-rw-r--r-- | rpkid/rpki/exceptions.py | 12 | ||||
-rw-r--r-- | rpkid/rpki/x509.py | 24 |
2 files changed, 34 insertions, 2 deletions
diff --git a/rpkid/rpki/exceptions.py b/rpkid/rpki/exceptions.py
index a80ab0e5..8bde9cde 100644
--- a/rpkid/rpki/exceptions.py
+++ b/rpkid/rpki/exceptions.py
@@ -99,3 +99,15 @@ class WrongEContentType(RPKI_Exception):
 class EmptyPEM(RPKI_Exception):
   """Couldn't find PEM block to convert."""
+
+class UnexpectedCMSCerts(RPKI_Exception):
+  """Received CMS certs when not expecting any."""
+
+class UnexpectedCMSCRLs(RPKI_Exception):
+  """Received CMS CRLs when not expecting any."""
+
+class MissingCMSEEcert(RPKI_Exception):
+  """Didn't receive CMS EE cert when expecting one."""
+
+class MissingCMSCRL(RPKI_Exception):
+  """Didn't receive CMS CRL when expecting one."""
diff --git a/rpkid/rpki/x509.py b/rpkid/rpki/x509.py
index 04efbe92..d8544562 100644
--- a/rpkid/rpki/x509.py
+++ b/rpkid/rpki/x509.py
@@ -579,6 +579,7 @@ class CMS_object(DER_object):
   dump_on_verify_failure = False
   debug_cms_certs = False
+  require_crls = False # This is only an option because I haven't implemented sending CRLs yet
   def get_DER(self):
     """Get the DER value of this CMS_object."""
@@ -605,8 +606,8 @@ class CMS_object(DER_object):
     if cms.eContentType() != self.econtent_oid:
       raise rpki.exceptions.WrongEContentType, "Got CMS eContentType %s, expected %s" % (cms.eContentType(), self.econtent_oid)
-    certs = cms.certs()
-    crls = cms.crls()
+    certs = [X509(POW = x) for x in cms.certs()]
+    crls = [CRL(POW = c) for c in cms.crls()]
     if self.debug_cms_certs:
       for x in certs:
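Review bot: The inline comment on the new `require_crls` attribute explains why the default is False but not what that default gives up: with `require_crls = False` a CMS message that carries no CRL passes the structural checks added to `verify()`, so revocation of the signing EE certificate is only checked if the verification store enforces it somewhere not visible in this diff. A comment that states the trade-off would help whoever later flips the flag, e.g. `# Default False: messages without a CRL are accepted, so EE revocation is not checked here; set True once peers send CRLs`. The `CMS_object` class begins outside this hunk.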
@@ -626,6 +627,25 @@ class CMS_object(DER_object):
           trusted_ee = x
       store.addTrust(x.get_POW())
+    rpki.log.debug("CMS.verify(): Trusted_EE %s" % repr(trusted_ee))
+    rpki.log.debug("CMS.verify(): Certs %s" % repr(certs))
+    rpki.log.debug("CMS.verify(): CRLS %s" % repr(crls))
+
+    if trusted_ee:
+      if certs and (len(certs) > 1 or certs[0] != trusted_ee):
+        raise rpki.exceptions.UnexpectedCMSCerts, certs
+      if crls:
+        raise rpki.exceptions.UnexpectedCMSCRLs, crls
+    else:
+      if not certs:
+        raise rpki.exceptions.MissingCMSEEcert, certs
+      if len(certs) > 1 or certs[0].is_CA():
+        raise rpki.exceptions.UnexpectedCMSCerts, certs
+      if self.require_crls and not crls:
+        raise rpki.exceptions.MissingCMSCRL, crls
+      if len(crls) > 1:
+        raise rpki.exceptions.UnexpectedCMSCRLs, crls
+
     try:
       content = cms.verify(store)
     except:
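Review bot: The `certs[0] != trusted_ee` test in the new `if trusted_ee:` branch compares an `X509` freshly built from the CMS payload (`X509(POW = x)` in the previous hunk) against the caller-supplied object, so it is only meaningful if `X509` or `DER_object` define value equality, presumably over the DER encoding; if they fall back to identity, every message that legitimately carries the trusted EE certificate is rejected with `UnexpectedCMSCerts`. Worth confirming against the class definition, which is outside this hunk, or comparing `certs[0].get_DER() != trusted_ee.get_DER()` explicitly. Separately, `raise rpki.exceptions.UnexpectedCMSCerts, certs` hands the raw list to the exception, so the logged message is a list repr; a short string such as `"Expected exactly one EE cert, got %r" % certs` reads better in incident logs, and the same applies to the other three raises here. `verify()` begins and ends outside this hunk.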