-rw-r--r-- | rpkid/rpki/left_right.py | 2 | ||||
-rw-r--r-- | rpkid/rpki/up_down.py | 8 | ||||
-rw-r--r-- | rpkid/rpki/x509.py | 80 |
3 files changed, 47 insertions, 43 deletions
diff --git a/rpkid/rpki/left_right.py b/rpkid/rpki/left_right.py index 89587f85..acb49e49 100644 --- a/rpkid/rpki/left_right.py +++ b/rpkid/rpki/left_right.py @@ -446,7 +446,7 @@ class bsc_elt(data_elt): if q_pdu.generate_keypair: assert q_pdu.key_type in (None, "rsa") and q_pdu.hash_alg in (None, "sha256") self.private_key_id = rpki.x509.RSA.generate(keylength = q_pdu.key_length or 2048) - self.pkcs10_request = rpki.x509.PKCS10.create(self.private_key_id) + self.pkcs10_request = rpki.x509.PKCS10.create(keypair = self.private_key_id) r_pdu.pkcs10_request = self.pkcs10_request data_elt.serve_pre_save_hook(self, q_pdu, r_pdu, cb, eb) diff --git a/rpkid/rpki/up_down.py b/rpkid/rpki/up_down.py index 1ebfed59..836bdedb 100644 --- a/rpkid/rpki/up_down.py +++ b/rpkid/rpki/up_down.py @@ -434,11 +434,13 @@ class issue_pdu(base_elt): Send an "issue" request to parent associated with ca. """ assert ca_detail is not None and ca_detail.state in ("pending", "active") - sia = ((rpki.oids.name2oid["id-ad-caRepository"], ("uri", ca.sia_uri)), - (rpki.oids.name2oid["id-ad-rpkiManifest"], ("uri", ca_detail.manifest_uri))) self = cls() self.class_name = ca.parent_resource_class - self.pkcs10 = rpki.x509.PKCS10.create_ca(ca_detail.private_key_id, sia) + self.pkcs10 = rpki.x509.PKCS10.create( + keypair = ca_detail.private_key_id, + is_ca = True, + caRepository = ca.sia_uri, + rpkiManifest = ca_detail.manifest_uri) rpki.log.info('Sending "issue" request to parent %s' % parent.parent_handle) parent.query_up_down(self, callback, errback) diff --git a/rpkid/rpki/x509.py b/rpkid/rpki/x509.py index 08873b91..cce9a6de 100644 --- a/rpkid/rpki/x509.py +++ b/rpkid/rpki/x509.py 
@@ -785,27 +785,21 @@ class X509(DER_object): assert pathLenConstraint is None or (isinstance(pathLenConstraint, (int, long)) and pathLenConstraint >= 0) - extensions = [ - (rpki.oids.name2oid["subjectKeyIdentifier" ], False, subject_key.get_SKI())] - if issuer_key != subject_key: - extensions.append( - (rpki.oids.name2oid["authorityKeyIdentifier"], False, (issuer_key.get_SKI(), (), None))) - if is_ca: - extensions.append( - (rpki.oids.name2oid["basicConstraints" ], True, (1, pathLenConstraint))) - - cert = rpki.POW.pkix.Certificate() + cert = rpki.POW.X509() cert.setVersion(2) cert.setSerial(serial) - cert.setIssuer(issuer_name.get_POWpkix()) - cert.setSubject(subject_name.get_POWpkix()) - cert.setNotBefore(now.toASN1tuple()) - cert.setNotAfter(notAfter.toASN1tuple()) - cert.tbs.subjectPublicKeyInfo.fromString(subject_key.get_DER()) - cert.setExtensions(extensions) + cert.setIssuer(issuer_name.get_POW()) + cert.setSubject(subject_name.get_POW()) + cert.setNotBefore(now.toGeneralizedTime()) + cert.setNotAfter(notAfter.toGeneralizedTime()) + cert.setPublicKey(subject_key.get_POW()) + cert.setSKI(subject_key.get_POW().calculateSKI()) + if issuer_key != subject_key: + cert.setAKI(issuer_key.get_POW().calculateSKI()) + if is_ca: + cert.setBasicConstraints(is_ca, pathLenConstraint) cert.sign(keypair.get_POW(), rpki.POW.SHA256_DIGEST) - - return cls(POWpkix = cert) + return cls(POW = cert) @classmethod def normalize_chain(cls, chain): @@ -858,6 +852,7 @@ class PKCS10(DER_object): return self.DER if self.POW: self.DER = self.POW.derWrite() + return self.get_DER() if self.POWpkix: self.DER = self.POWpkix.toString() return self.get_DER() 
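Review bot: The new setter calls in the certificate-building hunk (`cert.setSKI(...)`, `cert.setAKI(...)`, `cert.setBasicConstraints(is_ca, pathLenConstraint)`) no longer state extension criticality, which the removed tuples spelled out (basicConstraints critical, SKI and AKI non-critical). Whether rpki.POW applies the same flags is not visible in this diff, and RFC 6487 requires basicConstraints to be critical on CA certificates, so a silent change here would yield certificates that strict relying parties reject. Once confirmed against the binding, I would add a comment above the `setBasicConstraints` call such as `# rpki.POW fixes criticality: basicConstraints critical, SKI/AKI non-critical`, and a test that parses a generated CA certificate and checks the flag. The enclosing method starts above the hunk, so its signature and earlier checks are not reviewed here.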
@@ -969,32 +964,39 @@ class PKCS10(DER_object): raise rpki.exceptions.BadPKCS10, "Certificate request SIA id-ad-rpkiManifest ends with slash" @classmethod - def create_ca(cls, keypair, sia = None): + def create(cls, keypair, exts = None, is_ca = False, + caRepository = None, rpkiManifest = None, signedObject = None): """ - Create a new request for a given keypair, including given SIA value. + Create a new request for a given keypair. """ - exts = [["basicConstraints", True, (1, None)], - ["keyUsage", True, (0, 0, 0, 0, 0, 1, 1)]] - if sia is not None: - exts.append(["subjectInfoAccess", False, sia]) - for x in exts: - x[0] = rpki.oids.name2oid[x[0]] - return cls.create(keypair, exts) - @classmethod - def create(cls, keypair, exts = None): - """ - Create a new request for a given keypair, including given extensions. - """ + assert exts is None, "Old calling sequence to rpki.x509.PKCS10.create()" + cn = "".join(("%02X" % ord(i) for i in keypair.get_SKI())) - req = rpki.POW.pkix.CertificationRequest() - req.certificationRequestInfo.version.set(0) - req.certificationRequestInfo.subject.set((((rpki.oids.name2oid["commonName"], - ("printableString", cn)),),)) - if exts is not None: - req.setExtensions(exts) + + if isinstance(caRepository, str): + caRepository = (caRepository,) + + if isinstance(rpkiManifest, str): + rpkiManifest = (rpkiManifest,) + + if isinstance(signedObject, str): + signedObject = (signedObject,) + + req = rpki.POW.PKCS10() + req.setVersion(0) + req.setSubject(X501DN.from_cn(cn).get_POW()) + req.setPublicKey(keypair.get_POW()) + + if is_ca: + req.setBasicConstraints(True, None) + req.setKeyUsage(cls.expected_ca_keyUsage) + + if caRepository or rpkiManifest or signedObject: + req.setSIA(caRepository, rpkiManifest, signedObject) + req.sign(keypair.get_POW(), rpki.POW.SHA256_DIGEST) - return cls(POWpkix = req) + return cls(POW = req) ## @var generate_insecure_debug_only_rsa_key # Debugging hack to let us save throwaway RSA keys from one debug |
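Review bot: The guard `assert exts is None, "Old calling sequence to rpki.x509.PKCS10.create()"` disappears under `python -O`, so a caller still passing `exts` would get a signed request with those extensions silently dropped. An explicit check survives optimisation: `if exts is not None: raise TypeError("Old calling sequence to rpki.x509.PKCS10.create()")`. The three `isinstance(..., str)` tests also miss `unicode` on this Python 2 code base; the types of `ca.sia_uri` and `ca_detail.manifest_uri` at the up_down.py call site are not visible here, and a unicode URI would reach `req.setSIA(...)` unwrapped, so `isinstance(caRepository, basestring)` (and likewise for the other two) is safer. The docstring should also describe `is_ca` and the three SIA keywords, including that each accepts a single URI or a sequence of URIs.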