-rw-r--r--pow/POW-0.7/POW.c16
-rw-r--r--rpkid/Makefile4
-rwxr-xr-xrpkid/irbe-cli.py6
-rw-r--r--rpkid/irbe-setup.py4
-rw-r--r--rpkid/left-right-protocol-samples.xml (renamed from docs/left-right-xml)61
-rw-r--r--rpkid/left-right-protocol-samples.xsl28
-rw-r--r--rpkid/left-right-protocol-samples/pdu.013.xml13
-rw-r--r--rpkid/left-right-protocol-samples/pdu.016.xml19
-rw-r--r--rpkid/left-right-protocol-samples/pdu.018.xml19
-rw-r--r--rpkid/left-right-schema.rnc6
-rw-r--r--rpkid/left-right-schema.rng14
-rw-r--r--rpkid/rpki/__init__.py2
-rw-r--r--rpkid/rpki/gctx.py18
-rw-r--r--rpkid/rpki/left_right.py69
-rw-r--r--rpkid/rpki/relaxng.py16
-rw-r--r--rpkid/rpki/x509.py22
-rw-r--r--rpkid/rpkid.sql12
-rw-r--r--rpkid/testbed.py27
-rwxr-xr-xrpkid/xml-parse-test.py4
19 files changed, 161 insertions, 199 deletions
diff --git a/pow/POW-0.7/POW.c b/pow/POW-0.7/POW.c
index ca6af89e..5a92acdb 100644
--- a/pow/POW-0.7/POW.c
+++ b/pow/POW-0.7/POW.c
@@ -6857,7 +6857,6 @@ CMS_object_sign(cms_object *self, PyObject *args)
BIO *bio = NULL;
CMS_ContentInfo *cms = NULL;
ASN1_OBJECT *econtent_type = NULL;
- X509_CRL *crl = NULL;
if (!PyArg_ParseTuple(args, "O!O!s#|OOsI",
&x509type, &signcert,
@@ -6926,27 +6925,20 @@ CMS_object_sign(cms_object *self, PyObject *args)
assert_no_unhandled_openssl_errors();
if (crl_sequence != Py_None) {
-
if (!PyTuple_Check(crl_sequence) && !PyList_Check(crl_sequence))
lose_type_error("inapropriate type");
-
n = PySequence_Size( crl_sequence );
-
for (i = 0; i < n; i++) {
if ( !(crlobj = (x509_crl_object *) PySequence_GetItem(crl_sequence, i)))
goto error;
-
if (!X_X509_crl_Check(crlobj))
lose_type_error("inappropriate type");
-
- if ( !(crl = X509_CRL_dup(crlobj->crl)))
- lose_type_error("couldn't clone CRL");
-
+ if (!crlobj->crl)
+ lose("CRL object with null crl field!");
assert_no_unhandled_openssl_errors();
-
- if (!CMS_add0_crl(self->cms, crl))
+ if (!CMS_add0_crl(self->cms, crlobj->crl))
lose_openssl_error("could not add CRL to CMS");
-
+ CRYPTO_add(&crlobj->crl->references, 1, CRYPTO_LOCK_X509_CRL);
Py_DECREF(crlobj);
crlobj = NULL;
}
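Review bot: The ownership hand-off on the new `CMS_add0_crl(self->cms, crlobj->crl)` / `CRYPTO_add(...)` pair is subtle and undocumented: by OpenSSL's add0 convention the CMS takes over the reference it is given, so the CRYPTO_add() on the following line is the only thing keeping the Python x509_crl_object's pointer valid once the CMS is freed. A comment there would stop the next reader from reintroducing the X509_CRL_dup() this commit removes, e.g. `/* add0: the CMS now owns this reference, so take another one for crlobj */`. The bump happens only after a successful add, so the failure path leaves the count untouched, which is consistent as long as nothing frees self->cms between the two calls. CMS_object_sign continues outside the hunk.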
diff --git a/rpkid/Makefile b/rpkid/Makefile
index 9c565132..535bb261 100644
--- a/rpkid/Makefile
+++ b/rpkid/Makefile
@@ -7,8 +7,8 @@
all:: left-right-protocol-samples/.stamp
-left-right-protocol-samples/.stamp: left-right-protocol-samples.xsl ../docs/left-right-xml
- xsltproc left-right-protocol-samples.xsl ../docs/left-right-xml
+left-right-protocol-samples/.stamp: left-right-protocol-samples.xsl left-right-protocol-samples.xml
+ xsltproc left-right-protocol-samples.xsl left-right-protocol-samples.xml
touch $@
all:: left-right-schema.rng
diff --git a/rpkid/irbe-cli.py b/rpkid/irbe-cli.py
index 02c55a6c..eea87ff4 100755
--- a/rpkid/irbe-cli.py
+++ b/rpkid/irbe-cli.py
@@ -95,7 +95,11 @@ class bsc_elt(cmd_mixin, rpki.left_right.bsc_elt):
def client_query_signing_cert(self, arg):
"""--signing_cert option."""
- self.signing_cert.append(rpki.x509.X509(Auto_file=arg))
+ self.signing_cert = rpki.x509.X509(Auto_file=arg)
+
+ def client_query_signing_cert_crl(self, arg):
+ """--signing_cert_crl option."""
+ self.signing_cert_crl = rpki.x509.CRL(Auto_file=arg)
def client_reply_decode(self):
global pem_out
diff --git a/rpkid/irbe-setup.py b/rpkid/irbe-setup.py
index 1ded8e3e..9531cda7 100644
--- a/rpkid/irbe-setup.py
+++ b/rpkid/irbe-setup.py
@@ -62,7 +62,6 @@ self_id = pdu.self_id
print "Create a business signing context"
pdu = rpki.left_right.bsc_elt.make_pdu(action = "create", self_id = self_id, generate_keypair = True)
-pdu.signing_cert.append(rpki.x509.X509(Auto_file = "biz-certs/Bob-CA.cer"))
pdu = call_rpkid(pdu)
bsc_id = pdu.bsc_id
@@ -77,8 +76,7 @@ cer = rpki.x509.X509(PEM = o.read())
o.close()
print "Set up the business cert chain"
-pdu = rpki.left_right.bsc_elt.make_pdu(action = "set", self_id = self_id, bsc_id = bsc_id)
-pdu.signing_cert.append(cer)
+pdu = rpki.left_right.bsc_elt.make_pdu(action = "set", self_id = self_id, bsc_id = bsc_id, signing_cert = cer)
call_rpkid(pdu)
print "Create a repository context"
diff --git a/docs/left-right-xml b/rpkid/left-right-protocol-samples.xml
index e1d8a866..e6f5328b 100644
--- a/docs/left-right-xml
+++ b/rpkid/left-right-protocol-samples.xml
@@ -15,7 +15,9 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-
- - See left-right-protocol for comments.
+ -
+ - This is a collection of sample left-right protocol PDU samples
+ - to use as test cases for the left-right protocol RelaxNG schema.
-->
<completely_gratuitous_wrapper_element_to_let_me_run_this_through_xmllint>
@@ -238,7 +240,7 @@
</msg>
<msg version="1" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
- <bsc action="set" type="query" self_id="42" bsc_id="17" clear_signing_certs="yes">
+ <bsc action="set" type="query" self_id="42" bsc_id="17">
<signing_cert>
MIIDHTCCAgWgAwIBAgIJAKUUCoKn9ovVMA0GCSqGSIb3DQEBBQUAMCYxJDAiBgNV
BAMTG1Rlc3QgQ2VydGlmaWNhdGUgQWxpY2UgUm9vdDAeFw0wNzA4MDExOTUzMDda
@@ -258,6 +260,17 @@
vvqVBYkoBWRbmcy6wVU8JpYegNNgVRbi6zeAq33gS75m9uy+4z8Ql6DqVF0s/y+/
240tLCW62X98EzrALKsxhkqVZCtdc5HSRaOQr0K3I03S
</signing_cert>
+ <signing_cert_crl>
+ MIIBfjBoAgEBMA0GCSqGSIb3DQEBCwUAMCYxJDAiBgNVBAMTG1Rlc3QgQ2VydGlm
+ aWNhdGUgUklSIFNFTEYtMRcNMDgwNTAxMDQ1MjAxWhcNMDgwNTMxMDQ1MjAxWqAO
+ MAwwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQELBQADggEBACTbbaYh+f4EtXFIKPwH
+ K2NYq/MrhE2BnHDyA43siryddtac1E2bOtXPkC74nY5yGm4wZU07qPovJNGu1McG
+ J2hV2uUyAN00lJU3EikrS1ewz7vqjINar1ZUMDkh0wMYKLB9S8SdwNvCf1vcjshz
+ yasBRse9PCH1R0bmDaP8FZM47P55dKiijaN87HQKyZPOExFslnWH+Nr+mAF1xost
+ pwGcc3jreVZWbtQ2RdUDJYcNrSSCH8JYqd5ZgAYcE53xxy43rKcULz054GDFcS/B
+ rprwJgfrjkPttAl80cfrVOUl77ZFfFxzOeHCmQMl9VSoCxmWvnBCBBO4H7meJ7NO
+ gyc=
+ </signing_cert_crl>
</bsc>
</msg>
@@ -290,25 +303,6 @@
vvqVBYkoBWRbmcy6wVU8JpYegNNgVRbi6zeAq33gS75m9uy+4z8Ql6DqVF0s/y+/
240tLCW62X98EzrALKsxhkqVZCtdc5HSRaOQr0K3I03S
</signing_cert>
- <signing_cert>
- MIIDGDCCAgCgAwIBAgIJANkdU8+R7K3fMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
- BAMTGVRlc3QgQ2VydGlmaWNhdGUgQWxpY2UgQ0EwHhcNMDcwODAxMTk1MzA3WhcN
- MDcwODMxMTk1MzA3WjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEFsaWNl
- IEVFMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA64aCougbqPB/PjR9
- ipPd5c/QGlKh8QsCvh4ka3VjRp+zCUEiOI6W7hKUGVoNlqwFjZo2CsqX8qoW0e/S
- sQp9RMH80jgYjfxVPvK3S+sMoXredH+PhOqttf1rCEXbvqP4t9FWUdKJz558oHbO
- MXirP7MFUrWk96F/id+BFG01aKy9RE68DlkcPZAJjpcQ0kEYCIyAQckqgVrIaH2X
- QiEtB5asHrvGH0N5fmUWDeBfHTGVI3dbc6nLU9RYlVo/RCo0C38fi44/PIdnJCZG
- 4+m2ZXG+QbhNWVr4BsSIpF0oiQDelrebDrK4TYJ4skfwLHdlmJbtaeG7zwukDQkN
- CIIXRwIDAQABo00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBTjSaMtxysroFSek8cD
- OTdc6+ZY0jAfBgNVHSMEGDAWgBReiOCEd94f7LzmuFbMNonD6PE4GjANBgkqhkiG
- 9w0BAQUFAAOCAQEAH8ccePGVdGeytS14upV+20hxsGHLS66XxZJlQyQmYOwy4OL9
- F17VODm7UC3h6qnAGbNCvRa6TPah1gRWfwkZDlYC48whDlxi2QX23PcuVKstrv3i
- MiVcTm6AuVyfDn4DJ89TDUY+bPFne46lpSBxt9xXg6UsHMSthoerTYVcaYNHoGpt
- wQPCgrYT/bdQeUpAL7rtha+by0x74vUgO8W84MX0XjCWqXgyP/XBlqxjx7B9Gydw
- 5tNbASf9blRIQcQ9uy+S8mOlHQWfOhe6nN++LhVxYlOzdDKFboTmCwYZwNJHhnRl
- okQ8do5ItBt92MoJgI26PoOiE3xXVyuYb1b7vw==
- </signing_cert>
</bsc>
</msg>
@@ -337,25 +331,6 @@
vvqVBYkoBWRbmcy6wVU8JpYegNNgVRbi6zeAq33gS75m9uy+4z8Ql6DqVF0s/y+/
240tLCW62X98EzrALKsxhkqVZCtdc5HSRaOQr0K3I03S
</signing_cert>
- <signing_cert>
- MIIDGDCCAgCgAwIBAgIJANkdU8+R7K3fMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
- BAMTGVRlc3QgQ2VydGlmaWNhdGUgQWxpY2UgQ0EwHhcNMDcwODAxMTk1MzA3WhcN
- MDcwODMxMTk1MzA3WjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEFsaWNl
- IEVFMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA64aCougbqPB/PjR9
- ipPd5c/QGlKh8QsCvh4ka3VjRp+zCUEiOI6W7hKUGVoNlqwFjZo2CsqX8qoW0e/S
- sQp9RMH80jgYjfxVPvK3S+sMoXredH+PhOqttf1rCEXbvqP4t9FWUdKJz558oHbO
- MXirP7MFUrWk96F/id+BFG01aKy9RE68DlkcPZAJjpcQ0kEYCIyAQckqgVrIaH2X
- QiEtB5asHrvGH0N5fmUWDeBfHTGVI3dbc6nLU9RYlVo/RCo0C38fi44/PIdnJCZG
- 4+m2ZXG+QbhNWVr4BsSIpF0oiQDelrebDrK4TYJ4skfwLHdlmJbtaeG7zwukDQkN
- CIIXRwIDAQABo00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBTjSaMtxysroFSek8cD
- OTdc6+ZY0jAfBgNVHSMEGDAWgBReiOCEd94f7LzmuFbMNonD6PE4GjANBgkqhkiG
- 9w0BAQUFAAOCAQEAH8ccePGVdGeytS14upV+20hxsGHLS66XxZJlQyQmYOwy4OL9
- F17VODm7UC3h6qnAGbNCvRa6TPah1gRWfwkZDlYC48whDlxi2QX23PcuVKstrv3i
- MiVcTm6AuVyfDn4DJ89TDUY+bPFne46lpSBxt9xXg6UsHMSthoerTYVcaYNHoGpt
- wQPCgrYT/bdQeUpAL7rtha+by0x74vUgO8W84MX0XjCWqXgyP/XBlqxjx7B9Gydw
- 5tNbASf9blRIQcQ9uy+S8mOlHQWfOhe6nN++LhVxYlOzdDKFboTmCwYZwNJHhnRl
- okQ8do5ItBt92MoJgI26PoOiE3xXVyuYb1b7vw==
- </signing_cert>
</bsc>
</msg>
@@ -1291,9 +1266,3 @@
</msg>
</completely_gratuitous_wrapper_element_to_let_me_run_this_through_xmllint>
-
-<!--
- - Local Variables:
- - compile-command: "xmllint -noout left-right-xml"
- - End:
- -->
diff --git a/rpkid/left-right-protocol-samples.xsl b/rpkid/left-right-protocol-samples.xsl
index da313544..a152fa0e 100644
--- a/rpkid/left-right-protocol-samples.xsl
+++ b/rpkid/left-right-protocol-samples.xsl
@@ -1,8 +1,24 @@
-<!-- $Id$
+<!-- -*- SGML -*-
+ - $Id$
+ -
+ - Copyright (C) 2007-2008 American Registry for Internet Numbers ("ARIN")
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+ -
-
- Generate test case PDUs for left-right protocol. Invoke thusly:
-
- - $ xsltproc left-right-protocol-samples.xsl ../docs/left-right-xml
+ - $ xsltproc left-right-protocol-samples.xsl left-right-protocol-samples.xml
-->
<xsl:transform xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0"
@@ -27,11 +43,3 @@
</xsl:for-each>
</xsl:template>
</xsl:transform>
-
-
-<!--
- - Local variables:
- - mode: sgml
- - compile-command: "xsltproc left-right-protocol-samples.xsl ../docs/left-right-xml"
- - End:
- -->
diff --git a/rpkid/left-right-protocol-samples/pdu.013.xml b/rpkid/left-right-protocol-samples/pdu.013.xml
index 3c1c5adc..708724c8 100644
--- a/rpkid/left-right-protocol-samples/pdu.013.xml
+++ b/rpkid/left-right-protocol-samples/pdu.013.xml
@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="US-ASCII"?>
<!--Automatically generated, do not edit.-->
<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
- <bsc action="set" type="query" self_id="42" bsc_id="17" clear_signing_certs="yes">
+ <bsc action="set" type="query" self_id="42" bsc_id="17">
<signing_cert>
MIIDHTCCAgWgAwIBAgIJAKUUCoKn9ovVMA0GCSqGSIb3DQEBBQUAMCYxJDAiBgNV
BAMTG1Rlc3QgQ2VydGlmaWNhdGUgQWxpY2UgUm9vdDAeFw0wNzA4MDExOTUzMDda
@@ -21,5 +21,16 @@
vvqVBYkoBWRbmcy6wVU8JpYegNNgVRbi6zeAq33gS75m9uy+4z8Ql6DqVF0s/y+/
240tLCW62X98EzrALKsxhkqVZCtdc5HSRaOQr0K3I03S
</signing_cert>
+ <signing_cert_crl>
+ MIIBfjBoAgEBMA0GCSqGSIb3DQEBCwUAMCYxJDAiBgNVBAMTG1Rlc3QgQ2VydGlm
+ aWNhdGUgUklSIFNFTEYtMRcNMDgwNTAxMDQ1MjAxWhcNMDgwNTMxMDQ1MjAxWqAO
+ MAwwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQELBQADggEBACTbbaYh+f4EtXFIKPwH
+ K2NYq/MrhE2BnHDyA43siryddtac1E2bOtXPkC74nY5yGm4wZU07qPovJNGu1McG
+ J2hV2uUyAN00lJU3EikrS1ewz7vqjINar1ZUMDkh0wMYKLB9S8SdwNvCf1vcjshz
+ yasBRse9PCH1R0bmDaP8FZM47P55dKiijaN87HQKyZPOExFslnWH+Nr+mAF1xost
+ pwGcc3jreVZWbtQ2RdUDJYcNrSSCH8JYqd5ZgAYcE53xxy43rKcULz054GDFcS/B
+ rprwJgfrjkPttAl80cfrVOUl77ZFfFxzOeHCmQMl9VSoCxmWvnBCBBO4H7meJ7NO
+ gyc=
+ </signing_cert_crl>
</bsc>
</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.016.xml b/rpkid/left-right-protocol-samples/pdu.016.xml
index 2abf3bac..7e3d1485 100644
--- a/rpkid/left-right-protocol-samples/pdu.016.xml
+++ b/rpkid/left-right-protocol-samples/pdu.016.xml
@@ -21,24 +21,5 @@
vvqVBYkoBWRbmcy6wVU8JpYegNNgVRbi6zeAq33gS75m9uy+4z8Ql6DqVF0s/y+/
240tLCW62X98EzrALKsxhkqVZCtdc5HSRaOQr0K3I03S
</signing_cert>
- <signing_cert>
- MIIDGDCCAgCgAwIBAgIJANkdU8+R7K3fMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
- BAMTGVRlc3QgQ2VydGlmaWNhdGUgQWxpY2UgQ0EwHhcNMDcwODAxMTk1MzA3WhcN
- MDcwODMxMTk1MzA3WjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEFsaWNl
- IEVFMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA64aCougbqPB/PjR9
- ipPd5c/QGlKh8QsCvh4ka3VjRp+zCUEiOI6W7hKUGVoNlqwFjZo2CsqX8qoW0e/S
- sQp9RMH80jgYjfxVPvK3S+sMoXredH+PhOqttf1rCEXbvqP4t9FWUdKJz558oHbO
- MXirP7MFUrWk96F/id+BFG01aKy9RE68DlkcPZAJjpcQ0kEYCIyAQckqgVrIaH2X
- QiEtB5asHrvGH0N5fmUWDeBfHTGVI3dbc6nLU9RYlVo/RCo0C38fi44/PIdnJCZG
- 4+m2ZXG+QbhNWVr4BsSIpF0oiQDelrebDrK4TYJ4skfwLHdlmJbtaeG7zwukDQkN
- CIIXRwIDAQABo00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBTjSaMtxysroFSek8cD
- OTdc6+ZY0jAfBgNVHSMEGDAWgBReiOCEd94f7LzmuFbMNonD6PE4GjANBgkqhkiG
- 9w0BAQUFAAOCAQEAH8ccePGVdGeytS14upV+20hxsGHLS66XxZJlQyQmYOwy4OL9
- F17VODm7UC3h6qnAGbNCvRa6TPah1gRWfwkZDlYC48whDlxi2QX23PcuVKstrv3i
- MiVcTm6AuVyfDn4DJ89TDUY+bPFne46lpSBxt9xXg6UsHMSthoerTYVcaYNHoGpt
- wQPCgrYT/bdQeUpAL7rtha+by0x74vUgO8W84MX0XjCWqXgyP/XBlqxjx7B9Gydw
- 5tNbASf9blRIQcQ9uy+S8mOlHQWfOhe6nN++LhVxYlOzdDKFboTmCwYZwNJHhnRl
- okQ8do5ItBt92MoJgI26PoOiE3xXVyuYb1b7vw==
- </signing_cert>
</bsc>
</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.018.xml b/rpkid/left-right-protocol-samples/pdu.018.xml
index 2abf3bac..7e3d1485 100644
--- a/rpkid/left-right-protocol-samples/pdu.018.xml
+++ b/rpkid/left-right-protocol-samples/pdu.018.xml
@@ -21,24 +21,5 @@
vvqVBYkoBWRbmcy6wVU8JpYegNNgVRbi6zeAq33gS75m9uy+4z8Ql6DqVF0s/y+/
240tLCW62X98EzrALKsxhkqVZCtdc5HSRaOQr0K3I03S
</signing_cert>
- <signing_cert>
- MIIDGDCCAgCgAwIBAgIJANkdU8+R7K3fMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
- BAMTGVRlc3QgQ2VydGlmaWNhdGUgQWxpY2UgQ0EwHhcNMDcwODAxMTk1MzA3WhcN
- MDcwODMxMTk1MzA3WjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEFsaWNl
- IEVFMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA64aCougbqPB/PjR9
- ipPd5c/QGlKh8QsCvh4ka3VjRp+zCUEiOI6W7hKUGVoNlqwFjZo2CsqX8qoW0e/S
- sQp9RMH80jgYjfxVPvK3S+sMoXredH+PhOqttf1rCEXbvqP4t9FWUdKJz558oHbO
- MXirP7MFUrWk96F/id+BFG01aKy9RE68DlkcPZAJjpcQ0kEYCIyAQckqgVrIaH2X
- QiEtB5asHrvGH0N5fmUWDeBfHTGVI3dbc6nLU9RYlVo/RCo0C38fi44/PIdnJCZG
- 4+m2ZXG+QbhNWVr4BsSIpF0oiQDelrebDrK4TYJ4skfwLHdlmJbtaeG7zwukDQkN
- CIIXRwIDAQABo00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBTjSaMtxysroFSek8cD
- OTdc6+ZY0jAfBgNVHSMEGDAWgBReiOCEd94f7LzmuFbMNonD6PE4GjANBgkqhkiG
- 9w0BAQUFAAOCAQEAH8ccePGVdGeytS14upV+20hxsGHLS66XxZJlQyQmYOwy4OL9
- F17VODm7UC3h6qnAGbNCvRa6TPah1gRWfwkZDlYC48whDlxi2QX23PcuVKstrv3i
- MiVcTm6AuVyfDn4DJ89TDUY+bPFne46lpSBxt9xXg6UsHMSthoerTYVcaYNHoGpt
- wQPCgrYT/bdQeUpAL7rtha+by0x74vUgO8W84MX0XjCWqXgyP/XBlqxjx7B9Gydw
- 5tNbASf9blRIQcQ9uy+S8mOlHQWfOhe6nN++LhVxYlOzdDKFboTmCwYZwNJHhnRl
- okQ8do5ItBt92MoJgI26PoOiE3xXVyuYb1b7vw==
- </signing_cert>
</bsc>
</msg>
diff --git a/rpkid/left-right-schema.rnc b/rpkid/left-right-schema.rnc
index 243990cc..35917c1d 100644
--- a/rpkid/left-right-schema.rnc
+++ b/rpkid/left-right-schema.rnc
@@ -75,12 +75,12 @@ self_elt |= element self { ctl_dr, self_id }
bsc_bool = ((attribute generate_keypair { "yes" },
attribute key_type { "rsa" }?,
attribute hash_alg { "sha256" }?,
- attribute key_length { "2048" }?)?,
- attribute clear_signing_certs { "yes" }?)
+ attribute key_length { "2048" }?)?)
bsc_id = attribute bsc_id { sql_id }
-bsc_payload = (element signing_cert { base64 }*)
+bsc_payload = (element signing_cert { base64 }?,
+ element signing_cert_crl { base64 }?)
bsc_pkcs10 = element pkcs10_request { base64 }?
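Review bot: Dropping `clear_signing_certs` together with the change from a repeated element to a single optional one leaves no way in the schema to remove an installed signing_cert or signing_cert_crl; a `set` that omits the element presumably leaves the stored value in place, but the copy from the query PDU to the stored object is not in this hunk, so that is inferred. If retiring a compromised signing certificate over the protocol is a requirement, either keep a clear flag or document that a replacement certificate must be sent. The new bsc_payload also admits a signing_cert_crl with no signing_cert; if that combination is meaningless, `bsc_payload = (element signing_cert { base64 }, element signing_cert_crl { base64 }?)?` rejects it at schema level.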
diff --git a/rpkid/left-right-schema.rng b/rpkid/left-right-schema.rng
index b548a079..0068ca32 100644
--- a/rpkid/left-right-schema.rng
+++ b/rpkid/left-right-schema.rng
@@ -312,11 +312,6 @@
</attribute>
</optional>
</optional>
- <optional>
- <attribute name="clear_signing_certs">
- <value>yes</value>
- </attribute>
- </optional>
</define>
<define name="bsc_id">
<attribute name="bsc_id">
@@ -324,11 +319,16 @@
</attribute>
</define>
<define name="bsc_payload">
- <zeroOrMore>
+ <optional>
<element name="signing_cert">
<ref name="base64"/>
</element>
- </zeroOrMore>
+ </optional>
+ <optional>
+ <element name="signing_cert_crl">
+ <ref name="base64"/>
+ </element>
+ </optional>
</define>
<define name="bsc_pkcs10">
<optional>
diff --git a/rpkid/rpki/__init__.py b/rpkid/rpki/__init__.py
index 8d088c65..9852d0b0 100644
--- a/rpkid/rpki/__init__.py
+++ b/rpkid/rpki/__init__.py
@@ -502,7 +502,7 @@
##
## bsc --action= --type= --tag= --self_id= --bsc_id=
## --key_type= --hash_alg= --key_length= --signing_cert=
-## --generate_keypair --clear_signing_certs
+## --signing_cert_crl= --generate_keypair
## @endverbatim
##
## Global options (@c --config, @c --help, @c --pem_out) come first, then zero or
diff --git a/rpkid/rpki/gctx.py b/rpkid/rpki/gctx.py
index f3c8c4b4..995dede1 100644
--- a/rpkid/rpki/gctx.py
+++ b/rpkid/rpki/gctx.py
@@ -140,13 +140,17 @@ class global_context(object):
"""
rpki.log.trace()
- for s in rpki.left_right.self_elt.sql_fetch_all(self):
- s.client_poll()
- s.update_children()
- s.update_roas()
- s.regenerate_crls_and_manifests()
- self.sql_sweep()
- return 200, "OK"
+ try:
+ for s in rpki.left_right.self_elt.sql_fetch_all(self):
+ s.client_poll()
+ s.update_children()
+ s.update_roas()
+ s.regenerate_crls_and_manifests()
+ self.sql_sweep()
+ return 200, "OK"
+ except Exception, data:
+ rpki.log.error(traceback.format_exc())
+ return 500, "Unhandled exception %s" % data
## @var https_ta_cache
# HTTPS trust anchor cache, to avoid regenerating it for every TLS connection.
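Review bot: The new 500 response on the `except Exception, data:` branch echoes the raw exception text to the HTTP client; messages from the SQL layer or file handling can carry paths, query fragments or hostnames, and the full traceback already goes to the log one line earlier. A fixed string is enough for the caller: `return 500, "Unhandled exception"`. Because the try wraps the whole loop, the first failing self_elt also aborts the remaining ones and skips `self.sql_sweep()`; if per-self isolation is wanted the try belongs inside the for loop, but that depends on how the caller treats a 500, which is outside this hunk. The enclosing method starts outside the hunk.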
diff --git a/rpkid/rpki/left_right.py b/rpkid/rpki/left_right.py
index 1d87c195..1289e16a 100644
--- a/rpkid/rpki/left_right.py
+++ b/rpkid/rpki/left_right.py
@@ -443,34 +443,19 @@ class bsc_elt(data_elt):
element_name = "bsc"
attributes = ("action", "type", "tag", "self_id", "bsc_id", "key_type", "hash_alg", "key_length")
- elements = ('signing_cert',)
- booleans = ("generate_keypair", "clear_signing_certs")
+ elements = ("signing_cert", "signing_cert_crl")
+ booleans = ("generate_keypair",)
sql_template = rpki.sql.template("bsc", "bsc_id", "self_id", "hash_alg",
("private_key_id", rpki.x509.RSA),
- ("pkcs10_request", rpki.x509.PKCS10))
+ ("pkcs10_request", rpki.x509.PKCS10),
+ ("signing_cert", rpki.x509.X509),
+ ("signing_cert_crl", rpki.x509.CRL))
private_key_id = None
pkcs10_request = None
-
- def __init__(self):
- """Initialize bsc_elt."""
- self.signing_cert = []
-
- def sql_fetch_hook(self):
- """Extra SQL fetch actions for bsc_elt -- handle signing certs."""
- self.gctx.cur.execute("SELECT cert FROM bsc_cert WHERE bsc_id = %s", (self.bsc_id,))
- self.signing_cert = [rpki.x509.X509(DER = x) for (x,) in self.gctx.cur.fetchall()]
-
- def sql_insert_hook(self):
- """Extra SQL insert actions for bsc_elt -- handle signing certs."""
- if self.signing_cert:
- self.gctx.cur.executemany("INSERT bsc_cert (cert, bsc_id) VALUES (%s, %s)",
- ((x.get_DER(), self.bsc_id) for x in self.signing_cert))
-
- def sql_delete_hook(self):
- """Extra SQL delete actions for bsc_elt -- handle signing certs."""
- self.gctx.cur.execute("DELETE FROM bsc_cert WHERE bsc_id = %s", (self.bsc_id,))
+ signing_cert = None
+ signing_cert_crl = None
def repositories(self):
"""Fetch all repository objects that link to this BSC object."""
@@ -485,36 +470,29 @@ class bsc_elt(data_elt):
return child_elt.sql_fetch_where(self.gctx, "bsc_id = %s", (self.bsc_id,))
def serve_pre_save_hook(self, q_pdu, r_pdu):
- """Extra server actions for bsc_elt -- handle signing certs and key generation."""
- if self is not q_pdu:
- if q_pdu.clear_signing_certs:
- self.signing_cert[:] = []
- self.signing_cert.extend(q_pdu.signing_cert)
+ """Extra server actions for bsc_elt -- handle key generation.
+ For now this only allows RSA with SHA-256.
+ """
if q_pdu.generate_keypair:
- #
- # For the moment we only support 2048-bit RSA with SHA-256, no
- # HSM. Assertion just checks that the schema hasn't changed out
- # from under this code.
- #
- assert (q_pdu.key_type is None or q_pdu.key_type == "rsa") and \
- (q_pdu.hash_alg is None or q_pdu.hash_alg == "sha256") and \
- (q_pdu.key_length is None or q_pdu.key_length == 2048)
+ assert q_pdu.key_type in (None, "rsa") and q_pdu.hash_alg in (None, "sha256")
keypair = rpki.x509.RSA()
- keypair.generate()
+ keypair.generate(keylength = q_pdu.key_length or 2048)
self.private_key_id = keypair
self.pkcs10_request = rpki.x509.PKCS10.create(keypair)
r_pdu.pkcs10_request = self.pkcs10_request
def startElement(self, stack, name, attrs):
"""Handle <bsc/> element."""
- if not name in ("signing_cert", "pkcs10_request"):
+ if name not in ("pkcs10_request", "signing_cert", "signing_cert_crl"):
assert name == "bsc", "Unexpected name %s, stack %s" % (name, stack)
self.read_attrs(attrs)
def endElement(self, stack, name, text):
"""Handle <bsc/> element."""
if name == "signing_cert":
- self.signing_cert.append(rpki.x509.X509(Base64 = text))
+ self.signing_cert = rpki.x509.X509(Base64 = text)
+ elif name == "signing_cert_crl":
+ self.signing_cert_crl = rpki.x509.CRL(Base64 = text)
elif name == "pkcs10_request":
self.pkcs10_request = rpki.x509.PKCS10(Base64 = text)
else:
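Review bot: `keypair.generate(keylength = q_pdu.key_length or 2048)` now passes whatever key_length the query PDU carries straight into RSA key generation, whereas the code it replaces rejected anything but 2048; the only remaining guard is the RelaxNG schema, and this hunk cannot show that it is applied on every path into serve_pre_save_hook. A check in code keeps a short key out of the BPKI even if the schema step is bypassed, e.g. `if q_pdu.key_length not in (None, 2048): raise ValueError("Unsupported key_length %r" % q_pdu.key_length)`. The same applies to the `assert` on key_type and hash_alg: it is stripped under `python -O`, and the removed comment explaining that it is only a schema-consistency check should come back if an assert is kept. Whether a `set` still copies signing_cert and signing_cert_crl from q_pdu to self after the `if self is not q_pdu:` block was removed is not visible here.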
@@ -524,8 +502,10 @@ class bsc_elt(data_elt):
def toXML(self):
"""Generate <bsc/> element."""
elt = self.make_elt()
- for cert in self.signing_cert:
- self.make_b64elt(elt, "signing_cert", cert.get_DER())
+ if self.signing_cert is not None:
+ self.make_b64elt(elt, "signing_cert", self.signing_cert.get_DER())
+ if self.signing_cert_crl is not None:
+ self.make_b64elt(elt, "signing_cert_crl", self.signing_cert_crl.get_DER())
if self.pkcs10_request is not None:
self.make_b64elt(elt, "pkcs10_request", self.pkcs10_request.get_DER())
return elt
@@ -632,7 +612,10 @@ class parent_elt(data_elt):
payload = q_pdu,
sender = self.sender_name,
recipient = self.recipient_name)
- q_cms = rpki.up_down.cms_msg.wrap(q_msg, bsc.private_key_id, bsc.signing_cert)
+
+ q_cms = rpki.up_down.cms_msg.wrap(q_msg, bsc.private_key_id,
+ bsc.signing_cert,
+ bsc.signing_cert_crl)
der = rpki.https.client(server_ta = (self.gctx.bpki_ta,
self.self().bpki_cert, self.self().bpki_glue,
@@ -645,6 +628,7 @@ class parent_elt(data_elt):
r_msg = rpki.up_down.cms_msg.unwrap(der, (self.gctx.bpki_ta,
self.self().bpki_cert, self.self().bpki_glue,
self.bpki_cms_cert, self.bpki_cms_glue))
+
r_msg.payload.check_response()
return r_msg
@@ -741,7 +725,8 @@ class child_elt(data_elt):
# sane way of reporting errors in the error reporting mechanism.
# May require refactoring, ignore the issue for now.
#
- r_cms = rpki.up_down.cms_msg.wrap(r_msg, bsc.private_key_id, bsc.signing_cert)
+ r_cms = rpki.up_down.cms_msg.wrap(r_msg, bsc.private_key_id,
+ bsc.signing_cert, bsc.signing_cert_crl)
return r_cms
class repository_elt(data_elt):
diff --git a/rpkid/rpki/relaxng.py b/rpkid/rpki/relaxng.py
index 1a2592c3..1cef68d9 100644
--- a/rpkid/rpki/relaxng.py
+++ b/rpkid/rpki/relaxng.py
@@ -6,7 +6,7 @@ import lxml.etree
## Parsed RelaxNG left_right schema
left_right = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" encoding="UTF-8"?>
<!--
- $Id: left-right-schema.rng 1704 2008-04-25 06:45:10Z sra $
+ $Id: left-right-schema.rnc 1704 2008-04-25 06:45:10Z sra $
RelaxNG (Compact Syntax) Schema for RPKI left-right protocol.
@@ -318,11 +318,6 @@ left_right = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" enc
</attribute>
</optional>
</optional>
- <optional>
- <attribute name="clear_signing_certs">
- <value>yes</value>
- </attribute>
- </optional>
</define>
<define name="bsc_id">
<attribute name="bsc_id">
@@ -330,11 +325,16 @@ left_right = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" enc
</attribute>
</define>
<define name="bsc_payload">
- <zeroOrMore>
+ <optional>
<element name="signing_cert">
<ref name="base64"/>
</element>
- </zeroOrMore>
+ </optional>
+ <optional>
+ <element name="signing_cert_crl">
+ <ref name="base64"/>
+ </element>
+ </optional>
</define>
<define name="bsc_pkcs10">
<optional>
diff --git a/rpkid/rpki/x509.py b/rpkid/rpki/x509.py
index d8544562..70c7fc85 100644
--- a/rpkid/rpki/x509.py
+++ b/rpkid/rpki/x509.py
@@ -511,7 +511,7 @@ class RSA(DER_object):
def generate(self, keylength = 2048):
"""Generate a new keypair."""
self.clear()
- self.set(POW=POW.Asymmetric(POW.RSA_CIPHER, keylength))
+ self.set(POW = POW.Asymmetric(POW.RSA_CIPHER, keylength))
def get_public_DER(self):
"""Get the DER encoding of the public key from this keypair."""
@@ -659,6 +659,8 @@ class CMS_object(DER_object):
def sign(self, keypair, certs, crls = None, no_certs = False):
"""Sign and wrap inner content."""
+ rpki.log.trace()
+
if isinstance(certs, X509):
cert = certs
certs = ()
@@ -666,14 +668,25 @@ class CMS_object(DER_object):
cert = certs[0]
certs = certs[1:]
+ if crls:
+ rpki.log.warn("CMS CRL support disabled due to an OpenSSL bug I haven't tracked down yet, ignoring CRL")
+ crls = ()
+
+ if crls is None:
+ crls = ()
+ elif isinstance(crls, CRL):
+ crls = (crls,)
+
cms = POW.CMS()
+
cms.sign(cert.get_POW(),
keypair.get_POW(),
self.encode(),
[x.get_POW() for x in certs],
- crls,
+ [c.get_POW() for c in crls],
self.econtent_oid,
POW.CMS_NOCERTS if no_certs else 0)
+
self.DER = cms.derWrite()
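Review bot: The `if crls:` block discards every CRL the rest of this commit plumbs into sign(), so the CMS produced by wrap() never carries the signing_cert_crl and the warning fires on every signed PDU. The message says this is a stopgap, so it should be marked as one so it is not forgotten: `# TODO: drop this override once the CRL-in-CMS OpenSSL issue is resolved; until then no revocation data reaches the receiver`. Moving the override below the `crls is None` / single-CRL normalization would also keep the truthiness test from depending on how a bare CRL object evaluates, since as written a single CRL object reaches `if crls:` before it is wrapped in a tuple.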
class DER_CMS_object(CMS_object):
@@ -771,12 +784,13 @@ class XML_CMS_object(CMS_object):
raise
@classmethod
- def wrap(cls, msg, keypair, certs, pretty_print = False):
+ def wrap(cls, msg, keypair, certs, crls = None, pretty_print = False):
"""Build a CMS-wrapped XML PDU and return its DER encoding."""
+ rpki.log.trace()
self = cls()
self.set_content(msg.toXML())
self.schema_check()
- self.sign(keypair, certs)
+ self.sign(keypair, certs, crls)
if pretty_print:
return self.get_DER(), self.pretty_print_content()
else:
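Review bot: Inserting `crls = None` ahead of `pretty_print` in wrap()'s signature changes the meaning of a fourth positional argument: a caller that still passes pretty_print positionally now has it taken as crls (and, via sign()'s `if crls:` branch, dropped with a warning) while pretty-printing silently turns off. The two callers in this commit pass the CRL by position, but other callers are not visible here. Appending the new parameter after pretty_print, `def wrap(cls, msg, keypair, certs, pretty_print = False, crls = None):`, avoids the shift at the cost of updating those two calls to pass `crls = ...` by keyword.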
diff --git a/rpkid/rpkid.sql b/rpkid/rpkid.sql
index 1b4005f1..d13eb370 100644
--- a/rpkid/rpkid.sql
+++ b/rpkid/rpkid.sql
@@ -45,21 +45,13 @@ CREATE TABLE bsc (
private_key_id LONGBLOB,
pkcs10_request LONGBLOB,
hash_alg ENUM ('sha256'),
+ signing_cert LONGBLOB,
+ signing_cert_crl LONGBLOB,
self_id BIGINT unsigned NOT NULL,
PRIMARY KEY (bsc_id),
FOREIGN KEY (self_id) REFERENCES self
);
-DROP TABLE IF EXISTS bsc_cert;
-
-CREATE TABLE bsc_cert (
- bsc_cert_id SERIAL NOT NULL,
- cert LONGBLOB,
- bsc_id BIGINT unsigned NOT NULL,
- PRIMARY KEY (bsc_cert_id),
- FOREIGN KEY (bsc_id) REFERENCES bsc
-);
-
DROP TABLE IF EXISTS repository;
CREATE TABLE repository (
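Review bot: Removing `DROP TABLE IF EXISTS bsc_cert;` means a database created from the previous version of this script keeps the old bsc_cert table, which holds a foreign key to bsc; since bsc is dropped and recreated by this script (CREATE TABLE bsc starts above the hunk, and the drop presumably precedes it as it does for repository), the stale child table can make that drop fail on an engine that enforces the constraint, or at best leaves orphaned signing certificates behind. Keeping the drop ahead of the bsc section for one release is cheap: `DROP TABLE IF EXISTS bsc_cert;`. Whether this script is ever run against an existing database rather than a fresh one is not visible here.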
diff --git a/rpkid/testbed.py b/rpkid/testbed.py
index bdc54a56..fc3e6328 100644
--- a/rpkid/testbed.py
+++ b/rpkid/testbed.py
@@ -584,7 +584,6 @@ class allocation(object):
else:
certifier = self.name + "-SELF-1"
certfile = certifier + "-" + certificant + ".cer"
- rpki.log.trace()
rpki.log.info("Cross certifying %s into %s's BPKI (%s)" % (certificant, certifier, certfile))
signer = subprocess.Popen((prog_openssl, "x509", "-req", "-sha256", "-text",
"-extensions", "req_x509_ext", "-CAcreateserial",
@@ -638,9 +637,10 @@ class allocation(object):
rpki.log.error(signed[1])
raise RuntimeError, "Couldn't issue BSC EE certificate"
bsc_ee = rpki.x509.X509(PEM = signed[0])
+ bsc_crl = rpki.x509.CRL(PEM_file = self.name + "-SELF-1.crl")
rpki.log.info("Installing BSC EE cert for %s" % self.name)
- self.call_rpkid(rpki.left_right.bsc_elt.make_pdu(action = "set", self_id = self.self_id, bsc_id = self.bsc_id, signing_cert = (bsc_ee,)))
+ self.call_rpkid(rpki.left_right.bsc_elt.make_pdu(action = "set", self_id = self.self_id, bsc_id = self.bsc_id, signing_cert = bsc_ee, signing_cert_crl = bsc_crl))
# Once we have a real repository protocol we'll have to do cross-certification here
rpki.log.info("Creating rpkid repository object for %s" % self.name)
@@ -745,6 +745,9 @@ def setup_bpki_cert_chain(name, ee = (), ca = ()):
for kind in ee + ca:
d["kind"] = kind
s += bpki_cert_fmt_5 % d
+ for kind in ("TA",) + ca:
+ d["kind"] = kind
+ s += bpki_cert_fmt_6 % d
subprocess.check_call(s, shell = True)
def setup_rootd(rpkid_name, rpkid_tag):
@@ -828,6 +831,20 @@ CN = Test Certificate %(name)s %(kind)s
basicConstraints = CA:%(ca)s
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
+
+
+[ ca ]
+default_ca = ca_default
+
+[ ca_default ]
+
+certificate = %(name)s-%(kind)s.cer
+serial = %(name)s-%(kind)s.srl
+private_key = %(name)s-%(kind)s.key
+database = %(name)s-%(kind)s.idx
+crlnumber = %(name)s-%(kind)s.cnm
+default_crl_days = 30
+default_md = sha256
'''
bpki_cert_fmt_2 = '''\
@@ -836,6 +853,8 @@ bpki_cert_fmt_2 = '''\
bpki_cert_fmt_3 = '''\
%(openssl)s req -new -sha256 -key %(name)s-%(kind)s.key -out %(name)s-%(kind)s.req -config %(name)s-%(kind)s.conf &&
+touch %(name)s-%(kind)s.idx &&
+echo >%(name)s-%(kind)s.cnm 01 &&
'''
bpki_cert_fmt_4 = '''\
@@ -847,6 +866,10 @@ bpki_cert_fmt_5 = ''' && \
-CA %(name)s-TA.cer -CAkey %(name)s-TA.key -CAcreateserial \
'''
+bpki_cert_fmt_6 = ''' && \
+%(openssl)s ca -batch -gencrl -out %(name)s-%(kind)s.crl -config %(name)s-%(kind)s.conf \
+'''
+
yaml_fmt_1 = '''---
version: 1
posturl: https://localhost:%(https_port)s/up-down/%(child_id)s
diff --git a/rpkid/xml-parse-test.py b/rpkid/xml-parse-test.py
index bf49ad28..3e3b20ef 100755
--- a/rpkid/xml-parse-test.py
+++ b/rpkid/xml-parse-test.py
@@ -52,8 +52,8 @@ def lr_tester(elt_in, elt_out, msg):
assert isinstance(msg, rpki.left_right.msg)
if verbose:
for bsc in [x for x in msg if isinstance(x, rpki.left_right.bsc_elt)]:
- for cert in bsc.signing_cert:
- pprint_cert(cert)
+ if bsc.signing_cert is not None:
+ pprint_cert(bsc.signing_cert)
test(fileglob = "up-down-protocol-samples/*.xml",
rng = rpki.relaxng.up_down,