authorRob Austein <sra@hactrn.net>2007-11-13 20:34:54 +0000
committerRob Austein <sra@hactrn.net>2007-11-13 20:34:54 +0000
commit5116b1ee9fa01970c601da584c24f8b5d90de0a9 (patch)
treebae727f504a8616c43a61965eb558429a1e714b0 /scripts/rpki
parent222dcc75375bed4627b1bb66c449cb78a2588771 (diff)
OID cleanup
svn path=/scripts/biz-certs/Bob-CA.srl; revision=1282
Diffstat (limited to 'scripts/rpki')
-rw-r--r--scripts/rpki/oids.py34
-rw-r--r--scripts/rpki/resource_set.py11
-rw-r--r--scripts/rpki/up_down.py4
-rw-r--r--scripts/rpki/x509.py61
4 files changed, 57 insertions, 53 deletions
diff --git a/scripts/rpki/oids.py b/scripts/rpki/oids.py
new file mode 100644
index 00000000..6537ba9f
--- /dev/null
+++ b/scripts/rpki/oids.py
@@ -0,0 +1,34 @@
+# $Id$
+
+"""OID database."""
+
+## @var oid2name
+# Mapping table of OIDs to conventional string names.
+
+oid2name = {
+ (1, 2, 840, 113549, 1, 1, 11) : "sha256WithRSAEncryption",
+ (1, 2, 840, 113549, 1, 1, 12) : "sha384WithRSAEncryption",
+ (1, 2, 840, 113549, 1, 1, 13) : "sha512WithRSAEncryption",
+ (1, 3, 6, 1, 5, 5, 7, 1, 1) : "authorityInfoAccess",
+ (1, 3, 6, 1, 5, 5, 7, 1, 11) : "subjectInfoAccess",
+ (1, 3, 6, 1, 5, 5, 7, 1, 7) : "sbgp-ipAddrBlock",
+ (1, 3, 6, 1, 5, 5, 7, 1, 8) : "sbgp-autonomousSysNum",
+ (1, 3, 6, 1, 5, 5, 7, 14, 2) : "id-cp-ipAddr-asNumber",
+ (1, 3, 6, 1, 5, 5, 7, 48, 2) : "id-ad-caIssuers",
+ (1, 3, 6, 1, 5, 5, 7, 48, 5) : "id-ad-caRepository",
+ (1, 3, 6, 1, 5, 5, 7, 48, 9) : "id-ad-signedObjectRepository",
+ (1, 3, 6, 1, 5, 5, 7, 48, 10) : "id-ad-rpkiManifest",
+ (1, 3, 6, 1, 5, 5, 7, 48, 11) : "id-ad-signedObject",
+ (2, 5, 29, 14) : "subjectKeyIdentifier",
+ (2, 5, 29, 15) : "keyUsage",
+ (2, 5, 29, 19) : "basicConstraints",
+ (2, 5, 29, 31) : "cRLDistributionPoints",
+ (2, 5, 29, 32) : "certificatePolicies",
+ (2, 5, 29, 35) : "authorityKeyIdentifier",
+ (2, 5, 4, 3) : "commonName",
+}
+
+## @var name2oid
+# Mapping table of string names to OIDs
+
+name2oid = dict((v,k) for k,v in oid2name.items())
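Review bot: `name2oid` is built by inverting `oid2name`, so a duplicated name string in this hand-maintained table would silently drop one OID instead of failing, and every `name2oid[...]` lookup in x509.py and resource_set.py would then resolve to whichever OID happened to come last in iteration. A one-line guard after the inversion turns that into a load-time error: `assert len(name2oid) == len(oid2name), "duplicate names in oid2name"`. The module docstring could also state that unknown OIDs are expected to be looked up with `oid2name.get()` so they map to `None`, which is what the PKCS10 checks in x509.py rely on to reject them.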
diff --git a/scripts/rpki/resource_set.py b/scripts/rpki/resource_set.py
index 48c6cfb1..d42fc808 100644
--- a/scripts/rpki/resource_set.py
+++ b/scripts/rpki/resource_set.py
@@ -10,7 +10,8 @@ underlying details vary.
We also provide some basic set operations (union, intersection, etc).
"""
-import re, ipaddrs
+import re
+import rpki.ipaddrs, rpki.oids
inherit_token = "<inherit>"
@@ -96,12 +97,12 @@ class resource_range_ip(resource_range):
class resource_range_ipv4(resource_range_ip):
"""Range of IPv4 addresses."""
- datum_type = ipaddrs.v4addr
+ datum_type = rpki.ipaddrs.v4addr
class resource_range_ipv6(resource_range_ip):
"""Range of IPv6 addresses."""
- datum_type = ipaddrs.v6addr
+ datum_type = rpki.ipaddrs.v6addr
def _rsplit(rset, that):
"""Split a resource range into two resource ranges."""
@@ -407,11 +408,11 @@ class resource_bag(object):
v4 = None
v6 = None
for x in exts:
- if x[0] == (1, 3, 6, 1, 5, 5, 7, 1, 8): # sbgp-autonomousSysNum
+ if x[0] == rpki.oids.name2oid["sbgp-autonomousSysNum"]: #
assert x[2][1] is None, "RDI not implemented: %s" % (str(x))
assert as is None
as = resource_set_as(x[2][0])
- if x[0] == (1, 3, 6, 1, 5, 5, 7, 1, 7): # sbgp-ipAddrBlock
+ if x[0] == rpki.oids.name2oid["sbgp-ipAddrBlock"]:
for fam in x[2]:
if fam[0] == resource_set_ipv4.afi:
assert v4 is None
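Review bot: The line `if x[0] == rpki.oids.name2oid["sbgp-autonomousSysNum"]: #` keeps a now-empty trailing `#` left over from the removed inline comment; drop it so the line ends at the colon, matching the `sbgp-ipAddrBlock` branch below. Separately, the surrounding context uses `as` as a local variable name, which became a reserved word in Python 2.6, though that is unchanged code and outside this commit's scope. The enclosing resource_bag method starts before this hunk.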
diff --git a/scripts/rpki/up_down.py b/scripts/rpki/up_down.py
index d4c0f287..d349bce2 100644
--- a/scripts/rpki/up_down.py
+++ b/scripts/rpki/up_down.py
@@ -296,8 +296,8 @@ class issue_pdu(base_elt):
def query(cls, gctx, parent, ca, ca_detail):
"""Send an "issue" request to parent associated with ca."""
assert ca_detail is not None and ca_detail.state not in ("deprecated", "revoked")
- sia = ((rpki.x509.name2oid["id-ad-caRepository"], ("uri", ca.sia_uri)),
- (rpki.x509.name2oid["id-ad-rpkiManifest"], ("uri", ca.sia_uri + ca_detail.public_key.gSKI() + ".mnf")))
+ sia = ((rpki.oids.name2oid["id-ad-caRepository"], ("uri", ca.sia_uri)),
+ (rpki.oids.name2oid["id-ad-rpkiManifest"], ("uri", ca.sia_uri + ca_detail.public_key.gSKI() + ".mnf")))
self = cls()
self.class_name = ca.parent_resource_class
self.pkcs10 = rpki.x509.PKCS10.create_ca(ca_detail.private_key_id, sia)
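Review bot: The new `sia` lines reference `rpki.oids.name2oid`, but this diff shows no import change for up_down.py; unless the file already imports `rpki.oids`, the attribute resolves only because `import rpki.oids` in x509.py (same commit) happens to bind `oids` on the `rpki` package once rpki.x509 has been imported. That is an import-order dependency the mechanical rename introduces, and an explicit `import rpki.oids` in up_down.py's import block would remove it. The body of `query` continues past the end of the hunk.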
diff --git a/scripts/rpki/x509.py b/scripts/rpki/x509.py
index a9ebf625..5ee612a3 100644
--- a/scripts/rpki/x509.py
+++ b/scripts/rpki/x509.py
@@ -13,38 +13,7 @@ some of the nasty details. This involves a lot of format conversion.
"""
import POW, tlslite.api, POW.pkix, base64, time
-import rpki.exceptions, rpki.resource_set, rpki.manifest, rpki.cms
-
-## @var oid2name
-# Mapping table of OIDs to conventional string names.
-
-oid2name = {
- (1, 2, 840, 113549, 1, 1, 11) : "sha256WithRSAEncryption",
- (1, 2, 840, 113549, 1, 1, 12) : "sha384WithRSAEncryption",
- (1, 2, 840, 113549, 1, 1, 13) : "sha512WithRSAEncryption",
- (1, 3, 6, 1, 5, 5, 7, 1, 1) : "authorityInfoAccess",
- (1, 3, 6, 1, 5, 5, 7, 1, 11) : "subjectInfoAccess",
- (1, 3, 6, 1, 5, 5, 7, 1, 7) : "sbgp-ipAddrBlock",
- (1, 3, 6, 1, 5, 5, 7, 1, 8) : "sbgp-autonomousSysNum",
- (1, 3, 6, 1, 5, 5, 7, 14, 2) : "id-cp-ipAddr-asNumber",
- (1, 3, 6, 1, 5, 5, 7, 48, 2) : "id-ad-caIssuers",
- (1, 3, 6, 1, 5, 5, 7, 48, 5) : "id-ad-caRepository",
- (1, 3, 6, 1, 5, 5, 7, 48, 9) : "id-ad-signedObjectRepository",
- (1, 3, 6, 1, 5, 5, 7, 48, 10) : "id-ad-rpkiManifest",
- (1, 3, 6, 1, 5, 5, 7, 48, 11) : "id-ad-signedObject",
- (2, 5, 29, 14) : "subjectKeyIdentifier",
- (2, 5, 29, 15) : "keyUsage",
- (2, 5, 29, 19) : "basicConstraints",
- (2, 5, 29, 31) : "cRLDistributionPoints",
- (2, 5, 29, 32) : "certificatePolicies",
- (2, 5, 29, 35) : "authorityKeyIdentifier",
- (2, 5, 4, 3) : "commonName",
-}
-
-## @var name2oid
-# Mapping table of string names to OIDs
-
-name2oid = dict((v,k) for k,v in oid2name.items())
+import rpki.exceptions, rpki.resource_set, rpki.manifest, rpki.cms, rpki.oids
class PEM_converter(object):
"""Convert between DER and PEM encodings for various kinds of ASN.1 data."""
@@ -180,19 +149,19 @@ class DER_object(object):
def get_AKI(self):
"""Get the AKI extension from this object. Only works for subclasses that support getExtension()."""
- return (self.get_POWpkix().getExtension(name2oid["authorityKeyIdentifier"]) or ((), 0, None))[2]
+ return (self.get_POWpkix().getExtension(rpki.oids.name2oid["authorityKeyIdentifier"]) or ((), 0, None))[2]
def get_SKI(self):
"""Get the SKI extension from this object. Only works for subclasses that support getExtension()."""
- return (self.get_POWpkix().getExtension(name2oid["subjectKeyIdentifier"]) or ((), 0, None))[2]
+ return (self.get_POWpkix().getExtension(rpki.oids.name2oid["subjectKeyIdentifier"]) or ((), 0, None))[2]
def get_SIA(self):
"""Get the SIA extension from this object. Only works for subclasses that support getExtension()."""
- return (self.get_POWpkix().getExtension(name2oid["subjectInfoAccess"]) or ((), 0, None))[2]
+ return (self.get_POWpkix().getExtension(rpki.oids.name2oid["subjectInfoAccess"]) or ((), 0, None))[2]
def get_AIA(self):
"""Get the SIA extension from this object. Only works for subclasses that support getExtension()."""
- return (self.get_POWpkix().getExtension(name2oid["subjectInfoAccess"]) or ((), 0, None))[2]
+ return (self.get_POWpkix().getExtension(rpki.oids.name2oid["subjectInfoAccess"]) or ((), 0, None))[2]
def get_3779resources(self):
"""Get RFC 3779 resources as rpki.resource_set objects.
@@ -293,7 +262,7 @@ class X509(DER_object):
cert.setVersion(2)
cert.setSerial(serial)
cert.setIssuer(self.get_POWpkix().getSubject())
- cert.setSubject((((name2oid["commonName"], ("printableString", cn)),),))
+ cert.setSubject((((rpki.oids.name2oid["commonName"], ("printableString", cn)),),))
cert.setNotBefore(("utcTime", POW.pkix.time2utc(now)))
cert.setNotAfter(("utcTime", POW.pkix.time2utc(notAfter)))
cert.tbs.subjectPublicKeyInfo.fromString(subject_key.get_DER())
@@ -301,8 +270,8 @@ class X509(DER_object):
exts = [ ["subjectKeyIdentifier", False, ski],
["authorityKeyIdentifier", False, (aki, (), None)],
["cRLDistributionPoints", False, ((("fullName", (("uri", crldp),)), None, ()),)],
- ["authorityInfoAccess", False, ((name2oid["id-ad-caIssuers"], ("uri", aia)),)],
- ["certificatePolicies", True, ((name2oid["id-cp-ipAddr-asNumber"], ()),)] ]
+ ["authorityInfoAccess", False, ((rpki.oids.name2oid["id-ad-caIssuers"], ("uri", aia)),)],
+ ["certificatePolicies", True, ((rpki.oids.name2oid["id-cp-ipAddr-asNumber"], ()),)] ]
if is_ca:
exts.append(["basicConstraints", True, (1, None)])
@@ -322,7 +291,7 @@ class X509(DER_object):
exts.append(["sbgp-ipAddrBlock", True, [x for x in (resources.v4.to_tuple(), resources.v6.to_tuple()) if x is not None]])
for x in exts:
- x[0] = name2oid[x[0]]
+ x[0] = rpki.oids.name2oid[x[0]]
cert.setExtensions(exts)
cert.sign(keypair.get_POW(), POW.SHA256_DIGEST)
@@ -442,15 +411,15 @@ class PKCS10(DER_object):
raise rpki.exceptions.BadPKCS10, \
"Bad version number %s" % self.get_POWpkix().certificationRequestInfo.version
- if oid2name.get(self.get_POWpkix().signatureAlgorithm.algorithm.get()) \
+ if rpki.oids.oid2name.get(self.get_POWpkix().signatureAlgorithm.algorithm.get()) \
not in ("sha256WithRSAEncryption", "sha384WithRSAEncryption", "sha512WithRSAEncryption"):
raise rpki.exceptions.BadPKCS10, "Bad signature algorithm %s" % self.get_POWpkix().signatureAlgorithm
exts = self.get_POWpkix().getExtensions()
for oid, critical, value in exts:
- if oid2name.get(oid) not in ("basicConstraints", "keyUsage", "subjectInfoAccess"):
+ if rpki.oids.oid2name.get(oid) not in ("basicConstraints", "keyUsage", "subjectInfoAccess"):
raise rpki.exceptions.BadExtension, "Forbidden extension %s" % oid
- req_exts = dict((oid2name[oid], value) for (oid, critical, value) in exts)
+ req_exts = dict((rpki.oids.oid2name[oid], value) for (oid, critical, value) in exts)
if "basicConstraints" not in req_exts or not req_exts["basicConstraints"][0]:
raise rpki.exceptions.BadPKCS10, "request for EE cert not allowed here"
@@ -462,7 +431,7 @@ class PKCS10(DER_object):
raise rpki.exceptions.BadPKCS10, "keyUsage doesn't match basicConstraints"
for method, location in req_exts.get("subjectInfoAccess", ()):
- if oid2name.get(method) == "id-ad-caRepository" and \
+ if rpki.oids.oid2name.get(method) == "id-ad-caRepository" and \
(location[0] != "uri" or (location[1].startswith("rsync://") and not location[1].endswith("/"))):
raise rpki.exceptions.BadPKCS10, "Certificate request includes bad SIA component: %s" % repr(location)
@@ -478,7 +447,7 @@ class PKCS10(DER_object):
if sia is not None:
exts.append(["subjectInfoAccess", False, sia])
for x in exts:
- x[0] = name2oid[x[0]]
+ x[0] = rpki.oids.name2oid[x[0]]
return cls.create(keypair, exts)
@classmethod
@@ -487,7 +456,7 @@ class PKCS10(DER_object):
cn = "".join(("%02X" % ord(i) for i in keypair.get_SKI()))
req = POW.pkix.CertificationRequest()
req.certificationRequestInfo.version.set(0)
- req.certificationRequestInfo.subject.set((((name2oid["commonName"],
+ req.certificationRequestInfo.subject.set((((rpki.oids.name2oid["commonName"],
("printableString", cn)),),))
if exts is not None:
req.setExtensions(exts)