From 81cd03a374206c6045fbd7f42d6f0433e2cf17c4 Mon Sep 17 00:00:00 2001
From: Rob Austein
Date: Thu, 16 Jul 2009 04:32:25 +0000
Subject: Rework paretns.csv etc to support separate HTTPS and CMS certificates (sigh).
svn path=/myrpki/Makefile; revision=2625
---
 myrpki/Makefile | 1 -
 myrpki/myirbe.py | 11 ++++++-----
 myrpki/myrpki.py | 28 +++++++++++++++------------
 myrpki/schema.py | 9 +++++++--
 myrpki/schema.rnc | 3 ++-
 myrpki/schema.rng | 9 +++++++--
 myrpki/yamltest.py | 56 ++++++++++++++++++++++++++----------------------------
 7 files changed, 65 insertions(+), 52 deletions(-)
diff --git a/myrpki/Makefile b/myrpki/Makefile
index 4ff9cd35..b83745d8 100644
--- a/myrpki/Makefile
+++ b/myrpki/Makefile
@@ -1,6 +1,5 @@
 # $Id$
-#all:: relatives
 #all:: myrpki.xml
 #all:: lint
 #all:: parse
diff --git a/myrpki/myirbe.py b/myrpki/myirbe.py
index 076c02b7..af70755a 100644
--- a/myrpki/myirbe.py
+++ b/myrpki/myirbe.py
@@ -377,7 +377,8 @@ for xmlfile in xmlfiles:
 parent_handle = parent.get("handle")
 parent_pdu = parent_pdus.pop(parent_handle, None)
 parent_uri = parent.get("service_uri")
- parent_cert = findbase64(parent, "bpki_certificate")
+ parent_cms_cert = findbase64(parent, "bpki_cms_certificate")
+ parent_https_cert = findbase64(parent, "bpki_https_certificate")
 if need_own_pub_point:
 parent_sia_base = pubd_base_uri + parent_handle + "/"
@@ -391,8 +392,8 @@ for xmlfile in xmlfiles:
 parent_pdu.sia_base != parent_sia_base or
 parent_pdu.sender_name != handle or
 parent_pdu.recipient_name != parent_handle or
- parent_pdu.bpki_cms_cert != parent_cert or
- parent_pdu.bpki_https_cert != parent_cert):
+ parent_pdu.bpki_cms_cert != parent_cms_cert or
+ parent_pdu.bpki_https_cert != parent_https_cert):
 rpkid_query.append(rpki.left_right.parent_elt.make_pdu(
 action = "create" if parent_pdu is None else "set",
 tag = parent_handle,
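Review bot: In the first myirbe.py hunk, `parent_cms_cert` and `parent_https_cert` come straight from `findbase64(...)` and are then used in the comparison and the `make_pdu(...)` call of the next two hunks, with no check that both elements were actually present. The myrpki.py side of this commit writes `bpki_cms_certificate` and `bpki_https_certificate` only when the value is truthy, so a parent element can lack either one. What `findbase64` returns in that case is defined outside the hunk, but if it is `None` the parent would be created or updated in rpkid with no trust anchor for that channel. I would stop before building the PDU, e.g. `if parent_cms_cert is None or parent_https_cert is None: raise RuntimeError("parent %s is missing a BPKI certificate" % parent_handle)`. The enclosing `for xmlfile in xmlfiles:` loop starts and ends outside these hunks.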
@@ -404,8 +405,8 @@ for xmlfile in xmlfiles:
 sia_base = parent_sia_base,
 sender_name = handle,
 recipient_name = parent_handle,
- bpki_cms_cert = parent_cert,
- bpki_https_cert = parent_cert))
+ bpki_cms_cert = parent_cms_cert,
+ bpki_https_cert = parent_https_cert))
 rpkid_query.extend(rpki.left_right.parent_elt.make_pdu( action = "destroy", self_handle = handle, parent_handle = p) for p in parent_pdus)
diff --git a/myrpki/myrpki.py b/myrpki/myrpki.py
index 724a4c52..9a661eb4 100644
--- a/myrpki/myrpki.py
+++ b/myrpki/myrpki.py
@@ -155,29 +155,33 @@ class parent(object):
 self.bpki_certificate = None
 def __repr__(self):
- return "<%s uri %s cert %s uri %s cert %s>" % (self.__class__.__name__,
- self.service_uri, self.bpki_certificate)
+ return "<%s uri %s cms %s https %s>" % (self.__class__.__name__, self.service_uri,
+ self.bpki_cms_certificate, self.bpki_https_certificate)
- def add(self, service_uri = None, bpki_certificate = None):
+ def add(self, service_uri = None, bpki_cms_certificate = None, bpki_https_certificate = None):
 if service_uri is not None:
 self.service_uri = service_uri
- if bpki_certificate is not None:
- self.bpki_certificate = bpki_certificate
+ if bpki_cms_certificate is not None:
+ self.bpki_cms_certificate = bpki_cms_certificate
+ if bpki_https_certificate is not None:
+ self.bpki_https_certificate = bpki_https_certificate
 def xml(self, e):
 e2 = SubElement(e, "parent", handle = self.handle, service_uri = self.service_uri)
- if self.bpki_certificate:
- PEMElement(e2, "bpki_certificate", self.bpki_certificate)
+ if self.bpki_cms_certificate:
+ PEMElement(e2, "bpki_cms_certificate", self.bpki_cms_certificate)
+ if self.bpki_https_certificate:
+ PEMElement(e2, "bpki_https_certificate", self.bpki_https_certificate)
 return e2
 class parents(dict):
- def add(self, handle, service_uri = None, bpki_certificate = None):
+ def add(self, handle, service_uri = None, bpki_cms_certificate = None, bpki_https_certificate = None):
 if handle not in self:
 self[handle] = parent(handle)
- self[handle].add(service_uri = service_uri, bpki_certificate = bpki_certificate)
+ self[handle].add(service_uri = service_uri, bpki_cms_certificate = bpki_cms_certificate, bpki_https_certificate = bpki_https_certificate)
 def xml(self, e):
 for c in self.itervalues():
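Review bot: The context line `self.bpki_certificate = None` at the top of this hunk is unchanged, so `parent.__init__` still appears to initialise only the old attribute, while `__repr__` and `xml()` now read `self.bpki_cms_certificate` and `self.bpki_https_certificate`. `add()` assigns each of those only when its argument is not None, so a parent added without one of the certificates raises AttributeError in `xml()` rather than simply omitting the element. Replace the initialiser with `self.bpki_cms_certificate = None` and `self.bpki_https_certificate = None`. `__init__` begins above the hunk and this is the first hunk in myrpki.py, so the earlier lines are untouched by the commit, but confirm none of them already sets the new names.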
@@ -186,10 +190,10 @@ class parents(dict):
 @classmethod
 def from_csv(cls, parents_csv_file, xcert):
 self = cls()
- # parentname service_uri parent_bpki_pemfile
- for handle, service_uri, parent_pemfile in csv_open(parents_csv_file):
+ # parentname service_uri parent_bpki_cms_pemfile parent_bpki_https_pemfile
+ for handle, service_uri, parent_cms_pemfile, parent_https_pemfile in csv_open(parents_csv_file):
 self.add(handle = handle,
- service_uri = service_uri, bpki_certificate = xcert(parent_pemfile))
+ service_uri = service_uri, bpki_cms_certificate = xcert(parent_cms_pemfile), bpki_https_certificate = xcert(parent_https_pemfile))
 return self
 def csv_open(filename, delimiter = "\t", dialect = None):
diff --git a/myrpki/schema.py b/myrpki/schema.py
index d5078714..38df6d3d 100644
--- a/myrpki/schema.py
+++ b/myrpki/schema.py
@@ -1,7 +1,7 @@ import lxml.etree myrpki = lxml.etree.RelaxNG(lxml.etree.fromstring('''
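Review bot: In `parents.from_csv` (myrpki/myrpki.py) the loop now unpacks exactly four fields per row, so a parents.csv still in the old three-column layout fails with a bare tuple-unpacking `ValueError` that names neither the file nor the row. Because this changes the format of an operator-maintained file, iterate with `for row in csv_open(parents_csv_file):` and check first, e.g. `if len(row) != 4: raise ValueError("%s: expected handle, service_uri, cms_pemfile, https_pemfile, got %r" % (parents_csv_file, row))`. What `csv_open` yields is defined below the hunk, so confirm that rows are plain sequences. The check should reject short rows rather than reuse the single PEM file for both roles, since that would quietly undo the CMS/HTTPS separation this commit introduces.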