Diffstat (limited to 'scripts')
-rw-r--r-- | scripts/rpki/sql.py | 18 | ||||
-rw-r--r-- | scripts/rpki/up_down.py | 12 | ||||
-rw-r--r-- | scripts/rpki/x509.py | 62 |
3 files changed, 58 insertions, 34 deletions
diff --git a/scripts/rpki/sql.py b/scripts/rpki/sql.py
index 7be9b1ab..a6ac4cfd 100644
--- a/scripts/rpki/sql.py
+++ b/scripts/rpki/sql.py
@@ -239,6 +239,24 @@ class ca_obj(sql_persistant):
 """
 raise NotImplementedError, "NIY"
+ def next_serial(self):
+ """Allocate a certificate serial number."""
+ self.last_issued_sn += 1
+ self.sql_mark_dirty()
+ return self.last_issued_sn
+
+ def next_manifest(self):
+ """Allocate a manifest serial number."""
+ self.last_manifest_sn += 1
+ self.sql_mark_dirty()
+ return self.last_manifest_sn
+
+ def next_crl(self):
+ """Allocate a CRL serial number."""
+ self.last_crl_sn += 1
+ self.sql_mark_dirty()
+ return self.last_crl_sn
+
 class ca_detail_obj(sql_persistant):
 """Internal CA detail object."""
diff --git a/scripts/rpki/up_down.py b/scripts/rpki/up_down.py
index 7dcab8ee..91860fba 100644
--- a/scripts/rpki/up_down.py
+++ b/scripts/rpki/up_down.py
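Review bot: next_serial(), next_manifest() and next_crl() bump the counter in memory and only call sql_mark_dirty(), so a number handed out here can be signed into a certificate, manifest or CRL and published before the dirty row is written back; if the process dies in between, the same number is allocated again after restart. RFC 5280 requires serial numbers to be unique per issuer, and a repeated CRL or manifest number defeats the freshness comparison relying parties make, so the counter should reach the database before the object built from it is published (whether sql_persistant offers a synchronous store is not visible in this hunk). At minimum the docstrings should state the contract, e.g. `"""Allocate the next certificate serial number.  The caller must flush this object to the database before publishing the certificate, or the number can be reissued after a crash."""`. The three methods are also copies of each other apart from the attribute name; a private `_next(self, attr)` helper doing `setattr(self, attr, getattr(self, attr) + 1)` plus the dirty-marking would keep that logic in one place. ca_obj's body starts before this hunk and ca_detail_obj continues after it.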
@@ -245,18 +245,18 @@ class issue_pdu(base_elt):
 #
 # Step 2: See whether we can just return the current child cert
 rc_as, rc_v4, rc_v6 = ca_detail.latest_ca_cert.get_3779resources(rpki.left_right.irdb_query(gctx, child.self_id, child.child_id))
- pubkey = self.certificationRequestInfo.subjectPublicKeyInfo.get()
- req_sia = self.pkcs10.get_POWpkix().getExtension(name2oid["subjectInfoAccess"])
+ pubkey = self.pkcs10.getPublicKey()
+ req_sia = self.pkcs10.get_SIA()
 #
 # This next search loop might be an argument for a child_cert.ski column
 for child_cert in rpki.sql.child_cert_obj.sql_fetch_where(gctx, "child_id = %s AND ca_detail_id = %s" % (child.child_id, ca_detail.ca_detail_id)):
- if child_cert.cert.get_POWpkix().tbs.subjectPublicKeyInfo.get() == pubkey:
+ if child_cert.cert.getPublicKey() == pubkey:
 break
 else:
 child_cert = None
 if child_cert is not None and ((rc_as, rc_v4, rc_v6) != child_cert.cert.get_3779resources()):
 child_cert = None
- if child_cert is not None and child_cert.cert.get_POWpkix().getExtension(name2oid["subjectInfoAccess"]) != req_sia:
+ if child_cert is not None and child_cert.cert.get_SIA() != req_sia:
 child_cert = None
 # Do we need to check certificate expiration here too? Maybe we
 # can just trust the cron job that handles renewals for that?
@@ -264,14 +264,12 @@ class issue_pdu(base_elt):
 # Step 3: If we didn't find a reusable cert, generate a new one.
 if child_cert is None:
 # Some of this code probably should become a method of rpki.sql.ca_obj
- ca.last_issued_sn += 1
- ca.sql_mark_dirty()
 child_cert = rpki.sql.child_cert_obj()
 child_cert.child_id = child.child_id
 child_cert.ca_detail_id = ca_detail.ca_detail_id
 child_cert.cert = ca_detail.latest_ca_cert.issue(keypair = ca_detail.private_key_id,
 subject_key = pubkey,
- serial = ca.last_issued_sn,
+ serial = ca.next_serial(),
 aia = ca_detail.ca_cert_uri,
 crldp = ca.sia_uri + ca_detail.latest_ca_cert.gSKI() + ".crl",
 sia = req_sia,
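Review bot: The reuse test `if child_cert.cert.getPublicKey() == pubkey:` now compares two freshly constructed RSApublic objects, and nothing in this change shows DER_object or RSApublic defining __eq__; if they do not, `==` falls back to identity, the loop never matches, and every request from the child mints a new certificate with a fresh serial instead of returning the existing one. Either compare the encodings explicitly, `if child_cert.cert.getPublicKey().get_DER() == pubkey.get_DER():`, or give DER_object an __eq__ based on get_DER(). Both req_sia and pubkey come from the child's PKCS#10, i.e. untrusted input that is copied into the issued certificate further down; it should be clear that check_valid_rpki (outside this hunk) has validated them before the request reaches this point. The enclosing issue_pdu method starts and ends outside the hunk.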
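Review bot: The comment `# Some of this code probably should become a method of rpki.sql.ca_obj` is now stale: the serial-number handling it pointed at is exactly what moved into ca_obj.next_serial(), so either drop it or narrow it to the child_cert_obj construction that remains. `serial = ca.next_serial()` consumes a serial even when the issue() call that follows raises; that is the right trade-off (a gap is harmless, a reuse is not) and deserves a one-line comment so nobody "fixes" it later, e.g. `# The serial is consumed even if issue() fails: gaps are fine, reuse is not.`. The issue() call continues past the end of this hunk.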
diff --git a/scripts/rpki/x509.py b/scripts/rpki/x509.py
index fa4f6cc9..0178a33d 100644
--- a/scripts/rpki/x509.py
+++ b/scripts/rpki/x509.py
@@ -144,6 +144,33 @@ class DER_object(object):
 """
 return base64.b64encode(self.get_SKI()).replace("+", "-").replace("/", "_")
+ def get_AKI(self):
+ """Get the AKI extension from this object. Only works for subclasses that support getExtension()."""
+ return (self.get_POWpkix().getExtension((2, 5, 29, 35)) or ((), 0, None))[2]
+
+ def get_SKI(self):
+ """Get the SKI extension from this object. Only works for subclasses that support getExtension()."""
+ return (self.get_POWpkix().getExtension((2, 5, 29, 14)) or ((), 0, None))[2]
+
+ def get_SIA(self):
+ """Get the SIA extension from this object. Only works for subclasses that support getExtension()."""
+ return (self.get_POWpkix().getExtension((1, 3, 6, 1, 5, 5, 7, 1, 11)) or ((), 0, None))[2]
+
+ def get_AIA(self):
+ """Get the SIA extension from this object. Only works for subclasses that support getExtension()."""
+ return (self.get_POWpkix().getExtension((1, 3, 6, 1, 5, 5, 7, 1, 1)) or ((), 0, None))[2]
+
+ def get_3779resources(self, as_intersector = None, v4_intersector = None, v6_intersector = None):
+ """Get RFC 3779 resources as rpki.resource_set objects. Only works for subclasses that support getExtensions()."""
+ as, v4, v6 = rpki.resource_set.parse_extensions(self.get_POWpkix().getExtensions())
+ if as_intersector is not None:
+ as = as.intersection(as_intersector)
+ if v4_intersector is not None:
+ v4 = v4.intersection(v4_intersector)
+ if v6_intersector is not None:
+ v6 = v6.intersection(v6_intersector)
+ return as, v4, v6
+
 class X509(DER_object):
 """X.509 certificates.
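Review bot: The docstring on the new base-class get_AIA() reads `"""Get the SIA extension from this object. ..."""`, copied from get_SIA(); it should be `"""Get the AIA extension from this object. Only works for subclasses that support getExtension()."""`. All four accessors silently return None when the extension is absent because of the `or ((), 0, None)` fallback; in the RPKI certificate profile SKI, AKI, AIA and SIA are mandatory, so callers that treat the result as a value (gSKI() above, the SIA comparison in up_down.py) fail later and far from the cause — the docstrings should say None means "absent", or the accessors should raise for the certificate subclass. get_3779resources() also binds the name `as`, which is reserved from Python 2.6 onward (a warning in 2.5), so it will need renaming (e.g. `asn`) before the code moves off 2.5. DER_object starts before this hunk and X509's body continues after it.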
@@ -211,32 +238,9 @@ class X509(DER_object):
 """Get the expiration time of this certificate."""
 return POW.pkix.utc2time(self.get_POW().getNotAfter())
- def get_AKI(self):
- """Get the AKI extension from this certificate."""
- return (self.get_POWpkix().getExtension((2, 5, 29, 35)) or ((), 0, None))[2]
-
- def get_SKI(self):
- """Get the SKI extension from this certificate."""
- return (self.get_POWpkix().getExtension((2, 5, 29, 14)) or ((), 0, None))[2]
-
- def get_SIA(self):
- """Get the SIA extension from this certificate."""
- return (self.get_POWpkix().getExtension((1, 3, 6, 1, 5, 5, 7, 1, 11)) or ((), 0, None))[2]
-
- def get_AIA(self):
- """Get the SIA extension from this certificate."""
- return (self.get_POWpkix().getExtension((1, 3, 6, 1, 5, 5, 7, 1, 1)) or ((), 0, None))[2]
-
- def get_3779resources(self, as_intersector = None, v4_intersector = None, v6_intersector = None):
- """Get RFC 3779 resources as rpki.resource_set objects."""
- as, v4, v6 = rpki.resource_set.parse_extensions(self.get_POWpkix().getExtensions())
- if as_intersector is not None:
- as = as.intersection(as_intersector)
- if v4_intersector is not None:
- v4 = v4.intersection(v4_intersector)
- if v6_intersector is not None:
- v6 = v6.intersection(v6_intersector)
- return as, v4, v6
+ def getPublicKey(self):
+ """Extract the public key from this certificate."""
+ return RSApublic(DER = self.get_POWpkix().tbs.subjectPublicKeyInfo.toString())
 def issue(self, keypair, subject_key, serial, sia, aia, crldp, cn = None, notAfter = None, as = None, v4 = None, v6 = None, is_ca = True):
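Review bot: X509.getPublicKey() wraps whatever SubjectPublicKeyInfo the certificate carries in RSApublic without checking that the algorithm identifier is rsaEncryption, so a certificate with another key type is mislabelled rather than rejected (unless RSApublic's constructor checks, which is not visible here). Since RPKI only permits RSA keys, either verify the algorithm OID before wrapping or add a comment stating where that check is done, e.g. `# Assumes the SPKI algorithm is rsaEncryption; callers must have validated the certificate profile.`. Because the wrapper is a fresh object on every call, comparing two results with == (as up_down.py now does) needs an __eq__ on DER_object defined in terms of get_DER(); none is visible in this change. The issue() signature at the end of the hunk continues outside it.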
@@ -261,7 +265,7 @@ class X509(DER_object):
 cert.setSubject(((((2, 5, 4, 3), ("printableString", cn)),),))
 cert.setNotBefore(("UTCTime", POW.pkix.time2utc(now)))
 cert.setNotAfter(("UTCTime", POW.pkix.time2utc(notAfter)))
- cert.tbs.subjectPublicKeyInfo.set(subject_key)
+ cert.tbs.subjectPublicKeyInfo.fromString(subject_key.get_DER())
 exts = [
 ["subjectKeyIdentifier", False, ski],
 ["authorityKeyIdentifier", False, (aki, (), None)],
@@ -380,6 +384,10 @@ class PKCS10(DER_object):
 self.POWpkix = req
 return self.POWpkix
+ def getPublicKey(self):
+ """Extract the public key from this certification request."""
+ return RSApublic(DER = self.get_POWpkix().certificationRequestInfo.subjectPublicKeyInfo.toString())
+
 def check_valid_rpki(self):
 """Check this certification request to see whether it's a valid request for an RPKI certificate. This is broken out of the
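Review bot: `cert.tbs.subjectPublicKeyInfo.fromString(subject_key.get_DER())` quietly changes issue()'s contract: subject_key must now be an RSApublic (or any DER_object with get_DER()) rather than the decoded SubjectPublicKeyInfo that .set() accepted, and any caller outside up_down.py still passing the old form will fail with an AttributeError at signing time. The issue() docstring, which lies outside this hunk, should state the new type, e.g. `subject_key: RSApublic whose DER-encoded SubjectPublicKeyInfo becomes the certificate's public key`. issue() starts and ends outside this hunk.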
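Review bot: PKCS10.getPublicKey() is where the requester's key enters the CA, yet it wraps the SubjectPublicKeyInfo in RSApublic without checking the algorithm identifier, and nothing in the hunk shows the request signature (proof of possession) being verified before the key is used — check_valid_rpki(), which starts on the next line, may do both, but its body is outside this hunk. A sentence on getPublicKey() would make the required order explicit, e.g. `"""Extract the public key from this certification request.  Does not verify the request signature or the key algorithm; callers must run check_valid_rpki() first."""`, or the check should move into this method. The method also duplicates X509.getPublicKey() apart from the path to subjectPublicKeyInfo, which suggests a shared helper on DER_object taking that path.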