diff options
Diffstat (limited to 'myrpki')
| -rw-r--r-- | myrpki/apnic-to-csv.py | 49 | ||||
| -rw-r--r-- | myrpki/arin-to-csv.py | 121 | ||||
| -rw-r--r-- | myrpki/convert-from-csv-to-entitydb.py | 233 | ||||
| -rw-r--r-- | myrpki/ripe-asns-to-csv.py | 106 | ||||
| -rw-r--r-- | myrpki/ripe-prefixes-to-csv.awk | 43 | ||||
| -rw-r--r-- | myrpki/test-myrpki-cms.py | 66 | ||||
| -rw-r--r-- | myrpki/testbed-rootcert.py | 65 | ||||
| -rw-r--r-- | myrpki/translate-handles.py | 49 | ||||
| -rwxr-xr-x | myrpki/verify-bpki.sh | 43 |
9 files changed, 0 insertions, 775 deletions
diff --git a/myrpki/apnic-to-csv.py b/myrpki/apnic-to-csv.py deleted file mode 100644 index 54e9137c..00000000 --- a/myrpki/apnic-to-csv.py +++ /dev/null @@ -1,49 +0,0 @@ -""" -Parse APNIC "Extended Allocation and Assignment" reports and write -out (just) the RPKI-relevant fields in myrpki-format CSV syntax. - -$Id$ - -Copyright (C) 2010 Internet Systems Consortium ("ISC") - -Permission to use, copy, modify, and distribute this software for any -purpose with or without fee is hereby granted, provided that the above -copyright notice and this permission notice appear in all copies. - -THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -PERFORMANCE OF THIS SOFTWARE. -""" - -import csv, myrpki, rpki.ipaddrs - -translations = dict((src, dst) for src, dst in myrpki.csv_reader("translations.csv", columns = 2)) - -asns = myrpki.csv_writer("asns.csv") -prefixes = myrpki.csv_writer("prefixes.csv") - -for line in open("delegated-apnic-extended-latest"): - - line = line.rstrip() - - if not line.startswith("apnic|") or line.endswith("|summary"): - continue - - registry, cc, rectype, start, value, date, status, opaque_id = line.split("|") - - assert registry == "apnic" - - opaque_id = translations.get(opaque_id, opaque_id) - - if rectype == "asn": - asns.writerow((opaque_id, "%s-%s" % (start, int(start) + int(value) - 1))) - - elif rectype == "ipv4": - prefixes.writerow((opaque_id, "%s-%s" % (start, rpki.ipaddrs.v4addr(rpki.ipaddrs.v4addr(start) + long(value) - 1)))) - - elif rectype == "ipv6": - prefixes.writerow((opaque_id, "%s/%s" % (start, value))) diff --git a/myrpki/arin-to-csv.py b/myrpki/arin-to-csv.py deleted file mode 100644 index 55e5762a..00000000 --- a/myrpki/arin-to-csv.py +++ /dev/null @@ -1,121 +0,0 @@ -""" -Parse a WHOIS research dump and write out (just) the RPKI-relevant -fields in myrpki-format CSV syntax. - -NB: The input data for this script comes from ARIN under an agreement -that allows research use but forbids redistribution, so if you think -you need a copy of the data, please talk to ARIN about it, not us. - -$Id$ - -Copyright (C) 2009 Internet Systems Consortium ("ISC") - -Permission to use, copy, modify, and distribute this software for any -purpose with or without fee is hereby granted, provided that the above -copyright notice and this permission notice appear in all copies. - -THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -PERFORMANCE OF THIS SOFTWARE. -""" - -import gzip, csv, myrpki - -class Handle(object): - - want_tags = () - - debug = False - - def set(self, tag, val): - if tag in self.want_tags: - setattr(self, tag, "".join(val.split(" "))) - - def check(self): - for tag in self.want_tags: - if not hasattr(self, tag): - return False - if self.debug: - print repr(self) - return True - -class ASHandle(Handle): - - want_tags = ("ASHandle", "ASNumber", "OrgID") - - def __repr__(self): - return "<%s %s.%s %s>" % (self.__class__.