author | Rob Austein <sra@hactrn.net> | 2014-02-21 02:28:13 +0000 |
---|---|---|
committer | Rob Austein <sra@hactrn.net> | 2014-02-21 02:28:13 +0000 |
commit | bf0b63854ec52df692a503eb78e270363f31ebfd (patch) | |
tree | 328ab3d0c76c05a6699a9998c4e08ce97ec2baee /rpkid | |
parent | a25c336c1d7752b60a251fcce51f2fbd81d930bf (diff) |
Add EKU when generating router certificates.
svn path=/branches/tk671/; revision=5681
Diffstat (limited to 'rpkid')
-rw-r--r-- | rpkid/router-certificate-schema.rng | 2 | ||||
-rw-r--r-- | rpkid/rpki/relaxng.py | 2 | ||||
-rw-r--r-- | rpkid/rpki/rpkid.py | 14 | ||||
-rw-r--r-- | rpkid/rpki/rpkid_tasks.py | 5 | ||||
-rw-r--r-- | rpkid/rpki/x509.py | 16 |
5 files changed, 27 insertions, 12 deletions
diff --git a/rpkid/router-certificate-schema.rng b/rpkid/router-certificate-schema.rng
index afd14d5e..b87323d5 100644
--- a/rpkid/router-certificate-schema.rng
+++ b/rpkid/router-certificate-schema.rng
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
- $Id: router-certificate-schema.rnc 5657 2014-01-31 05:50:52Z sra $
+ $Id: router-certificate-schema.rnc 5680 2014-02-21 02:05:36Z sra $
 RelaxNG Schema for BGPSEC router certificate interchange format.
diff --git a/rpkid/rpki/relaxng.py b/rpkid/rpki/relaxng.py
index a7553d51..e85655e4 100644
--- a/rpkid/rpki/relaxng.py
+++ b/rpkid/rpki/relaxng.py
@@ -2315,7 +2315,7 @@ myrpki = lxml.etree.RelaxNG(lxml.etree.fromstring(r'''<?xml version="1.0" encodi
 ## Parsed RelaxNG router_certificate schema
 router_certificate = lxml.etree.RelaxNG(lxml.etree.fromstring(r'''<?xml version="1.0" encoding="UTF-8"?>
 <!--
- $Id: router-certificate-schema.rnc 5657 2014-01-31 05:50:52Z sra $
+ $Id: router-certificate-schema.rnc 5680 2014-02-21 02:05:36Z sra $
 RelaxNG Schema for BGPSEC router certificate interchange format.
diff --git a/rpkid/rpki/rpkid.py b/rpkid/rpki/rpkid.py
index 0b564b57..9b83cc59 100644
--- a/rpkid/rpki/rpkid.py
+++ b/rpkid/rpki/rpkid.py
@@ -616,7 +617,8 @@ class ca_obj(rpki.sql.sql_persistent):
 if ca_details:
 rpki.async.iterator(ca_details, loop, done)
 else:
- rpki.log.warn("Existing resource class %s to %s from %s with no certificates, rekeying" % (rc.class_name, parent.self.self_handle, parent.parent_handle))
+ rpki.log.warn("Existing resource class %s to %s from %s with no certificates, rekeying" %
+ (rc.class_name, parent.self.self_handle, parent.parent_handle))
 self.gctx.checkpoint()
 self.rekey(cb, eb)
@@ -1125,7 +1126,7 @@ class ca_detail_obj(rpki.sql.sql_persistent):
 return self
 def issue_ee(self, ca, resources, subject_key, sia,
- cn = None, sn = None, notAfter = None):
+ cn = None, sn = None, notAfter = None, eku = None):
 """
 Issue a new EE certificate.
 """
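Review bot: The new `eku` parameter on `issue_ee` is not described anywhere; the docstring still reads only "Issue a new EE certificate.", and the same gap applies to `ee_cert_obj.create` in the next rpkid.py hunk. Since the x509 layer rejects an EKU on a CA certificate, callers need to know what shape the value has and when it is allowed. Suggest extending both docstrings with `eku: tuple of OIDs (as in rpki.oids) to place in the Extended Key Usage extension, or None to omit the extension; only meaningful for EE certificates.` The body of issue_ee continues outside this hunk.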
@@ -1144,7 +1145,8 @@ class ca_detail_obj(rpki.sql.sql_persistent):
 notAfter = notAfter,
 is_ca = False,
 cn = cn,
- sn = sn)
+ sn = sn,
+ eku = eku)
 def generate_manifest_cert(self):
 """
@@ -2248,7 +2250,7 @@ class ee_cert_obj(rpki.sql.sql_persistent):
 return self.cert.gSKI() + ".cer"
 @classmethod
- def create(cls, ca_detail, subject_name, subject_key, resources, publisher):
+ def create(cls, ca_detail, subject_name, subject_key, resources, publisher, eku = None):
 """
 Generate a new certificate and stuff it in a new ee_cert_obj.
 """
@@ -2263,7 +2265,8 @@ class ee_cert_obj(rpki.sql.sql_persistent):
 resources = resources,
 notAfter = resources.valid_until,
 cn = cn,
- sn = sn)
+ sn = sn,
+ eku = eku)
 self = cls(
 gctx = ca_detail.gctx,
@@ -2366,6 +2369,7 @@ class ee_cert_obj(rpki.sql.sql_persistent):
 self.cert = ca_detail.issue_ee(
 ca = ca_detail.ca,
 subject_key = self.cert.getPublicKey(),
+ eku = self.cert.getEKU(),
 sia = None,
 resources = resources,
 notAfter = resources.valid_until,
diff --git a/rpkid/rpki/rpkid_tasks.py b/rpkid/rpki/rpkid_tasks.py
index 492876aa..8889aa64 100644
--- a/rpkid/rpki/rpkid_tasks.py
+++ b/rpkid/rpki/rpkid_tasks.py
@@ -624,6 +624,8 @@ class UpdateEECertificatesTask(AbstractTask):
 rpki.log.debug("Existing EE certificate for %s %s is no longer covered" % (req.gski, resources))
 ee.revoke(publisher = publisher)
+ eku = (rpki.oids.id_kp_bgpsec_router,) if req.router_id else None
+
 for ca_detail in covering:
 rpki.log.debug("No existing EE certificate for %s %s" % (req.gski, resources))
 rpki.rpkid.ee_cert_obj.create(
@@ -631,7 +633,8 @@ class UpdateEECertificatesTask(AbstractTask):
 subject_name = req.pkcs10.getSubject(),
 subject_key = req.pkcs10.getPublicKey(),
 resources = resources,
- publisher = publisher)
+ publisher = publisher,
+ eku = eku)
 # Anything left is an orphan
 for ees in existing.values():
diff --git a/rpkid/rpki/x509.py b/rpkid/rpki/x509.py
index 847c90f6..5cb5efd6 100644
--- a/rpkid/rpki/x509.py
+++ b/rpkid/rpki/x509.py
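Review bot: `eku = self.cert.getEKU()` in the reissue path calls a getter on `self.cert`, the same wrapper object whose `getPublicKey()` is called on the line above, but this commit only adds `cert.setEKU(...)` on the POW object inside `X509._issue` and no `getEKU` accessor appears on the `X509` class in the x509.py hunks. If that accessor is not already defined elsewhere, every EE certificate reissue — not only router certificates — will fail with AttributeError, so it is worth confirming it exists before merging. A short comment would also make the intent clear: `# Carry the existing EKU across the reissue so a router certificate keeps id-kp-bgpsec-router`. The enclosing method starts and ends outside this hunk.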
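Review bot: The line `eku = (rpki.oids.id_kp_bgpsec_router,) if req.router_id else None` is the only place that decides whether an issued EE certificate becomes a BGPsec router certificate, and nothing in the hunk says why `router_id` is the discriminator. A comment such as `# Requests carrying a router_id are BGPsec router certificates and must assert the id-kp-bgpsec-router EKU; ordinary EE certificates carry no EKU` would document the policy where it is applied. Since this field now selects which EKU the CA asserts, it is worth confirming that `req.router_id` is validated against the request schema before this point rather than taken as-is from the request. The enclosing loop and method extend outside this hunk.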
@@ -598,13 +598,15 @@ class X509(DER_object):
 def issue(self, keypair, subject_key, serial, sia, aia, crldp, notAfter,
 cn = None, resources = None, is_ca = True, notBefore = None,
- sn = None):
+ sn = None, eku = None):
 """
 Issue an RPKI certificate.
 """
 assert aia is not None and crldp is not None
+ assert eku is None or not is_ca
+
 return self._issue(
 keypair = keypair,
 subject_key = subject_key,
@@ -619,7 +621,8 @@ class X509(DER_object):
 resources = resources,
 is_ca = is_ca,
 aki = self.get_SKI(),
- issuer_name = self.getSubject())
+ issuer_name = self.getSubject(),
+ eku = eku)
 @classmethod
@@ -649,12 +652,13 @@ class X509(DER_object):
 resources = resources,
 is_ca = True,
 aki = ski,
- issuer_name = X501DN.from_cn(cn, sn))
+ issuer_name = X501DN.from_cn(cn, sn),
+ eku = None)
 @classmethod
 def _issue(cls, keypair, subject_key, serial, sia, aia, crldp, notAfter,
- cn, sn, resources, is_ca, aki, issuer_name, notBefore):
+ cn, sn, resources, is_ca, aki, issuer_name, notBefore, eku):
 """
 Common code to issue an RPKI certificate.
 """
@@ -719,6 +723,10 @@ class X509(DER_object):
 ipv6 = ("inherit" if resources.v6.inherit else
 ((r.min, r.max) for r in resources.v6)))
+ if eku is not None:
+ assert not is_ca
+ cert.setEKU(eku)
+
 cert.sign(keypair.get_POW(), rpki.POW.SHA256_DIGEST)
 return cls(POW = cert)
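Review bot: The two new checks that keep an EKU off a CA certificate — `assert eku is None or not is_ca` in `issue` and `assert not is_ca` inside the `if eku is not None:` branch of `_issue` — are `assert` statements, so they vanish under `python -O` and the invariant this commit adds to the issuing path (RFC 6487 forbids EKU in CA certificates) is then not enforced at all. Because `_issue` is the common code for every certificate, one real check there is enough: `if eku is not None and is_ca: raise ValueError("EKU is not permitted on a CA certificate")` (or the project's own exception type) in place of the bare assert, after which the duplicate in `issue` can be dropped. The `_issue` docstring should also describe `eku`, e.g. `eku: sequence of OIDs for the Extended Key Usage extension, or None to omit it`. The body of `_issue` continues outside the last hunk.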