author | Rob Austein <sra@hactrn.net> | 2011-09-06 20:34:10 +0000 |
---|---|---|
committer | Rob Austein <sra@hactrn.net> | 2011-09-06 20:34:10 +0000 |
commit | 55922962a53291c15b57a7a993f73757c235499b (patch) | |
tree | 5b7792ec383aba98089e98fee5e9a51959802e2e /scripts | |
parent | b417bbfc937c79fa96c726192d7f834a051a445e (diff) |
Cleanup
svn path=/scripts/Old/apnic-test-3.tgz; revision=3972
Diffstat (limited to 'scripts')
-rw-r--r-- | scripts/Old/apnic-test-3.tgz | bin | 694571 -> 0 bytes | |||
-rw-r--r-- | scripts/Old/gen-verify-test.pl | 104 | ||||
-rw-r--r-- | scripts/Old/generate-testrepo.pl | 337 |
3 files changed, 0 insertions, 441 deletions
diff --git a/scripts/Old/apnic-test-3.tgz b/scripts/Old/apnic-test-3.tgz Binary files differdeleted file mode 100644
index 2d50fe3f..00000000
--- a/scripts/Old/apnic-test-3.tgz
+++ /dev/null
diff --git a/scripts/Old/gen-verify-test.pl b/scripts/Old/gen-verify-test.pl deleted file mode 100644
index e1b53579..00000000
--- a/scripts/Old/gen-verify-test.pl
+++ /dev/null
@@ -1,104 +0,0 @@ -: -# $Id$ -eval 'exec perl -w -S $0 ${1+"$@"}' - if 0; - -use strict; - -my $openssl = "/u/sra/isc/route-pki/subvert-rpki.hactrn.net/openssl/openssl/apps/openssl"; - -my $verify_options = "-verbose -crl_check_all -policy_check -explicit_policy -policy 1.3.6.1.5.5.7.14.2 -x509_strict"; - -my $verbose = 1; - -my $debug = $ENV{DEBUG}; - -exit unless (@ARGV); - -# Find all certificates in the repository - -open(F, "-|", "find", @ARGV, qw(-type f -name *.cer)) - or die("Couldn't run find: $!\n"); -chomp(my @files = <F>); -close(F); -@ARGV = (); - -# Snarf all the AIA and CDP values from the certs we're examining. -# Icky screen scraping, better mechanism needed. - -my %aia; -my %cdp; - -for my $f (@files) { - my ($a, $c) = (0, 0); - open(F, "-|", $openssl, qw(x509 -noout -text -inform DER -in), $f) - or die("Couldn't run openssl x509 on $f: $!\n"); - while (<F>) { - chomp; - s{^.+URI:rsync://}{}; - $a = $. + 1 - if (/Authority Information Access:/); - $c = $. + 1 - if (/X509v3 CRL Distribution Points:/); - $aia{$f} = $_ - if ($a && $. == $a); - $cdp{$f} = $_ - if ($c && $. == $c); - } - print(STDERR $f, " ", ($aia{$f} || "-"), " ", ($cdp{$f} || "-"), "\n") - if ($debug); - close(F); -} - -# Sort out ancestry - -my %daddy; - -for my $f (@files) { - next unless ($aia{$f}); - my @daddy = grep({ $_ eq $aia{$f} } @files); - die("Can't figure out who my daddy is! 
$f @{[join(' ', @daddy)]}\n") - if (@daddy > 1); - $daddy{$f} = $daddy[0] - if (@daddy && $daddy[0] ne $f); - print(STDERR "me: $f, daddy: $daddy[0]\n") - if ($debug); -} - -# Generate a test script based on all of the above - -for my $f (@files) { - my @ancestors; - for (my $d = $daddy{$f}; $d; $d = $daddy{$d}) { - push(@ancestors, $d); - } - next unless (@ancestors); - my @crls; - for my $c (map {$cdp{$_}} ($f, @ancestors)) { - push(@crls, $c) - unless (grep {$_ eq $c} @crls); - } - print("echo ", "=" x 40, "\n", - "echo Checking chain:\n") - if ($verbose > 0); - for (($f, @ancestors)) { - print("echo ' Certificate: $_'\n") - if ($verbose > 0); - print("$openssl x509 -noout -text -inform DER -certopt no_header,no_signame,no_validity,no_pubkey,no_sigdump,no_version -in $_\n") - if ($verbose > 1); - } - for (@crls) { - print("echo ' CRL: $_'\n") - if ($verbose > 0); - print("$openssl crl -noout -text -inform DER -in $_\n") - if ($verbose > 1); - } - print("rm -f CAfile.pem cert-in-hand.pem\n"); - print("$openssl x509 -inform DER -outform PEM >>CAfile.pem -in $_\n") - foreach (@ancestors); - print("$openssl crl -inform DER -outform PEM >>CAfile.pem -in $_\n") - foreach (@crls); - print("$openssl x509 -inform DER -outform PEM -out cert-in-hand.pem -in $f\n", - "$openssl verify -CAfile CAfile.pem $verify_options cert-in-hand.pem\n", - "rm -f CAfile.pem cert-in-hand.pem\n"); -} diff --git a/scripts/Old/generate-testrepo.pl b/scripts/Old/generate-testrepo.pl deleted file mode 100644 index bacbe0de..00000000 --- a/scripts/Old/generate-testrepo.pl +++ /dev/null 
