-rw-r--r--scripts/rpki/cms.py9
-rw-r--r--scripts/rpki/https.py9
-rw-r--r--scripts/rpki/ipaddrs.py3
-rw-r--r--scripts/rpki/left_right.py58
-rw-r--r--scripts/rpki/pkcs10.py3
-rw-r--r--scripts/rpki/resource_set.py3
-rw-r--r--scripts/rpki/sql.py46
-rw-r--r--scripts/rpki/up_down.py29
-rw-r--r--scripts/rpki/x509.py21
-rwxr-xr-xscripts/rpkid.py3
10 files changed, 126 insertions, 58 deletions
diff --git a/scripts/rpki/cms.py b/scripts/rpki/cms.py
index 5b27a97f..999e3197 100644
--- a/scripts/rpki/cms.py
+++ b/scripts/rpki/cms.py
@@ -8,7 +8,8 @@ requires disk I/O, and likes PEM format. Fix this later.
import os, rpki.x509, rpki.exceptions, lxml.etree
-# openssl smime -sign -nodetach -outform DER -signer biz-certs/Alice-EE.cer -certfile biz-certs/Alice-CA.cer -inkey biz-certs/Alice-EE.key -in PLAN -out PLAN.der
+# openssl smime -sign -nodetach -outform DER -signer biz-certs/Alice-EE.cer
+# -certfile biz-certs/Alice-CA.cer -inkey biz-certs/Alice-EE.key -in PLAN -out PLAN.der
def sign(plaintext, keypair, certs):
"""Sign plaintext as CMS with specified key and bag of certificates.
@@ -36,7 +37,8 @@ def sign(plaintext, keypair, certs):
f.write(plaintext)
f.close()
- i,o = os.popen2(("openssl", "smime", "-sign", "-nodetach", "-outform", "DER", "-binary", "-signer", signer_filename,
+ i,o = os.popen2(("openssl", "smime", "-sign", "-nodetach", "-outform", "DER", "-binary",
+ "-signer", signer_filename,
"-certfile", certfile_filename, "-inkey", "/dev/stdin", "-in", plaintext_filename))
i.write(keypair.get_PEM())
i.close()
@@ -86,4 +88,5 @@ def xml_verify(elt, ta):
def xml_sign(elt, key, certs):
"""Composite routine to sign CMS-wrapped XML."""
- return sign(lxml.etree.tostring(elt, pretty_print=True, encoding="us-ascii", xml_declaration=True), key, certs)
+ return sign(lxml.etree.tostring(elt, pretty_print=True, encoding="us-ascii", xml_declaration=True),
+ key, certs)
diff --git a/scripts/rpki/https.py b/scripts/rpki/https.py
index 6aeba62a..eec9e3a0 100644
--- a/scripts/rpki/https.py
+++ b/scripts/rpki/https.py
@@ -42,7 +42,8 @@ def client(msg, privateKey, certChain, x509TrustList, url):
return response.read()
else:
r = response.read()
- raise rpki.exceptions.HTTPRequestFailed, "HTTP request failed with status %s, response %s" % (response.status, r)
+ raise rpki.exceptions.HTTPRequestFailed, \
+ "HTTP request failed with status %s, response %s" % (response.status, r)
class requestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
"""Derived type to supply POST handler."""
@@ -61,11 +62,13 @@ class requestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
try:
handler = self.rpki_find_handler()
if self.headers["Content-Type"] != rpki_content_type:
- rcode, rtext = 415, "Received Content-Type %s, expected %s" % (self.headers["Content-Type"], rpki_content_type)
+ rcode, rtext = 415, "Received Content-Type %s, expected %s" \
+ % (self.headers["Content-Type"], rpki_content_type)
elif handler is None:
rcode, rtext = 404, "No handler found for URL " + self.path
else:
- rcode, rtext = handler(query = self.rfile.read(int(self.headers["Content-Length"])), path = self.path)
+ rcode, rtext = handler(query = self.rfile.read(int(self.headers["Content-Length"])),
+ path = self.path)
except Exception, edata:
traceback.print_exc()
rcode, rtext = 500, "Unhandled exception %s" % edata
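Review bot: `int(self.headers["Content-Length"])` in the `handler(...)` call takes the request's Content-Length on trust: a missing header raises KeyError and a non-numeric one ValueError, both of which fall through to the generic `except Exception` as a 500 with a traceback printed, and an arbitrarily large value is handed straight to `self.rfile.read()`. Parsing it before dispatch, e.g. `length = self.headers.get("Content-Length")` followed by a 411/400 reply when it is absent or not an integer and a 413 when it exceeds a configured cap, keeps malformed requests out of the exception path and bounds what a single request can make the server buffer. The enclosing method starts before this hunk.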
diff --git a/scripts/rpki/ipaddrs.py b/scripts/rpki/ipaddrs.py
index 161ffae4..32410691 100644
--- a/scripts/rpki/ipaddrs.py
+++ b/scripts/rpki/ipaddrs.py
@@ -51,4 +51,5 @@ class v6addr(long):
def __str__(self):
"""Convert a v6addr object to string format."""
- return socket.inet_ntop(socket.AF_INET6, struct.pack("!QQ", long(self) >> 64, long(self) & 0xFFFFFFFFFFFFFFFF))
+ return socket.inet_ntop(socket.AF_INET6,
+ struct.pack("!QQ", long(self) >> 64, long(self) & 0xFFFFFFFFFFFFFFFF))
diff --git a/scripts/rpki/left_right.py b/scripts/rpki/left_right.py
index 73d2130d..e4756a51 100644
--- a/scripts/rpki/left_right.py
+++ b/scripts/rpki/left_right.py
@@ -3,7 +3,8 @@
"""RPKI "left-right" protocol."""
import base64, lxml.etree, time
-import rpki.sax_utils, rpki.resource_set, rpki.x509, rpki.sql, rpki.exceptions, rpki.https, rpki.up_down, rpki.relaxng
+import rpki.sax_utils, rpki.resource_set, rpki.x509, rpki.sql, rpki.exceptions
+import rpki.https, rpki.up_down, rpki.relaxng
xmlns = "http://www.hactrn.net/uris/rpki/left-right-spec/"
@@ -227,7 +228,10 @@ class self_elt(data_elt):
def serve_post_save_hook(self, q_pdu, r_pdu):
"""Extra server actions for self_elt."""
if self.rekey or self.reissue or self.revoke or self.run_now or self.publish_world_now:
- raise NotImplementedError, "Unimplemented control %s" % ", ".join(b for b in ("rekey", "reissue", "revoke", "run_now", "publish_world_now") if getattr(self, b))
+ raise NotImplementedError, \
+ "Unimplemented control %s" % ", ".join(b for b in ("rekey", "reissue", "revoke",
+ "run_now", "publish_world_now")
+ if getattr(self, b))
def startElement(self, stack, name, attrs):
"""Handle <self/> element."""
@@ -255,7 +259,8 @@ class self_elt(data_elt):
"""Run the regular client poll cycle with each of this self's parents in turn."""
for parent in parent_elt.sql_fetch_where(gctx, "self_id = %s" % self.self_id):
r_pdu = rpki.up_down.list_pdu(gctx, parent)
- ca_map = dict((ca.parent_resource_class, ca) for ca in rpki.sql.ca_obj.sql_fetch_where(gctx, "parent_id = %s", parent.parent_id))
+ ca_map = dict((ca.parent_resource_class, ca)
+ for ca in rpki.sql.ca_obj.sql_fetch_where(gctx, "parent_id = %s", parent.parent_id))
for rc in r_pdu.payload:
if rc.class_name in ca_map:
ca = ca_map[rc.class_name]
@@ -293,7 +298,8 @@ class bsc_elt(data_elt):
def sql_insert_hook(self, gctx):
"""Extra SQL insert actions for bsc_elt -- handle signing certs."""
if self.signing_cert:
- gctx.cur.executemany("INSERT bsc_cert (cert, bsc_id) VALUES (%s, %s)", ((x.get_DER(), self.bsc_id) for x in self.signing_cert))
+ gctx.cur.executemany("INSERT bsc_cert (cert, bsc_id) VALUES (%s, %s)",
+ ((x.get_DER(), self.bsc_id) for x in self.signing_cert))
def sql_delete_hook(self, gctx):
"""Extra SQL delete actions for bsc_elt -- handle signing certs."""
@@ -349,11 +355,13 @@ class parent_elt(data_elt):
"""<parent/> element."""
element_name = "parent"
- attributes = ("action", "type", "self_id", "parent_id", "bsc_id", "repository_id", "peer_contact_uri", "sia_base")
+ attributes = ("action", "type", "self_id", "parent_id", "bsc_id", "repository_id",
+ "peer_contact_uri", "sia_base")
elements = ("cms_ta", "https_ta")
booleans = ("rekey", "reissue", "revoke")
- sql_template = rpki.sql.template("parent", "parent_id", "self_id", "bsc_id", "repository_id", "cms_ta", "https_ta", "peer_contact_uri", "sia_base")
+ sql_template = rpki.sql.template("parent", "parent_id", "self_id", "bsc_id", "repository_id",
+ "cms_ta", "https_ta", "peer_contact_uri", "sia_base")
cms_ta = None
https_ta = None
@@ -361,7 +369,9 @@ class parent_elt(data_elt):
def serve_post_save_hook(self, q_pdu, r_pdu):
""""Extra server actions for parent_elt."""
if self.rekey or self.reissue or self.revoke:
- raise NotImplementedError, "Unimplemented control %s" % ", ".join(b for b in ("rekey", "reissue", "revoke") if getattr(self, b))
+ raise NotImplementedError, \
+ "Unimplemented control %s" % ", ".join(b for b in ("rekey","reissue","revoke")
+ if getattr(self, b))
def startElement(self, stack, name, attrs):
"""Handle <parent/> element."""
@@ -408,7 +418,9 @@ class parent_elt(data_elt):
q_elt = q_msg.toXML()
rpki.relaxng.up_down.assertValid(q_elt)
q_cms = rpki.cms.xml_sign(q_elt, bsc.private_key_id, bsc.signing_cert)
- r_cms = self.client_up_down_reply(gctx, q_pdu, rpki.https.client(x509TrustList = rpki.x509.X509_chain(self.https_ta), msg = q_cms, url = self.peer_contact_uri))
+ r_cms = self.client_up_down_reply(gctx, q_pdu,
+ rpki.https.client(x509TrustList = rpki.x509.X509_chain(self.https_ta),
+ msg = q_cms, url = self.peer_contact_uri))
r_elt = rpki.cms.xml_verify(r_cms, self.cms_ta)
rpki.relaxng.up_down.assertValid(r_elt)
return rpki.up_down.sax_handler.saxify(r_elt)
@@ -428,7 +440,8 @@ class child_elt(data_elt):
def serve_post_save_hook(self, q_pdu, r_pdu):
"""Extra server actions for child_elt."""
if self.reissue:
- raise NotImplementedError, "Unimplemented control %s" % ", ".join(b for b in ("reissue",) if getattr(self, b))
+ raise NotImplementedError, \
+ "Unimplemented control %s" % ", ".join(b for b in ("reissue",) if getattr(self, b))
def startElement(self, stack, name, attrs):
"""Handle <child/> element."""
@@ -473,7 +486,8 @@ class repository_elt(data_elt):
attributes = ("action", "type", "self_id", "repository_id", "bsc_id", "peer_contact_uri")
elements = ("cms_ta", "https_ta")
- sql_template = rpki.sql.template("repository", "repository_id", "self_id", "bsc_id", "cms_ta", "peer_contact_uri")
+ sql_template = rpki.sql.template("repository", "repository_id", "self_id", "bsc_id", "cms_ta",
+ "peer_contact_uri")
cms_ta = None
https_ta = None
@@ -510,24 +524,29 @@ class route_origin_elt(data_elt):
attributes = ("action", "type", "self_id", "route_origin_id", "as_number", "ipv4", "ipv6")
booleans = ("suppress_publication",)
- sql_template = rpki.sql.template("route_origin", "route_origin_id", "self_id", "as_number", "ca_detail_id", "roa")
+ sql_template = rpki.sql.template("route_origin", "route_origin_id", "self_id", "as_number",
+ "ca_detail_id", "roa")
ca_detail_id = None
roa = None
def sql_fetch_hook(self, gctx):
"""Extra SQL fetch actions for route_origin_elt -- handle address ranges."""
- self.ipv4 = rpki.resource_set.resource_set_ipv4.from_sql(gctx.cur,
- "SELECT start_ip, end_ip FROM route_origin_range WHERE route_origin_id = %s AND start_ip NOT LIKE '%:%'",
- self.route_origin_id)
- self.ipv6 = rpki.resource_set.resource_set_ipv6.from_sql(gctx.cur,
- "SELECT start_ip, end_ip FROM route_origin_range WHERE route_origin_id = %s AND start_ip LIKE '%:%'",
- self.route_origin_id)
+ self.ipv4 = rpki.resource_set.resource_set_ipv4.from_sql(gctx.cur, """
+ SELECT start_ip, end_ip FROM route_origin_range
+ WHERE route_origin_id = %s AND start_ip NOT LIKE '%:%'
+ """, self.route_origin_id)
+ self.ipv6 = rpki.resource_set.resource_set_ipv6.from_sql(gctx.cur, """
+ SELECT start_ip, end_ip FROM route_origin_range
+ WHERE route_origin_id = %s AND start_ip LIKE '%:%'
+ """, self.route_origin_id)
def sql_insert_hook(self, gctx):
"""Extra SQL insert actions for route_origin_elt -- handle address ranges."""
if self.ipv4 + self.ipv6:
- gctx.cur.executemany("INSERT route_origin_range (route_origin_id, start_ip, end_ip) VALUES (%s, %s, %s)",
+ gctx.cur.executemany("""
+ INSERT route_origin_range (route_origin_id, start_ip, end_ip)
+ VALUES (%s, %s, %s)""",
((self.route_origin_id, x.min, x.max) for x in self.ipv4 + self.ipv6))
def sql_delete_hook(self, gctx):
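Review bot: The two queries in sql_fetch_hook contain the literal patterns `'%:%'` while `self.route_origin_id` is passed as a separate argument for the `%s` placeholder; whichever layer performs that substitution with Python `%` formatting (MySQLdb does so on the query text), a bare `%` in the pattern is a format error and has to be written `'%%:%%'`. The hunk does not show how `from_sql` executes the query, so this cannot be confirmed here, but the combination of a literal `%` and a separate parameter is worth a test. A one-line comment above the queries, `# '%%' is a literal '%' once the %s parameter is substituted`, would document the choice either way.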
@@ -537,7 +556,8 @@ class route_origin_elt(data_elt):
def serve_post_save_hook(self, q_pdu, r_pdu):
"""Extra server actions for route_origin_elt."""
if self.suppress_publication:
- raise NotImplementedError, "Unimplemented control %s" % ", ".join(b for b in ("suppress_publication",) if getattr(self, b))
+ raise NotImplementedError, \
+ "Unimplemented control %s" % ", ".join(b for b in ("suppress_publication",) if getattr(self, b))
def startElement(self, stack, name, attrs):
"""Handle <route_origin/> element."""
diff --git a/scripts/rpki/pkcs10.py b/scripts/rpki/pkcs10.py
index 25326c20..7f8ee17d 100644
--- a/scripts/rpki/pkcs10.py
+++ b/scripts/rpki/pkcs10.py
@@ -35,7 +35,8 @@ def make_request(keypair):
f.write(req_fmt % commonName)
f.close()
- i,o = os.popen2(["openssl", "req", "-config", config_filename, "-new", "-key", "/dev/stdin", "-outform", "DER"])
+ i,o = os.popen2(["openssl", "req", "-config", config_filename, "-new",
+ "-key", "/dev/stdin", "-outform", "DER"])
i.write(keypair.get_PEM())
i.close()
pkcs10 = rpki.x509.PKCS10(DER = o.read())
diff --git a/scripts/rpki/resource_set.py b/scripts/rpki/resource_set.py
index d176e70a..3436398c 100644
--- a/scripts/rpki/resource_set.py
+++ b/scripts/rpki/resource_set.py
@@ -103,7 +103,8 @@ def _rsplit(rset, that):
"""Split a resource range into two resource ranges."""
this = rset.pop(0)
cell_type = type(this.min)
- assert type(this) is type(that) and type(this.max) is cell_type and type(that.min) is cell_type and type(that.max) is cell_type
+ assert type(this) is type(that) and type(this.max) is cell_type and \
+ type(that.min) is cell_type and type(that.max) is cell_type
if this.min < that.min:
rset.insert(0, type(this)(this.min, cell_type(that.min - 1)))
rset.insert(1, type(this)(that.min, this.max))
diff --git a/scripts/rpki/sql.py b/scripts/rpki/sql.py
index 713a6e85..f47c6572 100644
--- a/scripts/rpki/sql.py
+++ b/scripts/rpki/sql.py
@@ -20,8 +20,11 @@ class template(object):
self.index = index_column
self.columns = columns
self.select = "SELECT %s FROM %s" % (", ".join(columns), table_name)
- self.insert = "INSERT %s (%s) VALUES (%s)" % (table_name, ", ".join(data_columns), ", ".join("%(" + s + ")s" for s in data_columns))
- self.update = "UPDATE %s SET %s WHERE %s = %%(%s)s" % (table_name, ", ".join(s + " = %(" + s + ")s" for s in data_columns), index_column, index_column)
+ self.insert = "INSERT %s (%s) VALUES (%s)" % (table_name, ", ".join(data_columns),
+ ", ".join("%(" + s + ")s" for s in data_columns))
+ self.update = "UPDATE %s SET %s WHERE %s = %%(%s)s" % \
+ (table_name, ", ".join(s + " = %(" + s + ")s" for s in data_columns),
+ index_column, index_column)
self.delete = "DELETE FROM %s WHERE %s = %%s" % (table_name, index_column)
## @var sql_cache
@@ -70,7 +73,8 @@ class sql_persistant(object):
elif len(results) == 1:
return results[0]
else:
- raise rpki.exceptions.DBConsistancyError, "Database contained multiple matches for %s.%s" % (cls.__name__, id)
+ raise rpki.exceptions.DBConsistancyError, \
+ "Database contained multiple matches for %s.%s" % (cls.__name__, id)
@classmethod
def sql_fetch_all(cls, gctx):
@@ -183,7 +187,8 @@ class sql_persistant(object):
class ca_obj(sql_persistant):
"""Internal CA object."""
- sql_template = template("ca", "ca_id", "last_crl_sn", "next_crl_update", "last_issued_sn", "last_manifest_sn", "next_manifest_update", "sia_uri", "parent_id")
+ sql_template = template("ca", "ca_id", "last_crl_sn", "next_crl_update", "last_issued_sn",
+ "last_manifest_sn", "next_manifest_update", "sia_uri", "parent_id")
def construct_sia_uri(self, gctx, parent, rc):
"""Construct the sia_uri value for this CA given configured
@@ -209,22 +214,30 @@ class ca_obj(sql_persistant):
cert_map = dict((c.get_SKI(), c) for c in rc.certs)
ca_details = ca_detail_obj.sql_fetch_where(gctx, "ca_id = %s AND latest_ca_cert IS NOT NULL", ca.ca_id)
as, v4, v6 = ca_detail_obj.sql_fetch_active(gctx, ca_id).latest_ca_cert.get_3779resources()
- undersized = not rc.resource_set_as.issubset(as) or not rc.resource_set_ipv4.issubset(v4) or not rc.resource_set_ipv6.issubset(v6)
- oversized = not as.issubset(rc.resource_set_as) or not v4.issubset(rc.resource_set_ipv4) or not v6.issubset(rc.resource_set_ipv6)
+ undersized = not rc.resource_set_as.issubset(as) or \
+ not rc.resource_set_ipv4.issubset(v4) or not rc.resource_set_ipv6.issubset(v6)
+ oversized = not as.issubset(rc.resource_set_as) or \
+ not v4.issubset(rc.resource_set_ipv4) or not v6.issubset(rc.resource_set_ipv6)
sia_uri = self.construct_sia_uri()
sia_uri_changed = self.sia_uri != sia_uri
if sia_uri_changed:
self.sia_uri = sia_uri
self.sql_mark_dirty()
for ca_detail in ca_details:
- assert ca_detail.state != "pending" or (as, v4, v6) == ca_detail.get_3779resources(), "Resource mismatch for pending cert"
+ assert ca_detail.state != "pending" or (as, v4, v6) == ca_detail.get_3779resources(), \
+ "Resource mismatch for pending cert"
for ca_detail in ca_details:
ski = ca_detail.latest_ca_cert.get_SKI()
- assert ski in cert_map, "Certificate in our database missing from list_response, SKI %s" % ca_detail.latest_ca_cert.hSKI()
- if ca_detail.state != "deprecated" and (undersized or oversized or sia_uri_changed or ca_detail.latest_ca_cert != cert_map[ski]):
- ca_detail.update(gctx, parent, self, rc, cert_map[ski], undersized, oversized, sia_uri_changed, as, v4, v6)
+ assert ski in cert_map, \
+ "Certificate in our database missing from list_response, SKI %s" % \
+ ca_detail.latest_ca_cert.hSKI()
+ if ca_detail.state != "deprecated" and \
+ (undersized or oversized or sia_uri_changed or ca_detail.latest_ca_cert != cert_map[ski]):
+ ca_detail.update(gctx, parent, self, rc, cert_map[ski], undersized, oversized, sia_uri_changed,
+ as, v4, v6)
del cert_map[ski]
- assert not cert_map, "Certificates in list_response missing from our database, SKIs %s" % ", ".join(c.hSKI() for c in cert_map.values())
+ assert not cert_map, "Certificates in list_response missing from our database, SKIs %s" % \
+ ", ".join(c.hSKI() for c in cert_map.values())
@classmethod
def create(cls, gctx, parent, rc):
@@ -270,8 +283,9 @@ class ca_obj(sql_persistant):
class ca_detail_obj(sql_persistant):
"""Internal CA detail object."""
- sql_template = template("ca", "ca_detail_id", "private_key_id", "public_key", "latest_ca_cert", "manifest_private_key_id",
- "manifest_public_key", "latest_manifest_cert", "latest_manifest", "latest_crl", "state", "ca_cert_uri", "ca_id")
+ sql_template = template("ca", "ca_detail_id", "private_key_id", "public_key", "latest_ca_cert",
+ "manifest_private_key_id", "manifest_public_key", "latest_manifest_cert",
+ "latest_manifest", "latest_crl", "state", "ca_cert_uri", "ca_id")
def sql_decode(self, vals):
"""Decode SQL representation of a ca_detail_obj."""
@@ -290,7 +304,8 @@ class ca_detail_obj(sql_persistant):
def sql_encode(self):
"""Encode SQL representation of a ca_detail_obj."""
d = sql_persistant.sql_encode(self)
- for i in ("private_key_id", "public_key", "latest_ca_cert", "manifest_private_key_id", "manifest_public_key", "latest_manifest_cert", "latest_manifest", "latest_crl"):
+ for i in ("private_key_id", "public_key", "latest_ca_cert", "manifest_private_key_id",
+ "manifest_public_key", "latest_manifest_cert", "latest_manifest", "latest_crl"):
d[i] = getattr(self, i).get_DER()
return d
@@ -327,7 +342,8 @@ class ca_detail_obj(sql_persistant):
if oversized or sia_uri_changed:
for child_cert in child_cert_obj.sql_fetch_where(gctx, "ca_detail_id = %s" % self.ca_detail_id):
child_as, child_v4, child_v6 = child_cert.cert.get_3779resources()
- if sia_uri_changed or not child_as.issubset(as) or not child_v4.issubset(v4) or not child_v6.issubset(v6):
+ if sia_uri_changed or not child_as.issubset(as) or \
+ not child_v4.issubset(v4) or not child_v6.issubset(v6):
child_cert.reissue(gctx, self, as, v4, v6)
@classmethod
diff --git a/scripts/rpki/up_down.py b/scripts/rpki/up_down.py
index d5d3d93e..5c2ad35c 100644
--- a/scripts/rpki/up_down.py
+++ b/scripts/rpki/up_down.py
@@ -110,7 +110,8 @@ class certificate_elt(base_elt):
def toXML(self):
"""Generate a <certificate/> element."""
- elt = self.make_elt("certificate", "cert_url", "req_resource_set_as", "req_resource_set_ipv4", "req_resource_set_ipv6")
+ elt = self.make_elt("certificate", "cert_url",
+ "req_resource_set_as", "req_resource_set_ipv4", "req_resource_set_ipv6")
elt.text = self.cert.get_Base64()
return elt
@@ -147,7 +148,8 @@ class class_elt(base_elt):
def toXML(self):
"""Generate a <class/> element."""
- elt = self.make_elt("class", "class_name", "cert_url", "resource_set_as", "resource_set_ipv4", "resource_set_ipv6", "suggested_sia_head")
+ elt = self.make_elt("class", "class_name", "cert_url",
+ "resource_set_as", "resource_set_ipv4", "resource_set_ipv6", "suggested_sia_head")
elt.extend([i.toXML() for i in self.certs])
self.make_b64elt(elt, "issuer", self.issuer.get_DER())
return elt
@@ -163,7 +165,10 @@ class list_pdu(base_elt):
"""Serve one "list" PDU."""
r_msg.payload = list_response_pdu()
irdb_as, irdb_v4, irdb_v6 = rpki.left_right.irdb_query(gctx, child.self_id, child.child_id)
- for ca_id in rpki.sql.fetch_column(gctx, "SELECT ca_id FROM ca WHERE ca.parent_id = parent.parent_id AND parent.self_id = %s" % child.self_id):
+ for ca_id in rpki.sql.fetch_column(gctx, """
+ SELECT ca_id FROM ca
+ WHERE ca.parent_id = parent.parent_id AND parent.self_id = %s
+ """ % child.self_id):
ca_detail = rpki.sql.ca_detail_obj.sql_fetch_active(gctx, ca_id)
if not ca_detail:
continue
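Review bot: The query `SELECT ca_id FROM ca WHERE ca.parent_id = parent.parent_id AND parent.self_id = %s` refers to `parent` without listing it in FROM, so unless fetch_column rewrites the statement the database will reject `parent.parent_id` as an unknown column; the intended form is presumably `SELECT ca_id FROM ca, parent WHERE ca.parent_id = parent.parent_id AND parent.self_id = %s`. The value is also spliced in with `%` rather than handed to the driver, whereas the `sql_fetch_where(gctx, "parent_id = %s", parent.parent_id)` call in the left_right.py hunk passes it separately; the same `%` splicing appears in the next hunk and in the issue_pdu and revoke_pdu hunks below. The enclosing method starts before this hunk.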
@@ -174,7 +179,9 @@ class list_pdu(base_elt):
rc.class_name = str(ca_id)
rc.cert_url = multi_uri(ca_detail.ca_cert_uri)
rc.resource_set_as, rc.resource_set_ipv4, rc.resource_set_ipv6 = rc_as, rc_v4, rc_v6
- for child_cert in rpki.sql.child_cert_obj.sql_fetch_where(gctx, "child_id = %s AND ca_detail_id = %s" % (child.child_id, ca_detail.ca_detail_id)):
+ for child_cert in rpki.sql.child_cert_obj.sql_fetch_where(gctx, """
+ child_id = %s AND ca_detail_id = %s
+ """ % (child.child_id, ca_detail.ca_detail_id)):
c = certificate_elt()
c.cert_url = multi_uri(ca.sia_uri + child_cert.cert.gSKI() + ".cer")
c.cert = child_cert.cert
@@ -231,7 +238,8 @@ class issue_pdu(base_elt):
def toXML(self):
"""Generate payload of "issue" PDU."""
- elt = self.make_elt("request", "class_name", "req_resource_set_as", "req_resource_set_ipv4", "req_resource_set_ipv6")
+ elt = self.make_elt("request", "class_name", "req_resource_set_as",
+ "req_resource_set_ipv4", "req_resource_set_ipv6")
elt.text = self.pkcs10.get_Base64()
return [elt]
@@ -249,11 +257,14 @@ class issue_pdu(base_elt):
self.pkcs10.check_valid_rpki()
# Check current cert, if any
- rc_as, rc_v4, rc_v6 = ca_detail.latest_ca_cert.get_3779resources(rpki.left_right.irdb_query(gctx, child.self_id, child.child_id))
+ irdb_resources = rpki.left_right.irdb_query(gctx, child.self_id, child.child_id)
+ rc_as, rc_v4, rc_v6 = ca_detail.latest_ca_cert.get_3779resources(irdb_resources)
req_key = self.pkcs10.getPublicKey()
req_sia = self.pkcs10.get_SIA()
req_ski = self.pkcs10.get_SKI()
- child_cert = rpki.sql.child_cert_obj.sql_fetch_where(gctx, "child_id = %s AND ca_detail_id = %s AND ski = %s" % (child.child_id, ca_detail.ca_detail_id, req_ski))
+ child_cert = rpki.sql.child_cert_obj.sql_fetch_where(gctx, """
+ child_id = %s AND ca_detail_id = %s AND ski = %s
+ """ % (child.child_id, ca_detail.ca_detail_id, req_ski))
assert len(child_cert) < 2
child_cert = child_cert[0] if child_cert else None
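Review bot: `req_ski`, obtained from the client-supplied PKCS#10 via `self.pkcs10.get_SKI()`, is spliced into the WHERE clause with `%` (`"... AND ski = %s" % (..., req_ski)`), so the statement text depends on bytes chosen by the requester, and if get_SKI() returns raw DER rather than a hex string the result is not even a quoted literal. Passing it as a driver parameter, `sql_fetch_where(gctx, "child_id = %s AND ca_detail_id = %s AND ski = %s", (child.child_id, ca_detail.ca_detail_id, req_ski))` (adjusted to whatever parameter shape sql_fetch_where accepts), matches the parameterized form already used elsewhere in this commit and lets the driver do the quoting. The revoke_pdu hunk below does the same with `self.get_SKI()` from the revoke request. The enclosing method starts before and ends after this hunk.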
@@ -339,7 +350,9 @@ class revoke_pdu(revoke_syntax):
ca_detail = rpki.sql.ca_detail_obj.sql_fetch_active(gctx, ca_id)
if ca is None or ca_detail is None:
raise rpki.exceptions.NotInDatabase
- for c in rpki.sql.child_cert_obj.sql_fetch_where(gctx, "child_id = %s AND ca_detail_id = %s AND ski = %s" % (child.child_id, ca_detail.ca_detail_id, self.get_SKI())):
+ for c in rpki.sql.child_cert_obj.sql_fetch_where(gctx, """
+ child_id = %s AND ca_detail_id = %s AND ski = %s
+ """ % (child.child_id, ca_detail.ca_detail_id, self.get_SKI())):
c.sql_delete()
r_msg.payload = revoke_response_pdu()
r_msg.payload.class_name = self.class_name
diff --git a/scripts/rpki/x509.py b/scripts/rpki/x509.py
index 96503f3d..40412d61 100644
--- a/scripts/rpki/x509.py
+++ b/scripts/rpki/x509.py
@@ -164,7 +164,9 @@ class DER_object(object):
return (self.get_POWpkix().getExtension((1, 3, 6, 1, 5, 5, 7, 1, 1)) or ((), 0, None))[2]
def get_3779resources(self, as_intersector = None, v4_intersector = None, v6_intersector = None):
- """Get RFC 3779 resources as rpki.resource_set objects. Only works for subclasses that support getExtensions()."""
+ """Get RFC 3779 resources as rpki.resource_set objects.
+ Only works for subclasses that support getExtensions().
+ """
as, v4, v6 = rpki.resource_set.parse_extensions(self.get_POWpkix().getExtensions())
if as_intersector is not None:
as = as.intersection(as_intersector)
@@ -245,7 +247,8 @@ class X509(DER_object):
"""Extract the public key from this certificate."""
return RSApublic(DER = self.get_POWpkix().tbs.subjectPublicKeyInfo.toString())
- def issue(self, keypair, subject_key, serial, sia, aia, crldp, cn = None, notAfter = None, as = None, v4 = None, v6 = None, is_ca = True):
+ def issue(self, keypair, subject_key, serial, sia, aia, crldp,
+ cn = None, notAfter = None, as = None, v4 = None, v6 = None, is_ca = True):
"""Issue a certificate."""
now = time.time()
@@ -407,9 +410,12 @@ class PKCS10(DER_object):
raise rpki.exceptions.BadPKCS10, "Signature check failed"
if self.get_POWpkix().certificationRequestInfo.version != 0:
- raise rpki.exceptions.BadPKCS10, "Bad version number %s" % self.get_POWpkix().certificationRequestInfo.version
+ raise rpki.exceptions.BadPKCS10, \
+ "Bad version number %s" % self.get_POWpkix().certificationRequestInfo.version
- if oid2name.get(self.get_POWpkix().signatureAlgorithm) not in ("sha256WithRSAEncryption", "sha384WithRSAEncryption", "sha512WithRSAEncryption"):
+ if oid2name.get(self.get_POWpkix().signatureAlgorithm) not in ("sha256WithRSAEncryption",
+ "sha384WithRSAEncryption",
+ "sha512WithRSAEncryption"):
raise rpki.exceptions.BadPKCS10, "Bad signature algorithm %s" % self.get_POWpkix().signatureAlgorithm
exts = self.getExtensions()
@@ -428,7 +434,8 @@ class PKCS10(DER_object):
raise rpki.exceptions.BadPKCS10, "keyUsage doesn't match basicConstraints"
for method, location in req_exts.get("subjectInfoAccess", ()):
- if oid2name.get(method) == "caRepository" and (location[0] != "uri" or (location[1].startswith("rsync://") and not location[1].endswith("/"))):
+ if oid2name.get(method) == "caRepository" and \
+ (location[0] != "uri" or (location[1].startswith("rsync://") and not location[1].endswith("/"))):
raise rpki.exceptions.BadPKCS10, "Certificate request includes bad SIA component: %s" % location
# This one is an implementation restriction. I don't yet
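Review bot: The caRepository check in the subjectInfoAccess loop only rejects a non-`uri` location or an `rsync://` URI lacking a trailing slash; a caRepository location with any other scheme passes unchanged. If the intent is that the repository URI must be rsync, the condition should be `location[0] != "uri" or not location[1].startswith("rsync://") or not location[1].endswith("/")`; if other schemes are deliberately tolerated, a one-line comment saying so would save the next reader the same question. The enclosing method starts before and ends after this hunk.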
@@ -449,9 +456,11 @@ class PKCS10(DER_object):
@classmethod
def create(cls, keypair, exts = None):
"""Create a new request for a given keypair, including given SIA value."""
+ cn = "".join(("%02X" % ord(i) for i in keypair.get_SKI()))
req = POW.pkix.CertificationRequest()
req.certificationRequestInfo.version.set(0)
- req.certificationRequestInfo.subject.set((((POW.pkix.obj2oid("commonName"), ("printableString", "".join(("%02X" % ord(i) for i in keypair.get_SKI())))),),))
+ req.certificationRequestInfo.subject.set((((POW.pkix.obj2oid("commonName"),
+ ("printableString", cn)),),))
if exts is not None:
req.setExtension(exts)
req.sign(keypair.get_POW(), POW.SHA256_DIGEST)
diff --git a/scripts/rpkid.py b/scripts/rpkid.py
index b4b20d73..fb0ccd60 100755
--- a/scripts/rpkid.py
+++ b/scripts/rpkid.py
@@ -6,7 +6,8 @@ framework onto which I'm bolting various parts for testing.
"""
import tlslite.api, MySQLdb, xml.sax, lxml.etree, lxml.sax, POW, POW.pkix, traceback, os, time
-import rpki.https, rpki.config, rpki.resource_set, rpki.up_down, rpki.left_right, rpki.relaxng, rpki.cms, rpki.exceptions, rpki.x509
+import rpki.https, rpki.config, rpki.resource_set, rpki.up_down, rpki.left_right, rpki.relaxng
+import rpki.cms, rpki.exceptions, rpki.x509
def left_right_handler(query, path):
try: