Diffstat (limited to 'myrpki.rototill/examples')
-rw-r--r--myrpki.rototill/examples/asns.csv8
-rw-r--r--myrpki.rototill/examples/children.csv9
-rw-r--r--myrpki.rototill/examples/myrpki.conf411
-rw-r--r--myrpki.rototill/examples/parents.csv8
-rw-r--r--myrpki.rototill/examples/prefixes.csv11
-rw-r--r--myrpki.rototill/examples/pubclients.csv10
-rw-r--r--myrpki.rototill/examples/roas.csv8
-rw-r--r--myrpki.rototill/examples/rsyncd.conf30
8 files changed, 495 insertions, 0 deletions
diff --git a/myrpki.rototill/examples/asns.csv b/myrpki.rototill/examples/asns.csv
new file mode 100644
index 00000000..804cf839
--- /dev/null
+++ b/myrpki.rototill/examples/asns.csv
@@ -0,0 +1,8 @@
+# $Id$
+#
+# Syntax: <child_handle> <asn>
+#
+# NB: Comment lines are not allowed in these files, this one is only
+# present to explain the example
+#
+Alice 64533
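Review bot: The header comment at the top of this hunk states that comment lines are not allowed in these files, yet the example ships with seven of them, so it cannot be fed to the tooling as-is; the same defect is in children.csv, parents.csv, prefixes.csv, pubclients.csv and roas.csv in this commit. Either the reader should be taught to skip lines beginning with `#`, or the syntax explanation should move to a README beside the examples and the files should hold only data rows. The `Syntax:` line also documents fields that are visibly whitespace-separated while the files carry a `.csv` extension; a one-line note such as `# Fields are whitespace-separated, not comma-separated` would stop a reader from comma-joining or quoting values.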
diff --git a/myrpki.rototill/examples/children.csv b/myrpki.rototill/examples/children.csv
new file mode 100644
index 00000000..da29e8b5
--- /dev/null
+++ b/myrpki.rototill/examples/children.csv
@@ -0,0 +1,9 @@
+# $Id$
+#
+# Syntax: <child_handle> <validitydate> <bpki_cert_filename>
+#
+# NB: Comment lines are not allowed in these files, this one is only
+# present to explain the example
+#
+Alice 2009-07-27T08:24:53Z Alice.ta.cer
+Bob 2009-07-27T08:24:53Z Bob.ta.cer
diff --git a/myrpki.rototill/examples/myrpki.conf b/myrpki.rototill/examples/myrpki.conf
new file mode 100644
index 00000000..0eded59b
--- /dev/null
+++ b/myrpki.rototill/examples/myrpki.conf
@@ -0,0 +1,411 @@
+# $Id: myrpki.conf 2722 2009-08-31 22:24:48Z sra $
+#
+# Config file for myrpki.py, myirbe.py, and RPKI daemons when used
+# with myrpki.py etc. Notes:
+#
+# - There's some duplication of settings between some of the sections,
+# because each of the several daemons and control programs was
+# written as a free-standing program. Lumping all of the config for
+# all of them into a single config file is just a convenience for
+# simple configurations; in complex cases you might not have any two
+# of them running on the same machine.
+#
+# - This config file is also read by the OpenSSL command line tool
+# running under mypki.py, so syntax must remain compatable with both
+# OpenSSL and Python config file parsers, and there's a big chunk of
+# OpenSSL voodoo towards the end of this file.
+
+################################################################
+
+[myrpki]
+
+# Handle naming hosted resource-holding entity (<self/>) represented
+# by this myrpki instance. Syntax is an identifier (ASCII letters,
+# digits, hyphen, underscore -- no whitespace, non-ASCII characters,
+# or other punctuation). You need to set this.
+
+handle = Me
+
+# BPKI trust anchor for the repository in which this <self/> will be
+# publishing its outputs. You need to set this.
+
+repository_bpki_certificate = repository-ta.cer
+
+# Name by which repository will know this <self/>. This may be a
+# structured handle, eg, "Grandma/Mom/Me" or might be a simple handle,
+# depending on how the repository is set up. Syntax is same as
+# "handle", with the addition of "/" characters as an allowed
+# delimiter. You need to set this.
+
+repository_handle = Me
+
+# Names of various input and output files. Don't change these without
+# a good reason.
+
+roa_csv = roas.csv
+children_csv = children.csv
+parents_csv = parents.csv
+prefix_csv = prefixes.csv
+asn_csv = asns.csv
+xml_filename = myrpki.xml
+bpki_directory = bpki.myrpki
+
+#################################################################
+
+[myirbe]
+
+# Base of service URL for pubd. myirbe.py uses this value to
+# configure <repository/> objects in rpkid. If you are running your
+# own copy of pubd (see "want_pubd"), myirbe.py also uses this to
+# contact your copy of pubd in order to configure it.
+#
+# You need to configure this.
+
+pubd_base = https://pubd.example.org:4402/
+
+# Base of service URL for rpkid. myirbe.py uses this to contact your
+# rpkid so it can configure it.
+#
+# You need to configure this.
+
+rpkid_base = https://rpkid.example.org:4404
+
+# Whether you want myirbe.py to attempt to configure your own copy of
+# pubd. In general, it's best to use your parent's pubd if you can,
+# to reduce the overall number of publication sites that relying
+# parties need to check, so don't enable this unless you have a good
+# reason. See the [pubd] section if you do enable this.
+#
+# Enabling this when you are -not- running your own copy of pubd will
+# cause myirbe.py to fail when it attempts to perform runtime
+# configuration of your nonexistant pubd.
+
+want_pubd = false
+
+# Whether you want myirbe.py to generate BPKI certs for running your
+# very own copy of rootd. Don't enable this unless you really know
+# what you're doing. See [rootd] section below for further comments.
+
+want_rootd = false
+
+# Where to put BPKI stuff for the IRBE operator (entity that operates
+# rpkid etc). Don't change this without a reason.
+
+bpki_directory = bpki.myirbe
+
+#################################################################
+
+[rpkid]
+
+# MySQL database name, user name, and password for rpkid to use to
+# store its data. You need to configure these.
+
+sql-database = rpki
+sql-username = rpki
+sql-password = fnord
+
+# Host and port on which rpkid should listen for HTTPS service
+# requests. These should match rpkid_base in the [myirbe] section.
+# You need to configure these.
+
+server-host = rpkid.example.org
+server-port = 4404
+
+# HTTPS service URL rpkid should use to contact irdbd. If irdbd is
+# running on the same machine as rpkid, this can and probably should
+# be a loopback URL, since nobody but rpkid needs to talk to irdbd.
+
+irdb-url = https://localhost:4403/
+
+# Where rpkid should look for BPKI certs and keys used in the
+# left-right protocol. The following values match where myirbe.py
+# will have placed things. Don't change these without a reason.
+
+bpki-ta = bpki.myirbe/ca.cer
+rpkid-key = bpki.myirbe/rpkid.key
+rpkid-cert = bpki.myirbe/rpkid.cer
+irdb-cert = bpki.myirbe/irdbd.cer
+irbe-cert = bpki.myirbe/irbe.cer
+
+#################################################################
+
+[irdbd]
+
+# MySQL database name, user name, and password for irdbd to use to
+# store its data. You need to configure these.
+
+sql-database = irdb
+sql-username = irdb
+sql-password = fnord
+
+# HTTP service URL irdbd should listen on. This should match the
+# irdb-url parameter in the [rpkid] section; see comments there.
+
+https-url = https://localhost:4403/
+
+# Where irdbd should look for BPKI certs and keys used in the
+# left-right protocol. The following values match where myirbe.py
+# will have placed things. Don't change these without a reason.
+
+bpki-ta = bpki.myirbe/ca.cer
+rpkid-cert = bpki.myirbe/rpkid.cer
+irdbd-cert = bpki.myirbe/irdbd.cer
+irdbd-key = bpki.myirbe/irdbd.key
+
+#################################################################
+
+[pubd]
+
+# MySQL database name, user name, and password for pubd to use to
+# store (some of) its data. You need to configure these.
+
+sql-database = pubd
+sql-username = pubd
+sql-password = fnord
+
+# Root of directory tree where pubd should write out published data.
+# You need to configure this, and the configuration should match up
+# with the directory where you point rsyncd. Neither pubd nor rsyncd
+# much cares -where- you tell them to put this stuff, the important
+# thing is that the rsync:// URIs in generated certificates match up
+# with the published objects so that relying parties can find and
+# verify rpkid's published outputs.
+
+publication-base = publication/
+
+# Host and port on which pubd should listen for HTTPS service
+# requests. These should match pubd_base in the [myirbe] section.
+# You need to configure these.
+
+server-host = pubd.example.org
+server-port = 4402
+
+# Where pubd should look for BPKI certs and keys used in the
+# left-right protocol. The following values match where myirbe.py
+# will have placed things. Don't change these without a reason.
+
+bpki-ta = bpki.myirbe/ca.cer
+pubd-cert = bpki.myirbe/pubd.cer
+pubd-key = bpki.myirbe/pubd.key
+irbe-cert = bpki.myirbe/irbe.cer
+
+#################################################################
+
+[irbe_cli]
+
+# HTTPS service URL for rpkid
+
+rpkid-url = https://rpkid.example.org:4404/left-right/
+
+# BPKI certificates and keys for talking to rpkid
+
+rpkid-bpki-ta = bpki.myirbe/ca.cer
+rpkid-irbe-key = bpki.myirbe/irbe.key
+rpkid-irbe-cert = bpki.myirbe/irbe.cer
+rpkid-cert = bpki.myirbe/rpkid.cer
+
+# HTTPS service URL for pubd
+
+pubd-url = https://localhost:4402/control/
+
+# BPKI certificates and keys for talking to pubd
+
+pubd-bpki-ta = bpki.myirbe/ca.cer
+pubd-irbe-key = bpki.myirbe/irbe.key
+pubd-irbe-cert = bpki.myirbe/irbe.cer
+pubd-cert = bpki.myirbe/pubd.cer
+
+#################################################################
+
+# You don't need to run rootd unless you're IANA, are certifying
+# private address space, or are an RIR which refuses to accept IANA as
+# the root of the public address hierarchy.
+#
+# Ok, if that wasn't enough to scare you off: rootd is a kludge, and
+# needs to be rewritten, or, better, merged into rpkid. It does a
+# number of things wrong, and requires far too many configuration
+# parameters. You have been warned....
+
+[rootd]
+
+# BPKI certificates and keys for rootd
+
+bpki-ta = bpki.myirbe/ca.cer
+rootd-bpki-crl = bpki.myirbe/ca.crl
+rootd-bpki-cert = bpki.myirbe/rootd.cer
+rootd-bpki-key = bpki.myirbe/rootd.key
+child-bpki-cert = bpki.myirbe/child.cer
+
+# Server port on which rootd should listen.
+
+server-port = 4401
+
+# Where rootd should write its output. Yes, rootd should be using
+# pubd instead of publishing directly, but it doesn't.
+
+rpki-root-dir = publication/
+
+# rsync URI for directory containing rootd's outputs
+
+rpki-base-uri = rsync://rpki.example.org/Me/
+
+# rsync URI for rootd's root (self-signed) RPKI certificate
+
+rpki-root-cert-uri = rsync://rpki.example.org/Me/root.cer
+
+# Private key corresponding to rootd's root RPKI certificate
+
+rpki-root-key = bpki.myirbe/ca.key
+
+# Filename (as opposed to rsync URI) of rootd's root RPKI certificate
+
+rpki-root-cert = publication/root.cer
+
+# Where rootd should stash a copy of the PKCS #10 request it gets from
+# its one (and only) child
+
+rpki-subject-pkcs10 = rootd.subject.pkcs10
+
+# Lifetime of the one and only certificate rootd issues
+
+rpki-subject-lifetime = 30d
+
+# Filename (relative to rootd-base-uri and rpki-root-dir) of the CRL
+# for rootd's root RPKI certificate
+
+rpki-root-crl = root.crl
+
+# Filename (relative to rootd-base-uri and rpki-root-dir) of the
+# manifest for rootd's root RPKI certificate
+
+rpki-root-manifest = root.mnf
+
+# Up-down protocol class name for RPKI certificate rootd issues to its
+# one (and only) child
+
+rpki-class-name = Me
+
+# Filename (relative to rootd-base-uri and rpki-root-dir) of the one
+# (and only) RPKI certificate rootd issues
+
+rpki-subject-cert = Me.cer
+
+# The last four paramters in this section are really parameters for
+# myirbe.py to use when constructing rootd's root RPKI certificate,
+# via an indirection hack in the OpenSSL voodoo portion of this file.
+# Don't ask why some of these are duplicated from other paramters in
+# this section, you don't want to know (really, you don't).
+
+# ASNs to include in rootd's root RPKI certificate, in openssl.conf format
+
+root_cert_asns = AS:0-4294967295
+
+# IP addresses to include in rootd's root RPKI certificate, in
+# openssl.conf format
+
+root_cert_addrs = IPv4:0.0.0.0/0,IPv6:0::/0
+
+# Whatever you put in rpki-base-uri, earlier in this section
+
+root_cert_sia = rsync://rpki.example.org/Me/
+
+# root_cert_sia + rpki-root-manifest
+
+root_cert_manifest = rsync://rpki.example.org/Me/root.mnf
+
+#################################################################
+
+# Constants for OpenSSL voodoo portion of this file, to make them
+# easier to find.
+
+[constants]
+
+# Digest algorithm. Don't change this.
+
+digest = sha256
+
+# RSA key length. Don't change this.
+
+key_length = 2048
+
+# Lifetime of BPKI certificates (and rootd RPKI root certificate).
+# Don't change this unless you know what you're doing.
+
+cert_days = 365
+
+# Lifetime of BPKI CRLs. Don't change this unless you know what
+# you're doing.
+
+crl_days = 365
+
+#################################################################
+
+# The rest of this file is OpenSSL configuration voodoo. Don't touch
+# anything below here even if you -do- know what you're doing. Even
+# by OpenSSL standards, some of this is weird, and interacts in
+# non-obvious ways with code in myrpki.py and myirbe.py. If you touch
+# this stuff and something breaks, don't say you weren't warned.
+
+[req]
+default_bits = ${constants::key_length}
+default_md = ${constants::digest}
+distinguished_name = req_dn
+prompt = no
+encrypt_key = no
+
+[req_dn]
+CN = Dummy name for certificate request
+
+[ca_x509_ext_ee]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+[ca_x509_ext_xcert0]
+basicConstraints = critical,CA:true,pathlen:0
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+[ca_x509_ext_xcert1]
+basicConstraints = critical,CA:true,pathlen:1
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+[ca_x509_ext_ca]
+basicConstraints = critical,CA:true
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+[ca]
+default_ca = ca
+dir = ${ENV::BPKI_DIRECTORY}
+new_certs_dir = $dir
+database = $dir/index
+certificate = $dir/ca.cer
+private_key = $dir/ca.key
+default_days = ${constants::cert_days}
+default_crl_days = ${constants::crl_days}
+default_md = ${constants::digest}
+policy = ca_dn_policy
+unique_subject = no
+serial = $dir/serial
+crlnumber = $dir/crl_number
+
+[ca_dn_policy]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+givenName = optional
+surname = optional
+
+[rootd_x509_extensions]
+basicConstraints = critical,CA:true
+subjectKeyIdentifier = hash
+keyUsage = critical,keyCertSign,cRLSign
+subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:${rootd::root_cert_sia},1.3.6.1.5.5.7.48.10;URI:${rootd::root_cert_manifest}
+sbgp-autonomousSysNum = critical,${rootd::root_cert_asns}
+sbgp-ipAddrBlock = critical,${rootd::root_cert_addrs}
+certificatePolicies = critical,1.3.6.1.5.5.7.14.2
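Review bot: `rpki-root-key = bpki.myirbe/ca.key` in the [rootd] section points rootd's RPKI root private key at what appears to be the same file the [ca] section uses as the BPKI CA signing key (`private_key = $dir/ca.key` with `dir = ${ENV::BPKI_DIRECTORY}`, presumably bpki.myirbe when myirbe.py runs OpenSSL), so one key pair would sign both the BPKI and the RPKI root; if that sharing is deliberate it deserves a comment above `rpki-root-key`, since compromise or rotation of either PKI then forces the other. The three `sql-password = fnord` lines are placeholders in an example that operators will copy verbatim; a comment such as `# Placeholder -- replace before use and keep this file readable only by the daemon user` would make that explicit. Smaller inconsistencies worth fixing in the same pass: `rpkid_base` lacks the trailing slash that `pubd_base` carries, and `pubd-url` in [irbe_cli] uses localhost while [pubd] is configured to listen on pubd.example.org.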
diff --git a/myrpki.rototill/examples/parents.csv b/myrpki.rototill/examples/parents.csv
new file mode 100644
index 00000000..f92eddeb
--- /dev/null
+++ b/myrpki.rototill/examples/parents.csv
@@ -0,0 +1,8 @@
+# $Id$
+#
+# Syntax: <parent_handle> <service_uri> <cms_bpki_cert_filename> <https_bpki_cert_filename> <myhandle> <sia_base>
+#
+# NB: Comment lines are not allowed in these files, this one is only
+# present to explain the example
+#
+Mom https://localhost:4414/up-down/Mom/Becca Mom.ta.cer Mom.rpkid.cer Becca rsync://rpki.example.org/Me/
diff --git a/myrpki.rototill/examples/prefixes.csv b/myrpki.rototill/examples/prefixes.csv
new file mode 100644
index 00000000..160f9339
--- /dev/null
+++ b/myrpki.rototill/examples/prefixes.csv
@@ -0,0 +1,11 @@
+# $Id$
+#
+# Syntax: <child_handle> <prefix>/<length>
+# or: <child_handle> <min>-<max>
+#
+# NB: Comment lines are not allowed in these files, this one is only
+# present to explain the example
+#
+Alice 192.0.2.0/27
+Bob 192.0.2.44-192.0.2.100
+Bob 10.0.0.0/8
diff --git a/myrpki.rototill/examples/pubclients.csv b/myrpki.rototill/examples/pubclients.csv
new file mode 100644
index 00000000..6336a1a6
--- /dev/null
+++ b/myrpki.rototill/examples/pubclients.csv
@@ -0,0 +1,10 @@
+# $Id$
+#
+# Syntax: <client_handle> <bpki_cert_filename> <sia_base>
+#
+# NB: Comment lines are not allowed in these files, this one is only
+# present to explain the example
+#
+Me bpki.myrpki/ca.cer rsync://rpki.example.org/Me/
+Me/Alice pubd-client-certs/Alice.cer rsync://rpki.example.org/Me/Alice/
+Me/Bob pubd-client-certs/Bob.cer rsync://rpki.example.org/Me/Bob/
diff --git a/myrpki.rototill/examples/roas.csv b/myrpki.rototill/examples/roas.csv
new file mode 100644
index 00000000..4343ada0
--- /dev/null
+++ b/myrpki.rototill/examples/roas.csv
@@ -0,0 +1,8 @@
+# $Id$
+#
+# Syntax: <prefix>/<length>-<maxlength> <asn> <group>
+#
+# NB: Comment lines are not allowed in these files, this one is only
+# present to explain the example
+#
+10.3.0.44/32 666 Mom
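Review bot: The `Syntax:` line gives `<prefix>/<length>-<maxlength>`, but the only data row `10.3.0.44/32 666 Mom` has no `-<maxlength>` part, so a reader cannot tell whether the suffix is optional or the example is malformed; if it is optional, the line should read `# Syntax: <prefix>/<length>[-<maxlength>] <asn> <group>`. The `<group>` column is not explained anywhere in this hunk, and a short note on what a group identifies would help whoever edits this file.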
diff --git a/myrpki.rototill/examples/rsyncd.conf b/myrpki.rototill/examples/rsyncd.conf
new file mode 100644
index 00000000..d0a9cd97
--- /dev/null
+++ b/myrpki.rototill/examples/rsyncd.conf
@@ -0,0 +1,30 @@
+# $Id$
+#
+# Sample rsyncd.conf file for use with pubd. You may need to
+# customize this for the conventions on your system. See the rsync
+# and rsyncd.conf manual pages for a complete explanation of how to
+# configure rsyncd, this is just a simple configuration to get you
+# started.
+#
+# There are two parameters in the following which you should set to
+# appropriate values for your system:
+#
+# "myname" is the rsync module name to configure, as in
+# "rsync://rpki.example.org/myname/"
+#
+# "/some/where/publication" is the absolute pathname of the directory
+# where you told pubd to place its outputs (see the publication_base
+# parameter in the [pubd] section of myrpki.conf)
+#
+# You may need to adjust other parameters for your system environment.
+
+pid file = /var/run/rsyncd.pid
+uid = nobody
+gid = nobody
+
+[myname]
+ use chroot = no
+ read only = yes
+ transfer logging = yes
+ path = /some/where/publication
+ comment = RPKI Testbed
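Review bot: `use chroot = no` in the [myname] module switches off the filesystem containment rsyncd offers for a directory that is served to the public, and the header comment gives no reason; unless there is a known constraint (symlinks in the publication tree, daemon not started as root), the example should default to `use chroot = yes` and explain the trade-off in a comment, because this is the file operators will copy. The header also refers readers to a `publication_base` parameter in the [pubd] section, but myrpki.conf in this same commit spells the key `publication-base`; the cross-reference should match. `read only = yes` is the right choice for a publication point and should stay.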