authorRob Austein <sra@hactrn.net>2014-02-25 23:04:11 +0000
committerRob Austein <sra@hactrn.net>2014-02-25 23:04:11 +0000
commitce5fd146cb746836c46c7f1ab435ec7d3d49af4f (patch)
treeed6ac8bd95d18b1a18e6d50e485f9db77bf76202 /rpkid/rpki
parentde95fb9525bf5f1ced2fb90924b31b78494e1e87 (diff)
Router certificates working again after changes to get subject name out of the PKCS #10.
svn path=/branches/tk671/; revision=5683
Diffstat (limited to 'rpkid/rpki')
-rw-r--r--rpkid/rpki/irdb/models.py4
-rw-r--r--rpkid/rpki/relaxng.py45
-rw-r--r--rpkid/rpki/rpkid.py2
-rw-r--r--rpkid/rpki/rpkid_tasks.py4
-rw-r--r--rpkid/rpki/x509.py25
5 files changed, 49 insertions, 31 deletions
diff --git a/rpkid/rpki/irdb/models.py b/rpkid/rpki/irdb/models.py
index 7a3c8521..1ad9b4e3 100644
--- a/rpkid/rpki/irdb/models.py
+++ b/rpkid/rpki/irdb/models.py
@@ -583,8 +583,8 @@ class EECertificateRequest(ResourceSet):
issuer = django.db.models.ForeignKey(ResourceHolderCA, related_name = "ee_certificate_requests")
pkcs10 = PKCS10Field()
gski = django.db.models.CharField(max_length = 27)
- cn = django.db-models.CharField(max_length = 64)
- sn = django.db-models.CharField(max_length = 64)
+ cn = django.db.models.CharField(max_length = 64)
+ sn = django.db.models.CharField(max_length = 64)
eku = django.db.models.TextField(null = True)
def _select_resource_bag(self):
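Review bot: The new `cn` and `sn` CharFields store unvalidated text, while the left-right schema updated in this same commit constrains `cn` to `[\-0-9A-Za-z_ ]+` and `sn` to hex `[0-9A-Fa-f]+`, and `X501DN.from_cn` re-checks `sn` only with `assert`, which `python -O` strips. Adding `validators=[django.core.validators.RegexValidator(r"^[0-9A-Fa-f]+$")]` on `sn` (and the matching character class on `cn`) would keep an unexpected value out of the serialNumber RDN regardless of which path writes the request into the database. The schema also makes `sn` optional, but unlike `eku` on the next line the field has neither `null=True` nor `blank=True`, so an absent serial would presumably have to be stored as the empty string — worth confirming against whatever populates these rows. The rest of EECertificateRequest lies outside this hunk.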
diff --git a/rpkid/rpki/relaxng.py b/rpkid/rpki/relaxng.py
index 9162fdfa..714a7b28 100644
--- a/rpkid/rpki/relaxng.py
+++ b/rpkid/rpki/relaxng.py
@@ -6,7 +6,7 @@ import lxml.etree
## Parsed RelaxNG left_right schema
left_right = lxml.etree.RelaxNG(lxml.etree.fromstring(r'''<?xml version="1.0" encoding="UTF-8"?>
<!--
- $Id: left-right-schema.rnc 5657 2014-01-31 05:50:52Z sra $
+ $Id: left-right-schema.rnc 5682 2014-02-25 20:46:05Z sra $
RelaxNG Schema for RPKI left-right protocol.
@@ -204,7 +204,7 @@ left_right = lxml.etree.RelaxNG(lxml.etree.fromstring(r'''<?xml version="1.0" en
<define name="object_handle">
<data type="string">
<param name="maxLength">255</param>
- <param name="pattern">[\-_A-Za-z0-9]*</param>
+ <param name="pattern">[\-_A-Za-z0-9]+</param>
</data>
</define>
<!-- URIs -->
@@ -238,13 +238,6 @@ left_right = lxml.etree.RelaxNG(lxml.etree.fromstring(r'''<?xml version="1.0" en
<param name="pattern">[\-,0-9/:a-fA-F]*</param>
</data>
</define>
- <!-- OID list for Extended Key Usage (EKU) -->
- <define name="eku_list">
- <data type="string">
- <param name="maxLength">512000</param>
- <param name="pattern">[.0-9,]*</param>
- </data>
- </define>
<!-- <self/> element -->
<define name="self_bool">
<optional>
@@ -989,7 +982,7 @@ left_right = lxml.etree.RelaxNG(lxml.etree.fromstring(r'''<?xml version="1.0" en
<attribute name="cn">
<data type="string">
<param name="maxLength">64</param>
- <param name="pattern">[\-0-9A-Za-z_ ]*</param>
+ <param name="pattern">[\-0-9A-Za-z_ ]+</param>
</data>
</attribute>
</optional>
@@ -997,7 +990,15 @@ left_right = lxml.etree.RelaxNG(lxml.etree.fromstring(r'''<?xml version="1.0" en
<attribute name="sn">
<data type="string">
<param name="maxLength">64</param>
- <param name="pattern">[0-9A-Fa-f]*</param>
+ <param name="pattern">[0-9A-Fa-f]+</param>
+ </data>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="eku">
+ <data type="string">
+ <param name="maxLength">512000</param>
+ <param name="pattern">[.,0-9]+</param>
</data>
</attribute>
</optional>
@@ -1102,6 +1103,8 @@ left_right = lxml.etree.RelaxNG(lxml.etree.fromstring(r'''<?xml version="1.0" en
<!--
Local Variables:
indent-tabs-mode: nil
+ comment-start: "# "
+ comment-start-skip: "#[ \t]*"
End:
-->
'''))
@@ -1488,7 +1491,7 @@ publication = lxml.etree.RelaxNG(lxml.etree.fromstring(r'''<?xml version="1.0" e
<define name="object_handle">
<data type="string">
<param name="maxLength">255</param>
- <param name="pattern">[\-_A-Za-z0-9/]*</param>
+ <param name="pattern">[\-_A-Za-z0-9/]+</param>
</data>
</define>
<!--
@@ -1944,6 +1947,8 @@ publication = lxml.etree.RelaxNG(lxml.etree.fromstring(r'''<?xml version="1.0" e
<!--
Local Variables:
indent-tabs-mode: nil
+ comment-start: "# "
+ comment-start-skip: "#[ \t]*"
End:
-->
'''))
@@ -1990,13 +1995,13 @@ myrpki = lxml.etree.RelaxNG(lxml.etree.fromstring(r'''<?xml version="1.0" encodi
<define name="object_handle">
<data type="string">
<param name="maxLength">255</param>
- <param name="pattern">[\-_A-Za-z0-9]*</param>
+ <param name="pattern">[\-_A-Za-z0-9]+</param>
</data>
</define>
<define name="pubd_handle">
<data type="string">
<param name="maxLength">255</param>
- <param name="pattern">[\-_A-Za-z0-9/]*</param>
+ <param name="pattern">[\-_A-Za-z0-9/]+</param>
</data>
</define>
<define name="uri">
@@ -2010,19 +2015,19 @@ myrpki = lxml.etree.RelaxNG(lxml.etree.fromstring(r'''<?xml version="1.0" encodi
<define name="asn_list">
<data type="string">
<param name="maxLength">512000</param>
- <param name="pattern">[\-,0-9]*</param>
+ <param name="pattern">[\-,0-9]+</param>
</data>
</define>
<define name="ipv4_list">
<data type="string">
<param name="maxLength">512000</param>
- <param name="pattern">[\-,0-9/.]*</param>
+ <param name="pattern">[\-,0-9/.]+</param>
</data>
</define>
<define name="ipv6_list">
<data type="string">
<param name="maxLength">512000</param>
- <param name="pattern">[\-,0-9/:a-fA-F]*</param>
+ <param name="pattern">[\-,0-9/:a-fA-F]+</param>
</data>
</define>
<define name="timestamp">
@@ -2325,6 +2330,8 @@ myrpki = lxml.etree.RelaxNG(lxml.etree.fromstring(r'''<?xml version="1.0" encodi
<!--
Local Variables:
indent-tabs-mode: nil
+ comment-start: "# "
+ comment-start-skip: "#[ \t]*"
End:
-->
'''))
@@ -2376,7 +2383,7 @@ router_certificate = lxml.etree.RelaxNG(lxml.etree.fromstring(r'''<?xml version=
<define name="asn_list">
<data type="string">
<param name="maxLength">512000</param>
- <param name="pattern">[\-,0-9]*</param>
+ <param name="pattern">[0-9][\-,0-9]*</param>
</data>
</define>
<define name="timestamp">
@@ -2428,6 +2435,8 @@ router_certificate = lxml.etree.RelaxNG(lxml.etree.fromstring(r'''<?xml version=
<!--
Local Variables:
indent-tabs-mode: nil
+ comment-start: "# "
+ comment-start-skip: "#[ \t]*"
End:
-->
'''))
diff --git a/rpkid/rpki/rpkid.py b/rpkid/rpki/rpkid.py
index 9b83cc59..9fd73067 100644
--- a/rpkid/rpki/rpkid.py
+++ b/rpkid/rpki/rpkid.py
@@ -2369,7 +2369,7 @@ class ee_cert_obj(rpki.sql.sql_persistent):
self.cert = ca_detail.issue_ee(
ca = ca_detail.ca,
subject_key = self.cert.getPublicKey(),
- eku = self.cert.getEKU(),
+ eku = self.cert.get_EKU(),
sia = None,
resources = resources,
notAfter = resources.valid_until,
diff --git a/rpkid/rpki/rpkid_tasks.py b/rpkid/rpki/rpkid_tasks.py
index fe08b7cc..1811967b 100644
--- a/rpkid/rpki/rpkid_tasks.py
+++ b/rpkid/rpki/rpkid_tasks.py
@@ -624,13 +624,11 @@ class UpdateEECertificatesTask(AbstractTask):
rpki.log.debug("Existing EE certificate for %s %s is no longer covered" % (req.gski, resources))
ee.revoke(publisher = publisher)
- eku = (rpki.oids.id_kp_bgpsec_router,) if req.router_id else None
-
for ca_detail in covering:
rpki.log.debug("No existing EE certificate for %s %s" % (req.gski, resources))
rpki.rpkid.ee_cert_obj.create(
ca_detail = ca_detail,
- subject_name = rpki.x509.X501DN.from_cn(req.cn, req.dn),
+ subject_name = rpki.x509.X501DN.from_cn(req.cn, req.sn),
subject_key = req.pkcs10.getPublicKey(),
resources = resources,
publisher = publisher,
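Review bot: With the `eku = (rpki.oids.id_kp_bgpsec_router,) if req.router_id else None` line removed, nothing visible in this hunk supplies an EKU to `rpki.rpkid.ee_cert_obj.create(...)`; the call's remaining keyword arguments continue past the hunk, so either a surviving `eku = eku` argument now raises NameError, or the EKU is no longer requested from this side at all. In the latter case the router EKU has to come from the PKCS #10, and the x509.py change in this same commit makes that extension optional there, so a request without one could presumably be issued as a router certificate lacking id-kp-bgpsec-router — please confirm that `create`/`issue_ee` still sets it when `req.router_id` is set. The enclosing method starts before the hunk.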
diff --git a/rpkid/rpki/x509.py b/rpkid/rpki/x509.py
index 5cb5efd6..fb1a5a2b 100644
--- a/rpkid/rpki/x509.py
+++ b/rpkid/rpki/x509.py
@@ -133,10 +133,14 @@ class X501DN(object):
@classmethod
def from_cn(cls, cn, sn = None):
assert isinstance(cn, (str, unicode))
- assert sn is None or isinstance(sn, (int, long)) or (isinstance(sn, (str, unicode)) and sn.isdigit())
+ if isinstance(sn, (int, long)):
+ sn = "%08X" % sn
+ elif isinstance(sn, (str, unicode)):
+ assert all(c in "0123456789abcdefABCDEF" for c in sn)
+ sn = str(sn)
self = cls()
if sn is not None:
- self.dn = (((rpki.oids.commonName, cn),), ((rpki.oids.serialNumber, str(sn)),))
+ self.dn = (((rpki.oids.commonName, cn),), ((rpki.oids.serialNumber, sn),))
else:
self.dn = (((rpki.oids.commonName, cn),),)
return self
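Review bot: The replaced `assert` narrowed `sn` to None, int/long or a digit string; the new `isinstance` chain silently lets any other type, and an empty or negative value, fall through into `self.dn`, because a non-int, non-str `sn` matches neither branch yet still passes `sn is not None`, `all(...)` on `""` is vacuously true, and `"%08X" % -1` yields `-0000001`. The surviving hex check is itself an `assert`, which is dropped under `python -O`, so a malformed serial would reach the serialNumber RDN of an issued certificate. Raising on those cases keeps the validation active in every interpreter mode:
```python
    if isinstance(sn, (int, long)):
        if sn < 0:
            raise ValueError("Negative serial number: %r" % sn)
        sn = "%08X" % sn
    elif isinstance(sn, (str, unicode)):
        if not sn or not all(c in "0123456789abcdefABCDEF" for c in sn):
            raise ValueError("Serial number must be non-empty hex: %r" % sn)
        sn = str(sn)
    elif sn is not None:
        raise TypeError("Serial number must be int or hex string: %r" % sn)
    # … unchanged: construction of self.dn and return …
```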
@@ -391,18 +395,22 @@ class DER_object(object):
def get_AKI(self):
"""
- Get the AKI extension from this object. Only works for subclasses
- that support getExtension().
+ Get the AKI extension from this object, if supported.
"""
return self.get_POW().getAKI()
def get_SKI(self):
"""
- Get the SKI extension from this object. Only works for subclasses
- that support getExtension().
+ Get the SKI extension from this object, if supported.
"""
return self.get_POW().getSKI()
+ def get_EKU(self):
+ """
+ Get the Extended Key Usage extension from this object, if supported.
+ """
+ return self.get_POW().getEKU()
+
def get_SIA(self):
"""
Get the SIA extension from this object. Only works for subclasses
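Review bot: `get_EKU` is documented only as returning the extension "if supported", which leaves callers guessing about the return shape even though code on this page uses the value both as a container (`rpki.oids.id_kp_bgpsec_router not in eku`) and as possibly `None` (`eku is None`), and rpkid.py passes it straight back into `issue_ee`. A docstring such as `Return the Extended Key Usage extension as a sequence of OIDs (a tuple of rpki.oids values in the removed rpkid_tasks code), or None when the object carries no EKU; only works for subclasses whose POW object implements getEKU().` would pin that contract, though the None-on-absence part is inferred from the PKCS10 check and should be confirmed against the POW binding. The same "if supported" wording replaces the more specific "Only works for subclasses that support getExtension()" on `get_AKI` and `get_SKI`, and keeping the subclass qualification there would preserve that information. `get_SIA` and its docstring continue past the end of the hunk.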
@@ -1053,7 +1061,10 @@ class PKCS10(DER_object):
if alg != rpki.oids.ecdsa_with_SHA256:
raise rpki.exceptions.BadPKCS10("PKCS #10 has bad signature algorithm for router: %s" % alg)
- if eku is None or rpki.oids.id_kp_bgpsec_router not in eku:
+ # Not really clear to me whether PKCS #10 should have EKU or not, so allow
+ # either, but insist that it be the right one if present.
+
+ if eku is not None and rpki.oids.id_kp_bgpsec_router not in eku:
raise rpki.exceptions.BadPKCS10("PKCS #10 router must have EKU")