Diffstat (limited to 'rpkid')
-rw-r--r--rpkid/rpki/myrpki.py40
1 files changed, 27 insertions, 13 deletions
diff --git a/rpkid/rpki/myrpki.py b/rpkid/rpki/myrpki.py
index d00e29ae..4dcc0448 100644
--- a/rpkid/rpki/myrpki.py
+++ b/rpkid/rpki/myrpki.py
@@ -757,29 +757,43 @@ class CA(object):
if not filename and os.path.exists(fn):
os.unlink(fn)
- def xcert(self, cert, path_restriction = 0):
+ def xcert_filename(self, cert):
"""
- Cross-certify a certificate represented as a PEM file.
+ Generate filename for a cross-certification.
+
+ Extracts public key and subject name from PEM file and hash it so
+ we can use the result as a tag for cross-certifying this cert.
"""
- if not cert or not os.path.exists(cert):
+ if cert and os.path.exists(cert):
+ return "%s/xcert.%s.cer" % (self.dir, self.run_dgst(self.run_openssl(
+ "x509", "-noout", "-pubkey", "-subject", "-in", cert)).strip())
+ else:
return None
- # Extract public key and subject name from PEM file and hash it so
- # we can use the result as a tag for cross-certifying this cert.
-
- hash = self.run_dgst(self.run_openssl(
- "x509", "-noout", "-pubkey", "-subject", "-in", cert))
-
- # Cross-certify the cert we were given, if we haven't already.
- # This only works for self-signed certs, due to limitations of the
- # OpenSSL command line tool, but that suffices for our purposes.
+ def xcert(self, cert, path_restriction = 0):
+ """
+ Cross-certify a certificate represented as a PEM file, if we
+ haven't already. This only works for self-signed certs, due to
+ limitations of the OpenSSL command line tool, but that suffices
+ for our purposes.
+ """
- xcert = "%s/xcert.%s.cer" % (self.dir, hash.strip())
+ xcert = self.xcert_filename(cert)
if not os.path.exists(xcert):
self.run_ca("-ss_cert", cert, "-out", xcert, "-extensions", self.path_restriction[path_restriction])
return xcert
+ def xcert_revoke(self, cert):
+ """
+ Revoke a cross-certification and regenerate CRL.
+ """
+
+ xcert = self.xcert_filename(cert)
+ if xcert:
+ self.run_ca("-revoke", xcert)
+ self.run_ca("-gencrl", "-out", self.crl)
+
def etree_validate(e):
# This is a kludge, schema should be loaded as module or configured
# in .conf, but it will do as a temporary debugging hack.
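Review bot: The rewritten `xcert` drops the early return the old version had for a missing `cert`: `xcert_filename` returns None in that case, and `os.path.exists(None)` on the following line raises TypeError, so a caller that previously got None back now gets an exception. `xcert_revoke` guards its result with `if xcert:`; `xcert` should do the same, e.g. `if xcert and not os.path.exists(xcert):` in front of the `run_ca("-ss_cert", ...)` call, which keeps the return value None for the missing-cert case exactly as before. A smaller point in `xcert_revoke`: it runs `run_ca("-revoke", xcert)` whenever the input cert exists, even when no cross-certificate was ever generated for it; an `os.path.exists(xcert)` check before revoking would avoid handing `openssl ca -revoke` a nonexistent file, though whether `run_ca` tolerates that failure is not visible here. Both methods appear complete within the hunk, but five blank context lines seem to have been lost in rendering, so the exact spacing between them cannot be checked from this view.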
# $Id$

# Copyright (C) 2009-2010  Internet Systems Consortium ("ISC")
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
#
# Portions copyright (C) 2007--2008  American Registry for Internet Numbers ("ARIN")
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS.  IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.

# Testbed scenario.  The first YAML document describes the CA hierarchy
# (RIR at the root, R0 beneath it, Alice and Bob as R0's children) and
# the resources each holds; the later "---"-separated documents look like
# steps applied afterwards (shell commands and ROA request changes for
# Alice).  NOTE(review): the step semantics are not visible in this file,
# confirm them against the testbed driver that consumes it.
name:           RIR
# Timing parameters for the root CA.  The "d"/"h" suffixes presumably
# mean days and hours -- verify against the testbed parser.
crl_interval:   2d
regen_margin:   1h
valid_for:      90d
kids:
  - name: R0
    kids:
      - name: Alice
        # Resources delegated to Alice: one IPv4 address range, one IPv6
        # prefix and one AS number.
        ipv4: 192.0.2.0-192.0.2.33
        ipv6: 2002:0a00::/32
        asn:  64533
        # ROA request naming AS 42 as origin for these prefixes.  The
        # "/30-32" form appears to be prefix-length/max-length -- confirm.
        roa_request:
          - asn: 42
            ipv4: 192.0.2.0/30-32,192.0.2.32/32
            ipv6: 2002:0a00::/32-128
      - name: Bob
        ipv4: 192.0.2.44-192.0.2.100
    # R0's own IPv4 resources and ROA request, separate from its kids'.
    ipv4: 10.3.0.0/16
    roa_request:
      - asn: 666
        ipv4: 10.3.0.0/23
---
# Disabled steps: dump every ROA and manifest under the publication tree.
#- shell find publication -type f -name '*.roa'
#        -print -exec ../../../rp/utils/print_roa {} \;
#- shell find publication -type f -name '*.mft'
#        -print -exec ../../../rp/utils/print_manifest {} \;
#---
#- shell find publication -type f -name '*.roa'
#        -print -exec ../../../rp/utils/print_roa {} \;
#- shell find publication -type f -name '*.mft'
#        -print -exec ../../../rp/utils/print_manifest {} \;
#---
# Run the rpki-rtr cronjob over rcynic's authenticated output, then show
# the resulting state.
- shell set -x;
  rpki_rtr=../../../rp/rpki-rtr/rpki-rtr;
  $rpki_rtr cronjob rcynic-data/authenticated &&
  $rpki_rtr show
---
# Alice withdraws her AS 42 ROA request and adds one for AS 666 covering
# the same prefixes in a single step, so this appears to exercise ROA
# withdrawal/replacement rather than a plain addition.
- name: Alice
  roa_request_del:
    - asn: 42
      ipv4: 192.0.2.0/30-32,192.0.2.32/32
      ipv6: 2002:0a00::/32-128
  roa_request_add:
    - asn: 666
      ipv4: 192.0.2.0/30-32,192.0.2.32/32
      ipv6: 2002:0a00::/32-128
---
# Re-run rpki-rtr after the change (same commands as the earlier step).
- shell set -x;
  rpki_rtr=../../../rp/rpki-rtr/rpki-rtr;
  $rpki_rtr cronjob rcynic-data/authenticated &&
  $rpki_rtr show