Diffstat (limited to 'rpkid')
-rw-r--r--rpkid/Makefile57
l---------rpkid/POW1
-rw-r--r--rpkid/README466
-rw-r--r--rpkid/apnic-poke-1.sh112
-rw-r--r--rpkid/apnic-poke-1.yaml28
-rw-r--r--rpkid/apnic-poke-2.sh123
-rw-r--r--rpkid/apnic-poke-2.yaml74
-rw-r--r--rpkid/biz-certs-setup.sh81
l---------rpkid/biz-certs/08fd5b15.01
l---------rpkid/biz-certs/0cb21e6a.01
l---------rpkid/biz-certs/33b6d09e.01
l---------rpkid/biz-certs/5210f268.01
l---------rpkid/biz-certs/5ebf1062.01
l---------rpkid/biz-certs/60ac264c.01
l---------rpkid/biz-certs/623ab26c.01
l---------rpkid/biz-certs/6878697a.01
l---------rpkid/biz-certs/71288ec9.01
l---------rpkid/biz-certs/7449ce31.01
l---------rpkid/biz-certs/7562977b.01
l---------rpkid/biz-certs/80e4ab61.01
l---------rpkid/biz-certs/826d8d65.01
l---------rpkid/biz-certs/9844d0ad.01
l---------rpkid/biz-certs/9970e247.01
-rw-r--r--rpkid/biz-certs/Alice-CA.cer19
-rw-r--r--rpkid/biz-certs/Alice-CA.cnf15
-rw-r--r--rpkid/biz-certs/Alice-CA.key27
-rw-r--r--rpkid/biz-certs/Alice-CA.req15
-rw-r--r--rpkid/biz-certs/Alice-CA.srl1
-rw-r--r--rpkid/biz-certs/Alice-EE.cer19
-rw-r--r--rpkid/biz-certs/Alice-EE.cnf15
-rw-r--r--rpkid/biz-certs/Alice-EE.key27
-rw-r--r--rpkid/biz-certs/Alice-EE.req15
-rw-r--r--rpkid/biz-certs/Alice-Root.cer19
-rw-r--r--rpkid/biz-certs/Alice-Root.cnf15
-rw-r--r--rpkid/biz-certs/Alice-Root.key27
-rw-r--r--rpkid/biz-certs/Alice-Root.req15
-rw-r--r--rpkid/biz-certs/Alice-Root.srl1
-rw-r--r--rpkid/biz-certs/Bob-CA.cer19
-rw-r--r--rpkid/biz-certs/Bob-CA.cnf15
-rw-r--r--rpkid/biz-certs/Bob-CA.key27
-rw-r--r--rpkid/biz-certs/Bob-CA.req15
-rw-r--r--rpkid/biz-certs/Bob-CA.srl1
-rw-r--r--rpkid/biz-certs/Bob-EE.cer19
-rw-r--r--rpkid/biz-certs/Bob-EE.cnf15
-rw-r--r--rpkid/biz-certs/Bob-EE.key27
-rw-r--r--rpkid/biz-certs/Bob-EE.req15
-rw-r--r--rpkid/biz-certs/Bob-Root.cer19
-rw-r--r--rpkid/biz-certs/Bob-Root.cnf15
-rw-r--r--rpkid/biz-certs/Bob-Root.key27
-rw-r--r--rpkid/biz-certs/Bob-Root.req15
-rw-r--r--rpkid/biz-certs/Bob-Root.srl1
-rw-r--r--rpkid/biz-certs/Carol-CA.cer19
-rw-r--r--rpkid/biz-certs/Carol-CA.cnf15
-rw-r--r--rpkid/biz-certs/Carol-CA.key27
-rw-r--r--rpkid/biz-certs/Carol-CA.req15
-rw-r--r--rpkid/biz-certs/Carol-CA.srl1
-rw-r--r--rpkid/biz-certs/Carol-EE.cer19
-rw-r--r--rpkid/biz-certs/Carol-EE.cnf15
-rw-r--r--rpkid/biz-certs/Carol-EE.key27
-rw-r--r--rpkid/biz-certs/Carol-EE.req15
-rw-r--r--rpkid/biz-certs/Carol-Root.cer19
-rw-r--r--rpkid/biz-certs/Carol-Root.cnf15
-rw-r--r--rpkid/biz-certs/Carol-Root.key27
-rw-r--r--rpkid/biz-certs/Carol-Root.req15
-rw-r--r--rpkid/biz-certs/Carol-Root.srl1
-rw-r--r--rpkid/biz-certs/Dave-CA.cer19
-rw-r--r--rpkid/biz-certs/Dave-CA.cnf15
-rw-r--r--rpkid/biz-certs/Dave-CA.key27
-rw-r--r--rpkid/biz-certs/Dave-CA.req15
-rw-r--r--rpkid/biz-certs/Dave-CA.srl1
-rw-r--r--rpkid/biz-certs/Dave-EE.cer19
-rw-r--r--rpkid/biz-certs/Dave-EE.cnf15
-rw-r--r--rpkid/biz-certs/Dave-EE.key27
-rw-r--r--rpkid/biz-certs/Dave-EE.req15
-rw-r--r--rpkid/biz-certs/Dave-Root.cer19
-rw-r--r--rpkid/biz-certs/Dave-Root.cnf15
-rw-r--r--rpkid/biz-certs/Dave-Root.key27
-rw-r--r--rpkid/biz-certs/Dave-Root.req15
-rw-r--r--rpkid/biz-certs/Dave-Root.srl1
-rw-r--r--rpkid/biz-certs/Elena-CA.cer19
-rw-r--r--rpkid/biz-certs/Elena-CA.cnf15
-rw-r--r--rpkid/biz-certs/Elena-CA.key27
-rw-r--r--rpkid/biz-certs/Elena-CA.req15
-rw-r--r--rpkid/biz-certs/Elena-CA.srl1
-rw-r--r--rpkid/biz-certs/Elena-EE.cer19
-rw-r--r--rpkid/biz-certs/Elena-EE.cnf15
-rw-r--r--rpkid/biz-certs/Elena-EE.key27
-rw-r--r--rpkid/biz-certs/Elena-EE.req15
-rw-r--r--rpkid/biz-certs/Elena-Root.cer19
-rw-r--r--rpkid/biz-certs/Elena-Root.cnf15
-rw-r--r--rpkid/biz-certs/Elena-Root.key27
-rw-r--r--rpkid/biz-certs/Elena-Root.req15
-rw-r--r--rpkid/biz-certs/Elena-Root.srl1
-rw-r--r--rpkid/biz-certs/Frank-CA.cer19
-rw-r--r--rpkid/biz-certs/Frank-CA.cnf15
-rw-r--r--rpkid/biz-certs/Frank-CA.key27
-rw-r--r--rpkid/biz-certs/Frank-CA.req15
-rw-r--r--rpkid/biz-certs/Frank-CA.srl1
-rw-r--r--rpkid/biz-certs/Frank-EE.cer19
-rw-r--r--rpkid/biz-certs/Frank-EE.cnf15
-rw-r--r--rpkid/biz-certs/Frank-EE.key27
-rw-r--r--rpkid/biz-certs/Frank-EE.req15
-rw-r--r--rpkid/biz-certs/Frank-Root.cer19
-rw-r--r--rpkid/biz-certs/Frank-Root.cnf15
-rw-r--r--rpkid/biz-certs/Frank-Root.key27
-rw-r--r--rpkid/biz-certs/Frank-Root.req15
-rw-r--r--rpkid/biz-certs/Frank-Root.srl1
-rw-r--r--rpkid/biz-certs/Ginny-CA.cer19
-rw-r--r--rpkid/biz-certs/Ginny-CA.cnf15
-rw-r--r--rpkid/biz-certs/Ginny-CA.key27
-rw-r--r--rpkid/biz-certs/Ginny-CA.req15
-rw-r--r--rpkid/biz-certs/Ginny-CA.srl1
-rw-r--r--rpkid/biz-certs/Ginny-EE.cer19
-rw-r--r--rpkid/biz-certs/Ginny-EE.cnf15
-rw-r--r--rpkid/biz-certs/Ginny-EE.key27
-rw-r--r--rpkid/biz-certs/Ginny-EE.req15
-rw-r--r--rpkid/biz-certs/Ginny-Root.cer19
-rw-r--r--rpkid/biz-certs/Ginny-Root.cnf15
-rw-r--r--rpkid/biz-certs/Ginny-Root.key27
-rw-r--r--rpkid/biz-certs/Ginny-Root.req15
-rw-r--r--rpkid/biz-certs/Ginny-Root.srl1
-rw-r--r--rpkid/biz-certs/Harry-CA.cer19
-rw-r--r--rpkid/biz-certs/Harry-CA.cnf15
-rw-r--r--rpkid/biz-certs/Harry-CA.key27
-rw-r--r--rpkid/biz-certs/Harry-CA.req15
-rw-r--r--rpkid/biz-certs/Harry-CA.srl1
-rw-r--r--rpkid/biz-certs/Harry-EE.cer19
-rw-r--r--rpkid/biz-certs/Harry-EE.cnf15
-rw-r--r--rpkid/biz-certs/Harry-EE.key27
-rw-r--r--rpkid/biz-certs/Harry-EE.req15
-rw-r--r--rpkid/biz-certs/Harry-Root.cer19
-rw-r--r--rpkid/biz-certs/Harry-Root.cnf15
-rw-r--r--rpkid/biz-certs/Harry-Root.key27
-rw-r--r--rpkid/biz-certs/Harry-Root.req15
-rw-r--r--rpkid/biz-certs/Harry-Root.srl1
l---------rpkid/biz-certs/a17ff8dd.01
l---------rpkid/biz-certs/b523b0af.01
l---------rpkid/biz-certs/c027faa7.01
l---------rpkid/biz-certs/cf3dacf7.01
l---------rpkid/biz-certs/d9bfc7a9.01
l---------rpkid/biz-certs/dfc82c8e.01
l---------rpkid/biz-certs/f97c9834.01
l---------rpkid/biz-certs/ff615a1f.01
l---------rpkid/biz-certs/ff8832dd.01
-rw-r--r--rpkid/cronjob.py47
-rwxr-xr-xrpkid/cronjob.sh44
-rwxr-xr-xrpkid/irbe-cli.py208
-rw-r--r--rpkid/irbe-setup.py125
-rw-r--r--rpkid/irbe-setup.sh32
-rwxr-xr-xrpkid/irdbd.py131
-rw-r--r--rpkid/left-right-protocol-samples.xsl37
-rw-r--r--rpkid/left-right-protocol-samples/pdu.001.xml8
-rw-r--r--rpkid/left-right-protocol-samples/pdu.002.xml5
-rw-r--r--rpkid/left-right-protocol-samples/pdu.003.xml7
-rw-r--r--rpkid/left-right-protocol-samples/pdu.004.xml5
-rw-r--r--rpkid/left-right-protocol-samples/pdu.005.xml5
-rw-r--r--rpkid/left-right-protocol-samples/pdu.006.xml9
-rw-r--r--rpkid/left-right-protocol-samples/pdu.007.xml5
-rw-r--r--rpkid/left-right-protocol-samples/pdu.008.xml14
-rw-r--r--rpkid/left-right-protocol-samples/pdu.009.xml5
-rw-r--r--rpkid/left-right-protocol-samples/pdu.010.xml5
-rw-r--r--rpkid/left-right-protocol-samples/pdu.011.xml25
-rw-r--r--rpkid/left-right-protocol-samples/pdu.012.xml7
-rw-r--r--rpkid/left-right-protocol-samples/pdu.013.xml25
-rw-r--r--rpkid/left-right-protocol-samples/pdu.014.xml5
-rw-r--r--rpkid/left-right-protocol-samples/pdu.015.xml5
-rw-r--r--rpkid/left-right-protocol-samples/pdu.016.xml53
-rw-r--r--rpkid/left-right-protocol-samples/pdu.017.xml5
-rw-r--r--rpkid/left-right-protocol-samples/pdu.018.xml53
-rw-r--r--rpkid/left-right-protocol-samples/pdu.019.xml5
-rw-r--r--rpkid/left-right-protocol-samples/pdu.020.xml5
-rw-r--r--rpkid/left-right-protocol-samples/pdu.021.xml44
-rw-r--r--rpkid/left-right-protocol-samples/pdu.022.xml5
-rw-r--r--rpkid/left-right-protocol-samples/pdu.023.xml44
-rw-r--r--rpkid/left-right-protocol-samples/pdu.024.xml5
-rw-r--r--rpkid/left-right-protocol-samples/pdu.025.xml5
-rw-r--r--rpkid/left-right-protocol-samples/pdu.026.xml44
-rw-r--r--rpkid/left-right-protocol-samples/pdu.027.xml5
-rw-r--r--rpkid/left-right-protocol-samples/pdu.028.xml44
-rw-r--r--rpkid/left-right-protocol-samples/pdu.029.xml5
-rw-r--r--rpkid/left-right-protocol-samples/pdu.030.xml5
-rw-r--r--rpkid/left-right-protocol-samples/pdu.031.xml25
-rw-r--r--rpkid/left-right-protocol-samples/pdu.032.xml5
-rw-r--r--rpkid/left-right-protocol-samples/pdu.033.xml25
-rw-r--r--rpkid/left-right-protocol-samples/pdu.034.xml5
-rw-r--r--rpkid/left-right-protocol-samples/pdu.035.xml5
-rw-r--r--rpkid/left-right-protocol-samples/pdu.036.xml25
-rw-r--r--rpkid/left-right-protocol-samples/pdu.037.xml5
-rw-r--r--rpkid/left-right-protocol-samples/pdu.038.xml25
-rw-r--r--rpkid/left-right-protocol-samples/pdu.039.xml5
-rw-r--r--rpkid/left-right-protocol-samples/pdu.040.xml5
-rw-r--r--rpkid/left-right-protocol-samples/pdu.041.xml44
-rw-r--r--rpkid/left-right-protocol-samples/pdu.042.xml5
-rw-r--r--rpkid/left-right-protocol-samples/pdu.043.xml44
-rw-r--r--rpkid/left-right-protocol-samples/pdu.044.xml5
-rw-r--r--rpkid/left-right-protocol-samples/pdu.045.xml5
-rw-r--r--rpkid/left-right-protocol-samples/pdu.046.xml44
-rw-r--r--rpkid/left-right-protocol-samples/pdu.047.xml5
-rw-r--r--rpkid/left-right-protocol-samples/pdu.048.xml44
-rw-r--r--rpkid/left-right-protocol-samples/pdu.049.xml5
-rw-r--r--rpkid/left-right-protocol-samples/pdu.050.xml5
-rw-r--r--rpkid/left-right-protocol-samples/pdu.051.xml5
-rw-r--r--rpkid/left-right-protocol-samples/pdu.052.xml5
-rw-r--r--rpkid/left-right-protocol-samples/pdu.053.xml5
-rw-r--r--rpkid/left-right-protocol-samples/pdu.054.xml5
-rw-r--r--rpkid/left-right-protocol-samples/pdu.055.xml5
-rw-r--r--rpkid/left-right-protocol-samples/pdu.056.xml5
-rw-r--r--rpkid/left-right-protocol-samples/pdu.057.xml5
-rw-r--r--rpkid/left-right-protocol-samples/pdu.058.xml5
-rw-r--r--rpkid/left-right-protocol-samples/pdu.059.xml5
-rw-r--r--rpkid/left-right-protocol-samples/pdu.060.xml5
-rw-r--r--rpkid/left-right-protocol-samples/pdu.061.xml5
-rw-r--r--rpkid/left-right-protocol-samples/pdu.062.xml5
-rw-r--r--rpkid/left-right-protocol-samples/pdu.063.xml5
-rw-r--r--rpkid/left-right-schema.rnc208
-rw-r--r--rpkid/left-right-schema.rng948
-rw-r--r--rpkid/make-relaxng.py27
-rw-r--r--rpkid/resource-cert-samples.py248
-rw-r--r--rpkid/resource-cert-samples/.stamp0
-rw-r--r--rpkid/resource-cert-samples/ISP1.cer93
-rw-r--r--rpkid/resource-cert-samples/ISP1.cnf64
-rw-r--r--rpkid/resource-cert-samples/ISP1.key27
-rw-r--r--rpkid/resource-cert-samples/ISP1.req21
-rw-r--r--rpkid/resource-cert-samples/ISP1/index0
-rw-r--r--rpkid/resource-cert-samples/ISP1/serial1
-rw-r--r--rpkid/resource-cert-samples/ISP2.cer88
-rw-r--r--rpkid/resource-cert-samples/ISP2.cnf64
-rw-r--r--rpkid/resource-cert-samples/ISP2.key27
-rw-r--r--rpkid/resource-cert-samples/ISP2.req21
-rw-r--r--rpkid/resource-cert-samples/ISP2/index0
-rw-r--r--rpkid/resource-cert-samples/ISP2/serial1
-rw-r--r--rpkid/resource-cert-samples/ISP3.cer89
-rw-r--r--rpkid/resource-cert-samples/ISP3.cnf64
-rw-r--r--rpkid/resource-cert-samples/ISP3.key27
-rw-r--r--rpkid/resource-cert-samples/ISP3.req21
-rw-r--r--rpkid/resource-cert-samples/ISP3/index0
-rw-r--r--rpkid/resource-cert-samples/ISP3/serial1
-rw-r--r--rpkid/resource-cert-samples/ISP4.cer93
-rw-r--r--rpkid/resource-cert-samples/ISP4.cnf64
-rw-r--r--rpkid/resource-cert-samples/ISP4.key27
-rw-r--r--rpkid/resource-cert-samples/ISP4.req21
-rw-r--r--rpkid/resource-cert-samples/ISP4/index0
-rw-r--r--rpkid/resource-cert-samples/ISP4/serial1
-rw-r--r--rpkid/resource-cert-samples/ISP5a.cer91
-rw-r--r--rpkid/resource-cert-samples/ISP5a.cnf64
-rw-r--r--rpkid/resource-cert-samples/ISP5a.key27
-rw-r--r--rpkid/resource-cert-samples/ISP5a.req21
-rw-r--r--rpkid/resource-cert-samples/ISP5a/index0
-rw-r--r--rpkid/resource-cert-samples/ISP5a/serial1
-rw-r--r--rpkid/resource-cert-samples/ISP5b.cer91
-rw-r--r--rpkid/resource-cert-samples/ISP5b.cnf64
-rw-r--r--rpkid/resource-cert-samples/ISP5b.key27
-rw-r--r--rpkid/resource-cert-samples/ISP5b.req21
-rw-r--r--rpkid/resource-cert-samples/ISP5b/index0
-rw-r--r--rpkid/resource-cert-samples/ISP5b/serial1
-rw-r--r--rpkid/resource-cert-samples/ISP5c.cer88
-rw-r--r--rpkid/resource-cert-samples/ISP5c.cnf64
-rw-r--r--rpkid/resource-cert-samples/ISP5c.key27
-rw-r--r--rpkid/resource-cert-samples/ISP5c.req21
-rw-r--r--rpkid/resource-cert-samples/ISP5c/index0
-rw-r--r--rpkid/resource-cert-samples/ISP5c/serial1
-rw-r--r--rpkid/resource-cert-samples/LIR1.cer94
-rw-r--r--rpkid/resource-cert-samples/LIR1.cnf64
-rw-r--r--rpkid/resource-cert-samples/LIR1.key27
-rw-r--r--rpkid/resource-cert-samples/LIR1.req22
-rw-r--r--rpkid/resource-cert-samples/LIR1/01.pem23
-rw-r--r--rpkid/resource-cert-samples/LIR1/02.pem23
-rw-r--r--rpkid/resource-cert-samples/LIR1/03.pem92
-rw-r--r--rpkid/resource-cert-samples/LIR1/04.pem96
-rw-r--r--rpkid/resource-cert-samples/LIR1/05.pem92
-rw-r--r--rpkid/resource-cert-samples/LIR1/06.pem96
-rw-r--r--rpkid/resource-cert-samples/LIR1/07.pem92
-rw-r--r--rpkid/resource-cert-samples/LIR1/08.pem96
-rw-r--r--rpkid/resource-cert-samples/LIR1/09.pem92
-rw-r--r--rpkid/resource-cert-samples/LIR1/0A.pem96
-rw-r--r--rpkid/resource-cert-samples/LIR1/0B.pem79
-rw-r--r--rpkid/resource-cert-samples/LIR1/0C.pem79
-rw-r--r--rpkid/resource-cert-samples/LIR1/0D.pem88
-rw-r--r--rpkid/resource-cert-samples/LIR1/0E.pem93
-rw-r--r--rpkid/resource-cert-samples/LIR1/0F.pem88
-rw-r--r--rpkid/resource-cert-samples/LIR1/10.pem93
-rw-r--r--rpkid/resource-cert-samples/LIR1/11.pem76
-rw-r--r--rpkid/resource-cert-samples/LIR1/12.pem76
-rw-r--r--rpkid/resource-cert-samples/LIR1/13.pem88
-rw-r--r--rpkid/resource-cert-samples/LIR1/14.pem93
-rw-r--r--rpkid/resource-cert-samples/LIR1/15.pem88
-rw-r--r--rpkid/resource-cert-samples/LIR1/16.pem93
-rw-r--r--rpkid/resource-cert-samples/LIR1/17.pem88
-rw-r--r--rpkid/resource-cert-samples/LIR1/18.pem93
-rw-r--r--rpkid/resource-cert-samples/LIR1/19.pem88
-rw-r--r--rpkid/resource-cert-samples/LIR1/1A.pem93
-rw-r--r--rpkid/resource-cert-samples/LIR1/index26
-rw-r--r--rpkid/resource-cert-samples/LIR1/index.attr1
-rw-r--r--rpkid/resource-cert-samples/LIR1/index.attr.old1
-rw-r--r--rpkid/resource-cert-samples/LIR1/index.old25
-rw-r--r--rpkid/resource-cert-samples/LIR1/serial1
-rw-r--r--rpkid/resource-cert-samples/LIR1/serial.old1
-rw-r--r--rpkid/resource-cert-samples/LIR2.cer95
-rw-r--r--rpkid/resource-cert-samples/LIR2.cnf64
-rw-r--r--rpkid/resource-cert-samples/LIR2.key27
-rw-r--r--rpkid/resource-cert-samples/LIR2.req22
-rw-r--r--rpkid/resource-cert-samples/LIR2/01.pem23
-rw-r--r--rpkid/resource-cert-samples/LIR2/02.pem23
-rw-r--r--rpkid/resource-cert-samples/LIR2/03.pem96
-rw-r--r--rpkid/resource-cert-samples/LIR2/04.pem92
-rw-r--r--rpkid/resource-cert-samples/LIR2/05.pem96
-rw-r--r--rpkid/resource-cert-samples/LIR2/06.pem92
-rw-r--r--rpkid/resource-cert-samples/LIR2/07.pem96
-rw-r--r--rpkid/resource-cert-samples/LIR2/08.pem92
-rw-r--r--rpkid/resource-cert-samples/LIR2/09.pem96
-rw-r--r--rpkid/resource-cert-samples/LIR2/0A.pem92
-rw-r--r--rpkid/resource-cert-samples/LIR2/0B.pem79
-rw-r--r--rpkid/resource-cert-samples/LIR2/0C.pem79
-rw-r--r--rpkid/resource-cert-samples/LIR2/0D.pem93
-rw-r--r--rpkid/resource-cert-samples/LIR2/0E.pem89
-rw-r--r--rpkid/resource-cert-samples/LIR2/0F.pem93
-rw-r--r--rpkid/resource-cert-samples/LIR2/10.pem89
-rw-r--r--rpkid/resource-cert-samples/LIR2/11.pem76
-rw-r--r--rpkid/resource-cert-samples/LIR2/12.pem76
-rw-r--r--rpkid/resource-cert-samples/LIR2/13.pem93
-rw-r--r--rpkid/resource-cert-samples/LIR2/14.pem89
-rw-r--r--rpkid/resource-cert-samples/LIR2/15.pem93
-rw-r--r--rpkid/resource-cert-samples/LIR2/16.pem89
-rw-r--r--rpkid/resource-cert-samples/LIR2/17.pem93
-rw-r--r--rpkid/resource-cert-samples/LIR2/18.pem89
-rw-r--r--rpkid/resource-cert-samples/LIR2/19.pem93
-rw-r--r--rpkid/resource-cert-samples/LIR2/1A.pem89
-rw-r--r--rpkid/resource-cert-samples/LIR2/index26
-rw-r--r--rpkid/resource-cert-samples/LIR2/index.attr1
-rw-r--r--rpkid/resource-cert-samples/LIR2/index.attr.old1
-rw-r--r--rpkid/resource-cert-samples/LIR2/index.old25
-rw-r--r--rpkid/resource-cert-samples/LIR2/serial1
-rw-r--r--rpkid/resource-cert-samples/LIR2/serial.old1
-rw-r--r--rpkid/resource-cert-samples/LIR3.cer98
-rw-r--r--rpkid/resource-cert-samples/LIR3.cnf64
-rw-r--r--rpkid/resource-cert-samples/LIR3.key27
-rw-r--r--rpkid/resource-cert-samples/LIR3.req22
-rw-r--r--rpkid/resource-cert-samples/LIR3/01.pem92
-rw-r--r--rpkid/resource-cert-samples/LIR3/02.pem94
-rw-r--r--rpkid/resource-cert-samples/LIR3/03.pem94
-rw-r--r--rpkid/resource-cert-samples/LIR3/04.pem79
-rw-r--r--rpkid/resource-cert-samples/LIR3/05.pem79
-rw-r--r--rpkid/resource-cert-samples/LIR3/06.pem79
-rw-r--r--rpkid/resource-cert-samples/LIR3/07.pem88
-rw-r--r--rpkid/resource-cert-samples/LIR3/08.pem91
-rw-r--r--rpkid/resource-cert-samples/LIR3/09.pem91
-rw-r--r--rpkid/resource-cert-samples/LIR3/0A.pem88
-rw-r--r--rpkid/resource-cert-samples/LIR3/0B.pem91
-rw-r--r--rpkid/resource-cert-samples/LIR3/0C.pem91
-rw-r--r--rpkid/resource-cert-samples/LIR3/0D.pem76
-rw-r--r--rpkid/resource-cert-samples/LIR3/0E.pem76
-rw-r--r--rpkid/resource-cert-samples/LIR3/0F.pem76
-rw-r--r--rpkid/resource-cert-samples/LIR3/10.pem88
-rw-r--r--rpkid/resource-cert-samples/LIR3/11.pem91
-rw-r--r--rpkid/resource-cert-samples/LIR3/12.pem91
-rw-r--r--rpkid/resource-cert-samples/LIR3/13.pem88
-rw-r--r--rpkid/resource-cert-samples/LIR3/14.pem91
-rw-r--r--rpkid/resource-cert-samples/LIR3/15.pem91
-rw-r--r--rpkid/resource-cert-samples/LIR3/16.pem88
-rw-r--r--rpkid/resource-cert-samples/LIR3/17.pem91
-rw-r--r--rpkid/resource-cert-samples/LIR3/18.pem91
-rw-r--r--rpkid/resource-cert-samples/LIR3/19.pem88
-rw-r--r--rpkid/resource-cert-samples/LIR3/1A.pem91
-rw-r--r--rpkid/resource-cert-samples/LIR3/1B.pem91
-rw-r--r--rpkid/resource-cert-samples/LIR3/index27
-rw-r--r--rpkid/resource-cert-samples/LIR3/index.attr1
-rw-r--r--rpkid/resource-cert-samples/LIR3/index.attr.old1
-rw-r--r--rpkid/resource-cert-samples/LIR3/index.old26
-rw-r--r--rpkid/resource-cert-samples/LIR3/serial1
-rw-r--r--rpkid/resource-cert-samples/LIR3/serial.old1
-rw-r--r--rpkid/resource-cert-samples/Makefile232
-rw-r--r--rpkid/resource-cert-samples/RIR.cer100
-rw-r--r--rpkid/resource-cert-samples/RIR.cnf64
-rw-r--r--rpkid/resource-cert-samples/RIR.key27
-rw-r--r--rpkid/resource-cert-samples/RIR.req23
-rw-r--r--rpkid/resource-cert-samples/RIR/01.pem24
-rw-r--r--rpkid/resource-cert-samples/RIR/02.pem24
-rw-r--r--rpkid/resource-cert-samples/RIR/03.pem24
-rw-r--r--rpkid/resource-cert-samples/RIR/04.pem99
-rw-r--r--rpkid/resource-cert-samples/RIR/05.pem98
-rw-r--r--rpkid/resource-cert-samples/RIR/06.pem98
-rw-r--r--rpkid/resource-cert-samples/RIR/07.pem99
-rw-r--r--rpkid/resource-cert-samples/RIR/08.pem98
-rw-r--r--rpkid/resource-cert-samples/RIR/09.pem98
-rw-r--r--rpkid/resource-cert-samples/RIR/0A.pem99
-rw-r--r--rpkid/resource-cert-samples/RIR/0B.pem98
-rw-r--r--rpkid/resource-cert-samples/RIR/0C.pem98
-rw-r--r--rpkid/resource-cert-samples/RIR/0D.pem104
-rw-r--r--rpkid/resource-cert-samples/RIR/0E.pem101
-rw-r--r--rpkid/resource-cert-samples/RIR/0F.pem98
-rw-r--r--rpkid/resource-cert-samples/RIR/10.pem98
-rw-r--r--rpkid/resource-cert-samples/RIR/11.pem100
-rw-r--r--rpkid/resource-cert-samples/RIR/12.pem100
-rw-r--r--rpkid/resource-cert-samples/RIR/13.pem79
-rw-r--r--rpkid/resource-cert-samples/RIR/14.pem79
-rw-r--r--rpkid/resource-cert-samples/RIR/15.pem79
-rw-r--r--rpkid/resource-cert-samples/RIR/16.pem79
-rw-r--r--rpkid/resource-cert-samples/RIR/17.pem100
-rw-r--r--rpkid/resource-cert-samples/RIR/18.pem98
-rw-r--r--rpkid/resource-cert-samples/RIR/19.pem95
-rw-r--r--rpkid/resource-cert-samples/RIR/1A.pem94
-rw-r--r--rpkid/resource-cert-samples/RIR/1B.pem100
-rw-r--r--rpkid/resource-cert-samples/RIR/1C.pem98
-rw-r--r--rpkid/resource-cert-samples/RIR/1D.pem95
-rw-r--r--rpkid/resource-cert-samples/RIR/1E.pem94
-rw-r--r--rpkid/resource-cert-samples/RIR/1F.pem76
-rw-r--r--rpkid/resource-cert-samples/RIR/20.pem76
-rw-r--r--rpkid/resource-cert-samples/RIR/21.pem76
-rw-r--r--rpkid/resource-cert-samples/RIR/22.pem76
-rw-r--r--rpkid/resource-cert-samples/RIR/23.pem100
-rw-r--r--rpkid/resource-cert-samples/RIR/24.pem98
-rw-r--r--rpkid/resource-cert-samples/RIR/25.pem95
-rw-r--r--rpkid/resource-cert-samples/RIR/26.pem94
-rw-r--r--rpkid/resource-cert-samples/RIR/27.pem100
-rw-r--r--rpkid/resource-cert-samples/RIR/28.pem98
-rw-r--r--rpkid/resource-cert-samples/RIR/29.pem95
-rw-r--r--rpkid/resource-cert-samples/RIR/2A.pem94
-rw-r--r--rpkid/resource-cert-samples/RIR/2B.pem100
-rw-r--r--rpkid/resource-cert-samples/RIR/2C.pem98
-rw-r--r--rpkid/resource-cert-samples/RIR/2D.pem95
-rw-r--r--rpkid/resource-cert-samples/RIR/2E.pem94
-rw-r--r--rpkid/resource-cert-samples/RIR/2F.pem100
-rw-r--r--rpkid/resource-cert-samples/RIR/30.pem98
-rw-r--r--rpkid/resource-cert-samples/RIR/31.pem95
-rw-r--r--rpkid/resource-cert-samples/RIR/32.pem94
-rw-r--r--rpkid/resource-cert-samples/RIR/index50
-rw-r--r--rpkid/resource-cert-samples/RIR/index.attr1
-rw-r--r--rpkid/resource-cert-samples/RIR/index.attr.old1
-rw-r--r--rpkid/resource-cert-samples/RIR/index.old49
-rw-r--r--rpkid/resource-cert-samples/RIR/serial1
-rw-r--r--rpkid/resource-cert-samples/RIR/serial.old1
-rw-r--r--rpkid/rootd.cer93
-rw-r--r--rpkid/rootd.cnf30
-rw-r--r--rpkid/rootd.key27
-rwxr-xr-xrpkid/rootd.py202
-rw-r--r--rpkid/rootd.sh143
-rw-r--r--rpkid/rootd.yaml24
-rw-r--r--rpkid/rpki/Doxyfile1269
-rw-r--r--rpkid/rpki/__init__.py42
-rw-r--r--rpkid/rpki/cms.py120
-rw-r--r--rpkid/rpki/config.py57
-rw-r--r--rpkid/rpki/exceptions.py86
-rw-r--r--rpkid/rpki/https.py146
-rw-r--r--rpkid/rpki/ipaddrs.py70
-rw-r--r--rpkid/rpki/left_right.py1002
-rw-r--r--rpkid/rpki/log.py54
-rw-r--r--rpkid/rpki/manifest.py53
-rw-r--r--rpkid/rpki/oids.py49
-rw-r--r--rpkid/rpki/pkcs10.py62
-rw-r--r--rpkid/rpki/relaxng.py1208
-rw-r--r--rpkid/rpki/resource_set.py528
-rw-r--r--rpkid/rpki/roa.py49
-rw-r--r--rpkid/rpki/sax_utils.py93
-rw-r--r--rpkid/rpki/sql.py801
-rw-r--r--rpkid/rpki/sundial.py147
-rw-r--r--rpkid/rpki/up_down.py518
-rw-r--r--rpkid/rpki/x509.py700
-rwxr-xr-xrpkid/rpkid.py137
-rw-r--r--rpkid/test-pow-tls.py59
-rw-r--r--rpkid/testbed.1.yaml47
-rw-r--r--rpkid/testbed.2.yaml92
-rw-r--r--rpkid/testbed.py941
-rw-r--r--rpkid/testbed.sql57
-rw-r--r--rpkid/testpoke.py139
-rw-r--r--rpkid/testpoke.sh8
-rw-r--r--rpkid/testpoke.yaml28
-rw-r--r--rpkid/up-down-protocol-samples/Makefile11
-rw-r--r--rpkid/up-down-protocol-samples/error_response.xml9
-rw-r--r--rpkid/up-down-protocol-samples/issue1.xml25
-rw-r--r--rpkid/up-down-protocol-samples/issue2.xml24
-rw-r--r--rpkid/up-down-protocol-samples/issue_response.xml116
-rw-r--r--rpkid/up-down-protocol-samples/list.xml6
-rw-r--r--rpkid/up-down-protocol-samples/list_response.xml169
-rw-r--r--rpkid/up-down-protocol-samples/revoke.xml9
-rw-r--r--rpkid/up-down-protocol-samples/revoke_response.xml9
-rw-r--r--rpkid/up-down-schema.rnc71
-rw-r--r--rpkid/up-down-schema.rng249
-rwxr-xr-xrpkid/xml-parse-test.py67
478 files changed, 29595 insertions, 0 deletions
diff --git a/rpkid/Makefile b/rpkid/Makefile
new file mode 100644
index 00000000..69f83f30
--- /dev/null
+++ b/rpkid/Makefile
@@ -0,0 +1,57 @@
+# $Id$
+
+all:: left-right-protocol-samples/.stamp
+
+left-right-protocol-samples/.stamp: left-right-protocol-samples.xsl ../docs/left-right-xml
+ xsltproc left-right-protocol-samples.xsl ../docs/left-right-xml
+ touch $@
+
+all:: left-right-schema.rng
+
+left-right-schema.rng: left-right-schema.rnc
+ trang left-right-schema.rnc left-right-schema.rng
+
+all:: up-down-schema.rng
+
+up-down-schema.rng: up-down-schema.rnc
+ trang up-down-schema.rnc up-down-schema.rng
+
+dont-run-trang:
+ touch *.rng
+
+relaxng: left-right-protocol-samples/.stamp left-right-schema.rng up-down-schema.rng
+ xmllint --noout --relaxng left-right-schema.rng left-right-protocol-samples/*.xml
+ xmllint --noout --relaxng up-down-schema.rng up-down-protocol-samples/*.xml
+
+# all:: resource-cert-samples-regen
+
+all-tests:: relaxng
+
+all-tests:: all ; python xml-parse-test.py
+
+resource-cert-samples-regen: resource-cert-samples/.stamp
+ cd resource-cert-samples && make
+
+resource-cert-samples/.stamp: generate-testrepo.py Makefile
+ python generate-testrepo.py
+ touch $@
+
+doxygen:
+ cd rpki && doxygen
+
+tags:
+ find . -type f -name '*.py' | etags -
+
+all:: rpki/relaxng.py
+
+rpki/relaxng.py: left-right-schema.rng up-down-schema.rng make-relaxng.py
+ python make-relaxng.py >$@.tmp
+ mv $@.tmp $@
+
+# all-tests:: all; sh -x rootd.sh run
+
+test all-tests:: all
+ python testbed.py -y testbed.1.yaml
+
+all-tests:: all
+ python testbed.py -y testbed.2.yaml
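Review bot: The `resource-cert-samples/.stamp` rule lists `generate-testrepo.py` as a prerequisite and runs it, but the diffstat for rpkid adds no file of that name; the only similarly named script is `resource-cert-samples.py`. Unless the script already exists outside this commit, `make resource-cert-samples-regen` will presumably stop with no rule to make that prerequisite. If the script was renamed, the rule should read `resource-cert-samples/.stamp: resource-cert-samples.py Makefile` with the recipe `python resource-cert-samples.py`. In the same target, `cd resource-cert-samples && make` is better written as `$(MAKE) -C resource-cert-samples` so flags and the jobserver reach the sub-make. The non-file targets (`dont-run-trang`, `relaxng`, `doxygen`, `tags`, `test`, `all-tests`) should be declared in a `.PHONY:` line so that a stray file with one of those names cannot silently suppress the schema validation or test runs.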
diff --git a/rpkid/POW b/rpkid/POW
new file mode 120000
index 00000000..43fccd7b
--- /dev/null
+++ b/rpkid/POW
@@ -0,0 +1 @@
+../pow/buildlib/POW
\ No newline at end of file
diff --git a/rpkid/README b/rpkid/README
new file mode 100644
index 00000000..3bb44561
--- /dev/null
+++ b/rpkid/README
@@ -0,0 +1,466 @@
+$Id$ -*- Text -*-
+
+Python RPKI production tools.
+
+Requires Python 2.5.
+
+External Python packages required:
+
+- lxml, which in turn requires the libxml2 C libraries.
+
+ http://codespeak.net/lxml/
+
+ FreeBSD: /usr/ports/devel/py-lxml
+
+- MySQLdb, which in turn requires MySQL client and server. I'm
+ testing with MySQL 5.1.
+
+ http://sourceforge.net/projects/mysql-python/
+
+ FreeBSD: /usr/ports/databases/py-MySQLdb
+
+- TLSLite, which pulls in other crypto packages.
+
+ http://trevp.net/tlslite/
+
+ FreeBSD: /usr/ports/security/py-tlslite
+
+- Cryptlib, at the moment just to support TLSlite but may end up using
+ it for other things later.
+
+ http://www.cs.auckland.ac.nz/~pgut001/cryptlib/
+
+ FreeBSD: /usr/ports/security/cryptlib
+
+ ...but the FreeBSD port doesn't (yet?) install the Python bindings,
+ sigh, so at the moment you have to do that by hand:
+
+ # cd /usr/ports/security/cryptlib
+ # make install
+ # cd work/bindings
+ # python setup.py install
+ # cd ../..
+ # make clean
+
+- Eventually I expect that this will require an event-handling package
+ like Twisted, but I'm not there yet.
+
+- The testpoke tool (up-down protocol command line test client) and
+ testbed tools also uses PyYAML.
+
+ http://pyyaml.org/
+
+ FreeBSD: /usr/ports/devel/py-yaml
+
+We also use a hacked copy of the Python OpenSSL Wrappers (POW)
+package, but our copy has enough modifications that it's expanded in
+the Subversion tree. Depending on how this all works out, I may end
+up splitting the POW.pkix module out of the POW package and using it
+with Cryptlib, as the POW.pkix package is 98% about doing ASN.1 in
+pure Python and only 2% about any kind of crypto.
+
+
+
+$Revision$
+
+TO DO:
+
+- Scripted tests to grow and shrink and revoke and .... See
+ testbed.*.yaml, but more systematic testing needed.
+
+ PRIORITY: Required
+
+ TIME REQUIRED: open-ended
+
+ STATUS: Ongoing
+
+- Randy's "user validation tool" (fetch and validate certs and
+ probably the ROA for a prefix I want to accept in a route filter I
+ am building in Python/Perl). This probably uses rcync's output as
+ one of its inputs.
+
+ This is a basic tool for a sysadmin who wants to -use- all this crud
+ we're working so hard to generate. It's not required for the
+ generation tools to work, but without it the entire toolset does
+ nothing obviously useful, which will make it a very hard sell during
+ the limited public test stage.
+
+ PRIORITY: Required
+
+ DEPENDS ON: ROA generation
+
+ TIME REQUIRED: three days
+
+ STATUS: Not started
+
+- Common protocol dump format with APNIC and other implementors so we
+ can read each other's dumps. "Obvious" format would be an
+ OpenSSL-style PEM of the CMS, with a "text" portion (the place where
+ "openssl x509 -text" would put a text dump of a cert) showing the
+ wrapped XML.
+
+ PRIORITY: Desirable
+
+ TIME REQUIRED: one day
+
+ STATUS: Not started
+
+- Clean unused cruft out of left-right protocol, or at least have
+ control booleans we don't intend to implement at present signal an
+ error if used.
+
+ Bottleneck here has been deciding what to punt and what to
+ implement. Removing unused booleans or raising errors when they're
+ used is trivial.
+
+ PRIORITY: Required
+
+ TIME REQUIRED: Less than one day
+
+ STATUS: Error signalling done
+
+- resource_set_notafter attribute added to RelaxNG but not yet to
+ rpki.up_down.class_elt. Need to convert to and from
+ rpki.sundial.datetime. This is an up-down protocol feature that was
+ added fairly late and that none of us properly implement yet, but
+ failing to handle it would be a spec violation and eventually cause
+ an interop problem.
+
+ PRIORITY: Required
+
+ TIME REQUIRED: Less than one day
+
+ STATUS: Done
+
+- Publication protocol and implementation thereof. Protocol design
+ started, Randy had comments that sent me back to the drawing board
+ (he was right). Next step is to integrate Randy's advice, which
+ probably means picking up more of the left-right protocol framework.
+
+ Desirable although not strictly required that protcol be agreed upon
+ among the RIRs. Might not be practical given how long it takes
+ group to decide anything.
+
+ Tricky bit is making sure that repository receives enough
+ information to know whether parent has authorized child to use
+ parent's namespace in nesting case. In theory this is
+ straightforward but requires careful checking.
+
+ ARIN can't host output of non-hosted RPKI engines without this, and
+ that's critical both to the security model as discussed with ARIN
+ staff in late 2006, so I believe we need this capability even as
+ part of the initial limited test.
+
+ PRIORITY: Required
+
+ TIME REQUIRED: 1-2 weeks for implementation once protocol settled,
+ depending on how much of the protocol and implementation I can steal
+ from the existing left-right protocol.
+
+ STATUS: Started
+
+- Subsetting (req_* attributes in up-down protocol)
+
+ Minimal implementation would be to recognize this as correct
+ protocol and signal an internal server error if it's ever used.
+
+ More serious implementation would require expanding SQL child_cert
+ table to hold subset masks and tweaking almost every bit of code
+ that touches that table.
+
+ PRIORITY: Required
+
+ TIME REQUIRED (minimal version): One day
+
+ TIME REQUIRED (real version): 1-2 weeks
+
+ STATUS: Not started
+
+- Error handling: make sure that exceptions map correctly to up-down
+ error codes, flesh out left-right error codes. Note that the same
+ exception may produce different error codes depending on which
+ up-down PDU we're processing (sigh).
+
+ Will require code audit for coherency.
+
+ PRIORITY: Required
+
+ TIME REQUIRED: four days
+
+ DEPENDS ON: almost everything else, as almost any code change can
+ raise new exceptions that we'd need to handle.
+
+ STATUS: Not started
+
+- db.commit(), db.rollback(), code audit for data integrity issues,
+ fix any data integrity issues that turn up.
+
+ Among other issues, we need to handle loss of connnection to
+ database server and other MySQL errors. MySQLdb throws an
+ exception, which we can catch, and retrying is easy enough, but need
+ to be careful about recovery action depending on whether we had
+ uncommitted changes.
+
+ PRIORITY: Required
+
+ TIME REQUIRED (commit and rollback): Two weeks
+
+ TIME REQUIRED (data integrity audit): Three days
+
+ TIME REQUIRED (fix data integrity): Unknown, depends on code audit
+ and results of runtime testing.
+
+ DEPENDS ON: async tasking model, sort of -- could do it first, but
+ tasking change will affect the exception handling that triggers
+ rollback.
+
+ STATUS: Not started
+
+- Test with larger data set -- Tim gave me plenty of data, I have the
+ low-level tools and the glue logic to create child objects for all
+ the entities in the IRDB, but I don't yet have logic to poll on
+ behalf of each of them and check result for sanity.
+
+ Maybe it'd be easier to write something that dumps Tim's database in
+ YAML format for testbed.py to chew on?
+
+ PRIORITY: Highly desirable
+
+ TIME REQUIRED (setup): One day to convert Tim's data to YAML
+
+ TIME REQUIRED (testing): Unknown, depends on what we turn up
+
+ STATUS: Not started
+
+- Clean up rootd.py to be usable in a production system. Most urgent
+ issue is handling of private keys. May not need much else, as this
+ is not a high-traffic server.
+
+ PRIORITY: Highly desirable (not strictly needed for limited testing)
+
+ TIME REQUIRED: Two days
+
+ STATUS: Not started
+
+- Test framework, multiple self-instances per engine-instance (single
+ self-instance per engine-instance is already done).
+
+ PRIORITY: Required
+
+ DEPENDS ON: async tasking model.
+
+ TIME REQUIRED: One week
+
+ STATUS: Not started
+
+- tlslite code seems flakey under heavy use, and doesn't support all
+ the cert checks we want. Best bet for getting this right is
+ probably to hack on the POW Ssl class until it supports everything
+ shown in the OpenSSL book; aside from speed, the main advantage here
+ is that there -is- a list of all the things one needs to do to use
+ TLS properly if one follows this recipe, whereas with TLSlite it's
+ all a mystery.
+
+ Useful side effect of doing this via POW: it brings us back to only
+ needing one crypto library (in particular it lets us punt M2Crypto,
+ which appears to be coded as an accident waiting to happen).
+
+ PRIORITY: Required (cert checking is a security issue).
+
+ TIME REQUIRED: Two weeks.
+
+ DEPENDS ON: Async tasking model.
+
+ STATUS: Not started
+
+- ROA generation. We have a bunch of the primitives for this but we
+ aren't yet generating the ROAs themselves.
+
+ PRIORITY: Required
+
+ TIME REQUIRED: Three days
+
+ STATUS: Not started
+
+- Make rpkid fully event-driven (async tasking model), except for SQL
+ queries. This probably involves the "twisted" framework.
+
+ PRIORITY: Required (to implement hosting model)
+
+ TIME REQUIRED: one week.
+
+ STATUS: Not started
+
+- Update biz trust anchor model to what we came up with in Amsterdam.
+ This was a direct result of security review by Kent and Housley.
+
+ This has been waiting for work we hope RobK is doing. This is
+ probably not a lot of coding, probably a few extra cert fields in
+ the self object which we then need to toss into the
+ rpki.x509.X509_chain objects before verifying CMS or TLS, and
+ perhaps the existing TA fields in various objects become pairs of
+ certs instead of a single TA, but this is mostly just generalization
+ and reuse of existing code, no bold new adventures.
+
+ PRIORITY: Required (security issue)
+
+ TIME REQUIRED: One week.
+
+ STATUS: Not started
+
+- Performance testing
+
+ STATUS: Not started
+
+- rcynic handling of RPKI trust anchors probably needs updating.
+ Discussions over last N months of how RPKI trust anchors work, how
+ we package them, and how we roll them over. The last (TA rollover)
+ is the driver for this.
+
+ Last I recall (need to check email archives) APNIC had proposed a
+ relatively simple format (CMS signed PEM-encoded X.509 object set,
+ or something like that). Need to do analysis to make sure this is
+ adaquate for our needs, if so just use it. This would involve minor
+ changes to rcynic.
+
+ Alternatively, this could be a separate program to keep this grot
+ out of rcynic itself, but that's probably a usability nightmare.
+
+ PRIORITY: Required (usability issue for relying parties)
+
+ TIME REQUIRED: Three days.
+
+ STATUS: Not started
+
+- rcynic does not yet handle manifests. This is both a real problem
+ (manifests were added to plug a security hole) and a user acceptance
+ problem (without manifest support rcynic checks old certs that are
+ supposed to fail because they've been revoked, resulting in what
+ appear to be spurious errors, which just annoy the user).
+
+ PRIORITY: Required
+
+ TIME REQUIRED: One week.
+
+ STATUS: Not started
+
+- Update operation and installation docs.
+
+ Known current omissions: left-right "rekey" and "revoke" operations,
+ testbed.py's rootd_sia config option.
+
+ TIME REQUIRED (current work items): Less than one day
+
+ PRIORITY: Required
+
+ STATUS: Ongoing
+
+- Update internals docs (Doxygen). Mostly this means updating
+ function comments in the Python code, as the rest is automatic. May
+ require a bit of overview text to explain the workings of the code,
+ this overview text may well turn out to be just the current flat
+ text documents marked up for inclusion by Doxygen.
+
+ PRIORITY: Desirable
+
+ TIME REQUIRED: Two days
+
+ STATUS: Ongoing
+
+- Reorganize code (directory names, module names, which objects are in
+ which modules, add gctx pointers to objects so we can stop passing
+ all these flipping explicit gctx pointers in almost every function
+ call) to make it easier to understand and maintain. Portions of the
+ existing code were done in extreme haste to meet testing deadlines,
+ and it shows.
+
+ STATUS: Not started
+
+ TIME REQUIRED: two days
+
+ PRIORITY: Highly desirable (to preserve programmers' and
+ maintainers' sanity, if nothing else)
+
+- Add HSM support. Architecture includes it, current code does not.
+ First step here would be talking to somebody who understands PKCS#11
+ better than I do, ie, Richard Lamb or Francis Dupont.
+
+ STATUS: Not started
+
+ TIME REQUIRED: Unknown
+
+ PRIORITY: Desirable. Am guessing ARIN does not require this for
+ initial test
+
+
+
+Things implemented but not yet tested.
+
+- Client side of expiration now assumes that parent will reissue
+ when its IRDB changes.
+
+- Parent side of revocation (child_cert objects) and CRL generation
+ implemented.
+
+- Parent side of expiration implemented.
+
+- Child batch processing loop: regeneration or removal of expired
+ certs based on what's in the IRDB.
+
+- Batch regeneration of CRLs and manifests for all CAs.
+
+- Protection against up-down operations specifying a class_name that
+ belongs to some other self context.
+
+- Rewrote code that handles revoke on shrink to revoke -all- old certs
+ for that key, not just most recent. Not certain, but this may have
+ been the cause of a cert dropping not showing up in the CRL during
+ testing with APNIC in Vancouver.
+
+- Kludgy local publication hack seems to work now, including
+ withdrawal. rcynic still whines occasionally, but I think that's
+ just because, without manifest support, rcynic has no way of telling
+ the difference between certs we withdrew on purpose and certs that
+ were removed by an attacker, so the first rcynic run after a cert
+ has been revoked pulls the old cert from the previous rcynic pass,
+ find that it's listed in the CRL, and whines about it.
+
+
+
+Other random notes:
+
+Being able to specify interaction with other servers (not running
+under testbed) in a testbed.yaml might be useful for interop tests.
+Kind of breaks testbed's fundamental model, though. Replacing what
+testbed thinks is a leaf with somebody else would be easy, so maybe we
+could specify some way to hang a bunch of rpkids under an external
+parent? Hmm, data needed would look a lot like testpoke.yaml, maybe
+we can reuse some of that language?
+
+There's a three-way tradeoff lurking in the publication protocol,
+manifest generation, and CRL generation:
+
+1) Consistancy issues for relying parties (eg, don't want to withdraw
+ something that's still listed in the manifest);
+
+2) Efficiency issues for the RPKI engine (eg, generating a new
+ manifest for each individual change during a batch run could be
+ expensive, would prefer to batch up the changes into a single
+ manifest run); and
+
+3) Coherency issues for the RPKI engine (don't want to defer things
+ that could result in loss of state if something bad happens).
+
+Considerations (1) and (3) have to dominate, which may mean we take a
+hit on (2).
+
+Most of the explicit calls to sql_fetch*() are now encapsulated in
+one-line methods. The remaining ones are probably hints at minor bits
+of abstraction still to be done.
+
+Biz certs currently used by test scripts don't include SKI or AKI. I
+think this is because the test scripts use "openssl x509" rather than
+"openssl ca" when generating these certs. Not critical, and will
+probably become completely irrelevant with all-singing all-dancing
+post-Amsterdam biz cert scripts, but should not be a big problem to
+fix either if it gets in the way again.
diff --git a/rpkid/apnic-poke-1.sh b/rpkid/apnic-poke-1.sh
new file mode 100644
index 00000000..0bd8ff52
--- /dev/null
+++ b/rpkid/apnic-poke-1.sh
@@ -0,0 +1,112 @@
+#!/bin/sh -
+# $Id$
+
+# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# Script to let APNIC test against my server.
+#
+# This blows away rpkid's database and rebuilds it with what we need
+# for this test, and knows far too much about the id numbers that
+# rpkid and mysql will assign. In the long run we must do better than
+# this, but gotta start somewhere.
+
+openssl=../openssl/openssl/apps/openssl
+
+# Halt on first error and show what's happening
+
+set -ex
+
+# Generate new key and cert for rootd.py if needed
+
+if test ! -r rootd.cer -o ! -r rootd.key
+then
+ $openssl req -new -newkey rsa:2048 -nodes -keyout rootd.key -out rootd.req -config rootd.cnf
+
+ $openssl x509 -req -in rootd.req -out rootd.cer -extfile rootd.cnf -extensions req_x509_ext \
+ -signkey rootd.key -text -sha256
+
+ rm -f rootd.req
+fi
+
+# Blow away old rpkid database (!) so we can start clean
+
+mysql -u rpki -p`awk '$1 == "sql-password" {print $3}' rpkid.conf` rpki <../docs/rpki-db-schema.sql
+
+# Clear out any old publication results
+
+rm -rf publication/*
+
+# Start rpkid so we can configure it, make sure we shut it down on exit
+# If we're running under screen, just run it in a different screen instead.
+
+if test -n "$STY"
+then
+ screen python rpkid.py
+else
+ python rpkid.py >>rpkid.log 2>&1 & rpkid=$!
+ trap "kill $rpkid" 0 1 2 3 13 15
+fi
+
+# Create a self instance
+
+python irbe-cli.py self --action create --crl_interval 84600
+
+# Create a business signing context, issue the necessary business cert, and set up the cert chain
+
+python irbe-cli.py --pem_out bsc.req bsc --action create --self_id 1 \
+ --generate_keypair --signing_cert biz-certs/Bob-CA.cer
+
+$openssl x509 -req -in bsc.req -out bsc.cer -CA biz-certs/Bob-CA.cer \
+ -CAkey biz-certs/Bob-CA.key -CAserial biz-certs/Bob-CA.srl
+
+python irbe-cli.py bsc --action set --self_id 1 --bsc_id 1 --signing_cert bsc.cer
+
+rm -f bsc.req bsc.cer
+
+# Create a repository context
+
+python irbe-cli.py repository --self_id 1 --action create --bsc_id 1
+
+# Create a parent context pointing at rootd.py
+
+python irbe-cli.py parent --self_id 1 --action create --bsc_id 1 --repository_id 1 \
+ --peer_contact_uri https://localhost:44333/ \
+ --cms_ta biz-certs/Elena-Root.cer \
+ --https_ta biz-certs/Elena-Root.cer \
+ --sia_base rsync://wombat.invalid/
+
+# Create a child context
+
+python irbe-cli.py child --self_id 1 --action create --bsc_id 1 --cms_ta biz-certs/Frank-Root.cer
+
+# Run the other daemons, arrange for everything to go away on shutdown,
+# run initial cron job to set things up, then wait
+
+if test -n "$STY"
+then
+ screen python rootd.py
+ screen python irdbd.py
+else
+ python rootd.py >>rootd.log 2>&1 & rootd=$!
+ python irdbd.py >>irdbd.log 2>&1 & irdbd=$!
+ trap "kill $rpkid $irdbd $rootd" 0 1 2 3 13 15
+fi
+
+python cronjob.py
+
+if test -z "$STY"
+then
+ tail +0f rpkid.log
+fi
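Review bot: The `mysql -u rpki -p...` command that pulls `sql-password` out of rpkid.conf puts the database password on the command line, and with `set -ex` in effect the expanded command, password included, is echoed to the terminal or any captured log. While mysql runs, the password is also visible to other local users through the process list. Consider switching tracing off around this one command (`set +x` before it, `set -x` after) and supplying the credential through an owner-only option file via `--defaults-extra-file=` instead of `-p<password>`. The same line appears in apnic-poke-2.sh.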
diff --git a/rpkid/apnic-poke-1.yaml b/rpkid/apnic-poke-1.yaml
new file mode 100644
index 00000000..24b80561
--- /dev/null
+++ b/rpkid/apnic-poke-1.yaml
@@ -0,0 +1,28 @@
+---
+# $Id$
+
+version: 1
+posturl: https://adrilankha.hactrn.net:4433/up-down/1
+recipient-id: wombat
+sender-id: "1"
+
+cms-cert-file: biz-certs/Frank-EE.cer
+cms-key-file: biz-certs/Frank-EE.key
+cms-ca-cert-file: biz-certs/Bob-Root.cer
+cms-cert-chain-file: [ biz-certs/Frank-CA.cer ]
+
+ssl-cert-file: biz-certs/Frank-EE.cer
+ssl-key-file: biz-certs/Frank-EE.key
+ssl-ca-cert-file: biz-certs/Bob-Root.cer
+
+requests:
+ list:
+ type: list
+ issue:
+ type: issue
+ class: 1
+ sia: [ "rsync://bandicoot.invalid/some/where/" ]
+ revoke:
+ type: revoke
+ class: 1
+ ski: "CB5K6APY-4KcGAW9jaK_cVPXKX0"
diff --git a/rpkid/apnic-poke-2.sh b/rpkid/apnic-poke-2.sh
new file mode 100644
index 00000000..d10c9fa5
--- /dev/null
+++ b/rpkid/apnic-poke-2.sh
@@ -0,0 +1,123 @@
+#!/bin/sh -
+# $Id$
+
+# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+openssl=../openssl/openssl/apps/openssl
+
+# Halt on first error and show what's happening
+
+set -ex
+
+# Blow away old rpkid database (!) so we can start clean
+
+mysql -u rpki -p`awk '$1 == "sql-password" {print $3}' rpkid.conf` rpki <../docs/rpki-db-schema.sql
+
+# Clear out any old publication results
+
+rm -rf publication/*
+
+# Start rpkid so we can configure it, make sure we shut it down on exit
+# If we're running under screen, just run it in a different screen instead.
+
+if test -n "$STY"
+then
+ screen python rpkid.py
+else
+ python rpkid.py >>rpkid.log 2>&1 & rpkid=$!
+ trap "kill $rpkid" 0 1 2 3 13 15
+fi
+
+# Create a self instance
+
+python irbe-cli.py self --action create --crl_interval 84600
+
+# Create a business signing context, issue the necessary business cert, and set up the cert chain
+
+python irbe-cli.py --pem_out bsc.req bsc --action create --self_id 1 \
+ --generate_keypair --signing_cert biz-certs/Bob-CA.cer
+$openssl x509 -req -in bsc.req -out bsc.cer \
+ -CA biz-certs/Bob-CA.cer -CAkey biz-certs/Bob-CA.key -CAserial biz-certs/Bob-CA.srl
+python irbe-cli.py bsc --action set --self_id 1 --bsc_id 1 --signing_cert bsc.cer
+rm -f bsc.req bsc.cer
+
+# List what's in the BSC, for today's debugging fun
+
+#python irbe-cli.py bsc --action list --self_id 1
+
+# Create a repository context
+
+python irbe-cli.py repository --self_id 1 --action create --bsc_id 1
+
+# Create a parent context pointing at APNIC -- this is where we plug in the values from their YAML
+
+cat >apnic.pem <<-'EOF'
+ -----BEGIN CERTIFICATE-----
+ MIIEFjCCAv6gAwIBAgIBADANBgkqhkiG9w0BAQsFADBJMUcwRQYDVQQDEz5Eb2N1
+ bWVudGF0aW9uIFByZWZpeGVzIENNUyBQYXJlbnQgVEEgc2lnbmVyIC0gTm90IGZv
+ ciByZWFsIHVzZTAeFw0wNzEyMDEwNjMyNDdaFw0xNzExMjgwNjMyNDdaMEkxRzBF
+ BgNVBAMTPkRvY3VtZW50YXRpb24gUHJlZml4ZXMgQ01TIFBhcmVudCBUQSBzaWdu
+ ZXIgLSBOb3QgZm9yIHJlYWwgdXNlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+ CgKCAQEAtsRcgBpO7cTN+QGPnBaPtmfdsUZbctrfSBycS3QhwAItzZryqIHN9stP
+ A+0WEOC4+cfaY9xETqGwbq725p8FRwxUx9NBQS7jrL1ToNCJ+2qSH5ThK2hOQiCT
+ 3fv2FNJ/7gFFqofWt3mLyNEmnis95pRwzTtqH6ZaAaZk+AzwL77ww8AlwL/qfLtD
+ mjrsUfoELfkbS4ywFK0orjVKeGvzG8Dx7WiGvwmdhNNJ8/IAZmJC0NI8r9VIfcw3
+ 2B7bnDGkKH3E0NNRIajPmLbaNfT0Dxw+BjIC3Ty48o3ghSScqviyThNFyj8cr9SB
+ Ww8ReAU6v9q4XWRnlZt8Lc9WIsF/MwIDAQABo4IBBzCCAQMwDAYDVR0TBAUwAwEB
+ /zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFPzZTgRZylsJph8KV9AU3klSgl8r
+ MHEGA1UdIwRqMGiAFPzZTgRZylsJph8KV9AU3klSgl8roU2kSzBJMUcwRQYDVQQD
+ Ez5Eb2N1bWVudGF0aW9uIFByZWZpeGVzIENNUyBQYXJlbnQgVEEgc2lnbmVyIC0g
+ Tm90IGZvciByZWFsIHVzZYIBADBRBgNVHR8ESjBIMEagRKBChkBodHRwOi8vbWly
+ aW4uYXBuaWMubmV0L2RvY3VtZW50YXRpb24tcHJlZml4ZXMvY21zL3BhcmVudC9j
+ bXMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCNz/BUN5bsAyMPi0X7oKZV/cAwmr2S
+ gQgIxaUHnQ6EJp4b2CUmlpPQ9pT/m+gPbajaRgUZmANfMF0uAFZpCP3hTRAc6NMH
+ 3Pwjzw1ICGSRRJASSizYN4hSxGpWW1hgghGTB3w5CjCm2VlwrQKJjb7/9H/gb4hi
+ RRZpaudithCEDlgkFhgU4uttSDLH2Rv14GtfmtyqDpmCE33STA7K+e9rdxaCqHC8
+ u33zqm4oQxOX7wuJ/JxeJxExtZ0amu8yTZ+tDtQ4Iiu1VPl67o0mjYrBKRV4z2fC
+ wa/PKqombrC/qs+2+t/66mB9xaK1YpKnW2FL6Rjs+rZUJJQ16JhJkF7T
+ -----END CERTIFICATE-----
+EOF
+
+python irbe-cli.py parent --self_id 1 --action create --bsc_id 1 --repository_id 1 \
+ --peer_contact_uri https://mirin.apnic.net/cgi-bin/up-down-parent.cgi \
+ --cms_ta apnic.pem \
+ --https_ta apnic.pem \
+ --sia_base rsync://wombat.invalid/ \
+ --recipient_name PARENT \
+ --sender_name CHILD
+
+rm -f apnic.pem
+
+# Create a child context
+
+python irbe-cli.py child --self_id 1 --action create --bsc_id 1 --cms_ta biz-certs/Frank-Root.cer
+
+# Run the other daemons, arrange for everything to go away on shutdown,
+# run initial cron job to set things up, then wait
+
+if test -n "$STY"
+then
+ screen python irdbd.py
+else
+ python irdbd.py >>irdbd.log 2>&1 & irdbd=$!
+ trap "kill $rpkid $irdbd" 0 1 2 3 13 15
+fi
+
+python cronjob.py
+
+if test -z "$STY"
+then
+ tail +0f rpkid.log
+fi
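Review bot: The parent trust anchor is pasted into the script as a here-document, and the identical PEM block appears twice more in apnic-poke-2.yaml (`cms-ca-cert` and `ssl-ca-cert`), so three copies have to be kept in step by hand whenever the peer's anchor changes. Keeping it as one checked-in file, and pointing `--cms_ta` / `--https_ta` here and `cms-ca-cert-file` / `ssl-ca-cert-file` in the YAML (the keys apnic-poke-1.yaml already uses) at that file, would leave a single place to review what is being trusted. It would also remove the temporary `apnic.pem`, which is left behind in the working directory if the `irbe-cli.py parent` call fails under `set -e`. Unlike apnic-poke-1.sh, this script has no header comment; something like `# Rebuilds rpkid's database from scratch for the APNIC interop test.` would warn the reader before the schema reload.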
diff --git a/rpkid/apnic-poke-2.yaml b/rpkid/apnic-poke-2.yaml
new file mode 100644
index 00000000..6ba93729
--- /dev/null
+++ b/rpkid/apnic-poke-2.yaml
@@ -0,0 +1,74 @@
+---
+# $Id$
+#
+# This sender config file was created by the make_cfg tool
+# Account: TELSTRA-AU
+
+version: 1
+recipient-id: PARENT
+sender-id: CHILD
+
+cms-cert-file: biz-certs/Bob-EE.cer
+cms-key-file: biz-certs/Bob-EE.key
+cms-cert-chain-file: [ biz-certs/Bob-CA.cer ]
+
+cms-ca-cert: |
+ -----BEGIN CERTIFICATE-----
+ MIIEFjCCAv6gAwIBAgIBADANBgkqhkiG9w0BAQsFADBJMUcwRQYDVQQDEz5Eb2N1
+ bWVudGF0aW9uIFByZWZpeGVzIENNUyBQYXJlbnQgVEEgc2lnbmVyIC0gTm90IGZv
+ ciByZWFsIHVzZTAeFw0wNzEyMDEwNjMyNDdaFw0xNzExMjgwNjMyNDdaMEkxRzBF
+ BgNVBAMTPkRvY3VtZW50YXRpb24gUHJlZml4ZXMgQ01TIFBhcmVudCBUQSBzaWdu
+ ZXIgLSBOb3QgZm9yIHJlYWwgdXNlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+ CgKCAQEAtsRcgBpO7cTN+QGPnBaPtmfdsUZbctrfSBycS3QhwAItzZryqIHN9stP
+ A+0WEOC4+cfaY9xETqGwbq725p8FRwxUx9NBQS7jrL1ToNCJ+2qSH5ThK2hOQiCT
+ 3fv2FNJ/7gFFqofWt3mLyNEmnis95pRwzTtqH6ZaAaZk+AzwL77ww8AlwL/qfLtD
+ mjrsUfoELfkbS4ywFK0orjVKeGvzG8Dx7WiGvwmdhNNJ8/IAZmJC0NI8r9VIfcw3
+ 2B7bnDGkKH3E0NNRIajPmLbaNfT0Dxw+BjIC3Ty48o3ghSScqviyThNFyj8cr9SB
+ Ww8ReAU6v9q4XWRnlZt8Lc9WIsF/MwIDAQABo4IBBzCCAQMwDAYDVR0TBAUwAwEB
+ /zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFPzZTgRZylsJph8KV9AU3klSgl8r
+ MHEGA1UdIwRqMGiAFPzZTgRZylsJph8KV9AU3klSgl8roU2kSzBJMUcwRQYDVQQD
+ Ez5Eb2N1bWVudGF0aW9uIFByZWZpeGVzIENNUyBQYXJlbnQgVEEgc2lnbmVyIC0g
+ Tm90IGZvciByZWFsIHVzZYIBADBRBgNVHR8ESjBIMEagRKBChkBodHRwOi8vbWly
+ aW4uYXBuaWMubmV0L2RvY3VtZW50YXRpb24tcHJlZml4ZXMvY21zL3BhcmVudC9j
+ bXMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCNz/BUN5bsAyMPi0X7oKZV/cAwmr2S
+ gQgIxaUHnQ6EJp4b2CUmlpPQ9pT/m+gPbajaRgUZmANfMF0uAFZpCP3hTRAc6NMH
+ 3Pwjzw1ICGSRRJASSizYN4hSxGpWW1hgghGTB3w5CjCm2VlwrQKJjb7/9H/gb4hi
+ RRZpaudithCEDlgkFhgU4uttSDLH2Rv14GtfmtyqDpmCE33STA7K+e9rdxaCqHC8
+ u33zqm4oQxOX7wuJ/JxeJxExtZ0amu8yTZ+tDtQ4Iiu1VPl67o0mjYrBKRV4z2fC
+ wa/PKqombrC/qs+2+t/66mB9xaK1YpKnW2FL6Rjs+rZUJJQ16JhJkF7T
+ -----END CERTIFICATE-----
+
+ssl-cert-file: biz-certs/Bob-EE.cer
+ssl-key-file: biz-certs/Bob-EE.key
+
+ssl-ca-cert: |
+ -----BEGIN CERTIFICATE-----
+ MIIEFjCCAv6gAwIBAgIBADANBgkqhkiG9w0BAQsFADBJMUcwRQYDVQQDEz5Eb2N1
+ bWVudGF0aW9uIFByZWZpeGVzIENNUyBQYXJlbnQgVEEgc2lnbmVyIC0gTm90IGZv
+ ciByZWFsIHVzZTAeFw0wNzEyMDEwNjMyNDdaFw0xNzExMjgwNjMyNDdaMEkxRzBF
+ BgNVBAMTPkRvY3VtZW50YXRpb24gUHJlZml4ZXMgQ01TIFBhcmVudCBUQSBzaWdu
+ ZXIgLSBOb3QgZm9yIHJlYWwgdXNlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+ CgKCAQEAtsRcgBpO7cTN+QGPnBaPtmfdsUZbctrfSBycS3QhwAItzZryqIHN9stP
+ A+0WEOC4+cfaY9xETqGwbq725p8FRwxUx9NBQS7jrL1ToNCJ+2qSH5ThK2hOQiCT
+ 3fv2FNJ/7gFFqofWt3mLyNEmnis95pRwzTtqH6ZaAaZk+AzwL77ww8AlwL/qfLtD
+ mjrsUfoELfkbS4ywFK0orjVKeGvzG8Dx7WiGvwmdhNNJ8/IAZmJC0NI8r9VIfcw3
+ 2B7bnDGkKH3E0NNRIajPmLbaNfT0Dxw+BjIC3Ty48o3ghSScqviyThNFyj8cr9SB
+ Ww8ReAU6v9q4XWRnlZt8Lc9WIsF/MwIDAQABo4IBBzCCAQMwDAYDVR0TBAUwAwEB
+ /zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFPzZTgRZylsJph8KV9AU3klSgl8r
+ MHEGA1UdIwRqMGiAFPzZTgRZylsJph8KV9AU3klSgl8roU2kSzBJMUcwRQYDVQQD
+ Ez5Eb2N1bWVudGF0aW9uIFByZWZpeGVzIENNUyBQYXJlbnQgVEEgc2lnbmVyIC0g
+ Tm90IGZvciByZWFsIHVzZYIBADBRBgNVHR8ESjBIMEagRKBChkBodHRwOi8vbWly
+ aW4uYXBuaWMubmV0L2RvY3VtZW50YXRpb24tcHJlZml4ZXMvY21zL3BhcmVudC9j
+ bXMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCNz/BUN5bsAyMPi0X7oKZV/cAwmr2S
+ gQgIxaUHnQ6EJp4b2CUmlpPQ9pT/m+gPbajaRgUZmANfMF0uAFZpCP3hTRAc6NMH
+ 3Pwjzw1ICGSRRJASSizYN4hSxGpWW1hgghGTB3w5CjCm2VlwrQKJjb7/9H/gb4hi
+ RRZpaudithCEDlgkFhgU4uttSDLH2Rv14GtfmtyqDpmCE33STA7K+e9rdxaCqHC8
+ u33zqm4oQxOX7wuJ/JxeJxExtZ0amu8yTZ+tDtQ4Iiu1VPl67o0mjYrBKRV4z2fC
+ wa/PKqombrC/qs+2+t/66mB9xaK1YpKnW2FL6Rjs+rZUJJQ16JhJkF7T
+ -----END CERTIFICATE-----
+
+posturl: https://mirin.apnic.net/cgi-bin/up-down-parent.cgi
+
+requests:
+ list:
+ type: list
diff --git a/rpkid/biz-certs-setup.sh b/rpkid/biz-certs-setup.sh
new file mode 100644
index 00000000..26164496
--- /dev/null
+++ b/rpkid/biz-certs-setup.sh
@@ -0,0 +1,81 @@
+#!/bin/sh -
+# $Id$
+
+# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# Quick hack to generate a set of business keys and certs for use with
+# early prototype code. Not for production use.
+#
+# All we're trying to do here is generate a three-level-deep set of
+# certs for each of several independent entities. Could easily be
+# deeper in practice but this should be enough for simple tests: a
+# self-signed root cert to use as a trust anchor, a working CA, and an
+# EE cert used for CMS or TLS.
+#
+# Among other things missing here, we're not doing any restrictions
+# beyond basicConstraints and we're not doing CRLs.
+#
+# One can extract the public key from a .key file by doing:
+#
+# $ openssl rsa -in foo.key -pubout
+#
+# I ended up needing this to build simulated packets for the
+# left-right protocol.
+
+for i in Alice Bob Carol Dave Elena Frank Ginny Harry
+do
+ for j in Root CA EE
+ do
+
+ case $j in
+ EE) ca=false;;
+ *) ca=true;;
+ esac
+
+ test -r $i-$j.cnf || cat >$i-$j.cnf <<-EOF
+
+ [ req ]
+ distinguished_name = req_dn
+ x509_extensions = req_x509_ext
+ prompt = no
+ default_md = sha256
+
+ [ req_dn ]
+ CN = Test Certificate $i $j
+
+ [ req_x509_ext ]
+ basicConstraints = CA:$ca
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid:always
+
+ EOF
+
+ test -r $i-$j.key -a -r $i-$j.req ||
+ openssl req -new -newkey rsa:2048 -nodes -keyout $i-$j.key -out $i-$j.req -config $i-$j.cnf
+
+ done
+
+ test -r $i-Root.cer || openssl x509 -req -in $i-Root.req -out $i-Root.cer -extfile $i-Root.cnf -extensions req_x509_ext -signkey $i-Root.key -days 60
+ test -r $i-CA.cer || openssl x509 -req -in $i-CA.req -out $i-CA.cer -extfile $i-CA.cnf -extensions req_x509_ext -CA $i-Root.cer -CAkey $i-Root.key -CAcreateserial
+ test -r $i-EE.cer || openssl x509 -req -in $i-EE.req -out $i-EE.cer -extfile $i-EE.cnf -extensions req_x509_ext -CA $i-CA.cer -CAkey $i-CA.key -CAcreateserial
+
+done
+
+for i in *.cer
+do
+ h=`openssl x509 -noout -hash -in $i`.0
+ test -r $h ||
+ ln -s $i $h
+done
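Review bot: The three `openssl x509 -req` commands that sign the Root, CA and EE certificates do not name a digest, and `default_md = sha256` in the generated `[ req ]` section only governs `openssl req`, so the certificate signatures fall back to whatever default the installed openssl has (possibly a weaker hash on older builds). Adding `-sha256` to each of the three lines, as apnic-poke-1.sh already does for rootd.cer, would make the result independent of the openssl version. Because of the `test -r $i-$j.cnf ||` guard, the .cnf files added in this same commit with `default_md = sha1` will not be regenerated, so the requests keep using SHA-1 until those files are removed. Only the Root line sets `-days 60`; the CA and EE lines take openssl's default lifetime, which is worth stating in a comment if it is intentional.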
diff --git a/rpkid/biz-certs/08fd5b15.0 b/rpkid/biz-certs/08fd5b15.0
new file mode 120000
index 00000000..4e65bd46
--- /dev/null
+++ b/rpkid/biz-certs/08fd5b15.0
@@ -0,0 +1 @@
+Carol-Root.cer \ No newline at end of file
diff --git a/rpkid/biz-certs/0cb21e6a.0 b/rpkid/biz-certs/0cb21e6a.0
new file mode 120000
index 00000000..0bbc896d
--- /dev/null
+++ b/rpkid/biz-certs/0cb21e6a.0
@@ -0,0 +1 @@
+Alice-Root.cer \ No newline at end of file
diff --git a/rpkid/biz-certs/33b6d09e.0 b/rpkid/biz-certs/33b6d09e.0
new file mode 120000
index 00000000..6a20c98c
--- /dev/null
+++ b/rpkid/biz-certs/33b6d09e.0
@@ -0,0 +1 @@
+Ginny-Root.cer \ No newline at end of file
diff --git a/rpkid/biz-certs/5210f268.0 b/rpkid/biz-certs/5210f268.0
new file mode 120000
index 00000000..2a347add
--- /dev/null
+++ b/rpkid/biz-certs/5210f268.0
@@ -0,0 +1 @@
+Bob-EE.cer \ No newline at end of file
diff --git a/rpkid/biz-certs/5ebf1062.0 b/rpkid/biz-certs/5ebf1062.0
new file mode 120000
index 00000000..16d11802
--- /dev/null
+++ b/rpkid/biz-certs/5ebf1062.0
@@ -0,0 +1 @@
+Frank-CA.cer \ No newline at end of file
diff --git a/rpkid/biz-certs/60ac264c.0 b/rpkid/biz-certs/60ac264c.0
new file mode 120000
index 00000000..2f3644fd
--- /dev/null
+++ b/rpkid/biz-certs/60ac264c.0
@@ -0,0 +1 @@
+Elena-Root.cer \ No newline at end of file
diff --git a/rpkid/biz-certs/623ab26c.0 b/rpkid/biz-certs/623ab26c.0
new file mode 120000
index 00000000..95960a41
--- /dev/null
+++ b/rpkid/biz-certs/623ab26c.0
@@ -0,0 +1 @@
+Harry-EE.cer \ No newline at end of file
diff --git a/rpkid/biz-certs/6878697a.0 b/rpkid/biz-certs/6878697a.0
new file mode 120000
index 00000000..efc1dc95
--- /dev/null
+++ b/rpkid/biz-certs/6878697a.0
@@ -0,0 +1 @@
+Harry-CA.cer \ No newline at end of file
diff --git a/rpkid/biz-certs/71288ec9.0 b/rpkid/biz-certs/71288ec9.0
new file mode 120000
index 00000000..b05a359f
--- /dev/null
+++ b/rpkid/biz-certs/71288ec9.0
@@ -0,0 +1 @@
+Alice-CA.cer \ No newline at end of file
diff --git a/rpkid/biz-certs/7449ce31.0 b/rpkid/biz-certs/7449ce31.0
new file mode 120000
index 00000000..30a5b8ce
--- /dev/null
+++ b/rpkid/biz-certs/7449ce31.0
@@ -0,0 +1 @@
+Carol-CA.cer \ No newline at end of file
diff --git a/rpkid/biz-certs/7562977b.0 b/rpkid/biz-certs/7562977b.0
new file mode 120000
index 00000000..808e8a92
--- /dev/null
+++ b/rpkid/biz-certs/7562977b.0
@@ -0,0 +1 @@
+Harry-Root.cer \ No newline at end of file
diff --git a/rpkid/biz-certs/80e4ab61.0 b/rpkid/biz-certs/80e4ab61.0
new file mode 120000
index 00000000..17d44d15
--- /dev/null
+++ b/rpkid/biz-certs/80e4ab61.0
@@ -0,0 +1 @@
+Alice-EE.cer \ No newline at end of file
diff --git a/rpkid/biz-certs/826d8d65.0 b/rpkid/biz-certs/826d8d65.0
new file mode 120000
index 00000000..21b78ac1
--- /dev/null
+++ b/rpkid/biz-certs/826d8d65.0
@@ -0,0 +1 @@
+Frank-Root.cer \ No newline at end of file
diff --git a/rpkid/biz-certs/9844d0ad.0 b/rpkid/biz-certs/9844d0ad.0
new file mode 120000
index 00000000..75a23567
--- /dev/null
+++ b/rpkid/biz-certs/9844d0ad.0
@@ -0,0 +1 @@
+Bob-Root.cer \ No newline at end of file
diff --git a/rpkid/biz-certs/9970e247.0 b/rpkid/biz-certs/9970e247.0
new file mode 120000
index 00000000..a40c06f6
--- /dev/null
+++ b/rpkid/biz-certs/9970e247.0
@@ -0,0 +1 @@
+Bob-CA.cer \ No newline at end of file
diff --git a/rpkid/biz-certs/Alice-CA.cer b/rpkid/biz-certs/Alice-CA.cer
new file mode 100644
index 00000000..00aceaa8
--- /dev/null
+++ b/rpkid/biz-certs/Alice-CA.cer
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/biz-certs/Alice-CA.cnf b/rpkid/biz-certs/Alice-CA.cnf
new file mode 100644
index 00000000..b6e1971e
--- /dev/null
+++ b/rpkid/biz-certs/Alice-CA.cnf
@@ -0,0 +1,15 @@
+
+[ req ]
+distinguished_name = req_dn
+x509_extensions = req_x509_ext
+prompt = no
+default_md = sha1
+
+[ req_dn ]
+CN = Test Certificate Alice CA
+
+[ req_x509_ext ]
+basicConstraints = CA:true
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
diff --git a/rpkid/biz-certs/Alice-CA.key b/rpkid/biz-certs/Alice-CA.key
new file mode 100644
index 00000000..a5b32f93
--- /dev/null
+++ b/rpkid/biz-certs/Alice-CA.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
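Review bot: This hunk, like the other `biz-certs/*.key` files in the commit, checks an unencrypted RSA private key into the repository (biz-certs-setup.sh creates them with `-nodes`). The setup script says the material is not for production use, but apnic-poke-2.yaml uses `biz-certs/Bob-EE.key` against a remote `posturl`, so anyone with read access to the repository can hold the same identity. If the peer trusts these certificates for anything beyond throwaway interop runs, generate the keys locally with biz-certs-setup.sh and keep `*.key` out of version control. Otherwise, a note in the biz-certs directory saying the keys are public test fixtures would prevent later reuse.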
diff --git a/rpkid/biz-certs/Alice-CA.req b/rpkid/biz-certs/Alice-CA.req
new file mode 100644
index 00000000..1d6a39e1
--- /dev/null
+++ b/rpkid/biz-certs/Alice-CA.req
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
diff --git a/rpkid/biz-certs/Alice-CA.srl b/rpkid/biz-certs/Alice-CA.srl
new file mode 100644
index 00000000..a4acb46b
--- /dev/null
+++ b/rpkid/biz-certs/Alice-CA.srl
@@ -0,0 +1 @@
+9B985E838A1A1B13
diff --git a/rpkid/biz-certs/Alice-EE.cer b/rpkid/biz-certs/Alice-EE.cer
new file mode 100644
index 00000000..7a535623
--- /dev/null
+++ b/rpkid/biz-certs/Alice-EE.cer
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/biz-certs/Alice-EE.cnf b/rpkid/biz-certs/Alice-EE.cnf
new file mode 100644
index 00000000..bd9c175c
--- /dev/null
+++ b/rpkid/biz-certs/Alice-EE.cnf
@@ -0,0 +1,15 @@
+
+[ req ]
+distinguished_name = req_dn
+x509_extensions = req_x509_ext
+prompt = no
+default_md = sha1
+
+[ req_dn ]
+CN = Test Certificate Alice EE
+
+[ req_x509_ext ]
+basicConstraints = CA:false
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
diff --git a/rpkid/biz-certs/Alice-EE.key b/rpkid/biz-certs/Alice-EE.key
new file mode 100644
index 00000000..709a07a9
--- /dev/null
+++ b/rpkid/biz-certs/Alice-EE.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/rpkid/biz-certs/Alice-EE.req b/rpkid/biz-certs/Alice-EE.req
new file mode 100644
index 00000000..9d7388b7
--- /dev/null
+++ b/rpkid/biz-certs/Alice-EE.req
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
diff --git a/rpkid/biz-certs/Alice-Root.cer b/rpkid/biz-certs/Alice-Root.cer
new file mode 100644
index 00000000..5f08ecd3
--- /dev/null
+++ b/rpkid/biz-certs/Alice-Root.cer
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/biz-certs/Alice-Root.cnf b/rpkid/biz-certs/Alice-Root.cnf
new file mode 100644
index 00000000..78089bba
--- /dev/null
+++ b/rpkid/biz-certs/Alice-Root.cnf
@@ -0,0 +1,15 @@
+
+[ req ]
+distinguished_name = req_dn
+x509_extensions = req_x509_ext
+prompt = no
+default_md = sha1
+
+[ req_dn ]
+CN = Test Certificate Alice Root
+
+[ req_x509_ext ]
+basicConstraints = CA:true
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
diff --git a/rpkid/biz-certs/Alice-Root.key b/rpkid/biz-certs/Alice-Root.key
new file mode 100644
index 00000000..1c417192
--- /dev/null
+++ b/rpkid/biz-certs/Alice-Root.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/rpkid/biz-certs/Alice-Root.req b/rpkid/biz-certs/Alice-Root.req
new file mode 100644
index 00000000..ba90a1b6
--- /dev/null
+++ b/rpkid/biz-certs/Alice-Root.req
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----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=
+-----END CERTIFICATE REQUEST-----
diff --git a/rpkid/biz-certs/Alice-Root.srl b/rpkid/biz-certs/Alice-Root.srl
new file mode 100644
index 00000000..2f14dc02
--- /dev/null
+++ b/rpkid/biz-certs/Alice-Root.srl
@@ -0,0 +1 @@
+93A70708505A2201
diff --git a/rpkid/biz-certs/Bob-CA.cer b/rpkid/biz-certs/Bob-CA.cer
new file mode 100644
index 00000000..98e21886
--- /dev/null
+++ b/rpkid/biz-certs/Bob-CA.cer
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/biz-certs/Bob-CA.cnf b/rpkid/biz-certs/Bob-CA.cnf
new file mode 100644
index 00000000..91dbff0c
--- /dev/null
+++ b/rpkid/biz-certs/Bob-CA.cnf
@@ -0,0 +1,15 @@
+
+[ req ]
+distinguished_name = req_dn
+x509_extensions = req_x509_ext
+prompt = no
+default_md = sha1
+
+[ req_dn ]
+CN = Test Certificate Bob CA
+
+[ req_x509_ext ]
+basicConstraints = CA:true
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
diff --git a/rpkid/biz-certs/Bob-CA.key b/rpkid/biz-certs/Bob-CA.key
new file mode 100644
index 00000000..d331ba47
--- /dev/null
+++ b/rpkid/biz-certs/Bob-CA.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA2zsPdtZTyvGICf4yFqkg2mAGExZrOhJYOtqYLnEgicmPtzBr
+fOKwnjzurl1SqxbIY5Lcw1M0mD81MbPbMQYcjUaYGHiMYCFlhALCp0STrCblpY+8
+gItkUgYoe26A+TRXx43hDF02b/RijqPad77VccvcFLaq4pOVMYThsRyd4fbf3tEk
+WOBZLYkowVdeU6DpbAcS8VWXx+IUenG55ZB1VIEfCXXSiwHHN4rpb3Sh95fY8nXZ
+Ti4w7a8EAwiKiyZDxA+1QgKiE90nfMzpvYarn82kb/Rwfxh3ocj9WuBd4/WDvxUf
+DehOe6LbDTg9NPTtr7QYrOiziywf8KaoPeSbdQIDAQABAoIBAC1IgMQ6NyqnQ0NV
+J0F5A9k3lmmg6tse6OyXNHH7Wg47/RyIutsb9AFrcp2/lxDR7uhqcIFEEYwVGka+
+8NqqeYFRAJ+lXtGIdHCVJWHpj1sy2aKeEwC2Si2LKhd81tUi07Lbgo3MPy9W2ni+
+LaUoXOxZgIciyB9u/pUw7nFoCNCgjN6/VmYZO8R75SYPf+XfKawKkkZH6Gc0LiiY
+NN5Am4fpmGKCdPHUFoZPA3tkTAnwoZ8a7Vckt4DSOn+Eh6R1DU7u9k08zTqSj6Tk
+ToKah9hXi8kxkHMqkaKQcrZiwJNbdVqJlJiJMKadOsWS9lOjdIQC7VVh+7V2fIyb
+/OPLcm0CgYEA9yDubu/EN2Lu/i4T8SR2kGOYfH3EmjXgy5LMfDRFNK81yer6mrLy
+xQhPvyEPVnz7lvUShP4igIuBermD6PhLm4pXrQnd8Kpu7Qina1xe8R/5HZHgyVXA
+J2PFtmoqowMwUMbQ6jwNKtWybKzJDKKf6WaLNaqGgawJObNTuLaKK0sCgYEA4xnA
+fuGs4V3U7h4AieJilEcUeF3aWk70OrAdkFNVnrMnW59dGmACmJ10NIeMnzGtJ1lX
+q/IOZmSag91O3SADOddp5+CjuqvU37Wi+ve+Z2f+qI2acHnBN54PlUEhUO+O5Eyv
+3WkJIKn4MkMNLNqJ9woGpq1L4MDbHMvdrVzfXD8CgYEAmDWbRY69ztNLmhhtRfAM
+aqA9MigQaF7Y5umysqlLGsjzmzr0QUYIity0qWbGWKHAH9kwH+ObAotqI1mR6nLL
+trA9kiFqpimDCtFytIh/HYpw2AqaZcdAA8LK6rB3NFHpd0cNM8fq4EAglhjR98tO
+LOZwxYwTLlj0kapm3XToowMCgYAMzdPjk3e60R6DOl/PZlsmfwdxbeE0vETa1jkk
+fP5Tz0gFy2tlZEphLmdx2r6b7yITGN9vi1syfLOVgbHDl912smV/NFQm3y9GWahR
+vAwZKmzaNfmiI8s4BopcYOqu9IK67nPv6M8h71NWCh/BCqVCr2cGmLixeE4iRoA+
+GQFi4wKBgEdZI39hulduXBo0LM5+Gc2WowNAGMk5cu9JS05Ypm+fpepn9Z7yXX+g
+y5PHJthN5IHDOWxPDuOI8vKdWumqwMJwZaXnuiaTzRcfHKHTQsFuFJz0KbkLFd0o
+NPdLjn20zsJ3ZniHgWwt231trs81f9ZApUO2NAa0KcVGdB6iYk2j
+-----END RSA PRIVATE KEY-----
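Review bot: This hunk commits an RSA private key in plaintext: the PEM body follows the `BEGIN` line directly, with no `Proc-Type`/`DEK-Info` encryption header. Bob-CA.cnf marks the matching certificate `CA:true`, so anyone who can read the repository can issue certificates under this chain. The same applies to the other `*.key` files added under rpkid/biz-certs/ (Alice-Root.key, Bob-EE.key, Bob-Root.key, Carol-CA.key and the rest). The subject says "Test Certificate", but nothing visible here stops one of these roots from being configured as a trust anchor outside the test harness. I would keep only the `.cnf` files and the setup script under version control, generate keys, requests and certificates at test time, and add an ignore rule for `rpkid/biz-certs/*.key`; if the fixtures must stay, add a README line stating that these keys are public and must never be trusted in a real deployment.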
diff --git a/rpkid/biz-certs/Bob-CA.req b/rpkid/biz-certs/Bob-CA.req
new file mode 100644
index 00000000..ec8cb2b2
--- /dev/null
+++ b/rpkid/biz-certs/Bob-CA.req
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----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+-----END CERTIFICATE REQUEST-----
diff --git a/rpkid/biz-certs/Bob-CA.srl b/rpkid/biz-certs/Bob-CA.srl
new file mode 100644
index 00000000..89899213
--- /dev/null
+++ b/rpkid/biz-certs/Bob-CA.srl
@@ -0,0 +1 @@
+90801F1ED1945562
diff --git a/rpkid/biz-certs/Bob-EE.cer b/rpkid/biz-certs/Bob-EE.cer
new file mode 100644
index 00000000..88411f1b
--- /dev/null
+++ b/rpkid/biz-certs/Bob-EE.cer
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/biz-certs/Bob-EE.cnf b/rpkid/biz-certs/Bob-EE.cnf
new file mode 100644
index 00000000..03a517ec
--- /dev/null
+++ b/rpkid/biz-certs/Bob-EE.cnf
@@ -0,0 +1,15 @@
+
+[ req ]
+distinguished_name = req_dn
+x509_extensions = req_x509_ext
+prompt = no
+default_md = sha1
+
+[ req_dn ]
+CN = Test Certificate Bob EE
+
+[ req_x509_ext ]
+basicConstraints = CA:false
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
diff --git a/rpkid/biz-certs/Bob-EE.key b/rpkid/biz-certs/Bob-EE.key
new file mode 100644
index 00000000..fe2d8a29
--- /dev/null
+++ b/rpkid/biz-certs/Bob-EE.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/rpkid/biz-certs/Bob-EE.req b/rpkid/biz-certs/Bob-EE.req
new file mode 100644
index 00000000..497f54be
--- /dev/null
+++ b/rpkid/biz-certs/Bob-EE.req
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----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+-----END CERTIFICATE REQUEST-----
diff --git a/rpkid/biz-certs/Bob-Root.cer b/rpkid/biz-certs/Bob-Root.cer
new file mode 100644
index 00000000..f7a041ae
--- /dev/null
+++ b/rpkid/biz-certs/Bob-Root.cer
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDGzCCAgOgAwIBAgIJAP9xmM46o4DbMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDgwMTE4MTcyMzQ3WhcN
+MDgwMzE4MTcyMzQ3WjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5EdHnAvefaawcNq9
+jBUnfB927TeborbiIst1bZmYLid1RMz5JjFWr/pUqKU/wsLKxJK2h8bBW+K21ePD
+mJZrhyBDj6zNnlJUzyVysLER/jQ6hoHIhqZv/OR8q6D7eeXIFZGm4fsQLM0RsyYx
+6dF0JyI2uBpRVEbvyZUhsxjmfGwf7oygvaNp5c2kWftt9YADs1VnBy6HITUvyUPB
+Dc2rQWPtOqYo6jhRn3Cj+uY++pJVuL0IgHaofEu7n//t+f52BC31+qW5UlKjhkg+
+S+dlPxqwSf6Bml+wxN0y37fFuTGdL5IK9HMfC104b7fInsytrVAVjkMHAp8d5XSu
+pbfctwIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBQlRDn4FH5C3UHB
+RTv8/59WCRF79zAfBgNVHSMEGDAWgBQlRDn4FH5C3UHBRTv8/59WCRF79zANBgkq
+hkiG9w0BAQUFAAOCAQEAlAiW6kYCpLOqpG5PJw5EDBVheffUrSjBO1iBDwKG9gus
+qgl16XgeEAZfvCAQ6/xHN8yOerKcrVuESnHwvhlhzBDGXZ23AH0Ng73wiVGcya7h
+urFvGf044k+6NdFqnh8fVRTZy1wwZIDG6/GFTOL7QPppKTb1c2VZNAl9E/6nKqby
+EvQr3tgA0mwfXrB/gMt+RRsDOrAO55zSbtme6u9JeSAR/kGJbgGVlO/r1k6M2MeC
+0G6b9wnlzQlojIgarZbnzUOTatVZHARScG+o3YjNCe8NLrGNNwS+rwJZ/0nfpctL
+Nn8720ehXs1PjBQXJyrF5UHh8lhKzKHXTy3xP1SIWA==
+-----END CERTIFICATE-----
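Review bot: The validity window encoded in this certificate appears to be 2008-01-18 to 2008-03-18, about 60 days, and Carol-CA.cer further down seems to expire after roughly 30. If that reading is right, the committed certificates go stale quickly, and any test that validates against the checked-in files will start failing on expiry rather than on a real defect. The files are presumably generated by rpkid/biz-certs-setup.sh, which appears in the diffstat but not in this part of the diff. I would either drop the generated `.cer`/`.req`/`.srl` artifacts from the commit and regenerate them per test run, or document next to them that they are snapshots that must be rebuilt before use.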
diff --git a/rpkid/biz-certs/Bob-Root.cnf b/rpkid/biz-certs/Bob-Root.cnf
new file mode 100644
index 00000000..d90595fd
--- /dev/null
+++ b/rpkid/biz-certs/Bob-Root.cnf
@@ -0,0 +1,15 @@
+
+[ req ]
+distinguished_name = req_dn
+x509_extensions = req_x509_ext
+prompt = no
+default_md = sha1
+
+[ req_dn ]
+CN = Test Certificate Bob Root
+
+[ req_x509_ext ]
+basicConstraints = CA:true
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
diff --git a/rpkid/biz-certs/Bob-Root.key b/rpkid/biz-certs/Bob-Root.key
new file mode 100644
index 00000000..bb9a897e
--- /dev/null
+++ b/rpkid/biz-certs/Bob-Root.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/rpkid/biz-certs/Bob-Root.req b/rpkid/biz-certs/Bob-Root.req
new file mode 100644
index 00000000..265ed9ef
--- /dev/null
+++ b/rpkid/biz-certs/Bob-Root.req
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
diff --git a/rpkid/biz-certs/Bob-Root.srl b/rpkid/biz-certs/Bob-Root.srl
new file mode 100644
index 00000000..22d5b92c
--- /dev/null
+++ b/rpkid/biz-certs/Bob-Root.srl
@@ -0,0 +1 @@
+931654D3C41D79F2
diff --git a/rpkid/biz-certs/Carol-CA.cer b/rpkid/biz-certs/Carol-CA.cer
new file mode 100644
index 00000000..c8b8416c
--- /dev/null
+++ b/rpkid/biz-certs/Carol-CA.cer
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDHTCCAgWgAwIBAgIJAP1coEG/CqK6MA0GCSqGSIb3DQEBBQUAMCYxJDAiBgNV
+BAMTG1Rlc3QgQ2VydGlmaWNhdGUgQ2Fyb2wgUm9vdDAeFw0wODAxMTgxNzIzNDda
+Fw0wODAyMTcxNzIzNDdaMCQxIjAgBgNVBAMTGVRlc3QgQ2VydGlmaWNhdGUgQ2Fy
+b2wgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC8vLVEG2FuAwas
+1Q03hc7BHPGCBEUwP1h+/i+hEh6r0AllAhJJieTmYo3Pfj1whxGSxalM48H6yPe4
+ENIaQpTmi4I6xg+SHjrTWU31xQlGkdXDQU87jYlrk28OoGtXa1uE+6P9F6IXdhSJ
+13qhCSgDNDjrn2tfWCKzPvMcO/fV+WPrbHEBztbxzuTmpeP+3XdfkEQ7WNmUggSl
+Dki4OPT50vZLJXLgtKmbtEKixvrUU9ezlB4hugZOU0ECNw3YOLfMw1Nkcxl3jusT
+ldi+Z4CviGmdr8dlc/+ouQGUN5u/MgkQJimAf0XCrHh5kf9s+EpZ3kDpwBFELzw1
+h0qiwyLNAgMBAAGjUDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFJoijL2BTU8B
+LXzcJFxiZaUmoBYlMB8GA1UdIwQYMBaAFE8lYk6YRDutZ5nlTe3KdSUPSqMtMA0G
+CSqGSIb3DQEBBQUAA4IBAQA+ulH8vqQGhFKUA0v5d/P18vI5MgRY9/Eb+pslPWwY
+y/JyyRvMXwB9LAxLp0hUway+/8wzp7XXiUp4bcdygUs/6PChJht1iF6qsiQYMOU7
+XTBBDlrnV4CJnmmQI1MQrMWYYicFWWrI09CzW0KQXrBUbCsI+U1+iE5ZHKbWn3rd
+lZGznOx68MmkzbmAIa/dCKpoZLMfE17ss/65w6c+SU2Y67J3npEDSe/X67oxQQnI
+I+FCT4W/H6Af7nzT6uJ3XrRv2gzih7FLKDL99YeRuis0H5Z4QaY0gAyaCFSE5OjS
+/Rbb/2mLAjGo/R4D+TKpn9RhhSMdKwL1/AbPOhx32prZ
+-----END CERTIFICATE-----
diff --git a/rpkid/biz-certs/Carol-CA.cnf b/rpkid/biz-certs/Carol-CA.cnf
new file mode 100644
index 00000000..2247466d
--- /dev/null
+++ b/rpkid/biz-certs/Carol-CA.cnf
@@ -0,0 +1,15 @@
+
+[ req ]
+distinguished_name = req_dn
+x509_extensions = req_x509_ext
+prompt = no
+default_md = sha1
+
+[ req_dn ]
+CN = Test Certificate Carol CA
+
+[ req_x509_ext ]
+basicConstraints = CA:true
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
diff --git a/rpkid/biz-certs/Carol-CA.key b/rpkid/biz-certs/Carol-CA.key
new file mode 100644
index 00000000..3c80b76d
--- /dev/null
+++ b/rpkid/biz-certs/Carol-CA.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAvLy1RBthbgMGrNUNN4XOwRzxggRFMD9Yfv4voRIeq9AJZQIS
+SYnk5mKNz349cIcRksWpTOPB+sj3uBDSGkKU5ouCOsYPkh4601lN9cUJRpHVw0FP
+O42Ja5NvDqBrV2tbhPuj/ReiF3YUidd6oQkoAzQ4659rX1gisz7zHDv31flj62xx
+Ac7W8c7k5qXj/t13X5BEO1jZlIIEpQ5IuDj0+dL2SyVy4LSpm7RCosb61FPXs5Qe
+IboGTlNBAjcN2Di3zMNTZHMZd47rE5XYvmeAr4hpna/HZXP/qLkBlDebvzIJECYp
+gH9Fwqx4eZH/bPhKWd5A6cARRC88NYdKosMizQIDAQABAoIBAQCesQy4d000ctbp
++zlhteBh/zQRXgXOy3RdUtw5UkL3s7Qyectmicss6zDRhhOiye68ufXf8KDpfJDM
+81e1PMZ2Elctk9sDwOc1TaF/RGzIKVbTFdbI+/jPuudmJPwcROhuqCb6ZySjFWWv
+gL5bKJe8GezCMQjW4gRLMmK3GrUH83TKqk5KCAjLGLNPT4Oda+VCur+9OvK3y2CX
+y3pdg4Wej670BWmLYvKGES07mGH9pvZtu2PKhDxp1LInSM2wNPcnxI9J2rYkRK6E
+zQS5oyvi8EuTHdaaC8StkOtfqRdfUo5+oDOBbxVfEQDCYafgU37mWof63NokBRlp
+bogVvHMBAoGBAPkDE0LmuwSa1uagvlvLU1nepNfuvwZW+nmgkFgQXhTgEFYRHyyA
+LhvDqowK94zxXAwyY9NuHnn9e2mqFez3QBXEUZEj6rY1I5T6ib0nS1fv9/6CKsFs
+WP1d4FXyNdr9Ct4F6bh2yK/2nVs+SPiQBJRa4ftl33mbnRxUplo9Si1LAoGBAMII
+nNrobYcG1Op2pzibFiUEfM4oWflcKcVtiqQNQP5FEj9HwXRijIKm9iYILKcrLV6W
+EUnIPBLKqxyj+L4yuWqYqy9OA8d2xe8tlW3rXbHJ1vduSCyp2zzlp37OzvOQAcoH
+8Beu3gYfIf7QYmaX/kUKKnCHRi5may+3z3bE5NlHAoGAUDZsYvWeMsqKBTqsdzdU
+/zMYGLLAeBNWlg1h0exb0g+nU4Iqb5ROxgTOkFQMECvDge5Nd9MWICfGNHBkpbOz
+wg8+UymlttIBR0E5U2QwAgC7+xEFIs97DwrJdAYU0RkIAiMXeaNR3FTttXGn4eHK
+h9uKxge36B13i6O8/n6VwWcCgYEAo/iRTXEz9fKxBX7F69ErkpbLPZDeEBtxdVUP
+33kP3pDSTcW+1zLc2SBtTVCFI7QaQB+Ddp2PHrZEigyLjXfiNxHTQEOmb+6QcIJO
+EDjh0ffnAOwidBQKoNjWhhQQ0cV1rZytqeXt3LB8kxDYxyhVCVUA7l1y0o1csVOd
+MBpN5ssCgYAGbybyKyaKB/evqBqysvG+CBbYsMQx/ubKlwMScfAyr6nG/+ZhjM6F
+0cfM3HwbGS0i0qJdwJ5nPPbYR9kceV+qytU5K2gUQp0QM+Zhc2lprr1r+TikFo5g
+sq2rVbjCT8whW1nZKXjbOA86/2F+qcnXfemsuM51VuOrfnXTjTGDpg==
+-----END RSA PRIVATE KEY-----
diff --git a/rpkid/biz-certs/Carol-CA.req b/rpkid/biz-certs/Carol-CA.req
new file mode 100644
index 00000000..8e9a99bb
--- /dev/null
+++ b/rpkid/biz-certs/Carol-CA.req
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
diff --git a/rpkid/biz-certs/Carol-CA.srl b/rpkid/biz-certs/Carol-CA.srl
new file mode 100644
index 00000000..730b3714
--- /dev/null
+++ b/rpkid/biz-certs/Carol-CA.srl
@@ -0,0 +1 @@
+FB70BD504214F1E2
diff --git a/rpkid/biz-certs/Carol-EE.cer b/rpkid/biz-certs/Carol-EE.cer
new file mode 100644
index 00000000..c3cef4c3
--- /dev/null
+++ b/rpkid/biz-certs/Carol-EE.cer
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/biz-certs/Carol-EE.cnf b/rpkid/biz-certs/Carol-EE.cnf
new file mode 100644
index 00000000..4febbc99
--- /dev/null
+++ b/rpkid/biz-certs/Carol-EE.cnf
@@ -0,0 +1,15 @@
+
+[ req ]
+distinguished_name = req_dn
+x509_extensions = req_x509_ext
+prompt = no
+default_md = sha1
+
+[ req_dn ]
+CN = Test Certificate Carol EE
+
+[ req_x509_ext ]
+basicConstraints = CA:false
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
diff --git a/rpkid/biz-certs/Carol-EE.key b/rpkid/biz-certs/Carol-EE.key
new file mode 100644
index 00000000..2d785124
--- /dev/null
+++ b/rpkid/biz-certs/Carol-EE.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/rpkid/biz-certs/Carol-EE.req b/rpkid/biz-certs/Carol-EE.req
new file mode 100644
index 00000000..5d9fa36d
--- /dev/null
+++ b/rpkid/biz-certs/Carol-EE.req
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICaTCCAVECAQAwJDEiMCAGA1UEAxMZVGVzdCBDZXJ0aWZpY2F0ZSBDYXJvbCBF
+RTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMFs6WkE/cFvMZntcEA/
+YT4IXxUKEAS1ruahVsmbvWj04krP6okDDUAEZVLLengYZws903nUJ1wHXyQNvjWo
+Zdlao+hKs5/RxQOYe/fknGbIB0pdJfKnsim75ZEuRdZfVHYDXRr+gbAEx1Fa4g1J
+YRka/HQcnWLpJtdbKcXiY/PtypWNIn/5UCXUjy/Z+GrkG+UblqnJAWx29QVKx18o
+DmZIfnKtrcKipUpEtP+eTBNejqpr0s9XzSot6Q4pG1WVJpesnt0TdkyIQkLWt6Tn
+tLzGo6gWCpKYfA/2VvbegbAkMjg9c+8VZ8B5of+09Hdxzmyb2XDAurXB2rmk49/Z
+tVcCAwEAAaAAMA0GCSqGSIb3DQEBBQUAA4IBAQAUmZ8fO3IXtSIqKQOQu8rpHz6A
+RcaPg3alGV2bG/3SewfgTMv7GupACytmPogLbkhrWMe3UpY9vj8xuTTEnOAddkdk
+rSWrwHfk6uwqJM4kor390+aCe9ZZ6yNo9JEv8hMgoCY3HHw+CEX34IJpC35H122a
+Mpy62SG0j2tRZJv/DQG6fi6ecMjcjYAPyYhKA2v+xf5Q3N6D5zQ1mUmJRAhPpSti
+o79XRy2Zwu7raO6nxetmBoms8UjdxmpqyxV5VhJ5fOMvdLBUEOF/D+9NUPSXpf2/
+SxKOA3BytSMrw4OLp3Dqxhf37Ri8q1+apTW1kOGd4zHrzjd81eA/p505AlTf
+-----END CERTIFICATE REQUEST-----
diff --git a/rpkid/biz-certs/Carol-Root.cer b/rpkid/biz-certs/Carol-Root.cer
new file mode 100644
index 00000000..307d9976
--- /dev/null
+++ b/rpkid/biz-certs/Carol-Root.cer
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDHzCCAgegAwIBAgIJAIL+wCyy3a1PMA0GCSqGSIb3DQEBBQUAMCYxJDAiBgNV
+BAMTG1Rlc3QgQ2VydGlmaWNhdGUgQ2Fyb2wgUm9vdDAeFw0wODAxMTgxNzIzNDda
+Fw0wODAzMTgxNzIzNDdaMCYxJDAiBgNVBAMTG1Rlc3QgQ2VydGlmaWNhdGUgQ2Fy
+b2wgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALkgdmWcufSC
+w/WjWc5NvUEerHF3gtP4LB9OHsHe4lHUKIl7llZes9JDFWdweZaGgabsFsB9Lhxh
+YjqCbeLnbBgf8gdPHQdmwtQBeZpzJNfNcoc/ucvUmvc2thZFBxj8SOtQUOZH3Tqn
+o88A1zOHftU/WFrgF/lFv97v3ahLNc0UfgPr1iEQonqC1ff1oAg3iOB7T5rujW1r
+8cd8t3oDKjjbXxZqt5n5qhoHRsQu+EcoiJhbERkXHQdJl1URcJQCZoo1rRMtqp9F
+mbinqag/Fiv8c3r9GgLahsmCtz4UkirVqu0o+9/HMUoghWJukOUTYOi7d/S6IqYP
+v8/PBwcgW1kCAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUTyViTphE
+O61nmeVN7cp1JQ9Koy0wHwYDVR0jBBgwFoAUTyViTphEO61nmeVN7cp1JQ9Koy0w
+DQYJKoZIhvcNAQEFBQADggEBADOasRwK2Gx9+fwLfBuuXRcuLj67ZROZlBYg7YlQ
+upOJgbOSHz3A5TW+05XjZzVTITNVaRbtwi+HaS/qNHgzll+L3FBC8LPZp/JZJiid
+/0T8Nc7gQLB9+DJF8ygsbN+6Zmesxmc/bg7hYDkm7UyDasje3yAmGRs+gWxjFuHD
+vleQO16njweves5eaZzuR52V/gCYe60ncNEJSw6BqSutjUKhehLw8MYCDql8S+Nd
+M8+2b601ij9WUgWZVuZeMmftErPno8r5yXuVa/8EdZgjgFjluJjbh5AZJLQEp08A
+gobgPqyMVUA/oXwHf/VGWiRhTN9oljZYDTdAUWBIPNYOD4M=
+-----END CERTIFICATE-----
diff --git a/rpkid/biz-certs/Carol-Root.cnf b/rpkid/biz-certs/Carol-Root.cnf
new file mode 100644
index 00000000..01190973
--- /dev/null
+++ b/rpkid/biz-certs/Carol-Root.cnf
@@ -0,0 +1,15 @@
+
+[ req ]
+distinguished_name = req_dn
+x509_extensions = req_x509_ext
+prompt = no
+default_md = sha1
+
+[ req_dn ]
+CN = Test Certificate Carol Root
+
+[ req_x509_ext ]
+basicConstraints = CA:true
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
diff --git a/rpkid/biz-certs/Carol-Root.key b/rpkid/biz-certs/Carol-Root.key
new file mode 100644
index 00000000..0e41137a
--- /dev/null
+++ b/rpkid/biz-certs/Carol-Root.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/rpkid/biz-certs/Carol-Root.req b/rpkid/biz-certs/Carol-Root.req
new file mode 100644
index 00000000..1d911e4d
--- /dev/null
+++ b/rpkid/biz-certs/Carol-Root.req
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----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=
+-----END CERTIFICATE REQUEST-----
diff --git a/rpkid/biz-certs/Carol-Root.srl b/rpkid/biz-certs/Carol-Root.srl
new file mode 100644
index 00000000..6dc25038
--- /dev/null
+++ b/rpkid/biz-certs/Carol-Root.srl
@@ -0,0 +1 @@
+FD5CA041BF0AA2BA
diff --git a/rpkid/biz-certs/Dave-CA.cer b/rpkid/biz-certs/Dave-CA.cer
new file mode 100644
index 00000000..c055bfa2
--- /dev/null
+++ b/rpkid/biz-certs/Dave-CA.cer
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDGzCCAgOgAwIBAgIJAJWglEInirfUMA0GCSqGSIb3DQEBBQUAMCUxIzAhBgNV
+BAMTGlRlc3QgQ2VydGlmaWNhdGUgRGF2ZSBSb290MB4XDTA4MDExODE3MjM0OFoX
+DTA4MDIxNzE3MjM0OFowIzEhMB8GA1UEAxMYVGVzdCBDZXJ0aWZpY2F0ZSBEYXZl
+IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuDg+csO4ExCO887N
+7aI5vpKa5bo+wPEi+6Jrvb+FVC27eI+UAA8hOHilAeYI/P+xK35Bjmg24H/OWPzz
+erkSvSPp2XB69GR4ffT4ZxMoQ/FNgp1iiYr2QE1EWphrhXnO9FwEZ7s/ry7ISUvs
+KuDnun7ymoLtRFTIO+F5B64yTrNYg/6YQ6rSKN/SpfWYwOLB9fRylAmYBPguP/3W
+gE4KJhrQ11JNsIH2AZ3hL+C6NQmbkNQjaNOxjbZT/Whbg87kemtQgo4/t+cTaALP
+qknVRrMrkCCVL0I3DRmYV70IEyzjEfHaB1LXt9RJX6uYjD9YmNjY7Hp0liX9czRn
++IsauwIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRvYR0qliEj7ExH
+JxCipJca7R0GWTAfBgNVHSMEGDAWgBS0fUwRgGNdBaom9pc0oe6+LSgY7jANBgkq
+hkiG9w0BAQUFAAOCAQEAk7hxx2rMsdWAj6im0fHeS+pDwAEdFloqj2qP1remujnE
+K4cgT0Pu67ovVcGZOFUkc7ECRDkysH1wQZZ+MQM9g6iXikYrCoKnVBFJ3xGoHMoW
+PnVxsqKaLxSEo0RdGbhhuct0ZKCu+XHC+DxRkvrWCgY/X1AwSqEsy+hFQcJprtJF
+XGU95OIm3pdv9XURn5l0ZUwzHvb96bxVw+BeqB7CFeBClRwkzkHK7zxc7jvKwK4Q
+65qUnpXeTqB8xebtbV0D/azzjCpz2MF1ylcfmSXEqaeqAEZd4hcr/YJg6CJr+x4n
+pzzS3sY6ZsATdTu7aKeWZeOPCIwnuq9qEMBjVF8bmA==
+-----END CERTIFICATE-----
diff --git a/rpkid/biz-certs/Dave-CA.cnf b/rpkid/biz-certs/Dave-CA.cnf
new file mode 100644
index 00000000..47717a0a
--- /dev/null
+++ b/rpkid/biz-certs/Dave-CA.cnf
@@ -0,0 +1,15 @@
+
+[ req ]
+distinguished_name = req_dn
+x509_extensions = req_x509_ext
+prompt = no
+default_md = sha1
+
+[ req_dn ]
+CN = Test Certificate Dave CA
+
+[ req_x509_ext ]
+basicConstraints = CA:true
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
diff --git a/rpkid/biz-certs/Dave-CA.key b/rpkid/biz-certs/Dave-CA.key
new file mode 100644
index 00000000..d8264c2c
--- /dev/null
+++ b/rpkid/biz-certs/Dave-CA.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/rpkid/biz-certs/Dave-CA.req b/rpkid/biz-certs/Dave-CA.req
new file mode 100644
index 00000000..8ce0b3ba
--- /dev/null
+++ b/rpkid/biz-certs/Dave-CA.req
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICaDCCAVACAQAwIzEhMB8GA1UEAxMYVGVzdCBDZXJ0aWZpY2F0ZSBEYXZlIENB
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuDg+csO4ExCO887N7aI5
+vpKa5bo+wPEi+6Jrvb+FVC27eI+UAA8hOHilAeYI/P+xK35Bjmg24H/OWPzzerkS
+vSPp2XB69GR4ffT4ZxMoQ/FNgp1iiYr2QE1EWphrhXnO9FwEZ7s/ry7ISUvsKuDn
+un7ymoLtRFTIO+F5B64yTrNYg/6YQ6rSKN/SpfWYwOLB9fRylAmYBPguP/3WgE4K
+JhrQ11JNsIH2AZ3hL+C6NQmbkNQjaNOxjbZT/Whbg87kemtQgo4/t+cTaALPqknV
+RrMrkCCVL0I3DRmYV70IEyzjEfHaB1LXt9RJX6uYjD9YmNjY7Hp0liX9czRn+Isa
+uwIDAQABoAAwDQYJKoZIhvcNAQEFBQADggEBAHA4Da1BJ6hY8MsyJJtK+Kbe0Ywd
+3muBq179Dl+HmYc9hZLRLLliXaRiyVofR67VK47D9KmHrbNhjhbcq6s9zEwr+VQc
+WmOpVNGwZJzeqxYCSUvvBC2wMWaHfgmzE/eHgf+P990xo0P3nnw5+sYl6tWaaz4g
+X1lfXjXHQmpzprCDBM5TJ2S5B9HxBwzRitCOvMCFFXJ9abiXZOg3zJIMJ+Gb/71c
+Aw/pqSFsT2xuDkP35/VyVUGM1htXwap+JwdPOVHPjjHiYtLTZmhNmHsIUTlZGp9o
+g9j2IrDsQ84kJqQRLH2iMrEO/kxlm/vj83arSXvtjAn5+89yZbZ1VcswwxM=
+-----END CERTIFICATE REQUEST-----
diff --git a/rpkid/biz-certs/Dave-CA.srl b/rpkid/biz-certs/Dave-CA.srl
new file mode 100644
index 00000000..5cba7d1c
--- /dev/null
+++ b/rpkid/biz-certs/Dave-CA.srl
@@ -0,0 +1 @@
+BE6923005A133A8F
diff --git a/rpkid/biz-certs/Dave-EE.cer b/rpkid/biz-certs/Dave-EE.cer
new file mode 100644
index 00000000..2dea377d
--- /dev/null
+++ b/rpkid/biz-certs/Dave-EE.cer
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/biz-certs/Dave-EE.cnf b/rpkid/biz-certs/Dave-EE.cnf
new file mode 100644
index 00000000..13517fdb
--- /dev/null
+++ b/rpkid/biz-certs/Dave-EE.cnf
@@ -0,0 +1,15 @@
+
+[ req ]
+distinguished_name = req_dn
+x509_extensions = req_x509_ext
+prompt = no
+default_md = sha1
+
+[ req_dn ]
+CN = Test Certificate Dave EE
+
+[ req_x509_ext ]
+basicConstraints = CA:false
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
diff --git a/rpkid/biz-certs/Dave-EE.key b/rpkid/biz-certs/Dave-EE.key
new file mode 100644
index 00000000..283db731
--- /dev/null
+++ b/rpkid/biz-certs/Dave-EE.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/rpkid/biz-certs/Dave-EE.req b/rpkid/biz-certs/Dave-EE.req
new file mode 100644
index 00000000..f989d254
--- /dev/null
+++ b/rpkid/biz-certs/Dave-EE.req
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----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=
+-----END CERTIFICATE REQUEST-----
diff --git a/rpkid/biz-certs/Dave-Root.cer b/rpkid/biz-certs/Dave-Root.cer
new file mode 100644
index 00000000..c746d1d5
--- /dev/null
+++ b/rpkid/biz-certs/Dave-Root.cer
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/biz-certs/Dave-Root.cnf b/rpkid/biz-certs/Dave-Root.cnf
new file mode 100644
index 00000000..58df8105
--- /dev/null
+++ b/rpkid/biz-certs/Dave-Root.cnf
@@ -0,0 +1,15 @@
+
+[ req ]
+distinguished_name = req_dn
+x509_extensions = req_x509_ext
+prompt = no
+default_md = sha1
+
+[ req_dn ]
+CN = Test Certificate Dave Root
+
+[ req_x509_ext ]
+basicConstraints = CA:true
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
diff --git a/rpkid/biz-certs/Dave-Root.key b/rpkid/biz-certs/Dave-Root.key
new file mode 100644
index 00000000..4c5b73bf
--- /dev/null
+++ b/rpkid/biz-certs/Dave-Root.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/rpkid/biz-certs/Dave-Root.req b/rpkid/biz-certs/Dave-Root.req
new file mode 100644
index 00000000..e9905363
--- /dev/null
+++ b/rpkid/biz-certs/Dave-Root.req
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICajCCAVICAQAwJTEjMCEGA1UEAxMaVGVzdCBDZXJ0aWZpY2F0ZSBEYXZlIFJv
+b3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCzOScJlBkVwfoNKP5/
+0qIM/ZisBYicqHXErDE7WCtBXh05bwRKzGYtn3dARnJa1EoLKnVFzPxZ/mvxNtmq
+ax3/B3+Je6KzCCEtmgNfIoSwxY1Ms+/vEo/SLpVYrk33K7mpx3rDXqpUSiZ9BAXZ
+AlK4slB8A/Di8H3hdsR7H927JS1LlbfFBKvpv/uYvmJhBdDKIW+k4DtQe7j0KhoY
+liCfUoX7Yxc8XlDO14uS4wiaU2n929B/va+pZSp+00A+Vj13gbNW0rcdG3A/vc6X
+b5B07d9Q3g7VyoI922bU7e59+TqZdYvdfqqijROVkZTCYEL6Vc2ooK7/hYzfJnVA
+tojbAgMBAAGgADANBgkqhkiG9w0BAQUFAAOCAQEAGYgH9IJSKNqJTysTIfjaHNRM
+cZbKu+tjQF7e97CwygG0dnAB+3XdjEIxb4NCVCNOfUPeb4lfYmhwerggJ9O4pZnU
+RYjL8alNDcmHB5PG+tPCePRmGV7Ao+Gj5p5TMnUrfjaVTCCN/39NOql0jbvwCl5t
+cKA19olB/YeMcwyr17DgJm197n07iuQFk/+ieQJ7znyViMV76MMmXv5d80jBkRb9
+OhcLdDPXLJ7Yz/XRJcK8GC8uD5rO53bfIe+XJMgT/K2QvJ+FB2eiwyP49wxLb3bs
+4GoVL0HKdYm0cJUSjTho9Ro8KOh9eJIauW3UI0S44gV1lPsOr64BE8f+7jU7EQ==
+-----END CERTIFICATE REQUEST-----
diff --git a/rpkid/biz-certs/Dave-Root.srl b/rpkid/biz-certs/Dave-Root.srl
new file mode 100644
index 00000000..6bc6d25f
--- /dev/null
+++ b/rpkid/biz-certs/Dave-Root.srl
@@ -0,0 +1 @@
+95A09442278AB7D4
diff --git a/rpkid/biz-certs/Elena-CA.cer b/rpkid/biz-certs/Elena-CA.cer
new file mode 100644
index 00000000..afa23794
--- /dev/null
+++ b/rpkid/biz-certs/Elena-CA.cer
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/biz-certs/Elena-CA.cnf b/rpkid/biz-certs/Elena-CA.cnf
new file mode 100644
index 00000000..bd8d7d1c
--- /dev/null
+++ b/rpkid/biz-certs/Elena-CA.cnf
@@ -0,0 +1,15 @@
+
+[ req ]
+distinguished_name = req_dn
+x509_extensions = req_x509_ext
+prompt = no
+default_md = sha1
+
+[ req_dn ]
+CN = Test Certificate Elena CA
+
+[ req_x509_ext ]
+basicConstraints = CA:true
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
diff --git a/rpkid/biz-certs/Elena-CA.key b/rpkid/biz-certs/Elena-CA.key
new file mode 100644
index 00000000..40a3c768
--- /dev/null
+++ b/rpkid/biz-certs/Elena-CA.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/rpkid/biz-certs/Elena-CA.req b/rpkid/biz-certs/Elena-CA.req
new file mode 100644
index 00000000..743fd18d
--- /dev/null
+++ b/rpkid/biz-certs/Elena-CA.req
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
diff --git a/rpkid/biz-certs/Elena-CA.srl b/rpkid/biz-certs/Elena-CA.srl
new file mode 100644
index 00000000..b71d9d9d
--- /dev/null
+++ b/rpkid/biz-certs/Elena-CA.srl
@@ -0,0 +1 @@
+BE5ADAEC3C739076
diff --git a/rpkid/biz-certs/Elena-EE.cer b/rpkid/biz-certs/Elena-EE.cer
new file mode 100644
index 00000000..f6ffa506
--- /dev/null
+++ b/rpkid/biz-certs/Elena-EE.cer
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/biz-certs/Elena-EE.cnf b/rpkid/biz-certs/Elena-EE.cnf
new file mode 100644
index 00000000..126031e9
--- /dev/null
+++ b/rpkid/biz-certs/Elena-EE.cnf
@@ -0,0 +1,15 @@
+
+[ req ]
+distinguished_name = req_dn
+x509_extensions = req_x509_ext
+prompt = no
+default_md = sha1
+
+[ req_dn ]
+CN = Test Certificate Elena EE
+
+[ req_x509_ext ]
+basicConstraints = CA:false
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
diff --git a/rpkid/biz-certs/Elena-EE.key b/rpkid/biz-certs/Elena-EE.key
new file mode 100644
index 00000000..dd05db61
--- /dev/null
+++ b/rpkid/biz-certs/Elena-EE.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/rpkid/biz-certs/Elena-EE.req b/rpkid/biz-certs/Elena-EE.req
new file mode 100644
index 00000000..69b845ec
--- /dev/null
+++ b/rpkid/biz-certs/Elena-EE.req
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
diff --git a/rpkid/biz-certs/Elena-Root.cer b/rpkid/biz-certs/Elena-Root.cer
new file mode 100644
index 00000000..ef1efa93
--- /dev/null
+++ b/rpkid/biz-certs/Elena-Root.cer
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/biz-certs/Elena-Root.cnf b/rpkid/biz-certs/Elena-Root.cnf
new file mode 100644
index 00000000..920e7c7d
--- /dev/null
+++ b/rpkid/biz-certs/Elena-Root.cnf
@@ -0,0 +1,15 @@
+
+[ req ]
+distinguished_name = req_dn
+x509_extensions = req_x509_ext
+prompt = no
+default_md = sha1
+
+[ req_dn ]
+CN = Test Certificate Elena Root
+
+[ req_x509_ext ]
+basicConstraints = CA:true
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
diff --git a/rpkid/biz-certs/Elena-Root.key b/rpkid/biz-certs/Elena-Root.key
new file mode 100644
index 00000000..20ce11c7
--- /dev/null
+++ b/rpkid/biz-certs/Elena-Root.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/rpkid/biz-certs/Elena-Root.req b/rpkid/biz-certs/Elena-Root.req
new file mode 100644
index 00000000..6797e57d
--- /dev/null
+++ b/rpkid/biz-certs/Elena-Root.req
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----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=
+-----END CERTIFICATE REQUEST-----
diff --git a/rpkid/biz-certs/Elena-Root.srl b/rpkid/biz-certs/Elena-Root.srl
new file mode 100644
index 00000000..ffc8fb8f
--- /dev/null
+++ b/rpkid/biz-certs/Elena-Root.srl
@@ -0,0 +1 @@
+DC39D691B95102F3
diff --git a/rpkid/biz-certs/Frank-CA.cer b/rpkid/biz-certs/Frank-CA.cer
new file mode 100644
index 00000000..ce4b267e
--- /dev/null
+++ b/rpkid/biz-certs/Frank-CA.cer
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/biz-certs/Frank-CA.cnf b/rpkid/biz-certs/Frank-CA.cnf
new file mode 100644
index 00000000..97703886
--- /dev/null
+++ b/rpkid/biz-certs/Frank-CA.cnf
@@ -0,0 +1,15 @@
+
+[ req ]
+distinguished_name = req_dn
+x509_extensions = req_x509_ext
+prompt = no
+default_md = sha1
+
+[ req_dn ]
+CN = Test Certificate Frank CA
+
+[ req_x509_ext ]
+basicConstraints = CA:true
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
diff --git a/rpkid/biz-certs/Frank-CA.key b/rpkid/biz-certs/Frank-CA.key
new file mode 100644
index 00000000..eecb7253
--- /dev/null
+++ b/rpkid/biz-certs/Frank-CA.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/rpkid/biz-certs/Frank-CA.req b/rpkid/biz-certs/Frank-CA.req
new file mode 100644
index 00000000..6946aea2
--- /dev/null
+++ b/rpkid/biz-certs/Frank-CA.req
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
diff --git a/rpkid/biz-certs/Frank-CA.srl b/rpkid/biz-certs/Frank-CA.srl
new file mode 100644
index 00000000..3d68aea7
--- /dev/null
+++ b/rpkid/biz-certs/Frank-CA.srl
@@ -0,0 +1 @@
+B05767B1F50A040B
diff --git a/rpkid/biz-certs/Frank-EE.cer b/rpkid/biz-certs/Frank-EE.cer
new file mode 100644
index 00000000..b67c4114
--- /dev/null
+++ b/rpkid/biz-certs/Frank-EE.cer
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/biz-certs/Frank-EE.cnf b/rpkid/biz-certs/Frank-EE.cnf
new file mode 100644
index 00000000..68f62d38
--- /dev/null
+++ b/rpkid/biz-certs/Frank-EE.cnf
@@ -0,0 +1,15 @@
+
+[ req ]
+distinguished_name = req_dn
+x509_extensions = req_x509_ext
+prompt = no
+default_md = sha1
+
+[ req_dn ]
+CN = Test Certificate Frank EE
+
+[ req_x509_ext ]
+basicConstraints = CA:false
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
diff --git a/rpkid/biz-certs/Frank-EE.key b/rpkid/biz-certs/Frank-EE.key
new file mode 100644
index 00000000..9c8c497d
--- /dev/null
+++ b/rpkid/biz-certs/Frank-EE.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/rpkid/biz-certs/Frank-EE.req b/rpkid/biz-certs/Frank-EE.req
new file mode 100644
index 00000000..b7731a9d
--- /dev/null
+++ b/rpkid/biz-certs/Frank-EE.req
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
diff --git a/rpkid/biz-certs/Frank-Root.cer b/rpkid/biz-certs/Frank-Root.cer
new file mode 100644
index 00000000..0ec9f629
--- /dev/null
+++ b/rpkid/biz-certs/Frank-Root.cer
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDHzCCAgegAwIBAgIJAMsTRJ57iUNrMA0GCSqGSIb3DQEBBQUAMCYxJDAiBgNV
+BAMTG1Rlc3QgQ2VydGlmaWNhdGUgRnJhbmsgUm9vdDAeFw0wODAxMTgxNzIzNDha
+Fw0wODAzMTgxNzIzNDhaMCYxJDAiBgNVBAMTG1Rlc3QgQ2VydGlmaWNhdGUgRnJh
+bmsgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOy5GeJ8pCtu
+S2QhidJecLQ8gpeDxUS6z075A8VIowtNOiywceeZLWNCcSG0YSYnHCyQCkCAtEb7
+mpTWHPPId8cd7CcbHqIKZNw7mhzmRVPy6+ZS1GQm9AXK3p7yUj2Gl+yxtfFXWCxz
+1FgAYiOSN7eyvkjLHmORqBv/UA19M+iLnPMjLKaQugy4J/6Zju0v2LqpPS8Xzh7t
+qjrP/1HDmjIRgBrzwibRcPhlGPx79k/GQwxQYWB1bjfQiuZYsVKoWMhMaHTcWUKa
+o4ZJNpBDZM7Gc62bYGuwlLITSr1MJtwgNZKmTAslunHx8SBf6fp56iVjZhqzB3eP
+szbwC/HL4EMCAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQU5SaTKHT4
+FbLACDyd/UaXYm2kYmgwHwYDVR0jBBgwFoAU5SaTKHT4FbLACDyd/UaXYm2kYmgw
+DQYJKoZIhvcNAQEFBQADggEBAClPGF3JcqqBJcczowlbm7Aubt3meLRUbDj1U39a
+dQIf0eGNyY79WNVy5uJ7gvUq0MPj4nM2prgk+ZoNsQE++dYdp/J97ahIqfnsr0UN
+W+HuzAzfxNNvMRTBsHJZv9uc5hODKPqSw7XpLL8wfDrg+UHJSf84tT0lqTLk0id0
+dMyQ2+GoFSI7q71hfuQ4TIay8RmFPiTx4haA+E5MNnawFukjtb9pGYTiZvEB18IH
+HgQMxo7CfNaA05FpHd6OfLbXEyf6WanL7oD6drOJcMuvbWiPeTQ6v0rQy77F8gSd
+4PflMK/AtGPzp2tTT6fE7PwVoKPqyVExeKH4kpd+jj/8Uvo=
+-----END CERTIFICATE-----
diff --git a/rpkid/biz-certs/Frank-Root.cnf b/rpkid/biz-certs/Frank-Root.cnf
new file mode 100644
index 00000000..8993417b
--- /dev/null
+++ b/rpkid/biz-certs/Frank-Root.cnf
@@ -0,0 +1,15 @@
+
+[ req ]
+distinguished_name = req_dn
+x509_extensions = req_x509_ext
+prompt = no
+default_md = sha1
+
+[ req_dn ]
+CN = Test Certificate Frank Root
+
+[ req_x509_ext ]
+basicConstraints = CA:true
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
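Review bot: `default_md = sha1` means every request and certificate produced from this config is SHA-1-signed, and the same line is repeated in the Ginny-* and Harry-* .cnf files in this commit. SHA-1 is no longer collision-resistant enough for certificate signatures, and test configs tend to be copied into real ones, so I would switch to `default_md = sha256`. The `req_x509_ext` section also sets no `keyUsage`, so the CA certificates are not restricted to signing; adding `keyUsage = critical, keyCertSign, cRLSign` to the Root and CA configs would make the intent explicit.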
diff --git a/rpkid/biz-certs/Frank-Root.key b/rpkid/biz-certs/Frank-Root.key
new file mode 100644
index 00000000..ad4700e5
--- /dev/null
+++ b/rpkid/biz-certs/Frank-Root.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
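Review bot: Unencrypted RSA private keys for root and CA identities are being committed to the repository: this file, and likewise Ginny-CA.key, Ginny-Root.key, Harry-Root.key and the other `*.key` files under biz-certs/. The subjects say "Test Certificate", but nothing in the tree prevents one of these certificates from being configured as a trust anchor outside the test harness, and everyone with read access to the repository holds the matching signing key. Generate the keys during test setup and keep `*.key` out of version control. At minimum, add a README in biz-certs/ stating that these keys are public and must never be trusted in a deployment.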
diff --git a/rpkid/biz-certs/Frank-Root.req b/rpkid/biz-certs/Frank-Root.req
new file mode 100644
index 00000000..6dd4cbdd
--- /dev/null
+++ b/rpkid/biz-certs/Frank-Root.req
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----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=
+-----END CERTIFICATE REQUEST-----
diff --git a/rpkid/biz-certs/Frank-Root.srl b/rpkid/biz-certs/Frank-Root.srl
new file mode 100644
index 00000000..3c868fc0
--- /dev/null
+++ b/rpkid/biz-certs/Frank-Root.srl
@@ -0,0 +1 @@
+CA8EEB8857C3D044
diff --git a/rpkid/biz-certs/Ginny-CA.cer b/rpkid/biz-certs/Ginny-CA.cer
new file mode 100644
index 00000000..ba2154ed
--- /dev/null
+++ b/rpkid/biz-certs/Ginny-CA.cer
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/biz-certs/Ginny-CA.cnf b/rpkid/biz-certs/Ginny-CA.cnf
new file mode 100644
index 00000000..d1846a6c
--- /dev/null
+++ b/rpkid/biz-certs/Ginny-CA.cnf
@@ -0,0 +1,15 @@
+
+[ req ]
+distinguished_name = req_dn
+x509_extensions = req_x509_ext
+prompt = no
+default_md = sha1
+
+[ req_dn ]
+CN = Test Certificate Ginny CA
+
+[ req_x509_ext ]
+basicConstraints = CA:true
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
diff --git a/rpkid/biz-certs/Ginny-CA.key b/rpkid/biz-certs/Ginny-CA.key
new file mode 100644
index 00000000..281a45b8
--- /dev/null
+++ b/rpkid/biz-certs/Ginny-CA.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEA7nonVhVPvtmLimk/C6fsuuzIstRYDtVDccgnrz/PNBKCerag
+1UQHMy4d7gySoWeabfdvv5ujz6qVKkLSUGoY5OeUkUEIrJ6gu3YZApxe6V0D0f6j
+xc4prYJC14npbfBob2Uq6ncQ3Q55y8Rs1uc64MVuvioS0ZfY4CvNRNRCK/IdmMSP
+i1WwsuGM3MC1h5oF5WNHCGU4g6UdaUzN9MEOQBnY0BNiER5OzObhuyqg5lXTF/qR
+uX5pmv4q/Y0nilxlFdgT1prIebEIZw062f6stNKuPLszwQiojp5tUXesoDQKIQ3G
+WHiRmd52qhHgj6aMMU4NqeyKHFxxDi5gaOeN0QIDAQABAoIBAQDTtNWe8iRtRSs/
+oNc7PcRG3VX+i8vwvxq0s/+m8Hq9u4Dh96coLNBHezVO0xKI/zR1Uyh9bWorPUBW
+2CNlCAs5iuy1Voqg0+HVCa6CRtdrTAvMLMavH6qYQf+c4O29j6Lm4WUL6M+rruIp
+JyOIVJZMXHlHkIpMTwVVXQ1JgTWNVBh82/Ze2tjnHvKOmqLDnjoqbPlY3jmJjHh/
+A5Ha0aF9RoMUzkgb38LARgIxZ5jrLPoxdjvOP3LXCBUZzVqNx1+sdIMX/Yuq6Kmp
+NqKC3w1ZL24nGIPvesMX5ujITK0Yej9xIh0VMccudVNpUmAUA9v12cfvVPk4kJz/
+sAAj8DnBAoGBAPpzbV0NiDjftD8sGiznIhRVGrq4FTqVSk+Z2QOu34v01M4FotPA
+9VjZx5uBflqU6C7foMbhSDai0wM69MLLKgcahA7wAbc38J/kyHi9EjQCb1/sbyg9
+gbG768fj0wBFpwb6dEdDeF+Sm6MTAjMQgVq4kwyflSBKbVWG5BnSD4/FAoGBAPPC
+z42dWuO5qCXe6shZN5aQ3jTiORC/Py3/6AU06o3lyPBpGkYkMcReaWoiC43IHjjG
+j7KAOtdCdxnh8tvahZx/6Y4uz2bdKbo4T01cpf92k+vqXEtnXz75O/ZydZpuaDo+
+Q/cw9JhSXEBHiLpnqpsDu2Inw/0cvvIPbQ4gfvqdAoGADZfYNrW2UAfsO4WEQi2l
+Tt8znTDCjjRuHRXnjmieX3VBW5E4vi954YGocMs9dWMhmvGuQz0U80oxE7rOcAgg
+1tPcmQbzwOL7X2JGcy8n3sTHELi/a7qy4Fenu2ilGh2trBZJ21hRHzbQ1bABbY4W
+xzq/WG8M4/zGJF824CPjjlUCgYEAlQ9v9F1hExiY5m+mitVj1MLJ3vTniIIqlGqE
+64osVJFLixf6ZSIE/NvvAmPHRPA26ukhPjqDwNZ4Fm/BHwhF5CmkHLorQe/EcIe2
+lswtBkbwtbcesU2JRO0L6eycVc9mFRe2YBaju/HBT91uku6JuTlTAPboNoO5kDQ2
+sAjXHVECgYEAggkANM+Kpg6JHDcQqJ6E0+d1vP0G8RPJO6l3KD40ZAqxp6XFg3Rs
+xFpsTtT7vqUeFqZ5V0zyY52TQcBCfYBWTH1JGv+Fw9YCa5AD4NQ0KEw0/wSaptId
+cH94wz9GFDpkXlZznHw0cuoQNFgmg2Djl3DjdFoAvlkdVf4m2I8NET0=
+-----END RSA PRIVATE KEY-----
diff --git a/rpkid/biz-certs/Ginny-CA.req b/rpkid/biz-certs/Ginny-CA.req
new file mode 100644
index 00000000..11b558f3
--- /dev/null
+++ b/rpkid/biz-certs/Ginny-CA.req
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
diff --git a/rpkid/biz-certs/Ginny-CA.srl b/rpkid/biz-certs/Ginny-CA.srl
new file mode 100644
index 00000000..75f9d5e0
--- /dev/null
+++ b/rpkid/biz-certs/Ginny-CA.srl
@@ -0,0 +1 @@
+BF28F27B89252DAB
diff --git a/rpkid/biz-certs/Ginny-EE.cer b/rpkid/biz-certs/Ginny-EE.cer
new file mode 100644
index 00000000..5e4bd8b9
--- /dev/null
+++ b/rpkid/biz-certs/Ginny-EE.cer
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDGDCCAgCgAwIBAgIJAL8o8nuJJS2rMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+BAMTGVRlc3QgQ2VydGlmaWNhdGUgR2lubnkgQ0EwHhcNMDgwMTE4MTcyMzQ4WhcN
+MDgwMjE3MTcyMzQ4WjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEdpbm55
+IEVFMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo373ejcZ6WwnTj37
+FRnRx1+MJzfCQmslMRveBP2WjbiGP9Oq4O5+snORuDG6uIL60lsEOW48o8ONGtgO
+k0URC/iWlI6+dP1NOcfq25Vn3FSD/HiRj2SoaBmZa13wGxzDtOiXwH6R6kYrQOqs
+HWqLHGok5OnphEzVVzH4urnXB5ZWDV7n2yOQ2TPiBsJuYgNLCQn3sAVSepm8Occ5
+jkCQF7zjdPlnnxt/cKbow+JrCIX+B1B16Qmuk6PF3z2zdoTDyyUrn4ETLohzCnHg
+5pv8EOU9NhzUZHUIloZI6NhE25a865fAoxMh+zmkqv2SG+/mU65Ry4nuoVRqyFbi
+pOSanQIDAQABo00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBSAT1qp1gd5Bg2yTEdL
+pA6OcdMKhTAfBgNVHSMEGDAWgBQIvfQeX3smfLwOdBqj2QFZ7xU9jTANBgkqhkiG
+9w0BAQUFAAOCAQEAuRLJwIPSino5fmZhTVF35QFzj0is3Pd11+gk52v2pLwW48Sd
+vW7llaygLFGrY1KgJLYis8qdLqjbfdYeLUVDQ9JSiWxmDVFBNNtagDPNJY3KIanR
+v3zo3k6WRYaECMNxN7jl+tGI8GoB91zcQhcA2k8VvZPo17opN5hGP0OyYVrFFAj1
+fNT96DLGctuU2LpKP38DfEnRLpZSm3N/GOE4mnwReaVQ622PCcGHwbPJV2dN78rv
+51Mqt+pM0hhmL3lDoHznTKQ5AL6m6Bn4sFypa33oikTmcywJepLOWY61PwCC2sbk
+SxXEjsJJxi2pnxfnAbNH6XBvGir//nwIoRlGJA==
+-----END CERTIFICATE-----
diff --git a/rpkid/biz-certs/Ginny-EE.cnf b/rpkid/biz-certs/Ginny-EE.cnf
new file mode 100644
index 00000000..949907cb
--- /dev/null
+++ b/rpkid/biz-certs/Ginny-EE.cnf
@@ -0,0 +1,15 @@
+
+[ req ]
+distinguished_name = req_dn
+x509_extensions = req_x509_ext
+prompt = no
+default_md = sha1
+
+[ req_dn ]
+CN = Test Certificate Ginny EE
+
+[ req_x509_ext ]
+basicConstraints = CA:false
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
diff --git a/rpkid/biz-certs/Ginny-EE.key b/rpkid/biz-certs/Ginny-EE.key
new file mode 100644
index 00000000..1984ff44
--- /dev/null
+++ b/rpkid/biz-certs/Ginny-EE.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/rpkid/biz-certs/Ginny-EE.req b/rpkid/biz-certs/Ginny-EE.req
new file mode 100644
index 00000000..30a62a71
--- /dev/null
+++ b/rpkid/biz-certs/Ginny-EE.req
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
diff --git a/rpkid/biz-certs/Ginny-Root.cer b/rpkid/biz-certs/Ginny-Root.cer
new file mode 100644
index 00000000..a5d5e386
--- /dev/null
+++ b/rpkid/biz-certs/Ginny-Root.cer
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/biz-certs/Ginny-Root.cnf b/rpkid/biz-certs/Ginny-Root.cnf
new file mode 100644
index 00000000..63b600d6
--- /dev/null
+++ b/rpkid/biz-certs/Ginny-Root.cnf
@@ -0,0 +1,15 @@
+
+[ req ]
+distinguished_name = req_dn
+x509_extensions = req_x509_ext
+prompt = no
+default_md = sha1
+
+[ req_dn ]
+CN = Test Certificate Ginny Root
+
+[ req_x509_ext ]
+basicConstraints = CA:true
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
diff --git a/rpkid/biz-certs/Ginny-Root.key b/rpkid/biz-certs/Ginny-Root.key
new file mode 100644
index 00000000..710f4817
--- /dev/null
+++ b/rpkid/biz-certs/Ginny-Root.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEA7UbMMxhr/G9vKtrp2mMpi19qNo0R1RlaQmGW7gdyqK4N+W61
+vLzb4LcU/AcqZ+hc4eC9yZpzuQ7j0P4MOhYTinvZ0CEIq5ZveHquHWv1emXsdofG
+gfgqxhPvh04oy78OExHulmX1OSsE1hMAQT+pMwUZRDUkK7Bn5oZFSDMMiJUncMG4
+rSdccFs6zsZ3+Nqz/X6U1KyHeWBFp5ss17SbCzDrZNbvOpSMyr/v5dv1lYks83bq
+dN+ranIuAVXH7GkyjCFqp0Q5cqNURoJPflxkbJ29Yi9p3jEv++5jovR00wCFM44T
+YPMvDpqZp7jCS81PAvmSsmu2gkMekugVgpn29QIDAQABAoIBAQDqzrAPNHDQvBoA
+B+l6Y71eHktGtq3Z+5/VpyusXJR8FtrfZ07T+vWA2M0cZ57wewNHyJcoJf+1N+X9
+ERtadDRcTBoNnFMvMs0XJhieJxMjUDAEUHMCdWsm392fQZqfnm84MfuwvC9Dpq2/
+h8gtyekQA1CwrgIgdg8sEt4HB/W0RjaOa4uFamu9es4veMRx79Y/Fj1DTuROmFlx
+ZdkPfTIJBs8qrTAKG1xYfky6tSDYwl27CL/pLwwHmXAB4kUwZ1V8KWGtZCuoFdwz
+6RIpK6go7MVHA6/MzMDIhbHPRf4fDKlj24omVrddwUNXub3QQ3bTumbloqZJnKWQ
+ZXoIp4kVAoGBAPmLbw5sz/25Y+Z1I3UWjyWCvlcfAXKkpIj4Nf9rJGo7HbLRbkEN
+706fo5Aa/k/C54plrpdkqt/XV4CvGAASpYnneoDIHiF12UYurH4OuprFmBNHKU1t
+l63eo8iOrou46TQLIPg4IuUsgWG0XSzvPR+juvecNodknZsXrOFU+HyTAoGBAPNq
+HtNo3jxSk7u+ZxygERjIvTdQGsBGUDijYe5UYp4OdVNbKbPtqEjOjoU3aYpnz0Ju
+rx4QSQw8d75JDAt4+alpMuRl0Hovwh+062nPu50Ft6NXPlc0b+niDo4AhI5apUJO
+ZjDBYkiMEr+kVEVexMYtN0sCJkeLXnVJba4Fn3tXAoGBAOtaeEmQkrHn0bKfM+vQ
+dP2Zy877LTBk29Fa2AKnmFagnqfyIhw0+kibA3Z8HvI3Do1WzU134jjvLlXtzaLz
+8zCXItCm7NP+BAfPKVxSo+gpB/7WlLuz6uRPIQWcnD6nDTrKbDPvLeobCYOOynoA
+wRNAJqw1prAXUxXdRG3Y5+sFAoGATrL/1nBwceZs92V/JwUlofK9IpYWoBXbuAQz
+FIBaBio8ir/NwuvS3f9SmwWobORVYXAx1DGFvJwMRwyNBWSOq9RkbO3yMp8gT2oK
+NwK/8Ou5TOlXMZC1olPBSu4l7XSnO8HnTlon8bbAFRAHYwpZ6o0R9IF0aOtJlfgw
+qvQMdS8CgYEA3dkRKJ8ma/GlheI6ylyt727cVCKnMXLV0GQwx4xVGzffIGcnUj4A
+8cbTBgBo/3aoZOJhqy6Hz85DKQon1FztE2hNR8Uhgjf8an3nbNzFaT3XkqbC1uUa
+bZZC1UNB/NA7wH6xJIRUFCYxLjw+L1u6vi6/vOtM0oEAmO1f1+7p3Nc=
+-----END RSA PRIVATE KEY-----
diff --git a/rpkid/biz-certs/Ginny-Root.req b/rpkid/biz-certs/Ginny-Root.req
new file mode 100644
index 00000000..60d14eca
--- /dev/null
+++ b/rpkid/biz-certs/Ginny-Root.req
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----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=
+-----END CERTIFICATE REQUEST-----
diff --git a/rpkid/biz-certs/Ginny-Root.srl b/rpkid/biz-certs/Ginny-Root.srl
new file mode 100644
index 00000000..a51501dd
--- /dev/null
+++ b/rpkid/biz-certs/Ginny-Root.srl
@@ -0,0 +1 @@
+B4CA97C7714C3743
diff --git a/rpkid/biz-certs/Harry-CA.cer b/rpkid/biz-certs/Harry-CA.cer
new file mode 100644
index 00000000..09af3f12
--- /dev/null
+++ b/rpkid/biz-certs/Harry-CA.cer
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/biz-certs/Harry-CA.cnf b/rpkid/biz-certs/Harry-CA.cnf
new file mode 100644
index 00000000..b6002949
--- /dev/null
+++ b/rpkid/biz-certs/Harry-CA.cnf
@@ -0,0 +1,15 @@
+
+[ req ]
+distinguished_name = req_dn
+x509_extensions = req_x509_ext
+prompt = no
+default_md = sha1
+
+[ req_dn ]
+CN = Test Certificate Harry CA
+
+[ req_x509_ext ]
+basicConstraints = CA:true
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
diff --git a/rpkid/biz-certs/Harry-CA.key b/rpkid/biz-certs/Harry-CA.key
new file mode 100644
index 00000000..6bd1d298
--- /dev/null
+++ b/rpkid/biz-certs/Harry-CA.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/rpkid/biz-certs/Harry-CA.req b/rpkid/biz-certs/Harry-CA.req
new file mode 100644
index 00000000..01dfc3bc
--- /dev/null
+++ b/rpkid/biz-certs/Harry-CA.req
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
diff --git a/rpkid/biz-certs/Harry-CA.srl b/rpkid/biz-certs/Harry-CA.srl
new file mode 100644
index 00000000..88fc9e2c
--- /dev/null
+++ b/rpkid/biz-certs/Harry-CA.srl
@@ -0,0 +1 @@
+F26FDD5DC0623AAC
diff --git a/rpkid/biz-certs/Harry-EE.cer b/rpkid/biz-certs/Harry-EE.cer
new file mode 100644
index 00000000..85b5ff32
--- /dev/null
+++ b/rpkid/biz-certs/Harry-EE.cer
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/biz-certs/Harry-EE.cnf b/rpkid/biz-certs/Harry-EE.cnf
new file mode 100644
index 00000000..cbfe45c4
--- /dev/null
+++ b/rpkid/biz-certs/Harry-EE.cnf
@@ -0,0 +1,15 @@
+
+[ req ]
+distinguished_name = req_dn
+x509_extensions = req_x509_ext
+prompt = no
+default_md = sha1
+
+[ req_dn ]
+CN = Test Certificate Harry EE
+
+[ req_x509_ext ]
+basicConstraints = CA:false
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
diff --git a/rpkid/biz-certs/Harry-EE.key b/rpkid/biz-certs/Harry-EE.key
new file mode 100644
index 00000000..e33936f8
--- /dev/null
+++ b/rpkid/biz-certs/Harry-EE.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/rpkid/biz-certs/Harry-EE.req b/rpkid/biz-certs/Harry-EE.req
new file mode 100644
index 00000000..2d122147
--- /dev/null
+++ b/rpkid/biz-certs/Harry-EE.req
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
diff --git a/rpkid/biz-certs/Harry-Root.cer b/rpkid/biz-certs/Harry-Root.cer
new file mode 100644
index 00000000..545028e5
--- /dev/null
+++ b/rpkid/biz-certs/Harry-Root.cer
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/biz-certs/Harry-Root.cnf b/rpkid/biz-certs/Harry-Root.cnf
new file mode 100644
index 00000000..d6ef8a30
--- /dev/null
+++ b/rpkid/biz-certs/Harry-Root.cnf
@@ -0,0 +1,15 @@
+
+[ req ]
+distinguished_name = req_dn
+x509_extensions = req_x509_ext
+prompt = no
+default_md = sha1
+
+[ req_dn ]
+CN = Test Certificate Harry Root
+
+[ req_x509_ext ]
+basicConstraints = CA:true
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
diff --git a/rpkid/biz-certs/Harry-Root.key b/rpkid/biz-certs/Harry-Root.key
new file mode 100644
index 00000000..a941f9de
--- /dev/null
+++ b/rpkid/biz-certs/Harry-Root.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAxqnXvxU9r+rRT1g3//icKLCTALhGeDdsl1xHCAVWkB1r3iul
+JuF4KQYaL3CXTbAAcouHWwmayHvbEe2cIGLUTxO5mzASPR8CPLrVGAqwm5OTH8VL
+xKmeYOMauZ2FeKLEDdaTQVRwfdHeOjWnxzacBNs2zNKV/n+futswLtGy/gEP516s
+V6AyAO+5hGF1wHpGxfplEcHxwwnAYTR0S560IGAhvJO+UDcApro/YtT81CQ6VFpJ
+1quOKx6Gx9U3+kdOQsg99cjNglTUo8x4vPWrpRqtFcG3NRoSTOT4wn2KBbWBxXCk
+zseRdF9d9eAlx7EhCJKatMXTJpLBcaApQ9iraQIDAQABAoIBAC2lRI8BAGV1HJaQ
+fH1xz9+BgqU9seNZSLgWWbO8FkGSoQAxIwcl8wfqAQY5ZmpRMCkhaf4+3LOH0bPy
+1laSnpl0vMatauNkRo1RmDin7CAy7jD0kg4jsuIsDC3txYcMTuOnE7qE/jvKhrb1
+MRGSuJJdE+BH2nLZPAgg6Jc5U1kM2cEcQvsno8cfXbAr9mDgs5v6303j1Oh7/Tfc
+IzWHXYWJ95ygHVGMRXhMKMjPf6/yK5o87cGxVoK1LZ6ZuUbg6u7gP1+dapHnEnI4
+dhrMo2ZB2xD8O+AjMmr7CFWD2ZjIOVTox1/6cMlhAb+cMOwFnh11g7cCY24ZLq+6
+Hw93qckCgYEA56dntR5xo6IjXhz3gDCGiMXzZvXn/0EDpMI7BE4CSG8zCNaKlk4n
+XDP1tGDows1QHviLiKrhiHCsPqVynJCmOufCD+DaTDqwSynI036X/goeJ8Du9A1+
+b8i9CxAsT/dtD5WlkiqE44rb/f+tpnOCTIJ3tQEiKl5u7m+iBPw8ahMCgYEA24rW
+JwGCoHr3Y74Fx8gSIa6VrTSV3Kxf+tiENwJcjB1PjjqaYRGkE8K/FZUlYBWNw8NM
+3hiX7yZ5wbHZplElAYrG1I6lF4L7Z+USFzr8s5MTnp1LC9gpT6aTQAF4ci6fLs9L
+SfvaNm7FHYL3SoU0Vg15B0lhuOPxa48Eyu4JhBMCgYEAxiNKsgD7JAHPjHTsQQnA
+WIYvvVYBfDMooai7/9+VVk0+coXGfe8U/Wk39HObQtuHdyYRevDl/OSafu7WTBHx
+DJskQp6JOQBNv8xaiINUD6apykjcWYSdK5GgGDFaJX+1GcpeltmlVlZz+hnRdnh/
+7178cqYoieLBsVFsXCU+q18CgYBJE/ra+wa3Upc8rUkRSki2y31pLULhNMOyJRZF
+lVSnEy6jImC3BP8/0Kh4j6/kPuh0jHLuzvLsGTuYPRI86W/PBpnOsTjFDcWPvNF7
+yBfL0p5KQwNzCt4ddE45lQO5xkkYdMoT83Ccg9y7SRf1x0c3ib6KrWOI/t8itXWb
+8wZZ3wKBgFckz4Hcht/M0ajjIPSoD0PbasuLx0zErvG3RPrOasgnaoWLy33x7rKf
+daF2Gi2ZxrwzaAAfom+SgUrOSbUKAplGTnniXqZSN0B23xQFieIeVH4XcoDmDMAj
+wZTll9weagdDyYyzYi36g3g2woRqy6uTtYJxZkcxR5ZQBNQebWUu
+-----END RSA PRIVATE KEY-----
diff --git a/rpkid/biz-certs/Harry-Root.req b/rpkid/biz-certs/Harry-Root.req
new file mode 100644
index 00000000..4dcf75a8
--- /dev/null
+++ b/rpkid/biz-certs/Harry-Root.req
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICazCCAVMCAQAwJjEkMCIGA1UEAxMbVGVzdCBDZXJ0aWZpY2F0ZSBIYXJyeSBS
+b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxqnXvxU9r+rRT1g3
+//icKLCTALhGeDdsl1xHCAVWkB1r3iulJuF4KQYaL3CXTbAAcouHWwmayHvbEe2c
+IGLUTxO5mzASPR8CPLrVGAqwm5OTH8VLxKmeYOMauZ2FeKLEDdaTQVRwfdHeOjWn
+xzacBNs2zNKV/n+futswLtGy/gEP516sV6AyAO+5hGF1wHpGxfplEcHxwwnAYTR0
+S560IGAhvJO+UDcApro/YtT81CQ6VFpJ1quOKx6Gx9U3+kdOQsg99cjNglTUo8x4
+vPWrpRqtFcG3NRoSTOT4wn2KBbWBxXCkzseRdF9d9eAlx7EhCJKatMXTJpLBcaAp
+Q9iraQIDAQABoAAwDQYJKoZIhvcNAQEFBQADggEBALvG7y4lFsRzbBup+RyjrxIU
+WaEXREGI9U0+s14g6f7DWpnNo/VKZv++iQbg/1oXAsTshwXtRsrKmZ2jFGR38aet
+JvQxtn0/3CUXczL0bA0ot7L8iwzPt2bOXFyVQBhVk2YuonL3nm0O4XtooElxNRUL
+36P9gbflah4wNqSSxpAF++lccCvtmMkS6Z95fBMo5xnDhlUbJ84jM/b7RbuX4k1Z
+nEYfy3gfFH7IeZM9lOq0SP3NgSm98tGQXknPeHLZXmdgxGc9JVxa7FnEhiuokwqJ
+kUDWhLwo5GGKHB6lPtigHnC1beP22/hYG8/JaCmQsSoCrK+/RWvgB9xZQPI/d+0=
+-----END CERTIFICATE REQUEST-----
diff --git a/rpkid/biz-certs/Harry-Root.srl b/rpkid/biz-certs/Harry-Root.srl
new file mode 100644
index 00000000..5aecd158
--- /dev/null
+++ b/rpkid/biz-certs/Harry-Root.srl
@@ -0,0 +1 @@
+F834ECC802850EE8
diff --git a/rpkid/biz-certs/a17ff8dd.0 b/rpkid/biz-certs/a17ff8dd.0
new file mode 120000
index 00000000..df756426
--- /dev/null
+++ b/rpkid/biz-certs/a17ff8dd.0
@@ -0,0 +1 @@
+Elena-EE.cer
\ No newline at end of file
diff --git a/rpkid/biz-certs/b523b0af.0 b/rpkid/biz-certs/b523b0af.0
new file mode 120000
index 00000000..2af1f2c8
--- /dev/null
+++ b/rpkid/biz-certs/b523b0af.0
@@ -0,0 +1 @@
+Ginny-CA.cer
\ No newline at end of file
diff --git a/rpkid/biz-certs/c027faa7.0 b/rpkid/biz-certs/c027faa7.0
new file mode 120000
index 00000000..34794f44
--- /dev/null
+++ b/rpkid/biz-certs/c027faa7.0
@@ -0,0 +1 @@
+Carol-EE.cer
\ No newline at end of file
diff --git a/rpkid/biz-certs/cf3dacf7.0 b/rpkid/biz-certs/cf3dacf7.0
new file mode 120000
index 00000000..e2d0a776
--- /dev/null
+++ b/rpkid/biz-certs/cf3dacf7.0
@@ -0,0 +1 @@
+Dave-CA.cer
\ No newline at end of file
diff --git a/rpkid/biz-certs/d9bfc7a9.0 b/rpkid/biz-certs/d9bfc7a9.0
new file mode 120000
index 00000000..c3647c1c
--- /dev/null
+++ b/rpkid/biz-certs/d9bfc7a9.0
@@ -0,0 +1 @@
+Frank-EE.cer
\ No newline at end of file
diff --git a/rpkid/biz-certs/dfc82c8e.0 b/rpkid/biz-certs/dfc82c8e.0
new file mode 120000
index 00000000..846947ab
--- /dev/null
+++ b/rpkid/biz-certs/dfc82c8e.0
@@ -0,0 +1 @@
+Ginny-EE.cer
\ No newline at end of file
diff --git a/rpkid/biz-certs/f97c9834.0 b/rpkid/biz-certs/f97c9834.0
new file mode 120000
index 00000000..e6a1b1aa
--- /dev/null
+++ b/rpkid/biz-certs/f97c9834.0
@@ -0,0 +1 @@
+Elena-CA.cer
\ No newline at end of file
diff --git a/rpkid/biz-certs/ff615a1f.0 b/rpkid/biz-certs/ff615a1f.0
new file mode 120000
index 00000000..0d7c9e4a
--- /dev/null
+++ b/rpkid/biz-certs/ff615a1f.0
@@ -0,0 +1 @@
+Dave-EE.cer
\ No newline at end of file
diff --git a/rpkid/biz-certs/ff8832dd.0 b/rpkid/biz-certs/ff8832dd.0
new file mode 120000
index 00000000..af1cacc8
--- /dev/null
+++ b/rpkid/biz-certs/ff8832dd.0
@@ -0,0 +1 @@
+Dave-Root.cer
\ No newline at end of file
diff --git a/rpkid/cronjob.py b/rpkid/cronjob.py
new file mode 100644
index 00000000..c21caf05
--- /dev/null
+++ b/rpkid/cronjob.py
@@ -0,0 +1,47 @@
+# $Id$
+
+# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+"""
+Tool to trigger "cron" runs in rpkid.
+
+Usage: python cronjob.py [ { -c | --config } configfile ]
+ [ { -h | --help } ]
+
+Default configuration file is cronjob.conf, override with --config option.
+"""
+
+import rpki.config, rpki.https, getopt, sys
+
+cfg_file = "cronjob.conf"
+
+opts,argv = getopt.getopt(sys.argv[1:], "c:h?", ["config=", "help"])
+for o,a in opts:
+ if o in ("-h", "--help", "-?"):
+ print __doc__
+ sys.exit(0)
+ elif o in ("-c", "--config"):
+ cfg_file = a
+if argv:
+ print __doc__
+ raise RuntimeError, "Unexpected arguments %s" % argv
+
+cfg = rpki.config.parser(cfg_file, "cronjob")
+
+print rpki.https.client(privateKey = rpki.x509.RSA(Auto_file = cfg.get("https-key")),
+ certChain = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-cert")),
+ x509TrustList = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-ta")),
+ url = cfg.get("https-url"),
+ msg = "Please run cron now.")
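Review bot: `rpki.x509` is used to load the private key, the certificate chain and the trust list, but it is missing from the import line, so the script only works if `rpki.https` happens to import it as a side effect. Make the dependency explicit with `import rpki.config, rpki.https, rpki.x509, getopt, sys`. The option read here is `https-cert`, while irbe-cli.py in the same commit reads `https-certs`; the two scripts should settle on one spelling so a shared config cannot silently miss the chain. When unexpected arguments are given, the usage text is printed and then a `RuntimeError` traceback follows; `sys.exit` with the message would be kinder to whoever reads the cron mail.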
diff --git a/rpkid/cronjob.sh b/rpkid/cronjob.sh
new file mode 100755
index 00000000..97438a86
--- /dev/null
+++ b/rpkid/cronjob.sh
@@ -0,0 +1,44 @@
+#!/bin/sh -
+# $Id$
+
+# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# Generate Doxygen manual for RPKI code.
+#
+# At the moment this is just for the Python libraries.
+
+lock=cronjob.lock
+
+target=/usr/local/www/data/www.hactrn.net/rpki-dox
+
+cd `/usr/bin/dirname $0` || exit
+
+case "$1" in
+
+locked)
+ exec >cronjob.log 2>&1
+ set -x
+ cd rpki || exit
+ /usr/local/bin/svn update --quiet
+ /bin/rm -rf html
+ PATH=/bin:/usr/bin:/usr/local/bin /usr/local/bin/doxygen </dev/null
+ /usr/local/bin/rsync --archive --itemize-changes --delete-after html/ $target/
+ ;;
+
+*)
+ exec /usr/bin/lockf -s -t 0 $lock "$0" locked
+ ;;
+
+esac
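Review bot: In the `locked)` branch nothing checks the result of `svn update` or `doxygen` before `rsync --delete-after` publishes into `$target`, so a failed or partial build right after `rm -rf html` can remove already-published pages. Stop on failure, e.g. `PATH=/bin:/usr/bin:/usr/local/bin /usr/local/bin/doxygen </dev/null || exit`, and do the same for the `svn update` line. The expansions should be quoted as well: `cd "$(/usr/bin/dirname "$0")" || exit` and `"$target/"`. The header comment could also say that the script re-executes itself under `lockf` with the `locked` argument so that only one run is active at a time.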
diff --git a/rpkid/irbe-cli.py b/rpkid/irbe-cli.py
new file mode 100755
index 00000000..b6ce7479
--- /dev/null
+++ b/rpkid/irbe-cli.py
@@ -0,0 +1,208 @@
+# $Id$
+
+# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+"""
+Command line IR back-end control program.
+
+The query back-channel is handled by a separate program.
+"""
+
+import getopt, sys, lxml.etree, lxml.sax
+import rpki.left_right, rpki.relaxng, rpki.cms, rpki.https, rpki.x509, rpki.config, rpki.log
+
+pem_out = None
+
+class cmd_mixin(object):
+ """Left-right protocol mix-in for command line client."""
+
+ def client_getopt(self, argv):
+ """Parse options for this class."""
+ opts, argv = getopt.getopt(argv, "", [x + "=" for x in self.attributes + self.elements] + list(self.booleans))
+ for o, a in opts:
+ o = o[2:]
+ handler = getattr(self, "client_query_" + o, None)
+ if handler is not None:
+ handler(a)
+ elif o in self.booleans:
+ setattr(self, o, True)
+ else:
+ assert o in self.attributes
+ setattr(self, o, a)
+ return argv
+
+ def client_query_action(self, arg):
+ """Special handler for --action option."""
+ self.action = arg
+ self.type = "query"
+
+ def client_query_cms_ta(self, arg):
+ """Special handler for --cms_ta option."""
+ self.cms_ta = rpki.x509.X509(Auto_file=arg)
+
+ def client_query_https_ta(self, arg):
+ """Special handler for --https_ta option."""
+ self.https_ta = rpki.x509.X509(Auto_file=arg)
+
+ def client_reply_decode(self):
+ pass
+
+ def client_reply_show(self):
+ print self.element_name
+ for i in self.attributes + self.elements:
+ if getattr(self, i) is not None:
+ print " %s: %s" % (i, getattr(self, i))
+
+class self_elt(cmd_mixin, rpki.left_right.self_elt):
+
+ def client_query_extension_preference(self, arg):
+ """--extension_preferences option."""
+ k,v = arg.split("=", 1)
+ pref = rpki.left_right.extension_preference_elt()
+ pref.name = k
+ pref.value = v
+ self.prefs.append(pref)
+
+class bsc_elt(cmd_mixin, rpki.left_right.bsc_elt):
+
+ def client_query_signing_cert(self, arg):
+ """--signing_cert option."""
+ self.signing_cert.append(rpki.x509.X509(Auto_file=arg))
+
+ def client_reply_decode(self):
+ global pem_out
+ if pem_out is not None and self.pkcs10_cert_request is not None:
+ if isinstance(pem_out, str):
+ pem_out = open(pem_out, "w")
+ pem_out.write(self.pkcs10_cert_request.get_PEM())
+
+class parent_elt(cmd_mixin, rpki.left_right.parent_elt):
+ pass
+
+class child_elt(cmd_mixin, rpki.left_right.child_elt):
+ pass
+
+class repository_elt(cmd_mixin, rpki.left_right.repository_elt):
+ pass
+
+class route_origin_elt(cmd_mixin, rpki.left_right.route_origin_elt):
+
+ def client_query_as_number(self, arg):
+ """Handle autonomous sequence numbers."""
+ self.as_number = long(arg)
+
+ def client_query_ipv4(self, arg):
+ """Handle IPv4 addresses."""
+ self.ipv4 = resource_set.resource_set_ipv4(arg)
+
+ def client_query_ipv6(self, arg):
+ """Handle IPv6 addresses."""
+ self.ipv6 = resource_set.resource_set_ipv6(arg)
+
+class msg(rpki.left_right.msg):
+ pdus = dict((x.element_name, x)
+ for x in (self_elt, bsc_elt, parent_elt, child_elt, repository_elt, route_origin_elt))
+
+class sax_handler(rpki.left_right.sax_handler):
+ pdu = msg
+
+top_opts = ["config=", "help", "pem_out="]
+
+def usage(code=1):
+ print "Usage:", sys.argv[0], " ".join(["--" + x for x in top_opts])
+ for k,v in msg.pdus.items():
+ print " ", k, \
+ " ".join(["--" + x + "=" for x in v.attributes + v.elements]), \
+ " ".join(["--" + x for x in v.booleans])
+ sys.exit(code)
+
+# Main program
+
+rpki.log.init("irbe-cli")
+
+argv = sys.argv[1:]
+
+if not argv:
+ usage(0)
+
+cfg_file = "irbe.conf"
+
+opts, argv = getopt.getopt(argv, "c:h?", top_opts)
+for o, a in opts:
+ if o in ("-?", "-h", "--help"):
+ usage(0)
+ if o in ("-c", "--config"):
+ cfg_file = a
+ if o == "--pem_out":
+ pem_out = a
+
+if not argv:
+ usage(1)
+
+cfg = rpki.config.parser(cfg_file, "irbe-cli")
+
+q_msg = rpki.left_right.msg()
+
+while argv:
+ try:
+ q_pdu = msg.pdus[argv[0]]()
+ except KeyError:
+ usage(1)
+ argv = q_pdu.client_getopt(argv[1:])
+ q_msg.append(q_pdu)
+
+# We don't use rpki.cms.xml_sign() and rpki.cms.xml_verify() because
+# we want to display the raw XML. If and when that changes, we clean
+# up the following slightly.
+
+q_elt = q_msg.toXML()
+q_xml = lxml.etree.tostring(q_elt, pretty_print=True, encoding="us-ascii", xml_declaration=True)
+try:
+ rpki.relaxng.left_right.assertValid(q_elt)
+except lxml.etree.DocumentInvalid:
+ print "Generated query document does not pass schema check:"
+ print
+ print q_xml
+ raise
+
+q_cms = rpki.cms.sign(q_xml,
+ rpki.x509.RSA(Auto_file = cfg.get("cms-key")),
+ rpki.x509.X509_chain(Auto_files = cfg.multiget("cms-certs")))
+
+r_cms = rpki.https.client(privateKey = rpki.x509.RSA(Auto_file = cfg.get("https-key")),
+ certChain = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-certs")),
+ x509TrustList = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-ta")),
+ url = cfg.get("https-url"),
+ msg = q_cms)
+
+r_xml = rpki.cms.verify(r_cms, rpki.x509.X509(Auto_file = cfg.get("cms-ta")))
+
+r_elt = lxml.etree.fromstring(r_xml)
+try:
+ rpki.relaxng.left_right.assertValid(r_elt)
+except lxml.etree.DocumentInvalid:
+ print "Received reply document does not pass schema check:"
+ print r_xml
+ raise
+
+print r_xml
+
+handler = sax_handler()
+lxml.sax.saxify(r_elt, handler)
+r_msg = handler.result
+
+for r_pdu in r_msg:
+ r_pdu.client_reply_decode()
+ #r_pdu.client_reply_show()
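Review bot: `route_origin_elt.client_query_ipv4` and `client_query_ipv6` call `resource_set.resource_set_ipv4(arg)` and `resource_set.resource_set_ipv6(arg)`, but no name `resource_set` is imported in this file, so passing `--ipv4` or `--ipv6` would raise NameError. Presumably the module is `rpki.resource_set`; if so, add it to the `import rpki...` line and call `rpki.resource_set.resource_set_ipv4(arg)`. Separately, `client_getopt` validates option names with `assert o in self.attributes`, which disappears under `python -O`; an explicit `raise` would keep the check in all modes. The docstring on `client_query_as_number` should read "autonomous system numbers".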
diff --git a/rpkid/irbe-setup.py b/rpkid/irbe-setup.py
new file mode 100644
index 00000000..90ea5113
--- /dev/null
+++ b/rpkid/irbe-setup.py
@@ -0,0 +1,125 @@
+# $Id$
+
+# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+"""Set up the relationship between an IRBE and an RPKI engine given an
+IRDB. Our main task here is to create child objects in the RPKI
+engine for every registrant object in the IRDB.
+"""
+
+import os, MySQLdb, getopt, sys, lxml.etree, lxml.sax
+import rpki.left_right, rpki.relaxng, rpki.cms, rpki.https
+import rpki.x509, rpki.config, rpki.log
+
+rpki.log.init("irbe-setup")
+
+cfg = rpki.config.parser("irbe.conf", "irbe-cli")
+
+db = MySQLdb.connect(user = cfg.get("sql-username", section = "irdbd"),
+ db = cfg.get("sql-database", section = "irdbd"),
+ passwd = cfg.get("sql-password", section = "irdbd"))
+cur = db.cursor()
+
+cms_certs = rpki.x509.X509_chain(Auto_files = cfg.multiget("cms-cert"))
+cms_key = rpki.x509.RSA( Auto_file = cfg.get( "cms-key"))
+cms_ta = rpki.x509.X509( Auto_file = cfg.get( "cms-ta"))
+https_certs = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-cert"))
+https_key = rpki.x509.RSA( Auto_file = cfg.get( "https-key"))
+https_tas = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-ta"))
+https_url = cfg.get( "https-url")
+
+def call_rpkid(pdu):
+ """Hand a PDU to rpkid and get back the response. Just throw an
+ exception if anything bad happens, no fancy error handling.
+ """
+
+ pdu.type = "query"
+ msg = rpki.left_right.msg((pdu,))
+ elt = msg.toXML()
+ try:
+ rpki.relaxng.left_right.assertValid(elt)
+ except lxml.etree.DocumentInvalid:
+ print lxml.etree.tostring(elt, pretty_print = True, encoding = "us-ascii")
+ raise
+ elt = rpki.cms.xml_verify(cms = rpki.https.client(privateKey = https_key,
+ certChain = https_certs,
+ x509TrustList = https_tas,
+ url = https_url,
+ msg = rpki.cms.xml_sign(elt = elt,
+ key = cms_key,
+ certs = cms_certs)),
+ ta = cms_ta)
+ try:
+ rpki.relaxng.left_right.assertValid(elt)
+ except lxml.etree.DocumentInvalid:
+ print lxml.etree.tostring(elt, pretty_print = True, encoding = "us-ascii")
+ raise
+ msg = rpki.left_right.sax_handler.saxify(elt)
+ pdu = msg[0]
+ assert len(msg) == 1 and pdu.type == "reply" and not isinstance(pdu, rpki.left_right.report_error_elt)
+ return pdu
+
+print "Create a self instance"
+pdu = call_rpkid(rpki.left_right.self_elt.make_pdu(action = "create", crl_interval = 84600))
+self_id = pdu.self_id
+
+print "Create a business signing context"
+pdu = rpki.left_right.bsc_elt.make_pdu(action = "create", self_id = self_id, generate_keypair = True)
+pdu.signing_cert.append(rpki.x509.X509(Auto_file = "biz-certs/Bob-CA.cer"))
+pdu = call_rpkid(pdu)
+bsc_id = pdu.bsc_id
+
+print "Issue the business cert"
+i,o = os.popen2(("openssl", "x509", "-req",
+ "-CA", "biz-certs/Bob-CA.cer",
+ "-CAkey", "biz-certs/Bob-CA.key",
+ "-CAserial", "biz-certs/Bob-CA.srl"))
+i.write(pdu.pkcs10_cert_request.get_PEM())
+i.close()
+cer = rpki.x509.X509(PEM = o.read())
+o.close()
+
+print "Set up the business cert chain"
+pdu = rpki.left_right.bsc_elt.make_pdu(action = "set", self_id = self_id, bsc_id = bsc_id)
+pdu.signing_cert.append(cer)
+call_rpkid(pdu)
+
+print "Create a repository context"
+pdu = call_rpkid(rpki.left_right.repository_elt.make_pdu(action = "create", self_id = self_id, bsc_id = bsc_id))
+repository_id = pdu.repository_id
+
+print "Create a parent context"
+ta = rpki.x509.X509(Auto_file = "biz-certs/Elena-Root.cer")
+pdu = call_rpkid(rpki.left_right.parent_elt.make_pdu(
+ action = "create", self_id = self_id, bsc_id = bsc_id, repository_id = repository_id, cms_ta = ta, https_ta = ta,
+ peer_contact_uri = "https://localhost:44333/", sia_base = "rsync://wombat.invalid/"))
+parent_id = pdu.parent_id
+
+print "Create child contexts for everybody"
+print "Using a single cert for all of these registrants is a crock"
+
+cer = rpki.x509.X509(Auto_file = "biz-certs/Frank-Root.cer")
+
+cur.execute("SELECT registrant_id, subject_name FROM registrant")
+registrants = cur.fetchall()
+
+for registrant_id, subject_name in registrants:
+ print "Attempting to bind", registrant_id, subject_name
+ pdu = call_rpkid(rpki.left_right.child_elt.make_pdu(action = "create", self_id = self_id, bsc_id = bsc_id, cms_ta = cer))
+ print "Attempting to bind", registrant_id, subject_name, pdu.child_id
+ cur.execute("""UPDATE registrant
+ SET rpki_self_id = %d, rpki_child_id = %d
+ WHERE registrant_id = %d
+ """, (self_id, pdu.child_id, registrant_id))
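Review bot: `call_rpkid` validates the reply with a single `assert`, so under `python -O` an error PDU from rpkid would be returned to the caller as if it were a success, and `msg[0]` is read before the length is checked. Replace it with an explicit test placed before `pdu = msg[0]`, e.g. `if len(msg) != 1 or msg[0].type != "reply" or isinstance(msg[0], rpki.left_right.report_error_elt): raise RuntimeError, "Unexpected reply from rpkid"`. In the final loop the UPDATE uses `%d` placeholders, but MySQLdb's parameter style is `%s` for every type, so it should read `SET rpki_self_id = %s, rpki_child_id = %s` and `WHERE registrant_id = %s`; no `db.commit()` is visible after the loop either. `crl_interval = 84600` looks like a transposition of 86400 (one day in seconds) and is worth confirming.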
diff --git a/rpkid/irbe-setup.sh b/rpkid/irbe-setup.sh
new file mode 100644
index 00000000..31342aaa
--- /dev/null
+++ b/rpkid/irbe-setup.sh
@@ -0,0 +1,32 @@
+#!/bin/sh -
+# $Id$
+
+# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# Run irbe-setup.py, under screen if possible.
+
+#make test
+
+if test -n "$STY"
+then
+ screen python rpkid.py
+else
+ python rpkid.py >>rpkid.log 2>&1 & rpkid=$!
+ trap "kill $rpkid" 0 1 2 3 13 15
+fi
+
+sleep 5
+
+exec python irbe-setup.py
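Review bot: The final `exec python irbe-setup.py` replaces the shell, so the `trap "kill $rpkid" 0 1 2 3 13 15` set in the non-screen branch is discarded. The backgrounded rpkid.py therefore keeps running after setup finishes or is interrupted. Running the last step as plain `python irbe-setup.py` keeps the shell alive so the trap can fire on exit. The header comment also mentions only irbe-setup.py, although the script first starts rpkid.py and waits a fixed `sleep 5`; something like `# Start rpkid.py (in a screen window if available), wait for it to come up, then run irbe-setup.py.` would match what it does.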
diff --git a/rpkid/irdbd.py b/rpkid/irdbd.py
new file mode 100755
index 00000000..d7ecca2b
--- /dev/null
+++ b/rpkid/irdbd.py
@@ -0,0 +1,131 @@
+# $Id$
+
+# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+"""
+IR database daemon.
+
+Usage: python irdbd.py [ { -c | --config } configfile ] [ { -h | --help } ]
+
+Default configuration file is irdbd.conf, override with --config option.
+"""
+
+import sys, os, time, getopt, urlparse, traceback
+import tlslite.api, MySQLdb, lxml.etree
+import rpki.https, rpki.config, rpki.resource_set, rpki.cms, rpki.relaxng
+import rpki.exceptions, rpki.left_right, rpki.log
+
+def handler(query, path):
+ try:
+ q_elt = rpki.cms.xml_verify(query, cms_ta)
+ rpki.relaxng.left_right.assertValid(q_elt)
+ q_msg = rpki.left_right.sax_handler.saxify(q_elt)
+ if not isinstance(q_msg, rpki.left_right.msg):
+ raise rpki.exceptions.BadQuery, "Unexpected %s PDU" % repr(q_msg)
+
+ r_msg = rpki.left_right.msg()
+
+ for q_pdu in q_msg:
+
+ try:
+ if not isinstance(q_pdu, rpki.left_right.list_resources_elt) or q_pdu.type != "query":
+ raise rpki.exceptions.BadQuery, "Unexpected %s PDU" % repr(q_pdu)
+
+ r_pdu = rpki.left_right.list_resources_elt()
+ r_pdu.type = "reply"
+ r_pdu.tag = q_pdu.tag
+ r_pdu.self_id = q_pdu.self_id
+ r_pdu.child_id = q_pdu.child_id
+
+ cur.execute("""SELECT registrant_id, subject_name, valid_until FROM registrant
+ WHERE registrant.rpki_self_id = %s AND registrant.rpki_child_id = %s
+ """, (q_pdu.self_id, q_pdu.child_id))
+ if cur.rowcount != 1:
+ raise rpki.exceptions.NotInDatabase, \
+ "This query should have produced a single exact match, something's messed up (rowcount = %d, self_id = %s, child_id = %s)" \
+ % (cur.rowcount, q_pdu.self_id, q_pdu.child_id)
+
+ registrant_id, subject_name, valid_until = cur.fetchone()
+ r_pdu.subject_name = subject_name
+ r_pdu.valid_until = valid_until.strftime("%Y-%m-%dT%H:%M:%SZ")
+ r_pdu.as = rpki.resource_set.resource_set_as.from_sql(cur, "SELECT start_as, end_as FROM asn WHERE registrant_id = %s", (registrant_id,))
+ r_pdu.ipv4 = rpki.resource_set.resource_set_ipv4.from_sql(cur, "SELECT start_ip, end_ip FROM net WHERE registrant_id = %s AND version = 4", (registrant_id,))
+ r_pdu.ipv6 = rpki.resource_set.resource_set_ipv6.from_sql(cur, "SELECT start_ip, end_ip FROM net WHERE registrant_id = %s AND version = 6", (registrant_id,))
+
+ except Exception, data:
+ rpki.log.error(traceback.format_exc())
+ r_pdu = rpki.left_right.report_error_elt.from_exception(data, q_pdu.self_id)
+
+ r_msg.append(r_pdu)
+
+ r_elt = r_msg.toXML()
+ rpki.relaxng.left_right.assertValid(r_elt)
+ return 200, rpki.cms.xml_sign(r_elt, cms_key, cms_certs)
+
+ except Exception, data:
+ rpki.log.error(traceback.format_exc())
+
+ # We only get here in cases where we couldn't or wouldn't generate
+ # <report_error/>, so just return HTTP failure.
+
+ return 500, "Unhandled exception %s: %s" % (data.__class__.__name__, data)
+
+os.environ["TZ"] = "UTC"
+time.tzset()
+
+rpki.log.init("irdbd")
+
+cfg_file = "irdbd.conf"
+
+opts,argv = getopt.getopt(sys.argv[1:], "c:h?", ["config=", "help"])
+for o,a in opts:
+ if o in ("-h", "--help", "-?"):
+ print __doc__
+ sys.exit(0)
+ if o in ("-c", "--config"):
+ cfg_file = a
+if argv:
+ raise RuntimeError, "Unexpected arguments %s" % argv
+
+cfg = rpki.config.parser(cfg_file, "irdbd")
+
+startup_msg = cfg.get("startup-message", "")
+if startup_msg:
+ rpki.log.info(startup_msg)
+
+db = MySQLdb.connect(user = cfg.get("sql-username"),
+ db = cfg.get("sql-database"),
+ passwd = cfg.get("sql-password"))
+
+cur = db.cursor()
+
+cms_ta = rpki.x509.X509(Auto_file = cfg.get("cms-ta"))
+cms_key = rpki.x509.RSA(Auto_file = cfg.get("cms-key"))
+cms_certs = rpki.x509.X509_chain(Auto_files = cfg.multiget("cms-certs"))
+
+u = urlparse.urlparse(cfg.get("https-url"))
+
+assert u.scheme in ("", "https") and \
+ u.username is None and \
+ u.password is None and \
+ u.params == "" and \
+ u.query == "" and \
+ u.fragment == ""
+
+rpki.https.server(privateKey = rpki.x509.RSA(Auto_file = cfg.get("https-key")),
+ certChain = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-certs")),
+ host = u.hostname or "localhost",
+ port = u.port or 443,
+ handlers = ((u.path, handler),))
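Review bot: The outer `except` in `handler` returns `"Unhandled exception %s: %s" % (data.__class__.__name__, data)` as the HTTP 500 body, and that path is also reached when `rpki.cms.xml_verify` rejects the request. A caller whose CMS signature did not verify therefore still receives the exception class and message; what that text contains depends on the rpki library, which is not visible here. The traceback is already written by `rpki.log.error`, so the body could be a fixed string, e.g. `return 500, "Internal error"`. Separately, the `https-url` validation near the end of the file is an `assert`, which Python drops under `-O`; an explicit `if not (...): raise RuntimeError, "Bad https-url"` would keep the check. `rpki.x509` is also used for the keys and certificates without appearing in the import lines; presumably another rpki module pulls it in, but `import rpki.x509` would not rely on that.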
diff --git a/rpkid/left-right-protocol-samples.xsl b/rpkid/left-right-protocol-samples.xsl
new file mode 100644
index 00000000..da313544
--- /dev/null
+++ b/rpkid/left-right-protocol-samples.xsl
@@ -0,0 +1,37 @@
+<!-- $Id$
+ -
+ - Generate test case PDUs for left-right protocol. Invoke thusly:
+ -
+ - $ xsltproc left-right-protocol-samples.xsl ../docs/left-right-xml
+ -->
+
+<xsl:transform xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0"
+ xmlns:exsl="http://exslt.org/common"
+ extension-element-prefixes="exsl">
+
+ <xsl:param name="dir">left-right-protocol-samples</xsl:param>
+ <xsl:param name="msgs" select="1"/>
+
+ <xsl:strip-space elements="*"/>
+
+ <xsl:template match="/completely_gratuitous_wrapper_element_to_let_me_run_this_through_xmllint">
+ <xsl:for-each select="*">
+ <xsl:variable name="filename" select="concat($dir, '/pdu.', format-number(position(), '000'), '.xml')"/>
+ <xsl:if test="$msgs">
+ <xsl:message><xsl:text>Writing </xsl:text><xsl:value-of select="$filename"/></xsl:message>
+ </xsl:if>
+ <exsl:document href="{$filename}" indent="yes" encoding="US-ASCII">
+ <xsl:comment>Automatically generated, do not edit.</xsl:comment>
+ <xsl:copy-of select="." />
+ </exsl:document>
+ </xsl:for-each>
+ </xsl:template>
+</xsl:transform>
+
+
+<!--
+ - Local variables:
+ - mode: sgml
+ - compile-command: "xsltproc left-right-protocol-samples.xsl ../docs/left-right-xml"
+ - End:
+ -->
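Review bot: The two stylesheet parameters `dir` and `msgs` are not documented in the header comment, and `msgs` is easy to misuse. `<xsl:if test="$msgs">` is a boolean test, so `--stringparam msgs 0` still prints the "Writing ..." messages because a non-empty string is true; only `--param msgs 0` or an empty string turns them off. A line in the header comment would cover it, for example `- Parameters: dir = output directory (default left-right-protocol-samples); msgs = pass "--param msgs 0" to suppress progress messages.`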
diff --git a/rpkid/left-right-protocol-samples/pdu.001.xml b/rpkid/left-right-protocol-samples/pdu.001.xml
new file mode 100644
index 00000000..7d6b1bd5
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.001.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <self action="create" type="query" tag="a000">
+ <extension_preference name="name">Launcelot</extension_preference>
+ <extension_preference name="quest">Holy Grail</extension_preference>
+ </self>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.002.xml b/rpkid/left-right-protocol-samples/pdu.002.xml
new file mode 100644
index 00000000..248adc19
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.002.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <self action="create" type="reply" tag="a000" self_id="42"/>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.003.xml b/rpkid/left-right-protocol-samples/pdu.003.xml
new file mode 100644
index 00000000..b53bb031
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.003.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <self action="set" type="query" self_id="42" rekey="yes" reissue="yes" revoke="yes" run_now="yes" publish_world_now="yes" clear_extension_preferences="yes" crl_interval="3600" use_hsm="no">
+ <extension_preference name="color">Blue</extension_preference>
+ </self>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.004.xml b/rpkid/left-right-protocol-samples/pdu.004.xml
new file mode 100644
index 00000000..ae9a2f54
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.004.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <self action="set" type="reply" self_id="42"/>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.005.xml b/rpkid/left-right-protocol-samples/pdu.005.xml
new file mode 100644
index 00000000..f039e484
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.005.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <self action="get" type="query" self_id="42"/>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.006.xml b/rpkid/left-right-protocol-samples/pdu.006.xml
new file mode 100644
index 00000000..7f51884a
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.006.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <self action="get" type="reply" self_id="42">
+ <extension_preference name="name">Launcelot</extension_preference>
+ <extension_preference name="quest">Holy Grail</extension_preference>
+ <extension_preference name="color">Blue</extension_preference>
+ </self>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.007.xml b/rpkid/left-right-protocol-samples/pdu.007.xml
new file mode 100644
index 00000000..19e8d75e
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.007.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <self action="list" type="query"/>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.008.xml b/rpkid/left-right-protocol-samples/pdu.008.xml
new file mode 100644
index 00000000..ce6ded4a
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.008.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <self action="list" type="reply" self_id="42">
+ <extension_preference name="name">Launcelot</extension_preference>
+ <extension_preference name="quest">Holy Grail</extension_preference>
+ <extension_preference name="color">Blue</extension_preference>
+ </self>
+ <self action="list" type="reply" self_id="99">
+ <extension_preference name="name">Arthur, King of the Britons</extension_preference>
+ <extension_preference name="quest">Holy Grail</extension_preference>
+ <extension_preference name="airspeed_velocity_of_an_unladen_swallow">African or European swallow?</extension_preference>
+ </self>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.009.xml b/rpkid/left-right-protocol-samples/pdu.009.xml
new file mode 100644
index 00000000..bc7da935
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.009.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <self action="destroy" type="query" self_id="42"/>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.010.xml b/rpkid/left-right-protocol-samples/pdu.010.xml
new file mode 100644
index 00000000..1fd0bb69
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.010.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <self action="destroy" type="reply" self_id="42"/>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.011.xml b/rpkid/left-right-protocol-samples/pdu.011.xml
new file mode 100644
index 00000000..5a061211
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.011.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <bsc action="create" type="query" self_id="42" generate_keypair="yes" key_type="rsa" hash_alg="sha256" key_length="2048">
+ <signing_cert>
+ MIIDHTCCAgWgAwIBAgIJAKUUCoKn9ovVMA0GCSqGSIb3DQEBBQUAMCYxJDAiBgNV
+ BAMTG1Rlc3QgQ2VydGlmaWNhdGUgQWxpY2UgUm9vdDAeFw0wNzA4MDExOTUzMDda
+ Fw0wNzA4MzExOTUzMDdaMCQxIjAgBgNVBAMTGVRlc3QgQ2VydGlmaWNhdGUgQWxp
+ Y2UgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDmLngkGT5kWsXd
+ IgLeV+5zNvcDt0+D4cds1cu+bw6Y/23z1+ooA8fU1gXQ28bl6ELM8WRLHgcntqzr
+ 5UX6S1xPdNfFYt8z4E1ZuvwCPsxcSwVdlYRvzAGNQivDpcJ75Mf5DTeDpr6wm7yn
+ 2pzxvQIet5djOX51RVGA3hOwCbhq2ceHs0ZruWG3T70H3Sa1ZVxP7m0DJlsSZa6v
+ 3oEeFOKZQlqrgeU74mJyLAGx/fNbIw+UBrvejfjZobIv985vQ06DZ5S2AquQ2bht
+ O/2bW3yqeOjH98YK0zlOpYtaZ2fyx4JLjHCspoki6+4W9UG+TuqdkB20mRsr25XT
+ 9kLuwIGZAgMBAAGjUDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFF6I4IR33h/s
+ vOa4Vsw2icPo8TgaMB8GA1UdIwQYMBaAFG9ed1KlOQDyB+k7Yeb8LSjG5FDtMA0G
+ CSqGSIb3DQEBBQUAA4IBAQDVzBuGyXIq/rfMjoNKIHTUgppkc+FjS02cFASpB5mk
+ ksSpGWYHMZKlqz47qDi44KAG+kmPIPOT0em81+/VGeY1oizJyKSeNDhNboth5oTu
+ ShDr4flTQCoYvRxm1wh8WIIg09nwibzGztuV1XxtdzfQV5kK5bMBlDXnUfAYydsO
+ jc52x5f4tgdcfBhjnMzkCAx2kvw5Wp3NekkOKl5YYnPK++zT9IBwqrqJmsJvyLPO
+ vvqVBYkoBWRbmcy6wVU8JpYegNNgVRbi6zeAq33gS75m9uy+4z8Ql6DqVF0s/y+/
+ 240tLCW62X98EzrALKsxhkqVZCtdc5HSRaOQr0K3I03S
+ </signing_cert>
+ </bsc>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.012.xml b/rpkid/left-right-protocol-samples/pdu.012.xml
new file mode 100644
index 00000000..cca6c8c7
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.012.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <bsc action="create" type="reply" self_id="42" bsc_id="17">
+ <pkcs10_cert_request>cmVxdWVzdAo=</pkcs10_cert_request>
+ </bsc>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.013.xml b/rpkid/left-right-protocol-samples/pdu.013.xml
new file mode 100644
index 00000000..3c1c5adc
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.013.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <bsc action="set" type="query" self_id="42" bsc_id="17" clear_signing_certs="yes">
+ <signing_cert>
+ MIIDHTCCAgWgAwIBAgIJAKUUCoKn9ovVMA0GCSqGSIb3DQEBBQUAMCYxJDAiBgNV
+ BAMTG1Rlc3QgQ2VydGlmaWNhdGUgQWxpY2UgUm9vdDAeFw0wNzA4MDExOTUzMDda
+ Fw0wNzA4MzExOTUzMDdaMCQxIjAgBgNVBAMTGVRlc3QgQ2VydGlmaWNhdGUgQWxp
+ Y2UgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDmLngkGT5kWsXd
+ IgLeV+5zNvcDt0+D4cds1cu+bw6Y/23z1+ooA8fU1gXQ28bl6ELM8WRLHgcntqzr
+ 5UX6S1xPdNfFYt8z4E1ZuvwCPsxcSwVdlYRvzAGNQivDpcJ75Mf5DTeDpr6wm7yn
+ 2pzxvQIet5djOX51RVGA3hOwCbhq2ceHs0ZruWG3T70H3Sa1ZVxP7m0DJlsSZa6v
+ 3oEeFOKZQlqrgeU74mJyLAGx/fNbIw+UBrvejfjZobIv985vQ06DZ5S2AquQ2bht
+ O/2bW3yqeOjH98YK0zlOpYtaZ2fyx4JLjHCspoki6+4W9UG+TuqdkB20mRsr25XT
+ 9kLuwIGZAgMBAAGjUDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFF6I4IR33h/s
+ vOa4Vsw2icPo8TgaMB8GA1UdIwQYMBaAFG9ed1KlOQDyB+k7Yeb8LSjG5FDtMA0G
+ CSqGSIb3DQEBBQUAA4IBAQDVzBuGyXIq/rfMjoNKIHTUgppkc+FjS02cFASpB5mk
+ ksSpGWYHMZKlqz47qDi44KAG+kmPIPOT0em81+/VGeY1oizJyKSeNDhNboth5oTu
+ ShDr4flTQCoYvRxm1wh8WIIg09nwibzGztuV1XxtdzfQV5kK5bMBlDXnUfAYydsO
+ jc52x5f4tgdcfBhjnMzkCAx2kvw5Wp3NekkOKl5YYnPK++zT9IBwqrqJmsJvyLPO
+ vvqVBYkoBWRbmcy6wVU8JpYegNNgVRbi6zeAq33gS75m9uy+4z8Ql6DqVF0s/y+/
+ 240tLCW62X98EzrALKsxhkqVZCtdc5HSRaOQr0K3I03S
+ </signing_cert>
+ </bsc>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.014.xml b/rpkid/left-right-protocol-samples/pdu.014.xml
new file mode 100644
index 00000000..dbb00bf7
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.014.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <bsc action="set" type="reply" self_id="42" bsc_id="17"/>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.015.xml b/rpkid/left-right-protocol-samples/pdu.015.xml
new file mode 100644
index 00000000..25137d90
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.015.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <bsc action="get" type="query" self_id="42" bsc_id="17"/>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.016.xml b/rpkid/left-right-protocol-samples/pdu.016.xml
new file mode 100644
index 00000000..bfa6009a
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.016.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <bsc action="get" type="reply" self_id="42" bsc_id="17">
+ <signing_cert>
+ MIIDHTCCAgWgAwIBAgIJAKUUCoKn9ovVMA0GCSqGSIb3DQEBBQUAMCYxJDAiBgNV
+ BAMTG1Rlc3QgQ2VydGlmaWNhdGUgQWxpY2UgUm9vdDAeFw0wNzA4MDExOTUzMDda
+ Fw0wNzA4MzExOTUzMDdaMCQxIjAgBgNVBAMTGVRlc3QgQ2VydGlmaWNhdGUgQWxp
+ Y2UgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDmLngkGT5kWsXd
+ IgLeV+5zNvcDt0+D4cds1cu+bw6Y/23z1+ooA8fU1gXQ28bl6ELM8WRLHgcntqzr
+ 5UX6S1xPdNfFYt8z4E1ZuvwCPsxcSwVdlYRvzAGNQivDpcJ75Mf5DTeDpr6wm7yn
+ 2pzxvQIet5djOX51RVGA3hOwCbhq2ceHs0ZruWG3T70H3Sa1ZVxP7m0DJlsSZa6v
+ 3oEeFOKZQlqrgeU74mJyLAGx/fNbIw+UBrvejfjZobIv985vQ06DZ5S2AquQ2bht
+ O/2bW3yqeOjH98YK0zlOpYtaZ2fyx4JLjHCspoki6+4W9UG+TuqdkB20mRsr25XT
+ 9kLuwIGZAgMBAAGjUDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFF6I4IR33h/s
+ vOa4Vsw2icPo8TgaMB8GA1UdIwQYMBaAFG9ed1KlOQDyB+k7Yeb8LSjG5FDtMA0G
+ CSqGSIb3DQEBBQUAA4IBAQDVzBuGyXIq/rfMjoNKIHTUgppkc+FjS02cFASpB5mk
+ ksSpGWYHMZKlqz47qDi44KAG+kmPIPOT0em81+/VGeY1oizJyKSeNDhNboth5oTu
+ ShDr4flTQCoYvRxm1wh8WIIg09nwibzGztuV1XxtdzfQV5kK5bMBlDXnUfAYydsO
+ jc52x5f4tgdcfBhjnMzkCAx2kvw5Wp3NekkOKl5YYnPK++zT9IBwqrqJmsJvyLPO
+ vvqVBYkoBWRbmcy6wVU8JpYegNNgVRbi6zeAq33gS75m9uy+4z8Ql6DqVF0s/y+/
+ 240tLCW62X98EzrALKsxhkqVZCtdc5HSRaOQr0K3I03S
+ </signing_cert>
+ <signing_cert>
+ MIIDGDCCAgCgAwIBAgIJANkdU8+R7K3fMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQWxpY2UgQ0EwHhcNMDcwODAxMTk1MzA3WhcN
+ MDcwODMxMTk1MzA3WjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEFsaWNl
+ IEVFMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA64aCougbqPB/PjR9
+ ipPd5c/QGlKh8QsCvh4ka3VjRp+zCUEiOI6W7hKUGVoNlqwFjZo2CsqX8qoW0e/S
+ sQp9RMH80jgYjfxVPvK3S+sMoXredH+PhOqttf1rCEXbvqP4t9FWUdKJz558oHbO
+ MXirP7MFUrWk96F/id+BFG01aKy9RE68DlkcPZAJjpcQ0kEYCIyAQckqgVrIaH2X
+ QiEtB5asHrvGH0N5fmUWDeBfHTGVI3dbc6nLU9RYlVo/RCo0C38fi44/PIdnJCZG
+ 4+m2ZXG+QbhNWVr4BsSIpF0oiQDelrebDrK4TYJ4skfwLHdlmJbtaeG7zwukDQkN
+ CIIXRwIDAQABo00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBTjSaMtxysroFSek8cD
+ OTdc6+ZY0jAfBgNVHSMEGDAWgBReiOCEd94f7LzmuFbMNonD6PE4GjANBgkqhkiG
+ 9w0BAQUFAAOCAQEAH8ccePGVdGeytS14upV+20hxsGHLS66XxZJlQyQmYOwy4OL9
+ F17VODm7UC3h6qnAGbNCvRa6TPah1gRWfwkZDlYC48whDlxi2QX23PcuVKstrv3i
+ MiVcTm6AuVyfDn4DJ89TDUY+bPFne46lpSBxt9xXg6UsHMSthoerTYVcaYNHoGpt
+ wQPCgrYT/bdQeUpAL7rtha+by0x74vUgO8W84MX0XjCWqXgyP/XBlqxjx7B9Gydw
+ 5tNbASf9blRIQcQ9uy+S8mOlHQWfOhe6nN++LhVxYlOzdDKFboTmCwYZwNJHhnRl
+ okQ8do5ItBt92MoJgI26PoOiE3xXVyuYb1b7vw==
+ </signing_cert>
+ <public_key>
+ MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA64aCougbqPB/PjR9ipPd
+ 5c/QGlKh8QsCvh4ka3VjRp+zCUEiOI6W7hKUGVoNlqwFjZo2CsqX8qoW0e/SsQp9
+ RMH80jgYjfxVPvK3S+sMoXredH+PhOqttf1rCEXbvqP4t9FWUdKJz558oHbOMXir
+ P7MFUrWk96F/id+BFG01aKy9RE68DlkcPZAJjpcQ0kEYCIyAQckqgVrIaH2XQiEt
+ B5asHrvGH0N5fmUWDeBfHTGVI3dbc6nLU9RYlVo/RCo0C38fi44/PIdnJCZG4+m2
+ ZXG+QbhNWVr4BsSIpF0oiQDelrebDrK4TYJ4skfwLHdlmJbtaeG7zwukDQkNCIIX
+ RwIDAQAB
+ </public_key>
+ </bsc>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.017.xml b/rpkid/left-right-protocol-samples/pdu.017.xml
new file mode 100644
index 00000000..dc882a50
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.017.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <bsc action="list" type="query" self_id="42"/>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.018.xml b/rpkid/left-right-protocol-samples/pdu.018.xml
new file mode 100644
index 00000000..bfa6009a
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.018.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <bsc action="get" type="reply" self_id="42" bsc_id="17">
+ <signing_cert>
+ MIIDHTCCAgWgAwIBAgIJAKUUCoKn9ovVMA0GCSqGSIb3DQEBBQUAMCYxJDAiBgNV
+ BAMTG1Rlc3QgQ2VydGlmaWNhdGUgQWxpY2UgUm9vdDAeFw0wNzA4MDExOTUzMDda
+ Fw0wNzA4MzExOTUzMDdaMCQxIjAgBgNVBAMTGVRlc3QgQ2VydGlmaWNhdGUgQWxp
+ Y2UgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDmLngkGT5kWsXd
+ IgLeV+5zNvcDt0+D4cds1cu+bw6Y/23z1+ooA8fU1gXQ28bl6ELM8WRLHgcntqzr
+ 5UX6S1xPdNfFYt8z4E1ZuvwCPsxcSwVdlYRvzAGNQivDpcJ75Mf5DTeDpr6wm7yn
+ 2pzxvQIet5djOX51RVGA3hOwCbhq2ceHs0ZruWG3T70H3Sa1ZVxP7m0DJlsSZa6v
+ 3oEeFOKZQlqrgeU74mJyLAGx/fNbIw+UBrvejfjZobIv985vQ06DZ5S2AquQ2bht
+ O/2bW3yqeOjH98YK0zlOpYtaZ2fyx4JLjHCspoki6+4W9UG+TuqdkB20mRsr25XT
+ 9kLuwIGZAgMBAAGjUDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFF6I4IR33h/s
+ vOa4Vsw2icPo8TgaMB8GA1UdIwQYMBaAFG9ed1KlOQDyB+k7Yeb8LSjG5FDtMA0G
+ CSqGSIb3DQEBBQUAA4IBAQDVzBuGyXIq/rfMjoNKIHTUgppkc+FjS02cFASpB5mk
+ ksSpGWYHMZKlqz47qDi44KAG+kmPIPOT0em81+/VGeY1oizJyKSeNDhNboth5oTu
+ ShDr4flTQCoYvRxm1wh8WIIg09nwibzGztuV1XxtdzfQV5kK5bMBlDXnUfAYydsO
+ jc52x5f4tgdcfBhjnMzkCAx2kvw5Wp3NekkOKl5YYnPK++zT9IBwqrqJmsJvyLPO
+ vvqVBYkoBWRbmcy6wVU8JpYegNNgVRbi6zeAq33gS75m9uy+4z8Ql6DqVF0s/y+/
+ 240tLCW62X98EzrALKsxhkqVZCtdc5HSRaOQr0K3I03S
+ </signing_cert>
+ <signing_cert>
+ MIIDGDCCAgCgAwIBAgIJANkdU8+R7K3fMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQWxpY2UgQ0EwHhcNMDcwODAxMTk1MzA3WhcN
+ MDcwODMxMTk1MzA3WjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEFsaWNl
+ IEVFMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA64aCougbqPB/PjR9
+ ipPd5c/QGlKh8QsCvh4ka3VjRp+zCUEiOI6W7hKUGVoNlqwFjZo2CsqX8qoW0e/S
+ sQp9RMH80jgYjfxVPvK3S+sMoXredH+PhOqttf1rCEXbvqP4t9FWUdKJz558oHbO
+ MXirP7MFUrWk96F/id+BFG01aKy9RE68DlkcPZAJjpcQ0kEYCIyAQckqgVrIaH2X
+ QiEtB5asHrvGH0N5fmUWDeBfHTGVI3dbc6nLU9RYlVo/RCo0C38fi44/PIdnJCZG
+ 4+m2ZXG+QbhNWVr4BsSIpF0oiQDelrebDrK4TYJ4skfwLHdlmJbtaeG7zwukDQkN
+ CIIXRwIDAQABo00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBTjSaMtxysroFSek8cD
+ OTdc6+ZY0jAfBgNVHSMEGDAWgBReiOCEd94f7LzmuFbMNonD6PE4GjANBgkqhkiG
+ 9w0BAQUFAAOCAQEAH8ccePGVdGeytS14upV+20hxsGHLS66XxZJlQyQmYOwy4OL9
+ F17VODm7UC3h6qnAGbNCvRa6TPah1gRWfwkZDlYC48whDlxi2QX23PcuVKstrv3i
+ MiVcTm6AuVyfDn4DJ89TDUY+bPFne46lpSBxt9xXg6UsHMSthoerTYVcaYNHoGpt
+ wQPCgrYT/bdQeUpAL7rtha+by0x74vUgO8W84MX0XjCWqXgyP/XBlqxjx7B9Gydw
+ 5tNbASf9blRIQcQ9uy+S8mOlHQWfOhe6nN++LhVxYlOzdDKFboTmCwYZwNJHhnRl
+ okQ8do5ItBt92MoJgI26PoOiE3xXVyuYb1b7vw==
+ </signing_cert>
+ <public_key>
+ MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA64aCougbqPB/PjR9ipPd
+ 5c/QGlKh8QsCvh4ka3VjRp+zCUEiOI6W7hKUGVoNlqwFjZo2CsqX8qoW0e/SsQp9
+ RMH80jgYjfxVPvK3S+sMoXredH+PhOqttf1rCEXbvqP4t9FWUdKJz558oHbOMXir
+ P7MFUrWk96F/id+BFG01aKy9RE68DlkcPZAJjpcQ0kEYCIyAQckqgVrIaH2XQiEt
+ B5asHrvGH0N5fmUWDeBfHTGVI3dbc6nLU9RYlVo/RCo0C38fi44/PIdnJCZG4+m2
+ ZXG+QbhNWVr4BsSIpF0oiQDelrebDrK4TYJ4skfwLHdlmJbtaeG7zwukDQkNCIIX
+ RwIDAQAB
+ </public_key>
+ </bsc>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.019.xml b/rpkid/left-right-protocol-samples/pdu.019.xml
new file mode 100644
index 00000000..62c3e9de
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.019.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <bsc action="destroy" type="query" self_id="42" bsc_id="17"/>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.020.xml b/rpkid/left-right-protocol-samples/pdu.020.xml
new file mode 100644
index 00000000..75375dad
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.020.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <bsc action="destroy" type="reply" self_id="42" bsc_id="17"/>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.021.xml b/rpkid/left-right-protocol-samples/pdu.021.xml
new file mode 100644
index 00000000..41bc67af
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.021.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <parent action="create" type="query" self_id="42" peer_contact_uri="https://re.bar.example/bandicoot/" sia_base="rsync://repo.foo.example/wombat/" bsc_id="17" repository_id="120" sender_name="tweedledee" recipient_name="tweedledum">
+ <cms_ta>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </cms_ta>
+ <https_ta>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </https_ta>
+ </parent>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.022.xml b/rpkid/left-right-protocol-samples/pdu.022.xml
new file mode 100644
index 00000000..8c0a8d7d
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.022.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <parent action="create" type="reply" self_id="42" parent_id="666"/>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.023.xml b/rpkid/left-right-protocol-samples/pdu.023.xml
new file mode 100644
index 00000000..1f3633c0
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.023.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <parent action="set" type="query" self_id="42" parent_id="666" peer_contact_uri="https://re.bar.example/bandicoot/" sia_base="rsync://repo.foo.example/wombat/" bsc_id="17" repository_id="120" rekey="yes" reissue="yes" revoke="yes">
+ <cms_ta>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </cms_ta>
+ <https_ta>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </https_ta>
+ </parent>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.024.xml b/rpkid/left-right-protocol-samples/pdu.024.xml
new file mode 100644
index 00000000..902e89ef
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.024.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <parent action="set" type="reply" self_id="42" parent_id="666"/>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.025.xml b/rpkid/left-right-protocol-samples/pdu.025.xml
new file mode 100644
index 00000000..51e077ba
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.025.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <parent action="get" type="query" self_id="42" parent_id="666"/>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.026.xml b/rpkid/left-right-protocol-samples/pdu.026.xml
new file mode 100644
index 00000000..8cddc8d8
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.026.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <parent action="get" type="reply" self_id="42" parent_id="666" peer_contact_uri="https://re.bar.example/bandicoot/" sia_base="rsync://repo.foo.example/wombat/" bsc_id="17" repository_id="120">
+ <cms_ta>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </cms_ta>
+ <https_ta>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </https_ta>
+ </parent>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.027.xml b/rpkid/left-right-protocol-samples/pdu.027.xml
new file mode 100644
index 00000000..6c417adb
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.027.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <parent action="list" type="query" self_id="42"/>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.028.xml b/rpkid/left-right-protocol-samples/pdu.028.xml
new file mode 100644
index 00000000..1e8f5c95
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.028.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <parent action="list" type="reply" self_id="42" parent_id="666" peer_contact_uri="https://re.bar.example/bandicoot/" sia_base="rsync://repo.foo.example/wombat/" bsc_id="17" repository_id="120">
+ <cms_ta>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </cms_ta>
+ <https_ta>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </https_ta>
+ </parent>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.029.xml b/rpkid/left-right-protocol-samples/pdu.029.xml
new file mode 100644
index 00000000..2cb9dc8b
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.029.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <parent action="destroy" type="query" self_id="42" parent_id="666"/>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.030.xml b/rpkid/left-right-protocol-samples/pdu.030.xml
new file mode 100644
index 00000000..8e3d4c65
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.030.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <parent action="destroy" type="reply" self_id="42" parent_id="666"/>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.031.xml b/rpkid/left-right-protocol-samples/pdu.031.xml
new file mode 100644
index 00000000..4871b271
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.031.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <child action="create" type="query" self_id="42" bsc_id="17">
+ <cms_ta>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </cms_ta>
+ </child>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.032.xml b/rpkid/left-right-protocol-samples/pdu.032.xml
new file mode 100644
index 00000000..f5b3dbe9
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.032.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <child action="create" type="reply" self_id="42" child_id="3"/>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.033.xml b/rpkid/left-right-protocol-samples/pdu.033.xml
new file mode 100644
index 00000000..37bac784
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.033.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <child action="set" type="query" self_id="42" child_id="3" bsc_id="17" reissue="yes">
+ <cms_ta>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </cms_ta>
+ </child>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.034.xml b/rpkid/left-right-protocol-samples/pdu.034.xml
new file mode 100644
index 00000000..f3332bb6
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.034.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <child action="set" type="reply" self_id="42" child_id="3"/>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.035.xml b/rpkid/left-right-protocol-samples/pdu.035.xml
new file mode 100644
index 00000000..1fa3192c
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.035.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <child action="get" type="query" self_id="42" child_id="3"/>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.036.xml b/rpkid/left-right-protocol-samples/pdu.036.xml
new file mode 100644
index 00000000..4c2576e1
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.036.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <child action="get" type="reply" self_id="42" child_id="3" bsc_id="17">
+ <cms_ta>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </cms_ta>
+ </child>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.037.xml b/rpkid/left-right-protocol-samples/pdu.037.xml
new file mode 100644
index 00000000..fcfe3199
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.037.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <child action="list" type="query" self_id="42"/>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.038.xml b/rpkid/left-right-protocol-samples/pdu.038.xml
new file mode 100644
index 00000000..42d203a4
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.038.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <child action="list" type="reply" self_id="42" child_id="3" bsc_id="17">
+ <cms_ta>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </cms_ta>
+ </child>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.039.xml b/rpkid/left-right-protocol-samples/pdu.039.xml
new file mode 100644
index 00000000..dc4fb285
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.039.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <child action="destroy" type="query" self_id="42" child_id="3"/>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.040.xml b/rpkid/left-right-protocol-samples/pdu.040.xml
new file mode 100644
index 00000000..82f28511
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.040.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <child action="destroy" type="reply" self_id="42" child_id="3"/>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.041.xml b/rpkid/left-right-protocol-samples/pdu.041.xml
new file mode 100644
index 00000000..40cccf4d
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.041.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <repository action="create" type="query" self_id="42" peer_contact_uri="https://re.bar.example/bandicoot/" bsc_id="17">
+ <cms_ta>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </cms_ta>
+ <https_ta>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </https_ta>
+ </repository>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.042.xml b/rpkid/left-right-protocol-samples/pdu.042.xml
new file mode 100644
index 00000000..e7398c7f
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.042.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <repository action="create" type="reply" self_id="42" repository_id="120"/>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.043.xml b/rpkid/left-right-protocol-samples/pdu.043.xml
new file mode 100644
index 00000000..e8f391a5
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.043.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <repository action="set" type="query" self_id="42" repository_id="120" peer_contact_uri="https://re.bar.example/bandicoot/" bsc_id="17">
+ <cms_ta>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </cms_ta>
+ <https_ta>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </https_ta>
+ </repository>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.044.xml b/rpkid/left-right-protocol-samples/pdu.044.xml
new file mode 100644
index 00000000..d7506e3d
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.044.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <repository action="set" type="reply" self_id="42" repository_id="120"/>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.045.xml b/rpkid/left-right-protocol-samples/pdu.045.xml
new file mode 100644
index 00000000..78866dad
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.045.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <repository action="get" type="query" self_id="42" repository_id="120"/>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.046.xml b/rpkid/left-right-protocol-samples/pdu.046.xml
new file mode 100644
index 00000000..ad7e42a4
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.046.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <repository action="get" type="reply" self_id="42" repository_id="120" peer_contact_uri="https://re.bar.example/bandicoot/" bsc_id="17">
+ <cms_ta>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </cms_ta>
+ <https_ta>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </https_ta>
+ </repository>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.047.xml b/rpkid/left-right-protocol-samples/pdu.047.xml
new file mode 100644
index 00000000..5ca17d89
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.047.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <repository action="list" type="query" self_id="42"/>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.048.xml b/rpkid/left-right-protocol-samples/pdu.048.xml
new file mode 100644
index 00000000..ff92dc33
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.048.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <repository action="list" type="reply" self_id="42" repository_id="120" peer_contact_uri="https://re.bar.example/bandicoot/" bsc_id="17">
+ <cms_ta>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </cms_ta>
+ <https_ta>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </https_ta>
+ </repository>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.049.xml b/rpkid/left-right-protocol-samples/pdu.049.xml
new file mode 100644
index 00000000..b89ad078
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.049.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <repository action="destroy" type="query" self_id="42" repository_id="120"/>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.050.xml b/rpkid/left-right-protocol-samples/pdu.050.xml
new file mode 100644
index 00000000..92f1ce11
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.050.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <repository action="destroy" type="reply" self_id="42" repository_id="120"/>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.051.xml b/rpkid/left-right-protocol-samples/pdu.051.xml
new file mode 100644
index 00000000..afbbc82a
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.051.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <route_origin action="create" type="query" self_id="42"/>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.052.xml b/rpkid/left-right-protocol-samples/pdu.052.xml
new file mode 100644
index 00000000..87ab3b1d
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.052.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <route_origin action="create" type="reply" self_id="42" route_origin_id="88"/>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.053.xml b/rpkid/left-right-protocol-samples/pdu.053.xml
new file mode 100644
index 00000000..a36dc495
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.053.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <route_origin action="set" type="query" self_id="42" route_origin_id="88" suppress_publication="yes" as_number="12345" ipv4="10.0.0.44/32,10.2.0.6-10.2.0.77" ipv6="2002:a00::/48,2002:a02:6::-2002:a02:4d::"/>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.054.xml b/rpkid/left-right-protocol-samples/pdu.054.xml
new file mode 100644
index 00000000..263b189c
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.054.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <route_origin action="set" type="reply" self_id="42" route_origin_id="88"/>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.055.xml b/rpkid/left-right-protocol-samples/pdu.055.xml
new file mode 100644
index 00000000..44a6af0b
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.055.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <route_origin action="get" type="query" self_id="42" route_origin_id="88"/>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.056.xml b/rpkid/left-right-protocol-samples/pdu.056.xml
new file mode 100644
index 00000000..554cf859
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.056.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <route_origin action="get" type="reply" self_id="42" route_origin_id="88" as_number="12345" ipv4="10.0.0.44/32,10.2.0.6-10.2.0.77" ipv6="2002:a00::/48,2002:a02:6::-2002:a02:4d::"/>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.057.xml b/rpkid/left-right-protocol-samples/pdu.057.xml
new file mode 100644
index 00000000..3eaa4d01
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.057.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <route_origin action="list" type="query" self_id="42"/>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.058.xml b/rpkid/left-right-protocol-samples/pdu.058.xml
new file mode 100644
index 00000000..d4d72210
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.058.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <route_origin action="list" type="reply" self_id="42" route_origin_id="88" as_number="12345" ipv4="10.0.0.44/32,10.2.0.6-10.2.0.77" ipv6="2002:a00::/48,2002:a02:6::-2002:a02:4d::"/>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.059.xml b/rpkid/left-right-protocol-samples/pdu.059.xml
new file mode 100644
index 00000000..1d352b83
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.059.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <route_origin action="destroy" type="query" self_id="42" route_origin_id="88"/>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.060.xml b/rpkid/left-right-protocol-samples/pdu.060.xml
new file mode 100644
index 00000000..5e651518
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.060.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <route_origin action="destroy" type="reply" self_id="42" route_origin_id="88"/>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.061.xml b/rpkid/left-right-protocol-samples/pdu.061.xml
new file mode 100644
index 00000000..05c6ef32
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.061.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <list_resources type="query" self_id="42" child_id="289"/>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.062.xml b/rpkid/left-right-protocol-samples/pdu.062.xml
new file mode 100644
index 00000000..5d218eb1
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.062.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <list_resources type="reply" self_id="42" child_id="289" valid_until="2008-04-01T00:00:00Z" subject_name="Wombats are us" ipv4="10.0.0.44/32,10.3.0.44/32" ipv6="fe80:deed:f00d::/48,fe80:dead:beef:2::-fe80:dead:beef:2::49" as="666"/>
+</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.063.xml b/rpkid/left-right-protocol-samples/pdu.063.xml
new file mode 100644
index 00000000..6b9f5cb2
--- /dev/null
+++ b/rpkid/left-right-protocol-samples/pdu.063.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1">
+ <report_error self_id="42" error_code="your_hair_is_on_fire">bag_of_data</report_error>
+</msg>
diff --git a/rpkid/left-right-schema.rnc b/rpkid/left-right-schema.rnc
new file mode 100644
index 00000000..44ae964f
--- /dev/null
+++ b/rpkid/left-right-schema.rnc
@@ -0,0 +1,208 @@
+# $Id$
+#
+# RelaxNG (Compact Syntax) Schema for RPKI left-right protocol.
+#
+# libxml2 (including xmllint) only groks the XML syntax of RelaxNG, so
+# run the compact syntax through trang to get XML syntax.
+
+default namespace = "http://www.hactrn.net/uris/rpki/left-right-spec/"
+
+# Top level PDU
+
+start = element msg {
+ attribute version { xsd:positiveInteger { maxInclusive="1" } },
+ ( self_elt | bsc_elt | parent_elt | child_elt | repository_elt | ro_elt |
+ list_resources_elt | report_error_elt )*
+}
+
+# Tag attributes for bulk operations
+tag = attribute tag { xsd:token {maxLength="1024" } }?
+
+# Combinations of action and type attributes used in later definitions.
+# The same patterns repeat in most of the elements in this protocol.
+
+ctl_cq = attribute action { "create" }, attribute type { "query" }, tag
+ctl_sq = attribute action { "set" }, attribute type { "query" }, tag
+ctl_gq = attribute action { "get" }, attribute type { "query" }, tag
+ctl_lq = attribute action { "list" }, attribute type { "query" }, tag
+ctl_dq = attribute action { "destroy" }, attribute type { "query" }, tag
+ctl_cr = attribute action { "create" }, attribute type { "reply" }, tag
+ctl_sr = attribute action { "set" }, attribute type { "reply" }, tag
+ctl_gr = attribute action { "get" }, attribute type { "reply" }, tag
+ctl_lr = attribute action { "list" }, attribute type { "reply" }, tag
+ctl_dr = attribute action { "destroy" }, attribute type { "reply" }, tag
+
+# Base64 encoded DER stuff
+base64 = xsd:base64Binary { maxLength="512000" }
+
+# How we wrap trust anchor elements
+cms_ta = element cms_ta { base64 }
+https_ta = element https_ta { base64 }
+
+# Base definition for all fields that are really just SQL primary indices
+sql_id = xsd:token { maxLength="1024" }
+
+# <self/> element
+
+self_bool = (attribute rekey { "yes" }?,
+ attribute reissue { "yes" }?,
+ attribute revoke { "yes" }?,
+ attribute run_now { "yes" }?,
+ attribute publish_world_now { "yes" }?,
+ attribute clear_extension_preferences { "yes" }?)
+
+self_payload = (attribute use_hsm { "yes" | "no" }?,
+ attribute crl_interval { xsd:token { maxLength="1024" } }?,
+ element extension_preference {
+ attribute name { xsd:token { maxLength="1024" } },
+ xsd:string { maxLength="512000" }
+ }*)
+
+self_id = attribute self_id { sql_id }
+
+self_elt |= element self { ctl_cq, self_bool, self_payload }
+self_elt |= element self { ctl_cr, self_id }
+self_elt |= element self { ctl_sq, self_id, self_bool, self_payload }
+self_elt |= element self { ctl_sr, self_id }
+self_elt |= element self { ctl_gq, self_id }
+self_elt |= element self { ctl_gr, self_id, self_payload }
+self_elt |= element self { ctl_lq }
+self_elt |= element self { ctl_lr, self_id, self_payload }
+self_elt |= element self { ctl_dq, self_id }
+self_elt |= element self { ctl_dr, self_id }
+
+# <bsc/> element. Key parameters hardwired for now.
+
+bsc_bool = ((attribute generate_keypair { "yes" },
+ attribute key_type { "rsa" }?,
+ attribute hash_alg { "sha256" }?,
+ attribute key_length { "2048" }?)?,
+ attribute clear_signing_certs { "yes" }?)
+
+bsc_id = attribute bsc_id { sql_id }
+
+bsc_payload = (element signing_cert { base64 }*,
+ element public_key { base64 }?)
+
+bsc_pkcs10 = element pkcs10_cert_request { base64 }?
+
+bsc_elt |= element bsc { ctl_cq, self_id, bsc_bool, bsc_payload }
+bsc_elt |= element bsc { ctl_cr, self_id, bsc_id, bsc_pkcs10 }
+bsc_elt |= element bsc { ctl_sq, self_id, bsc_id, bsc_bool, bsc_payload }
+bsc_elt |= element bsc { ctl_sr, self_id, bsc_id, bsc_pkcs10 }
+bsc_elt |= element bsc { ctl_gq, self_id, bsc_id }
+bsc_elt |= element bsc { ctl_gr, self_id, bsc_id, bsc_payload }
+bsc_elt |= element bsc { ctl_lq, self_id }
+bsc_elt |= element bsc { ctl_lr, self_id, bsc_id, bsc_payload }
+bsc_elt |= element bsc { ctl_dq, self_id, bsc_id }
+bsc_elt |= element bsc { ctl_dr, self_id, bsc_id }
+
+# <parent/> element
+
+parent_id = attribute parent_id { sql_id }
+
+parent_bool = (attribute rekey { "yes" }?,
+ attribute reissue { "yes" }?,
+ attribute revoke { "yes" }?)
+
+parent_payload = (attribute peer_contact_uri { xsd:anyURI { maxLength="1024" } }?,
+ attribute sia_base { xsd:anyURI { maxLength="1024" } }?,
+ attribute bsc_id { xsd:token { maxLength="1024" } }?,
+ attribute repository_id { xsd:token { maxLength="1024" } }?,
+ attribute sender_name { xsd:token { maxLength="1024" } }?,
+ attribute recipient_name { xsd:token { maxLength="1024" } }?,
+ cms_ta?,
+ https_ta?)
+
+parent_elt |= element parent { ctl_cq, self_id, parent_bool, parent_payload }
+parent_elt |= element parent { ctl_cr, self_id, parent_id }
+parent_elt |= element parent { ctl_sq, self_id, parent_id, parent_bool, parent_payload }
+parent_elt |= element parent { ctl_sr, self_id, parent_id }
+parent_elt |= element parent { ctl_gq, self_id, parent_id }
+parent_elt |= element parent { ctl_gr, self_id, parent_id, parent_payload }
+parent_elt |= element parent { ctl_lq, self_id }
+parent_elt |= element parent { ctl_lr, self_id, parent_id, parent_payload }
+parent_elt |= element parent { ctl_dq, self_id, parent_id }
+parent_elt |= element parent { ctl_dr, self_id, parent_id }
+
+# <child/> element
+
+child_id = attribute child_id { sql_id }
+
+child_bool = attribute reissue { "yes" }?
+
+child_payload = (attribute bsc_id { xsd:token { maxLength="1024" } }?,
+ cms_ta?)
+
+child_elt |= element child { ctl_cq, self_id, child_bool, child_payload }
+child_elt |= element child { ctl_cr, self_id, child_id }
+child_elt |= element child { ctl_sq, self_id, child_id, child_bool, child_payload }
+child_elt |= element child { ctl_sr, self_id, child_id }
+child_elt |= element child { ctl_gq, self_id, child_id }
+child_elt |= element child { ctl_gr, self_id, child_id, child_payload }
+child_elt |= element child { ctl_lq, self_id }
+child_elt |= element child { ctl_lr, self_id, child_id, child_payload }
+child_elt |= element child { ctl_dq, self_id, child_id }
+child_elt |= element child { ctl_dr, self_id, child_id }
+
+# <repository/> element
+
+repository_id = attribute repository_id { sql_id }
+
+repository_payload = (attribute peer_contact_uri { xsd:anyURI { maxLength="1024" } }?,
+ attribute bsc_id { xsd:token { maxLength="1024" } }?,
+ cms_ta?,
+ https_ta?)
+
+repository_elt |= element repository { ctl_cq, self_id, repository_payload }
+repository_elt |= element repository { ctl_cr, self_id, repository_id }
+repository_elt |= element repository { ctl_sq, self_id, repository_id, repository_payload }
+repository_elt |= element repository { ctl_sr, self_id, repository_id }
+repository_elt |= element repository { ctl_gq, self_id, repository_id }
+repository_elt |= element repository { ctl_gr, self_id, repository_id, repository_payload }
+repository_elt |= element repository { ctl_lq, self_id }
+repository_elt |= element repository { ctl_lr, self_id, repository_id, repository_payload }
+repository_elt |= element repository { ctl_dq, self_id, repository_id }
+repository_elt |= element repository { ctl_dr, self_id, repository_id }
+
+# <route_origin/> element
+
+ro_id = attribute route_origin_id { sql_id }
+
+ro_bool = attribute suppress_publication { "yes" }?
+
+ro_payload = (attribute as_number { xsd:token { maxLength="1024" } }?,
+ attribute ipv4 { xsd:token { maxLength="1024" } }?,
+ attribute ipv6 { xsd:token { maxLength="1024" } }?)
+
+ro_elt |= element route_origin { ctl_cq, self_id, ro_bool, ro_payload }
+ro_elt |= element route_origin { ctl_cr, self_id, ro_id }
+ro_elt |= element route_origin { ctl_sq, self_id, ro_id, ro_bool, ro_payload }
+ro_elt |= element route_origin { ctl_sr, self_id, ro_id }
+ro_elt |= element route_origin { ctl_gq, self_id, ro_id }
+ro_elt |= element route_origin { ctl_gr, self_id, ro_id, ro_payload }
+ro_elt |= element route_origin { ctl_lq, self_id }
+ro_elt |= element route_origin { ctl_lr, self_id, ro_id, ro_payload }
+ro_elt |= element route_origin { ctl_dq, self_id, ro_id }
+ro_elt |= element route_origin { ctl_dr, self_id, ro_id }
+
+# <list_resources/> element
+
+list_resources_elt = element list_resources {
+ ( attribute type { "query" }, tag, self_id, child_id ) |
+ ( attribute type { "reply" }, tag, self_id, child_id,
+ attribute valid_until { xsd:token { maxLength="1024" } },
+ attribute subject_name { xsd:token { maxLength="1024" } }?,
+ attribute as { xsd:token { maxLength="1024" } }?,
+ attribute ipv4 { xsd:token { maxLength="1024" } }?,
+ attribute ipv6 { xsd:token { maxLength="1024" } }?
+ )
+}
+
+# <report_error/> element
+
+report_error_elt = element report_error {
+ tag, self_id,
+ attribute error_code { xsd:token { maxLength="1024" } },
+ xsd:string { maxLength="512000" }?
+}
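Review bot: `sql_id` is declared as `xsd:token { maxLength="1024" }` even though its own comment calls these fields SQL primary indices, so validation accepts any non-numeric string of up to 1024 characters as an identifier and leaves the numeric check to whatever consumes the PDU. The schema already uses `xsd:positiveInteger` for `version`, so I would tighten this to `sql_id = xsd:nonNegativeInteger`, ideally with a `maxInclusive` facet matching the column type, which this hunk does not show. The `bsc_id` and `repository_id` attributes in `parent_payload`, `child_payload` and `repository_payload` spell out `xsd:token { maxLength="1024" }` instead of referencing `sql_id`; they should become `attribute bsc_id { sql_id }?` and `attribute repository_id { sql_id }?`, or the tightening will miss them. In the same spirit, `valid_until` in `list_resources_elt` could be `xsd:dateTime` rather than a free token. The header comment suggests left-right-schema.rng is produced from this file with trang, so it would need regenerating after any of these changes.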
diff --git a/rpkid/left-right-schema.rng b/rpkid/left-right-schema.rng
new file mode 100644
index 00000000..e0917fa9
--- /dev/null
+++ b/rpkid/left-right-schema.rng
@@ -0,0 +1,948 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ $Id$
+
+ RelaxNG (Compact Syntax) Schema for RPKI left-right protocol.
+
+ libxml2 (including xmllint) only groks the XML syntax of RelaxNG, so
+ run the compact syntax through trang to get XML syntax.
+-->
+<grammar ns="http://www.hactrn.net/uris/rpki/left-right-spec/" xmlns="http://relaxng.org/ns/structure/1.0" datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes">
+ <!-- Top level PDU -->
+ <start>
+ <element name="msg">
+ <attribute name="version">
+ <data type="positiveInteger">
+ <param name="maxInclusive">1</param>
+ </data>
+ </attribute>
+ <zeroOrMore>
+ <choice>
+ <ref name="self_elt"/>
+ <ref name="bsc_elt"/>
+ <ref name="parent_elt"/>
+ <ref name="child_elt"/>
+ <ref name="repository_elt"/>
+ <ref name="ro_elt"/>
+ <ref name="list_resources_elt"/>
+ <ref name="report_error_elt"/>
+ </choice>
+ </zeroOrMore>
+ </element>
+ </start>
+ <!-- Tag attributes for bulk operations -->
+ <define name="tag">
+ <optional>
+ <attribute name="tag">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ </optional>
+ </define>
+ <!--
+ Combinations of action and type attributes used in later definitions.
+ The same patterns repeat in most of the elements in this protocol.
+ -->
+ <define name="ctl_cq">
+ <attribute name="action">
+ <value>create</value>
+ </attribute>
+ <attribute name="type">
+ <value>query</value>
+ </attribute>
+ <ref name="tag"/>
+ </define>
+ <define name="ctl_sq">
+ <attribute name="action">
+ <value>set</value>
+ </attribute>
+ <attribute name="type">
+ <value>query</value>
+ </attribute>
+ <ref name="tag"/>
+ </define>
+ <define name="ctl_gq">
+ <attribute name="action">
+ <value>get</value>
+ </attribute>
+ <attribute name="type">
+ <value>query</value>
+ </attribute>
+ <ref name="tag"/>
+ </define>
+ <define name="ctl_lq">
+ <attribute name="action">
+ <value>list</value>
+ </attribute>
+ <attribute name="type">
+ <value>query</value>
+ </attribute>
+ <ref name="tag"/>
+ </define>
+ <define name="ctl_dq">
+ <attribute name="action">
+ <value>destroy</value>
+ </attribute>
+ <attribute name="type">
+ <value>query</value>
+ </attribute>
+ <ref name="tag"/>
+ </define>
+ <define name="ctl_cr">
+ <attribute name="action">
+ <value>create</value>
+ </attribute>
+ <attribute name="type">
+ <value>reply</value>
+ </attribute>
+ <ref name="tag"/>
+ </define>
+ <define name="ctl_sr">
+ <attribute name="action">
+ <value>set</value>
+ </attribute>
+ <attribute name="type">
+ <value>reply</value>
+ </attribute>
+ <ref name="tag"/>
+ </define>
+ <define name="ctl_gr">
+ <attribute name="action">
+ <value>get</value>
+ </attribute>
+ <attribute name="type">
+ <value>reply</value>
+ </attribute>
+ <ref name="tag"/>
+ </define>
+ <define name="ctl_lr">
+ <attribute name="action">
+ <value>list</value>
+ </attribute>
+ <attribute name="type">
+ <value>reply</value>
+ </attribute>
+ <ref name="tag"/>
+ </define>
+ <define name="ctl_dr">
+ <attribute name="action">
+ <value>destroy</value>
+ </attribute>
+ <attribute name="type">
+ <value>reply</value>
+ </attribute>
+ <ref name="tag"/>
+ </define>
+ <!-- Base64 encoded DER stuff -->
+ <define name="base64">
+ <data type="base64Binary">
+ <param name="maxLength">512000</param>
+ </data>
+ </define>
+ <!-- How we wrap trust anchor elements -->
+ <define name="cms_ta">
+ <element name="cms_ta">
+ <ref name="base64"/>
+ </element>
+ </define>
+ <define name="https_ta">
+ <element name="https_ta">
+ <ref name="base64"/>
+ </element>
+ </define>
+ <!-- Base definition for all fields that are really just SQL primary indices -->
+ <define name="sql_id">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </define>
+ <!-- <self/> element -->
+ <define name="self_bool">
+ <optional>
+ <attribute name="rekey">
+ <value>yes</value>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="reissue">
+ <value>yes</value>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="revoke">
+ <value>yes</value>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="run_now">
+ <value>yes</value>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="publish_world_now">
+ <value>yes</value>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="clear_extension_preferences">
+ <value>yes</value>
+ </attribute>
+ </optional>
+ </define>
+ <define name="self_payload">
+ <optional>
+ <attribute name="use_hsm">
+ <choice>
+ <value>yes</value>
+ <value>no</value>
+ </choice>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="crl_interval">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ </optional>
+ <zeroOrMore>
+ <element name="extension_preference">
+ <attribute name="name">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ <data type="string">
+ <param name="maxLength">512000</param>
+ </data>
+ </element>
+ </zeroOrMore>
+ </define>
+ <define name="self_id">
+ <attribute name="self_id">
+ <ref name="sql_id"/>
+ </attribute>
+ </define>
+ <define name="self_elt" combine="choice">
+ <element name="self">
+ <ref name="ctl_cq"/>
+ <ref name="self_bool"/>
+ <ref name="self_payload"/>
+ </element>
+ </define>
+ <define name="self_elt" combine="choice">
+ <element name="self">
+ <ref name="ctl_cr"/>
+ <ref name="self_id"/>
+ </element>
+ </define>
+ <define name="self_elt" combine="choice">
+ <element name="self">
+ <ref name="ctl_sq"/>
+ <ref name="self_id"/>
+ <ref name="self_bool"/>
+ <ref name="self_payload"/>
+ </element>
+ </define>
+ <define name="self_elt" combine="choice">
+ <element name="self">
+ <ref name="ctl_sr"/>
+ <ref name="self_id"/>
+ </element>
+ </define>
+ <define name="self_elt" combine="choice">
+ <element name="self">
+ <ref name="ctl_gq"/>
+ <ref name="self_id"/>
+ </element>
+ </define>
+ <define name="self_elt" combine="choice">
+ <element name="self">
+ <ref name="ctl_gr"/>
+ <ref name="self_id"/>
+ <ref name="self_payload"/>
+ </element>
+ </define>
+ <define name="self_elt" combine="choice">
+ <element name="self">
+ <ref name="ctl_lq"/>
+ </element>
+ </define>
+ <define name="self_elt" combine="choice">
+ <element name="self">
+ <ref name="ctl_lr"/>
+ <ref name="self_id"/>
+ <ref name="self_payload"/>
+ </element>
+ </define>
+ <define name="self_elt" combine="choice">
+ <element name="self">
+ <ref name="ctl_dq"/>
+ <ref name="self_id"/>
+ </element>
+ </define>
+ <define name="self_elt" combine="choice">
+ <element name="self">
+ <ref name="ctl_dr"/>
+ <ref name="self_id"/>
+ </element>
+ </define>
+ <!-- <bsc/> element. Key parameters hardwired for now. -->
+ <define name="bsc_bool">
+ <optional>
+ <attribute name="generate_keypair">
+ <value>yes</value>
+ </attribute>
+ <optional>
+ <attribute name="key_type">
+ <value>rsa</value>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="hash_alg">
+ <value>sha256</value>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="key_length">
+ <value>2048</value>
+ </attribute>
+ </optional>
+ </optional>
+ <optional>
+ <attribute name="clear_signing_certs">
+ <value>yes</value>
+ </attribute>
+ </optional>
+ </define>
+ <define name="bsc_id">
+ <attribute name="bsc_id">
+ <ref name="sql_id"/>
+ </attribute>
+ </define>
+ <define name="bsc_payload">
+ <zeroOrMore>
+ <element name="signing_cert">
+ <ref name="base64"/>
+ </element>
+ </zeroOrMore>
+ <optional>
+ <element name="public_key">
+ <ref name="base64"/>
+ </element>
+ </optional>
+ </define>
+ <define name="bsc_pkcs10">
+ <optional>
+ <element name="pkcs10_cert_request">
+ <ref name="base64"/>
+ </element>
+ </optional>
+ </define>
+ <define name="bsc_elt" combine="choice">
+ <element name="bsc">
+ <ref name="ctl_cq"/>
+ <ref name="self_id"/>
+ <ref name="bsc_bool"/>
+ <ref name="bsc_payload"/>
+ </element>
+ </define>
+ <define name="bsc_elt" combine="choice">
+ <element name="bsc">
+ <ref name="ctl_cr"/>
+ <ref name="self_id"/>
+ <ref name="bsc_id"/>
+ <ref name="bsc_pkcs10"/>
+ </element>
+ </define>
+ <define name="bsc_elt" combine="choice">
+ <element name="bsc">
+ <ref name="ctl_sq"/>
+ <ref name="self_id"/>
+ <ref name="bsc_id"/>
+ <ref name="bsc_bool"/>
+ <ref name="bsc_payload"/>
+ </element>
+ </define>
+ <define name="bsc_elt" combine="choice">
+ <element name="bsc">
+ <ref name="ctl_sr"/>
+ <ref name="self_id"/>
+ <ref name="bsc_id"/>
+ <ref name="bsc_pkcs10"/>
+ </element>
+ </define>
+ <define name="bsc_elt" combine="choice">
+ <element name="bsc">
+ <ref name="ctl_gq"/>
+ <ref name="self_id"/>
+ <ref name="bsc_id"/>
+ </element>
+ </define>
+ <define name="bsc_elt" combine="choice">
+ <element name="bsc">
+ <ref name="ctl_gr"/>
+ <ref name="self_id"/>
+ <ref name="bsc_id"/>
+ <ref name="bsc_payload"/>
+ </element>
+ </define>
+ <define name="bsc_elt" combine="choice">
+ <element name="bsc">
+ <ref name="ctl_lq"/>
+ <ref name="self_id"/>
+ </element>
+ </define>
+ <define name="bsc_elt" combine="choice">
+ <element name="bsc">
+ <ref name="ctl_lr"/>
+ <ref name="self_id"/>
+ <ref name="bsc_id"/>
+ <ref name="bsc_payload"/>
+ </element>
+ </define>
+ <define name="bsc_elt" combine="choice">
+ <element name="bsc">
+ <ref name="ctl_dq"/>
+ <ref name="self_id"/>
+ <ref name="bsc_id"/>
+ </element>
+ </define>
+ <define name="bsc_elt" combine="choice">
+ <element name="bsc">
+ <ref name="ctl_dr"/>
+ <ref name="self_id"/>
+ <ref name="bsc_id"/>
+ </element>
+ </define>
+ <!-- <parent/> element -->
+ <define name="parent_id">
+ <attribute name="parent_id">
+ <ref name="sql_id"/>
+ </attribute>
+ </define>
+ <define name="parent_bool">
+ <optional>
+ <attribute name="rekey">
+ <value>yes</value>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="reissue">
+ <value>yes</value>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="revoke">
+ <value>yes</value>
+ </attribute>
+ </optional>
+ </define>
+ <define name="parent_payload">
+ <optional>
+ <attribute name="peer_contact_uri">
+ <data type="anyURI">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="sia_base">
+ <data type="anyURI">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="bsc_id">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="repository_id">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="sender_name">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="recipient_name">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ </optional>
+ <optional>
+ <ref name="cms_ta"/>
+ </optional>
+ <optional>
+ <ref name="https_ta"/>
+ </optional>
+ </define>
+ <define name="parent_elt" combine="choice">
+ <element name="parent">
+ <ref name="ctl_cq"/>
+ <ref name="self_id"/>
+ <ref name="parent_bool"/>
+ <ref name="parent_payload"/>
+ </element>
+ </define>
+ <define name="parent_elt" combine="choice">
+ <element name="parent">
+ <ref name="ctl_cr"/>
+ <ref name="self_id"/>
+ <ref name="parent_id"/>
+ </element>
+ </define>
+ <define name="parent_elt" combine="choice">
+ <element name="parent">
+ <ref name="ctl_sq"/>
+ <ref name="self_id"/>
+ <ref name="parent_id"/>
+ <ref name="parent_bool"/>
+ <ref name="parent_payload"/>
+ </element>
+ </define>
+ <define name="parent_elt" combine="choice">
+ <element name="parent">
+ <ref name="ctl_sr"/>
+ <ref name="self_id"/>
+ <ref name="parent_id"/>
+ </element>
+ </define>
+ <define name="parent_elt" combine="choice">
+ <element name="parent">
+ <ref name="ctl_gq"/>
+ <ref name="self_id"/>
+ <ref name="parent_id"/>
+ </element>
+ </define>
+ <define name="parent_elt" combine="choice">
+ <element name="parent">
+ <ref name="ctl_gr"/>
+ <ref name="self_id"/>
+ <ref name="parent_id"/>
+ <ref name="parent_payload"/>
+ </element>
+ </define>
+ <define name="parent_elt" combine="choice">
+ <element name="parent">
+ <ref name="ctl_lq"/>
+ <ref name="self_id"/>
+ </element>
+ </define>
+ <define name="parent_elt" combine="choice">
+ <element name="parent">
+ <ref name="ctl_lr"/>
+ <ref name="self_id"/>
+ <ref name="parent_id"/>
+ <ref name="parent_payload"/>
+ </element>
+ </define>
+ <define name="parent_elt" combine="choice">
+ <element name="parent">
+ <ref name="ctl_dq"/>
+ <ref name="self_id"/>
+ <ref name="parent_id"/>
+ </element>
+ </define>
+ <define name="parent_elt" combine="choice">
+ <element name="parent">
+ <ref name="ctl_dr"/>
+ <ref name="self_id"/>
+ <ref name="parent_id"/>
+ </element>
+ </define>
+ <!-- <child/> element -->
+ <define name="child_id">
+ <attribute name="child_id">
+ <ref name="sql_id"/>
+ </attribute>
+ </define>
+ <define name="child_bool">
+ <optional>
+ <attribute name="reissue">
+ <value>yes</value>
+ </attribute>
+ </optional>
+ </define>
+ <define name="child_payload">
+ <optional>
+ <attribute name="bsc_id">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ </optional>
+ <optional>
+ <ref name="cms_ta"/>
+ </optional>
+ </define>
+ <define name="child_elt" combine="choice">
+ <element name="child">
+ <ref name="ctl_cq"/>
+ <ref name="self_id"/>
+ <ref name="child_bool"/>
+ <ref name="child_payload"/>
+ </element>
+ </define>
+ <define name="child_elt" combine="choice">
+ <element name="child">
+ <ref name="ctl_cr"/>
+ <ref name="self_id"/>
+ <ref name="child_id"/>
+ </element>
+ </define>
+ <define name="child_elt" combine="choice">
+ <element name="child">
+ <ref name="ctl_sq"/>
+ <ref name="self_id"/>
+ <ref name="child_id"/>
+ <ref name="child_bool"/>
+ <ref name="child_payload"/>
+ </element>
+ </define>
+ <define name="child_elt" combine="choice">
+ <element name="child">
+ <ref name="ctl_sr"/>
+ <ref name="self_id"/>
+ <ref name="child_id"/>
+ </element>
+ </define>
+ <define name="child_elt" combine="choice">
+ <element name="child">
+ <ref name="ctl_gq"/>
+ <ref name="self_id"/>
+ <ref name="child_id"/>
+ </element>
+ </define>
+ <define name="child_elt" combine="choice">
+ <element name="child">
+ <ref name="ctl_gr"/>
+ <ref name="self_id"/>
+ <ref name="child_id"/>
+ <ref name="child_payload"/>
+ </element>
+ </define>
+ <define name="child_elt" combine="choice">
+ <element name="child">
+ <ref name="ctl_lq"/>
+ <ref name="self_id"/>
+ </element>
+ </define>
+ <define name="child_elt" combine="choice">
+ <element name="child">
+ <ref name="ctl_lr"/>
+ <ref name="self_id"/>
+ <ref name="child_id"/>
+ <ref name="child_payload"/>
+ </element>
+ </define>
+ <define name="child_elt" combine="choice">
+ <element name="child">
+ <ref name="ctl_dq"/>
+ <ref name="self_id"/>
+ <ref name="child_id"/>
+ </element>
+ </define>
+ <define name="child_elt" combine="choice">
+ <element name="child">
+ <ref name="ctl_dr"/>
+ <ref name="self_id"/>
+ <ref name="child_id"/>
+ </element>
+ </define>
+ <!-- <repository/> element -->
+ <define name="repository_id">
+ <attribute name="repository_id">
+ <ref name="sql_id"/>
+ </attribute>
+ </define>
+ <define name="repository_payload">
+ <optional>
+ <attribute name="peer_contact_uri">
+ <data type="anyURI">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="bsc_id">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ </optional>
+ <optional>
+ <ref name="cms_ta"/>
+ </optional>
+ <optional>
+ <ref name="https_ta"/>
+ </optional>
+ </define>
+ <define name="repository_elt" combine="choice">
+ <element name="repository">
+ <ref name="ctl_cq"/>
+ <ref name="self_id"/>
+ <ref name="repository_payload"/>
+ </element>
+ </define>
+ <define name="repository_elt" combine="choice">
+ <element name="repository">
+ <ref name="ctl_cr"/>
+ <ref name="self_id"/>
+ <ref name="repository_id"/>
+ </element>
+ </define>
+ <define name="repository_elt" combine="choice">
+ <element name="repository">
+ <ref name="ctl_sq"/>
+ <ref name="self_id"/>
+ <ref name="repository_id"/>
+ <ref name="repository_payload"/>
+ </element>
+ </define>
+ <define name="repository_elt" combine="choice">
+ <element name="repository">
+ <ref name="ctl_sr"/>
+ <ref name="self_id"/>
+ <ref name="repository_id"/>
+ </element>
+ </define>
+ <define name="repository_elt" combine="choice">
+ <element name="repository">
+ <ref name="ctl_gq"/>
+ <ref name="self_id"/>
+ <ref name="repository_id"/>
+ </element>
+ </define>
+ <define name="repository_elt" combine="choice">
+ <element name="repository">
+ <ref name="ctl_gr"/>
+ <ref name="self_id"/>
+ <ref name="repository_id"/>
+ <ref name="repository_payload"/>
+ </element>
+ </define>
+ <define name="repository_elt" combine="choice">
+ <element name="repository">
+ <ref name="ctl_lq"/>
+ <ref name="self_id"/>
+ </element>
+ </define>
+ <define name="repository_elt" combine="choice">
+ <element name="repository">
+ <ref name="ctl_lr"/>
+ <ref name="self_id"/>
+ <ref name="repository_id"/>
+ <ref name="repository_payload"/>
+ </element>
+ </define>
+ <define name="repository_elt" combine="choice">
+ <element name="repository">
+ <ref name="ctl_dq"/>
+ <ref name="self_id"/>
+ <ref name="repository_id"/>
+ </element>
+ </define>
+ <define name="repository_elt" combine="choice">
+ <element name="repository">
+ <ref name="ctl_dr"/>
+ <ref name="self_id"/>
+ <ref name="repository_id"/>
+ </element>
+ </define>
+ <!-- <route_origin/> element -->
+ <define name="ro_id">
+ <attribute name="route_origin_id">
+ <ref name="sql_id"/>
+ </attribute>
+ </define>
+ <define name="ro_bool">
+ <optional>
+ <attribute name="suppress_publication">
+ <value>yes</value>
+ </attribute>
+ </optional>
+ </define>
+ <define name="ro_payload">
+ <optional>
+ <attribute name="as_number">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="ipv4">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="ipv6">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ </optional>
+ </define>
+ <define name="ro_elt" combine="choice">
+ <element name="route_origin">
+ <ref name="ctl_cq"/>
+ <ref name="self_id"/>
+ <ref name="ro_bool"/>
+ <ref name="ro_payload"/>
+ </element>
+ </define>
+ <define name="ro_elt" combine="choice">
+ <element name="route_origin">
+ <ref name="ctl_cr"/>
+ <ref name="self_id"/>
+ <ref name="ro_id"/>
+ </element>
+ </define>
+ <define name="ro_elt" combine="choice">
+ <element name="route_origin">
+ <ref name="ctl_sq"/>
+ <ref name="self_id"/>
+ <ref name="ro_id"/>
+ <ref name="ro_bool"/>
+ <ref name="ro_payload"/>
+ </element>
+ </define>
+ <define name="ro_elt" combine="choice">
+ <element name="route_origin">
+ <ref name="ctl_sr"/>
+ <ref name="self_id"/>
+ <ref name="ro_id"/>
+ </element>
+ </define>
+ <define name="ro_elt" combine="choice">
+ <element name="route_origin">
+ <ref name="ctl_gq"/>
+ <ref name="self_id"/>
+ <ref name="ro_id"/>
+ </element>
+ </define>
+ <define name="ro_elt" combine="choice">
+ <element name="route_origin">
+ <ref name="ctl_gr"/>
+ <ref name="self_id"/>
+ <ref name="ro_id"/>
+ <ref name="ro_payload"/>
+ </element>
+ </define>
+ <define name="ro_elt" combine="choice">
+ <element name="route_origin">
+ <ref name="ctl_lq"/>
+ <ref name="self_id"/>
+ </element>
+ </define>
+ <define name="ro_elt" combine="choice">
+ <element name="route_origin">
+ <ref name="ctl_lr"/>
+ <ref name="self_id"/>
+ <ref name="ro_id"/>
+ <ref name="ro_payload"/>
+ </element>
+ </define>
+ <define name="ro_elt" combine="choice">
+ <element name="route_origin">
+ <ref name="ctl_dq"/>
+ <ref name="self_id"/>
+ <ref name="ro_id"/>
+ </element>
+ </define>
+ <define name="ro_elt" combine="choice">
+ <element name="route_origin">
+ <ref name="ctl_dr"/>
+ <ref name="self_id"/>
+ <ref name="ro_id"/>
+ </element>
+ </define>
+ <!-- <list_resources/> element -->
+ <define name="list_resources_elt">
+ <element name="list_resources">
+ <choice>
+ <group>
+ <attribute name="type">
+ <value>query</value>
+ </attribute>
+ <ref name="tag"/>
+ <ref name="self_id"/>
+ <ref name="child_id"/>
+ </group>
+ <group>
+ <attribute name="type">
+ <value>reply</value>
+ </attribute>
+ <ref name="tag"/>
+ <ref name="self_id"/>
+ <ref name="child_id"/>
+ <attribute name="valid_until">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ <optional>
+ <attribute name="subject_name">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="as">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="ipv4">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="ipv6">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ </optional>
+ </group>
+ </choice>
+ </element>
+ </define>
+ <!-- <report_error/> element -->
+ <define name="report_error_elt">
+ <element name="report_error">
+ <ref name="tag"/>
+ <ref name="self_id"/>
+ <attribute name="error_code">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ <optional>
+ <data type="string">
+ <param name="maxLength">512000</param>
+ </data>
+ </optional>
+ </element>
+ </define>
+</grammar>
diff --git a/rpkid/make-relaxng.py b/rpkid/make-relaxng.py
new file mode 100644
index 00000000..8011893a
--- /dev/null
+++ b/rpkid/make-relaxng.py
@@ -0,0 +1,27 @@
+# $Id$
+
+# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+"""Script to generate rpki/relaxng.py."""
+
+print "# Automatically generated, do not edit."
+print
+print "import lxml.etree"
+
+for varname, filename in (("left_right", "left-right-schema.rng"),
+ ("up_down", "up-down-schema.rng")):
+ f = open(filename)
+ print "\n## @var %s\n## Parsed RelaxNG %s schema\n%s = lxml.etree.RelaxNG(lxml.etree.fromstring('''%s'''))" % (varname, varname, varname, f.read())
+ f.close()
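Review bot: The `print` line in the `for` loop splices the raw schema text between `'''` quotes with `%s`, so any backslash sequence or `'''` inside an .rng file is reinterpreted as Python source in the generated rpki/relaxng.py instead of being kept as data. Emitting a quoted literal keeps the content inert, at the cost of a less readable generated file: `... = lxml.etree.RelaxNG(lxml.etree.fromstring(%r))" % (varname, varname, varname, f.read())`. Both schema files are the project's own, so this is a robustness point rather than an exposure today, but the generator should not depend on that. Wrapping the read in `try`/`finally` would also close `f` if the `print` fails.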
diff --git a/rpkid/resource-cert-samples.py b/rpkid/resource-cert-samples.py
new file mode 100644
index 00000000..987734cc
--- /dev/null
+++ b/rpkid/resource-cert-samples.py
@@ -0,0 +1,248 @@
+# $Id$
+
+# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+"""Generate an RPKI test repository.
+
+This script generates a toy RPKI repository for test purposes. It's
+designed to be relatively easy to reconfigure, making it simple to
+test whatever is of interest on a given day, without a lot of setup
+overhead.
+
+Outputs are a bunch of config files for the OpenSSL CLI tool and a
+makefile to drive everything.
+"""
+
+import rpki.resource_set, os
+
+subdir = "resource-cert-samples"
+openssl = "../../openssl/openssl/apps/openssl"
+keybits = 2048
+
+def main():
+ """Main program, including the toy database itself."""
+
+ db = allocation_db()
+ db.add("ISP1", ipv4="192.0.2.1-192.0.2.33", asn="64533")
+ db.add("ISP2", ipv4="192.0.2.44-192.0.2.100")
+ db.add("ISP3", ipv6="2001:db8::44-2001:db8::100")
+ db.add("ISP4", ipv6="2001:db8::10:0:44/128", asn="64544")
+ db.add("ISP5a", ipv4="10.0.0.0/24", ipv6="2001:db8::a00:0/120")
+ db.add("ISP5b", ipv4="10.3.0.0/24", ipv6="2001:db8::a03:0/120")
+ db.add("ISP5c", asn="64534-64540")
+ db.add("LIR1", children=["ISP1", "ISP2"])
+ db.add("LIR2", children=["ISP3", "ISP4"])
+ db.add("LIR3", children=["ISP5a", "ISP5b", "ISP5c"])
+ db.add("RIR", children=["LIR1", "LIR2", "LIR3"])
+
+ if not os.path.isdir(subdir):
+ os.mkdir(subdir)
+
+ for i in db:
+ write_maybe("%s/%s.cnf" % (subdir, i.name), i.cfg_string())
+
+ write_maybe("%s/Makefile" % subdir,
+ "# Automatically generated, do not edit.\n" +
+ "".join([i.makefile_rules() for i in db]))
+
+def write_maybe(name, new_content):
+ """Write a file if and only if its contents have changed.
+ This simplifies interactions with "make".
+ """
+ old_content = None
+ if os.path.isfile(name):
+ f = open(name, "r")
+ old_content = f.read()
+ f.close()
+ if old_content != new_content:
+ print "Writing", name
+ f = open(name, "w")
+ f.write(new_content)
+ f.close()
+
+class allocation_db(list):
+ """Class to represent an allocation database."""
+
+ def __init__(self):
+ self.allocation_map = {}
+
+ def add(self, name, **kw):
+ """Add a new entry to this allocation database.
+ All arguments passed through to the allocation constructor.
+ """
+ self.insert(0, allocation(name = name, allocation_map = self.allocation_map, **kw))
+
+class allocation(object):
+ """Class representing one entity holding allocated resources.
+
+ In order to simplify configuration, this class automatically
+ computes the set of resources that this entity must hold in order to
+ serve both itself and its children.
+ """
+
+ parent = None
+
+ def __init__(self, name, asn = None, ipv4 = None, ipv6 = None, children = [], allocation_map = None):
+ """Create a new allocation entry.
+
+ This binds the parent attributes of any children, and computes the
+ transitive closure of the set of resources this entity needs.
+ """
+ self.name = name
+ self.children = [allocation_map[i] for i in children]
+ for child in self.children:
+ assert child.parent is None
+ child.parent = self
+ self.asn = self.summarize("asn", rpki.resource_set.resource_set_as(asn))
+ self.ipv4 = self.summarize("ipv4", rpki.resource_set.resource_set_ipv4(ipv4))
+ self.ipv6 = self.summarize("ipv6", rpki.resource_set.resource_set_ipv6(ipv6))
+ allocation_map[name] = self
+
+ def summarize(self, attrname, seed = None):
+ """Compute the transitive resource closure for one resource attribute."""
+ if seed is None:
+ seed = getattr(self, attrname)
+ for child in self.children:
+ seed = seed.union(child.summarize(attrname))
+ return seed
+
+ def __str__(self):
+ return "%s\n ASN: %s\n IPv4: %s\n IPv6: %s" % (self.name, self.asn, self.ipv4, self.ipv6)
+
+ def cfg_string(self):
+ """Generate the OpenSSL configuration file needed for this entity."""
+ keys = { "self" : self.name,
+ "keybits" : keybits,
+ "no_parent" : "#",
+ "no_asid" : "#",
+ "no_addr" : "#",
+ "parent" : "???",
+ "asid" : "???",
+ "addr" : "???" }
+ if self.parent:
+ keys["no_parent"] = ""
+ keys["parent"] = self.parent.name
+ if self.asn:
+ keys["no_asid"] = ""
+ keys["asid"] = ",".join(["AS:" + str(x) for x in self.asn])
+ if self.ipv4 or self.ipv6:
+ keys["no_addr"] = ""
+ keys["addr"] = ",".join(["IPv4:" + str(x) for x in self.ipv4] + ["IPv6:" + str(x) for x in self.ipv6])
+ return openssl_cfg_fmt % keys
+
+ def makefile_rules(self):
+ """Generate the makefile rules needed for this entity."""
+ keys = { "self" : self.name,
+ "keybits" : keybits,
+ "openssl" : openssl }
+ if self.parent:
+ keys["signconf"] = "%s.cnf" % self.parent.name
+ keys["signdeps"] = "%s.key" % self.parent.name
+ else:
+ keys["signconf"] = "%s.cnf -selfsign" % self.name
+ keys["signdeps"] = "%s.key" % self.name
+ return makefile_fmt % keys
+
+makefile_fmt = '''\
+
+all:: %(self)s.cer
+
+%(self)s.key:
+ %(openssl)s genrsa -out $@ %(keybits)d
+
+%(self)s.req: %(self)s.key %(self)s.cnf Makefile
+ %(openssl)s req -new -config %(self)s.cnf -key %(self)s.key -out $@
+
+%(self)s.cer: %(self)s.req %(self)s.cnf %(signdeps)s Makefile
+ @test -d %(self)s || mkdir %(self)s
+ @test -f %(self)s/index || touch %(self)s/index
+ @test -f %(self)s/serial || echo 01 >%(self)s/serial
+ %(openssl)s ca -batch -out $@ -in %(self)s.req -extfile %(self)s.cnf -config %(signconf)s
+
+
+show_req::
+ %(openssl)s req -noout -text -in %(self)s.req -config /dev/null
+
+show_cer::
+ %(openssl)s x509 -noout -text -in %(self)s.cer
+'''
+
+openssl_cfg_fmt = '''# Automatically generated, do not edit.
+
+[ ca ]
+default_ca = ca_default
+
+[ ca_default ]
+certificate = %(self)s.cer
+serial = %(self)s/serial
+private_key = %(self)s.key
+database = %(self)s/index
+new_certs_dir = %(self)s
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 365
+default_crl_days = 30
+default_md = sha256
+preserve = no
+copy_extensions = copy
+policy = ca_policy_anything
+unique_subject = no
+x509_extensions = ca_x509_ext
+crl_extensions = crl_x509_ext
+
+[ ca_policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+givenName = optional
+surname = optional
+
+[ req ]
+default_bits = %(keybits)d
+encrypt_key = no
+distinguished_name = req_dn
+req_extensions = req_x509_ext
+prompt = no
+
+[ req_dn ]
+CN = TEST ENTITY %(self)s
+
+[ req_x509_ext ]
+basicConstraints = critical,CA:true
+subjectKeyIdentifier = hash
+keyUsage = critical,keyCertSign,cRLSign
+subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombats-r-us.hactrn.net/%(self)s/
+%(no_parent)sauthorityInfoAccess = caIssuers;URI:rsync://wombats-r-us.hactrn.net/%(parent)s.cer
+%(no_asid)ssbgp-autonomousSysNum = critical,%(asid)s
+%(no_addr)ssbgp-ipAddrBlock = critical,%(addr)s
+
+[ ca_x509_ext ]
+basicConstraints = critical,CA:true
+%(no_parent)sauthorityKeyIdentifier = keyid:always
+keyUsage = critical,keyCertSign,cRLSign
+subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombats-r-us.hactrn.net/%(self)s/
+%(no_parent)sauthorityInfoAccess = caIssuers;URI:rsync://wombats-r-us.hactrn.net/%(parent)s.cer
+%(no_asid)ssbgp-autonomousSysNum = critical,%(asid)s
+%(no_addr)ssbgp-ipAddrBlock = critical,%(addr)s
+
+[ crl_x509_ext ]
+authorityKeyIdentifier = keyid:always
+'''
+
+main()
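Review bot: `openssl_cfg_fmt` combines `copy_extensions = copy` with `policy = ca_policy_anything`, so each CA configured here copies the extensions a request carries into the issued certificate, including `basicConstraints = critical,CA:true` and the `sbgp-*` resource blocks. The only thing keeping a child's resources inside its parent's is the closure computed in `allocation.summarize`. Add to that `encrypt_key = no`, the passphrase-less `genrsa` rule in `makefile_fmt`, and the generated `.key` files added elsewhere in this commit: this is acceptable only for throwaway test material, and nothing in the file says so. I would add a comment above the template such as `# TEST FIXTURE ONLY: the CA copies extensions from the request and keys are unencrypted; never reuse this config or these keys outside tests.` Separately, `assert child.parent is None` in `allocation.__init__` is the only guard against listing a child under two parents and is stripped under `python -O`; `if child.parent is not None: raise ValueError(child.name)` would keep the check.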
diff --git a/rpkid/resource-cert-samples/.stamp b/rpkid/resource-cert-samples/.stamp
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/rpkid/resource-cert-samples/.stamp
diff --git a/rpkid/resource-cert-samples/ISP1.cer b/rpkid/resource-cert-samples/ISP1.cer
new file mode 100644
index 00000000..db526ea5
--- /dev/null
+++ b/rpkid/resource-cert-samples/ISP1.cer
@@ -0,0 +1,93 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 26 (0x1a)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR1
+ Validity
+ Not Before: Oct 29 16:32:34 2007 GMT
+ Not After : Oct 28 16:32:34 2008 GMT
+ Subject: CN=TEST ENTITY ISP1
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:eb:80:54:7a:74:4b:e4:81:15:d0:25:2d:5e:21:
+ be:47:e6:31:ab:e2:fe:79:55:48:b7:36:55:3d:dc:
+ 11:88:5b:b7:36:be:d3:bb:d7:16:8d:f8:4b:f4:c5:
+ bd:34:c4:8e:2c:67:97:e6:27:10:40:c5:36:f4:b6:
+ 6c:b9:29:82:2e:76:b0:29:ea:43:9a:d1:30:de:05:
+ a1:c1:54:7c:17:67:1d:fc:29:dd:80:53:b2:81:30:
+ db:13:ee:3e:e6:5d:c7:bc:3d:a6:11:6d:81:77:b7:
+ 9f:3e:36:df:7c:d6:d2:5a:22:36:68:7c:14:cc:ac:
+ 54:ed:ae:fd:e2:cd:b1:a3:5d:a9:65:ec:1b:8b:4b:
+ cf:80:8e:a6:98:8f:69:b1:a6:35:bd:69:c9:2e:66:
+ 7f:22:11:66:56:c5:75:4c:81:a3:6e:49:71:0d:f5:
+ 75:87:13:e8:62:e8:1a:0c:a8:30:81:6a:be:90:59:
+ 23:3b:61:c0:15:5f:68:bf:b5:c9:3f:af:3a:a2:7f:
+ 80:01:78:f6:f4:55:ca:ee:ca:8d:08:9b:c5:3e:74:
+ 98:02:b2:0b:a6:d8:e8:6e:78:88:7b:95:76:b6:ca:
+ be:f1:80:a9:dd:e8:3c:80:91:ce:3f:fd:0b:dd:b7:
+ d8:a6:8c:94:20:07:19:74:fa:86:ff:cb:97:c3:f6:
+ a4:e7
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 66:EC:29:21:2E:76:83:19:39:ED:8E:ED:B7:06:A8:4C:E5:0E:2E:11
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP1/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR1.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64533
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 192.0.2.1-192.0.2.33
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 2f:cc:ba:e1:32:d5:77:93:89:d2:62:00:83:52:99:02:11:31:
+ 50:c2:8f:84:ba:52:22:cd:76:f0:b6:ef:f1:3d:9e:20:02:11:
+ be:41:38:d0:88:df:2f:8b:f8:86:0c:f7:f4:50:4a:5e:7a:e8:
+ b2:63:9a:dc:eb:0a:eb:c8:a4:3c:b5:83:c8:ef:22:61:28:35:
+ 14:23:1e:be:f6:2b:af:76:59:a3:1c:47:e9:db:60:0f:5a:18:
+ 87:c3:c5:96:27:68:bd:2d:cc:24:e2:b6:e9:8d:5e:7f:ba:d9:
+ bc:7d:5a:14:67:8c:17:40:ea:09:31:4d:83:39:e0:a9:e7:eb:
+ fe:a3:37:cc:f9:45:80:17:20:57:50:be:38:48:6a:e5:4f:13:
+ 55:05:07:2a:7b:9f:f2:da:96:27:a2:df:67:07:44:6c:c5:a7:
+ 14:73:ac:58:97:83:5c:28:e3:4b:f0:18:f7:9d:be:6b:50:e9:
+ 90:c8:64:5c:6d:17:98:ed:8c:ba:b0:2c:26:61:bc:d2:75:a8:
+ 30:63:7a:5e:61:62:aa:91:e8:b2:11:b1:7d:b7:65:46:c9:17:
+ 02:5a:e9:da:96:fa:5d:1b:de:0d:ff:c0:5c:33:b5:81:6e:a5:
+ 3b:cc:11:c8:b0:7e:88:bc:d9:98:2c:96:c1:ed:fe:98:ff:d3:
+ f1:96:e2:5c
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/ISP1.cnf b/rpkid/resource-cert-samples/ISP1.cnf
new file mode 100644
index 00000000..b43440bf
--- /dev/null
+++ b/rpkid/resource-cert-samples/ISP1.cnf
@@ -0,0 +1,64 @@
+# Automatically generated, do not edit.
+
+[ ca ]
+default_ca = ca_default
+
+[ ca_default ]
+certificate = ISP1.cer
+serial = ISP1/serial
+private_key = ISP1.key
+database = ISP1/index
+new_certs_dir = ISP1
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 365
+default_crl_days = 30
+default_md = sha256
+preserve = no
+copy_extensions = copy
+policy = ca_policy_anything
+unique_subject = no
+x509_extensions = ca_x509_ext
+crl_extensions = crl_x509_ext
+
+[ ca_policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+givenName = optional
+surname = optional
+
+[ req ]
+default_bits = 2048
+encrypt_key = no
+distinguished_name = req_dn
+req_extensions = req_x509_ext
+prompt = no
+
+[ req_dn ]
+CN = TEST ENTITY ISP1
+
+[ req_x509_ext ]
+basicConstraints = critical,CA:true
+subjectKeyIdentifier = hash
+keyUsage = critical,keyCertSign,cRLSign
+subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombats-r-us.hactrn.net/ISP1/
+authorityInfoAccess = caIssuers;URI:rsync://wombats-r-us.hactrn.net/LIR1.cer
+sbgp-autonomousSysNum = critical,AS:64533
+sbgp-ipAddrBlock = critical,IPv4:192.0.2.1-192.0.2.33
+
+[ ca_x509_ext ]
+basicConstraints = critical,CA:true
+authorityKeyIdentifier = keyid:always
+keyUsage = critical,keyCertSign,cRLSign
+subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombats-r-us.hactrn.net/ISP1/
+authorityInfoAccess = caIssuers;URI:rsync://wombats-r-us.hactrn.net/LIR1.cer
+sbgp-autonomousSysNum = critical,AS:64533
+sbgp-ipAddrBlock = critical,IPv4:192.0.2.1-192.0.2.33
+
+[ crl_x509_ext ]
+authorityKeyIdentifier = keyid:always
diff --git a/rpkid/resource-cert-samples/ISP1.key b/rpkid/resource-cert-samples/ISP1.key
new file mode 100644
index 00000000..515efd60
--- /dev/null
+++ b/rpkid/resource-cert-samples/ISP1.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/rpkid/resource-cert-samples/ISP1.req b/rpkid/resource-cert-samples/ISP1.req
new file mode 100644
index 00000000..eebdcca1
--- /dev/null
+++ b/rpkid/resource-cert-samples/ISP1.req
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
diff --git a/rpkid/resource-cert-samples/ISP1/index b/rpkid/resource-cert-samples/ISP1/index
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/rpkid/resource-cert-samples/ISP1/index
diff --git a/rpkid/resource-cert-samples/ISP1/serial b/rpkid/resource-cert-samples/ISP1/serial
new file mode 100644
index 00000000..8a0f05e1
--- /dev/null
+++ b/rpkid/resource-cert-samples/ISP1/serial
@@ -0,0 +1 @@
+01
diff --git a/rpkid/resource-cert-samples/ISP2.cer b/rpkid/resource-cert-samples/ISP2.cer
new file mode 100644
index 00000000..e6fdd880
--- /dev/null
+++ b/rpkid/resource-cert-samples/ISP2.cer
@@ -0,0 +1,88 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 25 (0x19)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR1
+ Validity
+ Not Before: Oct 29 16:32:34 2007 GMT
+ Not After : Oct 28 16:32:34 2008 GMT
+ Subject: CN=TEST ENTITY ISP2
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:d0:77:df:c4:21:af:1b:5a:6b:a8:a7:28:d7:43:
+ c8:9b:6d:25:d8:8d:7f:91:2b:e3:95:fd:92:60:ac:
+ 14:12:d7:23:68:85:4b:0e:db:2b:e6:38:e0:48:db:
+ 18:37:8f:40:c0:90:58:0e:3f:09:67:5f:8e:3f:04:
+ 75:06:60:92:42:f3:e4:45:04:35:95:5d:e9:22:42:
+ 2c:f6:5c:a6:7d:79:8c:e1:08:19:7c:35:9d:3a:fd:
+ e7:ff:9b:29:b5:ee:89:47:cc:0d:83:a0:e1:73:af:
+ 1f:09:84:a8:0b:83:cc:79:88:bf:7c:1d:73:d6:ab:
+ 42:1b:64:9a:5c:19:83:2b:9d:e5:ad:4c:58:05:76:
+ 95:70:23:ee:a5:c0:31:ca:a2:a7:c8:1d:1e:f2:c9:
+ f2:3d:38:82:c2:53:e5:54:86:f2:7c:b1:73:e1:dc:
+ e9:86:73:08:ac:59:3b:be:2f:58:c1:42:c5:80:18:
+ 8c:3a:0a:2a:32:f6:fe:28:d0:28:52:83:c6:30:69:
+ 51:90:59:19:9b:d3:d4:c2:e0:52:6a:c1:4e:59:9a:
+ 18:e4:78:2e:57:f9:7f:2b:5d:76:28:c9:c9:c5:7e:
+ e5:43:a1:9b:68:d2:06:1c:be:3f:69:f9:c2:fa:9e:
+ 4f:68:cf:63:6f:db:6d:fc:67:35:c0:b1:6e:0a:37:
+ ec:33
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 73:B2:16:1A:CD:DC:D7:30:60:0F:FA:81:95:F8:A2:F5:4E:95:F3:AD
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP2/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR1.cer
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 192.0.2.44-192.0.2.100
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 3d:68:dd:9f:54:93:58:2f:8b:c5:22:5a:10:22:09:ed:5d:90:
+ c9:57:ea:9f:e9:99:eb:58:42:26:38:81:ef:14:a0:3f:64:ca:
+ 06:ae:87:24:3d:6a:d5:94:b7:78:95:8d:00:7d:5b:eb:6d:2f:
+ 72:ff:4c:a6:a9:a2:cf:9b:fa:41:04:b2:71:b4:cf:eb:91:0e:
+ 71:98:72:05:84:b0:a2:bb:fe:68:6f:e3:92:f9:a6:c9:97:19:
+ 79:c5:39:c0:87:ad:e7:89:bb:bc:84:86:ee:87:55:31:be:da:
+ 26:8d:e8:84:bf:44:94:0b:b4:e5:52:bb:1a:0d:04:d6:a6:3c:
+ 66:ef:d1:44:3b:a1:b2:bc:a3:8e:5a:43:39:28:a0:2a:6a:10:
+ 3b:da:b6:5f:bd:e0:d7:ba:c5:d3:51:de:79:39:8f:92:91:a4:
+ ca:cd:62:b4:66:a1:02:f3:50:91:27:22:1f:bc:3d:68:da:e0:
+ 15:6c:9a:b0:1b:49:e2:53:84:3a:d3:75:09:87:d5:29:d8:58:
+ 86:8d:38:8a:87:fa:2d:43:f0:3a:06:e5:58:e9:32:84:c4:3f:
+ d0:c2:cd:2b:2e:75:ec:d7:dc:3b:39:14:0f:e7:99:23:1f:88:
+ 84:9f:a6:73:90:4b:e4:60:92:07:c5:90:a4:f2:ed:e3:7e:a8:
+ 8c:2d:f6:e8
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/ISP2.cnf b/rpkid/resource-cert-samples/ISP2.cnf
new file mode 100644
index 00000000..befdf77b
--- /dev/null
+++ b/rpkid/resource-cert-samples/ISP2.cnf
@@ -0,0 +1,64 @@
+# Automatically generated, do not edit.
+
+[ ca ]
+default_ca = ca_default
+
+[ ca_default ]
+certificate = ISP2.cer
+serial = ISP2/serial
+private_key = ISP2.key
+database = ISP2/index
+new_certs_dir = ISP2
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 365
+default_crl_days = 30
+default_md = sha256
+preserve = no
+copy_extensions = copy
+policy = ca_policy_anything
+unique_subject = no
+x509_extensions = ca_x509_ext
+crl_extensions = crl_x509_ext
+
+[ ca_policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+givenName = optional
+surname = optional
+
+[ req ]
+default_bits = 2048
+encrypt_key = no
+distinguished_name = req_dn
+req_extensions = req_x509_ext
+prompt = no
+
+[ req_dn ]
+CN = TEST ENTITY ISP2
+
+[ req_x509_ext ]
+basicConstraints = critical,CA:true
+subjectKeyIdentifier = hash
+keyUsage = critical,keyCertSign,cRLSign
+subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombats-r-us.hactrn.net/ISP2/
+authorityInfoAccess = caIssuers;URI:rsync://wombats-r-us.hactrn.net/LIR1.cer
+#sbgp-autonomousSysNum = critical,???
+sbgp-ipAddrBlock = critical,IPv4:192.0.2.44-192.0.2.100
+
+[ ca_x509_ext ]
+basicConstraints = critical,CA:true
+authorityKeyIdentifier = keyid:always
+keyUsage = critical,keyCertSign,cRLSign
+subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombats-r-us.hactrn.net/ISP2/
+authorityInfoAccess = caIssuers;URI:rsync://wombats-r-us.hactrn.net/LIR1.cer
+#sbgp-autonomousSysNum = critical,???
+sbgp-ipAddrBlock = critical,IPv4:192.0.2.44-192.0.2.100
+
+[ crl_x509_ext ]
+authorityKeyIdentifier = keyid:always
diff --git a/rpkid/resource-cert-samples/ISP2.key b/rpkid/resource-cert-samples/ISP2.key
new file mode 100644
index 00000000..fdff214b
--- /dev/null
+++ b/rpkid/resource-cert-samples/ISP2.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/rpkid/resource-cert-samples/ISP2.req b/rpkid/resource-cert-samples/ISP2.req
new file mode 100644
index 00000000..63ee5838
--- /dev/null
+++ b/rpkid/resource-cert-samples/ISP2.req
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE REQUEST-----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+-----END CERTIFICATE REQUEST-----
diff --git a/rpkid/resource-cert-samples/ISP2/index b/rpkid/resource-cert-samples/ISP2/index
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/rpkid/resource-cert-samples/ISP2/index
diff --git a/rpkid/resource-cert-samples/ISP2/serial b/rpkid/resource-cert-samples/ISP2/serial
new file mode 100644
index 00000000..8a0f05e1
--- /dev/null
+++ b/rpkid/resource-cert-samples/ISP2/serial
@@ -0,0 +1 @@
+01
diff --git a/rpkid/resource-cert-samples/ISP3.cer b/rpkid/resource-cert-samples/ISP3.cer
new file mode 100644
index 00000000..e8e63c2a
--- /dev/null
+++ b/rpkid/resource-cert-samples/ISP3.cer
@@ -0,0 +1,89 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 26 (0x1a)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR2
+ Validity
+ Not Before: Oct 29 16:32:34 2007 GMT
+ Not After : Oct 28 16:32:34 2008 GMT
+ Subject: CN=TEST ENTITY ISP3
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:d1:24:75:c1:44:29:12:9a:fe:8c:1d:1e:01:aa:
+ 05:ea:1f:47:ab:1a:8d:cf:d2:42:a1:31:7d:9c:3e:
+ 66:72:ce:2c:df:01:17:15:40:40:94:d1:ae:6d:d7:
+ ca:fd:52:d9:ec:5f:f0:64:30:a3:42:70:a1:a1:6f:
+ 05:2d:10:ee:b1:05:65:3f:f2:c1:78:84:cc:1d:66:
+ ee:35:52:c7:ae:99:76:b1:63:4d:c1:2e:24:fb:f7:
+ 43:2d:0b:21:0d:d3:d6:b7:cf:60:50:49:3d:17:53:
+ 3e:2b:f8:68:95:7e:1c:c5:e2:1e:73:06:8c:b2:53:
+ a1:70:39:d9:9e:e5:56:fc:58:d0:b3:f3:90:37:5a:
+ 6e:5a:3b:ef:05:be:f1:64:2f:31:2e:5a:58:f2:30:
+ 7a:73:52:7f:b8:0d:71:3c:63:52:17:0f:b7:07:3b:
+ c3:46:b9:9c:88:bc:73:df:14:5a:bc:16:fc:f8:79:
+ b0:a1:41:87:05:f9:52:a8:36:61:62:de:90:68:21:
+ 83:bb:8c:83:47:af:bb:82:3e:44:28:97:2b:02:a8:
+ 81:04:05:16:cd:bf:ef:9e:02:f9:54:66:2a:28:99:
+ 79:2b:b5:19:10:d4:df:35:95:f3:3f:fa:13:6a:06:
+ 6f:f5:38:28:d6:b6:0b:8a:70:5b:8d:70:8d:34:99:
+ 96:3f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ E1:97:2E:19:70:B5:7F:FC:82:4F:33:3D:6B:2C:DE:9A:9B:36:3D:7E
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP3/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR2.cer
+
+ sbgp-ipAddrBlock: critical
+ IPv6:
+ 2001:db8:0:0:0:0:0:44-2001:db8:0:0:0:0:0:100
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 01:16:7e:4c:bd:b7:d8:6c:23:58:7f:26:76:ac:97:37:06:64:
+ 2d:a8:66:59:65:d3:9a:1c:d6:79:11:d3:e9:87:cc:1f:a9:9d:
+ 8b:74:1e:f0:b7:47:58:e9:40:e0:d5:29:2b:1f:5b:89:72:2c:
+ fe:ca:cf:8a:04:e6:3e:e8:d9:f6:26:15:18:c4:67:10:c4:a8:
+ 13:59:1b:cc:04:e8:96:a9:68:c8:90:54:e9:16:16:c0:7f:dd:
+ 1a:7d:5a:af:82:26:70:ff:c4:34:3f:d6:f3:3e:0b:45:61:f9:
+ a4:5e:59:b9:cf:6b:6b:32:f1:8d:2e:4f:78:de:ac:0d:5f:1e:
+ b0:59:b2:a9:c5:a4:cc:48:87:50:6c:8d:7d:41:ef:cd:68:4d:
+ 3b:e7:a9:f2:2d:50:ad:7e:d0:84:51:03:55:b6:a3:f1:e3:0a:
+ 46:f8:e7:23:b6:7b:76:5d:8b:13:a5:14:ac:07:e5:9c:13:df:
+ 6f:b2:a0:48:3d:00:3e:f0:16:7f:6d:b4:c0:e7:1f:8d:86:7b:
+ 9e:6e:31:17:22:98:d4:53:82:6b:21:01:d2:82:10:9f:43:fc:
+ c5:df:92:56:b9:eb:10:44:dc:46:58:82:3b:05:54:14:58:e1:
+ 2c:f8:2f:ca:e3:54:0b:d1:f1:87:5a:67:9f:3b:b3:a7:28:b3:
+ bb:5b:bf:1c
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/ISP3.cnf b/rpkid/resource-cert-samples/ISP3.cnf
new file mode 100644
index 00000000..ded3be5d
--- /dev/null
+++ b/rpkid/resource-cert-samples/ISP3.cnf
@@ -0,0 +1,64 @@
+# Automatically generated, do not edit.
+
+[ ca ]
+default_ca = ca_default
+
+[ ca_default ]
+certificate = ISP3.cer
+serial = ISP3/serial
+private_key = ISP3.key
+database = ISP3/index
+new_certs_dir = ISP3
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 365
+default_crl_days = 30
+default_md = sha256
+preserve = no
+copy_extensions = copy
+policy = ca_policy_anything
+unique_subject = no
+x509_extensions = ca_x509_ext
+crl_extensions = crl_x509_ext
+
+[ ca_policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+givenName = optional
+surname = optional
+
+[ req ]
+default_bits = 2048
+encrypt_key = no
+distinguished_name = req_dn
+req_extensions = req_x509_ext
+prompt = no
+
+[ req_dn ]
+CN = TEST ENTITY ISP3
+
+[ req_x509_ext ]
+basicConstraints = critical,CA:true
+subjectKeyIdentifier = hash
+keyUsage = critical,keyCertSign,cRLSign
+subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombats-r-us.hactrn.net/ISP3/
+authorityInfoAccess = caIssuers;URI:rsync://wombats-r-us.hactrn.net/LIR2.cer
+#sbgp-autonomousSysNum = critical,???
+sbgp-ipAddrBlock = critical,IPv6:2001:db8::44-2001:db8::100
+
+[ ca_x509_ext ]
+basicConstraints = critical,CA:true
+authorityKeyIdentifier = keyid:always
+keyUsage = critical,keyCertSign,cRLSign
+subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombats-r-us.hactrn.net/ISP3/
+authorityInfoAccess = caIssuers;URI:rsync://wombats-r-us.hactrn.net/LIR2.cer
+#sbgp-autonomousSysNum = critical,???
+sbgp-ipAddrBlock = critical,IPv6:2001:db8::44-2001:db8::100
+
+[ crl_x509_ext ]
+authorityKeyIdentifier = keyid:always
diff --git a/rpkid/resource-cert-samples/ISP3.key b/rpkid/resource-cert-samples/ISP3.key
new file mode 100644
index 00000000..ad66c7a0
--- /dev/null
+++ b/rpkid/resource-cert-samples/ISP3.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/rpkid/resource-cert-samples/ISP3.req b/rpkid/resource-cert-samples/ISP3.req
new file mode 100644
index 00000000..778b5d87
--- /dev/null
+++ b/rpkid/resource-cert-samples/ISP3.req
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE REQUEST-----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+-----END CERTIFICATE REQUEST-----
diff --git a/rpkid/resource-cert-samples/ISP3/index b/rpkid/resource-cert-samples/ISP3/index
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/rpkid/resource-cert-samples/ISP3/index
diff --git a/rpkid/resource-cert-samples/ISP3/serial b/rpkid/resource-cert-samples/ISP3/serial
new file mode 100644
index 00000000..8a0f05e1
--- /dev/null
+++ b/rpkid/resource-cert-samples/ISP3/serial
@@ -0,0 +1 @@
+01
diff --git a/rpkid/resource-cert-samples/ISP4.cer b/rpkid/resource-cert-samples/ISP4.cer
new file mode 100644
index 00000000..b8a5574d
--- /dev/null
+++ b/rpkid/resource-cert-samples/ISP4.cer
@@ -0,0 +1,93 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 25 (0x19)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR2
+ Validity
+ Not Before: Oct 29 16:32:34 2007 GMT
+ Not After : Oct 28 16:32:34 2008 GMT
+ Subject: CN=TEST ENTITY ISP4
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:b3:05:ad:fb:06:db:49:81:ad:df:50:04:e0:18:
+ e8:f1:f4:83:e6:26:4b:9e:fc:2d:1c:df:e2:2b:57:
+ 38:48:eb:c4:13:a3:fd:6c:c5:e2:1c:d5:3a:fd:66:
+ d7:ff:2e:ff:4a:b7:5a:c5:f4:19:b1:8d:9e:a8:49:
+ 4e:3b:20:46:da:08:de:b0:9c:71:5e:77:a9:14:e2:
+ 4c:20:0e:ff:c5:20:fa:f3:6d:3b:0b:ce:e1:72:b6:
+ ff:f5:75:7f:3e:35:af:1c:4f:e0:92:45:f0:1f:57:
+ ce:38:6c:3e:f6:2f:96:73:1f:60:db:63:8e:63:b3:
+ f3:35:85:e9:00:39:92:b3:9f:4a:6b:bd:e9:a0:00:
+ ca:be:fe:27:78:9b:44:23:53:56:13:48:7d:cd:d1:
+ 01:3a:88:36:66:4f:7f:f3:2c:9f:c7:c4:52:75:1e:
+ 0e:3c:50:29:c9:39:e0:ff:90:4d:95:47:56:13:e1:
+ 30:f3:30:33:ee:02:60:70:b0:bd:dd:3b:aa:b9:2a:
+ 86:bf:e7:e2:a8:ec:64:2a:0b:12:05:08:03:7e:d8:
+ 41:bb:23:de:29:e5:0f:9b:3b:00:2e:4f:0e:f5:31:
+ 91:ec:bd:34:02:68:6d:d7:71:a9:8c:4d:23:d2:43:
+ ae:d7:f8:e5:69:2b:ae:13:86:13:27:38:72:48:70:
+ f8:1f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 98:CF:F8:00:82:EC:D7:E9:17:4F:BD:7A:87:60:32:A5:BB:9D:B5:0E
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP4/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR2.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64544
+
+ sbgp-ipAddrBlock: critical
+ IPv6:
+ 2001:db8:0:0:0:10:0:44/128
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 7d:61:80:4e:39:a7:2f:32:90:94:a0:93:18:80:b5:2c:28:44:
+ ab:84:74:d5:e2:94:b6:7a:b2:1a:ae:54:f1:61:53:c8:b1:fc:
+ cc:96:0e:44:b3:62:a1:05:a0:e4:d5:ad:0b:96:86:53:0e:f9:
+ 17:04:e5:30:ab:21:20:3e:91:66:30:08:a4:c2:4e:14:a6:80:
+ 41:90:0c:a6:d6:14:43:0e:2b:60:55:8f:01:64:d6:72:24:43:
+ e9:b1:67:6b:da:a1:fe:93:0d:03:85:bb:49:49:13:13:70:db:
+ a7:a8:70:e5:93:12:7c:4d:fe:ba:d0:13:f4:7e:23:c7:2c:ea:
+ 7b:a1:2a:75:39:39:ba:b3:58:ec:c6:8e:89:ce:6b:3e:d0:0d:
+ 90:e5:e0:ef:41:f8:0b:5c:0a:cf:ec:3d:1e:c7:33:ad:2a:57:
+ 34:cc:77:2a:f7:e6:7c:73:f0:79:c0:34:d1:a5:07:f6:fb:66:
+ 4a:c4:1f:72:51:30:e5:af:9a:f6:63:da:8d:b3:90:b5:62:9e:
+ 53:ff:29:77:50:2f:6c:cc:86:80:e9:3a:a9:eb:4b:d2:bf:d0:
+ c0:77:4f:9e:ed:57:7a:0d:f9:65:93:87:5a:f4:a9:35:8c:4d:
+ 19:d0:56:a0:36:38:51:5d:52:54:a5:1f:ce:6f:30:7c:27:71:
+ da:42:79:8e
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
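Review bot: `Not After : Oct 28 16:32:34 2008 GMT` means this fixture stops validating one year after it was generated (`default_days = 365` in the matching .cnf), and ISP5a.cer, ISP5b.cer and ISP5c.cer carry the same one-year window. Tests that verify the chain against the current time will then start failing, and the usual workaround of switching off validity checks weakens what the tests cover. Either document how to regenerate the samples or have the tests verify at a fixed time inside the validity window.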
diff --git a/rpkid/resource-cert-samples/ISP4.cnf b/rpkid/resource-cert-samples/ISP4.cnf
new file mode 100644
index 00000000..f9effea4
--- /dev/null
+++ b/rpkid/resource-cert-samples/ISP4.cnf
@@ -0,0 +1,64 @@
+# Automatically generated, do not edit.
+
+[ ca ]
+default_ca = ca_default
+
+[ ca_default ]
+certificate = ISP4.cer
+serial = ISP4/serial
+private_key = ISP4.key
+database = ISP4/index
+new_certs_dir = ISP4
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 365
+default_crl_days = 30
+default_md = sha256
+preserve = no
+copy_extensions = copy
+policy = ca_policy_anything
+unique_subject = no
+x509_extensions = ca_x509_ext
+crl_extensions = crl_x509_ext
+
+[ ca_policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+givenName = optional
+surname = optional
+
+[ req ]
+default_bits = 2048
+encrypt_key = no
+distinguished_name = req_dn
+req_extensions = req_x509_ext
+prompt = no
+
+[ req_dn ]
+CN = TEST ENTITY ISP4
+
+[ req_x509_ext ]
+basicConstraints = critical,CA:true
+subjectKeyIdentifier = hash
+keyUsage = critical,keyCertSign,cRLSign
+subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombats-r-us.hactrn.net/ISP4/
+authorityInfoAccess = caIssuers;URI:rsync://wombats-r-us.hactrn.net/LIR2.cer
+sbgp-autonomousSysNum = critical,AS:64544
+sbgp-ipAddrBlock = critical,IPv6:2001:db8::10:0:44/128
+
+[ ca_x509_ext ]
+basicConstraints = critical,CA:true
+authorityKeyIdentifier = keyid:always
+keyUsage = critical,keyCertSign,cRLSign
+subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombats-r-us.hactrn.net/ISP4/
+authorityInfoAccess = caIssuers;URI:rsync://wombats-r-us.hactrn.net/LIR2.cer
+sbgp-autonomousSysNum = critical,AS:64544
+sbgp-ipAddrBlock = critical,IPv6:2001:db8::10:0:44/128
+
+[ crl_x509_ext ]
+authorityKeyIdentifier = keyid:always
diff --git a/rpkid/resource-cert-samples/ISP4.key b/rpkid/resource-cert-samples/ISP4.key
new file mode 100644
index 00000000..20370dc9
--- /dev/null
+++ b/rpkid/resource-cert-samples/ISP4.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAswWt+wbbSYGt31AE4Bjo8fSD5iZLnvwtHN/iK1c4SOvEE6P9
+bMXiHNU6/WbX/y7/SrdaxfQZsY2eqElOOyBG2gjesJxxXnepFOJMIA7/xSD68207
+C87hcrb/9XV/PjWvHE/gkkXwH1fOOGw+9i+Wcx9g22OOY7PzNYXpADmSs59Ka73p
+oADKvv4neJtEI1NWE0h9zdEBOog2Zk9/8yyfx8RSdR4OPFApyTng/5BNlUdWE+Ew
+8zAz7gJgcLC93TuquSqGv+fiqOxkKgsSBQgDfthBuyPeKeUPmzsALk8O9TGR7L00
+Amht13GpjE0j0kOu1/jlaSuuE4YTJzhySHD4HwIDAQABAoIBAQCcCoNPnvZc5+/K
+ClF1k8DXxS2C2jZn6Z7Y4DyfUnL4/Kf4BqTKvuEMCMBWR+JVx302fwNcMByFKs/0
+F5Fc8BFR0xFoF7SphtuWHHoGJ4zBIrIapEcnT7gq6V/JcBTtAJYVs3onhVZ7u2lA
+vPlUVL5qshsWn3xpY1zGdmZVj9lTPjr186AVg+Di2D8RWKrBiLgT0gy9nK0dX7AU
+8C4w/C2b/1Yp6D8L7benbRCRjYcuyoS211B/yC7KDP+YoHv2AYqPXEUdyBMnk+KR
+lhw793xI5ec7ryinBtjmiIds0iDrJOztiWgLdGHrxT5OFOUJNjtZ6W9PvYi5Reu7
+vin+ugrhAoGBAOTIA0urho2JA1wsmMYtpUpsr+Ep+4SMpu0Gbrqs9uFHIFYGRrT8
+hgO1yZk3TwJVPsbYiROIIPkv9pJQKGzkyF+zEaJsnR40iybbW3arPr5UqKVauNLc
+KbqtChetfY81vA/8HjFB6mKq2K6tdOTqLGhJlX9Y9baNBNrRn0ReLnUtAoGBAMhS
+J4suczgkv27PWqa2nmzAxsArsCcubFTYJE0qV6qRbtN3eH+S8c1/tTk29MPRgzX4
++3oLowRhiArVui79X43Y+6J5akbnLoR3duGOpqdza+UmE5UExokpDag2/hKuUEZu
+youzuik3pMipu9rjc45CXGbvuaqg6mw48bnAS4n7AoGBAKFQLpKydQNjMo1RnL9P
+/BZIIJOBSKmjiyfhuz3BK6qYvkIp1r1SuSPwkB+KkhkxBjyq/axZ9fX+TbvI7Vgq
+0OY5mxuNvhNINT3Gue0overyQp+lImD7gCjyTgV3/Op3lw0mVhuhQKUllfdEswGd
+5IX8LH9IuKhpMp0f5U8NoXBZAoGBAL33EqLtYLxcNOHbZ2bzhVcylQgGJh1x66+l
+7P70aYBKPGPzRuUML5wmQHBKimDsXVagj7JUOLpd10oXFmGbS7NTkoWoSD2G3Fko
+hScvRSFE1ovOyQEnLzNBKD9eLyD+BwhT5mYHAUI3D2BvfcL8sUe17LR9H4AM62HH
+uovhLIFjAoGAVa8vZTyEude+ZCu5RmBmNx0N4uj7M2zLTUjWoyssZOnS1z7MIuFL
+9xr511YAc3FIkQj1byn7O9CkwaYfEeGaTr18aw7b1BZqOA9Sk329kH3Uahi2JTE1
+0eXQ2ExBRexCq5Aoz8tnmFhTEMS0ECN7poa+VAT7c9OsrDeB0XMOJJ4=
+-----END RSA PRIVATE KEY-----
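Review bot: The private key for ISP4, whose certificate is `CA:TRUE` with `keyCertSign`, is stored here unencrypted (the configs set `encrypt_key = no`), as are ISP5a.key and ISP5c.key further down; ISP3.key and ISP5b.key presumably match. That is acceptable only while these remain test fixtures under `TEST ENTITY` names, so the directory should say so, e.g. a README line `Sample keys for tests only; they are public, never configure any of these certificates as a trust anchor.` Generating the samples at test time instead of committing them would also avoid secret-scanner findings and accidental reuse of the keys elsewhere.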
diff --git a/rpkid/resource-cert-samples/ISP4.req b/rpkid/resource-cert-samples/ISP4.req
new file mode 100644
index 00000000..5c9d865c
--- /dev/null
+++ b/rpkid/resource-cert-samples/ISP4.req
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
diff --git a/rpkid/resource-cert-samples/ISP4/index b/rpkid/resource-cert-samples/ISP4/index
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/rpkid/resource-cert-samples/ISP4/index
diff --git a/rpkid/resource-cert-samples/ISP4/serial b/rpkid/resource-cert-samples/ISP4/serial
new file mode 100644
index 00000000..8a0f05e1
--- /dev/null
+++ b/rpkid/resource-cert-samples/ISP4/serial
@@ -0,0 +1 @@
+01
diff --git a/rpkid/resource-cert-samples/ISP5a.cer b/rpkid/resource-cert-samples/ISP5a.cer
new file mode 100644
index 00000000..787aacd7
--- /dev/null
+++ b/rpkid/resource-cert-samples/ISP5a.cer
@@ -0,0 +1,91 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 27 (0x1b)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR3
+ Validity
+ Not Before: Oct 29 16:32:33 2007 GMT
+ Not After : Oct 28 16:32:33 2008 GMT
+ Subject: CN=TEST ENTITY ISP5a
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:e6:4b:ad:78:28:6b:e6:50:1b:65:81:d5:8d:2b:
+ 56:77:cd:bb:c9:47:a0:aa:32:b0:2c:ac:1f:f1:e4:
+ 90:2b:c2:33:6f:e7:53:b1:d0:1d:ab:05:27:9d:b7:
+ a1:ee:a8:4f:c8:5b:36:23:e3:12:e4:51:59:27:cd:
+ fd:7a:aa:dc:56:05:a1:73:ab:79:dd:3c:82:b2:8f:
+ ae:f9:ec:c0:36:38:e6:02:aa:fd:89:60:21:52:5b:
+ b6:33:80:75:e5:7f:fd:ac:6e:ec:d4:9a:26:2f:7e:
+ 28:45:16:29:47:7d:f3:8a:72:d5:e4:65:fa:f4:54:
+ 6f:ae:48:33:62:c1:32:f1:2b:83:33:36:63:60:9e:
+ bc:c7:e7:99:5d:51:da:cd:2f:8f:83:47:20:9e:e9:
+ cc:a3:72:c0:72:bd:49:2d:c4:52:ea:6f:da:42:46:
+ 71:90:c7:af:7f:9f:c7:dd:0b:96:96:3c:45:9f:c0:
+ ea:65:6a:43:e3:f3:92:d5:e1:73:c0:6e:20:f5:17:
+ e5:d1:58:da:21:b3:e9:0c:4d:f0:e8:bd:7c:b7:ef:
+ 81:c9:f5:70:cf:a8:20:7d:e2:6a:f9:1b:66:a9:c8:
+ 71:d6:32:f8:72:3d:83:99:19:0d:0c:6b:e9:f8:92:
+ cd:33:17:86:6a:3d:af:0d:05:94:ab:1c:d4:2c:a4:
+ 45:cb
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 09:F0:14:0B:79:FB:0B:FF:A8:EF:54:B9:EC:3E:B9:8B:D0:CB:9C:EC
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP5a/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR3.cer
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 10.0.0.0/24
+ IPv6:
+ 2001:db8:0:0:0:0:a00::/120
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 38:f3:dc:20:93:3e:ff:25:8d:0e:90:b3:7f:65:ea:67:69:9a:
+ f0:6a:a1:77:5b:49:da:26:66:ac:3d:4d:20:a9:39:bb:e1:85:
+ 8a:a2:eb:5c:e8:b6:d2:d8:6b:04:19:32:cc:a7:1b:f6:24:d9:
+ 30:ee:ef:e3:d7:9f:85:01:02:6e:4e:4b:ad:af:97:71:59:e2:
+ 24:b3:29:86:16:79:ae:04:be:9c:43:70:99:63:98:f9:6e:1c:
+ 8a:69:48:64:90:70:b4:51:e6:12:95:b3:c1:bc:d4:1d:c0:dc:
+ 3e:cc:af:6e:a5:a5:d2:79:b3:bb:d7:b5:8a:a6:d7:64:83:87:
+ 8c:54:49:b8:c9:e8:76:18:40:20:ec:2c:52:0a:57:4c:7a:a0:
+ 87:f2:c7:13:42:24:c6:10:e7:db:d3:4c:6a:d7:65:ec:19:13:
+ 7c:15:13:74:9b:95:13:0a:91:9f:ad:ad:e7:85:40:16:8d:44:
+ ff:fa:e7:3b:a1:96:da:46:cb:e8:18:92:7f:9a:42:bb:8b:7f:
+ 25:bb:da:46:a3:2f:92:59:26:eb:66:17:b9:12:3f:52:58:a7:
+ b6:31:f6:2a:68:35:11:a7:f0:b9:aa:44:c3:f3:ad:05:7e:3a:
+ 25:96:9e:01:ce:6b:e5:87:b5:c5:99:da:e3:b6:00:8a:e7:11:
+ f7:98:16:3a
+-----BEGIN CERTIFICATE-----
+MIIDvTCCAqWgAwIBAgIBGzANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBURVNU
+IEVOVElUWSBMSVIzMB4XDTA3MTAyOTE2MzIzM1oXDTA4MTAyODE2MzIzM1owHDEa
+MBgGA1UEAxMRVEVTVCBFTlRJVFkgSVNQNWEwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDmS614KGvmUBtlgdWNK1Z3zbvJR6CqMrAsrB/x5JArwjNv51Ox
+0B2rBSedt6HuqE/IWzYj4xLkUVknzf16qtxWBaFzq3ndPIKyj6757MA2OOYCqv2J
+YCFSW7YzgHXlf/2sbuzUmiYvfihFFilHffOKctXkZfr0VG+uSDNiwTLxK4MzNmNg
+nrzH55ldUdrNL4+DRyCe6cyjcsByvUktxFLqb9pCRnGQx69/n8fdC5aWPEWfwOpl
+akPj85LV4XPAbiD1F+XRWNohs+kMTfDovXy374HJ9XDPqCB94mr5G2apyHHWMvhy
+PYOZGQ0Ma+n4ks0zF4ZqPa8NBZSrHNQspEXLAgMBAAGjggEJMIIBBTAPBgNVHRMB
+Af8EBTADAQH/MB0GA1UdDgQWBBQJ8BQLefsL/6jvVLnsPrmL0Muc7DAOBgNVHQ8B
+Af8EBAMCAQYwQgYIKwYBBQUHAQsENjA0MDIGCCsGAQUFBzAFhiZyc3luYzovL3dv
+bWJhdHMtci11cy5oYWN0cm4ubmV0L0lTUDVhLzBEBggrBgEFBQcBAQQ4MDYwNAYI
+KwYBBQUHMAKGKHJzeW5jOi8vd29tYmF0cy1yLXVzLmhhY3Rybi5uZXQvTElSMy5j
+ZXIwOQYIKwYBBQUHAQcBAf8EKjAoMAwEAgABMAYDBAAKAAAwGAQCAAIwEgMQACAB
+DbgAAAAAAAAAAAoAADANBgkqhkiG9w0BAQsFAAOCAQEAOPPcIJM+/yWNDpCzf2Xq
+Z2ma8Gqhd1tJ2iZmrD1NIKk5u+GFiqLrXOi20thrBBkyzKcb9iTZMO7v49efhQEC
+bk5Lra+XcVniJLMphhZ5rgS+nENwmWOY+W4cimlIZJBwtFHmEpWzwbzUHcDcPsyv
+bqWl0nmzu9e1iqbXZIOHjFRJuMnodhhAIOwsUgpXTHqgh/LHE0IkxhDn29NMatdl
+7BkTfBUTdJuVEwqRn62t54VAFo1E//rnO6GW2kbL6BiSf5pCu4t/JbvaRqMvklkm
+62YXuRI/UlintjH2Kmg1EafwuapEw/OtBX46JZaeAc5r5Ye1xZna47YAiucR95gW
+Og==
+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/ISP5a.cnf b/rpkid/resource-cert-samples/ISP5a.cnf
new file mode 100644
index 00000000..fa470452
--- /dev/null
+++ b/rpkid/resource-cert-samples/ISP5a.cnf
@@ -0,0 +1,64 @@
+# Automatically generated, do not edit.
+
+[ ca ]
+default_ca = ca_default
+
+[ ca_default ]
+certificate = ISP5a.cer
+serial = ISP5a/serial
+private_key = ISP5a.key
+database = ISP5a/index
+new_certs_dir = ISP5a
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 365
+default_crl_days = 30
+default_md = sha256
+preserve = no
+copy_extensions = copy
+policy = ca_policy_anything
+unique_subject = no
+x509_extensions = ca_x509_ext
+crl_extensions = crl_x509_ext
+
+[ ca_policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+givenName = optional
+surname = optional
+
+[ req ]
+default_bits = 2048
+encrypt_key = no
+distinguished_name = req_dn
+req_extensions = req_x509_ext
+prompt = no
+
+[ req_dn ]
+CN = TEST ENTITY ISP5a
+
+[ req_x509_ext ]
+basicConstraints = critical,CA:true
+subjectKeyIdentifier = hash
+keyUsage = critical,keyCertSign,cRLSign
+subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombats-r-us.hactrn.net/ISP5a/
+authorityInfoAccess = caIssuers;URI:rsync://wombats-r-us.hactrn.net/LIR3.cer
+#sbgp-autonomousSysNum = critical,???
+sbgp-ipAddrBlock = critical,IPv4:10.0.0.0/24,IPv6:2001:db8::a00:0/120
+
+[ ca_x509_ext ]
+basicConstraints = critical,CA:true
+authorityKeyIdentifier = keyid:always
+keyUsage = critical,keyCertSign,cRLSign
+subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombats-r-us.hactrn.net/ISP5a/
+authorityInfoAccess = caIssuers;URI:rsync://wombats-r-us.hactrn.net/LIR3.cer
+#sbgp-autonomousSysNum = critical,???
+sbgp-ipAddrBlock = critical,IPv4:10.0.0.0/24,IPv6:2001:db8::a00:0/120
+
+[ crl_x509_ext ]
+authorityKeyIdentifier = keyid:always
diff --git a/rpkid/resource-cert-samples/ISP5a.key b/rpkid/resource-cert-samples/ISP5a.key
new file mode 100644
index 00000000..0bec780e
--- /dev/null
+++ b/rpkid/resource-cert-samples/ISP5a.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpgIBAAKCAQEA5kuteChr5lAbZYHVjStWd827yUegqjKwLKwf8eSQK8Izb+dT
+sdAdqwUnnbeh7qhPyFs2I+MS5FFZJ839eqrcVgWhc6t53TyCso+u+ezANjjmAqr9
+iWAhUlu2M4B15X/9rG7s1JomL34oRRYpR33zinLV5GX69FRvrkgzYsEy8SuDMzZj
+YJ68x+eZXVHazS+Pg0cgnunMo3LAcr1JLcRS6m/aQkZxkMevf5/H3QuWljxFn8Dq
+ZWpD4/OS1eFzwG4g9Rfl0VjaIbPpDE3w6L18t++ByfVwz6ggfeJq+Rtmqchx1jL4
+cj2DmRkNDGvp+JLNMxeGaj2vDQWUqxzULKRFywIDAQABAoIBAQDf6vFOBa90Dqu0
+tNrZGixG7IkMGlMDaamWpf2hiuULRxYQVlIwb/SI1shAN86BaLG6U8V+e0lhKh+P
+7l/qJ7t5AJyNBUvGaxGBYOd3JlV14zjxmyRNsGR12ap8xQjdDueuA2TPCtraDsZE
+9llIpBRqp2GFZArwCjFUuesMuGE5z4aqQ1A0lno3bibyGx/bGTWxJi54djyGr/T/
+5htxmoGsAw7PWnJQ0Vi9XQ+ZcHTfVK0KVBUYHnWSRCGuW0oriwT8O5g90dU4O+tI
+vFDOAV8ANVAWBCKpQ/YxBS4c/txVUZJpUIDvWmvJiWwrXv5cmzOjvBEX1K/nwjw0
+oFjL0xdRAoGBAPpjxMVzmbDzbDHbctWnKafLVSrY2Guetvs04x+wuVAkSZNMgXpn
+vd2ETOmB/rqXf7cv406HctGYUSxcNIOrfQKXy69Ew9w5WwjrExRBLbbFET5kBIn2
+5kCiENydWZuEhK1KwLYKAu5ZN9fQ4zVRyHROPkr8DpCcnGrl6jR/IZLNAoGBAOt0
+pkaYTAX3A7siLulKZpwsRmRvkb+mXJL//K7BqUkFZbesBy6zVBKSStJfpV5aqml/
+GnWgzoSWh2Ur8zV98fnpwOTeYpGSoFLjwapSl4G9+zIeKhNMVj2369FQA5wwWm9v
+ey9nuaiOvMdka0A0C7XOR5qxTvp0/4dI+dfp0ir3AoGBANBi3i3ykrOpM5+e4sib
+0dg7Kot5Y0zWD7WsA2apfuELAkzb/FpyIptMc3JXZTfHxFwiN8xwgAed+9iueGoo
+++Z/jN42nccX2QLoGb3erPwSsNI7DWgBGwopl1z0e9IpjP5oW1BlrqDNkeNEjwQe
+J3VcdQ2VD04deTSiWrQMJlX1AoGBAI0STPWLFjGUuDWM25KHM0dq95oBhs/O+zRQ
+D7Mc8TKA+1q6xWrjowGliRLWn5wSsnuW3eGQQWwLTH//fy6TkUFtHleCLoiN02UW
+dNh5t7DShQiYLhl16U39Plsgl6kjB2ww3RugCArHyq+kqOXEySdaumgix/Ej3F3Q
+CXGl9HgtAoGBAK2r9s+RrQX4g/vnrFKXSv9LuxM0tWyAcfg6rug6vcKiWI8zHS6k
+zDTJnldKS0q+K76W07oSx2kDJYHeXimXoh9V4LE2n20hoJF4+qRIDLrcMU7nb4Sq
+gyE5TaX4CluAMoTCRmdUQFaVZ26nSk4GyCM1aXVQIYeWp7IXiufiyIUc
+-----END RSA PRIVATE KEY-----
diff --git a/rpkid/resource-cert-samples/ISP5a.req b/rpkid/resource-cert-samples/ISP5a.req
new file mode 100644
index 00000000..66bc9022
--- /dev/null
+++ b/rpkid/resource-cert-samples/ISP5a.req
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIDfzCCAmcCAQAwHDEaMBgGA1UEAxMRVEVTVCBFTlRJVFkgSVNQNWEwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDmS614KGvmUBtlgdWNK1Z3zbvJR6Cq
+MrAsrB/x5JArwjNv51Ox0B2rBSedt6HuqE/IWzYj4xLkUVknzf16qtxWBaFzq3nd
+PIKyj6757MA2OOYCqv2JYCFSW7YzgHXlf/2sbuzUmiYvfihFFilHffOKctXkZfr0
+VG+uSDNiwTLxK4MzNmNgnrzH55ldUdrNL4+DRyCe6cyjcsByvUktxFLqb9pCRnGQ
+x69/n8fdC5aWPEWfwOplakPj85LV4XPAbiD1F+XRWNohs+kMTfDovXy374HJ9XDP
+qCB94mr5G2apyHHWMvhyPYOZGQ0Ma+n4ks0zF4ZqPa8NBZSrHNQspEXLAgMBAAGg
+ggEcMIIBGAYJKoZIhvcNAQkOMYIBCTCCAQUwDwYDVR0TAQH/BAUwAwEB/zAdBgNV
+HQ4EFgQUCfAUC3n7C/+o71S57D65i9DLnOwwDgYDVR0PAQH/BAQDAgEGMEIGCCsG
+AQUFBwELBDYwNDAyBggrBgEFBQcwBYYmcnN5bmM6Ly93b21iYXRzLXItdXMuaGFj
+dHJuLm5ldC9JU1A1YS8wRAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzAChihyc3lu
+YzovL3dvbWJhdHMtci11cy5oYWN0cm4ubmV0L0xJUjMuY2VyMDkGCCsGAQUFBwEH
+AQH/BCowKDAMBAIAATAGAwQACgAAMBgEAgACMBIDEAAgAQ24AAAAAAAAAAAKAAAw
+DQYJKoZIhvcNAQEFBQADggEBABc2bf9ptC+SWMjUqZJ+WSb6DvrU2VKIDK75cbD9
+OVLCBqyjxDcctO1ZT8wXJNwEJaB6P4i83LfSttGpkWr6sBR+H1HVNptuXWo31m6D
+rRSZZ+DEx+01nzmEXJ2+Iskm1+/YQbxygqHQqm+i4ca/Y9PXTl1unH69ONdSfD3c
+qee4VepkOdru3LWkxoF/oPSg9WRjbBXTOfwJ1jGBTqRGYFA5cvzKKciHPhL0EPOZ
+XencgWNNzkumzH60Bu6TVf1TDSne/nDOMdMZaYgwOyaN7nyPXbjr+WhQT9GrZIIi
+YI3RaCitfdN9pPS2CLqHWXxHrJ5MdREdefks1XMfQk8dlWo=
+-----END CERTIFICATE REQUEST-----
diff --git a/rpkid/resource-cert-samples/ISP5a/index b/rpkid/resource-cert-samples/ISP5a/index
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/rpkid/resource-cert-samples/ISP5a/index
diff --git a/rpkid/resource-cert-samples/ISP5a/serial b/rpkid/resource-cert-samples/ISP5a/serial
new file mode 100644
index 00000000..8a0f05e1
--- /dev/null
+++ b/rpkid/resource-cert-samples/ISP5a/serial
@@ -0,0 +1 @@
+01
diff --git a/rpkid/resource-cert-samples/ISP5b.cer b/rpkid/resource-cert-samples/ISP5b.cer
new file mode 100644
index 00000000..8f133ac8
--- /dev/null
+++ b/rpkid/resource-cert-samples/ISP5b.cer
@@ -0,0 +1,91 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 26 (0x1a)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR3
+ Validity
+ Not Before: Oct 29 16:32:33 2007 GMT
+ Not After : Oct 28 16:32:33 2008 GMT
+ Subject: CN=TEST ENTITY ISP5b
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:bf:8f:59:d8:fc:fa:1d:04:70:29:ce:7b:01:64:
+ 21:40:dc:5c:43:fe:4c:af:88:c8:62:9b:be:9c:72:
+ 8f:8a:a5:34:8a:3b:23:8d:9b:8a:4f:bf:66:ac:68:
+ 71:9c:fd:68:59:f5:bf:9f:4d:2e:b5:d6:e3:fa:bd:
+ f3:60:53:5c:b7:11:ac:95:0b:c0:87:cd:99:9e:94:
+ 57:8d:ec:05:b8:df:aa:fc:8e:38:d3:0f:65:6d:09:
+ 60:f2:e1:98:81:72:d8:51:3e:41:91:b3:10:95:f5:
+ f5:d0:f9:e5:5c:a1:85:fa:71:26:85:e3:d1:4c:02:
+ 7f:14:e2:1e:4a:8a:96:68:9e:d6:16:a5:ef:ad:b5:
+ 83:62:cd:23:74:7c:82:56:b4:d1:34:53:5a:8a:7a:
+ 61:9f:ae:54:5b:ef:f9:56:de:87:6b:42:92:bc:49:
+ f4:b5:c3:35:07:4a:18:47:d2:92:c6:1c:16:74:74:
+ b1:e9:39:3c:53:12:05:9d:eb:dc:9c:72:2b:97:4d:
+ 27:21:77:96:7d:4c:ce:79:0c:fb:a7:b8:99:6b:66:
+ 20:2e:56:9c:44:b4:e3:5e:80:c4:7d:78:a1:b4:05:
+ f7:20:7d:26:1e:44:bf:5d:69:15:3c:7a:24:67:bd:
+ b9:b5:08:0f:33:4d:af:3b:2d:e7:b9:ab:1d:2b:d6:
+ fb:73
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 6C:B3:65:94:FE:C6:9F:4A:50:9D:4D:8B:40:1A:A1:FD:97:17:97:92
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP5b/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR3.cer
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 10.3.0.0/24
+ IPv6:
+ 2001:db8:0:0:0:0:a03::/120
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 3a:6d:f2:b8:e4:50:4d:f6:f0:f3:04:1b:73:bf:36:13:d5:e6:
+ 70:d9:31:b4:47:b7:5e:ca:8a:25:93:fc:6c:dd:63:5e:09:dc:
+ 47:d9:d4:43:39:f3:ed:c5:f2:64:d5:ac:72:02:76:f2:07:ca:
+ a5:d9:1a:e3:9d:6a:7d:90:4c:d5:c7:09:c9:64:dd:38:f0:2f:
+ ab:0d:5f:e4:13:02:2c:85:02:56:f4:6d:31:07:f9:0b:c7:e9:
+ a4:0a:ee:13:03:18:9d:81:b8:78:68:d2:99:a3:e4:4f:e7:96:
+ 86:99:06:10:8c:b5:c2:39:03:8a:94:2e:21:00:67:82:f5:25:
+ 6c:cb:71:6b:8c:e6:31:0a:19:ed:1a:34:0c:a9:48:ca:c8:69:
+ fc:91:4e:f9:0c:e5:24:2b:70:52:1c:ff:1c:cf:38:28:17:3a:
+ 3d:22:a7:fa:93:dd:8f:46:03:2e:b0:ce:10:57:4a:3c:fc:a8:
+ 1a:a6:c1:0e:fa:09:49:9e:d1:89:b8:4c:b0:7a:5b:76:25:05:
+ fe:80:d9:8d:c1:9e:84:0b:83:53:16:9a:1e:2d:55:9a:b7:81:
+ d4:3f:0a:c7:56:ac:87:58:fa:3b:27:77:c6:f6:31:c1:c8:56:
+ 4a:28:6a:de:20:32:c4:80:b0:d1:36:25:ac:2c:94:28:8a:b8:
+ 2b:f2:04:f0
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/ISP5b.cnf b/rpkid/resource-cert-samples/ISP5b.cnf
new file mode 100644
index 00000000..c7127044
--- /dev/null
+++ b/rpkid/resource-cert-samples/ISP5b.cnf
@@ -0,0 +1,64 @@
+# Automatically generated, do not edit.
+
+[ ca ]
+default_ca = ca_default
+
+[ ca_default ]
+certificate = ISP5b.cer
+serial = ISP5b/serial
+private_key = ISP5b.key
+database = ISP5b/index
+new_certs_dir = ISP5b
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 365
+default_crl_days = 30
+default_md = sha256
+preserve = no
+copy_extensions = copy
+policy = ca_policy_anything
+unique_subject = no
+x509_extensions = ca_x509_ext
+crl_extensions = crl_x509_ext
+
+[ ca_policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+givenName = optional
+surname = optional
+
+[ req ]
+default_bits = 2048
+encrypt_key = no
+distinguished_name = req_dn
+req_extensions = req_x509_ext
+prompt = no
+
+[ req_dn ]
+CN = TEST ENTITY ISP5b
+
+[ req_x509_ext ]
+basicConstraints = critical,CA:true
+subjectKeyIdentifier = hash
+keyUsage = critical,keyCertSign,cRLSign
+subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombats-r-us.hactrn.net/ISP5b/
+authorityInfoAccess = caIssuers;URI:rsync://wombats-r-us.hactrn.net/LIR3.cer
+#sbgp-autonomousSysNum = critical,???
+sbgp-ipAddrBlock = critical,IPv4:10.3.0.0/24,IPv6:2001:db8::a03:0/120
+
+[ ca_x509_ext ]
+basicConstraints = critical,CA:true
+authorityKeyIdentifier = keyid:always
+keyUsage = critical,keyCertSign,cRLSign
+subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombats-r-us.hactrn.net/ISP5b/
+authorityInfoAccess = caIssuers;URI:rsync://wombats-r-us.hactrn.net/LIR3.cer
+#sbgp-autonomousSysNum = critical,???
+sbgp-ipAddrBlock = critical,IPv4:10.3.0.0/24,IPv6:2001:db8::a03:0/120
+
+[ crl_x509_ext ]
+authorityKeyIdentifier = keyid:always
diff --git a/rpkid/resource-cert-samples/ISP5b.key b/rpkid/resource-cert-samples/ISP5b.key
new file mode 100644
index 00000000..60313862
--- /dev/null
+++ b/rpkid/resource-cert-samples/ISP5b.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/rpkid/resource-cert-samples/ISP5b.req b/rpkid/resource-cert-samples/ISP5b.req
new file mode 100644
index 00000000..7ec17a74
--- /dev/null
+++ b/rpkid/resource-cert-samples/ISP5b.req
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE REQUEST-----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+-----END CERTIFICATE REQUEST-----
diff --git a/rpkid/resource-cert-samples/ISP5b/index b/rpkid/resource-cert-samples/ISP5b/index
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/rpkid/resource-cert-samples/ISP5b/index
diff --git a/rpkid/resource-cert-samples/ISP5b/serial b/rpkid/resource-cert-samples/ISP5b/serial
new file mode 100644
index 00000000..8a0f05e1
--- /dev/null
+++ b/rpkid/resource-cert-samples/ISP5b/serial
@@ -0,0 +1 @@
+01
diff --git a/rpkid/resource-cert-samples/ISP5c.cer b/rpkid/resource-cert-samples/ISP5c.cer
new file mode 100644
index 00000000..969f45e5
--- /dev/null
+++ b/rpkid/resource-cert-samples/ISP5c.cer
@@ -0,0 +1,88 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 25 (0x19)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR3
+ Validity
+ Not Before: Oct 29 16:32:33 2007 GMT
+ Not After : Oct 28 16:32:33 2008 GMT
+ Subject: CN=TEST ENTITY ISP5c
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:c8:8b:a1:25:65:df:ee:a2:7f:54:af:52:0a:1a:
+ 1a:fa:0d:75:b3:3c:e9:e0:29:d3:89:20:e9:51:49:
+ 67:2c:43:da:a0:2c:d4:44:b3:96:14:a9:07:77:60:
+ b9:6f:01:ef:8e:54:a5:74:ac:5a:67:f8:30:4d:10:
+ f9:ac:9f:b8:75:61:0b:f6:e7:7c:ea:9b:5c:98:7a:
+ 4b:3e:c4:e2:59:42:d3:19:ca:0f:58:0e:b7:c8:82:
+ 4e:e5:bb:ac:fd:92:e5:88:b2:fc:64:cf:6e:38:3b:
+ 18:83:fc:e7:a6:ae:fb:90:36:d0:e1:ca:4d:90:41:
+ 0f:0f:3b:2a:c0:0c:d9:7b:7d:e8:50:13:f6:09:73:
+ 82:a3:d2:e3:bb:82:08:87:7f:d2:bb:0e:0e:7a:28:
+ b6:25:02:b5:d9:51:fc:33:32:47:47:ff:cf:7f:bc:
+ ee:00:01:bb:05:5e:2e:03:9a:ad:95:3b:ca:c2:c6:
+ 87:64:74:39:aa:59:6b:ae:e0:a7:51:1a:07:f2:8e:
+ 4c:8e:65:2f:df:f2:99:ba:e0:b6:8a:4f:c0:20:72:
+ 79:98:00:8f:0d:50:13:3d:d1:3e:8c:bd:dc:74:a9:
+ 33:a8:56:1d:31:78:7c:e7:02:9e:8d:0a:14:12:6d:
+ d3:37:c7:7a:f0:84:10:fe:fe:4d:28:97:26:6e:08:
+ 85:a1
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 2D:87:C1:9A:F8:58:2B:BD:C2:F8:7E:30:47:B3:A9:88:37:C9:EB:46
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP5c/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR3.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64534-64540
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 2c:6e:f1:28:d7:06:69:d5:38:e5:77:75:9c:d0:9f:3b:52:f4:
+ ff:83:1d:51:70:18:b1:76:57:29:1c:f4:0c:fc:bd:6d:dc:c6:
+ 95:68:2d:38:fc:5b:b8:66:b8:92:95:3e:0d:cb:f6:49:3f:6e:
+ 63:01:88:9b:44:7a:d1:7a:48:03:20:73:c7:f1:c8:f6:8d:be:
+ 1c:6e:ca:28:0e:32:93:90:9a:76:d1:7f:f3:33:55:24:67:65:
+ fd:05:03:c8:1f:7e:68:7d:c9:83:f9:47:26:d1:dc:4b:04:a2:
+ 68:bb:74:2c:9c:f3:33:ec:d7:0e:d9:23:f9:a4:10:9e:af:94:
+ 41:09:a0:67:2d:21:d7:b5:0a:e1:41:b3:b6:4d:bc:8d:74:6c:
+ f6:b6:32:fe:ee:c4:71:b6:73:e1:bc:2a:25:54:df:91:84:4e:
+ 15:09:05:98:a1:99:33:48:38:7e:7e:b1:38:73:c7:66:a2:19:
+ 31:2e:93:86:65:40:20:c0:0f:86:e9:a4:77:d9:61:a5:a4:92:
+ 35:c7:9c:51:15:a0:dd:21:56:76:a4:d1:75:76:0a:b6:51:9a:
+ 08:c3:d4:21:ec:86:f0:b7:66:2e:7c:8b:0f:76:5c:29:3d:a6:
+ 9c:ea:0c:e0:5d:14:14:b5:cc:cc:84:e0:33:95:17:06:11:c4:
+ d9:d9:98:d1
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/ISP5c.cnf b/rpkid/resource-cert-samples/ISP5c.cnf
new file mode 100644
index 00000000..cc689a77
--- /dev/null
+++ b/rpkid/resource-cert-samples/ISP5c.cnf
@@ -0,0 +1,64 @@
+# Automatically generated, do not edit.
+
+[ ca ]
+default_ca = ca_default
+
+[ ca_default ]
+certificate = ISP5c.cer
+serial = ISP5c/serial
+private_key = ISP5c.key
+database = ISP5c/index
+new_certs_dir = ISP5c
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 365
+default_crl_days = 30
+default_md = sha256
+preserve = no
+copy_extensions = copy
+policy = ca_policy_anything
+unique_subject = no
+x509_extensions = ca_x509_ext
+crl_extensions = crl_x509_ext
+
+[ ca_policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+givenName = optional
+surname = optional
+
+[ req ]
+default_bits = 2048
+encrypt_key = no
+distinguished_name = req_dn
+req_extensions = req_x509_ext
+prompt = no
+
+[ req_dn ]
+CN = TEST ENTITY ISP5c
+
+[ req_x509_ext ]
+basicConstraints = critical,CA:true
+subjectKeyIdentifier = hash
+keyUsage = critical,keyCertSign,cRLSign
+subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombats-r-us.hactrn.net/ISP5c/
+authorityInfoAccess = caIssuers;URI:rsync://wombats-r-us.hactrn.net/LIR3.cer
+sbgp-autonomousSysNum = critical,AS:64534-64540
+#sbgp-ipAddrBlock = critical,???
+
+[ ca_x509_ext ]
+basicConstraints = critical,CA:true
+authorityKeyIdentifier = keyid:always
+keyUsage = critical,keyCertSign,cRLSign
+subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombats-r-us.hactrn.net/ISP5c/
+authorityInfoAccess = caIssuers;URI:rsync://wombats-r-us.hactrn.net/LIR3.cer
+sbgp-autonomousSysNum = critical,AS:64534-64540
+#sbgp-ipAddrBlock = critical,???
+
+[ crl_x509_ext ]
+authorityKeyIdentifier = keyid:always
diff --git a/rpkid/resource-cert-samples/ISP5c.key b/rpkid/resource-cert-samples/ISP5c.key
new file mode 100644
index 00000000..dc7595d0
--- /dev/null
+++ b/rpkid/resource-cert-samples/ISP5c.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAyIuhJWXf7qJ/VK9SChoa+g11szzp4CnTiSDpUUlnLEPaoCzU
+RLOWFKkHd2C5bwHvjlSldKxaZ/gwTRD5rJ+4dWEL9ud86ptcmHpLPsTiWULTGcoP
+WA63yIJO5bus/ZLliLL8ZM9uODsYg/znpq77kDbQ4cpNkEEPDzsqwAzZe33oUBP2
+CXOCo9Lju4IIh3/Suw4Oeii2JQK12VH8MzJHR//Pf7zuAAG7BV4uA5qtlTvKwsaH
+ZHQ5qllrruCnURoH8o5MjmUv3/KZuuC2ik/AIHJ5mACPDVATPdE+jL3cdKkzqFYd
+MXh85wKejQoUEm3TN8d68IQQ/v5NKJcmbgiFoQIDAQABAoIBAC5Y5rMn6irSby75
+HbKr+dQUTEFSMJLX18V3T7SzjB6Ux/AArEX8YxD/R3R1bCWVgvGX6m0eb/5bQ35s
+D+evOggWl5dGRH5LzYiHquAkzFLouLTbF9S4Ag1a4DUDvKUVz+pZwy7hKY3hSncm
+ebrx8b2QjZHBGU/fWUWh3O1pitGZDJ+D7zN4gsS+Q+L5heVuWlLKGsDBllIFEx+A
+lYHik6bnCWASv/ZRxxyv1v9Nc6+S1kLGkWAq/dzdRz5hS6/1/BYkYJYF+N+yOJlh
+dc8nknY3RqphRoUfKNF1mo2/CX3TiTIkI9RADl/JG7MvN8QcvsZtPY9HFvl8l3Jr
+bMeB+gECgYEA8qWQpwftUj4MFSa6H8N/cNfoNVDt6CRpy3BhqcGKstfdDNWxUEyW
+jKQnh4z+bypKuwtAzf26dlJzVz1tpTx81bvTyN/mhCd51ZLG/pWM/rmt0Hqt59M1
+AhDRaBVAN+mXZYv/4ULy0jcBzQJxRtSOGzb0CRT+SFyhlJ2aTBYh5xECgYEA05Tv
+tPhEREDYRexYEeOsAs9uxZuM1F07OYCSqsRFWjO3Qg3MvUowtZbPnryT4KCUirQY
+GCRt3zNWRkbHczxw6WWsxwv88tEQEb6HU2llZPvqz45MP77LBP7qvmASQmUOX6TI
+Qav/SLmuEwPwVrwxI2nbDQtYPryaBq5vBglcVZECgYA1AgBYzP2GYvGmyUAN4lp7
+317mDtj6RsIp5FIhkJtpOIkc3a4PubuF2/KaxS1sQZPzyqCMn6pVYOu7mjrSxyUK
+WC8LCgbExg7ynk8EnM0hdJTJH5PQOi6xVdU5ZLMTw98EGxJ6NnLvg37MN4VhkNu+
+jEHBnilyy3GtEsT7bDZZ0QKBgHqc1ej+8rjHB05GL6d2U+lxAlWb1hn/SWICY3x4
+r2QdkjbCPoL3qpChLAJmcB/9jvdudIQRIGb3niitvcnHHfvzwxO6m8SvaOuPiWbK
+Lks+Pg43/XH3hDmJ7MmUbSBy5ciBeter8A3aJMm6P55UAvntz1aY23PH4k666XYL
+GKoxAoGAB+YRlWhaIeUgTlImA33lZ89g8juxuttShAEZGtMOsX9I7J5XoxktOGI0
+Sqc2eCf/HLvcLrt1g66foAPvLmkxEHqncqLAE7MKIvMIIvCu7GVrVx/8O2vcFDed
+QV1Ruj41vFLljQqArXZ3dxCSxNRrWPFOO8c0Thfps2zBfRF1Rq0=
+-----END RSA PRIVATE KEY-----
diff --git a/rpkid/resource-cert-samples/ISP5c.req b/rpkid/resource-cert-samples/ISP5c.req
new file mode 100644
index 00000000..fe5a3802
--- /dev/null
+++ b/rpkid/resource-cert-samples/ISP5c.req
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE REQUEST-----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+-----END CERTIFICATE REQUEST-----
diff --git a/rpkid/resource-cert-samples/ISP5c/index b/rpkid/resource-cert-samples/ISP5c/index
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/rpkid/resource-cert-samples/ISP5c/index
diff --git a/rpkid/resource-cert-samples/ISP5c/serial b/rpkid/resource-cert-samples/ISP5c/serial
new file mode 100644
index 00000000..8a0f05e1
--- /dev/null
+++ b/rpkid/resource-cert-samples/ISP5c/serial
@@ -0,0 +1 @@
+01
diff --git a/rpkid/resource-cert-samples/LIR1.cer b/rpkid/resource-cert-samples/LIR1.cer
new file mode 100644
index 00000000..348c6275
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR1.cer
@@ -0,0 +1,94 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 50 (0x32)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Oct 29 16:32:33 2007 GMT
+ Not After : Oct 28 16:32:33 2008 GMT
+ Subject: CN=TEST ENTITY LIR1
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:af:5d:1c:f9:d9:bb:d5:01:e1:5b:36:cc:51:f6:
+ fd:86:57:60:aa:9e:c7:ec:4e:05:af:fb:51:5c:7a:
+ c2:58:c4:a8:57:ae:14:62:e9:bc:b6:72:7d:cf:49:
+ c8:4a:40:82:4a:f4:3e:30:b5:94:25:9e:6c:78:81:
+ 57:43:d6:85:02:8d:d1:9c:b5:d7:34:2f:e2:a9:7d:
+ 18:27:b5:47:9a:42:16:c8:90:7f:96:2c:dd:b8:98:
+ 17:1f:77:62:4a:08:00:2d:e0:73:0c:39:37:ba:0f:
+ a7:59:59:4c:7c:cd:e2:5c:d7:98:36:10:6c:88:3e:
+ 45:99:a6:88:2f:f6:7f:31:49:ba:42:2b:13:79:c2:
+ b2:f1:09:d9:ad:37:a4:41:b6:6d:46:a1:18:05:a0:
+ 53:07:8e:e0:98:b2:d1:fd:67:68:77:64:d5:f3:fe:
+ 1d:22:36:9e:26:5a:1a:aa:18:94:c3:2c:7e:9a:af:
+ be:2c:9d:5e:75:2c:49:d6:37:2b:06:1f:cc:63:97:
+ 7e:ee:2c:5f:67:af:4d:62:3e:7a:1f:0c:e1:1e:02:
+ f2:d2:06:75:ae:3f:11:bc:8e:0f:13:64:38:14:36:
+ 1d:5d:02:ec:af:65:d5:b9:68:f4:22:66:2b:ef:47:
+ 5b:ad:3b:f2:af:b6:71:0c:94:56:8a:7c:01:36:f0:
+ 3a:3f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 8A:94:17:F9:53:F2:5B:94:54:56:DF:76:51:13:29:F6:71:19:A8:B3
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/LIR1/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/RIR.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64533
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 192.0.2.1-192.0.2.33
+ 192.0.2.44-192.0.2.100
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 71:ca:3c:b4:39:4f:ec:c2:ba:bd:c4:e5:9d:b8:9e:12:5a:0d:
+ af:f6:e0:f5:65:0c:54:ac:5c:17:d2:29:92:a4:84:ea:47:09:
+ 53:75:52:7c:af:67:11:7b:fb:35:14:77:9e:8e:34:a9:39:5a:
+ 87:65:7f:5e:e7:81:80:82:4b:b2:e4:07:c3:7d:1e:bf:0a:31:
+ ff:43:9c:66:31:b0:19:0a:ea:52:14:67:62:f6:91:15:5c:d4:
+ da:f7:bb:87:1c:9d:31:4c:0d:8c:f6:c9:1c:44:68:21:09:49:
+ a9:d7:cc:7f:54:c2:cd:44:09:98:e9:7c:73:a3:9d:36:38:e8:
+ e2:bd:16:19:94:fd:97:ff:91:ca:62:22:1a:ff:f7:2c:a0:b9:
+ 79:a4:07:84:37:bb:50:8b:6a:6b:25:9a:8e:3c:fb:4f:09:2b:
+ e1:75:c4:d4:2e:73:a2:cd:ce:f5:83:3c:a5:ca:33:f6:c8:39:
+ f8:dd:78:3f:61:05:7a:ae:09:3c:d4:bc:b1:4e:0d:4d:83:f8:
+ 77:6c:a0:ea:6d:e6:5d:df:c4:e4:e0:7f:0f:9c:da:d0:f1:3b:
+ 37:05:e4:77:1f:54:7b:d0:57:6d:55:dd:ba:41:ba:4b:90:df:
+ 54:8e:a3:cd:0c:a8:ae:c9:09:e8:02:a6:23:e3:f9:62:f8:0e:
+ 39:f7:87:f9
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR1.cnf b/rpkid/resource-cert-samples/LIR1.cnf
new file mode 100644
index 00000000..7e2fa61f
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR1.cnf
@@ -0,0 +1,64 @@
+# Automatically generated, do not edit.
+
+[ ca ]
+default_ca = ca_default
+
+[ ca_default ]
+certificate = LIR1.cer
+serial = LIR1/serial
+private_key = LIR1.key
+database = LIR1/index
+new_certs_dir = LIR1
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 365
+default_crl_days = 30
+default_md = sha256
+preserve = no
+copy_extensions = copy
+policy = ca_policy_anything
+unique_subject = no
+x509_extensions = ca_x509_ext
+crl_extensions = crl_x509_ext
+
+[ ca_policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+givenName = optional
+surname = optional
+
+[ req ]
+default_bits = 2048
+encrypt_key = no
+distinguished_name = req_dn
+req_extensions = req_x509_ext
+prompt = no
+
+[ req_dn ]
+CN = TEST ENTITY LIR1
+
+[ req_x509_ext ]
+basicConstraints = critical,CA:true
+subjectKeyIdentifier = hash
+keyUsage = critical,keyCertSign,cRLSign
+subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombats-r-us.hactrn.net/LIR1/
+authorityInfoAccess = caIssuers;URI:rsync://wombats-r-us.hactrn.net/RIR.cer
+sbgp-autonomousSysNum = critical,AS:64533
+sbgp-ipAddrBlock = critical,IPv4:192.0.2.1-192.0.2.33,IPv4:192.0.2.44-192.0.2.100
+
+[ ca_x509_ext ]
+basicConstraints = critical,CA:true
+authorityKeyIdentifier = keyid:always
+keyUsage = critical,keyCertSign,cRLSign
+subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombats-r-us.hactrn.net/LIR1/
+authorityInfoAccess = caIssuers;URI:rsync://wombats-r-us.hactrn.net/RIR.cer
+sbgp-autonomousSysNum = critical,AS:64533
+sbgp-ipAddrBlock = critical,IPv4:192.0.2.1-192.0.2.33,IPv4:192.0.2.44-192.0.2.100
+
+[ crl_x509_ext ]
+authorityKeyIdentifier = keyid:always
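Review bot: `copy_extensions = copy` in `[ ca_default ]`, together with `policy = ca_policy_anything`, lets this CA copy extensions from the certificate request into the issued certificate. Nothing in the file checks that a requested `basicConstraints`, `sbgp-ipAddrBlock` or `sbgp-autonomousSysNum` stays inside LIR1's own 192.0.2.1-192.0.2.33 / 192.0.2.44-192.0.2.100 and AS 64533. That is tolerable for hand-built samples, but resource containment is the check a resource-certificate CA exists to enforce, so this file should not be read as a template. Because the file is marked as generated, the change belongs in the generator (not visible here), which could emit `# samples only: request extensions are copied unchecked; a real CA must verify RFC 3779 resource containment before signing` above that line. Separately, `[ ca_x509_ext ]` repeats LIR1's own SIA, AIA and resources while the certificates under LIR1/ carry per-ISP values, so how that section is applied at signing time is worth confirming.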
diff --git a/rpkid/resource-cert-samples/LIR1.key b/rpkid/resource-cert-samples/LIR1.key
new file mode 100644
index 00000000..0f79c031
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR1.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
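Review bot: This file commits the unencrypted RSA private key of the CN=TEST ENTITY LIR1 CA (LIR1.cnf sets `encrypt_key = no`), and the hunk ending just above ISP5c.req appears to do the same for another sample entity. Anyone with a checkout can sign under this CA, so nothing chained to these samples should ever be configured as a trust anchor or published to a live repository. No marker saying so is visible in this part of the diff. A short README in resource-cert-samples would make it explicit, e.g. `Keys in this directory are public test material; never trust certificates issued under them.` Generating the keys when the tests run, instead of committing them, would remove the question.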
diff --git a/rpkid/resource-cert-samples/LIR1.req b/rpkid/resource-cert-samples/LIR1.req
new file mode 100644
index 00000000..d1390df5
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR1.req
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE REQUEST-----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+-----END CERTIFICATE REQUEST-----
diff --git a/rpkid/resource-cert-samples/LIR1/01.pem b/rpkid/resource-cert-samples/LIR1/01.pem
new file mode 100644
index 00000000..29733e89
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR1/01.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDzDCCArSgAwIBAgIBATANBgkqhkiG9w0BAQUFADAbMRkwFwYDVQQDExBURVNU
+IEVOVElUWSBMSVIxMB4XDTA3MDgwMTA1NDUyOVoXDTA4MDczMTA1NDUyOVowGzEZ
+MBcGA1UEAxMQVEVTVCBFTlRJVFkgSVNQMjCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBANB338Qhrxtaa6inKNdDyJttJdiNf5Er45X9kmCsFBLXI2iFSw7b
+K+Y44EjbGDePQMCQWA4/CWdfjj8EdQZgkkLz5EUENZVd6SJCLPZcpn15jOEIGXw1
+nTr95/+bKbXuiUfMDYOg4XOvHwmEqAuDzHmIv3wdc9arQhtkmlwZgyud5a1MWAV2
+lXAj7qXAMcqip8gdHvLJ8j04gsJT5VSG8nyxc+Hc6YZzCKxZO74vWMFCxYAYjDoK
+KjL2/ijQKFKDxjBpUZBZGZvT1MLgUmrBTlmaGOR4Llf5fytddijJycV+5UOhm2jS
+Bhy+P2n5wvqeT2jPY2/bbfxnNcCxbgo37DMCAwEAAaOCARkwggEVMA8GA1UdEwEB
+/wQFMAMBAf8wHQYDVR0OBBYEFHOyFhrN3NcwYA/6gZX4ovVOlfOtMB8GA1UdIwQY
+MBaAFIqUF/lT8luUVFbfdlETKfZxGaizMA4GA1UdDwEB/wQEAwIBBjBBBggrBgEF
+BQcBCwQ1MDMwMQYIKwYBBQUHMAWGJXJzeW5jOi8vd29tYmF0cy1yLXVzLmhhY3Ry
+bi5uZXQvSVNQMi8wRAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzAChihyc3luYzov
+L3dvbWJhdHMtci11cy5oYWN0cm4ubmV0L0xJUjEuY2VyMCkGCCsGAQUFBwEHAQH/
+BBowGDAWBAIAATAQMA4DBQLAAAIsAwUAwAACZDANBgkqhkiG9w0BAQUFAAOCAQEA
+FmbqWBmcgPw3k/OjxA3mZX807TFQiP7mB8SCzWNbXeCRuWdhcNzcLSgxZovfvREB
+Op6/dlpd3XXrY94uwKsZbgq2+qRQZFdYHJh1WE0KHkgvf6krFNTl6hVKrbosSY9A
+T9uHihn6L4kBYp29D4wLINNDgJR4QdzhKjvH+l/pYACteUcFb5MFI2RvmNjRlCj4
+9QWwl0o1to0LlIvS+k1ROu69a6EvzBCO5JMpp8o6+yzz8UCbn+4rcJYaoxkq4cR/
+esIYsghTavMYgTm13U3IZfRoKTu32t9k8aYsQ/bcmF9l31pI7HQIUI6KwhgBAtkE
+Ivo8c0ekAlpRKRlodSrb+w==
+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR1/02.pem b/rpkid/resource-cert-samples/LIR1/02.pem
new file mode 100644
index 00000000..0bcefb6f
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR1/02.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----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=
+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR1/03.pem b/rpkid/resource-cert-samples/LIR1/03.pem
new file mode 100644
index 00000000..e6b6ac76
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR1/03.pem
@@ -0,0 +1,92 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 3 (0x3)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR1
+ Validity
+ Not Before: Aug 1 14:05:29 2007 GMT
+ Not After : Jul 31 14:05:29 2008 GMT
+ Subject: CN=TEST ENTITY ISP2
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:d0:77:df:c4:21:af:1b:5a:6b:a8:a7:28:d7:43:
+ c8:9b:6d:25:d8:8d:7f:91:2b:e3:95:fd:92:60:ac:
+ 14:12:d7:23:68:85:4b:0e:db:2b:e6:38:e0:48:db:
+ 18:37:8f:40:c0:90:58:0e:3f:09:67:5f:8e:3f:04:
+ 75:06:60:92:42:f3:e4:45:04:35:95:5d:e9:22:42:
+ 2c:f6:5c:a6:7d:79:8c:e1:08:19:7c:35:9d:3a:fd:
+ e7:ff:9b:29:b5:ee:89:47:cc:0d:83:a0:e1:73:af:
+ 1f:09:84:a8:0b:83:cc:79:88:bf:7c:1d:73:d6:ab:
+ 42:1b:64:9a:5c:19:83:2b:9d:e5:ad:4c:58:05:76:
+ 95:70:23:ee:a5:c0:31:ca:a2:a7:c8:1d:1e:f2:c9:
+ f2:3d:38:82:c2:53:e5:54:86:f2:7c:b1:73:e1:dc:
+ e9:86:73:08:ac:59:3b:be:2f:58:c1:42:c5:80:18:
+ 8c:3a:0a:2a:32:f6:fe:28:d0:28:52:83:c6:30:69:
+ 51:90:59:19:9b:d3:d4:c2:e0:52:6a:c1:4e:59:9a:
+ 18:e4:78:2e:57:f9:7f:2b:5d:76:28:c9:c9:c5:7e:
+ e5:43:a1:9b:68:d2:06:1c:be:3f:69:f9:c2:fa:9e:
+ 4f:68:cf:63:6f:db:6d:fc:67:35:c0:b1:6e:0a:37:
+ ec:33
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 73:B2:16:1A:CD:DC:D7:30:60:0F:FA:81:95:F8:A2:F5:4E:95:F3:AD
+ X509v3 Authority Key Identifier:
+ keyid:8A:94:17:F9:53:F2:5B:94:54:56:DF:76:51:13:29:F6:71:19:A8:B3
+
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP2/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR1.cer
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 192.0.2.44-192.0.2.100
+
+ Signature Algorithm: sha1WithRSAEncryption
+ 2c:66:2e:23:8b:0c:9a:b9:a4:48:06:1e:da:0d:8a:51:f0:f3:
+ c2:0c:0b:d8:ea:10:2e:24:a9:f1:a8:a2:da:dd:8c:09:0f:7a:
+ 9a:fb:54:b2:44:6a:32:91:9e:88:d3:db:5e:53:49:dc:12:59:
+ 9b:b5:7c:55:86:85:48:74:9e:03:e4:42:3d:68:f2:ee:e8:ca:
+ fa:cc:56:9f:1e:b0:49:61:af:b1:6d:f1:d5:1a:3c:3e:2e:86:
+ 4c:a3:ff:31:a5:2f:91:64:3a:f5:7e:6a:78:b5:cd:80:d7:34:
+ 38:72:f4:18:0c:c6:de:f5:bb:d8:89:84:6d:69:1f:da:42:b4:
+ fc:73:34:76:fa:42:df:bd:a1:e0:6e:f4:5b:b1:18:70:15:b3:
+ 75:02:a6:0d:e0:79:de:fd:d5:bd:2e:a0:22:df:bf:4f:dc:15:
+ 1f:8e:23:26:26:ab:7b:67:5a:c0:f3:39:25:fd:d6:97:47:f3:
+ e0:c5:8c:6e:b3:19:b6:f2:0f:98:f4:8c:57:59:88:9f:b0:b4:
+ c6:0e:f8:56:60:f2:1a:f5:ad:20:5e:dc:93:2d:7e:e8:2f:44:
+ 54:ff:5d:21:d6:df:17:36:31:c8:d7:af:c4:f8:c6:58:31:59:
+ df:34:12:81:4d:eb:5c:ca:ee:7f:b7:4c:c2:17:8a:94:66:f1:
+ e5:4d:e4:67
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
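Review bot: LIR1/03.pem is signed with `sha1WithRSAEncryption`, as are 04.pem through 0A.pem below, although LIR1.cnf sets `default_md = sha256` and LIR1.cer and 0B.pem use sha256WithRSAEncryption. These files also repeat the same two subjects and public keys (ISP1, ISP2) with issue times minutes apart, which suggests leftovers of earlier signing runs in `new_certs_dir` rather than a deliberate sample set. If the tests do not need them, regenerating with the current configuration or dropping the superseded serials would keep the samples from modelling SHA-1 signatures. If they are kept on purpose, a one-line note in the samples directory saying why would help.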
diff --git a/rpkid/resource-cert-samples/LIR1/04.pem b/rpkid/resource-cert-samples/LIR1/04.pem
new file mode 100644
index 00000000..193985fc
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR1/04.pem
@@ -0,0 +1,96 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 4 (0x4)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR1
+ Validity
+ Not Before: Aug 1 14:05:29 2007 GMT
+ Not After : Jul 31 14:05:29 2008 GMT
+ Subject: CN=TEST ENTITY ISP1
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:eb:80:54:7a:74:4b:e4:81:15:d0:25:2d:5e:21:
+ be:47:e6:31:ab:e2:fe:79:55:48:b7:36:55:3d:dc:
+ 11:88:5b:b7:36:be:d3:bb:d7:16:8d:f8:4b:f4:c5:
+ bd:34:c4:8e:2c:67:97:e6:27:10:40:c5:36:f4:b6:
+ 6c:b9:29:82:2e:76:b0:29:ea:43:9a:d1:30:de:05:
+ a1:c1:54:7c:17:67:1d:fc:29:dd:80:53:b2:81:30:
+ db:13:ee:3e:e6:5d:c7:bc:3d:a6:11:6d:81:77:b7:
+ 9f:3e:36:df:7c:d6:d2:5a:22:36:68:7c:14:cc:ac:
+ 54:ed:ae:fd:e2:cd:b1:a3:5d:a9:65:ec:1b:8b:4b:
+ cf:80:8e:a6:98:8f:69:b1:a6:35:bd:69:c9:2e:66:
+ 7f:22:11:66:56:c5:75:4c:81:a3:6e:49:71:0d:f5:
+ 75:87:13:e8:62:e8:1a:0c:a8:30:81:6a:be:90:59:
+ 23:3b:61:c0:15:5f:68:bf:b5:c9:3f:af:3a:a2:7f:
+ 80:01:78:f6:f4:55:ca:ee:ca:8d:08:9b:c5:3e:74:
+ 98:02:b2:0b:a6:d8:e8:6e:78:88:7b:95:76:b6:ca:
+ be:f1:80:a9:dd:e8:3c:80:91:ce:3f:fd:0b:dd:b7:
+ d8:a6:8c:94:20:07:19:74:fa:86:ff:cb:97:c3:f6:
+ a4:e7
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 66:EC:29:21:2E:76:83:19:39:ED:8E:ED:B7:06:A8:4C:E5:0E:2E:11
+ X509v3 Authority Key Identifier:
+ keyid:8A:94:17:F9:53:F2:5B:94:54:56:DF:76:51:13:29:F6:71:19:A8:B3
+
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP1/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR1.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64533
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 192.0.2.1-192.0.2.33
+
+ Signature Algorithm: sha1WithRSAEncryption
+ 7b:5f:02:90:6c:dc:6a:39:29:5a:23:3a:03:ab:7b:7e:80:fe:
+ ed:ce:07:e2:9e:e9:0d:4d:dd:c2:40:6a:9d:07:ce:b3:af:ba:
+ cf:b5:7b:45:77:bd:c2:bf:b5:52:94:f6:14:37:2a:3c:a4:00:
+ c6:6a:bd:26:66:b8:51:5a:9d:16:1c:9b:69:8e:a4:8f:42:39:
+ 39:97:9f:77:0d:08:73:5d:8f:e3:d4:d9:2f:c0:8d:d2:e5:18:
+ f0:6a:4b:d2:15:d3:f6:8a:fd:1a:e9:da:28:98:93:87:21:97:
+ e6:dc:73:ac:80:e3:08:ff:0e:27:a5:f5:37:0d:dc:0a:29:eb:
+ 5a:48:03:57:24:29:fe:7f:62:07:7f:77:c0:11:ae:d7:27:c6:
+ f4:21:78:26:10:cb:f8:04:ba:21:5f:c3:4f:dc:b5:60:4b:44:
+ 0f:a5:64:f6:4d:d6:6e:08:9f:f2:bb:9a:04:89:44:65:1c:b5:
+ c2:01:0d:4f:03:c1:97:31:d5:0b:4e:66:99:85:df:d0:45:b1:
+ f2:a8:ba:47:9e:4d:c9:b9:73:d7:e4:fa:1f:e9:0a:d5:be:a5:
+ 34:32:c9:07:df:6d:2f:b3:9d:11:8c:f4:0a:68:bb:b1:fa:43:
+ 77:be:fd:84:d5:36:5c:f3:cb:ad:c4:ff:96:9b:79:77:79:01:
+ 46:e0:92:91
+-----BEGIN CERTIFICATE-----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=
+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR1/05.pem b/rpkid/resource-cert-samples/LIR1/05.pem
new file mode 100644
index 00000000..d39a4c28
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR1/05.pem
@@ -0,0 +1,92 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 5 (0x5)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR1
+ Validity
+ Not Before: Aug 1 14:08:29 2007 GMT
+ Not After : Jul 31 14:08:29 2008 GMT
+ Subject: CN=TEST ENTITY ISP2
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:d0:77:df:c4:21:af:1b:5a:6b:a8:a7:28:d7:43:
+ c8:9b:6d:25:d8:8d:7f:91:2b:e3:95:fd:92:60:ac:
+ 14:12:d7:23:68:85:4b:0e:db:2b:e6:38:e0:48:db:
+ 18:37:8f:40:c0:90:58:0e:3f:09:67:5f:8e:3f:04:
+ 75:06:60:92:42:f3:e4:45:04:35:95:5d:e9:22:42:
+ 2c:f6:5c:a6:7d:79:8c:e1:08:19:7c:35:9d:3a:fd:
+ e7:ff:9b:29:b5:ee:89:47:cc:0d:83:a0:e1:73:af:
+ 1f:09:84:a8:0b:83:cc:79:88:bf:7c:1d:73:d6:ab:
+ 42:1b:64:9a:5c:19:83:2b:9d:e5:ad:4c:58:05:76:
+ 95:70:23:ee:a5:c0:31:ca:a2:a7:c8:1d:1e:f2:c9:
+ f2:3d:38:82:c2:53:e5:54:86:f2:7c:b1:73:e1:dc:
+ e9:86:73:08:ac:59:3b:be:2f:58:c1:42:c5:80:18:
+ 8c:3a:0a:2a:32:f6:fe:28:d0:28:52:83:c6:30:69:
+ 51:90:59:19:9b:d3:d4:c2:e0:52:6a:c1:4e:59:9a:
+ 18:e4:78:2e:57:f9:7f:2b:5d:76:28:c9:c9:c5:7e:
+ e5:43:a1:9b:68:d2:06:1c:be:3f:69:f9:c2:fa:9e:
+ 4f:68:cf:63:6f:db:6d:fc:67:35:c0:b1:6e:0a:37:
+ ec:33
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 73:B2:16:1A:CD:DC:D7:30:60:0F:FA:81:95:F8:A2:F5:4E:95:F3:AD
+ X509v3 Authority Key Identifier:
+ keyid:8A:94:17:F9:53:F2:5B:94:54:56:DF:76:51:13:29:F6:71:19:A8:B3
+
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP2/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR1.cer
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 192.0.2.44-192.0.2.100
+
+ Signature Algorithm: sha1WithRSAEncryption
+ 46:2c:90:67:a5:55:7e:77:09:b8:1e:6a:87:44:25:86:d1:82:
+ 3a:c9:a8:54:5f:fd:cc:92:fe:55:32:11:12:6c:61:7c:13:aa:
+ 80:85:bf:68:1a:7f:98:67:32:23:0f:ff:61:70:6f:50:cb:e1:
+ 64:4a:76:85:f1:99:6b:b8:59:6a:1a:23:65:14:e5:dc:ae:de:
+ 50:92:54:98:eb:b2:80:2b:4a:32:77:87:71:1a:52:a8:64:a6:
+ b9:22:91:74:35:33:29:43:f2:db:0c:ba:21:99:e8:e3:98:e2:
+ 6d:a9:1e:7a:9f:db:fb:a7:2a:ab:8a:f5:f6:28:99:4b:11:5c:
+ f2:d2:d3:e7:4d:02:09:8a:b1:1b:b2:41:5d:72:fa:89:37:a6:
+ ec:f7:ed:7a:b2:0c:d7:2e:c0:17:16:1c:33:7f:22:49:3e:13:
+ 88:67:c3:b1:ac:1b:5f:b5:81:4d:25:9e:87:7b:6c:95:90:57:
+ e5:4e:2c:ab:4a:96:4a:e8:9c:d8:19:58:d0:a2:c5:9a:bc:f4:
+ 9a:96:17:bd:dd:a4:55:20:87:25:4c:91:70:73:99:fc:86:a9:
+ 1a:0f:8f:63:6a:9a:85:37:69:48:9d:b9:ff:59:7b:2e:ae:bb:
+ 70:27:0c:a2:1b:4d:2a:21:1f:b6:89:fa:c7:0a:5a:47:6d:22:
+ 1b:3f:97:a7
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR1/06.pem b/rpkid/resource-cert-samples/LIR1/06.pem
new file mode 100644
index 00000000..c03635c3
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR1/06.pem
@@ -0,0 +1,96 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 6 (0x6)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR1
+ Validity
+ Not Before: Aug 1 14:08:29 2007 GMT
+ Not After : Jul 31 14:08:29 2008 GMT
+ Subject: CN=TEST ENTITY ISP1
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:eb:80:54:7a:74:4b:e4:81:15:d0:25:2d:5e:21:
+ be:47:e6:31:ab:e2:fe:79:55:48:b7:36:55:3d:dc:
+ 11:88:5b:b7:36:be:d3:bb:d7:16:8d:f8:4b:f4:c5:
+ bd:34:c4:8e:2c:67:97:e6:27:10:40:c5:36:f4:b6:
+ 6c:b9:29:82:2e:76:b0:29:ea:43:9a:d1:30:de:05:
+ a1:c1:54:7c:17:67:1d:fc:29:dd:80:53:b2:81:30:
+ db:13:ee:3e:e6:5d:c7:bc:3d:a6:11:6d:81:77:b7:
+ 9f:3e:36:df:7c:d6:d2:5a:22:36:68:7c:14:cc:ac:
+ 54:ed:ae:fd:e2:cd:b1:a3:5d:a9:65:ec:1b:8b:4b:
+ cf:80:8e:a6:98:8f:69:b1:a6:35:bd:69:c9:2e:66:
+ 7f:22:11:66:56:c5:75:4c:81:a3:6e:49:71:0d:f5:
+ 75:87:13:e8:62:e8:1a:0c:a8:30:81:6a:be:90:59:
+ 23:3b:61:c0:15:5f:68:bf:b5:c9:3f:af:3a:a2:7f:
+ 80:01:78:f6:f4:55:ca:ee:ca:8d:08:9b:c5:3e:74:
+ 98:02:b2:0b:a6:d8:e8:6e:78:88:7b:95:76:b6:ca:
+ be:f1:80:a9:dd:e8:3c:80:91:ce:3f:fd:0b:dd:b7:
+ d8:a6:8c:94:20:07:19:74:fa:86:ff:cb:97:c3:f6:
+ a4:e7
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 66:EC:29:21:2E:76:83:19:39:ED:8E:ED:B7:06:A8:4C:E5:0E:2E:11
+ X509v3 Authority Key Identifier:
+ keyid:8A:94:17:F9:53:F2:5B:94:54:56:DF:76:51:13:29:F6:71:19:A8:B3
+
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP1/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR1.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64533
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 192.0.2.1-192.0.2.33
+
+ Signature Algorithm: sha1WithRSAEncryption
+ a2:f2:1a:a9:b9:28:fd:c0:26:62:1f:01:e1:02:29:b7:8c:b8:
+ 96:4e:b7:e9:6d:00:f2:85:6c:c9:7c:af:b1:d7:e6:b5:90:21:
+ 7c:33:94:95:72:9c:c9:36:5e:68:1a:71:af:47:a7:ca:b5:4c:
+ 16:aa:ea:5d:fd:1b:c1:b9:52:a7:05:db:66:93:c4:95:a5:c6:
+ 58:16:60:04:73:94:3b:be:7c:a3:34:84:af:d5:7a:03:26:57:
+ 09:b2:db:02:59:0b:54:58:23:a5:3f:9c:f1:ad:b4:2e:2b:1b:
+ e5:67:9d:c5:41:01:05:b2:7b:76:26:00:dd:1c:c5:c4:d4:31:
+ 3d:9a:ba:1d:4f:7c:93:31:5f:fa:43:4a:ce:ab:db:6f:9d:d6:
+ fa:9b:c4:ad:be:2c:68:1b:64:23:fb:01:d3:b7:db:fc:a4:1c:
+ ec:f6:36:79:02:d8:b4:99:af:de:1f:a2:68:15:ad:bc:66:18:
+ 31:3e:6d:3b:97:2e:f8:b0:f0:89:36:67:8e:e3:54:45:65:bf:
+ aa:87:a7:81:83:c2:d3:19:4f:77:91:6a:50:12:9e:85:e8:b6:
+ 95:b1:7a:27:db:15:a7:19:66:04:d3:c6:47:49:10:a1:9f:72:
+ 3c:c3:62:1c:4a:66:5c:42:a0:2b:fd:fd:c6:48:ab:c7:55:6a:
+ 26:6e:12:8e
+-----BEGIN CERTIFICATE-----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=
+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR1/07.pem b/rpkid/resource-cert-samples/LIR1/07.pem
new file mode 100644
index 00000000..a8742d9b
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR1/07.pem
@@ -0,0 +1,92 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 7 (0x7)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR1
+ Validity
+ Not Before: Aug 1 14:09:35 2007 GMT
+ Not After : Jul 31 14:09:35 2008 GMT
+ Subject: CN=TEST ENTITY ISP2
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:d0:77:df:c4:21:af:1b:5a:6b:a8:a7:28:d7:43:
+ c8:9b:6d:25:d8:8d:7f:91:2b:e3:95:fd:92:60:ac:
+ 14:12:d7:23:68:85:4b:0e:db:2b:e6:38:e0:48:db:
+ 18:37:8f:40:c0:90:58:0e:3f:09:67:5f:8e:3f:04:
+ 75:06:60:92:42:f3:e4:45:04:35:95:5d:e9:22:42:
+ 2c:f6:5c:a6:7d:79:8c:e1:08:19:7c:35:9d:3a:fd:
+ e7:ff:9b:29:b5:ee:89:47:cc:0d:83:a0:e1:73:af:
+ 1f:09:84:a8:0b:83:cc:79:88:bf:7c:1d:73:d6:ab:
+ 42:1b:64:9a:5c:19:83:2b:9d:e5:ad:4c:58:05:76:
+ 95:70:23:ee:a5:c0:31:ca:a2:a7:c8:1d:1e:f2:c9:
+ f2:3d:38:82:c2:53:e5:54:86:f2:7c:b1:73:e1:dc:
+ e9:86:73:08:ac:59:3b:be:2f:58:c1:42:c5:80:18:
+ 8c:3a:0a:2a:32:f6:fe:28:d0:28:52:83:c6:30:69:
+ 51:90:59:19:9b:d3:d4:c2:e0:52:6a:c1:4e:59:9a:
+ 18:e4:78:2e:57:f9:7f:2b:5d:76:28:c9:c9:c5:7e:
+ e5:43:a1:9b:68:d2:06:1c:be:3f:69:f9:c2:fa:9e:
+ 4f:68:cf:63:6f:db:6d:fc:67:35:c0:b1:6e:0a:37:
+ ec:33
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 73:B2:16:1A:CD:DC:D7:30:60:0F:FA:81:95:F8:A2:F5:4E:95:F3:AD
+ X509v3 Authority Key Identifier:
+ keyid:8A:94:17:F9:53:F2:5B:94:54:56:DF:76:51:13:29:F6:71:19:A8:B3
+
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP2/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR1.cer
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 192.0.2.44-192.0.2.100
+
+ Signature Algorithm: sha1WithRSAEncryption
+ 2d:8b:40:01:ec:c8:92:30:65:52:2b:3b:a0:66:e5:c6:e5:09:
+ 87:2b:c0:a4:10:4f:a9:e1:e2:da:17:ff:5e:30:19:16:68:78:
+ 91:5c:70:56:90:e8:e9:1a:06:94:3f:ed:0c:ef:94:aa:8a:85:
+ 55:ad:ee:ba:56:c0:fd:c1:59:6c:ac:3f:11:d5:fc:1f:10:74:
+ 3d:62:a1:c2:c3:46:76:ff:34:dd:b1:0b:c6:c1:b1:8c:7c:0c:
+ 14:aa:3b:34:a5:fb:da:6a:6c:cc:a5:3d:bc:29:66:f6:d1:7a:
+ db:84:fe:69:10:b7:02:c0:8b:29:98:1b:06:5c:fd:7b:02:64:
+ 25:91:4d:38:25:0f:2a:7a:3a:02:85:11:af:71:cc:cd:f3:45:
+ 93:e3:ae:bd:db:00:54:44:5c:c2:3e:6d:82:c1:fb:a0:13:44:
+ 02:6a:ae:25:98:8e:57:f0:b7:5f:13:e7:22:5d:36:0a:99:f7:
+ ab:21:b1:7d:79:27:ae:94:d0:97:b8:7d:a0:4e:5f:63:18:ef:
+ 7b:95:be:e6:df:e0:6c:75:a9:17:01:7e:18:41:0c:95:9f:b9:
+ a2:48:f9:13:e1:86:9a:1a:2a:9f:b8:a0:c3:8c:32:f5:10:40:
+ 77:72:65:40:c9:cf:17:fa:f3:4f:43:fe:9f:91:77:98:33:74:
+ cd:c4:6f:d9
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR1/08.pem b/rpkid/resource-cert-samples/LIR1/08.pem
new file mode 100644
index 00000000..7f2b5154
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR1/08.pem
@@ -0,0 +1,96 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 8 (0x8)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR1
+ Validity
+ Not Before: Aug 1 14:09:35 2007 GMT
+ Not After : Jul 31 14:09:35 2008 GMT
+ Subject: CN=TEST ENTITY ISP1
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:eb:80:54:7a:74:4b:e4:81:15:d0:25:2d:5e:21:
+ be:47:e6:31:ab:e2:fe:79:55:48:b7:36:55:3d:dc:
+ 11:88:5b:b7:36:be:d3:bb:d7:16:8d:f8:4b:f4:c5:
+ bd:34:c4:8e:2c:67:97:e6:27:10:40:c5:36:f4:b6:
+ 6c:b9:29:82:2e:76:b0:29:ea:43:9a:d1:30:de:05:
+ a1:c1:54:7c:17:67:1d:fc:29:dd:80:53:b2:81:30:
+ db:13:ee:3e:e6:5d:c7:bc:3d:a6:11:6d:81:77:b7:
+ 9f:3e:36:df:7c:d6:d2:5a:22:36:68:7c:14:cc:ac:
+ 54:ed:ae:fd:e2:cd:b1:a3:5d:a9:65:ec:1b:8b:4b:
+ cf:80:8e:a6:98:8f:69:b1:a6:35:bd:69:c9:2e:66:
+ 7f:22:11:66:56:c5:75:4c:81:a3:6e:49:71:0d:f5:
+ 75:87:13:e8:62:e8:1a:0c:a8:30:81:6a:be:90:59:
+ 23:3b:61:c0:15:5f:68:bf:b5:c9:3f:af:3a:a2:7f:
+ 80:01:78:f6:f4:55:ca:ee:ca:8d:08:9b:c5:3e:74:
+ 98:02:b2:0b:a6:d8:e8:6e:78:88:7b:95:76:b6:ca:
+ be:f1:80:a9:dd:e8:3c:80:91:ce:3f:fd:0b:dd:b7:
+ d8:a6:8c:94:20:07:19:74:fa:86:ff:cb:97:c3:f6:
+ a4:e7
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 66:EC:29:21:2E:76:83:19:39:ED:8E:ED:B7:06:A8:4C:E5:0E:2E:11
+ X509v3 Authority Key Identifier:
+ keyid:8A:94:17:F9:53:F2:5B:94:54:56:DF:76:51:13:29:F6:71:19:A8:B3
+
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP1/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR1.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64533
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 192.0.2.1-192.0.2.33
+
+ Signature Algorithm: sha1WithRSAEncryption
+ 17:33:25:69:a3:33:ba:c8:75:1b:55:bd:1d:fb:4a:8f:f6:f5:
+ 51:f6:b6:5a:ff:e3:de:4f:cc:e9:f5:53:b1:2b:5d:7f:e4:2e:
+ a5:6d:c9:24:fa:5d:0b:dc:26:e4:45:1c:31:7e:8e:5f:3b:b4:
+ 6d:0f:6c:08:4c:90:8e:a6:50:7d:6b:32:47:2a:1e:24:f3:8f:
+ bf:4a:5a:93:1c:09:63:c1:97:2a:67:48:55:2f:95:57:41:48:
+ 48:60:6b:ef:b4:cc:9e:53:85:88:d5:b9:77:b6:a4:f2:d1:71:
+ 44:91:a1:e5:44:c5:05:2f:1d:b3:10:dd:28:39:24:1f:99:1f:
+ 12:21:4e:a8:bb:55:03:de:d0:82:7e:53:a1:9c:e9:d8:da:20:
+ 2d:3e:03:73:00:47:26:93:cc:e2:7e:84:0d:0d:67:f8:8d:e8:
+ c4:20:36:79:75:0b:d4:90:17:bf:b6:65:6f:24:07:f3:95:cd:
+ ba:49:28:c6:62:64:3a:1a:60:ea:34:7f:23:20:6f:1d:82:82:
+ 20:89:50:30:30:1a:e1:c8:8b:18:bc:eb:55:67:68:6b:12:05:
+ 42:ac:1b:1e:f2:0b:15:c3:5f:9e:8a:70:13:d5:0e:d2:d5:17:
+ 74:32:b1:32:93:a9:f1:4c:bf:8f:94:ca:70:11:4b:d5:02:8a:
+ 49:4a:df:30
+-----BEGIN CERTIFICATE-----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=
+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR1/09.pem b/rpkid/resource-cert-samples/LIR1/09.pem
new file mode 100644
index 00000000..0a5c3837
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR1/09.pem
@@ -0,0 +1,92 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 9 (0x9)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR1
+ Validity
+ Not Before: Aug 1 14:48:22 2007 GMT
+ Not After : Jul 31 14:48:22 2008 GMT
+ Subject: CN=TEST ENTITY ISP2
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:d0:77:df:c4:21:af:1b:5a:6b:a8:a7:28:d7:43:
+ c8:9b:6d:25:d8:8d:7f:91:2b:e3:95:fd:92:60:ac:
+ 14:12:d7:23:68:85:4b:0e:db:2b:e6:38:e0:48:db:
+ 18:37:8f:40:c0:90:58:0e:3f:09:67:5f:8e:3f:04:
+ 75:06:60:92:42:f3:e4:45:04:35:95:5d:e9:22:42:
+ 2c:f6:5c:a6:7d:79:8c:e1:08:19:7c:35:9d:3a:fd:
+ e7:ff:9b:29:b5:ee:89:47:cc:0d:83:a0:e1:73:af:
+ 1f:09:84:a8:0b:83:cc:79:88:bf:7c:1d:73:d6:ab:
+ 42:1b:64:9a:5c:19:83:2b:9d:e5:ad:4c:58:05:76:
+ 95:70:23:ee:a5:c0:31:ca:a2:a7:c8:1d:1e:f2:c9:
+ f2:3d:38:82:c2:53:e5:54:86:f2:7c:b1:73:e1:dc:
+ e9:86:73:08:ac:59:3b:be:2f:58:c1:42:c5:80:18:
+ 8c:3a:0a:2a:32:f6:fe:28:d0:28:52:83:c6:30:69:
+ 51:90:59:19:9b:d3:d4:c2:e0:52:6a:c1:4e:59:9a:
+ 18:e4:78:2e:57:f9:7f:2b:5d:76:28:c9:c9:c5:7e:
+ e5:43:a1:9b:68:d2:06:1c:be:3f:69:f9:c2:fa:9e:
+ 4f:68:cf:63:6f:db:6d:fc:67:35:c0:b1:6e:0a:37:
+ ec:33
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 73:B2:16:1A:CD:DC:D7:30:60:0F:FA:81:95:F8:A2:F5:4E:95:F3:AD
+ X509v3 Authority Key Identifier:
+ keyid:8A:94:17:F9:53:F2:5B:94:54:56:DF:76:51:13:29:F6:71:19:A8:B3
+
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP2/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR1.cer
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 192.0.2.44-192.0.2.100
+
+ Signature Algorithm: sha1WithRSAEncryption
+ 0a:f1:b5:af:38:f9:7d:93:95:d4:ea:bf:48:ef:8d:63:3c:4e:
+ 1c:80:3d:7a:06:20:42:0e:0d:52:99:aa:4b:3e:af:d7:b4:61:
+ 47:4f:b7:b4:f7:cc:9b:3c:5e:a5:3b:3c:ba:dd:b7:2a:27:8e:
+ 1b:b4:5c:3c:6b:d1:d9:ff:c2:12:f7:9d:82:ba:cf:75:34:bc:
+ d7:0b:b4:d6:a8:4f:58:93:6a:ae:23:7a:37:e3:2e:f1:70:8a:
+ dd:f5:0e:fa:df:b0:3f:12:d4:5a:ac:33:ad:15:1c:a5:dc:be:
+ 08:c3:8e:1a:0f:35:12:0e:de:ef:b8:80:78:90:a9:eb:8f:00:
+ 0a:15:1d:05:12:3a:1d:37:e9:f4:f9:4a:77:6e:69:27:b7:e3:
+ 7f:ae:78:32:92:86:6d:39:16:5e:59:4f:93:10:b5:b0:be:1c:
+ 25:47:2a:e2:8f:92:9f:5c:c0:2a:48:d7:53:00:14:8e:9e:86:
+ ea:cf:a6:21:66:50:89:95:39:3e:ff:27:95:85:ef:3d:c8:98:
+ 7f:cd:fe:c1:30:65:94:b1:ad:48:5c:ae:b7:c8:64:e9:69:a2:
+ 07:ca:c2:d7:fe:63:4b:de:a9:25:a1:91:4b:17:a3:a9:dd:2b:
+ f7:d1:a5:3e:b7:be:42:03:1e:d9:34:5f:16:e3:35:7a:ca:1d:
+ ee:3d:4c:d5
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR1/0A.pem b/rpkid/resource-cert-samples/LIR1/0A.pem
new file mode 100644
index 00000000..86da6423
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR1/0A.pem
@@ -0,0 +1,96 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 10 (0xa)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR1
+ Validity
+ Not Before: Aug 1 14:48:22 2007 GMT
+ Not After : Jul 31 14:48:22 2008 GMT
+ Subject: CN=TEST ENTITY ISP1
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:eb:80:54:7a:74:4b:e4:81:15:d0:25:2d:5e:21:
+ be:47:e6:31:ab:e2:fe:79:55:48:b7:36:55:3d:dc:
+ 11:88:5b:b7:36:be:d3:bb:d7:16:8d:f8:4b:f4:c5:
+ bd:34:c4:8e:2c:67:97:e6:27:10:40:c5:36:f4:b6:
+ 6c:b9:29:82:2e:76:b0:29:ea:43:9a:d1:30:de:05:
+ a1:c1:54:7c:17:67:1d:fc:29:dd:80:53:b2:81:30:
+ db:13:ee:3e:e6:5d:c7:bc:3d:a6:11:6d:81:77:b7:
+ 9f:3e:36:df:7c:d6:d2:5a:22:36:68:7c:14:cc:ac:
+ 54:ed:ae:fd:e2:cd:b1:a3:5d:a9:65:ec:1b:8b:4b:
+ cf:80:8e:a6:98:8f:69:b1:a6:35:bd:69:c9:2e:66:
+ 7f:22:11:66:56:c5:75:4c:81:a3:6e:49:71:0d:f5:
+ 75:87:13:e8:62:e8:1a:0c:a8:30:81:6a:be:90:59:
+ 23:3b:61:c0:15:5f:68:bf:b5:c9:3f:af:3a:a2:7f:
+ 80:01:78:f6:f4:55:ca:ee:ca:8d:08:9b:c5:3e:74:
+ 98:02:b2:0b:a6:d8:e8:6e:78:88:7b:95:76:b6:ca:
+ be:f1:80:a9:dd:e8:3c:80:91:ce:3f:fd:0b:dd:b7:
+ d8:a6:8c:94:20:07:19:74:fa:86:ff:cb:97:c3:f6:
+ a4:e7
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 66:EC:29:21:2E:76:83:19:39:ED:8E:ED:B7:06:A8:4C:E5:0E:2E:11
+ X509v3 Authority Key Identifier:
+ keyid:8A:94:17:F9:53:F2:5B:94:54:56:DF:76:51:13:29:F6:71:19:A8:B3
+
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP1/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR1.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64533
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 192.0.2.1-192.0.2.33
+
+ Signature Algorithm: sha1WithRSAEncryption
+ 77:f8:b2:d3:a4:61:38:f7:23:0d:a8:bc:33:a9:5e:fe:b5:1d:
+ 09:ea:ee:5b:93:4c:b1:76:ea:27:9c:ad:ab:ba:b7:44:a1:8b:
+ 69:89:71:a7:50:39:05:e5:69:e6:f2:7b:33:70:2a:a1:1d:87:
+ ad:48:45:2a:ab:02:a2:fd:df:08:36:8d:2b:25:8d:c2:06:d5:
+ 10:49:8b:88:62:94:47:5a:27:78:2e:2d:51:aa:b8:9b:13:27:
+ ef:38:af:43:1f:61:f7:da:48:13:2a:0b:66:b4:7d:b4:3a:02:
+ 1a:d3:88:c3:c4:df:1c:1b:86:29:05:da:61:ef:f2:b4:d4:86:
+ 67:14:54:cb:21:b9:8f:38:7b:f8:ba:87:71:66:7d:cf:61:ee:
+ 0b:bb:55:89:46:9d:b4:96:ab:55:90:bd:2c:c6:cf:fa:2d:c3:
+ 18:a2:40:44:0e:85:dd:65:de:b1:2c:79:1b:12:e7:f6:2d:af:
+ 1d:88:61:4a:67:38:17:f1:dc:2e:7c:6a:79:c2:94:8e:f4:e6:
+ c2:6a:6a:7f:3f:40:bf:03:fd:22:ad:ee:df:9b:e4:bc:4b:a0:
+ 73:2d:14:75:ca:c9:7c:06:2c:79:b2:c8:6f:83:d2:81:72:a8:
+ 09:0b:a2:39:cb:68:b5:38:f4:09:bc:4a:83:53:26:f4:b2:ca:
+ 3d:31:ed:e7
+-----BEGIN CERTIFICATE-----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=
+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR1/0B.pem b/rpkid/resource-cert-samples/LIR1/0B.pem
new file mode 100644
index 00000000..f078c91f
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR1/0B.pem
@@ -0,0 +1,79 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 11 (0xb)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR1
+ Validity
+ Not Before: Aug 10 00:58:18 2007 GMT
+ Not After : Aug 9 00:58:18 2008 GMT
+ Subject: CN=TEST ENTITY ISP2
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:d0:77:df:c4:21:af:1b:5a:6b:a8:a7:28:d7:43:
+ c8:9b:6d:25:d8:8d:7f:91:2b:e3:95:fd:92:60:ac:
+ 14:12:d7:23:68:85:4b:0e:db:2b:e6:38:e0:48:db:
+ 18:37:8f:40:c0:90:58:0e:3f:09:67:5f:8e:3f:04:
+ 75:06:60:92:42:f3:e4:45:04:35:95:5d:e9:22:42:
+ 2c:f6:5c:a6:7d:79:8c:e1:08:19:7c:35:9d:3a:fd:
+ e7:ff:9b:29:b5:ee:89:47:cc:0d:83:a0:e1:73:af:
+ 1f:09:84:a8:0b:83:cc:79:88:bf:7c:1d:73:d6:ab:
+ 42:1b:64:9a:5c:19:83:2b:9d:e5:ad:4c:58:05:76:
+ 95:70:23:ee:a5:c0:31:ca:a2:a7:c8:1d:1e:f2:c9:
+ f2:3d:38:82:c2:53:e5:54:86:f2:7c:b1:73:e1:dc:
+ e9:86:73:08:ac:59:3b:be:2f:58:c1:42:c5:80:18:
+ 8c:3a:0a:2a:32:f6:fe:28:d0:28:52:83:c6:30:69:
+ 51:90:59:19:9b:d3:d4:c2:e0:52:6a:c1:4e:59:9a:
+ 18:e4:78:2e:57:f9:7f:2b:5d:76:28:c9:c9:c5:7e:
+ e5:43:a1:9b:68:d2:06:1c:be:3f:69:f9:c2:fa:9e:
+ 4f:68:cf:63:6f:db:6d:fc:67:35:c0:b1:6e:0a:37:
+ ec:33
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 73:B2:16:1A:CD:DC:D7:30:60:0F:FA:81:95:F8:A2:F5:4E:95:F3:AD
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP2/
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 48:2e:66:23:11:dd:1c:f1:3a:9a:28:62:9a:5c:73:75:4a:7a:
+ 2d:25:24:60:36:62:e5:92:ad:ff:69:08:49:d6:35:7f:e1:53:
+ c4:6c:17:30:d0:6d:f1:35:4c:9a:54:67:e2:78:d8:a3:88:c9:
+ ef:29:be:ad:5b:f1:2e:66:4e:b6:df:a5:f2:2b:c6:45:48:a5:
+ b6:54:2d:bb:35:96:75:0a:c1:7b:79:fc:00:ad:9b:a1:d3:dd:
+ f6:b3:72:1b:68:3a:24:92:96:46:1f:46:1e:a8:ea:50:27:f6:
+ d4:3c:ba:ce:11:d2:79:88:a9:fc:43:55:ed:1f:38:92:6c:e3:
+ 23:26:51:26:c4:5f:f5:11:a3:0f:bf:dd:ff:45:0c:54:08:0a:
+ 48:cd:7f:91:70:b2:e7:83:83:55:33:10:ba:36:27:5d:c5:e0:
+ d4:44:94:f7:19:25:8f:c0:e3:c4:99:5c:fd:f8:03:58:57:75:
+ 6d:de:e2:71:55:1f:1c:20:51:17:ae:98:8f:93:30:6c:59:49:
+ c9:a4:f1:cc:81:83:ae:49:10:d3:13:e8:44:61:c3:16:a2:f1:
+ c4:02:9e:0f:44:3b:9d:a5:3e:81:b1:01:37:e9:33:28:87:f0:
+ 4a:7b:c9:5a:25:ba:76:b0:09:97:b5:11:8c:60:96:1d:17:22:
+ 8e:72:80:4c
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
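Review bot: 0B.pem is a CA certificate (`CA:TRUE`, Certificate Sign and CRL Sign) issued by LIR1, yet it has no Authority Key Identifier, no Authority Information Access and no sbgp-ipAddrBlock or sbgp-autonomousSysNum extension, and nothing in the file or its name says whether a resource-certificate validator is expected to reject it. 0C.pem has the same shape, and 11.pem and 12.pem additionally drop the Subject Key Identifier. If these are kept on purpose as negative samples, a short index next to them (for example a README entry per serial such as `0B.pem: expected reject, no RFC 3779 extensions`) would stop them being mistaken for valid ones; if they are leftovers from iterating on the generator, they could be dropped from the commit.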
diff --git a/rpkid/resource-cert-samples/LIR1/0C.pem b/rpkid/resource-cert-samples/LIR1/0C.pem
new file mode 100644
index 00000000..f10e0062
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR1/0C.pem
@@ -0,0 +1,79 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 12 (0xc)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR1
+ Validity
+ Not Before: Aug 10 00:58:18 2007 GMT
+ Not After : Aug 9 00:58:18 2008 GMT
+ Subject: CN=TEST ENTITY ISP1
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:eb:80:54:7a:74:4b:e4:81:15:d0:25:2d:5e:21:
+ be:47:e6:31:ab:e2:fe:79:55:48:b7:36:55:3d:dc:
+ 11:88:5b:b7:36:be:d3:bb:d7:16:8d:f8:4b:f4:c5:
+ bd:34:c4:8e:2c:67:97:e6:27:10:40:c5:36:f4:b6:
+ 6c:b9:29:82:2e:76:b0:29:ea:43:9a:d1:30:de:05:
+ a1:c1:54:7c:17:67:1d:fc:29:dd:80:53:b2:81:30:
+ db:13:ee:3e:e6:5d:c7:bc:3d:a6:11:6d:81:77:b7:
+ 9f:3e:36:df:7c:d6:d2:5a:22:36:68:7c:14:cc:ac:
+ 54:ed:ae:fd:e2:cd:b1:a3:5d:a9:65:ec:1b:8b:4b:
+ cf:80:8e:a6:98:8f:69:b1:a6:35:bd:69:c9:2e:66:
+ 7f:22:11:66:56:c5:75:4c:81:a3:6e:49:71:0d:f5:
+ 75:87:13:e8:62:e8:1a:0c:a8:30:81:6a:be:90:59:
+ 23:3b:61:c0:15:5f:68:bf:b5:c9:3f:af:3a:a2:7f:
+ 80:01:78:f6:f4:55:ca:ee:ca:8d:08:9b:c5:3e:74:
+ 98:02:b2:0b:a6:d8:e8:6e:78:88:7b:95:76:b6:ca:
+ be:f1:80:a9:dd:e8:3c:80:91:ce:3f:fd:0b:dd:b7:
+ d8:a6:8c:94:20:07:19:74:fa:86:ff:cb:97:c3:f6:
+ a4:e7
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 66:EC:29:21:2E:76:83:19:39:ED:8E:ED:B7:06:A8:4C:E5:0E:2E:11
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP1/
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 91:b8:bc:18:27:a1:ec:e7:7b:49:59:f6:83:d7:e9:7a:86:73:
+ 54:84:23:20:5d:00:cc:a4:08:68:9e:ef:33:ad:75:1b:ed:34:
+ bb:36:82:b6:e9:ae:00:5d:a6:9e:11:98:cb:72:f7:a0:77:bd:
+ d0:8e:32:28:b6:cf:e9:3a:8c:bf:4c:94:2b:db:ca:1b:ee:07:
+ 37:c9:51:15:9b:f0:43:b7:31:a2:67:cc:7f:f9:2e:6a:33:ae:
+ 23:6b:de:04:03:03:99:bc:8a:e9:6c:e9:dd:8c:62:3c:b2:df:
+ c0:5c:19:c7:50:c5:5a:86:68:2a:52:fd:7d:85:8c:5f:a8:a2:
+ 5c:7d:58:70:1f:05:c3:cb:4b:f6:91:a3:9d:00:64:0e:1c:f2:
+ ed:1b:45:f4:e0:82:a1:0b:22:e0:77:c0:7a:e9:9d:ce:e3:62:
+ e7:f6:12:0d:4d:bb:be:fc:7a:3d:fd:54:14:4f:0b:5c:44:f5:
+ 7e:6a:74:20:cd:15:9d:3c:86:21:9c:54:ef:d5:ed:8d:b4:36:
+ 34:45:c1:3f:8b:49:27:4d:f5:2d:03:ab:b4:c6:b4:aa:74:da:
+ 37:23:b7:88:70:8e:e9:37:88:54:98:91:b3:42:50:8f:61:ce:
+ 8c:5f:99:4e:f7:61:0a:aa:b9:15:95:87:92:1f:ef:00:02:2b:
+ ea:5f:09:60
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR1/0D.pem b/rpkid/resource-cert-samples/LIR1/0D.pem
new file mode 100644
index 00000000..cc8d1185
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR1/0D.pem
@@ -0,0 +1,88 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 13 (0xd)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR1
+ Validity
+ Not Before: Aug 10 01:02:31 2007 GMT
+ Not After : Aug 9 01:02:31 2008 GMT
+ Subject: CN=TEST ENTITY ISP2
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:d0:77:df:c4:21:af:1b:5a:6b:a8:a7:28:d7:43:
+ c8:9b:6d:25:d8:8d:7f:91:2b:e3:95:fd:92:60:ac:
+ 14:12:d7:23:68:85:4b:0e:db:2b:e6:38:e0:48:db:
+ 18:37:8f:40:c0:90:58:0e:3f:09:67:5f:8e:3f:04:
+ 75:06:60:92:42:f3:e4:45:04:35:95:5d:e9:22:42:
+ 2c:f6:5c:a6:7d:79:8c:e1:08:19:7c:35:9d:3a:fd:
+ e7:ff:9b:29:b5:ee:89:47:cc:0d:83:a0:e1:73:af:
+ 1f:09:84:a8:0b:83:cc:79:88:bf:7c:1d:73:d6:ab:
+ 42:1b:64:9a:5c:19:83:2b:9d:e5:ad:4c:58:05:76:
+ 95:70:23:ee:a5:c0:31:ca:a2:a7:c8:1d:1e:f2:c9:
+ f2:3d:38:82:c2:53:e5:54:86:f2:7c:b1:73:e1:dc:
+ e9:86:73:08:ac:59:3b:be:2f:58:c1:42:c5:80:18:
+ 8c:3a:0a:2a:32:f6:fe:28:d0:28:52:83:c6:30:69:
+ 51:90:59:19:9b:d3:d4:c2:e0:52:6a:c1:4e:59:9a:
+ 18:e4:78:2e:57:f9:7f:2b:5d:76:28:c9:c9:c5:7e:
+ e5:43:a1:9b:68:d2:06:1c:be:3f:69:f9:c2:fa:9e:
+ 4f:68:cf:63:6f:db:6d:fc:67:35:c0:b1:6e:0a:37:
+ ec:33
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 73:B2:16:1A:CD:DC:D7:30:60:0F:FA:81:95:F8:A2:F5:4E:95:F3:AD
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP2/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR1.cer
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 192.0.2.44-192.0.2.100
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 94:90:a1:91:c0:51:6b:ee:1c:74:7a:1f:7e:6e:4e:cc:50:c0:
+ 97:c7:15:df:63:ab:71:65:77:44:2f:f5:4f:91:1c:67:84:42:
+ 78:0a:ef:8c:cd:66:16:92:90:32:76:ca:d9:f0:6a:b4:e3:38:
+ 21:59:a5:13:a7:f7:bc:51:ac:6f:f6:f0:95:85:f3:bb:c7:4c:
+ cf:68:fd:07:9c:f5:cf:79:47:47:71:76:54:4f:8c:37:f1:d5:
+ 1f:85:a9:2c:27:80:57:40:6a:80:71:10:c6:ff:12:74:cb:1a:
+ 8a:a4:92:6a:66:2b:5c:3a:99:8c:d1:2f:ac:e1:66:17:19:20:
+ a9:27:2c:a4:e2:54:dc:d3:a9:71:30:0c:2b:48:a1:af:a4:52:
+ e8:a3:03:b2:03:00:b8:f2:51:b6:6c:c4:b4:c7:d5:cc:a4:d3:
+ f4:2d:70:de:99:76:21:6e:08:29:0f:90:f3:c9:bf:2c:7d:f2:
+ 9c:4f:6f:30:ed:75:a6:64:28:7a:e6:46:ed:ac:d4:b6:71:5d:
+ 91:da:20:2b:eb:eb:d7:32:82:30:5a:68:9a:2d:e8:ef:90:3b:
+ c9:85:fd:5a:0e:3c:55:f0:2b:59:ae:00:e3:d8:cc:e9:90:59:
+ 93:80:9c:26:87:90:15:6e:9e:00:17:b1:c7:95:e7:9e:0d:4a:
+ 92:68:8c:a0
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
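Review bot: 0D.pem carries Subject Information Access, Authority Information Access and a critical sbgp-ipAddrBlock but no X509v3 Authority Key Identifier, whereas the sha1WithRSAEncryption sample that ends just above 0B.pem in this diff does carry a `keyid:` entry. The same omission is visible in 0E.pem, 0F.pem, 10.pem, 13.pem and 14.pem. A validator that links a certificate to its issuer by matching AKI against the issuer's SKI could not chain these to LIR1, so either the generator should emit the extension (`authorityKeyIdentifier = keyid` in the extension section, assuming these come from an OpenSSL config) or the samples should be recorded as intentionally incomplete.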
diff --git a/rpkid/resource-cert-samples/LIR1/0E.pem b/rpkid/resource-cert-samples/LIR1/0E.pem
new file mode 100644
index 00000000..08cab1ec
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR1/0E.pem
@@ -0,0 +1,93 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 14 (0xe)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR1
+ Validity
+ Not Before: Aug 10 01:02:31 2007 GMT
+ Not After : Aug 9 01:02:31 2008 GMT
+ Subject: CN=TEST ENTITY ISP1
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:eb:80:54:7a:74:4b:e4:81:15:d0:25:2d:5e:21:
+ be:47:e6:31:ab:e2:fe:79:55:48:b7:36:55:3d:dc:
+ 11:88:5b:b7:36:be:d3:bb:d7:16:8d:f8:4b:f4:c5:
+ bd:34:c4:8e:2c:67:97:e6:27:10:40:c5:36:f4:b6:
+ 6c:b9:29:82:2e:76:b0:29:ea:43:9a:d1:30:de:05:
+ a1:c1:54:7c:17:67:1d:fc:29:dd:80:53:b2:81:30:
+ db:13:ee:3e:e6:5d:c7:bc:3d:a6:11:6d:81:77:b7:
+ 9f:3e:36:df:7c:d6:d2:5a:22:36:68:7c:14:cc:ac:
+ 54:ed:ae:fd:e2:cd:b1:a3:5d:a9:65:ec:1b:8b:4b:
+ cf:80:8e:a6:98:8f:69:b1:a6:35:bd:69:c9:2e:66:
+ 7f:22:11:66:56:c5:75:4c:81:a3:6e:49:71:0d:f5:
+ 75:87:13:e8:62:e8:1a:0c:a8:30:81:6a:be:90:59:
+ 23:3b:61:c0:15:5f:68:bf:b5:c9:3f:af:3a:a2:7f:
+ 80:01:78:f6:f4:55:ca:ee:ca:8d:08:9b:c5:3e:74:
+ 98:02:b2:0b:a6:d8:e8:6e:78:88:7b:95:76:b6:ca:
+ be:f1:80:a9:dd:e8:3c:80:91:ce:3f:fd:0b:dd:b7:
+ d8:a6:8c:94:20:07:19:74:fa:86:ff:cb:97:c3:f6:
+ a4:e7
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 66:EC:29:21:2E:76:83:19:39:ED:8E:ED:B7:06:A8:4C:E5:0E:2E:11
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP1/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR1.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64533
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 192.0.2.1-192.0.2.33
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 99:05:da:53:ce:ce:f7:7b:64:64:ad:31:94:37:41:ee:e1:05:
+ 25:5f:20:df:04:ae:b1:8b:56:98:b9:6e:f6:f8:e1:a1:03:e4:
+ 2b:28:58:4b:9f:fe:4b:bc:67:c0:3f:76:94:a7:2d:52:7e:81:
+ 5a:f4:9e:d8:36:59:ad:98:1e:0e:79:63:26:08:cf:c6:a9:37:
+ 39:3b:75:53:22:6f:e8:ad:3d:6e:3a:00:50:62:b3:4e:87:c3:
+ f3:38:58:15:b9:34:d5:0e:37:1e:2a:f9:16:42:ee:40:6b:6b:
+ 30:2b:1f:c1:ca:23:9d:66:66:ac:09:d2:e1:f3:63:41:12:d4:
+ 9c:d7:7c:5a:61:37:f1:70:a5:5a:50:bc:12:b0:cd:4a:7d:57:
+ cb:82:f3:bc:72:58:81:ab:ce:07:3b:e1:8e:4a:d7:03:f2:79:
+ 7a:2d:83:b5:27:4e:53:2a:99:1e:3c:01:cc:eb:ee:7e:47:34:
+ da:59:27:73:54:20:d2:cd:2d:a2:8d:c5:93:7e:4f:0a:8a:ee:
+ b2:3a:d0:5a:cb:c9:19:5b:55:d5:41:22:90:6e:a2:2f:df:81:
+ ad:ec:f4:ab:e7:31:68:e9:32:b3:9c:e3:87:b5:1e:22:5e:f8:
+ 8c:0e:da:7f:b0:cd:29:24:4b:c3:a5:cd:28:69:89:b2:1c:05:
+ b9:18:c5:2b
+-----BEGIN CERTIFICATE-----
+MIIDxzCCAq+gAwIBAgIBDjANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBURVNU
+IEVOVElUWSBMSVIxMB4XDTA3MDgxMDAxMDIzMVoXDTA4MDgwOTAxMDIzMVowGzEZ
+MBcGA1UEAxMQVEVTVCBFTlRJVFkgSVNQMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAOuAVHp0S+SBFdAlLV4hvkfmMavi/nlVSLc2VT3cEYhbtza+07vX
+Fo34S/TFvTTEjixnl+YnEEDFNvS2bLkpgi52sCnqQ5rRMN4FocFUfBdnHfwp3YBT
+soEw2xPuPuZdx7w9phFtgXe3nz4233zW0loiNmh8FMysVO2u/eLNsaNdqWXsG4tL
+z4COppiPabGmNb1pyS5mfyIRZlbFdUyBo25JcQ31dYcT6GLoGgyoMIFqvpBZIzth
+wBVfaL+1yT+vOqJ/gAF49vRVyu7KjQibxT50mAKyC6bY6G54iHuVdrbKvvGAqd3o
+PICRzj/9C9232KaMlCAHGXT6hv/Ll8P2pOcCAwEAAaOCARQwggEQMA8GA1UdEwEB
+/wQFMAMBAf8wHQYDVR0OBBYEFGbsKSEudoMZOe2O7bcGqEzlDi4RMA4GA1UdDwEB
+/wQEAwIBBjBBBggrBgEFBQcBCwQ1MDMwMQYIKwYBBQUHMAWGJXJzeW5jOi8vd29t
+YmF0cy1yLXVzLmhhY3Rybi5uZXQvSVNQMS8wRAYIKwYBBQUHAQEEODA2MDQGCCsG
+AQUFBzAChihyc3luYzovL3dvbWJhdHMtci11cy5oYWN0cm4ubmV0L0xJUjEuY2Vy
+MBoGCCsGAQUFBwEIAQH/BAswCaAHMAUCAwD8FTApBggrBgEFBQcBBwEB/wQaMBgw
+FgQCAAEwEDAOAwUAwAACAQMFAcAAAiAwDQYJKoZIhvcNAQELBQADggEBAJkF2lPO
+zvd7ZGStMZQ3Qe7hBSVfIN8ErrGLVpi5bvb44aED5CsoWEuf/ku8Z8A/dpSnLVJ+
+gVr0ntg2Wa2YHg55YyYIz8apNzk7dVMib+itPW46AFBis06Hw/M4WBW5NNUONx4q
++RZC7kBrazArH8HKI51mZqwJ0uHzY0ES1JzXfFphN/FwpVpQvBKwzUp9V8uC87xy
+WIGrzgc74Y5K1wPyeXotg7UnTlMqmR48Aczr7n5HNNpZJ3NUINLNLaKNxZN+TwqK
+7rI60FrLyRlbVdVBIpBuoi/fga3s9KvnMWjpMrOc44e1HiJe+IwO2n+wzSkkS8Ol
+zShpibIcBbkYxSs=
+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR1/0F.pem b/rpkid/resource-cert-samples/LIR1/0F.pem
new file mode 100644
index 00000000..8fc7b413
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR1/0F.pem
@@ -0,0 +1,88 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 15 (0xf)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR1
+ Validity
+ Not Before: Aug 10 01:07:09 2007 GMT
+ Not After : Aug 9 01:07:09 2008 GMT
+ Subject: CN=TEST ENTITY ISP2
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:d0:77:df:c4:21:af:1b:5a:6b:a8:a7:28:d7:43:
+ c8:9b:6d:25:d8:8d:7f:91:2b:e3:95:fd:92:60:ac:
+ 14:12:d7:23:68:85:4b:0e:db:2b:e6:38:e0:48:db:
+ 18:37:8f:40:c0:90:58:0e:3f:09:67:5f:8e:3f:04:
+ 75:06:60:92:42:f3:e4:45:04:35:95:5d:e9:22:42:
+ 2c:f6:5c:a6:7d:79:8c:e1:08:19:7c:35:9d:3a:fd:
+ e7:ff:9b:29:b5:ee:89:47:cc:0d:83:a0:e1:73:af:
+ 1f:09:84:a8:0b:83:cc:79:88:bf:7c:1d:73:d6:ab:
+ 42:1b:64:9a:5c:19:83:2b:9d:e5:ad:4c:58:05:76:
+ 95:70:23:ee:a5:c0:31:ca:a2:a7:c8:1d:1e:f2:c9:
+ f2:3d:38:82:c2:53:e5:54:86:f2:7c:b1:73:e1:dc:
+ e9:86:73:08:ac:59:3b:be:2f:58:c1:42:c5:80:18:
+ 8c:3a:0a:2a:32:f6:fe:28:d0:28:52:83:c6:30:69:
+ 51:90:59:19:9b:d3:d4:c2:e0:52:6a:c1:4e:59:9a:
+ 18:e4:78:2e:57:f9:7f:2b:5d:76:28:c9:c9:c5:7e:
+ e5:43:a1:9b:68:d2:06:1c:be:3f:69:f9:c2:fa:9e:
+ 4f:68:cf:63:6f:db:6d:fc:67:35:c0:b1:6e:0a:37:
+ ec:33
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 73:B2:16:1A:CD:DC:D7:30:60:0F:FA:81:95:F8:A2:F5:4E:95:F3:AD
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP2/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR1.cer
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 192.0.2.44-192.0.2.100
+
+ Signature Algorithm: sha256WithRSAEncryption
+ a5:94:a6:fa:e0:84:ac:c4:8d:f8:46:1b:4d:69:0b:ca:0d:ba:
+ 20:e9:51:0d:7f:76:0b:ae:9a:76:0e:11:0e:7c:6a:2f:c8:a0:
+ 6e:83:6d:51:3c:93:f7:7d:1b:5f:8f:da:06:c5:2b:28:0f:41:
+ 96:a2:9a:d9:ca:0d:57:16:15:79:e5:58:7a:72:45:b9:63:a5:
+ 27:84:d8:e5:b5:8a:2b:27:90:b0:d8:58:67:30:7d:dc:7e:33:
+ 8d:d8:42:e4:af:04:3a:6a:b8:79:07:a3:30:85:7a:29:3c:7d:
+ 44:15:a8:48:f6:e1:f9:d1:50:f9:70:29:3a:ba:e5:43:37:e0:
+ 93:67:2e:a9:1a:03:ea:95:f2:14:46:bf:96:b2:c5:7e:d8:74:
+ 2f:23:e0:60:56:12:52:90:1f:f5:ce:b9:e4:5c:e7:69:64:62:
+ 56:b8:34:77:7a:c7:25:03:16:ff:fc:93:67:e5:54:4f:5f:23:
+ 19:05:59:9c:c9:01:97:6d:54:81:fd:1d:c8:3c:9f:c0:1e:a9:
+ ca:ba:52:ca:d4:7f:23:e7:1d:e9:b4:cd:56:82:d8:f2:58:83:
+ c8:28:fd:41:4d:fc:81:54:e2:24:be:7d:32:f4:02:10:cb:dc:
+ 6a:07:28:a2:4f:7d:bd:6d:f8:56:4f:74:87:fc:b4:88:20:17:
+ 0c:b9:28:fb
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR1/10.pem b/rpkid/resource-cert-samples/LIR1/10.pem
new file mode 100644
index 00000000..6c572f7c
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR1/10.pem
@@ -0,0 +1,93 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 16 (0x10)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR1
+ Validity
+ Not Before: Aug 10 01:07:09 2007 GMT
+ Not After : Aug 9 01:07:09 2008 GMT
+ Subject: CN=TEST ENTITY ISP1
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:eb:80:54:7a:74:4b:e4:81:15:d0:25:2d:5e:21:
+ be:47:e6:31:ab:e2:fe:79:55:48:b7:36:55:3d:dc:
+ 11:88:5b:b7:36:be:d3:bb:d7:16:8d:f8:4b:f4:c5:
+ bd:34:c4:8e:2c:67:97:e6:27:10:40:c5:36:f4:b6:
+ 6c:b9:29:82:2e:76:b0:29:ea:43:9a:d1:30:de:05:
+ a1:c1:54:7c:17:67:1d:fc:29:dd:80:53:b2:81:30:
+ db:13:ee:3e:e6:5d:c7:bc:3d:a6:11:6d:81:77:b7:
+ 9f:3e:36:df:7c:d6:d2:5a:22:36:68:7c:14:cc:ac:
+ 54:ed:ae:fd:e2:cd:b1:a3:5d:a9:65:ec:1b:8b:4b:
+ cf:80:8e:a6:98:8f:69:b1:a6:35:bd:69:c9:2e:66:
+ 7f:22:11:66:56:c5:75:4c:81:a3:6e:49:71:0d:f5:
+ 75:87:13:e8:62:e8:1a:0c:a8:30:81:6a:be:90:59:
+ 23:3b:61:c0:15:5f:68:bf:b5:c9:3f:af:3a:a2:7f:
+ 80:01:78:f6:f4:55:ca:ee:ca:8d:08:9b:c5:3e:74:
+ 98:02:b2:0b:a6:d8:e8:6e:78:88:7b:95:76:b6:ca:
+ be:f1:80:a9:dd:e8:3c:80:91:ce:3f:fd:0b:dd:b7:
+ d8:a6:8c:94:20:07:19:74:fa:86:ff:cb:97:c3:f6:
+ a4:e7
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 66:EC:29:21:2E:76:83:19:39:ED:8E:ED:B7:06:A8:4C:E5:0E:2E:11
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP1/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR1.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64533
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 192.0.2.1-192.0.2.33
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 8a:0e:25:de:ee:ec:8e:ac:b0:c5:2c:20:60:1d:65:aa:c6:9c:
+ 60:a1:87:25:ae:fd:18:37:40:e5:8d:a2:7e:5f:fb:3d:df:25:
+ ca:4f:32:48:7b:4e:bc:b1:a9:d0:7a:10:67:84:cf:40:87:45:
+ 97:fd:2e:8e:4c:53:fa:0d:71:f9:33:d7:82:7a:76:d3:90:a4:
+ 46:e3:1a:55:a1:ec:3b:4d:29:0f:e1:49:6b:e7:e2:02:c8:79:
+ 73:99:92:85:b6:4e:b0:54:cc:9a:34:24:b3:0e:3d:64:3a:57:
+ 51:e4:a0:40:04:a2:e0:bb:38:fa:e7:52:49:e8:26:45:1e:07:
+ 98:93:a8:7b:2d:d0:08:74:75:1f:51:46:f5:2a:cf:e1:b7:79:
+ 4b:93:a1:c3:f8:0c:b3:67:ef:15:a8:64:10:51:bf:ac:6c:97:
+ ae:12:79:ec:2e:4e:b2:a1:b5:55:db:78:c6:6f:99:c4:42:cf:
+ 1e:49:cd:c2:2b:e6:ed:bb:c1:83:11:7b:c5:a1:ab:04:1a:2c:
+ 75:56:66:dc:cc:43:8e:61:07:88:22:21:6e:9c:a3:73:0d:b8:
+ f5:3f:71:89:05:2e:52:3c:7a:d3:90:af:4b:0b:cc:d6:e3:b1:
+ c6:dd:c4:0d:5c:36:79:05:1e:24:71:19:29:2a:68:13:e9:0a:
+ 10:8e:25:99
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR1/11.pem b/rpkid/resource-cert-samples/LIR1/11.pem
new file mode 100644
index 00000000..b9659189
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR1/11.pem
@@ -0,0 +1,76 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 17 (0x11)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR1
+ Validity
+ Not Before: Aug 10 01:13:40 2007 GMT
+ Not After : Aug 9 01:13:40 2008 GMT
+ Subject: CN=TEST ENTITY ISP2
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:d0:77:df:c4:21:af:1b:5a:6b:a8:a7:28:d7:43:
+ c8:9b:6d:25:d8:8d:7f:91:2b:e3:95:fd:92:60:ac:
+ 14:12:d7:23:68:85:4b:0e:db:2b:e6:38:e0:48:db:
+ 18:37:8f:40:c0:90:58:0e:3f:09:67:5f:8e:3f:04:
+ 75:06:60:92:42:f3:e4:45:04:35:95:5d:e9:22:42:
+ 2c:f6:5c:a6:7d:79:8c:e1:08:19:7c:35:9d:3a:fd:
+ e7:ff:9b:29:b5:ee:89:47:cc:0d:83:a0:e1:73:af:
+ 1f:09:84:a8:0b:83:cc:79:88:bf:7c:1d:73:d6:ab:
+ 42:1b:64:9a:5c:19:83:2b:9d:e5:ad:4c:58:05:76:
+ 95:70:23:ee:a5:c0:31:ca:a2:a7:c8:1d:1e:f2:c9:
+ f2:3d:38:82:c2:53:e5:54:86:f2:7c:b1:73:e1:dc:
+ e9:86:73:08:ac:59:3b:be:2f:58:c1:42:c5:80:18:
+ 8c:3a:0a:2a:32:f6:fe:28:d0:28:52:83:c6:30:69:
+ 51:90:59:19:9b:d3:d4:c2:e0:52:6a:c1:4e:59:9a:
+ 18:e4:78:2e:57:f9:7f:2b:5d:76:28:c9:c9:c5:7e:
+ e5:43:a1:9b:68:d2:06:1c:be:3f:69:f9:c2:fa:9e:
+ 4f:68:cf:63:6f:db:6d:fc:67:35:c0:b1:6e:0a:37:
+ ec:33
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP2/
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 6d:01:ed:47:42:63:b1:28:58:2b:d2:a2:fc:c5:b2:b8:49:3b:
+ dd:1a:cf:5a:28:c2:35:ae:e8:7e:ec:39:e8:7f:ca:d3:eb:a5:
+ c6:7a:ef:46:6f:c8:48:5f:9d:eb:dc:c8:4c:cf:88:68:be:59:
+ a5:be:03:22:18:27:1c:3a:f2:90:3a:db:ae:6a:b0:fe:ce:4e:
+ 71:cb:3c:c9:d7:c1:ff:69:a8:78:6e:45:15:c5:b5:a5:74:92:
+ 87:7d:76:d1:ec:38:91:25:86:71:a0:5b:fb:e2:97:c4:b6:a3:
+ ec:21:22:89:71:d4:36:da:c2:90:a7:09:c9:3f:4a:a7:ed:eb:
+ 64:b5:4e:6f:44:16:60:42:72:49:38:e2:92:f4:62:a9:de:56:
+ a9:70:fb:aa:8e:63:1f:d6:71:a2:b0:6b:c2:76:a2:27:05:69:
+ 53:5b:fd:b8:9e:29:ee:ba:eb:a8:32:8c:28:0c:39:94:64:72:
+ 6f:d3:33:a9:6d:be:9a:62:86:62:60:95:57:1a:c4:fa:c9:cd:
+ dd:19:a2:90:76:24:01:47:32:8b:3a:95:dc:24:d9:79:07:c8:
+ 30:5d:7f:e8:23:ea:3d:5a:bd:d6:99:b3:1c:01:0e:6d:5d:0b:
+ 87:eb:88:4e:8c:78:2b:d0:b6:80:07:c6:10:3c:79:bd:ba:95:
+ 9c:0e:84:3e
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR1/12.pem b/rpkid/resource-cert-samples/LIR1/12.pem
new file mode 100644
index 00000000..88877bb3
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR1/12.pem
@@ -0,0 +1,76 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 18 (0x12)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR1
+ Validity
+ Not Before: Aug 10 01:13:40 2007 GMT
+ Not After : Aug 9 01:13:40 2008 GMT
+ Subject: CN=TEST ENTITY ISP1
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:eb:80:54:7a:74:4b:e4:81:15:d0:25:2d:5e:21:
+ be:47:e6:31:ab:e2:fe:79:55:48:b7:36:55:3d:dc:
+ 11:88:5b:b7:36:be:d3:bb:d7:16:8d:f8:4b:f4:c5:
+ bd:34:c4:8e:2c:67:97:e6:27:10:40:c5:36:f4:b6:
+ 6c:b9:29:82:2e:76:b0:29:ea:43:9a:d1:30:de:05:
+ a1:c1:54:7c:17:67:1d:fc:29:dd:80:53:b2:81:30:
+ db:13:ee:3e:e6:5d:c7:bc:3d:a6:11:6d:81:77:b7:
+ 9f:3e:36:df:7c:d6:d2:5a:22:36:68:7c:14:cc:ac:
+ 54:ed:ae:fd:e2:cd:b1:a3:5d:a9:65:ec:1b:8b:4b:
+ cf:80:8e:a6:98:8f:69:b1:a6:35:bd:69:c9:2e:66:
+ 7f:22:11:66:56:c5:75:4c:81:a3:6e:49:71:0d:f5:
+ 75:87:13:e8:62:e8:1a:0c:a8:30:81:6a:be:90:59:
+ 23:3b:61:c0:15:5f:68:bf:b5:c9:3f:af:3a:a2:7f:
+ 80:01:78:f6:f4:55:ca:ee:ca:8d:08:9b:c5:3e:74:
+ 98:02:b2:0b:a6:d8:e8:6e:78:88:7b:95:76:b6:ca:
+ be:f1:80:a9:dd:e8:3c:80:91:ce:3f:fd:0b:dd:b7:
+ d8:a6:8c:94:20:07:19:74:fa:86:ff:cb:97:c3:f6:
+ a4:e7
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP1/
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 95:4a:1c:f9:a4:d7:b8:75:16:2e:25:5a:ae:7d:e4:d0:eb:27:
+ 51:b9:40:12:86:f2:98:9d:f2:76:ee:d4:be:0b:74:8f:81:f3:
+ 14:a7:57:10:be:2c:19:b6:80:1c:4f:8e:e0:8d:96:70:8d:50:
+ 0f:55:22:27:d1:1a:a4:e9:cf:77:32:89:54:3f:10:9d:d8:ab:
+ 17:26:67:3e:ea:99:89:d8:57:6c:e5:7b:9b:bd:5a:1c:f4:18:
+ 14:8f:d1:2f:6b:93:34:ad:19:8b:a0:90:dc:69:48:96:65:7c:
+ 7b:f0:6d:25:f9:5d:9d:2d:2f:57:bf:1c:c1:ee:01:e0:f7:e9:
+ 52:bc:45:4b:4e:fc:94:78:92:98:66:56:d3:e0:cb:38:7f:4e:
+ dd:97:b7:03:16:fa:fa:7b:2d:b8:78:f2:9f:f3:61:d3:02:3c:
+ 47:7a:a3:a7:36:27:19:d3:c9:53:a8:e7:09:d0:50:84:a7:fc:
+ 53:b3:37:8e:72:1f:a6:b9:1c:09:35:20:d9:ed:0c:66:ec:ef:
+ 93:39:9b:29:50:5b:ed:1f:0c:3d:30:f6:22:1a:0e:7d:4d:8d:
+ 17:07:96:4f:c3:a9:72:3d:6d:c0:da:af:a7:8b:14:85:0c:fc:
+ de:cd:cc:58:5c:a0:7b:bf:a9:de:0e:3b:92:0a:57:ab:e3:e4:
+ cb:83:1e:30
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR1/13.pem b/rpkid/resource-cert-samples/LIR1/13.pem
new file mode 100644
index 00000000..ca17b5f4
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR1/13.pem
@@ -0,0 +1,88 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 19 (0x13)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR1
+ Validity
+ Not Before: Aug 10 01:15:10 2007 GMT
+ Not After : Aug 9 01:15:10 2008 GMT
+ Subject: CN=TEST ENTITY ISP2
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:d0:77:df:c4:21:af:1b:5a:6b:a8:a7:28:d7:43:
+ c8:9b:6d:25:d8:8d:7f:91:2b:e3:95:fd:92:60:ac:
+ 14:12:d7:23:68:85:4b:0e:db:2b:e6:38:e0:48:db:
+ 18:37:8f:40:c0:90:58:0e:3f:09:67:5f:8e:3f:04:
+ 75:06:60:92:42:f3:e4:45:04:35:95:5d:e9:22:42:
+ 2c:f6:5c:a6:7d:79:8c:e1:08:19:7c:35:9d:3a:fd:
+ e7:ff:9b:29:b5:ee:89:47:cc:0d:83:a0:e1:73:af:
+ 1f:09:84:a8:0b:83:cc:79:88:bf:7c:1d:73:d6:ab:
+ 42:1b:64:9a:5c:19:83:2b:9d:e5:ad:4c:58:05:76:
+ 95:70:23:ee:a5:c0:31:ca:a2:a7:c8:1d:1e:f2:c9:
+ f2:3d:38:82:c2:53:e5:54:86:f2:7c:b1:73:e1:dc:
+ e9:86:73:08:ac:59:3b:be:2f:58:c1:42:c5:80:18:
+ 8c:3a:0a:2a:32:f6:fe:28:d0:28:52:83:c6:30:69:
+ 51:90:59:19:9b:d3:d4:c2:e0:52:6a:c1:4e:59:9a:
+ 18:e4:78:2e:57:f9:7f:2b:5d:76:28:c9:c9:c5:7e:
+ e5:43:a1:9b:68:d2:06:1c:be:3f:69:f9:c2:fa:9e:
+ 4f:68:cf:63:6f:db:6d:fc:67:35:c0:b1:6e:0a:37:
+ ec:33
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 73:B2:16:1A:CD:DC:D7:30:60:0F:FA:81:95:F8:A2:F5:4E:95:F3:AD
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP2/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR1.cer
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 192.0.2.44-192.0.2.100
+
+ Signature Algorithm: sha256WithRSAEncryption
+ a0:55:12:46:3d:61:d3:08:29:a5:43:f1:62:19:a9:75:90:17:
+ 51:85:19:8c:98:29:3c:ed:b8:13:5f:14:e4:8f:1a:85:18:4f:
+ 92:b5:5b:5f:2b:97:49:c2:ec:7b:cb:87:b5:28:4e:99:77:6c:
+ f9:8f:2a:14:86:fc:1b:93:90:92:c8:21:0c:c3:ab:02:e8:e3:
+ 6d:c2:cf:55:51:54:08:58:a0:2f:b4:70:56:21:48:ce:1c:ba:
+ c6:1f:08:cb:59:e0:37:9c:75:4d:ca:cb:5d:6d:6b:53:4f:7f:
+ 6e:b0:21:06:52:dd:0a:24:13:b8:95:c1:0b:62:4f:31:27:b5:
+ df:0c:31:ce:51:62:1e:a3:89:40:2b:14:34:58:ac:62:a6:1d:
+ 70:09:b1:e3:ee:bb:cc:ca:61:e2:27:2b:51:81:17:73:5f:a5:
+ 7b:1a:9b:fb:f9:4e:6f:d3:68:ad:43:8a:0e:87:32:6f:3e:9d:
+ 03:4b:61:d0:b2:30:38:ec:23:3a:48:f7:1e:5c:d6:6a:eb:03:
+ 14:4e:69:33:04:07:3e:87:6c:7f:cd:8d:0a:2d:75:32:18:cc:
+ 0e:9b:74:14:87:61:39:18:5c:53:d4:90:39:56:5e:14:ae:70:
+ 33:1c:88:58:a7:42:7e:35:88:c9:ba:a0:af:c1:03:18:fe:4d:
+ 9e:40:54:a5
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR1/14.pem b/rpkid/resource-cert-samples/LIR1/14.pem
new file mode 100644
index 00000000..9121acc8
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR1/14.pem
@@ -0,0 +1,93 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 20 (0x14)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR1
+ Validity
+ Not Before: Aug 10 01:15:11 2007 GMT
+ Not After : Aug 9 01:15:11 2008 GMT
+ Subject: CN=TEST ENTITY ISP1
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:eb:80:54:7a:74:4b:e4:81:15:d0:25:2d:5e:21:
+ be:47:e6:31:ab:e2:fe:79:55:48:b7:36:55:3d:dc:
+ 11:88:5b:b7:36:be:d3:bb:d7:16:8d:f8:4b:f4:c5:
+ bd:34:c4:8e:2c:67:97:e6:27:10:40:c5:36:f4:b6:
+ 6c:b9:29:82:2e:76:b0:29:ea:43:9a:d1:30:de:05:
+ a1:c1:54:7c:17:67:1d:fc:29:dd:80:53:b2:81:30:
+ db:13:ee:3e:e6:5d:c7:bc:3d:a6:11:6d:81:77:b7:
+ 9f:3e:36:df:7c:d6:d2:5a:22:36:68:7c:14:cc:ac:
+ 54:ed:ae:fd:e2:cd:b1:a3:5d:a9:65:ec:1b:8b:4b:
+ cf:80:8e:a6:98:8f:69:b1:a6:35:bd:69:c9:2e:66:
+ 7f:22:11:66:56:c5:75:4c:81:a3:6e:49:71:0d:f5:
+ 75:87:13:e8:62:e8:1a:0c:a8:30:81:6a:be:90:59:
+ 23:3b:61:c0:15:5f:68:bf:b5:c9:3f:af:3a:a2:7f:
+ 80:01:78:f6:f4:55:ca:ee:ca:8d:08:9b:c5:3e:74:
+ 98:02:b2:0b:a6:d8:e8:6e:78:88:7b:95:76:b6:ca:
+ be:f1:80:a9:dd:e8:3c:80:91:ce:3f:fd:0b:dd:b7:
+ d8:a6:8c:94:20:07:19:74:fa:86:ff:cb:97:c3:f6:
+ a4:e7
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 66:EC:29:21:2E:76:83:19:39:ED:8E:ED:B7:06:A8:4C:E5:0E:2E:11
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP1/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR1.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64533
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 192.0.2.1-192.0.2.33
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 66:6a:10:37:c5:13:94:1c:b1:ca:85:50:7a:20:6e:d7:a1:e5:
+ b5:70:cb:bc:f9:99:b6:58:64:fa:2a:fb:f2:15:77:b8:ea:94:
+ 28:68:c6:e7:22:69:07:57:55:4f:02:5e:5a:60:cd:fd:d7:d0:
+ b9:c3:df:23:f8:af:22:25:48:e5:a9:48:ab:38:d9:91:33:fc:
+ 88:f7:0e:94:df:a0:4e:da:06:8d:91:ed:ba:41:e5:42:ac:58:
+ af:84:da:d1:69:ca:f5:c3:42:52:2e:9c:5d:e5:72:7f:66:4b:
+ 54:8b:55:87:3c:f8:e7:16:42:ea:a8:92:2a:4c:c3:ff:f9:8d:
+ 1c:74:5f:7e:48:fe:24:18:4e:59:6e:44:a2:2c:19:3f:48:fb:
+ 50:c9:33:0f:92:9e:f7:d0:da:4b:f3:e7:a6:51:a1:da:ba:a5:
+ 8c:b6:55:46:0c:33:2c:3c:92:f5:90:ca:d9:f4:88:eb:c5:9f:
+ 31:23:3f:1f:48:66:a0:5c:b1:c0:45:45:ff:ad:0e:e8:e5:2f:
+ 22:0d:e0:f5:3a:9f:ee:e9:c5:0e:48:2b:70:c1:44:5b:69:fe:
+ 10:83:10:7e:b4:e6:e2:90:cf:dd:fd:22:6c:8a:54:69:88:99:
+ bd:bc:2e:11:c7:47:62:78:45:34:73:1e:73:43:38:fc:15:07:
+ 24:ea:82:5c
+-----BEGIN CERTIFICATE-----
+MIIDxzCCAq+gAwIBAgIBFDANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBURVNU
+IEVOVElUWSBMSVIxMB4XDTA3MDgxMDAxMTUxMVoXDTA4MDgwOTAxMTUxMVowGzEZ
+MBcGA1UEAxMQVEVTVCBFTlRJVFkgSVNQMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAOuAVHp0S+SBFdAlLV4hvkfmMavi/nlVSLc2VT3cEYhbtza+07vX
+Fo34S/TFvTTEjixnl+YnEEDFNvS2bLkpgi52sCnqQ5rRMN4FocFUfBdnHfwp3YBT
+soEw2xPuPuZdx7w9phFtgXe3nz4233zW0loiNmh8FMysVO2u/eLNsaNdqWXsG4tL
+z4COppiPabGmNb1pyS5mfyIRZlbFdUyBo25JcQ31dYcT6GLoGgyoMIFqvpBZIzth
+wBVfaL+1yT+vOqJ/gAF49vRVyu7KjQibxT50mAKyC6bY6G54iHuVdrbKvvGAqd3o
+PICRzj/9C9232KaMlCAHGXT6hv/Ll8P2pOcCAwEAAaOCARQwggEQMA8GA1UdEwEB
+/wQFMAMBAf8wHQYDVR0OBBYEFGbsKSEudoMZOe2O7bcGqEzlDi4RMA4GA1UdDwEB
+/wQEAwIBBjBBBggrBgEFBQcBCwQ1MDMwMQYIKwYBBQUHMAWGJXJzeW5jOi8vd29t
+YmF0cy1yLXVzLmhhY3Rybi5uZXQvSVNQMS8wRAYIKwYBBQUHAQEEODA2MDQGCCsG
+AQUFBzAChihyc3luYzovL3dvbWJhdHMtci11cy5oYWN0cm4ubmV0L0xJUjEuY2Vy
+MBoGCCsGAQUFBwEIAQH/BAswCaAHMAUCAwD8FTApBggrBgEFBQcBBwEB/wQaMBgw
+FgQCAAEwEDAOAwUAwAACAQMFAcAAAiAwDQYJKoZIhvcNAQELBQADggEBAGZqEDfF
+E5QcscqFUHogbteh5bVwy7z5mbZYZPoq+/IVd7jqlChoxuciaQdXVU8CXlpgzf3X
+0LnD3yP4ryIlSOWpSKs42ZEz/Ij3DpTfoE7aBo2R7bpB5UKsWK+E2tFpyvXDQlIu
+nF3lcn9mS1SLVYc8+OcWQuqokipMw//5jRx0X35I/iQYTlluRKIsGT9I+1DJMw+S
+nvfQ2kvz56ZRodq6pYy2VUYMMyw8kvWQytn0iOvFnzEjPx9IZqBcscBFRf+tDujl
+LyIN4PU6n+7pxQ5IK3DBRFtp/hCDEH605uKQz939ImyKVGmImb28LhHHR2J4RTRz
+HnNDOPwVByTqglw=
+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR1/15.pem b/rpkid/resource-cert-samples/LIR1/15.pem
new file mode 100644
index 00000000..4ff96ef1
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR1/15.pem
@@ -0,0 +1,88 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 21 (0x15)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR1
+ Validity
+ Not Before: Oct 19 19:06:07 2007 GMT
+ Not After : Oct 18 19:06:07 2008 GMT
+ Subject: CN=TEST ENTITY ISP2
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:d0:77:df:c4:21:af:1b:5a:6b:a8:a7:28:d7:43:
+ c8:9b:6d:25:d8:8d:7f:91:2b:e3:95:fd:92:60:ac:
+ 14:12:d7:23:68:85:4b:0e:db:2b:e6:38:e0:48:db:
+ 18:37:8f:40:c0:90:58:0e:3f:09:67:5f:8e:3f:04:
+ 75:06:60:92:42:f3:e4:45:04:35:95:5d:e9:22:42:
+ 2c:f6:5c:a6:7d:79:8c:e1:08:19:7c:35:9d:3a:fd:
+ e7:ff:9b:29:b5:ee:89:47:cc:0d:83:a0:e1:73:af:
+ 1f:09:84:a8:0b:83:cc:79:88:bf:7c:1d:73:d6:ab:
+ 42:1b:64:9a:5c:19:83:2b:9d:e5:ad:4c:58:05:76:
+ 95:70:23:ee:a5:c0:31:ca:a2:a7:c8:1d:1e:f2:c9:
+ f2:3d:38:82:c2:53:e5:54:86:f2:7c:b1:73:e1:dc:
+ e9:86:73:08:ac:59:3b:be:2f:58:c1:42:c5:80:18:
+ 8c:3a:0a:2a:32:f6:fe:28:d0:28:52:83:c6:30:69:
+ 51:90:59:19:9b:d3:d4:c2:e0:52:6a:c1:4e:59:9a:
+ 18:e4:78:2e:57:f9:7f:2b:5d:76:28:c9:c9:c5:7e:
+ e5:43:a1:9b:68:d2:06:1c:be:3f:69:f9:c2:fa:9e:
+ 4f:68:cf:63:6f:db:6d:fc:67:35:c0:b1:6e:0a:37:
+ ec:33
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 73:B2:16:1A:CD:DC:D7:30:60:0F:FA:81:95:F8:A2:F5:4E:95:F3:AD
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP2/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR1.cer
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 192.0.2.44-192.0.2.100
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 5b:99:30:44:06:73:ab:e3:9b:92:9d:76:e1:4b:ac:71:0e:10:
+ d5:e9:1c:40:3a:c3:92:ae:b0:71:5e:0d:32:f6:4e:81:c6:37:
+ d3:19:ea:15:0e:12:6f:e6:65:0d:2c:cd:8c:41:b5:1f:bb:79:
+ dc:2a:ab:fe:7a:43:2b:97:45:d2:54:66:67:f2:3b:6a:3c:68:
+ e4:7c:d5:1d:83:47:2c:a0:91:71:29:a7:c1:6a:4a:44:1c:7a:
+ 42:6f:ab:1f:af:3e:b5:89:52:e1:8c:9e:d5:55:e6:b1:f0:db:
+ 7c:5d:51:bc:87:41:61:2f:e6:72:33:43:d2:8e:83:16:26:d0:
+ 1d:c4:21:2c:18:a5:7b:d3:3d:7d:fb:70:c2:6e:ec:1c:9b:a4:
+ b4:59:3a:bd:fa:65:a9:3f:ae:73:28:a4:25:df:80:cd:14:61:
+ 63:05:49:31:5d:3c:b3:f9:ff:ec:07:6a:28:c1:43:e9:bc:37:
+ 08:ee:af:d6:41:cf:9f:63:a0:2b:63:e3:a5:84:83:74:23:19:
+ b4:ac:36:bb:91:cd:ec:9d:c4:66:8a:f8:11:e8:d4:c3:f7:eb:
+ 28:c2:95:5e:9c:7f:b5:03:14:c0:db:ce:ca:fc:b5:85:16:80:
+ 36:94:fc:ab:af:d3:6f:a4:de:db:13:51:95:5d:c2:49:5a:14:
+ 8d:27:55:e2
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR1/16.pem b/rpkid/resource-cert-samples/LIR1/16.pem
new file mode 100644
index 00000000..beb187b4
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR1/16.pem
@@ -0,0 +1,93 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 22 (0x16)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR1
+ Validity
+ Not Before: Oct 19 19:06:08 2007 GMT
+ Not After : Oct 18 19:06:08 2008 GMT
+ Subject: CN=TEST ENTITY ISP1
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:eb:80:54:7a:74:4b:e4:81:15:d0:25:2d:5e:21:
+ be:47:e6:31:ab:e2:fe:79:55:48:b7:36:55:3d:dc:
+ 11:88:5b:b7:36:be:d3:bb:d7:16:8d:f8:4b:f4:c5:
+ bd:34:c4:8e:2c:67:97:e6:27:10:40:c5:36:f4:b6:
+ 6c:b9:29:82:2e:76:b0:29:ea:43:9a:d1:30:de:05:
+ a1:c1:54:7c:17:67:1d:fc:29:dd:80:53:b2:81:30:
+ db:13:ee:3e:e6:5d:c7:bc:3d:a6:11:6d:81:77:b7:
+ 9f:3e:36:df:7c:d6:d2:5a:22:36:68:7c:14:cc:ac:
+ 54:ed:ae:fd:e2:cd:b1:a3:5d:a9:65:ec:1b:8b:4b:
+ cf:80:8e:a6:98:8f:69:b1:a6:35:bd:69:c9:2e:66:
+ 7f:22:11:66:56:c5:75:4c:81:a3:6e:49:71:0d:f5:
+ 75:87:13:e8:62:e8:1a:0c:a8:30:81:6a:be:90:59:
+ 23:3b:61:c0:15:5f:68:bf:b5:c9:3f:af:3a:a2:7f:
+ 80:01:78:f6:f4:55:ca:ee:ca:8d:08:9b:c5:3e:74:
+ 98:02:b2:0b:a6:d8:e8:6e:78:88:7b:95:76:b6:ca:
+ be:f1:80:a9:dd:e8:3c:80:91:ce:3f:fd:0b:dd:b7:
+ d8:a6:8c:94:20:07:19:74:fa:86:ff:cb:97:c3:f6:
+ a4:e7
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 66:EC:29:21:2E:76:83:19:39:ED:8E:ED:B7:06:A8:4C:E5:0E:2E:11
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP1/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR1.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64533
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 192.0.2.1-192.0.2.33
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 54:69:df:3c:bc:66:16:55:27:c3:11:85:7e:3b:f8:49:09:68:
+ ea:ad:50:0d:e2:a8:b1:9e:bc:eb:ca:9f:80:7b:6e:5d:c5:65:
+ 23:6c:c8:70:9d:b3:f1:2f:c4:a9:2f:2e:aa:43:39:fe:3f:f8:
+ 45:e1:db:b2:5b:a8:83:31:73:11:43:ae:88:a7:bf:17:9e:28:
+ 2f:f7:97:8b:eb:39:2b:7b:c1:4d:57:79:fb:e8:d1:18:43:3e:
+ 9d:3d:6a:c5:10:51:21:cd:f0:0d:ef:68:5a:85:0c:7b:1c:36:
+ 93:a0:4c:7f:82:8e:90:ef:77:5d:41:4c:71:9f:72:1a:fc:bc:
+ 22:c3:8f:2a:48:1e:98:bd:a6:cf:6c:a5:8c:c4:fd:0d:2a:6c:
+ 3c:f5:6c:ab:e0:04:ed:02:26:f6:fb:0c:a8:4f:12:27:f6:26:
+ 9b:e3:a3:37:0c:f7:ac:a9:aa:40:07:e1:08:67:d6:46:25:2a:
+ 00:03:c2:a7:78:1f:d8:90:f7:27:6e:97:ce:ef:0c:23:e5:3c:
+ 41:02:3c:1e:d9:ce:8b:6f:b6:f3:8d:9f:01:20:57:cf:fb:02:
+ ee:b6:c1:d8:8e:72:37:c6:db:7c:ae:a2:9d:e1:44:b8:58:26:
+ 95:30:d1:dc:b2:6a:47:c1:2e:70:86:c5:db:6e:ca:ec:8f:cc:
+ 9b:10:17:22
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR1/17.pem b/rpkid/resource-cert-samples/LIR1/17.pem
new file mode 100644
index 00000000..1d6affa1
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR1/17.pem
@@ -0,0 +1,88 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 23 (0x17)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR1
+ Validity
+ Not Before: Oct 29 16:03:52 2007 GMT
+ Not After : Oct 28 16:03:52 2008 GMT
+ Subject: CN=TEST ENTITY ISP2
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:d0:77:df:c4:21:af:1b:5a:6b:a8:a7:28:d7:43:
+ c8:9b:6d:25:d8:8d:7f:91:2b:e3:95:fd:92:60:ac:
+ 14:12:d7:23:68:85:4b:0e:db:2b:e6:38:e0:48:db:
+ 18:37:8f:40:c0:90:58:0e:3f:09:67:5f:8e:3f:04:
+ 75:06:60:92:42:f3:e4:45:04:35:95:5d:e9:22:42:
+ 2c:f6:5c:a6:7d:79:8c:e1:08:19:7c:35:9d:3a:fd:
+ e7:ff:9b:29:b5:ee:89:47:cc:0d:83:a0:e1:73:af:
+ 1f:09:84:a8:0b:83:cc:79:88:bf:7c:1d:73:d6:ab:
+ 42:1b:64:9a:5c:19:83:2b:9d:e5:ad:4c:58:05:76:
+ 95:70:23:ee:a5:c0:31:ca:a2:a7:c8:1d:1e:f2:c9:
+ f2:3d:38:82:c2:53:e5:54:86:f2:7c:b1:73:e1:dc:
+ e9:86:73:08:ac:59:3b:be:2f:58:c1:42:c5:80:18:
+ 8c:3a:0a:2a:32:f6:fe:28:d0:28:52:83:c6:30:69:
+ 51:90:59:19:9b:d3:d4:c2:e0:52:6a:c1:4e:59:9a:
+ 18:e4:78:2e:57:f9:7f:2b:5d:76:28:c9:c9:c5:7e:
+ e5:43:a1:9b:68:d2:06:1c:be:3f:69:f9:c2:fa:9e:
+ 4f:68:cf:63:6f:db:6d:fc:67:35:c0:b1:6e:0a:37:
+ ec:33
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 73:B2:16:1A:CD:DC:D7:30:60:0F:FA:81:95:F8:A2:F5:4E:95:F3:AD
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP2/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR1.cer
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 192.0.2.44-192.0.2.100
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 26:19:f6:80:86:41:d6:c1:4f:73:58:9c:58:e4:79:9a:2e:9b:
+ d6:ab:1e:1e:e4:75:62:bb:7b:7e:e7:a1:fa:ea:81:83:f2:e3:
+ c8:e0:c2:fa:a1:5c:42:e9:f4:e0:41:2e:fa:3c:64:23:2f:d1:
+ 77:52:59:2d:a5:1e:fe:6e:fa:32:a4:1e:07:cd:d7:f9:f7:b7:
+ c3:95:62:a0:c8:88:33:76:2f:9e:e5:75:d6:8e:18:20:ef:4f:
+ 0a:b3:33:39:14:04:1d:87:42:ba:8f:f9:14:b0:48:c8:e3:4e:
+ 41:d9:25:f5:95:58:23:03:4c:3a:ab:60:7e:1e:3c:e1:77:d7:
+ a4:a8:14:04:d0:5e:68:89:42:5d:3c:ee:d1:f7:3c:3a:e5:18:
+ 0d:95:77:5f:fe:24:f8:dd:3d:0b:9d:df:56:3f:ff:ff:3b:aa:
+ d2:50:cf:34:17:d5:bb:09:50:72:ed:83:85:4f:a9:07:fe:ec:
+ 82:36:74:61:79:b7:54:37:0a:10:dc:fc:69:17:d5:31:89:63:
+ f6:e2:45:2a:b1:8f:b2:58:23:8e:5b:25:1f:c0:42:c6:76:67:
+ eb:85:62:cb:94:c0:d2:5f:1a:1a:c6:cb:46:c3:e8:2f:6b:e4:
+ 62:f2:ab:4c:0d:f5:aa:8c:32:10:b2:cd:a7:23:2c:a6:3d:b2:
+ 3b:8e:6f:f4
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR1/18.pem b/rpkid/resource-cert-samples/LIR1/18.pem
new file mode 100644
index 00000000..c74d669a
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR1/18.pem
@@ -0,0 +1,93 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 24 (0x18)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR1
+ Validity
+ Not Before: Oct 29 16:03:52 2007 GMT
+ Not After : Oct 28 16:03:52 2008 GMT
+ Subject: CN=TEST ENTITY ISP1
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:eb:80:54:7a:74:4b:e4:81:15:d0:25:2d:5e:21:
+ be:47:e6:31:ab:e2:fe:79:55:48:b7:36:55:3d:dc:
+ 11:88:5b:b7:36:be:d3:bb:d7:16:8d:f8:4b:f4:c5:
+ bd:34:c4:8e:2c:67:97:e6:27:10:40:c5:36:f4:b6:
+ 6c:b9:29:82:2e:76:b0:29:ea:43:9a:d1:30:de:05:
+ a1:c1:54:7c:17:67:1d:fc:29:dd:80:53:b2:81:30:
+ db:13:ee:3e:e6:5d:c7:bc:3d:a6:11:6d:81:77:b7:
+ 9f:3e:36:df:7c:d6:d2:5a:22:36:68:7c:14:cc:ac:
+ 54:ed:ae:fd:e2:cd:b1:a3:5d:a9:65:ec:1b:8b:4b:
+ cf:80:8e:a6:98:8f:69:b1:a6:35:bd:69:c9:2e:66:
+ 7f:22:11:66:56:c5:75:4c:81:a3:6e:49:71:0d:f5:
+ 75:87:13:e8:62:e8:1a:0c:a8:30:81:6a:be:90:59:
+ 23:3b:61:c0:15:5f:68:bf:b5:c9:3f:af:3a:a2:7f:
+ 80:01:78:f6:f4:55:ca:ee:ca:8d:08:9b:c5:3e:74:
+ 98:02:b2:0b:a6:d8:e8:6e:78:88:7b:95:76:b6:ca:
+ be:f1:80:a9:dd:e8:3c:80:91:ce:3f:fd:0b:dd:b7:
+ d8:a6:8c:94:20:07:19:74:fa:86:ff:cb:97:c3:f6:
+ a4:e7
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 66:EC:29:21:2E:76:83:19:39:ED:8E:ED:B7:06:A8:4C:E5:0E:2E:11
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP1/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR1.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64533
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 192.0.2.1-192.0.2.33
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 04:44:50:5a:c4:68:fd:0c:7a:51:99:27:80:ae:0a:ea:ca:62:
+ 4d:34:65:ec:c0:1b:16:59:fe:41:76:fa:06:06:be:4f:37:26:
+ ec:75:de:53:c7:c6:dd:27:bb:72:ab:4f:0f:6b:a9:3c:19:23:
+ 76:9f:bd:63:c8:f4:1b:f6:a4:bd:da:84:7d:8d:c4:96:58:5a:
+ 09:8f:e0:6c:ac:70:68:12:c5:74:db:c9:46:40:1e:20:d3:b8:
+ 19:8c:18:27:8a:9d:a4:47:2e:ed:29:a3:38:d9:0b:f2:fe:d9:
+ 22:80:2c:2c:92:9d:54:42:7e:68:ad:32:d0:4d:ad:f4:2f:d2:
+ 80:1c:9b:ac:13:68:a7:0a:fa:41:c4:f3:1c:02:da:f8:cb:d5:
+ 5e:62:a6:16:56:81:ce:82:ec:37:56:c2:59:9a:41:f2:c1:22:
+ 3f:63:ee:a6:ca:23:e9:60:62:07:84:2c:73:21:5a:16:8f:6f:
+ 06:7c:b0:c7:bb:66:f0:a8:75:6f:36:26:24:2b:7a:0e:a1:9a:
+ 11:28:6f:53:1f:76:fb:60:9d:9f:84:97:1f:cd:76:c6:de:c8:
+ f8:f9:66:a8:d0:79:31:2c:39:7f:e5:f6:76:36:ba:1e:6e:ea:
+ 31:02:86:60:75:8d:f7:d4:c7:35:f3:5e:8a:b5:18:31:46:30:
+ 7f:e0:33:d7
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR1/19.pem b/rpkid/resource-cert-samples/LIR1/19.pem
new file mode 100644
index 00000000..e6fdd880
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR1/19.pem
@@ -0,0 +1,88 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 25 (0x19)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR1
+ Validity
+ Not Before: Oct 29 16:32:34 2007 GMT
+ Not After : Oct 28 16:32:34 2008 GMT
+ Subject: CN=TEST ENTITY ISP2
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:d0:77:df:c4:21:af:1b:5a:6b:a8:a7:28:d7:43:
+ c8:9b:6d:25:d8:8d:7f:91:2b:e3:95:fd:92:60:ac:
+ 14:12:d7:23:68:85:4b:0e:db:2b:e6:38:e0:48:db:
+ 18:37:8f:40:c0:90:58:0e:3f:09:67:5f:8e:3f:04:
+ 75:06:60:92:42:f3:e4:45:04:35:95:5d:e9:22:42:
+ 2c:f6:5c:a6:7d:79:8c:e1:08:19:7c:35:9d:3a:fd:
+ e7:ff:9b:29:b5:ee:89:47:cc:0d:83:a0:e1:73:af:
+ 1f:09:84:a8:0b:83:cc:79:88:bf:7c:1d:73:d6:ab:
+ 42:1b:64:9a:5c:19:83:2b:9d:e5:ad:4c:58:05:76:
+ 95:70:23:ee:a5:c0:31:ca:a2:a7:c8:1d:1e:f2:c9:
+ f2:3d:38:82:c2:53:e5:54:86:f2:7c:b1:73:e1:dc:
+ e9:86:73:08:ac:59:3b:be:2f:58:c1:42:c5:80:18:
+ 8c:3a:0a:2a:32:f6:fe:28:d0:28:52:83:c6:30:69:
+ 51:90:59:19:9b:d3:d4:c2:e0:52:6a:c1:4e:59:9a:
+ 18:e4:78:2e:57:f9:7f:2b:5d:76:28:c9:c9:c5:7e:
+ e5:43:a1:9b:68:d2:06:1c:be:3f:69:f9:c2:fa:9e:
+ 4f:68:cf:63:6f:db:6d:fc:67:35:c0:b1:6e:0a:37:
+ ec:33
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 73:B2:16:1A:CD:DC:D7:30:60:0F:FA:81:95:F8:A2:F5:4E:95:F3:AD
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP2/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR1.cer
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 192.0.2.44-192.0.2.100
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 3d:68:dd:9f:54:93:58:2f:8b:c5:22:5a:10:22:09:ed:5d:90:
+ c9:57:ea:9f:e9:99:eb:58:42:26:38:81:ef:14:a0:3f:64:ca:
+ 06:ae:87:24:3d:6a:d5:94:b7:78:95:8d:00:7d:5b:eb:6d:2f:
+ 72:ff:4c:a6:a9:a2:cf:9b:fa:41:04:b2:71:b4:cf:eb:91:0e:
+ 71:98:72:05:84:b0:a2:bb:fe:68:6f:e3:92:f9:a6:c9:97:19:
+ 79:c5:39:c0:87:ad:e7:89:bb:bc:84:86:ee:87:55:31:be:da:
+ 26:8d:e8:84:bf:44:94:0b:b4:e5:52:bb:1a:0d:04:d6:a6:3c:
+ 66:ef:d1:44:3b:a1:b2:bc:a3:8e:5a:43:39:28:a0:2a:6a:10:
+ 3b:da:b6:5f:bd:e0:d7:ba:c5:d3:51:de:79:39:8f:92:91:a4:
+ ca:cd:62:b4:66:a1:02:f3:50:91:27:22:1f:bc:3d:68:da:e0:
+ 15:6c:9a:b0:1b:49:e2:53:84:3a:d3:75:09:87:d5:29:d8:58:
+ 86:8d:38:8a:87:fa:2d:43:f0:3a:06:e5:58:e9:32:84:c4:3f:
+ d0:c2:cd:2b:2e:75:ec:d7:dc:3b:39:14:0f:e7:99:23:1f:88:
+ 84:9f:a6:73:90:4b:e4:60:92:07:c5:90:a4:f2:ed:e3:7e:a8:
+ 8c:2d:f6:e8
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR1/1A.pem b/rpkid/resource-cert-samples/LIR1/1A.pem
new file mode 100644
index 00000000..db526ea5
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR1/1A.pem
@@ -0,0 +1,93 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 26 (0x1a)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR1
+ Validity
+ Not Before: Oct 29 16:32:34 2007 GMT
+ Not After : Oct 28 16:32:34 2008 GMT
+ Subject: CN=TEST ENTITY ISP1
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:eb:80:54:7a:74:4b:e4:81:15:d0:25:2d:5e:21:
+ be:47:e6:31:ab:e2:fe:79:55:48:b7:36:55:3d:dc:
+ 11:88:5b:b7:36:be:d3:bb:d7:16:8d:f8:4b:f4:c5:
+ bd:34:c4:8e:2c:67:97:e6:27:10:40:c5:36:f4:b6:
+ 6c:b9:29:82:2e:76:b0:29:ea:43:9a:d1:30:de:05:
+ a1:c1:54:7c:17:67:1d:fc:29:dd:80:53:b2:81:30:
+ db:13:ee:3e:e6:5d:c7:bc:3d:a6:11:6d:81:77:b7:
+ 9f:3e:36:df:7c:d6:d2:5a:22:36:68:7c:14:cc:ac:
+ 54:ed:ae:fd:e2:cd:b1:a3:5d:a9:65:ec:1b:8b:4b:
+ cf:80:8e:a6:98:8f:69:b1:a6:35:bd:69:c9:2e:66:
+ 7f:22:11:66:56:c5:75:4c:81:a3:6e:49:71:0d:f5:
+ 75:87:13:e8:62:e8:1a:0c:a8:30:81:6a:be:90:59:
+ 23:3b:61:c0:15:5f:68:bf:b5:c9:3f:af:3a:a2:7f:
+ 80:01:78:f6:f4:55:ca:ee:ca:8d:08:9b:c5:3e:74:
+ 98:02:b2:0b:a6:d8:e8:6e:78:88:7b:95:76:b6:ca:
+ be:f1:80:a9:dd:e8:3c:80:91:ce:3f:fd:0b:dd:b7:
+ d8:a6:8c:94:20:07:19:74:fa:86:ff:cb:97:c3:f6:
+ a4:e7
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 66:EC:29:21:2E:76:83:19:39:ED:8E:ED:B7:06:A8:4C:E5:0E:2E:11
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP1/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR1.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64533
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 192.0.2.1-192.0.2.33
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 2f:cc:ba:e1:32:d5:77:93:89:d2:62:00:83:52:99:02:11:31:
+ 50:c2:8f:84:ba:52:22:cd:76:f0:b6:ef:f1:3d:9e:20:02:11:
+ be:41:38:d0:88:df:2f:8b:f8:86:0c:f7:f4:50:4a:5e:7a:e8:
+ b2:63:9a:dc:eb:0a:eb:c8:a4:3c:b5:83:c8:ef:22:61:28:35:
+ 14:23:1e:be:f6:2b:af:76:59:a3:1c:47:e9:db:60:0f:5a:18:
+ 87:c3:c5:96:27:68:bd:2d:cc:24:e2:b6:e9:8d:5e:7f:ba:d9:
+ bc:7d:5a:14:67:8c:17:40:ea:09:31:4d:83:39:e0:a9:e7:eb:
+ fe:a3:37:cc:f9:45:80:17:20:57:50:be:38:48:6a:e5:4f:13:
+ 55:05:07:2a:7b:9f:f2:da:96:27:a2:df:67:07:44:6c:c5:a7:
+ 14:73:ac:58:97:83:5c:28:e3:4b:f0:18:f7:9d:be:6b:50:e9:
+ 90:c8:64:5c:6d:17:98:ed:8c:ba:b0:2c:26:61:bc:d2:75:a8:
+ 30:63:7a:5e:61:62:aa:91:e8:b2:11:b1:7d:b7:65:46:c9:17:
+ 02:5a:e9:da:96:fa:5d:1b:de:0d:ff:c0:5c:33:b5:81:6e:a5:
+ 3b:cc:11:c8:b0:7e:88:bc:d9:98:2c:96:c1:ed:fe:98:ff:d3:
+ f1:96:e2:5c
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR1/index b/rpkid/resource-cert-samples/LIR1/index
new file mode 100644
index 00000000..69a21e9d
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR1/index
@@ -0,0 +1,26 @@
+V 080731054529Z 01 unknown /CN=TEST ENTITY ISP2
+V 080731054532Z 02 unknown /CN=TEST ENTITY ISP1
+V 080731140529Z 03 unknown /CN=TEST ENTITY ISP2
+V 080731140529Z 04 unknown /CN=TEST ENTITY ISP1
+V 080731140829Z 05 unknown /CN=TEST ENTITY ISP2
+V 080731140829Z 06 unknown /CN=TEST ENTITY ISP1
+V 080731140935Z 07 unknown /CN=TEST ENTITY ISP2
+V 080731140935Z 08 unknown /CN=TEST ENTITY ISP1
+V 080731144822Z 09 unknown /CN=TEST ENTITY ISP2
+V 080731144822Z 0A unknown /CN=TEST ENTITY ISP1
+V 080809005818Z 0B unknown /CN=TEST ENTITY ISP2
+V 080809005818Z 0C unknown /CN=TEST ENTITY ISP1
+V 080809010231Z 0D unknown /CN=TEST ENTITY ISP2
+V 080809010231Z 0E unknown /CN=TEST ENTITY ISP1
+V 080809010709Z 0F unknown /CN=TEST ENTITY ISP2
+V 080809010709Z 10 unknown /CN=TEST ENTITY ISP1
+V 080809011340Z 11 unknown /CN=TEST ENTITY ISP2
+V 080809011340Z 12 unknown /CN=TEST ENTITY ISP1
+V 080809011510Z 13 unknown /CN=TEST ENTITY ISP2
+V 080809011511Z 14 unknown /CN=TEST ENTITY ISP1
+V 081018190607Z 15 unknown /CN=TEST ENTITY ISP2
+V 081018190608Z 16 unknown /CN=TEST ENTITY ISP1
+V 081028160352Z 17 unknown /CN=TEST ENTITY ISP2
+V 081028160352Z 18 unknown /CN=TEST ENTITY ISP1
+V 081028163234Z 19 unknown /CN=TEST ENTITY ISP2
+V 081028163234Z 1A unknown /CN=TEST ENTITY ISP1
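Review bot: All 26 entries are marked `V`, so every earlier certificate for `TEST ENTITY ISP1` and `TEST ENTITY ISP2` stays valid alongside its replacement. `15.pem`, `17.pem` and `19.pem` carry the same modulus, Subject Key Identifier and address range, and their validity periods overlap. `unique_subject = no` in `index.attr` is what permits this. If the directory is meant as input for a validator, it would help to state which serial per subject is current, or to revoke the superseded ones so the samples also cover a CRL path; as committed, that intent has to be guessed.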
diff --git a/rpkid/resource-cert-samples/LIR1/index.attr b/rpkid/resource-cert-samples/LIR1/index.attr
new file mode 100644
index 00000000..3a7e39e6
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR1/index.attr
@@ -0,0 +1 @@
+unique_subject = no
diff --git a/rpkid/resource-cert-samples/LIR1/index.attr.old b/rpkid/resource-cert-samples/LIR1/index.attr.old
new file mode 100644
index 00000000..3a7e39e6
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR1/index.attr.old
@@ -0,0 +1 @@
+unique_subject = no
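Review bot: `index.attr.old`, and likewise `index.old` and `serial.old` later in this diff, look like the backup copies `openssl ca` leaves behind on each issuance rather than sample data; `index.attr.old` even has the same blob id (`3a7e39e6`) as `index.attr`. They add nothing a reader of the samples needs and will change on every regeneration. I would drop them from the commit and ignore `*.old` under `resource-cert-samples/`.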
diff --git a/rpkid/resource-cert-samples/LIR1/index.old b/rpkid/resource-cert-samples/LIR1/index.old
new file mode 100644
index 00000000..c484ba08
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR1/index.old
@@ -0,0 +1,25 @@
+V 080731054529Z 01 unknown /CN=TEST ENTITY ISP2
+V 080731054532Z 02 unknown /CN=TEST ENTITY ISP1
+V 080731140529Z 03 unknown /CN=TEST ENTITY ISP2
+V 080731140529Z 04 unknown /CN=TEST ENTITY ISP1
+V 080731140829Z 05 unknown /CN=TEST ENTITY ISP2
+V 080731140829Z 06 unknown /CN=TEST ENTITY ISP1
+V 080731140935Z 07 unknown /CN=TEST ENTITY ISP2
+V 080731140935Z 08 unknown /CN=TEST ENTITY ISP1
+V 080731144822Z 09 unknown /CN=TEST ENTITY ISP2
+V 080731144822Z 0A unknown /CN=TEST ENTITY ISP1
+V 080809005818Z 0B unknown /CN=TEST ENTITY ISP2
+V 080809005818Z 0C unknown /CN=TEST ENTITY ISP1
+V 080809010231Z 0D unknown /CN=TEST ENTITY ISP2
+V 080809010231Z 0E unknown /CN=TEST ENTITY ISP1
+V 080809010709Z 0F unknown /CN=TEST ENTITY ISP2
+V 080809010709Z 10 unknown /CN=TEST ENTITY ISP1
+V 080809011340Z 11 unknown /CN=TEST ENTITY ISP2
+V 080809011340Z 12 unknown /CN=TEST ENTITY ISP1
+V 080809011510Z 13 unknown /CN=TEST ENTITY ISP2
+V 080809011511Z 14 unknown /CN=TEST ENTITY ISP1
+V 081018190607Z 15 unknown /CN=TEST ENTITY ISP2
+V 081018190608Z 16 unknown /CN=TEST ENTITY ISP1
+V 081028160352Z 17 unknown /CN=TEST ENTITY ISP2
+V 081028160352Z 18 unknown /CN=TEST ENTITY ISP1
+V 081028163234Z 19 unknown /CN=TEST ENTITY ISP2
diff --git a/rpkid/resource-cert-samples/LIR1/serial b/rpkid/resource-cert-samples/LIR1/serial
new file mode 100644
index 00000000..8787ed81
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR1/serial
@@ -0,0 +1 @@
+1B
diff --git a/rpkid/resource-cert-samples/LIR1/serial.old b/rpkid/resource-cert-samples/LIR1/serial.old
new file mode 100644
index 00000000..268de3f3
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR1/serial.old
@@ -0,0 +1 @@
+1A
diff --git a/rpkid/resource-cert-samples/LIR2.cer b/rpkid/resource-cert-samples/LIR2.cer
new file mode 100644
index 00000000..dcc97dd1
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR2.cer
@@ -0,0 +1,95 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 49 (0x31)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Oct 29 16:32:33 2007 GMT
+ Not After : Oct 28 16:32:33 2008 GMT
+ Subject: CN=TEST ENTITY LIR2
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:f1:18:b6:79:0b:35:c5:83:64:48:83:31:03:9e:
+ e7:72:28:65:b1:ac:61:e1:77:2e:c0:4d:f0:b1:1c:
+ 61:d8:cc:5a:2d:c7:0b:9b:78:7a:3e:fd:37:ad:fa:
+ b0:73:0b:9c:fc:bb:6f:60:ea:38:ef:ae:d1:27:b8:
+ 81:59:0f:b3:e7:d0:67:b2:a2:f5:4f:e2:04:c6:cc:
+ 13:9f:33:28:35:96:7a:db:ce:ac:9d:d3:64:3d:b8:
+ 44:bc:cb:43:22:92:d6:3c:2e:bf:97:6e:39:6a:6e:
+ 68:93:5d:1c:a8:58:b7:a3:7a:26:44:fe:fe:30:ad:
+ e2:05:89:4c:c9:ef:2c:e0:4e:31:69:3f:dd:91:1c:
+ f0:b0:25:4c:3e:84:8a:ea:5e:03:b3:a8:cd:90:1a:
+ 1e:c8:e0:af:fe:11:ed:21:06:bd:3c:5e:08:a1:93:
+ e2:41:43:43:38:d3:21:b3:4c:fa:85:8b:43:57:60:
+ 5d:bb:a0:78:e5:33:47:a8:33:76:be:df:6e:63:61:
+ e3:31:8b:5d:8e:0c:c7:f5:c8:91:0c:be:57:c7:f2:
+ bc:be:0b:ba:7a:1f:f6:19:f1:eb:00:74:c1:12:c2:
+ dc:2b:2e:8d:f0:0a:ff:7f:e8:60:08:90:ba:51:fc:
+ d0:90:11:37:f3:9e:44:b6:64:43:69:5d:61:d3:e1:
+ 8d:77
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 03:7A:DF:0C:DF:DC:93:3D:F7:A5:CC:27:7B:DC:22:F6:E9:55:97:F0
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/LIR2/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/RIR.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64544
+
+ sbgp-ipAddrBlock: critical
+ IPv6:
+ 2001:db8:0:0:0:0:0:44-2001:db8:0:0:0:0:0:100
+ 2001:db8:0:0:0:10:0:44/128
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 02:2b:a6:e7:ef:15:1e:a6:bf:dc:1f:4e:c5:5d:41:de:c2:82:
+ 03:1b:94:25:3e:35:3f:ed:ac:cc:25:49:cb:f2:a3:91:cb:33:
+ 72:3a:ef:f8:93:24:42:f9:3e:13:5d:50:07:6c:00:40:60:80:
+ 06:22:db:07:43:d2:58:17:37:bd:22:89:d2:8d:9f:a0:e3:7e:
+ 10:cd:e7:98:3d:4e:fa:5a:8b:05:23:b1:c6:88:9c:41:72:a9:
+ b7:7c:b8:a2:37:9f:76:6f:98:23:e2:90:02:75:dc:94:ae:3f:
+ 72:1d:51:53:f3:dc:ec:a1:00:28:6e:13:5f:66:4f:6e:4a:61:
+ c1:0e:4e:b9:db:4e:11:bc:d9:57:fd:07:05:6e:05:5d:7a:52:
+ ae:7f:d5:50:cf:e3:6b:ff:87:03:9f:6c:b2:aa:f4:28:c3:75:
+ 6d:09:bf:31:da:cb:40:fa:8f:ed:15:32:59:a7:9e:5b:8b:0d:
+ b2:4b:f1:1d:fd:37:ac:dc:6b:56:b5:64:1b:ce:56:12:41:e0:
+ d6:ff:7e:f4:84:f5:27:42:a2:2c:c5:b7:47:14:e1:f9:84:80:
+ a9:6e:cf:5f:64:40:ac:36:6e:03:f2:db:ae:e2:bf:ba:d4:98:
+ 99:35:21:6f:5d:d9:db:f1:a9:1b:dc:13:11:aa:86:e7:a8:bc:
+ aa:ee:dd:ce
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR2.cnf b/rpkid/resource-cert-samples/LIR2.cnf
new file mode 100644
index 00000000..7e691e6d
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR2.cnf
@@ -0,0 +1,64 @@
+# Automatically generated, do not edit.
+
+[ ca ]
+default_ca = ca_default
+
+[ ca_default ]
+certificate = LIR2.cer
+serial = LIR2/serial
+private_key = LIR2.key
+database = LIR2/index
+new_certs_dir = LIR2
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 365
+default_crl_days = 30
+default_md = sha256
+preserve = no
+copy_extensions = copy
+policy = ca_policy_anything
+unique_subject = no
+x509_extensions = ca_x509_ext
+crl_extensions = crl_x509_ext
+
+[ ca_policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+givenName = optional
+surname = optional
+
+[ req ]
+default_bits = 2048
+encrypt_key = no
+distinguished_name = req_dn
+req_extensions = req_x509_ext
+prompt = no
+
+[ req_dn ]
+CN = TEST ENTITY LIR2
+
+[ req_x509_ext ]
+basicConstraints = critical,CA:true
+subjectKeyIdentifier = hash
+keyUsage = critical,keyCertSign,cRLSign
+subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombats-r-us.hactrn.net/LIR2/
+authorityInfoAccess = caIssuers;URI:rsync://wombats-r-us.hactrn.net/RIR.cer
+sbgp-autonomousSysNum = critical,AS:64544
+sbgp-ipAddrBlock = critical,IPv6:2001:db8::44-2001:db8::100,IPv6:2001:db8::10:0:44/128
+
+[ ca_x509_ext ]
+basicConstraints = critical,CA:true
+authorityKeyIdentifier = keyid:always
+keyUsage = critical,keyCertSign,cRLSign
+subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombats-r-us.hactrn.net/LIR2/
+authorityInfoAccess = caIssuers;URI:rsync://wombats-r-us.hactrn.net/RIR.cer
+sbgp-autonomousSysNum = critical,AS:64544
+sbgp-ipAddrBlock = critical,IPv6:2001:db8::44-2001:db8::100,IPv6:2001:db8::10:0:44/128
+
+[ crl_x509_ext ]
+authorityKeyIdentifier = keyid:always
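Review bot: `[ ca_default ]` combines `copy_extensions = copy` with `policy = ca_policy_anything`, so any extension the issuing section leaves unset is taken from the certificate request, and only `commonName` is required of the subject. In `LIR2.cer` the presence of a Subject Key Identifier with no Authority Key Identifier looks like the request's `req_x509_ext` ended up in the certificate, though the issuing command is not visible here. That is workable for producing samples, but reused in a real CA configuration it would let a requester choose extensions such as `basicConstraints` or the `sbgp-*` resource blocks wherever the CA section does not pin them. Since the file is marked as generated, the generator should emit a header line such as `# Test fixture only: request extensions are copied unchecked; do not reuse for a production CA.`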
diff --git a/rpkid/resource-cert-samples/LIR2.key b/rpkid/resource-cert-samples/LIR2.key
new file mode 100644
index 00000000..4259796f
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR2.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
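Review bot: `LIR2.key` puts the RSA private key of a CA certificate into the repository in the clear, and `LIR2.cnf` in this same commit sets `encrypt_key = no`, so nothing protects it once the tree is published. The subject name `TEST ENTITY LIR2` and the documentation-range resources suggest a throwaway fixture, but nothing in the file or the directory says so. I would state that next to the samples, for example `These keys are public test fixtures; never configure any of these certificates as a trust anchor.`, and have the generator recreate the keys instead of versioning them if the tests do not need stable ones.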
diff --git a/rpkid/resource-cert-samples/LIR2.req b/rpkid/resource-cert-samples/LIR2.req
new file mode 100644
index 00000000..96d673be
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR2.req
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE REQUEST-----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+-----END CERTIFICATE REQUEST-----
diff --git a/rpkid/resource-cert-samples/LIR2/01.pem b/rpkid/resource-cert-samples/LIR2/01.pem
new file mode 100644
index 00000000..832d72fb
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR2/01.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID6zCCAtOgAwIBAgIBATANBgkqhkiG9w0BAQUFADAbMRkwFwYDVQQDExBURVNU
+IEVOVElUWSBMSVIyMB4XDTA3MDgwMTA1NDUyN1oXDTA4MDczMTA1NDUyN1owGzEZ
+MBcGA1UEAxMQVEVTVCBFTlRJVFkgSVNQNDCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALMFrfsG20mBrd9QBOAY6PH0g+YmS578LRzf4itXOEjrxBOj/WzF
+4hzVOv1m1/8u/0q3WsX0GbGNnqhJTjsgRtoI3rCccV53qRTiTCAO/8Ug+vNtOwvO
+4XK2//V1fz41rxxP4JJF8B9XzjhsPvYvlnMfYNtjjmOz8zWF6QA5krOfSmu96aAA
+yr7+J3ibRCNTVhNIfc3RATqINmZPf/Msn8fEUnUeDjxQKck54P+QTZVHVhPhMPMw
+M+4CYHCwvd07qrkqhr/n4qjsZCoLEgUIA37YQbsj3inlD5s7AC5PDvUxkey9NAJo
+bddxqYxNI9JDrtf45WkrrhOGEyc4ckhw+B8CAwEAAaOCATgwggE0MA8GA1UdEwEB
+/wQFMAMBAf8wHQYDVR0OBBYEFJjP+ACC7NfpF0+9eodgMqW7nbUOMB8GA1UdIwQY
+MBaAFAN63wzf3JM996XMJ3vcIvbpVZfwMA4GA1UdDwEB/wQEAwIBBjBBBggrBgEF
+BQcBCwQ1MDMwMQYIKwYBBQUHMAWGJXJzeW5jOi8vd29tYmF0cy1yLXVzLmhhY3Ry
+bi5uZXQvSVNQNC8wRAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzAChihyc3luYzov
+L3dvbWJhdHMtci11cy5oYWN0cm4ubmV0L0xJUjIuY2VyMBoGCCsGAQUFBwEIAQH/
+BAswCaAHMAUCAwD8IDAsBggrBgEFBQcBBwEB/wQdMBswGQQCAAIwEwMRACABDbgA
+AAAAAAAAEAAAAEQwDQYJKoZIhvcNAQEFBQADggEBAMqX2PAuB9SLv2QsFdzblcv1
+84gGa2Raf1OXAe7J6j45YUxzwGsO1MlJ/lN5XWW6VDu3GayE/uZpuuD0jur0m1N0
+AweSWd9WVOF2kbR4QNPNTgbfNRCKTlWMUyiNoozf1wbAUVFE4VrVKY8k9eDBcECS
+3Kw+f2O5ozocba3ciWY7yVrQ6HquDMF3pmqpAcwsaOXHaMsAp6989fY81lg07sL3
+eeGef71CmplynfI3DNTkznlKOwC9rDLBROCvFBAKBswEQTZEfHBr+kjifJLh2Nsy
+wXE8Xx67UeerTmxnyyP1mOAkQcQ7TcE9xBELp+GrcgdYSTMmtlFuDsBPanAnVow=
+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR2/02.pem b/rpkid/resource-cert-samples/LIR2/02.pem
new file mode 100644
index 00000000..055a369b
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR2/02.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR2/03.pem b/rpkid/resource-cert-samples/LIR2/03.pem
new file mode 100644
index 00000000..380a3354
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR2/03.pem
@@ -0,0 +1,96 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 3 (0x3)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR2
+ Validity
+ Not Before: Aug 1 14:05:29 2007 GMT
+ Not After : Jul 31 14:05:29 2008 GMT
+ Subject: CN=TEST ENTITY ISP4
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:b3:05:ad:fb:06:db:49:81:ad:df:50:04:e0:18:
+ e8:f1:f4:83:e6:26:4b:9e:fc:2d:1c:df:e2:2b:57:
+ 38:48:eb:c4:13:a3:fd:6c:c5:e2:1c:d5:3a:fd:66:
+ d7:ff:2e:ff:4a:b7:5a:c5:f4:19:b1:8d:9e:a8:49:
+ 4e:3b:20:46:da:08:de:b0:9c:71:5e:77:a9:14:e2:
+ 4c:20:0e:ff:c5:20:fa:f3:6d:3b:0b:ce:e1:72:b6:
+ ff:f5:75:7f:3e:35:af:1c:4f:e0:92:45:f0:1f:57:
+ ce:38:6c:3e:f6:2f:96:73:1f:60:db:63:8e:63:b3:
+ f3:35:85:e9:00:39:92:b3:9f:4a:6b:bd:e9:a0:00:
+ ca:be:fe:27:78:9b:44:23:53:56:13:48:7d:cd:d1:
+ 01:3a:88:36:66:4f:7f:f3:2c:9f:c7:c4:52:75:1e:
+ 0e:3c:50:29:c9:39:e0:ff:90:4d:95:47:56:13:e1:
+ 30:f3:30:33:ee:02:60:70:b0:bd:dd:3b:aa:b9:2a:
+ 86:bf:e7:e2:a8:ec:64:2a:0b:12:05:08:03:7e:d8:
+ 41:bb:23:de:29:e5:0f:9b:3b:00:2e:4f:0e:f5:31:
+ 91:ec:bd:34:02:68:6d:d7:71:a9:8c:4d:23:d2:43:
+ ae:d7:f8:e5:69:2b:ae:13:86:13:27:38:72:48:70:
+ f8:1f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 98:CF:F8:00:82:EC:D7:E9:17:4F:BD:7A:87:60:32:A5:BB:9D:B5:0E
+ X509v3 Authority Key Identifier:
+ keyid:03:7A:DF:0C:DF:DC:93:3D:F7:A5:CC:27:7B:DC:22:F6:E9:55:97:F0
+
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP4/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR2.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64544
+
+ sbgp-ipAddrBlock: critical
+ IPv6:
+ 2001:db8:0:0:0:10:0:44/128
+
+ Signature Algorithm: sha1WithRSAEncryption
+ 55:03:75:e5:85:6b:3b:7d:fd:6b:04:94:5c:6b:65:bb:c2:46:
+ 93:29:ba:ec:40:93:6c:65:b7:e4:eb:f9:47:cf:ed:cd:bf:a5:
+ 3e:32:1e:ce:d4:1c:39:9e:47:e4:31:c7:d9:8a:68:ea:ec:fa:
+ 5b:74:df:2d:5e:e4:7c:1a:41:53:1f:07:4f:7b:51:df:0d:0f:
+ e3:48:87:51:7c:81:72:25:1a:43:4f:f7:2e:1c:f5:3e:86:ae:
+ 72:b4:0c:5a:1e:4b:5d:57:16:4a:bf:ab:1f:23:4e:80:5b:b6:
+ de:09:f6:36:03:dc:9a:34:d5:52:47:c6:65:98:3a:2e:e1:4d:
+ 18:37:c9:24:f3:18:11:f1:81:0e:0c:9d:f5:6c:4d:c1:1c:bb:
+ 21:73:3c:b0:62:4d:83:28:40:2b:ce:9f:9e:2d:2b:59:f3:e2:
+ 5d:dc:03:98:db:c3:99:35:22:e7:a8:93:43:41:91:56:c0:6e:
+ af:df:83:a0:8e:2c:16:9c:00:ce:c6:db:86:f8:75:62:d8:fe:
+ af:e5:4d:dd:38:9d:bd:67:f8:2f:27:b1:f3:26:cd:7f:ad:af:
+ d0:e4:aa:09:6a:47:17:95:62:33:08:40:d5:09:c4:ee:ee:3a:
+ 4f:b2:82:f8:3a:74:d4:a5:b9:db:54:33:9b:c1:00:27:a7:8d:
+ 38:25:77:a4
+-----BEGIN CERTIFICATE-----
+MIID6zCCAtOgAwIBAgIBAzANBgkqhkiG9w0BAQUFADAbMRkwFwYDVQQDExBURVNU
+IEVOVElUWSBMSVIyMB4XDTA3MDgwMTE0MDUyOVoXDTA4MDczMTE0MDUyOVowGzEZ
+MBcGA1UEAxMQVEVTVCBFTlRJVFkgSVNQNDCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALMFrfsG20mBrd9QBOAY6PH0g+YmS578LRzf4itXOEjrxBOj/WzF
+4hzVOv1m1/8u/0q3WsX0GbGNnqhJTjsgRtoI3rCccV53qRTiTCAO/8Ug+vNtOwvO
+4XK2//V1fz41rxxP4JJF8B9XzjhsPvYvlnMfYNtjjmOz8zWF6QA5krOfSmu96aAA
+yr7+J3ibRCNTVhNIfc3RATqINmZPf/Msn8fEUnUeDjxQKck54P+QTZVHVhPhMPMw
+M+4CYHCwvd07qrkqhr/n4qjsZCoLEgUIA37YQbsj3inlD5s7AC5PDvUxkey9NAJo
+bddxqYxNI9JDrtf45WkrrhOGEyc4ckhw+B8CAwEAAaOCATgwggE0MA8GA1UdEwEB
+/wQFMAMBAf8wHQYDVR0OBBYEFJjP+ACC7NfpF0+9eodgMqW7nbUOMB8GA1UdIwQY
+MBaAFAN63wzf3JM996XMJ3vcIvbpVZfwMA4GA1UdDwEB/wQEAwIBBjBBBggrBgEF
+BQcBCwQ1MDMwMQYIKwYBBQUHMAWGJXJzeW5jOi8vd29tYmF0cy1yLXVzLmhhY3Ry
+bi5uZXQvSVNQNC8wRAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzAChihyc3luYzov
+L3dvbWJhdHMtci11cy5oYWN0cm4ubmV0L0xJUjIuY2VyMBoGCCsGAQUFBwEIAQH/
+BAswCaAHMAUCAwD8IDAsBggrBgEFBQcBBwEB/wQdMBswGQQCAAIwEwMRACABDbgA
+AAAAAAAAEAAAAEQwDQYJKoZIhvcNAQEFBQADggEBAFUDdeWFazt9/WsElFxrZbvC
+RpMpuuxAk2xlt+Tr+UfP7c2/pT4yHs7UHDmeR+Qxx9mKaOrs+lt03y1e5HwaQVMf
+B097Ud8ND+NIh1F8gXIlGkNP9y4c9T6GrnK0DFoeS11XFkq/qx8jToBbtt4J9jYD
+3Jo01VJHxmWYOi7hTRg3ySTzGBHxgQ4MnfVsTcEcuyFzPLBiTYMoQCvOn54tK1nz
+4l3cA5jbw5k1Iueok0NBkVbAbq/fg6COLBacAM7G24b4dWLY/q/lTd04nb1n+C8n
+sfMmzX+tr9DkqglqRxeVYjMIQNUJxO7uOk+ygvg6dNSludtUM5vBACenjTgld6Q=
+-----END CERTIFICATE-----
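Review bot: This sample is signed with `sha1WithRSAEncryption`, while `LIR2.cer` from October and `default_md = sha256` in `LIR2.cnf` use SHA-256; `LIR2/04.pem`, which begins right after this hunk, shows the same SHA-1 signature. If these older files stay in the tree as fixtures, tests built on this directory will exercise SHA-1 signatures without anyone having chosen that. Either regenerate them with the current configuration or record that the serials issued in August 2007 are SHA-1 leftovers kept on purpose.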
diff --git a/rpkid/resource-cert-samples/LIR2/04.pem b/rpkid/resource-cert-samples/LIR2/04.pem
new file mode 100644
index 00000000..55678af1
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR2/04.pem
@@ -0,0 +1,92 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 4 (0x4)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR2
+ Validity
+ Not Before: Aug 1 14:05:29 2007 GMT
+ Not After : Jul 31 14:05:29 2008 GMT
+ Subject: CN=TEST ENTITY ISP3
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:d1:24:75:c1:44:29:12:9a:fe:8c:1d:1e:01:aa:
+ 05:ea:1f:47:ab:1a:8d:cf:d2:42:a1:31:7d:9c:3e:
+ 66:72:ce:2c:df:01:17:15:40:40:94:d1:ae:6d:d7:
+ ca:fd:52:d9:ec:5f:f0:64:30:a3:42:70:a1:a1:6f:
+ 05:2d:10:ee:b1:05:65:3f:f2:c1:78:84:cc:1d:66:
+ ee:35:52:c7:ae:99:76:b1:63:4d:c1:2e:24:fb:f7:
+ 43:2d:0b:21:0d:d3:d6:b7:cf:60:50:49:3d:17:53:
+ 3e:2b:f8:68:95:7e:1c:c5:e2:1e:73:06:8c:b2:53:
+ a1:70:39:d9:9e:e5:56:fc:58:d0:b3:f3:90:37:5a:
+ 6e:5a:3b:ef:05:be:f1:64:2f:31:2e:5a:58:f2:30:
+ 7a:73:52:7f:b8:0d:71:3c:63:52:17:0f:b7:07:3b:
+ c3:46:b9:9c:88:bc:73:df:14:5a:bc:16:fc:f8:79:
+ b0:a1:41:87:05:f9:52:a8:36:61:62:de:90:68:21:
+ 83:bb:8c:83:47:af:bb:82:3e:44:28:97:2b:02:a8:
+ 81:04:05:16:cd:bf:ef:9e:02:f9:54:66:2a:28:99:
+ 79:2b:b5:19:10:d4:df:35:95:f3:3f:fa:13:6a:06:
+ 6f:f5:38:28:d6:b6:0b:8a:70:5b:8d:70:8d:34:99:
+ 96:3f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ E1:97:2E:19:70:B5:7F:FC:82:4F:33:3D:6B:2C:DE:9A:9B:36:3D:7E
+ X509v3 Authority Key Identifier:
+ keyid:03:7A:DF:0C:DF:DC:93:3D:F7:A5:CC:27:7B:DC:22:F6:E9:55:97:F0
+
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP3/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR2.cer
+
+ sbgp-ipAddrBlock: critical
+ IPv6:
+ 2001:db8:0:0:0:0:0:44-2001:db8:0:0:0:0:0:100
+
+ Signature Algorithm: sha1WithRSAEncryption
+ e5:f9:79:e8:d7:09:da:a8:1b:3b:35:a2:2a:47:66:5e:ef:c7:
+ 0e:a3:0a:d5:28:d6:2c:78:42:c5:73:69:31:9b:89:fa:2e:7a:
+ 95:95:36:bd:bf:c7:09:de:04:3f:4e:fc:8b:52:d0:2b:db:da:
+ 91:a9:2c:c0:1e:d1:a4:2d:22:0a:e4:57:e4:06:e3:9c:08:22:
+ f9:02:1f:a9:b1:a2:ae:15:eb:40:d7:08:78:83:f4:de:0b:54:
+ 93:a6:c9:1c:0f:73:f3:43:d0:12:64:c8:29:19:d3:9b:07:91:
+ 24:4a:33:85:45:03:a7:73:01:80:b6:17:cf:24:18:1a:1e:e4:
+ 33:9d:1f:53:34:c6:fa:a3:ab:fa:2f:ea:ff:eb:69:a4:6e:d7:
+ 87:d6:aa:ed:64:d4:81:2f:aa:de:35:c4:44:3a:65:72:05:8e:
+ 3e:30:a4:30:3d:2b:b4:a5:53:12:af:0e:3c:56:bb:e3:24:d3:
+ bd:c7:b5:ad:25:19:2a:d0:f7:f3:9f:cf:21:33:9a:46:23:43:
+ 0b:13:9d:62:ac:bb:3d:3e:8a:f5:19:37:1f:05:4c:8f:be:2e:
+ 69:d6:78:ac:76:25:64:15:0c:12:65:6a:f9:4d:1d:eb:95:8c:
+ ef:00:d0:08:c0:5a:59:e0:cd:c5:78:51:cc:63:40:7e:36:a3:
+ 05:82:9e:67
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
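Review bot: The validity window in this sample is fixed (`Not After : Jul 31 14:05:29 2008 GMT`), so any test that path-validates these fixtures will fail once that date passes unless the verification time is pinned. Also, 04.pem, 06.pem, 08.pem and 0A.pem carry the same subject, public key and IPv6 range and differ only in serial, validity and signature, which looks like successive re-issues of one certificate. Nothing in the files says which is current, so I would add a short note in the directory along the lines of `LIR2/04,06,08,0A: re-issues of ISP3; highest serial is current; verify with time pinned inside the validity window`, once the intent is confirmed.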
diff --git a/rpkid/resource-cert-samples/LIR2/05.pem b/rpkid/resource-cert-samples/LIR2/05.pem
new file mode 100644
index 00000000..21fc68de
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR2/05.pem
@@ -0,0 +1,96 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 5 (0x5)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR2
+ Validity
+ Not Before: Aug 1 14:08:29 2007 GMT
+ Not After : Jul 31 14:08:29 2008 GMT
+ Subject: CN=TEST ENTITY ISP4
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:b3:05:ad:fb:06:db:49:81:ad:df:50:04:e0:18:
+ e8:f1:f4:83:e6:26:4b:9e:fc:2d:1c:df:e2:2b:57:
+ 38:48:eb:c4:13:a3:fd:6c:c5:e2:1c:d5:3a:fd:66:
+ d7:ff:2e:ff:4a:b7:5a:c5:f4:19:b1:8d:9e:a8:49:
+ 4e:3b:20:46:da:08:de:b0:9c:71:5e:77:a9:14:e2:
+ 4c:20:0e:ff:c5:20:fa:f3:6d:3b:0b:ce:e1:72:b6:
+ ff:f5:75:7f:3e:35:af:1c:4f:e0:92:45:f0:1f:57:
+ ce:38:6c:3e:f6:2f:96:73:1f:60:db:63:8e:63:b3:
+ f3:35:85:e9:00:39:92:b3:9f:4a:6b:bd:e9:a0:00:
+ ca:be:fe:27:78:9b:44:23:53:56:13:48:7d:cd:d1:
+ 01:3a:88:36:66:4f:7f:f3:2c:9f:c7:c4:52:75:1e:
+ 0e:3c:50:29:c9:39:e0:ff:90:4d:95:47:56:13:e1:
+ 30:f3:30:33:ee:02:60:70:b0:bd:dd:3b:aa:b9:2a:
+ 86:bf:e7:e2:a8:ec:64:2a:0b:12:05:08:03:7e:d8:
+ 41:bb:23:de:29:e5:0f:9b:3b:00:2e:4f:0e:f5:31:
+ 91:ec:bd:34:02:68:6d:d7:71:a9:8c:4d:23:d2:43:
+ ae:d7:f8:e5:69:2b:ae:13:86:13:27:38:72:48:70:
+ f8:1f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 98:CF:F8:00:82:EC:D7:E9:17:4F:BD:7A:87:60:32:A5:BB:9D:B5:0E
+ X509v3 Authority Key Identifier:
+ keyid:03:7A:DF:0C:DF:DC:93:3D:F7:A5:CC:27:7B:DC:22:F6:E9:55:97:F0
+
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP4/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR2.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64544
+
+ sbgp-ipAddrBlock: critical
+ IPv6:
+ 2001:db8:0:0:0:10:0:44/128
+
+ Signature Algorithm: sha1WithRSAEncryption
+ cf:89:36:be:f0:e0:c8:98:8d:4d:af:19:f7:14:c6:98:8c:7d:
+ 80:88:38:7e:4a:86:21:11:11:48:d1:5d:ab:45:c7:13:ea:40:
+ de:69:2b:a4:ed:b9:19:34:74:95:2d:65:5a:38:4d:5c:04:0b:
+ 1e:5c:59:15:ac:6c:0e:38:b0:ec:bf:f4:61:3c:78:5b:61:24:
+ 2a:e0:ec:38:df:f8:f0:6e:9f:91:52:56:c1:14:8f:b1:57:4a:
+ 3f:62:8d:55:a3:83:38:e2:e7:3f:bb:16:14:59:9a:97:b7:60:
+ 05:29:cc:0f:2d:74:1c:71:0e:1f:fb:59:31:76:c5:69:8f:98:
+ aa:9a:d2:d9:50:07:c8:67:23:cd:31:9a:ae:70:bd:be:82:7e:
+ a5:7d:4a:2a:eb:77:8e:59:cd:4b:eb:6b:78:39:82:ac:46:5d:
+ 0b:7c:26:76:ce:cc:c4:94:b3:3e:c6:7d:75:d0:32:ab:32:fd:
+ 5c:96:fa:aa:b3:c2:56:4d:6f:43:a4:7a:28:94:ce:40:1d:1c:
+ a6:72:d1:a3:66:7b:9b:5c:d2:cc:69:55:15:09:1d:aa:84:d2:
+ 4c:c1:65:d5:6c:d3:c0:82:7a:a9:6e:dc:37:77:ab:29:b3:8f:
+ 10:19:49:21:b4:e3:85:8d:d7:2a:34:5c:8c:fb:88:12:3c:23:
+ ea:18:34:22
+-----BEGIN CERTIFICATE-----
+MIID6zCCAtOgAwIBAgIBBTANBgkqhkiG9w0BAQUFADAbMRkwFwYDVQQDExBURVNU
+IEVOVElUWSBMSVIyMB4XDTA3MDgwMTE0MDgyOVoXDTA4MDczMTE0MDgyOVowGzEZ
+MBcGA1UEAxMQVEVTVCBFTlRJVFkgSVNQNDCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALMFrfsG20mBrd9QBOAY6PH0g+YmS578LRzf4itXOEjrxBOj/WzF
+4hzVOv1m1/8u/0q3WsX0GbGNnqhJTjsgRtoI3rCccV53qRTiTCAO/8Ug+vNtOwvO
+4XK2//V1fz41rxxP4JJF8B9XzjhsPvYvlnMfYNtjjmOz8zWF6QA5krOfSmu96aAA
+yr7+J3ibRCNTVhNIfc3RATqINmZPf/Msn8fEUnUeDjxQKck54P+QTZVHVhPhMPMw
+M+4CYHCwvd07qrkqhr/n4qjsZCoLEgUIA37YQbsj3inlD5s7AC5PDvUxkey9NAJo
+bddxqYxNI9JDrtf45WkrrhOGEyc4ckhw+B8CAwEAAaOCATgwggE0MA8GA1UdEwEB
+/wQFMAMBAf8wHQYDVR0OBBYEFJjP+ACC7NfpF0+9eodgMqW7nbUOMB8GA1UdIwQY
+MBaAFAN63wzf3JM996XMJ3vcIvbpVZfwMA4GA1UdDwEB/wQEAwIBBjBBBggrBgEF
+BQcBCwQ1MDMwMQYIKwYBBQUHMAWGJXJzeW5jOi8vd29tYmF0cy1yLXVzLmhhY3Ry
+bi5uZXQvSVNQNC8wRAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzAChihyc3luYzov
+L3dvbWJhdHMtci11cy5oYWN0cm4ubmV0L0xJUjIuY2VyMBoGCCsGAQUFBwEIAQH/
+BAswCaAHMAUCAwD8IDAsBggrBgEFBQcBBwEB/wQdMBswGQQCAAIwEwMRACABDbgA
+AAAAAAAAEAAAAEQwDQYJKoZIhvcNAQEFBQADggEBAM+JNr7w4MiYjU2vGfcUxpiM
+fYCIOH5KhiEREUjRXatFxxPqQN5pK6TtuRk0dJUtZVo4TVwECx5cWRWsbA44sOy/
+9GE8eFthJCrg7Djf+PBun5FSVsEUj7FXSj9ijVWjgzji5z+7FhRZmpe3YAUpzA8t
+dBxxDh/7WTF2xWmPmKqa0tlQB8hnI80xmq5wvb6CfqV9Sirrd45ZzUvra3g5gqxG
+XQt8JnbOzMSUsz7GfXXQMqsy/VyW+qqzwlZNb0OkeiiUzkAdHKZy0aNme5tc0sxp
+VRUJHaqE0kzBZdVs08CCeqlu3Dd3qymzjxAZSSG044WN1yo0XIz7iBI8I+oYNCI=
+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR2/06.pem b/rpkid/resource-cert-samples/LIR2/06.pem
new file mode 100644
index 00000000..cdd0108c
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR2/06.pem
@@ -0,0 +1,92 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 6 (0x6)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR2
+ Validity
+ Not Before: Aug 1 14:08:29 2007 GMT
+ Not After : Jul 31 14:08:29 2008 GMT
+ Subject: CN=TEST ENTITY ISP3
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:d1:24:75:c1:44:29:12:9a:fe:8c:1d:1e:01:aa:
+ 05:ea:1f:47:ab:1a:8d:cf:d2:42:a1:31:7d:9c:3e:
+ 66:72:ce:2c:df:01:17:15:40:40:94:d1:ae:6d:d7:
+ ca:fd:52:d9:ec:5f:f0:64:30:a3:42:70:a1:a1:6f:
+ 05:2d:10:ee:b1:05:65:3f:f2:c1:78:84:cc:1d:66:
+ ee:35:52:c7:ae:99:76:b1:63:4d:c1:2e:24:fb:f7:
+ 43:2d:0b:21:0d:d3:d6:b7:cf:60:50:49:3d:17:53:
+ 3e:2b:f8:68:95:7e:1c:c5:e2:1e:73:06:8c:b2:53:
+ a1:70:39:d9:9e:e5:56:fc:58:d0:b3:f3:90:37:5a:
+ 6e:5a:3b:ef:05:be:f1:64:2f:31:2e:5a:58:f2:30:
+ 7a:73:52:7f:b8:0d:71:3c:63:52:17:0f:b7:07:3b:
+ c3:46:b9:9c:88:bc:73:df:14:5a:bc:16:fc:f8:79:
+ b0:a1:41:87:05:f9:52:a8:36:61:62:de:90:68:21:
+ 83:bb:8c:83:47:af:bb:82:3e:44:28:97:2b:02:a8:
+ 81:04:05:16:cd:bf:ef:9e:02:f9:54:66:2a:28:99:
+ 79:2b:b5:19:10:d4:df:35:95:f3:3f:fa:13:6a:06:
+ 6f:f5:38:28:d6:b6:0b:8a:70:5b:8d:70:8d:34:99:
+ 96:3f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ E1:97:2E:19:70:B5:7F:FC:82:4F:33:3D:6B:2C:DE:9A:9B:36:3D:7E
+ X509v3 Authority Key Identifier:
+ keyid:03:7A:DF:0C:DF:DC:93:3D:F7:A5:CC:27:7B:DC:22:F6:E9:55:97:F0
+
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP3/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR2.cer
+
+ sbgp-ipAddrBlock: critical
+ IPv6:
+ 2001:db8:0:0:0:0:0:44-2001:db8:0:0:0:0:0:100
+
+ Signature Algorithm: sha1WithRSAEncryption
+ 82:d3:6f:ff:0f:ea:b2:49:89:b9:7a:6f:9f:7a:67:11:40:9e:
+ aa:00:cd:04:3e:6d:1f:88:c9:af:63:1e:ec:bd:7e:11:38:3c:
+ a0:cf:7f:89:9f:18:e5:ae:f6:3c:a9:f3:2a:84:4d:15:b3:6d:
+ 83:39:08:45:f6:ab:e0:d4:96:0d:38:93:0e:92:6a:ec:3e:ed:
+ ae:fc:42:1f:2e:d3:ef:e3:18:32:da:4c:ed:18:a6:08:a1:3d:
+ 79:af:41:b5:b4:f6:17:12:32:6a:bd:88:76:89:76:50:52:3d:
+ 71:01:b9:bf:79:6a:bf:e5:dd:d1:89:2d:8e:4f:89:7b:d2:9d:
+ 12:bc:42:d1:0b:a2:ff:b6:61:4e:86:79:af:f3:a5:57:a0:39:
+ 3b:e8:2e:6d:aa:65:1c:e7:58:36:47:de:3c:5f:a2:04:02:5b:
+ 63:d4:86:d1:2b:4a:1a:ce:00:8b:81:5b:9c:d1:71:a4:dd:4e:
+ d2:41:34:f7:69:f8:e0:df:80:08:35:90:c6:52:3b:4a:97:e0:
+ de:09:ad:36:f6:c1:aa:77:3d:26:e1:c9:7d:a3:34:3b:09:b9:
+ 83:40:86:d8:c9:7b:d1:05:48:8a:f6:90:97:bd:05:9b:6a:8f:
+ cf:96:7e:9b:f5:fa:aa:21:1a:95:aa:31:ce:fb:78:5d:d5:a8:
+ a6:2e:ca:c6
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR2/07.pem b/rpkid/resource-cert-samples/LIR2/07.pem
new file mode 100644
index 00000000..00cf79e5
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR2/07.pem
@@ -0,0 +1,96 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 7 (0x7)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR2
+ Validity
+ Not Before: Aug 1 14:09:35 2007 GMT
+ Not After : Jul 31 14:09:35 2008 GMT
+ Subject: CN=TEST ENTITY ISP4
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:b3:05:ad:fb:06:db:49:81:ad:df:50:04:e0:18:
+ e8:f1:f4:83:e6:26:4b:9e:fc:2d:1c:df:e2:2b:57:
+ 38:48:eb:c4:13:a3:fd:6c:c5:e2:1c:d5:3a:fd:66:
+ d7:ff:2e:ff:4a:b7:5a:c5:f4:19:b1:8d:9e:a8:49:
+ 4e:3b:20:46:da:08:de:b0:9c:71:5e:77:a9:14:e2:
+ 4c:20:0e:ff:c5:20:fa:f3:6d:3b:0b:ce:e1:72:b6:
+ ff:f5:75:7f:3e:35:af:1c:4f:e0:92:45:f0:1f:57:
+ ce:38:6c:3e:f6:2f:96:73:1f:60:db:63:8e:63:b3:
+ f3:35:85:e9:00:39:92:b3:9f:4a:6b:bd:e9:a0:00:
+ ca:be:fe:27:78:9b:44:23:53:56:13:48:7d:cd:d1:
+ 01:3a:88:36:66:4f:7f:f3:2c:9f:c7:c4:52:75:1e:
+ 0e:3c:50:29:c9:39:e0:ff:90:4d:95:47:56:13:e1:
+ 30:f3:30:33:ee:02:60:70:b0:bd:dd:3b:aa:b9:2a:
+ 86:bf:e7:e2:a8:ec:64:2a:0b:12:05:08:03:7e:d8:
+ 41:bb:23:de:29:e5:0f:9b:3b:00:2e:4f:0e:f5:31:
+ 91:ec:bd:34:02:68:6d:d7:71:a9:8c:4d:23:d2:43:
+ ae:d7:f8:e5:69:2b:ae:13:86:13:27:38:72:48:70:
+ f8:1f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 98:CF:F8:00:82:EC:D7:E9:17:4F:BD:7A:87:60:32:A5:BB:9D:B5:0E
+ X509v3 Authority Key Identifier:
+ keyid:03:7A:DF:0C:DF:DC:93:3D:F7:A5:CC:27:7B:DC:22:F6:E9:55:97:F0
+
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP4/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR2.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64544
+
+ sbgp-ipAddrBlock: critical
+ IPv6:
+ 2001:db8:0:0:0:10:0:44/128
+
+ Signature Algorithm: sha1WithRSAEncryption
+ b8:19:54:a2:c8:99:67:2c:52:0c:a7:ab:fa:60:12:7e:3e:e9:
+ 72:81:c0:89:11:85:e0:cf:b7:f8:27:b4:18:3d:fd:cc:3c:69:
+ 9b:ec:f8:73:f8:81:ef:06:63:90:95:ad:9c:85:bf:ec:ad:13:
+ 53:59:d8:a3:1e:17:49:0d:94:ba:f1:38:4a:1e:9b:9d:a4:34:
+ b5:1b:c8:d4:8c:b8:35:07:04:d0:9f:54:81:05:3e:8f:56:10:
+ 32:6a:e8:32:ce:89:bb:44:c1:09:7a:c6:69:9b:12:2d:05:e2:
+ d9:5c:f9:ba:16:07:bc:d0:8b:92:68:5a:93:5b:d0:25:0a:4e:
+ 3c:7c:f4:62:44:43:98:7f:97:81:43:43:ef:1f:38:59:55:64:
+ ca:68:a6:bb:91:0f:26:51:47:d3:6c:19:c2:30:4d:55:55:91:
+ e9:fb:30:01:10:cd:eb:7e:42:33:1b:5b:82:95:c7:38:54:ab:
+ e5:0b:fc:8a:15:3d:7e:48:45:57:4c:26:e9:22:79:71:58:86:
+ 25:22:38:4d:c7:78:8c:58:a2:17:1b:ce:ff:ff:34:22:ba:6f:
+ 17:be:f0:47:76:a5:01:e6:33:07:62:f0:d8:47:8c:00:15:04:
+ d5:37:73:6d:62:7e:b9:de:60:41:e5:e3:f2:e4:96:c9:e2:7a:
+ db:56:f0:3a
+-----BEGIN CERTIFICATE-----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=
+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR2/08.pem b/rpkid/resource-cert-samples/LIR2/08.pem
new file mode 100644
index 00000000..0d2eebd5
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR2/08.pem
@@ -0,0 +1,92 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 8 (0x8)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR2
+ Validity
+ Not Before: Aug 1 14:09:35 2007 GMT
+ Not After : Jul 31 14:09:35 2008 GMT
+ Subject: CN=TEST ENTITY ISP3
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:d1:24:75:c1:44:29:12:9a:fe:8c:1d:1e:01:aa:
+ 05:ea:1f:47:ab:1a:8d:cf:d2:42:a1:31:7d:9c:3e:
+ 66:72:ce:2c:df:01:17:15:40:40:94:d1:ae:6d:d7:
+ ca:fd:52:d9:ec:5f:f0:64:30:a3:42:70:a1:a1:6f:
+ 05:2d:10:ee:b1:05:65:3f:f2:c1:78:84:cc:1d:66:
+ ee:35:52:c7:ae:99:76:b1:63:4d:c1:2e:24:fb:f7:
+ 43:2d:0b:21:0d:d3:d6:b7:cf:60:50:49:3d:17:53:
+ 3e:2b:f8:68:95:7e:1c:c5:e2:1e:73:06:8c:b2:53:
+ a1:70:39:d9:9e:e5:56:fc:58:d0:b3:f3:90:37:5a:
+ 6e:5a:3b:ef:05:be:f1:64:2f:31:2e:5a:58:f2:30:
+ 7a:73:52:7f:b8:0d:71:3c:63:52:17:0f:b7:07:3b:
+ c3:46:b9:9c:88:bc:73:df:14:5a:bc:16:fc:f8:79:
+ b0:a1:41:87:05:f9:52:a8:36:61:62:de:90:68:21:
+ 83:bb:8c:83:47:af:bb:82:3e:44:28:97:2b:02:a8:
+ 81:04:05:16:cd:bf:ef:9e:02:f9:54:66:2a:28:99:
+ 79:2b:b5:19:10:d4:df:35:95:f3:3f:fa:13:6a:06:
+ 6f:f5:38:28:d6:b6:0b:8a:70:5b:8d:70:8d:34:99:
+ 96:3f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ E1:97:2E:19:70:B5:7F:FC:82:4F:33:3D:6B:2C:DE:9A:9B:36:3D:7E
+ X509v3 Authority Key Identifier:
+ keyid:03:7A:DF:0C:DF:DC:93:3D:F7:A5:CC:27:7B:DC:22:F6:E9:55:97:F0
+
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP3/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR2.cer
+
+ sbgp-ipAddrBlock: critical
+ IPv6:
+ 2001:db8:0:0:0:0:0:44-2001:db8:0:0:0:0:0:100
+
+ Signature Algorithm: sha1WithRSAEncryption
+ c9:76:93:8c:9f:ac:9a:b1:29:fb:5b:b0:ad:c4:e4:70:74:5b:
+ e3:a2:91:cd:39:ab:25:82:6b:8b:46:3d:86:74:73:04:95:5d:
+ f4:5d:6f:9b:78:91:44:f9:16:07:ca:75:56:2f:ac:84:3c:3c:
+ b4:1d:fe:f3:62:f2:70:16:86:7f:94:16:22:f3:7a:a5:98:7e:
+ 6b:1b:cc:61:3e:7c:a0:57:f4:80:3d:69:0b:a0:3c:3b:a1:3f:
+ f6:50:a6:1a:40:c0:85:e6:20:88:94:20:f2:b7:41:a1:42:39:
+ 91:b0:46:4f:07:df:b5:59:30:18:22:97:ad:95:4b:92:cc:d7:
+ 31:ee:cb:99:90:ec:82:e2:19:34:99:9e:94:2c:16:9f:6e:f4:
+ 89:9a:79:40:96:d2:1b:d6:79:e0:da:f2:a2:f7:ee:c4:3a:91:
+ 21:02:77:8a:6c:5f:c6:aa:77:c7:ae:15:6e:3f:38:b9:97:69:
+ ac:cf:44:95:74:dc:a6:bc:c8:e4:a0:f4:e4:c4:f9:55:de:5a:
+ ba:f5:ae:d7:e9:b9:44:c7:46:54:53:dc:74:cd:f7:fe:48:9a:
+ 1a:1a:57:bc:af:3d:47:38:9f:67:10:7f:6a:4f:17:d7:7d:45:
+ d0:05:ec:fd:8b:a2:aa:52:c3:7b:73:eb:96:f8:11:cc:12:4f:
+ e8:81:ad:f1
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR2/09.pem b/rpkid/resource-cert-samples/LIR2/09.pem
new file mode 100644
index 00000000..b117c94d
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR2/09.pem
@@ -0,0 +1,96 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 9 (0x9)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR2
+ Validity
+ Not Before: Aug 1 14:48:22 2007 GMT
+ Not After : Jul 31 14:48:22 2008 GMT
+ Subject: CN=TEST ENTITY ISP4
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:b3:05:ad:fb:06:db:49:81:ad:df:50:04:e0:18:
+ e8:f1:f4:83:e6:26:4b:9e:fc:2d:1c:df:e2:2b:57:
+ 38:48:eb:c4:13:a3:fd:6c:c5:e2:1c:d5:3a:fd:66:
+ d7:ff:2e:ff:4a:b7:5a:c5:f4:19:b1:8d:9e:a8:49:
+ 4e:3b:20:46:da:08:de:b0:9c:71:5e:77:a9:14:e2:
+ 4c:20:0e:ff:c5:20:fa:f3:6d:3b:0b:ce:e1:72:b6:
+ ff:f5:75:7f:3e:35:af:1c:4f:e0:92:45:f0:1f:57:
+ ce:38:6c:3e:f6:2f:96:73:1f:60:db:63:8e:63:b3:
+ f3:35:85:e9:00:39:92:b3:9f:4a:6b:bd:e9:a0:00:
+ ca:be:fe:27:78:9b:44:23:53:56:13:48:7d:cd:d1:
+ 01:3a:88:36:66:4f:7f:f3:2c:9f:c7:c4:52:75:1e:
+ 0e:3c:50:29:c9:39:e0:ff:90:4d:95:47:56:13:e1:
+ 30:f3:30:33:ee:02:60:70:b0:bd:dd:3b:aa:b9:2a:
+ 86:bf:e7:e2:a8:ec:64:2a:0b:12:05:08:03:7e:d8:
+ 41:bb:23:de:29:e5:0f:9b:3b:00:2e:4f:0e:f5:31:
+ 91:ec:bd:34:02:68:6d:d7:71:a9:8c:4d:23:d2:43:
+ ae:d7:f8:e5:69:2b:ae:13:86:13:27:38:72:48:70:
+ f8:1f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 98:CF:F8:00:82:EC:D7:E9:17:4F:BD:7A:87:60:32:A5:BB:9D:B5:0E
+ X509v3 Authority Key Identifier:
+ keyid:03:7A:DF:0C:DF:DC:93:3D:F7:A5:CC:27:7B:DC:22:F6:E9:55:97:F0
+
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP4/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR2.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64544
+
+ sbgp-ipAddrBlock: critical
+ IPv6:
+ 2001:db8:0:0:0:10:0:44/128
+
+ Signature Algorithm: sha1WithRSAEncryption
+ 1c:53:2a:8f:55:44:b1:71:d1:50:79:f1:3c:3d:fe:15:1d:72:
+ 5e:22:91:d1:54:3d:a4:e0:9e:ba:e4:8d:b3:71:c5:93:cd:5b:
+ 54:5c:e5:2c:af:a1:a9:d7:8d:32:b7:92:95:8c:0e:2e:05:d3:
+ 9d:da:ac:a9:7a:01:d2:19:9e:b7:88:80:92:b1:26:95:6d:0a:
+ b4:01:a3:f1:9f:15:fe:0b:29:0f:0f:72:b7:72:d2:18:9e:5d:
+ 7e:65:59:7b:30:75:33:7f:95:fc:cb:9d:7b:0f:36:44:0f:d0:
+ e6:a3:c1:a5:6b:d0:db:13:4b:fa:06:35:df:66:01:c3:d8:51:
+ 47:e7:89:26:56:6f:2a:2a:ba:46:29:a8:cb:9d:cc:5f:d9:9f:
+ 14:01:d5:fd:08:e9:db:1a:7a:89:3e:c8:36:6b:b4:6c:ca:a9:
+ df:43:46:89:48:a0:13:32:bb:c9:17:14:01:2d:21:fe:68:11:
+ 61:5a:b4:6f:af:ba:3b:0a:96:4c:25:33:5a:a6:cf:29:21:45:
+ 76:b8:e1:d9:20:0c:22:f7:7c:85:b2:45:90:94:c5:2c:ca:e1:
+ 82:65:36:75:9d:46:9b:f8:9a:d6:85:2f:71:8b:cd:88:fd:87:
+ 1b:1c:36:f8:36:f5:1c:18:e5:5b:68:3f:36:60:de:a0:59:e1:
+ cd:54:61:4c
+-----BEGIN CERTIFICATE-----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=
+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR2/0A.pem b/rpkid/resource-cert-samples/LIR2/0A.pem
new file mode 100644
index 00000000..c8f4890e
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR2/0A.pem
@@ -0,0 +1,92 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 10 (0xa)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR2
+ Validity
+ Not Before: Aug 1 14:48:22 2007 GMT
+ Not After : Jul 31 14:48:22 2008 GMT
+ Subject: CN=TEST ENTITY ISP3
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:d1:24:75:c1:44:29:12:9a:fe:8c:1d:1e:01:aa:
+ 05:ea:1f:47:ab:1a:8d:cf:d2:42:a1:31:7d:9c:3e:
+ 66:72:ce:2c:df:01:17:15:40:40:94:d1:ae:6d:d7:
+ ca:fd:52:d9:ec:5f:f0:64:30:a3:42:70:a1:a1:6f:
+ 05:2d:10:ee:b1:05:65:3f:f2:c1:78:84:cc:1d:66:
+ ee:35:52:c7:ae:99:76:b1:63:4d:c1:2e:24:fb:f7:
+ 43:2d:0b:21:0d:d3:d6:b7:cf:60:50:49:3d:17:53:
+ 3e:2b:f8:68:95:7e:1c:c5:e2:1e:73:06:8c:b2:53:
+ a1:70:39:d9:9e:e5:56:fc:58:d0:b3:f3:90:37:5a:
+ 6e:5a:3b:ef:05:be:f1:64:2f:31:2e:5a:58:f2:30:
+ 7a:73:52:7f:b8:0d:71:3c:63:52:17:0f:b7:07:3b:
+ c3:46:b9:9c:88:bc:73:df:14:5a:bc:16:fc:f8:79:
+ b0:a1:41:87:05:f9:52:a8:36:61:62:de:90:68:21:
+ 83:bb:8c:83:47:af:bb:82:3e:44:28:97:2b:02:a8:
+ 81:04:05:16:cd:bf:ef:9e:02:f9:54:66:2a:28:99:
+ 79:2b:b5:19:10:d4:df:35:95:f3:3f:fa:13:6a:06:
+ 6f:f5:38:28:d6:b6:0b:8a:70:5b:8d:70:8d:34:99:
+ 96:3f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ E1:97:2E:19:70:B5:7F:FC:82:4F:33:3D:6B:2C:DE:9A:9B:36:3D:7E
+ X509v3 Authority Key Identifier:
+ keyid:03:7A:DF:0C:DF:DC:93:3D:F7:A5:CC:27:7B:DC:22:F6:E9:55:97:F0
+
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP3/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR2.cer
+
+ sbgp-ipAddrBlock: critical
+ IPv6:
+ 2001:db8:0:0:0:0:0:44-2001:db8:0:0:0:0:0:100
+
+ Signature Algorithm: sha1WithRSAEncryption
+ 05:ba:27:d4:55:52:1b:f7:61:da:37:98:b3:16:e6:53:6a:2c:
+ 65:f5:80:7f:d4:cb:8f:fb:c2:1d:1a:9f:54:ed:a0:7a:03:a6:
+ ff:5a:e7:d6:c1:06:31:11:b5:c1:dc:ab:33:87:d7:57:0e:cd:
+ 19:44:16:9f:92:84:43:32:8b:d0:64:12:00:a7:ad:b7:fb:79:
+ c1:ec:e3:d0:77:3c:73:8a:5f:90:6b:da:a4:d4:e0:28:0a:45:
+ 99:5a:b8:b0:fa:96:3e:c3:a3:de:a6:df:f9:55:e9:1b:3e:37:
+ f0:21:38:7f:5f:b2:e0:75:f2:8c:82:10:e9:60:76:3b:de:dd:
+ 85:f2:1e:3c:22:f5:77:40:d9:a4:f9:72:46:29:99:a8:2e:5d:
+ b8:05:5c:b3:2b:d0:44:c5:8b:07:c7:69:d0:a9:cf:83:31:d1:
+ ed:36:d7:ce:b4:c6:7e:4a:58:10:20:46:16:ed:b5:e3:60:47:
+ e8:b2:36:1e:79:ed:ac:08:da:8b:a0:6d:92:f1:e4:73:60:6b:
+ 10:61:07:69:78:78:a9:51:fd:24:1d:3d:d6:63:62:c3:d4:1e:
+ 70:8d:f6:41:fc:42:09:cc:7b:1c:19:c7:59:0b:a0:da:5b:00:
+ fd:33:24:8b:9f:1e:d8:d8:04:cd:f4:71:06:ea:c6:2e:8d:8b:
+ 6f:cd:b9:a6
+-----BEGIN CERTIFICATE-----
+MIID5DCCAsygAwIBAgIBCjANBgkqhkiG9w0BAQUFADAbMRkwFwYDVQQDExBURVNU
+IEVOVElUWSBMSVIyMB4XDTA3MDgwMTE0NDgyMloXDTA4MDczMTE0NDgyMlowGzEZ
+MBcGA1UEAxMQVEVTVCBFTlRJVFkgSVNQMzCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBANEkdcFEKRKa/owdHgGqBeofR6sajc/SQqExfZw+ZnLOLN8BFxVA
+QJTRrm3Xyv1S2exf8GQwo0JwoaFvBS0Q7rEFZT/ywXiEzB1m7jVSx66ZdrFjTcEu
+JPv3Qy0LIQ3T1rfPYFBJPRdTPiv4aJV+HMXiHnMGjLJToXA52Z7lVvxY0LPzkDda
+blo77wW+8WQvMS5aWPIwenNSf7gNcTxjUhcPtwc7w0a5nIi8c98UWrwW/Ph5sKFB
+hwX5Uqg2YWLekGghg7uMg0evu4I+RCiXKwKogQQFFs2/754C+VRmKiiZeSu1GRDU
+3zWV8z/6E2oGb/U4KNa2C4pwW41wjTSZlj8CAwEAAaOCATEwggEtMA8GA1UdEwEB
+/wQFMAMBAf8wHQYDVR0OBBYEFOGXLhlwtX/8gk8zPWss3pqbNj1+MB8GA1UdIwQY
+MBaAFAN63wzf3JM996XMJ3vcIvbpVZfwMA4GA1UdDwEB/wQEAwIBBjBBBggrBgEF
+BQcBCwQ1MDMwMQYIKwYBBQUHMAWGJXJzeW5jOi8vd29tYmF0cy1yLXVzLmhhY3Ry
+bi5uZXQvSVNQMy8wRAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzAChihyc3luYzov
+L3dvbWJhdHMtci11cy5oYWN0cm4ubmV0L0xJUjIuY2VyMEEGCCsGAQUFBwEHAQH/
+BDIwMDAuBAIAAjAoMCYDEQIgAQ24AAAAAAAAAAAAAABEAxEAIAENuAAAAAAAAAAA
+AAABADANBgkqhkiG9w0BAQUFAAOCAQEABbon1FVSG/dh2jeYsxbmU2osZfWAf9TL
+j/vCHRqfVO2gegOm/1rn1sEGMRG1wdyrM4fXVw7NGUQWn5KEQzKL0GQSAKett/t5
+wezj0Hc8c4pfkGvapNTgKApFmVq4sPqWPsOj3qbf+VXpGz438CE4f1+y4HXyjIIQ
+6WB2O97dhfIePCL1d0DZpPlyRimZqC5duAVcsyvQRMWLB8dp0KnPgzHR7TbXzrTG
+fkpYECBGFu2142BH6LI2HnntrAjai6BtkvHkc2BrEGEHaXh4qVH9JB091mNiw9Qe
+cI32QfxCCcx7HBnHWQug2lsA/TMki58e2NgEzfRxBurGLo2Lb825pg==
+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR2/0B.pem b/rpkid/resource-cert-samples/LIR2/0B.pem
new file mode 100644
index 00000000..d4720f0d
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR2/0B.pem
@@ -0,0 +1,79 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 11 (0xb)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR2
+ Validity
+ Not Before: Aug 10 00:58:17 2007 GMT
+ Not After : Aug 9 00:58:17 2008 GMT
+ Subject: CN=TEST ENTITY ISP4
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:b3:05:ad:fb:06:db:49:81:ad:df:50:04:e0:18:
+ e8:f1:f4:83:e6:26:4b:9e:fc:2d:1c:df:e2:2b:57:
+ 38:48:eb:c4:13:a3:fd:6c:c5:e2:1c:d5:3a:fd:66:
+ d7:ff:2e:ff:4a:b7:5a:c5:f4:19:b1:8d:9e:a8:49:
+ 4e:3b:20:46:da:08:de:b0:9c:71:5e:77:a9:14:e2:
+ 4c:20:0e:ff:c5:20:fa:f3:6d:3b:0b:ce:e1:72:b6:
+ ff:f5:75:7f:3e:35:af:1c:4f:e0:92:45:f0:1f:57:
+ ce:38:6c:3e:f6:2f:96:73:1f:60:db:63:8e:63:b3:
+ f3:35:85:e9:00:39:92:b3:9f:4a:6b:bd:e9:a0:00:
+ ca:be:fe:27:78:9b:44:23:53:56:13:48:7d:cd:d1:
+ 01:3a:88:36:66:4f:7f:f3:2c:9f:c7:c4:52:75:1e:
+ 0e:3c:50:29:c9:39:e0:ff:90:4d:95:47:56:13:e1:
+ 30:f3:30:33:ee:02:60:70:b0:bd:dd:3b:aa:b9:2a:
+ 86:bf:e7:e2:a8:ec:64:2a:0b:12:05:08:03:7e:d8:
+ 41:bb:23:de:29:e5:0f:9b:3b:00:2e:4f:0e:f5:31:
+ 91:ec:bd:34:02:68:6d:d7:71:a9:8c:4d:23:d2:43:
+ ae:d7:f8:e5:69:2b:ae:13:86:13:27:38:72:48:70:
+ f8:1f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 98:CF:F8:00:82:EC:D7:E9:17:4F:BD:7A:87:60:32:A5:BB:9D:B5:0E
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP4/
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 87:7d:49:12:b5:b5:ca:35:8f:2c:ae:da:fc:4a:35:b2:09:2b:
+ ed:7e:64:3d:a2:3c:ce:a5:e6:f4:77:ca:6f:a0:fb:ff:d0:46:
+ db:d8:fc:2b:09:35:a3:f6:ca:c1:00:ae:e6:02:93:96:ff:f8:
+ 2c:f5:40:18:d1:43:aa:ba:80:a7:71:7c:aa:99:ba:bb:59:74:
+ fb:b9:64:40:4c:d6:ec:4a:f4:a1:7e:32:ae:94:8d:15:f0:ba:
+ bb:0c:20:0c:58:3c:eb:52:5a:02:32:56:1b:97:95:38:8e:a4:
+ a7:4d:33:92:d5:5e:8c:e4:ab:81:c9:48:dd:39:28:c3:0b:5d:
+ ea:13:8e:69:b0:e3:b6:e3:fb:d3:fe:a6:24:4c:48:fe:55:63:
+ dd:27:36:68:a5:51:86:8b:b5:8a:95:4c:ef:89:47:0e:d9:af:
+ 98:b6:e5:3d:52:5b:a7:b8:5d:d2:d0:bc:b8:7e:cf:65:d3:51:
+ 78:58:49:27:6c:3b:12:36:21:20:36:dd:e8:ea:d0:9d:55:9d:
+ e0:06:49:d2:27:58:a4:4a:64:65:72:8e:f9:43:80:53:94:04:
+ c0:de:0b:e1:42:81:da:c6:a0:1c:c6:d6:8b:d2:1b:ee:39:3b:
+ e5:c4:9e:99:da:2a:37:88:d7:e5:51:f8:55:d9:c3:4a:a3:69:
+ ff:3c:20:0c
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
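Review bot: The text dump of 0B.pem shows a CA certificate with only Basic Constraints, Subject Key Identifier, Key Usage and Subject Information Access. It has no sbgp-ipAddrBlock or sbgp-autonomousSysNum, no Authority Information Access and no Authority Key Identifier, whereas 04.pem through 0A.pem carry all of these. 0C.pem has the same shape, and 0D.pem restores the resource extensions and AIA but still lacks the Authority Key Identifier. If these are intermediate or deliberately malformed outputs, the directory should say so, so that nobody uses them as positive fixtures for a resource-certificate validator. A one-line note such as `0B, 0C: no RFC 3779 resource extensions, expected to be rejected` would be enough.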
diff --git a/rpkid/resource-cert-samples/LIR2/0C.pem b/rpkid/resource-cert-samples/LIR2/0C.pem
new file mode 100644
index 00000000..42755368
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR2/0C.pem
@@ -0,0 +1,79 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 12 (0xc)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR2
+ Validity
+ Not Before: Aug 10 00:58:18 2007 GMT
+ Not After : Aug 9 00:58:18 2008 GMT
+ Subject: CN=TEST ENTITY ISP3
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:d1:24:75:c1:44:29:12:9a:fe:8c:1d:1e:01:aa:
+ 05:ea:1f:47:ab:1a:8d:cf:d2:42:a1:31:7d:9c:3e:
+ 66:72:ce:2c:df:01:17:15:40:40:94:d1:ae:6d:d7:
+ ca:fd:52:d9:ec:5f:f0:64:30:a3:42:70:a1:a1:6f:
+ 05:2d:10:ee:b1:05:65:3f:f2:c1:78:84:cc:1d:66:
+ ee:35:52:c7:ae:99:76:b1:63:4d:c1:2e:24:fb:f7:
+ 43:2d:0b:21:0d:d3:d6:b7:cf:60:50:49:3d:17:53:
+ 3e:2b:f8:68:95:7e:1c:c5:e2:1e:73:06:8c:b2:53:
+ a1:70:39:d9:9e:e5:56:fc:58:d0:b3:f3:90:37:5a:
+ 6e:5a:3b:ef:05:be:f1:64:2f:31:2e:5a:58:f2:30:
+ 7a:73:52:7f:b8:0d:71:3c:63:52:17:0f:b7:07:3b:
+ c3:46:b9:9c:88:bc:73:df:14:5a:bc:16:fc:f8:79:
+ b0:a1:41:87:05:f9:52:a8:36:61:62:de:90:68:21:
+ 83:bb:8c:83:47:af:bb:82:3e:44:28:97:2b:02:a8:
+ 81:04:05:16:cd:bf:ef:9e:02:f9:54:66:2a:28:99:
+ 79:2b:b5:19:10:d4:df:35:95:f3:3f:fa:13:6a:06:
+ 6f:f5:38:28:d6:b6:0b:8a:70:5b:8d:70:8d:34:99:
+ 96:3f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ E1:97:2E:19:70:B5:7F:FC:82:4F:33:3D:6B:2C:DE:9A:9B:36:3D:7E
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP3/
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 97:a4:c3:69:4c:4d:c3:a6:15:69:99:75:4b:04:37:02:b4:f2:
+ 02:ad:5d:22:4b:c8:73:e3:34:d0:20:34:e3:83:48:ef:e2:75:
+ f8:d7:67:4f:9f:d6:20:a4:0d:b1:ab:ba:64:cd:c6:98:0b:67:
+ c3:a8:a5:7a:48:fe:4c:a0:34:1c:01:ea:91:79:2c:37:05:56:
+ 4e:fe:4b:97:c5:f4:65:7b:a2:31:a5:6d:e2:47:c1:15:55:d7:
+ 90:cb:83:3b:d9:d6:62:3e:09:e1:a4:8b:aa:82:21:de:4b:39:
+ d5:c2:d1:c8:88:fc:73:ad:f7:e2:ca:c6:ec:7e:12:67:4c:f1:
+ e2:78:21:bf:b9:59:21:d1:3a:36:bc:6f:e8:1e:be:7a:74:4b:
+ 6e:60:d2:9d:62:21:ac:26:7d:f4:df:da:37:2e:b2:dd:4c:f1:
+ 64:b6:ef:75:2a:a8:dd:d2:d2:fb:64:c5:fe:e0:f5:68:44:e4:
+ 1c:48:99:a9:fb:5d:4b:34:bd:d3:4b:c0:40:e7:21:7c:dd:43:
+ f1:f7:4d:6b:f2:32:bd:34:14:c5:6c:3c:df:bb:ff:eb:bc:5b:
+ d2:76:d1:2c:e8:c0:8e:0c:03:3c:2d:a3:6e:76:00:9d:8d:b9:
+ 7d:86:8a:84:f9:76:7e:af:f3:ef:3c:8b:a6:0b:59:c0:8c:cf:
+ f8:6f:90:6d
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR2/0D.pem b/rpkid/resource-cert-samples/LIR2/0D.pem
new file mode 100644
index 00000000..a3e8fbab
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR2/0D.pem
@@ -0,0 +1,93 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 13 (0xd)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR2
+ Validity
+ Not Before: Aug 10 01:02:31 2007 GMT
+ Not After : Aug 9 01:02:31 2008 GMT
+ Subject: CN=TEST ENTITY ISP4
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:b3:05:ad:fb:06:db:49:81:ad:df:50:04:e0:18:
+ e8:f1:f4:83:e6:26:4b:9e:fc:2d:1c:df:e2:2b:57:
+ 38:48:eb:c4:13:a3:fd:6c:c5:e2:1c:d5:3a:fd:66:
+ d7:ff:2e:ff:4a:b7:5a:c5:f4:19:b1:8d:9e:a8:49:
+ 4e:3b:20:46:da:08:de:b0:9c:71:5e:77:a9:14:e2:
+ 4c:20:0e:ff:c5:20:fa:f3:6d:3b:0b:ce:e1:72:b6:
+ ff:f5:75:7f:3e:35:af:1c:4f:e0:92:45:f0:1f:57:
+ ce:38:6c:3e:f6:2f:96:73:1f:60:db:63:8e:63:b3:
+ f3:35:85:e9:00:39:92:b3:9f:4a:6b:bd:e9:a0:00:
+ ca:be:fe:27:78:9b:44:23:53:56:13:48:7d:cd:d1:
+ 01:3a:88:36:66:4f:7f:f3:2c:9f:c7:c4:52:75:1e:
+ 0e:3c:50:29:c9:39:e0:ff:90:4d:95:47:56:13:e1:
+ 30:f3:30:33:ee:02:60:70:b0:bd:dd:3b:aa:b9:2a:
+ 86:bf:e7:e2:a8:ec:64:2a:0b:12:05:08:03:7e:d8:
+ 41:bb:23:de:29:e5:0f:9b:3b:00:2e:4f:0e:f5:31:
+ 91:ec:bd:34:02:68:6d:d7:71:a9:8c:4d:23:d2:43:
+ ae:d7:f8:e5:69:2b:ae:13:86:13:27:38:72:48:70:
+ f8:1f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 98:CF:F8:00:82:EC:D7:E9:17:4F:BD:7A:87:60:32:A5:BB:9D:B5:0E
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP4/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR2.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64544
+
+ sbgp-ipAddrBlock: critical
+ IPv6:
+ 2001:db8:0:0:0:10:0:44/128
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 39:43:cf:68:33:e0:80:03:70:71:f7:ae:88:a1:cb:0e:11:a3:
+ 5c:aa:a4:09:a3:4c:cc:b6:73:92:09:2f:50:57:f3:f8:4a:c2:
+ eb:f0:b8:64:19:37:7b:d2:3b:c9:43:50:ed:89:69:73:05:85:
+ bd:3c:dd:5b:47:b7:1b:0f:d2:ab:18:93:3a:bf:0a:20:9a:b3:
+ 2b:4c:b2:e1:08:df:39:53:9b:36:be:6b:54:b4:f3:7f:4d:5d:
+ 6f:b6:68:ee:26:3f:5f:a0:3f:89:8e:d2:10:54:0e:03:da:4f:
+ 22:4f:b8:d3:07:e8:51:6b:df:20:4f:2d:5b:67:fa:66:49:34:
+ 45:77:9f:88:57:aa:53:68:3c:9b:50:b3:71:74:34:79:26:29:
+ b2:2b:b3:8b:e1:24:fe:56:94:af:cc:56:cb:c6:5d:f3:cf:bb:
+ ff:16:32:90:96:72:76:14:10:d6:64:52:44:98:49:1b:9b:10:
+ 17:f8:8d:6d:27:6e:2e:8d:d7:d2:6d:73:31:70:31:fe:8a:be:
+ 74:06:62:33:13:c5:87:7a:89:c1:af:96:77:1f:af:da:e8:0d:
+ 38:8f:00:da:b3:3f:29:31:80:a1:32:a1:60:cc:6c:56:cb:8f:
+ 63:59:1f:a0:e4:50:9c:3e:4e:c3:53:8b:6f:88:b3:3c:97:d3:
+ 66:91:6e:a7
+-----BEGIN CERTIFICATE-----
+MIIDyjCCArKgAwIBAgIBDTANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBURVNU
+IEVOVElUWSBMSVIyMB4XDTA3MDgxMDAxMDIzMVoXDTA4MDgwOTAxMDIzMVowGzEZ
+MBcGA1UEAxMQVEVTVCBFTlRJVFkgSVNQNDCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALMFrfsG20mBrd9QBOAY6PH0g+YmS578LRzf4itXOEjrxBOj/WzF
+4hzVOv1m1/8u/0q3WsX0GbGNnqhJTjsgRtoI3rCccV53qRTiTCAO/8Ug+vNtOwvO
+4XK2//V1fz41rxxP4JJF8B9XzjhsPvYvlnMfYNtjjmOz8zWF6QA5krOfSmu96aAA
+yr7+J3ibRCNTVhNIfc3RATqINmZPf/Msn8fEUnUeDjxQKck54P+QTZVHVhPhMPMw
+M+4CYHCwvd07qrkqhr/n4qjsZCoLEgUIA37YQbsj3inlD5s7AC5PDvUxkey9NAJo
+bddxqYxNI9JDrtf45WkrrhOGEyc4ckhw+B8CAwEAAaOCARcwggETMA8GA1UdEwEB
+/wQFMAMBAf8wHQYDVR0OBBYEFJjP+ACC7NfpF0+9eodgMqW7nbUOMA4GA1UdDwEB
+/wQEAwIBBjBBBggrBgEFBQcBCwQ1MDMwMQYIKwYBBQUHMAWGJXJzeW5jOi8vd29t
+YmF0cy1yLXVzLmhhY3Rybi5uZXQvSVNQNC8wRAYIKwYBBQUHAQEEODA2MDQGCCsG
+AQUFBzAChihyc3luYzovL3dvbWJhdHMtci11cy5oYWN0cm4ubmV0L0xJUjIuY2Vy
+MBoGCCsGAQUFBwEIAQH/BAswCaAHMAUCAwD8IDAsBggrBgEFBQcBBwEB/wQdMBsw
+GQQCAAIwEwMRACABDbgAAAAAAAAAEAAAAEQwDQYJKoZIhvcNAQELBQADggEBADlD
+z2gz4IADcHH3roihyw4Ro1yqpAmjTMy2c5IJL1BX8/hKwuvwuGQZN3vSO8lDUO2J
+aXMFhb083VtHtxsP0qsYkzq/CiCasytMsuEI3zlTmza+a1S0839NXW+2aO4mP1+g
+P4mO0hBUDgPaTyJPuNMH6FFr3yBPLVtn+mZJNEV3n4hXqlNoPJtQs3F0NHkmKbIr
+s4vhJP5WlK/MVsvGXfPPu/8WMpCWcnYUENZkUkSYSRubEBf4jW0nbi6N19JtczFw
+Mf6KvnQGYjMTxYd6icGvlncfr9roDTiPANqzPykxgKEyoWDMbFbLj2NZH6DkUJw+
+TsNTi2+IszyX02aRbqc=
+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR2/0E.pem b/rpkid/resource-cert-samples/LIR2/0E.pem
new file mode 100644
index 00000000..05f06437
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR2/0E.pem
@@ -0,0 +1,89 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 14 (0xe)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR2
+ Validity
+ Not Before: Aug 10 01:02:31 2007 GMT
+ Not After : Aug 9 01:02:31 2008 GMT
+ Subject: CN=TEST ENTITY ISP3
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:d1:24:75:c1:44:29:12:9a:fe:8c:1d:1e:01:aa:
+ 05:ea:1f:47:ab:1a:8d:cf:d2:42:a1:31:7d:9c:3e:
+ 66:72:ce:2c:df:01:17:15:40:40:94:d1:ae:6d:d7:
+ ca:fd:52:d9:ec:5f:f0:64:30:a3:42:70:a1:a1:6f:
+ 05:2d:10:ee:b1:05:65:3f:f2:c1:78:84:cc:1d:66:
+ ee:35:52:c7:ae:99:76:b1:63:4d:c1:2e:24:fb:f7:
+ 43:2d:0b:21:0d:d3:d6:b7:cf:60:50:49:3d:17:53:
+ 3e:2b:f8:68:95:7e:1c:c5:e2:1e:73:06:8c:b2:53:
+ a1:70:39:d9:9e:e5:56:fc:58:d0:b3:f3:90:37:5a:
+ 6e:5a:3b:ef:05:be:f1:64:2f:31:2e:5a:58:f2:30:
+ 7a:73:52:7f:b8:0d:71:3c:63:52:17:0f:b7:07:3b:
+ c3:46:b9:9c:88:bc:73:df:14:5a:bc:16:fc:f8:79:
+ b0:a1:41:87:05:f9:52:a8:36:61:62:de:90:68:21:
+ 83:bb:8c:83:47:af:bb:82:3e:44:28:97:2b:02:a8:
+ 81:04:05:16:cd:bf:ef:9e:02:f9:54:66:2a:28:99:
+ 79:2b:b5:19:10:d4:df:35:95:f3:3f:fa:13:6a:06:
+ 6f:f5:38:28:d6:b6:0b:8a:70:5b:8d:70:8d:34:99:
+ 96:3f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ E1:97:2E:19:70:B5:7F:FC:82:4F:33:3D:6B:2C:DE:9A:9B:36:3D:7E
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP3/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR2.cer
+
+ sbgp-ipAddrBlock: critical
+ IPv6:
+ 2001:db8:0:0:0:0:0:44-2001:db8:0:0:0:0:0:100
+
+ Signature Algorithm: sha256WithRSAEncryption
+ ab:ee:14:3e:c4:4b:ea:20:a8:9a:0d:48:6e:12:6d:da:9c:c5:
+ e5:c0:23:8e:d8:13:5f:cf:ed:b6:b6:b7:4a:b7:50:81:c1:61:
+ 92:22:af:a3:47:60:21:89:74:6e:8a:5a:c6:16:2d:60:8e:c9:
+ 45:44:62:a6:73:07:3f:d7:db:85:a9:22:a1:f1:7c:b7:a5:e1:
+ 40:42:e5:0b:1a:a4:80:63:24:79:e8:87:82:6c:fa:ce:74:97:
+ c0:e2:81:77:bd:9b:06:ea:c8:3c:4d:84:93:44:38:c5:c9:b7:
+ 94:0a:d1:e9:ee:5f:02:a1:0f:2c:db:af:f4:7a:bb:a7:65:b0:
+ d6:a5:cb:df:21:ce:b5:4e:46:33:76:95:6b:c8:e5:2e:c6:54:
+ 14:e0:25:ee:9b:e9:14:42:a6:2b:53:59:36:6d:43:55:91:4f:
+ 97:08:e0:56:f4:f7:46:83:1d:46:34:6b:26:d7:14:4c:47:23:
+ 7c:31:73:d7:0d:1f:68:c5:19:ae:b4:c4:db:24:89:ae:a7:3c:
+ a3:90:7b:db:0d:fa:cc:1f:3f:f9:78:97:ec:c3:72:10:8b:44:
+ 4d:c7:1d:ae:20:ec:af:19:90:0d:ac:95:16:eb:73:d8:e5:30:
+ 2e:bc:f9:4e:d3:6a:48:13:f4:d7:b4:c5:a1:1a:c3:ef:b9:81:
+ e7:6a:fc:a4
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
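Review bot: The extension list in 0E.pem has no Authority Key Identifier and no CRL Distribution Points; it carries only Basic Constraints, SKI, Key Usage, SIA, AIA and sbgp-ipAddrBlock. The same holds for the other subordinate samples visible in this directory (0F.pem, 10.pem, 13.pem through 17.pem). If these files are meant to track the RPKI resource certificate profile, a relying party that enforces it would reject them, and there is no pointer to revocation data for the superseded serials that reuse the same subject and key. Assuming the samples are produced from an OpenSSL config that is not shown in this hunk, regenerating them with `authorityKeyIdentifier = keyid` and a `crlDistributionPoints` entry in the extension section would close the gap.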
diff --git a/rpkid/resource-cert-samples/LIR2/0F.pem b/rpkid/resource-cert-samples/LIR2/0F.pem
new file mode 100644
index 00000000..0509dec8
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR2/0F.pem
@@ -0,0 +1,93 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 15 (0xf)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR2
+ Validity
+ Not Before: Aug 10 01:07:09 2007 GMT
+ Not After : Aug 9 01:07:09 2008 GMT
+ Subject: CN=TEST ENTITY ISP4
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:b3:05:ad:fb:06:db:49:81:ad:df:50:04:e0:18:
+ e8:f1:f4:83:e6:26:4b:9e:fc:2d:1c:df:e2:2b:57:
+ 38:48:eb:c4:13:a3:fd:6c:c5:e2:1c:d5:3a:fd:66:
+ d7:ff:2e:ff:4a:b7:5a:c5:f4:19:b1:8d:9e:a8:49:
+ 4e:3b:20:46:da:08:de:b0:9c:71:5e:77:a9:14:e2:
+ 4c:20:0e:ff:c5:20:fa:f3:6d:3b:0b:ce:e1:72:b6:
+ ff:f5:75:7f:3e:35:af:1c:4f:e0:92:45:f0:1f:57:
+ ce:38:6c:3e:f6:2f:96:73:1f:60:db:63:8e:63:b3:
+ f3:35:85:e9:00:39:92:b3:9f:4a:6b:bd:e9:a0:00:
+ ca:be:fe:27:78:9b:44:23:53:56:13:48:7d:cd:d1:
+ 01:3a:88:36:66:4f:7f:f3:2c:9f:c7:c4:52:75:1e:
+ 0e:3c:50:29:c9:39:e0:ff:90:4d:95:47:56:13:e1:
+ 30:f3:30:33:ee:02:60:70:b0:bd:dd:3b:aa:b9:2a:
+ 86:bf:e7:e2:a8:ec:64:2a:0b:12:05:08:03:7e:d8:
+ 41:bb:23:de:29:e5:0f:9b:3b:00:2e:4f:0e:f5:31:
+ 91:ec:bd:34:02:68:6d:d7:71:a9:8c:4d:23:d2:43:
+ ae:d7:f8:e5:69:2b:ae:13:86:13:27:38:72:48:70:
+ f8:1f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 98:CF:F8:00:82:EC:D7:E9:17:4F:BD:7A:87:60:32:A5:BB:9D:B5:0E
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP4/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR2.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64544
+
+ sbgp-ipAddrBlock: critical
+ IPv6:
+ 2001:db8:0:0:0:10:0:44/128
+
+ Signature Algorithm: sha256WithRSAEncryption
+ d5:b7:00:47:e6:b8:94:45:1f:7b:52:17:86:bc:e3:6c:37:b5:
+ f8:78:15:78:f9:8f:f1:59:b0:a5:ad:1d:d8:59:d4:9b:09:38:
+ 36:95:24:3a:9a:18:bb:52:52:19:30:80:1c:08:8c:7d:0c:de:
+ d5:59:5b:19:99:6c:53:69:d6:bc:b4:8a:f6:df:90:57:29:68:
+ 4e:db:81:8a:6b:ab:c8:2a:2b:cd:ed:7e:14:09:67:83:5b:ae:
+ d8:0d:b0:05:56:e5:4b:91:ed:5e:5b:88:b5:cc:71:c4:93:4a:
+ 57:c5:d5:c2:fb:da:ef:ab:d1:96:84:6b:af:53:80:12:75:7d:
+ 6c:37:9f:8c:45:e7:8e:3b:e1:a1:20:2e:2c:78:24:0e:98:82:
+ b7:73:21:0d:9d:8e:12:3a:cc:04:ea:94:e7:7b:c5:ee:c7:66:
+ 09:ac:b6:7e:d3:07:16:2c:48:3f:f5:38:e4:12:a7:24:50:26:
+ 7d:8c:1d:07:15:9a:1d:c1:bb:7f:95:44:30:7b:3d:06:ee:10:
+ 23:be:b0:91:0c:62:77:0f:3f:f1:51:d1:5a:8a:09:0d:83:d6:
+ 90:7f:41:8e:17:03:f2:c9:04:4e:7f:fb:4d:ab:49:73:de:96:
+ fd:33:3f:23:90:5b:38:38:73:c8:9a:dc:03:2e:d7:3f:7b:c5:
+ 96:96:5c:f2
+-----BEGIN CERTIFICATE-----
+MIIDyjCCArKgAwIBAgIBDzANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBURVNU
+IEVOVElUWSBMSVIyMB4XDTA3MDgxMDAxMDcwOVoXDTA4MDgwOTAxMDcwOVowGzEZ
+MBcGA1UEAxMQVEVTVCBFTlRJVFkgSVNQNDCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALMFrfsG20mBrd9QBOAY6PH0g+YmS578LRzf4itXOEjrxBOj/WzF
+4hzVOv1m1/8u/0q3WsX0GbGNnqhJTjsgRtoI3rCccV53qRTiTCAO/8Ug+vNtOwvO
+4XK2//V1fz41rxxP4JJF8B9XzjhsPvYvlnMfYNtjjmOz8zWF6QA5krOfSmu96aAA
+yr7+J3ibRCNTVhNIfc3RATqINmZPf/Msn8fEUnUeDjxQKck54P+QTZVHVhPhMPMw
+M+4CYHCwvd07qrkqhr/n4qjsZCoLEgUIA37YQbsj3inlD5s7AC5PDvUxkey9NAJo
+bddxqYxNI9JDrtf45WkrrhOGEyc4ckhw+B8CAwEAAaOCARcwggETMA8GA1UdEwEB
+/wQFMAMBAf8wHQYDVR0OBBYEFJjP+ACC7NfpF0+9eodgMqW7nbUOMA4GA1UdDwEB
+/wQEAwIBBjBBBggrBgEFBQcBCwQ1MDMwMQYIKwYBBQUHMAWGJXJzeW5jOi8vd29t
+YmF0cy1yLXVzLmhhY3Rybi5uZXQvSVNQNC8wRAYIKwYBBQUHAQEEODA2MDQGCCsG
+AQUFBzAChihyc3luYzovL3dvbWJhdHMtci11cy5oYWN0cm4ubmV0L0xJUjIuY2Vy
+MBoGCCsGAQUFBwEIAQH/BAswCaAHMAUCAwD8IDAsBggrBgEFBQcBBwEB/wQdMBsw
+GQQCAAIwEwMRACABDbgAAAAAAAAAEAAAAEQwDQYJKoZIhvcNAQELBQADggEBANW3
+AEfmuJRFH3tSF4a842w3tfh4FXj5j/FZsKWtHdhZ1JsJODaVJDqaGLtSUhkwgBwI
+jH0M3tVZWxmZbFNp1ry0ivbfkFcpaE7bgYprq8gqK83tfhQJZ4NbrtgNsAVW5UuR
+7V5biLXMccSTSlfF1cL72u+r0ZaEa69TgBJ1fWw3n4xF54474aEgLix4JA6Ygrdz
+IQ2djhI6zATqlOd7xe7HZgmstn7TBxYsSD/1OOQSpyRQJn2MHQcVmh3Bu3+VRDB7
+PQbuECO+sJEMYncPP/FR0VqKCQ2D1pB/QY4XA/LJBE5/+02rSXPelv0zPyOQWzg4
+c8ia3AMu1z97xZaWXPI=
+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR2/10.pem b/rpkid/resource-cert-samples/LIR2/10.pem
new file mode 100644
index 00000000..a1ca8f31
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR2/10.pem
@@ -0,0 +1,89 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 16 (0x10)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR2
+ Validity
+ Not Before: Aug 10 01:07:09 2007 GMT
+ Not After : Aug 9 01:07:09 2008 GMT
+ Subject: CN=TEST ENTITY ISP3
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:d1:24:75:c1:44:29:12:9a:fe:8c:1d:1e:01:aa:
+ 05:ea:1f:47:ab:1a:8d:cf:d2:42:a1:31:7d:9c:3e:
+ 66:72:ce:2c:df:01:17:15:40:40:94:d1:ae:6d:d7:
+ ca:fd:52:d9:ec:5f:f0:64:30:a3:42:70:a1:a1:6f:
+ 05:2d:10:ee:b1:05:65:3f:f2:c1:78:84:cc:1d:66:
+ ee:35:52:c7:ae:99:76:b1:63:4d:c1:2e:24:fb:f7:
+ 43:2d:0b:21:0d:d3:d6:b7:cf:60:50:49:3d:17:53:
+ 3e:2b:f8:68:95:7e:1c:c5:e2:1e:73:06:8c:b2:53:
+ a1:70:39:d9:9e:e5:56:fc:58:d0:b3:f3:90:37:5a:
+ 6e:5a:3b:ef:05:be:f1:64:2f:31:2e:5a:58:f2:30:
+ 7a:73:52:7f:b8:0d:71:3c:63:52:17:0f:b7:07:3b:
+ c3:46:b9:9c:88:bc:73:df:14:5a:bc:16:fc:f8:79:
+ b0:a1:41:87:05:f9:52:a8:36:61:62:de:90:68:21:
+ 83:bb:8c:83:47:af:bb:82:3e:44:28:97:2b:02:a8:
+ 81:04:05:16:cd:bf:ef:9e:02:f9:54:66:2a:28:99:
+ 79:2b:b5:19:10:d4:df:35:95:f3:3f:fa:13:6a:06:
+ 6f:f5:38:28:d6:b6:0b:8a:70:5b:8d:70:8d:34:99:
+ 96:3f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ E1:97:2E:19:70:B5:7F:FC:82:4F:33:3D:6B:2C:DE:9A:9B:36:3D:7E
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP3/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR2.cer
+
+ sbgp-ipAddrBlock: critical
+ IPv6:
+ 2001:db8:0:0:0:0:0:44-2001:db8:0:0:0:0:0:100
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 46:39:56:56:54:34:70:e5:dd:f8:30:56:02:6f:45:81:e2:c3:
+ f4:1c:fa:82:1e:87:11:3f:64:28:14:22:b2:9b:6d:d0:84:ca:
+ 78:81:cb:f6:ed:45:5e:fd:7a:f8:e0:9d:a4:c9:8c:f5:a6:f8:
+ 63:a1:5d:b2:6f:e9:fd:83:1e:1b:82:a9:3a:03:f9:57:3c:81:
+ 0f:ef:6d:a6:5c:14:8f:38:49:38:c1:26:4b:d1:e5:13:94:77:
+ 63:b9:f8:7c:fc:bc:82:01:d0:f7:90:94:14:d9:32:b1:49:e3:
+ b1:e5:0f:da:8c:8e:0f:4a:e3:b1:60:38:b4:88:2f:a0:ed:68:
+ ee:f8:90:23:b1:1f:9a:6c:7a:24:12:a7:0f:57:aa:81:57:b3:
+ 37:66:79:1c:a0:9b:dc:f6:80:30:5d:02:5d:1f:9f:cb:e8:fe:
+ 4e:3d:67:85:2c:40:b4:f9:94:11:57:9c:22:4d:b0:51:83:1d:
+ bb:aa:83:a1:20:f0:ed:68:c5:82:9e:23:db:e4:ab:45:71:f6:
+ c6:fd:69:23:fb:dd:7e:cd:f8:32:49:a8:e7:42:c9:64:4b:c0:
+ e5:c2:c6:88:20:2c:df:89:82:01:f4:4d:e3:a4:fc:71:f5:a8:
+ 49:cb:88:00:48:a0:2c:19:04:ea:e9:74:b1:e4:a2:7a:63:d1:
+ 53:5d:e3:13
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR2/11.pem b/rpkid/resource-cert-samples/LIR2/11.pem
new file mode 100644
index 00000000..44471417
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR2/11.pem
@@ -0,0 +1,76 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 17 (0x11)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR2
+ Validity
+ Not Before: Aug 10 01:13:39 2007 GMT
+ Not After : Aug 9 01:13:39 2008 GMT
+ Subject: CN=TEST ENTITY ISP4
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:b3:05:ad:fb:06:db:49:81:ad:df:50:04:e0:18:
+ e8:f1:f4:83:e6:26:4b:9e:fc:2d:1c:df:e2:2b:57:
+ 38:48:eb:c4:13:a3:fd:6c:c5:e2:1c:d5:3a:fd:66:
+ d7:ff:2e:ff:4a:b7:5a:c5:f4:19:b1:8d:9e:a8:49:
+ 4e:3b:20:46:da:08:de:b0:9c:71:5e:77:a9:14:e2:
+ 4c:20:0e:ff:c5:20:fa:f3:6d:3b:0b:ce:e1:72:b6:
+ ff:f5:75:7f:3e:35:af:1c:4f:e0:92:45:f0:1f:57:
+ ce:38:6c:3e:f6:2f:96:73:1f:60:db:63:8e:63:b3:
+ f3:35:85:e9:00:39:92:b3:9f:4a:6b:bd:e9:a0:00:
+ ca:be:fe:27:78:9b:44:23:53:56:13:48:7d:cd:d1:
+ 01:3a:88:36:66:4f:7f:f3:2c:9f:c7:c4:52:75:1e:
+ 0e:3c:50:29:c9:39:e0:ff:90:4d:95:47:56:13:e1:
+ 30:f3:30:33:ee:02:60:70:b0:bd:dd:3b:aa:b9:2a:
+ 86:bf:e7:e2:a8:ec:64:2a:0b:12:05:08:03:7e:d8:
+ 41:bb:23:de:29:e5:0f:9b:3b:00:2e:4f:0e:f5:31:
+ 91:ec:bd:34:02:68:6d:d7:71:a9:8c:4d:23:d2:43:
+ ae:d7:f8:e5:69:2b:ae:13:86:13:27:38:72:48:70:
+ f8:1f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP4/
+
+ Signature Algorithm: sha256WithRSAEncryption
+ a8:55:fe:aa:11:d7:ec:08:34:d2:a3:70:f6:13:67:b5:7e:68:
+ 6e:b1:e8:3e:f6:e8:49:3f:4d:aa:86:19:01:43:2a:93:de:f3:
+ 43:06:cc:ff:bf:23:81:a4:42:50:92:cf:d9:64:de:a3:92:1c:
+ 3c:08:f3:97:6d:76:3c:b3:5f:cb:70:49:52:ec:bf:5d:c0:fc:
+ 72:4a:79:d9:19:02:96:cc:f5:3c:3d:b8:ea:b1:5a:6e:9d:17:
+ 08:d8:3e:4e:9f:d6:b6:6d:3f:0c:f5:28:ca:84:3d:65:1a:ba:
+ d5:72:52:e5:e6:01:d9:66:df:a7:42:4c:6e:76:f6:50:13:78:
+ 29:13:bd:0c:bc:a8:15:fb:9d:56:5e:cb:c2:36:86:b9:41:74:
+ 2c:79:83:06:fb:83:6b:80:56:9f:a3:b6:01:ab:58:d9:20:ba:
+ 9c:2c:47:b7:06:f0:55:18:89:02:34:e1:ae:f1:53:a2:66:5a:
+ 86:3c:2a:c2:ba:92:33:6e:18:20:2c:ae:f8:4f:bc:2f:2f:e4:
+ cc:f2:80:de:f5:2c:4d:4a:dc:29:3e:af:f9:f0:86:4a:a7:b7:
+ 3e:7a:42:11:69:5a:35:8a:5c:96:00:eb:65:d9:a8:2b:03:db:
+ fb:7e:c8:c9:dd:8c:55:b8:b6:da:58:51:a9:b6:59:60:45:6d:
+ b2:b5:64:7e
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
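Review bot: 11.pem (and 12.pem, which has the same shape) keeps `CA:TRUE` and `Certificate Sign, CRL Sign` but drops the Subject Key Identifier, Authority Information Access and every RFC 3779 resource extension that the neighbouring ISP3/ISP4 samples carry. A CA certificate with no sbgp-ipAddrBlock or sbgp-autonomousSysNum is not a usable resource certificate, so these two look like either negative test cases or output from a misconfigured extension section. Nothing in the file says which, and a test that loads the whole directory as known-good input would silently include them. If they are intentional, record that next to the samples, for example a README line such as `11.pem, 12.pem: no RFC 3779/SKI/AIA extensions; expected to fail resource validation`. Otherwise they should be regenerated or left out.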
diff --git a/rpkid/resource-cert-samples/LIR2/12.pem b/rpkid/resource-cert-samples/LIR2/12.pem
new file mode 100644
index 00000000..91e549e7
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR2/12.pem
@@ -0,0 +1,76 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 18 (0x12)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR2
+ Validity
+ Not Before: Aug 10 01:13:39 2007 GMT
+ Not After : Aug 9 01:13:39 2008 GMT
+ Subject: CN=TEST ENTITY ISP3
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:d1:24:75:c1:44:29:12:9a:fe:8c:1d:1e:01:aa:
+ 05:ea:1f:47:ab:1a:8d:cf:d2:42:a1:31:7d:9c:3e:
+ 66:72:ce:2c:df:01:17:15:40:40:94:d1:ae:6d:d7:
+ ca:fd:52:d9:ec:5f:f0:64:30:a3:42:70:a1:a1:6f:
+ 05:2d:10:ee:b1:05:65:3f:f2:c1:78:84:cc:1d:66:
+ ee:35:52:c7:ae:99:76:b1:63:4d:c1:2e:24:fb:f7:
+ 43:2d:0b:21:0d:d3:d6:b7:cf:60:50:49:3d:17:53:
+ 3e:2b:f8:68:95:7e:1c:c5:e2:1e:73:06:8c:b2:53:
+ a1:70:39:d9:9e:e5:56:fc:58:d0:b3:f3:90:37:5a:
+ 6e:5a:3b:ef:05:be:f1:64:2f:31:2e:5a:58:f2:30:
+ 7a:73:52:7f:b8:0d:71:3c:63:52:17:0f:b7:07:3b:
+ c3:46:b9:9c:88:bc:73:df:14:5a:bc:16:fc:f8:79:
+ b0:a1:41:87:05:f9:52:a8:36:61:62:de:90:68:21:
+ 83:bb:8c:83:47:af:bb:82:3e:44:28:97:2b:02:a8:
+ 81:04:05:16:cd:bf:ef:9e:02:f9:54:66:2a:28:99:
+ 79:2b:b5:19:10:d4:df:35:95:f3:3f:fa:13:6a:06:
+ 6f:f5:38:28:d6:b6:0b:8a:70:5b:8d:70:8d:34:99:
+ 96:3f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP3/
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 7c:d9:69:a5:fc:d6:93:9c:2a:ee:7e:1b:f5:86:69:22:8c:66:
+ fb:d1:97:63:65:5c:1d:7c:81:c0:ff:ce:6f:48:bd:37:14:7b:
+ a6:51:c0:8d:82:a8:a0:97:e4:9a:cd:e8:b8:f8:6c:66:78:50:
+ 69:b4:66:82:a0:a4:4d:d8:0e:44:60:92:11:49:ab:70:28:95:
+ 41:a2:6f:8f:b9:8e:45:81:6f:74:4e:14:f9:a5:b6:07:bd:12:
+ 99:f9:7b:57:9a:0c:06:52:a0:93:d4:dd:23:ab:ae:92:0f:6d:
+ 8f:76:7b:30:cd:f6:07:ee:63:ff:82:88:bf:e1:25:73:98:f4:
+ 77:b0:00:16:cc:df:47:8d:c9:54:d0:f3:6b:04:f2:f1:5e:96:
+ e6:22:9b:3b:bf:25:89:2f:60:6e:4d:1a:ae:ed:d8:79:7a:8c:
+ e6:37:ac:ec:23:60:65:d6:63:38:64:77:1e:2f:b9:17:5f:8d:
+ 02:06:43:36:01:3f:20:f5:eb:ea:f6:a3:a4:f3:7f:da:d7:ae:
+ 92:6f:fe:b1:f7:4c:8c:ef:4d:e1:06:98:43:77:de:ea:07:1a:
+ 6a:3e:75:79:c1:5e:62:f3:f2:1d:8c:5e:d3:2f:6b:a5:f0:6e:
+ 8b:da:58:97:ec:16:35:3c:a5:7a:56:8f:80:c5:97:e3:30:df:
+ ab:8d:cd:36
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR2/13.pem b/rpkid/resource-cert-samples/LIR2/13.pem
new file mode 100644
index 00000000..415517d5
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR2/13.pem
@@ -0,0 +1,93 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 19 (0x13)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR2
+ Validity
+ Not Before: Aug 10 01:15:10 2007 GMT
+ Not After : Aug 9 01:15:10 2008 GMT
+ Subject: CN=TEST ENTITY ISP4
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:b3:05:ad:fb:06:db:49:81:ad:df:50:04:e0:18:
+ e8:f1:f4:83:e6:26:4b:9e:fc:2d:1c:df:e2:2b:57:
+ 38:48:eb:c4:13:a3:fd:6c:c5:e2:1c:d5:3a:fd:66:
+ d7:ff:2e:ff:4a:b7:5a:c5:f4:19:b1:8d:9e:a8:49:
+ 4e:3b:20:46:da:08:de:b0:9c:71:5e:77:a9:14:e2:
+ 4c:20:0e:ff:c5:20:fa:f3:6d:3b:0b:ce:e1:72:b6:
+ ff:f5:75:7f:3e:35:af:1c:4f:e0:92:45:f0:1f:57:
+ ce:38:6c:3e:f6:2f:96:73:1f:60:db:63:8e:63:b3:
+ f3:35:85:e9:00:39:92:b3:9f:4a:6b:bd:e9:a0:00:
+ ca:be:fe:27:78:9b:44:23:53:56:13:48:7d:cd:d1:
+ 01:3a:88:36:66:4f:7f:f3:2c:9f:c7:c4:52:75:1e:
+ 0e:3c:50:29:c9:39:e0:ff:90:4d:95:47:56:13:e1:
+ 30:f3:30:33:ee:02:60:70:b0:bd:dd:3b:aa:b9:2a:
+ 86:bf:e7:e2:a8:ec:64:2a:0b:12:05:08:03:7e:d8:
+ 41:bb:23:de:29:e5:0f:9b:3b:00:2e:4f:0e:f5:31:
+ 91:ec:bd:34:02:68:6d:d7:71:a9:8c:4d:23:d2:43:
+ ae:d7:f8:e5:69:2b:ae:13:86:13:27:38:72:48:70:
+ f8:1f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 98:CF:F8:00:82:EC:D7:E9:17:4F:BD:7A:87:60:32:A5:BB:9D:B5:0E
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP4/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR2.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64544
+
+ sbgp-ipAddrBlock: critical
+ IPv6:
+ 2001:db8:0:0:0:10:0:44/128
+
+ Signature Algorithm: sha256WithRSAEncryption
+ c4:46:cc:b9:a5:85:42:ff:9b:32:39:a8:0f:f6:51:35:09:fa:
+ b0:a8:1c:14:4f:72:ff:2c:17:fb:ab:6a:c2:c4:48:2a:2a:fe:
+ 42:c5:c2:92:4a:37:01:b7:69:b1:6c:83:52:2d:8e:8c:aa:04:
+ 82:bb:93:64:c2:0a:a9:7f:bd:82:2a:82:e4:df:2c:0e:5c:16:
+ 12:c7:33:39:0b:f7:99:5b:f5:5d:e0:d3:f8:48:3e:ff:25:a0:
+ e2:38:bb:fe:f1:fa:44:da:54:41:b2:1a:2c:1b:41:d2:54:3e:
+ 3b:43:35:a0:71:72:ff:a8:76:03:e2:9f:78:75:45:6c:8f:5e:
+ c2:5b:4f:e7:6b:ab:66:0a:d4:6c:47:10:ab:90:c5:b2:c9:53:
+ a6:2a:a4:c2:ca:b9:b3:f1:3d:9a:75:d0:d4:94:aa:79:6d:ec:
+ 16:1a:85:91:1d:d8:4a:ef:79:88:9e:2c:96:b0:bd:33:6b:e4:
+ 21:f1:ee:68:14:4b:58:cc:11:8f:6f:05:2d:6f:c3:99:9b:e6:
+ 8f:06:6b:a6:f9:45:2f:41:9f:38:9b:c8:80:98:1f:15:02:7d:
+ f1:08:19:a5:5a:30:c1:eb:72:ee:f4:a7:c5:fa:7a:35:af:24:
+ 62:b1:54:4c:d5:4c:42:ef:fe:9e:5f:65:80:4f:42:7e:e3:7f:
+ 35:18:5c:6b
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR2/14.pem b/rpkid/resource-cert-samples/LIR2/14.pem
new file mode 100644
index 00000000..c31add0d
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR2/14.pem
@@ -0,0 +1,89 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 20 (0x14)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR2
+ Validity
+ Not Before: Aug 10 01:15:10 2007 GMT
+ Not After : Aug 9 01:15:10 2008 GMT
+ Subject: CN=TEST ENTITY ISP3
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:d1:24:75:c1:44:29:12:9a:fe:8c:1d:1e:01:aa:
+ 05:ea:1f:47:ab:1a:8d:cf:d2:42:a1:31:7d:9c:3e:
+ 66:72:ce:2c:df:01:17:15:40:40:94:d1:ae:6d:d7:
+ ca:fd:52:d9:ec:5f:f0:64:30:a3:42:70:a1:a1:6f:
+ 05:2d:10:ee:b1:05:65:3f:f2:c1:78:84:cc:1d:66:
+ ee:35:52:c7:ae:99:76:b1:63:4d:c1:2e:24:fb:f7:
+ 43:2d:0b:21:0d:d3:d6:b7:cf:60:50:49:3d:17:53:
+ 3e:2b:f8:68:95:7e:1c:c5:e2:1e:73:06:8c:b2:53:
+ a1:70:39:d9:9e:e5:56:fc:58:d0:b3:f3:90:37:5a:
+ 6e:5a:3b:ef:05:be:f1:64:2f:31:2e:5a:58:f2:30:
+ 7a:73:52:7f:b8:0d:71:3c:63:52:17:0f:b7:07:3b:
+ c3:46:b9:9c:88:bc:73:df:14:5a:bc:16:fc:f8:79:
+ b0:a1:41:87:05:f9:52:a8:36:61:62:de:90:68:21:
+ 83:bb:8c:83:47:af:bb:82:3e:44:28:97:2b:02:a8:
+ 81:04:05:16:cd:bf:ef:9e:02:f9:54:66:2a:28:99:
+ 79:2b:b5:19:10:d4:df:35:95:f3:3f:fa:13:6a:06:
+ 6f:f5:38:28:d6:b6:0b:8a:70:5b:8d:70:8d:34:99:
+ 96:3f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ E1:97:2E:19:70:B5:7F:FC:82:4F:33:3D:6B:2C:DE:9A:9B:36:3D:7E
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP3/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR2.cer
+
+ sbgp-ipAddrBlock: critical
+ IPv6:
+ 2001:db8:0:0:0:0:0:44-2001:db8:0:0:0:0:0:100
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 58:b8:cd:b3:34:ce:a2:4f:39:c1:15:09:b4:95:f8:5e:7b:23:
+ 9b:fb:42:6f:92:5a:29:ce:17:c1:99:d6:c7:39:00:43:e1:60:
+ bb:17:f5:34:df:33:86:73:77:f4:8f:6f:d5:88:1d:68:be:f8:
+ 13:fd:02:38:fa:aa:9c:39:80:1b:dc:50:72:23:d6:0a:64:55:
+ 14:78:fe:64:1a:63:53:bb:e6:78:35:88:2c:d1:7a:1b:3c:23:
+ 72:8a:a5:c0:5b:5c:7c:85:b1:26:a1:c0:ce:a9:c0:16:5d:30:
+ eb:2d:7e:69:48:57:6b:dc:34:88:56:47:99:ed:31:47:c1:3e:
+ ff:b6:9e:69:cc:68:2e:1c:4c:77:27:d4:a5:45:f9:cb:a5:21:
+ 23:46:18:20:2a:a0:7c:b9:eb:d1:d8:91:30:2e:b4:16:07:b6:
+ 9f:3a:28:71:1d:ee:f9:a7:88:59:45:78:b7:36:0e:15:f6:77:
+ e4:69:b4:b1:61:9a:5c:66:0f:c5:7c:67:d7:af:d3:24:24:4e:
+ e7:94:ce:a6:d6:3b:5a:c8:d7:49:58:93:d7:f5:41:2f:b3:9a:
+ 93:c8:6c:ec:2f:be:6a:c1:74:2a:44:bb:5c:7b:d8:16:f6:01:
+ ed:5b:e8:6b:02:48:ef:5b:57:f4:07:fd:5f:47:e6:06:38:3c:
+ a2:4b:d0:f9
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR2/15.pem b/rpkid/resource-cert-samples/LIR2/15.pem
new file mode 100644
index 00000000..8b2c9de2
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR2/15.pem
@@ -0,0 +1,93 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 21 (0x15)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR2
+ Validity
+ Not Before: Oct 19 19:06:07 2007 GMT
+ Not After : Oct 18 19:06:07 2008 GMT
+ Subject: CN=TEST ENTITY ISP4
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:b3:05:ad:fb:06:db:49:81:ad:df:50:04:e0:18:
+ e8:f1:f4:83:e6:26:4b:9e:fc:2d:1c:df:e2:2b:57:
+ 38:48:eb:c4:13:a3:fd:6c:c5:e2:1c:d5:3a:fd:66:
+ d7:ff:2e:ff:4a:b7:5a:c5:f4:19:b1:8d:9e:a8:49:
+ 4e:3b:20:46:da:08:de:b0:9c:71:5e:77:a9:14:e2:
+ 4c:20:0e:ff:c5:20:fa:f3:6d:3b:0b:ce:e1:72:b6:
+ ff:f5:75:7f:3e:35:af:1c:4f:e0:92:45:f0:1f:57:
+ ce:38:6c:3e:f6:2f:96:73:1f:60:db:63:8e:63:b3:
+ f3:35:85:e9:00:39:92:b3:9f:4a:6b:bd:e9:a0:00:
+ ca:be:fe:27:78:9b:44:23:53:56:13:48:7d:cd:d1:
+ 01:3a:88:36:66:4f:7f:f3:2c:9f:c7:c4:52:75:1e:
+ 0e:3c:50:29:c9:39:e0:ff:90:4d:95:47:56:13:e1:
+ 30:f3:30:33:ee:02:60:70:b0:bd:dd:3b:aa:b9:2a:
+ 86:bf:e7:e2:a8:ec:64:2a:0b:12:05:08:03:7e:d8:
+ 41:bb:23:de:29:e5:0f:9b:3b:00:2e:4f:0e:f5:31:
+ 91:ec:bd:34:02:68:6d:d7:71:a9:8c:4d:23:d2:43:
+ ae:d7:f8:e5:69:2b:ae:13:86:13:27:38:72:48:70:
+ f8:1f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 98:CF:F8:00:82:EC:D7:E9:17:4F:BD:7A:87:60:32:A5:BB:9D:B5:0E
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP4/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR2.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64544
+
+ sbgp-ipAddrBlock: critical
+ IPv6:
+ 2001:db8:0:0:0:10:0:44/128
+
+ Signature Algorithm: sha256WithRSAEncryption
+ d5:47:18:ec:04:c6:96:47:1d:cc:78:2c:ca:f4:89:7a:bb:9f:
+ 92:b3:3a:f0:64:2e:36:34:25:98:0d:d7:74:95:5b:2a:9d:ee:
+ 00:42:52:17:35:c9:66:b4:7c:8c:15:84:1a:35:ee:e7:9e:21:
+ 93:6e:ab:67:a1:e3:7d:66:51:47:14:cb:13:f9:ae:e3:0e:75:
+ c6:ec:34:1d:97:85:7f:a2:c0:e0:f5:c7:d6:e4:ce:67:97:46:
+ 9c:72:2d:32:27:d3:05:c9:5e:d4:67:81:c9:7c:0a:e5:16:4f:
+ 37:6d:c2:e0:2b:a1:e9:de:ce:e9:05:28:3c:98:6b:51:0b:1f:
+ d7:27:98:3e:90:8a:79:24:29:72:d6:0d:f7:db:78:16:53:bd:
+ 94:b6:04:40:37:a7:bc:ca:38:d4:eb:9a:5f:de:45:8d:1d:c7:
+ 5f:58:a6:95:eb:77:1a:b1:66:cb:f6:cc:a2:f2:34:2c:db:b2:
+ d4:71:6e:08:9e:ad:58:40:13:13:5d:2e:5d:5a:5a:f0:38:1c:
+ 51:fa:ba:2d:9c:cb:6b:3c:86:bf:b6:73:53:83:66:a0:97:f6:
+ 37:9d:37:f4:9e:82:0f:f8:be:2c:a6:28:a9:04:fa:70:bb:f8:
+ d3:6a:1a:2c:c0:c7:97:6b:d6:8a:9c:f4:50:7b:0e:26:6a:a4:
+ 05:e2:b1:0f
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR2/16.pem b/rpkid/resource-cert-samples/LIR2/16.pem
new file mode 100644
index 00000000..45d8df97
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR2/16.pem
@@ -0,0 +1,89 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 22 (0x16)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR2
+ Validity
+ Not Before: Oct 19 19:06:07 2007 GMT
+ Not After : Oct 18 19:06:07 2008 GMT
+ Subject: CN=TEST ENTITY ISP3
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:d1:24:75:c1:44:29:12:9a:fe:8c:1d:1e:01:aa:
+ 05:ea:1f:47:ab:1a:8d:cf:d2:42:a1:31:7d:9c:3e:
+ 66:72:ce:2c:df:01:17:15:40:40:94:d1:ae:6d:d7:
+ ca:fd:52:d9:ec:5f:f0:64:30:a3:42:70:a1:a1:6f:
+ 05:2d:10:ee:b1:05:65:3f:f2:c1:78:84:cc:1d:66:
+ ee:35:52:c7:ae:99:76:b1:63:4d:c1:2e:24:fb:f7:
+ 43:2d:0b:21:0d:d3:d6:b7:cf:60:50:49:3d:17:53:
+ 3e:2b:f8:68:95:7e:1c:c5:e2:1e:73:06:8c:b2:53:
+ a1:70:39:d9:9e:e5:56:fc:58:d0:b3:f3:90:37:5a:
+ 6e:5a:3b:ef:05:be:f1:64:2f:31:2e:5a:58:f2:30:
+ 7a:73:52:7f:b8:0d:71:3c:63:52:17:0f:b7:07:3b:
+ c3:46:b9:9c:88:bc:73:df:14:5a:bc:16:fc:f8:79:
+ b0:a1:41:87:05:f9:52:a8:36:61:62:de:90:68:21:
+ 83:bb:8c:83:47:af:bb:82:3e:44:28:97:2b:02:a8:
+ 81:04:05:16:cd:bf:ef:9e:02:f9:54:66:2a:28:99:
+ 79:2b:b5:19:10:d4:df:35:95:f3:3f:fa:13:6a:06:
+ 6f:f5:38:28:d6:b6:0b:8a:70:5b:8d:70:8d:34:99:
+ 96:3f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ E1:97:2E:19:70:B5:7F:FC:82:4F:33:3D:6B:2C:DE:9A:9B:36:3D:7E
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP3/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR2.cer
+
+ sbgp-ipAddrBlock: critical
+ IPv6:
+ 2001:db8:0:0:0:0:0:44-2001:db8:0:0:0:0:0:100
+
+ Signature Algorithm: sha256WithRSAEncryption
+ c9:f3:8e:d8:05:88:2d:19:ef:5d:2a:09:16:52:73:01:fa:86:
+ 22:a6:ec:1c:27:02:13:5c:0e:25:8f:0a:8b:da:a9:d3:5b:68:
+ db:54:0f:6b:28:47:3e:cf:16:e8:15:d1:01:eb:c0:f3:30:f5:
+ 8b:62:3c:29:97:be:29:45:2d:60:36:04:eb:cc:38:24:8f:eb:
+ 2c:5b:e9:c0:36:ff:a9:22:b3:6b:f5:fb:e9:a9:69:71:c5:f2:
+ 41:64:a4:2f:1f:b4:ad:56:01:c3:d9:02:c6:b8:88:de:fb:9a:
+ fd:31:95:47:87:ba:97:7c:3c:0c:7d:ad:31:3f:0f:67:66:b7:
+ c3:15:46:7c:7b:2c:8d:3d:82:2b:6f:85:91:97:9d:9c:4e:f1:
+ 0d:92:d6:5e:48:ed:d6:94:f5:e5:ad:17:09:38:af:97:1f:0d:
+ af:b3:f1:f1:88:37:83:05:c0:1b:d7:32:5d:4a:9e:ae:ae:05:
+ db:a5:51:e2:20:a3:88:29:73:ac:9d:31:f0:20:79:5f:e1:95:
+ cb:79:68:bf:36:16:61:71:db:05:57:92:d1:cc:f4:6d:99:a8:
+ 8b:14:8f:40:03:0b:91:7e:68:42:3a:ab:fd:de:1c:4b:3c:33:
+ 0e:2f:89:be:67:28:a8:e5:47:cd:c5:dc:26:1b:d2:fe:22:7b:
+ 7c:75:7f:9b
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR2/17.pem b/rpkid/resource-cert-samples/LIR2/17.pem
new file mode 100644
index 00000000..881741df
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR2/17.pem
@@ -0,0 +1,93 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 23 (0x17)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR2
+ Validity
+ Not Before: Oct 29 16:03:52 2007 GMT
+ Not After : Oct 28 16:03:52 2008 GMT
+ Subject: CN=TEST ENTITY ISP4
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:b3:05:ad:fb:06:db:49:81:ad:df:50:04:e0:18:
+ e8:f1:f4:83:e6:26:4b:9e:fc:2d:1c:df:e2:2b:57:
+ 38:48:eb:c4:13:a3:fd:6c:c5:e2:1c:d5:3a:fd:66:
+ d7:ff:2e:ff:4a:b7:5a:c5:f4:19:b1:8d:9e:a8:49:
+ 4e:3b:20:46:da:08:de:b0:9c:71:5e:77:a9:14:e2:
+ 4c:20:0e:ff:c5:20:fa:f3:6d:3b:0b:ce:e1:72:b6:
+ ff:f5:75:7f:3e:35:af:1c:4f:e0:92:45:f0:1f:57:
+ ce:38:6c:3e:f6:2f:96:73:1f:60:db:63:8e:63:b3:
+ f3:35:85:e9:00:39:92:b3:9f:4a:6b:bd:e9:a0:00:
+ ca:be:fe:27:78:9b:44:23:53:56:13:48:7d:cd:d1:
+ 01:3a:88:36:66:4f:7f:f3:2c:9f:c7:c4:52:75:1e:
+ 0e:3c:50:29:c9:39:e0:ff:90:4d:95:47:56:13:e1:
+ 30:f3:30:33:ee:02:60:70:b0:bd:dd:3b:aa:b9:2a:
+ 86:bf:e7:e2:a8:ec:64:2a:0b:12:05:08:03:7e:d8:
+ 41:bb:23:de:29:e5:0f:9b:3b:00:2e:4f:0e:f5:31:
+ 91:ec:bd:34:02:68:6d:d7:71:a9:8c:4d:23:d2:43:
+ ae:d7:f8:e5:69:2b:ae:13:86:13:27:38:72:48:70:
+ f8:1f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 98:CF:F8:00:82:EC:D7:E9:17:4F:BD:7A:87:60:32:A5:BB:9D:B5:0E
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP4/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR2.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64544
+
+ sbgp-ipAddrBlock: critical
+ IPv6:
+ 2001:db8:0:0:0:10:0:44/128
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 16:93:aa:d0:4e:99:13:31:ad:92:a7:ed:88:46:05:31:3e:ea:
+ 46:16:93:44:64:30:98:c3:20:62:b6:f4:05:e8:f5:ca:2d:46:
+ 65:6b:d0:47:24:cf:aa:95:56:6c:61:22:ce:38:8a:3c:33:6e:
+ ef:2e:f6:f0:6f:35:47:7e:bb:c9:97:be:da:87:38:9c:dd:d4:
+ 2f:b1:0a:43:c0:60:65:92:aa:c1:a7:6b:4a:b0:bd:65:e8:89:
+ f1:20:0e:02:f5:31:79:aa:32:9e:fb:e2:c6:0f:43:58:e5:3b:
+ 41:10:8c:8b:2b:64:0b:10:68:6e:a5:f1:b2:8c:38:be:b5:5b:
+ 82:df:af:17:58:ff:fc:37:ee:fe:9b:37:53:2c:d7:90:01:d3:
+ c5:38:8b:5f:85:bd:02:3e:00:1f:e1:e4:75:19:ad:e2:d3:5f:
+ eb:48:32:e6:82:79:fc:36:cf:9e:dc:aa:13:f4:36:69:87:e0:
+ f3:4e:d1:21:2d:f6:04:d1:c0:37:55:5e:2f:58:b3:65:49:ed:
+ 24:96:33:9a:fe:d9:ba:a8:61:ab:45:2f:95:8d:39:33:17:15:
+ c1:bf:26:01:79:40:43:1b:50:40:0d:98:39:5a:d5:2b:af:9f:
+ fd:8a:5d:b6:20:01:c6:0f:03:00:d5:39:75:f7:24:62:9c:bf:
+ 6b:a5:f8:a8
+-----BEGIN CERTIFICATE-----
+MIIDyjCCArKgAwIBAgIBFzANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBURVNU
+IEVOVElUWSBMSVIyMB4XDTA3MTAyOTE2MDM1MloXDTA4MTAyODE2MDM1MlowGzEZ
+MBcGA1UEAxMQVEVTVCBFTlRJVFkgSVNQNDCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALMFrfsG20mBrd9QBOAY6PH0g+YmS578LRzf4itXOEjrxBOj/WzF
+4hzVOv1m1/8u/0q3WsX0GbGNnqhJTjsgRtoI3rCccV53qRTiTCAO/8Ug+vNtOwvO
+4XK2//V1fz41rxxP4JJF8B9XzjhsPvYvlnMfYNtjjmOz8zWF6QA5krOfSmu96aAA
+yr7+J3ibRCNTVhNIfc3RATqINmZPf/Msn8fEUnUeDjxQKck54P+QTZVHVhPhMPMw
+M+4CYHCwvd07qrkqhr/n4qjsZCoLEgUIA37YQbsj3inlD5s7AC5PDvUxkey9NAJo
+bddxqYxNI9JDrtf45WkrrhOGEyc4ckhw+B8CAwEAAaOCARcwggETMA8GA1UdEwEB
+/wQFMAMBAf8wHQYDVR0OBBYEFJjP+ACC7NfpF0+9eodgMqW7nbUOMA4GA1UdDwEB
+/wQEAwIBBjBBBggrBgEFBQcBCwQ1MDMwMQYIKwYBBQUHMAWGJXJzeW5jOi8vd29t
+YmF0cy1yLXVzLmhhY3Rybi5uZXQvSVNQNC8wRAYIKwYBBQUHAQEEODA2MDQGCCsG
+AQUFBzAChihyc3luYzovL3dvbWJhdHMtci11cy5oYWN0cm4ubmV0L0xJUjIuY2Vy
+MBoGCCsGAQUFBwEIAQH/BAswCaAHMAUCAwD8IDAsBggrBgEFBQcBBwEB/wQdMBsw
+GQQCAAIwEwMRACABDbgAAAAAAAAAEAAAAEQwDQYJKoZIhvcNAQELBQADggEBABaT
+qtBOmRMxrZKn7YhGBTE+6kYWk0RkMJjDIGK29AXo9cotRmVr0Eckz6qVVmxhIs44
+ijwzbu8u9vBvNUd+u8mXvtqHOJzd1C+xCkPAYGWSqsGna0qwvWXoifEgDgL1MXmq
+Mp774sYPQ1jlO0EQjIsrZAsQaG6l8bKMOL61W4LfrxdY//w37v6bN1Ms15AB08U4
+i1+FvQI+AB/h5HUZreLTX+tIMuaCefw2z57cqhP0NmmH4PNO0SEt9gTRwDdVXi9Y
+s2VJ7SSWM5r+2bqoYatFL5WNOTMXFcG/JgF5QEMbUEANmDla1Suvn/2KXbYgAcYP
+AwDVOXX3JGKcv2ul+Kg=
+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR2/18.pem b/rpkid/resource-cert-samples/LIR2/18.pem
new file mode 100644
index 00000000..d3d0cfac
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR2/18.pem
@@ -0,0 +1,89 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 24 (0x18)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR2
+ Validity
+ Not Before: Oct 29 16:03:52 2007 GMT
+ Not After : Oct 28 16:03:52 2008 GMT
+ Subject: CN=TEST ENTITY ISP3
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:d1:24:75:c1:44:29:12:9a:fe:8c:1d:1e:01:aa:
+ 05:ea:1f:47:ab:1a:8d:cf:d2:42:a1:31:7d:9c:3e:
+ 66:72:ce:2c:df:01:17:15:40:40:94:d1:ae:6d:d7:
+ ca:fd:52:d9:ec:5f:f0:64:30:a3:42:70:a1:a1:6f:
+ 05:2d:10:ee:b1:05:65:3f:f2:c1:78:84:cc:1d:66:
+ ee:35:52:c7:ae:99:76:b1:63:4d:c1:2e:24:fb:f7:
+ 43:2d:0b:21:0d:d3:d6:b7:cf:60:50:49:3d:17:53:
+ 3e:2b:f8:68:95:7e:1c:c5:e2:1e:73:06:8c:b2:53:
+ a1:70:39:d9:9e:e5:56:fc:58:d0:b3:f3:90:37:5a:
+ 6e:5a:3b:ef:05:be:f1:64:2f:31:2e:5a:58:f2:30:
+ 7a:73:52:7f:b8:0d:71:3c:63:52:17:0f:b7:07:3b:
+ c3:46:b9:9c:88:bc:73:df:14:5a:bc:16:fc:f8:79:
+ b0:a1:41:87:05:f9:52:a8:36:61:62:de:90:68:21:
+ 83:bb:8c:83:47:af:bb:82:3e:44:28:97:2b:02:a8:
+ 81:04:05:16:cd:bf:ef:9e:02:f9:54:66:2a:28:99:
+ 79:2b:b5:19:10:d4:df:35:95:f3:3f:fa:13:6a:06:
+ 6f:f5:38:28:d6:b6:0b:8a:70:5b:8d:70:8d:34:99:
+ 96:3f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ E1:97:2E:19:70:B5:7F:FC:82:4F:33:3D:6B:2C:DE:9A:9B:36:3D:7E
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP3/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR2.cer
+
+ sbgp-ipAddrBlock: critical
+ IPv6:
+ 2001:db8:0:0:0:0:0:44-2001:db8:0:0:0:0:0:100
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 1f:e4:62:d3:16:47:b1:20:de:bd:de:98:ec:ec:0e:8f:89:3e:
+ 61:c7:4c:40:6f:4c:41:e8:f6:e7:b1:c1:f3:09:5a:6d:e6:53:
+ 62:fd:44:de:d5:42:01:73:d6:5c:ca:39:dc:97:8d:2c:29:83:
+ 4a:a3:09:dd:dc:44:9b:12:6e:d7:be:93:e0:2e:d2:a4:6f:16:
+ 1c:4a:e7:fc:3d:d9:5a:59:95:2f:6c:54:a5:cb:25:82:9b:4f:
+ ed:3e:24:13:5b:38:69:37:dc:f2:58:1b:c9:b0:74:a7:12:36:
+ b4:23:b7:db:63:bb:ff:3e:bd:82:e2:b4:bf:1c:13:22:2a:b8:
+ 5a:cc:f2:4c:55:e0:48:36:fe:07:62:b7:8a:3a:4e:51:19:7c:
+ 0d:1b:19:0c:83:28:45:e4:c1:9b:b7:bd:4a:9c:eb:f4:90:87:
+ 83:39:7c:b2:cf:4d:78:2a:2b:b4:e7:4f:ee:63:54:13:5a:ac:
+ 1e:82:c0:e4:3d:7d:a3:40:6d:a0:22:64:25:e8:af:5d:e9:f6:
+ 85:1a:a7:98:e0:77:f4:94:03:3c:84:62:e0:f1:be:f5:e4:53:
+ aa:0c:b9:24:19:b4:92:e1:05:4b:eb:16:ab:3c:3d:cc:60:c2:
+ ce:69:d5:66:4a:29:12:72:3e:85:f7:06:97:f3:b4:ba:26:5a:
+ d1:f5:2c:a8
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR2/19.pem b/rpkid/resource-cert-samples/LIR2/19.pem
new file mode 100644
index 00000000..b8a5574d
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR2/19.pem
@@ -0,0 +1,93 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 25 (0x19)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR2
+ Validity
+ Not Before: Oct 29 16:32:34 2007 GMT
+ Not After : Oct 28 16:32:34 2008 GMT
+ Subject: CN=TEST ENTITY ISP4
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:b3:05:ad:fb:06:db:49:81:ad:df:50:04:e0:18:
+ e8:f1:f4:83:e6:26:4b:9e:fc:2d:1c:df:e2:2b:57:
+ 38:48:eb:c4:13:a3:fd:6c:c5:e2:1c:d5:3a:fd:66:
+ d7:ff:2e:ff:4a:b7:5a:c5:f4:19:b1:8d:9e:a8:49:
+ 4e:3b:20:46:da:08:de:b0:9c:71:5e:77:a9:14:e2:
+ 4c:20:0e:ff:c5:20:fa:f3:6d:3b:0b:ce:e1:72:b6:
+ ff:f5:75:7f:3e:35:af:1c:4f:e0:92:45:f0:1f:57:
+ ce:38:6c:3e:f6:2f:96:73:1f:60:db:63:8e:63:b3:
+ f3:35:85:e9:00:39:92:b3:9f:4a:6b:bd:e9:a0:00:
+ ca:be:fe:27:78:9b:44:23:53:56:13:48:7d:cd:d1:
+ 01:3a:88:36:66:4f:7f:f3:2c:9f:c7:c4:52:75:1e:
+ 0e:3c:50:29:c9:39:e0:ff:90:4d:95:47:56:13:e1:
+ 30:f3:30:33:ee:02:60:70:b0:bd:dd:3b:aa:b9:2a:
+ 86:bf:e7:e2:a8:ec:64:2a:0b:12:05:08:03:7e:d8:
+ 41:bb:23:de:29:e5:0f:9b:3b:00:2e:4f:0e:f5:31:
+ 91:ec:bd:34:02:68:6d:d7:71:a9:8c:4d:23:d2:43:
+ ae:d7:f8:e5:69:2b:ae:13:86:13:27:38:72:48:70:
+ f8:1f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 98:CF:F8:00:82:EC:D7:E9:17:4F:BD:7A:87:60:32:A5:BB:9D:B5:0E
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP4/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR2.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64544
+
+ sbgp-ipAddrBlock: critical
+ IPv6:
+ 2001:db8:0:0:0:10:0:44/128
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 7d:61:80:4e:39:a7:2f:32:90:94:a0:93:18:80:b5:2c:28:44:
+ ab:84:74:d5:e2:94:b6:7a:b2:1a:ae:54:f1:61:53:c8:b1:fc:
+ cc:96:0e:44:b3:62:a1:05:a0:e4:d5:ad:0b:96:86:53:0e:f9:
+ 17:04:e5:30:ab:21:20:3e:91:66:30:08:a4:c2:4e:14:a6:80:
+ 41:90:0c:a6:d6:14:43:0e:2b:60:55:8f:01:64:d6:72:24:43:
+ e9:b1:67:6b:da:a1:fe:93:0d:03:85:bb:49:49:13:13:70:db:
+ a7:a8:70:e5:93:12:7c:4d:fe:ba:d0:13:f4:7e:23:c7:2c:ea:
+ 7b:a1:2a:75:39:39:ba:b3:58:ec:c6:8e:89:ce:6b:3e:d0:0d:
+ 90:e5:e0:ef:41:f8:0b:5c:0a:cf:ec:3d:1e:c7:33:ad:2a:57:
+ 34:cc:77:2a:f7:e6:7c:73:f0:79:c0:34:d1:a5:07:f6:fb:66:
+ 4a:c4:1f:72:51:30:e5:af:9a:f6:63:da:8d:b3:90:b5:62:9e:
+ 53:ff:29:77:50:2f:6c:cc:86:80:e9:3a:a9:eb:4b:d2:bf:d0:
+ c0:77:4f:9e:ed:57:7a:0d:f9:65:93:87:5a:f4:a9:35:8c:4d:
+ 19:d0:56:a0:36:38:51:5d:52:54:a5:1f:ce:6f:30:7c:27:71:
+ da:42:79:8e
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR2/1A.pem b/rpkid/resource-cert-samples/LIR2/1A.pem
new file mode 100644
index 00000000..e8e63c2a
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR2/1A.pem
@@ -0,0 +1,89 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 26 (0x1a)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR2
+ Validity
+ Not Before: Oct 29 16:32:34 2007 GMT
+ Not After : Oct 28 16:32:34 2008 GMT
+ Subject: CN=TEST ENTITY ISP3
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:d1:24:75:c1:44:29:12:9a:fe:8c:1d:1e:01:aa:
+ 05:ea:1f:47:ab:1a:8d:cf:d2:42:a1:31:7d:9c:3e:
+ 66:72:ce:2c:df:01:17:15:40:40:94:d1:ae:6d:d7:
+ ca:fd:52:d9:ec:5f:f0:64:30:a3:42:70:a1:a1:6f:
+ 05:2d:10:ee:b1:05:65:3f:f2:c1:78:84:cc:1d:66:
+ ee:35:52:c7:ae:99:76:b1:63:4d:c1:2e:24:fb:f7:
+ 43:2d:0b:21:0d:d3:d6:b7:cf:60:50:49:3d:17:53:
+ 3e:2b:f8:68:95:7e:1c:c5:e2:1e:73:06:8c:b2:53:
+ a1:70:39:d9:9e:e5:56:fc:58:d0:b3:f3:90:37:5a:
+ 6e:5a:3b:ef:05:be:f1:64:2f:31:2e:5a:58:f2:30:
+ 7a:73:52:7f:b8:0d:71:3c:63:52:17:0f:b7:07:3b:
+ c3:46:b9:9c:88:bc:73:df:14:5a:bc:16:fc:f8:79:
+ b0:a1:41:87:05:f9:52:a8:36:61:62:de:90:68:21:
+ 83:bb:8c:83:47:af:bb:82:3e:44:28:97:2b:02:a8:
+ 81:04:05:16:cd:bf:ef:9e:02:f9:54:66:2a:28:99:
+ 79:2b:b5:19:10:d4:df:35:95:f3:3f:fa:13:6a:06:
+ 6f:f5:38:28:d6:b6:0b:8a:70:5b:8d:70:8d:34:99:
+ 96:3f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ E1:97:2E:19:70:B5:7F:FC:82:4F:33:3D:6B:2C:DE:9A:9B:36:3D:7E
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP3/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR2.cer
+
+ sbgp-ipAddrBlock: critical
+ IPv6:
+ 2001:db8:0:0:0:0:0:44-2001:db8:0:0:0:0:0:100
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 01:16:7e:4c:bd:b7:d8:6c:23:58:7f:26:76:ac:97:37:06:64:
+ 2d:a8:66:59:65:d3:9a:1c:d6:79:11:d3:e9:87:cc:1f:a9:9d:
+ 8b:74:1e:f0:b7:47:58:e9:40:e0:d5:29:2b:1f:5b:89:72:2c:
+ fe:ca:cf:8a:04:e6:3e:e8:d9:f6:26:15:18:c4:67:10:c4:a8:
+ 13:59:1b:cc:04:e8:96:a9:68:c8:90:54:e9:16:16:c0:7f:dd:
+ 1a:7d:5a:af:82:26:70:ff:c4:34:3f:d6:f3:3e:0b:45:61:f9:
+ a4:5e:59:b9:cf:6b:6b:32:f1:8d:2e:4f:78:de:ac:0d:5f:1e:
+ b0:59:b2:a9:c5:a4:cc:48:87:50:6c:8d:7d:41:ef:cd:68:4d:
+ 3b:e7:a9:f2:2d:50:ad:7e:d0:84:51:03:55:b6:a3:f1:e3:0a:
+ 46:f8:e7:23:b6:7b:76:5d:8b:13:a5:14:ac:07:e5:9c:13:df:
+ 6f:b2:a0:48:3d:00:3e:f0:16:7f:6d:b4:c0:e7:1f:8d:86:7b:
+ 9e:6e:31:17:22:98:d4:53:82:6b:21:01:d2:82:10:9f:43:fc:
+ c5:df:92:56:b9:eb:10:44:dc:46:58:82:3b:05:54:14:58:e1:
+ 2c:f8:2f:ca:e3:54:0b:d1:f1:87:5a:67:9f:3b:b3:a7:28:b3:
+ bb:5b:bf:1c
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR2/index b/rpkid/resource-cert-samples/LIR2/index
new file mode 100644
index 00000000..50320ebe
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR2/index
@@ -0,0 +1,26 @@
+V 080731054527Z 01 unknown /CN=TEST ENTITY ISP4
+V 080731054528Z 02 unknown /CN=TEST ENTITY ISP3
+V 080731140529Z 03 unknown /CN=TEST ENTITY ISP4
+V 080731140529Z 04 unknown /CN=TEST ENTITY ISP3
+V 080731140829Z 05 unknown /CN=TEST ENTITY ISP4
+V 080731140829Z 06 unknown /CN=TEST ENTITY ISP3
+V 080731140935Z 07 unknown /CN=TEST ENTITY ISP4
+V 080731140935Z 08 unknown /CN=TEST ENTITY ISP3
+V 080731144822Z 09 unknown /CN=TEST ENTITY ISP4
+V 080731144822Z 0A unknown /CN=TEST ENTITY ISP3
+V 080809005817Z 0B unknown /CN=TEST ENTITY ISP4
+V 080809005818Z 0C unknown /CN=TEST ENTITY ISP3
+V 080809010231Z 0D unknown /CN=TEST ENTITY ISP4
+V 080809010231Z 0E unknown /CN=TEST ENTITY ISP3
+V 080809010709Z 0F unknown /CN=TEST ENTITY ISP4
+V 080809010709Z 10 unknown /CN=TEST ENTITY ISP3
+V 080809011339Z 11 unknown /CN=TEST ENTITY ISP4
+V 080809011339Z 12 unknown /CN=TEST ENTITY ISP3
+V 080809011510Z 13 unknown /CN=TEST ENTITY ISP4
+V 080809011510Z 14 unknown /CN=TEST ENTITY ISP3
+V 081018190607Z 15 unknown /CN=TEST ENTITY ISP4
+V 081018190607Z 16 unknown /CN=TEST ENTITY ISP3
+V 081028160352Z 17 unknown /CN=TEST ENTITY ISP4
+V 081028160352Z 18 unknown /CN=TEST ENTITY ISP3
+V 081028163234Z 19 unknown /CN=TEST ENTITY ISP4
+V 081028163234Z 1A unknown /CN=TEST ENTITY ISP3
diff --git a/rpkid/resource-cert-samples/LIR2/index.attr b/rpkid/resource-cert-samples/LIR2/index.attr
new file mode 100644
index 00000000..3a7e39e6
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR2/index.attr
@@ -0,0 +1 @@
+unique_subject = no
diff --git a/rpkid/resource-cert-samples/LIR2/index.attr.old b/rpkid/resource-cert-samples/LIR2/index.attr.old
new file mode 100644
index 00000000..3a7e39e6
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR2/index.attr.old
@@ -0,0 +1 @@
+unique_subject = no
diff --git a/rpkid/resource-cert-samples/LIR2/index.old b/rpkid/resource-cert-samples/LIR2/index.old
new file mode 100644
index 00000000..219f32cb
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR2/index.old
@@ -0,0 +1,25 @@
+V 080731054527Z 01 unknown /CN=TEST ENTITY ISP4
+V 080731054528Z 02 unknown /CN=TEST ENTITY ISP3
+V 080731140529Z 03 unknown /CN=TEST ENTITY ISP4
+V 080731140529Z 04 unknown /CN=TEST ENTITY ISP3
+V 080731140829Z 05 unknown /CN=TEST ENTITY ISP4
+V 080731140829Z 06 unknown /CN=TEST ENTITY ISP3
+V 080731140935Z 07 unknown /CN=TEST ENTITY ISP4
+V 080731140935Z 08 unknown /CN=TEST ENTITY ISP3
+V 080731144822Z 09 unknown /CN=TEST ENTITY ISP4
+V 080731144822Z 0A unknown /CN=TEST ENTITY ISP3
+V 080809005817Z 0B unknown /CN=TEST ENTITY ISP4
+V 080809005818Z 0C unknown /CN=TEST ENTITY ISP3
+V 080809010231Z 0D unknown /CN=TEST ENTITY ISP4
+V 080809010231Z 0E unknown /CN=TEST ENTITY ISP3
+V 080809010709Z 0F unknown /CN=TEST ENTITY ISP4
+V 080809010709Z 10 unknown /CN=TEST ENTITY ISP3
+V 080809011339Z 11 unknown /CN=TEST ENTITY ISP4
+V 080809011339Z 12 unknown /CN=TEST ENTITY ISP3
+V 080809011510Z 13 unknown /CN=TEST ENTITY ISP4
+V 080809011510Z 14 unknown /CN=TEST ENTITY ISP3
+V 081018190607Z 15 unknown /CN=TEST ENTITY ISP4
+V 081018190607Z 16 unknown /CN=TEST ENTITY ISP3
+V 081028160352Z 17 unknown /CN=TEST ENTITY ISP4
+V 081028160352Z 18 unknown /CN=TEST ENTITY ISP3
+V 081028163234Z 19 unknown /CN=TEST ENTITY ISP4
diff --git a/rpkid/resource-cert-samples/LIR2/serial b/rpkid/resource-cert-samples/LIR2/serial
new file mode 100644
index 00000000..8787ed81
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR2/serial
@@ -0,0 +1 @@
+1B
diff --git a/rpkid/resource-cert-samples/LIR2/serial.old b/rpkid/resource-cert-samples/LIR2/serial.old
new file mode 100644
index 00000000..268de3f3
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR2/serial.old
@@ -0,0 +1 @@
+1A
diff --git a/rpkid/resource-cert-samples/LIR3.cer b/rpkid/resource-cert-samples/LIR3.cer
new file mode 100644
index 00000000..c466f22e
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR3.cer
@@ -0,0 +1,98 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 48 (0x30)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Oct 29 16:32:33 2007 GMT
+ Not After : Oct 28 16:32:33 2008 GMT
+ Subject: CN=TEST ENTITY LIR3
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:a3:21:57:61:64:af:11:18:d4:cb:de:a6:dc:ad:
+ d9:2c:0f:0f:58:9f:7e:c8:85:55:11:26:4c:7c:f0:
+ 6b:68:1a:9e:6a:0c:8f:e6:dc:3d:83:58:2a:cc:77:
+ ac:19:73:6f:5a:f3:6e:24:ac:cd:1a:dc:1d:0b:4c:
+ 44:f5:6d:8b:0a:17:3d:86:f9:e8:fe:e6:60:e5:9f:
+ 40:6a:e5:94:e8:9a:56:17:17:1c:ab:c1:8c:37:40:
+ 2b:55:bf:2c:5e:dc:8d:ca:25:7f:8a:5f:ee:fb:16:
+ 86:eb:e0:08:d3:26:e5:e3:70:c5:0c:6b:fb:1b:8f:
+ 6b:5c:f6:e2:4a:58:a5:35:01:ea:05:1b:3e:ce:84:
+ be:b5:3f:6d:18:16:4b:68:e5:79:4c:88:7d:b6:a5:
+ 65:a3:3a:c2:32:dc:ad:8f:8a:05:ee:f6:e9:7a:80:
+ da:12:a9:0f:5a:b5:d2:d3:31:ac:3e:d3:19:25:2d:
+ 28:de:79:6c:ce:fd:77:66:d5:e3:2f:a9:cb:f9:85:
+ 8c:20:bb:a2:86:23:f0:93:95:20:04:78:c7:c7:07:
+ a6:fe:f0:f4:45:bb:cf:78:2b:dd:ce:9c:08:a5:46:
+ 68:10:4c:d7:05:62:6c:86:5a:2d:7f:06:38:c2:4d:
+ bb:44:87:00:43:79:d2:8f:f3:6b:b2:f4:5c:1c:b9:
+ 68:01
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 98:BE:04:FF:80:D1:AB:95:39:AA:3D:F2:0E:67:7D:00:AD:A3:FD:C5
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/LIR3/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/RIR.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64534-64540
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 10.0.0.0/24
+ 10.3.0.0/24
+ IPv6:
+ 2001:db8:0:0:0:0:a00::/120
+ 2001:db8:0:0:0:0:a03::/120
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 18:25:58:2e:ac:98:93:f2:ce:b9:cf:fe:31:1d:4e:a4:64:bc:
+ f6:59:19:88:af:01:cb:72:68:04:4a:41:5f:d6:dc:86:f6:c3:
+ a3:83:06:ba:96:4c:fd:eb:26:a5:5d:64:07:08:fa:87:94:df:
+ 00:b2:44:2e:dd:23:f6:cb:6b:80:b4:65:3d:61:e1:4c:3f:de:
+ db:a1:90:0f:da:0d:f1:cc:7c:72:1d:0e:07:50:87:3b:76:4b:
+ 17:06:67:b8:a4:65:4e:94:7c:1e:e0:3f:99:3f:90:8e:9a:c5:
+ 42:6f:35:bb:78:48:6b:0f:83:59:b9:57:70:94:dc:ad:d9:c4:
+ c0:bb:72:9c:c4:0d:e9:d8:69:7b:f1:dc:72:52:95:38:3c:6c:
+ c0:ed:e9:19:f3:48:9c:e5:60:d9:46:55:66:ab:b2:fb:bd:cd:
+ f0:c3:43:eb:48:1a:86:1f:71:6a:b6:11:65:e2:88:43:ab:4e:
+ 69:a3:a7:ba:5c:09:f6:30:c5:93:f3:6a:72:be:9a:cf:5f:ba:
+ ea:3a:76:4f:43:03:13:12:4f:a6:ca:ed:c5:09:2f:2d:be:4a:
+ 02:50:05:7d:f5:2c:61:af:1b:79:31:ad:b1:3b:4c:61:b0:99:
+ 9f:95:19:ab:71:5f:b0:df:0f:9b:bf:38:42:a6:38:b3:a8:e8:
+ 2c:c1:68:13
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR3.cnf b/rpkid/resource-cert-samples/LIR3.cnf
new file mode 100644
index 00000000..0f65ce12
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR3.cnf
@@ -0,0 +1,64 @@
+# Automatically generated, do not edit.
+
+[ ca ]
+default_ca = ca_default
+
+[ ca_default ]
+certificate = LIR3.cer
+serial = LIR3/serial
+private_key = LIR3.key
+database = LIR3/index
+new_certs_dir = LIR3
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 365
+default_crl_days = 30
+default_md = sha256
+preserve = no
+copy_extensions = copy
+policy = ca_policy_anything
+unique_subject = no
+x509_extensions = ca_x509_ext
+crl_extensions = crl_x509_ext
+
+[ ca_policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+givenName = optional
+surname = optional
+
+[ req ]
+default_bits = 2048
+encrypt_key = no
+distinguished_name = req_dn
+req_extensions = req_x509_ext
+prompt = no
+
+[ req_dn ]
+CN = TEST ENTITY LIR3
+
+[ req_x509_ext ]
+basicConstraints = critical,CA:true
+subjectKeyIdentifier = hash
+keyUsage = critical,keyCertSign,cRLSign
+subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombats-r-us.hactrn.net/LIR3/
+authorityInfoAccess = caIssuers;URI:rsync://wombats-r-us.hactrn.net/RIR.cer
+sbgp-autonomousSysNum = critical,AS:64534-64540
+sbgp-ipAddrBlock = critical,IPv4:10.0.0.0/24,IPv4:10.3.0.0/24,IPv6:2001:db8::a00:0/120,IPv6:2001:db8::a03:0/120
+
+[ ca_x509_ext ]
+basicConstraints = critical,CA:true
+authorityKeyIdentifier = keyid:always
+keyUsage = critical,keyCertSign,cRLSign
+subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombats-r-us.hactrn.net/LIR3/
+authorityInfoAccess = caIssuers;URI:rsync://wombats-r-us.hactrn.net/RIR.cer
+sbgp-autonomousSysNum = critical,AS:64534-64540
+sbgp-ipAddrBlock = critical,IPv4:10.0.0.0/24,IPv4:10.3.0.0/24,IPv6:2001:db8::a00:0/120,IPv6:2001:db8::a03:0/120
+
+[ crl_x509_ext ]
+authorityKeyIdentifier = keyid:always
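Review bot: `copy_extensions = copy` with `policy = ca_policy_anything` means any extension in a request that the signing section does not set itself is copied into the issued certificate, and nothing in this config compares a requested `sbgp-ipAddrBlock` or `sbgp-autonomousSysNum` with the issuer's own resources. OpenSSL's `ca` documentation flags this option as one to use with caution for that reason. `encrypt_key = no` in `[ req ]` also means the matching private key is written without a passphrase. The file is marked as automatically generated, so the comment belongs in the generator's template, for example `# sample generation only: request extensions are copied unchecked, keys are unencrypted`.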
diff --git a/rpkid/resource-cert-samples/LIR3.key b/rpkid/resource-cert-samples/LIR3.key
new file mode 100644
index 00000000..d4d89f21
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR3.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAoyFXYWSvERjUy96m3K3ZLA8PWJ9+yIVVESZMfPBraBqeagyP
+5tw9g1gqzHesGXNvWvNuJKzNGtwdC0xE9W2LChc9hvno/uZg5Z9AauWU6JpWFxcc
+q8GMN0ArVb8sXtyNyiV/il/u+xaG6+AI0ybl43DFDGv7G49rXPbiSlilNQHqBRs+
+zoS+tT9tGBZLaOV5TIh9tqVlozrCMtytj4oF7vbpeoDaEqkPWrXS0zGsPtMZJS0o
+3nlszv13ZtXjL6nL+YWMILuihiPwk5UgBHjHxwem/vD0RbvPeCvdzpwIpUZoEEzX
+BWJshlotfwY4wk27RIcAQ3nSj/NrsvRcHLloAQIDAQABAoIBAFqJhaqrK7KsemYP
+08JExnR6g0TneIEn5veWrvrkoGft5h/riu5RK966zz4d6SlS9Omgk2/NbCRNJ91+
+XgNs4a8fCOnhx9u41ux6P1FUzBlwlvlHvYTh7cU4WxTC/ohDlnor56ZP6h32+bjt
+5VfzjcF2dBaZ04sPRUIaT6t9mWtaGmUolbHPAV6nsVfE+n6O5zLC2rTVhvdRuE83
+OUuw0PsgmathhpCSdm+kYhjgYEKb5gIv9EUQ8k0+b1+JTczJXJ0UbJpAQFGAnUPm
+kW3D4G4RedlIlP5ngCwPGa6cgTixTVZqMkP7BaBfPdkKuwvPOAHWjhy5JU37GQfj
+YubemXECgYEA2IYt0k1rHjT3r2hfMdUcScx2tTGzHBa0YkeDMtz3gpSDQEzehhHj
+UtP/vj+/XrVGK8V0Zv5bkKdJLjUCzCSVPjS5vESVHdzXrRFQUItMcG7FoqDV/hIt
+sFE2yYnrEx93xoHgSK6r0Btnn7GGKeYg8p8nLPI2Ed+vgmVsQ3C0VnUCgYEAwN8c
+iA5YNZKCOnL3ZFN7cYVVar6k04/T+StWRCqQyoKCUqTU2w0TMQ6HRzwpoCbTIPow
+Zz6cHY121pP0CI0Pdl0YYCbyQXLH0+hhRxBZ8LNBWVkuvn6Fv81J9idpO+yeCD0L
+dZzBXj1ZFa4T4zSWN5TdpcHd5yMjxl9Xo9J5Ed0CgYBtarDxG0pMQ3v+2gFxDz5y
+VK6QNgNK6HZTS8wTAfLZu+7vqWix24xCqPsNyu0MERLav7do7JSc7sxeW0+EleAN
+RVuutgGcy6L5xEwPx7TjBDc/TYOWFt2bwg6rndR7H2XJnIwYbpxIV/DvlCg2OCLi
+OGb1oZiNQ7pPbK1fDy8ymQKBgF5WAoeNtJlncqkSCG0a5BsPY0sVulr8U2rhRo2K
+4E0c7o9rre0ChSuOdp5iD94Uf1n25WvqVMOjqMelkEwKatCzEjQdeIqIkLLWS5ZN
+qiAwHTuNgm6MRfEdgRqUBkXYIyfWa99376Cfkw4mmfWciAjhmFP18gqWxm3FvoET
+dkJFAoGBAMVd38IG4NUbjhHs/8X0YyOD5CASxgFo29ByzCVpl/NUascqkpHRDh0l
+nhvGleI9YZvXSR8K8SJCkg65DwMfbAdlZKyrzr+Eo6/x6LlLOVDLMXFHiri+1Oaz
+nqjwZBLkzWGxtbVr+q1qWJUPzxzODgdPaaagMzrEK5BriWdw4Fil
+-----END RSA PRIVATE KEY-----
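Review bot: `LIR3.key` is committed as an unencrypted PEM private key (no `Proc-Type`/`DEK-Info` header), and its modulus matches the one printed in `LIR3.cer` from the same commit, so anyone with the repository can sign as `CN=TEST ENTITY LIR3`. That is acceptable only while nothing treats the sample hierarchy as a trust anchor, and the directory should say so, e.g. a README line `Keys in this directory are public test fixtures; never configure them as a trust anchor.` Since `LIR3.cnf` is marked as automatically generated, a generator presumably exists and could create the keys at test time instead of storing them. If the keys stay, an explicit secret-scanner allowlist entry for this path keeps the fixture from hiding a real key leak elsewhere in the tree.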
diff --git a/rpkid/resource-cert-samples/LIR3.req b/rpkid/resource-cert-samples/LIR3.req
new file mode 100644
index 00000000..e22e9dd3
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR3.req
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE REQUEST-----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+-----END CERTIFICATE REQUEST-----
diff --git a/rpkid/resource-cert-samples/LIR3/01.pem b/rpkid/resource-cert-samples/LIR3/01.pem
new file mode 100644
index 00000000..5f7a0a59
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR3/01.pem
@@ -0,0 +1,92 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 1 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR3
+ Validity
+ Not Before: Aug 1 14:48:18 2007 GMT
+ Not After : Jul 31 14:48:18 2008 GMT
+ Subject: CN=TEST ENTITY ISP5c
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:c8:8b:a1:25:65:df:ee:a2:7f:54:af:52:0a:1a:
+ 1a:fa:0d:75:b3:3c:e9:e0:29:d3:89:20:e9:51:49:
+ 67:2c:43:da:a0:2c:d4:44:b3:96:14:a9:07:77:60:
+ b9:6f:01:ef:8e:54:a5:74:ac:5a:67:f8:30:4d:10:
+ f9:ac:9f:b8:75:61:0b:f6:e7:7c:ea:9b:5c:98:7a:
+ 4b:3e:c4:e2:59:42:d3:19:ca:0f:58:0e:b7:c8:82:
+ 4e:e5:bb:ac:fd:92:e5:88:b2:fc:64:cf:6e:38:3b:
+ 18:83:fc:e7:a6:ae:fb:90:36:d0:e1:ca:4d:90:41:
+ 0f:0f:3b:2a:c0:0c:d9:7b:7d:e8:50:13:f6:09:73:
+ 82:a3:d2:e3:bb:82:08:87:7f:d2:bb:0e:0e:7a:28:
+ b6:25:02:b5:d9:51:fc:33:32:47:47:ff:cf:7f:bc:
+ ee:00:01:bb:05:5e:2e:03:9a:ad:95:3b:ca:c2:c6:
+ 87:64:74:39:aa:59:6b:ae:e0:a7:51:1a:07:f2:8e:
+ 4c:8e:65:2f:df:f2:99:ba:e0:b6:8a:4f:c0:20:72:
+ 79:98:00:8f:0d:50:13:3d:d1:3e:8c:bd:dc:74:a9:
+ 33:a8:56:1d:31:78:7c:e7:02:9e:8d:0a:14:12:6d:
+ d3:37:c7:7a:f0:84:10:fe:fe:4d:28:97:26:6e:08:
+ 85:a1
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 2D:87:C1:9A:F8:58:2B:BD:C2:F8:7E:30:47:B3:A9:88:37:C9:EB:46
+ X509v3 Authority Key Identifier:
+ keyid:98:BE:04:FF:80:D1:AB:95:39:AA:3D:F2:0E:67:7D:00:AD:A3:FD:C5
+
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP5c/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR3.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64534-64540
+
+ Signature Algorithm: sha1WithRSAEncryption
+ 50:6b:1b:84:77:e5:93:08:5e:dc:42:24:86:70:11:24:f8:11:
+ 91:68:0f:08:9b:49:f6:4a:27:85:13:93:ed:59:49:d0:f8:a6:
+ d2:44:ab:25:69:41:59:40:8b:78:ab:d2:8d:09:a8:c0:fe:20:
+ 49:d7:47:c4:de:19:a1:79:d2:8d:bd:29:08:37:a8:9a:b6:5e:
+ 56:25:50:da:1c:47:e8:bf:ed:1e:49:79:48:81:07:97:d3:2f:
+ 14:e7:bc:8e:e9:ef:82:9a:bd:18:60:08:08:57:22:6e:45:bb:
+ 1a:9f:69:e0:0f:86:42:49:ec:d2:5f:6f:fb:01:b0:b9:56:66:
+ aa:62:64:e1:80:68:ee:11:d9:45:b8:3a:fc:81:4b:d4:c0:f7:
+ 1c:a7:97:9a:7d:f7:94:2c:05:86:35:2e:0c:83:17:45:b6:3f:
+ d6:4e:5f:ba:2d:77:41:4a:25:37:b9:8b:4a:4e:b4:36:f5:c9:
+ f7:84:e0:6b:af:1c:d5:e0:88:a5:aa:6f:87:10:18:c3:af:46:
+ ee:63:97:e3:66:98:bb:51:67:89:d6:4d:8f:b2:ed:f6:33:ae:
+ 5b:44:44:1e:56:af:ac:6d:7b:1f:13:f9:96:84:ee:08:db:4b:
+ 1f:56:48:ac:97:0e:ee:b5:33:f4:2d:03:62:a3:32:6d:85:85:
+ 52:a6:47:ca
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
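Review bot: This sample is signed with `sha1WithRSAEncryption`, while `LIR3.cnf` in the same commit sets `default_md = sha256` and `LIR3/04.pem` uses `sha256WithRSAEncryption`; `LIR3/02.pem` and `LIR3/03.pem` have the same SHA-1 signature. If the directory is read as a set of expected-valid fixtures, a validator that rejects SHA-1 signatures will fail on these three, and one that accepts them is being exercised against a digest the current config no longer produces. Either regenerate serials 1–3 or label them, e.g. a README line `01–03: legacy SHA-1 output, kept for reference only`.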
diff --git a/rpkid/resource-cert-samples/LIR3/02.pem b/rpkid/resource-cert-samples/LIR3/02.pem
new file mode 100644
index 00000000..47299c75
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR3/02.pem
@@ -0,0 +1,94 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 2 (0x2)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR3
+ Validity
+ Not Before: Aug 1 14:48:20 2007 GMT
+ Not After : Jul 31 14:48:20 2008 GMT
+ Subject: CN=TEST ENTITY ISP5b
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:bf:8f:59:d8:fc:fa:1d:04:70:29:ce:7b:01:64:
+ 21:40:dc:5c:43:fe:4c:af:88:c8:62:9b:be:9c:72:
+ 8f:8a:a5:34:8a:3b:23:8d:9b:8a:4f:bf:66:ac:68:
+ 71:9c:fd:68:59:f5:bf:9f:4d:2e:b5:d6:e3:fa:bd:
+ f3:60:53:5c:b7:11:ac:95:0b:c0:87:cd:99:9e:94:
+ 57:8d:ec:05:b8:df:aa:fc:8e:38:d3:0f:65:6d:09:
+ 60:f2:e1:98:81:72:d8:51:3e:41:91:b3:10:95:f5:
+ f5:d0:f9:e5:5c:a1:85:fa:71:26:85:e3:d1:4c:02:
+ 7f:14:e2:1e:4a:8a:96:68:9e:d6:16:a5:ef:ad:b5:
+ 83:62:cd:23:74:7c:82:56:b4:d1:34:53:5a:8a:7a:
+ 61:9f:ae:54:5b:ef:f9:56:de:87:6b:42:92:bc:49:
+ f4:b5:c3:35:07:4a:18:47:d2:92:c6:1c:16:74:74:
+ b1:e9:39:3c:53:12:05:9d:eb:dc:9c:72:2b:97:4d:
+ 27:21:77:96:7d:4c:ce:79:0c:fb:a7:b8:99:6b:66:
+ 20:2e:56:9c:44:b4:e3:5e:80:c4:7d:78:a1:b4:05:
+ f7:20:7d:26:1e:44:bf:5d:69:15:3c:7a:24:67:bd:
+ b9:b5:08:0f:33:4d:af:3b:2d:e7:b9:ab:1d:2b:d6:
+ fb:73
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 6C:B3:65:94:FE:C6:9F:4A:50:9D:4D:8B:40:1A:A1:FD:97:17:97:92
+ X509v3 Authority Key Identifier:
+ keyid:98:BE:04:FF:80:D1:AB:95:39:AA:3D:F2:0E:67:7D:00:AD:A3:FD:C5
+
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP5b/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR3.cer
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 10.3.0.0/24
+ IPv6:
+ 2001:db8:0:0:0:0:a03::/120
+
+ Signature Algorithm: sha1WithRSAEncryption
+ 44:d8:15:ad:71:7e:e9:6e:ec:33:2b:42:ed:8c:8a:4a:df:82:
+ a4:91:99:57:b0:2f:cc:a3:59:2a:ff:24:c5:ac:e1:79:fa:d7:
+ 92:ba:72:2b:47:1a:cf:80:6d:08:76:e9:b5:91:60:35:1f:dd:
+ 0c:e0:bd:33:7c:27:d0:f7:11:4e:1f:48:4a:05:bc:6d:e3:5f:
+ ba:dd:7a:ba:3d:45:7d:97:72:94:9b:cd:31:76:b8:96:df:f0:
+ 7d:16:f3:2a:a3:e2:72:eb:02:1f:49:ee:b6:44:48:5b:69:99:
+ b8:bb:80:3b:cb:f5:bc:aa:f8:ba:68:19:53:ec:ff:ad:75:ae:
+ 82:51:00:ec:e7:81:c2:6b:cf:a2:a2:a2:c5:b8:04:47:91:ad:
+ 9d:33:72:48:a2:15:55:ad:43:52:8f:f6:09:a3:d3:fd:88:d3:
+ e3:c3:f4:cd:71:e8:cb:aa:e7:36:07:27:d9:e9:a4:a1:e8:33:
+ cd:2d:9c:37:ee:48:e4:8f:8e:f0:84:67:64:89:ea:9a:23:e0:
+ 12:01:25:80:41:70:fa:b8:3a:c7:0d:b7:c9:ac:79:37:2a:b1:
+ d7:62:79:ea:db:74:b4:f5:86:86:b6:1e:d5:d0:b0:29:96:a3:
+ 58:a9:f7:3f:df:8d:31:c1:90:d1:df:1b:c3:f4:14:f8:1d:d1:
+ c9:57:95:7f
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR3/03.pem b/rpkid/resource-cert-samples/LIR3/03.pem
new file mode 100644
index 00000000..50780320
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR3/03.pem
@@ -0,0 +1,94 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 3 (0x3)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR3
+ Validity
+ Not Before: Aug 1 14:48:22 2007 GMT
+ Not After : Jul 31 14:48:22 2008 GMT
+ Subject: CN=TEST ENTITY ISP5a
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:e6:4b:ad:78:28:6b:e6:50:1b:65:81:d5:8d:2b:
+ 56:77:cd:bb:c9:47:a0:aa:32:b0:2c:ac:1f:f1:e4:
+ 90:2b:c2:33:6f:e7:53:b1:d0:1d:ab:05:27:9d:b7:
+ a1:ee:a8:4f:c8:5b:36:23:e3:12:e4:51:59:27:cd:
+ fd:7a:aa:dc:56:05:a1:73:ab:79:dd:3c:82:b2:8f:
+ ae:f9:ec:c0:36:38:e6:02:aa:fd:89:60:21:52:5b:
+ b6:33:80:75:e5:7f:fd:ac:6e:ec:d4:9a:26:2f:7e:
+ 28:45:16:29:47:7d:f3:8a:72:d5:e4:65:fa:f4:54:
+ 6f:ae:48:33:62:c1:32:f1:2b:83:33:36:63:60:9e:
+ bc:c7:e7:99:5d:51:da:cd:2f:8f:83:47:20:9e:e9:
+ cc:a3:72:c0:72:bd:49:2d:c4:52:ea:6f:da:42:46:
+ 71:90:c7:af:7f:9f:c7:dd:0b:96:96:3c:45:9f:c0:
+ ea:65:6a:43:e3:f3:92:d5:e1:73:c0:6e:20:f5:17:
+ e5:d1:58:da:21:b3:e9:0c:4d:f0:e8:bd:7c:b7:ef:
+ 81:c9:f5:70:cf:a8:20:7d:e2:6a:f9:1b:66:a9:c8:
+ 71:d6:32:f8:72:3d:83:99:19:0d:0c:6b:e9:f8:92:
+ cd:33:17:86:6a:3d:af:0d:05:94:ab:1c:d4:2c:a4:
+ 45:cb
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 09:F0:14:0B:79:FB:0B:FF:A8:EF:54:B9:EC:3E:B9:8B:D0:CB:9C:EC
+ X509v3 Authority Key Identifier:
+ keyid:98:BE:04:FF:80:D1:AB:95:39:AA:3D:F2:0E:67:7D:00:AD:A3:FD:C5
+
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP5a/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR3.cer
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 10.0.0.0/24
+ IPv6:
+ 2001:db8:0:0:0:0:a00::/120
+
+ Signature Algorithm: sha1WithRSAEncryption
+ 93:32:99:62:dd:c5:ea:f0:1f:58:50:10:37:d3:39:37:d9:f6:
+ 92:51:26:2f:d6:fd:6f:82:b8:56:6b:fd:0c:f3:42:04:56:ed:
+ 67:2b:42:02:98:56:07:f1:48:2d:2e:b4:32:bb:d7:1c:27:14:
+ a0:e9:ad:3b:1d:fe:0b:0e:43:df:22:97:f1:8f:73:d8:76:d6:
+ 9b:0d:bf:ee:20:e8:77:17:a3:83:01:b3:23:43:85:6b:bf:6f:
+ cc:2e:69:47:05:73:f4:21:45:94:c8:ae:21:28:41:16:91:ee:
+ 48:49:66:5a:67:31:71:04:c9:49:71:94:d5:f4:86:5c:7b:c6:
+ 3e:fe:91:1d:21:b3:14:98:54:ad:6e:51:28:e9:a8:22:ba:a4:
+ d0:9c:8c:e3:d4:7c:21:10:0c:f9:a3:00:f8:c3:9f:00:b4:53:
+ 34:06:af:5b:4a:43:95:cb:b2:fb:8c:18:00:86:11:28:5e:24:
+ e1:90:d8:67:d8:00:fc:b6:27:1f:9e:b1:be:91:17:c1:11:35:
+ 6e:9c:60:50:2e:67:f3:04:2b:74:89:f9:fe:92:73:dd:1e:44:
+ 81:67:b8:08:63:a8:9f:f4:8c:bc:47:de:f1:df:8b:11:cd:02:
+ ec:b9:ad:0b:06:28:0c:e2:84:36:83:85:f3:4f:46:56:46:d5:
+ f5:f8:cb:f3
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR3/04.pem b/rpkid/resource-cert-samples/LIR3/04.pem
new file mode 100644
index 00000000..2f339d8c
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR3/04.pem
@@ -0,0 +1,79 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 4 (0x4)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR3
+ Validity
+ Not Before: Aug 10 00:58:17 2007 GMT
+ Not After : Aug 9 00:58:17 2008 GMT
+ Subject: CN=TEST ENTITY ISP5c
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:c8:8b:a1:25:65:df:ee:a2:7f:54:af:52:0a:1a:
+ 1a:fa:0d:75:b3:3c:e9:e0:29:d3:89:20:e9:51:49:
+ 67:2c:43:da:a0:2c:d4:44:b3:96:14:a9:07:77:60:
+ b9:6f:01:ef:8e:54:a5:74:ac:5a:67:f8:30:4d:10:
+ f9:ac:9f:b8:75:61:0b:f6:e7:7c:ea:9b:5c:98:7a:
+ 4b:3e:c4:e2:59:42:d3:19:ca:0f:58:0e:b7:c8:82:
+ 4e:e5:bb:ac:fd:92:e5:88:b2:fc:64:cf:6e:38:3b:
+ 18:83:fc:e7:a6:ae:fb:90:36:d0:e1:ca:4d:90:41:
+ 0f:0f:3b:2a:c0:0c:d9:7b:7d:e8:50:13:f6:09:73:
+ 82:a3:d2:e3:bb:82:08:87:7f:d2:bb:0e:0e:7a:28:
+ b6:25:02:b5:d9:51:fc:33:32:47:47:ff:cf:7f:bc:
+ ee:00:01:bb:05:5e:2e:03:9a:ad:95:3b:ca:c2:c6:
+ 87:64:74:39:aa:59:6b:ae:e0:a7:51:1a:07:f2:8e:
+ 4c:8e:65:2f:df:f2:99:ba:e0:b6:8a:4f:c0:20:72:
+ 79:98:00:8f:0d:50:13:3d:d1:3e:8c:bd:dc:74:a9:
+ 33:a8:56:1d:31:78:7c:e7:02:9e:8d:0a:14:12:6d:
+ d3:37:c7:7a:f0:84:10:fe:fe:4d:28:97:26:6e:08:
+ 85:a1
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 2D:87:C1:9A:F8:58:2B:BD:C2:F8:7E:30:47:B3:A9:88:37:C9:EB:46
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP5c/
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 54:9d:09:01:1d:1f:b7:ac:f9:0a:05:b4:68:22:0d:e2:d4:b3:
+ 28:80:eb:2b:e9:86:2b:6a:03:e5:a7:d4:34:cd:58:fd:0d:90:
+ d9:f4:1d:0d:95:ff:cf:23:1c:9d:dd:38:e4:54:4d:1f:9a:1d:
+ 20:8e:c0:b9:06:37:0b:06:ba:e9:6d:df:f4:07:d6:1d:2b:0b:
+ c4:16:24:38:98:6e:56:85:0f:c3:43:87:af:0c:b5:90:c1:c4:
+ 84:96:1d:d9:d0:d0:35:fe:ff:c1:ab:38:42:70:19:bd:3e:b2:
+ eb:4e:0a:20:a5:18:c0:aa:e8:8e:6b:ad:4f:51:a2:04:82:d6:
+ ef:12:33:57:fb:6e:9b:a3:9b:9e:a9:49:15:cd:f1:e1:38:40:
+ 11:af:06:88:48:52:2e:0a:ec:9a:03:4a:1b:3f:86:cf:67:f3:
+ 83:34:f9:53:f7:af:8f:cb:67:1a:23:b2:0c:89:38:4a:1e:44:
+ d1:25:4d:22:02:41:8a:1f:45:7d:8b:99:c1:83:90:1e:5b:f1:
+ 1b:ba:67:ba:c2:b8:93:2e:cd:5f:23:41:ba:f2:d5:2a:6e:33:
+ 1f:63:4c:ac:a5:be:fa:d9:18:13:42:71:43:2e:e2:24:5c:fb:
+ 25:5a:39:ab:b0:0a:81:31:51:13:65:eb:7d:0d:2b:7a:7c:3e:
+ 09:c0:4c:c8
+-----BEGIN CERTIFICATE-----
+MIIDOjCCAiKgAwIBAgIBBDANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBURVNU
+IEVOVElUWSBMSVIzMB4XDTA3MDgxMDAwNTgxN1oXDTA4MDgwOTAwNTgxN1owHDEa
+MBgGA1UEAxMRVEVTVCBFTlRJVFkgSVNQNWMwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDIi6ElZd/uon9Ur1IKGhr6DXWzPOngKdOJIOlRSWcsQ9qgLNRE
+s5YUqQd3YLlvAe+OVKV0rFpn+DBNEPmsn7h1YQv253zqm1yYeks+xOJZQtMZyg9Y
+DrfIgk7lu6z9kuWIsvxkz244OxiD/OemrvuQNtDhyk2QQQ8POyrADNl7fehQE/YJ
+c4Kj0uO7ggiHf9K7Dg56KLYlArXZUfwzMkdH/89/vO4AAbsFXi4Dmq2VO8rCxodk
+dDmqWWuu4KdRGgfyjkyOZS/f8pm64LaKT8AgcnmYAI8NUBM90T6Mvdx0qTOoVh0x
+eHznAp6NChQSbdM3x3rwhBD+/k0olyZuCIWhAgMBAAGjgYcwgYQwDwYDVR0TAQH/
+BAUwAwEB/zAdBgNVHQ4EFgQULYfBmvhYK73C+H4wR7OpiDfJ60YwDgYDVR0PAQH/
+BAQDAgEGMEIGCCsGAQUFBwELBDYwNDAyBggrBgEFBQcwBYYmcnN5bmM6Ly93b21i
+YXRzLXItdXMuaGFjdHJuLm5ldC9JU1A1Yy8wDQYJKoZIhvcNAQELBQADggEBAFSd
+CQEdH7es+QoFtGgiDeLUsyiA6yvphitqA+Wn1DTNWP0NkNn0HQ2V/88jHJ3dOORU
+TR+aHSCOwLkGNwsGuult3/QH1h0rC8QWJDiYblaFD8NDh68MtZDBxISWHdnQ0DX+
+/8GrOEJwGb0+sutOCiClGMCq6I5rrU9RogSC1u8SM1f7bpujm56pSRXN8eE4QBGv
+BohIUi4K7JoDShs/hs9n84M0+VP3r4/LZxojsgyJOEoeRNElTSICQYofRX2LmcGD
+kB5b8Ru6Z7rCuJMuzV8jQbry1SpuMx9jTKylvvrZGBNCcUMu4iRc+yVaOauwCoEx
+URNl630NK3p8PgnATMg=
+-----END CERTIFICATE-----
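Review bot: Serial 4 is a `CA:TRUE` certificate for `CN=TEST ENTITY ISP5c` with no `sbgp-ipAddrBlock` or `sbgp-autonomousSysNum` extension, although serial 1 for the same subject and key carried an Authority Key Identifier, Authority Information Access and `sbgp-autonomousSysNum`. The RPKI certificate profile expects a resource extension on every certificate, so a test that loads every `*.pem` under `LIR3/` gets a mix of well-formed and resource-less CA certificates. `LIR3.cnf` copies extensions from the request, so presumably the request used here lacked them; the visible part of `LIR3/05.pem` has the same shape. If this is an intentional negative sample, say so next to it (`04, 05: no resource extensions, must fail validation`); otherwise regenerate it from a request that carries the resources.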
diff --git a/rpkid/resource-cert-samples/LIR3/05.pem b/rpkid/resource-cert-samples/LIR3/05.pem
new file mode 100644
index 00000000..b3efd764
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR3/05.pem
@@ -0,0 +1,79 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 5 (0x5)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR3
+ Validity
+ Not Before: Aug 10 00:58:17 2007 GMT
+ Not After : Aug 9 00:58:17 2008 GMT
+ Subject: CN=TEST ENTITY ISP5b
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:bf:8f:59:d8:fc:fa:1d:04:70:29:ce:7b:01:64:
+ 21:40:dc:5c:43:fe:4c:af:88:c8:62:9b:be:9c:72:
+ 8f:8a:a5:34:8a:3b:23:8d:9b:8a:4f:bf:66:ac:68:
+ 71:9c:fd:68:59:f5:bf:9f:4d:2e:b5:d6:e3:fa:bd:
+ f3:60:53:5c:b7:11:ac:95:0b:c0:87:cd:99:9e:94:
+ 57:8d:ec:05:b8:df:aa:fc:8e:38:d3:0f:65:6d:09:
+ 60:f2:e1:98:81:72:d8:51:3e:41:91:b3:10:95:f5:
+ f5:d0:f9:e5:5c:a1:85:fa:71:26:85:e3:d1:4c:02:
+ 7f:14:e2:1e:4a:8a:96:68:9e:d6:16:a5:ef:ad:b5:
+ 83:62:cd:23:74:7c:82:56:b4:d1:34:53:5a:8a:7a:
+ 61:9f:ae:54:5b:ef:f9:56:de:87:6b:42:92:bc:49:
+ f4:b5:c3:35:07:4a:18:47:d2:92:c6:1c:16:74:74:
+ b1:e9:39:3c:53:12:05:9d:eb:dc:9c:72:2b:97:4d:
+ 27:21:77:96:7d:4c:ce:79:0c:fb:a7:b8:99:6b:66:
+ 20:2e:56:9c:44:b4:e3:5e:80:c4:7d:78:a1:b4:05:
+ f7:20:7d:26:1e:44:bf:5d:69:15:3c:7a:24:67:bd:
+ b9:b5:08:0f:33:4d:af:3b:2d:e7:b9:ab:1d:2b:d6:
+ fb:73
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 6C:B3:65:94:FE:C6:9F:4A:50:9D:4D:8B:40:1A:A1:FD:97:17:97:92
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP5b/
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 60:54:f0:88:c1:6e:25:22:90:35:05:b5:d9:a0:ca:1c:22:da:
+ 3e:32:f7:a2:c3:b7:31:f0:02:11:66:8f:be:be:ae:c7:69:bc:
+ 47:b9:ed:6e:d2:8f:b4:cc:0d:43:00:7a:3e:e0:d4:3d:08:c7:
+ c3:4e:5e:40:6a:30:bb:30:7c:f4:5e:2e:e0:74:fc:5d:8e:b4:
+ 2f:2e:98:12:41:31:0b:4c:d3:14:f5:1d:5c:66:e3:4f:e2:e1:
+ 1e:cb:48:80:b2:3b:59:10:30:90:7a:cd:9c:e4:a5:14:f8:b9:
+ 2a:39:3b:0b:a5:5d:5b:f2:4f:93:d9:2c:fb:3e:14:1b:f1:cd:
+ 8b:0c:9d:85:9e:1f:7c:b1:a9:97:fd:9b:51:12:62:c9:a7:9f:
+ a2:d0:86:ac:40:e5:6f:f5:57:00:df:60:5a:65:20:ae:a2:25:
+ 84:c3:04:d0:de:2e:15:28:22:cf:0d:d6:3a:03:70:2b:89:4e:
+ 72:08:00:ef:5f:fb:3f:82:6b:5b:a1:55:4f:60:54:aa:60:cb:
+ 3a:e4:5e:16:f7:e6:ca:30:5a:c9:1e:51:5f:b1:70:e8:7f:e4:
+ eb:be:e1:c0:37:b3:e3:46:a5:c1:e7:e7:30:81:8f:23:c7:24:
+ 63:c1:36:4a:fa:df:4d:34:35:86:fb:cc:ce:ba:2e:0e:d1:27:
+ bd:bc:55:54
+-----BEGIN CERTIFICATE-----
+MIIDOjCCAiKgAwIBAgIBBTANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBURVNU
+IEVOVElUWSBMSVIzMB4XDTA3MDgxMDAwNTgxN1oXDTA4MDgwOTAwNTgxN1owHDEa
+MBgGA1UEAxMRVEVTVCBFTlRJVFkgSVNQNWIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQC/j1nY/PodBHApznsBZCFA3FxD/kyviMhim76cco+KpTSKOyON
+m4pPv2asaHGc/WhZ9b+fTS611uP6vfNgU1y3EayVC8CHzZmelFeN7AW436r8jjjT
+D2VtCWDy4ZiBcthRPkGRsxCV9fXQ+eVcoYX6cSaF49FMAn8U4h5KipZontYWpe+t
+tYNizSN0fIJWtNE0U1qKemGfrlRb7/lW3odrQpK8SfS1wzUHShhH0pLGHBZ0dLHp
+OTxTEgWd69ycciuXTSchd5Z9TM55DPunuJlrZiAuVpxEtONegMR9eKG0BfcgfSYe
+RL9daRU8eiRnvbm1CA8zTa87Lee5qx0r1vtzAgMBAAGjgYcwgYQwDwYDVR0TAQH/
+BAUwAwEB/zAdBgNVHQ4EFgQUbLNllP7Gn0pQnU2LQBqh/ZcXl5IwDgYDVR0PAQH/
+BAQDAgEGMEIGCCsGAQUFBwELBDYwNDAyBggrBgEFBQcwBYYmcnN5bmM6Ly93b21i
+YXRzLXItdXMuaGFjdHJuLm5ldC9JU1A1Yi8wDQYJKoZIhvcNAQELBQADggEBAGBU
+8IjBbiUikDUFtdmgyhwi2j4y96LDtzHwAhFmj76+rsdpvEe57W7Sj7TMDUMAej7g
+1D0Ix8NOXkBqMLswfPReLuB0/F2OtC8umBJBMQtM0xT1HVxm40/i4R7LSICyO1kQ
+MJB6zZzkpRT4uSo5OwulXVvyT5PZLPs+FBvxzYsMnYWeH3yxqZf9m1ESYsmnn6LQ
+hqxA5W/1VwDfYFplIK6iJYTDBNDeLhUoIs8N1joDcCuJTnIIAO9f+z+Ca1uhVU9g
+VKpgyzrkXhb35sowWskeUV+xcOh/5Ou+4cA3s+NGpcHn5zCBjyPHJGPBNkr63000
+NYb7zM66Lg7RJ728VVQ=
+-----END CERTIFICATE-----
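Review bot: The ISP5b certificate in 05.pem is a CA certificate (`CA:TRUE`, Certificate Sign/CRL Sign) with no `sbgp-ipAddrBlock` or `sbgp-autonomousSysNum` extension and no Authority Information Access, unlike 08.pem, which is issued to the same subject and key a few minutes later. 06.pem has the same shape, and 0D.pem, 0E.pem and 0F.pem also drop the Subject Key Identifier. Nothing in these files says whether they are negative fixtures a validator is expected to reject or leftovers from earlier generator runs, so they are easy to mistake for valid resource-certificate samples. I would add a line above `Certificate:` in each, such as `# fixture: no RFC 3779 resources, expected to fail resource validation (confirm intent)`, or drop the files if they are leftovers. PEM readers that scan for the BEGIN line skip such a header.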
diff --git a/rpkid/resource-cert-samples/LIR3/06.pem b/rpkid/resource-cert-samples/LIR3/06.pem
new file mode 100644
index 00000000..cbf5d122
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR3/06.pem
@@ -0,0 +1,79 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 6 (0x6)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR3
+ Validity
+ Not Before: Aug 10 00:58:17 2007 GMT
+ Not After : Aug 9 00:58:17 2008 GMT
+ Subject: CN=TEST ENTITY ISP5a
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:e6:4b:ad:78:28:6b:e6:50:1b:65:81:d5:8d:2b:
+ 56:77:cd:bb:c9:47:a0:aa:32:b0:2c:ac:1f:f1:e4:
+ 90:2b:c2:33:6f:e7:53:b1:d0:1d:ab:05:27:9d:b7:
+ a1:ee:a8:4f:c8:5b:36:23:e3:12:e4:51:59:27:cd:
+ fd:7a:aa:dc:56:05:a1:73:ab:79:dd:3c:82:b2:8f:
+ ae:f9:ec:c0:36:38:e6:02:aa:fd:89:60:21:52:5b:
+ b6:33:80:75:e5:7f:fd:ac:6e:ec:d4:9a:26:2f:7e:
+ 28:45:16:29:47:7d:f3:8a:72:d5:e4:65:fa:f4:54:
+ 6f:ae:48:33:62:c1:32:f1:2b:83:33:36:63:60:9e:
+ bc:c7:e7:99:5d:51:da:cd:2f:8f:83:47:20:9e:e9:
+ cc:a3:72:c0:72:bd:49:2d:c4:52:ea:6f:da:42:46:
+ 71:90:c7:af:7f:9f:c7:dd:0b:96:96:3c:45:9f:c0:
+ ea:65:6a:43:e3:f3:92:d5:e1:73:c0:6e:20:f5:17:
+ e5:d1:58:da:21:b3:e9:0c:4d:f0:e8:bd:7c:b7:ef:
+ 81:c9:f5:70:cf:a8:20:7d:e2:6a:f9:1b:66:a9:c8:
+ 71:d6:32:f8:72:3d:83:99:19:0d:0c:6b:e9:f8:92:
+ cd:33:17:86:6a:3d:af:0d:05:94:ab:1c:d4:2c:a4:
+ 45:cb
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 09:F0:14:0B:79:FB:0B:FF:A8:EF:54:B9:EC:3E:B9:8B:D0:CB:9C:EC
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP5a/
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 6b:75:56:d5:11:aa:e9:73:f5:1c:b8:ec:d8:52:52:8f:84:c4:
+ 3f:80:26:cc:f3:57:f5:71:db:2d:e6:33:9b:25:e4:c0:d8:ff:
+ 6e:96:30:d0:be:e4:0c:16:c1:0c:2f:5f:bc:94:44:14:64:74:
+ 11:37:2e:42:c5:2e:31:ca:09:2e:ca:d1:4e:76:74:a4:0d:2a:
+ 92:50:3e:c4:6d:85:98:23:e2:ce:28:9e:67:8e:35:27:af:06:
+ af:fb:af:e4:28:c6:ac:ad:e9:29:f9:5d:ba:fb:26:5a:e4:7c:
+ 0c:29:f0:d3:a5:b7:b8:b0:3b:93:6b:cb:6a:3f:73:b1:e0:2c:
+ c2:6e:35:6b:c9:56:e0:0e:b4:64:94:6a:7e:eb:be:52:2d:22:
+ 2c:4e:9d:09:8d:cb:20:5d:c2:f9:51:40:d4:f9:a5:0d:b3:4b:
+ 0c:a2:8a:fe:d1:63:16:54:68:1c:8d:d3:12:9b:96:84:9d:d9:
+ ba:02:68:04:7f:88:ac:2a:5b:f5:31:0a:d1:35:36:6b:ab:96:
+ c3:de:56:16:a8:71:a7:af:c5:a4:42:24:ba:a4:cf:2b:99:96:
+ 8a:eb:ce:5a:6b:40:0a:36:55:be:c5:ab:50:46:8f:66:4d:7d:
+ 6c:04:11:2a:0c:e0:2b:11:5e:53:48:32:39:f8:62:58:25:59:
+ c8:7e:31:22
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR3/07.pem b/rpkid/resource-cert-samples/LIR3/07.pem
new file mode 100644
index 00000000..96c90b92
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR3/07.pem
@@ -0,0 +1,88 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 7 (0x7)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR3
+ Validity
+ Not Before: Aug 10 01:02:31 2007 GMT
+ Not After : Aug 9 01:02:31 2008 GMT
+ Subject: CN=TEST ENTITY ISP5c
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:c8:8b:a1:25:65:df:ee:a2:7f:54:af:52:0a:1a:
+ 1a:fa:0d:75:b3:3c:e9:e0:29:d3:89:20:e9:51:49:
+ 67:2c:43:da:a0:2c:d4:44:b3:96:14:a9:07:77:60:
+ b9:6f:01:ef:8e:54:a5:74:ac:5a:67:f8:30:4d:10:
+ f9:ac:9f:b8:75:61:0b:f6:e7:7c:ea:9b:5c:98:7a:
+ 4b:3e:c4:e2:59:42:d3:19:ca:0f:58:0e:b7:c8:82:
+ 4e:e5:bb:ac:fd:92:e5:88:b2:fc:64:cf:6e:38:3b:
+ 18:83:fc:e7:a6:ae:fb:90:36:d0:e1:ca:4d:90:41:
+ 0f:0f:3b:2a:c0:0c:d9:7b:7d:e8:50:13:f6:09:73:
+ 82:a3:d2:e3:bb:82:08:87:7f:d2:bb:0e:0e:7a:28:
+ b6:25:02:b5:d9:51:fc:33:32:47:47:ff:cf:7f:bc:
+ ee:00:01:bb:05:5e:2e:03:9a:ad:95:3b:ca:c2:c6:
+ 87:64:74:39:aa:59:6b:ae:e0:a7:51:1a:07:f2:8e:
+ 4c:8e:65:2f:df:f2:99:ba:e0:b6:8a:4f:c0:20:72:
+ 79:98:00:8f:0d:50:13:3d:d1:3e:8c:bd:dc:74:a9:
+ 33:a8:56:1d:31:78:7c:e7:02:9e:8d:0a:14:12:6d:
+ d3:37:c7:7a:f0:84:10:fe:fe:4d:28:97:26:6e:08:
+ 85:a1
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 2D:87:C1:9A:F8:58:2B:BD:C2:F8:7E:30:47:B3:A9:88:37:C9:EB:46
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP5c/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR3.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64534-64540
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 0c:a5:20:ee:a9:16:f5:45:6f:f6:55:c7:42:48:01:84:8a:e6:
+ be:11:15:47:85:bd:8b:f1:11:b9:32:0f:77:52:bf:64:cd:f9:
+ f2:c9:70:78:0e:d7:21:e0:79:4e:7e:08:a3:9f:07:0d:73:55:
+ 79:31:3f:93:a0:cb:88:3f:91:7b:83:6a:da:57:92:71:6c:a2:
+ 03:dc:e8:3d:dc:ab:07:5d:30:d1:62:fe:28:40:29:07:80:b1:
+ 41:36:58:fa:f0:a6:6a:ae:c8:a5:7d:01:e9:cb:84:7d:c7:39:
+ ec:87:c2:14:3b:ae:7a:85:66:6c:da:72:88:7e:aa:6b:81:a6:
+ 3d:bc:5d:de:fd:ad:20:42:8f:1e:75:73:4e:18:11:95:0e:87:
+ 15:d6:be:01:0a:77:ca:33:ce:d2:3b:9e:07:4a:55:e5:7a:70:
+ 46:e6:59:46:79:6e:0f:3d:1d:98:d1:a4:59:50:d6:22:e0:f1:
+ cd:44:97:72:9f:67:3a:23:ec:c7:68:44:5c:84:ba:30:60:01:
+ 06:78:dd:96:cf:98:e0:24:9b:f7:38:ea:6c:55:7a:f2:78:d6:
+ 0f:b3:03:1b:d9:d6:cc:b6:c4:b5:42:75:f8:fd:6f:bc:f0:8f:
+ 23:ba:8a:22:6b:f9:cc:d8:90:76:d4:7c:78:b5:ff:ee:96:6e:
+ f8:3b:db:31
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR3/08.pem b/rpkid/resource-cert-samples/LIR3/08.pem
new file mode 100644
index 00000000..eda14481
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR3/08.pem
@@ -0,0 +1,91 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 8 (0x8)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR3
+ Validity
+ Not Before: Aug 10 01:02:31 2007 GMT
+ Not After : Aug 9 01:02:31 2008 GMT
+ Subject: CN=TEST ENTITY ISP5b
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:bf:8f:59:d8:fc:fa:1d:04:70:29:ce:7b:01:64:
+ 21:40:dc:5c:43:fe:4c:af:88:c8:62:9b:be:9c:72:
+ 8f:8a:a5:34:8a:3b:23:8d:9b:8a:4f:bf:66:ac:68:
+ 71:9c:fd:68:59:f5:bf:9f:4d:2e:b5:d6:e3:fa:bd:
+ f3:60:53:5c:b7:11:ac:95:0b:c0:87:cd:99:9e:94:
+ 57:8d:ec:05:b8:df:aa:fc:8e:38:d3:0f:65:6d:09:
+ 60:f2:e1:98:81:72:d8:51:3e:41:91:b3:10:95:f5:
+ f5:d0:f9:e5:5c:a1:85:fa:71:26:85:e3:d1:4c:02:
+ 7f:14:e2:1e:4a:8a:96:68:9e:d6:16:a5:ef:ad:b5:
+ 83:62:cd:23:74:7c:82:56:b4:d1:34:53:5a:8a:7a:
+ 61:9f:ae:54:5b:ef:f9:56:de:87:6b:42:92:bc:49:
+ f4:b5:c3:35:07:4a:18:47:d2:92:c6:1c:16:74:74:
+ b1:e9:39:3c:53:12:05:9d:eb:dc:9c:72:2b:97:4d:
+ 27:21:77:96:7d:4c:ce:79:0c:fb:a7:b8:99:6b:66:
+ 20:2e:56:9c:44:b4:e3:5e:80:c4:7d:78:a1:b4:05:
+ f7:20:7d:26:1e:44:bf:5d:69:15:3c:7a:24:67:bd:
+ b9:b5:08:0f:33:4d:af:3b:2d:e7:b9:ab:1d:2b:d6:
+ fb:73
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 6C:B3:65:94:FE:C6:9F:4A:50:9D:4D:8B:40:1A:A1:FD:97:17:97:92
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP5b/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR3.cer
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 10.3.0.0/24
+ IPv6:
+ 2001:db8:0:0:0:0:a03::/120
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 13:01:ba:b0:04:4c:97:5c:4a:37:a9:4f:0d:4e:ba:3a:b4:7f:
+ ba:30:a6:e8:d6:ad:5a:6f:d2:67:23:a4:92:33:b2:b7:3d:8f:
+ e6:57:95:d4:98:b5:d4:4d:95:dc:36:e0:39:02:7d:b9:49:6e:
+ 27:6e:d6:a1:37:85:fa:59:bf:97:5d:73:63:64:88:a7:87:36:
+ 17:8b:ed:40:8c:3c:29:f6:75:3e:cf:22:5b:83:d6:f6:b7:5d:
+ d3:05:c7:93:5d:d0:f3:5e:38:3b:21:66:0d:ef:ac:66:d9:a9:
+ 38:ee:0a:cc:8a:d5:1a:5a:8e:8d:05:df:f9:29:18:b7:0c:11:
+ 4f:e4:b3:34:f3:b7:f8:da:c5:6b:15:e1:1f:a4:29:e1:26:99:
+ 57:1c:08:83:2d:1c:15:39:bb:d6:23:4c:40:9d:be:2c:ce:12:
+ 31:ea:47:15:2d:c2:59:d1:02:95:cb:7f:21:6c:86:2b:b5:58:
+ 02:80:9c:81:5f:b9:34:c8:d9:b9:47:64:22:2b:ec:37:41:ac:
+ f5:b7:3d:d2:f4:da:56:c3:ed:dd:f3:fe:13:83:b5:e7:23:53:
+ 18:63:87:9a:6b:b6:89:16:c1:72:0a:95:7d:74:93:6d:ee:2d:
+ 54:ac:69:d0:06:03:71:fc:e9:7d:8f:ec:b3:a9:12:ef:06:a3:
+ 85:85:f4:13
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
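Review bot: 08.pem re-issues the ISP5b key already certified in 05.pem (same modulus and Subject Key Identifier), and 0B.pem re-issues it again with identical extensions, so 08 and 0B differ only in serial, validity and signature. 07/0A for ISP5c and 09/0C for ISP5a pair up the same way. None of the dumps shows an Authority Key Identifier or CRL Distribution Points, so a test that loads the directory cannot tell from the certificates which serial is current or whether the earlier ones count as superseded. A short index next to the files would settle this, for example a README line like `08.pem  ISP5b  10.3.0.0/24  superseded by 0B.pem (placeholder, confirm)`.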
diff --git a/rpkid/resource-cert-samples/LIR3/09.pem b/rpkid/resource-cert-samples/LIR3/09.pem
new file mode 100644
index 00000000..280892fd
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR3/09.pem
@@ -0,0 +1,91 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 9 (0x9)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR3
+ Validity
+ Not Before: Aug 10 01:02:31 2007 GMT
+ Not After : Aug 9 01:02:31 2008 GMT
+ Subject: CN=TEST ENTITY ISP5a
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:e6:4b:ad:78:28:6b:e6:50:1b:65:81:d5:8d:2b:
+ 56:77:cd:bb:c9:47:a0:aa:32:b0:2c:ac:1f:f1:e4:
+ 90:2b:c2:33:6f:e7:53:b1:d0:1d:ab:05:27:9d:b7:
+ a1:ee:a8:4f:c8:5b:36:23:e3:12:e4:51:59:27:cd:
+ fd:7a:aa:dc:56:05:a1:73:ab:79:dd:3c:82:b2:8f:
+ ae:f9:ec:c0:36:38:e6:02:aa:fd:89:60:21:52:5b:
+ b6:33:80:75:e5:7f:fd:ac:6e:ec:d4:9a:26:2f:7e:
+ 28:45:16:29:47:7d:f3:8a:72:d5:e4:65:fa:f4:54:
+ 6f:ae:48:33:62:c1:32:f1:2b:83:33:36:63:60:9e:
+ bc:c7:e7:99:5d:51:da:cd:2f:8f:83:47:20:9e:e9:
+ cc:a3:72:c0:72:bd:49:2d:c4:52:ea:6f:da:42:46:
+ 71:90:c7:af:7f:9f:c7:dd:0b:96:96:3c:45:9f:c0:
+ ea:65:6a:43:e3:f3:92:d5:e1:73:c0:6e:20:f5:17:
+ e5:d1:58:da:21:b3:e9:0c:4d:f0:e8:bd:7c:b7:ef:
+ 81:c9:f5:70:cf:a8:20:7d:e2:6a:f9:1b:66:a9:c8:
+ 71:d6:32:f8:72:3d:83:99:19:0d:0c:6b:e9:f8:92:
+ cd:33:17:86:6a:3d:af:0d:05:94:ab:1c:d4:2c:a4:
+ 45:cb
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 09:F0:14:0B:79:FB:0B:FF:A8:EF:54:B9:EC:3E:B9:8B:D0:CB:9C:EC
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP5a/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR3.cer
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 10.0.0.0/24
+ IPv6:
+ 2001:db8:0:0:0:0:a00::/120
+
+ Signature Algorithm: sha256WithRSAEncryption
+ a2:9f:a6:5b:b3:c0:3c:68:b5:0f:d2:2f:fb:1a:6e:88:bb:29:
+ 53:68:29:48:c1:0e:8a:b6:02:58:24:16:d9:9c:e6:75:da:c6:
+ f1:24:51:d9:2e:a1:e1:46:ae:03:bb:55:2f:5c:0e:01:ce:cf:
+ 1b:65:3c:c7:7e:3c:37:84:88:86:70:91:eb:31:03:ba:48:f0:
+ 70:2f:b3:fe:a6:9d:62:75:a1:16:c8:10:a9:27:38:b1:34:53:
+ d7:4c:30:58:3f:49:c8:a5:59:b5:0c:7d:e1:70:40:ad:57:83:
+ 2b:66:cd:d7:82:28:85:f2:b0:ef:0e:ee:28:02:ac:59:27:b9:
+ e7:9f:a3:5a:09:da:34:b5:27:62:f5:7f:6b:d3:0b:85:66:f7:
+ fd:7d:cc:30:28:49:5a:da:1d:9f:21:38:d6:10:59:9e:e8:a8:
+ 5b:02:23:18:c8:20:e2:e7:df:34:a9:c0:aa:99:ec:20:25:35:
+ 38:a8:36:2a:08:e2:98:23:2c:ed:f0:85:2d:0c:2f:dc:a2:81:
+ 60:7b:f3:1b:53:ab:dd:f2:ea:1e:e7:bc:4d:20:a9:5e:a3:02:
+ 3c:24:c0:73:66:e1:2b:c1:8b:c5:7d:f7:04:09:8b:38:1a:95:
+ 6b:c0:d8:23:10:18:9d:61:37:03:d5:76:29:f2:a8:4e:a4:78:
+ 37:d1:5d:59
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR3/0A.pem b/rpkid/resource-cert-samples/LIR3/0A.pem
new file mode 100644
index 00000000..e34e0d82
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR3/0A.pem
@@ -0,0 +1,88 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 10 (0xa)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR3
+ Validity
+ Not Before: Aug 10 01:07:09 2007 GMT
+ Not After : Aug 9 01:07:09 2008 GMT
+ Subject: CN=TEST ENTITY ISP5c
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:c8:8b:a1:25:65:df:ee:a2:7f:54:af:52:0a:1a:
+ 1a:fa:0d:75:b3:3c:e9:e0:29:d3:89:20:e9:51:49:
+ 67:2c:43:da:a0:2c:d4:44:b3:96:14:a9:07:77:60:
+ b9:6f:01:ef:8e:54:a5:74:ac:5a:67:f8:30:4d:10:
+ f9:ac:9f:b8:75:61:0b:f6:e7:7c:ea:9b:5c:98:7a:
+ 4b:3e:c4:e2:59:42:d3:19:ca:0f:58:0e:b7:c8:82:
+ 4e:e5:bb:ac:fd:92:e5:88:b2:fc:64:cf:6e:38:3b:
+ 18:83:fc:e7:a6:ae:fb:90:36:d0:e1:ca:4d:90:41:
+ 0f:0f:3b:2a:c0:0c:d9:7b:7d:e8:50:13:f6:09:73:
+ 82:a3:d2:e3:bb:82:08:87:7f:d2:bb:0e:0e:7a:28:
+ b6:25:02:b5:d9:51:fc:33:32:47:47:ff:cf:7f:bc:
+ ee:00:01:bb:05:5e:2e:03:9a:ad:95:3b:ca:c2:c6:
+ 87:64:74:39:aa:59:6b:ae:e0:a7:51:1a:07:f2:8e:
+ 4c:8e:65:2f:df:f2:99:ba:e0:b6:8a:4f:c0:20:72:
+ 79:98:00:8f:0d:50:13:3d:d1:3e:8c:bd:dc:74:a9:
+ 33:a8:56:1d:31:78:7c:e7:02:9e:8d:0a:14:12:6d:
+ d3:37:c7:7a:f0:84:10:fe:fe:4d:28:97:26:6e:08:
+ 85:a1
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 2D:87:C1:9A:F8:58:2B:BD:C2:F8:7E:30:47:B3:A9:88:37:C9:EB:46
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP5c/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR3.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64534-64540
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 2b:e4:c0:d0:33:fd:74:82:bc:70:b2:2f:e9:5d:9b:9e:b0:f8:
+ fb:be:db:ec:36:e5:55:03:82:a0:53:f1:9f:bb:06:b1:b2:3c:
+ cb:f5:b8:6d:f8:0d:b8:f3:00:b8:2d:84:0a:ca:ac:08:b9:0c:
+ 73:d9:5f:d9:87:97:8b:67:81:59:16:52:8a:f4:da:1c:94:5b:
+ 4b:4a:bf:01:7d:6e:1e:99:cf:fe:c3:93:79:ef:7a:d3:51:72:
+ 51:6d:cc:c3:60:25:f6:0a:ce:1b:de:3d:2a:82:3e:6c:ae:17:
+ 9a:ae:86:44:b6:7c:9d:41:ee:89:81:18:32:18:8b:46:42:7b:
+ 11:d2:03:71:93:d5:1e:3a:a5:90:d1:a3:45:16:a8:d5:37:63:
+ a7:89:01:6a:e6:1a:25:bb:68:e6:4c:13:ee:e3:3e:36:a7:33:
+ 8c:f3:b9:8d:fd:0d:db:73:e8:af:42:14:c7:bc:32:b7:2a:fd:
+ 9c:1d:fe:f0:2a:32:9d:35:6b:08:dc:06:81:ec:06:be:ad:56:
+ 77:6b:26:95:9d:09:ae:90:23:5d:50:30:1d:4a:67:70:80:88:
+ 72:ea:de:17:b4:03:35:0e:a7:36:b6:e2:aa:30:ba:1d:90:0e:
+ 1d:e6:9d:f0:f7:00:74:ee:39:09:3a:3e:e3:23:12:41:25:fc:
+ 9f:e6:8d:0c
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR3/0B.pem b/rpkid/resource-cert-samples/LIR3/0B.pem
new file mode 100644
index 00000000..78d2f693
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR3/0B.pem
@@ -0,0 +1,91 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 11 (0xb)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR3
+ Validity
+ Not Before: Aug 10 01:07:09 2007 GMT
+ Not After : Aug 9 01:07:09 2008 GMT
+ Subject: CN=TEST ENTITY ISP5b
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:bf:8f:59:d8:fc:fa:1d:04:70:29:ce:7b:01:64:
+ 21:40:dc:5c:43:fe:4c:af:88:c8:62:9b:be:9c:72:
+ 8f:8a:a5:34:8a:3b:23:8d:9b:8a:4f:bf:66:ac:68:
+ 71:9c:fd:68:59:f5:bf:9f:4d:2e:b5:d6:e3:fa:bd:
+ f3:60:53:5c:b7:11:ac:95:0b:c0:87:cd:99:9e:94:
+ 57:8d:ec:05:b8:df:aa:fc:8e:38:d3:0f:65:6d:09:
+ 60:f2:e1:98:81:72:d8:51:3e:41:91:b3:10:95:f5:
+ f5:d0:f9:e5:5c:a1:85:fa:71:26:85:e3:d1:4c:02:
+ 7f:14:e2:1e:4a:8a:96:68:9e:d6:16:a5:ef:ad:b5:
+ 83:62:cd:23:74:7c:82:56:b4:d1:34:53:5a:8a:7a:
+ 61:9f:ae:54:5b:ef:f9:56:de:87:6b:42:92:bc:49:
+ f4:b5:c3:35:07:4a:18:47:d2:92:c6:1c:16:74:74:
+ b1:e9:39:3c:53:12:05:9d:eb:dc:9c:72:2b:97:4d:
+ 27:21:77:96:7d:4c:ce:79:0c:fb:a7:b8:99:6b:66:
+ 20:2e:56:9c:44:b4:e3:5e:80:c4:7d:78:a1:b4:05:
+ f7:20:7d:26:1e:44:bf:5d:69:15:3c:7a:24:67:bd:
+ b9:b5:08:0f:33:4d:af:3b:2d:e7:b9:ab:1d:2b:d6:
+ fb:73
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 6C:B3:65:94:FE:C6:9F:4A:50:9D:4D:8B:40:1A:A1:FD:97:17:97:92
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP5b/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR3.cer
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 10.3.0.0/24
+ IPv6:
+ 2001:db8:0:0:0:0:a03::/120
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 3f:f3:c1:ed:2e:d8:80:65:aa:b8:ea:d0:78:a9:fe:62:aa:70:
+ 6e:2e:af:19:8a:75:69:37:a0:d1:42:7e:da:c0:24:96:bc:00:
+ 7d:af:e9:a9:ab:c3:f1:e2:73:69:46:1c:61:83:ef:c9:7a:e3:
+ 75:4b:ca:93:91:9c:1f:c9:ab:2b:e5:71:f6:b2:06:55:eb:06:
+ b5:e4:89:76:44:c7:05:9e:b1:ee:7c:02:23:2e:6f:b0:ae:e8:
+ 80:ad:8f:de:20:e7:a8:6f:bf:8d:a5:6d:cf:c0:4a:c8:a0:24:
+ d1:65:34:29:58:87:eb:f1:4f:4b:bd:0a:ba:d0:e5:19:39:7b:
+ 8f:03:78:37:a6:fd:95:22:7d:be:ed:c6:af:90:e2:e3:bb:8a:
+ 74:73:93:2d:b8:76:ac:56:d8:a3:2b:d1:48:d6:51:46:32:72:
+ 7f:1d:b6:5b:ef:07:4f:f2:87:16:cd:8b:e5:f7:5a:c4:37:6f:
+ b7:dd:38:dc:c7:8b:21:91:46:b0:ba:76:3a:00:a8:fa:5d:24:
+ 80:56:14:d3:c3:8e:90:a8:4f:fa:de:79:91:9c:24:cc:aa:a1:
+ 85:b9:13:aa:88:12:f3:19:77:18:0e:62:a2:91:d9:fb:82:9e:
+ 13:83:b9:26:2e:cd:55:02:07:f4:53:35:f0:c4:e1:ec:99:ae:
+ 0f:ff:08:02
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR3/0C.pem b/rpkid/resource-cert-samples/LIR3/0C.pem
new file mode 100644
index 00000000..e3a801b4
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR3/0C.pem
@@ -0,0 +1,91 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 12 (0xc)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR3
+ Validity
+ Not Before: Aug 10 01:07:09 2007 GMT
+ Not After : Aug 9 01:07:09 2008 GMT
+ Subject: CN=TEST ENTITY ISP5a
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:e6:4b:ad:78:28:6b:e6:50:1b:65:81:d5:8d:2b:
+ 56:77:cd:bb:c9:47:a0:aa:32:b0:2c:ac:1f:f1:e4:
+ 90:2b:c2:33:6f:e7:53:b1:d0:1d:ab:05:27:9d:b7:
+ a1:ee:a8:4f:c8:5b:36:23:e3:12:e4:51:59:27:cd:
+ fd:7a:aa:dc:56:05:a1:73:ab:79:dd:3c:82:b2:8f:
+ ae:f9:ec:c0:36:38:e6:02:aa:fd:89:60:21:52:5b:
+ b6:33:80:75:e5:7f:fd:ac:6e:ec:d4:9a:26:2f:7e:
+ 28:45:16:29:47:7d:f3:8a:72:d5:e4:65:fa:f4:54:
+ 6f:ae:48:33:62:c1:32:f1:2b:83:33:36:63:60:9e:
+ bc:c7:e7:99:5d:51:da:cd:2f:8f:83:47:20:9e:e9:
+ cc:a3:72:c0:72:bd:49:2d:c4:52:ea:6f:da:42:46:
+ 71:90:c7:af:7f:9f:c7:dd:0b:96:96:3c:45:9f:c0:
+ ea:65:6a:43:e3:f3:92:d5:e1:73:c0:6e:20:f5:17:
+ e5:d1:58:da:21:b3:e9:0c:4d:f0:e8:bd:7c:b7:ef:
+ 81:c9:f5:70:cf:a8:20:7d:e2:6a:f9:1b:66:a9:c8:
+ 71:d6:32:f8:72:3d:83:99:19:0d:0c:6b:e9:f8:92:
+ cd:33:17:86:6a:3d:af:0d:05:94:ab:1c:d4:2c:a4:
+ 45:cb
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 09:F0:14:0B:79:FB:0B:FF:A8:EF:54:B9:EC:3E:B9:8B:D0:CB:9C:EC
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP5a/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR3.cer
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 10.0.0.0/24
+ IPv6:
+ 2001:db8:0:0:0:0:a00::/120
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 9c:79:5a:46:1a:3d:cc:72:7d:86:1f:86:4e:b9:13:a6:82:be:
+ 43:15:5b:dd:b0:1e:e0:f8:98:dc:5e:6b:b7:f4:05:45:36:29:
+ 73:1f:22:89:0a:7d:d9:7a:7c:b7:c0:31:f0:93:80:a0:66:68:
+ 72:15:4a:5a:09:9d:96:36:08:7c:78:ff:6f:81:ca:54:15:1f:
+ 57:4e:b2:b8:63:98:4d:12:20:6a:b1:91:ab:b0:a0:c0:dc:a6:
+ c2:03:88:58:e4:4d:2d:de:32:8f:1a:22:ef:c3:36:4c:ad:f6:
+ af:74:4f:2c:b2:55:3f:e2:0d:82:d1:d8:0d:c4:15:c9:3b:f4:
+ 9e:5c:de:47:62:e4:b5:59:6b:59:db:48:ca:46:10:af:2c:9c:
+ 31:c7:dc:50:bb:18:a7:ce:ec:50:f5:fb:90:55:4d:ff:3f:c1:
+ 6f:82:8f:0f:a3:00:00:fe:cf:5e:cf:48:59:15:de:36:37:ff:
+ c2:c8:bf:f8:82:39:52:eb:43:84:c4:d5:5f:de:e8:d8:56:58:
+ 7e:dd:82:a4:76:b8:31:42:45:cd:36:0b:52:87:4f:41:55:c4:
+ 42:4f:6b:2b:e5:57:1a:19:04:f9:70:d1:47:7a:ab:6e:94:91:
+ c8:d5:a4:17:01:56:ec:21:85:f9:03:1a:a8:6b:14:fc:a5:51:
+ cb:80:84:e3
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR3/0D.pem b/rpkid/resource-cert-samples/LIR3/0D.pem
new file mode 100644
index 00000000..6634de32
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR3/0D.pem
@@ -0,0 +1,76 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 13 (0xd)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR3
+ Validity
+ Not Before: Aug 10 01:13:39 2007 GMT
+ Not After : Aug 9 01:13:39 2008 GMT
+ Subject: CN=TEST ENTITY ISP5c
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:c8:8b:a1:25:65:df:ee:a2:7f:54:af:52:0a:1a:
+ 1a:fa:0d:75:b3:3c:e9:e0:29:d3:89:20:e9:51:49:
+ 67:2c:43:da:a0:2c:d4:44:b3:96:14:a9:07:77:60:
+ b9:6f:01:ef:8e:54:a5:74:ac:5a:67:f8:30:4d:10:
+ f9:ac:9f:b8:75:61:0b:f6:e7:7c:ea:9b:5c:98:7a:
+ 4b:3e:c4:e2:59:42:d3:19:ca:0f:58:0e:b7:c8:82:
+ 4e:e5:bb:ac:fd:92:e5:88:b2:fc:64:cf:6e:38:3b:
+ 18:83:fc:e7:a6:ae:fb:90:36:d0:e1:ca:4d:90:41:
+ 0f:0f:3b:2a:c0:0c:d9:7b:7d:e8:50:13:f6:09:73:
+ 82:a3:d2:e3:bb:82:08:87:7f:d2:bb:0e:0e:7a:28:
+ b6:25:02:b5:d9:51:fc:33:32:47:47:ff:cf:7f:bc:
+ ee:00:01:bb:05:5e:2e:03:9a:ad:95:3b:ca:c2:c6:
+ 87:64:74:39:aa:59:6b:ae:e0:a7:51:1a:07:f2:8e:
+ 4c:8e:65:2f:df:f2:99:ba:e0:b6:8a:4f:c0:20:72:
+ 79:98:00:8f:0d:50:13:3d:d1:3e:8c:bd:dc:74:a9:
+ 33:a8:56:1d:31:78:7c:e7:02:9e:8d:0a:14:12:6d:
+ d3:37:c7:7a:f0:84:10:fe:fe:4d:28:97:26:6e:08:
+ 85:a1
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP5c/
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 1f:7e:d1:95:bc:b5:52:1b:fc:3f:0b:29:18:d2:72:db:70:8b:
+ 00:7b:9a:d0:1e:f1:cc:bc:c7:7b:bf:eb:0f:01:13:8f:d4:29:
+ 5b:53:46:7b:d3:cb:72:a9:7b:98:ca:25:d3:8a:72:d2:f5:53:
+ 67:c6:e1:59:7b:1a:6b:92:37:fd:ce:98:12:5c:ae:f2:37:c4:
+ 41:7c:30:5d:19:54:9d:d2:ad:59:a2:df:b5:4a:d8:fb:ca:06:
+ bf:fb:2a:a5:85:64:d2:80:ab:d2:67:4e:a5:fa:92:cb:70:14:
+ 62:5d:ac:bf:1e:13:1f:7e:51:e7:56:08:7e:f7:6a:ae:d1:a2:
+ 14:d2:e7:e3:c7:aa:c6:29:65:66:f1:71:7f:59:8a:20:ba:01:
+ a4:12:c1:53:01:b4:c3:7c:fe:50:df:d9:7c:61:6f:e1:5d:54:
+ e4:1f:91:9c:80:ce:c9:e6:e9:c6:1c:8e:60:c2:dd:bf:72:6f:
+ 32:cb:37:fb:4b:b8:c3:46:16:53:ee:74:40:d4:f3:78:8a:1e:
+ e1:2d:2b:2b:fa:16:ea:f5:e3:85:10:57:43:68:33:54:cc:4d:
+ a7:16:ad:ce:79:da:dc:28:94:1d:54:36:2b:6a:37:9e:b0:85:
+ 44:9d:5c:f4:97:25:b0:3a:42:cf:c6:d0:c2:7c:f1:fc:81:53:
+ 0b:b7:b4:71
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR3/0E.pem b/rpkid/resource-cert-samples/LIR3/0E.pem
new file mode 100644
index 00000000..a6a893b1
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR3/0E.pem
@@ -0,0 +1,76 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 14 (0xe)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR3
+ Validity
+ Not Before: Aug 10 01:13:39 2007 GMT
+ Not After : Aug 9 01:13:39 2008 GMT
+ Subject: CN=TEST ENTITY ISP5b
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:bf:8f:59:d8:fc:fa:1d:04:70:29:ce:7b:01:64:
+ 21:40:dc:5c:43:fe:4c:af:88:c8:62:9b:be:9c:72:
+ 8f:8a:a5:34:8a:3b:23:8d:9b:8a:4f:bf:66:ac:68:
+ 71:9c:fd:68:59:f5:bf:9f:4d:2e:b5:d6:e3:fa:bd:
+ f3:60:53:5c:b7:11:ac:95:0b:c0:87:cd:99:9e:94:
+ 57:8d:ec:05:b8:df:aa:fc:8e:38:d3:0f:65:6d:09:
+ 60:f2:e1:98:81:72:d8:51:3e:41:91:b3:10:95:f5:
+ f5:d0:f9:e5:5c:a1:85:fa:71:26:85:e3:d1:4c:02:
+ 7f:14:e2:1e:4a:8a:96:68:9e:d6:16:a5:ef:ad:b5:
+ 83:62:cd:23:74:7c:82:56:b4:d1:34:53:5a:8a:7a:
+ 61:9f:ae:54:5b:ef:f9:56:de:87:6b:42:92:bc:49:
+ f4:b5:c3:35:07:4a:18:47:d2:92:c6:1c:16:74:74:
+ b1:e9:39:3c:53:12:05:9d:eb:dc:9c:72:2b:97:4d:
+ 27:21:77:96:7d:4c:ce:79:0c:fb:a7:b8:99:6b:66:
+ 20:2e:56:9c:44:b4:e3:5e:80:c4:7d:78:a1:b4:05:
+ f7:20:7d:26:1e:44:bf:5d:69:15:3c:7a:24:67:bd:
+ b9:b5:08:0f:33:4d:af:3b:2d:e7:b9:ab:1d:2b:d6:
+ fb:73
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP5b/
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 96:34:8a:58:26:99:07:8d:0c:24:fe:84:fb:00:19:d6:cc:64:
+ 39:28:1b:33:69:82:b7:1f:3b:0c:ae:96:94:d6:fa:a3:00:2c:
+ 7e:f7:68:60:e3:11:98:5c:86:1e:7b:47:44:0d:b0:e7:62:60:
+ ec:57:d6:ea:64:7c:66:45:57:5e:c9:b3:c3:54:9a:18:59:7d:
+ d4:2e:5e:30:cd:a8:41:51:21:83:ad:b2:b1:27:4d:a1:e7:72:
+ 25:43:f3:34:50:5a:dd:67:4e:72:ba:fa:5a:6d:c9:aa:01:67:
+ b5:71:4a:28:ee:1e:e7:5f:27:59:11:be:ee:25:f3:a5:b2:2e:
+ 8f:9a:6d:19:54:17:0b:97:a9:4a:49:bf:c3:44:3e:73:7d:93:
+ 03:f6:e2:a1:b1:7c:0a:a5:62:b5:5c:9e:9c:c7:f1:3f:ce:f3:
+ 35:2b:47:30:e6:f4:a4:b3:27:9e:37:08:1f:da:d5:ac:19:e8:
+ ba:72:ab:85:fe:c1:c9:d2:cc:75:f2:62:bc:37:21:ff:0f:df:
+ 8f:7f:6e:07:c6:8f:84:80:16:4a:1d:a3:fe:28:78:ba:10:9a:
+ ad:ef:03:f9:0a:c0:b9:fe:20:f7:6d:49:30:c0:26:e3:63:8d:
+ f3:6d:88:6a:b3:74:28:a2:a3:5c:2e:4e:2c:1f:46:d3:4a:c5:
+ b1:6f:aa:06
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR3/0F.pem b/rpkid/resource-cert-samples/LIR3/0F.pem
new file mode 100644
index 00000000..cca0bb04
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR3/0F.pem
@@ -0,0 +1,76 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 15 (0xf)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR3
+ Validity
+ Not Before: Aug 10 01:13:39 2007 GMT
+ Not After : Aug 9 01:13:39 2008 GMT
+ Subject: CN=TEST ENTITY ISP5a
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:e6:4b:ad:78:28:6b:e6:50:1b:65:81:d5:8d:2b:
+ 56:77:cd:bb:c9:47:a0:aa:32:b0:2c:ac:1f:f1:e4:
+ 90:2b:c2:33:6f:e7:53:b1:d0:1d:ab:05:27:9d:b7:
+ a1:ee:a8:4f:c8:5b:36:23:e3:12:e4:51:59:27:cd:
+ fd:7a:aa:dc:56:05:a1:73:ab:79:dd:3c:82:b2:8f:
+ ae:f9:ec:c0:36:38:e6:02:aa:fd:89:60:21:52:5b:
+ b6:33:80:75:e5:7f:fd:ac:6e:ec:d4:9a:26:2f:7e:
+ 28:45:16:29:47:7d:f3:8a:72:d5:e4:65:fa:f4:54:
+ 6f:ae:48:33:62:c1:32:f1:2b:83:33:36:63:60:9e:
+ bc:c7:e7:99:5d:51:da:cd:2f:8f:83:47:20:9e:e9:
+ cc:a3:72:c0:72:bd:49:2d:c4:52:ea:6f:da:42:46:
+ 71:90:c7:af:7f:9f:c7:dd:0b:96:96:3c:45:9f:c0:
+ ea:65:6a:43:e3:f3:92:d5:e1:73:c0:6e:20:f5:17:
+ e5:d1:58:da:21:b3:e9:0c:4d:f0:e8:bd:7c:b7:ef:
+ 81:c9:f5:70:cf:a8:20:7d:e2:6a:f9:1b:66:a9:c8:
+ 71:d6:32:f8:72:3d:83:99:19:0d:0c:6b:e9:f8:92:
+ cd:33:17:86:6a:3d:af:0d:05:94:ab:1c:d4:2c:a4:
+ 45:cb
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP5a/
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 71:9a:80:f3:ba:b7:60:6f:6c:f5:31:18:c9:e3:45:61:0a:93:
+ d9:c3:23:35:dc:11:da:cf:b4:c7:d5:36:cd:48:a7:63:c2:e9:
+ 44:3c:56:c1:60:e1:7a:ab:b1:03:32:22:c7:8d:d8:24:a9:e4:
+ 70:e9:d2:fd:7b:e6:20:2c:9d:ed:71:d2:9e:30:a0:f0:b2:67:
+ 87:87:f7:d5:96:da:67:d4:8a:e2:aa:f2:e8:2f:b2:cd:d7:92:
+ ed:9f:44:7f:f9:3d:f8:5d:c6:44:ef:a0:d3:98:41:ce:5b:c7:
+ c3:b1:bb:fc:08:ec:b4:4e:0c:4d:8e:30:63:f9:06:50:a3:b1:
+ 48:6e:c0:5b:ed:9a:7c:0e:ec:32:2e:c2:9e:12:28:94:9d:ed:
+ 3c:99:4c:74:73:6b:ec:58:41:b3:f9:58:fb:2c:31:00:7d:20:
+ 13:07:63:3e:a4:ca:59:95:37:3f:cf:b0:ae:6a:15:5a:09:8c:
+ 4b:77:c4:78:76:73:90:98:c6:2a:97:70:e1:c0:90:24:c0:3c:
+ a5:99:3f:74:d0:a2:e5:f5:d3:dc:52:35:71:7a:bd:48:38:a9:
+ 66:a7:42:28:ae:93:82:f3:1a:99:be:52:69:d4:f9:d1:15:4d:
+ 3f:2f:65:c6:9f:9f:73:00:59:f5:45:75:1f:35:06:e9:4a:b7:
+ b5:77:9a:bf
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR3/10.pem b/rpkid/resource-cert-samples/LIR3/10.pem
new file mode 100644
index 00000000..16656abb
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR3/10.pem
@@ -0,0 +1,88 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 16 (0x10)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR3
+ Validity
+ Not Before: Aug 10 01:15:10 2007 GMT
+ Not After : Aug 9 01:15:10 2008 GMT
+ Subject: CN=TEST ENTITY ISP5c
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:c8:8b:a1:25:65:df:ee:a2:7f:54:af:52:0a:1a:
+ 1a:fa:0d:75:b3:3c:e9:e0:29:d3:89:20:e9:51:49:
+ 67:2c:43:da:a0:2c:d4:44:b3:96:14:a9:07:77:60:
+ b9:6f:01:ef:8e:54:a5:74:ac:5a:67:f8:30:4d:10:
+ f9:ac:9f:b8:75:61:0b:f6:e7:7c:ea:9b:5c:98:7a:
+ 4b:3e:c4:e2:59:42:d3:19:ca:0f:58:0e:b7:c8:82:
+ 4e:e5:bb:ac:fd:92:e5:88:b2:fc:64:cf:6e:38:3b:
+ 18:83:fc:e7:a6:ae:fb:90:36:d0:e1:ca:4d:90:41:
+ 0f:0f:3b:2a:c0:0c:d9:7b:7d:e8:50:13:f6:09:73:
+ 82:a3:d2:e3:bb:82:08:87:7f:d2:bb:0e:0e:7a:28:
+ b6:25:02:b5:d9:51:fc:33:32:47:47:ff:cf:7f:bc:
+ ee:00:01:bb:05:5e:2e:03:9a:ad:95:3b:ca:c2:c6:
+ 87:64:74:39:aa:59:6b:ae:e0:a7:51:1a:07:f2:8e:
+ 4c:8e:65:2f:df:f2:99:ba:e0:b6:8a:4f:c0:20:72:
+ 79:98:00:8f:0d:50:13:3d:d1:3e:8c:bd:dc:74:a9:
+ 33:a8:56:1d:31:78:7c:e7:02:9e:8d:0a:14:12:6d:
+ d3:37:c7:7a:f0:84:10:fe:fe:4d:28:97:26:6e:08:
+ 85:a1
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 2D:87:C1:9A:F8:58:2B:BD:C2:F8:7E:30:47:B3:A9:88:37:C9:EB:46
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP5c/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR3.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64534-64540
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 67:a7:55:49:7b:68:d4:dd:67:16:e5:09:f3:ac:fb:1b:ea:83:
+ 58:e4:ba:4f:a4:2f:88:af:1e:05:da:46:b5:85:1a:14:87:c1:
+ 34:74:2d:35:4f:3d:2e:63:9a:cc:ac:28:8d:e5:61:a0:a5:73:
+ f5:25:c0:1b:11:27:b6:dc:4c:41:81:f4:d6:0d:f1:8a:af:69:
+ ae:32:23:d0:4a:fe:1d:d2:c6:ef:87:f5:93:01:42:c5:54:4d:
+ ce:73:d5:19:c7:c9:e6:1d:4c:2f:92:28:03:b2:cd:c5:a6:f6:
+ 6b:b1:bf:7c:1d:71:38:ac:85:93:c8:c2:a4:73:06:4b:f4:ff:
+ 5e:44:e0:57:9a:7e:f5:5f:4c:7d:6f:b6:6a:30:27:5e:ff:7d:
+ 8d:49:04:34:05:1a:87:2e:36:c3:aa:13:b1:91:f0:57:ad:a7:
+ 9e:d3:be:fa:de:af:db:42:f6:bd:06:04:2e:71:e0:5e:82:4a:
+ 4f:dd:57:0f:29:ca:09:db:a8:e4:fd:82:5d:ff:55:24:a4:9a:
+ 64:26:d0:02:1f:f2:4d:92:28:9b:1d:bb:f6:6f:2a:d3:25:48:
+ 87:04:96:37:9f:90:7c:15:6d:c7:18:ef:a7:6b:0e:b1:37:6c:
+ ae:69:7e:49:81:8c:de:b9:f7:34:ee:6d:48:26:92:7f:8f:0c:
+ 95:7d:08:eb
+-----BEGIN CERTIFICATE-----
+MIIDozCCAougAwIBAgIBEDANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBURVNU
+IEVOVElUWSBMSVIzMB4XDTA3MDgxMDAxMTUxMFoXDTA4MDgwOTAxMTUxMFowHDEa
+MBgGA1UEAxMRVEVTVCBFTlRJVFkgSVNQNWMwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDIi6ElZd/uon9Ur1IKGhr6DXWzPOngKdOJIOlRSWcsQ9qgLNRE
+s5YUqQd3YLlvAe+OVKV0rFpn+DBNEPmsn7h1YQv253zqm1yYeks+xOJZQtMZyg9Y
+DrfIgk7lu6z9kuWIsvxkz244OxiD/OemrvuQNtDhyk2QQQ8POyrADNl7fehQE/YJ
+c4Kj0uO7ggiHf9K7Dg56KLYlArXZUfwzMkdH/89/vO4AAbsFXi4Dmq2VO8rCxodk
+dDmqWWuu4KdRGgfyjkyOZS/f8pm64LaKT8AgcnmYAI8NUBM90T6Mvdx0qTOoVh0x
+eHznAp6NChQSbdM3x3rwhBD+/k0olyZuCIWhAgMBAAGjgfAwge0wDwYDVR0TAQH/
+BAUwAwEB/zAdBgNVHQ4EFgQULYfBmvhYK73C+H4wR7OpiDfJ60YwDgYDVR0PAQH/
+BAQDAgEGMEIGCCsGAQUFBwELBDYwNDAyBggrBgEFBQcwBYYmcnN5bmM6Ly93b21i
+YXRzLXItdXMuaGFjdHJuLm5ldC9JU1A1Yy8wRAYIKwYBBQUHAQEEODA2MDQGCCsG
+AQUFBzAChihyc3luYzovL3dvbWJhdHMtci11cy5oYWN0cm4ubmV0L0xJUjMuY2Vy
+MCEGCCsGAQUFBwEIAQH/BBIwEKAOMAwwCgIDAPwWAgMA/BwwDQYJKoZIhvcNAQEL
+BQADggEBAGenVUl7aNTdZxblCfOs+xvqg1jkuk+kL4ivHgXaRrWFGhSHwTR0LTVP
+PS5jmsysKI3lYaClc/UlwBsRJ7bcTEGB9NYN8Yqvaa4yI9BK/h3Sxu+H9ZMBQsVU
+Tc5z1RnHyeYdTC+SKAOyzcWm9muxv3wdcTishZPIwqRzBkv0/15E4FeafvVfTH1v
+tmowJ17/fY1JBDQFGocuNsOqE7GR8Fetp57Tvvrer9tC9r0GBC5x4F6CSk/dVw8p
+ygnbqOT9gl3/VSSkmmQm0AIf8k2SKJsdu/ZvKtMlSIcEljefkHwVbccY76drDrE3
+bK5pfkmBjN659zTubUgmkn+PDJV9COs=
+-----END CERTIFICATE-----
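Review bot: The validity window in this fixture is fixed (Not Before Aug 10 2007, Not After Aug 9 2008), so any test that validates it against the wall clock will start failing once that date passes; the other LIR3 samples visible in this diff carry similar one-year windows. The decoded extensions list a Subject Key Identifier, SIA and AIA but no Authority Key Identifier or CRL Distribution Points, so a validator cannot match the issuer by key identifier or locate a CRL from the certificate itself; it is worth confirming that this is intended for the samples. These are `CA:TRUE` certificates with no path length constraint, so a header line ahead of `Certificate:` such as `Test fixture only - do not add to a trust store; expires 2008-08-09` would make their status explicit. The file already carries the text dump outside the BEGIN/END markers, so such a line should not affect PEM parsing, though that is worth checking against whatever loader consumes these files.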
diff --git a/rpkid/resource-cert-samples/LIR3/11.pem b/rpkid/resource-cert-samples/LIR3/11.pem
new file mode 100644
index 00000000..7342b3c4
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR3/11.pem
@@ -0,0 +1,91 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 17 (0x11)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR3
+ Validity
+ Not Before: Aug 10 01:15:10 2007 GMT
+ Not After : Aug 9 01:15:10 2008 GMT
+ Subject: CN=TEST ENTITY ISP5b
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:bf:8f:59:d8:fc:fa:1d:04:70:29:ce:7b:01:64:
+ 21:40:dc:5c:43:fe:4c:af:88:c8:62:9b:be:9c:72:
+ 8f:8a:a5:34:8a:3b:23:8d:9b:8a:4f:bf:66:ac:68:
+ 71:9c:fd:68:59:f5:bf:9f:4d:2e:b5:d6:e3:fa:bd:
+ f3:60:53:5c:b7:11:ac:95:0b:c0:87:cd:99:9e:94:
+ 57:8d:ec:05:b8:df:aa:fc:8e:38:d3:0f:65:6d:09:
+ 60:f2:e1:98:81:72:d8:51:3e:41:91:b3:10:95:f5:
+ f5:d0:f9:e5:5c:a1:85:fa:71:26:85:e3:d1:4c:02:
+ 7f:14:e2:1e:4a:8a:96:68:9e:d6:16:a5:ef:ad:b5:
+ 83:62:cd:23:74:7c:82:56:b4:d1:34:53:5a:8a:7a:
+ 61:9f:ae:54:5b:ef:f9:56:de:87:6b:42:92:bc:49:
+ f4:b5:c3:35:07:4a:18:47:d2:92:c6:1c:16:74:74:
+ b1:e9:39:3c:53:12:05:9d:eb:dc:9c:72:2b:97:4d:
+ 27:21:77:96:7d:4c:ce:79:0c:fb:a7:b8:99:6b:66:
+ 20:2e:56:9c:44:b4:e3:5e:80:c4:7d:78:a1:b4:05:
+ f7:20:7d:26:1e:44:bf:5d:69:15:3c:7a:24:67:bd:
+ b9:b5:08:0f:33:4d:af:3b:2d:e7:b9:ab:1d:2b:d6:
+ fb:73
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 6C:B3:65:94:FE:C6:9F:4A:50:9D:4D:8B:40:1A:A1:FD:97:17:97:92
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP5b/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR3.cer
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 10.3.0.0/24
+ IPv6:
+ 2001:db8:0:0:0:0:a03::/120
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 76:a6:64:04:5d:a3:16:7a:fe:0a:e7:44:c0:de:82:1c:c8:06:
+ a3:08:2b:4a:fb:44:99:79:dc:52:c8:8c:af:6f:17:24:9a:08:
+ 29:37:e2:ae:e7:39:cf:7e:ef:53:d1:82:87:1d:f8:a3:5c:ee:
+ db:a8:dc:6f:7b:78:9f:29:6b:c7:1c:98:28:e0:e3:e5:35:bb:
+ 87:46:fd:14:c1:d2:b7:92:6f:9d:d0:74:8a:54:30:97:ef:b5:
+ d3:4f:18:10:fc:ec:21:3f:76:08:7d:e9:ac:c5:5d:a7:b7:e8:
+ 4d:24:00:fa:e6:2b:82:b9:65:5f:b6:a3:7f:8c:bf:5d:9e:1b:
+ 9c:61:66:a3:37:db:59:d1:c4:eb:c3:06:3a:1b:2a:a1:a8:21:
+ 05:77:ab:bc:36:ef:08:7e:40:87:e3:c7:4c:eb:0c:5a:2a:03:
+ f8:26:b6:30:a8:04:a4:af:ad:63:e3:5c:19:7f:a9:50:30:e8:
+ f7:cc:fb:ef:ee:ba:90:e0:1b:24:dd:aa:dc:d9:90:11:5e:cb:
+ 3f:3a:d8:fd:c0:80:6b:1e:c2:eb:bb:70:57:b4:54:78:a2:12:
+ eb:6f:cd:5f:65:c3:3d:cf:62:0c:18:02:f1:8f:6e:04:30:25:
+ 82:15:6e:25:0f:3c:09:5e:e6:49:cd:73:e5:68:a9:82:3c:93:
+ 22:47:07:4f
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR3/12.pem b/rpkid/resource-cert-samples/LIR3/12.pem
new file mode 100644
index 00000000..2ca7eef4
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR3/12.pem
@@ -0,0 +1,91 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 18 (0x12)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR3
+ Validity
+ Not Before: Aug 10 01:15:10 2007 GMT
+ Not After : Aug 9 01:15:10 2008 GMT
+ Subject: CN=TEST ENTITY ISP5a
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:e6:4b:ad:78:28:6b:e6:50:1b:65:81:d5:8d:2b:
+ 56:77:cd:bb:c9:47:a0:aa:32:b0:2c:ac:1f:f1:e4:
+ 90:2b:c2:33:6f:e7:53:b1:d0:1d:ab:05:27:9d:b7:
+ a1:ee:a8:4f:c8:5b:36:23:e3:12:e4:51:59:27:cd:
+ fd:7a:aa:dc:56:05:a1:73:ab:79:dd:3c:82:b2:8f:
+ ae:f9:ec:c0:36:38:e6:02:aa:fd:89:60:21:52:5b:
+ b6:33:80:75:e5:7f:fd:ac:6e:ec:d4:9a:26:2f:7e:
+ 28:45:16:29:47:7d:f3:8a:72:d5:e4:65:fa:f4:54:
+ 6f:ae:48:33:62:c1:32:f1:2b:83:33:36:63:60:9e:
+ bc:c7:e7:99:5d:51:da:cd:2f:8f:83:47:20:9e:e9:
+ cc:a3:72:c0:72:bd:49:2d:c4:52:ea:6f:da:42:46:
+ 71:90:c7:af:7f:9f:c7:dd:0b:96:96:3c:45:9f:c0:
+ ea:65:6a:43:e3:f3:92:d5:e1:73:c0:6e:20:f5:17:
+ e5:d1:58:da:21:b3:e9:0c:4d:f0:e8:bd:7c:b7:ef:
+ 81:c9:f5:70:cf:a8:20:7d:e2:6a:f9:1b:66:a9:c8:
+ 71:d6:32:f8:72:3d:83:99:19:0d:0c:6b:e9:f8:92:
+ cd:33:17:86:6a:3d:af:0d:05:94:ab:1c:d4:2c:a4:
+ 45:cb
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 09:F0:14:0B:79:FB:0B:FF:A8:EF:54:B9:EC:3E:B9:8B:D0:CB:9C:EC
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP5a/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR3.cer
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 10.0.0.0/24
+ IPv6:
+ 2001:db8:0:0:0:0:a00::/120
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 36:9d:84:eb:95:7f:1e:45:82:16:54:14:e6:50:f9:61:6f:a2:
+ 16:01:57:9c:f6:c3:00:d7:00:8f:a4:af:12:c7:71:f9:ac:e7:
+ f5:57:5e:8a:92:6e:00:08:d4:b1:2e:bf:07:cc:e8:f9:05:97:
+ 21:fe:00:12:ab:33:ad:77:3d:01:54:be:c7:57:1d:b6:ba:e8:
+ 71:56:35:71:67:10:5f:78:67:92:d9:b2:3f:26:12:78:e2:5b:
+ 24:ed:b3:45:95:d7:6c:c3:0a:c9:7c:e7:db:e3:e9:90:24:cb:
+ a1:a0:3e:05:7f:8d:4e:bc:a5:39:c6:b1:ac:29:21:28:9f:d4:
+ 58:3f:cd:07:d0:81:fd:d4:e2:b8:cc:ef:b1:75:cb:eb:73:30:
+ f8:84:7a:bb:42:bf:bf:23:4e:e9:34:1e:c0:49:ea:ed:9a:62:
+ 70:f8:79:08:4b:b1:80:a1:da:a6:c5:3e:78:20:5e:10:da:81:
+ 29:8f:ff:6d:0e:d8:91:be:ee:2e:f7:c0:cc:87:88:45:3f:73:
+ 63:ba:a0:66:73:94:6c:79:aa:f4:ec:85:62:32:2b:aa:f2:0d:
+ a5:66:42:f4:ca:83:8b:b5:73:a5:78:2f:0e:bc:87:e4:ec:1a:
+ 2b:c3:83:55:8e:35:65:39:62:41:86:74:d5:2a:a5:c6:05:03:
+ 0a:e2:ea:76
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR3/13.pem b/rpkid/resource-cert-samples/LIR3/13.pem
new file mode 100644
index 00000000..3fea16ec
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR3/13.pem
@@ -0,0 +1,88 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 19 (0x13)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR3
+ Validity
+ Not Before: Oct 19 19:06:07 2007 GMT
+ Not After : Oct 18 19:06:07 2008 GMT
+ Subject: CN=TEST ENTITY ISP5c
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:c8:8b:a1:25:65:df:ee:a2:7f:54:af:52:0a:1a:
+ 1a:fa:0d:75:b3:3c:e9:e0:29:d3:89:20:e9:51:49:
+ 67:2c:43:da:a0:2c:d4:44:b3:96:14:a9:07:77:60:
+ b9:6f:01:ef:8e:54:a5:74:ac:5a:67:f8:30:4d:10:
+ f9:ac:9f:b8:75:61:0b:f6:e7:7c:ea:9b:5c:98:7a:
+ 4b:3e:c4:e2:59:42:d3:19:ca:0f:58:0e:b7:c8:82:
+ 4e:e5:bb:ac:fd:92:e5:88:b2:fc:64:cf:6e:38:3b:
+ 18:83:fc:e7:a6:ae:fb:90:36:d0:e1:ca:4d:90:41:
+ 0f:0f:3b:2a:c0:0c:d9:7b:7d:e8:50:13:f6:09:73:
+ 82:a3:d2:e3:bb:82:08:87:7f:d2:bb:0e:0e:7a:28:
+ b6:25:02:b5:d9:51:fc:33:32:47:47:ff:cf:7f:bc:
+ ee:00:01:bb:05:5e:2e:03:9a:ad:95:3b:ca:c2:c6:
+ 87:64:74:39:aa:59:6b:ae:e0:a7:51:1a:07:f2:8e:
+ 4c:8e:65:2f:df:f2:99:ba:e0:b6:8a:4f:c0:20:72:
+ 79:98:00:8f:0d:50:13:3d:d1:3e:8c:bd:dc:74:a9:
+ 33:a8:56:1d:31:78:7c:e7:02:9e:8d:0a:14:12:6d:
+ d3:37:c7:7a:f0:84:10:fe:fe:4d:28:97:26:6e:08:
+ 85:a1
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 2D:87:C1:9A:F8:58:2B:BD:C2:F8:7E:30:47:B3:A9:88:37:C9:EB:46
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP5c/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR3.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64534-64540
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 36:12:96:70:b8:91:46:d3:30:35:cf:9b:f2:ce:98:5b:0c:25:
+ a6:3e:10:60:44:b3:1a:fc:3d:93:b6:f3:e9:50:30:aa:16:29:
+ 18:6f:62:f1:02:2a:fd:51:02:79:5b:30:ee:2a:f9:fb:16:fb:
+ 31:eb:ab:cf:cb:f8:af:82:ad:42:24:06:0c:c2:bd:88:c4:d9:
+ d3:b2:7a:51:e7:70:24:d1:33:73:ae:3f:9a:ec:7c:56:88:ae:
+ b3:0a:49:03:4a:74:11:02:96:c0:be:8c:8c:f3:d0:53:3e:63:
+ 08:72:ce:6c:3d:6a:2f:c2:6a:7f:f5:1a:aa:af:f0:9a:03:be:
+ 15:38:27:9a:e3:c4:53:8d:d3:69:bb:18:c6:2e:a5:25:ba:08:
+ f7:86:fe:c0:a1:a0:b0:60:3b:66:aa:52:d1:a0:92:87:1b:96:
+ 52:ba:4e:32:0f:72:5d:6f:61:52:2c:c5:1b:b8:74:34:f5:77:
+ 16:47:44:af:de:10:f7:0f:e8:ff:6e:6f:dd:a0:8e:3c:0b:b7:
+ 5c:d8:76:00:1c:dd:26:ba:fd:a5:42:6e:ea:69:12:59:64:8d:
+ bc:5d:90:eb:5b:04:85:2f:e8:b7:a2:cb:af:9e:a8:0c:f6:c3:
+ bd:e0:b1:5b:58:12:36:b2:ed:bd:61:53:33:5c:4a:a2:d3:79:
+ e5:dc:54:56
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR3/14.pem b/rpkid/resource-cert-samples/LIR3/14.pem
new file mode 100644
index 00000000..6173347f
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR3/14.pem
@@ -0,0 +1,91 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 20 (0x14)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR3
+ Validity
+ Not Before: Oct 19 19:06:07 2007 GMT
+ Not After : Oct 18 19:06:07 2008 GMT
+ Subject: CN=TEST ENTITY ISP5b
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:bf:8f:59:d8:fc:fa:1d:04:70:29:ce:7b:01:64:
+ 21:40:dc:5c:43:fe:4c:af:88:c8:62:9b:be:9c:72:
+ 8f:8a:a5:34:8a:3b:23:8d:9b:8a:4f:bf:66:ac:68:
+ 71:9c:fd:68:59:f5:bf:9f:4d:2e:b5:d6:e3:fa:bd:
+ f3:60:53:5c:b7:11:ac:95:0b:c0:87:cd:99:9e:94:
+ 57:8d:ec:05:b8:df:aa:fc:8e:38:d3:0f:65:6d:09:
+ 60:f2:e1:98:81:72:d8:51:3e:41:91:b3:10:95:f5:
+ f5:d0:f9:e5:5c:a1:85:fa:71:26:85:e3:d1:4c:02:
+ 7f:14:e2:1e:4a:8a:96:68:9e:d6:16:a5:ef:ad:b5:
+ 83:62:cd:23:74:7c:82:56:b4:d1:34:53:5a:8a:7a:
+ 61:9f:ae:54:5b:ef:f9:56:de:87:6b:42:92:bc:49:
+ f4:b5:c3:35:07:4a:18:47:d2:92:c6:1c:16:74:74:
+ b1:e9:39:3c:53:12:05:9d:eb:dc:9c:72:2b:97:4d:
+ 27:21:77:96:7d:4c:ce:79:0c:fb:a7:b8:99:6b:66:
+ 20:2e:56:9c:44:b4:e3:5e:80:c4:7d:78:a1:b4:05:
+ f7:20:7d:26:1e:44:bf:5d:69:15:3c:7a:24:67:bd:
+ b9:b5:08:0f:33:4d:af:3b:2d:e7:b9:ab:1d:2b:d6:
+ fb:73
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 6C:B3:65:94:FE:C6:9F:4A:50:9D:4D:8B:40:1A:A1:FD:97:17:97:92
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP5b/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR3.cer
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 10.3.0.0/24
+ IPv6:
+ 2001:db8:0:0:0:0:a03::/120
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 22:c9:29:33:23:37:da:af:8a:41:20:fe:35:f1:2a:25:86:ba:
+ 88:08:d5:a5:26:79:f7:86:75:50:9b:ef:69:e0:c6:04:6b:0a:
+ e0:3f:06:78:ee:b5:9c:c3:23:45:8c:2b:f0:26:4d:9e:94:da:
+ c8:d0:a0:b3:71:bd:b5:89:dc:f5:0a:c5:56:a6:f8:1e:0f:fc:
+ 27:cc:ec:42:ae:ca:7b:f6:61:f9:df:80:8d:87:85:e0:79:1b:
+ 0c:32:82:37:e2:59:7c:65:7b:bd:48:ba:c0:13:24:74:f2:6a:
+ 73:f8:47:a8:c7:7b:b3:89:0d:2e:5e:fc:09:06:5c:4d:4d:6e:
+ 3b:c4:c1:57:c7:59:68:96:bd:97:91:df:91:d9:9d:8c:08:ef:
+ 82:7c:0a:dc:54:5b:7b:1d:d9:cb:1b:a6:ca:ce:82:1b:1c:4e:
+ cb:42:2e:42:7a:8c:0b:00:74:2c:b6:14:41:fc:e8:51:f0:20:
+ 1b:81:61:3d:47:ef:a2:9b:0d:0b:89:57:11:34:9f:f2:21:9e:
+ c9:9f:f1:39:d0:2f:73:97:86:8a:cb:ab:90:67:76:25:06:8b:
+ a2:cf:94:1a:84:09:bd:0e:d1:28:52:7f:f1:52:69:9b:d2:66:
+ b9:51:7a:87:e2:b1:cf:b2:d2:c4:00:fe:16:d1:29:ac:f6:61:
+ 6b:58:89:0d
+-----BEGIN CERTIFICATE-----
+MIIDvTCCAqWgAwIBAgIBFDANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBURVNU
+IEVOVElUWSBMSVIzMB4XDTA3MTAxOTE5MDYwN1oXDTA4MTAxODE5MDYwN1owHDEa
+MBgGA1UEAxMRVEVTVCBFTlRJVFkgSVNQNWIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQC/j1nY/PodBHApznsBZCFA3FxD/kyviMhim76cco+KpTSKOyON
+m4pPv2asaHGc/WhZ9b+fTS611uP6vfNgU1y3EayVC8CHzZmelFeN7AW436r8jjjT
+D2VtCWDy4ZiBcthRPkGRsxCV9fXQ+eVcoYX6cSaF49FMAn8U4h5KipZontYWpe+t
+tYNizSN0fIJWtNE0U1qKemGfrlRb7/lW3odrQpK8SfS1wzUHShhH0pLGHBZ0dLHp
+OTxTEgWd69ycciuXTSchd5Z9TM55DPunuJlrZiAuVpxEtONegMR9eKG0BfcgfSYe
+RL9daRU8eiRnvbm1CA8zTa87Lee5qx0r1vtzAgMBAAGjggEJMIIBBTAPBgNVHRMB
+Af8EBTADAQH/MB0GA1UdDgQWBBRss2WU/safSlCdTYtAGqH9lxeXkjAOBgNVHQ8B
+Af8EBAMCAQYwQgYIKwYBBQUHAQsENjA0MDIGCCsGAQUFBzAFhiZyc3luYzovL3dv
+bWJhdHMtci11cy5oYWN0cm4ubmV0L0lTUDViLzBEBggrBgEFBQcBAQQ4MDYwNAYI
+KwYBBQUHMAKGKHJzeW5jOi8vd29tYmF0cy1yLXVzLmhhY3Rybi5uZXQvTElSMy5j
+ZXIwOQYIKwYBBQUHAQcBAf8EKjAoMAwEAgABMAYDBAAKAwAwGAQCAAIwEgMQACAB
+DbgAAAAAAAAAAAoDADANBgkqhkiG9w0BAQsFAAOCAQEAIskpMyM32q+KQSD+NfEq
+JYa6iAjVpSZ594Z1UJvvaeDGBGsK4D8GeO61nMMjRYwr8CZNnpTayNCgs3G9tYnc
+9QrFVqb4Hg/8J8zsQq7Ke/Zh+d+AjYeF4HkbDDKCN+JZfGV7vUi6wBMkdPJqc/hH
+qMd7s4kNLl78CQZcTU1uO8TBV8dZaJa9l5HfkdmdjAjvgnwK3FRbex3Zyxumys6C
+GxxOy0IuQnqMCwB0LLYUQfzoUfAgG4FhPUfvopsNC4lXETSf8iGeyZ/xOdAvc5eG
+isurkGd2JQaLos+UGoQJvQ7RKFJ/8VJpm9JmuVF6h+Kxz7LSxAD+FtEprPZha1iJ
+DQ==
+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR3/15.pem b/rpkid/resource-cert-samples/LIR3/15.pem
new file mode 100644
index 00000000..53d5d71f
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR3/15.pem
@@ -0,0 +1,91 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 21 (0x15)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR3
+ Validity
+ Not Before: Oct 19 19:06:07 2007 GMT
+ Not After : Oct 18 19:06:07 2008 GMT
+ Subject: CN=TEST ENTITY ISP5a
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:e6:4b:ad:78:28:6b:e6:50:1b:65:81:d5:8d:2b:
+ 56:77:cd:bb:c9:47:a0:aa:32:b0:2c:ac:1f:f1:e4:
+ 90:2b:c2:33:6f:e7:53:b1:d0:1d:ab:05:27:9d:b7:
+ a1:ee:a8:4f:c8:5b:36:23:e3:12:e4:51:59:27:cd:
+ fd:7a:aa:dc:56:05:a1:73:ab:79:dd:3c:82:b2:8f:
+ ae:f9:ec:c0:36:38:e6:02:aa:fd:89:60:21:52:5b:
+ b6:33:80:75:e5:7f:fd:ac:6e:ec:d4:9a:26:2f:7e:
+ 28:45:16:29:47:7d:f3:8a:72:d5:e4:65:fa:f4:54:
+ 6f:ae:48:33:62:c1:32:f1:2b:83:33:36:63:60:9e:
+ bc:c7:e7:99:5d:51:da:cd:2f:8f:83:47:20:9e:e9:
+ cc:a3:72:c0:72:bd:49:2d:c4:52:ea:6f:da:42:46:
+ 71:90:c7:af:7f:9f:c7:dd:0b:96:96:3c:45:9f:c0:
+ ea:65:6a:43:e3:f3:92:d5:e1:73:c0:6e:20:f5:17:
+ e5:d1:58:da:21:b3:e9:0c:4d:f0:e8:bd:7c:b7:ef:
+ 81:c9:f5:70:cf:a8:20:7d:e2:6a:f9:1b:66:a9:c8:
+ 71:d6:32:f8:72:3d:83:99:19:0d:0c:6b:e9:f8:92:
+ cd:33:17:86:6a:3d:af:0d:05:94:ab:1c:d4:2c:a4:
+ 45:cb
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 09:F0:14:0B:79:FB:0B:FF:A8:EF:54:B9:EC:3E:B9:8B:D0:CB:9C:EC
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP5a/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR3.cer
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 10.0.0.0/24
+ IPv6:
+ 2001:db8:0:0:0:0:a00::/120
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 88:85:75:52:a4:57:62:32:86:d7:72:f8:f5:a2:ea:4c:a9:a7:
+ 09:c7:a8:b0:12:0e:e1:69:d2:99:de:46:59:52:d8:ef:9e:3f:
+ 45:8e:b4:03:cf:64:e1:db:f0:57:37:e8:f3:23:d2:7e:f4:6a:
+ 74:64:3a:7a:3b:e1:e6:bb:0d:f0:1d:12:e3:1a:59:c3:b5:6f:
+ 29:b7:80:3c:c2:76:2a:b2:be:09:3a:95:99:5a:82:05:b4:10:
+ 70:f0:29:2f:96:27:0c:c4:83:e6:df:e0:ce:37:ad:32:0a:0b:
+ a8:38:4b:a8:50:e9:17:61:c6:fb:bc:41:54:8b:fc:e4:a7:e9:
+ 69:03:23:90:2c:bd:3f:e5:74:13:91:89:77:df:88:cb:4c:58:
+ af:be:7e:af:e7:2c:e2:28:64:e6:5f:f3:09:a0:21:89:12:85:
+ 89:50:a2:ff:d6:88:c0:9f:25:5b:40:b1:b2:6f:6c:bb:d3:32:
+ b9:24:9c:70:bb:94:be:63:a2:da:fb:a8:2c:8b:ff:83:00:8b:
+ 8d:cb:8f:cc:6d:b8:05:ba:0d:b3:67:05:ff:f6:40:2d:bb:7d:
+ c5:0d:df:6d:42:d4:79:11:2c:12:34:55:8a:63:4b:50:e4:95:
+ 92:86:36:b8:a6:24:15:33:40:7f:c7:32:b9:de:fc:fd:eb:60:
+ eb:81:3d:e2
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR3/16.pem b/rpkid/resource-cert-samples/LIR3/16.pem
new file mode 100644
index 00000000..a35e6d8c
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR3/16.pem
@@ -0,0 +1,88 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 22 (0x16)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR3
+ Validity
+ Not Before: Oct 29 16:03:51 2007 GMT
+ Not After : Oct 28 16:03:51 2008 GMT
+ Subject: CN=TEST ENTITY ISP5c
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:c8:8b:a1:25:65:df:ee:a2:7f:54:af:52:0a:1a:
+ 1a:fa:0d:75:b3:3c:e9:e0:29:d3:89:20:e9:51:49:
+ 67:2c:43:da:a0:2c:d4:44:b3:96:14:a9:07:77:60:
+ b9:6f:01:ef:8e:54:a5:74:ac:5a:67:f8:30:4d:10:
+ f9:ac:9f:b8:75:61:0b:f6:e7:7c:ea:9b:5c:98:7a:
+ 4b:3e:c4:e2:59:42:d3:19:ca:0f:58:0e:b7:c8:82:
+ 4e:e5:bb:ac:fd:92:e5:88:b2:fc:64:cf:6e:38:3b:
+ 18:83:fc:e7:a6:ae:fb:90:36:d0:e1:ca:4d:90:41:
+ 0f:0f:3b:2a:c0:0c:d9:7b:7d:e8:50:13:f6:09:73:
+ 82:a3:d2:e3:bb:82:08:87:7f:d2:bb:0e:0e:7a:28:
+ b6:25:02:b5:d9:51:fc:33:32:47:47:ff:cf:7f:bc:
+ ee:00:01:bb:05:5e:2e:03:9a:ad:95:3b:ca:c2:c6:
+ 87:64:74:39:aa:59:6b:ae:e0:a7:51:1a:07:f2:8e:
+ 4c:8e:65:2f:df:f2:99:ba:e0:b6:8a:4f:c0:20:72:
+ 79:98:00:8f:0d:50:13:3d:d1:3e:8c:bd:dc:74:a9:
+ 33:a8:56:1d:31:78:7c:e7:02:9e:8d:0a:14:12:6d:
+ d3:37:c7:7a:f0:84:10:fe:fe:4d:28:97:26:6e:08:
+ 85:a1
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 2D:87:C1:9A:F8:58:2B:BD:C2:F8:7E:30:47:B3:A9:88:37:C9:EB:46
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP5c/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR3.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64534-64540
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 8b:32:d1:76:91:99:a4:fe:a9:47:f9:ad:1b:e4:09:b2:91:49:
+ 01:ea:21:09:e1:db:ae:45:07:73:e1:be:99:6b:e5:73:30:20:
+ 57:95:c0:e0:9f:32:29:75:e7:fd:15:06:0c:48:aa:17:0a:4b:
+ 21:9e:b2:b8:ba:03:d7:fb:40:69:19:80:28:c7:a4:bd:e0:63:
+ ec:e4:88:db:82:b9:03:bb:88:bb:48:40:c5:ea:34:4d:39:38:
+ 5f:a1:0b:4b:8b:60:b6:a5:08:01:20:2b:44:b9:1b:2f:c6:72:
+ dc:90:4c:b3:56:9d:0c:64:dc:5e:d2:da:4e:4f:c5:63:22:18:
+ 67:0b:77:fc:fd:7f:31:73:70:81:cd:f8:9a:67:07:6f:b2:b7:
+ ea:f4:68:19:86:9a:60:59:c4:3c:a1:ea:ba:09:6d:13:9d:3f:
+ 76:cc:5f:2e:3f:e0:9b:5b:3c:72:5f:39:ed:9f:34:48:97:b3:
+ c1:bb:c5:de:5a:6b:11:71:ba:d1:c4:63:20:2c:bf:75:e8:c2:
+ 4a:b8:80:b8:ac:bf:46:cc:d7:2a:8b:c3:63:23:ca:9e:8d:94:
+ 2c:6a:53:2f:68:7e:cd:3d:71:fd:32:c7:f7:16:11:c6:a3:3a:
+ 2f:1f:05:0c:98:3f:17:3d:8c:7a:e4:47:cd:75:55:f8:b3:1b:
+ a3:bc:27:3d
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR3/17.pem b/rpkid/resource-cert-samples/LIR3/17.pem
new file mode 100644
index 00000000..b4d63508
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR3/17.pem
@@ -0,0 +1,91 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 23 (0x17)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR3
+ Validity
+ Not Before: Oct 29 16:03:52 2007 GMT
+ Not After : Oct 28 16:03:52 2008 GMT
+ Subject: CN=TEST ENTITY ISP5b
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:bf:8f:59:d8:fc:fa:1d:04:70:29:ce:7b:01:64:
+ 21:40:dc:5c:43:fe:4c:af:88:c8:62:9b:be:9c:72:
+ 8f:8a:a5:34:8a:3b:23:8d:9b:8a:4f:bf:66:ac:68:
+ 71:9c:fd:68:59:f5:bf:9f:4d:2e:b5:d6:e3:fa:bd:
+ f3:60:53:5c:b7:11:ac:95:0b:c0:87:cd:99:9e:94:
+ 57:8d:ec:05:b8:df:aa:fc:8e:38:d3:0f:65:6d:09:
+ 60:f2:e1:98:81:72:d8:51:3e:41:91:b3:10:95:f5:
+ f5:d0:f9:e5:5c:a1:85:fa:71:26:85:e3:d1:4c:02:
+ 7f:14:e2:1e:4a:8a:96:68:9e:d6:16:a5:ef:ad:b5:
+ 83:62:cd:23:74:7c:82:56:b4:d1:34:53:5a:8a:7a:
+ 61:9f:ae:54:5b:ef:f9:56:de:87:6b:42:92:bc:49:
+ f4:b5:c3:35:07:4a:18:47:d2:92:c6:1c:16:74:74:
+ b1:e9:39:3c:53:12:05:9d:eb:dc:9c:72:2b:97:4d:
+ 27:21:77:96:7d:4c:ce:79:0c:fb:a7:b8:99:6b:66:
+ 20:2e:56:9c:44:b4:e3:5e:80:c4:7d:78:a1:b4:05:
+ f7:20:7d:26:1e:44:bf:5d:69:15:3c:7a:24:67:bd:
+ b9:b5:08:0f:33:4d:af:3b:2d:e7:b9:ab:1d:2b:d6:
+ fb:73
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 6C:B3:65:94:FE:C6:9F:4A:50:9D:4D:8B:40:1A:A1:FD:97:17:97:92
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP5b/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR3.cer
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 10.3.0.0/24
+ IPv6:
+ 2001:db8:0:0:0:0:a03::/120
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 6c:20:82:cb:ed:5f:a4:c6:fa:b5:4c:20:7d:e8:18:e7:a9:8a:
+ a4:43:aa:1b:0a:47:01:e9:d5:29:f2:58:40:e1:b0:64:37:b1:
+ 54:e0:49:4c:b9:98:a4:41:b0:cf:33:87:c7:47:30:58:f9:46:
+ 51:5d:d4:8c:65:24:59:a6:8a:01:c0:bc:46:38:45:fa:64:51:
+ eb:ff:87:7c:18:33:41:7e:e9:52:98:a6:0f:1a:d8:43:2f:34:
+ 9d:14:b4:14:e8:68:2e:16:5f:06:a7:85:96:7e:dc:49:67:f9:
+ 56:5b:42:1a:af:00:fb:b5:d3:84:b8:e0:79:3c:b6:b7:b9:f3:
+ 04:fc:e4:9a:9f:74:6c:ea:ff:8a:14:9d:69:15:ac:b6:5b:09:
+ eb:78:64:a7:7d:81:f9:f1:c9:4c:73:ae:88:43:da:39:32:37:
+ 4c:df:16:74:4d:dd:27:3a:bf:99:39:5c:a8:8d:f5:47:a8:60:
+ 7c:3d:56:5b:ab:73:f7:57:26:00:55:16:f1:dc:ae:d7:e1:48:
+ ed:b0:32:75:aa:76:4c:5b:7e:ef:be:6f:bc:8c:1e:12:70:27:
+ 25:3d:b6:fd:6e:34:3f:9b:9f:cb:13:37:26:f4:56:fc:5b:9d:
+ 7c:b5:b9:7a:29:ff:ca:c0:55:bb:57:55:25:45:b5:a1:c4:2d:
+ 3c:2d:9c:8d
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR3/18.pem b/rpkid/resource-cert-samples/LIR3/18.pem
new file mode 100644
index 00000000..d264ae2f
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR3/18.pem
@@ -0,0 +1,91 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 24 (0x18)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR3
+ Validity
+ Not Before: Oct 29 16:03:52 2007 GMT
+ Not After : Oct 28 16:03:52 2008 GMT
+ Subject: CN=TEST ENTITY ISP5a
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:e6:4b:ad:78:28:6b:e6:50:1b:65:81:d5:8d:2b:
+ 56:77:cd:bb:c9:47:a0:aa:32:b0:2c:ac:1f:f1:e4:
+ 90:2b:c2:33:6f:e7:53:b1:d0:1d:ab:05:27:9d:b7:
+ a1:ee:a8:4f:c8:5b:36:23:e3:12:e4:51:59:27:cd:
+ fd:7a:aa:dc:56:05:a1:73:ab:79:dd:3c:82:b2:8f:
+ ae:f9:ec:c0:36:38:e6:02:aa:fd:89:60:21:52:5b:
+ b6:33:80:75:e5:7f:fd:ac:6e:ec:d4:9a:26:2f:7e:
+ 28:45:16:29:47:7d:f3:8a:72:d5:e4:65:fa:f4:54:
+ 6f:ae:48:33:62:c1:32:f1:2b:83:33:36:63:60:9e:
+ bc:c7:e7:99:5d:51:da:cd:2f:8f:83:47:20:9e:e9:
+ cc:a3:72:c0:72:bd:49:2d:c4:52:ea:6f:da:42:46:
+ 71:90:c7:af:7f:9f:c7:dd:0b:96:96:3c:45:9f:c0:
+ ea:65:6a:43:e3:f3:92:d5:e1:73:c0:6e:20:f5:17:
+ e5:d1:58:da:21:b3:e9:0c:4d:f0:e8:bd:7c:b7:ef:
+ 81:c9:f5:70:cf:a8:20:7d:e2:6a:f9:1b:66:a9:c8:
+ 71:d6:32:f8:72:3d:83:99:19:0d:0c:6b:e9:f8:92:
+ cd:33:17:86:6a:3d:af:0d:05:94:ab:1c:d4:2c:a4:
+ 45:cb
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 09:F0:14:0B:79:FB:0B:FF:A8:EF:54:B9:EC:3E:B9:8B:D0:CB:9C:EC
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP5a/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR3.cer
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 10.0.0.0/24
+ IPv6:
+ 2001:db8:0:0:0:0:a00::/120
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 31:60:cb:59:95:02:29:ad:2e:2d:92:c4:e9:61:2b:e7:a2:bc:
+ 39:70:7b:b0:62:af:56:08:81:c5:50:7f:ec:4e:d4:ff:7f:4a:
+ c7:34:4c:d5:dd:dc:dd:92:64:f7:5f:7b:ab:3c:9d:9d:15:b8:
+ c4:73:31:eb:c6:2d:af:0c:1f:a9:05:e7:3e:28:a8:1d:f0:6f:
+ ca:4b:c9:76:ff:5b:95:dd:d8:48:4a:d6:93:10:3a:1a:36:3d:
+ 2a:10:2c:89:c5:19:fa:e8:fa:eb:b8:51:37:de:af:30:e3:ae:
+ 09:d3:21:9c:83:4a:c1:70:ec:f6:f3:4b:72:40:75:61:02:bd:
+ fc:1b:96:e2:24:39:be:9a:43:29:8c:d7:c6:90:e2:14:fd:5e:
+ 22:9f:32:45:67:d2:f6:6d:45:5e:43:e6:1c:ed:74:18:2c:9c:
+ ba:eb:a5:ee:76:2b:5f:b1:7a:06:18:94:95:52:58:fe:ef:61:
+ d9:f0:fd:ba:b4:88:af:a3:78:f1:d9:36:42:4f:df:55:f9:9e:
+ 4d:f1:c9:12:85:f6:6c:1f:a5:1b:17:f2:2a:4a:1e:65:fa:18:
+ 1a:22:ee:c6:fb:b9:65:1d:30:1a:a7:f9:78:87:27:a5:c8:4a:
+ 35:6d:92:2d:f0:13:75:a2:77:df:fa:28:d0:68:0b:19:7f:38:
+ f3:64:0c:93
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR3/19.pem b/rpkid/resource-cert-samples/LIR3/19.pem
new file mode 100644
index 00000000..969f45e5
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR3/19.pem
@@ -0,0 +1,88 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 25 (0x19)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR3
+ Validity
+ Not Before: Oct 29 16:32:33 2007 GMT
+ Not After : Oct 28 16:32:33 2008 GMT
+ Subject: CN=TEST ENTITY ISP5c
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:c8:8b:a1:25:65:df:ee:a2:7f:54:af:52:0a:1a:
+ 1a:fa:0d:75:b3:3c:e9:e0:29:d3:89:20:e9:51:49:
+ 67:2c:43:da:a0:2c:d4:44:b3:96:14:a9:07:77:60:
+ b9:6f:01:ef:8e:54:a5:74:ac:5a:67:f8:30:4d:10:
+ f9:ac:9f:b8:75:61:0b:f6:e7:7c:ea:9b:5c:98:7a:
+ 4b:3e:c4:e2:59:42:d3:19:ca:0f:58:0e:b7:c8:82:
+ 4e:e5:bb:ac:fd:92:e5:88:b2:fc:64:cf:6e:38:3b:
+ 18:83:fc:e7:a6:ae:fb:90:36:d0:e1:ca:4d:90:41:
+ 0f:0f:3b:2a:c0:0c:d9:7b:7d:e8:50:13:f6:09:73:
+ 82:a3:d2:e3:bb:82:08:87:7f:d2:bb:0e:0e:7a:28:
+ b6:25:02:b5:d9:51:fc:33:32:47:47:ff:cf:7f:bc:
+ ee:00:01:bb:05:5e:2e:03:9a:ad:95:3b:ca:c2:c6:
+ 87:64:74:39:aa:59:6b:ae:e0:a7:51:1a:07:f2:8e:
+ 4c:8e:65:2f:df:f2:99:ba:e0:b6:8a:4f:c0:20:72:
+ 79:98:00:8f:0d:50:13:3d:d1:3e:8c:bd:dc:74:a9:
+ 33:a8:56:1d:31:78:7c:e7:02:9e:8d:0a:14:12:6d:
+ d3:37:c7:7a:f0:84:10:fe:fe:4d:28:97:26:6e:08:
+ 85:a1
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 2D:87:C1:9A:F8:58:2B:BD:C2:F8:7E:30:47:B3:A9:88:37:C9:EB:46
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP5c/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR3.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64534-64540
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 2c:6e:f1:28:d7:06:69:d5:38:e5:77:75:9c:d0:9f:3b:52:f4:
+ ff:83:1d:51:70:18:b1:76:57:29:1c:f4:0c:fc:bd:6d:dc:c6:
+ 95:68:2d:38:fc:5b:b8:66:b8:92:95:3e:0d:cb:f6:49:3f:6e:
+ 63:01:88:9b:44:7a:d1:7a:48:03:20:73:c7:f1:c8:f6:8d:be:
+ 1c:6e:ca:28:0e:32:93:90:9a:76:d1:7f:f3:33:55:24:67:65:
+ fd:05:03:c8:1f:7e:68:7d:c9:83:f9:47:26:d1:dc:4b:04:a2:
+ 68:bb:74:2c:9c:f3:33:ec:d7:0e:d9:23:f9:a4:10:9e:af:94:
+ 41:09:a0:67:2d:21:d7:b5:0a:e1:41:b3:b6:4d:bc:8d:74:6c:
+ f6:b6:32:fe:ee:c4:71:b6:73:e1:bc:2a:25:54:df:91:84:4e:
+ 15:09:05:98:a1:99:33:48:38:7e:7e:b1:38:73:c7:66:a2:19:
+ 31:2e:93:86:65:40:20:c0:0f:86:e9:a4:77:d9:61:a5:a4:92:
+ 35:c7:9c:51:15:a0:dd:21:56:76:a4:d1:75:76:0a:b6:51:9a:
+ 08:c3:d4:21:ec:86:f0:b7:66:2e:7c:8b:0f:76:5c:29:3d:a6:
+ 9c:ea:0c:e0:5d:14:14:b5:cc:cc:84:e0:33:95:17:06:11:c4:
+ d9:d9:98:d1
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR3/1A.pem b/rpkid/resource-cert-samples/LIR3/1A.pem
new file mode 100644
index 00000000..8f133ac8
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR3/1A.pem
@@ -0,0 +1,91 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 26 (0x1a)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR3
+ Validity
+ Not Before: Oct 29 16:32:33 2007 GMT
+ Not After : Oct 28 16:32:33 2008 GMT
+ Subject: CN=TEST ENTITY ISP5b
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:bf:8f:59:d8:fc:fa:1d:04:70:29:ce:7b:01:64:
+ 21:40:dc:5c:43:fe:4c:af:88:c8:62:9b:be:9c:72:
+ 8f:8a:a5:34:8a:3b:23:8d:9b:8a:4f:bf:66:ac:68:
+ 71:9c:fd:68:59:f5:bf:9f:4d:2e:b5:d6:e3:fa:bd:
+ f3:60:53:5c:b7:11:ac:95:0b:c0:87:cd:99:9e:94:
+ 57:8d:ec:05:b8:df:aa:fc:8e:38:d3:0f:65:6d:09:
+ 60:f2:e1:98:81:72:d8:51:3e:41:91:b3:10:95:f5:
+ f5:d0:f9:e5:5c:a1:85:fa:71:26:85:e3:d1:4c:02:
+ 7f:14:e2:1e:4a:8a:96:68:9e:d6:16:a5:ef:ad:b5:
+ 83:62:cd:23:74:7c:82:56:b4:d1:34:53:5a:8a:7a:
+ 61:9f:ae:54:5b:ef:f9:56:de:87:6b:42:92:bc:49:
+ f4:b5:c3:35:07:4a:18:47:d2:92:c6:1c:16:74:74:
+ b1:e9:39:3c:53:12:05:9d:eb:dc:9c:72:2b:97:4d:
+ 27:21:77:96:7d:4c:ce:79:0c:fb:a7:b8:99:6b:66:
+ 20:2e:56:9c:44:b4:e3:5e:80:c4:7d:78:a1:b4:05:
+ f7:20:7d:26:1e:44:bf:5d:69:15:3c:7a:24:67:bd:
+ b9:b5:08:0f:33:4d:af:3b:2d:e7:b9:ab:1d:2b:d6:
+ fb:73
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 6C:B3:65:94:FE:C6:9F:4A:50:9D:4D:8B:40:1A:A1:FD:97:17:97:92
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP5b/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR3.cer
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 10.3.0.0/24
+ IPv6:
+ 2001:db8:0:0:0:0:a03::/120
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 3a:6d:f2:b8:e4:50:4d:f6:f0:f3:04:1b:73:bf:36:13:d5:e6:
+ 70:d9:31:b4:47:b7:5e:ca:8a:25:93:fc:6c:dd:63:5e:09:dc:
+ 47:d9:d4:43:39:f3:ed:c5:f2:64:d5:ac:72:02:76:f2:07:ca:
+ a5:d9:1a:e3:9d:6a:7d:90:4c:d5:c7:09:c9:64:dd:38:f0:2f:
+ ab:0d:5f:e4:13:02:2c:85:02:56:f4:6d:31:07:f9:0b:c7:e9:
+ a4:0a:ee:13:03:18:9d:81:b8:78:68:d2:99:a3:e4:4f:e7:96:
+ 86:99:06:10:8c:b5:c2:39:03:8a:94:2e:21:00:67:82:f5:25:
+ 6c:cb:71:6b:8c:e6:31:0a:19:ed:1a:34:0c:a9:48:ca:c8:69:
+ fc:91:4e:f9:0c:e5:24:2b:70:52:1c:ff:1c:cf:38:28:17:3a:
+ 3d:22:a7:fa:93:dd:8f:46:03:2e:b0:ce:10:57:4a:3c:fc:a8:
+ 1a:a6:c1:0e:fa:09:49:9e:d1:89:b8:4c:b0:7a:5b:76:25:05:
+ fe:80:d9:8d:c1:9e:84:0b:83:53:16:9a:1e:2d:55:9a:b7:81:
+ d4:3f:0a:c7:56:ac:87:58:fa:3b:27:77:c6:f6:31:c1:c8:56:
+ 4a:28:6a:de:20:32:c4:80:b0:d1:36:25:ac:2c:94:28:8a:b8:
+ 2b:f2:04:f0
+-----BEGIN CERTIFICATE-----
+MIIDvTCCAqWgAwIBAgIBGjANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBURVNU
+IEVOVElUWSBMSVIzMB4XDTA3MTAyOTE2MzIzM1oXDTA4MTAyODE2MzIzM1owHDEa
+MBgGA1UEAxMRVEVTVCBFTlRJVFkgSVNQNWIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQC/j1nY/PodBHApznsBZCFA3FxD/kyviMhim76cco+KpTSKOyON
+m4pPv2asaHGc/WhZ9b+fTS611uP6vfNgU1y3EayVC8CHzZmelFeN7AW436r8jjjT
+D2VtCWDy4ZiBcthRPkGRsxCV9fXQ+eVcoYX6cSaF49FMAn8U4h5KipZontYWpe+t
+tYNizSN0fIJWtNE0U1qKemGfrlRb7/lW3odrQpK8SfS1wzUHShhH0pLGHBZ0dLHp
+OTxTEgWd69ycciuXTSchd5Z9TM55DPunuJlrZiAuVpxEtONegMR9eKG0BfcgfSYe
+RL9daRU8eiRnvbm1CA8zTa87Lee5qx0r1vtzAgMBAAGjggEJMIIBBTAPBgNVHRMB
+Af8EBTADAQH/MB0GA1UdDgQWBBRss2WU/safSlCdTYtAGqH9lxeXkjAOBgNVHQ8B
+Af8EBAMCAQYwQgYIKwYBBQUHAQsENjA0MDIGCCsGAQUFBzAFhiZyc3luYzovL3dv
+bWJhdHMtci11cy5oYWN0cm4ubmV0L0lTUDViLzBEBggrBgEFBQcBAQQ4MDYwNAYI
+KwYBBQUHMAKGKHJzeW5jOi8vd29tYmF0cy1yLXVzLmhhY3Rybi5uZXQvTElSMy5j
+ZXIwOQYIKwYBBQUHAQcBAf8EKjAoMAwEAgABMAYDBAAKAwAwGAQCAAIwEgMQACAB
+DbgAAAAAAAAAAAoDADANBgkqhkiG9w0BAQsFAAOCAQEAOm3yuORQTfbw8wQbc782
+E9XmcNkxtEe3XsqKJZP8bN1jXgncR9nUQznz7cXyZNWscgJ28gfKpdka451qfZBM
+1ccJyWTdOPAvqw1f5BMCLIUCVvRtMQf5C8fppAruEwMYnYG4eGjSmaPkT+eWhpkG
+EIy1wjkDipQuIQBngvUlbMtxa4zmMQoZ7Ro0DKlIyshp/JFO+QzlJCtwUhz/HM84
+KBc6PSKn+pPdj0YDLrDOEFdKPPyoGqbBDvoJSZ7RibhMsHpbdiUF/oDZjcGehAuD
+UxaaHi1VmreB1D8Kx1ash1j6Oyd3xvYxwchWSihq3iAyxICw0TYlrCyUKIq4K/IE
+8A==
+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR3/1B.pem b/rpkid/resource-cert-samples/LIR3/1B.pem
new file mode 100644
index 00000000..787aacd7
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR3/1B.pem
@@ -0,0 +1,91 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 27 (0x1b)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY LIR3
+ Validity
+ Not Before: Oct 29 16:32:33 2007 GMT
+ Not After : Oct 28 16:32:33 2008 GMT
+ Subject: CN=TEST ENTITY ISP5a
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:e6:4b:ad:78:28:6b:e6:50:1b:65:81:d5:8d:2b:
+ 56:77:cd:bb:c9:47:a0:aa:32:b0:2c:ac:1f:f1:e4:
+ 90:2b:c2:33:6f:e7:53:b1:d0:1d:ab:05:27:9d:b7:
+ a1:ee:a8:4f:c8:5b:36:23:e3:12:e4:51:59:27:cd:
+ fd:7a:aa:dc:56:05:a1:73:ab:79:dd:3c:82:b2:8f:
+ ae:f9:ec:c0:36:38:e6:02:aa:fd:89:60:21:52:5b:
+ b6:33:80:75:e5:7f:fd:ac:6e:ec:d4:9a:26:2f:7e:
+ 28:45:16:29:47:7d:f3:8a:72:d5:e4:65:fa:f4:54:
+ 6f:ae:48:33:62:c1:32:f1:2b:83:33:36:63:60:9e:
+ bc:c7:e7:99:5d:51:da:cd:2f:8f:83:47:20:9e:e9:
+ cc:a3:72:c0:72:bd:49:2d:c4:52:ea:6f:da:42:46:
+ 71:90:c7:af:7f:9f:c7:dd:0b:96:96:3c:45:9f:c0:
+ ea:65:6a:43:e3:f3:92:d5:e1:73:c0:6e:20:f5:17:
+ e5:d1:58:da:21:b3:e9:0c:4d:f0:e8:bd:7c:b7:ef:
+ 81:c9:f5:70:cf:a8:20:7d:e2:6a:f9:1b:66:a9:c8:
+ 71:d6:32:f8:72:3d:83:99:19:0d:0c:6b:e9:f8:92:
+ cd:33:17:86:6a:3d:af:0d:05:94:ab:1c:d4:2c:a4:
+ 45:cb
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 09:F0:14:0B:79:FB:0B:FF:A8:EF:54:B9:EC:3E:B9:8B:D0:CB:9C:EC
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/ISP5a/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/LIR3.cer
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 10.0.0.0/24
+ IPv6:
+ 2001:db8:0:0:0:0:a00::/120
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 38:f3:dc:20:93:3e:ff:25:8d:0e:90:b3:7f:65:ea:67:69:9a:
+ f0:6a:a1:77:5b:49:da:26:66:ac:3d:4d:20:a9:39:bb:e1:85:
+ 8a:a2:eb:5c:e8:b6:d2:d8:6b:04:19:32:cc:a7:1b:f6:24:d9:
+ 30:ee:ef:e3:d7:9f:85:01:02:6e:4e:4b:ad:af:97:71:59:e2:
+ 24:b3:29:86:16:79:ae:04:be:9c:43:70:99:63:98:f9:6e:1c:
+ 8a:69:48:64:90:70:b4:51:e6:12:95:b3:c1:bc:d4:1d:c0:dc:
+ 3e:cc:af:6e:a5:a5:d2:79:b3:bb:d7:b5:8a:a6:d7:64:83:87:
+ 8c:54:49:b8:c9:e8:76:18:40:20:ec:2c:52:0a:57:4c:7a:a0:
+ 87:f2:c7:13:42:24:c6:10:e7:db:d3:4c:6a:d7:65:ec:19:13:
+ 7c:15:13:74:9b:95:13:0a:91:9f:ad:ad:e7:85:40:16:8d:44:
+ ff:fa:e7:3b:a1:96:da:46:cb:e8:18:92:7f:9a:42:bb:8b:7f:
+ 25:bb:da:46:a3:2f:92:59:26:eb:66:17:b9:12:3f:52:58:a7:
+ b6:31:f6:2a:68:35:11:a7:f0:b9:aa:44:c3:f3:ad:05:7e:3a:
+ 25:96:9e:01:ce:6b:e5:87:b5:c5:99:da:e3:b6:00:8a:e7:11:
+ f7:98:16:3a
+-----BEGIN CERTIFICATE-----
+MIIDvTCCAqWgAwIBAgIBGzANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBURVNU
+IEVOVElUWSBMSVIzMB4XDTA3MTAyOTE2MzIzM1oXDTA4MTAyODE2MzIzM1owHDEa
+MBgGA1UEAxMRVEVTVCBFTlRJVFkgSVNQNWEwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDmS614KGvmUBtlgdWNK1Z3zbvJR6CqMrAsrB/x5JArwjNv51Ox
+0B2rBSedt6HuqE/IWzYj4xLkUVknzf16qtxWBaFzq3ndPIKyj6757MA2OOYCqv2J
+YCFSW7YzgHXlf/2sbuzUmiYvfihFFilHffOKctXkZfr0VG+uSDNiwTLxK4MzNmNg
+nrzH55ldUdrNL4+DRyCe6cyjcsByvUktxFLqb9pCRnGQx69/n8fdC5aWPEWfwOpl
+akPj85LV4XPAbiD1F+XRWNohs+kMTfDovXy374HJ9XDPqCB94mr5G2apyHHWMvhy
+PYOZGQ0Ma+n4ks0zF4ZqPa8NBZSrHNQspEXLAgMBAAGjggEJMIIBBTAPBgNVHRMB
+Af8EBTADAQH/MB0GA1UdDgQWBBQJ8BQLefsL/6jvVLnsPrmL0Muc7DAOBgNVHQ8B
+Af8EBAMCAQYwQgYIKwYBBQUHAQsENjA0MDIGCCsGAQUFBzAFhiZyc3luYzovL3dv
+bWJhdHMtci11cy5oYWN0cm4ubmV0L0lTUDVhLzBEBggrBgEFBQcBAQQ4MDYwNAYI
+KwYBBQUHMAKGKHJzeW5jOi8vd29tYmF0cy1yLXVzLmhhY3Rybi5uZXQvTElSMy5j
+ZXIwOQYIKwYBBQUHAQcBAf8EKjAoMAwEAgABMAYDBAAKAAAwGAQCAAIwEgMQACAB
+DbgAAAAAAAAAAAoAADANBgkqhkiG9w0BAQsFAAOCAQEAOPPcIJM+/yWNDpCzf2Xq
+Z2ma8Gqhd1tJ2iZmrD1NIKk5u+GFiqLrXOi20thrBBkyzKcb9iTZMO7v49efhQEC
+bk5Lra+XcVniJLMphhZ5rgS+nENwmWOY+W4cimlIZJBwtFHmEpWzwbzUHcDcPsyv
+bqWl0nmzu9e1iqbXZIOHjFRJuMnodhhAIOwsUgpXTHqgh/LHE0IkxhDn29NMatdl
+7BkTfBUTdJuVEwqRn62t54VAFo1E//rnO6GW2kbL6BiSf5pCu4t/JbvaRqMvklkm
+62YXuRI/UlintjH2Kmg1EafwuapEw/OtBX46JZaeAc5r5Ye1xZna47YAiucR95gW
+Og==
+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/LIR3/index b/rpkid/resource-cert-samples/LIR3/index
new file mode 100644
index 00000000..c03799ef
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR3/index
@@ -0,0 +1,27 @@
+V 080731144818Z 01 unknown /CN=TEST ENTITY ISP5c
+V 080731144820Z 02 unknown /CN=TEST ENTITY ISP5b
+V 080731144822Z 03 unknown /CN=TEST ENTITY ISP5a
+V 080809005817Z 04 unknown /CN=TEST ENTITY ISP5c
+V 080809005817Z 05 unknown /CN=TEST ENTITY ISP5b
+V 080809005817Z 06 unknown /CN=TEST ENTITY ISP5a
+V 080809010231Z 07 unknown /CN=TEST ENTITY ISP5c
+V 080809010231Z 08 unknown /CN=TEST ENTITY ISP5b
+V 080809010231Z 09 unknown /CN=TEST ENTITY ISP5a
+V 080809010709Z 0A unknown /CN=TEST ENTITY ISP5c
+V 080809010709Z 0B unknown /CN=TEST ENTITY ISP5b
+V 080809010709Z 0C unknown /CN=TEST ENTITY ISP5a
+V 080809011339Z 0D unknown /CN=TEST ENTITY ISP5c
+V 080809011339Z 0E unknown /CN=TEST ENTITY ISP5b
+V 080809011339Z 0F unknown /CN=TEST ENTITY ISP5a
+V 080809011510Z 10 unknown /CN=TEST ENTITY ISP5c
+V 080809011510Z 11 unknown /CN=TEST ENTITY ISP5b
+V 080809011510Z 12 unknown /CN=TEST ENTITY ISP5a
+V 081018190607Z 13 unknown /CN=TEST ENTITY ISP5c
+V 081018190607Z 14 unknown /CN=TEST ENTITY ISP5b
+V 081018190607Z 15 unknown /CN=TEST ENTITY ISP5a
+V 081028160351Z 16 unknown /CN=TEST ENTITY ISP5c
+V 081028160352Z 17 unknown /CN=TEST ENTITY ISP5b
+V 081028160352Z 18 unknown /CN=TEST ENTITY ISP5a
+V 081028163233Z 19 unknown /CN=TEST ENTITY ISP5c
+V 081028163233Z 1A unknown /CN=TEST ENTITY ISP5b
+V 081028163233Z 1B unknown /CN=TEST ENTITY ISP5a
diff --git a/rpkid/resource-cert-samples/LIR3/index.attr b/rpkid/resource-cert-samples/LIR3/index.attr
new file mode 100644
index 00000000..3a7e39e6
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR3/index.attr
@@ -0,0 +1 @@
+unique_subject = no
diff --git a/rpkid/resource-cert-samples/LIR3/index.attr.old b/rpkid/resource-cert-samples/LIR3/index.attr.old
new file mode 100644
index 00000000..3a7e39e6
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR3/index.attr.old
@@ -0,0 +1 @@
+unique_subject = no
diff --git a/rpkid/resource-cert-samples/LIR3/index.old b/rpkid/resource-cert-samples/LIR3/index.old
new file mode 100644
index 00000000..82ed2ae6
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR3/index.old
@@ -0,0 +1,26 @@
+V 080731144818Z 01 unknown /CN=TEST ENTITY ISP5c
+V 080731144820Z 02 unknown /CN=TEST ENTITY ISP5b
+V 080731144822Z 03 unknown /CN=TEST ENTITY ISP5a
+V 080809005817Z 04 unknown /CN=TEST ENTITY ISP5c
+V 080809005817Z 05 unknown /CN=TEST ENTITY ISP5b
+V 080809005817Z 06 unknown /CN=TEST ENTITY ISP5a
+V 080809010231Z 07 unknown /CN=TEST ENTITY ISP5c
+V 080809010231Z 08 unknown /CN=TEST ENTITY ISP5b
+V 080809010231Z 09 unknown /CN=TEST ENTITY ISP5a
+V 080809010709Z 0A unknown /CN=TEST ENTITY ISP5c
+V 080809010709Z 0B unknown /CN=TEST ENTITY ISP5b
+V 080809010709Z 0C unknown /CN=TEST ENTITY ISP5a
+V 080809011339Z 0D unknown /CN=TEST ENTITY ISP5c
+V 080809011339Z 0E unknown /CN=TEST ENTITY ISP5b
+V 080809011339Z 0F unknown /CN=TEST ENTITY ISP5a
+V 080809011510Z 10 unknown /CN=TEST ENTITY ISP5c
+V 080809011510Z 11 unknown /CN=TEST ENTITY ISP5b
+V 080809011510Z 12 unknown /CN=TEST ENTITY ISP5a
+V 081018190607Z 13 unknown /CN=TEST ENTITY ISP5c
+V 081018190607Z 14 unknown /CN=TEST ENTITY ISP5b
+V 081018190607Z 15 unknown /CN=TEST ENTITY ISP5a
+V 081028160351Z 16 unknown /CN=TEST ENTITY ISP5c
+V 081028160352Z 17 unknown /CN=TEST ENTITY ISP5b
+V 081028160352Z 18 unknown /CN=TEST ENTITY ISP5a
+V 081028163233Z 19 unknown /CN=TEST ENTITY ISP5c
+V 081028163233Z 1A unknown /CN=TEST ENTITY ISP5b
diff --git a/rpkid/resource-cert-samples/LIR3/serial b/rpkid/resource-cert-samples/LIR3/serial
new file mode 100644
index 00000000..cc9c0531
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR3/serial
@@ -0,0 +1 @@
+1C
diff --git a/rpkid/resource-cert-samples/LIR3/serial.old b/rpkid/resource-cert-samples/LIR3/serial.old
new file mode 100644
index 00000000..8787ed81
--- /dev/null
+++ b/rpkid/resource-cert-samples/LIR3/serial.old
@@ -0,0 +1 @@
+1B
diff --git a/rpkid/resource-cert-samples/Makefile b/rpkid/resource-cert-samples/Makefile
new file mode 100644
index 00000000..90c85ac0
--- /dev/null
+++ b/rpkid/resource-cert-samples/Makefile
@@ -0,0 +1,232 @@
+# Automatically generated, do not edit.
+
+all:: RIR.cer
+
+RIR.key:
+ ../../openssl/openssl/apps/openssl genrsa -out $@ 2048
+
+RIR.req: RIR.key RIR.cnf Makefile
+ ../../openssl/openssl/apps/openssl req -new -config RIR.cnf -key RIR.key -out $@
+
+RIR.cer: RIR.req RIR.cnf RIR.key Makefile
+ @test -d RIR || mkdir RIR
+ @test -f RIR/index || touch RIR/index
+ @test -f RIR/serial || echo 01 >RIR/serial
+ ../../openssl/openssl/apps/openssl ca -batch -out $@ -in RIR.req -extfile RIR.cnf -config RIR.cnf -selfsign
+
+
+show_req::
+ ../../openssl/openssl/apps/openssl req -noout -text -in RIR.req -config /dev/null
+
+show_cer::
+ ../../openssl/openssl/apps/openssl x509 -noout -text -in RIR.cer
+
+all:: LIR3.cer
+
+LIR3.key:
+ ../../openssl/openssl/apps/openssl genrsa -out $@ 2048
+
+LIR3.req: LIR3.key LIR3.cnf Makefile
+ ../../openssl/openssl/apps/openssl req -new -config LIR3.cnf -key LIR3.key -out $@
+
+LIR3.cer: LIR3.req LIR3.cnf RIR.key Makefile
+ @test -d LIR3 || mkdir LIR3
+ @test -f LIR3/index || touch LIR3/index
+ @test -f LIR3/serial || echo 01 >LIR3/serial
+ ../../openssl/openssl/apps/openssl ca -batch -out $@ -in LIR3.req -extfile LIR3.cnf -config RIR.cnf
+
+
+show_req::
+ ../../openssl/openssl/apps/openssl req -noout -text -in LIR3.req -config /dev/null
+
+show_cer::
+ ../../openssl/openssl/apps/openssl x509 -noout -text -in LIR3.cer
+
+all:: LIR2.cer
+
+LIR2.key:
+ ../../openssl/openssl/apps/openssl genrsa -out $@ 2048
+
+LIR2.req: LIR2.key LIR2.cnf Makefile
+ ../../openssl/openssl/apps/openssl req -new -config LIR2.cnf -key LIR2.key -out $@
+
+LIR2.cer: LIR2.req LIR2.cnf RIR.key Makefile
+ @test -d LIR2 || mkdir LIR2
+ @test -f LIR2/index || touch LIR2/index
+ @test -f LIR2/serial || echo 01 >LIR2/serial
+ ../../openssl/openssl/apps/openssl ca -batch -out $@ -in LIR2.req -extfile LIR2.cnf -config RIR.cnf
+
+
+show_req::
+ ../../openssl/openssl/apps/openssl req -noout -text -in LIR2.req -config /dev/null
+
+show_cer::
+ ../../openssl/openssl/apps/openssl x509 -noout -text -in LIR2.cer
+
+all:: LIR1.cer
+
+LIR1.key:
+ ../../openssl/openssl/apps/openssl genrsa -out $@ 2048
+
+LIR1.req: LIR1.key LIR1.cnf Makefile
+ ../../openssl/openssl/apps/openssl req -new -config LIR1.cnf -key LIR1.key -out $@
+
+LIR1.cer: LIR1.req LIR1.cnf RIR.key Makefile
+ @test -d LIR1 || mkdir LIR1
+ @test -f LIR1/index || touch LIR1/index
+ @test -f LIR1/serial || echo 01 >LIR1/serial
+ ../../openssl/openssl/apps/openssl ca -batch -out $@ -in LIR1.req -extfile LIR1.cnf -config RIR.cnf
+
+
+show_req::
+ ../../openssl/openssl/apps/openssl req -noout -text -in LIR1.req -config /dev/null
+
+show_cer::
+ ../../openssl/openssl/apps/openssl x509 -noout -text -in LIR1.cer
+
+all:: ISP5c.cer
+
+ISP5c.key:
+ ../../openssl/openssl/apps/openssl genrsa -out $@ 2048
+
+ISP5c.req: ISP5c.key ISP5c.cnf Makefile
+ ../../openssl/openssl/apps/openssl req -new -config ISP5c.cnf -key ISP5c.key -out $@
+
+ISP5c.cer: ISP5c.req ISP5c.cnf LIR3.key Makefile
+ @test -d ISP5c || mkdir ISP5c
+ @test -f ISP5c/index || touch ISP5c/index
+ @test -f ISP5c/serial || echo 01 >ISP5c/serial
+ ../../openssl/openssl/apps/openssl ca -batch -out $@ -in ISP5c.req -extfile ISP5c.cnf -config LIR3.cnf
+
+
+show_req::
+ ../../openssl/openssl/apps/openssl req -noout -text -in ISP5c.req -config /dev/null
+
+show_cer::
+ ../../openssl/openssl/apps/openssl x509 -noout -text -in ISP5c.cer
+
+all:: ISP5b.cer
+
+ISP5b.key:
+ ../../openssl/openssl/apps/openssl genrsa -out $@ 2048
+
+ISP5b.req: ISP5b.key ISP5b.cnf Makefile
+ ../../openssl/openssl/apps/openssl req -new -config ISP5b.cnf -key ISP5b.key -out $@
+
+ISP5b.cer: ISP5b.req ISP5b.cnf LIR3.key Makefile
+ @test -d ISP5b || mkdir ISP5b
+ @test -f ISP5b/index || touch ISP5b/index
+ @test -f ISP5b/serial || echo 01 >ISP5b/serial
+ ../../openssl/openssl/apps/openssl ca -batch -out $@ -in ISP5b.req -extfile ISP5b.cnf -config LIR3.cnf
+
+
+show_req::
+ ../../openssl/openssl/apps/openssl req -noout -text -in ISP5b.req -config /dev/null
+
+show_cer::
+ ../../openssl/openssl/apps/openssl x509 -noout -text -in ISP5b.cer
+
+all:: ISP5a.cer
+
+ISP5a.key:
+ ../../openssl/openssl/apps/openssl genrsa -out $@ 2048
+
+ISP5a.req: ISP5a.key ISP5a.cnf Makefile
+ ../../openssl/openssl/apps/openssl req -new -config ISP5a.cnf -key ISP5a.key -out $@
+
+ISP5a.cer: ISP5a.req ISP5a.cnf LIR3.key Makefile
+ @test -d ISP5a || mkdir ISP5a
+ @test -f ISP5a/index || touch ISP5a/index
+ @test -f ISP5a/serial || echo 01 >ISP5a/serial
+ ../../openssl/openssl/apps/openssl ca -batch -out $@ -in ISP5a.req -extfile ISP5a.cnf -config LIR3.cnf
+
+
+show_req::
+ ../../openssl/openssl/apps/openssl req -noout -text -in ISP5a.req -config /dev/null
+
+show_cer::
+ ../../openssl/openssl/apps/openssl x509 -noout -text -in ISP5a.cer
+
+all:: ISP4.cer
+
+ISP4.key:
+ ../../openssl/openssl/apps/openssl genrsa -out $@ 2048
+
+ISP4.req: ISP4.key ISP4.cnf Makefile
+ ../../openssl/openssl/apps/openssl req -new -config ISP4.cnf -key ISP4.key -out $@
+
+ISP4.cer: ISP4.req ISP4.cnf LIR2.key Makefile
+ @test -d ISP4 || mkdir ISP4
+ @test -f ISP4/index || touch ISP4/index
+ @test -f ISP4/serial || echo 01 >ISP4/serial
+ ../../openssl/openssl/apps/openssl ca -batch -out $@ -in ISP4.req -extfile ISP4.cnf -config LIR2.cnf
+
+
+show_req::
+ ../../openssl/openssl/apps/openssl req -noout -text -in ISP4.req -config /dev/null
+
+show_cer::
+ ../../openssl/openssl/apps/openssl x509 -noout -text -in ISP4.cer
+
+all:: ISP3.cer
+
+ISP3.key:
+ ../../openssl/openssl/apps/openssl genrsa -out $@ 2048
+
+ISP3.req: ISP3.key ISP3.cnf Makefile
+ ../../openssl/openssl/apps/openssl req -new -config ISP3.cnf -key ISP3.key -out $@
+
+ISP3.cer: ISP3.req ISP3.cnf LIR2.key Makefile
+ @test -d ISP3 || mkdir ISP3
+ @test -f ISP3/index || touch ISP3/index
+ @test -f ISP3/serial || echo 01 >ISP3/serial
+ ../../openssl/openssl/apps/openssl ca -batch -out $@ -in ISP3.req -extfile ISP3.cnf -config LIR2.cnf
+
+
+show_req::
+ ../../openssl/openssl/apps/openssl req -noout -text -in ISP3.req -config /dev/null
+
+show_cer::
+ ../../openssl/openssl/apps/openssl x509 -noout -text -in ISP3.cer
+
+all:: ISP2.cer
+
+ISP2.key:
+ ../../openssl/openssl/apps/openssl genrsa -out $@ 2048
+
+ISP2.req: ISP2.key ISP2.cnf Makefile
+ ../../openssl/openssl/apps/openssl req -new -config ISP2.cnf -key ISP2.key -out $@
+
+ISP2.cer: ISP2.req ISP2.cnf LIR1.key Makefile
+ @test -d ISP2 || mkdir ISP2
+ @test -f ISP2/index || touch ISP2/index
+ @test -f ISP2/serial || echo 01 >ISP2/serial
+ ../../openssl/openssl/apps/openssl ca -batch -out $@ -in ISP2.req -extfile ISP2.cnf -config LIR1.cnf
+
+
+show_req::
+ ../../openssl/openssl/apps/openssl req -noout -text -in ISP2.req -config /dev/null
+
+show_cer::
+ ../../openssl/openssl/apps/openssl x509 -noout -text -in ISP2.cer
+
+all:: ISP1.cer
+
+ISP1.key:
+ ../../openssl/openssl/apps/openssl genrsa -out $@ 2048
+
+ISP1.req: ISP1.key ISP1.cnf Makefile
+ ../../openssl/openssl/apps/openssl req -new -config ISP1.cnf -key ISP1.key -out $@
+
+ISP1.cer: ISP1.req ISP1.cnf LIR1.key Makefile
+ @test -d ISP1 || mkdir ISP1
+ @test -f ISP1/index || touch ISP1/index
+ @test -f ISP1/serial || echo 01 >ISP1/serial
+ ../../openssl/openssl/apps/openssl ca -batch -out $@ -in ISP1.req -extfile ISP1.cnf -config LIR1.cnf
+
+
+show_req::
+ ../../openssl/openssl/apps/openssl req -noout -text -in ISP1.req -config /dev/null
+
+show_cer::
+ ../../openssl/openssl/apps/openssl x509 -noout -text -in ISP1.cer
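Review bot: The `LIR3.cer` rule, and every other non-root `*.cer` rule in this Makefile, lists the issuer's key as a prerequisite but not the issuer's certificate or config. Its recipe runs `openssl ca ... -config RIR.cnf`, and RIR.cnf points at `RIR.cer`, `RIR/index` and `RIR/serial`, which only the `RIR.cer` recipe creates. Building a child target on a clean tree, or with parallel make, can therefore start before the issuer's certificate and database exist, and sibling targets would share one serial file without ordering. Because the file is marked as generated, the fix belongs in the generator, which should emit the issuer in the prerequisites, e.g. `LIR3.cer: LIR3.req LIR3.cnf RIR.cer RIR.cnf RIR.key Makefile`.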
diff --git a/rpkid/resource-cert-samples/RIR.cer b/rpkid/resource-cert-samples/RIR.cer
new file mode 100644
index 00000000..d7154c7c
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR.cer
@@ -0,0 +1,100 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 47 (0x2f)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Oct 29 16:32:33 2007 GMT
+ Not After : Oct 28 16:32:33 2008 GMT
+ Subject: CN=TEST ENTITY RIR
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:ac:a7:26:c4:98:68:99:b6:f2:e7:c5:97:05:7e:
+ f9:d7:f2:ec:39:e6:2b:8e:c2:42:88:b9:8f:22:b6:
+ 3c:59:b0:0e:8a:1d:0e:f8:81:b1:c8:ff:4a:8a:1a:
+ 43:bc:78:91:3e:af:b2:b0:95:60:a9:3e:9d:c2:ff:
+ 99:8f:8f:b6:dc:d8:46:b7:86:35:a6:f6:42:05:c2:
+ c5:9b:84:15:e2:58:0f:70:9c:bc:53:d7:28:76:f8:
+ f2:14:79:22:bd:d6:8b:6c:0e:2b:02:e5:d8:f3:33:
+ fa:16:43:9b:80:87:f9:b2:45:ab:bd:7d:14:b2:24:
+ 2f:41:13:6f:45:c4:dc:f9:4d:7f:d8:d3:e1:aa:5c:
+ 52:9d:c9:7a:38:b7:b0:43:bd:b7:6a:37:43:ec:e7:
+ 34:c4:3b:4c:ca:cc:7b:1f:91:ef:ab:d4:35:76:42:
+ 82:d4:f5:79:e0:12:3c:24:92:2e:dc:a2:5c:83:f0:
+ 71:8a:26:96:30:d4:b8:96:4d:00:2c:1a:f0:0f:79:
+ 52:c7:27:73:54:77:c1:86:f9:86:61:ce:e0:69:a7:
+ a8:3d:77:39:e7:24:ee:41:8d:52:19:3b:57:8c:84:
+ cc:9a:d5:05:7c:e6:83:2c:e3:13:6d:66:1b:87:20:
+ 82:47:e1:05:26:f0:3b:29:69:6d:bc:af:48:91:c4:
+ 40:f1
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ FB:B8:A7:A3:36:48:0A:A0:9F:F0:2E:DC:8B:68:BC:B3:5C:45:25:D7
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/RIR/
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64533-64540
+ 64544
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 10.0.0.0/24
+ 10.3.0.0/24
+ 192.0.2.1-192.0.2.33
+ 192.0.2.44-192.0.2.100
+ IPv6:
+ 2001:db8:0:0:0:0:0:44-2001:db8:0:0:0:0:0:100
+ 2001:db8:0:0:0:0:a00::/120
+ 2001:db8:0:0:0:0:a03::/120
+ 2001:db8:0:0:0:10:0:44/128
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 90:3c:6e:1d:89:9d:00:53:b4:b1:36:ea:2b:cf:21:d5:b2:77:
+ 66:be:da:ad:db:92:35:0d:83:55:f5:92:11:73:93:af:1a:ec:
+ 1d:7a:1a:84:8f:c0:61:29:f1:51:c7:a6:7c:95:7c:a8:38:40:
+ 57:6b:fc:51:38:fd:6b:8a:7a:58:d8:c6:36:a5:0d:9b:7a:b9:
+ b4:47:e1:a5:fc:66:b6:51:22:45:50:94:b4:f2:47:f2:a2:29:
+ 6a:33:6a:3c:26:44:c5:5a:17:ce:7a:f3:4a:46:0e:f4:fd:36:
+ 01:7c:c5:1e:59:bc:3a:e7:36:f3:64:d4:0c:7a:f7:6a:ef:11:
+ ae:32:5a:77:62:b3:e4:b3:9e:16:9f:11:28:cb:11:dd:79:ff:
+ a5:b8:3e:3f:fd:df:34:92:2f:f4:0e:d2:50:a8:80:a1:17:91:
+ 50:c7:d3:af:c5:6e:d8:ca:cd:28:e0:92:28:b3:c4:13:39:9d:
+ fc:a1:57:61:22:22:70:57:27:5f:33:72:17:a8:04:89:9d:44:
+ 9b:7d:1a:66:10:19:f3:b9:9c:17:48:22:71:c6:a5:e0:ba:00:
+ ab:a4:01:bb:c7:2b:8f:0f:25:8a:20:71:21:4f:c0:74:34:14:
+ e5:23:3a:70:48:c2:04:9a:93:97:29:f9:39:7b:ac:1a:e4:2b:
+ 0d:13:b6:b7
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR.cnf b/rpkid/resource-cert-samples/RIR.cnf
new file mode 100644
index 00000000..b70b41e8
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR.cnf
@@ -0,0 +1,64 @@
+# Automatically generated, do not edit.
+
+[ ca ]
+default_ca = ca_default
+
+[ ca_default ]
+certificate = RIR.cer
+serial = RIR/serial
+private_key = RIR.key
+database = RIR/index
+new_certs_dir = RIR
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 365
+default_crl_days = 30
+default_md = sha256
+preserve = no
+copy_extensions = copy
+policy = ca_policy_anything
+unique_subject = no
+x509_extensions = ca_x509_ext
+crl_extensions = crl_x509_ext
+
+[ ca_policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+givenName = optional
+surname = optional
+
+[ req ]
+default_bits = 2048
+encrypt_key = no
+distinguished_name = req_dn
+req_extensions = req_x509_ext
+prompt = no
+
+[ req_dn ]
+CN = TEST ENTITY RIR
+
+[ req_x509_ext ]
+basicConstraints = critical,CA:true
+subjectKeyIdentifier = hash
+keyUsage = critical,keyCertSign,cRLSign
+subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombats-r-us.hactrn.net/RIR/
+#authorityInfoAccess = caIssuers;URI:rsync://wombats-r-us.hactrn.net/???.cer
+sbgp-autonomousSysNum = critical,AS:64533,AS:64534-64540,AS:64544
+sbgp-ipAddrBlock = critical,IPv4:10.0.0.0/24,IPv4:10.3.0.0/24,IPv4:192.0.2.1-192.0.2.33,IPv4:192.0.2.44-192.0.2.100,IPv6:2001:db8::44-2001:db8::100,IPv6:2001:db8::a00:0/120,IPv6:2001:db8::a03:0/120,IPv6:2001:db8::10:0:44/128
+
+[ ca_x509_ext ]
+basicConstraints = critical,CA:true
+#authorityKeyIdentifier = keyid:always
+keyUsage = critical,keyCertSign,cRLSign
+subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombats-r-us.hactrn.net/RIR/
+#authorityInfoAccess = caIssuers;URI:rsync://wombats-r-us.hactrn.net/???.cer
+sbgp-autonomousSysNum = critical,AS:64533,AS:64534-64540,AS:64544
+sbgp-ipAddrBlock = critical,IPv4:10.0.0.0/24,IPv4:10.3.0.0/24,IPv4:192.0.2.1-192.0.2.33,IPv4:192.0.2.44-192.0.2.100,IPv6:2001:db8::44-2001:db8::100,IPv6:2001:db8::a00:0/120,IPv6:2001:db8::a03:0/120,IPv6:2001:db8::10:0:44/128
+
+[ crl_x509_ext ]
+authorityKeyIdentifier = keyid:always
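Review bot: `copy_extensions = copy` in `[ ca_default ]`, together with `policy = ca_policy_anything` and the `-batch` flag used by the Makefile recipes, means the CA can carry `basicConstraints = CA:true` and the `sbgp-*` resource extensions over from the request with no operator review. Nothing in this config checks that a child's requested resources are a subset of the issuer's. That is acceptable for generating samples but unsafe if the file is reused as a template for a real CA. Because the file is generated, the generator should emit a comment above that line such as `# test fixture only: extensions are taken from the CSR unchecked; do not reuse for a production CA`.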
diff --git a/rpkid/resource-cert-samples/RIR.key b/rpkid/resource-cert-samples/RIR.key
new file mode 100644
index 00000000..5721f051
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
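Review bot: This file adds the private key of the sample root (`CN=TEST ENTITY RIR`) to the repository, and it appears to be unencrypted because the Makefile calls `openssl genrsa -out $@ 2048` with no cipher option. Anyone with a checkout can issue certificates that chain to `RIR.cer`, so that certificate must never be configured as a trust anchor outside the test suite. The Makefile already regenerates keys on demand, so consider leaving the `*.key` files out of version control. If they must stay, say in the directory's README that they are public test keys.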
diff --git a/rpkid/resource-cert-samples/RIR.req b/rpkid/resource-cert-samples/RIR.req
new file mode 100644
index 00000000..d86020df
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR.req
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE REQUEST-----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+-----END CERTIFICATE REQUEST-----
diff --git a/rpkid/resource-cert-samples/RIR/01.pem b/rpkid/resource-cert-samples/RIR/01.pem
new file mode 100644
index 00000000..07ee97f6
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/01.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIID9zCCAt+gAwIBAgIBATANBgkqhkiG9w0BAQUFADAaMRgwFgYDVQQDEw9URVNU
+IEVOVElUWSBSSVIwHhcNMDcwODAxMDU0NTIzWhcNMDgwNzMxMDU0NTIzWjAaMRgw
+FgYDVQQDEw9URVNUIEVOVElUWSBSSVIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCspybEmGiZtvLnxZcFfvnX8uw55iuOwkKIuY8itjxZsA6KHQ74gbHI
+/0qKGkO8eJE+r7KwlWCpPp3C/5mPj7bc2Ea3hjWm9kIFwsWbhBXiWA9wnLxT1yh2
++PIUeSK91otsDisC5djzM/oWQ5uAh/myRau9fRSyJC9BE29FxNz5TX/Y0+GqXFKd
+yXo4t7BDvbdqN0Ps5zTEO0zKzHsfke+r1DV2QoLU9XngEjwkki7colyD8HGKJpYw
+1LiWTQAsGvAPeVLHJ3NUd8GG+YZhzuBpp6g9dznnJO5BjVIZO1eMhMya1QV85oMs
+4xNtZhuHIIJH4QUm8DspaW28r0iRxEDxAgMBAAGjggFGMIIBQjAPBgNVHRMBAf8E
+BTADAQH/MB0GA1UdDgQWBBT7uKejNkgKoJ/wLtyLaLyzXEUl1zAfBgNVHSMEGDAW
+gBT7uKejNkgKoJ/wLtyLaLyzXEUl1zAOBgNVHQ8BAf8EBAMCAQYwQAYIKwYBBQUH
+AQsENDAyMDAGCCsGAQUFBzAFhiRyc3luYzovL3dvbWJhdHMtci11cy5oYWN0cm4u
+bmV0L1JJUi8wHwYIKwYBBQUHAQgBAf8EEDAOoAwwCgIDAPwVAgMA/CAwfAYIKwYB
+BQUHAQcBAf8EbTBrMCYEAgABMCAwDgMFAMAAAgEDBQHAAAIgMA4DBQLAAAIsAwUA
+wAACZDBBBAIAAjA7MCYDEQIgAQ24AAAAAAAAAAAAAABEAxEAIAENuAAAAAAAAAAA
+AAABAAMRACABDbgAAAAAAAAAEAAAAEQwDQYJKoZIhvcNAQEFBQADggEBAAMSdVb0
+8uyFbF8CPlOzqgJv/jG+qPWDRUh8XqHiMvoGtUXbHUn7dO/XHJ2rsdL14F7mUPbI
+jzdtbVeK4aMKQBJ9u2ZYsCcpmJYiF/GBMva93X5Fpbnzzj7pJ5AeoIo2qEi7zqqq
+hhnInDZmTNRvV21u18VMaz1YBsEJZjr99lqNibba6UsoISVU2KEPVxob/nRHisGX
+Sd7mxhkkpTKO11Z4/viUxEQORfjtqnkIk3lmJwTjz2ASmBfuwH4QsLLu9m92ueF5
+PoHO/P8c2TZg1go8jYlBAd61AZHNaixF9EFObfcRNRuFiUfdnMpn8msPpiM3WCbj
+CgdEWb4i5d2+jZM=
+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/02.pem b/rpkid/resource-cert-samples/RIR/02.pem
new file mode 100644
index 00000000..b9922644
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/02.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/03.pem b/rpkid/resource-cert-samples/RIR/03.pem
new file mode 100644
index 00000000..3b7fe4ac
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/03.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/04.pem b/rpkid/resource-cert-samples/RIR/04.pem
new file mode 100644
index 00000000..29900503
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/04.pem
@@ -0,0 +1,99 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 4 (0x4)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Aug 1 14:05:29 2007 GMT
+ Not After : Jul 31 14:05:29 2008 GMT
+ Subject: CN=TEST ENTITY RIR
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:ac:a7:26:c4:98:68:99:b6:f2:e7:c5:97:05:7e:
+ f9:d7:f2:ec:39:e6:2b:8e:c2:42:88:b9:8f:22:b6:
+ 3c:59:b0:0e:8a:1d:0e:f8:81:b1:c8:ff:4a:8a:1a:
+ 43:bc:78:91:3e:af:b2:b0:95:60:a9:3e:9d:c2:ff:
+ 99:8f:8f:b6:dc:d8:46:b7:86:35:a6:f6:42:05:c2:
+ c5:9b:84:15:e2:58:0f:70:9c:bc:53:d7:28:76:f8:
+ f2:14:79:22:bd:d6:8b:6c:0e:2b:02:e5:d8:f3:33:
+ fa:16:43:9b:80:87:f9:b2:45:ab:bd:7d:14:b2:24:
+ 2f:41:13:6f:45:c4:dc:f9:4d:7f:d8:d3:e1:aa:5c:
+ 52:9d:c9:7a:38:b7:b0:43:bd:b7:6a:37:43:ec:e7:
+ 34:c4:3b:4c:ca:cc:7b:1f:91:ef:ab:d4:35:76:42:
+ 82:d4:f5:79:e0:12:3c:24:92:2e:dc:a2:5c:83:f0:
+ 71:8a:26:96:30:d4:b8:96:4d:00:2c:1a:f0:0f:79:
+ 52:c7:27:73:54:77:c1:86:f9:86:61:ce:e0:69:a7:
+ a8:3d:77:39:e7:24:ee:41:8d:52:19:3b:57:8c:84:
+ cc:9a:d5:05:7c:e6:83:2c:e3:13:6d:66:1b:87:20:
+ 82:47:e1:05:26:f0:3b:29:69:6d:bc:af:48:91:c4:
+ 40:f1
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ FB:B8:A7:A3:36:48:0A:A0:9F:F0:2E:DC:8B:68:BC:B3:5C:45:25:D7
+ X509v3 Authority Key Identifier:
+ keyid:FB:B8:A7:A3:36:48:0A:A0:9F:F0:2E:DC:8B:68:BC:B3:5C:45:25:D7
+
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/RIR/
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64533
+ 64544
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 192.0.2.1-192.0.2.33
+ 192.0.2.44-192.0.2.100
+ IPv6:
+ 2001:db8:0:0:0:0:0:44-2001:db8:0:0:0:0:0:100
+ 2001:db8:0:0:0:10:0:44/128
+
+ Signature Algorithm: sha1WithRSAEncryption
+ 0a:c5:a7:72:a7:bf:b4:e6:ab:04:40:0f:39:bd:54:88:30:2b:
+ e7:a7:91:f4:e8:2f:38:8a:ff:99:68:0a:ab:ce:d8:7d:51:e3:
+ 73:2b:64:bf:6a:b5:78:db:96:2e:0d:5b:ec:99:da:aa:63:62:
+ 43:5c:f7:df:a8:c0:93:ab:5e:ff:de:8f:c6:c9:de:fd:f9:b6:
+ 6e:6e:96:81:db:db:cc:2c:47:3b:60:33:e2:8d:6d:28:23:13:
+ f8:e1:84:2d:6f:1c:45:fc:54:91:0e:21:53:3b:a3:23:37:2b:
+ 64:ab:99:33:66:30:b6:bb:20:c1:d6:d4:34:b4:2a:c8:84:5b:
+ 87:38:69:ea:82:ef:6d:59:2a:ed:7f:d3:ba:02:34:47:b7:75:
+ a8:43:30:15:24:9d:58:ed:0a:d3:a0:3f:32:f5:9b:4c:7b:2d:
+ 9d:73:91:5f:37:08:aa:e4:b3:48:5c:b8:64:dc:09:c4:13:72:
+ 15:f8:3d:f9:d4:96:d0:9a:83:52:8d:17:b9:c7:ea:33:10:08:
+ 67:c7:85:23:26:57:f2:cc:b5:d2:a0:65:cc:57:4e:77:7d:2f:
+ 68:7c:d7:e6:9a:9c:2f:c3:0b:c6:9d:05:5d:56:17:45:81:7f:
+ 7c:2c:77:fc:2a:f4:33:18:0d:ea:e8:3d:fd:00:55:90:8a:1d:
+ b8:2c:64:69
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/05.pem b/rpkid/resource-cert-samples/RIR/05.pem
new file mode 100644
index 00000000..3e86b43b
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/05.pem
@@ -0,0 +1,98 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 5 (0x5)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Aug 1 14:05:29 2007 GMT
+ Not After : Jul 31 14:05:29 2008 GMT
+ Subject: CN=TEST ENTITY LIR2
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:f1:18:b6:79:0b:35:c5:83:64:48:83:31:03:9e:
+ e7:72:28:65:b1:ac:61:e1:77:2e:c0:4d:f0:b1:1c:
+ 61:d8:cc:5a:2d:c7:0b:9b:78:7a:3e:fd:37:ad:fa:
+ b0:73:0b:9c:fc:bb:6f:60:ea:38:ef:ae:d1:27:b8:
+ 81:59:0f:b3:e7:d0:67:b2:a2:f5:4f:e2:04:c6:cc:
+ 13:9f:33:28:35:96:7a:db:ce:ac:9d:d3:64:3d:b8:
+ 44:bc:cb:43:22:92:d6:3c:2e:bf:97:6e:39:6a:6e:
+ 68:93:5d:1c:a8:58:b7:a3:7a:26:44:fe:fe:30:ad:
+ e2:05:89:4c:c9:ef:2c:e0:4e:31:69:3f:dd:91:1c:
+ f0:b0:25:4c:3e:84:8a:ea:5e:03:b3:a8:cd:90:1a:
+ 1e:c8:e0:af:fe:11:ed:21:06:bd:3c:5e:08:a1:93:
+ e2:41:43:43:38:d3:21:b3:4c:fa:85:8b:43:57:60:
+ 5d:bb:a0:78:e5:33:47:a8:33:76:be:df:6e:63:61:
+ e3:31:8b:5d:8e:0c:c7:f5:c8:91:0c:be:57:c7:f2:
+ bc:be:0b:ba:7a:1f:f6:19:f1:eb:00:74:c1:12:c2:
+ dc:2b:2e:8d:f0:0a:ff:7f:e8:60:08:90:ba:51:fc:
+ d0:90:11:37:f3:9e:44:b6:64:43:69:5d:61:d3:e1:
+ 8d:77
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 03:7A:DF:0C:DF:DC:93:3D:F7:A5:CC:27:7B:DC:22:F6:E9:55:97:F0
+ X509v3 Authority Key Identifier:
+ keyid:FB:B8:A7:A3:36:48:0A:A0:9F:F0:2E:DC:8B:68:BC:B3:5C:45:25:D7
+
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/LIR2/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/RIR.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64544
+
+ sbgp-ipAddrBlock: critical
+ IPv6:
+ 2001:db8:0:0:0:0:0:44-2001:db8:0:0:0:0:0:100
+ 2001:db8:0:0:0:10:0:44/128
+
+ Signature Algorithm: sha1WithRSAEncryption
+ 2c:7e:f1:e6:b5:3f:58:22:09:5d:48:ab:9a:3b:67:b8:6c:c6:
+ 3d:f4:2e:81:f5:63:42:a0:3f:78:4a:9c:0f:6d:d5:64:21:7a:
+ a9:56:1c:2c:f6:d3:1e:7b:f8:c9:3a:69:09:18:4b:56:88:de:
+ c7:51:19:bf:63:2f:8b:a7:24:63:b9:a9:b1:93:21:14:e4:3d:
+ 38:68:0d:b8:f1:33:6b:1c:fa:5f:87:40:42:5e:f5:8d:15:f7:
+ 9d:7f:89:02:23:f3:fb:7e:29:4c:32:61:d5:b4:8e:68:5d:00:
+ a0:25:3a:99:76:c2:f2:48:b8:1f:05:5a:65:84:e6:71:a1:02:
+ ad:6e:b0:72:39:06:49:bc:ab:f9:d7:b4:76:a9:84:8b:fe:8a:
+ 45:11:1f:c3:58:f0:b4:9d:ee:0a:90:a7:2b:4b:11:ab:7a:90:
+ aa:b6:a2:63:c6:7d:bc:07:1d:f5:6e:67:b9:7d:bd:8e:c4:11:
+ cc:4f:96:2c:8e:95:ec:50:3c:e0:cf:e3:e1:ea:7e:4e:92:54:
+ 58:5b:82:58:8b:51:8a:79:3f:0b:00:d5:c1:00:7b:8d:75:ce:
+ 7b:36:2d:26:36:63:0e:43:01:17:6e:28:fe:d1:5d:12:68:34:
+ 85:0d:59:d3:81:33:73:b0:7c:57:cb:3b:f2:43:e0:7c:4a:44:
+ 89:6d:a3:4c
+-----BEGIN CERTIFICATE-----
+MIIEETCCAvmgAwIBAgIBBTANBgkqhkiG9w0BAQUFADAaMRgwFgYDVQQDEw9URVNU
+IEVOVElUWSBSSVIwHhcNMDcwODAxMTQwNTI5WhcNMDgwNzMxMTQwNTI5WjAbMRkw
+FwYDVQQDExBURVNUIEVOVElUWSBMSVIyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEA8Ri2eQs1xYNkSIMxA57ncihlsaxh4XcuwE3wsRxh2MxaLccLm3h6
+Pv03rfqwcwuc/LtvYOo4767RJ7iBWQ+z59BnsqL1T+IExswTnzMoNZZ6286sndNk
+PbhEvMtDIpLWPC6/l245am5ok10cqFi3o3omRP7+MK3iBYlMye8s4E4xaT/dkRzw
+sCVMPoSK6l4Ds6jNkBoeyOCv/hHtIQa9PF4IoZPiQUNDONMhs0z6hYtDV2Bdu6B4
+5TNHqDN2vt9uY2HjMYtdjgzH9ciRDL5Xx/K8vgu6eh/2GfHrAHTBEsLcKy6N8Ar/
+f+hgCJC6UfzQkBE3855EtmRDaV1h0+GNdwIDAQABo4IBXzCCAVswDwYDVR0TAQH/
+BAUwAwEB/zAdBgNVHQ4EFgQUA3rfDN/ckz33pcwne9wi9ulVl/AwHwYDVR0jBBgw
+FoAU+7inozZICqCf8C7ci2i8s1xFJdcwDgYDVR0PAQH/BAQDAgEGMEEGCCsGAQUF
+BwELBDUwMzAxBggrBgEFBQcwBYYlcnN5bmM6Ly93b21iYXRzLXItdXMuaGFjdHJu
+Lm5ldC9MSVIyLzBDBggrBgEFBQcBAQQ3MDUwMwYIKwYBBQUHMAKGJ3JzeW5jOi8v
+d29tYmF0cy1yLXVzLmhhY3Rybi5uZXQvUklSLmNlcjAaBggrBgEFBQcBCAEB/wQL
+MAmgBzAFAgMA/CAwVAYIKwYBBQUHAQcBAf8ERTBDMEEEAgACMDswJgMRAiABDbgA
+AAAAAAAAAAAAAEQDEQAgAQ24AAAAAAAAAAAAAAEAAxEAIAENuAAAAAAAAAAQAAAA
+RDANBgkqhkiG9w0BAQUFAAOCAQEALH7x5rU/WCIJXUirmjtnuGzGPfQugfVjQqA/
+eEqcD23VZCF6qVYcLPbTHnv4yTppCRhLVojex1EZv2Mvi6ckY7mpsZMhFOQ9OGgN
+uPEzaxz6X4dAQl71jRX3nX+JAiPz+34pTDJh1bSOaF0AoCU6mXbC8ki4HwVaZYTm
+caECrW6wcjkGSbyr+de0dqmEi/6KRREfw1jwtJ3uCpCnK0sRq3qQqraiY8Z9vAcd
+9W5nuX29jsQRzE+WLI6V7FA84M/j4ep+TpJUWFuCWItRink/CwDVwQB7jXXOezYt
+JjZjDkMBF24o/tFdEmg0hQ1Z04Ezc7B8V8s78kPgfEpEiW2jTA==
+-----END CERTIFICATE-----
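Review bot: The validity window in this sample is hard-coded to one year (`Not Before: Aug 1 14:05:29 2007 GMT` to `Not After : Jul 31 14:05:29 2008 GMT`), so any test that validates it against the current clock will start failing after that date. Whether such a test exists is not visible from this diff. The same applies to the 06.pem through 0D.pem hunks, and every sample here is signed with `sha1WithRSAEncryption`. 05.pem, 08.pem and 0B.pem also carry the same subject (`CN=TEST ENTITY LIR2`), the same Subject Key Identifier and the same resources under serials 5, 8 and 11, and nothing in the files says which one is current or whether the earlier ones are meant to be treated as superseded. I would add a short note alongside the samples stating that they are throwaway fixtures, how they are regenerated, that validation tests should pin the verification time, and that the SHA-1 signature profile is for parser testing only and not a template for issued certificates.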
diff --git a/rpkid/resource-cert-samples/RIR/06.pem b/rpkid/resource-cert-samples/RIR/06.pem
new file mode 100644
index 00000000..3a8ea7f2
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/06.pem
@@ -0,0 +1,98 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 6 (0x6)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Aug 1 14:05:29 2007 GMT
+ Not After : Jul 31 14:05:29 2008 GMT
+ Subject: CN=TEST ENTITY LIR1
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:af:5d:1c:f9:d9:bb:d5:01:e1:5b:36:cc:51:f6:
+ fd:86:57:60:aa:9e:c7:ec:4e:05:af:fb:51:5c:7a:
+ c2:58:c4:a8:57:ae:14:62:e9:bc:b6:72:7d:cf:49:
+ c8:4a:40:82:4a:f4:3e:30:b5:94:25:9e:6c:78:81:
+ 57:43:d6:85:02:8d:d1:9c:b5:d7:34:2f:e2:a9:7d:
+ 18:27:b5:47:9a:42:16:c8:90:7f:96:2c:dd:b8:98:
+ 17:1f:77:62:4a:08:00:2d:e0:73:0c:39:37:ba:0f:
+ a7:59:59:4c:7c:cd:e2:5c:d7:98:36:10:6c:88:3e:
+ 45:99:a6:88:2f:f6:7f:31:49:ba:42:2b:13:79:c2:
+ b2:f1:09:d9:ad:37:a4:41:b6:6d:46:a1:18:05:a0:
+ 53:07:8e:e0:98:b2:d1:fd:67:68:77:64:d5:f3:fe:
+ 1d:22:36:9e:26:5a:1a:aa:18:94:c3:2c:7e:9a:af:
+ be:2c:9d:5e:75:2c:49:d6:37:2b:06:1f:cc:63:97:
+ 7e:ee:2c:5f:67:af:4d:62:3e:7a:1f:0c:e1:1e:02:
+ f2:d2:06:75:ae:3f:11:bc:8e:0f:13:64:38:14:36:
+ 1d:5d:02:ec:af:65:d5:b9:68:f4:22:66:2b:ef:47:
+ 5b:ad:3b:f2:af:b6:71:0c:94:56:8a:7c:01:36:f0:
+ 3a:3f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 8A:94:17:F9:53:F2:5B:94:54:56:DF:76:51:13:29:F6:71:19:A8:B3
+ X509v3 Authority Key Identifier:
+ keyid:FB:B8:A7:A3:36:48:0A:A0:9F:F0:2E:DC:8B:68:BC:B3:5C:45:25:D7
+
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/LIR1/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/RIR.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64533
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 192.0.2.1-192.0.2.33
+ 192.0.2.44-192.0.2.100
+
+ Signature Algorithm: sha1WithRSAEncryption
+ 9c:f0:67:dc:b1:6f:9b:d1:1f:45:d2:2f:8d:09:75:80:39:4c:
+ 51:0b:73:7d:99:8e:e6:8a:89:55:c4:5d:69:6d:fb:55:ea:af:
+ ba:8c:45:3d:ee:b5:e4:7e:76:b9:d6:78:49:23:c9:df:c3:f5:
+ cb:f8:a8:d6:9a:6b:55:92:06:7d:58:84:35:78:df:5c:cc:28:
+ 4e:6c:43:17:31:89:6a:73:86:da:ec:42:ab:1f:94:a3:a4:7a:
+ aa:6b:31:99:22:b1:43:c0:e3:c0:ae:40:88:43:98:cf:8e:b6:
+ b4:e2:b3:46:ca:10:c9:35:8d:cc:8e:1b:d8:fa:a3:2c:24:29:
+ 03:7c:3c:65:78:70:e0:eb:89:96:e6:7f:76:da:cf:c9:d1:c7:
+ 2d:41:b2:3c:e6:8c:39:ca:52:2e:ed:74:81:dd:c2:e9:54:b3:
+ b7:05:53:96:67:6c:50:a3:b9:1c:a6:5a:23:02:c6:5a:df:f4:
+ 27:3f:13:25:25:e9:7f:14:96:90:eb:bd:4d:a7:b4:f5:42:f3:
+ 50:81:34:b9:c9:0b:19:a1:fd:62:96:b1:ed:24:f4:1a:41:60:
+ 9b:59:22:33:69:d3:d2:1e:73:ac:06:68:1c:4a:82:46:6d:57:
+ 9d:6a:d6:64:75:0b:d3:bb:33:31:fb:76:e6:9f:8e:48:de:3f:
+ b4:d7:12:18
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/07.pem b/rpkid/resource-cert-samples/RIR/07.pem
new file mode 100644
index 00000000..3d305e50
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/07.pem
@@ -0,0 +1,99 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 7 (0x7)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Aug 1 14:08:29 2007 GMT
+ Not After : Jul 31 14:08:29 2008 GMT
+ Subject: CN=TEST ENTITY RIR
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:ac:a7:26:c4:98:68:99:b6:f2:e7:c5:97:05:7e:
+ f9:d7:f2:ec:39:e6:2b:8e:c2:42:88:b9:8f:22:b6:
+ 3c:59:b0:0e:8a:1d:0e:f8:81:b1:c8:ff:4a:8a:1a:
+ 43:bc:78:91:3e:af:b2:b0:95:60:a9:3e:9d:c2:ff:
+ 99:8f:8f:b6:dc:d8:46:b7:86:35:a6:f6:42:05:c2:
+ c5:9b:84:15:e2:58:0f:70:9c:bc:53:d7:28:76:f8:
+ f2:14:79:22:bd:d6:8b:6c:0e:2b:02:e5:d8:f3:33:
+ fa:16:43:9b:80:87:f9:b2:45:ab:bd:7d:14:b2:24:
+ 2f:41:13:6f:45:c4:dc:f9:4d:7f:d8:d3:e1:aa:5c:
+ 52:9d:c9:7a:38:b7:b0:43:bd:b7:6a:37:43:ec:e7:
+ 34:c4:3b:4c:ca:cc:7b:1f:91:ef:ab:d4:35:76:42:
+ 82:d4:f5:79:e0:12:3c:24:92:2e:dc:a2:5c:83:f0:
+ 71:8a:26:96:30:d4:b8:96:4d:00:2c:1a:f0:0f:79:
+ 52:c7:27:73:54:77:c1:86:f9:86:61:ce:e0:69:a7:
+ a8:3d:77:39:e7:24:ee:41:8d:52:19:3b:57:8c:84:
+ cc:9a:d5:05:7c:e6:83:2c:e3:13:6d:66:1b:87:20:
+ 82:47:e1:05:26:f0:3b:29:69:6d:bc:af:48:91:c4:
+ 40:f1
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ FB:B8:A7:A3:36:48:0A:A0:9F:F0:2E:DC:8B:68:BC:B3:5C:45:25:D7
+ X509v3 Authority Key Identifier:
+ keyid:FB:B8:A7:A3:36:48:0A:A0:9F:F0:2E:DC:8B:68:BC:B3:5C:45:25:D7
+
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/RIR/
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64533
+ 64544
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 192.0.2.1-192.0.2.33
+ 192.0.2.44-192.0.2.100
+ IPv6:
+ 2001:db8:0:0:0:0:0:44-2001:db8:0:0:0:0:0:100
+ 2001:db8:0:0:0:10:0:44/128
+
+ Signature Algorithm: sha1WithRSAEncryption
+ 86:f6:b9:a8:10:25:3d:b8:28:c9:14:27:cc:5c:ef:31:6e:cc:
+ 30:b5:0e:9d:ab:c9:ec:4d:ae:8f:62:c9:11:ac:ef:1a:df:05:
+ e2:45:63:66:a4:cd:24:98:49:f0:e7:a2:8c:2c:5a:27:bc:03:
+ 60:1a:f9:0c:d5:dc:27:15:99:9f:c2:dd:cf:dc:b5:6d:1d:ef:
+ b5:1c:6c:14:49:15:ea:a2:1c:84:b8:95:0b:21:91:dd:e9:ee:
+ 26:59:0c:3b:f5:4a:b3:f7:90:42:af:3c:b6:bb:8a:d5:66:a4:
+ 42:28:48:53:81:c0:77:f5:65:27:7f:f0:3f:cf:a5:61:cd:6e:
+ 27:78:63:ea:ab:f5:34:d4:78:99:5e:a4:8f:df:61:32:97:55:
+ 16:55:68:01:83:ee:43:22:6d:7c:6d:cb:da:02:6b:24:68:78:
+ e8:f1:99:eb:f1:78:6b:6e:69:d8:9f:de:a5:bc:65:65:b1:c8:
+ 05:91:ce:ec:76:ef:81:01:e8:af:8f:c7:f8:89:98:8e:1e:77:
+ c4:81:22:96:3f:48:38:29:af:0f:f4:57:68:b2:83:13:95:55:
+ a5:02:64:1c:ed:0b:bb:59:35:69:d4:7a:cf:89:48:86:93:2f:
+ 03:1d:8f:3d:f3:bb:7c:06:f9:c3:aa:39:0d:c5:f0:15:f4:b4:
+ e2:85:6b:71
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/08.pem b/rpkid/resource-cert-samples/RIR/08.pem
new file mode 100644
index 00000000..056b591f
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/08.pem
@@ -0,0 +1,98 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 8 (0x8)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Aug 1 14:08:29 2007 GMT
+ Not After : Jul 31 14:08:29 2008 GMT
+ Subject: CN=TEST ENTITY LIR2
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:f1:18:b6:79:0b:35:c5:83:64:48:83:31:03:9e:
+ e7:72:28:65:b1:ac:61:e1:77:2e:c0:4d:f0:b1:1c:
+ 61:d8:cc:5a:2d:c7:0b:9b:78:7a:3e:fd:37:ad:fa:
+ b0:73:0b:9c:fc:bb:6f:60:ea:38:ef:ae:d1:27:b8:
+ 81:59:0f:b3:e7:d0:67:b2:a2:f5:4f:e2:04:c6:cc:
+ 13:9f:33:28:35:96:7a:db:ce:ac:9d:d3:64:3d:b8:
+ 44:bc:cb:43:22:92:d6:3c:2e:bf:97:6e:39:6a:6e:
+ 68:93:5d:1c:a8:58:b7:a3:7a:26:44:fe:fe:30:ad:
+ e2:05:89:4c:c9:ef:2c:e0:4e:31:69:3f:dd:91:1c:
+ f0:b0:25:4c:3e:84:8a:ea:5e:03:b3:a8:cd:90:1a:
+ 1e:c8:e0:af:fe:11:ed:21:06:bd:3c:5e:08:a1:93:
+ e2:41:43:43:38:d3:21:b3:4c:fa:85:8b:43:57:60:
+ 5d:bb:a0:78:e5:33:47:a8:33:76:be:df:6e:63:61:
+ e3:31:8b:5d:8e:0c:c7:f5:c8:91:0c:be:57:c7:f2:
+ bc:be:0b:ba:7a:1f:f6:19:f1:eb:00:74:c1:12:c2:
+ dc:2b:2e:8d:f0:0a:ff:7f:e8:60:08:90:ba:51:fc:
+ d0:90:11:37:f3:9e:44:b6:64:43:69:5d:61:d3:e1:
+ 8d:77
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 03:7A:DF:0C:DF:DC:93:3D:F7:A5:CC:27:7B:DC:22:F6:E9:55:97:F0
+ X509v3 Authority Key Identifier:
+ keyid:FB:B8:A7:A3:36:48:0A:A0:9F:F0:2E:DC:8B:68:BC:B3:5C:45:25:D7
+
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/LIR2/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/RIR.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64544
+
+ sbgp-ipAddrBlock: critical
+ IPv6:
+ 2001:db8:0:0:0:0:0:44-2001:db8:0:0:0:0:0:100
+ 2001:db8:0:0:0:10:0:44/128
+
+ Signature Algorithm: sha1WithRSAEncryption
+ a5:ff:47:52:d6:cf:31:7d:5d:61:f7:71:ca:49:aa:94:9d:82:
+ c6:79:7d:b3:a4:f8:79:6d:df:35:91:a8:2f:d5:98:77:26:6d:
+ a6:9c:78:dd:cd:85:72:b4:4a:7c:b7:7d:01:18:61:29:e1:33:
+ 49:72:3e:f8:21:2c:70:2d:90:fd:5a:84:71:d6:86:79:ee:a4:
+ 4e:47:d3:cc:51:50:44:48:9f:f1:40:f2:4a:11:d0:2b:6d:b5:
+ 83:44:81:f5:18:0f:59:15:60:98:60:b0:81:98:4d:22:49:d6:
+ 1f:0d:8e:f4:7a:87:26:e9:e1:ac:dc:e3:b4:8e:3e:cb:be:25:
+ 7c:79:9d:d5:5a:ee:99:59:b7:ce:2f:29:3a:6f:af:73:28:46:
+ 9c:c6:d3:78:c8:62:c1:d1:79:bd:19:07:ff:75:68:20:29:4e:
+ ef:e9:73:9b:ff:86:ff:3f:7f:d0:a3:5e:15:df:2b:e4:35:1e:
+ 6c:03:fe:7a:6b:e2:94:ae:d5:fe:00:b1:4a:e0:48:e0:72:30:
+ d2:26:73:83:c1:df:6a:bf:f8:9f:be:69:db:c6:2c:7b:e1:57:
+ 45:05:c0:e4:ee:d9:f9:59:53:8f:68:01:9b:0c:6b:8f:a5:80:
+ 23:c2:26:76:8f:79:26:a1:31:e1:c8:42:c8:b3:4f:22:d6:32:
+ 46:62:dc:d2
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/09.pem b/rpkid/resource-cert-samples/RIR/09.pem
new file mode 100644
index 00000000..b490cd62
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/09.pem
@@ -0,0 +1,98 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 9 (0x9)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Aug 1 14:08:29 2007 GMT
+ Not After : Jul 31 14:08:29 2008 GMT
+ Subject: CN=TEST ENTITY LIR1
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:af:5d:1c:f9:d9:bb:d5:01:e1:5b:36:cc:51:f6:
+ fd:86:57:60:aa:9e:c7:ec:4e:05:af:fb:51:5c:7a:
+ c2:58:c4:a8:57:ae:14:62:e9:bc:b6:72:7d:cf:49:
+ c8:4a:40:82:4a:f4:3e:30:b5:94:25:9e:6c:78:81:
+ 57:43:d6:85:02:8d:d1:9c:b5:d7:34:2f:e2:a9:7d:
+ 18:27:b5:47:9a:42:16:c8:90:7f:96:2c:dd:b8:98:
+ 17:1f:77:62:4a:08:00:2d:e0:73:0c:39:37:ba:0f:
+ a7:59:59:4c:7c:cd:e2:5c:d7:98:36:10:6c:88:3e:
+ 45:99:a6:88:2f:f6:7f:31:49:ba:42:2b:13:79:c2:
+ b2:f1:09:d9:ad:37:a4:41:b6:6d:46:a1:18:05:a0:
+ 53:07:8e:e0:98:b2:d1:fd:67:68:77:64:d5:f3:fe:
+ 1d:22:36:9e:26:5a:1a:aa:18:94:c3:2c:7e:9a:af:
+ be:2c:9d:5e:75:2c:49:d6:37:2b:06:1f:cc:63:97:
+ 7e:ee:2c:5f:67:af:4d:62:3e:7a:1f:0c:e1:1e:02:
+ f2:d2:06:75:ae:3f:11:bc:8e:0f:13:64:38:14:36:
+ 1d:5d:02:ec:af:65:d5:b9:68:f4:22:66:2b:ef:47:
+ 5b:ad:3b:f2:af:b6:71:0c:94:56:8a:7c:01:36:f0:
+ 3a:3f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 8A:94:17:F9:53:F2:5B:94:54:56:DF:76:51:13:29:F6:71:19:A8:B3
+ X509v3 Authority Key Identifier:
+ keyid:FB:B8:A7:A3:36:48:0A:A0:9F:F0:2E:DC:8B:68:BC:B3:5C:45:25:D7
+
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/LIR1/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/RIR.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64533
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 192.0.2.1-192.0.2.33
+ 192.0.2.44-192.0.2.100
+
+ Signature Algorithm: sha1WithRSAEncryption
+ 9a:f2:47:ba:06:1a:9f:bd:cc:87:8a:8f:14:ac:99:bb:3f:9c:
+ d4:2c:71:5e:3e:75:75:49:e4:9c:bf:57:83:f7:c9:d4:de:6d:
+ d2:53:0a:0b:9b:95:69:b2:26:52:6b:b0:d7:09:7f:40:4d:34:
+ 7e:5d:42:80:b4:9a:1c:82:d0:e0:13:d9:7c:d0:15:81:cb:77:
+ d8:dc:4b:68:fa:33:8f:cd:6b:44:ba:fb:9e:79:23:f9:2b:f1:
+ c5:34:84:3b:e1:80:e8:08:e6:b4:f3:3f:17:ee:be:b0:57:6a:
+ 49:79:8f:c8:b8:75:8f:88:49:29:db:32:ee:4d:fb:f1:b4:96:
+ 28:26:f2:2e:00:27:ae:0c:b2:77:a6:f7:5a:e4:db:a2:0d:9a:
+ c1:77:90:9f:85:40:ef:d3:67:f2:51:99:57:ee:09:07:6a:43:
+ 82:ab:a7:4b:aa:9a:a7:87:84:de:29:ef:64:bd:e6:9b:be:9d:
+ 8f:17:f2:c0:0b:e8:21:ee:42:00:69:f8:9e:c3:06:c2:4f:08:
+ 49:84:a7:33:76:6d:77:ae:be:24:9c:9e:d3:d6:7d:72:5f:79:
+ 5b:ab:b8:1c:5f:95:0c:11:78:e3:94:11:ae:48:ae:33:fa:c4:
+ cb:af:b3:6a:0f:04:c9:a4:54:a6:c0:a5:a3:a2:57:31:53:bc:
+ 8e:e1:f3:28
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/0A.pem b/rpkid/resource-cert-samples/RIR/0A.pem
new file mode 100644
index 00000000..433dc6c9
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/0A.pem
@@ -0,0 +1,99 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 10 (0xa)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Aug 1 14:09:34 2007 GMT
+ Not After : Jul 31 14:09:34 2008 GMT
+ Subject: CN=TEST ENTITY RIR
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:ac:a7:26:c4:98:68:99:b6:f2:e7:c5:97:05:7e:
+ f9:d7:f2:ec:39:e6:2b:8e:c2:42:88:b9:8f:22:b6:
+ 3c:59:b0:0e:8a:1d:0e:f8:81:b1:c8:ff:4a:8a:1a:
+ 43:bc:78:91:3e:af:b2:b0:95:60:a9:3e:9d:c2:ff:
+ 99:8f:8f:b6:dc:d8:46:b7:86:35:a6:f6:42:05:c2:
+ c5:9b:84:15:e2:58:0f:70:9c:bc:53:d7:28:76:f8:
+ f2:14:79:22:bd:d6:8b:6c:0e:2b:02:e5:d8:f3:33:
+ fa:16:43:9b:80:87:f9:b2:45:ab:bd:7d:14:b2:24:
+ 2f:41:13:6f:45:c4:dc:f9:4d:7f:d8:d3:e1:aa:5c:
+ 52:9d:c9:7a:38:b7:b0:43:bd:b7:6a:37:43:ec:e7:
+ 34:c4:3b:4c:ca:cc:7b:1f:91:ef:ab:d4:35:76:42:
+ 82:d4:f5:79:e0:12:3c:24:92:2e:dc:a2:5c:83:f0:
+ 71:8a:26:96:30:d4:b8:96:4d:00:2c:1a:f0:0f:79:
+ 52:c7:27:73:54:77:c1:86:f9:86:61:ce:e0:69:a7:
+ a8:3d:77:39:e7:24:ee:41:8d:52:19:3b:57:8c:84:
+ cc:9a:d5:05:7c:e6:83:2c:e3:13:6d:66:1b:87:20:
+ 82:47:e1:05:26:f0:3b:29:69:6d:bc:af:48:91:c4:
+ 40:f1
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ FB:B8:A7:A3:36:48:0A:A0:9F:F0:2E:DC:8B:68:BC:B3:5C:45:25:D7
+ X509v3 Authority Key Identifier:
+ keyid:FB:B8:A7:A3:36:48:0A:A0:9F:F0:2E:DC:8B:68:BC:B3:5C:45:25:D7
+
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/RIR/
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64533
+ 64544
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 192.0.2.1-192.0.2.33
+ 192.0.2.44-192.0.2.100
+ IPv6:
+ 2001:db8:0:0:0:0:0:44-2001:db8:0:0:0:0:0:100
+ 2001:db8:0:0:0:10:0:44/128
+
+ Signature Algorithm: sha1WithRSAEncryption
+ 67:ed:a0:29:b8:66:7d:a6:2c:4f:76:52:df:45:15:6f:23:3d:
+ 9c:57:05:19:57:31:f0:76:17:32:17:a0:aa:55:6a:5d:ee:51:
+ 2b:06:6e:75:bd:f2:6c:79:2f:5a:ee:f0:2d:e8:59:dc:a3:86:
+ 5d:b2:98:e1:59:b3:ec:c9:9b:ed:3a:b0:c7:72:56:28:77:a1:
+ 4a:a7:17:03:37:e8:b1:d7:19:a3:85:5c:c8:5c:fb:ad:bc:6a:
+ 0a:65:d7:90:c3:f8:12:83:53:89:c5:7a:71:b4:1f:61:69:5a:
+ 23:b5:24:5a:6f:23:9d:b0:ac:bc:83:01:c1:e9:41:f8:9e:ae:
+ e0:2b:a7:76:03:10:86:7f:76:3d:3d:f4:5f:04:2f:1b:e0:37:
+ 14:6d:97:7c:4f:ba:34:84:d7:6d:c0:90:7c:6d:97:11:c9:a8:
+ aa:96:7f:65:f7:f4:b6:57:0f:13:2a:3e:68:23:98:b5:f6:11:
+ 5b:1a:b4:ab:0f:db:77:5b:0d:ff:a7:71:7c:21:93:b4:e3:76:
+ 22:9a:0e:dc:f3:a3:1f:34:b0:10:f9:f1:4e:ef:b2:42:c8:ed:
+ e3:03:1f:2d:65:09:20:9e:66:a2:b6:05:df:39:63:e3:ce:ff:
+ 11:ed:f0:46:39:ca:2f:43:39:59:b2:1e:1b:ea:61:12:e9:02:
+ 1b:0c:1d:95
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/0B.pem b/rpkid/resource-cert-samples/RIR/0B.pem
new file mode 100644
index 00000000..0d858937
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/0B.pem
@@ -0,0 +1,98 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 11 (0xb)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Aug 1 14:09:34 2007 GMT
+ Not After : Jul 31 14:09:34 2008 GMT
+ Subject: CN=TEST ENTITY LIR2
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:f1:18:b6:79:0b:35:c5:83:64:48:83:31:03:9e:
+ e7:72:28:65:b1:ac:61:e1:77:2e:c0:4d:f0:b1:1c:
+ 61:d8:cc:5a:2d:c7:0b:9b:78:7a:3e:fd:37:ad:fa:
+ b0:73:0b:9c:fc:bb:6f:60:ea:38:ef:ae:d1:27:b8:
+ 81:59:0f:b3:e7:d0:67:b2:a2:f5:4f:e2:04:c6:cc:
+ 13:9f:33:28:35:96:7a:db:ce:ac:9d:d3:64:3d:b8:
+ 44:bc:cb:43:22:92:d6:3c:2e:bf:97:6e:39:6a:6e:
+ 68:93:5d:1c:a8:58:b7:a3:7a:26:44:fe:fe:30:ad:
+ e2:05:89:4c:c9:ef:2c:e0:4e:31:69:3f:dd:91:1c:
+ f0:b0:25:4c:3e:84:8a:ea:5e:03:b3:a8:cd:90:1a:
+ 1e:c8:e0:af:fe:11:ed:21:06:bd:3c:5e:08:a1:93:
+ e2:41:43:43:38:d3:21:b3:4c:fa:85:8b:43:57:60:
+ 5d:bb:a0:78:e5:33:47:a8:33:76:be:df:6e:63:61:
+ e3:31:8b:5d:8e:0c:c7:f5:c8:91:0c:be:57:c7:f2:
+ bc:be:0b:ba:7a:1f:f6:19:f1:eb:00:74:c1:12:c2:
+ dc:2b:2e:8d:f0:0a:ff:7f:e8:60:08:90:ba:51:fc:
+ d0:90:11:37:f3:9e:44:b6:64:43:69:5d:61:d3:e1:
+ 8d:77
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 03:7A:DF:0C:DF:DC:93:3D:F7:A5:CC:27:7B:DC:22:F6:E9:55:97:F0
+ X509v3 Authority Key Identifier:
+ keyid:FB:B8:A7:A3:36:48:0A:A0:9F:F0:2E:DC:8B:68:BC:B3:5C:45:25:D7
+
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/LIR2/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/RIR.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64544
+
+ sbgp-ipAddrBlock: critical
+ IPv6:
+ 2001:db8:0:0:0:0:0:44-2001:db8:0:0:0:0:0:100
+ 2001:db8:0:0:0:10:0:44/128
+
+ Signature Algorithm: sha1WithRSAEncryption
+ 98:f6:66:a8:a7:f1:b4:d9:11:3c:57:d8:d6:45:e4:73:8f:ca:
+ a5:e2:1d:d0:7b:46:a0:1a:c5:96:df:3c:f8:6b:1b:07:12:75:
+ 80:74:64:2e:e6:6b:cf:df:25:d5:c9:2f:2e:06:4e:ca:c2:bf:
+ ba:35:0c:ae:ed:27:85:70:8f:2b:7f:71:bf:68:c9:bf:ed:4f:
+ 19:7c:31:69:84:3e:47:1a:05:96:bd:06:16:a9:46:42:98:22:
+ 3c:24:7b:fb:1f:c0:a3:b6:ce:f1:e1:37:d2:d3:52:f9:bc:e4:
+ 6d:30:26:3e:79:70:71:62:85:ad:cf:93:15:97:19:2c:f3:86:
+ 5e:33:13:8e:3d:83:6b:af:5c:b4:2b:f0:9e:fe:cc:1c:8e:79:
+ b6:28:26:5d:9d:4b:84:4b:81:5b:fa:f7:bc:e6:cd:5f:dc:4a:
+ ae:61:eb:83:6d:d1:63:68:f5:de:7f:97:1c:80:9d:43:e1:6b:
+ 6b:6d:43:fb:7a:32:73:26:ab:bb:c2:cf:bd:ae:cf:0a:dd:5b:
+ ee:bc:76:ea:57:0f:ed:9e:43:8d:6a:eb:8a:39:13:1d:13:85:
+ 85:4e:80:73:57:d8:7d:4a:ef:75:3e:cd:70:cc:f6:b0:f6:f9:
+ 5c:9a:50:32:c4:d3:f3:76:07:54:98:54:fa:c1:6a:78:33:36:
+ c6:eb:60:87
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/0C.pem b/rpkid/resource-cert-samples/RIR/0C.pem
new file mode 100644
index 00000000..0e7d6905
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/0C.pem
@@ -0,0 +1,98 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 12 (0xc)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Aug 1 14:09:34 2007 GMT
+ Not After : Jul 31 14:09:34 2008 GMT
+ Subject: CN=TEST ENTITY LIR1
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:af:5d:1c:f9:d9:bb:d5:01:e1:5b:36:cc:51:f6:
+ fd:86:57:60:aa:9e:c7:ec:4e:05:af:fb:51:5c:7a:
+ c2:58:c4:a8:57:ae:14:62:e9:bc:b6:72:7d:cf:49:
+ c8:4a:40:82:4a:f4:3e:30:b5:94:25:9e:6c:78:81:
+ 57:43:d6:85:02:8d:d1:9c:b5:d7:34:2f:e2:a9:7d:
+ 18:27:b5:47:9a:42:16:c8:90:7f:96:2c:dd:b8:98:
+ 17:1f:77:62:4a:08:00:2d:e0:73:0c:39:37:ba:0f:
+ a7:59:59:4c:7c:cd:e2:5c:d7:98:36:10:6c:88:3e:
+ 45:99:a6:88:2f:f6:7f:31:49:ba:42:2b:13:79:c2:
+ b2:f1:09:d9:ad:37:a4:41:b6:6d:46:a1:18:05:a0:
+ 53:07:8e:e0:98:b2:d1:fd:67:68:77:64:d5:f3:fe:
+ 1d:22:36:9e:26:5a:1a:aa:18:94:c3:2c:7e:9a:af:
+ be:2c:9d:5e:75:2c:49:d6:37:2b:06:1f:cc:63:97:
+ 7e:ee:2c:5f:67:af:4d:62:3e:7a:1f:0c:e1:1e:02:
+ f2:d2:06:75:ae:3f:11:bc:8e:0f:13:64:38:14:36:
+ 1d:5d:02:ec:af:65:d5:b9:68:f4:22:66:2b:ef:47:
+ 5b:ad:3b:f2:af:b6:71:0c:94:56:8a:7c:01:36:f0:
+ 3a:3f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 8A:94:17:F9:53:F2:5B:94:54:56:DF:76:51:13:29:F6:71:19:A8:B3
+ X509v3 Authority Key Identifier:
+ keyid:FB:B8:A7:A3:36:48:0A:A0:9F:F0:2E:DC:8B:68:BC:B3:5C:45:25:D7
+
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/LIR1/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/RIR.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64533
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 192.0.2.1-192.0.2.33
+ 192.0.2.44-192.0.2.100
+
+ Signature Algorithm: sha1WithRSAEncryption
+ 4c:57:4d:fd:a9:e6:f1:92:4a:d1:28:22:c5:f2:97:5f:3b:fd:
+ e6:c1:bf:a6:8f:20:43:45:c3:b1:20:ea:d4:9f:2e:6f:2c:0a:
+ 0b:74:d8:87:1e:b3:15:47:1d:78:7d:61:65:ae:2e:38:6e:9b:
+ d6:68:d0:21:21:e5:6c:45:b7:18:95:e4:05:94:52:93:b4:5e:
+ 02:e8:c9:fc:4f:2d:f6:de:3a:9b:35:c2:9e:e5:98:c3:77:40:
+ 41:eb:ca:55:33:5f:74:9a:27:44:b3:37:63:55:ae:1c:f2:26:
+ d7:ae:33:73:53:8a:7d:9f:89:82:19:9e:e1:05:04:a6:6e:ce:
+ 74:b3:aa:46:63:58:79:bf:49:ca:f0:c4:ac:1d:0d:29:bf:e4:
+ 43:66:fc:26:a4:4f:13:55:4f:0b:ae:b1:67:8c:f2:2c:7e:32:
+ 21:80:a6:1d:03:44:9d:50:98:8a:62:3b:ff:88:64:c8:e8:29:
+ ff:8b:dd:53:84:c7:5f:1a:42:12:64:6b:9d:18:c9:1c:6f:aa:
+ 48:cd:68:e3:d9:ed:fd:d9:85:7c:fc:00:8a:5f:8b:27:eb:05:
+ b0:40:f3:4e:f4:d7:17:0c:98:7d:58:f2:8c:0f:d6:8c:70:30:
+ cd:37:2e:bf:00:78:91:a4:ed:4a:61:87:b6:88:bd:bb:22:52:
+ 0f:9f:e1:4d
+-----BEGIN CERTIFICATE-----
+MIID9jCCAt6gAwIBAgIBDDANBgkqhkiG9w0BAQUFADAaMRgwFgYDVQQDEw9URVNU
+IEVOVElUWSBSSVIwHhcNMDcwODAxMTQwOTM0WhcNMDgwNzMxMTQwOTM0WjAbMRkw
+FwYDVQQDExBURVNUIEVOVElUWSBMSVIxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAr10c+dm71QHhWzbMUfb9hldgqp7H7E4Fr/tRXHrCWMSoV64UYum8
+tnJ9z0nISkCCSvQ+MLWUJZ5seIFXQ9aFAo3RnLXXNC/iqX0YJ7VHmkIWyJB/lizd
+uJgXH3diSggALeBzDDk3ug+nWVlMfM3iXNeYNhBsiD5FmaaIL/Z/MUm6QisTecKy
+8QnZrTekQbZtRqEYBaBTB47gmLLR/Wdod2TV8/4dIjaeJloaqhiUwyx+mq++LJ1e
+dSxJ1jcrBh/MY5d+7ixfZ69NYj56HwzhHgLy0gZ1rj8RvI4PE2Q4FDYdXQLsr2XV
+uWj0ImYr70dbrTvyr7ZxDJRWinwBNvA6PwIDAQABo4IBRDCCAUAwDwYDVR0TAQH/
+BAUwAwEB/zAdBgNVHQ4EFgQUipQX+VPyW5RUVt92URMp9nEZqLMwHwYDVR0jBBgw
+FoAU+7inozZICqCf8C7ci2i8s1xFJdcwDgYDVR0PAQH/BAQDAgEGMEEGCCsGAQUF
+BwELBDUwMzAxBggrBgEFBQcwBYYlcnN5bmM6Ly93b21iYXRzLXItdXMuaGFjdHJu
+Lm5ldC9MSVIxLzBDBggrBgEFBQcBAQQ3MDUwMwYIKwYBBQUHMAKGJ3JzeW5jOi8v
+d29tYmF0cy1yLXVzLmhhY3Rybi5uZXQvUklSLmNlcjAaBggrBgEFBQcBCAEB/wQL
+MAmgBzAFAgMA/BUwOQYIKwYBBQUHAQcBAf8EKjAoMCYEAgABMCAwDgMFAMAAAgED
+BQHAAAIgMA4DBQLAAAIsAwUAwAACZDANBgkqhkiG9w0BAQUFAAOCAQEATFdN/anm
+8ZJK0SgixfKXXzv95sG/po8gQ0XDsSDq1J8ubywKC3TYhx6zFUcdeH1hZa4uOG6b
+1mjQISHlbEW3GJXkBZRSk7ReAujJ/E8t9t46mzXCnuWYw3dAQevKVTNfdJonRLM3
+Y1WuHPIm164zc1OKfZ+Jghme4QUEpm7OdLOqRmNYeb9JyvDErB0NKb/kQ2b8JqRP
+E1VPC66xZ4zyLH4yIYCmHQNEnVCYimI7/4hkyOgp/4vdU4THXxpCEmRrnRjJHG+q
+SM1o49nt/dmFfPwAil+LJ+sFsEDzTvTXFwyYfVjyjA/WjHAwzTcuvwB4kaTtSmGH
+toi9uyJSD5/hTQ==
+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/0D.pem b/rpkid/resource-cert-samples/RIR/0D.pem
new file mode 100644
index 00000000..86579fdb
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/0D.pem
@@ -0,0 +1,104 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 13 (0xd)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Aug 1 14:48:16 2007 GMT
+ Not After : Jul 31 14:48:16 2008 GMT
+ Subject: CN=TEST ENTITY RIR
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:ac:a7:26:c4:98:68:99:b6:f2:e7:c5:97:05:7e:
+ f9:d7:f2:ec:39:e6:2b:8e:c2:42:88:b9:8f:22:b6:
+ 3c:59:b0:0e:8a:1d:0e:f8:81:b1:c8:ff:4a:8a:1a:
+ 43:bc:78:91:3e:af:b2:b0:95:60:a9:3e:9d:c2:ff:
+ 99:8f:8f:b6:dc:d8:46:b7:86:35:a6:f6:42:05:c2:
+ c5:9b:84:15:e2:58:0f:70:9c:bc:53:d7:28:76:f8:
+ f2:14:79:22:bd:d6:8b:6c:0e:2b:02:e5:d8:f3:33:
+ fa:16:43:9b:80:87:f9:b2:45:ab:bd:7d:14:b2:24:
+ 2f:41:13:6f:45:c4:dc:f9:4d:7f:d8:d3:e1:aa:5c:
+ 52:9d:c9:7a:38:b7:b0:43:bd:b7:6a:37:43:ec:e7:
+ 34:c4:3b:4c:ca:cc:7b:1f:91:ef:ab:d4:35:76:42:
+ 82:d4:f5:79:e0:12:3c:24:92:2e:dc:a2:5c:83:f0:
+ 71:8a:26:96:30:d4:b8:96:4d:00:2c:1a:f0:0f:79:
+ 52:c7:27:73:54:77:c1:86:f9:86:61:ce:e0:69:a7:
+ a8:3d:77:39:e7:24:ee:41:8d:52:19:3b:57:8c:84:
+ cc:9a:d5:05:7c:e6:83:2c:e3:13:6d:66:1b:87:20:
+ 82:47:e1:05:26:f0:3b:29:69:6d:bc:af:48:91:c4:
+ 40:f1
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ FB:B8:A7:A3:36:48:0A:A0:9F:F0:2E:DC:8B:68:BC:B3:5C:45:25:D7
+ X509v3 Authority Key Identifier:
+ keyid:FB:B8:A7:A3:36:48:0A:A0:9F:F0:2E:DC:8B:68:BC:B3:5C:45:25:D7
+
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/RIR/
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64533-64540
+ 64544
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 10.0.0.0/24
+ 10.3.0.0/24
+ 192.0.2.1-192.0.2.33
+ 192.0.2.44-192.0.2.100
+ IPv6:
+ 2001:db8:0:0:0:0:0:44-2001:db8:0:0:0:0:0:100
+ 2001:db8:0:0:0:0:a00::/120
+ 2001:db8:0:0:0:0:a03::/120
+ 2001:db8:0:0:0:10:0:44/128
+
+ Signature Algorithm: sha1WithRSAEncryption
+ 4c:d4:6d:b2:81:45:07:3e:7b:b4:8b:6c:db:42:2b:30:73:cd:
+ e7:07:39:c3:e6:13:4b:ac:21:33:13:11:00:1c:e6:d1:d4:cf:
+ 96:08:6e:86:7b:41:64:93:88:20:ac:04:81:65:1a:ae:a9:52:
+ be:36:c0:2a:6a:c9:3a:2e:86:83:a2:cc:3e:5d:12:60:49:fb:
+ 48:23:6c:d7:9f:98:fa:b4:b0:d5:48:01:29:74:ca:d1:74:3c:
+ a7:8c:bb:1c:b3:85:90:2a:99:52:9e:e2:31:9a:09:28:2d:d6:
+ ca:eb:f5:c6:da:6f:1b:89:83:eb:b7:d9:6d:56:71:e9:82:8e:
+ b7:84:e1:40:ab:87:15:d2:a6:df:30:11:e1:52:a0:a1:4b:ef:
+ 8e:3a:db:e1:d1:23:74:39:ff:48:d4:4d:2f:74:4e:e3:77:3c:
+ f7:1b:16:0b:b3:1a:c7:46:8b:7c:63:3d:9d:2b:75:82:b7:5c:
+ 9d:7b:df:f9:78:d2:e8:98:48:6c:54:5f:71:2a:a6:95:c6:56:
+ 3e:6c:e2:0c:20:a2:2c:22:f4:1d:3c:05:b2:31:bd:58:f3:23:
+ 60:dd:1d:d2:5e:ab:65:72:06:d2:da:c9:d4:c4:33:c2:b0:7d:
+ 37:13:66:25:b7:28:9b:a3:9c:92:c4:58:b8:02:a2:82:63:fc:
+ a8:93:65:69
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/0E.pem b/rpkid/resource-cert-samples/RIR/0E.pem
new file mode 100644
index 00000000..54acaf38
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/0E.pem
@@ -0,0 +1,101 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 14 (0xe)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Aug 1 14:48:18 2007 GMT
+ Not After : Jul 31 14:48:18 2008 GMT
+ Subject: CN=TEST ENTITY LIR3
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:a3:21:57:61:64:af:11:18:d4:cb:de:a6:dc:ad:
+ d9:2c:0f:0f:58:9f:7e:c8:85:55:11:26:4c:7c:f0:
+ 6b:68:1a:9e:6a:0c:8f:e6:dc:3d:83:58:2a:cc:77:
+ ac:19:73:6f:5a:f3:6e:24:ac:cd:1a:dc:1d:0b:4c:
+ 44:f5:6d:8b:0a:17:3d:86:f9:e8:fe:e6:60:e5:9f:
+ 40:6a:e5:94:e8:9a:56:17:17:1c:ab:c1:8c:37:40:
+ 2b:55:bf:2c:5e:dc:8d:ca:25:7f:8a:5f:ee:fb:16:
+ 86:eb:e0:08:d3:26:e5:e3:70:c5:0c:6b:fb:1b:8f:
+ 6b:5c:f6:e2:4a:58:a5:35:01:ea:05:1b:3e:ce:84:
+ be:b5:3f:6d:18:16:4b:68:e5:79:4c:88:7d:b6:a5:
+ 65:a3:3a:c2:32:dc:ad:8f:8a:05:ee:f6:e9:7a:80:
+ da:12:a9:0f:5a:b5:d2:d3:31:ac:3e:d3:19:25:2d:
+ 28:de:79:6c:ce:fd:77:66:d5:e3:2f:a9:cb:f9:85:
+ 8c:20:bb:a2:86:23:f0:93:95:20:04:78:c7:c7:07:
+ a6:fe:f0:f4:45:bb:cf:78:2b:dd:ce:9c:08:a5:46:
+ 68:10:4c:d7:05:62:6c:86:5a:2d:7f:06:38:c2:4d:
+ bb:44:87:00:43:79:d2:8f:f3:6b:b2:f4:5c:1c:b9:
+ 68:01
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 98:BE:04:FF:80:D1:AB:95:39:AA:3D:F2:0E:67:7D:00:AD:A3:FD:C5
+ X509v3 Authority Key Identifier:
+ keyid:FB:B8:A7:A3:36:48:0A:A0:9F:F0:2E:DC:8B:68:BC:B3:5C:45:25:D7
+
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/LIR3/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/RIR.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64534-64540
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 10.0.0.0/24
+ 10.3.0.0/24
+ IPv6:
+ 2001:db8:0:0:0:0:a00::/120
+ 2001:db8:0:0:0:0:a03::/120
+
+ Signature Algorithm: sha1WithRSAEncryption
+ 48:66:09:ae:e4:52:ea:33:07:a6:92:4f:41:9d:d9:74:ad:24:
+ 17:11:d6:85:88:f2:66:52:e5:61:0e:8e:78:db:56:fb:ab:c8:
+ 31:1b:d1:f2:ec:df:1d:87:80:21:d9:81:9e:c8:00:e8:37:d5:
+ c3:71:26:97:35:15:fe:99:60:41:be:9b:72:e9:91:c1:bf:c8:
+ e3:25:95:f3:95:2b:c4:50:49:8f:a7:2a:ec:9a:d9:f9:b6:27:
+ 77:42:38:aa:20:12:30:56:db:41:f0:c4:d7:75:5a:01:4b:ac:
+ 36:8e:4d:1f:55:fa:24:4e:04:f2:ac:de:9a:4c:3e:9e:a4:b0:
+ fa:84:a8:35:3f:dc:dd:db:2c:74:4e:20:84:a5:17:05:87:8a:
+ 55:ee:4c:ae:59:02:7c:e7:70:32:10:9e:6f:b3:52:ec:48:ff:
+ 47:77:bf:a1:69:f1:5c:55:94:d0:47:ab:3a:34:56:96:a4:64:
+ e9:31:c2:aa:34:d6:a2:51:b2:8c:55:68:8c:5e:7a:d1:8d:43:
+ 89:e8:3e:1b:63:e9:b1:0c:e1:8f:31:0d:2f:5f:dd:1e:e8:78:
+ 41:d4:49:39:ca:a2:73:1e:9a:6f:c0:07:72:99:9e:3c:0b:ee:
+ b9:0b:d8:52:35:4e:19:83:44:ed:d9:de:5a:6b:6d:38:63:4e:
+ 12:45:f0:45
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/0F.pem b/rpkid/resource-cert-samples/RIR/0F.pem
new file mode 100644
index 00000000..1094cb06
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/0F.pem
@@ -0,0 +1,98 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 15 (0xf)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Aug 1 14:48:18 2007 GMT
+ Not After : Jul 31 14:48:18 2008 GMT
+ Subject: CN=TEST ENTITY LIR2
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:f1:18:b6:79:0b:35:c5:83:64:48:83:31:03:9e:
+ e7:72:28:65:b1:ac:61:e1:77:2e:c0:4d:f0:b1:1c:
+ 61:d8:cc:5a:2d:c7:0b:9b:78:7a:3e:fd:37:ad:fa:
+ b0:73:0b:9c:fc:bb:6f:60:ea:38:ef:ae:d1:27:b8:
+ 81:59:0f:b3:e7:d0:67:b2:a2:f5:4f:e2:04:c6:cc:
+ 13:9f:33:28:35:96:7a:db:ce:ac:9d:d3:64:3d:b8:
+ 44:bc:cb:43:22:92:d6:3c:2e:bf:97:6e:39:6a:6e:
+ 68:93:5d:1c:a8:58:b7:a3:7a:26:44:fe:fe:30:ad:
+ e2:05:89:4c:c9:ef:2c:e0:4e:31:69:3f:dd:91:1c:
+ f0:b0:25:4c:3e:84:8a:ea:5e:03:b3:a8:cd:90:1a:
+ 1e:c8:e0:af:fe:11:ed:21:06:bd:3c:5e:08:a1:93:
+ e2:41:43:43:38:d3:21:b3:4c:fa:85:8b:43:57:60:
+ 5d:bb:a0:78:e5:33:47:a8:33:76:be:df:6e:63:61:
+ e3:31:8b:5d:8e:0c:c7:f5:c8:91:0c:be:57:c7:f2:
+ bc:be:0b:ba:7a:1f:f6:19:f1:eb:00:74:c1:12:c2:
+ dc:2b:2e:8d:f0:0a:ff:7f:e8:60:08:90:ba:51:fc:
+ d0:90:11:37:f3:9e:44:b6:64:43:69:5d:61:d3:e1:
+ 8d:77
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 03:7A:DF:0C:DF:DC:93:3D:F7:A5:CC:27:7B:DC:22:F6:E9:55:97:F0
+ X509v3 Authority Key Identifier:
+ keyid:FB:B8:A7:A3:36:48:0A:A0:9F:F0:2E:DC:8B:68:BC:B3:5C:45:25:D7
+
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/LIR2/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/RIR.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64544
+
+ sbgp-ipAddrBlock: critical
+ IPv6:
+ 2001:db8:0:0:0:0:0:44-2001:db8:0:0:0:0:0:100
+ 2001:db8:0:0:0:10:0:44/128
+
+ Signature Algorithm: sha1WithRSAEncryption
+ 1b:9a:85:77:61:fe:eb:5a:f8:ef:ad:5d:4d:79:4b:09:b3:c9:
+ 3e:46:f2:cf:4f:0c:26:28:7c:ec:72:da:17:6e:a0:2a:f2:4b:
+ 0f:af:e6:2e:b5:d7:2d:03:ae:8c:13:65:ec:cb:c2:4a:02:8f:
+ 81:60:44:60:eb:d2:d2:22:12:63:04:8c:6d:56:5a:c2:b8:f6:
+ c8:f5:17:99:69:25:bd:3e:1d:2a:ef:ce:51:48:4a:67:d0:b4:
+ ee:64:99:35:42:10:26:88:ac:e0:26:c8:27:cc:89:30:40:18:
+ 72:9c:82:03:ea:62:9d:83:c9:ab:c8:32:0a:59:98:50:0c:50:
+ 23:5a:93:ff:43:ba:08:b3:7d:61:d5:ed:a4:42:f2:cf:ab:2e:
+ 62:6b:67:bd:06:74:2c:bc:b7:b1:7e:1b:f4:c9:e4:40:94:ec:
+ 14:55:04:54:ce:44:26:d0:93:e3:ff:e2:e2:a2:a4:3f:44:87:
+ 7a:c2:29:a3:48:5f:12:1d:e4:eb:18:b3:1f:30:f4:e6:d3:a7:
+ 5a:7c:73:da:0a:8f:1e:29:63:cb:b6:16:2e:fe:76:84:93:88:
+ a1:72:83:4d:3d:8d:16:ef:16:df:c7:c6:d7:67:00:68:ec:4d:
+ b8:ed:b8:ff:3e:bf:c9:d5:3a:34:cf:4c:c0:7b:6e:11:60:46:
+ 25:91:d8:ad
+-----BEGIN CERTIFICATE-----
+MIIEETCCAvmgAwIBAgIBDzANBgkqhkiG9w0BAQUFADAaMRgwFgYDVQQDEw9URVNU
+IEVOVElUWSBSSVIwHhcNMDcwODAxMTQ0ODE4WhcNMDgwNzMxMTQ0ODE4WjAbMRkw
+FwYDVQQDExBURVNUIEVOVElUWSBMSVIyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEA8Ri2eQs1xYNkSIMxA57ncihlsaxh4XcuwE3wsRxh2MxaLccLm3h6
+Pv03rfqwcwuc/LtvYOo4767RJ7iBWQ+z59BnsqL1T+IExswTnzMoNZZ6286sndNk
+PbhEvMtDIpLWPC6/l245am5ok10cqFi3o3omRP7+MK3iBYlMye8s4E4xaT/dkRzw
+sCVMPoSK6l4Ds6jNkBoeyOCv/hHtIQa9PF4IoZPiQUNDONMhs0z6hYtDV2Bdu6B4
+5TNHqDN2vt9uY2HjMYtdjgzH9ciRDL5Xx/K8vgu6eh/2GfHrAHTBEsLcKy6N8Ar/
+f+hgCJC6UfzQkBE3855EtmRDaV1h0+GNdwIDAQABo4IBXzCCAVswDwYDVR0TAQH/
+BAUwAwEB/zAdBgNVHQ4EFgQUA3rfDN/ckz33pcwne9wi9ulVl/AwHwYDVR0jBBgw
+FoAU+7inozZICqCf8C7ci2i8s1xFJdcwDgYDVR0PAQH/BAQDAgEGMEEGCCsGAQUF
+BwELBDUwMzAxBggrBgEFBQcwBYYlcnN5bmM6Ly93b21iYXRzLXItdXMuaGFjdHJu
+Lm5ldC9MSVIyLzBDBggrBgEFBQcBAQQ3MDUwMwYIKwYBBQUHMAKGJ3JzeW5jOi8v
+d29tYmF0cy1yLXVzLmhhY3Rybi5uZXQvUklSLmNlcjAaBggrBgEFBQcBCAEB/wQL
+MAmgBzAFAgMA/CAwVAYIKwYBBQUHAQcBAf8ERTBDMEEEAgACMDswJgMRAiABDbgA
+AAAAAAAAAAAAAEQDEQAgAQ24AAAAAAAAAAAAAAEAAxEAIAENuAAAAAAAAAAQAAAA
+RDANBgkqhkiG9w0BAQUFAAOCAQEAG5qFd2H+61r4761dTXlLCbPJPkbyz08MJih8
+7HLaF26gKvJLD6/mLrXXLQOujBNl7MvCSgKPgWBEYOvS0iISYwSMbVZawrj2yPUX
+mWklvT4dKu/OUUhKZ9C07mSZNUIQJois4CbIJ8yJMEAYcpyCA+pinYPJq8gyClmY
+UAxQI1qT/0O6CLN9YdXtpELyz6suYmtnvQZ0LLy3sX4b9MnkQJTsFFUEVM5EJtCT
+4//i4qKkP0SHesIpo0hfEh3k6xizHzD05tOnWnxz2gqPHiljy7YWLv52hJOIoXKD
+TT2NFu8W38fG12cAaOxNuO24/z6/ydU6NM9MwHtuEWBGJZHYrQ==
+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/10.pem b/rpkid/resource-cert-samples/RIR/10.pem
new file mode 100644
index 00000000..64f73b83
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/10.pem
@@ -0,0 +1,98 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 16 (0x10)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Aug 1 14:48:18 2007 GMT
+ Not After : Jul 31 14:48:18 2008 GMT
+ Subject: CN=TEST ENTITY LIR1
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:af:5d:1c:f9:d9:bb:d5:01:e1:5b:36:cc:51:f6:
+ fd:86:57:60:aa:9e:c7:ec:4e:05:af:fb:51:5c:7a:
+ c2:58:c4:a8:57:ae:14:62:e9:bc:b6:72:7d:cf:49:
+ c8:4a:40:82:4a:f4:3e:30:b5:94:25:9e:6c:78:81:
+ 57:43:d6:85:02:8d:d1:9c:b5:d7:34:2f:e2:a9:7d:
+ 18:27:b5:47:9a:42:16:c8:90:7f:96:2c:dd:b8:98:
+ 17:1f:77:62:4a:08:00:2d:e0:73:0c:39:37:ba:0f:
+ a7:59:59:4c:7c:cd:e2:5c:d7:98:36:10:6c:88:3e:
+ 45:99:a6:88:2f:f6:7f:31:49:ba:42:2b:13:79:c2:
+ b2:f1:09:d9:ad:37:a4:41:b6:6d:46:a1:18:05:a0:
+ 53:07:8e:e0:98:b2:d1:fd:67:68:77:64:d5:f3:fe:
+ 1d:22:36:9e:26:5a:1a:aa:18:94:c3:2c:7e:9a:af:
+ be:2c:9d:5e:75:2c:49:d6:37:2b:06:1f:cc:63:97:
+ 7e:ee:2c:5f:67:af:4d:62:3e:7a:1f:0c:e1:1e:02:
+ f2:d2:06:75:ae:3f:11:bc:8e:0f:13:64:38:14:36:
+ 1d:5d:02:ec:af:65:d5:b9:68:f4:22:66:2b:ef:47:
+ 5b:ad:3b:f2:af:b6:71:0c:94:56:8a:7c:01:36:f0:
+ 3a:3f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 8A:94:17:F9:53:F2:5B:94:54:56:DF:76:51:13:29:F6:71:19:A8:B3
+ X509v3 Authority Key Identifier:
+ keyid:FB:B8:A7:A3:36:48:0A:A0:9F:F0:2E:DC:8B:68:BC:B3:5C:45:25:D7
+
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/LIR1/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/RIR.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64533
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 192.0.2.1-192.0.2.33
+ 192.0.2.44-192.0.2.100
+
+ Signature Algorithm: sha1WithRSAEncryption
+ 72:7d:dd:a4:60:23:71:e4:99:28:0b:9a:ba:5c:d3:97:4b:72:
+ eb:89:81:3c:11:85:8c:25:ed:79:b2:50:a5:e8:ae:0e:37:74:
+ f9:2c:a1:be:96:83:35:40:0d:36:f9:32:16:74:25:9c:f7:0f:
+ cd:46:47:8e:b9:cd:ac:0c:7e:d3:ac:84:5e:f6:31:f4:a9:f2:
+ 05:cd:82:d7:e0:d7:3b:24:9b:c7:15:d1:db:9d:c2:1d:92:f7:
+ 19:a9:b8:a1:67:0a:fb:3d:23:3a:05:83:29:05:50:e3:00:27:
+ a9:80:fe:bb:51:f1:3e:3b:0c:98:ae:f1:ee:d1:13:72:46:64:
+ 8f:4b:32:4e:cf:64:cf:1a:a5:b1:34:a6:f0:5f:18:f8:44:bb:
+ 13:ea:8d:5f:24:7d:3b:15:60:8e:be:f4:bd:d8:04:a7:d0:10:
+ 7e:d3:10:67:bf:35:49:c9:56:cf:b7:8b:7b:9b:17:0b:54:ee:
+ 21:cb:75:b0:3e:8d:b2:c1:c6:7c:26:b1:7c:58:a9:4a:31:24:
+ cd:e5:3f:a5:9a:1d:7d:11:14:41:2a:e5:55:b6:db:f4:75:34:
+ 37:9f:5e:1d:f1:86:2a:f6:74:be:88:e1:b9:63:ce:ad:5c:e9:
+ 3c:91:8a:4c:8d:b4:69:03:e7:f9:52:79:28:7d:cd:7f:52:02:
+ 49:ae:d5:c7
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/11.pem b/rpkid/resource-cert-samples/RIR/11.pem
new file mode 100644
index 00000000..f8e33d59
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/11.pem
@@ -0,0 +1,100 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 17 (0x11)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Aug 9 23:30:59 2007 GMT
+ Not After : Aug 8 23:30:59 2008 GMT
+ Subject: CN=TEST ENTITY RIR
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:ac:a7:26:c4:98:68:99:b6:f2:e7:c5:97:05:7e:
+ f9:d7:f2:ec:39:e6:2b:8e:c2:42:88:b9:8f:22:b6:
+ 3c:59:b0:0e:8a:1d:0e:f8:81:b1:c8:ff:4a:8a:1a:
+ 43:bc:78:91:3e:af:b2:b0:95:60:a9:3e:9d:c2:ff:
+ 99:8f:8f:b6:dc:d8:46:b7:86:35:a6:f6:42:05:c2:
+ c5:9b:84:15:e2:58:0f:70:9c:bc:53:d7:28:76:f8:
+ f2:14:79:22:bd:d6:8b:6c:0e:2b:02:e5:d8:f3:33:
+ fa:16:43:9b:80:87:f9:b2:45:ab:bd:7d:14:b2:24:
+ 2f:41:13:6f:45:c4:dc:f9:4d:7f:d8:d3:e1:aa:5c:
+ 52:9d:c9:7a:38:b7:b0:43:bd:b7:6a:37:43:ec:e7:
+ 34:c4:3b:4c:ca:cc:7b:1f:91:ef:ab:d4:35:76:42:
+ 82:d4:f5:79:e0:12:3c:24:92:2e:dc:a2:5c:83:f0:
+ 71:8a:26:96:30:d4:b8:96:4d:00:2c:1a:f0:0f:79:
+ 52:c7:27:73:54:77:c1:86:f9:86:61:ce:e0:69:a7:
+ a8:3d:77:39:e7:24:ee:41:8d:52:19:3b:57:8c:84:
+ cc:9a:d5:05:7c:e6:83:2c:e3:13:6d:66:1b:87:20:
+ 82:47:e1:05:26:f0:3b:29:69:6d:bc:af:48:91:c4:
+ 40:f1
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ FB:B8:A7:A3:36:48:0A:A0:9F:F0:2E:DC:8B:68:BC:B3:5C:45:25:D7
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/RIR/
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64533-64540
+ 64544
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 10.0.0.0/24
+ 10.3.0.0/24
+ 192.0.2.1-192.0.2.33
+ 192.0.2.44-192.0.2.100
+ IPv6:
+ 2001:db8:0:0:0:0:0:44-2001:db8:0:0:0:0:0:100
+ 2001:db8:0:0:0:0:a00::/120
+ 2001:db8:0:0:0:0:a03::/120
+ 2001:db8:0:0:0:10:0:44/128
+
+ Signature Algorithm: sha1WithRSAEncryption
+ 7b:22:d4:c2:f4:0b:74:d7:34:f4:f0:42:fa:cd:94:79:82:c3:
+ 12:dd:34:a3:e1:16:ea:de:f4:f6:b4:4d:fc:93:0e:f6:6f:7a:
+ e1:f9:bc:66:ee:56:b3:5b:28:36:ca:e8:0d:25:5b:62:31:c8:
+ 55:21:3f:4a:59:e7:cd:68:c7:6b:7c:e9:33:00:d2:59:80:23:
+ d8:58:17:e5:c6:3a:a3:d6:c3:fa:27:b2:12:9e:13:58:c3:37:
+ c2:c9:e9:d0:aa:4c:d4:82:e5:ce:ba:cc:11:d9:6d:95:24:04:
+ 75:bc:1c:56:57:2d:5f:90:19:54:38:06:13:fa:3f:b1:b4:8c:
+ 83:6c:2e:8a:e1:ca:e8:c0:6b:5c:2b:36:c5:9d:f0:65:1d:f2:
+ ab:97:77:20:5b:28:13:8f:d7:b4:1e:c3:89:5d:0f:03:fb:2c:
+ 9e:ac:59:98:ca:62:9c:cf:63:a3:ed:31:dd:0f:8f:d0:26:e8:
+ 40:bc:94:7c:b0:e6:44:07:7f:59:19:9d:1a:f7:04:d7:05:d9:
+ fc:0d:16:16:66:9c:2b:cd:87:dc:00:02:f1:e8:48:de:5f:8f:
+ b4:3e:22:fb:74:3b:7f:cb:90:7f:d6:6c:1d:26:65:e2:cc:55:
+ 3a:07:01:6c:48:61:7a:d4:55:09:c1:13:bb:ed:f5:69:e6:ba:
+ b6:80:9d:e5
+-----BEGIN CERTIFICATE-----
+MIIEEDCCAvigAwIBAgIBETANBgkqhkiG9w0BAQUFADAaMRgwFgYDVQQDEw9URVNU
+IEVOVElUWSBSSVIwHhcNMDcwODA5MjMzMDU5WhcNMDgwODA4MjMzMDU5WjAaMRgw
+FgYDVQQDEw9URVNUIEVOVElUWSBSSVIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCspybEmGiZtvLnxZcFfvnX8uw55iuOwkKIuY8itjxZsA6KHQ74gbHI
+/0qKGkO8eJE+r7KwlWCpPp3C/5mPj7bc2Ea3hjWm9kIFwsWbhBXiWA9wnLxT1yh2
++PIUeSK91otsDisC5djzM/oWQ5uAh/myRau9fRSyJC9BE29FxNz5TX/Y0+GqXFKd
+yXo4t7BDvbdqN0Ps5zTEO0zKzHsfke+r1DV2QoLU9XngEjwkki7colyD8HGKJpYw
+1LiWTQAsGvAPeVLHJ3NUd8GG+YZhzuBpp6g9dznnJO5BjVIZO1eMhMya1QV85oMs
+4xNtZhuHIIJH4QUm8DspaW28r0iRxEDxAgMBAAGjggFfMIIBWzAPBgNVHRMBAf8E
+BTADAQH/MB0GA1UdDgQWBBT7uKejNkgKoJ/wLtyLaLyzXEUl1zAOBgNVHQ8BAf8E
+BAMCAQYwQAYIKwYBBQUHAQsENDAyMDAGCCsGAQUFBzAFhiRyc3luYzovL3dvbWJh
+dHMtci11cy5oYWN0cm4ubmV0L1JJUi8wJgYIKwYBBQUHAQgBAf8EFzAVoBMwETAK
+AgMA/BUCAwD8HAIDAPwgMIGuBggrBgEFBQcBBwEB/wSBnjCBmzAyBAIAATAsAwQA
+CgAAAwQACgMAMA4DBQDAAAIBAwUBwAACIDAOAwUCwAACLAMFAMAAAmQwZQQCAAIw
+XzAmAxECIAENuAAAAAAAAAAAAAAARAMRACABDbgAAAAAAAAAAAAAAQADEAAgAQ24
+AAAAAAAAAAAKAAADEAAgAQ24AAAAAAAAAAAKAwADEQAgAQ24AAAAAAAAABAAAABE
+MA0GCSqGSIb3DQEBBQUAA4IBAQB7ItTC9At01zT08EL6zZR5gsMS3TSj4Rbq3vT2
+tE38kw72b3rh+bxm7lazWyg2yugNJVtiMchVIT9KWefNaMdrfOkzANJZgCPYWBfl
+xjqj1sP6J7ISnhNYwzfCyenQqkzUguXOuswR2W2VJAR1vBxWVy1fkBlUOAYT+j+x
+tIyDbC6K4crowGtcKzbFnfBlHfKrl3cgWygTj9e0HsOJXQ8D+yyerFmYymKcz2Oj
+7THdD4/QJuhAvJR8sOZEB39ZGZ0a9wTXBdn8DRYWZpwrzYfcAALx6EjeX4+0PiL7
+dDt/y5B/1mwdJmXizFU6BwFsSGF61FUJwRO77fVp5rq2gJ3l
+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/12.pem b/rpkid/resource-cert-samples/RIR/12.pem
new file mode 100644
index 00000000..71bb1954
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/12.pem
@@ -0,0 +1,100 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 18 (0x12)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Aug 9 23:35:48 2007 GMT
+ Not After : Aug 8 23:35:48 2008 GMT
+ Subject: CN=TEST ENTITY RIR
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:ac:a7:26:c4:98:68:99:b6:f2:e7:c5:97:05:7e:
+ f9:d7:f2:ec:39:e6:2b:8e:c2:42:88:b9:8f:22:b6:
+ 3c:59:b0:0e:8a:1d:0e:f8:81:b1:c8:ff:4a:8a:1a:
+ 43:bc:78:91:3e:af:b2:b0:95:60:a9:3e:9d:c2:ff:
+ 99:8f:8f:b6:dc:d8:46:b7:86:35:a6:f6:42:05:c2:
+ c5:9b:84:15:e2:58:0f:70:9c:bc:53:d7:28:76:f8:
+ f2:14:79:22:bd:d6:8b:6c:0e:2b:02:e5:d8:f3:33:
+ fa:16:43:9b:80:87:f9:b2:45:ab:bd:7d:14:b2:24:
+ 2f:41:13:6f:45:c4:dc:f9:4d:7f:d8:d3:e1:aa:5c:
+ 52:9d:c9:7a:38:b7:b0:43:bd:b7:6a:37:43:ec:e7:
+ 34:c4:3b:4c:ca:cc:7b:1f:91:ef:ab:d4:35:76:42:
+ 82:d4:f5:79:e0:12:3c:24:92:2e:dc:a2:5c:83:f0:
+ 71:8a:26:96:30:d4:b8:96:4d:00:2c:1a:f0:0f:79:
+ 52:c7:27:73:54:77:c1:86:f9:86:61:ce:e0:69:a7:
+ a8:3d:77:39:e7:24:ee:41:8d:52:19:3b:57:8c:84:
+ cc:9a:d5:05:7c:e6:83:2c:e3:13:6d:66:1b:87:20:
+ 82:47:e1:05:26:f0:3b:29:69:6d:bc:af:48:91:c4:
+ 40:f1
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ FB:B8:A7:A3:36:48:0A:A0:9F:F0:2E:DC:8B:68:BC:B3:5C:45:25:D7
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/RIR/
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64533-64540
+ 64544
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 10.0.0.0/24
+ 10.3.0.0/24
+ 192.0.2.1-192.0.2.33
+ 192.0.2.44-192.0.2.100
+ IPv6:
+ 2001:db8:0:0:0:0:0:44-2001:db8:0:0:0:0:0:100
+ 2001:db8:0:0:0:0:a00::/120
+ 2001:db8:0:0:0:0:a03::/120
+ 2001:db8:0:0:0:10:0:44/128
+
+ Signature Algorithm: sha1WithRSAEncryption
+ 80:5c:c5:27:3a:5d:bb:11:2c:ec:b4:89:ab:3f:79:a7:31:ef:
+ 7f:ed:93:75:2c:9d:4b:5c:f1:28:38:3e:cc:c4:98:e5:81:01:
+ db:e1:61:5c:37:0a:3f:91:52:34:a5:6b:28:8c:b7:ae:38:95:
+ a7:67:26:39:b2:43:cb:a5:db:fc:4f:12:6c:f4:69:82:ab:80:
+ 9c:8f:aa:d9:21:6e:3e:e1:f5:78:f4:59:d0:2e:97:1d:23:3d:
+ 27:86:70:5b:b7:59:e7:98:1c:ae:19:42:e8:65:ef:eb:bf:6c:
+ f8:94:6a:27:b9:11:5e:81:b6:ee:5f:10:ae:9f:b7:30:50:30:
+ e6:84:5c:90:ef:3d:24:e7:6a:20:5c:d2:4c:96:66:28:15:46:
+ 40:63:00:65:96:a5:5f:78:2a:66:d2:16:b1:86:77:e0:39:7d:
+ fc:14:e1:bc:54:5b:b1:08:65:aa:f1:1b:39:2f:bf:ca:07:a0:
+ ab:e7:e4:b0:8c:cb:48:c7:44:94:ff:04:a4:c9:85:6d:40:ca:
+ 8f:0c:01:e6:11:f6:eb:07:96:b5:83:15:87:27:88:72:b3:d9:
+ 41:4e:d0:f0:88:1a:17:10:72:89:85:c0:12:79:c1:5c:07:bb:
+ d7:39:ef:ce:49:85:11:62:01:50:71:91:b9:e3:7e:45:a8:45:
+ d6:d0:a9:3a
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/13.pem b/rpkid/resource-cert-samples/RIR/13.pem
new file mode 100644
index 00000000..3b1e67f4
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/13.pem
@@ -0,0 +1,79 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 19 (0x13)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Aug 10 00:58:17 2007 GMT
+ Not After : Aug 9 00:58:17 2008 GMT
+ Subject: CN=TEST ENTITY RIR
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:ac:a7:26:c4:98:68:99:b6:f2:e7:c5:97:05:7e:
+ f9:d7:f2:ec:39:e6:2b:8e:c2:42:88:b9:8f:22:b6:
+ 3c:59:b0:0e:8a:1d:0e:f8:81:b1:c8:ff:4a:8a:1a:
+ 43:bc:78:91:3e:af:b2:b0:95:60:a9:3e:9d:c2:ff:
+ 99:8f:8f:b6:dc:d8:46:b7:86:35:a6:f6:42:05:c2:
+ c5:9b:84:15:e2:58:0f:70:9c:bc:53:d7:28:76:f8:
+ f2:14:79:22:bd:d6:8b:6c:0e:2b:02:e5:d8:f3:33:
+ fa:16:43:9b:80:87:f9:b2:45:ab:bd:7d:14:b2:24:
+ 2f:41:13:6f:45:c4:dc:f9:4d:7f:d8:d3:e1:aa:5c:
+ 52:9d:c9:7a:38:b7:b0:43:bd:b7:6a:37:43:ec:e7:
+ 34:c4:3b:4c:ca:cc:7b:1f:91:ef:ab:d4:35:76:42:
+ 82:d4:f5:79:e0:12:3c:24:92:2e:dc:a2:5c:83:f0:
+ 71:8a:26:96:30:d4:b8:96:4d:00:2c:1a:f0:0f:79:
+ 52:c7:27:73:54:77:c1:86:f9:86:61:ce:e0:69:a7:
+ a8:3d:77:39:e7:24:ee:41:8d:52:19:3b:57:8c:84:
+ cc:9a:d5:05:7c:e6:83:2c:e3:13:6d:66:1b:87:20:
+ 82:47:e1:05:26:f0:3b:29:69:6d:bc:af:48:91:c4:
+ 40:f1
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ FB:B8:A7:A3:36:48:0A:A0:9F:F0:2E:DC:8B:68:BC:B3:5C:45:25:D7
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/RIR/
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 62:6a:d0:3e:02:bf:ad:3c:e5:c9:23:1f:66:6d:cc:80:59:a5:
+ 64:61:f2:20:64:bc:91:5d:76:d9:ce:6e:db:d1:c0:89:77:9d:
+ cc:a6:e2:4a:43:0e:bb:f3:36:60:3f:1d:b7:9a:38:ad:10:e0:
+ 89:82:61:c7:4a:48:70:c3:03:73:ae:ab:37:31:0c:36:cc:46:
+ 12:ea:54:3d:03:d6:ba:4c:d6:cf:73:ea:90:4c:37:da:a3:f6:
+ b6:f3:af:d8:a7:82:e7:1a:7b:05:23:77:20:52:b3:53:64:d0:
+ bd:24:83:21:49:2f:30:fc:12:3b:fa:73:c3:c9:de:3f:af:bb:
+ 5e:ed:b3:bf:9b:9e:71:83:37:f1:98:e3:77:e1:72:4f:1d:c6:
+ 7b:59:32:34:f7:e4:76:70:52:41:72:97:bb:61:c0:c8:26:ac:
+ 28:6e:e7:ef:f8:6c:ea:b2:4c:62:d0:28:5e:6c:50:94:09:a1:
+ d4:ab:0c:d3:b3:d1:4a:ea:ef:33:ed:08:43:54:71:fb:6d:40:
+ c8:dc:75:84:28:ff:4e:47:2c:08:54:72:40:af:cc:94:00:a8:
+ 9f:8e:d9:35:64:49:f1:db:69:a8:d5:71:86:41:46:e0:27:62:
+ 50:a4:0a:1e:f5:99:b4:d8:db:1c:4f:8b:af:51:4d:80:2b:af:
+ e3:b6:b0:6b
+-----BEGIN CERTIFICATE-----
+MIIDNTCCAh2gAwIBAgIBEzANBgkqhkiG9w0BAQsFADAaMRgwFgYDVQQDEw9URVNU
+IEVOVElUWSBSSVIwHhcNMDcwODEwMDA1ODE3WhcNMDgwODA5MDA1ODE3WjAaMRgw
+FgYDVQQDEw9URVNUIEVOVElUWSBSSVIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCspybEmGiZtvLnxZcFfvnX8uw55iuOwkKIuY8itjxZsA6KHQ74gbHI
+/0qKGkO8eJE+r7KwlWCpPp3C/5mPj7bc2Ea3hjWm9kIFwsWbhBXiWA9wnLxT1yh2
++PIUeSK91otsDisC5djzM/oWQ5uAh/myRau9fRSyJC9BE29FxNz5TX/Y0+GqXFKd
+yXo4t7BDvbdqN0Ps5zTEO0zKzHsfke+r1DV2QoLU9XngEjwkki7colyD8HGKJpYw
+1LiWTQAsGvAPeVLHJ3NUd8GG+YZhzuBpp6g9dznnJO5BjVIZO1eMhMya1QV85oMs
+4xNtZhuHIIJH4QUm8DspaW28r0iRxEDxAgMBAAGjgYUwgYIwDwYDVR0TAQH/BAUw
+AwEB/zAdBgNVHQ4EFgQU+7inozZICqCf8C7ci2i8s1xFJdcwDgYDVR0PAQH/BAQD
+AgEGMEAGCCsGAQUFBwELBDQwMjAwBggrBgEFBQcwBYYkcnN5bmM6Ly93b21iYXRz
+LXItdXMuaGFjdHJuLm5ldC9SSVIvMA0GCSqGSIb3DQEBCwUAA4IBAQBiatA+Ar+t
+POXJIx9mbcyAWaVkYfIgZLyRXXbZzm7b0cCJd53MpuJKQw678zZgPx23mjitEOCJ
+gmHHSkhwwwNzrqs3MQw2zEYS6lQ9A9a6TNbPc+qQTDfao/a286/Yp4LnGnsFI3cg
+UrNTZNC9JIMhSS8w/BI7+nPDyd4/r7te7bO/m55xgzfxmON34XJPHcZ7WTI09+R2
+cFJBcpe7YcDIJqwobufv+Gzqskxi0ChebFCUCaHUqwzTs9FK6u8z7QhDVHH7bUDI
+3HWEKP9ORywIVHJAr8yUAKifjtk1ZEnx22mo1XGGQUbgJ2JQpAoe9Zm02NscT4uv
+UU2AK6/jtrBr
+-----END CERTIFICATE-----
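Review bot: 13.pem has no sbgp-autonomousSysNum or sbgp-ipAddrBlock extension, and 14.pem, 15.pem and 16.pem likewise carry none while also omitting the Authority Key Identifier and Authority Information Access that 0E.pem, 0F.pem and 10.pem include for the same LIR subjects. Under resource-cert-samples/, a test that loads every file as a positive sample would be exercising certificates that hold no resources and, for 14–16, cannot be chained to the issuer by key identifier. These look like outputs from a run made before the extension sections were restored for sha256 (17.pem has the resource extensions again), though that is inferred only from serial order and timestamps. If the files are kept, state their status in the free text ahead of the PEM block, e.g. `Sample note: issued without RFC 3779 extensions; not a valid resource certificate.`, or in a short README listing which serials are expected to validate.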
diff --git a/rpkid/resource-cert-samples/RIR/14.pem b/rpkid/resource-cert-samples/RIR/14.pem
new file mode 100644
index 00000000..430d3895
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/14.pem
@@ -0,0 +1,79 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 20 (0x14)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Aug 10 00:58:17 2007 GMT
+ Not After : Aug 9 00:58:17 2008 GMT
+ Subject: CN=TEST ENTITY LIR3
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:a3:21:57:61:64:af:11:18:d4:cb:de:a6:dc:ad:
+ d9:2c:0f:0f:58:9f:7e:c8:85:55:11:26:4c:7c:f0:
+ 6b:68:1a:9e:6a:0c:8f:e6:dc:3d:83:58:2a:cc:77:
+ ac:19:73:6f:5a:f3:6e:24:ac:cd:1a:dc:1d:0b:4c:
+ 44:f5:6d:8b:0a:17:3d:86:f9:e8:fe:e6:60:e5:9f:
+ 40:6a:e5:94:e8:9a:56:17:17:1c:ab:c1:8c:37:40:
+ 2b:55:bf:2c:5e:dc:8d:ca:25:7f:8a:5f:ee:fb:16:
+ 86:eb:e0:08:d3:26:e5:e3:70:c5:0c:6b:fb:1b:8f:
+ 6b:5c:f6:e2:4a:58:a5:35:01:ea:05:1b:3e:ce:84:
+ be:b5:3f:6d:18:16:4b:68:e5:79:4c:88:7d:b6:a5:
+ 65:a3:3a:c2:32:dc:ad:8f:8a:05:ee:f6:e9:7a:80:
+ da:12:a9:0f:5a:b5:d2:d3:31:ac:3e:d3:19:25:2d:
+ 28:de:79:6c:ce:fd:77:66:d5:e3:2f:a9:cb:f9:85:
+ 8c:20:bb:a2:86:23:f0:93:95:20:04:78:c7:c7:07:
+ a6:fe:f0:f4:45:bb:cf:78:2b:dd:ce:9c:08:a5:46:
+ 68:10:4c:d7:05:62:6c:86:5a:2d:7f:06:38:c2:4d:
+ bb:44:87:00:43:79:d2:8f:f3:6b:b2:f4:5c:1c:b9:
+ 68:01
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 98:BE:04:FF:80:D1:AB:95:39:AA:3D:F2:0E:67:7D:00:AD:A3:FD:C5
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/LIR3/
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 5a:9b:65:02:d5:6c:fc:4f:b2:df:3b:a8:a2:44:3b:fd:bc:4d:
+ 9f:32:30:e7:4f:e6:44:37:3f:35:68:d0:7e:ee:a5:cc:6e:0a:
+ 79:2d:6a:2d:35:45:13:ed:f8:67:fb:5b:41:fa:00:04:f5:28:
+ d4:72:0e:fe:05:d6:76:20:cf:4b:15:13:05:6c:9f:aa:05:8c:
+ 77:eb:e7:1d:57:ed:32:11:45:ba:3e:e8:53:68:85:98:bd:bf:
+ 56:7e:04:85:f1:7f:70:ba:e8:16:03:46:ff:c5:be:df:42:79:
+ 57:01:2f:1a:e2:bc:6b:79:3e:fa:79:ec:08:ca:7d:32:02:0c:
+ 94:47:9e:c8:01:60:de:b9:43:76:be:22:64:89:47:d7:b9:63:
+ 9f:1d:7d:c8:93:e6:48:2a:a6:f7:51:9c:bd:06:8a:c9:01:5d:
+ 51:83:85:09:1a:18:03:49:10:e9:fa:80:0a:d1:7c:2c:69:c0:
+ 6b:53:e6:97:24:cd:f1:ad:e2:b6:5f:ac:72:28:0c:e8:cb:ab:
+ 00:15:29:9e:cb:af:74:1e:dc:3b:c6:24:bc:2d:50:e3:12:fc:
+ 00:63:ec:b6:09:c9:27:33:d6:42:a2:87:d4:35:48:63:16:1a:
+ e0:f7:50:ed:e3:d9:11:d9:f1:1c:cd:a5:21:e0:56:ad:4d:fc:
+ da:a6:97:e9
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/15.pem b/rpkid/resource-cert-samples/RIR/15.pem
new file mode 100644
index 00000000..625589ac
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/15.pem
@@ -0,0 +1,79 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 21 (0x15)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Aug 10 00:58:17 2007 GMT
+ Not After : Aug 9 00:58:17 2008 GMT
+ Subject: CN=TEST ENTITY LIR2
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:f1:18:b6:79:0b:35:c5:83:64:48:83:31:03:9e:
+ e7:72:28:65:b1:ac:61:e1:77:2e:c0:4d:f0:b1:1c:
+ 61:d8:cc:5a:2d:c7:0b:9b:78:7a:3e:fd:37:ad:fa:
+ b0:73:0b:9c:fc:bb:6f:60:ea:38:ef:ae:d1:27:b8:
+ 81:59:0f:b3:e7:d0:67:b2:a2:f5:4f:e2:04:c6:cc:
+ 13:9f:33:28:35:96:7a:db:ce:ac:9d:d3:64:3d:b8:
+ 44:bc:cb:43:22:92:d6:3c:2e:bf:97:6e:39:6a:6e:
+ 68:93:5d:1c:a8:58:b7:a3:7a:26:44:fe:fe:30:ad:
+ e2:05:89:4c:c9:ef:2c:e0:4e:31:69:3f:dd:91:1c:
+ f0:b0:25:4c:3e:84:8a:ea:5e:03:b3:a8:cd:90:1a:
+ 1e:c8:e0:af:fe:11:ed:21:06:bd:3c:5e:08:a1:93:
+ e2:41:43:43:38:d3:21:b3:4c:fa:85:8b:43:57:60:
+ 5d:bb:a0:78:e5:33:47:a8:33:76:be:df:6e:63:61:
+ e3:31:8b:5d:8e:0c:c7:f5:c8:91:0c:be:57:c7:f2:
+ bc:be:0b:ba:7a:1f:f6:19:f1:eb:00:74:c1:12:c2:
+ dc:2b:2e:8d:f0:0a:ff:7f:e8:60:08:90:ba:51:fc:
+ d0:90:11:37:f3:9e:44:b6:64:43:69:5d:61:d3:e1:
+ 8d:77
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 03:7A:DF:0C:DF:DC:93:3D:F7:A5:CC:27:7B:DC:22:F6:E9:55:97:F0
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/LIR2/
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 6f:1a:6a:59:42:4b:0d:64:9e:e4:6e:80:ae:d4:ed:00:cc:52:
+ eb:04:bf:e2:48:2e:24:89:bd:df:a9:cf:93:27:47:80:c5:d6:
+ e1:94:f5:4a:d0:f7:52:48:49:c3:2a:20:de:87:76:e1:a0:11:
+ d5:a0:19:f5:70:df:45:1c:72:47:6b:af:5b:53:5d:1d:49:5a:
+ 62:21:f9:3b:49:18:9d:b1:6c:53:6d:9d:85:2c:fc:83:72:ff:
+ b7:7d:4f:01:36:41:df:a3:03:51:34:e2:5e:25:65:4c:d1:25:
+ f8:e3:92:06:7a:ca:97:42:6c:60:58:05:54:f5:9d:b9:90:fc:
+ ae:32:a3:c5:dc:db:75:55:97:2e:db:1a:32:65:44:e6:ab:81:
+ 14:b2:e1:8c:c5:a5:09:a4:07:2e:ed:ee:44:28:6a:29:0e:6f:
+ a0:08:aa:2a:28:24:e8:cf:7f:22:db:56:b4:fc:45:26:13:9a:
+ 41:55:5c:81:31:b3:6d:d0:3e:cc:62:6d:d1:d8:b9:2a:0f:2b:
+ 58:40:7a:e0:02:d2:31:4c:4f:df:c5:2c:d1:ba:c9:8c:e3:b9:
+ 74:7e:5c:dd:a5:f8:75:93:fe:26:69:52:70:bd:2e:01:1a:37:
+ d1:53:ae:80:d5:5b:56:0c:72:e4:c6:ba:7b:3f:99:2a:bf:a7:
+ b0:d7:3b:ec
+-----BEGIN CERTIFICATE-----
+MIIDNzCCAh+gAwIBAgIBFTANBgkqhkiG9w0BAQsFADAaMRgwFgYDVQQDEw9URVNU
+IEVOVElUWSBSSVIwHhcNMDcwODEwMDA1ODE3WhcNMDgwODA5MDA1ODE3WjAbMRkw
+FwYDVQQDExBURVNUIEVOVElUWSBMSVIyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEA8Ri2eQs1xYNkSIMxA57ncihlsaxh4XcuwE3wsRxh2MxaLccLm3h6
+Pv03rfqwcwuc/LtvYOo4767RJ7iBWQ+z59BnsqL1T+IExswTnzMoNZZ6286sndNk
+PbhEvMtDIpLWPC6/l245am5ok10cqFi3o3omRP7+MK3iBYlMye8s4E4xaT/dkRzw
+sCVMPoSK6l4Ds6jNkBoeyOCv/hHtIQa9PF4IoZPiQUNDONMhs0z6hYtDV2Bdu6B4
+5TNHqDN2vt9uY2HjMYtdjgzH9ciRDL5Xx/K8vgu6eh/2GfHrAHTBEsLcKy6N8Ar/
+f+hgCJC6UfzQkBE3855EtmRDaV1h0+GNdwIDAQABo4GGMIGDMA8GA1UdEwEB/wQF
+MAMBAf8wHQYDVR0OBBYEFAN63wzf3JM996XMJ3vcIvbpVZfwMA4GA1UdDwEB/wQE
+AwIBBjBBBggrBgEFBQcBCwQ1MDMwMQYIKwYBBQUHMAWGJXJzeW5jOi8vd29tYmF0
+cy1yLXVzLmhhY3Rybi5uZXQvTElSMi8wDQYJKoZIhvcNAQELBQADggEBAG8aallC
+Sw1knuRugK7U7QDMUusEv+JILiSJvd+pz5MnR4DF1uGU9UrQ91JIScMqIN6HduGg
+EdWgGfVw30Ucckdrr1tTXR1JWmIh+TtJGJ2xbFNtnYUs/INy/7d9TwE2Qd+jA1E0
+4l4lZUzRJfjjkgZ6ypdCbGBYBVT1nbmQ/K4yo8Xc23VVly7bGjJlROargRSy4YzF
+pQmkBy7t7kQoaikOb6AIqiooJOjPfyLbVrT8RSYTmkFVXIExs23QPsxibdHYuSoP
+K1hAeuAC0jFMT9/FLNG6yYzjuXR+XN2l+HWT/iZpUnC9LgEaN9FTroDVW1YMcuTG
+uns/mSq/p7DXO+w=
+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/16.pem b/rpkid/resource-cert-samples/RIR/16.pem
new file mode 100644
index 00000000..ebfd1e7b
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/16.pem
@@ -0,0 +1,79 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 22 (0x16)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Aug 10 00:58:17 2007 GMT
+ Not After : Aug 9 00:58:17 2008 GMT
+ Subject: CN=TEST ENTITY LIR1
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:af:5d:1c:f9:d9:bb:d5:01:e1:5b:36:cc:51:f6:
+ fd:86:57:60:aa:9e:c7:ec:4e:05:af:fb:51:5c:7a:
+ c2:58:c4:a8:57:ae:14:62:e9:bc:b6:72:7d:cf:49:
+ c8:4a:40:82:4a:f4:3e:30:b5:94:25:9e:6c:78:81:
+ 57:43:d6:85:02:8d:d1:9c:b5:d7:34:2f:e2:a9:7d:
+ 18:27:b5:47:9a:42:16:c8:90:7f:96:2c:dd:b8:98:
+ 17:1f:77:62:4a:08:00:2d:e0:73:0c:39:37:ba:0f:
+ a7:59:59:4c:7c:cd:e2:5c:d7:98:36:10:6c:88:3e:
+ 45:99:a6:88:2f:f6:7f:31:49:ba:42:2b:13:79:c2:
+ b2:f1:09:d9:ad:37:a4:41:b6:6d:46:a1:18:05:a0:
+ 53:07:8e:e0:98:b2:d1:fd:67:68:77:64:d5:f3:fe:
+ 1d:22:36:9e:26:5a:1a:aa:18:94:c3:2c:7e:9a:af:
+ be:2c:9d:5e:75:2c:49:d6:37:2b:06:1f:cc:63:97:
+ 7e:ee:2c:5f:67:af:4d:62:3e:7a:1f:0c:e1:1e:02:
+ f2:d2:06:75:ae:3f:11:bc:8e:0f:13:64:38:14:36:
+ 1d:5d:02:ec:af:65:d5:b9:68:f4:22:66:2b:ef:47:
+ 5b:ad:3b:f2:af:b6:71:0c:94:56:8a:7c:01:36:f0:
+ 3a:3f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 8A:94:17:F9:53:F2:5B:94:54:56:DF:76:51:13:29:F6:71:19:A8:B3
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/LIR1/
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 45:76:2c:fa:d1:3b:02:23:5f:e3:3f:07:7e:ad:92:c0:7d:ba:
+ 8b:6d:ff:3c:33:c2:d4:06:4d:ca:71:41:6a:36:a2:e3:3a:34:
+ 0c:9e:b1:21:a2:17:91:3b:e9:e3:50:57:25:2e:dc:4f:1a:67:
+ 30:52:3e:36:04:0a:ce:03:84:f6:b0:1b:1c:59:66:4b:d1:68:
+ 5a:cf:3b:7d:f4:28:74:6d:16:ba:7c:ad:5c:f0:6a:39:73:33:
+ fe:c0:8d:d7:55:c0:cb:df:f3:d4:51:34:fe:62:42:97:70:61:
+ bd:cc:bc:1c:c7:37:5f:d4:f1:2b:cb:3b:11:4c:84:77:db:5e:
+ 66:2d:37:71:d5:f5:91:01:be:4e:97:8b:ae:6e:83:9a:9a:e3:
+ d8:47:a9:fc:7f:b3:80:67:c1:60:60:3e:66:64:e8:ae:d8:7a:
+ 72:50:fd:59:75:dd:fd:f0:69:92:ce:f6:c9:cc:49:72:eb:70:
+ 48:28:e7:f7:1c:d4:a0:75:40:ef:50:f4:9f:e4:74:26:e5:90:
+ ae:c4:fb:c5:b9:0a:5f:da:61:c2:78:f4:0d:0b:b8:ed:28:d9:
+ b7:26:6a:8f:1d:43:22:72:f3:a6:3c:36:d8:40:9f:d7:49:68:
+ d0:af:64:48:f8:69:55:98:9c:e9:47:5b:1b:15:06:5f:60:80:
+ e9:e2:72:f7
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/17.pem b/rpkid/resource-cert-samples/RIR/17.pem
new file mode 100644
index 00000000..08089ed2
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/17.pem
@@ -0,0 +1,100 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 23 (0x17)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Aug 10 01:02:31 2007 GMT
+ Not After : Aug 9 01:02:31 2008 GMT
+ Subject: CN=TEST ENTITY RIR
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:ac:a7:26:c4:98:68:99:b6:f2:e7:c5:97:05:7e:
+ f9:d7:f2:ec:39:e6:2b:8e:c2:42:88:b9:8f:22:b6:
+ 3c:59:b0:0e:8a:1d:0e:f8:81:b1:c8:ff:4a:8a:1a:
+ 43:bc:78:91:3e:af:b2:b0:95:60:a9:3e:9d:c2:ff:
+ 99:8f:8f:b6:dc:d8:46:b7:86:35:a6:f6:42:05:c2:
+ c5:9b:84:15:e2:58:0f:70:9c:bc:53:d7:28:76:f8:
+ f2:14:79:22:bd:d6:8b:6c:0e:2b:02:e5:d8:f3:33:
+ fa:16:43:9b:80:87:f9:b2:45:ab:bd:7d:14:b2:24:
+ 2f:41:13:6f:45:c4:dc:f9:4d:7f:d8:d3:e1:aa:5c:
+ 52:9d:c9:7a:38:b7:b0:43:bd:b7:6a:37:43:ec:e7:
+ 34:c4:3b:4c:ca:cc:7b:1f:91:ef:ab:d4:35:76:42:
+ 82:d4:f5:79:e0:12:3c:24:92:2e:dc:a2:5c:83:f0:
+ 71:8a:26:96:30:d4:b8:96:4d:00:2c:1a:f0:0f:79:
+ 52:c7:27:73:54:77:c1:86:f9:86:61:ce:e0:69:a7:
+ a8:3d:77:39:e7:24:ee:41:8d:52:19:3b:57:8c:84:
+ cc:9a:d5:05:7c:e6:83:2c:e3:13:6d:66:1b:87:20:
+ 82:47:e1:05:26:f0:3b:29:69:6d:bc:af:48:91:c4:
+ 40:f1
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ FB:B8:A7:A3:36:48:0A:A0:9F:F0:2E:DC:8B:68:BC:B3:5C:45:25:D7
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/RIR/
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64533-64540
+ 64544
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 10.0.0.0/24
+ 10.3.0.0/24
+ 192.0.2.1-192.0.2.33
+ 192.0.2.44-192.0.2.100
+ IPv6:
+ 2001:db8:0:0:0:0:0:44-2001:db8:0:0:0:0:0:100
+ 2001:db8:0:0:0:0:a00::/120
+ 2001:db8:0:0:0:0:a03::/120
+ 2001:db8:0:0:0:10:0:44/128
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 98:59:33:64:37:e0:05:3f:f1:4a:d6:c3:45:92:92:f4:da:0e:
+ 35:de:70:0a:ab:49:10:c9:a2:74:c6:ad:2b:cb:de:3e:0e:3f:
+ 2e:2d:0d:f1:65:0a:b9:f6:c6:fe:80:8a:d2:a9:fe:41:f7:6d:
+ 8f:92:f4:f6:4a:d0:36:6f:06:de:f6:30:91:ac:1d:c3:a7:d0:
+ 7a:4a:40:9c:88:fd:0f:b8:f7:46:0c:d0:a5:85:48:e7:47:e1:
+ 9a:d2:e7:3e:36:fc:e5:e4:13:98:b2:48:a7:b1:bb:b5:86:11:
+ 35:42:20:97:6a:d6:a1:ae:1b:33:1b:6d:1c:9b:e8:9d:8c:05:
+ 44:e3:d3:7e:53:d6:d8:da:76:85:6d:8f:dc:d1:1b:c4:cd:87:
+ de:73:dd:09:26:eb:ac:49:62:5f:fb:44:42:d5:81:0f:11:eb:
+ 3f:5c:83:2d:ed:51:12:66:e6:ff:2c:83:ac:40:0a:85:01:b4:
+ 08:4b:32:14:ff:a5:a6:33:30:f2:10:ac:bb:55:9c:65:3b:78:
+ 35:0e:45:c6:0d:64:b0:ef:1f:f7:7f:79:43:fd:97:b9:ea:8b:
+ 8e:5d:56:76:fa:cb:39:17:f3:27:b2:b0:1d:87:1f:52:50:54:
+ 55:69:5a:37:f1:42:07:ed:68:90:b0:63:7c:f1:10:19:29:44:
+ f7:58:ee:eb
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
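Review bot: The validity window of this sample is fixed at one year (`Not After : Aug 9 01:02:31 2008 GMT`), so any test that runs path validation over it against the current clock will start failing on that date. The same holds for 18.pem through 21.pem, which were issued in the same three batches (01:02:31, 01:07:08 and 01:13:39 on Aug 10 2007). Either pin the verification time wherever these files are checked, or record the window next to them, for example a README line `Samples are valid 2007-08-10 to 2008-08-09; verify with a fixed time inside that window.`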
diff --git a/rpkid/resource-cert-samples/RIR/18.pem b/rpkid/resource-cert-samples/RIR/18.pem
new file mode 100644
index 00000000..61f31504
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/18.pem
@@ -0,0 +1,98 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 24 (0x18)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Aug 10 01:02:31 2007 GMT
+ Not After : Aug 9 01:02:31 2008 GMT
+ Subject: CN=TEST ENTITY LIR3
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:a3:21:57:61:64:af:11:18:d4:cb:de:a6:dc:ad:
+ d9:2c:0f:0f:58:9f:7e:c8:85:55:11:26:4c:7c:f0:
+ 6b:68:1a:9e:6a:0c:8f:e6:dc:3d:83:58:2a:cc:77:
+ ac:19:73:6f:5a:f3:6e:24:ac:cd:1a:dc:1d:0b:4c:
+ 44:f5:6d:8b:0a:17:3d:86:f9:e8:fe:e6:60:e5:9f:
+ 40:6a:e5:94:e8:9a:56:17:17:1c:ab:c1:8c:37:40:
+ 2b:55:bf:2c:5e:dc:8d:ca:25:7f:8a:5f:ee:fb:16:
+ 86:eb:e0:08:d3:26:e5:e3:70:c5:0c:6b:fb:1b:8f:
+ 6b:5c:f6:e2:4a:58:a5:35:01:ea:05:1b:3e:ce:84:
+ be:b5:3f:6d:18:16:4b:68:e5:79:4c:88:7d:b6:a5:
+ 65:a3:3a:c2:32:dc:ad:8f:8a:05:ee:f6:e9:7a:80:
+ da:12:a9:0f:5a:b5:d2:d3:31:ac:3e:d3:19:25:2d:
+ 28:de:79:6c:ce:fd:77:66:d5:e3:2f:a9:cb:f9:85:
+ 8c:20:bb:a2:86:23:f0:93:95:20:04:78:c7:c7:07:
+ a6:fe:f0:f4:45:bb:cf:78:2b:dd:ce:9c:08:a5:46:
+ 68:10:4c:d7:05:62:6c:86:5a:2d:7f:06:38:c2:4d:
+ bb:44:87:00:43:79:d2:8f:f3:6b:b2:f4:5c:1c:b9:
+ 68:01
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 98:BE:04:FF:80:D1:AB:95:39:AA:3D:F2:0E:67:7D:00:AD:A3:FD:C5
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/LIR3/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/RIR.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64534-64540
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 10.0.0.0/24
+ 10.3.0.0/24
+ IPv6:
+ 2001:db8:0:0:0:0:a00::/120
+ 2001:db8:0:0:0:0:a03::/120
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 48:75:33:bf:1e:19:3b:50:a8:af:35:67:af:b3:e9:f5:53:68:
+ ea:41:f9:cf:21:a6:cb:ad:f3:ac:20:2b:79:c9:15:7a:9b:7f:
+ 88:70:ac:34:64:44:92:7f:56:41:f1:8e:af:9f:e6:28:6f:74:
+ d5:d3:d3:7b:99:1f:92:8f:58:9d:03:b3:f9:b1:9f:c4:8e:b1:
+ ea:bb:cf:11:02:70:7b:9c:0e:36:f9:13:41:fb:3f:94:aa:95:
+ 33:25:f4:4b:4c:cf:11:c4:39:1b:74:fc:98:92:84:4a:58:09:
+ f3:e5:d2:1c:06:cf:73:79:98:68:ec:17:c2:4f:24:38:7d:47:
+ b9:6d:62:c6:70:69:2e:83:0c:d1:77:e1:78:a2:b5:ea:0e:17:
+ d4:93:7b:9c:c1:1d:48:aa:ba:95:03:9d:0f:1a:d8:65:36:84:
+ 5b:2b:57:44:af:ef:0e:56:f8:3f:63:34:79:d4:98:8d:c6:7c:
+ 3c:b5:cc:26:ab:5c:04:01:aa:ff:c7:00:2c:12:4c:e4:9e:29:
+ f4:30:95:ab:28:d5:f0:91:b1:4b:cc:a9:43:58:d1:81:45:7b:
+ 48:50:7e:b8:21:25:2a:58:d7:65:e7:1f:09:30:25:09:08:83:
+ 5b:fd:c4:42:bd:d7:a1:72:e4:97:ce:f6:c9:72:38:59:2f:e6:
+ e4:06:a4:99
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/19.pem b/rpkid/resource-cert-samples/RIR/19.pem
new file mode 100644
index 00000000..e258d4d7
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/19.pem
@@ -0,0 +1,95 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 25 (0x19)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Aug 10 01:02:31 2007 GMT
+ Not After : Aug 9 01:02:31 2008 GMT
+ Subject: CN=TEST ENTITY LIR2
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:f1:18:b6:79:0b:35:c5:83:64:48:83:31:03:9e:
+ e7:72:28:65:b1:ac:61:e1:77:2e:c0:4d:f0:b1:1c:
+ 61:d8:cc:5a:2d:c7:0b:9b:78:7a:3e:fd:37:ad:fa:
+ b0:73:0b:9c:fc:bb:6f:60:ea:38:ef:ae:d1:27:b8:
+ 81:59:0f:b3:e7:d0:67:b2:a2:f5:4f:e2:04:c6:cc:
+ 13:9f:33:28:35:96:7a:db:ce:ac:9d:d3:64:3d:b8:
+ 44:bc:cb:43:22:92:d6:3c:2e:bf:97:6e:39:6a:6e:
+ 68:93:5d:1c:a8:58:b7:a3:7a:26:44:fe:fe:30:ad:
+ e2:05:89:4c:c9:ef:2c:e0:4e:31:69:3f:dd:91:1c:
+ f0:b0:25:4c:3e:84:8a:ea:5e:03:b3:a8:cd:90:1a:
+ 1e:c8:e0:af:fe:11:ed:21:06:bd:3c:5e:08:a1:93:
+ e2:41:43:43:38:d3:21:b3:4c:fa:85:8b:43:57:60:
+ 5d:bb:a0:78:e5:33:47:a8:33:76:be:df:6e:63:61:
+ e3:31:8b:5d:8e:0c:c7:f5:c8:91:0c:be:57:c7:f2:
+ bc:be:0b:ba:7a:1f:f6:19:f1:eb:00:74:c1:12:c2:
+ dc:2b:2e:8d:f0:0a:ff:7f:e8:60:08:90:ba:51:fc:
+ d0:90:11:37:f3:9e:44:b6:64:43:69:5d:61:d3:e1:
+ 8d:77
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 03:7A:DF:0C:DF:DC:93:3D:F7:A5:CC:27:7B:DC:22:F6:E9:55:97:F0
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/LIR2/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/RIR.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64544
+
+ sbgp-ipAddrBlock: critical
+ IPv6:
+ 2001:db8:0:0:0:0:0:44-2001:db8:0:0:0:0:0:100
+ 2001:db8:0:0:0:10:0:44/128
+
+ Signature Algorithm: sha256WithRSAEncryption
+ ab:e6:eb:32:dd:27:9e:57:ba:21:b7:f2:7f:38:ba:b9:35:c6:
+ fb:73:c8:70:83:63:80:8f:10:99:56:fc:27:66:d3:19:36:61:
+ 0d:96:f5:aa:1e:2b:8d:75:3f:cf:9a:5e:8c:17:51:21:31:6f:
+ ac:ce:d7:18:21:03:3e:b9:b5:4b:50:23:3a:1c:45:5e:51:d9:
+ 91:73:84:19:98:bd:52:3f:77:f9:c1:ae:94:e0:be:5a:70:20:
+ 1b:68:55:4a:9b:02:7b:7f:a0:4c:86:d8:41:54:58:f0:65:b9:
+ 18:03:9e:92:d0:5e:bf:6b:d9:42:b3:20:fe:f8:87:65:54:17:
+ 88:69:cd:e1:b7:73:37:2b:bf:e0:10:52:0a:4f:72:e7:3e:c8:
+ 6c:91:37:cb:16:6b:e3:76:45:4d:68:80:92:45:7d:0f:7d:46:
+ 11:6d:5a:e9:63:38:c3:7f:84:87:4c:66:28:11:d9:a3:db:75:
+ d8:72:5e:a6:46:3a:14:28:9d:86:e3:bc:a5:15:4c:8c:0c:54:
+ 8c:9a:0b:4a:ad:72:9a:c5:60:f5:92:ef:9e:ef:be:38:c4:28:
+ 44:a8:26:80:dc:26:4a:27:4c:d0:ba:f6:ba:fb:9c:5c:7c:3b:
+ 80:7a:37:3f:bd:eb:8f:f5:21:db:b4:80:77:a8:bb:b0:19:07:
+ 00:65:9a:82
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/1A.pem b/rpkid/resource-cert-samples/RIR/1A.pem
new file mode 100644
index 00000000..9b92b771
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/1A.pem
@@ -0,0 +1,94 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 26 (0x1a)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Aug 10 01:02:31 2007 GMT
+ Not After : Aug 9 01:02:31 2008 GMT
+ Subject: CN=TEST ENTITY LIR1
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:af:5d:1c:f9:d9:bb:d5:01:e1:5b:36:cc:51:f6:
+ fd:86:57:60:aa:9e:c7:ec:4e:05:af:fb:51:5c:7a:
+ c2:58:c4:a8:57:ae:14:62:e9:bc:b6:72:7d:cf:49:
+ c8:4a:40:82:4a:f4:3e:30:b5:94:25:9e:6c:78:81:
+ 57:43:d6:85:02:8d:d1:9c:b5:d7:34:2f:e2:a9:7d:
+ 18:27:b5:47:9a:42:16:c8:90:7f:96:2c:dd:b8:98:
+ 17:1f:77:62:4a:08:00:2d:e0:73:0c:39:37:ba:0f:
+ a7:59:59:4c:7c:cd:e2:5c:d7:98:36:10:6c:88:3e:
+ 45:99:a6:88:2f:f6:7f:31:49:ba:42:2b:13:79:c2:
+ b2:f1:09:d9:ad:37:a4:41:b6:6d:46:a1:18:05:a0:
+ 53:07:8e:e0:98:b2:d1:fd:67:68:77:64:d5:f3:fe:
+ 1d:22:36:9e:26:5a:1a:aa:18:94:c3:2c:7e:9a:af:
+ be:2c:9d:5e:75:2c:49:d6:37:2b:06:1f:cc:63:97:
+ 7e:ee:2c:5f:67:af:4d:62:3e:7a:1f:0c:e1:1e:02:
+ f2:d2:06:75:ae:3f:11:bc:8e:0f:13:64:38:14:36:
+ 1d:5d:02:ec:af:65:d5:b9:68:f4:22:66:2b:ef:47:
+ 5b:ad:3b:f2:af:b6:71:0c:94:56:8a:7c:01:36:f0:
+ 3a:3f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 8A:94:17:F9:53:F2:5B:94:54:56:DF:76:51:13:29:F6:71:19:A8:B3
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/LIR1/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/RIR.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64533
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 192.0.2.1-192.0.2.33
+ 192.0.2.44-192.0.2.100
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 1f:83:71:23:e8:ef:c9:a9:7f:c1:a3:c3:73:64:67:f3:0a:c0:
+ b8:1f:17:71:b0:f6:97:be:db:5d:bf:79:ea:d8:af:cc:16:f4:
+ ee:f1:01:e3:df:a4:f5:a7:d9:d0:12:28:fc:02:69:91:eb:1f:
+ e5:fa:b3:3c:ba:9a:34:20:ce:0a:68:73:b8:aa:62:dd:b1:54:
+ f9:b6:ab:70:23:e0:c6:55:d5:a7:ad:ab:5b:bf:12:38:44:7b:
+ b1:36:20:6e:1b:d1:30:5e:c2:a3:c6:db:19:4e:f1:e8:71:32:
+ 1a:04:b4:96:31:9b:5e:c8:25:94:72:05:f1:96:a4:82:69:62:
+ c6:67:7f:53:b6:71:b1:72:7f:9b:94:f4:04:fe:32:ed:7b:ee:
+ 4e:4a:6a:6c:b8:70:db:2d:4a:7c:b9:23:8b:d0:39:b1:a5:9f:
+ c8:ee:51:95:3d:e0:e6:d2:45:0b:8a:83:d0:41:13:f6:39:ce:
+ 5f:a6:91:00:6c:e1:dc:51:e0:b8:7c:6c:e4:a7:54:b8:26:04:
+ 8c:bb:5a:35:0b:d9:4f:dd:52:78:21:e2:a7:ca:ef:a7:10:cf:
+ 44:27:2b:f4:88:d8:18:c3:e1:5a:42:12:a3:05:1e:08:7a:06:
+ 1f:24:64:05:14:d9:b2:2d:92:4e:cd:45:8b:45:c6:9e:ca:10:
+ 72:0d:43:09
+-----BEGIN CERTIFICATE-----
+MIID1TCCAr2gAwIBAgIBGjANBgkqhkiG9w0BAQsFADAaMRgwFgYDVQQDEw9URVNU
+IEVOVElUWSBSSVIwHhcNMDcwODEwMDEwMjMxWhcNMDgwODA5MDEwMjMxWjAbMRkw
+FwYDVQQDExBURVNUIEVOVElUWSBMSVIxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAr10c+dm71QHhWzbMUfb9hldgqp7H7E4Fr/tRXHrCWMSoV64UYum8
+tnJ9z0nISkCCSvQ+MLWUJZ5seIFXQ9aFAo3RnLXXNC/iqX0YJ7VHmkIWyJB/lizd
+uJgXH3diSggALeBzDDk3ug+nWVlMfM3iXNeYNhBsiD5FmaaIL/Z/MUm6QisTecKy
+8QnZrTekQbZtRqEYBaBTB47gmLLR/Wdod2TV8/4dIjaeJloaqhiUwyx+mq++LJ1e
+dSxJ1jcrBh/MY5d+7ixfZ69NYj56HwzhHgLy0gZ1rj8RvI4PE2Q4FDYdXQLsr2XV
+uWj0ImYr70dbrTvyr7ZxDJRWinwBNvA6PwIDAQABo4IBIzCCAR8wDwYDVR0TAQH/
+BAUwAwEB/zAdBgNVHQ4EFgQUipQX+VPyW5RUVt92URMp9nEZqLMwDgYDVR0PAQH/
+BAQDAgEGMEEGCCsGAQUFBwELBDUwMzAxBggrBgEFBQcwBYYlcnN5bmM6Ly93b21i
+YXRzLXItdXMuaGFjdHJuLm5ldC9MSVIxLzBDBggrBgEFBQcBAQQ3MDUwMwYIKwYB
+BQUHMAKGJ3JzeW5jOi8vd29tYmF0cy1yLXVzLmhhY3Rybi5uZXQvUklSLmNlcjAa
+BggrBgEFBQcBCAEB/wQLMAmgBzAFAgMA/BUwOQYIKwYBBQUHAQcBAf8EKjAoMCYE
+AgABMCAwDgMFAMAAAgEDBQHAAAIgMA4DBQLAAAIsAwUAwAACZDANBgkqhkiG9w0B
+AQsFAAOCAQEAH4NxI+jvyal/waPDc2Rn8wrAuB8XcbD2l77bXb956tivzBb07vEB
+49+k9afZ0BIo/AJpkesf5fqzPLqaNCDOCmhzuKpi3bFU+barcCPgxlXVp62rW78S
+OER7sTYgbhvRMF7Co8bbGU7x6HEyGgS0ljGbXsgllHIF8Zakgmlixmd/U7ZxsXJ/
+m5T0BP4y7XvuTkpqbLhw2y1KfLkji9A5saWfyO5RlT3g5tJFC4qD0EET9jnOX6aR
+AGzh3FHguHxs5KdUuCYEjLtaNQvZT91SeCHip8rvpxDPRCcr9IjYGMPhWkISowUe
+CHoGHyRkBRTZsi2STs1Fi0XGnsoQcg1DCQ==
+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/1B.pem b/rpkid/resource-cert-samples/RIR/1B.pem
new file mode 100644
index 00000000..300059d2
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/1B.pem
@@ -0,0 +1,100 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 27 (0x1b)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Aug 10 01:07:08 2007 GMT
+ Not After : Aug 9 01:07:08 2008 GMT
+ Subject: CN=TEST ENTITY RIR
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:ac:a7:26:c4:98:68:99:b6:f2:e7:c5:97:05:7e:
+ f9:d7:f2:ec:39:e6:2b:8e:c2:42:88:b9:8f:22:b6:
+ 3c:59:b0:0e:8a:1d:0e:f8:81:b1:c8:ff:4a:8a:1a:
+ 43:bc:78:91:3e:af:b2:b0:95:60:a9:3e:9d:c2:ff:
+ 99:8f:8f:b6:dc:d8:46:b7:86:35:a6:f6:42:05:c2:
+ c5:9b:84:15:e2:58:0f:70:9c:bc:53:d7:28:76:f8:
+ f2:14:79:22:bd:d6:8b:6c:0e:2b:02:e5:d8:f3:33:
+ fa:16:43:9b:80:87:f9:b2:45:ab:bd:7d:14:b2:24:
+ 2f:41:13:6f:45:c4:dc:f9:4d:7f:d8:d3:e1:aa:5c:
+ 52:9d:c9:7a:38:b7:b0:43:bd:b7:6a:37:43:ec:e7:
+ 34:c4:3b:4c:ca:cc:7b:1f:91:ef:ab:d4:35:76:42:
+ 82:d4:f5:79:e0:12:3c:24:92:2e:dc:a2:5c:83:f0:
+ 71:8a:26:96:30:d4:b8:96:4d:00:2c:1a:f0:0f:79:
+ 52:c7:27:73:54:77:c1:86:f9:86:61:ce:e0:69:a7:
+ a8:3d:77:39:e7:24:ee:41:8d:52:19:3b:57:8c:84:
+ cc:9a:d5:05:7c:e6:83:2c:e3:13:6d:66:1b:87:20:
+ 82:47:e1:05:26:f0:3b:29:69:6d:bc:af:48:91:c4:
+ 40:f1
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ FB:B8:A7:A3:36:48:0A:A0:9F:F0:2E:DC:8B:68:BC:B3:5C:45:25:D7
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/RIR/
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64533-64540
+ 64544
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 10.0.0.0/24
+ 10.3.0.0/24
+ 192.0.2.1-192.0.2.33
+ 192.0.2.44-192.0.2.100
+ IPv6:
+ 2001:db8:0:0:0:0:0:44-2001:db8:0:0:0:0:0:100
+ 2001:db8:0:0:0:0:a00::/120
+ 2001:db8:0:0:0:0:a03::/120
+ 2001:db8:0:0:0:10:0:44/128
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 7c:1c:ce:a8:d1:0f:62:6e:a9:c2:b1:1a:5d:12:64:0b:07:3f:
+ 32:63:9e:f5:0c:29:f6:5a:72:40:7d:a2:02:a0:cb:2a:c0:e0:
+ 66:d7:bd:0a:1e:c4:59:ee:99:33:f8:c3:a7:4b:56:8c:1d:62:
+ f5:c3:ee:12:45:3e:2f:29:ed:11:29:ae:1f:c0:8f:d6:ac:dd:
+ f4:74:21:07:b0:54:cc:6b:ca:37:38:82:7b:d4:e1:1f:00:b4:
+ ac:be:b4:71:5f:74:96:1b:39:ef:fc:ae:0c:b5:b2:7b:be:e5:
+ 16:66:21:2f:aa:ba:1a:52:63:d3:3f:38:91:7b:2d:c8:fd:f6:
+ aa:f0:f1:c5:39:4f:7d:79:b3:e3:e6:a0:95:6b:a3:66:10:dd:
+ d4:0f:93:0f:34:13:b0:1c:a3:b4:88:ba:ba:b6:f5:55:ba:f2:
+ 1c:6c:1c:9d:1d:fe:e7:49:c9:10:9a:c7:68:b0:2c:d7:0e:c1:
+ 73:93:07:65:2b:3f:ed:98:ff:4d:f4:6b:b6:c0:4b:25:40:43:
+ 33:b6:44:b9:de:62:27:bf:cd:6d:36:9d:60:a8:bd:25:67:21:
+ 53:a4:64:d7:67:7b:0b:ff:a2:22:72:cd:8a:b2:57:7c:13:02:
+ 97:93:96:cc:3b:61:40:6d:5c:da:d6:79:b6:ac:e0:05:fe:dd:
+ f9:7f:24:2c
+-----BEGIN CERTIFICATE-----
+MIIEEDCCAvigAwIBAgIBGzANBgkqhkiG9w0BAQsFADAaMRgwFgYDVQQDEw9URVNU
+IEVOVElUWSBSSVIwHhcNMDcwODEwMDEwNzA4WhcNMDgwODA5MDEwNzA4WjAaMRgw
+FgYDVQQDEw9URVNUIEVOVElUWSBSSVIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCspybEmGiZtvLnxZcFfvnX8uw55iuOwkKIuY8itjxZsA6KHQ74gbHI
+/0qKGkO8eJE+r7KwlWCpPp3C/5mPj7bc2Ea3hjWm9kIFwsWbhBXiWA9wnLxT1yh2
++PIUeSK91otsDisC5djzM/oWQ5uAh/myRau9fRSyJC9BE29FxNz5TX/Y0+GqXFKd
+yXo4t7BDvbdqN0Ps5zTEO0zKzHsfke+r1DV2QoLU9XngEjwkki7colyD8HGKJpYw
+1LiWTQAsGvAPeVLHJ3NUd8GG+YZhzuBpp6g9dznnJO5BjVIZO1eMhMya1QV85oMs
+4xNtZhuHIIJH4QUm8DspaW28r0iRxEDxAgMBAAGjggFfMIIBWzAPBgNVHRMBAf8E
+BTADAQH/MB0GA1UdDgQWBBT7uKejNkgKoJ/wLtyLaLyzXEUl1zAOBgNVHQ8BAf8E
+BAMCAQYwQAYIKwYBBQUHAQsENDAyMDAGCCsGAQUFBzAFhiRyc3luYzovL3dvbWJh
+dHMtci11cy5oYWN0cm4ubmV0L1JJUi8wJgYIKwYBBQUHAQgBAf8EFzAVoBMwETAK
+AgMA/BUCAwD8HAIDAPwgMIGuBggrBgEFBQcBBwEB/wSBnjCBmzAyBAIAATAsAwQA
+CgAAAwQACgMAMA4DBQDAAAIBAwUBwAACIDAOAwUCwAACLAMFAMAAAmQwZQQCAAIw
+XzAmAxECIAENuAAAAAAAAAAAAAAARAMRACABDbgAAAAAAAAAAAAAAQADEAAgAQ24
+AAAAAAAAAAAKAAADEAAgAQ24AAAAAAAAAAAKAwADEQAgAQ24AAAAAAAAABAAAABE
+MA0GCSqGSIb3DQEBCwUAA4IBAQB8HM6o0Q9ibqnCsRpdEmQLBz8yY571DCn2WnJA
+faICoMsqwOBm170KHsRZ7pkz+MOnS1aMHWL1w+4SRT4vKe0RKa4fwI/WrN30dCEH
+sFTMa8o3OIJ71OEfALSsvrRxX3SWGznv/K4MtbJ7vuUWZiEvqroaUmPTPziRey3I
+/faq8PHFOU99ebPj5qCVa6NmEN3UD5MPNBOwHKO0iLq6tvVVuvIcbBydHf7nSckQ
+msdosCzXDsFzkwdlKz/tmP9N9Gu2wEslQEMztkS53mInv81tNp1gqL0lZyFTpGTX
+Z3sL/6Iics2Ksld8EwKXk5bMO2FAbVza1nm2rOAF/t35fyQs
+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/1C.pem b/rpkid/resource-cert-samples/RIR/1C.pem
new file mode 100644
index 00000000..786dc6b4
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/1C.pem
@@ -0,0 +1,98 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 28 (0x1c)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Aug 10 01:07:08 2007 GMT
+ Not After : Aug 9 01:07:08 2008 GMT
+ Subject: CN=TEST ENTITY LIR3
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:a3:21:57:61:64:af:11:18:d4:cb:de:a6:dc:ad:
+ d9:2c:0f:0f:58:9f:7e:c8:85:55:11:26:4c:7c:f0:
+ 6b:68:1a:9e:6a:0c:8f:e6:dc:3d:83:58:2a:cc:77:
+ ac:19:73:6f:5a:f3:6e:24:ac:cd:1a:dc:1d:0b:4c:
+ 44:f5:6d:8b:0a:17:3d:86:f9:e8:fe:e6:60:e5:9f:
+ 40:6a:e5:94:e8:9a:56:17:17:1c:ab:c1:8c:37:40:
+ 2b:55:bf:2c:5e:dc:8d:ca:25:7f:8a:5f:ee:fb:16:
+ 86:eb:e0:08:d3:26:e5:e3:70:c5:0c:6b:fb:1b:8f:
+ 6b:5c:f6:e2:4a:58:a5:35:01:ea:05:1b:3e:ce:84:
+ be:b5:3f:6d:18:16:4b:68:e5:79:4c:88:7d:b6:a5:
+ 65:a3:3a:c2:32:dc:ad:8f:8a:05:ee:f6:e9:7a:80:
+ da:12:a9:0f:5a:b5:d2:d3:31:ac:3e:d3:19:25:2d:
+ 28:de:79:6c:ce:fd:77:66:d5:e3:2f:a9:cb:f9:85:
+ 8c:20:bb:a2:86:23:f0:93:95:20:04:78:c7:c7:07:
+ a6:fe:f0:f4:45:bb:cf:78:2b:dd:ce:9c:08:a5:46:
+ 68:10:4c:d7:05:62:6c:86:5a:2d:7f:06:38:c2:4d:
+ bb:44:87:00:43:79:d2:8f:f3:6b:b2:f4:5c:1c:b9:
+ 68:01
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 98:BE:04:FF:80:D1:AB:95:39:AA:3D:F2:0E:67:7D:00:AD:A3:FD:C5
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/LIR3/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/RIR.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64534-64540
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 10.0.0.0/24
+ 10.3.0.0/24
+ IPv6:
+ 2001:db8:0:0:0:0:a00::/120
+ 2001:db8:0:0:0:0:a03::/120
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 59:02:31:4f:92:0b:01:2d:98:ab:45:b8:7b:a9:b8:60:88:a1:
+ 8c:e3:84:e7:0b:20:a7:9c:e1:a2:7c:aa:9f:e3:a2:f2:5c:0e:
+ 55:bd:a7:1d:96:e1:fb:0c:16:7d:85:07:42:95:bf:e9:14:c5:
+ 6f:e5:91:84:88:b7:e7:3b:16:7a:77:08:8e:68:ff:da:44:65:
+ 04:65:3e:7e:18:5f:ed:56:62:57:fb:b6:da:b4:08:c9:cf:17:
+ bb:83:34:7a:49:f6:22:02:a4:49:d7:55:c5:d1:22:df:92:f3:
+ 65:5d:2c:de:ac:0e:f3:9c:18:36:f9:b7:8a:5f:df:d6:5d:84:
+ 31:7f:76:95:e2:59:53:4a:40:8e:99:6d:ae:3b:9d:86:ce:2a:
+ 75:1d:49:7c:26:3e:90:2b:34:87:c9:4a:7a:aa:70:59:68:d3:
+ 81:7f:1b:ee:fc:ea:72:65:60:c9:9e:94:50:8d:62:93:d5:7e:
+ 52:68:06:c9:d8:e5:bf:a0:db:cd:c2:90:93:0e:9f:1a:66:2f:
+ 14:16:4a:57:4a:15:bb:0e:d4:73:96:91:1b:a6:00:5f:77:13:
+ 03:a7:93:65:9a:df:03:42:a8:7c:4e:dc:89:32:ae:80:94:f7:
+ c3:d7:ed:33:7c:45:ea:34:4d:ea:fe:bd:31:50:c3:81:3f:12:
+ c8:1f:f8:63
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/1D.pem b/rpkid/resource-cert-samples/RIR/1D.pem
new file mode 100644
index 00000000..ef7eb793
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/1D.pem
@@ -0,0 +1,95 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 29 (0x1d)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Aug 10 01:07:08 2007 GMT
+ Not After : Aug 9 01:07:08 2008 GMT
+ Subject: CN=TEST ENTITY LIR2
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:f1:18:b6:79:0b:35:c5:83:64:48:83:31:03:9e:
+ e7:72:28:65:b1:ac:61:e1:77:2e:c0:4d:f0:b1:1c:
+ 61:d8:cc:5a:2d:c7:0b:9b:78:7a:3e:fd:37:ad:fa:
+ b0:73:0b:9c:fc:bb:6f:60:ea:38:ef:ae:d1:27:b8:
+ 81:59:0f:b3:e7:d0:67:b2:a2:f5:4f:e2:04:c6:cc:
+ 13:9f:33:28:35:96:7a:db:ce:ac:9d:d3:64:3d:b8:
+ 44:bc:cb:43:22:92:d6:3c:2e:bf:97:6e:39:6a:6e:
+ 68:93:5d:1c:a8:58:b7:a3:7a:26:44:fe:fe:30:ad:
+ e2:05:89:4c:c9:ef:2c:e0:4e:31:69:3f:dd:91:1c:
+ f0:b0:25:4c:3e:84:8a:ea:5e:03:b3:a8:cd:90:1a:
+ 1e:c8:e0:af:fe:11:ed:21:06:bd:3c:5e:08:a1:93:
+ e2:41:43:43:38:d3:21:b3:4c:fa:85:8b:43:57:60:
+ 5d:bb:a0:78:e5:33:47:a8:33:76:be:df:6e:63:61:
+ e3:31:8b:5d:8e:0c:c7:f5:c8:91:0c:be:57:c7:f2:
+ bc:be:0b:ba:7a:1f:f6:19:f1:eb:00:74:c1:12:c2:
+ dc:2b:2e:8d:f0:0a:ff:7f:e8:60:08:90:ba:51:fc:
+ d0:90:11:37:f3:9e:44:b6:64:43:69:5d:61:d3:e1:
+ 8d:77
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 03:7A:DF:0C:DF:DC:93:3D:F7:A5:CC:27:7B:DC:22:F6:E9:55:97:F0
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/LIR2/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/RIR.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64544
+
+ sbgp-ipAddrBlock: critical
+ IPv6:
+ 2001:db8:0:0:0:0:0:44-2001:db8:0:0:0:0:0:100
+ 2001:db8:0:0:0:10:0:44/128
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 0c:51:a0:58:12:e3:9e:03:0a:45:a2:db:eb:7b:98:b1:32:a8:
+ 87:e2:0a:79:4d:a6:56:83:7c:a3:14:78:98:ba:4d:8f:e4:59:
+ 06:15:f6:3a:01:6c:5c:21:a5:1e:97:09:42:24:7c:11:a0:4e:
+ f3:9a:de:50:c2:88:2b:1b:59:6c:12:0e:26:10:40:21:16:e1:
+ 60:96:bb:4d:53:0f:79:47:28:e0:10:cf:61:f3:82:5f:3a:7f:
+ ec:e2:3f:f5:60:70:d8:ca:05:ce:cb:f9:49:f8:15:be:0e:18:
+ e2:f4:3c:f3:1f:5a:31:77:9d:e4:69:17:4a:4f:4d:d6:eb:58:
+ d6:c7:28:87:15:7c:d0:51:69:59:02:a9:e7:14:a8:d6:5f:6e:
+ 25:b3:2c:8b:ed:58:f7:84:40:ae:95:4d:67:f5:86:d8:2e:9b:
+ 1f:29:3a:38:a9:7b:8c:6f:62:df:31:a6:a3:17:ec:19:94:93:
+ c9:17:36:9b:51:6c:79:c7:4a:4a:08:25:ef:db:13:d8:de:95:
+ 80:87:28:aa:ae:3d:fb:d8:80:54:cb:31:f3:40:49:28:8f:08:
+ c9:dc:c3:6d:1d:de:16:57:11:f5:56:89:1d:5a:b9:54:d1:f0:
+ c4:48:c6:39:05:53:26:15:be:1a:dc:6c:70:6c:f9:71:59:d8:
+ 2f:f4:b4:81
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/1E.pem b/rpkid/resource-cert-samples/RIR/1E.pem
new file mode 100644
index 00000000..93d846b8
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/1E.pem
@@ -0,0 +1,94 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 30 (0x1e)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Aug 10 01:07:08 2007 GMT
+ Not After : Aug 9 01:07:08 2008 GMT
+ Subject: CN=TEST ENTITY LIR1
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:af:5d:1c:f9:d9:bb:d5:01:e1:5b:36:cc:51:f6:
+ fd:86:57:60:aa:9e:c7:ec:4e:05:af:fb:51:5c:7a:
+ c2:58:c4:a8:57:ae:14:62:e9:bc:b6:72:7d:cf:49:
+ c8:4a:40:82:4a:f4:3e:30:b5:94:25:9e:6c:78:81:
+ 57:43:d6:85:02:8d:d1:9c:b5:d7:34:2f:e2:a9:7d:
+ 18:27:b5:47:9a:42:16:c8:90:7f:96:2c:dd:b8:98:
+ 17:1f:77:62:4a:08:00:2d:e0:73:0c:39:37:ba:0f:
+ a7:59:59:4c:7c:cd:e2:5c:d7:98:36:10:6c:88:3e:
+ 45:99:a6:88:2f:f6:7f:31:49:ba:42:2b:13:79:c2:
+ b2:f1:09:d9:ad:37:a4:41:b6:6d:46:a1:18:05:a0:
+ 53:07:8e:e0:98:b2:d1:fd:67:68:77:64:d5:f3:fe:
+ 1d:22:36:9e:26:5a:1a:aa:18:94:c3:2c:7e:9a:af:
+ be:2c:9d:5e:75:2c:49:d6:37:2b:06:1f:cc:63:97:
+ 7e:ee:2c:5f:67:af:4d:62:3e:7a:1f:0c:e1:1e:02:
+ f2:d2:06:75:ae:3f:11:bc:8e:0f:13:64:38:14:36:
+ 1d:5d:02:ec:af:65:d5:b9:68:f4:22:66:2b:ef:47:
+ 5b:ad:3b:f2:af:b6:71:0c:94:56:8a:7c:01:36:f0:
+ 3a:3f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 8A:94:17:F9:53:F2:5B:94:54:56:DF:76:51:13:29:F6:71:19:A8:B3
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/LIR1/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/RIR.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64533
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 192.0.2.1-192.0.2.33
+ 192.0.2.44-192.0.2.100
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 1e:aa:13:82:d7:ac:b4:cf:87:8f:61:5e:f4:b5:0a:2c:36:5f:
+ 6c:ae:a2:65:46:06:b2:f7:86:f5:81:a7:15:51:87:a8:f1:9d:
+ b8:37:e8:5a:27:9a:27:a6:c4:fc:eb:64:03:b1:b9:ee:93:e4:
+ 6f:b6:b8:d7:40:47:20:91:a2:ba:50:f0:c4:98:a6:96:14:3f:
+ 79:1a:8c:de:3e:b2:57:6a:7a:83:22:9d:8c:05:4e:22:46:4a:
+ de:98:7f:9d:78:9e:e4:43:10:8c:29:4f:9f:d0:51:a4:70:e4:
+ ed:ef:b6:72:99:08:8c:5d:c3:4e:60:82:66:05:ae:a0:b8:31:
+ 4f:77:33:c9:57:9a:7d:bc:d2:8c:1f:60:10:58:8d:db:0a:c0:
+ 96:f4:29:a7:e1:54:d5:fa:a7:50:93:fa:18:3d:e3:98:14:c4:
+ 9d:d5:61:af:31:79:f6:af:eb:07:ae:ce:58:e6:62:ed:a0:2a:
+ c3:4a:93:8b:03:06:6a:e8:2a:ef:c9:82:c7:ae:49:25:65:94:
+ 85:e6:94:d6:6f:71:17:c7:e6:ab:50:60:a3:c8:7e:e6:51:05:
+ de:e8:bf:d5:9d:90:9d:b6:a7:eb:97:4d:47:99:b0:d9:de:ae:
+ d9:de:fb:36:3c:c2:7b:f5:25:ed:72:1a:c4:6b:eb:7c:ad:37:
+ 34:04:c5:cb
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/1F.pem b/rpkid/resource-cert-samples/RIR/1F.pem
new file mode 100644
index 00000000..9dd25967
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/1F.pem
@@ -0,0 +1,76 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 31 (0x1f)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Aug 10 01:13:39 2007 GMT
+ Not After : Aug 9 01:13:39 2008 GMT
+ Subject: CN=TEST ENTITY RIR
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:ac:a7:26:c4:98:68:99:b6:f2:e7:c5:97:05:7e:
+ f9:d7:f2:ec:39:e6:2b:8e:c2:42:88:b9:8f:22:b6:
+ 3c:59:b0:0e:8a:1d:0e:f8:81:b1:c8:ff:4a:8a:1a:
+ 43:bc:78:91:3e:af:b2:b0:95:60:a9:3e:9d:c2:ff:
+ 99:8f:8f:b6:dc:d8:46:b7:86:35:a6:f6:42:05:c2:
+ c5:9b:84:15:e2:58:0f:70:9c:bc:53:d7:28:76:f8:
+ f2:14:79:22:bd:d6:8b:6c:0e:2b:02:e5:d8:f3:33:
+ fa:16:43:9b:80:87:f9:b2:45:ab:bd:7d:14:b2:24:
+ 2f:41:13:6f:45:c4:dc:f9:4d:7f:d8:d3:e1:aa:5c:
+ 52:9d:c9:7a:38:b7:b0:43:bd:b7:6a:37:43:ec:e7:
+ 34:c4:3b:4c:ca:cc:7b:1f:91:ef:ab:d4:35:76:42:
+ 82:d4:f5:79:e0:12:3c:24:92:2e:dc:a2:5c:83:f0:
+ 71:8a:26:96:30:d4:b8:96:4d:00:2c:1a:f0:0f:79:
+ 52:c7:27:73:54:77:c1:86:f9:86:61:ce:e0:69:a7:
+ a8:3d:77:39:e7:24:ee:41:8d:52:19:3b:57:8c:84:
+ cc:9a:d5:05:7c:e6:83:2c:e3:13:6d:66:1b:87:20:
+ 82:47:e1:05:26:f0:3b:29:69:6d:bc:af:48:91:c4:
+ 40:f1
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/RIR/
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 4f:b2:00:11:14:e9:a9:dc:f3:20:a2:78:94:b7:c5:dd:0c:ff:
+ fc:e1:68:13:24:a6:e1:f5:32:47:b2:3a:d4:4c:90:e2:cd:64:
+ ef:6d:7d:5c:35:01:96:8f:68:69:dd:be:ff:fa:a2:33:a4:23:
+ 28:e5:8d:2e:f6:05:fd:54:85:84:86:2f:01:ba:71:cd:b0:ea:
+ d5:ab:06:8a:55:15:1e:1e:55:e5:c2:f5:93:0d:43:fc:c8:2d:
+ f6:d7:57:8b:d9:71:9a:e6:8b:5a:ce:ea:5d:3c:e8:ae:66:7d:
+ 69:3f:6d:1e:bd:5d:f4:7b:69:90:bb:72:4a:f3:7c:8e:08:33:
+ 75:c9:48:53:20:16:ca:02:71:0f:6d:e7:bd:14:73:60:42:69:
+ 8f:2e:b9:f5:fb:39:e5:5d:51:94:7b:3f:d3:6d:25:64:f8:0c:
+ 68:e6:cd:d5:e1:10:da:d5:24:00:b0:3c:97:b1:69:e5:67:0b:
+ 05:1b:46:86:d1:d7:2f:17:0e:17:98:bb:54:9f:4e:60:40:0f:
+ 7a:77:9e:f0:33:d4:0a:8e:56:f9:57:30:a0:cf:b1:86:41:35:
+ dd:d3:f3:b3:35:56:4b:e1:83:ba:a0:9d:40:8d:d0:70:dc:ff:
+ 60:9d:73:15:84:c5:8a:20:2b:28:02:16:5a:dd:b0:19:ee:cb:
+ bd:ea:1f:9b
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
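Review bot: This re-issue of the RIR certificate drops extensions that 17.pem and 1B.pem carry for the same modulus: there is no Subject Key Identifier and no `sbgp-autonomousSysNum` / `sbgp-ipAddrBlock`, so it asserts no resources at all. 20.pem and 21.pem (LIR3, LIR2) look the same as far as they are visible, and they also lose the Authority Information Access pointer to `RIR.cer`. Nothing on the page says whether this batch is a deliberate negative case or a superseded run. If it is deliberate, state it next to the files, e.g. `1F-21: issued without RFC 3779 extensions, expected to be rejected by resource validation`; if not, leave the batch out so a test cannot pick these up as valid samples.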
diff --git a/rpkid/resource-cert-samples/RIR/20.pem b/rpkid/resource-cert-samples/RIR/20.pem
new file mode 100644
index 00000000..fe5d4fc2
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/20.pem
@@ -0,0 +1,76 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 32 (0x20)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Aug 10 01:13:39 2007 GMT
+ Not After : Aug 9 01:13:39 2008 GMT
+ Subject: CN=TEST ENTITY LIR3
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:a3:21:57:61:64:af:11:18:d4:cb:de:a6:dc:ad:
+ d9:2c:0f:0f:58:9f:7e:c8:85:55:11:26:4c:7c:f0:
+ 6b:68:1a:9e:6a:0c:8f:e6:dc:3d:83:58:2a:cc:77:
+ ac:19:73:6f:5a:f3:6e:24:ac:cd:1a:dc:1d:0b:4c:
+ 44:f5:6d:8b:0a:17:3d:86:f9:e8:fe:e6:60:e5:9f:
+ 40:6a:e5:94:e8:9a:56:17:17:1c:ab:c1:8c:37:40:
+ 2b:55:bf:2c:5e:dc:8d:ca:25:7f:8a:5f:ee:fb:16:
+ 86:eb:e0:08:d3:26:e5:e3:70:c5:0c:6b:fb:1b:8f:
+ 6b:5c:f6:e2:4a:58:a5:35:01:ea:05:1b:3e:ce:84:
+ be:b5:3f:6d:18:16:4b:68:e5:79:4c:88:7d:b6:a5:
+ 65:a3:3a:c2:32:dc:ad:8f:8a:05:ee:f6:e9:7a:80:
+ da:12:a9:0f:5a:b5:d2:d3:31:ac:3e:d3:19:25:2d:
+ 28:de:79:6c:ce:fd:77:66:d5:e3:2f:a9:cb:f9:85:
+ 8c:20:bb:a2:86:23:f0:93:95:20:04:78:c7:c7:07:
+ a6:fe:f0:f4:45:bb:cf:78:2b:dd:ce:9c:08:a5:46:
+ 68:10:4c:d7:05:62:6c:86:5a:2d:7f:06:38:c2:4d:
+ bb:44:87:00:43:79:d2:8f:f3:6b:b2:f4:5c:1c:b9:
+ 68:01
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/LIR3/
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 21:11:08:a5:7c:20:fa:f3:da:ce:31:cd:f4:f4:e2:dc:46:9c:
+ 7c:3f:b0:02:04:9c:f8:2e:63:c9:d6:2d:8c:01:44:ea:99:5e:
+ 50:e2:33:f0:20:0b:df:3d:a5:59:2d:16:d7:e7:8f:3b:f0:84:
+ 57:d0:23:a3:52:7c:27:34:af:62:b3:97:aa:c4:21:93:8d:34:
+ 8d:56:9b:8e:b5:b7:da:24:46:e8:2f:e7:b5:f3:92:2b:46:21:
+ b2:b2:1f:7a:c2:be:f4:af:5d:1b:18:bb:39:3c:ee:e3:18:25:
+ 22:b4:fd:72:0c:4c:5a:e2:99:75:28:9b:9c:81:a1:da:64:83:
+ cf:26:22:99:d8:77:b4:6a:80:84:5d:cc:cb:62:5c:f5:00:dc:
+ 72:14:33:20:90:06:20:01:ed:3a:08:28:a4:7c:e4:51:00:33:
+ 8b:09:8a:bc:8a:fa:f0:81:a9:ae:69:a6:e6:df:4c:4d:08:47:
+ cf:46:6f:03:eb:7e:85:86:34:9a:0d:18:51:24:39:cf:47:23:
+ 25:b3:6e:27:3f:f9:59:7e:da:e0:bf:08:e5:8f:55:f0:cf:e4:
+ c5:c1:f4:a9:91:ae:09:3e:41:1b:f0:76:2d:0f:a8:4d:05:8d:
+ 3c:3e:81:81:ec:6c:62:2d:3a:63:81:12:b2:36:23:ed:25:8c:
+ b5:f4:3d:e1
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/21.pem b/rpkid/resource-cert-samples/RIR/21.pem
new file mode 100644
index 00000000..0465b7a4
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/21.pem
@@ -0,0 +1,76 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 33 (0x21)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Aug 10 01:13:39 2007 GMT
+ Not After : Aug 9 01:13:39 2008 GMT
+ Subject: CN=TEST ENTITY LIR2
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:f1:18:b6:79:0b:35:c5:83:64:48:83:31:03:9e:
+ e7:72:28:65:b1:ac:61:e1:77:2e:c0:4d:f0:b1:1c:
+ 61:d8:cc:5a:2d:c7:0b:9b:78:7a:3e:fd:37:ad:fa:
+ b0:73:0b:9c:fc:bb:6f:60:ea:38:ef:ae:d1:27:b8:
+ 81:59:0f:b3:e7:d0:67:b2:a2:f5:4f:e2:04:c6:cc:
+ 13:9f:33:28:35:96:7a:db:ce:ac:9d:d3:64:3d:b8:
+ 44:bc:cb:43:22:92:d6:3c:2e:bf:97:6e:39:6a:6e:
+ 68:93:5d:1c:a8:58:b7:a3:7a:26:44:fe:fe:30:ad:
+ e2:05:89:4c:c9:ef:2c:e0:4e:31:69:3f:dd:91:1c:
+ f0:b0:25:4c:3e:84:8a:ea:5e:03:b3:a8:cd:90:1a:
+ 1e:c8:e0:af:fe:11:ed:21:06:bd:3c:5e:08:a1:93:
+ e2:41:43:43:38:d3:21:b3:4c:fa:85:8b:43:57:60:
+ 5d:bb:a0:78:e5:33:47:a8:33:76:be:df:6e:63:61:
+ e3:31:8b:5d:8e:0c:c7:f5:c8:91:0c:be:57:c7:f2:
+ bc:be:0b:ba:7a:1f:f6:19:f1:eb:00:74:c1:12:c2:
+ dc:2b:2e:8d:f0:0a:ff:7f:e8:60:08:90:ba:51:fc:
+ d0:90:11:37:f3:9e:44:b6:64:43:69:5d:61:d3:e1:
+ 8d:77
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/LIR2/
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 69:44:b7:68:fa:e8:4a:16:7e:93:63:18:39:f4:3b:12:19:62:
+ 6b:9a:b8:2e:cf:b4:26:a7:fc:e1:01:9a:c9:33:00:34:47:76:
+ 24:1d:c3:09:65:fb:d4:68:31:47:ca:e8:07:20:6f:af:fe:ad:
+ 28:19:d5:12:31:d7:dd:60:3f:35:6d:fd:02:7a:a6:99:42:d5:
+ f4:c7:42:34:8f:53:20:a2:fb:8c:f6:87:97:c9:81:95:09:02:
+ a5:60:ad:0c:2d:01:15:8a:92:16:34:d6:5b:2e:ac:95:4f:93:
+ 04:27:ac:47:d8:f4:48:53:36:bc:2a:77:4b:16:f9:21:be:a4:
+ 85:65:62:9d:75:68:dd:95:fb:0f:74:2d:e0:be:4a:8b:86:88:
+ 03:fa:e4:58:a9:46:51:26:b4:d7:5c:a8:cf:6a:29:86:be:68:
+ 66:46:e0:92:b2:18:9a:14:e9:c0:02:51:68:31:9c:17:75:ac:
+ 86:b1:e1:41:d7:22:4d:9c:ef:55:4d:2a:85:0b:62:e6:b2:5c:
+ 04:8e:09:21:0a:a7:f6:cd:1e:f3:00:20:71:01:55:cf:7d:a0:
+ 03:85:82:49:7e:7a:e0:ba:a8:c8:e7:43:a7:29:08:f7:b6:ad:
+ fe:f7:4a:69:a5:03:47:87:c5:87:bd:f1:86:6e:ea:5b:34:51:
+ fe:00:a9:a7
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/22.pem b/rpkid/resource-cert-samples/RIR/22.pem
new file mode 100644
index 00000000..f46564dd
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/22.pem
@@ -0,0 +1,76 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 34 (0x22)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Aug 10 01:13:39 2007 GMT
+ Not After : Aug 9 01:13:39 2008 GMT
+ Subject: CN=TEST ENTITY LIR1
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:af:5d:1c:f9:d9:bb:d5:01:e1:5b:36:cc:51:f6:
+ fd:86:57:60:aa:9e:c7:ec:4e:05:af:fb:51:5c:7a:
+ c2:58:c4:a8:57:ae:14:62:e9:bc:b6:72:7d:cf:49:
+ c8:4a:40:82:4a:f4:3e:30:b5:94:25:9e:6c:78:81:
+ 57:43:d6:85:02:8d:d1:9c:b5:d7:34:2f:e2:a9:7d:
+ 18:27:b5:47:9a:42:16:c8:90:7f:96:2c:dd:b8:98:
+ 17:1f:77:62:4a:08:00:2d:e0:73:0c:39:37:ba:0f:
+ a7:59:59:4c:7c:cd:e2:5c:d7:98:36:10:6c:88:3e:
+ 45:99:a6:88:2f:f6:7f:31:49:ba:42:2b:13:79:c2:
+ b2:f1:09:d9:ad:37:a4:41:b6:6d:46:a1:18:05:a0:
+ 53:07:8e:e0:98:b2:d1:fd:67:68:77:64:d5:f3:fe:
+ 1d:22:36:9e:26:5a:1a:aa:18:94:c3:2c:7e:9a:af:
+ be:2c:9d:5e:75:2c:49:d6:37:2b:06:1f:cc:63:97:
+ 7e:ee:2c:5f:67:af:4d:62:3e:7a:1f:0c:e1:1e:02:
+ f2:d2:06:75:ae:3f:11:bc:8e:0f:13:64:38:14:36:
+ 1d:5d:02:ec:af:65:d5:b9:68:f4:22:66:2b:ef:47:
+ 5b:ad:3b:f2:af:b6:71:0c:94:56:8a:7c:01:36:f0:
+ 3a:3f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/LIR1/
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 64:a2:b2:a2:9e:50:69:0e:9f:15:f1:85:10:e8:5e:bf:22:c0:
+ 2e:4c:58:1c:43:c8:ba:7d:3d:67:8c:a6:94:99:b0:fc:ec:2c:
+ e2:0c:69:a7:d6:9e:35:b7:06:bd:d0:30:9a:ba:c9:1c:49:96:
+ ee:06:68:45:e3:ed:48:4d:7a:c0:68:4f:57:52:e6:e7:f1:1c:
+ 14:58:d5:a2:da:d0:19:c5:e9:c4:63:4f:bc:3b:10:8b:2e:fe:
+ b7:95:8a:f4:7e:00:ac:f8:5b:dc:4e:70:81:d7:9e:d8:4b:e8:
+ 89:03:05:3e:11:dc:8f:7a:45:a3:14:78:5f:9d:dc:fe:7f:fd:
+ 4a:b0:bb:33:e0:7c:46:f4:e3:df:f7:2b:9e:64:44:ba:39:b0:
+ d4:72:a3:cf:35:55:ae:04:29:ed:d8:23:22:b0:a3:16:d2:5d:
+ 69:b9:c6:5a:e5:53:42:71:2b:5e:37:e1:1e:26:42:ce:29:23:
+ 64:2e:51:fd:a9:e4:9b:20:65:b1:f1:c2:ce:14:56:10:68:2f:
+ fc:f3:eb:55:6d:d7:a0:0e:1a:0c:52:4a:81:47:e6:34:1f:9e:
+ 3a:c5:38:2e:e6:f2:43:bf:f8:e3:cb:cd:44:83:4f:7c:fb:69:
+ a9:41:96:d6:50:22:b7:3c:06:e0:09:ff:34:cb:41:f6:17:97:
+ 86:7d:f0:c5
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/23.pem b/rpkid/resource-cert-samples/RIR/23.pem
new file mode 100644
index 00000000..62954cf1
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/23.pem
@@ -0,0 +1,100 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 35 (0x23)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Aug 10 01:15:09 2007 GMT
+ Not After : Aug 9 01:15:09 2008 GMT
+ Subject: CN=TEST ENTITY RIR
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:ac:a7:26:c4:98:68:99:b6:f2:e7:c5:97:05:7e:
+ f9:d7:f2:ec:39:e6:2b:8e:c2:42:88:b9:8f:22:b6:
+ 3c:59:b0:0e:8a:1d:0e:f8:81:b1:c8:ff:4a:8a:1a:
+ 43:bc:78:91:3e:af:b2:b0:95:60:a9:3e:9d:c2:ff:
+ 99:8f:8f:b6:dc:d8:46:b7:86:35:a6:f6:42:05:c2:
+ c5:9b:84:15:e2:58:0f:70:9c:bc:53:d7:28:76:f8:
+ f2:14:79:22:bd:d6:8b:6c:0e:2b:02:e5:d8:f3:33:
+ fa:16:43:9b:80:87:f9:b2:45:ab:bd:7d:14:b2:24:
+ 2f:41:13:6f:45:c4:dc:f9:4d:7f:d8:d3:e1:aa:5c:
+ 52:9d:c9:7a:38:b7:b0:43:bd:b7:6a:37:43:ec:e7:
+ 34:c4:3b:4c:ca:cc:7b:1f:91:ef:ab:d4:35:76:42:
+ 82:d4:f5:79:e0:12:3c:24:92:2e:dc:a2:5c:83:f0:
+ 71:8a:26:96:30:d4:b8:96:4d:00:2c:1a:f0:0f:79:
+ 52:c7:27:73:54:77:c1:86:f9:86:61:ce:e0:69:a7:
+ a8:3d:77:39:e7:24:ee:41:8d:52:19:3b:57:8c:84:
+ cc:9a:d5:05:7c:e6:83:2c:e3:13:6d:66:1b:87:20:
+ 82:47:e1:05:26:f0:3b:29:69:6d:bc:af:48:91:c4:
+ 40:f1
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ FB:B8:A7:A3:36:48:0A:A0:9F:F0:2E:DC:8B:68:BC:B3:5C:45:25:D7
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/RIR/
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64533-64540
+ 64544
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 10.0.0.0/24
+ 10.3.0.0/24
+ 192.0.2.1-192.0.2.33
+ 192.0.2.44-192.0.2.100
+ IPv6:
+ 2001:db8:0:0:0:0:0:44-2001:db8:0:0:0:0:0:100
+ 2001:db8:0:0:0:0:a00::/120
+ 2001:db8:0:0:0:0:a03::/120
+ 2001:db8:0:0:0:10:0:44/128
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 6b:3e:b4:ef:05:b1:6c:d0:7f:e1:86:49:86:64:44:10:16:65:
+ d2:ae:52:cf:da:08:79:bd:08:a2:fc:3b:90:bf:ec:6a:a3:cc:
+ 78:51:cf:f9:c7:9a:65:5e:a9:11:b3:db:76:0a:2d:14:96:c5:
+ d0:21:22:f1:64:b3:2c:ea:2e:20:f1:52:32:8d:c9:9a:3c:eb:
+ d1:82:53:e9:57:c9:01:ed:4f:c7:0f:b5:1f:a7:8f:1a:9d:9b:
+ 42:b2:c8:fa:c0:e9:24:7c:ea:b3:26:55:54:6c:fb:fc:36:3d:
+ 42:84:e1:b1:40:62:d9:d8:59:fd:02:9d:c9:eb:69:54:47:1a:
+ d6:b8:0a:ee:27:0c:59:ea:a4:e7:73:a8:cd:47:14:e0:2e:68:
+ f3:46:79:a9:7c:d6:07:8c:06:26:d1:66:7a:a5:e8:56:f8:5e:
+ f8:37:49:0a:f1:52:5c:78:c0:92:90:81:05:a5:4a:a7:60:0f:
+ 4b:d3:62:14:70:be:5f:90:5b:54:9f:79:d9:a8:c9:50:bc:ab:
+ ed:17:e6:a2:e0:25:b8:74:56:8c:12:66:19:41:fc:ed:eb:37:
+ 21:e5:3f:56:d0:d5:ee:f2:e6:d4:53:4e:ae:78:d4:50:fd:dd:
+ 03:6a:e3:29:72:5a:40:d5:3c:90:8e:d2:77:d2:28:9e:cb:77:
+ 85:8c:c3:e1
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/24.pem b/rpkid/resource-cert-samples/RIR/24.pem
new file mode 100644
index 00000000..419b192d
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/24.pem
@@ -0,0 +1,98 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 36 (0x24)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Aug 10 01:15:10 2007 GMT
+ Not After : Aug 9 01:15:10 2008 GMT
+ Subject: CN=TEST ENTITY LIR3
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:a3:21:57:61:64:af:11:18:d4:cb:de:a6:dc:ad:
+ d9:2c:0f:0f:58:9f:7e:c8:85:55:11:26:4c:7c:f0:
+ 6b:68:1a:9e:6a:0c:8f:e6:dc:3d:83:58:2a:cc:77:
+ ac:19:73:6f:5a:f3:6e:24:ac:cd:1a:dc:1d:0b:4c:
+ 44:f5:6d:8b:0a:17:3d:86:f9:e8:fe:e6:60:e5:9f:
+ 40:6a:e5:94:e8:9a:56:17:17:1c:ab:c1:8c:37:40:
+ 2b:55:bf:2c:5e:dc:8d:ca:25:7f:8a:5f:ee:fb:16:
+ 86:eb:e0:08:d3:26:e5:e3:70:c5:0c:6b:fb:1b:8f:
+ 6b:5c:f6:e2:4a:58:a5:35:01:ea:05:1b:3e:ce:84:
+ be:b5:3f:6d:18:16:4b:68:e5:79:4c:88:7d:b6:a5:
+ 65:a3:3a:c2:32:dc:ad:8f:8a:05:ee:f6:e9:7a:80:
+ da:12:a9:0f:5a:b5:d2:d3:31:ac:3e:d3:19:25:2d:
+ 28:de:79:6c:ce:fd:77:66:d5:e3:2f:a9:cb:f9:85:
+ 8c:20:bb:a2:86:23:f0:93:95:20:04:78:c7:c7:07:
+ a6:fe:f0:f4:45:bb:cf:78:2b:dd:ce:9c:08:a5:46:
+ 68:10:4c:d7:05:62:6c:86:5a:2d:7f:06:38:c2:4d:
+ bb:44:87:00:43:79:d2:8f:f3:6b:b2:f4:5c:1c:b9:
+ 68:01
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 98:BE:04:FF:80:D1:AB:95:39:AA:3D:F2:0E:67:7D:00:AD:A3:FD:C5
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/LIR3/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/RIR.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64534-64540
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 10.0.0.0/24
+ 10.3.0.0/24
+ IPv6:
+ 2001:db8:0:0:0:0:a00::/120
+ 2001:db8:0:0:0:0:a03::/120
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 2a:bc:5b:b8:bc:0a:4f:52:b5:d5:01:bd:97:c3:79:df:8f:fd:
+ 7b:d7:0f:fd:fc:0c:8c:3f:69:b0:24:c0:b0:65:63:bf:ca:62:
+ 41:29:04:0a:52:73:b3:e1:c8:18:89:77:ba:b8:7c:6a:b7:19:
+ d7:b7:93:fa:dc:62:78:f9:bd:67:45:be:cd:97:bc:b7:f0:47:
+ 95:9b:97:92:70:ae:9c:58:04:49:d7:fa:af:2e:9e:d1:57:22:
+ 5b:10:c3:38:68:94:bf:0f:a8:a6:f4:1f:06:59:49:57:30:11:
+ 77:66:2a:f4:64:65:13:40:6b:e4:a9:6b:4d:75:4a:11:53:ab:
+ 28:44:67:b5:be:45:48:47:bf:67:61:4f:83:63:bf:33:3a:68:
+ 88:4e:0e:3a:60:79:86:52:65:a0:43:c6:0a:b8:ce:bc:37:eb:
+ 3c:7e:ed:11:f7:e6:42:c0:64:52:70:b3:5c:4c:dc:ed:49:96:
+ 64:2d:a6:19:27:87:11:ed:2d:10:96:c1:7f:ae:2d:a7:98:31:
+ 70:9b:35:1d:87:b9:ec:33:0a:f3:c3:d4:47:b6:7b:ff:7a:9f:
+ 04:a8:b6:bd:9d:10:12:e1:24:5a:44:5c:5b:68:c4:9a:09:64:
+ 27:21:aa:f1:d4:05:42:37:41:4f:8d:f9:0a:e2:c6:3b:94:76:
+ d9:d7:97:66
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/25.pem b/rpkid/resource-cert-samples/RIR/25.pem
new file mode 100644
index 00000000..06ca26ad
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/25.pem
@@ -0,0 +1,95 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 37 (0x25)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Aug 10 01:15:10 2007 GMT
+ Not After : Aug 9 01:15:10 2008 GMT
+ Subject: CN=TEST ENTITY LIR2
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:f1:18:b6:79:0b:35:c5:83:64:48:83:31:03:9e:
+ e7:72:28:65:b1:ac:61:e1:77:2e:c0:4d:f0:b1:1c:
+ 61:d8:cc:5a:2d:c7:0b:9b:78:7a:3e:fd:37:ad:fa:
+ b0:73:0b:9c:fc:bb:6f:60:ea:38:ef:ae:d1:27:b8:
+ 81:59:0f:b3:e7:d0:67:b2:a2:f5:4f:e2:04:c6:cc:
+ 13:9f:33:28:35:96:7a:db:ce:ac:9d:d3:64:3d:b8:
+ 44:bc:cb:43:22:92:d6:3c:2e:bf:97:6e:39:6a:6e:
+ 68:93:5d:1c:a8:58:b7:a3:7a:26:44:fe:fe:30:ad:
+ e2:05:89:4c:c9:ef:2c:e0:4e:31:69:3f:dd:91:1c:
+ f0:b0:25:4c:3e:84:8a:ea:5e:03:b3:a8:cd:90:1a:
+ 1e:c8:e0:af:fe:11:ed:21:06:bd:3c:5e:08:a1:93:
+ e2:41:43:43:38:d3:21:b3:4c:fa:85:8b:43:57:60:
+ 5d:bb:a0:78:e5:33:47:a8:33:76:be:df:6e:63:61:
+ e3:31:8b:5d:8e:0c:c7:f5:c8:91:0c:be:57:c7:f2:
+ bc:be:0b:ba:7a:1f:f6:19:f1:eb:00:74:c1:12:c2:
+ dc:2b:2e:8d:f0:0a:ff:7f:e8:60:08:90:ba:51:fc:
+ d0:90:11:37:f3:9e:44:b6:64:43:69:5d:61:d3:e1:
+ 8d:77
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 03:7A:DF:0C:DF:DC:93:3D:F7:A5:CC:27:7B:DC:22:F6:E9:55:97:F0
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/LIR2/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/RIR.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64544
+
+ sbgp-ipAddrBlock: critical
+ IPv6:
+ 2001:db8:0:0:0:0:0:44-2001:db8:0:0:0:0:0:100
+ 2001:db8:0:0:0:10:0:44/128
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 13:0b:5a:02:21:8a:26:5a:fd:8a:66:9c:ff:7c:61:aa:43:72:
+ d0:ac:b7:9f:91:85:a9:3d:97:2b:4c:cb:5b:c1:69:0d:d2:32:
+ 28:2b:5e:e6:fe:2b:71:1f:62:72:b0:ea:fd:5b:86:b0:86:09:
+ e8:a1:53:86:5a:7c:58:3d:b1:74:6d:9a:40:08:b6:33:46:7d:
+ 03:43:13:03:d3:c3:13:8c:71:92:5d:c0:76:bb:e0:08:95:4b:
+ ca:ac:0a:c5:3d:d2:50:f5:96:8a:db:c2:ea:d0:f7:a2:00:fa:
+ 10:19:44:1e:5b:93:30:ff:0f:e9:af:81:a2:6d:c4:46:d7:af:
+ e9:a7:42:7c:ba:db:9f:b9:46:3d:f5:b2:19:81:2c:a7:c6:56:
+ d1:37:3e:50:f1:93:0a:8a:0a:81:42:c6:f1:7f:e0:63:fa:a1:
+ 7b:74:c6:ea:be:d7:37:5c:df:c1:8f:46:81:d8:a2:ce:d9:ee:
+ d9:03:71:8c:cb:1c:69:2a:29:8e:09:58:de:09:7b:93:ab:7b:
+ b6:56:a0:22:1c:31:e9:4d:13:19:ae:ab:f5:fa:19:5a:ad:54:
+ 46:d1:6b:b3:48:7c:ac:41:75:9b:87:10:bd:ab:fa:df:37:a8:
+ 29:37:65:8b:f4:90:81:85:0f:e8:e4:6e:df:84:ab:4f:99:ae:
+ 67:b9:8c:db
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/26.pem b/rpkid/resource-cert-samples/RIR/26.pem
new file mode 100644
index 00000000..77486c96
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/26.pem
@@ -0,0 +1,94 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 38 (0x26)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Aug 10 01:15:10 2007 GMT
+ Not After : Aug 9 01:15:10 2008 GMT
+ Subject: CN=TEST ENTITY LIR1
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:af:5d:1c:f9:d9:bb:d5:01:e1:5b:36:cc:51:f6:
+ fd:86:57:60:aa:9e:c7:ec:4e:05:af:fb:51:5c:7a:
+ c2:58:c4:a8:57:ae:14:62:e9:bc:b6:72:7d:cf:49:
+ c8:4a:40:82:4a:f4:3e:30:b5:94:25:9e:6c:78:81:
+ 57:43:d6:85:02:8d:d1:9c:b5:d7:34:2f:e2:a9:7d:
+ 18:27:b5:47:9a:42:16:c8:90:7f:96:2c:dd:b8:98:
+ 17:1f:77:62:4a:08:00:2d:e0:73:0c:39:37:ba:0f:
+ a7:59:59:4c:7c:cd:e2:5c:d7:98:36:10:6c:88:3e:
+ 45:99:a6:88:2f:f6:7f:31:49:ba:42:2b:13:79:c2:
+ b2:f1:09:d9:ad:37:a4:41:b6:6d:46:a1:18:05:a0:
+ 53:07:8e:e0:98:b2:d1:fd:67:68:77:64:d5:f3:fe:
+ 1d:22:36:9e:26:5a:1a:aa:18:94:c3:2c:7e:9a:af:
+ be:2c:9d:5e:75:2c:49:d6:37:2b:06:1f:cc:63:97:
+ 7e:ee:2c:5f:67:af:4d:62:3e:7a:1f:0c:e1:1e:02:
+ f2:d2:06:75:ae:3f:11:bc:8e:0f:13:64:38:14:36:
+ 1d:5d:02:ec:af:65:d5:b9:68:f4:22:66:2b:ef:47:
+ 5b:ad:3b:f2:af:b6:71:0c:94:56:8a:7c:01:36:f0:
+ 3a:3f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 8A:94:17:F9:53:F2:5B:94:54:56:DF:76:51:13:29:F6:71:19:A8:B3
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/LIR1/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/RIR.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64533
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 192.0.2.1-192.0.2.33
+ 192.0.2.44-192.0.2.100
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 5d:4b:e6:c3:ad:38:f8:49:32:34:7c:6a:06:ed:d0:7a:cf:9a:
+ c8:a9:22:e5:46:93:37:f1:ec:4d:cd:26:43:f6:e8:ea:7a:5c:
+ 08:2a:7d:e3:37:e4:98:45:16:d2:a8:0b:eb:df:d4:a0:91:04:
+ 35:40:a8:c7:a5:c9:db:86:03:e3:e0:c4:17:6a:27:49:e6:4b:
+ 63:68:84:0c:57:5a:ac:43:79:4e:05:41:05:e5:fc:89:f7:f4:
+ 03:95:7c:b2:9e:d8:aa:a4:b5:35:26:58:96:e0:f6:70:08:f2:
+ de:5c:f5:0a:c9:6a:21:3a:e6:c7:19:af:e3:d9:b1:50:e2:bf:
+ db:28:df:3c:ae:e3:29:8f:22:b6:7a:a9:f6:f4:f3:7f:48:92:
+ da:f4:f5:19:4d:50:63:e0:87:f6:9e:fc:8f:5e:3a:d0:81:3b:
+ 8d:8a:7a:8a:0c:e9:24:a3:83:16:ca:24:4e:ef:80:7a:61:1e:
+ 96:ee:5f:8d:07:68:e5:c2:13:44:30:60:02:71:9b:ef:5b:df:
+ cc:a6:62:60:95:38:41:ff:93:e9:9f:c7:b8:60:34:93:db:55:
+ 2b:e7:27:91:d9:06:56:8e:a4:38:28:ae:dc:02:b4:fd:33:d0:
+ 17:4a:29:0f:86:19:ed:48:dc:5a:b4:e4:7a:8d:de:bc:10:c1:
+ 14:d5:b2:59
+-----BEGIN CERTIFICATE-----
+MIID1TCCAr2gAwIBAgIBJjANBgkqhkiG9w0BAQsFADAaMRgwFgYDVQQDEw9URVNU
+IEVOVElUWSBSSVIwHhcNMDcwODEwMDExNTEwWhcNMDgwODA5MDExNTEwWjAbMRkw
+FwYDVQQDExBURVNUIEVOVElUWSBMSVIxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAr10c+dm71QHhWzbMUfb9hldgqp7H7E4Fr/tRXHrCWMSoV64UYum8
+tnJ9z0nISkCCSvQ+MLWUJZ5seIFXQ9aFAo3RnLXXNC/iqX0YJ7VHmkIWyJB/lizd
+uJgXH3diSggALeBzDDk3ug+nWVlMfM3iXNeYNhBsiD5FmaaIL/Z/MUm6QisTecKy
+8QnZrTekQbZtRqEYBaBTB47gmLLR/Wdod2TV8/4dIjaeJloaqhiUwyx+mq++LJ1e
+dSxJ1jcrBh/MY5d+7ixfZ69NYj56HwzhHgLy0gZ1rj8RvI4PE2Q4FDYdXQLsr2XV
+uWj0ImYr70dbrTvyr7ZxDJRWinwBNvA6PwIDAQABo4IBIzCCAR8wDwYDVR0TAQH/
+BAUwAwEB/zAdBgNVHQ4EFgQUipQX+VPyW5RUVt92URMp9nEZqLMwDgYDVR0PAQH/
+BAQDAgEGMEEGCCsGAQUFBwELBDUwMzAxBggrBgEFBQcwBYYlcnN5bmM6Ly93b21i
+YXRzLXItdXMuaGFjdHJuLm5ldC9MSVIxLzBDBggrBgEFBQcBAQQ3MDUwMwYIKwYB
+BQUHMAKGJ3JzeW5jOi8vd29tYmF0cy1yLXVzLmhhY3Rybi5uZXQvUklSLmNlcjAa
+BggrBgEFBQcBCAEB/wQLMAmgBzAFAgMA/BUwOQYIKwYBBQUHAQcBAf8EKjAoMCYE
+AgABMCAwDgMFAMAAAgEDBQHAAAIgMA4DBQLAAAIsAwUAwAACZDANBgkqhkiG9w0B
+AQsFAAOCAQEAXUvmw604+EkyNHxqBu3Qes+ayKki5UaTN/HsTc0mQ/bo6npcCCp9
+4zfkmEUW0qgL69/UoJEENUCox6XJ24YD4+DEF2onSeZLY2iEDFdarEN5TgVBBeX8
+iff0A5V8sp7YqqS1NSZYluD2cAjy3lz1CslqITrmxxmv49mxUOK/2yjfPK7jKY8i
+tnqp9vTzf0iS2vT1GU1QY+CH9p78j1460IE7jYp6igzpJKODFsokTu+AemEelu5f
+jQdo5cITRDBgAnGb71vfzKZiYJU4Qf+T6Z/HuGA0k9tVK+cnkdkGVo6kOCiu3AK0
+/TPQF0opD4YZ7UjcWrTkeo3evBDBFNWyWQ==
+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/27.pem b/rpkid/resource-cert-samples/RIR/27.pem
new file mode 100644
index 00000000..899f8afe
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/27.pem
@@ -0,0 +1,100 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 39 (0x27)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Oct 19 19:06:07 2007 GMT
+ Not After : Oct 18 19:06:07 2008 GMT
+ Subject: CN=TEST ENTITY RIR
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:ac:a7:26:c4:98:68:99:b6:f2:e7:c5:97:05:7e:
+ f9:d7:f2:ec:39:e6:2b:8e:c2:42:88:b9:8f:22:b6:
+ 3c:59:b0:0e:8a:1d:0e:f8:81:b1:c8:ff:4a:8a:1a:
+ 43:bc:78:91:3e:af:b2:b0:95:60:a9:3e:9d:c2:ff:
+ 99:8f:8f:b6:dc:d8:46:b7:86:35:a6:f6:42:05:c2:
+ c5:9b:84:15:e2:58:0f:70:9c:bc:53:d7:28:76:f8:
+ f2:14:79:22:bd:d6:8b:6c:0e:2b:02:e5:d8:f3:33:
+ fa:16:43:9b:80:87:f9:b2:45:ab:bd:7d:14:b2:24:
+ 2f:41:13:6f:45:c4:dc:f9:4d:7f:d8:d3:e1:aa:5c:
+ 52:9d:c9:7a:38:b7:b0:43:bd:b7:6a:37:43:ec:e7:
+ 34:c4:3b:4c:ca:cc:7b:1f:91:ef:ab:d4:35:76:42:
+ 82:d4:f5:79:e0:12:3c:24:92:2e:dc:a2:5c:83:f0:
+ 71:8a:26:96:30:d4:b8:96:4d:00:2c:1a:f0:0f:79:
+ 52:c7:27:73:54:77:c1:86:f9:86:61:ce:e0:69:a7:
+ a8:3d:77:39:e7:24:ee:41:8d:52:19:3b:57:8c:84:
+ cc:9a:d5:05:7c:e6:83:2c:e3:13:6d:66:1b:87:20:
+ 82:47:e1:05:26:f0:3b:29:69:6d:bc:af:48:91:c4:
+ 40:f1
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ FB:B8:A7:A3:36:48:0A:A0:9F:F0:2E:DC:8B:68:BC:B3:5C:45:25:D7
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/RIR/
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64533-64540
+ 64544
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 10.0.0.0/24
+ 10.3.0.0/24
+ 192.0.2.1-192.0.2.33
+ 192.0.2.44-192.0.2.100
+ IPv6:
+ 2001:db8:0:0:0:0:0:44-2001:db8:0:0:0:0:0:100
+ 2001:db8:0:0:0:0:a00::/120
+ 2001:db8:0:0:0:0:a03::/120
+ 2001:db8:0:0:0:10:0:44/128
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 2e:45:6d:53:05:ed:dd:c9:79:ad:3e:69:42:51:c2:83:f4:d6:
+ e6:9b:ab:ec:70:45:6f:8b:08:83:9e:db:91:69:e2:62:03:c8:
+ 84:e0:6b:9e:0a:76:80:ff:06:b3:28:ad:8b:7d:75:6c:89:0d:
+ d0:91:55:a3:ed:bb:00:9b:36:23:8e:b2:77:58:05:62:30:4d:
+ c5:90:f3:38:0d:75:ab:4e:5c:2e:40:15:38:76:fe:12:21:14:
+ 32:52:1d:0c:3f:3a:b7:76:ef:60:98:58:ef:47:2a:20:23:bc:
+ ce:63:fe:ef:d7:d5:6a:2c:08:19:61:ec:be:0d:f0:23:09:1d:
+ eb:24:c0:f5:fa:30:dd:3b:65:82:09:23:e1:4b:14:15:35:8b:
+ 71:88:bb:15:4b:a5:69:ff:77:b3:65:7b:32:ee:e8:5a:af:64:
+ 05:cc:7f:f3:eb:72:01:5e:10:66:4c:2f:3b:d7:49:1a:21:9a:
+ 1a:21:01:17:18:a3:b2:39:96:7f:3c:a4:25:c7:ea:a8:36:34:
+ 60:5e:6d:95:32:a4:a7:c8:7d:af:f3:9a:fc:ed:90:05:07:5c:
+ 2e:b3:f2:46:3a:ca:d0:4a:37:41:19:38:9d:f2:32:f8:b7:f2:
+ b8:9b:a7:2a:e2:b2:77:8a:98:49:33:d7:33:04:de:1e:a8:5c:
+ d0:e6:db:45
+-----BEGIN CERTIFICATE-----
+MIIEEDCCAvigAwIBAgIBJzANBgkqhkiG9w0BAQsFADAaMRgwFgYDVQQDEw9URVNU
+IEVOVElUWSBSSVIwHhcNMDcxMDE5MTkwNjA3WhcNMDgxMDE4MTkwNjA3WjAaMRgw
+FgYDVQQDEw9URVNUIEVOVElUWSBSSVIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCspybEmGiZtvLnxZcFfvnX8uw55iuOwkKIuY8itjxZsA6KHQ74gbHI
+/0qKGkO8eJE+r7KwlWCpPp3C/5mPj7bc2Ea3hjWm9kIFwsWbhBXiWA9wnLxT1yh2
++PIUeSK91otsDisC5djzM/oWQ5uAh/myRau9fRSyJC9BE29FxNz5TX/Y0+GqXFKd
+yXo4t7BDvbdqN0Ps5zTEO0zKzHsfke+r1DV2QoLU9XngEjwkki7colyD8HGKJpYw
+1LiWTQAsGvAPeVLHJ3NUd8GG+YZhzuBpp6g9dznnJO5BjVIZO1eMhMya1QV85oMs
+4xNtZhuHIIJH4QUm8DspaW28r0iRxEDxAgMBAAGjggFfMIIBWzAPBgNVHRMBAf8E
+BTADAQH/MB0GA1UdDgQWBBT7uKejNkgKoJ/wLtyLaLyzXEUl1zAOBgNVHQ8BAf8E
+BAMCAQYwQAYIKwYBBQUHAQsENDAyMDAGCCsGAQUFBzAFhiRyc3luYzovL3dvbWJh
+dHMtci11cy5oYWN0cm4ubmV0L1JJUi8wJgYIKwYBBQUHAQgBAf8EFzAVoBMwETAK
+AgMA/BUCAwD8HAIDAPwgMIGuBggrBgEFBQcBBwEB/wSBnjCBmzAyBAIAATAsAwQA
+CgAAAwQACgMAMA4DBQDAAAIBAwUBwAACIDAOAwUCwAACLAMFAMAAAmQwZQQCAAIw
+XzAmAxECIAENuAAAAAAAAAAAAAAARAMRACABDbgAAAAAAAAAAAAAAQADEAAgAQ24
+AAAAAAAAAAAKAAADEAAgAQ24AAAAAAAAAAAKAwADEQAgAQ24AAAAAAAAABAAAABE
+MA0GCSqGSIb3DQEBCwUAA4IBAQAuRW1TBe3dyXmtPmlCUcKD9Nbmm6vscEVviwiD
+ntuRaeJiA8iE4GueCnaA/wazKK2LfXVsiQ3QkVWj7bsAmzYjjrJ3WAViME3FkPM4
+DXWrTlwuQBU4dv4SIRQyUh0MPzq3du9gmFjvRyogI7zOY/7v19VqLAgZYey+DfAj
+CR3rJMD1+jDdO2WCCSPhSxQVNYtxiLsVS6Vp/3ezZXsy7uhar2QFzH/z63IBXhBm
+TC8710kaIZoaIQEXGKOyOZZ/PKQlx+qoNjRgXm2VMqSnyH2v85r87ZAFB1wus/JG
+OsrQSjdBGTid8jL4t/K4m6cq4rJ3iphJM9czBN4eqFzQ5ttF
+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/28.pem b/rpkid/resource-cert-samples/RIR/28.pem
new file mode 100644
index 00000000..5bf407ac
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/28.pem
@@ -0,0 +1,98 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 40 (0x28)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Oct 19 19:06:07 2007 GMT
+ Not After : Oct 18 19:06:07 2008 GMT
+ Subject: CN=TEST ENTITY LIR3
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:a3:21:57:61:64:af:11:18:d4:cb:de:a6:dc:ad:
+ d9:2c:0f:0f:58:9f:7e:c8:85:55:11:26:4c:7c:f0:
+ 6b:68:1a:9e:6a:0c:8f:e6:dc:3d:83:58:2a:cc:77:
+ ac:19:73:6f:5a:f3:6e:24:ac:cd:1a:dc:1d:0b:4c:
+ 44:f5:6d:8b:0a:17:3d:86:f9:e8:fe:e6:60:e5:9f:
+ 40:6a:e5:94:e8:9a:56:17:17:1c:ab:c1:8c:37:40:
+ 2b:55:bf:2c:5e:dc:8d:ca:25:7f:8a:5f:ee:fb:16:
+ 86:eb:e0:08:d3:26:e5:e3:70:c5:0c:6b:fb:1b:8f:
+ 6b:5c:f6:e2:4a:58:a5:35:01:ea:05:1b:3e:ce:84:
+ be:b5:3f:6d:18:16:4b:68:e5:79:4c:88:7d:b6:a5:
+ 65:a3:3a:c2:32:dc:ad:8f:8a:05:ee:f6:e9:7a:80:
+ da:12:a9:0f:5a:b5:d2:d3:31:ac:3e:d3:19:25:2d:
+ 28:de:79:6c:ce:fd:77:66:d5:e3:2f:a9:cb:f9:85:
+ 8c:20:bb:a2:86:23:f0:93:95:20:04:78:c7:c7:07:
+ a6:fe:f0:f4:45:bb:cf:78:2b:dd:ce:9c:08:a5:46:
+ 68:10:4c:d7:05:62:6c:86:5a:2d:7f:06:38:c2:4d:
+ bb:44:87:00:43:79:d2:8f:f3:6b:b2:f4:5c:1c:b9:
+ 68:01
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 98:BE:04:FF:80:D1:AB:95:39:AA:3D:F2:0E:67:7D:00:AD:A3:FD:C5
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/LIR3/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/RIR.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64534-64540
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 10.0.0.0/24
+ 10.3.0.0/24
+ IPv6:
+ 2001:db8:0:0:0:0:a00::/120
+ 2001:db8:0:0:0:0:a03::/120
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 1e:63:2b:cd:40:87:83:32:a1:6e:ed:4e:17:08:9e:e9:19:3c:
+ 6b:14:68:0b:7a:81:b3:fe:3e:9b:de:9e:19:a5:7d:76:6c:18:
+ 5f:ed:9e:9b:59:5c:a8:1e:08:2a:71:ac:e1:40:61:89:38:fe:
+ 46:c2:ba:81:d0:85:db:0f:78:a6:f6:72:03:43:e1:d5:af:21:
+ 38:d8:77:fc:12:b8:b6:fe:09:8e:a2:c9:db:77:9c:94:f0:28:
+ 28:bc:41:ee:42:7c:65:ce:bb:9a:15:b5:06:8f:c8:a4:cf:10:
+ 39:4d:72:a0:f0:e6:7e:c3:2a:40:fc:be:c5:17:98:fe:3a:08:
+ a5:cb:7b:4c:49:59:5d:c2:bd:87:ac:fe:10:1e:e0:45:69:eb:
+ 2d:3d:ff:f9:12:ef:2f:ef:8a:f9:4d:e6:c1:f8:27:b5:fc:78:
+ 64:cc:ee:94:95:17:cc:ed:2b:03:d6:4e:85:06:0f:a1:e2:70:
+ 0a:a1:fc:01:a0:8e:70:04:0e:b0:0c:86:3e:9a:2f:a9:64:9a:
+ 00:62:b0:82:30:74:6f:2c:fd:e6:bd:2c:9c:74:da:cd:07:a2:
+ 0d:a4:a2:e2:1a:ad:57:4c:35:04:c5:16:7e:c8:9c:a0:57:53:
+ 28:e2:8d:34:92:1a:77:9c:ff:6b:8a:4f:78:e6:2e:70:08:67:
+ 82:b4:7d:9f
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/29.pem b/rpkid/resource-cert-samples/RIR/29.pem
new file mode 100644
index 00000000..aaed0d68
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/29.pem
@@ -0,0 +1,95 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 41 (0x29)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Oct 19 19:06:07 2007 GMT
+ Not After : Oct 18 19:06:07 2008 GMT
+ Subject: CN=TEST ENTITY LIR2
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:f1:18:b6:79:0b:35:c5:83:64:48:83:31:03:9e:
+ e7:72:28:65:b1:ac:61:e1:77:2e:c0:4d:f0:b1:1c:
+ 61:d8:cc:5a:2d:c7:0b:9b:78:7a:3e:fd:37:ad:fa:
+ b0:73:0b:9c:fc:bb:6f:60:ea:38:ef:ae:d1:27:b8:
+ 81:59:0f:b3:e7:d0:67:b2:a2:f5:4f:e2:04:c6:cc:
+ 13:9f:33:28:35:96:7a:db:ce:ac:9d:d3:64:3d:b8:
+ 44:bc:cb:43:22:92:d6:3c:2e:bf:97:6e:39:6a:6e:
+ 68:93:5d:1c:a8:58:b7:a3:7a:26:44:fe:fe:30:ad:
+ e2:05:89:4c:c9:ef:2c:e0:4e:31:69:3f:dd:91:1c:
+ f0:b0:25:4c:3e:84:8a:ea:5e:03:b3:a8:cd:90:1a:
+ 1e:c8:e0:af:fe:11:ed:21:06:bd:3c:5e:08:a1:93:
+ e2:41:43:43:38:d3:21:b3:4c:fa:85:8b:43:57:60:
+ 5d:bb:a0:78:e5:33:47:a8:33:76:be:df:6e:63:61:
+ e3:31:8b:5d:8e:0c:c7:f5:c8:91:0c:be:57:c7:f2:
+ bc:be:0b:ba:7a:1f:f6:19:f1:eb:00:74:c1:12:c2:
+ dc:2b:2e:8d:f0:0a:ff:7f:e8:60:08:90:ba:51:fc:
+ d0:90:11:37:f3:9e:44:b6:64:43:69:5d:61:d3:e1:
+ 8d:77
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 03:7A:DF:0C:DF:DC:93:3D:F7:A5:CC:27:7B:DC:22:F6:E9:55:97:F0
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/LIR2/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/RIR.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64544
+
+ sbgp-ipAddrBlock: critical
+ IPv6:
+ 2001:db8:0:0:0:0:0:44-2001:db8:0:0:0:0:0:100
+ 2001:db8:0:0:0:10:0:44/128
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 23:d8:22:41:32:ce:3b:82:26:87:5c:52:4b:b3:ec:81:8e:06:
+ 8e:a4:8d:a2:8e:e8:f6:0a:5f:d8:65:43:d2:f6:cf:2d:cb:33:
+ 78:1f:ce:a4:2a:a3:18:8f:23:ef:4c:56:ae:3c:a8:21:19:3d:
+ 98:e2:19:58:99:93:e3:da:25:4e:f1:2a:c9:e8:5b:5b:ed:3a:
+ 2c:2c:9b:7e:5e:f3:8a:63:bf:e8:92:3b:e0:80:8e:50:ee:6e:
+ 16:37:51:eb:34:b1:90:13:a8:13:9e:49:7f:da:aa:e4:b8:c8:
+ e6:c7:5c:5e:15:e4:19:c2:ea:81:54:65:fc:8b:c1:c2:54:89:
+ 0a:2d:d9:ad:96:e7:2b:92:c7:ca:bf:b2:d4:fb:f2:45:51:f3:
+ a0:0e:39:cf:5c:10:f4:7e:8c:4c:e5:0c:65:00:38:fa:d6:24:
+ 5d:5d:93:eb:a7:ee:78:65:05:6c:c5:2b:de:08:a0:3a:65:e8:
+ 13:7f:1e:6c:2e:58:ce:3e:00:4d:a6:e1:28:89:61:ef:b3:66:
+ 2e:6f:81:91:a5:4d:56:47:27:c2:33:28:d8:ae:ac:74:7c:76:
+ eb:bc:0c:43:9a:a9:ae:52:f9:22:24:4b:3c:96:a9:3e:4e:5c:
+ 8b:85:6e:f2:84:9a:5f:fa:b9:c8:66:67:cd:fa:17:3f:23:c4:
+ 45:97:64:36
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/2A.pem b/rpkid/resource-cert-samples/RIR/2A.pem
new file mode 100644
index 00000000..7f7116ad
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/2A.pem
@@ -0,0 +1,94 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 42 (0x2a)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Oct 19 19:06:07 2007 GMT
+ Not After : Oct 18 19:06:07 2008 GMT
+ Subject: CN=TEST ENTITY LIR1
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:af:5d:1c:f9:d9:bb:d5:01:e1:5b:36:cc:51:f6:
+ fd:86:57:60:aa:9e:c7:ec:4e:05:af:fb:51:5c:7a:
+ c2:58:c4:a8:57:ae:14:62:e9:bc:b6:72:7d:cf:49:
+ c8:4a:40:82:4a:f4:3e:30:b5:94:25:9e:6c:78:81:
+ 57:43:d6:85:02:8d:d1:9c:b5:d7:34:2f:e2:a9:7d:
+ 18:27:b5:47:9a:42:16:c8:90:7f:96:2c:dd:b8:98:
+ 17:1f:77:62:4a:08:00:2d:e0:73:0c:39:37:ba:0f:
+ a7:59:59:4c:7c:cd:e2:5c:d7:98:36:10:6c:88:3e:
+ 45:99:a6:88:2f:f6:7f:31:49:ba:42:2b:13:79:c2:
+ b2:f1:09:d9:ad:37:a4:41:b6:6d:46:a1:18:05:a0:
+ 53:07:8e:e0:98:b2:d1:fd:67:68:77:64:d5:f3:fe:
+ 1d:22:36:9e:26:5a:1a:aa:18:94:c3:2c:7e:9a:af:
+ be:2c:9d:5e:75:2c:49:d6:37:2b:06:1f:cc:63:97:
+ 7e:ee:2c:5f:67:af:4d:62:3e:7a:1f:0c:e1:1e:02:
+ f2:d2:06:75:ae:3f:11:bc:8e:0f:13:64:38:14:36:
+ 1d:5d:02:ec:af:65:d5:b9:68:f4:22:66:2b:ef:47:
+ 5b:ad:3b:f2:af:b6:71:0c:94:56:8a:7c:01:36:f0:
+ 3a:3f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 8A:94:17:F9:53:F2:5B:94:54:56:DF:76:51:13:29:F6:71:19:A8:B3
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/LIR1/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/RIR.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64533
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 192.0.2.1-192.0.2.33
+ 192.0.2.44-192.0.2.100
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 56:79:7d:ae:75:85:0f:e2:2f:f9:77:f6:34:78:f7:da:4f:d2:
+ 6d:df:9d:6e:0d:ab:06:15:d9:e3:99:06:ab:7f:5d:09:ec:23:
+ 2b:38:75:bf:f5:43:1d:3b:b9:a7:27:a9:77:89:ba:48:47:a5:
+ 72:14:50:1b:33:3b:bc:cd:9b:5a:fb:17:f3:33:7e:14:59:24:
+ 9c:5c:53:01:68:8a:34:db:43:e7:ef:1c:ad:e6:ba:82:e2:dc:
+ 1c:e6:7e:59:64:5d:58:89:a1:01:c5:23:10:b0:32:c1:62:54:
+ 97:e8:3b:b0:0c:51:52:12:56:ea:7a:4f:4c:b7:43:ef:d0:8c:
+ 65:b3:39:de:7b:95:2b:e4:99:df:2e:d5:9e:b5:77:c6:4d:d4:
+ b8:0a:40:86:13:40:7f:53:ad:c6:5a:38:6a:48:1b:5e:da:7e:
+ 5a:1b:d4:66:c0:cc:4e:e9:0d:48:4d:7f:f5:f0:9a:c8:17:63:
+ 1a:08:80:34:35:ac:ad:b8:5f:26:a1:b7:dc:4f:08:98:3b:36:
+ 2b:d1:65:6d:0c:ce:2d:77:94:88:79:a1:34:7a:55:74:7c:a0:
+ 04:87:e1:a2:7b:1f:c1:06:f5:ea:61:d1:20:69:ea:cd:be:21:
+ b9:41:17:04:a4:3e:8f:bf:dc:da:51:b9:ea:41:77:f3:c0:f6:
+ 02:65:c3:d5
+-----BEGIN CERTIFICATE-----
+MIID1TCCAr2gAwIBAgIBKjANBgkqhkiG9w0BAQsFADAaMRgwFgYDVQQDEw9URVNU
+IEVOVElUWSBSSVIwHhcNMDcxMDE5MTkwNjA3WhcNMDgxMDE4MTkwNjA3WjAbMRkw
+FwYDVQQDExBURVNUIEVOVElUWSBMSVIxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAr10c+dm71QHhWzbMUfb9hldgqp7H7E4Fr/tRXHrCWMSoV64UYum8
+tnJ9z0nISkCCSvQ+MLWUJZ5seIFXQ9aFAo3RnLXXNC/iqX0YJ7VHmkIWyJB/lizd
+uJgXH3diSggALeBzDDk3ug+nWVlMfM3iXNeYNhBsiD5FmaaIL/Z/MUm6QisTecKy
+8QnZrTekQbZtRqEYBaBTB47gmLLR/Wdod2TV8/4dIjaeJloaqhiUwyx+mq++LJ1e
+dSxJ1jcrBh/MY5d+7ixfZ69NYj56HwzhHgLy0gZ1rj8RvI4PE2Q4FDYdXQLsr2XV
+uWj0ImYr70dbrTvyr7ZxDJRWinwBNvA6PwIDAQABo4IBIzCCAR8wDwYDVR0TAQH/
+BAUwAwEB/zAdBgNVHQ4EFgQUipQX+VPyW5RUVt92URMp9nEZqLMwDgYDVR0PAQH/
+BAQDAgEGMEEGCCsGAQUFBwELBDUwMzAxBggrBgEFBQcwBYYlcnN5bmM6Ly93b21i
+YXRzLXItdXMuaGFjdHJuLm5ldC9MSVIxLzBDBggrBgEFBQcBAQQ3MDUwMwYIKwYB
+BQUHMAKGJ3JzeW5jOi8vd29tYmF0cy1yLXVzLmhhY3Rybi5uZXQvUklSLmNlcjAa
+BggrBgEFBQcBCAEB/wQLMAmgBzAFAgMA/BUwOQYIKwYBBQUHAQcBAf8EKjAoMCYE
+AgABMCAwDgMFAMAAAgEDBQHAAAIgMA4DBQLAAAIsAwUAwAACZDANBgkqhkiG9w0B
+AQsFAAOCAQEAVnl9rnWFD+Iv+Xf2NHj32k/Sbd+dbg2rBhXZ45kGq39dCewjKzh1
+v/VDHTu5pyepd4m6SEelchRQGzM7vM2bWvsX8zN+FFkknFxTAWiKNNtD5+8crea6
+guLcHOZ+WWRdWImhAcUjELAywWJUl+g7sAxRUhJW6npPTLdD79CMZbM53nuVK+SZ
+3y7VnrV3xk3UuApAhhNAf1Otxlo4akgbXtp+WhvUZsDMTukNSE1/9fCayBdjGgiA
+NDWsrbhfJqG33E8ImDs2K9FlbQzOLXeUiHmhNHpVdHygBIfhonsfwQb16mHRIGnq
+zb4huUEXBKQ+j7/c2lG56kF388D2AmXD1Q==
+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/2B.pem b/rpkid/resource-cert-samples/RIR/2B.pem
new file mode 100644
index 00000000..7d69f853
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/2B.pem
@@ -0,0 +1,100 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 43 (0x2b)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Oct 29 16:03:51 2007 GMT
+ Not After : Oct 28 16:03:51 2008 GMT
+ Subject: CN=TEST ENTITY RIR
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:ac:a7:26:c4:98:68:99:b6:f2:e7:c5:97:05:7e:
+ f9:d7:f2:ec:39:e6:2b:8e:c2:42:88:b9:8f:22:b6:
+ 3c:59:b0:0e:8a:1d:0e:f8:81:b1:c8:ff:4a:8a:1a:
+ 43:bc:78:91:3e:af:b2:b0:95:60:a9:3e:9d:c2:ff:
+ 99:8f:8f:b6:dc:d8:46:b7:86:35:a6:f6:42:05:c2:
+ c5:9b:84:15:e2:58:0f:70:9c:bc:53:d7:28:76:f8:
+ f2:14:79:22:bd:d6:8b:6c:0e:2b:02:e5:d8:f3:33:
+ fa:16:43:9b:80:87:f9:b2:45:ab:bd:7d:14:b2:24:
+ 2f:41:13:6f:45:c4:dc:f9:4d:7f:d8:d3:e1:aa:5c:
+ 52:9d:c9:7a:38:b7:b0:43:bd:b7:6a:37:43:ec:e7:
+ 34:c4:3b:4c:ca:cc:7b:1f:91:ef:ab:d4:35:76:42:
+ 82:d4:f5:79:e0:12:3c:24:92:2e:dc:a2:5c:83:f0:
+ 71:8a:26:96:30:d4:b8:96:4d:00:2c:1a:f0:0f:79:
+ 52:c7:27:73:54:77:c1:86:f9:86:61:ce:e0:69:a7:
+ a8:3d:77:39:e7:24:ee:41:8d:52:19:3b:57:8c:84:
+ cc:9a:d5:05:7c:e6:83:2c:e3:13:6d:66:1b:87:20:
+ 82:47:e1:05:26:f0:3b:29:69:6d:bc:af:48:91:c4:
+ 40:f1
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ FB:B8:A7:A3:36:48:0A:A0:9F:F0:2E:DC:8B:68:BC:B3:5C:45:25:D7
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/RIR/
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64533-64540
+ 64544
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 10.0.0.0/24
+ 10.3.0.0/24
+ 192.0.2.1-192.0.2.33
+ 192.0.2.44-192.0.2.100
+ IPv6:
+ 2001:db8:0:0:0:0:0:44-2001:db8:0:0:0:0:0:100
+ 2001:db8:0:0:0:0:a00::/120
+ 2001:db8:0:0:0:0:a03::/120
+ 2001:db8:0:0:0:10:0:44/128
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 21:d1:04:bf:8b:88:c1:6f:c5:0b:25:0e:54:72:03:59:1f:bc:
+ c1:16:e1:9b:0b:5c:fa:1d:3d:39:b7:c1:3a:5c:74:a4:12:f3:
+ ae:59:75:f8:82:64:58:24:c5:dd:fb:8b:ae:85:23:e0:6a:3b:
+ de:76:ae:b8:55:df:71:42:5e:26:d6:e7:dc:7e:64:47:fa:2b:
+ 93:c2:2f:b7:3a:bd:f9:a1:4b:5d:8c:c5:91:51:42:82:9b:49:
+ c3:02:3a:a6:b6:c6:f0:3b:df:cb:78:f9:11:87:69:c4:76:dd:
+ 00:8d:c1:35:37:f6:09:0b:7b:d9:62:c0:2e:8b:83:70:0f:47:
+ c5:22:27:39:91:28:95:65:c3:24:d5:54:a0:22:2a:aa:60:a5:
+ ba:4b:72:12:4a:02:ac:15:11:45:cc:70:34:0e:bf:54:f2:fb:
+ 5b:d1:15:3d:04:73:66:0c:2b:58:07:5f:c6:1f:49:a5:bc:c1:
+ 63:6b:5b:d8:f0:0c:07:41:f6:f3:0b:93:27:53:79:77:c6:1b:
+ b1:46:0a:00:d5:55:57:1e:b3:df:1e:40:54:bf:22:b0:92:ff:
+ 54:47:ce:26:ba:75:2b:4c:ad:dd:98:af:12:7b:01:66:b3:94:
+ bc:39:7f:ba:91:f7:eb:5c:cc:f3:58:4a:7d:7d:0e:fc:4c:3f:
+ dc:1e:62:c3
+-----BEGIN CERTIFICATE-----
+MIIEEDCCAvigAwIBAgIBKzANBgkqhkiG9w0BAQsFADAaMRgwFgYDVQQDEw9URVNU
+IEVOVElUWSBSSVIwHhcNMDcxMDI5MTYwMzUxWhcNMDgxMDI4MTYwMzUxWjAaMRgw
+FgYDVQQDEw9URVNUIEVOVElUWSBSSVIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCspybEmGiZtvLnxZcFfvnX8uw55iuOwkKIuY8itjxZsA6KHQ74gbHI
+/0qKGkO8eJE+r7KwlWCpPp3C/5mPj7bc2Ea3hjWm9kIFwsWbhBXiWA9wnLxT1yh2
++PIUeSK91otsDisC5djzM/oWQ5uAh/myRau9fRSyJC9BE29FxNz5TX/Y0+GqXFKd
+yXo4t7BDvbdqN0Ps5zTEO0zKzHsfke+r1DV2QoLU9XngEjwkki7colyD8HGKJpYw
+1LiWTQAsGvAPeVLHJ3NUd8GG+YZhzuBpp6g9dznnJO5BjVIZO1eMhMya1QV85oMs
+4xNtZhuHIIJH4QUm8DspaW28r0iRxEDxAgMBAAGjggFfMIIBWzAPBgNVHRMBAf8E
+BTADAQH/MB0GA1UdDgQWBBT7uKejNkgKoJ/wLtyLaLyzXEUl1zAOBgNVHQ8BAf8E
+BAMCAQYwQAYIKwYBBQUHAQsENDAyMDAGCCsGAQUFBzAFhiRyc3luYzovL3dvbWJh
+dHMtci11cy5oYWN0cm4ubmV0L1JJUi8wJgYIKwYBBQUHAQgBAf8EFzAVoBMwETAK
+AgMA/BUCAwD8HAIDAPwgMIGuBggrBgEFBQcBBwEB/wSBnjCBmzAyBAIAATAsAwQA
+CgAAAwQACgMAMA4DBQDAAAIBAwUBwAACIDAOAwUCwAACLAMFAMAAAmQwZQQCAAIw
+XzAmAxECIAENuAAAAAAAAAAAAAAARAMRACABDbgAAAAAAAAAAAAAAQADEAAgAQ24
+AAAAAAAAAAAKAAADEAAgAQ24AAAAAAAAAAAKAwADEQAgAQ24AAAAAAAAABAAAABE
+MA0GCSqGSIb3DQEBCwUAA4IBAQAh0QS/i4jBb8ULJQ5UcgNZH7zBFuGbC1z6HT05
+t8E6XHSkEvOuWXX4gmRYJMXd+4uuhSPgajvedq64Vd9xQl4m1ufcfmRH+iuTwi+3
+Or35oUtdjMWRUUKCm0nDAjqmtsbwO9/LePkRh2nEdt0AjcE1N/YJC3vZYsAui4Nw
+D0fFIic5kSiVZcMk1VSgIiqqYKW6S3ISSgKsFRFFzHA0Dr9U8vtb0RU9BHNmDCtY
+B1/GH0mlvMFja1vY8AwHQfbzC5MnU3l3xhuxRgoA1VVXHrPfHkBUvyKwkv9UR84m
+unUrTK3dmK8SewFms5S8OX+6kffrXMzzWEp9fQ78TD/cHmLD
+-----END CERTIFICATE-----
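Review bot: The validity window in this sample is fixed at one year (`Not After : Oct 28 16:03:51 2008 GMT`), and 2C.pem through 32.pem in this commit expire on the same day, so any check that validates these files against the current clock will start rejecting them once that date passes. If the samples are only parsed for their `sbgp-autonomousSysNum` and `sbgp-ipAddrBlock` extensions this does not matter. If they are path-validated, the test should pin its verification time, or the samples should be regenerated from a recorded procedure. Nothing in the visible hunks says which applies, so I would add a short note beside the samples along the lines of `Samples expire 2008-10-28; parse-only fixtures, not for chain validation` (or the opposite, with the regeneration steps).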
diff --git a/rpkid/resource-cert-samples/RIR/2C.pem b/rpkid/resource-cert-samples/RIR/2C.pem
new file mode 100644
index 00000000..b32d729e
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/2C.pem
@@ -0,0 +1,98 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 44 (0x2c)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Oct 29 16:03:51 2007 GMT
+ Not After : Oct 28 16:03:51 2008 GMT
+ Subject: CN=TEST ENTITY LIR3
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:a3:21:57:61:64:af:11:18:d4:cb:de:a6:dc:ad:
+ d9:2c:0f:0f:58:9f:7e:c8:85:55:11:26:4c:7c:f0:
+ 6b:68:1a:9e:6a:0c:8f:e6:dc:3d:83:58:2a:cc:77:
+ ac:19:73:6f:5a:f3:6e:24:ac:cd:1a:dc:1d:0b:4c:
+ 44:f5:6d:8b:0a:17:3d:86:f9:e8:fe:e6:60:e5:9f:
+ 40:6a:e5:94:e8:9a:56:17:17:1c:ab:c1:8c:37:40:
+ 2b:55:bf:2c:5e:dc:8d:ca:25:7f:8a:5f:ee:fb:16:
+ 86:eb:e0:08:d3:26:e5:e3:70:c5:0c:6b:fb:1b:8f:
+ 6b:5c:f6:e2:4a:58:a5:35:01:ea:05:1b:3e:ce:84:
+ be:b5:3f:6d:18:16:4b:68:e5:79:4c:88:7d:b6:a5:
+ 65:a3:3a:c2:32:dc:ad:8f:8a:05:ee:f6:e9:7a:80:
+ da:12:a9:0f:5a:b5:d2:d3:31:ac:3e:d3:19:25:2d:
+ 28:de:79:6c:ce:fd:77:66:d5:e3:2f:a9:cb:f9:85:
+ 8c:20:bb:a2:86:23:f0:93:95:20:04:78:c7:c7:07:
+ a6:fe:f0:f4:45:bb:cf:78:2b:dd:ce:9c:08:a5:46:
+ 68:10:4c:d7:05:62:6c:86:5a:2d:7f:06:38:c2:4d:
+ bb:44:87:00:43:79:d2:8f:f3:6b:b2:f4:5c:1c:b9:
+ 68:01
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 98:BE:04:FF:80:D1:AB:95:39:AA:3D:F2:0E:67:7D:00:AD:A3:FD:C5
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/LIR3/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/RIR.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64534-64540
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 10.0.0.0/24
+ 10.3.0.0/24
+ IPv6:
+ 2001:db8:0:0:0:0:a00::/120
+ 2001:db8:0:0:0:0:a03::/120
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 5f:28:81:1a:2c:d6:f6:55:be:cc:d2:3c:a1:fe:6c:86:6f:7d:
+ cc:9d:be:96:0d:03:45:27:cd:c4:e7:a5:be:9e:24:59:76:24:
+ ef:4b:3e:14:4a:d4:88:29:90:bf:87:38:75:68:d7:3d:c6:b5:
+ cc:dd:dc:6c:71:3f:92:de:f0:79:c5:f1:3c:83:d7:f9:bb:22:
+ ad:3e:f7:69:df:73:9c:06:9b:cc:47:d9:ef:d4:1f:09:69:38:
+ a9:e4:a9:f6:a6:b7:ec:f7:ee:6e:fd:cf:90:31:db:3b:dc:fe:
+ 8b:45:dc:34:39:8c:fe:0f:6a:53:b6:7f:25:1d:aa:e3:23:9a:
+ 73:73:cc:6f:ad:63:e9:c8:e7:f7:98:68:52:e7:1f:5d:f1:f4:
+ f6:ac:4e:9b:f5:c8:22:ab:b2:01:b5:25:b1:39:d9:21:25:5f:
+ b6:e0:a2:b0:41:7e:15:30:71:ed:39:f2:0a:f9:84:ef:13:78:
+ 9b:91:96:4f:e7:9a:26:a7:5d:f5:7b:36:15:4a:1d:6c:dd:91:
+ 85:8d:be:7c:76:59:05:b9:19:41:76:09:e7:29:d9:86:90:53:
+ b0:64:8a:3e:7c:43:aa:1f:aa:68:60:19:fd:bf:15:9c:be:a8:
+ a6:b8:24:13:76:88:c5:fe:2a:6e:df:4d:67:f4:26:b1:8c:ce:
+ b9:ba:fb:d6
+-----BEGIN CERTIFICATE-----
+MIID9DCCAtygAwIBAgIBLDANBgkqhkiG9w0BAQsFADAaMRgwFgYDVQQDEw9URVNU
+IEVOVElUWSBSSVIwHhcNMDcxMDI5MTYwMzUxWhcNMDgxMDI4MTYwMzUxWjAbMRkw
+FwYDVQQDExBURVNUIEVOVElUWSBMSVIzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAoyFXYWSvERjUy96m3K3ZLA8PWJ9+yIVVESZMfPBraBqeagyP5tw9
+g1gqzHesGXNvWvNuJKzNGtwdC0xE9W2LChc9hvno/uZg5Z9AauWU6JpWFxccq8GM
+N0ArVb8sXtyNyiV/il/u+xaG6+AI0ybl43DFDGv7G49rXPbiSlilNQHqBRs+zoS+
+tT9tGBZLaOV5TIh9tqVlozrCMtytj4oF7vbpeoDaEqkPWrXS0zGsPtMZJS0o3nls
+zv13ZtXjL6nL+YWMILuihiPwk5UgBHjHxwem/vD0RbvPeCvdzpwIpUZoEEzXBWJs
+hlotfwY4wk27RIcAQ3nSj/NrsvRcHLloAQIDAQABo4IBQjCCAT4wDwYDVR0TAQH/
+BAUwAwEB/zAdBgNVHQ4EFgQUmL4E/4DRq5U5qj3yDmd9AK2j/cUwDgYDVR0PAQH/
+BAQDAgEGMEEGCCsGAQUFBwELBDUwMzAxBggrBgEFBQcwBYYlcnN5bmM6Ly93b21i
+YXRzLXItdXMuaGFjdHJuLm5ldC9MSVIzLzBDBggrBgEFBQcBAQQ3MDUwMwYIKwYB
+BQUHMAKGJ3JzeW5jOi8vd29tYmF0cy1yLXVzLmhhY3Rybi5uZXQvUklSLmNlcjAh
+BggrBgEFBQcBCAEB/wQSMBCgDjAMMAoCAwD8FgIDAPwcMFEGCCsGAQUFBwEHAQH/
+BEIwQDASBAIAATAMAwQACgAAAwQACgMAMCoEAgACMCQDEAAgAQ24AAAAAAAAAAAK
+AAADEAAgAQ24AAAAAAAAAAAKAwAwDQYJKoZIhvcNAQELBQADggEBAF8ogRos1vZV
+vszSPKH+bIZvfcydvpYNA0UnzcTnpb6eJFl2JO9LPhRK1IgpkL+HOHVo1z3Gtczd
+3GxxP5Le8HnF8TyD1/m7Iq0+92nfc5wGm8xH2e/UHwlpOKnkqfamt+z37m79z5Ax
+2zvc/otF3DQ5jP4PalO2fyUdquMjmnNzzG+tY+nI5/eYaFLnH13x9PasTpv1yCKr
+sgG1JbE52SElX7bgorBBfhUwce058gr5hO8TeJuRlk/nmianXfV7NhVKHWzdkYWN
+vnx2WQW5GUF2Cecp2YaQU7Bkij58Q6ofqmhgGf2/FZy+qKa4JBN2iMX+Km7fTWf0
+JrGMzrm6+9Y=
+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/2D.pem b/rpkid/resource-cert-samples/RIR/2D.pem
new file mode 100644
index 00000000..61bb37a9
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/2D.pem
@@ -0,0 +1,95 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 45 (0x2d)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Oct 29 16:03:51 2007 GMT
+ Not After : Oct 28 16:03:51 2008 GMT
+ Subject: CN=TEST ENTITY LIR2
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:f1:18:b6:79:0b:35:c5:83:64:48:83:31:03:9e:
+ e7:72:28:65:b1:ac:61:e1:77:2e:c0:4d:f0:b1:1c:
+ 61:d8:cc:5a:2d:c7:0b:9b:78:7a:3e:fd:37:ad:fa:
+ b0:73:0b:9c:fc:bb:6f:60:ea:38:ef:ae:d1:27:b8:
+ 81:59:0f:b3:e7:d0:67:b2:a2:f5:4f:e2:04:c6:cc:
+ 13:9f:33:28:35:96:7a:db:ce:ac:9d:d3:64:3d:b8:
+ 44:bc:cb:43:22:92:d6:3c:2e:bf:97:6e:39:6a:6e:
+ 68:93:5d:1c:a8:58:b7:a3:7a:26:44:fe:fe:30:ad:
+ e2:05:89:4c:c9:ef:2c:e0:4e:31:69:3f:dd:91:1c:
+ f0:b0:25:4c:3e:84:8a:ea:5e:03:b3:a8:cd:90:1a:
+ 1e:c8:e0:af:fe:11:ed:21:06:bd:3c:5e:08:a1:93:
+ e2:41:43:43:38:d3:21:b3:4c:fa:85:8b:43:57:60:
+ 5d:bb:a0:78:e5:33:47:a8:33:76:be:df:6e:63:61:
+ e3:31:8b:5d:8e:0c:c7:f5:c8:91:0c:be:57:c7:f2:
+ bc:be:0b:ba:7a:1f:f6:19:f1:eb:00:74:c1:12:c2:
+ dc:2b:2e:8d:f0:0a:ff:7f:e8:60:08:90:ba:51:fc:
+ d0:90:11:37:f3:9e:44:b6:64:43:69:5d:61:d3:e1:
+ 8d:77
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 03:7A:DF:0C:DF:DC:93:3D:F7:A5:CC:27:7B:DC:22:F6:E9:55:97:F0
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/LIR2/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/RIR.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64544
+
+ sbgp-ipAddrBlock: critical
+ IPv6:
+ 2001:db8:0:0:0:0:0:44-2001:db8:0:0:0:0:0:100
+ 2001:db8:0:0:0:10:0:44/128
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 5c:f7:ec:cb:ed:16:f2:e4:e2:cd:ca:e8:3c:ae:2f:9d:16:7e:
+ 8b:f1:e7:bf:db:ef:44:85:95:15:ed:d7:8e:99:a5:9d:f5:98:
+ 9e:c2:96:c4:c7:78:23:9a:36:fe:aa:9f:d5:fc:dc:b4:cc:b5:
+ 25:21:79:cd:74:e9:a8:95:b2:05:c4:4f:a0:37:d1:16:b5:bd:
+ 48:de:9b:b1:c1:91:d7:a3:e3:7f:bb:af:ed:59:21:57:1d:ef:
+ 20:ed:a2:4d:a9:34:35:0c:05:a4:cb:8a:8a:08:d6:16:53:07:
+ 9f:a4:63:29:0e:9d:ed:69:34:3f:6e:35:53:8c:90:11:17:36:
+ 75:96:ea:f1:34:fa:d7:73:7c:0c:ab:95:44:d1:a5:e9:85:74:
+ 05:f8:5c:f6:70:6c:94:c2:ea:61:e1:6a:94:f4:b8:66:8d:c3:
+ c5:0e:f5:47:a2:8a:1e:40:f1:30:97:b0:e1:de:e4:89:95:a3:
+ f6:a0:56:64:9f:e6:63:23:24:f5:41:4f:36:01:c2:50:2f:99:
+ dc:53:e8:e0:b0:eb:bd:1d:8d:28:3f:ce:b5:0b:68:2b:a2:cf:
+ e2:14:53:ae:10:2a:3e:51:00:96:5c:09:b5:41:97:fb:ba:19:
+ 94:d4:3e:74:f3:65:9d:bf:0b:77:45:7a:1d:1c:aa:74:f2:ea:
+ 53:a6:92:6d
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/2E.pem b/rpkid/resource-cert-samples/RIR/2E.pem
new file mode 100644
index 00000000..272d774d
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/2E.pem
@@ -0,0 +1,94 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 46 (0x2e)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Oct 29 16:03:51 2007 GMT
+ Not After : Oct 28 16:03:51 2008 GMT
+ Subject: CN=TEST ENTITY LIR1
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:af:5d:1c:f9:d9:bb:d5:01:e1:5b:36:cc:51:f6:
+ fd:86:57:60:aa:9e:c7:ec:4e:05:af:fb:51:5c:7a:
+ c2:58:c4:a8:57:ae:14:62:e9:bc:b6:72:7d:cf:49:
+ c8:4a:40:82:4a:f4:3e:30:b5:94:25:9e:6c:78:81:
+ 57:43:d6:85:02:8d:d1:9c:b5:d7:34:2f:e2:a9:7d:
+ 18:27:b5:47:9a:42:16:c8:90:7f:96:2c:dd:b8:98:
+ 17:1f:77:62:4a:08:00:2d:e0:73:0c:39:37:ba:0f:
+ a7:59:59:4c:7c:cd:e2:5c:d7:98:36:10:6c:88:3e:
+ 45:99:a6:88:2f:f6:7f:31:49:ba:42:2b:13:79:c2:
+ b2:f1:09:d9:ad:37:a4:41:b6:6d:46:a1:18:05:a0:
+ 53:07:8e:e0:98:b2:d1:fd:67:68:77:64:d5:f3:fe:
+ 1d:22:36:9e:26:5a:1a:aa:18:94:c3:2c:7e:9a:af:
+ be:2c:9d:5e:75:2c:49:d6:37:2b:06:1f:cc:63:97:
+ 7e:ee:2c:5f:67:af:4d:62:3e:7a:1f:0c:e1:1e:02:
+ f2:d2:06:75:ae:3f:11:bc:8e:0f:13:64:38:14:36:
+ 1d:5d:02:ec:af:65:d5:b9:68:f4:22:66:2b:ef:47:
+ 5b:ad:3b:f2:af:b6:71:0c:94:56:8a:7c:01:36:f0:
+ 3a:3f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 8A:94:17:F9:53:F2:5B:94:54:56:DF:76:51:13:29:F6:71:19:A8:B3
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/LIR1/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/RIR.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64533
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 192.0.2.1-192.0.2.33
+ 192.0.2.44-192.0.2.100
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 51:ad:f6:e5:8b:1c:98:ed:f8:31:15:2c:ec:d5:be:9e:97:0d:
+ 4a:f8:ab:6d:dd:35:6c:57:d1:d7:f1:c6:e4:c7:1d:b9:e6:c9:
+ 5b:92:21:ec:64:79:9d:83:0f:5d:5e:5c:20:1b:8f:01:d5:a8:
+ e3:5f:7e:c3:0c:c2:3c:80:f7:f0:aa:e6:ff:c7:6a:16:7f:e7:
+ 94:dc:69:42:1b:dd:36:f0:45:61:f5:cd:1f:a7:6f:20:04:af:
+ 1e:6e:84:76:00:e2:6a:8d:02:81:31:a4:5f:3f:41:62:7a:87:
+ 21:0b:da:08:6a:d3:90:4b:fe:c3:48:99:92:23:c9:f6:35:0b:
+ d8:48:9d:44:8c:e5:26:79:62:7a:78:c6:4b:18:42:65:0b:63:
+ a0:63:18:15:e6:8d:1d:93:12:15:eb:c3:93:c8:7d:10:5a:8f:
+ 49:c5:a4:53:95:11:5c:db:f5:26:b7:2f:90:bd:6e:76:84:f9:
+ 57:90:96:f5:25:75:7f:18:c6:4c:bb:aa:6a:ce:72:6d:0a:a7:
+ 59:11:ea:9e:6f:b5:1f:5d:c9:db:f5:56:74:fe:ca:60:62:80:
+ b5:b1:6c:e7:24:d6:c4:c1:b0:05:0b:76:31:af:82:07:2d:9a:
+ a2:75:4d:18:54:0e:24:29:22:2d:02:ba:bd:51:cd:f0:02:6e:
+ 5b:6e:12:f8
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/2F.pem b/rpkid/resource-cert-samples/RIR/2F.pem
new file mode 100644
index 00000000..d7154c7c
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/2F.pem
@@ -0,0 +1,100 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 47 (0x2f)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Oct 29 16:32:33 2007 GMT
+ Not After : Oct 28 16:32:33 2008 GMT
+ Subject: CN=TEST ENTITY RIR
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:ac:a7:26:c4:98:68:99:b6:f2:e7:c5:97:05:7e:
+ f9:d7:f2:ec:39:e6:2b:8e:c2:42:88:b9:8f:22:b6:
+ 3c:59:b0:0e:8a:1d:0e:f8:81:b1:c8:ff:4a:8a:1a:
+ 43:bc:78:91:3e:af:b2:b0:95:60:a9:3e:9d:c2:ff:
+ 99:8f:8f:b6:dc:d8:46:b7:86:35:a6:f6:42:05:c2:
+ c5:9b:84:15:e2:58:0f:70:9c:bc:53:d7:28:76:f8:
+ f2:14:79:22:bd:d6:8b:6c:0e:2b:02:e5:d8:f3:33:
+ fa:16:43:9b:80:87:f9:b2:45:ab:bd:7d:14:b2:24:
+ 2f:41:13:6f:45:c4:dc:f9:4d:7f:d8:d3:e1:aa:5c:
+ 52:9d:c9:7a:38:b7:b0:43:bd:b7:6a:37:43:ec:e7:
+ 34:c4:3b:4c:ca:cc:7b:1f:91:ef:ab:d4:35:76:42:
+ 82:d4:f5:79:e0:12:3c:24:92:2e:dc:a2:5c:83:f0:
+ 71:8a:26:96:30:d4:b8:96:4d:00:2c:1a:f0:0f:79:
+ 52:c7:27:73:54:77:c1:86:f9:86:61:ce:e0:69:a7:
+ a8:3d:77:39:e7:24:ee:41:8d:52:19:3b:57:8c:84:
+ cc:9a:d5:05:7c:e6:83:2c:e3:13:6d:66:1b:87:20:
+ 82:47:e1:05:26:f0:3b:29:69:6d:bc:af:48:91:c4:
+ 40:f1
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ FB:B8:A7:A3:36:48:0A:A0:9F:F0:2E:DC:8B:68:BC:B3:5C:45:25:D7
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/RIR/
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64533-64540
+ 64544
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 10.0.0.0/24
+ 10.3.0.0/24
+ 192.0.2.1-192.0.2.33
+ 192.0.2.44-192.0.2.100
+ IPv6:
+ 2001:db8:0:0:0:0:0:44-2001:db8:0:0:0:0:0:100
+ 2001:db8:0:0:0:0:a00::/120
+ 2001:db8:0:0:0:0:a03::/120
+ 2001:db8:0:0:0:10:0:44/128
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 90:3c:6e:1d:89:9d:00:53:b4:b1:36:ea:2b:cf:21:d5:b2:77:
+ 66:be:da:ad:db:92:35:0d:83:55:f5:92:11:73:93:af:1a:ec:
+ 1d:7a:1a:84:8f:c0:61:29:f1:51:c7:a6:7c:95:7c:a8:38:40:
+ 57:6b:fc:51:38:fd:6b:8a:7a:58:d8:c6:36:a5:0d:9b:7a:b9:
+ b4:47:e1:a5:fc:66:b6:51:22:45:50:94:b4:f2:47:f2:a2:29:
+ 6a:33:6a:3c:26:44:c5:5a:17:ce:7a:f3:4a:46:0e:f4:fd:36:
+ 01:7c:c5:1e:59:bc:3a:e7:36:f3:64:d4:0c:7a:f7:6a:ef:11:
+ ae:32:5a:77:62:b3:e4:b3:9e:16:9f:11:28:cb:11:dd:79:ff:
+ a5:b8:3e:3f:fd:df:34:92:2f:f4:0e:d2:50:a8:80:a1:17:91:
+ 50:c7:d3:af:c5:6e:d8:ca:cd:28:e0:92:28:b3:c4:13:39:9d:
+ fc:a1:57:61:22:22:70:57:27:5f:33:72:17:a8:04:89:9d:44:
+ 9b:7d:1a:66:10:19:f3:b9:9c:17:48:22:71:c6:a5:e0:ba:00:
+ ab:a4:01:bb:c7:2b:8f:0f:25:8a:20:71:21:4f:c0:74:34:14:
+ e5:23:3a:70:48:c2:04:9a:93:97:29:f9:39:7b:ac:1a:e4:2b:
+ 0d:13:b6:b7
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/30.pem b/rpkid/resource-cert-samples/RIR/30.pem
new file mode 100644
index 00000000..c466f22e
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/30.pem
@@ -0,0 +1,98 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 48 (0x30)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Oct 29 16:32:33 2007 GMT
+ Not After : Oct 28 16:32:33 2008 GMT
+ Subject: CN=TEST ENTITY LIR3
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:a3:21:57:61:64:af:11:18:d4:cb:de:a6:dc:ad:
+ d9:2c:0f:0f:58:9f:7e:c8:85:55:11:26:4c:7c:f0:
+ 6b:68:1a:9e:6a:0c:8f:e6:dc:3d:83:58:2a:cc:77:
+ ac:19:73:6f:5a:f3:6e:24:ac:cd:1a:dc:1d:0b:4c:
+ 44:f5:6d:8b:0a:17:3d:86:f9:e8:fe:e6:60:e5:9f:
+ 40:6a:e5:94:e8:9a:56:17:17:1c:ab:c1:8c:37:40:
+ 2b:55:bf:2c:5e:dc:8d:ca:25:7f:8a:5f:ee:fb:16:
+ 86:eb:e0:08:d3:26:e5:e3:70:c5:0c:6b:fb:1b:8f:
+ 6b:5c:f6:e2:4a:58:a5:35:01:ea:05:1b:3e:ce:84:
+ be:b5:3f:6d:18:16:4b:68:e5:79:4c:88:7d:b6:a5:
+ 65:a3:3a:c2:32:dc:ad:8f:8a:05:ee:f6:e9:7a:80:
+ da:12:a9:0f:5a:b5:d2:d3:31:ac:3e:d3:19:25:2d:
+ 28:de:79:6c:ce:fd:77:66:d5:e3:2f:a9:cb:f9:85:
+ 8c:20:bb:a2:86:23:f0:93:95:20:04:78:c7:c7:07:
+ a6:fe:f0:f4:45:bb:cf:78:2b:dd:ce:9c:08:a5:46:
+ 68:10:4c:d7:05:62:6c:86:5a:2d:7f:06:38:c2:4d:
+ bb:44:87:00:43:79:d2:8f:f3:6b:b2:f4:5c:1c:b9:
+ 68:01
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 98:BE:04:FF:80:D1:AB:95:39:AA:3D:F2:0E:67:7D:00:AD:A3:FD:C5
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/LIR3/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/RIR.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64534-64540
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 10.0.0.0/24
+ 10.3.0.0/24
+ IPv6:
+ 2001:db8:0:0:0:0:a00::/120
+ 2001:db8:0:0:0:0:a03::/120
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 18:25:58:2e:ac:98:93:f2:ce:b9:cf:fe:31:1d:4e:a4:64:bc:
+ f6:59:19:88:af:01:cb:72:68:04:4a:41:5f:d6:dc:86:f6:c3:
+ a3:83:06:ba:96:4c:fd:eb:26:a5:5d:64:07:08:fa:87:94:df:
+ 00:b2:44:2e:dd:23:f6:cb:6b:80:b4:65:3d:61:e1:4c:3f:de:
+ db:a1:90:0f:da:0d:f1:cc:7c:72:1d:0e:07:50:87:3b:76:4b:
+ 17:06:67:b8:a4:65:4e:94:7c:1e:e0:3f:99:3f:90:8e:9a:c5:
+ 42:6f:35:bb:78:48:6b:0f:83:59:b9:57:70:94:dc:ad:d9:c4:
+ c0:bb:72:9c:c4:0d:e9:d8:69:7b:f1:dc:72:52:95:38:3c:6c:
+ c0:ed:e9:19:f3:48:9c:e5:60:d9:46:55:66:ab:b2:fb:bd:cd:
+ f0:c3:43:eb:48:1a:86:1f:71:6a:b6:11:65:e2:88:43:ab:4e:
+ 69:a3:a7:ba:5c:09:f6:30:c5:93:f3:6a:72:be:9a:cf:5f:ba:
+ ea:3a:76:4f:43:03:13:12:4f:a6:ca:ed:c5:09:2f:2d:be:4a:
+ 02:50:05:7d:f5:2c:61:af:1b:79:31:ad:b1:3b:4c:61:b0:99:
+ 9f:95:19:ab:71:5f:b0:df:0f:9b:bf:38:42:a6:38:b3:a8:e8:
+ 2c:c1:68:13
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/31.pem b/rpkid/resource-cert-samples/RIR/31.pem
new file mode 100644
index 00000000..dcc97dd1
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/31.pem
@@ -0,0 +1,95 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 49 (0x31)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Oct 29 16:32:33 2007 GMT
+ Not After : Oct 28 16:32:33 2008 GMT
+ Subject: CN=TEST ENTITY LIR2
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:f1:18:b6:79:0b:35:c5:83:64:48:83:31:03:9e:
+ e7:72:28:65:b1:ac:61:e1:77:2e:c0:4d:f0:b1:1c:
+ 61:d8:cc:5a:2d:c7:0b:9b:78:7a:3e:fd:37:ad:fa:
+ b0:73:0b:9c:fc:bb:6f:60:ea:38:ef:ae:d1:27:b8:
+ 81:59:0f:b3:e7:d0:67:b2:a2:f5:4f:e2:04:c6:cc:
+ 13:9f:33:28:35:96:7a:db:ce:ac:9d:d3:64:3d:b8:
+ 44:bc:cb:43:22:92:d6:3c:2e:bf:97:6e:39:6a:6e:
+ 68:93:5d:1c:a8:58:b7:a3:7a:26:44:fe:fe:30:ad:
+ e2:05:89:4c:c9:ef:2c:e0:4e:31:69:3f:dd:91:1c:
+ f0:b0:25:4c:3e:84:8a:ea:5e:03:b3:a8:cd:90:1a:
+ 1e:c8:e0:af:fe:11:ed:21:06:bd:3c:5e:08:a1:93:
+ e2:41:43:43:38:d3:21:b3:4c:fa:85:8b:43:57:60:
+ 5d:bb:a0:78:e5:33:47:a8:33:76:be:df:6e:63:61:
+ e3:31:8b:5d:8e:0c:c7:f5:c8:91:0c:be:57:c7:f2:
+ bc:be:0b:ba:7a:1f:f6:19:f1:eb:00:74:c1:12:c2:
+ dc:2b:2e:8d:f0:0a:ff:7f:e8:60:08:90:ba:51:fc:
+ d0:90:11:37:f3:9e:44:b6:64:43:69:5d:61:d3:e1:
+ 8d:77
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 03:7A:DF:0C:DF:DC:93:3D:F7:A5:CC:27:7B:DC:22:F6:E9:55:97:F0
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/LIR2/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/RIR.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64544
+
+ sbgp-ipAddrBlock: critical
+ IPv6:
+ 2001:db8:0:0:0:0:0:44-2001:db8:0:0:0:0:0:100
+ 2001:db8:0:0:0:10:0:44/128
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 02:2b:a6:e7:ef:15:1e:a6:bf:dc:1f:4e:c5:5d:41:de:c2:82:
+ 03:1b:94:25:3e:35:3f:ed:ac:cc:25:49:cb:f2:a3:91:cb:33:
+ 72:3a:ef:f8:93:24:42:f9:3e:13:5d:50:07:6c:00:40:60:80:
+ 06:22:db:07:43:d2:58:17:37:bd:22:89:d2:8d:9f:a0:e3:7e:
+ 10:cd:e7:98:3d:4e:fa:5a:8b:05:23:b1:c6:88:9c:41:72:a9:
+ b7:7c:b8:a2:37:9f:76:6f:98:23:e2:90:02:75:dc:94:ae:3f:
+ 72:1d:51:53:f3:dc:ec:a1:00:28:6e:13:5f:66:4f:6e:4a:61:
+ c1:0e:4e:b9:db:4e:11:bc:d9:57:fd:07:05:6e:05:5d:7a:52:
+ ae:7f:d5:50:cf:e3:6b:ff:87:03:9f:6c:b2:aa:f4:28:c3:75:
+ 6d:09:bf:31:da:cb:40:fa:8f:ed:15:32:59:a7:9e:5b:8b:0d:
+ b2:4b:f1:1d:fd:37:ac:dc:6b:56:b5:64:1b:ce:56:12:41:e0:
+ d6:ff:7e:f4:84:f5:27:42:a2:2c:c5:b7:47:14:e1:f9:84:80:
+ a9:6e:cf:5f:64:40:ac:36:6e:03:f2:db:ae:e2:bf:ba:d4:98:
+ 99:35:21:6f:5d:d9:db:f1:a9:1b:dc:13:11:aa:86:e7:a8:bc:
+ aa:ee:dd:ce
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/32.pem b/rpkid/resource-cert-samples/RIR/32.pem
new file mode 100644
index 00000000..348c6275
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/32.pem
@@ -0,0 +1,94 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 50 (0x32)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=TEST ENTITY RIR
+ Validity
+ Not Before: Oct 29 16:32:33 2007 GMT
+ Not After : Oct 28 16:32:33 2008 GMT
+ Subject: CN=TEST ENTITY LIR1
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:af:5d:1c:f9:d9:bb:d5:01:e1:5b:36:cc:51:f6:
+ fd:86:57:60:aa:9e:c7:ec:4e:05:af:fb:51:5c:7a:
+ c2:58:c4:a8:57:ae:14:62:e9:bc:b6:72:7d:cf:49:
+ c8:4a:40:82:4a:f4:3e:30:b5:94:25:9e:6c:78:81:
+ 57:43:d6:85:02:8d:d1:9c:b5:d7:34:2f:e2:a9:7d:
+ 18:27:b5:47:9a:42:16:c8:90:7f:96:2c:dd:b8:98:
+ 17:1f:77:62:4a:08:00:2d:e0:73:0c:39:37:ba:0f:
+ a7:59:59:4c:7c:cd:e2:5c:d7:98:36:10:6c:88:3e:
+ 45:99:a6:88:2f:f6:7f:31:49:ba:42:2b:13:79:c2:
+ b2:f1:09:d9:ad:37:a4:41:b6:6d:46:a1:18:05:a0:
+ 53:07:8e:e0:98:b2:d1:fd:67:68:77:64:d5:f3:fe:
+ 1d:22:36:9e:26:5a:1a:aa:18:94:c3:2c:7e:9a:af:
+ be:2c:9d:5e:75:2c:49:d6:37:2b:06:1f:cc:63:97:
+ 7e:ee:2c:5f:67:af:4d:62:3e:7a:1f:0c:e1:1e:02:
+ f2:d2:06:75:ae:3f:11:bc:8e:0f:13:64:38:14:36:
+ 1d:5d:02:ec:af:65:d5:b9:68:f4:22:66:2b:ef:47:
+ 5b:ad:3b:f2:af:b6:71:0c:94:56:8a:7c:01:36:f0:
+ 3a:3f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 8A:94:17:F9:53:F2:5B:94:54:56:DF:76:51:13:29:F6:71:19:A8:B3
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombats-r-us.hactrn.net/LIR1/
+
+ Authority Information Access:
+ CA Issuers - URI:rsync://wombats-r-us.hactrn.net/RIR.cer
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 64533
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 192.0.2.1-192.0.2.33
+ 192.0.2.44-192.0.2.100
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 71:ca:3c:b4:39:4f:ec:c2:ba:bd:c4:e5:9d:b8:9e:12:5a:0d:
+ af:f6:e0:f5:65:0c:54:ac:5c:17:d2:29:92:a4:84:ea:47:09:
+ 53:75:52:7c:af:67:11:7b:fb:35:14:77:9e:8e:34:a9:39:5a:
+ 87:65:7f:5e:e7:81:80:82:4b:b2:e4:07:c3:7d:1e:bf:0a:31:
+ ff:43:9c:66:31:b0:19:0a:ea:52:14:67:62:f6:91:15:5c:d4:
+ da:f7:bb:87:1c:9d:31:4c:0d:8c:f6:c9:1c:44:68:21:09:49:
+ a9:d7:cc:7f:54:c2:cd:44:09:98:e9:7c:73:a3:9d:36:38:e8:
+ e2:bd:16:19:94:fd:97:ff:91:ca:62:22:1a:ff:f7:2c:a0:b9:
+ 79:a4:07:84:37:bb:50:8b:6a:6b:25:9a:8e:3c:fb:4f:09:2b:
+ e1:75:c4:d4:2e:73:a2:cd:ce:f5:83:3c:a5:ca:33:f6:c8:39:
+ f8:dd:78:3f:61:05:7a:ae:09:3c:d4:bc:b1:4e:0d:4d:83:f8:
+ 77:6c:a0:ea:6d:e6:5d:df:c4:e4:e0:7f:0f:9c:da:d0:f1:3b:
+ 37:05:e4:77:1f:54:7b:d0:57:6d:55:dd:ba:41:ba:4b:90:df:
+ 54:8e:a3:cd:0c:a8:ae:c9:09:e8:02:a6:23:e3:f9:62:f8:0e:
+ 39:f7:87:f9
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/resource-cert-samples/RIR/index b/rpkid/resource-cert-samples/RIR/index
new file mode 100644
index 00000000..66733b3b
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/index
@@ -0,0 +1,50 @@
+V 080731054523Z 01 unknown /CN=TEST ENTITY RIR
+V 080731054524Z 02 unknown /CN=TEST ENTITY LIR2
+V 080731054525Z 03 unknown /CN=TEST ENTITY LIR1
+V 080731140529Z 04 unknown /CN=TEST ENTITY RIR
+V 080731140529Z 05 unknown /CN=TEST ENTITY LIR2
+V 080731140529Z 06 unknown /CN=TEST ENTITY LIR1
+V 080731140829Z 07 unknown /CN=TEST ENTITY RIR
+V 080731140829Z 08 unknown /CN=TEST ENTITY LIR2
+V 080731140829Z 09 unknown /CN=TEST ENTITY LIR1
+V 080731140934Z 0A unknown /CN=TEST ENTITY RIR
+V 080731140934Z 0B unknown /CN=TEST ENTITY LIR2
+V 080731140934Z 0C unknown /CN=TEST ENTITY LIR1
+V 080731144816Z 0D unknown /CN=TEST ENTITY RIR
+V 080731144818Z 0E unknown /CN=TEST ENTITY LIR3
+V 080731144818Z 0F unknown /CN=TEST ENTITY LIR2
+V 080731144818Z 10 unknown /CN=TEST ENTITY LIR1
+V 080808233059Z 11 unknown /CN=TEST ENTITY RIR
+V 080808233548Z 12 unknown /CN=TEST ENTITY RIR
+V 080809005817Z 13 unknown /CN=TEST ENTITY RIR
+V 080809005817Z 14 unknown /CN=TEST ENTITY LIR3
+V 080809005817Z 15 unknown /CN=TEST ENTITY LIR2
+V 080809005817Z 16 unknown /CN=TEST ENTITY LIR1
+V 080809010231Z 17 unknown /CN=TEST ENTITY RIR
+V 080809010231Z 18 unknown /CN=TEST ENTITY LIR3
+V 080809010231Z 19 unknown /CN=TEST ENTITY LIR2
+V 080809010231Z 1A unknown /CN=TEST ENTITY LIR1
+V 080809010708Z 1B unknown /CN=TEST ENTITY RIR
+V 080809010708Z 1C unknown /CN=TEST ENTITY LIR3
+V 080809010708Z 1D unknown /CN=TEST ENTITY LIR2
+V 080809010708Z 1E unknown /CN=TEST ENTITY LIR1
+V 080809011339Z 1F unknown /CN=TEST ENTITY RIR
+V 080809011339Z 20 unknown /CN=TEST ENTITY LIR3
+V 080809011339Z 21 unknown /CN=TEST ENTITY LIR2
+V 080809011339Z 22 unknown /CN=TEST ENTITY LIR1
+V 080809011509Z 23 unknown /CN=TEST ENTITY RIR
+V 080809011510Z 24 unknown /CN=TEST ENTITY LIR3
+V 080809011510Z 25 unknown /CN=TEST ENTITY LIR2
+V 080809011510Z 26 unknown /CN=TEST ENTITY LIR1
+V 081018190607Z 27 unknown /CN=TEST ENTITY RIR
+V 081018190607Z 28 unknown /CN=TEST ENTITY LIR3
+V 081018190607Z 29 unknown /CN=TEST ENTITY LIR2
+V 081018190607Z 2A unknown /CN=TEST ENTITY LIR1
+V 081028160351Z 2B unknown /CN=TEST ENTITY RIR
+V 081028160351Z 2C unknown /CN=TEST ENTITY LIR3
+V 081028160351Z 2D unknown /CN=TEST ENTITY LIR2
+V 081028160351Z 2E unknown /CN=TEST ENTITY LIR1
+V 081028163233Z 2F unknown /CN=TEST ENTITY RIR
+V 081028163233Z 30 unknown /CN=TEST ENTITY LIR3
+V 081028163233Z 31 unknown /CN=TEST ENTITY LIR2
+V 081028163233Z 32 unknown /CN=TEST ENTITY LIR1
diff --git a/rpkid/resource-cert-samples/RIR/index.attr b/rpkid/resource-cert-samples/RIR/index.attr
new file mode 100644
index 00000000..3a7e39e6
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/index.attr
@@ -0,0 +1 @@
+unique_subject = no
diff --git a/rpkid/resource-cert-samples/RIR/index.attr.old b/rpkid/resource-cert-samples/RIR/index.attr.old
new file mode 100644
index 00000000..3a7e39e6
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/index.attr.old
@@ -0,0 +1 @@
+unique_subject = no
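Review bot: `index.attr.old`, and likewise `index.old` and `serial.old` further down, look like the previous-state backups that the CA tooling leaves behind when it updates its database rather than sample material. `index.attr.old` has the same blob id as `index.attr` (`3a7e39e6`), `index.old` is `index` without the final `32` entry, and `serial.old` holds `32` against `33` in `serial`. They add nothing a reader of the samples needs and will churn on every re-issue, so I would drop the three files from the commit and keep them out with an ignore pattern such as `*.old` for this directory. If the directory is instead meant as a literal snapshot of the CA working state, one sentence saying so in the commit message would be enough.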
diff --git a/rpkid/resource-cert-samples/RIR/index.old b/rpkid/resource-cert-samples/RIR/index.old
new file mode 100644
index 00000000..e5d3f927
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/index.old
@@ -0,0 +1,49 @@
+V 080731054523Z 01 unknown /CN=TEST ENTITY RIR
+V 080731054524Z 02 unknown /CN=TEST ENTITY LIR2
+V 080731054525Z 03 unknown /CN=TEST ENTITY LIR1
+V 080731140529Z 04 unknown /CN=TEST ENTITY RIR
+V 080731140529Z 05 unknown /CN=TEST ENTITY LIR2
+V 080731140529Z 06 unknown /CN=TEST ENTITY LIR1
+V 080731140829Z 07 unknown /CN=TEST ENTITY RIR
+V 080731140829Z 08 unknown /CN=TEST ENTITY LIR2
+V 080731140829Z 09 unknown /CN=TEST ENTITY LIR1
+V 080731140934Z 0A unknown /CN=TEST ENTITY RIR
+V 080731140934Z 0B unknown /CN=TEST ENTITY LIR2
+V 080731140934Z 0C unknown /CN=TEST ENTITY LIR1
+V 080731144816Z 0D unknown /CN=TEST ENTITY RIR
+V 080731144818Z 0E unknown /CN=TEST ENTITY LIR3
+V 080731144818Z 0F unknown /CN=TEST ENTITY LIR2
+V 080731144818Z 10 unknown /CN=TEST ENTITY LIR1
+V 080808233059Z 11 unknown /CN=TEST ENTITY RIR
+V 080808233548Z 12 unknown /CN=TEST ENTITY RIR
+V 080809005817Z 13 unknown /CN=TEST ENTITY RIR
+V 080809005817Z 14 unknown /CN=TEST ENTITY LIR3
+V 080809005817Z 15 unknown /CN=TEST ENTITY LIR2
+V 080809005817Z 16 unknown /CN=TEST ENTITY LIR1
+V 080809010231Z 17 unknown /CN=TEST ENTITY RIR
+V 080809010231Z 18 unknown /CN=TEST ENTITY LIR3
+V 080809010231Z 19 unknown /CN=TEST ENTITY LIR2
+V 080809010231Z 1A unknown /CN=TEST ENTITY LIR1
+V 080809010708Z 1B unknown /CN=TEST ENTITY RIR
+V 080809010708Z 1C unknown /CN=TEST ENTITY LIR3
+V 080809010708Z 1D unknown /CN=TEST ENTITY LIR2
+V 080809010708Z 1E unknown /CN=TEST ENTITY LIR1
+V 080809011339Z 1F unknown /CN=TEST ENTITY RIR
+V 080809011339Z 20 unknown /CN=TEST ENTITY LIR3
+V 080809011339Z 21 unknown /CN=TEST ENTITY LIR2
+V 080809011339Z 22 unknown /CN=TEST ENTITY LIR1
+V 080809011509Z 23 unknown /CN=TEST ENTITY RIR
+V 080809011510Z 24 unknown /CN=TEST ENTITY LIR3
+V 080809011510Z 25 unknown /CN=TEST ENTITY LIR2
+V 080809011510Z 26 unknown /CN=TEST ENTITY LIR1
+V 081018190607Z 27 unknown /CN=TEST ENTITY RIR
+V 081018190607Z 28 unknown /CN=TEST ENTITY LIR3
+V 081018190607Z 29 unknown /CN=TEST ENTITY LIR2
+V 081018190607Z 2A unknown /CN=TEST ENTITY LIR1
+V 081028160351Z 2B unknown /CN=TEST ENTITY RIR
+V 081028160351Z 2C unknown /CN=TEST ENTITY LIR3
+V 081028160351Z 2D unknown /CN=TEST ENTITY LIR2
+V 081028160351Z 2E unknown /CN=TEST ENTITY LIR1
+V 081028163233Z 2F unknown /CN=TEST ENTITY RIR
+V 081028163233Z 30 unknown /CN=TEST ENTITY LIR3
+V 081028163233Z 31 unknown /CN=TEST ENTITY LIR2
diff --git a/rpkid/resource-cert-samples/RIR/serial b/rpkid/resource-cert-samples/RIR/serial
new file mode 100644
index 00000000..bb95160c
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/serial
@@ -0,0 +1 @@
+33
diff --git a/rpkid/resource-cert-samples/RIR/serial.old b/rpkid/resource-cert-samples/RIR/serial.old
new file mode 100644
index 00000000..f5c89552
--- /dev/null
+++ b/rpkid/resource-cert-samples/RIR/serial.old
@@ -0,0 +1 @@
+32
diff --git a/rpkid/rootd.cer b/rpkid/rootd.cer
new file mode 100644
index 00000000..205fee80
--- /dev/null
+++ b/rpkid/rootd.cer
@@ -0,0 +1,93 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ a7:85:aa:b9:ac:55:06:68
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=Completely Bogus Test Root (NOT FOR PRODUCTION USE)
+ Validity
+ Not Before: Nov 7 01:24:37 2007 GMT
+ Not After : Dec 7 01:24:37 2007 GMT
+ Subject: CN=Completely Bogus Test Root (NOT FOR PRODUCTION USE)
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:b1:b5:66:85:a4:cc:91:81:15:0c:de:bf:dc:fe:
+ 53:bd:34:20:ed:b0:3b:be:25:8c:1e:ab:da:07:20:
+ cd:c3:c0:22:22:1a:0e:dc:38:c8:3a:c2:35:23:9a:
+ 1f:91:32:ea:29:53:fc:be:4a:ce:f1:c2:23:44:16:
+ 0d:cc:9c:c5:02:b7:06:53:46:b1:20:60:c2:73:3c:
+ f8:c2:61:15:c5:c8:65:b9:cd:5d:56:ef:03:e9:44:
+ 80:27:f1:f8:d5:28:d6:f1:be:6b:51:d8:5e:24:26:
+ 8e:5e:29:2d:3d:6b:ac:1c:ce:d9:d1:51:00:22:2c:
+ fb:64:a4:c4:4d:0c:ce:45:10:a0:d6:a1:b5:ac:fa:
+ 4f:1d:41:78:f8:6c:87:8b:e4:52:0c:25:66:6b:75:
+ 42:1e:10:a6:fe:e6:17:2f:ad:07:f7:bc:a8:f3:57:
+ c9:1c:b4:95:e7:f1:19:2d:ab:a6:ef:6d:b2:dd:6e:
+ fe:c2:bb:1a:1c:d5:dd:21:e9:d7:92:27:0b:bb:df:
+ f0:3b:6e:ad:f1:21:55:d1:6e:e2:cc:0b:05:0f:25:
+ 5a:4a:5b:d2:9b:74:f0:2f:fc:c3:45:37:68:ac:6a:
+ d5:3b:f6:09:dd:41:fd:f7:48:47:f9:ab:93:2b:79:
+ 8f:47:ae:d9:34:69:42:f8:60:46:a0:52:d7:b2:a3:
+ 17:55
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ BC:C8:FF:91:73:B7:5F:60:75:A9:CC:2A:5C:DC:CE:AC:83:A0:04:F1
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Subject Information Access:
+ 1.3.6.1.5.5.7.48.5 - URI:rsync://wombat.invalid/
+
+ sbgp-autonomousSysNum: critical
+ Autonomous System Numbers:
+ 1-65535
+
+ sbgp-ipAddrBlock: critical
+ IPv4:
+ 0.0.0.0/0
+ IPv6:
+ :/0
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 9b:05:00:c1:1c:2a:4e:5f:52:1e:2a:2b:c5:46:2e:e9:a4:2f:
+ 4c:a8:4a:67:08:56:e9:62:70:7c:0b:48:c2:13:46:89:7b:31:
+ ba:60:ad:0d:62:0d:fe:df:05:f6:2f:ab:73:ae:4a:1a:b0:7a:
+ 77:7a:11:66:a2:09:6c:99:b6:bc:b2:a6:f5:06:e4:8e:d7:4d:
+ 09:a4:0f:35:11:51:1d:22:42:4e:1a:93:a8:fd:dc:b0:d5:d6:
+ 16:cf:30:a8:c4:fa:21:47:c0:97:ed:26:71:e7:a0:05:d2:8d:
+ 68:f0:b9:cb:48:00:da:d4:c2:18:94:b3:fa:22:f8:57:d1:76:
+ b4:7f:b9:b3:95:21:07:1a:56:71:3d:51:6e:2e:cd:93:ff:48:
+ a0:7c:4a:eb:c3:e0:0a:30:19:4e:b4:8d:d0:33:b8:3b:e8:43:
+ dd:c0:76:76:b8:ff:07:ad:10:67:7f:09:d4:54:86:3d:61:87:
+ c4:56:c4:be:f5:4a:9e:5a:aa:35:a3:10:33:ae:86:e6:10:3b:
+ 2a:6b:d7:3d:cb:3e:c8:94:d8:d3:c0:9a:f6:ae:14:f7:1c:f4:
+ 13:2f:14:45:bb:12:55:00:84:1c:e7:24:f0:f2:a8:42:c0:59:
+ 9c:bb:25:ed:f5:fa:46:6f:43:89:2e:e6:ad:75:c1:ff:df:52:
+ 25:85:c3:37
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rpkid/rootd.cnf b/rpkid/rootd.cnf
new file mode 100644
index 00000000..1e400c04
--- /dev/null
+++ b/rpkid/rootd.cnf
@@ -0,0 +1,30 @@
+# $Id$
+#
+# Generate test root resource certificate for use with rootd.py server.
+
+[ req ]
+default_bits = 2048
+encrypt_key = no
+distinguished_name = req_dn
+req_extensions = req_x509_ext
+prompt = no
+
+[ req_dn ]
+CN = Completely Bogus Test Root (NOT FOR PRODUCTION USE)
+
+[ req_x509_ext ]
+basicConstraints = critical,CA:true
+subjectKeyIdentifier = hash
+keyUsage = critical,keyCertSign,cRLSign
+subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombat.invalid/
+sbgp-autonomousSysNum = critical,@req_asid_ext
+sbgp-ipAddrBlock = critical,@req_addr_ext
+
+[ req_asid_ext ]
+
+AS.0 = 1-65535
+
+[ req_addr_ext ]
+
+IPv4.0 = 0.0.0.0/0
+IPv6.0 = 0::/0
diff --git a/rpkid/rootd.key b/rpkid/rootd.key
new file mode 100644
index 00000000..d97fc64d
--- /dev/null
+++ b/rpkid/rootd.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
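Review bot: The private key of the test root is committed here next to rootd.cer, whose resource extensions cover 0.0.0.0/0, all of IPv6 and AS 1-65535. rootd.sh in this same commit already generates rootd.key and rootd.cer when either is missing, so the pair could be left out of the tree and ignored by version control. That keeps a publicly known key from being picked up as a trust anchor outside the test bed. If the files must stay, a README line stating that this key is public and test-only would make the status explicit.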
diff --git a/rpkid/rootd.py b/rpkid/rootd.py
new file mode 100755
index 00000000..212e6469
--- /dev/null
+++ b/rpkid/rootd.py
@@ -0,0 +1,202 @@
+# $Id$
+
+# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+"""
+Trivial RPKI up-down protocol root server, for testing. Not suitable
+for production use. Overrides a bunch of method definitions from the
+rpki.* classes in order to reuse as much code as possible.
+
+Usage: python rootd.py [ { -c | --config } configfile ] [ { -h | --help } ]
+
+Default configuration file is rootd.conf, override with --config option.
+"""
+
+import traceback, os, time, getopt, sys, lxml
+import rpki.resource_set, rpki.up_down, rpki.left_right, rpki.x509
+import rpki.https, rpki.config, rpki.cms, rpki.exceptions, rpki.relaxng
+import rpki.sundial, rpki.log
+
+rpki_subject_lifetime = rpki.sundial.timedelta(days = 30)
+
+def get_subject_cert():
+ try:
+ x = rpki.x509.X509(Auto_file = rpki_subject_filename)
+ return x
+ except IOError:
+ return None
+
+def set_subject_cert(cert):
+ f = open(rpki_subject_filename, "wb")
+ f.write(cert.get_DER())
+ f.close()
+
+def del_subject_cert():
+ os.remove(rpki_subject_filename)
+
+def stash_subject_pkcs10(pkcs10):
+ if rpki_pkcs10_filename:
+ f = open(rpki_pkcs10_filename, "wb")
+ f.write(pkcs10.get_DER())
+ f.close()
+
+def compose_response(r_msg):
+ rc = rpki.up_down.class_elt()
+ rc.class_name = rootd_name
+ rc.cert_url = rpki.up_down.multi_uri(rootd_cert)
+ rc.from_resource_bag(rpki_issuer.get_3779resources())
+ rc.issuer = rpki_issuer
+ r_msg.payload.classes.append(rc)
+ rpki_subject = get_subject_cert()
+ if rpki_subject is not None:
+ rc.certs.append(rpki.up_down.certificate_elt())
+ rc.certs[0].cert_url = rpki.up_down.multi_uri(rootd_cert)
+ rc.certs[0].cert = rpki_subject
+
+class list_pdu(rpki.up_down.list_pdu):
+ def serve_pdu(self, xxx1, q_msg, r_msg, xxx2):
+ r_msg.payload = rpki.up_down.list_response_pdu()
+ compose_response(r_msg)
+
+class issue_pdu(rpki.up_down.issue_pdu):
+ def serve_pdu(self, xxx1, q_msg, r_msg, xxx2):
+ stash_subject_pkcs10(self.pkcs10)
+ self.pkcs10.check_valid_rpki()
+ r_msg.payload = rpki.up_down.issue_response_pdu()
+ rpki_subject = get_subject_cert()
+ if rpki_subject is None:
+ resources = rpki_issuer.get_3779resources()
+ rpki.log.info("Generating subject cert with resources " + str(resources))
+ req_key = self.pkcs10.getPublicKey()
+ req_sia = self.pkcs10.get_SIA()
+ crldp = rootd_base + rpki_issuer.gSKI() + ".crl"
+ set_subject_cert(rpki_issuer.issue(keypair = rpki_key,
+ subject_key = req_key,
+ serial = int(time.time()),
+ sia = req_sia,
+ aia = rootd_cert,
+ crldp = crldp,
+ resources = resources,
+ notAfter = rpki.sundial.datetime.utcnow() + rpki_subject_lifetime))
+ now = rpki.sundial.datetime.utcnow()
+ crl = rpki.x509.CRL.generate(
+ keypair = rpki_key,
+ issuer = rpki_issuer,
+ serial = 1,
+ thisUpdate = now,
+ nextUpdate = now + rpki_subject_lifetime,
+ revokedCertificates = ())
+ f = open(os.path.dirname(rpki_subject_filename) + "/" + rpki_issuer.gSKI() + ".crl", "wb")
+ f.write(crl.get_DER())
+ f.close()
+ compose_response(r_msg)
+
+class revoke_pdu(rpki.up_down.revoke_pdu):
+ def serve_pdu(self, xxx1, q_msg, r_msg, xxx2):
+ rpki_subject = get_subject_cert()
+ if rpki_subject is None or rpki_subject.gSKI() != self.ski:
+ raise rpki.exceptions.NotInDatabase
+ del_subject_cert()
+ r_msg.payload = rpki.up_down.revoke_response_pdu()
+ r_msg.payload.class_name = self.class_name
+ r_msg.payload.ski = self.ski
+
+class message_pdu(rpki.up_down.message_pdu):
+ name2type = {
+ "list" : list_pdu,
+ "list_response" : rpki.up_down.list_response_pdu,
+ "issue" : issue_pdu,
+ "issue_response" : rpki.up_down.issue_response_pdu,
+ "revoke" : revoke_pdu,
+ "revoke_response" : rpki.up_down.revoke_response_pdu,
+ "error_response" : rpki.up_down.error_response_pdu }
+ type2name = dict((v,k) for k,v in name2type.items())
+
+class sax_handler(rpki.sax_utils.handler):
+ def create_top_level(self, name, attrs):
+ return message_pdu()
+
+def up_down_handler(query, path):
+ try:
+ q_elt = rpki.cms.xml_verify(query, cms_ta)
+ rpki.relaxng.up_down.assertValid(q_elt)
+ q_msg = sax_handler.saxify(q_elt)
+ except Exception, data:
+ rpki.log.error(traceback.format_exc())
+ return 400, "Could not process PDU: %s" % data
+ try:
+ r_msg = q_msg.serve_top_level(None, None)
+ r_elt = r_msg.toXML()
+ try:
+ rpki.relaxng.up_down.assertValid(r_elt)
+ except lxml.etree.DocumentInvalid:
+ rpki.log.debug(lxml.etree.tostring(r_elt, pretty_print = True, encoding ="utf-8", xml_declaration = True))
+ raise
+ return 200, rpki.cms.xml_sign(r_elt, cms_key, cms_certs, encoding = "utf-8")
+ except Exception, data:
+ rpki.log.error(traceback.format_exc())
+ try:
+ r_msg = q_msg.serve_error(data)
+ r_elt = r_msg.toXML()
+ rpki.relaxng.up_down.assertValid(r_elt)
+ return 200, rpki.cms.xml_sign(r_elt, cms_key, cms_certs, encoding = "utf-8")
+ except Exception, data:
+ rpki.log.error(traceback.format_exc())
+ return 500, "Could not process PDU: %s" % data
+
+os.environ["TZ"] = "UTC"
+time.tzset()
+
+rpki.log.init("rootd")
+
+cfg_file = "rootd.conf"
+
+opts,argv = getopt.getopt(sys.argv[1:], "c:h?", ["config=", "help"])
+for o,a in opts:
+ if o in ("-h", "--help", "-?"):
+ print __doc__
+ sys.exit(0)
+ if o in ("-c", "--config"):
+ cfg_file = a
+if argv:
+ raise RuntimeError, "Unexpected arguments %s" % argv
+
+cfg = rpki.config.parser(cfg_file, "rootd")
+
+cms_ta = rpki.x509.X509(Auto_file = cfg.get("cms-ta"))
+cms_key = rpki.x509.RSA(Auto_file = cfg.get("cms-key"))
+cms_certs = rpki.x509.X509_chain(Auto_files = cfg.multiget("cms-certs"))
+
+https_key = rpki.x509.RSA(Auto_file = cfg.get("https-key"))
+https_certs = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-certs"))
+
+https_server_host = cfg.get("server-host", "")
+https_server_port = int(cfg.get("server-port"))
+
+rpki_key = rpki.x509.RSA(Auto_file = cfg.get("rpki-key"))
+rpki_issuer = rpki.x509.X509(Auto_file = cfg.get("rpki-issuer"))
+
+rpki_subject_filename = cfg.get("rpki-subject-filename")
+rpki_pkcs10_filename = cfg.get("rpki-pkcs10-filename", "")
+
+rootd_name = cfg.get("rootd_name", "wombat")
+rootd_base = cfg.get("rootd_base", "rsync://" + rootd_name + ".invalid/")
+rootd_cert = cfg.get("rootd_cert", rootd_base + "rootd.cer")
+
+rpki.https.server(privateKey = https_key,
+ certChain = https_certs,
+ host = https_server_host,
+ port = https_server_port,
+ handlers = up_down_handler)
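Review bot: Revocation never reaches the CRL: `revoke_pdu.serve_pdu` only calls `del_subject_cert()`, and the CRL is written solely in `issue_pdu.serve_pdu` with `serial = 1` and `revokedCertificates = ()`. Anyone holding a copy of the deleted certificate would still find it unrevoked, and every CRL this server emits carries the same number. For a test-only root that may be acceptable, but it should be stated where the CRL is built, e.g. `# Test-only: revoked certs are deleted, never listed on the CRL; CRL number is fixed at 1`. The real fix would be to regenerate the CRL from the revoke path, listing the revoked serial under an increasing CRL number.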
diff --git a/rpkid/rootd.sh b/rpkid/rootd.sh
new file mode 100644
index 00000000..50f2e90f
--- /dev/null
+++ b/rpkid/rootd.sh
@@ -0,0 +1,143 @@
+#!/bin/sh -
+# $Id$
+
+# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# Script to test against rootd.py.
+#
+# This blows away rpkid's database and rebuilds it with what we need
+# for this test, and knows far too much about the id numbers that
+# rpkid and mysql will assign. In the long run we must do better than
+# this, but gotta start somewhere.
+
+openssl=../openssl/openssl/apps/openssl
+
+# Halt on first error
+
+set -e
+
+# Generate new key and cert for rootd.py if needed
+
+if test ! -r rootd.cer -o ! -r rootd.key
+then
+ $openssl req -new -newkey rsa:2048 -nodes -keyout rootd.key -out rootd.req -config rootd.cnf
+ $openssl x509 -req -in rootd.req -out rootd.cer -extfile rootd.cnf -extensions req_x509_ext -signkey rootd.key -text -sha256
+ rm -f rootd.req
+fi
+
+# Blow away old rpkid database (!) so we can start clean
+
+mysql -u rpki -p`awk '$1 == "sql-password" {print $3}' rpkid.conf` rpki <../docs/rpki-db-schema.sql
+
+# Start rpkid so we can configure it, make sure we shut it down on exit
+
+python rpkid.py & rpkid=$!
+trap "kill $rpkid" 0 1 2 3 13 15
+
+: Waiting to let rpkid start up; sleep 5
+
+# Create a self instance
+
+time python irbe-cli.py self --action create --crl_interval 84600
+
+# Create a business signing context, issue the necessary business cert, and set up the cert chain
+
+time python irbe-cli.py --pem_out bsc.req bsc --action create --self_id 1 --generate_keypair --signing_cert biz-certs/Bob-CA.cer
+time $openssl x509 -req -in bsc.req -out bsc.cer -CA biz-certs/Bob-CA.cer -CAkey biz-certs/Bob-CA.key -CAserial biz-certs/Bob-CA.srl
+time python irbe-cli.py bsc --action set --self_id 1 --bsc_id 1 --signing_cert bsc.cer
+rm -f bsc.req bsc.cer
+
+# Create a repository context
+
+time python irbe-cli.py repository --self_id 1 --action create --bsc_id 1
+
+# Create a parent context pointing at rootd.py
+
+time python irbe-cli.py parent --self_id 1 --action create --bsc_id 1 --repository_id 1 \
+ --peer_contact_uri https://localhost:44333/ \
+ --cms_ta biz-certs/Elena-Root.cer \
+ --https_ta biz-certs/Elena-Root.cer \
+ --sia_base rsync://wombat.invalid/ \
+ --sender_name tweedledee \
+ --recipient_name tweedledum
+
+# Create a child context
+
+time python irbe-cli.py child --self_id 1 --action create --bsc_id 1 --cms_ta biz-certs/Frank-Root.cer
+
+# Need to link irdb to created child and clear conflicting links.
+# For now, just do this "manually" in MySQL CLI.
+
+echo '
+ UPDATE registrant SET rpki_self_id = NULL, rpki_child_id = NULL;
+ UPDATE registrant SET rpki_self_id = 1, rpki_child_id = 1 WHERE subject_name = "Epilogue Technology Corporation";
+' |
+mysql -u irdb -p`awk '$1 == "sql-password" {print $3}' irbe.conf` irdb
+
+if test "$1" = "run"
+then
+
+ rm -rf publication
+
+ python rootd.py & rootd=$!
+ python irdbd.py & irdbd=$!
+ trap "kill $rpkid $irdbd $rootd" 0 1 2 3 13 15
+
+ : Waiting to let daemons start up; sleep 5
+
+ date; time python cronjob.py
+ date; time python testpoke.py -r list
+ date; time python testpoke.py -r issue
+
+ date; time python cronjob.py
+ date; time python testpoke.py -r list
+ date; time python testpoke.py -r issue
+
+ date; python testpoke.py -r issue |
+ qh |
+ sed -n '/^(certificate/,/^)certificate/s/^-//p' |
+ mimencode -u |
+ $openssl x509 -noout -inform DER -text
+
+ date; time python testpoke.py -r revoke
+ date; time python testpoke.py -r list
+ date; time python cronjob.py
+ date; time python testpoke.py -r list
+
+ date; time python cronjob.py
+ date; time python testpoke.py -r list
+ date; time python testpoke.py -r issue
+
+ date; time python testpoke.py -r revoke
+ date; time python testpoke.py -r list
+ date; time python cronjob.py
+ date; time python testpoke.py -r list
+
+ date; time python testpoke.py -r issue
+ date; time python testpoke.py -r revoke
+ date; time python testpoke.py -r issue
+ date; time python testpoke.py -r revoke
+ date; time python testpoke.py -r issue
+ date; time python testpoke.py -r revoke
+ date; time python testpoke.py -r list
+ date; time python cronjob.py
+ date; time python testpoke.py -r list
+
+ date; time python testpoke.py -r issue
+ date; time python cronjob.py
+ date; time python testpoke.py -r list
+ date
+
+fi
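Review bot: Both `mysql` invocations pass the database password on the command line, built by an unquoted awk command substitution after `-p`. The password can therefore show up in the process list for other local users while the client starts, and a password containing whitespace or glob characters would be split or expanded by the shell. Reading the credentials from a client option file that only the invoking user can read avoids both, e.g. `mysql --defaults-extra-file="$cnf" rpki <../docs/rpki-db-schema.sql`, where `$cnf` is a mode-0600 file written from rpkid.conf. The same applies to the `irdb` call that follows the registrant UPDATE statements.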
diff --git a/rpkid/rootd.yaml b/rpkid/rootd.yaml
new file mode 100644
index 00000000..2ee5dcd4
--- /dev/null
+++ b/rpkid/rootd.yaml
@@ -0,0 +1,24 @@
+# $Id$
+---
+version: 1
+posturl: https://localhost:4401/up-down/1
+recipient-id: "rootd"
+sender-id: "RIR"
+
+cms-cert-file: RIR-RPKI-EE.cer
+cms-key-file: RIR-RPKI-EE.key
+cms-ca-cert-file: rootd-TA.cer
+cms-cert-chain-file: [ RIR-RPKI-CA.cer ]
+
+ssl-cert-file: RIR-RPKI-EE.cer
+ssl-key-file: RIR-RPKI-EE.key
+ssl-ca-cert-file: rootd-TA.cer
+
+requests:
+ list:
+ type: list
+ issue:
+ type: issue
+ class: 1
+ sia:
+ - rsync://localhost:4400/testbed/RIR/
diff --git a/rpkid/rpki/Doxyfile b/rpkid/rpki/Doxyfile
new file mode 100644
index 00000000..276c0967
--- /dev/null
+++ b/rpkid/rpki/Doxyfile
@@ -0,0 +1,1269 @@
+# $Id$
+
+# Doxyfile 1.5.2
+
+# This file describes the settings to be used by the documentation system
+# doxygen (www.doxygen.org) for a project
+#
+# All text after a hash (#) is considered a comment and will be ignored
+# The format is:
+# TAG = value [value, ...]
+# For lists items can also be appended using:
+# TAG += value [value, ...]
+# Values that contain spaces should be placed between quotes (" ")
+
+#---------------------------------------------------------------------------
+# Project related configuration options
+#---------------------------------------------------------------------------
+
+# This tag specifies the encoding used for all characters in the config file that
+# follow. The default is UTF-8 which is also the encoding used for all text before
+# the first occurrence of this tag. Doxygen uses libiconv (or the iconv built into
+# libc) for the transcoding. See http://www.gnu.org/software/libiconv for the list of
+# possible encodings.
+
+DOXYFILE_ENCODING = UTF-8
+
+# The PROJECT_NAME tag is a single word (or a sequence of words surrounded
+# by quotes) that should identify the project.
+
+PROJECT_NAME = "Resource PKI Engine"
+
+# The PROJECT_NUMBER tag can be used to enter a project or revision number.
+# This could be handy for archiving the generated documentation or
+# if some version control system is used.
+
+PROJECT_NUMBER = RPKI
+
+# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute)
+# base path where the generated documentation will be put.
+# If a relative path is entered, it will be relative to the location
+# where doxygen was started. If left blank the current directory will be used.
+
+OUTPUT_DIRECTORY =
+
+# If the CREATE_SUBDIRS tag is set to YES, then doxygen will create
+# 4096 sub-directories (in 2 levels) under the output directory of each output
+# format and will distribute the generated files over these directories.
+# Enabling this option can be useful when feeding doxygen a huge amount of
+# source files, where putting all generated files in the same directory would
+# otherwise cause performance problems for the file system.
+
+CREATE_SUBDIRS = NO
+
+# The OUTPUT_LANGUAGE tag is used to specify the language in which all
+# documentation generated by doxygen is written. Doxygen will use this
+# information to generate all constant output in the proper language.
+# The default language is English, other supported languages are:
+# Afrikaans, Arabic, Brazilian, Catalan, Chinese, Chinese-Traditional,
+# Croatian, Czech, Danish, Dutch, Finnish, French, German, Greek, Hungarian,
+# Italian, Japanese, Japanese-en (Japanese with English messages), Korean,
+# Korean-en, Lithuanian, Norwegian, Polish, Portuguese, Romanian, Russian,
+# Serbian, Slovak, Slovene, Spanish, Swedish, and Ukrainian.
+
+OUTPUT_LANGUAGE = English
+
+# If the BRIEF_MEMBER_DESC tag is set to YES (the default) Doxygen will
+# include brief member descriptions after the members that are listed in
+# the file and class documentation (similar to JavaDoc).
+# Set to NO to disable this.
+
+BRIEF_MEMBER_DESC = YES
+
+# If the REPEAT_BRIEF tag is set to YES (the default) Doxygen will prepend
+# the brief description of a member or function before the detailed description.
+# Note: if both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the
+# brief descriptions will be completely suppressed.
+
+REPEAT_BRIEF = YES
+
+# This tag implements a quasi-intelligent brief description abbreviator
+# that is used to form the text in various listings. Each string
+# in this list, if found as the leading text of the brief description, will be
+# stripped from the text and the result after processing the whole list, is
+# used as the annotated text. Otherwise, the brief description is used as-is.
+# If left blank, the following values are used ("$name" is automatically
+# replaced with the name of the entity): "The $name class" "The $name widget"
+# "The $name file" "is" "provides" "specifies" "contains"
+# "represents" "a" "an" "the"
+
+ABBREVIATE_BRIEF = "The $name class" \
+ "The $name widget" \
+ "The $name file" \
+ is \
+ provides \
+ specifies \
+ contains \
+ represents \
+ a \
+ an \
+ the
+
+# If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then
+# Doxygen will generate a detailed section even if there is only a brief
+# description.
+
+ALWAYS_DETAILED_SEC = NO
+
+# If the INLINE_INHERITED_MEMB tag is set to YES, doxygen will show all
+# inherited members of a class in the documentation of that class as if those
+# members were ordinary class members. Constructors, destructors and assignment
+# operators of the base classes will not be shown.
+
+INLINE_INHERITED_MEMB = NO
+
+# If the FULL_PATH_NAMES tag is set to YES then Doxygen will prepend the full
+# path before files name in the file list and in the header files. If set
+# to NO the shortest path that makes the file name unique will be used.
+
+FULL_PATH_NAMES = NO
+
+# If the FULL_PATH_NAMES tag is set to YES then the STRIP_FROM_PATH tag
+# can be used to strip a user-defined part of the path. Stripping is
+# only done if one of the specified strings matches the left-hand part of
+# the path. The tag can be used to show relative paths in the file list.
+# If left blank the directory from which doxygen is run is used as the
+# path to strip.
+
+STRIP_FROM_PATH =
+
+# The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of
+# the path mentioned in the documentation of a class, which tells
+# the reader which header file to include in order to use a class.
+# If left blank only the name of the header file containing the class
+# definition is used. Otherwise one should specify the include paths that
+# are normally passed to the compiler using the -I flag.
+
+STRIP_FROM_INC_PATH =
+
+# If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter
+# (but less readable) file names. This can be useful is your file systems
+# doesn't support long names like on DOS, Mac, or CD-ROM.
+
+SHORT_NAMES = NO
+
+# If the JAVADOC_AUTOBRIEF tag is set to YES then Doxygen
+# will interpret the first line (until the first dot) of a JavaDoc-style
+# comment as the brief description. If set to NO, the JavaDoc
+# comments will behave just like the Qt-style comments (thus requiring an
+# explicit @brief command for a brief description.
+
+JAVADOC_AUTOBRIEF = NO
+
+# The MULTILINE_CPP_IS_BRIEF tag can be set to YES to make Doxygen
+# treat a multi-line C++ special comment block (i.e. a block of //! or ///
+# comments) as a brief description. This used to be the default behaviour.
+# The new default is to treat a multi-line C++ comment block as a detailed
+# description. Set this tag to YES if you prefer the old behaviour instead.
+
+MULTILINE_CPP_IS_BRIEF = NO
+
+# If the DETAILS_AT_TOP tag is set to YES then Doxygen
+# will output the detailed description near the top, like JavaDoc.
+# If set to NO, the detailed description appears after the member
+# documentation.
+
+DETAILS_AT_TOP = NO
+
+# If the INHERIT_DOCS tag is set to YES (the default) then an undocumented
+# member inherits the documentation from any documented member that it
+# re-implements.
+
+INHERIT_DOCS = YES
+
+# If the SEPARATE_MEMBER_PAGES tag is set to YES, then doxygen will produce
+# a new page for each member. If set to NO, the documentation of a member will
+# be part of the file/class/namespace that contains it.
+
+SEPARATE_MEMBER_PAGES = NO
+
+# The TAB_SIZE tag can be used to set the number of spaces in a tab.
+# Doxygen uses this value to replace tabs by spaces in code fragments.
+
+TAB_SIZE = 8
+
+# This tag can be used to specify a number of aliases that acts
+# as commands in the documentation. An alias has the form "name=value".
+# For example adding "sideeffect=\par Side Effects:\n" will allow you to
+# put the command \sideeffect (or @sideeffect) in the documentation, which
+# will result in a user-defined paragraph with heading "Side Effects:".
+# You can put \n's in the value part of an alias to insert newlines.
+
+ALIASES =
+
+# Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C
+# sources only. Doxygen will then generate output that is more tailored for C.
+# For instance, some of the names that are used will be different. The list
+# of all members will be omitted, etc.
+
+OPTIMIZE_OUTPUT_FOR_C = NO
+
+# Set the OPTIMIZE_OUTPUT_JAVA tag to YES if your project consists of Java
+# sources only. Doxygen will then generate output that is more tailored for Java.
+# For instance, namespaces will be presented as packages, qualified scopes
+# will look different, etc.
+
+OPTIMIZE_OUTPUT_JAVA = YES
+
+# If you use STL classes (i.e. std::string, std::vector, etc.) but do not want to
+# include (a tag file for) the STL sources as input, then you should
+# set this tag to YES in order to let doxygen match functions declarations and
+# definitions whose arguments contain STL classes (e.g. func(std::string); v.s.
+# func(std::string) {}). This also make the inheritance and collaboration
+# diagrams that involve STL classes more complete and accurate.
+
+BUILTIN_STL_SUPPORT = NO
+
+# If you use Microsoft's C++/CLI language, you should set this option to YES to
+# enable parsing support.
+
+CPP_CLI_SUPPORT = NO
+
+# If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC
+# tag is set to YES, then doxygen will reuse the documentation of the first
+# member in the group (if any) for the other members of the group. By default
+# all members of a group must be documented explicitly.
+
+DISTRIBUTE_GROUP_DOC = NO
+
+# Set the SUBGROUPING tag to YES (the default) to allow class member groups of
+# the same type (for instance a group of public functions) to be put as a
+# subgroup of that type (e.g. under the Public Functions section). Set it to
+# NO to prevent subgrouping. Alternatively, this can be done per class using
+# the \nosubgrouping command.
+
+SUBGROUPING = YES
+
+#---------------------------------------------------------------------------
+# Build related configuration options
+#---------------------------------------------------------------------------
+
+# If the EXTRACT_ALL tag is set to YES doxygen will assume all entities in
+# documentation are documented, even if no documentation was available.
+# Private class members and static file members will be hidden unless
+# the EXTRACT_PRIVATE and EXTRACT_STATIC tags are set to YES
+
+EXTRACT_ALL = YES
+
+# If the EXTRACT_PRIVATE tag is set to YES all private members of a class
+# will be included in the documentation.
+
+EXTRACT_PRIVATE = YES
+
+# If the EXTRACT_STATIC tag is set to YES all static members of a file
+# will be included in the documentation.
+
+EXTRACT_STATIC = YES
+
+# If the EXTRACT_LOCAL_CLASSES tag is set to YES classes (and structs)
+# defined locally in source files will be included in the documentation.
+# If set to NO only classes defined in header files are included.
+
+EXTRACT_LOCAL_CLASSES = YES
+
+# This flag is only useful for Objective-C code. When set to YES local
+# methods, which are defined in the implementation section but not in
+# the interface are included in the documentation.
+# If set to NO (the default) only methods in the interface are included.
+
+EXTRACT_LOCAL_METHODS = NO
+
+# If the HIDE_UNDOC_MEMBERS tag is set to YES, Doxygen will hide all
+# undocumented members of documented classes, files or namespaces.
+# If set to NO (the default) these members will be included in the
+# various overviews, but no documentation section is generated.
+# This option has no effect if EXTRACT_ALL is enabled.
+
+HIDE_UNDOC_MEMBERS = NO
+
+# If the HIDE_UNDOC_CLASSES tag is set to YES, Doxygen will hide all
+# undocumented classes that are normally visible in the class hierarchy.
+# If set to NO (the default) these classes will be included in the various
+# overviews. This option has no effect if EXTRACT_ALL is enabled.
+
+HIDE_UNDOC_CLASSES = NO
+
+# If the HIDE_FRIEND_COMPOUNDS tag is set to YES, Doxygen will hide all
+# friend (class|struct|union) declarations.
+# If set to NO (the default) these declarations will be included in the
+# documentation.
+
+HIDE_FRIEND_COMPOUNDS = NO
+
+# If the HIDE_IN_BODY_DOCS tag is set to YES, Doxygen will hide any
+# documentation blocks found inside the body of a function.
+# If set to NO (the default) these blocks will be appended to the
+# function's detailed documentation block.
+
+HIDE_IN_BODY_DOCS = NO
+
+# The INTERNAL_DOCS tag determines if documentation
+# that is typed after a \internal command is included. If the tag is set
+# to NO (the default) then the documentation will be excluded.
+# Set it to YES to include the internal documentation.
+
+INTERNAL_DOCS = NO
+
+# If the CASE_SENSE_NAMES tag is set to NO then Doxygen will only generate
+# file names in lower-case letters. If set to YES upper-case letters are also
+# allowed. This is useful if you have classes or files whose names only differ
+# in case and if your file system supports case sensitive file names. Windows
+# and Mac users are advised to set this option to NO.
+
+CASE_SENSE_NAMES = YES
+
+# If the HIDE_SCOPE_NAMES tag is set to NO (the default) then Doxygen
+# will show members with their full class and namespace scopes in the
+# documentation. If set to YES the scope will be hidden.
+
+HIDE_SCOPE_NAMES = NO
+
+# If the SHOW_INCLUDE_FILES tag is set to YES (the default) then Doxygen
+# will put a list of the files that are included by a file in the documentation
+# of that file.
+
+SHOW_INCLUDE_FILES = YES
+
+# If the INLINE_INFO tag is set to YES (the default) then a tag [inline]
+# is inserted in the documentation for inline members.
+
+INLINE_INFO = YES
+
+# If the SORT_MEMBER_DOCS tag is set to YES (the default) then doxygen
+# will sort the (detailed) documentation of file and class members
+# alphabetically by member name. If set to NO the members will appear in
+# declaration order.
+
+SORT_MEMBER_DOCS = YES
+
+# If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the
+# brief documentation of file, namespace and class members alphabetically
+# by member name. If set to NO (the default) the members will appear in
+# declaration order.
+
+SORT_BRIEF_DOCS = YES
+
+# If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be
+# sorted by fully-qualified names, including namespaces. If set to
+# NO (the default), the class list will be sorted only by class name,
+# not including the namespace part.
+# Note: This option is not very useful if HIDE_SCOPE_NAMES is set to YES.
+# Note: This option applies only to the class list, not to the
+# alphabetical list.
+
+SORT_BY_SCOPE_NAME = YES
+
+# The GENERATE_TODOLIST tag can be used to enable (YES) or
+# disable (NO) the todo list. This list is created by putting \todo
+# commands in the documentation.
+
+GENERATE_TODOLIST = YES
+
+# The GENERATE_TESTLIST tag can be used to enable (YES) or
+# disable (NO) the test list. This list is created by putting \test
+# commands in the documentation.
+
+GENERATE_TESTLIST = YES
+
+# The GENERATE_BUGLIST tag can be used to enable (YES) or
+# disable (NO) the bug list. This list is created by putting \bug
+# commands in the documentation.
+
+GENERATE_BUGLIST = YES
+
+# The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or
+# disable (NO) the deprecated list. This list is created by putting
+# \deprecated commands in the documentation.
+
+GENERATE_DEPRECATEDLIST= YES
+
+# The ENABLED_SECTIONS tag can be used to enable conditional
+# documentation sections, marked by \if sectionname ... \endif.
+
+ENABLED_SECTIONS =
+
+# The MAX_INITIALIZER_LINES tag determines the maximum number of lines
+# the initial value of a variable or define consists of for it to appear in
+# the documentation. If the initializer consists of more lines than specified
+# here it will be hidden. Use a value of 0 to hide initializers completely.
+# The appearance of the initializer of individual variables and defines in the
+# documentation can be controlled using \showinitializer or \hideinitializer
+# command in the documentation regardless of this setting.
+
+MAX_INITIALIZER_LINES = 30
+
+# Set the SHOW_USED_FILES tag to NO to disable the list of files generated
+# at the bottom of the documentation of classes and structs. If set to YES the
+# list will mention the files that were used to generate the documentation.
+
+SHOW_USED_FILES = YES
+
+# If the sources in your project are distributed over multiple directories
+# then setting the SHOW_DIRECTORIES tag to YES will show the directory hierarchy
+# in the documentation. The default is NO.
+
+SHOW_DIRECTORIES = NO
+
+# The FILE_VERSION_FILTER tag can be used to specify a program or script that
+# doxygen should invoke to get the current version for each file (typically from the
+# version control system). Doxygen will invoke the program by executing (via
+# popen()) the command <command> <input-file>, where <command> is the value of
+# the FILE_VERSION_FILTER tag, and <input-file> is the name of an input file
+# provided by doxygen. Whatever the program writes to standard output
+# is used as the file version. See the manual for examples.
+
+FILE_VERSION_FILTER = "perl -e '@a = split(q( ), qx(svn stat -v $ARGV[0])); shift @a until $a[0] =~ /^[0-9]+$/ or @a == 0; shift @a; print shift(@a), qq(\n)'"
+
+#---------------------------------------------------------------------------
+# configuration options related to warning and progress messages
+#---------------------------------------------------------------------------
+
+# The QUIET tag can be used to turn on/off the messages that are generated
+# by doxygen. Possible values are YES and NO. If left blank NO is used.
+
+QUIET = YES
+
+# The WARNINGS tag can be used to turn on/off the warning messages that are
+# generated by doxygen. Possible values are YES and NO. If left blank
+# NO is used.
+
+WARNINGS = YES
+
+# If WARN_IF_UNDOCUMENTED is set to YES, then doxygen will generate warnings
+# for undocumented members. If EXTRACT_ALL is set to YES then this flag will
+# automatically be disabled.
+
+WARN_IF_UNDOCUMENTED = YES
+
+# If WARN_IF_DOC_ERROR is set to YES, doxygen will generate warnings for
+# potential errors in the documentation, such as not documenting some
+# parameters in a documented function, or documenting parameters that
+# don't exist or using markup commands wrongly.
+
+WARN_IF_DOC_ERROR = YES
+
+# This WARN_NO_PARAMDOC option can be abled to get warnings for
+# functions that are documented, but have no documentation for their parameters
+# or return value. If set to NO (the default) doxygen will only warn about
+# wrong or incomplete parameter documentation, but not about the absence of
+# documentation.
+
+WARN_NO_PARAMDOC = NO
+
+# The WARN_FORMAT tag determines the format of the warning messages that
+# doxygen can produce. The string should contain the $file, $line, and $text
+# tags, which will be replaced by the file and line number from which the
+# warning originated and the warning text. Optionally the format may contain
+# $version, which will be replaced by the version of the file (if it could
+# be obtained via FILE_VERSION_FILTER)
+
+WARN_FORMAT = "$file:$line: $text"
+
+# The WARN_LOGFILE tag can be used to specify a file to which warning
+# and error messages should be written. If left blank the output is written
+# to stderr.
+
+WARN_LOGFILE =
+
+#---------------------------------------------------------------------------
+# configuration options related to the input files
+#---------------------------------------------------------------------------
+
+# The INPUT tag can be used to specify the files and/or directories that contain
+# documented source files. You may enter file names like "myfile.cpp" or
+# directories like "/usr/src/myproject". Separate the files or directories
+# with spaces.
+
+INPUT = .
+
+# This tag can be used to specify the character encoding of the source files that
+# doxygen parses. Internally doxygen uses the UTF-8 encoding, which is also the default
+# input encoding. Doxygen uses libiconv (or the iconv built into libc) for the transcoding.
+# See http://www.gnu.org/software/libiconv for the list of possible encodings.
+
+INPUT_ENCODING = UTF-8
+
+# If the value of the INPUT tag contains directories, you can use the
+# FILE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp
+# and *.h) to filter out the source-files in the directories. If left
+# blank the following patterns are tested:
+# *.c *.cc *.cxx *.cpp *.c++ *.java *.ii *.ixx *.ipp *.i++ *.inl *.h *.hh *.hxx
+# *.hpp *.h++ *.idl *.odl *.cs *.php *.php3 *.inc *.m *.mm *.py
+
+FILE_PATTERNS = *.py
+
+# The RECURSIVE tag can be used to turn specify whether or not subdirectories
+# should be searched for input files as well. Possible values are YES and NO.
+# If left blank NO is used.
+
+RECURSIVE = NO
+
+# The EXCLUDE tag can be used to specify files and/or directories that should
+# excluded from the INPUT source files. This way you can easily exclude a
+# subdirectory from a directory tree whose root is specified with the INPUT tag.
+
+EXCLUDE =
+
+# The EXCLUDE_SYMLINKS tag can be used select whether or not files or
+# directories that are symbolic links (a Unix filesystem feature) are excluded
+# from the input.
+
+EXCLUDE_SYMLINKS = NO
+
+# If the value of the INPUT tag contains directories, you can use the
+# EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude
+# certain files from those directories. Note that the wildcards are matched
+# against the file with absolute path, so to exclude all test directories
+# for example use the pattern */test/*
+
+EXCLUDE_PATTERNS =
+
+# The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names
+# (namespaces, classes, functions, etc.) that should be excluded from the output.
+# The symbol name can be a fully qualified name, a word, or if the wildcard * is used,
+# a substring. Examples: ANamespace, AClass, AClass::ANamespace, ANamespace::*Test
+
+EXCLUDE_SYMBOLS =
+
+# The EXAMPLE_PATH tag can be used to specify one or more files or
+# directories that contain example code fragments that are included (see
+# the \include command).
+
+EXAMPLE_PATH =
+
+# If the value of the EXAMPLE_PATH tag contains directories, you can use the
+# EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp
+# and *.h) to filter out the source-files in the directories. If left
+# blank all files are included.
+
+EXAMPLE_PATTERNS = *
+
+# If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be
+# searched for input files to be used with the \include or \dontinclude
+# commands irrespective of the value of the RECURSIVE tag.
+# Possible values are YES and NO. If left blank NO is used.
+
+EXAMPLE_RECURSIVE = NO
+
+# The IMAGE_PATH tag can be used to specify one or more files or
+# directories that contain image that are included in the documentation (see
+# the \image command).
+
+IMAGE_PATH =
+
+# The INPUT_FILTER tag can be used to specify a program that doxygen should
+# invoke to filter for each input file. Doxygen will invoke the filter program
+# by executing (via popen()) the command <filter> <input-file>, where <filter>
+# is the value of the INPUT_FILTER tag, and <input-file> is the name of an
+# input file. Doxygen will then use the output that the filter program writes
+# to standard output. If FILTER_PATTERNS is specified, this tag will be
+# ignored.
+
+INPUT_FILTER =
+
+# The FILTER_PATTERNS tag can be used to specify filters on a per file pattern
+# basis. Doxygen will compare the file name with each pattern and apply the
+# filter if there is a match. The filters are a list of the form:
+# pattern=filter (like *.cpp=my_cpp_filter). See INPUT_FILTER for further
+# info on how filters are used. If FILTER_PATTERNS is empty, INPUT_FILTER
+# is applied to all files.
+
+FILTER_PATTERNS =
+
+# If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using
+# INPUT_FILTER) will be used to filter the input files when producing source
+# files to browse (i.e. when SOURCE_BROWSER is set to YES).
+
+FILTER_SOURCE_FILES = NO
+
+#---------------------------------------------------------------------------
+# configuration options related to source browsing
+#---------------------------------------------------------------------------
+
+# If the SOURCE_BROWSER tag is set to YES then a list of source files will
+# be generated. Documented entities will be cross-referenced with these sources.
+# Note: To get rid of all source code in the generated output, make sure also
+# VERBATIM_HEADERS is set to NO.
+
+SOURCE_BROWSER = YES
+
+# Setting the INLINE_SOURCES tag to YES will include the body
+# of functions and classes directly in the documentation.
+
+INLINE_SOURCES = NO
+
+# Setting the STRIP_CODE_COMMENTS tag to YES (the default) will instruct
+# doxygen to hide any special comment blocks from generated source code
+# fragments. Normal C and C++ comments will always remain visible.
+
+STRIP_CODE_COMMENTS = YES
+
+# If the REFERENCED_BY_RELATION tag is set to YES (the default)
+# then for each documented function all documented
+# functions referencing it will be listed.
+
+REFERENCED_BY_RELATION = YES
+
+# If the REFERENCES_RELATION tag is set to YES (the default)
+# then for each documented function all documented entities
+# called/used by that function will be listed.
+
+REFERENCES_RELATION = YES
+
+# If the REFERENCES_LINK_SOURCE tag is set to YES (the default)
+# and SOURCE_BROWSER tag is set to YES, then the hyperlinks from
+# functions in REFERENCES_RELATION and REFERENCED_BY_RELATION lists will
+# link to the source code. Otherwise they will link to the documentstion.
+
+REFERENCES_LINK_SOURCE = YES
+
+# If the USE_HTAGS tag is set to YES then the references to source code
+# will point to the HTML generated by the htags(1) tool instead of doxygen
+# built-in source browser. The htags tool is part of GNU's global source
+# tagging system (see http://www.gnu.org/software/global/global.html). You
+# will need version 4.8.6 or higher.
+
+USE_HTAGS = NO
+
+# If the VERBATIM_HEADERS tag is set to YES (the default) then Doxygen
+# will generate a verbatim copy of the header file for each class for
+# which an include is specified. Set to NO to disable this.
+
+VERBATIM_HEADERS = NO
+
+#---------------------------------------------------------------------------
+# configuration options related to the alphabetical class index
+#---------------------------------------------------------------------------
+
+# If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index
+# of all compounds will be generated. Enable this if the project
+# contains a lot of classes, structs, unions or interfaces.
+
+ALPHABETICAL_INDEX = YES
+
+# If the alphabetical index is enabled (see ALPHABETICAL_INDEX) then
+# the COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns
+# in which this list will be split (can be a number in the range [1..20])
+
+COLS_IN_ALPHA_INDEX = 5
+
+# In case all classes in a project start with a common prefix, all
+# classes will be put under the same header in the alphabetical index.
+# The IGNORE_PREFIX tag can be used to specify one or more prefixes that
+# should be ignored while generating the index headers.
+
+IGNORE_PREFIX =
+
+#---------------------------------------------------------------------------
+# configuration options related to the HTML output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_HTML tag is set to YES (the default) Doxygen will
+# generate HTML output.
+
+GENERATE_HTML = YES
+
+# The HTML_OUTPUT tag is used to specify where the HTML docs will be put.
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be
+# put in front of it. If left blank `html' will be used as the default path.
+
+HTML_OUTPUT = html
+
+# The HTML_FILE_EXTENSION tag can be used to specify the file extension for
+# each generated HTML page (for example: .htm,.php,.asp). If it is left blank
+# doxygen will generate files with .html extension.
+
+HTML_FILE_EXTENSION = .html
+
+# The HTML_HEADER tag can be used to specify a personal HTML header for
+# each generated HTML page. If it is left blank doxygen will generate a
+# standard header.
+
+HTML_HEADER =
+
+# The HTML_FOOTER tag can be used to specify a personal HTML footer for
+# each generated HTML page. If it is left blank doxygen will generate a
+# standard footer.
+
+HTML_FOOTER =
+
+# The HTML_STYLESHEET tag can be used to specify a user-defined cascading
+# style sheet that is used by each HTML page. It can be used to
+# fine-tune the look of the HTML output. If the tag is left blank doxygen
+# will generate a default style sheet. Note that doxygen will try to copy
+# the style sheet file to the HTML output directory, so don't put your own
+# stylesheet in the HTML output directory as well, or it will be erased!
+
+HTML_STYLESHEET =
+
+# If the HTML_ALIGN_MEMBERS tag is set to YES, the members of classes,
+# files or namespaces will be aligned in HTML using tables. If set to
+# NO a bullet list will be used.
+
+HTML_ALIGN_MEMBERS = YES
+
+# If the GENERATE_HTMLHELP tag is set to YES, additional index files
+# will be generated that can be used as input for tools like the
+# Microsoft HTML help workshop to generate a compressed HTML help file (.chm)
+# of the generated HTML documentation.
+
+GENERATE_HTMLHELP = NO
+
+# If the GENERATE_HTMLHELP tag is set to YES, the CHM_FILE tag can
+# be used to specify the file name of the resulting .chm file. You
+# can add a path in front of the file if the result should not be
+# written to the html output directory.
+
+CHM_FILE =
+
+# If the GENERATE_HTMLHELP tag is set to YES, the HHC_LOCATION tag can
+# be used to specify the location (absolute path including file name) of
+# the HTML help compiler (hhc.exe). If non-empty doxygen will try to run
+# the HTML help compiler on the generated index.hhp.
+
+HHC_LOCATION =
+
+# If the GENERATE_HTMLHELP tag is set to YES, the GENERATE_CHI flag
+# controls if a separate .chi index file is generated (YES) or that
+# it should be included in the master .chm file (NO).
+
+GENERATE_CHI = NO
+
+# If the GENERATE_HTMLHELP tag is set to YES, the BINARY_TOC flag
+# controls whether a binary table of contents is generated (YES) or a
+# normal table of contents (NO) in the .chm file.
+
+BINARY_TOC = NO
+
+# The TOC_EXPAND flag can be set to YES to add extra items for group members
+# to the contents of the HTML help documentation and to the tree view.
+
+TOC_EXPAND = NO
+
+# The DISABLE_INDEX tag can be used to turn on/off the condensed index at
+# top of each HTML page. The value NO (the default) enables the index and
+# the value YES disables it.
+
+DISABLE_INDEX = NO
+
+# This tag can be used to set the number of enum values (range [1..20])
+# that doxygen will group on one line in the generated HTML documentation.
+
+ENUM_VALUES_PER_LINE = 4
+
+# If the GENERATE_TREEVIEW tag is set to YES, a side panel will be
+# generated containing a tree-like index structure (just like the one that
+# is generated for HTML Help). For this to work a browser that supports
+# JavaScript, DHTML, CSS and frames is required (for instance Mozilla 1.0+,
+# Netscape 6.0+, Internet explorer 5.0+, or Konqueror). Windows users are
+# probably better off using the HTML help feature.
+
+GENERATE_TREEVIEW = NO
+
+# If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be
+# used to set the initial width (in pixels) of the frame in which the tree
+# is shown.
+
+TREEVIEW_WIDTH = 250
+
+#---------------------------------------------------------------------------
+# configuration options related to the LaTeX output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_LATEX tag is set to YES (the default) Doxygen will
+# generate Latex output.
+
+GENERATE_LATEX = NO
+
+# The LATEX_OUTPUT tag is used to specify where the LaTeX docs will be put.
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be
+# put in front of it. If left blank `latex' will be used as the default path.
+
+LATEX_OUTPUT = latex
+
+# The LATEX_CMD_NAME tag can be used to specify the LaTeX command name to be
+# invoked. If left blank `latex' will be used as the default command name.
+
+LATEX_CMD_NAME = latex
+
+# The MAKEINDEX_CMD_NAME tag can be used to specify the command name to
+# generate index for LaTeX. If left blank `makeindex' will be used as the
+# default command name.
+
+MAKEINDEX_CMD_NAME = makeindex
+
+# If the COMPACT_LATEX tag is set to YES Doxygen generates more compact
+# LaTeX documents. This may be useful for small projects and may help to
+# save some trees in general.
+
+COMPACT_LATEX = YES
+
+# The PAPER_TYPE tag can be used to set the paper type that is used
+# by the printer. Possible values are: a4, a4wide, letter, legal and
+# executive. If left blank a4wide will be used.
+
+PAPER_TYPE = letter
+
+# The EXTRA_PACKAGES tag can be to specify one or more names of LaTeX
+# packages that should be included in the LaTeX output.
+
+EXTRA_PACKAGES =
+
+# The LATEX_HEADER tag can be used to specify a personal LaTeX header for
+# the generated latex document. The header should contain everything until
+# the first chapter. If it is left blank doxygen will generate a
+# standard header. Notice: only use this tag if you know what you are doing!
+
+LATEX_HEADER =
+
+# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated
+# is prepared for conversion to pdf (using ps2pdf). The pdf file will
+# contain links (just like the HTML output) instead of page references
+# This makes the output suitable for online browsing using a pdf viewer.
+
+PDF_HYPERLINKS = YES
+
+# If the USE_PDFLATEX tag is set to YES, pdflatex will be used instead of
+# plain latex in the generated Makefile. Set this option to YES to get a
+# higher quality PDF documentation.
+
+USE_PDFLATEX = YES
+
+# If the LATEX_BATCHMODE tag is set to YES, doxygen will add the \\batchmode.
+# command to the generated LaTeX files. This will instruct LaTeX to keep
+# running if errors occur, instead of asking the user for help.
+# This option is also used when generating formulas in HTML.
+
+LATEX_BATCHMODE = YES
+
+# If LATEX_HIDE_INDICES is set to YES then doxygen will not
+# include the index chapters (such as File Index, Compound Index, etc.)
+# in the output.
+
+LATEX_HIDE_INDICES = YES
+
+#---------------------------------------------------------------------------
+# configuration options related to the RTF output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_RTF tag is set to YES Doxygen will generate RTF output
+# The RTF output is optimized for Word 97 and may not look very pretty with
+# other RTF readers or editors.
+
+GENERATE_RTF = NO
+
+# The RTF_OUTPUT tag is used to specify where the RTF docs will be put.
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be
+# put in front of it. If left blank `rtf' will be used as the default path.
+
+RTF_OUTPUT = rtf
+
+# If the COMPACT_RTF tag is set to YES Doxygen generates more compact
+# RTF documents. This may be useful for small projects and may help to
+# save some trees in general.
+
+COMPACT_RTF = NO
+
+# If the RTF_HYPERLINKS tag is set to YES, the RTF that is generated
+# will contain hyperlink fields. The RTF file will
+# contain links (just like the HTML output) instead of page references.
+# This makes the output suitable for online browsing using WORD or other
+# programs which support those fields.
+# Note: wordpad (write) and others do not support links.
+
+RTF_HYPERLINKS = NO
+
+# Load stylesheet definitions from file. Syntax is similar to doxygen's
+# config file, i.e. a series of assignments. You only have to provide
+# replacements, missing definitions are set to their default value.
+
+RTF_STYLESHEET_FILE =
+
+# Set optional variables used in the generation of an rtf document.
+# Syntax is similar to doxygen's config file.
+
+RTF_EXTENSIONS_FILE =
+
+#---------------------------------------------------------------------------
+# configuration options related to the man page output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_MAN tag is set to YES (the default) Doxygen will
+# generate man pages
+
+GENERATE_MAN = NO
+
+# The MAN_OUTPUT tag is used to specify where the man pages will be put.
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be
+# put in front of it. If left blank `man' will be used as the default path.
+
+MAN_OUTPUT = man
+
+# The MAN_EXTENSION tag determines the extension that is added to
+# the generated man pages (default is the subroutine's section .3)
+
+MAN_EXTENSION = .3
+
+# If the MAN_LINKS tag is set to YES and Doxygen generates man output,
+# then it will generate one additional man file for each entity
+# documented in the real man page(s). These additional files
+# only source the real man page, but without them the man command
+# would be unable to find the correct page. The default is NO.
+
+MAN_LINKS = NO
+
+#---------------------------------------------------------------------------
+# configuration options related to the XML output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_XML tag is set to YES Doxygen will
+# generate an XML file that captures the structure of
+# the code including all documentation.
+
+GENERATE_XML = NO
+
+# The XML_OUTPUT tag is used to specify where the XML pages will be put.
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be
+# put in front of it. If left blank `xml' will be used as the default path.
+
+XML_OUTPUT = xml
+
+# The XML_SCHEMA tag can be used to specify an XML schema,
+# which can be used by a validating XML parser to check the
+# syntax of the XML files.
+
+XML_SCHEMA =
+
+# The XML_DTD tag can be used to specify an XML DTD,
+# which can be used by a validating XML parser to check the
+# syntax of the XML files.
+
+XML_DTD =
+
+# If the XML_PROGRAMLISTING tag is set to YES Doxygen will
+# dump the program listings (including syntax highlighting
+# and cross-referencing information) to the XML output. Note that
+# enabling this will significantly increase the size of the XML output.
+
+XML_PROGRAMLISTING = YES
+
+#---------------------------------------------------------------------------
+# configuration options for the AutoGen Definitions output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_AUTOGEN_DEF tag is set to YES Doxygen will
+# generate an AutoGen Definitions (see autogen.sf.net) file
+# that captures the structure of the code including all
+# documentation. Note that this feature is still experimental
+# and incomplete at the moment.
+
+GENERATE_AUTOGEN_DEF = NO
+
+#---------------------------------------------------------------------------
+# configuration options related to the Perl module output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_PERLMOD tag is set to YES Doxygen will
+# generate a Perl module file that captures the structure of
+# the code including all documentation. Note that this
+# feature is still experimental and incomplete at the
+# moment.
+
+GENERATE_PERLMOD = NO
+
+# If the PERLMOD_LATEX tag is set to YES Doxygen will generate
+# the necessary Makefile rules, Perl scripts and LaTeX code to be able
+# to generate PDF and DVI output from the Perl module output.
+
+PERLMOD_LATEX = NO
+
+# If the PERLMOD_PRETTY tag is set to YES the Perl module output will be
+# nicely formatted so it can be parsed by a human reader. This is useful
+# if you want to understand what is going on. On the other hand, if this
+# tag is set to NO the size of the Perl module output will be much smaller
+# and Perl will parse it just the same.
+
+PERLMOD_PRETTY = YES
+
+# The names of the make variables in the generated doxyrules.make file
+# are prefixed with the string contained in PERLMOD_MAKEVAR_PREFIX.
+# This is useful so different doxyrules.make files included by the same
+# Makefile don't overwrite each other's variables.
+
+PERLMOD_MAKEVAR_PREFIX =
+
+#---------------------------------------------------------------------------
+# Configuration options related to the preprocessor
+#---------------------------------------------------------------------------
+
+# If the ENABLE_PREPROCESSING tag is set to YES (the default) Doxygen will
+# evaluate all C-preprocessor directives found in the sources and include
+# files.
+
+ENABLE_PREPROCESSING = YES
+
+# If the MACRO_EXPANSION tag is set to YES Doxygen will expand all macro
+# names in the source code. If set to NO (the default) only conditional
+# compilation will be performed. Macro expansion can be done in a controlled
+# way by setting EXPAND_ONLY_PREDEF to YES.
+
+MACRO_EXPANSION = NO
+
+# If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES
+# then the macro expansion is limited to the macros specified with the
+# PREDEFINED and EXPAND_AS_DEFINED tags.
+
+EXPAND_ONLY_PREDEF = NO
+
+# If the SEARCH_INCLUDES tag is set to YES (the default) the includes files
+# in the INCLUDE_PATH (see below) will be search if a #include is found.
+
+SEARCH_INCLUDES = YES
+
+# The INCLUDE_PATH tag can be used to specify one or more directories that
+# contain include files that are not input files but should be processed by
+# the preprocessor.
+
+INCLUDE_PATH =
+
+# You can use the INCLUDE_FILE_PATTERNS tag to specify one or more wildcard
+# patterns (like *.h and *.hpp) to filter out the header-files in the
+# directories. If left blank, the patterns specified with FILE_PATTERNS will
+# be used.
+
+INCLUDE_FILE_PATTERNS =
+
+# The PREDEFINED tag can be used to specify one or more macro names that
+# are defined before the preprocessor is started (similar to the -D option of
+# gcc). The argument of the tag is a list of macros of the form: name
+# or name=definition (no spaces). If the definition and the = are
+# omitted =1 is assumed. To prevent a macro definition from being
+# undefined via #undef or recursively expanded use the := operator
+# instead of the = operator.
+
+PREDEFINED =
+
+# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then
+# this tag can be used to specify a list of macro names that should be expanded.
+# The macro definition that is found in the sources will be used.
+# Use the PREDEFINED tag if you want to use a different macro definition.
+
+EXPAND_AS_DEFINED =
+
+# If the SKIP_FUNCTION_MACROS tag is set to YES (the default) then
+# doxygen's preprocessor will remove all function-like macros that are alone
+# on a line, have an all uppercase name, and do not end with a semicolon. Such
+# function macros are typically used for boiler-plate code, and will confuse
+# the parser if not removed.
+
+SKIP_FUNCTION_MACROS = YES
+
+#---------------------------------------------------------------------------
+# Configuration::additions related to external references
+#---------------------------------------------------------------------------
+
+# The TAGFILES option can be used to specify one or more tagfiles.
+# Optionally an initial location of the external documentation
+# can be added for each tagfile. The format of a tag file without
+# this location is as follows:
+# TAGFILES = file1 file2 ...
+# Adding location for the tag files is done as follows:
+# TAGFILES = file1=loc1 "file2 = loc2" ...
+# where "loc1" and "loc2" can be relative or absolute paths or
+# URLs. If a location is present for each tag, the installdox tool
+# does not have to be run to correct the links.
+# Note that each tag file must have a unique name
+# (where the name does NOT include the path)
+# If a tag file is not located in the directory in which doxygen
+# is run, you must also specify the path to the tagfile here.
+
+TAGFILES =
+
+# When a file name is specified after GENERATE_TAGFILE, doxygen will create
+# a tag file that is based on the input files it reads.
+
+GENERATE_TAGFILE =
+
+# If the ALLEXTERNALS tag is set to YES all external classes will be listed
+# in the class index. If set to NO only the inherited external classes
+# will be listed.
+
+ALLEXTERNALS = NO
+
+# If the EXTERNAL_GROUPS tag is set to YES all external groups will be listed
+# in the modules index. If set to NO, only the current project's groups will
+# be listed.
+
+EXTERNAL_GROUPS = YES
+
+# The PERL_PATH should be the absolute path and name of the perl script
+# interpreter (i.e. the result of `which perl').
+
+PERL_PATH = /usr/bin/perl
+
+#---------------------------------------------------------------------------
+# Configuration options related to the dot tool
+#---------------------------------------------------------------------------
+
+# If the CLASS_DIAGRAMS tag is set to YES (the default) Doxygen will
+# generate a inheritance diagram (in HTML, RTF and LaTeX) for classes with base
+# or super classes. Setting the tag to NO turns the diagrams off. Note that
+# this option is superseded by the HAVE_DOT option below. This is only a
+# fallback. It is recommended to install and use dot, since it yields more
+# powerful graphs.
+
+CLASS_DIAGRAMS = NO
+
+# You can define message sequence charts within doxygen comments using the \msc
+# command. Doxygen will then run the mscgen tool (see http://www.mcternan.me.uk/mscgen/) to
+# produce the chart and insert it in the documentation. The MSCGEN_PATH tag allows you to
+# specify the directory where the mscgen tool resides. If left empty the tool is assumed to
+# be found in the default search path.
+
+MSCGEN_PATH =
+
+# If set to YES, the inheritance and collaboration graphs will hide
+# inheritance and usage relations if the target is undocumented
+# or is not a class.
+
+HIDE_UNDOC_RELATIONS = NO
+
+# If you set the HAVE_DOT tag to YES then doxygen will assume the dot tool is
+# available from the path. This tool is part of Graphviz, a graph visualization
+# toolkit from AT&T and Lucent Bell Labs. The other options in this section
+# have no effect if this option is set to NO (the default)
+
+HAVE_DOT = YES
+
+# If the CLASS_GRAPH and HAVE_DOT tags are set to YES then doxygen
+# will generate a graph for each documented class showing the direct and
+# indirect inheritance relations. Setting this tag to YES will force the
+# the CLASS_DIAGRAMS tag to NO.
+
+CLASS_GRAPH = YES
+
+# If the COLLABORATION_GRAPH and HAVE_DOT tags are set to YES then doxygen
+# will generate a graph for each documented class showing the direct and
+# indirect implementation dependencies (inheritance, containment, and
+# class references variables) of the class with other documented classes.
+
+COLLABORATION_GRAPH = NO
+
+# If the GROUP_GRAPHS and HAVE_DOT tags are set to YES then doxygen
+# will generate a graph for groups, showing the direct groups dependencies
+
+GROUP_GRAPHS = YES
+
+# If the UML_LOOK tag is set to YES doxygen will generate inheritance and
+# collaboration diagrams in a style similar to the OMG's Unified Modeling
+# Language.
+
+UML_LOOK = YES
+
+# If set to YES, the inheritance and collaboration graphs will show the
+# relations between templates and their instances.
+
+TEMPLATE_RELATIONS = NO
+
+# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDE_GRAPH, and HAVE_DOT
+# tags are set to YES then doxygen will generate a graph for each documented
+# file showing the direct and indirect include dependencies of the file with
+# other documented files.
+
+INCLUDE_GRAPH = YES
+
+# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDED_BY_GRAPH, and
+# HAVE_DOT tags are set to YES then doxygen will generate a graph for each
+# documented header file showing the documented files that directly or
+# indirectly include this file.
+
+INCLUDED_BY_GRAPH = YES
+
+# If the CALL_GRAPH and HAVE_DOT tags are set to YES then doxygen will
+# generate a call dependency graph for every global function or class method.
+# Note that enabling this option will significantly increase the time of a run.
+# So in most cases it will be better to enable call graphs for selected
+# functions only using the \callgraph command.
+
+CALL_GRAPH = YES
+
+# If the CALLER_GRAPH and HAVE_DOT tags are set to YES then doxygen will
+# generate a caller dependency graph for every global function or class method.
+# Note that enabling this option will significantly increase the time of a run.
+# So in most cases it will be better to enable caller graphs for selected
+# functions only using the \callergraph command.
+
+CALLER_GRAPH = YES
+
+# If the GRAPHICAL_HIERARCHY and HAVE_DOT tags are set to YES then doxygen
+# will graphical hierarchy of all classes instead of a textual one.
+
+GRAPHICAL_HIERARCHY = NO
+
+# If the DIRECTORY_GRAPH, SHOW_DIRECTORIES and HAVE_DOT tags are set to YES
+# then doxygen will show the dependencies a directory has on other directories
+# in a graphical way. The dependency relations are determined by the #include
+# relations between the files in the directories.
+
+DIRECTORY_GRAPH = YES
+
+# The DOT_IMAGE_FORMAT tag can be used to set the image format of the images
+# generated by dot. Possible values are png, jpg, or gif
+# If left blank png will be used.
+
+DOT_IMAGE_FORMAT = png
+
+# The tag DOT_PATH can be used to specify the path where the dot tool can be
+# found. If left blank, it is assumed the dot tool can be found in the path.
+
+DOT_PATH =
+
+# The DOTFILE_DIRS tag can be used to specify one or more directories that
+# contain dot files that are included in the documentation (see the
+# \dotfile command).
+
+DOTFILE_DIRS =
+
+# The MAX_DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of
+# nodes that will be shown in the graph. If the number of nodes in a graph
+# becomes larger than this value, doxygen will truncate the graph, which is
+# visualized by representing a node as a red box. Note that doxygen will always
+# show the root nodes and its direct children regardless of this setting.
+
+DOT_GRAPH_MAX_NODES = 50
+
+# Set the DOT_TRANSPARENT tag to YES to generate images with a transparent
+# background. This is disabled by default, which results in a white background.
+# Warning: Depending on the platform used, enabling this option may lead to
+# badly anti-aliased labels on the edges of a graph (i.e. they become hard to
+# read).
+
+DOT_TRANSPARENT = NO
+
+# Set the DOT_MULTI_TARGETS tag to YES allow dot to generate multiple output
+# files in one run (i.e. multiple -o and -T options on the command line). This
+# makes dot run faster, but since only newer versions of dot (>1.8.10)
+# support this, this feature is disabled by default.
+
+DOT_MULTI_TARGETS = NO
+
+# If the GENERATE_LEGEND tag is set to YES (the default) Doxygen will
+# generate a legend page explaining the meaning of the various boxes and
+# arrows in the dot generated graphs.
+
+GENERATE_LEGEND = NO
+
+# If the DOT_CLEANUP tag is set to YES (the default) Doxygen will
+# remove the intermediate dot files that are used to generate
+# the various graphs.
+
+DOT_CLEANUP = YES
+
+#---------------------------------------------------------------------------
+# Configuration::additions related to the search engine
+#---------------------------------------------------------------------------
+
+# The SEARCHENGINE tag specifies whether or not a search engine should be
+# used. If set to NO the values of all tags below this one will be ignored.
+
+SEARCHENGINE = NO
diff --git a/rpkid/rpki/__init__.py b/rpkid/rpki/__init__.py
new file mode 100644
index 00000000..610edbb3
--- /dev/null
+++ b/rpkid/rpki/__init__.py
@@ -0,0 +1,42 @@
+# $Id$
+
+# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# This file exists to tell Python that this the content of this
+# directory constitute a Python package. Since we're not doing
+# anything exotic, this file doesn't need to contain any code, but
+# since its existance defines the package, it's as sensible a place as
+# any to put the Doxygen mainpage.
+
+## @mainpage
+##
+## This collection of Python modules implements a prototype of the
+## RPKI Engine. This is a work in progress.
+##
+## See http://viewvc.hactrn.net/subvert-rpki.hactrn.net/ for code,
+## design documents, a text mirror of portions of APNIC's Wiki, etc.
+##
+## The documentation you're reading is generated automatically by
+## Doxygen from comments and documentation in
+## <a href="http://viewvc.hactrn.net/subvert-rpki.hactrn.net/rpkid/rpki/">the code</a>.
+##
+## This work is funded by <a href="http://www.arin.net/">ARIN</a>, in
+## collaboration with the other RIRs. If you're interested in this
+## package you might also be interested in:
+##
+## @li <a href="http://viewvc.hactrn.net/subvert-rpki.hactrn.net/rcynic/">the rcynic validation tool</a>
+## @li <a href="http://www.hactrn.net/opaque/rcynic.html">a sample of rcynic's summary output</a>
+## @li <a href="http://mirin.apnic.net/resourcecerts/wiki/">APNIC's Wiki</a>
+## @li <a href="http://mirin.apnic.net/trac/">APNIC's project Trac instance</a>
diff --git a/rpkid/rpki/cms.py b/rpkid/rpki/cms.py
new file mode 100644
index 00000000..7b4916dc
--- /dev/null
+++ b/rpkid/rpki/cms.py
@@ -0,0 +1,120 @@
+# $Id$
+
+# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+"""CMS routines.
+
+These used to use the OpenSSL CLI too, which was slow. I've since
+added minimal PKCS #7 / CMS capability to POW, so we now use that
+instead. I should write a pretty DER_object wrapper around the POW
+code and include it in x509.py, but I haven't gotten to that yet.
+"""
+
+import os, rpki.x509, rpki.exceptions, lxml.etree, rpki.log, POW
+
+debug = 1
+
+# openssl smime -sign -nodetach -outform DER -signer biz-certs/Alice-EE.cer
+# -certfile biz-certs/Alice-CA.cer -inkey biz-certs/Alice-EE.key
+# -in THING -out THING.der
+
+def sign(plaintext, keypair, certs):
+ """Sign plaintext as CMS with specified key and bag of certificates.
+
+ We have to sort the certificates into the correct order before the
+ OpenSSL CLI tool will accept them. rpki.x509 handles that for us.
+ """
+
+ p7 = POW.PKCS7()
+ p7.sign(certs[0].get_POW(), keypair.get_POW(), [x.get_POW() for x in certs[1:]], plaintext)
+ cms = p7.derWrite()
+
+ if debug >= 2:
+ print
+ print "Signed CMS:"
+ dumpasn1(cms)
+
+ return cms
+
+# openssl smime -verify -inform DER -in THING.der -CAfile biz-certs/Alice-Root.cer
+
+def verify(cms, ta):
+ """Verify the signature of a chunk of CMS.
+
+ Returns the plaintext on success, otherwise raise an exception.
+ """
+
+ if debug >= 2:
+ print
+ print "Verifying CMS:"
+ dumpasn1(cms)
+
+ p7 = POW.derRead(POW.PKCS7_MESSAGE, cms)
+
+ store = POW.X509Store()
+ store.addTrust(ta.get_POW())
+
+ try:
+ return p7.verify(store)
+
+ except:
+ if debug >= 1:
+ print "CMS verification failed, dumping inputs:"
+ print
+ print "TA:"
+ dumpasn1(ta.get_DER())
+ print
+ print "CMS:"
+ dumpasn1(cms)
+ raise rpki.exceptions.CMSVerificationFailed, "CMS verification failed"
+
+# openssl smime -verify -noverify -inform DER -in THING.der
+
+def extract(cms):
+ """Extract the content of a signed CMS message WITHOUT verifying the
+ signature. Don't try this at home, kids.
+ """
+
+ return POW.derRead(POW.PKCS7_MESSAGE, cms).extract()
+
+def xml_verify(cms, ta):
+ """Composite routine to verify CMS-wrapped XML."""
+
+ val = lxml.etree.fromstring(verify(cms, ta))
+ return val
+
+def xml_sign(elt, key, certs, encoding = "us-ascii"):
+ """Composite routine to sign CMS-wrapped XML."""
+
+ val = sign(lxml.etree.tostring(elt, pretty_print = True, encoding = encoding, xml_declaration = True),
+ key, certs)
+ return val
+
+def dumpasn1(thing):
+ """Prettyprint an ASN.1 DER object using cryptlib dumpasn1 tool.
+ Use a temporary file rather than popen4() because dumpasn1 uses
+ seek() when decoding ASN.1 content nested in OCTET STRING values.
+ """
+
+ fn = "dumpasn1.tmp"
+ try:
+ f = open(fn, "w")
+ f.write(thing)
+ f.close()
+ f = os.popen("dumpasn1 2>&1 -a " + fn)
+ print "\n".join(x for x in f.read().splitlines() if x.startswith(" "))
+ f.close()
+ finally:
+ os.unlink(fn)
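Review bot: `dumpasn1()` at the end of this file writes the DER blob to the fixed name `dumpasn1.tmp` in the current working directory, so two concurrent calls overwrite each other's input, and an existing file or symlink of that name is written through and then unlinked. Because `debug = 1`, the `except` branch of `verify()` calls it on every failed verification, that is, on data that has just been rejected. A `tempfile.NamedTemporaryFile` gives a uniquely named, exclusively created file opened in binary mode and removes it on close; it needs `import tempfile` added to the existing import line. The same change stops `os.unlink(fn)` in the `finally` clause from raising when `open()` itself failed.

```python
def dumpasn1(thing):
  # … unchanged: docstring …
  f = tempfile.NamedTemporaryFile(suffix = ".der")
  try:
    f.write(thing)
    f.flush()
    p = os.popen("dumpasn1 2>&1 -a " + f.name)
    print "\n".join(x for x in p.read().splitlines() if x.startswith(" "))
    p.close()
  finally:
    f.close()
```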
diff --git a/rpkid/rpki/config.py b/rpkid/rpki/config.py
new file mode 100644
index 00000000..54540bbc
--- /dev/null
+++ b/rpkid/rpki/config.py
@@ -0,0 +1,57 @@
+# $Id$
+
+# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+"""Configuration file parsing utilities.
+
+Layered on top of stock Python ConfigParser module.
+"""
+
+import ConfigParser
+
+class parser(ConfigParser.RawConfigParser):
+
+ def __init__(self, file = None, section = None):
+ """Initialize this parser."""
+ ConfigParser.RawConfigParser.__init__(self)
+ if file:
+ self.read(file)
+ self.default_section = section
+
+ def multiget(self, option, section = None):
+ """Parse OpenSSL-style foo.0, foo.1, ... subscripted options.
+
+ Returns a list of values matching the specified option name.
+ """
+ matches = []
+ if section is None:
+ section = self.default_section
+ if self.has_option(section, option):
+ matches.append((-1, self.get(option, section = section)))
+ for key, value in self.items(section):
+ s = key.rsplit(".", 1)
+ if len(s) == 2 and s[0] == option and s[1].isdigit():
+ matches.append((int(s[1]), value))
+ matches.sort()
+ return [match[1] for match in matches]
+
+ def get(self, option, default = None, section = None):
+ """Get an option, perhaps with a default value."""
+ if section is None:
+ section = self.default_section
+ if default is None or self.has_option(section, option):
+ return ConfigParser.RawConfigParser.get(self, section, option)
+ else:
+ return default
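Review bot: `parser.__init__` ignores the return value of `self.read(file)`, and `RawConfigParser.read()` skips files it cannot open, so a missing or unreadable configuration file yields an empty parser instead of an error. Since `get()` returns `default` whenever the option is absent, a program started with a mistyped path would run on its built-in defaults without any indication. Checking the result makes the failure visible: `if file and not self.read(file): raise IOError("Could not read configuration file %s" % file)`. The class also has no docstring, and the parameter name `file` shadows the builtin.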
diff --git a/rpkid/rpki/exceptions.py b/rpkid/rpki/exceptions.py
new file mode 100644
index 00000000..c1475680
--- /dev/null
+++ b/rpkid/rpki/exceptions.py
@@ -0,0 +1,86 @@
+# $Id$
+
+# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+"""Exception definitions for RPKI modules."""
+
+class NotInDatabase(Exception):
+ """Lookup failed for an object expected to be in the database."""
+
+class BadURISyntax(Exception):
+ """Illegal syntax for a URI."""
+
+class BadStatusCode(Exception):
+ """Unrecognized protocol status code."""
+
+class BadQuery(Exception):
+ """Unexpected protocol query."""
+
+class DBConsistancyError(Exception):
+ """Found multiple matches for a database query that shouldn't ever return that."""
+
+class CMSVerificationFailed(Exception):
+ """Verification of a CMS message failed."""
+
+class HTTPRequestFailed(Exception):
+ """HTTP request failed."""
+
+class DERObjectConversionError(Exception):
+ """Error trying to convert a DER-based object from one representation to another."""
+
+class NotACertificateChain(Exception):
+ """Certificates don't form a proper chain."""
+
+class BadContactURL(Exception):
+ """Error trying to parse up-down protocol contact URL."""
+
+class BadClassNameSyntax(Exception):
+ """Illegal syntax for a class_name."""
+
+class BadIssueResponse(Exception):
+ """issue_response PDU with wrong number of classes or certificates."""
+
+class NotImplementedYet(Exception):
+ """Internal error -- not implemented yet."""
+
+class BadPKCS10(Exception):
+ """Bad PKCS #10 object."""
+
+class UpstreamError(Exception):
+ """Received an error from upstream."""
+
+class ChildNotFound(Exception):
+ """Could not find specified child in database."""
+
+class BSCNotFound(Exception):
+ """Could not find specified BSC in database."""
+
+class BadSender(Exception):
+ """Unexpected XML sender value."""
+
+class ClassNameMismatch(Exception):
+ """class_name does not match child context."""
+
+class SKIMismatch(Exception):
+ """SKI value in response does not match request."""
+
+class SubprocessError(Exception):
+ """Subprocess returned unexpected error."""
+
+class BadIRDBReply(Exception):
+ """Unexpected reply to IRDB query."""
+
+class NotFound(Exception):
+ """Object not found in database."""
diff --git a/rpkid/rpki/https.py b/rpkid/rpki/https.py
new file mode 100644
index 00000000..bca5a8b1
--- /dev/null
+++ b/rpkid/rpki/https.py
@@ -0,0 +1,146 @@
+# $Id$
+
+# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+"""HTTPS utilities, both client and server.
+
+At the moment this only knows how to use the PEM certs in my
+subversion repository; generalizing it would not be hard, but the more
+general version should use SQL anyway.
+"""
+
+import httplib, BaseHTTPServer, tlslite.api, glob, traceback, urlparse, socket
+import rpki.x509, rpki.exceptions, rpki.log
+
+rpki_content_type = "application/x-rpki"
+
+def client(msg, privateKey, certChain, x509TrustList, url, timeout = 300):
+ """Open client HTTPS connection, send a message, wait for response.
+
+ This function wraps most of what one needs to do to send a message
+ over HTTPS and get a response. The certificate checking isn't quite
+ up to snuff; it's better than with the other packages I've found,
+ but doesn't appear to handle subjectAltName extensions (sigh).
+ """
+
+ u = urlparse.urlparse(url)
+
+ assert u.scheme in ("", "https") and \
+ u.username is None and \
+ u.password is None and \
+ u.params == "" and \
+ u.query == "" and \
+ u.fragment == ""
+
+ # We could add a "settings = foo" argument to the following call to
+ # pass in a tlslite.HandshakeSettings object that would let us
+ # insist on, eg, particular SSL/TLS versions.
+
+ httpc = tlslite.api.HTTPTLSConnection(host = u.hostname or "localhost",
+ port = u.port or 443,
+ privateKey = privateKey.get_tlslite(),
+ certChain = certChain.tlslite_certChain(),
+ x509TrustList = x509TrustList.tlslite_trustList())
+ httpc.connect()
+ httpc.sock.settimeout(timeout)
+ httpc.request("POST", u.path, msg, {"Content-Type" : rpki_content_type})
+ response = httpc.getresponse()
+ if response.status == httplib.OK:
+ return response.read()
+ else:
+ r = response.read()
+ raise rpki.exceptions.HTTPRequestFailed, \
+ "HTTP request failed with status %s, response %s" % (response.status, r)
+
+class requestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
+ """Derived type to supply POST handler and override logging."""
+
+ rpki_handlers = None # Subclass must bind
+
+ def rpki_find_handler(self):
+ """Helper method to search self.rpki_handlers."""
+ for s,h in self.rpki_handlers:
+ if self.path.startswith(s):
+ return h
+ return None
+
+ def do_POST(self):
+ """POST handler."""
+ try:
+ handler = self.rpki_find_handler()
+ if self.headers["Content-Type"] != rpki_content_type:
+ rcode, rtext = 415, "Received Content-Type %s, expected %s" \
+ % (self.headers["Content-Type"], rpki_content_type)
+ elif handler is None:
+ rcode, rtext = 404, "No handler found for URL " + self.path
+ else:
+ rcode, rtext = handler(query = self.rfile.read(int(self.headers["Content-Length"])),
+ path = self.path)
+ except Exception, edata:
+ rpki.log.error(traceback.format_exc())
+ rcode, rtext = 500, "Unhandled exception %s" % edata
+ self.send_response(rcode)
+ self.send_header("Content-Type", rpki_content_type)
+ self.end_headers()
+ self.wfile.write(rtext)
+
+ def log_message(self, format, *args):
+ """Redirect HTTP server logging into our own logging system."""
+ if args:
+ rpki.log.info(format % args)
+ else:
+ rpki.log.info(format)
+
+class httpServer(tlslite.api.TLSSocketServerMixIn, BaseHTTPServer.HTTPServer):
+ """Derived type to handle TLS aspects of HTTPS."""
+
+ rpki_certChain = None
+ rpki_privateKey = None
+ rpki_sessionCache = None
+
+ def handshake(self, tlsConnection):
+ """TLS handshake handler."""
+ assert self.rpki_certChain is not None
+ assert self.rpki_privateKey is not None
+ assert self.rpki_sessionCache is not None
+ try:
+ # We could add a "settings = foo" argument to the following call
+ # to pass in a tlslite.HandshakeSettings object that would let
+ # us insist on, eg, particular SSL/TLS versions.
+ tlsConnection.handshakeServer(certChain = self.rpki_certChain,
+ privateKey = self.rpki_privateKey,
+ sessionCache = self.rpki_sessionCache)
+ tlsConnection.ignoreAbruptClose = True
+ return True
+ except tlslite.api.TLSError, error:
+ rpki.log.warn("TLS handshake failure: " + str(error))
+ return False
+
+def server(handlers, privateKey, certChain, port = 4433, host = ""):
+ """Run an HTTPS server and wait (forever) for connections."""
+
+ if not isinstance(handlers, (tuple, list)):
+ handlers = (("/", handlers),)
+
+ class boundRequestHandler(requestHandler):
+ rpki_handlers = handlers
+
+ httpd = httpServer((host, port), boundRequestHandler)
+
+ httpd.rpki_privateKey = privateKey.get_tlslite()
+ httpd.rpki_certChain = certChain.tlslite_certChain()
+ httpd.rpki_sessionCache = tlslite.api.SessionCache()
+
+ httpd.serve_forever()
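Review bot: In `requestHandler.do_POST` the body length comes straight from `int(self.headers["Content-Length"])` with no upper bound, and the read happens before the handler can check the message, so any peer that completes the TLS handshake decides how much the server buffers. A missing or non-numeric header is caught only by the generic `except Exception` branch, which returns `"Unhandled exception %s" % edata` to the peer; the traceback is already logged, so a fixed string would be enough there. I would validate and cap the length as separate branches of the `if`/`elif` chain, as below; the limit shown is a constructed value to be sized to the largest expected PDU. Separately, `client()` validates the URL with `assert`, which is removed under `python -O`.

```python
rpki_max_query_length = 1024 * 1024   # constructed example; size to the largest expected PDU

  def do_POST(self):
    # … unchanged: try, handler lookup, Content-Type check, 404 branch …
      elif not (self.headers.get("Content-Length") or "").isdigit():
        rcode, rtext = 411, "Missing or malformed Content-Length"
      elif int(self.headers["Content-Length"]) > rpki_max_query_length:
        rcode, rtext = 413, "Request body too large"
      else:
        # … unchanged: handler call …
    # … unchanged: exception branch and response writing …
```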
diff --git a/rpkid/rpki/ipaddrs.py b/rpkid/rpki/ipaddrs.py
new file mode 100644
index 00000000..4de2f428
--- /dev/null
+++ b/rpkid/rpki/ipaddrs.py
@@ -0,0 +1,70 @@
+# $Id$
+
+# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+"""Classes to represent IP addresses.
+
+Given some of the other operations we need to perform on them, it's
+most convenient to represent IP addresses as Python "long" values.
+The classes in this module just wrap suitable read/write syntax around
+the underlying "long" type.
+
+These classes also supply a "bits" attribute for use by other code
+built on these classes; for the most part, IPv6 addresses really are
+just IPv4 addresses with more bits, so we supply the number of bits
+once, here, thus avoiding a lot of duplicate code elsewhere.
+"""
+
+import socket, struct
+
+class v4addr(long):
+ """IPv4 address.
+
+ Derived from long, but supports IPv4 print syntax.
+ """
+
+ bits = 32
+
+ def __new__(cls, x):
+ """Construct a v4addr object."""
+ if isinstance(x, str):
+ x = ".".join(str(int(i)) for i in x.split("."))
+ y = struct.unpack("!I", socket.inet_pton(socket.AF_INET, x))
+ x = y[0]
+ return long.__new__(cls, x)
+
+ def __str__(self):
+ """Convert a v4addr object to string format."""
+ return socket.inet_ntop(socket.AF_INET, struct.pack("!I", long(self)))
+
+class v6addr(long):
+ """IPv6 address.
+
+ Derived from long, but supports IPv6 print syntax.
+ """
+
+ bits = 128
+
+ def __new__(cls, x):
+ """Construct a v6addr object."""
+ if isinstance(x, str):
+ y = struct.unpack("!QQ", socket.inet_pton(socket.AF_INET6, x))
+ x = (y[0] << 64) | y[1]
+ return long.__new__(cls, x)
+
+ def __str__(self):
+ """Convert a v6addr object to string format."""
+ return socket.inet_ntop(socket.AF_INET6,
+ struct.pack("!QQ", long(self) >> 64, long(self) & 0xFFFFFFFFFFFFFFFF))
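Review bot: `v4addr.__new__` normalises each octet with `int(i)`, which accepts more than decimal digits: surrounding whitespace and a sign are tolerated, so strings such as `"+10.0.0.1"` or `" 10.0.0.1"` are rewritten into a valid address before `inet_pton` sees them. The module docstring says other code is built on these classes, so it seems safer to reject anything that is not plain digits first, e.g. `if not all(i.isdigit() for i in x.split(".")): raise ValueError("Bad IPv4 address %r" % x)` ahead of the join. The leading-zero handling (reading `010` as decimal 10) deserves a one-line comment, since some other parsers treat that form as octal. `v6addr.__new__` passes the string to `inet_pton` unchanged and is not affected.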
diff --git a/rpkid/rpki/left_right.py b/rpkid/rpki/left_right.py
new file mode 100644
index 00000000..8a5e3433
--- /dev/null
+++ b/rpkid/rpki/left_right.py
@@ -0,0 +1,1002 @@
+# $Id$
+
+# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+"""RPKI "left-right" protocol."""
+
+import base64, lxml.etree, time, traceback, os
+import rpki.sax_utils, rpki.resource_set, rpki.x509, rpki.sql, rpki.exceptions
+import rpki.https, rpki.up_down, rpki.relaxng, rpki.sundial, rpki.log
+
+xmlns = "http://www.hactrn.net/uris/rpki/left-right-spec/"
+
+nsmap = { None : xmlns }
+
+class base_elt(object):
+ """Virtual base type for left-right message elements."""
+
+ attributes = ()
+ elements = ()
+ booleans = ()
+
+ def startElement(self, stack, name, attrs):
+ """Default startElement() handler: just process attributes."""
+ self.read_attrs(attrs)
+
+ def endElement(self, stack, name, text):
+ """Default endElement() handler: just pop the stack."""
+ stack.pop()
+
+ def read_attrs(self, attrs):
+ """Template-driven attribute reader."""
+ for key in self.attributes:
+ val = attrs.get(key, None)
+ if isinstance(val, str) and val.isdigit():
+ val = long(val)
+ setattr(self, key, val)
+ for key in self.booleans:
+ setattr(self, key, attrs.get(key, False))
+
+ def make_elt(self):
+ """XML element constructor."""
+ elt = lxml.etree.Element("{%s}%s" % (xmlns, self.element_name), nsmap = nsmap)
+ for key in self.attributes:
+ val = getattr(self, key, None)
+ if val is not None:
+ elt.set(key, str(val))
+ for key in self.booleans:
+ if getattr(self, key, False):
+ elt.set(key, "yes")
+ return elt
+
+ def make_b64elt(self, elt, name, value = None):
+ """Constructor for Base64-encoded subelement."""
+ if value is None:
+ value = getattr(self, name, None)
+ if value is not None:
+ lxml.etree.SubElement(elt, "{%s}%s" % (xmlns, name), nsmap = nsmap).text = base64.b64encode(value)
+
+ def __str__(self):
+ """Convert a base_elt object to string format."""
+ lxml.etree.tostring(self.toXML(), pretty_print = True, encoding = "us-ascii")
+
+class data_elt(base_elt, rpki.sql.sql_persistant):
+ """Virtual class for top-level left-right protocol data elements."""
+
+ def self(this, gctx):
+ """Fetch self object to which this object links."""
+ return self_elt.sql_fetch(gctx, this.self_id)
+
+ def bsc(self, gctx):
+ """Return BSC object to which this object links."""
+ return bsc_elt.sql_fetch(gctx, self.bsc_id)
+
+ @classmethod
+ def make_pdu(cls, **kargs):
+ """Generic left-right PDU constructor."""
+ self = cls()
+ for k,v in kargs.items():
+ setattr(self, k, v)
+ return self
+
+ def make_reply(self, r_pdu = None):
+ """Construct a reply PDU."""
+ if r_pdu is None:
+ r_pdu = self.__class__()
+ r_pdu.self_id = self.self_id
+ setattr(r_pdu, self.sql_template.index, getattr(self, self.sql_template.index))
+ else:
+ for b in r_pdu.booleans:
+ setattr(r_pdu, b, False)
+ r_pdu.action = self.action
+ r_pdu.type = "reply"
+ r_pdu.tag = self.tag
+ return r_pdu
+
+ def serve_pre_save_hook(self, gctx, q_pdu, r_pdu):
+ """Overridable hook."""
+ pass
+
+ def serve_post_save_hook(self, gctx, q_pdu, r_pdu):
+ """Overridable hook."""
+ pass
+
+ def serve_create(self, gctx, r_msg):
+ """Handle a create action."""
+ r_pdu = self.make_reply()
+ self.serve_pre_save_hook(gctx, self, r_pdu)
+ self.sql_store(gctx)
+ setattr(r_pdu, self.sql_template.index, getattr(self, self.sql_template.index))
+ self.serve_post_save_hook(gctx, self, r_pdu)
+ r_msg.append(r_pdu)
+
+ def serve_fetch_one(self, gctx):
+ """Find the object on which a get, set, or destroy method should
+ operate. This is a separate method because the self object needs
+ to override it.
+ """
+ where = self.sql_template.index + " = %s AND self_id = %s"
+ args = (getattr(self, self.sql_template.index), self.self_id)
+ r = self.sql_fetch_where1(gctx, where, args)
+ if r is None:
+ raise rpki.exceptions.NotFound, "Lookup failed where %s" + (where % args)
+ return r
+
+ def serve_set(self, gctx, r_msg):
+ """Handle a set action."""
+ db_pdu = self.serve_fetch_one(gctx)
+ r_pdu = self.make_reply()
+ for a in db_pdu.sql_template.columns[1:]:
+ v = getattr(self, a)
+ if v is not None:
+ setattr(db_pdu, a, v)
+ db_pdu.sql_mark_dirty()
+ db_pdu.serve_pre_save_hook(gctx, self, r_pdu)
+ db_pdu.sql_store(gctx)
+ db_pdu.serve_post_save_hook(gctx, self, r_pdu)
+ r_msg.append(r_pdu)
+
+ def serve_get(self, gctx, r_msg):
+ """Handle a get action."""
+ r_pdu = self.serve_fetch_one(gctx)
+ self.make_reply(r_pdu)
+ r_msg.append(r_pdu)
+
+ def serve_list(self, gctx, r_msg):
+ """Handle a list action for non-self objects."""
+ for r_pdu in self.sql_fetch_where(gctx, "self_id = %s", (self.self_id,)):
+ self.make_reply(r_pdu)
+ r_msg.append(r_pdu)
+
+ def serve_destroy(self, gctx, r_msg):
+ """Handle a destroy action."""
+ db_pdu = self.serve_fetch_one(gctx)
+ db_pdu.sql_delete(gctx)
+ r_msg.append(self.make_reply())
+
+ def serve_dispatch(self, gctx, r_msg):
+ """Action dispatch handler."""
+ dispatch = { "create" : self.serve_create,
+ "set" : self.serve_set,
+ "get" : self.serve_get,
+ "list" : self.serve_list,
+ "destroy" : self.serve_destroy }
+ if self.type != "query" or self.action not in dispatch:
+ raise rpki.exceptions.BadQuery, "Unexpected query: type %s, action %s" % (self.type, self.action)
+ dispatch[self.action](gctx, r_msg)
+
+ def unimplemented_control(self, *controls):
+ """Uniform handling for unimplemented control operations."""
+ unimplemented = [x for x in controls if getattr(self, x, False)]
+ if unimplemented:
+ raise rpki.exceptions.NotImplementedYet, "Unimplemented control %s" % ", ".join(unimplemented)
+
+class extension_preference_elt(base_elt):
+ """Container for extension preferences."""
+
+ element_name = "extension_preference"
+ attributes = ("name",)
+
+ def startElement(self, stack, name, attrs):
+ """Handle <extension_preference/> elements."""
+ assert name == "extension_preference", "Unexpected name %s, stack %s" % (name, stack)
+ self.read_attrs(attrs)
+
+ def endElement(self, stack, name, text):
+ """Handle <extension_preference/> elements."""
+ self.value = text
+ stack.pop()
+
+ def toXML(self):
+ """Generate <extension_preference/> elements."""
+ elt = self.make_elt()
+ elt.text = self.value
+ return elt
+
+class self_elt(data_elt):
+ """<self/> element."""
+
+ element_name = "self"
+ attributes = ("action", "type", "tag", "self_id", "crl_interval")
+ elements = ("extension_preference",)
+ booleans = ("rekey", "reissue", "revoke", "run_now", "publish_world_now", "clear_extension_preferences")
+
+ sql_template = rpki.sql.template("self", "self_id", "use_hsm", "crl_interval")
+
+ self_id = None
+ use_hsm = False
+ crl_interval = None
+
+ def __init__(self):
+ """Initialize a self_elt."""
+ self.prefs = []
+
+ def sql_fetch_hook(self, gctx):
+ """Extra SQL fetch actions for self_elt -- handle extension preferences."""
+ gctx.cur.execute("SELECT pref_name, pref_value FROM self_pref WHERE self_id = %s", (self.self_id,))
+ for name, value in gctx.cur.fetchall():
+ e = extension_preference_elt()
+ e.name = name
+ e.value = value
+ self.prefs.append(e)
+
+ def sql_insert_hook(self, gctx):
+ """Extra SQL insert actions for self_elt -- handle extension preferences."""
+ if self.prefs:
+ gctx.cur.executemany("INSERT self_pref (self_id, pref_name, pref_value) VALUES (%s, %s, %s)",
+ ((e.name, e.value, self.self_id) for e in self.prefs))
+
+ def sql_delete_hook(self, gctx):
+ """Extra SQL delete actions for self_elt -- handle extension preferences."""
+ gctx.cur.execute("DELETE FROM self_pref WHERE self_id = %s", (self.self_id,))
+
+ def bscs(self, gctx):
+ """Fetch all BSC objects that link to this self object."""
+ return bsc_elt.sql_fetch_where(gctx, "self_id = %s", (self.self_id,))
+
+ def repositories(self, gctx):
+ """Fetch all repository objects that link to this self object."""
+ return repository_elt.sql_fetch_where(gctx, "self_id = %s", (self.self_id,))
+
+ def parents(self, gctx):
+ """Fetch all parent objects that link to this self object."""
+ return parent_elt.sql_fetch_where(gctx, "self_id = %s", (self.self_id,))
+
+ def children(self, gctx):
+ """Fetch all child objects that link to this self object."""
+ return child_elt.sql_fetch_where(gctx, "self_id = %s", (self.self_id,))
+
+ def route_origins(self, gctx):
+ """Fetch all route_origin objects that link to this self object."""
+ return route_origin_elt.sql_fetch_where(gctx, "self_id = %s", (self.self_id,))
+
+ def serve_pre_save_hook(self, gctx, q_pdu, r_pdu):
+ """Extra server actions for self_elt -- handle extension preferences."""
+ rpki.log.trace()
+ if self is not q_pdu:
+ if q_pdu.clear_extension_preferences:
+ self.prefs = []
+ self.prefs.extend(q_pdu.prefs)
+
+ def serve_post_save_hook(self, gctx, q_pdu, r_pdu):
+ """Extra server actions for self_elt."""
+ rpki.log.trace()
+ if q_pdu.rekey:
+ self.serve_rekey(gctx)
+ if q_pdu.revoke:
+ self.serve_revoke(gctx)
+ self.unimplemented_control("reissue", "run_now", "publish_world_now")
+
+ def serve_rekey(self, gctx):
+ """Handle a left-right rekey action for this self."""
+ rpki.log.trace()
+ for parent in self.parents(gctx):
+ parent.serve_rekey(gctx)
+
+ def serve_revoke(self, gctx):
+ """Handle a left-right revoke action for this self."""
+ rpki.log.trace()
+ for parent in self.parents(gctx):
+ parent.serve_revoke(gctx)
+
+ def serve_fetch_one(self, gctx):
+ """Find the self object on which a get, set, or destroy method
+ should operate.
+ """
+ r = self.sql_fetch(gctx, self.self_id)
+ if r is None:
+ raise rpki.exceptions.NotFound
+ return r
+
+ def serve_list(self, gctx, r_msg):
+ """Handle a list action for self objects. This is different from
+ the list action for all other objects, where list only works
+ within a given self_id context.
+ """
+ for r_pdu in self.sql_fetch_all(gctx):
+ self.make_reply(r_pdu)
+ r_msg.append(r_pdu)
+
+ def startElement(self, stack, name, attrs):
+ """Handle <self/> element."""
+ if name == "extension_preference":
+ pref = extension_preference_elt()
+ self.prefs.append(pref)
+ stack.append(pref)
+ pref.startElement(stack, name, attrs)
+ else:
+ assert name == "self", "Unexpected name %s, stack %s" % (name, stack)
+ self.read_attrs(attrs)
+
+ def endElement(self, stack, name, text):
+ """Handle <self/> element."""
+ assert name == "self", "Unexpected name %s, stack %s" % (name, stack)
+ stack.pop()
+
+ def toXML(self):
+ """Generate <self/> element."""
+ elt = self.make_elt()
+ elt.extend([i.toXML() for i in self.prefs])
+ return elt
+
+ def client_poll(self, gctx):
+ """Run the regular client poll cycle with each of this self's parents in turn."""
+
+ rpki.log.trace()
+
+ for parent in self.parents(gctx):
+
+ # This will need a callback when we go event-driven
+ r_msg = rpki.up_down.list_pdu.query(gctx, parent)
+
+ ca_map = dict((ca.parent_resource_class, ca) for ca in parent.cas(gctx))
+ for rc in r_msg.payload.classes:
+ if rc.class_name in ca_map:
+ ca = ca_map[rc.class_name]
+ del ca_map[rc.class_name]
+ ca.check_for_updates(gctx, parent, rc)
+ else:
+ rpki.sql.ca_obj.create(gctx, parent, rc)
+ for ca in ca_map.values():
+ ca.delete(gctx, parent) # CA not listed by parent
+ rpki.sql.sql_sweep(gctx)
+
+ def update_children(self, gctx):
+ """Check for updated IRDB data for all of this self's children and
+ issue new certs as necessary. Must handle changes both in
+ resources and in expiration date.
+ """
+
+ rpki.log.trace()
+
+ now = rpki.sundial.datetime.utcnow()
+
+ for child in self.children(gctx):
+ child_certs = child.child_certs(gctx)
+ if not child_certs:
+ continue
+
+ # This will require a callback when we go event-driven
+ irdb_resources = rpki.left_right.irdb_query(gctx, child.self_id, child.child_id)
+
+ for child_cert in child_certs:
+ ca_detail = child_cert.ca_detail(gctx)
+ if ca_detail.state != "active":
+ continue
+ old_resources = child_cert.cert.get_3779resources()
+ new_resources = irdb_resources.intersection(old_resources)
+ if old_resources != new_resources:
+ rpki.log.debug("Need to reissue %s" % repr(child_cert))
+ child_cert.reissue(
+ gctx = gctx,
+ ca_detail = ca_detail,
+ resources = new_resources)
+ elif old_resources.valid_until < now:
+ parent = ca.parent(gctx)
+ repository = parent.repository(gctx)
+ child_cert.sql_delete(gctx)
+ ca_detail.generate_manifest(gctx)
+ repository.withdraw(gctx, child_cert.cert, child_cert.uri(ca))
+
+ def regenerate_crls_and_manifests(self, gctx):
+ """Generate new CRLs and manifests as necessary for all of this
+ self's CAs. Extracting nextUpdate from a manifest is hard at the
+ moment due to implementation silliness, so for now we generate a
+ new manifest whenever we generate a new CRL
+
+ This method also cleans up tombstones left behind by revoked
+ ca_detail objects, since we're walking through the relevant
+ portions of the database anyway.
+ """
+
+ rpki.log.trace()
+
+ now = rpki.sundial.datetime.utcnow()
+ for parent in self.parents(gctx):
+ repository = parent.repository(gctx)
+ for ca in parent.cas(gctx):
+ for ca_detail in ca.fetch_revoked(gctx):
+ if now > ca_detail.latest_crl.getNextUpdate():
+ ca_detail.delete(gctx, ca, repository)
+ ca_detail = ca.fetch_active(gctx)
+ if now > ca_detail.latest_crl.getNextUpdate():
+ ca_detail.generate_crl(gctx)
+ ca_detail.generate_manifest(gctx)
+
+class bsc_elt(data_elt):
+ """<bsc/> (Business Signing Context) element."""
+
+ element_name = "bsc"
+ attributes = ("action", "type", "tag", "self_id", "bsc_id", "key_type", "hash_alg", "key_length")
+ elements = ('signing_cert',)
+ booleans = ("generate_keypair", "clear_signing_certs")
+
+ sql_template = rpki.sql.template("bsc", "bsc_id", "self_id",
+ ("public_key", rpki.x509.RSApublic),
+ ("private_key_id", rpki.x509.RSA), "hash_alg")
+
+ pkcs10_cert_request = None
+ public_key = None
+ private_key_id = None
+
+ def __init__(self):
+ """Initialize bsc_elt."""
+ self.signing_cert = rpki.x509.X509_chain()
+
+ def sql_fetch_hook(self, gctx):
+ """Extra SQL fetch actions for bsc_elt -- handle signing certs."""
+ gctx.cur.execute("SELECT cert FROM bsc_cert WHERE bsc_id = %s", (self.bsc_id,))
+ self.signing_cert[:] = [rpki.x509.X509(DER = x) for (x,) in gctx.cur.fetchall()]
+
+ def sql_insert_hook(self, gctx):
+ """Extra SQL insert actions for bsc_elt -- handle signing certs."""
+ if self.signing_cert:
+ gctx.cur.executemany("INSERT bsc_cert (cert, bsc_id) VALUES (%s, %s)",
+ ((x.get_DER(), self.bsc_id) for x in self.signing_cert))
+
+ def sql_delete_hook(self, gctx):
+ """Extra SQL delete actions for bsc_elt -- handle signing certs."""
+ gctx.cur.execute("DELETE FROM bsc_cert WHERE bsc_id = %s", (self.bsc_id,))
+
+ def repositories(self, gctx):
+ """Fetch all repository objects that link to this BSC object."""
+ return repository_elt.sql_fetch_where(gctx, "bsc_id = %s", (self.bsc_id,))
+
+ def parents(self, gctx):
+ """Fetch all parent objects that link to this BSC object."""
+ return parent_elt.sql_fetch_where(gctx, "bsc_id = %s", (self.bsc_id,))
+
+ def children(self, gctx):
+ """Fetch all child objects that link to this BSC object."""
+ return child_elt.sql_fetch_where(gctx, "bsc_id = %s", (self.bsc_id,))
+
+ def serve_pre_save_hook(self, gctx, q_pdu, r_pdu):
+ """Extra server actions for bsc_elt -- handle signing certs and key generation."""
+ if self is not q_pdu:
+ if q_pdu.clear_signing_certs:
+ self.signing_cert[:] = []
+ self.signing_cert.extend(q_pdu.signing_cert)
+ if q_pdu.generate_keypair:
+ #
+ # For the moment we only support 2048-bit RSA with SHA-256, no
+ # HSM. Assertion just checks that the schema hasn't changed out
+ # from under this code.
+ #
+ assert (q_pdu.key_type is None or q_pdu.key_type == "rsa") and \
+ (q_pdu.hash_alg is None or q_pdu.hash_alg == "sha256") and \
+ (q_pdu.key_length is None or q_pdu.key_length == 2048)
+ keypair = rpki.x509.RSA()
+ keypair.generate()
+ self.private_key_id = keypair
+ self.public_key = keypair.get_RSApublic()
+ r_pdu.pkcs10_cert_request = rpki.x509.PKCS10.create(keypair)
+
+ def startElement(self, stack, name, attrs):
+ """Handle <bsc/> element."""
+ if not name in ("signing_cert", "public_key", "pkcs10_cert_request"):
+ assert name == "bsc", "Unexpected name %s, stack %s" % (name, stack)
+ self.read_attrs(attrs)
+
+ def endElement(self, stack, name, text):
+ """Handle <bsc/> element."""
+ if name == "signing_cert":
+ self.signing_cert.append(rpki.x509.X509(Base64 = text))
+ elif name == "public_key":
+ self.public_key = rpki.x509.RSApublic(Base64 = text)
+ elif name == "pkcs10_cert_request":
+ self.pkcs10_cert_request = rpki.x509.PKCS10(Base64 = text)
+ else:
+ assert name == "bsc", "Unexpected name %s, stack %s" % (name, stack)
+ stack.pop()
+
+ def toXML(self):
+ """Generate <bsc/> element."""
+ elt = self.make_elt()
+ for cert in self.signing_cert:
+ self.make_b64elt(elt, "signing_cert", cert.get_DER())
+ if self.pkcs10_cert_request is not None:
+ self.make_b64elt(elt, "pkcs10_cert_request", self.pkcs10_cert_request.get_DER())
+ if self.public_key is not None:
+ self.make_b64elt(elt, "public_key", self.public_key.get_DER())
+ return elt
+
+class parent_elt(data_elt):
+ """<parent/> element."""
+
+ element_name = "parent"
+ attributes = ("action", "type", "tag", "self_id", "parent_id", "bsc_id", "repository_id",
+ "peer_contact_uri", "sia_base", "sender_name", "recipient_name")
+ elements = ("cms_ta", "https_ta")
+ booleans = ("rekey", "reissue", "revoke")
+
+ sql_template = rpki.sql.template("parent", "parent_id", "self_id", "bsc_id", "repository_id",
+ ("cms_ta", rpki.x509.X509), ("https_ta", rpki.x509.X509),
+ "peer_contact_uri", "sia_base", "sender_name", "recipient_name")
+
+ cms_ta = None
+ https_ta = None
+
+ def repository(self, gctx):
+ """Fetch repository object to which this parent object links."""
+ return repository_elt.sql_fetch(gctx, self.repository_id)
+
+ def cas(self, gctx):
+ """Fetch all CA objects that link to this parent object."""
+ return rpki.sql.ca_obj.sql_fetch_where(gctx, "parent_id = %s", (self.parent_id,))
+
+ def serve_post_save_hook(self, gctx, q_pdu, r_pdu):
+ """Extra server actions for parent_elt."""
+ if q_pdu.rekey:
+ self.serve_rekey(gctx)
+ if q_pdu.revoke:
+ self.serve_revoke(gctx)
+ self.unimplemented_control("reissue")
+
+ def serve_rekey(self, gctx):
+ """Handle a left-right rekey action for this parent."""
+ for ca in self.cas(gctx):
+ ca.rekey(gctx)
+
+ def serve_revoke(self, gctx):
+ """Handle a left-right revoke action for this parent."""
+ for ca in self.cas(gctx):
+ ca.revoke(gctx)
+
+ def startElement(self, stack, name, attrs):
+ """Handle <parent/> element."""
+ if name not in ("cms_ta", "https_ta"):
+ assert name == "parent", "Unexpected name %s, stack %s" % (name, stack)
+ self.read_attrs(attrs)
+
+ def endElement(self, stack, name, text):
+ """Handle <parent/> element."""
+ if name == "cms_ta":
+ self.cms_ta = rpki.x509.X509(Base64 = text)
+ elif name == "https_ta":
+ self.https_ta = rpki.x509.X509(Base64 = text)
+ else:
+ assert name == "parent", "Unexpected name %s, stack %s" % (name, stack)
+ stack.pop()
+
+ def toXML(self):
+ """Generate <parent/> element."""
+ elt = self.make_elt()
+ if self.cms_ta and not self.cms_ta.empty():
+ self.make_b64elt(elt, "cms_ta", self.cms_ta.get_DER())
+ if self.https_ta and not self.https_ta.empty():
+ self.make_b64elt(elt, "https_ta", self.https_ta.get_DER())
+ return elt
+
+ def query_up_down(self, gctx, q_pdu):
+ """Client code for sending one up-down query PDU to this parent.
+
+ I haven't figured out yet whether this method should do something
+ clever like dispatching via a method in the response PDU payload,
+ or just hand back the whole response to the caller. In the long
+ run this will have to become event driven with a context object
+ that has methods of its own, but as this method is common code for
+ several different queries and I don't yet know what the response
+ processing looks like, it's too soon to tell what will make sense.
+
+ For now, keep this dead simple lock step, rewrite it later.
+ """
+
+ rpki.log.trace()
+
+ bsc = self.bsc(gctx)
+ if bsc is None:
+ raise rpki.exceptions.BSCNotFound, "Could not find BSC %s" % self.bsc_id
+ q_msg = rpki.up_down.message_pdu.make_query(
+ payload = q_pdu,
+ sender = self.sender_name,
+ recipient = self.recipient_name)
+ q_elt = q_msg.toXML()
+ try:
+ rpki.relaxng.up_down.assertValid(q_elt)
+ except lxml.etree.DocumentInvalid:
+ rpki.log.error("Message does not pass schema check: " + lxml.etree.tostring(q_elt, pretty_print = True))
+ raise
+ q_cms = rpki.cms.xml_sign(q_elt, bsc.private_key_id, bsc.signing_cert, encoding = "UTF-8")
+ r_cms = rpki.https.client(x509TrustList = rpki.x509.X509_chain(self.https_ta),
+ privateKey = gctx.https_key,
+ certChain = gctx.https_certs,
+ msg = q_cms,
+ url = self.peer_contact_uri)
+ r_elt = rpki.cms.xml_verify(r_cms, self.cms_ta)
+ rpki.relaxng.up_down.assertValid(r_elt)
+ r_msg = rpki.up_down.sax_handler.saxify(r_elt)
+ r_msg.payload.check_response()
+ return r_msg
+
+
+class child_elt(data_elt):
+ """<child/> element."""
+
+ element_name = "child"
+ attributes = ("action", "type", "tag", "self_id", "child_id", "bsc_id")
+ elements = ("cms_ta",)
+ booleans = ("reissue", )
+
+ sql_template = rpki.sql.template("child", "child_id", "self_id", "bsc_id", ("cms_ta", rpki.x509.X509))
+
+ cms_ta = None
+
+ def child_certs(self, gctx, ca_detail = None, ski = None, revoked = False, unique = False):
+ """Fetch all child_cert objects that link to this child object."""
+ return rpki.sql.child_cert_obj.fetch(gctx, self, ca_detail, ski, revoked, unique)
+
+ def parents(self, gctx):
+ """Fetch all parent objects that link to self object to which this child object links."""
+ return parent_elt.sql_fetch_where(gctx, "self_id = %s", (self.self_id,))
+
+ def ca_from_class_name(self, gctx, class_name):
+ """Fetch the CA corresponding to an up-down class_name."""
+ if not class_name.isdigit():
+ raise rpki.exceptions.BadClassNameSyntax, "Bad class name %s" % class_name
+ ca = rpki.sql.ca_obj.sql_fetch(gctx, long(class_name))
+ parent = ca.parent(gctx)
+ if self.self_id != parent.self_id:
+ raise rpki.exceptions.ClassNameMismatch, "child.self_id = %d, parent.self_id = %d" % (self.self_id, parent.self_id)
+ return ca
+
+ def serve_post_save_hook(self, gctx, q_pdu, r_pdu):
+ """Extra server actions for child_elt."""
+ self.unimplemented_control("reissue")
+
+ def startElement(self, stack, name, attrs):
+ """Handle <child/> element."""
+ if name != "cms_ta":
+ assert name == "child", "Unexpected name %s, stack %s" % (name, stack)
+ self.read_attrs(attrs)
+
+ def endElement(self, stack, name, text):
+ """Handle <child/> element."""
+ if name == "cms_ta":
+ self.cms_ta = rpki.x509.X509(Base64 = text)
+ else:
+ assert name == "child", "Unexpected name %s, stack %s" % (name, stack)
+ stack.pop()
+
+ def toXML(self):
+ """Generate <child/> element."""
+ elt = self.make_elt()
+ if self.cms_ta:
+ self.make_b64elt(elt, "cms_ta", self.cms_ta.get_DER())
+ return elt
+
+ def serve_up_down(self, gctx, query):
+ """Outer layer of server handling for one up-down PDU from this child."""
+
+ rpki.log.trace()
+
+ bsc = self.bsc(gctx)
+ if bsc is None:
+ raise rpki.exceptions.BSCNotFound, "Could not find BSC %s" % self.bsc_id
+ q_elt = rpki.cms.xml_verify(query, self.cms_ta)
+ rpki.relaxng.up_down.assertValid(q_elt)
+ q_msg = rpki.up_down.sax_handler.saxify(q_elt)
+ #if q_msg.sender != str(self.child_id):
+ # raise rpki.exceptions.BadSender, "Unexpected XML sender %s" % q_msg.sender
+ try:
+ r_msg = q_msg.serve_top_level(gctx, self)
+ except Exception, data:
+ rpki.log.error(traceback.format_exc())
+ r_msg = q_msg.serve_error(data)
+ #
+ # Exceptions from this point on are problematic, as we have no
+ # sane way of reporting errors in the error reporting mechanism.
+ # May require refactoring, ignore the issue for now.
+ #
+ r_elt = r_msg.toXML()
+ try:
+ rpki.relaxng.up_down.assertValid(r_elt)
+ except:
+ rpki.log.debug(lxml.etree.tostring(r_elt, pretty_print = True, encoding = "UTF-8"))
+ rpki.log.error(traceback.format_exc())
+ raise
+ return rpki.cms.xml_sign(r_elt, bsc.private_key_id, bsc.signing_cert, encoding = "UTF-8")
+
+class repository_elt(data_elt):
+ """<repository/> element."""
+
+ element_name = "repository"
+ attributes = ("action", "type", "tag", "self_id", "repository_id", "bsc_id", "peer_contact_uri")
+ elements = ("cms_ta", "https_ta")
+
+ sql_template = rpki.sql.template("repository", "repository_id", "self_id", "bsc_id",
+ ("cms_ta", rpki.x509.X509), "peer_contact_uri",
+ ("https_ta", rpki.x509.X509))
+
+ cms_ta = None
+ https_ta = None
+
+ def parents(self, gctx):
+ """Fetch all parent objects that link to this repository object."""
+ return parent_elt.sql_fetch_where(gctx, "repository_id = %s", (self.repository_id,))
+
+ def startElement(self, stack, name, attrs):
+ """Handle <repository/> element."""
+ if name not in ("cms_ta", "https_ta"):
+ assert name == "repository", "Unexpected name %s, stack %s" % (name, stack)
+ self.read_attrs(attrs)
+
+ def endElement(self, stack, name, text):
+ """Handle <repository/> element."""
+ if name == "cms_ta":
+ self.cms_ta = rpki.x509.X509(Base64 = text)
+ elif name == "https_ta":
+ self.https_ta = rpki.x509.X509(Base64 = text)
+ else:
+ assert name == "repository", "Unexpected name %s, stack %s" % (name, stack)
+ stack.pop()
+
+ def toXML(self):
+ """Generate <repository/> element."""
+ elt = self.make_elt()
+ if self.cms_ta:
+ self.make_b64elt(elt, "cms_ta", self.cms_ta.get_DER())
+ if self.https_ta:
+ self.make_b64elt(elt, "https_ta", self.https_ta.get_DER())
+ return elt
+
+ @staticmethod
+ def uri_to_filename(base, uri):
+ """Convert a URI to a filename. [TEMPORARY]"""
+ if not uri.startswith("rsync://"):
+ raise rpki.exceptions.BadURISyntax
+ filename = base + uri[len("rsync://"):]
+ if filename.find("//") >= 0 or filename.find("/../") >= 0 or filename.endswith("/.."):
+ raise rpki.exceptions.BadURISyntax
+ return filename
+
+ @classmethod
+ def object_write(cls, base, uri, obj):
+ """Write an object to disk. [TEMPORARY]"""
+ rpki.log.trace()
+ filename = cls.uri_to_filename(base, uri)
+ dirname = os.path.dirname(filename)
+ if not os.path.isdir(dirname):
+ os.makedirs(dirname)
+ f = open(filename, "wb")
+ f.write(obj.get_DER())
+ f.close()
+
+ @classmethod
+ def object_delete(cls, base, uri):
+ """Delete an object from disk. [TEMPORARY]"""
+ rpki.log.trace()
+ os.remove(cls.uri_to_filename(base, uri))
+
+ def publish(self, gctx, obj, uri):
+ """Placeholder for publication operation. [TEMPORARY]"""
+ rpki.log.trace()
+ rpki.log.info("Publishing %s to repository %s at %s" % (repr(obj), repr(self), repr(uri)))
+ self.object_write(gctx.publication_kludge_base, uri, obj)
+
+ def withdraw(self, gctx, obj, uri):
+ """Placeholder for publication withdrawal operation. [TEMPORARY]"""
+ rpki.log.trace()
+ rpki.log.info("Withdrawing %s from repository %s at %s" % (repr(obj), repr(self), repr(uri)))
+ self.object_delete(gctx.publication_kludge_base, uri)
+
+class route_origin_elt(data_elt):
+ """<route_origin/> element."""
+
+ element_name = "route_origin"
+ attributes = ("action", "type", "tag", "self_id", "route_origin_id", "as_number", "ipv4", "ipv6")
+ booleans = ("suppress_publication",)
+
+ sql_template = rpki.sql.template("route_origin", "route_origin_id", "self_id", "as_number",
+ "ca_detail_id", "roa")
+
+ ca_detail_id = None
+ roa = None
+
+ def sql_fetch_hook(self, gctx):
+ """Extra SQL fetch actions for route_origin_elt -- handle address ranges."""
+ self.ipv4 = rpki.resource_set.resource_set_ipv4.from_sql(gctx.cur, """
+ SELECT start_ip, end_ip FROM route_origin_range
+ WHERE route_origin_id = %s AND start_ip NOT LIKE '%:%'
+ """, (self.route_origin_id,))
+ self.ipv6 = rpki.resource_set.resource_set_ipv6.from_sql(gctx.cur, """
+ SELECT start_ip, end_ip FROM route_origin_range
+ WHERE route_origin_id = %s AND start_ip LIKE '%:%'
+ """, (self.route_origin_id,))
+
+ def sql_insert_hook(self, gctx):
+ """Extra SQL insert actions for route_origin_elt -- handle address ranges."""
+ if self.ipv4 + self.ipv6:
+ gctx.cur.executemany("""
+ INSERT route_origin_range (route_origin_id, start_ip, end_ip)
+ VALUES (%s, %s, %s)""",
+ ((self.route_origin_id, x.min, x.max) for x in self.ipv4 + self.ipv6))
+
+ def sql_delete_hook(self, gctx):
+ """Extra SQL delete actions for route_origin_elt -- handle address ranges."""
+ gctx.cur.execute("DELETE FROM route_origin_range WHERE route_origin_id = %s", (self.route_origin_id,))
+
+ def ca_detail(self, gctx):
+ """Fetch all ca_detail objects that link to this route_origin object."""
+ return rpki.sql.ca_detail_obj.sql_fetch(gctx, self.ca_detail_id)
+
+ def serve_post_save_hook(self, gctx, q_pdu, r_pdu):
+ """Extra server actions for route_origin_elt."""
+ self.unimplemented_control("suppress_publication")
+
+ def startElement(self, stack, name, attrs):
+ """Handle <route_origin/> element."""
+ assert name == "route_origin", "Unexpected name %s, stack %s" % (name, stack)
+ self.read_attrs(attrs)
+ if self.as_number is not None:
+ self.as_number = long(self.as_number)
+ if self.ipv4 is not None:
+ self.ipv4 = rpki.resource_set.resource_set_ipv4(self.ipv4)
+ if self.ipv6 is not None:
+ self.ipv6 = rpki.resource_set.resource_set_ipv6(self.ipv4)
+
+ def endElement(self, stack, name, text):
+ """Handle <route_origin/> element."""
+ assert name == "route_origin", "Unexpected name %s, stack %s" % (name, stack)
+ stack.pop()
+
+ def toXML(self):
+ """Generate <route_origin/> element."""
+ return self.make_elt()
+
+class list_resources_elt(base_elt):
+ """<list_resources/> element."""
+
+ element_name = "list_resources"
+ attributes = ("type", "self_id", "tag", "child_id", "valid_until", "as", "ipv4", "ipv6", "subject_name")
+ valid_until = None
+
+ def startElement(self, stack, name, attrs):
+ """Handle <list_resources/> element."""
+ assert name == "list_resources", "Unexpected name %s, stack %s" % (name, stack)
+ self.read_attrs(attrs)
+ if isinstance(self.valid_until, str):
+ self.valid_until = rpki.sundial.datetime.fromXMLtime(self.valid_until)
+ if self.as is not None:
+ self.as = rpki.resource_set.resource_set_as(self.as)
+ if self.ipv4 is not None:
+ self.ipv4 = rpki.resource_set.resource_set_ipv4(self.ipv4)
+ if self.ipv6 is not None:
+ self.ipv6 = rpki.resource_set.resource_set_ipv6(self.ipv6)
+
+ def toXML(self):
+ """Generate <list_resources/> element."""
+ elt = self.make_elt()
+ if isinstance(self.valid_until, int):
+ elt.set("valid_until", self.valid_until.toXMLtime())
+ return elt
+
+class report_error_elt(base_elt):
+ """<report_error/> element."""
+
+ element_name = "report_error"
+ attributes = ("tag", "self_id", "error_code")
+
+ def startElement(self, stack, name, attrs):
+ """Handle <report_error/> element."""
+ assert name == self.element_name, "Unexpected name %s, stack %s" % (name, stack)
+ self.read_attrs(attrs)
+
+ def toXML(self):
+ """Generate <report_error/> element."""
+ return self.make_elt()
+
+ @classmethod
+ def from_exception(cls, exc, self_id = None):
+ """Generate a <report_error/> element from an exception."""
+ self = cls()
+ self.self_id = self_id
+ self.error_code = exc.__class__.__name__
+ return self
+
+class msg(list):
+ """Left-right PDU."""
+
+ ## @var version
+ # Protocol version
+ version = 1
+
+ ## @var pdus
+ # Dispatch table of PDUs for this protocol.
+ pdus = dict((x.element_name, x)
+ for x in (self_elt, child_elt, parent_elt, bsc_elt, repository_elt,
+ route_origin_elt, list_resources_elt, report_error_elt))
+
+ def startElement(self, stack, name, attrs):
+ """Handle left-right PDU."""
+ if name == "msg":
+ assert self.version == int(attrs["version"])
+ else:
+ elt = self.pdus[name]()
+ self.append(elt)
+ stack.append(elt)
+ elt.startElement(stack, name, attrs)
+
+ def endElement(self, stack, name, text):
+ """Handle left-right PDU."""
+ assert name == "msg", "Unexpected name %s, stack %s" % (name, stack)
+ assert len(stack) == 1
+ stack.pop()
+
+ def __str__(self):
+ """Convert msg object to string."""
+ lxml.etree.tostring(self.toXML(), pretty_print = True, encoding = "us-ascii")
+
+ def toXML(self):
+ """Generate left-right PDU."""
+ elt = lxml.etree.Element("{%s}msg" % (xmlns), nsmap = nsmap, version = str(self.version))
+ elt.extend([i.toXML() for i in self])
+ return elt
+
+ def serve_top_level(self, gctx):
+ """Serve one msg PDU."""
+ r_msg = self.__class__()
+ for q_pdu in self:
+ q_pdu.serve_dispatch(gctx, r_msg)
+ return r_msg
+
+class sax_handler(rpki.sax_utils.handler):
+ """SAX handler for Left-Right protocol."""
+
+ ## @var pdu
+ # Top-level PDU class
+ pdu = msg
+
+ def create_top_level(self, name, attrs):
+ """Top-level PDU for this protocol is <msg/>."""
+ assert name == "msg" and attrs["version"] == "1"
+ return self.pdu()
+
+def irdb_query(gctx, self_id, child_id = None):
+ """Perform an IRDB callback query. In the long run this should not
+ be a blocking routine, it should instead issue a query and set up a
+ handler to receive the response. For the moment, though, we are
+ doing simple lock step and damn the torpedos. Not yet doing
+ anything useful with subject name. Most likely this function should
+ really be wrapped up in a class that carries both the query result
+ and also the intermediate state needed for the event-driven code
+ that this function will need to become.
+ """
+
+ rpki.log.trace()
+
+ q_msg = msg()
+ q_msg.append(list_resources_elt())
+ q_msg[0].type = "query"
+ q_msg[0].self_id = self_id
+ q_msg[0].child_id = child_id
+ q_elt = q_msg.toXML()
+ rpki.relaxng.left_right.assertValid(q_elt)
+ q_cms = rpki.cms.xml_sign(q_elt, gctx.cms_key, gctx.cms_certs)
+ r_cms = rpki.https.client(
+ privateKey = gctx.https_key,
+ certChain = gctx.https_certs,
+ x509TrustList = gctx.https_ta,
+ url = gctx.irdb_url,
+ msg = q_cms)
+ r_elt = rpki.cms.xml_verify(r_cms, gctx.cms_ta_irdb)
+ rpki.relaxng.left_right.assertValid(r_elt)
+ r_msg = rpki.left_right.sax_handler.saxify(r_elt)
+ if len(r_msg) == 0 or not isinstance(r_msg[0], list_resources_elt) or r_msg[0].type != "reply":
+ raise rpki.exceptions.BadIRDBReply, "Unexpected response to IRDB query: %s" % lxml.etree.tostring(r_msg.toXML(), pretty_print = True, encoding = "us-ascii")
+ return rpki.resource_set.resource_bag(
+ as = r_msg[0].as,
+ v4 = r_msg[0].ipv4,
+ v6 = r_msg[0].ipv6,
+ valid_until = r_msg[0].valid_until)
diff --git a/rpkid/rpki/log.py b/rpkid/rpki/log.py
new file mode 100644
index 00000000..1f85f667
--- /dev/null
+++ b/rpkid/rpki/log.py
@@ -0,0 +1,54 @@
+# $Id$
+
+# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+"""Logging facilities for RPKI libraries.
+"""
+
+import syslog, traceback
+
+enable_trace = False
+
+def init(ident = "rpki", flags = syslog.LOG_PID | syslog.LOG_PERROR, facility = syslog.LOG_DAEMON):
+ """Initialize logging system."""
+
+ return syslog.openlog(ident, flags, facility)
+
+def set_trace(trace):
+ """Enable or disable call tracing."""
+
+ global enable_trace
+ enable_trace = trace
+
+class logger(object):
+ """Closure for logging."""
+
+ def __init__(self, priority):
+ self.priority = priority
+
+ def __call__(self, message):
+ return syslog.syslog(self.priority, message)
+
+error = logger(syslog.LOG_ERR)
+warn = logger(syslog.LOG_WARNING)
+note = logger(syslog.LOG_NOTICE)
+info = logger(syslog.LOG_INFO)
+debug = logger(syslog.LOG_DEBUG)
+
+def trace():
+ """Execution trace -- where are we now, and whence came we here?"""
+ if enable_trace:
+ bt = traceback.extract_stack(limit = 3)
+ return debug("[%s() at %s:%d from %s:%d]" % (bt[1][2], bt[1][0], bt[1][1], bt[0][0], bt[0][1]))
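Review bot: `logger.__call__` passes the message to `syslog.syslog` unchanged, so a multi-line string becomes a single record with embedded newlines. Callers in this same commit already log such strings, for example `rpki.log.error(traceback.format_exc())` and a pretty-printed XML dump in `left_right.py`. How a syslog daemon treats embedded newlines varies (escaping, truncation or splitting), which makes these records hard to parse and weakens the log as an audit trail if any message text is derived from a peer. Emitting one record per line gives every line its own ident/PID header: `for line in message.splitlines(): syslog.syslog(self.priority, line)`.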
diff --git a/rpkid/rpki/manifest.py b/rpkid/rpki/manifest.py
new file mode 100644
index 00000000..c219cc8f
--- /dev/null
+++ b/rpkid/rpki/manifest.py
@@ -0,0 +1,53 @@
+# $Id$
+
+# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+"""Signed manifests. This is just the ASN.1 encoder, the rest is in
+rpki.x509 with the rest of the DER_object code.
+
+Note that rpki.x509.SignedManifest implements the signed manifest;
+the structures here are just the payload of the CMS eContent field.
+"""
+
+from POW._der import *
+
+class FileAndHash(Sequence):
+ def __init__(self, optional=0, default=''):
+ self.file = IA5String()
+ self.hash = AltBitString()
+ contents = [ self.file, self.hash ]
+ Sequence.__init__(self, contents, optional, default)
+
+class FilesAndHashes(SequenceOf):
+ def __init__(self, optional=0, default=''):
+ SequenceOf.__init__(self, FileAndHash, optional, default)
+
+class Manifest(Sequence):
+ def __init__(self, optional=0, default=''):
+ self.version = Integer()
+ self.explicitVersion = Explicit(CLASS_CONTEXT, FORM_CONSTRUCTED, 0, self.version, 0, 'oAMCAQA=')
+ self.manifestNumber = Integer()
+ self.thisUpdate = GeneralizedTime()
+ self.nextUpdate = GeneralizedTime()
+ self.fileHashAlg = Oid()
+ self.fileList = FilesAndHashes()
+
+ contents = [ self.explicitVersion,
+ self.manifestNumber,
+ self.thisUpdate,
+ self.nextUpdate,
+ self.fileHashAlg,
+ self.fileList ]
+ Sequence.__init__(self, contents, optional, default)
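Review bot: The literal `'oAMCAQA='` passed to `Explicit(...)` in `Manifest.__init__` is unexplained, so a reader cannot tell what default it encodes or check it against the manifest specification. It is base64 for the DER bytes `a0 03 02 01 00`, i.e. a `[0]` EXPLICIT INTEGER 0, so it is presumably the encoded default for version 0. I would add `# 'oAMCAQA=' = base64(DER a0 03 02 01 00): [0] EXPLICIT INTEGER 0, the default version` above that line. `FileAndHash`, `FilesAndHashes` and `Manifest` also have no docstrings; one line each naming the ASN.1 type they encode would help anyone auditing the payload of the signed object.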
diff --git a/rpkid/rpki/oids.py b/rpkid/rpki/oids.py
new file mode 100644
index 00000000..4e08aef7
--- /dev/null
+++ b/rpkid/rpki/oids.py
@@ -0,0 +1,49 @@
+# $Id$
+
+# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+"""OID database."""
+
+## @var oid2name
+# Mapping table of OIDs to conventional string names.
+
+oid2name = {
+ (1, 2, 840, 113549, 1, 1, 11) : "sha256WithRSAEncryption",
+ (1, 2, 840, 113549, 1, 1, 12) : "sha384WithRSAEncryption",
+ (1, 2, 840, 113549, 1, 1, 13) : "sha512WithRSAEncryption",
+ (1, 3, 6, 1, 5, 5, 7, 1, 1) : "authorityInfoAccess",
+ (1, 3, 6, 1, 5, 5, 7, 1, 11) : "subjectInfoAccess",
+ (1, 3, 6, 1, 5, 5, 7, 1, 7) : "sbgp-ipAddrBlock",
+ (1, 3, 6, 1, 5, 5, 7, 1, 8) : "sbgp-autonomousSysNum",
+ (1, 3, 6, 1, 5, 5, 7, 14, 2) : "id-cp-ipAddr-asNumber",
+ (1, 3, 6, 1, 5, 5, 7, 48, 2) : "id-ad-caIssuers",
+ (1, 3, 6, 1, 5, 5, 7, 48, 5) : "id-ad-caRepository",
+ (1, 3, 6, 1, 5, 5, 7, 48, 9) : "id-ad-signedObjectRepository",
+ (1, 3, 6, 1, 5, 5, 7, 48, 10) : "id-ad-rpkiManifest",
+ (1, 3, 6, 1, 5, 5, 7, 48, 11) : "id-ad-signedObject",
+ (2, 5, 29, 14) : "subjectKeyIdentifier",
+ (2, 5, 29, 15) : "keyUsage",
+ (2, 5, 29, 19) : "basicConstraints",
+ (2, 5, 29, 20) : "cRLNumber",
+ (2, 5, 29, 31) : "cRLDistributionPoints",
+ (2, 5, 29, 32) : "certificatePolicies",
+ (2, 5, 29, 35) : "authorityKeyIdentifier",
+ (2, 5, 4, 3) : "commonName",
+}
+
+## @var name2oid
+# Mapping table of string names to OIDs
+
+name2oid = dict((v,k) for k,v in oid2name.items())
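Review bot: `name2oid` is built by inverting `oid2name`, so if two OIDs are ever given the same name, one of them is dropped from the reverse table without any error. The names in the table as added are all distinct, so this is a guard for later additions. A sanity check right after the inversion, `assert len(name2oid) == len(oid2name), "Duplicate name in oid2name"`, would turn that mistake into an import-time failure rather than a lookup that resolves to the wrong OID.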
diff --git a/rpkid/rpki/pkcs10.py b/rpkid/rpki/pkcs10.py
new file mode 100644
index 00000000..9ed38470
--- /dev/null
+++ b/rpkid/rpki/pkcs10.py
@@ -0,0 +1,62 @@
+# $Id$
+
+# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+"""Old code to generate PKCS #10 certification requests.
+
+This has been replaced by direct support for PKCS #10 in my hacked
+version of the POW package. This module will go away eventually, I'm
+just keeping it around in case I discover some horrible bug in the new
+code that would make me want to fall back to this.
+"""
+
+raise NotImplementedError, "You shouldn't be using this module anymore, see rpki.x509.PKCS10"
+
+import POW, rpki.x509, os, rpki.exceptions, binascii
+
+req_fmt = '''
+[ req ]
+distinguished_name = req_dn
+default_md = sha256
+prompt = no
+
+[ req_dn ]
+CN = %s
+'''
+
+def make_request(keypair):
+ """Generate a PKCS #10 request."""
+
+ digest = POW.Digest(POW.SHA1_DIGEST)
+ digest.update(keypair.get_POW().derWrite(POW.RSA_PUBLIC_KEY))
+ commonName = "0x" + binascii.hexlify(digest.digest())
+
+ try:
+ config_filename = "req.tmp.conf"
+ f = open(config_filename, "w")
+ f.write(req_fmt % commonName)
+ f.close()
+
+ i,o = os.popen2(["openssl", "req", "-config", config_filename, "-new",
+ "-key", "/dev/stdin", "-outform", "DER"])
+ i.write(keypair.get_PEM())
+ i.close()
+ pkcs10 = rpki.x509.PKCS10(DER = o.read())
+ o.close()
+
+ finally:
+ os.unlink(config_filename)
+
+ return pkcs10
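Review bot: `make_request` writes the OpenSSL config to the fixed relative path `req.tmp.conf` in the current working directory, so two concurrent calls overwrite each other's file. In a directory writable by other users, `open(config_filename, "w")` would also follow a pre-placed symlink of that name. The module raises `NotImplementedError` at import, so the function is unreachable as committed, but if it is kept as a fallback the file should be created exclusively. Add `tempfile` to the import line, put `fd, config_filename = tempfile.mkstemp(suffix = ".conf")` before the `try`, and use `f = os.fdopen(fd, "w")` inside it. Creating the file before the `try` also stops the `os.unlink` in `finally` from raising over the original exception when the file could not be created.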
diff --git a/rpkid/rpki/relaxng.py b/rpkid/rpki/relaxng.py
new file mode 100644
index 00000000..b045b1c6
--- /dev/null
+++ b/rpkid/rpki/relaxng.py
@@ -0,0 +1,1208 @@
+# Automatically generated, do not edit.
+
+import lxml.etree
+
+## @var left_right
+## Parsed RelaxNG left_right schema
+left_right = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ $Id: left-right-schema.rnc 1383 2007-12-17 18:20:46Z sra $
+
+ RelaxNG (Compact Syntax) Schema for RPKI left-right protocol.
+
+ libxml2 (including xmllint) only groks the XML syntax of RelaxNG, so
+ run the compact syntax through trang to get XML syntax.
+-->
+<grammar ns="http://www.hactrn.net/uris/rpki/left-right-spec/" xmlns="http://relaxng.org/ns/structure/1.0" datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes">
+ <!-- Top level PDU -->
+ <start>
+ <element name="msg">
+ <attribute name="version">
+ <data type="positiveInteger">
+ <param name="maxInclusive">1</param>
+ </data>
+ </attribute>
+ <zeroOrMore>
+ <choice>
+ <ref name="self_elt"/>
+ <ref name="bsc_elt"/>
+ <ref name="parent_elt"/>
+ <ref name="child_elt"/>
+ <ref name="repository_elt"/>
+ <ref name="ro_elt"/>
+ <ref name="list_resources_elt"/>
+ <ref name="report_error_elt"/>
+ </choice>
+ </zeroOrMore>
+ </element>
+ </start>
+ <!-- Tag attributes for bulk operations -->
+ <define name="tag">
+ <optional>
+ <attribute name="tag">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ </optional>
+ </define>
+ <!--
+ Combinations of action and type attributes used in later definitions.
+ The same patterns repeat in most of the elements in this protocol.
+ -->
+ <define name="ctl_cq">
+ <attribute name="action">
+ <value>create</value>
+ </attribute>
+ <attribute name="type">
+ <value>query</value>
+ </attribute>
+ <ref name="tag"/>
+ </define>
+ <define name="ctl_sq">
+ <attribute name="action">
+ <value>set</value>
+ </attribute>
+ <attribute name="type">
+ <value>query</value>
+ </attribute>
+ <ref name="tag"/>
+ </define>
+ <define name="ctl_gq">
+ <attribute name="action">
+ <value>get</value>
+ </attribute>
+ <attribute name="type">
+ <value>query</value>
+ </attribute>
+ <ref name="tag"/>
+ </define>
+ <define name="ctl_lq">
+ <attribute name="action">
+ <value>list</value>
+ </attribute>
+ <attribute name="type">
+ <value>query</value>
+ </attribute>
+ <ref name="tag"/>
+ </define>
+ <define name="ctl_dq">
+ <attribute name="action">
+ <value>destroy</value>
+ </attribute>
+ <attribute name="type">
+ <value>query</value>
+ </attribute>
+ <ref name="tag"/>
+ </define>
+ <define name="ctl_cr">
+ <attribute name="action">
+ <value>create</value>
+ </attribute>
+ <attribute name="type">
+ <value>reply</value>
+ </attribute>
+ <ref name="tag"/>
+ </define>
+ <define name="ctl_sr">
+ <attribute name="action">
+ <value>set</value>
+ </attribute>
+ <attribute name="type">
+ <value>reply</value>
+ </attribute>
+ <ref name="tag"/>
+ </define>
+ <define name="ctl_gr">
+ <attribute name="action">
+ <value>get</value>
+ </attribute>
+ <attribute name="type">
+ <value>reply</value>
+ </attribute>
+ <ref name="tag"/>
+ </define>
+ <define name="ctl_lr">
+ <attribute name="action">
+ <value>list</value>
+ </attribute>
+ <attribute name="type">
+ <value>reply</value>
+ </attribute>
+ <ref name="tag"/>
+ </define>
+ <define name="ctl_dr">
+ <attribute name="action">
+ <value>destroy</value>
+ </attribute>
+ <attribute name="type">
+ <value>reply</value>
+ </attribute>
+ <ref name="tag"/>
+ </define>
+ <!-- Base64 encoded DER stuff -->
+ <define name="base64">
+ <data type="base64Binary">
+ <param name="maxLength">512000</param>
+ </data>
+ </define>
+ <!-- How we wrap trust anchor elements -->
+ <define name="cms_ta">
+ <element name="cms_ta">
+ <ref name="base64"/>
+ </element>
+ </define>
+ <define name="https_ta">
+ <element name="https_ta">
+ <ref name="base64"/>
+ </element>
+ </define>
+ <!-- Base definition for all fields that are really just SQL primary indices -->
+ <define name="sql_id">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </define>
+ <!-- <self/> element -->
+ <define name="self_bool">
+ <optional>
+ <attribute name="rekey">
+ <value>yes</value>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="reissue">
+ <value>yes</value>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="revoke">
+ <value>yes</value>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="run_now">
+ <value>yes</value>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="publish_world_now">
+ <value>yes</value>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="clear_extension_preferences">
+ <value>yes</value>
+ </attribute>
+ </optional>
+ </define>
+ <define name="self_payload">
+ <optional>
+ <attribute name="use_hsm">
+ <choice>
+ <value>yes</value>
+ <value>no</value>
+ </choice>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="crl_interval">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ </optional>
+ <zeroOrMore>
+ <element name="extension_preference">
+ <attribute name="name">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ <data type="string">
+ <param name="maxLength">512000</param>
+ </data>
+ </element>
+ </zeroOrMore>
+ </define>
+ <define name="self_id">
+ <attribute name="self_id">
+ <ref name="sql_id"/>
+ </attribute>
+ </define>
+ <define name="self_elt" combine="choice">
+ <element name="self">
+ <ref name="ctl_cq"/>
+ <ref name="self_bool"/>
+ <ref name="self_payload"/>
+ </element>
+ </define>
+ <define name="self_elt" combine="choice">
+ <element name="self">
+ <ref name="ctl_cr"/>
+ <ref name="self_id"/>
+ </element>
+ </define>
+ <define name="self_elt" combine="choice">
+ <element name="self">
+ <ref name="ctl_sq"/>
+ <ref name="self_id"/>
+ <ref name="self_bool"/>
+ <ref name="self_payload"/>
+ </element>
+ </define>
+ <define name="self_elt" combine="choice">
+ <element name="self">
+ <ref name="ctl_sr"/>
+ <ref name="self_id"/>
+ </element>
+ </define>
+ <define name="self_elt" combine="choice">
+ <element name="self">
+ <ref name="ctl_gq"/>
+ <ref name="self_id"/>
+ </element>
+ </define>
+ <define name="self_elt" combine="choice">
+ <element name="self">
+ <ref name="ctl_gr"/>
+ <ref name="self_id"/>
+ <ref name="self_payload"/>
+ </element>
+ </define>
+ <define name="self_elt" combine="choice">
+ <element name="self">
+ <ref name="ctl_lq"/>
+ </element>
+ </define>
+ <define name="self_elt" combine="choice">
+ <element name="self">
+ <ref name="ctl_lr"/>
+ <ref name="self_id"/>
+ <ref name="self_payload"/>
+ </element>
+ </define>
+ <define name="self_elt" combine="choice">
+ <element name="self">
+ <ref name="ctl_dq"/>
+ <ref name="self_id"/>
+ </element>
+ </define>
+ <define name="self_elt" combine="choice">
+ <element name="self">
+ <ref name="ctl_dr"/>
+ <ref name="self_id"/>
+ </element>
+ </define>
+ <!-- <bsc/> element. Key parameters hardwired for now. -->
+ <define name="bsc_bool">
+ <optional>
+ <attribute name="generate_keypair">
+ <value>yes</value>
+ </attribute>
+ <optional>
+ <attribute name="key_type">
+ <value>rsa</value>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="hash_alg">
+ <value>sha256</value>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="key_length">
+ <value>2048</value>
+ </attribute>
+ </optional>
+ </optional>
+ <optional>
+ <attribute name="clear_signing_certs">
+ <value>yes</value>
+ </attribute>
+ </optional>
+ </define>
+ <define name="bsc_id">
+ <attribute name="bsc_id">
+ <ref name="sql_id"/>
+ </attribute>
+ </define>
+ <define name="bsc_payload">
+ <zeroOrMore>
+ <element name="signing_cert">
+ <ref name="base64"/>
+ </element>
+ </zeroOrMore>
+ <optional>
+ <element name="public_key">
+ <ref name="base64"/>
+ </element>
+ </optional>
+ </define>
+ <define name="bsc_pkcs10">
+ <optional>
+ <element name="pkcs10_cert_request">
+ <ref name="base64"/>
+ </element>
+ </optional>
+ </define>
+ <define name="bsc_elt" combine="choice">
+ <element name="bsc">
+ <ref name="ctl_cq"/>
+ <ref name="self_id"/>
+ <ref name="bsc_bool"/>
+ <ref name="bsc_payload"/>
+ </element>
+ </define>
+ <define name="bsc_elt" combine="choice">
+ <element name="bsc">
+ <ref name="ctl_cr"/>
+ <ref name="self_id"/>
+ <ref name="bsc_id"/>
+ <ref name="bsc_pkcs10"/>
+ </element>
+ </define>
+ <define name="bsc_elt" combine="choice">
+ <element name="bsc">
+ <ref name="ctl_sq"/>
+ <ref name="self_id"/>
+ <ref name="bsc_id"/>
+ <ref name="bsc_bool"/>
+ <ref name="bsc_payload"/>
+ </element>
+ </define>
+ <define name="bsc_elt" combine="choice">
+ <element name="bsc">
+ <ref name="ctl_sr"/>
+ <ref name="self_id"/>
+ <ref name="bsc_id"/>
+ <ref name="bsc_pkcs10"/>
+ </element>
+ </define>
+ <define name="bsc_elt" combine="choice">
+ <element name="bsc">
+ <ref name="ctl_gq"/>
+ <ref name="self_id"/>
+ <ref name="bsc_id"/>
+ </element>
+ </define>
+ <define name="bsc_elt" combine="choice">
+ <element name="bsc">
+ <ref name="ctl_gr"/>
+ <ref name="self_id"/>
+ <ref name="bsc_id"/>
+ <ref name="bsc_payload"/>
+ </element>
+ </define>
+ <define name="bsc_elt" combine="choice">
+ <element name="bsc">
+ <ref name="ctl_lq"/>
+ <ref name="self_id"/>
+ </element>
+ </define>
+ <define name="bsc_elt" combine="choice">
+ <element name="bsc">
+ <ref name="ctl_lr"/>
+ <ref name="self_id"/>
+ <ref name="bsc_id"/>
+ <ref name="bsc_payload"/>
+ </element>
+ </define>
+ <define name="bsc_elt" combine="choice">
+ <element name="bsc">
+ <ref name="ctl_dq"/>
+ <ref name="self_id"/>
+ <ref name="bsc_id"/>
+ </element>
+ </define>
+ <define name="bsc_elt" combine="choice">
+ <element name="bsc">
+ <ref name="ctl_dr"/>
+ <ref name="self_id"/>
+ <ref name="bsc_id"/>
+ </element>
+ </define>
+ <!-- <parent/> element -->
+ <define name="parent_id">
+ <attribute name="parent_id">
+ <ref name="sql_id"/>
+ </attribute>
+ </define>
+ <define name="parent_bool">
+ <optional>
+ <attribute name="rekey">
+ <value>yes</value>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="reissue">
+ <value>yes</value>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="revoke">
+ <value>yes</value>
+ </attribute>
+ </optional>
+ </define>
+ <define name="parent_payload">
+ <optional>
+ <attribute name="peer_contact_uri">
+ <data type="anyURI">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="sia_base">
+ <data type="anyURI">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="bsc_id">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="repository_id">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="sender_name">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="recipient_name">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ </optional>
+ <optional>
+ <ref name="cms_ta"/>
+ </optional>
+ <optional>
+ <ref name="https_ta"/>
+ </optional>
+ </define>
+ <define name="parent_elt" combine="choice">
+ <element name="parent">
+ <ref name="ctl_cq"/>
+ <ref name="self_id"/>
+ <ref name="parent_bool"/>
+ <ref name="parent_payload"/>
+ </element>
+ </define>
+ <define name="parent_elt" combine="choice">
+ <element name="parent">
+ <ref name="ctl_cr"/>
+ <ref name="self_id"/>
+ <ref name="parent_id"/>
+ </element>
+ </define>
+ <define name="parent_elt" combine="choice">
+ <element name="parent">
+ <ref name="ctl_sq"/>
+ <ref name="self_id"/>
+ <ref name="parent_id"/>
+ <ref name="parent_bool"/>
+ <ref name="parent_payload"/>
+ </element>
+ </define>
+ <define name="parent_elt" combine="choice">
+ <element name="parent">
+ <ref name="ctl_sr"/>
+ <ref name="self_id"/>
+ <ref name="parent_id"/>
+ </element>
+ </define>
+ <define name="parent_elt" combine="choice">
+ <element name="parent">
+ <ref name="ctl_gq"/>
+ <ref name="self_id"/>
+ <ref name="parent_id"/>
+ </element>
+ </define>
+ <define name="parent_elt" combine="choice">
+ <element name="parent">
+ <ref name="ctl_gr"/>
+ <ref name="self_id"/>
+ <ref name="parent_id"/>
+ <ref name="parent_payload"/>
+ </element>
+ </define>
+ <define name="parent_elt" combine="choice">
+ <element name="parent">
+ <ref name="ctl_lq"/>
+ <ref name="self_id"/>
+ </element>
+ </define>
+ <define name="parent_elt" combine="choice">
+ <element name="parent">
+ <ref name="ctl_lr"/>
+ <ref name="self_id"/>
+ <ref name="parent_id"/>
+ <ref name="parent_payload"/>
+ </element>
+ </define>
+ <define name="parent_elt" combine="choice">
+ <element name="parent">
+ <ref name="ctl_dq"/>
+ <ref name="self_id"/>
+ <ref name="parent_id"/>
+ </element>
+ </define>
+ <define name="parent_elt" combine="choice">
+ <element name="parent">
+ <ref name="ctl_dr"/>
+ <ref name="self_id"/>
+ <ref name="parent_id"/>
+ </element>
+ </define>
+ <!-- <child/> element -->
+ <define name="child_id">
+ <attribute name="child_id">
+ <ref name="sql_id"/>
+ </attribute>
+ </define>
+ <define name="child_bool">
+ <optional>
+ <attribute name="reissue">
+ <value>yes</value>
+ </attribute>
+ </optional>
+ </define>
+ <define name="child_payload">
+ <optional>
+ <attribute name="bsc_id">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ </optional>
+ <optional>
+ <ref name="cms_ta"/>
+ </optional>
+ </define>
+ <define name="child_elt" combine="choice">
+ <element name="child">
+ <ref name="ctl_cq"/>
+ <ref name="self_id"/>
+ <ref name="child_bool"/>
+ <ref name="child_payload"/>
+ </element>
+ </define>
+ <define name="child_elt" combine="choice">
+ <element name="child">
+ <ref name="ctl_cr"/>
+ <ref name="self_id"/>
+ <ref name="child_id"/>
+ </element>
+ </define>
+ <define name="child_elt" combine="choice">
+ <element name="child">
+ <ref name="ctl_sq"/>
+ <ref name="self_id"/>
+ <ref name="child_id"/>
+ <ref name="child_bool"/>
+ <ref name="child_payload"/>
+ </element>
+ </define>
+ <define name="child_elt" combine="choice">
+ <element name="child">
+ <ref name="ctl_sr"/>
+ <ref name="self_id"/>
+ <ref name="child_id"/>
+ </element>
+ </define>
+ <define name="child_elt" combine="choice">
+ <element name="child">
+ <ref name="ctl_gq"/>
+ <ref name="self_id"/>
+ <ref name="child_id"/>
+ </element>
+ </define>
+ <define name="child_elt" combine="choice">
+ <element name="child">
+ <ref name="ctl_gr"/>
+ <ref name="self_id"/>
+ <ref name="child_id"/>
+ <ref name="child_payload"/>
+ </element>
+ </define>
+ <define name="child_elt" combine="choice">
+ <element name="child">
+ <ref name="ctl_lq"/>
+ <ref name="self_id"/>
+ </element>
+ </define>
+ <define name="child_elt" combine="choice">
+ <element name="child">
+ <ref name="ctl_lr"/>
+ <ref name="self_id"/>
+ <ref name="child_id"/>
+ <ref name="child_payload"/>
+ </element>
+ </define>
+ <define name="child_elt" combine="choice">
+ <element name="child">
+ <ref name="ctl_dq"/>
+ <ref name="self_id"/>
+ <ref name="child_id"/>
+ </element>
+ </define>
+ <define name="child_elt" combine="choice">
+ <element name="child">
+ <ref name="ctl_dr"/>
+ <ref name="self_id"/>
+ <ref name="child_id"/>
+ </element>
+ </define>
+ <!-- <repository/> element -->
+ <define name="repository_id">
+ <attribute name="repository_id">
+ <ref name="sql_id"/>
+ </attribute>
+ </define>
+ <define name="repository_payload">
+ <optional>
+ <attribute name="peer_contact_uri">
+ <data type="anyURI">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="bsc_id">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ </optional>
+ <optional>
+ <ref name="cms_ta"/>
+ </optional>
+ <optional>
+ <ref name="https_ta"/>
+ </optional>
+ </define>
+ <define name="repository_elt" combine="choice">
+ <element name="repository">
+ <ref name="ctl_cq"/>
+ <ref name="self_id"/>
+ <ref name="repository_payload"/>
+ </element>
+ </define>
+ <define name="repository_elt" combine="choice">
+ <element name="repository">
+ <ref name="ctl_cr"/>
+ <ref name="self_id"/>
+ <ref name="repository_id"/>
+ </element>
+ </define>
+ <define name="repository_elt" combine="choice">
+ <element name="repository">
+ <ref name="ctl_sq"/>
+ <ref name="self_id"/>
+ <ref name="repository_id"/>
+ <ref name="repository_payload"/>
+ </element>
+ </define>
+ <define name="repository_elt" combine="choice">
+ <element name="repository">
+ <ref name="ctl_sr"/>
+ <ref name="self_id"/>
+ <ref name="repository_id"/>
+ </element>
+ </define>
+ <define name="repository_elt" combine="choice">
+ <element name="repository">
+ <ref name="ctl_gq"/>
+ <ref name="self_id"/>
+ <ref name="repository_id"/>
+ </element>
+ </define>
+ <define name="repository_elt" combine="choice">
+ <element name="repository">
+ <ref name="ctl_gr"/>
+ <ref name="self_id"/>
+ <ref name="repository_id"/>
+ <ref name="repository_payload"/>
+ </element>
+ </define>
+ <define name="repository_elt" combine="choice">
+ <element name="repository">
+ <ref name="ctl_lq"/>
+ <ref name="self_id"/>
+ </element>
+ </define>
+ <define name="repository_elt" combine="choice">
+ <element name="repository">
+ <ref name="ctl_lr"/>
+ <ref name="self_id"/>
+ <ref name="repository_id"/>
+ <ref name="repository_payload"/>
+ </element>
+ </define>
+ <define name="repository_elt" combine="choice">
+ <element name="repository">
+ <ref name="ctl_dq"/>
+ <ref name="self_id"/>
+ <ref name="repository_id"/>
+ </element>
+ </define>
+ <define name="repository_elt" combine="choice">
+ <element name="repository">
+ <ref name="ctl_dr"/>
+ <ref name="self_id"/>
+ <ref name="repository_id"/>
+ </element>
+ </define>
+ <!-- <route_origin/> element -->
+ <define name="ro_id">
+ <attribute name="route_origin_id">
+ <ref name="sql_id"/>
+ </attribute>
+ </define>
+ <define name="ro_bool">
+ <optional>
+ <attribute name="suppress_publication">
+ <value>yes</value>
+ </attribute>
+ </optional>
+ </define>
+ <define name="ro_payload">
+ <optional>
+ <attribute name="as_number">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="ipv4">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="ipv6">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ </optional>
+ </define>
+ <define name="ro_elt" combine="choice">
+ <element name="route_origin">
+ <ref name="ctl_cq"/>
+ <ref name="self_id"/>
+ <ref name="ro_bool"/>
+ <ref name="ro_payload"/>
+ </element>
+ </define>
+ <define name="ro_elt" combine="choice">
+ <element name="route_origin">
+ <ref name="ctl_cr"/>
+ <ref name="self_id"/>
+ <ref name="ro_id"/>
+ </element>
+ </define>
+ <define name="ro_elt" combine="choice">
+ <element name="route_origin">
+ <ref name="ctl_sq"/>
+ <ref name="self_id"/>
+ <ref name="ro_id"/>
+ <ref name="ro_bool"/>
+ <ref name="ro_payload"/>
+ </element>
+ </define>
+ <define name="ro_elt" combine="choice">
+ <element name="route_origin">
+ <ref name="ctl_sr"/>
+ <ref name="self_id"/>
+ <ref name="ro_id"/>
+ </element>
+ </define>
+ <define name="ro_elt" combine="choice">
+ <element name="route_origin">
+ <ref name="ctl_gq"/>
+ <ref name="self_id"/>
+ <ref name="ro_id"/>
+ </element>
+ </define>
+ <define name="ro_elt" combine="choice">
+ <element name="route_origin">
+ <ref name="ctl_gr"/>
+ <ref name="self_id"/>
+ <ref name="ro_id"/>
+ <ref name="ro_payload"/>
+ </element>
+ </define>
+ <define name="ro_elt" combine="choice">
+ <element name="route_origin">
+ <ref name="ctl_lq"/>
+ <ref name="self_id"/>
+ </element>
+ </define>
+ <define name="ro_elt" combine="choice">
+ <element name="route_origin">
+ <ref name="ctl_lr"/>
+ <ref name="self_id"/>
+ <ref name="ro_id"/>
+ <ref name="ro_payload"/>
+ </element>
+ </define>
+ <define name="ro_elt" combine="choice">
+ <element name="route_origin">
+ <ref name="ctl_dq"/>
+ <ref name="self_id"/>
+ <ref name="ro_id"/>
+ </element>
+ </define>
+ <define name="ro_elt" combine="choice">
+ <element name="route_origin">
+ <ref name="ctl_dr"/>
+ <ref name="self_id"/>
+ <ref name="ro_id"/>
+ </element>
+ </define>
+ <!-- <list_resources/> element -->
+ <define name="list_resources_elt">
+ <element name="list_resources">
+ <choice>
+ <group>
+ <attribute name="type">
+ <value>query</value>
+ </attribute>
+ <ref name="tag"/>
+ <ref name="self_id"/>
+ <ref name="child_id"/>
+ </group>
+ <group>
+ <attribute name="type">
+ <value>reply</value>
+ </attribute>
+ <ref name="tag"/>
+ <ref name="self_id"/>
+ <ref name="child_id"/>
+ <attribute name="valid_until">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ <optional>
+ <attribute name="subject_name">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="as">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="ipv4">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="ipv6">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ </optional>
+ </group>
+ </choice>
+ </element>
+ </define>
+ <!-- <report_error/> element -->
+ <define name="report_error_elt">
+ <element name="report_error">
+ <ref name="tag"/>
+ <ref name="self_id"/>
+ <attribute name="error_code">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ <optional>
+ <data type="string">
+ <param name="maxLength">512000</param>
+ </data>
+ </optional>
+ </element>
+ </define>
+</grammar>
+'''))
+
+## @var up_down
+## Parsed RelaxNG up_down schema
+up_down = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ $Id: up-down-schema.rng 1354 2007-12-04 06:20:10Z sra $
+
+ RelaxNG (Compact Syntax) Scheme for up-down protocol, extracted
+ from APNIC Wiki.
+
+ libxml2 (including xmllint) only groks the XML syntax of RelaxNG,
+ so run this through a converter like /usr/ports/textproc/trang to get
+ XML syntax:
+
+ $ trang up-down-schema.rnc up-down-schema.rng
+-->
+<grammar ns="http://www.apnic.net/specs/rescerts/up-down/" xmlns="http://relaxng.org/ns/structure/1.0" datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes">
+ <start>
+ <element name="message">
+ <attribute name="version">
+ <data type="positiveInteger">
+ <param name="maxInclusive">1</param>
+ </data>
+ </attribute>
+ <attribute name="sender">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ <attribute name="recipient">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ <ref name="payload"/>
+ </element>
+ </start>
+ <define name="payload" combine="choice">
+ <attribute name="type">
+ <value>list</value>
+ </attribute>
+ <ref name="list_request"/>
+ </define>
+ <define name="payload" combine="choice">
+ <attribute name="type">
+ <value>list_response</value>
+ </attribute>
+ <ref name="list_response"/>
+ </define>
+ <define name="payload" combine="choice">
+ <attribute name="type">
+ <value>issue</value>
+ </attribute>
+ <ref name="issue_request"/>
+ </define>
+ <define name="payload" combine="choice">
+ <attribute name="type">
+ <value>issue_response</value>
+ </attribute>
+ <ref name="issue_response"/>
+ </define>
+ <define name="payload" combine="choice">
+ <attribute name="type">
+ <value>revoke</value>
+ </attribute>
+ <ref name="revoke_request"/>
+ </define>
+ <define name="payload" combine="choice">
+ <attribute name="type">
+ <value>revoke_response</value>
+ </attribute>
+ <ref name="revoke_response"/>
+ </define>
+ <define name="payload" combine="choice">
+ <attribute name="type">
+ <value>error_response</value>
+ </attribute>
+ <ref name="error_response"/>
+ </define>
+ <define name="list_request">
+ <empty/>
+ </define>
+ <define name="list_response">
+ <zeroOrMore>
+ <ref name="class"/>
+ </zeroOrMore>
+ </define>
+ <define name="class">
+ <element name="class">
+ <attribute name="class_name">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ <attribute name="cert_url">
+ <data type="string">
+ <param name="maxLength">4096</param>
+ </data>
+ </attribute>
+ <attribute name="resource_set_as">
+ <data type="string">
+ <param name="maxLength">512000</param>
+ <param name="pattern">[\-,0-9]*</param>
+ </data>
+ </attribute>
+ <attribute name="resource_set_ipv4">
+ <data type="string">
+ <param name="maxLength">512000</param>
+ <param name="pattern">[\-,/.0-9]*</param>
+ </data>
+ </attribute>
+ <attribute name="resource_set_ipv6">
+ <data type="string">
+ <param name="maxLength">512000</param>
+ <param name="pattern">[\-,/:0-9a-fA-F]*</param>
+ </data>
+ </attribute>
+ <optional>
+ <attribute name="resource_set_notafter">
+ <data type="dateTime">
+ <param name="pattern">.*Z</param>
+ </data>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="suggested_sia_head">
+ <data type="anyURI">
+ <param name="maxLength">1024</param>
+ <param name="pattern">rsync://.+</param>
+ </data>
+ </attribute>
+ </optional>
+ <zeroOrMore>
+ <element name="certificate">
+ <attribute name="cert_url">
+ <data type="string">
+ <param name="maxLength">4096</param>
+ </data>
+ </attribute>
+ <optional>
+ <attribute name="req_resource_set_as">
+ <data type="string">
+ <param name="maxLength">512000</param>
+ <param name="pattern">[\-,0-9]*</param>
+ </data>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="req_resource_set_ipv4">
+ <data type="string">
+ <param name="maxLength">512000</param>
+ <param name="pattern">[\-,/.0-9]*</param>
+ </data>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="req_resource_set_ipv6">
+ <data type="string">
+ <param name="maxLength">512000</param>
+ <param name="pattern">[\-,/:0-9a-fA-F]*</param>
+ </data>
+ </attribute>
+ </optional>
+ <data type="base64Binary">
+ <param name="maxLength">512000</param>
+ </data>
+ </element>
+ </zeroOrMore>
+ <element name="issuer">
+ <data type="base64Binary">
+ <param name="maxLength">512000</param>
+ </data>
+ </element>
+ </element>
+ </define>
+ <define name="issue_request">
+ <element name="request">
+ <attribute name="class_name">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ <optional>
+ <attribute name="req_resource_set_as">
+ <data type="string">
+ <param name="maxLength">512000</param>
+ <param name="pattern">[\-,0-9]*</param>
+ </data>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="req_resource_set_ipv4">
+ <data type="string">
+ <param name="maxLength">512000</param>
+ <param name="pattern">[\-,/.0-9]*</param>
+ </data>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="req_resource_set_ipv6">
+ <data type="string">
+ <param name="maxLength">512000</param>
+ <param name="pattern">[\-,/:0-9a-fA-F]*</param>
+ </data>
+ </attribute>
+ </optional>
+ <data type="base64Binary">
+ <param name="maxLength">512000</param>
+ </data>
+ </element>
+ </define>
+ <define name="issue_response">
+ <ref name="class"/>
+ </define>
+ <define name="revoke_request">
+ <ref name="revocation"/>
+ </define>
+ <define name="revoke_response">
+ <ref name="revocation"/>
+ </define>
+ <define name="revocation">
+ <element name="key">
+ <attribute name="class_name">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ <attribute name="ski">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ </element>
+ </define>
+ <define name="error_response">
+ <element name="status">
+ <data type="positiveInteger">
+ <param name="maxInclusive">999999999999999</param>
+ </data>
+ </element>
+ <optional>
+ <element name="description">
+ <attribute name="xml:lang">
+ <data type="language"/>
+ </attribute>
+ <data type="string">
+ <param name="maxLength">1024</param>
+ </data>
+ </element>
+ </optional>
+ </define>
+</grammar>
+'''))
diff --git a/rpkid/rpki/resource_set.py b/rpkid/rpki/resource_set.py
new file mode 100644
index 00000000..8497dad5
--- /dev/null
+++ b/rpkid/rpki/resource_set.py
@@ -0,0 +1,528 @@
+# $Id$
+
+# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+"""Classes dealing with sets of resources.
+
+The basic mechanics of a resource set are the same for any of the
+resources we handle (ASNs, IPv4 addresses, or IPv6 addresses), so we
+can provide the same operations on any of them, even though the
+underlying details vary.
+
+We also provide some basic set operations (union, intersection, etc).
+"""
+
+import re
+import rpki.ipaddrs, rpki.oids
+
+inherit_token = "<inherit>"
+
+class resource_range(object):
+ """Generic resource range type.
+
+ Assumes underlying type is some kind of integer. You probably don't
+ want to use this type directly.
+ """
+
+ def __init__(self, min, max):
+ """Initialize and sanity check a resource_range."""
+ assert min <= max, "Mis-ordered range: %s before %s" % (str(min), str(max))
+ self.min = min
+ self.max = max
+
+ def __cmp__(self, other):
+ """Compare two resource_range objects."""
+ c = self.min - other.min
+ if c == 0: c = self.max - other.max
+ if c < 0: c = -1
+ if c > 0: c = 1
+ return c
+
+class resource_range_as(resource_range):
+ """Range of Autonomous System Numbers.
+
+ Denotes a single ASN by a range whose min and max values are identical.
+ """
+
+ datum_type = long
+
+ def __str__(self):
+ """Convert a resource_range_as to string format."""
+ if self.min == self.max:
+ return str(self.min)
+ else:
+ return str(self.min) + "-" + str(self.max)
+
+ def to_tuple(self):
+ """Convert a resource_range_as to tuple format for ASN.1 encoding."""
+ if self.min == self.max:
+ return ("id", self.min)
+ else:
+ return ("range", (self.min, self.max))
+
+class resource_range_ip(resource_range):
+ """Range of (generic) IP addresses.
+
+ Prefixes are converted to ranges on input, and ranges that can be
+ represented as prefixes are written as prefixes on output.
+ """
+
+ def _prefixlen(self):
+ """Determine whether a resource_range_ip can be expressed as a prefix."""
+ mask = self.min ^ self.max
+ prefixlen = self.datum_type.bits
+ while mask & 1:
+ prefixlen -= 1
+ mask >>= 1
+ if mask:
+ return -1
+ else:
+ return prefixlen
+
+ def __str__(self):
+ """Convert a resource_range_ip to string format."""
+ prefixlen = self._prefixlen()
+ if prefixlen < 0:
+ return str(self.min) + "-" + str(self.max)
+ else:
+ return str(self.min) + "/" + str(prefixlen)
+
+ def to_tuple(self):
+ """Convert a resource_range_ip to tuple format for ASN.1 encoding."""
+ prefixlen = self._prefixlen()
+ if prefixlen < 0:
+ return ("addressRange", (_long2bs(self.min, self.datum_type.bits, strip = 0),
+ _long2bs(self.max, self.datum_type.bits, strip = 1)))
+ else:
+ return ("addressPrefix", _long2bs(self.min, self.datum_type.bits, prefixlen = prefixlen))
+
+class resource_range_ipv4(resource_range_ip):
+ """Range of IPv4 addresses."""
+
+ datum_type = rpki.ipaddrs.v4addr
+
+class resource_range_ipv6(resource_range_ip):
+ """Range of IPv6 addresses."""
+
+ datum_type = rpki.ipaddrs.v6addr
+
+def _rsplit(rset, that):
+ """Split a resource range into two resource ranges."""
+ this = rset.pop(0)
+ cell_type = type(this.min)
+ assert type(this) is type(that) and type(this.max) is cell_type and \
+ type(that.min) is cell_type and type(that.max) is cell_type
+ if this.min < that.min:
+ rset.insert(0, type(this)(this.min, cell_type(that.min - 1)))
+ rset.insert(1, type(this)(that.min, this.max))
+ else:
+ assert this.max > that.max
+ rset.insert(0, type(this)(this.min, that.max))
+ rset.insert(1, type(this)(cell_type(that.max + 1), this.max))
+
+class resource_set(list):
+ """Generic resource set.
+
+ List type containing resource ranges. You probably don't want to
+ use this type directly.
+ """
+
+ inherit = False
+
+ def __init__(self, ini = None):
+ """Initialize a resource_set."""
+ if isinstance(ini, int) or isinstance(ini, long):
+ ini = str(ini)
+ if ini == inherit_token:
+ self.inherit = True
+ elif isinstance(ini, str) and len(ini):
+ self.extend(map(self.parse_str, ini.split(",")))
+ elif isinstance(ini, tuple):
+ self.parse_tuple(ini)
+ elif isinstance(ini, list):
+ self.extend(ini)
+ else:
+ assert ini is None or ini == "", "Unexpected initializer: %s" % str(ini)
+ assert not self.inherit or not self
+ self.sort()
+ if __debug__:
+ for i in range(0, len(self) - 1):
+ assert self[i].max < self[i+1].min, "Resource overlap: %s %s" % (self[i], self[i+1])
+
+ def __str__(self):
+ """Convert a resource_set to string format."""
+ if self.inherit:
+ return inherit_token
+ else:
+ return ",".join(map(str, self))
+
+ def _comm(self, other):
+ """Like comm(1), sort of.
+
+ Returns a tuple of three resource sets: resources only in self,
+ resources only in other, and resources in both. Used (not very
+ efficiently) as the basis for most set operations on resource
+ sets.
+ """
+ assert not self.inherit
+ assert type(self) is type(other), "Type mismatch %s %s" % (repr(type(self)), repr(type(other)))
+ set1 = self[:]
+ set2 = other[:]
+ only1, only2, both = [], [], []
+ while set1 or set2:
+ if set1 and (not set2 or set1[0].max < set2[0].min):
+ only1.append(set1.pop(0))
+ elif set2 and (not set1 or set2[0].max < set1[0].min):
+ only2.append(set2.pop(0))
+ elif set1[0].min < set2[0].min:
+ _rsplit(set1, set2[0])
+ elif set2[0].min < set1[0].min:
+ _rsplit(set2, set1[0])
+ elif set1[0].max < set2[0].max:
+ _rsplit(set2, set1[0])
+ elif set2[0].max < set1[0].max:
+ _rsplit(set1, set2[0])
+ else:
+ assert set1[0].min == set2[0].min and set1[0].max == set2[0].max
+ both.append(set1.pop(0))
+ set2.pop(0)
+ return type(self)(only1), type(self)(only2), type(self)(both)
+
+ def union(self, other):
+ """Set union for resource sets."""
+ assert not self.inherit
+ assert type(self) is type(other), "Type mismatch: %s %s" % (repr(type(self)), repr(type(other)))
+ set1 = self[:]
+ set2 = other[:]
+ result = []
+ while set1 or set2:
+ if set1 and (not set2 or set1[0].max < set2[0].min):
+ result.append(set1.pop(0))
+ elif set2 and (not set1 or set2[0].max < set1[0].min):
+ result.append(set2.pop(0))
+ else:
+ this = set1.pop(0)
+ that = set2.pop(0)
+ assert type(this) is type(that)
+ if this.min < that.min: min = this.min
+ else: min = that.min
+ if this.max > that.max: max = this.max
+ else: max = that.max
+ result.append(type(this)(min, max))
+ for i in range(len(result) - 2, -1, -1):
+ if result[i].max + 1 == result[i + 1].min:
+ result[i].max = result[i + 1].max
+ result.pop(i + 1)
+ return type(self)(result)
+
+ def intersection(self, other):
+ """Set intersection for resource sets."""
+ return self._comm(other)[2]
+
+ def difference(self, other):
+ """Set difference for resource sets."""
+ return self._comm(other)[0]
+
+ def symmetric_difference(self, other):
+ """Set symmetric difference (XOR) for resource sets."""
+ com = self._comm(other)
+ return com[0].union(com[1])
+
+ def contains(self, item):
+ """Set membership test for resource sets."""
+ assert not self.inherit
+ for i in self:
+ if isinstance(item, type(i)) and i.min <= item.min and i.max >= item.max:
+ return True
+ elif isinstance(item, type(i.min)) and i.min <= item and i.max >= item:
+ return True
+ else:
+ assert isinstance(item, (type(i), type(i.min)))
+ return False
+
+ def issubset(self, other):
+ """Test whether self is a subset (possibly improper) of other."""
+ for i in self:
+ if not other.contains(i):
+ return False
+ return True
+
+ def issuperset(self, other):
+ """Test whether self is a superset (possibly improper) of other."""
+ return other.issubset(self)
+
+ @classmethod
+ def from_sql(cls, cur, query, args = None):
+ """Create resource set from an SQL query.
+
+ cur is a DB API 2.0 cursor object.
+
+ query is an SQL query that returns a sequence of (min, max) pairs.
+ """
+
+ cur.execute(query, args)
+ return cls(ini = [cls.range_type(cls.range_type.datum_type(b),
+ cls.range_type.datum_type(e))
+ for (b,e) in cur.fetchall()])
+
+class resource_set_as(resource_set):
+ """ASN resource set."""
+
+ range_type = resource_range_as
+
+ def parse_str(self, x):
+ """Parse AS resource sets from text (eg, XML attributes)."""
+ r = re.match("^([0-9]+)-([0-9]+)$", x)
+ if r:
+ return resource_range_as(long(r.group(1)), long(r.group(2)))
+ else:
+ return resource_range_as(long(x), long(x))
+
+ def parse_tuple(self, x):
+ """Parse AS resource sets from intermediate form generated by ASN.1 decoder."""
+ if x[0] == "asIdsOrRanges":
+ for aor in x[1]:
+ if aor[0] == "range":
+ min = aor[1][0]
+ max = aor[1][1]
+ else:
+ min = aor[1]
+ max = min
+ self.append(resource_range_as(min, max))
+ else:
+ assert x[0] == "inherit"
+ self.inherit = True
+
+ def to_tuple(self):
+ """Encode AS resource set into intermediate form used by ASN.1 encoder."""
+ if self:
+ return ("asIdsOrRanges", tuple(a.to_tuple() for a in self))
+ elif self.inherit:
+ return ("inherit", "")
+ else:
+ return None
+
+class resource_set_ip(resource_set):
+ """(Generic) IP address resource set.
+
+ You probably don't want to use this type directly.
+ """
+
+ def parse_str(self, x):
+ """Parse IP address resource sets from text (eg, XML attributes)."""
+ r = re.match("^([0-9:.a-fA-F]+)-([0-9:.a-fA-F]+)$", x)
+ if r:
+ return self.range_type(self.range_type.datum_type(r.group(1)), self.range_type.datum_type(r.group(2)))
+ r = re.match("^([0-9:.a-fA-F]+)/([0-9]+)$", x)
+ if r:
+ min = self.range_type.datum_type(r.group(1))
+ prefixlen = int(r.group(2))
+ mask = (1 << (self.range_type.datum_type.bits - prefixlen)) - 1
+ assert (min & mask) == 0, "Resource not in canonical form: %s" % (x)
+ max = self.range_type.datum_type(min | mask)
+ return self.range_type(min, max)
+ raise RuntimeError, 'Bad IP resource "%s"' % (x)
+
+ def parse_tuple(self, x):
+ """Parse IP address resource sets from intermediate form generated by ASN.1 decoder."""
+ if x[0] == "addressesOrRanges":
+ for aor in x[1]:
+ if aor[0] == "addressRange":
+ min = _bs2long(aor[1][0]) << (self.range_type.datum_type.bits - len(aor[1][0]))
+ max = _bs2long(aor[1][1]) << (self.range_type.datum_type.bits - len(aor[1][1]))
+ mask = (1L << (self.range_type.datum_type.bits - len(aor[1][1]))) - 1
+ else:
+ min = _bs2long(aor[1]) << (self.range_type.datum_type.bits - len(aor[1]))
+ mask = (1L << (self.range_type.datum_type.bits - len(aor[1]))) - 1
+ assert (min & mask) == 0, "Resource not in canonical form: %s" % (str(x))
+ max = min | mask
+ self.append(self.range_type(self.range_type.datum_type(min), self.range_type.datum_type(max)))
+ else:
+ assert x[0] == "inherit"
+ self.inherit = True
+
+ def to_tuple(self):
+ """Encode IP resource set into intermediate form used by ASN.1 encoder."""
+ if self:
+ return (self.afi, ("addressesOrRanges", tuple(a.to_tuple() for a in self)))
+ elif self.inherit:
+ return (self.afi, ("inherit", ""))
+ else:
+ return None
+
+class resource_set_ipv4(resource_set_ip):
+ """IPv4 address resource set."""
+
+ range_type = resource_range_ipv4
+ afi = "\x00\x01"
+
+class resource_set_ipv6(resource_set_ip):
+ """IPv6 address resource set."""
+
+ range_type = resource_range_ipv6
+ afi = "\x00\x02"
+
+def _bs2long(bs):
+ """Convert a bitstring (tuple representation) into a long."""
+ return reduce(lambda x, y: (x << 1) | y, bs, 0L)
+
+def _long2bs(number, addrlen, prefixlen = None, strip = None):
+ """Convert a long into a tuple bitstring. This is a bit complicated
+ because it supports the fiendishly compact encoding used in RFC 3779.
+ """
+ assert prefixlen is None or strip is None
+ bs = []
+ while number:
+ bs.append(int(number & 1))
+ number >>= 1
+ if addrlen > len(bs):
+ bs.extend((0 for i in xrange(addrlen - len(bs))))
+ bs.reverse()
+ if prefixlen is not None:
+ return tuple(bs[0:prefixlen])
+ if strip is not None:
+ while bs and bs[-1] == strip:
+ bs.pop()
+ return tuple(bs)
+
+class resource_bag(object):
+ """Container to simplify passing around the usual triple of AS,
+ IPv4, and IPv6 resource sets.
+ """
+
+ def __init__(self, as = None, v4 = None, v6 = None, valid_until = None):
+ self.as = as or resource_set_as()
+ self.v4 = v4 or resource_set_ipv4()
+ self.v6 = v6 or resource_set_ipv6()
+ self.valid_until = valid_until
+
+ def oversized(self, other):
+ """True iff self is oversized with respect to other."""
+ return not self.as.issubset(other.as) or \
+ not self.v4.issubset(other.v4) or \
+ not self.v6.issubset(other.v6)
+
+ def undersized(self, other):
+ """True iff self is undersized with respect to other."""
+ return not other.as.issubset(self.as) or \
+ not other.v4.issubset(self.v4) or \
+ not other.v6.issubset(self.v6)
+
+ @classmethod
+ def from_asn1_tuples(cls, exts):
+ """Build a resource_bag from intermediate form returned by ASN.1 decoder."""
+ as = None
+ v4 = None
+ v6 = None
+ for x in exts:
+ if x[0] == rpki.oids.name2oid["sbgp-autonomousSysNum"]: #
+ assert len(x[2]) == 1 or x[2][1] is None, "RDI not implemented: %s" % (str(x))
+ assert as is None
+ as = resource_set_as(x[2][0])
+ if x[0] == rpki.oids.name2oid["sbgp-ipAddrBlock"]:
+ for fam in x[2]:
+ if fam[0] == resource_set_ipv4.afi:
+ assert v4 is None
+ v4 = resource_set_ipv4(fam[1])
+ if fam[0] == resource_set_ipv6.afi:
+ assert v6 is None
+ v6 = resource_set_ipv6(fam[1])
+ return cls(as, v4, v6)
+
+ def empty(self):
+ """Return True iff all resource sets in this bag are empty."""
+ return not self.as and not self.v4 and not self.v6
+
+ def __eq__(self, other):
+ return self.as == other.as and \
+ self.v4 == other.v4 and \
+ self.v6 == other.v6 and \
+ self.valid_until == other.valid_until
+
+ def __ne__(self, other):
+ return not (self == other)
+
+ def intersection(self, other):
+ """Compute intersection with another resource_bag.
+ valid_until attribute (if any) inherits from self.
+ """
+ return self.__class__(self.as.intersection(other.as),
+ self.v4.intersection(other.v4),
+ self.v6.intersection(other.v6),
+ self.valid_until)
+
+ def union(self, other):
+ """Compute union with another resource_bag.
+ valid_until attribute (if any) inherits from self.
+ """
+ return self.__class__(self.as.union(other.as),
+ self.v4.union(other.v4),
+ self.v6.union(other.v6),
+ self.valid_until)
+
+ def __str__(self):
+ s = ""
+ if self.as:
+ s += "AS: %s" % self.as
+ if self.v4:
+ if s:
+ s += ", "
+ s += "V4: %s" % self.v4
+ if self.v6:
+ if s:
+ s += ", "
+ s += "V6: %s" % self.v6
+ return s
+
+# Test suite for set operations. This will probably go away eventually
+
+if __name__ == "__main__":
+
+ def test(t, s1, s2):
+ print
+ r1 = t(s1)
+ r2 = t(s2)
+ print "x: ", r1
+ print "y: ", r2
+ v1 = r1._comm(r2)
+ v2 = r2._comm(r1)
+ assert v1[0] == v2[1] and v1[1] == v2[0] and v1[2] == v2[2]
+ for i in r1: assert r1.contains(i) and r1.contains(i.min) and r1.contains(i.max)
+ for i in r2: assert r2.contains(i) and r2.contains(i.min) and r2.contains(i.max)
+ for i in v1[0]: assert r1.contains(i) and not r2.contains(i)
+ for i in v1[1]: assert not r1.contains(i) and r2.contains(i)
+ for i in v1[2]: assert r1.contains(i) and r2.contains(i)
+ v1 = r1.union(r2)
+ v2 = r2.union(r1)
+ assert v1 == v2
+ print "x|y:", v1
+ v1 = r1.difference(r2)
+ v2 = r2.difference(r1)
+ print "x-y:", v1
+ print "y-x:", v2
+ v1 = r1.symmetric_difference(r2)
+ v2 = r2.symmetric_difference(r1)
+ assert v1 == v2
+ print "x^y:", v1
+ v1 = r1.intersection(r2)
+ v2 = r2.intersection(r1)
+ assert v1 == v2
+ print "x&y:", v1
+
+ print "Testing set operations on resource sets"
+ test(resource_set_as, "1,2,3,4,5,6,11,12,13,14,15", "1,2,3,4,5,6,111,121,131,141,151")
+ test(resource_set_ipv4, "10.0.0.44/32,10.6.0.2/32", "10.3.0.0/24,10.0.0.77/32")
+ test(resource_set_ipv4, "10.0.0.44/32,10.6.0.2/32", "10.0.0.0/24")
+ test(resource_set_ipv4, "10.0.0.0/24", "10.3.0.0/24,10.0.0.77/32")
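Review bot: Input validation in this file is done with `assert`, which Python strips under `-O`: the ordering check in `resource_range.__init__`, the canonical-form checks in `resource_set_ip.parse_str` and `parse_tuple`, and the overlap check in `resource_set.__init__` (which is explicitly under `if __debug__`). The docstrings say these parsers take text from XML attributes and tuples from the ASN.1 decoder, so the values are presumably peer-supplied, while `_comm` and `union` walk their lists assuming sorted, non-overlapping ranges. I would raise a real exception instead, e.g. `if min > max: raise ValueError("Mis-ordered range: %s before %s" % (min, max))`, and do the same for the overlap and canonical-form checks. `parse_str` should also reject a prefix length outside `0..datum_type.bits` explicitly before computing `1 << (bits - prefixlen)`, rather than leaving it to the shift to fail.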
diff --git a/rpkid/rpki/roa.py b/rpkid/rpki/roa.py
new file mode 100644
index 00000000..15d1c6eb
--- /dev/null
+++ b/rpkid/rpki/roa.py
@@ -0,0 +1,49 @@
+# $Id$
+
+# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+""" ROA (Route Origin Authorization).
+
+At the moment this is just the ASN.1 encoder.
+
+This corresponds to draft-ietf-sidr-roa-format-01, which is a work in
+progress, so this may need updating later.
+"""
+
+from POW._der import *
+
+class IPAddresses(SequenceOf):
+ def __init__(self, optional=0, default=''):
+ SequenceOf.__init__(self, BitString, optional, default)
+
+class ROAIPAddressFamily(Sequence):
+ def __init__(self, optional=0, default=''):
+ self.addressFamily = OctetString()
+ self.addresses = IPAddresses()
+ contents = [ self.addressFamily, self.addresses ]
+ Sequence.__init__(self, contents, optional, default)
+
+class ROAIPAddrBlocks(SequenceOf):
+ def __init__(self, optional=0, default=''):
+ SequenceOf.__init__(self, ROAIPAddressFamily, optional, default)
+
+class RouteOriginAttestation(Sequence):
+ def __init__(self, optional=0, default=''):
+ self.version = Integer(0, chr(0x00))
+ self.asID = Integer()
+ self.exactMatch = Boolean()
+ self.ipAddrBlocks = ROAIPAddrBlocks()
+ contents = [ self.version, self.asID, self.exactMatch, self.ipAddrBlocks ]
+ Sequence.__init__(self, contents, optional, default)
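Review bot: `from POW._der import *` hides where `Sequence`, `SequenceOf`, `BitString`, `OctetString`, `Integer` and `Boolean` come from, and lets a later addition to that module silently shadow a name defined here. I would import them explicitly: `from POW._der import BitString, Boolean, Integer, OctetString, Sequence, SequenceOf`. The four classes also have no docstrings; one line each naming the ASN.1 type from draft-ietf-sidr-roa-format-01 that the class encodes would let a reader check the field order in `contents` against the draft.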
diff --git a/rpkid/rpki/sax_utils.py b/rpkid/rpki/sax_utils.py
new file mode 100644
index 00000000..a472bee9
--- /dev/null
+++ b/rpkid/rpki/sax_utils.py
@@ -0,0 +1,93 @@
+# $Id$
+
+# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+"""SAX utilities."""
+
+import xml.sax, lxml.sax
+
+class handler(xml.sax.handler.ContentHandler):
+ """SAX handler for RPKI protocols.
+
+ This class provides some basic amenities for parsing protocol XML of
+ the kind we use in the RPKI protocols, including whacking all the
+ protocol element text into US-ASCII, simplifying accumulation of
+ text fields, and hiding some of the fun relating to XML namespaces.
+
+ General assumption: by the time this parsing code gets invoked, the
+ XML has already passed RelaxNG validation, so we only have to check
+ for errors that the schema can't catch, and we don't have to play as
+ many XML namespace games.
+ """
+
+ def __init__(self):
+ """Initialize SAX handler."""
+ self.text = ""
+ self.stack = []
+
+ def startElementNS(self, name, qname, attrs):
+ """Redirect startElementNS() events to startElement()."""
+ return self.startElement(name[1], attrs)
+
+ def endElementNS(self, name, qname):
+ """Redirect endElementNS() events to endElement()."""
+ return self.endElement(name[1])
+
+ def characters(self, content):
+ """Accumulate a chuck of element content (text)."""
+ self.text += content
+
+ def startElement(self, name, attrs):
+ """Handle startElement() events.
+
+ We maintain a stack of nested elements under construction so that
+ we can feed events directly to the current element rather than
+ having to pass them through all the nesting elements.
+
+ If the stack is empty, this event is for the outermost element, so
+ we call a virtual method to create the corresponding object and
+ that's the object we'll be returning as our final result.
+ """
+ a = dict()
+ for k,v in attrs.items():
+ if isinstance(k, tuple):
+ if k == ("http://www.w3.org/XML/1998/namespace", "lang"):
+ k = "xml:lang"
+ else:
+ assert k[0] is None
+ k = k[1]
+ a[k.encode("ascii")] = v.encode("ascii")
+ if len(self.stack) == 0:
+ assert not hasattr(self, "result")
+ self.result = self.create_top_level(name, a)
+ self.stack.append(self.result)
+ self.stack[-1].startElement(self.stack, name, a)
+
+ def endElement(self, name):
+ """Handle endElement() events.
+
+ Mostly this means handling any accumulated element text.
+ """
+ text = self.text.encode("ascii").strip()
+ self.text = ""
+ self.stack[-1].endElement(self.stack, name, text)
+
+ @classmethod
+ def saxify(cls, elt):
+ """Create a one-off SAX parser, parse an ETree, return the result.
+ """
+ self = cls()
+ lxml.sax.saxify(elt, self)
+ return self.result
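Review bot: Both `.encode("ascii")` sites (attribute names and values in `startElement`, accumulated text in `endElement`) raise `UnicodeEncodeError` on non-ASCII input, and nothing in this class catches it. The class docstring relies on prior RelaxNG validation, but the schema earlier on this page types `description` as `string` and `class_name` as `token`, neither of which restricts content to ASCII, so a schema-valid message from a peer can presumably reach this path. I would catch `UnicodeError` around each encode and raise a dedicated protocol-level exception, so the caller can answer with an error response instead of an unhandled traceback. The namespace check `assert k[0] is None` in `startElement` is also stripped under `-O`; `if k[0] is not None: raise ...` would keep it in force.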
diff --git a/rpkid/rpki/sql.py b/rpkid/rpki/sql.py
new file mode 100644
index 00000000..022e4dd5
--- /dev/null
+++ b/rpkid/rpki/sql.py
@@ -0,0 +1,801 @@
+# $Id$
+
+# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+import MySQLdb, time
+import rpki.x509, rpki.resource_set, rpki.sundial
+
+def connect(cfg):
+ """Connect to a MySQL database using connection parameters from an
+ rpki.config.parser object.
+ """
+ return MySQLdb.connect(user = cfg.get("sql-username"),
+ db = cfg.get("sql-database"),
+ passwd = cfg.get("sql-password"))
+
+class template(object):
+ """SQL template generator."""
+ def __init__(self, table_name, index_column, *data_columns):
+ """Build a SQL template."""
+ type_map = dict((x[0],x[1]) for x in data_columns if isinstance(x, tuple))
+ data_columns = tuple(isinstance(x, tuple) and x[0] or x for x in data_columns)
+ columns = (index_column,) + data_columns
+ self.table = table_name
+ self.index = index_column
+ self.columns = columns
+ self.map = type_map
+ self.select = "SELECT %s FROM %s" % (", ".join(columns), table_name)
+ self.insert = "INSERT %s (%s) VALUES (%s)" % (table_name, ", ".join(data_columns),
+ ", ".join("%(" + s + ")s" for s in data_columns))
+ self.update = "UPDATE %s SET %s WHERE %s = %%(%s)s" % \
+ (table_name, ", ".join(s + " = %(" + s + ")s" for s in data_columns),
+ index_column, index_column)
+ self.delete = "DELETE FROM %s WHERE %s = %%s" % (table_name, index_column)
+
+## @var sql_cache
+# Cache of objects pulled from SQL.
+
+sql_cache = {}
+
+## @var sql_dirty
+# Set of objects that need to be written back to SQL.
+
+sql_dirty = set()
+
+def sql_cache_clear():
+ """Clear the object cache."""
+ sql_cache.clear()
+
+def sql_assert_pristine():
+ """Assert that there are no dirty objects in the cache."""
+ assert not sql_dirty, "Dirty objects in SQL cache: %s" % sql_dirty
+
+def sql_sweep(gctx):
+ """Write any dirty objects out to SQL."""
+ for s in sql_dirty.copy():
+ rpki.log.debug("Sweeping %s" % repr(s))
+ s.sql_store(gctx)
+ sql_assert_pristine()
+
+class sql_persistant(object):
+ """Mixin for persistant class that needs to be stored in SQL.
+ """
+
+ ## @var sql_in_db
+ # Whether this object is already in SQL or not.
+ sql_in_db = False
+
+ @classmethod
+ def sql_fetch(cls, gctx, id):
+ """Fetch one object from SQL, based on its primary key. Since in
+ this one case we know that the primary index is also the cache
+ key, we check for a cache hit directly in the hope of bypassing the
+ SQL lookup entirely.
+ """
+ key = (cls, id)
+ if key in sql_cache:
+ return sql_cache[key]
+ else:
+ return cls.sql_fetch_where1(gctx, "%s = %s", (cls.sql_template.index, id))
+
+ @classmethod
+ def sql_fetch_where1(cls, gctx, where, args = None):
+ """Fetch one object from SQL, based on an arbitrary SQL WHERE expression."""
+ results = cls.sql_fetch_where(gctx, where, args)
+ if len(results) == 0:
+ return None
+ elif len(results) == 1:
+ return results[0]
+ else:
+ raise rpki.exceptions.DBConsistancyError, \
+ "Database contained multiple matches for %s where %s" % \
+ (cls.__name__, where % tuple(repr(a) for a in args))
+
+ @classmethod
+ def sql_fetch_all(cls, gctx):
+ """Fetch all objects of this type from SQL."""
+ return cls.sql_fetch_where(gctx, None)
+
+ @classmethod
+ def sql_fetch_where(cls, gctx, where, args = None):
+ """Fetch objects of this type matching an arbitrary SQL WHERE expression."""
+ if where is None:
+ gctx.cur.execute(cls.sql_template.select)
+ else:
+ gctx.cur.execute(cls.sql_template.select + " WHERE " + where, args)
+ results = []
+ for row in gctx.cur.fetchall():
+ key = (cls, row[0])
+ if key in sql_cache:
+ results.append(sql_cache[key])
+ else:
+ results.append(cls.sql_init(gctx, row, key))
+ return results
+
+ @classmethod
+ def sql_init(cls, gctx, row, key):
+ """Initialize one Python object from the result of a SQL query."""
+ self = cls()
+ self.sql_decode(dict(zip(cls.sql_template.columns, row)))
+ sql_cache[key] = self
+ self.sql_in_db = True
+ self.sql_fetch_hook(gctx)
+ return self
+
+ def sql_mark_dirty(self):
+ """Mark this object as needing to be written back to SQL."""
+ sql_dirty.add(self)
+
+ def sql_mark_clean(self):
+ """Mark this object as not needing to be written back to SQL."""
+ sql_dirty.discard(self)
+
+ def sql_is_dirty(self):
+ """Query whether this object needs to be written back to SQL."""
+ return self in sql_dirty
+
+ def sql_store(self, gctx):
+ """Store this object to SQL."""
+ if not self.sql_in_db:
+ gctx.cur.execute(self.sql_template.insert, self.sql_encode())
+ setattr(self, self.sql_template.index, gctx.cur.lastrowid)
+ sql_cache[(self.__class__, gctx.cur.lastrowid)] = self
+ self.sql_insert_hook(gctx)
+ else:
+ gctx.cur.execute(self.sql_template.update, self.sql_encode())
+ self.sql_update_hook(gctx)
+ key = (self.__class__, getattr(self, self.sql_template.index))
+ assert key in sql_cache and sql_cache[key] == self
+ self.sql_mark_clean()
+ self.sql_in_db = True
+
+ def sql_delete(self, gctx):
+ """Delete this object from SQL."""
+ if self.sql_in_db:
+ id = getattr(self, self.sql_template.index)
+ gctx.cur.execute(self.sql_template.delete, id)
+ self.sql_delete_hook(gctx)
+ key = (self.__class__, id)
+ if sql_cache.get(key) == self:
+ del sql_cache[key]
+ self.sql_in_db = False
+ self.sql_mark_clean()
+
+ def sql_encode(self):
+ """Convert object attributes into a dict for use with canned SQL
+ queries. This is a default version that assumes a one-to-one
+ mapping between column names in SQL and attribute names in Python.
+ If you need something fancier, override this.
+ """
+ d = dict((a, getattr(self, a, None)) for a in self.sql_template.columns)
+ for i in self.sql_template.map:
+ if d.get(i) is not None:
+ d[i] = self.sql_template.map[i].to_sql(d[i])
+ return d
+
+ def sql_decode(self, vals):
+ """Initialize an object with values returned by self.sql_fetch().
+ This is a default version that assumes a one-to-one mapping
+ between column names in SQL and attribute names in Python. If you
+ need something fancier, override this.
+ """
+ for a in self.sql_template.columns:
+ if vals.get(a) is not None and a in self.sql_template.map:
+ setattr(self, a, self.sql_template.map[a].from_sql(vals[a]))
+ else:
+ setattr(self, a, vals[a])
+
+ def sql_fetch_hook(self, gctx):
+ """Customization hook."""
+ pass
+
+ def sql_insert_hook(self, gctx):
+ """Customization hook."""
+ pass
+
+ def sql_update_hook(self, gctx):
+ """Customization hook."""
+ self.sql_delete_hook(gctx)
+ self.sql_insert_hook(gctx)
+
+ def sql_delete_hook(self, gctx):
+ """Customization hook."""
+ pass
+
+# Some persistant objects are defined in rpki.left_right, since
+# they're also left-right PDUs. The rest are defined below, for now.
+
+class ca_obj(sql_persistant):
+ """Internal CA object."""
+
+ sql_template = template(
+ "ca", "ca_id", "last_crl_sn",
+ ("next_crl_update", rpki.sundial.datetime),
+ "last_issued_sn", "last_manifest_sn",
+ ("next_manifest_update", rpki.sundial.datetime),
+ "sia_uri", "parent_id", "parent_resource_class")
+
+ last_crl_sn = 0
+ last_issued_sn = 0
+ last_manifest_sn = 0
+
+ def parent(self, gctx):
+ """Fetch parent object to which this CA object links."""
+ return rpki.left_right.parent_elt.sql_fetch(gctx, self.parent_id)
+
+ def ca_details(self, gctx):
+ """Fetch all ca_detail objects that link to this CA object."""
+ return ca_detail_obj.sql_fetch_where(gctx, "ca_id = %s", (self.ca_id,))
+
+ def fetch_pending(self, gctx):
+ """Fetch the pending ca_details for this CA, if any."""
+ return ca_detail_obj.sql_fetch_where(gctx, "ca_id = %s AND state = 'pending'", (self.ca_id,))
+
+ def fetch_active(self, gctx):
+ """Fetch the active ca_detail for this CA, if any."""
+ return ca_detail_obj.sql_fetch_where1(gctx, "ca_id = %s AND state = 'active'", (self.ca_id,))
+
+ def fetch_deprecated(self, gctx):
+ """Fetch deprecated ca_details for this CA, if any."""
+ return ca_detail_obj.sql_fetch_where(gctx, "ca_id = %s AND state = 'deprecated'", (self.ca_id,))
+
+ def fetch_revoked(self, gctx):
+ """Fetch revoked ca_details for this CA, if any."""
+ return ca_detail_obj.sql_fetch_where(gctx, "ca_id = %s AND state = 'revoked'", (self.ca_id,))
+
+ def construct_sia_uri(self, gctx, parent, rc):
+ """Construct the sia_uri value for this CA given configured
+ information and the parent's up-down protocol list_response PDU.
+ """
+
+ repository = parent.repository(gctx)
+ sia_uri = rc.suggested_sia_head and rc.suggested_sia_head.rsync()
+ if not sia_uri or not sia_uri.startswith(parent.sia_base):
+ sia_uri = parent.sia_base
+ elif not sia_uri.endswith("/"):
+ raise rpki.exceptions.BadURISyntax, "SIA URI must end with a slash: %s" % sia_uri
+ return sia_uri + str(self.ca_id) + "/"
+
+ def check_for_updates(self, gctx, parent, rc):
+ """Parent has signaled continued existance of a resource class we
+ already knew about, so we need to check for an updated
+ certificate, changes in resource coverage, revocation and reissue
+ with the same key, etc.
+ """
+
+ sia_uri = self.construct_sia_uri(gctx, parent, rc)
+ sia_uri_changed = self.sia_uri != sia_uri
+ if sia_uri_changed:
+ self.sia_uri = sia_uri
+ self.sql_mark_dirty()
+
+ rc_resources = rc.to_resource_bag()
+ cert_map = dict((c.cert.get_SKI(), c) for c in rc.certs)
+
+ for ca_detail in ca_detail_obj.sql_fetch_where(gctx, "ca_id = %s AND latest_ca_cert IS NOT NULL AND state != 'revoked'", (self.ca_id,)):
+ ski = ca_detail.latest_ca_cert.get_SKI()
+ if ca_detail.state in ("pending", "active"):
+ current_resources = ca_detail.latest_ca_cert.get_3779resources()
+ if sia_uri_changed or \
+ ca_detail.latest_ca_cert != cert_map[ski].cert or \
+ current_resources.undersized(rc_resources) or \
+ current_resources.oversized(rc_resources):
+ ca_detail.update(
+ gctx = gctx,
+ parent = parent,
+ ca = self,
+ rc = rc,
+ sia_uri_changed = sia_uri_changed,
+ old_resources = current_resources)
+ del cert_map[ski]
+ assert not cert_map, "Certificates in list_response missing from our database, SKIs %s" % ", ".join(c.cert.hSKI() for c in cert_map.values())
+
+ @classmethod
+ def create(cls, gctx, parent, rc):
+ """Parent has signaled existance of a new resource class, so we
+ need to create and set up a corresponding CA object.
+ """
+
+ self = cls()
+ self.parent_id = parent.parent_id
+ self.parent_resource_class = rc.class_name
+ self.sql_store(gctx)
+ self.sia_uri = self.construct_sia_uri(gctx, parent, rc)
+ ca_detail = ca_detail_obj.create(gctx, self)
+
+ # This will need a callback when we go event-driven
+ issue_response = rpki.up_down.issue_pdu.query(gctx, parent, self, ca_detail)
+
+ ca_detail.activate(
+ gctx = gctx,
+ ca = self,
+ cert = issue_response.payload.classes[0].certs[0].cert,
+ uri = issue_response.payload.classes[0].certs[0].cert_url)
+
+ def delete(self, gctx, parent):
+ """The list of current resource classes received from parent does
+ not include the class corresponding to this CA, so we need to
+ delete it (and its little dog too...).
+
+ All certs published by this CA are now invalid, so need to
+ withdraw them, the CRL, and the manifest from the repository,
+ delete all child_cert and ca_detail records associated with this
+ CA, then finally delete this CA itself.
+ """
+
+ repository = parent.repository(gctx)
+ for ca_detail in self.ca_details(gctx):
+ ca_detail.delete(gctx, ca, repository)
+ self.sql_delete(gctx)
+
+ def next_serial_number(self):
+ """Allocate a certificate serial number."""
+ self.last_issued_sn += 1
+ self.sql_mark_dirty()
+ return self.last_issued_sn
+
+ def next_manifest_number(self):
+ """Allocate a manifest serial number."""
+ self.last_manifest_sn += 1
+ self.sql_mark_dirty()
+ return self.last_manifest_sn
+
+ def next_crl_number(self):
+ """Allocate a CRL serial number."""
+ self.last_crl_sn += 1
+ self.sql_mark_dirty()
+ return self.last_crl_sn
+
+ def rekey(self, gctx):
+ """Initiate a rekey operation for this ca.
+
+ Tasks:
+
+ - Generate a new keypair.
+
+ - Request cert from parent using new keypair.
+
+ - Mark result as our active ca_detail.
+
+ - Reissue all child certs issued by this ca using the new ca_detail.
+ """
+
+ rpki.log.trace()
+
+ parent = self.parent(gctx)
+ old_detail = self.fetch_active(gctx)
+ new_detail = ca_detail_obj.create(gctx, self)
+
+ # This will need a callback when we go event-driven
+ issue_response = rpki.up_down.issue_pdu.query(gctx, parent, self, new_detail)
+
+ new_detail.activate(
+ gctx = gctx,
+ ca = self,
+ cert = issue_response.payload.classes[0].certs[0].cert,
+ uri = issue_response.payload.classes[0].certs[0].cert_url,
+ predecessor = old_detail)
+
+ def revoke(self, gctx):
+ """Revoke deprecated ca_detail objects associated with this ca."""
+
+ rpki.log.trace()
+
+ for ca_detail in self.fetch_deprecated(gctx):
+ ca_detail.revoke(gctx)
+
+class ca_detail_obj(sql_persistant):
+ """Internal CA detail object."""
+
+ sql_template = template(
+ "ca_detail",
+ "ca_detail_id",
+ ("private_key_id", rpki.x509.RSA),
+ ("public_key", rpki.x509.RSApublic),
+ ("latest_ca_cert", rpki.x509.X509),
+ ("manifest_private_key_id", rpki.x509.RSA),
+ ("manifest_public_key", rpki.x509.RSApublic),
+ ("latest_manifest_cert", rpki.x509.X509),
+ ("latest_manifest", rpki.x509.SignedManifest),
+ ("latest_crl", rpki.x509.CRL),
+ "state",
+ "ca_cert_uri",
+ "ca_id")
+
+ def sql_decode(self, vals):
+ """Extra assertions for SQL decode of a ca_detail_obj."""
+ sql_persistant.sql_decode(self, vals)
+ assert (self.public_key is None and self.private_key_id is None) or \
+ self.public_key.get_DER() == self.private_key_id.get_public_DER()
+ assert (self.manifest_public_key is None and self.manifest_private_key_id is None) or \
+ self.manifest_public_key.get_DER() == self.manifest_private_key_id.get_public_DER()
+
+ def ca(self, gctx):
+ """Fetch CA object to which this ca_detail links."""
+ return ca_obj.sql_fetch(gctx, self.ca_id)
+
+ def child_certs(self, gctx, child = None, ski = None, revoked = False, unique = False):
+ """Fetch all child_cert objects that link to this ca_detail."""
+ return rpki.sql.child_cert_obj.fetch(gctx, child, self, ski, revoked, unique)
+
+ def route_origins(self, gctx):
+ """Fetch all route_origin objects that link to this ca_detail."""
+ return rpki.left_right.route_origin_elt.sql_fetch_where(gctx, "ca_detail_id = %s", (self.ca_detail_id,))
+
+ def crl_uri(self, ca):
+ """Return publication URI for this ca_detail's CRL."""
+ return ca.sia_uri + self.public_key.gSKI() + ".crl"
+
+ def manifest_uri(self, ca):
+ """Return publication URI for this ca_detail's manifest."""
+ return ca.sia_uri + self.public_key.gSKI() + ".mnf"
+
+ def activate(self, gctx, ca, cert, uri, predecessor = None):
+ """Activate this ca_detail."""
+
+ self.latest_ca_cert = cert
+ self.ca_cert_uri = uri.rsync()
+ self.generate_manifest_cert(ca)
+ self.generate_crl(gctx)
+ self.generate_manifest(gctx)
+ self.state = "active"
+ self.sql_mark_dirty()
+
+ if predecessor is not None:
+ predecessor.state = "deprecated"
+ predecessor.sql_mark_dirty()
+ for child_cert in predecessor.child_certs(gctx):
+ child_cert.reissue(gctx, self)
+
+ def delete(self, gctx, ca, repository):
+ """Delete this ca_detail and all of its associated child_cert objects."""
+
+ for child_cert in self.child_certs(gctx):
+ repository.withdraw(gctx, child_cert.cert, child_cert.uri(ca))
+ child_cert.sql_delete(gctx)
+ for child_cert in self.child_certs(gctx, revoked = True):
+ child_cert.sql_delete(gctx)
+ repository.withdraw(gctx, self.latest_manifest, self.manifest_uri(ca))
+ repository.withdraw(gctx, self.latest_crl, self.crl_uri())
+ self.sql_delete(gctx)
+
+ def revoke(self, gctx):
+ """Request revocation of all certificates whose SKI matches the key for this ca_detail.
+
+ Tasks:
+
+ - Request revocation of old keypair by parent.
+
+ - Revoke all child certs issued by the old keypair.
+
+ - Generate a final CRL, signed with the old keypair, listing all
+ the revoked certs, with a next CRL time after the last cert or
+ CRL signed by the old keypair will have expired.
+
+ - Destroy old keypair (and manifest keypair).
+
+ - Leave final CRL in place until its next CRL time has passed.
+ """
+
+ # This will need a callback when we go event-driven
+ r_msg = rpki.up_down.revoke_pdu.query(gctx, self)
+
+ if r_msg.payload.ski != self.latest_ca_cert.gSKI():
+ raise rpki.exceptions.SKIMismatch
+
+ ca = self.ca(gctx)
+ parent = ca.parent(gctx)
+ crl_interval = rpki.sundial.timedelta(seconds = parent.self(gctx).crl_interval)
+
+ nextUpdate = rpki.sundial.datetime.utcnow()
+
+ if self.latest_manifest is not None:
+ nextUpdate = nextUpdate.later(self.latest_manifest.getNextUpdate())
+
+ if self.latest_crl is not None:
+ nextUpdate = nextUpdate.later(self.latest_crl.getNextUpdate())
+
+ for child_cert in self.child_certs(gctx):
+ nextUpdate = nextUpdate.later(child_cert.cert.getNotAfter())
+ child_cert.revoke(gctx)
+
+ nextUpdate += crl_interval
+
+ self.generate_crl(gctx, nextUpdate)
+ self.generate_manifest(gctx, nextUpdate)
+
+ self.private_key_id = None
+ self.manifest_private_key_id = None
+ self.manifest_public_key = None
+ self.latest_manifest_cert = None
+ self.state = "revoked"
+ self.sql_mark_dirty()
+
+ def update(self, gctx, parent, ca, rc, sia_uri_changed, old_resources):
+ """Need to get a new certificate for this ca_detail and perhaps
+ frob children of this ca_detail.
+ """
+
+ # This will need a callback when we go event-driven
+ issue_response = rpki.up_down.issue_pdu.query(gctx, parent, ca, self)
+
+ self.latest_ca_cert = issue_response.payload.classes[0].certs[0].cert
+ new_resources = self.latest_ca_cert.get_3779resources()
+
+ if sia_uri_changed or old_resources.oversized(new_resources):
+ for child_cert in self.child_certs(gctx):
+ child_resources = child_cert.cert.get_3779resources()
+ if sia_uri_changed or child_resources.oversized(new_resources):
+ child_cert.reissue(
+ gctx = gctx,
+ ca_detail = self,
+ resources = child_resources.intersection(new_resources))
+
+ @classmethod
+ def create(cls, gctx, ca):
+ """Create a new ca_detail object for a specified CA."""
+ self = cls()
+ self.ca_id = ca.ca_id
+ self.state = "pending"
+
+ self.private_key_id = rpki.x509.RSA()
+ self.private_key_id.generate()
+ self.public_key = self.private_key_id.get_RSApublic()
+
+ self.manifest_private_key_id = rpki.x509.RSA()
+ self.manifest_private_key_id.generate()
+ self.manifest_public_key = self.manifest_private_key_id.get_RSApublic()
+
+ self.sql_store(gctx)
+ return self
+
+ def generate_manifest_cert(self, ca):
+ """Generate a new manifest certificate for this ca_detail."""
+
+ resources = rpki.resource_set.resource_bag(
+ as = rpki.resource_set.resource_set_as("<inherit>"),
+ v4 = rpki.resource_set.resource_set_ipv4("<inherit>"),
+ v6 = rpki.resource_set.resource_set_ipv6("<inherit>"))
+
+ self.latest_manifest_cert = self.latest_ca_cert.issue(
+ keypair = self.private_key_id,
+ subject_key = self.manifest_public_key,
+ serial = ca.next_manifest_number(),
+ sia = None,
+ aia = self.ca_cert_uri,
+ crldp = self.crl_uri(ca),
+ resources = resources,
+ notAfter = self.latest_ca_cert.getNotAfter(),
+ is_ca = False)
+
+ def issue(self, gctx, ca, child, subject_key, sia, resources, child_cert = None):
+ """Issue a new certificate to a child. Optional child_cert
+ argument specifies an existing child_cert object to update in
+ place; if not specified, we create a new one. Returns the
+ child_cert object containing the newly issued cert.
+ """
+
+ assert child_cert is None or (child_cert.child_id == child.child_id and
+ child_cert.ca_detail_id == self.ca_detail_id)
+
+ cert = self.latest_ca_cert.issue(
+ keypair = self.private_key_id,
+ subject_key = subject_key,
+ serial = ca.next_serial_number(),
+ aia = self.ca_cert_uri,
+ crldp = self.crl_uri(ca),
+ sia = sia,
+ resources = resources,
+ notAfter = resources.valid_until)
+
+ if child_cert is None:
+ child_cert = rpki.sql.child_cert_obj(
+ child_id = child.child_id,
+ ca_detail_id = self.ca_detail_id,
+ cert = cert)
+ rpki.log.debug("Created new child_cert %s" % repr(child_cert))
+ else:
+ child_cert.cert = cert
+ rpki.log.debug("Reusing existing child_cert %s" % repr(child_cert))
+
+ child_cert.ski = cert.get_SKI()
+
+ child_cert.sql_store(gctx)
+
+ ca.parent(gctx).repository(gctx).publish(gctx, child_cert.cert, child_cert.uri(ca))
+
+ self.generate_manifest(gctx)
+
+ return child_cert
+
+ def generate_crl(self, gctx, nextUpdate = None):
+ """Generate a new CRL for this ca_detail. At the moment this is
+ unconditional, that is, it is up to the caller to decide whether a
+ new CRL is needed.
+ """
+
+ ca = self.ca(gctx)
+ parent = ca.parent(gctx)
+ repository = parent.repository(gctx)
+ crl_interval = rpki.sundial.timedelta(seconds = parent.self(gctx).crl_interval)
+ now = rpki.sundial.datetime.utcnow()
+
+ if nextUpdate is None:
+ nextUpdate = now + crl_interval
+
+ certlist = []
+ for child_cert in self.child_certs(gctx, revoked = True):
+ if now > child_cert.cert.getNotAfter() + crl_interval:
+ child_cert.sql_delete()
+ else:
+ certlist.append((child_cert.cert.getSerial(), child_cert.revoked.toASN1tuple(), ()))
+ certlist.sort()
+
+ self.latest_crl = rpki.x509.CRL.generate(
+ keypair = self.private_key_id,
+ issuer = self.latest_ca_cert,
+ serial = ca.next_crl_number(),
+ thisUpdate = now,
+ nextUpdate = nextUpdate,
+ revokedCertificates = certlist)
+
+ repository.publish(gctx, self.latest_crl, self.crl_uri(ca))
+
+ def generate_manifest(self, gctx, nextUpdate = None):
+ """Generate a new manifest for this ca_detail."""
+
+ ca = self.ca(gctx)
+ parent = ca.parent(gctx)
+ repository = parent.repository(gctx)
+ crl_interval = rpki.sundial.timedelta(seconds = parent.self(gctx).crl_interval)
+ now = rpki.sundial.datetime.utcnow()
+
+ if nextUpdate is None:
+ nextUpdate = now + crl_interval
+
+ certs = self.child_certs(gctx)
+
+ m = rpki.x509.SignedManifest()
+ m.build(
+ serial = ca.next_manifest_number(),
+ thisUpdate = now,
+ nextUpdate = nextUpdate,
+ names_and_objs = [(c.uri_tail(), c.cert) for c in certs],
+ keypair = self.manifest_private_key_id,
+ certs = rpki.x509.X509_chain(self.latest_manifest_cert))
+ self.latest_manifest = m
+
+ repository.publish(gctx, self.latest_manifest, self.manifest_uri(ca))
+
+class child_cert_obj(sql_persistant):
+ """Certificate that has been issued to a child."""
+
+ sql_template = template("child_cert", "child_cert_id", ("cert", rpki.x509.X509), "child_id", "ca_detail_id", "ski", ("revoked", rpki.sundial.datetime))
+
+ def __init__(self, child_id = None, ca_detail_id = None, cert = None):
+ """Initialize a child_cert_obj."""
+ self.child_id = child_id
+ self.ca_detail_id = ca_detail_id
+ self.cert = cert
+ self.revoked = None
+ if child_id or ca_detail_id or cert:
+ self.sql_mark_dirty()
+
+ def child(self, gctx):
+ """Fetch child object to which this child_cert object links."""
+ return rpki.left_right.child_elt.sql_fetch(gctx, self.child_id)
+
+ def ca_detail(self, gctx):
+ """Fetch ca_detail object to which this child_cert object links."""
+ return ca_detail_obj.sql_fetch(gctx, self.ca_detail_id)
+
+ def uri_tail(self):
+ """Return the tail (filename) portion of the URI for this child_cert."""
+ return self.cert.gSKI() + ".cer"
+
+ def uri(self, ca):
+ """Return the publication URI for this child_cert."""
+ return ca.sia_uri + self.uri_tail()
+
+ def revoke(self, gctx):
+ """Mark a child cert as revoked."""
+ if self.revoked is None:
+ rpki.log.debug("Revoking %s" % repr(self))
+ self.revoked = rpki.sundial.datetime.utcnow()
+ ca = self.ca_detail(gctx).ca(gctx)
+ repository = ca.parent(gctx).repository(gctx)
+ repository.withdraw(gctx, self.cert, self.uri(ca))
+ self.sql_mark_dirty()
+
+ def reissue(self, gctx, ca_detail, resources = None, sia = None):
+ """Reissue an existing cert, reusing the public key. If the cert
+ we would generate is identical to the one we already have, we just
+ return the one we already have. If we have to revoke the old
+ certificate when generating the new one, we have to generate a new
+ child_cert_obj, so calling code that needs the updated
+ child_cert_obj must use the return value from this method.
+ """
+
+ ca = ca_detail.ca(gctx)
+ child = self.child(gctx)
+
+ old_resources = self.cert.get_3779resources()
+ old_sia = self.cert.get_SIA()
+ old_ca_detail = self.ca_detail(gctx)
+
+ if resources is None:
+ resources = old_resources
+
+ if sia is None:
+ sia = old_sia
+
+ assert resources.valid_until is not None and old_resources.valid_until is not None
+
+ if resources == old_resources and sia == old_sia and ca_detail == old_ca_detail:
+ return self
+
+ must_revoke = old_resources.oversized(resources) or old_resources.valid_until > resources.valid_until
+ new_issuer = ca_detail != old_ca_detail
+
+ if resources.valid_until != old_resources.valid_until:
+ rpki.log.debug("Validity changed: %s %s" % ( old_resources.valid_until, resources.valid_until))
+
+ if must_revoke or new_issuer:
+ child_cert = None
+ else:
+ child_cert = self
+
+ child_cert = ca_detail.issue(
+ gctx = gctx,
+ ca = ca,
+ child = child,
+ subject_key = self.cert.getPublicKey(),
+ sia = sia,
+ resources = resources,
+ child_cert = child_cert)
+
+ if must_revoke:
+ for cert in child.child_certs(gctx = gctx, ca_detail = ca_detail, ski = self.ski):
+ if cert is not child_cert:
+ cert.revoke(gctx)
+
+ return child_cert
+
+ @classmethod
+ def fetch(cls, gctx, child = None, ca_detail = None, ski = None, revoked = False, unique = False):
+ """Fetch all child_cert objects matching a particular set of
+ parameters. This is a wrapper to consolidate various queries that
+ would otherwise be inline SQL WHERE expressions. In most cases
+ code calls this indirectly, through methods in other classes.
+ """
+
+ args = []
+ where = "revoked IS"
+ if revoked:
+ where += " NOT"
+ where += " NULL"
+ if child:
+ where += " AND child_id = %s"
+ args.append(child.child_id)
+ if ca_detail:
+ where += " AND ca_detail_id = %s"
+ args.append(ca_detail.ca_detail_id)
+ if ski:
+ where += " AND ski = %s"
+ args.append(ski)
+ if unique:
+ return cls.sql_fetch_where1(gctx, where, args)
+ else:
+ return cls.sql_fetch_where(gctx, where, args)
diff --git a/rpkid/rpki/sundial.py b/rpkid/rpki/sundial.py
new file mode 100644
index 00000000..a1ffde62
--- /dev/null
+++ b/rpkid/rpki/sundial.py
@@ -0,0 +1,147 @@
+# $Id$
+
+# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+"""Unified RPKI date/time handling, based on the standard Python datetime module.
+
+Module name chosen to sidestep a nightmare of import-related errors
+that occur with the more obvious module names.
+"""
+
+import datetime as pydatetime
+
+class datetime(pydatetime.datetime):
+ """RPKI extensions to standard datetime.datetime class. All work
+ here is in UTC, so we use naive datetime objects.
+ """
+
+ def totimestamp(self):
+ """Convert to seconds from epoch (like time.time()). Conversion
+ method is a bit silly, but avoids time module timezone whackiness.
+ """
+ return int(self.strftime("%s"))
+
+ @classmethod
+ def fromUTCTime(cls, x):
+ """Convert from ASN.1 UTCTime."""
+ return cls.strptime(x, "%y%m%d%H%M%SZ")
+
+ def toUTCTime(self):
+ """Convert to ASN.1 UTCTime."""
+ return self.strftime("%y%m%d%H%M%SZ")
+
+ @classmethod
+ def fromGeneralizedTime(cls, x):
+ """Convert from ASN.1 GeneralizedTime."""
+ return cls.strptime(x, "%Y%m%d%H%M%SZ")
+
+ def toGeneralizedTime(self):
+ """Convert to ASN.1 GeneralizedTime."""
+ return self.strftime("%Y%m%d%H%M%SZ")
+
+ @classmethod
+ def fromASN1tuple(cls, x):
+ """Convert from ASN.1 tuple representation."""
+ assert isinstance(x, tuple) and len(x) == 2 and x[0] in ("utcTime", "generalTime")
+ if x[0] == "utcTime":
+ return cls.fromUTCTime(x[1])
+ else:
+ return cls.fromGeneralizedTime(x[1])
+
+ ## @var PKIX_threshhold
+ # Threshold specified in RFC 3280 for switchover from UTCTime to GeneralizedTime.
+
+ PKIX_threshhold = pydatetime.datetime(2050, 1, 1)
+
+ def toASN1tuple(self):
+ """Convert to ASN.1 tuple representation."""
+ if self < self.PKIX_threshhold:
+ return "utcTime", self.toUTCTime()
+ else:
+ return "generalTime", self.toGeneralizedTime()
+
+ @classmethod
+ def fromXMLtime(cls, x):
+ """Convert from XML time representation."""
+ if x is None:
+ return None
+ else:
+ return cls.strptime(x, "%Y-%m-%dT%H:%M:%SZ")
+
+ def toXMLtime(self):
+ """Convert to XML time representation."""
+ return self.strftime("%Y-%m-%dT%H:%M:%SZ")
+
+ def __str__(self):
+ return self.toXMLtime()
+
+ @classmethod
+ def fromdatetime(cls, x):
+ """Convert a datetime.datetime object into this subclass.
+ This is whacky due to the weird constructors for datetime.
+ """
+ return cls.combine(x.date(), x.time())
+
+ def __add__(self, other):
+ """Force correct class for timedelta results."""
+ return self.fromdatetime(pydatetime.datetime.__add__(self, other))
+
+ def __sub__(self, other):
+ """Force correct class for timedelta results."""
+ return self.fromdatetime(pydatetime.datetime.__sub__(self, other))
+
+ @classmethod
+ def from_sql(cls, x):
+ """Convert from SQL storage format."""
+ return cls.fromdatetime(x)
+
+ def to_sql(self):
+ """Convert to SQL storage format."""
+ return self
+
+ def later(self, other):
+ """Return the later of two timestamps."""
+ return other if other > self else self
+
+ def earlier(self, other):
+ """Return the earlier of two timestamps."""
+ return other if other < self else self
+
+# Alias to simplify imports for callers
+
+timedelta = pydatetime.timedelta
+
+if __name__ == "__main__":
+
+ now = datetime.utcnow()
+ print now
+ print repr(now)
+ print now.strftime("%s")
+ print now.toUTCTime()
+ print now.toGeneralizedTime()
+ print now.toASN1tuple()
+ print now.toXMLtime()
+
+ print
+
+ then = now
+ then += timedelta(days = 30)
+ print then
+ print repr(then)
+ print then.strftime("%s")
+ print then.toUTCTime()
+ print then.toGeneralizedTime()
+ print then.toASN1tuple()
+ print then.toXMLtime()
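Review bot: `totimestamp()` relies on `strftime("%s")`, which is a platform-specific format code rather than a documented Python one and, where the C library supports it, converts through the process's local timezone, so for the naive UTC values this class holds the result is off by the local UTC offset unless the daemon runs with TZ set to UTC. These values presumably feed certificate and CRL validity handling elsewhere, so I would replace the body with `return calendar.timegm(self.utctimetuple())` and add `import calendar` at the top of the module. Separately, `__sub__` hands the base-class result to `fromdatetime()` unconditionally, but subtracting one datetime from another yields a timedelta, which has no `.date()`; the result should be returned unchanged when it is not a `pydatetime.datetime`. `fromASN1tuple()` also checks the shape of its input with `assert`, which disappears under `python -O`; an explicit `raise` is safer for values parsed out of certificates and CRLs.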
diff --git a/rpkid/rpki/up_down.py b/rpkid/rpki/up_down.py
new file mode 100644
index 00000000..f902d86c
--- /dev/null
+++ b/rpkid/rpki/up_down.py
@@ -0,0 +1,518 @@
+# $Id$
+
+# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+"""RPKI "up-down" protocol."""
+
+import base64, lxml.etree, time
+import rpki.sax_utils, rpki.resource_set, rpki.x509, rpki.exceptions
+
+xmlns="http://www.apnic.net/specs/rescerts/up-down/"
+
+nsmap = { None : xmlns }
+
+class base_elt(object):
+ """Generic PDU object.
+
+ Virtual class, just provides some default methods.
+ """
+
+ def startElement(self, stack, name, attrs):
+ """Ignore startElement() if there's no specific handler.
+
+ Some elements have no attributes and we only care about their
+ text content.
+ """
+ pass
+
+ def endElement(self, stack, name, text):
+ """Ignore endElement() if there's no specific handler.
+
+ If we don't need to do anything else, just pop the stack.
+ """
+ stack.pop()
+
+ def make_elt(self, name, *attrs):
+ """Construct a element, copying over a set of attributes."""
+ elt = lxml.etree.Element("{%s}%s" % (xmlns, name), nsmap=nsmap)
+ for key in attrs:
+ val = getattr(self, key, None)
+ if val is not None:
+ elt.set(key, str(val))
+ return elt
+
+ def make_b64elt(self, elt, name, value=None):
+ """Construct a sub-element with Base64 text content."""
+ if value is None:
+ value = getattr(self, name, None)
+ if value is not None:
+ lxml.etree.SubElement(elt, "{%s}%s" % (xmlns, name), nsmap=nsmap).text = base64.b64encode(value)
+
+ def serve_pdu(self, gctx, q_msg, r_msg, child):
+ """Default PDU handler to catch unexpected types."""
+ raise rpki.exceptions.BadQuery, "Unexpected query type %s" % q_msg.type
+
+ def check_response(self):
+ """Placeholder for response checking."""
+ pass
+
+class multi_uri(list):
+ """Container for a set of URIs."""
+
+ def __init__(self, ini):
+ """Initialize a set of URIs, which includes basic some syntax checking."""
+ if isinstance(ini, (list, tuple)):
+ self[:] = ini
+ elif isinstance(ini, str):
+ self[:] = ini.split(",")
+ for s in self:
+ if s.strip() != s or s.find("://") < 0:
+ raise rpki.exceptions.BadURISyntax, "Bad URI \"%s\"" % s
+ else:
+ raise TypeError
+
+ def __str__(self):
+ """Convert a multi_uri back to a string representation."""
+ return ",".join(self)
+
+ def rsync(self):
+ """Find first rsync://... URI in self."""
+ for s in self:
+ if s.startswith("rsync://"):
+ return s
+ return None
+
+class certificate_elt(base_elt):
+ """Up-Down protocol representation of an issued certificate."""
+
+ def startElement(self, stack, name, attrs):
+ """Handle attributes of <certificate/> element."""
+ assert name == "certificate", "Unexpected name %s, stack %s" % (name, stack)
+ self.cert_url = multi_uri(attrs["cert_url"])
+ self.req_resource_set_as = rpki.resource_set.resource_set_as(attrs.get("req_resource_set_as"))
+ self.req_resource_set_ipv4 = rpki.resource_set.resource_set_ipv4(attrs.get("req_resource_set_ipv4"))
+ self.req_resource_set_ipv6 = rpki.resource_set.resource_set_ipv6(attrs.get("req_resource_set_ipv6"))
+
+ def endElement(self, stack, name, text):
+ """Handle text content of a <certificate/> element."""
+ assert name == "certificate", "Unexpected name %s, stack %s" % (name, stack)
+ self.cert = rpki.x509.X509(Base64=text)
+ stack.pop()
+
+ def toXML(self):
+ """Generate a <certificate/> element."""
+ elt = self.make_elt("certificate", "cert_url",
+ "req_resource_set_as", "req_resource_set_ipv4", "req_resource_set_ipv6")
+ elt.text = self.cert.get_Base64()
+ return elt
+
+class class_elt(base_elt):
+ """Up-Down protocol representation of a resource class."""
+
+ issuer = None
+
+ def __init__(self):
+ """Initialize class_elt."""
+ self.certs = []
+
+ def startElement(self, stack, name, attrs):
+ """Handle <class/> elements and their children."""
+ if name == "certificate":
+ cert = certificate_elt()
+ self.certs.append(cert)
+ stack.append(cert)
+ cert.startElement(stack, name, attrs)
+ elif name != "issuer":
+ assert name == "class", "Unexpected name %s, stack %s" % (name, stack)
+ self.class_name = attrs["class_name"]
+ self.cert_url = multi_uri(attrs["cert_url"])
+ self.suggested_sia_head = attrs.get("suggested_sia_head")
+ self.resource_set_as = rpki.resource_set.resource_set_as(attrs["resource_set_as"])
+ self.resource_set_ipv4 = rpki.resource_set.resource_set_ipv4(attrs["resource_set_ipv4"])
+ self.resource_set_ipv6 = rpki.resource_set.resource_set_ipv6(attrs["resource_set_ipv6"])
+ self.resource_set_notafter = rpki.sundial.datetime.fromXMLtime(attrs.get("resource_set_notafter"))
+
+ def endElement(self, stack, name, text):
+ """Handle <class/> elements and their children."""
+ if name == "issuer":
+ self.issuer = rpki.x509.X509(Base64=text)
+ else:
+ assert name == "class", "Unexpected name %s, stack %s" % (name, stack)
+ stack.pop()
+
+ def toXML(self):
+ """Generate a <class/> element."""
+ elt = self.make_elt("class", "class_name", "cert_url", "resource_set_as",
+ "resource_set_ipv4", "resource_set_ipv6",
+ "resource_set_notafter", "suggested_sia_head")
+ elt.extend([i.toXML() for i in self.certs])
+ if self.issuer is not None:
+ self.make_b64elt(elt, "issuer", self.issuer.get_DER())
+ return elt
+
+ def to_resource_bag(self):
+ """Build a resource_bag from from this <class/> element."""
+ return rpki.resource_set.resource_bag(self.resource_set_as,
+ self.resource_set_ipv4,
+ self.resource_set_ipv6,
+ self.resource_set_notafter)
+
+ def from_resource_bag(self, bag):
+ """Set resources of this class element from a resource_bag."""
+ self.resource_set_as = bag.as
+ self.resource_set_ipv4 = bag.v4
+ self.resource_set_ipv6 = bag.v6
+ self.resource_set_notafter = bag.valid_until
+
+class list_pdu(base_elt):
+ """Up-Down protocol "list" PDU."""
+
+ def toXML(self):
+ """Generate (empty) payload of "list" PDU."""
+ return []
+
+ def serve_pdu(self, gctx, q_msg, r_msg, child):
+ """Serve one "list" PDU."""
+ r_msg.payload = list_response_pdu()
+
+ # This will require a callback when we go event-driven
+ irdb_resources = rpki.left_right.irdb_query(gctx, child.self_id, child.child_id)
+
+ for parent in child.parents(gctx):
+ for ca in parent.cas(gctx):
+ ca_detail = ca.fetch_active(gctx)
+ if not ca_detail:
+ continue
+ resources = ca_detail.latest_ca_cert.get_3779resources().intersection(irdb_resources)
+ if resources.empty():
+ continue
+ rc = class_elt()
+ rc.class_name = str(ca.ca_id)
+ rc.cert_url = multi_uri(ca_detail.ca_cert_uri)
+ rc.from_resource_bag(resources)
+ for child_cert in child.child_certs(gctx, ca_detail = ca_detail):
+ c = certificate_elt()
+ c.cert_url = multi_uri(child_cert.uri(ca))
+ c.cert = child_cert.cert
+ rc.certs.append(c)
+ rc.issuer = ca_detail.latest_ca_cert
+ r_msg.payload.classes.append(rc)
+
+ @classmethod
+ def query(cls, gctx, parent):
+ """Send a "list" query to parent."""
+ return parent.query_up_down(gctx, cls())
+
+class class_response_syntax(base_elt):
+ """Syntax for Up-Down protocol "list_response" and "issue_response" PDUs."""
+
+ def __init__(self):
+ """Initialize class_response_syntax."""
+ self.classes = []
+
+ def startElement(self, stack, name, attrs):
+ """Handle "list_response" and "issue_response" PDUs."""
+ assert name == "class", "Unexpected name %s, stack %s" % (name, stack)
+ c = class_elt()
+ self.classes.append(c)
+ stack.append(c)
+ c.startElement(stack, name, attrs)
+
+ def toXML(self):
+ """Generate payload of "list_response" and "issue_response" PDUs."""
+ return [c.toXML() for c in self.classes]
+
+class list_response_pdu(class_response_syntax):
+ """Up-Down protocol "list_response" PDU."""
+
+ pass
+
+class issue_pdu(base_elt):
+ """Up-Down protocol "issue" PDU."""
+
+ def startElement(self, stack, name, attrs):
+ """Handle "issue" PDU."""
+ assert name == "request", "Unexpected name %s, stack %s" % (name, stack)
+ self.class_name = attrs["class_name"]
+ self.req_resource_set_as = rpki.resource_set.resource_set_as(attrs.get("req_resource_set_as"))
+ self.req_resource_set_ipv4 = rpki.resource_set.resource_set_ipv4(attrs.get("req_resource_set_ipv4"))
+ self.req_resource_set_ipv6 = rpki.resource_set.resource_set_ipv6(attrs.get("req_resource_set_ipv6"))
+
+ def endElement(self, stack, name, text):
+ """Handle "issue" PDU."""
+ assert name == "request", "Unexpected name %s, stack %s" % (name, stack)
+ self.pkcs10 = rpki.x509.PKCS10(Base64=text)
+ stack.pop()
+
+ def toXML(self):
+ """Generate payload of "issue" PDU."""
+ elt = self.make_elt("request", "class_name", "req_resource_set_as",
+ "req_resource_set_ipv4", "req_resource_set_ipv6")
+ elt.text = self.pkcs10.get_Base64()
+ return [elt]
+
+ def serve_pdu(self, gctx, q_msg, r_msg, child):
+ """Serve one issue request PDU."""
+
+ # Check the request
+ ca = child.ca_from_class_name(gctx, self.class_name)
+ ca_detail = ca.fetch_active(gctx)
+ self.pkcs10.check_valid_rpki()
+
+ # Check current cert, if any
+
+ # This will require a callback when we go event-driven
+ irdb_resources = rpki.left_right.irdb_query(gctx, child.self_id, child.child_id)
+
+ resources = irdb_resources.intersection(ca_detail.latest_ca_cert.get_3779resources())
+ req_key = self.pkcs10.getPublicKey()
+ req_sia = self.pkcs10.get_SIA()
+ child_cert = child.child_certs(gctx, ca_detail = ca_detail, ski = req_key.get_SKI(), unique = True)
+
+ # Generate new cert or regenerate old one if necessary
+
+ if child_cert is None:
+ child_cert = ca_detail.issue(
+ gctx = gctx,
+ ca = ca,
+ child = child,
+ subject_key = req_key,
+ sia = req_sia,
+ resources = resources)
+ else:
+ child_cert = child_cert.reissue(
+ gctx = gctx,
+ ca_detail = ca_detail,
+ sia = req_sia,
+ resources = resources)
+
+ # Save anything we modified and generate response
+ rpki.sql.sql_sweep(gctx)
+ assert child_cert and child_cert.sql_in_db
+ c = certificate_elt()
+ c.cert_url = multi_uri(child_cert.uri(ca))
+ c.cert = child_cert.cert
+ rc = class_elt()
+ rc.class_name = self.class_name
+ rc.cert_url = multi_uri(ca_detail.ca_cert_uri)
+ rc.from_resource_bag(resources)
+ rc.certs.append(c)
+ rc.issuer = ca_detail.latest_ca_cert
+ r_msg.payload = issue_response_pdu()
+ r_msg.payload.classes.append(rc)
+
+ @classmethod
+ def query(cls, gctx, parent, ca, ca_detail):
+ """Send an "issue" request to parent associated with ca."""
+ assert ca_detail is not None and ca_detail.state in ("pending", "active")
+ sia = ((rpki.oids.name2oid["id-ad-caRepository"], ("uri", ca.sia_uri)),
+ (rpki.oids.name2oid["id-ad-rpkiManifest"], ("uri", ca_detail.manifest_uri(ca))))
+ self = cls()
+ self.class_name = ca.parent_resource_class
+ self.pkcs10 = rpki.x509.PKCS10.create_ca(ca_detail.private_key_id, sia)
+ return parent.query_up_down(gctx, self)
+
+class issue_response_pdu(class_response_syntax):
+ """Up-Down protocol "issue_response" PDU."""
+
+ def check_response(self):
+ """Check whether this looks like a reasonable issue_response PDU.
+ XML schema should be tighter for this response.
+ """
+ if len(self.classes) != 1 or len(self.classes[0].certs) != 1:
+ raise rpki.exceptions.BadIssueResponse
+
+class revoke_syntax(base_elt):
+ """Syntax for Up-Down protocol "revoke" and "revoke_response" PDUs."""
+
+ def startElement(self, stack, name, attrs):
+ """Handle "revoke" PDU."""
+ self.class_name = attrs["class_name"]
+ self.ski = attrs["ski"]
+
+ def toXML(self):
+ """Generate payload of "revoke" PDU."""
+ return [self.make_elt("key", "class_name", "ski")]
+
+class revoke_pdu(revoke_syntax):
+ """Up-Down protocol "revoke" PDU."""
+
+ def get_SKI(self):
+ """Convert g(SKI) encoding from PDU back to raw SKI."""
+ return base64.urlsafe_b64decode(self.ski + "=")
+
+ def serve_pdu(self, gctx, q_msg, r_msg, child):
+ """Serve one revoke request PDU."""
+ for ca_detail in child.ca_from_class_name(gctx, self.class_name).ca_details(gctx):
+ for child_cert in child.child_certs(gctx, ca_detail = ca_detail, ski = self.get_SKI()):
+ child_cert.revoke(gctx)
+ rpki.sql.sql_sweep(gctx)
+ r_msg.payload = revoke_response_pdu()
+ r_msg.payload.class_name = self.class_name
+ r_msg.payload.ski = self.ski
+
+ @classmethod
+ def query(cls, gctx, ca_detail):
+ """Send a "revoke" request to parent associated with ca_detail."""
+ ca = ca_detail.ca(gctx)
+ parent = ca.parent(gctx)
+ self = cls()
+ self.class_name = ca.parent_resource_class
+ self.ski = ca_detail.latest_ca_cert.gSKI()
+ return parent.query_up_down(gctx, self)
+
+class revoke_response_pdu(revoke_syntax):
+ """Up-Down protocol "revoke_response" PDU."""
+
+ pass
+
+class error_response_pdu(base_elt):
+ """Up-Down protocol "error_response" PDU."""
+
+ codes = {
+ 1101 : "Already processing request",
+ 1102 : "Version number error",
+ 1103 : "Unrecognised request type",
+ 1201 : "Request - no such resource class",
+ 1202 : "Request - no resources allocated in resource class",
+ 1203 : "Request - badly formed certificate request",
+ 1301 : "Revoke - no such resource class",
+ 1302 : "Revoke - no such key",
+ 2001 : "Internal Server Error - Request not performed" }
+
+ exceptions = {}
+
+ def __init__(self, exception = None):
+ """Initialize an error_response PDU from an exception object."""
+ if exception is not None:
+ if exception in self.exceptions:
+ self.status = exceptions[exception]
+ else:
+ self.status = 2001
+ self.description = str(exception)
+
+ def endElement(self, stack, name, text):
+ """Handle "error_response" PDU."""
+ if name == "status":
+ code = int(text)
+ if code not in self.codes:
+ raise rpki.exceptions.BadStatusCode, "%s is not a known status code"
+ self.status = code
+ elif name == "description":
+ self.description = text
+ else:
+ assert name == "message", "Unexpected name %s, stack %s" % (name, stack)
+ stack.pop()
+ stack[-1].endElement(stack, name, text)
+
+ def toXML(self):
+ """Generate payload of "error_response" PDU."""
+ assert self.status in self.codes
+ elt = self.make_elt("status")
+ elt.text = str(self.status)
+ payload = [elt]
+ if self.description:
+ elt = self.make_elt("description")
+ elt.text = str(self.description)
+ elt.set("{http://www.w3.org/XML/1998/namespace}lang", "en-US")
+ payload.append(elt)
+ return payload
+
+ def check_response(self):
+ """Handle an error response. For now, just raise an exception,
+ perhaps figure out something more clever to do later.
+ """
+ raise rpki.exceptions.UpstreamError, self.codes[self.status]
+
+class message_pdu(base_elt):
+ """Up-Down protocol message wrapper PDU."""
+
+ version = 1
+
+ name2type = {
+ "list" : list_pdu,
+ "list_response" : list_response_pdu,
+ "issue" : issue_pdu,
+ "issue_response" : issue_response_pdu,
+ "revoke" : revoke_pdu,
+ "revoke_response" : revoke_response_pdu,
+ "error_response" : error_response_pdu }
+
+ type2name = dict((v,k) for k,v in name2type.items())
+
+ def toXML(self):
+ """Generate payload of message PDU."""
+ elt = self.make_elt("message", "version", "sender", "recipient", "type")
+ elt.extend(self.payload.toXML())
+ return elt
+
+ def startElement(self, stack, name, attrs):
+ """Handle message PDU.
+
+ Payload of the <message/> element varies depending on the "type"
+ attribute, so after some basic checks we have to instantiate the
+ right class object to handle whatever kind of PDU this is.
+ """
+ assert name == "message", "Unexpected name %s, stack %s" % (name, stack)
+ assert self.version == int(attrs["version"])
+ self.sender = attrs["sender"]
+ self.recipient = attrs["recipient"]
+ self.type = attrs["type"]
+ self.payload = self.name2type[attrs["type"]]()
+ stack.append(self.payload)
+
+ def __str__(self):
+ """Convert a message PDU to a string."""
+ lxml.etree.tostring(self.toXML(), pretty_print = True, encoding = "UTF-8")
+
+ def serve_top_level(self, gctx, child):
+ """Serve one message request PDU."""
+ r_msg = message_pdu()
+ r_msg.sender = self.recipient
+ r_msg.recipient = self.sender
+ self.payload.serve_pdu(gctx, self, r_msg, child)
+ r_msg.type = self.type2name[type(r_msg.payload)]
+ return r_msg
+
+ def serve_error(self, exception):
+ """Generate an error_response message PDU."""
+ r_msg = message_pdu()
+ r_msg.sender = self.recipient
+ r_msg.recipient = self.sender
+ r_msg.payload = error_response_pdu(exception)
+ r_msg.type = self.type2name[type(r_msg.payload)]
+ return r_msg
+
+ @classmethod
+ def make_query(cls, payload, sender, recipient):
+ """Construct one message PDU."""
+ assert not cls.type2name[type(payload)].endswith("_response")
+ if sender is None:
+ sender = "tweedledee"
+ if recipient is None:
+ recipient = "tweedledum"
+ self = cls()
+ self.sender = sender
+ self.recipient = recipient
+ self.payload = payload
+ self.type = self.type2name[type(payload)]
+ return self
+
+class sax_handler(rpki.sax_utils.handler):
+ """SAX handler for Up-Down protocol."""
+
+ def create_top_level(self, name, attrs):
+ """Top-level PDU for this protocol is <message/>."""
+ return message_pdu()
diff --git a/rpkid/rpki/x509.py b/rpkid/rpki/x509.py
new file mode 100644
index 00000000..c029e5f3
--- /dev/null
+++ b/rpkid/rpki/x509.py
@@ -0,0 +1,700 @@
+# $Id$
+
+# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+"""One X.509 implementation to rule them all...
+
+...and in the darkness hide the twisty maze of partially overlapping
+X.509 support packages in Python.
+
+There are several existing packages, none of which do quite what I
+need, due to age, lack of documentation, specialization, or lack of
+foresight on somebody's part (perhaps mine). This module attempts to
+bring together the functionality I need in a way that hides at least
+some of the nasty details. This involves a lot of format conversion.
+"""
+
+import POW, tlslite.api, POW.pkix, base64, time
+import rpki.exceptions, rpki.resource_set, rpki.manifest, rpki.cms, rpki.oids, rpki.sundial
+
+def calculate_SKI(public_key_der):
+ """Calculate the SKI value given the DER representation of a public
+ key, which requires first peeling the ASN.1 wrapper off the key.
+ """
+ k = POW.pkix.SubjectPublicKeyInfo()
+ k.fromString(public_key_der)
+ d = POW.Digest(POW.SHA1_DIGEST)
+ d.update(k.subjectPublicKey.get())
+ return d.digest()
+
+class PEM_converter(object):
+ """Convert between DER and PEM encodings for various kinds of ASN.1 data."""
+
+ def __init__(self, kind): # "CERTIFICATE", "RSA PRIVATE KEY", ...
+ """Initialize PEM_converter."""
+ self.b = "-----BEGIN %s-----" % kind
+ self.e = "-----END %s-----" % kind
+
+ def looks_like_PEM(self, text):
+ """Guess whether text looks like a PEM encoding."""
+ b = text.find(self.b)
+ return b >= 0 and text.find(self.e) > b + len(self.b)
+
+ def to_DER(self, pem):
+ """Convert from PEM to DER."""
+ lines = [line.strip() for line in pem.splitlines(0)]
+ while lines and lines.pop(0) != self.b:
+ pass
+ while lines and lines.pop(-1) != self.e:
+ pass
+ assert lines
+ return base64.b64decode("".join(lines))
+
+ def to_PEM(self, der):
+ """Convert from DER to PEM."""
+ b64 = base64.b64encode(der)
+ pem = self.b + "\n"
+ while len(b64) > 64:
+ pem += b64[0:64] + "\n"
+ b64 = b64[64:]
+ return pem + b64 + "\n" + self.e + "\n"
+
+class DER_object(object):
+ """Virtual class to hold a generic DER object."""
+
+ ## Formats supported in this object
+ formats = ("DER",)
+
+ ## PEM converter for this object
+ pem_converter = None
+
+ ## Other attributes that self.clear() should whack
+ other_clear = ()
+
+ ## @var DER
+ ## DER value of this object
+
+ def empty(self):
+ """Test whether this object is empty."""
+ for a in self.formats:
+ if getattr(self, a, None) is not None:
+ return False
+ return True
+
+ def clear(self):
+ """Make this object empty."""
+ for a in self.formats + self.other_clear:
+ setattr(self, a, None)
+
+ def __init__(self, **kw):
+ """Initialize a DER_object."""
+ self.clear()
+ if len(kw):
+ self.set(**kw)
+
+ def set(self, **kw):
+ """Set this object by setting one of its known formats.
+
+ This method only allows one to set one format at a time.
+ Subsequent calls will clear the object first. The point of all
+ this is to let the object's internal converters handle mustering
+ the object into whatever format you need at the moment.
+ """
+ if len(kw) == 1:
+ name = kw.keys()[0]
+ if name in self.formats:
+ self.clear()
+ setattr(self, name, kw[name])
+ return
+ if name == "PEM":
+ self.clear()
+ self.DER = self.pem_converter.to_DER(kw[name])
+ return
+ if name == "Base64":
+ self.clear()
+ self.DER = base64.b64decode(kw[name])
+ return
+ if name in ("PEM_file", "DER_file", "Auto_file"):
+ f = open(kw[name], "rb")
+ value = f.read()
+ f.close()
+ if name == "PEM_file" or (name == "Auto_file" and self.pem_converter.looks_like_PEM(value)):
+ value = self.pem_converter.to_DER(value)
+ self.clear()
+ self.DER = value
+ return
+ raise rpki.exceptions.DERObjectConversionError, "Can't honor conversion request %s" % repr(kw)
+
+ def get_DER(self):
+ """Get the DER value of this object.
+
+ Subclasses will almost certainly override this method.
+ """
+ assert not self.empty()
+ if self.DER:
+ return self.DER
+ raise rpki.exceptions.DERObjectConversionError, "No conversion path to DER available"
+
+ def get_Base64(self):
+ """Get the Base64 encoding of the DER value of this object."""
+ return base64.b64encode(self.get_DER())
+
+ def get_PEM(self):
+ """Get the PEM representation of this object."""
+ return self.pem_converter.to_PEM(self.get_DER())
+
+ def __cmp__(self, other):
+ """Compare two DER-encoded objects."""
+ return cmp(self.get_DER(), other.get_DER())
+
+ def hSKI(self):
+ """Return hexadecimal string representation of SKI for this
+ object. Only work for subclasses that implement get_SKI().
+ """
+ return ":".join(("%02X" % ord(i) for i in self.get_SKI()))
+
+ def gSKI(self):
+ """Calculate g(SKI) for this object. Only work for subclasses
+ that implement get_SKI().
+ """
+ return base64.urlsafe_b64encode(self.get_SKI()).rstrip("=")
+
+ def get_AKI(self):
+ """Get the AKI extension from this object. Only works for subclasses that support getExtension()."""
+ return (self.get_POWpkix().getExtension(rpki.oids.name2oid["authorityKeyIdentifier"]) or ((), 0, None))[2]
+
+ def get_SKI(self):
+ """Get the SKI extension from this object. Only works for subclasses that support getExtension()."""
+ return (self.get_POWpkix().getExtension(rpki.oids.name2oid["subjectKeyIdentifier"]) or ((), 0, None))[2]
+
+ def get_SIA(self):
+ """Get the SIA extension from this object. Only works for subclasses that support getExtension()."""
+ return (self.get_POWpkix().getExtension(rpki.oids.name2oid["subjectInfoAccess"]) or ((), 0, None))[2]
+
+ def get_AIA(self):
+ """Get the SIA extension from this object. Only works for subclasses that support getExtension()."""
+ return (self.get_POWpkix().getExtension(rpki.oids.name2oid["subjectInfoAccess"]) or ((), 0, None))[2]
+
+ def get_3779resources(self):
+ """Get RFC 3779 resources as rpki.resource_set objects.
+ Only works for subclasses that support getExtensions().
+ """
+ resources = rpki.resource_set.resource_bag.from_asn1_tuples(self.get_POWpkix().getExtensions())
+ try:
+ resources.valid_until = self.getNotAfter()
+ except AttributeError:
+ pass
+ return resources
+
+ @classmethod
+ def from_sql(cls, x):
+ """Convert from SQL storage format."""
+ return cls(DER = x)
+
+ def to_sql(self):
+ """Convert to SQL storage format."""
+ return self.get_DER()
+
+class X509(DER_object):
+ """X.509 certificates.
+
+ This class is designed to hold all the different representations of
+ X.509 certs we're using and convert between them. X.509 support in
+ Python a nasty maze of half-cooked stuff (except perhaps for
+ cryptlib, which is just different). Users of this module should not
+ have to care about this implementation nightmare.
+ """
+
+ formats = ("DER", "POW", "POWpkix", "tlslite")
+ pem_converter = PEM_converter("CERTIFICATE")
+
+ def get_DER(self):
+ """Get the DER value of this certificate."""
+ assert not self.empty()
+ if self.DER:
+ return self.DER
+ if self.POW:
+ self.DER = self.POW.derWrite()
+ return self.get_DER()
+ if self.POWpkix:
+ self.DER = self.POWpkix.toString()
+ return self.get_DER()
+ raise rpki.exceptions.DERObjectConversionError, "No conversion path to DER available"
+
+ def get_POW(self):
+ """Get the POW value of this certificate."""
+ assert not self.empty()
+ if not self.POW:
+ self.POW = POW.derRead(POW.X509_CERTIFICATE, self.get_DER())
+ return self.POW
+
+ def get_POWpkix(self):
+ """Get the POW.pkix value of this certificate."""
+ assert not self.empty()
+ if not self.POWpkix:
+ cert = POW.pkix.Certificate()
+ cert.fromString(self.get_DER())
+ self.POWpkix = cert
+ return self.POWpkix
+
+ def get_tlslite(self):
+ """Get the tlslite value of this certificate."""
+ assert not self.empty()
+ if not self.tlslite:
+ cert = tlslite.api.X509()
+ cert.parseBinary(self.get_DER())
+ self.tlslite = cert
+ return self.tlslite
+
+ def getIssuer(self):
+ """Get the issuer of this certificate."""
+ return self.get_POW().getIssuer()
+
+ def getSubject(self):
+ """Get the subject of this certificate."""
+ return self.get_POW().getSubject()
+
+ def getNotBefore(self):
+ """Get the inception time of this certificate."""
+ return rpki.sundial.datetime.fromASN1tuple(self.get_POWpkix().tbs.validity.notBefore.get())
+
+ def getNotAfter(self):
+ """Get the expiration time of this certificate."""
+ return rpki.sundial.datetime.fromASN1tuple(self.get_POWpkix().tbs.validity.notAfter.get())
+
+ def getSerial(self):
+ """Get the serial number of this certificate."""
+ return self.get_POW().getSerial()
+
+ def getPublicKey(self):
+ """Extract the public key from this certificate."""
+ return RSApublic(DER = self.get_POWpkix().tbs.subjectPublicKeyInfo.toString())
+
+ def issue(self, keypair, subject_key, serial, sia, aia, crldp, notAfter,
+ cn = None, resources = None, is_ca = True):
+ """Issue a certificate."""
+
+ now = rpki.sundial.datetime.utcnow()
+ aki = self.get_SKI()
+ ski = subject_key.get_SKI()
+
+ if cn is None:
+ cn = "".join(("%02X" % ord(i) for i in ski))
+
+ # if notAfter is None: notAfter = now + rpki.sundial.timedelta(days = 30)
+
+ cert = POW.pkix.Certificate()
+ cert.setVersion(2)
+ cert.setSerial(serial)
+ cert.setIssuer(self.get_POWpkix().getSubject())
+ cert.setSubject((((rpki.oids.name2oid["commonName"], ("printableString", cn)),),))
+ cert.setNotBefore(now.toASN1tuple())
+ cert.setNotAfter(notAfter.toASN1tuple())
+ cert.tbs.subjectPublicKeyInfo.fromString(subject_key.get_DER())
+
+ exts = [ ["subjectKeyIdentifier", False, ski],
+ ["authorityKeyIdentifier", False, (aki, (), None)],
+ ["cRLDistributionPoints", False, ((("fullName", (("uri", crldp),)), None, ()),)],
+ ["authorityInfoAccess", False, ((rpki.oids.name2oid["id-ad-caIssuers"], ("uri", aia)),)],
+ ["certificatePolicies", True, ((rpki.oids.name2oid["id-cp-ipAddr-asNumber"], ()),)] ]
+
+ if is_ca:
+ exts.append(["basicConstraints", True, (1, None)])
+ exts.append(["keyUsage", True, (0, 0, 0, 0, 0, 1, 1)])
+ else:
+ exts.append(["keyUsage", True, (1,)])
+
+ if sia is not None:
+ exts.append(["subjectInfoAccess", False, sia])
+ else:
+ assert not is_ca
+
+ if resources is not None and resources.as:
+ exts.append(["sbgp-autonomousSysNum", True, (resources.as.to_tuple(), None)])
+
+ if resources is not None and (resources.v4 or resources.v6):
+ exts.append(["sbgp-ipAddrBlock", True, [x for x in (resources.v4.to_tuple(), resources.v6.to_tuple()) if x is not None]])
+
+ for x in exts:
+ x[0] = rpki.oids.name2oid[x[0]]
+ cert.setExtensions(exts)
+
+ cert.sign(keypair.get_POW(), POW.SHA256_DIGEST)
+
+ return X509(POWpkix = cert)
+
+class X509_chain(list):
+ """Collections of certs.
+
+ This class provides sorting and conversion functions for various
+ packages.
+ """
+
+ def __init__(self, *args, **kw):
+ """Initialize an X509_chain."""
+ if args:
+ self[:] = args
+ elif "PEM_files" in kw:
+ self.load_from_PEM(kw["PEM_files"])
+ elif "DER_files" in kw:
+ self.load_from_DER(kw["DER_files"])
+ elif "Auto_files" in kw:
+ self.load_from_Auto(kw["Auto_files"])
+ elif kw:
+ raise TypeError
+
+ def chainsort(self):
+ """Sort a bag of certs into a chain, leaf first.
+
+ Various other routines want their certs presented in this order.
+ """
+ if len(self) > 1:
+ bag = self[:]
+ issuer_names = [x.getIssuer() for x in bag]
+ subject_map = dict([(x.getSubject(), x) for x in bag])
+ chain = []
+ for subject in subject_map:
+ if subject not in issuer_names:
+ cert = subject_map[subject]
+ chain.append(cert)
+ bag.remove(cert)
+ if len(chain) != 1:
+ raise rpki.exceptions.NotACertificateChain, "Certificates in bag don't form a proper chain"
+ while bag:
+ cert = subject_map[chain[-1].getIssuer()]
+ chain.append(cert)
+ bag.remove(cert)
+ self[:] = chain
+
+ def tlslite_certChain(self):
+ """Return a certChain in the format tlslite likes."""
+ self.chainsort()
+ return tlslite.api.X509CertChain([x.get_tlslite() for x in self])
+
+ def tlslite_trustList(self):
+ """Return a trustList in the format tlslite likes."""
+ return [x.get_tlslite() for x in self]
+
+ def clear(self):
+ """Drop all certs from this bag onto the floor."""
+ self[:] = []
+
+ def load_from_PEM(self, files):
+ """Load a set of certs from a list of PEM files."""
+ self.extend([X509(PEM_file=f) for f in files])
+
+ def load_from_DER(self, files):
+ """Load a set of certs from a list of DER files."""
+ self.extend([X509(DER_file=f) for f in files])
+
+ def load_from_Auto(self, files):
+ """Load a set of certs from a list of DER or PEM files (guessing)."""
+ self.extend([X509(Auto_file=f) for f in files])
+
+class PKCS10(DER_object):
+ """Class to hold a PKCS #10 request."""
+
+ formats = ("DER", "POWpkix")
+ pem_converter = PEM_converter("CERTIFICATE REQUEST")
+
+ def get_DER(self):
+ """Get the DER value of this certification request."""
+ assert not self.empty()
+ if self.DER:
+ return self.DER
+ if self.POWpkix:
+ self.DER = self.POWpkix.toString()
+ return self.get_DER()
+ raise rpki.exceptions.DERObjectConversionError, "No conversion path to DER available"
+
+ def get_POWpkix(self):
+ """Get the POW.pkix value of this certification request."""
+ assert not self.empty()
+ if not self.POWpkix:
+ req = POW.pkix.CertificationRequest()
+ req.fromString(self.get_DER())
+ self.POWpkix = req
+ return self.POWpkix
+
+ def getPublicKey(self):
+ """Extract the public key from this certification request."""
+ return RSApublic(DER = self.get_POWpkix().certificationRequestInfo.subjectPublicKeyInfo.toString())
+
+ def check_valid_rpki(self):
+ """Check this certification request to see whether it's a valid
+ request for an RPKI certificate. This is broken out of the
+ up-down protocol code because it's somewhat involved and the
+ up-down code doesn't need to know the details.
+
+ Throws an exception if the request isn't valid, so if this method
+ returns at all, the request is ok.
+ """
+
+ if not self.get_POWpkix().verify():
+ raise rpki.exceptions.BadPKCS10, "Signature check failed"
+
+ if self.get_POWpkix().certificationRequestInfo.version.get() != 0:
+ raise rpki.exceptions.BadPKCS10, \
+ "Bad version number %s" % self.get_POWpkix().certificationRequestInfo.version
+
+ if rpki.oids.oid2name.get(self.get_POWpkix().signatureAlgorithm.algorithm.get()) \
+ not in ("sha256WithRSAEncryption", "sha384WithRSAEncryption", "sha512WithRSAEncryption"):
+ raise rpki.exceptions.BadPKCS10, "Bad signature algorithm %s" % self.get_POWpkix().signatureAlgorithm
+
+ exts = self.get_POWpkix().getExtensions()
+ for oid, critical, value in exts:
+ if rpki.oids.oid2name.get(oid) not in ("basicConstraints", "keyUsage", "subjectInfoAccess"):
+ raise rpki.exceptions.BadExtension, "Forbidden extension %s" % oid
+ req_exts = dict((rpki.oids.oid2name[oid], value) for (oid, critical, value) in exts)
+
+ if "basicConstraints" not in req_exts or not req_exts["basicConstraints"][0]:
+ raise rpki.exceptions.BadPKCS10, "request for EE cert not allowed here"
+
+ if req_exts["basicConstraints"][1] is not None:
+ raise rpki.exceptions.BadPKCS10, "basicConstraints must not specify Path Length"
+
+ if "keyUsage" in req_exts and (not req_exts["keyUsage"][5] or not req_exts["keyUsage"][6]):
+ raise rpki.exceptions.BadPKCS10, "keyUsage doesn't match basicConstraints"
+
+ for method, location in req_exts.get("subjectInfoAccess", ()):
+ if rpki.oids.oid2name.get(method) == "id-ad-caRepository" and \
+ (location[0] != "uri" or (location[1].startswith("rsync://") and not location[1].endswith("/"))):
+ raise rpki.exceptions.BadPKCS10, "Certificate request includes bad SIA component: %s" % repr(location)
+
+ # This one is an implementation restriction. I don't yet
+ # understand what the spec is telling me to do in this case.
+ assert "subjectInfoAccess" in req_exts, "Can't (yet) handle PKCS #10 without an SIA extension"
+
+ @classmethod
+ def create_ca(cls, keypair, sia = None):
+ """Create a new request for a given keypair, including given SIA value."""
+ exts = [["basicConstraints", True, (1, None)],
+ ["keyUsage", True, (0, 0, 0, 0, 0, 1, 1)]]
+ if sia is not None:
+ exts.append(["subjectInfoAccess", False, sia])
+ for x in exts:
+ x[0] = rpki.oids.name2oid[x[0]]
+ return cls.create(keypair, exts)
+
+ @classmethod
+ def create(cls, keypair, exts = None):
+ """Create a new request for a given keypair, including given extensions."""
+ cn = "".join(("%02X" % ord(i) for i in keypair.get_SKI()))
+ req = POW.pkix.CertificationRequest()
+ req.certificationRequestInfo.version.set(0)
+ req.certificationRequestInfo.subject.set((((rpki.oids.name2oid["commonName"],
+ ("printableString", cn)),),))
+ if exts is not None:
+ req.setExtensions(exts)
+ req.sign(keypair.get_POW(), POW.SHA256_DIGEST)
+ return cls(POWpkix = req)
+
+class RSA(DER_object):
+ """Class to hold an RSA key pair."""
+
+ formats = ("DER", "POW", "tlslite")
+ pem_converter = PEM_converter("RSA PRIVATE KEY")
+
+ def get_DER(self):
+ """Get the DER value of this keypair."""
+ assert not self.empty()
+ if self.DER:
+ return self.DER
+ if self.POW:
+ self.DER = self.POW.derWrite(POW.RSA_PRIVATE_KEY)
+ return self.get_DER()
+ raise rpki.exceptions.DERObjectConversionError, "No conversion path to DER available"
+
+ def get_POW(self):
+ """Get the POW value of this keypair."""
+ assert not self.empty()
+ if not self.POW:
+ self.POW = POW.derRead(POW.RSA_PRIVATE_KEY, self.get_DER())
+ return self.POW
+
+ def get_tlslite(self):
+ """Get the tlslite value of this keypair."""
+ assert not self.empty()
+ if not self.tlslite:
+ self.tlslite = tlslite.api.parsePEMKey(self.get_PEM(), private=True)
+ return self.tlslite
+
+ def generate(self, keylength = 2048):
+ """Generate a new keypair."""
+ self.clear()
+ self.set(POW=POW.Asymmetric(POW.RSA_CIPHER, keylength))
+
+ def get_public_DER(self):
+ """Get the DER encoding of the public key from this keypair."""
+ return self.get_POW().derWrite(POW.RSA_PUBLIC_KEY)
+
+ def get_SKI(self):
+ """Calculate the SKI of this keypair."""
+ return calculate_SKI(self.get_public_DER())
+
+ def get_RSApublic(self):
+ """Convert the public key of this keypair into a RSApublic object."""
+ return RSApublic(DER = self.get_public_DER())
+
+class RSApublic(DER_object):
+ """Class to hold an RSA public key."""
+
+ formats = ("DER", "POW")
+ pem_converter = PEM_converter("RSA PUBLIC KEY")
+
+ def get_DER(self):
+ """Get the DER value of this public key."""
+ assert not self.empty()
+ if self.DER:
+ return self.DER
+ if self.POW:
+ self.DER = self.POW.derWrite(POW.RSA_PUBLIC_KEY)
+ return self.get_DER()
+ raise rpki.exceptions.DERObjectConversionError, "No conversion path to DER available"
+
+ def get_POW(self):
+ """Get the POW value of this public key."""
+ assert not self.empty()
+ if not self.POW:
+ self.POW = POW.derRead(POW.RSA_PUBLIC_KEY, self.get_DER())
+ return self.POW
+
+ def get_SKI(self):
+ """Calculate the SKI of this public key."""
+ return calculate_SKI(self.get_DER())
+
+class SignedManifest(DER_object):
+ """Class to hold a signed manifest.
+
+ Signed manifests are a little different from the other DER_object
+ types because the signed object is CMS wrapping inner content that's
+ also ASN.1, and due to our current minimal support for CMS we can't
+ just handle this as a pretty composite object. So, for now anyway,
+ this SignedManifest object refers to the outer CMS wrapped manifest
+ so that the usual DER and PEM operations do the obvious things, and
+ the inner content is handle via separate methods using rpki.manifest.
+ """
+
+ formats = ("DER",)
+ other_clear = ("content",)
+ pem_converter = PEM_converter("RPKI MANIFEST")
+
+ def get_DER(self):
+ """Get the DER value of this manifest."""
+ assert not self.empty()
+ if self.DER:
+ return self.DER
+ raise rpki.exceptions.DERObjectConversionError, "No conversion path to DER available"
+
+ def get_content(self):
+ """Get the inner content of this manifest."""
+ assert self.content is not None
+ return self.content
+
+ def set_content(self, content):
+ """Set the (inner) content of this manifest, clearing the wrapper."""
+ self.clear()
+ self.content = content
+
+ def getThisUpdate(self):
+ """Get thisUpdate value from this manifest."""
+ return rpki.sundial.datetime.fromGeneralizedTime(self.get_content().thisUpdate.get())
+
+ def getNextUpdate(self):
+ """Get nextUpdate value from this manifest."""
+ return rpki.sundial.datetime.fromGeneralizedTime(self.get_content().nextUpdate.get())
+
+ def verify(self, ta):
+ """Verify this manifest."""
+ m = rpki.manifest.Manifest()
+ s = rpki.cms.verify(self.get_DER(), ta)
+ m.fromString(s)
+ self.content = m
+
+ def build(self, serial, thisUpdate, nextUpdate, names_and_objs, keypair, certs, version = 0):
+ """Build the inner content of this manifest and sign it with CMS."""
+ filelist = []
+ for name, obj in names_and_objs:
+ d = POW.Digest(POW.SHA256_DIGEST)
+ d.update(obj.get_DER())
+ filelist.append((name.rpartition("/")[2], d.digest()))
+ filelist.sort(key = lambda x: x[0])
+ m = rpki.manifest.Manifest()
+ m.version.set(version)
+ m.manifestNumber.set(serial)
+ m.thisUpdate.set(thisUpdate.toGeneralizedTime())
+ m.nextUpdate.set(nextUpdate.toGeneralizedTime())
+ m.fileHashAlg.set((2, 16, 840, 1, 101, 3, 4, 2, 1)) # id-sha256
+ m.fileList.set(filelist)
+ self.set_content(m)
+ self.DER = rpki.cms.sign(m.toString(), keypair, certs)
+
+class CRL(DER_object):
+ """Class to hold a Certificate Revocation List."""
+
+ formats = ("DER", "POW", "POWpkix")
+ pem_converter = PEM_converter("X509 CRL")
+
+ def get_DER(self):
+ """Get the DER value of this CRL."""
+ assert not self.empty()
+ if self.DER:
+ return self.DER
+ if self.POW:
+ self.DER = self.POW.derWrite()
+ return self.get_DER()
+ if self.POWpkix:
+ self.DER = self.POWpkix.toString()
+ return self.get_DER()
+ raise rpki.exceptions.DERObjectConversionError, "No conversion path to DER available"
+
+ def get_POW(self):
+ """Get the POW value of this CRL."""
+ assert not self.empty()
+ if not self.POW:
+ self.POW = POW.derRead(POW.X509_CRL, self.get_DER())
+ return self.POW
+
+ def get_POWpkix(self):
+ """Get the POW.pkix value of this CRL."""
+ assert not self.empty()
+ if not self.POWpkix:
+ crl = POW.pkix.CertificateList()
+ crl.fromString(self.get_DER())
+ self.POWpkix = crl
+ return self.POWpkix
+
+ def getThisUpdate(self):
+ """Get thisUpdate value from this CRL."""
+ return rpki.sundial.datetime.fromASN1tuple(self.get_POWpkix().getThisUpdate())
+
+ def getNextUpdate(self):
+ """Get nextUpdate value from this CRL."""
+ return rpki.sundial.datetime.fromASN1tuple(self.get_POWpkix().getNextUpdate())
+
+ @classmethod
+ def generate(cls, keypair, issuer, serial, thisUpdate, nextUpdate, revokedCertificates, version = 1, digestType = "sha256WithRSAEncryption"):
+ crl = POW.pkix.CertificateList()
+ crl.setVersion(version)
+ crl.setIssuer(issuer.get_POWpkix().getSubject())
+ crl.setThisUpdate(thisUpdate.toASN1tuple())
+ crl.setNextUpdate(nextUpdate.toASN1tuple())
+ if revokedCertificates:
+ crl.setRevokedCertificates(revokedCertificates)
+ crl.setExtensions(
+ ((rpki.oids.name2oid["authorityKeyIdentifier"], False, (issuer.get_SKI(), (), None)),
+ (rpki.oids.name2oid["cRLNumber"], False, serial)))
+ crl.sign(keypair.get_POW(), digestType)
+ return cls(POWpkix = crl)
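Review bot: `PKCS10.check_valid_rpki` ends its validation of a received certificate request with `assert "subjectInfoAccess" in req_exts, ...`, and asserts are removed when Python runs with `-O`, so a request without an SIA extension would then pass this method. Every other rejection in the method raises `rpki.exceptions.BadPKCS10`, so this one should be explicit too: `if "subjectInfoAccess" not in req_exts: raise rpki.exceptions.BadPKCS10, "Can't (yet) handle PKCS #10 without an SIA extension"`. The same applies to `assert lines` in `PEM_converter.to_DER` and `assert not is_ca` in `X509.issue`, which also guard input-dependent conditions. Separately, `DER_object.get_AIA` looks up `name2oid["subjectInfoAccess"]` and so returns the SIA extension; it should read `rpki.oids.name2oid["authorityInfoAccess"]`, with the docstring corrected to say AIA.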
diff --git a/rpkid/rpkid.py b/rpkid/rpkid.py
new file mode 100755
index 00000000..5779753b
--- /dev/null
+++ b/rpkid/rpkid.py
@@ -0,0 +1,137 @@
+# $Id$
+
+# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+"""
+RPKI engine daemon. This is still very much a work in progress.
+
+Usage: python rpkid.py [ { -c | --config } configfile ] [ { -h | --help } ]
+
+Default configuration file is rpkid.conf, override with --config option.
+"""
+
+import traceback, os, time, getopt, sys, MySQLdb, lxml.etree
+import rpki.resource_set, rpki.up_down, rpki.left_right, rpki.x509, rpki.sql
+import rpki.https, rpki.config, rpki.cms, rpki.exceptions, rpki.relaxng, rpki.log
+
+def left_right_handler(query, path):
+ """Process one left-right PDU."""
+ rpki.log.trace()
+ try:
+ q_elt = rpki.cms.xml_verify(query, gctx.cms_ta_irbe)
+ rpki.relaxng.left_right.assertValid(q_elt)
+ q_msg = rpki.left_right.sax_handler.saxify(q_elt)
+ r_msg = q_msg.serve_top_level(gctx)
+ r_elt = r_msg.toXML()
+ rpki.relaxng.left_right.assertValid(r_elt)
+ reply = rpki.cms.xml_sign(r_elt, gctx.cms_key, gctx.cms_certs)
+ rpki.sql.sql_sweep(gctx)
+ return 200, reply
+ except lxml.etree.DocumentInvalid:
+ rpki.log.warn("Received reply document does not pass schema check: " + lxml.etree.tostring(r_elt, pretty_print = True))
+ rpki.log.warn(traceback.format_exc())
+ return 500, "Schema violation"
+ except Exception, data:
+ rpki.log.error(traceback.format_exc())
+ return 500, "Unhandled exception %s" % data
+
+def up_down_handler(query, path):
+ """Process one up-down PDU."""
+ rpki.log.trace()
+ try:
+ child_id = path.partition("/up-down/")[2]
+ if not child_id.isdigit():
+ raise rpki.exceptions.BadContactURL, "Bad path: %s" % path
+ child = rpki.left_right.child_elt.sql_fetch(gctx, long(child_id))
+ if child is None:
+ raise rpki.exceptions.ChildNotFound, "Could not find child %s" % child_id
+ reply = child.serve_up_down(gctx, query)
+ rpki.sql.sql_sweep(gctx)
+ return 200, reply
+ except Exception, data:
+ rpki.log.error(traceback.format_exc())
+ return 400, "Could not process PDU: %s" % data
+
+def cronjob_handler(query, path):
+ """Periodic tasks. As simple as possible for now, may need to break
+ this up into separate handlers later.
+ """
+
+ rpki.log.trace()
+ for s in rpki.left_right.self_elt.sql_fetch_all(gctx):
+ s.client_poll(gctx)
+ s.update_children(gctx)
+ s.regenerate_crls_and_manifests(gctx)
+ rpki.sql.sql_sweep(gctx)
+ return 200, "OK"
+
+class global_context(object):
+ """A container for various global parameters."""
+
+ def __init__(self, cfg):
+
+ self.db = MySQLdb.connect(user = cfg.get("sql-username"),
+ db = cfg.get("sql-database"),
+ passwd = cfg.get("sql-password"))
+ self.cur = self.db.cursor()
+
+ self.cms_ta_irdb = rpki.x509.X509(Auto_file = cfg.get("cms-ta-irdb"))
+ self.cms_ta_irbe = rpki.x509.X509(Auto_file = cfg.get("cms-ta-irbe"))
+ self.cms_key = rpki.x509.RSA(Auto_file = cfg.get("cms-key"))
+ self.cms_certs = rpki.x509.X509_chain(Auto_files = cfg.multiget("cms-cert"))
+
+ self.https_key = rpki.x509.RSA(Auto_file = cfg.get("https-key"))
+ self.https_certs = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-cert"))
+ self.https_ta = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-ta"))
+
+ self.irdb_url = cfg.get("irdb-url")
+
+ self.https_server_host = cfg.get("server-host", "")
+ self.https_server_port = int(cfg.get("server-port", "4433"))
+
+ self.publication_kludge_base = cfg.get("publication-kludge-base", "publication/")
+
+os.environ["TZ"] = "UTC"
+time.tzset()
+
+rpki.log.init("rpkid")
+
+cfg_file = "rpkid.conf"
+
+opts,argv = getopt.getopt(sys.argv[1:], "c:h?", ["config=", "help"])
+for o,a in opts:
+ if o in ("-h", "--help", "-?"):
+ print __doc__
+ sys.exit(0)
+ if o in ("-c", "--config"):
+ cfg_file = a
+if argv:
+ raise RuntimeError, "Unexpected arguments %s" % argv
+
+cfg = rpki.config.parser(cfg_file, "rpkid")
+
+startup_msg = cfg.get("startup-message", "")
+if startup_msg:
+ rpki.log.info(startup_msg)
+
+gctx = global_context(cfg)
+
+rpki.https.server(privateKey = gctx.https_key,
+ certChain = gctx.https_certs,
+ host = gctx.https_server_host,
+ port = gctx.https_server_port,
+ handlers=(("/left-right", left_right_handler),
+ ("/up-down/", up_down_handler),
+ ("/cronjob", cronjob_handler)))
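Review bot: `gctx.https_ta` is loaded in `global_context.__init__` but never passed to the `rpki.https.server(...)` call that ends the file, so nothing in this hunk shows client certificates being checked against it. This matters most for `/cronjob`, whose handler does no CMS verification of its own, unlike `left_right_handler`, which calls `rpki.cms.xml_verify(query, gctx.cms_ta_irbe)`. If the server accepts a trust list the way `rpki.https.client` does in testbed.py (`x509TrustList = ...`), pass `gctx.https_ta` there; otherwise limit `/cronjob` to a local listener or require a signed request. Separately, the `except lxml.etree.DocumentInvalid` branch in `left_right_handler` logs `r_elt`, which is unbound when the query itself fails `assertValid(q_elt)`, so that path raises a NameError instead of returning the 500. Both handlers also return the exception text to the peer (`"Unhandled exception %s" % data`, `"Could not process PDU: %s" % data`); keep the detail in the log and return a fixed string.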
diff --git a/rpkid/test-pow-tls.py b/rpkid/test-pow-tls.py
new file mode 100644
index 00000000..99e412f0
--- /dev/null
+++ b/rpkid/test-pow-tls.py
@@ -0,0 +1,59 @@
+# $Id$
+
+# Copyright (C) 2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# Grope towards testing TLS functionality in POW
+
+# openssl s_server -tls1 -Verify 9 -cert biz-certs/Alice-EE.cer -key biz-certs/Alice-EE.key -www -CApath biz-certs -chain
+
+# openssl s_client -connect localhost:4433 -tls1 -cert biz-certs/Bob-EE.cer -key biz-certs/Bob-EE.key -verify 9 -CApath biz-certs -crlf
+
+import POW, socket
+
+def pow_error_iterator():
+ err = POW.getError()
+ if err is None:
+ raise StopIteration
+ else:
+ yield err
+
+key = POW.pemRead(POW.RSA_PRIVATE_KEY, open("biz-certs/Bob-EE.key").read())
+cer = POW.pemRead(POW.X509_CERTIFICATE, open("biz-certs/Bob-EE.cer").read())
+ca = POW.pemRead(POW.X509_CERTIFICATE, open("biz-certs/Bob-CA.cer").read())
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect(("localhost", 4433))
+
+try:
+ t = POW.Ssl(POW.TLSV1_CLIENT_METHOD)
+ t.useCertificate(cer)
+ t.useKey(key)
+ t.addCertificate(ca)
+ t.setFd(s.fileno())
+ t.connect()
+ x = t.peerCertificate()
+ if x is not None:
+ print "Peer", x.pprint()
+ t.write("GET / HTTP/1.0\r\n")
+ if False:
+ print t.read(10000)
+ else:
+ while True:
+ print t.read()
+except:
+ print "ERROR:"
+ for e in pow_error_iterator():
+ print e
+ raise
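Review bot: `pow_error_iterator` yields at most one error, because it calls `POW.getError()` once and has no loop, so the `for e in pow_error_iterator()` in the except branch prints only the first queued error. Assuming `POW.getError()` returns one queue entry per call and `None` when the queue is empty, wrap the body in `while True:` and replace `raise StopIteration` with `return`. The script also prints `t.peerCertificate()` without checking it against `ca`. Whether `addCertificate(ca)` makes `connect()` verify the server is not visible here, so a comment such as `# NOTE: peer certificate is displayed, not verified` would stop readers treating this as a validated TLS client.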
diff --git a/rpkid/testbed.1.yaml b/rpkid/testbed.1.yaml
new file mode 100644
index 00000000..acee42e2
--- /dev/null
+++ b/rpkid/testbed.1.yaml
@@ -0,0 +1,47 @@
+# $Id$
+
+# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+name: RIR
+#valid_until: 2008-07-14T12:30:00Z
+valid_for: 2d
+kids:
+ - name: R0
+ kids:
+ - name: Alice
+ ipv4: 192.0.2.1-192.0.2.33
+ asn: 64533
+---
+- name: R0
+ rekey:
+---
+- name: R0
+ revoke:
+---
+- name: Alice
+ valid_add: 10
+---
+- name: Alice
+ add_as: 33
+ valid_add: 2d
+# valid_until: 2009-07-14T12:30:00Z
+---
+- name: Alice
+# valid_until: 2009-04-01T00:00:00
+ valid_sub: 2d
+---
+- name: Alice
+# valid_until: 2009-04-01T00:00:00
+ valid_for: 10d
diff --git a/rpkid/testbed.2.yaml b/rpkid/testbed.2.yaml
new file mode 100644
index 00000000..9b154579
--- /dev/null
+++ b/rpkid/testbed.2.yaml
@@ -0,0 +1,92 @@
+# $Id$
+
+# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+name: RIR
+valid_until: 2008-07-14T12:30:00Z
+kids:
+ - name: R0
+ kids:
+ - name: Alice
+ ipv4: 192.0.2.1-192.0.2.33
+ asn: 64533
+ - name: Bob
+ ipv4: 192.0.2.44-192.0.2.100
+ - name: R1
+ kids:
+ - name: Carol
+ ipv6: 2001:db8::44-2001:db8::100
+ - name: Dave
+ ipv6: 2001:db8::10:0:44/128
+ asn: 64544
+ - name: R2
+ kids:
+ - name: Elena
+ ipv4: 10.0.0.0/24
+ ipv6: 2001:db8::a00:0/120
+ - name: Frank
+ ipv4: 10.3.0.0/24
+ ipv6: 2001:db8::a03:0/120
+ - name: R3
+ kids:
+ - name: Ginny
+ asn: 64534-64540
+ - name: Harry
+ asn: 666-677
+ - name: R4
+ kids:
+ - name: Ilse
+ ipv4: 10.3.0.0/16
+ - name: Jack
+ ipv4: 10.2.0.0/16
+ - name: R5
+ kids:
+ - name: Kari
+ asn: 222-233
+ - name: Leon
+ asn: 244-255
+ - name: R6
+ kids:
+ - name: Mary
+ ipv4: 10.77.0.0/16
+ - name: Neal
+ ipv4: 10.66.0.0/16
+ - name: R7
+ kids:
+ - name: Olga
+ ipv4: 10.88.0.0/16
+ - name: Piet
+ ipv4: 10.99.0.0/16
+ - name: R8
+ kids:
+ - name: Qi
+ asn: 111-122
+ - name: Rex
+ asn: 333-344
+ - name: R9
+ kids:
+ - name: Sandra
+ asn: 555-566
+ - name: Thad
+ asn: 577-588
+---
+- name: Alice
+ add_as: 33
+---
+- name: Alice
+ sub_as: 33
+---
+- name: Alice
+ valid_until: 2009-07-14T12:30:00Z
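Review bot: The root entry pins `valid_until: 2008-07-14T12:30:00Z`, and `allocation_db.__init__` in testbed.py copies the parent's `valid_until` to every entity that lacks one. Once that date passes, the whole tree is generated already expired and the rcynic check can be expected to reject it. testbed.1.yaml avoids this with a relative lifetime, so `valid_for: 2d` (or similar) would keep this script runnable. It is also worth confirming that Frank's `10.3.0.0/24` under R2 and Ilse's `10.3.0.0/16` under R4 are meant to overlap; if so, add a comment saying the overlap is deliberate.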
diff --git a/rpkid/testbed.py b/rpkid/testbed.py
new file mode 100644
index 00000000..97a66a2b
--- /dev/null
+++ b/rpkid/testbed.py
@@ -0,0 +1,941 @@
+# $Id$
+
+# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+"""
+Test framework to configure and drive a collection of rpkid.py and
+irdbd.py instances under control of a master script.
+
+Usage: python rpkid.py [ { -c | --config } config_file ]
+ [ { -h | --help } ]
+ [ { -y | --yaml } yaml_script ]
+
+Default config_file is testbed.conf, override with --config option.
+
+Default yaml_script is testbed.yaml, override with -yaml option.
+
+yaml_script is a YAML file describing the tests to be run, and is
+intended to be implementation agnostic.
+
+config_file contains settings for various implementation-specific
+things that don't belong in yaml_script.
+"""
+
+import os, yaml, MySQLdb, subprocess, signal, time, datetime, re, getopt, sys, lxml
+import rpki.resource_set, rpki.sundial, rpki.x509, rpki.https, rpki.log, rpki.left_right, rpki.config
+
+os.environ["TZ"] = "UTC"
+time.tzset()
+
+cfg_file = "testbed.conf"
+
+yaml_script = None
+
+opts,argv = getopt.getopt(sys.argv[1:], "c:hy:?", ["config=", "help", "yaml="])
+for o,a in opts:
+ if o in ("-h", "--help", "-?"):
+ print __doc__
+ sys.exit(0)
+ elif o in ("-c", "--config"):
+ cfg_file = a
+ elif o in ("-y", "--yaml"):
+ yaml_script = a
+if argv:
+ print __doc__
+ raise RuntimeError, "Unexpected arguments %s" % argv
+
+cfg = rpki.config.parser(cfg_file, "testbed")
+
+# Load the YAML script early, so we can report errors ASAP
+
+if yaml_script is None:
+ yaml_script = cfg.get("yaml_script", "testbed.yaml")
+try:
+ yaml_script = [y for y in yaml.safe_load_all(open(yaml_script))]
+except:
+ print __doc__
+ raise
+
+# Define port allocator early, so we can use it while reading config
+
+def allocate_port():
+ """Allocate a TCP port number."""
+ global base_port
+ p = base_port
+ base_port += 1
+ return p
+
+# Most filenames in the following are relative to the working directory.
+
+testbed_name = cfg.get("testbed_name", "testbed")
+testbed_dir = cfg.get("testbed_dir", testbed_name + ".dir")
+
+irdb_db_pass = cfg.get("irdb_db_pass", "fnord")
+rpki_db_pass = cfg.get("rpki_db_pass", "fnord")
+
+base_port = int(cfg.get("base_port", "4400"))
+
+rsyncd_port = allocate_port()
+rootd_port = allocate_port()
+
+rsyncd_module = cfg.get("rsyncd_module", testbed_name)
+rootd_sia = cfg.get("rootd_sia", "rsync://localhost:%d/%s/" % (rsyncd_port, rsyncd_module))
+
+rootd_name = cfg.get("rootd_name", "rootd")
+rsyncd_name = cfg.get("rcynic_name", "rsyncd")
+rcynic_name = cfg.get("rcynic_name", "rcynic")
+
+prog_python = cfg.get("prog_python", "python")
+prog_rpkid = cfg.get("prog_rpkid", "../rpkid.py")
+prog_irdbd = cfg.get("prog_irdbd", "../irdbd.py")
+prog_poke = cfg.get("prog_poke", "../testpoke.py")
+prog_rootd = cfg.get("prog_rootd", "../rootd.py")
+prog_openssl = cfg.get("prog_openssl", "../../openssl/openssl/apps/openssl")
+prog_rsyncd = cfg.get("prog_rsyncd", "rsync")
+prog_rcynic = cfg.get("prog_rcynic", "../../rcynic/rcynic")
+
+rcynic_stats = cfg.get("rcynic_stats", "xsltproc --param refresh 0 ../../rcynic/rcynic.xsl %s.xml | w3m -T text/html -dump" % rcynic_name)
+
+rpki_sql_file = cfg.get("rpki_sql_file", "../docs/rpki-db-schema.sql")
+irdb_sql_file = cfg.get("irdb_sql_file", "../docs/sample-irdb.sql")
+
+rpki_sql = open(rpki_sql_file).read()
+irdb_sql = open(irdb_sql_file).read()
+
+testbed_key = None
+testbed_certs = None
+rootd_ta = None
+
+
+def main():
+ """Main program, up front to make control logic more obvious."""
+
+ rpki.log.init(testbed_name)
+
+ signal.signal(signal.SIGALRM, wakeup)
+
+ rootd_process = None
+ rsyncd_process = None
+
+ try:
+ os.chdir(testbed_dir)
+ except:
+ os.makedirs(testbed_dir)
+ os.chdir(testbed_dir)
+
+ # Clean up old state
+
+ subprocess.check_call(("rm", "-rf", "publication", "rcynic-data", "rootd.subject.pkcs10", "rootd.req"))
+
+ # Read the first YAML document as our master configuration
+
+ db = allocation_db(yaml_script.pop(0))
+
+ # Construct biz keys and certs for this script to use
+
+ setup_biz_cert_chain(testbed_name)
+ global testbed_key, testbed_certs
+ testbed_key = rpki.x509.RSA(PEM_file = testbed_name + "-EE.key")
+ testbed_certs = rpki.x509.X509_chain(PEM_files = (testbed_name + "-EE.cer", testbed_name + "-CA.cer"))
+
+ # Construct biz keys and certs for rootd instance to use
+
+ setup_biz_cert_chain(rootd_name)
+ global rootd_ta
+ rootd_ta = rpki.x509.X509(PEM_file = rootd_name + "-TA.cer")
+
+ # Construct biz keys and certs for rpkid and irdbd instances.
+
+ for a in db:
+ a.setup_biz_certs()
+
+ # Create the (psuedo) publication directory
+
+ setup_publication()
+
+ # Construct config files for rootd, rsyncd, rcynic instances
+
+ setup_rootd(db.root.name)
+ setup_rsyncd()
+ setup_rcynic()
+
+ # Construct config files for rpkid and irdbd instances
+
+ for a in db.engines:
+ a.setup_conf_file()
+
+ # Initialize SQL for rpkid and irdbd instances
+
+ for a in db.engines:
+ a.setup_sql(rpki_sql, irdb_sql)
+
+ # Populate IRDB(s)
+
+ for a in db.engines:
+ a.sync_sql()
+
+ try:
+
+ # Start rootd instance
+
+ rpki.log.info("Running rootd")
+ rootd_process = subprocess.Popen((prog_python, prog_rootd, "-c", rootd_name + ".conf"))
+
+ # Start rsyncd instance
+
+ rpki.log.info("Running rsyncd")
+ rsyncd_process = subprocess.Popen((prog_rsyncd, "--daemon", "--no-detach", "--config", rsyncd_name + ".conf"))
+
+ # Start rpkid and irdbd instances
+
+ for a in db.engines:
+ a.run_daemons()
+
+ # Wait a little while for all those instances to come up
+
+ rpki.log.info("Sleeping while daemons start up")
+ time.sleep(10)
+
+ # Create objects in RPKI engines
+
+ for a in db.engines:
+ a.create_rpki_objects()
+
+ # Write YAML files for leaves
+
+ for a in db.leaves:
+ a.write_leaf_yaml()
+
+ # 8: Start cycle:
+
+ while True:
+
+ # Run cron in all RPKI instances
+
+ for a in db.engines:
+ a.run_cron()
+
+ # Run all YAML clients
+
+ for a in db.leaves:
+ a.run_yaml()
+
+ # Make sure that everybody got what they were supposed to get
+ # and that everything that was supposed to be published has been
+ # published.
+ #
+ # As a first cut at this, try running rcynic on the outputs.
+
+ run_rcynic()
+
+ # If we've run out of deltas to apply, we're done
+
+ if not yaml_script:
+ break
+
+ # Apply next deltas and resync IRDBs
+
+ db.apply_delta(yaml_script.pop(0))
+
+ for a in db.engines:
+ a.sync_sql()
+
+ # Clean up
+
+ finally:
+
+ try:
+ for a in db.engines:
+ a.kill_daemons()
+ for p,n in ((rootd_process, "rootd"), (rsyncd_process, "rsyncd")):
+ if p is not None:
+ rpki.log.info("Killing %s" % n)
+ os.kill(p.pid, signal.SIGTERM)
+ except Exception, data:
+ rpki.log.warn("Couldn't clean up daemons (%s), continuing" % data)
+
+# Define time delta parser early, so we can use it while reading config
+
+class timedelta(datetime.timedelta):
+ """Timedelta with text parsing. This accepts two input formats:
+
+ - A simple integer, indicating a number of seconds.
+
+ - A string of the form "wD xH yM zS" where w, x, y, and z are integers
+ and D, H, M, and S indicate days, hours, minutes, and seconds.
+ All of the fields are optional, but at least one must be specified.
+ Eg, "3D4H" means "three days plus four hours".
+ """
+
+ ## @var regexp
+ # Hideously ugly regular expression to parse the complex text form.
+ # Tags are intended for use with re.MatchObject.groupdict() and map
+ # directly to the keywords expected by the timedelta constructor.
+
+ regexp = re.compile("\\s*(?:(?P<days>\\d+)D)?" +
+ "\\s*(?:(?P<hours>\\d+)H)?" +
+ "\\s*(?:(?P<minutes>\\d+)M)?" +
+ "\\s*(?:(?P<seconds>\\d+)S)?\\s*", re.I)
+
+ @classmethod
+ def parse(cls, arg):
+ """Parse text into a timedelta object."""
+ if not isinstance(arg, str):
+ return cls(seconds = arg)
+ elif arg.isdigit():
+ return cls(seconds = int(arg))
+ else:
+ return cls(**dict((k, int(v)) for (k, v) in cls.regexp.match(arg).groupdict().items() if v is not None))
+
+ def convert_to_seconds(self):
+ """Convert a timedelta interval to seconds."""
+ return self.days * 24 * 60 * 60 + self.seconds
+
+def wakeup(signum, frame):
+ """Handler called when we receive a SIGALRM signal."""
+ rpki.log.info("Wakeup call received, continuing")
+
+def cmd_sleep(interval = None):
+ """Set an alarm, then wait for it to go off."""
+ if interval is None:
+ rpki.log.info("Pausing indefinitely, send a SIGALRM to wake me up")
+ else:
+ seconds = timedelta.parse(interval).convert_to_seconds()
+ rpki.log.info("Sleeping %s seconds" % seconds)
+ signal.alarm(seconds)
+ signal.pause()
+
+def cmd_shell(*cmd):
+ """Run a shell command."""
+ cmd = " ".join(cmd)
+ status = subprocess.call(cmd, shell = True)
+ rpki.log.info("Shell command returned status %d" % status)
+
+def cmd_echo(*words):
+ """Echo some text to the log."""
+ rpki.log.note(" ".join(words))
+
+## @var cmds
+# Dispatch table for commands embedded in delta sections
+
+cmds = { "sleep" : cmd_sleep,
+ "shell" : cmd_shell,
+ "echo" : cmd_echo }
+
+class allocation_db(list):
+ """Representation of all the entities and allocations in the test system.
+ Almost everything is generated out of this database.
+ """
+
+ def __init__(self, yaml):
+ """Initialize database from the (first) YAML document."""
+ self.root = allocation(yaml, self)
+ assert self.root.is_root()
+ if self.root.crl_interval is None:
+ self.root.crl_interval = timedelta.parse(cfg.get("crl_interval", "1d")).convert_to_seconds()
+ for a in self:
+ if a.sia_base is None and a.parent is not None:
+ a.sia_base = a.parent.sia_base + a.name + "/"
+ elif a.sia_base is None and a.parent is None:
+ a.sia_base = rootd_sia + a.name + "/"
+ if a.base.valid_until is None:
+ a.base.valid_until = a.parent.base.valid_until
+ if a.crl_interval is None:
+ a.crl_interval = a.parent.crl_interval
+ self.root.closure()
+ self.map = dict((a.name, a) for a in self)
+ self.engines = [a for a in self if not a.is_leaf()]
+ self.leaves = [a for a in self if a.is_leaf()]
+ for i, a in zip(range(len(self.engines)), self.engines):
+ a.set_engine_number(i)
+
+ def apply_delta(self, delta):
+ """Apply a delta or run a command."""
+ for d in delta:
+ if isinstance(d, str):
+ c = d.split()
+ cmds[c[0]](*c[1:])
+ else:
+ self.map[d["name"]].apply_delta(d)
+ self.root.closure()
+
+ def dump(self):
+ """Print content of the database."""
+ for a in self:
+ print a
+
+class allocation(object):
+
+ parent = None
+ irdb_db_name = None
+ irdb_port = None
+ rpki_db_name = None
+ rpki_port = None
+ crl_interval = None
+
+ def __init__(self, yaml, db, parent = None):
+ """Initialize one entity and insert it into the database."""
+ db.append(self)
+ self.name = yaml["name"]
+ self.parent = parent
+ self.kids = [allocation(k, db, self) for k in yaml.get("kids", ())]
+ valid_until = yaml.get("valid_until")
+ if valid_until is None and "valid_for" in yaml:
+ valid_until = datetime.datetime.utcnow() + timedelta.parse(yaml["valid_for"])
+ self.base = rpki.resource_set.resource_bag(
+ as = rpki.resource_set.resource_set_as(yaml.get("asn")),
+ v4 = rpki.resource_set.resource_set_ipv4(yaml.get("ipv4")),
+ v6 = rpki.resource_set.resource_set_ipv6(yaml.get("ipv6")),
+ valid_until = valid_until)
+ self.sia_base = yaml.get("sia_base")
+ if "crl_interval" in yaml:
+ self.crl_interval = timedelta.parse(yaml["crl_interval"]).convert_to_seconds()
+ self.extra_conf = yaml.get("extra_conf", [])
+
+ def closure(self):
+ """Compute the transitive resource closure."""
+ resources = self.base
+ for kid in self.kids:
+ resources = resources.union(kid.closure())
+ self.resources = resources
+ return resources
+
+ def apply_delta(self, yaml):
+ """Apply deltas to this entity."""
+ rpki.log.info("Applying delta: %s" % yaml)
+ for k,v in yaml.items():
+ if k != "name":
+ getattr(self, "apply_" + k)(v)
+
+ def apply_add_as(self, text): self.base.as = self.base.as.union(rpki.resource_set.resource_set_as(text))
+ def apply_add_v4(self, text): self.base.v4 = self.base.v4.union(rpki.resource_set.resource_set_ipv4(text))
+ def apply_add_v6(self, text): self.base.v6 = self.base.v6.union(rpki.resource_set.resource_set_ipv6(text))
+ def apply_sub_as(self, text): self.base.as = self.base.as.difference(rpki.resource_set.resource_set_as(text))
+ def apply_sub_v4(self, text): self.base.v4 = self.base.v4.difference(rpki.resource_set.resource_set_ipv4(text))
+ def apply_sub_v6(self, text): self.base.v6 = self.base.v6.difference(rpki.resource_set.resource_set_ipv6(text))
+
+ def apply_valid_until(self, stamp): self.base.valid_until = stamp
+ def apply_valid_for(self, text): self.base.valid_until = datetime.datetime.utcnow() + timedelta.parse(text)
+ def apply_valid_add(self, text): self.base.valid_until += timedelta.parse(text)
+ def apply_valid_sub(self, text): self.base.valid_until -= timedelta.parse(text)
+
+ def apply_rekey(self, target):
+ if self.is_leaf():
+ raise RuntimeError, "Can't rekey YAML leaf %s, sorry" % self.name
+ elif target is None:
+ rpki.log.info("Rekeying <self/> %s" % self.name)
+ self.call_rpkid(rpki.left_right.self_elt.make_pdu(action = "set", self_id = self.self_id, rekey = "yes"))
+ else:
+ rpki.log.info("Rekeying <parent/> %s %s" % (self.name, target))
+ self.call_rpkid(rpki.left_right.parent_elt.make_pdu(action = "set", self_id = self.self_id, parent_id = target, rekey = "yes"))
+
+ def apply_revoke(self, target):
+ if self.is_leaf():
+ rpki.log.info("Attempting to revoke YAML leaf %s" % self.name)
+ subprocess.check_call((prog_python, prog_poke, "-y", self.name + ".yaml", "-r", "revoke"))
+ elif target is None:
+ rpki.log.info("Revoking <self/> %s" % self.name)
+ self.call_rpkid(rpki.left_right.self_elt.make_pdu(action = "set", self_id = self.self_id, revoke = "yes"))
+ else:
+ rpki.log.info("Revoking <parent/> %s %s" % (self.name, target))
+ self.call_rpkid(rpki.left_right.parent_elt.make_pdu(action = "set", self_id = self.self_id, parent_id = target, revoke = "yes"))
+
+ def __str__(self):
+ s = self.name + "\n"
+ if self.resources.as: s += " ASN: %s\n" % self.resources.as
+ if self.resources.v4: s += " IPv4: %s\n" % self.resources.v4
+ if self.resources.v6: s += " IPv6: %s\n" % self.resources.v6
+ if self.kids: s += " Kids: %s\n" % ", ".join(k.name for k in self.kids)
+ if self.parent: s += " Up: %s\n" % self.parent.name
+ if self.sia_base: s += " SIA: %s\n" % self.sia_base
+ return s + "Until: %s\n" % self.resources.valid_until.strftime("%Y-%m-%dT%H:%M:%SZ")
+
+ def is_leaf(self): return not self.kids
+ def is_root(self): return self.parent is None
+ def is_twig(self): return self.parent is not None and self.kids
+
+ def set_engine_number(self, n):
+ """Set the engine number for this entity."""
+ self.irdb_db_name = "irdb%d" % n
+ self.irdb_port = allocate_port()
+ self.rpki_db_name = "rpki%d" % n
+ self.rpki_port = allocate_port()
+
+ def setup_biz_certs(self):
+ """Create business certs for this entity."""
+ rpki.log.info("Biz certs for %s" % self.name)
+ for tag in ("RPKI", "IRDB"):
+ setup_biz_cert_chain(self.name + "-" + tag)
+ self.rpkid_ta = rpki.x509.X509(PEM_file = self.name + "-RPKI-TA.cer")
+
+ def setup_conf_file(self):
+ """Write config files for this entity."""
+ rpki.log.info("Config files for %s" % self.name)
+ d = { "my_name" : self.name,
+ "testbed_name" : testbed_name,
+ "irdb_db_name" : self.irdb_db_name,
+ "irdb_db_pass" : irdb_db_pass,
+ "irdb_port" : self.irdb_port,
+ "rpki_db_name" : self.rpki_db_name,
+ "rpki_db_pass" : rpki_db_pass,
+ "rpki_port" : self.rpki_port }
+ f = open(self.name + ".conf", "w")
+ f.write(conf_fmt_1 % d)
+ for line in self.extra_conf:
+ f.write(line + "\n")
+ f.close()
+
+ def setup_sql(self, rpki_sql, irdb_sql):
+ """Set up this entity's IRDB."""
+ rpki.log.info("MySQL setup for %s" % self.name)
+ db = MySQLdb.connect(user = "rpki", db = self.rpki_db_name, passwd = rpki_db_pass)
+ cur = db.cursor()
+ for sql in rpki_sql.split(";"):
+ cur.execute(sql)
+ db.close()
+ db = MySQLdb.connect(user = "irdb", db = self.irdb_db_name, passwd = irdb_db_pass)
+ cur = db.cursor()
+ for sql in irdb_sql.split(";"):
+ cur.execute(sql)
+ for kid in self.kids:
+ cur.execute("INSERT registrant (IRBE_mapped_id, subject_name, valid_until) VALUES (%s, %s, %s)", (kid.name, kid.name, kid.resources.valid_until))
+ db.close()
+
+ def sync_sql(self):
+ """Whack this entity's IRDB to match our master database. We do
+ this once during setup, then do it again every time we apply a
+ delta to this entity.
+ """
+ rpki.log.info("MySQL sync for %s" % self.name)
+ db = MySQLdb.connect(user = "irdb", db = self.irdb_db_name, passwd = irdb_db_pass)
+ cur = db.cursor()
+ cur.execute("DELETE FROM asn")
+ cur.execute("DELETE FROM net")
+ for kid in self.kids:
+ cur.execute("SELECT registrant_id FROM registrant WHERE IRBE_mapped_id = %s", (kid.name,))
+ registrant_id = cur.fetchone()[0]
+ for as_range in kid.resources.as:
+ cur.execute("INSERT asn (start_as, end_as, registrant_id) VALUES (%s, %s, %s)", (as_range.min, as_range.max, registrant_id))
+ for v4_range in kid.resources.v4:
+ cur.execute("INSERT net (start_ip, end_ip, version, registrant_id) VALUES (%s, %s, 4, %s)", (v4_range.min, v4_range.max, registrant_id))
+ for v6_range in kid.resources.v6:
+ cur.execute("INSERT net (start_ip, end_ip, version, registrant_id) VALUES (%s, %s, 6, %s)", (v6_range.min, v6_range.max, registrant_id))
+ cur.execute("UPDATE registrant SET valid_until = %s WHERE registrant_id = %s", (kid.resources.valid_until, registrant_id))
+ db.close()
+
+ def run_daemons(self):
+ """Run daemons for this entity."""
+ rpki.log.info("Running daemons for %s" % self.name)
+ self.rpkid_process = subprocess.Popen((prog_python, prog_rpkid, "-c", self.name + ".conf"))
+ self.irdbd_process = subprocess.Popen((prog_python, prog_irdbd, "-c", self.name + ".conf"))
+
+ def kill_daemons(self):
+ """Kill daemons for this entity."""
+ rpki.log.info("Killing daemons for %s" % self.name)
+ for proc in (self.rpkid_process, self.irdbd_process):
+ try:
+ os.kill(proc.pid, signal.SIGTERM)
+ except:
+ pass
+ proc.wait()
+
+ def call_rpkid(self, pdu):
+ """Send a left-right message to this entity's RPKI daemon and
+ return the response.
+ """
+ rpki.log.info("Calling rpkid for %s" % self.name)
+ pdu.type = "query"
+ elt = rpki.left_right.msg((pdu,)).toXML()
+ rpki.relaxng.left_right.assertValid(elt)
+ rpki.log.debug(lxml.etree.tostring(elt, pretty_print = True, encoding = "us-ascii"))
+ cms = rpki.cms.xml_sign(
+ elt = elt,
+ key = testbed_key,
+ certs = testbed_certs)
+ url = "https://localhost:%d/left-right" % self.rpki_port
+ rpki.log.debug("Attempting to connect to %s" % url)
+ cms = rpki.https.client(
+ privateKey = testbed_key,
+ certChain = testbed_certs,
+ x509TrustList = rpki.x509.X509_chain(self.rpkid_ta),
+ url = url,
+ msg = cms)
+ elt = rpki.cms.xml_verify(cms = cms, ta = self.rpkid_ta)
+ rpki.relaxng.left_right.assertValid(elt)
+ rpki.log.debug(lxml.etree.tostring(elt, pretty_print = True, encoding = "us-ascii"))
+ pdu = rpki.left_right.sax_handler.saxify(elt)[0]
+ assert pdu.type == "reply" and not isinstance(pdu, rpki.left_right.report_error_elt)
+ return pdu
+
+ def create_rpki_objects(self):
+ """Create RPKI engine objects for this engine.
+
+ Parent and child objects are tricky:
+
+ - Parent object needs to know child_id by which parent refers to
+ this engine in order to set the contact URI correctly.
+
+ - Child object needs to record the child_id by which this engine
+ refers to the child.
+
+ This all just works so long as we walk the set of engines in the
+ right order (parents before their children).
+
+ Root node of the engine tree is special, it too has a parent but
+ that one is the magic self-signed micro engine.
+ """
+
+ rpki.log.info("Creating rpkid self object for %s" % self.name)
+ self.self_id = self.call_rpkid(rpki.left_right.self_elt.make_pdu(action = "create", crl_interval = self.crl_interval)).self_id
+
+ rpki.log.info("Creating rpkid BSC object for %s" % self.name)
+ pdu = self.call_rpkid(rpki.left_right.bsc_elt.make_pdu(action = "create", self_id = self.self_id, generate_keypair = True))
+ self.bsc_id = pdu.bsc_id
+
+ rpki.log.info("Issuing BSC EE cert for %s" % self.name)
+ cmd = (prog_openssl, "x509", "-req", "-CA", self.name + "-RPKI-CA.cer", "-CAkey", self.name + "-RPKI-CA.key", "-CAserial", self.name + "-RPKI-CA.srl")
+ signer = subprocess.Popen(cmd, stdin = subprocess.PIPE, stdout = subprocess.PIPE, stderr = subprocess.PIPE)
+ bsc_ee = rpki.x509.X509(PEM = signer.communicate(input = pdu.pkcs10_cert_request.get_PEM())[0])
+
+ rpki.log.info("Installing BSC EE cert for %s" % self.name)
+ self.call_rpkid(rpki.left_right.bsc_elt.make_pdu(action = "set", self_id = self.self_id, bsc_id = self.bsc_id,
+ signing_cert = [bsc_ee, rpki.x509.X509(PEM_file = self.name + "-RPKI-CA.cer")]))
+
+ rpki.log.info("Creating rpkid repository object for %s" % self.name)
+ self.repository_id = self.call_rpkid(rpki.left_right.repository_elt.make_pdu(action = "create", self_id = self.self_id, bsc_id = self.bsc_id)).repository_id
+
+ rpki.log.info("Creating rpkid parent object for %s" % self.name)
+ if self.parent is None:
+ self.parent_id = self.call_rpkid(rpki.left_right.parent_elt.make_pdu(
+ action = "create", self_id = self.self_id, bsc_id = self.bsc_id, repository_id = self.repository_id, sia_base = self.sia_base,
+ cms_ta = rootd_ta, https_ta = rootd_ta, sender_name = self.name, recipient_name = "Walrus",
+ peer_contact_uri = "https://localhost:%s/" % rootd_port)).parent_id
+ else:
+ self.parent_id = self.call_rpkid(rpki.left_right.parent_elt.make_pdu(
+ action = "create", self_id = self.self_id, bsc_id = self.bsc_id, repository_id = self.repository_id, sia_base = self.sia_base,
+ cms_ta = self.parent.rpkid_ta, https_ta = self.parent.rpkid_ta, sender_name = self.name, recipient_name = self.parent.name,
+ peer_contact_uri = "https://localhost:%s/up-down/%s" % (self.parent.rpki_port, self.child_id))).parent_id
+
+ rpki.log.info("Creating rpkid child objects for %s" % self.name)
+ db = MySQLdb.connect(user = "irdb", db = self.irdb_db_name, passwd = irdb_db_pass)
+ cur = db.cursor()
+ for kid in self.kids:
+ kid.child_id = self.call_rpkid(rpki.left_right.child_elt.make_pdu(action = "create", self_id = self.self_id, bsc_id = self.bsc_id, cms_ta = kid.rpkid_ta)).child_id
+ cur.execute("UPDATE registrant SET rpki_self_id = %s, rpki_child_id = %s WHERE IRBE_mapped_id = %s", (self.self_id, kid.child_id, kid.name))
+ db.close()
+
+ def write_leaf_yaml(self):
+ """Write YAML scripts for leaf nodes. Only supports list requests
+ at the moment: issue requests would require class and SIA values,
+ revoke requests would require class and SKI values.
+
+ ...Except that we can cheat and assume class 1 because we just
+ know that rpkid will assign that with the current setup. So we
+ also support issue, kludge though this is.
+ """
+
+ rpki.log.info("Writing leaf YAML for %s" % self.name)
+ f = open(self.name + ".yaml", "w")
+ f.write(yaml_fmt_1 % {
+ "child_id" : self.child_id,
+ "parent_name" : self.parent.name,
+ "my_name" : self.name,
+ "https_port" : self.parent.rpki_port,
+ "sia" : self.sia_base })
+ f.close()
+
+ def run_cron(self):
+ """Trigger cron run for this engine."""
+
+ rpki.log.info("Running cron for %s" % self.name)
+ rpki.https.client(privateKey = testbed_key,
+ certChain = testbed_certs,
+ x509TrustList = rpki.x509.X509_chain(self.rpkid_ta),
+ url = "https://localhost:%d/cronjob" % self.rpki_port,
+ msg = "Run cron now, please")
+
+ def run_yaml(self):
+ """Run YAML scripts for this leaf entity."""
+ rpki.log.info("Running YAML for %s" % self.name)
+ subprocess.check_call((prog_python, prog_poke, "-y", self.name + ".yaml", "-r", "list"))
+ subprocess.check_call((prog_python, prog_poke, "-y", self.name + ".yaml", "-r", "issue"))
+
+def setup_biz_cert_chain(name):
+ """Build a set of business certs."""
+ s = "exec >/dev/null 2>&1\n"
+ for kind in ("EE", "CA", "TA"):
+ d = { "name" : name,
+ "kind" : kind,
+ "ca" : "true" if kind in ("CA", "TA") else "false",
+ "openssl" : prog_openssl }
+ f = open("%(name)s-%(kind)s.cnf" % d, "w")
+ f.write(biz_cert_fmt_1 % d)
+ f.close()
+ if not os.path.exists("%(name)s-%(kind)s.key" % d):
+ s += biz_cert_fmt_2 % d
+ s += biz_cert_fmt_3 % d
+ s += (biz_cert_fmt_4 % { "name" : name, "openssl" : prog_openssl })
+ subprocess.check_call(s, shell = True)
+
+def setup_rootd(rpkid_name):
+ """Write the config files for rootd."""
+ rpki.log.info("Config files for %s" % rootd_name)
+ d = { "rootd_name" : rootd_name,
+ "rootd_port" : rootd_port,
+ "rpkid_name" : rpkid_name,
+ "rootd_sia" : rootd_sia,
+ "rsyncd_dir" : rsyncd_dir,
+ "openssl" : prog_openssl }
+ f = open(rootd_name + ".conf", "w")
+ f.write(rootd_fmt_1 % d)
+ f.close()
+ s = "exec >/dev/null 2>&1\n"
+ if not os.path.exists(rootd_name + ".key"):
+ s += rootd_fmt_2 % d
+ s += rootd_fmt_3 % d
+ subprocess.check_call(s, shell = True)
+
+def setup_rcynic():
+ """Write the config file for rcynic."""
+ rpki.log.info("Config file for rcynic")
+ d = { "rcynic_name" : rcynic_name,
+ "rootd_name" : rootd_name }
+ f = open(rcynic_name + ".conf", "w")
+ f.write(rcynic_fmt_1 % d)
+ f.close()
+
+def setup_rsyncd():
+ """Write the config file for rsyncd."""
+ rpki.log.info("Config file for rsyncd")
+ d = { "rsyncd_name" : rsyncd_name,
+ "rsyncd_port" : rsyncd_port,
+ "rsyncd_module" : rsyncd_module,
+ "rsyncd_dir" : rsyncd_dir }
+ f = open(rsyncd_name + ".conf", "w")
+ f.write(rsyncd_fmt_1 % d)
+ f.close()
+
+def setup_publication():
+ """Set up (pseudo) publication directory."""
+ rpki.log.info("Pseudo-publication directory")
+ assert rootd_sia.startswith("rsync://")
+ global rsyncd_dir
+ rsyncd_dir = os.getcwd() + "/publication/" + rootd_sia[len("rsync://"):]
+ os.makedirs(rsyncd_dir)
+
+def run_rcynic():
+ """Run rcynic to see whether what was published makes sense."""
+ rpki.log.info("Running rcynic")
+ env = os.environ.copy()
+ env["TZ"] = ""
+ subprocess.check_call((prog_rcynic, "-c", rcynic_name + ".conf"), env = env)
+ subprocess.call(rcynic_stats, shell = True, env = env)
+
+biz_cert_fmt_1 = '''\
+[ req ]
+distinguished_name = req_dn
+x509_extensions = req_x509_ext
+prompt = no
+default_md = sha256
+
+[ req_dn ]
+CN = Test Certificate %(name)s %(kind)s
+
+[ req_x509_ext ]
+basicConstraints = CA:%(ca)s
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+'''
+
+biz_cert_fmt_2 = '''\
+%(openssl)s genrsa -out %(name)s-%(kind)s.key 2048 &&
+'''
+
+biz_cert_fmt_3 = '''\
+%(openssl)s req -new -key %(name)s-%(kind)s.key -out %(name)s-%(kind)s.req -config %(name)s-%(kind)s.cnf &&
+'''
+
+biz_cert_fmt_4 = '''\
+%(openssl)s x509 -req -in %(name)s-TA.req -out %(name)s-TA.cer -extfile %(name)s-TA.cnf -extensions req_x509_ext -signkey %(name)s-TA.key -days 60 &&
+%(openssl)s x509 -req -in %(name)s-CA.req -out %(name)s-CA.cer -extfile %(name)s-CA.cnf -extensions req_x509_ext -CA %(name)s-TA.cer -CAkey %(name)s-TA.key -CAcreateserial &&
+%(openssl)s x509 -req -in %(name)s-EE.req -out %(name)s-EE.cer -extfile %(name)s-EE.cnf -extensions req_x509_ext -CA %(name)s-CA.cer -CAkey %(name)s-CA.key -CAcreateserial
+'''
+
+yaml_fmt_1 = '''---
+version: 1
+posturl: https://localhost:%(https_port)s/up-down/%(child_id)s
+recipient-id: "%(parent_name)s"
+sender-id: "%(my_name)s"
+
+cms-cert-file: %(my_name)s-RPKI-EE.cer
+cms-key-file: %(my_name)s-RPKI-EE.key
+cms-ca-cert-file: %(parent_name)s-RPKI-TA.cer
+cms-cert-chain-file: [ %(my_name)s-RPKI-CA.cer ]
+
+ssl-cert-file: %(my_name)s-RPKI-EE.cer
+ssl-key-file: %(my_name)s-RPKI-EE.key
+ssl-ca-cert-file: %(parent_name)s-RPKI-TA.cer
+
+requests:
+ list:
+ type: list
+ issue:
+ type: issue
+ #
+ # This is cheating, we know a priori that the class will be "1"
+ #
+ class: 1
+ sia:
+ - %(sia)s
+'''
+
+conf_fmt_1 = '''\
+
+[irdbd]
+
+startup-message = This is %(my_name)s irdbd
+
+sql-database = %(irdb_db_name)s
+sql-username = irdb
+sql-password = %(irdb_db_pass)s
+
+cms-key = %(my_name)s-IRDB-EE.key
+cms-certs.0 = %(my_name)s-IRDB-EE.cer
+cms-certs.1 = %(my_name)s-IRDB-CA.cer
+cms-ta = %(my_name)s-RPKI-TA.cer
+
+https-key = %(my_name)s-IRDB-EE.key
+https-certs.0 = %(my_name)s-IRDB-EE.cer
+https-certs.1 = %(my_name)s-IRDB-CA.cer
+
+https-url = https://localhost:%(irdb_port)d/
+
+[irbe-cli]
+
+cms-key = %(testbed_name)s-EE.key
+cms-certs.0 = %(testbed_name)s-EE.cer
+cms-certs.1 = %(testbed_name)s-CA.cer
+cms-tas = %(my_name)s-RPKI-TA.cer
+
+https-key = %(testbed_name)s-EE.key
+https-certs.0 = %(testbed_name)s-EE.cer
+https-certs.1 = %(testbed_name)s-CA.cer
+https-tas = %(my_name)s-RPKI-TA.cer
+
+https-url = https://localhost:%(rpki_port)d/left-right
+
+[rpkid]
+
+startup-message = This is %(my_name)s rpkid
+
+sql-database = %(rpki_db_name)s
+sql-username = rpki
+sql-password = %(rpki_db_pass)s
+
+cms-key = %(my_name)s-RPKI-EE.key
+cms-cert.0 = %(my_name)s-RPKI-EE.cer
+cms-cert.1 = %(my_name)s-RPKI-CA.cer
+
+cms-ta-irdb = %(my_name)s-IRDB-TA.cer
+cms-ta-irbe = %(testbed_name)s-TA.cer
+
+https-key = %(my_name)s-RPKI-EE.key
+https-cert.0 = %(my_name)s-RPKI-EE.cer
+https-cert.1 = %(my_name)s-RPKI-CA.cer
+
+https-ta = %(my_name)s-IRDB-TA.cer
+
+irdb-url = https://localhost:%(irdb_port)d/
+
+server-host = localhost
+server-port = %(rpki_port)d
+'''
+
+rootd_fmt_1 = '''\
+
+[rootd]
+
+cms-key = %(rootd_name)s-EE.key
+cms-certs.0 = %(rootd_name)s-EE.cer
+cms-certs.1 = %(rootd_name)s-CA.cer
+cms-ta = %(rpkid_name)s-RPKI-TA.cer
+
+https-key = %(rootd_name)s-EE.key
+https-certs.0 = %(rootd_name)s-EE.cer
+https-certs.1 = %(rootd_name)s-CA.cer
+
+server-port = %(rootd_port)s
+
+rootd_base = %(rootd_sia)s
+rootd_cert = %(rootd_sia)sWOMBAT.cer
+
+rpki-subject-filename = %(rsyncd_dir)sWOMBAT.cer
+
+rpki-key = %(rootd_name)s.key
+rpki-issuer = %(rootd_name)s.cer
+rpki-pkcs10-filename = %(rootd_name)s.subject.pkcs10
+
+[req]
+default_bits = 2048
+encrypt_key = no
+distinguished_name = req_dn
+req_extensions = req_x509_ext
+prompt = no
+
+[req_dn]
+CN = Completely Bogus Test Root (NOT FOR PRODUCTION USE)
+
+[req_x509_ext]
+basicConstraints = critical,CA:true
+subjectKeyIdentifier = hash
+keyUsage = critical,keyCertSign,cRLSign
+subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:%(rootd_sia)s
+sbgp-autonomousSysNum = critical,AS:0-4294967295
+sbgp-ipAddrBlock = critical,IPv4:0.0.0.0/0,IPv6:0::/0
+'''
+
+rootd_fmt_2 = '''\
+%(openssl)s genrsa -out %(rootd_name)s.key 2048 &&
+'''
+
+rootd_fmt_3 = '''\
+%(openssl)s req -new -key %(rootd_name)s.key -out %(rootd_name)s.req -config %(rootd_name)s.conf -text &&
+%(openssl)s x509 -req -in %(rootd_name)s.req -out %(rootd_name)s.cer -outform DER -extfile %(rootd_name)s.conf -extensions req_x509_ext -signkey %(rootd_name)s.key -sha256
+'''
+
+rcynic_fmt_1 = '''\
+[rcynic]
+xml-summary = %(rcynic_name)s.xml
+jitter = 0
+use-links = yes
+use-syslog = yes
+use-stderr = yes
+log-level = log_telemetry
+trust-anchor = %(rootd_name)s.cer
+'''
+
+rsyncd_fmt_1 = '''\
+port = %(rsyncd_port)d
+address = localhost
+
+[%(rsyncd_module)s]
+read only = yes
+transfer logging = yes
+use chroot = no
+path = %(rsyncd_dir)s
+comment = RPKI test
+'''
+
+main()
diff --git a/rpkid/testbed.sql b/rpkid/testbed.sql
new file mode 100644
index 00000000..c8cb90b0
--- /dev/null
+++ b/rpkid/testbed.sql
@@ -0,0 +1,57 @@
+-- $Id$
+--
+-- Run this manually under the MySQL CLI to set up databases for testdb.py.
+-- testdb.py doesn't do this automatically because it requires privileges
+-- that testbed.py doesn't (or at least shouldn't) have.
+
+CREATE DATABASE irdb0;
+CREATE DATABASE irdb1;
+CREATE DATABASE irdb2;
+CREATE DATABASE irdb3;
+CREATE DATABASE irdb4;
+CREATE DATABASE irdb5;
+CREATE DATABASE irdb6;
+CREATE DATABASE irdb7;
+CREATE DATABASE irdb8;
+CREATE DATABASE irdb9;
+CREATE DATABASE irdb10;
+CREATE DATABASE irdb11;
+
+CREATE DATABASE rpki0;
+CREATE DATABASE rpki1;
+CREATE DATABASE rpki2;
+CREATE DATABASE rpki3;
+CREATE DATABASE rpki4;
+CREATE DATABASE rpki5;
+CREATE DATABASE rpki6;
+CREATE DATABASE rpki7;
+CREATE DATABASE rpki8;
+CREATE DATABASE rpki9;
+CREATE DATABASE rpki10;
+CREATE DATABASE rpki11;
+
+GRANT ALL ON irdb0.* TO irdb@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON irdb1.* TO irdb@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON irdb2.* TO irdb@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON irdb3.* TO irdb@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON irdb4.* TO irdb@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON irdb5.* TO irdb@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON irdb6.* TO irdb@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON irdb7.* TO irdb@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON irdb8.* TO irdb@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON irdb9.* TO irdb@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON irdb10.* TO irdb@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON irdb11.* TO irdb@localhost IDENTIFIED BY 'fnord';
+
+GRANT ALL ON rpki0.* TO rpki@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON rpki1.* TO rpki@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON rpki2.* TO rpki@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON rpki3.* TO rpki@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON rpki4.* TO rpki@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON rpki5.* TO rpki@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON rpki6.* TO rpki@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON rpki7.* TO rpki@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON rpki8.* TO rpki@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON rpki9.* TO rpki@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON rpki10.* TO rpki@localhost IDENTIFIED BY 'fnord';
+GRANT ALL ON rpki11.* TO rpki@localhost IDENTIFIED BY 'fnord';
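Review bot: The GRANT statements at the end of this file give the `irdb` and `rpki` accounts one fixed, checked-in password, and the header comment does not say the file is test-only or how to undo it. On MySQL versions that accept `GRANT ... IDENTIFIED BY`, the clause also sets the password of an account that already exists, so running the file on a server that hosts real `irdb@localhost` or `rpki@localhost` accounts would presumably reset them to the test value. I would add a header line such as `-- Test fixture only: run against a scratch MySQL instance, and drop these databases and accounts afterwards.` The same header names the script as both `testdb.py` and `testbed.py`; `testbed.py` appears to be the intended name.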
diff --git a/rpkid/testpoke.py b/rpkid/testpoke.py
new file mode 100644
index 00000000..3d23751b
--- /dev/null
+++ b/rpkid/testpoke.py
@@ -0,0 +1,139 @@
+# $Id$
+
+# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+"""
+Trivial RPKI up-down protocol client, for testing.
+
+Configuration file is YAML to be compatable with APNIC rpki_poke.pl tool.
+
+Usage: python testpoke.py [ { -y | --yaml } configfile ]
+ [ { -r | --request } requestname ]
+ [ { -h | --help } ]
+
+Default configuration file is testpoke.yaml, override with --yaml option.
+"""
+
+import os, time, getopt, sys, lxml, yaml
+import rpki.resource_set, rpki.up_down, rpki.left_right, rpki.x509
+import rpki.https, rpki.config, rpki.cms, rpki.exceptions
+import rpki.relaxng, rpki.oids
+
+os.environ["TZ"] = "UTC"
+time.tzset()
+
+def usage(code):
+ print __doc__
+ sys.exit(code)
+
+yaml_file = "testpoke.yaml"
+yaml_cmd = None
+
+opts,argv = getopt.getopt(sys.argv[1:], "y:r:h?", ["yaml=", "request=", "help"])
+for o,a in opts:
+ if o in ("-h", "--help", "-?"):
+ usage(0)
+ elif o in ("-y", "--yaml"):
+ yaml_file = a
+ elif o in ("-r", "--request"):
+ yaml_cmd = a
+if argv:
+ usage(1)
+
+f = open(yaml_file)
+yaml_data = yaml.load(f)
+f.close()
+
+if yaml_cmd is None and len(yaml_data["requests"]) == 1:
+ yaml_cmd = yaml_data["requests"].keys()[0]
+
+if yaml_cmd is None:
+ usage(1)
+
+yaml_req = yaml_data["requests"][yaml_cmd]
+
+def get_PEM(name, cls, y = yaml_data):
+ if name in y:
+ return cls(PEM = y[name])
+ if name + "-file" in y:
+ return cls(PEM_file = y[name + "-file"])
+ return None
+
+def get_PEM_chain(name, cert = None):
+ chain = rpki.x509.X509_chain()
+ if cert is not None:
+ chain.append(cert)
+ if name in yaml_data:
+ chain.extend([rpki.x509.X509(PEM = x) for x in yaml_data[name]])
+ elif name + "-file" in yaml_data:
+ chain.extend([rpki.x509.X509(PEM_file = x) for x in yaml_data[name + "-file"]])
+ return chain
+
+def query_up_down(q_pdu):
+ q_msg = rpki.up_down.message_pdu.make_query(
+ payload = q_pdu,
+ sender = yaml_data["sender-id"],
+ recipient = yaml_data["recipient-id"])
+ q_elt = q_msg.toXML()
+ rpki.relaxng.up_down.assertValid(q_elt)
+ q_cms = rpki.cms.xml_sign(q_elt, cms_key, cms_certs, encoding = "UTF-8")
+ r_cms = rpki.https.client(
+ x509TrustList = https_ta,
+ privateKey = https_key,
+ certChain = https_certs,
+ msg = q_cms,
+ url = yaml_data["posturl"])
+ r_xml = rpki.cms.verify(r_cms, cms_ta)
+ r_elt = lxml.etree.fromstring(r_xml)
+ rpki.relaxng.up_down.assertValid(r_elt)
+ return r_xml
+
+def do_list():
+ print query_up_down(rpki.up_down.list_pdu())
+
+def do_issue():
+ q_pdu = rpki.up_down.issue_pdu()
+ req_key = get_PEM("cert-request-key", rpki.x509.RSA, yaml_req) or cms_key
+ sia = ((rpki.oids.name2oid["id-ad-caRepository"], ("uri", yaml_req["sia"][0])),
+ (rpki.oids.name2oid["id-ad-rpkiManifest"], ("uri", yaml_req["sia"][0] + req_key.gSKI() + ".mnf")))
+ q_pdu.class_name = yaml_req["class"]
+ q_pdu.pkcs10 = rpki.x509.PKCS10.create_ca(req_key, sia)
+ print query_up_down(q_pdu)
+
+def do_revoke():
+ q_pdu = rpki.up_down.revoke_pdu()
+ q_pdu.class_name = yaml_req["class"]
+ q_pdu.ski = yaml_req["ski"]
+ print query_up_down(q_pdu)
+
+dispatch = { "list" : do_list, "issue" : do_issue, "revoke" : do_revoke }
+
+cms_ta = get_PEM("cms-ca-cert", rpki.x509.X509)
+cms_cert = get_PEM("cms-cert", rpki.x509.X509)
+cms_key = get_PEM("cms-key", rpki.x509.RSA)
+cms_certs = get_PEM_chain("cms-cert-chain", cms_cert)
+
+https_ta = get_PEM("ssl-ta", rpki.x509.X509)
+https_key = get_PEM("ssl-key", rpki.x509.RSA)
+https_cert = get_PEM("ssl-cert", rpki.x509.X509)
+https_certs = get_PEM_chain("ssl-cert-chain", https_cert)
+
+ta = https_ta
+https_ta = rpki.x509.X509_chain()
+if ta is not None:
+ https_ta.append(ta)
+del ta
+
+dispatch[yaml_req["type"]]()
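Review bot: The HTTPS trust anchor is looked up as `get_PEM("ssl-ta", rpki.x509.X509)`, but the YAML files in this commit supply the key `ssl-ca-cert-file`, so `https_ta` reaches `rpki.https.client` as an empty `X509_chain()`. The CMS lookup just above it uses the matching `cms-ca-cert`. How the client treats an empty trust list is not visible here; either every connection fails or the server certificate is not validated against the intended anchor, and neither is wanted. I would change the lookup to `https_ta = get_PEM("ssl-ca-cert", rpki.x509.X509)`. Separately, `yaml.load(f)` can construct arbitrary Python objects from the file named by `-y`; `yaml_data = yaml.safe_load(f)` is enough for this plain mapping.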
diff --git a/rpkid/testpoke.sh b/rpkid/testpoke.sh
new file mode 100644
index 00000000..6e6a0b74
--- /dev/null
+++ b/rpkid/testpoke.sh
@@ -0,0 +1,8 @@
+#!/bin/sh -
+# $Id$
+#
+# Test client using APNIC's rpki_poke.pl script.
+
+: ${pokedir=../../mirin.apnic.net/rpki_engine/branches/gary-poker/client/poke}
+
+exec perl -I $pokedir $pokedir/rpki_poke.pl ${1+"$@"}
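Review bot: `$pokedir` is expanded unquoted on the `exec` line, so a value inherited from the environment that contains spaces or glob characters is split or expanded before perl sees it. Quoting both uses keeps the default behaviour and makes the override safe: `exec perl -I "$pokedir" "$pokedir/rpki_poke.pl" ${1+"$@"}`.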
diff --git a/rpkid/testpoke.yaml b/rpkid/testpoke.yaml
new file mode 100644
index 00000000..22e2d35f
--- /dev/null
+++ b/rpkid/testpoke.yaml
@@ -0,0 +1,28 @@
+---
+# $Id$
+
+version: 1
+posturl: https://localhost:4433/up-down/1
+recipient-id: wombat
+sender-id: "1"
+
+cms-cert-file: biz-certs/Frank-EE.cer
+cms-key-file: biz-certs/Frank-EE.key
+cms-ca-cert-file: biz-certs/Bob-Root.cer
+cms-cert-chain-file: [ biz-certs/Frank-CA.cer ]
+
+ssl-cert-file: biz-certs/Frank-EE.cer
+ssl-key-file: biz-certs/Frank-EE.key
+ssl-ca-cert-file: biz-certs/Bob-Root.cer
+
+requests:
+ list:
+ type: list
+ issue:
+ type: issue
+ class: 1
+ sia: [ "rsync://bandicoot.invalid/some/where/" ]
+ revoke:
+ type: revoke
+ class: 1
+ ski: "CB5K6APY-4KcGAW9jaK_cVPXKX0"
diff --git a/rpkid/up-down-protocol-samples/Makefile b/rpkid/up-down-protocol-samples/Makefile
new file mode 100644
index 00000000..10ee791a
--- /dev/null
+++ b/rpkid/up-down-protocol-samples/Makefile
@@ -0,0 +1,11 @@
+XMLLINT = xmllint --noout --relaxng
+JING = java -jar /usr/local/share/java/classes/jing.jar
+SCHEMA = ../up-down-medium-schema.rng
+
+all: jing xmllint
+
+jing:
+ ${JING} ${SCHEMA} *.xml
+
+xmllint:
+ ${XMLLINT} ${SCHEMA} *.xml
diff --git a/rpkid/up-down-protocol-samples/error_response.xml b/rpkid/up-down-protocol-samples/error_response.xml
new file mode 100644
index 00000000..83af6649
--- /dev/null
+++ b/rpkid/up-down-protocol-samples/error_response.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<message xmlns="http://www.apnic.net/specs/rescerts/up-down/"
+ version="1"
+ sender="sender name"
+ recipient="recipient name"
+ type="error_response">
+ <status>2001</status>
+ <description xml:lang="en-US">[Readable text]</description>
+</message>
diff --git a/rpkid/up-down-protocol-samples/issue1.xml b/rpkid/up-down-protocol-samples/issue1.xml
new file mode 100644
index 00000000..4b8366f9
--- /dev/null
+++ b/rpkid/up-down-protocol-samples/issue1.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<message xmlns="http://www.apnic.net/specs/rescerts/up-down/"
+ version="1"
+ sender="sender name"
+ recipient="recipient name"
+ type="issue">
+ <request class_name="class name"
+ req_resource_set_as="64534-64540"
+ req_resource_set_ipv4=""
+ req_resource_set_ipv6="">
+ MIICYTCCAUkCAQAwHDEaMBgGA1UEAxMRVEVTVCBFTlRJVFkgSVNQNWMwggEiMA0G
+ CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDIi6ElZd/uon9Ur1IKGhr6DXWzPOng
+ KdOJIOlRSWcsQ9qgLNREs5YUqQd3YLlvAe+OVKV0rFpn+DBNEPmsn7h1YQv253zq
+ m1yYeks+xOJZQtMZyg9YDrfIgk7lu6z9kuWIsvxkz244OxiD/OemrvuQNtDhyk2Q
+ QQ8POyrADNl7fehQE/YJc4Kj0uO7ggiHf9K7Dg56KLYlArXZUfwzMkdH/89/vO4A
+ AbsFXi4Dmq2VO8rCxodkdDmqWWuu4KdRGgfyjkyOZS/f8pm64LaKT8AgcnmYAI8N
+ UBM90T6Mvdx0qTOoVh0xeHznAp6NChQSbdM3x3rwhBD+/k0olyZuCIWhAgMBAAGg
+ ADANBgkqhkiG9w0BAQUFAAOCAQEAj9bYIVfREySBzUhQSlbNi9kfdXgivC/4A7pn
+ b4sMm081S05u0QLhyh1XNF/L3/U5yVElVHE8xobM/CuAkXpy7N5GSYj2T28Fmn77
+ 1y/xdGg6Jp26OkbrqY3gjQAaMigYg9/6tPAc9fgLiQAJLUUYb2hRqaqu4Ze8RrxU
+ RsnVpAHWYDFWJhNqEp8eErzAVLqxpmoYJKgmpK6TKyYKuf8+xf3Rlkb4+iu2FotR
+ DQrmcd6jmMjp9xLejDEuoPgcfpVP2CB1jUCAIW7yE7+a7vj9Mop1gs61zP8y/p2V
+ rVnXgEy93WZLjQt1D29oKhlcFGtCG4nqIBCDAWVuz/LGACB85w==
+ </request>
+</message>
diff --git a/rpkid/up-down-protocol-samples/issue2.xml b/rpkid/up-down-protocol-samples/issue2.xml
new file mode 100644
index 00000000..a991cbcd
--- /dev/null
+++ b/rpkid/up-down-protocol-samples/issue2.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<message xmlns="http://www.apnic.net/specs/rescerts/up-down/"
+ version="1"
+ sender="sender name"
+ recipient="recipient name"
+ type="issue">
+ <request class_name="class name"
+ req_resource_set_ipv4=""
+ req_resource_set_ipv6="">
+ MIICYTCCAUkCAQAwHDEaMBgGA1UEAxMRVEVTVCBFTlRJVFkgSVNQNWMwggEiMA0G
+ CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDIi6ElZd/uon9Ur1IKGhr6DXWzPOng
+ KdOJIOlRSWcsQ9qgLNREs5YUqQd3YLlvAe+OVKV0rFpn+DBNEPmsn7h1YQv253zq
+ m1yYeks+xOJZQtMZyg9YDrfIgk7lu6z9kuWIsvxkz244OxiD/OemrvuQNtDhyk2Q
+ QQ8POyrADNl7fehQE/YJc4Kj0uO7ggiHf9K7Dg56KLYlArXZUfwzMkdH/89/vO4A
+ AbsFXi4Dmq2VO8rCxodkdDmqWWuu4KdRGgfyjkyOZS/f8pm64LaKT8AgcnmYAI8N
+ UBM90T6Mvdx0qTOoVh0xeHznAp6NChQSbdM3x3rwhBD+/k0olyZuCIWhAgMBAAGg
+ ADANBgkqhkiG9w0BAQUFAAOCAQEAj9bYIVfREySBzUhQSlbNi9kfdXgivC/4A7pn
+ b4sMm081S05u0QLhyh1XNF/L3/U5yVElVHE8xobM/CuAkXpy7N5GSYj2T28Fmn77
+ 1y/xdGg6Jp26OkbrqY3gjQAaMigYg9/6tPAc9fgLiQAJLUUYb2hRqaqu4Ze8RrxU
+ RsnVpAHWYDFWJhNqEp8eErzAVLqxpmoYJKgmpK6TKyYKuf8+xf3Rlkb4+iu2FotR
+ DQrmcd6jmMjp9xLejDEuoPgcfpVP2CB1jUCAIW7yE7+a7vj9Mop1gs61zP8y/p2V
+ rVnXgEy93WZLjQt1D29oKhlcFGtCG4nqIBCDAWVuz/LGACB85w==
+ </request>
+</message>
diff --git a/rpkid/up-down-protocol-samples/issue_response.xml b/rpkid/up-down-protocol-samples/issue_response.xml
new file mode 100644
index 00000000..39f6b954
--- /dev/null
+++ b/rpkid/up-down-protocol-samples/issue_response.xml
@@ -0,0 +1,116 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<message xmlns="http://www.apnic.net/specs/rescerts/up-down/"
+ version="1"
+ sender="sender name"
+ recipient="recipient name"
+ type="issue_response">
+ <class class_name="ISP5"
+ cert_url="rsync://wombat.example/ISP5"
+ resource_set_as="64534-64540"
+ resource_set_ipv4="10.0.0.0/24,10.3.0.0/24"
+ resource_set_ipv6="2001:db8:0:0:0:0:a00::/120,2001:db8:0:0:0:0:a03::/120"
+ suggested_sia_head="rsync://wombat.example/fnord/">
+ <certificate cert_url="rsync://wombat.example/ISP5a"
+ req_resource_set_as=""
+ req_resource_set_ipv4="10.0.0.0/24"
+ req_resource_set_ipv6="2001:db8:0:0:0:0:a00::/120">
+ MIID3jCCAsagAwIBAgIBAzANBgkqhkiG9w0BAQUFADAbMRkwFwYDVQQDExBURVNU
+ IEVOVElUWSBMSVIzMB4XDTA3MDgwMTE0NDgyMloXDTA4MDczMTE0NDgyMlowHDEa
+ MBgGA1UEAxMRVEVTVCBFTlRJVFkgSVNQNWEwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+ DwAwggEKAoIBAQDmS614KGvmUBtlgdWNK1Z3zbvJR6CqMrAsrB/x5JArwjNv51Ox
+ 0B2rBSedt6HuqE/IWzYj4xLkUVknzf16qtxWBaFzq3ndPIKyj6757MA2OOYCqv2J
+ YCFSW7YzgHXlf/2sbuzUmiYvfihFFilHffOKctXkZfr0VG+uSDNiwTLxK4MzNmNg
+ nrzH55ldUdrNL4+DRyCe6cyjcsByvUktxFLqb9pCRnGQx69/n8fdC5aWPEWfwOpl
+ akPj85LV4XPAbiD1F+XRWNohs+kMTfDovXy374HJ9XDPqCB94mr5G2apyHHWMvhy
+ PYOZGQ0Ma+n4ks0zF4ZqPa8NBZSrHNQspEXLAgMBAAGjggEqMIIBJjAPBgNVHRMB
+ Af8EBTADAQH/MB0GA1UdDgQWBBQJ8BQLefsL/6jvVLnsPrmL0Muc7DAfBgNVHSME
+ GDAWgBSYvgT/gNGrlTmqPfIOZ30AraP9xTAOBgNVHQ8BAf8EBAMCAQYwQgYIKwYB
+ BQUHAQsENjA0MDIGCCsGAQUFBzAFhiZyc3luYzovL3dvbWJhdHMtci11cy5oYWN0
+ cm4ubmV0L0lTUDVhLzBEBggrBgEFBQcBAQQ4MDYwNAYIKwYBBQUHMAKGKHJzeW5j
+ Oi8vd29tYmF0cy1yLXVzLmhhY3Rybi5uZXQvTElSMy5jZXIwOQYIKwYBBQUHAQcB
+ Af8EKjAoMAwEAgABMAYDBAAKAAAwGAQCAAIwEgMQACABDbgAAAAAAAAAAAoAADAN
+ BgkqhkiG9w0BAQUFAAOCAQEAkzKZYt3F6vAfWFAQN9M5N9n2klEmL9b9b4K4Vmv9
+ DPNCBFbtZytCAphWB/FILS60MrvXHCcUoOmtOx3+Cw5D3yKX8Y9z2HbWmw2/7iDo
+ dxejgwGzI0OFa79vzC5pRwVz9CFFlMiuIShBFpHuSElmWmcxcQTJSXGU1fSGXHvG
+ Pv6RHSGzFJhUrW5RKOmoIrqk0JyM49R8IRAM+aMA+MOfALRTNAavW0pDlcuy+4wY
+ AIYRKF4k4ZDYZ9gA/LYnH56xvpEXwRE1bpxgUC5n8wQrdIn5/pJz3R5EgWe4CGOo
+ n/SMvEfe8d+LEc0C7LmtCwYoDOKENoOF809GVkbV9fjL8w==
+ </certificate>
+ <certificate cert_url="rsync://wombat.example/ISP5b"
+ req_resource_set_as=""
+ req_resource_set_ipv4="10.3.0.0/24"
+ req_resource_set_ipv6="2001:db8:0:0:0:0:a03::/120">
+ MIID3jCCAsagAwIBAgIBAjANBgkqhkiG9w0BAQUFADAbMRkwFwYDVQQDExBURVNU
+ IEVOVElUWSBMSVIzMB4XDTA3MDgwMTE0NDgyMFoXDTA4MDczMTE0NDgyMFowHDEa
+ MBgGA1UEAxMRVEVTVCBFTlRJVFkgSVNQNWIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+ DwAwggEKAoIBAQC/j1nY/PodBHApznsBZCFA3FxD/kyviMhim76cco+KpTSKOyON
+ m4pPv2asaHGc/WhZ9b+fTS611uP6vfNgU1y3EayVC8CHzZmelFeN7AW436r8jjjT
+ D2VtCWDy4ZiBcthRPkGRsxCV9fXQ+eVcoYX6cSaF49FMAn8U4h5KipZontYWpe+t
+ tYNizSN0fIJWtNE0U1qKemGfrlRb7/lW3odrQpK8SfS1wzUHShhH0pLGHBZ0dLHp
+ OTxTEgWd69ycciuXTSchd5Z9TM55DPunuJlrZiAuVpxEtONegMR9eKG0BfcgfSYe
+ RL9daRU8eiRnvbm1CA8zTa87Lee5qx0r1vtzAgMBAAGjggEqMIIBJjAPBgNVHRMB
+ Af8EBTADAQH/MB0GA1UdDgQWBBRss2WU/safSlCdTYtAGqH9lxeXkjAfBgNVHSME
+ GDAWgBSYvgT/gNGrlTmqPfIOZ30AraP9xTAOBgNVHQ8BAf8EBAMCAQYwQgYIKwYB
+ BQUHAQsENjA0MDIGCCsGAQUFBzAFhiZyc3luYzovL3dvbWJhdHMtci11cy5oYWN0
+ cm4ubmV0L0lTUDViLzBEBggrBgEFBQcBAQQ4MDYwNAYIKwYBBQUHMAKGKHJzeW5j
+ Oi8vd29tYmF0cy1yLXVzLmhhY3Rybi5uZXQvTElSMy5jZXIwOQYIKwYBBQUHAQcB
+ Af8EKjAoMAwEAgABMAYDBAAKAwAwGAQCAAIwEgMQACABDbgAAAAAAAAAAAoDADAN
+ BgkqhkiG9w0BAQUFAAOCAQEARNgVrXF+6W7sMytC7YyKSt+CpJGZV7AvzKNZKv8k
+ xazhefrXkrpyK0caz4BtCHbptZFgNR/dDOC9M3wn0PcRTh9ISgW8beNfut16uj1F
+ fZdylJvNMXa4lt/wfRbzKqPicusCH0nutkRIW2mZuLuAO8v1vKr4umgZU+z/rXWu
+ glEA7OeBwmvPoqKixbgER5GtnTNySKIVVa1DUo/2CaPT/YjT48P0zXHoy6rnNgcn
+ 2emkoegzzS2cN+5I5I+O8IRnZInqmiPgEgElgEFw+rg6xw23yax5Nyqx12J56tt0
+ tPWGhrYe1dCwKZajWKn3P9+NMcGQ0d8bw/QU+B3RyVeVfw==
+ </certificate>
+ <certificate cert_url="rsync://wombat.example/ISP5c"
+ req_resource_set_as="64534-64540"
+ req_resource_set_ipv4=""
+ req_resource_set_ipv6="">
+ MIIDxjCCAq6gAwIBAgIBATANBgkqhkiG9w0BAQUFADAbMRkwFwYDVQQDExBURVNU
+ IEVOVElUWSBMSVIzMB4XDTA3MDgwMTE0NDgxOFoXDTA4MDczMTE0NDgxOFowHDEa
+ MBgGA1UEAxMRVEVTVCBFTlRJVFkgSVNQNWMwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+ DwAwggEKAoIBAQDIi6ElZd/uon9Ur1IKGhr6DXWzPOngKdOJIOlRSWcsQ9qgLNRE
+ s5YUqQd3YLlvAe+OVKV0rFpn+DBNEPmsn7h1YQv253zqm1yYeks+xOJZQtMZyg9Y
+ DrfIgk7lu6z9kuWIsvxkz244OxiD/OemrvuQNtDhyk2QQQ8POyrADNl7fehQE/YJ
+ c4Kj0uO7ggiHf9K7Dg56KLYlArXZUfwzMkdH/89/vO4AAbsFXi4Dmq2VO8rCxodk
+ dDmqWWuu4KdRGgfyjkyOZS/f8pm64LaKT8AgcnmYAI8NUBM90T6Mvdx0qTOoVh0x
+ eHznAp6NChQSbdM3x3rwhBD+/k0olyZuCIWhAgMBAAGjggESMIIBDjAPBgNVHRMB
+ Af8EBTADAQH/MB0GA1UdDgQWBBQth8Ga+FgrvcL4fjBHs6mIN8nrRjAfBgNVHSME
+ GDAWgBSYvgT/gNGrlTmqPfIOZ30AraP9xTAOBgNVHQ8BAf8EBAMCAQYwQgYIKwYB
+ BQUHAQsENjA0MDIGCCsGAQUFBzAFhiZyc3luYzovL3dvbWJhdHMtci11cy5oYWN0
+ cm4ubmV0L0lTUDVjLzBEBggrBgEFBQcBAQQ4MDYwNAYIKwYBBQUHMAKGKHJzeW5j
+ Oi8vd29tYmF0cy1yLXVzLmhhY3Rybi5uZXQvTElSMy5jZXIwIQYIKwYBBQUHAQgB
+ Af8EEjAQoA4wDDAKAgMA/BYCAwD8HDANBgkqhkiG9w0BAQUFAAOCAQEAUGsbhHfl
+ kwhe3EIkhnARJPgRkWgPCJtJ9konhROT7VlJ0Pim0kSrJWlBWUCLeKvSjQmowP4g
+ SddHxN4ZoXnSjb0pCDeomrZeViVQ2hxH6L/tHkl5SIEHl9MvFOe8junvgpq9GGAI
+ CFcibkW7Gp9p4A+GQkns0l9v+wGwuVZmqmJk4YBo7hHZRbg6/IFL1MD3HKeXmn33
+ lCwFhjUuDIMXRbY/1k5fui13QUolN7mLSk60NvXJ94Tga68c1eCIpapvhxAYw69G
+ 7mOX42aYu1FnidZNj7Lt9jOuW0REHlavrG17HxP5loTuCNtLH1ZIrJcO7rUz9C0D
+ YqMybYWFUqZHyg==
+ </certificate>
+ <issuer>
+ MIIEFTCCAv2gAwIBAgIBDjANBgkqhkiG9w0BAQUFADAaMRgwFgYDVQQDEw9URVNU
+ IEVOVElUWSBSSVIwHhcNMDcwODAxMTQ0ODE4WhcNMDgwNzMxMTQ0ODE4WjAbMRkw
+ FwYDVQQDExBURVNUIEVOVElUWSBMSVIzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+ MIIBCgKCAQEAoyFXYWSvERjUy96m3K3ZLA8PWJ9+yIVVESZMfPBraBqeagyP5tw9
+ g1gqzHesGXNvWvNuJKzNGtwdC0xE9W2LChc9hvno/uZg5Z9AauWU6JpWFxccq8GM
+ N0ArVb8sXtyNyiV/il/u+xaG6+AI0ybl43DFDGv7G49rXPbiSlilNQHqBRs+zoS+
+ tT9tGBZLaOV5TIh9tqVlozrCMtytj4oF7vbpeoDaEqkPWrXS0zGsPtMZJS0o3nls
+ zv13ZtXjL6nL+YWMILuihiPwk5UgBHjHxwem/vD0RbvPeCvdzpwIpUZoEEzXBWJs
+ hlotfwY4wk27RIcAQ3nSj/NrsvRcHLloAQIDAQABo4IBYzCCAV8wDwYDVR0TAQH/
+ BAUwAwEB/zAdBgNVHQ4EFgQUmL4E/4DRq5U5qj3yDmd9AK2j/cUwHwYDVR0jBBgw
+ FoAU+7inozZICqCf8C7ci2i8s1xFJdcwDgYDVR0PAQH/BAQDAgEGMEEGCCsGAQUF
+ BwELBDUwMzAxBggrBgEFBQcwBYYlcnN5bmM6Ly93b21iYXRzLXItdXMuaGFjdHJu
+ Lm5ldC9MSVIzLzBDBggrBgEFBQcBAQQ3MDUwMwYIKwYBBQUHMAKGJ3JzeW5jOi8v
+ d29tYmF0cy1yLXVzLmhhY3Rybi5uZXQvUklSLmNlcjAhBggrBgEFBQcBCAEB/wQS
+ MBCgDjAMMAoCAwD8FgIDAPwcMFEGCCsGAQUFBwEHAQH/BEIwQDASBAIAATAMAwQA
+ CgAAAwQACgMAMCoEAgACMCQDEAAgAQ24AAAAAAAAAAAKAAADEAAgAQ24AAAAAAAA
+ AAAKAwAwDQYJKoZIhvcNAQEFBQADggEBAEhmCa7kUuozB6aST0Gd2XStJBcR1oWI
+ 8mZS5WEOjnjbVvuryDEb0fLs3x2HgCHZgZ7IAOg31cNxJpc1Ff6ZYEG+m3LpkcG/
+ yOMllfOVK8RQSY+nKuya2fm2J3dCOKogEjBW20HwxNd1WgFLrDaOTR9V+iROBPKs
+ 3ppMPp6ksPqEqDU/3N3bLHROIISlFwWHilXuTK5ZAnzncDIQnm+zUuxI/0d3v6Fp
+ 8VxVlNBHqzo0VpakZOkxwqo01qJRsoxVaIxeetGNQ4noPhtj6bEM4Y8xDS9f3R7o
+ eEHUSTnKonMemm/AB3KZnjwL7rkL2FI1ThmDRO3Z3lprbThjThJF8EU=
+ </issuer>
+ </class>
+</message>
diff --git a/rpkid/up-down-protocol-samples/list.xml b/rpkid/up-down-protocol-samples/list.xml
new file mode 100644
index 00000000..01a803f3
--- /dev/null
+++ b/rpkid/up-down-protocol-samples/list.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<message xmlns="http://www.apnic.net/specs/rescerts/up-down/"
+ version="1"
+ sender="sender name"
+ recipient="recipient name"
+ type="list" />
diff --git a/rpkid/up-down-protocol-samples/list_response.xml b/rpkid/up-down-protocol-samples/list_response.xml
new file mode 100644
index 00000000..9e368f5a
--- /dev/null
+++ b/rpkid/up-down-protocol-samples/list_response.xml
@@ -0,0 +1,169 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<message xmlns="http://www.apnic.net/specs/rescerts/up-down/"
+ version="1"
+ sender="sender name"
+ recipient="recipient name"
+ type="list_response">
+ <class class_name="ISP5"
+ cert_url="rsync://wombat.example/ISP5"
+ resource_set_as="64534-64540"
+ resource_set_ipv4="10.0.0.0/24,10.3.0.0/24"
+ resource_set_ipv6="2001:db8:0:0:0:0:a00::/120,2001:db8:0:0:0:0:a03::/120"
+ suggested_sia_head="rsync://wombat.example/fnord/">
+ <certificate cert_url="rsync://wombat.example/ISP5a"
+ req_resource_set_as=""
+ req_resource_set_ipv4="10.0.0.0/24"
+ req_resource_set_ipv6="2001:db8:0:0:0:0:a00::/120">
+ MIID3jCCAsagAwIBAgIBAzANBgkqhkiG9w0BAQUFADAbMRkwFwYDVQQDExBURVNU
+ IEVOVElUWSBMSVIzMB4XDTA3MDgwMTE0NDgyMloXDTA4MDczMTE0NDgyMlowHDEa
+ MBgGA1UEAxMRVEVTVCBFTlRJVFkgSVNQNWEwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+ DwAwggEKAoIBAQDmS614KGvmUBtlgdWNK1Z3zbvJR6CqMrAsrB/x5JArwjNv51Ox
+ 0B2rBSedt6HuqE/IWzYj4xLkUVknzf16qtxWBaFzq3ndPIKyj6757MA2OOYCqv2J
+ YCFSW7YzgHXlf/2sbuzUmiYvfihFFilHffOKctXkZfr0VG+uSDNiwTLxK4MzNmNg
+ nrzH55ldUdrNL4+DRyCe6cyjcsByvUktxFLqb9pCRnGQx69/n8fdC5aWPEWfwOpl
+ akPj85LV4XPAbiD1F+XRWNohs+kMTfDovXy374HJ9XDPqCB94mr5G2apyHHWMvhy
+ PYOZGQ0Ma+n4ks0zF4ZqPa8NBZSrHNQspEXLAgMBAAGjggEqMIIBJjAPBgNVHRMB
+ Af8EBTADAQH/MB0GA1UdDgQWBBQJ8BQLefsL/6jvVLnsPrmL0Muc7DAfBgNVHSME
+ GDAWgBSYvgT/gNGrlTmqPfIOZ30AraP9xTAOBgNVHQ8BAf8EBAMCAQYwQgYIKwYB
+ BQUHAQsENjA0MDIGCCsGAQUFBzAFhiZyc3luYzovL3dvbWJhdHMtci11cy5oYWN0
+ cm4ubmV0L0lTUDVhLzBEBggrBgEFBQcBAQQ4MDYwNAYIKwYBBQUHMAKGKHJzeW5j
+ Oi8vd29tYmF0cy1yLXVzLmhhY3Rybi5uZXQvTElSMy5jZXIwOQYIKwYBBQUHAQcB
+ Af8EKjAoMAwEAgABMAYDBAAKAAAwGAQCAAIwEgMQACABDbgAAAAAAAAAAAoAADAN
+ BgkqhkiG9w0BAQUFAAOCAQEAkzKZYt3F6vAfWFAQN9M5N9n2klEmL9b9b4K4Vmv9
+ DPNCBFbtZytCAphWB/FILS60MrvXHCcUoOmtOx3+Cw5D3yKX8Y9z2HbWmw2/7iDo
+ dxejgwGzI0OFa79vzC5pRwVz9CFFlMiuIShBFpHuSElmWmcxcQTJSXGU1fSGXHvG
+ Pv6RHSGzFJhUrW5RKOmoIrqk0JyM49R8IRAM+aMA+MOfALRTNAavW0pDlcuy+4wY
+ AIYRKF4k4ZDYZ9gA/LYnH56xvpEXwRE1bpxgUC5n8wQrdIn5/pJz3R5EgWe4CGOo
+ n/SMvEfe8d+LEc0C7LmtCwYoDOKENoOF809GVkbV9fjL8w==
+ </certificate>
+ <certificate cert_url="rsync://wombat.example/ISP5b"
+ req_resource_set_as=""
+ req_resource_set_ipv4="10.3.0.0/24"
+ req_resource_set_ipv6="2001:db8:0:0:0:0:a03::/120">
+ MIID3jCCAsagAwIBAgIBAjANBgkqhkiG9w0BAQUFADAbMRkwFwYDVQQDExBURVNU
+ IEVOVElUWSBMSVIzMB4XDTA3MDgwMTE0NDgyMFoXDTA4MDczMTE0NDgyMFowHDEa
+ MBgGA1UEAxMRVEVTVCBFTlRJVFkgSVNQNWIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+ DwAwggEKAoIBAQC/j1nY/PodBHApznsBZCFA3FxD/kyviMhim76cco+KpTSKOyON
+ m4pPv2asaHGc/WhZ9b+fTS611uP6vfNgU1y3EayVC8CHzZmelFeN7AW436r8jjjT
+ D2VtCWDy4ZiBcthRPkGRsxCV9fXQ+eVcoYX6cSaF49FMAn8U4h5KipZontYWpe+t
+ tYNizSN0fIJWtNE0U1qKemGfrlRb7/lW3odrQpK8SfS1wzUHShhH0pLGHBZ0dLHp
+ OTxTEgWd69ycciuXTSchd5Z9TM55DPunuJlrZiAuVpxEtONegMR9eKG0BfcgfSYe
+ RL9daRU8eiRnvbm1CA8zTa87Lee5qx0r1vtzAgMBAAGjggEqMIIBJjAPBgNVHRMB
+ Af8EBTADAQH/MB0GA1UdDgQWBBRss2WU/safSlCdTYtAGqH9lxeXkjAfBgNVHSME
+ GDAWgBSYvgT/gNGrlTmqPfIOZ30AraP9xTAOBgNVHQ8BAf8EBAMCAQYwQgYIKwYB
+ BQUHAQsENjA0MDIGCCsGAQUFBzAFhiZyc3luYzovL3dvbWJhdHMtci11cy5oYWN0
+ cm4ubmV0L0lTUDViLzBEBggrBgEFBQcBAQQ4MDYwNAYIKwYBBQUHMAKGKHJzeW5j
+ Oi8vd29tYmF0cy1yLXVzLmhhY3Rybi5uZXQvTElSMy5jZXIwOQYIKwYBBQUHAQcB
+ Af8EKjAoMAwEAgABMAYDBAAKAwAwGAQCAAIwEgMQACABDbgAAAAAAAAAAAoDADAN
+ BgkqhkiG9w0BAQUFAAOCAQEARNgVrXF+6W7sMytC7YyKSt+CpJGZV7AvzKNZKv8k
+ xazhefrXkrpyK0caz4BtCHbptZFgNR/dDOC9M3wn0PcRTh9ISgW8beNfut16uj1F
+ fZdylJvNMXa4lt/wfRbzKqPicusCH0nutkRIW2mZuLuAO8v1vKr4umgZU+z/rXWu
+ glEA7OeBwmvPoqKixbgER5GtnTNySKIVVa1DUo/2CaPT/YjT48P0zXHoy6rnNgcn
+ 2emkoegzzS2cN+5I5I+O8IRnZInqmiPgEgElgEFw+rg6xw23yax5Nyqx12J56tt0
+ tPWGhrYe1dCwKZajWKn3P9+NMcGQ0d8bw/QU+B3RyVeVfw==
+ </certificate>
+ <certificate cert_url="rsync://wombat.example/ISP5c"
+ req_resource_set_as="64534-64540"
+ req_resource_set_ipv4=""
+ req_resource_set_ipv6="">
+ MIIDxjCCAq6gAwIBAgIBATANBgkqhkiG9w0BAQUFADAbMRkwFwYDVQQDExBURVNU
+ IEVOVElUWSBMSVIzMB4XDTA3MDgwMTE0NDgxOFoXDTA4MDczMTE0NDgxOFowHDEa
+ MBgGA1UEAxMRVEVTVCBFTlRJVFkgSVNQNWMwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+ DwAwggEKAoIBAQDIi6ElZd/uon9Ur1IKGhr6DXWzPOngKdOJIOlRSWcsQ9qgLNRE
+ s5YUqQd3YLlvAe+OVKV0rFpn+DBNEPmsn7h1YQv253zqm1yYeks+xOJZQtMZyg9Y
+ DrfIgk7lu6z9kuWIsvxkz244OxiD/OemrvuQNtDhyk2QQQ8POyrADNl7fehQE/YJ
+ c4Kj0uO7ggiHf9K7Dg56KLYlArXZUfwzMkdH/89/vO4AAbsFXi4Dmq2VO8rCxodk
+ dDmqWWuu4KdRGgfyjkyOZS/f8pm64LaKT8AgcnmYAI8NUBM90T6Mvdx0qTOoVh0x
+ eHznAp6NChQSbdM3x3rwhBD+/k0olyZuCIWhAgMBAAGjggESMIIBDjAPBgNVHRMB
+ Af8EBTADAQH/MB0GA1UdDgQWBBQth8Ga+FgrvcL4fjBHs6mIN8nrRjAfBgNVHSME
+ GDAWgBSYvgT/gNGrlTmqPfIOZ30AraP9xTAOBgNVHQ8BAf8EBAMCAQYwQgYIKwYB
+ BQUHAQsENjA0MDIGCCsGAQUFBzAFhiZyc3luYzovL3dvbWJhdHMtci11cy5oYWN0
+ cm4ubmV0L0lTUDVjLzBEBggrBgEFBQcBAQQ4MDYwNAYIKwYBBQUHMAKGKHJzeW5j
+ Oi8vd29tYmF0cy1yLXVzLmhhY3Rybi5uZXQvTElSMy5jZXIwIQYIKwYBBQUHAQgB
+ Af8EEjAQoA4wDDAKAgMA/BYCAwD8HDANBgkqhkiG9w0BAQUFAAOCAQEAUGsbhHfl
+ kwhe3EIkhnARJPgRkWgPCJtJ9konhROT7VlJ0Pim0kSrJWlBWUCLeKvSjQmowP4g
+ SddHxN4ZoXnSjb0pCDeomrZeViVQ2hxH6L/tHkl5SIEHl9MvFOe8junvgpq9GGAI
+ CFcibkW7Gp9p4A+GQkns0l9v+wGwuVZmqmJk4YBo7hHZRbg6/IFL1MD3HKeXmn33
+ lCwFhjUuDIMXRbY/1k5fui13QUolN7mLSk60NvXJ94Tga68c1eCIpapvhxAYw69G
+ 7mOX42aYu1FnidZNj7Lt9jOuW0REHlavrG17HxP5loTuCNtLH1ZIrJcO7rUz9C0D
+ YqMybYWFUqZHyg==
+ </certificate>
+ <issuer>
+ MIIEFTCCAv2gAwIBAgIBDjANBgkqhkiG9w0BAQUFADAaMRgwFgYDVQQDEw9URVNU
+ IEVOVElUWSBSSVIwHhcNMDcwODAxMTQ0ODE4WhcNMDgwNzMxMTQ0ODE4WjAbMRkw
+ FwYDVQQDExBURVNUIEVOVElUWSBMSVIzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+ MIIBCgKCAQEAoyFXYWSvERjUy96m3K3ZLA8PWJ9+yIVVESZMfPBraBqeagyP5tw9
+ g1gqzHesGXNvWvNuJKzNGtwdC0xE9W2LChc9hvno/uZg5Z9AauWU6JpWFxccq8GM
+ N0ArVb8sXtyNyiV/il/u+xaG6+AI0ybl43DFDGv7G49rXPbiSlilNQHqBRs+zoS+
+ tT9tGBZLaOV5TIh9tqVlozrCMtytj4oF7vbpeoDaEqkPWrXS0zGsPtMZJS0o3nls
+ zv13ZtXjL6nL+YWMILuihiPwk5UgBHjHxwem/vD0RbvPeCvdzpwIpUZoEEzXBWJs
+ hlotfwY4wk27RIcAQ3nSj/NrsvRcHLloAQIDAQABo4IBYzCCAV8wDwYDVR0TAQH/
+ BAUwAwEB/zAdBgNVHQ4EFgQUmL4E/4DRq5U5qj3yDmd9AK2j/cUwHwYDVR0jBBgw
+ FoAU+7inozZICqCf8C7ci2i8s1xFJdcwDgYDVR0PAQH/BAQDAgEGMEEGCCsGAQUF
+ BwELBDUwMzAxBggrBgEFBQcwBYYlcnN5bmM6Ly93b21iYXRzLXItdXMuaGFjdHJu
+ Lm5ldC9MSVIzLzBDBggrBgEFBQcBAQQ3MDUwMwYIKwYBBQUHMAKGJ3JzeW5jOi8v
+ d29tYmF0cy1yLXVzLmhhY3Rybi5uZXQvUklSLmNlcjAhBggrBgEFBQcBCAEB/wQS
+ MBCgDjAMMAoCAwD8FgIDAPwcMFEGCCsGAQUFBwEHAQH/BEIwQDASBAIAATAMAwQA
+ CgAAAwQACgMAMCoEAgACMCQDEAAgAQ24AAAAAAAAAAAKAAADEAAgAQ24AAAAAAAA
+ AAAKAwAwDQYJKoZIhvcNAQEFBQADggEBAEhmCa7kUuozB6aST0Gd2XStJBcR1oWI
+ 8mZS5WEOjnjbVvuryDEb0fLs3x2HgCHZgZ7IAOg31cNxJpc1Ff6ZYEG+m3LpkcG/
+ yOMllfOVK8RQSY+nKuya2fm2J3dCOKogEjBW20HwxNd1WgFLrDaOTR9V+iROBPKs
+ 3ppMPp6ksPqEqDU/3N3bLHROIISlFwWHilXuTK5ZAnzncDIQnm+zUuxI/0d3v6Fp
+ 8VxVlNBHqzo0VpakZOkxwqo01qJRsoxVaIxeetGNQ4noPhtj6bEM4Y8xDS9f3R7o
+ eEHUSTnKonMemm/AB3KZnjwL7rkL2FI1ThmDRO3Z3lprbThjThJF8EU=
+ </issuer>
+ </class>
+ <class class_name="ISP2"
+ cert_url="rsync://wombat.example/ISP2"
+ resource_set_as=""
+ resource_set_ipv4="192.0.2.44-192.0.2.100"
+ resource_set_ipv6="">
+ <certificate cert_url="http://wombat.example/ISP2a,rsync://wombat.example/ISP2a,ftp://wombat.example/ISP2a">
+ MIIDzDCCArSgAwIBAgIBCTANBgkqhkiG9w0BAQUFADAbMRkwFwYDVQQDExBURVNU
+ IEVOVElUWSBMSVIxMB4XDTA3MDgwMTE0NDgyMloXDTA4MDczMTE0NDgyMlowGzEZ
+ MBcGA1UEAxMQVEVTVCBFTlRJVFkgSVNQMjCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ ADCCAQoCggEBANB338Qhrxtaa6inKNdDyJttJdiNf5Er45X9kmCsFBLXI2iFSw7b
+ K+Y44EjbGDePQMCQWA4/CWdfjj8EdQZgkkLz5EUENZVd6SJCLPZcpn15jOEIGXw1
+ nTr95/+bKbXuiUfMDYOg4XOvHwmEqAuDzHmIv3wdc9arQhtkmlwZgyud5a1MWAV2
+ lXAj7qXAMcqip8gdHvLJ8j04gsJT5VSG8nyxc+Hc6YZzCKxZO74vWMFCxYAYjDoK
+ KjL2/ijQKFKDxjBpUZBZGZvT1MLgUmrBTlmaGOR4Llf5fytddijJycV+5UOhm2jS
+ Bhy+P2n5wvqeT2jPY2/bbfxnNcCxbgo37DMCAwEAAaOCARkwggEVMA8GA1UdEwEB
+ /wQFMAMBAf8wHQYDVR0OBBYEFHOyFhrN3NcwYA/6gZX4ovVOlfOtMB8GA1UdIwQY
+ MBaAFIqUF/lT8luUVFbfdlETKfZxGaizMA4GA1UdDwEB/wQEAwIBBjBBBggrBgEF
+ BQcBCwQ1MDMwMQYIKwYBBQUHMAWGJXJzeW5jOi8vd29tYmF0cy1yLXVzLmhhY3Ry
+ bi5uZXQvSVNQMi8wRAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzAChihyc3luYzov
+ L3dvbWJhdHMtci11cy5oYWN0cm4ubmV0L0xJUjEuY2VyMCkGCCsGAQUFBwEHAQH/
+ BBowGDAWBAIAATAQMA4DBQLAAAIsAwUAwAACZDANBgkqhkiG9w0BAQUFAAOCAQEA
+ CvG1rzj5fZOV1Oq/SO+NYzxOHIA9egYgQg4NUpmqSz6v17RhR0+3tPfMmzxepTs8
+ ut23KieOG7RcPGvR2f/CEvedgrrPdTS81wu01qhPWJNqriN6N+Mu8XCK3fUO+t+w
+ PxLUWqwzrRUcpdy+CMOOGg81Eg7e77iAeJCp648AChUdBRI6HTfp9PlKd25pJ7fj
+ f654MpKGbTkWXllPkxC1sL4cJUcq4o+Sn1zAKkjXUwAUjp6G6s+mIWZQiZU5Pv8n
+ lYXvPciYf83+wTBllLGtSFyut8hk6WmiB8rC1/5jS96pJaGRSxejqd0r99GlPre+
+ QgMe2TRfFuM1esod7j1M1Q==
+ </certificate>
+ <issuer>
+ MIID9jCCAt6gAwIBAgIBEDANBgkqhkiG9w0BAQUFADAaMRgwFgYDVQQDEw9URVNU
+ IEVOVElUWSBSSVIwHhcNMDcwODAxMTQ0ODE4WhcNMDgwNzMxMTQ0ODE4WjAbMRkw
+ FwYDVQQDExBURVNUIEVOVElUWSBMSVIxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+ MIIBCgKCAQEAr10c+dm71QHhWzbMUfb9hldgqp7H7E4Fr/tRXHrCWMSoV64UYum8
+ tnJ9z0nISkCCSvQ+MLWUJZ5seIFXQ9aFAo3RnLXXNC/iqX0YJ7VHmkIWyJB/lizd
+ uJgXH3diSggALeBzDDk3ug+nWVlMfM3iXNeYNhBsiD5FmaaIL/Z/MUm6QisTecKy
+ 8QnZrTekQbZtRqEYBaBTB47gmLLR/Wdod2TV8/4dIjaeJloaqhiUwyx+mq++LJ1e
+ dSxJ1jcrBh/MY5d+7ixfZ69NYj56HwzhHgLy0gZ1rj8RvI4PE2Q4FDYdXQLsr2XV
+ uWj0ImYr70dbrTvyr7ZxDJRWinwBNvA6PwIDAQABo4IBRDCCAUAwDwYDVR0TAQH/
+ BAUwAwEB/zAdBgNVHQ4EFgQUipQX+VPyW5RUVt92URMp9nEZqLMwHwYDVR0jBBgw
+ FoAU+7inozZICqCf8C7ci2i8s1xFJdcwDgYDVR0PAQH/BAQDAgEGMEEGCCsGAQUF
+ BwELBDUwMzAxBggrBgEFBQcwBYYlcnN5bmM6Ly93b21iYXRzLXItdXMuaGFjdHJu
+ Lm5ldC9MSVIxLzBDBggrBgEFBQcBAQQ3MDUwMwYIKwYBBQUHMAKGJ3JzeW5jOi8v
+ d29tYmF0cy1yLXVzLmhhY3Rybi5uZXQvUklSLmNlcjAaBggrBgEFBQcBCAEB/wQL
+ MAmgBzAFAgMA/BUwOQYIKwYBBQUHAQcBAf8EKjAoMCYEAgABMCAwDgMFAMAAAgED
+ BQHAAAIgMA4DBQLAAAIsAwUAwAACZDANBgkqhkiG9w0BAQUFAAOCAQEAcn3dpGAj
+ ceSZKAuaulzTl0ty64mBPBGFjCXtebJQpeiuDjd0+SyhvpaDNUANNvkyFnQlnPcP
+ zUZHjrnNrAx+06yEXvYx9KnyBc2C1+DXOySbxxXR253CHZL3Gam4oWcK+z0jOgWD
+ KQVQ4wAnqYD+u1HxPjsMmK7x7tETckZkj0syTs9kzxqlsTSm8F8Y+ES7E+qNXyR9
+ OxVgjr70vdgEp9AQftMQZ781SclWz7eLe5sXC1TuIct1sD6NssHGfCaxfFipSjEk
+ zeU/pZodfREUQSrlVbbb9HU0N59eHfGGKvZ0vojhuWPOrVzpPJGKTI20aQPn+VJ5
+ KH3Nf1ICSa7Vxw==
+ </issuer>
+ </class>
+</message>
diff --git a/rpkid/up-down-protocol-samples/revoke.xml b/rpkid/up-down-protocol-samples/revoke.xml
new file mode 100644
index 00000000..eb4b3efb
--- /dev/null
+++ b/rpkid/up-down-protocol-samples/revoke.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<message xmlns="http://www.apnic.net/specs/rescerts/up-down/"
+ version="1"
+ sender="sender name"
+ recipient="recipient name"
+ type="revoke">
+ <key class_name="ISP5"
+ ski="CfAUC3n7C_-o71S57D65i9DLnOw"/>
+</message>
diff --git a/rpkid/up-down-protocol-samples/revoke_response.xml b/rpkid/up-down-protocol-samples/revoke_response.xml
new file mode 100644
index 00000000..9f4ebacc
--- /dev/null
+++ b/rpkid/up-down-protocol-samples/revoke_response.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<message xmlns="http://www.apnic.net/specs/rescerts/up-down/"
+ version="1"
+ sender="sender name"
+ recipient="recipient name"
+ type="revoke_response">
+ <key class_name="ISP5"
+ ski="CfAUC3n7C_-o71S57D65i9DLnOw"/>
+</message>
diff --git a/rpkid/up-down-schema.rnc b/rpkid/up-down-schema.rnc
new file mode 100644
index 00000000..10736576
--- /dev/null
+++ b/rpkid/up-down-schema.rnc
@@ -0,0 +1,71 @@
+# $Id$
+#
+# RelaxNG (Compact Syntax) Scheme for up-down protocol, extracted
+# from APNIC Wiki.
+#
+# libxml2 (including xmllint) only groks the XML syntax of RelaxNG,
+# so run this through a converter like /usr/ports/textproc/trang to get
+# XML syntax:
+#
+# $ trang up-down-schema.rnc up-down-schema.rng
+
+ default namespace = "http://www.apnic.net/specs/rescerts/up-down/"
+
+ grammar {
+ start = element message {
+ attribute version { xsd:positiveInteger { maxInclusive="1" } },
+ attribute sender { xsd:token { maxLength="1024" } },
+ attribute recipient { xsd:token { maxLength="1024" } },
+ payload
+ }
+
+ payload |= attribute type { "list" }, list_request
+ payload |= attribute type { "list_response"}, list_response
+ payload |= attribute type { "issue" }, issue_request
+ payload |= attribute type { "issue_response"}, issue_response
+ payload |= attribute type { "revoke" }, revoke_request
+ payload |= attribute type { "revoke_response"}, revoke_response
+ payload |= attribute type { "error_response"}, error_response
+
+ list_request = empty
+ list_response = class*
+
+ class = element class {
+ attribute class_name { xsd:token { maxLength="1024" } },
+ attribute cert_url { xsd:string { maxLength="4096" } },
+ attribute resource_set_as { xsd:string { maxLength="512000" pattern="[\-,0-9]*" } },
+ attribute resource_set_ipv4 { xsd:string { maxLength="512000" pattern="[\-,/.0-9]*" } },
+ attribute resource_set_ipv6 { xsd:string { maxLength="512000" pattern="[\-,/:0-9a-fA-F]*" } },
+ attribute resource_set_notafter { xsd:dateTime { pattern=".*Z" } }?,
+ attribute suggested_sia_head { xsd:anyURI { maxLength="1024" pattern="rsync://.+"} }?,
+ element certificate {
+ attribute cert_url { xsd:string { maxLength="4096" } },
+ attribute req_resource_set_as { xsd:string { maxLength="512000" pattern="[\-,0-9]*" } }?,
+ attribute req_resource_set_ipv4 { xsd:string { maxLength="512000" pattern="[\-,/.0-9]*" } }?,
+ attribute req_resource_set_ipv6 { xsd:string { maxLength="512000" pattern="[\-,/:0-9a-fA-F]*" } }?,
+ xsd:base64Binary { maxLength="512000" }
+ }*,
+ element issuer { xsd:base64Binary { maxLength="512000" } }
+ }
+
+ issue_request = element request {
+ attribute class_name { xsd:token { maxLength="1024" } },
+ attribute req_resource_set_as { xsd:string { maxLength="512000" pattern="[\-,0-9]*" } }?,
+ attribute req_resource_set_ipv4 { xsd:string { maxLength="512000" pattern="[\-,/.0-9]*" } }?,
+ attribute req_resource_set_ipv6 { xsd:string { maxLength="512000" pattern="[\-,/:0-9a-fA-F]*" } }?,
+ xsd:base64Binary { maxLength="512000" }
+ }
+ issue_response = class
+
+ revoke_request = revocation
+ revoke_response = revocation
+
+ revocation = element key {
+ attribute class_name { xsd:token { maxLength="1024" } },
+ attribute ski { xsd:token { maxLength="1024" } }
+ }
+
+ error_response =
+ element status { xsd:positiveInteger { maxInclusive="999999999999999" } },
+ element description { attribute xml:lang { xsd:language }, xsd:string { maxLength="1024" } }?
+ }
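Review bot: `cert_url` on both `class` and `certificate` is a plain `xsd:string { maxLength="4096" }`, while `suggested_sia_head` in the same definition is held to `rsync://.+`, so validating against this schema puts no limit on which URI schemes a peer can place in `cert_url`; the list_response.xml sample in this commit carries an http, rsync and ftp list in that attribute. If the list form is intended, I would say so in a comment above the attribute, e.g. `# cert_url: comma-separated URI list; scheme is not checked here, callers must check it before fetching`. The `resource_set_*` and `req_resource_set_*` patterns likewise restrict only the character set (`[\-,0-9]*` accepts `--,,`), so the code that parses those strings still has to reject malformed ranges itself. up-down-schema.rng looks to be the trang output of this file and has the same properties.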
diff --git a/rpkid/up-down-schema.rng b/rpkid/up-down-schema.rng
new file mode 100644
index 00000000..1c6cd854
--- /dev/null
+++ b/rpkid/up-down-schema.rng
@@ -0,0 +1,249 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ $Id$
+
+ RelaxNG (Compact Syntax) Scheme for up-down protocol, extracted
+ from APNIC Wiki.
+
+ libxml2 (including xmllint) only groks the XML syntax of RelaxNG,
+ so run this through a converter like /usr/ports/textproc/trang to get
+ XML syntax:
+
+ $ trang up-down-schema.rnc up-down-schema.rng
+-->
+<grammar ns="http://www.apnic.net/specs/rescerts/up-down/" xmlns="http://relaxng.org/ns/structure/1.0" datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes">
+ <start>
+ <element name="message">
+ <attribute name="version">
+ <data type="positiveInteger">
+ <param name="maxInclusive">1</param>
+ </data>
+ </attribute>
+ <attribute name="sender">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ <attribute name="recipient">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ <ref name="payload"/>
+ </element>
+ </start>
+ <define name="payload" combine="choice">
+ <attribute name="type">
+ <value>list</value>
+ </attribute>
+ <ref name="list_request"/>
+ </define>
+ <define name="payload" combine="choice">
+ <attribute name="type">
+ <value>list_response</value>
+ </attribute>
+ <ref name="list_response"/>
+ </define>
+ <define name="payload" combine="choice">
+ <attribute name="type">
+ <value>issue</value>
+ </attribute>
+ <ref name="issue_request"/>
+ </define>
+ <define name="payload" combine="choice">
+ <attribute name="type">
+ <value>issue_response</value>
+ </attribute>
+ <ref name="issue_response"/>
+ </define>
+ <define name="payload" combine="choice">
+ <attribute name="type">
+ <value>revoke</value>
+ </attribute>
+ <ref name="revoke_request"/>
+ </define>
+ <define name="payload" combine="choice">
+ <attribute name="type">
+ <value>revoke_response</value>
+ </attribute>
+ <ref name="revoke_response"/>
+ </define>
+ <define name="payload" combine="choice">
+ <attribute name="type">
+ <value>error_response</value>
+ </attribute>
+ <ref name="error_response"/>
+ </define>
+ <define name="list_request">
+ <empty/>
+ </define>
+ <define name="list_response">
+ <zeroOrMore>
+ <ref name="class"/>
+ </zeroOrMore>
+ </define>
+ <define name="class">
+ <element name="class">
+ <attribute name="class_name">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ <attribute name="cert_url">
+ <data type="string">
+ <param name="maxLength">4096</param>
+ </data>
+ </attribute>
+ <attribute name="resource_set_as">
+ <data type="string">
+ <param name="maxLength">512000</param>
+ <param name="pattern">[\-,0-9]*</param>
+ </data>
+ </attribute>
+ <attribute name="resource_set_ipv4">
+ <data type="string">
+ <param name="maxLength">512000</param>
+ <param name="pattern">[\-,/.0-9]*</param>
+ </data>
+ </attribute>
+ <attribute name="resource_set_ipv6">
+ <data type="string">
+ <param name="maxLength">512000</param>
+ <param name="pattern">[\-,/:0-9a-fA-F]*</param>
+ </data>
+ </attribute>
+ <optional>
+ <attribute name="resource_set_notafter">
+ <data type="dateTime">
+ <param name="pattern">.*Z</param>
+ </data>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="suggested_sia_head">
+ <data type="anyURI">
+ <param name="maxLength">1024</param>
+ <param name="pattern">rsync://.+</param>
+ </data>
+ </attribute>
+ </optional>
+ <zeroOrMore>
+ <element name="certificate">
+ <attribute name="cert_url">
+ <data type="string">
+ <param name="maxLength">4096</param>
+ </data>
+ </attribute>
+ <optional>
+ <attribute name="req_resource_set_as">
+ <data type="string">
+ <param name="maxLength">512000</param>
+ <param name="pattern">[\-,0-9]*</param>
+ </data>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="req_resource_set_ipv4">
+ <data type="string">
+ <param name="maxLength">512000</param>
+ <param name="pattern">[\-,/.0-9]*</param>
+ </data>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="req_resource_set_ipv6">
+ <data type="string">
+ <param name="maxLength">512000</param>
+ <param name="pattern">[\-,/:0-9a-fA-F]*</param>
+ </data>
+ </attribute>
+ </optional>
+ <data type="base64Binary">
+ <param name="maxLength">512000</param>
+ </data>
+ </element>
+ </zeroOrMore>
+ <element name="issuer">
+ <data type="base64Binary">
+ <param name="maxLength">512000</param>
+ </data>
+ </element>
+ </element>
+ </define>
+ <define name="issue_request">
+ <element name="request">
+ <attribute name="class_name">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ <optional>
+ <attribute name="req_resource_set_as">
+ <data type="string">
+ <param name="maxLength">512000</param>
+ <param name="pattern">[\-,0-9]*</param>
+ </data>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="req_resource_set_ipv4">
+ <data type="string">
+ <param name="maxLength">512000</param>
+ <param name="pattern">[\-,/.0-9]*</param>
+ </data>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="req_resource_set_ipv6">
+ <data type="string">
+ <param name="maxLength">512000</param>
+ <param name="pattern">[\-,/:0-9a-fA-F]*</param>
+ </data>
+ </attribute>
+ </optional>
+ <data type="base64Binary">
+ <param name="maxLength">512000</param>
+ </data>
+ </element>
+ </define>
+ <define name="issue_response">
+ <ref name="class"/>
+ </define>
+ <define name="revoke_request">
+ <ref name="revocation"/>
+ </define>
+ <define name="revoke_response">
+ <ref name="revocation"/>
+ </define>
+ <define name="revocation">
+ <element name="key">
+ <attribute name="class_name">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ <attribute name="ski">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ </element>
+ </define>
+ <define name="error_response">
+ <element name="status">
+ <data type="positiveInteger">
+ <param name="maxInclusive">999999999999999</param>
+ </data>
+ </element>
+ <optional>
+ <element name="description">
+ <attribute name="xml:lang">
+ <data type="language"/>
+ </attribute>
+ <data type="string">
+ <param name="maxLength">1024</param>
+ </data>
+ </element>
+ </optional>
+ </define>
+</grammar>
diff --git a/rpkid/xml-parse-test.py b/rpkid/xml-parse-test.py
new file mode 100755
index 00000000..bde7d167
--- /dev/null
+++ b/rpkid/xml-parse-test.py
@@ -0,0 +1,67 @@
+# $Id$
+
+# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+import glob, rpki.up_down, rpki.left_right, rpki.relaxng, xml.sax, lxml.etree, lxml.sax, POW, POW.pkix
+
+verbose = True
+
+def test(fileglob, rng, sax_handler, encoding, tester=None):
+ files = glob.glob(fileglob)
+ files.sort()
+ for f in files:
+ print "\n<!--", f, "-->"
+ handler = sax_handler()
+ elt_in = lxml.etree.parse(f).getroot()
+ rng.assertValid(elt_in)
+ lxml.sax.saxify(elt_in, handler)
+ elt_out = handler.result.toXML()
+ rng.assertValid(elt_out)
+ if (tester):
+ tester(elt_in, elt_out, handler.result)
+ print lxml.etree.tostring(elt_out, pretty_print=True, encoding=encoding, xml_declaration=True)
+
+def pprint_cert(cert):
+ print cert.get_POW().pprint()
+
+def ud_tester(elt_in, elt_out, msg):
+ assert isinstance(msg, rpki.up_down.message_pdu)
+ if verbose:
+ if isinstance(msg.payload, rpki.up_down.list_response_pdu):
+ for c in msg.payload.classes:
+ for i in range(len(c.certs)):
+ print "[Certificate #%d]" % i
+ pprint_cert(c.certs[i].cert)
+ print "[Issuer]"
+ pprint_cert(c.issuer)
+
+def lr_tester(elt_in, elt_out, msg):
+ assert isinstance(msg, rpki.left_right.msg)
+ if verbose:
+ for bsc in [x for x in msg if isinstance(x, rpki.left_right.bsc_elt)]:
+ for cert in bsc.signing_cert:
+ pprint_cert(cert)
+
+test(fileglob="up-down-protocol-samples/*.xml",
+ rng=rpki.relaxng.up_down,
+ sax_handler=rpki.up_down.sax_handler,
+ encoding="utf-8",
+ tester=ud_tester)
+
+test(fileglob="left-right-protocol-samples/*.xml",
+ rng=rpki.relaxng.left_right,
+ sax_handler=rpki.left_right.sax_handler,
+ encoding="us-ascii",
+ tester=lr_tester)
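Review bot: The round trip in `test()` is checked only by calling `rng.assertValid` on `elt_in` and on `elt_out`; the two trees are never compared, and `ud_tester` and `lr_tester` accept `elt_in` and `elt_out` without using them. Since the up-down schema makes the `req_resource_set_*` attributes and `suggested_sia_head` optional, a `sax_handler`/`toXML()` pair that silently dropped them would still pass this test. Assuming `toXML()` is meant to reproduce attributes unchanged, I would add a comparison after the second validation, starting with `if dict(elt_in.attrib) != dict(elt_out.attrib): raise AssertionError(f)` and walking the child elements the same way. The type checks in both testers are `assert` statements, which Python drops under `-O`; `if not isinstance(msg, rpki.up_down.message_pdu): raise TypeError(type(msg))` keeps the check in every run mode.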