diff options
| -rw-r--r-- | scripts/rpki/up_down.py | 25 |
1 files changed, 21 insertions, 4 deletions
diff --git a/scripts/rpki/up_down.py b/scripts/rpki/up_down.py index 83b80cda..a23909ed 100644 --- a/scripts/rpki/up_down.py +++ b/scripts/rpki/up_down.py @@ -2,7 +2,7 @@ """RPKI "up-down" protocol.""" -import base64, lxml.etree, time +import base64, lxml.etree, time, POW.pkix import rpki.sax_utils, rpki.resource_set, rpki.x509, rpki.exceptions xmlns="http://www.apnic.net/specs/rescerts/up-down/" @@ -228,9 +228,26 @@ class issue_pdu(base_elt): if ca is None or ca_detail is None: raise rpki.exceptions.NotInDatabase - # 2) Check that PKCS#10 is legal according to the profile (has all - # required fields, doesn't have any forbidden fields, fields - # that it has don't conflict with anything we already know). + # 2) Check that PKCS#10 is legal according to the profile + # (signature validates, has all required fields, doesn't have + # any forbidden fields, fields that it has don't conflict with + # anything we already know). + + if not self.pkcs10.get_POWpkix().verify(): + raise rpki.exceptions.BadSignature + if self.pkcs10.get_POWpkix().certificationRequestInfo.version != 0: + raise rpki.exceptions.BadVersion + if POW.pkix.oid2obj(self.pkcs10.get_POWpkix().signatureAlgorithm) not in ("sha256WithRSAEncryption", "sha384WithRSAEncryption", "sha512WithRSAEncryption"): + raise rpki.exceptions.BadAlgorithm + for x in self.pkcs10.certificationRequestInfo.attributes.val.choices[self.pkcs10.certificationRequestInfo.attributes.val.choice][0]: + + raise NotImplementedError + + oid = x.extnID.get() + val = x.extnValue.get() + name = POW.pkix.oid2obj(oid) + crit = x.critical.get() + # # 3) Find any certs already issued to this child for these # resources (approximately the same algorithm used for |