__name__, - self.OrgID, self.ASHandle, self.ASNumber) - - def finish(self, ctx): - if self.check(): - ctx.asns.writerow((ctx.translations.get(self.OrgID, self.OrgID), self.ASNumber)) - -class NetHandle(Handle): - - NetType = None - - want_tags = ("NetHandle", "NetRange", "NetType", "OrgID") - - def finish(self, ctx): - if self.NetType in ("allocation", "assignment") and self.check(): - ctx.prefixes.writerow((ctx.translations.get(self.OrgID, self.OrgID), self.NetRange)) - - def __repr__(self): - return "<%s %s.%s %s %s>" % (self.__class__.__name__, - self.OrgID, self.NetHandle, - self.NetType, self.NetRange) - -class V6NetHandle(NetHandle): - - want_tags = ("V6NetHandle", "NetRange", "NetType", "OrgID") - - def __repr__(self): - return "<%s %s.%s %s %s>" % (self.__class__.__name__, - ctx.translations.get(self.OrgID, self.OrgID), - self.V6NetHandle, self.NetType, self.NetRange) - -class main(object): - - types = { - "ASHandle" : ASHandle, - "NetHandle" : NetHandle, - "V6NetHandle" : V6NetHandle } - - translations = {} - - @staticmethod - def parseline(line): - tag, sep, val = line.partition(":") - assert sep, "Couldn't find separator in %r" % line - return tag.strip(), val.strip() - - def __init__(self): - self.asns = myrpki.csv_writer("asns.csv") - self.prefixes = myrpki.csv_writer("prefixes.csv") - try: - self.translations = dict((src, dst) for src, dst in myrpki.csv_reader("translations.csv", columns = 2)) - except IOError: - pass - f = gzip.open("arin_db.txt.gz") - cur = None - for line in f: - line = line.expandtabs().strip() - if not line: - if cur: - cur.finish(self) - cur = None - elif not line.startswith("#"): - tag, val = self.parseline(line) - if cur is None: - cur = self.types[tag]() if tag in self.types else False - if cur: - cur.set(tag, val) - if cur: - cur.finish(self) - -main() diff --git a/myrpki/convert-from-csv-to-entitydb.py b/myrpki/convert-from-csv-to-entitydb.py deleted file mode 100644 index 282d2e75..00000000 --- a/myrpki/convert-from-csv-to-entitydb.py +++ /dev/null @@ -1,233 +0,0 @@ -""" -Convert {parents,children,pubclients}.csv into new XML formats. - -$Id$ - -Copyright (C) 2010 Internet Systems Consortium ("ISC") - -Permission to use, copy, modify, and distribute this software for any -purpose with or without fee is hereby granted, provided that the above -copyright notice and this permission notice appear in all copies. - -THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -PERFORMANCE OF THIS SOFTWARE. -""" - -import subprocess, csv, re, os, getopt, sys, base64, urlparse -import rpki.sundial, myrpki, rpki.config - -from lxml.etree import Element, SubElement, ElementTree - -section_regexp = re.compile("\s*\[\s*(.+?)\s*\]\s*$") -variable_regexp = re.compile("\s*([-a-zA-Z0-9_]+)(\s*=\s*)(.+?)\s*$") - -cfg_file = "myrpki.conf" -template_file = os.path.join(os.path.dirname(sys.argv[0]), "examples", "myrpki.conf") -new_cfg_file = None -preserve_valid_until = False - -opts, argv = getopt.getopt(sys.argv[1:], "c:hn:pt:?", ["config=", "new_config=", "preserve_valid_until", "template_config=", "help"]) -for o, a in opts: - if o in ("-h", "--help", "-?"): - print __doc__ - sys.exit(0) - elif o in ("-c", "--config"): - cfg_file = a - elif o in ("-n", "--new_config"): - new_cfg_file = a - elif o in ("-p", "--preserve_valid_until"): - preserve_valid_until = True - elif o in ("-t", "--template_config"): - template_file = a -if argv: - raise RuntimeError, "Unexpected arguments %r" % (argv,) -if os.path.samefile(cfg_file, template_file): - raise RuntimeError, "Old config and template for new config can't be the same file" -if new_cfg_file is None: - new_cfg_file = cfg_file + ".new" -if os.path.exists(new_cfg_file): - raise RuntimeError, "%s already exists, NOT overwriting" % new_cfg_file - -cfg = rpki.config.parser(cfg_file) - -# These have no counterparts in new config file, just read them from old - -repository_bpki_certificate = cfg.get(option = "repository_bpki_certificate", section = "myrpki") -repository_handle = cfg.get(option = "repository_handle", section = "myrpki") -parents_csv = cfg.get(option = "parents_csv", section = "myrpki", default = "parents.csv") -children_csv = cfg.get(option = "children_csv", section = "myrpki", default = "children.csv") -pubclients_csv = cfg.get(option = "pubclients_csv", section = "myrpki", default = "pubclients.csv") -pubd_base = cfg.get(option = "pubd_base", section = "myirbe") - -# Here we need to construct values for the new config file from the -# old one. Basic model here is to look at whatever variables need to -# be set in the template (mostly just the [myrpki], I hope), pull -# necessary data from old config file any way we can. Stuff that -# didn't make the jump from old config file to new we can just ignore, -# stuff that is automated via macro expansions in the new config file -# should be ok without modification. - -r = {} - -if cfg.has_section("myrpki"): - for i in ("handle", "roa_csv", "prefix_csv", "asn_csv", "xml_filename"): - r["myrpki", i] = cfg.get(section = "myrpki", option = i) - r["myrpki", "bpki_resources_directory"] = cfg.get(option = "bpki_directory", section = "myrpki") - -if cfg.has_section("myirbe"): - r["myrpki", "bpki_servers_directory"] = cfg.get(option = "bpki_directory", section = "myirbe") - r["myrpki", "run_rpkid"] = True - r["myrpki", "run_pubd"] = cfg.getboolean(option = "want_pubd", section = "myirbe", default = False) - r["myrpki", "run_rootd"] = cfg.getboolean(option = "want_rootd", section = "myirbe", default = False) -else: - for i in ("run_rpkid", "run_pubd", "run_rootd"): - r["myrpki", i] = False - -if cfg.has_section("rpkid"): - r["myrpki", "rpkid_server_host"] = cfg.get(option = "server-host", section = "rpkid") - r["myrpki", "rpkid_server_port"] = cfg.get(option = "server-port", section = "rpkid") - -if cfg.has_section("irdbd"): - u = urlparse.urlparse(cfg.get(option = "https-url", section = "irdbd")) - r["myrpki", "irdbd_server_host"] = u.hostname or "localhost" - r["myrpki", "irdbd_server_port"] = u.port or 443 - -if cfg.has_section("pubd"): - r["myrpki", "pubd_server_host"] = cfg.get(option = "server-host", section = "pubd") - r["myrpki", "pubd_server_port"] = cfg.get(option = "server-port", section = "pubd") - r["myrpki", "publication_base_directory"] = cfg.get(option = "publication-base", section = "pubd") - -if cfg.has_section("rootd"): - r["myrpki", "rootd_server_port"] = cfg.get(option = "server-port", section = "rootd") - u = urlparse.urlparse(cfg.get(option = "rpki-base-uri", section = "rootd")) - r["myrpki", "publication_rsync_server"] = u.netloc - -for i in ("rpkid", "irdbd", "pubd"): - if cfg.has_section(i): - for j in ("sql-database", "sql-username", "sql-password"): - r[i, j] = cfg.get(section = i, option = j) - -f = open(new_cfg_file, "w") -f.write("# Automatically converted from %s using %s as a template.\n\n" % (cfg_file, template_file)) -section = None -for line in open(template_file): - m = section_regexp.match(line) - if m: - section = m.group(1) - m = variable_regexp.match(line) - if m: - option, whitespace = m.group(1, 2) - else: - option = None - if (section, option) in r: - line = "%s%s%s\n" % (option, whitespace, r[section, option]) - f.write(line) -f.close() -print "Wrote", new_cfg_file - -# Get all of these from the new config file; in theory we just set all -# of them, but we want to use values matching new config in any case. - -newcfg = rpki.config.parser(new_cfg_file, "myrpki") - -handle = newcfg.get("handle") -bpki_resources_directory = newcfg.get("bpki_resources_directory") -bpki_servers_directory = newcfg.get("bpki_servers_directory") -pubd_server_host = newcfg.get("pubd_server_host") -pubd_server_port = newcfg.get("pubd_server_port") -rpkid_server_host = newcfg.get("rpkid_server_host") -rpkid_server_port = newcfg.get("rpkid_server_port") -entitydb_dir = newcfg.get("entitydb_dir", "entitydb") - -bpki_resources_pemfile = bpki_resources_directory + "/ca.cer" -bpki_servers_pemfile = bpki_servers_directory + "/ca.cer" - -def entitydb(*args): - return os.path.join(entitydb_dir, *args) - -# Now convert the .csv files. It'd be nice to have XML validation -# enabled for this, so try to turn it on ourselves if the magic -# environment variable hasn't already been set. - -rng_file = os.path.join(os.path.dirname(sys.argv[0]), "myrpki.rng") -if not os.getenv("MYRPKI_RNG") and os.path.exists(rng_file): - os.putenv("MYRPKI_RNG", rng_file) - -for d in map(entitydb, ("children", "parents", "repositories", "pubclients")): - if not os.path.exists(d): - os.makedirs(d) - -one_year_from_now = str(rpki.sundial.now() + rpki.sundial.timedelta(days = 365)) - -if os.path.exists(children_csv): - for child_handle, valid_until, child_resource_pemfile in myrpki.csv_reader(children_csv, columns = 3): - try: - - e = Element("parent", - valid_until = valid_until if preserve_valid_until else one_year_from_now, - service_uri = "https://%s:%s/up-down/%s/%s" % (rpkid_server_host, rpkid_server_port, handle, child_handle), - child_handle = child_handle, - parent_handle = handle) - myrpki.PEMElement(e, "bpki_resource_ta", bpki_resources_pemfile) - myrpki.PEMElement(e, "bpki_server_ta", bpki_servers_pemfile) - myrpki.PEMElement(e, "bpki_child_ta", child_resource_pemfile) - myrpki.etree_write(e, entitydb("children", "%s.xml" % child_handle)) - - except IOError: - pass - -if os.path.exists(parents_csv): - for parent_handle, parent_service_uri, parent_cms_pemfile, parent_https_pemfile, parent_myhandle, parent_sia_base in myrpki.csv_reader(parents_csv, columns = 6): - try: - - e = Element("parent", - valid_until = one_year_from_now, - service_uri = parent_service_uri, - child_handle = parent_myhandle, - parent_handle = parent_handle) - myrpki.PEMElement(e, "bpki_resource_ta", parent_cms_pemfile) - myrpki.PEMElement(e, "bpki_server_ta", parent_https_pemfile) - myrpki.PEMElement(e, "bpki_child_ta", bpki_resources_pemfile) - myrpki.etree_write(e, entitydb("parents", "%s.xml" % parent_handle)) - - client_handle = "/".join(parent_sia_base.rstrip("/").split("/")[3:]) - assert client_handle.startswith(repository_handle) - - e = Element("repository", - parent_handle = parent_handle, - client_handle = client_handle, - service_uri = "%s/client/%s" % (pubd_base.rstrip("/"), client_handle), - sia_base = parent_sia_base, - type = "confirmed") - myrpki.PEMElement(e, "bpki_server_ta", repository_bpki_certificate) - myrpki.PEMElement(e, "bpki_client_ta", bpki_resources_pemfile) - SubElement(e, "contact_info").text = "Automatically generated by convert-csv.py" - myrpki.etree_write(e, entitydb("repositories", "%s.xml" % parent_handle)) - - except IOError: - pass - -if os.path.exists(pubclients_csv): - for client_handle, client_resource_pemfile, client_sia_base in myrpki.csv_reader(pubclients_csv, columns = 3): - try: - - parent_handle = client_handle.split("/")[-2] if "/" in client_handle else handle - - e = Element("repository", - parent_handle = parent_handle, - client_handle = client_handle, - service_uri = "https://%s:%s/client/%s" % (pubd_server_host, pubd_server_port, client_handle), - sia_base = client_sia_base, - type = "confirmed") - myrpki.PEMElement(e, "bpki_server_ta", bpki_servers_pemfile) - myrpki.PEMElement(e, "bpki_client_ta", client_resource_pemfile) - SubElement(e, "contact_info").text = "Automatically generated by convert-csv.py" - myrpki.etree_write(e, entitydb("pubclients", "%s.xml" % client_handle.replace("/", "."))) - - except IOError: - pass diff --git a/myrpki/ripe-asns-to-csv.py b/myrpki/ripe-asns-to-csv.py deleted file mode 100644 index 04a92627..00000000 --- a/myrpki/ripe-asns-to-csv.py +++ /dev/null @@ -1,106 +0,0 @@ -""" -Parse a WHOIS research dump and write out (just) the RPKI-relevant -fields in myrpki-format CSV syntax. - -NB: The input data for this script is publicly available via FTP, but -you'll have to fetch the data from RIPE yourself, and be sure to see -the terms and conditions referenced by the data file header comments. - -$Id$ - -Copyright (C) 2009 Internet Systems Consortium ("ISC") - -Permission to use, copy, modify, and distribute this software for any -purpose with or without fee is hereby granted, provided that the above -copyright notice and this permission notice appear in all copies. - -THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -PERFORMANCE OF THIS SOFTWARE. -""" - -import gzip, csv, myrpki - -class Handle(dict): - - want_tags = () - - debug = False - - def set(self, tag, val): - if tag in self.want_tags: - self[tag] = "".join(val.split(" ")) - - def check(self): - for tag in self.want_tags: - if not tag in self: - return False - if self.debug: - self.log() - return True - - def __repr__(self): - return "<%s %s>" % (self.__class__.__name__, - " ".join("%s:%s" % (tag, self.get(tag, "?")) - for tag in self.want_tags)) - - def log(self): - print repr(self) - - def finish(self, ctx): - self.check() - -class aut_num(Handle): - want_tags = ("aut-num", "mnt-by", "as-name") - - def set(self, tag, val): - if tag == "aut-num" and val.startswith("AS"): - val = val[2:] - Handle.set(self, tag, val) - - def finish(self, ctx): - if self.check(): - ctx.asns.writerow((self["mnt-by"], self["aut-num"])) - -class main(object): - - types = dict((x.want_tags[0], x) for x in (aut_num,)) - - - def finish_statement(self, done): - if self.statement: - tag, sep, val = self.statement.partition(":") - assert sep, "Couldn't find separator in %r" % self.statement - tag = tag.strip().lower() - val = val.strip().upper() - if self.cur is None: - self.cur = self.types[tag]() if tag in self.types else False - if self.cur is not False: - self.cur.set(tag, val) - if done and self.cur: - self.cur.finish(self) - self.cur = None - - filenames = ("ripe.db.aut-num.gz",) - - def __init__(self): - self.asns = myrpki.csv_writer("asns.csv") - for fn in self.filenames: - f = gzip.open(fn) - self.statement = "" - self.cur = None - for line in f: - line = line.expandtabs().partition("#")[0].rstrip("\n") - if line and not line[0].isalpha(): - self.statement += line[1:] if line[0] == "+" else line - else: - self.finish_statement(not line) - self.statement = line - self.finish_statement(True) - f.close() - -main() diff --git a/myrpki/ripe-prefixes-to-csv.awk b/myrpki/ripe-prefixes-to-csv.awk deleted file mode 100644 index 582d5ce7..00000000 --- a/myrpki/ripe-prefixes-to-csv.awk +++ /dev/null @@ -1,43 +0,0 @@ -#!/usr/bin/awk -f -# $Id$ - -# ftp -pa ftp://ftp.ripe.net/pub/stats/ripencc/membership/alloclist.txt - -BEGIN { - translation["ie.google"] = "GoogleIreland"; -} - -function done() { - if (handle in translation) - handle = translation[handle]; - for (i = 1; i <= n_allocs; i++) - print handle "\t" alloc[i]; - n_allocs = 0; -} - -/^[a-z]/ { - done(); - handle = $0; - nr = NR; -} - -NR == nr + 1 { - name = $0; -} - -NR > nr + 2 && NF > 1 && $2 !~ /:/ { - split($2, a, "/"); - len = a[2]; - split(a[1], a, /[.]/); - for (i = length(a); i < 4; i++) - a[i+1] = 0; - alloc[++n_allocs] = sprintf("%d.%d.%d.