From 43948f0e75b25feb7b70e09369c0d20859395fcb Mon Sep 17 00:00:00 2001
From: Rob Austein <sra@hactrn.net>
Date: Wed, 14 Nov 2007 04:17:16 +0000
Subject: Make valid_until mandatory in left-right protocol, and reflect
 resulting validity interval in generated certs.

svn path=/scripts/biz-certs/Bob-CA.srl; revision=1287
---
 scripts/biz-certs/Bob-CA.srl  |  2 +-
 scripts/left-right-schema.rnc |  2 +-
 scripts/left-right-schema.rng | 12 +++++-------
 scripts/rpki/left_right.py    |  8 ++++++--
 scripts/rpki/relaxng.py       | 14 ++++++--------
 scripts/rpki/resource_set.py  |  3 ++-
 scripts/rpki/sql.py           | 17 +++++++++++------
 scripts/rpki/sundial.py       |  4 ++--
 scripts/rpki/up_down.py       | 18 ++++++++++++------
 scripts/rpki/x509.py          | 18 +++++++++++-------
 scripts/testroot.py           |  7 ++++++-
 11 files changed, 63 insertions(+), 42 deletions(-)

(limited to 'scripts')

diff --git a/scripts/biz-certs/Bob-CA.srl b/scripts/biz-certs/Bob-CA.srl
index e5ce762b..f06575a7 100644
--- a/scripts/biz-certs/Bob-CA.srl
+++ b/scripts/biz-certs/Bob-CA.srl
@@ -1 +1 @@
-90801F1ED19454A7
+90801F1ED19454AB
diff --git a/scripts/left-right-schema.rnc b/scripts/left-right-schema.rnc
index b25ebc09..813c1710 100644
--- a/scripts/left-right-schema.rnc
+++ b/scripts/left-right-schema.rnc
@@ -186,7 +186,7 @@ ro_elt |= element route_origin { ctl_dr, self_id, ro_id }
 list_resources_elt = element list_resources {
   ( attribute type { "query" }, self_id, child_id ) |
   ( attribute type { "reply" }, self_id, child_id,
-    attribute valid_until { xsd:token { maxLength="1024" } }?,
+    attribute valid_until { xsd:token { maxLength="1024" } },
     attribute subject_name { xsd:token { maxLength="1024" } }?,
     attribute as { xsd:token { maxLength="1024" } }?,
     attribute ipv4 { xsd:token { maxLength="1024" } }?,
diff --git a/scripts/left-right-schema.rng b/scripts/left-right-schema.rng
index b33c8e28..e431da7d 100644
--- a/scripts/left-right-schema.rng
+++ b/scripts/left-right-schema.rng
@@ -855,13 +855,11 @@
           </attribute>
           <ref name="self_id"/>
           <ref name="child_id"/>
-          <optional>
-            <attribute name="valid_until">
-              <data type="token">
-                <param name="maxLength">1024</param>
-              </data>
-            </attribute>
-          </optional>
+          <attribute name="valid_until">
+            <data type="token">
+              <param name="maxLength">1024</param>
+            </data>
+          </attribute>
           <optional>
             <attribute name="subject_name">
               <data type="token">
diff --git a/scripts/rpki/left_right.py b/scripts/rpki/left_right.py
index e1fcf4a1..c4abffa9 100644
--- a/scripts/rpki/left_right.py
+++ b/scripts/rpki/left_right.py
@@ -448,7 +448,10 @@ class parent_elt(data_elt):
                               url = self.peer_contact_uri)
     r_elt = rpki.cms.xml_verify(r_cms, self.cms_ta)
     rpki.relaxng.up_down.assertValid(r_elt)
-    return rpki.up_down.sax_handler.saxify(r_elt)
+    r_msg = rpki.up_down.sax_handler.saxify(r_elt)
+    r_msg.payload.check_response()
+    return r_msg
+
 
