aboutsummaryrefslogtreecommitdiff
path: root/scripts/irbe-setup.py
blob: 49ec32eb2d52493757ab3358eb180d93849c30d0 (plain) (blame) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133

# $Id$

"""Set up the relationship between an IRBE and an RPKI engine given an
IRDB.  Our main task here is to create child objects in the RPKI
engine for every registrant object in the IRDB.
"""

import os, MySQLdb, getopt, sys, lxml.etree, lxml.sax
import rpki.left_right, rpki.relaxng, rpki.cms, rpki.https, rpki.x509, rpki.config

cfg = rpki.config.parser("irbe.conf")

db = MySQLdb.connect(user   = cfg.get("irdb", "sql-username"),
                     db     = cfg.get("irdb", "sql-database"),
                     passwd = cfg.get("irdb", "sql-password"))
cur = db.cursor()

cms_certs   = rpki.x509.X509_chain(Auto_files = cfg.multiget("irbe-cli", "cms-cert"))
cms_key     = rpki.x509.RSA(       Auto_file  = cfg.get(     "irbe-cli", "cms-key"))
cms_ta      = rpki.x509.X509(      Auto_file  = cfg.get(     "irbe-cli", "cms-ta"))
https_certs = rpki.x509.X509_chain(Auto_files = cfg.multiget("irbe-cli", "https-cert"))
https_key   = rpki.x509.RSA(       Auto_file  = cfg.get(     "irbe-cli", "https-key"))
https_tas   = rpki.x509.X509_chain(Auto_files = cfg.multiget("irbe-cli", "https-ta"))
https_url   = cfg.get(                                       "irbe-cli", "https-url")

def call_rpkid(pdu):
  """Hand a PDU to rpkid and get back the response.  Should be able to
  steal most of this code from irbe-cli.  Just throw an exception if
  anything bad happens, no fancy error handling.
  """

  pdu.type = "query"
  msg = rpki.left_right.msg((pdu,))
  elt = msg.toXML()
  try:
    rpki.relaxng.left_right.assertValid(elt)
  except lxml.etree.DocumentInvalid:
    print lxml.etree.tostring(elt, pretty_print = True, encoding = "us-ascii")
    raise
  elt = rpki.cms.xml_verify(cms = rpki.https.client(privateKey    = https_key,
                                                    certChain     = https_certs,
                                                    x509TrustList = https_tas,
                                                    url           = https_url,
                                                    msg           = rpki.cms.xml_sign(elt   = elt,
                                                                                      key   = cms_key,
                                                                                      certs = cms_certs)),
                            ta = cms_ta)
  try:
    rpki.relaxng.left_right.assertValid(elt)
  except lxml.etree.DocumentInvalid:
    print lxml.etree.tostring(elt, pretty_print = True, encoding = "us-ascii")
    raise
  msg = rpki.left_right.sax_handler.saxify(elt)
  pdu = msg[0]
  assert len(msg) == 1 and pdu.type == "reply" and not isinstance(pdu, rpki.left_right.report_error_elt)
  return pdu

print "Create a self instance"
pdu = rpki.left_right.self_elt()
pdu.action = "create"
pdu.crl_interval = 84600
pdu = call_rpkid(pdu)
self_id = pdu.self_id

print "Create a business signing context"
pdu = rpki.left_right.bsc_elt()
pdu.action = "create"
pdu.self_id = self_id
pdu.generate_keypair = True
pdu.signing_cert.append(rpki.x509.X509(Auto_file = "biz-certs/Bob-CA.cer"))
pdu = call_rpkid(pdu)
bsc_id = pdu.bsc_id

print "Issue the business cert"
i,o = os.popen2(("openssl", "x509", "-req",
                 "-CA", "biz-certs/Bob-CA.cer",
                 "-CAkey", "biz-certs/Bob-CA.key",
                 "-CAserial", "biz-certs/Bob-CA.srl"))
i.write(pdu.pkcs10_cert_request.get_PEM())
i.close()
cer = rpki.x509.X509(PEM = o.read())
o.close()

print "Set up the business cert chain"
pdu = rpki.left_right.bsc_elt()
pdu.action = "set"
pdu.self_id = self_id
pdu.bsc_id = bsc_id
pdu.signing_cert.append(cer)
call_rpkid(pdu)

print "Create a repository context"
pdu = rpki.left_right.repository_elt()
pdu.action = "create"
pdu.self_id = self_id
pdu.bsc_id = bsc_id
pdu = call_rpkid(pdu)
repository_id = pdu.repository_id

print "Create a parent context"
pdu = rpki.left_right.parent_elt()
pdu.action = "create"
pdu.self_id = self_id
pdu.bsc_id = bsc_id
pdu.repository_id = repository_id
pdu.peer_contact_uri = "https://localhost:44333/" 
pdu.cms_ta = rpki.x509.X509(Auto_file = "biz-certs/Elena-Root.cer")
pdu.https_ta = pdu.cms_ta
pdu.sia_base = "rsync://wombat.invalid/"
pdu = call_rpkid(pdu)
parent_id = pdu.parent_id

print "Create child contexts for everybody"
print "Using a single cert for all of these registrants is a crock"

cer = rpki.x509.X509(Auto_file = "biz-certs/Frank-Root.cer")

cur.execute("SELECT registrant_id, subject_name FROM registrant")
registrants = cur.fetchall()

for registrant_id, subject_name  in registrants:
  print "Attempting to bind", registrant_id, subject_name
  pdu = rpki.left_right.child_elt()
  pdu.action = "create"
  pdu.self_id = self_id
  pdu.bsc_id = bsc_id
  pdu.cms_ta = cer
  pdu = call_rpkid(pdu)
  print "Attempting to bind", registrant_id, subject_name, pdu.child_id
  cur.execute("""UPDATE registrant
                 SET rpki_self_id = %d, rpki_child_id = %d
                 WHERE registrant_id = %d
              """ % (self_id, pdu.child_id, registrant_id))
generated by cgit v1.2.3 (git 2.25.1) at 2025-05-13 14:38:30 +0000