author | Rob Austein <sra@hactrn.net> | 2010-02-19 19:23:13 +0000 |
---|---|---|
committer | Rob Austein <sra@hactrn.net> | 2010-02-19 19:23:13 +0000 |
commit | e61e5d64fdbadba6c896e9505d47778cedb2d778 (patch) | |
tree | 493c6498d055e0c634750593d7cadaa7b746909e /myrpki.rototill/initialize.py | |
parent | 3fa0f3f73ebaf4bd9b06f48e1d4dae224e24f180 (diff) |
Checkpoint
svn path=/myrpki.rototill/examples/myrpki.conf; revision=2981
Diffstat (limited to 'myrpki.rototill/initialize.py')
-rw-r--r-- | myrpki.rototill/initialize.py | 110 |
1 files changed, 110 insertions, 0 deletions
diff --git a/myrpki.rototill/initialize.py b/myrpki.rototill/initialize.py
new file mode 100644
index 00000000..f40b3e86
--- /dev/null
+++ b/myrpki.rototill/initialize.py
@@ -0,0 +1,110 @@
+"""
+Step 1: User runs a new "initialize" script. This reads the .conf file
+ and creates the resource-holding "self" BPKI identity (what
+ we've been calling bpki.myrpki/ca.cer, although that name
+ should change and the user shouldn't need to know it anymore).
+ If the .conf file says that this user will be running any
+ servers at all (rpkid, irdbd, pubd, rootd), this script also
+ creates what we've been calling bpki.myirbe/ca.cer and issues
+ bpki ee certificates for all the servers we will be running.
+ It bundles up the "self" identity (bpki.myrpki/ca.cer and the
+ "handle" value from the [myrpki] section of the .conf file) as
+ an xml blob, which it writes out to some filename (call it
+ me.xml for now).
+
+ The general idea here is to start with all the setup that we
+ can do based just on the .conf file without talking to anybody
+ else.
+
+$Id$
+
+Copyright (C) 2010 Internet Systems Consortium ("ISC")
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THIS SOFTWARE.
+"""
+
+import subprocess, csv, re, os, getopt, sys, base64, time, myrpki, rpki.config
+
+from xml.etree.ElementTree import Element, SubElement, ElementTree
+
+os.environ["TZ"] = "UTC"
+time.tzset()
+
+cfg_file = "myrpki.conf"
+
+opts, argv = getopt.getopt(sys.argv[1:], "c:h?", ["config=", "help"])
+for o, a in opts:
+ if o in ("-c", "--config"):
+ cfg_file = a
+ elif o in ("-h", "--help", "-?"):
+ print __doc__
+ sys.exit(0)
+
+cfg = rpki.config.parser(cfg_file, "myrpki")
+
+handle = cfg.get("handle")
+want_rpkid = cfg.getboolean("want_rpkid")
+want_pubd = cfg.getboolean("want_pubd")
+want_rootd = cfg.getboolean("want_rootd")
+
+myrpki.openssl = cfg.get("openssl", "openssl")
+
+# First create the "myrpki" (resource holding) BPKI and trust anchor
+
+bpki_myrpki = myrpki.CA(cfg_file, cfg.get("myrpki_bpki_directory"))
+
+bpki_myrpki.setup(cfg.get("bpki_myrpki_ta_dn",
+ "/CN=%s BPKI Resource Trust Anchor" % handle))
+
+# If we're running any daemons at all, we also need to set up the
+# "myirbe" (server-operating) BPKI, its trust anchor, and EE certs for
+# each program we need to run.
+
+if want_rpkid or want_pubd or want_rootd:
+
+ bpki_myirbe = myrpki.CA(cfg_file, cfg.get("myirbe_bpki_directory"))
+
+ bpki_myirbe.setup(cfg.get("bpki_myirbe_ta_dn",
+ "/CN=%s BPKI Server Trust Anchor" % handle))
+
+ if want_rpkid: # rpkid implies irdbd
+
+ bpki_myirbe.ee(cfg.get("bpki_rpkid_ee_dn",
+ "/CN=%s rpkid server certificate" % handle), "rpkid")
+
+ bpki_myirbe.ee(cfg.get("bpki_irdbd_ee_dn",
+ "/CN=%s irdbd server certificate" % handle), "irdbd")
+
+ if want_pubd:
+ bpki_myirbe.ee(cfg.get("bpki_pubd_ee_dn",
+ "/CN=%s pubd server certificate" % handle), "pubd")
+
+ if want_rpkid or want_irdbd: # Client cert for myirbe and irbe_cli
+
+ bpki_myirbe.ee(cfg.get("bpki_irbe_ee_dn",
+ "/CN=%s irbe client certificate" % handle), "irbe")
+
+ if want_rootd:
+
+ bpki_myirbe.ee(cfg.get("bpki_rootd_ee_dn",
+ "/CN=%s rootd server certificate" % handle), "rootd")
+
+# Now build the me.xml file (name should be configurable, and should
+# check for existing file so we don't overwrite, ... hack later ...).
+
+e = Element("me", xmlns = myrpki.namespace, version = "1", handle = handle)
+
+myrpki.PEMElement(e, "bpki_ca_certificate", bpki_myrpki.cer)
+
+ElementTree(e).write("me.xml.tmp")
+os.rename("me.xml.tmp", "me.xml")
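Review bot: `want_irdbd` in `if want_rpkid or want_irdbd:` is never assigned — only want_rpkid, want_pubd and want_rootd are read from the config above — so whenever want_rpkid is false and the outer block is entered via want_pubd or want_rootd, the `or` short-circuit evaluates the undefined name and the script dies with NameError before the rootd EE certificate is issued. Since the comment on the rpkid branch says rpkid implies irdbd, either read the flag alongside the others, `want_irdbd = cfg.getboolean("want_irdbd")`, or reduce the condition to `if want_rpkid:`. Separately, the staging file `me.xml.tmp` is a fixed name in the current directory rather than next to the configured BPKI directories, so two runs in the same directory race on it and a crash between the write and the rename leaves it behind; the overwrite concern is already noted in the comment, so only the staging location needs a decision. The imports of subprocess, csv, re, base64 and SubElement are unused in this file and can be dropped.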