-rw-r--r-- | scripts/biz-certs/Bob-CA.srl | 2 | ||||
-rw-r--r-- | scripts/left-right-schema.rnc | 2 | ||||
-rw-r--r-- | scripts/left-right-schema.rng | 12 | ||||
-rw-r--r-- | scripts/rpki/left_right.py | 8 | ||||
-rw-r--r-- | scripts/rpki/relaxng.py | 14 | ||||
-rw-r--r-- | scripts/rpki/resource_set.py | 3 | ||||
-rw-r--r-- | scripts/rpki/sql.py | 17 | ||||
-rw-r--r-- | scripts/rpki/sundial.py | 4 | ||||
-rw-r--r-- | scripts/rpki/up_down.py | 18 | ||||
-rw-r--r-- | scripts/rpki/x509.py | 18 | ||||
-rwxr-xr-x | scripts/testroot.py | 7 |
11 files changed, 63 insertions, 42 deletions
diff --git a/scripts/biz-certs/Bob-CA.srl b/scripts/biz-certs/Bob-CA.srl
index e5ce762b..f06575a7 100644
--- a/scripts/biz-certs/Bob-CA.srl
+++ b/scripts/biz-certs/Bob-CA.srl
@@ -1 +1 @@
-90801F1ED19454A7
+90801F1ED19454AB
diff --git a/scripts/left-right-schema.rnc b/scripts/left-right-schema.rnc
index b25ebc09..813c1710 100644
--- a/scripts/left-right-schema.rnc
+++ b/scripts/left-right-schema.rnc
@@ -186,7 +186,7 @@ ro_elt |= element route_origin { ctl_dr, self_id, ro_id }
 list_resources_elt = element list_resources {
 ( attribute type { "query" }, self_id, child_id ) |
 ( attribute type { "reply" }, self_id, child_id,
- attribute valid_until { xsd:token { maxLength="1024" } }?,
+ attribute valid_until { xsd:token { maxLength="1024" } },
 attribute subject_name { xsd:token { maxLength="1024" } }?,
 attribute as { xsd:token { maxLength="1024" } }?,
 attribute ipv4 { xsd:token { maxLength="1024" } }?,
diff --git a/scripts/left-right-schema.rng b/scripts/left-right-schema.rng
index b33c8e28..e431da7d 100644
--- a/scripts/left-right-schema.rng
+++ b/scripts/left-right-schema.rng
@@ -855,13 +855,11 @@
 </attribute>
 <ref name="self_id"/>
 <ref name="child_id"/>
- <optional>
- <attribute name="valid_until">
- <data type="token">
- <param name="maxLength">1024</param>
- </data>
- </attribute>
- </optional>
+ <attribute name="valid_until">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
 <optional>
 <attribute name="subject_name">
 <data type="token">
diff --git a/scripts/rpki/left_right.py b/scripts/rpki/left_right.py
index e1fcf4a1..c4abffa9 100644
--- a/scripts/rpki/left_right.py
+++ b/scripts/rpki/left_right.py
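Review bot: The valid_until attribute that both schema hunks make mandatory in the list_resources reply stays typed as `xsd:token { maxLength="1024" }`, so validation accepts any string of up to 1024 characters where a timestamp is expected, and the value becomes a certificate notAfter further down (left_right.irdb_query feeds it into resource_bag). If the IRDB always emits an ISO 8601 value, `attribute valid_until { xsd:dateTime },` in the rnc, with the matching `<data type="dateTime"/>` in the generated rng, would let the schema reject malformed values before they reach the issuing code; otherwise the code that converts the attribute has to do that check itself. The embedded copy of the schema in relaxng.py (a later hunk) would need the same edit.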
@@ -448,7 +448,10 @@ class parent_elt(data_elt):
 url = self.peer_contact_uri)
 r_elt = rpki.cms.xml_verify(r_cms, self.cms_ta)
 rpki.relaxng.up_down.assertValid(r_elt)
- return rpki.up_down.sax_handler.saxify(r_elt)
+ r_msg = rpki.up_down.sax_handler.saxify(r_elt)
+ r_msg.payload.check_response()
+ return r_msg
+
 class child_elt(data_elt):
 """<child/> element."""
 
@@ -759,4 +762,5 @@ def irdb_query(gctx, self_id, child_id = None):
 raise rpki.exceptions.BadIRDBReply, "Unexpected response to IRDB query: %s" % r_msg.toXML()
 return rpki.resource_set.resource_bag(r_msg[0].as, r_msg[0].ipv4,
- r_msg[0].ipv6)
+ r_msg[0].ipv6,
+ r_msg[0].valid_until)
 
diff --git a/scripts/rpki/relaxng.py b/scripts/rpki/relaxng.py
index 3f479ef6..6e0946a3 100644
--- a/scripts/rpki/relaxng.py
+++ b/scripts/rpki/relaxng.py
@@ -6,7 +6,7 @@ import lxml.etree
 ## Parsed RelaxNG left_right schema
 left_right = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" encoding="UTF-8"?>
 <!--
- $Id: left-right-schema.rng 1262 2007-11-07 05:06:24Z sra $
+ $Id: left-right-schema.rnc 1262 2007-11-07 05:06:24Z sra $
 
 RelaxNG (Compact Syntax) Schema for RPKI left-right protocol.
 
@@ -861,13 +861,11 @@ left_right = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" enc
 </attribute>
 <ref name="self_id"/>
 <ref name="child_id"/>
- <optional>
- <attribute name="valid_until">
- <data type="token">
- <param name="maxLength">1024</param>
- </data>
- </attribute>
- </optional>
+ <attribute name="valid_until">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
 <optional>
 <attribute name="subject_name">
 <data type="token">
diff --git a/scripts/rpki/resource_set.py b/scripts/rpki/resource_set.py
index d42fc808..a98824b8 100644
--- a/scripts/rpki/resource_set.py
+++ b/scripts/rpki/resource_set.py
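Review bot: `r_msg[0].valid_until` in irdb_query is passed to resource_bag exactly as the SAX handler stored the XML attribute, and nothing in this commit converts it to rpki.sundial.datetime, whereas the other producer of resource_bag.valid_until, DER_object.get_3779resources in the x509.py hunk, stores the datetime returned by getNotAfter(). Unless the handler converts the attribute elsewhere, the two sources give the field different types and the IRDB string travels unparsed into X509.issue's notAfter via up_down.issue_pdu. Converting (and thereby validating) it at this call, or in the handler, with whatever sundial parser the project has for XML timestamps would keep the field a single type. The body of irdb_query starts outside the hunk.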
@@ -384,10 +384,11 @@ class resource_bag(object):
 IPv4, and IPv6 resource sets.
 """
 
- def __init__(self, as = None, v4 = None, v6 = None):
+ def __init__(self, as = None, v4 = None, v6 = None, valid_until = None):
 self.as = as or resource_set_as()
 self.v4 = v4 or resource_set_ipv4()
 self.v6 = v6 or resource_set_ipv6()
+ self.valid_until = valid_until
 
 def oversized(self, other):
 """True iff self is oversized with respect to other."""
diff --git a/scripts/rpki/sql.py b/scripts/rpki/sql.py
index ea3e74e4..88ba39d8 100644
--- a/scripts/rpki/sql.py
+++ b/scripts/rpki/sql.py
@@ -256,7 +256,6 @@ class ca_obj(sql_persistant):
 self.sia_uri = self.construct_sia_uri(gctx, parent, rc)
 ca_detail = ca_detail_obj.create(gctx, self)
 issue_response = rpki.up_down.issue_pdu.query(gctx, parent, self, ca_detail)
- issue_response.payload.check_syntax()
 ca_detail.latest_ca_cert = issue_response.payload.classes[0].certs[0].cert
 ca_detail.ca_cert_uri = issue_response.payload.classes[0].certs[0].cert_url.rsync()
 ca_detail.generate_manifest_cert(self)
@@ -357,14 +356,17 @@ class ca_detail_obj(sql_persistant):
 """
 if undersized:
 issue_response = rpki.up_down.issue_pdu.query(gctx, parent, ca, self)
- issue_response.check_syntax()
 self.latest_ca_cert = issue_response.classes[0].certs[0].cert
 current_resources = self.latest_ca_cert.get_3779resources()
 if oversized or sia_uri_changed:
 for child_cert in child_cert_obj.sql_fetch_where(gctx, "ca_detail_id = %s" % self.ca_detail_id):
 child_resources = child_cert.cert.get_3779resources()
 if sia_uri_changed or child_resources.oversized(current_resources):
- child_cert.reissue(gctx, self, child_resources.intersection(current_resources), ca.sia_uri)
+ child_cert.reissue(gctx = gctx,
+ ca_detail = self,
+ resources = child_resources.intersection(current_resources),
+ sia = ca.sia_uri,
+ valid_until = child_resources.valid_until)
 
 @classmethod
 def create(cls, gctx, ca):
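Review bot: resource_bag's docstring, which ends with `IPv4, and IPv6 resource sets.` just above the new parameter, does not mention valid_until, and the attribute differs from the other three in kind: it is not a resource set and, judging by sql.py passing `child_resources.valid_until` alongside `child_resources.intersection(current_resources)`, is presumably not propagated by the set operations (their bodies are outside this hunk). A sentence in the docstring such as `valid_until, when set, is the expiry bound for certificates issued for these resources; it is carried by the bag but is not a resource and is not preserved by set operations.` and a `# expiry bound from the IRDB or from the cert this bag was read from; may be None` comment on the new assignment would make that explicit.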
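Review bot: After the two `check_syntax()` calls are dropped, the lines that remain in the @@ -256 and @@ -357 hunks still read the same query result two different ways, `issue_response.payload.classes[0]` in ca_obj and `issue_response.classes[0]` in ca_detail_obj, both from `rpki.up_down.issue_pdu.query(gctx, parent, ...)`; the removed lines had the same split (`.payload.check_syntax()` versus `.check_syntax()`), which suggests one of the two survivors is wrong. The left_right.py hunk shows query() returning the whole message and calling `r_msg.payload.check_response()` on it, so the `.payload` form looks like the correct one, in which case the ca_detail_obj line should become `self.latest_ca_cert = issue_response.payload.classes[0].certs[0].cert`. Worth confirming against issue_pdu.query, which is outside this diff; both enclosing methods start outside their hunks.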
@@ -398,9 +400,10 @@ class ca_detail_obj(sql_persistant):
 aia = self.ca_cert_uri,
 crldp = ca.sia_uri + self.latest_ca_cert.gSKI() + ".crl",
 resources = resources,
+ notAfter = self.latest_ca_cert.getNotAfter(),
 is_ca = False)
 
- def issue(self, gctx, ca, child, subject_key, sia, resources, child_cert = None):
+ def issue(self, gctx, ca, child, subject_key, sia, resources, valid_until, child_cert = None):
 """Issue a new certificate to a child. Optional child_cert argument specifies an existing child_cert object to update in place; if not specified, we create a new one. Returns the
@@ -415,7 +418,8 @@ class ca_detail_obj(sql_persistant):
 aia = self.ca_cert_uri,
 crldp = ca.sia_uri + self.latest_ca_cert.gSKI() + ".crl",
 sia = sia,
- resources = resources)
+ resources = resources,
+ notAfter = valid_until)
 
 if child_cert is None:
 child_cert = rpki.sql.child_cert_obj(child_id = child.child_id,
@@ -512,7 +516,7 @@ class child_cert_obj(sql_persistant):
 d["cert"] = self.cert.get_DER()
 return d
 
- def reissue(self, gctx, ca_detail, resources, sia):
+ def reissue(self, gctx, ca_detail, resources, sia, valid_until):
 """Reissue an existing child_cert_obj, reusing the public key."""
 # if sia is None: sia = self.cert.get_SIA()
 
@@ -523,6 +527,7 @@ class child_cert_obj(sql_persistant):
 subject_key = self.cert.getPublicKey(),
 sia = sia,
 resources = resources,
+ notAfter = valid_until,
 child_cert = self)
 
 def revoke(self):
diff --git a/scripts/rpki/sundial.py b/scripts/rpki/sundial.py
index 2360732d..d656ca16 100644
--- a/scripts/rpki/sundial.py
+++ b/scripts/rpki/sundial.py
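Review bot: In the @@ -523 hunk of child_cert_obj.reissue the new keyword `notAfter = valid_until` goes to a call whose other keywords (subject_key, sia, resources, `child_cert = self`) match ca_detail_obj.issue, and that method's new parameter in the @@ -400 hunk is named `valid_until`, not `notAfter`; if the callee is ca_detail_obj.issue (the call's first line is outside the hunk, but it is the only method in this diff that takes child_cert), every reissue will raise TypeError for the unexpected keyword. The line should be `valid_until = valid_until,`, which is also the spelling the sql.py and up_down.py callers use. Inside ca_detail_obj.issue the corresponding `notAfter = valid_until` is right, since there the callee is X509.issue. The new required positional valid_until in both ca_detail_obj.issue and reissue sits before `child_cert = None`, so a caller outside this diff that passed arguments positionally would also break; the visible callers all use keywords.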
@@ -42,9 +42,9 @@ class datetime(pydatetime.datetime):
 """Convert from ASN.1 tuple representation."""
 assert isinstance(x, tuple) and len(x) == 2 and x[0] in ("utcTime", "generalTime")
 if x[0] == "utcTime":
- return cls.fromUTCTime(x)
+ return cls.fromUTCTime(x[1])
 else:
- return cls.fromGeneralizedTime(x)
+ return cls.fromGeneralizedTime(x[1])
 
 ## @var PKIX_threshhold
 # Threshold specified in RFC 3280 for switchover from UTCTime to GeneralizedTime.
diff --git a/scripts/rpki/up_down.py b/scripts/rpki/up_down.py
index 1710b30f..7f127971 100644
--- a/scripts/rpki/up_down.py
+++ b/scripts/rpki/up_down.py
@@ -50,6 +50,10 @@ class base_elt(object):
 """Default PDU handler to catch unexpected types."""
 raise rpki.exceptions.BadQuery, "Unexpected query type %s" % q_msg.type
 
+ def check_response(self):
+ """Placeholder for response checking."""
+ pass
+
 class multi_uri(list):
 """Container for a set of URIs."""
 
@@ -270,12 +274,14 @@ class issue_pdu(base_elt):
 child = child,
 subject_key = req_key,
 sia = req_sia,
- resources = resources)
+ resources = resources,
+ valid_until = irdb_resources.valid_until)
 elif resources != child_cert.cert.get_3779resources() or child_cert.cert.get_SIA() != req_sia:
 child_cert = child_cert.reissue(gctx = gctx,
 ca_detail = ca_detail,
 sia = req_sia,
- resources = resources)
+ resources = resources,
+ valid_until = irdb_resources.valid_until)
 
 # Save anything we modified and generate response
 rpki.sql.sql_sweep(gctx)
@@ -306,7 +312,7 @@ class issue_pdu(base_elt):
 class issue_response_pdu(class_response_syntax):
 """Up-Down protocol "issue_response" PDU."""
 
- def check_syntax(self):
+ def check_response(self):
 """Check whether this looks like a reasonable issue_response PDU.
 XML schema should be tighter for this response.
 """
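Review bot: `irdb_resources.valid_until` is forwarded to ca_detail.issue and child_cert.reissue in the @@ -270 hunk without checking that it is set or that it is no later than the issuing certificate's own expiry; X509.issue in a later hunk no longer substitutes a default, so a missing value reaches the certificate builder as None, and a generous IRDB value yields a child certificate that outlives its issuer. A guard before the two calls, along the lines of `if irdb_resources.valid_until is None: raise rpki.exceptions.BadIRDBReply, "IRDB reply lacks valid_until"`, plus clamping to `ca_detail.latest_ca_cert.getNotAfter()` (the bound the sql.py manifest hunk already uses), would close both gaps at the one place the IRDB value enters. The `resources != child_cert.cert.get_3779resources()` test on the elif line also deserves a look now that both bags carry valid_until: whether it forces a reissue on every expiry change, or never does, depends on resource_bag's equality, which this diff does not show. The enclosing method starts outside the hunk.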
@@ -416,9 +422,9 @@ class error_response_pdu(base_elt):
 payload.append(elt)
 return payload
 
- def check_syntax(self):
- """Handle an error response. For the moment, just raise an
- exception, eventually figure out something more clever to do.
+ def check_response(self):
+ """Handle an error response. For now, just raise an exception,
+ perhaps figure out something more clever to do later.
 """
 raise rpki.exceptions.UpstreamError, self.codes[self.status]
 
diff --git a/scripts/rpki/x509.py b/scripts/rpki/x509.py
index 44c2a168..e5539d83 100644
--- a/scripts/rpki/x509.py
+++ b/scripts/rpki/x509.py
@@ -167,7 +167,12 @@ class DER_object(object):
 """Get RFC 3779 resources as rpki.resource_set objects.
 Only works for subclasses that support getExtensions().
 """
- return rpki.resource_set.resource_bag.from_asn1_tuples(self.get_POWpkix().getExtensions())
+ resources = rpki.resource_set.resource_bag.from_asn1_tuples(self.get_POWpkix().getExtensions())
+ try:
+ resources.valid_until = self.getNotAfter()
+ except AttributeError:
+ pass
+ return resources
 
 class X509(DER_object):
 """X.509 certificates.
@@ -230,11 +235,11 @@ class X509(DER_object):
 
 def getNotBefore(self):
 """Get the inception time of this certificate."""
- return POW.pkix.utc2time(self.get_POW().getNotBefore())
+ return rpki.sundial.datetime.fromASN1tuple(self.get_POWpkix().tbs.validity.notBefore.get())
 
 def getNotAfter(self):
 """Get the expiration time of this certificate."""
- return POW.pkix.utc2time(self.get_POW().getNotAfter())
+ return rpki.sundial.datetime.fromASN1tuple(self.get_POWpkix().tbs.validity.notAfter.get())
 
 def getSerial(self):
 """Get the serial number of this certificate."""
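Review bot: The `except AttributeError: pass` wrapped around `resources.valid_until = self.getNotAfter()` in DER_object.get_3779resources is wider than the case it is meant for (a subclass without getNotAfter): the new X509.getNotAfter in the hunk below evaluates `self.get_POWpkix().tbs.validity.notAfter.get()`, and an AttributeError raised anywhere in that chain would be swallowed too, silently leaving valid_until None and letting the sql.py reissue path pass that None on as a certificate expiry. Probing for the method instead of catching the call keeps the intent without hiding errors: `get_not_after = getattr(self, "getNotAfter", None)` / `if get_not_after is not None:` / `    resources.valid_until = get_not_after()`. A comment naming which subclasses lack getNotAfter would also tell the next reader why the attribute can be absent.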
@@ -244,8 +249,8 @@ class X509(DER_object):
 """Extract the public key from this certificate."""
 return RSApublic(DER = self.get_POWpkix().tbs.subjectPublicKeyInfo.toString())
 
- def issue(self, keypair, subject_key, serial, sia, aia, crldp,
- cn = None, notAfter = None, resources = None, is_ca = True):
+ def issue(self, keypair, subject_key, serial, sia, aia, crldp, notAfter,
+ cn = None, resources = None, is_ca = True):
 """Issue a certificate."""
 
 now = rpki.sundial.datetime.utcnow()
@@ -255,8 +260,7 @@ class X509(DER_object):
 if cn is None:
 cn = "".join(("%02X" % ord(i) for i in ski))
 
- if notAfter is None:
- notAfter = now + rpki.sundial.timedelta(days = 30)
+ # if notAfter is None: notAfter = now + rpki.sundial.timedelta(days = 30)
 
 cert = POW.pkix.Certificate()
 cert.setVersion(2)
diff --git a/scripts/testroot.py b/scripts/testroot.py
index 762a1757..f92cd24a 100755
--- a/scripts/testroot.py
+++ b/scripts/testroot.py
@@ -13,11 +13,15 @@ Default configuration file is testroot.conf, override with --config option.
 import traceback, os, time, getopt, sys, lxml
 import rpki.resource_set, rpki.up_down, rpki.left_right, rpki.x509
 import rpki.https, rpki.config, rpki.cms, rpki.exceptions, rpki.relaxng
+import rpki.sundial
 
 root_name = "wombat"
 root_base = "rsync://" + root_name + ".invalid/"
 root_cert = root_base + "testroot.cer"
 
+rpki_subject_lifetime = rpki.sundial.timedelta(days = 30)
+
+
 def get_subject_cert():
 try:
 x = rpki.x509.X509(Auto_file = rpki_subject_filename)
@@ -71,7 +75,8 @@ class issue_pdu(rpki.up_down.issue_pdu):
 sia = req_sia,
 aia = root_cert,
 crldp = crldp,
- resources = resources))
+ resources = resources,
+ notAfter = rpki.sundial.datetime.utcnow() + rpki_subject_lifetime))
 compose_response(r_msg)
 
 class revoke_pdu(rpki.up_down.revoke_pdu): |
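Review bot: X509.issue now requires notAfter, yet the only handling of a missing value is the commented-out default `# if notAfter is None: notAfter = now + rpki.sundial.timedelta(days = 30)` in the @@ -255 hunk, so a caller passing None (which the valid_until plumbing in sql.py and up_down.py permits) hands None to the certificate builder below the hunk rather than failing here. Replace the dead line with an explicit rejection, e.g. `if notAfter is None: raise ValueError("notAfter is required")` using whichever exception class the project prefers, and drop the commented-out code rather than keeping it as history. Moving notAfter ahead of cn in the signature also changes positional binding for any caller elsewhere that passed cn by position; every caller in this diff uses keywords, so that is only something to confirm. The rest of issue is outside the hunk.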