-rw-r--r-- doc/doc.RPKI.Utils 107
-rw-r--r-- doc/manual.pdf bin 758008 -> 760333 bytes
2 files changed, 78 insertions, 29 deletions
diff --git a/doc/doc.RPKI.Utils b/doc/doc.RPKI.Utils
index e6f89794..b9cd79b5 100644
--- a/doc/doc.RPKI.Utils
+++ b/doc/doc.RPKI.Utils
@@ -7,19 +7,19 @@ install".
***** uri *****
uri is a utility program to extract URIs from the SIA, AIA, and CRLDP
-extensions of one or more X.509v3 certificates.
+extensions of one or more X.509v3 certificates, either specified directly or as
+CMS objects containing X.509v3 certificates within the CMS wrapper. Input files
+must be in DER format.
Usage:
- $ uri [-p | -d] cert [cert...]
+ $ uri [-h | --help] [-s | --single-line] cert [cert...]
--d Input is in DER format
+-h --help show help
--p Input is in PEM format
+-s --single-line Single output line per input file
--s Single output line per input file
-
--v Verbose mode
+ cert Object(s) to examine
The rp/utils directory in the source tree also includes a few experimental AWK
scripts to post-process the uri program's output in various ways.
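Review bot: In the uri option list, the `-h --help` entry reads "show help" while the other tool sections in this patch use "Show help"; capitalize it for consistency. The new usage line also drops `-p`, `-d` and `-v`, and the only trace of that in the text is "Input files must be in DER format", so a reader holding PEM certificates gets no hint that they must be converted first; one sentence saying PEM input is no longer accepted would close that gap.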
@@ -30,54 +30,82 @@ hashdir copies an authenticated result tree from an rcynic run into the format
expected by most OpenSSL-based programs: a collection of "PEM" format files
with names in the form that OpenSSL's -CApath lookup routines expect. This can
be useful for validating RPKI objects which are not distributed as part of the
-repository system.
+repository system. Input files must be in DER format.
Usage:
- $ hashdir input-directory output-directory
+ $ hashdir [-h | --help] [-v | --verbose] rcynic_directory output_directory
+
+-h --help Show help
+
+-v --verbose Whistle while you work
+
+ rcynic_directory rcynic authenticated output tree
+
+ output_directory Output directory to create
***** print_rpki_manifest *****
-print_rpki_manifest prettyprints the content of a manifest. It does NOT attempt
-to verify the signature. Usage:
+print_rpki_manifest pretty-prints the content of a manifest. It does NOT
+attempt to verify the signature. Input files must be in DER format.
+
+Usage:
+
+ $ print_rpki_manifest [-h | --help] [-c | --cms] manifest [manifest...]
+
+-h --help Show help
- $ print_rpki_manifest [-c] manifest [manifest...]
+-c --cms Print text representation of entire CMS blob
--c Print text representation of entire CMS blob
+ manifest Manifest(s) to print
***** print_roa *****
-print_roa prettyprints the content of a ROA. It does NOT attempt to verify the
-signature.
+print_roa pretty-prints the content of a ROA. It does NOT attempt to verify the
+signature. Input files must be in DER format.
Usage:
- $ print_roa [-b] [-c] [-s] ROA [ROA...]
+ $ print_roa [-h | --help] [-b | --brief] [-c | --cms] [-s | --signing-time]
+ ROA [ROA...]
+
+-h --help Show help
+
+-b --brief Brief mode (only show ASN and prefix)
--b Brief mode (only show ASN and prefix)
+-c --cms Print text representation of entire CMS blob
--c Print text representation of entire CMS blob
+-s --signing-time Show CMS signingTime
--s Show CMS signingTime
+ ROA ROA object(s) to print
***** find_roa *****
find_roa searches the authenticated result tree from an rcynic run for ROAs
-matching specified prefixes.
+matching specified prefixes. Input files must be in DER format.
Usage:
- $ find_roa authtree prefix [prefix...]
+ $ find_roa [-h | --help] [-a | --all]
+ [-m | --match-maxlength ] [-f | --show-filenames]
+ [-i | --show-inception] [-e | --show-expiration]
+ authtree [prefix...]
-The find_roa directory also includes a script {{{test_roa.sh}, which uses
-hashdir, print_roa, find_roa, and the OpenSSL command line tool. find_roa
-builds a hashed directory, searches for ROAs matching specified prefixes,
-verifies the CMS signature and certificate path of each ROA found, and
-prettyprints each ROA that passes the checks.
+-h --help Show help
-Usage:
+-a --all Show all ROAs, do no prefix matching at all
+
+-e --show-expiration Show ROA chain expiration dates
+
+-f --show-filenames Show filenames instead of URIs
- $ test_roa.sh authtree prefix [prefix...]
+-i --show-inception Show inception dates
+
+-m -match-maxlength Pay attention to maxLength values
+
+ authtree rcynic authenticated output tree
+
+ prefix ROA prefix(es) to on which to match
***** scan_roas *****
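Review bot: In the find_roa option list, `-m -match-maxlength` has a single leading dash while the usage line gives `--match-maxlength`, the usage line itself has a stray space in `[-m | --match-maxlength ]`, and the prefix description "ROA prefix(es) to on which to match" has an extra "to". Separately, this hunk deletes the test_roa.sh paragraph, which was the only text in this file describing CMS signature and certificate path verification, while print_rpki_manifest and print_roa are both documented as not verifying signatures; if the script still ships, keep a pointer to it, otherwise say how a user is expected to validate an object before trusting the printed content. The hashdir `-v` description "Whistle while you work" does not tell the reader what verbose mode prints.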
@@ -90,4 +118,25 @@ validated ROA payload after an rcynic validation run.
Usage:
- $ scan_roas authtree
+ $ scan_roas [-h | --help] rcynic_dir [rcynic_dir...]
+
+-h --help Show help
+
+ rcynic_dir rcynic authenticated output tree
+
+***** scan_routercerts *****
+
+scan_routercerts searchs the authenticated result tree from an rcynic run for
+BGPSEC router certificates, and prints out data of interest to the rpki-rtr
+code.
+
+Other programs such as the rpki-rtr client use scan_routercerts to extract the
+validated ROA payload after an rcynic validation run.
+
+Usage:
+
+ $ scan_routercerts [-h | --help] rcynic_dir [rcynic_dir...]
+
+-h --help Show help
+
+ rcynic_dir rcynic authenticated output tree
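Review bot: The second paragraph of the new scan_routercerts section says other programs use it "to extract the validated ROA payload", which repeats the scan_roas wording and contradicts the first paragraph, where the tool is described as printing BGPSEC router certificate data; the sentence should name router certificate data instead. Also "searchs" in the first paragraph should be "searches".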
diff --git a/doc/manual.pdf b/doc/manual.pdf
index 2cc41a1b..7da7fd39 100644
--- a/doc/manual.pdf
+++ b/doc/manual.pdf
Binary files differ