authorRob Austein <sra@hactrn.net>2009-07-02 05:49:19 +0000
committerRob Austein <sra@hactrn.net>2009-07-02 05:49:19 +0000
commitc8154ced46dbb99c3b7d48055b5099bbacbf981a (patch)
tree09bb0edb1373b7ff7e1eab89bc0a200851aa0b79
parentc99c0d8f75fb6eee2a9eac9a2a915b55a662f748 (diff)
Sort out BSC EE cert issuance.
svn path=/myrpki/myirbe.py; revision=2560
-rw-r--r--myrpki/myirbe.py10
-rw-r--r--myrpki/myrpki.conf5
-rw-r--r--myrpki/myrpki.py50
-rw-r--r--myrpki/myrpki.rnc10
-rw-r--r--myrpki/myrpki.rng18
-rwxr-xr-xmyrpki/xml-parse-test.py10
6 files changed, 72 insertions, 31 deletions
diff --git a/myrpki/myirbe.py b/myrpki/myirbe.py
index f055e457..2aea4e88 100644
--- a/myrpki/myirbe.py
+++ b/myrpki/myirbe.py
@@ -152,9 +152,13 @@ def showcerts():
if ca:
showpem("CA", ca, "x509")
- ee = tree.findtext(tag("bpki_ee_certificate"))
- if ee:
- showpem("EE", ee, "x509")
+ bsc = tree.findtext(tag("bpki_bsc_certificate"))
+ if bsc:
+ showpem("BSC EE", bsc, "x509")
+
+ req = tree.findtext(tag("bpki_bsc_pkcs10"))
+ if req:
+ showpem("BSC EE", req, "req")
crl = tree.findtext(tag("bpki_crl"))
if crl:
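Review bot: Both new showpem() calls are labelled "BSC EE", so the PEM dump of the PKCS#10 request and the dump of the issued certificate are indistinguishable in the output except by their PEM headers; the second label could say what it is, e.g. `showpem("BSC EE request", req, "req")`. The same duplicated label appears in the parallel hunk of myrpki/xml-parse-test.py. The enclosing showcerts() starts before this hunk, so I could not check whether a caller relies on the exact label text.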
diff --git a/myrpki/myrpki.conf b/myrpki/myrpki.conf
index 54aa3c66..24e512ed 100644
--- a/myrpki/myrpki.conf
+++ b/myrpki/myrpki.conf
@@ -27,16 +27,13 @@ bpki_ca_certificate = bpki/ca.cer
# User knows about these but doesn't need to touch them
bpki_ca_key = bpki/ca.key
bpki_crl = bpki/ca.crl
-bpki_ee_certificate = bpki/bsc.cer
-bpki_ee_pkcs10 = bpki/bsc.req
# Internal database junk for "openssl ca"
bpki_index = bpki/index
bpki_serial = bpki/serial
bpki_crl_number = bpki/crl_number
-output_filename = myrpki.xml
-relaxng_schema = myrpki.rng
+xml_filename = myrpki.xml
[constants]
digest = sha256
diff --git a/myrpki/myrpki.py b/myrpki/myrpki.py
index c8a16751..be3fbbdc 100644
--- a/myrpki/myrpki.py
+++ b/myrpki/myrpki.py
@@ -23,7 +23,7 @@ OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
"""
-import subprocess, csv, re, os, getopt, sys, ConfigParser
+import subprocess, csv, re, os, getopt, sys, ConfigParser, base64
from xml.etree.ElementTree import Element, SubElement, ElementTree
@@ -254,15 +254,35 @@ class bpki(object):
"-gencrl",
"-out", self.crl))
- def issue_bsc(self, bsc_req, bsc_cer):
+ def bsc(self, e, pkcs10):
+
+ if pkcs10 is None:
+ return
+
+ p = subprocess.Popen(("openssl", "dgst", "-md5"), stdin = subprocess.PIPE, stdout = subprocess.PIPE)
+ hash = p.communicate(pkcs10)[0].strip()
+ if p.wait() != 0:
+ raise RuntimeError, "Couldn't hash PKCS#10 request"
+
+ req_file = "%s/bsc.%s.req" % (self.dir, hash)
+ cer_file = "%s/bsc.%s.cer" % (self.dir, hash)
+
+ if not os.path.exists(cer_file):
+
+ p = subprocess.Popen(("openssl", "req", "-inform", "DER", "-out", req_file), stdin = subprocess.PIPE)
+ p.communicate(pkcs10)
+ if p.wait() != 0:
+ raise RuntimeError, "Couldn't save PKCS #10 in PEM format"
- if os.path.exists(bsc_req) and not os.path.exists(bsc_cer):
subprocess.check_call(("openssl", "ca", "-batch", "-notext",
#"-verbose",
"-extensions", "ca_x509_ext_bsc",
- "-config", self.cfg,
- "-in", bsc_req,
- "-out", bsc_cer))
+ "-config", self.cfg,
+ "-in", req_file,
+ "-out", cer_file))
+
+ PEMElement(e, "bpki_bsc_certificate", cer_file)
+ PEMElement(e, "bpki_bsc_pkcs10", req_file)
def xcert(self, cert):
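Review bot: bsc() keys its on-disk cache of requests and certificates on an MD5 digest of the PKCS#10 (`openssl dgst -md5`), and the `if not os.path.exists(cer_file)` short-circuit means two requests whose DER happens to collide under MD5 would be served the certificate issued for the first one; since myrpki.conf already declares `digest = sha256` under [constants], using the same digest here avoids that class of problem, e.g. `p = subprocess.Popen(("openssl", "dgst", "-sha256"), stdin = subprocess.PIPE, stdout = subprocess.PIPE)`. The xcert() hunk below derives its filename with `-md5` as well and would want the same treatment, with the caveat that changing the digest renames existing cache files and triggers a one-time reissue. Two smaller points: the local `hash` shadows the builtin (`req_hash` reads better), and the method has no docstring — a short one stating that `e` is the XML element the PEM children are appended to, that `pkcs10` is the DER-encoded request (or None to skip) and that the request is converted to PEM and signed only when no certificate for that digest exists yet would help the next reader.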
@@ -278,7 +298,7 @@ class bpki(object):
p1 = subprocess.Popen(("openssl", "x509", "-noout", "-pubkey", "-subject", "-in", cert), stdout = subprocess.PIPE)
p2 = subprocess.Popen(("openssl", "dgst", "-md5"), stdin = p1.stdout, stdout = subprocess.PIPE)
- xcert = "%s/%s.xcert" % (self.dir, p2.communicate()[0].strip())
+ xcert = "%s/xcert.%s.cer" % (self.dir, p2.communicate()[0].strip())
if p1.wait() != 0 or p2.wait() != 0:
raise RuntimeError, "Couldn't generate cross-certification tag for %r" % cert
@@ -326,7 +346,14 @@ def main():
asn_csv_file = cfg.get(myrpki_section, "asn_csv")
bpki_dir = cfg.get(myrpki_section, "bpki_ca_directory")
bpki_cacert = cfg.get(myrpki_section, "bpki_ca_certificate")
- output_filename = cfg.get(myrpki_section, "output_filename")
+ xml_filename = cfg.get(myrpki_section, "xml_filename")
+
+ bsc_req = None
+ if os.path.exists(xml_filename):
+ e = ElementTree(file = xml_filename).getroot()
+ r = e.findtext("{%s}%s" % (namespace, "bpki_bsc_pkcs10"))
+ if r:
+ bsc_req = base64.b64decode(r)
ca = bpki(cfg_file, bpki_dir, bpki_cacert)
ca.setup()
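Review bot: The `bpki_bsc_pkcs10` text pulled from the existing xml_filename is passed straight to base64.b64decode, so a corrupted or hand-edited element fails with a bare decoder exception rather than a message naming the file and element; wrapping it as `except TypeError: raise RuntimeError, "Malformed bpki_bsc_pkcs10 in %s" % xml_filename` would make the failure actionable. The root element is bound to `e` here, and a later hunk in this same function appends to an `e` that is presumably rebuilt in between; a distinct name such as `old_root` would make it clear that this tree is only read, not written back. main() starts and ends outside this hunk, so I could not confirm where `e` is reassigned.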
@@ -348,11 +375,10 @@ def main():
PEMElement(e, "bpki_ca_certificate", ca.cer)
PEMElement(e, "bpki_crl", ca.crl)
- if os.path.exists(bpki_dir + "/bsc.cer"):
- PEMElement(e, "bpki_ee_certificate", bpki_dir + "/bsc.cer")
+ ca.bsc(e, bsc_req)
- ElementTree(e).write(output_filename + ".tmp")
- os.rename(output_filename + ".tmp", output_filename)
+ ElementTree(e).write(xml_filename + ".tmp")
+ os.rename(xml_filename + ".tmp", xml_filename)
if __name__ == "__main__":
main()
diff --git a/myrpki/myrpki.rnc b/myrpki/myrpki.rnc
index 0af3a883..8ea93167 100644
--- a/myrpki/myrpki.rnc
+++ b/myrpki/myrpki.rnc
@@ -22,7 +22,8 @@ start = element myrpki {
parent_elt*,
bpki_ca_certificate_elt?,
bpki_crl_elt?,
- bpki_ee_certificate_elt?
+ bpki_bsc_certificate_elt?,
+ bpki_bsc_pkcs10_elt?
}
roa_request_elt = element roa_request {
@@ -46,9 +47,10 @@ parent_elt = element parent {
element bpki_ta { base64 }?
}
-bpki_ca_certificate_elt = element bpki_ca_certificate { base64 }
-bpki_ee_certificate_elt = element bpki_ee_certificate { base64 }
-bpki_crl_elt = element bpki_crl { base64 }
+bpki_ca_certificate_elt = element bpki_ca_certificate { base64 }
+bpki_crl_elt = element bpki_crl { base64 }
+bpki_bsc_certificate_elt = element bpki_bsc_certificate { base64 }
+bpki_bsc_pkcs10_elt = element bpki_bsc_pkcs10 { base64 }
# Local Variables:
# indent-tabs-mode: nil
diff --git a/myrpki/myrpki.rng b/myrpki/myrpki.rng
index b498f30b..d35db9fc 100644
--- a/myrpki/myrpki.rng
+++ b/myrpki/myrpki.rng
@@ -68,7 +68,10 @@
<ref name="bpki_crl_elt"/>
</optional>
<optional>
- <ref name="bpki_ee_certificate_elt"/>
+ <ref name="bpki_bsc_certificate_elt"/>
+ </optional>
+ <optional>
+ <ref name="bpki_bsc_pkcs10_elt"/>
</optional>
</element>
</start>
@@ -139,13 +142,18 @@
<ref name="base64"/>
</element>
</define>
- <define name="bpki_ee_certificate_elt">
- <element name="bpki_ee_certificate">
+ <define name="bpki_crl_elt">
+ <element name="bpki_crl">
<ref name="base64"/>
</element>
</define>
- <define name="bpki_crl_elt">
- <element name="bpki_crl">
+ <define name="bpki_bsc_certificate_elt">
+ <element name="bpki_bsc_certificate">
+ <ref name="base64"/>
+ </element>
+ </define>
+ <define name="bpki_bsc_pkcs10_elt">
+ <element name="bpki_bsc_pkcs10">
<ref name="base64"/>
</element>
</define>
diff --git a/myrpki/xml-parse-test.py b/myrpki/xml-parse-test.py
index 698f04f4..14aa6fd7 100755
--- a/myrpki/xml-parse-test.py
+++ b/myrpki/xml-parse-test.py
@@ -84,9 +84,13 @@ ca = tree.findtext(tag("bpki_ca_certificate"))
if ca:
showpem("CA", ca, "x509")
-ee = tree.findtext(tag("bpki_ee_certificate"))
-if ee:
- showpem("EE", ee, "x509")
+bsc = tree.findtext(tag("bpki_bsc_certificate"))
+if bsc:
+ showpem("BSC EE", bsc, "x509")
+
+req = tree.findtext(tag("bpki_bsc_pkcs10"))
+if req:
+ showpem("BSC EE", req, "req")
crl = tree.findtext(tag("bpki_crl"))
if crl: