-rw-r--r-- | rpkid/rpki/x509.py | 43 | ||||
l--------- | rtr-origin/POW | 1 | ||||
l--------- | rtr-origin/rpki | 1 | ||||
-rwxr-xr-x | rtr-origin/updater.py | 85 |
4 files changed, 129 insertions, 1 deletions
diff --git a/rpkid/rpki/x509.py b/rpkid/rpki/x509.py index 53dfab79..b167560c 100644 --- a/rpkid/rpki/x509.py +++ b/rpkid/rpki/x509.py @@ -11,7 +11,23 @@ some of the nasty details. This involves a lot of format conversion. $Id$ -Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN") + +Copyright (C) 2009 Internet Systems Consortium ("ISC") + +Permission to use, copy, modify, and distribute this software for any +purpose with or without fee is hereby granted, provided that the above +copyright notice and this permission notice appear in all copies. + +THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +PERFORMANCE OF THIS SOFTWARE. + + +Portions copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN") Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above 
@@ -720,6 +736,31 @@ class CMS_object(DER_object): self.decode(content) return self.get_content() + def extract(self): + """Extract and store inner content from CMS wrapper without + verifying the CMS. + + DANGER WILL ROBINSON!!! + + Do not use this method on unvalidated data. Use the verify() + method instead. + + If you don't understand this warning, don't use this method. + """ + + try: + cms = self.get_POW() + except: + raise rpki.exceptions.UnparsableCMSDER + + if cms.eContentType() != self.econtent_oid: + raise rpki.exceptions.WrongEContentType, "Got CMS eContentType %s, expected %s" % (cms.eContentType(), self.econtent_oid) + + content = cms.verify(POW.X509Store(), None, POW.CMS_NOCRL | POW.CMS_NO_SIGNER_CERT_VERIFY | POW.CMS_NO_ATTR_VERIFY | POW.CMS_NO_CONTENT_VERIFY) + + self.decode(content) + return self.get_content() + def sign(self, keypair, certs, crls = None, no_certs = False): """Sign and wrap inner content.""" diff --git a/rtr-origin/POW b/rtr-origin/POW new file mode 120000 index 00000000..43fccd7b --- /dev/null +++ b/rtr-origin/POW @@ -0,0 +1 @@ +../pow/buildlib/POW
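Review bot: The `except:` wrapped around `self.get_POW()` in extract() is bare, so a KeyboardInterrupt, SystemExit or a plain programming error (AttributeError, MemoryError) is reported as UnparsableCMSDER; narrow it to `except Exception:` (the file is Python 2, judging by the `raise X, "..."` form, so the bare form also swallows interpreter exits). The docstring's warning would be more useful if it said exactly what is skipped: verify() is called with an empty X509Store and CMS_NOCRL | CMS_NO_SIGNER_CERT_VERIFY | CMS_NO_ATTR_VERIFY | CMS_NO_CONTENT_VERIFY, which, assuming these map to OpenSSL's CMS_verify flags of the same names, means neither the signature over the content, nor the signed attributes, nor the signer certificate chain is checked, leaving the eContentType comparison as the only check that survives. A sentence such as `Only the eContentType is checked; the signature, signed attributes and signer certificate chain are all skipped, so the caller must already trust the DER (e.g. rcynic's authenticated tree).` makes "DANGER" concrete for the next maintainer. The sibling verify() method this mirrors is outside the hunk, so I cannot tell whether the two share the OID check.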
\ No newline at end of file
diff --git a/rtr-origin/rpki b/rtr-origin/rpki
new file mode 120000
index 00000000..168548eb
--- /dev/null
+++ b/rtr-origin/rpki
@@ -0,0 +1 @@
+../rpkid/rpki
\ No newline at end of file
diff --git a/rtr-origin/updater.py b/rtr-origin/updater.py
new file mode 100755
index 00000000..d97e5e42
--- /dev/null
+++ b/rtr-origin/updater.py
@@ -0,0 +1,85 @@
+"""
+Router origin-authentication update job. Work in progress.
+
+This should be run under cron, after rcynic finishes. It chews over
+the data rcynic collected and generates output suitable as input for a
+companion server program (not yet written) which serves the resulting
+data to the routers.
+
+$Id$
+
+Copyright (C) 2009 Internet Systems Consortium ("ISC")
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THIS SOFTWARE.
+"""
+
+import sys, os, rpki.x509, rpki.ipaddrs
+
+rcynic_dir = "../rcynic/rcynic-data/authenticated"
+
+class prefix(object):
+
+ def __init__(self, asn, t):
+ x = 0L
+ for y in t[0]:
+ x = (x << 1) | y
+ for y in xrange(self.addr_type.bits - len(t[0])):
+ x = (x << 1)
+
+ self.asn = asn
+ self.prefix = self.addr_type(x)
+ self.prefixlen = len(t[0])
+ self.max_prefixlen = self.prefixlen if t[1] is None else t[1]
+
+ def __str__(self):
+ return "%s/%s-%s[%s]" % (self.prefix, self.prefixlen, self.max_prefixlen, self.asn)
+
+ def __cmp__(self, other):
+ c = self.addr_type.bits - other.addr_type.bits
+ if c == 0: c = self.prefix - other.prefix
+ if c == 0: c = self.prefixlen - other.prefixlen
+ if c == 0: c = self.max_prefixlen - other.max_prefixlen
+ if c == 0: c = self.asn - other.asn
+ if c < 0: c = -1
+ if c > 0: c = 1
+ return c
+
+class v4prefix(prefix):
+ addr_type = rpki.ipaddrs.v4addr
+
+class v6prefix(prefix):
+ addr_type = rpki.ipaddrs.v6addr
+
+prefix.map = { "\x00\x01" : v4prefix,
+ "\x00\x02" : v6prefix }
+
+prefixes = []
+
+for root, dirs, files in os.walk(rcynic_dir):
+ for f in files:
+ if f.endswith(".roa"):
+ roa = rpki.x509.ROA(DER_file = os.path.join(root, f)).extract().get()
+ assert roa[0] == 0, "ROA version is %d, expected 0" % roa[0]
+ asn = roa[1]
+ for afi, addrs in roa[2]:
+ for addr in addrs:
+ prefixes.append(prefix.map[afi](asn, addr))
+
+prefixes.sort()
+
+for i in xrange(len(prefixes) - 2, -1, -1):
+ if prefixes[i] == prefixes[i + 1]:
+ del prefixes[i + 1]
+
+for p in prefixes:
+ print p |
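Review bot: rcynic_dir is a relative path and os.walk() yields nothing, without raising, for a directory that does not exist, so running this job from the wrong working directory (which cron makes easy) prints an empty prefix list with exit status 0, and a router feed built from that output would treat every route as having no ROA; guard the walk with `if not os.path.isdir(rcynic_dir): sys.exit("no such directory: %s" % rcynic_dir)` (or pass `onerror=` to os.walk). The `assert roa[0] == 0` version check vanishes under `python -O`; make it `if roa[0] != 0: raise ValueError("ROA version is %d, expected 0" % roa[0])`. prefix.__init__ also stores t[1] as max_prefixlen without checking `prefixlen <= max_prefixlen <= addr_type.bits`, which RFC 6482 requires of a maxLength; unless rcynic already rejects such ROAs, add `if not self.prefixlen <= self.max_prefixlen <= self.addr_type.bits: raise ValueError("bad maxLength %s for %s" % (self.max_prefixlen, self))`. Since every .roa here is opened with extract(), which skips all CMS signature checks, the trustworthiness of this output rests entirely on the "authenticated" tree being exactly what rcynic validated, and that assumption deserves a comment next to rcynic_dir.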