-rw-r--r-- | rpkid/rpki/exceptions.py | 5 | ||||
-rw-r--r-- | rpkid/rpki/rootd.py | 2 | ||||
-rw-r--r-- | rpkid/rpki/rpkic.py | 11 | ||||
-rw-r--r-- | rpkid/rpki/x509.py | 17 |
4 files changed, 31 insertions, 4 deletions
diff --git a/rpkid/rpki/exceptions.py b/rpkid/rpki/exceptions.py
index 12abed7e..a72f819b 100644
--- a/rpkid/rpki/exceptions.py
+++ b/rpkid/rpki/exceptions.py
@@ -356,3 +356,8 @@ class PastNotAfter(RPKI_Exception):
 """
 Requested notAfter value is already in the past.
 """
+
+class NullValidityInterval(RPKI_Exception):
+ """
+ Requested validity interval is null.
+ """
diff --git a/rpkid/rpki/rootd.py b/rpkid/rpki/rootd.py
index 7cfcb957..f9f2d254 100644
--- a/rpkid/rpki/rootd.py
+++ b/rpkid/rpki/rootd.py
@@ -215,6 +215,7 @@ class main(object):
 aia = self.rpki_root_cert_uri,
 crldp = self.rpki_base_uri + self.rpki_root_crl,
 resources = resources,
+ notBefore = now,
 notAfter = notAfter)
 self.set_subject_cert(subject_cert)
 self.generate_crl_and_manifest(now)
@@ -250,6 +251,7 @@ class main(object):
 aia = self.rpki_root_cert_uri,
 crldp = self.rpki_base_uri + self.rpki_root_crl,
 resources = manifest_resources,
+ notBefore = now,
 notAfter = now + self.rpki_subject_lifetime,
 is_ca = False)
 manifest = rpki.x509.SignedManifest.build(
diff --git a/rpkid/rpki/rpkic.py b/rpkid/rpki/rpkic.py
index 0423d408..1cdf41c6 100644
--- a/rpkid/rpki/rpkic.py
+++ b/rpkid/rpki/rpkic.py
@@ -595,6 +595,17 @@ class main(Cmd):
 print " IPv6:", resources.v6
+ # Other "show_" commands we should have.
+ #
+ # Peek in IRDB:
+ # show_roa_requests
+ # show_ghostbuster_requests
+ #
+ # Ask rpkid:
+ # show_received_resources
+ # show_published_objects
+
+
 def do_load_asns(self, arg):
 """
 Load ASNs into IRDB from CSV file.
diff --git a/rpkid/rpki/x509.py b/rpkid/rpki/x509.py
index 80241896..2a55e174 100644
--- a/rpkid/rpki/x509.py
+++ b/rpkid/rpki/x509.py
@@ -605,7 +605,7 @@ class X509(DER_object):
 return self.getNotAfter() <= rpki.sundial.now()
 def issue(self, keypair, subject_key, serial, sia, aia, crldp, notAfter,
- cn = None, resources = None, is_ca = True):
+ cn = None, resources = None, is_ca = True, notBefore = None):
 """
 Issue an RPKI certificate.
 """
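Review bot: The docstring of `issue` still reads only "Issue an RPKI certificate." and does not mention the new `notBefore` keyword or what a caller gets when it is left at `None`; the same gap is in the `self_certify` and `_issue` hunks that follow. I would extend the docstring with a line such as `notBefore defaults to None, in which case the certificate's notBefore is set to the current time (see _issue)`, since that fallback is only visible by reading the private helper. The body of `issue` continues past the end of this hunk.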
@@ -619,6 +619,7 @@ class X509(DER_object):
 sia = sia,
 aia = aia,
 crldp = crldp,
+ notBefore = notBefore,
 notAfter = notAfter,
 cn = cn,
 resources = resources,
@@ -629,7 +630,7 @@ class X509(DER_object):
 @classmethod
 def self_certify(cls, keypair, subject_key, serial, sia, notAfter,
- cn = None, resources = None):
+ cn = None, resources = None, notBefore = None):
 """
 Generate a self-certified RPKI certificate.
 """
@@ -646,6 +647,7 @@ class X509(DER_object):
 sia = sia,
 aia = None,
 crldp = None,
+ notBefore = notBefore,
 notAfter = notAfter,
 cn = cn,
 resources = resources,
@@ -656,7 +658,7 @@ class X509(DER_object):
 @classmethod
 def _issue(cls, keypair, subject_key, serial, sia, aia, crldp, notAfter,
- cn, resources, is_ca, aki, issuer_name):
+ cn, resources, is_ca, aki, issuer_name, notBefore):
 """
 Common code to issue an RPKI certificate.
 """
@@ -664,19 +666,26 @@ class X509(DER_object):
 now = rpki.sundial.now()
 ski = subject_key.get_SKI()
+ if notBefore is None:
+ notBefore = now
+
 if cn is None:
 cn = "".join(("%02X" % ord(i) for i in ski))
 if now >= notAfter:
 raise rpki.exceptions.PastNotAfter("notAfter value %s is already in the past" % notAfter)
+ if notBefore >= notAfter:
+ raise rpki.exceptions.NullValidityInterval("notAfter value %s predates notBefore value %s" %
+ (notAfter, notBefore))
+
 cert = rpki.POW.X509()
 cert.setVersion(2)
 cert.setSerial(serial)
 cert.setIssuer(issuer_name.get_POW())
 cert.setSubject(X501DN.from_cn(cn).get_POW())
- cert.setNotBefore(now)
+ cert.setNotBefore(notBefore)
 cert.setNotAfter(notAfter)
 cert.setPublicKey(subject_key.get_POW())
 cert.setSKI(ski) |
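Review bot: The new `NullValidityInterval` check in `_issue` rejects `notBefore >= notAfter`, but its message says notAfter "predates" notBefore, which is false for the equal case the check also rejects; `"notAfter value %s does not follow notBefore value %s"` would describe both outcomes. In the same hunk a caller-supplied `notBefore` is compared only against `notAfter` and never against `now`, so a value well in the past or in the future is accepted without comment, which for a CA signing path is a property worth stating explicitly. If that freedom is intended (for example to tolerate clock skew between issuer and relying parties), a one-line comment above the check such as `# notBefore is deliberately not bounded by now; callers may back- or post-date` would save the next reader from wondering whether a bound was forgotten. The body of `_issue` continues past the end of the hunk.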