author | Rob Austein <sra@hactrn.net> | 2009-07-16 04:32:25 +0000 |
---|---|---|
committer | Rob Austein <sra@hactrn.net> | 2009-07-16 04:32:25 +0000 |
commit | 81cd03a374206c6045fbd7f42d6f0433e2cf17c4 (patch) | |
tree | 860f46737f8040547de3a275fd1aa59b9efaec00 | |
parent | 9ebb1484f6d11d9fa97cc3a0c302301588988715 (diff) |
Rework parents.csv etc. to support separate HTTPS and CMS certificates (sigh).
svn path=/myrpki/Makefile; revision=2625
-rw-r--r-- | myrpki/Makefile | 1 | ||||
-rw-r--r-- | myrpki/myirbe.py | 11 | ||||
-rw-r--r-- | myrpki/myrpki.py | 28 | ||||
-rw-r--r-- | myrpki/schema.py | 9 | ||||
-rw-r--r-- | myrpki/schema.rnc | 3 | ||||
-rw-r--r-- | myrpki/schema.rng | 9 | ||||
-rw-r--r-- | myrpki/yamltest.py | 56 |
7 files changed, 65 insertions, 52 deletions
diff --git a/myrpki/Makefile b/myrpki/Makefile index 4ff9cd35..b83745d8 100644 --- a/myrpki/Makefile +++ b/myrpki/Makefile @@ -1,6 +1,5 @@ # $Id$ -#all:: relatives #all:: myrpki.xml #all:: lint #all:: parse diff --git a/myrpki/myirbe.py b/myrpki/myirbe.py index 076c02b7..af70755a 100644 --- a/myrpki/myirbe.py +++ b/myrpki/myirbe.py @@ -377,7 +377,8 @@ for xmlfile in xmlfiles: parent_handle = parent.get("handle") parent_pdu = parent_pdus.pop(parent_handle, None) parent_uri = parent.get("service_uri") - parent_cert = findbase64(parent, "bpki_certificate") + parent_cms_cert = findbase64(parent, "bpki_cms_certificate") + parent_https_cert = findbase64(parent, "bpki_https_certificate") if need_own_pub_point: parent_sia_base = pubd_base_uri + parent_handle + "/" @@ -391,8 +392,8 @@ for xmlfile in xmlfiles: parent_pdu.sia_base != parent_sia_base or parent_pdu.sender_name != handle or parent_pdu.recipient_name != parent_handle or - parent_pdu.bpki_cms_cert != parent_cert or - parent_pdu.bpki_https_cert != parent_cert): + parent_pdu.bpki_cms_cert != parent_cms_cert or + parent_pdu.bpki_https_cert != parent_https_cert): rpkid_query.append(rpki.left_right.parent_elt.make_pdu( action = "create" if parent_pdu is None else "set", tag = parent_handle, @@ -404,8 +405,8 @@ for xmlfile in xmlfiles: sia_base = parent_sia_base, sender_name = handle, recipient_name = parent_handle, - bpki_cms_cert = parent_cert, - bpki_https_cert = parent_cert)) + bpki_cms_cert = parent_cms_cert, + bpki_https_cert = parent_https_cert)) rpkid_query.extend(rpki.left_right.parent_elt.make_pdu( action = "destroy", self_handle = handle, parent_handle = p) for p in parent_pdus) diff --git a/myrpki/myrpki.py b/myrpki/myrpki.py index 724a4c52..9a661eb4 100644 --- a/myrpki/myrpki.py +++ b/myrpki/myrpki.py 
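Review bot: `parent_cms_cert` and `parent_https_cert`, read in the myirbe.py @@ -377 hunk, are compared and handed to make_pdu in the @@ -391 and @@ -404 hunks without any check that either element was present; the schema change in this same commit makes both `bpki_cms_certificate` and `bpki_https_certificate` optional, so if findbase64 returns None for a missing element (its definition is outside this diff) a parent entry lacking one would silently create or update the parent PDU with an empty BPKI trust anchor for the CMS or HTTPS side. A guard directly after the two findbase64 calls, `if parent_cms_cert is None or parent_https_cert is None: raise RuntimeError("parent %s is missing a BPKI certificate" % parent_handle)` (message is a constructed example), would make the omission a visible configuration error instead. The enclosing `for xmlfile in xmlfiles:` loop starts outside the hunk.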
@@ -155,29 +155,33 @@ class parent(object): self.bpki_certificate = None def __repr__(self): - return "<%s uri %s cert %s uri %s cert %s>" % (self.__class__.__name__, - self.service_uri, self.bpki_certificate) + return "<%s uri %s cms %s https %s>" % (self.__class__.__name__, self.service_uri, + self.bpki_cms_certificate, self.bpki_https_certificate) - def add(self, service_uri = None, bpki_certificate = None): + def add(self, service_uri = None, bpki_cms_certificate = None, bpki_https_certificate = None): if service_uri is not None: self.service_uri = service_uri - if bpki_certificate is not None: - self.bpki_certificate = bpki_certificate + if bpki_cms_certificate is not None: + self.bpki_cms_certificate = bpki_cms_certificate + if bpki_https_certificate is not None: + self.bpki_https_certificate = bpki_https_certificate def xml(self, e): e2 = SubElement(e, "parent", handle = self.handle, service_uri = self.service_uri) - if self.bpki_certificate: - PEMElement(e2, "bpki_certificate", self.bpki_certificate) + if self.bpki_cms_certificate: + PEMElement(e2, "bpki_cms_certificate", self.bpki_cms_certificate) + if self.bpki_https_certificate: + PEMElement(e2, "bpki_https_certificate", self.bpki_https_certificate) return e2 class parents(dict): - def add(self, handle, service_uri = None, bpki_certificate = None): + def add(self, handle, service_uri = None, bpki_cms_certificate = None, bpki_https_certificate = None): if handle not in self: self[handle] = parent(handle) - self[handle].add(service_uri = service_uri, bpki_certificate = bpki_certificate) + self[handle].add(service_uri = service_uri, bpki_cms_certificate = bpki_cms_certificate, bpki_https_certificate = bpki_https_certificate) def xml(self, e): for c in self.itervalues(): 
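Review bot: The context line `self.bpki_certificate = None` at the top of the hunk is the tail of `parent.__init__` and is left untouched, while `__repr__`, `add` and `xml` on the new side all read `self.bpki_cms_certificate` and `self.bpki_https_certificate`; unless those two attributes are initialised above the hunk, `repr()` or `xml()` on a parent whose `add()` was not given both certificates raises AttributeError, and the old attribute is now dead. Replacing that line with `self.bpki_cms_certificate = None` and `self.bpki_https_certificate = None` keeps the object consistent with its readers. The new `parents.add` pass-through line is also far longer than anything else in the file; putting one keyword argument per line, as `parent.add` above it does, would match the surrounding style. `parent.__init__` starts outside the hunk.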
@@ -186,10 +190,10 @@ class parents(dict): @classmethod def from_csv(cls, parents_csv_file, xcert): self = cls() - # parentname service_uri parent_bpki_pemfile - for handle, service_uri, parent_pemfile in csv_open(parents_csv_file): + # parentname service_uri parent_bpki_cms_pemfile parent_bpki_https_pemfile + for handle, service_uri, parent_cms_pemfile, parent_https_pemfile in csv_open(parents_csv_file): self.add(handle = handle, - service_uri = service_uri, bpki_certificate = xcert(parent_pemfile)) + service_uri = service_uri, bpki_cms_certificate = xcert(parent_cms_pemfile), bpki_https_certificate = xcert(parent_https_pemfile)) return self def csv_open(filename, delimiter = "\t", dialect = None): diff --git a/myrpki/schema.py b/myrpki/schema.py index d5078714..38df6d3d 100644 --- a/myrpki/schema.py +++ b/myrpki/schema.py @@ -1,7 +1,7 @@ import lxml.etree myrpki = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" encoding="UTF-8"?> <!-- - $Id: schema.rnc -1 $ + $Id: schema.rnc 2608 2009-07-11 04:34:55Z sra $ RelaxNG Schema for MyRPKI XML messages @@ -135,7 +135,12 @@ myrpki = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" encodin </attribute> </optional> <optional> - <element name="bpki_certificate"> + <element name="bpki_cms_certificate"> + <ref name="base64"/> + </element> + </optional> + <optional> + <element name="bpki_https_certificate"> <ref name="base64"/> </element> </optional> diff --git a/myrpki/schema.rnc b/myrpki/schema.rnc index 0ad11734..da5f9a12 100644 --- a/myrpki/schema.rnc +++ b/myrpki/schema.rnc @@ -45,7 +45,8 @@ child_elt = element child { parent_elt = element parent { attribute handle { object_handle }, attribute service_uri { uri }?, - element bpki_certificate { base64 }? + element bpki_cms_certificate { base64 }?, + element bpki_https_certificate { base64 }? } bpki_ca_certificate_elt = element bpki_ca_certificate { base64 } diff --git a/myrpki/schema.rng b/myrpki/schema.rng index 80f2a391..d7b557cd 100644 
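Review bot: The four-name unpacking in the `for` line of the myrpki.py @@ -186 hunk means a parents.csv row still in the old three-column layout fails with a bare tuple-unpacking ValueError that names neither the file nor the row, and since this commit is the one changing the column layout that is exactly the failure operators will hit. Iterating `for row in csv_open(parents_csv_file):` and checking `if len(row) != 4: raise ValueError("%s: expected 4 columns, got %d" % (parents_csv_file, len(row)))` before unpacking would point at the stale file directly. The updated column comment on the line above is the only place the new layout is documented; it should stay in step with the writer in yamltest.dump_parents changed in this same commit.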
--- a/myrpki/schema.rng +++ b/myrpki/schema.rng @@ -1,6 +1,6 @@ <?xml version="1.0" encoding="UTF-8"?> <!-- - $Id: schema.rnc -1 $ + $Id: schema.rnc 2608 2009-07-11 04:34:55Z sra $ RelaxNG Schema for MyRPKI XML messages @@ -134,7 +134,12 @@ </attribute> </optional> <optional> - <element name="bpki_certificate"> + <element name="bpki_cms_certificate"> + <ref name="base64"/> + </element> + </optional> + <optional> + <element name="bpki_https_certificate"> <ref name="base64"/> </element> </optional> diff --git a/myrpki/yamltest.py b/myrpki/yamltest.py index c9c9bb14..09653511 100644 --- a/myrpki/yamltest.py +++ b/myrpki/yamltest.py @@ -112,6 +112,13 @@ class allocation_db(list): for a in self: a.dump() + def make_rootd_openssl(self): + env = { "PATH" : os.environ["PATH"], + "BPKI_DIRECTORY" : self.root.path("bpki.rootd"), + "RANDFILE" : ".OpenSSL.whines.unless.I.set.this" } + cwd = self.root.path() + return lambda *args: subprocess.check_call((prog_openssl,) + args, cwd = cwd, env = env) + class allocation(object): parent = None @@ -231,9 +238,9 @@ class allocation(object): def dump_parents(self, fn): f = self.outfile(fn) if self.is_root(): - f.write("%s\t%s\t%s\n" % ("rootd", "https://localhost:%d/" % self.rootd_port, self.path("bpki.rootd/ca.cer"))) + f.write("%s\t%s\t%s\t%s\n" % ("rootd", "https://localhost:%d/" % self.rootd_port, self.path("bpki.rootd/ca.cer"), self.path("bpki.rootd/ca.cer"))) else: - f.write("%s\t%s\t%s\n" % (self.parent.name, self.up_down_url(), self.parent.path("bpki.myrpki/ca.cer"))) + f.write("%s\t%s\t%s\t%s\n" % (self.parent.name, self.up_down_url(), self.parent.path("bpki.myrpki/ca.cer"), self.parent.path("bpki.rpkid/ca.cer"))) f.close() def dump_prefixes(self, fn): 
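Review bot: `make_rootd_openssl` in the yamltest.py @@ -112 hunk returns an undocumented lambda whose contract (fixed working directory, a deliberately minimal environment of PATH, BPKI_DIRECTORY and RANDFILE, arguments prefixed with prog_openssl) can only be learned by reading the closure; a docstring such as `"""Return a callable that runs prog_openssl with the given arguments from the root's directory, with PATH, rootd's BPKI_DIRECTORY and RANDFILE as its whole environment."""` would serve the caller at the bottom of the file. A nested `def run_openssl(*args):` returned in place of the lambda would also give tracebacks a name when an openssl step fails. The class `allocation_db` starts outside the hunk.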
@@ -369,33 +376,24 @@ for i in xrange(3): for d in db: d.run_myrpki() -# Set up rootd's BPKI cross-certificate for its one and only child. - -if not os.path.exists(db.root.path("bpki.rootd/child.cer")): - subprocess.check_call((prog_openssl, "ca", "-notext", "-batch", - "-subj", "/CN=Totally Bogus BPKI Certificate For Test Purposes", - "-config", db.root.path("myrpki.conf"), - "-ss_cert", db.root.path("bpki.rpkid/ca.cer"), - "-out", db.root.path("bpki.rootd/child.cer"), - "-extensions", "ca_x509_ext_xcert0"), - cwd = db.root.path(), - env = { "PATH" : os.environ["PATH"], - "BPKI_DIRECTORY" : db.root.path("bpki.rootd"), - "RANDFILE" : ".OpenSSL.whines.unless.I.set.this" } ) - -# Set up rootd's RPKI root certificate. - -if not os.path.exists(db.root.path("bpki.rootd/rpkiroot.cer")): - subprocess.check_call((prog_openssl, "x509", "-req", "-sha256", "-outform", "DER", - "-in", db.root.path("bpki.rootd/ca.req"), - "-signkey", db.root.path("bpki.rootd/ca.key"), - "-out", db.root.path("bpki.rootd/rpkiroot.cer"), - "-extfile", db.root.path("myrpki.conf"), - "-extensions", "rpki_x509_extensions"), - cwd = db.root.path(), - env = { "PATH" : os.environ["PATH"], - "BPKI_DIRECTORY" : db.root.path("bpki.rootd"), - "RANDFILE" : ".OpenSSL.whines.unless.I.set.this" } ) +# Set up a few things for rootd + +rootd_openssl = db.make_rootd_openssl() + +print "Creating rootd BPKI cross-certificate for its child" +rootd_openssl("ca", "-notext", "-batch", + "-config", "myrpki.conf", + "-ss_cert", "bpki.myrpki/ca.cer", + "-out", "bpki.rootd/child.cer", + "-extensions", "ca_x509_ext_xcert0") + +print "Creating rootd RPKI root certificate" +rootd_openssl("x509", "-req", "-sha256", "-outform", "DER", + "-signkey", "bpki.rootd/ca.key", + "-in", "bpki.rootd/ca.req", + "-out", "bpki.rootd/rpkiroot.cer", + "-extfile", "myrpki.conf", + "-extensions", "rpki_x509_extensions") # At this point we need to start a whole lotta daemons. |
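Review bot: The `if not os.path.exists(...)` guards the old code put around both certificate generations are gone, so the new side re-issues rootd's BPKI cross-certificate and its RPKI root certificate on every run of the script. The `openssl ca` step appends to the CA database each time and, unless the config it reads sets `unique_subject = no`, refuses a second certificate for the same subject, while re-signing `rpkiroot.cer` gives the root a fresh serial and validity each run. If the guards were dropped on purpose because rootd's state is meant to be rebuilt every run, a comment under "Set up a few things for rootd" saying so would settle it; otherwise `if not os.path.exists(db.root.path("bpki.rootd/child.cer")):` and `if not os.path.exists(db.root.path("bpki.rootd/rpkiroot.cer")):` around the two rootd_openssl calls restore the previous idempotence.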