%d/%d", a[1], a[2], a[3], a[4], len); -} - -NR > nr + 2 && NF > 1 && $2 ~ /:/ { - alloc[++n_allocs] = $2; -} - -END { - done(); -} diff --git a/myrpki/test-myrpki-cms.py b/myrpki/test-myrpki-cms.py deleted file mode 100644 index 29bea39c..00000000 --- a/myrpki/test-myrpki-cms.py +++ /dev/null @@ -1,66 +0,0 @@ -""" -Scratch pad for working out what CMS referral code looks like. - -This is only in subversion for archival and backup, I don't expect -users to run this, and will delete it in the near future. - - -$Id$ - -Copyright (C) 2010 Internet Systems Consortium ("ISC") - -Permission to use, copy, modify, and distribute this software for any -purpose with or without fee is hereby granted, provided that the above -copyright notice and this permission notice appear in all copies. - -THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -PERFORMANCE OF THIS SOFTWARE. -""" - -import subprocess, os, sys, myrpki - -original_xml = '''\ -<publication_referral xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" - sia_base=rsync://repository.example/path/to/me/space-i-give-to-my-child"> - Base64 encoded BPKI TA of resource holding aspect of my child xxx blah blah blah blah xxx -</publication_referral> -''' - -f = open("original.xml", "w") -f.write(original_xml) -f.close() - -myrpki.openssl = "/u/sra/rpki/subvert-rpki.hactrn.net/openssl/openssl/apps/openssl" -os.putenv("OPENSSL_CONF", "/dev/null") - -bpki = myrpki.CA("test/Alice/myrpki.conf", "test/Alice/bpki/resources") -bpki.ee("/CN=Alice Signed Referral CMS Test EE Certificate", "CMSEE") - -# "id-ct-xml" from rpki.oids -oid = ".".join(map(str, (1, 2, 840, 113549, 1, 9, 16, 1, 28))) - -format = "DER" # PEM or DER - -subprocess.check_call((myrpki.openssl, "cms", "-sign", - "-binary", "-nodetach", "-nosmimecap", "-keyid", "-outform", format, - "-econtent_type", oid, "-md", "sha256", - "-inkey", "test/Alice/bpki/resources/CMSEE.key", - "-signer", "test/Alice/bpki/resources/CMSEE.cer", - "-in", "original.xml", - "-out", "original.%s" % format.lower())) - -if format == "DER": - subprocess.call(("dumpasn1", "-a", "original.cms")) - -# verifying may not be necessary here, that might be pubd's job. or -# at least we can make it the job of the code formerly known as irdbd, -# where we have full libraries available to us. but blunder ahead... - -subprocess.check_call((myrpki.openssl, "cms", "-verify", "-inform", format, - "-CAfile", "test/Alice/bpki/resources/ca.cer", - "-in", "original.%s" % format.lower())) diff --git a/myrpki/testbed-rootcert.py b/myrpki/testbed-rootcert.py deleted file mode 100644 index 54d1480c..00000000 --- a/myrpki/testbed-rootcert.py +++ /dev/null @@ -1,65 +0,0 @@ -""" -Generate config for a test RPKI root certificate for resources -specified in asns.csv and prefixes.csv. - -This script is separate from arin-to-csv.py so that we can convert on -the fly rather than having to pull the entire database into memory. - -$Id$ - -Copyright (C) 2009-2010 Internet Systems Consortium ("ISC") - -Permission to use, copy, modify, and distribute this software for any -purpose with or without fee is hereby granted, provided that the above -copyright notice and this permission notice appear in all copies. - -THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -PERFORMANCE OF THIS SOFTWARE. -""" - -import csv, myrpki, sys - -if len(sys.argv) != 2: - raise RuntimeError, "Usage: %s [holder]" % sys.argv[0] - -print '''\ -[req] -default_bits = 2048 -default_md = sha256 -distinguished_name = req_dn -prompt = no -encrypt_key = no - -[req_dn] -CN = Pseudo-%(HOLDER)s testbed root RPKI certificate - -[x509v3_extensions] -basicConstraints = critical,CA:true -subjectKeyIdentifier = hash -keyUsage = critical,keyCertSign,cRLSign -subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://%(holder)s.rpki.net/rpki/%(holder)s/,1.3.6.1.5.5.7.48.10;URI:rsync://%(holder)s.rpki.net/rpki/%(holder)s/root.mnf -certificatePolicies = critical,1.3.6.1.5.5.7.14.2 -sbgp-autonomousSysNum = critical,@rfc3779_asns -sbgp-ipAddrBlock = critical,@rfc3997_addrs - -[rfc3779_asns] -''' % { "holder" : sys.argv[1].lower(), - "HOLDER" : sys.argv[1].upper() } - -for i, asn in enumerate(asn for handle, asn in myrpki.csv_reader("asns.csv", columns = 2)): - print "AS.