-rw-r--r-- | scripts/Makefile | 5 | ||||
-rwxr-xr-x | scripts/encode-test.py | 2 | ||||
-rw-r--r-- | scripts/rpki/up_down.py | 44 | ||||
-rwxr-xr-x | scripts/rpkid.py | 2 | ||||
-rw-r--r-- | scripts/up-down-medium-schema.rnc | 79 | ||||
-rw-r--r-- | scripts/up-down-medium-schema.rng | 258 | ||||
-rw-r--r-- | scripts/up-down-protocol-samples/issue_response.xml | 8 | ||||
-rw-r--r-- | scripts/up-down-protocol-samples/list_response.xml | 12 | ||||
-rwxr-xr-x | scripts/xml-parse-test.py | 2 |
9 files changed, 54 insertions, 358 deletions
diff --git a/scripts/Makefile b/scripts/Makefile
index 26d31538..5aa33cba 100644
--- a/scripts/Makefile
+++ b/scripts/Makefile
@@ -11,11 +11,6 @@ all:: left-right-schema.rng
 left-right-schema.rng: left-right-schema.rnc
 	trang left-right-schema.rnc left-right-schema.rng
 
-all:: up-down-medium-schema.rng
-
-up-down-medium-schema.rng: up-down-medium-schema.rnc
-	trang up-down-medium-schema.rnc up-down-medium-schema.rng
-
 all:: up-down-schema.rng
 
 up-down-schema.rng: up-down-schema.rnc
diff --git a/scripts/encode-test.py b/scripts/encode-test.py
index 08f78d82..b4709866 100755
--- a/scripts/encode-test.py
+++ b/scripts/encode-test.py
@@ -23,7 +23,7 @@ def main():
   dir = "biz-certs"
   cer = "biz-certs/Alice-EE.cer"
   key = "biz-certs/Alice-EE.key"
-  rng = "up-down-medium-schema.rng"
+  rng = "up-down-schema.rng"
 
   for x in xml:
     print x
diff --git a/scripts/rpki/up_down.py b/scripts/rpki/up_down.py
index 256ef790..d1437775 100644
--- a/scripts/rpki/up_down.py
+++ b/scripts/rpki/up_down.py
@@ -45,13 +45,37 @@ class base_elt(object):
     if value is not None:
       lxml.etree.SubElement(elt, "{%s}%s" % (xmlns, name), nsmap=nsmap).text = base64.b64encode(value)
 
+class multi_uri(list):
+  """Container for a set of URIs."""
+
+  def __init__(self, ini):
+    """Initialize a set of URIs, which includes basic some syntax checking."""
+    if isinstance(ini, (list, tuple)):
+      self[:] = ini
+    elif isinstance(ini, str):
+      self[:] = ini.split(",")
+      for s in self:
+        assert s.strip() == s and s.find("://") >= 0, "Bad URI \"%s\"" % s
+    else:
+      raise TypeError
+
+  def __str__(self):
+    return ",".join(self)
+
+  def rsync(self):
+    """Find first rsync://... URI in self."""
+    for s in self:
+      if s.startswith("rsync://"):
+        return s
+    return None
+
 class certificate_elt(base_elt):
   """Up-Down protocol representation of an issued certificate."""
 
   def startElement(self, stack, name, attrs):
     """Handle attributes of <certificate/> element."""
     assert name == "certificate", "Unexpected name %s, stack %s" % (name, stack)
-    self.cert_url = attrs["cert_url"]
+    self.cert_url = multi_uri(attrs["cert_url"])
     self.req_resource_set_as = resource_set.resource_set_as(attrs.get("req_resource_set_as"))
     self.req_resource_set_ipv4 = resource_set.resource_set_ipv4(attrs.get("req_resource_set_ipv4"))
     self.req_resource_set_ipv6 = resource_set.resource_set_ipv6(attrs.get("req_resource_set_ipv6"))
@@ -84,7 +108,7 @@ class class_elt(base_elt):
     elif name != "issuer":
       assert name == "class", "Unexpected name %s, stack %s" % (name, stack)
       self.class_name = attrs["class_name"]
-      self.cert_url = attrs["cert_url"]
+      self.cert_url = multi_uri(attrs["cert_url"])
       self.suggested_sia_head = attrs.get("suggested_sia_head")
       self.resource_set_as = resource_set.resource_set_as(attrs["resource_set_as"])
       self.resource_set_ipv4 = resource_set.resource_set_ipv4(attrs["resource_set_ipv4"])
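Review bot: multi_uri.__init__ checks the peer-supplied cert_url with `assert`, so under `python -O` the unchecked split string becomes the URI list and otherwise a bad value surfaces as AssertionError rather than a protocol-level error; certificate_elt.startElement in the second half of this hunk and class_elt.startElement in the @@ -84 hunk both feed attribute values straight into it. Prefer `if s.strip() != s or s.find("://") < 0: raise ValueError("Bad URI \"%s\"" % s)`, keeping assert out of input validation. The `isinstance(ini, str)` test sends a `unicode` value to the bare `raise TypeError`; whether the parser delivers str or unicode depends on sax_handler, which is outside this hunk, so `basestring` may be what is intended and is worth confirming. rsync() returns None when no rsync:// entry exists and its callers are not visible here, so each caller needs a None check.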
@@ -180,10 +204,23 @@ class revoke_response_pdu(revoke_pdu):
 class error_response_pdu(base_elt):
   """Up-Down protocol "error_response" PDU."""
 
+  codes = {
+    1101 : "Already processing request",
+    1102 : "Version number error",
+    1103 : "Unrecognised request type",
+    1201 : "Request - no such resource class",
+    1202 : "Request - no resources allocated in resource class",
+    1203 : "Request - badly formed certificate request",
+    1301 : "Revoke - no such resource class",
+    1302 : "Revoke - no such key",
+    2001 : "Internal Server Error - Request not performed" }
+
   def endElement(self, stack, name, text):
     """Handle "error_response" PDU."""
     if name == "status":
-      self.status = int(text)
+      code = int(text)
+      assert code in self.codes
+      self.status = code
     elif name == "last_message_processed":
       self.last_message_processed = text
     elif name == "description":
@@ -195,6 +232,7 @@ class error_response_pdu(base_elt):
 
   def toXML(self):
     """Generate payload of "error_response" PDU."""
+    assert self.status in self.codes
     elt = self.make_elt("status")
     elt.text = str(self.status)
     return [elt]
diff --git a/scripts/rpkid.py b/scripts/rpkid.py
index a8eb024c..483ad5be 100755
--- a/scripts/rpkid.py
+++ b/scripts/rpkid.py
@@ -88,7 +88,7 @@ db = MySQLdb.connect(user = cfg.get(section, "sql-username"),
 cur = db.cursor()
 
 lr_rng = rpki.relaxng.RelaxNG("left-right-schema.rng")
-ud_rng = rpki.relaxng.RelaxNG("up-down-medium-schema.rng")
+ud_rng = rpki.relaxng.RelaxNG("up-down-schema.rng")
 
 cms_ta_irdb = cfg.get(section, "cms-ta-irdb")
 cms_ta_irbe = cfg.get(section, "cms-ta-irbe")
diff --git a/scripts/up-down-medium-schema.rnc b/scripts/up-down-medium-schema.rnc
deleted file mode 100644
index 623d83b5..00000000
--- a/scripts/up-down-medium-schema.rnc
+++ /dev/null
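Review bot: In endElement the new `assert code in self.codes` is the only guard on a status code received from the peer, so under `python -O` an unknown code is stored unchanged, while a non-numeric status still escapes as a ValueError from int() before the assert runs; the same pattern is added to toXML in the @@ -195 hunk. Replace it with an explicit check, `if code not in self.codes: raise ValueError("Unknown error_response status %s" % code)`, so the failure is reported the same way whether or not assertions are enabled. The codes table duplicates the status list that the deleted up-down-medium-schema.rnc enforced; a comment such as `# Status codes of the up-down error_response element; keep in sync with up-down-schema.rnc` would record where the values come from. error_response_pdu continues outside this hunk, the description branch being cut at the hunk edge.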
@@ -1,79 +0,0 @@ -# $Id$ -# -# RelaxNG (Compact Syntax) Schema -# for RPKI up-down protocol. This is based on the schema in the APNIC -# Wiki, but has tighter constraints on some fields. -# -# libxml2 (including xmllint) only groks the XML syntax of RelaxNG, so -# run the output of this script through a converter like trang to get -# XML syntax. - - default namespace = "http://www.apnic.net/specs/rescerts/up-down/" - - grammar { - start = element message { - attribute version { xsd:positiveInteger { maxInclusive="1" } }, - attribute sender { xsd:token { maxLength="1024" } }, - attribute recipient { xsd:token { maxLength="1024" } }, - payload - } - - payload |= attribute type { "list" }, list_request - payload |= attribute type { "list_response"}, list_response - payload |= attribute type { "issue" }, issue_request - payload |= attribute type { "issue_response"}, issue_response - payload |= attribute type { "revoke" }, revoke_request - payload |= attribute type { "revoke_response"}, revoke_response - payload |= attribute type { "error_response"}, error_response - - list_request = empty - list_response = class* - - class = element class { - attribute class_name { xsd:token { maxLength="1024" } }, - attribute cert_url { xsd:anyURI { maxLength="1024" } }, - attribute resource_set_as { xsd:string { maxLength="512000" pattern="[\-,0-9]*" } }, - attribute resource_set_ipv4 { xsd:string { maxLength="512000" pattern="[\-,/.0-9]*" } }, - attribute resource_set_ipv6 { xsd:string { maxLength="512000" pattern="[\-,/:0-9a-fA-F]*" } }, - attribute suggested_sia_head { xsd:anyURI { maxLength="1024" pattern="rsync://.+"} }?, - element certificate { - attribute cert_url { xsd:anyURI { maxLength="1024" } }, - attribute req_resource_set_as { xsd:string { maxLength="512000" pattern="[\-,0-9]*" } }?, - attribute req_resource_set_ipv4 { xsd:string { maxLength="512000" pattern="[\-,/.0-9]*" } }?, - attribute req_resource_set_ipv6 { xsd:string { maxLength="512000" 
pattern="[\-,/:0-9a-fA-F]*" } }?, - xsd:base64Binary { maxLength="512000" } - }*, - element issuer { xsd:base64Binary { maxLength="512000" } } - } - - issue_request = element request { - attribute class_name { xsd:token { maxLength="1024" } }, - attribute req_resource_set_as { xsd:string { maxLength="512000" pattern="[\-,0-9]*" } }?, - attribute req_resource_set_ipv4 { xsd:string { maxLength="512000" pattern="[\-,/.0-9]*" } }?, - attribute req_resource_set_ipv6 { xsd:string { maxLength="512000" pattern="[\-,/:0-9a-fA-F]*" } }?, - xsd:base64Binary { maxLength="512000" } - } - issue_response = class - - revoke_request = revocation - revoke_response = revocation - - revocation = element key { - attribute class_name { xsd:token { maxLength="1024" } }, - attribute ski { xsd:token { maxLength="1024" } } - } - - error_response = - element status { - "1101" | # Already processing request - "1102" | # version number error - "1103" | # unrecognised request type - "1201" | # request - no such resource class - "1202" | # request - no resources allocated in resource class - "1203" | # request - badly formed certificate request - "1301" | # revoke - no such resource class - "1302" | # revoke - no such key - "2001" # Internal Server Error - Request not performed - }, - element description { attribute xml:lang { xsd:language }, xsd:string { maxLength="1024" } }? - } diff --git a/scripts/up-down-medium-schema.rng b/scripts/up-down-medium-schema.rng deleted file mode 100644 index d9c84489..00000000 --- a/scripts/up-down-medium-schema.rng +++ /dev/null 
@@ -1,258 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!-- - $Id: up-down-medium-schema.rnc 704 2007-07-02 16:11:58Z sra $ - - RelaxNG (Compact Syntax) Schema - for RPKI up-down protocol. This is based on the schema in the APNIC - Wiki, but has tighter constraints on some fields. - - libxml2 (including xmllint) only groks the XML syntax of RelaxNG, so - run the output of this script through a converter like trang to get - XML syntax. ---> -<grammar ns="http://www.apnic.net/specs/rescerts/up-down/" xmlns="http://relaxng.org/ns/structure/1.0" datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes"> - <start> - <element name="message"> - <attribute name="version"> - <data type="positiveInteger"> - <param name="maxInclusive">1</param> - </data> - </attribute> - <attribute name="sender"> - <data type="token"> - <param name="maxLength">1024</param> - </data> - </attribute> - <attribute name="recipient"> - <data type="token"> - <param name="maxLength">1024</param> - </data> - </attribute> - <ref name="payload"/> - </element> - </start> - <define name="payload" combine="choice"> - <attribute name="type"> - <value>list</value> - </attribute> - <ref name="list_request"/> - </define> - <define name="payload" combine="choice"> - <attribute name="type"> - <value>list_response</value> - </attribute> - <ref name="list_response"/> - </define> - <define name="payload" combine="choice"> - <attribute name="type"> - <value>issue</value> - </attribute> - <ref name="issue_request"/> - </define> - <define name="payload" combine="choice"> - <attribute name="type"> - <value>issue_response</value> - </attribute> - <ref name="issue_response"/> - </define> - <define name="payload" combine="choice"> - <attribute name="type"> - <value>revoke</value> - </attribute> - <ref name="revoke_request"/> - </define> - <define name="payload" combine="choice"> - <attribute name="type"> - <value>revoke_response</value> - </attribute> - <ref name="revoke_response"/> - </define> - <define 
name="payload" combine="choice"> - <attribute name="type"> - <value>error_response</value> - </attribute> - <ref name="error_response"/> - </define> - <define name="list_request"> - <empty/> - </define> - <define name="list_response"> - <zeroOrMore> - <ref name="class"/> - </zeroOrMore> - </define> - <define name="class"> - <element name="class"> - <attribute name="class_name"> - <data type="token"> - <param name="maxLength">1024</param> - </data> - </attribute> - <attribute name="cert_url"> - <data type="anyURI"> - <param name="maxLength">1024</param> - </data> - </attribute> - <attribute name="resource_set_as"> - <data type="string"> - <param name="maxLength">512000</param> - <param name="pattern">[\-,0-9]*</param> - </data> - </attribute> - <attribute name="resource_set_ipv4"> - <data type="string"> - <param name="maxLength">512000</param> - <param name="pattern">[\-,/.0-9]*</param> - </data> - </attribute> - <attribute name="resource_set_ipv6"> - <data type="string"> - <param name="maxLength">512000</param> - <param name="pattern">[\-,/:0-9a-fA-F]*</param> - </data> - </attribute> - <optional> - <attribute name="suggested_sia_head"> - <data type="anyURI"> - <param name="maxLength">1024</param> - <param name="pattern">rsync://.+</param> - </data> - </attribute> - </optional> - <zeroOrMore> - <element name="certificate"> - <attribute name="cert_url"> - <data type="anyURI"> - <param name="maxLength">1024</param> - </data> - </attribute> - <optional> - <attribute name="req_resource_set_as"> - <data type="string"> - <param name="maxLength">512000</param> - <param name="pattern">[\-,0-9]*</param> - </data> - </attribute> - </optional> - <optional> - <attribute name="req_resource_set_ipv4"> - <data type="string"> - <param name="maxLength">512000</param> - <param name="pattern">[\-,/.0-9]*</param> - </data> - </attribute> - </optional> - <optional> - <attribute name="req_resource_set_ipv6"> - <data type="string"> - <param name="maxLength">512000</param> - <param 
name="pattern">[\-,/:0-9a-fA-F]*</param> - </data> - </attribute> - </optional> - <data type="base64Binary"> - <param name="maxLength">512000</param> - </data> - </element> - </zeroOrMore> - <element name="issuer"> - <data type="base64Binary"> - <param name="maxLength">512000</param> - </data> - </element> - </element> - </define> - <define name="issue_request"> - <element name="request"> - <attribute name="class_name"> - <data type="token"> - <param name="maxLength">1024</param> - </data> - </attribute> - <optional> - <attribute name="req_resource_set_as"> - <data type="string"> - <param name="maxLength">512000</param> - <param name="pattern">[\-,0-9]*</param> - </data> - </attribute> - </optional> - <optional> - <attribute name="req_resource_set_ipv4"> - <data type="string"> - <param name="maxLength">512000</param> - <param name="pattern">[\-,/.0-9]*</param> - </data> - </attribute> - </optional> - <optional> - <attribute name="req_resource_set_ipv6"> - <data type="string"> - <param name="maxLength">512000</param> - <param name="pattern">[\-,/:0-9a-fA-F]*</param> - </data> - </attribute> - </optional> - <data type="base64Binary"> - <param name="maxLength">512000</param> - </data> - </element> - </define> - <define name="issue_response"> - <ref name="class"/> - </define> - <define name="revoke_request"> - <ref name="revocation"/> - </define> - <define name="revoke_response"> - <ref name="revocation"/> - </define> - <define name="revocation"> - <element name="key"> - <attribute name="class_name"> - <data type="token"> - <param name="maxLength">1024</param> - </data> - </attribute> - <attribute name="ski"> - <data type="token"> - <param name="maxLength">1024</param> - </data> - </attribute> - </element> - </define> - <define name="error_response"> - <element name="status"> - <choice> - <value>1101</value> - <!-- Already processing request --> - <value>1102</value> - <!-- version number error --> - <value>1103</value> - <!-- unrecognised request type --> - 
<value>1201</value> - <!-- request - no such resource class --> - <value>1202</value> - <!-- request - no resources allocated in resource class --> - <value>1203</value> - <!-- request - badly formed certificate request --> - <value>1301</value> - <!-- revoke - no such resource class --> - <value>1302</value> - <!-- revoke - no such key --> - <value>2001</value> - </choice> - <!-- Internal Server Error - Request not performed --> - </element> - <optional> - <element name="description"> - <attribute name="xml:lang"> - <data type="language"/> - </attribute> - <data type="string"> - <param name="maxLength">1024</param> - </data> - </element> - </optional> - </define> -</grammar> diff --git a/scripts/up-down-protocol-samples/issue_response.xml b/scripts/up-down-protocol-samples/issue_response.xml index 849626c6..39f6b954 100644 --- a/scripts/up-down-protocol-samples/issue_response.xml +++ b/scripts/up-down-protocol-samples/issue_response.xml @@ -5,12 +5,12 @@ recipient="recipient name" type="issue_response"> <class class_name="ISP5" - cert_url="url" + cert_url="rsync://wombat.example/ISP5" resource_set_as="64534-64540" resource_set_ipv4="10.0.0.0/24,10.3.0.0/24" resource_set_ipv6="2001:db8:0:0:0:0:a00::/120,2001:db8:0:0:0:0:a03::/120" suggested_sia_head="rsync://wombat.example/fnord/"> - <certificate cert_url="ISP5a" + <certificate cert_url="rsync://wombat.example/ISP5a" req_resource_set_as="" req_resource_set_ipv4="10.0.0.0/24" req_resource_set_ipv6="2001:db8:0:0:0:0:a00::/120"> @@ -36,7 +36,7 @@ AIYRKF4k4ZDYZ9gA/LYnH56xvpEXwRE1bpxgUC5n8wQrdIn5/pJz3R5EgWe4CGOo n/SMvEfe8d+LEc0C7LmtCwYoDOKENoOF809GVkbV9fjL8w== </certificate> - <certificate cert_url="ISP5b" + <certificate cert_url="rsync://wombat.example/ISP5b" req_resource_set_as="" req_resource_set_ipv4="10.3.0.0/24" req_resource_set_ipv6="2001:db8:0:0:0:0:a03::/120"> 
@@ -62,7 +62,7 @@
 2emkoegzzS2cN+5I5I+O8IRnZInqmiPgEgElgEFw+rg6xw23yax5Nyqx12J56tt0
 tPWGhrYe1dCwKZajWKn3P9+NMcGQ0d8bw/QU+B3RyVeVfw==
     </certificate>
-    <certificate cert_url="ISP5c"
+    <certificate cert_url="rsync://wombat.example/ISP5c"
                  req_resource_set_as="64534-64540"
                  req_resource_set_ipv4=""
                  req_resource_set_ipv6="">
diff --git a/scripts/up-down-protocol-samples/list_response.xml b/scripts/up-down-protocol-samples/list_response.xml
index a2598d33..9e368f5a 100644
--- a/scripts/up-down-protocol-samples/list_response.xml
+++ b/scripts/up-down-protocol-samples/list_response.xml
@@ -5,12 +5,12 @@
          recipient="recipient name"
          type="list_response">
   <class class_name="ISP5"
-         cert_url="url"
+         cert_url="rsync://wombat.example/ISP5"
          resource_set_as="64534-64540"
          resource_set_ipv4="10.0.0.0/24,10.3.0.0/24"
          resource_set_ipv6="2001:db8:0:0:0:0:a00::/120,2001:db8:0:0:0:0:a03::/120"
          suggested_sia_head="rsync://wombat.example/fnord/">
-    <certificate cert_url="ISP5a"
+    <certificate cert_url="rsync://wombat.example/ISP5a"
                  req_resource_set_as=""
                  req_resource_set_ipv4="10.0.0.0/24"
                  req_resource_set_ipv6="2001:db8:0:0:0:0:a00::/120">
@@ -36,7 +36,7 @@
 AIYRKF4k4ZDYZ9gA/LYnH56xvpEXwRE1bpxgUC5n8wQrdIn5/pJz3R5EgWe4CGOo
 n/SMvEfe8d+LEc0C7LmtCwYoDOKENoOF809GVkbV9fjL8w==
     </certificate>
-    <certificate cert_url="ISP5b"
+    <certificate cert_url="rsync://wombat.example/ISP5b"
                  req_resource_set_as=""
                  req_resource_set_ipv4="10.3.0.0/24"
                  req_resource_set_ipv6="2001:db8:0:0:0:0:a03::/120">
@@ -62,7 +62,7 @@
 2emkoegzzS2cN+5I5I+O8IRnZInqmiPgEgElgEFw+rg6xw23yax5Nyqx12J56tt0
 tPWGhrYe1dCwKZajWKn3P9+NMcGQ0d8bw/QU+B3RyVeVfw==
     </certificate>
-    <certificate cert_url="ISP5c"
+    <certificate cert_url="rsync://wombat.example/ISP5c"
                  req_resource_set_as="64534-64540"
                  req_resource_set_ipv4=""
                  req_resource_set_ipv6="">
@@ -114,11 +114,11 @@
     </issuer>
   </class>
   <class class_name="ISP2"
-         cert_url="url"
+         cert_url="rsync://wombat.example/ISP2"
          resource_set_as=""
          resource_set_ipv4="192.0.2.44-192.0.2.100"
          resource_set_ipv6="">
-    <certificate cert_url="url">
+    <certificate cert_url="http://wombat.example/ISP2a,rsync://wombat.example/ISP2a,ftp://wombat.example/ISP2a">
 MIIDzDCCArSgAwIBAgIBCTANBgkqhkiG9w0BAQUFADAbMRkwFwYDVQQDExBURVNU
 IEVOVElUWSBMSVIxMB4XDTA3MDgwMTE0NDgyMloXDTA4MDczMTE0NDgyMlowGzEZ
 MBcGA1UEAxMQVEVTVCBFTlRJVFkgSVNQMjCCASIwDQYJKoZIhvcNAQEBBQADggEP
diff --git a/scripts/xml-parse-test.py b/scripts/xml-parse-test.py
index ed437789..73ab295d 100755
--- a/scripts/xml-parse-test.py
+++ b/scripts/xml-parse-test.py
@@ -42,7 +42,7 @@ def lr_tester(elt_in, elt_out, msg):
     pprint_cert(cert)
 
 test(fileglob="up-down-protocol-samples/*.xml",
-     schema="up-down-medium-schema.rng",
+     schema="up-down-schema.rng",
      sax_handler=rpki.up_down.sax_handler,
      encoding="utf-8",
      tester=ud_tester)