-rw-r--r-- | docs/rpki-db-schema.pdf | bin | 5219 -> 5193 bytes | |||
-rw-r--r-- | docs/rpki-db-schema.sql | 1 | ||||
-rw-r--r-- | rpkid/rpki/left_right.py | 42 | ||||
-rw-r--r-- | rpkid/rpki/sql.py | 6 |
4 files changed, 24 insertions, 25 deletions
diff --git a/docs/rpki-db-schema.pdf b/docs/rpki-db-schema.pdf
Binary files differ
index e7e4ddb4..d8436d26 100644
--- a/docs/rpki-db-schema.pdf
+++ b/docs/rpki-db-schema.pdf
diff --git a/docs/rpki-db-schema.sql b/docs/rpki-db-schema.sql
index 71af47d1..17fa1541 100644
--- a/docs/rpki-db-schema.sql
+++ b/docs/rpki-db-schema.sql
@@ -154,6 +154,7 @@ DROP TABLE IF EXISTS route_origin;
 CREATE TABLE route_origin (
 route_origin_id SERIAL NOT NULL,
 as_number DECIMAL(24,0),
+ cert LONGBLOB,
 roa LONGBLOB,
 self_id BIGINT unsigned NOT NULL,
 ca_detail_id BIGINT unsigned,
diff --git a/rpkid/rpki/left_right.py b/rpkid/rpki/left_right.py
index f8edb919..4be71369 100644
--- a/rpkid/rpki/left_right.py
+++ b/rpkid/rpki/left_right.py
@@ -423,9 +423,9 @@ class bsc_elt(data_elt):
 elements = ('signing_cert',)
 booleans = ("generate_keypair", "clear_signing_certs")
- sql_template = rpki.sql.template("bsc", "bsc_id", "self_id",
+ sql_template = rpki.sql.template("bsc", "bsc_id", "self_id", "hash_alg",
 ("public_key", rpki.x509.RSApublic),
- ("private_key_id", rpki.x509.RSA), "hash_alg")
+ ("private_key_id", rpki.x509.RSA))
 pkcs10_cert_request = None
 public_key = None
@@ -799,9 +799,11 @@ class route_origin_elt(data_elt):
 booleans = ("suppress_publication",)
 sql_template = rpki.sql.template("route_origin", "route_origin_id", "self_id", "as_number",
- "ca_detail_id", "roa")
+ "ca_detail_id", "roa",
+ ("cert", rpki.x509.X509))
 ca_detail_id = None
+ cert = None
 roa = None
 def sql_fetch_hook(self, gctx):
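Review bot: The move of `"hash_alg"` ahead of the two `(name, type)` pairs in `bsc_elt.sql_template` is not explained anywhere in the hunk; if `rpki.sql.template` treats positional order as significant (plain column names before typed pairs, say), a one-line comment such as `# plain column names first, then (name, type) pairs` would keep the next reader from "tidying" it back. The route_origin_elt hunk below appears to follow the same convention by appending `("cert", rpki.x509.X509)` after the plain names, so one comment at the first site covers both. Both class bodies continue outside their hunks.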
@@ -908,36 +910,32 @@ class route_origin_elt(data_elt):
 keypair = rpki.x509.RSA()
 keypair.generate()
- # Hmm, may need to specify SIA here naming the ROA itself. In
- # which case it's the EE cert that needs to go into the
- # ca_detail's manifest, not the ROA. Hmm, where do we even store
- # the EE cert, other than in the ROA itself?
+ sia = ((rpki.oids.name2oid["id-ad-signedObject"], ("uri", self.roa_uri(ca, keypair))),)
- ee_cert = ca_detail.issue_ee(ca, resources)
-
- self.roa = rpki.cms.sign(payload.toString(), keypair, (ee_cert,))
+ self.cert = ca_detail.issue_ee(ca, resources, sia)
+ self.roa = rpki.cms.sign(payload.toString(), keypair, (self.cert,))
 self.ca_detail_id = ca_detail.ca_detail_id
 self.sql_store(gctx)
- parent.repository(gctx).publish(gctx, self.roa, self.uri(ca))
+ repository = parent.repository(gctx)
+
+ repository.publish(gctx, self.roa, self.roa_uri(ca))
+ repository.publish(gctx, self.cert, self.ee_uri(ca))
 ca_detail.generate_manifest(gctx)
 raise rpki.exceptions.NotImplementedYet
- def uri_tail(self):
- """Return the tail (filename) portion of the URI for this route_origin's ROA."""
-
- # And just what -is- the filename for a ROA? In a
- # single-signature model it could be the hash of the EE public
- # key, which is a bit painful to extract. In a multiple-signature
- # model ... feh. I'm tempted just to hash the ROA itself and have
- # done.
+ def roa_uri(self, ca, key = None):
+ """Return the publication URI for this route_origin's ROA."""
+ return ca.sia_uri + (key or self.cert).gSKI() + ".roa"
- raise rpki.exceptions.NotImplementedYet
+ def ee_uri_tail(self):
+ """Return the tail (filename) portion of the URI for this route_origin's ROA's EE certificate."""
+ return self.cert.gSKI() + ".cer"
- def uri(self, ca):
- """Return the publication URI for this route_origin's ROA."""
+ def ee_uri(self, ca):
+ """Return the publication URI for this route_origin's ROA's EE certificate."""
 return ca.sia_uri + self.uri_tail()
 class list_resources_elt(base_elt):
diff --git a/rpkid/rpki/sql.py b/rpkid/rpki/sql.py
index dd6312b6..168c9cba 100644
--- a/rpkid/rpki/sql.py
+++ b/rpkid/rpki/sql.py
@@ -671,15 +671,15 @@ class ca_detail_obj(sql_persistant):
 if nextUpdate is None:
 nextUpdate = now + crl_interval
- certs = [(c.uri_tail(), c.cert) for c in self.child_certs(gctx)]
- roas = [(r.uri_tail(), r.roa) for r in self.route_origins(gctx) if r is not None]
+ certs = [(c.uri_tail(), c.cert) for c in self.child_certs(gctx)] + \
+ [(r.ee_uri_tail(), r.cert) for r in self.route_origins(gctx) if r.cert is not None]
 m = rpki.x509.SignedManifest()
 m.build(
 serial = ca.next_manifest_number(),
 thisUpdate = now,
 nextUpdate = nextUpdate,
- names_and_objs = certs + roas,
+ names_and_objs = certs,
 keypair = self.manifest_private_key_id,
 certs = rpki.x509.X509_chain(self.latest_manifest_cert))
 self.latest_manifest = m |
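Review bot: `ee_uri` still ends in `return ca.sia_uri + self.uri_tail()`, but this same hunk deletes `uri_tail` and introduces `ee_uri_tail` in its place, so `repository.publish(gctx, self.cert, self.ee_uri(ca))` would raise AttributeError at the EE-cert publish step unless a base class supplies `uri_tail` (nothing visible here suggests it does). The fix is one line: `return ca.sia_uri + self.ee_uri_tail()`. The `sia` line also deserves a comment, because the signedObject URI baked into the EE cert is computed from `keypair.gSKI()` before the cert exists while the later `self.roa_uri(ca)` derives the name from `self.cert.gSKI()`; this only holds if the issued EE cert's gSKI is that of the keypair, and a mismatch would leave the published ROA at a different URI than its own certificate claims, e.g. `# SIA must name the ROA's final URI; relies on issue_ee() keeping keypair's gSKI`. The enclosing method begins before this hunk.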
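Review bot: The ROA object itself drops out of the manifest in this hunk: the removed `roas` list paired each ROA name with `r.roa`, while the new `certs` list only adds `(r.ee_uri_tail(), r.cert)`, yet the left_right.py hunk above still publishes the `.roa` file next to the `.cer`. A published object that the manifest does not list is something relying parties are expected to treat as an error, so either keep a ROA entry alongside the EE cert, e.g. `[(r.cert.gSKI() + ".roa", r.roa) for r in self.route_origins(gctx) if r.cert is not None]` (mirroring how `roa_uri` names the file), or add a comment stating why the ROA is deliberately left unlisted. The filter change from `if r is not None` to `if r.cert is not None` looks like the right guard for rows that have no issued cert yet and would benefit from a short note such as `# skip route_origins whose EE cert has not been issued yet`. The enclosing method begins before this hunk.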