Diffstat (limited to 'rpkid/rpki/irdb')
-rw-r--r-- | rpkid/rpki/irdb/models.py | 16 | ||||
-rw-r--r-- | rpkid/rpki/irdb/zookeeper.py | 52 |
2 files changed, 66 insertions, 2 deletions
diff --git a/rpkid/rpki/irdb/models.py b/rpkid/rpki/irdb/models.py
index 03b6643c..3553581e 100644
--- a/rpkid/rpki/irdb/models.py
+++ b/rpkid/rpki/irdb/models.py
@@ -581,10 +581,22 @@ class GhostbusterRequest(django.db.models.Model):
 
 class EECertificateRequest(ResourceSet):
 issuer = django.db.models.ForeignKey(ResourceHolderCA, related_name = "ee_certificate_requests")
- router_id = django.db.models.BigIntegerField(null = True)
 pkcs10 = PKCS10Field()
 gski = django.db.models.CharField(max_length = 27)
-
+
+ # At one point I had a router_id field here, but I don't think it
+ # serves any real purpose. Put it back if I remember why I thought
+ # we needed it, but the current I-D has router-id encoded in teh
+ # subject name.
+
+ # Need subject name field here? It's in the PKCS #10, but then so
+ # is the public key from which we generate the g(SKI); question is
+ # whether we need to use the subject name or just transport it.
+ #
+ # I guess we could have left-right XML attributes corresponding to
+ # X.509 commonName and serialNumber if necessary, question is whether
+ # this is necessary.
+
 def _select_resource_bag(self):
 ee_asn = rpki.irdb.EECertificateRequestASN.objects.raw("""
 SELECT *
diff --git a/rpkid/rpki/irdb/zookeeper.py b/rpkid/rpki/irdb/zookeeper.py
index 1c2d2d16..bb52bddd 100644
--- a/rpkid/rpki/irdb/zookeeper.py
+++ b/rpkid/rpki/irdb/zookeeper.py
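Review bot: Removing the `router_id` field from EECertificateRequest changes the IRDB table layout, but nothing in this diffstat (limited to rpkid/rpki/irdb) shows a matching schema change; because the column was declared `null = True` an existing table should keep working with the stale column, but a fresh syncdb and an old database now differ, which is worth a line in the commit message or in the comment. The replacement comment reads as open design notes rather than a record of the decision; a one-liner such as `# No router_id field: the router profile carries it in the subject name (see Zookeeper.add_router_certificate_request).` would tell a maintainer what was settled. `teh` in the comment is a typo.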
@@ -1586,3 +1586,55 @@ class Zookeeper(object):
 if rpkid_query:
 rpkid_reply = self.call_rpkid(rpkid_query)
 self.check_error_report(rpkid_reply)
+
+
+ @django.db.transaction.commit_on_success
+ def add_ee_certificate_request(self, pkcs10, resources):
+ """
+ Check a PKCS #10 request to see if it complies with the
+ specification for a RPKI EE certificate; if it does, add an
+ EECertificateRequest for it to the IRDB.
+
+ Not yet sure what we want for update and delete semantics here, so
+ for the moment this is straight addition. See methods like
+ .load_asns() and .load_prefixes() for other strategies.
+ """
+
+ pkcs10.check_valid_rpki(ee = True)
+ ee_request = self.resource_ca.ee_certificate_requests.create(
+ pkcs10 = pkcs10,
+ gski = pkcs10.gSKI(),
+ valid_until = resources.valid_until)
+ for range in resources.asn:
+ ee_request.asns.create(start_as = str(range.min), end_as = str(range.max))
+ for range in resources.v4:
+ ee_request.address_ranges.create(start_ip = str(range.min), end_ip = str(range.max), version = 4)
+ for range in resources.v6:
+ ee_request.address_ranges.create(start_ip = str(range.min), end_ip = str(range.max), version = 6)
+
+
+ def add_router_certificate_request(self, pkcs10, asn):
+ """
+ Check a PKCS #10 request to see if it complies with the
+ specification for a router certificate; if it does, create an EE
+ certificate request for it along with a specified ASN.
+ """
+
+ if isinstance(asn, (str, unicode)):
+ asn = long(asn)
+ if not isinstance(asn, (int, long)) or asn < 0 or asn > 0xFFFFFFFF:
+ raise rpki.exceptions.BadAutonomousSystemNumber("Bad AutonomousSystem number: %s" % asn)
+
+ # This attempts to enforce draft-ietf-sidr-bgpsec-pki-profiles-06
+ # section 3.1.1.1, which may be a mistake, too early to tell.
+ cn, sn = pkcs10.getSubject().extract_cn_and_sn()
+ if not cn.startswith("ROUTER-") \
+ or len(cn) != 7 + 8 \
+ or not cn[7:].isalnum() \
+ or int(cn[7:], 16) != asn \
+ or not sn.isalnum() \
+ or len(sn) != 8 \
+ or int(sn, 16) > 0xFFFFFFFF:
+ raise rpki.exceptions.BadX510DN("Subject name doesn't match router profile: %s" % pkcs10.getSubject())
+
+ raise NotImplementedError, "Not finished"
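Review bot: The subject-name check in add_router_certificate_request rejects malformed input with the wrong exception: `cn[7:].isalnum()` and `sn.isalnum()` admit any letter, so a CN such as ROUTER-ZZZZZZZZ passes them and `int(cn[7:], 16)` raises ValueError rather than BadX510DN, and because `int(s, 16)` accepts a `0x` prefix an 8-character value like 0x12abcd is accepted as a 6-digit ASN instead of being rejected; `long(asn)` on a non-numeric string a few lines above fails the same way. Replace the isalnum tests with a hex-digit match, e.g. a module-level `_HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")` and `if not cn.startswith("ROUTER-") or not _HEX8.match(cn[7:]) or int(cn[7:], 16) != asn or not _HEX8.match(sn):`, which also makes the length and overflow tests redundant; whether `re` is already imported in zookeeper.py is not visible here. Unlike add_ee_certificate_request, this method never calls `pkcs10.check_valid_rpki(ee = True)` before inspecting the subject, so the request itself is not validated; presumably that belongs in the unfinished part after the NotImplementedError. Also, the loop variable `range` in add_ee_certificate_request shadows the builtin; `for r in resources.asn:` reads better.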