Diffstat (limited to 'rpkid')
-rw-r--r-- | rpkid/rpki/rootd.py | 3 | ||||
-rw-r--r-- | rpkid/rpki/rpkid.py | 6 | ||||
-rw-r--r-- | rpkid/rpki/x509.py | 62 | ||||
-rw-r--r-- | rpkid/tests/smoketest.py | 47 | ||||
-rw-r--r-- | rpkid/tests/testpoke.py | 8 | ||||
-rw-r--r-- | rpkid/tests/yamlconf.py | 8 | ||||
-rw-r--r-- | rpkid/tests/yamltest.py | 3 |
7 files changed, 82 insertions, 55 deletions
diff --git a/rpkid/rpki/rootd.py b/rpkid/rpki/rootd.py
index 1dad93f2..d6cf591e 100644
--- a/rpkid/rpki/rootd.py
+++ b/rpkid/rpki/rootd.py
@@ -227,8 +227,7 @@ class main(object):
 keypair = self.rpki_root_key,
 subject_key = manifest_keypair.get_RSApublic(),
 serial = self.serial_number,
- sia = ((rpki.oids.name2oid["id-ad-signedObject"],
- ("uri", self.rpki_base_uri + self.rpki_root_manifest)),),
+ sia = (None, None, self.rpki_root_manifest),
 aia = self.rpki_root_cert_uri,
 crldp = self.rpki_base_uri + self.rpki_root_crl,
 resources = manifest_resources,
diff --git a/rpkid/rpki/rpkid.py b/rpkid/rpki/rpkid.py
index 75218be5..f378ab43 100644
--- a/rpkid/rpki/rpkid.py
+++ b/rpkid/rpki/rpkid.py
@@ -1039,7 +1039,7 @@ class ca_detail_obj(rpki.sql.sql_persistent):
 ca = self.ca,
 resources = resources,
 subject_key = self.manifest_public_key,
- sia = ((rpki.oids.name2oid["id-ad-signedObject"], ("uri", self.manifest_uri)),))
+ sia = (None, None, self.manifest_uri))
 def issue(self, ca, child, subject_key, sia, resources, publisher, child_cert = None):
 """
@@ -1639,7 +1639,7 @@ class roa_obj(rpki.sql.sql_persistent):
 ca = ca,
 resources = resources,
 subject_key = keypair.get_RSApublic(),
- sia = ((rpki.oids.name2oid["id-ad-signedObject"], ("uri", self.uri_from_key(keypair))),))
+ sia = (None, None, self.uri_from_key(keypair)))
 self.roa = rpki.x509.ROA.build(self.asn, self.ipv4, self.ipv6, keypair, (self.cert,))
 self.published = rpki.sundial.now()
 self.sql_store()
@@ -1818,7 +1818,7 @@ class ghostbuster_obj(rpki.sql.sql_persistent):
 ca = ca,
 resources = resources,
 subject_key = keypair.get_RSApublic(),
- sia = ((rpki.oids.name2oid["id-ad-signedObject"], ("uri", self.uri_from_key(keypair))),))
+ sia = (None, None, self.uri_from_key(keypair)))
 self.ghostbuster = rpki.x509.Ghostbuster.build(self.vcard, keypair, (self.cert,))
 self.published = rpki.sundial.now()
 self.sql_store()
diff --git a/rpkid/rpki/x509.py b/rpkid/rpki/x509.py
index cce9a6de..b3132b9b 100644
--- a/rpkid/rpki/x509.py
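Review bot: The new `sia` argument drops the base-URI prefix that the removed lines carried: `(None, None, self.rpki_root_manifest)` passes the bare manifest name, while the neighbouring `crldp = self.rpki_base_uri + self.rpki_root_crl` still prefixes it, and the smoketest rootd configuration in this same diff sets `rpki-root-manifest = root.mft`, a file name with no scheme. Unless the certificate builder prefixes it on its own (the x509.py hunk later in this diff appends each string as given), the manifest EE certificate's id-ad-signedObject entry will be a relative name rather than an rsync URI, and the new `first_rsync_uri()` helper, which matches on `rsync://`, would then return None for it. Suggested line: `sia = (None, None, self.rpki_base_uri + self.rpki_root_manifest),`. The enclosing call starts before the hunk.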
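Review bot: `sia` is now a positional 3-tuple whose slot meaning is nowhere stated at the call sites, so `(None, None, self.manifest_uri)` reads as magic and the same literal shape is repeated in the roa_obj and ghostbuster_obj hunks. The docstring of `issue()` opens inside this hunk (its body continues outside), which makes it the natural place to record the convention, e.g. `sia: 3-tuple (caRepository, rpkiManifest, signedObject); each element is None, one URI string, or a sequence of URI strings` — hedged, since the consuming code is in x509.py. A small named helper such as `def sia_signed_object(uri): return (None, None, uri)` would make the three call sites self-describing and give a single place to change if the tuple layout changes.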
+++ b/rpkid/rpki/x509.py
@@ -96,6 +96,18 @@ class PEM_converter(object):
 """
 return self.b + base64_with_linebreaks(der) + self.e + "\n"
+def first_rsync_uri(xia):
+ """
+ Find first rsync URI in a sequence of AIA or SIA URIs.
+ Returns the URI if found, otherwise None.
+ """
+
+ if xia is not None:
+ for uri in xia:
+ if uri.startswith("rsync://"):
+ return uri
+ return None
+
 def _find_xia_uri(extension, name):
 """
 Find a rsync URI in an SIA or AIA extension.
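Review bot: `first_rsync_uri()` matches the scheme with a case-sensitive `uri.startswith("rsync://")`; URI schemes are case-insensitive (RFC 3986 §3.1), so an `RSYNC://` entry in a certificate received from a peer is silently skipped and the accessor reports None as if no rsync URI were present. If exact lowercase is the intended contract (it is the form every URI built elsewhere in this diff uses), the docstring should say so: `Scheme comparison is exact: only lowercase "rsync://" entries match.`; otherwise compare `uri[:8].lower() == "rsync://"`. The hunk also keeps `_find_xia_uri()` although the DER_object accessors later in this diff all switch to the new helper; if no other callers remain it is dead code and should be removed rather than left as a second, divergent way to pick a URI.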
@@ -394,37 +406,47 @@ class DER_object(object):
 def get_SIA(self):
 """
 Get the SIA extension from this object. Only works for subclasses
- that support getExtension().
+ that support getSIA().
 """
- return (self.get_POWpkix().getExtension(rpki.oids.name2oid["subjectInfoAccess"]) or ((), 0, None))[2]
+ return self.get_POW().getSIA()
 def get_sia_directory_uri(self):
 """
 Get SIA directory (id-ad-caRepository) URI from this object.
- Only works for subclasses that support getExtension().
+ Only works for subclasses that support getSIA().
 """
- return _find_xia_uri(self.get_SIA(), "id-ad-caRepository")
+ sia = self.get_POW().getSIA()
+ return None if sia is None else first_rsync_uri(sia[0])
 def get_sia_manifest_uri(self):
 """
 Get SIA manifest (id-ad-rpkiManifest) URI from this object.
- Only works for subclasses that support getExtension().
+ Only works for subclasses that support getSIA().
 """
- return _find_xia_uri(self.get_SIA(), "id-ad-rpkiManifest")
+ sia = self.get_POW().getSIA()
+ return None if sia is None else first_rsync_uri(sia[1])
+
+ def get_sia_object_uri(self):
+ """
+ Get SIA object (id-ad-signedObject) URI from this object.
+ Only works for subclasses that support getSIA().
+ """
+ sia = self.get_POW().getSIA()
+ return None if sia is None else first_rsync_uri(sia[2])
 def get_AIA(self):
 """
 Get the SIA extension from this object. Only works for subclasses
- that support getExtension().
+ that support getAIA().
 """
- return (self.get_POWpkix().getExtension(rpki.oids.name2oid["authorityInfoAccess"]) or ((), 0, None))[2]
+ return self.get_POW().getAIA()
 def get_aia_uri(self):
 """
 Get AIA (id-ad-caIssuers) URI from this object.
- Only works for subclasses that support getExtension().
+ Only works for subclasses that support getAIA().
 """
- return _find_xia_uri(self.get_AIA(), "id-ad-caIssuers")
+ return first_rsync_uri(self.get_POW().getAIA())
 def get_basicConstraints(self):
 """
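Review bot: `get_AIA()`'s docstring still reads `Get the SIA extension from this object.` although the commit rewrites the very next line of it; it should say `Get the AIA extension from this object.`. The three `get_sia_*` accessors index `sia[0]`, `sia[1]`, `sia[2]` without stating what `getSIA()` returns; a comment on `get_SIA()`, e.g. `# getSIA() is expected to return (caRepository, rpkiManifest, signedObject), each None or a sequence of URI strings -- confirm against rpki.POW`, would anchor the convention (hedged, since POW is not in view). Note also that the URI accessors bypass `get_SIA()`/`get_AIA()` and call `self.get_POW().getSIA()` directly, so a subclass that overrides `get_SIA()` would not affect them; `sia = self.get_SIA()` keeps a single code path.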
@@ -632,6 +654,7 @@ class X509(DER_object):
 """
 ski = subject_key.get_SKI()
+
 if cn is None:
 cn = "".join(("%02X" % ord(i) for i in ski))
@@ -663,8 +686,6 @@ class X509(DER_object):
 if cn is None:
 cn = "".join(("%02X" % ord(i) for i in ski))
- # if notAfter is None: notAfter = now + rpki.sundial.timedelta(days = 30)
-
 cert = rpki.POW.pkix.Certificate()
 cert.setVersion(2)
 cert.setSerial(serial)
@@ -678,7 +699,6 @@ class X509(DER_object):
 ["authorityKeyIdentifier", False, (aki, (), None)],
 ["certificatePolicies", True, ((rpki.oids.name2oid["id-cp-ipAddr-asNumber"], ()),)]
 ]
-
 if crldp is not None:
 exts.append(["cRLDistributionPoints", False, ((("fullName", (("uri", crldp),)), None, ()),)])
@@ -691,10 +711,22 @@ class X509(DER_object):
 else:
 exts.append(["keyUsage", True, (1,)])
+ assert sia is not None or not is_ca
+
+ # Nasty bit midway through conversion from POW.pkix to POW, just
+ # grit teeth for the moment.
+
 if sia is not None:
+ tagged_sia = zip(("id-ad-caRepository", "id-ad-rpkiManifest", "id-ad-signedObject"), sia)
+ sia = []
+ for tag, uris in tagged_sia:
+ if isinstance(uris, str):
+ uris = (uris,)
+ if uris:
+ oid = rpki.oids.name2oid[tag]
+ sia.extend((oid, ("uri", uri)) for uri in uris)
+ assert len(sia) > 0
 exts.append(["subjectInfoAccess", False, sia])
- else:
- assert not is_ca
 # This next bit suggests that perhaps .to_rfc3779_tuple() should
 # be raising an exception when there are no resources rather than
diff --git a/rpkid/tests/smoketest.py b/rpkid/tests/smoketest.py
index bb97108b..8ecbe2b1 100644
--- a/rpkid/tests/smoketest.py
+++ b/rpkid/tests/smoketest.py
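Review bot: Both new checks in the -691 hunk are `assert` statements — `assert sia is not None or not is_ca` and `assert len(sia) > 0` — and vanish under `python -O`, at which point a CA certificate can be issued with no SIA extension or an empty one; since this is the one place the SIA is materialized, raise instead: `if is_ca and sia is None: raise ValueError("CA certificate requires an SIA extension")` and, after the loop, `if not sia: raise ValueError("SIA extension has no URIs")`. Nothing here checks that the strings are URIs at all, so a bare file name (as the rootd hunk earlier in this diff now passes) is appended verbatim. The `isinstance(uris, str)` test also misses `unicode` values on Python 2, which this tree runs on (`xrange` in smoketest.py); a unicode URI would be iterated character by character and emit one access description per character, so `isinstance(uris, basestring)` is the right test. The enclosing method begins and ends outside the hunk.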
@@ -409,7 +409,7 @@ class allocation_db(list):
 self.root.regen_margin = rpki.sundial.timedelta.parse(cfg.get("regen_margin", "1d")).convert_to_seconds()
 for a in self:
 if a.sia_base is None:
- a.sia_base = (rootd_sia if a.is_root else a.parent.sia_base) + a.name + "/"
+ a.sia_base = (rootd_sia + "root/trunk/" if a.is_root else a.parent.sia_base) + a.name + "/"
 if a.base.valid_until is None:
 a.base.valid_until = a.parent.base.valid_until
 if a.crl_interval is None:
@@ -1140,7 +1140,7 @@ def setup_rootd(rpkid, rootd_yaml):
 f.close()
 s = "exec >/dev/null 2>&1\n"
 #s = "set -x\n"
- if not os.path.exists(rootd_name + ".key"):
+ if not os.path.exists("root.key"):
 s += rootd_fmt_2 % d
 s += rootd_fmt_3 % d
 subprocess.check_call(s, shell = True)
@@ -1175,14 +1175,15 @@ def setup_publication(pubd_sql):
 Set up publication daemon.
 """
 rpki.log.info("Configure publication daemon")
- pubd_dir = os.getcwd() + "/publication/"
+ publication_dir = os.getcwd() + "/publication/"
 assert rootd_sia.startswith("rsync://")
 i = 0
 for j in xrange(4):
 i = rootd_sia.index("/", i + 1)
 global rsyncd_dir
- rsyncd_dir = pubd_dir.rstrip("/") + rootd_sia[i:]
- os.makedirs(rsyncd_dir)
+ rsyncd_dir = publication_dir.rstrip("/") + rootd_sia[i:]
+ pubd_dir = rsyncd_dir
+ os.makedirs(pubd_dir + "root/trunk")
 db = MySQLdb.connect(db = pubd_db_name, user = pubd_db_user, passwd = pubd_db_pass)
 cur = db.cursor()
 db.autocommit(True)
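Review bot: The literal `"root/trunk/"` added to `a.sia_base` encodes the same layout as `os.makedirs(pubd_dir + "root/trunk")` in the -1175 hunk and as `rpki-class-name = trunk` / `rpki-base-uri = %(rootd_sia)sroot/` in the rootd configuration template later in this file, so four places must now agree by hand and a mismatch shows up only as a publication or validation failure in the smoketest. Module-level constants, e.g. `rootd_base_dir = "root/"` and `rootd_class_name = "trunk"`, would let each path be derived once. Likewise `os.path.exists("root.key")` in the -1140 hunk hard-codes a name that `rootd_fmt_2` hard-codes independently; if the template is ever renamed the existence check will silently regenerate the key on every run.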
@@ -1432,21 +1433,21 @@ child-bpki-cert = %(rootd_name)s-TA-%(rpkid_name)s-SELF.cer
 server-port = %(rootd_port)s
-rpki-root-dir = %(rsyncd_dir)s
-rpki-base-uri = %(rootd_sia)s
-rpki-root-cert-uri = %(rootd_sia)s%(rootd_name)s.cer
+rpki-root-dir = %(rsyncd_dir)sroot
+rpki-base-uri = %(rootd_sia)sroot/
+rpki-root-cert-uri = %(rootd_sia)sroot.cer
-rpki-root-key = %(rootd_name)s.key
-rpki-root-cert = %(rootd_name)s.cer
+rpki-root-key = root.key
+rpki-root-cert = root.cer
 rpki-subject-pkcs10 = %(rootd_name)s.subject.pkcs10
 rpki-subject-lifetime = %(lifetime)s
-rpki-root-crl = Bandicoot.crl
-rpki-root-manifest = Bandicoot.mft
+rpki-root-crl = root.crl
+rpki-root-manifest = root.mft
-rpki-class-name = Wombat
-rpki-subject-cert = Wombat.cer
+rpki-class-name = trunk
+rpki-subject-cert = trunk.cer
 include-bpki-crl = yes
 enable_tracebacks = yes
@@ -1455,7 +1456,6 @@ enable_tracebacks = yes
 default_bits = 2048
 encrypt_key = no
 distinguished_name = req_dn
-#req_extensions = req_x509_ext
 prompt = no
 default_md = sha256
 default_days = 60
@@ -1472,7 +1472,7 @@ authorityKeyIdentifier = keyid:always
 basicConstraints = critical,CA:true
 subjectKeyIdentifier = hash
 keyUsage = critical,keyCertSign,cRLSign
-subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:%(rootd_sia)s,1.3.6.1.5.5.7.48.10;URI:%(rootd_sia)sBandicoot.mft
+subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:%(rootd_sia)sroot/,1.3.6.1.5.5.7.48.10;URI:%(rootd_sia)sroot/root.mft
 sbgp-autonomousSysNum = critical,AS:0-4294967295
 sbgp-ipAddrBlock = critical,IPv4:0.0.0.0/0,IPv6:0::/0
 certificatePolicies = critical, @rpki_certificate_policy
@@ -1483,17 +1483,17 @@ policyIdentifier = 1.3.6.1.5.5.7.14.2
 '''
 rootd_fmt_2 = '''\
-%(openssl)s genrsa -out %(rootd_name)s.key 2048 &&
+%(openssl)s genrsa -out root.key 2048 &&
 '''
 rootd_fmt_3 = '''\
-echo >%(rootd_name)s.tal %(rootd_sia)s%(rootd_name)s.cer &&
+echo >%(rootd_name)s.tal %(rootd_sia)sroot.cer &&
 echo >>%(rootd_name)s.tal &&
-%(openssl)s rsa -pubout -in %(rootd_name)s.key | awk '!/-----(BEGIN|END)/' >>%(rootd_name)s.tal &&
-%(openssl)s req -new -sha256 -key %(rootd_name)s.key -out %(rootd_name)s.req -config %(rootd_name)s.conf -text -extensions req_x509_rpki_ext &&
-%(openssl)s x509 -req -sha256 -in %(rootd_name)s.req -out %(rootd_name)s.cer -outform DER -extfile %(rootd_name)s.conf -extensions req_x509_rpki_ext \
- -signkey %(rootd_name)s.key &&
-ln -f %(rootd_name)s.cer %(rsyncd_dir)s
+%(openssl)s rsa -pubout -in root.key | awk '!/-----(BEGIN|END)/' >>%(rootd_name)s.tal &&
+%(openssl)s req -new -sha256 -key root.key -out %(rootd_name)s.req -config %(rootd_name)s.conf -text -extensions req_x509_rpki_ext &&
+%(openssl)s x509 -req -sha256 -in %(rootd_name)s.req -out root.cer -outform DER -extfile %(rootd_name)s.conf -extensions req_x509_rpki_ext \
+ -signkey root.key &&
+ln -f root.cer %(rsyncd_dir)s
 '''
 rcynic_fmt_1 = '''\
@@ -1504,7 +1504,6 @@ use-links = yes
 use-syslog = no
 use-stderr = yes
 log-level = log_debug
-#trust-anchor = %(rootd_name)s.cer
 trust-anchor-locator = %(rootd_name)s.tal
 '''
diff --git a/rpkid/tests/testpoke.py b/rpkid/tests/testpoke.py
index 1f7713a1..ad20992d 100644
--- a/rpkid/tests/testpoke.py
+++ b/rpkid/tests/testpoke.py
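Review bot: In `rootd_fmt_3` the TAL's public-key line comes from `%(openssl)s rsa -pubout -in root.key | awk '!/-----(BEGIN|END)/' >>%(rootd_name)s.tal &&`; the `&&` chain sees only awk's exit status, so if `openssl rsa` fails (missing or unreadable `root.key`) the TAL is written with a URI and no key and the script carries on to sign the certificate, and rcynic later reports an unrelated trust-anchor error. The script is run via `subprocess.check_call(s, shell = True)` under the default shell (see the -1140 hunk), so `set -o pipefail` is not portable; writing the key to a file first avoids the pipe: `%(openssl)s rsa -pubout -in root.key -out root.pub && awk '!/-----(BEGIN|END)/' root.pub >>%(rootd_name)s.tal &&`. The substituted `%(rsyncd_dir)s` in the `ln -f` line is unquoted, so a working directory containing spaces breaks the command; `"%(rsyncd_dir)s"` is cheap insurance.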
@@ -138,10 +138,12 @@ def do_list():
 def do_issue():
 q_pdu = rpki.up_down.issue_pdu()
 req_key = get_PEM("cert-request-key", rpki.x509.RSA, yaml_req) or cms_key
- sia = ((rpki.oids.name2oid["id-ad-caRepository"], ("uri", yaml_req["sia"][0])),
- (rpki.oids.name2oid["id-ad-rpkiManifest"], ("uri", yaml_req["sia"][0] + req_key.gSKI() + ".mft")))
 q_pdu.class_name = yaml_req["class"]
- q_pdu.pkcs10 = rpki.x509.PKCS10.create_ca(req_key, sia)
+ q_pdu.pkcs10 = rpki.x509.PKCS10.create(
+ keypair = req_key,
+ is_ca = True,
+ caRepository = yaml_req["sia"][0],
+ rpkiManifest = yaml_req["sia"][0] + req_key.gSKI() + ".mft")
 query_up_down(q_pdu)
 def do_revoke():
diff --git a/rpkid/tests/yamlconf.py b/rpkid/tests/yamlconf.py
index 2341ac3f..080b3c57 100644
--- a/rpkid/tests/yamlconf.py
+++ b/rpkid/tests/yamlconf.py
@@ -395,19 +395,16 @@ class allocation(object):
 "# Automatically generated, do not edit",
 "port = %d" % self.rsync_port,
 "address = %s" % self.hostname,
- "[rpki]",
 "log file = rsyncd.log",
 "read only = yes",
 "use chroot = no",
+ "[rpki]",
 "path = %s" % self.publication_base_directory,
 "comment = RPKI test"))
 if self.is_root:
 assert self.runs_pubd
 lines.extend((
 "[root]",
- "log file = rsyncd_root.log",
- "read only = yes",
- "use chroot = no",
 "path = %s" % self.publication_root_directory,
 "comment = RPKI test root"))
 if lines:
@@ -460,8 +457,7 @@ class allocation(object):
 root_uri = "rsync://%s/rpki/" % self.rsync_server
- root_sia = ((rpki.oids.name2oid["id-ad-caRepository"], ("uri", root_uri)),
- (rpki.oids.name2oid["id-ad-rpkiManifest"], ("uri", root_uri + "root.mft")))
+ root_sia = (root_uri, root_uri + "root.mft", None)
 root_cert = rpki.x509.X509.self_certify(
 keypair = root_key,
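Review bot: The manifest URI is built as `yaml_req["sia"][0] + req_key.gSKI() + ".mft"`, which relies on `yaml_req["sia"][0]` ending in `/`; if the YAML value lacks the trailing slash the request still carries both access descriptions, but the manifest lands in the parent directory under a name like `rpki<gSKI>.mft`, and the parent will publish under a caRepository that is not a directory URI. A guard before the call makes the precondition explicit: `assert yaml_req["sia"][0].endswith("/"), "sia must be a directory URI"` (this is test tooling, so an assert is acceptable here), or normalize once with `sia_base = yaml_req["sia"][0].rstrip("/") + "/"` and use `sia_base` for both keyword arguments. `do_issue()`'s body lies fully inside the hunk; the `query_up_down()` it calls does not.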
@@ -633,8 +633,7 @@ try:
 root_uri = "rsync://localhost:%d/rpki/" % db.root.pubd.rsync_port
- root_sia = ((rpki.oids.name2oid["id-ad-caRepository"], ("uri", root_uri)),
- (rpki.oids.name2oid["id-ad-rpkiManifest"], ("uri", root_uri + "root.mft")))
+ root_sia = (root_uri, root_uri + "root.mft", None)
 root_cert = rpki.x509.X509.self_certify(
 keypair = root_key, |