#!/usr/bin/python
#
-# SFA Certificate Signing and management
-#
+# SFA Certificate Signing and management. Root authorities can use this script
+# to sign the certificate of another authority and become its parent. Sub
+# authorities (authorities that have had their cert signed by another authority)
+# can use this script to update their registry hierarchy with the new cert
+#
+# Example usage:
+#
+## sign a peer cert
+# sfa-ca.py --sign PEER_CERT_FILENAME -o OUTPUT_FILENAME
+#
+## import a cert and update the registry hierarchy
+# sfa-ca.py --import CERT_FILENAME
+#
+## display a cert
+# sfa-ca.py --display CERT_FILENAME
+
import os
import sys
help="gid file to import into the registry")
parser.add_option("-e", "--export", dest="export",
help="name of gid to export from registry")
+ parser.add_option("-t", "--type", dest="type",
+ help="record type", default=None)
parser.add_option("-o", "--outfile", dest="outfile",
help="where to write the exprted gid")
- parser.add_option("-v", "--verbose", dest="verobse",
- help="be verbose")
+ parser.add_option("-v", "--verbose", dest="verbose", default=False,
+ action="store_true", help="be verbose")
(options, args) = parser.parse_args()
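Review bot: The new `-t/--type` option is handed straight to the registry lookup in export_gid, but its help text does not say which record types are valid; the only type the script itself names is `authority`. Either tighten the help, `help="record type of the gid to export (e.g. authority)"`, or, if the set of record types is closed, declare `type="choice", choices=[...]` so optparse rejects unknown values before they reach the table query. The help text of the neighbouring `-o` option still reads `exprted`, which this hunk could have fixed in passing.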
def sign_gid(gid, parent_key, parent_gid):
gid.set_issuer(parent_key, parent_gid.get_hrn())
gid.set_parent(parent_gid)
+ gid.set_intermediate_ca(True)
+ gid.set_pubkey(gid.get_pubkey())
gid.sign()
- gid.save_to_file(outfile, save_parents=True)
return gid
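Review bot: `gid.set_intermediate_ca(True)` marks every GID that passes through sign_gid as an intermediate CA, yet import_gid calls sign_gid for each child record it re-signs and only afterwards checks `record['type'] == 'authority'`, so non-authority GIDs would be issued with the CA flag set, assuming set_intermediate_ca maps to the certificate's CA basic constraint as its name suggests. Make it the caller's decision while keeping both existing callers working: `def sign_gid(gid, parent_key, parent_gid, intermediate_ca=True):` with `gid.set_intermediate_ca(intermediate_ca)`, and pass `record['type'] == 'authority'` from the re-signing loop in import_gid. The `gid.set_pubkey(gid.get_pubkey())` line reads as a no-op; a short comment on why the public key has to be re-applied (presumably the issuer change rebuilds the underlying certificate) would spare the next reader a detour.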
def sign(options):
hierarchy = Hierarchy()
config = Config()
default_authority = config.SFA_INTERFACE_HRN
- auth_info = hierarchy.get_auth_info(parent_hrn)
+ auth_info = hierarchy.get_auth_info(default_authority)
# load the gid
gidfile = os.path.abspath(options.sign)
sys.exit(1)
gid = GID(filename=gidfile)
+ # remove previous parent
+ gid = GID(string=gid.save_to_string(save_parents=False))
+
# load the parent private info
authority = options.authority
# if no pkey was specified, then use the this authority's key
# check if gid already has a parent
# sign the gid
- sign_gid(gid, parent_key, parent_gid)
+ if options.verbose:
+ print "Signing %s gid with parent %s" % \
+ (gid.get_hrn(), parent_gid.get_hrn())
+ gid = sign_gid(gid, parent_key, parent_gid)
+ # save the signed gid
+ if options.verbose:
+ print "Writing signed gid %s" % outfile
+ gid.save_to_file(outfile, save_parents=True)
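Review bot: `hierarchy.get_auth_info(default_authority)` now always loads the interface's default authority, but `authority = options.authority` a few lines later suggests the operator may name a different signing authority; if that option is meant to override the default, the lookup should follow it, `auth_info = hierarchy.get_auth_info(options.authority or default_authority)`, otherwise the parent key and GID come from the wrong hierarchy entry — parts of sign's body are elided in the hunk, so this may already be handled below. The input cert's existing parent chain is silently discarded by the `GID(string=gid.save_to_string(save_parents=False))` round-trip before re-signing, so the verbose message written just before `gid.save_to_file(outfile, save_parents=True)` would be more useful if it named the new issuer: `print "Writing signed gid %s (issuer %s)" % (outfile, parent_gid.get_hrn())`.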
def export_gid(options):
from sfa.util.table import SfaTable
# lookup the record for the specified hrn
hrn = options.export
-
- # check sfa table first
+ type = options.type
+ # check sfa table first
+ filter = {'hrn': hrn}
+ if type:
+ filter['type'] = type
table = SfaTable()
- records = table.find({'hrn': hrn, type: 'authority'})
+ records = table.find(filter)
if not records:
# check the authorities hierarchy
hierarchy = Hierarchy()
outfile = os.path.abspath('./%s.gid' % gid.get_hrn())
# save it
+ if options.verbose:
+ print "Writing %s gid to %s" % (gid.get_hrn(), outfile)
gid.save_to_file(outfile, save_parents=True)
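Review bot: The new locals `type` and `filter` shadow the builtins of the same name for the rest of export_gid; rename them, e.g. `record_type = options.type` and `record_filter = {'hrn': hrn}`, and adjust the `if` and the `table.find(...)` call accordingly. The old query appears to have intended to restrict the lookup to authority records; now that the type constraint is only applied when `--type` is given, a plain hrn lookup may match more than one record, and how `records` is consumed is not visible in the hunk, so a comment stating which match is used (or a verbose message when several are returned) would document the changed behaviour.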
def import_gid(options):
record = records[0]
record['gid'] = gid.save_to_string(save_parents=True)
table.update(record)
+ if options.verbose:
+ print "Imported %s gid into db" % record['hrn']
# update the hierarchy
auth_info = hierarchy.get_auth_info(gid.get_hrn())
filename = auth_info.gid_filename
gid.save_to_file(filename, save_parents=True)
+ if options.verbose:
+ print "Writing %s gid to %s" % (gid.get_hrn(), filename)
# re-sign all existing gids signed by this authority
# create a dictionary of records keyed on the record's authority
record_dict = defaultdict(list)
# only get regords that belong to this authority
# or any of its sub authorities
- all_records = table.find({'hrn': '%s*' % gid.get_hrn()})
- for record in records:
+ child_records = table.find({'hrn': '%s*' % gid.get_hrn()})
+ if not child_records:
+ return
+
+ for record in child_records:
record_dict[record['authority']].append(record)
# start with the authority we just imported
record_gid = GID(string=record['gid'])
parent_pkey = Keypair(filename=auth_info.privkey_filename)
parent_gid = GID(filename=auth_info.gid_filename)
+ if options.verbose:
+ print "re-signing %s gid with parent %s" % \
+ (record['hrn'], parent_gid.get_hrn())
signed_gid = sign_gid(record_gid, parent_pkey, parent_gid)
record['gid'] = signed_gid.save_to_string(save_parents=True)
table.update(record)
# if this is an authority then update the hierarchy
if record['type'] == 'authority':
record_info = hierarchy.get_auth_info(record['hrn'])
+ if options.verbose:
+ print "Writing %s gid to %s" % (record['hrn'], record_info.gid_filename)
signed_gid.save_to_file(filename=record_info.gid_filename, save_parents=True)
# update list of next authorities