1 files changed, 155 insertions, 0 deletions

diff --git a/mklog.py b/mklog.py
new file mode 100755
index 0000000..26df433
--- /dev/null
+++ b/mklog.py
@@ -0,0 +1,155 @@
+#! /usr/bin/env python
+
+import sys
+import os
+import stat
+import argparse
+import yaml
+import subprocess
+import shutil
+
+def run_openssl(args):
+    p = subprocess.Popen(['openssl'] + args, stderr=subprocess.PIPE)
+    (_, out_stderr) = p.communicate()
+    if p.returncode == 0:
+        return True
+    print >>sys.stderr, "openssl %s failure: %d: %s" % \
+        (args, p.returncode, out_stderr)
+    return False
+
+def make_eckey(name):
+    print "creating EC key \"%s\"" % name
+
+    privkey_filename = '%s-private.pem' % name
+    pubkey_filename = '%s.pem' % name
+    ecparam_args =  ['ecparam', '-name', 'prime256v1', '-genkey', '-noout',
+                     '-out', privkey_filename]
+    if not run_openssl(ecparam_args):
+        return False
+    os.chmod(privkey_filename, stat.S_IRUSR)
+
+    ec_args = ['ec', '-in', privkey_filename, '-pubout', '-out', pubkey_filename]
+    if not run_openssl(ec_args):
+        return False
+    os.chmod(pubkey_filename, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
+
+    return True
+
+def make_ca(logname, cakey_filename, cacert_filename):
+    os.makedirs('./demoCA/newcerts', 0700)
+
+    f = open('./demoCA/index.txt', 'w')
+    f.close()
+
+    f = open('./demoCA/serial', 'w')
+    f.write('00\n')
+    f.close()
+
+    f = open('caconfig.txt', 'w')
+    f.write('[ req ]\n')
+    f.write('distinguished_name = req_distinguished_name\n')
+    f.write('x509_extensions = v3_ca\n')
+    f.write('string_mask = utf8only\n')
+    f.write('[ req_distinguished_name ]\n')
+    f.write('[ v3_ca ]\n')
+    f.write('basicConstraints=CA:true\n')
+    f.close()
+    
+    subject = '/countryName=II/stateOrProvinceName=internets/organizationName=%s/commonName=ca' % logname
+    req_args = ['req', '-newkey', 'rsa:2048', '-keyout', cakey_filename, '-out',
+                'req.csr', '-nodes', '-subj', subject, '-config', 'caconfig.txt']
+    if not run_openssl(req_args):
+        return False
+    os.chmod(cakey_filename, stat.S_IRUSR)
+
+    ca_args = ['ca', '-in', 'req.csr', '-selfsign', '-keyfile', cakey_filename,
+               '-out', cacert_filename, '-batch']
+    if not run_openssl(ca_args):
+        return False
+
+    return True
+
+def make_certs(logname, nodenames):
+    wdir = './httpscerts'
+    if not os.access(wdir, os.F_OK):
+        os.mkdir(wdir)
+    os.chdir(wdir)
+
+    ca_key = './cakey.pem'
+    ca_cert = './demoCA/cacert.pem'
+    if not os.access(ca_key, os.R_OK) or not os.access(ca_cert, os.R_OK):
+        if not make_ca(logname, ca_key, ca_cert):
+            return False
+
+    for nodename in nodenames:
+        key = './%s-key.pem' % nodename
+        csr = './%s.csr' % nodename
+        cert = './%s.pem' % nodename
+        subject = '/countryName=II/stateOrProvinceName=internets/organizationName=%s/CN=%s' % (logname, nodename)
+
+        print "creating cert for node %s" % nodename
+
+        if os.access(key, os.R_OK) and os.access(cert, os.R_OK):
+            continue
+        req_args = ['req', '-new', '-newkey', 'rsa:2048', '-keyout', key,
+                    '-out', csr, '-nodes', '-subj', subject]
+        if not run_openssl(req_args):
+            return False
+        ca_args = ['ca', '-in', csr, '-keyfile', ca_key, '-out', cert, '-batch']
+        if not run_openssl(ca_args):
+            return False
+
+        shutil.copy(ca_cert, '../nodes/%s/cacert.pem' % nodename)
+        shutil.copy(cert, '../nodes/%s/webcert-%s.pem' % (nodename, nodename))
+        shutil.copy(key, '../nodes/%s/webkey-%s.pem' % (nodename, nodename))
+
+    os.chdir('..')
+    return True
+
+def make_authkeys(nodenames):
+    wdir = './publickeys'
+    if not os.access(wdir, os.F_OK):
+        os.mkdir(wdir)
+    os.chdir(wdir)
+
+    for nodename in nodenames:
+        if not make_eckey(nodename):
+            return False
+        shutil.move('%s-private.pem' % nodename, '../nodes/%s/' % nodename)
+    for nodename in nodenames:
+        shutil.copytree('.', '../nodes/%s/publickeys' % nodename)
+
+    os.chdir('..')
+    return True
+
+def copy_logkey(logname, nodenames):
+    for nodename in nodenames:
+        shutil.copy('%s.pem' % logname, 'nodes/%s/' % nodename)
+
+def create_destdirs(logname, nodenames):
+    for nodename in nodenames:
+        d = 'nodes/%s' % nodename
+        if not os.access(d, os.F_OK):
+            os.makedirs(d)
+
+def main():
+    parser = argparse.ArgumentParser(description="")
+    parser.add_argument('config', help="System configuration")
+    parser.add_argument('--logname', help="Log name", default="mylog")
+    args = parser.parse_args()
+
+    logname = args.logname
+    config = yaml.load(open(args.config))
+    nodenames = [node["name"] for node in
+                 config["frontendnodes"] +
+                 config["storagenodes"] +
+                 config["signingnodes"]]
+    mergenodenames = [node["name"] for node in config["mergenodes"]]
+
+    create_destdirs(logname, nodenames + mergenodenames)
+    make_eckey(logname)
+    copy_logkey(logname, nodenames + mergenodenames)
+    make_certs(logname, nodenames)
+    make_authkeys(nodenames + mergenodenames)
+
+main()