authorRob Austein <sra@hactrn.net>2009-07-02 23:52:03 +0000
committerRob Austein <sra@hactrn.net>2009-07-02 23:52:03 +0000
commit203fe4fc3104a6476ec2bfd359b87c51429f4c10 (patch)
tree06f599f1d487dad3bb9411f74ea38a04d61d39e8
parent09173e924750b4d29b445bf332d15e1fbd4cf29d (diff)
Checkpoint. Most of the BPKI setup stuff now in place.
svn path=/myrpki/Makefile; revision=2563
-rw-r--r--myrpki/Makefile4
-rw-r--r--myrpki/myirbe.py18
-rw-r--r--myrpki/myrpki.conf9
-rw-r--r--myrpki/myrpki.py87
4 files changed, 58 insertions, 60 deletions
diff --git a/myrpki/Makefile b/myrpki/Makefile
index d8d30598..bcadc044 100644
--- a/myrpki/Makefile
+++ b/myrpki/Makefile
@@ -3,7 +3,7 @@
all:: relatives
all:: myrpki.xml
all:: lint
-all:: parse
+#all:: parse
all:: load
myrpki.xml: myrpki.py asns.csv prefixes.csv roas.csv validity.csv
@@ -22,7 +22,7 @@ load: myrpki.xml myrpki.rng
python myirbe.py
clean:
- rm -rf *.xml *.pem bpki
+ rm -rf *.xml bpki bpki.myrpki bpki.rpkid bpki.pubd bpki.rootd
relatives: mom.pem dad.pem bro.pem sis.pem
diff --git a/myrpki/myirbe.py b/myrpki/myirbe.py
index 921f4cb2..0cca8d16 100644
--- a/myrpki/myirbe.py
+++ b/myrpki/myirbe.py
@@ -47,10 +47,6 @@ if argv:
cfg = rpki.config.parser(cfg_file, "myirbe")
-startup_msg = cfg.get("startup-message", "")
-if startup_msg:
- rpki.log.info(startup_msg)
-
tree = lxml.etree.parse("myrpki.xml").getroot()
rng.assertValid(tree)
@@ -118,6 +114,20 @@ for x in tree.getiterator(tag("child")):
db.commit()
db.close()
+bpki_rpkid = myrpki.CA(cfg_file, cfg.get("rpkid_ca_directory"), cfg.get("rpkid_ca_certificate"))
+bpki_rpkid.setup("/CN=RPKID TEST TA")
+for name in ("rpkid", "irdbd", "irbe_cli"):
+ bpki_rpkid.ee("/CN=%s EE" % name, name)
+
+bpki_pubd = myrpki.CA(cfg_file, cfg.get("pubd_ca_directory"), cfg.get("pubd_ca_certificate"))
+bpki_pubd.setup("/CN=PUBD TEST TA")
+for name in ("pubd", "irbe_cli"):
+ bpki_rpkid.ee("/CN=%s EE" % name, name)
+
+bpki_rootd = myrpki.CA(cfg_file, cfg.get("rootd_ca_directory"), cfg.get("rootd_ca_certificate"))
+bpki_rootd.setup("/CN=ROOTD TEST TA")
+bpki_rpkid.ee("/CN=rootd EE", "rootd")
+
rpkid_pdus = [
rpki.left_right.self_elt.make_pdu( action = "get", self_handle = my_handle),
rpki.left_right.bsc_elt.make_pdu( action = "list", self_handle = my_handle),
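Review bot: The EE certificates for the pubd side and for rootd are issued by the wrong CA: the loop under `bpki_pubd` and the rootd line both call `bpki_rpkid.ee(...)`, so `bpki_pubd` and `bpki_rootd` are set up as trust anchors but never issue anything, and the pubd and rootd EEs chain to the RPKID TA instead of their own TA. The second `irbe_cli` call is also a silent no-op, because `ee` and `run_req` skip work when the rpkid-side key, request and certificate files already exist, so a verifier configured with the PUBD TA will have nothing that validates. The fix is `bpki_pubd.ee("/CN=%s EE" % name, name)` in the pubd loop and `bpki_rootd.ee("/CN=rootd EE", "rootd")` for rootd. The `rpkid_pdus` list that follows continues outside the hunk.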
diff --git a/myrpki/myrpki.conf b/myrpki/myrpki.conf
index 796c5d3c..51c5d931 100644
--- a/myrpki/myrpki.conf
+++ b/myrpki/myrpki.conf
@@ -1,24 +1,21 @@
# $Id$
#
-
# Config file for myrpi.py; note that this is also read by the OpenSSL
# command line tool running under mypki.py, so syntax must remain
# OpenSSL-compatible and portions of this are OpenSSL voodoo.
[myrpki]
-
handle = wombat
roa_csv = roas.csv
children_csv = children.csv
parents_csv = parents.csv
prefix_csv = prefixes.csv
asn_csv = asns.csv
+xml_filename = myrpki.xml
bpki_ca_directory = bpki
bpki_ca_certificate = bpki/ca.cer
-xml_filename = myrpki.xml
-
[constants]
digest = sha256
key_length = 2048
@@ -33,9 +30,9 @@ prompt = no
encrypt_key = no
[req_dn]
-CN = ${myrpki::handle}
+CN = Dummy name for certificate request
-[ca_x509_ext_bsc]
+[ca_x509_ext_ee]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
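Review bot: `CN = Dummy name for certificate request` has no explanation, and a reader of this file cannot tell that the value never reaches a certificate: myrpki.py now passes `-subj` to `openssl ca` in both `setup` and `ee`, which supersedes the subject carried in the request. A comment above the line would stop someone from "fixing" it back to the handle: `# Placeholder only: myrpki.py supplies the real subject via openssl ca -subj.` The renamed `[ca_x509_ext_ee]` section is also now shared by the BSC issuance path in myrpki.py, which a one-line note here would make visible as well.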
diff --git a/myrpki/myrpki.py b/myrpki/myrpki.py
index 43f66328..ed46b84b 100644
--- a/myrpki/myrpki.py
+++ b/myrpki/myrpki.py
@@ -199,7 +199,7 @@ def PEMElement(e, tag, filename):
class CA(object):
- debug = False
+ debug = True
def __init__(self, cfg, dir, cer):
self.cfg = cfg
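Review bot: `debug = True` becomes the default for every `CA` instance, and together with the unconditional `-verbose` that `run_ca` now adds this makes the tool print every openssl command line and its environment on each run; the commit message calls this a checkpoint, so it reads as a leftover rather than an intended default. I would keep the class default at `debug = False` and have the caller enable it, e.g. `bpki.debug = True` from the test driver, so production use stays quiet. `__init__` continues outside the hunk.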
@@ -212,52 +212,53 @@ class CA(object):
self.serial = dir + "/serial"
self.crlnum = dir + "/crl_number"
- def run_ca(self, *args, **env):
- cmd = ("openssl", "ca", "-notext", "-batch", "-config", self.cfg) + args
- env = env.copy()
- if "PATH" in os.environ:
- env["PATH"] = os.environ["PATH"]
+ self.env = { "PATH" : os.environ["PATH"], "BPKI_DIRECTORY" : dir }
+
+ def run_ca(self, *args):
+ cmd = ("openssl", "ca", "-notext", "-verbose", "-batch", "-config", self.cfg) + args
if self.debug:
print "cmd: %r" % (cmd,)
- print "env: %r" % (env,)
- subprocess.check_call(cmd, env = env)
+ print "env: %r" % (self.env,)
+ subprocess.check_call(cmd, env = self.env)
+
+ def run_req(self, key_file, req_file):
+ if not os.path.exists(key_file) or not os.path.exists(req_file):
+ subprocess.check_call(("openssl", "req", "-new", "-sha256", "-newkey", "rsa:2048",
+ "-config", self.cfg, "-keyout", key_file, "-out", req_file),
+ env = self.env)
+
+ @staticmethod
+ def touch_file(filename, content = None):
+ if not os.path.exists(filename):
+ f = open(filename, "w")
+ if content is not None:
+ f.write(content)
+ f.close()
- def setup(self):
+ def setup(self, ta_name):
if not os.path.exists(self.dir):
os.makedirs(self.dir)
- if not os.path.exists(self.index):
- f = open(self.index, "w")
- f.close()
+ self.touch_file(self.index)
+ self.touch_file(self.serial, "01\n")
+ self.touch_file(self.crlnum, "01\n")
- if not os.path.exists(self.serial):
- f = open(self.serial, "w")
- f.write("01\n")
- f.close()
-
- if not os.path.exists(self.crlnum):
- f = open(self.crlnum, "w")
- f.write("01\n")
- f.close()
-
- if not os.path.exists(self.key) or not os.path.exists(self.req):
- subprocess.check_call(("openssl", "req", "-new",
- #"-verbose",
- "-sha256", "-newkey", "rsa:2048",
- "-config", self.cfg,
- "-keyout", self.key,
- "-out", self.req))
+ self.run_req(key_file = self.key, req_file = self.req)
if not os.path.exists(self.cer):
- self.run_ca("-selfsign", "-extensions", "ca_x509_ext_ca", "-in", self.req, "-out", self.cer)
+ self.run_ca("-selfsign", "-extensions", "ca_x509_ext_ca", "-subj", ta_name, "-in", self.req, "-out", self.cer)
if not os.path.exists(self.crl):
- subprocess.check_call(("openssl", "ca", "-batch", "-batch", "-notext",
- #"-verbose",
- "-config", self.cfg,
- "-gencrl",
- "-out", self.crl))
+ self.run_ca("-gencrl", "-out", self.crl)
+
+ def ee(self, ee_name, base_name):
+ key_file = "%s/%s.key" % (self.dir, base_name)
+ req_file = "%s/%s.req" % (self.dir, base_name)
+ cer_file = "%s/%s.cer" % (self.dir, base_name)
+ self.run_req(key_file = key_file, req_file = req_file)
+ if not os.path.exists(cer_file):
+ self.run_ca("-extensions", "ca_x509_ext_ee", "-subj", ee_name, "-in", req_file, "-out", cer_file)
def bsc(self, e, pkcs10):
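Review bot: `run_req` writes each private key to `key_file` unencrypted (myrpki.conf sets `encrypt_key = no`) and `setup` creates the BPKI directory with `os.makedirs(self.dir)` at the default mode, so the TA and EE keys are protected only by the caller's umask unless the installed openssl tightens `-keyout` permissions itself. I would create the directory with `os.makedirs(self.dir, 0700)` and add `os.chmod(key_file, 0600)` after the `openssl req` call in `run_req`. A second caveat in `run_req`: the `or` condition regenerates the key whenever only the `.req` file is missing, silently replacing a key that may already have a certificate in `self.dir`; checking key and request separately, or refusing to overwrite an existing key, would be safer. `__init__` starts before this hunk and `bsc` continues after it.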
@@ -279,12 +280,7 @@ class CA(object):
if p.wait() != 0:
raise RuntimeError, "Couldn't save PKCS #10 in PEM format"
- subprocess.check_call(("openssl", "ca", "-batch", "-notext",
- #"-verbose",
- "-extensions", "ca_x509_ext_bsc",
- "-config", self.cfg,
- "-in", req_file,
- "-out", cer_file))
+ self.run_ca("-extensions", "ca_x509_ext_ee", "-in", req_file, "-out", cer_file)
PEMElement(e, "bpki_bsc_certificate", cer_file)
PEMElement(e, "bpki_bsc_pkcs10", req_file)
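Review bot: The BSC certificate is issued from the caller-supplied `pkcs10` without `-subj`, so whatever subject the requester put in the request is accepted (subject only to the `policy` section of the OpenSSL config, which is not visible here), while `setup` and `ee` now pin their subjects explicitly. If this side is meant to control the BSC name, pass it the same way, e.g. `self.run_ca("-extensions", "ca_x509_ext_ee", "-subj", bsc_name, "-in", req_file, "-out", cer_file)` with `bsc_name` derived from the handle; otherwise a one-line comment stating that the requester's subject is deliberately trusted would document the decision. `bsc` starts before this hunk.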
@@ -313,12 +309,7 @@ class CA(object):
# OpenSSL command line tool.
if not os.path.exists(xcert):
- subprocess.check_call(("openssl", "ca", "-notext", "-batch",
- #"-verbose",
- "-config", self.cfg,
- "-ss_cert", cert,
- "-out", xcert,
- "-extensions", "ca_x509_ext_xcert"))
+ self.run_ca("-ss_cert", cert, "-out", xcert, "-extensions", "ca_x509_ext_xcert")
return xcert
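Review bot: The cross-certificate is cached purely by `if not os.path.exists(xcert)`, so once issued it is never regenerated even if the peer's self-signed `cert` changes; if the peer re-keys after a compromise, the old key stays cross-certified until someone deletes the file by hand, and the new peer cert is not covered at all. Comparing the cached file's mtime with `cert`, or keying the `xcert` filename on a digest of `cert` (how `xcert` is named is not visible in this hunk), would make the cache safe to rely on. The enclosing method starts before this hunk.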
@@ -361,7 +352,7 @@ def main():
bsc_req = base64.b64decode(r)
bpki = CA(cfg_file, bpki_dir, bpki_cacert)
- bpki.setup()
+ bpki.setup("/CN=%s TA" % my_handle)
e = Element("myrpki", xmlns = namespace, version = "1", handle = my_handle)
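Review bot: `my_handle` is interpolated straight into the `-subj` argument via `"/CN=%s TA" % my_handle`; OpenSSL parses `/` and `=` in that string as DN separators, so a handle containing either (or a backslash) yields a different subject than intended or an `openssl ca` failure. Since the same value becomes the `handle` attribute on the XML root, validating it once near the top of `main` keeps both uses consistent, e.g. `if not re.match(r"^[-\w.]+$", my_handle): raise ValueError("bad handle: %r" % my_handle)` (assuming `re` is imported in this file). `main` continues outside the hunk.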