path: root/scripts/README

$Id$

Python RPKI production tools.

Requires Python 2.5.

External Python packages required:

- lxml, which in turn requires the libxml2 C libraries.

  FreeBSD: /usr/ports/devel/py-lxml

- MySQLdb, which in turn requires MySQL client and server.  I'm
  testing with MySQL 5.1.

  FreeBSD: /usr/ports/databases/py-MySQLdb

- TLSLite, which pulls in other crypto packages.

  FreeBSD: /usr/ports/security/py-tlslite

- Cryptlib, at the moment just to support TLSlite but may end up using
  it for other things later.

  FreeBSD: /usr/ports/security/cryptlib

  ...but the FreeBSD port doesn't (yet?) install the Python bindings,
  sigh, so at the moment you have to do that by hand:

  # cd /usr/ports/security/cryptlib
  # make install
  # cd work/bindings
  # python setup.py install
  # cd ../..
  # make clean

- Eventually I expect that this will require an event-handling package
  like Twisted, but I'm not there yet.

We also use a hacked copy of the Python OpenSSL Wrappers (POW)
package, but our copy has enough modifications that it's expanded in
the Subversion tree.  Depending on how this all works out, I may end
up splitting the POW.pkix module out of the POW package and using it
with Cryptlib, as the POW.pkix package is 98% about doing ASN.1 in
pure Python and only 2% about any kind of crypto.



To do list:

- timestamps are a mess.  we have four different kinds already:
  seconds from epoch, the the two flavors of timestamps used
  in asn.1, and the timestamps used in mysql.  need a
  unifying class to hide all this nastiness.

- publication protocol and implementation

- manifest generation

- subsetting (req_* attributes in up-down protocol)

- revocation and crl generation

  - need to keep data on unexpired revoked certs to generate crl

  - ever need to delay revocation of old certs to give their
  replacements time to propegate?

  these two may imply that we need more fields in child_cert table to
  indicate whether a cert is dead, eg, a date field which is NULL if
  the cert is still live, otherwise is the date after which it should
  be in the crl

- publication hooks everywhere - need not wait for protocol, can just
  log what would happen for now

  - cert publication

  - crl publication

  - manifest publication

  - withdrawal of all of the above

- child batch processing loop, eg, regeneration or removal of expired
  certs, crl and manifest update, etc

  hmm, should this be an iteration over child_cert objects or over ca
  objects?  probably the latter as the ca is the actor in pretty much
  everything that might need to be done

  figuring out whether to regenerate or remove expired certs requires
  some of the same data as crl generation

- tiny up-down root server -- no sql or left-right needed, just config
  file, http server, static root cert and key.  in theory this should
  just be a matter of subtyping the main up-down code while overriding
  the serve_pdu() methods.

  things we'd need in a config file for this:

  - the one and only issuer cert (self-signed in this special case)
  - the one and only issuer private key id
  - filename in which to store the one and only subject cert
  - bsc info for one and only child
  - https server key and cert
  - validity interval to use when issuing
  - publication urls for issuer cert, subject cert, crl, and manifest
  - https and cms data for publication server
  - resources to issue?  or just copy/inherit from self-signed?

- Haven't done anything about db.commit() and db.rollback() yet, for
  that matter haven't yet whacked MySQL to enable those features.

- Access to object data attributes really ought to be through accessor
  methods so that the .set() method can set the sql_dirty flag
  automagically.  Not done yet.

- Hmm, I seem to have goofed on the bsc table, need a column for the
  hash algorithm after all, as it's not intrinsic to the key.  Probably
  ought to let it be set independently of the key too.  But for the
  moment I'm only supporting 2048-bit RSA with SHA-256 digests, so
  fixing this is not urgent.