-rw-r--r--rpkid/ext/POW.c293
-rw-r--r--rpkid/rpki/POW/pkix.py4
-rw-r--r--rpkid/rpki/x509.py20
-rw-r--r--scripts/Old/test-pow-tls.py61
-rw-r--r--scripts/Old/tls-client.py27
-rw-r--r--scripts/Old/tls-server.py40
-rw-r--r--scripts/find-roa-expiration.py4
-rw-r--r--scripts/format-application-x-rpki.py4
-rw-r--r--scripts/x509-dot.py4
9 files changed, 84 insertions, 373 deletions
diff --git a/rpkid/ext/POW.c b/rpkid/ext/POW.c
index 0a3b602f..786765b9 100644
--- a/rpkid/ext/POW.c
+++ b/rpkid/ext/POW.c
@@ -88,7 +88,6 @@
* defer until I decide whether we need to fix it, so just omit the
* code for now.
*/
-
#define ENABLE_X509_CERTIFICATE_SIGNATURE_AND_VERIFICATION 0
#include <Python.h>
@@ -3402,7 +3401,7 @@ x509_store_object_add_trust(x509_store_object *self, PyObject *args)
static char x509_store_object_add_crl__doc__[] =
"This method adds a CRL to the store object.\n"
"\n"
- "The \"crl\" parameter should be an instance of X509CRL.\n"
+ "The \"crl\" parameter should be an instance of CRL.\n"
;
static PyObject *
@@ -4289,7 +4288,7 @@ static char x509_crltype__doc__[] =
static PyTypeObject x509_crltype = {
PyObject_HEAD_INIT(0)
0, /* ob_size */
- "POW.X509CRL", /* tp_name */
+ "POW.CRL", /* tp_name */
sizeof(x509_crl_object), /* tp_basicsize */
0, /* tp_itemsize */
(destructor)x509_crl_object_dealloc, /* tp_dealloc */
@@ -4583,66 +4582,60 @@ asymmetric_object_der_read_public_file(PyTypeObject *type, PyObject *args)
return read_from_file_helper(asymmetric_object_der_read_public_helper, type, args);
}
-static char asymmetric_object_pem_write__doc__[] =
- "This method is used to write \"Asymmetric objects out as strings.\n"
- "\n"
- "The \"keytype\" argument should be one of:\n"
+static char asymmetric_object_pem_write_private__doc__[] =
+ "This method writes an \"Asymmetric\" private key as a PEM string.\n"
"\n"
- " * RSA_PUBLIC_KEY\n"
- " * RSA_PRIVATE_KEY\n"
- "\n"
- "Private keys are often saved in encrypted files to offer extra\n"
- "security above access control mechanisms. If the keytype parameter is\n"
- "RSA_PRIVATE_KEY, a \"passphrase\" parameter can also be specified, in\n"
- "which case the private key will be encrypted with AES-256-CBC using\n"
- "the given passphrase.\n"
+ "This method takes an optional parameter \"passphrase\" which, if\n"
+ "specified, will be used to encrypt the private key with AES-256-CBC.\n"
+ "If you don't specify a passphrase, the key will not be encrypted.\n"
;
-#warning This probably ought to be separate methods for private and public keys.
-
static PyObject *
-asymmetric_object_pem_write(asymmetric_object *self, PyObject *args)
+asymmetric_object_pem_write_private(asymmetric_object *self, PyObject *args)
{
PyObject *result = NULL;
char *passphrase = NULL;
const EVP_CIPHER *evp_method = NULL;
- int key_type = 0;
BIO *bio = NULL;
- if (!PyArg_ParseTuple(args, "|is", &key_type, &passphrase))
+ if (!PyArg_ParseTuple(args, "|s", &passphrase))
goto error;
- if (key_type == 0)
- key_type = self->key_type;
+ if (self->key_type != RSA_PRIVATE_KEY)
+ lose("Sorry, this object is not a private key");
if ((bio = BIO_new(BIO_s_mem())) == NULL)
lose_no_memory();
- switch(key_type) {
-
- case RSA_PRIVATE_KEY:
-
- if (passphrase)
- evp_method = EVP_aes_256_cbc();
+ if (passphrase)
+ evp_method = EVP_aes_256_cbc();
- if (!PEM_write_bio_RSAPrivateKey(bio, self->cipher, evp_method, NULL, 0, NULL, passphrase))
- lose_openssl_error("Unable to write key");
+ if (!PEM_write_bio_RSAPrivateKey(bio, self->cipher, evp_method, NULL, 0, NULL, passphrase))
+ lose_openssl_error("Unable to write key");
- break;
+ result = BIO_to_PyString_helper(bio);
- case RSA_PUBLIC_KEY:
+ error: /* Fall through */
+ BIO_free(bio);
+ return result;
+}
- if (passphrase)
- lose("Public keys should not encrypted");
+static char asymmetric_object_pem_write_public__doc__[] =
+ "This method writes an \"Asymmetric\" public key as a PEM string.\n"
+ ;
- if (!PEM_write_bio_RSA_PUBKEY(bio, self->cipher))
- lose_openssl_error("Unable to write key");
+static PyObject *
+asymmetric_object_pem_write_public(asymmetric_object *self)
+{
+ PyObject *result = NULL;
+ const EVP_CIPHER *evp_method = NULL;
+ BIO *bio = NULL;
- break;
+ if ((bio = BIO_new(BIO_s_mem())) == NULL)
+ lose_no_memory();
- default:
- lose("Unsupported key type");
- }
+ if (!PEM_write_bio_RSA_PUBKEY(bio, self->cipher))
+ lose_openssl_error("Unable to write key");
result = BIO_to_PyString_helper(bio);
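Review bot: `evp_method` in asymmetric_object_pem_write_public is declared but never used — only the private writer selects a cipher — so `const EVP_CIPHER *evp_method = NULL;` can be dropped from the new public function. In asymmetric_object_pem_write_private the encryption decision is `if (passphrase)`, so an empty string passed from Python still selects AES-256-CBC and, if I read PEM_write_bio_RSAPrivateKey's handling of a zero-length kstr correctly, the key is then encrypted under an empty password; rejecting `passphrase[0] == '\0'` with a lose() would make the docstring's "if specified" match what actually gets encrypted. Both new function bodies continue past the end of the hunk.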
@@ -4651,48 +4644,47 @@ asymmetric_object_pem_write(asymmetric_object *self, PyObject *args)
return result;
}
-static char asymmetric_object_der_write__doc__[] =
- "This method is used to write Asymmetric objects out as strings.\n"
- "\n"
- "The \"keytype\" parameter should be one of:\n"
- "\n"
- " * RSA_PUBLIC_KEY\n"
- " * RSA_PRIVATE_KEY\n"
+static char asymmetric_object_der_write_private__doc__[] =
+ "This method writes an \"Asymmetric\" private key as a DER string.\n"
;
-#warning This also probably ought to be separate methods for private and public keys.
-
static PyObject *
-asymmetric_object_der_write(asymmetric_object *self, PyObject *args)
+asymmetric_object_der_write_private(asymmetric_object *self)
{
PyObject *result = NULL;
BIO *bio = NULL;
- int key_type = 0;
-
- if (!PyArg_ParseTuple(args, "|i", &key_type))
- goto error;
- if (key_type == 0)
- key_type = self->key_type;
+ if (self->key_type != RSA_PRIVATE_KEY)
+ lose("Sorry, this object is not an RSA private key");
if ((bio = BIO_new(BIO_s_mem())) == NULL)
lose_no_memory();
- switch (key_type) {
+ if (!i2d_RSAPrivateKey_bio(bio, self->cipher))
+ lose_openssl_error("Unable to write private key");
- case RSA_PRIVATE_KEY:
- if (!i2d_RSAPrivateKey_bio(bio, self->cipher))
- lose_openssl_error("Unable to write private key");
- break;
+ result = BIO_to_PyString_helper(bio);
- case RSA_PUBLIC_KEY:
- if (!i2d_RSA_PUBKEY_bio(bio, self->cipher))
- lose_openssl_error("Unable to write public key");
- break;
+ error: /* Fall through */
+ BIO_free(bio);
+ return result;
+}
- default:
- lose("Unsupported key type");
- }
+static char asymmetric_object_der_write_public__doc__[] =
+ "This method writes an \"Asymmetric\" public key as a DER string.\n"
+ ;
+
+static PyObject *
+asymmetric_object_der_write_public(asymmetric_object *self)
+{
+ PyObject *result = NULL;
+ BIO *bio = NULL;
+
+ if ((bio = BIO_new(BIO_s_mem())) == NULL)
+ lose_no_memory();
+
+ if (!i2d_RSA_PUBKEY_bio(bio, self->cipher))
+ lose_openssl_error("Unable to write public key");
result = BIO_to_PyString_helper(bio);
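Review bot: The refusal message in asymmetric_object_der_write_private, `lose("Sorry, this object is not an RSA private key");`, differs from the PEM counterpart's "Sorry, this object is not a private key" for the same self->key_type check; pick one wording for both so callers that match on the error text see a consistent message. asymmetric_object_der_write_public ends outside the hunk.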
@@ -4790,10 +4782,12 @@ asymmetric_object_verify(asymmetric_object *self, PyObject *args)
}
static struct PyMethodDef asymmetric_object_methods[] = {
- Define_Method(pemWrite, asymmetric_object_pem_write, METH_VARARGS),
- Define_Method(derWrite, asymmetric_object_der_write, METH_VARARGS),
- Define_Method(sign, asymmetric_object_sign, METH_VARARGS),
- Define_Method(verify, asymmetric_object_verify, METH_VARARGS),
+ Define_Method(pemWritePrivate, asymmetric_object_pem_write_private, METH_VARARGS),
+ Define_Method(pemWritePublic, asymmetric_object_pem_write_public, METH_NOARGS),
+ Define_Method(derWritePrivate, asymmetric_object_der_write_private, METH_NOARGS),
+ Define_Method(derWritePublic, asymmetric_object_der_write_public, METH_NOARGS),
+ Define_Method(sign, asymmetric_object_sign, METH_VARARGS),
+ Define_Method(verify, asymmetric_object_verify, METH_VARARGS),
Define_Class_Method(pemReadPublic, asymmetric_object_pem_read_public, METH_VARARGS),
Define_Class_Method(pemReadPublicFile, asymmetric_object_pem_read_public_file, METH_VARARGS),
Define_Class_Method(derReadPublic, asymmetric_object_der_read_public, METH_VARARGS),
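Review bot: pemWritePublic, derWritePrivate and derWritePublic are registered with METH_NOARGS, yet the C functions they name are declared with a single `asymmetric_object *self` parameter, whereas CPython invokes a METH_NOARGS entry as a PyCFunction with a second (NULL) argument. Unless Define_Method, which is not visible here, does something unusual, declaring them as `asymmetric_object_pem_write_public(asymmetric_object *self, PyObject *unused)` (and likewise for the two DER writers) keeps the call well-defined instead of relying on the platform calling convention ignoring the extra argument. The asymmetric_object_methods table continues past the end of the hunk.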
@@ -5675,159 +5669,6 @@ static PyTypeObject cmstype = {
/*========== module functions ==========*/
-static char pow_module_pem_read__doc__[] =
- "This function should be replaced by class methods for the several\n"
- "kinds of objects this function currently returns.\n"
- "\n"
- "For now, here is the old documentation for this function.\n"
- "\n"
- "<modulefunction>\n"
- " <header>\n"
- " <name>pemRead</name>\n"
- " <parameter>type</parameter>\n"
- " <parameter>string</parameter>\n"
- " <parameter>pass = None</parameter>\n"
- " </header>\n"
- " <body>\n"
- " <para>\n"
- " This function attempts to parse the <parameter>string</parameter> according to the PEM\n"
- " type passed. <parameter>type</parameter> should be one of the\n"
- " following:\n"
- " </para>\n"
- " <simplelist>\n"
- " <member><constant>RSA_PUBLIC_KEY</constant></member>\n"
- " <member><constant>RSA_PRIVATE_KEY</constant></member>\n"
- " <member><constant>X509_CERTIFICATE</constant></member>\n"
- " <member><constant>X509_CRL</constant></member>\n"
- " <member><constant>CMS_MESSAGE</constant></member>\n"
- " </simplelist>\n"
- " <para>\n"
- " <parameter>pass</parameter> should only be provided if an encrypted\n"
- " <classname>Asymmetric</classname> is being loaded. If the password\n"
- " is incorrect an exception will be raised, if no password is provided\n"
- " and the PEM file is encrypted the user will be prompted. If this is\n"
- " not desirable, always supply a password. The object returned will be\n"
- " and instance of <classname>Asymmetric</classname>,\n"
- " <classname>X509</classname>, <classname>X509CRL</classname>,\n"
- " or <classname>CMS</classname>.\n"
- " </para>\n"
- " </body>\n"
- "</modulefunction>\n"
- ;
-
-static PyObject *
-pow_module_pem_read (PyObject *self, PyObject *args)
-{
- BIO *bio = NULL;
- PyObject *obj = NULL;
- int object_type = 0, len = 0;
- char *pass = NULL, *src = NULL;
-
- if (!PyArg_ParseTuple(args, "is#|s", &object_type, &src, &len, &pass))
- goto error;
-
- if ((bio = BIO_new_mem_buf(src, len)) == NULL)
- lose_no_memory();
-
- switch(object_type) {
- case RSA_PRIVATE_KEY:
- obj = asymmetric_object_pem_read_private_helper(&asymmetrictype, bio, pass);
- break;
- case RSA_PUBLIC_KEY:
- obj = asymmetric_object_pem_read_public_helper(&asymmetrictype, bio);
- break;
- case X509_CERTIFICATE:
- obj = x509_object_pem_read_helper(&x509type, bio);
- break;
- case X_X509_CRL:
- obj = x509_crl_object_pem_read_helper(&x509_crltype, bio);
- break;
- case CMS_MESSAGE:
- obj = cms_object_pem_read_helper(&cmstype, bio);
- break;
- default:
- lose("Unknown PEM encoding");
- }
-
- error:
- BIO_free(bio);
- return obj;
-}
-
-static
- char pow_module_der_read__doc__[] =
- "This function should be replaced by class methods for the several\n"
- "kinds of objects this function currently returns.\n"
- "\n"
- "For now, here is the old documentation for this function.\n"
- "\n"
- "<modulefunction>\n"
- " <header>\n"
- " <name>derRead</name>\n"
- " <parameter>type</parameter>\n"
- " <parameter>string</parameter>\n"
- " </header>\n"
- " <body>\n"
- " <para>\n"
- " This function attempts to parse the <parameter>string</parameter> according to the PEM\n"
- " type passed. <parameter>type</parameter> should be one of the\n"
- " following:\n"
- " </para>\n"
- " <simplelist>\n"
- " <member><constant>RSA_PUBLIC_KEY</constant></member>\n"
- " <member><constant>RSA_PRIVATE_KEY</constant></member>\n"
- " <member><constant>X509_CERTIFICATE</constant></member>\n"
- " <member><constant>X509_CRL</constant></member>\n"
- " <member><constant>CMS_MESSAGE</constant></member>\n"
- " </simplelist>\n"
- " <para>\n"
- " As with the PEM operations, the object returned will be and instance\n"
- " of <classname>Asymmetric</classname>, <classname>X509</classname>,\n"
- " <classname>X509CRL</classname>, or <classname>CMS</classname>.\n"
- " </para>\n"
- " </body>\n"
- "</modulefunction>\n"
- ;
-
-static PyObject *
-pow_module_der_read (PyObject *self, PyObject *args)
-{
- BIO *bio = NULL;
- PyObject *obj = NULL;
- int object_type = 0, len = 0;
- unsigned char *src = NULL;
-
- if (!PyArg_ParseTuple(args, "is#", &object_type, &src, &len))
- goto error;
-
- if ((bio = BIO_new_mem_buf(src, len)) == NULL)
- lose_no_memory();
-
- switch(object_type) {
- case RSA_PRIVATE_KEY:
- obj = asymmetric_object_der_read_private_helper(&asymmetrictype, bio);
- break;
- case RSA_PUBLIC_KEY:
- obj = asymmetric_object_der_read_public_helper(&asymmetrictype, bio);
- break;
- case X509_CERTIFICATE:
- obj = x509_object_der_read_helper(&x509type, bio);
- break;
- case X_X509_CRL:
- obj = x509_crl_object_der_read_helper(&x509_crltype, bio);
- break;
- case CMS_MESSAGE:
- obj = cms_object_der_read_helper(&cmstype, bio);
- break;
- default:
- lose("Unknown DER encoding");
- }
-
- error:
- BIO_free(bio);
- return obj;
-}
-
static char pow_module_add_object__doc__[] =
"This function dynamically adds new a new object identifier to OpenSSL's\n"
"internal database.\n"
@@ -5993,8 +5834,6 @@ pow_module_read_random_file(PyObject *self, PyObject *args)
}
static struct PyMethodDef pow_module_methods[] = {
- Define_Method(pemRead, pow_module_pem_read, METH_VARARGS),
- Define_Method(derRead, pow_module_der_read, METH_VARARGS),
Define_Method(getError, pow_module_get_error, METH_NOARGS),
Define_Method(clearError, pow_module_clear_error, METH_NOARGS),
Define_Method(seed, pow_module_seed, METH_VARARGS),
diff --git a/rpkid/rpki/POW/pkix.py b/rpkid/rpki/POW/pkix.py
index e7d9dde1..9c64aec0 100644
--- a/rpkid/rpki/POW/pkix.py
+++ b/rpkid/rpki/POW/pkix.py
@@ -131,10 +131,10 @@ class POWCryptoDriver(CryptoDriver):
return key.verify(signature, self._digest(oid, plaintext), self.OID2driver[oid])
def toPublicDER(self, key):
- return key.derWrite(POW.RSA_PUBLIC_KEY)
+ return key.derWritePublic()
def fromPublicDER(self, der):
- return POW.derRead(POW.RSA_PUBLIC_KEY, der)
+ return POW.Asymmetric.derReadPublic(der)
_cryptoDriver = None # Don't touch this directly
diff --git a/rpkid/rpki/x509.py b/rpkid/rpki/x509.py
index fd149373..b5683a47 100644
--- a/rpkid/rpki/x509.py
+++ b/rpkid/rpki/x509.py
@@ -554,7 +554,7 @@ class X509(DER_object):
"""
self.check()
if not self.POW:
- self.POW = rpki.POW.derRead(rpki.POW.X509_CERTIFICATE, self.get_DER())
+ self.POW = rpki.POW.X509.derRead(self.get_DER())
return self.POW
def get_POWpkix(self):
@@ -988,10 +988,10 @@ class insecure_debug_only_rsa_key_generator(object):
def __call__(self):
k = str(self.keyno)
try:
- v = rpki.POW.derRead(rpki.POW.RSA_PRIVATE_KEY, self.db[k])
+ v = rpki.POW.Asymmetric.derReadPrivate(self.db[k])
except KeyError:
v = rpki.POW.Asymmetric(rpki.POW.RSA_CIPHER, 2048)
- self.db[k] = v.derWrite(rpki.POW.RSA_PRIVATE_KEY)
+ self.db[k] = v.derWritePrivate()
self.keyno += 1
return v
@@ -1011,7 +1011,7 @@ class RSA(DER_object):
if self.DER:
return self.DER
if self.POW:
- self.DER = self.POW.derWrite(rpki.POW.RSA_PRIVATE_KEY)
+ self.DER = self.POW.derWritePrivate()
return self.get_DER()
raise rpki.exceptions.DERObjectConversionError, "No conversion path to DER available"
@@ -1021,7 +1021,7 @@ class RSA(DER_object):
"""
self.check()
if not self.POW:
- self.POW = rpki.POW.derRead(rpki.POW.RSA_PRIVATE_KEY, self.get_DER())
+ self.POW = rpki.POW.Asymmetric.derReadPrivate(self.get_DER())
return self.POW
@classmethod
@@ -1040,7 +1040,7 @@ class RSA(DER_object):
"""
Get the DER encoding of the public key from this keypair.
"""
- return self.get_POW().derWrite(rpki.POW.RSA_PUBLIC_KEY)
+ return self.get_POW().derWritePublic()
def get_SKI(self):
"""
@@ -1070,7 +1070,7 @@ class RSApublic(DER_object):
if self.DER:
return self.DER
if self.POW:
- self.DER = self.POW.derWrite(rpki.POW.RSA_PUBLIC_KEY)
+ self.DER = self.POW.derWritePublic()
return self.get_DER()
raise rpki.exceptions.DERObjectConversionError, "No conversion path to DER available"
@@ -1080,7 +1080,7 @@ class RSApublic(DER_object):
"""
self.check()
if not self.POW:
- self.POW = rpki.POW.derRead(rpki.POW.RSA_PUBLIC_KEY, self.get_DER())
+ self.POW = rpki.POW.Asymmetric.derReadPublic(self.get_DER())
return self.POW
def get_SKI(self):
@@ -1175,7 +1175,7 @@ class CMS_object(DER_object):
"""
self.check()
if not self.POW:
- self.POW = rpki.POW.derRead(rpki.POW.CMS_MESSAGE, self.get_DER())
+ self.POW = rpki.POW.CMS.derRead(self.get_DER())
return self.POW
def get_content(self):
@@ -1724,7 +1724,7 @@ class CRL(DER_object):
"""
self.check()
if not self.POW:
- self.POW = rpki.POW.derRead(rpki.POW.X509_CRL, self.get_DER())
+ self.POW = rpki.POW.CRL.derRead(self.get_DER())
return self.POW
def get_POWpkix(self):
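Review bot: `rpki.POW.CRL.derRead(...)` assumes the extension module exposes the CRL type under the attribute name CRL, but the only visible C change is the tp_name string at the x509_crltype definition ("POW.X509CRL" to "POW.CRL"); the module registration that decides the attribute name is not in this diff, so please confirm it was renamed as well, otherwise get_POW raises AttributeError the first time a CRL is parsed. The same check applies to `rpki.POW.CMS.derRead` and `rpki.POW.X509.derRead` in the earlier hunks of this file and to the derReadFile / derReadPrivate class methods used in pkix.py and find-roa-expiration.py, none of which appear in the POW.c hunks shown (only derReadPublic does). The enclosing CRL class continues outside the hunk.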
diff --git a/scripts/Old/test-pow-tls.py b/scripts/Old/test-pow-tls.py
deleted file mode 100644
index bc9ea9a0..00000000
--- a/scripts/Old/test-pow-tls.py
+++ /dev/null
@@ -1,61 +0,0 @@
-"""
-Grope towards testing TLS functionality in POW
-
-$Id$
-
-Copyright (C) 2008 American Registry for Internet Numbers ("ARIN")
-
-Permission to use, copy, modify, and distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
-REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
-INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-PERFORMANCE OF THIS SOFTWARE.
-"""
-
-# openssl s_server -tls1 -Verify 9 -cert biz-certs/Alice-EE.cer -key biz-certs/Alice-EE.key -www -CApath biz-certs -chain
-
-# openssl s_client -connect localhost:4433 -tls1 -cert biz-certs/Bob-EE.cer -key biz-certs/Bob-EE.key -verify 9 -CApath biz-certs -crlf
-
-import POW, socket
-
-def pow_error_iterator():
- err = POW.getError()
- if err is None:
- raise StopIteration
- else:
- yield err
-
-key = POW.pemRead(POW.RSA_PRIVATE_KEY, open("biz-certs/Bob-EE.key").read())
-cer = POW.pemRead(POW.X509_CERTIFICATE, open("biz-certs/Bob-EE.cer").read())
-ca = POW.pemRead(POW.X509_CERTIFICATE, open("biz-certs/Bob-CA.cer").read())
-
-s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-s.connect(("localhost", 4433))
-
-try:
- t = POW.Ssl(POW.TLSV1_CLIENT_METHOD)
- t.useCertificate(cer)
- t.useKey(key)
- t.addCertificate(ca)
- t.setFd(s.fileno())
- t.connect()
- x = t.peerCertificate()
- if x is not None:
- print "Peer", x.pprint()
- t.write("GET / HTTP/1.0\r\n")
- if False:
- print t.read(10000)
- else:
- while True:
- print t.read()
-except:
- print "ERROR:"
- for e in pow_error_iterator():
- print e
- raise
diff --git a/scripts/Old/tls-client.py b/scripts/Old/tls-client.py
deleted file mode 100644
index ef879a5c..00000000
--- a/scripts/Old/tls-client.py
+++ /dev/null
@@ -1,27 +0,0 @@
-# $Id$
-
-import socket, POW, time
-
-key = POW.pemRead(POW.RSA_PRIVATE_KEY, open("Carol.key", "r").read())
-cer = POW.pemRead(POW.X509_CERTIFICATE, open("Carol.cer", "r").read())
-ta = POW.pemRead(POW.X509_CERTIFICATE, open("Alice-TA.cer", "r").read())
-
-s = socket.socket()
-s.connect(('',6666))
-
-ssl = POW.Ssl(POW.TLSV1_CLIENT_METHOD)
-
-ssl.useCertificate(cer)
-ssl.useKey(key)
-ssl.setVerifyMode(POW.SSL_VERIFY_PEER | POW.SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
-ssl.trustCertificate(ta)
-
-ssl.setFd(s.fileno())
-ssl.connect()
-
-peer = ssl.peerCertificate()
-if peer is not None:
- print peer.pprint()
-
-print ssl.read(100)
-ssl.write("Bye")
diff --git a/scripts/Old/tls-server.py b/scripts/Old/tls-server.py
deleted file mode 100644
index d3798a32..00000000
--- a/scripts/Old/tls-server.py
+++ /dev/null
@@ -1,40 +0,0 @@
-# $Id$
-
-import socket, POW, time
-
-key = POW.pemRead(POW.RSA_PRIVATE_KEY, open("Alice.key", "r").read())
-cer = POW.pemRead(POW.X509_CERTIFICATE, open("Alice.cer", "r").read())
-ta = POW.pemRead(POW.X509_CERTIFICATE, open("Carol-TA.cer", "r").read())
-
-listener = socket.socket()
-listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
-listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
-listener.bind(('',6666))
-listener.listen(5)
-
-s, addr = listener.accept()
-while not s:
- time.sleep(2)
- s, addr = listener.accept()
-
-s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
-s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
-
-print "Got connection %r from %r" % (s, addr)
-
-ssl = POW.Ssl(POW.TLSV1_SERVER_METHOD)
-
-ssl.useCertificate(cer)
-ssl.useKey(key)
-ssl.setVerifyMode(POW.SSL_VERIFY_PEER | POW.SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
-ssl.trustCertificate(ta)
-
-ssl.setFd(s.fileno())
-ssl.accept()
-
-peer = ssl.peerCertificate()
-if peer is not None:
- print peer.pprint()
-
-ssl.write("Hello, TLS")
-print ssl.read(100)
diff --git a/scripts/find-roa-expiration.py b/scripts/find-roa-expiration.py
index 0ae6fa66..151de446 100644
--- a/scripts/find-roa-expiration.py
+++ b/scripts/find-roa-expiration.py
@@ -48,13 +48,13 @@ for line in subprocess.check_output(["find_roa"] + sys.argv[1:]).splitlines():
del words[-1]
print " ".join(words)
- x = rpki.POW.derRead(rpki.POW.CMS_MESSAGE, open(fn, "rb").read()).certs()[0]
+ x = rpki.POW.CMS.derReadFile(fn).certs()[0]
uri = get_aia(x)
print x.getNotAfter(), filename_to_uri(fn)
while uri:
fn = uri_to_filename(uri)
- x = rpki.POW.derRead(rpki.POW.X509_CERTIFICATE, open(fn, "rb").read())
+ x = rpki.POW.X509.derReadFile(fn)
print x.getNotAfter(), uri
uri = get_aia(x)
diff --git a/scripts/format-application-x-rpki.py b/scripts/format-application-x-rpki.py
index a7e58f49..accefa7f 100644
--- a/scripts/format-application-x-rpki.py
+++ b/scripts/format-application-x-rpki.py
@@ -56,7 +56,7 @@ if argv or source_name is None or destination_name is None:
usage(ok = False)
def pprint_cert(b64):
- return rpki.POW.derRead(rpki.POW.X509_CERTIFICATE, base64.b64decode(b64)).pprint()
+ return rpki.POW.X509.derRead(base64.b64decode(b64)).pprint()
def up_down():
msg["X-RPKI-Up-Down-Type"] = xml.get("type")
@@ -101,7 +101,7 @@ try:
continue
assert not srcmsg.is_multipart() and srcmsg.get_content_type() == "application/x-rpki"
payload = srcmsg.get_payload(decode = True)
- cms = rpki.POW.derRead(rpki.POW.CMS_MESSAGE, payload)
+ cms = rpki.POW.CMS.derRead(payload)
txt = cms.verify(rpki.POW.X509Store(), None, rpki.POW.CMS_NOCRL | rpki.POW.CMS_NO_SIGNER_CERT_VERIFY | rpki.POW.CMS_NO_ATTR_VERIFY | rpki.POW.CMS_NO_CONTENT_VERIFY)
xml = lxml.etree.fromstring(txt)
tag = xml.tag
diff --git a/scripts/x509-dot.py b/scripts/x509-dot.py
index 9ad5b79d..df892198 100644
--- a/scripts/x509-dot.py
+++ b/scripts/x509-dot.py
@@ -61,9 +61,9 @@ class x509(object):
f.close()
if "-----BEGIN" in text:
- self.pow = rpki.POW.pemRead(rpki.POW.X509_CERTIFICATE, text)
+ self.pow = rpki.POW.X509.pemRead(text)
else:
- self.pow = rpki.POW.derRead(rpki.POW.X509_CERTIFICATE, text)
+ self.pow = rpki.POW.X509.derRead(text)
self.extensions = dict((e[0], e[2]) for e in (self.pow.getExtension(i) for i in xrange(self.pow.countExtensions())))