Diffstat (limited to 'rpki')
-rw-r--r-- | rpki/irdb/migrations/0003_repository_rrdp_notification_uri.py | 19 | ||||
-rw-r--r-- | rpki/irdb/models.py | 1 | ||||
-rw-r--r-- | rpki/irdb/zookeeper.py | 22 | ||||
-rw-r--r-- | rpki/left_right.py | 23 | ||||
-rw-r--r-- | rpki/publication.py | 5 | ||||
-rw-r--r-- | rpki/relaxng.py | 9 | ||||
-rw-r--r-- | rpki/rootd.py | 4 | ||||
-rw-r--r-- | rpki/rpkid.py | 10 | ||||
-rw-r--r-- | rpki/rpkidb/migrations/0002_auto_20151015_2213.py | 29 | ||||
-rw-r--r-- | rpki/rpkidb/models.py | 27 | ||||
-rw-r--r-- | rpki/sql_schemas.py | 5 |
11 files changed, 106 insertions, 48 deletions
diff --git a/rpki/irdb/migrations/0003_repository_rrdp_notification_uri.py b/rpki/irdb/migrations/0003_repository_rrdp_notification_uri.py
new file mode 100644
index 00000000..1e0e43c2
--- /dev/null
+++ b/rpki/irdb/migrations/0003_repository_rrdp_notification_uri.py
@@ -0,0 +1,19 @@
+# -*- coding: utf-8 -*-
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('irdb', '0002_remove_client_parent_handle'),
+ ]
+
+ operations = [
+ migrations.AddField(
+ model_name='repository',
+ name='rrdp_notification_uri',
+ field=models.TextField(null=True),
+ ),
+ ]
diff --git a/rpki/irdb/models.py b/rpki/irdb/models.py
index c8e47717..0911d7aa 100644
--- a/rpki/irdb/models.py
+++ b/rpki/irdb/models.py
@@ -528,6 +528,7 @@ class Repository(CrossCertification):
 client_handle = HandleField()
 service_uri = django.db.models.CharField(max_length = 255)
 sia_base = django.db.models.TextField()
+ rrdp_notification_uri = django.db.models.TextField(null = True)
 turtle = django.db.models.OneToOneField(Turtle, related_name = "repository")
 # This shouldn't be necessary
diff --git a/rpki/irdb/zookeeper.py b/rpki/irdb/zookeeper.py
index 98201f95..d0597e86 100644
--- a/rpki/irdb/zookeeper.py
+++ b/rpki/irdb/zookeeper.py
@@ -537,7 +537,7 @@ class Zookeeper(object):
 tag = "%s__parent__%s" % (parent.issuer.handle, parent.handle),
 self_handle = parent.issuer.handle,
 parent_handle = parent.handle)
- SubElement(q_pdu, rpki.left_right.tag_bpki_cms_cert).text = parent.certificate.get_Base64()
+ SubElement(q_pdu, rpki.left_right.tag_bpki_cert).text = parent.certificate.get_Base64()
 for rootd in rpki.irdb.models.Rootd.objects.all():
 q_pdu = SubElement(q_msg, rpki.left_right.tag_parent,
@@ -545,7 +545,7 @@ class Zookeeper(object):
 tag = "%s__rootd" % rootd.issuer.handle,
 self_handle = rootd.issuer.handle,
 parent_handle = rootd.issuer.handle)
- SubElement(q_pdu, rpki.left_right.tag_bpki_cms_cert).text = rootd.certificate.get_Base64()
+ SubElement(q_pdu, rpki.left_right.tag_bpki_cert).text = rootd.certificate.get_Base64()
 for child in rpki.irdb.models.Child.objects.all():
 q_pdu = SubElement(q_msg, rpki.left_right.tag_child,
@@ -831,12 +831,16 @@ class Zookeeper(object):
 port = self.cfg.get("pubd_server_port", section = myrpki_section),
 handle = client.handle)
+ rrdp_uri = self.cfg.get("publication_rrdp_notification_uri", section = myrpki_section,
+ default = "") or None
+
 e = Element(tag_oob_repository_response, nsmap = oob_nsmap, version = oob_version,
 service_uri = service_uri,
 publisher_handle = client.handle,
 sia_base = client.sia_base)
- # This is where we'd insert the rrdp_notification_uri attribute
+ if rrdp_uri is not None:
+ e.set("rrdp_notification_uri", rrdp_uri)
 B64Element(e, tag_oob_repository_bpki_ta, self.server_ca.certificate)
 return etree_wrapper(e, msg = "Send this file back to the publication client you just configured")
@@ -905,6 +909,7 @@ class Zookeeper(object):
 client_handle = x.get("publisher_handle"),
 service_uri = x.get("service_uri"),
 sia_base = x.get("sia_base"),
+ rrdp_notification_uri = x.get("rrdp_notification_uri"),
 ta = rpki.x509.X509(Base64 = x.findtext(tag_oob_repository_bpki_ta)),
 turtle = turtle)
@@ -1439,6 +1444,7 @@ class Zookeeper(object):
 if (repository_pdu is None or
 repository_pdu.get("bsc_handle") != bsc_handle or
 repository_pdu.get("peer_contact_uri") != repository.service_uri or
+ repository_pdu.get("rrdp_notification_uri") != repository.rrdp_notification_uri or
 repository_pdu.findtext(rpki.left_right.tag_bpki_cert, "").decode("base64") != repository.certificate.get_DER()):
 q_pdu = SubElement(q_msg, rpki.left_right.tag_repository,
 action = "create" if repository_pdu is None else "set",
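Review bot: `rrdp_notification_uri = x.get("rrdp_notification_uri")` in the `@@ -905` hunk stores whatever the publication server's OOB response carries straight into the irdb, and that value later ends up in the SIA rpkiNotify of every certificate this CA issues (the rpkid.py and rpkidb/models.py hunks). Nothing here checks that it is an absolute http(s) URI; the relaxng.py change only constrains the attribute on the left-right channel, and whether the OOB response schema validates it is not visible in this diff. A cheap intake check before the model is created would stop a malformed value from propagating, e.g. `rrdp_uri = x.get("rrdp_notification_uri")` followed by `if rrdp_uri is not None and urlparse(rrdp_uri).scheme not in ("http", "https"):` raising whichever error this method already uses for a bad OOB response. The enclosing method continues outside the hunk.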
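Review bot: `repository_pdu.get("rrdp_notification_uri") != repository.rrdp_notification_uri` in the `@@ -1439` hunk and the guard `if repository.rrdp_notification_uri:` in the following `@@ -1447` hunk disagree on what counts as unset: the comparison only matches an absent attribute against `None`, while the guard also suppresses an empty string. With an empty-string value in the irdb every synchronisation therefore sees a mismatch and emits a `set` PDU that changes nothing. Normalising once, `rrdp_uri = repository.rrdp_notification_uri or None`, and using `rrdp_uri` in both the comparison and the guard (`if rrdp_uri is not None:`) removes the loop. Clearing a previously configured URI is presumably also not handled, since a `set` without the attribute would leave rpkid's stored value alone; worth confirming against rpkid's attribute handling, which is outside this diff.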
@@ -1447,6 +1453,8 @@ class Zookeeper(object):
 repository_handle = repository.handle,
 bsc_handle = bsc_handle,
 peer_contact_uri = repository.service_uri)
+ if repository.rrdp_notification_uri:
+ q_pdu.set("rrdp_notification_uri", repository.rrdp_notification_uri)
 SubElement(q_pdu, rpki.left_right.tag_bpki_cert).text = repository.certificate.get_Base64()
 for repository_handle in repository_pdus:
@@ -1473,7 +1481,7 @@ class Zookeeper(object):
 parent_pdu.get("sia_base") != parent.repository.sia_base or
 parent_pdu.get("sender_name") != parent.child_handle or
 parent_pdu.get("recipient_name") != parent.parent_handle or
- parent_pdu.findtext(rpki.left_right.tag_bpki_cms_cert, "").decode("base64") != parent.certificate.get_DER()):
+ parent_pdu.findtext(rpki.left_right.tag_bpki_cert, "").decode("base64") != parent.certificate.get_DER()):
 q_pdu = SubElement(q_msg, rpki.left_right.tag_parent,
 action = "create" if parent_pdu is None else "set",
 tag = parent.handle,
@@ -1485,7 +1493,7 @@ class Zookeeper(object):
 sia_base = parent.repository.sia_base,
 sender_name = parent.child_handle,
 recipient_name = parent.parent_handle)
- SubElement(q_pdu, rpki.left_right.tag_bpki_cms_cert).text = parent.certificate.get_Base64()
+ SubElement(q_pdu, rpki.left_right.tag_bpki_cert).text = parent.certificate.get_Base64()
 except rpki.irdb.models.Repository.DoesNotExist:
 pass
@@ -1501,7 +1509,7 @@ class Zookeeper(object):
 parent_pdu.get("sia_base") != ca.rootd.repository.sia_base or
 parent_pdu.get("sender_name") != ca.handle or
 parent_pdu.get("recipient_name") != ca.handle or
- parent_pdu.findtext(rpki.left_right.tag_bpki_cms_cert).decode("base64") != ca.rootd.certificate.get_DER()):
+ parent_pdu.findtext(rpki.left_right.tag_bpki_cert).decode("base64") != ca.rootd.certificate.get_DER()):
 q_pdu = SubElement(q_msg, rpki.left_right.tag_parent,
 action = "create" if parent_pdu is None else "set",
 tag = ca.handle,
@@ -1513,7 +1521,7 @@ class Zookeeper(object):
 sia_base = ca.rootd.repository.sia_base,
 sender_name = ca.handle,
 recipient_name = ca.handle)
- SubElement(q_pdu, rpki.left_right.tag_bpki_cms_cert).text = ca.rootd.certificate.get_Base64()
+ SubElement(q_pdu, rpki.left_right.tag_bpki_cert).text = ca.rootd.certificate.get_Base64()
 except rpki.irdb.models.Rootd.DoesNotExist:
 pass
diff --git a/rpki/left_right.py b/rpki/left_right.py
index 3367d102..1b5cf5b8 100644
--- a/rpki/left_right.py
+++ b/rpki/left_right.py
@@ -47,8 +47,6 @@ nsmap = rpki.relaxng.left_right.nsmap
 version = rpki.relaxng.left_right.version
 tag_bpki_cert = xmlns + "bpki_cert"
-tag_bpki_cms_cert = xmlns + "bpki_cms_cert"
-tag_bpki_cms_glue = xmlns + "bpki_cms_glue"
 tag_bpki_glue = xmlns + "bpki_glue"
 tag_bsc = xmlns + "bsc"
 tag_child = xmlns + "child"
@@ -584,7 +582,7 @@ class repository_elt(base_elt):
 """
 element_name = xmlns + "repository"
- attributes = ("action", "tag", "self_handle", "repository_handle", "bsc_handle", "peer_contact_uri")
+ attributes = ("action", "tag", "self_handle", "repository_handle", "bsc_handle", "peer_contact_uri", "rrdp_notification_uri")
 booleans = ("clear_replay_protection",)
 elements = collections.OrderedDict((
@@ -608,6 +606,7 @@ class repository_elt(base_elt):
 bpki_cert = None
 bpki_glue = None
 last_cms_timestamp = None
+ rrdp_notification_uri = None
 def __repr__(self):
 return rpki.log.log_repr(self, self.repository_handle)
@@ -700,8 +699,8 @@ class parent_elt(base_elt):
 booleans = ("rekey", "reissue", "revoke", "revoke_forgotten", "clear_replay_protection")
 elements = collections.OrderedDict((
- (tag_bpki_cms_cert, rpki.x509.X509),
- (tag_bpki_cms_glue, rpki.x509.X509)))
+ (tag_bpki_cert, rpki.x509.X509),
+ (tag_bpki_glue, rpki.x509.X509)))
 sql_template = rpki.sql.template(
 "parent",
@@ -714,16 +713,16 @@ class parent_elt(base_elt):
 "sia_base",
 "sender_name",
 "recipient_name",
- ("bpki_cms_cert", rpki.x509.X509),
- ("bpki_cms_glue", rpki.x509.X509),
+ ("bpki_cert", rpki.x509.X509),
+ ("bpki_glue", rpki.x509.X509),
 ("last_cms_timestamp", rpki.sundial.datetime))
 handles = (("self", self_elt),
 ("bsc", bsc_elt),
 ("repository", repository_elt))
- bpki_cms_cert = None
- bpki_cms_glue = None
+ bpki_cert = None
+ bpki_glue = None
 last_cms_timestamp = None
 def __repr__(self):
@@ -883,7 +882,7 @@ class parent_elt(base_elt):
 is_ca = True,
 caRepository = ca.sia_uri,
 rpkiManifest = ca_detail.manifest_uri,
- rpkiNotify = rpki.publication.rrdp_sia_uri_kludge)
+ rpkiNotify = ca.parent.repository.rrdp_notification_uri)
 q_msg = self._compose_up_down_query("issue")
 q_pdu = SubElement(q_msg, rpki.up_down.tag_request, class_name = ca.parent_resource_class)
 q_pdu.text = pkcs10.get_Base64()
@@ -915,8 +914,8 @@ class parent_elt(base_elt):
 r_msg = r_cms.unwrap((self.gctx.bpki_ta,
 self.self.bpki_cert,
 self.self.bpki_glue,
- self.bpki_cms_cert,
- self.bpki_cms_glue))
+ self.bpki_cert,
+ self.bpki_glue))
 r_cms.check_replay_sql(self, self.peer_contact_uri)
 rpki.up_down.check_response(r_msg, q_msg.get("type"))
diff --git a/rpki/publication.py b/rpki/publication.py
index 58c52d34..117bd0ef 100644
--- a/rpki/publication.py
+++ b/rpki/publication.py
@@ -44,11 +44,6 @@ tag_withdraw = rpki.relaxng.publication.xmlns + "withdraw"
 tag_report_error = rpki.relaxng.publication.xmlns + "report_error"
-# Horrible kludge: static RRDP URI for testing, this needs to be fixed
-from socket import getfqdn
-rrdp_sia_uri_kludge = "http://%s/rrdp/notify.xml" % getfqdn()
-
-
 def raise_if_error(pdu):
 """
 Raise an appropriate error if this is a <report_error/> PDU.
diff --git a/rpki/relaxng.py b/rpki/relaxng.py
index 829cddc2..1b16073b 100644
--- a/rpki/relaxng.py
+++ b/rpki/relaxng.py
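Review bot: `rpkiNotify = ca.parent.repository.rrdp_notification_uri` in the `@@ -883` hunk can now be `None` (the column is nullable and the attribute optional in the schema), whereas the kludge it replaces always supplied a string; whether the certificate builder omits the rpkiNotify access description for `None` or fails on it is not visible here and should be confirmed before this ships. The same question applies to every `sia = (None, None, ..., ....rrdp_notification_uri)` tuple in rootd.py `@@ -189`, rpkid.py `@@ -1435`, `@@ -2199`, `@@ -2409`, `@@ -2604`, `@@ -2721`, and rpkidb/models.py `@@ -594`, `@@ -1166`, `@@ -1769`, `@@ -1853`, `@@ -1935`, `@@ -2155`. Once the builder's behaviour is settled, a one-line comment at this call such as `# rrdp_notification_uri is None when the repository has no RRDP service; the SIA then carries no rpkiNotify` would document the contract at the point where the value first becomes optional. The enclosing method starts outside the hunk.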
@@ -552,12 +552,12 @@ left_right = RelaxNGParser(r'''<?xml version="1.0" encoding="UTF-8"?>
 </attribute>
 </optional>
 <optional>
- <element name="bpki_cms_cert">
+ <element name="bpki_cert">
 <ref name="base64"/>
 </element>
 </optional>
 <optional>
- <element name="bpki_cms_glue">
+ <element name="bpki_glue">
 <ref name="base64"/>
 </element>
 </optional>
@@ -768,6 +768,11 @@ left_right = RelaxNGParser(r'''<?xml version="1.0" encoding="UTF-8"?>
 <ref name="bsc_handle"/>
 </optional>
 <optional>
+ <attribute name="rrdp_notification_uri">
+ <ref name="uri"/>
+ </attribute>
+ </optional>
+ <optional>
 <element name="bpki_cert">
 <ref name="base64"/>
 </element>
diff --git a/rpki/rootd.py b/rpki/rootd.py
index 5a84b5df..1a669b97 100644
--- a/rpki/rootd.py
+++ b/rpki/rootd.py
@@ -189,7 +189,7 @@ class main(object):
 keypair = self.rpki_root_key,
 subject_key = manifest_keypair.get_public(),
 serial = self.serial_number,
- sia = (None, None, self.rpki_root_manifest_uri, rpki.publication.rrdp_sia_uri_kludge),
+ sia = (None, None, self.rpki_root_manifest_uri, self.rrdp_notification_uri),
 aia = self.rpki_root_cert_uri,
 crldp = self.rpki_root_crl_uri,
 resources = manifest_resources,
@@ -452,6 +452,8 @@ class main(object):
 self.pubd_url = self.cfg.get("pubd-contact-uri")
+ self.rrdp_notification_uri = self.cfg.get("rrdp-notification-uri")
+
 rpki.http_simple.server(host = self.http_server_host,
 port = self.http_server_port,
 handlers = (("/", self.handler, rpki.up_down.allowed_content_types),))
diff --git a/rpki/rpkid.py b/rpki/rpkid.py
index 24f92a46..79fbcca2 100644
--- a/rpki/rpkid.py
+++ b/rpki/rpkid.py
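Review bot: `self.rrdp_notification_uri = self.cfg.get("rrdp-notification-uri")` in the rootd.py `@@ -452` hunk passes no `default`, so if `cfg.get` raises for a missing option (the neighbouring `pubd-contact-uri` lookup is written the same way and presumably is required), every existing rootd configuration that predates this option stops rootd at startup. The rest of the change treats the URI as nullable, so `self.rrdp_notification_uri = self.cfg.get("rrdp-notification-uri", default = None)` would be consistent with it, the `default =` keyword being the one the zookeeper.py hunk already uses. If the option is instead meant to be mandatory for rootd, that needs to be stated where rootd's configuration options are documented. The enclosing method continues outside the hunk.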
@@ -1435,7 +1435,7 @@ class ca_detail_obj(rpki.sql.sql_persistent):
 ca = self.ca,
 resources = resources,
 subject_key = self.manifest_public_key,
- sia = (None, None, self.manifest_uri, rpki.publication.rrdp_sia_uri_kludge))
+ sia = (None, None, self.manifest_uri, self.ca.parent.repository.rrdp_notification_uri))
 def issue(self, ca, child, subject_key, sia, resources, publisher, child_cert = None):
 """
@@ -2199,7 +2199,7 @@ class roa_obj(rpki.sql.sql_persistent):
 ca = ca,
 resources = resources,
 subject_key = keypair.get_public(),
- sia = (None, None, self.uri_from_key(keypair), rpki.publication.rrdp_sia_uri_kludge))
+ sia = (None, None, self.uri_from_key(keypair), ca.parent.repository.rrdp_notification_uri))
 self.roa = rpki.x509.ROA.build(self.asn, self.ipv4, self.ipv6, keypair, (self.cert,))
 self.published = rpki.sundial.now()
 self.sql_store()
@@ -2409,7 +2409,7 @@ class ghostbuster_obj(rpki.sql.sql_persistent):
 ca = ca,
 resources = resources,
 subject_key = keypair.get_public(),
- sia = (None, None, self.uri_from_key(keypair), rpki.publication.rrdp_sia_uri_kludge))
+ sia = (None, None, self.uri_from_key(keypair), ca.parent.repository.rrdp_notification_uri))
 self.ghostbuster = rpki.x509.Ghostbuster.build(self.vcard, keypair, (self.cert,))
 self.published = rpki.sundial.now()
 self.sql_store()
@@ -2604,7 +2604,7 @@ class ee_cert_obj(rpki.sql.sql_persistent):
 cn, sn = subject_name.extract_cn_and_sn()
 ca = ca_detail.ca
- sia = (None, None, ca_detail.ca.sia_uri + subject_key.gSKI() + ".cer", rpki.publication.rrdp_sia_uri_kludge)
+ sia = (None, None, ca_detail.ca.sia_uri + subject_key.gSKI() + ".cer", ca.parent.repository.rrdp_notification_uri)
 cert = ca_detail.issue_ee(
 ca = ca,
@@ -2721,7 +2721,7 @@ class ee_cert_obj(rpki.sql.sql_persistent):
 ca = ca_detail.ca,
 subject_key = self.cert.getPublicKey(),
 eku = self.cert.get_EKU(),
- sia = (None, None, self.uri, rpki.publication.rrdp_sia_uri_kludge),
+ sia = (None, None, self.uri, ca_detail.ca.parent.repository.rrdp_notification_uri),
 resources = resources,
 notAfter = resources.valid_until,
 cn = cn,
diff --git a/rpki/rpkidb/migrations/0002_auto_20151015_2213.py b/rpki/rpkidb/migrations/0002_auto_20151015_2213.py
new file mode 100644
index 00000000..f602b42b
--- /dev/null
+++ b/rpki/rpkidb/migrations/0002_auto_20151015_2213.py
@@ -0,0 +1,29 @@
+# -*- coding: utf-8 -*-
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('rpkidb', '0001_initial'),
+ ]
+
+ operations = [
+ migrations.RenameField(
+ model_name='parent',
+ old_name='bpki_cms_cert',
+ new_name='bpki_cert',
+ ),
+ migrations.RenameField(
+ model_name='parent',
+ old_name='bpki_cms_glue',
+ new_name='bpki_glue',
+ ),
+ migrations.AddField(
+ model_name='repository',
+ name='rrdp_notification_uri',
+ field=models.TextField(null=True),
+ ),
+ ]
diff --git a/rpki/rpkidb/models.py b/rpki/rpkidb/models.py
index 26be729d..3e5bad44 100644
--- a/rpki/rpkidb/models.py
+++ b/rpki/rpkidb/models.py
@@ -44,8 +44,6 @@ class XMLTemplate(object):
 element_type = dict(bpki_cert = rpki.x509.X509,
 bpki_glue = rpki.x509.X509,
- bpki_cms_cert = rpki.x509.X509,
- bpki_cms_glue = rpki.x509.X509,
 pkcs10_request = rpki.x509.PKCS10,
 signing_cert = rpki.x509.X509,
 signing_cert_crl = rpki.x509.CRL)
@@ -345,6 +343,7 @@ class BSC(models.Model):
 class Repository(models.Model):
 repository_handle = models.SlugField(max_length = 255)
 peer_contact_uri = models.TextField(null = True)
+ rrdp_notification_uri = models.TextField(null = True)
 bpki_cert = CertificateField(null = True)
 bpki_glue = CertificateField(null = True)
 last_cms_timestamp = SundialField(null = True)
@@ -358,7 +357,7 @@ class Repository(models.Model):
 xml_template = XMLTemplate(
 name = "repository",
 handles = (BSC,),
- attributes = ("peer_contact_uri",),
+ attributes = ("peer_contact_uri", "rrdp_notification_uri"),
 elements = ("bpki_cert", "bpki_glue"))
@@ -432,8 +431,8 @@ class Repository(models.Model):
 class Parent(models.Model):
 parent_handle = models.SlugField(max_length = 255)
- bpki_cms_cert = CertificateField(null = True)
- bpki_cms_glue = CertificateField(null = True)
+ bpki_cert = CertificateField(null = True)
+ bpki_glue = CertificateField(null = True)
 peer_contact_uri = models.TextField(null = True)
 sia_base = models.TextField(null = True)
 sender_name = models.TextField(null = True)
@@ -451,7 +450,7 @@ class Parent(models.Model):
 name = "parent",
 handles = (BSC, Repository),
 attributes = ("peer_contact_uri", "sia_base", "sender_name", "recipient_name"),
- elements = ("bpki_cms_cert", "bpki_cms_glue"))
+ elements = ("bpki_cert", "bpki_glue"))
 def xml_pre_delete_hook(self, cb, eb):
@@ -594,7 +593,7 @@ class Parent(models.Model):
 is_ca = True,
 caRepository = ca.sia_uri,
 rpkiManifest = ca_detail.manifest_uri,
- rpkiNotify = rpki.publication.rrdp_sia_uri_kludge)
+ rpkiNotify = ca.parent.repository.rrdp_notification_uri)
 q_msg = self._compose_up_down_query("issue")
 q_pdu = SubElement(q_msg, rpki.up_down.tag_request, class_name = ca.parent_resource_class)
 q_pdu.text = pkcs10.get_Base64()
@@ -626,8 +625,8 @@ class Parent(models.Model):
 r_msg = r_cms.unwrap((self.gctx.bpki_ta,
 self.self.bpki_cert,
 self.self.bpki_glue,
- self.bpki_cms_cert,
- self.bpki_cms_glue))
+ self.bpki_cert,
+ self.bpki_glue))
 r_cms.check_replay_sql(self, self.peer_contact_uri)
 rpki.up_down.check_response(r_msg, q_msg.get("type"))
@@ -1166,7 +1165,7 @@ class CADetail(models.Model):
 ca = self.ca,
 resources = resources,
 subject_key = self.manifest_public_key,
- sia = (None, None, self.manifest_uri, rpki.publication.rrdp_sia_uri_kludge))
+ sia = (None, None, self.manifest_uri, self.ca.parent.repository.rrdp_notification_uri))
 def issue(self, ca, child, subject_key, sia, resources, publisher, child_cert = None):
@@ -1769,7 +1768,7 @@ class EECert(models.Model):
 cn, sn = subject_name.extract_cn_and_sn()
 ca = ca_detail.ca
- sia = (None, None, ca_detail.ca.sia_uri + subject_key.gSKI() + ".cer", rpki.publication.rrdp_sia_uri_kludge)
+ sia = (None, None, ca_detail.ca.sia_uri + subject_key.gSKI() + ".cer", ca_detail.ca.parent.repository.rrdp_notification_uri)
 cert = ca_detail.issue_ee(
 ca = ca_detail.ca,
 subject_key = subject_key,
@@ -1853,7 +1852,7 @@ class EECert(models.Model):
 ca = ca_detail.ca,
 subject_key = self.cert.getPublicKey(),
 eku = self.cert.get_EKU(),
- sia = (None, None, self.uri, rpki.publication.rrdp_sia_uri_kludge),
+ sia = (None, None, self.uri, ca_detail.ca.parent.repository.rrdp_notification_uri),
 resources = resources,
 notAfter = resources.valid_until,
 cn = cn,
@@ -1935,7 +1934,7 @@ class Ghostbuster(models.Model):
 ca = self.ca_detail.ca,
 resources = resources,
 subject_key = keypair.get_public(),
- sia = (None, None, self.uri_from_key(keypair), rpki.publication.rrdp_sia_uri_kludge))
+ sia = (None, None, self.uri_from_key(keypair), self.ca_detail.ca.parent.repository.rrdp_notification_uri))
 self.ghostbuster = rpki.x509.Ghostbuster.build(self.vcard, keypair, (self.cert,))
 self.published = rpki.sundial.now()
 self.save()
@@ -2155,7 +2154,7 @@ class ROA(models.Model):
 ca = self.ca_detail.ca,
 resources = resources,
 subject_key = keypair.get_public(),
- sia = (None, None, self.uri_from_key(keypair), rpki.publication.rrdp_sia_uri_kludge))
+ sia = (None, None, self.uri_from_key(keypair), self.ca_detail.ca.parent.repository.rrdp_notification_uri))
 self.roa = rpki.x509.ROA.build(self.asn, self.ipv4, self.ipv6, keypair, (self.cert,))
 self.published = rpki.sundial.now()
 self.save()
diff --git a/rpki/sql_schemas.py b/rpki/sql_schemas.py
index fc262f12..a3c039af 100644
--- a/rpki/sql_schemas.py
+++ b/rpki/sql_schemas.py
@@ -71,6 +71,7 @@ CREATE TABLE repository (
 repository_id SERIAL NOT NULL,
 repository_handle VARCHAR(255) NOT NULL,
 peer_contact_uri TEXT,
+ rrdp_notification_uri TEXT,
 bpki_cert LONGBLOB,
 bpki_glue LONGBLOB,
 last_cms_timestamp DATETIME,
@@ -87,8 +88,8 @@ CREATE TABLE repository (
 CREATE TABLE parent (
 parent_id SERIAL NOT NULL,
 parent_handle VARCHAR(255) NOT NULL,
- bpki_cms_cert LONGBLOB,
- bpki_cms_glue LONGBLOB,
+ bpki_cert LONGBLOB,
+ bpki_glue LONGBLOB,
 peer_contact_uri TEXT,
 sia_base TEXT,
 sender_name TEXT, |
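Review bot: the rename of `bpki_cms_cert`/`bpki_cms_glue` to `bpki_cert`/`bpki_glue` in `CREATE TABLE parent` (sql_schemas.py `@@ -87`) and the new `rrdp_notification_uri TEXT` column (`@@ -71`) only take effect for databases created fresh from this schema; unlike rpkidb, which gets a Django migration in this commit, an existing deployment on this raw-SQL path receives no `ALTER TABLE`, while the left_right.py `sql_template` in the same commit now selects the new column names. If that path is still supported, the commit should ship matching ALTER statements, or at least a comment above `CREATE TABLE parent` such as `-- Schema change: parent.bpki_cms_cert/bpki_cms_glue renamed, repository.rrdp_notification_uri added; existing databases need a manual ALTER TABLE` so operators upgrading in place are not surprised by a failing query.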