authorRob Austein <sra@hactrn.net>2014-01-11 00:59:59 +0000
committerRob Austein <sra@hactrn.net>2014-01-11 00:59:59 +0000
commitcaeedc1f0876a4321158853c6aba76c0847999f3 (patch)
treeca995664edf14dcd1c16d472d76e9ea1d26782bb /scripts
parent6bef581590d643b85d65a17080c281b14acf6c61 (diff)
Even more getopt -> argparse. Clean up some old conversion scripts.
svn path=/trunk/; revision=5629
Diffstat (limited to 'scripts')
-rw-r--r--scripts/analyze-rcynic-history.py1
-rw-r--r--scripts/convert-from-csv-to-entitydb.py241
-rw-r--r--scripts/convert-from-entitydb-to-sql.py462
-rw-r--r--scripts/convert-https-to-http.py140
-rw-r--r--scripts/cross_certify.py136
-rw-r--r--scripts/debug-roas.py122
6 files changed, 45 insertions, 1057 deletions
diff --git a/scripts/analyze-rcynic-history.py b/scripts/analyze-rcynic-history.py
index 24a6524e..b72d0741 100644
--- a/scripts/analyze-rcynic-history.py
+++ b/scripts/analyze-rcynic-history.py
@@ -27,7 +27,6 @@ import mailbox
import sys
import urlparse
import os
-import getopt
import datetime
import subprocess
import shelve
diff --git a/scripts/convert-from-csv-to-entitydb.py b/scripts/convert-from-csv-to-entitydb.py
deleted file mode 100644
index bfa85b15..00000000
--- a/scripts/convert-from-csv-to-entitydb.py
+++ /dev/null
@@ -1,241 +0,0 @@
-# $Id$
-#
-# Copyright (C) 2010 Internet Systems Consortium ("ISC")
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-"""
-Convert {parents,children,pubclients}.csv into new XML formats.
-"""
-
-import subprocess
-import re
-import os
-import getopt
-import sys
-import base64
-import urlparse
-import rpki.sundial
-import rpki.myrpki
-import rpki.config
-
-from lxml.etree import Element, SubElement, ElementTree
-
-section_regexp = re.compile("\s*\[\s*(.+?)\s*\]\s*$")
-variable_regexp = re.compile("\s*([-a-zA-Z0-9_]+)(\s*=\s*)(.+?)\s*$")
-
-cfg_file = "rpki.conf"
-template_file = os.path.join(os.path.dirname(sys.argv[0]), "examples", "rpki.conf")
-new_cfg_file = None
-preserve_valid_until = False
-
-opts, argv = getopt.getopt(sys.argv[1:], "c:hn:pt:?", ["config=", "new_config=", "preserve_valid_until", "template_config=", "help"])
-for o, a in opts:
- if o in ("-h", "--help", "-?"):
- print __doc__
- sys.exit(0)
- elif o in ("-c", "--config"):
- cfg_file = a
- elif o in ("-n", "--new_config"):
- new_cfg_file = a
- elif o in ("-p", "--preserve_valid_until"):
- preserve_valid_until = True
- elif o in ("-t", "--template_config"):
- template_file = a
-if argv:
- raise RuntimeError, "Unexpected arguments %r" % (argv,)
-if os.path.samefile(cfg_file, template_file):
- raise RuntimeError, "Old config and template for new config can't be the same file"
-if new_cfg_file is None:
- new_cfg_file = cfg_file + ".new"
-if os.path.exists(new_cfg_file):
- raise RuntimeError, "%s already exists, NOT overwriting" % new_cfg_file
-
-cfg = rpki.config.parser(cfg_file)
-
-# These have no counterparts in new config file, just read them from old
-
-repository_bpki_certificate = cfg.get(option = "repository_bpki_certificate", section = "myrpki")
-repository_handle = cfg.get(option = "repository_handle", section = "myrpki")
-parents_csv = cfg.get(option = "parents_csv", section = "myrpki", default = "parents.csv")
-children_csv = cfg.get(option = "children_csv", section = "myrpki", default = "children.csv")
-pubclients_csv = cfg.get(option = "pubclients_csv", section = "myrpki", default = "pubclients.csv")
-pubd_base = cfg.get(option = "pubd_base", section = "myirbe")
-
-# Here we need to construct values for the new config file from the
-# old one. Basic model here is to look at whatever variables need to
-# be set in the template (mostly just the [myrpki], I hope), pull
-# necessary data from old config file any way we can. Stuff that
-# didn't make the jump from old config file to new we can just ignore,
-# stuff that is automated via macro expansions in the new config file
-# should be ok without modification.
-
-r = {}
-
-if cfg.has_section("myrpki"):
- for i in ("handle", "roa_csv", "prefix_csv", "asn_csv", "xml_filename"):
- r["myrpki", i] = cfg.get(section = "myrpki", option = i)
- r["myrpki", "bpki_resources_directory"] = cfg.get(option = "bpki_directory", section = "myrpki")
-
-if cfg.has_section("myirbe"):
- r["myrpki", "bpki_servers_directory"] = cfg.get(option = "bpki_directory", section = "myirbe")
- r["myrpki", "run_rpkid"] = True
- r["myrpki", "run_pubd"] = cfg.getboolean(option = "want_pubd", section = "myirbe", default = False)
- r["myrpki", "run_rootd"] = cfg.getboolean(option = "want_rootd", section = "myirbe", default = False)
-else:
- for i in ("run_rpkid", "run_pubd", "run_rootd"):
- r["myrpki", i] = False
-
-if cfg.has_section("rpkid"):
- r["myrpki", "rpkid_server_host"] = cfg.get(option = "server-host", section = "rpkid")
- r["myrpki", "rpkid_server_port"] = cfg.get(option = "server-port", section = "rpkid")
-
-if cfg.has_section("irdbd"):
- u = urlparse.urlparse(cfg.get(option = "https-url", section = "irdbd"))
- r["myrpki", "irdbd_server_host"] = u.hostname or "localhost"
- r["myrpki", "irdbd_server_port"] = u.port or 443
-
-if cfg.has_section("pubd"):
- r["myrpki", "pubd_server_host"] = cfg.get(option = "server-host", section = "pubd")
- r["myrpki", "pubd_server_port"] = cfg.get(option = "server-port", section = "pubd")
- r["myrpki", "publication_base_directory"] = cfg.get(option = "publication-base", section = "pubd")
-
-if cfg.has_section("rootd"):
- r["myrpki", "rootd_server_port"] = cfg.get(option = "server-port", section = "rootd")
- u = urlparse.urlparse(cfg.get(option = "rpki-base-uri", section = "rootd"))
- r["myrpki", "publication_rsync_server"] = u.netloc
-
-for i in ("rpkid", "irdbd", "pubd"):
- if cfg.has_section(i):
- for j in ("sql-database", "sql-username", "sql-password"):
- r[i, j] = cfg.get(section = i, option = j)
-
-f = open(new_cfg_file, "w")
-f.write("# Automatically converted from %s using %s as a template.\n\n" % (cfg_file, template_file))
-section = None
-for line in open(template_file):
- m = section_regexp.match(line)
- if m:
- section = m.group(1)
- m = variable_regexp.match(line)
- if m:
- option, whitespace = m.group(1, 2)
- else:
- option = None
- if (section, option) in r:
- line = "%s%s%s\n" % (option, whitespace, r[section, option])
- f.write(line)
-f.close()
-print "Wrote", new_cfg_file
-
-# Get all of these from the new config file; in theory we just set all
-# of them, but we want to use values matching new config in any case.
-
-newcfg = rpki.config.parser(new_cfg_file, "myrpki")
-
-handle = newcfg.get("handle")
-bpki_resources_directory = newcfg.get("bpki_resources_directory")
-bpki_servers_directory = newcfg.get("bpki_servers_directory")
-pubd_server_host = newcfg.get("pubd_server_host")
-pubd_server_port = newcfg.get("pubd_server_port")
-rpkid_server_host = newcfg.get("rpkid_server_host")
-rpkid_server_port = newcfg.get("rpkid_server_port")
-entitydb_dir = newcfg.get("entitydb_dir", "entitydb")
-
-bpki_resources_pemfile = bpki_resources_directory + "/ca.cer"
-bpki_servers_pemfile = bpki_servers_directory + "/ca.cer"
-
-def entitydb(*args):
- return os.path.join(entitydb_dir, *args)
-
-# Now convert the .csv files. It'd be nice to have XML validation
-# enabled for this, so try to turn it on ourselves if the magic
-# environment variable hasn't already been set.
-
-rng_file = os.path.join(os.path.dirname(sys.argv[0]), "myrpki.rng")
-if not os.getenv("MYRPKI_RNG") and os.path.exists(rng_file):
- os.putenv("MYRPKI_RNG", rng_file)
-
-for d in map(entitydb, ("children", "parents", "repositories", "pubclients")):
- if not os.path.exists(d):
- os.makedirs(d)
-
-one_year_from_now = str(rpki.sundial.now() + rpki.sundial.timedelta(days = 365))
-
-if os.path.exists(children_csv):
- for child_handle, valid_until, child_resource_pemfile in rpki.myrpki.csv_reader(children_csv, columns = 3):
- try:
-
- e = Element("parent",
- valid_until = valid_until if preserve_valid_until else one_year_from_now,
- service_uri = "https://%s:%s/up-down/%s/%s" % (rpkid_server_host, rpkid_server_port, handle, child_handle),
- child_handle = child_handle,
- parent_handle = handle)
- rpki.myrpki.PEMElement(e, "bpki_resource_ta", bpki_resources_pemfile)
- rpki.myrpki.PEMElement(e, "bpki_server_ta", bpki_servers_pemfile)
- rpki.myrpki.PEMElement(e, "bpki_child_ta", child_resource_pemfile)
- rpki.myrpki.etree_write(e, entitydb("children", "%s.xml" % child_handle))
-
- except IOError:
- pass
-
-if os.path.exists(parents_csv):
- for parent_handle, parent_service_uri, parent_cms_pemfile, parent_https_pemfile, parent_myhandle, parent_sia_base in rpki.myrpki.csv_reader(parents_csv, columns = 6):
- try:
-
- e = Element("parent",
- valid_until = one_year_from_now,
- service_uri = parent_service_uri,
- child_handle = parent_myhandle,
- parent_handle = parent_handle)
- rpki.myrpki.PEMElement(e, "bpki_resource_ta", parent_cms_pemfile)
- rpki.myrpki.PEMElement(e, "bpki_server_ta", parent_https_pemfile)
- rpki.myrpki.PEMElement(e, "bpki_child_ta", bpki_resources_pemfile)
- rpki.myrpki.etree_write(e, entitydb("parents", "%s.xml" % parent_handle))
-
- client_handle = "/".join(parent_sia_base.rstrip("/").split("/")[3:])
- assert client_handle.startswith(repository_handle)
-
- e = Element("repository",
- parent_handle = parent_handle,
- client_handle = client_handle,
- service_uri = "%s/client/%s" % (pubd_base.rstrip("/"), client_handle),
- sia_base = parent_sia_base,
- type = "confirmed")
- rpki.myrpki.PEMElement(e, "bpki_server_ta", repository_bpki_certificate)
- rpki.myrpki.PEMElement(e, "bpki_client_ta", bpki_resources_pemfile)
- SubElement(e, "contact_info").text = "Automatically generated by convert-csv.py"
- rpki.myrpki.etree_write(e, entitydb("repositories", "%s.xml" % parent_handle))
-
- except IOError:
- pass
-
-if os.path.exists(pubclients_csv):
- for client_handle, client_resource_pemfile, client_sia_base in rpki.myrpki.csv_reader(pubclients_csv, columns = 3):
- try:
-
- parent_handle = client_handle.split("/")[-2] if "/" in client_handle else handle
-
- e = Element("repository",
- parent_handle = parent_handle,
- client_handle = client_handle,
- service_uri = "https://%s:%s/client/%s" % (pubd_server_host, pubd_server_port, client_handle),
- sia_base = client_sia_base,
- type = "confirmed")
- rpki.myrpki.PEMElement(e, "bpki_server_ta", bpki_servers_pemfile)
- rpki.myrpki.PEMElement(e, "bpki_client_ta", client_resource_pemfile)
- SubElement(e, "contact_info").text = "Automatically generated by convert-csv.py"
- rpki.myrpki.etree_write(e, entitydb("pubclients", "%s.xml" % client_handle.replace("/", ".")))
-
- except IOError:
- pass
diff --git a/scripts/convert-from-entitydb-to-sql.py b/scripts/convert-from-entitydb-to-sql.py
deleted file mode 100644
index 5371aa78..00000000
--- a/scripts/convert-from-entitydb-to-sql.py
+++ /dev/null
@@ -1,462 +0,0 @@
-# $Id$
-#
-# Copyright (C) 2011-2012 Internet Systems Consortium ("ISC")
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-"""
-Merge XML entitydb and OpenSSL command-line BPKI into SQL IRDB.
-
-This is a work in progress, don't use it unless you really know what
-you're doing.
-"""
-
-import sys, os, time, getopt, glob, subprocess, base64
-import rpki.config, rpki.x509, rpki.relaxng, rpki.sundial
-from rpki.mysql_import import MySQLdb
-from lxml.etree import ElementTree
-
-cfg_file = "rpki.conf"
-entitydb = "entitydb"
-bpki = "bpki"
-copy_csv_data = True
-force = False
-
-opts, argv = getopt.getopt(sys.argv[1:], "c:fh?", ["config=", "force", "help"])
-for o, a in opts:
- if o in ("-h", "--help", "-?"):
- print __doc__
- sys.exit(0)
- if o in ("-c", "--config"):
- cfg_file = a
- elif o in ("-f", "--force"):
- force = True
-if argv:
- sys.exit("Unexpected arguments %s" % argv)
-
-if not force:
- print """
- WARNING WARNING WARNING
-
- This script attempts to upgrade an existing rpkid instance to
- work with the newer SQL-based back end code. It has worked in
- the handful of cases where we've tested it, but it's dangerous
- and relies heavily on guesses about how your existing instance
- was originally set up. It may not work right. It may not
- work at all. It may turn your cat blue.
-
- Please back up all your data (MySQL databases, bpki/ and
- entitydb/ directories) and configuration (rpki.conf file) before
- running this script.
- """
- while True:
- answer = raw_input("Are you SURE you want to proceed? (yes/NO) ").strip().lower()
- if answer in ("", "n", "no"):
- sys.exit("You have chosen wisely")
- elif answer in ("y", "yes"):
- print "You have been warned"
- break
- else:
- print 'Please answer "yes" or "no"'
-
-cfg = rpki.config.parser(cfg_file)
-
-sql_database = cfg.get("sql-database", section = "irdbd")
-sql_username = cfg.get("sql-username", section = "irdbd")
-sql_password = cfg.get("sql-password", section = "irdbd")
-
-db = MySQLdb.connect(user = sql_username, db = sql_database, passwd = sql_password)
-cur = db.cursor()
-
-# Configure the Django model system
-
-from django.conf import settings
-
-settings.configure(
- DATABASES = { "default" : {
- "ENGINE" : "django.db.backends.mysql",
- "NAME" : sql_database,
- "USER" : sql_username,
- "PASSWORD" : sql_password,
- "HOST" : "",
- "PORT" : "",
- "OPTIONS" : { "init_command": "SET storage_engine=INNODB" }}},
- INSTALLED_APPS = ("rpki.irdb",),
-)
-
-import rpki.irdb
-
-# Create the model-based tables if they don't already exist
-
-import django.core.management
-
-django.core.management.call_command("syncdb", verbosity = 4, load_initial_data = False)
-
-# From here down will be an awful lot of messing about with XML and
-# X.509 data, extracting stuff from the old SQL database and whacking
-# it into the new. Still working out these bits.
-
-xmlns = "{http://www.hactrn.net/uris/rpki/myrpki/}"
-
-tag_authorization = xmlns + "authorization"
-tag_bpki_child_ta = xmlns + "bpki_child_ta"
-tag_bpki_client_ta = xmlns + "bpki_client_ta"
-tag_bpki_resource_ta = xmlns + "bpki_resource_ta"
-tag_bpki_server_ta = xmlns + "bpki_server_ta"
-tag_bpki_ta = xmlns + "bpki_ta"
-tag_contact_info = xmlns + "contact_info"
-tag_identity = xmlns + "identity"
-tag_parent = xmlns + "parent"
-tag_repository = xmlns + "repository"
-
-def read_element_tree(filename, tag):
- print "Reading file %s, tag %s" % (filename, tag)
- e = ElementTree(file = filename).getroot()
- rpki.relaxng.myrpki.assertValid(e)
- assert e.tag == tag
- return e
-
-e = read_element_tree(os.path.join(entitydb, "identity.xml"), tag_identity)
-
-self_handle = e.get("handle")
-assert self_handle == cfg.get("handle", section = "myrpki")
-
-# Some BPKI utillity routines
-
-def read_openssl_serial(filename):
- f = open(filename, "r")
- text = f.read()
- f.close()
- return int(text.strip(), 16)
-
-def get_or_create_ServerEE(issuer, purpose):
- cer = rpki.x509.X509(Auto_file = os.path.join(bpki, "servers", purpose + ".cer"))
- key = rpki.x509.RSA(Auto_file = os.path.join(bpki, "servers", purpose + ".key"))
- rpki.irdb.ServerEE.objects.get_or_create(
- issuer = issuer,
- purpose = purpose,
- certificate = cer,
- private_key = key)
-
-# Load BPKI CAs and directly certified EEs
-
-cer = rpki.x509.X509(Auto_file = os.path.join(bpki, "resources", "ca.cer"))
-key = rpki.x509.RSA(Auto_file = os.path.join(bpki, "resources", "ca.key"))
-crl = rpki.x509.CRL(Auto_file = os.path.join(bpki, "resources", "ca.crl"))
-serial = read_openssl_serial(os.path.join(bpki, "resources", "serial"))
-crl_number = read_openssl_serial(os.path.join(bpki, "resources", "crl_number"))
-
-resource_ca = rpki.irdb.ResourceHolderCA.objects.get_or_create(
- handle = self_handle,
- certificate = cer,
- private_key = key,
- latest_crl = crl,
- next_serial = serial,
- next_crl_number = crl_number,
- last_crl_update = crl.getThisUpdate().to_sql(),
- next_crl_update = crl.getNextUpdate().to_sql())[0]
-
-if os.path.exists(os.path.join(bpki, "resources", "referral.cer")):
- cer = rpki.x509.X509(Auto_file = os.path.join(bpki, "resources", "referral.cer"))
- key = rpki.x509.RSA(Auto_file = os.path.join(bpki, "resources", "referral.key"))
- rpki.irdb.Referral.objects.get_or_create(
- issuer = resource_ca,
- certificate = cer,
- private_key = key)
-
-run_rpkid = cfg.getboolean("run_rpkid", section = "myrpki")
-run_pubd = cfg.getboolean("run_pubd", section = "myrpki")
-run_rootd = cfg.getboolean("run_rootd", section = "myrpki")
-
-if run_rpkid or run_pubd:
- cer = rpki.x509.X509(Auto_file = os.path.join(bpki, "servers", "ca.cer"))
- key = rpki.x509.RSA(Auto_file = os.path.join(bpki, "servers", "ca.key"))
- crl = rpki.x509.CRL(Auto_file = os.path.join(bpki, "servers", "ca.crl"))
- serial = read_openssl_serial(os.path.join(bpki, "servers", "serial"))
- crl_number = read_openssl_serial(os.path.join(bpki, "servers", "crl_number"))
- server_ca = rpki.irdb.ServerCA.objects.get_or_create(
- certificate = cer,
- private_key = key,
- latest_crl = crl,
- next_serial = serial,
- next_crl_number = crl_number,
- last_crl_update = crl.getThisUpdate().to_sql(),
- next_crl_update = crl.getNextUpdate().to_sql())[0]
- get_or_create_ServerEE(server_ca, "irbe")
-
-else:
- server_ca = None
-
-if run_rpkid:
- get_or_create_ServerEE(server_ca, "rpkid")
- get_or_create_ServerEE(server_ca, "irdbd")
-
-if run_pubd:
- get_or_create_ServerEE(server_ca, "pubd")
-
-# Certification model for rootd has changed. We can reuse the old
-# key, but we have to recertify under a different CA than previously.
-# Yes, we're pulling a key from the servers BPKI tree and certifying
-# it under the resource holder CA, that's part of the change.
-
-if run_rootd:
- rpki.irdb.Rootd.objects.get_or_certify(
- issuer = resource_ca,
- service_uri = "http://localhost:%s/" % cfg.get("rootd_server_port", section = "myrpki"),
- private_key = rpki.x509.RSA(Auto_file = os.path.join(bpki, "servers", "rootd.key")))
-
-# Load BSC certificates and requests. Yes, this currently wires in
-# exactly one BSC handle, "bsc". So does the old myrpki code. Ick.
-
-for fn in glob.iglob(os.path.join(bpki, "resources", "bsc.*.cer")):
- rpki.irdb.BSC.objects.get_or_create(
- issuer = resource_ca,
- handle = "bsc",
- certificate = rpki.x509.X509(Auto_file = fn),
- pkcs10 = rpki.x509.PKCS10(Auto_file = fn[:-4] + ".req"))
-
-def xcert_hash(cert):
- """
- Generate the filename hash that myrpki would have generated for a
- cross-certification. This is nasty, don't look.
- """
-
- cmd1 = ("openssl", "x509", "-noout", "-pubkey", "-subject")
- cmd2 = ("openssl", "dgst", "-md5")
-
- env = { "PATH" : os.environ["PATH"], "OPENSSL_CONF" : "/dev/null" }
- p1 = subprocess.Popen(cmd1, env = env, stdin = subprocess.PIPE, stdout = subprocess.PIPE)
- p2 = subprocess.Popen(cmd2, env = env, stdin = p1.stdout, stdout = subprocess.PIPE)
- p1.stdin.write(cert.get_PEM())
- p1.stdin.close()
- hash = p2.stdout.read()
- if p1.wait() != 0:
- raise subprocess.CalledProcessError(returncode = p1.returncode, cmd = cmd1)
- if p2.wait() != 0:
- raise subprocess.CalledProcessError(returncode = p2.returncode, cmd = cmd2)
-
- hash = "".join(hash.split())
- if hash.startswith("(stdin)="):
- hash = hash[len("(stdin)="):]
- return hash
-
-# Let's try keeping track of all the xcert filenames we use, so we can
-# list the ones we didn't.
-
-xcert_filenames = set(glob.iglob(os.path.join(bpki, "*", "xcert.*.cer")))
-
-# Scrape child data out of the entitydb.
-
-for filename in glob.iglob(os.path.join(entitydb, "children", "*.xml")):
- child_handle = os.path.splitext(os.path.split(filename)[1])[0]
-
- e = read_element_tree(filename, tag_parent)
-
- ta = rpki.x509.X509(Base64 = e.findtext(tag_bpki_child_ta))
- xcfn = os.path.join(bpki, "resources", "xcert.%s.cer" % xcert_hash(ta))
- xcert_filenames.discard(xcfn)
- xcert = rpki.x509.X509(Auto_file = xcfn)
-
- cur.execute("""
- SELECT registrant_id, valid_until FROM registrant
- WHERE registry_handle = %s AND registrant_handle = %s
- """, (self_handle, child_handle))
- assert cur.rowcount == 1
- registrant_id, valid_until = cur.fetchone()
-
- valid_until = rpki.sundial.datetime.fromdatetime(valid_until)
- if valid_until != rpki.sundial.datetime.fromXMLtime(e.get("valid_until")):
- print "WARNING: valid_until dates in XML and SQL do not match for child", child_handle
- print " SQL:", str(valid_until)
- print " XML:", str(rpki.sundial.datetime.fromXMLtime(e.get("valid_until")))
- print "Blundering onwards"
-
- child = rpki.irdb.Child.objects.get_or_create(
- handle = child_handle,
- valid_until = valid_until.to_sql(),
- ta = ta,
- certificate = xcert,
- issuer = resource_ca)[0]
-
- if copy_csv_data:
-
- cur.execute("""
- SELECT start_as, end_as FROM registrant_asn WHERE registrant_id = %s
- """, (registrant_id,))
- for start_as, end_as in cur.fetchall():
- rpki.irdb.ChildASN.objects.get_or_create(
- start_as = start_as,
- end_as = end_as,
- child = child)
-
- cur.execute("""
- SELECT start_ip, end_ip, version FROM registrant_net WHERE registrant_id = %s
- """, (registrant_id,))
- for start_ip, end_ip, version in cur.fetchall():
- rpki.irdb.ChildNet.objects.get_or_create(
- start_ip = start_ip,
- end_ip = end_ip,
- version = version,
- child = child)
-
-# Scrape parent data out of the entitydb.
-
-for filename in glob.iglob(os.path.join(entitydb, "parents", "*.xml")):
- parent_handle = os.path.splitext(os.path.split(filename)[1])[0]
-
- e = read_element_tree(filename, tag_parent)
-
- if parent_handle == self_handle:
- assert run_rootd
- assert e.get("service_uri") == "http://localhost:%s/" % cfg.get("rootd_server_port", section = "myrpki")
- continue
-
- ta = rpki.x509.X509(Base64 = e.findtext(tag_bpki_resource_ta))
- xcfn = os.path.join(bpki, "resources", "xcert.%s.cer" % xcert_hash(ta))
- xcert_filenames.discard(xcfn)
- xcert = rpki.x509.X509(Auto_file = xcfn)
-
- r = e.find(tag_repository)
- repository_type = r.get("type")
- if repository_type == "referral":
- a = r.find(tag_authorization)
- referrer = a.get("referrer")
- referral_authorization = base64.b64decode(a.text)
- else:
- referrer = None
- referral_authorization = None
-
- parent = rpki.irdb.Parent.objects.get_or_create(
- handle = parent_handle,
- parent_handle = e.get("parent_handle"),
- child_handle = e.get("child_handle"),
- ta = ta,
- certificate = xcert,
- service_uri = e.get("service_uri"),
- repository_type = repository_type,
- referrer = referrer,
- referral_authorization = referral_authorization,
- issuer = resource_ca)[0]
-
- # While we have the parent object in hand, load any Ghostbuster
- # entries specific to this parent.
-
- if copy_csv_data:
- cur.execute("""
- SELECT vcard FROM ghostbuster_request
- WHERE self_handle = %s AND parent_handle = %s
- """, (self_handle, parent_handle))
- for row in cur.fetchall():
- rpki.irdb.GhostbusterRequest.objects.get_or_create(
- issuer = resource_ca,
- parent = parent,
- vcard = row[0])
-
-# Scrape repository data out of the entitydb.
-
-for filename in glob.iglob(os.path.join(entitydb, "repositories", "*.xml")):
- repository_handle = os.path.splitext(os.path.split(filename)[1])[0]
-
- e = read_element_tree(filename, tag_repository)
-
- if e.get("type") != "confirmed":
- continue
-
- ta = rpki.x509.X509(Base64 = e.findtext(tag_bpki_server_ta))
- xcfn = os.path.join(bpki, "resources", "xcert.%s.cer" % xcert_hash(ta))
- xcert_filenames.discard(xcfn)
- xcert = rpki.x509.X509(Auto_file = xcfn)
-
- parent_handle = e.get("parent_handle")
- if parent_handle == self_handle:
- turtle = resource_ca.rootd
- else:
- turtle = rpki.irdb.Parent.objects.get(handle = parent_handle, issuer = resource_ca)
-
- rpki.irdb.Repository.objects.get_or_create(
- handle = repository_handle,
- client_handle = e.get("client_handle"),
- ta = ta,
- certificate = xcert,
- service_uri = e.get("service_uri"),
- sia_base = e.get("sia_base"),
- turtle = turtle,
- issuer = resource_ca)
-
-# Scrape client data out of the entitydb.
-
-for filename in glob.iglob(os.path.join(entitydb, "pubclients", "*.xml")):
- client_handle = os.path.splitext(os.path.split(filename)[1])[0].replace(".", "/")
-
- e = read_element_tree(filename, tag_repository)
-
- assert e.get("type") == "confirmed"
-
- ta = rpki.x509.X509(Base64 = e.findtext(tag_bpki_client_ta))
- xcfn = os.path.join(bpki, "servers", "xcert.%s.cer" % xcert_hash(ta))
- xcert_filenames.discard(xcfn)
- xcert = rpki.x509.X509(Auto_file = xcfn)
-
- rpki.irdb.Client.objects.get_or_create(
- handle = client_handle,
- ta = ta,
- certificate = xcert,
- issuer = server_ca,
- sia_base = e.get("sia_base"))
-
-if copy_csv_data:
-
- # Copy over any ROA requests
-
- cur.execute("""
- SELECT roa_request_id, asn FROM roa_request
- WHERE roa_request_handle = %s
- """, (self_handle,))
- for roa_request_id, asn in cur.fetchall():
- roa_request = rpki.irdb.ROARequest.objects.get_or_create(issuer = resource_ca, asn = asn)[0]
- cur.execute("""
- SELECT prefix, prefixlen, max_prefixlen, version FROM roa_request_prefix
- WHERE roa_request_id = %s
- """, (roa_request_id,))
- for prefix, prefixlen, max_prefixlen, version in cur.fetchall():
- rpki.irdb.ROARequestPrefix.objects.get_or_create(
- roa_request = roa_request,
- version = version,
- prefix = prefix,
- prefixlen = prefixlen,
- max_prefixlen = max_prefixlen)
-
- # Copy over any non-parent-specific Ghostbuster requests.
-
- cur.execute("""
- SELECT vcard FROM ghostbuster_request
- WHERE self_handle = %s AND parent_handle IS NULL
- """, (self_handle,))
- for row in cur.fetchall():
- rpki.irdb.GhostbusterRequest.objects.get_or_create(
- issuer = resource_ca,
- parent = None,
- vcard = row[0])
-
-# List cross certifications we didn't use.
-
-if False:
- for filename in sorted(xcert_filenames):
- cer = rpki.x509.X509(Auto_file = filename)
- #print "Unused cross-certificate:", filename, cer.getSubject()
- print "Unused cross-certificate:", filename, cer.get_POW().pprint()
-
-# Done!
-
-cur.close()
-db.close()
diff --git a/scripts/convert-https-to-http.py b/scripts/convert-https-to-http.py
deleted file mode 100644
index a6411e53..00000000
--- a/scripts/convert-https-to-http.py
+++ /dev/null
@@ -1,140 +0,0 @@
-# $Id$
-#
-# Copyright (C) 2010-2011 Internet Systems Consortium ("ISC")
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-"""
-Conversion tool for flag day on which we rip TLS (HTTPS) support out
-of rpkid and friends.
-
-Usage: python convert-https-to-http.py [ { -c | --config } configfile ]
- [ { -e | --entitydb } entitydbdir ]
- [ { -h | --help } ]
-
-Default configuration file is rpki.conf, override with --config option.
-"""
-
-import getopt
-import sys
-import os
-import warnings
-import lxml.etree
-import rpki.config
-
-cfg_file = "rpki.conf"
-entitydb_dir = "entitydb"
-convert_sql = True
-
-opts, argv = getopt.getopt(sys.argv[1:], "c:e:h?", ["config=", "entitydb=", "help"])
-for o, a in opts:
- if o in ("-h", "--help", "-?"):
- print __doc__
- sys.exit(0)
- elif o in ("-c", "--config"):
- cfg_file = a
- elif o in ("-e", "--entitydb"):
- entitydb_dir = a
-if argv:
- sys.exit("Unexpected arguments %s" % argv)
-
-print "Checking", cfg_file
-f = open(cfg_file + ".new", "w")
-for line in open(cfg_file, "r"):
- cmd, sep, comment = line.partition("#")
- if "https" in cmd:
- line = cmd.replace("https", "http") + sep + comment
- print "Rewrote line:", " ".join(line.split())
- f.write(line)
-f.close()
-os.rename(cfg_file + ".new", cfg_file)
-
-def localname(s):
- return s.partition("}")[-1]
-
-for root, dirs, files in os.walk(entitydb_dir):
- for filename in files:
- if filename.endswith(".xml"):
- filename = os.path.join(root, filename)
- print "Checking", filename
- tree = lxml.etree.ElementTree(file = filename)
- changed = False
- for e in tree.getiterator():
- p = e.getparent()
- if (e.tag in ("{http://www.hactrn.net/uris/rpki/myrpki/}bpki_https_cert",
- "{http://www.hactrn.net/uris/rpki/myrpki/}bpki_https_glue",
- "{http://www.hactrn.net/uris/rpki/myrpki/}bpki_https_certificate") or
- (e.tag == "{http://www.hactrn.net/uris/rpki/myrpki/}bpki_server_ta" and
- p.tag == "{http://www.hactrn.net/uris/rpki/myrpki/}parent")):
- print "Deleting element %s/%s" % (localname(p.tag), localname(e.tag))
- p.remove(e)
- changed = True
- continue
- for k, v in e.items():
- if v.startswith("https://"):
- e.set(k, v.replace("https://", "http://"))
- print "Rewrote attribute %s/@%s to %s" % (localname(e.tag), k, e.get(k))
- changed = True
- if changed:
- tree.write(filename + ".new")
- os.rename(filename + ".new", filename)
-
-
-# Automatic conversion of SQL is particularly dangerous, so we only do it on request
-
-if convert_sql:
-
- from rpki.mysql_import import MySQLdb
-
- cfg = rpki.config.parser(cfg_file, "myrpki")
-
- print "Converting SQL tables"
-
- def do_sql(section, *cmds):
- if cfg.getboolean("run_" + section):
- db = MySQLdb.connect(user = cfg.get("sql-username", section = section),
- db = cfg.get("sql-database", section = section),
- passwd = cfg.get("sql-password", section = section))
- cur = db.cursor()
- ok = True
- for cmd in cmds:
- try:
- print "SQL[%s]: %s" % (section, cmd)
- cur.execute(cmd)
- except MySQLdb.Error, e:
- print str(e)
- ok = False
- if ok:
- print "SQL[%s]: Comitting" % section
- db.commit()
- else:
- print "SQL[%s]: NOT comitting due to previous errors" % section
- db.close()
-
-
- do_sql("rpkid",
- "ALTER TABLE repository ADD COLUMN last_cms_timestamp DATETIME",
- "ALTER TABLE parent ADD COLUMN last_cms_timestamp DATETIME",
- "ALTER TABLE parent DROP COLUMN bpki_https_cert",
- "ALTER TABLE parent DROP COLUMN bpki_https_glue",
- "ALTER TABLE child ADD COLUMN last_cms_timestamp DATETIME",
- "ALTER TABLE ca CHANGE COLUMN parent_id parent_id BIGINT UNSIGNED NOT NULL")
-
- do_sql("pubd",
- "ALTER TABLE client ADD COLUMN last_cms_timestamp DATETIME")
-
-
-print """
-Done. Don't forget to run "myrpki configure_daemons" (with whatever arguments you usually
-give it) to push changed URLs and so forth into rpkid et al.
-"""
diff --git a/scripts/cross_certify.py b/scripts/cross_certify.py
index c696923c..fab7743b 100644
--- a/scripts/cross_certify.py
+++ b/scripts/cross_certify.py
@@ -1,120 +1,74 @@
# $Id$
#
-# Copyright (C) 2009-2011 Internet Systems Consortium ("ISC")
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-#
+# Copyright (C) 2014 Dragon Research Labs ("DRL")
+# Portions copyright (C) 2009--2012 Internet Systems Consortium ("ISC")
# Portions copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
+# copyright notices and this permission notice appear in all copies.
#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
+# THE SOFTWARE IS PROVIDED "AS IS" AND DRL, ISC, AND ARIN DISCLAIM ALL
+# WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DRL,
+# ISC, OR ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+# CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+# OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
"""
Cross-certification tool to issue a new certificate based on an old
one that was issued by somebody else. The point of the exercise is to
end up with a valid certificate in our own BPKI which has the same
subject name and subject public key as the one we're replacing.
-
-Usage: python cross_certify.py { -i | --in } input_cert
- { -c | --ca } issuing_cert
- { -k | --key } issuing_cert_key
- { -s | --serial } serial_filename
- [ { -h | --help } ]
- [ { -o | --out } filename (default: stdout) ]
- [ { -l | --lifetime } timedelta (default: 30 days) ]
-
"""
-import os, time, getopt, sys, rpki.x509, rpki.sundial
+import os
+import sys
+import time
+import argparse
+import rpki.x509
+import rpki.sundial
os.environ["TZ"] = "UTC"
time.tzset()
-def usage(errmsg = None):
- if errmsg is None:
- sys.stdout.write(__doc__)
- sys.exit(0)
- else:
- sys.stderr.write(errmsg + "\n" + __doc__)
- sys.exit(1)
-
-child = None
-parent = None
-keypair = None
-serial_file = None
-lifetime = rpki.sundial.timedelta(days = 30)
-output = None
-
-opts, argv = getopt.getopt(sys.argv[1:], "h?i:o:c:k:s:l:",
- ["help", "in=", "out=", "ca=",
- "key=", "serial=", "lifetime="])
-for o, a in opts:
- if o in ("-h", "--help", "-?"):
- usage()
- elif o in ("-i", "--in"):
- child = rpki.x509.X509(Auto_file = a)
- elif o in ("-o", "--out"):
- output = a
- elif o in ("-c", "--ca"):
- parent = rpki.x509.X509(Auto_file = a)
- elif o in ("-k", "--key"):
- keypair = rpki.x509.RSA(Auto_file = a)
- elif o in ("-s", "--serial"):
- serial_file = a
- elif o in ("-l", "--lifetime"):
- lifetime = rpki.sundial.timedelta.parse(a)
-
-if argv:
- usage("Unused arguments: %r" % argv)
-elif child is None:
- usage("--in not specified")
-elif parent is None:
- usage("--ca not specified")
-elif keypair is None:
- usage("--key not specified")
-elif serial_file is None:
- usage("--serial not specified")
+parser = argparse.ArgumentParser(description = __doc__)
+parser.add_argument("-i", "--in", required = True, dest = "input",
+ type = lambda s: rpki.x509.X509(Auto_file = s),
+ help = "input certificate")
+parser.add_argument("-c", "--ca", required = True,
+ type = lambda s: rpki.x509.X509(Auto_file = s),
+ help = "issuing certificate")
+parser.add_argument("-k", "--key", required = True,
+ type = lambda s: rpki.x509.RSA(Auto_file = s),
+ help = "private key of issuing certificate")
+parser.add_argument("-s", "--serial", required = True,
+ help = "serial number file")
+parser.add_argument("-o", "--out",
+ help = "output filename")
+parser.add_argument("-l", "--lifetime",
+ type = rpki.sundial.timedelta, default = "30d",
+ help = "lifetime of generated certificate")
+args = parser.parse_args()
now = rpki.sundial.now()
-notAfter = now + lifetime
+notAfter = now + args.lifetime
try:
- f = open(serial_file, "r")
- serial = f.read()
- f.close()
- serial = int(serial.splitlines()[0], 16)
+ with open(args.serial, "r") as f:
+ serial = int(f.read().splitlines()[0], 16)
except IOError:
serial = 1
-cert = parent.cross_certify(keypair, child, serial, notAfter, now)
+cert = args.ca.cross_certify(args.key, args.input, serial, notAfter, now)
-f = open(serial_file, "w")
-f.write("%02x\n" % (serial + 1))
-f.close()
+with open(args.serial, "w") as f:
+ f.write("%02x\n" % (serial + 1))
-if output is None:
- print cert.get_PEM()
+if args.out is None:
+ sys.stdout.write(cert.get_PEM())
else:
- f = open(output, "w")
- f.write(cert.get_PEM())
- f.close()
-
+ with open(args.out, "w") as f:
+ f.write(cert.get_PEM())
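Review bot: The serial-file fallback at `except IOError:` on the new side (the `with open(args.serial, "r")` block) is broader than "file does not exist yet": a permission error or transient I/O failure is also an IOError, and the script would then issue a certificate with serial 1 and rewrite the file with 2, reusing serial numbers already issued under this CA. Restricting the fallback to the missing-file case keeps the first-run behaviour while making every other failure loud: `except IOError as e:` / `    if e.errno != errno.ENOENT: raise` / `    serial = 1` (with `import errno` added to the import block). An empty or malformed serial file still surfaces as an IndexError/ValueError traceback rather than a message, which is at least fail-safe rather than fail-open. Separately, `--lifetime` now passes `rpki.sundial.timedelta` itself as the argparse `type` where the removed code called `rpki.sundial.timedelta.parse(a)`; unless the constructor accepts the `"30d"` string form, `type = rpki.sundial.timedelta.parse` is the safer spelling, and the help text could state the accepted format, e.g. `help = "lifetime of generated certificate (e.g. 30d)"`.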
diff --git a/scripts/debug-roas.py b/scripts/debug-roas.py
deleted file mode 100644
index 689f9870..00000000
--- a/scripts/debug-roas.py
+++ /dev/null
@@ -1,122 +0,0 @@
-# $Id$
-#
-# Copyright (C) 2009-2010 Internet Systems Consortium ("ISC")
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-#
-# Portions copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-"""
-Debugging tool for chasing a particular weird ROA problem. Dumps
-contents of roa objects from SQL. Dog ugly, do not read output
-without a welding helmet.
-
-Usage: python debug-roas.py [ { -c | --config } configfile ]
- [ { -h | --help } ]
-
-Default configuration file is rpkid.conf, override with --config option.
-"""
-
-import os
-import time
-import getopt
-import sys
-import re
-import rpki.sql
-import rpki.config
-import rpki.log
-import rpki.resource_set
-import rpki.rpki_engine
-import rpki.left_right
-
-class main(object):
-
- _afi_map = dict((cls.resource_set_type.afi, cls)
- for cls in (rpki.resource_set.roa_prefix_set_ipv4,
- rpki.resource_set.roa_prefix_set_ipv6))
-
- def __init__(self):
-
- os.environ["TZ"] = "UTC"
- time.tzset()
-
- rpki.log.use_syslog = False
- rpki.log.init("debug-roas")
-
- cfg_file = "rpkid.conf"
- verbose = 0
-
- opts, argv = getopt.getopt(sys.argv[1:], "c:hv?", ["config=", "help", "verbose"])
- for o, a in opts:
- if o in ("-h", "--help", "-?"):
- print __doc__
- sys.exit(0)
- elif o in ("-c", "--config"):
- cfg_file = a
- elif o in ("-v", "--verbose"):
- verbose += 1
- if argv:
- raise rpki.exceptions.CommandParseFailure, "Unexpected arguments %s" % argv
-
- self.sql = rpki.sql.session(rpki.config.parser(cfg_file, "rpkid"))
-
- for s in rpki.left_right.self_elt.sql_fetch_all(self):
- print "Examining <self self_handle=%r/>" % s.self_handle
- for r in s.roas():
-
- v4 = r.ipv4.to_resource_set() if r.ipv4 is not None else rpki.resource_set.resource_set_ipv4()
- v6 = r.ipv6.to_resource_set() if r.ipv6 is not None else rpki.resource_set.resource_set_ipv6()
- print " Found ROA %r %s" % (r, "<%s %s>" % (r.asn, ("%s,%s" % (v4, v6)).strip(",")))
-
- if r.roa is None:
- print " No CMS object"
- if verbose:
- print
- elif verbose:
- if verbose > 1:
- print " %s" % r.roa.get_POW().pprint()
- print " asID %s" % (r.roa.extract().asID.get(),)
- for f in r.roa.get_content().ipAddrBlocks:
- t = self._afi_map[f.addressFamily.get()].resource_set_type.range_type.datum_type
- for a in f.addresses:
- p = a.address.get()
- l = len(p)
- p = t(rpki.resource_set._bs2long(p, t.bits, 0))
- m = a.maxLength.get()
- if m is None or m == l:
- print " %s/%s" % (p, l)
- else:
- print " %s/%s-%s" % (p, l, m)
- print
-
- if r.cert is None:
- print " No EE certificate"
- if verbose:
- print
- elif verbose > 1:
- print " EE %s" % r.cert.get_POW().pprint()
-
-
-main()