author | Rob Austein <sra@hactrn.net> | 2007-10-01 19:19:45 +0000 |
---|---|---|
committer | Rob Austein <sra@hactrn.net> | 2007-10-01 19:19:45 +0000 |
commit | e81d0d5080afd1a2fd53ad9195f4c27dc58e1180 (patch) | |
tree | 21d5b8030492e886ef11cd34a84b5a5f9adb8e5b /scripts | |
parent | 9162534362e2ff6ff3b54625ee3d3e2f778d1e8b (diff) |
Checkpoint
svn path=/pow/POW-0.7/lib/pkix.py; revision=1064
Diffstat (limited to 'scripts')
-rw-r--r-- | scripts/rpki/up_down.py | 44 | ||||
-rw-r--r-- | scripts/rpki/x509.py | 51 | ||||
-rw-r--r-- | scripts/test-pow.py | 8 |
3 files changed, 74 insertions, 29 deletions
diff --git a/scripts/rpki/up_down.py b/scripts/rpki/up_down.py index 95ce745e..e73730b7 100644 --- a/scripts/rpki/up_down.py +++ b/scripts/rpki/up_down.py @@ -244,7 +244,7 @@ class issue_pdu(base_elt): if child_cert is not None and ((rc_as, rc_v4, rc_v6) != child_cert.latest_ca_cert.get_3779resources()): child_cert = None if child_cert is not None and \ - child_cert.get_POWpkix().getExtension(name2oid["subjectInfoAccess"]) != self.get_POWpkix().getExtension(name2oid["subjectInfoAccess"]): + child_cert.get_POWpkix().getExtension(name2oid["subjectInfoAccess"]) != self.pkcs10.get_POWpkix().getExtension(name2oid["subjectInfoAccess"]): child_cert = None # Do we need to check certificate expiration here too? Maybe we # can just trust the cron job that handles renewals for that? 
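Review bot: The reuse test on the changed line compares the existing child cert's SIA against the one in `self.pkcs10`, but nothing in the condition looks at the existing cert's validity, which the comment two lines below already questions; an expired or nearly expired child cert with matching resources and SIA is still handed back unchanged. Rather than deferring to the renewal cron job, the condition that resets `child_cert` to None should also cover `child_cert.latest_ca_cert` being past (or within a renewal margin of) its notAfter. Unless the lookup that produced child_cert already keys on the requested public key, the same test should confirm the PKCS#10 key matches the existing cert's key, since a cert for a different key cannot be reissued as-is. The enclosing issue_pdu method starts before and continues after this hunk.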
@@ -252,32 +252,24 @@ class issue_pdu(base_elt): # Step 3: If we didn't find a reusable cert, generate a new one. if child_cert is None: # - # This will need to become a separate function eventually, but - # inline it for now until it's a bit better fleshed out. - # Might make sense as a .certify() method for the issuer. - # - # Hmm, the following is a bit confused between the POW and - # POW.pkix APIs. - + # This is probably not the quite right model yet. + # issuer.issue() makes sense from the cert point of view but + # leaves the ca state a bit of a mess. Refine later. + + child_cert = ca_detail.latest_ca_cert.issue(keypair = ca_detail.private_key_id, + subject_key = pubkey, + serial = serial, # XXX + aia = aia, # XXX + crldp = crldp, # XXX + sia = self.pkcs10.get_POWpkix().getExtension(name2oid["subjectInfoAccess"]), + as = rc_as, + v4 = rc_v4, + v6 = rc_v6) + + # Insert the cert we just generated into the database! raise NotImplementedError - cn_hash = POW.Digest(POW.SHA1_DIGEST) - cn_hash.update(pubkey) - cn = "".join(["%02X" % ord(i) for i in cn_hash.digest()]) - - newcert = POW.pkix.Certificate() - newcert.setVersion(2) - newcert.setNotBefore(('UTCTime', POW.pkix.time2utc(time.time()))) - newcert.setNotAfter(('UTCTime', blah)) - newcert.setIssuer(ca_detail.latest_ca_cert.get_POWpkix().getSubject()) - newcert.setSubject((((name2oid("commonName"), ("printableString", cn)),),)) - newcert.setExtensions((blah, - blah, - blah, - blah)) - newcert.sign(rsakey, name2oid["sha256WithRSAEncryption"]) - child_cert = rpki.x509.X509(POWpkix = newcert) - - # And finally, return what we got + + # And finally, return a PDU containing what we got raise NotImplementedError class issue_response_pdu(class_response_syntax): diff --git a/scripts/rpki/x509.py b/scripts/rpki/x509.py index 8306b243..a569e2a0 100644 --- a/scripts/rpki/x509.py +++ b/scripts/rpki/x509.py 
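Review bot: The new call passes `as = rc_as`, and the x509.py hunk's `issue()` declares `as` as a parameter and tests `if as:`; `as` becomes a reserved word in Python 2.6, so both will stop parsing on the next interpreter version, and a rename such as `asn` (signature and callers together) avoids that. The `serial`, `aia` and `crldp` arguments are marked XXX and are not bound anywhere visible in the hunk; serial in particular must be unique per issuer, so it should be allocated from the issuing CA's persistent state rather than a placeholder. Since `raise NotImplementedError` follows immediately, the call signs a certificate that is then discarded; until the database insert exists, the signing step is better placed behind that same NotImplementedError so no serial is consumed by a cert that is never stored or published. The enclosing issue_pdu method starts before this hunk.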
@@ -228,6 +228,57 @@ class X509(DER_object): v6 = v6.intersection(v6_intersector) return as, v4, v6 + def issue(self, keypair, subject_key, serial, sia, aia, crldp, cn = None, notAfter = None, as = None, v4 = None, v6 = None, is_ca = True): + + now = time.time() + + aki = self.get_SKI() + + ski = POW.Digest(POW.SHA1_DIGEST) + ski.update(subject_key) + ski = ski.digest() + + if cn is None: + cn = "".join(("%02X" % ord(i) for i in ski)) + + if notAfter is None: + notAfter = now + 30 * 24 * 60 * 60 + + cert = POW.pkix.Certificate() + cert.setVersion(2) + cert.setSerial(serial) + cert.setIssuer(self.get_POWpkix().getSubject()) + cert.setSubject(((((2, 5, 4, 3), ("printableString", cn)),),)) + cert.setNotBefore(("UTCTime", POW.pkix.time2utc(now))) + cert.setNotAfter(("UTCTime", POW.pkix.time2utc(notAfter))) + cert.tbs.subjectPublicKeyInfo.set(subject_key) + + exts = [ ("subjectKeyIdentifier", False, ski), + ("authorityKeyIdentifier", False, (aki, (), None)), + ("cRLDistributionPoints", False, ((("fullName", (("uri", crldp),)), None, ()),)), + ("authorityInfoAccess", False, aia), # (((1, 3, 6, 1, 5, 5, 7, 48, 2), ('uri', 'rsync://repository.apnic.net/TRUSTANCHORS/apnic.cer')),) + ("subjectInfoAccess", False, sia), # (((1, 3, 6, 1, 5, 5, 7, 48, 5), ('uri', 'rsync://repository.apnic.net/APNIC/q66IrWSGuBE7jqx8PAUHAlHCqRw/')),) + ("certificatePolicies", True, (((1, 3, 6, 1, 5, 5, 7, 14, 2), ()),)) ] + + if is_ca: + exts.append(("basicConstraints", True, (1, None))) + exts.append(("keyUsage", True, (0, 0, 0, 0, 0, 1, 1))) + else: + exts.append(("keyUsage", True, (1,))) + + if as: + exts.append(("sbgp-autonomousSysNum", True, (as.to_tuple(), None))) + if v4 or v6: + exts.append(("sbgp-ipAddrBlock", True, [x for x in (v4.to_tuple(), v6.to_tuple()) if x is not None])) + + for x in exts: + x[0] = POW.pkix.obj2oid(x[0]) + cert.setExtensions(exts) + + cert.sign(keypair.get_POW(), POW.SHA256_DIGEST) + + return X509(POWpkix = cert) + class X509_chain(list): """Collections of certs. 
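Review bot: `for x in exts: x[0] = POW.pkix.obj2oid(x[0])` assigns into tuples, so the first iteration raises TypeError before `cert.setExtensions(exts)` is reached; rebuild the list instead, `exts = [(POW.pkix.obj2oid(name), crit, val) for name, crit, val in exts]`. The sbgp-ipAddrBlock branch has a related problem: `if v4 or v6` admits the case where one of the two is None, and `(v4.to_tuple(), v6.to_tuple())` then fails on the None side; `[t for t in (r.to_tuple() for r in (v4, v6) if r is not None) if t is not None]` keeps the existing None filtering while skipping an absent set. issue() also has no docstring; a short one should say that the cert is signed with the issuer's keypair, that cn defaults to the hex SHA-1 of subject_key, that notAfter defaults to 30 days from now, and that is_ca selects the basicConstraints/keyUsage pair. The sia, aia and crldp values are written into the cert verbatim, so the caller is responsible for validating them; a one-line comment on the signature stating that contract would help, given that up_down.py takes sia straight from the request.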
diff --git a/scripts/test-pow.py b/scripts/test-pow.py index cad5b729..f371cc46 100644 --- a/scripts/test-pow.py +++ b/scripts/test-pow.py @@ -70,13 +70,15 @@ apnic = base64.b64decode(APNIC_Root) verbose = True for der in (alice, apnic): - print POW.derRead(POW.X509_CERTIFICATE, der).pprint() + cert = POW.derRead(POW.X509_CERTIFICATE, der) + print cert.pprint() cert = POW.pkix.Certificate() cert.fromString(der) if verbose: for oid, crit, val in cert.getExtensions(): - print " OID: ", oid, POW.pkix.oid2obj(oid) - print " Val:", val + print " OID: ", oid, POW.pkix.oid2obj(oid) + print " Crit: ", crit + print " Value:", val print as, v4, v6 = rpki.resource_set.parse_extensions(cert.getExtensions()) if as: print ",".join(map(lambda x: "AS:" + str(x), as)) |
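Review bot: The `cert` bound on the first added line is overwritten two lines later by `cert = POW.pkix.Certificate()`, so the POW X509 object lives only for the pprint call; either keep the one-line `print POW.derRead(POW.X509_CERTIFICATE, der).pprint()` or give it a distinct name such as `powcert`. The three added labels `" OID: "`, `" Crit: "` and `" Value:"` have uneven trailing spacing, so the printed columns no longer line up; padding them to the same width (`" OID:   "`, `" Crit:  "`, `" Value: "`) keeps the output readable.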