Diffstat (limited to 'rpkid/rpki')
-rw-r--r-- | rpkid/rpki/https.py | 22 | ||||
-rw-r--r-- | rpkid/rpki/x509.py | 3 |
2 files changed, 20 insertions, 5 deletions
diff --git a/rpkid/rpki/https.py b/rpkid/rpki/https.py
index 762b6e88..d57c6db8 100644
--- a/rpkid/rpki/https.py
+++ b/rpkid/rpki/https.py
@@ -29,6 +29,16 @@ rpki_content_type = "application/x-rpki"
 class Checker(tlslite.api.Checker):
 """Derived class to handle X.509 client certificate checking."""
+ x509TrustList = None
+
+ def __init__(self, x509TrustList = None):
+ """Initialize our modified checker."""
+
+ if False:
+ self.x509TrustList = x509TrustList
+ else:
+ rpki.log.debug("Ignoring HTTPS trust anchors %s, validation disabled" % repr(x509TrustList))
+
 def __call__(self, tlsConnection):
 """Wrap some logging code around standard tlslite.Checker class.
@@ -38,9 +48,12 @@ class Checker(tlslite.api.Checker):
 """
 for i in range(tlsConnection.session.clientCertChain.getNumCerts()):
- rpki.log.debug("Received cert[%d] %s" % (i, tlsConnection.session.clientCertChain.x509List[i].getCommonName()))
+ x = rpki.x509.X509(tlslite = tlsConnection.session.clientCertChain.x509List[i])
+ rpki.log.debug("Received cert[%d] %s" % (i, x.getSubject()))
- return tlslite.api.Checker.__call__(self, tlsConnection)
+ # Disabling this removes the need for cryptlib_py
+ if self.x509TrustList is not None:
+ tlslite.api.Checker.__call__(self, tlsConnection)
 class httpsClient(tlslite.api.HTTPTLSConnection):
 """Derived class to let us replace the default Checker."""
@@ -54,8 +67,6 @@ class httpsClient(tlslite.api.HTTPTLSConnection):
 self, host = host, port = port, settings = settings, certChain = certChain, privateKey = privateKey)
- rpki.log.debug("Found checker %s" % repr(self.checker))
- self.checker = Checker(x509TrustList = x509TrustList)
 def client(msg, privateKey, certChain, x509TrustList, url, timeout = 300):
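Review bot: The `if False:` branch in Checker.__init__ is dead, so `self.x509TrustList` is never assigned and the class-level `x509TrustList = None` is what the guard in `__call__` (the following hunk) tests; the net effect is that client certificate chains are logged but never checked against the trust anchors, and the only record of that is a debug-level message. If validation is meant to stay off until the cryptlib_py dependency is sorted out, make that explicit and visible: replace the literal with a named module-level flag such as `VALIDATE_HTTPS_CLIENT_CERTS = False  # TODO: re-enable once cryptlib_py is no longer required` tested as `if VALIDATE_HTTPS_CLIENT_CERTS:`, and emit the "validation disabled" message at the most prominent level rpki.log offers rather than debug. The override also never calls `tlslite.api.Checker.__init__`, so whatever attributes the base constructor normally sets are presumably absent; that is harmless while the guard in `__call__` is never true, but it will surface for whoever re-enables the branch. The server hunk that builds `Checker(x509TrustList = x509TrustList)` is affected in the same way, and the two lines deleted from httpsClient.__init__ appear to leave the client with no checker of its own unless HTTPTLSConnection installs one; the `__init__` signature of httpsClient lies outside this hunk.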
@@ -183,7 +194,8 @@ def server(handlers, privateKey, certChain, port = 4433, host = "", x509TrustLis
 if x509TrustList is not None:
 x509TrustList = x509TrustList.tlslite_trustList()
 for x in x509TrustList:
- rpki.log.debug("HTTPS trust anchor %s" % x.getCommonName())
+ rpki.log.debug("HTTPS trust anchor %s" % rpki.x509.X509(tlslite = x).getSubject())
+ httpd.rpki_checker = Checker(x509TrustList = x509TrustList)
 httpd.serve_forever()
diff --git a/rpkid/rpki/x509.py b/rpkid/rpki/x509.py
index a2e81a67..3636ece0 100644
--- a/rpkid/rpki/x509.py
+++ b/rpkid/rpki/x509.py
@@ -231,6 +231,9 @@ class X509(DER_object):
 if self.POWpkix:
 self.DER = self.POWpkix.toString()
 return self.get_DER()
+ if self.tlslite:
+ self.DER = self.tlslite.writeBytes()
+ return self.get_DER()
 raise rpki.exceptions.DERObjectConversionError, "No conversion path to DER available"
 def get_POW(self):
|
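Review bot: The new `if self.tlslite:` branch in get_DER stores whatever `self.tlslite.writeBytes()` returns directly in `self.DER`, while the POWpkix branch just above stores the str produced by `toString()`; in the tlslite releases I am familiar with `writeBytes()` returns a byte array rather than a str, in which case the type of `get_DER()`'s result would depend on which backend the object was built from, and anything that compares, hashes or writes that value could behave differently for tlslite-sourced certificates. If that holds here, normalize at this boundary, e.g. `self.DER = self.tlslite.writeBytes().tostring()` (or whichever conversion yields the same str type the other branches produce), and add a one-line comment noting that DER is always held as a str. The body of get_DER begins outside this hunk, so I cannot see whether an earlier branch already performs such a conversion.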