-rw-r--r--rpkid/rpki/gctx.py33
-rw-r--r--rpkid/rpki/https.py16
-rwxr-xr-xrpkid/rpkid.py17
-rw-r--r--rpkid/testbed.py7
-rw-r--r--rpkid/testpoke.py9
5 files changed, 63 insertions, 19 deletions
diff --git a/rpkid/rpki/gctx.py b/rpkid/rpki/gctx.py
index b1ecdcd0..fd25b5ba 100644
--- a/rpkid/rpki/gctx.py
+++ b/rpkid/rpki/gctx.py
@@ -23,6 +23,9 @@ import traceback, os, time, getopt, sys, MySQLdb, lxml.etree
import rpki.resource_set, rpki.up_down, rpki.left_right, rpki.x509, rpki.sql
import rpki.https, rpki.config, rpki.cms, rpki.exceptions, rpki.relaxng, rpki.log
+# This should be wrapped somewhere in rpki.x509 eventually
+import POW
+
class global_context(object):
"""A container for various global parameters."""
@@ -159,3 +162,33 @@ class global_context(object):
s.regenerate_crls_and_manifests()
self.sql_sweep()
return 200, "OK"
+
+ def build_x509store(self):
+ """Build a dynamic x509store object. This is horribly
+ inefficient, so will require some kind of caching scheme
+ eventually, but the task at hand is just to confirm that this
+ method will work at all.
+ """
+
+ store = POW.X509Store()
+
+ def add_anchors(x, y = None):
+ if x is not None:
+ rpki.log.debug("HTTPS dynamic trust anchor %s" % x.getSubject())
+ store.addTrust(x.get_POW())
+ if y is not None and y != x:
+ rpki.log.debug("HTTPS dynamic trust anchor %s" % y.getSubject())
+ store.addTrust(y.get_POW())
+
+ for parent in rpki.left_right.parent_elt.sql_fetch_all(self):
+ add_anchors(parent.cms_ta, parent.https_ta)
+
+ for child in rpki.left_right.child_elt.sql_fetch_all(self):
+ add_anchors(child.cms_ta)
+
+ for repository in rpki.left_right.repository_elt.sql_fetch_all(self):
+ add_anchors(repository.cms_ta, repository.https_ta)
+
+ add_anchors(self.https_ta_irbe[0])
+
+ return store
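Review bot: `add_anchors(self.https_ta_irbe[0])` puts only the first IRBE anchor into the dynamic store, while rpkid.py hands the whole `gctx.https_ta_irbe` sequence to the static Checker as `client_ta`; if that attribute can hold more than one certificate, the remaining anchors are silently dropped here, so `for ta in self.https_ta_irbe: add_anchors(ta)` would match the static path. The docstring should also say that this store is the union of every parent's, child's and repository's CMS and HTTPS anchors, so a TLS peer chaining to any one of them is accepted regardless of which entity it claims to be, and any per-peer binding has to happen elsewhere. The `y != x` test only dedupes if the x509 wrapper defines equality; otherwise it is an identity comparison and the same anchor may be added twice, which is presumably harmless but deserves a comment.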
diff --git a/rpkid/rpki/https.py b/rpkid/rpki/https.py
index 9659fe73..7fd0c5f2 100644
--- a/rpkid/rpki/https.py
+++ b/rpkid/rpki/https.py
@@ -24,11 +24,11 @@ general version should use SQL anyway.
import httplib, BaseHTTPServer, tlslite.api, glob, traceback, urlparse, socket
import rpki.x509, rpki.exceptions, rpki.log
-# This probably should be wrapped somewhere in rpki.x509 eventually
+# This should be wrapped somewhere in rpki.x509 eventually
import POW
-# Not for production use!
-disable_tls_certificate_validation_exceptions = True
+# Do not set this to True for production use!
+disable_tls_certificate_validation_exceptions = False
rpki_content_type = "application/x-rpki"
@@ -45,6 +45,8 @@ class Checker(tlslite.api.Checker):
for x in trust_anchors:
rpki.log.debug("HTTPS trust anchor %s" % x.getSubject())
self.x509store.addTrust(x.get_POW())
+ else:
+ rpki.log.debug("HTTPS dynamic trust anchors")
def x509store_thunk(self):
if self.dynamic_x509store is not None:
@@ -105,6 +107,9 @@ def client(msg, client_key, client_certs, server_ta, url, timeout = 300):
u.query == "" and \
u.fragment == ""
+ for client_cert in client_certs:
+ rpki.log.debug("Sending client TLS cert %s" % client_cert.getSubject())
+
# We could add a "settings = foo" argument to the following call to
# pass in a tlslite.HandshakeSettings object that would let us
# insist on, eg, particular SSL/TLS versions.
@@ -177,6 +182,7 @@ class httpsServer(tlslite.api.TLSSocketServerMixIn, BaseHTTPServer.HTTPServer):
assert self.rpki_server_certs is not None
assert self.rpki_server_key is not None
assert self.rpki_sessionCache is not None
+
try:
#
# We could add a "settings = foo" argument to the following call
@@ -194,7 +200,7 @@ class httpsServer(tlslite.api.TLSSocketServerMixIn, BaseHTTPServer.HTTPServer):
rpki.log.warn("TLS handshake failure: " + str(error))
return False
-def server(handlers, server_key, server_certs, port = 4433, host = "", client_ta = None):
+def server(handlers, server_key, server_certs, port = 4433, host = "", client_ta = None, dynamic_x509store = None):
"""Run an HTTPS server and wait (forever) for connections."""
if not isinstance(handlers, (tuple, list)):
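Review bot: The new `dynamic_x509store` parameter on `server()` is not described in the docstring, and its contract is only inferable from rpkid.py passing the bound method `gctx.build_x509store` uncalled and from `Checker.x509store_thunk` branching on `dynamic_x509store is not None`. Suggest extending the docstring with a sentence such as `dynamic_x509store, if given, is a zero-argument callable returning a POW.X509Store that is consulted in preference to the static client_ta anchors`, worded to match whatever x509store_thunk actually does, since its body is outside this hunk. The body of server() continues past the hunk.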
@@ -208,6 +214,6 @@ def server(handlers, server_key, server_certs, port = 4433, host = "", client_ta
httpd.rpki_server_key = server_key.get_tlslite()
httpd.rpki_server_certs = server_certs.tlslite_certChain()
httpd.rpki_sessionCache = tlslite.api.SessionCache()
- httpd.rpki_checker = Checker(trust_anchors = client_ta)
+ httpd.rpki_checker = Checker(trust_anchors = client_ta, dynamic_x509store = dynamic_x509store)
httpd.serve_forever()
diff --git a/rpkid/rpkid.py b/rpkid/rpkid.py
index e6fbb370..7ea22a46 100755
--- a/rpkid/rpkid.py
+++ b/rpkid/rpkid.py
@@ -52,11 +52,12 @@ if startup_msg:
gctx = rpki.gctx.global_context(cfg)
-rpki.https.server(server_key = gctx.https_key,
- server_certs = gctx.https_certs,
- client_ta = gctx.https_ta_irbe,
- host = gctx.https_server_host,
- port = gctx.https_server_port,
- handlers = (("/left-right", gctx.left_right_handler),
- ("/up-down/", gctx.up_down_handler),
- ("/cronjob", gctx.cronjob_handler)))
+rpki.https.server(host = gctx.https_server_host,
+ port = gctx.https_server_port,
+ server_key = gctx.https_key,
+ server_certs = gctx.https_certs,
+ client_ta = gctx.https_ta_irbe,
+ dynamic_x509store = gctx.build_x509store,
+ handlers = (("/left-right", gctx.left_right_handler),
+ ("/up-down/", gctx.up_down_handler),
+ ("/cronjob", gctx.cronjob_handler)))
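Review bot: `client_ta = gctx.https_ta_irbe` and `dynamic_x509store = gctx.build_x509store` are both passed, but with a dynamic store set the Checker appears to consult it instead of the static anchors (`x509store_thunk` branches on `dynamic_x509store is not None` in https.py), so the static `client_ta` is likely inert here. Either drop it or add a comment such as `# client_ta is only consulted when no dynamic store is supplied` so the next reader does not assume both anchor sets are trusted.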
diff --git a/rpkid/testbed.py b/rpkid/testbed.py
index daa73f50..a6843a08 100644
--- a/rpkid/testbed.py
+++ b/rpkid/testbed.py
@@ -409,7 +409,7 @@ class allocation(object):
def apply_revoke(self, target):
if self.is_leaf():
rpki.log.info("Attempting to revoke YAML leaf %s" % self.name)
- subprocess.check_call((prog_python, prog_poke, "-y", self.name + ".yaml", "-r", "revoke"))
+ subprocess.check_call((prog_python, prog_poke, "-y", self.name + ".yaml", "-r", "revoke", "-d"))
elif target is None:
rpki.log.info("Revoking <self/> %s" % self.name)
self.call_rpkid(rpki.left_right.self_elt.make_pdu(action = "set", self_id = self.self_id, revoke = "yes"))
@@ -634,8 +634,8 @@ class allocation(object):
def run_yaml(self):
"""Run YAML scripts for this leaf entity."""
rpki.log.info("Running YAML for %s" % self.name)
- subprocess.check_call((prog_python, prog_poke, "-y", self.name + ".yaml", "-r", "list"))
- subprocess.check_call((prog_python, prog_poke, "-y", self.name + ".yaml", "-r", "issue"))
+ subprocess.check_call((prog_python, prog_poke, "-y", self.name + ".yaml", "-r", "list", "-d"))
+ subprocess.check_call((prog_python, prog_poke, "-y", self.name + ".yaml", "-r", "issue", "-d"))
def setup_biz_cert_chain(name):
"""Build a set of business certs."""
@@ -764,6 +764,7 @@ cms-cert-chain-file: [ %(my_name)s-RPKI-CA.cer ]
ssl-cert-file: %(my_name)s-RPKI-EE.cer
ssl-key-file: %(my_name)s-RPKI-EE.key
ssl-ca-cert-file: %(parent_name)s-RPKI-TA.cer
+ssl-cert-chain-file: [ %(my_name)s-RPKI-CA.cer ]
requests:
list:
diff --git a/rpkid/testpoke.py b/rpkid/testpoke.py
index 185c99ea..d964b72c 100644
--- a/rpkid/testpoke.py
+++ b/rpkid/testpoke.py
@@ -21,6 +21,7 @@ Configuration file is YAML to be compatable with APNIC rpki_poke.pl tool.
Usage: python testpoke.py [ { -y | --yaml } configfile ]
[ { -r | --request } requestname ]
+ [ { -d | --debug } ]
[ { -h | --help } ]
Default configuration file is testpoke.yaml, override with --yaml option.
@@ -29,7 +30,7 @@ Default configuration file is testpoke.yaml, override with --yaml option.
import os, time, getopt, sys, lxml, yaml
import rpki.resource_set, rpki.up_down, rpki.left_right, rpki.x509
import rpki.https, rpki.config, rpki.cms, rpki.exceptions
-import rpki.relaxng, rpki.oids
+import rpki.relaxng, rpki.oids, rpki.log
os.environ["TZ"] = "UTC"
time.tzset()
@@ -41,7 +42,7 @@ def usage(code):
yaml_file = "testpoke.yaml"
yaml_cmd = None
-opts,argv = getopt.getopt(sys.argv[1:], "y:r:h?", ["yaml=", "request=", "help"])
+opts,argv = getopt.getopt(sys.argv[1:], "y:r:h?d", ["yaml=", "request=", "help", "debug"])
for o,a in opts:
if o in ("-h", "--help", "-?"):
usage(0)
@@ -49,6 +50,8 @@ for o,a in opts:
yaml_file = a
elif o in ("-r", "--request"):
yaml_cmd = a
+ elif o in ("-d", "--debug"):
+ rpki.log.init("testpoke")
if argv:
usage(1)
@@ -125,7 +128,7 @@ cms_cert = get_PEM("cms-cert", rpki.x509.X509)
cms_key = get_PEM("cms-key", rpki.x509.RSA)
cms_certs = get_PEM_chain("cms-cert-chain", cms_cert)
-https_ta = get_PEM("ssl-ta", rpki.x509.X509)
+https_ta = get_PEM("ssl-ca-cert", rpki.x509.X509)
https_key = get_PEM("ssl-key", rpki.x509.RSA)
https_cert = get_PEM("ssl-cert", rpki.x509.X509)
https_certs = get_PEM_chain("ssl-cert-chain", https_cert)
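Review bot: Renaming the lookup key from `ssl-ta` to `ssl-ca-cert` means any existing testpoke YAML that still uses `ssl-ta` will no longer supply an HTTPS trust anchor; what `get_PEM` does for a missing key is outside the hunk, so this may fail loudly or may run on without a TLS anchor. The usage text in this file lists only command-line options, so the rename is worth a line in the commit message or a fallback `get_PEM` on the old key that logs a deprecation warning.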