Diffstat (limited to 'rpkid/rpki')
-rw-r--r-- | rpkid/rpki/exceptions.py | 2 | ||||
-rw-r--r-- | rpkid/rpki/https.py | 6 | ||||
-rw-r--r-- | rpkid/rpki/x509.py | 28 |
3 files changed, 26 insertions, 10 deletions
diff --git a/rpkid/rpki/exceptions.py b/rpkid/rpki/exceptions.py
index 620a0a49..a80ab0e5 100644
--- a/rpkid/rpki/exceptions.py
+++ b/rpkid/rpki/exceptions.py
@@ -97,3 +97,5 @@ class TLSValidationError(RPKI_Exception):
 class WrongEContentType(RPKI_Exception):
 """Received wrong CMS eContentType."""
+class EmptyPEM(RPKI_Exception):
+ """Couldn't find PEM block to convert."""
diff --git a/rpkid/rpki/https.py b/rpkid/rpki/https.py
index 2e70455b..3f411c22 100644
--- a/rpkid/rpki/https.py
+++ b/rpkid/rpki/https.py
@@ -31,7 +31,7 @@ import POW
 disable_tls_certificate_validation_exceptions = False
 # Chatter suppression
-debug_tls_certs = True
+debug_tls_certs = False
 rpki_content_type = "application/x-rpki"
@@ -55,8 +55,8 @@ class Checker(tlslite.api.Checker):
 self.x509store = POW.X509Store()
- if isinstance(trust_anchor, rpki.x509.X509):
- trust_anchor = (trust_anchor,)
+ trust_anchor = rpki.x509.X509.normalize_chain(trust_anchor)
+ assert trust_anchor
 for x in trust_anchor:
 if debug_tls_certs:
diff --git a/rpkid/rpki/x509.py b/rpkid/rpki/x509.py
index f43d882a..b6b07039 100644
--- a/rpkid/rpki/x509.py
+++ b/rpkid/rpki/x509.py
@@ -60,7 +60,8 @@ class PEM_converter(object):
 pass
 while lines and lines.pop(-1) != self.e:
 pass
- assert lines
+ if not lines:
+ raise rpki.exceptions.EmptyPEM, "Could not find PEM in:\n%s" % pem
 return base64.b64decode("".join(lines))
 def to_PEM(self, der):
@@ -214,16 +215,18 @@ class DER_object(object):
 seek() when decoding ASN.1 content nested in OCTET STRING values.
 """
+ ret = None
 fn = "dumpasn1.tmp"
 try:
 f = open(fn, "wb")
 f.write(self.get_DER())
 f.close()
 f = os.popen("dumpasn1 2>&1 -a " + fn)
- print "\n".join(x for x in f.read().splitlines() if x.startswith(" "))
+ ret = "\n".join(x for x in f.read().splitlines() if x.startswith(" "))
 f.close()
 finally:
 os.unlink(fn)
+ return ret
 class X509(DER_object):
 """X.509 certificates.
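Review bot: `assert trust_anchor` is now the only thing rejecting an empty trust-anchor set once `normalize_chain` has dropped `None` entries, and assertions are stripped under `python -O`, so a misconfigured caller would silently build an X509Store with no anchors at all. Replace it with an explicit error, e.g. `if not trust_anchor: raise rpki.exceptions.TLSValidationError, "No TLS trust anchors supplied"` (or whichever rpki.exceptions class fits the callers' expectations). The CMS counterpart in x509.py (hunk `@@ -583,8 +599,7 @@`) has no such check at all after `ta = X509.normalize_chain(ta)`; presumably cms.verify fails closed on an empty store, but the same explicit guard belongs there rather than relying on that implicitly. The enclosing Checker method starts and ends outside this hunk.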
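Review bot: The new `raise rpki.exceptions.EmptyPEM, "Could not find PEM in:\n%s" % pem` copies the entire input into the exception text, which will end up in logs and tracebacks; if PEM_converter is also used for private-key PEM (the class looks generic, confirm against its instantiations), that puts key material into an error message. Report only what is needed to diagnose the failure, e.g. `raise rpki.exceptions.EmptyPEM, "Could not find PEM block in %d bytes of input" % len(pem)`. The enclosing method's header is above this hunk.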
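Review bot: dumpasn1 now returns the dump instead of printing it, but the visible tail of its docstring (which begins above this hunk) is not updated; add a line such as `Returns the indented lines of dumpasn1 output joined into one string.` The `ret = None` initializer can never be observed by a caller, because any exception in the try body propagates through the finally, so the join result could be returned directly after the finally and the initializer dropped. While the method is being reworked, the fixed `dumpasn1.tmp` in the current working directory (pre-existing, not introduced here) is a predictable path that any other process with access to that directory can pre-create; a `tempfile.mkstemp()` path would remove that exposure.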
@@ -356,6 +359,19 @@ class X509(DER_object):
 return X509(POWpkix = cert)
+ @classmethod
+ def normalize_chain(cls, chain):
+ """Normalize a chain of certificates into a tuple of X509 objects.
+ Given all the glue certificates needed for BPKI cross
+ certification, it's easiest to allow sloppy arguments to the HTTPS
+ and CMS validation methods and provide a single method that
+ normalizes the allowed cases. So this method allows X509, None,
+ lists, and tuples, and returns a tuple of X509 objects.
+ """
+ if isinstance(chain, cls):
+ chain = (chain,)
+ return tuple(x for x in chain if x is not None)
+
 class PKCS10(DER_object):
 """Class to hold a PKCS #10 request."""
@@ -554,7 +570,7 @@ class CMS_object(DER_object):
 econtent_oid = POWify("id-data")
 dump_on_verify_failure = False
- debug_cms_certs = True
+ debug_cms_certs = False
 def get_DER(self):
 """Get the DER value of this CMS_object."""
@@ -583,8 +599,7 @@ class CMS_object(DER_object):
 store = POW.X509Store()
- if isinstance(ta, X509):
- ta = (ta,)
+ ta = X509.normalize_chain(ta)
 for x in ta:
 if self.debug_cms_certs:
@@ -602,8 +617,7 @@ class CMS_object(DER_object):
 content = cms.verify(store)
 except:
 if self.dump_on_verify_failure:
- print "CMS verification failed, dumping ASN.1:"
- self.dumpasn1()
+ rpki.log.debug("CMS verification failed, dumping ASN.1:\n" + self.dumpasn1())
 raise rpki.exceptions.CMSVerificationFailed, "CMS verification failed"
 self.decode(content)
|
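Review bot: `normalize_chain` does not accept `None` as the chain argument itself even though its docstring says the method "allows X509, None, lists, and tuples": `tuple(x for x in chain if x is not None)` raises TypeError when `chain` is `None`, so only `None` elements are tolerated, and the callers in https.py and CMS_object that previously did a plain `isinstance` check now go through a path that can raise on that input. It also never checks that the surviving elements are X509 instances, so a stray string or raw POW object is passed on and only fails later inside the trust-store setup, far from the caller that supplied it. Handling a `None` argument explicitly and validating element types keeps the "sloppy arguments" contract honest:
```python
  @classmethod
  def normalize_chain(cls, chain):
    # … unchanged: docstring …
    if chain is None:
      return ()
    if isinstance(chain, cls):
      chain = (chain,)
    ret = tuple(x for x in chain if x is not None)
    for x in ret:
      if not isinstance(x, cls):
        raise TypeError, "Expected %s, got %r" % (cls.__name__, x)
    return ret
```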
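Review bot: The new `rpki.log.debug("CMS verification failed, dumping ASN.1:\n" + self.dumpasn1())` runs inside the bare `except:` handler, so any exception raised while producing the dump (dumpasn1 opens and writes a file, runs an external program and unlinks the file) replaces the verification failure and escapes as something other than CMSVerificationFailed, which callers presumably catch. The debug dump should be best-effort so that the security-relevant exception always wins; the pre-existing bare `except:` also swallows KeyboardInterrupt and SystemExit, which is worth narrowing separately. The enclosing verify method starts and ends outside this hunk.
```python
      if self.dump_on_verify_failure:
        try:
          rpki.log.debug("CMS verification failed, dumping ASN.1:\n" + self.dumpasn1())
        except Exception:
          rpki.log.debug("CMS verification failed, could not produce ASN.1 dump")
      raise rpki.exceptions.CMSVerificationFailed, "CMS verification failed"
```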