#!/usr/bin/python
#
-# SFA Certificate Signing and management
-#
+# SFA Certificate Signing and management. Root authorities can use this script
+# to sign the certificate of another authority and become its parent. Sub
+# authorities (authorities that have had their cert signed by another authority)
+# can use this script to update their registry hierarchy with the new cert
+#
+# Example usage:
+#
+## sign a peer cert
+# sfa-ca.py --sign PEER_CERT_FILENAME -o OUTPUT_FILENAME
+#
+## import a cert and update the registry hierarchy
+# sfa-ca.py --import CERT_FILENAME
+#
+## display a cert
+# sfa-ca.py --display CERT_FILENAME
+
import os
import sys
help="gid file to import into the registry")
parser.add_option("-e", "--export", dest="export",
help="name of gid to export from registry")
+ parser.add_option("-t", "--type", dest="type",
+ help="record type", default=None)
parser.add_option("-o", "--outfile", dest="outfile",
help="where to write the exprted gid")
parser.add_option("-v", "--verbose", dest="verbose", default=False,
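Review bot: The new `--type` option accepts any free-form string and its help text, `record type`, says neither which values are valid nor what happens when it is omitted, so an admin typing `--type auth` gets an empty lookup instead of an error. If the set of record types is fixed, pass `choices=[...]` to `add_option` so optparse rejects typos, and widen the help to something like `help="record type of the gid to look up (default: any type)"` — the lookup elsewhere in this patch appears to treat an unset type as unfiltered, but this hunk does not show it. The `add_option` call on L23 begins outside the hunk.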
def sign_gid(gid, parent_key, parent_gid):
gid.set_issuer(parent_key, parent_gid.get_hrn())
gid.set_parent(parent_gid)
+ gid.set_intermediate_ca(True)
+ gid.set_pubkey(gid.get_pubkey())
gid.sign()
return gid
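Review bot: `gid.set_intermediate_ca(True)` on L34 marks every GID this function signs as an intermediate CA regardless of what the GID is for; the file header says the script signs the certificate of another authority, but nothing in sign_gid checks that, so a user/slice/node GID passed here would come out able to sign further certificates. Consider making it explicit at the call site, e.g. `def sign_gid(gid, parent_key, parent_gid, intermediate_ca=True):` and `gid.set_intermediate_ca(intermediate_ca)`, or derive it from the record type if the GID carries one. Separately, `gid.set_pubkey(gid.get_pubkey())` on L35 reads as a no-op — if set_pubkey is what actually installs the key into the certificate object so that sign() covers it, a one-line comment saying so would stop the next reader from deleting it. The caller of sign_gid is outside this hunk.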
from sfa.util.table import SfaTable
# lookup the record for the specified hrn
hrn = options.export
-
- # check sfa table first
+ type = options.type
+ # check sfa table first
+ filter = {'hrn': hrn}
+ if type:
+ filter['type'] = type
table = SfaTable()
- records = table.find({'hrn': hrn, type: 'authority'})
+ records = table.find(filter)
if not records:
# check the authorities hierarchy
hierarchy = Hierarchy()
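Review bot: Dropping the `'authority'` constraint changes what `--export HRN` returns when no `--type` is given: the removed line (even with its unquoted `type` key) meant to restrict the lookup to authority records, while `table.find(filter)` on L50 now matches any record with that hrn, and if several types share the hrn the first match is exported without warning. If the intent is "any type unless told otherwise", it is worth failing loudly when `len(records) > 1` and no type was supplied rather than picking silently, since which GID gets handed out matters here. Also, `type` and `filter` shadow Python builtins; `record_type = options.type` and `query = {'hrn': hrn}` read the same and avoid the trap. The enclosing function and the use of `records` continue past the hunk.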