From 0b9d273ed65a77d480f789ab77107e73af55fd1c Mon Sep 17 00:00:00 2001 From: Rob Austein Date: Mon, 24 Dec 2007 07:35:25 +0000 Subject: Rename testroot => rootd svn path=/scripts/Makefile; revision=1437 --- scripts/Makefile | 2 +- scripts/apnic-poke-1.sh | 20 ++--- scripts/biz-certs/Bob-CA.srl | 2 +- scripts/http-client.py | 2 +- scripts/rootd.cer | 93 ++++++++++++++++++++++ scripts/rootd.cnf | 30 ++++++++ scripts/rootd.key | 27 +++++++ scripts/rootd.py | 179 +++++++++++++++++++++++++++++++++++++++++++ scripts/rootd.sh | 129 +++++++++++++++++++++++++++++++ scripts/testbed.py | 4 +- scripts/testroot.cer | 93 ---------------------- scripts/testroot.cnf | 30 -------- scripts/testroot.key | 27 ------- scripts/testroot.py | 179 ------------------------------------------- scripts/testroot.sh | 129 ------------------------------- 15 files changed, 473 insertions(+), 473 deletions(-) create mode 100644 scripts/rootd.cer create mode 100644 scripts/rootd.cnf create mode 100644 scripts/rootd.key create mode 100755 scripts/rootd.py create mode 100644 scripts/rootd.sh delete mode 100644 scripts/testroot.cer delete mode 100644 scripts/testroot.cnf delete mode 100644 scripts/testroot.key delete mode 100755 scripts/testroot.py delete mode 100644 scripts/testroot.sh (limited to 'scripts') diff --git a/scripts/Makefile b/scripts/Makefile index 8133d691..f582c06e 100644 --- a/scripts/Makefile +++ b/scripts/Makefile @@ -51,4 +51,4 @@ rpki/relaxng.py: left-right-schema.rng up-down-schema.rng make-relaxng.py python make-relaxng.py >$@.tmp mv $@.tmp $@ -test:: all ; sh -x testroot.sh run +test:: all ; sh -x rootd.sh run diff --git a/scripts/apnic-poke-1.sh b/scripts/apnic-poke-1.sh index d56a694b..f59dcc80 100644 --- a/scripts/apnic-poke-1.sh +++ b/scripts/apnic-poke-1.sh 
@@ -14,16 +14,16 @@ openssl=../openssl/openssl/apps/openssl set -ex -# Generate new key and cert for testroot.py if needed +# Generate new key and cert for rootd.py if needed -if test ! -r testroot.cer -o ! -r testroot.key +if test ! -r rootd.cer -o ! -r rootd.key then - $openssl req -new -newkey rsa:2048 -nodes -keyout testroot.key -out testroot.req -config testroot.cnf + $openssl req -new -newkey rsa:2048 -nodes -keyout rootd.key -out rootd.req -config rootd.cnf - $openssl x509 -req -in testroot.req -out testroot.cer -extfile testroot.cnf -extensions req_x509_ext \ - -signkey testroot.key -text -sha256 + $openssl x509 -req -in rootd.req -out rootd.cer -extfile rootd.cnf -extensions req_x509_ext \ + -signkey rootd.key -text -sha256 - rm -f testroot.req + rm -f rootd.req fi # Blow away old rpkid database (!) so we can start clean @@ -65,7 +65,7 @@ rm -f bsc.req bsc.cer python irbe-cli.py repository --self_id 1 --action create --bsc_id 1 -# Create a parent context pointing at testroot.py +# Create a parent context pointing at rootd.py python irbe-cli.py parent --self_id 1 --action create --bsc_id 1 --repository_id 1 \ --peer_contact_uri https://localhost:44333/ \ @@ -82,12 +82,12 @@ python irbe-cli.py child --self_id 1 --action create --bsc_id 1 --cms_ta biz-cer if test -n "$STY" then - screen python testroot.py + screen python rootd.py screen python irdb.py else - python testroot.py >>testroot.log 2>&1 & testroot=$! + python rootd.py >>rootd.log 2>&1 & rootd=$! python irdb.py >>irdb.log 2>&1 & irdb=$! - trap "kill $rpkid $irdb $testroot" 0 1 2 3 13 15 + trap "kill $rpkid $irdb $rootd" 0 1 2 3 13 15 fi python http-client.py diff --git a/scripts/biz-certs/Bob-CA.srl b/scripts/biz-certs/Bob-CA.srl index 2d52136c..29ac2a7a 100644 --- a/scripts/biz-certs/Bob-CA.srl +++ b/scripts/biz-certs/Bob-CA.srl @@ -1 +1 @@ -90801F1ED194555A +90801F1ED194555C diff --git a/scripts/http-client.py b/scripts/http-client.py index 880ad039..3e5ec618 100644 --- a/scripts/http-client.py 
+++ b/scripts/http-client.py @@ -8,7 +8,7 @@ Usage: python http-client [ { -c | --config } configfile ] Default configuration file is http-demo.conf, override with --config option. """ -import rpki.config, rpki.https, getopt +import rpki.config, rpki.https, getopt, sys msg = "This is a test. This is only a test. Had this been real you would now be really confused.\n" diff --git a/scripts/rootd.cer b/scripts/rootd.cer new file mode 100644 index 00000000..205fee80 --- /dev/null +++ b/scripts/rootd.cer 
@@ -0,0 +1,93 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + a7:85:aa:b9:ac:55:06:68 + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN=Completely Bogus Test Root (NOT FOR PRODUCTION USE) + Validity + Not Before: Nov 7 01:24:37 2007 GMT + Not After : Dec 7 01:24:37 2007 GMT + Subject: CN=Completely Bogus Test Root (NOT FOR PRODUCTION USE) + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:b1:b5:66:85:a4:cc:91:81:15:0c:de:bf:dc:fe: + 53:bd:34:20:ed:b0:3b:be:25:8c:1e:ab:da:07:20: + cd:c3:c0:22:22:1a:0e:dc:38:c8:3a:c2:35:23:9a: + 1f:91:32:ea:29:53:fc:be:4a:ce:f1:c2:23:44:16: + 0d:cc:9c:c5:02:b7:06:53:46:b1:20:60:c2:73:3c: + f8:c2:61:15:c5:c8:65:b9:cd:5d:56:ef:03:e9:44: + 80:27:f1:f8:d5:28:d6:f1:be:6b:51:d8:5e:24:26: + 8e:5e:29:2d:3d:6b:ac:1c:ce:d9:d1:51:00:22:2c: + fb:64:a4:c4:4d:0c:ce:45:10:a0:d6:a1:b5:ac:fa: + 4f:1d:41:78:f8:6c:87:8b:e4:52:0c:25:66:6b:75: + 42:1e:10:a6:fe:e6:17:2f:ad:07:f7:bc:a8:f3:57: + c9:1c:b4:95:e7:f1:19:2d:ab:a6:ef:6d:b2:dd:6e: + fe:c2:bb:1a:1c:d5:dd:21:e9:d7:92:27:0b:bb:df: + f0:3b:6e:ad:f1:21:55:d1:6e:e2:cc:0b:05:0f:25: + 5a:4a:5b:d2:9b:74:f0:2f:fc:c3:45:37:68:ac:6a: + d5:3b:f6:09:dd:41:fd:f7:48:47:f9:ab:93:2b:79: + 8f:47:ae:d9:34:69:42:f8:60:46:a0:52:d7:b2:a3: + 17:55 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + BC:C8:FF:91:73:B7:5F:60:75:A9:CC:2A:5C:DC:CE:AC:83:A0:04:F1 + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + Subject Information Access: + 1.3.6.1.5.5.7.48.5 - URI:rsync://wombat.invalid/ + + sbgp-autonomousSysNum: critical + Autonomous System Numbers: + 1-65535 + + sbgp-ipAddrBlock: critical + IPv4: + 0.0.0.0/0 + IPv6: + :/0 + + Signature Algorithm: sha256WithRSAEncryption + 9b:05:00:c1:1c:2a:4e:5f:52:1e:2a:2b:c5:46:2e:e9:a4:2f: + 4c:a8:4a:67:08:56:e9:62:70:7c:0b:48:c2:13:46:89:7b:31: + ba:60:ad:0d:62:0d:fe:df:05:f6:2f:ab:73:ae:4a:1a:b0:7a: + 
77:7a:11:66:a2:09:6c:99:b6:bc:b2:a6:f5:06:e4:8e:d7:4d: + 09:a4:0f:35:11:51:1d:22:42:4e:1a:93:a8:fd:dc:b0:d5:d6: + 16:cf:30:a8:c4:fa:21:47:c0:97:ed:26:71:e7:a0:05:d2:8d: + 68:f0:b9:cb:48:00:da:d4:c2:18:94:b3:fa:22:f8:57:d1:76: + b4:7f:b9:b3:95:21:07:1a:56:71:3d:51:6e:2e:cd:93:ff:48: + a0:7c:4a:eb:c3:e0:0a:30:19:4e:b4:8d:d0:33:b8:3b:e8:43: + dd:c0:76:76:b8:ff:07:ad:10:67:7f:09:d4:54:86:3d:61:87: + c4:56:c4:be:f5:4a:9e:5a:aa:35:a3:10:33:ae:86:e6:10:3b: + 2a:6b:d7:3d:cb:3e:c8:94:d8:d3:c0:9a:f6:ae:14:f7:1c:f4: + 13:2f:14:45:bb:12:55:00:84:1c:e7:24:f0:f2:a8:42:c0:59: + 9c:bb:25:ed:f5:fa:46:6f:43:89:2e:e6:ad:75:c1:ff:df:52: + 25:85:c3:37 +-----BEGIN CERTIFICATE----- +MIIDwjCCAqqgAwIBAgIJAKeFqrmsVQZoMA0GCSqGSIb3DQEBCwUAMD4xPDA6BgNV +BAMTM0NvbXBsZXRlbHkgQm9ndXMgVGVzdCBSb290IChOT1QgRk9SIFBST0RVQ1RJ +T04gVVNFKTAeFw0wNzExMDcwMTI0MzdaFw0wNzEyMDcwMTI0MzdaMD4xPDA6BgNV +BAMTM0NvbXBsZXRlbHkgQm9ndXMgVGVzdCBSb290IChOT1QgRk9SIFBST0RVQ1RJ +T04gVVNFKTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALG1ZoWkzJGB +FQzev9z+U700IO2wO74ljB6r2gcgzcPAIiIaDtw4yDrCNSOaH5Ey6ilT/L5KzvHC +I0QWDcycxQK3BlNGsSBgwnM8+MJhFcXIZbnNXVbvA+lEgCfx+NUo1vG+a1HYXiQm +jl4pLT1rrBzO2dFRACIs+2SkxE0MzkUQoNahtaz6Tx1BePhsh4vkUgwlZmt1Qh4Q +pv7mFy+tB/e8qPNXyRy0lefxGS2rpu9tst1u/sK7GhzV3SHp15InC7vf8DturfEh +VdFu4swLBQ8lWkpb0pt08C/8w0U3aKxq1Tv2Cd1B/fdIR/mrkyt5j0eu2TRpQvhg +RqBS17KjF1UCAwEAAaOBwjCBvzAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBS8 +yP+Rc7dfYHWpzCpc3M6sg6AE8TAOBgNVHQ8BAf8EBAMCAQYwMwYIKwYBBQUHAQsE +JzAlMCMGCCsGAQUFBzAFhhdyc3luYzovL3dvbWJhdC5pbnZhbGlkLzAfBggrBgEF +BQcBCAEB/wQQMA6gDDAKMAgCAQECAwD//zAnBggrBgEFBQcBBwEB/wQYMBYwCQQC +AAEwAwMBADAJBAIAAjADAwEAMA0GCSqGSIb3DQEBCwUAA4IBAQCbBQDBHCpOX1Ie +KivFRi7ppC9MqEpnCFbpYnB8C0jCE0aJezG6YK0NYg3+3wX2L6tzrkoasHp3ehFm +oglsmba8sqb1BuSO100JpA81EVEdIkJOGpOo/dyw1dYWzzCoxPohR8CX7SZx56AF +0o1o8LnLSADa1MIYlLP6IvhX0Xa0f7mzlSEHGlZxPVFuLs2T/0igfErrw+AKMBlO +tI3QM7g76EPdwHZ2uP8HrRBnfwnUVIY9YYfEVsS+9UqeWqo1oxAzrobmEDsqa9c9 +yz7IlNjTwJr2rhT3HPQTLxRFuxJVAIQc5yTw8qhCwFmcuyXt9fpGb0OJLuatdcH/ +31IlhcM3 
+-----END CERTIFICATE----- diff --git a/scripts/rootd.cnf b/scripts/rootd.cnf new file mode 100644 index 00000000..1e400c04 --- /dev/null +++ b/scripts/rootd.cnf @@ -0,0 +1,30 @@ +# $Id$ +# +# Generate test root resource certificate for use with rootd.py server. + +[ req ] +default_bits = 2048 +encrypt_key = no +distinguished_name = req_dn +req_extensions = req_x509_ext +prompt = no + +[ req_dn ] +CN = Completely Bogus Test Root (NOT FOR PRODUCTION USE) + +[ req_x509_ext ] +basicConstraints = critical,CA:true +subjectKeyIdentifier = hash +keyUsage = critical,keyCertSign,cRLSign +subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombat.invalid/ +sbgp-autonomousSysNum = critical,@req_asid_ext +sbgp-ipAddrBlock = critical,@req_addr_ext + +[ req_asid_ext ] + +AS.0 = 1-65535 + +[ req_addr_ext ] + +IPv4.0 = 0.0.0.0/0 +IPv6.0 = 0::/0 diff --git a/scripts/rootd.key b/scripts/rootd.key new file mode 100644 index 00000000..d97fc64d --- /dev/null +++ b/scripts/rootd.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAsbVmhaTMkYEVDN6/3P5TvTQg7bA7viWMHqvaByDNw8AiIhoO +3DjIOsI1I5ofkTLqKVP8vkrO8cIjRBYNzJzFArcGU0axIGDCczz4wmEVxchluc1d +Vu8D6USAJ/H41SjW8b5rUdheJCaOXiktPWusHM7Z0VEAIiz7ZKTETQzORRCg1qG1 +rPpPHUF4+GyHi+RSDCVma3VCHhCm/uYXL60H97yo81fJHLSV5/EZLaum722y3W7+ +wrsaHNXdIenXkicLu9/wO26t8SFV0W7izAsFDyVaSlvSm3TwL/zDRTdorGrVO/YJ +3UH990hH+auTK3mPR67ZNGlC+GBGoFLXsqMXVQIDAQABAoIBAG5CxlzPltoFBGGa +5+Kfrqdra67utPLS6zCwojPgB6uYT9Vm46eCV8IVc9EmNMXrmFySLvSHCAX61dTN +9jvpXVfE5djPuOEFCEFmKFa61D6Gi4+QO4TQAlY+2WFvglwH3e3an04F+MtnXNhR +pi9A2mZ5da6pGnMaA9U7Yk0IUAeLMva/WfsMtY3+HvTyjNfYtULAOw82nuC4wddc +SYAOlFL9dw/QJ1bICddVoV0HfyiSJgGWQZbVGFacTeh8w6ir47sXxTOvWiCiUWYn +gDuhknDI7yXAFIUZYSiJKlJfrSLrbfPEg3l8xNvwZR0FCVZLdrmldhVNSyLg2II8 +IALn92ECgYEA6RcuOx29gjdz9uwFxlkEMYpVKLGOEBABGeSCo8dyFmbBKY1iw22e +OzSDzVAQoaPk6Fqgbs0XNsrpDpkqoejnrXeqgK6BlyikcE4qelnWXWEvDQy+1tXs +nJsS9jHGVEr0e+aUGhJAJn9pO3TbDtQnswwbxmLkvSGy35SnNMSAfFkCgYEAwyy/ +dNP02y8zEdpt+8CHysOEnnS/VlJvDXoYGVu6AZ3dWPLwxymJC2YGdxGLqHpVkoNI +oKlNFrnRbhYMbMIGFOJr6pvTDsM4zxJ0wy86PSE1Oid9JqZwXrNJqnPo861nNW86 +xRopLlZjsQ2RU0VNiPjYgoriaDXOAvTzppzr410CgYA0ddEj4Per/QsOgeRy1coJ +1FaCSCPvHYsB5to4PkVBIXNMBNQ7o8o/DPy1EtYLazWzzeHZzjLxVA3MCVD9C8xI +0GwBdkUYXj9UP2N0EhAbCCpsx3eUJqWQQZ6s5lr60bvgvu6KR51EjNyEUzKSTdF5 +jLobllpg7tqxU2WmjKtWUQKBgHUVXAlmuaXfa8CTC5WSCyQdJGq2WK4dJ5erHdfg +ifY8ULPykXS4uwjGfKxjLyezs6//58rRpXgzoqpquatovaM7rUeBkRxzCppWVQte +Qo63ZCnt1IsiH5j/7vo9LIs6BAcvIc9qAThWBNoK7JpKodfAiInPbUDcvihR7/SM +gInVAoGBAKLrNc91EygUaXJR92z/PzEoNI6UGYAbP+z0bmn67jpPLxCjN2aZRUkm +18MElOmSoedsf+dIcqOHdWvoyiDHVo2i0yxRy0nD54VVH2ZqS2fRLX6+pnCE0XiI +ulAAjPazIPG5XOugl17O7cKsPAI/uF7bWRcg4OLjXQy7XvPPMoR3 +-----END RSA PRIVATE KEY----- diff --git a/scripts/rootd.py b/scripts/rootd.py new file mode 100755 index 00000000..02d6322b --- /dev/null +++ b/scripts/rootd.py 
@@ -0,0 +1,179 @@ +# $Id$ + +""" +Trivial RPKI up-down protocol root server, for testing. Not suitable +for production use. Overrides a bunch of method definitions from the +rpki.* classes in order to reuse as much code as possible. + +Usage: python rootd.py [ { -c | --config } configfile ] [ { -h | --help } ] + +Default configuration file is rootd.conf, override with --config option. +""" + +import traceback, os, time, getopt, sys, lxml +import rpki.resource_set, rpki.up_down, rpki.left_right, rpki.x509 +import rpki.https, rpki.config, rpki.cms, rpki.exceptions, rpki.relaxng +import rpki.sundial, rpki.log + +rootd_name = "wombat" +rootd_base = "rsync://" + rootd_name + ".invalid/" +rootd_cert = rootd_base + "rootd.cer" + +rpki_subject_lifetime = rpki.sundial.timedelta(days = 30) + + +def get_subject_cert(): + try: + x = rpki.x509.X509(Auto_file = rpki_subject_filename) + return x + except IOError: + return None + +def set_subject_cert(cert): + f = open(rpki_subject_filename, "wb") + f.write(cert.get_DER()) + f.close() + +def del_subject_cert(): + os.remove(rpki_subject_filename) + +def stash_subject_pkcs10(pkcs10): + if rpki_pkcs10_filename: + f = open(rpki_pkcs10_filename, "wb") + f.write(pkcs10.get_DER()) + f.close() + +def compose_response(r_msg): + rc = rpki.up_down.class_elt() + rc.class_name = rootd_name + rc.cert_url = rpki.up_down.multi_uri(rootd_cert) + rc.from_resource_bag(rpki_issuer.get_3779resources()) + rc.issuer = rpki_issuer + r_msg.payload.classes.append(rc) + rpki_subject = get_subject_cert() + if rpki_subject is not None: + rc.certs.append(rpki.up_down.certificate_elt()) + rc.certs[0].cert_url = rpki.up_down.multi_uri(rootd_base + rpki_subject.gSKI() + ".cer") + rc.certs[0].cert = rpki_subject + +class list_pdu(rpki.up_down.list_pdu): + def serve_pdu(self, xxx1, q_msg, r_msg, xxx2): + r_msg.payload = rpki.up_down.list_response_pdu() + compose_response(r_msg) + +class issue_pdu(rpki.up_down.issue_pdu): + def serve_pdu(self, xxx1, q_msg, r_msg, 
xxx2): + stash_subject_pkcs10(self.pkcs10) + self.pkcs10.check_valid_rpki() + r_msg.payload = rpki.up_down.issue_response_pdu() + rpki_subject = get_subject_cert() + if rpki_subject is None: + resources = rpki_issuer.get_3779resources() + req_key = self.pkcs10.getPublicKey() + req_sia = self.pkcs10.get_SIA() + crldp = rootd_base + rpki_issuer.gSKI() + ".crl" + set_subject_cert(rpki_issuer.issue(keypair = rpki_key, + subject_key = req_key, + serial = int(time.time()), + sia = req_sia, + aia = rootd_cert, + crldp = crldp, + resources = resources, + notAfter = rpki.sundial.datetime.utcnow() + rpki_subject_lifetime)) + compose_response(r_msg) + +class revoke_pdu(rpki.up_down.revoke_pdu): + def serve_pdu(self, xxx1, q_msg, r_msg, xxx2): + rpki_subject = get_subject_cert() + if rpki_subject is None or rpki_subject.gSKI() != self.ski: + raise rpki.exceptions.NotInDatabase + del_subject_cert() + r_msg.payload = rpki.up_down.revoke_response_pdu() + r_msg.payload.class_name = self.class_name + r_msg.payload.ski = self.ski + +class message_pdu(rpki.up_down.message_pdu): + name2type = { + "list" : list_pdu, + "list_response" : rpki.up_down.list_response_pdu, + "issue" : issue_pdu, + "issue_response" : rpki.up_down.issue_response_pdu, + "revoke" : revoke_pdu, + "revoke_response" : rpki.up_down.revoke_response_pdu, + "error_response" : rpki.up_down.error_response_pdu } + type2name = dict((v,k) for k,v in name2type.items()) + +class sax_handler(rpki.sax_utils.handler): + def create_top_level(self, name, attrs): + return message_pdu() + +def up_down_handler(query, path): + try: + q_elt = rpki.cms.xml_verify(query, cms_ta) + rpki.relaxng.up_down.assertValid(q_elt) + q_msg = sax_handler.saxify(q_elt) + except Exception, data: + rpki.log.error(traceback.format_exc()) + return 400, "Could not process PDU: %s" % data + try: + r_msg = q_msg.serve_top_level(None, None) + r_elt = r_msg.toXML() + try: + rpki.relaxng.up_down.assertValid(r_elt) + except lxml.etree.DocumentInvalid: + 
rpki.log.debug(lxml.etree.tostring(r_elt, pretty_print = True, encoding ="utf-8", xml_declaration = True)) + raise + return 200, rpki.cms.xml_sign(r_elt, cms_key, cms_certs, encoding = "utf-8") + except Exception, data: + rpki.log.error(traceback.format_exc()) + try: + r_msg = q_msg.serve_error(data) + r_elt = r_msg.toXML() + rpki.relaxng.up_down.assertValid(r_elt) + return 200, rpki.cms.xml_sign(r_elt, cms_key, cms_certs, encoding = "utf-8") + except Exception, data: + rpki.log.error(traceback.format_exc()) + return 500, "Could not process PDU: %s" % data + +os.environ["TZ"] = "UTC" +time.tzset() + +rpki.log.init("rootd") + +cfg_file = "rootd.conf" + +opts,argv = getopt.getopt(sys.argv[1:], "c:h?", ["config=", "help"]) +for o,a in opts: + if o in ("-h", "--help", "-?"): + print __doc__ + sys.exit(0) + if o in ("-c", "--config"): + cfg_file = a +if argv: + raise RuntimeError, "Unexpected arguments %s" % argv + +cfg = rpki.config.parser(cfg_file) +section = "rootd" + +cms_ta = rpki.x509.X509(Auto_file = cfg.get(section, "cms-ta")) +cms_key = rpki.x509.RSA(Auto_file = cfg.get(section, "cms-key")) +cms_certs = rpki.x509.X509_chain(Auto_files = cfg.multiget(section, "cms-cert")) + +https_key = rpki.x509.RSA(Auto_file = cfg.get(section, "https-key")) +https_certs = rpki.x509.X509_chain(Auto_files = cfg.multiget(section, "https-cert")) + +https_server_host = cfg.get(section, "server-host", "") +https_server_port = int(cfg.get(section, "server-port")) + +rpki_key = rpki.x509.RSA(Auto_file = cfg.get(section, "rpki-key")) +rpki_issuer = rpki.x509.X509(Auto_file = cfg.get(section, "rpki-issuer")) + +rpki_subject_filename = cfg.get(section, "rpki-subject-filename") + +rpki_pkcs10_filename = cfg.get(section, "rpki-pkcs10-filename", "") + +rpki.https.server(privateKey = https_key, + certChain = https_certs, + host = https_server_host, + port = https_server_port, + handlers = up_down_handler) 
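Review bot: In `issue_pdu.serve_pdu` the `if rpki_subject is None:` guard means an issue request that arrives while a subject certificate is already stashed is answered via `compose_response` with that stashed certificate, and the key in `self.pkcs10` is never compared with the key the stashed certificate was issued for, so a re-key request silently receives a certificate for the old key. A check that compares the requested public key with the stashed certificate's key and treats a mismatch as a fresh issuance (dropping the stash via `del_subject_cert()`) would close that gap; the `rpki.x509.X509` accessor needed for the comparison is not visible in this hunk. The same method derives `serial = int(time.time())`, so a revoke followed by an issue within one second, or two issuances in the same second, reuse a serial under the same issuer; a monotonic counter persisted next to the subject certificate would keep serials unique. In `up_down_handler` the 400 and 500 paths return `"Could not process PDU: %s" % data`, echoing the raw exception text to the peer; since the full traceback is already logged with `rpki.log.error`, a fixed message on the wire would be sufficient.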
diff --git a/scripts/rootd.sh b/scripts/rootd.sh new file mode 100644 index 00000000..2b8fd07d --- /dev/null +++ b/scripts/rootd.sh 
@@ -0,0 +1,129 @@ +#!/bin/sh - +# $Id$ +# +# Script to test against rootd.py. +# +# This blows away rpkid's database and rebuilds it with what we need +# for this test, and knows far too much about the id numbers that +# rpkid and mysql will assign. In the long run we must do better than +# this, but gotta start somewhere. + +openssl=../openssl/openssl/apps/openssl + +# Halt on first error + +set -e + +# Generate new key and cert for rootd.py if needed + +if test ! -r rootd.cer -o ! -r rootd.key +then + $openssl req -new -newkey rsa:2048 -nodes -keyout rootd.key -out rootd.req -config rootd.cnf + $openssl x509 -req -in rootd.req -out rootd.cer -extfile rootd.cnf -extensions req_x509_ext -signkey rootd.key -text -sha256 + rm -f rootd.req +fi + +# Blow away old rpkid database (!) so we can start clean + +mysql -u rpki -p`awk '$1 == "sql-password" {print $3}' rpkid.conf` rpki <../docs/rpki-db-schema.sql + +# Start rpkid so we can configure it, make sure we shut it down on exit + +python rpkid.py & rpkid=$! 
+trap "kill $rpkid" 0 1 2 3 13 15 + +: Waiting to let rpkid start up; sleep 5 + +# Create a self instance + +time python irbe-cli.py self --action create --crl_interval 84600 + +# Create a business signing context, issue the necessary business cert, and set up the cert chain + +time python irbe-cli.py --pem_out bsc.req bsc --action create --self_id 1 --generate_keypair --signing_cert biz-certs/Bob-CA.cer +time $openssl x509 -req -in bsc.req -out bsc.cer -CA biz-certs/Bob-CA.cer -CAkey biz-certs/Bob-CA.key -CAserial biz-certs/Bob-CA.srl +time python irbe-cli.py bsc --action set --self_id 1 --bsc_id 1 --signing_cert bsc.cer +rm -f bsc.req bsc.cer + +# Create a repository context + +time python irbe-cli.py repository --self_id 1 --action create --bsc_id 1 + +# Create a parent context pointing at rootd.py + +time python irbe-cli.py parent --self_id 1 --action create --bsc_id 1 --repository_id 1 \ + --peer_contact_uri https://localhost:44333/ \ + --cms_ta biz-certs/Elena-Root.cer \ + --https_ta biz-certs/Elena-Root.cer \ + --sia_base rsync://wombat.invalid/ \ + --sender_name tweedledee \ + --recipient_name tweedledum + +# Create a child context + +time python irbe-cli.py child --self_id 1 --action create --bsc_id 1 --cms_ta biz-certs/Frank-Root.cer + +# Need to link irdb to created child and clear conflicting links. +# For now, just do this "manually" in MySQL CLI. + +echo ' + UPDATE registrant SET rpki_self_id = NULL, rpki_child_id = NULL; + UPDATE registrant SET rpki_self_id = 1, rpki_child_id = 1 WHERE subject_name = "Epilogue Technology Corporation"; +' | +mysql -u irdb -p`awk '$1 == "sql-password" {print $3}' irbe.conf` irdb + +if test "$1" = "run" +then + + rm -rf publication + + python rootd.py & rootd=$! + python irdb.py & irdb=$! 
+ trap "kill $rpkid $irdb $rootd" 0 1 2 3 13 15 + + : Waiting to let daemons start up; sleep 5 + + date; time python http-client.py + date; time python testpoke.py -r list + date; time python testpoke.py -r issue + + date; time python http-client.py + date; time python testpoke.py -r list + date; time python testpoke.py -r issue + + date; python testpoke.py -r issue | + qh | + sed -n '/^(certificate/,/^)certificate/s/^-//p' | + mimencode -u | + $openssl x509 -noout -inform DER -text + + date; time python testpoke.py -r revoke + date; time python testpoke.py -r list + date; time python http-client.py + date; time python testpoke.py -r list + + date; time python http-client.py + date; time python testpoke.py -r list + date; time python testpoke.py -r issue + + date; time python testpoke.py -r revoke + date; time python testpoke.py -r list + date; time python http-client.py + date; time python testpoke.py -r list + + date; time python testpoke.py -r issue + date; time python testpoke.py -r revoke + date; time python testpoke.py -r issue + date; time python testpoke.py -r revoke + date; time python testpoke.py -r issue + date; time python testpoke.py -r revoke + date; time python testpoke.py -r list + date; time python http-client.py + date; time python testpoke.py -r list + + date; time python testpoke.py -r issue + date; time python http-client.py + date; time python testpoke.py -r list + date + +fi diff --git a/scripts/testbed.py b/scripts/testbed.py index 9fe8ae25..67d60fa3 100644 --- a/scripts/testbed.py +++ b/scripts/testbed.py 
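Review bot: The `mysql -u rpki -p\`awk '$1 == "sql-password" {print $3}' rpkid.conf\` rpki` line, and the matching `mysql -u irdb -p\`...\` irdb` invocation later in the hunk, pass the database password as a command-line argument, which makes it visible to every local user in the process list for the duration of the command; the mysql client reads it from `--defaults-extra-file` or the `MYSQL_PWD` environment variable instead. Separately, the `if test ! -r rootd.cer -o ! -r rootd.key` guard only regenerates the root certificate when the files are missing, while the committed rootd.cer carries `Not After : Dec 7 01:24:37 2007 GMT`, already past this commit's date; whether the up-down code rejects an expired issuer is not visible here, so a comment on the guard such as `# NOTE: does not check whether an existing rootd.cer has expired` would at least make the behaviour explicit.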
@@ -47,7 +47,7 @@ prog_python = cfg.get(cfg_section, "prog_python", "python") prog_rpkid = cfg.get(cfg_section, "prog_rpkid", "../rpkid.py") prog_irdbd = cfg.get(cfg_section, "prog_irdbd", "../irdb.py") prog_poke = cfg.get(cfg_section, "prog_poke", "../testpoke.py") -prog_rootd = cfg.get(cfg_section, "prog_rootd", "../testroot.py") +prog_rootd = cfg.get(cfg_section, "prog_rootd", "../rootd.py") prog_openssl = cfg.get(cfg_section, "prog_openssl", "../../openssl/openssl/apps/openssl") rpki_sql_file = cfg.get(cfg_section, "rpki_sql_file", "../docs/rpki-db-schema.sql") @@ -695,7 +695,7 @@ https-url = https://localhost:%(rpki_port)d/left-right rootd_fmt_1 = '''\ -[testroot] +[rootd] cms-key = %(rootd_name)s-EE.key cms-cert.0 = %(rootd_name)s-EE.cer diff --git a/scripts/testroot.cer b/scripts/testroot.cer deleted file mode 100644 index 205fee80..00000000 --- a/scripts/testroot.cer +++ /dev/null 
@@ -1,93 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - a7:85:aa:b9:ac:55:06:68 - Signature Algorithm: sha256WithRSAEncryption - Issuer: CN=Completely Bogus Test Root (NOT FOR PRODUCTION USE) - Validity - Not Before: Nov 7 01:24:37 2007 GMT - Not After : Dec 7 01:24:37 2007 GMT - Subject: CN=Completely Bogus Test Root (NOT FOR PRODUCTION USE) - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public Key: (2048 bit) - Modulus (2048 bit): - 00:b1:b5:66:85:a4:cc:91:81:15:0c:de:bf:dc:fe: - 53:bd:34:20:ed:b0:3b:be:25:8c:1e:ab:da:07:20: - cd:c3:c0:22:22:1a:0e:dc:38:c8:3a:c2:35:23:9a: - 1f:91:32:ea:29:53:fc:be:4a:ce:f1:c2:23:44:16: - 0d:cc:9c:c5:02:b7:06:53:46:b1:20:60:c2:73:3c: - f8:c2:61:15:c5:c8:65:b9:cd:5d:56:ef:03:e9:44: - 80:27:f1:f8:d5:28:d6:f1:be:6b:51:d8:5e:24:26: - 8e:5e:29:2d:3d:6b:ac:1c:ce:d9:d1:51:00:22:2c: - fb:64:a4:c4:4d:0c:ce:45:10:a0:d6:a1:b5:ac:fa: - 4f:1d:41:78:f8:6c:87:8b:e4:52:0c:25:66:6b:75: - 42:1e:10:a6:fe:e6:17:2f:ad:07:f7:bc:a8:f3:57: - c9:1c:b4:95:e7:f1:19:2d:ab:a6:ef:6d:b2:dd:6e: - fe:c2:bb:1a:1c:d5:dd:21:e9:d7:92:27:0b:bb:df: - f0:3b:6e:ad:f1:21:55:d1:6e:e2:cc:0b:05:0f:25: - 5a:4a:5b:d2:9b:74:f0:2f:fc:c3:45:37:68:ac:6a: - d5:3b:f6:09:dd:41:fd:f7:48:47:f9:ab:93:2b:79: - 8f:47:ae:d9:34:69:42:f8:60:46:a0:52:d7:b2:a3: - 17:55 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:TRUE - X509v3 Subject Key Identifier: - BC:C8:FF:91:73:B7:5F:60:75:A9:CC:2A:5C:DC:CE:AC:83:A0:04:F1 - X509v3 Key Usage: critical - Certificate Sign, CRL Sign - Subject Information Access: - 1.3.6.1.5.5.7.48.5 - URI:rsync://wombat.invalid/ - - sbgp-autonomousSysNum: critical - Autonomous System Numbers: - 1-65535 - - sbgp-ipAddrBlock: critical - IPv4: - 0.0.0.0/0 - IPv6: - :/0 - - Signature Algorithm: sha256WithRSAEncryption - 9b:05:00:c1:1c:2a:4e:5f:52:1e:2a:2b:c5:46:2e:e9:a4:2f: - 4c:a8:4a:67:08:56:e9:62:70:7c:0b:48:c2:13:46:89:7b:31: - ba:60:ad:0d:62:0d:fe:df:05:f6:2f:ab:73:ae:4a:1a:b0:7a: - 
77:7a:11:66:a2:09:6c:99:b6:bc:b2:a6:f5:06:e4:8e:d7:4d: - 09:a4:0f:35:11:51:1d:22:42:4e:1a:93:a8:fd:dc:b0:d5:d6: - 16:cf:30:a8:c4:fa:21:47:c0:97:ed:26:71:e7:a0:05:d2:8d: - 68:f0:b9:cb:48:00:da:d4:c2:18:94:b3:fa:22:f8:57:d1:76: - b4:7f:b9:b3:95:21:07:1a:56:71:3d:51:6e:2e:cd:93:ff:48: - a0:7c:4a:eb:c3:e0:0a:30:19:4e:b4:8d:d0:33:b8:3b:e8:43: - dd:c0:76:76:b8:ff:07:ad:10:67:7f:09:d4:54:86:3d:61:87: - c4:56:c4:be:f5:4a:9e:5a:aa:35:a3:10:33:ae:86:e6:10:3b: - 2a:6b:d7:3d:cb:3e:c8:94:d8:d3:c0:9a:f6:ae:14:f7:1c:f4: - 13:2f:14:45:bb:12:55:00:84:1c:e7:24:f0:f2:a8:42:c0:59: - 9c:bb:25:ed:f5:fa:46:6f:43:89:2e:e6:ad:75:c1:ff:df:52: - 25:85:c3:37 ------BEGIN CERTIFICATE----- -MIIDwjCCAqqgAwIBAgIJAKeFqrmsVQZoMA0GCSqGSIb3DQEBCwUAMD4xPDA6BgNV -BAMTM0NvbXBsZXRlbHkgQm9ndXMgVGVzdCBSb290IChOT1QgRk9SIFBST0RVQ1RJ -T04gVVNFKTAeFw0wNzExMDcwMTI0MzdaFw0wNzEyMDcwMTI0MzdaMD4xPDA6BgNV -BAMTM0NvbXBsZXRlbHkgQm9ndXMgVGVzdCBSb290IChOT1QgRk9SIFBST0RVQ1RJ -T04gVVNFKTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALG1ZoWkzJGB -FQzev9z+U700IO2wO74ljB6r2gcgzcPAIiIaDtw4yDrCNSOaH5Ey6ilT/L5KzvHC -I0QWDcycxQK3BlNGsSBgwnM8+MJhFcXIZbnNXVbvA+lEgCfx+NUo1vG+a1HYXiQm -jl4pLT1rrBzO2dFRACIs+2SkxE0MzkUQoNahtaz6Tx1BePhsh4vkUgwlZmt1Qh4Q -pv7mFy+tB/e8qPNXyRy0lefxGS2rpu9tst1u/sK7GhzV3SHp15InC7vf8DturfEh -VdFu4swLBQ8lWkpb0pt08C/8w0U3aKxq1Tv2Cd1B/fdIR/mrkyt5j0eu2TRpQvhg -RqBS17KjF1UCAwEAAaOBwjCBvzAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBS8 -yP+Rc7dfYHWpzCpc3M6sg6AE8TAOBgNVHQ8BAf8EBAMCAQYwMwYIKwYBBQUHAQsE -JzAlMCMGCCsGAQUFBzAFhhdyc3luYzovL3dvbWJhdC5pbnZhbGlkLzAfBggrBgEF -BQcBCAEB/wQQMA6gDDAKMAgCAQECAwD//zAnBggrBgEFBQcBBwEB/wQYMBYwCQQC -AAEwAwMBADAJBAIAAjADAwEAMA0GCSqGSIb3DQEBCwUAA4IBAQCbBQDBHCpOX1Ie -KivFRi7ppC9MqEpnCFbpYnB8C0jCE0aJezG6YK0NYg3+3wX2L6tzrkoasHp3ehFm -oglsmba8sqb1BuSO100JpA81EVEdIkJOGpOo/dyw1dYWzzCoxPohR8CX7SZx56AF -0o1o8LnLSADa1MIYlLP6IvhX0Xa0f7mzlSEHGlZxPVFuLs2T/0igfErrw+AKMBlO -tI3QM7g76EPdwHZ2uP8HrRBnfwnUVIY9YYfEVsS+9UqeWqo1oxAzrobmEDsqa9c9 -yz7IlNjTwJr2rhT3HPQTLxRFuxJVAIQc5yTw8qhCwFmcuyXt9fpGb0OJLuatdcH/ -31IlhcM3 
------END CERTIFICATE----- diff --git a/scripts/testroot.cnf b/scripts/testroot.cnf deleted file mode 100644 index c8e3db65..00000000 --- a/scripts/testroot.cnf +++ /dev/null @@ -1,30 +0,0 @@ -# $Id$ -# -# Generate test root resource certificate for use with testroot.py server. - -[ req ] -default_bits = 2048 -encrypt_key = no -distinguished_name = req_dn -req_extensions = req_x509_ext -prompt = no - -[ req_dn ] -CN = Completely Bogus Test Root (NOT FOR PRODUCTION USE) - -[ req_x509_ext ] -basicConstraints = critical,CA:true -subjectKeyIdentifier = hash -keyUsage = critical,keyCertSign,cRLSign -subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombat.invalid/ -sbgp-autonomousSysNum = critical,@req_asid_ext -sbgp-ipAddrBlock = critical,@req_addr_ext - -[ req_asid_ext ] - -AS.0 = 1-65535 - -[ req_addr_ext ] - -IPv4.0 = 0.0.0.0/0 -IPv6.0 = 0::/0 diff --git a/scripts/testroot.key b/scripts/testroot.key deleted file mode 100644 index d97fc64d..00000000 --- a/scripts/testroot.key +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEAsbVmhaTMkYEVDN6/3P5TvTQg7bA7viWMHqvaByDNw8AiIhoO -3DjIOsI1I5ofkTLqKVP8vkrO8cIjRBYNzJzFArcGU0axIGDCczz4wmEVxchluc1d -Vu8D6USAJ/H41SjW8b5rUdheJCaOXiktPWusHM7Z0VEAIiz7ZKTETQzORRCg1qG1 -rPpPHUF4+GyHi+RSDCVma3VCHhCm/uYXL60H97yo81fJHLSV5/EZLaum722y3W7+ -wrsaHNXdIenXkicLu9/wO26t8SFV0W7izAsFDyVaSlvSm3TwL/zDRTdorGrVO/YJ -3UH990hH+auTK3mPR67ZNGlC+GBGoFLXsqMXVQIDAQABAoIBAG5CxlzPltoFBGGa -5+Kfrqdra67utPLS6zCwojPgB6uYT9Vm46eCV8IVc9EmNMXrmFySLvSHCAX61dTN -9jvpXVfE5djPuOEFCEFmKFa61D6Gi4+QO4TQAlY+2WFvglwH3e3an04F+MtnXNhR -pi9A2mZ5da6pGnMaA9U7Yk0IUAeLMva/WfsMtY3+HvTyjNfYtULAOw82nuC4wddc -SYAOlFL9dw/QJ1bICddVoV0HfyiSJgGWQZbVGFacTeh8w6ir47sXxTOvWiCiUWYn -gDuhknDI7yXAFIUZYSiJKlJfrSLrbfPEg3l8xNvwZR0FCVZLdrmldhVNSyLg2II8 -IALn92ECgYEA6RcuOx29gjdz9uwFxlkEMYpVKLGOEBABGeSCo8dyFmbBKY1iw22e -OzSDzVAQoaPk6Fqgbs0XNsrpDpkqoejnrXeqgK6BlyikcE4qelnWXWEvDQy+1tXs -nJsS9jHGVEr0e+aUGhJAJn9pO3TbDtQnswwbxmLkvSGy35SnNMSAfFkCgYEAwyy/ -dNP02y8zEdpt+8CHysOEnnS/VlJvDXoYGVu6AZ3dWPLwxymJC2YGdxGLqHpVkoNI -oKlNFrnRbhYMbMIGFOJr6pvTDsM4zxJ0wy86PSE1Oid9JqZwXrNJqnPo861nNW86 -xRopLlZjsQ2RU0VNiPjYgoriaDXOAvTzppzr410CgYA0ddEj4Per/QsOgeRy1coJ -1FaCSCPvHYsB5to4PkVBIXNMBNQ7o8o/DPy1EtYLazWzzeHZzjLxVA3MCVD9C8xI -0GwBdkUYXj9UP2N0EhAbCCpsx3eUJqWQQZ6s5lr60bvgvu6KR51EjNyEUzKSTdF5 -jLobllpg7tqxU2WmjKtWUQKBgHUVXAlmuaXfa8CTC5WSCyQdJGq2WK4dJ5erHdfg -ifY8ULPykXS4uwjGfKxjLyezs6//58rRpXgzoqpquatovaM7rUeBkRxzCppWVQte -Qo63ZCnt1IsiH5j/7vo9LIs6BAcvIc9qAThWBNoK7JpKodfAiInPbUDcvihR7/SM -gInVAoGBAKLrNc91EygUaXJR92z/PzEoNI6UGYAbP+z0bmn67jpPLxCjN2aZRUkm -18MElOmSoedsf+dIcqOHdWvoyiDHVo2i0yxRy0nD54VVH2ZqS2fRLX6+pnCE0XiI -ulAAjPazIPG5XOugl17O7cKsPAI/uF7bWRcg4OLjXQy7XvPPMoR3 ------END RSA PRIVATE KEY----- diff --git a/scripts/testroot.py b/scripts/testroot.py deleted file mode 100755 index 831ee3d5..00000000 --- a/scripts/testroot.py +++ /dev/null 
@@ -1,179 +0,0 @@
-# $Id$
-
-"""
-Trivial RPKI up-down protocol root server, for testing. Not suitable
-for production use. Overrides a bunch of method definitions from the
-rpki.* classes in order to reuse as much code as possible.
-
-Usage: python testroot.py [ { -c | --config } configfile ] [ { -h | --help } ]
-
-Default configuration file is testroot.conf, override with --config option.
-"""
-
-import traceback, os, time, getopt, sys, lxml
-import rpki.resource_set, rpki.up_down, rpki.left_right, rpki.x509
-import rpki.https, rpki.config, rpki.cms, rpki.exceptions, rpki.relaxng
-import rpki.sundial, rpki.log
-
-root_name = "wombat"
-root_base = "rsync://" + root_name + ".invalid/"
-root_cert = root_base + "testroot.cer"
-
-rpki_subject_lifetime = rpki.sundial.timedelta(days = 30)
-
-
-def get_subject_cert():
- try:
- x = rpki.x509.X509(Auto_file = rpki_subject_filename)
- return x
- except IOError:
- return None
-
-def set_subject_cert(cert):
- f = open(rpki_subject_filename, "wb")
- f.write(cert.get_DER())
- f.close()
-
-def del_subject_cert():
- os.remove(rpki_subject_filename)
-
-def stash_subject_pkcs10(pkcs10):
- if rpki_pkcs10_filename:
- f = open(rpki_pkcs10_filename, "wb")
- f.write(pkcs10.get_DER())
- f.close()
-
-def compose_response(r_msg):
- rc = rpki.up_down.class_elt()
- rc.class_name = root_name
- rc.cert_url = rpki.up_down.multi_uri(root_cert)
- rc.from_resource_bag(rpki_issuer.get_3779resources())
- rc.issuer = rpki_issuer
- r_msg.payload.classes.append(rc)
- rpki_subject = get_subject_cert()
- if rpki_subject is not None:
- rc.certs.append(rpki.up_down.certificate_elt())
- rc.certs[0].cert_url = rpki.up_down.multi_uri(root_base + rpki_subject.gSKI() + ".cer")
- rc.certs[0].cert = rpki_subject
-
-class list_pdu(rpki.up_down.list_pdu):
- def serve_pdu(self, xxx1, q_msg, r_msg, xxx2):
- r_msg.payload = rpki.up_down.list_response_pdu()
- compose_response(r_msg)
-
-class issue_pdu(rpki.up_down.issue_pdu):
- def serve_pdu(self, xxx1, q_msg, r_msg, xxx2):
- stash_subject_pkcs10(self.pkcs10)
- self.pkcs10.check_valid_rpki()
- r_msg.payload = rpki.up_down.issue_response_pdu()
- rpki_subject = get_subject_cert()
- if rpki_subject is None:
- resources = rpki_issuer.get_3779resources()
- req_key = self.pkcs10.getPublicKey()
- req_sia = self.pkcs10.get_SIA()
- crldp = root_base + rpki_issuer.gSKI() + ".crl"
- set_subject_cert(rpki_issuer.issue(keypair = rpki_key,
- subject_key = req_key,
- serial = int(time.time()),
- sia = req_sia,
- aia = root_cert,
- crldp = crldp,
- resources = resources,
- notAfter = rpki.sundial.datetime.utcnow() + rpki_subject_lifetime))
- compose_response(r_msg)
-
-class revoke_pdu(rpki.up_down.revoke_pdu):
- def serve_pdu(self, xxx1, q_msg, r_msg, xxx2):
- rpki_subject = get_subject_cert()
- if rpki_subject is None or rpki_subject.gSKI() != self.ski:
- raise rpki.exceptions.NotInDatabase
- del_subject_cert()
- r_msg.payload = rpki.up_down.revoke_response_pdu()
- r_msg.payload.class_name = self.class_name
- r_msg.payload.ski = self.ski
-
-class message_pdu(rpki.up_down.message_pdu):
- name2type = {
- "list" : list_pdu,
- "list_response" : rpki.up_down.list_response_pdu,
- "issue" : issue_pdu,
- "issue_response" : rpki.up_down.issue_response_pdu,
- "revoke" : revoke_pdu,
- "revoke_response" : rpki.up_down.revoke_response_pdu,
- "error_response" : rpki.up_down.error_response_pdu }
- type2name = dict((v,k) for k,v in name2type.items())
-
-class sax_handler(rpki.sax_utils.handler):
- def create_top_level(self, name, attrs):
- return message_pdu()
-
-def up_down_handler(query, path):
- try:
- q_elt = rpki.cms.xml_verify(query, cms_ta)
- rpki.relaxng.up_down.assertValid(q_elt)
- q_msg = sax_handler.saxify(q_elt)
- except Exception, data:
- rpki.log.error(traceback.format_exc())
- return 400, "Could not process PDU: %s" % data
- try:
- r_msg = q_msg.serve_top_level(None, None)
- r_elt = r_msg.toXML()
- try:
- rpki.relaxng.up_down.assertValid(r_elt)
- except lxml.etree.DocumentInvalid:
- rpki.log.debug(lxml.etree.tostring(r_elt, pretty_print = True, encoding ="utf-8", xml_declaration = True))
- raise
- return 200, rpki.cms.xml_sign(r_elt, cms_key, cms_certs, encoding = "utf-8")
- except Exception, data:
- rpki.log.error(traceback.format_exc())
- try:
- r_msg = q_msg.serve_error(data)
- r_elt = r_msg.toXML()
- rpki.relaxng.up_down.assertValid(r_elt)
- return 200, rpki.cms.xml_sign(r_elt, cms_key, cms_certs, encoding = "utf-8")
- except Exception, data:
- rpki.log.error(traceback.format_exc())
- return 500, "Could not process PDU: %s" % data
-
-os.environ["TZ"] = "UTC"
-time.tzset()
-
-rpki.log.init("testroot")
-
-cfg_file = "testroot.conf"
-
-opts,argv = getopt.getopt(sys.argv[1:], "c:h?", ["config=", "help"])
-for o,a in opts:
- if o in ("-h", "--help", "-?"):
- print __doc__
- sys.exit(0)
- if o in ("-c", "--config"):
- cfg_file = a
-if argv:
- raise RuntimeError, "Unexpected arguments %s" % argv
-
-cfg = rpki.config.parser(cfg_file)
-section = "testroot"
-
-cms_ta = rpki.x509.X509(Auto_file = cfg.get(section, "cms-ta"))
-cms_key = rpki.x509.RSA(Auto_file = cfg.get(section, "cms-key"))
-cms_certs = rpki.x509.X509_chain(Auto_files = cfg.multiget(section, "cms-cert"))
-
-https_key = rpki.x509.RSA(Auto_file = cfg.get(section, "https-key"))
-https_certs = rpki.x509.X509_chain(Auto_files = cfg.multiget(section, "https-cert"))
-
-https_server_host = cfg.get(section, "server-host", "")
-https_server_port = int(cfg.get(section, "server-port"))
-
-rpki_key = rpki.x509.RSA(Auto_file = cfg.get(section, "rpki-key"))
-rpki_issuer = rpki.x509.X509(Auto_file = cfg.get(section, "rpki-issuer"))
-
-rpki_subject_filename = cfg.get(section, "rpki-subject-filename")
-
-rpki_pkcs10_filename = cfg.get(section, "rpki-pkcs10-filename", "")
-
-rpki.https.server(privateKey = https_key,
- certChain = https_certs,
- host = https_server_host,
- port = https_server_port,
- handlers = up_down_handler)
diff --git a/scripts/testroot.sh b/scripts/testroot.sh
deleted file mode 100644
index 4fdb1058..00000000
--- a/scripts/testroot.sh
+++ /dev/null
@@ -1,129 +0,0 @@ -#!/bin/sh - -# $Id$ -# -# Script to test against testroot.py. -# -# This blows away rpkid's database and rebuilds it with what we need -# for this test, and knows far too much about the id numbers that -# rpkid and mysql will assign. In the long run we must do better than -# this, but gotta start somewhere. - -openssl=../openssl/openssl/apps/openssl - -# Halt on first error - -set -e - -# Generate new key and cert for testroot.py if needed - -if test ! -r testroot.cer -o ! -r testroot.key -then - $openssl req -new -newkey rsa:2048 -nodes -keyout testroot.key -out testroot.req -config testroot.cnf - $openssl x509 -req -in testroot.req -out testroot.cer -extfile testroot.cnf -extensions req_x509_ext -signkey testroot.key -text -sha256 - rm -f testroot.req -fi - -# Blow away old rpkid database (!) so we can start clean - -mysql -u rpki -p`awk '$1 == "sql-password" {print $3}' rpkid.conf` rpki <../docs/rpki-db-schema.sql - -# Start rpkid so we can configure it, make sure we shut it down on exit - -python rpkid.py & rpkid=$! 
-trap "kill $rpkid" 0 1 2 3 13 15 - -: Waiting to let rpkid start up; sleep 5 - -# Create a self instance - -time python irbe-cli.py self --action create --crl_interval 84600 - -# Create a business signing context, issue the necessary business cert, and set up the cert chain - -time python irbe-cli.py --pem_out bsc.req bsc --action create --self_id 1 --generate_keypair --signing_cert biz-certs/Bob-CA.cer -time $openssl x509 -req -in bsc.req -out bsc.cer -CA biz-certs/Bob-CA.cer -CAkey biz-certs/Bob-CA.key -CAserial biz-certs/Bob-CA.srl -time python irbe-cli.py bsc --action set --self_id 1 --bsc_id 1 --signing_cert bsc.cer -rm -f bsc.req bsc.cer - -# Create a repository context - -time python irbe-cli.py repository --self_id 1 --action create --bsc_id 1 - -# Create a parent context pointing at testroot.py - -time python irbe-cli.py parent --self_id 1 --action create --bsc_id 1 --repository_id 1 \ - --peer_contact_uri https://localhost:44333/ \ - --cms_ta biz-certs/Elena-Root.cer \ - --https_ta biz-certs/Elena-Root.cer \ - --sia_base rsync://wombat.invalid/ \ - --sender_name tweedledee \ - --recipient_name tweedledum - -# Create a child context - -time python irbe-cli.py child --self_id 1 --action create --bsc_id 1 --cms_ta biz-certs/Frank-Root.cer - -# Need to link irdb to created child and clear conflicting links. -# For now, just do this "manually" in MySQL CLI. - -echo ' - UPDATE registrant SET rpki_self_id = NULL, rpki_child_id = NULL; - UPDATE registrant SET rpki_self_id = 1, rpki_child_id = 1 WHERE subject_name = "Epilogue Technology Corporation"; -' | -mysql -u irdb -p`awk '$1 == "sql-password" {print $3}' irbe.conf` irdb - -if test "$1" = "run" -then - - rm -rf publication - - python testroot.py & testroot=$! - python irdb.py & irdb=$! 
- trap "kill $rpkid $irdb $testroot" 0 1 2 3 13 15 - - : Waiting to let daemons start up; sleep 5 - - date; time python http-client.py - date; time python testpoke.py -r list - date; time python testpoke.py -r issue - - date; time python http-client.py - date; time python testpoke.py -r list - date; time python testpoke.py -r issue - - date; python testpoke.py -r issue | - qh | - sed -n '/^(certificate/,/^)certificate/s/^-//p' | - mimencode -u | - $openssl x509 -noout -inform DER -text - - date; time python testpoke.py -r revoke - date; time python testpoke.py -r list - date; time python http-client.py - date; time python testpoke.py -r list - - date; time python http-client.py - date; time python testpoke.py -r list - date; time python testpoke.py -r issue - - date; time python testpoke.py -r revoke - date; time python testpoke.py -r list - date; time python http-client.py - date; time python testpoke.py -r list - - date; time python testpoke.py -r issue - date; time python testpoke.py -r revoke - date; time python testpoke.py -r issue - date; time python testpoke.py -r revoke - date; time python testpoke.py -r issue - date; time python testpoke.py -r revoke - date; time python testpoke.py -r list - date; time python http-client.py - date; time python testpoke.py -r list - - date; time python testpoke.py -r issue - date; time python http-client.py - date; time python testpoke.py -r list - date - -fi -- cgit v1.2.3