author | Rob Austein <sra@hactrn.net> | 2009-08-28 19:57:18 +0000 |
---|---|---|
committer | Rob Austein <sra@hactrn.net> | 2009-08-28 19:57:18 +0000 |
commit | 65dd0c1eebf86559508ac24a8200fa4194dec8c0 (patch) | |
tree | c4f9eb6939377e6b607227292fa2fcb5934f01ed | |
parent | 5fcc3a597880faba983508ab6f5843369217686c (diff) |
Consolidate bpki.{rpkid,pubd,rootd} into a single bpki.myirbe
(bpki.myrpki remains separate). Partial conversion to model in which
myirbe supports running rpkid without running pubd -- not working yet.
svn path=/myrpki/Makefile; revision=2713
-rw-r--r-- | myrpki/Makefile | 2 | ||||
-rw-r--r-- | myrpki/myirbe.py | 95 | ||||
-rw-r--r-- | myrpki/myrpki.conf | 46 | ||||
-rw-r--r-- | myrpki/yamltest.py | 34 |
4 files changed, 94 insertions, 83 deletions
diff --git a/myrpki/Makefile b/myrpki/Makefile
index f8637bfc..5548889b 100644
--- a/myrpki/Makefile
+++ b/myrpki/Makefile
@@ -27,7 +27,7 @@ bpki.myrpki:
 python myirbe.py
 clean:
- rm -rf *.xml bpki.myrpki bpki.rpkid bpki.pubd bpki.rootd test screenlog.*
+ rm -rf *.xml bpki.myrpki bpki.myirbe test screenlog.*
 python sql-cleaner.py
 format: myrpki.xml
diff --git a/myrpki/myirbe.py b/myrpki/myirbe.py
index 546f5346..a1ac1e5d 100644
--- a/myrpki/myirbe.py
+++ b/myrpki/myirbe.py
@@ -120,22 +120,22 @@ for o, a in opts:
 cfg = rpki.config.parser(cfg_file, "myirbe")
-bpki_modified = False
+handle = cfg.get("handle", cfg.get("handle", "Amnesiac", "myrpki"))
-bpki_rpkid = myrpki.CA(cfg_file, cfg.get("rpkid_ca_directory"))
-bpki_modified |= bpki_rpkid.setup(cfg.get("bpki_rpkid_ta_dn", "/CN=rpkid TA"))
-bpki_modified |= bpki_rpkid.ee( cfg.get("bpki_rpkid_ee_dn", "/CN=rpkid EE"), "rpkid")
-bpki_modified |= bpki_rpkid.ee( cfg.get("bpki_irdbd_ee_dn", "/CN=irdbd EE"), "irdbd")
-bpki_modified |= bpki_rpkid.ee( cfg.get("bpki_rpkid_irbe_dn", "/CN=irbe_cli EE"), "irbe_cli")
+want_pubd = cfg.getboolean("want_pubd", False)
+want_rootd = cfg.getboolean("want_rootd", False)
-bpki_pubd = myrpki.CA(cfg_file, cfg.get("pubd_ca_directory"))
-bpki_modified |= bpki_pubd.setup(cfg.get("bpki_pubd_ta_dn", "/CN=pubd TA"))
-bpki_modified |= bpki_pubd.ee( cfg.get("bpki_pubd_ee_dn", "/CN=pubd EE"), "pubd")
-bpki_modified |= bpki_pubd.ee( cfg.get("bpki_pubd_irbe_dn", "/CN=irbe_cli EE"), "irbe_cli")
+bpki_modified = False
-bpki_rootd = myrpki.CA(cfg_file, cfg.get("rootd_ca_directory"))
-bpki_modified |= bpki_rootd.setup(cfg.get("bpki_rootd_ta_dn", "/CN=rootd TA"))
-bpki_modified |= bpki_rootd.ee( cfg.get("bpki_rootd_ee_dn", "/CN=rootd EE"), "rootd")
+bpki = myrpki.CA(cfg_file, cfg.get("bpki_directory"))
+bpki_modified |= bpki.setup(cfg.get("bpki_ta_dn", "/CN=%s BPKI TA" % handle))
+bpki_modified |= bpki.ee( cfg.get("bpki_rpkid_ee_dn", "/CN=%s rpkid EE" % handle), "rpkid")
+bpki_modified |= bpki.ee( cfg.get("bpki_irdbd_ee_dn", "/CN=%s irdbd EE" % handle), "irdbd")
+bpki_modified |= bpki.ee( cfg.get("bpki_irbe_ee_dn", "/CN=%s irbe EE" % handle), "irbe")
+if want_pubd:
+ bpki_modified |= bpki.ee( cfg.get("bpki_pubd_ee_dn", "/CN=%s pubd EE" % handle), "pubd")
+if want_rootd:
+ bpki_modified |= bpki.ee( cfg.get("bpki_rootd_ee_dn", "/CN=%s rootd EE" % handle), "rootd")
 if bpki_modified:
 print "BPKI (re)initialized. You need to (re)start daemons before continuing."
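Review bot: The new `handle` value is interpolated straight into the OpenSSL-style subject DNs (`"/CN=%s BPKI TA" % handle` and the `bpki.ee(...)` lines below it) with no check on its characters, so a handle containing `/` or `=` yields a different DN than intended or an openssl failure, even though the up-down URL pattern in the next hunk only admits `[-A-Z0-9_]` characters in handles (its flags are cut off, so case sensitivity is unclear). A check right after the lookup, `if not re.match(r"^[-A-Za-z0-9_]+$", handle): raise ValueError("bad handle: %r" % handle)`, would keep the DN well-formed, assuming `re` is imported at module level as the `updown_regexp` line suggests. It is also worth a comment on the `bpki = myrpki.CA(...)` line that, after this consolidation, the CA key and the EE keys of rpkid, irdbd, pubd, rootd and the irbe client all live in one directory, so whatever permissions `myrpki.CA` applies to `bpki_directory` are now the only file-level separation between those daemons; `myrpki.CA` itself is not visible here.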
@@ -157,25 +157,27 @@ updown_regexp = re.compile(re.escape(rpkid_base) + "up-down/([-A-Z0-9_]+)/([-A-Z
 call_rpkid = rpki.async.sync_wrapper(caller(
 proto = rpki.left_right,
- client_key = rpki.x509.RSA( PEM_file = bpki_rpkid.dir + "/irbe_cli.key"),
- client_cert = rpki.x509.X509(PEM_file = bpki_rpkid.dir + "/irbe_cli.cer"),
- server_ta = rpki.x509.X509(PEM_file = bpki_rpkid.cer),
- server_cert = rpki.x509.X509(PEM_file = bpki_rpkid.dir + "/rpkid.cer"),
+ client_key = rpki.x509.RSA( PEM_file = bpki.dir + "/irbe.key"),
+ client_cert = rpki.x509.X509(PEM_file = bpki.dir + "/irbe.cer"),
+ server_ta = rpki.x509.X509(PEM_file = bpki.cer),
+ server_cert = rpki.x509.X509(PEM_file = bpki.dir + "/rpkid.cer"),
 url = rpkid_base + "left-right"))
-call_pubd = rpki.async.sync_wrapper(caller(
- proto = rpki.publication,
- client_key = rpki.x509.RSA( PEM_file = bpki_pubd.dir + "/irbe_cli.key"),
- client_cert = rpki.x509.X509(PEM_file = bpki_pubd.dir + "/irbe_cli.cer"),
- server_ta = rpki.x509.X509(PEM_file = bpki_pubd.cer),
- server_cert = rpki.x509.X509(PEM_file = bpki_pubd.dir + "/pubd.cer"),
- url = pubd_base + "control"))
+if want_pubd:
-# Make sure that pubd's BPKI CRL is up to date.
+ call_pubd = rpki.async.sync_wrapper(caller(
+ proto = rpki.publication,
+ client_key = rpki.x509.RSA( PEM_file = bpki.dir + "/irbe.key"),
+ client_cert = rpki.x509.X509(PEM_file = bpki.dir + "/irbe.cer"),
+ server_ta = rpki.x509.X509(PEM_file = bpki.cer),
+ server_cert = rpki.x509.X509(PEM_file = bpki.dir + "/pubd.cer"),
+ url = pubd_base + "control"))
-call_pubd((rpki.publication.config_elt.make_pdu(
- action = "set",
- bpki_crl = rpki.x509.CRL(PEM_file = bpki_pubd.crl)),))
+ # Make sure that pubd's BPKI CRL is up to date.
+
+ call_pubd((rpki.publication.config_elt.make_pdu(
+ action = "set",
+ bpki_crl = rpki.x509.CRL(PEM_file = bpki.crl)),))
 irdbd_cfg = rpki.config.parser(cfg.get("irdbd_conf"), "irdbd")
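Review bot: Now that a single CA (`bpki.cer`) issues the EE certificates of every daemon, the `server_cert` argument on the new `call_rpkid` and `call_pubd` lines is what stops a pubd EE from being accepted as rpkid and vice versa, and nothing in the hunk says so. A comment above `call_rpkid` such as `# server_ta is shared by all daemons since the BPKI consolidation; server_cert pins the specific daemon EE -- do not drop it as redundant` would keep a later cleanup from removing the pin. Whether `caller()` actually enforces `server_cert` rather than only validating against `server_ta` is not visible here and is worth confirming, since the old per-daemon CAs gave that separation for free.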
@@ -279,16 +281,16 @@ for xmlfile in xmlfiles:
 print "Nothing else I can do without a trust anchor for the entity I'm hosting."
 continue
- rpkid_xcert = rpki.x509.X509(PEM_file = bpki_rpkid.fxcert(handle + ".cacert.cer",
- hosted_cacert.get_PEM(),
- path_restriction = 1))
+ rpkid_xcert = rpki.x509.X509(PEM_file = bpki.fxcert(handle + ".cacert.cer",
+ hosted_cacert.get_PEM(),
+ path_restriction = 1))
 # See what rpkid and pubd already have on file for this entity.
- pubd_reply = call_pubd((
- rpki.publication.client_elt.make_pdu(action = "list"),))
+ if want_pubd:
+ pubd_reply = call_pubd((rpki.publication.client_elt.make_pdu(action = "list"),))
- client_pdus = dict((x.client_handle, x) for x in pubd_reply if isinstance(x, rpki.publication.client_elt))
+ client_pdus = dict((x.client_handle, x) for x in pubd_reply if isinstance(x, rpki.publication.client_elt))
 rpkid_reply = call_rpkid((
 rpki.left_right.self_elt.make_pdu( action = "get", tag = "self", self_handle = handle),
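Review bot: The new `client_pdus = dict(... if isinstance(x, rpki.publication.client_elt))` line silently drops anything in `pubd_reply` that is not a `client_elt`, so a `report_error_elt` answer to the `list` query leaves `client_pdus` empty and the pubclients loop later in this file would then queue a `create` for every client pubd already holds; the reply to the later `set` is checked for `report_error_elt`, this one never is. Suggest checking it before building the dict, `for r in pubd_reply: assert not isinstance(r, rpki.publication.report_error_elt)`, matching the file's existing style (a raise would additionally survive `python -O`). When `want_pubd` is false neither `pubd_reply` nor `client_pdus` is defined, which is fine only as long as every later reference stays under `if want_pubd`; I can see that for the pubclients hunk but not for the lines between. The enclosing `for xmlfile in xmlfiles:` loop starts and ends outside the hunk.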
@@ -455,20 +457,22 @@ for xmlfile in xmlfiles:
 # Publication setup, used to be inferred (badly) from parent setup,
 # now handled explictly via yet another freaking .csv file.
- for client_handle, client_bpki_cert, client_base_uri in myrpki.csv_open(cfg.get("pubclients_csv", "pubclients.csv")):
+ if want_pubd:
+
+ for client_handle, client_bpki_cert, client_base_uri in myrpki.csv_open(cfg.get("pubclients_csv", "pubclients.csv")):
- client_pdu = client_pdus.pop(client_handle, None)
+ client_pdu = client_pdus.pop(client_handle, None)
- client_bpki_cert = rpki.x509.X509(PEM_file = bpki_pubd.xcert(client_bpki_cert))
+ client_bpki_cert = rpki.x509.X509(PEM_file = bpki.xcert(client_bpki_cert))
- if (client_pdu is None or
- client_pdu.base_uri != client_base_uri or
- client_pdu.bpki_cert != client_bpki_cert):
- pubd_query.append(rpki.publication.client_elt.make_pdu(
- action = "create" if client_pdu is None else "set",
- client_handle = client_handle,
- bpki_cert = client_bpki_cert,
- base_uri = client_base_uri))
+ if (client_pdu is None or
+ client_pdu.base_uri != client_base_uri or
+ client_pdu.bpki_cert != client_bpki_cert):
+ pubd_query.append(rpki.publication.client_elt.make_pdu(
+ action = "create" if client_pdu is None else "set",
+ client_handle = client_handle,
+ bpki_cert = client_bpki_cert,
+ base_uri = client_base_uri))
 # If we changed anything, ship updates off to daemons
@@ -481,6 +485,7 @@ for xmlfile in xmlfiles:
 assert not isinstance(r, rpki.left_right.report_error_elt)
 if pubd_query:
+ assert want_pubd
 pubd_reply = call_pubd(pubd_query)
 for r in pubd_reply:
 assert not isinstance(r, rpki.publication.report_error_elt)
diff --git a/myrpki/myrpki.conf b/myrpki/myrpki.conf
index 0aba3eb1..d7161a5d 100644
--- a/myrpki/myrpki.conf
+++ b/myrpki/myrpki.conf
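Review bot: `assert want_pubd` under `if pubd_query:` is the only guard before `call_pubd(pubd_query)`, and under `python -O` it is stripped, so a queue that fills without pubd enabled would surface as a `NameError` on `call_pubd` rather than a clear message; the `assert not isinstance(r, ...report_error_elt)` checks right below share that weakness. Prefer `if pubd_query and not want_pubd: raise RuntimeError("pubd updates queued but want_pubd is false")`, or at least a comment stating the invariant that every `pubd_query.append` sits under `if want_pubd`, so the check survives optimization. Both hunks sit inside the `for xmlfile in xmlfiles:` loop, which starts and ends outside them.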
@@ -24,9 +24,9 @@ crl_days = 365
 [myirbe]
 irdbd_conf = irdbd.conf
-rpkid_ca_directory = bpki.rpkid
-pubd_ca_directory = bpki.pubd
-rootd_ca_directory = bpki.rootd
+bpki_directory = bpki.myirbe
+want_pubd = true
+want_rootd = true
 rsync_base = rsync://server.example/
 pubd_base = https://localhost:4402
 rpkid_base = https://localhost:4404
@@ -91,11 +91,11 @@ surname = optional
 sql-database = rpki
 sql-username = rpki
 sql-password = fnord
-bpki-ta = bpki.rpkid/ca.cer
-rpkid-key = bpki.rpkid/rpkid.key
-rpkid-cert = bpki.rpkid/rpkid.cer
-irdb-cert = bpki.rpkid/irdbd.cer
-irbe-cert = bpki.rpkid/irbe_cli.cer
+bpki-ta = bpki.myirbe/ca.cer
+rpkid-key = bpki.myirbe/rpkid.key
+rpkid-cert = bpki.myirbe/rpkid.cer
+irdb-cert = bpki.myirbe/irdbd.cer
+irbe-cert = bpki.myirbe/irbe.cer
 irdb-url = https://localhost:4403/
 server-host = localhost
 server-port = 4404
@@ -105,10 +105,10 @@ server-port = 4404
 sql-database = irdb
 sql-username = irdb
 sql-password = fnord
-bpki-ta = bpki.rpkid/ca.cer
-rpkid-cert = bpki.rpkid/rpkid.cer
-irdbd-cert = bpki.rpkid/irdbd.cer
-irdbd-key = bpki.rpkid/irdbd.key
+bpki-ta = bpki.myirbe/ca.cer
+rpkid-cert = bpki.myirbe/rpkid.cer
+irdbd-cert = bpki.myirbe/irdbd.cer
+irdbd-key = bpki.myirbe/irdbd.key
 https-url = https://localhost:4403/
 [pubd]
@@ -118,10 +118,10 @@ startup-message = This is pubd
 sql-database = pubd
 sql-username = pubd
 sql-password = fnord
-bpki-ta = bpki.pubd/ca.cer
-pubd-cert = bpki.pubd/pubd.cer
-pubd-key = bpki.pubd/pubd.key
-irbe-cert = bpki.pubd/irbe_cli.cer
+bpki-ta = bpki.myirbe/ca.cer
+pubd-cert = bpki.myirbe/pubd.cer
+pubd-key = bpki.myirbe/pubd.key
+irbe-cert = bpki.myirbe/irbe.cer
 server-host = localhost
 server-port = 4402
 publication-base = publication/
@@ -130,11 +130,11 @@ publication-base = publication/
 startup-message = This is rootd
-bpki-ta = bpki.rootd/ca.cer
-rootd-bpki-crl = bpki.rootd/ca.crl
-rootd-bpki-cert = bpki.rootd/rootd.cer
-rootd-bpki-key = bpki.rootd/rootd.key
-child-bpki-cert = bpki.rootd/child.cer
+bpki-ta = bpki.myirbe/ca.cer
+rootd-bpki-crl = bpki.myirbe/ca.crl
+rootd-bpki-cert = bpki.myirbe/rootd.cer
+rootd-bpki-key = bpki.myirbe/rootd.key
+child-bpki-cert = bpki.myirbe/child.cer
 server-port = 4401
@@ -142,8 +142,8 @@ rpki-root-dir = publication/localhost:4400/
 rpki-base-uri = rsync://localhost:4400/
 rpki-root-cert-uri = rsync://localhost:4400/rootd.cer
-rpki-root-key = bpki.rootd/ca.key
-rpki-root-cert = bpki.rootd/rpkiroot.cer
+rpki-root-key = bpki.myirbe/ca.key
+rpki-root-cert = bpki.myirbe/rpkiroot.cer
 rpki-subject-pkcs10 = rootd.subject.pkcs10
 rpki-subject-lifetime = 30d
diff --git a/myrpki/yamltest.py b/myrpki/yamltest.py
index 0aa21eac..3df6e0bc 100644
--- a/myrpki/yamltest.py
+++ b/myrpki/yamltest.py
@@ -163,7 +163,7 @@ class allocation_db(list):
 this for the root node.
 """
 env = { "PATH" : os.environ["PATH"],
- "BPKI_DIRECTORY" : self.root.path("bpki.rootd"),
+ "BPKI_DIRECTORY" : self.root.path("bpki.myirbe"),
 "RANDFILE" : ".OpenSSL.whines.unless.I.set.this" }
 cwd = self.root.path()
 return lambda *args: subprocess.check_call((prog_openssl,) + args, cwd = cwd, env = env)
@@ -337,8 +337,8 @@ class allocation(object):
 if self.is_root():
 self.csvout(fn).writerow(("rootd",
 "https://localhost:%d/" % self.rootd_port,
- self.path("bpki.rootd/ca.cer"),
- self.path("bpki.rootd/ca.cer"),
+ self.path("bpki.myirbe/ca.cer"),
+ self.path("bpki.myirbe/ca.cer"),
 self.name,
 self.sia_base))
 else:
@@ -346,7 +346,7 @@ class allocation(object):
 self.csvout(fn).writerow((self.parent.name,
 self.up_down_url(),
 self.parent.path("bpki.myrpki/ca.cer"),
- parent_host.path("bpki.rpkid/ca.cer"),
+ parent_host.path("bpki.myirbe/ca.cer"),
 self.name,
 self.sia_base))
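Review bot: With `rpki-root-key = bpki.myirbe/ca.key` next to `bpki-ta = bpki.myirbe/ca.cer`, the private key that signs the RPKI root certificate is now also the trust anchor that issues the BPKI EE certificates for rpkid, irdbd, pubd, rootd and the irbe client, whereas before the commit that key was shared only with rootd's own BPKI CA. This reads as test configuration (every URL is localhost), but a comment above `rpki-root-key` such as `# Test-only shortcut: the myirbe BPKI CA key doubles as the RPKI root key; keep these separate in any real deployment` would stop the shortcut from being copied into a production config. Whether `ca.key` gets restrictive file permissions when `myrpki.CA` creates it is not visible here.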
@@ -382,8 +382,7 @@ class allocation(object):
 host = self.hosted_by if self.is_hosted() else self
- r = { ("myrpki", "handle"): self.name,
- ("myrpki", "repository_bpki_certificate"): host.path("bpki.pubd/ca.cer") }
+ r = { ("myrpki", "handle"): self.name }
 if not self.is_hosted():
 r["irdbd", "https-url"] = "https://localhost:%d/" % self.irdbd_port
@@ -393,6 +392,8 @@ class allocation(object):
 r["rpkid", "irdb-url"] = "https://localhost:%d/" % self.irdbd_port
 r["rpkid", "server-port"] = "%d" % self.rpkid_port
 r["rpkid", "sql-database"] = "rpki%d" % self.engine
+ r["myirbe", "want_pubd"] = "true" if self.runs_pubd() else "false"
+ r["myirbe", "want_rootd"] = "true" if self.is_root() else "false"
 if self.is_root():
 r["rootd", "rpki-root-dir"] = "publication/localhost:%d/" % self.rsync_port
@@ -404,10 +405,15 @@ class allocation(object):
 (self.rsync_port, self.rsync_port))
 if self.runs_pubd():
- r["pubd", "server-port"] = "%d" % self.pubd_port
- r["pubd", "sql-database"] = "pubd%d" % self.engine
- r["myirbe", "pubd_base"] = "https://localhost:%d/" % self.pubd_port
- r["myirbe", "rsync_base"] = "rsync://localhost:%d/" % self.rsync_port
+ r["pubd", "server-port"] = "%d" % self.pubd_port
+ r["pubd", "sql-database"] = "pubd%d" % self.engine
+
+ s = self
+ while not s.runs_pubd():
+ s = s.parent
+ r["myirbe", "pubd_base"] = "https://localhost:%d/" % s.pubd_port
+ r["myirbe", "rsync_base"] = "rsync://localhost:%d/" % s.rsync_port
+ r["myrpki", "repository_bpki_certificate"] = s.path("bpki.myirbe/ca.cer")
 if self.is_root():
 r["rootd", "server-port"] = "%d" % self.rootd_port
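Review bot: The ancestor walk `s = self` / `while not s.runs_pubd(): s = s.parent` in the last hunk has no stop condition: if no node on the path to the root runs pubd, `s.parent` becomes `None` at the root and the next `s.runs_pubd()` raises `AttributeError` with no hint about which allocation is misconfigured. A guard inside the loop, `if s.parent is None: raise ValueError("%s has no ancestor running pubd" % self.name)` before `s = s.parent`, or a comment stating that the root is required to run pubd, would make the assumption explicit; whether yamltest already guarantees that for the root is not visible in this hunk. The method containing these hunks starts and ends outside them.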
@@ -581,14 +587,14 @@ print "Creating rootd BPKI cross-certificate for its child"
 rootd_openssl("ca", "-notext", "-batch", "-config", "myrpki.conf", "-ss_cert", "bpki.myrpki/ca.cer",
- "-out", "bpki.rootd/child.cer",
+ "-out", "bpki.myirbe/child.cer",
 "-extensions", "ca_x509_ext_xcert0")
 print "Creating rootd RPKI root certificate"
 rootd_openssl("x509", "-req", "-sha256", "-outform", "DER",
- "-signkey", "bpki.rootd/ca.key",
- "-in", "bpki.rootd/ca.req",
- "-out", "bpki.rootd/rpkiroot.cer",
+ "-signkey", "bpki.myirbe/ca.key",
+ "-in", "bpki.myirbe/ca.req",
+ "-out", "bpki.myirbe/rpkiroot.cer",
 "-extfile", "myrpki.conf", "-extensions", "rpki_x509_extensions") |