""" Extract a private key from rpkid's database. This is a debugging tool. rpkid goes to some trouble not to expose private keys, which is correct for normal operation, but for debugging it is occasionally useful to be able to extract the private key from MySQL. This script is just a convenience, it doesn't enable anything that couldn't be done via the mysql command line tool. While we're at this we also extract the corresponding certificate. Usage: python extract-key.py [ { -s | --self } self_handle ] [ { -b | --bsc } bsc_handle ] [ { -u | --user } mysql_user_id ] [ { -d | --db } mysql_database ] [ { -p | --password } mysql_password ] [ { -h | --help } ] Default for both user and db is "rpki". $Id$ Copyright (C) 2008 American Registry for Internet Numbers ("ARIN") Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. """ import os, time, getopt, sys, MySQLdb import rpki.x509 os.environ["TZ"] = "UTC" time.tzset() def usage(code): print __doc__ sys.exit(code) self_handle = None bsc_handle = None user = "rpki" passwd = "fnord" db = "rpki" opts, argv = getopt.getopt(sys.argv[1:], "s:b:u:p:d:h?", ["self=", "bsc=", "user=", "password=", "db=", "help"]) for o, a in opts: if o in ("-h", "--help", "-?"): usage(0) elif o in ("-s", "--self"): self_handle = a elif o in ("-b", "--bsc"): bsc_handle = a elif o in ("-u", "--user"): user = a elif o in ("-p", "--password"): passwd = a elif o in ("-d", "--db"): db = a if argv: usage(1) cur = MySQLdb.connect(user = user, db = db, passwd = passwd).cursor() cur.execute( """ SELECT bsc.private_key_id, bsc.signing_cert FROM bsc, self WHERE self.self_handle = %s AND self.self_id = bsc.self_id AND bsc_handle = %s """, (self_handle, bsc_handle)) key, cer = cur.fetchone() print rpki.x509.RSA(DER = key).get_PEM() if cer: print rpki.x509.X509(DER = cer).get_PEM() et/blame/scripts/testbed-rootcert.py?id=c8f81cdcffc99cdeba1dd75e9f59e6a504dbcba3'>blame) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66

"""
Generate config for a test RPKI root certificate for resources
specified in asns.csv and prefixes.csv.

This script is separate from arin-to-csv.py so that we can convert on
the fly rather than having to pull the entire database into memory.

$Id$

Copyright (C) 2009-2012  Internet Systems Consortium ("ISC")

Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
"""

import sys
from rpki.csv_utils import csv_reader

if len(sys.argv) not in (2, 4):
  sys.exit("Usage: %s holder [asns.csv prefixes.csv]" % sys.argv[0])

print '''\
[req]
default_bits                    = 2048
default_md                      = sha256
distinguished_name              = req_dn
prompt                          = no
encrypt_key                     = no

[req_dn]
CN                              = Pseudo-%(HOLDER)s testbed root RPKI certificate

[x509v3_extensions]
basicConstraints                = critical,CA:true
subjectKeyIdentifier            = hash
keyUsage                        = critical,keyCertSign,cRLSign
subjectInfoAccess               = 1.3.6.1.5.5.7.48.5;URI:rsync://%(holder)s.rpki.net/rpki/%(holder)s/,1.3.6.1.5.5.7.48.10;URI:rsync://%(holder)s.rpki.net/rpki/%(holder)s/root.mft
certificatePolicies             = critical,1.3.6.1.5.5.7.14.2
sbgp-autonomousSysNum           = critical,@rfc3779_asns
sbgp-ipAddrBlock                = critical,@rfc3997_addrs

[rfc3779_asns]
''' % { "holder" : sys.argv[1].lower(),
        "HOLDER" : sys.argv[1].upper() }

for i, asn in enumerate(asn for handle, asn in csv_reader(sys.argv[2] if len(sys.argv) > 2 else "asns.csv", columns = 2)):
  print "AS.%d = %s" % (i, asn)

print '''\

[rfc3997_addrs]

'''

for i, prefix in enumerate(prefix for handle, prefix in csv_reader(sys.argv[3] if len(sys.argv) > 2 else "prefixes.csv", columns = 2)):
  v = 6 if ":" in prefix else 4
  print "IPv%d.%d = %s" % (v, i, prefix)
generated by cgit v1.2.3 (git 2.25.1) at 2025-06-14 23:01:25 +0000