Diffstat (limited to 'rpkid/rpki')
-rw-r--r-- | rpkid/rpki/__doc__.py | 2 | ||||
-rw-r--r-- | rpkid/rpki/rootd.py | 2 | ||||
-rw-r--r-- | rpkid/rpki/rpkid.py | 2 | ||||
-rw-r--r-- | rpkid/rpki/up_down.py | 2 | ||||
-rw-r--r-- | rpkid/rpki/x509.py | 52 |
5 files changed, 39 insertions, 21 deletions
diff --git a/rpkid/rpki/__doc__.py b/rpkid/rpki/__doc__.py
index 1f9a7ec2..c53de51e 100644
--- a/rpkid/rpki/__doc__.py
+++ b/rpkid/rpki/__doc__.py
@@ -1382,7 +1382,7 @@
 #
 # @par @c rpki-root-manifest:
 # Name of file to which rootd should save its
-# RPKI manifest. Default is "Root.mnf".
+# RPKI manifest. Default is "Root.mft".
 #
 # @par @c rpki-subject-pkcs10:
 # Name of file that rootd should use when saving
diff --git a/rpkid/rpki/rootd.py b/rpkid/rpki/rootd.py
index 26553b33..44e6af83 100644
--- a/rpkid/rpki/rootd.py
+++ b/rpkid/rpki/rootd.py
@@ -306,7 +306,7 @@ class main(object):
     self.rpki_root_cert_file = self.cfg.get("rpki-root-cert")
     self.rpki_root_cert_uri = self.cfg.get("rpki-root-cert-uri", self.rpki_base_uri + "Root.cer")
-    self.rpki_root_manifest = self.cfg.get("rpki-root-manifest", "Root.mnf")
+    self.rpki_root_manifest = self.cfg.get("rpki-root-manifest", "Root.mft")
     self.rpki_root_crl = self.cfg.get("rpki-root-crl", "Root.crl")
     self.rpki_subject_cert = self.cfg.get("rpki-subject-cert", "Child.cer")
     self.rpki_subject_pkcs10 = self.cfg.get("rpki-subject-pkcs10", "Child.pkcs10")
diff --git a/rpkid/rpki/rpkid.py b/rpkid/rpki/rpkid.py
index 9a9be46e..715a8aa2 100644
--- a/rpkid/rpki/rpkid.py
+++ b/rpkid/rpki/rpkid.py
@@ -742,7 +742,7 @@ class ca_detail_obj(rpki.sql.sql_persistent):
     """
     Return publication URI for this ca_detail's manifest.
     """
-    return self.ca.sia_uri + self.public_key.gSKI() + ".mnf"
+    return self.ca.sia_uri + self.public_key.gSKI() + ".mft"
 
   def has_expired(self):
     """
diff --git a/rpkid/rpki/up_down.py b/rpkid/rpki/up_down.py
index 009818cb..0eba6b52 100644
--- a/rpkid/rpki/up_down.py
+++ b/rpkid/rpki/up_down.py
@@ -704,3 +704,5 @@ class cms_msg(rpki.x509.XML_CMS_object):
   encoding = "UTF-8"
   schema = rpki.relaxng.up_down
   saxify = sax_handler.saxify
+  allow_extra_certs = True
+  allow_extra_crls = True
diff --git a/rpkid/rpki/x509.py b/rpkid/rpki/x509.py
index 7bbb47bc..955b8d97 100644
--- a/rpkid/rpki/x509.py
+++ b/rpkid/rpki/x509.py
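Review bot: The two attributes added at the end of cms_msg flip CMS_object's allow_extra_certs and allow_extra_crls defaults to True without a comment recording why up-down messages are permitted to carry extra CA certificates and multiple CRLs, even though this widens what a peer may put into a message. Per the x509.py changes in the same commit the flags are consulted only on the path where no trusted EE certificate was supplied, which is also worth stating here. Suggest `# Up-down peers may include extra CA certificates and CRLs; CMS_object rejects both by default (only applies when no trusted EE cert is configured).` above the two lines. The cms_msg class body starts outside the hunk.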
@@ -940,11 +940,12 @@ class RSA(DER_object):
     return self.POW
 
   @classmethod
-  def generate(cls, keylength = 2048):
+  def generate(cls, keylength = 2048, quiet = False):
     """
     Generate a new keypair.
     """
-    rpki.log.debug("Generating new %d-bit RSA key" % keylength)
+    if not quiet:
+      rpki.log.debug("Generating new %d-bit RSA key" % keylength)
     return cls(POW = rpki.POW.Asymmetric(rpki.POW.RSA_CIPHER, keylength))
 
   def get_public_DER(self):
@@ -1052,6 +1053,16 @@ class CMS_object(DER_object):
 
   require_crls = False
 
+  ## @var allow_extra_certs
+  # Set this to True to allow CMS messages to contain CA certificates.
+
+  allow_extra_certs = False
+
+  ## @var allow_extra_crls
+  # Set this to True to allow CMS messages to contain multiple CRLs.
+
+  allow_extra_crls = False
+
   ## @var print_on_der_error
   # Set this to True to log alleged DER when we have trouble parsing
   # it, in case it's really a Perl backtrace or something.
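Review bot: The docstring of RSA.generate still reads `Generate a new keypair.` and says nothing about the new `quiet` parameter or what it suppresses. Suggest `Generate a new keypair.  If quiet is True, do not log the debug line announcing the key size.` so callers passing quiet=True know it only affects logging, not the key that is produced.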
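Review bot: The comment on allow_extra_certs says it lets CMS messages contain CA certificates, but in the rewritten verification code further down this file (the hunk at -1136,+1147) both new flags are read only in the `else` branch taken when no trusted EE certificate was supplied; when a trusted EE certificate is present, extra certificates and any CRLs are rejected regardless of these settings. Suggest adding `# Only consulted when no trusted EE certificate is configured.` under each of the two `## @var` comments so the scope of the relaxation is clear to anyone setting them.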
@@ -1136,36 +1147,41 @@ class CMS_object(DER_object):
       if self.debug_cms_certs:
         rpki.log.debug("CMS trusted cert issuer %s subject %s SKI %s" % (x.getIssuer(), x.getSubject(), x.hSKI()))
       if x.getNotAfter() < now:
-        raise rpki.exceptions.TrustedCMSCertHasExpired
+        raise rpki.exceptions.TrustedCMSCertHasExpired("Trusted CMS certificate has expired", "%s (%s)" % (x.getSubject(), x.hSKI()))
       if not x.is_CA():
-        if trusted_ee is not None:
-          raise rpki.exceptions.MultipleCMSEECert
-        trusted_ee = x
+        if trusted_ee is None:
+          trusted_ee = x
+        else:
+          raise rpki.exceptions.MultipleCMSEECert("Multiple CMS EE certificates", *("%s (%s)" % (x.getSubject(), x.hSKI()) for x in ta if not x.is_CA()))
       store.addTrust(x.get_POW())
 
     if trusted_ee:
       if self.debug_cms_certs:
         rpki.log.debug("Trusted CMS EE cert issuer %s subject %s SKI %s" % (trusted_ee.getIssuer(), trusted_ee.getSubject(), trusted_ee.hSKI()))
-      if certs and (len(certs) > 1 or certs[0].getSubject() != trusted_ee.getSubject() or certs[0].getPublicKey() != trusted_ee.getPublicKey()):
-        raise rpki.exceptions.UnexpectedCMSCerts # , certs
+      if len(certs) > 1 or (len(certs) == 1 and
+                            (certs[0].getSubject() != trusted_ee.getSubject() or
+                             certs[0].getPublicKey() != trusted_ee.getPublicKey())):
+        raise rpki.exceptions.UnexpectedCMSCerts("Unexpected CMS certificates", *("%s (%s)" % (x.getSubject(), x.hSKI()) for x in certs))
       if crls:
-        rpki.log.warn("Ignoring unexpected CMS CRL%s from trusted peer" % ("" if len(crls) == 1 else "s"))
+        raise rpki.exceptions.UnexpectedCMSCRLs("Unexpected CRLs", *("%s (%s)" % (c.getIssuer(), c.hAKI()) for c in crls))
+
     else:
-      if not certs:
-        raise rpki.exceptions.MissingCMSEEcert # , certs
-      if len(certs) > 1 or certs[0].is_CA():
-        raise rpki.exceptions.UnexpectedCMSCerts # , certs
-      if not crls:
+      untrusted_ee = [x for x in certs if not x.is_CA()]
+      if len(untrusted_ee) < 1:
+        raise rpki.exceptions.MissingCMSEEcert
+      if len(untrusted_ee) > 1 or (not self.allow_extra_certs and len(certs) > len(untrusted_ee)):
+        raise rpki.exceptions.UnexpectedCMSCerts("Unexpected CMS certificates", *("%s (%s)" % (x.getSubject(), x.hSKI()) for x in certs))
+      if len(crls) < 1:
         if self.require_crls:
-          raise rpki.exceptions.MissingCMSCRL # , crls
+          raise rpki.exceptions.MissingCMSCRL
         else:
           rpki.log.warn("MISSING CMS CRL! Ignoring per self.require_crls setting")
-      if len(crls) > 1:
-        raise rpki.exceptions.UnexpectedCMSCRLs # , crls
+      if len(crls) > 1 and not self.allow_extra_crls:
+        raise rpki.exceptions.UnexpectedCMSCRLs("Unexpected CRLs", *("%s (%s)" % (c.getIssuer(), c.hAKI()) for c in crls))
 
     for x in certs:
       if x.getNotAfter() < now:
-        raise rpki.exceptions.CMSCertHasExpired # , x
+        raise rpki.exceptions.CMSCertHasExpired("CMS certificate has expired", "%s (%s)" % (x.getSubject(), x.hSKI()))
 
     try:
       content = cms.verify(store)
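Review bot: `raise rpki.exceptions.MissingCMSEEcert` and `raise rpki.exceptions.MissingCMSCRL` are the only raises in the rewritten untrusted branch that carry no message, while every sibling raise in this hunk now passes a description plus subject/SKI or issuer/AKI detail; for consistent diagnostics use `raise rpki.exceptions.MissingCMSEEcert("Missing CMS EE certificate")` and `raise rpki.exceptions.MissingCMSCRL("Missing CMS CRL")`. When allow_extra_certs is set, the extra CA certificates a peer includes are checked in this hunk only for expiry (the `for x in certs` loop); whether they are constrained to chain back to the anchors added via store.addTrust depends on cms.verify(store), which is outside the hunk, so it is worth confirming that peer-supplied CA certificates cannot act as trust anchors themselves. The enclosing verify method starts and ends outside the hunk.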