-rwxr-xr-xpow/POW-0.7/lib/pkix.py2
-rw-r--r--scripts/http-client.py2
-rw-r--r--scripts/http-server.py2
-rwxr-xr-xscripts/irbe-cli.py4
-rwxr-xr-xscripts/irdb.py4
-rw-r--r--scripts/pkcs10.py104
-rw-r--r--scripts/rpki/left_right.py6
-rw-r--r--scripts/rpki/pkcs10.py8
-rw-r--r--scripts/rpki/sql.py4
-rw-r--r--scripts/rpki/up_down.py2
-rw-r--r--scripts/rpki/x509.py31
-rwxr-xr-xscripts/rpkid.py4
12 files changed, 104 insertions, 69 deletions
diff --git a/pow/POW-0.7/lib/pkix.py b/pow/POW-0.7/lib/pkix.py
index 6262ed60..a0905f3e 100755
--- a/pow/POW-0.7/lib/pkix.py
+++ b/pow/POW-0.7/lib/pkix.py
@@ -117,7 +117,7 @@ class POWCryptoDriver(CryptoDriver):
return digest.digest()
def sign(self, key, oid, plaintext):
- return key.sign(self._digest(oid, plaintext))
+ return key.sign(self._digest(oid, plaintext), self.OID2driver[oid])
def verify(self, key, oid, plaintext, signature):
return key.verify(signature, self._digest(oid, plaintext), self.OID2driver[oid])
diff --git a/scripts/http-client.py b/scripts/http-client.py
index 1df47dad..ec311ffe 100644
--- a/scripts/http-client.py
+++ b/scripts/http-client.py
@@ -7,7 +7,7 @@ msg = "This is a test. This is only a test. Had this been real you would now b
cfg = rpki.config.parser("http-demo.conf")
section = "client"
-print rpki.https.client(privateKey = rpki.x509.RSA_Keypair(Auto_file = cfg.get( section, "https-key")),
+print rpki.https.client(privateKey = rpki.x509.RSA(Auto_file = cfg.get( section, "https-key")),
certChain = rpki.x509.X509_chain(Auto_files = cfg.multiget(section, "https-cert")),
x509TrustList = rpki.x509.X509_chain(Auto_files = cfg.multiget(section, "https-ta")),
url = cfg.get(section, "https-url"),
diff --git a/scripts/http-server.py b/scripts/http-server.py
index 9ae9a43d..7716d5ed 100644
--- a/scripts/http-server.py
+++ b/scripts/http-server.py
@@ -5,7 +5,7 @@ import rpki.https, tlslite.api, rpki.config
cfg = rpki.config.parser("http-demo.conf")
section = "server"
-privateKey = rpki.x509.RSA_Keypair(PEM_file = cfg.get(section, "https-key"))
+privateKey = rpki.x509.RSA(PEM_file = cfg.get(section, "https-key"))
certChain = rpki.x509.X509_chain()
certChain.load_from_PEM(cfg.multiget(section, "https-cert"))
diff --git a/scripts/irbe-cli.py b/scripts/irbe-cli.py
index eb0ca2aa..4346107a 100755
--- a/scripts/irbe-cli.py
+++ b/scripts/irbe-cli.py
@@ -161,10 +161,10 @@ print "Sending:"
print q_xml
q_cms = rpki.cms.encode(q_xml,
- rpki.x509.RSA_Keypair(Auto_file = cfg.get(cfg_section, "cms-key")),
+ rpki.x509.RSA(Auto_file = cfg.get(cfg_section, "cms-key")),
rpki.x509.X509_chain(Auto_files = cfg.multiget(cfg_section, "cms-cert")))
-r_cms = rpki.https.client(privateKey = rpki.x509.RSA_Keypair(Auto_file = cfg.get(cfg_section, "https-key")),
+r_cms = rpki.https.client(privateKey = rpki.x509.RSA(Auto_file = cfg.get(cfg_section, "https-key")),
certChain = rpki.x509.X509_chain(Auto_files = cfg.multiget(cfg_section, "https-cert")),
x509TrustList = rpki.x509.X509_chain(Auto_files = cfg.multiget(cfg_section, "https-ta")),
url = cfg.get(cfg_section, "https-url"),
diff --git a/scripts/irdb.py b/scripts/irdb.py
index be191d75..4518df10 100755
--- a/scripts/irdb.py
+++ b/scripts/irdb.py
@@ -59,10 +59,10 @@ db = MySQLdb.connect(user = cfg.get(cfg_section, "sql-username"),
cur = db.cursor()
cms_ta = rpki.x509.X509(Auto_file = cfg.get(cfg_section, "cms-ta"))
-cms_key = rpki.x509.RSA_Keypair(Auto_file = cfg.get(cfg_section, "cms-key"))
+cms_key = rpki.x509.RSA(Auto_file = cfg.get(cfg_section, "cms-key"))
cms_certs = rpki.x509.X509_chain(Auto_files = cfg.multiget(cfg_section, "cms-cert"))
-rpki.https.server(privateKey = rpki.x509.RSA_Keypair(Auto_file = cfg.get(cfg_section, "https-key")),
+rpki.https.server(privateKey = rpki.x509.RSA(Auto_file = cfg.get(cfg_section, "https-key")),
certChain = rpki.x509.X509_chain(Auto_files = cfg.multiget(cfg_section, "https-cert")),
host = cfg.get(cfg_section, "https-host"),
port = int(cfg.get(cfg_section, "https-port")),
diff --git a/scripts/pkcs10.py b/scripts/pkcs10.py
index 683f94df..77272ff0 100644
--- a/scripts/pkcs10.py
+++ b/scripts/pkcs10.py
@@ -1,6 +1,10 @@
# $Id$
-import POW.pkix, rpki.x509, glob, rpki.resource_set
+import POW.pkix, glob, os
+import rpki.x509, rpki.resource_set
+
+parse_test = False
+generate_test = True
parse_extensions = True
show_attributes = False
@@ -12,60 +16,70 @@ show_publickey = False
def hexify(thing):
return ":".join(["%02X" % ord(i) for i in thing])
-for name in glob.glob("resource-cert-samples/*.req") + glob.glob("biz-certs/*.req"):
- pkcs10 = rpki.x509.PKCS10(Auto_file = name).get_POWpkix()
+if parse_test:
- print "[", name, "]"
+ for name in glob.glob("resource-cert-samples/*.req") + glob.glob("biz-certs/*.req"):
+ pkcs10 = rpki.x509.PKCS10(Auto_file = name).get_POWpkix()
- if show_algorithm:
- print pkcs10.signatureAlgorithm
- print
- print pkcs10.signatureAlgorithm.get()
- print
+ print "[", name, "]"
- if show_signature:
- print pkcs10.signatureValue, hexify(pkcs10.signatureValue.get())
- print
+ if show_algorithm:
+ print pkcs10.signatureAlgorithm
+ print
+ print pkcs10.signatureAlgorithm.get()
+ print
- if show_publickey:
- print pkcs10.certificationRequestInfo.subjectPublicKeyInfo
- print pkcs10.certificationRequestInfo.subjectPublicKeyInfo.get()
- print hexify(pkcs10.certificationRequestInfo.subjectPublicKeyInfo.toString())
- print
+ if show_signature:
+ print pkcs10.signatureValue, hexify(pkcs10.signatureValue.get())
+ print
- if show_attributes:
- print pkcs10.certificationRequestInfo.attributes.oid, pkcs10.certificationRequestInfo.attributes.oid.get()
- print
- print pkcs10.certificationRequestInfo.attributes.val, pkcs10.certificationRequestInfo.attributes.val.get()
- print
- print pkcs10.certificationRequestInfo.attributes.val.choice, pkcs10.certificationRequestInfo.attributes.val.choices
- print
- print pkcs10.certificationRequestInfo.attributes.val.choices[pkcs10.certificationRequestInfo.attributes.val.choice]
- print
- print len(pkcs10.certificationRequestInfo.attributes.val.choices[pkcs10.certificationRequestInfo.attributes.val.choice])
- print
- if len(pkcs10.certificationRequestInfo.attributes.val.choices[pkcs10.certificationRequestInfo.attributes.val.choice]) > 0:
- print pkcs10.certificationRequestInfo.attributes.val.choices[pkcs10.certificationRequestInfo.attributes.val.choice][0]
+ if show_publickey:
+ print pkcs10.certificationRequestInfo.subjectPublicKeyInfo
+ print pkcs10.certificationRequestInfo.subjectPublicKeyInfo.get()
+ print hexify(pkcs10.certificationRequestInfo.subjectPublicKeyInfo.toString())
+ print
+
+ if show_attributes:
+ print pkcs10.certificationRequestInfo.attributes.oid, pkcs10.certificationRequestInfo.attributes.oid.get()
+ print
+ print pkcs10.certificationRequestInfo.attributes.val, pkcs10.certificationRequestInfo.attributes.val.get()
print
+ print pkcs10.certificationRequestInfo.attributes.val.choice, pkcs10.certificationRequestInfo.attributes.val.choices
+ print
+ print pkcs10.certificationRequestInfo.attributes.val.choices[pkcs10.certificationRequestInfo.attributes.val.choice]
+ print
+ print len(pkcs10.certificationRequestInfo.attributes.val.choices[pkcs10.certificationRequestInfo.attributes.val.choice])
+ print
+ if len(pkcs10.certificationRequestInfo.attributes.val.choices[pkcs10.certificationRequestInfo.attributes.val.choice]) > 0:
+ print pkcs10.certificationRequestInfo.attributes.val.choices[pkcs10.certificationRequestInfo.attributes.val.choice][0]
+ print
- if parse_extensions:
+ if parse_extensions:
- exts = pkcs10.getExtensions()
+ exts = pkcs10.getExtensions()
- as, v4, v6 = rpki.resource_set.parse_extensions(exts)
- if as: print "ASN =", as
- if v4: print "IPv4 =", v4
- if v6: print "IPv6 =", v6
+ as, v4, v6 = rpki.resource_set.parse_extensions(exts)
+ if as: print "ASN =", as
+ if v4: print "IPv4 =", v4
+ if v6: print "IPv6 =", v6
- for oid, crit, val in exts:
- if oid in ((1, 3, 6, 1, 5, 5, 7, 1, 7), (1, 3, 6, 1, 5, 5, 7, 1, 8)):
- continue
- if isinstance(val, str):
- val = hexify(val)
- print POW.pkix.oid2obj(oid), oid, "=", val
+ for oid, crit, val in exts:
+ if oid in ((1, 3, 6, 1, 5, 5, 7, 1, 7), (1, 3, 6, 1, 5, 5, 7, 1, 8)):
+ continue
+ if isinstance(val, str):
+ val = hexify(val)
+ print POW.pkix.oid2obj(oid), oid, "=", val
+
+ if do_verify:
+ print
+ print "Signature verification: %s" % pkcs10.verify()
- if do_verify:
print
- print "Signature verification: %s" % pkcs10.verify()
- print
+if generate_test:
+ keypair = rpki.x509.RSA()
+ keypair.generate()
+ pkcs10 = rpki.x509.PKCS10.create(keypair)
+ f = os.popen("openssl req -text -config /dev/null", "w")
+ f.write(pkcs10.get_PEM())
+ f.close()
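Review bot: The `generate_test` branch discards the value returned by `f.close()`, so a request that openssl rejects still leaves the script exiting normally. In Python 2 the `close()` of an `os.popen` pipe returns the child's exit status (None on success), so `status = f.close()` followed by raising when `status is not None` would make a bad request fail visibly. Adding `-verify` to the command, `"openssl req -text -verify -config /dev/null"`, would also have openssl check the request's self-signature, which is the part of the new `PKCS10.create` path this test should exercise. The command goes through the shell and finds `openssl` via PATH; the string is constant here, so a short comment saying so is enough.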
diff --git a/scripts/rpki/left_right.py b/scripts/rpki/left_right.py
index 62db4c60..dedab062 100644
--- a/scripts/rpki/left_right.py
+++ b/scripts/rpki/left_right.py
@@ -3,7 +3,7 @@
"""RPKI "left-right" protocol."""
import base64, lxml.etree, time
-import rpki.sax_utils, rpki.resource_set, rpki.x509, rpki.sql, rpki.exceptions, rpki.pkcs10, rpki.https, rpki.up_down, rpki.relaxng
+import rpki.sax_utils, rpki.resource_set, rpki.x509, rpki.sql, rpki.exceptions, rpki.https, rpki.up_down, rpki.relaxng
xmlns = "http://www.hactrn.net/uris/rpki/left-right-spec/"
@@ -284,11 +284,11 @@ class bsc_elt(data_elt):
# Hard wire 2048-bit RSA with SHA-256 in schema for now.
# Assume no HSM for now.
#
- keypair = rpki.x509.RSA_Keypair()
+ keypair = rpki.x509.RSA()
keypair.generate(2048)
self.private_key_id = keypair.get_DER()
self.public_key = keypair.get_public_DER()
- r_pdu.pkcs10_cert_request = rpki.pkcs10.make_request(keypair)
+ r_pdu.pkcs10_cert_request = rpki.x509.PKCS10.create(keypair)
def startElement(self, stack, name, attrs):
"""Handle <bsc/> element."""
diff --git a/scripts/rpki/pkcs10.py b/scripts/rpki/pkcs10.py
index 4d77c442..6404870a 100644
--- a/scripts/rpki/pkcs10.py
+++ b/scripts/rpki/pkcs10.py
@@ -1,5 +1,13 @@
# $Id$
+"""Old code to generate PKCS #10 certification requests.
+
+This has been replaced by direct support for PKCS #10 in my hacked
+version of the POW package. This module will go away eventually, I'm
+just keeping it around in case I discover some horrible bug in the new
+code that would make me want to fall back to this.
+"""
+
import POW, rpki.x509, os, rpki.exceptions, binascii
req_fmt = '''
diff --git a/scripts/rpki/sql.py b/scripts/rpki/sql.py
index e05fda80..27f77498 100644
--- a/scripts/rpki/sql.py
+++ b/scripts/rpki/sql.py
@@ -230,10 +230,10 @@ class ca_detail_obj(sql_persistant):
def sql_decode(self, vals):
sql_persistant.sql_decode(self, vals)
- self.private_key_id = rpki.x509.RSA_Keypair(DER = self.private_key_id)
+ self.private_key_id = rpki.x509.RSA(DER = self.private_key_id)
assert self.public_key is None or self.private_key_id.get_public_DER() == self.public_key
self.latest_ca_cert = rpki.x509.X509(DER = self.latest_ca_cert)
- self.manifest_private_key_id = rpki.x509.RSA_Keypair(DER = self.manifest_private_key_id)
+ self.manifest_private_key_id = rpki.x509.RSA(DER = self.manifest_private_key_id)
assert self.manifest_public_key is None or self.manifest_private_key_id.get_public_DER() == self.manifest_public_key
self.manifest_cert = rpki.x509.X509(DER = self.manifest_cert)
raise NotImplementedError, "Still have to handle manifest and CRL"
diff --git a/scripts/rpki/up_down.py b/scripts/rpki/up_down.py
index 5b3ec841..c7cbb6ce 100644
--- a/scripts/rpki/up_down.py
+++ b/scripts/rpki/up_down.py
@@ -305,7 +305,7 @@ class issue_pdu(base_elt):
ca_detail = rpki.sql.ca_detail_obj.create(gctx, ca)
self = cls()
self.class_name = ca.parent_resource_class
- self.pkcs10 = rpki.x509.PKCS10.create(ca_detail.private_key_id, sia)
+ self.pkcs10 = rpki.x509.PKCS10.create_ca(ca_detail.private_key_id, sia)
return parent.query_up_down(gctx, self)
class issue_response_pdu(class_response_syntax):
diff --git a/scripts/rpki/x509.py b/scripts/rpki/x509.py
index 6a030490..9589388f 100644
--- a/scripts/rpki/x509.py
+++ b/scripts/rpki/x509.py
@@ -418,20 +418,28 @@ class PKCS10(DER_object):
assert "subjectInfoAccess" in req_exts, "Can't (yet) handle PKCS #10 without an SIA extension"
@classmethod
- def create(cls, keypair, sia):
+ def create_ca(cls, keypair, sia = None):
"""Create a new request for a given keypair, including given SIA value."""
- req = POW.pkix.CertificationRequest()
- req.version.set(0)
exts = [ ("basicConstraints", True, (1, None)),
- ("keyUsage", True, (0, 0, 0, 0, 0, 1, 1)),
- ("subjectInfoAccess", False, sia) ]
+ ("keyUsage", True, (0, 0, 0, 0, 0, 1, 1)) ]
+ if sia is not None:
+ exts.append(("subjectInfoAccess", False, sia))
for x in exts:
x[0] = POW.pkix.obj2oid(x[0])
- req.setExtension(exts)
- req.sign(keypair)
+ return cls.create(keypair, exts)
+
+ @classmethod
+ def create(cls, keypair, exts = None):
+ """Create a new request for a given keypair, including given SIA value."""
+ req = POW.pkix.CertificationRequest()
+ req.certificationRequestInfo.version.set(0)
+ req.certificationRequestInfo.subject.set((((POW.pkix.obj2oid("commonName"), ("printableString", "".join(("%02X" % ord(i) for i in keypair.get_SKI())))),),))
+ if exts is not None:
+ req.setExtension(exts)
+ req.sign(keypair.get_POW(), POW.SHA256_DIGEST)
return cls(POWpkix = req)
-class RSA_Keypair(DER_object):
+class RSA(DER_object):
"""Class to hold an RSA key pair."""
formats = ("DER", "POW", "tlslite")
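Review bot: In `create_ca` the loop `for x in exts: x[0] = POW.pkix.obj2oid(x[0])` assigns into tuples, because every entry of `exts`, including the appended subjectInfoAccess one, is a tuple literal, so the call raises TypeError before any request is built. Building a new list avoids it: `exts = [(POW.pkix.obj2oid(name), crit, val) for name, crit, val in exts]`. The docstring on the new `create` is copied from `create_ca` and still says "including given SIA value". It should instead say that `exts` is an optional list of (oid, critical, value) tuples, that the subject commonName is the hex of `keypair.get_SKI()`, and that the request is signed with SHA-256. The `issue_pdu` change in scripts/rpki/up_down.py is the caller that reaches `create_ca`.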
@@ -458,13 +466,18 @@ class RSA_Keypair(DER_object):
self.tlslite = tlslite.api.parsePEMKey(self.get_PEM(), private=True)
return self.tlslite
- def generate(self, keylength):
+ def generate(self, keylength = 2048):
self.clear()
self.set(POW=POW.Asymmetric(POW.RSA_CIPHER, keylength))
def get_public_DER(self):
return self.get_POW().derWrite(POW.RSA_PUBLIC_KEY)
+ def get_SKI(self):
+ d = POW.Digest(POW.SHA1_DIGEST)
+ d.update(self.get_public_DER())
+ return d.digest()
+
class Manifest(DER_object):
"""Class to hold a signed manifest."""
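Review bot: `get_SKI` has no docstring and hashes whatever `get_public_DER()` returns, and the encoding that `derWrite(POW.RSA_PUBLIC_KEY)` produces is not visible in this hunk. The usual key identifier (RFC 5280 section 4.2.1.2, method 1) is the SHA-1 of the subjectPublicKey BIT STRING contents, so if that DER is a full SubjectPublicKeyInfo, the value placed in the request's commonName will not match the SKI a CA computes for the same key. A docstring such as `"""Return the 20-byte SHA-1 digest of the DER-encoded public key."""`, plus a comment stating which encoding is hashed, would pin this down. The comment could also say that SHA-1 serves here as an identifier, not as a signature digest.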
diff --git a/scripts/rpkid.py b/scripts/rpkid.py
index 95632ba6..efcb5d2d 100755
--- a/scripts/rpkid.py
+++ b/scripts/rpkid.py
@@ -57,10 +57,10 @@ gctx.cur = gctx.db.cursor()
gctx.cms_ta_irdb = rpki.x509.X509(Auto_file = gctx.cfg.get(gctx.cfg_section, "cms-ta-irdb"))
gctx.cms_ta_irbe = rpki.x509.X509(Auto_file = gctx.cfg.get(gctx.cfg_section, "cms-ta-irbe"))
-gctx.cms_key = rpki.x509.RSA_Keypair(Auto_file = gctx.cfg.get(gctx.cfg_section, "cms-key"))
+gctx.cms_key = rpki.x509.RSA(Auto_file = gctx.cfg.get(gctx.cfg_section, "cms-key"))
gctx.cms_certs = rpki.x509.X509_chain(Auto_files = gctx.cfg.multiget(gctx.cfg_section, "cms-cert"))
-gctx.https_key = rpki.x509.RSA_Keypair(Auto_file = gctx.cfg.get(gctx.cfg_section, "https-key"))
+gctx.https_key = rpki.x509.RSA(Auto_file = gctx.cfg.get(gctx.cfg_section, "https-key"))
gctx.https_certs = rpki.x509.X509_chain(Auto_files = gctx.cfg.multiget(gctx.cfg_section, "https-cert"))
gctx.https_tas = rpki.x509.X509_chain(Auto_files = gctx.cfg.multiget(gctx.cfg_section, "https-ta"))