# $Id$
#
# Copyright (C) 2014 Dragon Research Labs ("DRL")
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND DRL DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL DRL BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
"""
Schedule action to force certificate reissuance as part of upgrade to
version 0.5678 of the rpki-ca toolkit.
This code is evaluated in the context of rpki-sql-setup's
do_apply_upgrades() function and has access to its variables.
"""
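# Real work here has to be a deferred upgrade because the daemons have
# to be running for anything useful to happen.  The string handed to
# add_deferred_upgrade() is Python source that rpki-sql-setup runs later,
# in its own context; nothing inside it executes when this file is read.
db.add_deferred_upgrade('''
print """
Version 0.5678 included a change which changed publication
URIs embedded in issued certificates, which requires reissuing
all affected certificates before everything will really work
properly again. Attempting to do this automatically...
"""
# General plan here:
#
# - Force parent to reissue, to whack SIA in cert issued to us. Only
# mechanism available to us that will force this is an up-down
# rekey/revoke cycle, although it certainly seems that parent should
# reissue if we issue a new request with a different SIA. Hmm.
# Investigate, but carry on for now.
#
# - Force reissuance of everything we've issued, to whack SIA and AIA
# of everything we're producing.
#
# - Do the revoke portion of the up-down rekey/revoke separately, to
# isolate the rest of this from errors caused by attempting to
# withdraw certificates that might have already been withdrawn.
#
# - "Manually" (ie, Python code here) whack any all-numeric
# directories in our publication tree, as those are the ones that
# [5678] removed.
#
# - Force (re)publication of everything, just in case we accidentally
# whacked something we still cared about.
#
# We include the occasional pause to let things settle between steps.
#
# Every external command below is run with an argument vector (no
# shell), so self handles read back from rpkic are never subject to
# shell interpretation.
import os
import time
import shutil
import subprocess
import rpki.autoconf
time.sleep(10)
rpkic = os.path.join(rpki.autoconf.sbindir, "rpkic")
irbe_cli = os.path.join(rpki.autoconf.sbindir, "irbe_cli")
# One self handle per line of rpkic output; blank lines are dropped so
# we never hand irbe_cli an empty --self_handle.
handles = [h for h in subprocess.check_output((rpkic, "list_self_handles")).splitlines() if h.strip()]
# Step 1: rekey every self, batched into one irbe_cli invocation.
argv = [irbe_cli]
for handle in handles:
    argv.extend(("self", "--self_handle", handle, "--action", "set", "--rekey"))
subprocess.check_call(argv)
time.sleep(10)
# Step 2: reissue everything we have issued.
argv = [irbe_cli]
for handle in handles:
    argv.extend(("self", "--self_handle", handle, "--action", "set", "--reissue"))
# Run this twice.  The original author left no reason; presumably the
# second pass catches certificates that the first pass itself caused to
# be reissued -- TODO confirm before removing.
subprocess.check_call(argv)
subprocess.check_call(argv)
time.sleep(5)
# Step 3: revoke, one irbe_cli invocation per handle.  Revoke can
# return failure when the certificate being revoked has already been
# withdrawn for other reasons.  This is harmless, except that batch
# mode irbe_cli stops at the first failure without processing any
# other revocations, so revocations are not batched.  For the same
# reason a non-zero exit is reported rather than raised here: a
# check_call() would abort the whole deferred upgrade before the
# publication-tree cleanup and republication below ever ran.
for handle in handles:
    status = subprocess.call((irbe_cli, "self", "--self_handle", handle, "--action", "set", "--revoke"))
    if status != 0:
        print "Warning: revoke for self handle %r exited with status %d (ignored)" % (handle, status)
# Step 4: remove the all-numeric directories [5678] no longer uses.
# The walk is confined to our own publication tree; targets are
# collected first and removed afterwards so nothing is deleted out from
# under os.walk().  shutil.rmtree() raises on a symbolic link rather
# than following it, and removal errors are deliberately ignored: the
# publish_world_now in step 5 regenerates anything that should still
# exist.  Each removal is printed so the upgrade log shows what went.
publication_root = os.path.join(rpki.autoconf.datarootdir, "rpki", "publication")
deletions = []
for top, dirs, files in os.walk(publication_root):
    deletions.extend(os.path.join(top, d) for d in dirs if d.isdigit())
for d in deletions:
    print "Removing obsolete publication directory", d
    shutil.rmtree(d, ignore_errors = True)
# Step 5: republish everything, restoring anything step 4 removed that
# is still current.
argv = [irbe_cli]
for handle in handles:
    argv.extend(("self", "--self_handle", handle, "--action", "set", "--publish_world_now"))
subprocess.check_call(argv)
''')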