authorRob Austein <sra@hactrn.net>2010-09-16 21:30:30 +0000
committerRob Austein <sra@hactrn.net>2010-09-16 21:30:30 +0000
commitbe7b735fa44c0158d8ab0bc65157df45a7b45783 (patch)
tree87cfad3c536758d9eeaf96a3d16d2ad57ba5e7a5 /rpkid.without_tls/examples
parent46f13adda8ac616fa45410dc2e28a2dcc006e973 (diff)
Preliminary version of rpkid et al with all the TLS code ripped out.
Not quite ready for cutover yet, may need some conversion tools and instructions, but checking this into a branch (well, sort of) so that others can look at the code changes involved, try it out themselves, etc. At some point this will merge back into rpkid/ directory and there will be only one, without TLS, but converting the testbed is going to require a flag day, so need to keep the TLS version around until then. svn path=/rpkid.without_tls; revision=3449
Diffstat (limited to 'rpkid.without_tls/examples')
-rw-r--r--rpkid.without_tls/examples/asns.csv5
-rw-r--r--rpkid.without_tls/examples/myrpki.conf458
-rw-r--r--rpkid.without_tls/examples/prefixes.csv8
-rw-r--r--rpkid.without_tls/examples/roas.csv5
-rw-r--r--rpkid.without_tls/examples/rsyncd.conf45
5 files changed, 521 insertions, 0 deletions
diff --git a/rpkid.without_tls/examples/asns.csv b/rpkid.without_tls/examples/asns.csv
new file mode 100644
index 00000000..9d742740
--- /dev/null
+++ b/rpkid.without_tls/examples/asns.csv
@@ -0,0 +1,5 @@
+# $Id$
+#
+# Syntax: <child_handle> <asn>
+#
+Alice 64533
diff --git a/rpkid.without_tls/examples/myrpki.conf b/rpkid.without_tls/examples/myrpki.conf
new file mode 100644
index 00000000..3ef99fd6
--- /dev/null
+++ b/rpkid.without_tls/examples/myrpki.conf
@@ -0,0 +1,458 @@
+################################################################
+#
+# $Id: myrpki.conf 2722 2009-08-31 22:24:48Z sra $
+#
+# Config file for myrpki.py and RPKI daemons.
+#
+# NB: This config file is read both by Python code and also by the
+# OpenSSL command line tool (running under mypki), so syntax must
+# remain compatable with both parsers, and there's a big chunk of
+# OpenSSL voodoo towards the end of this file.
+#
+################################################################
+
+[myrpki]
+
+# Handle naming hosted resource-holding entity (<self/>) represented
+# by this myrpki instance. Syntax is an identifier (ASCII letters,
+# digits, hyphen, underscore -- no whitespace, non-ASCII characters,
+# or other punctuation). You need to set this.
+
+handle = Me
+
+# Names of various files and directories. Don't change these without
+# a good reason.
+
+roa_csv = roas.csv
+prefix_csv = prefixes.csv
+asn_csv = asns.csv
+xml_filename = myrpki.xml
+bpki_resources_directory = bpki/resources
+bpki_servers_directory = bpki/servers
+
+# Whether you want to run your own copy of rpkid (and irdbd). You
+# want this on unless somebody else is hosting rpkid service for you.
+
+run_rpkid = true
+
+# DNS hostname and server port numbers for rpkid and irdbd, if you're
+# running them. rpkid's server host has to be a publicly reachable
+# name to be useful; irdbd's server host should always be localhost
+# unless you really know what you are doing. Port numbers can be any
+# legal TCP port number that you're not using for something else.
+
+rpkid_server_host = rpkid.example.org
+rpkid_server_port = 4404
+irdbd_server_host = localhost
+irdbd_server_port = 4403
+
+# Whether you want to run your own copy of pubd. In general, it's
+# best to use your parent's pubd if you can, to reduce the overall
+# number of publication sites that relying parties need to check, so
+# don't enable this unless you have a good reason.
+
+run_pubd = false
+
+# DNS hostname and server port number for pubd, if you're running it.
+# Hostname has to be a publicly reachable name to be useful, port can
+# be any legal TCP port number that you're not using for something
+# else.
+
+pubd_server_host = pubd.example.org
+pubd_server_port = 4402
+
+# Contact information to include in offers of repository service.
+# This only matters when we're running pubd. This should be a human
+# readable string, perhaps containing an email address or URL.
+
+pubd_contact_info = repo-man@rpki.example.org
+
+# Whether you want to run your very own copy of rootd. Don't enable
+# this unless you really know what you're doing.
+
+run_rootd = false
+
+# Server port number for rootd, if you're running it. This can be any
+# legal TCP port number that you're not using for something else.
+
+rootd_server_port = 4401
+
+# Root of local directory tree where pubd (and rootd, sigh) should
+# write out published data. You need to configure this, and the
+# configuration should match up with the directory where you point
+# rsyncd. Neither pubd nor rsyncd much cares -where- you tell them to
+# put this stuff, the important thing is that the rsync:// URIs in
+# generated certificates match up with the published objects so that
+# relying parties can find and verify rpkid's published outputs.
+
+publication_base_directory = publication/
+
+# rsyncd module name corresponding to publication_base_directory.
+# This has to match the module you configured into rsyncd.conf.
+# Leave this alone unless you have some need to change it.
+
+publication_rsync_module = rpki
+
+# Hostname and optional port number for rsync:// URIs. In most cases
+# this should just be the same value as pubd_server_host.
+
+publication_rsync_server = ${myrpki::pubd_server_host}
+
+# SQL configuration. You can ignore this if you're not running any of
+# the daemons yourself.
+
+# If you're comfortable with having all of the databases use the same
+# MySQL username and password, set those values here. It's ok to
+# leave the default username alone, but you should use a locally
+# generated password either here or in the individual settings below.
+
+shared_sql_username = rpki
+shared_sql_password = fnord
+
+# If you want different usernames and passwords for the separate SQL
+# databases, enter those settings here; the shared_sql_* settings are
+# only referenced here, so you can remove them entirely if you're
+# setting everything in this block.
+
+rpkid_sql_database = rpkid
+rpkid_sql_username = ${myrpki::shared_sql_username}
+rpkid_sql_password = ${myrpki::shared_sql_password}
+
+irdbd_sql_database = irdbd
+irdbd_sql_username = ${myrpki::shared_sql_username}
+irdbd_sql_password = ${myrpki::shared_sql_password}
+
+pubd_sql_database = pubd
+pubd_sql_username = ${myrpki::shared_sql_username}
+pubd_sql_password = ${myrpki::shared_sql_password}
+
+# Name of OpenSSL binary. You might need to change this if you have
+# no system copy installed, or if the system copy doesn't support CMS.
+# The copy of openssl built by this package should suffice.
+
+openssl = openssl
+
+# End of [myrpki] section
+
+#################################################################
+#
+# In theory it should not be necessary to modify anything below this
+# point, at least not if you're within the boundaries of the
+# simplified configuration that the myrpki tool is intended to
+# support. If you do have to modify anything below this point, please
+# report it.
+#
+#################################################################
+
+[rpkid]
+
+# MySQL database name, user name, and password for rpkid to use to
+# store its data.
+
+sql-database = ${myrpki::rpkid_sql_database}
+sql-username = ${myrpki::rpkid_sql_username}
+sql-password = ${myrpki::rpkid_sql_password}
+
+# Host and port on which rpkid should listen for HTTP service
+# requests.
+
+server-host = ${myrpki::rpkid_server_host}
+server-port = ${myrpki::rpkid_server_port}
+
+# HTTP service URL rpkid should use to contact irdbd. If irdbd is
+# running on the same machine as rpkid, this can and probably should
+# be a loopback URL, since nobody but rpkid needs to talk to irdbd.
+
+irdb-url = http://${myrpki::irdbd_server_host}:${myrpki::irdbd_server_port}/
+
+# Where rpkid should look for BPKI certs and keys used in the
+# left-right protocol. The following values match where myirbe.py
+# will have placed things. Don't change these without a reason.
+
+bpki-ta = ${myrpki::bpki_servers_directory}/ca.cer
+rpkid-key = ${myrpki::bpki_servers_directory}/rpkid.key
+rpkid-cert = ${myrpki::bpki_servers_directory}/rpkid.cer
+irdb-cert = ${myrpki::bpki_servers_directory}/irdbd.cer
+irbe-cert = ${myrpki::bpki_servers_directory}/irbe.cer
+
+#################################################################
+
+[irdbd]
+
+# MySQL database name, user name, and password for irdbd to use to
+# store its data.
+
+sql-database = ${myrpki::irdbd_sql_database}
+sql-username = ${myrpki::irdbd_sql_username}
+sql-password = ${myrpki::irdbd_sql_password}
+
+# HTTP service URL irdbd should listen on. This should match the
+# irdb-url parameter in the [rpkid] section; see comments there.
+
+http-url = http://${myrpki::irdbd_server_host}:${myrpki::irdbd_server_port}/
+
+# Where irdbd should look for BPKI certs and keys used in the
+# left-right protocol. The following values match where myirbe.py
+# will have placed things. Don't change these without a reason.
+
+bpki-ta = ${myrpki::bpki_servers_directory}/ca.cer
+rpkid-cert = ${myrpki::bpki_servers_directory}/rpkid.cer
+irdbd-cert = ${myrpki::bpki_servers_directory}/irdbd.cer
+irdbd-key = ${myrpki::bpki_servers_directory}/irdbd.key
+
+#################################################################
+
+[pubd]
+
+# MySQL database name, user name, and password for pubd to use to
+# store (some of) its data.
+
+sql-database = ${myrpki::pubd_sql_database}
+sql-username = ${myrpki::pubd_sql_username}
+sql-password = ${myrpki::pubd_sql_password}
+
+# Root of directory tree where pubd should write out published data.
+# You need to configure this, and the configuration should match up
+# with the directory where you point rsyncd. Neither pubd nor rsyncd
+# much cares -where- you tell them to put this stuff, the important
+# thing is that the rsync:// URIs in generated certificates match up
+# with the published objects so that relying parties can find and
+# verify rpkid's published outputs.
+
+publication-base = ${myrpki::publication_base_directory}
+
+# Host and port on which pubd should listen for HTTP service
+# requests.
+
+server-host = ${myrpki::pubd_server_host}
+server-port = ${myrpki::pubd_server_port}
+
+# Where pubd should look for BPKI certs and keys used in the
+# left-right protocol. The following values match where myirbe.py
+# will have placed things. Don't change these without a reason.
+
+bpki-ta = ${myrpki::bpki_servers_directory}/ca.cer
+pubd-cert = ${myrpki::bpki_servers_directory}/pubd.cer
+pubd-key = ${myrpki::bpki_servers_directory}/pubd.key
+irbe-cert = ${myrpki::bpki_servers_directory}/irbe.cer
+
+#################################################################
+
+[irbe_cli]
+
+# HTTP service URL for rpkid
+
+rpkid-url = http://${myrpki::rpkid_server_host}:${myrpki::rpkid_server_port}/left-right/
+
+# BPKI certificates and keys for talking to rpkid
+
+rpkid-bpki-ta = ${myrpki::bpki_servers_directory}/ca.cer
+rpkid-irbe-key = ${myrpki::bpki_servers_directory}/irbe.key
+rpkid-irbe-cert = ${myrpki::bpki_servers_directory}/irbe.cer
+rpkid-cert = ${myrpki::bpki_servers_directory}/rpkid.cer
+
+# HTTP service URL for pubd
+
+pubd-url = http://${myrpki::pubd_server_host}:${myrpki::pubd_server_port}/control/
+
+# BPKI certificates and keys for talking to pubd
+
+pubd-bpki-ta = ${myrpki::bpki_servers_directory}/ca.cer
+pubd-irbe-key = ${myrpki::bpki_servers_directory}/irbe.key
+pubd-irbe-cert = ${myrpki::bpki_servers_directory}/irbe.cer
+pubd-cert = ${myrpki::bpki_servers_directory}/pubd.cer
+
+#################################################################
+
+[rootd]
+
+# You don't need to run rootd unless you're IANA, are certifying
+# private address space, or are an RIR which refuses to accept IANA as
+# the root of the public address hierarchy.
+#
+# Ok, if that wasn't enough to scare you off: rootd is a kludge, and
+# needs to be rewritten, or, better, merged into rpkid. It does a
+# number of things wrong, and requires far too many configuration
+# parameters. You have been warned....
+
+# BPKI certificates and keys for rootd
+
+bpki-ta = ${myrpki::bpki_servers_directory}/ca.cer
+rootd-bpki-crl = ${myrpki::bpki_servers_directory}/ca.crl
+rootd-bpki-cert = ${myrpki::bpki_servers_directory}/rootd.cer
+rootd-bpki-key = ${myrpki::bpki_servers_directory}/rootd.key
+child-bpki-cert = ${myrpki::bpki_servers_directory}/child.cer
+
+# Server port on which rootd should listen.
+
+server-port = ${myrpki::rootd_server_port}
+
+# Where rootd should write its output. Yes, rootd should be using
+# pubd instead of publishing directly, but it doesn't.
+
+rpki-root-dir = ${myrpki::publication_base_directory}
+
+# rsync URI for directory containing rootd's outputs
+
+rpki-base-uri = rsync://${myrpki::publication_rsync_server}/${myrpki::publication_rsync_module}/
+
+# rsync URI for rootd's root (self-signed) RPKI certificate
+
+rpki-root-cert-uri = rsync://${myrpki::publication_rsync_server}/${myrpki::publication_rsync_module}/root.cer
+
+# Private key corresponding to rootd's root RPKI certificate
+
+rpki-root-key = ${myrpki::bpki_servers_directory}/ca.key
+
+# Filename (as opposed to rsync URI) of rootd's root RPKI certificate
+
+rpki-root-cert = ${myrpki::publication_base_directory}/root.cer
+
+# Where rootd should stash a copy of the PKCS #10 request it gets from
+# its one (and only) child
+
+rpki-subject-pkcs10 = rootd.subject.pkcs10
+
+# Lifetime of the one and only certificate rootd issues
+
+rpki-subject-lifetime = 30d
+
+# Filename (relative to rootd-base-uri and rpki-root-dir) of the CRL
+# for rootd's root RPKI certificate
+
+rpki-root-crl = root.crl
+
+# Filename (relative to rootd-base-uri and rpki-root-dir) of the
+# manifest for rootd's root RPKI certificate
+
+rpki-root-manifest = root.mnf
+
+# Up-down protocol class name for RPKI certificate rootd issues to its
+# one (and only) child
+
+rpki-class-name = ${myrpki::handle}
+
+# Filename (relative to rootd-base-uri and rpki-root-dir) of the one
+# (and only) RPKI certificate rootd issues
+
+rpki-subject-cert = ${myrpki::handle}.cer
+
+# The last four paramters in this section are really parameters for
+# myirbe.py to use when constructing rootd's root RPKI certificate,
+# via an indirection hack in the OpenSSL voodoo portion of this file.
+# Don't ask why some of these are duplicated from other paramters in
+# this section, you don't want to know (really, you don't).
+
+# ASNs to include in rootd's root RPKI certificate, in openssl.conf format
+
+root_cert_asns = AS:0-4294967295
+
+# IP addresses to include in rootd's root RPKI certificate, in
+# openssl.conf format
+
+root_cert_addrs = IPv4:0.0.0.0/0,IPv6:0::/0
+
+# Whatever you put in rpki-base-uri, earlier in this section
+
+root_cert_sia = rsync://${myrpki::publication_rsync_server}/${myrpki::publication_rsync_module}/
+
+# root_cert_sia + rpki-root-manifest
+
+root_cert_manifest = rsync://${myrpki::publication_rsync_server}/${myrpki::publication_rsync_module}/root.mnf
+
+#################################################################
+
+# Constants for OpenSSL voodoo portion of this file, to make them
+# easier to find.
+
+[constants]
+
+# Digest algorithm. Don't change this.
+
+digest = sha256
+
+# RSA key length. Don't change this.
+
+key_length = 2048
+
+# Lifetime of BPKI certificates (and rootd RPKI root certificate).
+# Don't change this unless you know what you're doing.
+
+cert_days = 365
+
+# Lifetime of BPKI CRLs. Don't change this unless you know what
+# you're doing.
+
+crl_days = 365
+
+#################################################################
+
+# The rest of this file is OpenSSL configuration voodoo. Don't touch
+# anything below here even if you -do- know what you're doing. Even
+# by OpenSSL standards, some of this is weird, and interacts in
+# non-obvious ways with code in myrpki.py and myirbe.py. If you touch
+# this stuff and something breaks, don't say you weren't warned.
+
+[req]
+default_bits = ${constants::key_length}
+default_md = ${constants::digest}
+distinguished_name = req_dn
+prompt = no
+encrypt_key = no
+
+[req_dn]
+CN = Dummy name for certificate request
+
+[ca_x509_ext_ee]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+[ca_x509_ext_xcert0]
+basicConstraints = critical,CA:true,pathlen:0
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+[ca_x509_ext_xcert1]
+basicConstraints = critical,CA:true,pathlen:1
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+[ca_x509_ext_ca]
+basicConstraints = critical,CA:true
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+[ca]
+default_ca = ca
+dir = ${ENV::BPKI_DIRECTORY}
+new_certs_dir = $dir
+database = $dir/index
+certificate = $dir/ca.cer
+private_key = $dir/ca.key
+default_days = ${constants::cert_days}
+default_crl_days = ${constants::crl_days}
+default_md = ${constants::digest}
+policy = ca_dn_policy
+unique_subject = no
+serial = $dir/serial
+crlnumber = $dir/crl_number
+
+[ca_dn_policy]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+givenName = optional
+surname = optional
+
+[rootd_x509_extensions]
+basicConstraints = critical,CA:true
+subjectKeyIdentifier = hash
+keyUsage = critical,keyCertSign,cRLSign
+subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:${rootd::root_cert_sia},1.3.6.1.5.5.7.48.10;URI:${rootd::root_cert_manifest}
+sbgp-autonomousSysNum = critical,${rootd::root_cert_asns}
+sbgp-ipAddrBlock = critical,${rootd::root_cert_addrs}
+certificatePolicies = critical,1.3.6.1.5.5.7.14.2
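Review bot: `shared_sql_password = fnord`, which the `rpkid_sql_password`, `irdbd_sql_password` and `pubd_sql_password` keys reference through `${myrpki::shared_sql_password}`, ships a working, well-known default for the MySQL credentials, so an operator who skips the "use a locally generated password" advice ends up running with a guessable database password; prefer an obviously-placeholder value such as `shared_sql_password = CHANGE-ME` (or an empty value, if the tooling rejects an empty password), and add a line to the file header noting that this file holds database credentials and private-key paths and should not be world-readable. Separately, the comments above `rpki-root-crl`, `rpki-root-manifest` and `rpki-subject-cert` say "relative to rootd-base-uri", but the key defined earlier in the `[rootd]` section is `rpki-base-uri`; the comments should name the key that actually exists. Minor: "compatable" in the file header and "paramters" in the `[rootd]` section are typos.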
diff --git a/rpkid.without_tls/examples/prefixes.csv b/rpkid.without_tls/examples/prefixes.csv
new file mode 100644
index 00000000..ece18d32
--- /dev/null
+++ b/rpkid.without_tls/examples/prefixes.csv
@@ -0,0 +1,8 @@
+# $Id$
+#
+# Syntax: <child_handle> <prefix>/<length>
+# or: <child_handle> <min>-<max>
+#
+Alice 192.0.2.0/27
+Bob 192.0.2.44-192.0.2.100
+Bob 10.0.0.0/8
diff --git a/rpkid.without_tls/examples/roas.csv b/rpkid.without_tls/examples/roas.csv
new file mode 100644
index 00000000..e4ec3074
--- /dev/null
+++ b/rpkid.without_tls/examples/roas.csv
@@ -0,0 +1,5 @@
+# $Id$
+#
+# Syntax: <prefix>/<length>-<maxlength> <asn> <group>
+#
+10.3.0.44/32 666 Mom
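Review bot: The header `# Syntax: <prefix>/<length>-<maxlength> <asn> <group>` presents `-<maxlength>` as a required part of the first field, yet the only example row, `10.3.0.44/32 666 Mom`, omits it. If maxlength is optional (presumably falling back to the prefix length when absent), the header should say so, e.g. `# Syntax: <prefix>/<length>[-<maxlength>] <asn> <group>`; otherwise the example row is malformed as documented. Which of the two holds is decided by the parser in myrpki.py, which is outside this diff.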
diff --git a/rpkid.without_tls/examples/rsyncd.conf b/rpkid.without_tls/examples/rsyncd.conf
new file mode 100644
index 00000000..fabb5aa2
--- /dev/null
+++ b/rpkid.without_tls/examples/rsyncd.conf
@@ -0,0 +1,45 @@
+# $Id$
+#
+# Sample rsyncd.conf file for use with pubd. You may need to
+# customize this for the conventions on your system. See the rsync
+# and rsyncd.conf manual pages for a complete explanation of how to
+# configure rsyncd, this is just a simple configuration to get you
+# started.
+#
+# There are two parameters in the following which you should set to
+# appropriate values for your system:
+#
+# "myname" is the rsync module name to configure, as in
+# "rsync://rpki.example.org/rpki/"; see the publication_rsync_module
+# parameter in myrpki.conf
+#
+# "/some/where/publication" is the absolute pathname of the directory
+# where you told pubd to place its outputs; see the
+# publication_base_directory parameter in myrpki.conf.
+#
+# You may need to adjust other parameters for your system environment.
+#
+# Copyright (C) 2009-2010 Internet Systems Consortium ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+pid file = /var/run/rsyncd.pid
+uid = nobody
+gid = nobody
+
+[rpki]
+ use chroot = no
+ read only = yes
+ transfer logging = yes
+ path = /some/where/publication
+ comment = RPKI Testbed
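Review bot: The header says there are two values to set and names the module placeholder as `"myname"`, but the module header below is `[rpki]` — `myname` appears nowhere in the file, so the instruction cannot be followed as written; either rename the section to `[myname]` to match the prose, or change the comment to refer to `[rpki]` and state that it must equal the `publication_rsync_module` value in myrpki.conf. Also, for a module served read-only to the public, `use chroot = no` is the weaker choice: `use chroot = yes` confines the daemon to `path` and is rsyncd's default, so if `no` is deliberate (for example to avoid needing root at startup for the chroot), a one-line comment above it saying why would let operators make that call knowingly. The indented keys under `[rpki]` are accepted by rsyncd's parser but differ from the flush-left global keys above; one style throughout would read better.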