"""
Step 1: User runs a new "initialize" script. This reads the .conf file
and creates the resource-holding "self" BPKI identity (what
we've been calling bpki.myrpki/ca.cer, although that name
should change and the user shouldn't need to know it anymore).
If the .conf file says that this user will be running any
servers at all (rpkid, irdbd, pubd, rootd), this script also
creates what we've been calling bpki.myirbe/ca.cer and issues
bpki ee certificates for all the servers we will be running.
It bundles up the "self" identity (bpki.myrpki/ca.cer and the
"handle" value from the [myrpki] section of the .conf file) as
an xml blob, which it writes out to some filename (call it
me.xml for now).
The general idea here is to start with all the setup that we
can do based just on the .conf file without talking to anybody
else.
$Id$
Copyright (C) 2010 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
"""
import subprocess, csv, re, os, getopt, sys, base64, time, myrpki, rpki.config
from xml.etree.ElementTree import Element, SubElement, ElementTree
# Pin the process timezone to UTC before anything touches certificate
# validity times, and make libc pick the new TZ up immediately.
os.environ.update(TZ="UTC")
time.tzset()
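# Command-line handling: only "-c/--config FILE" and "-h/--help/-?" are
# accepted.  Default configuration file name when -c is not given.
cfg_file = "myrpki.conf"

try:
    opts, argv = getopt.getopt(sys.argv[1:], "c:h?", ["config=", "help"])
except getopt.GetoptError as err:
    # An unknown or malformed option used to surface as a raw traceback;
    # report it together with the usage text and exit non-zero instead.
    sys.stderr.write("%s\n%s\n" % (err, __doc__))
    sys.exit(1)

# "argv" (leftover positional arguments) is bound here but not used below.
for o, a in opts:
    if o in ("-c", "--config"):
        cfg_file = a
    elif o in ("-h", "--help", "-?"):
        # print(...) with a single argument behaves the same under
        # Python 2 and 3; the module docstring doubles as the usage text.
        print(__doc__)
        sys.exit(0)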
# Read the [myrpki] section of the configuration file and pull out the
# handful of settings this script needs.
cfg = rpki.config.parser(cfg_file, "myrpki")
handle = cfg.get("handle")

# Which daemons this installation will run.  These decide below whether
# the server-side ("myirbe") BPKI and its EE certificates are created.
want_rpkid = cfg.getboolean("want_rpkid")
want_pubd = cfg.getboolean("want_pubd")
want_rootd = cfg.getboolean("want_rootd")

# The configuration may name a specific openssl binary for myrpki to use;
# fall back to whatever "openssl" resolves to on the PATH.
myrpki.openssl = cfg.get("openssl", "openssl")

# First create the "myrpki" (resource holding) BPKI and its trust anchor.
# The CA object is built before the DN is looked up, preserving the
# original order of operations.
bpki_myrpki = myrpki.CA(cfg_file, cfg.get("myrpki_bpki_directory"))
resource_ta_dn = cfg.get("bpki_myrpki_ta_dn",
                         "/CN=%s BPKI Resource Trust Anchor" % handle)
bpki_myrpki.setup(resource_ta_dn)
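# If we're running any daemons at all, we also need to set up the
# "myirbe" (server-operating) BPKI, its trust anchor, and EE certs for
# each program we need to run.
if want_rpkid or want_pubd or want_rootd:
    bpki_myirbe = myrpki.CA(cfg_file, cfg.get("myirbe_bpki_directory"))
    bpki_myirbe.setup(cfg.get("bpki_myirbe_ta_dn",
                              "/CN=%s BPKI Server Trust Anchor" % handle))

    if want_rpkid:  # rpkid implies irdbd
        bpki_myirbe.ee(cfg.get("bpki_rpkid_ee_dn",
                               "/CN=%s rpkid server certificate" % handle), "rpkid")
        bpki_myirbe.ee(cfg.get("bpki_irdbd_ee_dn",
                               "/CN=%s irdbd server certificate" % handle), "irdbd")

    if want_pubd:
        bpki_myirbe.ee(cfg.get("bpki_pubd_ee_dn",
                               "/CN=%s pubd server certificate" % handle), "pubd")

    # Client cert for myirbe and irbe_cli.  This used to test an undefined
    # "want_irdbd" name, which raised NameError whenever rpkid was not
    # wanted but pubd or rootd was; there is no separate want_irdbd option
    # in this script, and irdbd is implied by rpkid, so gate on want_rpkid.
    if want_rpkid:
        bpki_myirbe.ee(cfg.get("bpki_irbe_ee_dn",
                               "/CN=%s irbe client certificate" % handle), "irbe")

    if want_rootd:
        bpki_myirbe.ee(cfg.get("bpki_rootd_ee_dn",
                               "/CN=%s rootd server certificate" % handle), "rootd")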
# Now build the me.xml file (name should be configurable, and should
# check for existing file so we don't overwrite, ... hack later ...).
me_xml_name = "me.xml"
me_xml_tmp = me_xml_name + ".tmp"

# The blob carries our handle and the resource-holding BPKI CA certificate
# (public material only) in the myrpki XML namespace.
e = Element("me", xmlns=myrpki.namespace, version="1", handle=handle)
myrpki.PEMElement(e, "bpki_ca_certificate", bpki_myrpki.cer)

# Write to a temporary name first, then rename into place so a reader
# never sees a half-written me.xml.
ElementTree(e).write(me_xml_tmp)
os.rename(me_xml_tmp, me_xml_name)