 class child_elt(data_elt):
   """<child/> element."""
@@ -759,4 +762,5 @@ def irdb_query(gctx, self_id, child_id = None):
     raise rpki.exceptions.BadIRDBReply, "Unexpected response to IRDB query: %s" % r_msg.toXML()
   return rpki.resource_set.resource_bag(r_msg[0].as,
                                         r_msg[0].ipv4,
-                                        r_msg[0].ipv6)
+                                        r_msg[0].ipv6,
+                                        r_msg[0].valid_until)
diff --git a/scripts/rpki/relaxng.py b/scripts/rpki/relaxng.py
index 3f479ef6..6e0946a3 100644
--- a/scripts/rpki/relaxng.py
+++ b/scripts/rpki/relaxng.py
@@ -6,7 +6,7 @@ import lxml.etree
 ## Parsed RelaxNG left_right schema
 left_right = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" encoding="UTF-8"?>
 <!--
-  $Id: left-right-schema.rng 1262 2007-11-07 05:06:24Z sra $
+  $Id: left-right-schema.rnc 1262 2007-11-07 05:06:24Z sra $
   
   RelaxNG (Compact Syntax) Schema for RPKI left-right protocol.
   
@@ -861,13 +861,11 @@ left_right = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" enc
           </attribute>
           <ref name="self_id"/>
           <ref name="child_id"/>
-          <optional>
-            <attribute name="valid_until">
-              <data type="token">
-                <param name="maxLength">1024</param>
-              </data>
-            </attribute>
-          </optional>
+          <attribute name="valid_until">
+            <data type="token">
+              <param name="maxLength">1024</param>
+            </data>
+          </attribute>
           <optional>
             <attribute name="subject_name">
               <data type="token">
diff --git a/scripts/rpki/resource_set.py b/scripts/rpki/resource_set.py
index d42fc808..a98824b8 100644
--- a/scripts/rpki/resource_set.py
+++ b/scripts/rpki/resource_set.py
@@ -384,10 +384,11 @@ class resource_bag(object):
   IPv4, and IPv6 resource sets.
   """
 
-  def __init__(self, as = None, v4 = None, v6 = None):
+  def __init__(self, as = None, v4 = None, v6 = None, valid_until = None):
     self.as = as or resource_set_as()
     self.v4 = v4 or resource_set_ipv4()
     self.v6 = v6 or resource_set_ipv6()
+    self.valid_until = valid_until
 
   def oversized(self, other):
     """True iff self is oversized with respect to other."""
diff --git a/scripts/rpki/sql.py b/scripts/rpki/sql.py
index ea3e74e4..88ba39d8 100644
--- a/scripts/rpki/sql.py
+++ b/scripts/rpki/sql.py
@@ -256,7 +256,6 @@ class ca_obj(sql_persistant):
     self.sia_uri = self.construct_sia_uri(gctx, parent, rc)
     ca_detail = ca_detail_obj.create(gctx, self)
     issue_response = rpki.up_down.issue_pdu.query(gctx, parent, self, ca_detail)
-    issue_response.payload.check_syntax()
     ca_detail.latest_ca_cert = issue_response.payload.classes[0].certs[0].cert
     ca_detail.ca_cert_uri = issue_response.payload.classes[0].certs[0].cert_url.rsync()
     ca_detail.generate_manifest_cert(self)
@@ -357,14 +356,17 @@ class ca_detail_obj(sql_persistant):
     """
     if undersized:
       issue_response = rpki.up_down.issue_pdu.query(gctx, parent, ca, self)
-      issue_response.check_syntax()
       self.latest_ca_cert = issue_response.classes[0].certs[0].cert
       current_resources = self.latest_ca_cert.get_3779resources()
     if oversized or sia_uri_changed:
       for child_cert in child_cert_obj.sql_fetch_where(gctx, "ca_detail_id = %s" % self.ca_detail_id):
         child_resources = child_cert.cert.get_3779resources()
         if sia_uri_changed or child_resources.oversized(current_resources):
-          child_cert.reissue(gctx, self, child_resources.intersection(current_resources), ca.sia_uri)
+          child_cert.reissue(gctx = gctx,
+                             ca_detail = self,
+                             resources = child_resources.intersection(current_resources),
+                             sia = ca.sia_uri,
+                             valid_until = child_resources.valid_until)
 
   @classmethod
   def create(cls, gctx, ca):
@@ -398,9 +400,10 @@ class ca_detail_obj(sql_persistant):
                                                           aia = self.ca_cert_uri,
                                                           crldp = ca.sia_uri + self.latest_ca_cert.gSKI() + ".crl",
                                                           resources = resources,
+                                                          notAfter = self.latest_ca_cert.getNotAfter(),
                                                           is_ca = False)
 
