Diffstat (limited to 'doc')
-rw-r--r-- | doc/doc.RPKI.Utils | 112 | ||||
-rw-r--r-- | doc/manual.pdf | bin | 760333 -> 760081 bytes |
2 files changed, 72 insertions, 40 deletions
diff --git a/doc/doc.RPKI.Utils b/doc/doc.RPKI.Utils index b9cd79b5..ce36dcbd 100644 --- a/doc/doc.RPKI.Utils +++ b/doc/doc.RPKI.Utils @@ -1,28 +1,36 @@ ****** RPKI utility programs ****** The distribution contains a few small utility programs. Most of these are -nominally relying party tools. Some but not all of them are installed by "make -install". +nominally relying party tools, but work at a low enough level that they may +also be useful in diagnosing CA problems. + +Unless otherwise specified, all of these tools expect RPKI objects +(certificates, CRLs, CMS signed objects) to be in DER format. + +Several of these tools accept an rcynic_directory argument. Which directory to +specify here depends on what you're trying to do, but if you're just trying to +look at authenticated data in your RP cache, and assuming you've installed +everything in the default locations, the directory you want is probably /var/ +rcynic/data/authenticated. ***** uri ***** uri is a utility program to extract URIs from the SIA, AIA, and CRLDP extensions of one or more X.509v3 certificates, either specified directly or as -CMS objects containing X.509v3 certificates within the CMS wrapper. Input files -must be in DER format. +CMS objects containing X.509v3 certificates within the CMS wrapper. Usage: $ uri [-h | --help] [-s | --single-line] cert [cert...] --h --help show help - --s --single-line Single output line per input file + -h --help + Show help - cert Object(s) to examine + -s --single-line + Single output line per input file -The rp/utils directory in the source tree also includes a few experimental AWK -scripts to post-process the uri program's output in various ways. + cert + Object(s) to examine ***** hashdir ***** 
@@ -30,59 +38,71 @@ hashdir copies an authenticated result tree from an rcynic run into the format expected by most OpenSSL-based programs: a collection of "PEM" format files with names in the form that OpenSSL's -CApath lookup routines expect. This can be useful for validating RPKI objects which are not distributed as part of the -repository system. Input files must be in DER format. +repository system. Usage: $ hashdir [-h | --help] [-v | --verbose] rcynic_directory output_directory --h --help Show help + -h --help + Show help --v --verbose Whistle while you work + -v --verbose + Whistle while you work - rcynic_directory rcynic authenticated output tree + rcynic_directory + rcynic authenticated output tree - output_directory Output directory to create + output_directory + Output directory to create ***** print_rpki_manifest ***** print_rpki_manifest pretty-prints the content of a manifest. It does NOT -attempt to verify the signature. Input files must be in DER format. +attempt to verify the signature. Usage: $ print_rpki_manifest [-h | --help] [-c | --cms] manifest [manifest...] --h --help Show help + -h --help + Show help --c --cms Print text representation of entire CMS blob + -c --cms + Print text representation of entire CMS blob - manifest Manifest(s) to print + manifest + Manifest(s) to print ***** print_roa ***** print_roa pretty-prints the content of a ROA. It does NOT attempt to verify the -signature. Input files must be in DER format. +signature. Usage: $ print_roa [-h | --help] [-b | --brief] [-c | --cms] [-s | --signing-time] ROA [ROA...] 
--h --help Show help + -h --help + Show help --b --brief Brief mode (only show ASN and prefix) + -b --brief + Brief mode (only show ASN and prefix) --c --cms Print text representation of entire CMS blob + -c --cms + Print text representation of entire CMS blob --s --signing-time Show CMS signingTime + -s --signing-time + Show CMS signingTime - ROA ROA object(s) to print + ROA + ROA object(s) to print ***** find_roa ***** find_roa searches the authenticated result tree from an rcynic run for ROAs -matching specified prefixes. Input files must be in DER format. +matching specified prefixes. Usage: @@ -91,21 +111,29 @@ Usage: [-i | --show-inception] [-e | --show-expiration] authtree [prefix...] --h --help Show help + -h --help + Show help --a --all Show all ROAs, do no prefix matching at all + -a --all + Show all ROAs, do no prefix matching at all --e --show-expiration Show ROA chain expiration dates + -e --show-expiration + Show ROA chain expiration dates --f --show-filenames Show filenames instead of URIs + -f --show-filenames + Show filenames instead of URIs --i --show-inception Show inception dates + -i --show-inception + Show inception dates --m -match-maxlength Pay attention to maxLength values + -m -match-maxlength + Pay attention to maxLength values - authtree rcynic authenticated output tree + authtree + rcynic authenticated output tree - prefix ROA prefix(es) to on which to match + prefix + ROA prefix(es) to on which to match ***** scan_roas ***** @@ -118,11 +146,13 @@ validated ROA payload after an rcynic validation run. Usage: - $ scan_roas [-h | --help] rcynic_dir [rcynic_dir...] + $ scan_roas [-h | --help] rcynic_directory [rcynic_directory...] --h --help Show help + -h --help + Show help - rcynic_dir rcynic authenticated output tree + rcynic_directory + rcynic authenticated output tree ***** scan_routercerts ***** 
@@ -135,8 +165,10 @@ validated ROA payload after an rcynic validation run. Usage: - $ scan_routercerts [-h | --help] rcynic_dir [rcynic_dir...] + $ scan_routercerts [-h | --help] rcynic_directory [rcynic_directory...] --h --help Show help + -h --help + Show help - rcynic_dir rcynic authenticated output tree + rcynic_directory + rcynic authenticated output tree diff --git a/doc/manual.pdf b/doc/manual.pdf Binary files differindex 7da7fd39..13bbfa09 100644 --- a/doc/manual.pdf +++ b/doc/manual.pdf |
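Review bot: In the first hunk (@@ -1,28 +1,36 @@) the new introductory paragraph breaks the default cache path across two lines, "/var/" followed by "rcynic/data/authenticated", so the rendered text has whitespace inside the path and cannot be copied as written. Reflow the paragraph so that /var/rcynic/data/authenticated stays on one line. The same hunk also removes the statement that only some of the tools are installed by "make install" and the pointer to the AWK scripts in rp/utils, with nothing replacing either. If both are still true they should stay in the document.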
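Review bot: In the second hunk (@@ -30,59 +38,71 @@) print_rpki_manifest and print_roa keep "It does NOT attempt to verify the signature", while the new introduction now recommends these tools for diagnosing CA problems, which means running them on objects that have not passed through rcynic. It would help to add one sentence to each description saying that output for a file taken from outside the authenticated tree is unvalidated and only shows what the object claims. In the same hunk, the hashdir entry "-v --verbose" is still described as "Whistle while you work", which does not tell the reader what the option prints.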
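Review bot: In the find_roa hunk (@@ -91,21 +111,29 @@) the re-indented option list carries over "-m -match-maxlength" with a single dash on the long form, while every other long option in this file uses two. Please check it against the program's option table and correct it while these lines are being touched. The prefix description "ROA prefix(es) to on which to match" also has a stray "to". Finally, this hunk leaves the argument named authtree although it has the same description ("rcynic authenticated output tree") as the rcynic_directory argument that the new introduction and the scan_roas and scan_routercerts hunks standardise on. Either rename it here as well or say in the introduction that authtree is the same directory.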
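Review bot: doc/manual.pdf at the end of the patch is a regenerated binary (760333 -> 760081 bytes), so nothing in the diff shows that it was built from this revision of doc/doc.RPKI.Utils. Consider stating in the commit message how the PDF was produced, or generating it at build time instead of tracking it, so that the text and PDF versions of the manual cannot drift apart unnoticed.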