progress, r %r w %r" % (self, self.retry_read, self.retry_write)
- try:
- asynchat.async_chat.initiate_send(self)
- except POW.WantReadError:
- self.retry_read = self.initiate_send
- except POW.WantWriteError:
- self.retry_write = self.initiate_send
- except POW.ZeroReturnError:
- self.log("ZeroReturn in initiate_send()")
- self.handle_close()
- except POW.SSLUnexpectedEOFError:
- self.log("SSLUnexpectedEOF in initiate_send()", rpki.log.warn)
- self.handle_error()
-
- def close(self, force = False):
- """
- Close the stream.
-
- Graceful shutdown of a TLS connection requires multiple calls to
- the underlying TLS code. If the connection should be closed right
- now without waiting (perhaps because it's already dead and we're
- just cleaning up), call with force = True.
- """
- self.log("Close requested")
- assert force or (self.retry_read is None and self.retry_write is None), "%r: TLS I/O already in progress, r %r w %r" % (self, self.retry_read, self.retry_write)
- if self.tls is not None:
- try:
- if self.retry_read is None and self.retry_write is None:
- ret = self.tls.shutdown()
- else:
- ret = None
- self.log("tls.shutdown() returned %s, force_shutdown %s" % (ret, force))
- if ret or force:
- self.tls = None
- except POW.WantReadError:
- self.retry_read = self.close
- except POW.WantWriteError:
- self.retry_write = self.close
- except POW.SSLError, e:
- self.log("tls.shutdown() threw %s, shutting down anyway" % e)
- self.tls = None
- if self.tls is None:
- self.log("TLS layer is done, closing socket")
- self.timer.cancel()
- self.timer.set_handler(None)
- try:
- asynchat.async_chat.close(self)
- except AttributeError:
- if getattr(self, "socket", None) is not None:
- raise
-
- def log_cert(self, tag, x):
- """
- Log HTTPS certificates, if certificate debugging is enabled.
- """
- if debug_tls_certs:
- rpki.log.debug("%r: HTTPS %s cert %r issuer %s [%s] subject %s [%s]" % (self, tag, x, x.getIssuer(), x.hAKI(), x.getSubject(), x.hSKI()))
-
class http_server(http_stream):
"""
HTTP(S) server stream.
@@ -616,58 +458,12 @@ class http_server(http_stream):
# Use the default server timeout value set in the module header.
timeout = default_server_timeout
- def __init__(self, sock, handlers, cert = None, key = None, ta = (), dynamic_ta = None):
+ def __init__(self, sock, handlers):
self.log("Starting")
self.handlers = handlers
http_stream.__init__(self, sock = sock)
self.expect_close = not want_persistent_server
- self.log("cert %r key %r ta %r dynamic_ta %r" % (cert, key, ta, dynamic_ta))
-
- self.tls = POW.Ssl(POW.TLSV1_SERVER_METHOD)
- self.log_cert("server", cert)
- self.tls.useCertificate(cert.get_POW())
- self.tls.useKey(key.get_POW())
- ta = rpki.x509.X509.normalize_chain(dynamic_ta() if dynamic_ta else ta)
- assert ta
- for x in ta:
- self.log_cert("trusted", x)
- self.tls.addTrust(x.get_POW())
- self.tls.setVerifyMode(POW.SSL_VERIFY_PEER | POW.SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
-
- self.tls.setFd(self.fileno())
- self.tls_accept()
-
- def tls_accept(self):
- """
- Set up TLS for server side connection, handling all the whacky
- OpenSSL exceptions from TLS.
-
- SSLErrorSSLError exceptions are particularly nasty, because all
- too often they indicate a certificate lookup failure deep within
- the guts of OpenSSL's TLS connection setup logic. Extracting
- anything resembling a Python data structure from a handler called
- that deep inside the OpenSSL TLS library, while theoretically
- possible, runs a high risk of triggering some kind of memory leak
- or corruption. So, for now, we just get back a long text string,
- which we break up and log but don't attempt to process further.
- """
- try:
- self.tls.accept()
- except POW.WantReadError:
- self.retry_read = self.tls_accept
- except POW.WantWriteError:
- self.retry_write = self.tls_accept
- except POW.SSLUnexpectedEOFError:
- self.close(force = True) # nagios/sysmond probe, just close
- except POW.SSLErrorSSLError, e:
- if "\n" in e:
- for line in str(e).splitlines():
- rpki.log.warn(line)
- raise POW.SSLErrorSSLError, "TLS certificate problem, most likely"
- else:
- raise
-
def handle_no_content_length(self):
"""
Handle an incoming message that used neither chunking nor a
@@ -687,7 +483,7 @@ class http_server(http_stream):
def handle_message(self):
"""
- TLS and HTTP layers managed to deliver a complete HTTP request to
+ HTTP layer managed to deliver a complete HTTP request to
us, figure out what to do with it. Check the command and
Content-Type, look for a handler, and if everything looks right,
pass the message body, path, and a reply callback to the handler.
@@ -755,14 +551,10 @@ class http_listener(asyncore.dispatcher):
log = log_method
- def __init__(self, handlers, addrinfo, cert = None, key = None, ta = None, dynamic_ta = None):
- self.log("Listener cert %r key %r ta %r dynamic_ta %r" % (cert, key, ta, dynamic_ta))
+ def __init__(self, handlers, addrinfo):
+ self.log("Listener")
asyncore.dispatcher.__init__(self)
self.handlers = handlers
- self.cert = cert
- self.key = key
- self.ta = ta
- self.dynamic_ta = dynamic_ta
try:
af, socktype, proto, canonname, sockaddr = addrinfo
self.create_socket(af, socktype)
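Review bot: `self.log("Listener")` on the new line carries no information, where the line it replaces at least recorded the listener's parameters; now that the TLS arguments are gone, the address being bound is the useful thing to log, e.g. `self.log("Listener for %r" % (addrinfo,))`. The method also lacks a docstring; a one-liner such as `"""Bind a listening socket for addrinfo and hand accepted connections to http_server."""` would do, hedged in that the bind/listen calls follow outside the hunk.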
@@ -784,13 +576,13 @@ class http_listener(asyncore.dispatcher):
def handle_accept(self):
"""
Asyncore says we have an incoming connection, spawn an http_server
- stream for it and pass along all of our handler and TLS data.
+ stream for it and pass along all of our handler data.
"""
self.log("Accepting connection")
try:
s, client = self.accept()
self.log("Accepting connection from %r" % (client,))
- http_server(sock = s, handlers = self.handlers, cert = self.cert, key = self.key, ta = self.ta, dynamic_ta = self.dynamic_ta)
+ http_server(sock = s, handlers = self.handlers)
except (rpki.async.ExitNow, SystemExit):
raise
except:
@@ -818,18 +610,14 @@ class http_client(http_stream):
# Use the default client timeout value set in the module header.
timeout = default_client_timeout
- def __init__(self, queue, hostport, cert = None, key = None, ta = ()):
+ def __init__(self, queue, hostport):
self.log("Creating new connection to %r" % (hostport,))
- self.log("cert %r key %r ta %r" % (cert, key, ta))
http_stream.__init__(self)
self.queue = queue
self.host = hostport[0]
self.port = hostport[1]
self.state = "opening"
self.expect_close = not want_persistent_client
- self.cert = cert
- self.key = key
- self.ta = rpki.x509.X509.normalize_chain(ta)
def start(self):
"""
@@ -865,35 +653,11 @@ class http_client(http_stream):
def handle_connect(self):
"""
- Asyncore says socket has connected, configure TLS junk.
+ Asyncore says socket has connected.
"""
self.log("Socket connected")
- self.tls = POW.Ssl(POW.TLSV1_CLIENT_METHOD)
- self.log_cert("client", self.cert)
- self.tls.useCertificate(self.cert.get_POW())
- self.tls.useKey(self.key.get_POW())
- assert self.ta
- for x in self.ta:
- self.log_cert("trusted", x)
- self.tls.addTrust(x.get_POW())
- self.tls.setVerifyMode(POW.SSL_VERIFY_PEER | POW.SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
- self.tls.setFd(self.fileno())
- self.tls_connect()
-
- def tls_connect(self):
- """
- Initialize client side of TLS.
- """
- try:
- self.tls.connect()
- except POW.WantReadError:
- self.retry_read = self.tls_connect
- except POW.WantWriteError:
- self.retry_write = self.tls_connect
- else:
- self.log("TLS connected")
- self.set_state("idle")
- self.queue.send_request()
+ self.set_state("idle")
+ self.queue.send_request()
def set_state(self, state):
"""
@@ -942,7 +706,7 @@ class http_client(http_stream):
assert not self.msg.body
self.log("Ignoring empty response received while closing")
return
- raise rpki.exceptions.HTTPSUnexpectedState, "%r received message while in unexpected state %s" % (self, self.state)
+ raise rpki.exceptions.HTTPUnexpectedState, "%r received message while in unexpected state %s" % (self, self.state)
if self.expect_close:
self.log("Closing")
@@ -955,7 +719,7 @@ class http_client(http_stream):
self.update_timeout()
if self.msg.code != 200:
- raise rpki.exceptions.HTTPRequestFailed, "HTTPS request failed with status %s, reason %s, response %s" % (self.msg.code, self.msg.reason, self.msg.body)
+ raise rpki.exceptions.HTTPRequestFailed, "HTTP request failed with status %s, reason %s, response %s" % (self.msg.code, self.msg.reason, self.msg.body)
self.queue.return_result(self.msg)
def handle_close(self):
@@ -971,18 +735,19 @@ class http_client(http_stream):
if self.get_terminator() is None:
self.handle_body()
elif self.state == "request-sent":
- raise rpki.exceptions.HTTPSClientAborted, "HTTPS request aborted by close event"
+ raise rpki.exceptions.HTTPClientAborted, "HTTP request aborted by close event"
def handle_timeout(self):
"""
Connection idle timer has expired. Shut down connection in any
case, noisily if we weren't idle.
"""
- if self.state != "idle":
+ bad = self.state not in ("idle", "closing")
+ if bad:
self.log("Timeout while in state %s" % self.state, rpki.log.warn)
http_stream.handle_timeout(self)
self.queue.detach(self)
- if self.state != "idle":
+ if bad:
try:
raise rpki.exceptions.HTTPTimeout
except rpki.exceptions.HTTPTimeout, e:
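Review bot: The docstring still says "noisily if we weren't idle", but the new `bad` flag also treats the "closing" state as quiet, so the comment and code now disagree; change it to `noisily unless we were idle or already closing`. `bad` is also an uninformative name for what is really "timed out with a request in flight"; `unexpected = self.state not in ("idle", "closing")` reads better at both use sites. Evaluating the condition once, before http_stream.handle_timeout() can alter the state, is the right fix over the earlier repeated test, so the logic itself looks sound.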
@@ -1008,15 +773,11 @@ class http_queue(object):
log = log_method
- def __init__(self, hostport, cert = None, key = None, ta = ()):
+ def __init__(self, hostport):
self.log("Creating queue for %r" % (hostport,))
- self.log("cert %r key %r ta %r" % (cert, key, ta))
self.hostport = hostport
self.client = None
self.queue = []
- self.cert = cert
- self.key = key
- self.ta = ta
def request(self, *requests):
"""
@@ -1036,7 +797,7 @@ class http_queue(object):
"""
try:
if self.client is None:
- self.client = http_client(self, self.hostport, cert = self.cert, key = self.key, ta = self.ta)
+ self.client = http_client(self, self.hostport)
self.log("Attached client %r" % self.client)
self.client.start()
elif self.client.state == "idle":
@@ -1077,12 +838,11 @@ class http_queue(object):
try:
req = self.queue.pop(0)
+ self.log("Dequeuing request %r" % req)
except IndexError:
- self.log("No caller, this should not happen. Dropping result %r" % result)
+ self.log("No caller. THIS SHOULD NOT HAPPEN. Dropping result %r" % result, rpki.log.warn)
return
- self.log("Dequeuing request %r" % req)
-
try:
if isinstance(result, http_response):
self.log("Returning result %r to caller" % result)
@@ -1093,10 +853,9 @@ class http_queue(object):
req.errback(result)
except (rpki.async.ExitNow, SystemExit):
raise
- except Exception, e:
- self.log("Unhandled exception %r from callback: %s" % (e, e), rpki.log.warn)
- #rpki.log.traceback()
- req.errback(e)
+ except:
+ self.log("Unhandled exception from callback")
+ rpki.log.traceback()
self.log("Queue: %r" % self.queue)
@@ -1107,15 +866,15 @@ class http_queue(object):
# Map of (host, port) tuples to http_queue objects.
client_queues = {}
-def client(msg, client_key, client_cert, server_ta, url, callback, errback):
+def client(msg, url, callback, errback):
"""
- Open client HTTPS connection, send a message, set up callbacks to
+ Open client HTTP connection, send a message, set up callbacks to
handle response.
"""
u = urlparse.urlparse(url)
- if (u.scheme not in ("", "https") or
+ if (u.scheme not in ("", "http") or
u.username is not None or
u.password is not None or
u.params != "" or
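Review bot: client() now accepts only plain `http` URLs, but neither its docstring nor server()'s (the hunk at the `@@ -1152,17 +909,14 @@` header) says what that gives up: with the TLS layer gone the transport provides no confidentiality and no peer authentication, so the CMS signature on the message body is presumably the only evidence that a request or response came from the expected BPKI identity, and anything on the path can read the CMS-wrapped XML and the HTTP headers. Suggested addition to both docstrings: `Transport is plain HTTP: messages are authenticated and integrity-protected only by their CMS wrapping and are not confidential on the wire.` The URL-shape checks that follow (no username/password, no params) are unchanged and still worth keeping.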
@@ -1139,10 +898,8 @@ def client(msg, client_key, client_cert, server_ta, url, callback, errback):
if debug_http:
rpki.log.debug("Created request %r for %r" % (request, hostport))
- if not isinstance(server_ta, (tuple, list)):
- server_ta = (server_ta,)
if hostport not in client_queues:
- client_queues[hostport] = http_queue(hostport, cert = client_cert, key = client_key, ta = server_ta)
+ client_queues[hostport] = http_queue(hostport)
client_queues[hostport].request(request)
# Defer connection attempt until after we've had time to process any
@@ -1152,17 +909,14 @@ def client(msg, client_key, client_cert, server_ta, url, callback, errback):
rpki.log.debug("Scheduling connection startup for %r" % request)
rpki.async.defer(client_queues[hostport].restart)
-def server(handlers, server_key, server_cert, port, host = "", client_ta = (), dynamic_https_trust_anchor = None):
+def server(handlers, port, host = ""):
"""
- Run an HTTPS server and wait (forever) for connections.
+ Run an HTTP server and wait (forever) for connections.
"""
if not isinstance(handlers, (tuple, list)):
handlers = (("/", handlers),)
- if not isinstance(client_ta, (tuple, list)):
- client_ta = (client_ta,)
-
# Yes, this is sick. So is getaddrinfo() returning duplicate
# records, which RedHat has the gall to claim is a feature.
ai = []
@@ -1181,24 +935,13 @@ def server(handlers, server_key, server_cert, port, host = "", client_ta = (), d
pass
for a in ai:
- http_listener(addrinfo = a, handlers = handlers, cert = server_cert, key = server_key, ta = client_ta, dynamic_ta = dynamic_https_trust_anchor)
+ http_listener(addrinfo = a, handlers = handlers)
rpki.async.event_loop()
-def build_https_ta_cache(certs):
- """
- Package up a collection of certificates into a form suitable for use
- as a dynamic HTTPS trust anchor set. Precise format of this
- collection is an internal conspiracy within the rpki.https module;
- at one point it was a POW.X509Store object, at the moment it's a
- Python set, what it will be tomorow is nobody else's business.
- """
-
- return set(certs)
-
class caller(object):
"""
- Handle client-side mechanics for protocols based on HTTPS, CMS, and
+ Handle client-side mechanics for protocols based on HTTP, CMS, and
rpki.xml_utils. Calling sequence is intended to nest within
rpki.async.sync_wrapper.
"""
@@ -1235,11 +978,4 @@ class caller(object):
print "<!-- Query -->"
print q_cms.pretty_print_content()
- client(
- client_key = self.client_key,
- client_cert = self.client_cert,
- server_ta = self.server_ta,
- url = self.url,
- msg = q_der,
- callback = done,
- errback = eb)
+ client(url = self.url, msg = q_der, callback = done, errback = eb)
diff --git a/rpkid/rpki/left_right.py b/rpkid/rpki/left_right.py
index 8d2bf0ad..81ff9ce6 100644
--- a/rpkid/rpki/left_right.py
+++ b/rpkid/rpki/left_right.py
@@ -3,7 +3,7 @@ RPKI "left-right" protocol.
$Id$
-Copyright (C) 2009-2010 Internet Systems Consortium ("ISC")
+Copyright (C) 2009--2010 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -33,7 +33,7 @@ PERFORMANCE OF THIS SOFTWARE.
"""
import rpki.resource_set, rpki.x509, rpki.sql, rpki.exceptions, rpki.xml_utils
-import rpki.https, rpki.up_down, rpki.relaxng, rpki.sundial, rpki.log, rpki.roa
+import rpki.http, rpki.up_down, rpki.relaxng, rpki.sundial, rpki.log, rpki.roa
import rpki.publication, rpki.async
# Enforce strict checking of XML "sender" field in up-down protocol
@@ -621,7 +621,10 @@ class repository_elt(data_elt):
sql_template = rpki.sql.template("repository", "repository_id", "repository_handle",
"self_id", "bsc_id", "peer_contact_uri",
- ("bpki_cert", rpki.x509.X509), ("bpki_glue", rpki.x509.X509))
+ ("bpki_cert", rpki.x509.X509),
+ ("bpki_glue", rpki.x509.X509),
+ ("last_cms_timestamp", rpki.sundial.datetime))
+
handles = (("self", self_elt), ("bsc", bsc_elt))
bpki_cert = None
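Review bot: `last_cms_timestamp` is added to the sql_template column list, but unlike bpki_cert and bpki_glue just below it gets no class-level default `last_cms_timestamp = None`; if sql_persistent reads each template column by attribute on insert or update, a freshly created repository object that has not yet received a CMS message would fail with AttributeError. The same pattern appears for parent_elt and child_elt in the later hunks of this file and for client_elt in publication.py. The column's purpose is also undocumented here; a short comment (presumably the signing time of the last CMS message accepted from this peer, so that older messages can be rejected — confirm against the verification code, which is outside this diff) would help. The matching SQL schema change is outside the diff as well and is worth checking.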
@@ -685,10 +688,7 @@ class repository_elt(data_elt):
except Exception, e:
errback(e)
- rpki.https.client(
- client_key = bsc.private_key_id,
- client_cert = bsc.signing_cert,
- server_ta = bpki_ta_path,
+ rpki.http.client(
url = self.peer_contact_uri,
msg = q_der,
callback = done,
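Review bot: With server_ta removed from the rpki.http.client() call, `bpki_ta_path` (the value formerly passed as server_ta) appears to have no remaining use in this method; if it is still computed above the hunk it is now dead code and should go, together with any file handling that produced it. The enclosing method starts before the hunk, so this could not be confirmed from the visible lines.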
@@ -707,20 +707,21 @@ class parent_elt(data_elt):
element_name = "parent"
attributes = ("action", "tag", "self_handle", "parent_handle", "bsc_handle", "repository_handle",
"peer_contact_uri", "sia_base", "sender_name", "recipient_name")
- elements = ("bpki_cms_cert", "bpki_cms_glue", "bpki_https_cert", "bpki_https_glue")
+ elements = ("bpki_cms_cert", "bpki_cms_glue")
booleans = ("rekey", "reissue", "revoke", "revoke_forgotten")
sql_template = rpki.sql.template("parent", "parent_id", "parent_handle",
"self_id", "bsc_id", "repository_id",
- ("bpki_cms_cert", rpki.x509.X509), ("bpki_cms_glue", rpki.x509.X509),
- ("bpki_https_cert", rpki.x509.X509), ("bpki_https_glue", rpki.x509.X509),
- "peer_contact_uri", "sia_base", "sender_name", "recipient_name")
+ "peer_contact_uri", "sia_base",
+ "sender_name", "recipient_name",
+ ("bpki_cms_cert", rpki.x509.X509),
+ ("bpki_cms_glue", rpki.x509.X509),
+ ("last_cms_timestamp", rpki.sundial.datetime))
+
handles = (("self", self_elt), ("bsc", bsc_elt), ("repository", repository_elt))
bpki_cms_cert = None
bpki_cms_glue = None
- bpki_https_cert = None
- bpki_https_glue = None
def repository(self):
"""Fetch repository object to which this parent object links."""
@@ -840,15 +841,11 @@ class parent_elt(data_elt):
else:
cb(r_msg)
- rpki.https.client(server_ta = (self.gctx.bpki_ta,
- self.self().bpki_cert, self.self().bpki_glue,
- self.bpki_https_cert, self.bpki_https_glue),
- client_key = bsc.private_key_id,
- client_cert = bsc.signing_cert,
- msg = q_der,
- url = self.peer_contact_uri,
- callback = unwrap,
- errback = eb)
+ rpki.http.client(
+ msg = q_der,
+ url = self.peer_contact_uri,
+ callback = unwrap,
+ errback = eb)
class child_elt(data_elt):
"""
@@ -863,13 +860,13 @@ class child_elt(data_elt):
sql_template = rpki.sql.template("child", "child_id", "child_handle",
"self_id", "bsc_id",
("bpki_cert", rpki.x509.X509),
- ("bpki_glue", rpki.x509.X509))
+ ("bpki_glue", rpki.x509.X509),
+ ("last_cms_timestamp", rpki.sundial.datetime))
handles = (("self", self_elt), ("bsc", bsc_elt))
bpki_cert = None
bpki_glue = None
- clear_https_ta_cache = False
def child_certs(self, ca_detail = None, ski = None, unique = False):
"""Fetch all child_cert objects that link to this child object."""
@@ -893,16 +890,6 @@ class child_elt(data_elt):
raise rpki.exceptions.ClassNameMismatch, "Class name mismatch: child.self_id = %d, parent.self_id = %d" % (self.self_id, parent.self_id)
return ca
- def serve_post_save_hook(self, q_pdu, r_pdu, cb, eb):
- """
- Extra server actions for child_elt.
- """
- self.unimplemented_control("reissue")
- if self.clear_https_ta_cache:
- self.gctx.clear_https_ta_cache()
- self.clear_https_ta_cache = False
- cb()
-
def serve_destroy_hook(self, cb, eb):
"""
Extra server actions when destroying a child_elt.
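Review bot: Deleting child_elt.serve_post_save_hook also drops `self.unimplemented_control("reissue")`, which has nothing to do with the HTTPS trust-anchor cache; unless the base-class hook performs the same check, a child PDU carrying the reissue control is now accepted silently where it used to be rejected. If the control is still unimplemented, keep a reduced hook: `def serve_post_save_hook(self, q_pdu, r_pdu, cb, eb):` followed by `self.unimplemented_control("reissue")` and `cb()`. The same removal in publication.py's client_elt drops only the cache logic, so no equivalent concern there.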
@@ -913,16 +900,6 @@ class child_elt(data_elt):
generate_crl_and_manifest = True)
publisher.call_pubd(cb, eb)
- def endElement(self, stack, name, text):
- """
- Handle subelements of <child/> element. These require special
- handling because modifying them invalidates the HTTPS trust anchor
- cache.
- """
- rpki.xml_utils.data_elt.endElement(self, stack, name, text)
- if name in self.elements:
- self.clear_https_ta_cache = True
-
def serve_up_down(self, query, callback):
"""
Outer layer of server handling for one up-down PDU from this child.
diff --git a/rpkid/rpki/log.py b/rpkid/rpki/log.py
index 8fbf6789..9d346385 100644
--- a/rpkid/rpki/log.py
+++ b/rpkid/rpki/log.py
@@ -3,7 +3,7 @@ Logging facilities for RPKI libraries.
$Id$
-Copyright (C) 2009-2010 Internet Systems Consortium ("ISC")
+Copyright (C) 2009--2010 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
diff --git a/rpkid/rpki/myrpki.py b/rpkid/rpki/myrpki.py
index c1812b5c..b2a54b04 100644
--- a/rpkid/rpki/myrpki.py
+++ b/rpkid/rpki/myrpki.py
@@ -38,7 +38,7 @@ work if the correct Python modules are not available.
$Id$
-Copyright (C) 2009-2010 Internet Systems Consortium ("ISC")
+Copyright (C) 2009--2010 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -296,7 +296,6 @@ class parent(object):
self.handle = handle
self.service_uri = None
self.bpki_cms_certificate = None
- self.bpki_https_certificate = None
self.myhandle = None
self.sia_base = None
@@ -310,13 +309,10 @@ class parent(object):
s += " sia %s" % self.sia_base
if self.bpki_cms_certificate:
s += " cms %s" % self.bpki_cms_certificate
- if self.bpki_https_certificate:
- s += " https %s" % self.bpki_https_certificate
return s + ">"
def add(self, service_uri = None,
bpki_cms_certificate = None,
- bpki_https_certificate = None,
myhandle = None,
sia_base = None):
"""
@@ -326,8 +322,6 @@ class parent(object):
self.service_uri = service_uri
if bpki_cms_certificate is not None:
self.bpki_cms_certificate = bpki_cms_certificate
- if bpki_https_certificate is not None:
- self.bpki_https_certificate = bpki_https_certificate
if myhandle is not None:
self.myhandle = myhandle
if sia_base is not None:
@@ -337,7 +331,7 @@ class parent(object):
"""
Render this parent object to XML.
"""
- complete = self.bpki_cms_certificate and self.bpki_https_certificate and self.myhandle and self.service_uri and self.sia_base
+ complete = self.bpki_cms_certificate and self.myhandle and self.service_uri and self.sia_base
if whine and not complete:
print "Incomplete parent entry %s" % self
if complete or allow_incomplete:
@@ -349,8 +343,6 @@ class parent(object):
e.tail = "\n"
if self.bpki_cms_certificate:
PEMElement(e, "bpki_cms_certificate", self.bpki_cms_certificate)
- if self.bpki_https_certificate:
- PEMElement(e, "bpki_https_certificate", self.bpki_https_certificate)
class parents(dict):
"""
@@ -360,7 +352,6 @@ class parents(dict):
def add(self, handle,
service_uri = None,
bpki_cms_certificate = None,
- bpki_https_certificate = None,
myhandle = None,
sia_base = None):
"""
@@ -370,7 +361,6 @@ class parents(dict):
self[handle] = parent(handle)
self[handle].add(service_uri = service_uri,
bpki_cms_certificate = bpki_cms_certificate,
- bpki_https_certificate = bpki_https_certificate,
myhandle = myhandle,
sia_base = sia_base)
@@ -393,7 +383,6 @@ class parents(dict):
self.add(handle = h,
service_uri = p.get("service_uri"),
bpki_cms_certificate = fxcert(p.findtext("bpki_resource_ta")),
- bpki_https_certificate = fxcert(p.findtext("bpki_server_ta")),
myhandle = p.get("child_handle"),
sia_base = r.get("sia_base"))
return self
@@ -953,8 +942,6 @@ class main(rpki.cli.Cmd):
self.bpki_resources = CA(self.cfg_file, self.cfg.get("bpki_resources_directory"))
if self.run_rpkid or self.run_pubd or self.run_rootd:
self.bpki_servers = CA(self.cfg_file, self.cfg.get("bpki_servers_directory"))
- else:
- self.bpki_servers = None
self.pubd_contact_info = self.cfg.get("pubd_contact_info", "")
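Review bot: Dropping the `else: self.bpki_servers = None` branch means self.bpki_servers is never assigned on a configuration that runs none of rpkid, pubd or rootd; unless the class declares a default, any later `if self.bpki_servers` test or attribute access on that path raises AttributeError where it previously saw None. Initialising the attribute once before the `if` (`self.bpki_servers = None`) keeps the hosted-only path well defined at no cost. The enclosing method continues outside the hunk.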
@@ -1017,7 +1004,7 @@ class main(rpki.cli.Cmd):
if self.run_rootd:
e = Element("parent", parent_handle = self.handle, child_handle = self.handle,
- service_uri = "https://localhost:%s/" % self.cfg.get("rootd_server_port"),
+ service_uri = "http://localhost:%s/" % self.cfg.get("rootd_server_port"),
valid_until = str(rpki.sundial.now() + rpki.sundial.timedelta(days = 365)))
PEMElement(e, "bpki_resource_ta", self.bpki_servers.cer)
PEMElement(e, "bpki_server_ta", self.bpki_servers.cer)
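Review bot: The rootd service_uri becomes `http://localhost:...`, and the service_uri_base, pubd_base and rpkid_base strings in the later hunks of this file change the same way, so every daemon endpoint this tool writes out is now plaintext; a comment at this first occurrence, `# Service URIs are plain HTTP: peers are authenticated by the BPKI/CMS layer, not by the transport`, would record that as intentional rather than an oversight. Since the CMS used here appears to be signed-data only, it is also worth stating in the myrpki documentation that these messages carry nothing confidential, so operators do not assume transport privacy that no longer exists. The enclosing method continues outside the hunk.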
@@ -1044,6 +1031,7 @@ class main(rpki.cli.Cmd):
etree_write(e, repo_file_name,
msg = 'This is the "repository offer" file for you to use if you want to publish in your own repository')
+
def do_update_bpki(self, arg):
"""
Update BPKI certificates. Assumes an existing RPKI installation.
@@ -1119,9 +1107,9 @@ class main(rpki.cli.Cmd):
server_ta = None
if not service_uri_base and self.run_rpkid:
- service_uri_base = "https://%s:%s/up-down/%s" % (self.cfg.get("rpkid_server_host"),
- self.cfg.get("rpkid_server_port"),
- self.handle)
+ service_uri_base = "http://%s:%s/up-down/%s" % (self.cfg.get("rpkid_server_host"),
+ self.cfg.get("rpkid_server_port"),
+ self.handle)
if not service_uri_base or not server_ta:
print "Sorry, you can't set up children of a hosted config that itself has not yet been set up"
return
@@ -1321,9 +1309,9 @@ class main(rpki.cli.Cmd):
client_handle = client_handle,
parent_handle = parent_handle,
sia_base = sia_base,
- service_uri = "https://%s:%s/client/%s" % (self.cfg.get("pubd_server_host"),
- self.cfg.get("pubd_server_port"),
- client_handle))
+ service_uri = "http://%s:%s/client/%s" % (self.cfg.get("pubd_server_host"),
+ self.cfg.get("pubd_server_port"),
+ client_handle))
PEMElement(e, "bpki_server_ta", self.bpki_servers.cer)
SubElement(e, "bpki_client_ta").text = client.findtext("bpki_client_ta")
@@ -1493,7 +1481,7 @@ class main(rpki.cli.Cmd):
argv = arg.split()
try:
- import rpki.https, rpki.resource_set, rpki.relaxng, rpki.exceptions
+ import rpki.http, rpki.resource_set, rpki.relaxng, rpki.exceptions
import rpki.left_right, rpki.x509, rpki.async
if hasattr(warnings, "catch_warnings"):
with warnings.catch_warnings():
@@ -1522,12 +1510,12 @@ class main(rpki.cli.Cmd):
self_crl_interval = self.cfg.getint("self_crl_interval", 2 * 60 * 60)
self_regen_margin = self.cfg.getint("self_regen_margin", self_crl_interval / 4)
- pubd_base = "https://%s:%s/" % (self.cfg.get("pubd_server_host"), self.cfg.get("pubd_server_port"))
- rpkid_base = "https://%s:%s/" % (self.cfg.get("rpkid_server_host"), self.cfg.get("rpkid_server_port"))
+ pubd_base = "http://%s:%s/" % (self.cfg.get("pubd_server_host"), self.cfg.get("pubd_server_port"))
+ rpkid_base = "http://%s:%s/" % (self.cfg.get("rpkid_server_host"), self.cfg.get("rpkid_server_port"))
# Wrappers to simplify calling rpkid and pubd.
- call_rpkid = rpki.async.sync_wrapper(rpki.https.caller(
+ call_rpkid = rpki.async.sync_wrapper(rpki.http.caller(
proto = rpki.left_right,
client_key = rpki.x509.RSA( PEM_file = self.bpki_servers.dir + "/irbe.key"),
client_cert = rpki.x509.X509(PEM_file = self.bpki_servers.dir + "/irbe.cer"),
@@ -1538,7 +1526,7 @@ class main(rpki.cli.Cmd):
if self.run_pubd:
- call_pubd = rpki.async.sync_wrapper(rpki.https.caller(
+ call_pubd = rpki.async.sync_wrapper(rpki.http.caller(
proto = rpki.publication,
client_key = rpki.x509.RSA( PEM_file = self.bpki_servers.dir + "/irbe.key"),
client_cert = rpki.x509.X509(PEM_file = self.bpki_servers.dir + "/irbe.cer"),
@@ -1767,7 +1755,6 @@ class main(rpki.cli.Cmd):
parent_myhandle = parent.get("myhandle")
parent_sia_base = parent.get("sia_base")
parent_cms_cert = findbase64(parent, "bpki_cms_certificate")
- parent_https_cert = findbase64(parent, "bpki_https_certificate")
if (parent_pdu is None or
parent_pdu.bsc_handle != bsc_handle or
@@ -1776,8 +1763,7 @@ class main(rpki.cli.Cmd):
parent_pdu.sia_base != parent_sia_base or
parent_pdu.sender_name != parent_myhandle or
parent_pdu.recipient_name != parent_handle or
- parent_pdu.bpki_cms_cert != parent_cms_cert or
- parent_pdu.bpki_https_cert != parent_https_cert):
+ parent_pdu.bpki_cms_cert != parent_cms_cert):
rpkid_query.append(rpki.left_right.parent_elt.make_pdu(
action = "create" if parent_pdu is None else "set",
tag = parent_handle,
@@ -1789,8 +1775,7 @@ class main(rpki.cli.Cmd):
sia_base = parent_sia_base,
sender_name = parent_myhandle,
recipient_name = parent_handle,
- bpki_cms_cert = parent_cms_cert,
- bpki_https_cert = parent_https_cert))
+ bpki_cms_cert = parent_cms_cert))
rpkid_query.extend(rpki.left_right.parent_elt.make_pdu(
action = "destroy", self_handle = handle, parent_handle = p) for p in parent_pdus)
@@ -1895,7 +1880,6 @@ class main(rpki.cli.Cmd):
db.close()
- # Run event loop again to give TLS connections a chance to shut down cleanly.
- # Might need to add a timeout here, dunno yet.
-
- rpki.async.event_loop()
+ # We used to run event loop again to give TLS connections a chance to shut down cleanly.
+ # Seems not to be needed (and sometimes hangs forever, which is odd) with TLS out of the picture.
+ #rpki.async.event_loop()
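Review bot: The trailing `rpki.async.event_loop()` call is commented out rather than removed, and the accompanying comment records an unexplained hang; commented-out code tends to be resurrected without its context, so delete the line and keep the explanation as a tracked item, e.g. `# TODO: a second event_loop() pass used to drain TLS shutdowns; it sometimes hung forever once TLS was removed, investigate before reinstating.` The enclosing method starts before the hunk.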
diff --git a/rpkid/rpki/publication.py b/rpkid/rpki/publication.py
index 1af4be10..486dea45 100644
--- a/rpkid/rpki/publication.py
+++ b/rpkid/rpki/publication.py
@@ -3,7 +3,7 @@ RPKI "publication" protocol.
$Id$
-Copyright (C) 2009-2010 Internet Systems Consortium ("ISC")
+Copyright (C) 2009--2010 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -34,7 +34,7 @@ PERFORMANCE OF THIS SOFTWARE.
import base64, os, errno
import rpki.resource_set, rpki.x509, rpki.sql, rpki.exceptions, rpki.xml_utils
-import rpki.https, rpki.up_down, rpki.relaxng, rpki.sundial, rpki.log, rpki.roa
+import rpki.http, rpki.up_down, rpki.relaxng, rpki.sundial, rpki.log, rpki.roa
class publication_namespace(object):
"""
@@ -119,33 +119,15 @@ class client_elt(control_elt):
attributes = ("action", "tag", "client_handle", "base_uri")
elements = ("bpki_cert", "bpki_glue")
- sql_template = rpki.sql.template("client", "client_id", "client_handle", "base_uri", ("bpki_cert", rpki.x509.X509), ("bpki_glue", rpki.x509.X509))
+ sql_template = rpki.sql.template("client", "client_id", "client_handle", "base_uri",
+ ("bpki_cert", rpki.x509.X509),
+ ("bpki_glue", rpki.x509.X509),
+ ("last_cms_timestamp", rpki.sundial.datetime))
base_uri = None
bpki_cert = None
bpki_glue = None
- clear_https_ta_cache = False
-
- def endElement(self, stack, name, text):
- """
- Handle subelements of <client/> element. These require special
- handling because modifying them invalidates the HTTPS trust anchor
- cache.
- """
- control_elt.endElement(self, stack, name, text)
- if name in self.elements:
- self.clear_https_ta_cache = True
-
- def serve_post_save_hook(self, q_pdu, r_pdu, cb, eb):
- """
- Extra server actions for client_elt.
- """
- if self.clear_https_ta_cache:
- self.gctx.clear_https_ta_cache()
- self.clear_https_ta_cache = False
- cb()
-
def serve_fetch_one_maybe(self):
"""
Find the client object on which a get, set, or destroy method
diff --git a/rpkid/rpki/relaxng.py b/rpkid/rpki/relaxng.py
index b16a5a7d..62c5fb41 100644
--- a/rpkid/rpki/relaxng.py
+++ b/rpkid/rpki/relaxng.py
@@ -550,16 +550,6 @@ left_right = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" enc
<ref name="base64"/>
</element>
</optional>
- <optional>
- <element name="bpki_https_cert">
- <ref name="base64"/>
- </element>
- </optional>
- <optional>
- <element name="bpki_https_glue">
- <ref name="base64"/>
- </element>
- </optional>
</define>
<define name="parent_query" combine="choice">
<element name="parent">
@@ -1259,7 +1249,7 @@ publication = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" en
libxml2 (including xmllint) only groks the XML syntax of RelaxNG, so
run the compact syntax through trang to get XML syntax.
- Copyright (C) 2009-2010 Internet Systems Consortium ("ISC")
+ Copyright (C) 2009- -2010 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
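Review bot: The copyright line in the embedded publication schema now reads `2009- -2010` (and `2007- -2008` in the next hunk), which looks like a mangled search-and-replace rather than the `2009--2010` form used in every other file of this commit. Since relaxng.py is generated from the schema sources via trang, as the surrounding text says, the fix belongs in the source schema text (`Copyright (C) 2009--2010 ...`) followed by regeneration, not a hand edit of this file.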
@@ -1273,7 +1263,7 @@ publication = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" en
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
- Portions copyright (C) 2007-2008 American Registry for Internet Numbers ("ARIN")
+ Portions copyright (C) 2007- -2008 American Registry for Internet Numbers ("ARIN")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
diff --git a/rpkid/rpki/resource_set.py b/rpkid/rpki/resource_set.py
index 9addab49..08a577c9 100644
--- a/rpkid/rpki/resource_set.py
+++ b/rpkid/rpki/resource_set.py
@@ -10,7 +10,7 @@ We also provide some basic set operations (union, intersection, etc).
$Id$
-Copyright (C) 2009-2010 Internet Systems Consortium ("ISC")
+Copyright (C) 2009--2010 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
diff --git a/rpkid/rpki/rpki_engine.py b/rpkid/rpki/rpki_engine.py
index 46523814..f31e1df7 100644
--- a/rpkid/rpki/rpki_engine.py
+++ b/rpkid/rpki/rpki_engine.py
@@ -3,7 +3,7 @@ Global context for rpkid.
$Id$
-Copyright (C) 2009-2010 Internet Systems Consortium ("ISC")
+Copyright (C) 2009--2010 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -34,7 +34,7 @@ PERFORMANCE OF THIS SOFTWARE.
import lxml.etree, re, random
import rpki.resource_set, rpki.up_down, rpki.left_right, rpki.x509, rpki.sql
-import rpki.https, rpki.config, rpki.exceptions, rpki.relaxng, rpki.log, rpki.async
+import rpki.http, rpki.config, rpki.exceptions, rpki.relaxng, rpki.log, rpki.async
class rpkid_context(object):
"""
@@ -53,8 +53,8 @@ class rpkid_context(object):
self.irdb_url = cfg.get("irdb-url")
- self.https_server_host = cfg.get("server-host", "")
- self.https_server_port = cfg.getint("server-port", 4433)
+ self.http_server_host = cfg.get("server-host", "")
+ self.http_server_port = cfg.getint("server-port", 4433)
self.publication_kludge_base = cfg.get("publication-kludge-base", "publication/")
@@ -105,10 +105,7 @@ class rpkid_context(object):
expected_pdu_count, "" if expected_pdu_count == 1 else "s", r_cms.pretty_print_content())
callback(r_msg)
- rpki.https.client(
- server_ta = (self.bpki_ta, self.irdb_cert),
- client_key = self.rpkid_key,
- client_cert = self.rpkid_cert,
+ rpki.http.client(
url = self.irdb_url,
msg = q_der,
callback = unwrap,
@@ -275,39 +272,6 @@ class rpkid_context(object):
else:
self.cron(lambda: cb(200, "OK"))
- ## @var https_ta_cache
- # HTTPS trust anchor cache, to avoid regenerating it for every TLS connection.
- https_ta_cache = None
-
- def clear_https_ta_cache(self):
- """
- Clear dynamic TLS trust anchors.
- """
-
- if self.https_ta_cache is not None:
- rpki.log.debug("Clearing HTTPS trusted cert cache")
- self.https_ta_cache = None
-
- def build_https_ta_cache(self):
- """
- Build dynamic TLS trust anchors.
- """
-
- if self.https_ta_cache is None:
-
- selves = rpki.left_right.self_elt.sql_fetch_all(self)
- children = rpki.left_right.child_elt.sql_fetch_all(self)
-
- self.https_ta_cache = rpki.https.build_https_ta_cache(
- [c.bpki_cert for c in children if c.bpki_cert is not None] +
- [c.bpki_glue for c in children if c.bpki_glue is not None] +
- [s.bpki_cert for s in selves if s.bpki_cert is not None] +
- [s.bpki_glue for s in selves if s.bpki_glue is not None] +
- [self.irbe_cert, self.irdb_cert, self.bpki_ta])
-
- return self.https_ta_cache
-
-
class ca_obj(rpki.sql.sql_persistent):
"""
Internal CA object.
diff --git a/rpkid/rpki/sundial.py b/rpkid/rpki/sundial.py
index e8c92d5a..eef69258 100644
--- a/rpkid/rpki/sundial.py
+++ b/rpkid/rpki/sundial.py
@@ -15,7 +15,7 @@ inspection of the datetime module, to wit:
$Id$
-Copyright (C) 2009-2010 Internet Systems Consortium ("ISC")
+Copyright (C) 2009--2010 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
diff --git a/rpkid/rpki/up_down.py b/rpkid/rpki/up_down.py
index 225c0bd4..4320b173 100644
--- a/rpkid/rpki/up_down.py
+++ b/rpkid/rpki/up_down.py
@@ -3,7 +3,7 @@ RPKI "up-down" protocol.
$Id$
-Copyright (C) 2009-2010 Internet Systems Consortium ("ISC")
+Copyright (C) 2009--2010 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
diff --git a/rpkid/rpki/x509.py b/rpkid/rpki/x509.py
index 07b127b1..d013d247 100644
--- a/rpkid/rpki/x509.py
+++ b/rpkid/rpki/x509.py
@@ -13,7 +13,7 @@ some of the nasty details. This involves a lot of format conversion.
$Id$
-Copyright (C) 2009-2010 Internet Systems Consortium ("ISC")
+Copyright (C) 2009--2010 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -556,10 +556,10 @@ class X509(DER_object):
"""
Normalize a chain of certificates into a tuple of X509 objects.
Given all the glue certificates needed for BPKI cross
- certification, it's easiest to allow sloppy arguments to the HTTPS
- and CMS validation methods and provide a single method that
- normalizes the allowed cases. So this method allows X509, None,
- lists, and tuples, and returns a tuple of X509 objects.
+ certification, it's easiest to allow sloppy arguments to the CMS
+ validation methods and provide a single method that normalizes the
+ allowed cases. So this method allows X509, None, lists, and
+ tuples, and returns a tuple of X509 objects.
"""
if isinstance(chain, cls):
chain = (chain,)