Diffstat (limited to 'scripts/cross_certify.py')
-rw-r--r-- | scripts/cross_certify.py | 136 |
1 files changed, 45 insertions, 91 deletions
diff --git a/scripts/cross_certify.py b/scripts/cross_certify.py
index c696923c..fab7743b 100644
--- a/scripts/cross_certify.py
+++ b/scripts/cross_certify.py
@@ -1,120 +1,74 @@
 # $Id$
 #
-# Copyright (C) 2009-2011 Internet Systems Consortium ("ISC")
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-#
+# Copyright (C) 2014 Dragon Research Labs ("DRL")
+# Portions copyright (C) 2009--2012 Internet Systems Consortium ("ISC")
 # Portions copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
+# copyright notices and this permission notice appear in all copies.
 #
-# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
+# THE SOFTWARE IS PROVIDED "AS IS" AND DRL, ISC, AND ARIN DISCLAIM ALL
+# WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS.
IN NO EVENT SHALL DRL, +# ISC, OR ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR +# CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS +# OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, +# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION +# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. """ Cross-certification tool to issue a new certificate based on an old one that was issued by somebody else. The point of the exercise is to end up with a valid certificate in our own BPKI which has the same subject name and subject public key as the one we're replacing. - -Usage: python cross_certify.py { -i | --in } input_cert - { -c | --ca } issuing_cert - { -k | --key } issuing_cert_key - { -s | --serial } serial_filename - [ { -h | --help } ] - [ { -o | --out } filename (default: stdout) ] - [ { -l | --lifetime } timedelta (default: 30 days) ] - """ -import os, time, getopt, sys, rpki.x509, rpki.sundial +import os +import sys +import time +import argparse +import rpki.x509 +import rpki.sundial os.environ["TZ"] = "UTC" time.tzset() -def usage(errmsg = None): - if errmsg is None: - sys.stdout.write(__doc__) - sys.exit(0) - else: - sys.stderr.write(errmsg + "\n" + __doc__) - sys.exit(1) - -child = None -parent = None -keypair = None -serial_file = None -lifetime = rpki.sundial.timedelta(days = 30) -output = None - -opts, argv = getopt.getopt(sys.argv[1:], "h?i:o:c:k:s:l:", - ["help", "in=", "out=", "ca=", - "key=", "serial=", "lifetime="]) -for o, a in opts: - if o in ("-h", "--help", "-?"): - usage() - elif o in ("-i", "--in"): - child = rpki.x509.X509(Auto_file = a) - elif o in ("-o", "--out"): - output = a - elif o in ("-c", "--ca"): - parent = rpki.x509.X509(Auto_file = a) - elif o in ("-k", "--key"): - keypair = rpki.x509.RSA(Auto_file = a) - elif o in ("-s", "--serial"): - serial_file = a - elif o in ("-l", "--lifetime"): - lifetime = rpki.sundial.timedelta.parse(a) - -if argv: - usage("Unused arguments: %r" % argv) -elif 
child is None:
- usage("--in not specified")
-elif parent is None:
- usage("--ca not specified")
-elif keypair is None:
- usage("--key not specified")
-elif serial_file is None:
- usage("--serial not specified")
+parser = argparse.ArgumentParser(description = __doc__)
+parser.add_argument("-i", "--in", required = True, dest = "input",
+ type = lambda s: rpki.x509.X509(Auto_file = s),
+ help = "input certificate")
+parser.add_argument("-c", "--ca", required = True,
+ type = lambda s: rpki.x509.X509(Auto_file = s),
+ help = "issuing certificate")
+parser.add_argument("-k", "--key", required = True,
+ type = lambda s: rpki.x509.RSA(Auto_file = s),
+ help = "private key of issuing certificate")
+parser.add_argument("-s", "--serial", required = True,
+ help = "serial number file")
+parser.add_argument("-o", "--out",
+ help = "output filename")
+parser.add_argument("-l", "--lifetime",
+ type = rpki.sundial.timedelta, default = "30d",
+ help = "lifetime of generated certificate")
+args = parser.parse_args()
 now = rpki.sundial.now()
-notAfter = now + lifetime
+notAfter = now + args.lifetime
 try:
- f = open(serial_file, "r")
- serial = f.read()
- f.close()
- serial = int(serial.splitlines()[0], 16)
+ with open(args.serial, "r") as f:
+ serial = int(f.read().splitlines()[0], 16)
 except IOError:
 serial = 1
-cert = parent.cross_certify(keypair, child, serial, notAfter, now)
+cert = args.ca.cross_certify(args.key, args.input, serial, notAfter, now)
-f = open(serial_file, "w")
-f.write("%02x\n" % (serial + 1))
-f.close()
+with open(args.serial, "w") as f:
+ f.write("%02x\n" % (serial + 1))
-if output is None:
- print cert.get_PEM()
+if args.out is None:
+ sys.stdout.write(cert.get_PEM())
 else:
- f = open(output, "w")
- f.write(cert.get_PEM())
- f.close()
-
+ with open(args.out, "w") as f:
+ f.write(cert.get_PEM()) |
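Review bot: The serial-number fallback at `except IOError: serial = 1` treats every read failure as "file does not exist", so a permissions error or a transient I/O error on an existing serial file silently restarts numbering at 1 and the next certificate may be issued with a serial this issuer has already used. Narrow the fallback to the missing-file case, `except IOError as e:` / `if e.errno != errno.ENOENT: raise` / `serial = 1`, which needs `import errno` in the import block. The read-modify-write of the serial file also holds no lock, so two concurrent runs can read the same value; at minimum a comment such as `# serial file is not locked; do not run two instances against the same file` belongs above the `try`. Separately, the old code parsed `--lifetime` with `rpki.sundial.timedelta.parse(a)` while the new code passes `rpki.sundial.timedelta` itself as `type=` together with the string default `"30d"`; if that constructor does not accept the same string syntax as `parse`, both the option and the default fail at argument parsing, so this is worth confirming against `rpki.sundial`.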