-rw-r--r--myrpki/Makefile1
-rw-r--r--myrpki/myirbe.py11
-rw-r--r--myrpki/myrpki.py28
-rw-r--r--myrpki/schema.py9
-rw-r--r--myrpki/schema.rnc3
-rw-r--r--myrpki/schema.rng9
-rw-r--r--myrpki/yamltest.py56
7 files changed, 65 insertions, 52 deletions
diff --git a/myrpki/Makefile b/myrpki/Makefile
index 4ff9cd35..b83745d8 100644
--- a/myrpki/Makefile
+++ b/myrpki/Makefile
@@ -1,6 +1,5 @@
# $Id$
-#all:: relatives
#all:: myrpki.xml
#all:: lint
#all:: parse
diff --git a/myrpki/myirbe.py b/myrpki/myirbe.py
index 076c02b7..af70755a 100644
--- a/myrpki/myirbe.py
+++ b/myrpki/myirbe.py
@@ -377,7 +377,8 @@ for xmlfile in xmlfiles:
parent_handle = parent.get("handle")
parent_pdu = parent_pdus.pop(parent_handle, None)
parent_uri = parent.get("service_uri")
- parent_cert = findbase64(parent, "bpki_certificate")
+ parent_cms_cert = findbase64(parent, "bpki_cms_certificate")
+ parent_https_cert = findbase64(parent, "bpki_https_certificate")
if need_own_pub_point:
parent_sia_base = pubd_base_uri + parent_handle + "/"
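Review bot: Neither new lookup is checked before its value flows into the create/set comparison in the following hunks, and the schema change in this same commit (schema.rnc) declares both bpki_cms_certificate and bpki_https_certificate optional, so a parent element that omits one of them passes validation and reaches this code. Whatever findbase64 yields for an absent element (presumably None) then becomes the parent's CMS or HTTPS trust anchor in the rpkid PDU, so that side of the parent link would be configured without a certificate instead of failing loudly here. A guard such as `if parent_cms_cert is None or parent_https_cert is None:` / `    raise RuntimeError("parent %s is missing a BPKI certificate" % parent_handle)`, adjusted to findbase64's actual absent-value convention, would catch this at configuration time. The two variables are only propagated in the two following hunks of this file, which need no separate note; the enclosing `for xmlfile in xmlfiles:` loop starts before this hunk.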
@@ -391,8 +392,8 @@ for xmlfile in xmlfiles:
parent_pdu.sia_base != parent_sia_base or
parent_pdu.sender_name != handle or
parent_pdu.recipient_name != parent_handle or
- parent_pdu.bpki_cms_cert != parent_cert or
- parent_pdu.bpki_https_cert != parent_cert):
+ parent_pdu.bpki_cms_cert != parent_cms_cert or
+ parent_pdu.bpki_https_cert != parent_https_cert):
rpkid_query.append(rpki.left_right.parent_elt.make_pdu(
action = "create" if parent_pdu is None else "set",
tag = parent_handle,
@@ -404,8 +405,8 @@ for xmlfile in xmlfiles:
sia_base = parent_sia_base,
sender_name = handle,
recipient_name = parent_handle,
- bpki_cms_cert = parent_cert,
- bpki_https_cert = parent_cert))
+ bpki_cms_cert = parent_cms_cert,
+ bpki_https_cert = parent_https_cert))
rpkid_query.extend(rpki.left_right.parent_elt.make_pdu(
action = "destroy", self_handle = handle, parent_handle = p) for p in parent_pdus)
diff --git a/myrpki/myrpki.py b/myrpki/myrpki.py
index 724a4c52..9a661eb4 100644
--- a/myrpki/myrpki.py
+++ b/myrpki/myrpki.py
@@ -155,29 +155,33 @@ class parent(object):
self.bpki_certificate = None
def __repr__(self):
- return "<%s uri %s cert %s uri %s cert %s>" % (self.__class__.__name__,
- self.service_uri, self.bpki_certificate)
+ return "<%s uri %s cms %s https %s>" % (self.__class__.__name__, self.service_uri,
+ self.bpki_cms_certificate, self.bpki_https_certificate)
- def add(self, service_uri = None, bpki_certificate = None):
+ def add(self, service_uri = None, bpki_cms_certificate = None, bpki_https_certificate = None):
if service_uri is not None:
self.service_uri = service_uri
- if bpki_certificate is not None:
- self.bpki_certificate = bpki_certificate
+ if bpki_cms_certificate is not None:
+ self.bpki_cms_certificate = bpki_cms_certificate
+ if bpki_https_certificate is not None:
+ self.bpki_https_certificate = bpki_https_certificate
def xml(self, e):
e2 = SubElement(e, "parent",
handle = self.handle,
service_uri = self.service_uri)
- if self.bpki_certificate:
- PEMElement(e2, "bpki_certificate", self.bpki_certificate)
+ if self.bpki_cms_certificate:
+ PEMElement(e2, "bpki_cms_certificate", self.bpki_cms_certificate)
+ if self.bpki_https_certificate:
+ PEMElement(e2, "bpki_https_certificate", self.bpki_https_certificate)
return e2
class parents(dict):
- def add(self, handle, service_uri = None, bpki_certificate = None):
+ def add(self, handle, service_uri = None, bpki_cms_certificate = None, bpki_https_certificate = None):
if handle not in self:
self[handle] = parent(handle)
- self[handle].add(service_uri = service_uri, bpki_certificate = bpki_certificate)
+ self[handle].add(service_uri = service_uri, bpki_cms_certificate = bpki_cms_certificate, bpki_https_certificate = bpki_https_certificate)
def xml(self, e):
for c in self.itervalues():
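Review bot: The context line `self.bpki_certificate = None` at the top of this hunk shows `__init__` still initialising the old attribute, while the rewritten `__repr__` and `xml` read `self.bpki_cms_certificate` and `self.bpki_https_certificate`; a parent created through `parents.add(handle)` with no certificate arguments never acquires those attributes, so `xml()` (and `repr()`) would raise AttributeError rather than omit the elements as the `if self.bpki_cms_certificate:` guards intend. Replace that line with `self.bpki_cms_certificate = None` and `self.bpki_https_certificate = None`. `__init__` itself begins above this hunk and `parents.xml` continues below it.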
@@ -186,10 +190,10 @@ class parents(dict):
@classmethod
def from_csv(cls, parents_csv_file, xcert):
self = cls()
- # parentname service_uri parent_bpki_pemfile
- for handle, service_uri, parent_pemfile in csv_open(parents_csv_file):
+ # parentname service_uri parent_bpki_cms_pemfile parent_bpki_https_pemfile
+ for handle, service_uri, parent_cms_pemfile, parent_https_pemfile in csv_open(parents_csv_file):
self.add(handle = handle,
- service_uri = service_uri, bpki_certificate = xcert(parent_pemfile))
+ service_uri = service_uri, bpki_cms_certificate = xcert(parent_cms_pemfile), bpki_https_certificate = xcert(parent_https_pemfile))
return self
def csv_open(filename, delimiter = "\t", dialect = None):
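Review bot: from_csv now unpacks every row into four names, so a parents file still in the previous three-column layout fails inside the tuple unpack with a bare ValueError that names neither the file nor the offending row. If such files can be present, a length check with a clearer message, e.g. `raise RuntimeError("%s: expected 4 columns per row" % parents_csv_file)`, would make the format change visible to the operator instead of surfacing as an unpack error. The tail of from_csv and csv_open lie outside this hunk.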
diff --git a/myrpki/schema.py b/myrpki/schema.py
index d5078714..38df6d3d 100644
--- a/myrpki/schema.py
+++ b/myrpki/schema.py
@@ -1,7 +1,7 @@
import lxml.etree
myrpki = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" encoding="UTF-8"?>
<!--
- $Id: schema.rnc -1 $
+ $Id: schema.rnc 2608 2009-07-11 04:34:55Z sra $
RelaxNG Schema for MyRPKI XML messages
@@ -135,7 +135,12 @@ myrpki = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" encodin
</attribute>
</optional>
<optional>
- <element name="bpki_certificate">
+ <element name="bpki_cms_certificate">
+ <ref name="base64"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="bpki_https_certificate">
<ref name="base64"/>
</element>
</optional>
diff --git a/myrpki/schema.rnc b/myrpki/schema.rnc
index 0ad11734..da5f9a12 100644
--- a/myrpki/schema.rnc
+++ b/myrpki/schema.rnc
@@ -45,7 +45,8 @@ child_elt = element child {
parent_elt = element parent {
attribute handle { object_handle },
attribute service_uri { uri }?,
- element bpki_certificate { base64 }?
+ element bpki_cms_certificate { base64 }?,
+ element bpki_https_certificate { base64 }?
}
bpki_ca_certificate_elt = element bpki_ca_certificate { base64 }
diff --git a/myrpki/schema.rng b/myrpki/schema.rng
index 80f2a391..d7b557cd 100644
--- a/myrpki/schema.rng
+++ b/myrpki/schema.rng
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
- $Id: schema.rnc -1 $
+ $Id: schema.rnc 2608 2009-07-11 04:34:55Z sra $
RelaxNG Schema for MyRPKI XML messages
@@ -134,7 +134,12 @@
</attribute>
</optional>
<optional>
- <element name="bpki_certificate">
+ <element name="bpki_cms_certificate">
+ <ref name="base64"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="bpki_https_certificate">
<ref name="base64"/>
</element>
</optional>
diff --git a/myrpki/yamltest.py b/myrpki/yamltest.py
index c9c9bb14..09653511 100644
--- a/myrpki/yamltest.py
+++ b/myrpki/yamltest.py
@@ -112,6 +112,13 @@ class allocation_db(list):
for a in self:
a.dump()
+ def make_rootd_openssl(self):
+ env = { "PATH" : os.environ["PATH"],
+ "BPKI_DIRECTORY" : self.root.path("bpki.rootd"),
+ "RANDFILE" : ".OpenSSL.whines.unless.I.set.this" }
+ cwd = self.root.path()
+ return lambda *args: subprocess.check_call((prog_openssl,) + args, cwd = cwd, env = env)
+
class allocation(object):
parent = None
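Review bot: make_rootd_openssl has no docstring, and the returned lambda hides two properties a caller needs: every invocation runs in `self.root.path()`, so the relative paths callers pass and the relative RANDFILE value resolve against the rootd directory, and the child environment is deliberately reduced to PATH plus the two OpenSSL variables rather than inherited. Suggest `"""Return a callable that runs prog_openssl with the given args in rootd's directory, with an environment restricted to PATH, BPKI_DIRECTORY and RANDFILE."""` on the method, and `def run_openssl(*args):` in place of the lambda so tracebacks from check_call carry a name. The class header is above this hunk.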
@@ -231,9 +238,9 @@ class allocation(object):
def dump_parents(self, fn):
f = self.outfile(fn)
if self.is_root():
- f.write("%s\t%s\t%s\n" % ("rootd", "https://localhost:%d/" % self.rootd_port, self.path("bpki.rootd/ca.cer")))
+ f.write("%s\t%s\t%s\t%s\n" % ("rootd", "https://localhost:%d/" % self.rootd_port, self.path("bpki.rootd/ca.cer"), self.path("bpki.rootd/ca.cer")))
else:
- f.write("%s\t%s\t%s\n" % (self.parent.name, self.up_down_url(), self.parent.path("bpki.myrpki/ca.cer")))
+ f.write("%s\t%s\t%s\t%s\n" % (self.parent.name, self.up_down_url(), self.parent.path("bpki.myrpki/ca.cer"), self.parent.path("bpki.rpkid/ca.cer")))
f.close()
def dump_prefixes(self, fn):
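Review bot: The four tab-separated columns written here are positional and undocumented, while the reader (`parents.from_csv` in myrpki.py, same commit) documents them as `# parentname service_uri parent_bpki_cms_pemfile parent_bpki_https_pemfile`; the same comment above the two `f.write` lines would keep writer and reader in sync. The root branch also passes `bpki.rootd/ca.cer` for both the CMS and HTTPS columns while the non-root branch uses `bpki.myrpki/ca.cer` and `bpki.rpkid/ca.cer`; if rootd's single BPKI CA serving both roles is intentional, a one-line comment saying so would stop a later reader from "fixing" it. The file from `self.outfile(fn)` is closed without try/finally, so a write failure leaves it to garbage collection; minor in a test script.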
@@ -369,33 +376,24 @@ for i in xrange(3):
for d in db:
d.run_myrpki()
-# Set up rootd's BPKI cross-certificate for its one and only child.
-
-if not os.path.exists(db.root.path("bpki.rootd/child.cer")):
- subprocess.check_call((prog_openssl, "ca", "-notext", "-batch",
- "-subj", "/CN=Totally Bogus BPKI Certificate For Test Purposes",
- "-config", db.root.path("myrpki.conf"),
- "-ss_cert", db.root.path("bpki.rpkid/ca.cer"),
- "-out", db.root.path("bpki.rootd/child.cer"),
- "-extensions", "ca_x509_ext_xcert0"),
- cwd = db.root.path(),
- env = { "PATH" : os.environ["PATH"],
- "BPKI_DIRECTORY" : db.root.path("bpki.rootd"),
- "RANDFILE" : ".OpenSSL.whines.unless.I.set.this" } )
-
-# Set up rootd's RPKI root certificate.
-
-if not os.path.exists(db.root.path("bpki.rootd/rpkiroot.cer")):
- subprocess.check_call((prog_openssl, "x509", "-req", "-sha256", "-outform", "DER",
- "-in", db.root.path("bpki.rootd/ca.req"),
- "-signkey", db.root.path("bpki.rootd/ca.key"),
- "-out", db.root.path("bpki.rootd/rpkiroot.cer"),
- "-extfile", db.root.path("myrpki.conf"),
- "-extensions", "rpki_x509_extensions"),
- cwd = db.root.path(),
- env = { "PATH" : os.environ["PATH"],
- "BPKI_DIRECTORY" : db.root.path("bpki.rootd"),
- "RANDFILE" : ".OpenSSL.whines.unless.I.set.this" } )
+# Set up a few things for rootd
+
+rootd_openssl = db.make_rootd_openssl()
+
+print "Creating rootd BPKI cross-certificate for its child"
+rootd_openssl("ca", "-notext", "-batch",
+ "-config", "myrpki.conf",
+ "-ss_cert", "bpki.myrpki/ca.cer",
+ "-out", "bpki.rootd/child.cer",
+ "-extensions", "ca_x509_ext_xcert0")
+
+print "Creating rootd RPKI root certificate"
+rootd_openssl("x509", "-req", "-sha256", "-outform", "DER",
+ "-signkey", "bpki.rootd/ca.key",
+ "-in", "bpki.rootd/ca.req",
+ "-out", "bpki.rootd/rpkiroot.cer",
+ "-extfile", "myrpki.conf",
+ "-extensions", "rpki_x509_extensions")
# At this point we need to start a whole lotta daemons.
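Review bot: The two `if not os.path.exists(...)` guards from the removed block are not carried over, so every run of yamltest now re-issues `bpki.rootd/child.cer` and re-signs `bpki.rootd/rpkiroot.cer`. Besides regenerating material earlier runs already produced, `openssl ca` records each issued certificate in its index database, so repeated issuance for the same subject may be refused depending on the `unique_subject` setting in `myrpki.conf`, making a second run fail where the first succeeded. Restoring the guards is two lines, `if not os.path.exists(db.root.path("bpki.rootd/child.cer")):` before the first call and `if not os.path.exists(db.root.path("bpki.rootd/rpkiroot.cer")):` before the second, with the calls indented under them. If dropping them is intentional, e.g. to force regeneration now that `-ss_cert` points at `bpki.myrpki/ca.cer` instead of `bpki.rpkid/ca.cer`, a comment stating that would stop the next reader from re-adding them. The `-subj` override was dropped as well, so the cross-certificate now keeps the subject of `bpki.myrpki/ca.cer`; presumably intended, but the new comment does not say so.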