authorRob Austein <sra@hactrn.net>2009-05-16 18:49:13 +0000
committerRob Austein <sra@hactrn.net>2009-05-16 18:49:13 +0000
commit625c9890842b76574b57f028a3f1f9f5c7d7db3e (patch)
tree1fb700fc0b2e30c10fb3c8af1c6c22665f70ed35
parent35fde32cbc25f7f9bef33a28dcbeeba3174404b1 (diff)
Cleanup
svn path=/rpkid/cross_certify.py; revision=2431
-rw-r--r--rpkid/cross_certify.py59
1 files changed, 41 insertions, 18 deletions
diff --git a/rpkid/cross_certify.py b/rpkid/cross_certify.py
index 97d436af..c634f3ea 100644
--- a/rpkid/cross_certify.py
+++ b/rpkid/cross_certify.py
@@ -4,10 +4,6 @@ one that was issued by somebody else. The point of the exercise is to
end up with a valid certificate in our own BPKI which has the same
subject name and subject public key as the one we're replacing.
-Much of this code lifted from rpki.x509.X509.issue(), but this is a
-sufficiently different purpose that it's probably not worth
-refactoring.
-
Usage: python cross_certify.py { -i | --in } input_cert
{ -c | --ca } issuing_cert
{ -k | --key } issuing_cert_key
@@ -18,7 +14,21 @@ Usage: python cross_certify.py { -i | --in } input_cert
$Id$
-Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+Copyright (C) 2009 Internet Systems Consortium ("ISC")
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THIS SOFTWARE.
+
+Portions copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -33,8 +43,7 @@ OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
"""
-import os, time, getopt, sys, POW
-import rpki.x509, rpki.sundial
+import os, time, getopt, sys, POW, rpki.x509, rpki.sundial
os.environ["TZ"] = "UTC"
time.tzset()
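Review bot: The merged import line at L54 still does not import `rpki.oids`, yet the new `make_ext` helper in the later hunk (L88), like the old extension code it replaces (L98-L102), dereferences `rpki.oids.name2oid`; that only works if `rpki.x509` or `rpki.sundial` imports it as a side effect, which this page cannot confirm. Making the dependency explicit with `import rpki.oids` next to the other `rpki` imports removes the reliance on a transitive import and survives a future refactor of those modules. As a point of style, PEP 8 prefers one module per `import` statement, so collapsing the two lines into one is a step in the wrong direction.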
@@ -43,11 +52,16 @@ def usage(code):
print __doc__
sys.exit(code)
-output = None
-lifetime = rpki.sundial.timedelta(days = 30)
+child = None
+parent = None
+keypair = None
+serial_file = None
+lifetime = rpki.sundial.timedelta(days = 30)
+output = None
opts, argv = getopt.getopt(sys.argv[1:], "h?i:o:c:k:s:l:",
- ["help", "in=", "out=", "ca=", "key=", "serial=", "lifetime="])
+ ["help", "in=", "out=", "ca=",
+ "key=", "serial=", "lifetime="])
for o, a in opts:
if o in ("-h", "--help", "-?"):
usage(0)
@@ -63,7 +77,7 @@ for o, a in opts:
serial_file = a
elif o in ("-l", "--lifetime"):
lifetime = rpki.sundial.timedelta.parse(a)
-if argv:
+if argv or None in (child, parent, keypair, serial_file):
usage(1)
now = rpki.sundial.now()
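Review bot: The added required-argument check at L80 relies on `None in (child, parent, keypair, serial_file)`, which falls back to `==` for each element after an identity miss; once `child` and `parent` hold `rpki.x509.X509` instances (as the `get_POWpkix()` calls later in the file suggest), the result depends on how that class implements `__eq__` against `None`, which is not visible here. An identity test is unambiguous: `if argv or any(v is None for v in (child, parent, keypair, serial_file)):`. Note that `output` is deliberately or accidentally left out of the required set, so a missing `-o` is only detected, if at all, where the certificate is written, outside this hunk. The enclosing option loop begins before the hunk.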
@@ -77,6 +91,10 @@ try:
except IOError:
serial = 1
+def make_ext(name, critical, value):
+ assert isinstance(critical, bool)
+ return rpki.oids.name2oid[name], critical, value
+
x = POW.pkix.Certificate()
x.setVersion(2)
x.setSerial(serial)
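Review bot: `make_ext` at L86-L88 validates its `critical` flag with `assert`, which is stripped when the script runs under `python -O`, so a non-bool would then be passed straight into the extension's critical field; raise instead: `if not isinstance(critical, bool): raise TypeError("critical must be a bool")`. The helper also has no docstring; a one-liner such as `"""Return an (oid, critical, value) extension tuple for POW.pkix, resolving the OID by name."""` would document its contract. Defining a function between top-level statements, after the serial-file read and just before the certificate is assembled, is unusual placement; keeping it beside `usage()` would group the module's definitions together.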
@@ -84,13 +102,18 @@ x.setIssuer(parent.get_POWpkix().getSubject())
x.setSubject(child.get_POWpkix().getSubject())
x.setNotBefore(now.toASN1tuple())
x.setNotAfter(notAfter.toASN1tuple())
-x.tbs.subjectPublicKeyInfo.set(child.get_POWpkix().tbs.subjectPublicKeyInfo.get())
-x.setExtensions(((rpki.oids.name2oid["subjectKeyIdentifier"], False,
- child.get_SKI()),
- (rpki.oids.name2oid["authorityKeyIdentifier"], False,
- (parent.get_SKI(), (), None)),
- (rpki.oids.name2oid["basicConstraints"], True,
- (1, 0))))
+x.tbs.subjectPublicKeyInfo.set(
+ child.get_POWpkix().tbs.subjectPublicKeyInfo.get())
+x.setExtensions((
+ make_ext(name = "subjectKeyIdentifier",
+ critical = False,
+ value = child.get_SKI()),
+ make_ext(name = "authorityKeyIdentifier",
+ critical = False,
+ value = (parent.get_SKI(), (), None)),
+ make_ext(name = "basicConstraints",
+ critical = True,
+ value = (1, 0))))
x.sign(keypair.get_POW(), POW.SHA256_DIGEST)
cert = rpki.x509.X509(POWpkix = x)