Age | Commit message | Author |
|
The ROA update and generate methods were parsing the ipv4 and ipv6
instance variables as if they were resource sets, rather than ROA
prefix sets. This works as expected when max-length is not being
used, but when max-length is used, parsing does not succeed and ROAs
cannot be generated or updated. Parsing each variable as if it's a
ROA prefix set, and then converting the result to a resource set,
appears to fix the problem.
Signed-off-by: Rob Austein <sra@hactrn.net>
|
|
|
|
for XML. Apparently we were carefully changing just the XML files to
use a single "-" to work around this. Enough already, just convert
all copyright year ranges to single "-" and have done with this.
svn path=/branches/tk705/; revision=6427
|
|
svn path=/branches/tk705/; revision=6426
|
|
since copyright holder of record changed.
svn path=/branches/tk705/; revision=6425
|
|
svn path=/branches/tk705/; revision=6421
|
|
.up_down_query() must handle errors signaled by .up_down_query_root() correctly.
svn path=/branches/tk705/; revision=6383
|
|
"Try adding .all(), idiot."
svn path=/branches/tk705/; revision=6381
|
|
svn path=/branches/tk705/; revision=6379
|
|
worker CA and going straight from the root to certifying children,
which is wrong. However...this is far enough along that we can now
remove all the rootd glorp, which is a worthwhile simplification in
its own right, so checkpoint here, remove rootd glorp, then figure out
what's wrong with the internal certificate hierarchy.
rcynic does validate the current output, given a manually constructed
TAL, even if the current output isn't quite what it should be. So we
should also be able to sort out the new TAL generation code now.
Yes, checking in a version that works for the wrong reasons is weird,
but the current sort-of-broken state lets us confirm that the lower
levels of the tree are still correct as we go, which would be much
harder if the poor thing just sat there and whimpered until we had
the new internal CA code completely finished.
svn path=/branches/tk705/; revision=6376
|
|
the companion Root object.
svn path=/branches/tk705/; revision=6374
|
|
svn path=/branches/tk705/; revision=6373
|
|
subelements in left-right responses, so we don't have to duplicate the
mechanism used for BSC <pkcs10_request/> subelements when handling
Parent <rpki_root_cert/> subelements.
svn path=/branches/tk705/; revision=6372
|
|
left-right schema. Not really using any of this stuff yet, but haven't
broken existing code yet either.
svn path=/branches/tk705/; revision=6371
|
|
Parents do, because Roots will be uniquely named by reference to their
associated Parent. So move the handle back to Parent.
svn path=/branches/tk705/; revision=6370
|
|
svn path=/branches/tk705/; revision=6369
|
|
Parent model into base Turtle model and derived Parent model.
svn path=/branches/tk705/; revision=6367
|
|
svn path=/branches/tk705/; revision=6296
|
|
svn path=/branches/tk705/; revision=6289
|
|
both this and certificate serial number allocation under a lock, but
doing so would require converting a lot of plain methods into
coroutines, so postpone that decision until we're done with revisions
to the task scheduler.
svn path=/branches/tk705/; revision=6288
|
|
certificate, to make certain that it is not later than manifest
thisUpdate value.
svn path=/branches/tk705/; revision=6286
|
|
svn path=/branches/tk705/; revision=6275
|
|
from having SIA extensions, unlike all other RPKI certificates which
are required to have them.
Start moving RPKI conformance checks which can be performed in Python
out of POW.c, tag a bunch more for consideration.
svn path=/branches/tk705/; revision=6204
|
|
Regenerate EE certificates along with everything else when activating
a new CADetail (ie, when rolling a CA key).
svn path=/branches/tk705/; revision=6172
|
|
hacks: in practice, we always bypassed it (except when we forgot...).
