path: root/rpkid/upgrade-scripts/upgrade-irdbd-to-0.5678.py
# $Id$
#
# Copyright (C) 2014  Dragon Research Labs ("DRL")
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND DRL DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS.  IN NO EVENT SHALL DRL BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.

"""
Schedule action to force certificate reissuance as part of upgrade to
version 0.5678 of the rpki-ca toolkit.

This code is evaluated in the context of rpki-sql-setup's
do_apply_upgrades() function and has access to its variables.
"""

# Real work here has to be a deferred upgrade because the daemons have
# to be running for anything useful to happen.
#
# The argument below is a string of Python source text, not code that
# runs at this point: this script only hands it to
# db.add_deferred_upgrade().  When, and with what privileges, the text is
# later executed is decided by rpki-sql-setup and is not visible here --
# presumably once the daemons are running again; verify against
# do_apply_upgrades().
#
# What the deferred text does when it is executed:
#   1. Prints a notice, then sleeps 10 seconds.
#   2. Builds the path to rpkic under rpki.autoconf.sbindir and runs
#      "rpkic list_self_handles", taking one handle per output line.
#   3. For each handle runs, in this order: up_down_rekey,
#      up_down_revoke, (sleep 10 seconds), force_reissue,
#      force_publication.
#
# Review notes:
#   - Every rpkic invocation is given to subprocess as an argument
#     tuple, so no shell is involved and each handle reaches rpkic as a
#     single argv element.
#   - check_output()/check_call() raise CalledProcessError on a non-zero
#     exit status and nothing in the text catches it, so the first
#     failing command ends the run and later handles are not processed.
#   - NOTE(review): up_down_revoke is issued as soon as the
#     up_down_rekey command returns, and the only pacing is the two
#     fixed 10-second sleeps; nothing here checks that the daemons are
#     ready or that the parent has answered the rekey -- confirm that
#     this is sufficient.
#   - The text uses Python 2 print statements, and because it is quoted
#     with ''' it must not itself contain that delimiter.

db.add_deferred_upgrade('''

print """
        Version 0.5678 included a change which changed publication
        URIs embedded in issued certificates, which requires reissuing
        all affected certificates before everything will really work
        properly again.  Attempting to do this automatically...
"""

import time
import os.path
import subprocess
import rpki.autoconf

time.sleep(10)

rpkic = os.path.join(rpki.autoconf.sbindir, "rpkic")

handles = subprocess.check_output((rpkic, "list_self_handles")).splitlines()

for handle in handles:

  print "Processing", handle

  print "Asking parent to reissue with new key"
  subprocess.check_call((rpkic, "-i", handle, "up_down_rekey"))

  print "Asking parent to revoke old key"
  subprocess.check_call((rpkic, "-i", handle, "up_down_revoke"))
  time.sleep(10)

  print "Reissuing everything"
  subprocess.check_call((rpkic, "-i", handle, "force_reissue"))

  print "Forcing publication"
  subprocess.check_call((rpkic, "-i", handle, "force_publication"))

''')