-rw-r--r-- | Makefile.in | 5 | ||||
-rw-r--r-- | ca/rpki-confgen.xml | 16 | ||||
-rw-r--r-- | ca/tests/smoketest.py | 4 | ||||
-rw-r--r-- | ca/tests/xml-parse-test.py | 8 | ||||
-rw-r--r-- | ca/tests/yamltest.py | 8 | ||||
-rw-r--r-- | rpki/irdb/migrations/0003_repository_rrdp_notification_uri.py | 19 | ||||
-rw-r--r-- | rpki/irdb/models.py | 1 | ||||
-rw-r--r-- | rpki/irdb/zookeeper.py | 22 | ||||
-rw-r--r-- | rpki/left_right.py | 23 | ||||
-rw-r--r-- | rpki/publication.py | 5 | ||||
-rw-r--r-- | rpki/relaxng.py | 9 | ||||
-rw-r--r-- | rpki/rootd.py | 4 | ||||
-rw-r--r-- | rpki/rpkid.py | 10 | ||||
-rw-r--r-- | rpki/rpkidb/migrations/0002_auto_20151015_2213.py | 29 | ||||
-rw-r--r-- | rpki/rpkidb/models.py | 27 | ||||
-rw-r--r-- | rpki/sql_schemas.py | 5 | ||||
-rw-r--r-- | schemas/relaxng/left-right.rnc | 5 | ||||
-rw-r--r-- | schemas/relaxng/left-right.rng | 9 | ||||
-rw-r--r-- | schemas/sql/rpkid.sql | 5 |
19 files changed, 152 insertions, 62 deletions
diff --git a/Makefile.in b/Makefile.in index d688ef04..1e06fb8e 100644 --- a/Makefile.in +++ b/Makefile.in @@ -226,4 +226,9 @@ tags: Makefile .FORCE ! -name relaxng.py ! -name sql_schemas.py -print | \ etags - +# This isn't all that useful until SQL has been set up. Might want to +# hack up something using ca/rpki-confgen and ca/rpki-sql-setup. +makemigrations: + for i in rpkid pubd irdb; do RPKI_CONF=ca/examples/rpki.conf ca/rpki-manage makemigrations --settings rpki.django_settings.$$i; done + .FORCE: diff --git a/ca/rpki-confgen.xml b/ca/rpki-confgen.xml index 14f160ab..63e9d793 100644 --- a/ca/rpki-confgen.xml +++ b/ca/rpki-confgen.xml @@ -217,6 +217,15 @@ </doc> </option> + <option name = "publication_rrdp_notification_uri" + value = "https://${myrpki::pubd_server_host}/rrdp/notify.xml"> + + <doc> + URI for RRDP notification file. In most cases this should be + a HTTPS URL for the notify.xml file on the publication server. + </doc> + </option> + <option name = "start_rpkid" value = "${myrpki::run_rpkid}"> <doc> @@ -857,6 +866,13 @@ </doc> </option> + <option name = "rrdp-notification-uri" + value = "${myrpki::publication_rrdp_notification_uri"> + <doc> + RRDP URI for inclusion in generated objects. + </doc> + </option> + </section> <section name = "web_portal"> diff --git a/ca/tests/smoketest.py b/ca/tests/smoketest.py index fb121525..f52ce984 100644 --- a/ca/tests/smoketest.py +++ b/ca/tests/smoketest.py @@ -1018,7 +1018,7 @@ class allocation(object): bsc_handle = "b", repository_handle = "r", sia_base = s.sia_base, - bpki_cms_cert = rootd_cert, + bpki_cert = rootd_cert, sender_name = s.name, recipient_name = "rootd", peer_contact_uri = "http://localhost:%s/" % rootd_port)) 
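Review bot: The new `rrdp-notification-uri` option in the second ca/rpki-confgen.xml hunk (`@@ -857`) has an unterminated variable reference: `value = "${myrpki::publication_rrdp_notification_uri"` is missing the closing brace, so the rootd section most likely receives the literal, unexpanded text instead of the configured URI. Compare the neighbouring `value = "${myrpki::run_rpkid}"`. It should read `value = "${myrpki::publication_rrdp_notification_uri}"`. This matters because rootd.py reads the option straight into the SIA of the objects it issues (`self.rrdp_notification_uri = self.cfg.get("rrdp-notification-uri")`), so the broken reference would be baked into signed objects rather than failing loudly.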
@@ -1030,7 +1030,7 @@ class allocation(object): bsc_handle = "b", repository_handle = "r", sia_base = s.sia_base, - bpki_cms_cert = s.cross_certify(s.parent.name + "-SELF"), + bpki_cert = s.cross_certify(s.parent.name + "-SELF"), sender_name = s.name, recipient_name = s.parent.name, peer_contact_uri = "http://localhost:%s/up-down/%s/%s" % (s.parent.get_rpki_port(), diff --git a/ca/tests/xml-parse-test.py b/ca/tests/xml-parse-test.py index ac276eb4..90c80775 100644 --- a/ca/tests/xml-parse-test.py +++ b/ca/tests/xml-parse-test.py @@ -83,11 +83,11 @@ def lr_tester(elt_in, elt_out, msg): (obj.signing_cert_crl, "Signing certificate CRL"))) # (obj.pkcs10_request, "PKCS #10 request") if isinstance(obj, rpki.left_right.parent_elt): - pprint(((obj.bpki_cms_cert, "CMS certificate"), - (obj.bpki_cms_glue, "CMS glue"))) + pprint(((obj.bpki_cert, "BPKI certificate"), + (obj.bpki_glue, "BPKI glue"))) if isinstance(obj, (rpki.left_right.child_elt, rpki.left_right.repository_elt)): - pprint(((obj.bpki_cert, "Certificate"), - (obj.bpki_glue, "Glue"))) + pprint(((obj.bpki_cert, "BPKI certificate"), + (obj.bpki_glue, "BPKI glue"))) def pp_tester(elt_in, elt_out, msg): assert isinstance(msg, rpki.publication.msg) diff --git a/ca/tests/yamltest.py b/ca/tests/yamltest.py index 44b7b6bf..a279b530 100644 --- a/ca/tests/yamltest.py +++ b/ca/tests/yamltest.py @@ -208,6 +208,7 @@ class allocation(object): pubd_port = -1 rsync_port = -1 rootd_port = -1 + rrdp_port = -1 rpkic_counter = 0L @classmethod @@ -274,6 +275,7 @@ class allocation(object): if self.runs_pubd: self.pubd_port = self.allocate_port() self.rsync_port = self.allocate_port() + self.rrdp_port = self.allocate_port() if self.is_root: self.rootd_port = self.allocate_port() 
@@ -502,6 +504,7 @@ class allocation(object): pubd_server_host = "localhost", pubd_server_port = str(self.pubd.pubd_port), publication_rsync_server = "localhost:%s" % self.pubd.rsync_port, + publication_rrdp_notification_uri = "http://localhost:%s/rrdp/notify.xml" % self.pubd.rrdp_port, bpki_servers_directory = self.path(), publication_base_directory = self.path("publication"), rrdp_publication_base_directory = self.path("rrdp-publication"), @@ -698,8 +701,9 @@ def create_root_certificate(db_root): root_uri = "rsync://localhost:%d/rpki/%s-root/root" % (db_root.pubd.rsync_port, db_root.name) - from rpki.publication import rrdp_sia_uri_kludge - root_sia = (root_uri + "/", root_uri + "/root.mft", None, rrdp_sia_uri_kludge) + rrdp_uri = "http://localhost:%s/rrdp/notify.xml" % db.root.pubd.rrdp_port + + root_sia = (root_uri + "/", root_uri + "/root.mft", None, rrdp_uri) root_cert = rpki.x509.X509.self_certify( keypair = root_key, diff --git a/rpki/irdb/migrations/0003_repository_rrdp_notification_uri.py b/rpki/irdb/migrations/0003_repository_rrdp_notification_uri.py new file mode 100644 index 00000000..1e0e43c2 --- /dev/null +++ b/rpki/irdb/migrations/0003_repository_rrdp_notification_uri.py @@ -0,0 +1,19 @@ +# -*- coding: utf-8 -*- +from __future__ import unicode_literals + +from django.db import migrations, models + + +class Migration(migrations.Migration): + + dependencies = [ + ('irdb', '0002_remove_client_parent_handle'), + ] + + operations = [ + migrations.AddField( + model_name='repository', + name='rrdp_notification_uri', + field=models.TextField(null=True), + ), + ] diff --git a/rpki/irdb/models.py b/rpki/irdb/models.py index c8e47717..0911d7aa 100644 --- a/rpki/irdb/models.py +++ b/rpki/irdb/models.py 
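Review bot: `rrdp_uri = "http://localhost:%s/rrdp/notify.xml" % db.root.pubd.rrdp_port` in the `@@ -698` hunk of ca/tests/yamltest.py reaches for `db.root` while the line just above it uses the function's own parameter `db_root`; unless a module-level `db` is deliberately intended here, this is a typo that either fails at runtime or silently picks up a different allocation object. Suggest `rrdp_uri = "http://localhost:%s/rrdp/notify.xml" % db_root.pubd.rrdp_port`. The rest of create_root_certificate lies outside the hunk.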
@@ -528,6 +528,7 @@ class Repository(CrossCertification): client_handle = HandleField() service_uri = django.db.models.CharField(max_length = 255) sia_base = django.db.models.TextField() + rrdp_notification_uri = django.db.models.TextField(null = True) turtle = django.db.models.OneToOneField(Turtle, related_name = "repository") # This shouldn't be necessary diff --git a/rpki/irdb/zookeeper.py b/rpki/irdb/zookeeper.py index 98201f95..d0597e86 100644 --- a/rpki/irdb/zookeeper.py +++ b/rpki/irdb/zookeeper.py @@ -537,7 +537,7 @@ class Zookeeper(object): tag = "%s__parent__%s" % (parent.issuer.handle, parent.handle), self_handle = parent.issuer.handle, parent_handle = parent.handle) - SubElement(q_pdu, rpki.left_right.tag_bpki_cms_cert).text = parent.certificate.get_Base64() + SubElement(q_pdu, rpki.left_right.tag_bpki_cert).text = parent.certificate.get_Base64() for rootd in rpki.irdb.models.Rootd.objects.all(): q_pdu = SubElement(q_msg, rpki.left_right.tag_parent, @@ -545,7 +545,7 @@ class Zookeeper(object): tag = "%s__rootd" % rootd.issuer.handle, self_handle = rootd.issuer.handle, parent_handle = rootd.issuer.handle) - SubElement(q_pdu, rpki.left_right.tag_bpki_cms_cert).text = rootd.certificate.get_Base64() + SubElement(q_pdu, rpki.left_right.tag_bpki_cert).text = rootd.certificate.get_Base64() for child in rpki.irdb.models.Child.objects.all(): q_pdu = SubElement(q_msg, rpki.left_right.tag_child, 
@@ -831,12 +831,16 @@ class Zookeeper(object): port = self.cfg.get("pubd_server_port", section = myrpki_section), handle = client.handle) + rrdp_uri = self.cfg.get("publication_rrdp_notification_uri", section = myrpki_section, + default = "") or None + e = Element(tag_oob_repository_response, nsmap = oob_nsmap, version = oob_version, service_uri = service_uri, publisher_handle = client.handle, sia_base = client.sia_base) - # This is where we'd insert the rrdp_notification_uri attribute + if rrdp_uri is not None: + e.set("rrdp_notification_uri", rrdp_uri) B64Element(e, tag_oob_repository_bpki_ta, self.server_ca.certificate) return etree_wrapper(e, msg = "Send this file back to the publication client you just configured") @@ -905,6 +909,7 @@ class Zookeeper(object): client_handle = x.get("publisher_handle"), service_uri = x.get("service_uri"), sia_base = x.get("sia_base"), + rrdp_notification_uri = x.get("rrdp_notification_uri"), ta = rpki.x509.X509(Base64 = x.findtext(tag_oob_repository_bpki_ta)), turtle = turtle) @@ -1439,6 +1444,7 @@ class Zookeeper(object): if (repository_pdu is None or repository_pdu.get("bsc_handle") != bsc_handle or repository_pdu.get("peer_contact_uri") != repository.service_uri or + repository_pdu.get("rrdp_notification_uri") != repository.rrdp_notification_uri or repository_pdu.findtext(rpki.left_right.tag_bpki_cert, "").decode("base64") != repository.certificate.get_DER()): q_pdu = SubElement(q_msg, rpki.left_right.tag_repository, action = "create" if repository_pdu is None else "set", @@ -1447,6 +1453,8 @@ class Zookeeper(object): repository_handle = repository.handle, bsc_handle = bsc_handle, peer_contact_uri = repository.service_uri) + if repository.rrdp_notification_uri: + q_pdu.set("rrdp_notification_uri", repository.rrdp_notification_uri) SubElement(q_pdu, rpki.left_right.tag_bpki_cert).text = repository.certificate.get_Base64() for repository_handle in repository_pdus: 
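Review bot: In the `@@ -831` hunk the configured `publication_rrdp_notification_uri` is copied into the OOB repository response, and in the `@@ -905` hunk the value taken from the peer's response is stored unchecked into `Repository.rrdp_notification_uri`; from there it propagates (via the left-right `repository` PDU) into the `rpkiNotify` SIA of every certificate rpkid issues, with nothing beyond the schema's generic `uri` type constraining it. RRDP (RFC 8182) expects the notification file to be served over HTTPS, and the rpki-confgen documentation for this option says the same, so a scheme check at the point of ingest would catch a mistyped or downgraded value before it is embedded in long-lived signed objects. A warning is enough and keeps the http://localhost test setup working, e.g. `if rrdp_uri is not None and not rrdp_uri.startswith("https://"): logger.warning("RRDP notification URI %s is not https", rrdp_uri)` — adjust to whatever logging convention this module already uses. The enclosing methods start and end outside these hunks.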
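Review bot: The new comparison in the `@@ -1439` hunk, `repository_pdu.get("rrdp_notification_uri") != repository.rrdp_notification_uri`, and the guard added in the `@@ -1447` hunk, `if repository.rrdp_notification_uri:`, disagree about the empty string: if the irdb field ever holds `""` rather than `None` (it is a nullable TextField, and the OOB attribute could be present but empty), the guard never sets the attribute, the PDU reports `None`, the comparison is true on every synchronize, and a `set` is re-sent each run. Normalize on one side so both use the same truthiness, e.g. `repository_pdu.get("rrdp_notification_uri") != (repository.rrdp_notification_uri or None) or`. The enclosing synchronize method starts and ends outside these hunks.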
@@ -1473,7 +1481,7 @@ class Zookeeper(object): parent_pdu.get("sia_base") != parent.repository.sia_base or parent_pdu.get("sender_name") != parent.child_handle or parent_pdu.get("recipient_name") != parent.parent_handle or - parent_pdu.findtext(rpki.left_right.tag_bpki_cms_cert, "").decode("base64") != parent.certificate.get_DER()): + parent_pdu.findtext(rpki.left_right.tag_bpki_cert, "").decode("base64") != parent.certificate.get_DER()): q_pdu = SubElement(q_msg, rpki.left_right.tag_parent, action = "create" if parent_pdu is None else "set", tag = parent.handle, @@ -1485,7 +1493,7 @@ class Zookeeper(object): sia_base = parent.repository.sia_base, sender_name = parent.child_handle, recipient_name = parent.parent_handle) - SubElement(q_pdu, rpki.left_right.tag_bpki_cms_cert).text = parent.certificate.get_Base64() + SubElement(q_pdu, rpki.left_right.tag_bpki_cert).text = parent.certificate.get_Base64() except rpki.irdb.models.Repository.DoesNotExist: pass @@ -1501,7 +1509,7 @@ class Zookeeper(object): parent_pdu.get("sia_base") != ca.rootd.repository.sia_base or parent_pdu.get("sender_name") != ca.handle or parent_pdu.get("recipient_name") != ca.handle or - parent_pdu.findtext(rpki.left_right.tag_bpki_cms_cert).decode("base64") != ca.rootd.certificate.get_DER()): + parent_pdu.findtext(rpki.left_right.tag_bpki_cert).decode("base64") != ca.rootd.certificate.get_DER()): q_pdu = SubElement(q_msg, rpki.left_right.tag_parent, action = "create" if parent_pdu is None else "set", tag = ca.handle, @@ -1513,7 +1521,7 @@ class Zookeeper(object): sia_base = ca.rootd.repository.sia_base, sender_name = ca.handle, recipient_name = ca.handle) - SubElement(q_pdu, rpki.left_right.tag_bpki_cms_cert).text = ca.rootd.certificate.get_Base64() + SubElement(q_pdu, rpki.left_right.tag_bpki_cert).text = ca.rootd.certificate.get_Base64() except rpki.irdb.models.Rootd.DoesNotExist: pass diff --git a/rpki/left_right.py b/rpki/left_right.py index 3367d102..1b5cf5b8 100644 --- a/rpki/left_right.py 
+++ b/rpki/left_right.py @@ -47,8 +47,6 @@ nsmap = rpki.relaxng.left_right.nsmap version = rpki.relaxng.left_right.version tag_bpki_cert = xmlns + "bpki_cert" -tag_bpki_cms_cert = xmlns + "bpki_cms_cert" -tag_bpki_cms_glue = xmlns + "bpki_cms_glue" tag_bpki_glue = xmlns + "bpki_glue" tag_bsc = xmlns + "bsc" tag_child = xmlns + "child" @@ -584,7 +582,7 @@ class repository_elt(base_elt): """ element_name = xmlns + "repository" - attributes = ("action", "tag", "self_handle", "repository_handle", "bsc_handle", "peer_contact_uri") + attributes = ("action", "tag", "self_handle", "repository_handle", "bsc_handle", "peer_contact_uri", "rrdp_notification_uri") booleans = ("clear_replay_protection",) elements = collections.OrderedDict(( @@ -608,6 +606,7 @@ class repository_elt(base_elt): bpki_cert = None bpki_glue = None last_cms_timestamp = None + rrdp_notification_uri = None def __repr__(self): return rpki.log.log_repr(self, self.repository_handle) @@ -700,8 +699,8 @@ class parent_elt(base_elt): booleans = ("rekey", "reissue", "revoke", "revoke_forgotten", "clear_replay_protection") elements = collections.OrderedDict(( - (tag_bpki_cms_cert, rpki.x509.X509), - (tag_bpki_cms_glue, rpki.x509.X509))) + (tag_bpki_cert, rpki.x509.X509), + (tag_bpki_glue, rpki.x509.X509))) sql_template = rpki.sql.template( "parent", @@ -714,16 +713,16 @@ class parent_elt(base_elt): "sia_base", "sender_name", "recipient_name", - ("bpki_cms_cert", rpki.x509.X509), - ("bpki_cms_glue", rpki.x509.X509), + ("bpki_cert", rpki.x509.X509), + ("bpki_glue", rpki.x509.X509), ("last_cms_timestamp", rpki.sundial.datetime)) handles = (("self", self_elt), ("bsc", bsc_elt), ("repository", repository_elt)) - bpki_cms_cert = None - bpki_cms_glue = None + bpki_cert = None + bpki_glue = None last_cms_timestamp = None def __repr__(self): 
@@ -883,7 +882,7 @@ class parent_elt(base_elt): is_ca = True, caRepository = ca.sia_uri, rpkiManifest = ca_detail.manifest_uri, - rpkiNotify = rpki.publication.rrdp_sia_uri_kludge) + rpkiNotify = ca.parent.repository.rrdp_notification_uri) q_msg = self._compose_up_down_query("issue") q_pdu = SubElement(q_msg, rpki.up_down.tag_request, class_name = ca.parent_resource_class) q_pdu.text = pkcs10.get_Base64() @@ -915,8 +914,8 @@ class parent_elt(base_elt): r_msg = r_cms.unwrap((self.gctx.bpki_ta, self.self.bpki_cert, self.self.bpki_glue, - self.bpki_cms_cert, - self.bpki_cms_glue)) + self.bpki_cert, + self.bpki_glue)) r_cms.check_replay_sql(self, self.peer_contact_uri) rpki.up_down.check_response(r_msg, q_msg.get("type")) diff --git a/rpki/publication.py b/rpki/publication.py index 58c52d34..117bd0ef 100644 --- a/rpki/publication.py +++ b/rpki/publication.py @@ -44,11 +44,6 @@ tag_withdraw = rpki.relaxng.publication.xmlns + "withdraw" tag_report_error = rpki.relaxng.publication.xmlns + "report_error" -# Horrible kludge: static RRDP URI for testing, this needs to be fixed -from socket import getfqdn -rrdp_sia_uri_kludge = "http://%s/rrdp/notify.xml" % getfqdn() - - def raise_if_error(pdu): """ Raise an appropriate error if this is a <report_error/> PDU. diff --git a/rpki/relaxng.py b/rpki/relaxng.py index 829cddc2..1b16073b 100644 --- a/rpki/relaxng.py +++ b/rpki/relaxng.py @@ -552,12 +552,12 @@ left_right = RelaxNGParser(r'''<?xml version="1.0" encoding="UTF-8"?> </attribute> </optional> <optional> - <element name="bpki_cms_cert"> + <element name="bpki_cert"> <ref name="base64"/> </element> </optional> <optional> - <element name="bpki_cms_glue"> + <element name="bpki_glue"> <ref name="base64"/> </element> </optional> 
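Review bot: `rpkiNotify = ca.parent.repository.rrdp_notification_uri` in the `@@ -883` hunk can now be `None` — the attribute is optional in the left-right schema and the model field is nullable — whereas the `rrdp_sia_uri_kludge` it replaces was always a non-empty string; confirm that the PKCS10 builder omits the id-ad-rpkiNotify accessDescription for `None` rather than emitting an empty GeneralName. The `sia` tuples elsewhere in this commit already pass `None` for unused slots, which suggests the x509 layer tolerates it, but the keyword form used here is a separate path worth checking. The enclosing method continues outside the hunk.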
@@ -768,6 +768,11 @@ left_right = RelaxNGParser(r'''<?xml version="1.0" encoding="UTF-8"?> <ref name="bsc_handle"/> </optional> <optional> + <attribute name="rrdp_notification_uri"> + <ref name="uri"/> + </attribute> + </optional> + <optional> <element name="bpki_cert"> <ref name="base64"/> </element> diff --git a/rpki/rootd.py b/rpki/rootd.py index 5a84b5df..1a669b97 100644 --- a/rpki/rootd.py +++ b/rpki/rootd.py @@ -189,7 +189,7 @@ class main(object): keypair = self.rpki_root_key, subject_key = manifest_keypair.get_public(), serial = self.serial_number, - sia = (None, None, self.rpki_root_manifest_uri, rpki.publication.rrdp_sia_uri_kludge), + sia = (None, None, self.rpki_root_manifest_uri, self.rrdp_notification_uri), aia = self.rpki_root_cert_uri, crldp = self.rpki_root_crl_uri, resources = manifest_resources, @@ -452,6 +452,8 @@ class main(object): self.pubd_url = self.cfg.get("pubd-contact-uri") + self.rrdp_notification_uri = self.cfg.get("rrdp-notification-uri") + rpki.http_simple.server(host = self.http_server_host, port = self.http_server_port, handlers = (("/", self.handler, rpki.up_down.allowed_content_types),)) diff --git a/rpki/rpkid.py b/rpki/rpkid.py index 24f92a46..79fbcca2 100644 --- a/rpki/rpkid.py +++ b/rpki/rpkid.py @@ -1435,7 +1435,7 @@ class ca_detail_obj(rpki.sql.sql_persistent): ca = self.ca, resources = resources, subject_key = self.manifest_public_key, - sia = (None, None, self.manifest_uri, rpki.publication.rrdp_sia_uri_kludge)) + sia = (None, None, self.manifest_uri, self.ca.parent.repository.rrdp_notification_uri)) def issue(self, ca, child, subject_key, sia, resources, publisher, child_cert = None): """ 
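Review bot: `self.rrdp_notification_uri = self.cfg.get("rrdp-notification-uri")` in the `@@ -452` hunk of rpki/rootd.py passes no default, so if rpki.config's `get()` raises on a missing option, a rootd whose rpki.conf predates this commit stops starting until the operator regenerates the config. The `pubd-contact-uri` line just above follows the same pattern, so this may be intended; if not, `self.rrdp_notification_uri = self.cfg.get("rrdp-notification-uri", default = None)` (matching whatever keyword the parser actually accepts) would let older configs keep running with the SIA slot left empty. The enclosing method continues outside the hunk.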
@@ -2199,7 +2199,7 @@ class roa_obj(rpki.sql.sql_persistent): ca = ca, resources = resources, subject_key = keypair.get_public(), - sia = (None, None, self.uri_from_key(keypair), rpki.publication.rrdp_sia_uri_kludge)) + sia = (None, None, self.uri_from_key(keypair), ca.parent.repository.rrdp_notification_uri)) self.roa = rpki.x509.ROA.build(self.asn, self.ipv4, self.ipv6, keypair, (self.cert,)) self.published = rpki.sundial.now() self.sql_store() @@ -2409,7 +2409,7 @@ class ghostbuster_obj(rpki.sql.sql_persistent): ca = ca, resources = resources, subject_key = keypair.get_public(), - sia = (None, None, self.uri_from_key(keypair), rpki.publication.rrdp_sia_uri_kludge)) + sia = (None, None, self.uri_from_key(keypair), ca.parent.repository.rrdp_notification_uri)) self.ghostbuster = rpki.x509.Ghostbuster.build(self.vcard, keypair, (self.cert,)) self.published = rpki.sundial.now() self.sql_store() @@ -2604,7 +2604,7 @@ class ee_cert_obj(rpki.sql.sql_persistent): cn, sn = subject_name.extract_cn_and_sn() ca = ca_detail.ca - sia = (None, None, ca_detail.ca.sia_uri + subject_key.gSKI() + ".cer", rpki.publication.rrdp_sia_uri_kludge) + sia = (None, None, ca_detail.ca.sia_uri + subject_key.gSKI() + ".cer", ca.parent.repository.rrdp_notification_uri) cert = ca_detail.issue_ee( ca = ca, @@ -2721,7 +2721,7 @@ class ee_cert_obj(rpki.sql.sql_persistent): ca = ca_detail.ca, subject_key = self.cert.getPublicKey(), eku = self.cert.get_EKU(), - sia = (None, None, self.uri, rpki.publication.rrdp_sia_uri_kludge), + sia = (None, None, self.uri, ca_detail.ca.parent.repository.rrdp_notification_uri), resources = resources, notAfter = resources.valid_until, cn = cn, diff --git a/rpki/rpkidb/migrations/0002_auto_20151015_2213.py b/rpki/rpkidb/migrations/0002_auto_20151015_2213.py new file mode 100644 index 00000000..f602b42b --- /dev/null +++ b/rpki/rpkidb/migrations/0002_auto_20151015_2213.py 
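Review bot: The `sia` construction in the `@@ -2199`, `@@ -2409`, `@@ -2604` and `@@ -2721` hunks of rpki/rpkid.py (plus `@@ -1435` on the previous line and the mirrored sites in rpki/rpkidb/models.py) each re-walk `ca.parent.repository.rrdp_notification_uri` inline, which leaves no single place to validate or log the URI that ends up in every issued certificate's SIA. A small accessor on the CA object would centralize this, for example a property (constructed name) `rrdp_notification_uri` on `ca_obj` returning `self.parent.repository.rrdp_notification_uri`, so each call site reads `ca.rrdp_notification_uri`. The `@@ -2604` site spells it `ca.parent...` while `@@ -2721` spells it `ca_detail.ca.parent...`; both resolve to the same object, and that inconsistency is exactly what a helper removes.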
@@ -0,0 +1,29 @@ +# -*- coding: utf-8 -*- +from __future__ import unicode_literals + +from django.db import migrations, models + + +class Migration(migrations.Migration): + + dependencies = [ + ('rpkidb', '0001_initial'), + ] + + operations = [ + migrations.RenameField( + model_name='parent', + old_name='bpki_cms_cert', + new_name='bpki_cert', + ), + migrations.RenameField( + model_name='parent', + old_name='bpki_cms_glue', + new_name='bpki_glue', + ), + migrations.AddField( + model_name='repository', + name='rrdp_notification_uri', + field=models.TextField(null=True), + ), + ] diff --git a/rpki/rpkidb/models.py b/rpki/rpkidb/models.py index 26be729d..3e5bad44 100644 --- a/rpki/rpkidb/models.py +++ b/rpki/rpkidb/models.py @@ -44,8 +44,6 @@ class XMLTemplate(object): element_type = dict(bpki_cert = rpki.x509.X509, bpki_glue = rpki.x509.X509, - bpki_cms_cert = rpki.x509.X509, - bpki_cms_glue = rpki.x509.X509, pkcs10_request = rpki.x509.PKCS10, signing_cert = rpki.x509.X509, signing_cert_crl = rpki.x509.CRL) @@ -345,6 +343,7 @@ class BSC(models.Model): class Repository(models.Model): repository_handle = models.SlugField(max_length = 255) peer_contact_uri = models.TextField(null = True) + rrdp_notification_uri = models.TextField(null = True) bpki_cert = CertificateField(null = True) bpki_glue = CertificateField(null = True) last_cms_timestamp = SundialField(null = True) @@ -358,7 +357,7 @@ class Repository(models.Model): xml_template = XMLTemplate( name = "repository", handles = (BSC,), - attributes = ("peer_contact_uri",), + attributes = ("peer_contact_uri", "rrdp_notification_uri"), elements = ("bpki_cert", "bpki_glue")) 
@@ -432,8 +431,8 @@ class Repository(models.Model): class Parent(models.Model): parent_handle = models.SlugField(max_length = 255) - bpki_cms_cert = CertificateField(null = True) - bpki_cms_glue = CertificateField(null = True) + bpki_cert = CertificateField(null = True) + bpki_glue = CertificateField(null = True) peer_contact_uri = models.TextField(null = True) sia_base = models.TextField(null = True) sender_name = models.TextField(null = True) @@ -451,7 +450,7 @@ class Parent(models.Model): name = "parent", handles = (BSC, Repository), attributes = ("peer_contact_uri", "sia_base", "sender_name", "recipient_name"), - elements = ("bpki_cms_cert", "bpki_cms_glue")) + elements = ("bpki_cert", "bpki_glue")) def xml_pre_delete_hook(self, cb, eb): @@ -594,7 +593,7 @@ class Parent(models.Model): is_ca = True, caRepository = ca.sia_uri, rpkiManifest = ca_detail.manifest_uri, - rpkiNotify = rpki.publication.rrdp_sia_uri_kludge) + rpkiNotify = ca.parent.repository.rrdp_notification_uri) q_msg = self._compose_up_down_query("issue") q_pdu = SubElement(q_msg, rpki.up_down.tag_request, class_name = ca.parent_resource_class) q_pdu.text = pkcs10.get_Base64() @@ -626,8 +625,8 @@ class Parent(models.Model): r_msg = r_cms.unwrap((self.gctx.bpki_ta, self.self.bpki_cert, self.self.bpki_glue, - self.bpki_cms_cert, - self.bpki_cms_glue)) + self.bpki_cert, + self.bpki_glue)) r_cms.check_replay_sql(self, self.peer_contact_uri) rpki.up_down.check_response(r_msg, q_msg.get("type")) @@ -1166,7 +1165,7 @@ class CADetail(models.Model): ca = self.ca, resources = resources, subject_key = self.manifest_public_key, - sia = (None, None, self.manifest_uri, rpki.publication.rrdp_sia_uri_kludge)) + sia = (None, None, self.manifest_uri, self.ca.parent.repository.rrdp_notification_uri)) def issue(self, ca, child, subject_key, sia, resources, publisher, child_cert = None): 
@@ -1769,7 +1768,7 @@ class EECert(models.Model): cn, sn = subject_name.extract_cn_and_sn() ca = ca_detail.ca - sia = (None, None, ca_detail.ca.sia_uri + subject_key.gSKI() + ".cer", rpki.publication.rrdp_sia_uri_kludge) + sia = (None, None, ca_detail.ca.sia_uri + subject_key.gSKI() + ".cer", ca_detail.ca.parent.repository.rrdp_notification_uri) cert = ca_detail.issue_ee( ca = ca_detail.ca, subject_key = subject_key, @@ -1853,7 +1852,7 @@ class EECert(models.Model): ca = ca_detail.ca, subject_key = self.cert.getPublicKey(), eku = self.cert.get_EKU(), - sia = (None, None, self.uri, rpki.publication.rrdp_sia_uri_kludge), + sia = (None, None, self.uri, ca_detail.ca.parent.repository.rrdp_notification_uri), resources = resources, notAfter = resources.valid_until, cn = cn, @@ -1935,7 +1934,7 @@ class Ghostbuster(models.Model): ca = self.ca_detail.ca, resources = resources, subject_key = keypair.get_public(), - sia = (None, None, self.uri_from_key(keypair), rpki.publication.rrdp_sia_uri_kludge)) + sia = (None, None, self.uri_from_key(keypair), self.ca_detail.ca.parent.repository.rrdp_notification_uri)) self.ghostbuster = rpki.x509.Ghostbuster.build(self.vcard, keypair, (self.cert,)) self.published = rpki.sundial.now() self.save() @@ -2155,7 +2154,7 @@ class ROA(models.Model): ca = self.ca_detail.ca, resources = resources, subject_key = keypair.get_public(), - sia = (None, None, self.uri_from_key(keypair), rpki.publication.rrdp_sia_uri_kludge)) + sia = (None, None, self.uri_from_key(keypair), self.ca_detail.ca.parent.repository.rrdp_notification_uri)) self.roa = rpki.x509.ROA.build(self.asn, self.ipv4, self.ipv6, keypair, (self.cert,)) self.published = rpki.sundial.now() self.save() diff --git a/rpki/sql_schemas.py b/rpki/sql_schemas.py index fc262f12..a3c039af 100644 --- a/rpki/sql_schemas.py +++ b/rpki/sql_schemas.py 
@@ -71,6 +71,7 @@ CREATE TABLE repository ( repository_id SERIAL NOT NULL, repository_handle VARCHAR(255) NOT NULL, peer_contact_uri TEXT, + rrdp_notification_uri TEXT, bpki_cert LONGBLOB, bpki_glue LONGBLOB, last_cms_timestamp DATETIME, @@ -87,8 +88,8 @@ CREATE TABLE repository ( CREATE TABLE parent ( parent_id SERIAL NOT NULL, parent_handle VARCHAR(255) NOT NULL, - bpki_cms_cert LONGBLOB, - bpki_cms_glue LONGBLOB, + bpki_cert LONGBLOB, + bpki_glue LONGBLOB, peer_contact_uri TEXT, sia_base TEXT, sender_name TEXT, diff --git a/schemas/relaxng/left-right.rnc b/schemas/relaxng/left-right.rnc index 22d971f0..b5ab56a7 100644 --- a/schemas/relaxng/left-right.rnc +++ b/schemas/relaxng/left-right.rnc @@ -162,8 +162,8 @@ parent_payload = (attribute peer_contact_uri { uri }?, repository_handle?, attribute sender_name { up_down_name }?, attribute recipient_name { up_down_name }?, - element bpki_cms_cert { base64 }?, - element bpki_cms_glue { base64 }?) + element bpki_cert { base64 }?, + element bpki_glue { base64 }?) parent_query |= element parent { ctl_create, self_handle, parent_handle, parent_bool, parent_payload } parent_reply |= element parent { ctl_create, self_handle, parent_handle } @@ -206,6 +206,7 @@ repository_bool = attribute clear_replay_protection { "yes" }? repository_payload = (attribute peer_contact_uri { uri }?, bsc_handle?, + attribute rrdp_notification_uri { uri }?, element bpki_cert { base64 }?, element bpki_glue { base64 }?) diff --git a/schemas/relaxng/left-right.rng b/schemas/relaxng/left-right.rng index bd63410e..24804af2 100644 --- a/schemas/relaxng/left-right.rng +++ b/schemas/relaxng/left-right.rng @@ -546,12 +546,12 @@ </attribute> </optional> <optional> - <element name="bpki_cms_cert"> + <element name="bpki_cert"> <ref name="base64"/> </element> </optional> <optional> - <element name="bpki_cms_glue"> + <element name="bpki_glue"> <ref name="base64"/> </element> </optional> 
@@ -762,6 +762,11 @@ <ref name="bsc_handle"/> </optional> <optional> + <attribute name="rrdp_notification_uri"> + <ref name="uri"/> + </attribute> + </optional> + <optional> <element name="bpki_cert"> <ref name="base64"/> </element> diff --git a/schemas/sql/rpkid.sql b/schemas/sql/rpkid.sql index f3b899ee..14499091 100644 --- a/schemas/sql/rpkid.sql +++ b/schemas/sql/rpkid.sql @@ -67,6 +67,7 @@ CREATE TABLE repository ( repository_id SERIAL NOT NULL, repository_handle VARCHAR(255) NOT NULL, peer_contact_uri TEXT, + rrdp_notification_uri TEXT, bpki_cert LONGBLOB, bpki_glue LONGBLOB, last_cms_timestamp DATETIME, @@ -83,8 +84,8 @@ CREATE TABLE repository ( CREATE TABLE parent ( parent_id SERIAL NOT NULL, parent_handle VARCHAR(255) NOT NULL, - bpki_cms_cert LONGBLOB, - bpki_cms_glue LONGBLOB, + bpki_cert LONGBLOB, + bpki_glue LONGBLOB, peer_contact_uri TEXT, sia_base TEXT, sender_name TEXT, |