-rw-r--r--scripts/regeng-api77
1 files changed, 40 insertions, 37 deletions
diff --git a/scripts/regeng-api b/scripts/regeng-api
index 4c7ec4e6..0be103af 100644
--- a/scripts/regeng-api
+++ b/scripts/regeng-api
@@ -1,17 +1,23 @@
;;; -*- Lisp -*-
;;; $Id$
;;;
-;;; Scratch pad for working out API design for registration engine.
+;;; Scratch pad for working out API design for RPKI engine.
;;;
;;; This file is psuedocode, I just wanted to take advantage of
;;; emacs's built-in support for languages with reasonable syntax.
+;;;
+;;; Terminology:
+;;;
+;;; - IRBE: Internet Registry Back End
+;;;
+;;; - RE: RPKI Engine
-;;; Protocol operations between registration engine and signing engine.
-;;; This assumes the model in which the signing engine stores nothing
-;;; but keypairs and takes orders from the registration engine on what
-;;; to sign; this still needs to be checked by competent paranoids.
+;;; Protocol operations between RE and signing engine. This assumes
+;;; the model in which the signing engine stores nothing but keypairs
+;;; and takes orders from the RE on what to sign; this still needs to
+;;; be checked by competent paranoids.
;; Create a keypair. :length is the number of bits for the key
;; (default 2048?).
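Review bot: The model restated on the new lines 31-34 — the signing engine holds only keypairs and signs whatever the RE orders — makes the RE a signing oracle for every key it can name, so the RE/signer boundary only buys something if the signer enforces a policy of its own, and the paragraph leaves that entirely to the "competent paranoids". Suggest writing down the minimum expectation right here so they have something concrete to check: `;;; Minimum the signing engine must enforce on its own: each key is bound to one cust-id and one object type, and any request outside that binding is refused.` Whether that binding is established at create time or checked per call is a design choice; either way it belongs in this header rather than only in the reviewers' heads.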
@@ -29,34 +35,30 @@
;; List existing keypairs
(list-keypairs :cust-id 42)
-=> ((key-id . public-key)
- (key-id . public-key)
+=> ((key-id public-key)
+ (key-id public-key)
...)
-;; Sign something. Will probably need to break this down into
-;; separate signing calls for each kind of thing to be signed, but
-;; most likely they will all look pretty much alike. One of
-;; :key-to-use or :key-handle must be specified.
+;; Sign something. how-to-sign tells us both what signature method to
+;; use (ie, what kind of object we're signing) and also the signature
+;; algorithm to use (where there are multiple choices, which perhaps
+;; there should not be?).
(sign-thing :cust-id 42
- :what-to-sign blob
- :how-to-sign :rsa/sha256
+ :what-to-sign cert-without-signature
+ :how-to-sign :cert-rsa/sha256
:key-id key-id)
=> (signed-thing)
-;; Do we need a verify operation here that can take a handle so we can
-;; verify things that were signed by keys that don't exist yet at the
-;; time we're queuing up the sneakernet channel? Hope not, sounds
-;; complicated. Punt for now.
-
-;;; Protocol operations between IR back-end and registration engine.
+;;; Protocol operations between IRBE and RE.
+;;;
+;;; This is really two separate protocols over channels that might or
+;;; not be the same. Both are client/server protocols, but for some
+;;; the rpki engine and for others the irbe is the client.
;;;
-;;; At the moment this is not even 1/4 baked, it's just a list of
-;;; functions to be filled in with arguments and results, and some of
-;;; these may not really need to cross the IR back-end / registration
-;;; engine boundary at all. To be refined....
+;;; This set of operations are initiated by the IRBE.
(create-cust-id)
=> (customer-id)
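Review bot: `sign-thing` on the new lines still takes :cust-id and :key-id as independent arguments, and nothing in the API text says the signing engine checks that key-id is owned by cust-id or that what-to-sign really is the object type named by how-to-sign, so as written a caller could have one customer's key sign an arbitrary to-be-signed blob. Suggest pinning that in the comment above the call: `;; Signing engine must refuse if key-id is not owned by cust-id, and must parse what-to-sign as the object type named by how-to-sign rather than sign an opaque blob.` On the parenthetical question in that same comment, one fixed algorithm per object type is the safer answer — offering a choice at this layer is how weak-algorithm downgrades get in. The list-keypairs result also changed shape from dotted pairs to two-element lists; anything already written against `(key-id . public-key)` would need to follow.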
@@ -76,20 +78,6 @@
:value "obsidian")
=> ()
-(add-resource :cust-id 42
- :name :ipv4-address
- :value "10.0.0.44/32")
-=> ()
-
-(del-resource :cust-id 42
- :name :ipv4-address
- :value "10.0.0.44/32")
-=> ()
-
-;;; backwards because resources now live in the irdb not the re
-(list-resources :cust-id 42)
-=> ((:ipv4-address . "10.0.0.44/32") ...)
-
(get-biz-private-key :cust-id 42)
=> (private-key)
@@ -112,6 +100,21 @@
+;;; Protocol operations between IRBE and RE.
+;;;
+;;; This is really two separate protocols over channels that might or
+;;; not be the same. Both are client/server protocols, but for some
+;;; the rpki engine and for others the irbe is the client.
+;;;
+;;; This set of operations are initiated by the IRBE.
+
+(list-resources :cust-id 42)
+=> ((:ipv4-address "10.0.0.44/32" "10.3.0.44/32")
+ (:ipv6-address "fe80:dead:beef::/24")
+ ...)
+
+
+
;;; Stuff below this line is not even close to baked yet
;; These two may take a bit more thought. What's a ca-handle?
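Review bot: The header added at lines 99-105 is a verbatim copy of the one added earlier in this patch for the IRBE-initiated operations, down to `;;; This set of operations are initiated by the IRBE.`; since the only operation under it is `list-resources`, which this same patch removes from the RE side because resources now live in the irdb, this section presumably covers RE-initiated calls into the IRBE and its last line should read `;;; This set of operations are initiated by the RE.` — worth confirming, and the duplicated preamble above it can then be trimmed. The IPv6 example `fe80:dead:beef::/24` sits in the link-local range and has bits set beyond its /24 prefix length, so a documentation prefix such as `2001:db8::/32` would make a less confusing example. The three blank lines at 111-113 look like leftover padding.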
"""
Grope towards testing TLS functionality in POW

$Id$

Copyright (C) 2008  American Registry for Internet Numbers ("ARIN")

Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS.  IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
"""

# openssl s_server -tls1 -Verify 9 -cert biz-certs/Alice-EE.cer -key biz-certs/Alice-EE.key -www -CApath biz-certs -chain

# openssl s_client -connect localhost:4433 -tls1 -cert biz-certs/Bob-EE.cer -key biz-certs/Bob-EE.key -verify 9 -CApath biz-certs -crlf

import POW, socket

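def pow_error_iterator(get_error=None):
  """Drain the POW/OpenSSL error queue, yielding one queued error at a time.

  get_error: callable returning the next queued error, or None when the
    queue is empty.  Defaults to POW.getError (looked up at call time, so
    importing this module does not require POW to be present for tests).

  Iterating to exhaustion keeps calling the getter until it returns None;
  an already-empty queue yields nothing.  This assumes each getter call
  pops one entry, as the original code's use of POW.getError implies.
  """
  if get_error is None:
    get_error = POW.getError
  while True:
    err = get_error()
    if err is None:
      # A plain return ends the generator.  The original raised
      # StopIteration here, which only ever reported the first error (the
      # generator fell off its end after one yield) and is a RuntimeError
      # inside a generator on Python 3.7+ (PEP 479).
      return
    yield err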

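def _read_file(path):
  """Return the whole contents of path, closing the file even on error."""
  f = open(path)
  try:
    return f.read()
  finally:
    f.close()

# Client identity (Bob's EE key and cert) plus the CA that issued it.  The
# biz-certs/ fixtures are the ones used by the s_server/s_client commands
# in the comments above.
key = POW.pemRead(POW.RSA_PRIVATE_KEY,  _read_file("biz-certs/Bob-EE.key"))
cer = POW.pemRead(POW.X509_CERTIFICATE, _read_file("biz-certs/Bob-EE.cer"))
ca  = POW.pemRead(POW.X509_CERTIFICATE, _read_file("biz-certs/Bob-CA.cer"))

# Debug toggle: read the response in one call instead of looping.
READ_ALL_AT_ONCE = False

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("localhost", 4433))

try:
  t = POW.Ssl(POW.TLSV1_CLIENT_METHOD)
  t.useCertificate(cer)
  t.useKey(key)
  t.addCertificate(ca)       # presumably added to the chain we present; confirm against POW
  t.setFd(s.fileno())
  t.connect()
  # NOTE(review): nothing here configures peer-certificate verification or
  # checks the peer's identity -- the peer cert is only printed.  The
  # s_client command above passes -verify 9 -CApath biz-certs; confirm what
  # POW's default verify mode is before treating this as more than a smoke
  # test of the handshake.
  x = t.peerCertificate()
  if x is not None:
    print "Peer", x.pprint()
  # Single request line, no terminating blank line; s_server -www answers
  # this as is, a stricter HTTP/1.0 server may wait for "\r\n\r\n".
  t.write("GET / HTTP/1.0\r\n")
  if READ_ALL_AT_ONCE:
    print t.read(10000)
  else:
    while True:
      data = t.read()
      if not data:
        # EOF (empty read): stop instead of spinning on empty output.
        break
      print data
except:
  # Bare except is deliberate: dump the whole OpenSSL error queue for any
  # failure, then always re-raise so nothing is swallowed.
  print "ERROR:"
  for e in pow_error_iterator():
    print e
  raise
finally:
  s.close()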