- pass email instead of person_id to reset_password.php script
1 #!/usr/bin/python
2 #
3 # Bootstraps the PLC database with a default administrator account and
4 # a default site. Also generates the MA/SA API certificate.
5 #
6 # Mark Huang <mlhuang@cs.princeton.edu>
7 # Copyright (C) 2006 The Trustees of Princeton University
8 #
9 # $Id: api-config,v 1.15 2006/07/11 20:57:25 mlhuang Exp $
10 #
11
import commands
import os
import pipes
import re
import xml
import xml.dom.minidom

import CertOps, Certificate
import Certificate

from plc_config import PLCConfiguration
19
20
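def _openssl_x509(crt_path, option):
    """Run ``openssl x509 -in CRT_PATH -noout -OPTION`` and return its output.

    crt_path -- path of a PEM certificate file; shell-quoted before use so
                that a path containing spaces or shell metacharacters cannot
                alter the command line
    option   -- x509 output option without the leading dash, e.g. "email",
                "pubkey" or "subject"

    Raises Exception when openssl exits non-zero. commands.* merges stderr
    into the returned text, so without this check an openssl error message
    would silently be used as an e-mail address, public key or subject.
    """
    status, output = commands.getstatusoutput(
        "openssl x509 -in %s -noout -%s" % (pipes.quote(crt_path), option))
    if status != 0:
        raise Exception("openssl x509 -%s failed on '%s': %s" % (option, crt_path, output))
    return output


def _verify_api_cert(crt_path, root_ca_email, root_ca_key_pub, support_address):
    """Check an existing API certificate; raise Exception if it is unusable.

    crt_path        -- path of the XML API certificate to check
    root_ca_email   -- issuer e-mail address taken from the root CA certificate
    root_ca_key_pub -- PEM public key of the root CA (verifies the signature)
    support_address -- the configured MA/SA support e-mail address

    The certificate must carry a valid root CA signature and every <subject>
    element's email attribute must still equal the support address; any
    failure (including unparseable XML) propagates as an exception.
    """
    crt_file = open(crt_path)
    try:
        cert_xml = crt_file.read().strip()
    finally:
        crt_file.close()
    # Verify root CA signature
    CertOps.authenticate_cert(cert_xml, {root_ca_email: root_ca_key_pub})
    # Check if MA/SA e-mail address has changed
    dom = xml.dom.minidom.parseString(cert_xml)
    for subject in dom.getElementsByTagName('subject'):
        subject_email = subject.getAttribute('email')
        if subject_email != support_address:
            raise Exception("E-mail address '%s' in certificate '%s' does not match support address '%s'" %
                            (subject_email, crt_path, support_address))


def _generate_api_cert(ma_sa, support_address, root_ca_email, default_cn):
    """Create a new API certificate and write it to ma_sa['api_crt'].

    ma_sa           -- the plc_ma_sa configuration dictionary (ssl_crt,
                       ssl_key, api_crt)
    support_address -- e-mail address placed in the certificate's subject
    root_ca_email   -- e-mail address placed in the certificate's issuer
    default_cn      -- issuer CN used when the SSL certificate has no CN

    Returns None; any failure propagates so the caller can report it.
    """
    cert = Certificate.Certificate('ticket-cert-0')
    ma_sa_ssl_key_pub = _openssl_x509(ma_sa['ssl_crt'], "pubkey")
    cert.add_subject_pubkey(pubkey = ma_sa_ssl_key_pub, email = support_address)
    # NOTE(review): the issuer CN is read from the MA/SA SSL certificate
    # (ssl_crt) while the issuer e-mail comes from the root CA certificate
    # (ca_ssl_crt) -- confirm that mixing the two is intended.
    issuer_subject = _openssl_x509(ma_sa['ssl_crt'], "subject")
    m = re.search(r'/CN=([^/]*)', issuer_subject)
    if m is None:
        issuer_cn = default_cn
    else:
        issuer_cn = m.group(1)
    cert.set_issuer(email = root_ca_email, cn = issuer_cn)
    cert_xml = cert.sign(ma_sa['ssl_key'])
    api_crt_file = open(ma_sa['api_crt'], "w")
    try:
        api_crt_file.write(cert_xml)
    finally:
        api_crt_file.close()


def main():
    """Bootstrap the MA/SA API certificate from the PLC configuration.

    Loads every configuration category into a module-level dictionary named
    after its category id (the code below relies on plc_ma_sa, plc_mail and
    plc), verifies an existing API certificate against the root CA and the
    configured support address -- deleting it when the check fails -- and
    generates a fresh certificate when none is left on disk.
    """
    cfg = PLCConfiguration()
    cfg.load()
    variables = cfg.variables()

    # Load variables into dictionaries; they are published as module
    # globals because the rest of this script addresses them by name
    for category_id, (category, variablelist) in variables.iteritems():
        globals()[category_id] = dict([(name, variable['value'])
                                       for name, variable in variablelist.iteritems()])

    # Get the issuer e-mail address and public key from the root CA
    # certificate. A failing openssl call raises here instead of handing
    # back its error text as the CA identity.
    root_ca_email = _openssl_x509(plc_ma_sa['ca_ssl_crt'], "email")
    root_ca_key_pub = _openssl_x509(plc_ma_sa['ca_ssl_crt'], "pubkey")

    api_crt = plc_ma_sa['api_crt']

    # Verify API certificate
    if os.path.exists(api_crt):
        print "Verifying API certificate '%s'" % api_crt
        try:
            _verify_api_cert(api_crt, root_ca_email, root_ca_key_pub,
                             plc_mail['support_address'])
        except Exception, e:
            # Delete invalid API certificate so that it is regenerated below
            print "Warning: ", e
            os.unlink(api_crt)

    # Generate self-signed API certificate
    if not os.path.exists(api_crt):
        print "Generating new API certificate"
        try:
            _generate_api_cert(plc_ma_sa, plc_mail['support_address'], root_ca_email,
                               plc['name'] + " Management and Slice Authority")
        except Exception, e:
            print "Warning: Could not generate API certificate: ", e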
if __name__ == "__main__":
    # Run the bootstrap only when executed as a script, not on import.
    main()