-rw-r--r-- | myrpki.rototill/examples/myrpki.conf | 4 | ||||
-rw-r--r-- | myrpki.rototill/initialize.py | 27 | ||||
-rw-r--r-- | myrpki.rototill/myrpki.py | 13 |
3 files changed, 27 insertions, 17 deletions
diff --git a/myrpki.rototill/examples/myrpki.conf b/myrpki.rototill/examples/myrpki.conf
index 2ec34b78..5819ffaf 100644
--- a/myrpki.rototill/examples/myrpki.conf
+++ b/myrpki.rototill/examples/myrpki.conf
@@ -77,7 +77,7 @@ irdbd_server_port = 4403
 # cause myirbe.py to fail when it attempts to perform runtime
 # configuration of your nonexistant pubd.
-want_pubd = false
+want_pubd = true
 # DNS hostname and server port number for pubd, if you're running it.
 # Hostname has to be a publicly reachable name to be useful, port can
@@ -91,7 +91,7 @@ pubd_server_port = 4402
 # very own copy of rootd. Don't enable this unless you really know
 # what you're doing. See [rootd] section below for further comments.
-want_rootd = false
+want_rootd = true
 # Server port number for rootd, if you're running it. This can be any
 # legal TCP port number that you're not using for something else.
diff --git a/myrpki.rototill/initialize.py b/myrpki.rototill/initialize.py
index 7b6f305b..9df16e2e 100644
--- a/myrpki.rototill/initialize.py
+++ b/myrpki.rototill/initialize.py
@@ -99,11 +99,13 @@ if want_rpkid or want_pubd or want_rootd:
 bpki_myirbe.setup(cfg.get("bpki_myirbe_ta_dn", "/CN=%s BPKI Server Trust Anchor" % handle))
- if want_rpkid: # rpkid implies irdbd
-
+ if want_rpkid:
+ bpki_myirbe.ee(cfg.get("bpki_rpkid_ee_dn", "/CN=%s rpkid server certificate" % handle), "rpkid")
+ # rpkid implies irdbd
+ bpki_myirbe.ee(cfg.get("bpki_irdbd_ee_dn", "/CN=%s irdbd server certificate" % handle), "irdbd")
@@ -111,8 +113,10 @@ if want_rpkid or want_pubd or want_rootd:
 bpki_myirbe.ee(cfg.get("bpki_pubd_ee_dn", "/CN=%s pubd server certificate" % handle), "pubd")
- if want_rpkid or want_irdbd: # Client cert for myirbe and irbe_cli
+ if want_rpkid or want_pubd:
+ # Client cert for myirbe and irbe_cli
+ bpki_myirbe.ee(cfg.get("bpki_irbe_ee_dn", "/CN=%s irbe client certificate" % handle), "irbe")
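Review bot: Flipping the example to `want_pubd = true` sits directly under a comment warning that enabling it without a running pubd makes myirbe.py fail during runtime configuration, so a reader who copies this example without standing up pubd now gets exactly that failure. Either keep the example at `false` or add a line next to the setting saying the example assumes pubd is run, e.g. `# This example assumes you run pubd locally; set to false if you don't.`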
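Review bot: `want_rootd = true` in the shipped example contradicts the two comment lines immediately above it, which tell the reader not to enable rootd unless they really know what they're doing; anyone starting from this file now brings up their own root daemon, and the initialize.py change in this same commit then generates a self-signed "parent" for it. If the example is meant to describe a self-contained test bed, state that beside the value, e.g. `# Enabled because this example is a self-contained test setup; production deployments should leave this false.`; otherwise keep `want_rootd = false` here and enable it only in a test-specific configuration.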
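Review bot: The guard for the irbe client certificate now reads `if want_rpkid or want_pubd:`, but nothing in the hunk records why pubd alone should trigger issuing it, and this certificate is the client credential myirbe/irbe_cli present to the servers, so whoever later tightens the condition needs the reason. The new comment could carry it: `# Client cert for myirbe and irbe_cli: needed whenever any server they drive (rpkid or pubd) runs here, since myirbe also does pubd's runtime configuration.` The pubd runtime-configuration claim comes from the example config's comment in this commit, so confirm it against what myirbe actually does before wording it that way. The enclosing `if want_rpkid or want_pubd or want_rootd:` block begins before this hunk.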
@@ -121,12 +125,19 @@ if want_rpkid or want_pubd or want_rootd:
 bpki_myirbe.ee(cfg.get("bpki_rootd_ee_dn", "/CN=%s rootd server certificate" % handle), "rootd")
-# Now build the me.xml file (name should be configurable, and should
-# check for existing file so we don't overwrite, ... hack later ...).
+# Build the me.xml file. Need to check for existing file so we don't
+# overwrite? Worry about that later.
 e = Element("me", xmlns = myrpki.namespace, version = "1", handle = handle)
-
 myrpki.PEMElement(e, "bpki_ca_certificate", bpki_myrpki.cer)
+myrpki.etree_write(e, handle + ".xml")
+
+# If we're running rootd, construct a fake parent to go with it.
-ElementTree(e).write("me.xml.tmp")
-os.rename("me.xml.tmp", "me.xml")
+if want_rootd:
+ e = Element("parent", xmlns = myrpki.namespace, version = "1",
+ handle = handle,
+ service_uri = "https://localhost:%d/" % cfg.getint("rootd_server_port"))
+ myrpki.PEMElement(e, "bpki_resource_ca", bpki_myirbe.cer)
+ myrpki.PEMElement(e, "bpki_server_ca", bpki_myirbe.cer)
+ myrpki.etree_write(e, "parents/rootd.xml")
diff --git a/myrpki.rototill/myrpki.py b/myrpki.rototill/myrpki.py
index a42f5702..5466ef8d 100644
--- a/myrpki.rototill/myrpki.py
+++ b/myrpki.rototill/myrpki.py
@@ -559,13 +559,15 @@ class CA(object):
 return xcert
-def extract_resources():
+def etree_write(e, filename):
 """
- Extract RFC 3779 resources from a certificate. Not written yet.
+ Write out an etree to a file, safely.
+ I still miss SYSCAL(RENMWO).
 """
- raise NotImplementedError
+ ElementTree(e).write(filename + ".tmp")
+ os.rename(filename + ".tmp", filename)
 def main(argv = ()):
 """
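Review bot: `myrpki.etree_write(e, "parents/rootd.xml")` on the last line of the hunk writes into a `parents/` subdirectory that nothing in this hunk creates, so on a fresh tree the underlying `ElementTree.write` raises an IOError unless the directory is made earlier in the script, outside what is shown here (confirm). A guard before the write, `if not os.path.isdir("parents"): os.makedirs("parents")`, avoids that. The new comment also leaves open that both `handle + ".xml"` and `parents/rootd.xml` are regenerated unconditionally on every run; since these files carry the BPKI trust anchors handed to peers, the comment should at least state that re-running initialize.py overwrites them rather than asking the question. It would also help to note why the fake parent uses `bpki_myirbe.cer` for both `bpki_resource_ca` and `bpki_server_ca`, presumably because the local rootd is issued under the same myirbe BPKI.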
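Review bot: `etree_write` leaves `filename + ".tmp"` behind and propagates the exception when `ElementTree(e).write` or `os.rename` fails, and a stale `.tmp` from an earlier crash is silently overwritten; the docstring's "safely" covers only that readers of `filename` never see a half-written file through the rename, not crash durability, since nothing flushes or fsyncs before the rename, and on platforms where `os.rename` refuses to replace an existing target the rename itself can fail. The docstring should say exactly what is guaranteed, and the temporary should be removed when the write does not complete so the directory is left consistent:

```python
def etree_write(e, filename):
  """
  Write out an etree to a file via a temporary file renamed over
  filename, so readers never see a partial file.  Not fsync'd.
  I still miss SYSCAL(RENMWO).
  """
  tmp = filename + ".tmp"
  done = False
  try:
    ElementTree(e).write(tmp)
    os.rename(tmp, filename)
    done = True
  finally:
    if not done and os.path.exists(tmp):
      os.unlink(tmp)
```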
@@ -638,10 +640,7 @@ def main(argv = ()):
 if bsc_req:
 PEMElement(e, "bpki_bsc_pkcs10", bsc_req)
- # I still miss SYSCAL(RENMWO)
-
- ElementTree(e).write(xml_filename + ".tmp")
- os.rename(xml_filename + ".tmp", xml_filename)
+ etree_write(e, xml_filename)
 # When this file is run as a script, run main() with command line
 # arguments. main() can't use sys.argv directly as that might be the |