author | Rob Austein <sra@hactrn.net> | 2007-09-16 21:06:15 +0000 |
committer | Rob Austein <sra@hactrn.net> | 2007-09-16 21:06:15 +0000 |
commit | 32b7a7b22c11129c2c17d8adc3f6aceac0e6de0b (patch) | |
tree | 1e01ca2834fed3e9a05e8d41a808dfb7f047d987 /scripts | |
parent | 3b0c4bcd97d0af53239bfaed4a129a08858da4cf (diff) |
Switch to using APNIC's preferred version of the up-down protocol
schema. I still think the folks at APNIC are wrong about allowing
bogus error codes to slip past schema checking, but coding around this
problem is less work in the long run than maintaining a forked schema
would be. Time to bury the hatchet and move on.
svn path=/scripts/Makefile; revision=975
Diffstat (limited to 'scripts')
-rw-r--r-- | scripts/Makefile | 5 | ||||
-rwxr-xr-x | scripts/encode-test.py | 2 | ||||
-rw-r--r-- | scripts/rpki/up_down.py | 44 | ||||
-rwxr-xr-x | scripts/rpkid.py | 2 | ||||
-rw-r--r-- | scripts/up-down-medium-schema.rnc | 79 | ||||
-rw-r--r-- | scripts/up-down-medium-schema.rng | 258 | ||||
-rw-r--r-- | scripts/up-down-protocol-samples/issue_response.xml | 8 | ||||
-rw-r--r-- | scripts/up-down-protocol-samples/list_response.xml | 12 | ||||
-rwxr-xr-x | scripts/xml-parse-test.py | 2 |
9 files changed, 54 insertions, 358 deletions
diff --git a/scripts/Makefile b/scripts/Makefile index 26d31538..5aa33cba 100644 --- a/scripts/Makefile +++ b/scripts/Makefile @@ -11,11 +11,6 @@ all:: left-right-schema.rng left-right-schema.rng: left-right-schema.rnc trang left-right-schema.rnc left-right-schema.rng -all:: up-down-medium-schema.rng - -up-down-medium-schema.rng: up-down-medium-schema.rnc - trang up-down-medium-schema.rnc up-down-medium-schema.rng - all:: up-down-schema.rng up-down-schema.rng: up-down-schema.rnc diff --git a/scripts/encode-test.py b/scripts/encode-test.py index 08f78d82..b4709866 100755 --- a/scripts/encode-test.py +++ b/scripts/encode-test.py @@ -23,7 +23,7 @@ def main(): dir = "biz-certs" cer = "biz-certs/Alice-EE.cer" key = "biz-certs/Alice-EE.key" - rng = "up-down-medium-schema.rng" + rng = "up-down-schema.rng" for x in xml: print x diff --git a/scripts/rpki/up_down.py b/scripts/rpki/up_down.py index 256ef790..d1437775 100644 --- a/scripts/rpki/up_down.py +++ b/scripts/rpki/up_down.py 
@@ -45,13 +45,37 @@ class base_elt(object): if value is not None: lxml.etree.SubElement(elt, "{%s}%s" % (xmlns, name), nsmap=nsmap).text = base64.b64encode(value) +class multi_uri(list): + """Container for a set of URIs.""" + + def __init__(self, ini): + """Initialize a set of URIs, which includes basic some syntax checking.""" + if isinstance(ini, (list, tuple)): + self[:] = ini + elif isinstance(ini, str): + self[:] = ini.split(",") + for s in self: + assert s.strip() == s and s.find("://") >= 0, "Bad URI \"%s\"" % s + else: + raise TypeError + + def __str__(self): + return ",".join(self) + + def rsync(self): + """Find first rsync://... URI in self.""" + for s in self: + if s.startswith("rsync://"): + return s + return None + class certificate_elt(base_elt): """Up-Down protocol representation of an issued certificate.""" def startElement(self, stack, name, attrs): """Handle attributes of <certificate/> element.""" assert name == "certificate", "Unexpected name %s, stack %s" % (name, stack) - self.cert_url = attrs["cert_url"] + self.cert_url = multi_uri(attrs["cert_url"]) self.req_resource_set_as = resource_set.resource_set_as(attrs.get("req_resource_set_as")) self.req_resource_set_ipv4 = resource_set.resource_set_ipv4(attrs.get("req_resource_set_ipv4")) self.req_resource_set_ipv6 = resource_set.resource_set_ipv6(attrs.get("req_resource_set_ipv6")) @@ -84,7 +108,7 @@ class class_elt(base_elt): elif name != "issuer": assert name == "class", "Unexpected name %s, stack %s" % (name, stack) self.class_name = attrs["class_name"] - self.cert_url = attrs["cert_url"] + self.cert_url = multi_uri(attrs["cert_url"]) self.suggested_sia_head = attrs.get("suggested_sia_head") self.resource_set_as = resource_set.resource_set_as(attrs["resource_set_as"]) self.resource_set_ipv4 = resource_set.resource_set_ipv4(attrs["resource_set_ipv4"]) 
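Review bot: multi_uri.__init__ validates only the string form — a list or tuple is copied into self unchecked, so that path skips the whitespace and `"://"` checks the str branch enforces, and the str branch itself relies on `assert`, which is compiled out under `-O`, so a cert_url taken straight from the parsed PDU in certificate_elt.startElement and class_elt.startElement can be accepted unvalidated. Move the `for s in self:` loop below the `else:` branch so both input forms are checked, and raise an explicit error instead of asserting: `if s.strip() != s or "://" not in s: raise ValueError("Bad URI \"%s\"" % s)`. The bare `raise TypeError` would also read better with a message naming the offending type. Under Python 2 the SAX layer presumably hands attribute values over as unicode rather than str — worth confirming, since `isinstance(ini, str)` would then reject every parsed cert_url with TypeError. Both startElement methods continue outside the hunk.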
@@ -180,10 +204,23 @@ class revoke_response_pdu(revoke_pdu): class error_response_pdu(base_elt): """Up-Down protocol "error_response" PDU.""" + codes = { + 1101 : "Already processing request", + 1102 : "Version number error", + 1103 : "Unrecognised request type", + 1201 : "Request - no such resource class", + 1202 : "Request - no resources allocated in resource class", + 1203 : "Request - badly formed certificate request", + 1301 : "Revoke - no such resource class", + 1302 : "Revoke - no such key", + 2001 : "Internal Server Error - Request not performed" } + def endElement(self, stack, name, text): """Handle "error_response" PDU.""" if name == "status": - self.status = int(text) + code = int(text) + assert code in self.codes + self.status = code elif name == "last_message_processed": self.last_message_processed = text elif name == "description": @@ -195,6 +232,7 @@ class error_response_pdu(base_elt): def toXML(self): """Generate payload of "error_response" PDU.""" + assert self.status in self.codes elt = self.make_elt("status") elt.text = str(self.status) return [elt] diff --git a/scripts/rpkid.py b/scripts/rpkid.py index a8eb024c..483ad5be 100755 --- a/scripts/rpkid.py +++ b/scripts/rpkid.py @@ -88,7 +88,7 @@ db = MySQLdb.connect(user = cfg.get(section, "sql-username"), cur = db.cursor() lr_rng = rpki.relaxng.RelaxNG("left-right-schema.rng") -ud_rng = rpki.relaxng.RelaxNG("up-down-medium-schema.rng") +ud_rng = rpki.relaxng.RelaxNG("up-down-schema.rng") cms_ta_irdb = cfg.get(section, "cms-ta-irdb") cms_ta_irbe = cfg.get(section, "cms-ta-irbe") diff --git a/scripts/up-down-medium-schema.rnc b/scripts/up-down-medium-schema.rnc deleted file mode 100644 index 623d83b5..00000000 --- a/scripts/up-down-medium-schema.rnc +++ /dev/null 
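Review bot: The new `assert code in self.codes` in endElement is now the only check on a peer-supplied status code, since the commit message says the schema no longer constrains it, yet `assert` is stripped under `-O` and an unknown code otherwise surfaces as a bare AssertionError that does not say which value failed; `int(text)` likewise raises an unlabelled ValueError on non-numeric text. Replace it with an explicit check, `if code not in self.codes: raise ValueError("Unknown error_response status %d" % code)` (or the project's own protocol error class, if one exists outside this view), and treat the `assert self.status in self.codes` added in toXML the same way. A one-line comment on the `codes` dict noting that it mirrors the status values this commit removes from up-down-medium-schema.rnc would help keep the two in step with the APNIC schema. endElement's remaining branches run past the hunk.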
@@ -1,79 +0,0 @@ -# $Id$ -# -# RelaxNG (Compact Syntax) Schema -# for RPKI up-down protocol. This is based on the schema in the APNIC -# Wiki, but has tighter constraints on some fields. -# -# libxml2 (including xmllint) only groks the XML syntax of RelaxNG, so -# run the output of this script through a converter like trang to get -# XML syntax. - - default namespace = "http://www.apnic.net/specs/rescerts/up-down/" - - grammar { - start = element message { - attribute version { xsd:positiveInteger { maxInclusive="1" } }, - attribute sender { xsd:token { maxLength="1024" } }, - attribute recipient { xsd:token { maxLength="1024" } }, - payload - } - - payload |= attribute type { "list" }, list_request - payload |= attribute type { "list_response"}, list_response - payload |= attribute type { "issue" }, issue_request - payload |= attribute type { "issue_response"}, issue_response - payload |= attribute type { "revoke" }, revoke_request - payload |= attribute type { "revoke_response"}, revoke_response - payload |= attribute type { "error_response"}, error_response - - list_request = empty - list_response = class* - - class = element class { - attribute class_name { xsd:token { maxLength="1024" } }, - attribute cert_url { xsd:anyURI { maxLength="1024" } }, - attribute resource_set_as { xsd:string { maxLength="512000" pattern="[\-,0-9]*" } }, - attribute resource_set_ipv4 { xsd:string { maxLength="512000" pattern="[\-,/.0-9]*" } }, - attribute resource_set_ipv6 { xsd:string { maxLength="512000" pattern="[\-,/:0-9a-fA-F]*" } }, - attribute suggested_sia_head { xsd:anyURI { maxLength="1024" pattern="rsync://.+"} }?, - element certificate { - attribute cert_url { xsd:anyURI { maxLength="1024" } }, - attribute req_resource_set_as { xsd:string { maxLength="512000" pattern="[\-,0-9]*" } }?, - attribute req_resource_set_ipv4 { xsd:string { maxLength="512000" pattern="[\-,/.0-9]*" } }?, - attribute req_resource_set_ipv6 { xsd:string { maxLength="512000" 
pattern="[\-,/:0-9a-fA-F]*" } }?, - xsd:base64Binary { maxLength="512000" } - }*, - element issuer { xsd:base64Binary { maxLength="512000" } } - } - - issue_request = element request { - attribute class_name { xsd:token { maxLength="1024" } }, - attribute req_resource_set_as { xsd:string { maxLength="512000" pattern="[\-,0-9]*" } }?, - attribute req_resource_set_ipv4 { xsd:string { maxLength="512000" pattern="[\-,/.0-9]*" } }?, - attribute req_resource_set_ipv6 { xsd:string { maxLength="512000" pattern="[\-,/:0-9a-fA-F]*" } }?, - xsd:base64Binary { maxLength="512000" } - } - issue_response = class - - revoke_request = revocation - revoke_response = revocation - - revocation = element key { - attribute class_name { xsd:token { maxLength="1024" } }, - attribute ski { xsd:token { maxLength="1024" } } - } - - error_response = - element status { - "1101" | # Already processing request - "1102" | # version number error - "1103" | # unrecognised request type - "1201" | # request - no such resource class - "1202" | # request - no resources allocated in resource class - "1203" | # request - badly formed certificate request - "1301" | # revoke - no such resource class - "1302" | # revoke - no such key - "2001" # Internal Server Error - Request not performed - }, - element description { attribute xml:lang { xsd:language }, xsd:string { maxLength="1024" } }? - } diff --git a/scripts/up-down-medium-schema.rng b/scripts/up-down-medium-schema.rng deleted file mode 100644 index d9c84489..00000000 --- a/scripts/up-down-medium-schema.rng +++ /dev/null 
@@ -1,258 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!-- - $Id: up-down-medium-schema.rnc 704 2007-07-02 16:11:58Z sra $ - - RelaxNG (Compact Syntax) Schema - for RPKI up-down protocol. This is based on the schema in the APNIC - Wiki, but has tighter constraints on some fields. - - libxml2 (including xmllint) only groks the XML syntax of RelaxNG, so - run the output of this script through a converter like trang to get - XML syntax. ---> -<grammar ns="http://www.apnic.net/specs/rescerts/up-down/" xmlns="http://relaxng.org/ns/structure/1.0" datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes"> - <start> - <element name="message"> - <attribute name="version"> - <data type="positiveInteger"> - <param name="maxInclusive">1</param> - </data> - </attribute> - <attribute name="sender"> - <data type="token"> - <param name="maxLength">1024</param> - </data> - </attribute> - <attribute name="recipient"> - <data type="token"> - <param name="maxLength">1024</param> - </data> - </attribute> - <ref name="payload"/> - </element> - </start> - <define name="payload" combine="choice"> - <attribute name="type"> - <value>list</value> - </attribute> - <ref name="list_request"/> - </define> - <define name="payload" combine="choice"> - <attribute name="type"> - <value>list_response</value> - </attribute> - <ref name="list_response"/> - </define> - <define name="payload" combine="choice"> - <attribute name="type"> - <value>issue</value> - </attribute> - <ref name="issue_request"/> - </define> - <define name="payload" combine="choice"> - <attribute name="type"> - <value>issue_response</value> - </attribute> - <ref name="issue_response"/> - </define> - <define name="payload" combine="choice"> - <attribute name="type"> - <value>revoke</value> - </attribute> - <ref name="revoke_request"/> - </define> - <define name="payload" combine="choice"> - <attribute name="type"> - <value>revoke_response</value> - </attribute> - <ref name="revoke_response"/> - </define> - <define 
name="payload" combine="choice"> - <attribute name="type"> - <value>error_response</value> - </attribute> - <ref name="error_response"/> - </define> - <define name="list_request"> - <empty/> - </define> - <define name="list_response"> - <zeroOrMore> - <ref name="class"/> - </zeroOrMore> - </define> - <define name="class"> - <element name="class"> - <attribute name="class_name"> - <data type="token"> - <param name="maxLength">1024</param> - </data> - </attribute> - <attribute name="cert_url"> - <data type="anyURI"> - <param name="maxLength">1024</param> - </data> - </attribute> - <attribute name="resource_set_as"> - <data type="string"> - <param name="maxLength">512000</param> - <param name="pattern">[\-,0-9]*</param> - </data> - </attribute> - <attribute name="resource_set_ipv4"> - <data type="string"> - <param name="maxLength">512000</param> - <param name="pattern">[\-,/.0-9]*</param> - </data> - </attribute> - <attribute name="resource_set_ipv6"> - <data type="string"> - <param name="maxLength">512000</param> - <param name="pattern">[\-,/:0-9a-fA-F]*</param> - </data> - </attribute> - <optional> - <attribute name="suggested_sia_head"> - <data type="anyURI"> - <param name="maxLength">1024</param> - <param name="pattern">rsync://.+</param> - </data> - </attribute> - </optional> - <zeroOrMore> - <element name="certificate"> - <attribute name="cert_url"> - <data type="anyURI"> - <param name="maxLength">1024</param> - </data> - </attribute> - <optional> - <attribute name="req_resource_set_as"> - <data type="string"> - <param name="maxLength">512000</param> - <param name="pattern">[\-,0-9]*</param> - </data> - </attribute> - </optional> - <optional> - <attribute name="req_resource_set_ipv4"> - <data type="string"> - <param name="maxLength">512000</param> - <param name="pattern">[\-,/.0-9]*</param> - </data> - </attribute> - </optional> - <optional> - <attribute name="req_resource_set_ipv6"> - <data type="string"> - <param name="maxLength">512000</param> - <param 
name="pattern">[\-,/:0-9a-fA-F]*</param> - </data> - </attribute> - </optional> - <data type="base64Binary"> - <param name="maxLength">512000</param> - </data> - </element> - </zeroOrMore> - <element name="issuer"> - <data type="base64Binary"> - <param name="maxLength">512000</param> - </data> - </element> - </element> - </define> - <define name="issue_request"> - <element name="request"> - <attribute name="class_name"> - <data type="token"> - <param name="maxLength">1024</param> - </data> - </attribute> - <optional> - <attribute name="req_resource_set_as"> - <data type="string"> - <param name="maxLength">512000</param> - <param name="pattern">[\-,0-9]*</param> - </data> - </attribute> - </optional> - <optional> - <attribute name="req_resource_set_ipv4"> - <data type="string"> - <param name="maxLength">512000</param> - <param name="pattern">[\-,/.0-9]*</param> - </data> - </attribute> - </optional> - <optional> - <attribute name="req_resource_set_ipv6"> - <data type="string"> - <param name="maxLength">512000</param> - <param name="pattern">[\-,/:0-9a-fA-F]*</param> - </data> - </attribute> - </optional> - <data type="base64Binary"> - <param name="maxLength">512000</param> - </data> - </element> - </define> - <define name="issue_response"> - <ref name="class"/> - </define> - <define name="revoke_request"> - <ref name="revocation"/> - </define> - <define name="revoke_response"> - <ref name="revocation"/> - </define> - <define name="revocation"> - <element name="key"> - <attribute name="class_name"> - <data type="token"> - <param name="maxLength">1024</param> - </data> - </attribute> - <attribute name="ski"> - <data type="token"> - <param name="maxLength">1024</param> - </data> - </attribute> - </element> - </define> - <define name="error_response"> - <element name="status"> - <choice> - <value>1101</value> - <!-- Already processing request --> - <value>1102</value> - <!-- version number error --> - <value>1103</value> - <!-- unrecognised request type --> - 
<value>1201</value> - <!-- request - no such resource class --> - <value>1202</value> - <!-- request - no resources allocated in resource class --> - <value>1203</value> - <!-- request - badly formed certificate request --> - <value>1301</value> - <!-- revoke - no such resource class --> - <value>1302</value> - <!-- revoke - no such key --> - <value>2001</value> - </choice> - <!-- Internal Server Error - Request not performed --> - </element> - <optional> - <element name="description"> - <attribute name="xml:lang"> - <data type="language"/> - </attribute> - <data type="string"> - <param name="maxLength">1024</param> - </data> - </element> - </optional> - </define> -</grammar> diff --git a/scripts/up-down-protocol-samples/issue_response.xml b/scripts/up-down-protocol-samples/issue_response.xml index 849626c6..39f6b954 100644 --- a/scripts/up-down-protocol-samples/issue_response.xml +++ b/scripts/up-down-protocol-samples/issue_response.xml @@ -5,12 +5,12 @@ recipient="recipient name" type="issue_response"> <class class_name="ISP5" - cert_url="url" + cert_url="rsync://wombat.example/ISP5" resource_set_as="64534-64540" resource_set_ipv4="10.0.0.0/24,10.3.0.0/24" resource_set_ipv6="2001:db8:0:0:0:0:a00::/120,2001:db8:0:0:0:0:a03::/120" suggested_sia_head="rsync://wombat.example/fnord/"> - <certificate cert_url="ISP5a" + <certificate cert_url="rsync://wombat.example/ISP5a" req_resource_set_as="" req_resource_set_ipv4="10.0.0.0/24" req_resource_set_ipv6="2001:db8:0:0:0:0:a00::/120"> @@ -36,7 +36,7 @@ AIYRKF4k4ZDYZ9gA/LYnH56xvpEXwRE1bpxgUC5n8wQrdIn5/pJz3R5EgWe4CGOo n/SMvEfe8d+LEc0C7LmtCwYoDOKENoOF809GVkbV9fjL8w== </certificate> - <certificate cert_url="ISP5b" + <certificate cert_url="rsync://wombat.example/ISP5b" req_resource_set_as="" req_resource_set_ipv4="10.3.0.0/24" req_resource_set_ipv6="2001:db8:0:0:0:0:a03::/120"> 
@@ -62,7 +62,7 @@ 2emkoegzzS2cN+5I5I+O8IRnZInqmiPgEgElgEFw+rg6xw23yax5Nyqx12J56tt0 tPWGhrYe1dCwKZajWKn3P9+NMcGQ0d8bw/QU+B3RyVeVfw== </certificate> - <certificate cert_url="ISP5c" + <certificate cert_url="rsync://wombat.example/ISP5c" req_resource_set_as="64534-64540" req_resource_set_ipv4="" req_resource_set_ipv6=""> diff --git a/scripts/up-down-protocol-samples/list_response.xml b/scripts/up-down-protocol-samples/list_response.xml index a2598d33..9e368f5a 100644 --- a/scripts/up-down-protocol-samples/list_response.xml +++ b/scripts/up-down-protocol-samples/list_response.xml @@ -5,12 +5,12 @@ recipient="recipient name" type="list_response"> <class class_name="ISP5" - cert_url="url" + cert_url="rsync://wombat.example/ISP5" resource_set_as="64534-64540" resource_set_ipv4="10.0.0.0/24,10.3.0.0/24" resource_set_ipv6="2001:db8:0:0:0:0:a00::/120,2001:db8:0:0:0:0:a03::/120" suggested_sia_head="rsync://wombat.example/fnord/"> - <certificate cert_url="ISP5a" + <certificate cert_url="rsync://wombat.example/ISP5a" req_resource_set_as="" req_resource_set_ipv4="10.0.0.0/24" req_resource_set_ipv6="2001:db8:0:0:0:0:a00::/120"> @@ -36,7 +36,7 @@ AIYRKF4k4ZDYZ9gA/LYnH56xvpEXwRE1bpxgUC5n8wQrdIn5/pJz3R5EgWe4CGOo n/SMvEfe8d+LEc0C7LmtCwYoDOKENoOF809GVkbV9fjL8w== </certificate> - <certificate cert_url="ISP5b" + <certificate cert_url="rsync://wombat.example/ISP5b" req_resource_set_as="" req_resource_set_ipv4="10.3.0.0/24" req_resource_set_ipv6="2001:db8:0:0:0:0:a03::/120"> @@ -62,7 +62,7 @@ 2emkoegzzS2cN+5I5I+O8IRnZInqmiPgEgElgEFw+rg6xw23yax5Nyqx12J56tt0 tPWGhrYe1dCwKZajWKn3P9+NMcGQ0d8bw/QU+B3RyVeVfw== </certificate> - <certificate cert_url="ISP5c" + <certificate cert_url="rsync://wombat.example/ISP5c" req_resource_set_as="64534-64540" req_resource_set_ipv4="" req_resource_set_ipv6=""> 
@@ -114,11 +114,11 @@ </issuer> </class> <class class_name="ISP2" - cert_url="url" + cert_url="rsync://wombat.example/ISP2" resource_set_as="" resource_set_ipv4="192.0.2.44-192.0.2.100" resource_set_ipv6=""> - <certificate cert_url="url"> + <certificate cert_url="http://wombat.example/ISP2a,rsync://wombat.example/ISP2a,ftp://wombat.example/ISP2a"> MIIDzDCCArSgAwIBAgIBCTANBgkqhkiG9w0BAQUFADAbMRkwFwYDVQQDExBURVNU IEVOVElUWSBMSVIxMB4XDTA3MDgwMTE0NDgyMloXDTA4MDczMTE0NDgyMlowGzEZ MBcGA1UEAxMQVEVTVCBFTlRJVFkgSVNQMjCCASIwDQYJKoZIhvcNAQEBBQADggEP diff --git a/scripts/xml-parse-test.py b/scripts/xml-parse-test.py index ed437789..73ab295d 100755 --- a/scripts/xml-parse-test.py +++ b/scripts/xml-parse-test.py @@ -42,7 +42,7 @@ def lr_tester(elt_in, elt_out, msg): pprint_cert(cert) test(fileglob="up-down-protocol-samples/*.xml", - schema="up-down-medium-schema.rng", + schema="up-down-schema.rng", sax_handler=rpki.up_down.sax_handler, encoding="utf-8", tester=ud_tester) |