1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
|
# $Id$
#
# Copyright (C) 2008 American Registry for Internet Numbers ("ARIN")
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
"""
Extract a private key from rpkid's database.
This is a debugging tool. rpkid goes to some trouble not to expose
private keys, which is correct for normal operation, but for debugging
it is occasionally useful to be able to extract the private key from
MySQL. This script is just a convenience, it doesn't enable anything
that couldn't be done via the mysql command line tool.
While we're at this we also extract the corresponding certificate.
Usage: python extract-key.py [ { -s | --self } self_handle ]
[ { -b | --bsc } bsc_handle ]
[ { -u | --user } mysql_user_id ]
[ { -d | --db } mysql_database ]
[ { -p | --password } mysql_password ]
[ { -h | --help } ]
Default for both user and db is "rpki".
"""
import os
import time
import getopt
import sys
import MySQLdb
import rpki.x509
os.environ["TZ"] = "UTC"
time.tzset()
def usage(code):
print __doc__
sys.exit(code)
self_handle = None
bsc_handle = None
user = "rpki"
passwd = "fnord"
db = "rpki"
opts, argv = getopt.getopt(sys.argv[1:], "s:b:u:p:d:h?",
["self=", "bsc=", "user=", "password=", "db=", "help"])
for o, a in opts:
if o in ("-h", "--help", "-?"):
usage(0)
elif o in ("-s", "--self"):
self_handle = a
elif o in ("-b", "--bsc"):
bsc_handle = a
elif o in ("-u", "--user"):
user = a
elif o in ("-p", "--password"):
passwd = a
elif o in ("-d", "--db"):
db = a
if argv:
usage(1)
cur = MySQLdb.connect(user = user, db = db, passwd = passwd).cursor()
cur.execute(
"""
SELECT bsc.private_key_id, bsc.signing_cert
FROM bsc, self
WHERE self.self_handle = %s AND self.self_id = bsc.self_id AND bsc_handle = %s
""",
(self_handle, bsc_handle))
key, cer = cur.fetchone()
print rpki.x509.RSA(DER = key).get_PEM()
if cer:
print rpki.x509.X509(DER = cer).get_PEM()
|
