-rw-r--r-- | rpkid/Doxyfile | 2 | ||||
-rw-r--r-- | rpkid/Makefile | 58 | ||||
-rw-r--r-- | rpkid/doc/Installation | 2 | ||||
-rw-r--r-- | rpkid/doc/Left-right | 2 | ||||
-rw-r--r-- | rpkid/doc/Operation | 2 | ||||
-rw-r--r-- | rpkid/doc/Publication | 2 | ||||
-rw-r--r-- | rpkid/doc/irdbd.dot | 12 | ||||
-rw-r--r-- | rpkid/doc/irdbd.pdf (renamed from rpkid/irdbd.pdf) | bin | 3500 -> 3500 bytes | |||
-rw-r--r-- | rpkid/doc/pubd.dot | 9 | ||||
-rw-r--r-- | rpkid/doc/pubd.pdf (renamed from rpkid/pubd.pdf) | bin | 3076 -> 3076 bytes | |||
-rw-r--r-- | rpkid/doc/rpkid.dot | 34 | ||||
-rw-r--r-- | rpkid/doc/rpkid.pdf (renamed from rpkid/rpkid.pdf) | bin | 6931 -> 6931 bytes | |||
-rw-r--r-- | rpkid/rpki/__init__.py | 117 | ||||
-rw-r--r-- | scripts/graphviz-sql.sh | 30 |
14 files changed, 228 insertions, 42 deletions
diff --git a/rpkid/Doxyfile b/rpkid/Doxyfile
index 4c9808a0..baee27b4 100644
--- a/rpkid/Doxyfile
+++ b/rpkid/Doxyfile
@@ -1222,7 +1222,7 @@ DOT_PATH =
 # contain dot files that are included in the documentation (see the
 # \dotfile command).
-DOTFILE_DIRS =
+DOTFILE_DIRS = doc
 # The MAX_DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of
 # nodes that will be shown in the graph. If the number of nodes in a graph
diff --git a/rpkid/Makefile b/rpkid/Makefile
index 5877012a..da318514 100644
--- a/rpkid/Makefile
+++ b/rpkid/Makefile
@@ -1,10 +1,5 @@
 # $Id$
-.SUFFIXES: .pdf .sql
-
-.sql.pdf:
- -sh ../scripts/graphviz-sql.sh $<
-
 all:: left-right-protocol-samples/.stamp
 left-right-protocol-samples/.stamp: left-right-protocol-samples.xml split-protocol-samples.xsl
@@ -76,17 +71,6 @@ resource-cert-samples/.stamp: generate-testrepo.py Makefile
 irbe-cli.usage: irbe-cli.py
 python irbe-cli.py --help | sed 's/^/ /' >$@
-dox doxygen: irbe-cli.usage
- TZ='' doxygen
- cd doc/latex && TZ='' ${MAKE} >/dev/null 2>&1
- for i in Installation Operation Left-right Publication; do \
- xsltproc --html tweak-doc.xsl doc/html/$$i.html | lynx -dump -nolist -force_html /dev/stdin >doc/$$i; \
- done
- cd doc; ln -f latex/refman.pdf manual.pdf
- cd doc; tar -cf - html | gzip -9 >manual.tar.gz
-
-doc:: dox
-
 tags:
 find . -type f -name '*.py' ! -name relaxng.py | etags -
@@ -96,10 +80,6 @@ rpki/relaxng.py: make-relaxng.py
 python make-relaxng.py >$@.tmp
 mv $@.tmp $@
-pdf: rpkid.pdf irdbd.pdf pubd.pdf
-
-doc:: pdf
-
 # all-tests:: all; sh -x rootd.sh run
 test all-tests:: all
@@ -107,3 +87,41 @@ test all-tests:: all
 all-tests:: all
 python testbed.py -y testbed.2.yaml
+
+# Documentation
+
+doc/irdbd.dot: irdbd.sql
+ sh ../scripts/graphviz-sql.sh $? >$@
+
+doc/pubd.dot: pubd.sql
+ sh ../scripts/graphviz-sql.sh $? >$@
+
+doc/rpkid.dot: rpkid.sql
+ sh ../scripts/graphviz-sql.sh $? >$@
+
+doc:: doc/irdbd.dot doc/pubd.dot doc/rpkid.dot
+
+doc/irdbd.pdf: doc/irdbd.dot
+ dot -Tps2 $? | ps2pdf - $@
+
+doc/pubd.pdf: doc/pubd.dot
+ dot -Tps2 $? | ps2pdf - $@
+
+doc/rpkid.pdf: doc/rpkid.dot
+ dot -Tps2 $? | ps2pdf - $@
+
+doc:: doc/irdbd.pdf doc/pubd.pdf doc/rpkid.pdf
+
+# Certain invocations of Graphviz by Doxygen whine about fonts. Not
+# clear whose bug this is. Apparently harmless, so just ignore it.
+
+dox doxygen: irbe-cli.usage doc/irdbd.dot doc/pubd.dot doc/rpkid.dot
+ TZ='' doxygen 2>&1 | awk '$$0 != "Error: Could not find/open font"'
+ cd doc/latex && TZ='' ${MAKE} >/dev/null 2>&1
+ for i in Installation Operation Left-right Publication; do \
+ xsltproc --html tweak-doc.xsl doc/html/$$i.html | lynx -dump -nolist -force_html /dev/stdin >doc/$$i; \
+ done
+ cd doc; ln -f latex/refman.pdf manual.pdf
+ cd doc; tar -cf - html | gzip -9 >manual.tar.gz
+
+doc:: dox
diff --git a/rpkid/doc/Installation b/rpkid/doc/Installation
index 1760e4ff..28524e2a 100644
--- a/rpkid/doc/Installation
+++ b/rpkid/doc/Installation
@@ -67,5 +67,5 @@ Installation Guide
 __________________________________________________________________
- Generated on Thu Jun 12 22:02:16 2008 for RPKI Engine by doxygen
+ Generated on Mon Jun 16 20:04:23 2008 for RPKI Engine by doxygen
 1.5.5
diff --git a/rpkid/doc/Left-right b/rpkid/doc/Left-right
index d56e4281..f40fe784 100644
--- a/rpkid/doc/Left-right
+++ b/rpkid/doc/Left-right
@@ -473,5 +473,5 @@ Error handling
 __________________________________________________________________
- Generated on Thu Jun 12 22:02:16 2008 for RPKI Engine by doxygen
+ Generated on Mon Jun 16 20:04:23 2008 for RPKI Engine by doxygen
 1.5.5
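Review bot: The three new `.dot` rules redirect straight into the target, `sh ../scripts/graphviz-sql.sh $? >$@`, so the shell creates and truncates `$@` before the script runs; if `sqlt-graph` or `perl` fails, an empty or partial `.dot` is left behind with a fresh timestamp and the next `make doc` considers it up to date. The `rpki/relaxng.py` rule visible in the earlier hunk already uses the safer write-then-rename pattern, so these should match it: `sh ../scripts/graphviz-sql.sh $? >$@.tmp && mv $@.tmp $@` (likewise for `doc/pubd.dot` and `doc/rpkid.dot`). The `dox` recipe has a related weakness: in `TZ='' doxygen 2>&1 | awk '$$0 != "Error: Could not find/open font"'` make only sees awk's exit status, so any doxygen failure other than the filtered font message no longer stops the build. The `.pdf` rules' `dot -Tps2 $? | ps2pdf - $@` pipelines lose dot's exit status the same way.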
diff --git a/rpkid/doc/Operation b/rpkid/doc/Operation
index efe319bd..6f41bc8f 100644
--- a/rpkid/doc/Operation
+++ b/rpkid/doc/Operation
@@ -685,5 +685,5 @@ testpoke.py
 __________________________________________________________________
- Generated on Thu Jun 12 22:02:16 2008 for RPKI Engine by doxygen
+ Generated on Mon Jun 16 20:04:23 2008 for RPKI Engine by doxygen
 1.5.5
diff --git a/rpkid/doc/Publication b/rpkid/doc/Publication
index 548b4700..d5bc0526 100644
--- a/rpkid/doc/Publication
+++ b/rpkid/doc/Publication
@@ -220,5 +220,5 @@ Additional access control considerations.
 __________________________________________________________________
- Generated on Thu Jun 12 22:02:16 2008 for RPKI Engine by doxygen
+ Generated on Mon Jun 16 20:04:23 2008 for RPKI Engine by doxygen
 1.5.5
diff --git a/rpkid/doc/irdbd.dot b/rpkid/doc/irdbd.dot
new file mode 100644
index 00000000..a469057c
--- /dev/null
+++ b/rpkid/doc/irdbd.dot
@@ -0,0 +1,12 @@
+// Automatically generated from irdbd.sql
+
+digraph test {
+ edge [arrowtail=none, arrowhead=crow];
+ graph [ratio=fill, overlap=false, bgcolor=white];
+ node [label="\N", fillcolor=white, shape=record, style=filled];
+ registrant [label="registrant|{registrant_id\ SERIAL\ \[PK\]|IRBE_mapped_id\ TEXT|subject_name\ TEXT|rpki_self_id\ BIGINT|rpki_child_id\ BIGINT|valid_until\ DATETIME}"];
+ asn [label="asn|{asn_id\ SERIAL\ \[PK\]|start_as\ BIGINT|end_as\ BIGINT|registrant_id\ BIGINT\ \[FK\]}"];
+ net [label="net|{net_id\ SERIAL\ \[PK\]|start_ip\ VARCHAR|end_ip\ VARCHAR|version\ TINYINT|registrant_id\ BIGINT\ \[FK\]}"];
+ registrant -> asn;
+ registrant -> net;
+}
diff --git a/rpkid/irdbd.pdf b/rpkid/doc/irdbd.pdf
Binary files differ
index 1fe31970..f94debaa 100644
--- a/rpkid/irdbd.pdf
+++ b/rpkid/doc/irdbd.pdf
diff --git a/rpkid/doc/pubd.dot b/rpkid/doc/pubd.dot
new file mode 100644
index 00000000..8865483e
--- /dev/null
+++ b/rpkid/doc/pubd.dot
@@ -0,0 +1,9 @@
+// Automatically generated from pubd.sql
+
+digraph test {
+ edge [arrowtail=none, arrowhead=crow];
+ graph [ratio=fill, overlap=false, bgcolor=white];
+ node [label="\N", fillcolor=white, shape=record, style=filled];
+ config [label="config|{config_id\ SERIAL\ \[PK\]|bpki_crl\ LONGBLOB}"];
+ client [label="client|{client_id\ SERIAL\ \[PK\]|base_uri\ TEXT|bpki_cert\ LONGBLOB|bpki_glue\ LONGBLOB}"];
+}
diff --git a/rpkid/pubd.pdf b/rpkid/doc/pubd.pdf
Binary files differ
index 1bf1310b..d7c1edee 100644
--- a/rpkid/pubd.pdf
+++ b/rpkid/doc/pubd.pdf
diff --git a/rpkid/doc/rpkid.dot b/rpkid/doc/rpkid.dot
new file mode 100644
index 00000000..e5ea88ea
--- /dev/null
+++ b/rpkid/doc/rpkid.dot
@@ -0,0 +1,34 @@
+// Automatically generated from rpkid.sql
+
+digraph test {
+ edge [arrowtail=none, arrowhead=crow];
+ graph [ratio=fill, overlap=false, bgcolor=white];
+ node [label="\N", fillcolor=white, shape=record, style=filled];
+ self [label="self|{self_id\ SERIAL\ \[PK\]|use_hsm\ BOOLEAN|crl_interval\ BIGINT|regen_margin\ BIGINT|bpki_cert\ LONGBLOB|bpki_glue\ LONGBLOB}"];
+ bsc [label="bsc|{bsc_id\ SERIAL\ \[PK\]|private_key_id\ LONGBLOB|pkcs10_request\ LONGBLOB|hash_alg\ ENUM|signing_cert\ LONGBLOB|signing_cert_crl\ LONGBLOB|self_id\ BIGINT\ \[FK\]}"];
+ repository [label="repository|{repository_id\ SERIAL\ \[PK\]|peer_contact_uri\ TEXT|bpki_cms_cert\ LONGBLOB|bpki_cms_glue\ LONGBLOB|bpki_https_cert\ LONGBLOB|bpki_https_glue\ LONGBLOB|bsc_id\ BIGINT\ \[FK\]|self_id\ BIGINT\ \[FK\]}"];
+ parent [label="parent|{parent_id\ SERIAL\ \[PK\]|bpki_cms_cert\ LONGBLOB|bpki_cms_glue\ LONGBLOB|bpki_https_cert\ LONGBLOB|bpki_https_glue\ LONGBLOB|peer_contact_uri\ TEXT|sia_base\ TEXT|sender_name\ TEXT|recipient_name\ TEXT|self_id\ BIGINT\ \[FK\]|bsc_id\ BIGINT\ \[FK\]|repository_id\ BIGINT\ \[FK\]}"];
+ ca [label="ca|{ca_id\ SERIAL\ \[PK\]|last_crl_sn\ BIGINT|last_manifest_sn\ BIGINT|next_manifest_update\ DATETIME|next_crl_update\ DATETIME|last_issued_sn\ BIGINT|sia_uri\ TEXT|parent_resource_class\ TEXT|parent_id\ BIGINT\ \[FK\]}"];
+ ca_detail [label="ca_detail|{ca_detail_id\ SERIAL\ \[PK\]|public_key\ LONGBLOB|private_key_id\ LONGBLOB|latest_crl\ LONGBLOB|latest_ca_cert\ LONGBLOB|manifest_private_key_id\ LONGBLOB|manifest_public_key\ LONGBLOB|latest_manifest_cert\ LONGBLOB|latest_manifest\ LONGBLOB|state\ ENUM|ca_cert_uri\ TEXT|ca_id\ BIGINT\ \[FK\]}"];
+ child [label="child|{child_id\ SERIAL\ \[PK\]|bpki_cert\ LONGBLOB|bpki_glue\ LONGBLOB|self_id\ BIGINT\ \[FK\]|bsc_id\ BIGINT\ \[FK\]}"];
+ child_cert [label="child_cert|{child_cert_id\ SERIAL\ \[PK\]|cert\ LONGBLOB|ski\ TINYBLOB|child_id\ BIGINT\ \[FK\]|ca_detail_id\ BIGINT\ \[FK\]}"];
+ revoked_cert [label="revoked_cert|{revoked_cert_id\ SERIAL\ \[PK\]|serial\ BIGINT|revoked\ DATETIME|expires\ DATETIME|ca_detail_id\ BIGINT\ \[FK\]}"];
+ route_origin [label="route_origin|{route_origin_id\ SERIAL\ \[PK\]|as_number\ DECIMAL|exact_match\ BOOLEAN|cert\ LONGBLOB|roa\ LONGBLOB|self_id\ BIGINT\ \[FK\]|ca_detail_id\ BIGINT\ \[FK\]}"];
+ route_origin_prefix [label="route_origin_prefix|{address\ VARCHAR\ \[PK\]|prefixlen\ TINYINT\ \[PK\]|max_prefixlen\ TINYINT\ \[PK\]|route_origin_id\ BIGINT\ \[PK,FK\]}"];
+ bsc -> child;
+ bsc -> parent;
+ bsc -> repository;
+ ca -> ca_detail;
+ ca_detail -> child_cert;
+ ca_detail -> revoked_cert;
+ ca_detail -> route_origin;
+ child -> child_cert;
+ parent -> ca;
+ repository -> parent;
+ route_origin -> route_origin_prefix;
+ self -> bsc;
+ self -> child;
+ self -> parent;
+ self -> repository;
+ self -> route_origin;
+}
diff --git a/rpkid/rpkid.pdf b/rpkid/doc/rpkid.pdf
Binary files differ
index 707dbb63..78366428 100644
--- a/rpkid/rpkid.pdf
+++ b/rpkid/doc/rpkid.pdf
diff --git a/rpkid/rpki/__init__.py b/rpkid/rpki/__init__.py
index 42b5d80d..541e0886 100644
--- a/rpkid/rpki/__init__.py
+++ b/rpkid/rpki/__init__.py
@@ -1616,3 +1616,120 @@
 # repository makes to publish the RPKI engine's output is conditional
 # upon the %object to be published passing whatever access control checks
 # the %publication server imposes.
+
+## @page rpkid-sql rpkid SQL schema
+#
+# @dotfile rpkid.dot "Diagram of rpkid.sql"
+#
+# @verbinclude rpkid.sql
+
+## @page pubd-sql pubd SQL Schema
+#
+# @dotfile pubd.dot "Diagram of pubd.sql"
+#
+# @verbinclude pubd.sql
+
+## @page irdbd-sql irdbd SQL Schema
+#
+# @dotfile irdbd.dot "Diagram of irdbd.sql"
+#
+# @verbinclude irdbd.sql
+
+## @page bpki-digraph rpkid BPKI Diagram
+#
+# @dot
+# // Color code:
+# // Black: Hosting entity
+# // Blue: Hosted entity
+# // Red: Cross-certified peer
+# //
+# // Shape code:
+# // Octagon: TA
+# // Diamond: CA
+# // Record: EE
+#
+# digraph bpki_symmetric {
+# splines = true; ratio = fill;
+#
+# // Hosting entity
+# node [ color = black, shape = record ];
+# TA [ shape = octagon ];
+# rpkid [ label = "rpkid|{HTTPS server|HTTPS left-right client|CMS left-right}" ];
+# irdbd [ label = "irdbd|{HTTPS left-right server|CMS left-right}" ];
+# irbe [ label = "IRBE|{HTTPS left-right client|CMS left-right}" ];
+#
+# // Hosted entities
+# node [ color = blue, fontcolor = blue ];
+# Alice_CA [ shape = diamond ];
+# Alice_EE [ label = "Alice\nBSC EE|{HTTPS up-down client|CMS up-down}" ];
+# Ellen_CA [ shape = diamond ];
+# Ellen_EE [ label = "Ellen\nBSC EE|{HTTPS up-down client|CMS up-down}" ];
+#
+# // Peers
+# node [ color = red, fontcolor = red, shape = diamond ];
+# Bob_CA;
+# Carol_CA;
+# Dave_CA;
+# Frank_CA;
+# Ginny_CA;
+# Harry_CA;
+# node [ shape = record ];
+# Bob_EE [ label = "Bob\nEE|{HTTPS up-down|CMS up-down}" ];
+# Carol_EE [ label = "Carol\nEE|{HTTPS up-down|CMS up-down}" ];
+# Dave_EE [ label = "Dave\nEE|{HTTPS up-down|CMS up-down}" ];
+# Frank_EE [ label = "Frank\nEE|{HTTPS up-down|CMS up-down}" ];
+# Ginny_EE [ label = "Ginny\nEE|{HTTPS up-down|CMS up-down}" ];
+# Harry_EE [ label = "Bob\nEE|{HTTPS up-down|CMS up-down}" ];
+#
+# edge [ color = black, style = solid ];
+# TA -> Alice_CA;
+# TA -> Ellen_CA;
+#
+# edge [ color = black, style = dotted ];
+# TA -> rpkid;
+# TA -> irdbd;
+# TA -> irbe;
+#
+# edge [ color = blue, style = solid ];
+# Alice_CA -> Bob_CA;
+# Alice_CA -> Carol_CA;
+# Alice_CA -> Dave_CA;
+# Ellen_CA -> Frank_CA;
+# Ellen_CA -> Ginny_CA;
+# Ellen_CA -> Harry_CA;
+#
+# edge [ color = blue, style = dotted ];
+# Alice_CA -> Alice_EE;
+# Ellen_CA -> Ellen_EE;
+#
+# edge [ color = red, style = solid ];
+# Bob_CA -> Bob_EE;
+# Carol_CA -> Carol_EE;
+# Dave_CA -> Dave_EE;
+# Frank_CA -> Frank_EE;
+# Ginny_CA -> Ginny_EE;
+# Harry_CA -> Harry_EE;
+# }
+# @enddot
+#
+# Black objects belong to the hosting entity, blue objects belong to
+# the hosted entities, red objects are cross-certified objects from
+# peers. The arrows indicate certificate issuance: solid arrows are
+# the ones that this RPKI engine will care about during certificate
+# validation, dotted arrows show the origin of EE certificates this
+# engine uses to sign things.
+#
+# There's one nasty bit here: it's not possible to use exactly the
+# same BPKI keys and certificates for HTTPS and CMS. The reason for
+# this is simple: each hosted entity has its own BPKI, as does the
+# hosting entity, but the HTTPS listener is shared. The only ways to
+# avoid this would be to use separate listeners for each hosted
+# entity, which scales poorly, or to rely on the TLS "Server Name
+# Indication" extension (RFC 4366 3.1) which is not yet widely
+# implemented.
+#
+# The certificate tree looks complicated, but the set of certificates
+# needed to build a particular validation chain is obvious, again
+# excepting the HTTPS server case, where client certificate is the
+# first hint that the engine has of the client's identity, so the
+# server must be prepared to accept any current client certificate.
diff --git a/scripts/graphviz-sql.sh b/scripts/graphviz-sql.sh
index 5690bbfc..76901076 100644
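Review bot: In the `@dot` block of the new `bpki-digraph` page the Harry node carries Bob's name: `Harry_EE [ label = "Bob\nEE|{HTTPS up-down|CMS up-down}" ];` reads like a copy of the `Bob_EE` line a few lines above and should be `Harry_EE [ label = "Harry\nEE|{HTTPS up-down|CMS up-down}" ];`. Because the graph lives inside a Doxygen comment, nothing in the build will catch this; it only shows up as a mislabelled node in the rendered diagram. The three new `@verbinclude rpkid.sql` / `pubd.sql` / `irdbd.sql` directives are resolved through Doxygen's example path rather than `DOTFILE_DIRS`, so it is worth confirming the existing `EXAMPLE_PATH` in `rpkid/Doxyfile` already reaches those files — this commit's Doxyfile change only adds `doc` to `DOTFILE_DIRS`.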
--- a/scripts/graphviz-sql.sh
+++ b/scripts/graphviz-sql.sh
@@ -25,20 +25,16 @@ #
 # On FreeBSD, SQL Fairy is /usr/ports/databases/p5-SQL-Translator.
-for i in "$@"
-do
- sqlt-graph --db MySQL --output-type canon --show-datatypes --show-constraints $i |
- perl -0777 -pe '
- s/\\\n//g;
- s/ +/ /g;
- s/\\\|/|/g;
- s/\\{([a-z0-9_]+)\|/${1}|{/gi;
- s/-\\ +//g;
- s/\\ \\l/|/g;
- s/\|\\l \\}/}/g;
- s/\|\\}/}/g;
- s/{\n/{\n\tedge [arrowtail=none, arrowhead=crow];\n/;
- ' |
- dot -Tps2 |
- ps2pdf - ${i%.sql}.pdf
-done
+sqlt-graph --db MySQL --output-type canon --show-datatypes --show-constraints $1 |
+SOURCE="$1" perl -0777 -pe '
+ s/\\\n//g;
+ s/ +/ /g;
+ s/\\\|/|/g;
+ s/\\{([a-z0-9_]+)\|/${1}|{/gi;
+ s/-\\ +//g;
+ s/\\ \\l/|/g;
+ s/\|\\l \\}/}/g;
+ s/\|\\}/}/g;
+ s/{\n/{\n\tedge [arrowtail=none, arrowhead=crow];\n/;
+ s=^=// Automatically generated from $ENV{SOURCE}\n\n=;
+' |