authorRob Austein <sra@hactrn.net>2008-03-27 23:40:44 +0000
committerRob Austein <sra@hactrn.net>2008-03-27 23:40:44 +0000
commit5aa99a66a4cd1064eda1880879e034b7ae8058ac (patch)
tree631cbfda17e2ce633228795afe702d07db922ab8 /rpkid
parente1e5eb6d4541d865b1fcda093c90da8ba93b537b (diff)
Finally got client cert checks working with tlslite -- then promptly
disabled them again in testbed.py (commented out in generated config), because I need to rework the internal trust anchor setup before the up-down protocol will have a prayer of working with this enabled. svn path=/rpkid/OPERATION; revision=1565
Diffstat (limited to 'rpkid')
-rw-r--r--rpkid/OPERATION44
-rwxr-xr-xrpkid/irbe-cli.py4
-rwxr-xr-xrpkid/irdbd.py13
-rwxr-xr-xrpkid/rootd.py6
-rw-r--r--rpkid/rpki/https.py34
-rw-r--r--rpkid/rpki/left_right.py2
-rwxr-xr-xrpkid/rpkid.py16
-rw-r--r--rpkid/testbed.py33
8 files changed, 91 insertions, 61 deletions
diff --git a/rpkid/OPERATION b/rpkid/OPERATION
index a3f3841d..d9e08acd 100644
--- a/rpkid/OPERATION
+++ b/rpkid/OPERATION
@@ -134,22 +134,22 @@ cms-ta-irbe: Name of file containing CMS trust anchor to
cms-key: Name of file containing RSA key to use when
signing CMS messages to IRBE or irdbd.
-cms-certs: Name(s) of file(s) containing certificate(s)
+cms-cert: Name(s) of file(s) containing certificate(s)
to include in CMS wrapper when signing
messages to IRBE or irdbd. You can specify
more than one certificate using OpenSSL-style
- subscripts: cms-certs.0, cms-certs.1, etc.
+ subscripts: cms-cert.0, cms-cert.1, etc.
https-key: Name of file containing RSA key to use, both
in the HTTPS server role (for both up-down and
left-right protocols) and in the HTTPS client
role (left-right protocol only).
-https-certs: Name(s) of file(s) containing certificate(s)
+https-cert: Name(s) of file(s) containing certificate(s)
to use in same contexts where https-key is
used. You can specify more than one
certificate using OpenSSL-style subscripts:
- https-certs.0, https-certs.1, etc.
+ https-cert.0, https-cert.1, etc.
https-ta: Name of file containing trust anchor to use
when verifying irdbd's HTTPS server
@@ -195,20 +195,20 @@ cms-ta: Name of file containing trust anchor to use
cms-key: Name of file containing RSA key to use when
signing CMS up-down replies.
-cms-certs: Name(s) of file(s) containing certificate(s)
+cms-cert: Name(s) of file(s) containing certificate(s)
to include in CMS wrapper when signing up-down
replies. You can specify more than one
certificate using OpenSSL-style subscripts:
- cms-certs.0, cms-certs.1, etc.
+ cms-cert.0, cms-cert.1, etc.
https-key: Name of file containing RSA key to use in the
HTTPS server role for the up-down protocol.
-https-certs: Name(s) of file(s) containing certificate(s)
+https-cert: Name(s) of file(s) containing certificate(s)
to use in the HTTPS server role for the
up-down protocol. You can specify more than
one certificate using OpenSSL-style
- subscripts: https-certs.0, https-certs.1,
+ subscripts: https-cert.0, https-cert.1,
etc.
https-server-host: Hostname or IP address on which to listen for
@@ -276,21 +276,21 @@ cms-ta: Name of file containing CMS trust anchor to
cms-key: Name of file containing RSA key to use when
signing CMS messages to rpkid.
-cms-certs: Name(s) of file(s) containing certificate(s)
+cms-cert: Name(s) of file(s) containing certificate(s)
to include in CMS wrapper when signing
messages to rpkid. You can specify more than
one certificate using OpenSSL-style
- subscripts: cms-certs.0, cms-certs.1, etc.
+ subscripts: cms-cert.0, cms-cert.1, etc.
https-key: Name of file containing RSA key to use in the
HTTPS server role when listening for
connections from rpkid.
-https-certs: Name(s) of file(s) containing certificate(s)
+https-cert: Name(s) of file(s) containing certificate(s)
to use in the HTTPS server role when listening
for connections from rpkid. You can specify
more than one certificate using OpenSSL-style
- subscripts: https-certs.0, https-certs.1, etc.
+ subscripts: https-cert.0, https-cert.1, etc.
https-url: Service URL for irdbd. Must be a https:// URL.
@@ -378,20 +378,20 @@ cms-ta: Name of file containing CMS trust anchor to
cms-key: Name of file containing RSA key to use when
signing CMS messages to rpkid.
-cms-certs: Name(s) of file(s) containing certificate(s)
+cms-cert: Name(s) of file(s) containing certificate(s)
to include in CMS wrapper when signing
messages to rpkid. You can specify more than
one certificate using OpenSSL-style
- subscripts: cms-certs.0, cms-certs.1, etc.
+ subscripts: cms-cert.0, cms-cert.1, etc.
https-key: Name of file containing RSA key to use in the
HTTPS client role when contacting rpkid.
-https-certs: Name(s) of file(s) containing certificate(s)
+https-cert: Name(s) of file(s) containing certificate(s)
to use in the HTTPS client role when
contacting rpkid. You can specify more than
one certificate using OpenSSL-style
- subscripts: https-certs.0, https-certs.1,
+ subscripts: https-cert.0, https-cert.1,
etc.
https-ta: Name of file containing trust anchor to use
@@ -417,20 +417,20 @@ cms-ta: Name of file containing CMS trust anchor to
cms-key: Name of file containing RSA key to use when
signing CMS messages to rpkid.
-cms-certs: Name(s) of file(s) containing certificate(s)
+cms-cert: Name(s) of file(s) containing certificate(s)
to include in CMS wrapper when signing
messages to rpkid. You can specify more than
one certificate using OpenSSL-style
- subscripts: cms-certs.0, cms-certs.1, etc.
+ subscripts: cms-cert.0, cms-cert.1, etc.
https-key: Name of file containing RSA key to use in the
HTTPS client role when contacting rpkid.
-https-certs: Name(s) of file(s) containing certificate(s)
+https-cert: Name(s) of file(s) containing certificate(s)
to use in the HTTPS client role when
contacting rpkid. You can specify more than
one certificate using OpenSSL-style
- subscripts: https-certs.0, https-certs.1,
+ subscripts: https-cert.0, https-cert.1,
etc.
https-ta: Name of file containing trust anchor to use
@@ -472,11 +472,11 @@ Config file options:
https-key: Name of file containing RSA key to use in the
HTTPS client role when contacting rpkid.
-https-certs: Name(s) of file(s) containing certificate(s)
+https-cert: Name(s) of file(s) containing certificate(s)
to use in the HTTPS client role when
contacting rpkid. You can specify more than
one certificate using OpenSSL-style
- subscripts: https-certs.0, https-certs.1,
+ subscripts: https-cert.0, https-cert.1,
etc.
https-ta: Name of file containing trust anchor to use
diff --git a/rpkid/irbe-cli.py b/rpkid/irbe-cli.py
index b6ce7479..af75d430 100755
--- a/rpkid/irbe-cli.py
+++ b/rpkid/irbe-cli.py
@@ -179,10 +179,10 @@ except lxml.etree.DocumentInvalid:
q_cms = rpki.cms.sign(q_xml,
rpki.x509.RSA(Auto_file = cfg.get("cms-key")),
- rpki.x509.X509_chain(Auto_files = cfg.multiget("cms-certs")))
+ rpki.x509.X509_chain(Auto_files = cfg.multiget("cms-cert")))
r_cms = rpki.https.client(privateKey = rpki.x509.RSA(Auto_file = cfg.get("https-key")),
- certChain = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-certs")),
+ certChain = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-cert")),
x509TrustList = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-ta")),
url = cfg.get("https-url"),
msg = q_cms)
diff --git a/rpkid/irdbd.py b/rpkid/irdbd.py
index d7ecca2b..18c75bff 100755
--- a/rpkid/irdbd.py
+++ b/rpkid/irdbd.py
@@ -113,7 +113,7 @@ cur = db.cursor()
cms_ta = rpki.x509.X509(Auto_file = cfg.get("cms-ta"))
cms_key = rpki.x509.RSA(Auto_file = cfg.get("cms-key"))
-cms_certs = rpki.x509.X509_chain(Auto_files = cfg.multiget("cms-certs"))
+cms_certs = rpki.x509.X509_chain(Auto_files = cfg.multiget("cms-cert"))
u = urlparse.urlparse(cfg.get("https-url"))
@@ -124,8 +124,9 @@ assert u.scheme in ("", "https") and \
u.query == "" and \
u.fragment == ""
-rpki.https.server(privateKey = rpki.x509.RSA(Auto_file = cfg.get("https-key")),
- certChain = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-certs")),
- host = u.hostname or "localhost",
- port = u.port or 443,
- handlers = ((u.path, handler),))
+rpki.https.server(privateKey = rpki.x509.RSA(Auto_file = cfg.get("https-key")),
+ certChain = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-cert")),
+ x509TrustList = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-ta")),
+ host = u.hostname or "localhost",
+ port = u.port or 443,
+ handlers = ((u.path, handler),))
diff --git a/rpkid/rootd.py b/rpkid/rootd.py
index 06819ff0..feae6e91 100755
--- a/rpkid/rootd.py
+++ b/rpkid/rootd.py
@@ -177,10 +177,11 @@ cfg = rpki.config.parser(cfg_file, "rootd")
cms_ta = rpki.x509.X509(Auto_file = cfg.get("cms-ta"))
cms_key = rpki.x509.RSA(Auto_file = cfg.get("cms-key"))
-cms_certs = rpki.x509.X509_chain(Auto_files = cfg.multiget("cms-certs"))
+cms_certs = rpki.x509.X509_chain(Auto_files = cfg.multiget("cms-cert"))
https_key = rpki.x509.RSA(Auto_file = cfg.get("https-key"))
-https_certs = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-certs"))
+https_certs = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-cert"))
+https_ta = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-ta"))
https_server_host = cfg.get("server-host", "")
https_server_port = int(cfg.get("server-port"))
@@ -197,6 +198,7 @@ rootd_cert = cfg.get("rootd_cert", rootd_base + "rootd.cer")
rpki.https.server(privateKey = https_key,
certChain = https_certs,
+ x509TrustList = https_ta,
host = https_server_host,
port = https_server_port,
handlers = up_down_handler)
diff --git a/rpkid/rpki/https.py b/rpkid/rpki/https.py
index bca5a8b1..fe36cfc9 100644
--- a/rpkid/rpki/https.py
+++ b/rpkid/rpki/https.py
@@ -106,29 +106,45 @@ class requestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
class httpServer(tlslite.api.TLSSocketServerMixIn, BaseHTTPServer.HTTPServer):
"""Derived type to handle TLS aspects of HTTPS."""
- rpki_certChain = None
- rpki_privateKey = None
rpki_sessionCache = None
+ rpki_privateKey = None
+ rpki_certChain = None
+ rpki_checker = None
def handshake(self, tlsConnection):
"""TLS handshake handler."""
- assert self.rpki_certChain is not None
- assert self.rpki_privateKey is not None
+ assert self.rpki_certChain is not None
+ assert self.rpki_privateKey is not None
assert self.rpki_sessionCache is not None
try:
+ #
# We could add a "settings = foo" argument to the following call
# to pass in a tlslite.HandshakeSettings object that would let
# us insist on, eg, particular SSL/TLS versions.
+ #
tlsConnection.handshakeServer(certChain = self.rpki_certChain,
privateKey = self.rpki_privateKey,
- sessionCache = self.rpki_sessionCache)
+ sessionCache = self.rpki_sessionCache,
+ checker = self.rpki_checker,
+ reqCert = self.rpki_checker is not None)
tlsConnection.ignoreAbruptClose = True
return True
except tlslite.api.TLSError, error:
rpki.log.warn("TLS handshake failure: " + str(error))
return False
-def server(handlers, privateKey, certChain, port = 4433, host = ""):
+class Checker(tlslite.api.Checker):
+ """Derived class to add a logging wrapper."""
+
+ def __call__(self, tlsConnection):
+ """Wrap some logging code around standard tlslite checker."""
+
+ for i in range(tlsConnection.session.clientCertChain.getNumCerts()):
+ rpki.log.debug("Received client cert[%d] %s" % (i, tlsConnection.session.clientCertChain.x509List[i].getCommonName()))
+
+ return tlslite.api.Checker.__call__(self, tlsConnection)
+
+def server(handlers, privateKey, certChain, port = 4433, host = "", x509TrustList = None):
"""Run an HTTPS server and wait (forever) for connections."""
if not isinstance(handlers, (tuple, list)):
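Review bot: `Checker.__call__` dereferences `tlsConnection.session.clientCertChain` before delegating to tlslite's own checker; if tlslite leaves that attribute as None when the peer presents no certificate (its Checker, as I recall, raises a TLSAuthenticationError for that case itself), the new logging loop raises AttributeError instead, which is not a `tlslite.api.TLSError` and therefore escapes the `except` in `httpServer.handshake` rather than being logged as a handshake failure. Guard the logging and leave the decision to the base class: `chain = tlsConnection.session.clientCertChain`, `if chain is not None:`, `for i, cert in enumerate(chain.x509List): rpki.log.debug("Received client cert[%d] %s" % (i, cert.getCommonName()))`. Also note that `reqCert = self.rpki_checker is not None` means a server configured with a trust list now rejects anonymous clients, which is the intended fail-closed behaviour but is not stated anywhere in the class docstrings. The `server` function whose signature ends this hunk continues past it.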
@@ -143,4 +159,10 @@ def server(handlers, privateKey, certChain, port = 4433, host = ""):
httpd.rpki_certChain = certChain.tlslite_certChain()
httpd.rpki_sessionCache = tlslite.api.SessionCache()
+ if x509TrustList is not None:
+ x509TrustList = x509TrustList.tlslite_trustList()
+ for x in x509TrustList:
+ rpki.log.debug("HTTPS trust anchor %s" % x.getCommonName())
+ httpd.rpki_checker = Checker(x509TrustList = x509TrustList)
+
httpd.serve_forever()
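Review bot: `server`'s docstring does not mention the new `x509TrustList` parameter even though it is the sole switch for client authentication: `if x509TrustList is not None` decides whether a `Checker` is installed, which in turn sets `reqCert` in `httpServer.handshake`. Every caller in this commit (irdbd.py, rootd.py, rpkid.py) builds the argument unconditionally from `cfg.multiget`, so whether an absent config key results in None (no client authentication) or an empty chain (a Checker with no anchors, presumably rejecting every client) is decided by `multiget` and `X509_chain` semantics that are not visible here; that distinction should be documented and, ideally, made explicit with a warning when the converted trust list is empty. Suggested docstring addition: `x509TrustList: trust anchors for client certificates; when not None, every client must present a chain that tlslite's Checker validates against these anchors, and None disables client authentication entirely.` The enclosing function starts in the previous hunk.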
diff --git a/rpkid/rpki/left_right.py b/rpkid/rpki/left_right.py
index ca4aedc0..4ace0bca 100644
--- a/rpkid/rpki/left_right.py
+++ b/rpkid/rpki/left_right.py
@@ -1070,7 +1070,7 @@ def irdb_query(gctx, self_id, child_id = None):
r_cms = rpki.https.client(
privateKey = gctx.https_key,
certChain = gctx.https_certs,
- x509TrustList = gctx.https_ta,
+ x509TrustList = gctx.https_ta_irdb,
url = gctx.irdb_url,
msg = q_cms)
r_elt = rpki.cms.xml_verify(r_cms, gctx.cms_ta_irdb)
diff --git a/rpkid/rpkid.py b/rpkid/rpkid.py
index 5779753b..cb142da4 100755
--- a/rpkid/rpkid.py
+++ b/rpkid/rpkid.py
@@ -87,14 +87,15 @@ class global_context(object):
passwd = cfg.get("sql-password"))
self.cur = self.db.cursor()
- self.cms_ta_irdb = rpki.x509.X509(Auto_file = cfg.get("cms-ta-irdb"))
- self.cms_ta_irbe = rpki.x509.X509(Auto_file = cfg.get("cms-ta-irbe"))
- self.cms_key = rpki.x509.RSA(Auto_file = cfg.get("cms-key"))
- self.cms_certs = rpki.x509.X509_chain(Auto_files = cfg.multiget("cms-cert"))
+ self.cms_ta_irdb = rpki.x509.X509(Auto_file = cfg.get("cms-ta-irdb"))
+ self.cms_ta_irbe = rpki.x509.X509(Auto_file = cfg.get("cms-ta-irbe"))
+ self.cms_key = rpki.x509.RSA(Auto_file = cfg.get("cms-key"))
+ self.cms_certs = rpki.x509.X509_chain(Auto_files = cfg.multiget("cms-cert"))
- self.https_key = rpki.x509.RSA(Auto_file = cfg.get("https-key"))
- self.https_certs = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-cert"))
- self.https_ta = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-ta"))
+ self.https_key = rpki.x509.RSA(Auto_file = cfg.get("https-key"))
+ self.https_certs = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-cert"))
+ self.https_ta_irdb = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-ta-irdb"))
+ self.https_ta_irbe = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-ta-irbe"))
self.irdb_url = cfg.get("irdb-url")
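Review bot: The config keys read here, `https-ta-irdb` and `https-ta-irbe`, replace rpkid's former `https-ta`, but the OPERATION hunk in this same commit still documents that section's option as `https-ta` ("trust anchor to use when verifying irdbd's HTTPS server", visible as unchanged context there) and nothing documents `https-ta-irbe` at all. OPERATION needs the matching rename plus a new entry, roughly: `https-ta-irbe: Name of file containing trust anchor used by rpkid's HTTPS server to verify IRBE client certificates on the left-right protocol.` The split into two anchors is the right direction, since a client-verification anchor and a server-verification anchor should not be silently shared; documenting which is which keeps operators from configuring one to do both jobs. The `global_context` constructor continues outside this hunk.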
@@ -130,6 +131,7 @@ gctx = global_context(cfg)
rpki.https.server(privateKey = gctx.https_key,
certChain = gctx.https_certs,
+ x509TrustList = gctx.https_ta_irbe,
host = gctx.https_server_host,
port = gctx.https_server_port,
handlers=(("/left-right", left_right_handler),
diff --git a/rpkid/testbed.py b/rpkid/testbed.py
index fc3de1b5..e4ad2c22 100644
--- a/rpkid/testbed.py
+++ b/rpkid/testbed.py
@@ -789,27 +789,28 @@ sql-username = irdb
sql-password = %(irdb_db_pass)s
cms-key = %(my_name)s-IRDB-EE.key
-cms-certs.0 = %(my_name)s-IRDB-EE.cer
-cms-certs.1 = %(my_name)s-IRDB-CA.cer
+cms-cert.0 = %(my_name)s-IRDB-EE.cer
+cms-cert.1 = %(my_name)s-IRDB-CA.cer
cms-ta = %(my_name)s-RPKI-TA.cer
https-key = %(my_name)s-IRDB-EE.key
-https-certs.0 = %(my_name)s-IRDB-EE.cer
-https-certs.1 = %(my_name)s-IRDB-CA.cer
+https-cert.0 = %(my_name)s-IRDB-EE.cer
+https-cert.1 = %(my_name)s-IRDB-CA.cer
+#https-ta = %(my_name)s-RPKI-TA.cer
https-url = https://localhost:%(irdb_port)d/
[irbe-cli]
cms-key = %(testbed_name)s-EE.key
-cms-certs.0 = %(testbed_name)s-EE.cer
-cms-certs.1 = %(testbed_name)s-CA.cer
-cms-tas = %(my_name)s-RPKI-TA.cer
+cms-cert.0 = %(testbed_name)s-EE.cer
+cms-cert.1 = %(testbed_name)s-CA.cer
+cms-ta = %(my_name)s-RPKI-TA.cer
https-key = %(testbed_name)s-EE.key
-https-certs.0 = %(testbed_name)s-EE.cer
-https-certs.1 = %(testbed_name)s-CA.cer
-https-tas = %(my_name)s-RPKI-TA.cer
+https-cert.0 = %(testbed_name)s-EE.cer
+https-cert.1 = %(testbed_name)s-CA.cer
+#https-ta = %(my_name)s-RPKI-TA.cer
https-url = https://localhost:%(rpki_port)d/left-right
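Review bot: Commenting out `https-ta` in the generated `[irbe-cli]` section (and `https-ta-irdb` in the rpkid section of the next hunk, L352) disables more than the client-certificate checks the commit message describes: irbe-cli.py and left_right.py pass those values as `x509TrustList` to `rpki.https.client`, where, per OPERATION, they are the anchors used to verify the server's certificate. Unless `cfg.multiget` on an absent key makes the client fail closed, which this page does not show, the testbed now runs the left-right protocol without server authentication. Keeping those two client-side lines and commenting only the server-side entries (`[irdbd] https-ta`, `https-ta-irbe`, `[rootd] https-ta`) would match the stated intent; at minimum the generated config should say why they are off, e.g. `# https-ta left unset pending trust-anchor rework: HTTPS peer authentication is OFF in this testbed`.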
@@ -832,7 +833,8 @@ https-key = %(my_name)s-RPKI-EE.key
https-cert.0 = %(my_name)s-RPKI-EE.cer
https-cert.1 = %(my_name)s-RPKI-CA.cer
-https-ta = %(my_name)s-IRDB-TA.cer
+#https-ta-irdb = %(my_name)s-IRDB-TA.cer
+#https-ta-irbe = %(testbed_name)s-TA.cer
irdb-url = https://localhost:%(irdb_port)d/
@@ -845,13 +847,14 @@ rootd_fmt_1 = '''\
[rootd]
cms-key = %(rootd_name)s-EE.key
-cms-certs.0 = %(rootd_name)s-EE.cer
-cms-certs.1 = %(rootd_name)s-CA.cer
+cms-cert.0 = %(rootd_name)s-EE.cer
+cms-cert.1 = %(rootd_name)s-CA.cer
cms-ta = %(rpkid_name)s-RPKI-TA.cer
https-key = %(rootd_name)s-EE.key
-https-certs.0 = %(rootd_name)s-EE.cer
-https-certs.1 = %(rootd_name)s-CA.cer
+https-cert.0 = %(rootd_name)s-EE.cer
+https-cert.1 = %(rootd_name)s-CA.cer
+#https-ta = %(rpkid_name)s-RPKI-TA.cer
server-port = %(rootd_port)s