author | Rob Austein <sra@hactrn.net> | 2010-03-14 00:13:30 +0000 |
committer | Rob Austein <sra@hactrn.net> | 2010-03-14 00:13:30 +0000 |
commit | d17d25caeb661bff996b9f83608b8abbc951ab28 (patch) | |
tree | c1a6e0643cf1aba4807489bbb21b4e1ccd410110 | |
parent | dfbc51d4c4b712ca32c5fd8fef359e6160100476 (diff) |
Signed referrals now working!
svn path=/myrpki.rototill/PLAN; revision=3083
-rw-r--r-- | myrpki.rototill/PLAN | 3 | ||||
-rw-r--r-- | myrpki.rototill/myrpki.py | 54 | ||||
-rw-r--r-- | myrpki.rototill/myrpki.rng | 2 |
3 files changed, 35 insertions, 24 deletions
diff --git a/myrpki.rototill/PLAN b/myrpki.rototill/PLAN
index 92fc8bd7..37a64c02 100644
--- a/myrpki.rototill/PLAN
+++ b/myrpki.rototill/PLAN
@@ -375,7 +375,8 @@ was obscuring the code:
 # checking that this really is a child of ours (ie, must be in
 # entitydb/children).
 #
-# Detectable by handle being listed in entitydb/children.
+# Detectable by handle being listed in entitydb/children,
+# not to mention @parent_handle == self.handle.
 #
 # - Client is self, ie, entity that runs pubd is its own client.
 # Trivial to check (handle and BPKI match). This gets top-level
diff --git a/myrpki.rototill/myrpki.py b/myrpki.rototill/myrpki.py
index 95902791..6de15dc7 100644
--- a/myrpki.rototill/myrpki.py
+++ b/myrpki.rototill/myrpki.py
@@ -1090,38 +1090,48 @@ class main(rpki.cli.Cmd):
     if len(argv) != 1:
       raise RuntimeError, "Need to specify filename for client.xml"
-    c = etree_read(argv[0])
+    client = etree_read(argv[0])
     if sia_base is None:
-      auth = c.find("authorization")
+      auth = client.find("authorization")
       if auth is not None:
-        try:
-          referrer = etree_read(self.entitydb("pubclients", "%s.xml" % auth.get("referrer").replace("/",".")))
-          referrer = self.bpki_servers.fxcert(referrer.findtext("bpki_client_ta"))
-          referral = self.bpki_servers.cms_xml_verify(auth.text, referrer)
-          if not b64_equal(referral.text, c.findtext("bpki_ta")):
-            raise RuntimeError, "Referral trust anchor does not match"
-          sia_base = referral.get("authorized_sia_base")
-
-        except:
-          # Yes we need better handling than this
-          print "Couldn't process referral:"
-          raise
+        print "Found <authorization/> element, this looks like a referral"
+        referrer = etree_read(self.entitydb("pubclients", "%s.xml" % auth.get("referrer").replace("/",".")))
+        referrer = self.bpki_servers.fxcert(referrer.findtext("bpki_client_ta"))
+        referral = self.bpki_servers.cms_xml_verify(auth.text, referrer)
+        if not b64_equal(referral.text, client.findtext("bpki_ta")):
+          raise RuntimeError, "Referral trust anchor does not match"
+        sia_base = referral.get("authorized_sia_base")
+
+      elif client.get("parent_handle") == self.handle:
+        print "Client claims to be our child, checking"
+        client_ta = client.findtext("bpki_ta")
+        assert client_ta
+        for child in self.entitydb.iterate("children", "*.xml"):
+          c = etree_read(child)
+          if b64_equal(c.findtext("bpki_child_ta"), client_ta):
+            sia_base = "rsync://%s/%s/%s/%s/" % (self.rsync_server, self.rsync_module,
+                                                   self.handle, client.get("handle"))
+            break
+
+      # If we still haven't figured out what to do with this client, it
+      # gets a top-level tree of its own, no attempt at nesting.
-    else:
-      sia_base = "rsync://%s/%s/%s/" % (self.rsync_server, self.rsync_module, self.handle)
-      if c.get("handle") != self.handle:
-        sia_base += c.get("handle") + "/"
+      if sia_base is None:
+        print "Don't know where to nest this client, defaulting to top-level"
+        sia_base = "rsync://%s/%s/%s/" % (self.rsync_server, self.rsync_module, client.get("handle"))
+
+      assert sia_base.startswith("rsync://")
 
     client_handle = "/".join(sia_base.rstrip("/").split("/")[4:])
-    parent_handle = c.get("parent_handle")
+    parent_handle = client.get("parent_handle")
 
-    print "Client calls itself %r, we call it %r" % (c.get("handle"), client_handle)
+    print "Client calls itself %r, we call it %r" % (client.get("handle"), client_handle)
     print "Client says its parent handle is %r" % parent_handle
 
-    self.bpki_servers.fxcert(c.findtext("bpki_ta"))
+    self.bpki_servers.fxcert(client.findtext("bpki_ta"))
 
     e = Element("repository", type = "confirmed", repository_handle = self.handle,
@@ -1133,7 +1143,7 @@ class main(rpki.cli.Cmd):
                 client_handle))
     PEMElement(e, "bpki_server_ta", self.bpki_servers.cer)
-    SubElement(e, "bpki_client_ta").text = c.findtext("bpki_ta")
+    SubElement(e, "bpki_client_ta").text = client.findtext("bpki_ta")
     SubElement(e, "contact_info").text = self.pubd_contact_info
 
     etree_write(e, self.entitydb("pubclients", "%s.xml" % client_handle.replace("/", ".")))
diff --git a/myrpki.rototill/myrpki.rng b/myrpki.rototill/myrpki.rng
index dda7086e..0d898c94 100644
--- a/myrpki.rototill/myrpki.rng
+++ b/myrpki.rototill/myrpki.rng
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-  $Id: myrpki.rnc 3062 2010-03-10 06:55:02Z sra $
+  $Id: myrpki.rnc 3081 2010-03-13 22:38:13Z sra $
 
   RelaxNG Schema for MyRPKI XML messages
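Review bot: The referral branch accepts `referral.get("authorized_sia_base")` once the CMS signature verifies against the referrer's BPKI TA, but nothing checks that the authorized base lies under the referrer's own sia_base, so the `client_handle` derived from it a few lines later is scoped only by whatever that referrer chose to sign; if the referrer's pubclients record carries its sia_base, a prefix check such as `if not sia_base.startswith(referrer_sia_base): raise RuntimeError, "Referral outside referrer's sia_base"` would enforce the delegation scope the PLAN describes. In the same hunk, `assert client_ta` and `assert sia_base.startswith("rsync://")` validate input with `assert`, which is stripped under `python -O`; `if not client_ta: raise RuntimeError, "Client has no bpki_ta"` keeps the check in production. The child branch matches only on `bpki_child_ta` and then builds the rsync path from the client-supplied `client.get("handle")` rather than from the matched child record, and the top-level default likewise embeds that unvalidated handle in `sia_base` and, via `client_handle`, in the pubclients filename; unless the schema already constrains the handle character set, comparing it against the matched child's handle would close that gap. The enclosing method starts before this hunk and the `repository` element it builds continues past it.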