author | Rob Austein <sra@hactrn.net> | 2008-05-01 07:07:28 +0000 |
committer | Rob Austein <sra@hactrn.net> | 2008-05-01 07:07:28 +0000 |
commit | ac9ca8b4e7904365dd0e37b0599f2f66b289ed46 (patch) | |
tree | 128d388c9c9aa8aad22cfa4d9998d994f5a46bf4 /rpkid/testbed.py | |
parent | dd4e65cc86b552daadc0d41408f8635236e182e0 (diff) |
Simplify BSC and start adding BPKI CRL support; the latter doesn't
work yet due to an apparent bug in OpenSSL (CMS_add0_crl() dumps core).
If through some bizarre twist of fate we revive the idea of allowing
CA certs in CMS messages, this is the change that will need to be
(partly) backed out.
svn path=/docs/left-right-xml; revision=1730
Diffstat (limited to 'rpkid/testbed.py')
-rw-r--r-- | rpkid/testbed.py | 27 |
1 files changed, 25 insertions, 2 deletions
diff --git a/rpkid/testbed.py b/rpkid/testbed.py
index bdc54a56..fc3e6328 100644
--- a/rpkid/testbed.py
+++ b/rpkid/testbed.py
@@ -584,7 +584,6 @@ class allocation(object):
else:
certifier = self.name + "-SELF-1"
certfile = certifier + "-" + certificant + ".cer"
- rpki.log.trace()
rpki.log.info("Cross certifying %s into %s's BPKI (%s)" % (certificant, certifier, certfile))
signer = subprocess.Popen((prog_openssl, "x509", "-req", "-sha256", "-text", "-extensions", "req_x509_ext", "-CAcreateserial",
@@ -638,9 +637,10 @@ class allocation(object):
rpki.log.error(signed[1])
raise RuntimeError, "Couldn't issue BSC EE certificate"
bsc_ee = rpki.x509.X509(PEM = signed[0])
+ bsc_crl = rpki.x509.CRL(PEM_file = self.name + "-SELF-1.crl")
rpki.log.info("Installing BSC EE cert for %s" % self.name)
- self.call_rpkid(rpki.left_right.bsc_elt.make_pdu(action = "set", self_id = self.self_id, bsc_id = self.bsc_id, signing_cert = (bsc_ee,)))
+ self.call_rpkid(rpki.left_right.bsc_elt.make_pdu(action = "set", self_id = self.self_id, bsc_id = self.bsc_id, signing_cert = bsc_ee, signing_cert_crl = bsc_crl))
# Once we have a real repository protocol we'll have to do cross-certification here
rpki.log.info("Creating rpkid repository object for %s" % self.name)
@@ -745,6 +745,9 @@ def setup_bpki_cert_chain(name, ee = (), ca = ()):
for kind in ee + ca:
d["kind"] = kind
s += bpki_cert_fmt_5 % d
+ for kind in ("TA",) + ca:
+ d["kind"] = kind
+ s += bpki_cert_fmt_6 % d
subprocess.check_call(s, shell = True)
def setup_rootd(rpkid_name, rpkid_tag):
@@ -828,6 +831,20 @@ CN = Test Certificate %(name)s %(kind)s
basicConstraints = CA:%(ca)s
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
+
+
+[ ca ]
+default_ca = ca_default
+
+[ ca_default ]
+
+certificate = %(name)s-%(kind)s.cer
+serial = %(name)s-%(kind)s.srl
+private_key = %(name)s-%(kind)s.key
+database = %(name)s-%(kind)s.idx
+crlnumber = %(name)s-%(kind)s.cnm
+default_crl_days = 30
+default_md = sha256
'''
bpki_cert_fmt_2 = '''\
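Review bot: The CRL handed to the BSC is loaded from a constructed path, `bsc_crl = rpki.x509.CRL(PEM_file = self.name + "-SELF-1.crl")`, with nothing saying which step produces that file or how long it stays valid; the setup side of this same commit generates it once with `default_crl_days = 30`, so a testbed left running past that will keep presenting an expired CRL, and whether rpkid checks nextUpdate is not visible here. A comment such as `# CRL of the SELF-1 BPKI CA, generated once by setup_bpki_cert_chain (openssl ca -gencrl); valid for default_crl_days only` would tie the two halves together. It is also worth a word on why `signing_cert` changed from the tuple `(bsc_ee,)` to a bare object — that depends on the new bsc_elt.make_pdu signature in left_right.py, which is not part of this diff. The enclosing method starts and ends outside the hunk.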
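Review bot: The new loop appends `bpki_cert_fmt_6` (an `openssl ca -gencrl` run) for `("TA",) + ca` to the same shell string `s` that is executed afterwards with `shell = True`, and it silently depends on two things a reader has to discover elsewhere: the `.idx` and `.cnm` files `openssl ca` needs are created earlier in `s` by the `touch`/`echo` lines this commit adds to `bpki_cert_fmt_3`, and `ca` must be a tuple, since `("TA",) + ca` raises TypeError for a list (the existing `ee + ca` makes the same assumption). A comment would help: `# Issue an initial CRL for the TA and every CA kind; openssl ca reads the .idx/.cnm files primed by bpki_cert_fmt_3`. Each added template line also extends the surface where the name/kind values are interpolated into a shell command; that is the existing pattern in this function and the values are presumably testbed-controlled, but stating that assumption near the check_call would be useful. setup_bpki_cert_chain starts outside the hunk.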
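Review bot: The new `[ ca ]` / `[ ca_default ]` section in the OpenSSL config template carries no comment explaining that it exists only so the `openssl ca -batch -gencrl` command in `bpki_cert_fmt_6` can locate the certificate, key, index and CRL-number files for a kind, nor that `default_crl_days = 30` fixes the CRL's nextUpdate at 30 days. Since nothing in the testbed regenerates CRLs after setup, that 30-day window is effectively the lifetime of the BPKI-CRL path; a line such as `# [ca] section is used only by 'openssl ca -gencrl' (bpki_cert_fmt_6); CRLs are generated once and expire after default_crl_days` inside the template (OpenSSL config comments start with `#`, and the line contains no `%` so the Python formatting is unaffected) would record that. Which template variable this string belongs to is not visible from the hunk, though it precedes `bpki_cert_fmt_2`.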
@@ -836,6 +853,8 @@ bpki_cert_fmt_2 = '''\
bpki_cert_fmt_3 = '''\
%(openssl)s req -new -sha256 -key %(name)s-%(kind)s.key -out %(name)s-%(kind)s.req -config %(name)s-%(kind)s.conf &&
+touch %(name)s-%(kind)s.idx &&
+echo >%(name)s-%(kind)s.cnm 01 &&
'''
bpki_cert_fmt_4 = '''\
@@ -847,6 +866,10 @@ bpki_cert_fmt_5 = ''' && \
-CA %(name)s-TA.cer -CAkey %(name)s-TA.key -CAcreateserial \
'''
+bpki_cert_fmt_6 = ''' && \
+%(openssl)s ca -batch -gencrl -out %(name)s-%(kind)s.crl -config %(name)s-%(kind)s.conf \
+'''
+
yaml_fmt_1 = '''---
version: 1
posturl: https://localhost:%(https_port)s/up-down/%(child_id)s |
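Review bot: The two lines added to `bpki_cert_fmt_3`, `touch %(name)s-%(kind)s.idx &&` and `echo >%(name)s-%(kind)s.cnm 01 &&`, prime the index database and CRL-number file that `openssl ca` expects, but nothing says so, and the redirection placed before the argument reads like a typo; `echo 01 >%(name)s-%(kind)s.cnm &&` is equivalent and clearer. Because fmt_3 is the `req` step, it presumably runs for every kind, so these files are also created for EE kinds that never get a CRL — harmless, but worth the comment `# empty index and initial CRL number so 'openssl ca -gencrl' (bpki_cert_fmt_6) can run for this kind` above the assignment.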
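Review bot: `bpki_cert_fmt_6` runs `openssl ca -batch -gencrl` with `-config %(name)s-%(kind)s.conf`, so it only works for kinds whose generated config contains the `[ ca ]` section this commit adds to the config template, and it has no comment saying that the `%(name)s-%(kind)s.crl` it writes is the `-SELF-1.crl` file the BSC `set` PDU later loads. A one-line comment above the assignment, `# Initial BPKI CRL for a CA kind; needs the [ca] config section and the .idx/.cnm files primed by bpki_cert_fmt_3`, would make the coupling between the three templates explicit. Like the other `bpki_cert_fmt_*` strings it interpolates name/kind into a command run with `shell = True`; that matches the existing style, but the trust placed in those values is worth stating once where `s` is executed.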