authorRob Austein <sra@hactrn.net>2016-04-23 15:03:47 +0000
committerRob Austein <sra@hactrn.net>2016-04-23 15:03:47 +0000
commit4d3f0b25bf076ad5fb71de24694a1c77a80271bc (patch)
tree4490163353d8005539c8515e8a2e8f726aef1638
parent5c624ffcb9cb6fbecf49ede4740a71f0c8135362 (diff)
rpkic extract_root_certificate and extract_root_tal commands.
svn path=/branches/tk705/; revision=6378
-rw-r--r--rpki/irdb/zookeeper.py22
-rw-r--r--rpki/left_right.py1
-rw-r--r--rpki/rpkic.py33
3 files changed, 56 insertions, 0 deletions
diff --git a/rpki/irdb/zookeeper.py b/rpki/irdb/zookeeper.py
index 1eb950f4..f0fda08a 100644
--- a/rpki/irdb/zookeeper.py
+++ b/rpki/irdb/zookeeper.py
@@ -381,6 +381,28 @@ class Zookeeper(object):
return self.generate_repository_request(parent)
+ def extract_root_certificate_and_uris(self, handle):
+
+ if not handle:
+ handle = self.handle
+
+ q_msg = self.compose_left_right_query()
+ SubElement(q_msg, rpki.left_right.tag_parent, action = "get",
+ tenant_handle = self.handle, parent_handle = handle)
+ r_msg = self.call_rpkid(q_msg)
+ assert len(r_msg) == 1 and r_msg[0].tag == rpki.left_right.tag_parent
+
+ cert = rpki.x509.X509(Base64 = r_msg[0].findtext(rpki.left_right.tag_rpki_root_cert))
+ caDirectory, rpkiManifest, signedObjectRepository, rpkiNotify = cert.get_SIA()
+ sia_base = r_msg[0].get("sia_base")
+ fn = cert.gSKI() + ".cer"
+
+ https_uri = os.path.join(os.path.dirname(rpkiNotify[0]), fn)
+ rsync_uri = sia_base + fn
+
+ return cert, (https_uri, rsync_uri)
+
+
def write_bpki_files(self):
"""
Write out BPKI certificate, key, and CRL files for daemons that
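Review bot: The only validation of the rpkid reply in extract_root_certificate_and_uris is the `assert`, which is stripped under `python -O`, and nothing after it handles a parent that is not a root. `findtext(rpki.left_right.tag_rpki_root_cert)` returns None when the element is absent, `r_msg[0].get("sia_base")` can be None, and `rpkiNotify[0]` presumably fails if the certificate has no rpkiNotify SIA (get_SIA is not visible here). Because these values end up in a trust anchor locator, an explicit check would be safer, for example `if len(r_msg) != 1 or r_msg[0].tag != rpki.left_right.tag_parent:` followed by raising one of the project's own exceptions, plus a None check on the certificate text and `sia_base`. `os.path.join` and `os.path.dirname` are also platform-dependent when applied to a URI; `posixpath` keeps the separator as `/`. The new method has no docstring; one saying that it returns the root certificate and an (https_uri, rsync_uri) pair would match write_bpki_files below it.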
diff --git a/rpki/left_right.py b/rpki/left_right.py
index 3572ee98..02b118c0 100644
--- a/rpki/left_right.py
+++ b/rpki/left_right.py
@@ -55,6 +55,7 @@ tag_pkcs10 = xmlns + "pkcs10"
tag_pkcs10_request = xmlns + "pkcs10_request"
tag_report_error = xmlns + "report_error"
tag_repository = xmlns + "repository"
+tag_rpki_root_cert = xmlns + "rpki_root_cert"
tag_tenant = xmlns + "tenant"
tag_signing_cert = xmlns + "signing_cert"
tag_signing_cert_crl = xmlns + "signing_cert_crl"
diff --git a/rpki/rpkic.py b/rpki/rpkic.py
index 2d49a1e7..755e9102 100644
--- a/rpki/rpkic.py
+++ b/rpki/rpkic.py
@@ -438,6 +438,39 @@ class main(Cmd):
@parsecmd(argsubparsers,
+ cmdarg("--root_handle", help = "override default handle"),
+ cmdarg("--output_file", help = "override default output filename"))
+ def do_extract_root_certificate(self, args):
+ """
+ Extract self-signed RPKI certificate from a root object.
+ """
+
+ cert, uris = self.zoo.extract_root_certificate_and_uris(args.root_handle)
+ fn = args.output_file or (cert.gSKI() + ".cer")
+ with open_swapped_uids(fn, "wb") as f:
+ print "Writing", f.name
+ f.write(cert.get_DER())
+
+
+ @parsecmd(argsubparsers,
+ cmdarg("--root_handle", help = "override default handle"),
+ cmdarg("--output_file", help = "override default output filename"))
+ def do_extract_root_tal(self, args):
+ """
+ Extract self-signed RPKI certificate from a root object.
+ """
+
+ cert, uris = self.zoo.extract_root_certificate_and_uris(args.root_handle)
+ fn = args.output_file or (cert.gSKI() + ".tal")
+ with open_swapped_uids(fn, "w") as f:
+ print "Writing", f.name
+ for uri in uris:
+ f.write(uri + "\n")
+ f.write("\n")
+ f.write(cert.getPublicKey().get_Base64())
+
+
+ @parsecmd(argsubparsers,
cmdarg("--flat", help = "use flat publication scheme", action = "store_true"),
cmdarg("--sia_base", help = "override SIA base value"),
cmdarg("client_xml", help = "XML file containing client request"))
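Review bot: The docstring on do_extract_root_tal is copied from do_extract_root_certificate and still says it extracts the certificate, while the body writes the URIs, a blank line and the Base64 public key. If the docstring doubles as command help, as is usual for Cmd-style classes, something like `Write a trust anchor locator (TAL) for a root object: URIs, a blank line, then the Base64 public key.` would be accurate. In do_extract_root_certificate the `uris` half of the returned tuple is unused, so `cert, _ = self.zoo.extract_root_certificate_and_uris(args.root_handle)` would make that explicit. The final `f.write(cert.getPublicKey().get_Base64())` leaves the file without a trailing newline unless get_Base64() supplies one, which is not visible in this hunk.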