From ce5fd146cb746836c46c7f1ab435ec7d3d49af4f Mon Sep 17 00:00:00 2001
From: Rob Austein
Date: Tue, 25 Feb 2014 23:04:11 +0000
Subject: Router certificates working again after changes to get subject name out of the PKCS !#10.
svn path=/branches/tk671/; revision=5683
---
 rpkid/rpki/irdb/models.py | 4 ++--
 rpkid/rpki/relaxng.py | 45 +++++++++++++++++++++++++++------------------
 rpkid/rpki/rpkid.py | 2 +-
 rpkid/rpki/rpkid_tasks.py | 4 +---
 rpkid/rpki/x509.py | 25 ++++++++++++++++++-------
 5 files changed, 49 insertions(+), 31 deletions(-)
(limited to 'rpkid/rpki')
diff --git a/rpkid/rpki/irdb/models.py b/rpkid/rpki/irdb/models.py
index 7a3c8521..1ad9b4e3 100644
--- a/rpkid/rpki/irdb/models.py
+++ b/rpkid/rpki/irdb/models.py
@@ -583,8 +583,8 @@ class EECertificateRequest(ResourceSet):
 issuer = django.db.models.ForeignKey(ResourceHolderCA, related_name = "ee_certificate_requests")
 pkcs10 = PKCS10Field()
 gski = django.db.models.CharField(max_length = 27)
- cn = django.db-models.CharField(max_length = 64)
- sn = django.db-models.CharField(max_length = 64)
+ cn = django.db.models.CharField(max_length = 64)
+ sn = django.db.models.CharField(max_length = 64)
 eku = django.db.models.TextField(null = True)
 
 def _select_resource_bag(self):
diff --git a/rpkid/rpki/relaxng.py b/rpkid/rpki/relaxng.py
index 9162fdfa..714a7b28 100644
--- a/rpkid/rpki/relaxng.py
+++ b/rpkid/rpki/relaxng.py
@@ -6,7 +6,7 @@ import lxml.etree ## Parsed RelaxNG left_right schema left_right = lxml.etree.RelaxNG(lxml.etree.fromstring(r'''
@@ -238,13 +238,6 @@ left_right = lxml.etree.RelaxNG(lxml.etree.fromstring(r'''[\-,0-9/:a-fA-F]* - - - - 512000 - [.0-9,]* - -
@@ -989,7 +982,7 @@ left_right = lxml.etree.RelaxNG(lxml.etree.fromstring(r''' 64 - [\-0-9A-Za-z_ ]* + [\-0-9A-Za-z_ ]+
@@ -997,7 +990,15 @@ left_right = lxml.etree.RelaxNG(lxml.etree.fromstring(r''' 64 - [0-9A-Fa-f]* + [0-9A-Fa-f]+ + + + + + + + 512000 + [.,0-9]+
@@ -1102,6 +1103,8 @@ left_right = lxml.etree.RelaxNG(lxml.etree.fromstring(r''' ''')) 
@@ -1488,7 +1491,7 @@ publication = lxml.etree.RelaxNG(lxml.etree.fromstring(r''' 255 - [\-_A-Za-z0-9/]* + [\-_A-Za-z0-9/]+ '''))
@@ -1990,13 +1995,13 @@ myrpki = lxml.etree.RelaxNG(lxml.etree.fromstring(r''' 255 - [\-_A-Za-z0-9]* + [\-_A-Za-z0-9]+ 255 - [\-_A-Za-z0-9/]* + [\-_A-Za-z0-9/]+
@@ -2010,19 +2015,19 @@ myrpki = lxml.etree.RelaxNG(lxml.etree.fromstring(r''' 512000 - [\-,0-9]* + [\-,0-9]+ 512000 - [\-,0-9/.]* + [\-,0-9/.]+ 512000 - [\-,0-9/:a-fA-F]* + [\-,0-9/:a-fA-F]+
@@ -2325,6 +2330,8 @@ myrpki = lxml.etree.RelaxNG(lxml.etree.fromstring(r''' '''))
@@ -2376,7 +2383,7 @@ router_certificate = lxml.etree.RelaxNG(lxml.etree.fromstring(r''' 512000 - [\-,0-9]* + [0-9][\-,0-9]*
@@ -2428,6 +2435,8 @@ router_certificate = lxml.etree.RelaxNG(lxml.etree.fromstring(r''' '''))
diff --git a/rpkid/rpki/rpkid.py b/rpkid/rpki/rpkid.py
index 9b83cc59..9fd73067 100644
--- a/rpkid/rpki/rpkid.py
+++ b/rpkid/rpki/rpkid.py
@@ -2369,7 +2369,7 @@ class ee_cert_obj(rpki.sql.sql_persistent):
 self.cert = ca_detail.issue_ee(
 ca = ca_detail.ca,
 subject_key = self.cert.getPublicKey(),
- eku = self.cert.getEKU(),
+ eku = self.cert.get_EKU(),
 sia = None,
 resources = resources,
 notAfter = resources.valid_until,
diff --git a/rpkid/rpki/rpkid_tasks.py b/rpkid/rpki/rpkid_tasks.py
index fe08b7cc..1811967b 100644
--- a/rpkid/rpki/rpkid_tasks.py
+++ b/rpkid/rpki/rpkid_tasks.py
@@ -624,13 +624,11 @@ class UpdateEECertificatesTask(AbstractTask):
 rpki.log.debug("Existing EE certificate for %s %s is no longer covered" % (req.gski, resources))
 ee.revoke(publisher = publisher)
 
- eku = (rpki.oids.id_kp_bgpsec_router,) if req.router_id else None
-
 for ca_detail in covering:
 rpki.log.debug("No existing EE certificate for %s %s" % (req.gski, resources))
 rpki.rpkid.ee_cert_obj.create(
 ca_detail = ca_detail,
- subject_name = rpki.x509.X501DN.from_cn(req.cn, req.dn),
+ subject_name = rpki.x509.X501DN.from_cn(req.cn, req.sn),
 subject_key = req.pkcs10.getPublicKey(),
 resources = resources,
 publisher = publisher,
diff --git a/rpkid/rpki/x509.py b/rpkid/rpki/x509.py
index 5cb5efd6..fb1a5a2b 100644
--- a/rpkid/rpki/x509.py
+++ b/rpkid/rpki/x509.py
@@ -133,10 +133,14 @@ class X501DN(object):
 @classmethod
 def from_cn(cls, cn, sn = None):
 assert isinstance(cn, (str, unicode))
- assert sn is None or isinstance(sn, (int, long)) or (isinstance(sn, (str, unicode)) and sn.isdigit())
+ if isinstance(sn, (int, long)):
+ sn = "%08X" % sn
+ elif isinstance(sn, (str, unicode)):
+ assert all(c in "0123456789abcdefABCDEF" for c in sn)
+ sn = str(sn)
 self = cls()
 if sn is not None:
- self.dn = (((rpki.oids.commonName, cn),), ((rpki.oids.serialNumber, str(sn)),))
+ self.dn = (((rpki.oids.commonName, cn),), ((rpki.oids.serialNumber, sn),))
 else:
 self.dn = (((rpki.oids.commonName, cn),),)
 return self
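Review bot: The removed local `eku` (formerly derived from `req.router_id`) was presumably still consumed by the `ee_cert_obj.create(...)` call, whose remaining keyword arguments lie below the hunk; if an `eku = eku` argument survives there, the task now fails with NameError on the first router-certificate request. Assuming the intent is to take the EKU from the request instead, that argument should read `eku = req.eku,` (EECertificateRequest in models.py already carries an `eku` field), or be dropped if `create()` now derives it itself. Also, `req.sn` now reaches `X501DN.from_cn`, which asserts a hex-only string, while the IRDB model stores `sn` as an unvalidated 64-character CharField, so the left-right schema pattern is the only check between a malformed serial and an AssertionError inside this task. The enclosing method continues beyond the hunk.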
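Review bot: In `from_cn`, an empty string serial now passes validation: `all(...)` over `""` is vacuously true, so `sn = ""` yields a DN with an empty serialNumber attribute, whereas the old `sn.isdigit()` check rejected it. Tighten the string branch to `assert sn and all(c in "0123456789abcdefABCDEF" for c in sn)`, and note that a negative int goes through `"%08X" % sn` as `-0000001`, which the string branch would refuse. Since these asserts vanish under `python -O` and the value originates from operator-supplied request data, raising a `rpki.exceptions` error would be more robust than `assert`.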
@@ -391,18 +395,22 @@ class DER_object(object):
 
 def get_AKI(self):
 """
- Get the AKI extension from this object. Only works for subclasses
- that support getExtension().
+ Get the AKI extension from this object, if supported.
 """
 return self.get_POW().getAKI()
 
 def get_SKI(self):
 """
- Get the SKI extension from this object. Only works for subclasses
- that support getExtension().
+ Get the SKI extension from this object, if supported.
 """
 return self.get_POW().getSKI()
 
+ def get_EKU(self):
+ """
+ Get the Extended Key Usage extension from this object, if supported.
+ """
+ return self.get_POW().getEKU()
+
 def get_SIA(self):
 """
 Get the SIA extension from this object. Only works for subclasses
@@ -1053,7 +1061,10 @@ class PKCS10(DER_object):
 if alg != rpki.oids.ecdsa_with_SHA256:
 raise rpki.exceptions.BadPKCS10("PKCS #10 has bad signature algorithm for router: %s" % alg)
 
- if eku is None or rpki.oids.id_kp_bgpsec_router not in eku:
+ # Not really clear to me whether PKCS #10 should have EKU or not, so allow
+ # either, but insist that it be the right one if present.
+
+ if eku is not None and rpki.oids.id_kp_bgpsec_router not in eku:
 raise rpki.exceptions.BadPKCS10("PKCS #10 router must have EKU")
-- cgit v1.2.3
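Review bot: The new `get_EKU` docstring, like the rewritten `get_AKI` and `get_SKI` ones, no longer says what the caller gets back when the extension is absent or the subclass does not support it. Judging from the `PKCS10` hunk further down, `getEKU()` appears to return `None` when there is no EKU and otherwise a container of OIDs that supports `in`; if that is right, state it: `Returns None when the object carries no EKU extension, otherwise the key-purpose OIDs it contains.` The same return-value sentence would help the AKI and SKI docstrings, whose "if supported" wording is vaguer than the text it replaces.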
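Review bot: The BadPKCS10 message `"PKCS #10 router must have EKU"` no longer matches its condition: after this change the branch fires only when an EKU is present but lacks id-kp-bgpsec-router, so a request with no EKU is accepted and one with the wrong EKU gets a misleading error. Reword it to `raise rpki.exceptions.BadPKCS10("PKCS #10 router EKU must include id-kp-bgpsec-router")`. Separately, an EKU that carries the router OID alongside other key purposes still passes; if the request's EKU is ever propagated into the issued certificate (rpkid.py in this commit reissues with `self.cert.get_EKU()`), consider requiring it to be exactly that one OID. The hunk's trailing context lines seem to have been lost in this rendering, and the enclosing method continues outside it.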