-  def issue(self, gctx, ca, child, subject_key, sia, resources, child_cert = None):
+  def issue(self, gctx, ca, child, subject_key, sia, resources, valid_until, child_cert = None):
     """Issue a new certificate to a child.  Optional child_cert
     argument specifies an existing child_cert object to update in
     place; if not specified, we create a new one.  Returns the
@@ -415,7 +418,8 @@ class ca_detail_obj(sql_persistant):
                                      aia = self.ca_cert_uri,
                                      crldp = ca.sia_uri + self.latest_ca_cert.gSKI() + ".crl",
                                      sia = sia,
-                                     resources = resources)
+                                     resources = resources,
+                                     notAfter = valid_until)
 
     if child_cert is None:
       child_cert = rpki.sql.child_cert_obj(child_id = child.child_id,
@@ -512,7 +516,7 @@ class child_cert_obj(sql_persistant):
     d["cert"] = self.cert.get_DER()
     return d
 
-  def reissue(self, gctx, ca_detail, resources, sia):
+  def reissue(self, gctx, ca_detail, resources, sia, valid_until):
     """Reissue an existing child_cert_obj, reusing the public key."""
 
     # if sia is None: sia = self.cert.get_SIA()
@@ -523,6 +527,7 @@ class child_cert_obj(sql_persistant):
                            subject_key = self.cert.getPublicKey(),
                            sia = sia,
                            resources = resources,
+                           notAfter = valid_until,
                            child_cert = self)
 
   def revoke(self):
diff --git a/scripts/rpki/sundial.py b/scripts/rpki/sundial.py
index 2360732d..d656ca16 100644
--- a/scripts/rpki/sundial.py
+++ b/scripts/rpki/sundial.py
@@ -42,9 +42,9 @@ class datetime(pydatetime.datetime):
     """Convert from ASN.1 tuple representation."""
     assert isinstance(x, tuple) and len(x) == 2 and x[0] in ("utcTime", "generalTime")
     if x[0] == "utcTime":
-      return cls.fromUTCTime(x)
+      return cls.fromUTCTime(x[1])
     else:
-      return cls.fromGeneralizedTime(x)
+      return cls.fromGeneralizedTime(x[1])
 
   ## @var PKIX_threshhold
   # Threshold specified in RFC 3280 for switchover from UTCTime to GeneralizedTime.
diff --git a/scripts/rpki/up_down.py b/scripts/rpki/up_down.py
index 1710b30f..7f127971 100644
--- a/scripts/rpki/up_down.py
+++ b/scripts/rpki/up_down.py
@@ -50,6 +50,10 @@ class base_elt(object):
     """Default PDU handler to catch unexpected types."""
     raise rpki.exceptions.BadQuery, "Unexpected query type %s" % q_msg.type
 
+  def check_response(self):
+    """Placeholder for response checking."""
+    pass
+
 class multi_uri(list):
   """Container for a set of URIs."""
 
@@ -270,12 +274,14 @@ class issue_pdu(base_elt):
                                    child = child,
                                    subject_key = req_key,
                                    sia = req_sia,
-                                   resources = resources)
+                                   resources = resources,
+                                   valid_until = irdb_resources.valid_until)
     elif resources != child_cert.cert.get_3779resources() or child_cert.cert.get_SIA() != req_sia:
       child_cert = child_cert.reissue(gctx = gctx,
                                       ca_detail = ca_detail,
                                       sia = req_sia,
-                                      resources = resources)
+                                      resources = resources,
+                                      valid_until = irdb_resources.valid_until)
 
     # Save anything we modified and generate response
     rpki.sql.sql_sweep(gctx)
@@ -306,7 +312,7 @@ class issue_pdu(base_elt):
 class issue_response_pdu(class_response_syntax):
   """Up-Down protocol "issue_response" PDU."""
 
