From 784b20d33070a8450b23d846a0d936a356646739 Mon Sep 17 00:00:00 2001 From: Rob Austein Date: Sat, 23 Apr 2016 15:03:37 +0000 Subject: Internal root sort of working, but only sort of. It's skipping the worker CA and going straight from the root to certifying children, which is wrong. However...this is far enough along that we can now remove all the rootd glorp, which is a worthwhile simplification in its own right, so checkpoint here, remove rootd glorp, then figure out what's wrong with the internal certificate hierarchy. rcynic does validate the current output, given a manually constructed TAL, even if the current output isn't quite what it should be. So we should also be able to sort out the new TAL generation code now. Yes, checking in a version that works for the wrong reasons is weird, but the current sort-of-broken state lets us confirm that the lower levels of the tree are still correct as we go, which would be much harder if the poor thing just sat there and whimpered until we had the new internal CA code completely finished. svn path=/branches/tk705/; revision=6376 --- rpki/irdb/migrations/0002_root.py | 31 +++++++-------- rpki/irdb/models.py | 19 ++-------- rpki/irdb/zookeeper.py | 80 +++++++++++++++++++++------------------ 3 files changed, 59 insertions(+), 71 deletions(-) (limited to 'rpki/irdb') diff --git a/rpki/irdb/migrations/0002_root.py b/rpki/irdb/migrations/0002_root.py index 73c08dde..6bdc060e 100644 --- a/rpki/irdb/migrations/0002_root.py +++ b/rpki/irdb/migrations/0002_root.py @@ -2,8 +2,6 @@ from __future__ import unicode_literals from django.db import migrations, models -import rpki.irdb.models -import rpki.fields class Migration(migrations.Migration): @@ -13,22 +11,19 @@ class Migration(migrations.Migration): ] operations = [ - migrations.CreateModel( - name='Root', - fields=[ - ('turtle_ptr', models.OneToOneField(parent_link=True, auto_created=True, primary_key=True, serialize=False, to='irdb.Turtle')), - ('certificate', rpki.fields.CertificateField()), - ('handle', rpki.irdb.models.HandleField(max_length=120)), - ('ta', rpki.fields.CertificateField()), - ('asn_resources', models.TextField()), - ('ipv4_resources', models.TextField()), - ('ipv6_resources', models.TextField()), - ('issuer', models.OneToOneField(related_name='root', to='irdb.ResourceHolderCA')), - ], - bases=('irdb.turtle', models.Model), + migrations.AddField( + model_name='parent', + name='asn_resources', + field=models.TextField(blank=True), ), - migrations.AlterUniqueTogether( - name='root', - unique_together=set([('issuer', 'handle')]), + migrations.AddField( + model_name='parent', + name='ipv4_resources', + field=models.TextField(blank=True), + ), + migrations.AddField( + model_name='parent', + name='ipv6_resources', + field=models.TextField(blank=True), ), ] diff --git a/rpki/irdb/models.py b/rpki/irdb/models.py index dc3723d8..ab81aa84 100644 --- a/rpki/irdb/models.py +++ b/rpki/irdb/models.py @@ -452,27 +452,14 @@ class Parent(CrossCertification, Turtle): repository_type = EnumField(choices = ("none", "offer", "referral")) referrer = HandleField(null = True, blank = True) referral_authorization = SignedReferralField(null = True, blank = True) + asn_resources = django.db.models.TextField(blank = True) # root only + ipv4_resources = django.db.models.TextField(blank = True) # root only + ipv6_resources = django.db.models.TextField(blank = True) # root only # This shouldn't be necessary class Meta: unique_together = ("issuer", "handle") -class Root(CrossCertification, Turtle): - # - # This is sort of a cross between a Rootd and a Parent with extra - # fields for the root resources. As with Parent, the private key - # comes from a BSC rather than from a server EE cert as with - # Rootd, so this looks looks to us like a cross certification (of - # ourself). We may want to revisit this. - # - issuer = django.db.models.OneToOneField(ResourceHolderCA, related_name = "root") - asn_resources = django.db.models.TextField() - ipv4_resources = django.db.models.TextField() - ipv6_resources = django.db.models.TextField() - - class Meta: - unique_together = ("issuer", "handle") - class ROARequest(django.db.models.Model): issuer = django.db.models.ForeignKey(ResourceHolderCA, related_name = "roa_requests") asn = django.db.models.BigIntegerField() diff --git a/rpki/irdb/zookeeper.py b/rpki/irdb/zookeeper.py index 7446e7c7..1f6fb6c2 100644 --- a/rpki/irdb/zookeeper.py +++ b/rpki/irdb/zookeeper.py @@ -368,34 +368,23 @@ class Zookeeper(object): def configure_root(self, handle, resources): # XXX This should be some other exception, not an assertion - assert self.run_rpkid and self.run_pubd and self.run_rootd + assert self.run_rpkid and self.run_pubd - rpki.irdb.models.Rootd.objects.get_or_certify( - issuer = self.resource_ca, - service_uri = "http://localhost:%s/" % self.cfg.get("rootd_server_port", - section = myrpki_section)) + if not handle: + handle = self.handle - rpki.irdb.models.Root.objects.get_or_certify( - handle = handle or self.handle, - issuer = self.resource_ca, - ta = self.resource_ca.certificate, - asn_resources = str(resources.asn), - ipv4_resources = str(resources.v4), - ipv6_resources = str(resources.v6)) + parent = rpki.irdb.models.Parent.objects.get_or_certify( + issuer = self.resource_ca, + handle = handle, + parent_handle = handle, + child_handle = handle, + ta = self.resource_ca.certificate, + repository_type = "none", + asn_resources = str(resources.asn), + ipv4_resources = str(resources.v4), + ipv6_resources = str(resources.v6))[0] - return self.generate_root_repository_offer() - - - def generate_root_repository_offer(self): - """ - Generate repository offer for rootd. Split out of - configure_rootd() because that's easier for the GUI. - """ - - e = Element(tag_oob_publisher_request, nsmap = oob_nsmap, version = oob_version, - publisher_handle = self.handle) - B64Element(e, tag_oob_publisher_bpki_ta, self.resource_ca.certificate) - return etree_wrapper(e, msg = 'This is the "repository offer" file for you to use if you want to publish in your own repository') + return self.generate_repository_request(parent) def write_bpki_files(self): @@ -1341,7 +1330,9 @@ class Zookeeper(object): # might make a case for a day instead, but we've been running with # six hours for a while now and haven't seen a lot of whining. - tenant_crl_interval = self.cfg.getint("tenant_crl_interval", 6 * 60 * 60, section = myrpki_section) + tenant_crl_interval = self.cfg.getint("tenant_crl_interval", + 6 * 60 * 60, + section = myrpki_section) # regen_margin now just controls how long before RPKI certificate # expiration we should regenerate; it used to control the interval @@ -1353,7 +1344,9 @@ class Zookeeper(object): # that this will regenerate certificates just *before* the # companion cron job warns of impending doom. - tenant_regen_margin = self.cfg.getint("tenant_regen_margin", 14 * 24 * 60 * 60 + 2 * 60, section = myrpki_section) + tenant_regen_margin = self.cfg.getint("tenant_regen_margin", + 14 * 24 * 60 * 60 + 2 * 60, + section = myrpki_section) # See what rpkid already has on file for this entity. @@ -1390,7 +1383,8 @@ class Zookeeper(object): if (tenant_pdu is None or tenant_pdu.get("crl_interval") != str(tenant_crl_interval) or tenant_pdu.get("regen_margin") != str(tenant_regen_margin) or - tenant_pdu.findtext(rpki.left_right.tag_bpki_cert, "").decode("base64") != tenant_cert.certificate.get_DER()): + tenant_pdu.findtext(rpki.left_right.tag_bpki_cert, + "").decode("base64") != tenant_cert.certificate.get_DER()): q_pdu = SubElement(q_msg, rpki.left_right.tag_tenant, action = "create" if tenant_pdu is None else "set", tag = "tenant", @@ -1422,7 +1416,8 @@ class Zookeeper(object): # can finish setting up the BSC before anything tries to use it. if len(q_msg) > 0: - SubElement(q_msg, rpki.left_right.tag_bsc, action = "list", tag = "bsc", tenant_handle = ca.handle) + SubElement(q_msg, rpki.left_right.tag_bsc, + action = "list", tag = "bsc", tenant_handle = ca.handle) r_msg = self.call_rpkid(q_msg) bsc_pdus = dict((r_pdu.get("bsc_handle"), r_pdu) for r_pdu in r_msg.getiterator(rpki.left_right.tag_bsc) @@ -1439,8 +1434,10 @@ class Zookeeper(object): handle = bsc_handle, pkcs10 = rpki.x509.PKCS10(Base64 = bsc_pkcs10.text))[0] - if (bsc_pdu.findtext(rpki.left_right.tag_signing_cert, "").decode("base64") != bsc.certificate.get_DER() or - bsc_pdu.findtext(rpki.left_right.tag_signing_cert_crl, "").decode("base64") != ca.latest_crl.get_DER()): + if (bsc_pdu.findtext(rpki.left_right.tag_signing_cert, + "").decode("base64") != bsc.certificate.get_DER() or + bsc_pdu.findtext(rpki.left_right.tag_signing_cert_crl, + "").decode("base64") != ca.latest_crl.get_DER()): q_pdu = SubElement(q_msg, rpki.left_right.tag_bsc, action = "set", tag = "bsc", @@ -1463,7 +1460,8 @@ class Zookeeper(object): repository_pdu.get("bsc_handle") != bsc_handle or repository_pdu.get("peer_contact_uri") != repository.service_uri or repository_pdu.get("rrdp_notification_uri") != repository.rrdp_notification_uri or - repository_pdu.findtext(rpki.left_right.tag_bpki_cert, "").decode("base64") != repository.certificate.get_DER()): + repository_pdu.findtext(rpki.left_right.tag_bpki_cert, + "").decode("base64") != repository.certificate.get_DER()): q_pdu = SubElement(q_msg, rpki.left_right.tag_repository, action = "create" if repository_pdu is None else "set", tag = repository.handle, @@ -1473,7 +1471,8 @@ class Zookeeper(object): peer_contact_uri = repository.service_uri) if repository.rrdp_notification_uri: q_pdu.set("rrdp_notification_uri", repository.rrdp_notification_uri) - SubElement(q_pdu, rpki.left_right.tag_bpki_cert).text = repository.certificate.get_Base64() + SubElement(q_pdu, + rpki.left_right.tag_bpki_cert).text = repository.certificate.get_Base64() for repository_handle in repository_pdus: SubElement(q_msg, rpki.left_right.tag_repository, action = "destroy", @@ -1499,7 +1498,11 @@ class Zookeeper(object): parent_pdu.get("sia_base") != parent.repository.sia_base or parent_pdu.get("sender_name") != parent.child_handle or parent_pdu.get("recipient_name") != parent.parent_handle or - parent_pdu.findtext(rpki.left_right.tag_bpki_cert, "").decode("base64") != parent.certificate.get_DER()): + parent_pdu.get("root_asn_resources", "") != parent.asn_resources or + parent_pdu.get("root_ipv4_resources", "") != parent.ipv4_resources or + parent_pdu.get("root_ipv6_resources", "") != parent.ipv6_resources or + parent_pdu.findtext(rpki.left_right.tag_bpki_cert, + "").decode("base64") != parent.certificate.get_DER()): q_pdu = SubElement(q_msg, rpki.left_right.tag_parent, action = "create" if parent_pdu is None else "set", tag = parent.handle, @@ -1510,14 +1513,17 @@ class Zookeeper(object): peer_contact_uri = parent.service_uri, sia_base = parent.repository.sia_base, sender_name = parent.child_handle, - recipient_name = parent.parent_handle) - SubElement(q_pdu, rpki.left_right.tag_bpki_cert).text = parent.certificate.get_Base64() + recipient_name = parent.parent_handle, + root_asn_resources = parent.asn_resources, + root_ipv4_resources = parent.ipv4_resources, + root_ipv6_resources = parent.ipv6_resources) + SubElement(q_pdu, + rpki.left_right.tag_bpki_cert).text = parent.certificate.get_Base64() except rpki.irdb.models.Repository.DoesNotExist: pass try: - parent_pdu = parent_pdus.pop(ca.handle, None) if (parent_pdu is None or -- cgit v1.2.3