-rw-r--r-- | myrpki/Makefile | 2 | ||||
-rw-r--r-- | myrpki/myrpki.conf | 39 | ||||
-rwxr-xr-x | myrpki/xml-parse-test.py | 4 |
3 files changed, 30 insertions, 15 deletions
diff --git a/myrpki/Makefile b/myrpki/Makefile
index 004b35df..d8d30598 100644
--- a/myrpki/Makefile
+++ b/myrpki/Makefile
@@ -3,7 +3,7 @@ all:: relatives
 all:: myrpki.xml
 all:: lint
-#all:: parse
+all:: parse
 all:: load
 myrpki.xml: myrpki.py asns.csv prefixes.csv roas.csv validity.csv
diff --git a/myrpki/myrpki.conf b/myrpki/myrpki.conf
index bdf93969..7e6be041 100644
--- a/myrpki/myrpki.conf
+++ b/myrpki/myrpki.conf
@@ -14,15 +14,26 @@ parents_csv = parents.csv
 prefix_csv = prefixes.csv
 asn_csv = asns.csv
+# The only things in the following list whose pathnames are really any
+# of the user's business are the ca-cert and the directory name.
+# Everything else is internal use and could be wired in place for all
+# the user should really care. Perhaps this means that some code can
+# be simplified considerably....
+
+# User cares about these
 bpki_ca_dir = bpki
-bpki_serial = bpki/serial.txt
-bpki_crl_number = bpki/crl_number.txt
-bpki_ca_certificate = bpki/ca_cert.pem
-bpki_ca_key = bpki/ca_key.pem
-bpki_ee_certificate = bpki/bsc_ee_cert.pem
-bpki_ee_pkcs10 = bpki/bsc_ee_pkcs10.pem
-bpki_crl = bpki/crl.pem
-bpki_index = bpki/index.txt
+bpki_ca_certificate = bpki/ca.cer
+
+# User knows about these but doesn't need to touch them
+bpki_ca_key = bpki/ca.key
+bpki_crl = bpki/ca.crl
+bpki_ee_certificate = bpki/bsc.cer
+bpki_ee_pkcs10 = bpki/bsc.req
+
+# Internal database junk for "openssl ca"
+bpki_index = bpki/index
+bpki_serial = bpki/serial
+bpki_crl_number = bpki/crl_number
 output_filename = myrpki.xml
 relaxng_schema = myrpki.rng
@@ -30,6 +41,8 @@ relaxng_schema = myrpki.rng
 [constants]
 digest = sha256
 key_length = 2048
+cert_days = 365
+crl_days = 365
 [req]
 default_bits = ${constants::key_length}
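Review bot: The `# User knows about these but doesn't need to touch them` group in the myrpki.conf hunk places the CA private key (`bpki_ca_key = bpki/ca.key`) beside the CRL, the EE certificate and the PKCS#10 request, which are all public artifacts, and nothing in the new comments says the key is the one file in the list that must stay confidential. Suggested comment directly above that line: `# ca.key is the BPKI CA private key: keep it readable only by the user running these tools; everything else in this group is safe to publish.` Whether the code that generates ca.key sets restrictive permissions on it is not visible in this diff.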
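Review bot: `crl_days = 365` in the new [constants] block carries the previous `default_crl_days = 365` over as a named constant, so every CRL issued through the ca_default section advertises a nextUpdate a year out; a verifier that honours nextUpdate will keep accepting a cached CRL, and with it a revoked BSC certificate, until then. If the CRL is regenerated on every build (the Makefile hunk suggests a build-everything flow, but the CRL step is not visible here) a much shorter value costs nothing. If a year is deliberate, a comment such as `# crl_days bounds how long a stale CRL, and thus a revoked cert, stays accepted` would record the trade-off next to the value.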
@@ -60,19 +73,19 @@ default_ca = ca_default
 [ca_default]
-database = ${myrpki::bpki_index}
 new_certs_dir = ${myrpki::bpki_ca_dir}
+database = ${myrpki::bpki_index}
 certificate = ${myrpki::bpki_ca_certificate}
 private_key = ${myrpki::bpki_ca_key}
-default_days = 365
-default_crl_days = 365
+default_days = ${constants::cert_days}
+default_crl_days = ${constants::crl_days}
 default_md = ${constants::digest}
-policy = ca_dn_policy_allow_any_dn
+policy = ca_dn_policy_only_require_cn
 unique_subject = no
 serial = ${myrpki::bpki_serial}
 crlnumber = ${myrpki::bpki_crl_number}
-[ca_dn_policy_allow_any_dn]
+[ca_dn_policy_only_require_cn]
 countryName = optional
 stateOrProvinceName = optional
 localityName = optional
diff --git a/myrpki/xml-parse-test.py b/myrpki/xml-parse-test.py
index e6a3a410..698f04f4 100755
--- a/myrpki/xml-parse-test.py
+++ b/myrpki/xml-parse-test.py
@@ -60,7 +60,9 @@ for x in tree.getiterator(tag("roa_request")):
 print
 def showpem(label, b64, kind):
- cmd = ("openssl", kind, "-noout", "-text", "-inform", "DER", "-certopt", "no_pubkey,no_sigdump")
+ cmd = ("openssl", kind, "-noout", "-text", "-inform", "DER")
+ if kind == "x509":
+ cmd += ("-certopt", "no_pubkey,no_sigdump")
 p = subprocess.Popen(cmd, stdin = subprocess.PIPE, stdout = subprocess.PIPE)
 text = p.communicate(input = base64.b64decode(b64))[0]
 if p.returncode != 0: |
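Review bot: `[ca_dn_policy_only_require_cn]` renames the policy section without changing any of its entries: the visible ones are all `optional` and the hunk adds no `commonName = supplied`, so unless the remainder of the section (outside the hunk) already requires commonName, the new name promises a constraint that `openssl ca` will not enforce. If the intent is to require the CN, add `commonName = supplied` to the section; otherwise keep a name that describes what the policy actually does. The policy section continues past the end of the hunk.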
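Review bot: showpem gains a branch that adds `-certopt` only when `kind == "x509"`, but neither the function nor the branch records why, and the reason (presumably that the crl subcommand rejects -certopt, which is what prompted the change) is what the next reader needs. Suggested docstring for showpem: `"""Print the DER blob in b64 via "openssl <kind> -text"; kind is the openssl subcommand ("x509" or "crl"). -certopt is x509-only, so it is added for certificates alone."""`. Since `kind` is passed straight through as the subcommand, any other value only shows up as the non-zero returncode tested on the last line; the function body continues past the end of the hunk.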