@@ -1,337 +0,0 @@ -# $Id$ - -# Hack to generate a small test repository for testing Apache + OpenSSL + RPKI - -use strict; - -my %resources; -my %parent; -my @ordering; -my %hashes; - -my $openssl = "../../openssl/openssl/apps/openssl"; -my $subdir = "apacheca"; -my $passwd = "fnord"; -my $keybits = 2048; -my $verbose = 0; -my $debug = 1; -my $revoke = 0; - -sub openssl { - print(STDERR join(" ", qw(+ openssl), @_), "\n") - if ($debug); - !system($openssl, @_) - or die("openssl @_ returned $?\n"); -} - -# Ok, this is a bit complicated, but the idea is to let us specify the -# resources we're giving to each leaf entity and let the program do -# the work of figuring out what resources each issuers need to have, -# the order in which we need to generate the certificates, which -# certificates need to sign which other certificates, etcetera. -# -# This would be much easier to read in a sane language (eg, Scheme). - -{ - my @ctx; - my $loop ; - $loop= sub { - my $x = shift; - if (ref($x) eq "HASH") { - while (my ($k, $v) = each(%$x)) { - $parent{$k} = $ctx[@ctx - 1]; - push(@ordering, $k); - push(@ctx, $k); $loop->($v); pop(@ctx); - } - } else { - for my $c (@ctx) { push(@{$resources{$c}}, @$x) } - } - }; - $loop->({ - RIR => { - LIR1 => { - ISP1 => [IPv4 => "192.0.2.1-192.0.2.33", AS => "64533"], - ISP2 => [IPv4 => "192.0.2.44-192.0.2.100"], - }, - LIR2 => { - ISP3 => [IPv6 => "2001:db8::44-2001:db8::100"], - ISP4 => [IPv6 => "2001:db8::10:0:44", AS => "64544"], - }, - }, - }); -} - -# Put this stuff into a subdirectory - -mkdir($subdir) unless (-d $subdir); -chdir($subdir) or die; - -# Generate configurations for each entity. 
- -while (my ($entity, $resources) = each(%resources)) { - my %r; - print($entity, ":\n") - if ($verbose); - for (my $i = 0; $i < @$resources; $i += 2) { - printf(" %4s: %s\n", $resources->[$i], $resources->[$i+1]) - if ($verbose); - push(@{$r{$resources->[$i]}}, $resources->[$i+1]); - } - open(F, ">${entity}.cnf") or die; - print(F <<EOF); - - [ ca ] - default_ca = ca_default - - [ ca_default ] - - certificate = ${entity}.cer - serial = ${entity}/serial - private_key = ${entity}.key - database = ${entity}/index - new_certs_dir = ${entity} - name_opt = ca_default - cert_opt = ca_default - default_days = 365 - default_crl_days = 30 - default_md = sha1 - preserve = no - copy_extensions = copy - policy = ca_policy_anything - unique_subject = no - - [ ca_policy_anything ] - countryName = optional - stateOrProvinceName = optional - localityName = optional - organizationName = optional - organizationalUnitName = optional - commonName = supplied - emailAddress = optional - givenName = optional - surname = optional - - [ req ] - default_bits = $keybits - encrypt_key = no - distinguished_name = req_dn - x509_extensions = req_x509_ext - prompt = no - - [ req_dn ] - - CN = TEST ENTITY $entity - - [ req_x509_ext ] - - basicConstraints = critical,CA:true - subjectKeyIdentifier = hash - authorityKeyIdentifier = keyid - keyUsage = critical,keyCertSign,cRLSign - subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombats-r-us.hactrn.net/ - -EOF - - print(F <<EOF) if ($parent{$entity}); - - authorityInfoAccess = caIssuers;URI:rsync://wombats-r-us.hactrn.net/$parent{$entity}.cer - -EOF - - print(F <<EOF) if ($r{AS} || $r{RDI}); - - sbgp-autonomousSysNum = critical,\@asid_ext - -EOF - - print(F <<EOF) if ($r{IPv4} || $r{IPv6}); - - sbgp-ipAddrBlock = critical,\@addr_ext - -EOF - - print(F <<EOF); - - [ asid_ext ] - -EOF - - for my $n (qw(AS RDI)) { - my $i = 0; - for my $a (@{$r{$n}}) { - print(F "\t", $n, ".", $i++, " = ", $a, "\n"); - } - } - - print(F <<EOF); - - - [ addr_ext ] - 
-EOF - - for my $n (qw(IPv4 IPv6)) { - my $i = 0; - for my $a (@{$r{$n}}) { - print(F "\t", $n, ".", $i++, " = ", $a, "\n"); - } - } - close(F); -} - -# Revoke old certificates, maybe. - -if ($revoke) { - for my $cert (glob("*/*.pem")) { - my $conf = (split("/", $cert))[0] . ".cnf"; - openssl("ca", "-verbose", "-config", $conf, "-revoke", $cert); - unlink($cert); - } -} - -# Run OpenSSL to create the keys and certificates. We generate keys -# separately to avoid wasting /dev/random bits if we need to change -# the configuration. - -for my $entity (@ordering) { - openssl("genrsa", "-out", "${entity}.key", $keybits) - unless (-f "${entity}.key"); - openssl("req", "-new", "-config", "${entity}.cnf", "-key", "${entity}.key", "-out", "${entity}.req"); - - mkdir($entity) - unless (-d $entity); - if (!-f "${entity}/index") { - open(F, ">${entity}/index") or die; - close(F); - } - if (!-f "${entity}/serial") { - open(F, ">${entity}/serial") or die; - print(F "01\n") or die; - close(F); - } - - openssl("ca", "-batch", "-verbose", "-out", "${entity}.cer", "-in", "${entity}.req", - "-extensions", "req_x509_ext", "-extfile", "${entity}.cnf", - ($parent{$entity} - ? 
