-rw-r--r-- | scripts/rpki/cms.py | 176 | ||||
-rwxr-xr-x | scripts/rpkid.py | 3 | ||||
-rw-r--r-- | scripts/testbed.1.yaml | 1 | ||||
-rw-r--r-- | scripts/testbed.py | 55 |
4 files changed, 137 insertions, 98 deletions
diff --git a/scripts/rpki/cms.py b/scripts/rpki/cms.py
index 6341aa53..bf8531c1 100644
--- a/scripts/rpki/cms.py
+++ b/scripts/rpki/cms.py
@@ -20,7 +20,9 @@ For the moment these just call the OpenSSL CLI tool, which is slow, requires disk I/O, and likes PEM format. Fix this later. """
-import os, rpki.x509, rpki.exceptions, lxml.etree, rpki.log
+import os, rpki.x509, rpki.exceptions, lxml.etree, rpki.log, POW
+
+cmstest = False
 debug = 1
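Review bot: `cmstest = False` is a module-level switch that another module (rpkid.py in this commit) flips at startup to route sign() and verify() through the POW bindings instead of the OpenSSL CLI path, but nothing at the definition says so, and a reader of cms.py alone cannot tell who sets it or when. Add a comment above it: `# Process-wide switch: True selects the POW-based CMS signer/verifier, False the OpenSSL CLI path. Set by rpkid.py from the "cmstest" config option at startup; must be set before the first sign()/verify() call.` The last clause is an inference from the flag being read on every call rather than captured once; confirm against the callers.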
@@ -37,86 +39,98 @@ def sign(plaintext, keypair, certs): certs.chainsort() - mypid = str(os.getpid()) + if not cmstest: - rpki.log.trace() + rpki.log.info("Running old CMS signer") - signer_filename = "cms.tmp." + mypid + ".signer.pem" - certfile_filename = "cms.tmp." + mypid + ".certfile.pem" - plaintext_filename = "cms.tmp." + mypid + ".plaintext" - signed_filename = "cms.tmp." + mypid + ".signed" - key_filename = "cms.tmp." + mypid + ".key.pem" - - rpki.log.trace() + mypid = str(os.getpid()) - f = open(signer_filename, "w") - f.write(certs[0].get_PEM()) - f.close() + rpki.log.trace() - rpki.log.trace() + signer_filename = "cms.tmp." + mypid + ".signer.pem" + certfile_filename = "cms.tmp." + mypid + ".certfile.pem" + plaintext_filename = "cms.tmp." + mypid + ".plaintext" + signed_filename = "cms.tmp." + mypid + ".signed" + key_filename = "cms.tmp." + mypid + ".key.pem" - f = open(certfile_filename, "w") - for cert in certs[1:]: - f.write(cert.get_PEM()) - f.close() + rpki.log.trace() - rpki.log.trace() + f = open(signer_filename, "w") + f.write(certs[0].get_PEM()) + f.close() - f = open(plaintext_filename, "w") - f.write(plaintext) - f.close() + rpki.log.trace() - rpki.log.trace() + f = open(certfile_filename, "w") + for cert in certs[1:]: + f.write(cert.get_PEM()) + f.close() - # This is evil, key should NOT be on disk, but OpenSSL CLI goes into - # a spin wait sometimes and I now suspect it's an I/O problem. - # So we whack this with chmod() to minimize the risk. 
- - f = open(key_filename, "w") - f.close() - os.chmod(key_filename, 0600) - f = open(key_filename, "w") - f.write(keypair.get_PEM()) - f.close() - os.chmod(key_filename, 0600) - - cmd = ("openssl", "smime", "-sign", "-nodetach", "-outform", "DER", "-binary", - "-inkey", key_filename, - "-signer", signer_filename, - "-certfile", certfile_filename, - "-in", plaintext_filename, - "-out", signed_filename) + rpki.log.trace() - rpki.log.trace() + f = open(plaintext_filename, "w") + f.write(plaintext) + f.close() - pid = os.fork() + rpki.log.trace() + + # This is evil, key should NOT be on disk, but OpenSSL CLI goes into + # a spin wait sometimes and I now suspect it's an I/O problem. + # So we whack this with chmod() to minimize the risk. + + f = open(key_filename, "w") + f.close() + os.chmod(key_filename, 0600) + f = open(key_filename, "w") + f.write(keypair.get_PEM()) + f.close() + os.chmod(key_filename, 0600) + + cmd = ("openssl", "smime", "-sign", "-nodetach", "-outform", "DER", "-binary", + "-inkey", key_filename, + "-signer", signer_filename, + "-certfile", certfile_filename, + "-in", plaintext_filename, + "-out", signed_filename) - if pid == 0: rpki.log.trace() - os.execvp(cmd[0], cmd) - raise rpki.exceptions.SubprocessError, "os.execvp() returned, which should never happen" - rpki.log.trace() + pid = os.fork() + + if pid == 0: + rpki.log.trace() + os.execvp(cmd[0], cmd) + raise rpki.exceptions.SubprocessError, "os.execvp() returned, which should never happen" - assert pid != 0 + rpki.log.trace() - retpid, status = os.waitpid(pid, 0) + assert pid != 0 - rpki.log.trace() + retpid, status = os.waitpid(pid, 0) - if status != 0: - raise rpki.exceptions.SubprocessError, "CMS signing command returned status 0x%x" % status + rpki.log.trace() - rpki.log.trace() + if status != 0: + raise rpki.exceptions.SubprocessError, "CMS signing command returned status 0x%x" % status - f = open(signed_filename, "r") - cms = f.read() - f.close() + rpki.log.trace() - rpki.log.trace() + 
f = open(signed_filename, "r") + cms = f.read() + f.close() + + rpki.log.trace() + + for f in (key_filename, signer_filename, certfile_filename, plaintext_filename, signed_filename): + os.unlink(f) + + else: # cmstest - for f in (key_filename, signer_filename, certfile_filename, plaintext_filename, signed_filename): - os.unlink(f) + rpki.log.info("Running new CMS signer") + + p7 = POW.PKCS7() + p7.sign(certs[0].get_POW(), keypair.get_POW(), [x.get_POW() for x in certs[1:]], plaintext) + cms = p7.derWrite() rpki.log.trace()
@@ -141,23 +155,41 @@ def verify(cms, ta): print "Verifying CMS:" dumpasn1(cms) - mypid = str(os.getpid()) + if not cmstest: + + rpki.log.info("Running old CMS verifier") + + mypid = str(os.getpid()) + + ta_filename = "cms.tmp." + mypid + ".ta.pem" + + f = open(ta_filename, "w") + f.write(ta.get_PEM()) + f.close() - ta_filename = "cms.tmp." + mypid + ".ta.pem" + i,o,e = os.popen3(("openssl", "smime", "-verify", "-inform", "DER", "-binary", "-CAfile", ta_filename)) + i.write(cms) + i.close() + plaintext = o.read() + o.close() + status = e.read() + e.close() - f = open(ta_filename, "w") - f.write(ta.get_PEM()) - f.close() + os.unlink(ta_filename) - i,o,e = os.popen3(("openssl", "smime", "-verify", "-inform", "DER", "-binary", "-CAfile", ta_filename)) - i.write(cms) - i.close() - plaintext = o.read() - o.close() - status = e.read() - e.close() + else: # cmstest + + rpki.log.info("Running new CMS verifier") + + p7 = POW.derRead(POW.PKCS7_MESSAGE, cms) + + store = POW.X509Store() + store.addTrust(ta.get_POW()) + + plaintext = p7.verify(store) + return plaintext - os.unlink(ta_filename) + # never get here with new verifier, throws exception if status == "Verification successful\n": return plaintext
diff --git a/scripts/rpkid.py b/scripts/rpkid.py
index bf114c6e..fc84ca32 100755
--- a/scripts/rpkid.py
+++ b/scripts/rpkid.py
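Review bot: In the old-signer branch the `os.unlink` loop runs only on the success path, so when `status != 0` raises `SubprocessError` all five `cms.tmp.<pid>.*` files — including `key_filename`, which holds the private key PEM — are left behind in the working directory. Wrap the fork/wait/read section in `try`/`finally` so cleanup always runs, tolerating a missing `signed_filename` when openssl fails before writing it. The create-then-`chmod` sequence on `key_filename` also leaves a short window in which the file exists with umask permissions; creating it with `os.open(key_filename, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0600)` closes that window. `sign()` begins and ends outside this hunk.
```python
    rpki.log.trace()

    try:
      pid = os.fork()
      # … unchanged: execvp in the child, waitpid, status check, read of signed_filename into cms …
    finally:
      # Also runs on the SubprocessError path, so the on-disk private key never outlives this call.
      for f in (key_filename, signer_filename, certfile_filename, plaintext_filename, signed_filename):
        if os.path.exists(f):
          os.unlink(f)
```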
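Review bot: The new-verifier branch returns `p7.verify(store)` without inspecting the result, and the only statement of its failure contract is `# never get here with new verifier, throws exception`, which is placed after the branch where it reads as describing the old path's status check. If the POW binding reports a bad signature by return value rather than by raising — the hunk does not show which — a forged message would come back as an empty or None plaintext with no error. Move that comment inside the `else:` branch next to the `verify` call and add a guard such as `if plaintext is None: raise <the verification-failure exception the old path raises below>` so both branches fail the same way. `verify()` continues past the end of this hunk.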
@@ -126,6 +126,9 @@ startup_msg = cfg.get("startup-message", "") if startup_msg: rpki.log.info(startup_msg) +if cfg.get("cmstest", False): + rpki.cms.cmstest = True + gctx = global_context(cfg) rpki.https.server(privateKey = gctx.https_key,
diff --git a/scripts/testbed.1.yaml b/scripts/testbed.1.yaml
index fa8bd6f8..908db21b 100644
--- a/scripts/testbed.1.yaml
+++ b/scripts/testbed.1.yaml
@@ -6,6 +6,7 @@ valid_for: 2d sia_base: "rsync://wombat.invalid/" kids: - name: R0 + extra_conf: [ "cmstest = 1" ] kids: - name: Alice ipv4: 192.0.2.1-192.0.2.33
diff --git a/scripts/testbed.py b/scripts/testbed.py
index c7783dcb..3e5d33d0 100644
--- a/scripts/testbed.py
+++ b/scripts/testbed.py
@@ -340,6 +340,7 @@ class allocation(object): v6 = rpki.resource_set.resource_set_ipv6(yaml.get("ipv6")), valid_until = valid_until) self.sia_base = yaml.get("sia_base") + self.extra_conf = yaml.get("extra_conf", []) def closure(self): """Compute the transitive resource closure."""
@@ -410,6 +411,8 @@ class allocation(object): "rpki_port" : self.rpki_port } f = open(self.name + ".conf", "w") f.write(conf_fmt_1 % d) + for line in self.extra_conf: + f.write(line + "\n") f.close() def setup_sql(self, rpki_sql, irdb_sql):
@@ -673,32 +676,6 @@ requests: conf_fmt_1 = '''\ -[rpkid] - -startup-message = This is %(my_name)s rpkid - -sql-database = %(rpki_db_name)s -sql-username = rpki -sql-password = %(rpki_db_pass)s - -cms-key = %(my_name)s-RPKI-EE.key -cms-cert.0 = %(my_name)s-RPKI-EE.cer -cms-cert.1 = %(my_name)s-RPKI-CA.cer - -cms-ta-irdb = %(my_name)s-IRDB-TA.cer -cms-ta-irbe = %(testbed_name)s-TA.cer - -https-key = %(my_name)s-RPKI-EE.key -https-cert.0 = %(my_name)s-RPKI-EE.cer -https-cert.1 = %(my_name)s-RPKI-CA.cer - -https-ta = %(my_name)s-IRDB-TA.cer - -irdb-url = https://localhost:%(irdb_port)d/ - -server-host = localhost -server-port = %(rpki_port)d - [irdbd] startup-message = This is %(my_name)s irdbd
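Review bot: `cfg.get("cmstest", False)` is tested for truthiness, so if `cfg.get` hands back the raw string from the config file — which the testbed's generated `cmstest = 1` line suggests, though the hunk does not show the cfg type — then `cmstest = 0` or `cmstest = false` would still switch the daemon onto the experimental POW signer and verifier. Compare against explicit values instead, e.g. `if str(cfg.get("cmstest", "0")).lower() in ("1", "true", "yes"):`, and log which CMS implementation was selected, since the setting decides what signs and verifies every message the daemon exchanges.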
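Review bot: The `extra_conf` lines written after `f.write(conf_fmt_1 % d)` only land in the `[rpkid]` section because the `@@ -673` and `@@ -731` hunks move that section to the end of the template, and that coupling is invisible at the write site. Add a comment on the loop, `# extra_conf lines are appended verbatim and so fall into the last section of conf_fmt_1, which must remain [rpkid]`, and a matching one above the relocated `[rpkid]` block in the template. The lines are also not validated, so a stray `[section]` header in the YAML would silently redirect every option after it; acceptable for a trusted testbed input, but worth stating in the same comment.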
@@ -731,6 +708,32 @@ https-certs.1 = %(testbed_name)s-CA.cer https-tas = %(my_name)s-RPKI-TA.cer https-url = https://localhost:%(rpki_port)d/left-right + +[rpkid] + +startup-message = This is %(my_name)s rpkid + +sql-database = %(rpki_db_name)s +sql-username = rpki +sql-password = %(rpki_db_pass)s + +cms-key = %(my_name)s-RPKI-EE.key +cms-cert.0 = %(my_name)s-RPKI-EE.cer +cms-cert.1 = %(my_name)s-RPKI-CA.cer + +cms-ta-irdb = %(my_name)s-IRDB-TA.cer +cms-ta-irbe = %(testbed_name)s-TA.cer + +https-key = %(my_name)s-RPKI-EE.key +https-cert.0 = %(my_name)s-RPKI-EE.cer +https-cert.1 = %(my_name)s-RPKI-CA.cer + +https-ta = %(my_name)s-IRDB-TA.cer + +irdb-url = https://localhost:%(irdb_port)d/ + +server-host = localhost +server-port = %(rpki_port)d ''' rootd_fmt_1 = '''\ |