author | Rob Austein <sra@hactrn.net> | 2012-05-11 02:31:24 +0000 |
---|---|---|
committer | Rob Austein <sra@hactrn.net> | 2012-05-11 02:31:24 +0000 |
commit | f9ff6d1713750cae4062d2a7a38cab4119642936 (patch) | |
tree | 45919827ff06e481d9d76ae3f46879795f9209f4 | |
parent | 85ef88ddb731a9980e6fd40cc125964b75b2d958 (diff) |
Add rekey, revoke, and reissue commands. Closes #249.
svn path=/trunk/; revision=4485
-rw-r--r-- | rpkid/rpki/irdb/zookeeper.py | 27 | ||||
-rw-r--r-- | rpkid/rpki/rpkic.py | 47 |
2 files changed, 74 insertions, 0 deletions
diff --git a/rpkid/rpki/irdb/zookeeper.py b/rpkid/rpki/irdb/zookeeper.py
index b465e556..83fd8665 100644
--- a/rpkid/rpki/irdb/zookeeper.py
+++ b/rpkid/rpki/irdb/zookeeper.py
@@ -952,6 +952,33 @@ class Zookeeper(object):
 action = "set", self_handle = self.handle, publish_world_now = "yes"))
+ def reissue(self):
+ """
+ Poke rpkid to reissue everything for the current handle.
+ """
+
+ self.call_rpkid(rpki.left_right.self_elt.make_pdu(
+ action = "set", self_handle = self.handle, reissue = "yes"))
+
+ def rekey(self):
+ """
+ Poke rpkid to rekey all RPKI certificates received for the current
+ handle.
+ """
+
+ self.call_rpkid(rpki.left_right.self_elt.make_pdu(
+ action = "set", self_handle = self.handle, rekey = "yes"))
+
+
+ def revoke(self):
+ """
+ Poke rpkid to revoke old RPKI keys for the current handle.
+ """
+
+ self.call_rpkid(rpki.left_right.self_elt.make_pdu(
+ action = "set", self_handle = self.handle, revoke = "yes"))
+
+
 def call_pubd(self, *pdus):
 """
 Issue a call to pubd, return result.
diff --git a/rpkid/rpki/rpkic.py b/rpkid/rpki/rpkic.py
index d3d35b3d..afae0d90 100644
--- a/rpkid/rpki/rpkic.py
+++ b/rpkid/rpki/rpkic.py
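Review bot: In zookeeper.py the new `reissue()`, `rekey()` and `revoke()` discard whatever `call_rpkid()` returns, so unless that helper raises on an error reply (its body is not in this hunk) a caller cannot tell whether rpkid accepted the request. For key-lifecycle operations the operator needs to know that the rekey took effect before moving on to the revoke stage. Consider `return self.call_rpkid(...)` in each method, or a comment stating that `call_rpkid()` raises on failure. The `revoke()` docstring could also say that it is meant to follow `rekey()`, as the rpkic help text does.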
@@ -536,3 +536,50 @@ class main(rpki.cli.Cmd):
 raise BadCommandSyntax("Unexpected argument(s): %r" % arg)
 self.zoo.publish_world_now()
+
+
+ def do_force_reissue(self, arg):
+ """
+ Whack rpkid to force reissuance of everything.
+
+ This is not usually necessary, as rpkid reissues automatically
+ objects automatically as needed, but this command can be useful
+ occasionally when a fault or configuration error has prevented
+ rpkid from reissuing when it should have.
+ """
+
+ if arg:
+ raise BadCommandSyntax("Unexpected argument(s): %r" % arg)
+
+ self.zoo.reissue()
+
+
+ def do_up_down_rekey(self, arg):
+ """
+ Initiate a "rekey" operation: tell rpkid to generate new keys for
+ each certificate issued to it via the up-down protocol.
+
+ This is the first stage of a key rollover operation. You will
+ need to follow it up later with a "revoke" operation to clean up
+ the old keys
+ """
+
+ if arg:
+ raise BadCommandSyntax("Unexpected argument(s): %r" % arg)
+
+ self.zoo.rekey()
+
+
+ def do_up_down_revoke(self, arg):
+ """
+ Initiate a "revoke" operation: tell rpkid to clean up old keys
+ formerly used by certificiates issued to it via the up-down
+ protocol.
+
+ This is the cleanup stage of a key rollover operation.
+ """
+
+ if arg:
+ raise BadCommandSyntax("Unexpected argument(s): %r" % arg)
+
+ self.zoo.revoke() |
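Review bot: `do_up_down_revoke` runs the cleanup half of a key rollover, which presumably cannot be undone, as soon as it is typed, with no check that a rekey preceded it and no guidance on timing. The help text for `do_up_down_rekey` says to follow up "later", but neither docstring says what to wait for; both should state the condition (presumably that certificates for the new keys have been issued and published, to be confirmed against rpkid's behaviour). The docstrings also have small slips worth fixing while here: `reissues automatically objects automatically`, a missing full stop after `the old keys`, and `certificiates`. The three handlers repeat the `if arg: raise BadCommandSyntax(...)` guard already used by the preceding command (whose body starts outside the hunk), which could become a shared helper.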