author | Rob Austein <sra@hactrn.net> | 2013-10-01 19:40:58 +0000 |
committer | Rob Austein <sra@hactrn.net> | 2013-10-01 19:40:58 +0000 |
commit | 0a169990ab2e3c1bb1b91354499aaba4289fd862 (patch) | |
tree | ab5a67aec11448b1ac1b38c647b5771340b2e450 /rpkid | |
parent | 2159324599c3cc0237540a70b072b4837f5a8e19 (diff) |
Map a few more exceptions to proper up-down protocol error codes,
teach rootd to generate same. Whack rootd's lame CRL generation code
to account for subject certificates overwritten by rekey and to time
entries out of the CRL.
svn path=/trunk/; revision=5538
Diffstat (limited to 'rpkid')
-rw-r--r-- | rpkid/rpki/rootd.py | 21 | ||||
-rw-r--r-- | rpkid/rpki/up_down.py | 30 |
2 files changed, 45 insertions, 6 deletions
diff --git a/rpkid/rpki/rootd.py b/rpkid/rpki/rootd.py
index 09b792ea..7cfcb957 100644
--- a/rpkid/rpki/rootd.py
+++ b/rpkid/rpki/rootd.py
@@ -75,8 +75,13 @@ class revoke_pdu(rpki.up_down.revoke_pdu):
 def serve_pdu(self, q_msg, r_msg, ignored, callback, errback):
 rpki.log.debug("Revocation requested for SKI %s" % self.ski)
 subject_cert = rootd.get_subject_cert()
- if subject_cert is None or subject_cert.gSKI() != self.ski:
+ if subject_cert is None:
+ rpki.log.debug("No subject certificate, nothing to revoke")
 raise rpki.exceptions.NotInDatabase
+ if subject_cert.gSKI() != self.ski:
+ rpki.log.debug("Subject certificate has different SKI %s, not revoking" % subject_cert.gSKI())
+ raise rpki.exceptions.NotInDatabase
+ rpki.log.debug("Revoking certificate %s" % self.ski)
 now = rpki.sundial.now()
 rootd.revoke_subject_cert(now)
 rootd.del_subject_cert()
@@ -87,6 +92,11 @@ class revoke_pdu(rpki.up_down.revoke_pdu):
 r_msg.payload.ski = self.ski
 callback()
+class error_response_pdu(rpki.up_down.error_response_pdu):
+ exceptions = rpki.up_down.error_response_pdu.exceptions.copy()
+ exceptions[rpki.exceptions.ClassNameUnknown, revoke_pdu] = 1301
+ exceptions[rpki.exceptions.NotInDatabase, revoke_pdu] = 1302
+
 class message_pdu(rpki.up_down.message_pdu):
 name2type = {
@@ -96,10 +106,12 @@ class message_pdu(rpki.up_down.message_pdu):
 "issue_response" : rpki.up_down.issue_response_pdu,
 "revoke" : revoke_pdu,
 "revoke_response" : rpki.up_down.revoke_response_pdu,
- "error_response" : rpki.up_down.error_response_pdu }
+ "error_response" : error_response_pdu }
 type2name = dict((v, k) for k, v in name2type.items())
+ error_pdu_type = error_response_pdu
+
 def log_query(self, child):
 """
 Log query we're handling.
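Review bot: The new rootd `error_response_pdu` subclass has no docstring, so the copied table and the re-keying on rootd's own `revoke_pdu` read as an accidental duplicate of the 1301/1302 entries that up_down.py defines in the same commit. As far as the diff shows, up_down's `__init__` looks the pair up with `type(request_payload)` as an exact dict key, so the base entries keyed on rpki.up_down.revoke_pdu would never match rootd's subclass — presumably the reason for this override, but worth confirming. Suggest a docstring such as `"""Error response PDU with rootd-specific status codes. The parent table is copied so the base mapping is not mutated, and re-keyed on rootd's revoke_pdu because the lookup matches the request payload's exact type."""`.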
@@ -171,12 +183,15 @@ class main(object):
 self.set_subject_pkcs10(new_pkcs10)
 if subject_cert is not None:
 rpki.log.debug("PKCS #10 changed, regenerating subject certificate")
+ self.revoke_subject_cert(now)
 subject_cert = None
 if subject_cert is not None and subject_cert.getNotAfter() <= now + self.rpki_subject_regen:
 rpki.log.debug("Subject certificate has reached expiration threshold, regenerating")
+ self.revoke_subject_cert(now)
 subject_cert = None
 if subject_cert is not None and self.root_newer_than_subject():
 rpki.log.debug("Root certificate has changed, regenerating subject")
+ self.revoke_subject_cert(now)
 subject_cert = None
 self.get_root_cert()
 if subject_cert is not None:
@@ -209,6 +224,8 @@ class main(object):
 subject_cert = self.get_subject_cert()
 self.next_serial_number()
 self.next_crl_number()
+ while self.revoked and self.revoked[0][1] + 2 * self.rpki_subject_regen < now:
+ del self.revoked[0]
 crl = rpki.x509.CRL.generate(
 keypair = self.rpki_root_key,
 issuer = self.rpki_root_cert,
diff --git a/rpkid/rpki/up_down.py b/rpkid/rpki/up_down.py
index c9a54702..02ef66e4 100644
--- a/rpkid/rpki/up_down.py
+++ b/rpkid/rpki/up_down.py
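Review bot: The new `while` loop in the second hunk drops a CRL entry once `self.revoked[0][1] + 2 * self.rpki_subject_regen` is in the past, but nothing in the hunk ties that bound to the revoked certificate's own notAfter. If `self.revoked[0][1]` is the revocation time rather than the certificate's expiry, a certificate whose validity outlasts twice the regeneration interval would vanish from the CRL while still unexpired, which defeats the check a relying party performs; RFC 5280 allows an entry to be removed only after the certificate's validity period has ended. The loop also relies on `self.revoked` being ordered oldest-first, which holds only if entries are appended in time order elsewhere. Suggest recording the revoked certificate's notAfter with the serial and using it as the removal criterion, or at least a comment such as `# Entries may only age out once the revoked cert itself has expired; 2 * regen interval is assumed to bound that -- confirm against subject cert lifetime`. The enclosing method starts and ends outside the hunk.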
@@ -539,16 +539,36 @@ class error_response_pdu(base_elt):
 2001 : "Internal Server Error - Request not performed" }
 exceptions = {
- rpki.exceptions.NoActiveCA : 1202 }
+ rpki.exceptions.NoActiveCA : 1202,
+ (rpki.exceptions.ClassNameUnknown, revoke_pdu) : 1301,
+ rpki.exceptions.ClassNameUnknown : 1201,
+ (rpki.exceptions.NotInDatabase, revoke_pdu) : 1302 }
- def __init__(self, exception = None):
+ def __init__(self, exception = None, request_payload = None):
 """
 Initialize an error_response PDU from an exception object.
 """
 base_elt.__init__(self)
 if exception is not None:
- self.status = self.exceptions.get(type(exception), 2001)
+ rpki.log.debug("Constructing up-down error response from exception %s" % exception)
+ exception_type = type(exception)
+ request_type = None if request_payload is None else type(request_payload)
+ rpki.log.debug("Constructing up-down error response: exception_type %s, request_type %s" % (
+ exception_type, request_type))
+ if False:
+ self.status = self.exceptions.get((exception_type, request_type),
+ self.exceptions.get(exception_type,
+ 2001))
+ else:
+ self.status = self.exceptions.get((exception_type, request_type))
+ if self.status is None:
+ rpki.log.debug("No request-type-specific match, trying exception match")
+ self.status = self.exceptions.get(exception_type)
+ if self.status is None:
+ rpki.log.debug("No exception match either, defaulting")
+ self.status = 2001
 self.description = str(exception)
+ rpki.log.debug("Chosen status code: %s" % self.status)
 def endElement(self, stack, name, text):
 """
@@ -606,6 +626,8 @@ class message_pdu(base_elt):
 type2name = dict((v, k) for k, v in name2type.items())
+ error_pdu_type = error_response_pdu
+
 def toXML(self):
 """
 Generate payload of message PDU.
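Review bot: The `if False:` branch added to `__init__` is dead code that duplicates the live `else:` lookup; delete the `if False:` block and the `else:` line and dedent its body, or keep the compact nested `get` form alone and drop the logging variant. Shipping both makes the status-code selection harder to audit, since only the logged path ever executes. The `exceptions` table now mixes plain exception-class keys with `(exception class, request PDU class)` tuple keys, and the precedence lives only in the lookup code; a comment above the table such as `# keys are an exception class or (exception class, request PDU class); the tuple form is tried first` would document that contract where the entries are added.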
@@ -674,7 +696,7 @@ class message_pdu(base_elt):
 r_msg = message_pdu()
 r_msg.sender = self.recipient
 r_msg.recipient = self.sender
- r_msg.payload = error_response_pdu(exception)
+ r_msg.payload = self.error_pdu_type(exception, self.payload)
 r_msg.type = self.type2name[type(r_msg.payload)]
 return r_msg |