diff options
| author | Rob Austein <sra@hactrn.net> | 2012-07-12 02:10:45 +0000 |
|---|---|---|
| committer | Rob Austein <sra@hactrn.net> | 2012-07-12 02:10:45 +0000 |
| commit | c16481cb659f5c846d4b16ed538c30b3b6f764bd (patch) | |
| tree | 97eed639951edf0f5aaebf729184c567ff7ec114 /scripts | |
| parent | e127b94b302ce89057887485cd7e36a96eda5f37 (diff) | |
First cut at script to find ROAs and list expiration dates of all
certificates in that ROA's authorization chain. See #256.
svn path=/trunk/; revision=4596
Diffstat (limited to 'scripts')
| -rw-r--r-- | scripts/find-roa-expiration.py | 61 |
1 files changed, 61 insertions, 0 deletions
diff --git a/scripts/find-roa-expiration.py b/scripts/find-roa-expiration.py new file mode 100644 index 00000000..0ae6fa66 --- /dev/null +++ b/scripts/find-roa-expiration.py @@ -0,0 +1,61 @@ +""" +Look for ROAs for particular prefixes, like find_roa, then, for each +ROA we find, dig out the expiration times of all the certificates +involved in the authorization chain, all the way back to the root. + +$Id$ + +Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC") + +Permission to use, copy, modify, and/or distribute this software for any +purpose with or without fee is hereby granted, provided that the above +copyright notice and this permission notice appear in all copies. + +THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +PERFORMANCE OF THIS SOFTWARE. +""" + +import sys +import subprocess +import rpki.POW + +def filename_to_uri(filename): + if not filename.startswith(sys.argv[1]): + raise ValueError + return "rsync://" + filename[len(sys.argv[1]):].lstrip("/") + +def uri_to_filename(uri): + if not uri.startswith("rsync://"): + raise ValueError + return sys.argv[1] + "/" + uri[len("rsync://"):] + +def get_aia(x): + for i in xrange(x.countExtensions()): + ext = x.getExtension(i) + if ext[0] == "authorityInfoAccess": + return ext[2][ext[2].index("rsync://"):] + return None + +for line in subprocess.check_output(["find_roa"] + sys.argv[1:]).splitlines(): + + words = line.split() + fn = words.pop() + del words[-1] + print " ".join(words) + + x = rpki.POW.derRead(rpki.POW.CMS_MESSAGE, open(fn, "rb").read()).certs()[0] + uri = get_aia(x) + print x.getNotAfter(), filename_to_uri(fn) + + while uri: + fn = uri_to_filename(uri) + x = rpki.POW.derRead(rpki.POW.X509_CERTIFICATE, open(fn, "rb").read()) + print x.getNotAfter(), uri + uri = get_aia(x) + + print |