%d = %s" % (i, asn) - -print '''\ - -[rfc3997_addrs] - -''' - -for i, prefix in enumerate(prefix for handle, prefix in myrpki.csv_reader("prefixes.csv", columns = 2)): - v = 6 if ":" in prefix else 4 - print "IPv%d.%d = %s" % (v, i, prefix) diff --git a/myrpki/translate-handles.py b/myrpki/translate-handles.py deleted file mode 100644 index 308b878e..00000000 --- a/myrpki/translate-handles.py +++ /dev/null @@ -1,49 +0,0 @@ -""" -Translate handles from the ones provided in a database dump into the -ones we use in our testbed. This has been broken out into a separate -program for two reasons: - -- Conversion of some of the RIR data is a very slow process, and it's - both annoying and unnecessary to run it every time we add a new - participant to the testbed. - -- This handle translation business now has fingers into half a dozen - scripts, so it needs refactoring in any case, either as a common - library function or as a separate script. - -This program takes a list of .CSV files on its command line, and -rewrites them as needed after performing the translation. - -$Id$ - -Copyright (C) 2010 Internet Systems Consortium ("ISC") - -Permission to use, copy, modify, and distribute this software for any -purpose with or without fee is hereby granted, provided that the above -copyright notice and this permission notice appear in all copies. - -THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -PERFORMANCE OF THIS SOFTWARE. -""" - -import os, sys, myrpki - -translations = dict((src, dst) for src, dst in myrpki.csv_reader("translations.csv", columns = 2)) - -for filename in sys.argv[1:]: - - tmpfile = "%s.%d" % os.getpid() - csvout = myrpki.csv_writer(tmpfile) - - for cols in myrpki.csv_reader(filename): - if cols[0] in translations: - cols[0] = translations[cols[0]] - csvout(cols) - - del csvout - os.rename(tmpfile, filename) diff --git a/myrpki/verify-bpki.sh b/myrpki/verify-bpki.sh deleted file mode 100755 index 0e36d796..00000000 --- a/myrpki/verify-bpki.sh +++ /dev/null @@ -1,43 +0,0 @@ -#!/bin/sh - -# $Id$ -# -# Copyright (C) 2009-2010 Internet Systems Consortium ("ISC") -# -# Permission to use, copy, modify, and distribute this software for any -# purpose with or without fee is hereby granted, provided that the above -# copyright notice and this permission notice appear in all copies. -# -# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -# PERFORMANCE OF THIS SOFTWARE. - -# Tests of generated BPKI certificates. Kind of cheesy, but does test -# the basic stuff. - -exec 2>&1 - -for bpki in bpki/* -do - crls=$(find $bpki -name '*.crl') - - # Check that CRLs verify properly - for crl in $crls - do - echo -n "$crl: " - openssl crl -CAfile $bpki/ca.cer -noout -in $crl - done - - # Check that issued certificates verify properly - cat $bpki/ca.cer $crls | openssl verify -crl_check -CAfile /dev/stdin $(find $bpki -name '*.cer' ! -name 'ca.cer' ! -name '*.cacert.cer') - -done - -# Check that cross-certified BSC certificates verify properly -if test -d bpki/servers -then - cat bpki/servers/xcert.*.cer | openssl verify -verbose -CAfile bpki/servers/ca.cer -untrusted /dev/stdin bpki/resources/bsc.*.cer -fi |