Make sure we revoke and withdraw the old certs and objects for ROAs
and Ghostbusters rather than the new ones during forced reissue.
svn path=/branches/tk705/; revision=6171
|
|
.publish_world_now() to something a little less whacky. Consolidate
fix for singleton URIs in SIA fields.
svn path=/branches/tk705/; revision=6170
|
|
Tweak publication callback mechanism to use uri instead of tag.
svn path=/branches/tk705/; revision=6169
|
|
svn path=/branches/tk705/; revision=6168
|
|
svn path=/branches/tk705/; revision=6166
|
|
rpkid_task code. Combine and simplify CRL and manifest generation.
svn path=/branches/tk705/; revision=6164
|
|
understands Django's exotic metaclasses, which in turn allows us to
re-enable a number of pylint checks we had disabled. While we were at
this, stripped out a bunch of old pylint pragmas, then added back the
subset that were really needed. As usual with pylint, this turned up
a few real bugs along with an awful lot of noise.
svn path=/branches/tk705/; revision=6162
|
|
sequence trace code to rpki.rpkidb.models to assist in simplifying
some of the gratuitously complicated method call chains. Various
trivial PyLint cleanups.
svn path=/branches/tk705/; revision=6161
|
|
or commenting conventions should be shot. If it so happens that it is
inconvenient to shoot him, then he is to be politely requested to recode
his program in adherence to the above standard."
-- Michael Spier, Digital Equipment Corporation
svn path=/branches/tk705/; revision=6152
|
|
operations, so simplify code and schema by removing gratuitous
transformations to and from binary format.
svn path=/branches/tk705/; revision=6150
|
|
backend. Switch yamltest's default database configuration to sqlite3.
MySQL still has character set issues, which are almost certainly to do
with the communication channel rather than the database tables. It's
possible that one of the newer DB API drivers for MySQL fixes this,
might be worth trying one of them at some point (see the "MySQL notes"
discussion of MySQL DB API drivers in the Django documentation).
svn path=/branches/tk705/; revision=6149
|
|
up-down protocol specification and, more importantly, avoid spurious
CMS Replay errors.
svn path=/branches/tk705/; revision=6144
|
|
UTF-8 whining on what are supposed to be binary fields that's probably
the result of a MySQL upgrade, and CMS Replay exceptions due to the
pseudo-random order in which HTTP client connections run in Tornado.
The UTF-8 mess is probably a good reason to change over to Django's
native binary field type, which we were going to want to do anyway.
The CMS Replay problem is not Tornado's fault: we probably would have
seen it in the old code were it not for an accidental side effect of a
long-since-abandoned attempt to use persistent HTTP connections. The
fix is probably to serialize requests to a particular host using a
tornado.queue.Queue() object, or something like that.
svn path=/branches/tk705/; revision=6143
|
|
were ordinary functions. May want some kind of naming scheme or other
convention to make it easier to avoid this sort of thing.
svn path=/branches/tk705/; revision=6142
|
|
quite working perfectly yet (cron is a bit wonky) but manages to
produce an initial set of ROAs without throwing any exceptions, and
code is already much cleaner than the old callback-based horror.
svn path=/branches/tk705/; revision=6139
|
|
bad choice for something implemented in Python, holdover from an older
specification, but Django ORM's troubles with "self" as a keyword
argument were the last straw. Enough already. Backwards
compatibility should be a straightforward data migration.
svn path=/branches/tk705/; revision=6134
|
|
Django ORM. Duct tape and baling wire everywhere, much clean-up left
to do, but basic "make yamltest" suite runs. Much of the clean-up
isn't worth doing until after revamping the I/O system, as it'll all
change again at that point anyway.
svn path=/branches/tk705/; revision=6127
|
|
svn path=/branches/tk705/; revision=6123
|
|
svn path=/branches/tk705/; revision=6122
|
|
left-right protocol and irdb and rpkidb models.
Not fully working yet, RRDP URI isn't yet showing up everywhere it
should, but this is probably more an indication that the previous hack
was incomplete than that the replacement broke something.
svn path=/branches/tk705/; revision=6120
|
|
svn path=/branches/tk705/; revision=6116
|
|
svn path=/branches/tk705/; revision=6115
|
|
svn path=/branches/tk705/; revision=6114
|
|
svn path=/branches/tk705/; revision=6113
|
|
svn path=/branches/tk705/; revision=6112
|
|
XML-related voodoo for models exposed in the left-right protocol.
svn path=/branches/tk705/; revision=6110
|