authorRob Austein <sra@hactrn.net>2014-04-05 22:42:12 +0000
committerRob Austein <sra@hactrn.net>2014-04-05 22:42:12 +0000
commitfe0bf509f528dbdc50c7182f81057c6a4e15e4bd (patch)
tree07c9a923d4a0ccdfea11c49cd284f6d5757c5eda /ca
parentaa28ef54c271fbe4d52860ff8cf13cab19e2207c (diff)
Source tree reorg, phase 1. Almost everything moved, no file contents changed.
svn path=/branches/tk685/; revision=5757
Diffstat (limited to 'ca')
-rw-r--r--ca/Doxyfile1705
-rw-r--r--ca/Makefile.in339
-rw-r--r--ca/README11
-rw-r--r--ca/doc/README16
-rw-r--r--ca/doc/mainpage.py71
-rw-r--r--ca/doc/pubd-bpki.dot42
-rw-r--r--ca/doc/rpkid-bpki.dot76
-rw-r--r--ca/examples/asns.csv5
-rw-r--r--ca/examples/prefixes.csv8
-rw-r--r--ca/examples/roas.csv5
-rw-r--r--ca/examples/rsyncd.conf53
-rwxr-xr-xca/irbe_cli388
-rwxr-xr-xca/irdbd21
-rwxr-xr-xca/pubd21
-rwxr-xr-xca/rootd21
-rwxr-xr-xca/rpki-confgen291
-rw-r--r--ca/rpki-confgen.xml900
-rwxr-xr-xca/rpki-manage13
-rwxr-xr-xca/rpki-sql-backup53
-rwxr-xr-xca/rpki-sql-setup311
-rwxr-xr-xca/rpki-start-servers76
-rw-r--r--ca/rpki.wsgi45
-rwxr-xr-xca/rpkic21
-rwxr-xr-xca/rpkid21
-rwxr-xr-xca/rpkigui-apache-conf-gen483
-rwxr-xr-xca/rpkigui-check-expired61
-rwxr-xr-xca/rpkigui-import-routes115
-rwxr-xr-xca/rpkigui-query-routes66
-rwxr-xr-xca/rpkigui-rcynic54
-rw-r--r--ca/tests/Makefile.in91
-rw-r--r--ca/tests/left-right-protocol-samples.xml1093
-rw-r--r--ca/tests/myrpki-xml-parse-test.py101
-rw-r--r--ca/tests/old_irdbd.py19
-rw-r--r--ca/tests/old_irdbd.sql143
-rw-r--r--ca/tests/publication-protocol-samples.xml370
-rw-r--r--ca/tests/rcynic.conf14
-rw-r--r--ca/tests/revoke.yaml420
-rw-r--r--ca/tests/rootd.yaml24
l---------ca/tests/rpki1
-rw-r--r--ca/tests/smoketest.1.yaml89
-rw-r--r--ca/tests/smoketest.2.yaml126
-rw-r--r--ca/tests/smoketest.3.yaml81
-rw-r--r--ca/tests/smoketest.4.yaml72
-rw-r--r--ca/tests/smoketest.5.yaml65
-rw-r--r--ca/tests/smoketest.6.yaml81
-rw-r--r--ca/tests/smoketest.7.yaml77
-rw-r--r--ca/tests/smoketest.8.yaml41
-rw-r--r--ca/tests/smoketest.9.yaml849
-rw-r--r--ca/tests/smoketest.clean.sql54
-rw-r--r--ca/tests/smoketest.py1630
-rw-r--r--ca/tests/smoketest.setup.sql112
-rw-r--r--ca/tests/split-protocol-samples.xsl40
-rw-r--r--ca/tests/sql-cleaner.py61
-rw-r--r--ca/tests/sql-dumper.py43
-rw-r--r--ca/tests/testpoke.py152
-rw-r--r--ca/tests/testpoke.xsl78
-rw-r--r--ca/tests/testpoke.yaml24
-rw-r--r--ca/tests/up-down-protocol-samples/Makefile11
-rw-r--r--ca/tests/up-down-protocol-samples/error_response.xml9
-rw-r--r--ca/tests/up-down-protocol-samples/issue1.xml25
-rw-r--r--ca/tests/up-down-protocol-samples/issue2.xml24
-rw-r--r--ca/tests/up-down-protocol-samples/issue_response.xml117
-rw-r--r--ca/tests/up-down-protocol-samples/list.xml6
-rw-r--r--ca/tests/up-down-protocol-samples/list_response.xml171
-rw-r--r--ca/tests/up-down-protocol-samples/revoke.xml9
-rw-r--r--ca/tests/up-down-protocol-samples/revoke_response.xml9
-rw-r--r--ca/tests/xml-parse-test.py119
-rw-r--r--ca/tests/yamlconf.py794
-rw-r--r--ca/tests/yamltest-test-all.sh58
-rw-r--r--ca/tests/yamltest.py875
-rw-r--r--ca/upgrade-scripts/upgrade-rpkid-to-0.5709.py38
71 files changed, 13508 insertions, 0 deletions
diff --git a/ca/Doxyfile b/ca/Doxyfile
new file mode 100644
index 00000000..33f39f4b
--- /dev/null
+++ b/ca/Doxyfile
@@ -0,0 +1,1705 @@
+# Doxyfile 1.7.3
+
+# This file describes the settings to be used by the documentation system
+# doxygen (www.doxygen.org) for a project.
+#
+# All text after a hash (#) is considered a comment and will be ignored.
+# The format is:
+# TAG = value [value, ...]
+# For lists items can also be appended using:
+# TAG += value [value, ...]
+# Values that contain spaces should be placed between quotes (" ").
+
+#---------------------------------------------------------------------------
+# Project related configuration options
+#---------------------------------------------------------------------------
+
+# This tag specifies the encoding used for all characters in the config file
+# that follow. The default is UTF-8 which is also the encoding used for all
+# text before the first occurrence of this tag. Doxygen uses libiconv (or the
+# iconv built into libc) for the transcoding. See
+# http://www.gnu.org/software/libiconv for the list of possible encodings.
+
+DOXYFILE_ENCODING = UTF-8
+
+# The PROJECT_NAME tag is a single word (or a sequence of words surrounded
+# by quotes) that should identify the project.
+
+PROJECT_NAME = "RPKI Engine"
+
+# The PROJECT_NUMBER tag can be used to enter a project or revision number.
+# This could be handy for archiving the generated documentation or
+# if some version control system is used.
+
+PROJECT_NUMBER = 1.0
+
+# Using the PROJECT_BRIEF tag one can provide an optional one line description for a project that appears at the top of each page and should give viewer a quick idea about the purpose of the project. Keep the description short.
+
+PROJECT_BRIEF =
+
+# With the PROJECT_LOGO tag one can specify an logo or icon that is
+# included in the documentation. The maximum height of the logo should not
+# exceed 55 pixels and the maximum width should not exceed 200 pixels.
+# Doxygen will copy the logo to the output directory.
+
+PROJECT_LOGO =
+
+# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute)
+# base path where the generated documentation will be put.
+# If a relative path is entered, it will be relative to the location
+# where doxygen was started. If left blank the current directory will be used.
+
+OUTPUT_DIRECTORY = doc
+
+# If the CREATE_SUBDIRS tag is set to YES, then doxygen will create
+# 4096 sub-directories (in 2 levels) under the output directory of each output
+# format and will distribute the generated files over these directories.
+# Enabling this option can be useful when feeding doxygen a huge amount of
+# source files, where putting all generated files in the same directory would
+# otherwise cause performance problems for the file system.
+
+CREATE_SUBDIRS = NO
+
+# The OUTPUT_LANGUAGE tag is used to specify the language in which all
+# documentation generated by doxygen is written. Doxygen will use this
+# information to generate all constant output in the proper language.
+# The default language is English, other supported languages are:
+# Afrikaans, Arabic, Brazilian, Catalan, Chinese, Chinese-Traditional,
+# Croatian, Czech, Danish, Dutch, Esperanto, Farsi, Finnish, French, German,
+# Greek, Hungarian, Italian, Japanese, Japanese-en (Japanese with English
+# messages), Korean, Korean-en, Lithuanian, Norwegian, Macedonian, Persian,
+# Polish, Portuguese, Romanian, Russian, Serbian, Serbian-Cyrillic, Slovak,
+# Slovene, Spanish, Swedish, Ukrainian, and Vietnamese.
+
+OUTPUT_LANGUAGE = English
+
+# If the BRIEF_MEMBER_DESC tag is set to YES (the default) Doxygen will
+# include brief member descriptions after the members that are listed in
+# the file and class documentation (similar to JavaDoc).
+# Set to NO to disable this.
+
+BRIEF_MEMBER_DESC = YES
+
+# If the REPEAT_BRIEF tag is set to YES (the default) Doxygen will prepend
+# the brief description of a member or function before the detailed description.
+# Note: if both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the
+# brief descriptions will be completely suppressed.
+
+REPEAT_BRIEF = YES
+
+# This tag implements a quasi-intelligent brief description abbreviator
+# that is used to form the text in various listings. Each string
+# in this list, if found as the leading text of the brief description, will be
+# stripped from the text and the result after processing the whole list, is
+# used as the annotated text. Otherwise, the brief description is used as-is.
+# If left blank, the following values are used ("$name" is automatically
+# replaced with the name of the entity): "The $name class" "The $name widget"
+# "The $name file" "is" "provides" "specifies" "contains"
+# "represents" "a" "an" "the"
+
+ABBREVIATE_BRIEF = "The $name class" \
+ "The $name widget" \
+ "The $name file" \
+ is \
+ provides \
+ specifies \
+ contains \
+ represents \
+ a \
+ an \
+ the
+
+# If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then
+# Doxygen will generate a detailed section even if there is only a brief
+# description.
+
+ALWAYS_DETAILED_SEC = NO
+
+# If the INLINE_INHERITED_MEMB tag is set to YES, doxygen will show all
+# inherited members of a class in the documentation of that class as if those
+# members were ordinary class members. Constructors, destructors and assignment
+# operators of the base classes will not be shown.
+
+INLINE_INHERITED_MEMB = NO
+
+# If the FULL_PATH_NAMES tag is set to YES then Doxygen will prepend the full
+# path before files name in the file list and in the header files. If set
+# to NO the shortest path that makes the file name unique will be used.
+
+FULL_PATH_NAMES = NO
+
+# If the FULL_PATH_NAMES tag is set to YES then the STRIP_FROM_PATH tag
+# can be used to strip a user-defined part of the path. Stripping is
+# only done if one of the specified strings matches the left-hand part of
+# the path. The tag can be used to show relative paths in the file list.
+# If left blank the directory from which doxygen is run is used as the
+# path to strip.
+
+STRIP_FROM_PATH =
+
+# The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of
+# the path mentioned in the documentation of a class, which tells
+# the reader which header file to include in order to use a class.
+# If left blank only the name of the header file containing the class
+# definition is used. Otherwise one should specify the include paths that
+# are normally passed to the compiler using the -I flag.
+
+STRIP_FROM_INC_PATH =
+
+# If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter
+# (but less readable) file names. This can be useful if your file system
+# doesn't support long names like on DOS, Mac, or CD-ROM.
+
+SHORT_NAMES = NO
+
+# If the JAVADOC_AUTOBRIEF tag is set to YES then Doxygen
+# will interpret the first line (until the first dot) of a JavaDoc-style
+# comment as the brief description. If set to NO, the JavaDoc
+# comments will behave just like regular Qt-style comments
+# (thus requiring an explicit @brief command for a brief description.)
+
+JAVADOC_AUTOBRIEF = NO
+
+# If the QT_AUTOBRIEF tag is set to YES then Doxygen will
+# interpret the first line (until the first dot) of a Qt-style
+# comment as the brief description. If set to NO, the comments
+# will behave just like regular Qt-style comments (thus requiring
+# an explicit \brief command for a brief description.)
+
+QT_AUTOBRIEF = NO
+
+# The MULTILINE_CPP_IS_BRIEF tag can be set to YES to make Doxygen
+# treat a multi-line C++ special comment block (i.e. a block of //! or ///
+# comments) as a brief description. This used to be the default behaviour.
+# The new default is to treat a multi-line C++ comment block as a detailed
+# description. Set this tag to YES if you prefer the old behaviour instead.
+
+MULTILINE_CPP_IS_BRIEF = NO
+
+# If the INHERIT_DOCS tag is set to YES (the default) then an undocumented
+# member inherits the documentation from any documented member that it
+# re-implements.
+
+INHERIT_DOCS = YES
+
+# If the SEPARATE_MEMBER_PAGES tag is set to YES, then doxygen will produce
+# a new page for each member. If set to NO, the documentation of a member will
+# be part of the file/class/namespace that contains it.
+
+SEPARATE_MEMBER_PAGES = NO
+
+# The TAB_SIZE tag can be used to set the number of spaces in a tab.
+# Doxygen uses this value to replace tabs by spaces in code fragments.
+
+TAB_SIZE = 8
+
+# This tag can be used to specify a number of aliases that acts
+# as commands in the documentation. An alias has the form "name=value".
+# For example adding "sideeffect=\par Side Effects:\n" will allow you to
+# put the command \sideeffect (or @sideeffect) in the documentation, which
+# will result in a user-defined paragraph with heading "Side Effects:".
+# You can put \n's in the value part of an alias to insert newlines.
+
+ALIASES =
+
+# Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C
+# sources only. Doxygen will then generate output that is more tailored for C.
+# For instance, some of the names that are used will be different. The list
+# of all members will be omitted, etc.
+
+OPTIMIZE_OUTPUT_FOR_C = NO
+
+# Set the OPTIMIZE_OUTPUT_JAVA tag to YES if your project consists of Java
+# sources only. Doxygen will then generate output that is more tailored for
+# Java. For instance, namespaces will be presented as packages, qualified
+# scopes will look different, etc.
+
+OPTIMIZE_OUTPUT_JAVA = YES
+
+# Set the OPTIMIZE_FOR_FORTRAN tag to YES if your project consists of Fortran
+# sources only. Doxygen will then generate output that is more tailored for
+# Fortran.
+
+OPTIMIZE_FOR_FORTRAN = NO
+
+# Set the OPTIMIZE_OUTPUT_VHDL tag to YES if your project consists of VHDL
+# sources. Doxygen will then generate output that is tailored for
+# VHDL.
+
+OPTIMIZE_OUTPUT_VHDL = NO
+
+# Doxygen selects the parser to use depending on the extension of the files it
+# parses. With this tag you can assign which parser to use for a given extension.
+# Doxygen has a built-in mapping, but you can override or extend it using this
+# tag. The format is ext=language, where ext is a file extension, and language
+# is one of the parsers supported by doxygen: IDL, Java, Javascript, CSharp, C,
+# C++, D, PHP, Objective-C, Python, Fortran, VHDL, C, C++. For instance to make
+# doxygen treat .inc files as Fortran files (default is PHP), and .f files as C
+# (default is Fortran), use: inc=Fortran f=C. Note that for custom extensions
+# you also need to set FILE_PATTERNS otherwise the files are not read by doxygen.
+
+EXTENSION_MAPPING =
+
+# If you use STL classes (i.e. std::string, std::vector, etc.) but do not want
+# to include (a tag file for) the STL sources as input, then you should
+# set this tag to YES in order to let doxygen match functions declarations and
+# definitions whose arguments contain STL classes (e.g. func(std::string); v.s.
+# func(std::string) {}). This also makes the inheritance and collaboration
+# diagrams that involve STL classes more complete and accurate.
+
+BUILTIN_STL_SUPPORT = NO
+
+# If you use Microsoft's C++/CLI language, you should set this option to YES to
+# enable parsing support.
+
+CPP_CLI_SUPPORT = NO
+
+# Set the SIP_SUPPORT tag to YES if your project consists of sip sources only.
+# Doxygen will parse them like normal C++ but will assume all classes use public
+# instead of private inheritance when no explicit protection keyword is present.
+
+SIP_SUPPORT = NO
+
+# For Microsoft's IDL there are propget and propput attributes to indicate getter
+# and setter methods for a property. Setting this option to YES (the default)
+# will make doxygen replace the get and set methods by a property in the
+# documentation. This will only work if the methods are indeed getting or
+# setting a simple type. If this is not the case, or you want to show the
+# methods anyway, you should set this option to NO.
+
+IDL_PROPERTY_SUPPORT = YES
+
+# If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC
+# tag is set to YES, then doxygen will reuse the documentation of the first
+# member in the group (if any) for the other members of the group. By default
+# all members of a group must be documented explicitly.
+
+DISTRIBUTE_GROUP_DOC = NO
+
+# Set the SUBGROUPING tag to YES (the default) to allow class member groups of
+# the same type (for instance a group of public functions) to be put as a
+# subgroup of that type (e.g. under the Public Functions section). Set it to
+# NO to prevent subgrouping. Alternatively, this can be done per class using
+# the \nosubgrouping command.
+
+SUBGROUPING = YES
+
+# When TYPEDEF_HIDES_STRUCT is enabled, a typedef of a struct, union, or enum
+# is documented as struct, union, or enum with the name of the typedef. So
+# typedef struct TypeS {} TypeT, will appear in the documentation as a struct
+# with name TypeT. When disabled the typedef will appear as a member of a file,
+# namespace, or class. And the struct will be named TypeS. This can typically
+# be useful for C code in case the coding convention dictates that all compound
+# types are typedef'ed and only the typedef is referenced, never the tag name.
+
+TYPEDEF_HIDES_STRUCT = NO
+
+# The SYMBOL_CACHE_SIZE determines the size of the internal cache use to
+# determine which symbols to keep in memory and which to flush to disk.
+# When the cache is full, less often used symbols will be written to disk.
+# For small to medium size projects (<1000 input files) the default value is
+# probably good enough. For larger projects a too small cache size can cause
+# doxygen to be busy swapping symbols to and from disk most of the time
+# causing a significant performance penalty.
+# If the system has enough physical memory increasing the cache will improve the
+# performance by keeping more symbols in memory. Note that the value works on
+# a logarithmic scale so increasing the size by one will roughly double the
+# memory usage. The cache size is given by this formula:
+# 2^(16+SYMBOL_CACHE_SIZE). The valid range is 0..9, the default is 0,
+# corresponding to a cache size of 2^16 = 65536 symbols
+
+SYMBOL_CACHE_SIZE = 0
+
+#---------------------------------------------------------------------------
+# Build related configuration options
+#---------------------------------------------------------------------------
+
+# If the EXTRACT_ALL tag is set to YES doxygen will assume all entities in
+# documentation are documented, even if no documentation was available.
+# Private class members and static file members will be hidden unless
+# the EXTRACT_PRIVATE and EXTRACT_STATIC tags are set to YES
+
+EXTRACT_ALL = YES
+
+# If the EXTRACT_PRIVATE tag is set to YES all private members of a class
+# will be included in the documentation.
+
+EXTRACT_PRIVATE = YES
+
+# If the EXTRACT_STATIC tag is set to YES all static members of a file
+# will be included in the documentation.
+
+EXTRACT_STATIC = YES
+
+# If the EXTRACT_LOCAL_CLASSES tag is set to YES classes (and structs)
+# defined locally in source files will be included in the documentation.
+# If set to NO only classes defined in header files are included.
+
+EXTRACT_LOCAL_CLASSES = YES
+
+# This flag is only useful for Objective-C code. When set to YES local
+# methods, which are defined in the implementation section but not in
+# the interface are included in the documentation.
+# If set to NO (the default) only methods in the interface are included.
+
+EXTRACT_LOCAL_METHODS = NO
+
+# If this flag is set to YES, the members of anonymous namespaces will be
+# extracted and appear in the documentation as a namespace called
+# 'anonymous_namespace{file}', where file will be replaced with the base
+# name of the file that contains the anonymous namespace. By default
+# anonymous namespaces are hidden.
+
+EXTRACT_ANON_NSPACES = NO
+
+# If the HIDE_UNDOC_MEMBERS tag is set to YES, Doxygen will hide all
+# undocumented members of documented classes, files or namespaces.
+# If set to NO (the default) these members will be included in the
+# various overviews, but no documentation section is generated.
+# This option has no effect if EXTRACT_ALL is enabled.
+
+HIDE_UNDOC_MEMBERS = NO
+
+# If the HIDE_UNDOC_CLASSES tag is set to YES, Doxygen will hide all
+# undocumented classes that are normally visible in the class hierarchy.
+# If set to NO (the default) these classes will be included in the various
+# overviews. This option has no effect if EXTRACT_ALL is enabled.
+
+HIDE_UNDOC_CLASSES = NO
+
+# If the HIDE_FRIEND_COMPOUNDS tag is set to YES, Doxygen will hide all
+# friend (class|struct|union) declarations.
+# If set to NO (the default) these declarations will be included in the
+# documentation.
+
+HIDE_FRIEND_COMPOUNDS = NO
+
+# If the HIDE_IN_BODY_DOCS tag is set to YES, Doxygen will hide any
+# documentation blocks found inside the body of a function.
+# If set to NO (the default) these blocks will be appended to the
+# function's detailed documentation block.
+
+HIDE_IN_BODY_DOCS = NO
+
+# The INTERNAL_DOCS tag determines if documentation
+# that is typed after a \internal command is included. If the tag is set
+# to NO (the default) then the documentation will be excluded.
+# Set it to YES to include the internal documentation.
+
+INTERNAL_DOCS = NO
+
+# If the CASE_SENSE_NAMES tag is set to NO then Doxygen will only generate
+# file names in lower-case letters. If set to YES upper-case letters are also
+# allowed. This is useful if you have classes or files whose names only differ
+# in case and if your file system supports case sensitive file names. Windows
+# and Mac users are advised to set this option to NO.
+
+CASE_SENSE_NAMES = YES
+
+# If the HIDE_SCOPE_NAMES tag is set to NO (the default) then Doxygen
+# will show members with their full class and namespace scopes in the
+# documentation. If set to YES the scope will be hidden.
+
+HIDE_SCOPE_NAMES = NO
+
+# If the SHOW_INCLUDE_FILES tag is set to YES (the default) then Doxygen
+# will put a list of the files that are included by a file in the documentation
+# of that file.
+
+SHOW_INCLUDE_FILES = YES
+
+# If the FORCE_LOCAL_INCLUDES tag is set to YES then Doxygen
+# will list include files with double quotes in the documentation
+# rather than with sharp brackets.
+
+FORCE_LOCAL_INCLUDES = NO
+
+# If the INLINE_INFO tag is set to YES (the default) then a tag [inline]
+# is inserted in the documentation for inline members.
+
+INLINE_INFO = YES
+
+# If the SORT_MEMBER_DOCS tag is set to YES (the default) then doxygen
+# will sort the (detailed) documentation of file and class members
+# alphabetically by member name. If set to NO the members will appear in
+# declaration order.
+
+SORT_MEMBER_DOCS = YES
+
+# If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the
+# brief documentation of file, namespace and class members alphabetically
+# by member name. If set to NO (the default) the members will appear in
+# declaration order.
+
+SORT_BRIEF_DOCS = YES
+
+# If the SORT_MEMBERS_CTORS_1ST tag is set to YES then doxygen
+# will sort the (brief and detailed) documentation of class members so that
+# constructors and destructors are listed first. If set to NO (the default)
+# the constructors will appear in the respective orders defined by
+# SORT_MEMBER_DOCS and SORT_BRIEF_DOCS.
+# This tag will be ignored for brief docs if SORT_BRIEF_DOCS is set to NO
+# and ignored for detailed docs if SORT_MEMBER_DOCS is set to NO.
+
+SORT_MEMBERS_CTORS_1ST = NO
+
+# If the SORT_GROUP_NAMES tag is set to YES then doxygen will sort the
+# hierarchy of group names into alphabetical order. If set to NO (the default)
+# the group names will appear in their defined order.
+
+SORT_GROUP_NAMES = NO
+
+# If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be
+# sorted by fully-qualified names, including namespaces. If set to
+# NO (the default), the class list will be sorted only by class name,
+# not including the namespace part.
+# Note: This option is not very useful if HIDE_SCOPE_NAMES is set to YES.
+# Note: This option applies only to the class list, not to the
+# alphabetical list.
+
+SORT_BY_SCOPE_NAME = YES
+
+# If the STRICT_PROTO_MATCHING option is enabled and doxygen fails to do proper type resolution of all parameters of a function it will reject a
+# match between the prototype and the implementation of a member function even if there is only one candidate or it is obvious which candidate to choose by doing a simple string match. By disabling STRICT_PROTO_MATCHING doxygen
+# will still accept a match between prototype and implementation in such cases.
+
+STRICT_PROTO_MATCHING = NO
+
+# The GENERATE_TODOLIST tag can be used to enable (YES) or
+# disable (NO) the todo list. This list is created by putting \todo
+# commands in the documentation.
+
+GENERATE_TODOLIST = YES
+
+# The GENERATE_TESTLIST tag can be used to enable (YES) or
+# disable (NO) the test list. This list is created by putting \test
+# commands in the documentation.
+
+GENERATE_TESTLIST = YES
+
+# The GENERATE_BUGLIST tag can be used to enable (YES) or
+# disable (NO) the bug list. This list is created by putting \bug
+# commands in the documentation.
+
+GENERATE_BUGLIST = YES
+
+# The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or
+# disable (NO) the deprecated list. This list is created by putting
+# \deprecated commands in the documentation.
+
+GENERATE_DEPRECATEDLIST= YES
+
+# The ENABLED_SECTIONS tag can be used to enable conditional
+# documentation sections, marked by \if sectionname ... \endif.
+
+ENABLED_SECTIONS =
+
+# The MAX_INITIALIZER_LINES tag determines the maximum number of lines
+# the initial value of a variable or macro consists of for it to appear in
+# the documentation. If the initializer consists of more lines than specified
+# here it will be hidden. Use a value of 0 to hide initializers completely.
+# The appearance of the initializer of individual variables and macros in the
+# documentation can be controlled using \showinitializer or \hideinitializer
+# command in the documentation regardless of this setting.
+
+MAX_INITIALIZER_LINES = 30
+
+# Set the SHOW_USED_FILES tag to NO to disable the list of files generated
+# at the bottom of the documentation of classes and structs. If set to YES the
+# list will mention the files that were used to generate the documentation.
+
+SHOW_USED_FILES = YES
+
+# If the sources in your project are distributed over multiple directories
+# then setting the SHOW_DIRECTORIES tag to YES will show the directory hierarchy
+# in the documentation. The default is NO.
+
+SHOW_DIRECTORIES = NO
+
+# Set the SHOW_FILES tag to NO to disable the generation of the Files page.
+# This will remove the Files entry from the Quick Index and from the
+# Folder Tree View (if specified). The default is YES.
+
+SHOW_FILES = YES
+
+# Set the SHOW_NAMESPACES tag to NO to disable the generation of the
+# Namespaces page.
+# This will remove the Namespaces entry from the Quick Index
+# and from the Folder Tree View (if specified). The default is YES.
+
+SHOW_NAMESPACES = YES
+
+# The FILE_VERSION_FILTER tag can be used to specify a program or script that
+# doxygen should invoke to get the current version for each file (typically from
+# the version control system). Doxygen will invoke the program by executing (via
+# popen()) the command <command> <input-file>, where <command> is the value of
+# the FILE_VERSION_FILTER tag, and <input-file> is the name of an input file
+# provided by doxygen. Whatever the program writes to standard output
+# is used as the file version. See the manual for examples.
+
+FILE_VERSION_FILTER = "perl -e '@a = split(q( ), qx(svn stat -v $ARGV[0])); shift @a until $a[0] =~ /^[0-9]+$/ or @a == 0; shift @a; print shift(@a), qq(\n)'"
+
+# The LAYOUT_FILE tag can be used to specify a layout file which will be parsed
+# by doxygen. The layout file controls the global structure of the generated
+# output files in an output format independent way. The create the layout file
+# that represents doxygen's defaults, run doxygen with the -l option.
+# You can optionally specify a file name after the option, if omitted
+# DoxygenLayout.xml will be used as the name of the layout file.
+
+LAYOUT_FILE =
+
+#---------------------------------------------------------------------------
+# configuration options related to warning and progress messages
+#---------------------------------------------------------------------------
+
+# The QUIET tag can be used to turn on/off the messages that are generated
+# by doxygen. Possible values are YES and NO. If left blank NO is used.
+
+QUIET = YES
+
+# The WARNINGS tag can be used to turn on/off the warning messages that are
+# generated by doxygen. Possible values are YES and NO. If left blank
+# NO is used.
+
+WARNINGS = YES
+
+# If WARN_IF_UNDOCUMENTED is set to YES, then doxygen will generate warnings
+# for undocumented members. If EXTRACT_ALL is set to YES then this flag will
+# automatically be disabled.
+
+WARN_IF_UNDOCUMENTED = YES
+
+# If WARN_IF_DOC_ERROR is set to YES, doxygen will generate warnings for
+# potential errors in the documentation, such as not documenting some
+# parameters in a documented function, or documenting parameters that
+# don't exist or using markup commands wrongly.
+
+WARN_IF_DOC_ERROR = YES
+
+# The WARN_NO_PARAMDOC option can be enabled to get warnings for
+# functions that are documented, but have no documentation for their parameters
+# or return value. If set to NO (the default) doxygen will only warn about
+# wrong or incomplete parameter documentation, but not about the absence of
+# documentation.
+
+WARN_NO_PARAMDOC = NO
+
+# The WARN_FORMAT tag determines the format of the warning messages that
+# doxygen can produce. The string should contain the $file, $line, and $text
+# tags, which will be replaced by the file and line number from which the
+# warning originated and the warning text. Optionally the format may contain
+# $version, which will be replaced by the version of the file (if it could
+# be obtained via FILE_VERSION_FILTER)
+
+WARN_FORMAT = "$file:$line: $text"
+
+# The WARN_LOGFILE tag can be used to specify a file to which warning
+# and error messages should be written. If left blank the output is written
+# to stderr.
+
+WARN_LOGFILE =
+
+#---------------------------------------------------------------------------
+# configuration options related to the input files
+#---------------------------------------------------------------------------
+
+# The INPUT tag can be used to specify the files and/or directories that contain
+# documented source files. You may enter file names like "myfile.cpp" or
+# directories like "/usr/src/myproject". Separate the files or directories
+# with spaces.
+
+INPUT = doc \
+ rpki \
+ rpki/gui \
+ rpki/gui/app \
+ rpki/gui/app/templates \
+ rpki/gui/app/templates/registration \
+ rpki/gui/app/templates/rpkigui \
+ rpki/gui/cacheview \
+ rpki/gui/cacheview/templates \
+ rpki/gui/cacheview/templates/cacheview \
+ rpki/gui/templates \
+ rpkid.py \
+ pubd.py \
+ irdbd.py \
+ rootd.py \
+ irbe_cli.py
+
+# This tag can be used to specify the character encoding of the source files
+# that doxygen parses. Internally doxygen uses the UTF-8 encoding, which is
+# also the default input encoding. Doxygen uses libiconv (or the iconv built
+# into libc) for the transcoding. See http://www.gnu.org/software/libiconv for
+# the list of possible encodings.
+
+INPUT_ENCODING = UTF-8
+
+# If the value of the INPUT tag contains directories, you can use the
+# FILE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp
+# and *.h) to filter out the source-files in the directories. If left
+# blank the following patterns are tested:
+# *.c *.cc *.cxx *.cpp *.c++ *.d *.java *.ii *.ixx *.ipp *.i++ *.inl *.h *.hh
+# *.hxx *.hpp *.h++ *.idl *.odl *.cs *.php *.php3 *.inc *.m *.mm *.dox *.py
+# *.f90 *.f *.for *.vhd *.vhdl
+
+FILE_PATTERNS = *.py
+
+# The RECURSIVE tag can be used to turn specify whether or not subdirectories
+# should be searched for input files as well. Possible values are YES and NO.
+# If left blank NO is used.
+
+RECURSIVE = NO
+
+# The EXCLUDE tag can be used to specify files and/or directories that should
+# excluded from the INPUT source files. This way you can easily exclude a
+# subdirectory from a directory tree whose root is specified with the INPUT tag.
+
+EXCLUDE =
+
+# The EXCLUDE_SYMLINKS tag can be used select whether or not files or
+# directories that are symbolic links (a Unix file system feature) are excluded
+# from the input.
+
+EXCLUDE_SYMLINKS = NO
+
+# If the value of the INPUT tag contains directories, you can use the
+# EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude
+# certain files from those directories. Note that the wildcards are matched
+# against the file with absolute path, so to exclude all test directories
+# for example use the pattern */test/*
+
+EXCLUDE_PATTERNS =
+
+# The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names
+# (namespaces, classes, functions, etc.) that should be excluded from the
+# output. The symbol name can be a fully qualified name, a word, or if the
+# wildcard * is used, a substring. Examples: ANamespace, AClass,
+# AClass::ANamespace, ANamespace::*Test
+
+EXCLUDE_SYMBOLS =
+
+# The EXAMPLE_PATH tag can be used to specify one or more files or
+# directories that contain example code fragments that are included (see
+# the \include command).
+
+EXAMPLE_PATH = . \
+ examples
+
+# If the value of the EXAMPLE_PATH tag contains directories, you can use the
+# EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp
+# and *.h) to filter out the source-files in the directories. If left
+# blank all files are included.
+
+EXAMPLE_PATTERNS = *
+
+# If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be
+# searched for input files to be used with the \include or \dontinclude
+# commands irrespective of the value of the RECURSIVE tag.
+# Possible values are YES and NO. If left blank NO is used.
+
+EXAMPLE_RECURSIVE = NO
+
+# The IMAGE_PATH tag can be used to specify one or more files or
+# directories that contain image that are included in the documentation (see
+# the \image command).
+
+IMAGE_PATH = $(IMAGE_PATH)
+
+# The INPUT_FILTER tag can be used to specify a program that doxygen should
+# invoke to filter for each input file. Doxygen will invoke the filter program
+# by executing (via popen()) the command <filter> <input-file>, where <filter>
+# is the value of the INPUT_FILTER tag, and <input-file> is the name of an
+# input file. Doxygen will then use the output that the filter program writes
+# to standard output.
+# If FILTER_PATTERNS is specified, this tag will be
+# ignored.
+
+INPUT_FILTER =
+
+# The FILTER_PATTERNS tag can be used to specify filters on a per file pattern
+# basis.
+# Doxygen will compare the file name with each pattern and apply the
+# filter if there is a match.
+# The filters are a list of the form:
+# pattern=filter (like *.cpp=my_cpp_filter). See INPUT_FILTER for further
+# info on how filters are used. If FILTER_PATTERNS is empty or if
+# non of the patterns match the file name, INPUT_FILTER is applied.
+
+FILTER_PATTERNS =
+
+# If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using
+# INPUT_FILTER) will be used to filter the input files when producing source
+# files to browse (i.e. when SOURCE_BROWSER is set to YES).
+
+FILTER_SOURCE_FILES = NO
+
+# The FILTER_SOURCE_PATTERNS tag can be used to specify source filters per file
+# pattern. A pattern will override the setting for FILTER_PATTERN (if any)
+# and it is also possible to disable source filtering for a specific pattern
+# using *.ext= (so without naming a filter). This option only has effect when
+# FILTER_SOURCE_FILES is enabled.
+
+FILTER_SOURCE_PATTERNS =
+
+#---------------------------------------------------------------------------
+# configuration options related to source browsing
+#---------------------------------------------------------------------------
+
+# If the SOURCE_BROWSER tag is set to YES then a list of source files will
+# be generated. Documented entities will be cross-referenced with these sources.
+# Note: To get rid of all source code in the generated output, make sure also
+# VERBATIM_HEADERS is set to NO.
+
+SOURCE_BROWSER = YES
+
+# Setting the INLINE_SOURCES tag to YES will include the body
+# of functions and classes directly in the documentation.
+
+INLINE_SOURCES = NO
+
+# Setting the STRIP_CODE_COMMENTS tag to YES (the default) will instruct
+# doxygen to hide any special comment blocks from generated source code
+# fragments. Normal C and C++ comments will always remain visible.
+
+STRIP_CODE_COMMENTS = YES
+
+# If the REFERENCED_BY_RELATION tag is set to YES
+# then for each documented function all documented
+# functions referencing it will be listed.
+
+REFERENCED_BY_RELATION = YES
+
+# If the REFERENCES_RELATION tag is set to YES
+# then for each documented function all documented entities
+# called/used by that function will be listed.
+
+REFERENCES_RELATION = YES
+
+# If the REFERENCES_LINK_SOURCE tag is set to YES (the default)
+# and SOURCE_BROWSER tag is set to YES, then the hyperlinks from
+# functions in REFERENCES_RELATION and REFERENCED_BY_RELATION lists will
+# link to the source code.
+# Otherwise they will link to the documentation.
+
+REFERENCES_LINK_SOURCE = YES
+
+# If the USE_HTAGS tag is set to YES then the references to source code
+# will point to the HTML generated by the htags(1) tool instead of doxygen
+# built-in source browser. The htags tool is part of GNU's global source
+# tagging system (see http://www.gnu.org/software/global/global.html). You
+# will need version 4.8.6 or higher.
+
+USE_HTAGS = NO
+
+# If the VERBATIM_HEADERS tag is set to YES (the default) then Doxygen
+# will generate a verbatim copy of the header file for each class for
+# which an include is specified. Set to NO to disable this.
+
+VERBATIM_HEADERS = NO
+
+#---------------------------------------------------------------------------
+# configuration options related to the alphabetical class index
+#---------------------------------------------------------------------------
+
+# If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index
+# of all compounds will be generated. Enable this if the project
+# contains a lot of classes, structs, unions or interfaces.
+
+ALPHABETICAL_INDEX = YES
+
+# If the alphabetical index is enabled (see ALPHABETICAL_INDEX) then
+# the COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns
+# in which this list will be split (can be a number in the range [1..20])
+
+COLS_IN_ALPHA_INDEX = 5
+
+# In case all classes in a project start with a common prefix, all
+# classes will be put under the same header in the alphabetical index.
+# The IGNORE_PREFIX tag can be used to specify one or more prefixes that
+# should be ignored while generating the index headers.
+
+IGNORE_PREFIX =
+
+#---------------------------------------------------------------------------
+# configuration options related to the HTML output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_HTML tag is set to YES (the default) Doxygen will
+# generate HTML output.
+
+GENERATE_HTML = YES
+
+# The HTML_OUTPUT tag is used to specify where the HTML docs will be put.
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be
+# put in front of it. If left blank `html' will be used as the default path.
+
+HTML_OUTPUT = html
+
+# The HTML_FILE_EXTENSION tag can be used to specify the file extension for
+# each generated HTML page (for example: .htm,.php,.asp). If it is left blank
+# doxygen will generate files with .html extension.
+
+HTML_FILE_EXTENSION = .html
+
+# The HTML_HEADER tag can be used to specify a personal HTML header for
+# each generated HTML page. If it is left blank doxygen will generate a
+# standard header.
+
+HTML_HEADER =
+
+# The HTML_FOOTER tag can be used to specify a personal HTML footer for
+# each generated HTML page. If it is left blank doxygen will generate a
+# standard footer.
+
+HTML_FOOTER =
+
+# The HTML_STYLESHEET tag can be used to specify a user-defined cascading
+# style sheet that is used by each HTML page. It can be used to
+# fine-tune the look of the HTML output. If the tag is left blank doxygen
+# will generate a default style sheet. Note that doxygen will try to copy
+# the style sheet file to the HTML output directory, so don't put your own
+# stylesheet in the HTML output directory as well, or it will be erased!
+
+HTML_STYLESHEET =
+
+# The HTML_COLORSTYLE_HUE tag controls the color of the HTML output.
+# Doxygen will adjust the colors in the stylesheet and background images
+# according to this color. Hue is specified as an angle on a colorwheel,
+# see http://en.wikipedia.org/wiki/Hue for more information.
+# For instance the value 0 represents red, 60 is yellow, 120 is green,
+# 180 is cyan, 240 is blue, 300 purple, and 360 is red again.
+# The allowed range is 0 to 359.
+
+HTML_COLORSTYLE_HUE = 220
+
+# The HTML_COLORSTYLE_SAT tag controls the purity (or saturation) of
+# the colors in the HTML output. For a value of 0 the output will use
+# grayscales only. A value of 255 will produce the most vivid colors.
+
+HTML_COLORSTYLE_SAT = 100
+
+# The HTML_COLORSTYLE_GAMMA tag controls the gamma correction applied to
+# the luminance component of the colors in the HTML output. Values below
+# 100 gradually make the output lighter, whereas values above 100 make
+# the output darker. The value divided by 100 is the actual gamma applied,
+# so 80 represents a gamma of 0.8, The value 220 represents a gamma of 2.2,
+# and 100 does not change the gamma.
+
+HTML_COLORSTYLE_GAMMA = 80
+
+# If the HTML_TIMESTAMP tag is set to YES then the footer of each generated HTML
+# page will contain the date and time when the page was generated. Setting
+# this to NO can help when comparing the output of multiple runs.
+
+HTML_TIMESTAMP = YES
+
+# If the HTML_ALIGN_MEMBERS tag is set to YES, the members of classes,
+# files or namespaces will be aligned in HTML using tables. If set to
+# NO a bullet list will be used.
+
+HTML_ALIGN_MEMBERS = YES
+
+# If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML
+# documentation will contain sections that can be hidden and shown after the
+# page has loaded. For this to work a browser that supports
+# JavaScript and DHTML is required (for instance Mozilla 1.0+, Firefox
+# Netscape 6.0+, Internet explorer 5.0+, Konqueror, or Safari).
+
+HTML_DYNAMIC_SECTIONS = NO
+
+# If the GENERATE_DOCSET tag is set to YES, additional index files
+# will be generated that can be used as input for Apple's Xcode 3
+# integrated development environment, introduced with OSX 10.5 (Leopard).
+# To create a documentation set, doxygen will generate a Makefile in the
+# HTML output directory. Running make will produce the docset in that
+# directory and running "make install" will install the docset in
+# ~/Library/Developer/Shared/Documentation/DocSets so that Xcode will find
+# it at startup.
+# See http://developer.apple.com/tools/creatingdocsetswithdoxygen.html
+# for more information.
+
+GENERATE_DOCSET = NO
+
+# When GENERATE_DOCSET tag is set to YES, this tag determines the name of the
+# feed. A documentation feed provides an umbrella under which multiple
+# documentation sets from a single provider (such as a company or product suite)
+# can be grouped.
+
+DOCSET_FEEDNAME = "Doxygen generated docs"
+
+# When GENERATE_DOCSET tag is set to YES, this tag specifies a string that
+# should uniquely identify the documentation set bundle. This should be a
+# reverse domain-name style string, e.g. com.mycompany.MyDocSet. Doxygen
+# will append .docset to the name.
+
+DOCSET_BUNDLE_ID = org.doxygen.Project
+
+# When GENERATE_PUBLISHER_ID tag specifies a string that should uniquely identify
+# the documentation publisher. This should be a reverse domain-name style
+# string, e.g. com.mycompany.MyDocSet.documentation.
+
+DOCSET_PUBLISHER_ID = org.doxygen.Publisher
+
+# The GENERATE_PUBLISHER_NAME tag identifies the documentation publisher.
+
+DOCSET_PUBLISHER_NAME = Publisher
+
+# If the GENERATE_HTMLHELP tag is set to YES, additional index files
+# will be generated that can be used as input for tools like the
+# Microsoft HTML help workshop to generate a compiled HTML help file (.chm)
+# of the generated HTML documentation.
+
+GENERATE_HTMLHELP = NO
+
+# If the GENERATE_HTMLHELP tag is set to YES, the CHM_FILE tag can
+# be used to specify the file name of the resulting .chm file. You
+# can add a path in front of the file if the result should not be
+# written to the html output directory.
+
+CHM_FILE =
+
+# If the GENERATE_HTMLHELP tag is set to YES, the HHC_LOCATION tag can
+# be used to specify the location (absolute path including file name) of
+# the HTML help compiler (hhc.exe). If non-empty doxygen will try to run
+# the HTML help compiler on the generated index.hhp.
+
+HHC_LOCATION =
+
+# If the GENERATE_HTMLHELP tag is set to YES, the GENERATE_CHI flag
+# controls if a separate .chi index file is generated (YES) or that
+# it should be included in the master .chm file (NO).
+
+GENERATE_CHI = NO
+
+# If the GENERATE_HTMLHELP tag is set to YES, the CHM_INDEX_ENCODING
+# is used to encode HtmlHelp index (hhk), content (hhc) and project file
+# content.
+
+CHM_INDEX_ENCODING =
+
+# If the GENERATE_HTMLHELP tag is set to YES, the BINARY_TOC flag
+# controls whether a binary table of contents is generated (YES) or a
+# normal table of contents (NO) in the .chm file.
+
+BINARY_TOC = NO
+
+# The TOC_EXPAND flag can be set to YES to add extra items for group members
+# to the contents of the HTML help documentation and to the tree view.
+
+TOC_EXPAND = NO
+
+# If the GENERATE_QHP tag is set to YES and both QHP_NAMESPACE and
+# QHP_VIRTUAL_FOLDER are set, an additional index file will be generated
+# that can be used as input for Qt's qhelpgenerator to generate a
+# Qt Compressed Help (.qch) of the generated HTML documentation.
+
+GENERATE_QHP = NO
+
+# If the QHG_LOCATION tag is specified, the QCH_FILE tag can
+# be used to specify the file name of the resulting .qch file.
+# The path specified is relative to the HTML output folder.
+
+QCH_FILE =
+
+# The QHP_NAMESPACE tag specifies the namespace to use when generating
+# Qt Help Project output. For more information please see
+# http://doc.trolltech.com/qthelpproject.html#namespace
+
+QHP_NAMESPACE =
+
+# The QHP_VIRTUAL_FOLDER tag specifies the namespace to use when generating
+# Qt Help Project output. For more information please see
+# http://doc.trolltech.com/qthelpproject.html#virtual-folders
+
+QHP_VIRTUAL_FOLDER = doc
+
+# If QHP_CUST_FILTER_NAME is set, it specifies the name of a custom filter to
+# add. For more information please see
+# http://doc.trolltech.com/qthelpproject.html#custom-filters
+
+QHP_CUST_FILTER_NAME =
+
+# The QHP_CUST_FILT_ATTRS tag specifies the list of the attributes of the
+# custom filter to add. For more information please see
+# <a href="http://doc.trolltech.com/qthelpproject.html#custom-filters">
+# Qt Help Project / Custom Filters</a>.
+
+QHP_CUST_FILTER_ATTRS =
+
+# The QHP_SECT_FILTER_ATTRS tag specifies the list of the attributes this
+# project's
+# filter section matches.
+# <a href="http://doc.trolltech.com/qthelpproject.html#filter-attributes">
+# Qt Help Project / Filter Attributes</a>.
+
+QHP_SECT_FILTER_ATTRS =
+
+# If the GENERATE_QHP tag is set to YES, the QHG_LOCATION tag can
+# be used to specify the location of Qt's qhelpgenerator.
+# If non-empty doxygen will try to run qhelpgenerator on the generated
+# .qhp file.
+
+QHG_LOCATION =
+
+# If the GENERATE_ECLIPSEHELP tag is set to YES, additional index files
+# will be generated, which together with the HTML files, form an Eclipse help
+# plugin. To install this plugin and make it available under the help contents
+# menu in Eclipse, the contents of the directory containing the HTML and XML
+# files needs to be copied into the plugins directory of eclipse. The name of
+# the directory within the plugins directory should be the same as
+# the ECLIPSE_DOC_ID value. After copying Eclipse needs to be restarted before
+# the help appears.
+
+GENERATE_ECLIPSEHELP = NO
+
+# A unique identifier for the eclipse help plugin. When installing the plugin
+# the directory name containing the HTML and XML files should also have
+# this name.
+
+ECLIPSE_DOC_ID = org.doxygen.Project
+
+# The DISABLE_INDEX tag can be used to turn on/off the condensed index at
+# top of each HTML page. The value NO (the default) enables the index and
+# the value YES disables it.
+
+DISABLE_INDEX = NO
+
+# This tag can be used to set the number of enum values (range [0,1..20])
+# that doxygen will group on one line in the generated HTML documentation.
+# Note that a value of 0 will completely suppress the enum values from appearing in the overview section.
+
+ENUM_VALUES_PER_LINE = 4
+
+# The GENERATE_TREEVIEW tag is used to specify whether a tree-like index
+# structure should be generated to display hierarchical information.
+# If the tag value is set to YES, a side panel will be generated
+# containing a tree-like index structure (just like the one that
+# is generated for HTML Help). For this to work a browser that supports
+# JavaScript, DHTML, CSS and frames is required (i.e. any modern browser).
+# Windows users are probably better off using the HTML help feature.
+
+GENERATE_TREEVIEW = NO
+
+# By enabling USE_INLINE_TREES, doxygen will generate the Groups, Directories,
+# and Class Hierarchy pages using a tree view instead of an ordered list.
+
+USE_INLINE_TREES = NO
+
+# If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be
+# used to set the initial width (in pixels) of the frame in which the tree
+# is shown.
+
+TREEVIEW_WIDTH = 250
+
+# When the EXT_LINKS_IN_WINDOW option is set to YES doxygen will open
+# links to external symbols imported via tag files in a separate window.
+
+EXT_LINKS_IN_WINDOW = NO
+
+# Use this tag to change the font size of Latex formulas included
+# as images in the HTML documentation. The default is 10. Note that
+# when you change the font size after a successful doxygen run you need
+# to manually remove any form_*.png images from the HTML output directory
+# to force them to be regenerated.
+
+FORMULA_FONTSIZE = 10
+
+# Use the FORMULA_TRANPARENT tag to determine whether or not the images
+# generated for formulas are transparent PNGs. Transparent PNGs are
+# not supported properly for IE 6.0, but are supported on all modern browsers.
+# Note that when changing this option you need to delete any form_*.png files
+# in the HTML output before the changes have effect.
+
+FORMULA_TRANSPARENT = YES
+
+# Enable the USE_MATHJAX option to render LaTeX formulas using MathJax
+# (see http://www.mathjax.org) which uses client side Javascript for the
+# rendering instead of using prerendered bitmaps. Use this if you do not
+# have LaTeX installed or if you want to formulas look prettier in the HTML
+# output. When enabled you also need to install MathJax separately and
+# configure the path to it using the MATHJAX_RELPATH option.
+
+USE_MATHJAX = NO
+
+# When MathJax is enabled you need to specify the location relative to the
+# HTML output directory using the MATHJAX_RELPATH option. The destination
+# directory should contain the MathJax.js script. For instance, if the mathjax
+# directory is located at the same level as the HTML output directory, then
+# MATHJAX_RELPATH should be ../mathjax. The default value points to the mathjax.org site, so you can quickly see the result without installing
+# MathJax, but it is strongly recommended to install a local copy of MathJax
+# before deployment.
+
+MATHJAX_RELPATH = http://www.mathjax.org/mathjax
+
+# When the SEARCHENGINE tag is enabled doxygen will generate a search box
+# for the HTML output. The underlying search engine uses javascript
+# and DHTML and should work on any modern browser. Note that when using
+# HTML help (GENERATE_HTMLHELP), Qt help (GENERATE_QHP), or docsets
+# (GENERATE_DOCSET) there is already a search function so this one should
+# typically be disabled. For large projects the javascript based search engine
+# can be slow, then enabling SERVER_BASED_SEARCH may provide a better solution.
+
+SEARCHENGINE = YES
+
+# When the SERVER_BASED_SEARCH tag is enabled the search engine will be
+# implemented using a PHP enabled web server instead of at the web client
+# using Javascript. Doxygen will generate the search PHP script and index
+# file to put on the web server. The advantage of the server
+# based approach is that it scales better to large projects and allows
+# full text search. The disadvantages are that it is more difficult to setup
+# and does not have live searching capabilities.
+
+SERVER_BASED_SEARCH = NO
+
+#---------------------------------------------------------------------------
+# configuration options related to the LaTeX output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_LATEX tag is set to YES (the default) Doxygen will
+# generate Latex output.
+
+GENERATE_LATEX = NO
+
+# The LATEX_OUTPUT tag is used to specify where the LaTeX docs will be put.
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be
+# put in front of it. If left blank `latex' will be used as the default path.
+
+LATEX_OUTPUT = latex
+
+# The LATEX_CMD_NAME tag can be used to specify the LaTeX command name to be
+# invoked. If left blank `latex' will be used as the default command name.
+# Note that when enabling USE_PDFLATEX this option is only used for
+# generating bitmaps for formulas in the HTML output, but not in the
+# Makefile that is written to the output directory.
+
+LATEX_CMD_NAME = latex
+
+# The MAKEINDEX_CMD_NAME tag can be used to specify the command name to
+# generate index for LaTeX. If left blank `makeindex' will be used as the
+# default command name.
+
+MAKEINDEX_CMD_NAME = makeindex
+
+# If the COMPACT_LATEX tag is set to YES Doxygen generates more compact
+# LaTeX documents. This may be useful for small projects and may help to
+# save some trees in general.
+
+COMPACT_LATEX = YES
+
+# The PAPER_TYPE tag can be used to set the paper type that is used
+# by the printer. Possible values are: a4, letter, legal and
+# executive. If left blank a4wide will be used.
+
+PAPER_TYPE = letter
+
+# The EXTRA_PACKAGES tag can be to specify one or more names of LaTeX
+# packages that should be included in the LaTeX output.
+
+EXTRA_PACKAGES =
+
+# The LATEX_HEADER tag can be used to specify a personal LaTeX header for
+# the generated latex document. The header should contain everything until
+# the first chapter. If it is left blank doxygen will generate a
+# standard header. Notice: only use this tag if you know what you are doing!
+
+LATEX_HEADER =
+
+# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated
+# is prepared for conversion to pdf (using ps2pdf). The pdf file will
+# contain links (just like the HTML output) instead of page references
+# This makes the output suitable for online browsing using a pdf viewer.
+
+PDF_HYPERLINKS = YES
+
+# If the USE_PDFLATEX tag is set to YES, pdflatex will be used instead of
+# plain latex in the generated Makefile. Set this option to YES to get a
+# higher quality PDF documentation.
+
+USE_PDFLATEX = YES
+
+# If the LATEX_BATCHMODE tag is set to YES, doxygen will add the \\batchmode.
+# command to the generated LaTeX files. This will instruct LaTeX to keep
+# running if errors occur, instead of asking the user for help.
+# This option is also used when generating formulas in HTML.
+
+LATEX_BATCHMODE = YES
+
+# If LATEX_HIDE_INDICES is set to YES then doxygen will not
+# include the index chapters (such as File Index, Compound Index, etc.)
+# in the output.
+
+LATEX_HIDE_INDICES = YES
+
+# If LATEX_SOURCE_CODE is set to YES then doxygen will include
+# source code with syntax highlighting in the LaTeX output.
+# Note that which sources are shown also depends on other settings
+# such as SOURCE_BROWSER.
+
+LATEX_SOURCE_CODE = NO
+
+#---------------------------------------------------------------------------
+# configuration options related to the RTF output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_RTF tag is set to YES Doxygen will generate RTF output
+# The RTF output is optimized for Word 97 and may not look very pretty with
+# other RTF readers or editors.
+
+GENERATE_RTF = NO
+
+# The RTF_OUTPUT tag is used to specify where the RTF docs will be put.
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be
+# put in front of it. If left blank `rtf' will be used as the default path.
+
+RTF_OUTPUT = rtf
+
+# If the COMPACT_RTF tag is set to YES Doxygen generates more compact
+# RTF documents. This may be useful for small projects and may help to
+# save some trees in general.
+
+COMPACT_RTF = NO
+
+# If the RTF_HYPERLINKS tag is set to YES, the RTF that is generated
+# will contain hyperlink fields. The RTF file will
+# contain links (just like the HTML output) instead of page references.
+# This makes the output suitable for online browsing using WORD or other
+# programs which support those fields.
+# Note: wordpad (write) and others do not support links.
+
+RTF_HYPERLINKS = NO
+
+# Load stylesheet definitions from file. Syntax is similar to doxygen's
+# config file, i.e. a series of assignments. You only have to provide
+# replacements, missing definitions are set to their default value.
+
+RTF_STYLESHEET_FILE =
+
+# Set optional variables used in the generation of an rtf document.
+# Syntax is similar to doxygen's config file.
+
+RTF_EXTENSIONS_FILE =
+
+#---------------------------------------------------------------------------
+# configuration options related to the man page output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_MAN tag is set to YES (the default) Doxygen will
+# generate man pages
+
+GENERATE_MAN = NO
+
+# The MAN_OUTPUT tag is used to specify where the man pages will be put.
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be
+# put in front of it. If left blank `man' will be used as the default path.
+
+MAN_OUTPUT = man
+
+# The MAN_EXTENSION tag determines the extension that is added to
+# the generated man pages (default is the subroutine's section .3)
+
+MAN_EXTENSION = .3
+
+# If the MAN_LINKS tag is set to YES and Doxygen generates man output,
+# then it will generate one additional man file for each entity
+# documented in the real man page(s). These additional files
+# only source the real man page, but without them the man command
+# would be unable to find the correct page. The default is NO.
+
+MAN_LINKS = NO
+
+#---------------------------------------------------------------------------
+# configuration options related to the XML output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_XML tag is set to YES Doxygen will
+# generate an XML file that captures the structure of
+# the code including all documentation.
+
+GENERATE_XML = YES
+
+# The XML_OUTPUT tag is used to specify where the XML pages will be put.
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be
+# put in front of it. If left blank `xml' will be used as the default path.
+
+XML_OUTPUT = xml
+
+# The XML_SCHEMA tag can be used to specify an XML schema,
+# which can be used by a validating XML parser to check the
+# syntax of the XML files.
+
+XML_SCHEMA =
+
+# The XML_DTD tag can be used to specify an XML DTD,
+# which can be used by a validating XML parser to check the
+# syntax of the XML files.
+
+XML_DTD =
+
+# If the XML_PROGRAMLISTING tag is set to YES Doxygen will
+# dump the program listings (including syntax highlighting
+# and cross-referencing information) to the XML output. Note that
+# enabling this will significantly increase the size of the XML output.
+
+XML_PROGRAMLISTING = YES
+
+#---------------------------------------------------------------------------
+# configuration options for the AutoGen Definitions output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_AUTOGEN_DEF tag is set to YES Doxygen will
+# generate an AutoGen Definitions (see autogen.sf.net) file
+# that captures the structure of the code including all
+# documentation. Note that this feature is still experimental
+# and incomplete at the moment.
+
+GENERATE_AUTOGEN_DEF = NO
+
+#---------------------------------------------------------------------------
+# configuration options related to the Perl module output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_PERLMOD tag is set to YES Doxygen will
+# generate a Perl module file that captures the structure of
+# the code including all documentation. Note that this
+# feature is still experimental and incomplete at the
+# moment.
+
+GENERATE_PERLMOD = NO
+
+# If the PERLMOD_LATEX tag is set to YES Doxygen will generate
+# the necessary Makefile rules, Perl scripts and LaTeX code to be able
+# to generate PDF and DVI output from the Perl module output.
+
+PERLMOD_LATEX = NO
+
+# If the PERLMOD_PRETTY tag is set to YES the Perl module output will be
+# nicely formatted so it can be parsed by a human reader.
+# This is useful
+# if you want to understand what is going on.
+# On the other hand, if this
+# tag is set to NO the size of the Perl module output will be much smaller
+# and Perl will parse it just the same.
+
+PERLMOD_PRETTY = YES
+
+# The names of the make variables in the generated doxyrules.make file
+# are prefixed with the string contained in PERLMOD_MAKEVAR_PREFIX.
+# This is useful so different doxyrules.make files included by the same
+# Makefile don't overwrite each other's variables.
+
+PERLMOD_MAKEVAR_PREFIX =
+
+#---------------------------------------------------------------------------
+# Configuration options related to the preprocessor
+#---------------------------------------------------------------------------
+
+# If the ENABLE_PREPROCESSING tag is set to YES (the default) Doxygen will
+# evaluate all C-preprocessor directives found in the sources and include
+# files.
+
+ENABLE_PREPROCESSING = YES
+
+# If the MACRO_EXPANSION tag is set to YES Doxygen will expand all macro
+# names in the source code. If set to NO (the default) only conditional
+# compilation will be performed. Macro expansion can be done in a controlled
+# way by setting EXPAND_ONLY_PREDEF to YES.
+
+MACRO_EXPANSION = NO
+
+# If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES
+# then the macro expansion is limited to the macros specified with the
+# PREDEFINED and EXPAND_AS_DEFINED tags.
+
+EXPAND_ONLY_PREDEF = NO
+
+# If the SEARCH_INCLUDES tag is set to YES (the default) the includes files
+# in the INCLUDE_PATH (see below) will be search if a #include is found.
+
+SEARCH_INCLUDES = YES
+
+# The INCLUDE_PATH tag can be used to specify one or more directories that
+# contain include files that are not input files but should be processed by
+# the preprocessor.
+
+INCLUDE_PATH =
+
+# You can use the INCLUDE_FILE_PATTERNS tag to specify one or more wildcard
+# patterns (like *.h and *.hpp) to filter out the header-files in the
+# directories. If left blank, the patterns specified with FILE_PATTERNS will
+# be used.
+
+INCLUDE_FILE_PATTERNS =
+
+# The PREDEFINED tag can be used to specify one or more macro names that
+# are defined before the preprocessor is started (similar to the -D option of
+# gcc). The argument of the tag is a list of macros of the form: name
+# or name=definition (no spaces). If the definition and the = are
+# omitted =1 is assumed. To prevent a macro definition from being
+# undefined via #undef or recursively expanded use the := operator
+# instead of the = operator.
+
+PREDEFINED =
+
+# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then
+# this tag can be used to specify a list of macro names that should be expanded.
+# The macro definition that is found in the sources will be used.
+# Use the PREDEFINED tag if you want to use a different macro definition that overrules the definition found in the source code.
+
+EXPAND_AS_DEFINED =
+
+# If the SKIP_FUNCTION_MACROS tag is set to YES (the default) then
+# doxygen's preprocessor will remove all references to function-like macros
+# that are alone on a line, have an all uppercase name, and do not end with a
+# semicolon, because these will confuse the parser if not removed.
+
+SKIP_FUNCTION_MACROS = YES
+
+#---------------------------------------------------------------------------
+# Configuration::additions related to external references
+#---------------------------------------------------------------------------
+
+# The TAGFILES option can be used to specify one or more tagfiles.
+# Optionally an initial location of the external documentation
+# can be added for each tagfile. The format of a tag file without
+# this location is as follows:
+#
+# TAGFILES = file1 file2 ...
+# Adding location for the tag files is done as follows:
+#
+# TAGFILES = file1=loc1 "file2 = loc2" ...
+# where "loc1" and "loc2" can be relative or absolute paths or
+# URLs. If a location is present for each tag, the installdox tool
+# does not have to be run to correct the links.
+# Note that each tag file must have a unique name
+# (where the name does NOT include the path)
+# If a tag file is not located in the directory in which doxygen
+# is run, you must also specify the path to the tagfile here.
+
+TAGFILES =
+
+# When a file name is specified after GENERATE_TAGFILE, doxygen will create
+# a tag file that is based on the input files it reads.
+
+GENERATE_TAGFILE =
+
+# If the ALLEXTERNALS tag is set to YES all external classes will be listed
+# in the class index. If set to NO only the inherited external classes
+# will be listed.
+
+ALLEXTERNALS = NO
+
+# If the EXTERNAL_GROUPS tag is set to YES all external groups will be listed
+# in the modules index. If set to NO, only the current project's groups will
+# be listed.
+
+EXTERNAL_GROUPS = YES
+
+# The PERL_PATH should be the absolute path and name of the perl script
+# interpreter (i.e. the result of `which perl').
+
+PERL_PATH = /usr/bin/perl
+
+#---------------------------------------------------------------------------
+# Configuration options related to the dot tool
+#---------------------------------------------------------------------------
+
+# If the CLASS_DIAGRAMS tag is set to YES (the default) Doxygen will
+# generate a inheritance diagram (in HTML, RTF and LaTeX) for classes with base
+# or super classes. Setting the tag to NO turns the diagrams off. Note that
+# this option also works with HAVE_DOT disabled, but it is recommended to
+# install and use dot, since it yields more powerful graphs.
+
+CLASS_DIAGRAMS = NO
+
+# You can define message sequence charts within doxygen comments using the \msc
+# command. Doxygen will then run the mscgen tool (see
+# http://www.mcternan.me.uk/mscgen/) to produce the chart and insert it in the
+# documentation. The MSCGEN_PATH tag allows you to specify the directory where
+# the mscgen tool resides. If left empty the tool is assumed to be found in the
+# default search path.
+
+MSCGEN_PATH =
+
+# If set to YES, the inheritance and collaboration graphs will hide
+# inheritance and usage relations if the target is undocumented
+# or is not a class.
+
+HIDE_UNDOC_RELATIONS = NO
+
+# If you set the HAVE_DOT tag to YES then doxygen will assume the dot tool is
+# available from the path. This tool is part of Graphviz, a graph visualization
+# toolkit from AT&T and Lucent Bell Labs. The other options in this section
+# have no effect if this option is set to NO (the default)
+
+HAVE_DOT = YES
+
+# The DOT_NUM_THREADS specifies the number of dot invocations doxygen is
+# allowed to run in parallel. When set to 0 (the default) doxygen will
+# base this on the number of processors available in the system. You can set it
+# explicitly to a value larger than 0 to get control over the balance
+# between CPU load and processing speed.
+
+DOT_NUM_THREADS = 0
+
+# By default doxygen will write a font called Helvetica to the output
+# directory and reference it in all dot files that doxygen generates.
+# When you want a differently looking font you can specify the font name
+# using DOT_FONTNAME. You need to make sure dot is able to find the font,
+# which can be done by putting it in a standard location or by setting the
+# DOTFONTPATH environment variable or by setting DOT_FONTPATH to the directory
+# containing the font.
+
+DOT_FONTNAME = FreeSans
+
+# The DOT_FONTSIZE tag can be used to set the size of the font of dot graphs.
+# The default size is 10pt.
+
+DOT_FONTSIZE = 10
+
+# By default doxygen will tell dot to use the output directory to look for the
+# FreeSans.ttf font (which doxygen will put there itself). If you specify a
+# different font using DOT_FONTNAME you can set the path where dot
+# can find it using this tag.
+
+DOT_FONTPATH =
+
+# If the CLASS_GRAPH and HAVE_DOT tags are set to YES then doxygen
+# will generate a graph for each documented class showing the direct and
+# indirect inheritance relations. Setting this tag to YES will force the
+# the CLASS_DIAGRAMS tag to NO.
+
+CLASS_GRAPH = YES
+
+# If the COLLABORATION_GRAPH and HAVE_DOT tags are set to YES then doxygen
+# will generate a graph for each documented class showing the direct and
+# indirect implementation dependencies (inheritance, containment, and
+# class references variables) of the class with other documented classes.
+
+COLLABORATION_GRAPH = YES
+
+# If the GROUP_GRAPHS and HAVE_DOT tags are set to YES then doxygen
+# will generate a graph for groups, showing the direct groups dependencies
+
+GROUP_GRAPHS = YES
+
+# If the UML_LOOK tag is set to YES doxygen will generate inheritance and
+# collaboration diagrams in a style similar to the OMG's Unified Modeling
+# Language.
+
+UML_LOOK = YES
+
+# If set to YES, the inheritance and collaboration graphs will show the
+# relations between templates and their instances.
+
+TEMPLATE_RELATIONS = YES
+
+# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDE_GRAPH, and HAVE_DOT
+# tags are set to YES then doxygen will generate a graph for each documented
+# file showing the direct and indirect include dependencies of the file with
+# other documented files.
+
+INCLUDE_GRAPH = YES
+
+# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDED_BY_GRAPH, and
+# HAVE_DOT tags are set to YES then doxygen will generate a graph for each
+# documented header file showing the documented files that directly or
+# indirectly include this file.
+
+INCLUDED_BY_GRAPH = YES
+
+# If the CALL_GRAPH and HAVE_DOT options are set to YES then
+# doxygen will generate a call dependency graph for every global function
+# or class method. Note that enabling this option will significantly increase
+# the time of a run. So in most cases it will be better to enable call graphs
+# for selected functions only using the \callgraph command.
+
+CALL_GRAPH = YES
+
+# If the CALLER_GRAPH and HAVE_DOT tags are set to YES then
+# doxygen will generate a caller dependency graph for every global function
+# or class method. Note that enabling this option will significantly increase
+# the time of a run. So in most cases it will be better to enable caller
+# graphs for selected functions only using the \callergraph command.
+
+CALLER_GRAPH = YES
+
+# If the GRAPHICAL_HIERARCHY and HAVE_DOT tags are set to YES then doxygen
+# will generate a graphical hierarchy of all classes instead of a textual one.
+
+GRAPHICAL_HIERARCHY = YES
+
+# If the DIRECTORY_GRAPH, SHOW_DIRECTORIES and HAVE_DOT tags are set to YES
+# then doxygen will show the dependencies a directory has on other directories
+# in a graphical way. The dependency relations are determined by the #include
+# relations between the files in the directories.
+
+DIRECTORY_GRAPH = YES
+
+# The DOT_IMAGE_FORMAT tag can be used to set the image format of the images
+# generated by dot. Possible values are png, svg, gif or svg.
+# If left blank png will be used.
+
+DOT_IMAGE_FORMAT = png
+
+# The tag DOT_PATH can be used to specify the path where the dot tool can be
+# found. If left blank, it is assumed the dot tool can be found in the path.
+
+DOT_PATH =
+
+# The DOTFILE_DIRS tag can be used to specify one or more directories that
+# contain dot files that are included in the documentation (see the
+# \dotfile command).
+
+DOTFILE_DIRS = doc
+
+# The MSCFILE_DIRS tag can be used to specify one or more directories that
+# contain msc files that are included in the documentation (see the
+# \mscfile command).
+
+MSCFILE_DIRS =
+
+# The DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of
+# nodes that will be shown in the graph. If the number of nodes in a graph
+# becomes larger than this value, doxygen will truncate the graph, which is
+# visualized by representing a node as a red box. Note that doxygen if the
+# number of direct children of the root node in a graph is already larger than
+# DOT_GRAPH_MAX_NODES then the graph will not be shown at all. Also note
+# that the size of a graph can be further restricted by MAX_DOT_GRAPH_DEPTH.
+
+DOT_GRAPH_MAX_NODES = 50
+
+# The MAX_DOT_GRAPH_DEPTH tag can be used to set the maximum depth of the
+# graphs generated by dot. A depth value of 3 means that only nodes reachable
+# from the root by following a path via at most 3 edges will be shown. Nodes
+# that lay further from the root node will be omitted. Note that setting this
+# option to 1 or 2 may greatly reduce the computation time needed for large
+# code bases. Also note that the size of a graph can be further restricted by
+# DOT_GRAPH_MAX_NODES. Using a depth of 0 means no depth restriction.
+
+MAX_DOT_GRAPH_DEPTH = 0
+
+# Set the DOT_TRANSPARENT tag to YES to generate images with a transparent
+# background. This is disabled by default, because dot on Windows does not
+# seem to support this out of the box. Warning: Depending on the platform used,
+# enabling this option may lead to badly anti-aliased labels on the edges of
+# a graph (i.e. they become hard to read).
+
+DOT_TRANSPARENT = NO
+
+# Set the DOT_MULTI_TARGETS tag to YES allow dot to generate multiple output
+# files in one run (i.e. multiple -o and -T options on the command line). This
+# makes dot run faster, but since only newer versions of dot (>1.8.10)
+# support this, this feature is disabled by default.
+
+DOT_MULTI_TARGETS = YES
+
+# If the GENERATE_LEGEND tag is set to YES (the default) Doxygen will
+# generate a legend page explaining the meaning of the various boxes and
+# arrows in the dot generated graphs.
+
+GENERATE_LEGEND = NO
+
+# If the DOT_CLEANUP tag is set to YES (the default) Doxygen will
+# remove the intermediate dot files that are used to generate
+# the various graphs.
+
+DOT_CLEANUP = NO
diff --git a/ca/Makefile.in b/ca/Makefile.in
new file mode 100644
index 00000000..d36a3163
--- /dev/null
+++ b/ca/Makefile.in
@@ -0,0 +1,339 @@
+# $Id$
+
+PYTHON = @PYTHON@
+TRANG = @TRANG@
+
+CFLAGS = @CFLAGS@
+LDFLAGS = @LDFLAGS@ @POW_LDFLAGS@
+LIBS = @LIBS@
+
+INSTALL = @INSTALL@ -m 555
+
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+datarootdir = @datarootdir@
+datadir = @datadir@
+localstatedir = @localstatedir@
+sharedstatedir = @sharedstatedir@
+sysconfdir = @sysconfdir@
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+sysconfdir = @sysconfdir@
+
+abs_builddir = @abs_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+abs_top_builddir= @abs_top_builddir@
+srcdir = @srcdir@
+
+WSGI_DAEMON_PROCESS = @WSGI_DAEMON_PROCESS@
+WSGI_PROCESS_GROUP = @WSGI_PROCESS_GROUP@
+RCYNIC_HTML_DIR = @RCYNIC_HTML_DIR@
+APACHE_VERSION = @APACHE_VERSION@
+WSGI_PYTHON_EGG_CACHE_DIR = @WSGI_PYTHON_EGG_CACHE_DIR@
+WSGI_PYTHON_EGG_CACHE_USER = @WSGI_PYTHON_EGG_CACHE_USER@
+
+RPKID_INSTALL_TARGETS = @RPKID_INSTALL_TARGETS@
+
+SETUP_PY_INSTALL_LAYOUT = @SETUP_PY_INSTALL_LAYOUT@
+
+SETUP_PY_ROOT = `${PYTHON} -c 'import sys; print "--root " + sys.argv[1] if sys.argv[1] else ""' '${DESTDIR}'`
+
+POW_SO = rpki/POW/_POW.so
+
+all:: rpki/autoconf.py setup_autoconf.py rpki/relaxng.py myrpki.rng rpki/sql_schemas.py ${POW_SO} build/stamp
+
+.FORCE:
+
+${POW_SO}: .FORCE setup_autoconf.py
+ ${PYTHON} setup.py build_ext --inplace
+
+build/stamp: .FORCE setup_autoconf.py
+ ${PYTHON} setup.py build
+ touch $@
+
+clean::
+ rm -rf ${POW_SO} build dist
+
+RNGS = left-right-schema.rng up-down-schema.rng publication-schema.rng myrpki.rng router-certificate-schema.rng
+
+rpki/relaxng.py: ${abs_top_srcdir}/buildtools/make-relaxng.py ${RNGS}
+ ${PYTHON} ${abs_top_srcdir}/buildtools/make-relaxng.py ${RNGS} >$@.tmp
+ mv $@.tmp $@
+
+left-right-schema.rng: left-right-schema.rnc
+ ${TRANG} left-right-schema.rnc left-right-schema.rng
+
+up-down-schema.rng: up-down-schema.rnc
+ ${TRANG} up-down-schema.rnc up-down-schema.rng
+
+publication-schema.rng: publication-schema.rnc
+ ${TRANG} publication-schema.rnc publication-schema.rng
+
+myrpki.rng: myrpki.rnc
+ ${TRANG} myrpki.rnc myrpki.rng
+
+router-certificate-schema.rng: router-certificate-schema.rnc
+ ${TRANG} router-certificate-schema.rnc router-certificate-schema.rng
+
+rpki/sql_schemas.py: ${abs_top_srcdir}/buildtools/make-sql-schemas.py rpkid.sql pubd.sql
+ ${PYTHON} ${abs_top_srcdir}/buildtools/make-sql-schemas.py >$@.tmp
+ mv $@.tmp $@
+
+clean::
+ find . -type f -name '*.py[co]' -delete
+ cd tests; $(MAKE) $@
+
+install:: ${RPKID_INSTALL_TARGETS}
+
+install-always:: all
+ ${PYTHON} setup.py install ${SETUP_PY_ROOT} ${SETUP_PY_INSTALL_LAYOUT} --record installed
+ @echo
+ @echo "== Default configuration file location is ${sysconfdir}/rpki.conf =="
+ @echo
+ ${INSTALL} examples/rpki.conf ${DESTDIR}${sysconfdir}/rpki.conf.sample
+ ${INSTALL} -d ${DESTDIR}${datarootdir}/rpki/publication
+
+uninstall deinstall::
+ -${libexecdir}/rpkigui-apache-conf-gen --remove --verbose
+ xargs rm -fv <installed
+
+distclean::
+ rm -f installed
+
+dont-run-trang:
+ touch *.rng
+
+relaxng: left-right-schema.rng up-down-schema.rng publication-schema.rng
+ cd tests; $(MAKE) protocol-samples
+ xmllint --noout --relaxng left-right-schema.rng tests/left-right-protocol-samples/*.xml
+ xmllint --noout --relaxng up-down-schema.rng tests/up-down-protocol-samples/*.xml
+ xmllint --noout --relaxng publication-schema.rng tests/publication-protocol-samples/*.xml
+
+unit-tests: all
+ PWD=`pwd`; for i in rpki/*.py; do echo "[$$i]"; PYTHONPATH=$$PWD ${PYTHON} $$i; done
+
+all-tests:: unit-tests
+
+all-tests:: relaxng
+
+test all-tests parse-test profile yamltest yamlconf:: all
+ cd tests; $(MAKE) $@
+
+tags: Makefile
+ find . -type d -name build -prune -o -type f \( -name '*.py' -o -name '*.sql' -o -name '*.rnc' -o -name '*.py.in' \) ! -name relaxng.py ! -name sql_schemas.py -print | etags -
+
+lint:
+ pylint --rcfile ${abs_top_srcdir}/buildtools/pylint.rc rpki/*.py rpki/irdb/*.py *.py tests/*.py
+
+# Documentation
+
+doc/pubd.dot: pubd.sql
+ sh ${abs_top_srcdir}/buildtools/graphviz-sql.sh $? >$@
+
+doc/rpkid.dot: rpkid.sql
+ sh ${abs_top_srcdir}/buildtools/graphviz-sql.sh $? >$@
+
+.SUFFIXES: .dot .png .pdf .eps
+
+.dot.pdf:
+ dot -Tps2 $? | ps2pdf - $@
+
+.dot.eps:
+ dot -o $@ -Teps $?
+
+.dot.png:
+ dot -o $@ -Tpng $?
+
+dot: doc/pubd.dot doc/rpkid.dot
+
+eps: doc/pubd.eps doc/rpkid.eps doc/rpkid-bpki.eps doc/pubd-bpki.eps
+
+png: doc/pubd.png doc/rpkid.png doc/rpkid-bpki.png doc/pubd-bpki.png
+
+pdf: doc/pubd.pdf doc/rpkid.pdf doc/rpkid-bpki.pdf doc/pubd-bpki.pdf
+
+docclean:
+ rm -rf doc/html doc/latex doc/xml
+ rm -f doc/*.eps doc/*.pdf doc/*.png
+ rm -f doc/pubd.dot doc/rpkid.dot
+
+html: dot eps png
+ TZ='' IMAGE_PATH=${abs_builddir}/doc doxygen
+
+docs: dot eps png html pdf
+
+##
+
+distclean:: clean docclean
+ cd tests; ${MAKE} $@
+ rm -f TAGS Makefile
+
+all:: examples/rpki.conf
+
+examples/rpki.conf: rpki/autoconf.py rpki-confgen rpki-confgen.xml
+ ${PYTHON} rpki-confgen \
+ --read-xml rpki-confgen.xml \
+ --autoconf \
+ --set myrpki::handle=`hostname -f | sed 's/[.]/_/g'` \
+ --set myrpki::rpkid_server_host=`hostname -f` \
+ --set myrpki::pubd_server_host=`hostname -f` \
+ --pwgen myrpki::shared_sql_password \
+ --pwgen web_portal::secret-key \
+ --write-conf $@
+
+clean::
+ rm -f examples/rpki.conf
+
+rpki/autoconf.py: Makefile
+ @echo 'Generating $@'; \
+ (echo '# Automatically generated. DO NOT EDIT.'; \
+ echo ; \
+ echo 'bindir = "${bindir}"'; \
+ echo 'datarootdir = "${datarootdir}"'; \
+ echo 'localstatedir = "${localstatedir}"'; \
+ echo 'sbindir = "${sbindir}"'; \
+ echo 'sharedstatedir = "${sharedstatedir}"'; \
+ echo 'sysconfdir = "${sysconfdir}"'; \
+ echo 'libexecdir = "${libexecdir}"'; \
+ echo ; \
+ echo 'WSGI_DAEMON_PROCESS = "${WSGI_DAEMON_PROCESS}"'; \
+ echo 'WSGI_PROCESS_GROUP = "${WSGI_PROCESS_GROUP}"'; \
+ echo 'RCYNIC_HTML_DIR = "${RCYNIC_HTML_DIR}"'; \
+ echo 'APACHE_VERSION = "${APACHE_VERSION}"'; \
+ echo 'WSGI_PYTHON_EGG_CACHE_DIR = "${WSGI_PYTHON_EGG_CACHE_DIR}"'; \
+ echo 'WSGI_PYTHON_EGG_CACHE_USER = "${WSGI_PYTHON_EGG_CACHE_USER}"'; \
+ ) > $@
+
+clean::
+ rm -f rpki/autoconf.py
+
+setup_autoconf.py: rpki/autoconf.py
+ @echo 'Generating $@'; \
+ (cat rpki/autoconf.py; \
+ echo ; \
+ echo 'CFLAGS = """${CFLAGS}"""'; \
+ echo 'LDFLAGS = """${LDFLAGS}"""'; \
+ echo 'LIBS = """${LIBS}"""'; \
+ ) > $@
+
+clean::
+ rm -f setup_autoconf.py setup_autoconf.pyc
+
+install-postconf: \
+ install-user install-egg-cache install-conf install-apache install-mysql install-django install-bpki install-cron
+
+# This should create user "rpkid" and group "rpkid", but as we have
+# not yet tested our ability to run in such a configuration, this
+# would be a little premature. Can steal Makefile code for this from
+# rcynic when we're ready to do something with it.
+
+install-user:
+ @true
+
+# This is only necessary on some platforms (currently FreeBSD,
+# due to shortcomings in the way that Python eggs are installed
+# as system libraries).
+
+install-egg-cache:
+ @if test 'X${WSGI_PYTHON_EGG_CACHE_DIR}' != X && test ! -d '${WSGI_PYTHON_EGG_CACHE_DIR}'; then \
+ mkdir -v '${WSGI_PYTHON_EGG_CACHE_DIR}'; \
+ if test 'X${WSGI_PYTHON_EGG_CACHE_USER}' != X; then \
+ chown '${WSGI_PYTHON_EGG_CACHE_USER}' '${WSGI_PYTHON_EGG_CACHE_DIR}'; \
+ fi; \
+ fi
+
+# We used to play the FreeBSD game of copying rpki.conf.sample to
+# rpki.conf on install and removing rpki.conf if it's identical to
+# rpki.conf.sample in uninstall, but that turns out to work poorly
+# with generated passwords. So now we copy rpki.conf.sample if and
+# only if rpki.conf does not exist, and we leave removal of rpki.conf
+# for the user to deal with. This in turn leaves us with a different
+# problem of how to upgrade rpki.conf, but at least in the FreeBSD
+# universe we're supposed to leave that problem for the user.
+
+install-conf:
+ if test -f ${DESTDIR}${sysconfdir}/rpki.conf; \
+ then \
+ true; \
+ else \
+ cp -p ${DESTDIR}${sysconfdir}/rpki.conf.sample ${DESTDIR}${sysconfdir}/rpki.conf; \
+ fi
+
+uninstall deinstall::
+# if cmp -s ${DESTDIR}${sysconfdir}/rpki.conf ${DESTDIR}${sysconfdir}/rpki.conf.sample; then rm -f ${DESTDIR}${sysconfdir}/rpki.conf; else true; fi
+ rm -f ${DESTDIR}${sysconfdir}/rpki.conf.sample
+
+install-apache:
+ ${libexecdir}/rpkigui-apache-conf-gen --install --verbose
+
+install-mysql:
+ ${sbindir}/rpki-sql-setup
+
+install-django:
+ ${sbindir}/rpki-manage syncdb --noinput
+ ${sbindir}/rpki-manage migrate app
+
+install-bpki:
+ ${sbindir}/rpkic initialize_server_bpki
+
+# This needs to set up crontab entries for rpkigui-check-expired,
+# rpkigui-import-routes, and rpkic update_bpki. They probably don't
+# want run under the same user IDs either, so what with having to use
+# /usr/bin/crontab on some platforms, this should be entirely too
+# entertaining. Might be ok to run them all as user rpkid eventually.
+#
+# We really should be running exactly the same cron setup/teardown
+# code here as we do in platform-specific post-installation scripts,
+# but for now we just use crontab(1) here on all platforms.
+
+install-cron: install-cron-using-crontab
+
+uninstall deinstall:: uninstall-cron-using-crontab
+
+# Code for setting up and tearing down cron jobs using the crontab(1)
+# program. We don't use this on all platforms, but we do use it on
+# more than one, so it's broken out here as common code.
+#
+# CRONTAB_USER really should be rpkid, but we don't have the rest of
+# the package set up for that yet, so run it as root for now.
+
+CRONTAB_USER = root
+
+install-cron-using-crontab:
+ @crontab -l -u ${CRONTAB_USER} 2>/dev/null | \
+ awk -v t=`hexdump -n 2 -e '"%u\n"' /dev/urandom` ' \
+ BEGIN { \
+ cmd["${libexecdir}/rpkigui-import-routes"] = sprintf("%2u */2 * * *", t % 60); \
+ cmd["${libexecdir}/rpkigui-check-expired"] = "@daily "; \
+ cmd["${sbindir}/rpkic update_bpki" ] = "30 3 * * * "; \
+ } \
+ { \
+ print; \
+ for (i in cmd) \
+ if ($$0 ~ i) \
+ found[i] = $$0; \
+ } \
+ END { \
+ for (i in cmd) \
+ if (!found[i]) \
+ print cmd[i] "\texec " i; \
+ }' | \
+ crontab -u ${CRONTAB_USER} -
+
+uninstall-cron-using-crontab:
+ @crontab -l -u ${CRONTAB_USER} 2>/dev/null | \
+ awk ' \
+ BEGIN { \
+ empty = 1; \
+ } \
+ $$0 !~ "${libexecdir}/rpkigui-import-routes" && \
+ $$0 !~ "${libexecdir}/rpkigui-check-expired" && \
+ $$0 !~ "${sbindir}/rpkic update_bpki" { \
+ empty = 0; \
+ print | "/usr/bin/crontab -u ${CRONTAB_USER} -"; \
+ } \
+ END { \
+ if (empty) \
+ system("/usr/bin/crontab -u ${CRONTAB_USER} -r"); \
+ }'
diff --git a/ca/README b/ca/README
new file mode 100644
index 00000000..91d372de
--- /dev/null
+++ b/ca/README
@@ -0,0 +1,11 @@
+$Id$ -*- Text -*-
+
+RPKI CA tools.
+
+See:
+
+- The primary documentation at http://trac.rpki.net/
+
+- The PDF manual in ../doc/manual.pdf, or
+
+- The flat text pages ../doc/doc.RPKI.CA*
diff --git a/ca/doc/README b/ca/doc/README
new file mode 100644
index 00000000..33902d7e
--- /dev/null
+++ b/ca/doc/README
@@ -0,0 +1,16 @@
+$Id$
+
+Internals documentation for the RPKI CA tools.
+
+Once upon a time this included the hand-written documentation for the
+CA tools, but that is now part of the overall package documentation.
+What's left here is just what Doxygen generates from the source code
+and a few Graphviz diagrams.
+
+At the moment the control for the stuff generated here is still
+../Makefile, that may change at some point.
+
+We no longer generate the documentation here automatically, as it's
+kind of large and we're not sure anybody else cares about it, so if
+you want this manual you'll have to install Doxygen and build it
+yourself.
diff --git a/ca/doc/mainpage.py b/ca/doc/mainpage.py
new file mode 100644
index 00000000..4570547b
--- /dev/null
+++ b/ca/doc/mainpage.py
@@ -0,0 +1,71 @@
+## @file
+# @details
+# Doxygen documentation source, expressed as Python comments to make Doxygen happy.
+#
+# $Id$
+#
+# Copyright (C) 2009--2012 Internet Systems Consortium ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+#
+# Portions copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+## @mainpage RPKI Engine Reference Manual
+#
+# This collection of Python modules implements an RPKI CA engine.
+#
+# See http://trac.rpki.net/ for the RPKI tools package documentation.
+#
+# The documentation you're reading is generated automatically by
+# Doxygen from comments and documentation in
+# <a href="http://trac.rpki.net/browser/trunk">the code</a>.
+#
+# At one point this manual also included documentation for the CA
+# tools, but that has been integrated into the overall package
+# documentation. This manual is now just the CA tools internals.
+
+## @page sql-schemas SQL database schemas
+#
+# @li @subpage rpkid-sql "rpkid database schema"
+# @li @subpage pubd-sql "pubd database schema"
+
+## @page rpkid-sql rpkid SQL schema
+#
+# @image html rpkid.png "Diagram of rpkid.sql"
+# @image latex rpkid.eps "Diagram of rpkid.sql" height=\textheight
+#
+# @verbinclude rpkid.sql
+
+## @page pubd-sql pubd SQL Schema
+#
+# @image html pubd.png "Diagram of pubd.sql"
+# @image latex pubd.eps "Diagram of pubd.sql" width=\textwidth
+#
+# @verbinclude pubd.sql
+
+# Local Variables:
+# mode:python
+# compile-command: "cd ../.. && ./config.status && cd rpkid && make docs"
+# End:
diff --git a/ca/doc/pubd-bpki.dot b/ca/doc/pubd-bpki.dot
new file mode 100644
index 00000000..44ad8a90
--- /dev/null
+++ b/ca/doc/pubd-bpki.dot
@@ -0,0 +1,42 @@
+// $Id$
+
+// Color code:
+// Black: Operating entity
+// Red: Cross-certified client
+//
+// Shape code:
+// Octagon: TA
+// Diamond: CA
+// Record: EE
+
+digraph bpki_pubd {
+ splines = true;
+ size = "14,14";
+ node [ fontname = Times, fontsize = 9 ];
+
+ // Operating entity
+ node [ color = black, fontcolor = black, shape = record ];
+ TA [ shape = octagon, label = "BPKI TA" ];
+ pubd [ label = "pubd|{HTTPS server|CMS}" ];
+ ctl [ label = "Control|{HTTPS client|CMS}" ];
+
+ // Clients
+ node [ color = red, fontcolor = red, shape = diamond ];
+ Alice_CA;
+ Bob_CA;
+ node [ color = red, fontcolor = red, shape = record ];
+ Alice_EE [ label = "Alice\nEE|{HTTPS client|CMS}" ];
+ Bob_EE [ label = "Bob\nEE|{HTTPS client|CMS}" ];
+
+ edge [ color = black, style = dotted ];
+ TA -> pubd;
+ TA -> ctl;
+
+ edge [ color = black, style = solid ];
+ TA -> Alice_CA;
+ TA -> Bob_CA;
+
+ edge [ color = red, style = solid ];
+ Alice_CA -> Alice_EE;
+ Bob_CA -> Bob_EE;
+}
diff --git a/ca/doc/rpkid-bpki.dot b/ca/doc/rpkid-bpki.dot
new file mode 100644
index 00000000..651591cb
--- /dev/null
+++ b/ca/doc/rpkid-bpki.dot
@@ -0,0 +1,76 @@
+// $Id$
+
+// Color code:
+// Black: Hosting entity
+// Blue: Hosted entity
+// Red: Cross-certified peer
+//
+// Shape code:
+// Octagon: TA
+// Diamond: CA
+// Record: EE
+
+digraph bpki_rpkid {
+ splines = true;
+ size = "14,14";
+ node [ fontname = Times, fontsize = 9 ];
+
+ // Hosting entity
+ node [ color = black, shape = record ];
+ TA [ shape = octagon, label = "BPKI TA" ];
+ rpkid [ label = "rpkid|{HTTPS server|HTTPS left-right client|CMS left-right}" ];
+ irdbd [ label = "irdbd|{HTTPS left-right server|CMS left-right}" ];
+ irbe [ label = "IRBE|{HTTPS left-right client|CMS left-right}" ];
+
+ // Hosted entities
+ node [ color = blue, fontcolor = blue ];
+ Alice_CA [ shape = diamond ];
+ Alice_EE [ label = "Alice\nBSC EE|{HTTPS up-down client|CMS up-down}" ];
+ Ellen_CA [ shape = diamond ];
+ Ellen_EE [ label = "Ellen\nBSC EE|{HTTPS up-down client|CMS up-down}" ];
+
+ // Peers
+ node [ color = red, fontcolor = red, shape = diamond ];
+ Bob_CA;
+ Carol_CA;
+ Dave_CA;
+ Frank_CA;
+ Ginny_CA;
+ Harry_CA;
+ node [ shape = record ];
+ Bob_EE [ label = "Bob\nEE|{HTTPS up-down|CMS up-down}" ];
+ Carol_EE [ label = "Carol\nEE|{HTTPS up-down|CMS up-down}" ];
+ Dave_EE [ label = "Dave\nEE|{HTTPS up-down|CMS up-down}" ];
+ Frank_EE [ label = "Frank\nEE|{HTTPS up-down|CMS up-down}" ];
+ Ginny_EE [ label = "Ginny\nEE|{HTTPS up-down|CMS up-down}" ];
+ Harry_EE [ label = "Bob\nEE|{HTTPS up-down|CMS up-down}" ];
+
+ edge [ color = black, style = solid ];
+ TA -> Alice_CA;
+ TA -> Ellen_CA;
+
+ edge [ color = black, style = dotted ];
+ TA -> rpkid;
+ TA -> irdbd;
+ TA -> irbe;
+
+ edge [ color = blue, style = solid ];
+ Alice_CA -> Bob_CA;
+ Alice_CA -> Carol_CA;
+ Alice_CA -> Dave_CA;
+ Ellen_CA -> Frank_CA;
+ Ellen_CA -> Ginny_CA;
+ Ellen_CA -> Harry_CA;
+
+ edge [ color = blue, style = dotted ];
+ Alice_CA -> Alice_EE;
+ Ellen_CA -> Ellen_EE;
+
+ edge [ color = red, style = solid ];
+ Bob_CA -> Bob_EE;
+ Carol_CA -> Carol_EE;
+ Dave_CA -> Dave_EE;
+ Frank_CA -> Frank_EE;
+ Ginny_CA -> Ginny_EE;
+ Harry_CA -> Harry_EE;
+}
diff --git a/ca/examples/asns.csv b/ca/examples/asns.csv
new file mode 100644
index 00000000..9d742740
--- /dev/null
+++ b/ca/examples/asns.csv
@@ -0,0 +1,5 @@
+# $Id$
+#
+# Syntax: <child_handle> <asn>
+#
+Alice 64533
diff --git a/ca/examples/prefixes.csv b/ca/examples/prefixes.csv
new file mode 100644
index 00000000..ece18d32
--- /dev/null
+++ b/ca/examples/prefixes.csv
@@ -0,0 +1,8 @@
+# $Id$
+#
+# Syntax: <child_handle> <prefix>/<length>
+# or: <child_handle> <min>-<max>
+#
+Alice 192.0.2.0/27
+Bob 192.0.2.44-192.0.2.100
+Bob 10.0.0.0/8
diff --git a/ca/examples/roas.csv b/ca/examples/roas.csv
new file mode 100644
index 00000000..e4ec3074
--- /dev/null
+++ b/ca/examples/roas.csv
@@ -0,0 +1,5 @@
+# $Id$
+#
+# Syntax: <prefix>/<length>-<maxlength> <asn> <group>
+#
+10.3.0.44/32 666 Mom
diff --git a/ca/examples/rsyncd.conf b/ca/examples/rsyncd.conf
new file mode 100644
index 00000000..faf1dd0d
--- /dev/null
+++ b/ca/examples/rsyncd.conf
@@ -0,0 +1,53 @@
+# $Id$
+#
+# Sample rsyncd.conf file for use with pubd. You may need to
+# customize this for the conventions on your system. See the rsync
+# and rsyncd.conf manual pages for a complete explanation of how to
+# configure rsyncd, this is just a simple configuration to get you
+# started.
+#
+# There are two parameters in the following which you should set to
+# appropriate values for your system:
+#
+# "myname" is the rsync module name to configure, as in
+# "rsync://rpki.example.org/rpki/"; see the publication_rsync_module
+# parameter in rpki.conf
+#
+# "/some/where/publication" is the absolute pathname of the directory
+# where you told pubd to place its outputs; see the
+# publication_base_directory parameter in rpki.conf.
+#
+# You may need to adjust other parameters for your system environment.
+#
+# Copyright (C) 2009-2010 Internet Systems Consortium ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+pid file = /var/run/rsyncd.pid
+uid = nobody
+gid = nobody
+
+[rpki]
+ use chroot = no
+ read only = yes
+ transfer logging = yes
+ path = /some/where/publication
+ comment = RPKI Testbed
+
+[root]
+ # This one is only relevant if you're running rootd.
+ use chroot = no
+ read only = yes
+ transfer logging = yes
+ path = /some/where/publication.root
+ comment = RPKI Testbed Root
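Review bot: Both modules set `use chroot = no` while exporting an absolute `path` as uid/gid `nobody`; rsyncd's chroot is the main containment against a stray symlink or path mistake in the publication tree, so the sample should default to `use chroot = yes` and let the operator relax it where the platform or layout makes that impossible. `read only = yes` and `transfer logging = yes` are the right defaults for a public publication point and should stay. If chroot is deliberately off, a one-line comment above each module stating why (presumably symlinks into the tree, but I cannot tell from here) would stop operators from copying the setting blindly, e.g. `# use chroot = yes is preferred; disabled here only if your publication tree relies on symlinks outside it.`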
diff --git a/ca/irbe_cli b/ca/irbe_cli
new file mode 100755
index 00000000..9deac6d6
--- /dev/null
+++ b/ca/irbe_cli
@@ -0,0 +1,388 @@
+#!/usr/bin/env python
+
+# $Id$
+#
+# Copyright (C) 2009--2013 Internet Systems Consortium ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+#
+# Portions copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+__doc__ = """
+Command line IR back-end control program for rpkid and pubd.
+"""
+
+# Command line processing of this program is too complex and
+# idiosyncratic to be worth trying to reimplement using argparse.
+
+import sys
+import getopt
+import textwrap
+import rpki.left_right
+import rpki.http
+import rpki.x509
+import rpki.config
+import rpki.log
+import rpki.publication
+import rpki.async
+
+pem_out = None
+
+class UsageWrapper(textwrap.TextWrapper):
+ """
+ Call interface around Python textwrap.Textwrapper class.
+ """
+
+ def __call__(self, *args):
+ """
+ Format arguments, with TextWrapper indentation.
+ """
+ return self.fill(textwrap.dedent(" ".join(args)))
+
+usage_fill = UsageWrapper(subsequent_indent = " " * 4)
+
+class reply_elt_mixin(object):
+ """
+ Protocol mix-in for printout of reply PDUs.
+ """
+
+ is_cmd = False
+
+ def client_reply_decode(self):
+ pass
+
+ def client_reply_show(self):
+ print self.element_name
+ for i in self.attributes + self.elements:
+ if getattr(self, i) is not None:
+ print " %s: %s" % (i, getattr(self, i))
+
+class cmd_elt_mixin(reply_elt_mixin):
+ """
+ Protocol mix-in for command line client element PDUs.
+ """
+
+ is_cmd = True
+
+ ## @var excludes
+ # XML attributes and elements that should not be allowed as command
+ # line arguments.
+ excludes = ()
+
+ @classmethod
+ def usage(cls):
+ """
+ Generate usage message for this PDU.
+ """
+ args = " ".join("--" + x + "=" for x in cls.attributes + cls.elements if x not in cls.excludes)
+ bools = " ".join("--" + x for x in cls.booleans)
+ if args and bools:
+ return args + " " + bools
+ else:
+ return args or bools
+
+ def client_getopt(self, argv):
+ """
+ Parse options for this class.
+ """
+ # pylint: disable=W0621
+ opts, argv = getopt.getopt(argv, "", [x + "=" for x in self.attributes + self.elements if x not in self.excludes] + list(self.booleans))
+ for o, a in opts:
+ o = o[2:]
+ handler = getattr(self, "client_query_" + o, None)
+ if handler is not None:
+ handler(a)
+ elif o in self.booleans:
+ setattr(self, o, True)
+ else:
+ assert o in self.attributes
+ setattr(self, o, a)
+ return argv
+
+ def client_query_bpki_cert(self, arg):
+ """
+ Special handler for --bpki_cert option.
+ """
+ self.bpki_cert = rpki.x509.X509(Auto_file = arg)
+
+ def client_query_glue(self, arg):
+ """
+ Special handler for --bpki_glue option.
+ """
+ self.bpki_glue = rpki.x509.X509(Auto_file = arg)
+
+ def client_query_bpki_cms_cert(self, arg):
+ """
+ Special handler for --bpki_cms_cert option.
+ """
+ self.bpki_cms_cert = rpki.x509.X509(Auto_file = arg)
+
+ def client_query_cms_glue(self, arg):
+ """
+ Special handler for --bpki_cms_glue option.
+ """
+ self.bpki_cms_glue = rpki.x509.X509(Auto_file = arg)
+
+class cmd_msg_mixin(object):
+ """
+ Protocol mix-in for command line client message PDUs.
+ """
+
+ @classmethod
+ def usage(cls):
+ """
+ Generate usage message for this PDU.
+ """
+ for k, v in cls.pdus.items():
+ if v.is_cmd:
+ print usage_fill(k, v.usage())
+
+# left-right protcol
+
+class left_right_msg(cmd_msg_mixin, rpki.left_right.msg):
+
+ class self_elt(cmd_elt_mixin, rpki.left_right.self_elt):
+ pass
+
+ class bsc_elt(cmd_elt_mixin, rpki.left_right.bsc_elt):
+
+ excludes = ("pkcs10_request",)
+
+ def client_query_signing_cert(self, arg):
+ """--signing_cert option."""
+ self.signing_cert = rpki.x509.X509(Auto_file = arg)
+
+ def client_query_signing_cert_crl(self, arg):
+ """--signing_cert_crl option."""
+ self.signing_cert_crl = rpki.x509.CRL(Auto_file = arg)
+
+ def client_reply_decode(self):
+ global pem_out
+ if pem_out is not None and self.pkcs10_request is not None:
+ if isinstance(pem_out, str):
+ pem_out = open(pem_out, "w")
+ pem_out.write(self.pkcs10_request.get_PEM())
+
+ class parent_elt(cmd_elt_mixin, rpki.left_right.parent_elt):
+ pass
+
+ class child_elt(cmd_elt_mixin, rpki.left_right.child_elt):
+ pass
+
+ class repository_elt(cmd_elt_mixin, rpki.left_right.repository_elt):
+ pass
+
+ class list_published_objects_elt(cmd_elt_mixin, rpki.left_right.list_published_objects_elt):
+ excludes = ("uri",)
+
+ class list_received_resources_elt(cmd_elt_mixin, rpki.left_right.list_received_resources_elt):
+ excludes = ("parent_handle", "notBefore", "notAfter", "uri", "sia_uri", "aia_uri", "asn", "ipv4", "ipv6")
+
+ class report_error_elt(reply_elt_mixin, rpki.left_right.report_error_elt):
+ pass
+
+ pdus = dict((x.element_name, x)
+ for x in (self_elt, bsc_elt, parent_elt, child_elt, repository_elt,
+ list_published_objects_elt, list_received_resources_elt, report_error_elt))
+
+class left_right_sax_handler(rpki.left_right.sax_handler):
+ pdu = left_right_msg
+
+class left_right_cms_msg(rpki.left_right.cms_msg):
+ saxify = left_right_sax_handler.saxify
+
+# Publication protocol
+
+class publication_msg(cmd_msg_mixin, rpki.publication.msg):
+
+ class config_elt(cmd_elt_mixin, rpki.publication.config_elt):
+
+ def client_query_bpki_crl(self, arg):
+ """
+ Special handler for --bpki_crl option.
+ """
+ self.bpki_crl = rpki.x509.CRL(Auto_file = arg)
+
+ class client_elt(cmd_elt_mixin, rpki.publication.client_elt):
+ pass
+
+ class certificate_elt(cmd_elt_mixin, rpki.publication.certificate_elt):
+ pass
+
+ class crl_elt(cmd_elt_mixin, rpki.publication.crl_elt):
+ pass
+
+ class manifest_elt(cmd_elt_mixin, rpki.publication.manifest_elt):
+ pass
+
+ class roa_elt(cmd_elt_mixin, rpki.publication.roa_elt):
+ pass
+
+ class report_error_elt(reply_elt_mixin, rpki.publication.report_error_elt):
+ pass
+
+ class ghostbuster_elt(cmd_elt_mixin, rpki.publication.ghostbuster_elt):
+ pass
+
+ pdus = dict((x.element_name, x)
+ for x in (config_elt, client_elt, certificate_elt, crl_elt,
+ manifest_elt, roa_elt, report_error_elt,
+ ghostbuster_elt))
+
+class publication_sax_handler(rpki.publication.sax_handler):
+ pdu = publication_msg
+
+class publication_cms_msg(rpki.publication.cms_msg):
+ saxify = publication_sax_handler.saxify
+
+# Usage
+
+top_opts = ["config=", "help", "pem_out=", "quiet", "verbose"]
+
+def usage(code = 1):
+ if __doc__ is not None:
+ print __doc__.strip()
+ print
+ print "Usage:"
+ print
+ print "# Top-level options:"
+ print usage_fill(*["--" + x for x in top_opts])
+ print
+ print "# left-right protocol:"
+ left_right_msg.usage()
+ print
+ print "# publication protocol:"
+ publication_msg.usage()
+ sys.exit(code)
+
+# Main program
+
+rpki.log.init("irbe_cli")
+
+argv = sys.argv[1:]
+
+if not argv:
+ usage(0)
+
+cfg_file = None
+verbose = True
+
+opts, argv = getopt.getopt(argv, "c:hpqv?", top_opts)
+for o, a in opts:
+ if o in ("-?", "-h", "--help"):
+ usage(0)
+ elif o in ("-c", "--config"):
+ cfg_file = a
+ elif o in ("-p", "--pem_out"):
+ pem_out = a
+ elif o in ("-q", "--quiet"):
+ verbose = False
+ elif o in ("-v", "--verbose"):
+ verbose = True
+
+if not argv:
+ usage(1)
+
+cfg = rpki.config.parser(cfg_file, "irbe_cli")
+
+q_msg_left_right = []
+q_msg_publication = []
+
+while argv:
+ if argv[0] in left_right_msg.pdus:
+ q_pdu = left_right_msg.pdus[argv[0]]()
+ q_msg = q_msg_left_right
+ elif argv[0] in publication_msg.pdus:
+ q_pdu = publication_msg.pdus[argv[0]]()
+ q_msg = q_msg_publication
+ else:
+ usage(1)
+ argv = q_pdu.client_getopt(argv[1:])
+ q_msg.append(q_pdu)
+
+from django.conf import settings
+
+settings.configure(
+ DATABASES = { "default" : {
+ "ENGINE" : "django.db.backends.mysql",
+ "NAME" : cfg.get("sql-database", section = "irdbd"),
+ "USER" : cfg.get("sql-username", section = "irdbd"),
+ "PASSWORD" : cfg.get("sql-password", section = "irdbd"),
+ "HOST" : "",
+ "PORT" : "",
+ "OPTIONS" : { "init_command": "SET storage_engine=INNODB" }}},
+ INSTALLED_APPS = ("rpki.irdb",),
+)
+
+import rpki.irdb
+
+server_ca = rpki.irdb.ServerCA.objects.get()
+irbe = server_ca.ee_certificates.get(purpose = "irbe")
+
+if q_msg_left_right:
+
+ class left_right_proto(object):
+ cms_msg = left_right_cms_msg
+ msg = left_right_msg
+
+ rpkid = server_ca.ee_certificates.get(purpose = "rpkid")
+
+ rpkid_url = "http://%s:%s/left-right/" % (
+ cfg.get("server-host", section = "rpkid"),
+ cfg.get("server-port", section = "rpkid"))
+
+ call_rpkid = rpki.async.sync_wrapper(rpki.http.caller(
+ proto = left_right_proto,
+ client_key = irbe.private_key,
+ client_cert = irbe.certificate,
+ server_ta = server_ca.certificate,
+ server_cert = rpkid.certificate,
+ url = rpkid_url,
+ debug = verbose))
+
+ call_rpkid(*q_msg_left_right)
+
+if q_msg_publication:
+
+ class publication_proto(object):
+ msg = publication_msg
+ cms_msg = publication_cms_msg
+
+ pubd = server_ca.ee_certificates.get(purpose = "pubd")
+
+ pubd_url = "http://%s:%s/control/" % (
+ cfg.get("server-host", section = "pubd"),
+ cfg.get("server-port", section = "pubd"))
+
+ call_pubd = rpki.async.sync_wrapper(rpki.http.caller(
+ proto = publication_proto,
+ client_key = irbe.private_key,
+ client_cert = irbe.certificate,
+ server_ta = server_ca.certificate,
+ server_cert = pubd.certificate,
+ url = pubd_url,
+ debug = verbose))
+
+ call_pubd(*q_msg_publication)
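Review bot: The special-case handlers for the glue certificates never fire: client_getopt dispatches on `"client_query_" + o`, so `--bpki_glue` needs a method named `client_query_bpki_glue`, but the methods are named `client_query_glue` and `client_query_cms_glue` (their own docstrings say they serve `--bpki_glue` and `--bpki_cms_glue`). As written the option falls through to the generic `setattr` branch and the attribute ends up holding the file name string rather than an `rpki.x509.X509` object, assuming the attribute really is spelled `bpki_glue` as the docstrings imply. Renaming them `def client_query_bpki_glue(self, arg):` and `def client_query_bpki_cms_glue(self, arg):` restores the dispatch. Separately, the `assert o in self.attributes` guard in client_getopt is stripped under `python -O`; raising `getopt.GetoptError` there would make the check durable.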
diff --git a/ca/irdbd b/ca/irdbd
new file mode 100755
index 00000000..493e3d72
--- /dev/null
+++ b/ca/irdbd
@@ -0,0 +1,21 @@
+#!/usr/bin/env python
+
+# $Id$
+#
+# Copyright (C) 2010 Internet Systems Consortium ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+if __name__ == "__main__":
+ import rpki.irdbd
+ rpki.irdbd.main()
diff --git a/ca/pubd b/ca/pubd
new file mode 100755
index 00000000..7d8ecbfa
--- /dev/null
+++ b/ca/pubd
@@ -0,0 +1,21 @@
+#!/usr/bin/env python
+
+# $Id$
+#
+# Copyright (C) 2010 Internet Systems Consortium ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+if __name__ == "__main__":
+ import rpki.pubd
+ rpki.pubd.main()
diff --git a/ca/rootd b/ca/rootd
new file mode 100755
index 00000000..cb59f958
--- /dev/null
+++ b/ca/rootd
@@ -0,0 +1,21 @@
+#!/usr/bin/env python
+
+# $Id$
+#
+# Copyright (C) 2010 Internet Systems Consortium ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+if __name__ == "__main__":
+ import rpki.rootd
+ rpki.rootd.main()
diff --git a/ca/rpki-confgen b/ca/rpki-confgen
new file mode 100755
index 00000000..f531bee8
--- /dev/null
+++ b/ca/rpki-confgen
@@ -0,0 +1,291 @@
+#!/usr/bin/env python
+
+# $Id$
+#
+# Copyright (C) 2014 Dragon Research Labs ("DRL")
+# Portions copyright (C) 2013 Internet Systems Consortium ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notices and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND DRL AND ISC DISCLAIM ALL
+# WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DRL OR
+# ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+# DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA
+# OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
+# TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+import os
+import sys
+import argparse
+import base64
+import textwrap
+
+from lxml.etree import Element, SubElement, ElementTree
+
+space4 = " " * 4
+space6 = " " * 6
+space8 = " " * 8
+star78 = "*" * 78
+
+wiki_wrapper = textwrap.TextWrapper()
+conf_wrapper = textwrap.TextWrapper(initial_indent = "# ", subsequent_indent = "# ")
+xml6_wrapper = textwrap.TextWrapper(initial_indent = space6, subsequent_indent = space6)
+xml8_wrapper = textwrap.TextWrapper(initial_indent = space8, subsequent_indent = space8)
+
+class Option(object):
+
+ def __init__(self, name, value, doc):
+ self.name = name
+ self.value = value
+ self.doc = doc
+
+ @property
+ def width(self):
+ return len(self.name)
+
+ def to_xml(self):
+ x = Element("option", name = self.name)
+ if self.value is not None:
+ x.set("value", self.value)
+ for d in self.doc:
+ SubElement(x, "doc").text = "\n" + xml8_wrapper.fill(d) + "\n" + space6
+ return x
+
+ def to_wiki(self, f):
+ f.write("\n== %s == #%s\n" % (self.name, self.name))
+ for d in self.doc:
+ f.write("\n%s\n" % wiki_wrapper.fill(d))
+ if self.value is None:
+ f.write("\n%s\n" % wiki_wrapper.fill("No default value."))
+ else:
+ f.write("\n{{{\n#!ini\n%s = %s\n}}}\n" % (self.name, self.value))
+
+ def to_conf(self, f, width):
+ for i, d in enumerate(self.doc):
+ f.write("%s\n%s\n" % ("" if i == 0 else "#", conf_wrapper.fill(d)))
+ if self.value is None:
+ f.write("\n#%-*s = ???\n" % (width - 1, self.name))
+ else:
+ f.write("\n%-*s = %s\n" % (width, self.name, self.value))
+
+class Section(object):
+
+ def __init__(self, name):
+ self.name = name
+ self.doc = []
+ self.options = []
+
+ @property
+ def width(self):
+ return max(o.width for o in self.options)
+
+ @classmethod
+ def from_xml(cls, elt):
+ self = cls(name = elt.get("name"))
+ for x in elt.iterchildren("doc"):
+ self.doc.append(" ".join(x.text.split()))
+ for x in elt.iterchildren("option"):
+ self.options.append(Option(name = x.get("name"), value = x.get("value"),
+ doc = [" ".join(d.text.split())
+ for d in x.iterchildren("doc")]))
+ return self
+
+ def to_xml(self):
+ x = Element("section", name = self.name)
+ for d in self.doc:
+ SubElement(x, "doc").text = "\n" + xml6_wrapper.fill(d) + "\n" + space4
+ x.extend(o.to_xml() for o in self.options)
+ return x
+
+ def to_wiki(self, f):
+ f.write("\n= [%s] section = #%s\n" % (self.name, self.name))
+ for d in self.doc:
+ f.write("\n%s\n" % wiki_wrapper.fill(d))
+ for o in self.options:
+ o.to_wiki(f)
+
+ def to_conf(self, f, width):
+ f.write("\n" + "#" * 78 + "\n\n[" + self.name + "]\n")
+ if self.doc:
+ f.write("\n##")
+ for i, d in enumerate(self.doc):
+ f.write("%s\n%s\n" % ("" if i == 0 else "#", conf_wrapper.fill(d)))
+ f.write("##\n")
+ for o in self.options:
+ o.to_conf(f, width)
+
+def wiki_header(f, ident, toc):
+ f.write("\n".join((
+ "{{{",
+ "#!comment",
+ "",
+ star78,
+ "THIS PAGE WAS GENERATED AUTOMATICALLY, DO NOT EDIT.",
+ "",
+ "Generated from " + ident,
+ " by $Id$",
+ star78,
+ "",
+ "}}}",
+ "")))
+ if toc is not None:
+ f.write("[[TracNav(%s)]]\n" % toc)
+ f.write("[[PageOutline]]\n")
+
+def conf_header(f, ident):
+ f.write("\n".join((
+ "# Automatically generated. Edit as needed, but be careful of overwriting.",
+ "#",
+ "# Generated from " + ident,
+ "# by $Id$",
+ "")))
+
+
+# http://stackoverflow.com/questions/9027028/argparse-argument-order
+
+class CustomAction(argparse.Action):
+ def __call__(self, parser, namespace, values, option_string = None):
+ if not "ordered_args" in namespace:
+ namespace.ordered_args = []
+ namespace.ordered_args.append((self.dest, values))
+
+class CustomFlagAction(argparse.Action):
+ def __init__(self, option_strings, dest, default = None,
+ required = False, help = None):
+ super(CustomFlagAction, self).__init__(
+ option_strings = option_strings, dest = dest, nargs = 0,
+ const = None, default = default, required = required, help = help)
+ def __call__(self, parser, namespace, values, option_string = None):
+ if not "ordered_args" in namespace:
+ namespace.ordered_args = []
+ namespace.ordered_args.append((self.dest, None))
+
+
+class main(object):
+
+ def __init__(self):
+ self.sections = []
+ self.section_map = None
+ self.option_map = None
+ self.ident = None
+ self.toc = None
+
+ parser = argparse.ArgumentParser(description = __doc__)
+ parser.add_argument("--read-xml", metavar = "FILE", action = CustomAction,
+ required = True, type = argparse.FileType("r"),
+ help = "XML input file defining sections and options")
+ parser.add_argument("--write-xml", metavar = "FILE", action = CustomAction,
+ help = "XML file to write")
+ parser.add_argument("--write-wiki", metavar = "FILE", action = CustomAction,
+ help = "TracWiki file to write")
+ parser.add_argument("--write-conf", metavar = "FILE", action = CustomAction,
+ help = "rpki.conf configuration file to write")
+ parser.add_argument("--set", metavar = "VARVAL", action = CustomAction,
+ help = "variable setting in form \"VAR=VAL\"")
+ parser.add_argument("--pwgen", metavar = "VAR", action = CustomAction,
+ help = "set variable to generated password")
+ parser.add_argument("--toc", metavar = "TRACNAV", action = CustomAction,
+ help = "set TOC value to use with TracNav plugin")
+ parser.add_argument("--autoconf", action = CustomFlagAction,
+ help = "configure [autoconf] section")
+ args = parser.parse_args()
+
+ for cmd, arg in args.ordered_args:
+ getattr(self, "do_" + cmd)(arg)
+
+
+ def do_read_xml(self, arg):
+ self.option_map = None
+ root = ElementTree(file = arg).getroot()
+ self.ident = root.get("ident")
+ self.sections.extend(Section.from_xml(x) for x in root)
+ self.option_map = {}
+ self.section_map = {}
+ for section in self.sections:
+ if section.name in self.section_map:
+ sys.exit("Duplicate section %s" % section.name)
+ self.section_map[section.name] = section
+ for option in section.options:
+ name = (section.name, option.name)
+ if name in self.option_map:
+ sys.exit("Duplicate option %s::%s" % name)
+ self.option_map[name] = option
+
+
+ def do_set(self, arg):
+ try:
+ name, value = arg.split("=", 1)
+ section, option = name.split("::")
+ except ValueError:
+ sys.exit("Couldn't parse --set specification \"%s\"" % a)
+ name = (section, option)
+ if name not in self.option_map:
+ sys.exit("Couldn't find option %s::%s" % name)
+ self.option_map[name].value = value
+
+
+ def do_pwgen(self, arg):
+ try:
+ section, option = arg.split("::")
+ except ValueError:
+ sys.exit("Couldn't parse --pwgen specification \"%s\"" % a)
+ name = (section, option)
+ if name not in self.option_map:
+ sys.exit("Couldn't find option %s::%s" % name)
+ self.option_map[name].value = base64.urlsafe_b64encode(os.urandom(66))
+
+
+ def do_autoconf(self, ignored):
+ try:
+ import rpki.autoconf
+ for option in self.section_map["autoconf"].options:
+ try:
+ option.value = getattr(rpki.autoconf, option.name)
+ except AttributeError:
+ pass
+ except ImportError:
+ sys.exit("rpki.autoconf module is not available")
+ except KeyError:
+ sys.exit("Couldn't find autoconf section")
+
+
+ def do_write_xml(self, arg):
+ x = Element("configuration", ident = self.ident)
+ x.extend(s.to_xml() for s in self.sections)
+ ElementTree(x).write(arg, pretty_print = True, encoding = "us-ascii")
+
+
+ def do_write_wiki(self, arg):
+ if "%" in arg:
+ for section in self.sections:
+ with open(arg % section.name, "w") as f:
+ wiki_header(f, self.ident, self.toc)
+ section.to_wiki(f)
+ else:
+ with open(arg, "w") as f:
+ for i, section in enumerate(self.sections):
+ if i == 0:
+ wiki_header(f, self.ident, self.toc)
+ else:
+ f.write("\f\n")
+ section.to_wiki(f)
+
+
+ def do_write_conf(self, arg):
+ with open(arg, "w") as f:
+ conf_header(f, self.ident)
+ width = max(s.width for s in self.sections)
+ for section in self.sections:
+ section.to_conf(f, width)
+
+
+ def do_toc(self, arg):
+ self.toc = arg
+
+
+if __name__ == "__main__":
+ main()
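Review bot: Both error paths in do_set and do_pwgen format an undefined name: `sys.exit("Couldn't parse --set specification \"%s\"" % a)` and its twin in do_pwgen reference `a`, but the method parameter is `arg`, so a malformed `--set` or `--pwgen` dies with a NameError traceback instead of the intended message; change both to `% arg`. Separately, do_write_conf creates the output with a plain `open(arg, "w")`, so an rpki.conf carrying the `--pwgen`-generated SQL password gets whatever mode the process umask allows; if the caller is not already tightening permissions, consider `os.fdopen(os.open(arg, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "w")` or state that expectation in the `--write-conf` help text. The `os.urandom(66)` source for `--pwgen` is appropriate and needs no change.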
diff --git a/ca/rpki-confgen.xml b/ca/rpki-confgen.xml
new file mode 100644
index 00000000..e0ed273a
--- /dev/null
+++ b/ca/rpki-confgen.xml
@@ -0,0 +1,900 @@
+<!-- -*- SGML -*-
+ $Id$
+
+ Documented option definitions for rpki-confgen to use in generating
+ rpki.conf and TracWiki documentation.
+
+ Copyright (C) 2009-2013 Internet Systems Consortium ("ISC")
+
+ Permission to use, copy, modify, and distribute this software for any
+ purpose with or without fee is hereby granted, provided that the above
+ copyright notice and this permission notice appear in all copies.
+
+ THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<configuration ident = "$Id$">
+
+ <section name = "myrpki">
+
+ <doc>
+ The "`[myrpki]`" section contains all the parameters that you
+ really need to configure. The name "`myrpki`" is historical and
+ may change in the future.
+ </doc>
+
+ <option name = "handle">
+ <doc>
+ Every resource-holding or server-operating entity needs a
+ "handle", which is just an identifier by which the entity
+ calls itself. Handles do not need to be globally unique, but
+ should be chosen with an eye towards debugging operational
+ problems: it's best if you use a handle that your parents and
+ children will recognize as being you.
+ </doc>
+ <doc>
+ The "`handle`" option in the "`[myrpki]`" section specifies the
+ default handle for this installation. Previous versions of
+ the CA tools required a separate configuration file, each with
+ its own handle setting, for each hosted entity. The current
+ code allows the current handle to be selected at runtime in
+ both the GUI and command line user interface tools, so the
+ handle setting here is just the default when you don't set one
+ explictly. In the long run, this option may go away entirely,
+ but for now you need to set this.
+ </doc>
+ <doc>
+ Syntax is an identifier (ASCII letters, digits, hyphen,
+ underscore -- no whitespace, non-ASCII characters, or other
+ punctuation).
+ </doc>
+ </option>
+
+ <option name = "bpki_servers_directory"
+ value = "${autoconf::datarootdir}/rpki">
+ <doc>
+ Directory for BPKI files generated by rpkic and used by rpkid
+ and pubd. You will not normally need to change this.
+ </doc>
+ </option>
+
+ <option name = "run_rpkid"
+ value = "yes">
+ <doc>
+ Whether you want to run your own copy of rpkid (and irdbd).
+ Leave this alone unless you're doing something unusual like
+ running a pubd-only installation.
+ </doc>
+ </option>
+
+ <option name = "rpkid_server_host">
+ <doc>
+ DNS hostname for rpkid. In most cases, this must resolve to a
+ publicly-reachable address to be useful, as your RPKI children
+ will need to contact your rpkid at this address.
+ </doc>
+ </option>
+
+ <option name = "rpkid_server_port"
+ value = "4404">
+ <doc>
+ Server port number for rpkid. This can be any legal TCP port
+ number that you're not using for something else.
+ </doc>
+ </option>
+
+ <option name = "irdbd_server_host"
+ value = "localhost">
+ <doc>
+ DNS hostname for irdbd, or "`localhost`". This should be
+ "`localhost`" unless you really know what you are doing.
+ </doc>
+ </option>
+
+ <option name = "irdbd_server_port"
+ value = "4403">
+ <doc>
+ Server port number for irdbd. This can be any legal TCP port
+ number that you're not using for something else.
+ </doc>
+ </option>
+
+ <option name = "run_pubd"
+ value = "yes">
+ <doc>
+ Whether you want to run your own copy of pubd. In general,
+ it's best to use your parent's pubd if your parent allows you
+ to do so, because this will reduce the overall number of
+ publication sites from which relying parties will need to
+ retrieve data. However, not all parents offer publication
+ service, or you may need to run pubd yourself for reliability
+ reasons, or because you're certifying private address space or
+ private Autonomous System Numbers.
+ </doc>
+ <doc>
+ The out of band setup protocol will attempt to negotiate
+ publication service for you with whatever publication service
+ your parent is using, if it can and if you let it.
+ </doc>
+ </option>
+
+ <option name = "pubd_server_host">
+ <doc>
+ DNS hostname for pubd, if you're running it. This must
+ resolve to a publicly reachable address to be useful.
+ </doc>
+ </option>
+
+ <option name = "pubd_server_port"
+ value = "4402">
+ <doc>
+ Server port number for pubd. This can be any legal TCP port
+ number that you're not using for something else.
+ </doc>
+ </option>
+
+ <option name = "pubd_contact_info">
+ <doc>
+ Contact information to include in offers of repository
+ service. This only matters when you're running pubd. This
+ should be a human readable string, perhaps containing an email
+ address or URL.
+ </doc>
+ </option>
+
+ <option name = "run_rootd"
+ value = "no">
+ <doc>
+ Whether you want to run your very own copy of rootd. Don't
+ enable this unless you really know what you're doing.
+ </doc>
+ </option>
+
+ <option name = "rootd_server_host"
+ value = "localhost">
+ <doc>
+ DNS hostname for rootd, if you're running it. This should be
+ localhost unless you really know what you are doing.
+ </doc>
+ </option>
+
+ <option name = "rootd_server_port"
+ value = "4401">
+ <doc>
+ Server port number for rootd, if you're running it. This can
+ be any legal TCP port number that you're not using for
+ something else.
+ </doc>
+ </option>
+
+ <option name = "publication_base_directory"
+ value = "${autoconf::datarootdir}/rpki/publication">
+ <doc>
+ Root of local directory tree where pubd should write out published
+ data. You need to configure this, and the configuration should
+ match up with the directory where you point rsyncd. Neither pubd
+ nor rsyncd much cares //where// you tell it to put this stuff, the
+ important thing is that the rsync URIs in generated
+ certificates match up with the published objects so that relying
+ parties can find and verify rpkid's published outputs.
+ </doc>
+ </option>
+
+ <option name = "publication_root_cert_directory"
+ value = "${myrpki::publication_base_directory}.root">
+ <doc>
+ Root of local directory tree where rootd (sigh) should write out
+ published data. This is just like publication_base_directory, but
+ rootd is too dumb to use pubd and needs its own directory in
+ which to write one certificate, one CRL, and one manifest.
+ Neither rootd nor rsyncd much cares //where// you tell them to put
+ this stuff, the important thing is that the rsync URIs in
+ generated certificates match up with the published objects so that
+ relying parties can find and verify rootd's published outputs.
+ </doc>
+ </option>
+
+ <option name = "publication_rsync_module"
+ value = "rpki">
+ <doc>
+ rsyncd module name corresponding to publication_base_directory.
+ This has to match the module you configured into `rsyncd.conf`.
+ Leave this alone unless you have some need to change it.
+ </doc>
+ </option>
+
+ <option name = "publication_root_module"
+ value = "root">
+ <doc>
+ rsyncd module name corresponding to publication_root_cert_directory.
+ This has to match the module you configured into `rsyncd.conf`.
+ Leave this alone unless you have some need to change it.
+ </doc>
+ </option>
+
+ <option name = "publication_rsync_server"
+ value = "${myrpki::pubd_server_host}">
+ <doc>
+ Hostname and optional port number for rsync URIs. In most cases
+ this should just be the same value as pubd_server_host.
+ </doc>
+ </option>
+
+ <option name = "start_rpkid"
+ value = "${myrpki::run_rpkid}">
+ <doc>
+ rpkid startup control. This should usually have the same value as
+ run_rpkid: the only case where you would want to change this is
+ when you are running the back-end code on a different machine from
+ one or more of the daemons, in which case you need finer control
+ over which daemons to start on which machines. In such cases,
+ run_rpkid controls whether the back-end code is doing things to
+ manage rpkid, while start_rpkid controls whether
+ rpki-start-servers attempts to start rpkid on this machine.
+ </doc>
+ </option>
+
+ <option name = "start_irdbd"
+ value = "${myrpki::run_rpkid}">
+ <doc>
+ irdbd startup control. This should usually have the same value as
+ run_rpkid: the only case where you would want to change this is
+ when you are running the back-end code on a different machine from
+ one or more of the daemons, in which case you need finer control
+ over which daemons to start on which machines. In such cases,
+ run_rpkid controls whether the back-end code is doing things to
+ manage rpkid, while start_irdbd controls whether
+ rpki-start-servers attempts to start irdbd on this machine.
+ </doc>
+ </option>
+
+ <option name = "start_pubd"
+ value = "${myrpki::run_pubd}">
+ <doc>
+ pubd startup control. This should usually have the same value as
+ run_pubd: the only case where you would want to change this is
+ when you are running the back-end code on a different machine from
+ one or more of the daemons, in which case you need finer control
+ over which daemons to start on which machines. In such cases,
+ run_pubd controls whether the back-end code is doing things to
+ manage pubd, while start_pubd controls whether
+ rpki-start-servers attempts to start pubd on this machine.
+ </doc>
+ </option>
+
+ <option name = "start_rootd"
+ value = "${myrpki::run_rootd}">
+ <doc>
+ rootd startup control. This should usually have the same value as
+ run_rootd: the only case where you would want to change this is
+ when you are running the back-end code on a different machine from
+ one or more of the daemons, in which case you need finer control
+ over which daemons to start on which machines. In such cases,
+ run_rootd controls whether the back-end code is doing things to
+ manage rootd, while start_rootd controls whether
+ rpki-start-servers attempts to start rootd on this machine.
+ </doc>
+ </option>
+
+ <option name = "shared_sql_username"
+ value = "rpki">
+ <doc>
+ If you're comfortable with having all of the databases use the
+ same MySQL username, set that value here. The default setting
+ of this variable should be fine.
+ </doc>
+ </option>
+
+ <option name = "shared_sql_password">
+ <doc>
+ If you're comfortable with having all of the databases use the
+ same MySQL password, set that value here. You should use a
+ locally generated password either here or in the individual
+ settings below. The installation process generates a random
+ value for this option, which satisfies this requirement, so
+ ordinarily you should have no need to change this option.
+ </doc>
+ </option>
+
+ <option name = "rpkid_sql_database"
+ value = "rpkid">
+ <doc>
+ SQL database name for rpkid's database. The default setting of
+ this variable should be fine.
+ </doc>
+ </option>
+
+ <option name = "rpkid_sql_username"
+ value = "${myrpki::shared_sql_username}">
+ <doc>
+ If you want to use a separate SQL username for rpkid's database,
+ set it here.
+ </doc>
+ </option>
+
+ <option name = "rpkid_sql_password"
+ value = "${myrpki::shared_sql_password}">
+ <doc>
+ If you want to use a separate SQL password for rpkid's database,
+ set it here.
+ </doc>
+ </option>
+
+ <option name = "irdbd_sql_database"
+ value = "irdbd">
+ <doc>
+ SQL database for irdbd's database. The default setting of this
+ variable should be fine.
+ </doc>
+ </option>
+
+ <option name = "irdbd_sql_username"
+ value = "${myrpki::shared_sql_username}">
+ <doc>
+ If you want to use a separate SQL username for irdbd's database,
+ set it here.
+ </doc>
+ </option>
+
+ <option name = "irdbd_sql_password"
+ value = "${myrpki::shared_sql_password}">
+ <doc>
+ If you want to use a separate SQL password for irdbd's database,
+ set it here.
+ </doc>
+ </option>
+
+ <option name = "pubd_sql_database"
+ value = "pubd">
+ <doc>
+ SQL database name for pubd's database. The default setting of
+ this variable should be fine.
+ </doc>
+ </option>
+
+ <option name = "pubd_sql_username"
+ value = "${myrpki::shared_sql_username}">
+ <doc>
+ If you want to use a separate SQL username for pubd's database,
+ set it here.
+ </doc>
+ </option>
+
+ <option name = "pubd_sql_password"
+ value = "${myrpki::shared_sql_password}">
+ <doc>
+ If you want to use a separate SQL password for pubd's database,
+ set it here.
+ </doc>
+ </option>
+
+ </section>
+
+ <section name = "rpkid">
+
+ <doc>
+ rpkid's default config file is the system `rpki.conf` file.
+ Start rpkid with "`-c filename`" to choose a different config
+ file. All options are in the "`[rpkid]`" section. BPKI
+ Certificates and keys may be in either DER or PEM format.
+ </doc>
+
+ <option name = "sql-database"
+ value = "${myrpki::rpkid_sql_database}">
+ <doc>
+ MySQL database name for rpkid.
+ </doc>
+ </option>
+
+ <option name = "sql-username"
+ value = "${myrpki::rpkid_sql_username}">
+ <doc>
+ MySQL user name for rpkid.
+ </doc>
+ </option>
+
+ <option name = "sql-password"
+ value = "${myrpki::rpkid_sql_password}">
+ <doc>
+ MySQL password for rpkid.
+ </doc>
+ </option>
+
+ <option name = "server-host"
+ value = "${myrpki::rpkid_server_host}">
+ <doc>
+ Host on which rpkid should listen for HTTP service requests.
+ </doc>
+ </option>
+
+ <option name = "server-port"
+ value = "${myrpki::rpkid_server_port}">
+ <doc>
+ Port on which rpkid should listen for HTTP service requests.
+ </doc>
+ </option>
+
+ <option name = "irdb-url"
+ value = "http://${myrpki::irdbd_server_host}:${myrpki::irdbd_server_port}/">
+ <doc>
+ HTTP service URL rpkid should use to contact irdbd. If irdbd is
+ running on the same machine as rpkid, this can and probably should
+ be a loopback URL, since nobody but rpkid needs to talk to irdbd.
+ </doc>
+ </option>
+
+ <option name = "bpki-ta"
+ value = "${myrpki::bpki_servers_directory}/ca.cer">
+ <doc>
+ Where rpkid should look for the BPKI trust anchor. All BPKI
+ certificate verification within rpkid traces back to this
+ trust anchor. Don't change this unless you really know what
+ you are doing.
+ </doc>
+ </option>
+
+ <option name = "rpkid-cert"
+ value = "${myrpki::bpki_servers_directory}/rpkid.cer">
+ <doc>
+ Where rpkid should look for its own BPKI EE certificate. Don't
+ change this unless you really know what you are doing.
+ </doc>
+ </option>
+
+ <option name = "rpkid-key"
+ value = "${myrpki::bpki_servers_directory}/rpkid.key">
+ <doc>
+ Where rpkid should look for the private key corresponding to its
+ own BPKI EE certificate. Don't change this unless you really know
+ what you are doing.
+ </doc>
+ </option>
+
+ <option name = "irdb-cert"
+ value = "${myrpki::bpki_servers_directory}/irdbd.cer">
+ <doc>
+ Where rpkid should look for irdbd's BPKI EE certificate.
+ Don't change this unless you really know what you are doing.
+ </doc>
+ </option>
+
+ <option name = "irbe-cert"
+ value = "${myrpki::bpki_servers_directory}/irbe.cer">
+ <doc>
+ Where rpkid should look for the back-end control client's BPKI EE
+ certificate. Don't change this unless you really know what you
+ are doing.
+ </doc>
+ </option>
+
+ </section>
+
+ <section name = "irdbd">
+
+ <doc>
+ irdbd's default configuration file is the system `rpki.conf`
+ file. Start irdbd with "`-c filename`" to choose a different
+ configuration file. All options are in the "`[irdbd]`" section.
+ </doc>
+
+ <doc>
+ Since irdbd is part of the back-end system, it has direct access to
+ the back-end's SQL database, and thus is able to pull its own BPKI
+ configuration directly from the database, and thus needs a bit less
+ configuration than the other daemons.
+ </doc>
+
+ <option name = "sql-database"
+ value = "${myrpki::irdbd_sql_database}">
+ <doc>
+ MySQL database name for irdbd.
+ </doc>
+ </option>
+
+ <option name = "sql-username"
+ value = "${myrpki::irdbd_sql_username}">
+ <doc>
+ MySQL user name for irdbd.
+ </doc>
+ </option>
+
+ <option name = "sql-password"
+ value = "${myrpki::irdbd_sql_password}">
+ <doc>
+ MySQL password for irdbd.
+ </doc>
+ </option>
+
+ <option name = "server-host"
+ value = "${myrpki::irdbd_server_host}">
+ <doc>
+ Host on which irdbd should listen for HTTP service requests.
+ </doc>
+ </option>
+
+ <option name = "server-port"
+ value = "${myrpki::irdbd_server_port}">
+ <doc>
+ Port on which irdbd should listen for HTTP service requests.
+ </doc>
+ </option>
+
+ <option name = "startup-message">
+ <doc>
+ String to log on startup, useful when debugging a collection
+ of irdbd instances at once.
+ </doc>
+ </option>
+
+ </section>
+
+ <section name = "pubd">
+
+ <doc>
+ pubd's default configuration file is the system `rpki.conf`
+ file. Start pubd with "`-c filename`" to choose a different
+ configuration file. All options are in the "`[pubd]`" section.
+ BPKI certificates and keys may be either DER or PEM format.
+ </doc>
+
+ <option name = "sql-database"
+ value = "${myrpki::pubd_sql_database}">
+ <doc>
+ MySQL database name for pubd.
+ </doc>
+ </option>
+
+ <option name = "sql-username"
+ value = "${myrpki::pubd_sql_username}">
+ <doc>
+ MySQL user name for pubd.
+ </doc>
+ </option>
+
+ <option name = "sql-password"
+ value = "${myrpki::pubd_sql_password}">
+ <doc>
+ MySQL password for pubd.
+ </doc>
+ </option>
+
+ <option name = "publication-base"
+ value = "${myrpki::publication_base_directory}">
+ <doc>
+ Root of directory tree where pubd should write out published data.
+ You need to configure this, and the configuration should match up
+ with the directory where you point rsyncd. Neither pubd nor rsyncd
+ much cares -where- you tell them to put this stuff, the important
+ thing is that the rsync URIs in generated certificates match up
+ with the published objects so that relying parties can find and
+ verify rpkid's published outputs.
+ </doc>
+ </option>
+
+ <option name = "server-host"
+ value = "${myrpki::pubd_server_host}">
+ <doc>
+ Host on which pubd should listen for HTTP service requests.
+ </doc>
+ </option>
+
+ <option name = "server-port"
+ value = "${myrpki::pubd_server_port}">
+ <doc>
+ Port on which pubd should listen for HTTP service requests.
+ </doc>
+ </option>
+
+ <option name = "bpki-ta"
+ value = "${myrpki::bpki_servers_directory}/ca.cer">
+ <doc>
+ Where pubd should look for the BPKI trust anchor. All BPKI
+ certificate verification within pubd traces back to this
+ trust anchor. Don't change this unless you really know what
+ you are doing.
+ </doc>
+ </option>
+
+ <option name = "pubd-cert"
+ value = "${myrpki::bpki_servers_directory}/pubd.cer">
+ <doc>
+ Where pubd should look for its own BPKI EE certificate. Don't
+ change this unless you really know what you are doing.
+ </doc>
+ </option>
+
+ <option name = "pubd-key"
+ value = "${myrpki::bpki_servers_directory}/pubd.key">
+ <doc>
+ Where pubd should look for the private key corresponding to its
+ own BPKI EE certificate. Don't change this unless you really know
+ what you are doing.
+ </doc>
+ </option>
+
+ <option name = "irbe-cert"
+ value = "${myrpki::bpki_servers_directory}/irbe.cer">
+ <doc>
+ Where pubd should look for the back-end control client's BPKI EE
+ certificate. Don't change this unless you really know what you
+ are doing.
+ </doc>
+ </option>
+
+ </section>
+
+ <section name = "rootd">
+
+ <doc>
+ You don't need to run rootd unless you're IANA, are certifying
+ private address space, or are an RIR which refuses to accept IANA as
+ the root of the public address hierarchy.
+ </doc>
+
+ <doc>
+ Ok, if that wasn't enough to scare you off: rootd is a mess, and
+ needs to be rewritten, or, better, merged into rpkid. It
+ doesn't use the publication protocol, and it requires far too
+ many configuration parameters.
+ </doc>
+
+ <doc>
+ rootd was originally intended to be a very simple program which
+ simplified rpkid enormously by moving one specific task (acting
+ as the root CA of an RPKI certificate hierarchy) out of rpkid.
+ As the specifications and code (mostly the latter) have evolved,
+ however, this task has become more complicated, and rootd would
+ have to become much more complicated to keep up.
+ </doc>
+
+ <doc>
+ Don't run rootd unless you're sure that you need to do so.
+ </doc>
+
+ <doc>
+ Still think you need to run rootd? OK, but remember, you have
+ been warned....
+ </doc>
+
+ <doc>
+ rootd's default configuration file is the system `rpki.conf`
+ file. Start rootd with "`-c filename`" to choose a different
+ configuration file. All options are in the "`[rootd]`" section.
+ Certificates and keys may be in either DER or PEM format.
+ </doc>
+
+ <option name = "bpki-ta"
+ value = "${myrpki::bpki_servers_directory}/ca.cer">
+ <doc>
+ Where rootd should look for the BPKI trust anchor. All BPKI
+ certificate verification within rootd traces back to this
+ trust anchor. Don't change this unless you really know what
+ you are doing.
+ </doc>
+ </option>
+
+ <option name = "rootd-bpki-crl"
+ value = "${myrpki::bpki_servers_directory}/ca.crl">
+ <doc>
+ BPKI CRL. Don't change this unless you really know what you are
+ doing.
+ </doc>
+ </option>
+
+ <option name = "rootd-bpki-cert"
+ value = "${myrpki::bpki_servers_directory}/rootd.cer">
+ <doc>
+ rootd's own BPKI EE certificate. Don't change this unless you
+ really know what you are doing.
+ </doc>
+ </option>
+
+ <option name = "rootd-bpki-key"
+ value = "${myrpki::bpki_servers_directory}/rootd.key">
+ <doc>
+ Private key corresponding to rootd's own BPKI EE certificate.
+ Don't change this unless you really know what you are doing.
+ </doc>
+ </option>
+
+ <option name = "child-bpki-cert"
+ value = "${myrpki::bpki_servers_directory}/child.cer">
+ <doc>
+ BPKI certificate for rootd's one and only up-down child (RPKI
+ engine to which rootd issues an RPKI certificate). Don't
+ change this unless you really know what you are doing.
+ </doc>
+ </option>
+
+ <option name = "server-host"
+ value = "${myrpki::rootd_server_host}">
+ <doc>
+ Server host on which rootd should listen.
+ </doc>
+ </option>
+
+ <option name = "server-port"
+ value = "${myrpki::rootd_server_port}">
+ <doc>
+ Server port on which rootd should listen.
+ </doc>
+ </option>
+
+ <option name = "rpki-root-dir"
+ value = "${myrpki::publication_base_directory}">
+ <doc>
+ Where rootd should write its output. Yes, rootd should be using
+ pubd instead of publishing directly, but it doesn't. This
+ needs to match pubd's configuration.
+ </doc>
+ </option>
+
+ <option name = "rpki-base-uri"
+ value = "rsync://${myrpki::publication_rsync_server}/${myrpki::publication_rsync_module}/">
+ <doc>
+ rsync URI corresponding to directory containing rootd's outputs.
+ </doc>
+ </option>
+
+ <option name = "rpki-root-cert-uri"
+ value = "rsync://${myrpki::publication_rsync_server}/${myrpki::publication_root_module}/root.cer">
+ <doc>
+ rsync URI for rootd's root (self-signed) RPKI certificate.
+ </doc>
+ </option>
+
+ <option name = "rpki-root-key"
+ value = "${myrpki::bpki_servers_directory}/root.key">
+ <doc>
+ Private key corresponding to rootd's root RPKI certificate.
+ </doc>
+ </option>
+
+ <option name = "rpki-root-cert"
+ value = "${myrpki::publication_root_cert_directory}/root.cer">
+ <doc>
+ Filename (as opposed to rsync URI) of rootd's root RPKI
+ certificate.
+ </doc>
+ </option>
+
+ <option name = "rpki-subject-pkcs10"
+ value = "${myrpki::bpki_servers_directory}/rootd.subject.pkcs10">
+ <doc>
+ Where rootd should stash a copy of the PKCS #10 request it gets
+ from its one (and only) child
+ </doc>
+ </option>
+
+ <option name = "rpki-subject-lifetime"
+ value = "30d">
+ <doc>
+ Lifetime of the one and only RPKI certificate rootd issues.
+ </doc>
+ </option>
+
+ <option name = "rpki-root-crl"
+ value = "root.crl">
+ <doc>
+ Filename (relative to rootd-base-uri and rpki-root-dir) of the CRL
+ for rootd's root RPKI certificate.
+ </doc>
+ </option>
+
+ <option name = "rpki-root-manifest"
+ value = "root.mft">
+ <doc>
+ Filename (relative to rootd-base-uri and rpki-root-dir) of the
+ manifest for rootd's root RPKI certificate.
+ </doc>
+ </option>
+
+ <option name = "rpki-class-name"
+ value = "${myrpki::handle}">
+ <doc>
+ Up-down protocol class name for RPKI certificate rootd issues to its
+ one (and only) child.
+ </doc>
+ </option>
+
+ <option name = "rpki-subject-cert"
+ value = "${myrpki::handle}.cer">
+ <doc>
+ Filename (relative to rootd-base-uri and rpki-root-dir) of the one
+ (and only) RPKI certificate rootd issues.
+ </doc>
+ </option>
+
+ </section>
+
+ <section name = "web_portal">
+
+ <doc>
+ Glue to allow the Django application to pull user configuration
+ from this file rather than directly editing settings.py.
+ </doc>
+
+ <option name = "sql-database"
+ value = "${myrpki::irdbd_sql_database}">
+ <doc>
+ SQL database name the web portal should use.
+ </doc>
+ </option>
+
+ <option name = "sql-username"
+ value = "${myrpki::irdbd_sql_username}">
+ <doc>
+ SQL user name the web portal should use.
+ </doc>
+ </option>
+
+ <option name = "sql-password"
+ value = "${myrpki::irdbd_sql_password}">
+ <doc>
+ SQL password the web portal should use.
+ </doc>
+ </option>
+
+ <option name = "secret-key">
+ <doc>
+ Site-specific secret key for Django.
+ </doc>
+ </option>
+
+ <option name = "allowed-hosts">
+ <doc>
+ Name of virtual host that runs the Django GUI, if this is not
+ the same as the system hostname. Django's security code wants
+ to know the name of the virtual host on which Django is
+ running, and will fail when it thinks it's running on a
+ disallowed host.
+ </doc>
+ <doc>
+ If you get an error like "Invalid HTTP_HOST header (you may
+ need to set ALLOWED_HOSTS)", you will need to set this option.
+ </doc>
+ </option>
+
+ </section>
+
+ <section name = "autoconf">
+
+ <doc>
+ rpki-confgen --autoconf records the current autoconf settings
+ here, so that other options can refer to them. The section name
+ "autoconf" is magic, don't change it.
+ </doc>
+
+ <option name = "bindir">
+ <doc>
+ Usually /usr/bin or /usr/local/bin.
+ </doc>
+ </option>
+
+ <option name = "datarootdir">
+ <doc>
+ Usually /usr/share or /usr/local/share.
+ </doc>
+ </option>
+
+ <option name = "sbindir">
+ <doc>
+ Usually /usr/sbin or /usr/local/sbin.
+ </doc>
+ </option>
+
+ <option name = "sysconfdir">
+ <doc>
+ Usually /etc or /usr/local/etc.
+ </doc>
+ </option>
+
+ </section>
+
+</configuration>
diff --git a/ca/rpki-manage b/ca/rpki-manage
new file mode 100755
index 00000000..0d581ce9
--- /dev/null
+++ b/ca/rpki-manage
@@ -0,0 +1,13 @@
+#!/usr/bin/env python
+
+import os
+from django.core.management import execute_from_command_line
+
+# django-admin seems to have problems creating the superuser account when
+# $LANG is unset or is set to something totally incompatible with UTF-8.
+if os.environ.get('LANG') in (None, "", "C"):
+ os.environ['LANG'] = 'en_US.UTF-8'
+
+os.environ['DJANGO_SETTINGS_MODULE'] = 'rpki.gui.default_settings'
+
+execute_from_command_line()
diff --git a/ca/rpki-sql-backup b/ca/rpki-sql-backup
new file mode 100755
index 00000000..0b2d079d
--- /dev/null
+++ b/ca/rpki-sql-backup
@@ -0,0 +1,53 @@
+#!/usr/bin/env python
+
+# $Id$
+#
+# Copyright (C) 2014 Dragon Research Labs ("DRL")
+# Portions copyright (C) 2010-2013 Internet Systems Consortium ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notices and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND DRL AND ISC DISCLAIM ALL
+# WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DRL OR
+# ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+# DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA
+# OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
+# TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+"""
+Back up data from SQL databases, looking at config file to figure out
+which databases and what credentials to use with them.
+"""
+
+import subprocess
+import os
+import argparse
+import sys
+import time
+import rpki.config
+
+os.environ["TZ"] = "UTC"
+time.tzset()
+
+parser = argparse.ArgumentParser(description = __doc__)
+parser.add_argument("-c", "--config",
+ help = "override default location of configuration file")
+parser.add_argument("-o", "--output",
+ type = argparse.FileType("wb"), default = sys.stdout,
+ help = "destination for SQL dump (default: stdout)")
+args = parser.parse_args()
+
+cfg = rpki.config.parser(args.config, "myrpki")
+
+for name in ("rpkid", "irdbd", "pubd"):
+ if cfg.getboolean("start_" + name, False):
+ subprocess.check_call(
+ ("mysqldump", "--add-drop-database",
+ "-u", cfg.get("sql-username", section = name),
+ "-p" + cfg.get("sql-password", section = name),
+ "-B", cfg.get("sql-database", section = name)),
+ stdout = args.output)
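Review bot: The `"-p" + cfg.get("sql-password", section = name)` argument at the bottom of the hunk places each database password on the mysqldump command line, where any local user can read it through `ps` or `/proc/<pid>/cmdline` for the duration of the dump. Passing it through the environment keeps it out of the argument vector: drop the `-p` element and call `subprocess.check_call((...), stdout = args.output, env = dict(os.environ, MYSQL_PWD = cfg.get("sql-password", section = name)))`. Separately, `--output` is declared as `argparse.FileType("wb")` but defaults to `sys.stdout`, so the explicit and default paths open the destination in different modes; a one-line comment on the `add_argument` call saying that this is intentional would save the next reader a check.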
diff --git a/ca/rpki-sql-setup b/ca/rpki-sql-setup
new file mode 100755
index 00000000..40a78532
--- /dev/null
+++ b/ca/rpki-sql-setup
@@ -0,0 +1,311 @@
+#!/usr/bin/env python
+
+# $Id$
+#
+# Copyright (C) 2014 Dragon Research Labs ("DRL")
+# Portions copyright (C) 2009-2013 Internet Systems Consortium ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notices and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND DRL AND ISC DISCLAIM ALL
+# WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DRL OR
+# ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+# DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA
+# OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
+# TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+import os
+import sys
+import glob
+import getpass
+import argparse
+import datetime
+import rpki.config
+import rpki.version
+import rpki.autoconf
+import rpki.sql_schemas
+
+from rpki.mysql_import import MySQLdb, _mysql_exceptions
+
+ER_NO_SUCH_TABLE = 1146 # See mysqld_ername.h
+
+
+class RootDB(object):
+ """
+ Class to wrap MySQL actions that require root-equivalent access so
+ we can defer such actions until we're sure they're really needed.
+ Overall goal here is to prompt the user for the root password once
+ at most, and not at all when not necessary.
+ """
+
+ def __init__(self, mysql_defaults = None):
+ self.initialized = False
+ self.mysql_defaults = mysql_defaults
+
+ def __getattr__(self, name):
+ if self.initialized:
+ raise AttributeError
+ if self.mysql_defaults is None:
+ self.db = MySQLdb.connect(db = "mysql",
+ user = "root",
+ passwd = getpass.getpass("Please enter your MySQL root password: "))
+ else:
+ mysql_cfg = rpki.config.parser(self.mysql_defaults, "client")
+ self.db = MySQLdb.connect(db = "mysql",
+ user = mysql_cfg.get("user"),
+ passwd = mysql_cfg.get("password"))
+ self.cur = self.db.cursor()
+ self.cur.execute("SHOW DATABASES")
+ self.databases = set(d[0] for d in self.cur.fetchall())
+ self.initialized = True
+ return getattr(self, name)
+
+ def close(self):
+ if self.initialized:
+ self.db.close()
+
+
+class UserDB(object):
+ """
+ Class to wrap MySQL access parameters for a particular database.
+
+ NB: The SQL definitions for the upgrade_version table is embedded in
+ this class rather than being declared in any of the .sql files.
+ This is deliberate: nothing but the upgrade system should ever touch
+ this table, and it's simpler to keep everything in one place.
+
+ We have to be careful about SQL commits here, because CREATE TABLE
+ implies an automatic commit. So presence of the magic table per se
+ isn't significant, only its content (or lack thereof).
+ """
+
+ upgrade_version_table_schema = """
+ CREATE TABLE upgrade_version (
+ version TEXT NOT NULL,
+ updated DATETIME NOT NULL
+ ) ENGINE=InnoDB
+ """
+
+ def __init__(self, name):
+ self.name = name
+ self.database = cfg.get("sql-database", section = name)
+ self.username = cfg.get("sql-username", section = name)
+ self.password = cfg.get("sql-password", section = name)
+ self.db = None
+ self.cur = None
+
+ def open(self):
+ self.db = MySQLdb.connect(db = self.database, user = self.username, passwd = self.password)
+ self.db.autocommit(False)
+ self.cur = self.db.cursor()
+
+ def close(self):
+ if self.cur is not None:
+ self.cur.close()
+ self.cur = None
+ if self.db is not None:
+ self.db.commit()
+ self.db.close()
+ self.db = None
+
+ @property
+ def exists_and_accessible(self):
+ try:
+ MySQLdb.connect(db = self.database, user = self.username, passwd = self.password).close()
+ except:
+ return False
+ else:
+ return True
+
+ @property
+ def version(self):
+ try:
+ self.cur.execute("SELECT version FROM upgrade_version")
+ v = self.cur.fetchone()
+ return Version(None if v is None else v[0])
+ except _mysql_exceptions.ProgrammingError, e:
+ if e.args[0] != ER_NO_SUCH_TABLE:
+ raise
+ log("Creating upgrade_version table in %s" % self.name)
+ self.cur.execute(self.upgrade_version_table_schema)
+ return Version(None)
+
+ @version.setter
+ def version(self, v):
+ if v > self.version:
+ self.cur.execute("DELETE FROM upgrade_version")
+ self.cur.execute("INSERT upgrade_version (version, updated) VALUES (%s, %s)", (v, datetime.datetime.now()))
+ self.db.commit()
+ log("Updated %s to %s" % (self.name, v))
+
+ @property
+ def schema(self):
+ lines = []
+ for line in getattr(rpki.sql_schemas, self.name, "").splitlines():
+ line = " ".join(line.split())
+ if line and not line.startswith("--"):
+ lines.append(line)
+ return [statement.strip() for statement in " ".join(lines).rstrip(";").split(";") if statement.strip()]
+
+
+class Version(object):
+ """
+ A version number. This is a class in its own right to force the
+ comparision and string I/O behavior we want.
+ """
+
+ def __init__(self, v):
+ if v is None:
+ v = "0.0"
+ self.v = tuple(v.lower().split("."))
+
+ def __str__(self):
+ return ".".join(self.v)
+
+ def __cmp__(self, other):
+ return cmp(self.v, other.v)
+
+
+class Upgrade(object):
+ """
+ One upgrade script. Really, just its filename and the Version
+ object we parse from its filename, we don't need to read the script
+ itself except when applying it, but we do need to sort all the
+ available upgrade scripts into version order.
+ """
+
+ @classmethod
+ def load_all(cls, name, dir):
+ g = os.path.join(dir, "upgrade-%s-to-*.py" % name)
+ for fn in glob.iglob(g):
+ yield cls(g, fn)
+
+ def __init__(self, g, fn):
+ head, sep, tail = g.partition("*")
+ self.fn = fn
+ self.version = Version(fn[len(head):-len(tail)])
+
+ def __cmp__(self, other):
+ return cmp(self.version, other.version)
+
+ def apply(self, db):
+ # db is an argument here primarily so the script we exec can get at it
+ log("Applying %s to %s" % (self.fn, db.name))
+ with open(self.fn, "r") as f:
+ exec f
+
+
+def do_drop(name):
+ db = UserDB(name)
+ if db.database in root.databases:
+ log("DROP DATABASE %s" % db.database)
+ root.cur.execute("DROP DATABASE %s" % db.database)
+ root.db.commit()
+
+def do_create(name):
+ db = UserDB(name)
+ log("CREATE DATABASE %s" % db.database)
+ root.cur.execute("CREATE DATABASE %s" % db.database)
+ log("GRANT ALL ON %s.* TO %s@localhost IDENTIFIED BY ###" % (db.database, db.username))
+ root.cur.execute("GRANT ALL ON %s.* TO %s@localhost IDENTIFIED BY %%s" % (db.database, db.username),
+ (db.password,))
+ root.db.commit()
+ db.open()
+ for statement in db.schema:
+ if not statement.upper().startswith("DROP TABLE"):
+ log(statement)
+ db.cur.execute(statement)
+ db.version = current_version
+ db.close()
+
+def do_script_drop(name):
+ db = UserDB(name)
+ print "DROP DATABASE IF EXISTS %s;" % db.database
+
+def do_drop_and_create(name):
+ do_drop(name)
+ do_create(name)
+
+def do_fix_grants(name):
+ db = UserDB(name)
+ if not db.exists_and_accessible:
+ log("GRANT ALL ON %s.* TO %s@localhost IDENTIFIED BY ###" % (db.database, db.username))
+ root.cur.execute("GRANT ALL ON %s.* TO %s@localhost IDENTIFIED BY %%s" % (db.database, db.username),
+ (db.password,))
+ root.db.commit()
+
+def do_create_if_missing(name):
+ db = UserDB(name)
+ if not db.exists_and_accessible:
+ do_create(name)
+
+def do_apply_upgrades(name):
+ upgrades = sorted(Upgrade.load_all(name, args.upgrade_scripts))
+ if upgrades:
+ db = UserDB(name)
+ db.open()
+ log("Current version of %s is %s" % (db.name, db.version))
+ for upgrade in upgrades:
+ if upgrade.version > db.version:
+ upgrade.apply(db)
+ db.version = upgrade.version
+ db.version = current_version
+ db.close()
+
+def log(text):
+ if args.verbose:
+ print "#", text
+
+parser = argparse.ArgumentParser(description = """\
+Automated setup of all SQL stuff used by the RPKI CA tools. Pulls
+configuration from rpki.conf, prompts for MySQL password when needed.
+""")
+group = parser.add_mutually_exclusive_group()
+parser.add_argument("-c", "--config",
+ help = "specify alternate location for rpki.conf")
+parser.add_argument("-v", "--verbose", action = "store_true",
+ help = "whistle while you work")
+parser.add_argument("--mysql-defaults",
+ help = "specify MySQL root access credentials via a configuration file")
+parser.add_argument("--upgrade-scripts",
+ default = os.path.join(rpki.autoconf.datarootdir, "rpki", "upgrade-scripts"),
+ help = "override default location of upgrade scripts")
+group.add_argument("--create",
+ action = "store_const", dest = "dispatch", const = do_create,
+ help = "create databases and load schemas")
+group.add_argument("--drop",
+ action = "store_const", dest = "dispatch", const = do_drop,
+ help = "drop databases")
+group.add_argument("--script-drop",
+ action = "store_const", dest = "dispatch", const = do_script_drop,
+ help = "send SQL commands to drop databases to standard output")
+group.add_argument("--drop-and-create",
+ action = "store_const", dest = "dispatch", const = do_drop_and_create,
+ help = "drop databases then recreate them and load schemas")
+group.add_argument("--fix-grants",
+ action = "store_const", dest = "dispatch", const = do_fix_grants,
+ help = "whack database access to match current configuration file")
+group.add_argument("--create-if-missing",
+ action = "store_const", dest = "dispatch", const = do_create_if_missing,
+ help = "create databases and load schemas if they don't exist already")
+group.add_argument("--apply-upgrades",
+ action = "store_const", dest = "dispatch", const = do_apply_upgrades,
+ help = "apply upgrade scripts to existing databases")
+parser.set_defaults(dispatch = do_create_if_missing)
+args = parser.parse_args()
+
+try:
+ cfg = rpki.config.parser(args.config, "myrpki")
+ root = RootDB(args.mysql_defaults)
+ current_version = Version(rpki.version.VERSION)
+ for name in ("irdbd", "rpkid", "pubd"):
+ if cfg.getboolean("start_" + name, False):
+ args.dispatch(name)
+ root.close()
+except Exception, e:
+ #sys.exit(str(e))
+ raise
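Review bot: `Version.__cmp__` compares tuples of strings, so components are ordered lexicographically and `Version("0.10")` sorts below `Version("0.9")`; once any version component reaches two digits, `do_apply_upgrades` would skip or misorder upgrade scripts. Parsing numeric components as integers fixes the ordering: `self.v = tuple(int(p) if p.isdigit() else p for p in v.lower().split("."))` in `__init__`, with `__str__` becoming `return ".".join(str(p) for p in self.v)`. Separately, `exists_and_accessible` uses a bare `except:`, which turns a KeyboardInterrupt or a bug in the connect call into a "database missing" verdict that the default `--create-if-missing` dispatch then acts on; `except MySQLdb.Error:` is the intended scope. `Upgrade.apply` runs every file matching the glob under `--upgrade-scripts` via `exec`, so that directory must be writable only by the administrator; a comment on `load_all` stating that expectation would help.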
diff --git a/ca/rpki-start-servers b/ca/rpki-start-servers
new file mode 100755
index 00000000..edaffb2e
--- /dev/null
+++ b/ca/rpki-start-servers
@@ -0,0 +1,76 @@
+#!/usr/bin/env python
+
+# $Id$
+#
+# Copyright (C) 2014 Dragon Research Labs ("DRL")
+# Portions copyright (C) 2009--2013 Internet Systems Consortium ("ISC")
+# Portions copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notices and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND DRL, ISC, AND ARIN DISCLAIM ALL
+# WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DRL,
+# ISC, OR ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+# CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+# OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+"""
+Start servers, using config file to figure out which servers the user
+wants started.
+"""
+
+import subprocess
+import os
+import argparse
+import sys
+import time
+import rpki.config
+import rpki.autoconf
+
+os.environ["TZ"] = "UTC"
+time.tzset()
+
+parser = argparse.ArgumentParser(description = __doc__)
+parser.add_argument("-c", "--config",
+ help = "override default location of configuration file")
+parser.add_argument("-d", "--debug", action = "store_true",
+ help = "enable debugging")
+parser.add_argument("--logdir", default = ".",
+ help = "where to write write log files when debugging")
+args = parser.parse_args()
+
+cfg = rpki.config.parser(args.config, "myrpki")
+
+def run(name):
+ # pylint: disable=E1103
+ cmd = (os.path.join(rpki.autoconf.libexecdir, name), "-c", cfg.filename)
+ if args.debug:
+ proc = subprocess.Popen(cmd + ("-d",),
+ stdout = open(os.path.join(args.logdir, name + ".log"), "a"),
+ stderr = subprocess.STDOUT)
+ else:
+ proc = subprocess.Popen(cmd)
+ if args.debug and proc.poll() is None:
+ print "Started %s, pid %s" % (name, proc.pid)
+ elif not args.debug and proc.wait() == 0:
+ print "Started %s" % name
+ else:
+ print "Problem starting %s, pid %s" % (name, proc.pid)
+
+
+if cfg.getboolean("start_irdbd", cfg.getboolean("run_rpkid", False)):
+ run("irdbd")
+
+if cfg.getboolean("start_rpkid", cfg.getboolean("run_rpkid", False)):
+ run("rpkid")
+
+if cfg.getboolean("start_pubd", cfg.getboolean("run_pubd", False)):
+ run("pubd")
+
+if cfg.getboolean("start_rootd", cfg.getboolean("run_rootd", False)):
+ run("rootd")
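Review bot: In `run`, the debug branch hands `open(os.path.join(args.logdir, name + ".log"), "a")` directly to `Popen`, so the parent never closes that handle and it stays open, and is inherited by each later child, for the life of the script; wrap it as `with open(os.path.join(args.logdir, name + ".log"), "a") as logfile:` around the `Popen` call and pass `stdout = logfile`, since the child keeps its own copy of the descriptor. The `proc.poll() is None` check immediately after `Popen` is almost always true, so in debug mode "Started" is printed before the daemon has had any chance to fail. The non-debug branch reports success only when `proc.wait()` returns 0, which presumes the daemons detach and exit promptly; a comment above `run` stating that assumption would help the next reader.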
diff --git a/ca/rpki.wsgi b/ca/rpki.wsgi
new file mode 100644
index 00000000..72ba75ac
--- /dev/null
+++ b/ca/rpki.wsgi
@@ -0,0 +1,45 @@
+# Copyright (C) 2010, 2011 SPARTA, Inc. dba Cobham Analytic Solutions
+# Copyright (C) 2012, 2013 SPARTA, Inc. a Parsons Company
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND SPARTA DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL SPARTA BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# This is an example wsgi application for use with mod_wsgi and apache.
+
+__version__ = '$Id$'
+
+import sys
+import os
+import rpki.autoconf
+
+os.environ['DJANGO_SETTINGS_MODULE'] = 'rpki.gui.default_settings'
+
+# Needed for local_settings.py
+sys.path.insert(1, rpki.autoconf.sysconfdir + '/rpki')
+
+# Kludge to disable use of setproctitle in rpki.log. For reasons
+# unknown, at least on Ubuntu 12.04 LTS, we dump core with a segment
+# violation if we try to load that module in this process, even though
+# it works fine in other processes on the same system. Not yet sure
+# what this is about, just disable setproctitle in WSGI case for now.
+os.environ['DISABLE_SETPROCTITLE'] = 'yes'
+
+# Kludge to set PYTHON_EGG_CACHE, mostly for FreeBSD where the ports
+# system installs Python eggs in their zipped format and expects each
+# user application to unpack them into its own egg cache.
+if not os.environ.get('PYTHON_EGG_CACHE') and rpki.autoconf.WSGI_PYTHON_EGG_CACHE_DIR:
+ os.environ['PYTHON_EGG_CACHE'] = rpki.autoconf.WSGI_PYTHON_EGG_CACHE_DIR
+
+import django.core.handlers.wsgi
+application = django.core.handlers.wsgi.WSGIHandler()
+
+# vim:ft=python
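Review bot: The settings path is built by string concatenation at `sys.path.insert(1, rpki.autoconf.sysconfdir + '/rpki')`; `sys.path.insert(1, os.path.join(rpki.autoconf.sysconfdir, 'rpki'))` is the form the sibling rpkigui-apache-conf-gen in this same commit uses and copes with a trailing slash in sysconfdir. Inserting at index 1 rather than 0 also deserves a one-line comment saying why — presumably to keep the WSGI script's own directory ahead of the local_settings directory, but as written the reader has to guess.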
diff --git a/ca/rpkic b/ca/rpkic
new file mode 100755
index 00000000..333a5eb7
--- /dev/null
+++ b/ca/rpkic
@@ -0,0 +1,21 @@
+#!/usr/bin/env python
+
+# $Id$
+#
+# Copyright (C) 2010-2011 Internet Systems Consortium ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+if __name__ == "__main__":
+ import rpki.rpkic
+ rpki.rpkic.main()
diff --git a/ca/rpkid b/ca/rpkid
new file mode 100755
index 00000000..a4cc6cd3
--- /dev/null
+++ b/ca/rpkid
@@ -0,0 +1,21 @@
+#!/usr/bin/env python
+
+# $Id$
+#
+# Copyright (C) 2010 Internet Systems Consortium ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+if __name__ == "__main__":
+ import rpki.rpkid
+ rpki.rpkid.main()
diff --git a/ca/rpkigui-apache-conf-gen b/ca/rpkigui-apache-conf-gen
new file mode 100755
index 00000000..6201c364
--- /dev/null
+++ b/ca/rpkigui-apache-conf-gen
@@ -0,0 +1,483 @@
+#!/usr/bin/env python
+
+# $Id$
+#
+# Copyright (C) 2013 Internet Systems Consortium ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+import os
+import re
+import sys
+import socket
+import urllib2
+import argparse
+import platform
+import textwrap
+import subprocess
+import rpki.autoconf
+
+fqdn = socket.getfqdn()
+
+vhost_template = """\
+#
+# By default, this configuration assumes that you use name-based
+# virtual hosting. If that's not what you want, you may need
+# to change this.
+#
+<VirtualHost *:443>
+
+ #
+ # By default, we enable an HTTPS virtual host on this machine's
+ # fully qualified domain name. This works for simple
+ # configurations, but if you're running a more complex Apache
+ # configuration or want to run the GUI on a different hostname,
+ # you may need to change this.
+ #
+ ServerName %(fqdn)s
+
+ #
+ # Configure the WSGI application to run as a separate process from
+ # the Apache daemon itself.
+ #
+ %(WSGI_DAEMON_PROCESS)s
+ %(WSGI_PROCESS_GROUP)s
+
+ #
+ # Allow access to our WSGI directory.
+ #
+ <Directory %(datarootdir)s/rpki/wsgi>
+%(allow)s
+ </Directory>
+
+ #
+ # Define the URL to the RPKI GUI
+ #
+ WSGIScriptAlias / %(datarootdir)s/rpki/wsgi/rpki.wsgi
+
+ #
+ # Allow access to static content (icons, etc).
+ #
+ <Directory %(datarootdir)s/rpki/media>
+%(allow)s
+ </Directory>
+
+ #
+ # Add the aliases Django expects for static content.
+ #
+ Alias /media/ %(datarootdir)s/rpki/media/
+ Alias /site_media/ %(datarootdir)s/rpki/media/
+
+ #
+ # Allow access to the directory where rcynic-html writes
+ # its output files.
+ #
+ <Directory %(RCYNIC_HTML_DIR)s>
+%(allow)s
+ </Directory>
+
+ #
+ # Add alias pointing to rcynic-html's output files.
+ #
+ # If for some reason you need to change this, be careful to leave
+ # the trailing slash off the URL, otherwise /rcynic will be
+ # swallowed by the WSGIScriptAlias
+ #
+ Alias /rcynic %(RCYNIC_HTML_DIR)s/
+
+ #
+ # Redirect to the GUI dashboard when someone hits the bare vhost.
+ #
+ RedirectMatch ^/$ /rpki/
+
+ #
+ # Enable HTTPS
+ #
+ SSLEngine on
+
+ #
+ # Specify HTTPS server certificate and key files for this virtual host.
+ # This should suffice for simple configurations, but if you're running
+ # a more complex Apache configuration you may need to change or remove
+ # these lines.
+ #
+ SSLCertificateFile %(sysconfdir)s/rpki/apache.cer
+ SSLCertificateKeyFile %(sysconfdir)s/rpki/apache.key
+
+ #
+ # Take pity on users running Internet Exploder
+ #
+ BrowserMatch "MSIE [2-6]" ssl-unclean-shutdown nokeepalive downgrade-1.0 force-response-1.0
+ BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+
+</VirtualHost>
+"""
+
+allow_22_template = '''
+ Order deny,allow
+ Allow from all\
+'''
+
+allow_24_template = '''
+ Require all granted\
+'''
+
+name_virtual_host_template = '''\
+#
+# In most cases we want to use name-based virtual hosting. If this causes
+# problems with your existing Apache configuration, try commenting out this line.
+#
+NameVirtualHost *:443
+
+'''
+
+def Guess(args):
+ """
+ Guess what platform this is and dispatch to platform constructor.
+ """
+
+ system = platform.system()
+ if system == "FreeBSD":
+ return FreeBSD(args)
+ if system == "Darwin":
+ return Darwin(args)
+ if system == "Linux":
+ distro = platform.linux_distribution()[0].lower()
+ if distro in ("debian", "ubuntu"):
+ return Debian(args)
+ if distro in ("fedora", "centos"):
+ return Redhat(args)
+ raise NotImplementedError("Can't guess what platform this is, sorry")
+
+class Platform(object):
+ """
+ Abstract base class representing an operating system platform.
+ """
+
+ apache_cer = os.path.join(rpki.autoconf.sysconfdir, "rpki", "apache.cer")
+ apache_key = os.path.join(rpki.autoconf.sysconfdir, "rpki", "apache.key")
+
+ apache_conf = os.path.join(rpki.autoconf.sysconfdir, "rpki", "apache.conf")
+ apache_conf_sample = apache_conf + ".sample"
+
+ apache_conf_preface = ""
+
+ def __init__(self, args):
+ self.args = args
+ self.log("RPKI Apache configuration: platform \"%s\", action \"%s\"" % (
+ self.__class__.__name__, args.action))
+ getattr(self, args.action)()
+
+ def log(self, msg):
+ if self.args.verbose:
+ print msg
+
+ def run(self, *cmd, **kwargs):
+ self.log("Running %s" % " ".join(cmd))
+ subprocess.check_call(cmd, **kwargs)
+
+ req_cmd = ("openssl", "req", "-new",
+ "-config", "/dev/stdin",
+ "-out", "/dev/stdout",
+ "-keyout", apache_key,
+ "-newkey", "rsa:2048")
+
+ x509_cmd = ("openssl", "x509", "-req", "-sha256",
+ "-signkey", apache_key,
+ "-in", "/dev/stdin",
+ "-out", apache_cer,
+ "-days", "3650")
+
+ req_conf = '''\
+ [req]
+ default_bits = 2048
+ default_md = sha256
+ distinguished_name = req_dn
+ prompt = no
+ encrypt_key = no
+ [req_dn]
+ CN = %s
+ ''' % fqdn
+
+ def unlink(self, fn, silent = False):
+ if os.path.lexists(fn):
+ if not silent:
+ self.log("Removing %s" % fn)
+ os.unlink(fn)
+ elif not silent:
+ self.log("Would have removed %s if it existed" % fn)
+
+ def del_certs(self, silent = False):
+ self.unlink(self.apache_cer, silent)
+ self.unlink(self.apache_key, silent)
+
+ def add_certs(self):
+ if os.path.exists(self.apache_cer) and os.path.exists(self.apache_key):
+ return
+ self.del_certs()
+ req = subprocess.Popen(self.req_cmd,
+ stdin = subprocess.PIPE,
+ stdout = subprocess.PIPE,
+ stderr = open("/dev/null", "w"))
+ x509 = subprocess.Popen(self.x509_cmd,
+ stdin = req.stdout,
+ stderr = open("/dev/null", "w"))
+ req.stdin.write(self.req_conf)
+ req.stdin.close()
+ if req.wait():
+ raise subprocess.CalledProcessError(req.returncode, self.req_cmd)
+ if x509.wait():
+ raise subprocess.CalledProcessError(x509.returncode, self.x509_cmd)
+ self.log("Created %s and %s, chmoding %s" % (
+ self.apache_cer, self.apache_key, self.apache_key))
+ os.chmod(self.apache_key, 0600)
+
+ _vhost = None
+
+ @property
+ def vhost(self):
+ if self._vhost is None:
+ allow = allow_22_template if self.args.apache_version <= 22 else allow_24_template
+ self._vhost = vhost_template % dict(rpki.autoconf.__dict__, fqdn = fqdn, allow = allow)
+ return self._vhost
+
+ @property
+ def name_virtual_host(self):
+ return name_virtual_host_template if self.args.apache_version <= 22 else ""
+
+ @property
+ def too_complex(self):
+ return textwrap.dedent('''\
+ # It looks like you already have HTTPS enabled in your
+ # Apache configuration, which makes your configuration too
+ # complex for us to enable support for the RPKI GUI automatically.
+ #
+ # To enable support, take a look at %s
+ # and copy what you need from that file into %s,
+ # paying attention to the comments which mark the bits that
+ # you might (or might not) need to change or omit, depending
+ # on the details of your particular Apache configuration.
+ ''' % (self.apache_conf_sample, self.apache_conf))
+
+ def install(self):
+ with open(self.apache_conf_sample, "w") as f:
+ self.log("Writing %s" % f.name)
+ f.write(self.apache_conf_preface)
+ f.write(self.name_virtual_host)
+ f.write(self.vhost)
+ if not os.path.exists(self.apache_conf):
+ self.unlink(self.apache_conf)
+ with open(self.apache_conf, "w") as f:
+ self.log("Writing %s" % f.name)
+ if self.test_url("https://%s/" % fqdn):
+ f.write(self.too_complex)
+ sys.stdout.write(self.too_complex)
+ else:
+ if not self.test_tcp("localhost", 443):
+ f.write(self.apache_conf_preface)
+ f.write(self.name_virtual_host)
+ f.write(self.vhost)
+ if not os.path.exists(self.apache_conf_target):
+ self.unlink(self.apache_conf_target)
+ self.log("Symlinking %s to %s" % (
+ self.apache_conf_target, self.apache_conf))
+ os.symlink(self.apache_conf, self.apache_conf_target)
+ self.add_certs()
+ self.enable()
+ self.restart()
+
+ def enable(self):
+ pass
+
+ def disable(self):
+ pass
+
+ def remove(self):
+ try:
+ same = open(self.apache_conf, "r").read() == open(self.apache_conf_sample, "r").read()
+ except:
+ same = False
+ self.unlink(self.apache_conf_sample)
+ if same:
+ self.unlink(self.apache_conf)
+ self.unlink(self.apache_conf_target)
+ self.disable()
+ self.restart()
+
+ def purge(self):
+ self.remove()
+ self.unlink(self.apache_conf)
+ self.del_certs()
+
+ @staticmethod
+ def test_url(url = "https://localhost/"):
+ try:
+ urllib2.urlopen(url).close()
+ except IOError:
+ return False
+ else:
+ return True
+
+ @staticmethod
+ def test_tcp(host = "localhost", port = 443, family = socket.AF_UNSPEC, proto = socket.SOCK_STREAM):
+ try:
+ addrinfo = socket.getaddrinfo(host, port, family, proto)
+ except socket.error:
+ return False
+ for af, socktype, proto, canon, sa in addrinfo:
+ try:
+ s = socket.socket(af, socktype, proto)
+ s.connect(sa)
+ s.close()
+ except socket.error:
+ continue
+ else:
+ return True
+ return False
+
+class FreeBSD(Platform):
+ """
+ FreeBSD.
+ """
+
+ # On FreeBSD we have to ask httpd what version it is before we know
+ # where to put files or what to call the service. In FreeBSD's makefiles,
+ # this value is called APACHE_VERSION, and is calculated thusly:
+ #
+ # httpd -V | sed -ne 's/^Server version: Apache\/\([0-9]\)\.\([0-9]*\).*/\1\2/p'
+
+ _apache_name = None
+
+ @property
+ def apache_name(self):
+ if self._apache_name is None:
+ self._apache_name = "apache%s" % self.args.apache_version
+ return self._apache_name
+
+ @property
+ def apache_conf_target(self):
+ return "/usr/local/etc/%s/Includes/rpki.conf" % self.apache_name
+
+ apache_conf_preface = textwrap.dedent('''\
+ # These directives tell Apache to listen on the HTTPS port
+ # and to enable name-based virtual hosting. If you already
+ # have HTTPS enabled elsewhere in your configuration, you may
+ # need to remove these.
+
+ Listen [::]:443
+ Listen 0.0.0.0:443
+ ''')
+
+ def restart(self):
+ self.run("service", self.apache_name, "restart")
+
+class Debian(Platform):
+ """
+ Debian and related platforms like Ubuntu.
+ """
+
+ apache_conf_target = "/etc/apache2/sites-available/rpki"
+
+ snake_oil_cer = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
+ snake_oil_key = "/etc/ssl/private/ssl-cert-snakeoil.key"
+
+ def add_certs(self):
+ if not os.path.exists(self.snake_oil_cer) or not os.path.exists(self.snake_oil_key):
+ return Platform.add_certs(self)
+ if not os.path.exists(self.apache_cer):
+ self.unlink(self.apache_cer)
+ os.symlink(self.snake_oil_cer, self.apache_cer)
+ if not os.path.exists(self.apache_key):
+ self.unlink(self.apache_key)
+ os.symlink(self.snake_oil_key, self.apache_key)
+
+ def enable(self):
+ self.run("a2enmod", "ssl")
+ self.run("a2ensite", "rpki")
+ #
+ # In light of BREACH and CRIME attacks, mod_deflate is looking
+ # like a bad idea, so make sure it's off.
+ self.run("a2dismod", "deflate")
+
+ def disable(self):
+ self.run("a2dissite", "rpki")
+
+ def restart(self):
+ self.run("service", "apache2", "restart")
+
+class NIY(Platform):
+ def __init__(self, args):
+ raise NotImplementedError("Platform %s not implemented yet, sorry" % self.__class__.__name__)
+
+class Redhat(NIY):
+ """
+ Redhat family of Linux distributions (Fedora, CentOS).
+ """
+
+class Darwin(NIY):
+ """
+ Mac OS X (aka Darwin).
+ """
+
+def main():
+ """
+ Generate and (de)install configuration suitable for using Apache httpd
+ to drive the RPKI web interface under WSGI.
+ """
+
+ parser = argparse.ArgumentParser(description = __doc__)
+ group1 = parser.add_mutually_exclusive_group()
+ group2 = parser.add_mutually_exclusive_group()
+
+ parser.add_argument("-v", "--verbose",
+ help = "whistle while you work", action = "store_true")
+ parser.add_argument("--apache-version",
+ help = "Apache version (default " + rpki.autoconf.APACHE_VERSION + ")",
+ type = int, default = rpki.autoconf.APACHE_VERSION)
+
+ group1.add_argument("--freebsd",
+ help = "configure for FreeBSD",
+ action = "store_const", dest = "platform", const = FreeBSD)
+ group1.add_argument("--debian", "--ubuntu",
+ help = "configure for Debian/Ubuntu",
+ action = "store_const", dest = "platform", const = Debian)
+ group1.add_argument("--redhat", "--fedora", "--centos",
+ help = "configure for Redhat/Fedora/CentOS",
+ action = "store_const", dest = "platform", const = Redhat)
+ group1.add_argument("--macosx", "--darwin",
+ help = "configure for Mac OS X (Darwin)",
+ action = "store_const", dest = "platform", const = Darwin)
+ group1.add_argument("--guess",
+ help = "guess which platform configuration to use",
+ action = "store_const", dest = "platform", const = Guess)
+
+ group2.add_argument("-i", "--install",
+ help = "install configuration",
+ action = "store_const", dest = "action", const = "install")
+ group2.add_argument("-r", "--remove", "--deinstall", "--uninstall",
+ help = "remove configuration",
+ action = "store_const", dest = "action", const = "remove")
+ group2.add_argument("-P", "--purge",
+ help = "remove configuration with extreme prejudice",
+ action = "store_const", dest = "action", const = "purge")
+
+ parser.set_defaults(platform = Guess, action = "install")
+ args = parser.parse_args()
+
+ try:
+ args.platform(args)
+ except Exception, e:
+ sys.exit(str(e))
+
+if __name__ == "__main__":
+ main()
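Review bot: In `Platform.add_certs` the private key written by `openssl req -keyout` is created with the inherited process umask and only chmod'ed to 0600 after both openssl children have finished, so under a typical 022 umask `apache.key` is world-readable for the whole of key generation. Setting a restrictive umask around the two `Popen` calls closes that window (the child inherits the umask at fork, so the parent can restore its own immediately afterwards); the existing chmod can stay as belt-and-braces. Separately, `remove` compares the two config files under a bare `except:` with file handles that are never closed — `except IOError:` around `with open(...)` blocks would be the narrower form.
```python
    def add_certs(self):
        if os.path.exists(self.apache_cer) and os.path.exists(self.apache_key):
            return
        self.del_certs()
        # openssl creates apache.key with the current umask; restrict it so
        # the key is never readable by other users, even briefly.
        old_umask = os.umask(0077)
        try:
            req = subprocess.Popen(self.req_cmd,
                                   stdin = subprocess.PIPE,
                                   stdout = subprocess.PIPE,
                                   stderr = open("/dev/null", "w"))
            x509 = subprocess.Popen(self.x509_cmd,
                                    stdin = req.stdout,
                                    stderr = open("/dev/null", "w"))
        finally:
            os.umask(old_umask)
        # ... unchanged: write req_conf, wait on both processes, log, chmod 0600 ...
```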
diff --git a/ca/rpkigui-check-expired b/ca/rpkigui-check-expired
new file mode 100755
index 00000000..eb0c7fbb
--- /dev/null
+++ b/ca/rpkigui-check-expired
@@ -0,0 +1,61 @@
+#!/usr/bin/env python
+
+# Copyright (C) 2012 SPARTA, Inc. a Parsons Company
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND SPARTA DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL SPARTA BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+__version__ = '$Id$'
+
+from optparse import OptionParser
+import logging
+import sys
+
+# configure django ORM
+from rpki.gui.script_util import setup
+setup()
+
+from rpki.gui.app.check_expired import notify_expired
+
+usage = '%prog [ -nV ] [ handle1 handle2... ]'
+
+description = """Generate a report detailing all RPKI/BPKI certificates which
+are due for impending expiration. If no resource handles are specified, a
+report about all resource handles hosted by the local rpkid instance will be
+generated."""
+
+parser = OptionParser(usage, description=description)
+parser.add_option('-V', '--version', help='display script version',
+ action='store_true', dest='version', default=False)
+parser.add_option('-f', '--from', metavar='ADDRESS', dest='from_email',
+ help='specify the return email address for notifications')
+parser.add_option('-t', '--expire-time', dest='expire_days', metavar='DAYS',
+ help='specify the number of days in the future to check')
+parser.add_option('-l', '--level', dest='log_level', default='WARNING',
+ help='Set logging level [Default: %default]')
+(options, args) = parser.parse_args()
+if options.version:
+ print __version__
+ sys.exit(0)
+
+v = getattr(logging, options.log_level.upper())
+logging.basicConfig(level=v)
+logging.info('logging level set to ' + logging.getLevelName(v))
+
+kwargs = {}
+if options.from_email:
+ kwargs['from_email'] = options.from_email
+if options.expire_days:
+ kwargs['expire_days'] = int(options.expire_days)
+notify_expired(**kwargs)
+
+sys.exit(0)
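Review bot: `--expire-time` is converted with a bare `int(options.expire_days)` near the bottom, so a non-numeric value dies with a traceback instead of an option error; declaring it as `type='int'` on the `add_option` call lets optparse validate it and the `int()` call can go. `--level` has the same shape of problem: `getattr(logging, options.log_level.upper())` accepts any attribute of the logging module, so a typo like `-l warn` raises AttributeError while `-l basicConfig` passes a function through to `logging.basicConfig(level=...)`. An explicit `type='choice', choices=['DEBUG', 'INFO', 'WARNING', 'ERROR', 'CRITICAL']` on that option would reject bad input up front.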
diff --git a/ca/rpkigui-import-routes b/ca/rpkigui-import-routes
new file mode 100755
index 00000000..234a865b
--- /dev/null
+++ b/ca/rpkigui-import-routes
@@ -0,0 +1,115 @@
+#!/usr/bin/env python
+
+# Copyright (C) 2012, 2013 SPARTA, Inc. a Parsons Company
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND SPARTA DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL SPARTA BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+__version__ = '$Id$'
+
+import optparse
+import logging
+import time
+import random
+import signal
+import errno
+import atexit
+import fcntl
+import sys
+import os
+
+# configure django ORM
+from rpki.gui.script_util import setup
+setup()
+
+from rpki.gui.routeview.util import import_routeviews_dump
+
+
+class BadArgument(Exception):
+ pass
+
+
+def timed_out(*ignored):
+ logging.info('timed out')
+ sys.exit(1)
+
+
+if __name__ == '__main__':
+ parser = optparse.OptionParser(
+ usage='%prog [options] [PATH]',
+ description="""This tool is used to import the IPv4/6 BGP table dumps
+from routeviews.org into the RPKI Web Portal database. If the
+input file is a bzip2 compressed file, it will be decompressed
+automatically.""")
+ parser.add_option('-t', '--type', dest='filetype', metavar='TYPE',
+ help='Specify the input file type (auto, text, mrt) [Default: %default]')
+ parser.add_option('-l', '--level', dest='log_level', default='ERROR',
+ help='Set logging level [Default: %default]')
+ parser.add_option('-u', '--bunzip2', dest='bunzip', metavar='PROG',
+ help='Specify bunzip2 program to use')
+ parser.add_option('-b', '--bgpdump', dest='bgpdump', metavar='PROG',
+ help='Specify path to bgdump binary')
+ parser.add_option('-j', '--jitter', dest='jitter', type='int',
+ help='Specify upper bound of startup delay, in seconds [Default: %default]')
+ parser.add_option('--lockfile', dest='lockfile',
+ help='Set name of lock file; empty string disables locking [Default: %default]')
+ parser.add_option('--timeout', dest='timeout', type='int',
+ help='Specify timeout for download and import, in seconds [Default: %default]')
+ parser.set_defaults(debug=False, verbose=False, filetype='auto', jitter=0,
+ lockfile='/tmp/rpkigui-import-routes.lock', timeout=90*60)
+ options, args = parser.parse_args()
+
+ v = getattr(logging, options.log_level.upper())
+ logging.basicConfig(level=v)
+ atexit.register(logging.shutdown)
+ logging.info('logging level set to ' + logging.getLevelName(v))
+
+ if options.bgpdump:
+ BGPDUMP = os.path.expanduser(options.bgpdump)
+
+ if options.jitter > 0:
+ try:
+ delay = random.SystemRandom().randint(0, options.jitter)
+ except NotImplementedError:
+ delay = random.randint(0, options.jitter)
+ logging.info('jitter active, delaying startup for %d seconds' % delay)
+ time.sleep(delay)
+
+ if options.lockfile:
+ try:
+ lock = os.open(options.lockfile, os.O_RDONLY | os.O_CREAT | os.O_NONBLOCK, 0666)
+ fcntl.flock(lock, fcntl.LOCK_EX | fcntl.LOCK_NB)
+ except (IOError, OSError), e:
+ if e.errno == errno.EAGAIN:
+ logging.info('lock held by another process')
+ sys.exit(0)
+ else:
+ logging.exception(e)
+ sys.exit(1)
+
+ try:
+ if len(args) > 1:
+ raise BadArgument('more than one filename specified')
+
+ if options.timeout > 0:
+ signal.signal(signal.SIGALRM, timed_out)
+ signal.setitimer(signal.ITIMER_REAL, options.timeout)
+
+ import_routeviews_dump(*args)
+
+ if options.timeout > 0:
+ signal.setitimer(signal.ITIMER_REAL, 0)
+
+ except Exception as e:
+ logging.exception(e)
+ sys.exit(1)
+
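Review bot: The default lock file `/tmp/rpkigui-import-routes.lock` is opened with `O_CREAT` and mode 0666 in a world-writable directory, so any local user can pre-create it (or point a symlink at it) and hold the flock, after which every run exits 0 with `lock held by another process` and the route import silently stops. Defaulting the lock to a directory owned by the service user and opening it with `os.O_RDONLY | os.O_CREAT | os.O_NONBLOCK | os.O_NOFOLLOW` would remove that foothold; a non-zero exit when the lock is held for longer than the timeout would also make the condition visible to cron. Separately, `--type`, `--bunzip2` and `--bgpdump` are parsed but never reach `import_routeviews_dump(*args)` — the `BGPDUMP` local is assigned and then discarded — so those options have no effect as written.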
diff --git a/ca/rpkigui-query-routes b/ca/rpkigui-query-routes
new file mode 100755
index 00000000..1f698f23
--- /dev/null
+++ b/ca/rpkigui-query-routes
@@ -0,0 +1,66 @@
+#!/usr/bin/env python
+
+# Copyright (C) 2013 SPARTA, Inc. a Parsons Company
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND SPARTA DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL SPARTA BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+__version__ = '$Id$'
+
+import sys
+import optparse
+
+from rpki.gui.script_util import setup
+setup()
+
+from rpki.gui.routeview import models as rv
+from rpki.resource_set import resource_range_ip
+
+parser = optparse.OptionParser(
+ usage='%prog [options] PREFIX',
+ description='query the rpki web portal database for routes covering a '
+ 'prefix specified as an argument, and display the validity and covering '
+ 'ROAs for each route',
+ version=__version__,
+)
+options, args = parser.parse_args()
+
+if len(args) == 0:
+ print 'error: Specify an address/prefix'
+ sys.exit(1)
+
+# allow bare IP addresses
+if '/' not in args[0]:
+ args[0] = args[0] + '/32'
+
+r = resource_range_ip.parse_str(args[0])
+
+qs = rv.RouteOrigin.objects.filter(
+ prefix_min__lte=r.min,
+ prefix_max__gte=r.max
+)
+
+
+def validity_marker(route, roa, roa_prefix):
+ "Return + if the roa would cause the route to be accepted, or - if not"
+ # we already know the ROA covers this route because they are returned
+ # from RouteOrigin.roas, so just check the ASN and max prefix length
+ return '-' if (roa.asid == 0 or route.asn != roa.asid or
+ route.prefixlen > roa_prefix.max_length) else '+'
+
+# xxx.xxx.xxx.xxx/xx-xx is 22 characters
+for route in qs:
+ print route.as_resource_range(), route.asn, route.status
+ for pfx in route.roa_prefixes:
+ for roa in pfx.roas.all():
+ print validity_marker(route, roa, pfx), pfx.as_roa_prefix(), roa.asid, roa.repo.uri
+ print
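Review bot: The bare-address fallback `args[0] = args[0] + '/32'` is wrong for IPv6: a single v6 host is widened to a /32, so the query matches routes covering a huge block rather than the one host. Pick the host length by family, `args[0] = args[0] + ('/128' if ':' in args[0] else '/32')`. It would also be kinder to catch the parse failure from `resource_range_ip.parse_str` and print a usage message instead of a traceback, though that function's behaviour is not visible here.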
diff --git a/ca/rpkigui-rcynic b/ca/rpkigui-rcynic
new file mode 100755
index 00000000..8fb91a70
--- /dev/null
+++ b/ca/rpkigui-rcynic
@@ -0,0 +1,54 @@
+#!/usr/bin/env python
+
+# Copyright (C) 2011 SPARTA, Inc. dba Cobham
+# Copyright (C) 2012, 2013 SPARTA, Inc. a Parsons Company
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND SPARTA DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL SPARTA BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+__version__ = '$Id$'
+
+# probably should be exported from rpki.gui.cacheview.util
+default_logfile = '/var/rcynic/data/rcynic.xml'
+default_root = '/var/rcynic/data'
+
+import logging
+import sys
+
+from rpki.gui.script_util import setup
+setup()
+
+from rpki.gui.cacheview.util import import_rcynic_xml
+
+if __name__ == '__main__':
+ import optparse
+
+ parser = optparse.OptionParser()
+ parser.add_option("-l", "--level", dest="log_level", default='ERROR',
+ help="specify the logging level [default: %default]")
+ parser.add_option(
+ "-f", "--file", dest="logfile",
+ help="specify the rcynic XML file to parse [default: %default]",
+ default=default_logfile)
+ parser.add_option(
+ "-r", "--root",
+ help="specify the chroot directory for the rcynic jail [default: %default]",
+ metavar="DIR", default=default_root)
+ options, args = parser.parse_args(sys.argv)
+
+ v = getattr(logging, options.log_level.upper())
+ logging.basicConfig(level=v)
+ logging.info('log level set to %s' % logging.getLevelName(v))
+
+ import_rcynic_xml(options.root, options.logfile)
+
+ logging.shutdown()
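Review bot: `parser.parse_args(sys.argv)` hands the program name through as the first positional argument, so `args` always contains argv[0]; it is harmless today because `args` is unused, but it is a trap for anyone who later reads positionals. The usual `options, args = parser.parse_args()` is what the sibling rpkigui-* scripts in this commit do. A `usage=`/`description=` on the `OptionParser()` would also make `--help` say what the script imports and from where.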
diff --git a/ca/tests/Makefile.in b/ca/tests/Makefile.in
new file mode 100644
index 00000000..b63e8dc3
--- /dev/null
+++ b/ca/tests/Makefile.in
@@ -0,0 +1,91 @@
+# $Id$
+
+PYTHON = @PYTHON@
+abs_top_builddir = @abs_top_builddir@
+
+all: protocol-samples
+
+clean:
+ rm -rf smoketest.dir left-right-protocol-samples publication-protocol-samples yamltest.dir rcynic.xml rcynic-data
+
+protocol-samples: left-right-protocol-samples/.stamp publication-protocol-samples/.stamp
+
+left-right-protocol-samples/.stamp: left-right-protocol-samples.xml split-protocol-samples.xsl
+ rm -rf left-right-protocol-samples
+ mkdir left-right-protocol-samples
+ xsltproc --param verbose 0 --stringparam dir left-right-protocol-samples split-protocol-samples.xsl left-right-protocol-samples.xml
+ touch $@
+
+publication-protocol-samples/.stamp: publication-protocol-samples.xml split-protocol-samples.xsl
+ rm -rf publication-protocol-samples
+ mkdir publication-protocol-samples
+ xsltproc --param verbose 0 --stringparam dir publication-protocol-samples split-protocol-samples.xsl publication-protocol-samples.xml
+ touch $@
+
+parse-test: protocol-samples
+ ${PYTHON} xml-parse-test.py
+
+all-tests:: parse-test
+
+all-tests::
+ ${PYTHON} smoketest.py smoketest.1.yaml
+
+all-tests::
+ ${PYTHON} smoketest.py smoketest.2.yaml
+
+test all-tests::
+ ${PYTHON} smoketest.py smoketest.3.yaml
+
+all-tests::
+ ${PYTHON} smoketest.py smoketest.4.yaml
+
+all-tests::
+ ${PYTHON} smoketest.py smoketest.5.yaml
+
+test all-tests::
+ ${PYTHON} smoketest.py smoketest.6.yaml
+
+all-tests::
+ ${PYTHON} smoketest.py smoketest.7.yaml
+
+profile: all
+ find smoketest.dir -name '*.prof' -delete
+ ${PYTHON} smoketest.py smoketest.2.yaml -p
+ for i in smoketest.dir/*.prof; do ${PYTHON} -c "import pstats;pstats.Stats('$$i').sort_stats('time').print_stats()"; done
+
+# This isn't a full exercise of the yamltest framework, but is
+# probably as good as we can do under make.
+
+YAMLTEST_CONFIG = smoketest.1.yaml
+
+yamltest:
+ rm -rf yamltest.dir rcynic-data
+ ${PYTHON} sql-cleaner.py
+ ${PYTHON} yamltest.py ${YAMLTEST_CONFIG}
+
+YAMLCONF_CONFIG = ${YAMLTEST_CONFIG}
+
+yamlconf:
+ rm -rf yamltest.dir rcynic-data
+ ${PYTHON} sql-cleaner.py
+ ${PYTHON} yamlconf.py --loopback ${YAMLCONF_CONFIG}
+ @echo
+ ${PYTHON} yamltest.py --skip_config --synchronize ${YAMLCONF_CONFIG}
+
+yamltest-resume yamlconf-resume:
+ ${PYTHON} yamltest.py --skip_config ${YAMLCONF_CONFIG}
+
+yamlconf-profile:
+ rm -rf yamltest.dir rcynic-data
+ ${PYTHON} sql-cleaner.py
+ ${PYTHON} yamlconf.py --loopback --profile yamlconf.prof ${YAMLCONF_CONFIG}
+ @echo
+ ${PYTHON} yamltest.py --skip_config --synchronize --profile ${YAMLCONF_CONFIG}
+
+backup:
+ ${PYTHON} sql-dumper.py
+ tar cvvJf yamltest.backup.$$(TZ='' date +%Y.%m.%d.%H.%M.%S).txz screenlog.* yamltest.dir backup.*.sql
+ rm backup.*.sql
+
+distclean: clean
+ rm -f rcynic.xml Makefile
diff --git a/ca/tests/left-right-protocol-samples.xml b/ca/tests/left-right-protocol-samples.xml
new file mode 100644
index 00000000..7b97386d
--- /dev/null
+++ b/ca/tests/left-right-protocol-samples.xml
@@ -0,0 +1,1093 @@
+<!-- -*- SGML -*-
+ - $Id$
+ -
+ - Copyright (C) 2010 Internet Systems Consortium ("ISC")
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+ -
+ - Portions copyright (C) 2007-2008 American Registry for Internet Numbers ("ARIN")
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+ -
+ -
+ - This is a collection of sample left-right protocol PDU samples
+ - to use as test cases for the left-right protocol RelaxNG schema.
+ -->
+
+<completely_gratuitous_wrapper_element_to_let_me_run_this_through_xmllint>
+
+ <msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <self action="create" tag="a000" self_handle="42"/>
+ </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <self action="create" tag="a000" self_handle="42"/>
+ </msg>
+
+ <msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <self action="set" self_handle="42"
+ rekey="yes"
+ reissue="yes"
+ revoke="yes"
+ run_now="yes"
+ publish_world_now="yes"
+ crl_interval="3600"
+ regen_margin="86400"
+ use_hsm="no">
+ <bpki_cert>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </bpki_cert>
+ <bpki_glue>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </bpki_glue>
+ </self>
+ </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <self action="set" self_handle="42"/>
+ </msg>
+
+ <msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <self action="get" self_handle="42"/>
+ </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <self action="get" self_handle="42">
+ <bpki_cert>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </bpki_cert>
+ <bpki_glue>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </bpki_glue>
+ </self>
+ </msg>
+
+ <msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <self action="list"/>
+ </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <self action="list" self_handle="42">
+ <bpki_cert>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </bpki_cert>
+ <bpki_glue>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </bpki_glue>
+ </self>
+ <self action="list" self_handle="99"/>
+ </msg>
+
+ <msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <self action="destroy" self_handle="42"/>
+ </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <self action="destroy" self_handle="42"/>
+ </msg>
+
+ <!-- ==== -->
+
+ <msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <bsc action="create" self_handle="42" bsc_handle="17"
+ generate_keypair="yes"
+ key_type="rsa"
+ hash_alg="sha256"
+ key_length="2048">
+ <signing_cert>
+ MIIDHTCCAgWgAwIBAgIJAKUUCoKn9ovVMA0GCSqGSIb3DQEBBQUAMCYxJDAiBgNV
+ BAMTG1Rlc3QgQ2VydGlmaWNhdGUgQWxpY2UgUm9vdDAeFw0wNzA4MDExOTUzMDda
+ Fw0wNzA4MzExOTUzMDdaMCQxIjAgBgNVBAMTGVRlc3QgQ2VydGlmaWNhdGUgQWxp
+ Y2UgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDmLngkGT5kWsXd
+ IgLeV+5zNvcDt0+D4cds1cu+bw6Y/23z1+ooA8fU1gXQ28bl6ELM8WRLHgcntqzr
+ 5UX6S1xPdNfFYt8z4E1ZuvwCPsxcSwVdlYRvzAGNQivDpcJ75Mf5DTeDpr6wm7yn
+ 2pzxvQIet5djOX51RVGA3hOwCbhq2ceHs0ZruWG3T70H3Sa1ZVxP7m0DJlsSZa6v
+ 3oEeFOKZQlqrgeU74mJyLAGx/fNbIw+UBrvejfjZobIv985vQ06DZ5S2AquQ2bht
+ O/2bW3yqeOjH98YK0zlOpYtaZ2fyx4JLjHCspoki6+4W9UG+TuqdkB20mRsr25XT
+ 9kLuwIGZAgMBAAGjUDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFF6I4IR33h/s
+ vOa4Vsw2icPo8TgaMB8GA1UdIwQYMBaAFG9ed1KlOQDyB+k7Yeb8LSjG5FDtMA0G
+ CSqGSIb3DQEBBQUAA4IBAQDVzBuGyXIq/rfMjoNKIHTUgppkc+FjS02cFASpB5mk
+ ksSpGWYHMZKlqz47qDi44KAG+kmPIPOT0em81+/VGeY1oizJyKSeNDhNboth5oTu
+ ShDr4flTQCoYvRxm1wh8WIIg09nwibzGztuV1XxtdzfQV5kK5bMBlDXnUfAYydsO
+ jc52x5f4tgdcfBhjnMzkCAx2kvw5Wp3NekkOKl5YYnPK++zT9IBwqrqJmsJvyLPO
+ vvqVBYkoBWRbmcy6wVU8JpYegNNgVRbi6zeAq33gS75m9uy+4z8Ql6DqVF0s/y+/
+ 240tLCW62X98EzrALKsxhkqVZCtdc5HSRaOQr0K3I03S
+ </signing_cert>
+ </bsc>
+ </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <bsc action="create" self_handle="42" bsc_handle="17">
+ <pkcs10_request>cmVxdWVzdAo=</pkcs10_request>
+ </bsc>
+ </msg>
+
+ <msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <bsc action="set" self_handle="42" bsc_handle="17">
+ <signing_cert>
+ MIIDHTCCAgWgAwIBAgIJAKUUCoKn9ovVMA0GCSqGSIb3DQEBBQUAMCYxJDAiBgNV
+ BAMTG1Rlc3QgQ2VydGlmaWNhdGUgQWxpY2UgUm9vdDAeFw0wNzA4MDExOTUzMDda
+ Fw0wNzA4MzExOTUzMDdaMCQxIjAgBgNVBAMTGVRlc3QgQ2VydGlmaWNhdGUgQWxp
+ Y2UgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDmLngkGT5kWsXd
+ IgLeV+5zNvcDt0+D4cds1cu+bw6Y/23z1+ooA8fU1gXQ28bl6ELM8WRLHgcntqzr
+ 5UX6S1xPdNfFYt8z4E1ZuvwCPsxcSwVdlYRvzAGNQivDpcJ75Mf5DTeDpr6wm7yn
+ 2pzxvQIet5djOX51RVGA3hOwCbhq2ceHs0ZruWG3T70H3Sa1ZVxP7m0DJlsSZa6v
+ 3oEeFOKZQlqrgeU74mJyLAGx/fNbIw+UBrvejfjZobIv985vQ06DZ5S2AquQ2bht
+ O/2bW3yqeOjH98YK0zlOpYtaZ2fyx4JLjHCspoki6+4W9UG+TuqdkB20mRsr25XT
+ 9kLuwIGZAgMBAAGjUDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFF6I4IR33h/s
+ vOa4Vsw2icPo8TgaMB8GA1UdIwQYMBaAFG9ed1KlOQDyB+k7Yeb8LSjG5FDtMA0G
+ CSqGSIb3DQEBBQUAA4IBAQDVzBuGyXIq/rfMjoNKIHTUgppkc+FjS02cFASpB5mk
+ ksSpGWYHMZKlqz47qDi44KAG+kmPIPOT0em81+/VGeY1oizJyKSeNDhNboth5oTu
+ ShDr4flTQCoYvRxm1wh8WIIg09nwibzGztuV1XxtdzfQV5kK5bMBlDXnUfAYydsO
+ jc52x5f4tgdcfBhjnMzkCAx2kvw5Wp3NekkOKl5YYnPK++zT9IBwqrqJmsJvyLPO
+ vvqVBYkoBWRbmcy6wVU8JpYegNNgVRbi6zeAq33gS75m9uy+4z8Ql6DqVF0s/y+/
+ 240tLCW62X98EzrALKsxhkqVZCtdc5HSRaOQr0K3I03S
+ </signing_cert>
+ <signing_cert_crl>
+ MIIBfjBoAgEBMA0GCSqGSIb3DQEBCwUAMCYxJDAiBgNVBAMTG1Rlc3QgQ2VydGlm
+ aWNhdGUgUklSIFNFTEYtMRcNMDgwNTAxMDQ1MjAxWhcNMDgwNTMxMDQ1MjAxWqAO
+ MAwwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQELBQADggEBACTbbaYh+f4EtXFIKPwH
+ K2NYq/MrhE2BnHDyA43siryddtac1E2bOtXPkC74nY5yGm4wZU07qPovJNGu1McG
+ J2hV2uUyAN00lJU3EikrS1ewz7vqjINar1ZUMDkh0wMYKLB9S8SdwNvCf1vcjshz
+ yasBRse9PCH1R0bmDaP8FZM47P55dKiijaN87HQKyZPOExFslnWH+Nr+mAF1xost
+ pwGcc3jreVZWbtQ2RdUDJYcNrSSCH8JYqd5ZgAYcE53xxy43rKcULz054GDFcS/B
+ rprwJgfrjkPttAl80cfrVOUl77ZFfFxzOeHCmQMl9VSoCxmWvnBCBBO4H7meJ7NO
+ gyc=
+ </signing_cert_crl>
+ </bsc>
+ </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <bsc action="set" self_handle="42" bsc_handle="17"/>
+ </msg>
+
+ <msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <bsc action="get" self_handle="42" bsc_handle="17"/>
+ </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <bsc action="get" self_handle="42" bsc_handle="17">
+ <signing_cert>
+ MIIDHTCCAgWgAwIBAgIJAKUUCoKn9ovVMA0GCSqGSIb3DQEBBQUAMCYxJDAiBgNV
+ BAMTG1Rlc3QgQ2VydGlmaWNhdGUgQWxpY2UgUm9vdDAeFw0wNzA4MDExOTUzMDda
+ Fw0wNzA4MzExOTUzMDdaMCQxIjAgBgNVBAMTGVRlc3QgQ2VydGlmaWNhdGUgQWxp
+ Y2UgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDmLngkGT5kWsXd
+ IgLeV+5zNvcDt0+D4cds1cu+bw6Y/23z1+ooA8fU1gXQ28bl6ELM8WRLHgcntqzr
+ 5UX6S1xPdNfFYt8z4E1ZuvwCPsxcSwVdlYRvzAGNQivDpcJ75Mf5DTeDpr6wm7yn
+ 2pzxvQIet5djOX51RVGA3hOwCbhq2ceHs0ZruWG3T70H3Sa1ZVxP7m0DJlsSZa6v
+ 3oEeFOKZQlqrgeU74mJyLAGx/fNbIw+UBrvejfjZobIv985vQ06DZ5S2AquQ2bht
+ O/2bW3yqeOjH98YK0zlOpYtaZ2fyx4JLjHCspoki6+4W9UG+TuqdkB20mRsr25XT
+ 9kLuwIGZAgMBAAGjUDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFF6I4IR33h/s
+ vOa4Vsw2icPo8TgaMB8GA1UdIwQYMBaAFG9ed1KlOQDyB+k7Yeb8LSjG5FDtMA0G
+ CSqGSIb3DQEBBQUAA4IBAQDVzBuGyXIq/rfMjoNKIHTUgppkc+FjS02cFASpB5mk
+ ksSpGWYHMZKlqz47qDi44KAG+kmPIPOT0em81+/VGeY1oizJyKSeNDhNboth5oTu
+ ShDr4flTQCoYvRxm1wh8WIIg09nwibzGztuV1XxtdzfQV5kK5bMBlDXnUfAYydsO
+ jc52x5f4tgdcfBhjnMzkCAx2kvw5Wp3NekkOKl5YYnPK++zT9IBwqrqJmsJvyLPO
+ vvqVBYkoBWRbmcy6wVU8JpYegNNgVRbi6zeAq33gS75m9uy+4z8Ql6DqVF0s/y+/
+ 240tLCW62X98EzrALKsxhkqVZCtdc5HSRaOQr0K3I03S
+ </signing_cert>
+ </bsc>
+ </msg>
+
+ <msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <bsc action="list" self_handle="42"/>
+ </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <bsc action="get" self_handle="42" bsc_handle="17">
+ <signing_cert>
+ MIIDHTCCAgWgAwIBAgIJAKUUCoKn9ovVMA0GCSqGSIb3DQEBBQUAMCYxJDAiBgNV
+ BAMTG1Rlc3QgQ2VydGlmaWNhdGUgQWxpY2UgUm9vdDAeFw0wNzA4MDExOTUzMDda
+ Fw0wNzA4MzExOTUzMDdaMCQxIjAgBgNVBAMTGVRlc3QgQ2VydGlmaWNhdGUgQWxp
+ Y2UgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDmLngkGT5kWsXd
+ IgLeV+5zNvcDt0+D4cds1cu+bw6Y/23z1+ooA8fU1gXQ28bl6ELM8WRLHgcntqzr
+ 5UX6S1xPdNfFYt8z4E1ZuvwCPsxcSwVdlYRvzAGNQivDpcJ75Mf5DTeDpr6wm7yn
+ 2pzxvQIet5djOX51RVGA3hOwCbhq2ceHs0ZruWG3T70H3Sa1ZVxP7m0DJlsSZa6v
+ 3oEeFOKZQlqrgeU74mJyLAGx/fNbIw+UBrvejfjZobIv985vQ06DZ5S2AquQ2bht
+ O/2bW3yqeOjH98YK0zlOpYtaZ2fyx4JLjHCspoki6+4W9UG+TuqdkB20mRsr25XT
+ 9kLuwIGZAgMBAAGjUDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFF6I4IR33h/s
+ vOa4Vsw2icPo8TgaMB8GA1UdIwQYMBaAFG9ed1KlOQDyB+k7Yeb8LSjG5FDtMA0G
+ CSqGSIb3DQEBBQUAA4IBAQDVzBuGyXIq/rfMjoNKIHTUgppkc+FjS02cFASpB5mk
+ ksSpGWYHMZKlqz47qDi44KAG+kmPIPOT0em81+/VGeY1oizJyKSeNDhNboth5oTu
+ ShDr4flTQCoYvRxm1wh8WIIg09nwibzGztuV1XxtdzfQV5kK5bMBlDXnUfAYydsO
+ jc52x5f4tgdcfBhjnMzkCAx2kvw5Wp3NekkOKl5YYnPK++zT9IBwqrqJmsJvyLPO
+ vvqVBYkoBWRbmcy6wVU8JpYegNNgVRbi6zeAq33gS75m9uy+4z8Ql6DqVF0s/y+/
+ 240tLCW62X98EzrALKsxhkqVZCtdc5HSRaOQr0K3I03S
+ </signing_cert>
+ </bsc>
+ </msg>
+
+ <msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <bsc action="destroy" self_handle="42" bsc_handle="17"/>
+ </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <bsc action="destroy" self_handle="42" bsc_handle="17"/>
+ </msg>
+
+ <!-- ==== -->
+
+ <msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <parent action="create" self_handle="42" parent_handle="666"
+ peer_contact_uri="https://re.bar.example/bandicoot/"
+ sia_base="rsync://repo.foo.example/wombat/"
+ bsc_handle="17"
+ repository_handle="120"
+ sender_name="tweedledee"
+ recipient_name="tweedledum">
+ <bpki_cms_cert>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </bpki_cms_cert>
+ <bpki_cms_glue>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </bpki_cms_glue>
+ </parent>
+ </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <parent action="create" self_handle="42" parent_handle="666"/>
+ </msg>
+
+ <msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <parent action="set" self_handle="42" parent_handle="666"
+ peer_contact_uri="https://re.bar.example/bandicoot/"
+ sia_base="rsync://repo.foo.example/wombat/"
+ bsc_handle="17"
+ repository_handle="120"
+ rekey="yes"
+ reissue="yes"
+ revoke="yes">
+ <bpki_cms_cert>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </bpki_cms_cert>
+ <bpki_cms_glue>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </bpki_cms_glue>
+ </parent>
+ </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <parent action="set" self_handle="42" parent_handle="666"/>
+ </msg>
+
+ <msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <parent action="get" self_handle="42" parent_handle="666"/>
+ </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <parent action="get" self_handle="42" parent_handle="666"
+ peer_contact_uri="https://re.bar.example/bandicoot/"
+ sia_base="rsync://repo.foo.example/wombat/"
+ bsc_handle="17"
+ repository_handle="120">
+ <bpki_cms_cert>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </bpki_cms_cert>
+ <bpki_cms_glue>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </bpki_cms_glue>
+ </parent>
+ </msg>
+
+ <msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <parent action="list" self_handle="42"/>
+ </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <parent action="list" self_handle="42" parent_handle="666"
+ peer_contact_uri="https://re.bar.example/bandicoot/"
+ sia_base="rsync://repo.foo.example/wombat/"
+ bsc_handle="17"
+ repository_handle="120">
+ <bpki_cms_cert>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </bpki_cms_cert>
+ <bpki_cms_glue>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </bpki_cms_glue>
+ </parent>
+ </msg>
+
+ <msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <parent action="destroy" self_handle="42"
+ parent_handle="666"/> </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <parent action="destroy" self_handle="42" parent_handle="666"/>
+ </msg>
+
+ <!-- ==== -->
+
+ <msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <child action="create" self_handle="42" child_handle="3"
+ bsc_handle="17">
+ <bpki_cert>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </bpki_cert>
+ </child>
+ </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <child action="create" self_handle="42" child_handle="3"/>
+ </msg>
+
+ <msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <child action="set" self_handle="42" child_handle="3"
+ bsc_handle="17"
+ reissue="yes">
+ <bpki_cert>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </bpki_cert>
+ </child>
+ </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <child action="set" self_handle="42" child_handle="3"/>
+ </msg>
+
+ <msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <child action="get" self_handle="42" child_handle="3"/>
+ </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <child action="get" self_handle="42" child_handle="3"
+ bsc_handle="17">
+ <bpki_cert>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </bpki_cert>
+ </child>
+ </msg>
+
+ <msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <child action="list" self_handle="42"/>
+ </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <child action="list" self_handle="42" child_handle="3"
+ bsc_handle="17">
+ <bpki_cert>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </bpki_cert>
+ </child>
+ </msg>
+
+ <msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <child action="destroy" self_handle="42" child_handle="3"/>
+ </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <child action="destroy" self_handle="42" child_handle="3"/>
+ </msg>
+
+ <!-- ==== -->
+
+ <msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <repository action="create" self_handle="42" repository_handle="120"
+ peer_contact_uri="https://re.bar.example/bandicoot/"
+ bsc_handle="17">
+ <bpki_cert>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </bpki_cert>
+ <bpki_glue>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </bpki_glue>
+ </repository>
+ </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <repository action="create" self_handle="42" repository_handle="120"/>
+ </msg>
+
+ <msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <repository action="set" self_handle="42" repository_handle="120"
+ peer_contact_uri="https://re.bar.example/bandicoot/"
+ bsc_handle="17">
+ <bpki_cert>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </bpki_cert>
+ <bpki_glue>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </bpki_glue>
+ </repository>
+ </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <repository action="set" self_handle="42" repository_handle="120"/>
+ </msg>
+
+ <msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <repository action="get" self_handle="42" repository_handle="120"/>
+ </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <repository action="get" self_handle="42" repository_handle="120"
+ peer_contact_uri="https://re.bar.example/bandicoot/"
+ bsc_handle="17">
+ <bpki_cert>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </bpki_cert>
+ <bpki_glue>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </bpki_glue>
+ </repository>
+ </msg>
+
+ <msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <repository action="list" self_handle="42"/>
+ </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <repository action="list" self_handle="42" repository_handle="120"
+ peer_contact_uri="https://re.bar.example/bandicoot/"
+ bsc_handle="17">
+ <bpki_cert>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </bpki_cert>
+ <bpki_glue>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </bpki_glue>
+ </repository>
+ </msg>
+
+ <msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <repository action="destroy" self_handle="42" repository_handle="120"/>
+ </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <repository action="destroy" self_handle="42" repository_handle="120"/>
+ </msg>
+
+ <!-- ==== -->
+
+ <msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <list_resources self_handle="42" child_handle="289"/>
+ </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <list_resources self_handle="42" child_handle="289"
+ valid_until="2008-04-01T00:00:00Z"
+ ipv4="10.0.0.44/32,10.3.0.44/32"
+ ipv6="fe80:deed:f00d::/48,fe80:dead:beef:2::-fe80:dead:beef:2::49"
+ asn="666"/>
+ </msg>
+
+ <!-- === -->
+
+ <msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <list_roa_requests self_handle="42"/>
+ </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <list_roa_requests self_handle="42"
+ asn="666"
+ ipv4="10.0.0.44/32,10.3.0.44/32"
+ ipv6="fe80:deed:f00d::/48,fe80:dead:beef::/48-56"
+ />
+ <list_roa_requests self_handle="42"
+ asn="12345"
+ ipv4="10.0.0.44/32"
+ ipv6="2002:a00::/48-56"
+ />
+ </msg>
+
+ <!-- === -->
+
+ <msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <list_received_resources self_handle="42"/>
+ </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <list_received_resources self_handle="42"
+ parent_handle="Alice"
+ notBefore="2010-02-22T03:44:23Z"
+ notAfter="2011-02-21T11:03:49Z"
+ uri="rsync://arin.rpki.net/arin/1/Du4MhiSkjd_3bPL7c2trEkJBZ-U.cer"
+ sia_uri="rsync://arin.rpki.net/arin/isc/ISC-94-Z/2/"
+ aia_uri="rsync://arin.rpki.net/arin/arin.cer"
+ asn="1280,3557"
+ ipv4="149.20.0.0/16,192.5.4.0/23,204.152.184.0/21"/>
+ <list_received_resources self_handle="42"
+ parent_handle="Bob"
+ uri="rsync://arin.rpki.net/arin/1/uWqpa8GkcEDBZkEsmOEofeDKk9s.cer"
+ notBefore="2010-02-22T03:44:20Z"
+ notAfter="2011-02-21T11:03:49Z"
+ sia_uri="rsync://arin.rpki.net/arin/isc/ISC-94/1/"
+ aia_uri="rsync://arin.rpki.net/arin/arin.cer"
+ asn="27318-27322,30122-30134,33071-33082,53459,393221"
+ ipv4="192.158.248.0-192.158.252.255,192.228.80.0-192.228.92.255,199.6.0.0-199.6.14.255,199.254.27.0/24"
+ ipv6="2001:4f8::/32,2001:500::/48,2001:500:2e::/47,2001:500:60::-2001:500:7c:ffff:ffff:ffff:ffff:ffff,2001:500:85::/48"/>
+ </msg>
+
+
+ <!-- === -->
+
+ <msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <list_published_objects self_handle="42"/>
+ </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <list_published_objects self_handle="42" uri="rsync://rpki.example.org/rpki/DEMEtlxZrZes7TNGbe7XwVSMgW0.crl">
+ MIIBrjCBlwIBATANBgkqhkiG9w0BAQsFADAzMTEwLwYDVQQDEygwQzQzMDRCNjVDNTlBRDk3
+ QUNFRDMzNDY2REVFRDdDMTU0OEM4MTZEFw0wOTA5MjgyMDUxNDlaFw0wOTA5MjgyMTUxNDla
+ oDAwLjAfBgNVHSMEGDAWgBQMQwS2XFmtl6ztM0Zt7tfBVIyBbTALBgNVHRQEBAICAWkwDQYJ
+ KoZIhvcNAQELBQADggEBAIRT1nriWsvZO9QtLKEiO7SZE3YZqMqDXS1auGBxEZtcLyF93ct6
+ dstbiWHXjlHLztgePXh970BsTYhiVbKKnZvS0pjI8a9vr9b2Dyia3QG8ArV0zXVKhAGku5v+
+ RG9d+f/VH0GMQ8ITcjJOKOaK0afv1KmQsydAb8KLKAGhCs7zeuztQG2k3YP6BE2OOPYK9fYk
+ EGHz0kPGp/oD/PJJfmPlKD4Uk4mSvM6e5ksgKg0BnxoU9RMkWjAeGVxk0F+SDG5sPmCsVOgB
+ fBk4i7H945v/zs7bLLMJxTs8+ao4iCDuknjbGhjWmi9xrTXDtcCXx607rPDkJQcJE2WnRS/U
+ HIA=
+ </list_published_objects>
+ <list_published_objects self_handle="42" uri="rsync://rpki.example.org/rpki/DEMEtlxZrZes7TNGbe7XwVSMgW0.mft">
+ MIIHBQYJKoZIhvcNAQcCoIIG9jCCBvICAQMxDTALBglghkgBZQMEAgEwggEfBgsqhkiG9w0B
+ CRABGqCCAQ4EggEKMIIBBgICAWoYDzIwMDkwOTI4MjA1MTQ5WhgPMjAwOTA5MjgyMTUxNDla
+ BglghkgBZQMEAgEwgdIwRBYfREVNRXRseFpyWmVzN1ROR2JlN1h3VlNNZ1cwLmNybAMhAPgd
+ nO/fVdSWmPrnxJAf4JXrf0J/dHv9en+Tsqrz4WjcMEQWH2xkdnhjSEdkcjNvS0hjUGotZ3Vr
+ bWV0TlJaMC5yb2EDIQAxseZlGDtfsvDOBv1X2ElR8k/V78ynwSBGM22F5DYXUTBEFh94b3BO
+ R2NzQl9wN2VhZllxWGF0bVZWOEhaZDAucm9hAyEAKIKdRZhS1tawepRzVXtdP1imh6zPymWp
+ dCjYJUDqzY2gggQLMIIEBzCCAu+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAzMTEwLwYDVQQD
+ EygwQzQzMDRCNjVDNTlBRDk3QUNFRDMzNDY2REVFRDdDMTU0OEM4MTZEMB4XDTA5MDkxODIx
+ NDE1NFoXDTEwMDkxMzExMDcwOVowMzExMC8GA1UEAxMoMEQ3MjU5REEyNEY5OTRFNTVCN0E2
+ NkQxMDBEOUE5REJFMURGODIwNzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKwo
+ COG8kQMKuAVMOe5eTlasUpFQ2OT2VNmJtJ7NPQ1rLm1ahVUcTXUn7p+ikmJYpwFRACZ6htgF
+ n51RL43lm/pITTSVc1A6fofkrnoNImwMG8Pj8Z46H6kbJOM69NW5asjvA5DfSu73cltGHPRg
+ DQqt1k/3+aWqPWiYS7OGbQdDYGmy3T5VNlc+DBzyAM2VxNrLNF5Imv1NbfLw0Bp/gvayeApe
+ AjhjraCP7ZQxyXesLbBZrjQz1MXpi4DOZtY8gYwaMNgeU56jR9tpM5IDY5zSPHKZyJVvLQnT
+ iQfMKasHYMcFDtDrRH7t+YQlmt40uby0YsIIcv5FWJf1OBHnyYcCAwEAAaOCASQwggEgMB0G
+ A1UdDgQWBBQNclnaJPmU5Vt6ZtEA2anb4d+CBzAfBgNVHSMEGDAWgBQMQwS2XFmtl6ztM0Zt
+ 7tfBVIyBbTBaBgNVHR8EUzBRME+gTaBLhklyc3luYzovL2FyaW4ucnBraS5uZXQvYXJpbi9p
+ c2MvSVNDLTk0LVovMi9ERU1FdGx4WnJaZXM3VE5HYmU3WHdWU01nVzAuY3JsMFgGCCsGAQUF
+ BwEBBEwwSjBIBggrBgEFBQcwAoY8cnN5bmM6Ly9hcmluLnJwa2kubmV0L2FyaW4vMS9ERU1F
+ dGx4WnJaZXM3VE5HYmU3WHdWU01nVzAuY2VyMBgGA1UdIAEB/wQOMAwwCgYIKwYBBQUHDgIw
+ DgYDVR0PAQH/BAQDAgeAMA0GCSqGSIb3DQEBCwUAA4IBAQCZtr0XdjKRitItHi7UfUx6hTp2
+ BOwoaNoOCEKw+dRMDYEgfRKbWSRd3gyVR3F1DV41aT1vDm56+WoN2Td1WEi2H0q22f1iIKuS
+ m0MkOpdqVZGOYHLTErv22XzDf7ifdGo3RkW7QOQ3D1n6Qraft5AB3aHskCofvPx3CBGFHKWh
+ N5HXnh+J/Bly2EwxPYs4yibx6K8stnxwIwsmo7DvjdPwv+VnrmIb7pxOpvqHjEQEs7Wy9Y47
+ NP3Ym2YLwbIqAuN6F9kF7DeCanBt0HeFqMsOowz11ll1xBAwcpz/bxVwyAwWUoJNncoJCrjz
+ n2gPGYKqW80qgQwL8vBLFtBevZbyMYIBqjCCAaYCAQOAFA1yWdok+ZTlW3pm0QDZqdvh34IH
+ MAsGCWCGSAFlAwQCAaBrMBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRABGjAcBgkqhkiG9w0B
+ CQUxDxcNMDkwOTI4MjA1MTQ5WjAvBgkqhkiG9w0BCQQxIgQgYA8+0xE+taAr6cM6tEAt4Wh6
+ BWT8Xu76a6YSZt9hb2kwDQYJKoZIhvcNAQEBBQAEggEAmD/WNppqwMtpQw+RkqIbcg3HT7fg
+ RRK+ehJfcyCqP/t7vUu65cAcz02gbT3LHZDkqtGD9WjgjoxSVNrYiS+4TEQbt0AXrSQFqr9F
+ ud2eujpeGpx56VVYgE/Jef9MfiYXSjWj9oveEWR1OdRFVCn6TW6+t1n6OMTNhnDxYt9t4NZV
+ OCK95aHm9vi7d8CMZfPnZMQuXiNmHberYkxLu5LZJ84C2GqGbyBllkFp2KUGKoWgMyeKkk0q
+ yML8lQJAFAyjnXJ+doGbqfTUpVH4q4drqRb73WbL0zf/Z2HGwhDlTmsAdjparWdQcfXIVrJF
+ ynS1fab9XZfj+VtBFKjooDjaLw==
+ </list_published_objects>
+ <list_published_objects self_handle="42" uri="rsync://rpki.example.org/rpki/ldvxcHGdr3oKHcPj-gukmetNRZ0.roa">
+ MIIGnQYJKoZIhvcNAQcCoIIGjjCCBooCAQMxDTALBglghkgBZQMEAgEwMQYLKoZIhvcNAQkQ
+ ARigIgQgMB4CAg3lMBgwFgQCAAEwEDAGAwQAwAUEMAYDBADABQWgggSTMIIEjzCCA3egAwIB
+ AgIBAjANBgkqhkiG9w0BAQsFADAzMTEwLwYDVQQDEygwQzQzMDRCNjVDNTlBRDk3QUNFRDMz
+ NDY2REVFRDdDMTU0OEM4MTZEMB4XDTA5MDkxODIyNTkzM1oXDTEwMDkxMzExMDcwOVowMzEx
+ MC8GA1UEAxMoOTVEQkYxNzA3MTlEQUY3QTBBMURDM0UzRkEwQkE0OTlFQjRENDU5RDCCASIw
+ DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALpn7TNbq1aYIa9fQG660Rz3dUfpx/dZEOJc
+ /PD5sxLSBCgcMJKGUb7RGajyI4pbIwVax1w+A4Ie38YjSl6p95FdwBMDX2w6OwePdLwDC+0R
+ zCf2p/F4Go79glYssEKjFGYvUDwm8SwJ3dr8XdlgdjbT4zIrMZj9SVOgreeNGOU+jcn8HvX3
+ 94/0w49JDzPwKmHzGSlBTunzQ4pYZyZ2R+rDKuTJqRslEdD5KOFjNV2s4owWkhJzCermBj2u
+ CFExS+0Fc0In9Q3X5PcTMp2L1Gj4sdgc2Kbc8VTWU7kgF5M/15HThgRy+Ldx/b05w22mJV7L
+ 6yMkNGfRpn4CxLFD0U8CAwEAAaOCAawwggGoMB0GA1UdDgQWBBSV2/FwcZ2vegodw+P6C6SZ
+ 601FnTAfBgNVHSMEGDAWgBQMQwS2XFmtl6ztM0Zt7tfBVIyBbTBaBgNVHR8EUzBRME+gTaBL
+ hklyc3luYzovL2FyaW4ucnBraS5uZXQvYXJpbi9pc2MvSVNDLTk0LVovMi9ERU1FdGx4WnJa
+ ZXM3VE5HYmU3WHdWU01nVzAuY3JsMFgGCCsGAQUFBwEBBEwwSjBIBggrBgEFBQcwAoY8cnN5
+ bmM6Ly9hcmluLnJwa2kubmV0L2FyaW4vMS9ERU1FdGx4WnJaZXM3VE5HYmU3WHdWU01nVzAu
+ Y2VyMBgGA1UdIAEB/wQOMAwwCgYIKwYBBQUHDgIwDgYDVR0PAQH/BAQDAgeAMGUGCCsGAQUF
+ BwELBFkwVzBVBggrBgEFBQcwC4ZJcnN5bmM6Ly9hcmluLnJwa2kubmV0L2FyaW4vaXNjL0lT
+ Qy05NC1aLzIvbGR2eGNIR2RyM29LSGNQai1ndWttZXROUlowLnJvYTAfBggrBgEFBQcBBwEB
+ /wQQMA4wDAQCAAEwBgMEAcAFBDANBgkqhkiG9w0BAQsFAAOCAQEAIjdpXxwxe9sK9RkqzvDP
+ to3zdDhpLf29XqKKkNhux2pXXeMcRR5vNN13mguuxaO/uQtrFTBgk8EJn7CfhmIoZpZClcAS
+ cvIyYSBbc/VspOdmPH2DnQGFjBk/qpEUs3W3Us5/w6x2BnjuUtRBj5eQQ5kydtHTy/URSX7i
+ K76ngiTsDL6e77UVu8KY+EutZU3b2HH73qfeP8L4HJ2rpm5tnHZEECcAHS20bhqTqyuECcuK
+ FBhQA2Ye8LtVg/CbZixZNqb5bfcCj72HzsZAKC57gzu/ROJ43wINcwgCkYUeWM8eoFJoYCaQ
+ z1avg/vDGBrZtkNQQJt9mXoxaJF25YEuRDGCAaowggGmAgEDgBSV2/FwcZ2vegodw+P6C6SZ
+ 601FnTALBglghkgBZQMEAgGgazAaBgkqhkiG9w0BCQMxDQYLKoZIhvcNAQkQARgwHAYJKoZI
+ hvcNAQkFMQ8XDTA5MDkxODIyNTkzM1owLwYJKoZIhvcNAQkEMSIEIEU7rNCYuAgPtZckEMP4
+ MMUl4hMwvLJ4KWHgg1fZNkJMMA0GCSqGSIb3DQEBAQUABIIBAA6fqD9/VisrRFIqRbwFpG/B
+ fkmnZGPequD7JPgJR/O/7ofUe1yunPugdPoDe+bTrEaUfyj6xAcdXXwR2fKHF8HyCPMclqCB
+ aQNZH/nHnawrwOXem8qwnKRyn7hOXyKPxar4VIVg90JFttgaM/l9W++PV02KQS8GlFRymvpg
+ Eca4THQ5/VWe/3V5dAOEGFUl0/WAjYId+jYzF9oHKSeZTqWmpvDaX4Pc+xkydw18kQBsovnv
+ +N931gu2r5I/XB/MGgGvXNWozK7RuMn55i5hMqI2NQs+/b7/AQU0+/i3g7SlLA8iZwHq49U2
+ ZXRCjLXcy0tQOWVsMnGfReN8oNDhHbc=
+ </list_published_objects>
+ <list_published_objects self_handle="42" uri="rsync://rpki.example.org/rpki/xopNGcsB_p7eafYqXatmVV8HZd0.roa">
+ MIIGoQYJKoZIhvcNAQcCoIIGkjCCBo4CAQMxDTALBglghkgBZQMEAgEwMAYLKoZIhvcNAQkQ
+ ARigIQQfMB0CAgUAMBcwFQQCAAEwDzAFAwMAlRQwBgMEA8yYuKCCBJgwggSUMIIDfKADAgEC
+ AgEDMA0GCSqGSIb3DQEBCwUAMDMxMTAvBgNVBAMTKDBDNDMwNEI2NUM1OUFEOTdBQ0VEMzM0
+ NjZERUVEN0MxNTQ4QzgxNkQwHhcNMDkwOTE4MjI1OTU1WhcNMTAwOTEzMTEwNzA5WjAzMTEw
+ LwYDVQQDEyhDNjhBNEQxOUNCMDFGRTlFREU2OUY2MkE1REFCNjY1NTVGMDc2NUREMIIBIjAN
+ BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2z9OLSVMT632SBjbKcwfnZtkIOeaFG8oRZKe
+ u6q7E3krOxXuK2Yxafz5d2+FJBBFHWSmtKuHpeR2rkUWOZlgIWny6u9hb7vzt2wvuEXjBI7H
+ Bn3sNgGOIgHyuWjUxWyy6gr1K4x437XaMUeMx7xy/82DSgqyK0298EoiPlg8wQau38WFx+FZ
+ cu2Bnf3prc2l3oSRKNPAE7l4P6DKnjy3VPQT6xCt5PEscVDFzkMeJXrGe48GwJzV0ZbUQHeZ
+ /eMAsWyZIp5K4kciU6A552ImLjim64HXaviyHiv0rHAUImBoK5AbnpH1yOZ93StqD0iFEJMF
+ HubclLRuJRFomX05DwIDAQABo4IBsTCCAa0wHQYDVR0OBBYEFMaKTRnLAf6e3mn2Kl2rZlVf
+ B2XdMB8GA1UdIwQYMBaAFAxDBLZcWa2XrO0zRm3u18FUjIFtMFoGA1UdHwRTMFEwT6BNoEuG
+ SXJzeW5jOi8vYXJpbi5ycGtpLm5ldC9hcmluL2lzYy9JU0MtOTQtWi8yL0RFTUV0bHhaclpl
+ czdUTkdiZTdYd1ZTTWdXMC5jcmwwWAYIKwYBBQUHAQEETDBKMEgGCCsGAQUFBzAChjxyc3lu
+ YzovL2FyaW4ucnBraS5uZXQvYXJpbi8xL0RFTUV0bHhaclplczdUTkdiZTdYd1ZTTWdXMC5j
+ ZXIwGAYDVR0gAQH/BA4wDDAKBggrBgEFBQcOAjAOBgNVHQ8BAf8EBAMCB4AwZQYIKwYBBQUH
+ AQsEWTBXMFUGCCsGAQUFBzALhklyc3luYzovL2FyaW4ucnBraS5uZXQvYXJpbi9pc2MvSVND
+ LTk0LVovMi94b3BOR2NzQl9wN2VhZllxWGF0bVZWOEhaZDAucm9hMCQGCCsGAQUFBwEHAQH/
+ BBUwEzARBAIAATALAwMAlRQDBAPMmLgwDQYJKoZIhvcNAQELBQADggEBAMmzrOxl/SA7uEHR
+ 4D5jCMNFZaKkh9Shf2Uqg+JpD88BPVLdBDHmG7CmFSI42puZk76SIrXLjyaUv3kP4wKNXOug
+ c3/80bynPgT+25kTeJc5T4Th735fzJZantqfG+uBQmC2Rk5mihTAL1wweIBFBYcmjAWSmuo9
+ N84XWOikQnkPLAsiX75mT1E2BZB5te6UruWHRtlMggNvE72zrZBYAhk+bCC5HdkAhwA3dah5
+ SsMSOoGgniFoWlLq3COV+ga1OkJgYVRQHXGP7Fjh7YCU2yUygKaf5Yniqh1ijbjJvVz419QY
+ ZflO9//gP3IM5ClbnWR4RhzZFKJ4DGz+lDmHIugxggGqMIIBpgIBA4AUxopNGcsB/p7eafYq
+ XatmVV8HZd0wCwYJYIZIAWUDBAIBoGswGgYJKoZIhvcNAQkDMQ0GCyqGSIb3DQEJEAEYMBwG
+ CSqGSIb3DQEJBTEPFw0wOTA5MTgyMjU5NTVaMC8GCSqGSIb3DQEJBDEiBCC4ptBgQZ1Ktxau
+ h1foPe9MJiB8XZJ21ynmZ7BPTWLQVTANBgkqhkiG9w0BAQEFAASCAQBlAxAGN2Tcvi8tF5qk
+ ECahrFZn0qvOw9tQRKNwwC5SRUQWQcd6Pi7g0znLVS0Y5iOZB7QvHiuPXvVAR7cxwjRlEZy2
+ kmERAbrq7ROweJjb9L5JsacRSWUfG7JQjdqMSGLOf3gqlidBnDrKlNIWfyGntpZZFmIGKo9X
+ 5U8PWrCGkb+2AZT/tpt0eMGRhdgGX0n987dEhUbU7k9dZZXA7ou/g1MSL2HHfH17mL9rQqzN
+ UwHopIkNlG0ljGy7xI2wjjcvUCDi0Ns/asqxlz6icHgXhrhLyZy3JlcjG7/v2dm0MdZLFg4m
+ FN/5lE6Ayt2VEDfVNRfMzD6ezxb8PZc2astn
+ </list_published_objects>
+
+ </msg>
+
+ <!-- === -->
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <report_error self_handle="42" error_code="your_hair_is_on_fire">text string</report_error>
+ </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
+ <report_error self_handle="42" error_code="your_hair_is_on_fire"/>
+ </msg>
+
+</completely_gratuitous_wrapper_element_to_let_me_run_this_through_xmllint>
diff --git a/ca/tests/myrpki-xml-parse-test.py b/ca/tests/myrpki-xml-parse-test.py
new file mode 100644
index 00000000..10b9cd58
--- /dev/null
+++ b/ca/tests/myrpki-xml-parse-test.py
@@ -0,0 +1,101 @@
+# $Id$
+#
+# Copyright (C) 2009--2012 Internet Systems Consortium ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+"""
+Test parser and display tool for myrpki.xml files.
+"""
+
+import lxml.etree, rpki.resource_set, base64, subprocess
+
+relaxng = lxml.etree.RelaxNG(file = "myrpki.rng")
+
+tree = lxml.etree.parse("myrpki.xml").getroot()
+
+if False:
+ print lxml.etree.tostring(tree, pretty_print = True, encoding = "us-ascii", xml_declaration = True)
+
+relaxng.assertValid(tree)
+
+def showitems(y):
+ if False:
+ for k, v in y.items():
+ if v:
+ print " ", k, v
+
+def tag(t):
+ return "{http://www.hactrn.net/uris/rpki/myrpki/}" + t
+
+print "My handle:", tree.get("handle")
+
+print "Children:"
+for x in tree.getiterator(tag("child")):
+ print " ", x
+ print " Handle:", x.get("handle")
+ print " ASNS: ", rpki.resource_set.resource_set_as(x.get("asns"))
+ print " IPv4: ", rpki.resource_set.resource_set_ipv4(x.get("v4"))
+ print " Valid: ", x.get("valid_until")
+ showitems(x)
+print
+
+print "ROA requests:"
+for x in tree.getiterator(tag("roa_request")):
+ print " ", x
+ print " ASN: ", x.get("asn")
+ print " IPv4:", rpki.resource_set.roa_prefix_set_ipv4(x.get("v4"))
+ print " IPv6:", rpki.resource_set.roa_prefix_set_ipv6(x.get("v6"))
+ showitems(x)
+print
+
+def showpem(label, b64, kind):
+ cmd = ("openssl", kind, "-noout", "-text", "-inform", "DER")
+ if kind == "x509":
+ cmd += ("-certopt", "no_pubkey,no_sigdump")
+ p = subprocess.Popen(cmd, stdin = subprocess.PIPE, stdout = subprocess.PIPE)
+ text = p.communicate(input = base64.b64decode(b64))[0]
+ if p.returncode != 0:
+ raise subprocess.CalledProcessError(returncode = p.returncode, cmd = cmd)
+ print label, text
+
+for x in tree.getiterator(tag("child")):
+ cert = x.findtext(tag("bpki_certificate"))
+ if cert:
+ showpem("Child", cert, "x509")
+
+for x in tree.getiterator(tag("parent")):
+ print "Parent URI:", x.get("service_uri")
+ cert = x.findtext(tag("bpki_certificate"))
+ if cert:
+ showpem("Parent", cert, "x509")
+
+ca = tree.findtext(tag("bpki_ca_certificate"))
+if ca:
+ showpem("CA", ca, "x509")
+
+bsc = tree.findtext(tag("bpki_bsc_certificate"))
+if bsc:
+ showpem("BSC EE", bsc, "x509")
+
+repo = tree.findtext(tag("bpki_repository_certificate"))
+if repo:
+ showpem("Repository", repo, "x509")
+
+req = tree.findtext(tag("bpki_bsc_pkcs10"))
+if req:
+ showpem("BSC EE", req, "req")
+
+crl = tree.findtext(tag("bpki_crl"))
+if crl:
+ showpem("CA", crl, "crl")
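Review bot: The schema and input paths are bare relative names (`lxml.etree.RelaxNG(file = "myrpki.rng")` and `lxml.etree.parse("myrpki.xml")` near the top of the hunk), so the tool works only when run from the directory that holds both files, and the module docstring does not say so; suggest `"""Test parser and display tool for myrpki.xml files; expects myrpki.rng and myrpki.xml in the current directory."""`. The `showitems` helper and the pretty-print block are both wrapped in `if False:`, so `showitems(x)` is a no-op at every call site — either drop them or mark them with a comment such as `# debugging aid, flip to True to dump attributes`. Also worth a comment that `relaxng.assertValid(tree)` runs only after the file has been fully parsed with the default lxml parser, so the RelaxNG check constrains the document structure but not the parser's DTD/entity handling; if this tool is ever pointed at files from an untrusted source, an explicit `lxml.etree.XMLParser(resolve_entities=False)` would be the place to tighten that.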
diff --git a/ca/tests/old_irdbd.py b/ca/tests/old_irdbd.py
new file mode 100644
index 00000000..d258e4c0
--- /dev/null
+++ b/ca/tests/old_irdbd.py
@@ -0,0 +1,19 @@
+# $Id$
+#
+# Copyright (C) 2010-2012 Internet Systems Consortium ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+if __name__ == "__main__":
+ import rpki.old_irdbd
+ rpki.old_irdbd.main()
diff --git a/ca/tests/old_irdbd.sql b/ca/tests/old_irdbd.sql
new file mode 100644
index 00000000..e773bb2e
--- /dev/null
+++ b/ca/tests/old_irdbd.sql
@@ -0,0 +1,143 @@
+-- $Id$
+
+-- Copyright (C) 2009--2011 Internet Systems Consortium ("ISC")
+--
+-- Permission to use, copy, modify, and distribute this software for any
+-- purpose with or without fee is hereby granted, provided that the above
+-- copyright notice and this permission notice appear in all copies.
+--
+-- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+-- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+-- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+-- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+-- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+-- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+-- PERFORMANCE OF THIS SOFTWARE.
+
+-- Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+--
+-- Permission to use, copy, modify, and distribute this software for any
+-- purpose with or without fee is hereby granted, provided that the above
+-- copyright notice and this permission notice appear in all copies.
+--
+-- THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+-- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+-- AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+-- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+-- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+-- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+-- PERFORMANCE OF THIS SOFTWARE.
+
+-- SQL objects needed by irdbd.py. You only need this if you're using
+-- irdbd.py as your IRDB; if you have a "real" backend you can do
+-- anything you like so long as you implement the relevant portion of
+-- the left-right protocol.
+
+-- DROP TABLE commands must be in correct (reverse dependency) order
+-- to satisfy FOREIGN KEY constraints.
+
+DROP TABLE IF EXISTS roa_request_prefix;
+DROP TABLE IF EXISTS roa_request;
+DROP TABLE IF EXISTS registrant_net;
+DROP TABLE IF EXISTS registrant_asn;
+DROP TABLE IF EXISTS registrant;
+DROP TABLE IF EXISTS ghostbuster_request;
+DROP TABLE IF EXISTS ee_certificate_asn;
+DROP TABLE IF EXISTS ee_certificate_net;
+DROP TABLE IF EXISTS ee_certificate;
+
+CREATE TABLE registrant (
+ registrant_id SERIAL NOT NULL,
+ registrant_handle VARCHAR(255) NOT NULL,
+ registrant_name TEXT,
+ registry_handle VARCHAR(255),
+ valid_until DATETIME NOT NULL,
+ PRIMARY KEY (registrant_id),
+ UNIQUE (registry_handle, registrant_handle)
+) ENGINE=InnoDB;
+
+CREATE TABLE registrant_asn (
+ start_as BIGINT UNSIGNED NOT NULL,
+ end_as BIGINT UNSIGNED NOT NULL,
+ registrant_id BIGINT UNSIGNED NOT NULL,
+ PRIMARY KEY (registrant_id, start_as, end_as),
+ CONSTRAINT registrant_asn_registrant_id
+ FOREIGN KEY (registrant_id) REFERENCES registrant (registrant_id)
+ ON DELETE CASCADE ON UPDATE CASCADE
+) ENGINE=InnoDB;
+
+CREATE TABLE registrant_net (
+ start_ip VARCHAR(40) NOT NULL,
+ end_ip VARCHAR(40) NOT NULL,
+ version TINYINT UNSIGNED NOT NULL,
+ registrant_id BIGINT UNSIGNED NOT NULL,
+ PRIMARY KEY (registrant_id, version, start_ip, end_ip),
+ CONSTRAINT registrant_net_registrant_id
+ FOREIGN KEY (registrant_id) REFERENCES registrant (registrant_id)
+ ON DELETE CASCADE ON UPDATE CASCADE
+) ENGINE=InnoDB;
+
+CREATE TABLE roa_request (
+ roa_request_id SERIAL NOT NULL,
+ self_handle VARCHAR(255) NOT NULL,
+ asn BIGINT UNSIGNED NOT NULL,
+ PRIMARY KEY (roa_request_id)
+) ENGINE=InnoDB;
+
+CREATE TABLE roa_request_prefix (
+ prefix VARCHAR(40) NOT NULL,
+ prefixlen TINYINT UNSIGNED NOT NULL,
+ max_prefixlen TINYINT UNSIGNED NOT NULL,
+ version TINYINT UNSIGNED NOT NULL,
+ roa_request_id BIGINT UNSIGNED NOT NULL,
+ PRIMARY KEY (roa_request_id, prefix, prefixlen, max_prefixlen),
+ CONSTRAINT roa_request_prefix_roa_request_id
+ FOREIGN KEY (roa_request_id) REFERENCES roa_request (roa_request_id)
+ ON DELETE CASCADE ON UPDATE CASCADE
+) ENGINE=InnoDB;
+
+CREATE TABLE ghostbuster_request (
+ ghostbuster_request_id SERIAL NOT NULL,
+ self_handle VARCHAR(255) NOT NULL,
+ parent_handle VARCHAR(255),
+ vcard LONGBLOB NOT NULL,
+ PRIMARY KEY (ghostbuster_request_id)
+) ENGINE=InnoDB;
+
+CREATE TABLE ee_certificate (
+ ee_certificate_id SERIAL NOT NULL,
+ self_handle VARCHAR(255) NOT NULL,
+ pkcs10 LONGBLOB NOT NULL,
+ gski VARCHAR(27) NOT NULL,
+ cn VARCHAR(64) NOT NULL,
+ sn VARCHAR(64),
+ eku TEXT NOT NULL,
+ valid_until DATETIME NOT NULL,
+ PRIMARY KEY (ee_certificate_id),
+ UNIQUE (self_handle, gski)
+) ENGINE=InnoDB;
+
+CREATE TABLE ee_certificate_asn (
+ start_as BIGINT UNSIGNED NOT NULL,
+ end_as BIGINT UNSIGNED NOT NULL,
+ ee_certificate_id BIGINT UNSIGNED NOT NULL,
+ PRIMARY KEY (ee_certificate_id, start_as, end_as),
+ CONSTRAINT ee_certificate_asn_ee_certificate_id
+ FOREIGN KEY (ee_certificate_id) REFERENCES ee_certificate (ee_certificate_id)
+ ON DELETE CASCADE ON UPDATE CASCADE
+) ENGINE=InnoDB;
+
+CREATE TABLE ee_certificate_net (
+ version TINYINT UNSIGNED NOT NULL,
+ start_ip VARCHAR(40) NOT NULL,
+ end_ip VARCHAR(40) NOT NULL,
+ ee_certificate_id BIGINT UNSIGNED NOT NULL,
+ PRIMARY KEY (ee_certificate_id, version, start_ip, end_ip),
+ CONSTRAINT ee_certificate_net_ee_certificate_id
+ FOREIGN KEY (ee_certificate_id) REFERENCES ee_certificate (ee_certificate_id)
+ ON DELETE CASCADE ON UPDATE CASCADE
+) ENGINE=InnoDB;
+
+-- Local Variables:
+-- indent-tabs-mode: nil
+-- End:
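Review bot: The header comment at the top of the hunk still describes these as the `SQL objects needed by irdbd.py`, but the file is now `old_irdbd.sql`, sitting next to `old_irdbd.py`, whose only job is to call `rpki.old_irdbd.main()`; a reader could mistake this for the schema of the current irdbd. I would reword the first line to `-- SQL objects needed by the legacy rpki.old_irdbd test backend (old_irdbd.py).` and leave the remaining sentences about the left-right protocol as they are. Since this commit only moves files, the wording can be a follow-up.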
diff --git a/ca/tests/publication-protocol-samples.xml b/ca/tests/publication-protocol-samples.xml
new file mode 100644
index 00000000..96b095a7
--- /dev/null
+++ b/ca/tests/publication-protocol-samples.xml
@@ -0,0 +1,370 @@
+<!-- -*- SGML -*-
+ - $Id$
+ -
+ - Copyright (C) 2008 American Registry for Internet Numbers ("ARIN")
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+ -
+ -
+ - This is a collection of sample publication protocol PDU samples
+ - to use as test cases for the publication protocol RelaxNG schema.
+ -->
+
+<completely_gratuitous_wrapper_element_to_let_me_run_this_through_xmllint>
+
+ <msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" type="query" version="1">
+ <config action="set">
+ <bpki_crl>
+ MIIBezBlAgEBMA0GCSqGSIb3DQEBCwUAMCMxITAfBgNVBAMTGFRlc3QgQ2VydGlm
+ aWNhdGUgcHViZCBUQRcNMDgwNjAyMjE0OTQ1WhcNMDgwNzAyMjE0OTQ1WqAOMAww
+ CgYDVR0UBAMCAQEwDQYJKoZIhvcNAQELBQADggEBAFWCWgBl4ljVqX/CHo+RpqYt
+ vmKMnjPVflMXUB7i28RGP4DAq4l7deDU7Q82xEJyE4TXMWDWAV6UG6uUGum0VHWO
+ cj9ohqyiZUGfOsKg2hbwkETm8sAENOsi1yNdyKGk6jZ16aF5fubxQqZa1pdGCSac
+ 1/ZYC5sLLhEz3kmz+B9z9mXFVc5TgAh4dN3Gy5ftF8zZAFpDGnS4biCnRVqhGv6R
+ 0Lh/5xmii+ZU6kNDhbeMsjJg+ZOmtN+wMeHSIbjiy0WuuaZ3k2xSh0C94anrHBZA
+ vvCRhbazjR0Ef5OMZ5lcllw3uO8IHuoisHKkehy4Y0GySdj98fV+OuiRTH9vt/M=
+ </bpki_crl>
+ </config>
+ </msg>
+
+ <msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" type="reply" version="1">
+ <config action="set"/>
+ </msg>
+
+ <msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" type="query" version="1">
+ <config action="get"/>
+ </msg>
+
+ <msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" type="reply" version="1">
+ <config action="get">
+ <bpki_crl>
+ MIIBezBlAgEBMA0GCSqGSIb3DQEBCwUAMCMxITAfBgNVBAMTGFRlc3QgQ2VydGlm
+ aWNhdGUgcHViZCBUQRcNMDgwNjAyMjE0OTQ1WhcNMDgwNzAyMjE0OTQ1WqAOMAww
+ CgYDVR0UBAMCAQEwDQYJKoZIhvcNAQELBQADggEBAFWCWgBl4ljVqX/CHo+RpqYt
+ vmKMnjPVflMXUB7i28RGP4DAq4l7deDU7Q82xEJyE4TXMWDWAV6UG6uUGum0VHWO
+ cj9ohqyiZUGfOsKg2hbwkETm8sAENOsi1yNdyKGk6jZ16aF5fubxQqZa1pdGCSac
+ 1/ZYC5sLLhEz3kmz+B9z9mXFVc5TgAh4dN3Gy5ftF8zZAFpDGnS4biCnRVqhGv6R
+ 0Lh/5xmii+ZU6kNDhbeMsjJg+ZOmtN+wMeHSIbjiy0WuuaZ3k2xSh0C94anrHBZA
+ vvCRhbazjR0Ef5OMZ5lcllw3uO8IHuoisHKkehy4Y0GySdj98fV+OuiRTH9vt/M=
+ </bpki_crl>
+ </config>
+ </msg>
+
+ <!-- === -->
+
+ <msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
+ <client action="create" client_handle="3" base_uri="rsync://wombat.invalid/">
+ <bpki_cert>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </bpki_cert>
+ </client>
+ </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
+ <client action="create" client_handle="3"/>
+ </msg>
+
+ <msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
+ <client action="set" client_handle="3">
+ <bpki_glue>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </bpki_glue>
+ </client>
+ </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
+ <client action="set" client_handle="3"/>
+ </msg>
+
+ <msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
+ <client action="get" client_handle="3"/>
+ </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
+ <client action="get" client_handle="3" base_uri="rsync://wombat.invalid/">
+ <bpki_cert>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </bpki_cert>
+ </client>
+ </msg>
+
+ <msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
+ <client action="list"/>
+ </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
+ <client action="list" client_handle="3">
+ <bpki_cert>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </bpki_cert>
+ </client>
+ </msg>
+
+ <msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
+ <client action="destroy" client_handle="3"/>
+ </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
+ <client action="destroy" client_handle="3"/>
+ </msg>
+
+ <!-- === -->
+
+ <msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
+ <certificate action="publish" uri="rsync://wombat.invalid/testbed/RIR/1/j7ghjwblCrcCp9ltyPDNzYKPfxc.cer">
+ MIIE+jCCA+KgAwIBAgIBDTANBgkqhkiG9w0BAQsFADAzMTEwLwYDVQQDEyhERjRBODAxN0U2
+ NkE5RTkxNzJFNDYxMkQ4Q0Y0QzgzRjIzOERFMkEzMB4XDTA4MDUyMjE4MDUxMloXDTA4MDUy
+ NDE3NTQ1M1owMzExMC8GA1UEAxMoOEZCODIxOEYwNkU1MEFCNzAyQTdEOTZEQzhGMENEQ0Q4
+ MjhGN0YxNzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMeziKp0k5nP7v6SZoNs
+ XIMQYRgNtC6Fr/9Xm/1yQHomiPqHUk47rHhGojYiK5AhkrwoYhkH4UjJl2iwklDYczXuaBU3
+ F5qrKlZ4aZnjIxdlP7+hktVpeApL6yuJTUAYeC3UIxnLDVdD6phydZ/FOQluffiNDjzteCCv
+ oyOUatqt8WB+oND6LToHp028g1YUYLHG6mur0dPdcHOVXLSmUDuZ1HDz1nDuYvIVKjB/MpH9
+ aW9XeaQ6ZFIlZVPwuuvI2brR+ThH7Gv27GL/o8qFdC300VQfoTZ+rKPGDE8K1cI906BL4kiw
+ x9z0oiDcE96QCz+B0vsjc9mGaA1jgAxlXWsCAwEAAaOCAhcwggITMB0GA1UdDgQWBBSPuCGP
+ BuUKtwKn2W3I8M3Ngo9/FzAfBgNVHSMEGDAWgBTfSoAX5mqekXLkYS2M9Mg/I43iozBVBgNV
+ HR8ETjBMMEqgSKBGhkRyc3luYzovL2xvY2FsaG9zdDo0NDAwL3Rlc3RiZWQvUklSLzEvMzBx
+ QUYtWnFucEZ5NUdFdGpQVElQeU9ONHFNLmNybDBFBggrBgEFBQcBAQQ5MDcwNQYIKwYBBQUH
+ MAKGKXJzeW5jOi8vbG9jYWxob3N0OjQ0MDAvdGVzdGJlZC9XT01CQVQuY2VyMBgGA1UdIAEB
+ /wQOMAwwCgYIKwYBBQUHDgIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwgZsG
+ CCsGAQUFBwELBIGOMIGLMDQGCCsGAQUFBzAFhihyc3luYzovL2xvY2FsaG9zdDo0NDAwL3Rl
+ c3RiZWQvUklSL1IwLzEvMFMGCCsGAQUFBzAKhkdyc3luYzovL2xvY2FsaG9zdDo0NDAwL3Rl
+ c3RiZWQvUklSL1IwLzEvajdnaGp3YmxDcmNDcDlsdHlQRE56WUtQZnhjLm1uZjAaBggrBgEF
+ BQcBCAEB/wQLMAmgBzAFAgMA/BUwPgYIKwYBBQUHAQcBAf8ELzAtMCsEAgABMCUDAwAKAzAO
+ AwUAwAACAQMFAcAAAiAwDgMFAsAAAiwDBQDAAAJkMA0GCSqGSIb3DQEBCwUAA4IBAQCEhuH7
+ jtI2PJY6+zwv306vmCuXhtu9Lr2mmRw2ZErB8EMcb5xypMrNqMoKeu14K2x4a4RPJkK4yATh
+ M81FPNRsU5mM0acIRnAPtxjHvPME7PHN2w2nGLASRsZmaa+b8A7SSOxVcFURazENztppsolH
+ eTpm0cpLItK7mNpudUg1JGuFo94VLf1MnE2EqARG1vTsNhel/SM/UvOArCCOBvf0Gz7kSuup
+ DSZ7qx+LiDmtEsLdbGNQBiYPbLrDk41PHrxdx28qIj7ejZkRzNFw/3pi8/XK281h8zeHoFVu
+ 6ghRPy5dbOA4akX/KG6b8XIx0iwPYdLiDbdWFbtTdPcXBauY
+ </certificate>
+ </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
+ <certificate action="publish" uri="rsync://wombat.invalid/testbed/RIR/1/j7ghjwblCrcCp9ltyPDNzYKPfxc.cer"/>
+ </msg>
+
+ <msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
+ <certificate action="withdraw" uri="rsync://wombat.invalid/testbed/RIR/1/j7ghjwblCrcCp9ltyPDNzYKPfxc.cer"/>
+ </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
+ <certificate action="withdraw" uri="rsync://wombat.invalid/testbed/RIR/1/j7ghjwblCrcCp9ltyPDNzYKPfxc.cer"/>
+ </msg>
+
+ <!-- === -->
+
+ <msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
+ <crl action="publish" uri="rsync://wombat.invalid/testbed/RIR/1/30qAF-ZqnpFy5GEtjPTIPyON4qM.crl">
+ MIIBwzCBrAIBATANBgkqhkiG9w0BAQsFADAzMTEwLwYDVQQDEyhERjRBODAxN0U2NkE5RTkx
+ NzJFNDYxMkQ4Q0Y0QzgzRjIzOERFMkEzFw0wODA1MjIxODA0MTZaFw0wODA1MjIxODA1MTZa
+ MBQwEgIBAhcNMDgwNTIyMTc1ODQwWqAvMC0wHwYDVR0jBBgwFoAU30qAF+ZqnpFy5GEtjPTI
+ PyON4qMwCgYDVR0UBAMCAQYwDQYJKoZIhvcNAQELBQADggEBAKkM0Fb/pJpHVHWZyjp4wojH
+ W2KkvA/DFtBiz3moxocSnkDVP3QI19uVvqdC6nH3hJyFmsAMwULR0f1XU/V4j+X+FqYEl6Nv
+ p8zAEPIB4r8xbEFs7udRwXRAjkJmOQbv9aomF2i+d7jpTFVJxShZWOgsoGEhIy/aktKQrOIR
+ c4ZDrXpQwXVj2Y7+cGVfQ4gvnPOdlyLcnNovoegazATvA3EcidBNPWRg7XTCz0LVBEB7JgPd
+ nNyXRg35HdMEHBl7U9uUQJXP7S02oaQ1ehNDMfaJPgBBpQtAnM1lIzJfevd9+e4ywGsRpxAV
+ 8wxTXSPd1jwuKtS0kwrgsrQ8Ya85xUE=
+ </crl>
+ </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
+ <crl action="publish" uri="rsync://wombat.invalid/testbed/RIR/1/30qAF-ZqnpFy5GEtjPTIPyON4qM.crl"/>
+ </msg>
+
+ <msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
+ <crl action="withdraw" uri="rsync://wombat.invalid/testbed/RIR/1/30qAF-ZqnpFy5GEtjPTIPyON4qM.crl"/>
+ </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
+ <crl action="withdraw" uri="rsync://wombat.invalid/testbed/RIR/1/30qAF-ZqnpFy5GEtjPTIPyON4qM.crl"/>
+ </msg>
+
+ <!-- === -->
+
+ <msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
+ <manifest action="publish" uri="rsync://wombat.invalid/testbed/RIR/R0/1/j7ghjwblCrcCp9ltyPDNzYKPfxc.mft">
+ MIIHCgYJKoZIhvcNAQcCoIIG+zCCBvcCAQMxDTALBglghkgBZQMEAgEwggEeBgsqhkiG9w0B
+ CRABGqCCAQ0EggEJMIIBBQIBEhgPMjAwODA1MjIxODA1MTVaGA8yMDA4MDUyMjE4MDYxNVoG
+ CWCGSAFlAwQCATCB0jBEFh9ZbTVUTzRJYnlDb0pNZ3E2R2o4dG41Mng5U0UuY2VyAyEA4L8Z
+ WMyuhOx+o6kUfsRR++QjSaRaATy4UOeVtjvZVqYwRBYfWnRxbjB3NEVFbU9hclAzQmd1SUY3
+ MDhhNTM4LmNlcgMhAGQI1gYJotxWmwzcmpLNFZJ656uWOjcPYANlbNz80xm8MEQWH2xxa1Vx
+ RHEwMDBESW9ZVjlybXdLTGdrN2F6by5jZXIDIQB7jRAEpkPvc4s4PX9vDvnTifj3BIE145FO
+ 1ne2kEejVqCCBBEwggQNMIIC9aADAgECAgEFMA0GCSqGSIb3DQEBCwUAMDMxMTAvBgNVBAMT
+ KDhGQjgyMThGMDZFNTBBQjcwMkE3RDk2REM4RjBDRENEODI4RjdGMTcwHhcNMDgwNTIyMTc1
+ NzQ5WhcNMDgwNTI0MTc1NDUzWjAzMTEwLwYDVQQDEyhERkRBMjMyMUJENEVCMDNFQTE1RkUy
+ N0NGRkRGMEFGRkU1QjBFNjY4MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2/Gk
+ AHW5pDqye0+TvUp7sl0rVgmTfeHpVp18ypxvuovogVJgkjEtBEikfaFU0646wYD6JM6IJFJX
+ lWLWd7bVmhkWViKuZL0VmT2wpUToNHCLUGUQUVVX8R7oSHFdTArv2AqH+6yt0LmczDH1y2M6
+ 2Tgkz9wZ9ryyuPx3VX4PkHzUMlkGFICj1fvyXkcAu8jBaxR9UME1c413TPaMi6lMh1HUmtVN
+ LJMP5+/SnwEAW/Z3dPClCFIgQXK3nAKPVzAIwADEiqhK7cSchhO7ikI1CVt0XzG4n7oaILc3
+ Hq/DAxyiutw5GlkUlKPri2YJzJ3+H4P+TveSa/b02fVA5csm/QIDAQABo4IBKjCCASYwHQYD
+ VR0OBBYEFN/aIyG9TrA+oV/ifP/fCv/lsOZoMB8GA1UdIwQYMBaAFI+4IY8G5Qq3AqfZbcjw
+ zc2Cj38XMFgGA1UdHwRRME8wTaBLoEmGR3JzeW5jOi8vbG9jYWxob3N0OjQ0MDAvdGVzdGJl
+ ZC9SSVIvUjAvMS9qN2doandibENyY0NwOWx0eVBETnpZS1BmeGMuY3JsMGAGCCsGAQUFBwEB
+ BFQwUjBQBggrBgEFBQcwAoZEcnN5bmM6Ly9sb2NhbGhvc3Q6NDQwMC90ZXN0YmVkL1JJUi8x
+ L2o3Z2hqd2JsQ3JjQ3A5bHR5UEROellLUGZ4Yy5jZXIwGAYDVR0gAQH/BA4wDDAKBggrBgEF
+ BQcOAjAOBgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQELBQADggEBADpsE9HfgVTgmX1WeJTE
+ fm87CXuOoGH85RFiAngSt5kR4gYCyadklOZ7Eta+ERUZVu4tcKO6sJOTuHPfVrAvR0VpgH+j
+ PvXboYWSfwJdi00BC28ScrVM2zarA7B10+J6Oq8tbFlAyVBkrbuPet/axmndBtGWhrBTynGl
+ nc/5L371Lxy6CrOYqXO0Qx3SrOKaailAe3zTIpHQeACqnPdL00zIBw/hVy/VNaH1wy+FmhAz
+ TsmsQUrMyovJcu/ry5w0KHlP8BTnqfykikCWR+Lw0VQHmpJGAbtrmsOeIbfLY1zl7A81lDAl
+ AG/ZH1DUdDOUIXMLHWur+D2rwjp7RL16LHYxggGqMIIBpgIBA4AU39ojIb1OsD6hX+J8/98K
+ /+Ww5mgwCwYJYIZIAWUDBAIBoGswGgYJKoZIhvcNAQkDMQ0GCyqGSIb3DQEJEAEaMBwGCSqG
+ SIb3DQEJBTEPFw0wODA1MjIxODA1MTVaMC8GCSqGSIb3DQEJBDEiBCBj/GjEQw3LgKPf5DTz
+ 8eu1fcp6/cQjqqne6ZqFkF42azANBgkqhkiG9w0BAQEFAASCAQBOY0uHNMwy/o1nFANSgha5
+ PZxt8fz+wTrbeomCb+lxqQKq1clcSiQORVGc8NmqC8sS5OR3eTw/3qnK9yPHxz2UQ4hn1pBa
+ +Zy5veM61qMaXCw6w98EyNcvUfA1AkezAjkabfHQDs3o4Ezh49thXXyRcBoF+O6Lmi+LZbT2
+ 4jvfFbaXW9zsb6/DaoDkeHnlk+YYgfSP4wOnkK5uqxtDW8QpMPq3GGdIp0oJDkzEdj7VsWIL
+ 9JP2mxxL8fTPVUyAPOmURYwYDXqhke2O9eVDiCYhrEfB8/84Rint4Cj8n5aCujnAtqtwxHpD
+ 0NRYO/V1MjhG+ARy1vRH1Dm0r92RBam3
+ </manifest>
+ </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
+ <manifest action="publish" uri="rsync://wombat.invalid/testbed/RIR/R0/1/j7ghjwblCrcCp9ltyPDNzYKPfxc.mft"/>
+ </msg>
+
+ <msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
+ <manifest action="withdraw" uri="rsync://wombat.invalid/testbed/RIR/R0/1/j7ghjwblCrcCp9ltyPDNzYKPfxc.mft"/>
+ </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
+ <manifest action="withdraw" uri="rsync://wombat.invalid/testbed/RIR/R0/1/j7ghjwblCrcCp9ltyPDNzYKPfxc.mft"/>
+ </msg>
+
+ <!-- === -->
+
+ <msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
+ <roa action="publish" uri="rsync://wombat.invalid/testbed/RIR/R0/1/lqkUqDq000DIoYV9rmwKLgk7azo.roa">
+ MIIGmwYJKoZIhvcNAQcCoIIGjDCCBogCAQMxDTALBglghkgBZQMEAgEwKgYLKoZIhvcNAQkQ
+ ARigGwQZMBcCAgKaMBEwDwQCAAEwCTAHAwUACgMALKCCBJgwggSUMIIDfKADAgECAgEJMA0G
+ CSqGSIb3DQEBCwUAMDMxMTAvBgNVBAMTKDhGQjgyMThGMDZFNTBBQjcwMkE3RDk2REM4RjBD
+ RENEODI4RjdGMTcwHhcNMDgwNTIyMTc1ODI0WhcNMDgwNTI0MTc1NDUzWjAzMTEwLwYDVQQD
+ Eyg5NkE5MTRBODNBQjREMzQwQzhBMTg1N0RBRTZDMEEyRTA5M0I2QjNBMIIBIjANBgkqhkiG
+ 9w0BAQEFAAOCAQ8AMIIBCgKCAQEApoK50BjW5bcF4gsdaYhndtVADZvQk3RCsvuqDElF6uLi
+ 9BYQq/NHyDOIMyJtvCmzjdv3Y135n1sNO7YvssqHlt7dMfCQTD5ND1GpFnQLdWP7stWM5AbO
+ nJV6+PtDITUA/QHOli7Do0YCUgR6G+1QJsMu0DK+TRSzBJ6WP7WIYOBOOg3y/NKc1rkWhS1Q
+ dcQepbHgQYZHzzpjNDR6+oYVuhuUEWx1P6O4pv/p+tpE0SDua7jBjMywIYHkPQBecf2IX1RU
+ WNojB9dJlnRx5YUUneP2SvF2MrmdDbclgzwhf6alqD2OjiMuoBOG8yeTKcuhzCMnrFAklbst
+ 6x3Rnq9BswIDAQABo4IBsTCCAa0wHQYDVR0OBBYEFJapFKg6tNNAyKGFfa5sCi4JO2s6MB8G
+ A1UdIwQYMBaAFI+4IY8G5Qq3AqfZbcjwzc2Cj38XMFgGA1UdHwRRME8wTaBLoEmGR3JzeW5j
+ Oi8vbG9jYWxob3N0OjQ0MDAvdGVzdGJlZC9SSVIvUjAvMS9qN2doandibENyY0NwOWx0eVBE
+ TnpZS1BmeGMuY3JsMGAGCCsGAQUFBwEBBFQwUjBQBggrBgEFBQcwAoZEcnN5bmM6Ly9sb2Nh
+ bGhvc3Q6NDQwMC90ZXN0YmVkL1JJUi8xL2o3Z2hqd2JsQ3JjQ3A5bHR5UEROellLUGZ4Yy5j
+ ZXIwGAYDVR0gAQH/BA4wDDAKBggrBgEFBQcOAjAOBgNVHQ8BAf8EBAMCB4AwYwYIKwYBBQUH
+ AQsEVzBVMFMGCCsGAQUFBzALhkdyc3luYzovL2xvY2FsaG9zdDo0NDAwL3Rlc3RiZWQvUklS
+ L1IwLzEvbHFrVXFEcTAwMERJb1lWOXJtd0tMZ2s3YXpvLnJvYTAgBggrBgEFBQcBBwEB/wQR
+ MA8wDQQCAAEwBwMFAAoDACwwDQYJKoZIhvcNAQELBQADggEBAL8iHwsyGOYhhIf3nVuL361y
+ TOJSP8SR0mtQLHULPl+GkYk+5MRNWtL8ucTXFvniYJtOCXEGGEIO9eDXvkQIXQSz/qbF9URQ
+ fuf38ghRza257syVhal6UHTgCFYuRIO9CUjcU1vkWUxH05BBIHlYdtlIQbAG/mRsCPCEgSmG
+ bbQaomGlUOqmJMlKxLLcoAtz2vDrwVotgHyfS5h2mgINFjnlLcNLTci+sfs7/aQAkDYx7K98
+ se/ZlMorvGkFNhHoOTcGIrWkYsfkbTygVwWRm278PaB3o4449Kvsg/gb8BZeHXRs68cr5Mcf
+ jP7Q6jeypjTgDBnwb1yzoJIKWszFuSgxggGqMIIBpgIBA4AUlqkUqDq000DIoYV9rmwKLgk7
+ azowCwYJYIZIAWUDBAIBoGswGgYJKoZIhvcNAQkDMQ0GCyqGSIb3DQEJEAEYMBwGCSqGSIb3
+ DQEJBTEPFw0wODA1MjIxNzU4MjRaMC8GCSqGSIb3DQEJBDEiBCDCyf9v9Wed515TRp2WwnyM
+ 1rk6dB///X+aqIym2e9jdTANBgkqhkiG9w0BAQEFAASCAQAFvzrHeRPW+wn4WSyoyBEq0zKS
+ Cyh5tu1qTR0NHs6Rr/p8Pk81P1HQLND/U+znJZKLWlO2niEHUXPIicPDYchbj8ApH9VxKA+1
+ lCWllOzFAsYyZFr3/VNs9pVp2eT4F9eEYBrBVDSNrD72MMTlWm1T5MEXqltTJJOCKzUEX96x
+ 91iW6A+4erop7S8hpCnxqkTin4bFVreqYcGc4CC4bh+L9pPqJnURcEk7Qeu/WEHQBm38voB4
+ S11qRZNrJMQ99oiJR7hXDIBm66HjGqoUL2gPCfpgJEVVnM9pVv2k889z4eTTck2Qj54gga2W
+ Xkvw4Je420aDx88s9T2+PqXcbZ4g
+ </roa>
+ </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
+ <roa action="publish" uri="rsync://wombat.invalid/testbed/RIR/R0/1/lqkUqDq000DIoYV9rmwKLgk7azo.roa"/>
+ </msg>
+
+ <msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
+ <roa action="withdraw" uri="rsync://wombat.invalid/testbed/RIR/R0/1/lqkUqDq000DIoYV9rmwKLgk7azo.roa"/>
+ </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
+ <roa action="withdraw" uri="rsync://wombat.invalid/testbed/RIR/R0/1/lqkUqDq000DIoYV9rmwKLgk7azo.roa"/>
+ </msg>
+
+ <!-- === -->
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
+ <report_error error_code="your_hair_is_on_fire">text string</report_error>
+ </msg>
+
+ <msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
+ <report_error error_code="your_hair_is_on_fire"/>
+ </msg>
+
+</completely_gratuitous_wrapper_element_to_let_me_run_this_through_xmllint>
diff --git a/ca/tests/rcynic.conf b/ca/tests/rcynic.conf
new file mode 100644
index 00000000..ea31fe58
--- /dev/null
+++ b/ca/tests/rcynic.conf
@@ -0,0 +1,14 @@
+# $Id$
+#
+# rcynic configuration for looking at yamltest results.
+
+[rcynic]
+xml-summary = rcynic.xml
+jitter = 0
+use-links = yes
+use-syslog = no
+use-stderr = yes
+log-level = log_debug
+max-parallel-fetches = 32
+
+trust-anchor-locator = yamltest.dir/root.tal
diff --git a/ca/tests/revoke.yaml b/ca/tests/revoke.yaml
new file mode 100644
index 00000000..2edb8335
--- /dev/null
+++ b/ca/tests/revoke.yaml
@@ -0,0 +1,420 @@
+# $Id: smoketest.1.yaml 3881 2011-06-17 18:32:54Z sra $
+
+# Copyright (C) 2009-2012 Internet Systems Consortium ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+#
+# Portions copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+name: RIR
+crl_interval: 5m
+regen_margin: 2m
+valid_for: 2d
+kids:
+ - name: R0
+ kids:
+ - name: Alice
+ ipv4: 192.0.2.1-192.0.2.33
+ asn: 64533
+ roa_request:
+ - asn: 42
+ ipv4: 192.0.2.32/32
+ - name: Bob
+ ipv4: 192.0.2.44-192.0.2.100
+ ipv4: 10.3.0.0/16
+ roa_request:
+ - asn: 666
+ ipv4: 10.3.0.44/32
+
+---
+- shell sleep 1;
+ dir=rcynic.`date +%s`.data; mkdir $dir;
+ cd rcynic-data;
+ pax -rwl . ../$dir; find . -type f -name '*.cer' |
+ sort |
+ xargs ../../../../utils/uri/uri -s
+ >../${dir%.data}.uris;
+ sleep 1
+- name: R0
+ rekey:
+- sleep 10
+
+---
+- shell sleep 1;
+ dir=rcynic.`date +%s`.data; mkdir $dir;
+ cd rcynic-data;
+ pax -rwl . ../$dir; find . -type f -name '*.cer' |
+ sort |
+ xargs ../../../../utils/uri/uri -s
+ >../${dir%.data}.uris;
+ sleep 1
+
+- name: R0
+ revoke:
+- sleep 10
+
+---
+- shell sleep 1;
+ dir=rcynic.`date +%s`.data; mkdir $dir;
+ cd rcynic-data;
+ pax -rwl . ../$dir; find . -type f -name '*.cer' |
+ sort |
+ xargs ../../../../utils/uri/uri -s
+ >../${dir%.data}.uris;
+ sleep 1
+- sleep 30
+
+---
+- shell sleep 1;
+ dir=rcynic.`date +%s`.data; mkdir $dir;
+ cd rcynic-data;
+ pax -rwl . ../$dir; find . -type f -name '*.cer' |
+ sort |
+ xargs ../../../../utils/uri/uri -s
+ >../${dir%.data}.uris;
+ sleep 1
+- name: R0
+ rekey:
+- sleep 10
+
+---
+- shell sleep 1;
+ dir=rcynic.`date +%s`.data; mkdir $dir;
+ cd rcynic-data;
+ pax -rwl . ../$dir; find . -type f -name '*.cer' |
+ sort |
+ xargs ../../../../utils/uri/uri -s
+ >../${dir%.data}.uris;
+ sleep 1
+- name: R0
+ revoke:
+- sleep 10
+
+---
+- shell sleep 1;
+ dir=rcynic.`date +%s`.data; mkdir $dir;
+ cd rcynic-data;
+ pax -rwl . ../$dir; find . -type f -name '*.cer' |
+ sort |
+ xargs ../../../../utils/uri/uri -s
+ >../${dir%.data}.uris;
+ sleep 1
+- sleep 30
+
+---
+- shell sleep 1;
+ dir=rcynic.`date +%s`.data; mkdir $dir;
+ cd rcynic-data;
+ pax -rwl . ../$dir; find . -type f -name '*.cer' |
+ sort |
+ xargs ../../../../utils/uri/uri -s
+ >../${dir%.data}.uris;
+ sleep 1
+- name: R0
+ rekey:
+- sleep 10
+
+---
+- shell sleep 1;
+ dir=rcynic.`date +%s`.data; mkdir $dir;
+ cd rcynic-data;
+ pax -rwl . ../$dir; find . -type f -name '*.cer' |
+ sort |
+ xargs ../../../../utils/uri/uri -s
+ >../${dir%.data}.uris;
+ sleep 1
+- name: R0
+ revoke:
+- sleep 10
+
+---
+- shell sleep 1;
+ dir=rcynic.`date +%s`.data; mkdir $dir;
+ cd rcynic-data;
+ pax -rwl . ../$dir; find . -type f -name '*.cer' |
+ sort |
+ xargs ../../../../utils/uri/uri -s
+ >../${dir%.data}.uris;
+ sleep 1
+- sleep 30
+
+---
+- shell sleep 1;
+ dir=rcynic.`date +%s`.data; mkdir $dir;
+ cd rcynic-data;
+ pax -rwl . ../$dir; find . -type f -name '*.cer' |
+ sort |
+ xargs ../../../../utils/uri/uri -s
+ >../${dir%.data}.uris;
+ sleep 1
+- name: R0
+ rekey:
+- sleep 10
+
+---
+- shell sleep 1;
+ dir=rcynic.`date +%s`.data; mkdir $dir;
+ cd rcynic-data;
+ pax -rwl . ../$dir; find . -type f -name '*.cer' |
+ sort |
+ xargs ../../../../utils/uri/uri -s
+ >../${dir%.data}.uris;
+ sleep 1
+- name: R0
+ revoke:
+- sleep 10
+
+---
+- shell sleep 1;
+ dir=rcynic.`date +%s`.data; mkdir $dir;
+ cd rcynic-data;
+ pax -rwl . ../$dir; find . -type f -name '*.cer' |
+ sort |
+ xargs ../../../../utils/uri/uri -s
+ >../${dir%.data}.uris;
+ sleep 1
+- sleep 30
+
+---
+- shell sleep 1;
+ dir=rcynic.`date +%s`.data; mkdir $dir;
+ cd rcynic-data;
+ pax -rwl . ../$dir; find . -type f -name '*.cer' |
+ sort |
+ xargs ../../../../utils/uri/uri -s
+ >../${dir%.data}.uris;
+ sleep 1
+- name: R0
+ rekey:
+- sleep 10
+
+---
+- shell sleep 1;
+ dir=rcynic.`date +%s`.data; mkdir $dir;
+ cd rcynic-data;
+ pax -rwl . ../$dir; find . -type f -name '*.cer' |
+ sort |
+ xargs ../../../../utils/uri/uri -s
+ >../${dir%.data}.uris;
+ sleep 1
+- name: R0
+ revoke:
+- sleep 10
+
+---
+- shell sleep 1;
+ dir=rcynic.`date +%s`.data; mkdir $dir;
+ cd rcynic-data;
+ pax -rwl . ../$dir; find . -type f -name '*.cer' |
+ sort |
+ xargs ../../../../utils/uri/uri -s
+ >../${dir%.data}.uris;
+ sleep 1
+- sleep 30
+
+---
+- shell sleep 1;
+ dir=rcynic.`date +%s`.data; mkdir $dir;
+ cd rcynic-data;
+ pax -rwl . ../$dir; find . -type f -name '*.cer' |
+ sort |
+ xargs ../../../../utils/uri/uri -s
+ >../${dir%.data}.uris;
+ sleep 1
+- name: R0
+ rekey:
+- sleep 10
+
+---
+- shell sleep 1;
+ dir=rcynic.`date +%s`.data; mkdir $dir;
+ cd rcynic-data;
+ pax -rwl . ../$dir; find . -type f -name '*.cer' |
+ sort |
+ xargs ../../../../utils/uri/uri -s
+ >../${dir%.data}.uris;
+ sleep 1
+- name: R0
+ revoke:
+- sleep 10
+
+---
+- shell sleep 1;
+ dir=rcynic.`date +%s`.data; mkdir $dir;
+ cd rcynic-data;
+ pax -rwl . ../$dir; find . -type f -name '*.cer' |
+ sort |
+ xargs ../../../../utils/uri/uri -s
+ >../${dir%.data}.uris;
+ sleep 1
+- sleep 30
+
+---
+- shell sleep 1;
+ dir=rcynic.`date +%s`.data; mkdir $dir;
+ cd rcynic-data;
+ pax -rwl . ../$dir; find . -type f -name '*.cer' |
+ sort |
+ xargs ../../../../utils/uri/uri -s
+ >../${dir%.data}.uris;
+ sleep 1
+- name: R0
+ rekey:
+- sleep 10
+
+---
+- shell sleep 1;
+ dir=rcynic.`date +%s`.data; mkdir $dir;
+ cd rcynic-data;
+ pax -rwl . ../$dir; find . -type f -name '*.cer' |
+ sort |
+ xargs ../../../../utils/uri/uri -s
+ >../${dir%.data}.uris;
+ sleep 1
+- name: R0
+ revoke:
+- sleep 10
+
+---
+- shell sleep 1;
+ dir=rcynic.`date +%s`.data; mkdir $dir;
+ cd rcynic-data;
+ pax -rwl . ../$dir; find . -type f -name '*.cer' |
+ sort |
+ xargs ../../../../utils/uri/uri -s
+ >../${dir%.data}.uris;
+ sleep 1
+- sleep 30
+
+---
+- shell sleep 1;
+ dir=rcynic.`date +%s`.data; mkdir $dir;
+ cd rcynic-data;
+ pax -rwl . ../$dir; find . -type f -name '*.cer' |
+ sort |
+ xargs ../../../../utils/uri/uri -s
+ >../${dir%.data}.uris;
+ sleep 1
+- name: R0
+ rekey:
+- sleep 10
+
+---
+- shell sleep 1;
+ dir=rcynic.`date +%s`.data; mkdir $dir;
+ cd rcynic-data;
+ pax -rwl . ../$dir; find . -type f -name '*.cer' |
+ sort |
+ xargs ../../../../utils/uri/uri -s
+ >../${dir%.data}.uris;
+ sleep 1
+- name: R0
+ revoke:
+- sleep 10
+
+---
+- shell sleep 1;
+ dir=rcynic.`date +%s`.data; mkdir $dir;
+ cd rcynic-data;
+ pax -rwl . ../$dir; find . -type f -name '*.cer' |
+ sort |
+ xargs ../../../../utils/uri/uri -s
+ >../${dir%.data}.uris;
+ sleep 1
+- sleep 30
+
+---
+- shell sleep 1;
+ dir=rcynic.`date +%s`.data; mkdir $dir;
+ cd rcynic-data;
+ pax -rwl . ../$dir; find . -type f -name '*.cer' |
+ sort |
+ xargs ../../../../utils/uri/uri -s
+ >../${dir%.data}.uris;
+ sleep 1
+- name: R0
+ rekey:
+- sleep 10
+
+---
+- shell sleep 1;
+ dir=rcynic.`date +%s`.data; mkdir $dir;
+ cd rcynic-data;
+ pax -rwl . ../$dir; find . -type f -name '*.cer' |
+ sort |
+ xargs ../../../../utils/uri/uri -s
+ >../${dir%.data}.uris;
+ sleep 1
+- name: R0
+ revoke:
+- sleep 10
+
+---
+- shell sleep 1;
+ dir=rcynic.`date +%s`.data; mkdir $dir;
+ cd rcynic-data;
+ pax -rwl . ../$dir; find . -type f -name '*.cer' |
+ sort |
+ xargs ../../../../utils/uri/uri -s
+ >../${dir%.data}.uris;
+ sleep 1
+- sleep 30
+
+---
+- shell sleep 1;
+ dir=rcynic.`date +%s`.data; mkdir $dir;
+ cd rcynic-data;
+ pax -rwl . ../$dir; find . -type f -name '*.cer' |
+ sort |
+ xargs ../../../../utils/uri/uri -s
+ >../${dir%.data}.uris;
+ sleep 1
+- name: R0
+ rekey:
+- sleep 10
+
+---
+- shell sleep 1;
+ dir=rcynic.`date +%s`.data; mkdir $dir;
+ cd rcynic-data;
+ pax -rwl . ../$dir; find . -type f -name '*.cer' |
+ sort |
+ xargs ../../../../utils/uri/uri -s
+ >../${dir%.data}.uris;
+ sleep 1
+- name: R0
+ revoke:
+- sleep 10
+
+---
+- shell sleep 1;
+ dir=rcynic.`date +%s`.data; mkdir $dir;
+ cd rcynic-data;
+ pax -rwl . ../$dir; find . -type f -name '*.cer' |
+ sort |
+ xargs ../../../../utils/uri/uri -s
+ >../${dir%.data}.uris;
+ sleep 1
+- sleep 30
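Review bot: The `Bob` entry near the top of the file gives the `ipv4` key twice (`ipv4: 192.0.2.44-192.0.2.100` followed by `ipv4: 10.3.0.0/16`); a YAML mapping cannot hold duplicate keys, and loaders such as PyYAML silently keep the last one, so the 192.0.2.44-100 range would be dropped and the revoke scenario would not cover the allocation it appears to. Either fold both into a single value, if the yamltest loader accepts a list for `ipv4`, or remove the line that is not intended. The `$Id: smoketest.1.yaml ...` keyword on the first line is also stale for a file named `revoke.yaml`. Separately, each `shell` step chains `mkdir $dir; cd rcynic-data; pax -rwl . ../$dir` with `;`, so a failed `cd` would run `pax` against the wrong tree; joining those commands with `&&` (`mkdir $dir && cd rcynic-data && pax -rwl . ../$dir`) makes such a failure visible instead of producing a misleading snapshot.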
diff --git a/ca/tests/rootd.yaml b/ca/tests/rootd.yaml
new file mode 100644
index 00000000..2ee5dcd4
--- /dev/null
+++ b/ca/tests/rootd.yaml
@@ -0,0 +1,24 @@
+# $Id$
+---
+version: 1
+posturl: https://localhost:4401/up-down/1
+recipient-id: "rootd"
+sender-id: "RIR"
+
+cms-cert-file: RIR-RPKI-EE.cer
+cms-key-file: RIR-RPKI-EE.key
+cms-ca-cert-file: rootd-TA.cer
+cms-cert-chain-file: [ RIR-RPKI-CA.cer ]
+
+ssl-cert-file: RIR-RPKI-EE.cer
+ssl-key-file: RIR-RPKI-EE.key
+ssl-ca-cert-file: rootd-TA.cer
+
+requests:
+ list:
+ type: list
+ issue:
+ type: issue
+ class: 1
+ sia:
+ - rsync://localhost:4400/testbed/RIR/
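Review bot: The CMS identity and the TLS identity in this fixture are the same key pair: `cms-cert-file`/`cms-key-file` and `ssl-cert-file`/`ssl-key-file` all name RIR-RPKI-EE.cer and RIR-RPKI-EE.key, and rootd-TA.cer serves as both `cms-ca-cert-file` and `ssl-ca-cert-file`. That is convenient for a test, but nothing in the file says it is deliberate, and the layout is easy to copy into a deployment where a compromised TLS key would then also be a valid CMS signing key. A header comment after `# $Id$` would make the intent explicit: `# Test fixture only: one EE key pair is reused for both CMS signing and TLS; keep them separate outside the testbed.`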
diff --git a/ca/tests/rpki b/ca/tests/rpki
new file mode 120000
index 00000000..8d289d0b
--- /dev/null
+++ b/ca/tests/rpki
@@ -0,0 +1 @@
+../rpki \ No newline at end of file
diff --git a/ca/tests/smoketest.1.yaml b/ca/tests/smoketest.1.yaml
new file mode 100644
index 00000000..914aaae4
--- /dev/null
+++ b/ca/tests/smoketest.1.yaml
@@ -0,0 +1,89 @@
+# $Id$
+#
+# Copyright (C) 2013--2014 Dragon Research Labs ("DRL")
+# Portions copyright (C) 2009--2012 Internet Systems Consortium ("ISC")
+# Portions copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notices and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND DRL, ISC, AND ARIN DISCLAIM ALL
+# WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DRL,
+# ISC, OR ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+# CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+# OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+name: RIR
+crl_interval: 5m
+regen_margin: 2m
+valid_for: 2d
+kids:
+ - name: R0
+ ghostbuster: |
+ BEGIN:VCARD
+ VERSION:4.0
+ FN:R0
+ ORG:Organizational Entity
+ ADR;TYPE=WORK:;;42 Twisty Passage;Deep Cavern;WA;98666;U.S.A.
+ TEL;TYPE=VOICE,TEXT,WORK;VALUE=uri:tel:+1-666-555-1212
+ TEL;TYPE=FAX,WORK;VALUE=uri:tel:+1-666-555-1213
+ EMAIL:human@example.com
+ END:VCARD
+ kids:
+ - name: Alice
+ ipv4: 192.0.2.1-192.0.2.33
+ asn: 64533
+ roa_request:
+ - asn: 42
+ ipv4: 192.0.2.32/32
+ router_cert:
+ - router_id: 666
+ asn: 42
+ - name: Bob
+ ipv4: 192.0.2.44-192.0.2.100
+ ipv4: 10.3.0.0/16
+ roa_request:
+ - asn: 666
+ ipv4: 10.3.0.44/32
+
+---
+- shell set -x;
+ rtr_origin='python ../../../rtr-origin/rtr-origin.py';
+ $rtr_origin --cronjob rcynic-data/authenticated &&
+ $rtr_origin --show
+---
+- name: R0
+ rekey:
+---
+- name: R0
+ revoke:
+---
+- name: Alice
+ valid_add: 10
+- name: R0
+ roa_request_add:
+ - asn: 17
+ ipv4: 10.3.0.1/32, 10.0.0.44/32
+---
+- shell set -x;
+ rtr_origin='python ../../../rtr-origin/rtr-origin.py';
+ $rtr_origin --cronjob rcynic-data/authenticated &&
+ $rtr_origin --show
+---
+- sleep 30
+---
+- sleep 30
+---
+- sleep 30
+---
+- sleep 30
+---
+- sleep 30
+---
+- sleep 30
+---
+- sleep 30
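Review bot: The `- name: Bob` entry carries two `ipv4` keys (`ipv4: 192.0.2.44-192.0.2.100` followed by `ipv4: 10.3.0.0/16`), and a loader that tolerates duplicate keys, as PyYAML does by default, keeps only the last one, so the 192.0.2.44-192.0.2.100 range is silently dropped from Bob's allocation and the test does not exercise what it appears to. The same duplicated key appears under Bob in smoketest.3.yaml and smoketest.5.yaml. The comma-separated form this file already uses for `roa_request_add` keeps both ranges on one key, `ipv4: 192.0.2.44-192.0.2.100,10.3.0.0/16`. A short comment next to it would stop the line being split again, e.g. `# one ipv4 key per entity: a duplicate key silently shadows the first`.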
diff --git a/ca/tests/smoketest.2.yaml b/ca/tests/smoketest.2.yaml
new file mode 100644
index 00000000..0cdec650
--- /dev/null
+++ b/ca/tests/smoketest.2.yaml
@@ -0,0 +1,126 @@
+# $Id$
+
+# Copyright (C) 2009 Internet Systems Consortium ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+#
+# Portions copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+name: RIR
+valid_for: 2d
+kids:
+ - name: R0
+ kids:
+ - name: Alice
+ hosted_by: R0
+ ipv4: 192.0.2.1-192.0.2.33
+ asn: 64533
+ - name: Bob
+ hosted_by: R0
+ ipv4: 192.0.2.44-192.0.2.100
+ - name: R1
+ kids:
+ - name: Carol
+ hosted_by: R1
+ ipv6: 2001:db8::44-2001:db8::100
+ - name: Dave
+ hosted_by: R1
+ ipv6: 2001:db8::10:0:44/128
+ asn: 64544
+ - name: R2
+ kids:
+ - name: Elena
+ hosted_by: R2
+ ipv4: 10.0.0.0/24
+ ipv6: 2001:db8::a00:0/120
+ - name: Frank
+ hosted_by: R2
+ ipv4: 10.3.0.0/24
+ ipv6: 2001:db8::a03:0/120
+ - name: R3
+ kids:
+ - name: Ginny
+ hosted_by: R3
+ asn: 64534-64540
+ - name: Harry
+ hosted_by: R3
+ asn: 666-677
+ - name: R4
+ kids:
+ - name: Ilse
+ hosted_by: R4
+ ipv4: 10.3.0.0/16
+ - name: Jack
+ hosted_by: R4
+ ipv4: 10.2.0.0/16
+ - name: R5
+ kids:
+ - name: Kari
+ hosted_by: R5
+ asn: 222-233
+ - name: Leon
+ hosted_by: R5
+ asn: 244-255
+ - name: R6
+ kids:
+ - name: Mary
+ hosted_by: R6
+ ipv4: 10.77.0.0/16
+ - name: Neal
+ hosted_by: R6
+ ipv4: 10.66.0.0/16
+ - name: R7
+ kids:
+ - name: Olga
+ hosted_by: R7
+ ipv4: 10.88.0.0/16
+ - name: Piet
+ hosted_by: R7
+ ipv4: 10.99.0.0/16
+ - name: R8
+ kids:
+ - name: Qi
+ hosted_by: R8
+ asn: 111-122
+ - name: Rex
+ hosted_by: R8
+ asn: 333-344
+ - name: R9
+ kids:
+ - name: Sandra
+ hosted_by: R9
+ asn: 555-566
+ - name: Thad
+ hosted_by: R9
+ asn: 577-588
+---
+- name: Alice
+ add_as: 33
+---
+- name: Alice
+ sub_as: 33
+---
+- name: Alice
+ valid_for: 365d
diff --git a/ca/tests/smoketest.3.yaml b/ca/tests/smoketest.3.yaml
new file mode 100644
index 00000000..e6a10a12
--- /dev/null
+++ b/ca/tests/smoketest.3.yaml
@@ -0,0 +1,81 @@
+# $Id$
+
+# Copyright (C) 2009-2010 Internet Systems Consortium ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+#
+# Portions copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+name: RIR
+crl_interval: 2d
+regen_margin: 1h
+valid_for: 90d
+kids:
+ - name: R0
+ kids:
+ - name: Alice
+ ipv4: 192.0.2.0-192.0.2.33
+ ipv6: 2002:0a00::/32
+ asn: 64533
+ roa_request:
+ - asn: 42
+ ipv4: 192.0.2.0/30-32,192.0.2.32/32
+ ipv6: 2002:0a00::/32-128
+ - name: Bob
+ ipv4: 192.0.2.44-192.0.2.100
+ ipv4: 10.3.0.0/16
+ roa_request:
+ - asn: 666
+ ipv4: 10.3.0.0/23
+---
+#- shell find publication -type f -name '*.roa'
+# -print -exec ../../../utils/print_roa/print_roa {} \;
+#- shell find publication -type f -name '*.mft'
+# -print -exec ../../../utils/print_manifest/print_manifest {} \;
+#---
+#- shell find publication -type f -name '*.roa'
+# -print -exec ../../../utils/print_roa/print_roa {} \;
+#- shell find publication -type f -name '*.mft'
+# -print -exec ../../../utils/print_manifest/print_manifest {} \;
+#---
+- shell set -x;
+ rtr_origin=../../../rtr-origin/rtr-origin;
+ $rtr_origin --cronjob rcynic-data/authenticated &&
+ $rtr_origin --show
+---
+- name: Alice
+ roa_request_del:
+ - asn: 42
+ ipv4: 192.0.2.0/30-32,192.0.2.32/32
+ ipv6: 2002:0a00::/32-128
+ roa_request_add:
+ - asn: 666
+ ipv4: 192.0.2.0/30-32,192.0.2.32/32
+ ipv6: 2002:0a00::/32-128
+---
+- shell set -x;
+ rtr_origin=../../../rtr-origin/rtr-origin;
+ $rtr_origin --cronjob rcynic-data/authenticated &&
+ $rtr_origin --show
diff --git a/ca/tests/smoketest.4.yaml b/ca/tests/smoketest.4.yaml
new file mode 100644
index 00000000..c0d446bc
--- /dev/null
+++ b/ca/tests/smoketest.4.yaml
@@ -0,0 +1,72 @@
+# $Id$
+
+# Copyright (C) 2011 Internet Systems Consortium ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+#
+# Portions copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# This is a test of what happens when certificates go missing in
+# action, IRDB data expires, etc. Expected result:
+#
+# - RIR, R0, and Alice get certs
+# - Bob gets no cert at all
+# - RO and Alice have short-lived certs, which go away
+# - Test ends with only RIR having a cert
+#
+# If run on a very slow machine, the 60 second expiration may have
+# already passed by the time everything is up and running, in which
+# case nobody but RIR will ever get any certs.
+#
+# The extra cycles with no sleep are deliberate, at one point we had a
+# cycle where parent would issue a cert that had already expired,
+# which led to a tight loop of revocation and reissuance every cycle;
+# we're checking to make sure that doesn't happen anymore, although
+# things should never get to that point because list_response should
+# discourage the child from ever asking for a cert in the first place.
+
+name: RIR
+valid_for: 60
+kids:
+ - name: R0
+ kids:
+ - name: Alice
+ ipv4: 192.0.2.1-192.0.2.33
+ asn: 64533
+ - name: Bob
+ ipv4: 192.0.2.34-192.0.2.65
+ valid_for: -10
+---
+---
+---
+---
+---
+---
+- sleep 30
+---
+- sleep 30
+---
+---
+---
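Review bot: The expected-result comment names `RO` (letter O) in `# - RO and Alice have short-lived certs, which go away`, while the entity defined below is `R0` (zero), so the comment appears to describe an entity that does not exist; change it to `# - R0 and Alice have short-lived certs, which go away`. Bob's `valid_for: -10` is presumably the mechanism behind "Bob gets no cert at all" in the header, but the header never says so; `valid_for: -10 # already expired on issue: Bob must never receive a cert` would tie the two together.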
diff --git a/ca/tests/smoketest.5.yaml b/ca/tests/smoketest.5.yaml
new file mode 100644
index 00000000..c6304dfc
--- /dev/null
+++ b/ca/tests/smoketest.5.yaml
@@ -0,0 +1,65 @@
+# $Id$
+
+# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+rootd:
+ lifetime: 2m30s
+name: RIR
+crl_interval: 1m30s
+regen_margin: 2m
+valid_for: 1h
+kids:
+ - name: R0
+ kids:
+ - name: Alice
+ ipv4: 192.0.2.1-192.0.2.33
+ asn: 64533
+ roa_request:
+ - asn: 42
+ ipv4: 192.0.2.32/32
+ - name: Bob
+ ipv4: 192.0.2.44-192.0.2.100
+ ipv4: 10.3.0.0/16
+ roa_request:
+ - asn: 666
+ ipv4: 10.3.0.44/32
+---
+- sleep 30
+---
+- sleep 30
+---
+- sleep 30
+---
+- sleep 30
+---
+- sleep 30
+---
+- sleep 30
+---
+- sleep 30
+---
+- sleep 30
+---
+- sleep 30
+---
+- sleep 30
+---
+- sleep 30
+---
+- sleep 30
+---
+- sleep 30
+---
+- sleep 30
diff --git a/ca/tests/smoketest.6.yaml b/ca/tests/smoketest.6.yaml
new file mode 100644
index 00000000..e8d65433
--- /dev/null
+++ b/ca/tests/smoketest.6.yaml
@@ -0,0 +1,81 @@
+# $Id$
+
+# Copyright (C) 2009-2013 Internet Systems Consortium ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+name: RIR
+valid_for: 4w
+kids:
+ - name: Alice
+ hosted_by: RIR
+ #
+ # To test immediate expiration
+ #valid_for: 5m
+ #
+ # To test what happens when we reach rgen_margin
+ #valid_for: 2w2h5m
+ #valid_for: 2w5m
+ #
+ kids:
+ - name: Betty
+ hosted_by: RIR
+ kids:
+ - name: Carol
+ hosted_by: RIR
+ ghostbuster: |
+ BEGIN:VCARD
+ VERSION:4.0
+ FN:Carol Clever
+ EMAIL:carol@example.org
+ END:VCARD
+ kids:
+ - name: Dana
+ hosted_by: RIR
+ kids:
+ - name: Eve
+ hosted_by: RIR
+ kids:
+ - name: Fiona
+ hosted_by: RIR
+ ipv4: 192.0.2.1-192.0.2.33
+ asn: 64533
+ ipv6: 2001:db8::44-2001:db8::100
+ roa_request:
+ - asn: 64533
+ ipv6: 2001:db8::80/121
+ ghostbusters:
+ - |
+ BEGIN:VCARD
+ VERSION:4.0
+ FN:Fiona Fearless
+ EMAIL:fiona@example.org
+ END:VCARD
+ - |
+ BEGIN:VCARD
+ VERSION:4.0
+ FN:Frank Fearless
+ EMAIL:frank@example.org
+ END:VCARD
+---
+- name: Fiona
+ add_as: 33
+---
+- name: Fiona
+ sub_as: 33
+---
+---
+---
+---
+#- name: Fiona
+# valid_for: 365d
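Review bot: The comment `# To test what happens when we reach rgen_margin` misspells the knob; the key used by the other smoketest files is `regen_margin`, so `# To test what happens when we reach regen_margin` would let a reader grep for it. The commented-out final document (`#- name: Fiona` / `# valid_for: 365d`) is kept without a stated reason; either delete it or add a one-line reason above it so it is not re-examined on every later read.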
diff --git a/ca/tests/smoketest.7.yaml b/ca/tests/smoketest.7.yaml
new file mode 100644
index 00000000..fedd2fff
--- /dev/null
+++ b/ca/tests/smoketest.7.yaml
@@ -0,0 +1,77 @@
+# $Id$
+
+# Copyright (C) 2009 Internet Systems Consortium ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# Test configuration to generate some initial ROAs for Pradosh to use
+# in testing his code, until Randy has the live testbed set up.
+
+# Python code to remove overlaps in a set of prefixes (needed to take
+# something like this peval output and feed it into smoketest.py):
+#
+# import rpki.resource_set
+#
+# r = rpki.resource_set.resource_set_ipv4()
+#
+# for p in prefixes:
+# r = r.union(rpki.resource_set.resource_set_ipv4(p))
+#
+# print r
+#
+#
+# where "prefixes" is a sequence of prefixes in text form, eg, what
+# you'd get if you applied .split(", ") to the peval output below.
+
+
+# ran.psg.com:/usr/home/randy> peval as3130
+# ({198.180.152.0/24, 198.180.153.0/24, 198.180.152.0/25, 198.180.152.128/25, 198.180.150.0/24, 198.180.151.0/24, 198.133.206.0/24, 192.83.230.0/24, 147.28.0.0/16, 147.28.128.0/17, 147.28.128.0/18, 147.28.192.0/18, 147.28.192.0/19, 147.28.192.0/20, 147.28.192.0/21, 147.28.192.0/22, 147.28.192.0/23, 147.28.192.0/24, 147.28.192.0/25, 147.28.192.0/26, 147.28.128.0/19, 147.28.128.0/20, 147.28.128.0/21, 147.28.128.0/22, 147.28.128.0/23, 147.28.128.0/24, 147.28.128.0/25, 147.28.128.0/26})
+#
+# ran.psg.com:/usr/home/randy> peval as2914
+# ({216.167.0.0/17, 216.105.240.0/24, 216.44.0.0/16, 216.42.0.0/16, 213.198.0.0/17, 213.130.32.0/19, 212.119.0.0/19, 212.105.160.0/19, 211.130.96.0/19, 211.1.32.0/19, 211.1.60.0/22, 211.1.48.0/23, 211.1.32.0/20, 210.175.160.0/19, 209.243.96.0/20, 209.243.70.0/23, 209.238.0.0/16, 209.227.0.0/17, 209.207.128.0/17, 209.189.0.0/17, 209.170.0.0/18, 209.168.0.0/17, 209.162.64.0/18, 209.157.0.0/16, 209.139.128.0/18, 209.139.0.0/17, 209.130.0.0/17, 209.124.0.0/19, 209.112.96.0/20, 209.107.64.0/19, 209.107.0.0/18, 209.75.0.0/16, 209.70.0.0/16, 209.69.0.0/16, 209.59.32.0/19, 209.57.0.0/16, 209.43.128.0/17, 209.41.0.0/18, 209.39.0.0/16, 209.24.0.0/16, 209.21.0.0/18, 208.55.0.0/16, 207.241.0.0/17, 207.207.128.0/19, 207.206.0.0/17, 207.201.128.0/18, 207.199.0.0/17, 207.198.128.0/17, 207.197.128.0/17, 207.196.0.0/17, 207.195.240.0/20, 207.159.0.0/18, 207.158.192.0/18, 207.156.128.0/17, 207.153.128.0/17, 207.152.64.0/18, 207.150.128.0/19, 207.150.0.0/17, 207.137.0.0/16, 207.126.254.0/23, 207.126.240.0/21, 207.111.64.0/18, 207.97.0.0/17, 207.91.64.0/18, 207.71.64.0/18, 207.67.128.0/17, 207.58.0.0/17, 207.56.0.0/15, 207.55.192.0/19, 207.55.128.0/18, 207.33.0.0/16, 207.32.64.0/18, 207.31.192.0/18, 207.22.64.0/18, 207.21.128.0/18, 207.21.0.0/17, 207.20.0.0/16, 206.252.0.0/19, 206.239.0.0/16, 206.222.32.0/19, 206.213.64.0/18, 206.197.192.0/24, 206.197.81.0/24, 206.184.0.0/16, 206.183.192.0/19, 206.169.194.0/24, 206.169.195.0/24, 206.169.186.0/24, 206.169.41.0/24, 206.166.128.0/18, 206.163.192.0/19, 206.163.128.0/18, 206.163.0.0/17, 206.86.0.0/16, 206.82.32.0/19, 206.80.32.0/19, 206.68.0.0/15, 206.58.0.0/16, 206.55.0.0/18, 206.54.0.0/18, 206.52.0.0/16, 206.50.0.0/16, 206.14.0.0/16, 205.238.0.0/18, 205.212.0.0/16, 205.157.128.0/20, 205.153.56.0/22, 205.149.160.0/19, 205.146.0.0/16, 204.247.0.0/16, 204.245.128.0/17, 204.233.0.0/16, 204.227.160.0/19, 204.200.0.0/14, 204.194.176.0/21, 204.170.0.0/15, 204.156.128.0/19, 204.156.0.0/19, 204.142.0.0/15, 204.141.0.0/16, 204.108.0.0/23, 
204.75.146.0/24, 204.68.197.0/24, 204.62.232.0/24, 204.57.32.0/19, 204.42.0.0/16, 204.0.0.0/14, 204.0.43.0/24, 203.215.136.0/23, 203.208.120.0/21, 203.208.120.0/22, 203.208.124.0/22, 203.208.120.0/23, 203.208.122.0/23, 203.208.124.0/23, 203.208.126.0/23, 203.208.120.0/24, 203.208.121.0/24, 203.208.122.0/24, 203.208.123.0/24, 203.208.124.0/24, 203.208.125.0/24, 203.208.126.0/24, 203.208.127.0/24, 203.208.80.0/21, 203.208.80.0/22, 203.208.84.0/22, 203.208.80.0/23, 203.208.82.0/23, 203.208.84.0/23, 203.208.86.0/23, 203.208.80.0/24, 203.208.81.0/24, 203.208.82.0/24, 203.208.83.0/24, 203.208.84.0/24, 203.208.85.0/24, 203.208.86.0/24, 203.208.87.0/24, 203.205.112.0/20, 203.131.240.0/20, 203.131.248.0/21, 203.105.64.0/19, 203.105.80.0/21, 203.105.72.0/22, 203.78.192.0/20, 203.33.3.0/24, 203.32.132.0/24, 203.20.71.0/24, 203.12.225.0/24, 202.237.244.0/24, 202.163.134.0/24, 202.163.132.0/24, 202.163.128.0/22, 202.163.128.0/24, 202.163.129.0/24, 202.163.130.0/24, 202.163.131.0/24, 202.153.208.0/20, 202.69.224.0/20, 202.68.64.0/20, 202.68.64.0/21, 202.68.72.0/21, 202.68.64.0/22, 202.68.68.0/22, 202.68.72.0/22, 202.68.76.0/22, 202.68.64.0/23, 202.68.66.0/23, 202.68.68.0/23, 202.68.70.0/23, 202.68.72.0/23, 202.68.74.0/23, 202.68.76.0/23, 202.68.78.0/23, 202.68.64.0/24, 202.68.65.0/24, 202.68.66.0/24, 202.68.67.0/24, 202.68.68.0/24, 202.68.69.0/24, 202.68.70.0/24, 202.68.71.0/24, 202.68.72.0/24, 202.68.73.0/24, 202.68.74.0/24, 202.68.75.0/24, 202.68.76.0/24, 202.68.77.0/24, 202.68.78.0/24, 202.68.79.0/24, 202.47.16.0/20, 202.23.124.0/24, 200.15.0.0/16, 199.245.16.0/20, 199.240.0.0/16, 199.236.0.0/14, 199.234.0.0/16, 199.224.0.0/20, 199.217.128.0/17, 199.212.0.0/24, 199.201.197.0/24, 199.184.226.0/24, 199.184.212.0/24, 199.164.210.0/24, 199.103.128.0/17, 199.73.40.0/23, 199.73.32.0/21, 199.4.64.0/18, 198.252.194.0/23, 198.247.0.0/16, 198.232.16.0/24, 198.172.0.0/15, 198.170.0.0/15, 198.170.208.0/24, 198.138.0.0/15, 198.106.0.0/15, 198.104.0.0/16, 198.88.0.0/16, 198.87.0.0/16, 
198.84.16.0/20, 198.66.0.0/16, 198.64.0.0/15, 198.63.0.0/16, 195.234.244.0/22, 192.220.0.0/16, 192.217.0.0/16, 192.204.0.0/16, 192.195.85.0/24, 192.159.82.0/24, 192.147.176.0/22, 192.147.175.0/24, 192.147.160.0/21, 192.108.74.0/23, 192.102.248.0/24, 192.80.12.0/22, 192.67.240.0/23, 192.67.236.0/22, 192.41.219.0/24, 192.41.171.0/24, 192.11.188.0/24, 170.253.0.0/16, 170.250.0.0/16, 170.249.64.0/19, 170.249.0.0/19, 168.143.0.0/16, 165.254.0.0/16, 164.162.0.0/16, 161.58.0.0/16, 159.230.128.0/20, 159.230.138.0/24, 157.238.0.0/16, 157.107.0.0/16, 154.37.0.0/16, 140.174.0.0/16, 131.103.0.0/16, 130.94.0.0/16, 130.94.60.0/24, 129.250.0.0/16, 129.192.196.0/22, 129.7.136.0/24, 128.242.0.0/16, 128.241.0.0/16, 128.241.83.0/29, 128.121.0.0/16, 125.56.144.0/21, 125.56.152.0/21, 124.40.0.0/18, 124.40.0.0/19, 124.40.32.0/19, 122.255.80.0/20, 120.29.160.0/19, 120.29.144.0/21, 119.161.104.0/21, 118.215.168.0/21, 118.215.136.0/21, 118.215.64.0/21, 118.214.208.0/21, 118.214.216.0/21, 117.104.128.0/19, 117.104.64.0/18, 117.103.176.0/20, 116.51.16.0/21, 96.17.167.0/24, 96.17.157.0/24, 96.17.155.0/24, 96.17.32.0/20, 96.16.224.0/21, 96.16.232.0/21, 96.16.240.0/21, 96.16.248.0/21, 96.6.224.0/20, 96.6.176.0/20, 96.6.144.0/20, 96.6.40.0/24, 91.186.160.0/19, 89.238.138.0/24, 83.231.128.0/17, 82.112.96.0/19, 81.93.208.0/20, 81.93.176.0/20, 81.93.189.0/24, 81.25.192.0/20, 81.20.64.0/20, 81.19.96.0/20, 80.68.16.0/21, 72.247.200.0/21, 72.247.128.0/21, 72.247.125.0/24, 72.247.56.0/22, 72.247.52.0/22, 72.246.32.0/21, 69.192.96.0/20, 69.192.32.0/20, 69.192.48.0/20, 69.55.56.0/23, 69.41.176.0/21, 69.41.168.0/21, 69.41.166.0/23, 69.41.165.0/24, 69.41.160.0/24, 66.249.144.0/24, 66.187.28.0/24, 64.7.64.0/19, 62.73.160.0/19, 61.251.96.0/20, 61.213.160.0/19, 61.213.144.0/20, 61.200.80.0/20, 61.200.80.0/21, 61.200.88.0/21, 61.120.144.0/20, 61.120.144.0/21, 61.120.152.0/21, 61.114.112.0/20, 61.114.120.0/21, 61.114.112.0/22, 61.58.32.0/20, 61.28.200.0/24, 61.28.199.0/24, 60.254.153.0/24, 60.254.132.0/22, 
59.151.184.0/22})
+#
+# ran.psg.com:/usr/home/randy> peval as1239
+# ({207.7.0.0/18, 204.248.180.0/25, 204.241.122.0/24, 204.217.244.0/24, 203.98.192.0/19, 193.188.96.0/23, 192.77.142.0/24, 192.31.36.0/24, 192.31.32.0/22, 192.23.224.0/21, 192.23.208.0/20, 192.23.76.0/24, 192.23.75.0/24, 163.183.0.0/16, 157.245.70.0/24, 134.32.0.0/16, 129.87.0.0/16, 85.237.96.0/19, 72.246.128.0/20, 65.168.150.0/23, 65.168.149.0/24, 63.172.252.0/22, 63.171.143.128/25, 63.169.52.128/25})
+#
+# ran.psg.com:/usr/home/randy> peval as701
+# ({208.91.236.0/22, 203.33.196.0/24, 203.27.251.0/24, 198.80.148.0/24, 198.80.131.0/24, 157.130.103.144/30, 140.222.224.0/24, 65.243.171.0/24, 63.122.162.212/30, 63.116.191.0/24, 63.81.136.0/24, 17.0.0.0/8, 17.128.0.0/9})
+
+
+name: Alice
+
+valid_for: 2d
+
+ipv4: 17.0.0.0/8,59.151.184.0/22,60.254.132.0/22,60.254.153.0/24,61.28.199.0-61.28.200.255,61.58.32.0/20,61.114.112.0/20,61.120.144.0/20,61.200.80.0/20,61.213.144.0-61.213.191.255,61.251.96.0/20,62.73.160.0/19,63.81.136.0/24,63.116.191.0/24,63.122.162.212/30,63.169.52.128/25,63.171.143.128/25,63.172.252.0/22,64.7.64.0/19,65.168.149.0-65.168.151.255,65.243.171.0/24,66.187.28.0/24,66.249.144.0/24,69.41.160.0/24,69.41.165.0-69.41.183.255,69.55.56.0/23,69.192.32.0/19,69.192.96.0/20,72.246.32.0/21,72.246.128.0/20,72.247.52.0-72.247.59.255,72.247.125.0/24,72.247.128.0/21,72.247.200.0/21,80.68.16.0/21,81.19.96.0/20,81.20.64.0/20,81.25.192.0/20,81.93.176.0/20,81.93.208.0/20,82.112.96.0/19,83.231.128.0/17,85.237.96.0/19,89.238.138.0/24,91.186.160.0/19,96.6.40.0/24,96.6.144.0/20,96.6.176.0/20,96.6.224.0/20,96.16.224.0/19,96.17.32.0/20,96.17.155.0/24,96.17.157.0/24,96.17.167.0/24,116.51.16.0/21,117.103.176.0/20,117.104.64.0-117.104.159.255,118.214.208.0/20,118.215.64.0/21,118.215.136.0/21,118.215.168.0/21,119.161.104.0/21,120.29.144.0/21,120.29.160.0/19,122.255.80.0/20,124.40.0.0/18,125.56.144.0/20,128.121.0.0/16,128.241.0.0-128.242.255.255,129.7.136.0/24,129.87.0.0/16,129.192.196.0/22,129.250.0.0/16,130.94.0.0/16,131.103.0.0/16,134.32.0.0/16,140.174.0.0/16,140.222.224.0/24,147.28.0.0/16,154.37.0.0/16,157.107.0.0/16,157.130.103.144/30,157.238.0.0/16,157.245.70.0/24,159.230.128.0/20,161.58.0.0/16,163.183.0.0/16,164.162.0.0/16,165.254.0.0/16,168.143.0.0/16,170.249.0.0/19,170.249.64.0/19,170.250.0.0/16,170.253.0.0/16,192.11.188.0/24,192.23.75.0-192.23.76.255,192.23.208.0-192.23.231.255,192.31.32.0-192.31.36.255,192.41.171.0/24,192.41.219.0/24,192.67.236.0-192.67.241.255,192.77.142.0/24,192.80.12.0/22,192.83.230.0/24,192.102.248.0/24,192.108.74.0/23,192.147.160.0/21,192.147.175.0-192.147.179.255,192.159.82.0/24,192.195.85.0/24,192.204.0.0/16,192.217.0.0/16,192.220.0.0/16,193.188.96.0/23,195.234.244.0/22,198.63.0.0-198.66.255.255,198.80.131.0/24,198.80.148.0/24,198.84.16.0/20,198.
87.0.0-198.88.255.255,198.104.0.0/16,198.106.0.0/15,198.133.206.0/24,198.138.0.0/15,198.170.0.0-198.173.255.255,198.180.150.0-198.180.153.255,198.232.16.0/24,198.247.0.0/16,198.252.194.0/23,199.4.64.0/18,199.73.32.0-199.73.41.255,199.103.128.0/17,199.164.210.0/24,199.184.212.0/24,199.184.226.0/24,199.201.197.0/24,199.212.0.0/24,199.217.128.0/17,199.224.0.0/20,199.234.0.0/16,199.236.0.0-199.240.255.255,199.245.16.0/20,200.15.0.0/16,202.23.124.0/24,202.47.16.0/20,202.68.64.0/20,202.69.224.0/20,202.153.208.0/20,202.163.128.0-202.163.132.255,202.163.134.0/24,202.237.244.0/24,203.12.225.0/24,203.20.71.0/24,203.27.251.0/24,203.32.132.0/24,203.33.3.0/24,203.33.196.0/24,203.78.192.0/20,203.98.192.0/19,203.105.64.0/19,203.131.240.0/20,203.205.112.0/20,203.208.80.0/21,203.208.120.0/21,203.215.136.0/23,204.0.0.0/14,204.42.0.0/16,204.57.32.0/19,204.62.232.0/24,204.68.197.0/24,204.75.146.0/24,204.108.0.0/23,204.141.0.0-204.143.255.255,204.156.0.0/19,204.156.128.0/19,204.170.0.0/15,204.194.176.0/21,204.200.0.0/14,204.217.244.0/24,204.227.160.0/19,204.233.0.0/16,204.241.122.0/24,204.245.128.0/17,204.247.0.0/16,204.248.180.0/25,205.146.0.0/16,205.149.160.0/19,205.153.56.0/22,205.157.128.0/20,205.212.0.0/16,205.238.0.0/18,206.14.0.0/16,206.50.0.0/16,206.52.0.0/16,206.54.0.0/18,206.55.0.0/18,206.58.0.0/16,206.68.0.0/15,206.80.32.0/19,206.82.32.0/19,206.86.0.0/16,206.163.0.0-206.163.223.255,206.166.128.0/18,206.169.41.0/24,206.169.186.0/24,206.169.194.0/23,206.183.192.0/19,206.184.0.0/16,206.197.81.0/24,206.197.192.0/24,206.213.64.0/18,206.222.32.0/19,206.239.0.0/16,206.252.0.0/19,207.7.0.0/18,207.20.0.0-207.21.191.255,207.22.64.0/18,207.31.192.0/18,207.32.64.0/18,207.33.0.0/16,207.55.128.0-207.55.223.255,207.56.0.0-207.58.127.255,207.67.128.0/17,207.71.64.0/18,207.91.64.0/18,207.97.0.0/17,207.111.64.0/18,207.126.240.0/21,207.126.254.0/23,207.137.0.0/16,207.150.0.0-207.150.159.255,207.152.64.0/18,207.153.128.0/17,207.156.128.0/17,207.158.192.0-207.159.63.255,207.195.240.0-207.196.127.
255,207.197.128.0/17,207.198.128.0-207.199.127.255,207.201.128.0/18,207.206.0.0/17,207.207.128.0/19,207.241.0.0/17,208.55.0.0/16,208.91.236.0/22,209.21.0.0/18,209.24.0.0/16,209.39.0.0/16,209.41.0.0/18,209.43.128.0/17,209.57.0.0/16,209.59.32.0/19,209.69.0.0-209.70.255.255,209.75.0.0/16,209.107.0.0-209.107.95.255,209.112.96.0/20,209.124.0.0/19,209.130.0.0/17,209.139.0.0-209.139.191.255,209.157.0.0/16,209.162.64.0/18,209.168.0.0/17,209.170.0.0/18,209.189.0.0/17,209.207.128.0/17,209.227.0.0/17,209.238.0.0/16,209.243.70.0/23,209.243.96.0/20,210.175.160.0/19,211.1.32.0/19,211.130.96.0/19,212.105.160.0/19,212.119.0.0/19,213.130.32.0/19,213.198.0.0/17,216.42.0.0/16,216.44.0.0/16,216.105.240.0/24,216.167.0.0/17
+
+roa_request:
+
+ - asn: 3130
+ ipv4: 198.180.152.0/24,198.180.153.0/24,198.180.152.0/25,198.180.152.128/25,198.180.150.0/24,198.180.151.0/24,198.133.206.0/24,192.83.230.0/24,147.28.0.0/16-24
+
+ - asn: 2914
+ ipv4: 216.167.0.0/17,216.105.240.0/24,216.44.0.0/16,216.42.0.0/16,213.198.0.0/17,213.130.32.0/19,212.119.0.0/19,212.105.160.0/19,211.130.96.0/19,211.1.32.0/19,211.1.60.0/22,211.1.48.0/23,211.1.32.0/20,210.175.160.0/19,209.243.96.0/20,209.243.70.0/23,209.238.0.0/16,209.227.0.0/17,209.207.128.0/17,209.189.0.0/17,209.170.0.0/18,209.168.0.0/17,209.162.64.0/18,209.157.0.0/16,209.139.128.0/18,209.139.0.0/17,209.130.0.0/17,209.124.0.0/19,209.112.96.0/20,209.107.64.0/19,209.107.0.0/18,209.75.0.0/16,209.70.0.0/16,209.69.0.0/16,209.59.32.0/19,209.57.0.0/16,209.43.128.0/17,209.41.0.0/18,209.39.0.0/16,209.24.0.0/16,209.21.0.0/18,208.55.0.0/16,207.241.0.0/17,207.207.128.0/19,207.206.0.0/17,207.201.128.0/18,207.199.0.0/17,207.198.128.0/17,207.197.128.0/17,207.196.0.0/17,207.195.240.0/20,207.159.0.0/18,207.158.192.0/18,207.156.128.0/17,207.153.128.0/17,207.152.64.0/18,207.150.128.0/19,207.150.0.0/17,207.137.0.0/16,207.126.254.0/23,207.126.240.0/21,207.111.64.0/18,207.97.0.0/17,207.91.64.0/18,207.71.64.0/18,207.67.128.0/17,207.58.0.0/17,207.56.0.0/15,207.55.192.0/19,207.55.128.0/18,207.33.0.0/16,207.32.64.0/18,207.31.192.0/18,207.22.64.0/18,207.21.128.0/18,207.21.0.0/17,207.20.0.0/16,206.252.0.0/19,206.239.0.0/16,206.222.32.0/19,206.213.64.0/18,206.197.192.0/24,206.197.81.0/24,206.184.0.0/16,206.183.192.0/19,206.169.194.0/24,206.169.195.0/24,206.169.186.0/24,206.169.41.0/24,206.166.128.0/18,206.163.192.0/19,206.163.128.0/18,206.163.0.0/17,206.86.0.0/16,206.82.32.0/19,206.80.32.0/19,206.68.0.0/15,206.58.0.0/16,206.55.0.0/18,206.54.0.0/18,206.52.0.0/16,206.50.0.0/16,206.14.0.0/16,205.238.0.0/18,205.212.0.0/16,205.157.128.0/20,205.153.56.0/22,205.149.160.0/19,205.146.0.0/16,204.247.0.0/16,204.245.128.0/17,204.233.0.0/16,204.227.160.0/19,204.200.0.0/14,204.194.176.0/21,204.170.0.0/15,204.156.128.0/19,204.156.0.0/19,204.142.0.0/15,204.141.0.0/16,204.108.0.0/23,204.75.146.0/24,204.68.197.0/24,204.62.232.0/24,204.57.32.0/19,204.42.0.0/16,204.0.0.0/14,204.0.43.0/24,203.215.136.0/23,203.2
08.120.0/21,203.208.120.0/22,203.208.124.0/22,203.208.120.0/23,203.208.122.0/23,203.208.124.0/23,203.208.126.0/23,203.208.120.0/24,203.208.121.0/24,203.208.122.0/24,203.208.123.0/24,203.208.124.0/24,203.208.125.0/24,203.208.126.0/24,203.208.127.0/24,203.208.80.0/21,203.208.80.0/22,203.208.84.0/22,203.208.80.0/23,203.208.82.0/23,203.208.84.0/23,203.208.86.0/23,203.208.80.0/24,203.208.81.0/24,203.208.82.0/24,203.208.83.0/24,203.208.84.0/24,203.208.85.0/24,203.208.86.0/24,203.208.87.0/24,203.205.112.0/20,203.131.240.0/20,203.131.248.0/21,203.105.64.0/19,203.105.80.0/21,203.105.72.0/22,203.78.192.0/20,203.33.3.0/24,203.32.132.0/24,203.20.71.0/24,203.12.225.0/24,202.237.244.0/24,202.163.134.0/24,202.163.132.0/24,202.163.128.0/22,202.163.128.0/24,202.163.129.0/24,202.163.130.0/24,202.163.131.0/24,202.153.208.0/20,202.69.224.0/20,202.68.64.0/20,202.68.64.0/21,202.68.72.0/21,202.68.64.0/22,202.68.68.0/22,202.68.72.0/22,202.68.76.0/22,202.68.64.0/23,202.68.66.0/23,202.68.68.0/23,202.68.70.0/23,202.68.72.0/23,202.68.74.0/23,202.68.76.0/23,202.68.78.0/23,202.68.64.0/24,202.68.65.0/24,202.68.66.0/24,202.68.67.0/24,202.68.68.0/24,202.68.69.0/24,202.68.70.0/24,202.68.71.0/24,202.68.72.0/24,202.68.73.0/24,202.68.74.0/24,202.68.75.0/24,202.68.76.0/24,202.68.77.0/24,202.68.78.0/24,202.68.79.0/24,202.47.16.0/20,202.23.124.0/24,200.15.0.0/16,199.245.16.0/20,199.240.0.0/16,199.236.0.0/14,199.234.0.0/16,199.224.0.0/20,199.217.128.0/17,199.212.0.0/24,199.201.197.0/24,199.184.226.0/24,199.184.212.0/24,199.164.210.0/24,199.103.128.0/17,199.73.40.0/23,199.73.32.0/21,199.4.64.0/18,198.252.194.0/23,198.247.0.0/16,198.232.16.0/24,198.172.0.0/15,198.170.0.0/15,198.170.208.0/24,198.138.0.0/15,198.106.0.0/15,198.104.0.0/16,198.88.0.0/16,198.87.0.0/16,198.84.16.0/20,198.66.0.0/16,198.64.0.0/15,198.63.0.0/16,195.234.244.0/22,192.220.0.0/16,192.217.0.0/16,192.204.0.0/16,192.195.85.0/24,192.159.82.0/24,192.147.176.0/22,192.147.175.0/24,192.147.160.0/21,192.108.74.0/23,192.102.248.0/24,192.80.12.0/22,
192.67.240.0/23,192.67.236.0/22,192.41.219.0/24,192.41.171.0/24,192.11.188.0/24,170.253.0.0/16,170.250.0.0/16,170.249.64.0/19,170.249.0.0/19,168.143.0.0/16,165.254.0.0/16,164.162.0.0/16,161.58.0.0/16,159.230.128.0/20,159.230.138.0/24,157.238.0.0/16,157.107.0.0/16,154.37.0.0/16,140.174.0.0/16,131.103.0.0/16,130.94.0.0/16,130.94.60.0/24,129.250.0.0/16,129.192.196.0/22,129.7.136.0/24,128.242.0.0/16,128.241.0.0/16,128.241.83.0/29,128.121.0.0/16,125.56.144.0/21,125.56.152.0/21,124.40.0.0/18,124.40.0.0/19,124.40.32.0/19,122.255.80.0/20,120.29.160.0/19,120.29.144.0/21,119.161.104.0/21,118.215.168.0/21,118.215.136.0/21,118.215.64.0/21,118.214.208.0/21,118.214.216.0/21,117.104.128.0/19,117.104.64.0/18,117.103.176.0/20,116.51.16.0/21,96.17.167.0/24,96.17.157.0/24,96.17.155.0/24,96.17.32.0/20,96.16.224.0/21,96.16.232.0/21,96.16.240.0/21,96.16.248.0/21,96.6.224.0/20,96.6.176.0/20,96.6.144.0/20,96.6.40.0/24,91.186.160.0/19,89.238.138.0/24,83.231.128.0/17,82.112.96.0/19,81.93.208.0/20,81.93.176.0/20,81.93.189.0/24,81.25.192.0/20,81.20.64.0/20,81.19.96.0/20,80.68.16.0/21,72.247.200.0/21,72.247.128.0/21,72.247.125.0/24,72.247.56.0/22,72.247.52.0/22,72.246.32.0/21,69.192.96.0/20,69.192.32.0/20,69.192.48.0/20,69.55.56.0/23,69.41.176.0/21,69.41.168.0/21,69.41.166.0/23,69.41.165.0/24,69.41.160.0/24,66.249.144.0/24,66.187.28.0/24,64.7.64.0/19,62.73.160.0/19,61.251.96.0/20,61.213.160.0/19,61.213.144.0/20,61.200.80.0/20,61.200.80.0/21,61.200.88.0/21,61.120.144.0/20,61.120.144.0/21,61.120.152.0/21,61.114.112.0/20,61.114.120.0/21,61.114.112.0/22,61.58.32.0/20,61.28.200.0/24,61.28.199.0/24,60.254.153.0/24,60.254.132.0/22,59.151.184.0/22
+
+ - asn: 1239
+ ipv4: 207.7.0.0/18,204.248.180.0/25,204.241.122.0/24,204.217.244.0/24,203.98.192.0/19,193.188.96.0/23,192.77.142.0/24,192.31.36.0/24,192.31.32.0/22,192.23.224.0/21,192.23.208.0/20,192.23.76.0/24,192.23.75.0/24,163.183.0.0/16,157.245.70.0/24,134.32.0.0/16,129.87.0.0/16,85.237.96.0/19,72.246.128.0/20,65.168.150.0/23,65.168.149.0/24,63.172.252.0/22,63.171.143.128/25,63.169.52.128/25
+
+ - asn: 701
+ ipv4: 208.91.236.0/22,203.33.196.0/24,203.27.251.0/24,198.80.148.0/24,198.80.131.0/24,157.130.103.144/30,140.222.224.0/24,65.243.171.0/24,63.122.162.212/30,63.116.191.0/24,63.81.136.0/24,17.0.0.0/8,17.128.0.0/9
+
+---
+- shell set -x;
+ find publication -type f -name '*.roa'
+ -print -exec ../../../utils/print_roa/print_roa {} \;
+ ;
+ rtr_origin=../../../rtr-origin/rtr-origin;
+ $rtr_origin --cronjob rcynic-data/authenticated &&
+ $rtr_origin --show
diff --git a/ca/tests/smoketest.8.yaml b/ca/tests/smoketest.8.yaml
new file mode 100644
index 00000000..cd6d1e7a
--- /dev/null
+++ b/ca/tests/smoketest.8.yaml
@@ -0,0 +1,41 @@
+# $Id$
+
+# Copyright (C) 2009-2010 Internet Systems Consortium ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+name: RIR
+valid_for: 2d
+kids:
+ - name: Alice
+ hosted_by: RIR
+ kids:
+ - name: Betty
+ hosted_by: RIR
+ kids:
+ - name: Carol
+ hosted_by: RIR
+ kids:
+ - name: Dana
+ hosted_by: RIR
+ kids:
+ - name: Eve
+ hosted_by: RIR
+ kids:
+ - name: Fiona
+ hosted_by: RIR
+ ipv4: 10.0.0.0/8
+ asn: 64533
+ roa_request:
+ - asn: 64533
+ ipv4: 10.0.0.0/24
diff --git a/ca/tests/smoketest.9.yaml b/ca/tests/smoketest.9.yaml
new file mode 100644
index 00000000..3efc4f08
--- /dev/null
+++ b/ca/tests/smoketest.9.yaml
@@ -0,0 +1,849 @@
+# $Id$
+
+# Copyright (C) 2009-2010 Internet Systems Consortium ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+#
+# Portions copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+name: RIR
+crl_interval: 30s
+regen_margin: 30s
+valid_for: 2m
+kids:
+ - name: R0
+ kids:
+ - name: Alice
+ ipv4: 192.0.2.1-192.0.2.33
+ asn: 64533
+ roa_request:
+ - asn: 42
+ ipv4: 192.0.2.32/32
+ - name: Bob
+ ipv4: 192.0.2.44-192.0.2.100
+ ipv4: 10.3.0.0/16
+ roa_request:
+ - asn: 666
+ ipv4: 10.3.0.44/32
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
+---
+- sleep 15
+- name: RIR
+ valid_for: 2m
+- name: R0
+ valid_for: 2m
+- name: Alice
+ valid_for: 2m
+- name: Bob
+ valid_for: 2m
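Review bot: Bob's entry in the first document of this file gives the `ipv4` key twice in the same mapping (`192.0.2.44-192.0.2.100` followed by `10.3.0.0/16`); smoketest.py reads this with yaml.safe_load_all, and PyYAML does not reject duplicate mapping keys, it keeps the last one, so the 192.0.2.44-192.0.2.100 range is silently dropped from Bob's resources. Bob's only ROA request, 10.3.0.44/32, lies inside the surviving 10.3.0.0/16, so the run passes and hides the loss. Merge the two values into the comma-separated form the sibling smoketest files use: `ipv4: 192.0.2.44-192.0.2.100,10.3.0.0/16`. The seventy identical `sleep 15` / `valid_for: 2m` delta documents that follow are presumably intended as a renewal stress run; that is a style point only, but a one-line comment above the first `---` saying so would spare the next reader from hunting for a difference between them.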
diff --git a/ca/tests/smoketest.clean.sql b/ca/tests/smoketest.clean.sql
new file mode 100644
index 00000000..9f5ff9fb
--- /dev/null
+++ b/ca/tests/smoketest.clean.sql
@@ -0,0 +1,54 @@
+-- $Id$
+
+-- Copyright (C) 2009 Internet Systems Consortium ("ISC")
+--
+-- Permission to use, copy, modify, and distribute this software for any
+-- purpose with or without fee is hereby granted, provided that the above
+-- copyright notice and this permission notice appear in all copies.
+--
+-- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+-- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+-- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+-- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+-- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+-- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+-- PERFORMANCE OF THIS SOFTWARE.
+
+-- Clean up databases left behind by smoketest.py et al.
+
+DROP DATABASE IF EXISTS irdb0;
+DROP DATABASE IF EXISTS irdb1;
+DROP DATABASE IF EXISTS irdb2;
+DROP DATABASE IF EXISTS irdb3;
+DROP DATABASE IF EXISTS irdb4;
+DROP DATABASE IF EXISTS irdb5;
+DROP DATABASE IF EXISTS irdb6;
+DROP DATABASE IF EXISTS irdb7;
+DROP DATABASE IF EXISTS irdb8;
+DROP DATABASE IF EXISTS irdb9;
+DROP DATABASE IF EXISTS irdb10;
+DROP DATABASE IF EXISTS irdb11;
+DROP DATABASE IF EXISTS rpki0;
+DROP DATABASE IF EXISTS rpki1;
+DROP DATABASE IF EXISTS rpki2;
+DROP DATABASE IF EXISTS rpki3;
+DROP DATABASE IF EXISTS rpki4;
+DROP DATABASE IF EXISTS rpki5;
+DROP DATABASE IF EXISTS rpki6;
+DROP DATABASE IF EXISTS rpki7;
+DROP DATABASE IF EXISTS rpki8;
+DROP DATABASE IF EXISTS rpki9;
+DROP DATABASE IF EXISTS rpki10;
+DROP DATABASE IF EXISTS rpki11;
+DROP DATABASE IF EXISTS pubd0;
+DROP DATABASE IF EXISTS pubd1;
+DROP DATABASE IF EXISTS pubd2;
+DROP DATABASE IF EXISTS pubd3;
+DROP DATABASE IF EXISTS pubd4;
+DROP DATABASE IF EXISTS pubd5;
+DROP DATABASE IF EXISTS pubd6;
+DROP DATABASE IF EXISTS pubd7;
+DROP DATABASE IF EXISTS pubd8;
+DROP DATABASE IF EXISTS pubd9;
+DROP DATABASE IF EXISTS pubd10;
+DROP DATABASE IF EXISTS pubd11;
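Review bot: The cleanup is a hard-coded enumeration of irdb0..irdb11, rpki0..rpki11 and pubd0..pubd11, while smoketest.py numbers its engines from the YAML (set_engine_number in the allocation_db constructor, which presumably derives the irdbN/rpkiN names from that index) and takes pubd's database name from the `pubd_db_name` config setting, so a test with more than twelve engines or a non-default pubd_db_name leaves databases behind that this script never drops. A header comment stating the assumption would help, e.g. `-- Assumes at most 12 engines (0..11) and the default pubd_db_name; keep in step with smoketest.py's numbering.`, or better, generate the DROP statements from the same numbering smoketest.py uses. Because these are unconditional DROP DATABASE statements, the script should only ever be pointed at the dedicated test MySQL instance; a one-line warning to that effect next to the existing "Clean up databases" comment is cheap insurance.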
diff --git a/ca/tests/smoketest.py b/ca/tests/smoketest.py
new file mode 100644
index 00000000..28bedaa4
--- /dev/null
+++ b/ca/tests/smoketest.py
@@ -0,0 +1,1630 @@
+#!/usr/bin/env python
+
+"""
+Test framework to configure and drive a collection of rpkid.py and
+old_irdbd.py instances under control of a master script.
+
+yaml_file is a YAML description the tests to be run, and is intended
+to be implementation-agnostic.
+
+CONFIG contains settings for various implementation-specific
+things that don't belong in yaml_file.
+"""
+
+# $Id$
+#
+# Copyright (C) 2013--2014 Dragon Research Labs ("DRL")
+# Portions copyright (C) 2009--2012 Internet Systems Consortium ("ISC")
+# Portions copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notices and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND DRL, ISC, AND ARIN DISCLAIM ALL
+# WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DRL,
+# ISC, OR ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+# CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+# OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+# pylint: disable=W0621
+
+import os
+import yaml
+import subprocess
+import signal
+import time
+import argparse
+import sys
+import errno
+import rpki.resource_set
+import rpki.sundial
+import rpki.x509
+import rpki.http
+import rpki.log
+import rpki.left_right
+import rpki.config
+import rpki.publication
+import rpki.async
+
+from rpki.mysql_import import MySQLdb
+
+os.environ["TZ"] = "UTC"
+time.tzset()
+
+parser = argparse.ArgumentParser(description = __doc__)
+parser.add_argument("-c", "--config",
+ help = "configuration file")
+parser.add_argument("--profile", action = "store_true",
+ help = "enable profiling")
+parser.add_argument("-y", action = "store_true",
+ help = "ignored, present only for backwards compatability")
+parser.add_argument("yaml_file", type = argparse.FileType("r"),
+ help = "YAML description of test network")
+args = parser.parse_args()
+
+cfg = rpki.config.parser(args.config, "smoketest", allow_missing = True)
+
+# Load the YAML script early, so we can report errors ASAP
+
+yaml_script = [y for y in yaml.safe_load_all(args.yaml_file)]
+
+# Define port allocator early, so we can use it while reading config
+
+def allocate_port():
+ """
+ Allocate a TCP port number.
+ """
+ global base_port
+ p = base_port
+ base_port += 1
+ return p
+
+# Most filenames in the following are relative to the working directory.
+
+smoketest_name = cfg.get("smoketest_name", "smoketest")
+smoketest_dir = cfg.get("smoketest_dir", smoketest_name + ".dir")
+
+irdb_db_pass = cfg.get("irdb_db_pass", "fnord")
+rpki_db_pass = cfg.get("rpki_db_pass", "fnord")
+pubd_db_pass = cfg.get("pubd_db_pass", "fnord")
+pubd_db_name = cfg.get("pubd_db_name", "pubd0")
+pubd_db_user = cfg.get("pubd_db_user", "pubd")
+
+base_port = int(cfg.get("base_port", "4400"))
+
+rsyncd_port = allocate_port()
+rootd_port = allocate_port()
+pubd_port = allocate_port()
+
+rsyncd_module = cfg.get("rsyncd_module", smoketest_name)
+rootd_sia = cfg.get("rootd_sia", "rsync://localhost:%d/%s/" % (rsyncd_port, rsyncd_module))
+
+rootd_name = cfg.get("rootd_name", "rootd")
+rsyncd_name = cfg.get("rsyncd_name", "rsyncd")
+rcynic_name = cfg.get("rcynic_name", "rcynic")
+pubd_name = cfg.get("pubd_name", "pubd")
+
+prog_python = cfg.get("prog_python", sys.executable)
+prog_rpkid = cfg.get("prog_rpkid", "../../rpkid")
+prog_irdbd = cfg.get("prog_irdbd", "../old_irdbd.py")
+prog_poke = cfg.get("prog_poke", "../testpoke.py")
+prog_rootd = cfg.get("prog_rootd", "../../rootd")
+prog_pubd = cfg.get("prog_pubd", "../../pubd")
+prog_rsyncd = cfg.get("prog_rsyncd", "rsync")
+prog_rcynic = cfg.get("prog_rcynic", "../../../rcynic/rcynic")
+prog_openssl = cfg.get("prog_openssl", "../../../openssl/openssl/apps/openssl")
+
+rcynic_stats = cfg.get("rcynic_stats", "echo ; ../../../rcynic/rcynic-text %s.xml ; echo" % rcynic_name)
+
+rpki_sql_file = cfg.get("rpki_sql_file", "../rpkid.sql")
+irdb_sql_file = cfg.get("irdb_sql_file", "old_irdbd.sql")
+pub_sql_file = cfg.get("pub_sql_file", "../pubd.sql")
+
+startup_delay = int(cfg.get("startup_delay", "10"))
+
+rsyncd_dir = None
+pubd_ta = None
+pubd_irbe_key = None
+pubd_irbe_cert = None
+pubd_pubd_cert = None
+
+pubd_last_cms_time = None
+
+ecdsa_params = None
+
+class CantRekeyYAMLLeaf(Exception):
+ """
+ Can't rekey YAML leaf.
+ """
+
+class CouldntIssueBSCEECertificate(Exception):
+ """
+ Couldn't issue BSC EE certificate
+ """
+
+sql_conversions = MySQLdb.converters.conversions.copy()
+sql_conversions.update({
+ rpki.sundial.datetime : MySQLdb.converters.DateTime2literal,
+ MySQLdb.converters.FIELD_TYPE.DATETIME : rpki.sundial.datetime.DateTime_or_None })
+
+def main():
+ """
+ Main program.
+ """
+
+ rpki.log.init(smoketest_name, use_syslog = False)
+ rpki.log.info("Starting")
+
+ pubd_process = None
+ rootd_process = None
+ rsyncd_process = None
+
+ rpki_sql = mangle_sql(rpki_sql_file)
+ irdb_sql = mangle_sql(irdb_sql_file)
+ pubd_sql = mangle_sql(pub_sql_file)
+
+ rpki.log.info("Initializing test directory")
+
+ # Connect to test directory, creating it if necessary
+ try:
+ os.chdir(smoketest_dir)
+ except OSError:
+ os.makedirs(smoketest_dir)
+ os.chdir(smoketest_dir)
+
+ # Now that we're in the right directory, we can figure out whether
+ # we have a private openssl executable to use
+ global prog_openssl
+ if not os.path.exists(prog_openssl):
+ prog_openssl = "openssl"
+
+ # Discard everything but keys, which take a while to generate.
+ # Apparently os.walk() can't tell the difference between directories
+ # and symlinks to directories, so we have to handle both.
+ for root, dirs, files in os.walk(".", topdown = False):
+ for fn in files:
+ if not fn.endswith(".key"):
+ os.remove(os.path.join(root, fn))
+ for d in dirs:
+ try:
+ os.rmdir(os.path.join(root, d))
+ except OSError, e:
+ if e.errno == errno.ENOTDIR:
+ os.remove(os.path.join(root, d))
+ else:
+ raise
+
+ rpki.log.info("Reading master YAML configuration")
+ y = yaml_script.pop(0)
+
+ rpki.log.info("Constructing internal allocation database")
+ db = allocation_db(y)
+
+ rpki.log.info("Constructing BPKI keys and certs for rootd")
+ setup_bpki_cert_chain(rootd_name, ee = ("RPKI",))
+
+ rpki.log.info("Constructing BPKI keys and certs for pubd")
+ setup_bpki_cert_chain(pubd_name, ee = ("PUBD", "IRBE"))
+
+
+ for a in db:
+ a.setup_bpki_certs()
+
+ setup_publication(pubd_sql)
+ setup_rootd(db.root, y.get("rootd", {}))
+ setup_rsyncd()
+ setup_rcynic()
+
+ for a in db.engines:
+ a.setup_conf_file()
+ a.setup_sql(rpki_sql, irdb_sql)
+ a.sync_sql()
+
+ try:
+
+ rpki.log.info("Starting rootd")
+ rootd_process = subprocess.Popen((prog_python, prog_rootd, "-d", "-c", rootd_name + ".conf"))
+
+ rpki.log.info("Starting pubd")
+ pubd_process = subprocess.Popen((prog_python, prog_pubd, "-d", "-c", pubd_name + ".conf") +
+ (("-p", pubd_name + ".prof") if args.profile else ()))
+
+ rpki.log.info("Starting rsyncd")
+ rsyncd_process = subprocess.Popen((prog_rsyncd, "--daemon", "--no-detach", "--config", rsyncd_name + ".conf"))
+
+ # Start rpkid and irdbd instances
+ for a in db.engines:
+ a.run_daemons()
+
+ # From this point on we'll be running event-driven, so the rest of
+ # the code until final exit is all closures.
+
+ def start():
+ rpki.async.iterator(db.engines, create_rpki_objects, created_rpki_objects)
+
+ def create_rpki_objects(iterator, a):
+ a.create_rpki_objects(iterator)
+
+ def created_rpki_objects():
+
+ # Set pubd's BPKI CRL
+ set_pubd_crl(yaml_loop)
+
+ def yaml_loop():
+
+ # This is probably where we should be updating expired BPKI
+ # objects, particular CRLs
+
+ rpki.log.info("Running cron for all RPKI engines")
+ rpki.async.iterator(db.engines, run_cron, run_yaml)
+
+ def run_cron(iterator, a):
+ a.run_cron(iterator)
+
+ def run_yaml():
+
+ # Run rcynic to check results
+ run_rcynic()
+
+ # Apply next delta if we have one; otherwise, we're done.
+ if yaml_script:
+ rpki.log.info("Applying deltas")
+ db.apply_delta(yaml_script.pop(0), apply_delta_done)
+ else:
+ rpki.log.info("No more deltas to apply, done")
+ rpki.async.exit_event_loop()
+
+ def apply_delta_done():
+
+ # Resync IRDBs
+ for a in db.engines:
+ a.sync_sql()
+
+ # Loop until we run out of control YAML
+ yaml_loop()
+
+ rpki.log.info("Sleeping %d seconds while daemons start up" % startup_delay)
+ rpki.async.timer(start).set(rpki.sundial.timedelta(seconds = startup_delay))
+ rpki.async.event_loop()
+
+ # At this point we have gone into event-driven code.
+
+ rpki.log.info("Event loop exited normally")
+
+ except Exception, e:
+
+ rpki.log.info("Event loop exited with an exception: %r" % e)
+ rpki.log.traceback()
+
+ finally:
+
+ rpki.log.info("Cleaning up")
+ for a in db.engines:
+ a.kill_daemons()
+ for proc, name in ((rootd_process, "rootd"),
+ (pubd_process, "pubd"),
+ (rsyncd_process, "rsyncd")):
+ # pylint: disable=E1103
+ if proc is not None and proc.poll() is None:
+ rpki.log.info("Killing %s, pid %s" % (name, proc.pid))
+ try:
+ proc.terminate()
+ except OSError:
+ pass
+ if proc is not None:
+ rpki.log.info("Daemon %s, pid %s exited with code %s" % (name, proc.pid, proc.wait()))
+
+def cmd_sleep(cb, interval):
+ """
+ Set an alarm, then wait for it to go off.
+ """
+ howlong = rpki.sundial.timedelta.parse(interval)
+ rpki.log.info("Sleeping %r" % howlong)
+ rpki.async.timer(cb).set(howlong)
+
+def cmd_shell(cb, *cmd):
+ """
+ Run a shell command.
+ """
+ cmd = " ".join(cmd)
+ status = subprocess.call(cmd, shell = True)
+ rpki.log.info("Shell command returned status %d" % status)
+ cb()
+
+def cmd_echo(cb, *words):
+ """
+ Echo some text to the log.
+ """
+ rpki.log.note(" ".join(words))
+ cb()
+
+## @var cmds
+# Dispatch table for commands embedded in delta sections
+
+cmds = { "sleep" : cmd_sleep,
+ "shell" : cmd_shell,
+ "echo" : cmd_echo }
+
+class roa_request(object):
+ """
+ Representation for a roa_request object.
+ """
+
+ def __init__(self, asn, ipv4, ipv6):
+ self.asn = asn
+ self.v4 = rpki.resource_set.roa_prefix_set_ipv4("".join(ipv4.split())) if ipv4 else None
+ self.v6 = rpki.resource_set.roa_prefix_set_ipv6("".join(ipv6.split())) if ipv6 else None
+
+ def __eq__(self, other):
+ return self.asn == other.asn and self.v4 == other.v4 and self.v6 == other.v6
+
+ def __hash__(self):
+ v4 = tuple(self.v4) if self.v4 is not None else None
+ v6 = tuple(self.v6) if self.v6 is not None else None
+ return self.asn.__hash__() + v4.__hash__() + v6.__hash__()
+
+ def __str__(self):
+ if self.v4 and self.v6: s = str(self.v4) + "," + str(self.v6)
+ elif self.v4: s = str(self.v4)
+ else: s = str(self.v6)
+ return "%s: %s" % (self.asn, s)
+
+ @classmethod
+ def parse(cls, yaml):
+ return cls(yaml.get("asn"), yaml.get("ipv4"), yaml.get("ipv6"))
+
+class router_cert(object):
+ """
+ Representation for a router_cert object.
+ """
+
+ _ecparams = None
+
+ @classmethod
+ def ecparams(cls):
+ if cls._ecparams is None:
+ cls._ecparams = rpki.x509.KeyParams.generateEC()
+ return cls._ecparams
+
+ def __init__(self, asn, router_id):
+ self.asn = rpki.resource_set.resource_set_as("".join(str(asn).split()))
+ self.router_id = router_id
+ self.keypair = rpki.x509.ECDSA.generate(self.ecparams())
+ self.pkcs10 = rpki.x509.PKCS10.create(keypair = self.keypair)
+ self.gski = self.pkcs10.gSKI()
+ self.cn = "ROUTER-%08x" % self.asn[0].min
+ self.sn = "%08x" % self.router_id
+ self.eku = rpki.oids.id_kp_bgpsec_router
+
+ def __eq__(self, other):
+ return self.asn == other.asn and self.sn == other.sn and self.gski == other.gski
+
+ def __hash__(self):
+ v6 = tuple(self.v6) if self.v6 is not None else None
+ return tuple(self.asn).__hash__() + sn.__hash__() + self.gski.__hash__()
+
+ def __str__(self):
+ return "%s: %s: %s" % (self.asn, self.cn, self.sn, self.gski)
+
+ @classmethod
+ def parse(cls, yaml):
+ return cls(yaml.get("asn"), yaml.get("router_id"))
+
+class allocation_db(list):
+ """
+ Representation of all the entities and allocations in the test
+ system. Almost everything is generated out of this database.
+ """
+
+ def __init__(self, yaml):
+ """
+ Initialize database from the (first) YAML document.
+ """
+
+ list.__init__(self)
+ self.root = allocation(yaml, self)
+ assert self.root.is_root
+ if self.root.crl_interval is None:
+ self.root.crl_interval = rpki.sundial.timedelta.parse(cfg.get("crl_interval", "1d")).convert_to_seconds()
+ if self.root.regen_margin is None:
+ self.root.regen_margin = rpki.sundial.timedelta.parse(cfg.get("regen_margin", "1d")).convert_to_seconds()
+ for a in self:
+ if a.sia_base is None:
+ a.sia_base = (rootd_sia + "root/trunk/" if a.is_root else a.parent.sia_base) + a.name + "/"
+ if a.base.valid_until is None:
+ a.base.valid_until = a.parent.base.valid_until
+ if a.crl_interval is None:
+ a.crl_interval = a.parent.crl_interval
+ if a.regen_margin is None:
+ a.regen_margin = a.parent.regen_margin
+ a.client_handle = "/".join(a.sia_base.split("/")[4:]).rstrip("/")
+ self.root.closure()
+ self.map = dict((a.name, a) for a in self)
+ self.engines = [a for a in self if a.is_engine]
+ for i, a in enumerate(self.engines):
+ a.set_engine_number(i)
+ for a in self:
+ if a.is_hosted:
+ a.hosted_by = self.map[a.hosted_by]
+ a.hosted_by.hosts.append(a)
+ assert a.is_twig, "%s is not twig" % a.name
+ assert not a.hosted_by.is_hosted, "%s is hosted by a hosted entity" % a.name
+
+ def apply_delta(self, delta, cb):
+ """
+ Apply a delta or run a command.
+ """
+
+ def loop(iterator, d):
+ if isinstance(d, str):
+ c = d.split()
+ cmds[c[0]](iterator, *c[1:])
+ else:
+ self.map[d["name"]].apply_delta(d, iterator)
+
+ def done():
+ self.root.closure()
+ cb()
+
+ if delta is None:
+ cb()
+ else:
+ rpki.async.iterator(delta, loop, done)
+
+ def dump(self):
+ """
+ Print content of the database.
+ """
+ for a in self:
+ print a
+
+class allocation(object):
+
+ parent = None
+ irdb_db_name = None
+ irdb_port = None
+ rpki_db_name = None
+ rpki_port = None
+ crl_interval = None
+ regen_margin = None
+ last_cms_time = None
+ rpkid_process = None
+ irdbd_process = None
+
+ def __init__(self, yaml, db, parent = None):
+ """
+ Initialize one entity and insert it into the database.
+ """
+ db.append(self)
+ self.name = yaml["name"]
+ self.parent = parent
+ self.kids = [allocation(k, db, self) for k in yaml.get("kids", ())]
+ valid_until = None
+ if "valid_until" in yaml:
+ valid_until = rpki.sundial.datetime.from_datetime(yaml.get("valid_until"))
+ if valid_until is None and "valid_for" in yaml:
+ valid_until = rpki.sundial.now() + rpki.sundial.timedelta.parse(yaml["valid_for"])
+ self.base = rpki.resource_set.resource_bag(
+ asn = rpki.resource_set.resource_set_as(yaml.get("asn")),
+ v4 = rpki.resource_set.resource_set_ipv4(yaml.get("ipv4")),
+ v6 = rpki.resource_set.resource_set_ipv6(yaml.get("ipv6")),
+ valid_until = valid_until)
+ self.sia_base = yaml.get("sia_base")
+ if "crl_interval" in yaml:
+ self.crl_interval = rpki.sundial.timedelta.parse(yaml["crl_interval"]).convert_to_seconds()
+ if "regen_margin" in yaml:
+ self.regen_margin = rpki.sundial.timedelta.parse(yaml["regen_margin"]).convert_to_seconds()
+ self.roa_requests = [roa_request.parse(y) for y in yaml.get("roa_request", yaml.get("route_origin", ()))]
+ for r in self.roa_requests:
+ if r.v4:
+ self.base.v4 |= r.v4.to_resource_set()
+ if r.v6:
+ self.base.v6 |= r.v6.to_resource_set()
+ self.router_certs = [router_cert.parse(y) for y in yaml.get("router_cert", ())]
+ for r in self.router_certs:
+ self.base.asn |= r.asn
+ self.hosted_by = yaml.get("hosted_by")
+ self.extra_conf = yaml.get("extra_conf", [])
+ self.hosts = []
+
+ def closure(self):
+ """
+ Compute the transitive resource closure.
+ """
+ resources = self.base
+ for kid in self.kids:
+ resources |= kid.closure()
+ self.resources = resources
+ return resources
+
+ def apply_delta(self, yaml, cb):
+ """
+ Apply deltas to this entity.
+ """
+
+ rpki.log.info("Applying delta: %s" % yaml)
+
+ def loop(iterator, kv):
+ if kv[0] == "name":
+ iterator()
+ else:
+ getattr(self, "apply_" + kv[0])(kv[1], iterator)
+
+ rpki.async.iterator(yaml.items(), loop, cb)
+
+ def apply_add_as(self, text, cb):
+ self.base.asn |= rpki.resource_set.resource_set_as(text)
+ cb()
+
+ def apply_add_v4(self, text, cb):
+ self.base.v4 |= rpki.resource_set.resource_set_ipv4(text)
+ cb()
+
+ def apply_add_v6(self, text, cb):
+ self.base.v6 |= rpki.resource_set.resource_set_ipv6(text)
+ cb()
+
+ def apply_sub_as(self, text, cb):
+ self.base.asn |= rpki.resource_set.resource_set_as(text)
+ cb()
+
+ def apply_sub_v4(self, text, cb):
+ self.base.v4 |= rpki.resource_set.resource_set_ipv4(text)
+ cb()
+
+ def apply_sub_v6(self, text, cb):
+ self.base.v6 |= rpki.resource_set.resource_set_ipv6(text)
+ cb()
+
+ def apply_valid_until(self, stamp, cb):
+ self.base.valid_until = rpki.sundial.datetime.from_datetime(stamp)
+ cb()
+
+ def apply_valid_for(self, text, cb):
+ self.base.valid_until = rpki.sundial.now() + rpki.sundial.timedelta.parse(text)
+ cb()
+
+ def apply_valid_add(self, text, cb):
+ self.base.valid_until += rpki.sundial.timedelta.parse(text)
+ cb()
+
+ def apply_valid_sub(self, text, cb):
+ self.base.valid_until -= rpki.sundial.timedelta.parse(text)
+ cb()
+
+ def apply_roa_request_add(self, yaml, cb):
+ for y in yaml:
+ r = roa_request.parse(y)
+ if r not in self.roa_requests:
+ self.roa_requests.append(r)
+ cb()
+
+ def apply_roa_request_del(self, yaml, cb):
+ for y in yaml:
+ r = roa_request.parse(y)
+ if r in self.roa_requests:
+ self.roa_requests.remove(r)
+ cb()
+
+ def apply_router_cert_add(self, yaml, cb):
+ for y in yaml:
+ r = router_cert.parse(y)
+ if r not in self.router_certs:
+ self.router_certs.append(r)
+ cb()
+
+ def apply_router_cert_del(self, yaml, cb):
+ for y in yaml:
+ r = router_cert.parse(y)
+ if r in self.router_certs:
+ self.router_certs.remove(r)
+ cb()
+
+ def apply_rekey(self, target, cb):
+
+ def done(e):
+ if isinstance(e, Exception):
+ rpki.log.traceback()
+ raise e
+ cb()
+
+ if target is None:
+ rpki.log.info("Rekeying <self/> %s" % self.name)
+ self.call_rpkid([rpki.left_right.self_elt.make_pdu(
+ action = "set", self_handle = self.name, rekey = "yes")], cb = done)
+ else:
+ rpki.log.info("Rekeying <parent/> %s %s" % (self.name, target))
+ self.call_rpkid([rpki.left_right.parent_elt.make_pdu(
+ action = "set", self_handle = self.name, parent_handle = target, rekey = "yes")], cb = done)
+
+ def apply_revoke(self, target, cb):
+
+ def done(e):
+ if isinstance(e, Exception):
+ rpki.log.traceback()
+ raise e
+ cb()
+
+ if target is None:
+ rpki.log.info("Revoking <self/> %s" % self.name)
+ self.call_rpkid([rpki.left_right.self_elt.make_pdu(
+ action = "set", self_handle = self.name, revoke = "yes")], cb = done)
+ else:
+ rpki.log.info("Revoking <parent/> %s %s" % (self.name, target))
+ self.call_rpkid([rpki.left_right.parent_elt.make_pdu(
+ action = "set", self_handle = self.name, parent_handle = target, revoke = "yes")], cb = done)
+
+ def __str__(self):
+ s = self.name + "\n"
+ if self.resources.asn: s += " ASN: %s\n" % self.resources.asn
+ if self.resources.v4: s += " IPv4: %s\n" % self.resources.v4
+ if self.resources.v6: s += " IPv6: %s\n" % self.resources.v6
+ if self.kids: s += " Kids: %s\n" % ", ".join(k.name for k in self.kids)
+ if self.parent: s += " Up: %s\n" % self.parent.name
+ if self.sia_base: s += " SIA: %s\n" % self.sia_base
+ return s + "Until: %s\n" % self.resources.valid_until
+
+
+ @property
+ def is_root(self):
+ return self.parent is None
+
+ @property
+ def is_twig(self):
+ return not self.is_root
+
+ @property
+ def is_hosted(self):
+ return self.hosted_by is not None
+
+ @property
+ def is_engine(self):
+ return not self.is_hosted
+
+ def set_engine_number(self, n):
+ """
+ Set the engine number for this entity.
+ """
+ self.irdb_db_name = "irdb%d" % n
+ self.irdb_port = allocate_port()
+ self.rpki_db_name = "rpki%d" % n
+ self.rpki_port = allocate_port()
+
+ def get_rpki_port(self):
+ """
+ Get rpki port to use for this entity.
+ """
+ if self.is_hosted:
+ assert self.hosted_by.rpki_port is not None
+ return self.hosted_by.rpki_port
+ else:
+ assert self.rpki_port is not None
+ return self.rpki_port
+
+ def setup_bpki_certs(self):
+ """
+ Create BPKI certificates for this entity.
+ """
+ rpki.log.info("Constructing BPKI keys and certs for %s" % self.name)
+ setup_bpki_cert_chain(name = self.name,
+ ee = ("RPKI", "IRDB", "IRBE"),
+ ca = ("SELF",))
+ self.rpkid_ta = rpki.x509.X509(PEM_file = self.name + "-TA.cer")
+ self.irbe_key = rpki.x509.RSA( PEM_file = self.name + "-IRBE.key")
+ self.irbe_cert = rpki.x509.X509(PEM_file = self.name + "-IRBE.cer")
+ self.rpkid_cert = rpki.x509.X509(PEM_file = self.name + "-RPKI.cer")
+
+ def setup_conf_file(self):
+ """
+ Write config files for this entity.
+ """
+ rpki.log.info("Writing config files for %s" % self.name)
+ assert self.rpki_port is not None
+ d = { "my_name" : self.name,
+ "irdb_db_name" : self.irdb_db_name,
+ "irdb_db_pass" : irdb_db_pass,
+ "irdb_port" : self.irdb_port,
+ "rpki_db_name" : self.rpki_db_name,
+ "rpki_db_pass" : rpki_db_pass,
+ "rpki_port" : self.rpki_port }
+ f = open(self.name + ".conf", "w")
+ f.write(conf_fmt_1 % d)
+ for line in self.extra_conf:
+ f.write(line + "\n")
+ f.close()
+
+ def setup_sql(self, rpki_sql, irdb_sql):
+ """
+ Set up this entity's IRDB.
+ """
+ rpki.log.info("Setting up MySQL for %s" % self.name)
+ db = MySQLdb.connect(user = "rpki", db = self.rpki_db_name, passwd = rpki_db_pass,
+ conv = sql_conversions)
+ cur = db.cursor()
+ db.autocommit(True)
+ for sql in rpki_sql:
+ try:
+ cur.execute(sql)
+ except Exception:
+ if "DROP TABLE IF EXISTS" not in sql.upper():
+ raise
+ db.close()
+ db = MySQLdb.connect(user = "irdb", db = self.irdb_db_name, passwd = irdb_db_pass,
+ conv = sql_conversions)
+ cur = db.cursor()
+ db.autocommit(True)
+ for sql in irdb_sql:
+ try:
+ cur.execute(sql)
+ except Exception:
+ if "DROP TABLE IF EXISTS" not in sql.upper():
+ raise
+ for s in [self] + self.hosts:
+ for kid in s.kids:
+ cur.execute("INSERT registrant (registrant_handle, registry_handle, valid_until) VALUES (%s, %s, %s)",
+ (kid.name, s.name, kid.resources.valid_until))
+ db.close()
+
+ def sync_sql(self):
+ """
+ Whack this entity's IRDB to match our master database. We do this
+ once during setup, then do it again every time we apply a delta to
+ this entity.
+ """
+ rpki.log.info("Updating MySQL data for IRDB %s" % self.name)
+ db = MySQLdb.connect(user = "irdb", db = self.irdb_db_name, passwd = irdb_db_pass,
+ conv = sql_conversions)
+ cur = db.cursor()
+ db.autocommit(True)
+ cur.execute("DELETE FROM registrant_asn")
+ cur.execute("DELETE FROM registrant_net")
+ cur.execute("DELETE FROM roa_request_prefix")
+ cur.execute("DELETE FROM roa_request")
+ cur.execute("DELETE FROM ee_certificate_asn")
+ cur.execute("DELETE FROM ee_certificate_net")
+ cur.execute("DELETE FROM ee_certificate")
+
+ for s in [self] + self.hosts:
+ for kid in s.kids:
+ cur.execute("SELECT registrant_id FROM registrant WHERE registrant_handle = %s AND registry_handle = %s",
+ (kid.name, s.name))
+ registrant_id = cur.fetchone()[0]
+ for as_range in kid.resources.asn:
+ cur.execute("INSERT registrant_asn (start_as, end_as, registrant_id) VALUES (%s, %s, %s)",
+ (as_range.min, as_range.max, registrant_id))
+ for v4_range in kid.resources.v4:
+ cur.execute("INSERT registrant_net (start_ip, end_ip, version, registrant_id) VALUES (%s, %s, 4, %s)",
+ (v4_range.min, v4_range.max, registrant_id))
+ for v6_range in kid.resources.v6:
+ cur.execute("INSERT registrant_net (start_ip, end_ip, version, registrant_id) VALUES (%s, %s, 6, %s)",
+ (v6_range.min, v6_range.max, registrant_id))
+ cur.execute("UPDATE registrant SET valid_until = %s WHERE registrant_id = %s",
+ (kid.resources.valid_until, registrant_id))
+ for r in s.roa_requests:
+ cur.execute("INSERT roa_request (self_handle, asn) VALUES (%s, %s)",
+ (s.name, r.asn))
+ roa_request_id = cur.lastrowid
+ for version, prefix_set in ((4, r.v4), (6, r.v6)):
+ if prefix_set:
+ cur.executemany("INSERT roa_request_prefix "
+ "(roa_request_id, prefix, prefixlen, max_prefixlen, version) "
+ "VALUES (%s, %s, %s, %s, %s)",
+ ((roa_request_id, x.prefix, x.prefixlen, x.max_prefixlen, version)
+ for x in prefix_set))
+ for r in s.router_certs:
+ cur.execute("INSERT ee_certificate (self_handle, pkcs10, gski, cn, sn, eku, valid_until) "
+ "VALUES (%s, %s, %s, %s, %s, %s, %s)",
+ (s.name, r.pkcs10.get_DER(), r.gski, r.cn, r.sn, r.eku, s.resources.valid_until))
+ ee_certificate_id = cur.lastrowid
+ cur.executemany("INSERT ee_certificate_asn (ee_certificate_id, start_as, end_as) VALUES (%s, %s, %s)",
+ ((ee_certificate_id, a.min, a.max) for a in r.asn))
+ db.close()
+
+ def run_daemons(self):
+ """
+ Run daemons for this entity.
+ """
+ rpki.log.info("Running daemons for %s" % self.name)
+ self.rpkid_process = subprocess.Popen((prog_python, prog_rpkid, "-d", "-c", self.name + ".conf") +
+ (("-p", self.name + ".prof") if args.profile else ()))
+ self.irdbd_process = subprocess.Popen((prog_python, prog_irdbd, "-d", "-c", self.name + ".conf"))
+
+ def kill_daemons(self):
+ """
+ Kill daemons for this entity.
+ """
+ # pylint: disable=E1103
+ for proc, name in ((self.rpkid_process, "rpkid"),
+ (self.irdbd_process, "irdbd")):
+ if proc is not None and proc.poll() is None:
+ rpki.log.info("Killing daemon %s pid %s for %s" % (name, proc.pid, self.name))
+ try:
+ proc.terminate()
+ except OSError:
+ pass
+ if proc is not None:
+ rpki.log.info("Daemon %s pid %s for %s exited with code %s" % (
+ name, proc.pid, self.name, proc.wait()))
+
+ def call_rpkid(self, pdus, cb):
+ """
+ Send a left-right message to this entity's RPKI daemon and return
+ the response.
+
+ If this entity is hosted (does not run its own RPKI daemon), all
+ of this happens with the hosting RPKI daemon.
+ """
+
+ rpki.log.info("Calling rpkid for %s" % self.name)
+
+ if self.is_hosted:
+ rpki.log.info("rpkid %s is hosted by rpkid %s, switching" % (self.name, self.hosted_by.name))
+ self = self.hosted_by
+ assert not self.is_hosted
+
+ assert isinstance(pdus, (list, tuple))
+ assert self.rpki_port is not None
+
+ q_msg = rpki.left_right.msg.query(*pdus)
+ q_cms = rpki.left_right.cms_msg()
+ q_der = q_cms.wrap(q_msg, self.irbe_key, self.irbe_cert)
+ q_url = "http://localhost:%d/left-right" % self.rpki_port
+
+ rpki.log.debug(q_cms.pretty_print_content())
+
+ def done(r_der):
+ rpki.log.info("Callback from rpkid %s" % self.name)
+ r_cms = rpki.left_right.cms_msg(DER = r_der)
+ r_msg = r_cms.unwrap((self.rpkid_ta, self.rpkid_cert))
+ self.last_cms_time = r_cms.check_replay(self.last_cms_time, q_url)
+ rpki.log.debug(r_cms.pretty_print_content())
+ assert r_msg.is_reply
+ for r_pdu in r_msg:
+ assert not isinstance(r_pdu, rpki.left_right.report_error_elt)
+ cb(r_msg)
+
+ def lose(e):
+ raise
+
+ rpki.http.client(
+ url = q_url,
+ msg = q_der,
+ callback = done,
+ errback = lose)
+
+ def cross_certify(self, certificant, reverse = False):
+ """
+ Cross-certify and return the resulting certificate.
+ """
+
+ if reverse:
+ certifier = certificant
+ certificant = self.name + "-SELF"
+ else:
+ certifier = self.name + "-SELF"
+ certfile = certifier + "-" + certificant + ".cer"
+
+ rpki.log.info("Cross certifying %s into %s's BPKI (%s)" % (certificant, certifier, certfile))
+
+ child = rpki.x509.X509(Auto_file = certificant + ".cer")
+ parent = rpki.x509.X509(Auto_file = certifier + ".cer")
+ keypair = rpki.x509.RSA(Auto_file = certifier + ".key")
+ serial_file = certifier + ".srl"
+
+ now = rpki.sundial.now()
+ notAfter = now + rpki.sundial.timedelta(days = 30)
+
+ try:
+ f = open(serial_file, "r")
+ serial = f.read()
+ f.close()
+ serial = int(serial.splitlines()[0], 16)
+ except IOError:
+ serial = 1
+
+ x = parent.bpki_cross_certify(
+ keypair = keypair,
+ source_cert = child,
+ serial = serial,
+ notAfter = notAfter,
+ now = now)
+
+ f = open(serial_file, "w")
+ f.write("%02x\n" % (serial + 1))
+ f.close()
+
+ f = open(certfile, "w")
+ f.write(x.get_PEM())
+ f.close()
+
+ rpki.log.debug("Cross certified %s:" % certfile)
+ rpki.log.debug(" Issuer %s [%s]" % (x.getIssuer(), x.hAKI()))
+ rpki.log.debug(" Subject %s [%s]" % (x.getSubject(), x.hSKI()))
+ return x
+
+ def create_rpki_objects(self, cb):
+ """
+ Create RPKI engine objects for this engine.
+
+ Root node of the engine tree is special, it too has a parent but
+ that one is the magic self-signed micro engine.
+
+ The rest of this is straightforward. There are a lot of objects
+ to create, but we can do batch them all into one honking PDU, then
+ issue one more PDU to set BSC EE certificates based on the PKCS
+ #10 requests we get back when we tell rpkid to generate BSC keys.
+ """
+
+ assert not self.is_hosted
+
+ selves = [self] + self.hosts
+
+ for i, s in enumerate(selves):
+ rpki.log.info("Creating RPKI objects for [%d] %s" % (i, s.name))
+
+ rpkid_pdus = []
+ pubd_pdus = []
+
+ for s in selves:
+
+ rpkid_pdus.append(rpki.left_right.self_elt.make_pdu(
+ action = "create",
+ self_handle = s.name,
+ crl_interval = s.crl_interval,
+ regen_margin = s.regen_margin,
+ bpki_cert = (s.cross_certify(s.hosted_by.name + "-TA", reverse = True)
+ if s.is_hosted else
+ rpki.x509.X509(Auto_file = s.name + "-SELF.cer"))))
+
+ rpkid_pdus.append(rpki.left_right.bsc_elt.make_pdu(
+ action = "create",
+ self_handle = s.name,
+ bsc_handle = "b",
+ generate_keypair = True))
+
+ pubd_pdus.append(rpki.publication.client_elt.make_pdu(
+ action = "create",
+ client_handle = s.client_handle,
+ base_uri = s.sia_base,
+ bpki_cert = s.cross_certify(pubd_name + "-TA", reverse = True)))
+
+ rpkid_pdus.append(rpki.left_right.repository_elt.make_pdu(
+ action = "create",
+ self_handle = s.name,
+ bsc_handle = "b",
+ repository_handle = "r",
+ bpki_cert = s.cross_certify(pubd_name + "-TA"),
+ peer_contact_uri = "http://localhost:%d/client/%s" % (pubd_port, s.client_handle)))
+
+ for k in s.kids:
+ rpkid_pdus.append(rpki.left_right.child_elt.make_pdu(
+ action = "create",
+ self_handle = s.name,
+ child_handle = k.name,
+ bsc_handle = "b",
+ bpki_cert = s.cross_certify(k.name + "-SELF")))
+
+ if s.is_root:
+ rootd_cert = s.cross_certify(rootd_name + "-TA")
+ rpkid_pdus.append(rpki.left_right.parent_elt.make_pdu(
+ action = "create",
+ self_handle = s.name,
+ parent_handle = "rootd",
+ bsc_handle = "b",
+ repository_handle = "r",
+ sia_base = s.sia_base,
+ bpki_cms_cert = rootd_cert,
+ sender_name = s.name,
+ recipient_name = "rootd",
+ peer_contact_uri = "http://localhost:%s/" % rootd_port))
+ else:
+ rpkid_pdus.append(rpki.left_right.parent_elt.make_pdu(
+ action = "create",
+ self_handle = s.name,
+ parent_handle = s.parent.name,
+ bsc_handle = "b",
+ repository_handle = "r",
+ sia_base = s.sia_base,
+ bpki_cms_cert = s.cross_certify(s.parent.name + "-SELF"),
+ sender_name = s.name,
+ recipient_name = s.parent.name,
+ peer_contact_uri = "http://localhost:%s/up-down/%s/%s" % (s.parent.get_rpki_port(),
+ s.parent.name, s.name)))
+
+ def one():
+ call_pubd(pubd_pdus, cb = two)
+
+ def two(vals):
+ self.call_rpkid(rpkid_pdus, cb = three)
+
+ def three(vals):
+
+ bsc_dict = dict((b.self_handle, b) for b in vals if isinstance(b, rpki.left_right.bsc_elt))
+
+ bsc_pdus = []
+
+ for s in selves:
+ b = bsc_dict[s.name]
+
+ rpki.log.info("Issuing BSC EE cert for %s" % s.name)
+ cmd = (prog_openssl, "x509", "-req", "-sha256", "-extfile", s.name + "-RPKI.conf",
+ "-extensions", "req_x509_ext", "-days", "30",
+ "-CA", s.name + "-SELF.cer", "-CAkey", s.name + "-SELF.key", "-CAcreateserial", "-text")
+ signer = subprocess.Popen(cmd, stdin = subprocess.PIPE, stdout = subprocess.PIPE, stderr = subprocess.PIPE)
+ signed = signer.communicate(input = b.pkcs10_request.get_PEM())
+ if not signed[0]:
+ rpki.log.warn(signed[1])
+ raise CouldntIssueBSCEECertificate, "Couldn't issue BSC EE certificate"
+ s.bsc_ee = rpki.x509.X509(PEM = signed[0])
+ s.bsc_crl = rpki.x509.CRL(PEM_file = s.name + "-SELF.crl")
+ rpki.log.info("BSC EE cert for %s SKI %s" % (s.name, s.bsc_ee.hSKI()))
+
+ bsc_pdus.append(rpki.left_right.bsc_elt.make_pdu(
+ action = "set",
+ self_handle = s.name,
+ bsc_handle = "b",
+ signing_cert = s.bsc_ee,
+ signing_cert_crl = s.bsc_crl))
+
+ self.call_rpkid(bsc_pdus, cb = four)
+
+ def four(vals):
+ cb()
+
+ one()
+
+ def setup_yaml_leaf(self):
+ """
+ Generate certificates and write YAML scripts for leaf nodes.
+
+ We're cheating a bit here: properly speaking, we can't generate
+ issue or revoke requests without knowing the class, which is
+ generated on the fly, but at the moment the test case is
+ simplistic enough that the class will always be "1", so we just
+ wire in that value for now.
+
+ Well, ok, we just broke that assumption. Now we do something even
+ nastier, just to eke a bit more life out of this kludge. This
+ really needs to be rewritten, but it may require a different tool
+ than testpoke.
+ """
+
+ if not os.path.exists(self.name + ".key"):
+ rpki.log.info("Generating RPKI key for %s" % self.name)
+ subprocess.check_call((prog_openssl, "genrsa", "-out", self.name + ".key", "2048" ),
+ stdout = subprocess.PIPE, stderr = subprocess.STDOUT)
+ ski = rpki.x509.RSA(PEM_file = self.name + ".key").gSKI()
+
+ if self.parent.is_hosted:
+ parent_host = self.parent.hosted_by.name
+ else:
+ parent_host = self.parent.name
+
+ self.cross_certify(self.parent.name + "-SELF")
+ self.cross_certify(parent_host + "-TA")
+
+ rpki.log.info("Writing leaf YAML for %s" % self.name)
+ f = open(self.name + ".yaml", "w")
+ f.write(yaml_fmt_1 % {
+ "parent_name" : self.parent.name,
+ "parent_host" : parent_host,
+ "my_name" : self.name,
+ "http_port" : self.parent.get_rpki_port(),
+ "class_name" : 2 if self.parent.is_hosted else 1,
+ "sia" : self.sia_base,
+ "ski" : ski })
+ f.close()
+
+ def run_cron(self, cb):
+ """
+ Trigger cron run for this engine.
+ """
+
+ rpki.log.info("Running cron for %s" % self.name)
+
+ assert self.rpki_port is not None
+
+ def done(result):
+ assert result == "OK", 'Expected "OK" result from cronjob, got %r' % result
+ cb()
+
+ rpki.http.client(
+ url = "http://localhost:%d/cronjob" % self.rpki_port,
+ msg = "Run cron now, please",
+ callback = done,
+ errback = done)
+
+ def run_yaml(self):
+ """
+ Run YAML scripts for this leaf entity. Since we're not bothering
+ to check the class list returned by the list command, the issue
+ command may fail, so we treat failure of the list command as an
+ error, but only issue a warning when issue fails.
+ """
+
+ rpki.log.info("Running YAML for %s" % self.name)
+ subprocess.check_call((prog_python, prog_poke, "-y", self.name + ".yaml", "-r", "list"))
+ if subprocess.call((prog_python, prog_poke, "-y", self.name + ".yaml", "-r", "issue")) != 0:
+ rpki.log.warn("YAML issue command failed for %s, continuing" % self.name)
+
+def setup_bpki_cert_chain(name, ee = (), ca = ()):
+ """
+ Build a set of BPKI certificates.
+ """
+ s = "exec >/dev/null 2>&1\n"
+ #s = "set -x\n"
+ for kind in ("TA",) + ee + ca:
+ d = { "name" : name,
+ "kind" : kind,
+ "ca" : "false" if kind in ee else "true",
+ "openssl" : prog_openssl }
+ f = open("%(name)s-%(kind)s.conf" % d, "w")
+ f.write(bpki_cert_fmt_1 % d)
+ f.close()
+ if not os.path.exists("%(name)s-%(kind)s.key" % d):
+ s += bpki_cert_fmt_2 % d
+ s += bpki_cert_fmt_3 % d
+ d = { "name" : name, "openssl" : prog_openssl }
+ s += bpki_cert_fmt_4 % d
+ for kind in ee + ca:
+ d["kind"] = kind
+ s += bpki_cert_fmt_5 % d
+ for kind in ("TA",) + ca:
+ d["kind"] = kind
+ s += bpki_cert_fmt_6 % d
+ subprocess.check_call(s, shell = True)
+
+def setup_rootd(rpkid, rootd_yaml):
+ """
+ Write the config files for rootd.
+ """
+ rpkid.cross_certify(rootd_name + "-TA", reverse = True)
+ rpki.log.info("Writing config files for %s" % rootd_name)
+ d = { "rootd_name" : rootd_name,
+ "rootd_port" : rootd_port,
+ "rpkid_name" : rpkid.name,
+ "rootd_sia" : rootd_sia,
+ "rsyncd_dir" : rsyncd_dir,
+ "openssl" : prog_openssl,
+ "lifetime" : rootd_yaml.get("lifetime", "30d") }
+ f = open(rootd_name + ".conf", "w")
+ f.write(rootd_fmt_1 % d)
+ f.close()
+ s = "exec >/dev/null 2>&1\n"
+ #s = "set -x\n"
+ if not os.path.exists("root.key"):
+ s += rootd_fmt_2 % d
+ s += rootd_fmt_3 % d
+ subprocess.check_call(s, shell = True)
+
+def setup_rcynic():
+ """
+ Write the config file for rcynic.
+ """
+ rpki.log.info("Config file for rcynic")
+ d = { "rcynic_name" : rcynic_name,
+ "rootd_name" : rootd_name,
+ "rootd_sia" : rootd_sia }
+ f = open(rcynic_name + ".conf", "w")
+ f.write(rcynic_fmt_1 % d)
+ f.close()
+
+def setup_rsyncd():
+ """
+ Write the config file for rsyncd.
+ """
+ rpki.log.info("Config file for rsyncd")
+ d = { "rsyncd_name" : rsyncd_name,
+ "rsyncd_port" : rsyncd_port,
+ "rsyncd_module" : rsyncd_module,
+ "rsyncd_dir" : rsyncd_dir }
+ f = open(rsyncd_name + ".conf", "w")
+ f.write(rsyncd_fmt_1 % d)
+ f.close()
+
+def setup_publication(pubd_sql):
+ """
+ Set up publication daemon.
+ """
+ rpki.log.info("Configure publication daemon")
+ publication_dir = os.getcwd() + "/publication"
+ assert rootd_sia.startswith("rsync://")
+ global rsyncd_dir
+ rsyncd_dir = publication_dir + "/".join(rootd_sia.split("/")[4:])
+ if not rsyncd_dir.endswith("/"):
+ rsyncd_dir += "/"
+ os.makedirs(rsyncd_dir + "root/trunk")
+ db = MySQLdb.connect(db = pubd_db_name, user = pubd_db_user, passwd = pubd_db_pass,
+ conv = sql_conversions)
+ cur = db.cursor()
+ db.autocommit(True)
+ for sql in pubd_sql:
+ try:
+ cur.execute(sql)
+ except Exception:
+ if "DROP TABLE IF EXISTS" not in sql.upper():
+ raise
+ db.close()
+ d = { "pubd_name" : pubd_name,
+ "pubd_port" : pubd_port,
+ "pubd_db_name" : pubd_db_name,
+ "pubd_db_user" : pubd_db_user,
+ "pubd_db_pass" : pubd_db_pass,
+ "pubd_dir" : rsyncd_dir }
+ f = open(pubd_name + ".conf", "w")
+ f.write(pubd_fmt_1 % d)
+ f.close()
+ global pubd_ta
+ global pubd_irbe_key
+ global pubd_irbe_cert
+ global pubd_pubd_cert
+ pubd_ta = rpki.x509.X509(Auto_file = pubd_name + "-TA.cer")
+ pubd_irbe_key = rpki.x509.RSA( Auto_file = pubd_name + "-IRBE.key")
+ pubd_irbe_cert = rpki.x509.X509(Auto_file = pubd_name + "-IRBE.cer")
+ pubd_pubd_cert = rpki.x509.X509(Auto_file = pubd_name + "-PUBD.cer")
+
+def call_pubd(pdus, cb):
+ """
+ Send a publication message to publication daemon and return the
+ response.
+ """
+ rpki.log.info("Calling pubd")
+ q_msg = rpki.publication.msg.query(*pdus)
+ q_cms = rpki.publication.cms_msg()
+ q_der = q_cms.wrap(q_msg, pubd_irbe_key, pubd_irbe_cert)
+ q_url = "http://localhost:%d/control" % pubd_port
+
+ rpki.log.debug(q_cms.pretty_print_content())
+
+ def call_pubd_cb(r_der):
+ global pubd_last_cms_time
+ r_cms = rpki.publication.cms_msg(DER = r_der)
+ r_msg = r_cms.unwrap((pubd_ta, pubd_pubd_cert))
+ pubd_last_cms_time = r_cms.check_replay(pubd_last_cms_time, q_url)
+ rpki.log.debug(r_cms.pretty_print_content())
+ assert r_msg.is_reply
+ for r_pdu in r_msg:
+ assert not isinstance(r_pdu, rpki.publication.report_error_elt)
+ cb(r_msg)
+
+ def call_pubd_eb(e):
+ rpki.log.warn("Problem calling pubd: %s" % e)
+ rpki.log.traceback()
+
+ rpki.http.client(
+ url = q_url,
+ msg = q_der,
+ callback = call_pubd_cb,
+ errback = call_pubd_eb)
+
+def set_pubd_crl(cb):
+ """
+ Whack publication daemon's bpki_crl. This must be configured before
+ publication daemon starts talking to its clients, and must be
+ updated whenever we update the CRL.
+ """
+ rpki.log.info("Setting pubd's BPKI CRL")
+ crl = rpki.x509.CRL(Auto_file = pubd_name + "-TA.crl")
+ call_pubd([rpki.publication.config_elt.make_pdu(action = "set", bpki_crl = crl)], cb = lambda ignored: cb())
+
+last_rcynic_run = None
+
+def run_rcynic():
+ """
+ Run rcynic to see whether what was published makes sense.
+ """
+ rpki.log.info("Running rcynic")
+ env = os.environ.copy()
+ env["TZ"] = ""
+ global last_rcynic_run
+ if int(time.time()) == last_rcynic_run:
+ time.sleep(1)
+ subprocess.check_call((prog_rcynic, "-c", rcynic_name + ".conf"), env = env)
+ subprocess.call(rcynic_stats, shell = True, env = env)
+ last_rcynic_run = int(time.time())
+ os.link("%s.xml" % rcynic_name, "%s.%s.xml" % (rcynic_name, last_rcynic_run))
+
+def mangle_sql(filename):
+ """
+ Mangle an SQL file into a sequence of SQL statements.
+ """
+ words = []
+ f = open(filename)
+ for line in f:
+ words.extend(line.partition("--")[0].split())
+ f.close()
+ return " ".join(words).strip(";").split(";")
+
+bpki_cert_fmt_1 = '''\
+[req]
+distinguished_name = req_dn
+x509_extensions = req_x509_ext
+prompt = no
+default_md = sha256
+
+[req_dn]
+CN = Test Certificate %(name)s %(kind)s
+
+[req_x509_ext]
+basicConstraints = critical,CA:%(ca)s
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+
+[ca]
+default_ca = ca_default
+
+[ca_default]
+
+certificate = %(name)s-%(kind)s.cer
+serial = %(name)s-%(kind)s.srl
+private_key = %(name)s-%(kind)s.key
+database = %(name)s-%(kind)s.idx
+crlnumber = %(name)s-%(kind)s.cnm
+default_crl_days = 30
+default_md = sha256
+'''
+
+bpki_cert_fmt_2 = '''\
+%(openssl)s genrsa -out %(name)s-%(kind)s.key 2048 &&
+'''
+
+bpki_cert_fmt_3 = '''\
+%(openssl)s req -new \
+ -sha256 \
+ -key %(name)s-%(kind)s.key \
+ -out %(name)s-%(kind)s.req \
+ -config %(name)s-%(kind)s.conf &&
+touch %(name)s-%(kind)s.idx &&
+echo >%(name)s-%(kind)s.cnm 01 &&
+'''
+
+bpki_cert_fmt_4 = '''\
+%(openssl)s x509 -req -sha256 \
+ -in %(name)s-TA.req \
+ -out %(name)s-TA.cer \
+ -extfile %(name)s-TA.conf \
+ -extensions req_x509_ext \
+ -signkey %(name)s-TA.key \
+ -days 60 -text \
+'''
+
+bpki_cert_fmt_5 = ''' && \
+%(openssl)s x509 -req \
+ -sha256 \
+ -in %(name)s-%(kind)s.req \
+ -out %(name)s-%(kind)s.cer \
+ -extfile %(name)s-%(kind)s.conf \
+ -extensions req_x509_ext \
+ -days 30 \
+ -text \
+ -CA %(name)s-TA.cer \
+ -CAkey %(name)s-TA.key \
+ -CAcreateserial \
+'''
+
+bpki_cert_fmt_6 = ''' && \
+%(openssl)s ca -batch \
+ -gencrl \
+ -out %(name)s-%(kind)s.crl \
+ -config %(name)s-%(kind)s.conf \
+'''
+
+yaml_fmt_1 = '''---
+version: 1
+posturl: http://localhost:%(http_port)s/up-down/%(parent_name)s/%(my_name)s
+recipient-id: "%(parent_name)s"
+sender-id: "%(my_name)s"
+
+cms-cert-file: %(my_name)s-RPKI.cer
+cms-key-file: %(my_name)s-RPKI.key
+cms-ca-cert-file: %(my_name)s-TA.cer
+cms-crl-file: %(my_name)s-TA.crl
+cms-ca-certs-file:
+ - %(my_name)s-TA-%(parent_name)s-SELF.cer
+
+ssl-cert-file: %(my_name)s-RPKI.cer
+ssl-key-file: %(my_name)s-RPKI.key
+ssl-ca-cert-file: %(my_name)s-TA.cer
+ssl-ca-certs-file:
+ - %(my_name)s-TA-%(parent_host)s-TA.cer
+
+# We're cheating here by hardwiring the class name
+
+requests:
+ list:
+ type: list
+ issue:
+ type: issue
+ class: %(class_name)s
+ sia:
+ - %(sia)s
+ cert-request-key-file: %(my_name)s.key
+ revoke:
+ type: revoke
+ class: %(class_name)s
+ ski: %(ski)s
+'''
+
+conf_fmt_1 = '''\
+
+[irdbd]
+
+startup-message = This is %(my_name)s irdbd
+
+sql-database = %(irdb_db_name)s
+sql-username = irdb
+sql-password = %(irdb_db_pass)s
+bpki-ta = %(my_name)s-TA.cer
+rpkid-cert = %(my_name)s-RPKI.cer
+irdbd-cert = %(my_name)s-IRDB.cer
+irdbd-key = %(my_name)s-IRDB.key
+http-url = http://localhost:%(irdb_port)d/
+enable_tracebacks = yes
+
+[irbe_cli]
+
+rpkid-bpki-ta = %(my_name)s-TA.cer
+rpkid-cert = %(my_name)s-RPKI.cer
+rpkid-irbe-cert = %(my_name)s-IRBE.cer
+rpkid-irbe-key = %(my_name)s-IRBE.key
+rpkid-url = http://localhost:%(rpki_port)d/left-right
+enable_tracebacks = yes
+
+[rpkid]
+
+startup-message = This is %(my_name)s rpkid
+
+sql-database = %(rpki_db_name)s
+sql-username = rpki
+sql-password = %(rpki_db_pass)s
+
+bpki-ta = %(my_name)s-TA.cer
+rpkid-key = %(my_name)s-RPKI.key
+rpkid-cert = %(my_name)s-RPKI.cer
+irdb-cert = %(my_name)s-IRDB.cer
+irbe-cert = %(my_name)s-IRBE.cer
+
+irdb-url = http://localhost:%(irdb_port)d/
+
+server-host = localhost
+server-port = %(rpki_port)d
+
+use-internal-cron = false
+enable_tracebacks = yes
+'''
+
+rootd_fmt_1 = '''\
+
+[rootd]
+
+bpki-ta = %(rootd_name)s-TA.cer
+rootd-bpki-cert = %(rootd_name)s-RPKI.cer
+rootd-bpki-key = %(rootd_name)s-RPKI.key
+rootd-bpki-crl = %(rootd_name)s-TA.crl
+child-bpki-cert = %(rootd_name)s-TA-%(rpkid_name)s-SELF.cer
+
+server-port = %(rootd_port)s
+
+rpki-root-dir = %(rsyncd_dir)sroot
+rpki-base-uri = %(rootd_sia)sroot/
+rpki-root-cert-uri = %(rootd_sia)sroot.cer
+
+rpki-root-key = root.key
+rpki-root-cert = root.cer
+
+rpki-subject-pkcs10 = %(rootd_name)s.subject.pkcs10
+rpki-subject-lifetime = %(lifetime)s
+
+rpki-root-crl = root.crl
+rpki-root-manifest = root.mft
+
+rpki-class-name = trunk
+rpki-subject-cert = trunk.cer
+
+include-bpki-crl = yes
+enable_tracebacks = yes
+
+[req]
+default_bits = 2048
+encrypt_key = no
+distinguished_name = req_dn
+prompt = no
+default_md = sha256
+default_days = 60
+
+[req_dn]
+CN = Completely Bogus Test Root (NOT FOR PRODUCTION USE)
+
+[req_x509_ext]
+basicConstraints = critical,CA:true
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+[req_x509_rpki_ext]
+basicConstraints = critical,CA:true
+subjectKeyIdentifier = hash
+keyUsage = critical,keyCertSign,cRLSign
+subjectInfoAccess = @sia
+sbgp-autonomousSysNum = critical,AS:0-4294967295
+sbgp-ipAddrBlock = critical,IPv4:0.0.0.0/0,IPv6:0::/0
+certificatePolicies = critical, @rpki_certificate_policy
+
+[sia]
+
+1.3.6.1.5.5.7.48.5;URI = %(rootd_sia)sroot/
+1.3.6.1.5.5.7.48.10;URI = %(rootd_sia)sroot/root.mft
+
+[rpki_certificate_policy]
+
+policyIdentifier = 1.3.6.1.5.5.7.14.2
+'''
+
+rootd_fmt_2 = '''\
+%(openssl)s genrsa -out root.key 2048 &&
+'''
+
+rootd_fmt_3 = '''\
+echo >%(rootd_name)s.tal %(rootd_sia)sroot.cer &&
+echo >>%(rootd_name)s.tal &&
+%(openssl)s rsa -pubout -in root.key |
+awk '!/-----(BEGIN|END)/' >>%(rootd_name)s.tal &&
+%(openssl)s req -new -text -sha256 \
+ -key root.key \
+ -out %(rootd_name)s.req \
+ -config %(rootd_name)s.conf \
+ -extensions req_x509_rpki_ext &&
+%(openssl)s x509 -req -sha256 \
+ -in %(rootd_name)s.req \
+ -out root.cer \
+ -outform DER \
+ -extfile %(rootd_name)s.conf \
+ -extensions req_x509_rpki_ext \
+ -signkey root.key &&
+ln -f root.cer %(rsyncd_dir)s
+'''
+
+rcynic_fmt_1 = '''\
+[rcynic]
+xml-summary = %(rcynic_name)s.xml
+jitter = 0
+use-links = yes
+use-syslog = no
+use-stderr = yes
+log-level = log_debug
+trust-anchor-locator = %(rootd_name)s.tal
+'''
+
+rsyncd_fmt_1 = '''\
+port = %(rsyncd_port)d
+address = localhost
+
+[%(rsyncd_module)s]
+read only = yes
+transfer logging = yes
+use chroot = no
+path = %(rsyncd_dir)s
+comment = RPKI test
+'''
+
+pubd_fmt_1 = '''\
+[pubd]
+
+sql-database = %(pubd_db_name)s
+sql-username = %(pubd_db_user)s
+sql-password = %(pubd_db_pass)s
+bpki-ta = %(pubd_name)s-TA.cer
+pubd-cert = %(pubd_name)s-PUBD.cer
+pubd-key = %(pubd_name)s-PUBD.key
+irbe-cert = %(pubd_name)s-IRBE.cer
+server-host = localhost
+server-port = %(pubd_port)d
+publication-base = %(pubd_dir)s
+enable_tracebacks = yes
+'''
+
+main()
diff --git a/ca/tests/smoketest.setup.sql b/ca/tests/smoketest.setup.sql
new file mode 100644
index 00000000..326988f1
--- /dev/null
+++ b/ca/tests/smoketest.setup.sql
@@ -0,0 +1,112 @@
+-- $Id$
+--
+-- Run this manually under the MySQL CLI to set up databases for testdb.py.
+-- testdb.py doesn't do this automatically because it requires privileges
+-- that smoketest.py doesn't (or at least shouldn't) have.
+
+-- Copyright (C) 2009 Internet Systems Consortium ("ISC")
+--
+-- Permission to use, copy, modify, and distribute this software for any
+-- purpose with or without fee is hereby granted, provided that the above
+-- copyright notice and this permission notice appear in all copies.
+--
+-- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+-- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+-- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+-- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+-- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+-- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+-- PERFORMANCE OF THIS SOFTWARE.
+--
+-- Portions copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+--
+-- Permission to use, copy, modify, and distribute this software for any
+-- purpose with or without fee is hereby granted, provided that the above
+-- copyright notice and this permission notice appear in all copies.
+--
+-- THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+-- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+-- AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+-- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+-- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+-- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+-- PERFORMANCE OF THIS SOFTWARE.
+
+
+CREATE DATABASE irdb0;
+CREATE DATABASE irdb1;
+CREATE DATABASE irdb2;
+CREATE DATABASE irdb3;
+CREATE DATABASE irdb4;
+CREATE DATABASE irdb5;
+CREATE DATABASE irdb6;
+CREATE DATABASE irdb7;
+CREATE DATABASE irdb8;
+CREATE DATABASE irdb9;
+CREATE DATABASE irdb10;
+CREATE DATABASE irdb11;
+
+CREATE DATABASE rpki0;
+CREATE DATABASE rpki1;
+CREATE DATABASE rpki2;
+CREATE DATABASE rpki3;
+CREATE DATABASE rpki4;
+CREATE DATABASE rpki5;
+CREATE DATABASE rpki6;
+CREATE DATABASE rpki7;
+CREATE DATABASE rpki8;
+CREATE DATABASE rpki9;
+CREATE DATABASE rpki10;
+CREATE DATABASE rpki11;
+
+CREATE DATABASE pubd0;
+CREATE DATABASE pubd1;
+CREATE DATABASE pubd2;
+CREATE DATABASE pubd3;
+CREATE DATABASE pubd4;
+CREATE DATABASE pubd5;
+CREATE DATABASE pubd6;
+CREATE DATABASE pubd7;
+CREATE DATABASE pubd8;
+CREATE DATABASE pubd9;
+CREATE DATABASE pubd10;
+CREATE DATABASE pubd11;
+
+GRANT ALL ON irdb0.* TO irdb@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON irdb1.* TO irdb@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON irdb2.* TO irdb@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON irdb3.* TO irdb@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON irdb4.* TO irdb@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON irdb5.* TO irdb@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON irdb6.* TO irdb@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON irdb7.* TO irdb@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON irdb8.* TO irdb@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON irdb9.* TO irdb@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON irdb10.* TO irdb@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON irdb11.* TO irdb@localhost IDENTIFIED BY 'fnord';
+
+GRANT ALL ON rpki0.* TO rpki@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON rpki1.* TO rpki@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON rpki2.* TO rpki@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON rpki3.* TO rpki@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON rpki4.* TO rpki@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON rpki5.* TO rpki@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON rpki6.* TO rpki@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON rpki7.* TO rpki@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON rpki8.* TO rpki@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON rpki9.* TO rpki@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON rpki10.* TO rpki@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON rpki11.* TO rpki@localhost IDENTIFIED BY 'fnord';
+
+GRANT ALL ON pubd0.* TO pubd@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON pubd1.* TO pubd@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON pubd2.* TO pubd@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON pubd3.* TO pubd@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON pubd4.* TO pubd@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON pubd5.* TO pubd@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON pubd6.* TO pubd@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON pubd7.* TO pubd@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON pubd8.* TO pubd@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON pubd9.* TO pubd@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON pubd10.* TO pubd@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON pubd11.* TO pubd@localhost IDENTIFIED BY 'fnord';
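Review bot: The header comment says this script sets up databases for `testdb.py`, while the very next sentence (and the file name) refer to smoketest.py, so the first line should read `-- Run this manually under the MySQL CLI to set up databases for smoketest.py.` The script also creates three accounts sharing the literal password `'fnord'` with ALL privileges on 36 databases, and the same default is hard-coded in ca/tests/sql-cleaner.py and sql-dumper.py; that is acceptable for a throwaway test instance but should be stated up front, e.g. `-- Test fixture only: weak shared password and broad grants, never load into a MySQL server that holds real data.` Note too that newer MySQL releases no longer accept `IDENTIFIED BY` inside `GRANT`, so a separate `CREATE USER` would be needed there; whether the project targets such a version is not visible here.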
diff --git a/ca/tests/split-protocol-samples.xsl b/ca/tests/split-protocol-samples.xsl
new file mode 100644
index 00000000..8800b6da
--- /dev/null
+++ b/ca/tests/split-protocol-samples.xsl
@@ -0,0 +1,40 @@
+<!-- -*- SGML -*-
+ - $Id$
+ -
+ - Copyright (C) 2007-2008 American Registry for Internet Numbers ("ARIN")
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+ -->
+
+<xsl:transform xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0"
+ xmlns:exsl="http://exslt.org/common"
+ extension-element-prefixes="exsl">
+
+ <xsl:param name="dir">.</xsl:param>
+ <xsl:param name="verbose" select="1"/>
+
+ <xsl:strip-space elements="*"/>
+
+ <xsl:template match="/completely_gratuitous_wrapper_element_to_let_me_run_this_through_xmllint">
+ <xsl:for-each select="*">
+ <xsl:variable name="filename" select="concat($dir, '/pdu.', format-number(position(), '000'), '.xml')"/>
+ <xsl:if test="$verbose">
+ <xsl:message><xsl:text>Writing </xsl:text><xsl:value-of select="$filename"/></xsl:message>
+ </xsl:if>
+ <exsl:document href="{$filename}" indent="yes" encoding="US-ASCII">
+ <xsl:comment>Automatically generated, do not edit.</xsl:comment>
+ <xsl:copy-of select="." />
+ </exsl:document>
+ </xsl:for-each>
+ </xsl:template>
+</xsl:transform>
diff --git a/ca/tests/sql-cleaner.py b/ca/tests/sql-cleaner.py
new file mode 100644
index 00000000..c5b25ac2
--- /dev/null
+++ b/ca/tests/sql-cleaner.py
@@ -0,0 +1,61 @@
+# $Id$
+#
+# Copyright (C) 2009--2012 Internet Systems Consortium ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+"""
+(Re)Initialize SQL tables used by these programs.
+"""
+
+import rpki.config
+import rpki.sql_schemas
+from rpki.mysql_import import MySQLdb
+
+cfg = rpki.config.parser(None, "yamltest", allow_missing = True)
+
+for name in ("rpkid", "irdbd", "pubd"):
+
+ username = cfg.get("%s_sql_username" % name, name[:4])
+ password = cfg.get("%s_sql_password" % name, "fnord")
+
+ schema = []
+ for line in getattr(rpki.sql_schemas, name, "").splitlines():
+ schema.extend(line.partition("--")[0].split())
+ schema = " ".join(schema).strip(";").split(";")
+ schema = [statement.strip() for statement in schema if statement and "DROP TABLE" not in statement]
+
+ db = MySQLdb.connect(user = username, passwd = password)
+ cur = db.cursor()
+
+ cur.execute("SHOW DATABASES")
+
+ databases = [r[0] for r in cur.fetchall() if r[0][:4] == name[:4] and r[0][4:].isdigit()]
+
+ for database in databases:
+
+ cur.execute("USE " + database)
+
+ cur.execute("SHOW TABLES")
+ tables = [r[0] for r in cur.fetchall()]
+
+ cur.execute("SET foreign_key_checks = 0")
+ for table in tables:
+ cur.execute("DROP TABLE %s" % table)
+ cur.execute("SET foreign_key_checks = 1")
+
+ for statement in schema:
+ cur.execute(statement)
+
+ cur.close()
+ db.close()
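Review bot: The `USE` and `DROP TABLE` statements are built by plain string concatenation of identifiers taken from `SHOW DATABASES`/`SHOW TABLES`, and the database filter on the `SHOW DATABASES` result keeps any database whose name is the four-letter prefix followed by digits, so a database such as `rpki1` that the account happens to be able to see is emptied with `foreign_key_checks` off even if it is not part of the smoketest set. Identifiers should at least be backtick-quoted (doubling any embedded backtick) before interpolation, and the destructive loop should be restricted to the databases smoketest actually configured rather than a name pattern; the default password `"fnord"` duplicates the fixture in smoketest.setup.sql and the script cannot tell a test server from a production one. The cursor and connection are also not closed if any statement raises, so wrapping the per-database work in `try`/`finally` (or `contextlib.closing`) would be tidier.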
diff --git a/ca/tests/sql-dumper.py b/ca/tests/sql-dumper.py
new file mode 100644
index 00000000..f4a7681d
--- /dev/null
+++ b/ca/tests/sql-dumper.py
@@ -0,0 +1,43 @@
+# $Id$
+#
+# Copyright (C) 2009--2012 Internet Systems Consortium ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+"""
+Dump backup copies of SQL tables used by these programs.
+"""
+
+import subprocess
+import rpki.config
+from rpki.mysql_import import MySQLdb
+
+cfg = rpki.config.parser(None, "yamltest", allow_missing = True)
+
+for name in ("rpkid", "irdbd", "pubd"):
+
+ username = cfg.get("%s_sql_username" % name, name[:4])
+ password = cfg.get("%s_sql_password" % name, "fnord")
+
+ cmd = ["mysqldump", "-u", username, "-p" + password, "--databases"]
+
+ db = MySQLdb.connect(user = username, passwd = password)
+ cur = db.cursor()
+
+ cur.execute("SHOW DATABASES")
+ cmd.extend(r[0] for r in cur.fetchall() if r[0][:4] == name[:4] and r[0][4:].isdigit())
+
+ cur.close()
+ db.close()
+
+ subprocess.check_call(cmd, stdout = open("backup.%s.sql" % name, "w"))
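Review bot: The MySQL password is passed on the mysqldump command line as `"-p" + password`, so for the whole duration of the dump it is readable by every local user through `ps` or `/proc/*/cmdline`. Pass it through the environment instead: drop the `-p` element from `cmd`, add `import os`, and call `subprocess.check_call(cmd, stdout = out, env = dict(os.environ, MYSQL_PWD = password))`. The output file opened inline in that call is never closed and is created with the process's default umask even though it contains a complete copy of the database, so open it in a `with open("backup.%s.sql" % name, "w") as out:` block and consider creating it with mode 0600 (e.g. via `os.open` with `os.O_WRONLY | os.O_CREAT`, 0o600).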
diff --git a/ca/tests/testpoke.py b/ca/tests/testpoke.py
new file mode 100644
index 00000000..fd5ab206
--- /dev/null
+++ b/ca/tests/testpoke.py
@@ -0,0 +1,152 @@
+# $Id$
+#
+# Copyright (C) 2014 Dragon Research Labs ("DRL")
+# Portions copyright (C) 2009--2012 Internet Systems Consortium ("ISC")
+# Portions copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notices and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND DRL, ISC, AND ARIN DISCLAIM ALL
+# WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DRL,
+# ISC, OR ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+# CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+# OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+"""
+Trivial RPKI up-down protocol client, for testing.
+
+Configuration file is YAML to be compatable with APNIC rpki_poke.pl tool.
+"""
+
+import os
+import time
+import argparse
+import sys
+import yaml
+import rpki.resource_set
+import rpki.up_down
+import rpki.left_right
+import rpki.x509
+import rpki.http
+import rpki.config
+import rpki.exceptions
+import rpki.relaxng
+import rpki.log
+import rpki.async
+
+os.environ["TZ"] = "UTC"
+time.tzset()
+
+parser = argparse.ArgumentParser(description = __doc__)
+parser.add_argument("-y", "--yaml", required = True, type = argparse.FileType("r"),
+ help = "configuration file")
+parser.add_argument("-r", "--request",
+ help = "request name")
+parser.add_argument("-d", "--debug",
+ help = "enable debugging")
+args = parser.parse_args()
+
+rpki.log.init("testpoke")
+
+if args.debug:
+ rpki.log.set_trace(True)
+
+yaml_data = yaml.load(args.yaml)
+
+yaml_cmd = args.request
+
+if yaml_cmd is None and len(yaml_data["requests"]) == 1:
+ yaml_cmd = yaml_data["requests"].keys()[0]
+
+yaml_req = yaml_data["requests"][yaml_cmd]
+
+def get_PEM(name, cls, y = yaml_data):
+ if name in y:
+ return cls(PEM = y[name])
+ if name + "-file" in y:
+ return cls(PEM_file = y[name + "-file"])
+ return None
+
+def get_PEM_chain(name, cert = None):
+ chain = []
+ if cert is not None:
+ chain.append(cert)
+ if name in yaml_data:
+ chain.extend([rpki.x509.X509(PEM = x) for x in yaml_data[name]])
+ elif name + "-file" in yaml_data:
+ chain.extend([rpki.x509.X509(PEM_file = x) for x in yaml_data[name + "-file"]])
+ return chain
+
+def query_up_down(q_pdu):
+ q_msg = rpki.up_down.message_pdu.make_query(
+ payload = q_pdu,
+ sender = yaml_data["sender-id"],
+ recipient = yaml_data["recipient-id"])
+ q_der = rpki.up_down.cms_msg().wrap(q_msg, cms_key, cms_certs, cms_crl)
+
+ def done(r_der):
+ global last_cms_timestamp
+ r_cms = rpki.up_down.cms_msg(DER = r_der)
+ r_msg = r_cms.unwrap([cms_ta] + cms_ca_certs)
+ last_cms_timestamp = r_cms.check_replay(last_cms_timestamp)
+ print r_cms.pretty_print_content()
+ try:
+ r_msg.payload.check_response()
+ except (rpki.async.ExitNow, SystemExit):
+ raise
+ except Exception, e:
+ fail(e)
+
+ rpki.http.want_persistent_client = False
+
+ rpki.http.client(
+ msg = q_der,
+ url = yaml_data["posturl"],
+ callback = done,
+ errback = fail)
+
+def do_list():
+ query_up_down(rpki.up_down.list_pdu())
+
+def do_issue():
+ q_pdu = rpki.up_down.issue_pdu()
+ req_key = get_PEM("cert-request-key", rpki.x509.RSA, yaml_req) or cms_key
+ q_pdu.class_name = yaml_req["class"]
+ q_pdu.pkcs10 = rpki.x509.PKCS10.create(
+ keypair = req_key,
+ is_ca = True,
+ caRepository = yaml_req["sia"][0],
+ rpkiManifest = yaml_req["sia"][0] + req_key.gSKI() + ".mft")
+ query_up_down(q_pdu)
+
+def do_revoke():
+ q_pdu = rpki.up_down.revoke_pdu()
+ q_pdu.class_name = yaml_req["class"]
+ q_pdu.ski = yaml_req["ski"]
+ query_up_down(q_pdu)
+
+dispatch = { "list" : do_list, "issue" : do_issue, "revoke" : do_revoke }
+
+def fail(e): # pylint: disable=W0621
+ rpki.log.traceback(args.debug)
+ sys.exit("Testpoke failed: %s" % e)
+
+cms_ta = get_PEM("cms-ca-cert", rpki.x509.X509)
+cms_cert = get_PEM("cms-cert", rpki.x509.X509)
+cms_key = get_PEM("cms-key", rpki.x509.RSA)
+cms_crl = get_PEM("cms-crl", rpki.x509.CRL)
+cms_certs = get_PEM_chain("cms-cert-chain", cms_cert)
+cms_ca_certs = get_PEM_chain("cms-ca-certs")
+
+last_cms_timestamp = None
+
+try:
+ dispatch[yaml_req["type"]]()
+ rpki.async.event_loop()
+except Exception, e:
+ fail(e)
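Review bot: The configuration is parsed with `yaml.load(args.yaml)`, which uses the full PyYAML loader and will instantiate arbitrary Python objects from `!!python/...` tags found in the file; the script only needs plain mappings, strings and lists, so `yaml_data = yaml.safe_load(args.yaml)` is the right call for a file that may be shared between operators or copied from the APNIC tool. Separately, the `-d/--debug` option is declared without `action = "store_true"`, so it requires a value and a bare `-d` is rejected by argparse; `parser.add_argument("-d", "--debug", action = "store_true", help = "enable debugging")` gives the intended flag. `cms_crl` is `None` when no `cms-crl` key is configured and is passed straight into `cms_msg().wrap()`; whether that is accepted is not visible here and is worth confirming against rpki.up_down.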
diff --git a/ca/tests/testpoke.xsl b/ca/tests/testpoke.xsl
new file mode 100644
index 00000000..91658b0b
--- /dev/null
+++ b/ca/tests/testpoke.xsl
@@ -0,0 +1,78 @@
+<!-- -*- SGML -*-
+ - $Id$
+ -
+ - Copyright (C) 2008 American Registry for Internet Numbers ("ARIN")
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+ -->
+
+<!--
+ - Decoder ring for testpoke.py XML output. Use this to get a
+ - (somewhat) human-readable listing and to put OpenSSL-style
+ - delimiters onto the certificates so that "openssl x509" can read
+ - the result. With a tad more work, we could select just one out of
+ - the set of multiple certificates, or output YAML. For the moment,
+ - I'll settle for being readable by human beings and OpenSSL.
+ -->
+
+<xsl:transform xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0"
+ xmlns:rpkiud="http://www.apnic.net/specs/rescerts/up-down/">
+
+ <xsl:output method="text"/>
+
+ <xsl:param name="show-issuer" select="0"/>
+
+ <xsl:template match="/rpkiud:message[@type = 'list_response']">
+ <xsl:value-of select="concat('[Message]', '&#10;',
+ 'Version: ', @version, '&#10;',
+ 'Sender: ', @sender, '&#10;',
+ 'Recipient: ', @recipient, '&#10;')"/>
+ <xsl:apply-templates select="rpkiud:class"/>
+ </xsl:template>
+
+ <xsl:template match="rpkiud:class">
+ <xsl:value-of select="concat('&#10;',
+ '[Class]', '&#10;',
+ 'Name: ', @class_name, '&#10;',
+ 'Issuer URL: ', @cert_url, '&#10;',
+ 'ASNs: ', @resource_set_as, '&#10;',
+ 'IPv4: ', @resource_set_ipv4, '&#10;',
+ 'IPv6: ', @resource_set_ipv6, '&#10;',
+ 'NotAfter: ', @resource_set_notafter, '&#10;',
+ 'SIA head: ', @suggested_sia_head, '&#10;')"/>
+ <xsl:if test="$show-issuer">
+ <xsl:apply-templates select="rpkiud:issuer"/>
+ </xsl:if>
+ <xsl:apply-templates select="rpkiud:certificate"/>
+ </xsl:template>
+
+ <xsl:template match="rpkiud:certificate">
+ <xsl:value-of select="concat('&#10;',
+ '[Certificate]', '&#10;',
+ 'Subject URL: ', @cert_url, '&#10;',
+ 'Req ASNs: ', @resource_set_as, '&#10;',
+ 'Req IPv4: ', @resource_set_ipv4, '&#10;',
+ 'Req IPv6: ', @resource_set_ipv6, '&#10;')"/>
+ <xsl:call-template name="show-pem"/>
+ </xsl:template>
+
+ <xsl:template match="rpkiud:issuer" name="show-pem">
+ <xsl:text>&#10;</xsl:text>
+ <xsl:text>-----BEGIN CERTIFICATE-----</xsl:text>
+ <xsl:text>&#10;</xsl:text>
+ <xsl:value-of select="text()"/>
+ <xsl:text>-----END CERTIFICATE-----</xsl:text>
+ <xsl:text>&#10;</xsl:text>
+ </xsl:template>
+
+</xsl:transform>
diff --git a/ca/tests/testpoke.yaml b/ca/tests/testpoke.yaml
new file mode 100644
index 00000000..f2b2c618
--- /dev/null
+++ b/ca/tests/testpoke.yaml
@@ -0,0 +1,24 @@
+---
+# $Id$
+
+version: 1
+posturl: http://localhost:4433/up-down/1
+recipient-id: wombat
+sender-id: "1"
+
+cms-cert-file: biz-certs/Frank-EE.cer
+cms-key-file: biz-certs/Frank-EE.key
+cms-ca-cert-file: biz-certs/Bob-Root.cer
+cms-cert-chain-file: [ biz-certs/Frank-CA.cer ]
+
+requests:
+ list:
+ type: list
+ issue:
+ type: issue
+ class: 1
+ sia: [ "rsync://bandicoot.invalid/some/where/" ]
+ revoke:
+ type: revoke
+ class: 1
+ ski: "CB5K6APY-4KcGAW9jaK_cVPXKX0"
diff --git a/ca/tests/up-down-protocol-samples/Makefile b/ca/tests/up-down-protocol-samples/Makefile
new file mode 100644
index 00000000..10ee791a
--- /dev/null
+++ b/ca/tests/up-down-protocol-samples/Makefile
@@ -0,0 +1,11 @@
+XMLLINT = xmllint --noout --relaxng
+JING = java -jar /usr/local/share/java/classes/jing.jar
+SCHEMA = ../up-down-medium-schema.rng
+
+all: jing xmllint
+
+jing:
+ ${JING} ${SCHEMA} *.xml
+
+xmllint:
+ ${XMLLINT} ${SCHEMA} *.xml
diff --git a/ca/tests/up-down-protocol-samples/error_response.xml b/ca/tests/up-down-protocol-samples/error_response.xml
new file mode 100644
index 00000000..83af6649
--- /dev/null
+++ b/ca/tests/up-down-protocol-samples/error_response.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<message xmlns="http://www.apnic.net/specs/rescerts/up-down/"
+ version="1"
+ sender="sender name"
+ recipient="recipient name"
+ type="error_response">
+ <status>2001</status>
+ <description xml:lang="en-US">[Readable text]</description>
+</message>
diff --git a/ca/tests/up-down-protocol-samples/issue1.xml b/ca/tests/up-down-protocol-samples/issue1.xml
new file mode 100644
index 00000000..4b8366f9
--- /dev/null
+++ b/ca/tests/up-down-protocol-samples/issue1.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<message xmlns="http://www.apnic.net/specs/rescerts/up-down/"
+ version="1"
+ sender="sender name"
+ recipient="recipient name"
+ type="issue">
+ <request class_name="class name"
+ req_resource_set_as="64534-64540"
+ req_resource_set_ipv4=""
+ req_resource_set_ipv6="">
+ MIICYTCCAUkCAQAwHDEaMBgGA1UEAxMRVEVTVCBFTlRJVFkgSVNQNWMwggEiMA0G
+ CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDIi6ElZd/uon9Ur1IKGhr6DXWzPOng
+ KdOJIOlRSWcsQ9qgLNREs5YUqQd3YLlvAe+OVKV0rFpn+DBNEPmsn7h1YQv253zq
+ m1yYeks+xOJZQtMZyg9YDrfIgk7lu6z9kuWIsvxkz244OxiD/OemrvuQNtDhyk2Q
+ QQ8POyrADNl7fehQE/YJc4Kj0uO7ggiHf9K7Dg56KLYlArXZUfwzMkdH/89/vO4A
+ AbsFXi4Dmq2VO8rCxodkdDmqWWuu4KdRGgfyjkyOZS/f8pm64LaKT8AgcnmYAI8N
+ UBM90T6Mvdx0qTOoVh0xeHznAp6NChQSbdM3x3rwhBD+/k0olyZuCIWhAgMBAAGg
+ ADANBgkqhkiG9w0BAQUFAAOCAQEAj9bYIVfREySBzUhQSlbNi9kfdXgivC/4A7pn
+ b4sMm081S05u0QLhyh1XNF/L3/U5yVElVHE8xobM/CuAkXpy7N5GSYj2T28Fmn77
+ 1y/xdGg6Jp26OkbrqY3gjQAaMigYg9/6tPAc9fgLiQAJLUUYb2hRqaqu4Ze8RrxU
+ RsnVpAHWYDFWJhNqEp8eErzAVLqxpmoYJKgmpK6TKyYKuf8+xf3Rlkb4+iu2FotR
+ DQrmcd6jmMjp9xLejDEuoPgcfpVP2CB1jUCAIW7yE7+a7vj9Mop1gs61zP8y/p2V
+ rVnXgEy93WZLjQt1D29oKhlcFGtCG4nqIBCDAWVuz/LGACB85w==
+ </request>
+</message>
diff --git a/ca/tests/up-down-protocol-samples/issue2.xml b/ca/tests/up-down-protocol-samples/issue2.xml
new file mode 100644
index 00000000..a991cbcd
--- /dev/null
+++ b/ca/tests/up-down-protocol-samples/issue2.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<message xmlns="http://www.apnic.net/specs/rescerts/up-down/"
+ version="1"
+ sender="sender name"
+ recipient="recipient name"
+ type="issue">
+ <request class_name="class name"
+ req_resource_set_ipv4=""
+ req_resource_set_ipv6="">
+ MIICYTCCAUkCAQAwHDEaMBgGA1UEAxMRVEVTVCBFTlRJVFkgSVNQNWMwggEiMA0G
+ CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDIi6ElZd/uon9Ur1IKGhr6DXWzPOng
+ KdOJIOlRSWcsQ9qgLNREs5YUqQd3YLlvAe+OVKV0rFpn+DBNEPmsn7h1YQv253zq
+ m1yYeks+xOJZQtMZyg9YDrfIgk7lu6z9kuWIsvxkz244OxiD/OemrvuQNtDhyk2Q
+ QQ8POyrADNl7fehQE/YJc4Kj0uO7ggiHf9K7Dg56KLYlArXZUfwzMkdH/89/vO4A
+ AbsFXi4Dmq2VO8rCxodkdDmqWWuu4KdRGgfyjkyOZS/f8pm64LaKT8AgcnmYAI8N
+ UBM90T6Mvdx0qTOoVh0xeHznAp6NChQSbdM3x3rwhBD+/k0olyZuCIWhAgMBAAGg
+ ADANBgkqhkiG9w0BAQUFAAOCAQEAj9bYIVfREySBzUhQSlbNi9kfdXgivC/4A7pn
+ b4sMm081S05u0QLhyh1XNF/L3/U5yVElVHE8xobM/CuAkXpy7N5GSYj2T28Fmn77
+ 1y/xdGg6Jp26OkbrqY3gjQAaMigYg9/6tPAc9fgLiQAJLUUYb2hRqaqu4Ze8RrxU
+ RsnVpAHWYDFWJhNqEp8eErzAVLqxpmoYJKgmpK6TKyYKuf8+xf3Rlkb4+iu2FotR
+ DQrmcd6jmMjp9xLejDEuoPgcfpVP2CB1jUCAIW7yE7+a7vj9Mop1gs61zP8y/p2V
+ rVnXgEy93WZLjQt1D29oKhlcFGtCG4nqIBCDAWVuz/LGACB85w==
+ </request>
+</message>
diff --git a/ca/tests/up-down-protocol-samples/issue_response.xml b/ca/tests/up-down-protocol-samples/issue_response.xml
new file mode 100644
index 00000000..1ee34f62
--- /dev/null
+++ b/ca/tests/up-down-protocol-samples/issue_response.xml
@@ -0,0 +1,117 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<message xmlns="http://www.apnic.net/specs/rescerts/up-down/"
+ version="1"
+ sender="sender name"
+ recipient="recipient name"
+ type="issue_response">
+ <class class_name="ISP5"
+ cert_url="rsync://wombat.example/ISP5"
+ resource_set_as="64534-64540"
+ resource_set_ipv4="10.0.0.0/24,10.3.0.0/24"
+ resource_set_ipv6="2001:db8:0:0:0:0:a00::/120,2001:db8:0:0:0:0:a03::/120"
+ resource_set_notafter="2011-04-01T12:34:56Z"
+ suggested_sia_head="rsync://wombat.example/fnord/">
+ <certificate cert_url="rsync://wombat.example/ISP5a"
+ req_resource_set_as=""
+ req_resource_set_ipv4="10.0.0.0/24"
+ req_resource_set_ipv6="2001:db8:0:0:0:0:a00::/120">
+ MIID3jCCAsagAwIBAgIBAzANBgkqhkiG9w0BAQUFADAbMRkwFwYDVQQDExBURVNU
+ IEVOVElUWSBMSVIzMB4XDTA3MDgwMTE0NDgyMloXDTA4MDczMTE0NDgyMlowHDEa
+ MBgGA1UEAxMRVEVTVCBFTlRJVFkgSVNQNWEwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+ DwAwggEKAoIBAQDmS614KGvmUBtlgdWNK1Z3zbvJR6CqMrAsrB/x5JArwjNv51Ox
+ 0B2rBSedt6HuqE/IWzYj4xLkUVknzf16qtxWBaFzq3ndPIKyj6757MA2OOYCqv2J
+ YCFSW7YzgHXlf/2sbuzUmiYvfihFFilHffOKctXkZfr0VG+uSDNiwTLxK4MzNmNg
+ nrzH55ldUdrNL4+DRyCe6cyjcsByvUktxFLqb9pCRnGQx69/n8fdC5aWPEWfwOpl
+ akPj85LV4XPAbiD1F+XRWNohs+kMTfDovXy374HJ9XDPqCB94mr5G2apyHHWMvhy
+ PYOZGQ0Ma+n4ks0zF4ZqPa8NBZSrHNQspEXLAgMBAAGjggEqMIIBJjAPBgNVHRMB
+ Af8EBTADAQH/MB0GA1UdDgQWBBQJ8BQLefsL/6jvVLnsPrmL0Muc7DAfBgNVHSME
+ GDAWgBSYvgT/gNGrlTmqPfIOZ30AraP9xTAOBgNVHQ8BAf8EBAMCAQYwQgYIKwYB
+ BQUHAQsENjA0MDIGCCsGAQUFBzAFhiZyc3luYzovL3dvbWJhdHMtci11cy5oYWN0
+ cm4ubmV0L0lTUDVhLzBEBggrBgEFBQcBAQQ4MDYwNAYIKwYBBQUHMAKGKHJzeW5j
+ Oi8vd29tYmF0cy1yLXVzLmhhY3Rybi5uZXQvTElSMy5jZXIwOQYIKwYBBQUHAQcB
+ Af8EKjAoMAwEAgABMAYDBAAKAAAwGAQCAAIwEgMQACABDbgAAAAAAAAAAAoAADAN
+ BgkqhkiG9w0BAQUFAAOCAQEAkzKZYt3F6vAfWFAQN9M5N9n2klEmL9b9b4K4Vmv9
+ DPNCBFbtZytCAphWB/FILS60MrvXHCcUoOmtOx3+Cw5D3yKX8Y9z2HbWmw2/7iDo
+ dxejgwGzI0OFa79vzC5pRwVz9CFFlMiuIShBFpHuSElmWmcxcQTJSXGU1fSGXHvG
+ Pv6RHSGzFJhUrW5RKOmoIrqk0JyM49R8IRAM+aMA+MOfALRTNAavW0pDlcuy+4wY
+ AIYRKF4k4ZDYZ9gA/LYnH56xvpEXwRE1bpxgUC5n8wQrdIn5/pJz3R5EgWe4CGOo
+ n/SMvEfe8d+LEc0C7LmtCwYoDOKENoOF809GVkbV9fjL8w==
+ </certificate>
+ <certificate cert_url="rsync://wombat.example/ISP5b"
+ req_resource_set_as=""
+ req_resource_set_ipv4="10.3.0.0/24"
+ req_resource_set_ipv6="2001:db8:0:0:0:0:a03::/120">
+ MIID3jCCAsagAwIBAgIBAjANBgkqhkiG9w0BAQUFADAbMRkwFwYDVQQDExBURVNU
+ IEVOVElUWSBMSVIzMB4XDTA3MDgwMTE0NDgyMFoXDTA4MDczMTE0NDgyMFowHDEa
+ MBgGA1UEAxMRVEVTVCBFTlRJVFkgSVNQNWIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+ DwAwggEKAoIBAQC/j1nY/PodBHApznsBZCFA3FxD/kyviMhim76cco+KpTSKOyON
+ m4pPv2asaHGc/WhZ9b+fTS611uP6vfNgU1y3EayVC8CHzZmelFeN7AW436r8jjjT
+ D2VtCWDy4ZiBcthRPkGRsxCV9fXQ+eVcoYX6cSaF49FMAn8U4h5KipZontYWpe+t
+ tYNizSN0fIJWtNE0U1qKemGfrlRb7/lW3odrQpK8SfS1wzUHShhH0pLGHBZ0dLHp
+ OTxTEgWd69ycciuXTSchd5Z9TM55DPunuJlrZiAuVpxEtONegMR9eKG0BfcgfSYe
+ RL9daRU8eiRnvbm1CA8zTa87Lee5qx0r1vtzAgMBAAGjggEqMIIBJjAPBgNVHRMB
+ Af8EBTADAQH/MB0GA1UdDgQWBBRss2WU/safSlCdTYtAGqH9lxeXkjAfBgNVHSME
+ GDAWgBSYvgT/gNGrlTmqPfIOZ30AraP9xTAOBgNVHQ8BAf8EBAMCAQYwQgYIKwYB
+ BQUHAQsENjA0MDIGCCsGAQUFBzAFhiZyc3luYzovL3dvbWJhdHMtci11cy5oYWN0
+ cm4ubmV0L0lTUDViLzBEBggrBgEFBQcBAQQ4MDYwNAYIKwYBBQUHMAKGKHJzeW5j
+ Oi8vd29tYmF0cy1yLXVzLmhhY3Rybi5uZXQvTElSMy5jZXIwOQYIKwYBBQUHAQcB
+ Af8EKjAoMAwEAgABMAYDBAAKAwAwGAQCAAIwEgMQACABDbgAAAAAAAAAAAoDADAN
+ BgkqhkiG9w0BAQUFAAOCAQEARNgVrXF+6W7sMytC7YyKSt+CpJGZV7AvzKNZKv8k
+ xazhefrXkrpyK0caz4BtCHbptZFgNR/dDOC9M3wn0PcRTh9ISgW8beNfut16uj1F
+ fZdylJvNMXa4lt/wfRbzKqPicusCH0nutkRIW2mZuLuAO8v1vKr4umgZU+z/rXWu
+ glEA7OeBwmvPoqKixbgER5GtnTNySKIVVa1DUo/2CaPT/YjT48P0zXHoy6rnNgcn
+ 2emkoegzzS2cN+5I5I+O8IRnZInqmiPgEgElgEFw+rg6xw23yax5Nyqx12J56tt0
+ tPWGhrYe1dCwKZajWKn3P9+NMcGQ0d8bw/QU+B3RyVeVfw==
+ </certificate>
+ <certificate cert_url="rsync://wombat.example/ISP5c"
+ req_resource_set_as="64534-64540"
+ req_resource_set_ipv4=""
+ req_resource_set_ipv6="">
+ MIIDxjCCAq6gAwIBAgIBATANBgkqhkiG9w0BAQUFADAbMRkwFwYDVQQDExBURVNU
+ IEVOVElUWSBMSVIzMB4XDTA3MDgwMTE0NDgxOFoXDTA4MDczMTE0NDgxOFowHDEa
+ MBgGA1UEAxMRVEVTVCBFTlRJVFkgSVNQNWMwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+ DwAwggEKAoIBAQDIi6ElZd/uon9Ur1IKGhr6DXWzPOngKdOJIOlRSWcsQ9qgLNRE
+ s5YUqQd3YLlvAe+OVKV0rFpn+DBNEPmsn7h1YQv253zqm1yYeks+xOJZQtMZyg9Y
+ DrfIgk7lu6z9kuWIsvxkz244OxiD/OemrvuQNtDhyk2QQQ8POyrADNl7fehQE/YJ
+ c4Kj0uO7ggiHf9K7Dg56KLYlArXZUfwzMkdH/89/vO4AAbsFXi4Dmq2VO8rCxodk
+ dDmqWWuu4KdRGgfyjkyOZS/f8pm64LaKT8AgcnmYAI8NUBM90T6Mvdx0qTOoVh0x
+ eHznAp6NChQSbdM3x3rwhBD+/k0olyZuCIWhAgMBAAGjggESMIIBDjAPBgNVHRMB
+ Af8EBTADAQH/MB0GA1UdDgQWBBQth8Ga+FgrvcL4fjBHs6mIN8nrRjAfBgNVHSME
+ GDAWgBSYvgT/gNGrlTmqPfIOZ30AraP9xTAOBgNVHQ8BAf8EBAMCAQYwQgYIKwYB
+ BQUHAQsENjA0MDIGCCsGAQUFBzAFhiZyc3luYzovL3dvbWJhdHMtci11cy5oYWN0
+ cm4ubmV0L0lTUDVjLzBEBggrBgEFBQcBAQQ4MDYwNAYIKwYBBQUHMAKGKHJzeW5j
+ Oi8vd29tYmF0cy1yLXVzLmhhY3Rybi5uZXQvTElSMy5jZXIwIQYIKwYBBQUHAQgB
+ Af8EEjAQoA4wDDAKAgMA/BYCAwD8HDANBgkqhkiG9w0BAQUFAAOCAQEAUGsbhHfl
+ kwhe3EIkhnARJPgRkWgPCJtJ9konhROT7VlJ0Pim0kSrJWlBWUCLeKvSjQmowP4g
+ SddHxN4ZoXnSjb0pCDeomrZeViVQ2hxH6L/tHkl5SIEHl9MvFOe8junvgpq9GGAI
+ CFcibkW7Gp9p4A+GQkns0l9v+wGwuVZmqmJk4YBo7hHZRbg6/IFL1MD3HKeXmn33
+ lCwFhjUuDIMXRbY/1k5fui13QUolN7mLSk60NvXJ94Tga68c1eCIpapvhxAYw69G
+ 7mOX42aYu1FnidZNj7Lt9jOuW0REHlavrG17HxP5loTuCNtLH1ZIrJcO7rUz9C0D
+ YqMybYWFUqZHyg==
+ </certificate>
+ <issuer>
+ MIIEFTCCAv2gAwIBAgIBDjANBgkqhkiG9w0BAQUFADAaMRgwFgYDVQQDEw9URVNU
+ IEVOVElUWSBSSVIwHhcNMDcwODAxMTQ0ODE4WhcNMDgwNzMxMTQ0ODE4WjAbMRkw
+ FwYDVQQDExBURVNUIEVOVElUWSBMSVIzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+ MIIBCgKCAQEAoyFXYWSvERjUy96m3K3ZLA8PWJ9+yIVVESZMfPBraBqeagyP5tw9
+ g1gqzHesGXNvWvNuJKzNGtwdC0xE9W2LChc9hvno/uZg5Z9AauWU6JpWFxccq8GM
+ N0ArVb8sXtyNyiV/il/u+xaG6+AI0ybl43DFDGv7G49rXPbiSlilNQHqBRs+zoS+
+ tT9tGBZLaOV5TIh9tqVlozrCMtytj4oF7vbpeoDaEqkPWrXS0zGsPtMZJS0o3nls
+ zv13ZtXjL6nL+YWMILuihiPwk5UgBHjHxwem/vD0RbvPeCvdzpwIpUZoEEzXBWJs
+ hlotfwY4wk27RIcAQ3nSj/NrsvRcHLloAQIDAQABo4IBYzCCAV8wDwYDVR0TAQH/
+ BAUwAwEB/zAdBgNVHQ4EFgQUmL4E/4DRq5U5qj3yDmd9AK2j/cUwHwYDVR0jBBgw
+ FoAU+7inozZICqCf8C7ci2i8s1xFJdcwDgYDVR0PAQH/BAQDAgEGMEEGCCsGAQUF
+ BwELBDUwMzAxBggrBgEFBQcwBYYlcnN5bmM6Ly93b21iYXRzLXItdXMuaGFjdHJu
+ Lm5ldC9MSVIzLzBDBggrBgEFBQcBAQQ3MDUwMwYIKwYBBQUHMAKGJ3JzeW5jOi8v
+ d29tYmF0cy1yLXVzLmhhY3Rybi5uZXQvUklSLmNlcjAhBggrBgEFBQcBCAEB/wQS
+ MBCgDjAMMAoCAwD8FgIDAPwcMFEGCCsGAQUFBwEHAQH/BEIwQDASBAIAATAMAwQA
+ CgAAAwQACgMAMCoEAgACMCQDEAAgAQ24AAAAAAAAAAAKAAADEAAgAQ24AAAAAAAA
+ AAAKAwAwDQYJKoZIhvcNAQEFBQADggEBAEhmCa7kUuozB6aST0Gd2XStJBcR1oWI
+ 8mZS5WEOjnjbVvuryDEb0fLs3x2HgCHZgZ7IAOg31cNxJpc1Ff6ZYEG+m3LpkcG/
+ yOMllfOVK8RQSY+nKuya2fm2J3dCOKogEjBW20HwxNd1WgFLrDaOTR9V+iROBPKs
+ 3ppMPp6ksPqEqDU/3N3bLHROIISlFwWHilXuTK5ZAnzncDIQnm+zUuxI/0d3v6Fp
+ 8VxVlNBHqzo0VpakZOkxwqo01qJRsoxVaIxeetGNQ4noPhtj6bEM4Y8xDS9f3R7o
+ eEHUSTnKonMemm/AB3KZnjwL7rkL2FI1ThmDRO3Z3lprbThjThJF8EU=
+ </issuer>
+ </class>
+</message>
diff --git a/ca/tests/up-down-protocol-samples/list.xml b/ca/tests/up-down-protocol-samples/list.xml
new file mode 100644
index 00000000..01a803f3
--- /dev/null
+++ b/ca/tests/up-down-protocol-samples/list.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<message xmlns="http://www.apnic.net/specs/rescerts/up-down/"
+ version="1"
+ sender="sender name"
+ recipient="recipient name"
+ type="list" />
diff --git a/ca/tests/up-down-protocol-samples/list_response.xml b/ca/tests/up-down-protocol-samples/list_response.xml
new file mode 100644
index 00000000..09634955
--- /dev/null
+++ b/ca/tests/up-down-protocol-samples/list_response.xml
@@ -0,0 +1,171 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<message xmlns="http://www.apnic.net/specs/rescerts/up-down/"
+ version="1"
+ sender="sender name"
+ recipient="recipient name"
+ type="list_response">
+ <class class_name="ISP5"
+ cert_url="rsync://wombat.example/ISP5"
+ resource_set_as="64534-64540"
+ resource_set_ipv4="10.0.0.0/24,10.3.0.0/24"
+ resource_set_ipv6="2001:db8:0:0:0:0:a00::/120,2001:db8:0:0:0:0:a03::/120"
+ resource_set_notafter="2011-04-01T12:34:56Z"
+ suggested_sia_head="rsync://wombat.example/fnord/">
+ <certificate cert_url="rsync://wombat.example/ISP5a"
+ req_resource_set_as=""
+ req_resource_set_ipv4="10.0.0.0/24"
+ req_resource_set_ipv6="2001:db8:0:0:0:0:a00::/120">
+ MIID3jCCAsagAwIBAgIBAzANBgkqhkiG9w0BAQUFADAbMRkwFwYDVQQDExBURVNU
+ IEVOVElUWSBMSVIzMB4XDTA3MDgwMTE0NDgyMloXDTA4MDczMTE0NDgyMlowHDEa
+ MBgGA1UEAxMRVEVTVCBFTlRJVFkgSVNQNWEwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+ DwAwggEKAoIBAQDmS614KGvmUBtlgdWNK1Z3zbvJR6CqMrAsrB/x5JArwjNv51Ox
+ 0B2rBSedt6HuqE/IWzYj4xLkUVknzf16qtxWBaFzq3ndPIKyj6757MA2OOYCqv2J
+ YCFSW7YzgHXlf/2sbuzUmiYvfihFFilHffOKctXkZfr0VG+uSDNiwTLxK4MzNmNg
+ nrzH55ldUdrNL4+DRyCe6cyjcsByvUktxFLqb9pCRnGQx69/n8fdC5aWPEWfwOpl
+ akPj85LV4XPAbiD1F+XRWNohs+kMTfDovXy374HJ9XDPqCB94mr5G2apyHHWMvhy
+ PYOZGQ0Ma+n4ks0zF4ZqPa8NBZSrHNQspEXLAgMBAAGjggEqMIIBJjAPBgNVHRMB
+ Af8EBTADAQH/MB0GA1UdDgQWBBQJ8BQLefsL/6jvVLnsPrmL0Muc7DAfBgNVHSME
+ GDAWgBSYvgT/gNGrlTmqPfIOZ30AraP9xTAOBgNVHQ8BAf8EBAMCAQYwQgYIKwYB
+ BQUHAQsENjA0MDIGCCsGAQUFBzAFhiZyc3luYzovL3dvbWJhdHMtci11cy5oYWN0
+ cm4ubmV0L0lTUDVhLzBEBggrBgEFBQcBAQQ4MDYwNAYIKwYBBQUHMAKGKHJzeW5j
+ Oi8vd29tYmF0cy1yLXVzLmhhY3Rybi5uZXQvTElSMy5jZXIwOQYIKwYBBQUHAQcB
+ Af8EKjAoMAwEAgABMAYDBAAKAAAwGAQCAAIwEgMQACABDbgAAAAAAAAAAAoAADAN
+ BgkqhkiG9w0BAQUFAAOCAQEAkzKZYt3F6vAfWFAQN9M5N9n2klEmL9b9b4K4Vmv9
+ DPNCBFbtZytCAphWB/FILS60MrvXHCcUoOmtOx3+Cw5D3yKX8Y9z2HbWmw2/7iDo
+ dxejgwGzI0OFa79vzC5pRwVz9CFFlMiuIShBFpHuSElmWmcxcQTJSXGU1fSGXHvG
+ Pv6RHSGzFJhUrW5RKOmoIrqk0JyM49R8IRAM+aMA+MOfALRTNAavW0pDlcuy+4wY
+ AIYRKF4k4ZDYZ9gA/LYnH56xvpEXwRE1bpxgUC5n8wQrdIn5/pJz3R5EgWe4CGOo
+ n/SMvEfe8d+LEc0C7LmtCwYoDOKENoOF809GVkbV9fjL8w==
+ </certificate>
+ <certificate cert_url="rsync://wombat.example/ISP5b"
+ req_resource_set_as=""
+ req_resource_set_ipv4="10.3.0.0/24"
+ req_resource_set_ipv6="2001:db8:0:0:0:0:a03::/120">
+ MIID3jCCAsagAwIBAgIBAjANBgkqhkiG9w0BAQUFADAbMRkwFwYDVQQDExBURVNU
+ IEVOVElUWSBMSVIzMB4XDTA3MDgwMTE0NDgyMFoXDTA4MDczMTE0NDgyMFowHDEa
+ MBgGA1UEAxMRVEVTVCBFTlRJVFkgSVNQNWIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+ DwAwggEKAoIBAQC/j1nY/PodBHApznsBZCFA3FxD/kyviMhim76cco+KpTSKOyON
+ m4pPv2asaHGc/WhZ9b+fTS611uP6vfNgU1y3EayVC8CHzZmelFeN7AW436r8jjjT
+ D2VtCWDy4ZiBcthRPkGRsxCV9fXQ+eVcoYX6cSaF49FMAn8U4h5KipZontYWpe+t
+ tYNizSN0fIJWtNE0U1qKemGfrlRb7/lW3odrQpK8SfS1wzUHShhH0pLGHBZ0dLHp
+ OTxTEgWd69ycciuXTSchd5Z9TM55DPunuJlrZiAuVpxEtONegMR9eKG0BfcgfSYe
+ RL9daRU8eiRnvbm1CA8zTa87Lee5qx0r1vtzAgMBAAGjggEqMIIBJjAPBgNVHRMB
+ Af8EBTADAQH/MB0GA1UdDgQWBBRss2WU/safSlCdTYtAGqH9lxeXkjAfBgNVHSME
+ GDAWgBSYvgT/gNGrlTmqPfIOZ30AraP9xTAOBgNVHQ8BAf8EBAMCAQYwQgYIKwYB
+ BQUHAQsENjA0MDIGCCsGAQUFBzAFhiZyc3luYzovL3dvbWJhdHMtci11cy5oYWN0
+ cm4ubmV0L0lTUDViLzBEBggrBgEFBQcBAQQ4MDYwNAYIKwYBBQUHMAKGKHJzeW5j
+ Oi8vd29tYmF0cy1yLXVzLmhhY3Rybi5uZXQvTElSMy5jZXIwOQYIKwYBBQUHAQcB
+ Af8EKjAoMAwEAgABMAYDBAAKAwAwGAQCAAIwEgMQACABDbgAAAAAAAAAAAoDADAN
+ BgkqhkiG9w0BAQUFAAOCAQEARNgVrXF+6W7sMytC7YyKSt+CpJGZV7AvzKNZKv8k
+ xazhefrXkrpyK0caz4BtCHbptZFgNR/dDOC9M3wn0PcRTh9ISgW8beNfut16uj1F
+ fZdylJvNMXa4lt/wfRbzKqPicusCH0nutkRIW2mZuLuAO8v1vKr4umgZU+z/rXWu
+ glEA7OeBwmvPoqKixbgER5GtnTNySKIVVa1DUo/2CaPT/YjT48P0zXHoy6rnNgcn
+ 2emkoegzzS2cN+5I5I+O8IRnZInqmiPgEgElgEFw+rg6xw23yax5Nyqx12J56tt0
+ tPWGhrYe1dCwKZajWKn3P9+NMcGQ0d8bw/QU+B3RyVeVfw==
+ </certificate>
+ <certificate cert_url="rsync://wombat.example/ISP5c"
+ req_resource_set_as="64534-64540"
+ req_resource_set_ipv4=""
+ req_resource_set_ipv6="">
+ MIIDxjCCAq6gAwIBAgIBATANBgkqhkiG9w0BAQUFADAbMRkwFwYDVQQDExBURVNU
+ IEVOVElUWSBMSVIzMB4XDTA3MDgwMTE0NDgxOFoXDTA4MDczMTE0NDgxOFowHDEa
+ MBgGA1UEAxMRVEVTVCBFTlRJVFkgSVNQNWMwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+ DwAwggEKAoIBAQDIi6ElZd/uon9Ur1IKGhr6DXWzPOngKdOJIOlRSWcsQ9qgLNRE
+ s5YUqQd3YLlvAe+OVKV0rFpn+DBNEPmsn7h1YQv253zqm1yYeks+xOJZQtMZyg9Y
+ DrfIgk7lu6z9kuWIsvxkz244OxiD/OemrvuQNtDhyk2QQQ8POyrADNl7fehQE/YJ
+ c4Kj0uO7ggiHf9K7Dg56KLYlArXZUfwzMkdH/89/vO4AAbsFXi4Dmq2VO8rCxodk
+ dDmqWWuu4KdRGgfyjkyOZS/f8pm64LaKT8AgcnmYAI8NUBM90T6Mvdx0qTOoVh0x
+ eHznAp6NChQSbdM3x3rwhBD+/k0olyZuCIWhAgMBAAGjggESMIIBDjAPBgNVHRMB
+ Af8EBTADAQH/MB0GA1UdDgQWBBQth8Ga+FgrvcL4fjBHs6mIN8nrRjAfBgNVHSME
+ GDAWgBSYvgT/gNGrlTmqPfIOZ30AraP9xTAOBgNVHQ8BAf8EBAMCAQYwQgYIKwYB
+ BQUHAQsENjA0MDIGCCsGAQUFBzAFhiZyc3luYzovL3dvbWJhdHMtci11cy5oYWN0
+ cm4ubmV0L0lTUDVjLzBEBggrBgEFBQcBAQQ4MDYwNAYIKwYBBQUHMAKGKHJzeW5j
+ Oi8vd29tYmF0cy1yLXVzLmhhY3Rybi5uZXQvTElSMy5jZXIwIQYIKwYBBQUHAQgB
+ Af8EEjAQoA4wDDAKAgMA/BYCAwD8HDANBgkqhkiG9w0BAQUFAAOCAQEAUGsbhHfl
+ kwhe3EIkhnARJPgRkWgPCJtJ9konhROT7VlJ0Pim0kSrJWlBWUCLeKvSjQmowP4g
+ SddHxN4ZoXnSjb0pCDeomrZeViVQ2hxH6L/tHkl5SIEHl9MvFOe8junvgpq9GGAI
+ CFcibkW7Gp9p4A+GQkns0l9v+wGwuVZmqmJk4YBo7hHZRbg6/IFL1MD3HKeXmn33
+ lCwFhjUuDIMXRbY/1k5fui13QUolN7mLSk60NvXJ94Tga68c1eCIpapvhxAYw69G
+ 7mOX42aYu1FnidZNj7Lt9jOuW0REHlavrG17HxP5loTuCNtLH1ZIrJcO7rUz9C0D
+ YqMybYWFUqZHyg==
+ </certificate>
+ <issuer>
+ MIIEFTCCAv2gAwIBAgIBDjANBgkqhkiG9w0BAQUFADAaMRgwFgYDVQQDEw9URVNU
+ IEVOVElUWSBSSVIwHhcNMDcwODAxMTQ0ODE4WhcNMDgwNzMxMTQ0ODE4WjAbMRkw
+ FwYDVQQDExBURVNUIEVOVElUWSBMSVIzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+ MIIBCgKCAQEAoyFXYWSvERjUy96m3K3ZLA8PWJ9+yIVVESZMfPBraBqeagyP5tw9
+ g1gqzHesGXNvWvNuJKzNGtwdC0xE9W2LChc9hvno/uZg5Z9AauWU6JpWFxccq8GM
+ N0ArVb8sXtyNyiV/il/u+xaG6+AI0ybl43DFDGv7G49rXPbiSlilNQHqBRs+zoS+
+ tT9tGBZLaOV5TIh9tqVlozrCMtytj4oF7vbpeoDaEqkPWrXS0zGsPtMZJS0o3nls
+ zv13ZtXjL6nL+YWMILuihiPwk5UgBHjHxwem/vD0RbvPeCvdzpwIpUZoEEzXBWJs
+ hlotfwY4wk27RIcAQ3nSj/NrsvRcHLloAQIDAQABo4IBYzCCAV8wDwYDVR0TAQH/
+ BAUwAwEB/zAdBgNVHQ4EFgQUmL4E/4DRq5U5qj3yDmd9AK2j/cUwHwYDVR0jBBgw
+ FoAU+7inozZICqCf8C7ci2i8s1xFJdcwDgYDVR0PAQH/BAQDAgEGMEEGCCsGAQUF
+ BwELBDUwMzAxBggrBgEFBQcwBYYlcnN5bmM6Ly93b21iYXRzLXItdXMuaGFjdHJu
+ Lm5ldC9MSVIzLzBDBggrBgEFBQcBAQQ3MDUwMwYIKwYBBQUHMAKGJ3JzeW5jOi8v
+ d29tYmF0cy1yLXVzLmhhY3Rybi5uZXQvUklSLmNlcjAhBggrBgEFBQcBCAEB/wQS
+ MBCgDjAMMAoCAwD8FgIDAPwcMFEGCCsGAQUFBwEHAQH/BEIwQDASBAIAATAMAwQA
+ CgAAAwQACgMAMCoEAgACMCQDEAAgAQ24AAAAAAAAAAAKAAADEAAgAQ24AAAAAAAA
+ AAAKAwAwDQYJKoZIhvcNAQEFBQADggEBAEhmCa7kUuozB6aST0Gd2XStJBcR1oWI
+ 8mZS5WEOjnjbVvuryDEb0fLs3x2HgCHZgZ7IAOg31cNxJpc1Ff6ZYEG+m3LpkcG/
+ yOMllfOVK8RQSY+nKuya2fm2J3dCOKogEjBW20HwxNd1WgFLrDaOTR9V+iROBPKs
+ 3ppMPp6ksPqEqDU/3N3bLHROIISlFwWHilXuTK5ZAnzncDIQnm+zUuxI/0d3v6Fp
+ 8VxVlNBHqzo0VpakZOkxwqo01qJRsoxVaIxeetGNQ4noPhtj6bEM4Y8xDS9f3R7o
+ eEHUSTnKonMemm/AB3KZnjwL7rkL2FI1ThmDRO3Z3lprbThjThJF8EU=
+ </issuer>
+ </class>
+ <class class_name="ISP2"
+ cert_url="rsync://wombat.example/ISP2"
+ resource_set_as=""
+ resource_set_ipv4="192.0.2.44-192.0.2.100"
+ resource_set_ipv6=""
+ resource_set_notafter="2011-04-01T12:34:56Z">
+ <certificate cert_url="http://wombat.example/ISP2a,rsync://wombat.example/ISP2a,ftp://wombat.example/ISP2a">
+ MIIDzDCCArSgAwIBAgIBCTANBgkqhkiG9w0BAQUFADAbMRkwFwYDVQQDExBURVNU
+ IEVOVElUWSBMSVIxMB4XDTA3MDgwMTE0NDgyMloXDTA4MDczMTE0NDgyMlowGzEZ
+ MBcGA1UEAxMQVEVTVCBFTlRJVFkgSVNQMjCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ ADCCAQoCggEBANB338Qhrxtaa6inKNdDyJttJdiNf5Er45X9kmCsFBLXI2iFSw7b
+ K+Y44EjbGDePQMCQWA4/CWdfjj8EdQZgkkLz5EUENZVd6SJCLPZcpn15jOEIGXw1
+ nTr95/+bKbXuiUfMDYOg4XOvHwmEqAuDzHmIv3wdc9arQhtkmlwZgyud5a1MWAV2
+ lXAj7qXAMcqip8gdHvLJ8j04gsJT5VSG8nyxc+Hc6YZzCKxZO74vWMFCxYAYjDoK
+ KjL2/ijQKFKDxjBpUZBZGZvT1MLgUmrBTlmaGOR4Llf5fytddijJycV+5UOhm2jS
+ Bhy+P2n5wvqeT2jPY2/bbfxnNcCxbgo37DMCAwEAAaOCARkwggEVMA8GA1UdEwEB
+ /wQFMAMBAf8wHQYDVR0OBBYEFHOyFhrN3NcwYA/6gZX4ovVOlfOtMB8GA1UdIwQY
+ MBaAFIqUF/lT8luUVFbfdlETKfZxGaizMA4GA1UdDwEB/wQEAwIBBjBBBggrBgEF
+ BQcBCwQ1MDMwMQYIKwYBBQUHMAWGJXJzeW5jOi8vd29tYmF0cy1yLXVzLmhhY3Ry
+ bi5uZXQvSVNQMi8wRAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzAChihyc3luYzov
+ L3dvbWJhdHMtci11cy5oYWN0cm4ubmV0L0xJUjEuY2VyMCkGCCsGAQUFBwEHAQH/
+ BBowGDAWBAIAATAQMA4DBQLAAAIsAwUAwAACZDANBgkqhkiG9w0BAQUFAAOCAQEA
+ CvG1rzj5fZOV1Oq/SO+NYzxOHIA9egYgQg4NUpmqSz6v17RhR0+3tPfMmzxepTs8
+ ut23KieOG7RcPGvR2f/CEvedgrrPdTS81wu01qhPWJNqriN6N+Mu8XCK3fUO+t+w
+ PxLUWqwzrRUcpdy+CMOOGg81Eg7e77iAeJCp648AChUdBRI6HTfp9PlKd25pJ7fj
+ f654MpKGbTkWXllPkxC1sL4cJUcq4o+Sn1zAKkjXUwAUjp6G6s+mIWZQiZU5Pv8n
+ lYXvPciYf83+wTBllLGtSFyut8hk6WmiB8rC1/5jS96pJaGRSxejqd0r99GlPre+
+ QgMe2TRfFuM1esod7j1M1Q==
+ </certificate>
+ <issuer>
+ MIID9jCCAt6gAwIBAgIBEDANBgkqhkiG9w0BAQUFADAaMRgwFgYDVQQDEw9URVNU
+ IEVOVElUWSBSSVIwHhcNMDcwODAxMTQ0ODE4WhcNMDgwNzMxMTQ0ODE4WjAbMRkw
+ FwYDVQQDExBURVNUIEVOVElUWSBMSVIxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+ MIIBCgKCAQEAr10c+dm71QHhWzbMUfb9hldgqp7H7E4Fr/tRXHrCWMSoV64UYum8
+ tnJ9z0nISkCCSvQ+MLWUJZ5seIFXQ9aFAo3RnLXXNC/iqX0YJ7VHmkIWyJB/lizd
+ uJgXH3diSggALeBzDDk3ug+nWVlMfM3iXNeYNhBsiD5FmaaIL/Z/MUm6QisTecKy
+ 8QnZrTekQbZtRqEYBaBTB47gmLLR/Wdod2TV8/4dIjaeJloaqhiUwyx+mq++LJ1e
+ dSxJ1jcrBh/MY5d+7ixfZ69NYj56HwzhHgLy0gZ1rj8RvI4PE2Q4FDYdXQLsr2XV
+ uWj0ImYr70dbrTvyr7ZxDJRWinwBNvA6PwIDAQABo4IBRDCCAUAwDwYDVR0TAQH/
+ BAUwAwEB/zAdBgNVHQ4EFgQUipQX+VPyW5RUVt92URMp9nEZqLMwHwYDVR0jBBgw
+ FoAU+7inozZICqCf8C7ci2i8s1xFJdcwDgYDVR0PAQH/BAQDAgEGMEEGCCsGAQUF
+ BwELBDUwMzAxBggrBgEFBQcwBYYlcnN5bmM6Ly93b21iYXRzLXItdXMuaGFjdHJu
+ Lm5ldC9MSVIxLzBDBggrBgEFBQcBAQQ3MDUwMwYIKwYBBQUHMAKGJ3JzeW5jOi8v
+ d29tYmF0cy1yLXVzLmhhY3Rybi5uZXQvUklSLmNlcjAaBggrBgEFBQcBCAEB/wQL
+ MAmgBzAFAgMA/BUwOQYIKwYBBQUHAQcBAf8EKjAoMCYEAgABMCAwDgMFAMAAAgED
+ BQHAAAIgMA4DBQLAAAIsAwUAwAACZDANBgkqhkiG9w0BAQUFAAOCAQEAcn3dpGAj
+ ceSZKAuaulzTl0ty64mBPBGFjCXtebJQpeiuDjd0+SyhvpaDNUANNvkyFnQlnPcP
+ zUZHjrnNrAx+06yEXvYx9KnyBc2C1+DXOySbxxXR253CHZL3Gam4oWcK+z0jOgWD
+ KQVQ4wAnqYD+u1HxPjsMmK7x7tETckZkj0syTs9kzxqlsTSm8F8Y+ES7E+qNXyR9
+ OxVgjr70vdgEp9AQftMQZ781SclWz7eLe5sXC1TuIct1sD6NssHGfCaxfFipSjEk
+ zeU/pZodfREUQSrlVbbb9HU0N59eHfGGKvZ0vojhuWPOrVzpPJGKTI20aQPn+VJ5
+ KH3Nf1ICSa7Vxw==
+ </issuer>
+ </class>
+</message>
diff --git a/ca/tests/up-down-protocol-samples/revoke.xml b/ca/tests/up-down-protocol-samples/revoke.xml
new file mode 100644
index 00000000..eb4b3efb
--- /dev/null
+++ b/ca/tests/up-down-protocol-samples/revoke.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<message xmlns="http://www.apnic.net/specs/rescerts/up-down/"
+ version="1"
+ sender="sender name"
+ recipient="recipient name"
+ type="revoke">
+ <key class_name="ISP5"
+ ski="CfAUC3n7C_-o71S57D65i9DLnOw"/>
+</message>
diff --git a/ca/tests/up-down-protocol-samples/revoke_response.xml b/ca/tests/up-down-protocol-samples/revoke_response.xml
new file mode 100644
index 00000000..9f4ebacc
--- /dev/null
+++ b/ca/tests/up-down-protocol-samples/revoke_response.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<message xmlns="http://www.apnic.net/specs/rescerts/up-down/"
+ version="1"
+ sender="sender name"
+ recipient="recipient name"
+ type="revoke_response">
+ <key class_name="ISP5"
+ ski="CfAUC3n7C_-o71S57D65i9DLnOw"/>
+</message>
diff --git a/ca/tests/xml-parse-test.py b/ca/tests/xml-parse-test.py
new file mode 100644
index 00000000..42b54695
--- /dev/null
+++ b/ca/tests/xml-parse-test.py
@@ -0,0 +1,119 @@
+# $Id$
+#
+# Copyright (C) 2010 Internet Systems Consortium ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+#
+# Portions copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+import glob, lxml.etree, lxml.sax
+import rpki.up_down, rpki.left_right, rpki.publication, rpki.relaxng
+
+verbose = False
+
+def test(fileglob, rng, sax_handler, encoding, tester = None):
+ files = glob.glob(fileglob)
+ files.sort()
+ for f in files:
+ print "<!--", f, "-->"
+ handler = sax_handler()
+ elt_in = lxml.etree.parse(f).getroot()
+ if verbose:
+ print "<!-- Input -->"
+ print lxml.etree.tostring(elt_in, pretty_print = True, encoding = encoding, xml_declaration = True)
+ rng.assertValid(elt_in)
+ lxml.sax.saxify(elt_in, handler)
+ elt_out = handler.result.toXML()
+ if verbose:
+ print "<!-- Output -->"
+ print lxml.etree.tostring(elt_out, pretty_print = True, encoding = encoding, xml_declaration = True)
+ rng.assertValid(elt_out)
+ if (tester):
+ tester(elt_in, elt_out, handler.result)
+ if verbose:
+ print
+
+def pprint(pairs):
+ if verbose:
+ for thing, name in pairs:
+ if thing is not None:
+ print "[%s]" % name
+ print thing.get_POW().pprint()
+
+def ud_tester(elt_in, elt_out, msg):
+ assert isinstance(msg, rpki.up_down.message_pdu)
+ if isinstance(msg.payload, rpki.up_down.list_response_pdu):
+ for c in msg.payload.classes:
+ pprint([(c.certs[i].cert, ("%s certificate #%d" % (c.class_name, i))) for i in xrange(len(c.certs))] + [(c.issuer, ("%s issuer" % c.class_name))])
+
+def lr_tester(elt_in, elt_out, msg):
+ assert isinstance(msg, rpki.left_right.msg)
+ for obj in msg:
+ if isinstance(obj, rpki.left_right.self_elt):
+ pprint(((obj.bpki_cert, "BPKI cert"),
+ (obj.bpki_glue, "BPKI glue")))
+ if isinstance(obj, rpki.left_right.bsc_elt):
+ pprint(((obj.signing_cert, "Signing certificate"),
+ (obj.signing_cert_crl, "Signing certificate CRL")))
+ # (obj.pkcs10_request, "PKCS #10 request")
+ if isinstance(obj, rpki.left_right.parent_elt):
+ pprint(((obj.bpki_cms_cert, "CMS certificate"),
+ (obj.bpki_cms_glue, "CMS glue")))
+ if isinstance(obj, (rpki.left_right.child_elt, rpki.left_right.repository_elt)):
+ pprint(((obj.bpki_cert, "Certificate"),
+ (obj.bpki_glue, "Glue")))
+
+def pp_tester(elt_in, elt_out, msg):
+ assert isinstance(msg, rpki.publication.msg)
+ for obj in msg:
+ if isinstance(obj, rpki.publication.client_elt):
+ pprint(((obj.bpki_cert, "BPKI cert"),
+ (obj.bpki_glue, "BPKI glue")))
+ if isinstance(obj, rpki.publication.certificate_elt):
+ pprint(((obj.payload, "RPKI cert"),))
+ if isinstance(obj, rpki.publication.crl_elt):
+ pprint(((obj.payload, "RPKI CRL"),))
+ if isinstance(obj, rpki.publication.manifest_elt):
+ pprint(((obj.payload, "RPKI manifest"),))
+ if isinstance(obj, rpki.publication.roa_elt):
+ pprint(((obj.payload, "ROA"),))
+
+test(fileglob = "up-down-protocol-samples/*.xml",
+ rng = rpki.relaxng.up_down,
+ sax_handler = rpki.up_down.sax_handler,
+ encoding = "utf-8",
+ tester = ud_tester)
+
+test(fileglob = "left-right-protocol-samples/*.xml",
+ rng = rpki.relaxng.left_right,
+ sax_handler = rpki.left_right.sax_handler,
+ encoding = "us-ascii",
+ tester = lr_tester)
+
+test(fileglob = "publication-protocol-samples/*.xml",
+ rng = rpki.relaxng.publication,
+ sax_handler = rpki.publication.sax_handler,
+ encoding = "us-ascii",
+ tester = pp_tester)
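Review bot: The round trip in `test` never compares `elt_in` with `elt_out`, so a SAX handler that silently drops an attribute or child element still passes as long as both trees satisfy `rng.assertValid`; schema validity alone does not prove the parse/serialize path preserved the message. After the second `rng.assertValid(elt_out)` add a structural check, e.g. `assert lxml.etree.tostring(elt_in, method="c14n") == lxml.etree.tostring(elt_out, method="c14n")`, normalising the whitespace inside the base64 text nodes first if the byte-level compare turns out too strict. The `if (tester):` guard reads as C; `if tester:` is the Python form. Finally, the three `test(...)` calls at the bottom run at import time, so the module cannot be imported by another harness without executing them; wrapping them in `if __name__ == "__main__":` would keep it usable as both script and fixture.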
diff --git a/ca/tests/yamlconf.py b/ca/tests/yamlconf.py
new file mode 100644
index 00000000..3c71d3cd
--- /dev/null
+++ b/ca/tests/yamlconf.py
@@ -0,0 +1,794 @@
+# $Id$
+#
+# Copyright (C) 2013--2014 Dragon Research Labs ("DRL")
+# Portions copyright (C) 2009--2012 Internet Systems Consortium ("ISC")
+# Portions copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notices and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND DRL, ISC, AND ARIN DISCLAIM ALL
+# WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DRL,
+# ISC, OR ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+# CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+# OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+"""
+Test configuration tool, using the same YAML test description format
+as smoketest.py and yamltest.py, but doing just the IRDB configuration
+for a massive testbed, via direct use of the rpki.irdb library code.
+
+For most purposes, you don't want this, but when building a
+configuration for tens or hundreds of thousands of elements, being
+able to do the initial configuration stage quickly can help a lot.
+"""
+
+# pylint: disable=W0702,W0621,W0602
+
+import subprocess
+import re
+import os
+import sys
+import yaml
+import time
+import argparse
+import rpki.resource_set
+import rpki.sundial
+import rpki.config
+import rpki.log
+import rpki.csv_utils
+import rpki.x509
+import rpki.sql_schemas
+
+from rpki.mysql_import import MySQLdb
+
+section_regexp = re.compile(r"\s*\[\s*(.+?)\s*\]\s*$")
+variable_regexp = re.compile(r"\s*([-a-zA-Z0-9_]+)\s*=\s*(.+?)\s*$")
+
+flat_publication = False
+only_one_pubd = True
+yaml_file = None
+loopback = False
+quiet = False
+dns_suffix = None
+mysql_rootuser = None
+mysql_rootpass = None
+publication_base = None
+publication_root = None
+
+# The SQL username mismatch between rpkid/examples/rpki.conf and
+# rpkid/tests/smoketest.setup.sql is completely stupid and really
+# should be cleaned up at some point...but not today, at least not as
+# part of writing this program. These default values are wired into
+# yamltest to match smoketest.setup.sql, so wire them in here too but
+# in a more obvious way.
+
+config_overrides = {
+ "irdbd_sql_username" : "irdb", "irdbd_sql_password" : "fnord",
+ "rpkid_sql_username" : "rpki", "rpkid_sql_password" : "fnord",
+ "pubd_sql_username" : "pubd", "pubd_sql_password" : "fnord" }
+
+def cleanpath(*names):
+ return os.path.normpath(os.path.join(*names))
+
+this_dir = os.getcwd()
+test_dir = None
+rpki_conf = None
+
+class roa_request(object):
+ """
+ Representation of a ROA request.
+ """
+
+ def __init__(self, asn, ipv4, ipv6):
+ self.asn = asn
+ self.v4 = rpki.resource_set.roa_prefix_set_ipv4("".join(ipv4.split())) if ipv4 else None
+ self.v6 = rpki.resource_set.roa_prefix_set_ipv6("".join(ipv6.split())) if ipv6 else None
+
+ def __eq__(self, other):
+ return self.asn == other.asn and self.v4 == other.v4 and self.v6 == other.v6
+
+ def __hash__(self):
+ v4 = tuple(self.v4) if self.v4 is not None else None
+ v6 = tuple(self.v6) if self.v6 is not None else None
+ return self.asn.__hash__() + v4.__hash__() + v6.__hash__()
+
+ def __str__(self):
+ if self.v4 and self.v6:
+ return "%s: %s,%s" % (self.asn, self.v4, self.v6)
+ else:
+ return "%s: %s" % (self.asn, self.v4 or self.v6)
+
+ @classmethod
+ def parse(cls, y):
+ return cls(y.get("asn"), y.get("ipv4"), y.get("ipv6"))
+
+class allocation_db(list):
+ """
+ Allocation database.
+ """
+
+ def __init__(self, y):
+ list.__init__(self)
+ self.root = allocation(y, self)
+ assert self.root.is_root
+ if self.root.crl_interval is None:
+ self.root.crl_interval = 60 * 60
+ if self.root.regen_margin is None:
+ self.root.regen_margin = 24 * 60 * 60
+ if self.root.base.valid_until is None:
+ self.root.base.valid_until = rpki.sundial.now() + rpki.sundial.timedelta(days = 2)
+ for a in self:
+ if a.base.valid_until is None:
+ a.base.valid_until = a.parent.base.valid_until
+ if a.crl_interval is None:
+ a.crl_interval = a.parent.crl_interval
+ if a.regen_margin is None:
+ a.regen_margin = a.parent.regen_margin
+ self.root.closure()
+ self.map = dict((a.name, a) for a in self)
+ for a in self:
+ if a.is_hosted:
+ a.hosted_by = self.map[a.hosted_by]
+ a.hosted_by.hosts.append(a)
+ assert not a.is_root and not a.hosted_by.is_hosted
+
+ def dump(self):
+ for a in self:
+ a.dump()
+
+
+class allocation(object):
+ """
+ One entity in our allocation database. Every entity in the database
+ is assumed to hold resources. Entities that don't have the
+ hosted_by property run their own copies of rpkid, irdbd, and pubd.
+ """
+
+ base_port = 4400
+ base_engine = -1
+ parent = None
+ crl_interval = None
+ regen_margin = None
+ engine = -1
+ rpkid_port = 4404
+ irdbd_port = 4403
+ pubd_port = 4402
+ rootd_port = 4401
+ rsync_port = 873
+
+ @classmethod
+ def allocate_port(cls):
+ cls.base_port += 1
+ return cls.base_port
+
+ @classmethod
+ def allocate_engine(cls):
+ cls.base_engine += 1
+ return cls.base_engine
+
+ def __init__(self, y, db, parent = None):
+ db.append(self)
+ self.name = y["name"]
+ self.parent = parent
+ self.kids = [allocation(k, db, self) for k in y.get("kids", ())]
+ valid_until = None
+ if "valid_until" in y:
+ valid_until = rpki.sundial.datetime.from_datetime(y.get("valid_until"))
+ if valid_until is None and "valid_for" in y:
+ valid_until = rpki.sundial.now() + rpki.sundial.timedelta.parse(y["valid_for"])
+ self.base = rpki.resource_set.resource_bag(
+ asn = rpki.resource_set.resource_set_as(y.get("asn")),
+ v4 = rpki.resource_set.resource_set_ipv4(y.get("ipv4")),
+ v6 = rpki.resource_set.resource_set_ipv6(y.get("ipv6")),
+ valid_until = valid_until)
+ if "crl_interval" in y:
+ self.crl_interval = rpki.sundial.timedelta.parse(y["crl_interval"]).convert_to_seconds()
+ if "regen_margin" in y:
+ self.regen_margin = rpki.sundial.timedelta.parse(y["regen_margin"]).convert_to_seconds()
+ if "ghostbusters" in y:
+ self.ghostbusters = y.get("ghostbusters")
+ elif "ghostbuster" in y:
+ self.ghostbusters = [y.get("ghostbuster")]
+ else:
+ self.ghostbusters = []
+ self.roa_requests = [roa_request.parse(r) for r in y.get("roa_request", ())]
+ for r in self.roa_requests:
+ if r.v4:
+ self.base.v4 |= r.v4.to_resource_set()
+ if r.v6:
+ self.base.v6 |= r.v6.to_resource_set()
+ self.hosted_by = y.get("hosted_by")
+ self.hosts = []
+ if not self.is_hosted:
+ self.engine = self.allocate_engine()
+ if loopback and not self.is_hosted:
+ self.rpkid_port = self.allocate_port()
+ self.irdbd_port = self.allocate_port()
+ if loopback and self.runs_pubd:
+ self.pubd_port = self.allocate_port()
+ self.rsync_port = self.allocate_port()
+ if loopback and self.is_root:
+ self.rootd_port = self.allocate_port()
+
+ def closure(self):
+ resources = self.base
+ for kid in self.kids:
+ resources |= kid.closure()
+ self.resources = resources
+ return resources
+
+ @property
+ def hostname(self):
+ if loopback:
+ return "localhost"
+ elif dns_suffix:
+ return self.name + "." + dns_suffix.lstrip(".")
+ else:
+ return self.name
+
+ @property
+ def rsync_server(self):
+ if loopback:
+ return "%s:%s" % (self.pubd.hostname, self.pubd.rsync_port)
+ else:
+ return self.pubd.hostname
+
+ def dump(self):
+ if not quiet:
+ print str(self)
+
+ def __str__(self):
+ s = self.name + ":\n"
+ if self.resources.asn: s += " ASNs: %s\n" % self.resources.asn
+ if self.resources.v4: s += " IPv4: %s\n" % self.resources.v4
+ if self.resources.v6: s += " IPv6: %s\n" % self.resources.v6
+ if self.kids: s += " Kids: %s\n" % ", ".join(k.name for k in self.kids)
+ if self.parent: s += " Up: %s\n" % self.parent.name
+ if self.is_hosted: s += " Host: %s\n" % self.hosted_by.name
+ if self.hosts: s += " Hosts: %s\n" % ", ".join(h.name for h in self.hosts)
+ for r in self.roa_requests: s += " ROA: %s\n" % r
+ if not self.is_hosted: s += " IPort: %s\n" % self.irdbd_port
+ if self.runs_pubd: s += " PPort: %s\n" % self.pubd_port
+ if not self.is_hosted: s += " RPort: %s\n" % self.rpkid_port
+ if self.runs_pubd: s += " SPort: %s\n" % self.rsync_port
+ if self.is_root: s += " TPort: %s\n" % self.rootd_port
+ return s + " Until: %s\n" % self.resources.valid_until
+
+ @property
+ def is_root(self):
+ return self.parent is None
+
+ @property
+ def is_hosted(self):
+ return self.hosted_by is not None
+
+ @property
+ def runs_pubd(self):
+ return self.is_root or not (self.is_hosted or only_one_pubd)
+
+ def path(self, *names):
+ return cleanpath(test_dir, self.host.name, *names)
+
+ def csvout(self, fn):
+ path = self.path(fn)
+ if not quiet:
+ print "Writing", path
+ return rpki.csv_utils.csv_writer(path)
+
+ def up_down_url(self):
+ return "http://%s:%d/up-down/%s/%s" % (self.parent.host.hostname,
+ self.parent.host.rpkid_port,
+ self.parent.name,
+ self.name)
+
+ def dump_asns(self, fn):
+ with self.csvout(fn) as f:
+ for k in self.kids:
+ f.writerows((k.name, a) for a in k.resources.asn)
+
+ def dump_prefixes(self, fn):
+ with self.csvout(fn) as f:
+ for k in self.kids:
+ f.writerows((k.name, p) for p in (k.resources.v4 + k.resources.v6))
+
+ def dump_roas(self, fn):
+ with self.csvout(fn) as f:
+ for g1, r in enumerate(self.roa_requests):
+ f.writerows((p, r.asn, "G%08d%08d" % (g1, g2))
+ for g2, p in enumerate((r.v4 + r.v6 if r.v4 and r.v6 else r.v4 or r.v6 or ())))
+
+ def dump_ghostbusters(self, fn):
+ if self.ghostbusters:
+ path = self.path(fn)
+ if not quiet:
+ print "Writing", path
+ with open(path, "w") as f:
+ for i, g in enumerate(self.ghostbusters):
+ if i > 0:
+ f.write("\n")
+ f.write(g)
+
+ @property
+ def pubd(self):
+ s = self
+ while not s.runs_pubd:
+ s = s.parent
+ return s
+
+ @property
+ def client_handle(self):
+ path = []
+ s = self
+ if not flat_publication:
+ while not s.runs_pubd:
+ path.append(s)
+ s = s.parent
+ path.append(s)
+ return ".".join(i.name for i in reversed(path))
+
+ @property
+ def host(self):
+ return self.hosted_by or self
+
+ @property
+ def publication_base_directory(self):
+ if not loopback and publication_base is not None:
+ return publication_base
+ else:
+ return self.path("publication")
+
+ @property
+ def publication_root_directory(self):
+ if not loopback and publication_root is not None:
+ return publication_root
+ else:
+ return self.path("publication.root")
+
+ def dump_conf(self):
+
+ r = dict(
+ handle = self.name,
+ run_rpkid = str(not self.is_hosted),
+ run_pubd = str(self.runs_pubd),
+ run_rootd = str(self.is_root),
+ irdbd_sql_username = "irdb",
+ rpkid_sql_username = "rpki",
+ rpkid_server_host = self.hostname,
+ rpkid_server_port = str(self.rpkid_port),
+ irdbd_server_host = "localhost",
+ irdbd_server_port = str(self.irdbd_port),
+ rootd_server_port = str(self.rootd_port),
+ pubd_sql_username = "pubd",
+ pubd_server_host = self.pubd.hostname,
+ pubd_server_port = str(self.pubd.pubd_port),
+ publication_rsync_server = self.rsync_server)
+
+ if loopback:
+ r.update(
+ irdbd_sql_database = self.irdb_name,
+ rpkid_sql_database = "rpki%d" % self.engine,
+ pubd_sql_database = "pubd%d" % self.engine,
+ bpki_servers_directory = self.path(),
+ publication_base_directory = self.publication_base_directory)
+
+ r.update(config_overrides)
+
+ with open(self.path("rpki.conf"), "w") as f:
+ f.write("# Automatically generated, do not edit\n")
+ if not quiet:
+ print "Writing", f.name
+
+ section = None
+ for line in open(rpki_conf):
+ m = section_regexp.match(line)
+ if m:
+ section = m.group(1)
+ m = variable_regexp.match(line)
+ option = m.group(1) if m and section == "myrpki" else None
+ if option and option in r:
+ line = "%s = %s\n" % (option, r[option])
+ f.write(line)
+
+ def dump_rsyncd(self):
+ lines = []
+ if self.runs_pubd:
+ lines.extend((
+ "# Automatically generated, do not edit",
+ "port = %d" % self.rsync_port,
+ "address = %s" % self.hostname,
+ "log file = rsyncd.log",
+ "read only = yes",
+ "use chroot = no",
+ "[rpki]",
+ "path = %s" % self.publication_base_directory,
+ "comment = RPKI test"))
+ if self.is_root:
+ assert self.runs_pubd
+ lines.extend((
+ "[root]",
+ "path = %s" % self.publication_root_directory,
+ "comment = RPKI test root"))
+ if lines:
+ with open(self.path("rsyncd.conf"), "w") as f:
+ if not quiet:
+ print "Writing", f.name
+ f.writelines(line + "\n" for line in lines)
+
+ @property
+ def irdb_name(self):
+ return "irdb%d" % self.host.engine
+
+ @property
+ def irdb(self):
+ prior_name = self.zoo.handle
+ return rpki.irdb.database(
+ self.irdb_name,
+ on_entry = lambda: self.zoo.reset_identity(self.name),
+ on_exit = lambda: self.zoo.reset_identity(prior_name))
+
+ def syncdb(self):
+ import django.core.management
+ assert not self.is_hosted
+ django.core.management.call_command("syncdb",
+ database = self.irdb_name,
+ load_initial_data = False,
+ interactive = False,
+ verbosity = 0)
+
+ def hire_zookeeper(self):
+ assert not self.is_hosted
+ self._zoo = rpki.irdb.Zookeeper(
+ cfg = rpki.config.parser(self.path("rpki.conf")),
+ logstream = None if quiet else sys.stdout)
+
+ @property
+ def zoo(self):
+ return self.host._zoo
+
+ def dump_root(self):
+
+ assert self.is_root and not self.is_hosted
+
+ root_resources = rpki.resource_set.resource_bag(
+ asn = rpki.resource_set.resource_set_as("0-4294967295"),
+ v4 = rpki.resource_set.resource_set_ipv4("0.0.0.0/0"),
+ v6 = rpki.resource_set.resource_set_ipv6("::/0"))
+
+ root_key = rpki.x509.RSA.generate(quiet = True)
+
+ root_uri = "rsync://%s/rpki/" % self.rsync_server
+
+ root_sia = (root_uri, root_uri + "root.mft", None)
+
+ root_cert = rpki.x509.X509.self_certify(
+ keypair = root_key,
+ subject_key = root_key.get_public(),
+ serial = 1,
+ sia = root_sia,
+ notAfter = rpki.sundial.now() + rpki.sundial.timedelta(days = 365),
+ resources = root_resources)
+
+ with open(self.path("publication.root", "root.cer"), "wb") as f:
+ f.write(root_cert.get_DER())
+
+ with open(self.path("root.key"), "wb") as f:
+ f.write(root_key.get_DER())
+
+ with open(cleanpath(test_dir, "root.tal"), "w") as f:
+ f.write("rsync://%s/root/root.cer\n\n%s" % (
+ self.rsync_server, root_key.get_public().get_Base64()))
+
+ def mkdir(self, *path):
+ path = self.path(*path)
+ if not quiet:
+ print "Creating directory", path
+ os.makedirs(path)
+
+ def dump_sql(self):
+ if not self.is_hosted:
+ with open(self.path("rpkid.sql"), "w") as f:
+ if not quiet:
+ print "Writing", f.name
+ f.write(rpki.sql_schemas.rpkid)
+ if self.runs_pubd:
+ with open(self.path("pubd.sql"), "w") as f:
+ if not quiet:
+ print "Writing", f.name
+ f.write(rpki.sql_schemas.pubd)
+ if not self.is_hosted:
+ username = config_overrides["irdbd_sql_username"]
+ password = config_overrides["irdbd_sql_password"]
+ cmd = ("mysqldump", "-u", username, "-p" + password, self.irdb_name)
+ with open(self.path("irdbd.sql"), "w") as f:
+ if not quiet:
+ print "Writing", f.name
+ subprocess.check_call(cmd, stdout = f)
+
+
+def pre_django_sql_setup(needed):
+
+ username = config_overrides["irdbd_sql_username"]
+ password = config_overrides["irdbd_sql_password"]
+
+ # If we have the MySQL root password, just blow away and recreate
+ # the required databases. Otherwise, check for missing databases,
+ # then blow away all tables in the required databases. In either
+ # case, we assume that the Django syncdb code will populate
+ # databases as necessary, all we need to do here is provide empty
+ # databases for the Django code to fill in.
+
+ if mysql_rootpass is not None:
+ if mysql_rootpass:
+ db = MySQLdb.connect(user = mysql_rootuser, passwd = mysql_rootpass)
+ else:
+ db = MySQLdb.connect(user = mysql_rootuser)
+ cur = db.cursor()
+ for database in needed:
+ try:
+ cur.execute("DROP DATABASE IF EXISTS %s" % database)
+ except:
+ pass
+ cur.execute("CREATE DATABASE %s" % database)
+ cur.execute("GRANT ALL ON %s.* TO %s@localhost IDENTIFIED BY %%s" % (
+ database, username), (password,))
+
+ else:
+ db = MySQLdb.connect(user = username, passwd = password)
+ cur = db.cursor()
+ cur.execute("SHOW DATABASES")
+ existing = set(r[0] for r in cur.fetchall())
+ if needed - existing:
+ sys.stderr.write("The following databases are missing:\n")
+ for database in sorted(needed - existing):
+ sys.stderr.write(" %s\n" % database)
+ sys.stderr.write("Please create them manually or put MySQL root password in my config file\n")
+ sys.exit("Missing databases and MySQL root password not known, can't continue")
+ for database in needed:
+ db.select_db(database)
+ cur.execute("SHOW TABLES")
+ tables = [r[0] for r in cur.fetchall()]
+ cur.execute("SET foreign_key_checks = 0")
+ for table in tables:
+ cur.execute("DROP TABLE %s" % table)
+ cur.execute("SET foreign_key_checks = 1")
+
+ cur.close()
+ db.commit()
+ db.close()
+
+class timestamp(object):
+
+ def __init__(self, *args):
+ self.count = 0
+ self.start = self.tick = rpki.sundial.now()
+
+ def __call__(self, *args):
+ now = rpki.sundial.now()
+ if not quiet:
+ print "[Count %s last %s total %s now %s]" % (
+ self.count, now - self.tick, now - self.start, now)
+ self.tick = now
+ self.count += 1
+
+
+def main():
+
+ global flat_publication
+ global config_overrides
+ global only_one_pubd
+ global loopback
+ global dns_suffix
+ global mysql_rootuser
+ global mysql_rootpass
+ global yaml_file
+ global test_dir
+ global rpki_conf
+ global publication_base
+ global publication_root
+ global quiet
+
+ os.environ["TZ"] = "UTC"
+ time.tzset()
+
+ parser = argparse.ArgumentParser(description = "yamlconf")
+ parser.add_argument("-c", "--config", help = "configuration file")
+ parser.add_argument("--dns_suffix",
+ help = "DNS suffix to add to hostnames")
+ parser.add_argument("-l", "--loopback", action = "store_true",
+ help = "Configure for use with yamltest on localhost")
+ parser.add_argument("-f", "--flat_publication", action = "store_true",
+ help = "Use flat publication model")
+ parser.add_argument("-q", "--quiet", action = "store_true",
+ help = "Work more quietly")
+ parser.add_argument("--profile",
+ help = "Filename for profile output")
+ parser.add_argument("yaml_file", type = argparse.FileType("r"),
+ help = "YAML file describing network to build")
+ args = parser.parse_args()
+
+ dns_suffix = args.dns_suffix
+ loopback = args.loopback
+ flat_publication = args.flat_publication
+ quiet = args.quiet
+ yaml_file = args.yaml_file
+
+ rpki.log.init("yamlconf", use_syslog = False)
+
+ # Allow optional config file for this tool to override default
+ # passwords: this is mostly so that I can show a complete working
+ # example without publishing my own server's passwords.
+
+ cfg = rpki.config.parser(args.config, "yamlconf", allow_missing = True)
+ try:
+ cfg.set_global_flags()
+ except:
+ pass
+
+ # Use of "yamltest.dir" is deliberate: intent is for what we write to
+ # be usable with "yamltest --skip_config".
+
+ only_one_pubd = cfg.getboolean("only_one_pubd", True)
+ test_dir = cfg.get("test_directory", cleanpath(this_dir, "yamltest.dir"))
+ rpki_conf = cfg.get("rpki_conf", cleanpath(this_dir, "..", "examples/rpki.conf"))
+ mysql_rootuser = cfg.get("mysql_rootuser", "root")
+
+ try:
+ mysql_rootpass = cfg.get("mysql_rootpass")
+ except:
+ pass
+
+ try:
+ publication_base = cfg.get("publication_base")
+ except:
+ pass
+
+ try:
+ publication_root = cfg.get("publication_root")
+ except:
+ pass
+
+ for k in ("rpkid_sql_password", "irdbd_sql_password", "pubd_sql_password",
+ "rpkid_sql_username", "irdbd_sql_username", "pubd_sql_username"):
+ if cfg.has_option(k):
+ config_overrides[k] = cfg.get(k)
+
+ if args.profile:
+ import cProfile
+ prof = cProfile.Profile()
+ try:
+ prof.runcall(body)
+ finally:
+ prof.dump_stats(args.profile)
+ if not quiet:
+ print
+ print "Dumped profile data to %s" % args.profile
+ else:
+ body()
+
+def body():
+
+ global rpki
+
+ ts = timestamp()
+
+ for root, dirs, files in os.walk(test_dir, topdown = False):
+ for fn in files:
+ os.unlink(os.path.join(root, fn))
+ for d in dirs:
+ os.rmdir(os.path.join(root, d))
+
+ if not quiet:
+ print
+ print "Reading YAML", yaml_file.name
+
+ db = allocation_db(yaml.safe_load_all(yaml_file).next())
+
+ # Show what we loaded
+
+ #db.dump()
+
+ # Do pre-Django SQL setup
+
+ pre_django_sql_setup(set(d.irdb_name for d in db if not d.is_hosted))
+
+ # Now ready for fun with multiple databases in Django!
+
+ # https://docs.djangoproject.com/en/1.4/topics/db/multi-db/
+ # https://docs.djangoproject.com/en/1.4/topics/db/sql/
+
+ database_template = {
+ "ENGINE" : "django.db.backends.mysql",
+ "USER" : config_overrides["irdbd_sql_username"],
+ "PASSWORD" : config_overrides["irdbd_sql_password"],
+ "HOST" : "",
+ "PORT" : "",
+ "OPTIONS" : { "init_command": "SET storage_engine=INNODB" }}
+
+ databases = dict((d.irdb_name,
+ dict(database_template, NAME = d.irdb_name))
+ for d in db if not d.is_hosted)
+
+ databases["default"] = databases[db.root.irdb_name]
+
+ from django.conf import settings
+
+ settings.configure(
+ DATABASES = databases,
+ DATABASE_ROUTERS = ["rpki.irdb.router.DBContextRouter"],
+ INSTALLED_APPS = ("rpki.irdb",))
+
+ import rpki.irdb
+
+ rpki.irdb.models.ca_certificate_lifetime = rpki.sundial.timedelta(days = 3652 * 2)
+ rpki.irdb.models.ee_certificate_lifetime = rpki.sundial.timedelta(days = 3652)
+
+ ts()
+
+ for d in db:
+ if not quiet:
+ print
+ print "Configuring", d.name
+
+ if not d.is_hosted:
+ d.mkdir()
+ if d.runs_pubd:
+ d.mkdir("publication")
+ if d.is_root:
+ d.mkdir("publication.root")
+
+ if not d.is_hosted:
+ d.dump_conf()
+ d.dump_rsyncd()
+
+ d.dump_asns("%s.asns.csv" % d.name)
+ d.dump_prefixes("%s.prefixes.csv" % d.name)
+ d.dump_roas("%s.roas.csv" % d.name)
+ d.dump_ghostbusters("%s.ghostbusters.vcard" % d.name)
+
+ if not d.is_hosted:
+ if not quiet:
+ print "Initializing SQL"
+ d.syncdb()
+ if not quiet:
+ print "Hiring zookeeper"
+ d.hire_zookeeper()
+
+ with d.irdb:
+ if not quiet:
+ print "Creating identity"
+ x = d.zoo.initialize()
+
+ if d.is_root:
+ if not quiet:
+ print "Creating RPKI root certificate and TAL"
+ d.dump_root()
+ x = d.zoo.configure_rootd()
+
+ else:
+ with d.parent.irdb:
+ x = d.parent.zoo.configure_child(x.file)[0]
+ x = d.zoo.configure_parent(x.file)[0]
+
+ with d.pubd.irdb:
+ x = d.pubd.zoo.configure_publication_client(x.file, flat = flat_publication)[0]
+ d.zoo.configure_repository(x.file)
+
+ if loopback and not d.is_hosted:
+ with d.irdb:
+ d.zoo.write_bpki_files()
+
+ ts()
+
+ if not loopback:
+ if not quiet:
+ print
+ for d in db:
+ d.dump_sql()
+
+if __name__ == "__main__":
+ main()
diff --git a/ca/tests/yamltest-test-all.sh b/ca/tests/yamltest-test-all.sh
new file mode 100644
index 00000000..8daea04e
--- /dev/null
+++ b/ca/tests/yamltest-test-all.sh
@@ -0,0 +1,58 @@
+#!/bin/sh -
+# $Id$
+
+# Copyright (C) 2009-2013 Internet Systems Consortium ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+set -x
+
+export TZ=UTC
+
+test -z "$STY" && exec screen -L sh $0
+
+screen -X split
+screen -X focus
+
+: ${runtime=900}
+
+for yaml in smoketest.*.yaml
+do
+ settitle "$yaml: Starting"
+ rm -rf test rcynic-data
+ python sql-cleaner.py
+ now=$(date +%s)
+ finish=$(($now + $runtime))
+ title="$yaml: will finish at $(date -r $finish)"
+ settitle "$title"
+ screen sh -c "settitle '$title'; exec python yamltest.py -p yamltest.pid $yaml"
+ date
+ sleep 180
+ date
+ while test $(date +%s) -lt $finish
+ do
+ sleep 30
+ date
+ ../../rcynic/rcynic
+ ../../rcynic/rcynic-text rcynic.xml
+ ../../utils/scan_roas/scan_roas rcynic-data/authenticated
+ date
+ echo "$title"
+ done
+ if test -r yamltest.pid
+ then
+ kill -INT $(cat yamltest.pid)
+ sleep 30
+ fi
+ make backup
+done
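Review bot: `date -r $finish` (the "will finish at" title) is the BSD form that formats an epoch; on GNU coreutils `date -r` takes a filename, so it fails and `title` is left without the finish time, and the loop still runs because the script never sets `-e`. A portable form is `finish_str=$(date -r "$finish" 2>/dev/null || date -d "@$finish")`, then `title="$yaml: will finish at $finish_str"`. Separately, `kill -INT $(cat yamltest.pid)` passes an empty argument list if the pidfile exists but is empty (yamltest.py writes it at startup, before its own try block completes), which makes `kill` print usage rather than stop the daemon; `pid=$(cat yamltest.pid); test -n "$pid" && kill -INT "$pid"` is the safer shape. `settitle` and `sql-cleaner.py` are not defined in this diff, so I cannot tell whether they are present on every machine this is meant to run on.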
diff --git a/ca/tests/yamltest.py b/ca/tests/yamltest.py
new file mode 100644
index 00000000..5eb3bd2f
--- /dev/null
+++ b/ca/tests/yamltest.py
@@ -0,0 +1,875 @@
+#!/usr/bin/env python
+
+"""
+Test framework, using the same YAML test description format as
+smoketest.py, but using the rpkic.py tool to do all the back-end
+work. Reads YAML file, generates .csv and .conf files, runs daemons
+and waits for one of them to exit.
+"""
+
+# $Id$
+#
+# Copyright (C) 2013--2014 Dragon Research Labs ("DRL")
+# Portions copyright (C) 2009--2012 Internet Systems Consortium ("ISC")
+# Portions copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notices and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND DRL, ISC, AND ARIN DISCLAIM ALL
+# WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DRL,
+# ISC, OR ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+# CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+# OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+# Much of the YAML handling code lifted from smoketest.py.
+#
+# Still to do:
+#
+# - Implement smoketest.py-style delta actions, that is, modify the
+# allocation database under control of the YAML file, dump out new
+# .csv files, and run rpkic.py again to feed resulting changes into
+# running daemons.
+#
+
+# pylint: disable=W0702,W0621
+
+import subprocess
+import re
+import os
+import argparse
+import sys
+import yaml
+import signal
+import time
+import lxml.etree
+import rpki.resource_set
+import rpki.sundial
+import rpki.config
+import rpki.log
+import rpki.csv_utils
+import rpki.x509
+import rpki.relaxng
+
+# Nasty regular expressions for parsing config files. Sadly, while
+# the Python ConfigParser supports writing config files, it does so in
+# such a limited way that it's easier just to hack this ourselves.
+
+section_regexp = re.compile(r"\s*\[\s*(.+?)\s*\]\s*$")
+variable_regexp = re.compile(r"\s*([-a-zA-Z0-9_]+)\s*=\s*(.+?)\s*$")
+
+def cleanpath(*names):
+ """
+ Construct normalized pathnames.
+ """
+ return os.path.normpath(os.path.join(*names))
+
+# Pathnames for various things we need
+
+this_dir = os.getcwd()
+test_dir = cleanpath(this_dir, "yamltest.dir")
+rpkid_dir = cleanpath(this_dir, "..")
+
+prog_rpkic = cleanpath(rpkid_dir, "rpkic")
+prog_rpkid = cleanpath(rpkid_dir, "rpkid")
+prog_irdbd = cleanpath(rpkid_dir, "irdbd")
+prog_pubd = cleanpath(rpkid_dir, "pubd")
+prog_rootd = cleanpath(rpkid_dir, "rootd")
+
+class roa_request(object):
+ """
+ Representation of a ROA request.
+ """
+
+ def __init__(self, asn, ipv4, ipv6):
+ self.asn = asn
+ self.v4 = rpki.resource_set.roa_prefix_set_ipv4("".join(ipv4.split())) if ipv4 else None
+ self.v6 = rpki.resource_set.roa_prefix_set_ipv6("".join(ipv6.split())) if ipv6 else None
+
+ def __eq__(self, other):
+ return self.asn == other.asn and self.v4 == other.v4 and self.v6 == other.v6
+
+ def __hash__(self):
+ v4 = tuple(self.v4) if self.v4 is not None else None
+ v6 = tuple(self.v6) if self.v6 is not None else None
+ return self.asn.__hash__() + v4.__hash__() + v6.__hash__()
+
+ def __str__(self):
+ if self.v4 and self.v6:
+ return "%s: %s,%s" % (self.asn, self.v4, self.v6)
+ else:
+ return "%s: %s" % (self.asn, self.v4 or self.v6)
+
+ @classmethod
+ def parse(cls, y):
+ """
+ Parse a ROA request from YAML format.
+ """
+ return cls(y.get("asn"), y.get("ipv4"), y.get("ipv6"))
+
+
+class router_cert(object):
+ """
+ Representation for a router_cert object.
+ """
+
+ _ecparams = None
+
+ @classmethod
+ def ecparams(cls):
+ if cls._ecparams is None:
+ cls._ecparams = rpki.x509.KeyParams.generateEC()
+ return cls._ecparams
+
+ def __init__(self, asn, router_id):
+ self.asn = rpki.resource_set.resource_set_as("".join(str(asn).split()))
+ self.router_id = router_id
+ self.keypair = rpki.x509.ECDSA.generate(self.ecparams())
+ self.pkcs10 = rpki.x509.PKCS10.create(keypair = self.keypair)
+ self.gski = self.pkcs10.gSKI()
+
+ def __eq__(self, other):
+ return self.asn == other.asn and self.router_id == other.router_id and self.gski == other.gski
+
+ def __hash__(self):
+ v6 = tuple(self.v6) if self.v6 is not None else None
+ return tuple(self.asn).__hash__() + self.router_id.__hash__() + self.gski.__hash__()
+
+ def __str__(self):
+ return "%s: %s: %s" % (self.asn, self.router_id, self.gski)
+
+ @classmethod
+ def parse(cls, yaml):
+ return cls(yaml.get("asn"), yaml.get("router_id"))
+
+class allocation_db(list):
+ """
+ Our allocation database.
+ """
+
+ def __init__(self, yaml):
+ list.__init__(self)
+ self.root = allocation(yaml, self)
+ assert self.root.is_root
+ if self.root.crl_interval is None:
+ self.root.crl_interval = 60 * 60
+ if self.root.regen_margin is None:
+ self.root.regen_margin = 24 * 60 * 60
+ if self.root.base.valid_until is None:
+ self.root.base.valid_until = rpki.sundial.now() + rpki.sundial.timedelta(days = 2)
+ for a in self:
+ if a.base.valid_until is None:
+ a.base.valid_until = a.parent.base.valid_until
+ if a.crl_interval is None:
+ a.crl_interval = a.parent.crl_interval
+ if a.regen_margin is None:
+ a.regen_margin = a.parent.regen_margin
+ self.root.closure()
+ self.map = dict((a.name, a) for a in self)
+ for a in self:
+ if a.is_hosted:
+ a.hosted_by = self.map[a.hosted_by]
+ a.hosted_by.hosts.append(a)
+ assert not a.is_root and not a.hosted_by.is_hosted
+
+ def dump(self):
+ """
+ Show contents of allocation database.
+ """
+ for a in self:
+ a.dump()
+
+
+class allocation(object):
+ """
+ One entity in our allocation database. Every entity in the database
+ is assumed to hold resources, so needs at least rpkic services.
+ Entities that don't have the hosted_by property run their own copies
+ of rpkid, irdbd, and pubd, so they also need myirbe services.
+ """
+
+ base_port = None
+ parent = None
+ crl_interval = None
+ regen_margin = None
+ rootd_port = None
+ engine = -1
+ rpkid_port = -1
+ irdbd_port = -1
+ pubd_port = -1
+ rsync_port = -1
+ rootd_port = -1
+ rpkic_counter = 0L
+
+ @classmethod
+ def allocate_port(cls):
+ """
+ Allocate a TCP port.
+ """
+ cls.base_port += 1
+ return cls.base_port
+
+ base_engine = -1
+
+ @classmethod
+ def allocate_engine(cls):
+ """
+ Allocate an engine number, mostly used to construct MySQL database
+ names.
+ """
+ cls.base_engine += 1
+ return cls.base_engine
+
+ def __init__(self, yaml, db, parent = None):
+ db.append(self)
+ self.name = yaml["name"]
+ self.parent = parent
+ self.kids = [allocation(k, db, self) for k in yaml.get("kids", ())]
+ valid_until = None
+ if "valid_until" in yaml:
+ valid_until = rpki.sundial.datetime.from_datetime(yaml.get("valid_until"))
+ if valid_until is None and "valid_for" in yaml:
+ valid_until = rpki.sundial.now() + rpki.sundial.timedelta.parse(yaml["valid_for"])
+ self.base = rpki.resource_set.resource_bag(
+ asn = rpki.resource_set.resource_set_as(yaml.get("asn")),
+ v4 = rpki.resource_set.resource_set_ipv4(yaml.get("ipv4")),
+ v6 = rpki.resource_set.resource_set_ipv6(yaml.get("ipv6")),
+ valid_until = valid_until)
+ if "crl_interval" in yaml:
+ self.crl_interval = rpki.sundial.timedelta.parse(yaml["crl_interval"]).convert_to_seconds()
+ if "regen_margin" in yaml:
+ self.regen_margin = rpki.sundial.timedelta.parse(yaml["regen_margin"]).convert_to_seconds()
+ self.roa_requests = [roa_request.parse(y) for y in yaml.get("roa_request", yaml.get("route_origin", ()))]
+ self.router_certs = [router_cert.parse(y) for y in yaml.get("router_cert", ())]
+ if "ghostbusters" in yaml:
+ self.ghostbusters = yaml.get("ghostbusters")
+ elif "ghostbuster" in yaml:
+ self.ghostbusters = [yaml.get("ghostbuster")]
+ else:
+ self.ghostbusters = []
+ for r in self.roa_requests:
+ if r.v4:
+ self.base.v4 |= r.v4.to_resource_set()
+ if r.v6:
+ self.base.v6 |= r.v6.to_resource_set()
+ for r in self.router_certs:
+ self.base.asn |= r.asn
+ self.hosted_by = yaml.get("hosted_by")
+ self.hosts = []
+ if not self.is_hosted:
+ self.engine = self.allocate_engine()
+ self.rpkid_port = self.allocate_port()
+ self.irdbd_port = self.allocate_port()
+ if self.runs_pubd:
+ self.pubd_port = self.allocate_port()
+ self.rsync_port = self.allocate_port()
+ if self.is_root:
+ self.rootd_port = self.allocate_port()
+
+ def closure(self):
+ """
+ Compute resource closure of this node and its children, to avoid a
+ lot of tedious (and error-prone) duplication in the YAML file.
+ """
+ resources = self.base
+ for kid in self.kids:
+ resources |= kid.closure()
+ self.resources = resources
+ return resources
+
+ def dump(self):
+ """
+ Show content of this allocation node.
+ """
+ print str(self)
+
+ def __str__(self):
+ s = self.name + ":\n"
+ if self.resources.asn: s += " ASNs: %s\n" % self.resources.asn
+ if self.resources.v4: s += " IPv4: %s\n" % self.resources.v4
+ if self.resources.v6: s += " IPv6: %s\n" % self.resources.v6
+ if self.kids: s += " Kids: %s\n" % ", ".join(k.name for k in self.kids)
+ if self.parent: s += " Up: %s\n" % self.parent.name
+ if self.is_hosted: s += " Host: %s\n" % self.hosted_by.name
+ if self.hosts: s += " Hosts: %s\n" % ", ".join(h.name for h in self.hosts)
+ for r in self.roa_requests: s += " ROA: %s\n" % r
+ if not self.is_hosted: s += " IPort: %s\n" % self.irdbd_port
+ if self.runs_pubd: s += " PPort: %s\n" % self.pubd_port
+ if not self.is_hosted: s += " RPort: %s\n" % self.rpkid_port
+ if self.runs_pubd: s += " SPort: %s\n" % self.rsync_port
+ if self.is_root: s += " TPort: %s\n" % self.rootd_port
+ return s + " Until: %s\n" % self.resources.valid_until
+
+ @property
+ def is_root(self):
+ """
+ Is this the root node?
+ """
+ return self.parent is None
+
+ @property
+ def is_hosted(self):
+ """
+ Is this entity hosted?
+ """
+ return self.hosted_by is not None
+
+ @property
+ def runs_pubd(self):
+ """
+ Does this entity run a pubd?
+ """
+ return self.is_root or not (self.is_hosted or only_one_pubd)
+
+ def path(self, *names):
+ """
+ Construct pathnames in this entity's test directory.
+ """
+ return cleanpath(test_dir, self.host.name, *names)
+
+ def csvout(self, fn):
+ """
+ Open and log a CSV output file.
+ """
+ path = self.path(fn)
+ print "Writing", path
+ return rpki.csv_utils.csv_writer(path)
+
+ def up_down_url(self):
+ """
+ Construct service URL for this node's parent.
+ """
+ return "http://localhost:%d/up-down/%s/%s" % (self.parent.host.rpkid_port,
+ self.parent.name,
+ self.name)
+
+ def dump_asns(self):
+ """
+ Write Autonomous System Numbers CSV file.
+ """
+ fn = "%s.asns.csv" % d.name
+ if not args.skip_config:
+ f = self.csvout(fn)
+ for k in self.kids:
+ f.writerows((k.name, a) for a in k.resources.asn)
+ f.close()
+ if not args.stop_after_config:
+ self.run_rpkic("load_asns", fn)
+
+ def dump_prefixes(self):
+ """
+ Write prefixes CSV file.
+ """
+ fn = "%s.prefixes.csv" % d.name
+ if not args.skip_config:
+ f = self.csvout(fn)
+ for k in self.kids:
+ f.writerows((k.name, p) for p in (k.resources.v4 + k.resources.v6))
+ f.close()
+ if not args.stop_after_config:
+ self.run_rpkic("load_prefixes", fn)
+
+ def dump_roas(self):
+ """
+ Write ROA CSV file.
+ """
+ fn = "%s.roas.csv" % d.name
+ if not args.skip_config:
+ f = self.csvout(fn)
+ for g1, r in enumerate(self.roa_requests):
+ f.writerows((p, r.asn, "G%08d%08d" % (g1, g2))
+ for g2, p in enumerate((r.v4 + r.v6 if r.v4 and r.v6 else r.v4 or r.v6 or ())))
+ f.close()
+ if not args.stop_after_config:
+ self.run_rpkic("load_roa_requests", fn)
+
+ def dump_ghostbusters(self):
+ """
+ Write Ghostbusters vCard file.
+ """
+ if self.ghostbusters:
+ fn = "%s.ghostbusters.vcard" % d.name
+ if not args.skip_config:
+ path = self.path(fn)
+ print "Writing", path
+ f = open(path, "w")
+ for i, g in enumerate(self.ghostbusters):
+ if i:
+ f.write("\n")
+ f.write(g)
+ f.close()
+ if not args.stop_after_config:
+ self.run_rpkic("load_ghostbuster_requests", fn)
+
+ def dump_router_certificates(self):
+ """
+ Write EE certificates (router certificates, etc).
+ """
+ if self.router_certs:
+ fn = "%s.routercerts.xml" % d.name
+ if not args.skip_config:
+ path = self.path(fn)
+ print "Writing", path
+ xmlns = "{http://www.hactrn.net/uris/rpki/router-certificate/}"
+ xml = lxml.etree.Element(xmlns + "router_certificate_requests", version = "1")
+ for r in self.router_certs:
+ x = lxml.etree.SubElement(xml, xmlns + "router_certificate_request",
+ router_id = str(r.router_id),
+ asn = str(r.asn),
+ valid_until = str(self.resources.valid_until))
+ x.text = r.pkcs10.get_Base64()
+ rpki.relaxng.router_certificate.assertValid(xml)
+ lxml.etree.ElementTree(xml).write(path, pretty_print = True)
+ if not args.stop_after_config:
+ self.run_rpkic("add_router_certificate_request", fn)
+
+ @property
+ def pubd(self):
+ """
+ Walk up tree until we find somebody who runs pubd.
+ """
+ s = self
+ while not s.runs_pubd:
+ s = s.parent
+ return s
+
+ @property
+ def client_handle(self):
+ """
+ Work out what pubd configure_publication_client will call us.
+ """
+ path = []
+ s = self
+ if not args.flat_publication:
+ while not s.runs_pubd:
+ path.append(s)
+ s = s.parent
+ path.append(s)
+ return ".".join(i.name for i in reversed(path))
+
+ @property
+ def host(self):
+ return self.hosted_by or self
+
+ def dump_conf(self):
+ """
+ Write configuration file for OpenSSL and RPKI tools.
+ """
+
+ r = dict(
+ handle = self.name,
+ run_rpkid = str(not self.is_hosted),
+ run_pubd = str(self.runs_pubd),
+ run_rootd = str(self.is_root),
+ irdbd_sql_database = "irdb%d" % self.engine,
+ irdbd_sql_username = "irdb",
+ rpkid_sql_database = "rpki%d" % self.engine,
+ rpkid_sql_username = "rpki",
+ rpkid_server_host = "localhost",
+ rpkid_server_port = str(self.rpkid_port),
+ irdbd_server_host = "localhost",
+ irdbd_server_port = str(self.irdbd_port),
+ rootd_server_port = str(self.rootd_port),
+ pubd_sql_database = "pubd%d" % self.engine,
+ pubd_sql_username = "pubd",
+ pubd_server_host = "localhost",
+ pubd_server_port = str(self.pubd.pubd_port),
+ publication_rsync_server = "localhost:%s" % self.pubd.rsync_port,
+ bpki_servers_directory = self.path(),
+ publication_base_directory = self.path("publication"),
+ shared_sql_password = "fnord")
+
+ r.update(config_overrides)
+
+ f = open(self.path("rpki.conf"), "w")
+ f.write("# Automatically generated, do not edit\n")
+ print "Writing", f.name
+
+ section = None
+ for line in open(cleanpath(rpkid_dir, "examples/rpki.conf")):
+ m = section_regexp.match(line)
+ if m:
+ section = m.group(1)
+ m = variable_regexp.match(line)
+ option = m.group(1) if m and section == "myrpki" else None
+ if option and option in r:
+ line = "%s = %s\n" % (option, r[option])
+ f.write(line)
+
+ f.close()
+
+ def dump_rsyncd(self):
+ """
+ Write rsyncd configuration file.
+ """
+
+ if self.runs_pubd:
+ f = open(self.path("rsyncd.conf"), "w")
+ print "Writing", f.name
+ f.writelines(s + "\n" for s in
+ ("# Automatically generated, do not edit",
+ "port = %d" % self.rsync_port,
+ "address = localhost",
+ "[rpki]",
+ "log file = rsyncd.log",
+ "read only = yes",
+ "use chroot = no",
+ "path = %s" % self.path("publication"),
+ "comment = RPKI test",
+ "[root]",
+ "log file = rsyncd_root.log",
+ "read only = yes",
+ "use chroot = no",
+ "path = %s" % self.path("publication.root"),
+ "comment = RPKI test root"))
+ f.close()
+
+ @classmethod
+ def next_rpkic_counter(cls):
+ cls.rpkic_counter += 10000
+ return str(cls.rpkic_counter)
+
+ def run_rpkic(self, *argv):
+ """
+ Run rpkic for this entity.
+ """
+ cmd = [prog_rpkic, "-i", self.name, "-c", self.path("rpki.conf")]
+ if args.profile:
+ cmd.append("--profile")
+ cmd.append(self.path("rpkic.%s.prof" % rpki.sundial.now()))
+ cmd.extend(str(a) for a in argv if a is not None)
+ print 'Running "%s"' % " ".join(cmd)
+ env = os.environ.copy()
+ env["YAMLTEST_RPKIC_COUNTER"] = self.next_rpkic_counter()
+ subprocess.check_call(cmd, cwd = self.host.path(), env = env)
+
+ def run_python_daemon(self, prog):
+ """
+ Start a Python daemon and return a subprocess.Popen object
+ representing the running daemon.
+ """
+ basename = os.path.splitext(os.path.basename(prog))[0]
+ cmd = [prog, "-d", "-c", self.path("rpki.conf")]
+ if args.profile and basename != "rootd":
+ cmd.append("--profile")
+ cmd.append(self.path(basename + ".prof"))
+ log = basename + ".log"
+ p = subprocess.Popen(cmd,
+ cwd = self.path(),
+ stdout = open(self.path(log), "w"),
+ stderr = subprocess.STDOUT)
+ print 'Running %s for %s: pid %d process %r' % (" ".join(cmd), self.name, p.pid, p)
+ return p
+
+ def run_rpkid(self):
+ """
+ Run rpkid.
+ """
+ return self.run_python_daemon(prog_rpkid)
+
+ def run_irdbd(self):
+ """
+ Run irdbd.
+ """
+ return self.run_python_daemon(prog_irdbd)
+
+ def run_pubd(self):
+ """
+ Run pubd.
+ """
+ return self.run_python_daemon(prog_pubd)
+
+ def run_rootd(self):
+ """
+ Run rootd.
+ """
+ return self.run_python_daemon(prog_rootd)
+
+ def run_rsyncd(self):
+ """
+ Run rsyncd.
+ """
+ p = subprocess.Popen(("rsync", "--daemon", "--no-detach", "--config", "rsyncd.conf"),
+ cwd = self.path())
+ print "Running rsyncd for %s: pid %d process %r" % (self.name, p.pid, p)
+ return p
+
+def create_root_certificate(db_root):
+
+ print "Creating rootd RPKI root certificate"
+
+ root_resources = rpki.resource_set.resource_bag(
+ asn = rpki.resource_set.resource_set_as("0-4294967295"),
+ v4 = rpki.resource_set.resource_set_ipv4("0.0.0.0/0"),
+ v6 = rpki.resource_set.resource_set_ipv6("::/0"))
+
+ root_key = rpki.x509.RSA.generate(quiet = True)
+
+ root_uri = "rsync://localhost:%d/rpki/" % db_root.pubd.rsync_port
+
+ root_sia = (root_uri, root_uri + "root.mft", None)
+
+ root_cert = rpki.x509.X509.self_certify(
+ keypair = root_key,
+ subject_key = root_key.get_public(),
+ serial = 1,
+ sia = root_sia,
+ notAfter = rpki.sundial.now() + rpki.sundial.timedelta(days = 365),
+ resources = root_resources)
+
+ f = open(db_root.path("publication.root/root.cer"), "wb")
+ f.write(root_cert.get_DER())
+ f.close()
+
+ f = open(db_root.path("root.key"), "wb")
+ f.write(root_key.get_DER())
+ f.close()
+
+ f = open(os.path.join(test_dir, "root.tal"), "w")
+ f.write("rsync://localhost:%d/root/root.cer\n\n" % db_root.pubd.rsync_port)
+ f.write(root_key.get_public().get_Base64())
+ f.close()
+
+
+
+os.environ["TZ"] = "UTC"
+time.tzset()
+
+parser = argparse.ArgumentParser(description = __doc__)
+parser.add_argument("-c", "--config",
+ help = "configuration file")
+parser.add_argument("-f", "--flat_publication", action = "store_true",
+ help = "disable hierarchical publication")
+parser.add_argument("-k", "--keep_going", action = "store_true",
+ help = "keep going until all subprocesses exit")
+parser.add_argument("-p", "--pidfile",
+ help = "save pid to this file")
+parser.add_argument("--skip_config", action = "store_true",
+ help = "skip over configuration phase")
+parser.add_argument("--stop_after_config", action = "store_true",
+ help = "stop after configuration phase")
+parser.add_argument("--synchronize", action = "store_true",
+ help = "synchronize IRDB with daemons")
+parser.add_argument("--profile", action = "store_true",
+ help = "enable profiling")
+parser.add_argument("yaml_file", type = argparse.FileType("r"),
+ help = "YAML description of test network")
+args = parser.parse_args()
+
+try:
+
+ if args.pidfile is not None:
+ open(args.pidfile, "w").write("%s\n" % os.getpid())
+
+ rpki.log.init("yamltest", use_syslog = False)
+
+ # Allow optional config file for this tool to override default
+ # passwords: this is mostly so that I can show a complete working
+ # example without publishing my own server's passwords.
+
+ cfg = rpki.config.parser(args.config, "yamltest", allow_missing = True)
+
+ only_one_pubd = cfg.getboolean("only_one_pubd", True)
+ allocation.base_port = cfg.getint("base_port", 4400)
+
+ config_overrides = dict(
+ (k, cfg.get(k))
+ for k in ("rpkid_sql_password", "irdbd_sql_password", "pubd_sql_password",
+ "rpkid_sql_username", "irdbd_sql_username", "pubd_sql_username")
+ if cfg.has_option(k))
+
+ # Start clean, maybe
+
+ if not args.skip_config:
+ for root, dirs, files in os.walk(test_dir, topdown = False):
+ for fn in files:
+ os.unlink(os.path.join(root, fn))
+ for d in dirs:
+ os.rmdir(os.path.join(root, d))
+
+ # Read first YAML doc in file and process as compact description of
+ # test layout and resource allocations. Ignore subsequent YAML docs,
+ # they're for smoketest.py, not this script.
+
+ db = allocation_db(yaml.safe_load_all(args.yaml_file).next())
+
+ # Show what we loaded
+
+ #db.dump()
+
+ if args.skip_config:
+
+ print "Skipping pre-daemon configuration, assuming you already did that"
+
+ else:
+
+ # Set up each entity in our test, create publication directories,
+ # and initialize server BPKI.
+
+ for d in db:
+ if not d.is_hosted:
+ os.makedirs(d.path())
+ d.dump_conf()
+ if d.runs_pubd:
+ os.makedirs(d.path("publication"))
+ d.dump_rsyncd()
+ if d.is_root:
+ os.makedirs(d.path("publication.root"))
+ d.run_rpkic("initialize_server_bpki")
+
+ # Initialize resource holding BPKI and generate self-descriptor
+ # for each entity.
+
+ for d in db:
+ d.run_rpkic("create_identity", d.name)
+
+ # Create RPKI root certificate.
+
+ create_root_certificate(db.root)
+
+ # Set up rootd.
+
+ db.root.run_rpkic("configure_root")
+
+ # From here on we need to pay attention to initialization order. We
+ # used to do all the pre-configure_daemons stuff before running any
+ # of the daemons, but that doesn't work right in hosted cases, so we
+ # have to interleave configuration with starting daemons, just as
+ # one would in the real world for this sort of thing.
+
+ progs = []
+
+ try:
+
+ for d in db:
+
+ if not d.is_hosted:
+ print
+ print "Running daemons for", d.name
+ if d.is_root:
+ progs.append(d.run_rootd())
+ progs.append(d.run_irdbd())
+ progs.append(d.run_rpkid())
+ if d.runs_pubd:
+ progs.append(d.run_pubd())
+ progs.append(d.run_rsyncd())
+
+ if args.synchronize or not args.skip_config:
+
+ print
+ print "Giving daemons time to start up"
+ time.sleep(20)
+ assert all(p.poll() is None for p in progs)
+
+ if args.skip_config:
+
+ print
+ print "Skipping configure_*, you'll have to do that yourself if needed"
+
+ else:
+
+ for d in db:
+
+ print
+ print "Configuring", d.name
+ print
+ if d.is_root:
+ assert not d.is_hosted
+ d.run_rpkic("configure_publication_client",
+ "--flat" if args.flat_publication else None,
+ d.path("%s.%s.repository-request.xml" % (d.name, d.name)))
+ print
+ d.run_rpkic("configure_repository",
+ d.path("%s.repository-response.xml" % d.client_handle))
+ print
+ else:
+ d.parent.run_rpkic("configure_child",
+ "--valid_until", d.resources.valid_until,
+ d.path("%s.identity.xml" % d.name))
+ print
+ d.run_rpkic("configure_parent",
+ d.parent.path("%s.%s.parent-response.xml" % (d.parent.name, d.name)))
+ print
+ d.pubd.run_rpkic("configure_publication_client",
+ "--flat" if args.flat_publication else None,
+ d.path("%s.%s.repository-request.xml" % (d.name, d.parent.name)))
+ print
+ d.run_rpkic("configure_repository",
+ d.pubd.path("%s.repository-response.xml" % d.client_handle))
+ print
+
+ print
+ print "Done with initial configuration"
+ print
+
+ if args.synchronize:
+ print
+ print "Synchronizing"
+ print
+ for d in db:
+ if not d.is_hosted:
+ d.run_rpkic("synchronize")
+
+ if args.synchronize or not args.skip_config:
+ print
+ print "Loading CSV files"
+ print
+ for d in db:
+ d.dump_asns()
+ d.dump_prefixes()
+ d.dump_roas()
+ d.dump_ghostbusters()
+ d.dump_router_certificates()
+
+ # Wait until something terminates.
+
+ if not args.stop_after_config or args.keep_going:
+ print
+ print "Waiting for daemons to exit"
+ signal.signal(signal.SIGCHLD, lambda *dont_care: None)
+ while (any(p.poll() is None for p in progs)
+ if args.keep_going else
+ all(p.poll() is None for p in progs)):
+ signal.pause()
+
+ finally:
+
+ print
+ print "Shutting down"
+ print
+
+ signal.signal(signal.SIGCHLD, signal.SIG_DFL)
+
+ if args.profile:
+ how_long = 300
+ else:
+ how_long = 30
+
+ how_often = how_long / 2
+
+ for i in xrange(how_long):
+ if i % how_often == 0:
+ for p in progs:
+ if p.poll() is None:
+ print "Politely nudging pid %d" % p.pid
+ p.terminate()
+ print
+ if all(p.poll() is not None for p in progs):
+ break
+ time.sleep(1)
+
+ for p in progs:
+ if p.poll() is None:
+ print "Pulling the plug on pid %d" % p.pid
+ p.kill()
+
+ for p in progs:
+ print "Program pid %d %r returned %d" % (p.pid, p, p.wait())
+
+finally:
+ if args.pidfile is not None:
+ os.unlink(args.pidfile)
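Review bot: `router_cert.__hash__` reads `self.v6`, which `router_cert.__init__` never sets, so hashing any router_cert (putting one in a set or using it as a dict key) raises AttributeError; the `v6 = tuple(self.v6) ...` line is a leftover from `roa_request.__hash__` and should be deleted, leaving `return tuple(self.asn).__hash__() + self.router_id.__hash__() + self.gski.__hash__()`. Nothing in this file appears to hash a router_cert, so the failure is latent, but it will surface as soon as someone deduplicates them. In the same class, `dump_asns`, `dump_prefixes`, `dump_roas`, `dump_ghostbusters` and `dump_router_certificates` build their file names from the module-level loop variable `d` (`fn = "%s.asns.csv" % d.name`) rather than `self.name`; this only works because they are called from the `for d in db:` loop at the bottom of the script, and any other caller would silently write into the wrong entity's directory. Finally, `create_root_certificate` writes `root.key` with the process umask; this is a throwaway test key, but if the harness is ever pointed at a shared host, opening it via `os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` would keep it from being world-readable.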
diff --git a/ca/upgrade-scripts/upgrade-rpkid-to-0.5709.py b/ca/upgrade-scripts/upgrade-rpkid-to-0.5709.py
new file mode 100644
index 00000000..aa8e3ec1
--- /dev/null
+++ b/ca/upgrade-scripts/upgrade-rpkid-to-0.5709.py
@@ -0,0 +1,38 @@
+# $Id$
+#
+# Copyright (C) 2014 Dragon Research Labs ("DRL")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND DRL DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL DRL BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+"""
+Upgrade RPKI SQL databases to schema expected by 0.5709.
+
+This code is evaluated in the context of rpki-sql-setup's
+do_apply_upgrades() function and has access to its variables.
+"""
+
+db.cur.execute("""
+ CREATE TABLE ee_cert (
+ ee_cert_id SERIAL NOT NULL,
+ ski BINARY(20) NOT NULL,
+ cert LONGBLOB NOT NULL,
+ published DATETIME,
+ self_id BIGINT UNSIGNED NOT NULL,
+ ca_detail_id BIGINT UNSIGNED NOT NULL,
+ PRIMARY KEY (ee_cert_id),
+ CONSTRAINT ee_cert_self_id
+ FOREIGN KEY (self_id) REFERENCES self (self_id) ON DELETE CASCADE,
+ CONSTRAINT ee_cert_ca_detail_id
+ FOREIGN KEY (ca_detail_id) REFERENCES ca_detail (ca_detail_id) ON DELETE CASCADE
+ ) ENGINE=InnoDB
+""")