-rw-r--r-- | rpkid/rpki/irdb/zookeeper.py | 15 | ||||
-rw-r--r-- | rpkid/rpki/rpkic.py | 64 | ||||
-rw-r--r-- | rpkid/tests/yamltest.py | 96 |
3 files changed, 90 insertions, 85 deletions
diff --git a/rpkid/rpki/irdb/zookeeper.py b/rpkid/rpki/irdb/zookeeper.py
index ff05ae2d..8f884723 100644
--- a/rpkid/rpki/irdb/zookeeper.py
+++ b/rpkid/rpki/irdb/zookeeper.py
@@ -405,12 +405,15 @@ class Zookeeper(object):
 self.server_ca.ee_certificates.get(purpose = "irbe").certificate)
 if self.run_rootd:
- rootd = rpki.irdb.ResourceHolderCA.objects.get(handle = self.cfg.get("handle", section = myrpki_section)).rootd
- writer(self.cfg.get("bpki-ta", section = rootd_section), self.server_ca.certificate)
- writer(self.cfg.get("rootd-bpki-crl", section = rootd_section), self.server_ca.latest_crl)
- writer(self.cfg.get("rootd-bpki-key", section = rootd_section), rootd.private_key)
- writer(self.cfg.get("rootd-bpki-cert", section = rootd_section), rootd.certificate)
- writer(self.cfg.get("child-bpki-cert", section = rootd_section), rootd.issuer.certificate)
+ try:
+ rootd = rpki.irdb.ResourceHolderCA.objects.get(handle = self.cfg.get("handle", section = myrpki_section)).rootd
+ writer(self.cfg.get("bpki-ta", section = rootd_section), self.server_ca.certificate)
+ writer(self.cfg.get("rootd-bpki-crl", section = rootd_section), self.server_ca.latest_crl)
+ writer(self.cfg.get("rootd-bpki-key", section = rootd_section), rootd.private_key)
+ writer(self.cfg.get("rootd-bpki-cert", section = rootd_section), rootd.certificate)
+ writer(self.cfg.get("child-bpki-cert", section = rootd_section), rootd.issuer.certificate)
+ except rpki.irdb.ResourceHolderCA.DoesNotExist:
+ self.log("rootd enabled but resource holding entity not yet configured, skipping rootd setup")
 @django.db.transaction.commit_on_success
diff --git a/rpkid/rpki/rpkic.py b/rpkid/rpki/rpkic.py
index 79c2e556..7b7f6cfb 100644
--- a/rpkid/rpki/rpkic.py
+++ b/rpkid/rpki/rpkic.py
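Review bot: The new try in the `if self.run_rootd:` branch wraps all five writer() calls, although only the `rpki.irdb.ResourceHolderCA.objects.get(...)` lookup can raise `ResourceHolderCA.DoesNotExist`; keep the try body to that one assignment and move the writer() calls under an `else:` clause, so the "not yet configured" log line cannot be reached from a failure inside the file writes and the reader sees exactly what is being skipped. The trailing `.rootd` access on the same line is not covered either: if the resource holder exists but its rootd object has not been created yet, Django presumably raises that related model's own DoesNotExist rather than ResourceHolderCA's, so if that intermediate state can occur during setup the handler should catch it too. The enclosing method starts outside the hunk.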
@@ -208,48 +208,46 @@ class main(rpki.cli.Cmd): self.zoo.write_bpki_files() - # These aren't quite ready for prime time yet. See https://trac.rpki.net/ticket/466 - - if False: + def do_create_identity(self, arg): + """ + Create a new resource-holding entity. Argument is the handle of + the entity to create. Returns XML file describing the new + resource holder. - def do_create_identity(self, arg): - """ - Create a new resource-holding entity. Argument is the handle of - the entity to create. Returns XML file describing the new - resource holder. + This command is idempotent: calling it for a resource holder which + already exists returns the existing identity. + """ - This command is idempotent: calling it for a resource holder which - already exists returns the existing identity. - """ + argv = arg.split() + if len(argv) != 1: + raise BadCommandSyntax("This command expexcts one argument, not %r" % arg) - argv = arg.split() - if len(argv) != 1: - raise BadCommandSyntax("This command expexcts one argument, not %r" % arg) + self.zoo.reset_identity(argv[0]) - self.zoo.reset_identity(argv[0]) + rootd_case = self.zoo.run_rootd and self.zoo.handle == self.zoo.cfg.get("handle") - rootd_case = self.zoo.run_rootd and self.zoo.handle == self.zoo.cfg.get("handle") + r = self.zoo.initialize_resource_bpki() + r.save("%s.identity.xml" % self.zoo.handle, + None if rootd_case else sys.stdout) - r = self.zoo.initialize_resource_bpki() - r.save("%s.identity.xml" % self.zoo.handle, - None if rootd_case else sys.stdout) + if rootd_case: + r = self.zoo.configure_rootd() + if r is not None: + r.save("%s.%s.repository-request.xml" % (self.zoo.handle, self.zoo.handle), sys.stdout) + self.zoo.write_bpki_files() - if rootd_case: - r = self.zoo.configure_rootd() - if r is not None: - r.save("%s.%s.repository-request.xml" % (self.zoo.handle, self.zoo.handle), sys.stdout) - def do_initialize_server_bpki(self, arg): - """ - Initialize server BPKI portion of an RPKI installation. 
Reads - server configuration from configuration file and creates the - server BPKI objects needed to start daemons. - """ + def do_initialize_server_bpki(self, arg): + """ + Initialize server BPKI portion of an RPKI installation. Reads + server configuration from configuration file and creates the + server BPKI objects needed to start daemons. + """ - if arg: - raise BadCommandSyntax, "This command takes no arguments" - self.zoo.initialize_server_bpki() - self.zoo.write_bpki_files() + if arg: + raise BadCommandSyntax, "This command takes no arguments" + self.zoo.initialize_server_bpki() + self.zoo.write_bpki_files() def do_update_bpki(self, arg): diff --git a/rpkid/tests/yamltest.py b/rpkid/tests/yamltest.py index b11fe52d..f39fbf97 100644 --- a/rpkid/tests/yamltest.py +++ b/rpkid/tests/yamltest.py 
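Review bot: The message raised in do_create_identity becomes live code with this commit and still carries the typo from the old `if False:` block; it should read `raise BadCommandSyntax("This command expects one argument, not %r" % arg)`. Directly below, do_initialize_server_bpki uses the legacy comma form `raise BadCommandSyntax, "This command takes no arguments"` while the method above uses the call form; `raise BadCommandSyntax("This command takes no arguments")` keeps the two consistent and is the form that survives a Python 3 port. The output filename `"%s.identity.xml" % self.zoo.handle` is derived from the operator-supplied argument via reset_identity; if reset_identity does not already reject handles containing path separators or `..`, that is the place to add the check so the identity file cannot be written outside the working directory. Both methods are shown in full; the enclosing `class main` continues outside the hunk.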
@@ -519,6 +519,44 @@ class allocation(object): print "Running rsyncd for %s: pid %d process %r" % (self.name, p.pid, p) return p +def create_root_certificate(db_root): + + print "Creating rootd RPKI root certificate" + + root_resources = rpki.resource_set.resource_bag( + asn = rpki.resource_set.resource_set_as("0-4294967295"), + v4 = rpki.resource_set.resource_set_ipv4("0.0.0.0/0"), + v6 = rpki.resource_set.resource_set_ipv6("::/0")) + + root_key = rpki.x509.RSA.generate(quiet = True) + + root_uri = "rsync://localhost:%d/rpki/" % db_root.pubd.rsync_port + + root_sia = (root_uri, root_uri + "root.mft", None) + + root_cert = rpki.x509.X509.self_certify( + keypair = root_key, + subject_key = root_key.get_RSApublic(), + serial = 1, + sia = root_sia, + notAfter = rpki.sundial.now() + rpki.sundial.timedelta(days = 365), + resources = root_resources) + + f = open(db_root.path("publication.root/root.cer"), "wb") + f.write(root_cert.get_DER()) + f.close() + + f = open(db_root.path("root.key"), "wb") + f.write(root_key.get_DER()) + f.close() + + f = open(os.path.join(test_dir, "root.tal"), "w") + f.write("rsync://localhost:%d/root/root.cer\n\n" % db_root.pubd.rsync_port) + f.write(root_key.get_RSApublic().get_Base64()) + f.close() + + + os.environ["TZ"] = "UTC" time.tzset() 
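Review bot: The three open()/write()/close() sequences in the new create_root_certificate leak the file handle if a write raises, and root.key — the private key of the test trust anchor — is created through plain open(), so its mode is whatever the process umask yields. Using `with` blocks and creating root.key via `os.open` with mode 0o600 fixes both; the function also relies on the module-level `test_dir` and on `db_root.pubd.rsync_port`, which deserves a one-line docstring such as `"""Generate the rootd trust anchor: write root.cer and root.key under db_root, and root.tal under test_dir."""`. The TAL points at `rsync://localhost:%d/root/root.cer` while root_uri uses the `/rpki/` module; this is carried over from the old inline code and presumably matches the rsyncd module layout written by dump_rsyncd, but a comment saying so would save the next reader a lookup.
```python
def create_root_certificate(db_root):
  # … unchanged: print, root_resources, root_key, root_uri, root_sia, root_cert …

  with open(db_root.path("publication.root/root.cer"), "wb") as f:
    f.write(root_cert.get_DER())

  # Trust-anchor private key: create owner-only rather than inheriting umask.
  fd = os.open(db_root.path("root.key"), os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
  with os.fdopen(fd, "wb") as f:
    f.write(root_key.get_DER())

  with open(os.path.join(test_dir, "root.tal"), "w") as f:
    f.write("rsync://localhost:%d/root/root.cer\n\n" % db_root.pubd.rsync_port)
    f.write(root_key.get_RSApublic().get_Base64())
```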
@@ -611,63 +649,29 @@ try: else: - # Set up each entity in our test + # Set up each entity in our test, create publication directories, + # and initialize server BPKI. for d in db: if not d.is_hosted: os.makedirs(d.path()) d.dump_conf() - if d.runs_pubd: - d.dump_rsyncd() - - # Initialize BPKI and generate self-descriptor for each entity. - - for d in db: - d.run_rpkic("initialize") + if d.runs_pubd: + os.makedirs(d.path("publication")) + d.dump_rsyncd() + if d.is_root: + os.makedirs(d.path("publication.root")) + d.run_rpkic("initialize_server_bpki") - # Create publication directories. + # Initialize resource holding BPKI and generate self-descriptor + # for each entity. for d in db: - if d.runs_pubd: - os.makedirs(d.path("publication")) - if d.is_root: - os.makedirs(d.path("publication.root")) + d.run_rpkic("create_identity", d.name) # Create RPKI root certificate. - print "Creating rootd RPKI root certificate" - - root_resources = rpki.resource_set.resource_bag( - asn = rpki.resource_set.resource_set_as("0-4294967295"), - v4 = rpki.resource_set.resource_set_ipv4("0.0.0.0/0"), - v6 = rpki.resource_set.resource_set_ipv6("::/0")) - - root_key = rpki.x509.RSA.generate(quiet = True) - - root_uri = "rsync://localhost:%d/rpki/" % db.root.pubd.rsync_port - - root_sia = (root_uri, root_uri + "root.mft", None) - - root_cert = rpki.x509.X509.self_certify( - keypair = root_key, - subject_key = root_key.get_RSApublic(), - serial = 1, - sia = root_sia, - notAfter = rpki.sundial.now() + rpki.sundial.timedelta(days = 365), - resources = root_resources) - - f = open(db.root.path("publication.root/root.cer"), "wb") - f.write(root_cert.get_DER()) - f.close() - - f = open(db.root.path("root.key"), "wb") - f.write(root_key.get_DER()) - f.close() - - f = open(os.path.join(test_dir, "root.tal"), "w") - f.write("rsync://localhost:%d/root/root.cer\n\n" % db.root.pubd.rsync_port) - f.write(root_key.get_RSApublic().get_Base64()) - f.close() + create_root_certificate(db.root) # From here on 
we need to pay attention to initialization order. We # used to do all the pre-configure_daemons stuff before running any |