Diffstat (limited to 'rpki')
-rw-r--r-- | rpki/oids.py | 1 | ||||
-rw-r--r-- | rpki/pubdb/models.py | 2 | ||||
-rw-r--r-- | rpki/publication.py | 5 | ||||
-rw-r--r-- | rpki/rootd.py | 2 | ||||
-rw-r--r-- | rpki/rpkid.py | 6 | ||||
-rw-r--r-- | rpki/x509.py | 18 |
6 files changed, 22 insertions, 12 deletions
diff --git a/rpki/oids.py b/rpki/oids.py
index 9fa30a04..afb95020 100644
--- a/rpki/oids.py
+++ b/rpki/oids.py
@@ -57,6 +57,7 @@ id_ad_caRepository = "1.3.6.1.5.5.7.48.5"
 id_ad_signedObjectRepository = "1.3.6.1.5.5.7.48.9"
 id_ad_rpkiManifest = "1.3.6.1.5.5.7.48.10"
 id_ad_signedObject = "1.3.6.1.5.5.7.48.11"
+id_ad_rpkiNotify = "1.3.6.1.5.5.7.48.13"
 commonName = "2.5.4.3"
 serialNumber = "2.5.4.5"
 countryName = "2.5.4.6"
diff --git a/rpki/pubdb/models.py b/rpki/pubdb/models.py
index 5241ea45..ce42c688 100644
--- a/rpki/pubdb/models.py
+++ b/rpki/pubdb/models.py
@@ -139,7 +139,7 @@ class Session(models.Model):
 @property
 def notification_fn(self):
- return "updates.xml"
+ return "notify.xml"
 @staticmethod
diff --git a/rpki/publication.py b/rpki/publication.py
index ec2dabd4..524b5a53 100644
--- a/rpki/publication.py
+++ b/rpki/publication.py
@@ -50,6 +50,11 @@ tag_withdraw = rpki.relaxng.publication.xmlns + "withdraw"
 tag_report_error = rpki.relaxng.publication.xmlns + "report_error"
+logger.warning("Horrible kludge: static RRDP URI for testing, this needs to be fixed")
+from socket import getfqdn
+rrdp_sia_uri_kludge = "http://%s/rrdp/notify.xml" % getfqdn()
+
+
 def raise_if_error(pdu):
 """
 Raise an appropriate error if this is a <report_error/> PDU.
diff --git a/rpki/rootd.py b/rpki/rootd.py
index 987d8356..8f08e0dd 100644
--- a/rpki/rootd.py
+++ b/rpki/rootd.py
@@ -189,7 +189,7 @@ class main(object):
 keypair = self.rpki_root_key,
 subject_key = manifest_keypair.get_public(),
 serial = self.serial_number,
- sia = (None, None, self.rpki_root_manifest_uri),
+ sia = (None, None, self.rpki_root_manifest_uri, rpki.publication.rrdp_sia_uri_kludge),
 aia = self.rpki_root_cert_uri,
 crldp = self.rpki_root_crl_uri,
 resources = manifest_resources,
diff --git a/rpki/rpkid.py b/rpki/rpkid.py
index 64157663..cc7fbc5b 100644
--- a/rpki/rpkid.py
+++ b/rpki/rpkid.py
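Review bot: `rrdp_sia_uri_kludge` is computed once, at import of rpki.publication, from `getfqdn()`, and rootd and rpkid then stamp that value into the SIA of every certificate they issue, so a host whose reverse lookup yields `localhost` or an internal name ends up with that name in signed objects that can only be corrected by reissuing everything. The URI is also `http://`, whereas RFC 8182 requires the RRDP notification file to be served over HTTPS, so relying parties that enforce that will not use it. The `from socket import getfqdn` placed mid-module also means a DNS lookup runs as an import side effect, which can stall daemon startup when resolution is slow. The value belongs in the daemon's configuration (with at most the getfqdn() form as a fallback), e.g. `rrdp_sia_uri_kludge = "https://%s/rrdp/notify.xml" % getfqdn()` as an interim fix of the scheme, and the import moved to the top of the file; the commit's own warning says this is temporary, so at least the scheme should be right before any certificate is issued with it.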
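Review bot: The certificate built in the rootd hunk is the root's manifest EE certificate (its subject key is `manifest_keypair.get_public()`), and as far as I can tell RFC 6487 §4.8.8.2 permits only id-ad-signedObject in an EE certificate's SIA, with RFC 8182 adding id-ad-rpkiNotify to CA certificates only. Putting `rpki.publication.rrdp_sia_uri_kludge` in the fourth SIA slot here therefore risks the root manifest being rejected by strict validators. I would leave this call as `sia = (None, None, self.rpki_root_manifest_uri, None),` and carry the rpkiNotify URI in the root CA certificate's SIA instead, which this commit does not touch. The enclosing method starts and ends outside the hunk.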
@@ -1184,7 +1184,7 @@ class ca_detail_obj(rpki.sql.sql_persistent):
 ca = self.ca,
 resources = resources,
 subject_key = self.manifest_public_key,
- sia = (None, None, self.manifest_uri))
+ sia = (None, None, self.manifest_uri, rpki.publication.rrdp_sia_uri_kludge))
 def issue(self, ca, child, subject_key, sia, resources, publisher, child_cert = None):
 """
@@ -1948,7 +1948,7 @@ class roa_obj(rpki.sql.sql_persistent):
 ca = ca,
 resources = resources,
 subject_key = keypair.get_public(),
- sia = (None, None, self.uri_from_key(keypair)))
+ sia = (None, None, self.uri_from_key(keypair), rpki.publication.rrdp_sia_uri_kludge))
 self.roa = rpki.x509.ROA.build(self.asn, self.ipv4, self.ipv6, keypair, (self.cert,))
 self.published = rpki.sundial.now()
 self.sql_store()
@@ -2158,7 +2158,7 @@ class ghostbuster_obj(rpki.sql.sql_persistent):
 ca = ca,
 resources = resources,
 subject_key = keypair.get_public(),
- sia = (None, None, self.uri_from_key(keypair)))
+ sia = (None, None, self.uri_from_key(keypair), rpki.publication.rrdp_sia_uri_kludge))
 self.ghostbuster = rpki.x509.Ghostbuster.build(self.vcard, keypair, (self.cert,))
 self.published = rpki.sundial.now()
 self.sql_store()
diff --git a/rpki/x509.py b/rpki/x509.py
index 89b598d4..9bc34e19 100644
--- a/rpki/x509.py
+++ b/rpki/x509.py
@@ -784,11 +784,12 @@ class X509(DER_object):
 assert sia is not None or not is_ca
 if sia is not None:
- caRepository, rpkiManifest, signedObject = sia
+ caRepository, rpkiManifest, signedObject, rpkiNotify = sia
 cert.setSIA(
 (caRepository,) if isinstance(caRepository, str) else caRepository,
 (rpkiManifest,) if isinstance(rpkiManifest, str) else rpkiManifest,
- (signedObject,) if isinstance(signedObject, str) else signedObject)
+ (signedObject,) if isinstance(signedObject, str) else signedObject,
+ (rpkiNotify,) if isinstance(rpkiNotify, str) else rpkiNotify)
 if resources is not None:
 cert.setRFC3779(
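Review bot: All three rpkid call sites changed in these hunks issue EE certificates (the manifest EE keyed by `self.manifest_public_key`, and the ROA and ghostbuster EEs keyed by `keypair.get_public()`), yet they are the ones that now receive the rpkiNotify URI, while `issue()` — the CA-certificate path whose signature is visible at the end of the first hunk but whose body lies outside it — is left alone. As far as I can tell RFC 6487 §4.8.8.2 restricts an EE SIA to id-ad-signedObject and RFC 8182 places id-ad-rpkiNotify in CA certificates, so this is the inverse of where the accessMethod should go and strict validators may reject the resulting manifests and ROAs. I would change each of the three sites to `sia = (None, None, <uri>, None))` and instead append the notify URI to the SIA tuple that `issue()` passes into `rpki.x509.X509.issue` for child CA certificates. I cannot confirm `issue()`'s SIA handling from this diff, so that part needs checking against its body.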
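Review bot: In the x509.py hunk, `caRepository, rpkiManifest, signedObject, rpkiNotify = sia` turns every remaining caller that still passes the old 3-tuple into a `ValueError` at unpack time, and this diff only updates four of the callers; any other issuer in the tree (child CA certificates, BPKI, tests) that has not been converted will now fail at certificate build. A tolerant unpack keeps the old shape working while the migration completes: `caRepository, rpkiManifest, signedObject, rpkiNotify = tuple(sia) + (None,) * (4 - len(sia))`. The four-argument `cert.setSIA(...)` also presumes a matching change in the rpki.POW extension that is not part of this commit, which is worth confirming before merge. The enclosing method starts and ends outside the hunk.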
@@ -1045,7 +1046,7 @@ class PKCS10(DER_object):
 if sias is None:
 raise rpki.exceptions.BadPKCS10("PKCS #10 CA SIA missing")
- caRepository, rpkiManifest, signedObject = sias
+ caRepository, rpkiManifest, signedObject, rpkiNotify = sias
 if signedObject:
 raise rpki.exceptions.BadPKCS10("PKCS #10 CA SIA must not have id-ad-signedObject")
@@ -1095,7 +1096,7 @@ class PKCS10(DER_object):
 bc = self.get_POW().getBasicConstraints()
 sia = self.get_POW().getSIA()
- caRepository, rpkiManifest, signedObject = sia or (None, None, None)
+ caRepository, rpkiManifest, signedObject, rpkiNotify = sia or (None, None, None, None)
 if alg not in (rpki.oids.sha256WithRSAEncryption, rpki.oids.ecdsa_with_SHA256):
 raise rpki.exceptions.BadPKCS10("PKCS #10 has bad signature algorithm for EE: %s" % alg)
@@ -1149,7 +1150,7 @@ class PKCS10(DER_object):
 @classmethod
 def create(cls, keypair, exts = None, is_ca = False,
 caRepository = None, rpkiManifest = None, signedObject = None,
- cn = None, sn = None, eku = None):
+ cn = None, sn = None, eku = None, rpkiNotify = None):
 """
 Create a new request for a given keypair.
 """
@@ -1168,6 +1169,9 @@ class PKCS10(DER_object):
 if isinstance(signedObject, str):
 signedObject = (signedObject,)
+ if isinstance(rpkiNotify, str):
+ rpkiNotify = (rpkiNotify,)
+
 req = rpki.POW.PKCS10()
 req.setVersion(0)
 req.setSubject(X501DN.from_cn(cn, sn).get_POW())
@@ -1177,8 +1181,8 @@ class PKCS10(DER_object):
 req.setBasicConstraints(True, None)
 req.setKeyUsage(cls.expected_ca_keyUsage)
- if caRepository or rpkiManifest or signedObject:
- req.setSIA(caRepository, rpkiManifest, signedObject)
+ if caRepository or rpkiManifest or signedObject or rpkiNotify:
+ req.setSIA(caRepository, rpkiManifest, signedObject, rpkiNotify)
 if eku:
 req.setEKU(eku) |
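Review bot: In the CA-request check at -1045, `rpkiNotify` is now unpacked from the child's PKCS #10 SIA but, unlike `signedObject` on the very next line, nothing validates it; this request comes from a child and is the only untrusted input in these hunks, so whatever it contains ends up in a certificate this CA signs. RFC 8182 requires the notification URI to be HTTPS, so I would reject anything else right after the signedObject check: `if rpkiNotify and not all(uri.startswith("https://") for uri in rpkiNotify): raise rpki.exceptions.BadPKCS10("PKCS #10 CA SIA id-ad-rpkiNotify must be an https URI")`. I am assuming `getSIA()` returns tuples of strings, as the str-to-tuple coercion in the later `create` hunk suggests; if it can return a bare string the check needs the same wrapping. The enclosing method starts and ends outside the hunk.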
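Review bot: In the EE-request check at -1095, `rpkiNotify` is unpacked from `sia` and then silently ignored, which means an EE request carrying id-ad-rpkiNotify passes this check even though, as far as I can tell, RFC 6487 §4.8.8.2 allows nothing but id-ad-signedObject in an EE certificate's SIA. The rest of this method's checks are outside the hunk, but none of the visible lines reject it, so I would add `if rpkiNotify: raise rpki.exceptions.BadPKCS10("PKCS #10 EE SIA must not have id-ad-rpkiNotify")` next to the existing algorithm check, mirroring the signedObject rejection the CA path already does. The enclosing method starts and ends outside the hunk.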
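Review bot: `PKCS10.create` gains a `rpkiNotify` keyword in the hunk at -1149 but its docstring still reads only "Create a new request for a given keypair.", and the parameter's accepted shapes (a single str, which the -1168 hunk wraps into a 1-tuple, or a tuple of URIs) are not stated anywhere. I would extend the docstring with one line per SIA argument, e.g. `rpkiNotify: id-ad-rpkiNotify URI(s) for the SIA (RFC 8182); a str is wrapped into a 1-tuple`, and the same for caRepository, rpkiManifest and signedObject, so callers know the str/tuple contract without reading the body. The method body continues past the end of the hunk.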