1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
|
#!/usr/bin/env python
# Copyright (C) 2015--2016 Parsons Government Services ("PARSONS")
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notices and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND PARSONS DISCLAIMS ALL
# WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
# PARSONS BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
# CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
# OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
"""
Generate an RPKI root certificate for rootd. In most cases you should
not need to do this; see caveats in the manual about running rootd if
you think you need this. This script does nothing that can't also be
done with the OpenSSL command line tool, but on some platforms the
installed copy of openssl doesn't understand the RFC 3779 extensions.
"""
import os
import sys
import pwd
import time
import rpki.x509
import rpki.config
import rpki.sundial
import rpki.autoconf
import rpki.resource_set
os.environ["TZ"] = "UTC"
time.tzset()
cfg = rpki.config.argparser(section = "rootd", doc = __doc__)
default_certfile = cfg.get("rpki-root-cert-file", "root.cer")
default_keyfile = cfg.get("rpki-root-key-file", "root.key")
default_talfile = os.path.splitext(default_certfile)[0] + ".tal"
cfg.argparser.add_argument("-a", "--asns", help = "ASN resources", default = "0-4294967295")
cfg.argparser.add_argument("-4", "--ipv4", help = "IPv4 resources", default = "0.0.0.0/0")
cfg.argparser.add_argument("-6", "--ipv6", help = "IPv6 resources", default = "::/0")
cfg.argparser.add_argument("--certificate", help = "certificate file", default = default_certfile)
cfg.argparser.add_argument("--key", help = "key file", default = default_keyfile)
cfg.argparser.add_argument("--tal", help = "TAL file", default = default_talfile)
args = cfg.argparser.parse_args()
resources = rpki.resource_set.resource_bag(
asn = args.asns,
v4 = args.ipv4,
v6 = args.ipv6)
keypair = rpki.x509.RSA.generate(quiet = True)
sia = (cfg.get("rpki_base_uri") + "/",
cfg.get("rpki-root-manifest-uri"),
None,
cfg.get("publication_rrdp_notification_uri", section = "myrpki"))
uris = (cfg.get("rpki-root-cert-uri"),
cfg.get("publication_rrdp_base_uri", section = "myrpki") + "root.cer")
cert = rpki.x509.X509.self_certify(
keypair = keypair,
subject_key = keypair.get_public(),
serial = 1,
sia = sia,
notAfter = rpki.sundial.now() + rpki.sundial.timedelta(days = 365),
resources = resources)
with open(args.certificate, "wb") as f:
f.write(cert.get_DER())
with open(args.tal, "w") as f:
for uri in uris:
f.write(uri + "\n")
f.write(keypair.get_public().get_Base64())
with os.fdopen(os.open(args.key, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0400), "w") as f:
f.write(keypair.get_DER())
try:
pw = pwd.getpwnam(rpki.autoconf.RPKI_USER)
os.chown(args.key, pw.pw_uid, pw.pw_gid)
except:
pass
|
