Diffstat (limited to 'myrpki')
-rw-r--r--myrpki/Makefile3
-rw-r--r--myrpki/myirbe.py206
-rw-r--r--myrpki/myrpki.conf119
-rw-r--r--myrpki/myrpki.py66
-rw-r--r--myrpki/myrpki.rnc16
-rw-r--r--myrpki/myrpki.rng22
-rw-r--r--myrpki/sql-cleaner.py36
-rwxr-xr-xmyrpki/xml-parse-test.py12
8 files changed, 259 insertions, 221 deletions
diff --git a/myrpki/Makefile b/myrpki/Makefile
index 5ef4e4bd..01573142 100644
--- a/myrpki/Makefile
+++ b/myrpki/Makefile
@@ -7,7 +7,7 @@
#all:: graph
all:: load
-myrpki.xml: myrpki.py asns.csv prefixes.csv roas.csv validity.csv bpki.myrpki
+myrpki.xml: myrpki.py asns.csv prefixes.csv roas.csv validity.csv children.csv parents.csv
python myrpki.py
lint: myrpki.xml myrpki.rng
@@ -27,6 +27,7 @@ bpki.myrpki:
clean:
rm -rf *.xml bpki.myrpki bpki.rpkid bpki.pubd bpki.rootd
+ python sql-cleaner.py
relatives: mom.pem dad.pem bro.pem sis.pem
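Review bot: The `clean` target now also runs `sql-cleaner.py`, which reinitializes the rpkid/irdbd/pubd SQL databases, a far more destructive step than the `rm -rf` of generated files above it, and nothing in the Makefile says so. A one-line comment above the added line, `# also wipes the rpkid/irdbd/pubd SQL tables (see sql-cleaner.py)`, would keep that from surprising the next person who types make clean.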
diff --git a/myrpki/myirbe.py b/myrpki/myirbe.py
index ac14c7f3..c392f9bb 100644
--- a/myrpki/myirbe.py
+++ b/myrpki/myirbe.py
@@ -18,7 +18,7 @@ OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
"""
-import lxml.etree, base64, subprocess, sys, os, time, getopt, MySQLdb
+import lxml.etree, base64, subprocess, sys, os, time, re, getopt, MySQLdb
import rpki.https, rpki.config, rpki.resource_set, rpki.relaxng
import rpki.exceptions, rpki.left_right, rpki.log, rpki.x509, rpki.async
import myrpki
@@ -32,9 +32,11 @@ def findbase64(tree, name, b64type = rpki.x509.X509):
x = tree.findtext(tag(name))
return b64type(Base64 = x) if x else None
-# For simple cases we don't really care what this value is, so long
-# as we're consistant about it, so wiring it in is fine.
+# For simple cases we don't really care what these value are, so long
+# as we're consistant about them, so wiring them in is fine.
+
bsc_handle = "bsc"
+repository_handle = "repository"
class caller(object):
"""
@@ -91,36 +93,38 @@ for o, a in opts:
cfg = rpki.config.parser(cfg_file, "myirbe")
-modified = False
+bpki_modified = False
# I suppose the distinguished names in these certificates might need
# to become configurable eventually.
bpki_rpkid = myrpki.CA(cfg_file, cfg.get("rpkid_ca_directory"))
-modified |= bpki_rpkid.setup("/CN=rpkid TA")
+bpki_modified |= bpki_rpkid.setup("/CN=rpkid TA")
for name in ("rpkid", "irdbd", "irbe_cli"):
- modified |= bpki_rpkid.ee("/CN=%s EE" % name, name)
+ bpki_modified |= bpki_rpkid.ee("/CN=%s EE" % name, name)
bpki_pubd = myrpki.CA(cfg_file, cfg.get("pubd_ca_directory"))
-modified |= bpki_pubd.setup("/CN=pubd TA")
+bpki_modified |= bpki_pubd.setup("/CN=pubd TA")
for name in ("pubd", "irbe_cli"):
- modified |= bpki_pubd.ee("/CN=%s EE" % name, name)
+ bpki_modified |= bpki_pubd.ee("/CN=%s EE" % name, name)
bpki_rootd = myrpki.CA(cfg_file, cfg.get("rootd_ca_directory"))
-modified |= bpki_rootd.setup("/CN=rootd TA")
-modified |= bpki_rootd.ee("/CN=rootd EE", "rootd")
+bpki_modified |= bpki_rootd.setup("/CN=rootd TA")
+bpki_modified |= bpki_rootd.ee("/CN=rootd EE", "rootd")
-if modified:
+if bpki_modified:
print "BPKI (re)initialized. You need to (re)start daemons before continuing."
sys.exit()
self_crl_interval = cfg.get("self_crl_interval", 300)
self_regen_margin = cfg.get("self_regen_margin", 120)
+rsync_base = cfg.get("rsync_base")
+pubd_base = cfg.get("pubd_base")
+rpkid_base = cfg.get("rpkid_base")
+
+# Nasty regexp for parsing rpkid's up-down service URLs
-# These probably come from the .conf file
-rsync_base = "rsync://server.example/"
-pubd_base = "https://localhost:4402"
-rpkid_base = "https://localhost:4404"
+updown_regexp = re.compile(re.escape(rpkid_base) + "/up-down/([-A-Z0-9_]+)/([-A-Z0-9_]+)$", re.I)
# Wrappers to simplify calling rpkid and pubd
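Review bot: The new `updown_regexp` glues `"/up-down/..."` onto `re.escape(rpkid_base)` while the code elsewhere builds `rsync_base + handle + "/"`, so the two config values now carry opposite slash conventions (`rpkid_base` must not end in `/`, `rsync_base` must) and nothing at the point of use says so; a value with the wrong trailing slash makes the match silently fail rather than error. Suggest extending the comment to `# Nasty regexp for parsing rpkid's up-down service URLs; assumes rpkid_base has no trailing "/" (rsync_base, by contrast, must end in "/").` It is also not visible here whether `cfg.get` without a default raises or returns None for a missing key; if the latter, `re.escape(None)` fails with a TypeError at startup, so an older `[myirbe]` section lacking `rpkid_base` deserves an explicit check.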
@@ -244,19 +248,6 @@ for xmlfile in xmlfiles:
client_pdu = pubd_reply[0]
- # This is doubly wrong -- both the wrong value and (probably) set in the wrong place.
- # Do it anyway for now, for testing.
- pubd_base_uri = rsync_base + handle + "/"
-
- if isinstance(client_pdu, rpki.publication.report_error_elt) or client_pdu.base_uri != pubd_base_uri or client_pdu.bpki_cert != pubd_xcert:
- pubd_reply = call_pubd((rpki.publication.client_elt.make_pdu(
- action = "create" if isinstance(client_pdu, rpki.publication.report_error_elt) else "set",
- tag = "client",
- client_handle = handle,
- bpki_cert = pubd_xcert,
- base_uri = pubd_base_uri),))
- assert len(pubd_reply) == 1 and isinstance(pubd_reply[0], rpki.publication.client_elt) and pubd_reply[0].client_handle == handle
-
rpkid_reply = call_rpkid((
rpki.left_right.self_elt.make_pdu( action = "get", tag = "self", self_handle = handle),
rpki.left_right.bsc_elt.make_pdu( action = "list", tag = "bsc", self_handle = handle),
@@ -270,6 +261,7 @@ for xmlfile in xmlfiles:
parent_pdus = dict((x.parent_handle, x) for x in rpkid_reply if isinstance(x, rpki.left_right.parent_elt))
child_pdus = dict((x.child_handle, x) for x in rpkid_reply if isinstance(x, rpki.left_right.child_elt))
+ pubd_query = []
rpkid_query = []
# There should be exactly one <self/> object per hosted entity, by definition
@@ -286,7 +278,7 @@ for xmlfile in xmlfiles:
crl_interval = self_crl_interval,
regen_margin = self_regen_margin))
- # In general we only need one BSC per <self/>. BSC objects are a
+ # In general we only need one <bsc/> per <self/>. BSC objects are a
# little unusual in that the PKCS #10 subelement is generated by rpkid
# in response to generate_keypair, so there's more of a separation
# between create and set than with other objects.
@@ -320,53 +312,17 @@ for xmlfile in xmlfiles:
if bsc_pdu and bsc_pdu.pkcs10_request:
bsc_req = bsc_pdu.pkcs10_request
+ # In general we need one <repository/> per publication daemon with
+ # whom this <self/> has a relationship. In practice there is rarely
+ # (never?) a good reason for a single <self/> to use multiple
+ # publication services, so in normal use we only need one
+ # <repository/> object.
- for parent in tree.getiterator(tag("parent")):
-
- # Perhaps what we need here is to have the hosting entity's handle and
- # sia base in the .conf file, then as we go we check each hosted
- # entity to see whether (a) it's the right .xml file and (b) its
- # handle matches the hosting handle. We can put hosted entities under
- # the self-hosted entity automatically, but the self-hosted entity
- # will need another .conf file entry telling it the parent's service
- # uri (or do we get that from the .xml somehow?)
- #
- # Ok, so part of my confusion is that I've never tested multiple
- # parents before. The parent sia_base and pubd client base_uri are
- # almost the same thing, but not quite. pubd base_uri is what pubd
- # insists upon as the head of the publication URI, or it won't
- # publish. parent sia_base is either the base URI at which rpkid will
- # publish stuff issued by the cert issued by this parent, or is the
- # head of that base URI (if the parent made an acceptable suggestion,
- # where acceptable means that the configured sia_base is the head of
- # the parent's suggestion).
- #
- # I think this boils down to meaning that if we have multiple
- # parents, we also need multiple repository objects, which -may- in
- # turn mean multiple pubd client objects -- if our pubd is relevant
- # at all. Assume for now that if we're running pubd at all,
- # everything our rpkid generates goes into it.
- #
- # We also need to compare all these URIs against pubd's publication
- # base, so we know whether this is our problem or not. For testbed,
- # we probably are, at least initially.
-
- parent_handle = parent.get("handle")
-
- repository_pdu = repository_pdus.pop(parent_handle, None)
- parent_pdu = parent_pdus.pop(parent_handle, None)
-
- parent_uri = parent.get("parent_service_uri")
- parent_cert = findbase64(parent, "parent_bpki_certificate")
-
- repository_uri = parent.get("repository_service_uri")
- repository_cert = findbase64(parent, "repository_bpki_certificate")
-
- # This is wrong, should be parent's sia_base + handle + "/", but
- # how do we get parent's sia_base in this setup?
- #
- parent_sia_base = rsync_base + handle + "/"
- pubd_base_uri = parent_sia_base
+ repository_cert = findbase64(tree, "bpki_repository_certificate")
+ if repository_cert:
+
+ repository_pdu = repository_pdus.pop(repository_handle, None)
+ repository_uri = pubd_base + "/client/" + handle
if (repository_pdu is None or
repository_pdu.bsc_handle != bsc_handle or
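Review bot: When the hosted entity's XML carries no `bpki_repository_certificate`, the `if repository_cert:` guard skips the `repository_pdus.pop(...)`, so any existing `<repository/>` for this `<self/>` is queued for destruction by the destroy loop that follows this hunk while the `<parent/>` PDUs built after it still name `repository_handle`, and nothing is printed about it. Suggest making that case visible, e.g. `if not repository_cert: print "No repository certificate for %s, <repository/> will be dropped" % handle`. Separately, `repository_uri = pubd_base + "/client/" + handle` splices the XML-supplied handle into a URL unescaped; if `object_handle` in the schema is not restricted to URL-safe characters, this deserves a check. The enclosing `for xmlfile in xmlfiles` loop starts outside the hunk.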
@@ -375,40 +331,86 @@ for xmlfile in xmlfiles:
repository_pdu.bpki_https_cert != repository_cert):
rpkid_query.append(rpki.left_right.repository_elt.make_pdu(
action = "create" if repository_pdu is None else "set",
- tag = parent_handle,
+ tag = repository_handle,
self_handle = handle,
- repository_handle = parent_handle,
+ repository_handle = repository_handle,
bsc_handle = bsc_handle,
peer_contact_uri = repository_uri,
bpki_cms_cert = repository_cert,
bpki_https_cert = repository_cert))
- if (parent_pdu is None or
- parent_pdu.bsc_handle != bsc_handle or
- parent_pdu.repository_handle != parent_handle or
- parent_pdu.peer_contact_uri != parent_uri or
- parent_pdu.sia_base != parent_sia_base or
- parent_pdu.sender_name != handle or
- parent_pdu.recipient_name != parent_handle or
- parent_pdu.bpki_cms_cert != parent_cert or
- parent_pdu.bpki_https_cert != parent_cert):
- rpkid_query.append(rpki.left_right.parent_elt.make_pdu(
- action = "create" if parent_pdu is None else "set",
- tag = parent_handle,
- self_handle = handle,
- parent_handle = parent_handle,
- bsc_handle = bsc_handle,
- repository_handle = parent_handle,
- peer_contact_uri = parent_uri,
- sia_base = parent_sia_base,
- sender_name = handle,
- recipient_name = parent_handle,
- bpki_cms_cert = parent_cert,
- bpki_https_cert = parent_cert))
-
rpkid_query.extend(rpki.left_right.repository_elt.make_pdu(
action = "destroy", self_handle = handle, repository_handle = r) for r in repository_pdus)
+ # Ok, here's where the fun starts. We need to figure out what the
+ # publication naming scheme is for this <self/>, based on how many
+ # <parent/> object this <self/> has and what the relationship is
+ # between this <self/> and the entity operating this irbe and pubd.
+ #
+ # For now we only handle the simplest cases: if a hosted entity is a
+ # direct child of the hosting entity, we place it under the hosting
+ # entity; in all other cases, we use a separate subtree. This is
+ # suboptimal in the long run.
+
+ parents = tree.getiterator(tag("parent"))
+
+ if parents:
+
+ need_own_pub_point = True
+ if handle != my_handle and len(parents) == 1 and parents[0].get("service_uri").startwith(rpkid_base):
+ m = updown_regexp.match(parents[0].get("service_uri"))
+ if m:
+ self_part, child_part = m.groups()
+ if self_part == my_handle and child_part == handle:
+ need_own_pub_point = False
+
+ if need_own_pub_point:
+ pubd_base_uri = rsync_base + handle + "/"
+ else:
+ pubd_base_uri = rsync_base + my_handle + "/" + handle + "/"
+
+ if isinstance(client_pdu, rpki.publication.report_error_elt) or client_pdu.base_uri != pubd_base_uri or client_pdu.bpki_cert != pubd_xcert:
+ pubd_query.append(rpki.publication.client_elt.make_pdu(
+ action = "create" if isinstance(client_pdu, rpki.publication.report_error_elt) else "set",
+ client_handle = handle,
+ bpki_cert = pubd_xcert,
+ base_uri = pubd_base_uri))
+
+ for parent in parents:
+
+ parent_handle = parent.get("handle")
+ parent_pdu = parent_pdus.pop(parent_handle, None)
+ parent_uri = parent.get("service_uri")
+ parent_cert = findbase64(parent, "bpki_certificate")
+
+ if need_own_pub_point:
+ parent_sia_base = pubd_base_uri + parent_handle + "/"
+ else:
+ parent_sia_base = pubd_base_uri
+
+ if (parent_pdu is None or
+ parent_pdu.bsc_handle != bsc_handle or
+ parent_pdu.repository_handle != repository_handle or
+ parent_pdu.peer_contact_uri != parent_uri or
+ parent_pdu.sia_base != parent_sia_base or
+ parent_pdu.sender_name != handle or
+ parent_pdu.recipient_name != parent_handle or
+ parent_pdu.bpki_cms_cert != parent_cert or
+ parent_pdu.bpki_https_cert != parent_cert):
+ rpkid_query.append(rpki.left_right.parent_elt.make_pdu(
+ action = "create" if parent_pdu is None else "set",
+ tag = parent_handle,
+ self_handle = handle,
+ parent_handle = parent_handle,
+ bsc_handle = bsc_handle,
+ repository_handle = repository_handle,
+ peer_contact_uri = parent_uri,
+ sia_base = parent_sia_base,
+ sender_name = handle,
+ recipient_name = parent_handle,
+ bpki_cms_cert = parent_cert,
+ bpki_https_cert = parent_cert))
+
rpkid_query.extend(rpki.left_right.parent_elt.make_pdu(
action = "destroy", self_handle = handle, parent_handle = p) for p in parent_pdus)
@@ -438,6 +440,10 @@ for xmlfile in xmlfiles:
if bsc_handle in bsc_pdus and bsc_pdus[bsc_handle].pkcs10_request:
bsc_req = bsc_pdus[bsc_handle].pkcs10_request
+ if pubd_query:
+ pubd_reply = call_pubd(pubd_query)
+ assert len(pubd_reply) == 1 and isinstance(pubd_reply[0], rpki.publication.client_elt) and pubd_reply[0].client_handle == handle
+
e = tree.find(tag("bpki_bsc_pkcs10"))
if e is None and bsc_req is not None:
e = lxml.etree.SubElement(tree, "bpki_bsc_pkcs10")
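Review bot: The added `assert` validates a reply from a network peer (pubd) and is stripped under `python -O`, and when it does fire it says nothing about what pubd actually returned, even though pubd can answer with a `report_error_elt` whose contents would be the useful thing to see. Suggest replacing it with an explicit check, `if len(pubd_reply) != 1 or not isinstance(pubd_reply[0], rpki.publication.client_elt) or pubd_reply[0].client_handle != handle:` followed by `raise RuntimeError("Unexpected pubd reply for %s: %r" % (handle, pubd_reply))`. The enclosing loop starts outside the hunk.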
diff --git a/myrpki/myrpki.conf b/myrpki/myrpki.conf
index f79fc3fb..65c3b18a 100644
--- a/myrpki/myrpki.conf
+++ b/myrpki/myrpki.conf
@@ -2,82 +2,87 @@
#
# Config file for myrpi.py; note that this is also read by the OpenSSL
# command line tool running under mypki.py, so syntax must remain
-# OpenSSL-compatible and portions of this are OpenSSL voodoo.
+# compatable with both OpenSSL and Python config file parsers, and
+# large portions of this are OpenSSL voodoo.
[myrpki]
-handle = wombat
-roa_csv = roas.csv
-children_csv = children.csv
-parents_csv = parents.csv
-prefix_csv = prefixes.csv
-asn_csv = asns.csv
-repositories_csv = repositories.csv
-xml_filename = myrpki.xml
-bpki_directory = bpki.myrpki
+handle = wombat
+roa_csv = roas.csv
+children_csv = children.csv
+parents_csv = parents.csv
+prefix_csv = prefixes.csv
+asn_csv = asns.csv
+repositories_csv = repositories.csv
+xml_filename = myrpki.xml
+bpki_directory = bpki.myrpki
+repository_bpki_certificate = bpki.pubd/ca.cer
[constants]
-digest = sha256
-key_length = 2048
-cert_days = 365
-crl_days = 365
+digest = sha256
+key_length = 2048
+cert_days = 365
+crl_days = 365
[myirbe]
-irdbd_conf = irdbd.conf
-rpkid_ca_directory = bpki.rpkid
-pubd_ca_directory = bpki.pubd
-rootd_ca_directory = bpki.rootd
+irdbd_conf = irdbd.conf
+rpkid_ca_directory = bpki.rpkid
+pubd_ca_directory = bpki.pubd
+rootd_ca_directory = bpki.rootd
+rsync_base = rsync://server.example/
+pubd_base = https://localhost:4402
+rpkid_base = https://localhost:4404
[req]
-default_bits = ${constants::key_length}
-default_md = ${constants::digest}
-distinguished_name = req_dn
-prompt = no
-encrypt_key = no
+default_bits = ${constants::key_length}
+default_md = ${constants::digest}
+distinguished_name = req_dn
+prompt = no
+encrypt_key = no
[req_dn]
-CN = Dummy name for certificate request
+CN = Dummy name for certificate request
[ca_x509_ext_ee]
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
[ca_x509_ext_xcert0]
-basicConstraints = critical,CA:true,pathlen:0
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always
+basicConstraints = critical,CA:true,pathlen:0
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
[ca_x509_ext_xcert1]
-basicConstraints = critical,CA:true,pathlen:1
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always
+basicConstraints = critical,CA:true,pathlen:1
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
[ca_x509_ext_ca]
-basicConstraints = critical,CA:true
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always
+basicConstraints = critical,CA:true
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
[ca]
-default_ca = ca
-dir = ${ENV::BPKI_DIRECTORY}
-new_certs_dir = $dir
-database = $dir/index
-certificate = $dir/ca.cer
-private_key = $dir/ca.key
-default_days = ${constants::cert_days}
-default_crl_days = ${constants::crl_days}
-default_md = ${constants::digest}
-policy = ca_dn_policy
-unique_subject = no
-serial = $dir/serial
-crlnumber = $dir/crl_number
+default_ca = ca
+dir = ${ENV::BPKI_DIRECTORY}
+new_certs_dir = $dir
+database = $dir/index
+certificate = $dir/ca.cer
+private_key = $dir/ca.key
+default_days = ${constants::cert_days}
+default_crl_days = ${constants::crl_days}
+default_md = ${constants::digest}
+policy = ca_dn_policy
+unique_subject = no
+serial = $dir/serial
+crlnumber = $dir/crl_number
[ca_dn_policy]
-countryName = optional
-stateOrProvinceName = optional
-localityName = optional
-organizationName = optional
-organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-givenName = optional
-surname = optional
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+givenName = optional
+surname = optional
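Review bot: The new `rsync_base`/`pubd_base`/`rpkid_base` keys under `[myirbe]` feed code that appends `handle + "/"` to `rsync_base` and `/up-down/...` to `rpkid_base`, so the trailing slash on the first and its absence on the other two are load-bearing, and the file does not say so. Suggest a comment above them, `# rsync_base must end in "/"; pubd_base and rpkid_base must not.` The rewritten header comment also spells `compatable`; `compatible` is meant.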
diff --git a/myrpki/myrpki.py b/myrpki/myrpki.py
index 8a1258f0..47980161 100644
--- a/myrpki/myrpki.py
+++ b/myrpki/myrpki.py
@@ -151,44 +151,33 @@ class parent(object):
def __init__(self, handle):
self.handle = handle
- self.parent_service_uri = None
- self.parent_bpki_certificate = None
- self.repository_service_uri = None
- self.repository_bpki_certificate = None
+ self.service_uri = None
+ self.bpki_certificate = None
def __repr__(self):
return "<%s uri %s cert %s uri %s cert %s>" % (self.__class__.__name__,
- self.parent_service_uri, self.parent_bpki_certificate,
- self.repository_service_uri, self.repository_bpki_certificate)
-
- def add(self, parent_service_uri = None, parent_bpki_certificate = None, repository_service_uri = None, repository_bpki_certificate = None):
- if parent_service_uri is not None:
- self.parent_service_uri = parent_service_uri
- if parent_bpki_certificate is not None:
- self.parent_bpki_certificate = parent_bpki_certificate
- if repository_service_uri is not None:
- self.repository_service_uri = repository_service_uri
- if repository_bpki_certificate is not None:
- self.repository_bpki_certificate = repository_bpki_certificate
+ self.service_uri, self.bpki_certificate)
+
+ def add(self, service_uri = None, bpki_certificate = None):
+ if service_uri is not None:
+ self.service_uri = service_uri
+ if bpki_certificate is not None:
+ self.bpki_certificate = bpki_certificate
def xml(self, e):
e2 = SubElement(e, "parent",
handle = self.handle,
- parent_service_uri = self.parent_service_uri,
- repository_service_uri = self.repository_service_uri)
- if self.parent_bpki_certificate:
- PEMElement(e2, "parent_bpki_certificate", self.parent_bpki_certificate)
- if self.repository_bpki_certificate:
- PEMElement(e2, "repository_bpki_certificate", self.repository_bpki_certificate)
+ service_uri = self.service_uri)
+ if self.bpki_certificate:
+ PEMElement(e2, "bpki_certificate", self.bpki_certificate)
return e2
class parents(dict):
- def add(self, handle, parent_service_uri = None, parent_bpki_certificate = None, repository_service_uri = None, repository_bpki_certificate = None):
+ def add(self, handle, service_uri = None, bpki_certificate = None):
if handle not in self:
self[handle] = parent(handle)
- self[handle].add(parent_service_uri = parent_service_uri, parent_bpki_certificate = parent_bpki_certificate,
- repository_service_uri = repository_service_uri, repository_bpki_certificate = repository_bpki_certificate)
+ self[handle].add(service_uri = service_uri, bpki_certificate = bpki_certificate)
def xml(self, e):
for c in self.itervalues():
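Review bot: `__repr__` still uses the five-placeholder format string `"<%s uri %s cert %s uri %s cert %s>"` but the rewritten tuple now supplies only three values, so any repr() of a parent raises `TypeError: not enough arguments for format string`. Suggest `return "<%s uri %s cert %s>" % (self.__class__.__name__, self.service_uri, self.bpki_certificate)`. The enclosing `class parent(object):` header is outside the hunk.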
@@ -197,11 +186,10 @@ class parents(dict):
@classmethod
def from_csv(cls, parents_csv_file, xcert):
self = cls()
- # parentname parent_service_uri parent_bpki_pemfile repository_service_uri repository_bpki_pemfile
- for handle, parent_service_uri, parent_pemfile, repository_service_uri, repository_pemfile in csv_open(parents_csv_file):
+ # parentname service_uri parent_bpki_pemfile
+ for handle, service_uri, parent_pemfile in csv_open(parents_csv_file):
self.add(handle = handle,
- parent_service_uri = parent_service_uri, parent_bpki_certificate = xcert(parent_pemfile),
- repository_service_uri = repository_service_uri, repository_bpki_certificate = xcert(repository_pemfile))
+ service_uri = service_uri, bpki_certificate = xcert(parent_pemfile))
return self
def csv_open(filename, delimiter = "\t", dialect = None):
@@ -366,14 +354,15 @@ def main():
cfg = ConfigParser.RawConfigParser()
cfg.read(cfg_file)
- my_handle = cfg.get(myrpki_section, "handle")
- roa_csv_file = cfg.get(myrpki_section, "roa_csv")
- children_csv_file = cfg.get(myrpki_section, "children_csv")
- parents_csv_file = cfg.get(myrpki_section, "parents_csv")
- prefix_csv_file = cfg.get(myrpki_section, "prefix_csv")
- asn_csv_file = cfg.get(myrpki_section, "asn_csv")
- bpki_dir = cfg.get(myrpki_section, "bpki_directory")
- xml_filename = cfg.get(myrpki_section, "xml_filename")
+ my_handle = cfg.get(myrpki_section, "handle")
+ roa_csv_file = cfg.get(myrpki_section, "roa_csv")
+ children_csv_file = cfg.get(myrpki_section, "children_csv")
+ parents_csv_file = cfg.get(myrpki_section, "parents_csv")
+ prefix_csv_file = cfg.get(myrpki_section, "prefix_csv")
+ asn_csv_file = cfg.get(myrpki_section, "asn_csv")
+ bpki_dir = cfg.get(myrpki_section, "bpki_directory")
+ xml_filename = cfg.get(myrpki_section, "xml_filename")
+ repository_bpki_certificate = cfg.get(myrpki_section, "repository_bpki_certificate")
bpki = CA(cfg_file, bpki_dir)
bpki.setup("/CN=%s TA" % my_handle)
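Review bot: `cfg.get(myrpki_section, "repository_bpki_certificate")` on a `RawConfigParser` raises `ConfigParser.NoOptionError` when the key is absent, so every existing myrpki.conf without the new key now stops `main()` at this line, whereas the later `os.path.exists` test suggests the certificate is meant to be optional. Suggest `repository_bpki_certificate = cfg.get(myrpki_section, "repository_bpki_certificate") if cfg.has_option(myrpki_section, "repository_bpki_certificate") else None` and having the existence check tolerate None (`os.path.exists(None)` raises TypeError). `main()` starts and ends outside the hunk.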
@@ -401,6 +390,9 @@ def main():
PEMElement(e, "bpki_ca_certificate", bpki.cer)
PEMElement(e, "bpki_crl", bpki.crl)
+ if os.path.exists(repository_bpki_certificate):
+ PEMElement(e, "bpki_repository_certificate", bpki.xcert(repository_bpki_certificate))
+
if bsc_cer:
PEMElement(e, "bpki_bsc_certificate", bsc_cer)
diff --git a/myrpki/myrpki.rnc b/myrpki/myrpki.rnc
index bf479d13..0ad11734 100644
--- a/myrpki/myrpki.rnc
+++ b/myrpki/myrpki.rnc
@@ -22,6 +22,7 @@ start = element myrpki {
parent_elt*,
bpki_ca_certificate_elt?,
bpki_crl_elt?,
+ bpki_repository_certificate_elt?,
bpki_bsc_certificate_elt?,
bpki_bsc_pkcs10_elt?
}
@@ -43,16 +44,15 @@ child_elt = element child {
parent_elt = element parent {
attribute handle { object_handle },
- attribute parent_service_uri { uri }?,
- attribute repository_service_uri { uri }?,
- element parent_bpki_certificate { base64 }?,
- element repository_bpki_certificate { base64 }?
+ attribute service_uri { uri }?,
+ element bpki_certificate { base64 }?
}
-bpki_ca_certificate_elt = element bpki_ca_certificate { base64 }
-bpki_crl_elt = element bpki_crl { base64 }
-bpki_bsc_certificate_elt = element bpki_bsc_certificate { base64 }
-bpki_bsc_pkcs10_elt = element bpki_bsc_pkcs10 { base64 }
+bpki_ca_certificate_elt = element bpki_ca_certificate { base64 }
+bpki_crl_elt = element bpki_crl { base64 }
+bpki_repository_certificate_elt = element bpki_repository_certificate { base64 }
+bpki_bsc_certificate_elt = element bpki_bsc_certificate { base64 }
+bpki_bsc_pkcs10_elt = element bpki_bsc_pkcs10 { base64 }
# Local Variables:
# indent-tabs-mode: nil
diff --git a/myrpki/myrpki.rng b/myrpki/myrpki.rng
index 69199b6a..f79f1bbd 100644
--- a/myrpki/myrpki.rng
+++ b/myrpki/myrpki.rng
@@ -68,6 +68,9 @@
<ref name="bpki_crl_elt"/>
</optional>
<optional>
+ <ref name="bpki_repository_certificate_elt"/>
+ </optional>
+ <optional>
<ref name="bpki_bsc_certificate_elt"/>
</optional>
<optional>
@@ -126,22 +129,12 @@
<ref name="object_handle"/>
</attribute>
<optional>
- <attribute name="parent_service_uri">
+ <attribute name="service_uri">
<ref name="uri"/>
</attribute>
</optional>
<optional>
- <attribute name="repository_service_uri">
- <ref name="uri"/>
- </attribute>
- </optional>
- <optional>
- <element name="parent_bpki_certificate">
- <ref name="base64"/>
- </element>
- </optional>
- <optional>
- <element name="repository_bpki_certificate">
+ <element name="bpki_certificate">
<ref name="base64"/>
</element>
</optional>
@@ -157,6 +150,11 @@
<ref name="base64"/>
</element>
</define>
+ <define name="bpki_repository_certificate_elt">
+ <element name="bpki_repository_certificate">
+ <ref name="base64"/>
+ </element>
+ </define>
<define name="bpki_bsc_certificate_elt">
<element name="bpki_bsc_certificate">
<ref name="base64"/>
diff --git a/myrpki/sql-cleaner.py b/myrpki/sql-cleaner.py
new file mode 100644
index 00000000..889b9955
--- /dev/null
+++ b/myrpki/sql-cleaner.py
@@ -0,0 +1,36 @@
+"""
+(Re)Initialize SQL tables used by these programs.
+
+$Id$
+
+Copyright (C) 2009 Internet Systems Consortium ("ISC")
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THIS SOFTWARE.
+"""
+
+import subprocess, ConfigParser
+
+for name in ("rpkid", "irdbd", "pubd"):
+
+ try:
+ cfg = ConfigParser.RawConfigParser()
+ cfg.read("%s.conf" % name)
+ username = cfg.get(name, "sql-username")
+ database = cfg.get(name, "sql-database")
+ password = cfg.get(name, "sql-password")
+
+ except:
+ print "Cleaner couldn't read %s config file, ignoring" % name
+ continue
+
+ subprocess.check_call(("mysql", "-u", username, "-p" + password, database), stdin = open("../rpkid/%s.sql" % name))
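Review bot: `"-p" + password` puts the MySQL password on the mysql command line, where any local user can read it from `ps` or `/proc/<pid>/cmdline` for as long as the client runs. Suggest passing it through the environment instead, `subprocess.check_call(("mysql", "-u", username, database), stdin = open("../rpkid/%s.sql" % name), env = dict(os.environ, MYSQL_PWD = password))`, which needs `os` added to the import line (a `--defaults-extra-file` would do as well). The bare `except:` also swallows KeyboardInterrupt and any programming error in the loop body; `cfg.get` is the only thing here that raises for a missing file or key, so `except ConfigParser.Error:` is the intended scope. The `open()` for stdin is never closed, harmless for a short script but worth a `with` if this grows.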
diff --git a/myrpki/xml-parse-test.py b/myrpki/xml-parse-test.py
index bf6ffd88..084d748f 100755
--- a/myrpki/xml-parse-test.py
+++ b/myrpki/xml-parse-test.py
@@ -75,14 +75,10 @@ for x in tree.getiterator(tag("child")):
showpem("Child", cert, "x509")
for x in tree.getiterator(tag("parent")):
- print "Parent URI:", x.get("parent_service_uri")
- cert = x.findtext(tag("parent_bpki_certificate"))
+ print "Parent URI:", x.get("service_uri")
+ cert = x.findtext(tag("bpki_certificate"))
if cert:
showpem("Parent", cert, "x509")
- print "Repository URI:", x.get("repository_service_uri")
- cert = x.findtext(tag("repository_bpki_certificate"))
- if cert:
- showpem("Repository", cert, "x509")
ca = tree.findtext(tag("bpki_ca_certificate"))
if ca:
@@ -92,6 +88,10 @@ bsc = tree.findtext(tag("bpki_bsc_certificate"))
if bsc:
showpem("BSC EE", bsc, "x509")
+repo = tree.findtext(tag("bpki_repository_certificate"))
+if repo:
+ showpem("Repository", repo, "x509")
+
req = tree.findtext(tag("bpki_bsc_pkcs10"))
if req:
showpem("BSC EE", req, "req")