From 401bbea99c1ba43ae0987b6346c65293a8efafa0 Mon Sep 17 00:00:00 2001
From: Rob Austein
Date: Thu, 20 Feb 2014 23:03:11 +0000
Subject: Whack RSA-specific code to a more general API using PrivateKey and PublicKey classes, with RSA and ECDSA as subclasses extending PrivateKey. Revised API not necessarily in final form yet, but good enough for smoketest to generate ECDSA keys for testing router certs.
svn path=/branches/tk671/; revision=5679
---
rpkid/tests/yamltest.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'rpkid/tests/yamltest.py')
diff --git a/rpkid/tests/yamltest.py b/rpkid/tests/yamltest.py
index 08da81f3..9131a595 100644
--- a/rpkid/tests/yamltest.py
+++ b/rpkid/tests/yamltest.py
@@ -553,7 +553,7 @@ def create_root_certificate(db_root):
root_cert = rpki.x509.X509.self_certify(
keypair = root_key,
- subject_key = root_key.get_RSApublic(),
+ subject_key = root_key.get_public(),
serial = 1,
sia = root_sia,
notAfter = rpki.sundial.now() + rpki.sundial.timedelta(days = 365),
@@ -569,7 +569,7 @@ def create_root_certificate(db_root):
f = open(os.path.join(test_dir, "root.tal"), "w")
f.write("rsync://localhost:%d/root/root.cer\n\n" % db_root.pubd.rsync_port)
- f.write(root_key.get_RSApublic().get_Base64())
+ f.write(root_key.get_public().get_Base64())
f.close()
-- cgit v1.2.3
From a25c336c1d7752b60a251fcce51f2fbd81d930bf Mon Sep 17 00:00:00 2001
From: Rob Austein
Date: Fri, 21 Feb 2014 02:05:36 +0000
Subject: Add router certificate support to yamltest, rpkic, etc.
svn path=/branches/tk671/; revision=5680
---
rpkid/tests/yamltest.py | 67 +++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 67 insertions(+)
(limited to 'rpkid/tests/yamltest.py')
diff --git a/rpkid/tests/yamltest.py b/rpkid/tests/yamltest.py
index 9131a595..1b52ced6 100644
--- a/rpkid/tests/yamltest.py
+++ b/rpkid/tests/yamltest.py
@@ -46,12 +46,14 @@ import sys
import yaml
import signal
import time
+import lxml.etree
import rpki.resource_set
import rpki.sundial
import rpki.config
import rpki.log
import rpki.csv_utils
import rpki.x509
+import rpki.relaxng
# Nasty regular expressions for parsing config files. Sadly, while
# the Python ConfigParser supports writing config files, it does so in
@@ -109,6 +111,45 @@ class roa_request(object):
"""
return cls(y.get("asn"), y.get("ipv4"), y.get("ipv6"))
+
+class router_cert(object):
+ """
+ Representation for a router_cert object.
+ """
+
+ _ecparams = None
+
+ @classmethod
+ def ecparams(cls):
+ if cls._ecparams is None:
+ cls._ecparams = rpki.x509.KeyParams.generateEC()
+ return cls._ecparams
+
+ def __init__(self, asn, router_id):
+ self.asn = rpki.resource_set.resource_set_as("".join(str(asn).split()))
+ self.router_id = router_id
+ self.keypair = rpki.x509.ECDSA.generate(self.ecparams())
+ self.pkcs10 = rpki.x509.PKCS10.create(
+ keypair = self.keypair,
+ cn = "ROUTER-%d" % self.asn[0].min,
+ sn = self.router_id,
+ eku = (rpki.oids.id_kp_bgpsec_router,))
+ self.gski = self.pkcs10.gSKI()
+
+ def __eq__(self, other):
+ return self.asn == other.asn and self.router_id == other.router_id and self.gski == other.gski
+
+ def __hash__(self):
+ v6 = tuple(self.v6) if self.v6 is not None else None
+ return tuple(self.asn).__hash__() + router_id.__hash__() + self.gski.__hash__()
+
+ def __str__(self):
+ return "%s: %s: %s" % (self.asn, self.router_id, self.gski)
+
+ @classmethod
+ def parse(cls, yaml):
+ return cls(yaml.get("asn"), yaml.get("router_id"))
+
class allocation_db(list):
"""
Our allocation database.
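Review bot: `__hash__` in the new router_cert class begins with `v6 = tuple(self.v6) if self.v6 is not None else None`, but router_cert never sets a `v6` attribute (the line looks carried over from roa_request), so using a router_cert as a set member or dict key raises AttributeError, and the `return` on the next line reads a bare `router_id` that is not bound in the method. The later hunk `@@ -141,7 +139,7 @@` in commit de95fb95 rebinds that name to `self.router_id` but keeps the `v6` line, so the first problem survives the whole series; drop the `v6` line so the body is only `return tuple(self.asn).__hash__() + self.router_id.__hash__() + self.gski.__hash__()`. `__eq__` likewise assumes `other` is a router_cert and raises AttributeError for any other type; returning `NotImplemented` when `not isinstance(other, router_cert)` would make the comparison safe in mixed containers.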
@@ -207,6 +248,7 @@ class allocation(object):
if "regen_margin" in yaml:
self.regen_margin = rpki.sundial.timedelta.parse(yaml["regen_margin"]).convert_to_seconds()
self.roa_requests = [roa_request.parse(y) for y in yaml.get("roa_request", yaml.get("route_origin", ()))]
+ self.router_certs = [router_cert.parse(y) for y in yaml.get("router_cert", ())]
if "ghostbusters" in yaml:
self.ghostbusters = yaml.get("ghostbusters")
elif "ghostbuster" in yaml:
@@ -218,6 +260,8 @@ class allocation(object):
self.base.v4 |= r.v4.to_resource_set()
if r.v6:
self.base.v6 |= r.v6.to_resource_set()
+ for r in self.router_certs:
+ self.base.asn |= r.asn
self.hosted_by = yaml.get("hosted_by")
self.hosts = []
if not self.is_hosted:
@@ -365,6 +409,28 @@ class allocation(object):
if not args.stop_after_config:
self.run_rpkic("load_ghostbuster_requests", fn)
+ def dump_router_certificates(self):
+ """
+ Write EE certificates (router certificates, etc).
+ """
+ if self.router_certs:
+ fn = "%s.routercerts.xml" % d.name
+ if not args.skip_config:
+ path = self.path(fn)
+ print "Writing", path
+ xmlns = "{http://www.hactrn.net/uris/rpki/router-certificate/}"
+ xml = lxml.etree.Element(xmlns + "router_certificate_requests", version = "1")
+ for r in self.router_certs:
+ x = lxml.etree.SubElement(xml, xmlns + "router_certificate_request",
+ router_id = str(r.router_id),
+ asn = str(r.asn),
+ valid_until = str(self.resources.valid_until))
+ x.text = r.pkcs10.get_Base64()
+ rpki.relaxng.router_certificate.assertValid(xml)
+ lxml.etree.ElementTree(xml).write(path, pretty_print = True)
+ if not args.stop_after_config:
+ self.run_rpkic("add_router_certificate_request", fn)
+
@property
def pubd(self):
"""
@@ -761,6 +827,7 @@ try:
d.dump_prefixes()
d.dump_roas()
d.dump_ghostbusters()
+ d.dump_router_certificates()
# Wait until something terminates.
-- cgit v1.2.3
From de95fb9525bf5f1ced2fb90924b31b78494e1e87 Mon Sep 17 00:00:00 2001
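Review bot: `fn = "%s.routercerts.xml" % d.name` in dump_router_certificates names the output file after the module-level loop variable `d` instead of the instance the method runs on; it only works because the main loop in the last hunk happens to call `d.dump_router_certificates()` on that same object, and from any other caller it would silently write the file under a different allocation's name. Use `fn = "%s.routercerts.xml" % self.name`, matching `self.path(fn)` and `self.router_certs` in the same method. The docstring says "Write EE certificates" but the method only emits base64 PKCS #10 requests inside router_certificate_request elements and does not write the private half of `r.keypair` anywhere, so a docstring along the lines of "Write the router certificate requests (one PKCS #10 per router_cert) as XML; the generated private keys stay in memory" would describe what actually reaches disk. The enclosing class allocation starts and ends outside the hunk.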
From: Rob Austein
Date: Tue, 25 Feb 2014 20:46:05 +0000
Subject: Something broke MySQLdb on my laptop during a recent upgrade, and I have better things to do than shaving that particular yak today. So I'm committing untested changes (to a development branch that nobody but me is using) so I can test them on a working development platform.
svn path=/branches/tk671/; revision=5682
---
rpkid/tests/yamltest.py | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
(limited to 'rpkid/tests/yamltest.py')
diff --git a/rpkid/tests/yamltest.py b/rpkid/tests/yamltest.py
index 1b52ced6..9525a048 100644
--- a/rpkid/tests/yamltest.py
+++ b/rpkid/tests/yamltest.py
@@ -131,8 +131,6 @@ class router_cert(object):
self.keypair = rpki.x509.ECDSA.generate(self.ecparams())
self.pkcs10 = rpki.x509.PKCS10.create(
keypair = self.keypair,
- cn = "ROUTER-%d" % self.asn[0].min,
- sn = self.router_id,
eku = (rpki.oids.id_kp_bgpsec_router,))
self.gski = self.pkcs10.gSKI()
@@ -141,7 +139,7 @@ class router_cert(object):
def __hash__(self):
v6 = tuple(self.v6) if self.v6 is not None else None
- return tuple(self.asn).__hash__() + router_id.__hash__() + self.gski.__hash__()
+ return tuple(self.asn).__hash__() + self.router_id.__hash__() + self.gski.__hash__()
def __str__(self):
return "%s: %s: %s" % (self.asn, self.router_id, self.gski)
-- cgit v1.2.3
From ce5fd146cb746836c46c7f1ab435ec7d3d49af4f Mon Sep 17 00:00:00 2001
From: Rob Austein
Date: Tue, 25 Feb 2014 23:04:11 +0000
Subject: Router certificates working again after changes to get subject name out of the PKCS !#10.
svn path=/branches/tk671/; revision=5683
---
rpkid/tests/yamltest.py | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
(limited to 'rpkid/tests/yamltest.py')
diff --git a/rpkid/tests/yamltest.py b/rpkid/tests/yamltest.py
index 9525a048..5eb3bd2f 100644
--- a/rpkid/tests/yamltest.py
+++ b/rpkid/tests/yamltest.py
@@ -129,9 +129,7 @@ class router_cert(object):
self.asn = rpki.resource_set.resource_set_as("".join(str(asn).split()))
self.router_id = router_id
self.keypair = rpki.x509.ECDSA.generate(self.ecparams())
- self.pkcs10 = rpki.x509.PKCS10.create(
- keypair = self.keypair,
- eku = (rpki.oids.id_kp_bgpsec_router,))
+ self.pkcs10 = rpki.x509.PKCS10.create(keypair = self.keypair)
self.gski = self.pkcs10.gSKI()
def __eq__(self, other):
-- cgit v1.2.3
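Review bot: The rewritten `self.pkcs10 = rpki.x509.PKCS10.create(keypair = self.keypair)` drops the `eku = (rpki.oids.id_kp_bgpsec_router,)` argument together with the subject-name fields, while the commit message only explains moving the subject name out of the PKCS #10. If the issuing side now adds the BGPsec router EKU itself this is fine, but nothing in this file checks it, and router certificates minted from a request without it would presumably lack the id-kp-bgpsec-router usage the router certificate profile calls for. A one-line comment recording the contract, `# Subject name and EKU are supplied by the issuer; the PKCS #10 only carries the key`, would keep the next reader from re-adding them here. The `def __init__` line itself is above the hunk.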