From 5c5edfa9b3a2f3baad06802269e7acd1d3e77566 Mon Sep 17 00:00:00 2001
From: "Chris St. Pierre" <chris.a.st.pierre@gmail.com>
Date: Tue, 13 Aug 2013 08:21:25 -0400
Subject: Rewrote SSLCA as Cfg handler.

This adds encryption support to SSL key creation (much like SSH
private keys), and the ability to generate keys and certs that are
specific to groups, instead of just to hosts.  It also moves the SSLCA
data (the XML files describing keys and certs as well as the keys and
certs themselves) into the Cfg tree, rather than off in their own
separate place.

tools/upgrade/1.4/migrate_sslca.py can be used to migrate to the new
format.

This also adds XMLCfgCreator, a CfgCreator that makes it easier to
create data based on XML descriptions of it (which is exactly what the
SSH key and SSL CA creators do), including built-in support for host-
and group-specific data, encryption, and so on.
---
 schemas/sslca-cert.xsd |  4 ++--
 schemas/sslca-key.xsd  | 23 +++++++++++++++++++----
 2 files changed, 21 insertions(+), 6 deletions(-)

(limited to 'schemas')

diff --git a/schemas/sslca-cert.xsd b/schemas/sslca-cert.xsd
index a3f6db94d..7a9fb5683 100644
--- a/schemas/sslca-cert.xsd
+++ b/schemas/sslca-cert.xsd
@@ -2,7 +2,7 @@
             xmlns:py="http://genshi.edgewall.org/" xml:lang="en">
   <xsd:annotation>
     <xsd:documentation>
-      Schema for :ref:`server-plugins-generators-sslca` ``cert.xml``
+      Schema for :ref:`server-plugins-generators-sslca` ``sslcert.xml``
     </xsd:documentation>
   </xsd:annotation>
 
@@ -76,7 +76,7 @@
         <xsd:documentation>
           The full path to the key entry to use for this certificate.
           This is the *client* path; e.g., for a key defined at
-          ``/var/lib/bcfg2/SSLCA/etc/pki/tls/private/foo.key/key.xml``,
+          ``/var/lib/bcfg2/SSLCA/etc/pki/tls/private/foo.key/sslkey.xml``,
           **key** should be ``/etc/pki/tls/private/foo.key``.
         </xsd:documentation>
       </xsd:annotation>
diff --git a/schemas/sslca-key.xsd b/schemas/sslca-key.xsd
index 261b71e1a..3523a0c60 100644
--- a/schemas/sslca-key.xsd
+++ b/schemas/sslca-key.xsd
@@ -2,7 +2,7 @@
             xmlns:py="http://genshi.edgewall.org/" xml:lang="en">
   <xsd:annotation>
     <xsd:documentation>
-      Schema for :ref:`server-plugins-generators-sslca` ``key.xml``
+      Schema for :ref:`server-plugins-generators-sslca` ``sslkey.xml``
     </xsd:documentation>
   </xsd:annotation>
 
@@ -91,11 +91,26 @@
       <xsd:element name="Client" type="SSLCAKeyGroupType"/>
       <xsd:element name="KeyInfo" type="KeyInfoType"/>
     </xsd:choice>
-    <xsd:attribute name="lax_decryption" type="xsd:boolean">
+    <xsd:attribute name="perhost" type="xsd:boolean">
       <xsd:annotation>
         <xsd:documentation>
-          Override the global lax_decryption setting in
-          ``bcfg2.conf``.
+          Create keys on a per-host basis (rather than on a per-group
+          basis).
+        </xsd:documentation>
+      </xsd:annotation>
+    </xsd:attribute>
+    <xsd:attribute name="category" type="xsd:string">
+      <xsd:annotation>
+        <xsd:documentation>
+          Create keys specific to the given category, instead of
+          specific to the category given in ``bcfg2.conf``.
+        </xsd:documentation>
+      </xsd:annotation>
+    </xsd:attribute>
+    <xsd:attribute name="priority" type="xsd:positiveInteger" default="50">
+      <xsd:annotation>
+        <xsd:documentation>
+          Create group-specific keys with the given priority.
         </xsd:documentation>
       </xsd:annotation>
     </xsd:attribute>
-- 
cgit v1.2.3-1-g7c22