author | Rob Austein <sra@hactrn.net> | 2014-04-05 19:24:26 +0000 |
committer | Rob Austein <sra@hactrn.net> | 2014-04-05 19:24:26 +0000 |
commit | 3e9ffaab9aef186a3c94123bcfc8346aebda026d (patch) | |
tree | 3127d04811c8bf780641314cbd4c7f3e5a286e91 /rpkid/tests | |
parent | b221ad67e384afbfc8513488325a6e29414e0085 (diff) | |
parent | 5cb86d4686552904bd16affffb902410e2580471 (diff) |
Merge tk671 (router certificate support) back to trunk. See #671.
svn path=/trunk/; revision=5753
Diffstat (limited to 'rpkid/tests')
-rw-r--r-- | rpkid/tests/old_irdbd.sql | 58 | ||||
-rw-r--r-- | rpkid/tests/revoke.yaml | 300 | ||||
-rw-r--r-- | rpkid/tests/smoketest.1.yaml | 14 | ||||
-rw-r--r-- | rpkid/tests/smoketest.3.yaml | 22 | ||||
-rw-r--r-- | rpkid/tests/smoketest.7.yaml | 9 | ||||
-rw-r--r-- | rpkid/tests/smoketest.py | 227 | ||||
-rw-r--r-- | rpkid/tests/testpoke.py | 1 | ||||
-rw-r--r-- | rpkid/tests/yamlconf.py | 4 | ||||
-rw-r--r-- | rpkid/tests/yamltest.py | 67 |
9 files changed, 573 insertions, 129 deletions
diff --git a/rpkid/tests/old_irdbd.sql b/rpkid/tests/old_irdbd.sql index bf324cd8..e773bb2e 100644 --- a/rpkid/tests/old_irdbd.sql +++ b/rpkid/tests/old_irdbd.sql @@ -42,6 +42,9 @@ DROP TABLE IF EXISTS registrant_net; DROP TABLE IF EXISTS registrant_asn; DROP TABLE IF EXISTS registrant; DROP TABLE IF EXISTS ghostbuster_request; +DROP TABLE IF EXISTS ee_certificate_asn; +DROP TABLE IF EXISTS ee_certificate_net; +DROP TABLE IF EXISTS ee_certificate; CREATE TABLE registrant ( registrant_id SERIAL NOT NULL, @@ -54,29 +57,29 @@ CREATE TABLE registrant ( ) ENGINE=InnoDB; CREATE TABLE registrant_asn ( - registrant_asn_id SERIAL NOT NULL, start_as BIGINT UNSIGNED NOT NULL, end_as BIGINT UNSIGNED NOT NULL, registrant_id BIGINT UNSIGNED NOT NULL, - PRIMARY KEY (registrant_asn_id), + PRIMARY KEY (registrant_id, start_as, end_as), CONSTRAINT registrant_asn_registrant_id - FOREIGN KEY (registrant_id) REFERENCES registrant (registrant_id) ON DELETE CASCADE + FOREIGN KEY (registrant_id) REFERENCES registrant (registrant_id) + ON DELETE CASCADE ON UPDATE CASCADE ) ENGINE=InnoDB; CREATE TABLE registrant_net ( - registrant_net_id SERIAL NOT NULL, start_ip VARCHAR(40) NOT NULL, end_ip VARCHAR(40) NOT NULL, version TINYINT UNSIGNED NOT NULL, registrant_id BIGINT UNSIGNED NOT NULL, - PRIMARY KEY (registrant_net_id), + PRIMARY KEY (registrant_id, version, start_ip, end_ip), CONSTRAINT registrant_net_registrant_id - FOREIGN KEY (registrant_id) REFERENCES registrant (registrant_id) ON DELETE CASCADE + FOREIGN KEY (registrant_id) REFERENCES registrant (registrant_id) + ON DELETE CASCADE ON UPDATE CASCADE ) ENGINE=InnoDB; CREATE TABLE roa_request ( roa_request_id SERIAL NOT NULL, - roa_request_handle VARCHAR(255) NOT NULL, + self_handle VARCHAR(255) NOT NULL, asn BIGINT UNSIGNED NOT NULL, PRIMARY KEY (roa_request_id) ) ENGINE=InnoDB; 
@@ -89,17 +92,52 @@ CREATE TABLE roa_request_prefix ( roa_request_id BIGINT UNSIGNED NOT NULL, PRIMARY KEY (roa_request_id, prefix, prefixlen, max_prefixlen), CONSTRAINT roa_request_prefix_roa_request_id - FOREIGN KEY (roa_request_id) REFERENCES roa_request (roa_request_id) ON DELETE CASCADE + FOREIGN KEY (roa_request_id) REFERENCES roa_request (roa_request_id) + ON DELETE CASCADE ON UPDATE CASCADE ) ENGINE=InnoDB; CREATE TABLE ghostbuster_request ( ghostbuster_request_id SERIAL NOT NULL, - self_handle VARCHAR(40) NOT NULL, - parent_handle VARCHAR(40), + self_handle VARCHAR(255) NOT NULL, + parent_handle VARCHAR(255), vcard LONGBLOB NOT NULL, PRIMARY KEY (ghostbuster_request_id) ) ENGINE=InnoDB; +CREATE TABLE ee_certificate ( + ee_certificate_id SERIAL NOT NULL, + self_handle VARCHAR(255) NOT NULL, + pkcs10 LONGBLOB NOT NULL, + gski VARCHAR(27) NOT NULL, + cn VARCHAR(64) NOT NULL, + sn VARCHAR(64), + eku TEXT NOT NULL, + valid_until DATETIME NOT NULL, + PRIMARY KEY (ee_certificate_id), + UNIQUE (self_handle, gski) +) ENGINE=InnoDB; + +CREATE TABLE ee_certificate_asn ( + start_as BIGINT UNSIGNED NOT NULL, + end_as BIGINT UNSIGNED NOT NULL, + ee_certificate_id BIGINT UNSIGNED NOT NULL, + PRIMARY KEY (ee_certificate_id, start_as, end_as), + CONSTRAINT ee_certificate_asn_ee_certificate_id + FOREIGN KEY (ee_certificate_id) REFERENCES ee_certificate (ee_certificate_id) + ON DELETE CASCADE ON UPDATE CASCADE +) ENGINE=InnoDB; + +CREATE TABLE ee_certificate_net ( + version TINYINT UNSIGNED NOT NULL, + start_ip VARCHAR(40) NOT NULL, + end_ip VARCHAR(40) NOT NULL, + ee_certificate_id BIGINT UNSIGNED NOT NULL, + PRIMARY KEY (ee_certificate_id, version, start_ip, end_ip), + CONSTRAINT ee_certificate_net_ee_certificate_id + FOREIGN KEY (ee_certificate_id) REFERENCES ee_certificate (ee_certificate_id) + ON DELETE CASCADE ON UPDATE CASCADE +) ENGINE=InnoDB; + -- Local Variables: -- indent-tabs-mode: nil -- End: 
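Review bot: The three new `ee_certificate*` tables carry no comment saying what a row represents, and their column names (`gski`, `eku`, `sn`) are the least self-explanatory in the file. Suggest a header before `CREATE TABLE ee_certificate`: `-- One row per EE (router) certificate request held for self_handle: the PKCS #10, the gSKI() of the request, the requested EKU OID and the validity; ee_certificate_asn / ee_certificate_net hold the resources for that request.` — the reader of these tables (irdbd) is outside this diff, so the wording should be confirmed against it. `ee_certificate_net` also orders its columns (version, start_ip, end_ip) while the parallel `registrant_net` earlier in the file uses (start_ip, end_ip, version); matching the existing order keeps the two tables reading alike.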
diff --git a/rpkid/tests/revoke.yaml b/rpkid/tests/revoke.yaml
index c006460d..2edb8335 100644
--- a/rpkid/tests/revoke.yaml
+++ b/rpkid/tests/revoke.yaml
@@ -49,150 +49,372 @@ kids: ipv4: 10.3.0.44/32 --- -- shell sleep 1; dir=rcynic.`date +%s`.data; mkdir $dir; cd rcynic-data; pax -rwl . ../$dir; find . -type f -name '*.cer' | sort | xargs ../../../../utils/uri/uri -s >../${dir%.data}.uris; sleep 1 +- shell sleep 1; + dir=rcynic.`date +%s`.data; mkdir $dir; + cd rcynic-data; + pax -rwl . ../$dir; find . -type f -name '*.cer' | + sort | + xargs ../../../../utils/uri/uri -s + >../${dir%.data}.uris; + sleep 1 - name: R0 rekey: - sleep 10 + --- -- shell sleep 1; dir=rcynic.`date +%s`.data; mkdir $dir; cd rcynic-data; pax -rwl . ../$dir; find . -type f -name '*.cer' | sort | xargs ../../../../utils/uri/uri -s >../${dir%.data}.uris; sleep 1 +- shell sleep 1; + dir=rcynic.`date +%s`.data; mkdir $dir; + cd rcynic-data; + pax -rwl . ../$dir; find . -type f -name '*.cer' | + sort | + xargs ../../../../utils/uri/uri -s + >../${dir%.data}.uris; + sleep 1 + - name: R0 revoke: - sleep 10 + --- -- shell sleep 1; dir=rcynic.`date +%s`.data; mkdir $dir; cd rcynic-data; pax -rwl . ../$dir; find . -type f -name '*.cer' | sort | xargs ../../../../utils/uri/uri -s >../${dir%.data}.uris; sleep 1 +- shell sleep 1; + dir=rcynic.`date +%s`.data; mkdir $dir; + cd rcynic-data; + pax -rwl . ../$dir; find . -type f -name '*.cer' | + sort | + xargs ../../../../utils/uri/uri -s + >../${dir%.data}.uris; + sleep 1 - sleep 30 - --- -- shell sleep 1; dir=rcynic.`date +%s`.data; mkdir $dir; cd rcynic-data; pax -rwl . ../$dir; find . -type f -name '*.cer' | sort | xargs ../../../../utils/uri/uri -s >../${dir%.data}.uris; sleep 1 +- shell sleep 1; + dir=rcynic.`date +%s`.data; mkdir $dir; + cd rcynic-data; + pax -rwl . ../$dir; find . -type f -name '*.cer' | + sort | + xargs ../../../../utils/uri/uri -s + >../${dir%.data}.uris; + sleep 1 - name: R0 rekey: - sleep 10 + --- -- shell sleep 1; dir=rcynic.`date +%s`.data; mkdir $dir; cd rcynic-data; pax -rwl . ../$dir; find . 
-type f -name '*.cer' | sort | xargs ../../../../utils/uri/uri -s >../${dir%.data}.uris; sleep 1 +- shell sleep 1; + dir=rcynic.`date +%s`.data; mkdir $dir; + cd rcynic-data; + pax -rwl . ../$dir; find . -type f -name '*.cer' | + sort | + xargs ../../../../utils/uri/uri -s + >../${dir%.data}.uris; + sleep 1 - name: R0 revoke: - sleep 10 + --- -- shell sleep 1; dir=rcynic.`date +%s`.data; mkdir $dir; cd rcynic-data; pax -rwl . ../$dir; find . -type f -name '*.cer' | sort | xargs ../../../../utils/uri/uri -s >../${dir%.data}.uris; sleep 1 +- shell sleep 1; + dir=rcynic.`date +%s`.data; mkdir $dir; + cd rcynic-data; + pax -rwl . ../$dir; find . -type f -name '*.cer' | + sort | + xargs ../../../../utils/uri/uri -s + >../${dir%.data}.uris; + sleep 1 - sleep 30 - --- -- shell sleep 1; dir=rcynic.`date +%s`.data; mkdir $dir; cd rcynic-data; pax -rwl . ../$dir; find . -type f -name '*.cer' | sort | xargs ../../../../utils/uri/uri -s >../${dir%.data}.uris; sleep 1 +- shell sleep 1; + dir=rcynic.`date +%s`.data; mkdir $dir; + cd rcynic-data; + pax -rwl . ../$dir; find . -type f -name '*.cer' | + sort | + xargs ../../../../utils/uri/uri -s + >../${dir%.data}.uris; + sleep 1 - name: R0 rekey: - sleep 10 + --- -- shell sleep 1; dir=rcynic.`date +%s`.data; mkdir $dir; cd rcynic-data; pax -rwl . ../$dir; find . -type f -name '*.cer' | sort | xargs ../../../../utils/uri/uri -s >../${dir%.data}.uris; sleep 1 +- shell sleep 1; + dir=rcynic.`date +%s`.data; mkdir $dir; + cd rcynic-data; + pax -rwl . ../$dir; find . -type f -name '*.cer' | + sort | + xargs ../../../../utils/uri/uri -s + >../${dir%.data}.uris; + sleep 1 - name: R0 revoke: - sleep 10 + --- -- shell sleep 1; dir=rcynic.`date +%s`.data; mkdir $dir; cd rcynic-data; pax -rwl . ../$dir; find . -type f -name '*.cer' | sort | xargs ../../../../utils/uri/uri -s >../${dir%.data}.uris; sleep 1 +- shell sleep 1; + dir=rcynic.`date +%s`.data; mkdir $dir; + cd rcynic-data; + pax -rwl . ../$dir; find . 
-type f -name '*.cer' | + sort | + xargs ../../../../utils/uri/uri -s + >../${dir%.data}.uris; + sleep 1 - sleep 30 - --- -- shell sleep 1; dir=rcynic.`date +%s`.data; mkdir $dir; cd rcynic-data; pax -rwl . ../$dir; find . -type f -name '*.cer' | sort | xargs ../../../../utils/uri/uri -s >../${dir%.data}.uris; sleep 1 +- shell sleep 1; + dir=rcynic.`date +%s`.data; mkdir $dir; + cd rcynic-data; + pax -rwl . ../$dir; find . -type f -name '*.cer' | + sort | + xargs ../../../../utils/uri/uri -s + >../${dir%.data}.uris; + sleep 1 - name: R0 rekey: - sleep 10 + --- -- shell sleep 1; dir=rcynic.`date +%s`.data; mkdir $dir; cd rcynic-data; pax -rwl . ../$dir; find . -type f -name '*.cer' | sort | xargs ../../../../utils/uri/uri -s >../${dir%.data}.uris; sleep 1 +- shell sleep 1; + dir=rcynic.`date +%s`.data; mkdir $dir; + cd rcynic-data; + pax -rwl . ../$dir; find . -type f -name '*.cer' | + sort | + xargs ../../../../utils/uri/uri -s + >../${dir%.data}.uris; + sleep 1 - name: R0 revoke: - sleep 10 + --- -- shell sleep 1; dir=rcynic.`date +%s`.data; mkdir $dir; cd rcynic-data; pax -rwl . ../$dir; find . -type f -name '*.cer' | sort | xargs ../../../../utils/uri/uri -s >../${dir%.data}.uris; sleep 1 +- shell sleep 1; + dir=rcynic.`date +%s`.data; mkdir $dir; + cd rcynic-data; + pax -rwl . ../$dir; find . -type f -name '*.cer' | + sort | + xargs ../../../../utils/uri/uri -s + >../${dir%.data}.uris; + sleep 1 - sleep 30 - --- -- shell sleep 1; dir=rcynic.`date +%s`.data; mkdir $dir; cd rcynic-data; pax -rwl . ../$dir; find . -type f -name '*.cer' | sort | xargs ../../../../utils/uri/uri -s >../${dir%.data}.uris; sleep 1 +- shell sleep 1; + dir=rcynic.`date +%s`.data; mkdir $dir; + cd rcynic-data; + pax -rwl . ../$dir; find . -type f -name '*.cer' | + sort | + xargs ../../../../utils/uri/uri -s + >../${dir%.data}.uris; + sleep 1 - name: R0 rekey: - sleep 10 + --- -- shell sleep 1; dir=rcynic.`date +%s`.data; mkdir $dir; cd rcynic-data; pax -rwl . ../$dir; find . 
-type f -name '*.cer' | sort | xargs ../../../../utils/uri/uri -s >../${dir%.data}.uris; sleep 1 +- shell sleep 1; + dir=rcynic.`date +%s`.data; mkdir $dir; + cd rcynic-data; + pax -rwl . ../$dir; find . -type f -name '*.cer' | + sort | + xargs ../../../../utils/uri/uri -s + >../${dir%.data}.uris; + sleep 1 - name: R0 revoke: - sleep 10 + --- -- shell sleep 1; dir=rcynic.`date +%s`.data; mkdir $dir; cd rcynic-data; pax -rwl . ../$dir; find . -type f -name '*.cer' | sort | xargs ../../../../utils/uri/uri -s >../${dir%.data}.uris; sleep 1 +- shell sleep 1; + dir=rcynic.`date +%s`.data; mkdir $dir; + cd rcynic-data; + pax -rwl . ../$dir; find . -type f -name '*.cer' | + sort | + xargs ../../../../utils/uri/uri -s + >../${dir%.data}.uris; + sleep 1 - sleep 30 - --- -- shell sleep 1; dir=rcynic.`date +%s`.data; mkdir $dir; cd rcynic-data; pax -rwl . ../$dir; find . -type f -name '*.cer' | sort | xargs ../../../../utils/uri/uri -s >../${dir%.data}.uris; sleep 1 +- shell sleep 1; + dir=rcynic.`date +%s`.data; mkdir $dir; + cd rcynic-data; + pax -rwl . ../$dir; find . -type f -name '*.cer' | + sort | + xargs ../../../../utils/uri/uri -s + >../${dir%.data}.uris; + sleep 1 - name: R0 rekey: - sleep 10 + --- -- shell sleep 1; dir=rcynic.`date +%s`.data; mkdir $dir; cd rcynic-data; pax -rwl . ../$dir; find . -type f -name '*.cer' | sort | xargs ../../../../utils/uri/uri -s >../${dir%.data}.uris; sleep 1 +- shell sleep 1; + dir=rcynic.`date +%s`.data; mkdir $dir; + cd rcynic-data; + pax -rwl . ../$dir; find . -type f -name '*.cer' | + sort | + xargs ../../../../utils/uri/uri -s + >../${dir%.data}.uris; + sleep 1 - name: R0 revoke: - sleep 10 + --- -- shell sleep 1; dir=rcynic.`date +%s`.data; mkdir $dir; cd rcynic-data; pax -rwl . ../$dir; find . -type f -name '*.cer' | sort | xargs ../../../../utils/uri/uri -s >../${dir%.data}.uris; sleep 1 +- shell sleep 1; + dir=rcynic.`date +%s`.data; mkdir $dir; + cd rcynic-data; + pax -rwl . ../$dir; find . 
-type f -name '*.cer' | + sort | + xargs ../../../../utils/uri/uri -s + >../${dir%.data}.uris; + sleep 1 - sleep 30 - --- -- shell sleep 1; dir=rcynic.`date +%s`.data; mkdir $dir; cd rcynic-data; pax -rwl . ../$dir; find . -type f -name '*.cer' | sort | xargs ../../../../utils/uri/uri -s >../${dir%.data}.uris; sleep 1 +- shell sleep 1; + dir=rcynic.`date +%s`.data; mkdir $dir; + cd rcynic-data; + pax -rwl . ../$dir; find . -type f -name '*.cer' | + sort | + xargs ../../../../utils/uri/uri -s + >../${dir%.data}.uris; + sleep 1 - name: R0 rekey: - sleep 10 + --- -- shell sleep 1; dir=rcynic.`date +%s`.data; mkdir $dir; cd rcynic-data; pax -rwl . ../$dir; find . -type f -name '*.cer' | sort | xargs ../../../../utils/uri/uri -s >../${dir%.data}.uris; sleep 1 +- shell sleep 1; + dir=rcynic.`date +%s`.data; mkdir $dir; + cd rcynic-data; + pax -rwl . ../$dir; find . -type f -name '*.cer' | + sort | + xargs ../../../../utils/uri/uri -s + >../${dir%.data}.uris; + sleep 1 - name: R0 revoke: - sleep 10 + --- -- shell sleep 1; dir=rcynic.`date +%s`.data; mkdir $dir; cd rcynic-data; pax -rwl . ../$dir; find . -type f -name '*.cer' | sort | xargs ../../../../utils/uri/uri -s >../${dir%.data}.uris; sleep 1 +- shell sleep 1; + dir=rcynic.`date +%s`.data; mkdir $dir; + cd rcynic-data; + pax -rwl . ../$dir; find . -type f -name '*.cer' | + sort | + xargs ../../../../utils/uri/uri -s + >../${dir%.data}.uris; + sleep 1 - sleep 30 - --- -- shell sleep 1; dir=rcynic.`date +%s`.data; mkdir $dir; cd rcynic-data; pax -rwl . ../$dir; find . -type f -name '*.cer' | sort | xargs ../../../../utils/uri/uri -s >../${dir%.data}.uris; sleep 1 +- shell sleep 1; + dir=rcynic.`date +%s`.data; mkdir $dir; + cd rcynic-data; + pax -rwl . ../$dir; find . -type f -name '*.cer' | + sort | + xargs ../../../../utils/uri/uri -s + >../${dir%.data}.uris; + sleep 1 - name: R0 rekey: - sleep 10 + --- -- shell sleep 1; dir=rcynic.`date +%s`.data; mkdir $dir; cd rcynic-data; pax -rwl . ../$dir; find . 
-type f -name '*.cer' | sort | xargs ../../../../utils/uri/uri -s >../${dir%.data}.uris; sleep 1 +- shell sleep 1; + dir=rcynic.`date +%s`.data; mkdir $dir; + cd rcynic-data; + pax -rwl . ../$dir; find . -type f -name '*.cer' | + sort | + xargs ../../../../utils/uri/uri -s + >../${dir%.data}.uris; + sleep 1 - name: R0 revoke: - sleep 10 + --- -- shell sleep 1; dir=rcynic.`date +%s`.data; mkdir $dir; cd rcynic-data; pax -rwl . ../$dir; find . -type f -name '*.cer' | sort | xargs ../../../../utils/uri/uri -s >../${dir%.data}.uris; sleep 1 +- shell sleep 1; + dir=rcynic.`date +%s`.data; mkdir $dir; + cd rcynic-data; + pax -rwl . ../$dir; find . -type f -name '*.cer' | + sort | + xargs ../../../../utils/uri/uri -s + >../${dir%.data}.uris; + sleep 1 - sleep 30 - --- -- shell sleep 1; dir=rcynic.`date +%s`.data; mkdir $dir; cd rcynic-data; pax -rwl . ../$dir; find . -type f -name '*.cer' | sort | xargs ../../../../utils/uri/uri -s >../${dir%.data}.uris; sleep 1 +- shell sleep 1; + dir=rcynic.`date +%s`.data; mkdir $dir; + cd rcynic-data; + pax -rwl . ../$dir; find . -type f -name '*.cer' | + sort | + xargs ../../../../utils/uri/uri -s + >../${dir%.data}.uris; + sleep 1 - name: R0 rekey: - sleep 10 + --- -- shell sleep 1; dir=rcynic.`date +%s`.data; mkdir $dir; cd rcynic-data; pax -rwl . ../$dir; find . -type f -name '*.cer' | sort | xargs ../../../../utils/uri/uri -s >../${dir%.data}.uris; sleep 1 +- shell sleep 1; + dir=rcynic.`date +%s`.data; mkdir $dir; + cd rcynic-data; + pax -rwl . ../$dir; find . -type f -name '*.cer' | + sort | + xargs ../../../../utils/uri/uri -s + >../${dir%.data}.uris; + sleep 1 - name: R0 revoke: - sleep 10 + --- -- shell sleep 1; dir=rcynic.`date +%s`.data; mkdir $dir; cd rcynic-data; pax -rwl . ../$dir; find . -type f -name '*.cer' | sort | xargs ../../../../utils/uri/uri -s >../${dir%.data}.uris; sleep 1 +- shell sleep 1; + dir=rcynic.`date +%s`.data; mkdir $dir; + cd rcynic-data; + pax -rwl . ../$dir; find . 
-type f -name '*.cer' | + sort | + xargs ../../../../utils/uri/uri -s + >../${dir%.data}.uris; + sleep 1 - sleep 30 - --- -- shell sleep 1; dir=rcynic.`date +%s`.data; mkdir $dir; cd rcynic-data; pax -rwl . ../$dir; find . -type f -name '*.cer' | sort | xargs ../../../../utils/uri/uri -s >../${dir%.data}.uris; sleep 1 +- shell sleep 1; + dir=rcynic.`date +%s`.data; mkdir $dir; + cd rcynic-data; + pax -rwl . ../$dir; find . -type f -name '*.cer' | + sort | + xargs ../../../../utils/uri/uri -s + >../${dir%.data}.uris; + sleep 1 - name: R0 rekey: - sleep 10 + --- -- shell sleep 1; dir=rcynic.`date +%s`.data; mkdir $dir; cd rcynic-data; pax -rwl . ../$dir; find . -type f -name '*.cer' | sort | xargs ../../../../utils/uri/uri -s >../${dir%.data}.uris; sleep 1 +- shell sleep 1; + dir=rcynic.`date +%s`.data; mkdir $dir; + cd rcynic-data; + pax -rwl . ../$dir; find . -type f -name '*.cer' | + sort | + xargs ../../../../utils/uri/uri -s + >../${dir%.data}.uris; + sleep 1 - name: R0 revoke: - sleep 10 + --- -- shell sleep 1; dir=rcynic.`date +%s`.data; mkdir $dir; cd rcynic-data; pax -rwl . ../$dir; find . -type f -name '*.cer' | sort | xargs ../../../../utils/uri/uri -s >../${dir%.data}.uris; sleep 1 +- shell sleep 1; + dir=rcynic.`date +%s`.data; mkdir $dir; + cd rcynic-data; + pax -rwl . ../$dir; find . -type f -name '*.cer' | + sort | + xargs ../../../../utils/uri/uri -s + >../${dir%.data}.uris; + sleep 1 - sleep 30 diff --git a/rpkid/tests/smoketest.1.yaml b/rpkid/tests/smoketest.1.yaml index 455e14d6..914aaae4 100644 --- a/rpkid/tests/smoketest.1.yaml +++ b/rpkid/tests/smoketest.1.yaml 
@@ -40,14 +40,21 @@ kids: roa_request: - asn: 42 ipv4: 192.0.2.32/32 + router_cert: + - router_id: 666 + asn: 42 - name: Bob ipv4: 192.0.2.44-192.0.2.100 ipv4: 10.3.0.0/16 roa_request: - asn: 666 ipv4: 10.3.0.44/32 + --- -- shell set -x; rtr_origin='python ../../../rtr-origin/rtr-origin.py'; $rtr_origin --cronjob rcynic-data/authenticated && $rtr_origin --show +- shell set -x; + rtr_origin='python ../../../rtr-origin/rtr-origin.py'; + $rtr_origin --cronjob rcynic-data/authenticated && + $rtr_origin --show --- - name: R0 rekey: @@ -62,7 +69,10 @@ kids: - asn: 17 ipv4: 10.3.0.1/32, 10.0.0.44/32 --- -- shell set -x; rtr_origin='python ../../../rtr-origin/rtr-origin.py'; $rtr_origin --cronjob rcynic-data/authenticated && $rtr_origin --show +- shell set -x; + rtr_origin='python ../../../rtr-origin/rtr-origin.py'; + $rtr_origin --cronjob rcynic-data/authenticated && + $rtr_origin --show --- - sleep 30 --- diff --git a/rpkid/tests/smoketest.3.yaml b/rpkid/tests/smoketest.3.yaml index f7e4d2a9..e6a10a12 100644 --- a/rpkid/tests/smoketest.3.yaml +++ b/rpkid/tests/smoketest.3.yaml 
@@ -50,13 +50,20 @@ kids: - asn: 666 ipv4: 10.3.0.0/23 --- -#- shell find publication -type f -name '*.roa' -print -exec ../../../utils/print_roa/print_roa {} \; -#- shell find publication -type f -name '*.mft' -print -exec ../../../utils/print_manifest/print_manifest {} \; +#- shell find publication -type f -name '*.roa' +# -print -exec ../../../utils/print_roa/print_roa {} \; +#- shell find publication -type f -name '*.mft' +# -print -exec ../../../utils/print_manifest/print_manifest {} \; #--- -#- shell find publication -type f -name '*.roa' -print -exec ../../../utils/print_roa/print_roa {} \; -#- shell find publication -type f -name '*.mft' -print -exec ../../../utils/print_manifest/print_manifest {} \; +#- shell find publication -type f -name '*.roa' +# -print -exec ../../../utils/print_roa/print_roa {} \; +#- shell find publication -type f -name '*.mft' +# -print -exec ../../../utils/print_manifest/print_manifest {} \; #--- -- shell set -x; rtr_origin=../../../rtr-origin/rtr-origin; $rtr_origin --cronjob rcynic-data/authenticated && $rtr_origin --show +- shell set -x; + rtr_origin=../../../rtr-origin/rtr-origin; + $rtr_origin --cronjob rcynic-data/authenticated && + $rtr_origin --show --- - name: Alice roa_request_del: @@ -68,4 +75,7 @@ kids: ipv4: 192.0.2.0/30-32,192.0.2.32/32 ipv6: 2002:0a00::/32-128 --- -- shell set -x; rtr_origin=../../../rtr-origin/rtr-origin; $rtr_origin --cronjob rcynic-data/authenticated && $rtr_origin --show +- shell set -x; + rtr_origin=../../../rtr-origin/rtr-origin; + $rtr_origin --cronjob rcynic-data/authenticated && + $rtr_origin --show diff --git a/rpkid/tests/smoketest.7.yaml b/rpkid/tests/smoketest.7.yaml index 84c98a31..fedd2fff 100644 --- a/rpkid/tests/smoketest.7.yaml +++ b/rpkid/tests/smoketest.7.yaml 
@@ -68,5 +68,10 @@ roa_request: ipv4: 208.91.236.0/22,203.33.196.0/24,203.27.251.0/24,198.80.148.0/24,198.80.131.0/24,157.130.103.144/30,140.222.224.0/24,65.243.171.0/24,63.122.162.212/30,63.116.191.0/24,63.81.136.0/24,17.0.0.0/8,17.128.0.0/9 --- -- shell set -x; find publication -type f -name '*.roa' -print -exec ../../../utils/print_roa/print_roa {} \; -- shell set -x; rtr_origin=../../../rtr-origin/rtr-origin; $rtr_origin --cronjob rcynic-data/authenticated && $rtr_origin --show +- shell set -x; + find publication -type f -name '*.roa' + -print -exec ../../../utils/print_roa/print_roa {} \; + ; + rtr_origin=../../../rtr-origin/rtr-origin; + $rtr_origin --cronjob rcynic-data/authenticated && + $rtr_origin --show diff --git a/rpkid/tests/smoketest.py b/rpkid/tests/smoketest.py index e9135a42..28bedaa4 100644 --- a/rpkid/tests/smoketest.py +++ b/rpkid/tests/smoketest.py @@ -134,6 +134,8 @@ pubd_pubd_cert = None pubd_last_cms_time = None +ecdsa_params = None + class CantRekeyYAMLLeaf(Exception): """ Can't rekey YAML leaf. @@ -228,7 +230,8 @@ def main(): rootd_process = subprocess.Popen((prog_python, prog_rootd, "-d", "-c", rootd_name + ".conf")) rpki.log.info("Starting pubd") - pubd_process = subprocess.Popen((prog_python, prog_pubd, "-d", "-c", pubd_name + ".conf") + (("-p", pubd_name + ".prof") if args.profile else ())) + pubd_process = subprocess.Popen((prog_python, prog_pubd, "-d", "-c", pubd_name + ".conf") + + (("-p", pubd_name + ".prof") if args.profile else ())) rpki.log.info("Starting rsyncd") rsyncd_process = subprocess.Popen((prog_rsyncd, "--daemon", "--no-detach", "--config", rsyncd_name + ".conf")) @@ -248,10 +251,6 @@ def main(): def created_rpki_objects(): - # Setup keys and certs and write YAML files for leaves - for a in db.leaves: - a.setup_yaml_leaf() - # Set pubd's BPKI CRL set_pubd_crl(yaml_loop) 
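Review bot: The module-level `ecdsa_params = None` added in the @@ -134 hunk of smoketest.py is not referenced by any other hunk in this diff, and the new `router_cert` class caches its EC parameters in its own `_ecparams` class attribute via `router_cert.ecparams()`; unless something outside the diff reads it, it looks like a leftover and can be dropped. In the same spirit, `CantRekeyYAMLLeaf`, visible as context right below that line, loses its only visible raise site when the `is_leaf` branch is removed from `apply_rekey` in the @@ -584 hunk, so it is probably dead as well once the leaf code is gone. If either is kept on purpose, a one-line comment saying why (e.g. `# kept for <reason — confirm>`) would stop the next cleanup from removing it.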
@@ -268,10 +267,6 @@ def main(): def run_yaml(): - # Run all YAML clients - for a in db.leaves: - a.run_yaml() - # Run rcynic to check results run_rcynic() @@ -382,6 +377,43 @@ class roa_request(object): def parse(cls, yaml): return cls(yaml.get("asn"), yaml.get("ipv4"), yaml.get("ipv6")) +class router_cert(object): + """ + Representation for a router_cert object. + """ + + _ecparams = None + + @classmethod + def ecparams(cls): + if cls._ecparams is None: + cls._ecparams = rpki.x509.KeyParams.generateEC() + return cls._ecparams + + def __init__(self, asn, router_id): + self.asn = rpki.resource_set.resource_set_as("".join(str(asn).split())) + self.router_id = router_id + self.keypair = rpki.x509.ECDSA.generate(self.ecparams()) + self.pkcs10 = rpki.x509.PKCS10.create(keypair = self.keypair) + self.gski = self.pkcs10.gSKI() + self.cn = "ROUTER-%08x" % self.asn[0].min + self.sn = "%08x" % self.router_id + self.eku = rpki.oids.id_kp_bgpsec_router + + def __eq__(self, other): + return self.asn == other.asn and self.sn == other.sn and self.gski == other.gski + + def __hash__(self): + v6 = tuple(self.v6) if self.v6 is not None else None + return tuple(self.asn).__hash__() + sn.__hash__() + self.gski.__hash__() + + def __str__(self): + return "%s: %s: %s" % (self.asn, self.cn, self.sn, self.gski) + + @classmethod + def parse(cls, yaml): + return cls(yaml.get("asn"), yaml.get("router_id")) + class allocation_db(list): """ Representation of all the entities and allocations in the test @@ -413,7 +445,6 @@ class allocation_db(list): self.root.closure() self.map = dict((a.name, a) for a in self) self.engines = [a for a in self if a.is_engine] - self.leaves = [a for a in self if a.is_leaf] for i, a in enumerate(self.engines): a.set_engine_number(i) for a in self: 
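Review bot: `router_cert.__str__` has three `%s` conversions but passes four values, so any str() of a router_cert raises TypeError; the line should read `return "%s: %s: %s: %s" % (self.asn, self.cn, self.sn, self.gski)`. `__hash__` is a leftover from roa_request: it reads `self.v6`, which `__init__` never sets, and the bare name `sn`, so it fails with AttributeError/NameError the first time an instance is hashed; `return hash((tuple(self.asn), self.sn, self.gski))` would match the fields `__eq__` compares. A further problem is that `__eq__` includes `gski`, which is derived from a keypair freshly generated in `__init__`, so two `parse()` results of the same YAML stanza are never equal; this makes the `r not in self.router_certs` / `r in self.router_certs` tests in `apply_router_cert_add` / `apply_router_cert_del` (the @@ -576 hunk) always add and never delete. If identity is meant to be the YAML-level (asn, router_id) pair, comparing and hashing on those two fields instead (`sn` is derived from `router_id`) would make add/del behave, though which identity is intended should be confirmed with the author.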
@@ -493,6 +524,9 @@ class allocation(object): self.base.v4 |= r.v4.to_resource_set() if r.v6: self.base.v6 |= r.v6.to_resource_set() + self.router_certs = [router_cert.parse(y) for y in yaml.get("router_cert", ())] + for r in self.router_certs: + self.base.asn |= r.asn self.hosted_by = yaml.get("hosted_by") self.extra_conf = yaml.get("extra_conf", []) self.hosts = [] @@ -576,6 +610,20 @@ class allocation(object): self.roa_requests.remove(r) cb() + def apply_router_cert_add(self, yaml, cb): + for y in yaml: + r = router_cert.parse(y) + if r not in self.router_certs: + self.router_certs.append(r) + cb() + + def apply_router_cert_del(self, yaml, cb): + for y in yaml: + r = router_cert.parse(y) + if r in self.router_certs: + self.router_certs.remove(r) + cb() + def apply_rekey(self, target, cb): def done(e): @@ -584,14 +632,14 @@ class allocation(object): raise e cb() - if self.is_leaf: - raise CantRekeyYAMLLeaf, "Can't rekey YAML leaf %s, sorry" % self.name - elif target is None: + if target is None: rpki.log.info("Rekeying <self/> %s" % self.name) - self.call_rpkid([rpki.left_right.self_elt.make_pdu(action = "set", self_handle = self.name, rekey = "yes")], cb = done) + self.call_rpkid([rpki.left_right.self_elt.make_pdu( + action = "set", self_handle = self.name, rekey = "yes")], cb = done) else: rpki.log.info("Rekeying <parent/> %s %s" % (self.name, target)) - self.call_rpkid([rpki.left_right.parent_elt.make_pdu(action = "set", self_handle = self.name, parent_handle = target, rekey = "yes")], cb = done) + self.call_rpkid([rpki.left_right.parent_elt.make_pdu( + action = "set", self_handle = self.name, parent_handle = target, rekey = "yes")], cb = done) def apply_revoke(self, target, cb): 
@@ -601,16 +649,14 @@ class allocation(object): raise e cb() - if self.is_leaf: - rpki.log.info("Attempting to revoke YAML leaf %s" % self.name) - subprocess.check_call((prog_python, prog_poke, "-y", self.name + ".yaml", "-r", "revoke")) - cb() - elif target is None: + if target is None: rpki.log.info("Revoking <self/> %s" % self.name) - self.call_rpkid([rpki.left_right.self_elt.make_pdu(action = "set", self_handle = self.name, revoke = "yes")], cb = done) + self.call_rpkid([rpki.left_right.self_elt.make_pdu( + action = "set", self_handle = self.name, revoke = "yes")], cb = done) else: rpki.log.info("Revoking <parent/> %s %s" % (self.name, target)) - self.call_rpkid([rpki.left_right.parent_elt.make_pdu(action = "set", self_handle = self.name, parent_handle = target, revoke = "yes")], cb = done) + self.call_rpkid([rpki.left_right.parent_elt.make_pdu( + action = "set", self_handle = self.name, parent_handle = target, revoke = "yes")], cb = done) def __str__(self): s = self.name + "\n" @@ -622,10 +668,6 @@ class allocation(object): if self.sia_base: s += " SIA: %s\n" % self.sia_base return s + "Until: %s\n" % self.resources.valid_until - @property - def is_leaf(self): - #return not self.kids and not self.roa_requests - return False @property def is_root(self): @@ -633,7 +675,7 @@ class allocation(object): @property def is_twig(self): - return not self.is_leaf and not self.is_root + return not self.is_root @property def is_hosted(self): @@ -641,7 +683,7 @@ class allocation(object): @property def is_engine(self): - return not self.is_leaf and not self.is_hosted + return not self.is_hosted def set_engine_number(self, n): """ 
@@ -668,16 +710,13 @@ class allocation(object): Create BPKI certificates for this entity. """ rpki.log.info("Constructing BPKI keys and certs for %s" % self.name) - if self.is_leaf: - setup_bpki_cert_chain(self.name, ee = ("RPKI",)) - else: - setup_bpki_cert_chain(name = self.name, - ee = ("RPKI", "IRDB", "IRBE"), - ca = ("SELF",)) - self.rpkid_ta = rpki.x509.X509(PEM_file = self.name + "-TA.cer") - self.irbe_key = rpki.x509.RSA( PEM_file = self.name + "-IRBE.key") - self.irbe_cert = rpki.x509.X509(PEM_file = self.name + "-IRBE.cer") - self.rpkid_cert = rpki.x509.X509(PEM_file = self.name + "-RPKI.cer") + setup_bpki_cert_chain(name = self.name, + ee = ("RPKI", "IRDB", "IRBE"), + ca = ("SELF",)) + self.rpkid_ta = rpki.x509.X509(PEM_file = self.name + "-TA.cer") + self.irbe_key = rpki.x509.RSA( PEM_file = self.name + "-IRBE.key") + self.irbe_cert = rpki.x509.X509(PEM_file = self.name + "-IRBE.cer") + self.rpkid_cert = rpki.x509.X509(PEM_file = self.name + "-RPKI.cer") def setup_conf_file(self): """ 
@@ -745,24 +784,44 @@ class allocation(object): cur.execute("DELETE FROM registrant_net") cur.execute("DELETE FROM roa_request_prefix") cur.execute("DELETE FROM roa_request") + cur.execute("DELETE FROM ee_certificate_asn") + cur.execute("DELETE FROM ee_certificate_net") + cur.execute("DELETE FROM ee_certificate") + for s in [self] + self.hosts: for kid in s.kids: - cur.execute("SELECT registrant_id FROM registrant WHERE registrant_handle = %s AND registry_handle = %s", (kid.name, s.name)) + cur.execute("SELECT registrant_id FROM registrant WHERE registrant_handle = %s AND registry_handle = %s", + (kid.name, s.name)) registrant_id = cur.fetchone()[0] for as_range in kid.resources.asn: - cur.execute("INSERT registrant_asn (start_as, end_as, registrant_id) VALUES (%s, %s, %s)", (as_range.min, as_range.max, registrant_id)) + cur.execute("INSERT registrant_asn (start_as, end_as, registrant_id) VALUES (%s, %s, %s)", + (as_range.min, as_range.max, registrant_id)) for v4_range in kid.resources.v4: - cur.execute("INSERT registrant_net (start_ip, end_ip, version, registrant_id) VALUES (%s, %s, 4, %s)", (v4_range.min, v4_range.max, registrant_id)) + cur.execute("INSERT registrant_net (start_ip, end_ip, version, registrant_id) VALUES (%s, %s, 4, %s)", + (v4_range.min, v4_range.max, registrant_id)) for v6_range in kid.resources.v6: - cur.execute("INSERT registrant_net (start_ip, end_ip, version, registrant_id) VALUES (%s, %s, 6, %s)", (v6_range.min, v6_range.max, registrant_id)) - cur.execute("UPDATE registrant SET valid_until = %s WHERE registrant_id = %s", (kid.resources.valid_until, registrant_id)) + cur.execute("INSERT registrant_net (start_ip, end_ip, version, registrant_id) VALUES (%s, %s, 6, %s)", + (v6_range.min, v6_range.max, registrant_id)) + cur.execute("UPDATE registrant SET valid_until = %s WHERE registrant_id = %s", + (kid.resources.valid_until, registrant_id)) for r in s.roa_requests: - cur.execute("INSERT roa_request (roa_request_handle, asn) VALUES (%s, %s)", 
(s.name, r.asn)) + cur.execute("INSERT roa_request (self_handle, asn) VALUES (%s, %s)", + (s.name, r.asn)) roa_request_id = cur.lastrowid for version, prefix_set in ((4, r.v4), (6, r.v6)): if prefix_set: - cur.executemany("INSERT roa_request_prefix (roa_request_id, prefix, prefixlen, max_prefixlen, version) VALUES (%s, %s, %s, %s, %s)", - ((roa_request_id, x.prefix, x.prefixlen, x.max_prefixlen, version) for x in prefix_set)) + cur.executemany("INSERT roa_request_prefix " + "(roa_request_id, prefix, prefixlen, max_prefixlen, version) " + "VALUES (%s, %s, %s, %s, %s)", + ((roa_request_id, x.prefix, x.prefixlen, x.max_prefixlen, version) + for x in prefix_set)) + for r in s.router_certs: + cur.execute("INSERT ee_certificate (self_handle, pkcs10, gski, cn, sn, eku, valid_until) " + "VALUES (%s, %s, %s, %s, %s, %s, %s)", + (s.name, r.pkcs10.get_DER(), r.gski, r.cn, r.sn, r.eku, s.resources.valid_until)) + ee_certificate_id = cur.lastrowid + cur.executemany("INSERT ee_certificate_asn (ee_certificate_id, start_as, end_as) VALUES (%s, %s, %s)", + ((ee_certificate_id, a.min, a.max) for a in r.asn)) db.close() def run_daemons(self): @@ -770,7 +829,8 @@ class allocation(object): Run daemons for this entity. """ rpki.log.info("Running daemons for %s" % self.name) - self.rpkid_process = subprocess.Popen((prog_python, prog_rpkid, "-d", "-c", self.name + ".conf") + (("-p", self.name + ".prof") if args.profile else ())) + self.rpkid_process = subprocess.Popen((prog_python, prog_rpkid, "-d", "-c", self.name + ".conf") + + (("-p", self.name + ".prof") if args.profile else ())) self.irdbd_process = subprocess.Popen((prog_python, prog_irdbd, "-d", "-c", self.name + ".conf")) def kill_daemons(self): @@ -844,8 +904,6 @@ class allocation(object): if reverse: certifier = certificant certificant = self.name + "-SELF" - elif self.is_leaf: - certifier = self.name + "-TA" else: certifier = self.name + "-SELF" certfile = certifier + "-" + certificant + ".cer" 
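Review bot: The new `ee_certificate` insert at the end of the hunk writes only ASN resources (`ee_certificate_asn`) and never populates `ee_certificate_net`, while the DELETE block at the top now clears all three tables; a one-line `# router certs carry ASNs only: ee_certificate_net is cleared but never populated here` next to the loop would stop a reader from hunting for a missing insert. `r.eku` is handed to the driver as whatever type `rpki.oids.id_kp_bgpsec_router` is; if that is not a plain string, how the adapter encodes it for the TEXT column is not guaranteed, so `str(r.eku)` (or a check that it already is one) would be safer — confirm against rpki.oids. The enclosing `setup_sql` method starts before this hunk, so its docstring, outside the diff, should also be updated to mention the ee_certificate tables.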
@@ -901,7 +959,7 @@ class allocation(object): #10 requests we get back when we tell rpkid to generate BSC keys. """ - assert not self.is_hosted and not self.is_leaf + assert not self.is_hosted selves = [self] + self.hosts @@ -948,7 +1006,7 @@ class allocation(object): self_handle = s.name, child_handle = k.name, bsc_handle = "b", - bpki_cert = s.cross_certify(k.name + ("-TA" if k.is_leaf else "-SELF")))) + bpki_cert = s.cross_certify(k.name + "-SELF"))) if s.is_root: rootd_cert = s.cross_certify(rootd_name + "-TA") @@ -974,7 +1032,8 @@ class allocation(object): bpki_cms_cert = s.cross_certify(s.parent.name + "-SELF"), sender_name = s.name, recipient_name = s.parent.name, - peer_contact_uri = "http://localhost:%s/up-down/%s/%s" % (s.parent.get_rpki_port(), s.parent.name, s.name))) + peer_contact_uri = "http://localhost:%s/up-down/%s/%s" % (s.parent.get_rpki_port(), + s.parent.name, s.name))) def one(): call_pubd(pubd_pdus, cb = two) @@ -992,7 +1051,8 @@ class allocation(object): b = bsc_dict[s.name] rpki.log.info("Issuing BSC EE cert for %s" % s.name) - cmd = (prog_openssl, "x509", "-req", "-sha256", "-extfile", s.name + "-RPKI.conf", "-extensions", "req_x509_ext", "-days", "30", + cmd = (prog_openssl, "x509", "-req", "-sha256", "-extfile", s.name + "-RPKI.conf", + "-extensions", "req_x509_ext", "-days", "30", "-CA", s.name + "-SELF.cer", "-CAkey", s.name + "-SELF.key", "-CAcreateserial", "-text") signer = subprocess.Popen(cmd, stdin = subprocess.PIPE, stdout = subprocess.PIPE, stderr = subprocess.PIPE) signed = signer.communicate(input = b.pkcs10_request.get_PEM()) 
@@ -1248,8 +1308,8 @@ def set_pubd_crl(cb): updated whenever we update the CRL. """ rpki.log.info("Setting pubd's BPKI CRL") - call_pubd([rpki.publication.config_elt.make_pdu(action = "set", bpki_crl = rpki.x509.CRL(Auto_file = pubd_name + "-TA.crl"))], - cb = lambda ignored: cb()) + crl = rpki.x509.CRL(Auto_file = pubd_name + "-TA.crl") + call_pubd([rpki.publication.config_elt.make_pdu(action = "set", bpki_crl = crl)], cb = lambda ignored: cb()) last_rcynic_run = None 
@@ -1314,22 +1374,44 @@ bpki_cert_fmt_2 = '''\ ''' bpki_cert_fmt_3 = '''\ -%(openssl)s req -new -sha256 -key %(name)s-%(kind)s.key -out %(name)s-%(kind)s.req -config %(name)s-%(kind)s.conf && +%(openssl)s req -new \ + -sha256 \ + -key %(name)s-%(kind)s.key \ + -out %(name)s-%(kind)s.req \ + -config %(name)s-%(kind)s.conf && touch %(name)s-%(kind)s.idx && echo >%(name)s-%(kind)s.cnm 01 && ''' bpki_cert_fmt_4 = '''\ -%(openssl)s x509 -req -sha256 -in %(name)s-TA.req -out %(name)s-TA.cer -extfile %(name)s-TA.conf -extensions req_x509_ext -signkey %(name)s-TA.key -days 60 -text \ +%(openssl)s x509 -req -sha256 \ + -in %(name)s-TA.req \ + -out %(name)s-TA.cer \ + -extfile %(name)s-TA.conf \ + -extensions req_x509_ext \ + -signkey %(name)s-TA.key \ + -days 60 -text \ ''' bpki_cert_fmt_5 = ''' && \ -%(openssl)s x509 -req -sha256 -in %(name)s-%(kind)s.req -out %(name)s-%(kind)s.cer -extfile %(name)s-%(kind)s.conf -extensions req_x509_ext -days 30 -text \ - -CA %(name)s-TA.cer -CAkey %(name)s-TA.key -CAcreateserial \ +%(openssl)s x509 -req \ + -sha256 \ + -in %(name)s-%(kind)s.req \ + -out %(name)s-%(kind)s.cer \ + -extfile %(name)s-%(kind)s.conf \ + -extensions req_x509_ext \ + -days 30 \ + -text \ + -CA %(name)s-TA.cer \ + -CAkey %(name)s-TA.key \ + -CAcreateserial \ ''' bpki_cert_fmt_6 = ''' && \ -%(openssl)s ca -batch -gencrl -out %(name)s-%(kind)s.crl -config %(name)s-%(kind)s.conf \ +%(openssl)s ca -batch \ + -gencrl \ + -out %(name)s-%(kind)s.crl \ + -config %(name)s-%(kind)s.conf \ ''' yaml_fmt_1 = '''--- 
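Review bot: The reflowed `bpki_cert_fmt_3` to `bpki_cert_fmt_6` templates still interpolate `%(name)s`, `%(kind)s` and `%(openssl)s` into an unquoted shell command line, so an entity name containing whitespace or a shell metacharacter would be word-split or interpreted by the shell instead of reaching openssl verbatim. The names come from the test YAML, so the exposure is limited, but quoting each path operand (`-key '%(name)s-%(kind)s.key'`, and likewise for `-out`, `-config`, `-in`, `-extfile`, `-CA` and `-CAkey`) costs nothing and makes the templates safe for arbitrary names. The fragments also depend on the trailing `\` at the end of `bpki_cert_fmt_4` and `_5` pairing with the leading ` && \` of the next template; a short comment above `bpki_cert_fmt_3` stating that these pieces are concatenated into one shell command line (presumably by the caller, which is outside this hunk) would help the next editor preserve that invariant.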
@@ -1467,11 +1549,16 @@ authorityKeyIdentifier = keyid:always basicConstraints = critical,CA:true subjectKeyIdentifier = hash keyUsage = critical,keyCertSign,cRLSign -subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:%(rootd_sia)sroot/,1.3.6.1.5.5.7.48.10;URI:%(rootd_sia)sroot/root.mft +subjectInfoAccess = @sia sbgp-autonomousSysNum = critical,AS:0-4294967295 sbgp-ipAddrBlock = critical,IPv4:0.0.0.0/0,IPv6:0::/0 certificatePolicies = critical, @rpki_certificate_policy +[sia] + +1.3.6.1.5.5.7.48.5;URI = %(rootd_sia)sroot/ +1.3.6.1.5.5.7.48.10;URI = %(rootd_sia)sroot/root.mft + [rpki_certificate_policy] policyIdentifier = 1.3.6.1.5.5.7.14.2 @@ -1484,10 +1571,20 @@ rootd_fmt_2 = '''\ rootd_fmt_3 = '''\ echo >%(rootd_name)s.tal %(rootd_sia)sroot.cer && echo >>%(rootd_name)s.tal && -%(openssl)s rsa -pubout -in root.key | awk '!/-----(BEGIN|END)/' >>%(rootd_name)s.tal && -%(openssl)s req -new -sha256 -key root.key -out %(rootd_name)s.req -config %(rootd_name)s.conf -text -extensions req_x509_rpki_ext && -%(openssl)s x509 -req -sha256 -in %(rootd_name)s.req -out root.cer -outform DER -extfile %(rootd_name)s.conf -extensions req_x509_rpki_ext \ - -signkey root.key && +%(openssl)s rsa -pubout -in root.key | +awk '!/-----(BEGIN|END)/' >>%(rootd_name)s.tal && +%(openssl)s req -new -text -sha256 \ + -key root.key \ + -out %(rootd_name)s.req \ + -config %(rootd_name)s.conf \ + -extensions req_x509_rpki_ext && +%(openssl)s x509 -req -sha256 \ + -in %(rootd_name)s.req \ + -out root.cer \ + -outform DER \ + -extfile %(rootd_name)s.conf \ + -extensions req_x509_rpki_ext \ + -signkey root.key && ln -f root.cer %(rsyncd_dir)s ''' diff --git a/rpkid/tests/testpoke.py b/rpkid/tests/testpoke.py index 00dbc300..fd5ab206 100644 --- a/rpkid/tests/testpoke.py +++ b/rpkid/tests/testpoke.py @@ -36,7 +36,6 @@ import rpki.http import rpki.config import rpki.exceptions import rpki.relaxng -import rpki.oids import rpki.log import rpki.async 
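Review bot: In `rootd_fmt_3` the TAL's key material comes from `%(openssl)s rsa -pubout -in root.key | awk '!/-----(BEGIN|END)/' >>%(rootd_name)s.tal &&`, and the `&&` chain sees only awk's exit status, so a failing `openssl rsa` (missing or unreadable `root.key`) leaves a TAL that has a URI but no public key while the script carries on to request and self-sign the root certificate. Unless the shell that runs this template has `pipefail` set (not visible here), splitting the step removes the masking: `%(openssl)s rsa -pubout -in root.key -out root.pub &&` followed by `awk '!/-----(BEGIN|END)/' root.pub >>%(rootd_name)s.tal &&`. The command itself predates this commit and the hunk only reflows it, but the reflow is the natural moment to fix it.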
diff --git a/rpkid/tests/yamlconf.py b/rpkid/tests/yamlconf.py index 81698fbf..3c71d3cd 100644 --- a/rpkid/tests/yamlconf.py +++ b/rpkid/tests/yamlconf.py @@ -467,7 +467,7 @@ class allocation(object): root_cert = rpki.x509.X509.self_certify( keypair = root_key, - subject_key = root_key.get_RSApublic(), + subject_key = root_key.get_public(), serial = 1, sia = root_sia, notAfter = rpki.sundial.now() + rpki.sundial.timedelta(days = 365), @@ -481,7 +481,7 @@ class allocation(object): with open(cleanpath(test_dir, "root.tal"), "w") as f: f.write("rsync://%s/root/root.cer\n\n%s" % ( - self.rsync_server, root_key.get_RSApublic().get_Base64())) + self.rsync_server, root_key.get_public().get_Base64())) def mkdir(self, *path): path = self.path(*path) diff --git a/rpkid/tests/yamltest.py b/rpkid/tests/yamltest.py index 08da81f3..5eb3bd2f 100644 --- a/rpkid/tests/yamltest.py +++ b/rpkid/tests/yamltest.py @@ -46,12 +46,14 @@ import sys import yaml import signal import time +import lxml.etree import rpki.resource_set import rpki.sundial import rpki.config import rpki.log import rpki.csv_utils import rpki.x509 +import rpki.relaxng # Nasty regular expressions for parsing config files. Sadly, while # the Python ConfigParser supports writing config files, it does so in 
@@ -109,6 +111,41 @@ class roa_request(object): """ return cls(y.get("asn"), y.get("ipv4"), y.get("ipv6")) + +class router_cert(object): + """ + Representation for a router_cert object. + """ + + _ecparams = None + + @classmethod + def ecparams(cls): + if cls._ecparams is None: + cls._ecparams = rpki.x509.KeyParams.generateEC() + return cls._ecparams + + def __init__(self, asn, router_id): + self.asn = rpki.resource_set.resource_set_as("".join(str(asn).split())) + self.router_id = router_id + self.keypair = rpki.x509.ECDSA.generate(self.ecparams()) + self.pkcs10 = rpki.x509.PKCS10.create(keypair = self.keypair) + self.gski = self.pkcs10.gSKI() + + def __eq__(self, other): + return self.asn == other.asn and self.router_id == other.router_id and self.gski == other.gski + + def __hash__(self): + v6 = tuple(self.v6) if self.v6 is not None else None + return tuple(self.asn).__hash__() + self.router_id.__hash__() + self.gski.__hash__() + + def __str__(self): + return "%s: %s: %s" % (self.asn, self.router_id, self.gski) + + @classmethod + def parse(cls, yaml): + return cls(yaml.get("asn"), yaml.get("router_id")) + class allocation_db(list): """ Our allocation database. @@ -207,6 +244,7 @@ class allocation(object): if "regen_margin" in yaml: self.regen_margin = rpki.sundial.timedelta.parse(yaml["regen_margin"]).convert_to_seconds() self.roa_requests = [roa_request.parse(y) for y in yaml.get("roa_request", yaml.get("route_origin", ()))] + self.router_certs = [router_cert.parse(y) for y in yaml.get("router_cert", ())] if "ghostbusters" in yaml: self.ghostbusters = yaml.get("ghostbusters") elif "ghostbuster" in yaml: @@ -218,6 +256,8 @@ class allocation(object): self.base.v4 |= r.v4.to_resource_set() if r.v6: self.base.v6 |= r.v6.to_resource_set() + for r in self.router_certs: + self.base.asn |= r.asn self.hosted_by = yaml.get("hosted_by") self.hosts = [] if not self.is_hosted: 
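Review bot: `router_cert.__hash__` reads `self.v6`, which `__init__` never sets (it assigns only `asn`, `router_id`, `keypair`, `pkcs10` and `gski`), so hashing any instance — putting one in a set or using it as a dict key — raises AttributeError; the `v6` line looks copied from `roa_request` and its result is not used anyway. Since `__eq__` compares `asn`, `router_id` and `gski`, the hash should be built from exactly those three fields: `def __hash__(self):` / `return hash((tuple(self.asn), self.router_id, self.gski))`. `parse` also forwards `yaml.get(...)` defaults of None, so a `router_cert` entry missing `asn` or `router_id` presumably fails later inside `resource_set_as("None")` rather than with a clear message; `cls(yaml["asn"], yaml["router_id"])` would surface the missing key directly. The shared class-level EC parameters are fine for a test harness, but a comment on `ecparams` saying the parameter set is generated once and reused for every router key (keys themselves are still fresh per instance) would prevent someone reading it as key reuse.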
@@ -365,6 +405,28 @@ class allocation(object): if not args.stop_after_config: self.run_rpkic("load_ghostbuster_requests", fn) + def dump_router_certificates(self): + """ + Write EE certificates (router certificates, etc). + """ + if self.router_certs: + fn = "%s.routercerts.xml" % d.name + if not args.skip_config: + path = self.path(fn) + print "Writing", path + xmlns = "{http://www.hactrn.net/uris/rpki/router-certificate/}" + xml = lxml.etree.Element(xmlns + "router_certificate_requests", version = "1") + for r in self.router_certs: + x = lxml.etree.SubElement(xml, xmlns + "router_certificate_request", + router_id = str(r.router_id), + asn = str(r.asn), + valid_until = str(self.resources.valid_until)) + x.text = r.pkcs10.get_Base64() + rpki.relaxng.router_certificate.assertValid(xml) + lxml.etree.ElementTree(xml).write(path, pretty_print = True) + if not args.stop_after_config: + self.run_rpkic("add_router_certificate_request", fn) + @property def pubd(self): """ @@ -553,7 +615,7 @@ def create_root_certificate(db_root): root_cert = rpki.x509.X509.self_certify( keypair = root_key, - subject_key = root_key.get_RSApublic(), + subject_key = root_key.get_public(), serial = 1, sia = root_sia, notAfter = rpki.sundial.now() + rpki.sundial.timedelta(days = 365), @@ -569,7 +631,7 @@ def create_root_certificate(db_root): f = open(os.path.join(test_dir, "root.tal"), "w") f.write("rsync://localhost:%d/root/root.cer\n\n" % db_root.pubd.rsync_port) - f.write(root_key.get_RSApublic().get_Base64()) + f.write(root_key.get_public().get_Base64()) f.close() @@ -761,6 +823,7 @@ try: d.dump_prefixes() d.dump_roas() d.dump_ghostbusters() + d.dump_router_certificates() # Wait until something terminates. |
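Review bot: `dump_router_certificates` builds its filename from `d.name` instead of `self.name`, so it only works because the caller at the bottom of the file loops with a module-level `d` (`d.dump_router_certificates()`); called from anywhere else it would presumably raise NameError or, worse, silently name the file after whichever entity `d` last referred to. The fix is one line: `fn = "%s.routercerts.xml" % self.name`. Validating with `rpki.relaxng.router_certificate.assertValid(xml)` before writing is the right order, and is worth stating in the docstring, which currently says only "Write EE certificates (router certificates, etc)"; say that the file is a `router_certificate_requests` document holding one base64 PKCS#10 per configured `router_cert`, schema-checked before it is written, and that it is then handed to `rpkic add_router_certificate_request` unless `args.stop_after_config` is set.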