Diffstat (limited to 'rpkid')
-rw-r--r--rpkid/README31
-rw-r--r--rpkid/rpki/exceptions.py3
-rw-r--r--rpkid/rpki/https.py20
3 files changed, 22 insertions, 32 deletions
diff --git a/rpkid/README b/rpkid/README
index 17f95192..2dd9599e 100644
--- a/rpkid/README
+++ b/rpkid/README
@@ -14,7 +14,7 @@ External Python packages required:
Fedora: python-lxml.i386
- MySQLdb, which in turn requires MySQL client and server. I'm
- testing with MySQL 5.1.
+ testing with MySQL 5.0 and 5.1.
http://sourceforge.net/projects/mysql-python/
@@ -27,11 +27,6 @@ External Python packages required:
FreeBSD: /usr/ports/security/py-tlslite
-- Cryptlib is no longer required.
-
-- Eventually I expect that this will require an event-handling package
- like Twisted, but I'm not there yet.
-
- The testpoke tool (up-down protocol command line test client) and
testbed tools also uses PyYAML.
@@ -39,12 +34,12 @@ External Python packages required:
FreeBSD: /usr/ports/devel/py-yaml
+- Eventually I expect that this will require an event-handling package
+ like Twisted, but I'm not there yet.
+
We also use a hacked copy of the Python OpenSSL Wrappers (POW)
package, but our copy has enough modifications that it's expanded in
-the Subversion tree. Depending on how this all works out, I may end
-up splitting the POW.pkix module out of the POW package and using it
-with Cryptlib, as the POW.pkix package is 98% about doing ASN.1 in
-pure Python and only 2% about any kind of crypto.
+the Subversion tree.
@@ -52,22 +47,6 @@ $Revision$
TO DO:
- - Update BPKI model to what was defined in Amsterdam. This was
- a direct result of security review by Kent and Housley.
-
- Much of this is now done. Remaining tasks:
-
- Check chain length in received TLS
- If TLS cert in SQL is EE:
- EE cert in SQL must be same as EE cert received from TLS
-
- PRIORITY: Required for pilot (security issue)
-
- TIME REQUIRED: Two weeks.
-
- STATUS: Started
-
-
- rcynic handling of RPKI trust anchors needs updating, per
discussions over previous months of how RPKI trust anchors
work, how we package them, and how we roll them over. The last
diff --git a/rpkid/rpki/exceptions.py b/rpkid/rpki/exceptions.py
index a9579337..c8874f3f 100644
--- a/rpkid/rpki/exceptions.py
+++ b/rpkid/rpki/exceptions.py
@@ -114,3 +114,6 @@ class MissingCMSCRL(RPKI_Exception):
class UnparsableCMSDER(RPKI_Exception):
"""Alleged CMS DER wasn't parsable."""
+
+class MultipleTLSEECert(RPKI_Exception):
+ """Received more than one TLS EE certificate."""
diff --git a/rpkid/rpki/https.py b/rpkid/rpki/https.py
index 558db171..8ccaff2c 100644
--- a/rpkid/rpki/https.py
+++ b/rpkid/rpki/https.py
@@ -86,15 +86,23 @@ class Checker(tlslite.api.Checker):
chain = [rpki.x509.X509(tlslite = chain.x509List[i]) for i in range(chain.getNumCerts())]
- if debug_tls_certs:
- for i in range(len(chain)):
- rpki.log.debug("Received %s TLS cert[%d] issuer %s [%s] subject %s [%s]" % (peer, i, chain[i].getIssuer(), chain[i].hAKI(), chain[i].getSubject(), chain[i].hSKI()))
+ ee = None
+ for x in chain:
+ if debug_tls_certs:
+ rpki.log.debug("Received %s TLS %s cert issuer %s [%s] subject %s [%s]"
+ % (peer, "CA" if x.is_CA() else "EE", x.getIssuer(), x.hAKI(), x.getSubject(), x.hSKI()))
if pem_dump_tls_certs:
- print chain[i].get_PEM()
+ print x.get_PEM()
+ if x.is_CA():
+ rpki.log.debug("Ignoring received TLS CA cert")
+ elif ee is None:
+ ee = x
+ else:
+ raise rpki.exceptions.MultipleTLSEECert, chain
- result = self.x509store_thunk().verifyDetailed(chain[0].get_POW(), [x.get_POW() for x in chain[1:]])
- rpki.log.debug("TLS certificate validation result %s" % repr(result))
+ result = self.x509store_thunk().verifyDetailed(ee.get_POW())
if not result[0]:
+ rpki.log.debug("TLS certificate validation result %s" % repr(result))
if disable_tls_certificate_validation_exceptions:
rpki.log.warn("DANGER WILL ROBINSON! IGNORING TLS VALIDATION FAILURE!")
else:
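Review bot: A peer chain with no EE certificate (empty, or every cert reporting `is_CA()` true) leaves `ee` as `None`, so `ee.get_POW()` in the new `verifyDetailed` call raises an AttributeError instead of a deliberate TLS validation error. Because the chain comes from the remote peer, I would add an explicit guard just before that call, for example `if ee is None: raise rpki.exceptions.MissingTLSEECert, chain`, where `MissingTLSEECert` is a new exception class suggested here to sit next to `MultipleTLSEECert`. That way the rejection is handled and logged like the other certificate failures rather than depending on how callers treat an unexpected AttributeError. Since received CA certs are now ignored, the result depends entirely on the store returned by `x509store_thunk()`; a one-line comment such as `# Peer-supplied CA certs are deliberately not used for path building` would record that this is intended. The enclosing Checker method starts and ends outside this hunk.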