From 1da296f9f34e7c378f1f71e493c4f67adb3b67c4 Mon Sep 17 00:00:00 2001
From: Rob Austein
Date: Fri, 29 Apr 2016 05:22:49 +0000
Subject: First cut at rpkid migration, preliminary data for rootd migration. Still have irdb and pubd to do.

svn path=/branches/tk705/; revision=6406
---
 potpourri/ca-unpickle.py | 202 +++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 177 insertions(+), 25 deletions(-)

diff --git a/potpourri/ca-unpickle.py b/potpourri/ca-unpickle.py
index c988a168..d41584da 100755
--- a/potpourri/ca-unpickle.py
+++ b/potpourri/ca-unpickle.py
@@ -17,6 +17,9 @@ import subprocess
 
 import rpki.config
 import rpki.x509
+import rpki.POW
+
+from base64 import urlsafe_b64encode
 
 
 class LazyDict(object):
@@ -38,9 +41,6 @@ class LazyDict(object):
             return self._d[name]
         raise KeyError
 
-    def __missing__(self, name):
-        raise KeyError
-
     def __iter__(self):
         return self._d.iterkeys()
 
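Review bot: `import rpki.POW` is not referenced by anything this patch adds; the rootd code later in the same patch reaches POW objects through `root_mft.get_POW()` on an `rpki.x509` wrapper, which does not need the module bound in this file. Unless code outside the diff uses the name, the import is dead and should be dropped or moved to the hunk that actually needs it, so the import block keeps telling the reader what the script depends on. `from base64 import urlsafe_b64encode` is used by the new `ski_to_gski` helper and is fine.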
@@ -74,13 +74,28 @@ world = LazyDict.insinuate(cPickle.load(xzcat.stdout))
 if xzcat.wait() != 0:
     sys.exit("XZ unpickling failed with code {}".format(xzcat.returncode))
 
-# Trivial test, but if this works, the LazyDict stuff is probably working
-#print "Engine handle is", world.cooked_config.myrpki.handle
+if False:
+    # Trivial test for the LazyDict code
+    print "Engine handle is", world.cooked_config.myrpki.handle
+
+# None-safe wrappers for DER constructors.
+def X509(obj): return None if obj is None else rpki.x509.X509( DER = obj)
+def CRL(obj): return None if obj is None else rpki.x509.CRL( DER = obj)
+def RSA(obj): return None if obj is None else rpki.x509.RSA( DER = obj)
+def PKCS10(obj): return None if obj is None else rpki.x509.PKCS10( DER = obj)
+def MFT(obj): return None if obj is None else rpki.x509.SignedManifest(DER = obj)
+def ROA(obj): return None if obj is None else rpki.x509.ROA( DER = obj)
+def GBR(obj): return None if obj is None else rpki.x509.Ghostbuster( DER = obj)
+
+# Other conversions
 
-def maybe_X509(obj): return None if obj is None else rpki.x509.X509( DER = obj)
-def maybe_CRL(obj): return None if obj is None else rpki.x509.CRL( DER = obj)
-def maybe_RSA(obj): return None if obj is None else rpki.x509.RSA( DER = obj)
-def maybe_PKCS10(obj): return None if obj is None else rpki.x509.PKCS10(DER = obj)
+def ski_to_gski(ski):
+    return None if ski is None else urlsafe_b64encode(ski).rstrip("=")
+
+def cfg_to_bool(v):
+    from ConfigParser import RawConfigParser
+    states = RawConfigParser._boolean_states
+    return states[v.lower()]
 
 # Because of the way Django ORM uses DJANGO_SETTINGS_MODULE, we'll
 # probably need to fork() to handle the several databases. Shouldn't
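Review bot: `cfg_to_bool` depends on `ConfigParser.RawConfigParser._boolean_states`, a private attribute, and its only failure modes are an `AttributeError` when the option is missing (`v` is `None`) and a bare `KeyError` for any string outside the recognised yes/no set, so a typo in `run_rootd` aborts the migration with a traceback that never names the offending value. Keep the strict accept-list semantics but wrap the lookup and raise a `ValueError` that quotes the input; `.strip()` also tolerates the trailing whitespace that hand-edited config files tend to carry. The `if False:` block replacing the commented-out test is equivalent to the old dead code and could simply be deleted now that the `LazyDict` path is exercised by every loop below.
```python
def cfg_to_bool(v):
    from ConfigParser import RawConfigParser
    try:
        return RawConfigParser._boolean_states[v.strip().lower()]
    except (KeyError, AttributeError):
        raise ValueError("Not a boolean configuration value: {!r}".format(v))
```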
@@ -104,34 +119,34 @@ for row in world.databases.rpkid.self:
         use_hsm = row.use_hsm,
         crl_interval = row.crl_interval,
         regen_margin = row.regen_margin,
-        bpki_cert = maybe_X509(row.bpki_cert),
-        bpki_glue = maybe_X509(row.bpki_glue))
+        bpki_cert = X509(row.bpki_cert),
+        bpki_glue = X509(row.bpki_glue))
 
 print "rpkid bsc"
 for row in world.databases.rpkid.bsc:
     print " ", row.bsc_handle
-    tenant = rpki.rpkidb.models.Tenant.objects.get(pk = row.self_id)
+    tenant = rpki.rpkidb.models.Tenant.objects.get(pk = row.self_id )
     rpki.rpkidb.models.BSC.objects.create(
         pk = row.bsc_id,
         bsc_handle = row.bsc_handle,
-        private_key_id = maybe_RSA(row.private_key_id),
-        pkcs10_request = maybe_PKCS10(row.pkcs10_request),
+        private_key_id = RSA(row.private_key_id),
+        pkcs10_request = PKCS10(row.pkcs10_request),
         hash_alg = row.hash_alg or "sha256",
-        signing_cert = maybe_X509(row.signing_cert),
-        signing_cert_crl = maybe_CRL(row.signing_cert_crl),
+        signing_cert = X509(row.signing_cert),
+        signing_cert_crl = CRL(row.signing_cert_crl),
         tenant = tenant)
 
 print "rpkid repository"
 for row in world.databases.rpkid.repository:
     print " ", row.repository_handle
-    tenant = rpki.rpkidb.models.Tenant.objects.get(pk = row.self_id )
-    bsc = rpki.rpkidb.models.BSC.objects.get (pk = row.bsc_id, tenant = tenant)
+    tenant = rpki.rpkidb.models.Tenant.objects.get(pk = row.self_id )
+    bsc = rpki.rpkidb.models.BSC.objects.get( pk = row.bsc_id, tenant = tenant )
     rpki.rpkidb.models.Repository.objects.create(
         pk = row.repository_id,
         repository_handle = row.repository_handle,
         peer_contact_uri = row.peer_contact_uri,
-        bpki_cert = maybe_X509(row.bpki_cert),
-        bpki_glue = maybe_X509(row.bpki_glue),
+        bpki_cert = X509(row.bpki_cert),
+        bpki_glue = X509(row.bpki_glue),
         last_cms_timestamp = row.last_cms_timestamp,
         bsc = bsc,
         tenant = tenant)
@@ -139,14 +154,14 @@ for row in world.databases.rpkid.repository:
 print "rpkid parent"
 for row in world.databases.rpkid.parent:
     print " ", row.parent_handle
-    tenant = rpki.rpkidb.models.Tenant.objects.get (pk = row.self_id )
-    bsc = rpki.rpkidb.models.BSC.objects.get (pk = row.bsc_id, tenant = tenant)
-    repository = rpki.rpkidb.models.Repository.objects.get(pk = row.repository_id, tenant = tenant)
+    tenant = rpki.rpkidb.models.Tenant.objects.get( pk = row.self_id )
+    bsc = rpki.rpkidb.models.BSC.objects.get( pk = row.bsc_id, tenant = tenant )
+    repository = rpki.rpkidb.models.Repository.objects.get(pk = row.repository_id, tenant = tenant )
     rpki.rpkidb.models.Parent.objects.create(
         pk = row.parent_id,
         parent_handle = row.parent_handle,
-        bpki_cert = maybe_X509(row.bpki_cms_cert),
-        bpki_glue = maybe_X509(row.bpki_cms_glue),
+        bpki_cert = X509(row.bpki_cms_cert),
+        bpki_glue = X509(row.bpki_cms_glue),
         peer_contact_uri = row.peer_contact_uri,
         sia_base = row.sia_base,
         sender_name = row.sender_name,
@@ -155,3 +170,140 @@ for row in world.databases.rpkid.parent:
         bsc = bsc,
         repository = repository,
         tenant = tenant)
+
+print "rpkid ca"
+for row in world.databases.rpkid.ca:
+    parent = rpki.rpkidb.models.Parent.objects.get(pk = row.parent_id)
+    rpki.rpkidb.models.CA.objects.create(
+        pk = row.ca_id,
+        last_crl_manifest_number= max(row.last_crl_sn, row.last_manifest_sn),
+        last_issued_sn = row.last_issued_sn,
+        sia_uri = row.sia_uri,
+        parent_resource_class = row.parent_resource_class,
+        parent = parent)
+
+print "rpkid ca_detail"
+for row in world.databases.rpkid.ca_detail:
+    ca = rpki.rpkidb.models.CA.objects.get(pk = row.ca_id)
+    rpki.rpkidb.models.CADetail.objects.create(
+        pk = row.ca_detail_id,
+        public_key = RSA(row.public_key),
+        private_key_id = RSA(row.private_key_id),
+        latest_crl = CRL(row.latest_crl),
+        crl_published = row.crl_published,
+        latest_ca_cert = X509(row.latest_ca_cert),
+        manifest_private_key_id = RSA(row.manifest_private_key_id),
+        manifest_public_key = RSA(row.manifest_public_key),
+        latest_manifest = MFT(row.latest_manifest),
+        manifest_published = row.manifest_published,
+        state = row.state,
+        ca_cert_uri = row.ca_cert_uri,
+        ca = ca)
+
+print "rpkid child"
+for row in world.databases.rpkid.child:
+    print " ", row.child_handle
+    tenant = rpki.rpkidb.models.Tenant.objects.get(pk = row.self_id)
+    bsc = rpki.rpkidb.models.BSC.objects.get( pk = row.bsc_id, tenant = tenant)
+    rpki.rpkidb.models.Child.objects.create(
+        pk = row.child_id,
+        child_handle = row.child_handle,
+        bpki_cert = X509(row.bpki_cert),
+        bpki_glue = X509(row.bpki_glue),
+        last_cms_timestamp = row.last_cms_timestamp,
+        tenant = tenant,
+        bsc = bsc)
+
+print "rpkid child_cert"
+for row in world.databases.rpkid.child_cert:
+    child = rpki.rpkidb.models.Child.objects.get( pk = row.child_id)
+    ca_detail = rpki.rpkidb.models.CADetail.objects.get(pk = row.ca_detail_id)
+    rpki.rpkidb.models.ChildCert.objects.create(
+        pk = row.child_cert_id,
+        cert = X509(row.cert),
+        published = row.published,
+        gski = ski_to_gski(row.ski),
+        child = child,
+        ca_detail = ca_detail)
+
+print "rpkid revoked_cert"
+for row in world.databases.rpkid.revoked_cert:
+    ca_detail = rpki.rpkidb.models.CADetail.objects.get(pk = row.ca_detail_id)
+    rpki.rpkidb.models.RevokedCert.objects.create(
+        pk = row.revoked_cert_id,
+        serial = row.serial,
+        revoked = row.revoked,
+        expires = row.expires,
+        ca_detail = ca_detail)
+
+print "rpkid roa"
+for row in world.databases.rpkid.roa:
+    tenant = rpki.rpkidb.models.Tenant.objects.get( pk = row.self_id)
+    ca_detail = rpki.rpkidb.models.CADetail.objects.get(pk = row.ca_detail_id)
+    prefixes = tuple((p.version, "%s/%s-%s".format(p.prefix, p.prefixlen, p.max_prefixlen))
+                     for p in world.databases.rpkid.roa_prefix
+                     if p.roa_id == row.roa_id)
+    ipv4 = ",".join(p for v, p in prefixes if v == 4) or None
+    ipv6 = ",".join(p for v, p in prefixes if v == 6) or None
+    rpki.rpkidb.models.ROA.objects.create(
+        pk = row.roa_id,
+        asn = row.asn,
+        ipv4 = ipv4,
+        ipv6 = ipv6,
+        cert = X509(row.cert),
+        roa = ROA(row.roa),
+        published = row.published,
+        tenant = tenant,
+        ca_detail = ca_detail)
+
+print "rpkid ghostbuster"
+for row in world.databases.rpkid.ghostbuster:
+    tenant = rpki.rpkidb.models.Tenant.objects.get( pk = row.self_id)
+    ca_detail = rpki.rpkidb.models.CADetail.objects.get(pk = row.ca_detail_id)
+    rpki.rpkidb.models.Ghostbuster.objects.create(
+        pk = row.ghostbuster_id,
+        vcard = row.vcard,
+        cert = X509(row.cert),
+        ghostbuster = GBR(row.ghostbuster),
+        published = row.published,
+        tenant = tenant,
+        ca_detail = ca_detail)
+
+print "rpkid ee_cert"
+for row in world.databases.rpkid.ee_cert:
+    tenant = rpki.rpkidb.models.Tenant.objects.get( pk = row.self_id)
+    ca_detail = rpki.rpkidb.models.CADetail.objects.get(pk = row.ca_detail_id)
+    rpki.rpkidb.models.EECertificate.objects.create(
+        pk = row.ee_cert_id,
+        gski = ski_to_gski(row.ski),
+        cert = X509(row.cert),
+        published = row.published,
+        tenant = tenant,
+        ca_detail = ca_detail)
+
+if cfg_to_bool(world.cooked_config.myrpki.run_rootd):
+    print "rootd enabled"
+    root_cer = X509(world.files[world.cooked_config.rootd["rpki-root-cert"]])
+    root_key = RSA(world.files[world.cooked_config.rootd["rpki-root-key"]])
+    root_dir = world.cooked_config.rootd["rpki-root-dir"]
+    root_crl = CRL(world.files[os.path.join(root_dir, world.cooked_config.rootd["rpki-root-crl"])])
+    root_mft = MFT(world.files[os.path.join(root_dir,world.cooked_config.rootd["rpki-root-manifest"])])
+    work_cer = X509(world.files[os.path.join(root_dir,world.cooked_config.rootd["rpki-subject-cert"])])
+    print "root cer: {!r}".format(root_cer)
+    print "root key: {!r}".format(root_key)
+    print "root crl: {!r}".format(root_crl)
+    print "root.mft: {!r}".format(root_mft)
+    print "work.cer: {!r}".format(work_cer)
+
+    root_serial = root_cer.getSerial()
+    work_serial = work_cer.getSerial()
+    mft_serial = root_mft.get_POW().certs()[0].getSerial()
+    print "Serials: root {} worker {} manifest {} next {}".format(
+        root_serial, work_serial, mft_serial,
+        max(root_serial, work_serial, mft_serial) + 1)
+
+    root_mft.extract()
+    mft_number = root_mft.get_POW().getManifestNumber()
+    crl_number = root_crl.getCRLNumber()
+    print "Numbers: CRL {} manifest {} next {}".format(
+        crl_number, mft_number, max(crl_number, mft_number) + 1)
-- 
cgit v1.2.3
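Review bot: `"%s/%s-%s".format(p.prefix, p.prefixlen, p.max_prefixlen)` in the `rpkid roa` loop mixes `%`-style placeholders with `str.format`, so `.format()` finds no `{}` fields, ignores its arguments and returns the literal string `"%s/%s-%s"` for every prefix; the migrated ROA rows will carry `ipv4`/`ipv6` values like `%s/%s-%s,%s/%s-%s` rather than the real prefix lists, and the old and new databases will silently disagree about what each ROA authorises. Change it to `"{}/{}-{}".format(p.prefix, p.prefixlen, p.max_prefixlen)` (or `"%s/%s-%s" % (p.prefix, p.prefixlen, p.max_prefixlen)`); the same loop also rescans the entire `roa_prefix` table once per ROA, and grouping prefixes by `roa_id` once before the loop would keep the migration linear. Separately, `print "root key: {!r}".format(root_key)` writes the repr of the root private key object to stdout; unless `rpki.x509.RSA.__repr__` is known not to render key material, drop that line so key bytes cannot end up in a migration transcript. The three context lines at the top of the hunk belong to a `Parent.objects.create(...)` call that starts outside it.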