("-config", "${parent{$entity}}.cnf") - : ("-config", "${entity}.cnf", "-selfsign"))); -} - -# Generate CRLs - -for my $entity (@ordering) { - openssl("ca", "-batch", "-verbose", "-out", "${entity}.crl", - "-config", "${entity}.cnf", "-gencrl"); -} - -# Generate EE certs - -for my $parent (@ordering) { - my $entity = "${parent}-EE"; - open(F, ">${entity}.cnf") or die; - print(F <<EOF); - - [ req ] - default_bits = $keybits - encrypt_key = no - distinguished_name = req_dn - x509_extensions = req_x509_ext - prompt = no - - [ req_dn ] - - CN = TEST ENDPOINT ENTITY ${entity} - - [ req_x509_ext ] - - basicConstraints = critical,CA:false - subjectKeyIdentifier = hash - authorityKeyIdentifier = keyid - subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombats-r-us.hactrn.net/ - authorityInfoAccess = caIssuers;URI:rsync://wombats-r-us.hactrn.net/$parent.cer - -EOF - - close(F); - openssl("genrsa", "-out", "${entity}.key", $keybits) - unless (-f "${entity}.key"); - openssl("req", "-new", "-config", "${entity}.cnf", "-key", "${entity}.key", "-out", "${entity}.req"); - - mkdir($entity) - unless (-d $entity); - if (!-f "${entity}/index") { - open(F, ">${entity}/index") or die; - close(F); - } - if (!-f "${entity}/serial") { - open(F, ">${entity}/serial") or die; - print(F "01\n") or die; - close(F); - } - - openssl("ca", "-batch", "-verbose", "-config", "${parent}.cnf", - "-extensions", "req_x509_ext", "-extfile", "${entity}.cnf", - "-out", "${entity}.cer", "-in", "${entity}.req"); -} - -# Generate hashes - -for my $cert (map({("$_.cer", "$_-EE.cer")} @ordering)) { - my $hash = `$openssl x509 -noout -hash -in $cert`; - chomp($hash); - $hash .= "."; - $hash .= (0 + $hashes{$hash}++); - unlink($hash) if (-l $hash); - symlink($cert, $hash) - or die("Couldn't link $hash to $cert: $!\n"); -} - -for my $crl (map({"$_.crl"} @ordering)) { - my $hash = `$openssl crl -noout -hash -in $crl`; - chomp($hash); - $hash .= ".r"; - $hash .= (0 + $hashes{$hash}++); - unlink($hash) if (-l 
$hash); - symlink($crl, $hash) - or die("Couldn't link $hash to $crl: $!\n"); -} - -# Generate PKCS12 forms of EE certificates -# -chain argument to pkcs12 requires certificate store, which we configure via an environment variable - -$ENV{SSL_CERT_DIR} = do { my $pwd = `pwd`; chomp($pwd); $pwd; }; - -for my $ee (map({"$_-EE"} @ordering)) { - my @cmd = ("pkcs12", "-export", "-in", "$ee.cer", "-inkey", "$ee.key", "-password", "pass:$passwd"); - openssl(@cmd, "-out", "$ee.p12"); - openssl(@cmd, "-out", "$ee.chain.p12", "-chain"); -} - -# Finally, generate an unrelated self-signed certificate for the server - -my $hostname = `hostname`; -chomp($hostname); -open(F, ">server.cnf") or die; -print(F <<EOF); - - [ req ] - default_bits = $keybits - encrypt_key = no - distinguished_name = req_dn - prompt = no - - [ req_dn ] - - CN = $hostname - -EOF - -close(F); -openssl(qw(genrsa -out server.key), $keybits) - unless (-f "server.key"); -openssl(qw(req -new -config server.cnf -key server.key -out server.req)); -openssl(qw(x509 -req -CAcreateserial -in server.req -out server.cer -signkey server.key)); - -# Local Variables: -# compile-command: "perl generate-testrepo.pl" -# End: |