Diffstat (limited to 'rp/config/rpki-generate-root-certificate')
-rwxr-xr-x | rp/config/rpki-generate-root-certificate | 77 |
1 files changed, 77 insertions, 0 deletions
diff --git a/rp/config/rpki-generate-root-certificate b/rp/config/rpki-generate-root-certificate
new file mode 100755
index 00000000..10b8b194
--- /dev/null
+++ b/rp/config/rpki-generate-root-certificate
@@ -0,0 +1,77 @@
+#!/usr/bin/env python
+
+"""
+Generate an RPKI root certificate for rootd. In most cases you should
+not need to do this; see caveats in the manual about running rootd if
+you think you need this. This script does nothing that can't also be
+done with the OpenSSL command line tool, but on some platforms the
+installed copy of openssl doesn't understand the RFC 3779 extensions.
+"""
+
+import os
+import sys
+import pwd
+import time
+import rpki.x509
+import rpki.config
+import rpki.sundial
+import rpki.autoconf
+import rpki.resource_set
+
+os.environ["TZ"] = "UTC"
+time.tzset()
+
+cfg = rpki.config.argparser(section = "rootd", doc = __doc__)
+
+default_certfile = cfg.get("rpki-root-cert-file", "root.cer")
+default_keyfile = cfg.get("rpki-root-key-file", "root.key")
+default_talfile = os.path.splitext(default_certfile)[0] + ".tal"
+
+cfg.argparser.add_argument("-a", "--asns", help = "ASN resources", default = "0-4294967295")
+cfg.argparser.add_argument("-4", "--ipv4", help = "IPv4 resources", default = "0.0.0.0/0")
+cfg.argparser.add_argument("-6", "--ipv6", help = "IPv6 resources", default = "::/0")
+cfg.argparser.add_argument("--certificate", help = "certificate file", default = default_certfile)
+cfg.argparser.add_argument("--key", help = "key file", default = default_keyfile)
+cfg.argparser.add_argument("--tal", help = "TAL file", default = default_talfile)
+
+args = cfg.argparser.parse_args()
+
+resources = rpki.resource_set.resource_bag(
+ asn = args.asns,
+ v4 = args.ipv4,
+ v6 = args.ipv6)
+
+keypair = rpki.x509.RSA.generate(quiet = True)
+
+sia = (cfg.get("rpki_base_uri") + "/",
+ cfg.get("rpki-root-manifest-uri"),
+ None,
+ cfg.get("publication_rrdp_notification_uri", section = "myrpki"))
+
+uris = (cfg.get("rpki-root-cert-uri"),
+ cfg.get("publication_rrdp_base_uri", section = "myrpki") + "root.cer")
+
+cert = rpki.x509.X509.self_certify(
+ keypair = keypair,
+ subject_key = keypair.get_public(),
+ serial = 1,
+ sia = sia,
+ notAfter = rpki.sundial.now() + rpki.sundial.timedelta(days = 365),
+ resources = resources)
+
+with open(args.certificate, "wb") as f:
+ f.write(cert.get_DER())
+
+with open(args.tal, "w") as f:
+ for uri in uris:
+ f.write(uri + "\n")
+ f.write(keypair.get_public().get_Base64())
+
+with os.fdopen(os.open(args.key, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0400), "w") as f:
+ f.write(keypair.get_DER())
+
+try:
+ pw = pwd.getpwnam(rpki.autoconf.RPKI_USER)
+ os.chown(args.key, pw.pw_uid, pw.pw_gid)
+except:
+ pass |
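Review bot: The bare `except: pass` at the end of the hunk hides every failure of the chown step, so an unknown RPKI_USER (KeyError) or a permission error leaves the freshly written root key owned by the invoking user with no indication to the operator, and the bare clause also swallows KeyboardInterrupt and SystemExit. Narrowing it and reporting keeps the best-effort behaviour while making the outcome visible, e.g. `except (KeyError, OSError) as e:` followed by `sys.stderr.write("Warning: could not chown %s to %s: %s\n" % (args.key, rpki.autoconf.RPKI_USER, e))`, which also gives the currently unused `import sys` a purpose. Separately, the `os.open(..., O_CREAT | O_TRUNC, 0400)` call applies the 0400 mode only when the file is created, so an existing key file with wider permissions is silently overwritten in place and keeps those permissions; since this is a root key, either opening with `os.O_EXCL` so an existing key is never clobbered, or calling `os.fchmod(f.fileno(), 0400)` before writing, would be worth a comment or a change. The `0400` literal is Python 2 octal syntax; `0o400` means the same on 2.6+ and survives a move to Python 3.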