5 files changed, 36 insertions, 15 deletions

diff --git a/scripts/rpki/left_right.py b/scripts/rpki/left_right.py
index 62db4c60..dedab062 100644
--- a/scripts/rpki/left_right.py
+++ b/scripts/rpki/left_right.py
@@ -3,7 +3,7 @@
 """RPKI "left-right" protocol."""
 
 import base64, lxml.etree, time
-import rpki.sax_utils, rpki.resource_set, rpki.x509, rpki.sql, rpki.exceptions, rpki.pkcs10, rpki.https, rpki.up_down, rpki.relaxng
+import rpki.sax_utils, rpki.resource_set, rpki.x509, rpki.sql, rpki.exceptions, rpki.https, rpki.up_down, rpki.relaxng
 
 xmlns = "http://www.hactrn.net/uris/rpki/left-right-spec/"
 
@@ -284,11 +284,11 @@ class bsc_elt(data_elt):
       # Hard wire 2048-bit RSA with SHA-256 in schema for now.
       # Assume no HSM for now.
       #
-      keypair = rpki.x509.RSA_Keypair()
+      keypair = rpki.x509.RSA()
       keypair.generate(2048)
       self.private_key_id = keypair.get_DER()
       self.public_key = keypair.get_public_DER()
-      r_pdu.pkcs10_cert_request = rpki.pkcs10.make_request(keypair)
+      r_pdu.pkcs10_cert_request = rpki.x509.PKCS10.create(keypair)
 
   def startElement(self, stack, name, attrs):
     """Handle <bsc/> element."""
diff --git a/scripts/rpki/pkcs10.py b/scripts/rpki/pkcs10.py
index 4d77c442..6404870a 100644
--- a/scripts/rpki/pkcs10.py
+++ b/scripts/rpki/pkcs10.py
@@ -1,5 +1,13 @@
 # $Id$
 
+"""Old code to generate PKCS #10 certification requests.
+
+This has been replaced by direct support for PKCS #10 in my hacked
+version of the POW package.  This module will go away eventually, I'm
+just keeping it around in case I discover some horrible bug in the new
+code that would make me want to fall back to this.
+"""
+
 import POW, rpki.x509, os, rpki.exceptions, binascii
 
 req_fmt = '''
diff --git a/scripts/rpki/sql.py b/scripts/rpki/sql.py
index e05fda80..27f77498 100644
--- a/scripts/rpki/sql.py
+++ b/scripts/rpki/sql.py
@@ -230,10 +230,10 @@ class ca_detail_obj(sql_persistant):
 
   def sql_decode(self, vals):
     sql_persistant.sql_decode(self, vals)
-    self.private_key_id = rpki.x509.RSA_Keypair(DER = self.private_key_id)
+    self.private_key_id = rpki.x509.RSA(DER = self.private_key_id)
     assert self.public_key is None or self.private_key_id.get_public_DER() == self.public_key
     self.latest_ca_cert = rpki.x509.X509(DER = self.latest_ca_cert)
-    self.manifest_private_key_id = rpki.x509.RSA_Keypair(DER = self.manifest_private_key_id)
+    self.manifest_private_key_id = rpki.x509.RSA(DER = self.manifest_private_key_id)
     assert self.manifest_public_key is None or self.manifest_private_key_id.get_public_DER() == self.manifest_public_key
     self.manifest_cert = rpki.x509.X509(DER = self.manifest_cert)
     raise NotImplementedError, "Still have to handle manifest and CRL"
diff --git a/scripts/rpki/up_down.py b/scripts/rpki/up_down.py
index 5b3ec841..c7cbb6ce 100644
--- a/scripts/rpki/up_down.py
+++ b/scripts/rpki/up_down.py
@@ -305,7 +305,7 @@ class issue_pdu(base_elt):
       ca_detail = rpki.sql.ca_detail_obj.create(gctx, ca)
     self = cls()
     self.class_name = ca.parent_resource_class
-    self.pkcs10 = rpki.x509.PKCS10.create(ca_detail.private_key_id, sia)
+    self.pkcs10 = rpki.x509.PKCS10.create_ca(ca_detail.private_key_id, sia)
     return parent.query_up_down(gctx, self)
 
 class issue_response_pdu(class_response_syntax):
diff --git a/scripts/rpki/x509.py b/scripts/rpki/x509.py
index 6a030490..9589388f 100644
--- a/scripts/rpki/x509.py
+++ b/scripts/rpki/x509.py
@@ -418,20 +418,28 @@ class PKCS10(DER_object):
     assert "subjectInfoAccess" in req_exts, "Can't (yet) handle PKCS #10 without an SIA extension"
 
   @classmethod
-  def create(cls, keypair, sia):
+  def create_ca(cls, keypair, sia = None):
     """Create a new request for a given keypair, including given SIA value."""
-    req = POW.pkix.CertificationRequest()
-    req.version.set(0)
     exts = [ ("basicConstraints",  True,  (1, None)),
-             ("keyUsage",          True,  (0, 0, 0, 0, 0, 1, 1)),
-             ("subjectInfoAccess", False, sia) ]
+             ("keyUsage",          True,  (0, 0, 0, 0, 0, 1, 1)) ]
+    if sia is not None:
+      exts.append(("subjectInfoAccess", False, sia))
     for x in exts:
       x[0] = POW.pkix.obj2oid(x[0])
-    req.setExtension(exts)
-    req.sign(keypair)
+    return cls.create(keypair, exts)
+
+  @classmethod
+  def create(cls, keypair, exts = None):
+    """Create a new request for a given keypair, including given SIA value."""
+    req = POW.pkix.CertificationRequest()
+    req.certificationRequestInfo.version.set(0)
+    req.certificationRequestInfo.subject.set((((POW.pkix.obj2oid("commonName"), ("printableString", "".join(("%02X" % ord(i) for i in keypair.get_SKI())))),),))
+    if exts is not None:
+      req.setExtension(exts)
+    req.sign(keypair.get_POW(), POW.SHA256_DIGEST)
     return cls(POWpkix = req)
 
-class RSA_Keypair(DER_object):
+class RSA(DER_object):
   """Class to hold an RSA key pair."""
 
   formats = ("DER", "POW", "tlslite")
@@ -458,13 +466,18 @@ class RSA_Keypair(DER_object):
       self.tlslite = tlslite.api.parsePEMKey(self.get_PEM(), private=True)
     return self.tlslite
 
-  def generate(self, keylength):
+  def generate(self, keylength = 2048):
     self.clear()
     self.set(POW=POW.Asymmetric(POW.RSA_CIPHER, keylength))
 
   def get_public_DER(self):
     return self.get_POW().derWrite(POW.RSA_PUBLIC_KEY)
 
+  def get_SKI(self):
+    d = POW.Digest(POW.SHA1_DIGEST)
+    d.update(self.get_public_DER())
+    return d.digest()
+
 class Manifest(DER_object):
   """Class to hold a signed manifest."""