diff options
| author | Rob Austein <sra@hactrn.net> | 2011-10-07 20:08:54 +0000 |
|---|---|---|
| committer | Rob Austein <sra@hactrn.net> | 2011-10-07 20:08:54 +0000 |
| commit | 662e34662ba794f6c4b9c39b68dc62f2f4859c25 (patch) | |
| tree | 4e227eb1d4acc030b4952e5bc4d4b977e29b39cf /rpkid | |
| parent | b1594b7053eccc5b1d09a67c1bd90def14ca0515 (diff) | |
Tighten up PKCS 10 request checking (closes #6).
svn path=/rpkid/rpki/oids.py; revision=4025
Diffstat (limited to 'rpkid')
| -rw-r--r-- | rpkid/rpki/oids.py | 1 | ||||
| -rw-r--r-- | rpkid/rpki/x509.py | 28 |
2 files changed, 20 insertions, 9 deletions
diff --git a/rpkid/rpki/oids.py b/rpkid/rpki/oids.py index 2b1ffdd9..2557d7cf 100644 --- a/rpkid/rpki/oids.py +++ b/rpkid/rpki/oids.py @@ -65,6 +65,7 @@ oid2name = { (2, 5, 29, 31) : "cRLDistributionPoints", (2, 5, 29, 32) : "certificatePolicies", (2, 5, 29, 35) : "authorityKeyIdentifier", + (2, 5, 29, 37) : "extendedKeyUsage", (2, 5, 4, 3) : "commonName", } diff --git a/rpkid/rpki/x509.py b/rpkid/rpki/x509.py index 65031d9e..d4a38858 100644 --- a/rpkid/rpki/x509.py +++ b/rpkid/rpki/x509.py @@ -643,6 +643,10 @@ class PKCS10(DER_object): Throws an exception if the request isn't valid, so if this method returns at all, the request is ok. + + At the moment, this only allows requests for CA certificates; as a + direct consequence, it also rejects ExtendedKeyUsage, because the + RPKI profile only allows EKU for EE certificates. """ if not self.get_POWpkix().verify(): @@ -652,8 +656,7 @@ class PKCS10(DER_object): raise rpki.exceptions.BadPKCS10, \ "Bad version number %s" % self.get_POWpkix().certificationRequestInfo.version - if rpki.oids.oid2name.get(self.get_POWpkix().signatureAlgorithm.algorithm.get()) \ - not in ("sha256WithRSAEncryption", "sha384WithRSAEncryption", "sha512WithRSAEncryption"): + if rpki.oids.oid2name.get(self.get_POWpkix().signatureAlgorithm.algorithm.get()) != "sha256WithRSAEncryption": raise rpki.exceptions.BadPKCS10, "Bad signature algorithm %s" % self.get_POWpkix().signatureAlgorithm exts = self.get_POWpkix().getExtensions() @@ -671,14 +674,21 @@ class PKCS10(DER_object): if "keyUsage" in req_exts and (not req_exts["keyUsage"][5] or not req_exts["keyUsage"][6]): raise rpki.exceptions.BadPKCS10, "keyUsage doesn't match basicConstraints" - for method, location in req_exts.get("subjectInfoAccess", ()): - if rpki.oids.oid2name.get(method) == "id-ad-caRepository" and \ - (location[0] != "uri" or (location[1].startswith("rsync://") and not location[1].endswith("/"))): - raise rpki.exceptions.BadPKCS10, "Certificate request includes bad SIA component: %r" % location + sias = dict((method, location[1]) + for method, location in req_exts.get("subjectInfoAccess", ()) + if location[0] == "uri" and location[1].startswith("rsync://")) + + if "id-ad-caRepository" not in sias: + raise rpki.exceptions.BadPKCS10, "Certificate request is missing SIA id-ad-caRepository" + + if not sias["id-ad-caRepository"].endswith("/"): + raise rpki.exceptions.BadPKCS10, "Certificate request includes bad SIA component: %r" % sias["id-ad-caRepository"] + + if "id-ad-rpkiManifest" not in sias: + raise rpki.exceptions.BadPKCS10, "Certificate request is missing SIA id-ad-rpkiManifest" - # This one is an implementation restriction. I don't yet - # understand what the spec is telling me to do in this case. - assert "subjectInfoAccess" in req_exts, "Can't (yet) handle PKCS #10 without an SIA extension" + if sias["id-ad-rpkiManifest"].endswith("/"): + raise rpki.exceptions.BadPKCS10, "Certificate request includes bad SIA component: %r" % sias["id-ad-rpkiManifest"] @classmethod def create_ca(cls, keypair, sia = None): |