-  def check_syntax(self):
+  def check_response(self):
     """Check whether this looks like a reasonable issue_response PDU.
     XML schema should be tighter for this response.
     """
@@ -416,9 +422,9 @@ class error_response_pdu(base_elt):
       payload.append(elt)
     return payload
 
-  def check_syntax(self):
-    """Handle an error response.  For the moment, just raise an
-    exception, eventually figure out something more clever to do.
+  def check_response(self):
+    """Handle an error response.  For now, just raise an exception,
+    perhaps figure out something more clever to do later.
     """
     raise rpki.exceptions.UpstreamError, self.codes[self.status]
 
diff --git a/scripts/rpki/x509.py b/scripts/rpki/x509.py
index 44c2a168..e5539d83 100644
--- a/scripts/rpki/x509.py
+++ b/scripts/rpki/x509.py
@@ -167,7 +167,12 @@ class DER_object(object):
     """Get RFC 3779 resources as rpki.resource_set objects.
     Only works for subclasses that support getExtensions().
     """
-    return rpki.resource_set.resource_bag.from_asn1_tuples(self.get_POWpkix().getExtensions())
+    resources = rpki.resource_set.resource_bag.from_asn1_tuples(self.get_POWpkix().getExtensions())
+    try:
+      resources.valid_until = self.getNotAfter()
+    except AttributeError:
+      pass
+    return resources
 
 class X509(DER_object):
   """X.509 certificates.
@@ -230,11 +235,11 @@ class X509(DER_object):
 
   def getNotBefore(self):
     """Get the inception time of this certificate."""
-    return POW.pkix.utc2time(self.get_POW().getNotBefore())
+    return rpki.sundial.datetime.fromASN1tuple(self.get_POWpkix().tbs.validity.notBefore.get())
 
   def getNotAfter(self):
     """Get the expiration time of this certificate."""
-    return POW.pkix.utc2time(self.get_POW().getNotAfter())
+    return rpki.sundial.datetime.fromASN1tuple(self.get_POWpkix().tbs.validity.notAfter.get())
 
   def getSerial(self):
     """Get the serial number of this certificate."""
@@ -244,8 +249,8 @@ class X509(DER_object):
     """Extract the public key from this certificate."""
     return RSApublic(DER = self.get_POWpkix().tbs.subjectPublicKeyInfo.toString())
 
-  def issue(self, keypair, subject_key, serial, sia, aia, crldp,
-            cn = None, notAfter = None, resources = None, is_ca = True):
+  def issue(self, keypair, subject_key, serial, sia, aia, crldp, notAfter,
+            cn = None, resources = None, is_ca = True):
     """Issue a certificate."""
 
     now = rpki.sundial.datetime.utcnow()
@@ -255,8 +260,7 @@ class X509(DER_object):
     if cn is None:
       cn = "".join(("%02X" % ord(i) for i in ski))
 
-    if notAfter is None:
-      notAfter = now + rpki.sundial.timedelta(days = 30)
+    # if notAfter is None: notAfter = now + rpki.sundial.timedelta(days = 30)
 
     cert = POW.pkix.Certificate()
     cert.setVersion(2)
diff --git a/scripts/testroot.py b/scripts/testroot.py
index 762a1757..f92cd24a 100755
--- a/scripts/testroot.py
+++ b/scripts/testroot.py
@@ -13,11 +13,15 @@ Default configuration file is testroot.conf, override with --config option.
 import traceback, os, time, getopt, sys, lxml
 import rpki.resource_set, rpki.up_down, rpki.left_right, rpki.x509
 import rpki.https, rpki.config, rpki.cms, rpki.exceptions, rpki.relaxng
+import rpki.sundial
 
 root_name = "wombat"
 root_base = "rsync://" + root_name + ".invalid/"
 root_cert = root_base + "testroot.cer"
 
+rpki_subject_lifetime = rpki.sundial.timedelta(days = 30)
+
+
 def get_subject_cert():
   try:
     x = rpki.x509.X509(Auto_file = rpki_subject_filename)
@@ -71,7 +75,8 @@ class issue_pdu(rpki.up_down.issue_pdu):
                                          sia = req_sia,
                                          aia = root_cert,
                                          crldp = crldp,
-                                         resources = resources))
+                                         resources = resources,
+                                         notAfter = rpki.sundial.datetime.utcnow() + rpki_subject_lifetime))
     compose_response(r_msg)
 
 class revoke_pdu(rpki.up_down.revoke_pdu):
-- 
cgit v1.2.3