-rw-r--r-- | rpkid/rootd.py | 5 | ||||
-rw-r--r-- | rpkid/rpki/resource_set.py | 15 | ||||
-rw-r--r-- | rpkid/rpki/rpki_engine.py | 6 | ||||
-rw-r--r-- | rpkid/rpki/x509.py | 16 |
4 files changed, 28 insertions, 14 deletions
diff --git a/rpkid/rootd.py b/rpkid/rootd.py
index 1b0115b0..ac38d76d 100644
--- a/rpkid/rootd.py
+++ b/rpkid/rootd.py
@@ -143,10 +143,7 @@ def issue_subject_cert_maybe(new_pkcs10):
   f = open(rpki_root_dir + rpki_root_crl, "wb")
   f.write(crl.get_DER())
   f.close()
-  manifest_resources = rpki.resource_set.resource_bag(
-    asn = rpki.resource_set.resource_set_as(rpki.resource_set.inherit_token),
-    v4 = rpki.resource_set.resource_set_ipv4(rpki.resource_set.inherit_token),
-    v6 = rpki.resource_set.resource_set_ipv6(rpki.resource_set.inherit_token))
+  manifest_resources = rpki.resource_set.resource_bag.from_inheritance()
   manifest_keypair = rpki.x509.RSA.generate()
   manifest_cert = rpki_root_cert.issue(
     keypair = rpki_root_key,
diff --git a/rpkid/rpki/resource_set.py b/rpkid/rpki/resource_set.py
index 08a577c9..611f1f44 100644
--- a/rpkid/rpki/resource_set.py
+++ b/rpkid/rpki/resource_set.py
@@ -703,6 +703,21 @@ class resource_bag(object):
       not other.v6.issubset(self.v6)
 
   @classmethod
+  def from_inheritance(cls):
+    """
+    Build a resource bag that just inherits everything from its
+    parent.
+    """
+    self = cls()
+    self.asn = resource_set_as()
+    self.v4 = resource_set_ipv4()
+    self.v6 = resource_set_ipv6()
+    self.asn.inherit = True
+    self.v4.inherit = True
+    self.v6.inherit = True
+    return self
+
+  @classmethod
   def from_rfc3779_tuples(cls, exts):
     """
     Build a resource_bag from intermediate form generated by RFC 3779
diff --git a/rpkid/rpki/rpki_engine.py b/rpkid/rpki/rpki_engine.py
index f31e1df7..ba7f1cf7 100644
--- a/rpkid/rpki/rpki_engine.py
+++ b/rpkid/rpki/rpki_engine.py
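Review bot: The docstring on `from_inheritance` should spell out what the bag means on the wire: each of the three sets is empty and flagged `inherit`, i.e. the RFC 3779 "inherit" element, so a certificate issued from it is granted the issuer's entire resource set — fine for the manifest EE certificates both call sites in this commit use it for, but wrong for a CA certificate issued to a child, and the helper does nothing to prevent that misuse. Something like `"""Build a resource_bag whose ASN, IPv4 and IPv6 sets are empty and marked inherit (RFC 3779 inherit element): the subject gets all of the issuer's resources. Intended for EE certificates such as manifest certs; never use it for a child CA."""`. Style-wise, `self = cls()` inside a classmethod reads like an instance method — `bag = cls()` is clearer — and the removed call sites built the same sets with `resource_set_as(inherit_token)`; unless that constructor path is being retired, reusing it here keeps a single way of marking a set inherited instead of reaching into `.inherit` from outside. The enclosing class `resource_bag` starts before this hunk.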
@@ -774,11 +774,7 @@ class ca_detail_obj(rpki.sql.sql_persistent):
     Generate a new manifest certificate for this ca_detail.
     """
 
-    resources = rpki.resource_set.resource_bag(
-      asn = rpki.resource_set.resource_set_as(rpki.resource_set.inherit_token),
-      v4 = rpki.resource_set.resource_set_ipv4(rpki.resource_set.inherit_token),
-      v6 = rpki.resource_set.resource_set_ipv6(rpki.resource_set.inherit_token))
-
+    resources = rpki.resource_set.resource_bag.from_inheritance()
     self.latest_manifest_cert = self.issue_ee(ca, resources, self.manifest_public_key)
 
   def issue(self, ca, child, subject_key, sia, resources, publisher, child_cert = None):
diff --git a/rpkid/rpki/x509.py b/rpkid/rpki/x509.py
index d013d247..61b5fef7 100644
--- a/rpkid/rpki/x509.py
+++ b/rpkid/rpki/x509.py
@@ -509,11 +509,17 @@ class X509(DER_object):
     else:
       assert not is_ca
 
-    if resources is not None and resources.asn:
-      exts.append(["sbgp-autonomousSysNum", True, (resources.asn.to_rfc3779_tuple(), None)])
-
-    if resources is not None and (resources.v4 or resources.v6):
-      exts.append(["sbgp-ipAddrBlock", True, [x for x in (resources.v4.to_rfc3779_tuple(), resources.v6.to_rfc3779_tuple()) if x is not None]])
+    # This next bit suggests that perhaps .to_rfc3779_tuple() should
+    # be raising an exception when there are no resources rather than
+    # returning None.  Maybe refactor later.
+
+    if resources is not None:
+      r = resources.asn.to_rfc3779_tuple()
+      if r is not None:
+        exts.append(["sbgp-autonomousSysNum", True, (r, None)])
+      r = [x for x in (resources.v4.to_rfc3779_tuple(), resources.v6.to_rfc3779_tuple()) if x is not None]
+      if r:
+        exts.append(["sbgp-ipAddrBlock", True, r])
 
     for x in exts:
       x[0] = rpki.oids.name2oid[x[0]]
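Review bot: When `resources` is a bag whose three sets all encode to `None`, the new `if resources is not None:` branch silently issues a certificate carrying neither RFC 3779 extension; RFC 6487 §4.8.10 requires at least one of them in every RPKI certificate, so relying parties would reject that cert, and the removed truthiness checks had the same gap — this rewrite is the natural place to close it. Record `n_exts = len(exts)` just before the branch and finish the branch with `if len(exts) == n_exts: raise <the rpki.exceptions class the callers already handle, or ValueError>("certificate would carry no RFC 3779 resource extension")`, keeping it inside the `resources is not None` guard so callers that deliberately pass `None` for non-RPKI (BPKI-style) certificates are unaffected. If some caller intentionally issues from an empty bag, that deserves a comment here rather than silence. Reusing `r` for the ASN tuple and then for the address-block list is also a small readability cost; `asn` and `addrs` would read better. The enclosing method `issue` starts before this hunk and continues after it.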