-rw-r--r-- | rpkid/cronjob.py | 12 | ||||
-rw-r--r-- | rpkid/rpki/exceptions.py | 9 | ||||
-rw-r--r-- | rpkid/rpki/https.py | 39 | ||||
-rw-r--r-- | rpkid/rpki/sql.py | 13 | ||||
-rw-r--r-- | rpkid/rpki/x509.py | 2 | ||||
-rw-r--r-- | rpkid/testpoke.py | 11 |
6 files changed, 60 insertions, 26 deletions
diff --git a/rpkid/cronjob.py b/rpkid/cronjob.py
index f2c1748d..b67f698c 100644
--- a/rpkid/cronjob.py
+++ b/rpkid/cronjob.py
@@ -18,7 +18,8 @@ Tool to trigger "cron" runs in rpkid.
 Usage: python cronjob.py [ { -c | --config } configfile ]
- [ { -h | --help } ]
+ [ { -d | --debug } ]
+ [ { -h | --help } ]
 Default configuration file is cronjob.conf, override with --config option.
 """
@@ -26,6 +27,7 @@ Default configuration file is cronjob.conf, override with --config option.
 import rpki.config, rpki.https, getopt, sys
 cfg_file = "cronjob.conf"
+debug = False
 opts,argv = getopt.getopt(sys.argv[1:], "c:h?", ["config=", "help"])
 for o,a in opts:
@@ -34,15 +36,17 @@ for o,a in opts:
 sys.exit(0)
 elif o in ("-c", "--config"):
 cfg_file = a
+ elif o in ("-d", "--debug"):
+ debug = True
 if argv:
 print __doc__
 raise RuntimeError, "Unexpected arguments %s" % argv
 cfg = rpki.config.parser(cfg_file, "cronjob")
-# Some day this should be conditional
-rpki.log.init("cronjob")
-rpki.log.set_trace(True)
+if debug:
+ rpki.log.init("cronjob")
+ rpki.log.set_trace(True)
 irbe_key = rpki.x509.RSA( Auto_file = cfg.get("irbe-key"))
 irbe_cert = rpki.x509.X509(Auto_file = cfg.get("irbe-cert"))
diff --git a/rpkid/rpki/exceptions.py b/rpkid/rpki/exceptions.py
index c8874f3f..91f7e351 100644
--- a/rpkid/rpki/exceptions.py
+++ b/rpkid/rpki/exceptions.py
@@ -94,6 +94,12 @@ class MustBePrefix(RPKI_Exception):
 class TLSValidationError(RPKI_Exception):
 """TLS certificate validation error."""
+class MultipleTLSEECert(TLSValidationError):
+ """Received more than one TLS EE certificate."""
+
+class ReceivedTLSCACert(TLSValidationError):
+ """Received CA certificate via TLS."""
+
 class WrongEContentType(RPKI_Exception):
 """Received wrong CMS eContentType."""
@@ -114,6 +120,3 @@ class MissingCMSCRL(RPKI_Exception):
 class UnparsableCMSDER(RPKI_Exception):
 """Alleged CMS DER wasn't parsable."""
-
-class MultipleTLSEECert(RPKI_Exception):
- """Received more than one TLS EE certificate."""
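Review bot: The `-d`/`--debug` option advertised in the @@ -18 usage text and handled by the new `elif` in @@ -34 is never accepted by the parser: the `getopt.getopt(sys.argv[1:], "c:h?", ["config=", "help"])` call left unchanged as context in @@ -26 still lists only `c`, `h` and `?`, so `cronjob.py -d` raises `getopt.GetoptError` before the new branch is reached (testpoke.py's spec in the same commit already carries `d` and `"debug"`). The line should read `opts,argv = getopt.getopt(sys.argv[1:], "c:dh?", ["config=", "debug", "help"])`. Separately, the removed lines in @@ -34 called `rpki.log.init("cronjob")` unconditionally, so any `rpki.log.*` call reached on the non-debug path now runs without init; if rpki.log requires init() before use that is a regression shared with testpoke.py's @@ -51 and @@ -118 hunks — confirm rpki.log tolerates use before init, or keep init() unconditional and make only set_trace() depend on debug.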
diff --git a/rpkid/rpki/https.py b/rpkid/rpki/https.py
index 8ccaff2c..57ef379f 100644
--- a/rpkid/rpki/https.py
+++ b/rpkid/rpki/https.py
@@ -31,10 +31,7 @@ import POW
 disable_tls_certificate_validation_exceptions = False
 # Chatter about TLS certificates
-debug_tls_certs = True
-
-# Vile debugging hack
-pem_dump_tls_certs = False
+debug_tls_certs = False
 rpki_content_type = "application/x-rpki"
@@ -48,6 +45,17 @@ def tlslite_certChain(x509):
 class Checker(tlslite.api.Checker):
 """Derived class to handle X.509 client certificate checking."""
+ ## @var refuse_tls_ca_certs
+ # Raise an exception upon receiving CA certificates via TLS rather
+ # than just quietly ignoring them.
+
+ refuse_tls_ca_certs = False
+
+ ## @var pem_dump_tls_certs
+ # Vile debugging hack
+
+ pem_dump_tls_certs = False
+
 def __init__(self, trust_anchor = None, dynamic_x509store = None):
 """Initialize our modified certificate checker."""
@@ -65,7 +73,7 @@ class Checker(tlslite.api.Checker):
 if debug_tls_certs:
 rpki.log.debug("HTTPS trusted cert issuer %s [%s] subject %s [%s]" % (x.getIssuer(), x.hAKI(), x.getSubject(), x.hSKI()))
 self.x509store.addTrust(x.get_POW())
- if pem_dump_tls_certs:
+ if self.pem_dump_tls_certs:
 print x.get_PEM()
 def x509store_thunk(self):
@@ -75,7 +83,11 @@ class Checker(tlslite.api.Checker):
 return self.x509store
 def __call__(self, tlsConnection):
- """POW/OpenSSL-based certificate checker."""
+ """POW/OpenSSL-based certificate checker.
+
+ Given our BPKI model, we're only interested in the TLS EE
+ certificates.
+ """
 if tlsConnection._client:
 chain = tlsConnection.session.serverCertChain
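Review bot: The new `refuse_tls_ca_certs` comment in the @@ -48 hunk explains the True case but not the default: with False, `__call__` (see the @@ -87 hunk) skips every received CA certificate with `continue`, so such certificates take no part in validation and are not added to the trust store by `__call__`. Suggest extending the comment with `# With the default False, CA certificates in a received chain are silently skipped; only the EE certificate is verified.` Also, `pem_dump_tls_certs` was a module global before this change and now exists only on `Checker`; any code that toggled `rpki.https.pem_dump_tls_certs` (none visible here) would now set an unused module attribute and must set `Checker.pem_dump_tls_certs` instead. Since enabling it prints the peer's certificates to stdout via `print x.get_PEM()`, saying so next to "Vile debugging hack" would help whoever flips it on a running daemon.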
@@ -87,18 +99,23 @@ class Checker(tlslite.api.Checker):
 chain = [rpki.x509.X509(tlslite = chain.x509List[i]) for i in range(chain.getNumCerts())]
 ee = None
+
 for x in chain:
+
 if debug_tls_certs:
 rpki.log.debug("Received %s TLS %s cert issuer %s [%s] subject %s [%s]" % (peer, "CA" if x.is_CA() else "EE", x.getIssuer(), x.hAKI(), x.getSubject(), x.hSKI()))
- if pem_dump_tls_certs:
+ if self.pem_dump_tls_certs:
 print x.get_PEM()
+
 if x.is_CA():
- rpki.log.debug("Ignoring received TLS CA cert")
- elif ee is None:
- ee = x
- else:
+ if self.refuse_tls_ca_certs:
+ raise rpki.exceptions.ReceivedTLSCACert
+ continue
+
+ if ee is not None:
 raise rpki.exceptions.MultipleTLSEECert, chain
+ ee = x
 result = self.x509store_thunk().verifyDetailed(ee.get_POW())
 if not result[0]:
diff --git a/rpkid/rpki/sql.py b/rpkid/rpki/sql.py
index 2aa2ed49..791bc7d8 100644
--- a/rpkid/rpki/sql.py
+++ b/rpkid/rpki/sql.py
@@ -54,12 +54,19 @@ class sql_persistant(object):
 ## @var sql_in_db
 # Whether this object is already in SQL or not.
+
 sql_in_db = False
 ## @var sql_deleted
 # Whether our cached copy of this object has been deleted.
+
 sql_deleted = False
+ ## @var sql_debug
+ # Enable logging of SQL actions
+
+ sql_debug = False
+
 @classmethod
 def sql_fetch(cls, gctx, id):
 """Fetch one object from SQL, based on its primary key.
@@ -105,11 +112,13 @@ class sql_persistant(object):
 """Fetch objects of this type matching an arbitrary SQL WHERE expression."""
 if where is None:
 assert args is None
- rpki.log.debug("sql_fetch_where(%s)" % repr(cls.sql_template.select))
+ if cls.sql_debug:
+ rpki.log.debug("sql_fetch_where(%s)" % repr(cls.sql_template.select))
 gctx.cur.execute(cls.sql_template.select)
 else:
 query = cls.sql_template.select + " WHERE " + where
- rpki.log.debug("sql_fetch_where(%s, %s)" % (repr(query), repr(args)))
+ if cls.sql_debug:
+ rpki.log.debug("sql_fetch_where(%s, %s)" % (repr(query), repr(args)))
 gctx.cur.execute(query, args)
 results = []
 for row in gctx.cur.fetchall():
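Review bot: After the rewritten loop `ee` is never checked for None before `result = self.x509store_thunk().verifyDetailed(ee.get_POW())`: a chain in which every certificate reports `is_CA()` (with `refuse_tls_ca_certs` left at False) or an empty chain now falls through to an `AttributeError` on `None` instead of a validation failure, and the removed `elif ee is None` version had the same gap. Add `if ee is None: raise rpki.exceptions.TLSValidationError, "No TLS EE certificate received"` between the loop and the verifyDetailed call; TLSValidationError is the base the commit gives the other two TLS exceptions. For consistency with `raise rpki.exceptions.MultipleTLSEECert, chain`, the new `raise rpki.exceptions.ReceivedTLSCACert` could carry the offending certificate, e.g. `raise rpki.exceptions.ReceivedTLSCACert, x`, so the log shows which peer certificate was refused. `__call__` starts and ends outside this hunk.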
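Review bot: The two new `if cls.sql_debug:` guards in the @@ -105 hunk are fine, but the context line between them, `query = cls.sql_template.select + " WHERE " + where`, splices the caller's `where` string verbatim into the statement while only `args` reaches `gctx.cur.execute(query, args)` as bound parameters, and neither the hunk nor the docstring states that contract. Suggest extending the docstring: `"""Fetch objects of this type matching an arbitrary SQL WHERE expression. "where" is spliced into the statement as-is and must be a fixed expression with placeholders; all values go through "args"."""`. The debug line also logs `repr(args)`, i.e. the bound values themselves, so the `sql_debug` comment added in the @@ -54 hunk could say `# Enable logging of SQL actions (logs statements and their bound values)`. sql_fetch_where's signature is outside this hunk.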
diff --git a/rpkid/rpki/x509.py b/rpkid/rpki/x509.py
index 23b7a693..99a6e247 100644
--- a/rpkid/rpki/x509.py
+++ b/rpkid/rpki/x509.py
@@ -604,7 +604,7 @@ class CMS_object(DER_object):
 ## @var debug_cms_certs
 # Set this to True to log a lot of chatter about CMS certificates.
- debug_cms_certs = True
+ debug_cms_certs = False
 ## @var require_crls
 # Set this to False to make CMS CRLs optional in the cases where we
diff --git a/rpkid/testpoke.py b/rpkid/testpoke.py
index 2d26d12c..a97c117f 100644
--- a/rpkid/testpoke.py
+++ b/rpkid/testpoke.py
@@ -41,6 +41,7 @@ def usage(code):
 yaml_file = "testpoke.yaml"
 yaml_cmd = None
+debug = False
 opts,argv = getopt.getopt(sys.argv[1:], "y:r:h?d", ["yaml=", "request=", "help", "debug"])
 for o,a in opts:
@@ -51,10 +52,14 @@ for o,a in opts:
 elif o in ("-r", "--request"):
 yaml_cmd = a
 elif o in ("-d", "--debug"):
- rpki.log.init("testpoke")
+ debug = True
 if argv:
 usage(1)
+if debug:
+ rpki.log.init("testpoke")
+ rpki.log.set_trace(True)
+
 f = open(yaml_file)
 yaml_data = yaml.load(f)
 f.close()
@@ -118,10 +123,6 @@ def do_revoke():
 q_pdu.ski = yaml_req["ski"]
 query_up_down(q_pdu)
-# Some day this should be conditional
-rpki.log.init("testpoke")
-rpki.log.set_trace(True)
-
 dispatch = { "list" : do_list, "issue" : do_issue, "revoke" : do_revoke }
 cms_ta = get_PEM("cms-ca-cert", rpki.x509.X509)
|