-#!/usr/bin/python
-#
-# Bootstraps the PLC database with a default administrator account and
-# a default site. Also generates the MA/SA API certificate.
-#
-# Mark Huang <mlhuang@cs.princeton.edu>
-# Copyright (C) 2006 The Trustees of Princeton University
-#
-# $Id: api-config,v 1.15 2006/07/11 20:57:25 mlhuang Exp $
-#
-
-from plc_config import PLCConfiguration
-import os
-import re
-import xml
-import CertOps, Certificate
-import Certificate
-import commands
-
-
-def main():
- cfg = PLCConfiguration()
- cfg.load()
- variables = cfg.variables()
-
- # Load variables into dictionaries
- for category_id, (category, variablelist) in variables.iteritems():
- globals()[category_id] = dict(zip(variablelist.keys(),
- [variable['value'] for variable in variablelist.values()]))
-
- # Get the issuer e-mail address and public key from the root CA certificate
- root_ca_email = commands.getoutput("openssl x509 -in %s -noout -email" % \
- plc_ma_sa['ca_ssl_crt'])
- root_ca_key_pub = commands.getoutput("openssl x509 -in %s -noout -pubkey" % \
- plc_ma_sa['ca_ssl_crt'])
-
- # Verify API certificate
- if os.path.exists(plc_ma_sa['api_crt']):
- print "Verifying API certificate '%s'" % plc_ma_sa['api_crt']
- try:
- cert_xml = file(plc_ma_sa['api_crt']).read().strip()
- # Verify root CA signature
- CertOps.authenticate_cert(cert_xml, {root_ca_email: root_ca_key_pub})
- # Check if MA/SA e-mail address has changed
- dom = xml.dom.minidom.parseString(cert_xml)
- for subject in dom.getElementsByTagName('subject'):
- if subject.getAttribute('email') != plc_mail['support_address']:
- raise Exception, "E-mail address '%s' in certificate '%s' does not match support address '%s'" % \
- (subject.getAttribute('email'), plc_ma_sa['api_crt'], plc_mail['support_address'])
- except Exception, e:
- # Delete invalid API certificate
- print "Warning: ", e
- os.unlink(plc_ma_sa['api_crt'])
-
- # Generate self-signed API certificate
- if not os.path.exists(plc_ma_sa['api_crt']):
- print "Generating new API certificate"
- try:
- cert = Certificate.Certificate('ticket-cert-0')
- ma_sa_ssl_key_pub = commands.getoutput("openssl x509 -in %s -noout -pubkey" % \
- plc_ma_sa['ssl_crt'])
- cert.add_subject_pubkey(pubkey = ma_sa_ssl_key_pub, email = plc_mail['support_address'])
- root_ca_subject = commands.getoutput("openssl x509 -in %s -noout -subject" % \
- plc_ma_sa['ssl_crt'])
- m = re.search('/CN=([^/]*).*', root_ca_subject)
- if m is None:
- root_ca_cn = plc['name'] + " Management and Slice Authority"
- else:
- root_ca_cn = m.group(1)
- cert.set_issuer(email = root_ca_email, cn = root_ca_cn)
- cert_xml = cert.sign(plc_ma_sa['ssl_key'])
- ma_sa_api_crt = file(plc_ma_sa['api_crt'], "w")
- ma_sa_api_crt.write(cert_xml)
- ma_sa_api_crt.close()
- except Exception, e:
- print "Warning: Could not generate API certificate: ", e
-
-if __name__ == '__main__':
- main()