-rwxr-xr-xpow/POW-0.7/lib/pkix.py4
-rw-r--r--scripts/pkcs10.py34
-rw-r--r--scripts/rpki/up_down.py24
3 files changed, 22 insertions, 40 deletions
diff --git a/pow/POW-0.7/lib/pkix.py b/pow/POW-0.7/lib/pkix.py
index 7dd75322..744c4ccf 100755
--- a/pow/POW-0.7/lib/pkix.py
+++ b/pow/POW-0.7/lib/pkix.py
@@ -1226,12 +1226,12 @@ class CertificationRequest(Sequence):
def getExtensions(self):
oid = self.certificationRequestInfo.attributes.oid.get()
if oid is None:
- return None
+ return ()
if oid != (1, 2, 840, 113549, 1, 9, 14) or \
self.certificationRequestInfo.attributes.val.choice != "set" or \
len(self.certificationRequestInfo.attributes.val.choices["set"]) > 1:
raise DerError, "failed to understand X.501 Attribute encoding, sorry: %s" % self.get()
- return self.certificationRequestInfo.attributes.val.choices["set"][0]
+ return self.certificationRequestInfo.attributes.val.choices["set"][0].get()
#---------- PKCS10 ----------#
#---------- GeneralNames object support ----------#
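Review bot: The guard before the final return in getExtensions rejects a set with more than one member (`len(...) > 1`) but lets an empty set through, so the new `...choices["set"][0].get()` would raise IndexError instead of DerError if the decoder accepts an extensionRequest attribute with an empty SET. Comparing against exactly one member keeps malformed requests on the DerError path: `len(self.certificationRequestInfo.attributes.val.choices["set"]) != 1:`. Because the return value changes from an object (or None) to a plain sequence, the method also deserves a docstring saying it returns a possibly empty sequence of (oid, critical, value) tuples; that tuple shape is inferred from the callers changed in this commit.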
diff --git a/scripts/pkcs10.py b/scripts/pkcs10.py
index 5636027b..3a88b779 100644
--- a/scripts/pkcs10.py
+++ b/scripts/pkcs10.py
@@ -3,11 +3,11 @@
import POW.pkix, rpki.x509, glob, rpki.resource_set
parse_extensions = True
-list_extensions = False
show_attributes = False
show_algorithm = False
do_verify = True
-show_signature = True
+show_signature = False
+show_publickey = False
def hexify(thing):
return ":".join(["%02X" % ord(i) for i in thing])
@@ -27,6 +27,12 @@ for name in glob.glob("resource-cert-samples/*.req") + glob.glob("biz-certs/*.re
print pkcs10.signatureValue, hexify(pkcs10.signatureValue.get())
print
+ if show_publickey:
+ print pkcs10.certificationRequestInfo.subjectPublicKeyInfo
+ print pkcs10.certificationRequestInfo.subjectPublicKeyInfo.get()
+ print hexify(pkcs10.certificationRequestInfo.subjectPublicKeyInfo.toString())
+ print
+
if show_attributes:
print pkcs10.certificationRequestInfo.attributes.oid, pkcs10.certificationRequestInfo.attributes.oid.get()
print
@@ -42,32 +48,16 @@ for name in glob.glob("resource-cert-samples/*.req") + glob.glob("biz-certs/*.re
print pkcs10.certificationRequestInfo.attributes.val.choices[pkcs10.certificationRequestInfo.attributes.val.choice][0]
print
- if False:
- extc = pkcs10.certificationRequestInfo.attributes.val
- exts = extc.choices[extc.choice][0]
- assert exts is pkcs10.getExtensions()
- else:
- exts = pkcs10.getExtensions()
-
- #print len(exts), exts[0].extnValue
-
- if list_extensions and exts is not None:
- for x in exts:
- oid = x.extnID.get()
- name = POW.pkix.oid2obj(oid)
- crit = x.critical.get()
- value = x.extnValue.get()
- assert isinstance(value, str)
- print [ name, oid, crit, hexify(value) ]
+ if parse_extensions:
- if parse_extensions and exts is not None:
+ exts = pkcs10.getExtensions()
- as, v4, v6 = rpki.resource_set.parse_extensions(exts.get())
+ as, v4, v6 = rpki.resource_set.parse_extensions(exts)
if as: print "ASN =", as
if v4: print "IPv4 =", v4
if v6: print "IPv6 =", v6
- for oid, crit, val in exts.get():
+ for oid, crit, val in exts:
if oid in ((1, 3, 6, 1, 5, 5, 7, 1, 7), (1, 3, 6, 1, 5, 5, 7, 1, 8)):
continue
if isinstance(val, str):
diff --git a/scripts/rpki/up_down.py b/scripts/rpki/up_down.py
index 814a8534..388ba21c 100644
--- a/scripts/rpki/up_down.py
+++ b/scripts/rpki/up_down.py
@@ -234,18 +234,14 @@ class issue_pdu(base_elt):
if oids.get(self.pkcs10.get_POWpkix().signatureAlgorithm) not in ("sha256WithRSAEncryption", "sha384WithRSAEncryption", "sha512WithRSAEncryption"):
raise rpki.exceptions.BadPKCS10, "Bad signature algorithm %s" % self.pkcs10.get_POWpkix().signatureAlgorithm
exts = self.pkcs10.getExtensions()
- if exts is None:
- exts = {}
- else:
- exts = exts.get()
- for oid, critical, value in exts:
- if oids.get(oid) not in ("basicConstraints", "keyUsage", "subjectInfoAccess"):
- raise rpki.exceptions.BadExtension, "Forbidden extension %s" % oid
- exts = dict((oids[oid], value) for (oid, critical, value) in exts)
+ for oid, critical, value in exts:
+ if oids.get(oid) not in ("basicConstraints", "keyUsage", "subjectInfoAccess"):
+ raise rpki.exceptions.BadExtension, "Forbidden extension %s" % oid
+ exts = dict((oids[oid], value) for (oid, critical, value) in exts)
if "basicConstraints" not in exts or not exts["basicConstraints"][0]:
raise rpki.exceptions.BadPKCS10, "request for EE cert not allowed here"
if exts["basicConstraints"][1] is not None:
- raise rpki.exceptions.BadPKCS10, "basicConstraints extension must not specify Path Length"
+ raise rpki.exceptions.BadPKCS10, "basicConstraints must not specify Path Length"
if "keyUsage" in exts and (not exts["keyUsage"][5] or not exts["keyUsage"][6]):
raise rpki.exceptions.BadPKCS10, "keyUsage doesn't match basicConstraints"
for method, location in exts.get("subjectInfoAccess", ()):
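Review bot: Building `exts = dict((oids[oid], value) for (oid, critical, value) in exts)` silently keeps only the last value when the same extension OID appears twice, so the basicConstraints and keyUsage checks that follow would look at one copy only. Unless the decoder already rejects repeated extensions (not visible here), a check before the dict is built would close that gap: `if len(set(oid for oid, critical, value in exts)) != len(exts): raise rpki.exceptions.BadExtension, "Duplicate extension in PKCS #10 request"`. The `critical` flag is also unpacked and never examined, which is worth a comment if that is intentional. The enclosing method starts and ends outside this hunk.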
@@ -257,9 +253,9 @@ class issue_pdu(base_elt):
# resources (approximately the same algorithm used for
# list_response). Check:
#
- # 3a) that resources match exactly
+ # 3a) that public key matches exactly
#
- # 3b) that public key matches exactly
+ # 3b) that resources match exactly
#
# 3c) that any relevant extensions in the pkcs10 match exactly
#
@@ -275,12 +271,8 @@ class issue_pdu(base_elt):
else:
child_cert = None
if child_cert is not None:
- pass
+ pass # Fill in remaining tests here
- #
- # In theory the spec requires that that public keys here be
- # different, so at most one key should match. Sez here.
- # Anyway, need to perform remaining tests on the match if we got one.
raise NotImplementedError
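Review bot: The placeholder `pass # Fill in remaining tests here` no longer says which tests remain or why, since the removed comment was the only place that recorded the expectation that at most one child certificate matches the key. A comment such as `# TODO: checks 3a-3c above (public key, resources, extensions) not yet applied to child_cert` would tie the stub to the list earlier in the method. The `raise NotImplementedError` that follows appears to make the request fail closed (indentation is lost on this page, so its scope is inferred), and it should stay in place until those checks exist. The enclosing method starts outside this hunk.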