Test cert generator.

svn path=/scripts/generate-testrepo.py; revision=800

1 files changed, 171 insertions, 0 deletions

diff --git a/scripts/generate-testrepo.py b/scripts/generate-testrepo.py
new file mode 100644
index 00000000..0acc3503
--- /dev/null
+++ b/scripts/generate-testrepo.py
@@ -0,0 +1,171 @@
+# $Id$
+
+import rpki.resource_set
+
+subdir  = "testrepo"
+openssl = "../../openssl/openssl-0.9.8e/apps/openssl"
+keybits = 2048
+
+def main():
+  """
+  Main program, up front to make it easier to find.
+  """
+
+  allocation("ISP1", ipv4="192.0.2.1-192.0.2.33", asn="64533")
+  allocation("ISP2", ipv4="192.0.2.44-192.0.2.100")
+  allocation("ISP3", ipv6="2001:db8::44-2001:db8::100")
+  allocation("ISP4", ipv6="2001:db8::10:0:44/128", asn="64544")
+  allocation("LIR1", children=["ISP1", "ISP2"])
+  allocation("LIR2", children=["ISP3", "ISP4"])
+  allocation("RIR",  children=["LIR1", "LIR2"])
+
+  for i in allocations:
+    write_maybe("%s/%s.cnf" % (subdir, i.name), i.cfg_string())
+  write_maybe("%s/Makefile" % subdir,
+              "# Automatically generated, do not edit.\n" +
+              "".join([i.makefile_rules() for i in allocations]))
+
+def write_maybe(name, new_content):
+  old_content = None
+  try:
+    f = open(name, "r")
+    old_content = f.read()
+    f.close()
+  except IOError:
+    pass
+  if old_content != new_content:
+    print "Writing", name
+    f = open(name, "w")
+    f.write(new_content)
+    f.close()
+
+allocation_dict = {}
+allocations = []
+
+class allocation(object):
+
+  parent = None
+
+  def __init__(self, name, asn=None, ipv4=None, ipv6=None, children=[]):
+    self.name = name
+    self.children = [allocation_dict[i] for i in children]
+    for child in self.children:
+      assert child.parent is None
+      child.parent = self
+    self.asn  = self.summarize("asn",  rpki.resource_set.resource_set_as(asn))
+    self.ipv4 = self.summarize("ipv4", rpki.resource_set.resource_set_ipv4(ipv4))
+    self.ipv6 = self.summarize("ipv6", rpki.resource_set.resource_set_ipv6(ipv6))
+    allocation_dict[name] = self
+    allocations.insert(0, self)
+
+  def summarize(self, attrname, seed=None):
+    if seed is None:
+      seed = getattr(self, attrname)
+    for child in self.children:
+      seed = seed.union(child.summarize(attrname))
+    return seed
+
+  def __str__(self):
+    return "%s\n  ASN: %s\n IPv4: %s\n IPv6: %s" % (self.name, self.asn, self.ipv4, self.ipv6)
+
+  def cfg_string(self):
+    keys = { "self"    : self.name,
+             "keybits" : keybits,
+             "no_aia"  : "#", "parent"  : "???",
+             "no_asid" : "#", "asid"    : "???",
+             "no_addr" : "#", "addr"    : "???" }
+    if self.parent:
+      keys["no_aia"] = ""
+      keys["parent"] = self.parent.name
+    if self.asn:
+      keys["no_asid"] = ""
+      keys["asid"] = ",".join(["AS:" + str(x) for x in self.asn])
+    if self.ipv4 or self.ipv6:
+      keys["no_addr"] = ""
+      keys["addr"] = ",".join(["IPv4:" + str(x) for x in self.ipv4] + ["IPv6:" + str(x) for x in self.ipv6])
+    return openssl_cfg_fmt % keys
+
+  def makefile_rules(self):
+    keys = { "self"     : self.name,
+             "keybits"  : keybits,
+             "openssl"  : openssl }
+    if self.parent:
+      keys["signconf"] = "%s.cnf"           % self.parent.name
+      keys["signdeps"] = "%s.key"           % self.parent.name
+    else:
+      keys["signconf"] = "%s.cnf -selfsign" % self.name
+      keys["signdeps"] = "%s.key"           % self.name
+    return makefile_fmt % keys
+
+makefile_fmt = '''\
+
+all:: %(self)s.cer
+
+%(self)s.key:
+	%(openssl)s genrsa -out $@ %(keybits)d
+
+%(self)s.req: %(self)s.key %(self)s.cnf Makefile
+	%(openssl)s req -new -config %(self)s.cnf -key %(self)s.key -out $@
+
+%(self)s.cer: %(self)s.req %(self)s.cnf %(signdeps)s Makefile
+	test -d %(self)s || mkdir %(self)s
+	test -f %(self)s/index || touch %(self)s/index
+	test -f %(self)s/serial || echo 01 >%(self)s/serial
+	%(openssl)s ca -batch -verbose -notext -out $@ -in %(self)s.req -extensions req_x509_ext -extfile %(self)s.cnf -config %(signconf)s
+
+'''
+
+openssl_cfg_fmt = '''# Automatically generated, do not edit.
+
+[ ca ]
+default_ca = ca_default
+
+[ ca_default ]
+certificate = %(self)s.cer
+serial = %(self)s/serial
+private_key = %(self)s.key
+database = %(self)s/index
+new_certs_dir = %(self)s
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 365
+default_crl_days = 30
+default_md = sha1
+preserve = no
+copy_extensions = copy
+policy = ca_policy_anything
+unique_subject = no
+
+[ ca_policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+givenName = optional
+surname = optional
+
+[ req ]
+default_bits = %(keybits)d
+encrypt_key = no
+distinguished_name = req_dn
+x509_extensions = req_x509_ext
+prompt = no
+
+[ req_dn ]
+CN = TEST ENTITY %(self)s
+
+[ req_x509_ext ]
+basicConstraints = critical,CA:true
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid
+keyUsage = critical,keyCertSign,cRLSign
+subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombats-r-us.hactrn.net/%(self)s/
+%(no_aia)sauthorityInfoAccess = caIssuers;URI:rsync://wombats-r-us.hactrn.net/%(parent)s.cer
+%(no_asid)ssbgp-autonomousSysNum = critical,%(asid)s
+%(no_addr)ssbgp-ipAddrBlock = critical,%(addr)s
+'''
+
+main()