-rw-r--r-- | rpkid/rpki/https.py | 22 | ||||
-rw-r--r-- | rpkid/rpki/x509.py | 3 | ||||
-rw-r--r-- | rpkid/testbed.py | 10 |
3 files changed, 25 insertions, 10 deletions
diff --git a/rpkid/rpki/https.py b/rpkid/rpki/https.py
index 762b6e88..d57c6db8 100644
--- a/rpkid/rpki/https.py
+++ b/rpkid/rpki/https.py
@@ -29,6 +29,16 @@ rpki_content_type = "application/x-rpki"
 class Checker(tlslite.api.Checker):
 """Derived class to handle X.509 client certificate checking."""
+ x509TrustList = None
+
+ def __init__(self, x509TrustList = None):
+ """Initialize our modified checker."""
+
+ if False:
+ self.x509TrustList = x509TrustList
+ else:
+ rpki.log.debug("Ignoring HTTPS trust anchors %s, validation disabled" % repr(x509TrustList))
+
 def __call__(self, tlsConnection):
 """Wrap some logging code around standard tlslite.Checker class.
@@ -38,9 +48,12 @@ class Checker(tlslite.api.Checker):
 """
 for i in range(tlsConnection.session.clientCertChain.getNumCerts()):
- rpki.log.debug("Received cert[%d] %s" % (i, tlsConnection.session.clientCertChain.x509List[i].getCommonName()))
+ x = rpki.x509.X509(tlslite = tlsConnection.session.clientCertChain.x509List[i])
+ rpki.log.debug("Received cert[%d] %s" % (i, x.getSubject()))
- return tlslite.api.Checker.__call__(self, tlsConnection)
+ # Disabling this removes the need for cryptlib_py
+ if self.x509TrustList is not None:
+ tlslite.api.Checker.__call__(self, tlsConnection)
 class httpsClient(tlslite.api.HTTPTLSConnection):
 """Derived class to let us replace the default Checker."""
@@ -54,8 +67,6 @@ class httpsClient(tlslite.api.HTTPTLSConnection):
 self, host = host, port = port, settings = settings,
 certChain = certChain, privateKey = privateKey)
- rpki.log.debug("Found checker %s" % repr(self.checker))
- self.checker = Checker(x509TrustList = x509TrustList)
 def client(msg, privateKey, certChain, x509TrustList, url, timeout = 300):
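Review bot: The `if False:` branch in Checker.__init__ means self.x509TrustList is never stored, so the `if self.x509TrustList is not None:` guard added to __call__ in the next hunk can never be true and tlslite's certificate-chain validation is skipped for every client certificate; the class now only logs the presented subjects. If this is a deliberate temporary bypass (the "removes the need for cryptlib_py" comment suggests so), make it explicit and auditable rather than a dead branch: replace `if False:` with a module-level flag (a constructed name such as `https_validation_disabled = True`) and state in the Checker docstring that while the flag is set client certificates are logged but not validated. The same point applies to the `httpd.rpki_checker = Checker(x509TrustList = x509TrustList)` line in the server() hunk and to the testbed.py hunks that uncomment the https-ta entries: the trust anchors are loaded and logged but never enforced. Note also that the third hunk removes `self.checker = Checker(x509TrustList = x509TrustList)` from httpsClient.__init__ without a replacement, so the client side keeps whatever checker HTTPTLSConnection installs by default, presumably none; the httpsClient docstring still says it replaces the default Checker and should be updated to match.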
@@ -183,7 +194,8 @@ def server(handlers, privateKey, certChain, port = 4433, host = "", x509TrustLis
 if x509TrustList is not None:
 x509TrustList = x509TrustList.tlslite_trustList()
 for x in x509TrustList:
- rpki.log.debug("HTTPS trust anchor %s" % x.getCommonName())
+ rpki.log.debug("HTTPS trust anchor %s" % rpki.x509.X509(tlslite = x).getSubject())
+ httpd.rpki_checker = Checker(x509TrustList = x509TrustList)
 httpd.serve_forever()
diff --git a/rpkid/rpki/x509.py b/rpkid/rpki/x509.py
index a2e81a67..3636ece0 100644
--- a/rpkid/rpki/x509.py
+++ b/rpkid/rpki/x509.py
@@ -231,6 +231,9 @@ class X509(DER_object):
 if self.POWpkix:
 self.DER = self.POWpkix.toString()
 return self.get_DER()
+ if self.tlslite:
+ self.DER = self.tlslite.writeBytes()
+ return self.get_DER()
 raise rpki.exceptions.DERObjectConversionError, "No conversion path to DER available"
 def get_POW(self):
diff --git a/rpkid/testbed.py b/rpkid/testbed.py
index e4ad2c22..5c3099d5 100644
--- a/rpkid/testbed.py
+++ b/rpkid/testbed.py
@@ -796,7 +796,7 @@ cms-ta = %(my_name)s-RPKI-TA.cer
 https-key = %(my_name)s-IRDB-EE.key
 https-cert.0 = %(my_name)s-IRDB-EE.cer
 https-cert.1 = %(my_name)s-IRDB-CA.cer
-#https-ta = %(my_name)s-RPKI-TA.cer
+https-ta = %(my_name)s-RPKI-TA.cer
 https-url = https://localhost:%(irdb_port)d/
@@ -810,7 +810,7 @@ cms-ta = %(my_name)s-RPKI-TA.cer
 https-key = %(testbed_name)s-EE.key
 https-cert.0 = %(testbed_name)s-EE.cer
 https-cert.1 = %(testbed_name)s-CA.cer
-#https-ta = %(my_name)s-RPKI-TA.cer
+https-ta = %(my_name)s-RPKI-TA.cer
 https-url = https://localhost:%(rpki_port)d/left-right
@@ -833,8 +833,8 @@ https-key = %(my_name)s-RPKI-EE.key
 https-cert.0 = %(my_name)s-RPKI-EE.cer
 https-cert.1 = %(my_name)s-RPKI-CA.cer
-#https-ta-irdb = %(my_name)s-IRDB-TA.cer
-#https-ta-irbe = %(testbed_name)s-TA.cer
+https-ta-irdb = %(my_name)s-IRDB-TA.cer
+https-ta-irbe = %(testbed_name)s-TA.cer
 irdb-url = https://localhost:%(irdb_port)d/
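Review bot: In the new `if self.tlslite:` branch of X509.get_DER() in x509.py, the result of `self.tlslite.writeBytes()` is stored straight into self.DER, whereas the sibling POWpkix branch stores a string from toString(); as far as I recall tlslite's X509.writeBytes() returns an array.array of bytes rather than a str, so if self.DER is consumed as a string elsewhere this branch may need `self.DER = self.tlslite.writeBytes().tostring()` — please confirm against the tlslite version in use. The enclosing get_DER() starts outside the hunk, and it is not visible here whether DER_object initialises a `tlslite` attribute for objects built through the other constructors; if it does not, the attribute test would raise AttributeError instead of falling through to the DERObjectConversionError at the end. A one-line comment on the branch naming the expected type of self.DER would make the contract checkable.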
@@ -854,7 +854,7 @@ cms-ta = %(rpkid_name)s-RPKI-TA.cer
 https-key = %(rootd_name)s-EE.key
 https-cert.0 = %(rootd_name)s-EE.cer
 https-cert.1 = %(rootd_name)s-CA.cer
-#https-ta = %(rpkid_name)s-RPKI-TA.cer
+https-ta = %(rpkid_name)s-RPKI-TA.cer
 server-port = %(rootd_port)s |