author | Rob Austein <sra@hactrn.net> | 2007-12-24 06:36:18 +0000 |
---|---|---|
committer | Rob Austein <sra@hactrn.net> | 2007-12-24 06:36:18 +0000 |
commit | e62cfb013638b5e68218c0702e88c6c4dfeb06f9 (patch) | |
tree | 93b5b864915a92a03e805062cf3b5b6d7f8b1e27 /scripts/Old | |
parent | 6923ec5709af6f4fa5ea8e6e9af9265f5b9e213f (diff) |
Cleanup
svn path=/scripts/Old/check-hashes.sh; revision=1434
Diffstat (limited to 'scripts/Old')
-rw-r--r-- | scripts/Old/check-hashes.sh | 13 | ||||
-rwxr-xr-x | scripts/Old/encode-test.py | 161 | ||||
-rw-r--r-- | scripts/Old/gen-verify-test.pl | 104 | ||||
-rw-r--r-- | scripts/Old/generate-testrepo.pl | 337 | ||||
-rw-r--r-- | scripts/Old/gki.pl | 46 | ||||
-rw-r--r-- | scripts/Old/make-hashes.pl | 42 | ||||
-rw-r--r-- | scripts/Old/master.sh | 24 | ||||
-rw-r--r-- | scripts/Old/mirror-apnic.sh | 12 | ||||
-rw-r--r-- | scripts/Old/mirror-ripe.sh | 46 | ||||
-rw-r--r-- | scripts/Old/resource-set.py | 83 | ||||
-rw-r--r-- | scripts/Old/test-pow.py | 89 | ||||
-rw-r--r-- | scripts/Old/test-sql.py | 36 | ||||
-rw-r--r-- | scripts/Old/uri.pl | 53 |
13 files changed, 1046 insertions, 0 deletions
diff --git a/scripts/Old/check-hashes.sh b/scripts/Old/check-hashes.sh
new file mode 100644
index 00000000..87c140de
--- /dev/null
+++ b/scripts/Old/check-hashes.sh
@@ -0,0 +1,13 @@
+#!/bin/sh -
+# $Id$
+
+: ${openssl=/u/sra/isc/route-pki/subvert-rpki.hactrn.net/openssl/openssl/apps/openssl}
+: ${switches='-verbose -crl_check_all -policy_check -explicit_policy -policy 1.3.6.1.5.5.7.14.2 -x509_strict'}
+: ${hashtree=hashed}
+
+find $hashtree -type f -name '*.[0-9]*' 2>&1 -print -exec \
+ $openssl verify $switches -CApath $(find $hashtree -type d | tr \\012 : | sed 's=:$==') {} \;
+
+# Hack for analyzing results of running this script:
+#
+# awk -F: '/^hashed/ && NF == 1 {f = $0; p = 1; next} /^hashed/ && NF == 2 && $1 == f && $2 == " OK" {next} p {print "\n" f; p = 0} {print}' check-hashes.log
diff --git a/scripts/Old/encode-test.py b/scripts/Old/encode-test.py
new file mode 100755
index 00000000..b4709866
--- /dev/null
+++ b/scripts/Old/encode-test.py 
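Review bot: The `-CApath` argument built from `find $hashtree -type d` hands `openssl verify` every directory of the hashed tree, so every certificate written there — not only the out-of-band trust anchors — is eligible to serve as a trust root, and a chain ending at a bogus self-signed certificate mirrored from a remote repository would still print `OK`. Anchor verification at the trust anchors only, e.g. `-CAfile "$tafile"` holding just the TA PEMs plus `-untrusted` for the mirrored CA certificates (check how the OpenSSL build in `$openssl` wants the untrusted set supplied; it may need a single concatenated PEM). `$hashtree` is also expanded unquoted in both `find` invocations and the `$(...)` result is unquoted after `-CApath`; `$switches` is deliberate word-splitting, but the path expansions should be double-quoted.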
@@ -0,0 +1,161 @@ +# $Id$ + +import os + +def run(func, arg, *cmd): + i, o = func(cmd) + i.write(arg) + i.close() + value = o.read() + o.close() + return value + +def encode(xml, cer, key): + return run(os.popen2, xml, "openssl", "smime", "-sign", "-nodetach", "-outform", "PEM", "-signer", cer, "-inkey", key) + +def decode(cms, dir): + return run(os.popen2, cms, "openssl", "smime", "-verify", "-inform", "PEM", "-CApath", dir) + +def relaxng(xml, rng): + return run(os.popen4, xml, "xmllint", "--noout", "--relaxng", rng, "-") + +def main(): + dir = "biz-certs" + cer = "biz-certs/Alice-EE.cer" + key = "biz-certs/Alice-EE.key" + rng = "up-down-schema.rng" + + for x in xml: + print x + e = encode(x, cer, key) + print e + d = decode(e, dir) + print d + v = relaxng(d, rng) + print v + print "=====\n" + +# Ugly inline stuff here for initial testing + +xml = [ +'''<?xml version="1.0" encoding="UTF-8"?> +<message xmlns="http://www.apnic.net/specs/rescerts/up-down/" + version="1" + sender="sender name" + recipient="recipient name" + msg_ref="42" + type="error_response"> + <status>2001</status> + <last_msg_processed>17</last_msg_processed> + <description xml:lang="en-US">[Readable text]</description> +</message> +''', +'''<?xml version="1.0" encoding="UTF-8"?> +<message xmlns="http://www.apnic.net/specs/rescerts/up-down/" + version="1" + sender="sender name" + recipient="recipient name" + msg_ref="42" type="issue"> + <request class_name="class name" + req_resource_set_as="" + req_resource_set_ipv4="10.0.0.44/32" + req_resource_set_ipv6="dead:beef::/32"> + deadbeef + </request> +</message> +''', +'''<?xml version="1.0" encoding="UTF-8"?> +<message xmlns="http://www.apnic.net/specs/rescerts/up-down/" + version="1" + sender="sender name" + recipient="recipient name" + msg_ref="1" + type="issue_response"> + <class class_name="class name" + cert_url="url" + cert_ski="g(ski)" + resource_set_as="22,42,44444-5555555" + resource_set_ipv4="10.0.0.44-10.3.0.44,10.6.0.2/32" + 
resource_set_ipv6="dead:beef::/128"> + <certificate cert_url="url" + cert_ski="g(ski)" + cert_aki="g(aki)" + cert_serial="1" + resource_set_as="14-17" + resource_set_ipv4="128.224.1.136/22" + resource_set_ipv6="0:0::/22" + req_resource_set_as="" + req_resource_set_ipv4="10.0.0.77/16,127.0.0.1/8" + req_resource_set_ipv6="dead:beef::/16" + status="match"> + deadbeef + </certificate> + <issuer>deadbeef</issuer> + </class> +</message> +''', +'''<?xml version="1.0" encoding="UTF-8"?> +<message xmlns="http://www.apnic.net/specs/rescerts/up-down/" + version="1" + sender="sender name" + recipient="recipient name" + msg_ref="42" + type="list"/> +''', +'''<?xml version="1.0" encoding="UTF-8"?> +<message xmlns="http://www.apnic.net/specs/rescerts/up-down/" + version="1" + sender="sender name" + recipient="recipient name" + msg_ref="42" + type="list_response"> + <class class_name="class name" + cert_url="url" + cert_ski="g(ski)" + resource_set_as="1,2,4,6,16-32" + resource_set_ipv4="128.224.1.1-128.22.4.32" + resource_set_ipv6="" + suggested_sia_head="rsync://wombat.example/fnord/"> + <certificate cert_url="url" + cert_ski="g(ski)" + cert_aki="g(aki)" + cert_serial="1" + resource_set_as="" + resource_set_ipv4="" + resource_set_ipv6="" + req_resource_set_as="" + req_resource_set_ipv4="" + req_resource_set_ipv6="" + status="match"> + deadbeef + </certificate> + <!-- Repeated for each current certificate naming the client as subject --> + <issuer>deadbeef</issuer> + </class> +</message> +''', +'''<?xml version="1.0" encoding="UTF-8"?> +<message xmlns="http://www.apnic.net/specs/rescerts/up-down/" + version="1" + sender="sender name" + recipient="recipient name" + msg_ref="42" + type="revoke"> + <key class_name="class name" + ski="g(ski)"/> +</message> +''', +'''<?xml version="1.0" encoding="UTF-8"?> +<message xmlns="http://www.apnic.net/specs/rescerts/up-down/" + version="1" + sender="sender name" + recipient="recipient name" + msg_ref="42" + type="revoke_response"> + <key 
class_name="class name" + ski="g(ski)"/> +</message> +''' +] + +main() diff --git a/scripts/Old/gen-verify-test.pl b/scripts/Old/gen-verify-test.pl new file mode 100644 index 00000000..e1b53579 --- /dev/null +++ b/scripts/Old/gen-verify-test.pl 
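Review bot: `decode` discards the exit status of `openssl smime -verify`: `run` only reads stdout, and the `os.popen2`/`os.popen4` handles it closes carry no return code, so a message whose signature fails to verify yields an empty or partial string that is then fed to `relaxng` and printed as if the round trip had succeeded. Replace the `popen` calls in `run` with `subprocess.Popen` (add `import subprocess` at the top) and raise when the child exits non-zero; the `func` parameter can be kept so the two callers are untouched, with `os.popen4` mapped to merged stderr. Separately, `-CApath biz-certs` trusts every certificate in that directory, including `Alice-EE.cer` itself, so the test does not demonstrate that a chain to a CA was checked; point it at a directory holding only the CA certificate.
```python
def run(func, arg, *cmd):
    # func is kept for the callers: popen4 means "merge stderr into stdout"
    merge = subprocess.STDOUT if func is os.popen4 else None
    p = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=merge)
    out = p.communicate(arg)[0]
    if p.returncode != 0:
        raise RuntimeError("%s exited with status %d" % (cmd[0], p.returncode))
    return out
# … unchanged: encode / decode / relaxng / main …
```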
@@ -0,0 +1,104 @@ +: +# $Id$ +eval 'exec perl -w -S $0 ${1+"$@"}' + if 0; + +use strict; + +my $openssl = "/u/sra/isc/route-pki/subvert-rpki.hactrn.net/openssl/openssl/apps/openssl"; + +my $verify_options = "-verbose -crl_check_all -policy_check -explicit_policy -policy 1.3.6.1.5.5.7.14.2 -x509_strict"; + +my $verbose = 1; + +my $debug = $ENV{DEBUG}; + +exit unless (@ARGV); + +# Find all certificates in the repository + +open(F, "-|", "find", @ARGV, qw(-type f -name *.cer)) + or die("Couldn't run find: $!\n"); +chomp(my @files = <F>); +close(F); +@ARGV = (); + +# Snarf all the AIA and CDP values from the certs we're examining. +# Icky screen scraping, better mechanism needed. + +my %aia; +my %cdp; + +for my $f (@files) { + my ($a, $c) = (0, 0); + open(F, "-|", $openssl, qw(x509 -noout -text -inform DER -in), $f) + or die("Couldn't run openssl x509 on $f: $!\n"); + while (<F>) { + chomp; + s{^.+URI:rsync://}{}; + $a = $. + 1 + if (/Authority Information Access:/); + $c = $. + 1 + if (/X509v3 CRL Distribution Points:/); + $aia{$f} = $_ + if ($a && $. == $a); + $cdp{$f} = $_ + if ($c && $. == $c); + } + print(STDERR $f, " ", ($aia{$f} || "-"), " ", ($cdp{$f} || "-"), "\n") + if ($debug); + close(F); +} + +# Sort out ancestry + +my %daddy; + +for my $f (@files) { + next unless ($aia{$f}); + my @daddy = grep({ $_ eq $aia{$f} } @files); + die("Can't figure out who my daddy is! 
$f @{[join(' ', @daddy)]}\n") + if (@daddy > 1); + $daddy{$f} = $daddy[0] + if (@daddy && $daddy[0] ne $f); + print(STDERR "me: $f, daddy: $daddy[0]\n") + if ($debug); +} + +# Generate a test script based on all of the above + +for my $f (@files) { + my @ancestors; + for (my $d = $daddy{$f}; $d; $d = $daddy{$d}) { + push(@ancestors, $d); + } + next unless (@ancestors); + my @crls; + for my $c (map {$cdp{$_}} ($f, @ancestors)) { + push(@crls, $c) + unless (grep {$_ eq $c} @crls); + } + print("echo ", "=" x 40, "\n", + "echo Checking chain:\n") + if ($verbose > 0); + for (($f, @ancestors)) { + print("echo ' Certificate: $_'\n") + if ($verbose > 0); + print("$openssl x509 -noout -text -inform DER -certopt no_header,no_signame,no_validity,no_pubkey,no_sigdump,no_version -in $_\n") + if ($verbose > 1); + } + for (@crls) { + print("echo ' CRL: $_'\n") + if ($verbose > 0); + print("$openssl crl -noout -text -inform DER -in $_\n") + if ($verbose > 1); + } + print("rm -f CAfile.pem cert-in-hand.pem\n"); + print("$openssl x509 -inform DER -outform PEM >>CAfile.pem -in $_\n") + foreach (@ancestors); + print("$openssl crl -inform DER -outform PEM >>CAfile.pem -in $_\n") + foreach (@crls); + print("$openssl x509 -inform DER -outform PEM -out cert-in-hand.pem -in $f\n", + "$openssl verify -CAfile CAfile.pem $verify_options cert-in-hand.pem\n", + "rm -f CAfile.pem cert-in-hand.pem\n"); +} diff --git a/scripts/Old/generate-testrepo.pl b/scripts/Old/generate-testrepo.pl new file mode 100644 index 00000000..bacbe0de --- /dev/null +++ b/scripts/Old/generate-testrepo.pl 
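Review bot: The generated script interpolates repository file names straight into shell command lines without quoting (`-in $_` and `-in $f` in the final loop), and those names come from `find` over directories that master.sh fills by rsync from remote repositories, so a crafted file name in a mirrored repository becomes shell code the moment `verify.sh` is piped into `sh`. Validate the names before anything is generated, e.g. right after `chomp(my @files = <F>);` add `m{^[\w./-]+$} or die("Unsafe file name: $_\n") foreach (@files);` (every name starts with a directory from `@ARGV`, so a leading `-` is not a concern there, but single-quoting the paths in the printed commands would be reasonable belt and braces). The list-form `open(F, "-|", $openssl, ...)` used for the screen-scraping step is already shell-safe.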
@@ -0,0 +1,337 @@ +# $Id$ + +# Hack to generate a small test repository for testing Apache + OpenSSL + RPKI + +use strict; + +my %resources; +my %parent; +my @ordering; +my %hashes; + +my $openssl = "../../openssl/openssl/apps/openssl"; +my $subdir = "apacheca"; +my $passwd = "fnord"; +my $keybits = 2048; +my $verbose = 0; +my $debug = 1; +my $revoke = 0; + +sub openssl { + print(STDERR join(" ", qw(+ openssl), @_), "\n") + if ($debug); + !system($openssl, @_) + or die("openssl @_ returned $?\n"); +} + +# Ok, this is a bit complicated, but the idea is to let us specify the +# resources we're giving to each leaf entity and let the program do +# the work of figuring out what resources each issuers need to have, +# the order in which we need to generate the certificates, which +# certificates need to sign which other certificates, etcetera. +# +# This would be much easier to read in a sane language (eg, Scheme). + +{ + my @ctx; + my $loop ; + $loop= sub { + my $x = shift; + if (ref($x) eq "HASH") { + while (my ($k, $v) = each(%$x)) { + $parent{$k} = $ctx[@ctx - 1]; + push(@ordering, $k); + push(@ctx, $k); $loop->($v); pop(@ctx); + } + } else { + for my $c (@ctx) { push(@{$resources{$c}}, @$x) } + } + }; + $loop->({ + RIR => { + LIR1 => { + ISP1 => [IPv4 => "192.0.2.1-192.0.2.33", AS => "64533"], + ISP2 => [IPv4 => "192.0.2.44-192.0.2.100"], + }, + LIR2 => { + ISP3 => [IPv6 => "2001:db8::44-2001:db8::100"], + ISP4 => [IPv6 => "2001:db8::10:0:44", AS => "64544"], + }, + }, + }); +} + +# Put this stuff into a subdirectory + +mkdir($subdir) unless (-d $subdir); +chdir($subdir) or die; + +# Generate configurations for each entity. 
+ +while (my ($entity, $resources) = each(%resources)) { + my %r; + print($entity, ":\n") + if ($verbose); + for (my $i = 0; $i < @$resources; $i += 2) { + printf(" %4s: %s\n", $resources->[$i], $resources->[$i+1]) + if ($verbose); + push(@{$r{$resources->[$i]}}, $resources->[$i+1]); + } + open(F, ">${entity}.cnf") or die; + print(F <<EOF); + + [ ca ] + default_ca = ca_default + + [ ca_default ] + + certificate = ${entity}.cer + serial = ${entity}/serial + private_key = ${entity}.key + database = ${entity}/index + new_certs_dir = ${entity} + name_opt = ca_default + cert_opt = ca_default + default_days = 365 + default_crl_days = 30 + default_md = sha1 + preserve = no + copy_extensions = copy + policy = ca_policy_anything + unique_subject = no + + [ ca_policy_anything ] + countryName = optional + stateOrProvinceName = optional + localityName = optional + organizationName = optional + organizationalUnitName = optional + commonName = supplied + emailAddress = optional + givenName = optional + surname = optional + + [ req ] + default_bits = $keybits + encrypt_key = no + distinguished_name = req_dn + x509_extensions = req_x509_ext + prompt = no + + [ req_dn ] + + CN = TEST ENTITY $entity + + [ req_x509_ext ] + + basicConstraints = critical,CA:true + subjectKeyIdentifier = hash + authorityKeyIdentifier = keyid + keyUsage = critical,keyCertSign,cRLSign + subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombats-r-us.hactrn.net/ + +EOF + + print(F <<EOF) if ($parent{$entity}); + + authorityInfoAccess = caIssuers;URI:rsync://wombats-r-us.hactrn.net/$parent{$entity}.cer + +EOF + + print(F <<EOF) if ($r{AS} || $r{RDI}); + + sbgp-autonomousSysNum = critical,\@asid_ext + +EOF + + print(F <<EOF) if ($r{IPv4} || $r{IPv6}); + + sbgp-ipAddrBlock = critical,\@addr_ext + +EOF + + print(F <<EOF); + + [ asid_ext ] + +EOF + + for my $n (qw(AS RDI)) { + my $i = 0; + for my $a (@{$r{$n}}) { + print(F "\t", $n, ".", $i++, " = ", $a, "\n"); + } + } + + print(F <<EOF); + + + [ addr_ext ] + 
+EOF + + for my $n (qw(IPv4 IPv6)) { + my $i = 0; + for my $a (@{$r{$n}}) { + print(F "\t", $n, ".", $i++, " = ", $a, "\n"); + } + } + close(F); +} + +# Revoke old certificates, maybe. + +if ($revoke) { + for my $cert (glob("*/*.pem")) { + my $conf = (split("/", $cert))[0] . ".cnf"; + openssl("ca", "-verbose", "-config", $conf, "-revoke", $cert); + unlink($cert); + } +} + +# Run OpenSSL to create the keys and certificates. We generate keys +# separately to avoid wasting /dev/random bits if we need to change +# the configuration. + +for my $entity (@ordering) { + openssl("genrsa", "-out", "${entity}.key", $keybits) + unless (-f "${entity}.key"); + openssl("req", "-new", "-config", "${entity}.cnf", "-key", "${entity}.key", "-out", "${entity}.req"); + + mkdir($entity) + unless (-d $entity); + if (!-f "${entity}/index") { + open(F, ">${entity}/index") or die; + close(F); + } + if (!-f "${entity}/serial") { + open(F, ">${entity}/serial") or die; + print(F "01\n") or die; + close(F); + } + + openssl("ca", "-batch", "-verbose", "-out", "${entity}.cer", "-in", "${entity}.req", + "-extensions", "req_x509_ext", "-extfile", "${entity}.cnf", + ($parent{$entity} + ? 
("-config", "${parent{$entity}}.cnf") + : ("-config", "${entity}.cnf", "-selfsign"))); +} + +# Generate CRLs + +for my $entity (@ordering) { + openssl("ca", "-batch", "-verbose", "-out", "${entity}.crl", + "-config", "${entity}.cnf", "-gencrl"); +} + +# Generate EE certs + +for my $parent (@ordering) { + my $entity = "${parent}-EE"; + open(F, ">${entity}.cnf") or die; + print(F <<EOF); + + [ req ] + default_bits = $keybits + encrypt_key = no + distinguished_name = req_dn + x509_extensions = req_x509_ext + prompt = no + + [ req_dn ] + + CN = TEST ENDPOINT ENTITY ${entity} + + [ req_x509_ext ] + + basicConstraints = critical,CA:false + subjectKeyIdentifier = hash + authorityKeyIdentifier = keyid + subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombats-r-us.hactrn.net/ + authorityInfoAccess = caIssuers;URI:rsync://wombats-r-us.hactrn.net/$parent.cer + +EOF + + close(F); + openssl("genrsa", "-out", "${entity}.key", $keybits) + unless (-f "${entity}.key"); + openssl("req", "-new", "-config", "${entity}.cnf", "-key", "${entity}.key", "-out", "${entity}.req"); + + mkdir($entity) + unless (-d $entity); + if (!-f "${entity}/index") { + open(F, ">${entity}/index") or die; + close(F); + } + if (!-f "${entity}/serial") { + open(F, ">${entity}/serial") or die; + print(F "01\n") or die; + close(F); + } + + openssl("ca", "-batch", "-verbose", "-config", "${parent}.cnf", + "-extensions", "req_x509_ext", "-extfile", "${entity}.cnf", + "-out", "${entity}.cer", "-in", "${entity}.req"); +} + +# Generate hashes + +for my $cert (map({("$_.cer", "$_-EE.cer")} @ordering)) { + my $hash = `$openssl x509 -noout -hash -in $cert`; + chomp($hash); + $hash .= "."; + $hash .= (0 + $hashes{$hash}++); + unlink($hash) if (-l $hash); + symlink($cert, $hash) + or die("Couldn't link $hash to $cert: $!\n"); +} + +for my $crl (map({"$_.crl"} @ordering)) { + my $hash = `$openssl crl -noout -hash -in $crl`; + chomp($hash); + $hash .= ".r"; + $hash .= (0 + $hashes{$hash}++); + unlink($hash) if (-l 
$hash); + symlink($crl, $hash) + or die("Couldn't link $hash to $crl: $!\n"); +} + +# Generate PKCS12 forms of EE certificates +# -chain argument to pkcs12 requires certificate store, which we configure via an environment variable + +$ENV{SSL_CERT_DIR} = do { my $pwd = `pwd`; chomp($pwd); $pwd; }; + +for my $ee (map({"$_-EE"} @ordering)) { + my @cmd = ("pkcs12", "-export", "-in", "$ee.cer", "-inkey", "$ee.key", "-password", "pass:$passwd"); + openssl(@cmd, "-out", "$ee.p12"); + openssl(@cmd, "-out", "$ee.chain.p12", "-chain"); +} + +# Finally, generate an unrelated self-signed certificate for the server + +my $hostname = `hostname`; +chomp($hostname); +open(F, ">server.cnf") or die; +print(F <<EOF); + + [ req ] + default_bits = $keybits + encrypt_key = no + distinguished_name = req_dn + prompt = no + + [ req_dn ] + + CN = $hostname + +EOF + +close(F); +openssl(qw(genrsa -out server.key), $keybits) + unless (-f "server.key"); +openssl(qw(req -new -config server.cnf -key server.key -out server.req)); +openssl(qw(x509 -req -CAcreateserial -in server.req -out server.cer -signkey server.key)); + +# Local Variables: +# compile-command: "perl generate-testrepo.pl" +# End: diff --git a/scripts/Old/gki.pl b/scripts/Old/gki.pl new file mode 100644 index 00000000..e91c4abe --- /dev/null +++ b/scripts/Old/gki.pl 
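Review bot: `-password pass:$passwd` places the PKCS#12 password on the openssl command line (and `$debug` additionally prints the full argv to stderr), so it is visible in the process table and in any captured log; `fnord` is a throw-away test value, but the pattern gets copied, so prefer `$ENV{P12PASS} = $passwd;` with `"-passout", "env:P12PASS"`, or a `file:` source. Also worth a comment next to `default_md = sha1`: the RPKI algorithm profile (RFC 6485) requires SHA-256 signatures, so a verifier that enforces the profile will reject everything this script produces — presumably acceptable for an Apache + OpenSSL exercise, but it should be stated. The `openssl()` wrapper's list-form `system` is the right choice for the rest of the script.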
@@ -0,0 +1,46 @@ +: +# $Id$ +eval 'exec perl -w -S $0 ${1+"$@"}' + if 0; + +use MIME::Base64; + +sub g { + my $x = shift; + $x =~ s{:}{}g; + $x = pack("H*", $x); + $x = encode_base64($x, ""); + $x =~ y{+/}{-_}; + $x =~ s{=+$}{}; + return $x; +} + +while (@ARGV) { + my ($file, $aki, $ski, $a, $s) = shift(@ARGV); + if ($file =~ /\.cer$/) { + open(F, "-|", qw(openssl x509 -noout -inform DER -text -in), $file) + or die("Couldn't run openssl x509 on $file: $!\n"); + } elsif ($file =~ /\.crl$/) { + open(F, "-|", qw(openssl crl -noout -inform DER -text -in), $file) + or die("Couldn't run openssl x509 on $file: $!\n"); + } else { + next; + } + while (<F>) { + chomp; + s/^\s*//; + s/^keyid://; + $a = $. + 1 + if (/X509v3 Authority Key Identifier:/); + $s = $. + 1 + if (/X509v3 Subject Key Identifier:/); + $aki = $_ + if ($a && $. == $a); + $ski = $_ + if ($s && $. == $s); + } + close(F); + my $gaki = $aki ? g($aki) : "=" x 27; + my $gski = $ski ? g($ski) : "=" x 27; + print("$gaki $gski $file\n"); +} diff --git a/scripts/Old/make-hashes.pl b/scripts/Old/make-hashes.pl new file mode 100644 index 00000000..4b58a9d0 --- /dev/null +++ b/scripts/Old/make-hashes.pl 
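Review bot: The `.crl` branch dies with `Couldn't run openssl x509 on $file` although it ran `openssl crl`; change it to `die("Couldn't run openssl crl on $file: $!\n")`. `g()` deserves a comment stating what it computes, since the `g(ski)` notation appears elsewhere in these tests: `# Key identifier as openssl prints it (hex with colons) -> raw bytes -> base64url without padding; this is the g(ski)/g(aki) form used in the up-down protocol`. The script also has no `use strict` and names its lexicals `$a` and `$s`, where `$a` shadows the `sort` variable; `use strict;` plus `$ai`/`$si` would avoid surprises.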
@@ -0,0 +1,42 @@
+# -*- Perl -*-
+# $Id$
+
+use strict;
+
+my $openssl = "/u/sra/isc/route-pki/subvert-rpki.hactrn.net/openssl/openssl/apps/openssl";
+my $dir = "hashed";
+
+my @cmds;
+my %hashes;
+
+exit unless (@ARGV);
+
+open(F, "-|", "find", @ARGV, qw{-type f ( -name *.cer -o -name *.crl )})
+ or die("Couldn't run find: $!\n");
+
+@ARGV = ();
+
+while (<F>) {
+ chomp;
+ my $f = $_;
+ my $type = /\.cer$/ ? "x509" : "crl";
+ $_ = "$dir/$f";
+ s=/[^/]+$==;
+ my $d = $_;
+ my $h = `$openssl $type -inform DER -in $f -noout -hash`;
+ chomp($h);
+ $h .= ".";
+ $h .= "r" if ($type eq "crl");
+ $h .= 0 + $hashes{$d}{$h}++;
+ push(@cmds, "$openssl $type -inform DER -outform PEM -out $d/$h -in $f\n");
+}
+
+close(F);
+
+print("rm -rf $dir\n");
+
+print("test -d $_ || mkdir -p $_\n")
+ foreach (sort(keys(%hashes)));
+
+print($_)
+ foreach (@cmds);
diff --git a/scripts/Old/master.sh b/scripts/Old/master.sh
new file mode 100644
index 00000000..8f59d357
--- /dev/null
+++ b/scripts/Old/master.sh
@@ -0,0 +1,24 @@
+#!/bin/sh -
+# $Id$
+
+scripts="subvert-rpki.hactrn.net/scripts"
+
+repositories="ca-trial.ripe.net/RIPE ca-trial.ripe.net/ARIN repository.apnic.net"
+
+cd `dirname $0`
+
+. $scripts/mirror-apnic.sh
+. $scripts/mirror-ripe.sh
+
+perl $scripts/gen-verify-test.pl $repositories |
+tee verify.sh |
+sh 2>&1 |
+tee verify.log
+
+perl $scripts/make-hashes.pl $repositories |
+tee make-hashes.sh |
+sh 2>&1 |
+tee make-hashes.log
+
+sh $scripts/check-hashes.sh 2>&1 |
+tee check-hashes.log
diff --git a/scripts/Old/mirror-apnic.sh b/scripts/Old/mirror-apnic.sh
new file mode 100644
index 00000000..995efcb8
--- /dev/null
+++ b/scripts/Old/mirror-apnic.sh 
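Review bot: The backtick line `my $h = \`$openssl $type -inform DER -in $f -noout -hash\`;` interpolates a file name into a shell command, and `$f` comes from `find` over the rsync mirrors that master.sh maintains, so a file name containing shell metacharacters in a remote repository executes as the user running this script — at generation time, before the generated `make-hashes.sh` is even run. Use a list-form pipe open that bypasses the shell, and validate `$f` before it is written into the generated `-out $d/$h -in $f` commands, which master.sh pipes straight into `sh` (`$d` is derived from `$f` and `$h` from the hash output, so checking `$f` covers all three). The change is confined to the body of the `while` loop.
```perl
# … unchanged: chomp / $f / $type / $d …
die("Unsafe file name: $f\n") unless ($f =~ m{^[\w./-]+$});
open(my $hashfh, "-|", $openssl, $type, "-inform", "DER", "-in", $f, "-noout", "-hash")
    or die("Couldn't run openssl $type on $f: $!\n");
my $h = <$hashfh>;
close($hashfh);
# … unchanged: chomp($h) / suffix / push(@cmds, …) …
```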
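Review bot: The pipelines `perl … | tee verify.sh | sh 2>&1 | tee verify.log` execute whatever the generator printed with no way to stop on error, because each stage's exit status is hidden behind `tee` and nothing in the script checks it; the script also begins with an unquoted `cd \`dirname $0\``. Since the generators derive command lines from file names rsync'ed from remote repositories, write the generated script to a file first and run it only after the generator exited 0, e.g. `perl $scripts/gen-verify-test.pl $repositories >verify.sh && sh -e verify.sh 2>&1 | tee verify.log`, and quote the directory change as `cd "$(dirname "$0")" || exit 1`. The relative `scripts=` path presumably relies on how this script is invoked; a comment saying which working directory it expects would save the next reader a guess.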
@@ -0,0 +1,12 @@
+#!/bin/sh -
+# $Id$
+
+# An unknown entity representing itself as gmm says that this is the
+# trust anchor for the APNIC test repository.
+#
+fetch -m -o repository.apnic.net/trust-anchor.cer \
+ http://mirin.apnic.net/resourcecerts/trust-anchor.cer
+
+# Mirror the repository itself
+#
+rsync -aiz --delete rsync://repository.apnic.net/APNIC/ repository.apnic.net/APNIC/
diff --git a/scripts/Old/mirror-ripe.sh b/scripts/Old/mirror-ripe.sh
new file mode 100644
index 00000000..f2ba5a17
--- /dev/null
+++ b/scripts/Old/mirror-ripe.sh 
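Review bot: The trust anchor is fetched over plain HTTP with `fetch -m`, and the comment itself says its provenance is "an unknown entity representing itself as gmm", so anyone who can alter that HTTP response (or the file on mirin.apnic.net) silently replaces the root of trust for everything check-hashes.sh verifies, and mirror mode will keep refreshing it on every run. Pin the fingerprint obtained out of band and refuse to continue on mismatch, e.g. after the fetch: `test "$(openssl x509 -inform DER -noout -fingerprint -sha1 -in repository.apnic.net/trust-anchor.cer)" = "SHA1 Fingerprint=<expected>" || exit 1` (use `-sha256` if the OpenSSL build in use supports it). The rsync of the repository itself over an unauthenticated transport is acceptable only because every object in it is expected to chain to that anchor, which is worth saying in the "Mirror the repository itself" comment.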
@@ -0,0 +1,46 @@
+#!/bin/sh -
+# $Id$
+
+# The following are freshly produced in conformance with Geoff &
+# George's latest developments - I hope.
+
+# Trust Anchors (consider this an out-of-band delivery method):
+
+# RIPE TA:
+fetch -m -o ca-trial.ripe.net/riperoot/repos/root.cer \
+ http://ca-trial.ripe.net/~riperoot/repos/root.cer
+
+# ARIN TA:
+fetch -m -o ca-trial.ripe.net/arinroot/repos/root.cer \
+ http://ca-trial.ripe.net/~arinroot/repos/root.cer
+
+# The repositories are here:
+rsync -aiz --delete rsync://ca-trial.ripe.net/RIPE/ ca-trial.ripe.net/RIPE/
+rsync -aiz --delete rsync://ca-trial.ripe.net/ARIN/ ca-trial.ripe.net/ARIN/
+
+# Some test certificates:
+
+# RIPE->RIPE->ISP:
+fetch -m -o ca-trial.ripe.net/ripeprod/repos/ripe-08.cer \
+ http://ca-trial.ripe.net/~ripeprod/repos/ripe-08.cer
+
+# ARIN->ARIN->ISP:
+fetch -m -o ca-trial.ripe.net/arinprod/repos/arin-01.cer \
+ http://ca-trial.ripe.net/~arinprod/repos/arin-01.cer
+
+# RIPE->ARIN->ISP:
+fetch -m -o ca-trial.ripe.net/arinprod/repos/ripe-01.cer \
+ http://ca-trial.ripe.net/~arinprod/repos/ripe-01.cer
+
+# ARIN->RIPE->ISP:
+fetch -m -o ca-trial.ripe.net/ripeprod/repos/arin-01.cer \
+ http://ca-trial.ripe.net/~ripeprod/repos/arin-01.cer
+
+# I think they work with full up-down chaining, provided that I copied
+# everything in place.
+#
+# George, please look at these, I believe I only need your SIA for these to be
+# ready:
+#
+# RIPE->APNIC cert currently: http://ca-trial.ripe.net/~riperoot/repos/root-0E.cer
+# ARIN->APNIC cert currently: http://ca-trial.ripe.net/~arinroot/repos/root-09.cer
diff --git a/scripts/Old/resource-set.py b/scripts/Old/resource-set.py
new file mode 100644
index 00000000..fe0da8d3
--- /dev/null
+++ b/scripts/Old/resource-set.py 
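Review bot: Both trust anchors (`root.cer` for RIPE and for ARIN) are downloaded over plain HTTP with `fetch -m` and never compared with a known fingerprint, even though the comment calls this "an out-of-band delivery method" — an HTTP download is in-band, so a modified root.cer would be adopted as the new trust root on the next run. Record the expected fingerprints in the script and fail if they differ, e.g. after each TA fetch: `openssl x509 -inform DER -noout -fingerprint -sha1 -in ca-trial.ripe.net/riperoot/repos/root.cer | grep -q '=<expected>$' || exit 1`. The later `fetch` lines for ripe-08.cer and friends do not need this, since those certificates are meant to be verified against the anchors rather than trusted directly.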
@@ -0,0 +1,83 @@ +# $Id$ + +import socket +import re + +class ip_address(object): + + def __init__(self, text): + self.addr = socket.inet_pton(self.af, text) + + def __str__(self): + return socket.inet_ntop(self.af, self.addr) + + def __eq__(self, other): + return self.addr == other.addr + + def __hash__(self): + return self.addr.__hash__() + +class ipv4_address(ip_address): + af = socket.AF_INET + +class ipv6_address(ip_address): + af = socket.AF_INET6 + +class resource(object): + pass + +class asn(resource, long): + pass + +class ip_prefix(resource): + + def __init__(self, addr, prefixlen): + self.addr = self.ac(addr) + self.prefixlen = prefixlen + + def __str__(self): + return str(self.addr) + "/" + str(self.prefixlen) + + def __eq__(self, other): + return self.addr == other.addr and self.prefixlen == other.prefixlen + + def __hash__(self): + return self.addr.__hash__() + self.prefixlen.__hash__() + +class ipv4_prefix(ip_prefix): + ac = ipv4_address + +class ipv6_prefix(ip_prefix): + ac = ipv6_address + +class resource_range(resource): + + def __init__(self, min, max): + assert isinstance(min, resource) and isinstance(max, resource) + self.min = min + self.max = max + + def __str__(self): + return str(self.min) + "-" + str(self.max) + + def __eq__(self, other): + return self.min == other.min and self.max == other.max + + def __hash__(self): + return self.min.__hash__() + self.max.__hash__() + +class resource_set(set): + + def __init__(self, *elts): + for e in elts: + assert isinstance(e, resource) + set.__init__(self, elts) + + def __str__(self): + s = [i for i in self] + s.sort() + return "{" + ", ".join(map(str, s)) + "}" + +s = resource_set(ipv6_prefix("fe80::", 16), ipv4_prefix("10.0.0.44", 32), ipv4_prefix("10.3.0.44", 32)) + +print s diff --git a/scripts/Old/test-pow.py b/scripts/Old/test-pow.py new file mode 100644 index 00000000..06827995 --- /dev/null +++ b/scripts/Old/test-pow.py 
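Review bot: `ip_prefix.__init__` accepts any `prefixlen`, so `ipv4_prefix("10.0.0.0", 40)` or a negative length builds a resource that prints plausibly but cannot be represented as an RFC 3779 address block, and `resource_range.__init__` never checks that `min` does not exceed `max`. Add `assert 0 <= prefixlen <= 8 * len(self.addr.addr), "prefix length out of range"` right after `self.addr = self.ac(addr)`, and `assert not max < min` in `resource_range` (for `asn` the comparison comes from `long`; for address types it would need an `__lt__` that compares `addr`). A comment should also note that `ip_address.__eq__` and `ip_prefix.__eq__` raise `AttributeError` rather than return `False` when `other` is a different resource type (e.g. a `resource_range` has no `addr`), which can surface as an exception from `set` membership tests once `resource_set` holds mixed members, as its constructor permits.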
@@ -0,0 +1,89 @@ +# $Id$ + +import POW, POW.pkix, base64, rpki.ipaddrs, rpki.resource_set + +Alice_EE = """ +MIIDGDCCAgCgAwIBAgIJANkdU8+R7K3dMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV +BAMTGVRlc3QgQ2VydGlmaWNhdGUgQWxpY2UgQ0EwHhcNMDcwNjE5MTk1MzE4WhcN +MDcwNzE5MTk1MzE4WjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEFsaWNl +IEVFMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzxuYZsSzM7J4D/GN +TiSB/EzRF7U91bYIoqZHG/NcLePFJfHKvKd7LuRNXI4WXrUjQ+6VlcQGdPfo6uvZ +9r/UKocS3ATc7p28CkMNM99RcLM4OWg70021MwmS04CaMpUftsQCtSwAVrWkL3dM +C9LuMdChA619q1x56RGrBeqgnk9NfHahUjmqjhUVQejTk2fYfLcINdxUwOQP9GT5 +bQLhf5hxq+QsixyBjB0BE/h1KxCRJITu5JLzCZIxHxMeN/MdDz3T0m1Vhwd7KZZS +H1Iq5WIBArhzuLQsekSL4GmDLXSxuLi68w8W53YEpc4hRzS29+p1mMK5bZMttvYN +hfoVOQIDAQABo00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBTDNm3cT2DjtkzqsI7N +hTSoXmbGsDAfBgNVHSMEGDAWgBRqTejqD9pJQzENNALChYOBrglzEzANBgkqhkiG +9w0BAQUFAAOCAQEAZac7WWRWCItjea9O6YJgB1EUy0NdN7rRuzQSJg9LQfsevwJK +s2R/gV6RF8c53BnexUoVOu5VxSFZin9qRMMZxEMzo3TlFY2JuhPchLFrnYQ5SsjL +w25iLY9xaswZoaAdu4HG5IbN+Drew4Hlfqfoqgi1x79MbL4i+xdPjrHjV+5T/bLE +hADax/Ki7qWOMW2eMWIYuhyHwlqaJaa4xvgSuBdzccPur9nYuYyMQhR5FEtiBrFk +H+SG3DPUYnJjHo/0hqZ+cRRtoNJO00gfgzDUYGIrDak4aGapJsGcJ5/6xIvYKrpu +mkmvYl9m3IB1QYSAtu+0C98ShPgIFNqLvWOceA== +""" + +APNIC_Root = """ +MIIHMjCCBhqgAwIBAgIBcjANBgkqhkiG9w0BAQsFADBNMS4wLAYDVQQDEyVEZW1v +IEFQTklDIFJPT1QgQ0EgLSBOb3QgZm9yIHJlYWwgdXNlMRswGQYJKoZIhvcNAQkB +FgxjYUBhcG5pYy5uZXQwHhcNMDYxMTE2MDU1MDEwWhcNMDcxMTE2MDU1MDEwWjA2 +MTQwMgYDVQQDEytEZW1vIFByb2R1Y3Rpb24gQVBOSUMgQ0EgLSBOb3QgZm9yIHJl +YWwgdXNlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA64tZcEhcMvdF +s0sXVF+op473Px/0ANRBHKl772wzTIBno6I4+RNmh8zkasTh6aKhNwcpkc03AaTs +cFmPrlq5PREyZrO1vzq6McShEH5/FcVLUcHKKq46/f+0mx7ec/ExaeRljHJeIVxJ +TuKUrs87PbPYBz+KI6bjb4e0ICsVgomat6DphPPd3krCBJVNqBD6W2UCv1huK9Kx +6egiWaqAYzcrI3W0TFNA5+RUnjnybB0qg1pOkdgKDOEFnIkl0MnX4ENSWNOnezHF +myV3ypJ+42Zllu5OZacqbPh+UJzHv4rMdfKjwpvn1ofiqglYG74HY2lzXSUyYPuA +cZX9572A9wIDAQABo4IEMjCCBC4wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E 
+BAMCAQYwHQYDVR0OBBYEFKuuiK1khrgRO46sfDwFBwJRwqkcMB8GA1UdIwQYMBaA +FKb6Y78FHkIsdnueF/Hxm4ZnWDKNMBgGA1UdIAEB/wQOMAwwCgYIKwYBBQUHDgIw +PQYDVR0fBDYwNDAyoDCgLoYscnN5bmM6Ly9yZXBvc2l0b3J5LmFwbmljLm5ldC9B +UE5JQy9BUE5JQy5jcmwwTwYIKwYBBQUHAQEEQzBBMD8GCCsGAQUFBzAChjNyc3lu +YzovL3JlcG9zaXRvcnkuYXBuaWMubmV0L1RSVVNUQU5DSE9SUy9hcG5pYy5jZXIw +WwYIKwYBBQUHAQsETzBNMEsGCCsGAQUFBzAFhj9yc3luYzovL3JlcG9zaXRvcnku +YXBuaWMubmV0L0FQTklDL3E2NklyV1NHdUJFN2pxeDhQQVVIQWxIQ3FSdy8wggJF +BggrBgEFBQcBCAEB/wSCAjQwggIwoIICLDCCAigCAgCtAgICqQICBMUCAgTRAgIE +1QICBOICAgZ7AgIGqDAIAgIG6AICBukCAgb1AgIHOwICB/oCAghgAgIJUTAIAgIJ +wQICCeACAgnpAgIJ+gICCgMwCAICCgkCAgoKAgIKiQICCpICAgqZAgIKxAICCswC +AgrUAgILBwICC1sCAgtjMAgCAgttAgILbgICDR0CAg0jAgINNgICDT8CAg1DAgIN +hAICDYYCAg2gAgINtgICDd4wCAICDeYCAg3nAgIN/wICDhUCAg4YMAgCAg5NAgIO +TjAIAgIOaQICDm0CAg5/AgIOhTAIAgIOowICDqQwCAICDq0CAg6uAgIOvQICDr8C +Ag7IMAgCAg7KAgIOywICDuUCAg7xAgIO/DAIAgIO/wICDwACAg9ZAgIPgQICD4gC +Ag+nAgIPyAICD9ECAg/aAgIP3AICECYCAhAuAgIQPjAIAgIQTgICEE8CAhBlAgIQ +agICEJsCAhCyAgIRADAIAgIRHQICER4CAhFPMAgCAhFRAgIRUgICEaMCAhGwAgIR +ugICEfICAhH9MAgCAhIAAgITAAICE2EwCAICE5kCAhOaAgITuwICE90CAhPfAgIW +TQICF7QCAhgTAgIYdgICGdsCAhn4AgIb2wICHAcwCAICHSsCAh4qAgIerwICHt0w +CAICJAACAif/AgIqNwICLMswCAICRAACAkf/AgJM+TAIAgJcAAICX/8wCgIDAJQA +AgMAl/8wewYIKwYBBQUHAQcBAf8EbDBqMDQEAgABMC4wCAMCAToDAgE8MAgDAgB5 +AwIAfgMCAJYDAgCjAwIBygMCAdIwCAMCAdoDAgDeMDIEAgACMCwDBAEgAQIDBAIg +AQwDBAEgAUQwDAMEByABgAMEBCABoDAKAwICJAMEAyQAQDANBgkqhkiG9w0BAQsF +AAOCAQEAxjUMY1cBdWUXWmPOwK6zk8E7BOVR3U7U62AfYqlE75cjt2RhRQBcc0XP +tEG8rl6DJMmzH6XB0+czrsUijeBdRBeC+WTMbJd1ZMzgqrqHgXI0CjdjPMR0k6Dx +qpsdDXmlIuAIUHy/GISIel9N/eXSu8ctsWXV2YYlaf7WVGHIhmJs03iSu324vJSk +vhlLtNxdV+neQhkXT54mrx7mADxWYz5+rjWFvJuiOfQicXJI4uh5oAN8POcfx4hu +7xYYqCunudhilCEz53CCcjzCAx5pW1jl32YdguWEwTf6ttwTnTsXQ0a+waMk4ljw +uMsR5Xzvy12ti/m+7MSTLR1kMxJOFA== +""" + +alice = base64.b64decode(Alice_EE) +apnic = base64.b64decode(APNIC_Root) + +verbose = True + +for der in (alice, apnic): + cert = POW.derRead(POW.X509_CERTIFICATE, der) + 
print cert.pprint() + cert = POW.pkix.Certificate() + cert.fromString(der) + if verbose: + for oid, crit, val in cert.getExtensions(): + print " OID: ", oid, POW.pkix.oid2obj(oid) + print " Crit: ", crit + print " Value:", val + print + bag = rpki.resource_set.parse_extensions(cert.getExtensions()) + if bag.as: print ",".join(map(lambda x: "AS:" + str(x), bag.as)) + if bag.v4: print ",".join(map(lambda x: "IPv4:" + str(x), bag.v4)) + if bag.v6: print ",".join(map(lambda x: "IPv6:" + str(x), bag.v6)) + if bag.as is not None: print bag.as.to_tuple() + if bag.v4 is not None: print bag.v4.to_tuple() + if bag.v6 is not None: print bag.v6.to_tuple() diff --git a/scripts/Old/test-sql.py b/scripts/Old/test-sql.py new file mode 100644 index 00000000..6357ed42 --- /dev/null +++ b/scripts/Old/test-sql.py @@ -0,0 +1,36 @@ +# $Id$ + +import MySQLdb, rpki.config + +def test(filename, section): + + print "[Checking " + filename + "]\n" + + cfg = rpki.config.parser(filename) + + db = MySQLdb.connect(user = cfg.get(section, "sql-username"), + db = cfg.get(section, "sql-database"), + passwd = cfg.get(section, "sql-password")) + + cur = db.cursor() + + def duh(db, cmd, header): + cur.execute(cmd) + print header + print "-" * len(header) + print cur.description + for i in cur.fetchall(): + print i[0] + print + + duh(db, "SHOW DATABASES", "Databases") + duh(db, "SELECT DATABASE()", "Current database") + duh(db, "SHOW TABLES", "Current tables") + + db.close() + +print MySQLdb.Timestamp(2007,6,9,9,45,51), MySQLdb.DateFromTicks(1000), \ + MySQLdb.Binary("Hi, Mom!"), MySQLdb.STRING, MySQLdb.BINARY, MySQLdb.NUMBER, MySQLdb.NULL, "\n" + +test("re.conf", "rpki") +test("irbe.conf", "irdb") diff --git a/scripts/Old/uri.pl b/scripts/Old/uri.pl new file mode 100644 index 00000000..cd029fec --- /dev/null +++ b/scripts/Old/uri.pl 
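Review bot: `bag.as`, used six times at the end of the hunk, takes `as` as an attribute name; `as` became a reserved word in Python 2.6, so this file stops parsing on any interpreter newer than 2.5, and the attribute of `rpki.resource_set`'s bag object that it reads has the same problem wherever it is defined. Read it as `getattr(bag, "as")` as a stop-gap, or better rename the attribute (e.g. `asn`) in `rpki.resource_set` and here. The embedded `APNIC_Root` appears from its subject to be the "Demo APNIC ROOT CA - Not for real use" certificate; a comment next to the constant saying it is a demo anchor with a 2007 expiry would stop anyone mistaking it for a production trust anchor.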
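Review bot: `db.close()` is skipped whenever one of the three `duh` calls raises, and `duh(db, cmd, header)` ignores its `db` argument in favour of the enclosing `cur`; wrap the calls in `try: … finally: db.close()` and either drop the unused parameter or open the cursor from it inside `duh`. `print cur.description` dumps column metadata rather than result rows, which is fine for a connectivity smoke test but deserves a one-line comment saying that is intentional. The config file names `re.conf` and `irbe.conf` are hard-coded at the bottom; taking them from `sys.argv` with these as defaults would let the script be pointed at a test configuration without editing it.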
@@ -0,0 +1,53 @@ +: +# $Id$ +eval 'exec perl -w -S $0 ${1+"$@"}' + if 0; + +use strict; + +my $format = "DER"; +my $badsia = 0; + +while ($ARGV[0] =~ /^--/) { + $_ = shift; + if (/^--der/) { $format = "DER"; next } + if (/^--pem/) { $format = "PEM"; next } + if (/^--badsia/) { $badsia = 1; next } + if (/^--help/) { + print("$0 [ --der | --pem ] [ --badsia ] cert [ cert ...]\n"); + exit; + } + die("Unrecognized option: $_"); +} + +while (@ARGV) { + my $file = shift(@ARGV); + my ($aia, $sia, $cdp, $a, $s, $c) = qw(- - -); + next unless ($file =~ /\.cer$/); + open(F, "-|", ( qw(openssl x509 -noout -inform), $format, + qw(-text -in), $file)) + or die("Couldn't run openssl x509 on $file: $!\n"); + while (<F>) { + chomp; + s{^.+URI:rsync://}{}; + $a = $. + 1 + if (/Authority Information Access:/); + $s = $. + 1 + if (/Subject Information Access:/); + $c = $. + 1 + if (/X509v3 CRL Distribution Points:/); + $aia = $_ + if ($a && $. == $a); + $sia = $_ + if ($s && $. == $s); + $cdp = $_ + if ($c && $. == $c); + } + close(F); + if ($badsia) { + print("$file\n\t$sia\n") + if ($sia && $sia =~ m=[^/]$=); + } else { + print("$aia $sia $cdp $file\n"); + } +} |
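Review bot: `while ($ARGV[0] =~ /^--/)` dereferences `$ARGV[0]` even when no arguments were given, which under the `-w` that the `exec` line turns on emits an uninitialized-value warning before the script silently prints nothing; guard it with `while (@ARGV && $ARGV[0] =~ /^--/)`. The `--badsia` test `$sia =~ m=[^/]$=` also matches the `-` placeholder, so a certificate with no SIA at all is reported alongside those whose SIA does not end in `/` — probably the right behaviour for RPKI CA certificates, but the `--help` text should say the option reports both missing and non-directory SIAs. A header comment such as `# Print the AIA, SIA and CDP rsync URIs of each .cer given; with --badsia, list only certificates whose SIA is missing or does not end in /` would make the tool self-describing.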