-rw-r--r-- | myrpki/Makefile | 5 | ||||
-rw-r--r-- | myrpki/myirbe.py | 159 | ||||
-rw-r--r-- | myrpki/myrpki.py | 116 | ||||
-rw-r--r-- | myrpki/myrpki.rnc | 15 | ||||
-rw-r--r-- | myrpki/myrpki.rng | 28 | ||||
-rwxr-xr-x | myrpki/xml-parse-test.py | 24 |
6 files changed, 137 insertions, 210 deletions
diff --git a/myrpki/Makefile b/myrpki/Makefile
index 4aaeb0b5..5ef4e4bd 100644
--- a/myrpki/Makefile
+++ b/myrpki/Makefile
@@ -7,7 +7,7 @@
 #all:: graph
 all:: load
-myrpki.xml: myrpki.py asns.csv prefixes.csv roas.csv validity.csv
+myrpki.xml: myrpki.py asns.csv prefixes.csv roas.csv validity.csv bpki.myrpki
 python myrpki.py
 lint: myrpki.xml myrpki.rng
@@ -22,6 +22,9 @@ parse: myrpki.xml myrpki.rng
 load: myrpki.xml myrpki.rng
 python myirbe.py
+bpki.myrpki:
+ python myirbe.py
+
 clean:
 rm -rf *.xml bpki.myrpki bpki.rpkid bpki.pubd bpki.rootd
diff --git a/myrpki/myirbe.py b/myrpki/myirbe.py
index 81b9ac03..ac14c7f3 100644
--- a/myrpki/myirbe.py
+++ b/myrpki/myirbe.py
@@ -114,6 +114,9 @@ if modified:
 print "BPKI (re)initialized. You need to (re)start daemons before continuing."
 sys.exit()
+self_crl_interval = cfg.get("self_crl_interval", 300)
+self_regen_margin = cfg.get("self_regen_margin", 120)
+
 # These probably come from the .conf file
 rsync_base = "rsync://server.example/"
 pubd_base = "https://localhost:4402"
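Review bot: The new `bpki.myrpki:` target has no prerequisites and its recipe is the same `python myirbe.py` that `load` already runs, so make only learns that the script exited 0, not that the directory it is named after was created; the myirbe.py hunk at -114 shows the BPKI-init path ending in a bare `sys.exit()`, which is status 0 as far as this diff shows. I'd end the recipe with `test -d bpki.myrpki` so a run that did not produce the directory fails the build rather than letting `myrpki.xml` be built without it. A one-line comment on the target, `# one-time BPKI bootstrap; myirbe.py exits after creating it and asks for a daemon restart`, would also stop readers from treating it as interchangeable with `load`.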
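Review bot: `self_crl_interval = cfg.get("self_crl_interval", 300)` and `self_regen_margin = cfg.get("self_regen_margin", 120)` now sit at module level with bare numeric defaults, and since the hunk at -228 deletes the per-xmlfile copies they apply to every hosted entity processed in one run; neither fact is stated. I'd put `# CRL interval / regen margin for every <self/> object this run creates; 300/120 are testbed values, production should set them in the .conf` above the pair, and name the unit once it is confirmed (rpkid's left-right crl_interval is seconds as far as I recall, but please verify). If `cfg.get` can return a string for a configured value, the later `self_pdu.crl_interval != self_crl_interval` comparison in the hunk at -313 would never match and would re-`set` the self object on every run, so wrapping both in `int(...)` removes that doubt.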
@@ -228,49 +231,6 @@ for xmlfile in xmlfiles:
 db.commit()
- # Various parameters that ought to come out of a config or xml file eventually
-
- self_crl_interval = cfg.get("self_crl_interval", 300)
- self_regen_margin = cfg.get("self_regen_margin", 120)
-
- # These are specific to the entity under discussion, and in this
- # script's case may differ depending on whether this is the
- # self-hosting case or not.
-
- # Perhaps what we need here is to have the hosting entity's handle and
- # sia base in the .conf file, then as we go we check each hosted
- # entity to see whether (a) it's the right .xml file and (b) its
- # handle matches the hosting handle. We can put hosted entities under
- # the self-hosted entity automatically, but the self-hosted entity
- # will need another .conf file entry telling it the parent's service
- # uri (or do we get that from the .xml somehow?)
-
- # This is wrong, should be parent's sia_base + handle + "/", but
- # how do we get parent's sia_base in this setup?
- #
- parent_sia_base = rsync_base + handle + "/"
- pubd_base_uri = parent_sia_base
-
- # Ok, so part of my confusion is that I've never tested multiple
- # parents before. The parent sia_base and pubd client base_uri are
- # almost the same thing, but not quite. pubd base_uri is what pubd
- # insists upon as the head of the publication URI, or it won't
- # publish. parent sia_base is either the base URI at which rpkid will
- # publish stuff issued by the cert issued by this parent, or is the
- # head of that base URI (if the parent made an acceptable suggestion,
- # where acceptable means that the configured sia_base is the head of
- # the parent's suggestion).
- #
- # I think this boils down to meaning that if we have multiple
- # parents, we also need multiple repository objects, which -may- in
- # turn mean multiple pubd client objects -- if our pubd is relevant
- # at all. Assume for now that if we're running pubd at all,
- # everything our rpkid generates goes into it.
- #
- # We also need to compare all these URIs against pubd's publication
- base, so we know whether this is our problem or not. For testbed,
- we probably are, at least initially.
-
 hosted_cacert = findbase64(tree, "bpki_ca_certificate")
 if not hosted_cacert:
 print "Nothing else I can do without a trust anchor for the entity I'm hosting."
@@ -284,6 +244,10 @@ for xmlfile in xmlfiles:
 client_pdu = pubd_reply[0]
+ # This is doubly wrong -- both the wrong value and (probably) set in the wrong place.
+ # Do it anyway for now, for testing.
+ pubd_base_uri = rsync_base + handle + "/"
+
 if isinstance(client_pdu, rpki.publication.report_error_elt) or client_pdu.base_uri != pubd_base_uri or client_pdu.bpki_cert != pubd_xcert:
 pubd_reply = call_pubd((rpki.publication.client_elt.make_pdu(
 action = "create" if isinstance(client_pdu, rpki.publication.report_error_elt) else "set",
@@ -313,12 +277,12 @@ for xmlfile in xmlfiles:
 if (isinstance(self_pdu, rpki.left_right.report_error_elt) or
 self_pdu.crl_interval != self_crl_interval or
 self_pdu.regen_margin != self_regen_margin or
- self_pdu.bpki_cert != pubd_xcert):
+ self_pdu.bpki_cert != rpkid_xcert):
 rpkid_query.append(rpki.left_right.self_elt.make_pdu(
 action = "create" if isinstance(self_pdu, rpki.left_right.report_error_elt) else "set",
 tag = "self",
 self_handle = handle,
- bpki_cert = pubd_xcert,
+ bpki_cert = rpkid_xcert,
 crl_interval = self_crl_interval,
 regen_margin = self_regen_margin))
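Review bot: `pubd_base_uri = rsync_base + handle + "/"` is introduced with a comment saying it is the wrong value, yet the `if` right after it compares it to `client_pdu.base_uri` and issues a `set` when they differ, so every run of this script will overwrite whatever base_uri pubd currently holds for this client with the admittedly wrong one; the later `pubd_base_uri = parent_sia_base` inside the parent loop (hunk at -356) executes after this check and never feeds into it. base_uri is the prefix pubd enforces on what this client may publish, so silently rewriting it is not something a testing placeholder should do as a side effect. I'd drop the `client_pdu.base_uri != pubd_base_uri` term until the real value is available, or at least turn the comment into `# TODO: derive from the parent's sia_base` and print the old and new base_uri whenever this branch triggers a `set`, so the overwrite is visible in the run log.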
@@ -356,37 +320,78 @@ for xmlfile in xmlfiles:
 if bsc_pdu and bsc_pdu.pkcs10_request:
 bsc_req = bsc_pdu.pkcs10_request
+
 for parent in tree.getiterator(tag("parent")):
+ # Perhaps what we need here is to have the hosting entity's handle and
+ # sia base in the .conf file, then as we go we check each hosted
+ # entity to see whether (a) it's the right .xml file and (b) its
+ # handle matches the hosting handle. We can put hosted entities under
+ # the self-hosted entity automatically, but the self-hosted entity
+ # will need another .conf file entry telling it the parent's service
+ # uri (or do we get that from the .xml somehow?)
+ #
+ # Ok, so part of my confusion is that I've never tested multiple
+ # parents before. The parent sia_base and pubd client base_uri are
+ # almost the same thing, but not quite. pubd base_uri is what pubd
+ # insists upon as the head of the publication URI, or it won't
+ # publish. parent sia_base is either the base URI at which rpkid will
+ # publish stuff issued by the cert issued by this parent, or is the
+ # head of that base URI (if the parent made an acceptable suggestion,
+ # where acceptable means that the configured sia_base is the head of
+ # the parent's suggestion).
+ #
+ # I think this boils down to meaning that if we have multiple
+ # parents, we also need multiple repository objects, which -may- in
+ # turn mean multiple pubd client objects -- if our pubd is relevant
+ # at all. Assume for now that if we're running pubd at all,
+ # everything our rpkid generates goes into it.
+ #
+ # We also need to compare all these URIs against pubd's publication
+ # base, so we know whether this is our problem or not. For testbed,
+ # we probably are, at least initially.
+
 parent_handle = parent.get("handle")
+
 repository_pdu = repository_pdus.pop(parent_handle, None)
 parent_pdu = parent_pdus.pop(parent_handle, None)
- repository_peer_contact_uri = pubd_base + "/client/" + handle
+
+ parent_uri = parent.get("parent_service_uri")
+ parent_cert = findbase64(parent, "parent_bpki_certificate")
+
+ repository_uri = parent.get("repository_service_uri")
+ repository_cert = findbase64(parent, "repository_bpki_certificate")
+
+ # This is wrong, should be parent's sia_base + handle + "/", but
+ # how do we get parent's sia_base in this setup?
+ #
+ parent_sia_base = rsync_base + handle + "/"
+ pubd_base_uri = parent_sia_base
 if (repository_pdu is None or
 repository_pdu.bsc_handle != bsc_handle or
- repository_pdu.peer_contact_uri != repository_peer_contact_uri or
- repository_pdu.bpki_cms_cert != rpkid_xcert or
- repository_pdu.bpki_https_cert != rpkid_xcert):
+ repository_pdu.peer_contact_uri != repository_uri or
+ repository_pdu.bpki_cms_cert != repository_cert or
+ repository_pdu.bpki_https_cert != repository_cert):
 rpkid_query.append(rpki.left_right.repository_elt.make_pdu(
 action = "create" if repository_pdu is None else "set",
- tag = "repository",
+ tag = parent_handle,
 self_handle = handle,
 repository_handle = parent_handle,
 bsc_handle = bsc_handle,
- peer_contact_uri = repository_peer_contact_uri,
- bpki_cms_cert = rpkid_xcert,
- bpki_https_cert = rpkid_xcert))
+ peer_contact_uri = repository_uri,
+ bpki_cms_cert = repository_cert,
+ bpki_https_cert = repository_cert))
 if (parent_pdu is None or
 parent_pdu.bsc_handle != bsc_handle or
 parent_pdu.repository_handle != parent_handle or
- parent_pdu.peer_contact_uri != parent.get("uri") or
+ parent_pdu.peer_contact_uri != parent_uri or
 parent_pdu.sia_base != parent_sia_base or
 parent_pdu.sender_name != handle or
 parent_pdu.recipient_name != parent_handle or
- parent_pdu.bpki_cms_cert != rpkid_xcert or
- parent_pdu.bpki_https_cert != rpkid_xcert):
+ parent_pdu.bpki_cms_cert != parent_cert or
+ parent_pdu.bpki_https_cert != parent_cert):
 rpkid_query.append(rpki.left_right.parent_elt.make_pdu(
 action = "create" if parent_pdu is None else "set",
 tag = parent_handle,
@@ -394,12 +399,12 @@ for xmlfile in xmlfiles:
 parent_handle = parent_handle,
 bsc_handle = bsc_handle,
 repository_handle = parent_handle,
- peer_contact_uri = parent.get("uri"),
+ peer_contact_uri = parent_uri,
 sia_base = parent_sia_base,
 sender_name = handle,
 recipient_name = parent_handle,
- bpki_cms_cert = rpkid_xcert,
- bpki_https_cert = rpkid_xcert))
+ bpki_cms_cert = parent_cert,
+ bpki_https_cert = parent_cert))
 rpkid_query.extend(rpki.left_right.repository_elt.make_pdu(
 action = "destroy", self_handle = handle, repository_handle = r) for r in repository_pdus)
@@ -411,17 +416,18 @@ for xmlfile in xmlfiles:
 child_handle = child.get("handle")
 child_pdu = child_pdus.pop(child_handle, None)
+ child_cert = findbase64(child, "bpki_certificate")
 if (child_pdu is None or
 child_pdu.bsc_handle != bsc_handle or
- child_pdu.bpki_cert != rpkid_xcert):
+ child_pdu.bpki_cert != child_cert):
 rpkid_query.append(rpki.left_right.child_elt.make_pdu(
 action = "create" if child_pdu is None else "set",
 tag = child_handle,
 self_handle = handle,
 child_handle = child_handle,
 bsc_handle = bsc_handle,
- bpki_cert = rpkid_xcert))
+ bpki_cert = child_cert))
 rpkid_query.extend(rpki.left_right.child_elt.make_pdu(
 action = "destroy", self_handle = handle, child_handle = c) for c in child_pdus)
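Review bot: `parent_cert = findbase64(parent, "parent_bpki_certificate")` and `repository_cert = findbase64(parent, "repository_bpki_certificate")` go straight into rpkid as `bpki_cms_cert`/`bpki_https_cert`, but the schema in this same commit leaves both elements optional and the `if not hosted_cacert:` check earlier in the file shows `findbase64` yields a false value when the element is absent, so a <parent> without a PEM would create or `set` a parent and repository object with an empty BPKI trust anchor, or be rejected by rpkid with an error that does not say which parent. I'd guard before the first `if (repository_pdu is None or` block: `if not parent_cert or not repository_cert:` / `print "Skipping parent %s: missing BPKI certificate" % parent_handle` / `continue`. `pubd_base_uri = parent_sia_base` is assigned inside this loop but its only reader is the pubd client check earlier in the per-xmlfile body, so with several parents the last one wins and nothing here uses it; that line can go. Both the repository and parent PDUs now carry `tag = parent_handle`, which is fine if the tag is merely echoed, but deserves a comment if reply handling elsewhere matches on it.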
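Review bot: `child_cert = findbase64(child, "bpki_certificate")` is used unchecked as the child's `bpki_cert`, presumably the certificate rpkid authenticates that child's up-down traffic against; `bpki_certificate` is optional in the schema this commit writes, so a child row without a PEM yields a false value here and `child_pdu.bpki_cert != child_cert` then creates or resets the child with no trust anchor. A short guard before the `if (child_pdu is None or` block, `if not child_cert:` / `print "Skipping child %s: no bpki_certificate" % child_handle` / `continue`, keeps such a child out of rpkid until the operator supplies the certificate. The enclosing `for` over children starts before this hunk.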
@@ -446,35 +452,4 @@ for xmlfile in xmlfiles:
 lxml.etree.ElementTree(tree).write(xmlfile + ".tmp", pretty_print = True)
 os.rename(xmlfile + ".tmp", xmlfile)
- if False:
-
- for x in tree.getiterator(tag("child")):
- ta = findbase64(x, "bpki_ta")
- if ta:
- ta.pprint()
-
- for x in tree.getiterator(tag("parent")):
- print "Parent URI:", x.get("uri")
- ta = findbase64(x, "bpki_ta")
- if ta:
- ta.pprint()
-
- ca = findbase64(tree, "bpki_ca_certificate")
- if ca:
- ca.pprint()
-
- bsc = findbase64(tree, "bpki_bsc_certificate")
- if bsc:
- bsc.pprint()
-
- req = findbase64(tree, "bpki_bsc_pkcs10", rpki.x509.PKCS10)
- if req:
- req.pprint()
-
- crl = findbase64(tree, "bpki_crl", rpki.x509.CRL)
- if crl:
- crl.pprint()
-
-
 db.close()
diff --git a/myrpki/myrpki.py b/myrpki/myrpki.py
index 697522fa..8a1258f0 100644
--- a/myrpki/myrpki.py
+++ b/myrpki/myrpki.py
@@ -91,12 +91,12 @@ class child(object):
 self.v4 = comma_set()
 self.v6 = comma_set()
 self.validity = None
- self.ta = None
+ self.bpki_certificate = None
 def __repr__(self):
- return "<%s v4 %s v6 %s asns %s validity %s ta %s>" % (self.__class__.__name__, self.v4, self.v6, self.asns, self.validity, self.ta)
+ return "<%s v4 %s v6 %s asns %s validity %s cert %s>" % (self.__class__.__name__, self.v4, self.v6, self.asns, self.validity, self.bpki_certificate)
- def add(self, prefix = None, asn = None, validity = None, ta = None):
+ def add(self, prefix = None, asn = None, validity = None, bpki_certificate = None):
 if prefix is not None:
 if self.v4re.match(prefix):
 self.v4.add(prefix)
@@ -108,8 +108,8 @@ class child(object):
 self.asns.add(asn)
 if validity is not None:
 self.validity = validity
- if ta is not None:
- self.ta = ta
+ if bpki_certificate is not None:
+ self.bpki_certificate = bpki_certificate
 def xml(self, e):
 e2 = SubElement(e, "child",
@@ -118,16 +118,16 @@ class child(object):
 asns = str(self.asns),
 v4 = str(self.v4),
 v6 = str(self.v6))
- if self.ta:
- PEMElement(e2, "bpki_ta", self.ta)
+ if self.bpki_certificate:
+ PEMElement(e2, "bpki_certificate", self.bpki_certificate)
 return e2
 class children(dict):
- def add(self, handle, prefix = None, asn = None, validity = None, ta = None):
+ def add(self, handle, prefix = None, asn = None, validity = None, bpki_certificate = None):
 if handle not in self:
 self[handle] = child(handle)
- self[handle].add(prefix = prefix, asn = asn, validity = validity, ta = ta)
+ self[handle].add(prefix = prefix, asn = asn, validity = validity, bpki_certificate = bpki_certificate)
 def xml(self, e):
 for c in self.itervalues():
@@ -138,7 +138,7 @@ class children(dict):
 self = cls()
 # childname date pemfile
 for handle, date, pemfile in csv_open(children_csv_file):
- self.add(handle = handle, validity = date, ta = xcert(pemfile))
+ self.add(handle = handle, validity = date, bpki_certificate = xcert(pemfile))
 # childname p/n
 for handle, pn in csv_open(prefix_csv_file):
 self.add(handle = handle, prefix = pn)
@@ -151,32 +151,44 @@ class parent(object):
 def __init__(self, handle):
 self.handle = handle
- self.uri = None
- self.ta = None
+ self.parent_service_uri = None
+ self.parent_bpki_certificate = None
+ self.repository_service_uri = None
+ self.repository_bpki_certificate = None
 def __repr__(self):
- return "<%s uri %s ta %s>" % (self.__class__.__name__, self.uri, self.ta)
-
- def add(self, uri = None, ta = None):
- if uri is not None:
- self.uri = uri
- if ta is not None:
- self.ta = ta
+ return "<%s uri %s cert %s uri %s cert %s>" % (self.__class__.__name__,
+ self.parent_service_uri, self.parent_bpki_certificate,
+ self.repository_service_uri, self.repository_bpki_certificate)
+
+ def add(self, parent_service_uri = None, parent_bpki_certificate = None, repository_service_uri = None, repository_bpki_certificate = None):
+ if parent_service_uri is not None:
+ self.parent_service_uri = parent_service_uri
+ if parent_bpki_certificate is not None:
+ self.parent_bpki_certificate = parent_bpki_certificate
+ if repository_service_uri is not None:
+ self.repository_service_uri = repository_service_uri
+ if repository_bpki_certificate is not None:
+ self.repository_bpki_certificate = repository_bpki_certificate
 def xml(self, e):
 e2 = SubElement(e, "parent",
 handle = self.handle,
- uri = self.uri)
- if self.ta:
- PEMElement(e2, "bpki_ta", self.ta)
+ parent_service_uri = self.parent_service_uri,
+ repository_service_uri = self.repository_service_uri)
+ if self.parent_bpki_certificate:
+ PEMElement(e2, "parent_bpki_certificate", self.parent_bpki_certificate)
+ if self.repository_bpki_certificate:
+ PEMElement(e2, "repository_bpki_certificate", self.repository_bpki_certificate)
 return e2
 class parents(dict):
- def add(self, handle, uri = None, ta = None):
+ def add(self, handle, parent_service_uri = None, parent_bpki_certificate = None, repository_service_uri = None, repository_bpki_certificate = None):
 if handle not in self:
 self[handle] = parent(handle)
- self[handle].add(uri = uri, ta = ta)
+ self[handle].add(parent_service_uri = parent_service_uri, parent_bpki_certificate = parent_bpki_certificate,
+ repository_service_uri = repository_service_uri, repository_bpki_certificate = repository_bpki_certificate)
 def xml(self, e):
 for c in self.itervalues():
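Review bot: The new `__repr__` labels both pairs as `uri %s cert %s`, so a printed parent gives no way to tell the parent-service pair from the repository pair; `"<%s parent_uri %s parent_cert %s repository_uri %s repository_cert %s>"` costs nothing and removes the ambiguity. In `xml()`, `parent_service_uri = self.parent_service_uri` and `repository_service_uri = self.repository_service_uri` are passed as attributes unconditionally while the two certificates are guarded with `if`; the schema in this commit makes both URIs optional, so a parent whose URI is still `None` hands SubElement a None attribute value, which lxml does not accept as far as I know. Either set them only when present (`if self.parent_service_uri: e2.set("parent_service_uri", self.parent_service_uri)`) or document on the class that both URIs are mandatory and let `add` reject `None`. Class `parent` ends inside this hunk; `parents.xml` continues past it.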
@@ -185,52 +197,11 @@ class parents(dict):
 @classmethod
 def from_csv(cls, parents_csv_file, xcert):
 self = cls()
- # parentname uri pemfile
- for handle, uri, pemfile in csv_open(parents_csv_file):
- self.add(handle = handle, uri = uri, ta = xcert(pemfile))
- return self
-
-class repository(object):
-
- def __init__(self, handle):
- self.handle = handle
- self.uri = None
- self.ta = None
-
- def __repr__(self):
- return "<%s uri %s ta %s>" % (self.__class__.__name__, self.uri, self.ta)
-
- def add(self, uri = None, ta = None):
- if uri is not None:
- self.uri = uri
- if ta is not None:
- self.ta = ta
-
- def xml(self, e):
- e2 = SubElement(e, "repository",
- handle = self.handle,
- uri = self.uri)
- if self.ta:
- PEMElement(e2, "bpki_ta", self.ta)
- return e2
-
-class repositories(dict):
-
- def add(self, handle, uri = None, ta = None):
- if handle not in self:
- self[handle] = repository(handle)
- self[handle].add(uri = uri, ta = ta)
-
- def xml(self, e):
- for r in self.itervalues():
- r.xml(e)
-
- @classmethod
- def from_csv(cls, repositories_csv_file, xcert):
- self = cls()
- # repositoryname uri pemfile
- for handle, uri, pemfile in csv_open(repositories_csv_file):
- self.add(handle = handle, uri = uri, ta = xcert(pemfile))
+ # parentname parent_service_uri parent_bpki_pemfile repository_service_uri repository_bpki_pemfile
+ for handle, parent_service_uri, parent_pemfile, repository_service_uri, repository_pemfile in csv_open(parents_csv_file):
+ self.add(handle = handle,
+ parent_service_uri = parent_service_uri, parent_bpki_certificate = xcert(parent_pemfile),
+ repository_service_uri = repository_service_uri, repository_bpki_certificate = xcert(repository_pemfile))
 return self
 def csv_open(filename, delimiter = "\t", dialect = None):
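Review bot: The parents CSV grows from three to five columns in `for handle, parent_service_uri, parent_pemfile, repository_service_uri, repository_pemfile in csv_open(parents_csv_file):`, so an existing `parents.csv` in the old `parentname uri pemfile` layout now fails with a bare unpack `ValueError` that names neither the file nor the row, and the data that used to live in the deleted `repositories.csv` has no stated migration path. I'd iterate the rows explicitly, check `len(row) == 5`, and raise with the filename and the offending row before unpacking, so the format change is diagnosable at the first bad line. The column comment is welcome; adding that both PEM files are passed through `xcert()` (presumably cross-certified under the local BPKI rather than stored raw) would answer the obvious follow-up question.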
@@ -401,7 +372,6 @@ def main():
 parents_csv_file = cfg.get(myrpki_section, "parents_csv")
 prefix_csv_file = cfg.get(myrpki_section, "prefix_csv")
 asn_csv_file = cfg.get(myrpki_section, "asn_csv")
- repositories_csv_file= cfg.get(myrpki_section, "repositories_csv")
 bpki_dir = cfg.get(myrpki_section, "bpki_directory")
 xml_filename = cfg.get(myrpki_section, "xml_filename")
@@ -428,10 +398,6 @@ def main():
 parents_csv_file = parents_csv_file,
 xcert = bpki.xcert).xml(e)
- repositories.from_csv(
- repositories_csv_file = repositories_csv_file,
- xcert = bpki.xcert).xml(e)
-
 PEMElement(e, "bpki_ca_certificate", bpki.cer)
 PEMElement(e, "bpki_crl", bpki.crl)
diff --git a/myrpki/myrpki.rnc b/myrpki/myrpki.rnc
index 288095de..bf479d13 100644
--- a/myrpki/myrpki.rnc
+++ b/myrpki/myrpki.rnc
@@ -20,7 +20,6 @@ start = element myrpki {
 roa_request_elt*,
 child_elt*,
 parent_elt*,
- repository_elt*,
 bpki_ca_certificate_elt?,
 bpki_crl_elt?,
 bpki_bsc_certificate_elt?,
@@ -39,19 +38,15 @@ child_elt = element child {
 attribute asns { asn_list }?,
 attribute v4 { ipv4_list }?,
 attribute v6 { ipv6_list }?,
- element bpki_ta { base64 }?
+ element bpki_certificate { base64 }?
 }
 parent_elt = element parent {
 attribute handle { object_handle },
- attribute uri { uri }?,
- element bpki_ta { base64 }?
-}
-
-repository_elt = element repository {
- attribute handle { object_handle },
- attribute uri { uri }?,
- element bpki_ta { base64 }?
+ attribute parent_service_uri { uri }?,
+ attribute repository_service_uri { uri }?,
+ element parent_bpki_certificate { base64 }?,
+ element repository_bpki_certificate { base64 }?
 }
 bpki_ca_certificate_elt = element bpki_ca_certificate { base64 }
diff --git a/myrpki/myrpki.rng b/myrpki/myrpki.rng
index ddd19765..89ee25f0 100644
--- a/myrpki/myrpki.rng
+++ b/myrpki/myrpki.rng
@@ -61,9 +61,6 @@
 <zeroOrMore>
 <ref name="parent_elt"/>
 </zeroOrMore>
- <zeroOrMore>
- <ref name="repository_elt"/>
- </zeroOrMore>
 <optional>
 <ref name="bpki_ca_certificate_elt"/>
 </optional>
@@ -117,7 +114,7 @@
 </attribute>
 </optional>
 <optional>
- <element name="bpki_ta">
+ <element name="bpki_certificate">
 <ref name="base64"/>
 </element>
 </optional>
@@ -129,29 +126,22 @@
 <ref name="object_handle"/>
 </attribute>
 <optional>
- <attribute name="uri">
+ <attribute name="parent_service_uri">
 <ref name="uri"/>
 </attribute>
 </optional>
 <optional>
- <element name="bpki_ta">
- <ref name="base64"/>
- </element>
- </optional>
- </element>
- </define>
- <define name="repository_elt">
- <element name="repository">
- <attribute name="handle">
- <ref name="object_handle"/>
- </attribute>
- <optional>
- <attribute name="uri">
+ <attribute name="repository_service_uri">
 <ref name="uri"/>
 </attribute>
 </optional>
 <optional>
- <element name="bpki_ta">
+ <element name="parent_bpki_certificate">
+ <ref name="base64"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="repository_bpki_certificate">
 <ref name="base64"/>
 </element>
 </optional>
diff --git a/myrpki/xml-parse-test.py b/myrpki/xml-parse-test.py
index 479232e7..bf6ffd88 100755
--- a/myrpki/xml-parse-test.py
+++ b/myrpki/xml-parse-test.py
@@ -70,21 +70,19 @@ def showpem(label, b64, kind):
 print label, text
 for x in tree.getiterator(tag("child")):
- ta = x.findtext(tag("bpki_ta"))
- if ta:
- showpem("Child", ta, "x509")
+ cert = x.findtext(tag("bpki_certificate"))
+ if cert:
+ showpem("Child", cert, "x509")
 for x in tree.getiterator(tag("parent")):
- print "Parent URI:", x.get("uri")
- ta = x.findtext(tag("bpki_ta"))
- if ta:
- showpem("Parent", ta, "x509")
-
-for x in tree.getiterator(tag("repository")):
- print "Repository URI:", x.get("uri")
- ta = x.findtext(tag("bpki_ta"))
- if ta:
- showpem("Repository", ta, "x509")
+ print "Parent URI:", x.get("parent_service_uri")
+ cert = x.findtext(tag("parent_bpki_certificate"))
+ if cert:
+ showpem("Parent", cert, "x509")
+ print "Repository URI:", x.get("repository_service_uri")
+ cert = x.findtext(tag("repository_bpki_certificate"))
+ if cert:
+ showpem("Repository", cert, "x509")
 ca = tree.findtext(tag("bpki_ca_certificate"))
 if ca: |