Diffstat (limited to 'schemas')
-rw-r--r-- | schemas/relaxng/left-right-schema.rnc | 323 | ||||
-rw-r--r-- | schemas/relaxng/left-right-schema.rng | 1089 | ||||
-rw-r--r-- | schemas/relaxng/myrpki.rnc | 164 | ||||
-rw-r--r-- | schemas/relaxng/myrpki.rng | 379 | ||||
-rw-r--r-- | schemas/relaxng/publication-schema.rnc | 137 | ||||
-rw-r--r-- | schemas/relaxng/publication-schema.rng | 574 | ||||
-rw-r--r-- | schemas/relaxng/router-certificate-schema.rnc | 61 | ||||
-rw-r--r-- | schemas/relaxng/router-certificate-schema.rng | 98 | ||||
-rw-r--r-- | schemas/relaxng/up-down-schema.rnc | 113 | ||||
-rw-r--r-- | schemas/relaxng/up-down-schema.rng | 277 | ||||
-rw-r--r-- | schemas/sql/pubd.sql | 59 | ||||
-rw-r--r-- | schemas/sql/rpkid.sql | 250 |
12 files changed, 3524 insertions, 0 deletions
diff --git a/schemas/relaxng/left-right-schema.rnc b/schemas/relaxng/left-right-schema.rnc
new file mode 100644
index 00000000..b46adeb5
--- /dev/null
+++ b/schemas/relaxng/left-right-schema.rnc
@@ -0,0 +1,323 @@
+# $Id$
+#
+# RelaxNG schema for RPKI left-right protocol.
+#
+# Copyright (C) 2012--2014 Dragon Research Labs ("DRL")
+# Portions copyright (C) 2009--2011 Internet Systems Consortium ("ISC")
+# Portions copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notices and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND DRL, ISC, AND ARIN DISCLAIM ALL
+# WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DRL,
+# ISC, OR ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+# CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+# OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+default namespace = "http://www.hactrn.net/uris/rpki/left-right-spec/"
+
+# Top level PDU
+
+start = element msg {
+ attribute version { xsd:positiveInteger { maxInclusive="1" } },
+ ( (attribute type { "query" }, query_elt*) |
+ (attribute type { "reply" }, reply_elt*) )
+}
+
+# PDUs allowed in a query
+query_elt |= self_query
+query_elt |= bsc_query
+query_elt |= parent_query
+query_elt |= child_query
+query_elt |= repository_query
+query_elt |= list_roa_requests_query
+query_elt |= list_ghostbuster_requests_query
+query_elt |= list_ee_certificate_requests_query
+query_elt |= list_resources_query
+query_elt |= list_published_objects_query
+query_elt |= list_received_resources_query
+
+# PDUs allowed in a reply
+reply_elt |= self_reply
+reply_elt |= bsc_reply
+reply_elt |= parent_reply
+reply_elt |= child_reply
+reply_elt |= repository_reply
+reply_elt |= list_resources_reply
+reply_elt |= list_roa_requests_reply
+reply_elt |= list_ghostbuster_requests_reply
+reply_elt |= list_ee_certificate_requests_reply
+reply_elt |= list_published_objects_reply
+reply_elt |= list_received_resources_reply
+reply_elt |= report_error_reply
+
+# Tag attributes for bulk operations
+tag = attribute tag { xsd:token {maxLength="1024" } }?
+
+# Combinations of action and type attributes used in later definitions.
+# The same patterns repeat in most of the elements in this protocol.
+ctl_create = attribute action { "create" }, tag
+ctl_set = attribute action { "set" }, tag
+ctl_get = attribute action { "get" }, tag
+ctl_list = attribute action { "list" }, tag
+ctl_destroy = attribute action { "destroy" }, tag
+
+# Base64 encoded DER stuff
+base64 = xsd:base64Binary { maxLength="512000" }
+
+# Base definition for all fields that are really just SQL primary indices
+#sql_id = xsd:nonNegativeInteger
+
+# ...except that fields containing SQL primary indicies don't belong
+# in this protocol, so they're turninging into handles.
+# Length restriction is a MySQL implementation issue.
+# Handles are case-insensitive (because SQL is, among other reasons).
+object_handle = xsd:string { maxLength="255" pattern="[\-_A-Za-z0-9]+" }
+
+# URIs
+uri = xsd:anyURI { maxLength="4096" }
+
+# Name fields imported from up-down protocol
+up_down_name = xsd:token { maxLength="1024" }
+
+# Resource lists
+asn_list = xsd:string { maxLength="512000" pattern="[\-,0-9]*" }
+ipv4_list = xsd:string { maxLength="512000" pattern="[\-,0-9/.]*" }
+ipv6_list = xsd:string { maxLength="512000" pattern="[\-,0-9/:a-fA-F]*" }
+
+# <self/> element
+
+self_bool = (attribute rekey { "yes" }?,
+ attribute reissue { "yes" }?,
+ attribute revoke { "yes" }?,
+ attribute run_now { "yes" }?,
+ attribute publish_world_now { "yes" }?,
+ attribute revoke_forgotten { "yes" }?,
+ attribute clear_replay_protection { "yes" }?)
+
+self_payload = (attribute use_hsm { "yes" | "no" }?,
+ attribute crl_interval { xsd:positiveInteger }?,
+ attribute regen_margin { xsd:positiveInteger }?,
+ element bpki_cert { base64 }?,
+ element bpki_glue { base64 }?)
+
+self_handle = attribute self_handle { object_handle }
+
+self_query |= element self { ctl_create, self_handle, self_bool, self_payload }
+self_reply |= element self { ctl_create, self_handle }
+self_query |= element self { ctl_set, self_handle, self_bool, self_payload }
+self_reply |= element self { ctl_set, self_handle }
+self_query |= element self { ctl_get, self_handle }
+self_reply |= element self { ctl_get, self_handle, self_payload }
+self_query |= element self { ctl_list }
+self_reply |= element self { ctl_list, self_handle, self_payload }
+self_query |= element self { ctl_destroy, self_handle }
+self_reply |= element self { ctl_destroy, self_handle }
+
+# <bsc/> element. Key parameters hardwired for now.
+
+bsc_bool = ((attribute generate_keypair { "yes" },
+ attribute key_type { "rsa" }?,
+ attribute hash_alg { "sha256" }?,
+ attribute key_length { "2048" }?)?)
+
+bsc_handle = attribute bsc_handle { object_handle }
+
+bsc_payload = (element signing_cert { base64 }?,
+ element signing_cert_crl { base64 }?)
+
+bsc_readonly = element pkcs10_request { base64 }?
+
+bsc_query |= element bsc { ctl_create, self_handle, bsc_handle, bsc_bool, bsc_payload }
+bsc_reply |= element bsc { ctl_create, self_handle, bsc_handle, bsc_readonly }
+bsc_query |= element bsc { ctl_set, self_handle, bsc_handle, bsc_bool, bsc_payload }
+bsc_reply |= element bsc { ctl_set, self_handle, bsc_handle, bsc_readonly }
+bsc_query |= element bsc { ctl_get, self_handle, bsc_handle }
+bsc_reply |= element bsc { ctl_get, self_handle, bsc_handle, bsc_payload, bsc_readonly }
+bsc_query |= element bsc { ctl_list, self_handle }
+bsc_reply |= element bsc { ctl_list, self_handle, bsc_handle, bsc_payload, bsc_readonly }
+bsc_query |= element bsc { ctl_destroy, self_handle, bsc_handle }
+bsc_reply |= element bsc { ctl_destroy, self_handle, bsc_handle }
+
+# <parent/> element
+
+parent_handle = attribute parent_handle { object_handle }
+
+parent_bool = (attribute rekey { "yes" }?,
+ attribute reissue { "yes" }?,
+ attribute revoke { "yes" }?,
+ attribute revoke_forgotten { "yes" }?,
+ attribute clear_replay_protection { "yes" }?)
+
+parent_payload = (attribute peer_contact_uri { uri }?,
+ attribute sia_base { uri }?,
+ bsc_handle?,
+ repository_handle?,
+ attribute sender_name { up_down_name }?,
+ attribute recipient_name { up_down_name }?,
+ element bpki_cms_cert { base64 }?,
+ element bpki_cms_glue { base64 }?)
+
+parent_query |= element parent { ctl_create, self_handle, parent_handle, parent_bool, parent_payload }
+parent_reply |= element parent { ctl_create, self_handle, parent_handle }
+parent_query |= element parent { ctl_set, self_handle, parent_handle, parent_bool, parent_payload }
+parent_reply |= element parent { ctl_set, self_handle, parent_handle }
+parent_query |= element parent { ctl_get, self_handle, parent_handle }
+parent_reply |= element parent { ctl_get, self_handle, parent_handle, parent_payload }
+parent_query |= element parent { ctl_list, self_handle }
+parent_reply |= element parent { ctl_list, self_handle, parent_handle, parent_payload }
+parent_query |= element parent { ctl_destroy, self_handle, parent_handle }
+parent_reply |= element parent { ctl_destroy, self_handle, parent_handle }
+
+# <child/> element
+
+child_handle = attribute child_handle { object_handle }
+
+child_bool = (attribute reissue { "yes" }?,
+ attribute clear_replay_protection { "yes" }?)
+
+child_payload = (bsc_handle?,
+ element bpki_cert { base64 }?,
+ element bpki_glue { base64 }?)
+
+child_query |= element child { ctl_create, self_handle, child_handle, child_bool, child_payload }
+child_reply |= element child { ctl_create, self_handle, child_handle }
+child_query |= element child { ctl_set, self_handle, child_handle, child_bool, child_payload }
+child_reply |= element child { ctl_set, self_handle, child_handle }
+child_query |= element child { ctl_get, self_handle, child_handle }
+child_reply |= element child { ctl_get, self_handle, child_handle, child_payload }
+child_query |= element child { ctl_list, self_handle }
+child_reply |= element child { ctl_list, self_handle, child_handle, child_payload }
+child_query |= element child { ctl_destroy, self_handle, child_handle }
+child_reply |= element child { ctl_destroy, self_handle, child_handle }
+
+# <repository/> element
+
+repository_handle = attribute repository_handle { object_handle }
+
+repository_bool = attribute clear_replay_protection { "yes" }?
+
+repository_payload = (attribute peer_contact_uri { uri }?,
+ bsc_handle?,
+ element bpki_cert { base64 }?,
+ element bpki_glue { base64 }?)
+
+repository_query |= element repository { ctl_create, self_handle, repository_handle, repository_bool, repository_payload }
+repository_reply |= element repository { ctl_create, self_handle, repository_handle }
+repository_query |= element repository { ctl_set, self_handle, repository_handle, repository_bool, repository_payload }
+repository_reply |= element repository { ctl_set, self_handle, repository_handle }
+repository_query |= element repository { ctl_get, self_handle, repository_handle }
+repository_reply |= element repository { ctl_get, self_handle, repository_handle, repository_payload }
+repository_query |= element repository { ctl_list, self_handle }
+repository_reply |= element repository { ctl_list, self_handle, repository_handle, repository_payload }
+repository_query |= element repository { ctl_destroy, self_handle, repository_handle }
+repository_reply |= element repository { ctl_destroy, self_handle, repository_handle }
+
+# <list_resources/> element
+
+list_resources_query = element list_resources {
+ tag, self_handle, child_handle
+}
+
+list_resources_reply = element list_resources {
+ tag, self_handle, child_handle,
+ attribute valid_until { xsd:dateTime { pattern=".*Z" } },
+ attribute asn { asn_list }?,
+ attribute ipv4 { ipv4_list }?,
+ attribute ipv6 { ipv6_list }?
+}
+
+# <list_roa_requests/> element
+
+list_roa_requests_query = element list_roa_requests {
+ tag, self_handle
+}
+
+list_roa_requests_reply = element list_roa_requests {
+ tag, self_handle,
+ attribute asn { xsd:nonNegativeInteger },
+ attribute ipv4 { ipv4_list }?,
+ attribute ipv6 { ipv6_list }?
+}
+
+# <list_ghostbuster_requests/> element
+
+list_ghostbuster_requests_query = element list_ghostbuster_requests {
+ tag, self_handle, parent_handle
+}
+
+list_ghostbuster_requests_reply = element list_ghostbuster_requests {
+ tag, self_handle, parent_handle,
+ xsd:string
+}
+
+# <list_ee_certificate_requests/> element
+
+list_ee_certificate_requests_query = element list_ee_certificate_requests {
+ tag, self_handle
+}
+
+list_ee_certificate_requests_reply = element list_ee_certificate_requests {
+ tag, self_handle,
+ attribute gski { xsd:token { minLength="27" maxLength="27" } },
+ attribute valid_until { xsd:dateTime { pattern=".*Z" } },
+ attribute asn { asn_list }?,
+ attribute ipv4 { ipv4_list }?,
+ attribute ipv6 { ipv6_list }?,
+ attribute cn { xsd:string { maxLength="64" pattern="[\-0-9A-Za-z_ ]+" } }?,
+ attribute sn { xsd:string { maxLength="64" pattern="[0-9A-Fa-f]+" } }?,
+ attribute eku { xsd:string { maxLength="512000" pattern="[.,0-9]+" } }?,
+ element pkcs10 { base64 }
+}
+
+# <list_published_objects/> element
+
+list_published_objects_query = element list_published_objects {
+ tag, self_handle
+}
+
+list_published_objects_reply = element list_published_objects {
+ tag, self_handle,
+ attribute uri { uri },
+ attribute child_handle { object_handle }?,
+ base64
+}
+
+# <list_received_resources/> element
+
+list_received_resources_query = element list_received_resources {
+ tag, self_handle
+}
+
+list_received_resources_reply = element list_received_resources {
+ tag, self_handle, parent_handle,
+ attribute notBefore { xsd:dateTime { pattern=".*Z" } },
+ attribute notAfter { xsd:dateTime { pattern=".*Z" } },
+ attribute uri { uri },
+ attribute sia_uri { uri },
+ attribute aia_uri { uri },
+ attribute asn { asn_list }?,
+ attribute ipv4 { ipv4_list }?,
+ attribute ipv6 { ipv6_list }?
+}
+
+# <report_error/> element
+
+error = xsd:token { maxLength="1024" }
+
+report_error_reply = element report_error {
+ tag, self_handle?,
+ attribute error_code { error },
+ xsd:string { maxLength="512000" }?
+}
+
+# Local Variables:
+# indent-tabs-mode: nil
+# comment-start: "# "
+# comment-start-skip: "#[ \t]*"
+# End:
diff --git a/schemas/relaxng/left-right-schema.rng b/schemas/relaxng/left-right-schema.rng
new file mode 100644
index 00000000..6c3d2f1a
--- /dev/null
+++ b/schemas/relaxng/left-right-schema.rng
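Review bot: `list_ghostbuster_requests_reply` accepts unbounded text content (a bare `xsd:string` with no facet), which makes it the one payload in this schema without a size cap — `base64` and the `report_error` body are limited to 512000, `uri` to 4096, `tag`, `error` and `up_down_name` to 1024. If, as the header suggests, this schema is what validates left-right PDUs before they are acted on, the effective limit for that element is whatever the XML layer happens to impose rather than something the schema states. Suggest `xsd:string { maxLength="512000" }` to match `report_error_reply`, with the generated .rng regenerated from it. A smaller point: `asn_list`, `ipv4_list` and `ipv6_list` use `*` rather than `+`, so an attribute that is present but empty validates; if that is intentional it deserves a one-line comment beside those definitions.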
@@ -0,0 +1,1089 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + $Id: left-right-schema.rnc 5753 2014-04-05 19:24:26Z sra $ + + RelaxNG schema for RPKI left-right protocol. + + Copyright (C) 2012- -2014 Dragon Research Labs ("DRL") + Portions copyright (C) 2009- -2011 Internet Systems Consortium ("ISC") + Portions copyright (C) 2007- -2008 American Registry for Internet Numbers ("ARIN") + + Permission to use, copy, modify, and distribute this software for any + purpose with or without fee is hereby granted, provided that the above + copyright notices and this permission notice appear in all copies. + + THE SOFTWARE IS PROVIDED "AS IS" AND DRL, ISC, AND ARIN DISCLAIM ALL + WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED + WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DRL, + ISC, OR ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR + CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS + OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, + NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION + WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
+--> +<grammar ns="http://www.hactrn.net/uris/rpki/left-right-spec/" xmlns="http://relaxng.org/ns/structure/1.0" datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes"> + <!-- Top level PDU --> + <start> + <element name="msg"> + <attribute name="version"> + <data type="positiveInteger"> + <param name="maxInclusive">1</param> + </data> + </attribute> + <choice> + <group> + <attribute name="type"> + <value>query</value> + </attribute> + <zeroOrMore> + <ref name="query_elt"/> + </zeroOrMore> + </group> + <group> + <attribute name="type"> + <value>reply</value> + </attribute> + <zeroOrMore> + <ref name="reply_elt"/> + </zeroOrMore> + </group> + </choice> + </element> + </start> + <!-- PDUs allowed in a query --> + <define name="query_elt" combine="choice"> + <ref name="self_query"/> + </define> + <define name="query_elt" combine="choice"> + <ref name="bsc_query"/> + </define> + <define name="query_elt" combine="choice"> + <ref name="parent_query"/> + </define> + <define name="query_elt" combine="choice"> + <ref name="child_query"/> + </define> + <define name="query_elt" combine="choice"> + <ref name="repository_query"/> + </define> + <define name="query_elt" combine="choice"> + <ref name="list_roa_requests_query"/> + </define> + <define name="query_elt" combine="choice"> + <ref name="list_ghostbuster_requests_query"/> + </define> + <define name="query_elt" combine="choice"> + <ref name="list_ee_certificate_requests_query"/> + </define> + <define name="query_elt" combine="choice"> + <ref name="list_resources_query"/> + </define> + <define name="query_elt" combine="choice"> + <ref name="list_published_objects_query"/> + </define> + <define name="query_elt" combine="choice"> + <ref name="list_received_resources_query"/> + </define> + <!-- PDUs allowed in a reply --> + <define name="reply_elt" combine="choice"> + <ref name="self_reply"/> + </define> + <define name="reply_elt" combine="choice"> + <ref name="bsc_reply"/> + </define> + <define name="reply_elt" 
combine="choice"> + <ref name="parent_reply"/> + </define> + <define name="reply_elt" combine="choice"> + <ref name="child_reply"/> + </define> + <define name="reply_elt" combine="choice"> + <ref name="repository_reply"/> + </define> + <define name="reply_elt" combine="choice"> + <ref name="list_resources_reply"/> + </define> + <define name="reply_elt" combine="choice"> + <ref name="list_roa_requests_reply"/> + </define> + <define name="reply_elt" combine="choice"> + <ref name="list_ghostbuster_requests_reply"/> + </define> + <define name="reply_elt" combine="choice"> + <ref name="list_ee_certificate_requests_reply"/> + </define> + <define name="reply_elt" combine="choice"> + <ref name="list_published_objects_reply"/> + </define> + <define name="reply_elt" combine="choice"> + <ref name="list_received_resources_reply"/> + </define> + <define name="reply_elt" combine="choice"> + <ref name="report_error_reply"/> + </define> + <!-- Tag attributes for bulk operations --> + <define name="tag"> + <optional> + <attribute name="tag"> + <data type="token"> + <param name="maxLength">1024</param> + </data> + </attribute> + </optional> + </define> + <!-- + Combinations of action and type attributes used in later definitions. + The same patterns repeat in most of the elements in this protocol. 
+ --> + <define name="ctl_create"> + <attribute name="action"> + <value>create</value> + </attribute> + <ref name="tag"/> + </define> + <define name="ctl_set"> + <attribute name="action"> + <value>set</value> + </attribute> + <ref name="tag"/> + </define> + <define name="ctl_get"> + <attribute name="action"> + <value>get</value> + </attribute> + <ref name="tag"/> + </define> + <define name="ctl_list"> + <attribute name="action"> + <value>list</value> + </attribute> + <ref name="tag"/> + </define> + <define name="ctl_destroy"> + <attribute name="action"> + <value>destroy</value> + </attribute> + <ref name="tag"/> + </define> + <!-- Base64 encoded DER stuff --> + <define name="base64"> + <data type="base64Binary"> + <param name="maxLength">512000</param> + </data> + </define> + <!-- + Base definition for all fields that are really just SQL primary indices + sql_id = xsd:nonNegativeInteger + --> + <!-- + ...except that fields containing SQL primary indicies don't belong + in this protocol, so they're turninging into handles. + Length restriction is a MySQL implementation issue. + Handles are case-insensitive (because SQL is, among other reasons). 
+ --> + <define name="object_handle"> + <data type="string"> + <param name="maxLength">255</param> + <param name="pattern">[\-_A-Za-z0-9]+</param> + </data> + </define> + <!-- URIs --> + <define name="uri"> + <data type="anyURI"> + <param name="maxLength">4096</param> + </data> + </define> + <!-- Name fields imported from up-down protocol --> + <define name="up_down_name"> + <data type="token"> + <param name="maxLength">1024</param> + </data> + </define> + <!-- Resource lists --> + <define name="asn_list"> + <data type="string"> + <param name="maxLength">512000</param> + <param name="pattern">[\-,0-9]*</param> + </data> + </define> + <define name="ipv4_list"> + <data type="string"> + <param name="maxLength">512000</param> + <param name="pattern">[\-,0-9/.]*</param> + </data> + </define> + <define name="ipv6_list"> + <data type="string"> + <param name="maxLength">512000</param> + <param name="pattern">[\-,0-9/:a-fA-F]*</param> + </data> + </define> + <!-- <self/> element --> + <define name="self_bool"> + <optional> + <attribute name="rekey"> + <value>yes</value> + </attribute> + </optional> + <optional> + <attribute name="reissue"> + <value>yes</value> + </attribute> + </optional> + <optional> + <attribute name="revoke"> + <value>yes</value> + </attribute> + </optional> + <optional> + <attribute name="run_now"> + <value>yes</value> + </attribute> + </optional> + <optional> + <attribute name="publish_world_now"> + <value>yes</value> + </attribute> + </optional> + <optional> + <attribute name="revoke_forgotten"> + <value>yes</value> + </attribute> + </optional> + <optional> + <attribute name="clear_replay_protection"> + <value>yes</value> + </attribute> + </optional> + </define> + <define name="self_payload"> + <optional> + <attribute name="use_hsm"> + <choice> + <value>yes</value> + <value>no</value> + </choice> + </attribute> + </optional> + <optional> + <attribute name="crl_interval"> + <data type="positiveInteger"/> + </attribute> + </optional> + <optional> + 
<attribute name="regen_margin"> + <data type="positiveInteger"/> + </attribute> + </optional> + <optional> + <element name="bpki_cert"> + <ref name="base64"/> + </element> + </optional> + <optional> + <element name="bpki_glue"> + <ref name="base64"/> + </element> + </optional> + </define> + <define name="self_handle"> + <attribute name="self_handle"> + <ref name="object_handle"/> + </attribute> + </define> + <define name="self_query" combine="choice"> + <element name="self"> + <ref name="ctl_create"/> + <ref name="self_handle"/> + <ref name="self_bool"/> + <ref name="self_payload"/> + </element> + </define> + <define name="self_reply" combine="choice"> + <element name="self"> + <ref name="ctl_create"/> + <ref name="self_handle"/> + </element> + </define> + <define name="self_query" combine="choice"> + <element name="self"> + <ref name="ctl_set"/> + <ref name="self_handle"/> + <ref name="self_bool"/> + <ref name="self_payload"/> + </element> + </define> + <define name="self_reply" combine="choice"> + <element name="self"> + <ref name="ctl_set"/> + <ref name="self_handle"/> + </element> + </define> + <define name="self_query" combine="choice"> + <element name="self"> + <ref name="ctl_get"/> + <ref name="self_handle"/> + </element> + </define> + <define name="self_reply" combine="choice"> + <element name="self"> + <ref name="ctl_get"/> + <ref name="self_handle"/> + <ref name="self_payload"/> + </element> + </define> + <define name="self_query" combine="choice"> + <element name="self"> + <ref name="ctl_list"/> + </element> + </define> + <define name="self_reply" combine="choice"> + <element name="self"> + <ref name="ctl_list"/> + <ref name="self_handle"/> + <ref name="self_payload"/> + </element> + </define> + <define name="self_query" combine="choice"> + <element name="self"> + <ref name="ctl_destroy"/> + <ref name="self_handle"/> + </element> + </define> + <define name="self_reply" combine="choice"> + <element name="self"> + <ref name="ctl_destroy"/> + <ref 
name="self_handle"/> + </element> + </define> + <!-- <bsc/> element. Key parameters hardwired for now. --> + <define name="bsc_bool"> + <optional> + <attribute name="generate_keypair"> + <value>yes</value> + </attribute> + <optional> + <attribute name="key_type"> + <value>rsa</value> + </attribute> + </optional> + <optional> + <attribute name="hash_alg"> + <value>sha256</value> + </attribute> + </optional> + <optional> + <attribute name="key_length"> + <value>2048</value> + </attribute> + </optional> + </optional> + </define> + <define name="bsc_handle"> + <attribute name="bsc_handle"> + <ref name="object_handle"/> + </attribute> + </define> + <define name="bsc_payload"> + <optional> + <element name="signing_cert"> + <ref name="base64"/> + </element> + </optional> + <optional> + <element name="signing_cert_crl"> + <ref name="base64"/> + </element> + </optional> + </define> + <define name="bsc_readonly"> + <optional> + <element name="pkcs10_request"> + <ref name="base64"/> + </element> + </optional> + </define> + <define name="bsc_query" combine="choice"> + <element name="bsc"> + <ref name="ctl_create"/> + <ref name="self_handle"/> + <ref name="bsc_handle"/> + <ref name="bsc_bool"/> + <ref name="bsc_payload"/> + </element> + </define> + <define name="bsc_reply" combine="choice"> + <element name="bsc"> + <ref name="ctl_create"/> + <ref name="self_handle"/> + <ref name="bsc_handle"/> + <ref name="bsc_readonly"/> + </element> + </define> + <define name="bsc_query" combine="choice"> + <element name="bsc"> + <ref name="ctl_set"/> + <ref name="self_handle"/> + <ref name="bsc_handle"/> + <ref name="bsc_bool"/> + <ref name="bsc_payload"/> + </element> + </define> + <define name="bsc_reply" combine="choice"> + <element name="bsc"> + <ref name="ctl_set"/> + <ref name="self_handle"/> + <ref name="bsc_handle"/> + <ref name="bsc_readonly"/> + </element> + </define> + <define name="bsc_query" combine="choice"> + <element name="bsc"> + <ref name="ctl_get"/> + <ref 
name="self_handle"/> + <ref name="bsc_handle"/> + </element> + </define> + <define name="bsc_reply" combine="choice"> + <element name="bsc"> + <ref name="ctl_get"/> + <ref name="self_handle"/> + <ref name="bsc_handle"/> + <ref name="bsc_payload"/> + <ref name="bsc_readonly"/> + </element> + </define> + <define name="bsc_query" combine="choice"> + <element name="bsc"> + <ref name="ctl_list"/> + <ref name="self_handle"/> + </element> + </define> + <define name="bsc_reply" combine="choice"> + <element name="bsc"> + <ref name="ctl_list"/> + <ref name="self_handle"/> + <ref name="bsc_handle"/> + <ref name="bsc_payload"/> + <ref name="bsc_readonly"/> + </element> + </define> + <define name="bsc_query" combine="choice"> + <element name="bsc"> + <ref name="ctl_destroy"/> + <ref name="self_handle"/> + <ref name="bsc_handle"/> + </element> + </define> + <define name="bsc_reply" combine="choice"> + <element name="bsc"> + <ref name="ctl_destroy"/> + <ref name="self_handle"/> + <ref name="bsc_handle"/> + </element> + </define> + <!-- <parent/> element --> + <define name="parent_handle"> + <attribute name="parent_handle"> + <ref name="object_handle"/> + </attribute> + </define> + <define name="parent_bool"> + <optional> + <attribute name="rekey"> + <value>yes</value> + </attribute> + </optional> + <optional> + <attribute name="reissue"> + <value>yes</value> + </attribute> + </optional> + <optional> + <attribute name="revoke"> + <value>yes</value> + </attribute> + </optional> + <optional> + <attribute name="revoke_forgotten"> + <value>yes</value> + </attribute> + </optional> + <optional> + <attribute name="clear_replay_protection"> + <value>yes</value> + </attribute> + </optional> + </define> + <define name="parent_payload"> + <optional> + <attribute name="peer_contact_uri"> + <ref name="uri"/> + </attribute> + </optional> + <optional> + <attribute name="sia_base"> + <ref name="uri"/> + </attribute> + </optional> + <optional> + <ref name="bsc_handle"/> + </optional> + <optional> 
+ <ref name="repository_handle"/> + </optional> + <optional> + <attribute name="sender_name"> + <ref name="up_down_name"/> + </attribute> + </optional> + <optional> + <attribute name="recipient_name"> + <ref name="up_down_name"/> + </attribute> + </optional> + <optional> + <element name="bpki_cms_cert"> + <ref name="base64"/> + </element> + </optional> + <optional> + <element name="bpki_cms_glue"> + <ref name="base64"/> + </element> + </optional> + </define> + <define name="parent_query" combine="choice"> + <element name="parent"> + <ref name="ctl_create"/> + <ref name="self_handle"/> + <ref name="parent_handle"/> + <ref name="parent_bool"/> + <ref name="parent_payload"/> + </element> + </define> + <define name="parent_reply" combine="choice"> + <element name="parent"> + <ref name="ctl_create"/> + <ref name="self_handle"/> + <ref name="parent_handle"/> + </element> + </define> + <define name="parent_query" combine="choice"> + <element name="parent"> + <ref name="ctl_set"/> + <ref name="self_handle"/> + <ref name="parent_handle"/> + <ref name="parent_bool"/> + <ref name="parent_payload"/> + </element> + </define> + <define name="parent_reply" combine="choice"> + <element name="parent"> + <ref name="ctl_set"/> + <ref name="self_handle"/> + <ref name="parent_handle"/> + </element> + </define> + <define name="parent_query" combine="choice"> + <element name="parent"> + <ref name="ctl_get"/> + <ref name="self_handle"/> + <ref name="parent_handle"/> + </element> + </define> + <define name="parent_reply" combine="choice"> + <element name="parent"> + <ref name="ctl_get"/> + <ref name="self_handle"/> + <ref name="parent_handle"/> + <ref name="parent_payload"/> + </element> + </define> + <define name="parent_query" combine="choice"> + <element name="parent"> + <ref name="ctl_list"/> + <ref name="self_handle"/> + </element> + </define> + <define name="parent_reply" combine="choice"> + <element name="parent"> + <ref name="ctl_list"/> + <ref name="self_handle"/> + <ref 
name="parent_handle"/> + <ref name="parent_payload"/> + </element> + </define> + <define name="parent_query" combine="choice"> + <element name="parent"> + <ref name="ctl_destroy"/> + <ref name="self_handle"/> + <ref name="parent_handle"/> + </element> + </define> + <define name="parent_reply" combine="choice"> + <element name="parent"> + <ref name="ctl_destroy"/> + <ref name="self_handle"/> + <ref name="parent_handle"/> + </element> + </define> + <!-- <child/> element --> + <define name="child_handle"> + <attribute name="child_handle"> + <ref name="object_handle"/> + </attribute> + </define> + <define name="child_bool"> + <optional> + <attribute name="reissue"> + <value>yes</value> + </attribute> + </optional> + <optional> + <attribute name="clear_replay_protection"> + <value>yes</value> + </attribute> + </optional> + </define> + <define name="child_payload"> + <optional> + <ref name="bsc_handle"/> + </optional> + <optional> + <element name="bpki_cert"> + <ref name="base64"/> + </element> + </optional> + <optional> + <element name="bpki_glue"> + <ref name="base64"/> + </element> + </optional> + </define> + <define name="child_query" combine="choice"> + <element name="child"> + <ref name="ctl_create"/> + <ref name="self_handle"/> + <ref name="child_handle"/> + <ref name="child_bool"/> + <ref name="child_payload"/> + </element> + </define> + <define name="child_reply" combine="choice"> + <element name="child"> + <ref name="ctl_create"/> + <ref name="self_handle"/> + <ref name="child_handle"/> + </element> + </define> + <define name="child_query" combine="choice"> + <element name="child"> + <ref name="ctl_set"/> + <ref name="self_handle"/> + <ref name="child_handle"/> + <ref name="child_bool"/> + <ref name="child_payload"/> + </element> + </define> + <define name="child_reply" combine="choice"> + <element name="child"> + <ref name="ctl_set"/> + <ref name="self_handle"/> + <ref name="child_handle"/> + </element> + </define> + <define name="child_query" 
combine="choice"> + <element name="child"> + <ref name="ctl_get"/> + <ref name="self_handle"/> + <ref name="child_handle"/> + </element> + </define> + <define name="child_reply" combine="choice"> + <element name="child"> + <ref name="ctl_get"/> + <ref name="self_handle"/> + <ref name="child_handle"/> + <ref name="child_payload"/> + </element> + </define> + <define name="child_query" combine="choice"> + <element name="child"> + <ref name="ctl_list"/> + <ref name="self_handle"/> + </element> + </define> + <define name="child_reply" combine="choice"> + <element name="child"> + <ref name="ctl_list"/> + <ref name="self_handle"/> + <ref name="child_handle"/> + <ref name="child_payload"/> + </element> + </define> + <define name="child_query" combine="choice"> + <element name="child"> + <ref name="ctl_destroy"/> + <ref name="self_handle"/> + <ref name="child_handle"/> + </element> + </define> + <define name="child_reply" combine="choice"> + <element name="child"> + <ref name="ctl_destroy"/> + <ref name="self_handle"/> + <ref name="child_handle"/> + </element> + </define> + <!-- <repository/> element --> + <define name="repository_handle"> + <attribute name="repository_handle"> + <ref name="object_handle"/> + </attribute> + </define> + <define name="repository_bool"> + <optional> + <attribute name="clear_replay_protection"> + <value>yes</value> + </attribute> + </optional> + </define> + <define name="repository_payload"> + <optional> + <attribute name="peer_contact_uri"> + <ref name="uri"/> + </attribute> + </optional> + <optional> + <ref name="bsc_handle"/> + </optional> + <optional> + <element name="bpki_cert"> + <ref name="base64"/> + </element> + </optional> + <optional> + <element name="bpki_glue"> + <ref name="base64"/> + </element> + </optional> + </define> + <define name="repository_query" combine="choice"> + <element name="repository"> + <ref name="ctl_create"/> + <ref name="self_handle"/> + <ref name="repository_handle"/> + <ref name="repository_bool"/> + <ref 
name="repository_payload"/> + </element> + </define> + <define name="repository_reply" combine="choice"> + <element name="repository"> + <ref name="ctl_create"/> + <ref name="self_handle"/> + <ref name="repository_handle"/> + </element> + </define> + <define name="repository_query" combine="choice"> + <element name="repository"> + <ref name="ctl_set"/> + <ref name="self_handle"/> + <ref name="repository_handle"/> + <ref name="repository_bool"/> + <ref name="repository_payload"/> + </element> + </define> + <define name="repository_reply" combine="choice"> + <element name="repository"> + <ref name="ctl_set"/> + <ref name="self_handle"/> + <ref name="repository_handle"/> + </element> + </define> + <define name="repository_query" combine="choice"> + <element name="repository"> + <ref name="ctl_get"/> + <ref name="self_handle"/> + <ref name="repository_handle"/> + </element> + </define> + <define name="repository_reply" combine="choice"> + <element name="repository"> + <ref name="ctl_get"/> + <ref name="self_handle"/> + <ref name="repository_handle"/> + <ref name="repository_payload"/> + </element> + </define> + <define name="repository_query" combine="choice"> + <element name="repository"> + <ref name="ctl_list"/> + <ref name="self_handle"/> + </element> + </define> + <define name="repository_reply" combine="choice"> + <element name="repository"> + <ref name="ctl_list"/> + <ref name="self_handle"/> + <ref name="repository_handle"/> + <ref name="repository_payload"/> + </element> + </define> + <define name="repository_query" combine="choice"> + <element name="repository"> + <ref name="ctl_destroy"/> + <ref name="self_handle"/> + <ref name="repository_handle"/> + </element> + </define> + <define name="repository_reply" combine="choice"> + <element name="repository"> + <ref name="ctl_destroy"/> + <ref name="self_handle"/> + <ref name="repository_handle"/> + </element> + </define> + <!-- <list_resources/> element --> + <define name="list_resources_query"> + <element 
name="list_resources"> + <ref name="tag"/> + <ref name="self_handle"/> + <ref name="child_handle"/> + </element> + </define> + <define name="list_resources_reply"> + <element name="list_resources"> + <ref name="tag"/> + <ref name="self_handle"/> + <ref name="child_handle"/> + <attribute name="valid_until"> + <data type="dateTime"> + <param name="pattern">.*Z</param> + </data> + </attribute> + <optional> + <attribute name="asn"> + <ref name="asn_list"/> + </attribute> + </optional> + <optional> + <attribute name="ipv4"> + <ref name="ipv4_list"/> + </attribute> + </optional> + <optional> + <attribute name="ipv6"> + <ref name="ipv6_list"/> + </attribute> + </optional> + </element> + </define> + <!-- <list_roa_requests/> element --> + <define name="list_roa_requests_query"> + <element name="list_roa_requests"> + <ref name="tag"/> + <ref name="self_handle"/> + </element> + </define> + <define name="list_roa_requests_reply"> + <element name="list_roa_requests"> + <ref name="tag"/> + <ref name="self_handle"/> + <attribute name="asn"> + <data type="nonNegativeInteger"/> + </attribute> + <optional> + <attribute name="ipv4"> + <ref name="ipv4_list"/> + </attribute> + </optional> + <optional> + <attribute name="ipv6"> + <ref name="ipv6_list"/> + </attribute> + </optional> + </element> + </define> + <!-- <list_ghostbuster_requests/> element --> + <define name="list_ghostbuster_requests_query"> + <element name="list_ghostbuster_requests"> + <ref name="tag"/> + <ref name="self_handle"/> + <ref name="parent_handle"/> + </element> + </define> + <define name="list_ghostbuster_requests_reply"> + <element name="list_ghostbuster_requests"> + <ref name="tag"/> + <ref name="self_handle"/> + <ref name="parent_handle"/> + <data type="string"/> + </element> + </define> + <!-- <list_ee_certificate_requests/> element --> + <define name="list_ee_certificate_requests_query"> + <element name="list_ee_certificate_requests"> + <ref name="tag"/> + <ref name="self_handle"/> + </element> + </define> 
+ <define name="list_ee_certificate_requests_reply"> + <element name="list_ee_certificate_requests"> + <ref name="tag"/> + <ref name="self_handle"/> + <attribute name="gski"> + <data type="token"> + <param name="minLength">27</param> + <param name="maxLength">27</param> + </data> + </attribute> + <attribute name="valid_until"> + <data type="dateTime"> + <param name="pattern">.*Z</param> + </data> + </attribute> + <optional> + <attribute name="asn"> + <ref name="asn_list"/> + </attribute> + </optional> + <optional> + <attribute name="ipv4"> + <ref name="ipv4_list"/> + </attribute> + </optional> + <optional> + <attribute name="ipv6"> + <ref name="ipv6_list"/> + </attribute> + </optional> + <optional> + <attribute name="cn"> + <data type="string"> + <param name="maxLength">64</param> + <param name="pattern">[\-0-9A-Za-z_ ]+</param> + </data> + </attribute> + </optional> + <optional> + <attribute name="sn"> + <data type="string"> + <param name="maxLength">64</param> + <param name="pattern">[0-9A-Fa-f]+</param> + </data> + </attribute> + </optional> + <optional> + <attribute name="eku"> + <data type="string"> + <param name="maxLength">512000</param> + <param name="pattern">[.,0-9]+</param> + </data> + </attribute> + </optional> + <element name="pkcs10"> + <ref name="base64"/> + </element> + </element> + </define> + <!-- <list_published_objects/> element --> + <define name="list_published_objects_query"> + <element name="list_published_objects"> + <ref name="tag"/> + <ref name="self_handle"/> + </element> + </define> + <define name="list_published_objects_reply"> + <element name="list_published_objects"> + <ref name="tag"/> + <ref name="self_handle"/> + <attribute name="uri"> + <ref name="uri"/> + </attribute> + <optional> + <attribute name="child_handle"> + <ref name="object_handle"/> + </attribute> + </optional> + <ref name="base64"/> + </element> + </define> + <!-- <list_received_resources/> element --> + <define name="list_received_resources_query"> + <element 
name="list_received_resources"> + <ref name="tag"/> + <ref name="self_handle"/> + </element> + </define> + <define name="list_received_resources_reply"> + <element name="list_received_resources"> + <ref name="tag"/> + <ref name="self_handle"/> + <ref name="parent_handle"/> + <attribute name="notBefore"> + <data type="dateTime"> + <param name="pattern">.*Z</param> + </data> + </attribute> + <attribute name="notAfter"> + <data type="dateTime"> + <param name="pattern">.*Z</param> + </data> + </attribute> + <attribute name="uri"> + <ref name="uri"/> + </attribute> + <attribute name="sia_uri"> + <ref name="uri"/> + </attribute> + <attribute name="aia_uri"> + <ref name="uri"/> + </attribute> + <optional> + <attribute name="asn"> + <ref name="asn_list"/> + </attribute> + </optional> + <optional> + <attribute name="ipv4"> + <ref name="ipv4_list"/> + </attribute> + </optional> + <optional> + <attribute name="ipv6"> + <ref name="ipv6_list"/> + </attribute> + </optional> + </element> + </define> + <!-- <report_error/> element --> + <define name="error"> + <data type="token"> + <param name="maxLength">1024</param> + </data> + </define> + <define name="report_error_reply"> + <element name="report_error"> + <ref name="tag"/> + <optional> + <ref name="self_handle"/> + </optional> + <attribute name="error_code"> + <ref name="error"/> + </attribute> + <optional> + <data type="string"> + <param name="maxLength">512000</param> + </data> + </optional> + </element> + </define> +</grammar> +<!-- + Local Variables: + indent-tabs-mode: nil + comment-start: "# " + comment-start-skip: "#[ \t]*" + End: +--> diff --git a/schemas/relaxng/myrpki.rnc b/schemas/relaxng/myrpki.rnc new file mode 100644 index 00000000..156ab0d5 --- /dev/null +++ b/schemas/relaxng/myrpki.rnc 
@@ -0,0 +1,164 @@
+# $Id$
+#
+# RelaxNG schema for MyRPKI XML messages.
+#
+# This message protocol is on its way out, as we're in the process of
+# moving on from the user interface model that produced it, but even
+# after we finish replacing it we'll still need the schema for a while
+# to validate old messages when upgrading.
+#
+# libxml2 (including xmllint) only groks the XML syntax of RelaxNG, so
+# run the compact syntax through trang to get XML syntax.
+#
+# Copyright (C) 2009-2011 Internet Systems Consortium ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+default namespace = "http://www.hactrn.net/uris/rpki/myrpki/"
+
+version = "2"
+
+base64 = xsd:base64Binary { maxLength="512000" }
+object_handle = xsd:string { maxLength="255" pattern="[\-_A-Za-z0-9]+" }
+pubd_handle = xsd:string { maxLength="255" pattern="[\-_A-Za-z0-9/]+" }
+uri = xsd:anyURI { maxLength="4096" }
+asn = xsd:positiveInteger
+asn_list = xsd:string { maxLength="512000" pattern="[\-,0-9]+" }
+ipv4_list = xsd:string { maxLength="512000" pattern="[\-,0-9/.]+" }
+ipv6_list = xsd:string { maxLength="512000" pattern="[\-,0-9/:a-fA-F]+" }
+timestamp = xsd:dateTime { pattern=".*Z" }
+
+# Message formate used between configure_resources and
+# configure_daemons.
+
+start |= element myrpki {
+ attribute version { version },
+ attribute handle { object_handle },
+ attribute service_uri { uri }?,
+ element roa_request {
+ attribute asn { asn },
+ attribute v4 { ipv4_list },
+ attribute v6 { ipv6_list }
+ }*,
+ element child {
+ attribute handle { object_handle },
+ attribute valid_until { timestamp },
+ attribute asns { asn_list }?,
+ attribute v4 { ipv4_list }?,
+ attribute v6 { ipv6_list }?,
+ element bpki_certificate { base64 }?
+ }*,
+ element parent {
+ attribute handle { object_handle },
+ attribute service_uri { uri }?,
+ attribute myhandle { object_handle }?,
+ attribute sia_base { uri }?,
+ element bpki_cms_certificate { base64 }?
+ }*,
+ element repository {
+ attribute handle { object_handle },
+ attribute service_uri { uri }?,
+ element bpki_certificate { base64 }?
+ }*,
+ element bpki_ca_certificate { base64 }?,
+ element bpki_crl { base64 }?,
+ element bpki_bsc_certificate { base64 }?,
+ element bpki_bsc_pkcs10 { base64 }?
+}
+
+# Format of an identity.xml file.
+
+start |= element identity {
+ attribute version { version },
+ attribute handle { object_handle },
+ element bpki_ta { base64 }
+}
+
+# Format of <authorization/> element used in referrals. The Base64
+# text is a <referral/> (q. v.) element signed with CMS.
+
+authorization = element authorization {
+ attribute referrer { pubd_handle },
+ base64
+}
+
+# Format of <contact_info/> element used in referrals.
+
+contact_info = element contact_info {
+ attribute uri { uri }?,
+ xsd:string
+}
+
+# Variant payload portion of a <repository/> element.
+
+repository_payload = (
+ (attribute type { "none" }) |
+ (attribute type { "offer" }) |
+ (attribute type { "referral" }, authorization, contact_info)
+)
+
+# <parent/> element (response from configure_child).
+
+start |= element parent {
+ attribute version { version },
+ attribute valid_until { timestamp }?,
+ attribute service_uri { uri }?,
+ attribute child_handle { object_handle },
+ attribute parent_handle { object_handle },
+ element bpki_resource_ta { base64 },
+ element bpki_child_ta { base64 },
+ element repository { repository_payload }?
+}
+
+# <repository/> element, types offer and referral
+# (input to configure_publication_client).
+
+start |= element repository {
+ attribute version { version },
+ attribute handle { object_handle },
+ attribute parent_handle { object_handle },
+ repository_payload,
+ element bpki_client_ta { base64 }
+}
+
+# <repository/> element, confirmation type (output of
+# configure_publication_client).
+
+start |= element repository {
+ attribute version { version },
+ attribute type { "confirmed" },
+ attribute parent_handle { object_handle },
+ attribute client_handle { pubd_handle },
+ attribute service_uri { uri },
+ attribute sia_base { uri },
+ element bpki_server_ta { base64 },
+ element bpki_client_ta { base64 },
+ authorization?,
+ contact_info?
+}
+
+# <referral/> element. This is the entirety of a separate message
+# which is signed with CMS then included ase the Base64 content of an
+# <authorization/> element in the main message.
+
+start |= element referral {
+ attribute version { version },
+ attribute authorized_sia_base { uri },
+ base64
+}
+
+# Local Variables:
+# indent-tabs-mode: nil
+# comment-start: "# "
+# comment-start-skip: "#[ \t]*"
+# End:
diff --git a/schemas/relaxng/myrpki.rng b/schemas/relaxng/myrpki.rng
new file mode 100644
index 00000000..07b8beb3
--- /dev/null
+++ b/schemas/relaxng/myrpki.rng
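Review bot: `asn = xsd:positiveInteger` for `roa_request` rejects AS0 and accepts values above 2^32-1, which disagrees with the left-right schema in this same commit, where `list_roa_requests` declares `asn` as `nonNegativeInteger`; if AS0 ROAs are meant to be expressible here, `asn = xsd:nonNegativeInteger { maxInclusive="4294967295" }` would match both the 32-bit ASN range and the sibling schema. Separately, `contact_info` carries a bare `xsd:string` with no `maxLength`, while every other free-text field in the file is capped (`base64` at 512000, handles at 255, `uri` at 4096); since that text arrives inside a referral from another party, a cap such as `xsd:string { maxLength="4096" }` keeps the schema's size bound uniform. The `service_uri` and `sia_base` attributes are `xsd:anyURI` with no scheme constraint, so whatever consumes them presumably checks the scheme in code — worth a comment here if so. Minor: "formate" in the comment above `start |= element myrpki` should read "format".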
@@ -0,0 +1,379 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + $Id: myrpki.rnc 5753 2014-04-05 19:24:26Z sra $ + + RelaxNG schema for MyRPKI XML messages. + + This message protocol is on its way out, as we're in the process of + moving on from the user interface model that produced it, but even + after we finish replacing it we'll still need the schema for a while + to validate old messages when upgrading. + + libxml2 (including xmllint) only groks the XML syntax of RelaxNG, so + run the compact syntax through trang to get XML syntax. + + Copyright (C) 2009-2011 Internet Systems Consortium ("ISC") + + Permission to use, copy, modify, and distribute this software for any + purpose with or without fee is hereby granted, provided that the above + copyright notice and this permission notice appear in all copies. + + THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + PERFORMANCE OF THIS SOFTWARE. 
+--> +<grammar ns="http://www.hactrn.net/uris/rpki/myrpki/" xmlns="http://relaxng.org/ns/structure/1.0" datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes"> + <define name="version"> + <value>2</value> + </define> + <define name="base64"> + <data type="base64Binary"> + <param name="maxLength">512000</param> + </data> + </define> + <define name="object_handle"> + <data type="string"> + <param name="maxLength">255</param> + <param name="pattern">[\-_A-Za-z0-9]+</param> + </data> + </define> + <define name="pubd_handle"> + <data type="string"> + <param name="maxLength">255</param> + <param name="pattern">[\-_A-Za-z0-9/]+</param> + </data> + </define> + <define name="uri"> + <data type="anyURI"> + <param name="maxLength">4096</param> + </data> + </define> + <define name="asn"> + <data type="positiveInteger"/> + </define> + <define name="asn_list"> + <data type="string"> + <param name="maxLength">512000</param> + <param name="pattern">[\-,0-9]+</param> + </data> + </define> + <define name="ipv4_list"> + <data type="string"> + <param name="maxLength">512000</param> + <param name="pattern">[\-,0-9/.]+</param> + </data> + </define> + <define name="ipv6_list"> + <data type="string"> + <param name="maxLength">512000</param> + <param name="pattern">[\-,0-9/:a-fA-F]+</param> + </data> + </define> + <define name="timestamp"> + <data type="dateTime"> + <param name="pattern">.*Z</param> + </data> + </define> + <!-- + Message formate used between configure_resources and + configure_daemons. 
+ --> + <start combine="choice"> + <element name="myrpki"> + <attribute name="version"> + <ref name="version"/> + </attribute> + <attribute name="handle"> + <ref name="object_handle"/> + </attribute> + <optional> + <attribute name="service_uri"> + <ref name="uri"/> + </attribute> + </optional> + <zeroOrMore> + <element name="roa_request"> + <attribute name="asn"> + <ref name="asn"/> + </attribute> + <attribute name="v4"> + <ref name="ipv4_list"/> + </attribute> + <attribute name="v6"> + <ref name="ipv6_list"/> + </attribute> + </element> + </zeroOrMore> + <zeroOrMore> + <element name="child"> + <attribute name="handle"> + <ref name="object_handle"/> + </attribute> + <attribute name="valid_until"> + <ref name="timestamp"/> + </attribute> + <optional> + <attribute name="asns"> + <ref name="asn_list"/> + </attribute> + </optional> + <optional> + <attribute name="v4"> + <ref name="ipv4_list"/> + </attribute> + </optional> + <optional> + <attribute name="v6"> + <ref name="ipv6_list"/> + </attribute> + </optional> + <optional> + <element name="bpki_certificate"> + <ref name="base64"/> + </element> + </optional> + </element> + </zeroOrMore> + <zeroOrMore> + <element name="parent"> + <attribute name="handle"> + <ref name="object_handle"/> + </attribute> + <optional> + <attribute name="service_uri"> + <ref name="uri"/> + </attribute> + </optional> + <optional> + <attribute name="myhandle"> + <ref name="object_handle"/> + </attribute> + </optional> + <optional> + <attribute name="sia_base"> + <ref name="uri"/> + </attribute> + </optional> + <optional> + <element name="bpki_cms_certificate"> + <ref name="base64"/> + </element> + </optional> + </element> + </zeroOrMore> + <zeroOrMore> + <element name="repository"> + <attribute name="handle"> + <ref name="object_handle"/> + </attribute> + <optional> + <attribute name="service_uri"> + <ref name="uri"/> + </attribute> + </optional> + <optional> + <element name="bpki_certificate"> + <ref name="base64"/> + </element> + </optional> 
+ </element> + </zeroOrMore> + <optional> + <element name="bpki_ca_certificate"> + <ref name="base64"/> + </element> + </optional> + <optional> + <element name="bpki_crl"> + <ref name="base64"/> + </element> + </optional> + <optional> + <element name="bpki_bsc_certificate"> + <ref name="base64"/> + </element> + </optional> + <optional> + <element name="bpki_bsc_pkcs10"> + <ref name="base64"/> + </element> + </optional> + </element> + </start> + <!-- Format of an identity.xml file. --> + <start combine="choice"> + <element name="identity"> + <attribute name="version"> + <ref name="version"/> + </attribute> + <attribute name="handle"> + <ref name="object_handle"/> + </attribute> + <element name="bpki_ta"> + <ref name="base64"/> + </element> + </element> + </start> + <!-- + Format of <authorization/> element used in referrals. The Base64 + text is a <referral/> (q. v.) element signed with CMS. + --> + <define name="authorization"> + <element name="authorization"> + <attribute name="referrer"> + <ref name="pubd_handle"/> + </attribute> + <ref name="base64"/> + </element> + </define> + <!-- Format of <contact_info/> element used in referrals. --> + <define name="contact_info"> + <element name="contact_info"> + <optional> + <attribute name="uri"> + <ref name="uri"/> + </attribute> + </optional> + <data type="string"/> + </element> + </define> + <!-- Variant payload portion of a <repository/> element. --> + <define name="repository_payload"> + <choice> + <attribute name="type"> + <value>none</value> + </attribute> + <attribute name="type"> + <value>offer</value> + </attribute> + <group> + <attribute name="type"> + <value>referral</value> + </attribute> + <ref name="authorization"/> + <ref name="contact_info"/> + </group> + </choice> + </define> + <!-- <parent/> element (response from configure_child). 
--> + <start combine="choice"> + <element name="parent"> + <attribute name="version"> + <ref name="version"/> + </attribute> + <optional> + <attribute name="valid_until"> + <ref name="timestamp"/> + </attribute> + </optional> + <optional> + <attribute name="service_uri"> + <ref name="uri"/> + </attribute> + </optional> + <attribute name="child_handle"> + <ref name="object_handle"/> + </attribute> + <attribute name="parent_handle"> + <ref name="object_handle"/> + </attribute> + <element name="bpki_resource_ta"> + <ref name="base64"/> + </element> + <element name="bpki_child_ta"> + <ref name="base64"/> + </element> + <optional> + <element name="repository"> + <ref name="repository_payload"/> + </element> + </optional> + </element> + </start> + <!-- + <repository/> element, types offer and referral + (input to configure_publication_client). + --> + <start combine="choice"> + <element name="repository"> + <attribute name="version"> + <ref name="version"/> + </attribute> + <attribute name="handle"> + <ref name="object_handle"/> + </attribute> + <attribute name="parent_handle"> + <ref name="object_handle"/> + </attribute> + <ref name="repository_payload"/> + <element name="bpki_client_ta"> + <ref name="base64"/> + </element> + </element> + </start> + <!-- + <repository/> element, confirmation type (output of + configure_publication_client). 
+ --> + <start combine="choice"> + <element name="repository"> + <attribute name="version"> + <ref name="version"/> + </attribute> + <attribute name="type"> + <value>confirmed</value> + </attribute> + <attribute name="parent_handle"> + <ref name="object_handle"/> + </attribute> + <attribute name="client_handle"> + <ref name="pubd_handle"/> + </attribute> + <attribute name="service_uri"> + <ref name="uri"/> + </attribute> + <attribute name="sia_base"> + <ref name="uri"/> + </attribute> + <element name="bpki_server_ta"> + <ref name="base64"/> + </element> + <element name="bpki_client_ta"> + <ref name="base64"/> + </element> + <optional> + <ref name="authorization"/> + </optional> + <optional> + <ref name="contact_info"/> + </optional> + </element> + </start> + <!-- + <referral/> element. This is the entirety of a separate message + which is signed with CMS then included ase the Base64 content of an + <authorization/> element in the main message. + --> + <start combine="choice"> + <element name="referral"> + <attribute name="version"> + <ref name="version"/> + </attribute> + <attribute name="authorized_sia_base"> + <ref name="uri"/> + </attribute> + <ref name="base64"/> + </element> + </start> +</grammar> +<!-- + Local Variables: + indent-tabs-mode: nil + comment-start: "# " + comment-start-skip: "#[ \t]*" + End: +--> diff --git a/schemas/relaxng/publication-schema.rnc b/schemas/relaxng/publication-schema.rnc new file mode 100644 index 00000000..4353ae80 --- /dev/null +++ b/schemas/relaxng/publication-schema.rnc 
@@ -0,0 +1,137 @@
+# $Id$
+#
+# RelaxNG schema for RPKI publication protocol.
+#
+# Copyright (C) 2012--2014 Dragon Research Labs ("DRL")
+# Portions copyright (C) 2009--2011 Internet Systems Consortium ("ISC")
+# Portions copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notices and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND DRL, ISC, AND ARIN DISCLAIM ALL
+# WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DRL,
+# ISC, OR ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+# CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+# OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+default namespace = "http://www.hactrn.net/uris/rpki/publication-spec/"
+
+# Top level PDU
+
+start = element msg {
+ attribute version { xsd:positiveInteger { maxInclusive="1" } },
+ ( (attribute type { "query" }, query_elt*) |
+ (attribute type { "reply" }, reply_elt*) )
+}
+
+# PDUs allowed in a query
+query_elt = ( config_query | client_query | certificate_query | crl_query |
+ manifest_query | roa_query | ghostbuster_query )
+
+# PDUs allowed in a reply
+reply_elt = ( config_reply | client_reply | certificate_reply | crl_reply |
+ manifest_reply | roa_reply | ghostbuster_reply | report_error_reply )
+
+# Tag attributes for bulk operations
+tag = attribute tag { xsd:token {maxLength="1024" } }
+
+# Base64 encoded DER stuff
+#base64 = xsd:base64Binary { maxLength="512000" }
+#
+# Sadly, it turns out that CRLs can in fact get longer than this for an active CA.
+# Remove length limit for now, think about whether to put it back later.
+base64 = xsd:base64Binary
+
+# Publication URLs
+uri_t = xsd:anyURI { maxLength="4096" }
+uri = attribute uri { uri_t }
+
+# Handles on remote objects (replaces passing raw SQL IDs). NB:
+# Unlike the up-down protocol, handles in this protocol allow "/" as a
+# hierarchy delimiter.
+object_handle = xsd:string { maxLength="255" pattern="[\-_A-Za-z0-9/]+" }
+
+# <config/> element (use restricted to repository operator)
+# config_handle attribute, create, list, and destroy commands omitted deliberately, see code for details
+
+config_payload = (element bpki_crl { base64 }?)
+
+config_query |= element config { attribute action { "set" }, tag?, config_payload }
+config_reply |= element config { attribute action { "set" }, tag? }
+config_query |= element config { attribute action { "get" }, tag? }
+config_reply |= element config { attribute action { "get" }, tag?, config_payload }
+
+# <client/> element (use restricted to repository operator)
+
+client_handle = attribute client_handle { object_handle }
+
+client_bool = attribute clear_replay_protection { "yes" }?
+
+client_payload = (attribute base_uri { uri_t }?, element bpki_cert { base64 }?, element bpki_glue { base64 }?)
+
+client_query |= element client { attribute action { "create" }, tag?, client_handle, client_bool, client_payload }
+client_reply |= element client { attribute action { "create" }, tag?, client_handle }
+client_query |= element client { attribute action { "set" }, tag?, client_handle, client_bool, client_payload }
+client_reply |= element client { attribute action { "set" }, tag?, client_handle }
+client_query |= element client { attribute action { "get" }, tag?, client_handle }
+client_reply |= element client { attribute action { "get" }, tag?, client_handle, client_payload }
+client_query |= element client { attribute action { "list" }, tag? }
+client_reply |= element client { attribute action { "list" }, tag?, client_handle, client_payload }
+client_query |= element client { attribute action { "destroy" }, tag?, client_handle }
+client_reply |= element client { attribute action { "destroy" }, tag?, client_handle }
+
+# <certificate/> element
+
+certificate_query |= element certificate { attribute action { "publish" }, tag?, uri, base64 }
+certificate_reply |= element certificate { attribute action { "publish" }, tag?, uri }
+certificate_query |= element certificate { attribute action { "withdraw" }, tag?, uri }
+certificate_reply |= element certificate { attribute action { "withdraw" }, tag?, uri }
+
+# <crl/> element
+
+crl_query |= element crl { attribute action { "publish" }, tag?, uri, base64 }
+crl_reply |= element crl { attribute action { "publish" }, tag?, uri }
+crl_query |= element crl { attribute action { "withdraw" }, tag?, uri }
+crl_reply |= element crl { attribute action { "withdraw" }, tag?, uri }
+
+# <manifest/> element
+
+manifest_query |= element manifest { attribute action { "publish" }, tag?, uri, base64 }
+manifest_reply |= element manifest { attribute action { "publish" }, tag?, uri }
+manifest_query |= element manifest { attribute action { "withdraw" }, tag?, uri }
+manifest_reply |= element manifest { attribute action { "withdraw" }, tag?, uri }
+
+# <roa/> element
+
+roa_query |= element roa { attribute action { "publish" }, tag?, uri, base64 }
+roa_reply |= element roa { attribute action { "publish" }, tag?, uri }
+roa_query |= element roa { attribute action { "withdraw" }, tag?, uri }
+roa_reply |= element roa { attribute action { "withdraw" }, tag?, uri }
+
+# <ghostbuster/> element
+
+ghostbuster_query |= element ghostbuster { attribute action { "publish" }, tag?, uri, base64 }
+ghostbuster_reply |= element ghostbuster { attribute action { "publish" }, tag?, uri }
+ghostbuster_query |= element ghostbuster { attribute action { "withdraw" }, tag?, uri }
+ghostbuster_reply |= element ghostbuster { attribute action { "withdraw" }, tag?, uri }
+
+# <report_error/> element
+
+error = xsd:token { maxLength="1024" }
+
+report_error_reply = element report_error {
+ tag?,
+ attribute error_code { error },
+ xsd:string { maxLength="512000" }?
+}
+
+# Local Variables:
+# indent-tabs-mode: nil
+# comment-start: "# "
+# comment-start-skip: "#[ \t]*"
+# End:
diff --git a/schemas/relaxng/publication-schema.rng b/schemas/relaxng/publication-schema.rng
new file mode 100644
index 00000000..63fb6ea5
--- /dev/null
+++ b/schemas/relaxng/publication-schema.rng
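Review bot: Dropping the `maxLength` facet from `base64` (the commented-out `#base64 = xsd:base64Binary { maxLength="512000" }` line) removes the only size bound on the DER payload of every `publish` PDU — certificate, crl, manifest, roa and ghostbuster — so a client that passes the BPKI/CMS checks can submit arbitrarily large objects and the schema no longer states what size is acceptable. Rather than removing the facet, raising it to a value sized for the large CRLs the comment mentions, or adding a comment naming where the request-body limit is enforced instead (presumably the HTTP layer in front of the schema check), keeps the limit documented; as written, `report_error` text still carries `maxLength="512000"` while the far larger DER payloads are unbounded. The `object_handle` pattern admits `/` as a hierarchy delimiter but not `.`, so `..` segments are excluded, though leading or repeated slashes (`/a`, `a//b`) still match — if handles are ever mapped to filesystem paths or URL segments the consumer has to normalise them. Nothing in the schema ties a `publish` `uri` to the client's `base_uri`, so that containment check is presumably done in code and deserves a note next to `client_payload`, e.g. `# base_uri is the prefix every uri this client publishes must fall under; enforced in code, not here`.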
@@ -0,0 +1,574 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + $Id: publication-schema.rnc 5753 2014-04-05 19:24:26Z sra $ + + RelaxNG schema for RPKI publication protocol. + + Copyright (C) 2012- -2014 Dragon Research Labs ("DRL") + Portions copyright (C) 2009- -2011 Internet Systems Consortium ("ISC") + Portions copyright (C) 2007- -2008 American Registry for Internet Numbers ("ARIN") + + Permission to use, copy, modify, and distribute this software for any + purpose with or without fee is hereby granted, provided that the above + copyright notices and this permission notice appear in all copies. + + THE SOFTWARE IS PROVIDED "AS IS" AND DRL, ISC, AND ARIN DISCLAIM ALL + WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED + WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DRL, + ISC, OR ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR + CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS + OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, + NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION + WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
+--> +<grammar ns="http://www.hactrn.net/uris/rpki/publication-spec/" xmlns="http://relaxng.org/ns/structure/1.0" datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes"> + <!-- Top level PDU --> + <start> + <element name="msg"> + <attribute name="version"> + <data type="positiveInteger"> + <param name="maxInclusive">1</param> + </data> + </attribute> + <choice> + <group> + <attribute name="type"> + <value>query</value> + </attribute> + <zeroOrMore> + <ref name="query_elt"/> + </zeroOrMore> + </group> + <group> + <attribute name="type"> + <value>reply</value> + </attribute> + <zeroOrMore> + <ref name="reply_elt"/> + </zeroOrMore> + </group> + </choice> + </element> + </start> + <!-- PDUs allowed in a query --> + <define name="query_elt"> + <choice> + <ref name="config_query"/> + <ref name="client_query"/> + <ref name="certificate_query"/> + <ref name="crl_query"/> + <ref name="manifest_query"/> + <ref name="roa_query"/> + <ref name="ghostbuster_query"/> + </choice> + </define> + <!-- PDUs allowed in a reply --> + <define name="reply_elt"> + <choice> + <ref name="config_reply"/> + <ref name="client_reply"/> + <ref name="certificate_reply"/> + <ref name="crl_reply"/> + <ref name="manifest_reply"/> + <ref name="roa_reply"/> + <ref name="ghostbuster_reply"/> + <ref name="report_error_reply"/> + </choice> + </define> + <!-- Tag attributes for bulk operations --> + <define name="tag"> + <attribute name="tag"> + <data type="token"> + <param name="maxLength">1024</param> + </data> + </attribute> + </define> + <!-- + Base64 encoded DER stuff + base64 = xsd:base64Binary { maxLength="512000" } + + Sadly, it turns out that CRLs can in fact get longer than this for an active CA. + Remove length limit for now, think about whether to put it back later. 
+ --> + <define name="base64"> + <data type="base64Binary"/> + </define> + <!-- Publication URLs --> + <define name="uri_t"> + <data type="anyURI"> + <param name="maxLength">4096</param> + </data> + </define> + <define name="uri"> + <attribute name="uri"> + <ref name="uri_t"/> + </attribute> + </define> + <!-- + Handles on remote objects (replaces passing raw SQL IDs). NB: + Unlike the up-down protocol, handles in this protocol allow "/" as a + hierarchy delimiter. + --> + <define name="object_handle"> + <data type="string"> + <param name="maxLength">255</param> + <param name="pattern">[\-_A-Za-z0-9/]+</param> + </data> + </define> + <!-- + <config/> element (use restricted to repository operator) + config_handle attribute, create, list, and destroy commands omitted deliberately, see code for details + --> + <define name="config_payload"> + <optional> + <element name="bpki_crl"> + <ref name="base64"/> + </element> + </optional> + </define> + <define name="config_query" combine="choice"> + <element name="config"> + <attribute name="action"> + <value>set</value> + </attribute> + <optional> + <ref name="tag"/> + </optional> + <ref name="config_payload"/> + </element> + </define> + <define name="config_reply" combine="choice"> + <element name="config"> + <attribute name="action"> + <value>set</value> + </attribute> + <optional> + <ref name="tag"/> + </optional> + </element> + </define> + <define name="config_query" combine="choice"> + <element name="config"> + <attribute name="action"> + <value>get</value> + </attribute> + <optional> + <ref name="tag"/> + </optional> + </element> + </define> + <define name="config_reply" combine="choice"> + <element name="config"> + <attribute name="action"> + <value>get</value> + </attribute> + <optional> + <ref name="tag"/> + </optional> + <ref name="config_payload"/> + </element> + </define> + <!-- <client/> element (use restricted to repository operator) --> + <define name="client_handle"> + <attribute name="client_handle"> + <ref 
name="object_handle"/> + </attribute> + </define> + <define name="client_bool"> + <optional> + <attribute name="clear_replay_protection"> + <value>yes</value> + </attribute> + </optional> + </define> + <define name="client_payload"> + <optional> + <attribute name="base_uri"> + <ref name="uri_t"/> + </attribute> + </optional> + <optional> + <element name="bpki_cert"> + <ref name="base64"/> + </element> + </optional> + <optional> + <element name="bpki_glue"> + <ref name="base64"/> + </element> + </optional> + </define> + <define name="client_query" combine="choice"> + <element name="client"> + <attribute name="action"> + <value>create</value> + </attribute> + <optional> + <ref name="tag"/> + </optional> + <ref name="client_handle"/> + <ref name="client_bool"/> + <ref name="client_payload"/> + </element> + </define> + <define name="client_reply" combine="choice"> + <element name="client"> + <attribute name="action"> + <value>create</value> + </attribute> + <optional> + <ref name="tag"/> + </optional> + <ref name="client_handle"/> + </element> + </define> + <define name="client_query" combine="choice"> + <element name="client"> + <attribute name="action"> + <value>set</value> + </attribute> + <optional> + <ref name="tag"/> + </optional> + <ref name="client_handle"/> + <ref name="client_bool"/> + <ref name="client_payload"/> + </element> + </define> + <define name="client_reply" combine="choice"> + <element name="client"> + <attribute name="action"> + <value>set</value> + </attribute> + <optional> + <ref name="tag"/> + </optional> + <ref name="client_handle"/> + </element> + </define> + <define name="client_query" combine="choice"> + <element name="client"> + <attribute name="action"> + <value>get</value> + </attribute> + <optional> + <ref name="tag"/> + </optional> + <ref name="client_handle"/> + </element> + </define> + <define name="client_reply" combine="choice"> + <element name="client"> + <attribute name="action"> + <value>get</value> + </attribute> + <optional> + 
<ref name="tag"/> + </optional> + <ref name="client_handle"/> + <ref name="client_payload"/> + </element> + </define> + <define name="client_query" combine="choice"> + <element name="client"> + <attribute name="action"> + <value>list</value> + </attribute> + <optional> + <ref name="tag"/> + </optional> + </element> + </define> + <define name="client_reply" combine="choice"> + <element name="client"> + <attribute name="action"> + <value>list</value> + </attribute> + <optional> + <ref name="tag"/> + </optional> + <ref name="client_handle"/> + <ref name="client_payload"/> + </element> + </define> + <define name="client_query" combine="choice"> + <element name="client"> + <attribute name="action"> + <value>destroy</value> + </attribute> + <optional> + <ref name="tag"/> + </optional> + <ref name="client_handle"/> + </element> + </define> + <define name="client_reply" combine="choice"> + <element name="client"> + <attribute name="action"> + <value>destroy</value> + </attribute> + <optional> + <ref name="tag"/> + </optional> + <ref name="client_handle"/> + </element> + </define> + <!-- <certificate/> element --> + <define name="certificate_query" combine="choice"> + <element name="certificate"> + <attribute name="action"> + <value>publish</value> + </attribute> + <optional> + <ref name="tag"/> + </optional> + <ref name="uri"/> + <ref name="base64"/> + </element> + </define> + <define name="certificate_reply" combine="choice"> + <element name="certificate"> + <attribute name="action"> + <value>publish</value> + </attribute> + <optional> + <ref name="tag"/> + </optional> + <ref name="uri"/> + </element> + </define> + <define name="certificate_query" combine="choice"> + <element name="certificate"> + <attribute name="action"> + <value>withdraw</value> + </attribute> + <optional> + <ref name="tag"/> + </optional> + <ref name="uri"/> + </element> + </define> + <define name="certificate_reply" combine="choice"> + <element name="certificate"> + <attribute name="action"> + 
<value>withdraw</value> + </attribute> + <optional> + <ref name="tag"/> + </optional> + <ref name="uri"/> + </element> + </define> + <!-- <crl/> element --> + <define name="crl_query" combine="choice"> + <element name="crl"> + <attribute name="action"> + <value>publish</value> + </attribute> + <optional> + <ref name="tag"/> + </optional> + <ref name="uri"/> + <ref name="base64"/> + </element> + </define> + <define name="crl_reply" combine="choice"> + <element name="crl"> + <attribute name="action"> + <value>publish</value> + </attribute> + <optional> + <ref name="tag"/> + </optional> + <ref name="uri"/> + </element> + </define> + <define name="crl_query" combine="choice"> + <element name="crl"> + <attribute name="action"> + <value>withdraw</value> + </attribute> + <optional> + <ref name="tag"/> + </optional> + <ref name="uri"/> + </element> + </define> + <define name="crl_reply" combine="choice"> + <element name="crl"> + <attribute name="action"> + <value>withdraw</value> + </attribute> + <optional> + <ref name="tag"/> + </optional> + <ref name="uri"/> + </element> + </define> + <!-- <manifest/> element --> + <define name="manifest_query" combine="choice"> + <element name="manifest"> + <attribute name="action"> + <value>publish</value> + </attribute> + <optional> + <ref name="tag"/> + </optional> + <ref name="uri"/> + <ref name="base64"/> + </element> + </define> + <define name="manifest_reply" combine="choice"> + <element name="manifest"> + <attribute name="action"> + <value>publish</value> + </attribute> + <optional> + <ref name="tag"/> + </optional> + <ref name="uri"/> + </element> + </define> + <define name="manifest_query" combine="choice"> + <element name="manifest"> + <attribute name="action"> + <value>withdraw</value> + </attribute> + <optional> + <ref name="tag"/> + </optional> + <ref name="uri"/> + </element> + </define> + <define name="manifest_reply" combine="choice"> + <element name="manifest"> + <attribute name="action"> + <value>withdraw</value> + 
</attribute> + <optional> + <ref name="tag"/> + </optional> + <ref name="uri"/> + </element> + </define> + <!-- <roa/> element --> + <define name="roa_query" combine="choice"> + <element name="roa"> + <attribute name="action"> + <value>publish</value> + </attribute> + <optional> + <ref name="tag"/> + </optional> + <ref name="uri"/> + <ref name="base64"/> + </element> + </define> + <define name="roa_reply" combine="choice"> + <element name="roa"> + <attribute name="action"> + <value>publish</value> + </attribute> + <optional> + <ref name="tag"/> + </optional> + <ref name="uri"/> + </element> + </define> + <define name="roa_query" combine="choice"> + <element name="roa"> + <attribute name="action"> + <value>withdraw</value> + </attribute> + <optional> + <ref name="tag"/> + </optional> + <ref name="uri"/> + </element> + </define> + <define name="roa_reply" combine="choice"> + <element name="roa"> + <attribute name="action"> + <value>withdraw</value> + </attribute> + <optional> + <ref name="tag"/> + </optional> + <ref name="uri"/> + </element> + </define> + <!-- <ghostbuster/> element --> + <define name="ghostbuster_query" combine="choice"> + <element name="ghostbuster"> + <attribute name="action"> + <value>publish</value> + </attribute> + <optional> + <ref name="tag"/> + </optional> + <ref name="uri"/> + <ref name="base64"/> + </element> + </define> + <define name="ghostbuster_reply" combine="choice"> + <element name="ghostbuster"> + <attribute name="action"> + <value>publish</value> + </attribute> + <optional> + <ref name="tag"/> + </optional> + <ref name="uri"/> + </element> + </define> + <define name="ghostbuster_query" combine="choice"> + <element name="ghostbuster"> + <attribute name="action"> + <value>withdraw</value> + </attribute> + <optional> + <ref name="tag"/> + </optional> + <ref name="uri"/> + </element> + </define> + <define name="ghostbuster_reply" combine="choice"> + <element name="ghostbuster"> + <attribute name="action"> + <value>withdraw</value> + 
</attribute> + <optional> + <ref name="tag"/> + </optional> + <ref name="uri"/> + </element> + </define> + <!-- <report_error/> element --> + <define name="error"> + <data type="token"> + <param name="maxLength">1024</param> + </data> + </define> + <define name="report_error_reply"> + <element name="report_error"> + <optional> + <ref name="tag"/> + </optional> + <attribute name="error_code"> + <ref name="error"/> + </attribute> + <optional> + <data type="string"> + <param name="maxLength">512000</param> + </data> + </optional> + </element> + </define> +</grammar> +<!-- + Local Variables: + indent-tabs-mode: nil + comment-start: "# " + comment-start-skip: "#[ \t]*" + End: +--> diff --git a/schemas/relaxng/router-certificate-schema.rnc b/schemas/relaxng/router-certificate-schema.rnc new file mode 100644 index 00000000..8cc325ce --- /dev/null +++ b/schemas/relaxng/router-certificate-schema.rnc 
@@ -0,0 +1,61 @@
+# $Id$
+#
+# RelaxNG schema for BGPSEC router certificate interchange format.
+#
+# At least for now, this is a trivial encapsulation of a PKCS #10
+# request, a set (usually containing exactly one member) of autonomous
+# system numbers, and a router-id. Be warned that this could change
+# radically by the time we have any real operational understanding of
+# how these things will be used, this is just our current best guess
+# to let us move forward on initial coding.
+#
+# Copyright (C) 2014 Dragon Research Labs ("DRL")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND DRL DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL DRL BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+default namespace = "http://www.hactrn.net/uris/rpki/router-certificate/"
+
+version = "1"
+base64 = xsd:base64Binary { maxLength="512000" }
+router_id = xsd:unsignedInt
+asn_list = xsd:string { maxLength="512000" pattern="[0-9][\-,0-9]*" }
+timestamp = xsd:dateTime { pattern=".*Z" }
+
+# Core payload used in this schema.
+
+payload = (
+ attribute router_id { router_id },
+ attribute asn { asn_list },
+ attribute valid_until { timestamp }?,
+ base64
+)
+
+# We allow two forms, one with a wrapper to allow multiple requests in
+# a single file, one without for brevity; the version attribute goes
+# in the outermost element in either case.
+
+start |= element router_certificate_request {
+ attribute version { version },
+ payload
+}
+
+start |= element router_certificate_requests {
+ attribute version { version },
+ element router_certificate_request { payload }*
+}
+
+# Local Variables:
+# indent-tabs-mode: nil
+# comment-start: "# "
+# comment-start-skip: "#[ \t]*"
+# End:
diff --git a/schemas/relaxng/router-certificate-schema.rng b/schemas/relaxng/router-certificate-schema.rng
new file mode 100644
index 00000000..d8be9eda
--- /dev/null
+++ b/schemas/relaxng/router-certificate-schema.rng
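Review bot: The `asn_list` pattern `[0-9][\-,0-9]*` only requires a leading digit, so values such as `1,,2`, `1-` or `1,2-3-4` pass schema validation and are left for whatever parses the `asn` attribute in code to reject or misread; the schema also cannot bound individual ASNs to 32 bits. A structural pattern such as `asn_list = xsd:string { maxLength="512000" pattern="[0-9]+(-[0-9]+)?(,[0-9]+(-[0-9]+)?)*" }` would reject the malformed shapes at the validation boundary and leave only the numeric range check to the consumer. If the looseness is deliberate for consistency with `resource_set_as` in the up-down schema, a comment above `asn_list` saying so, and naming where the real ASN list validation happens, would help the next reader.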
@@ -0,0 +1,98 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + $Id: router-certificate-schema.rnc 5753 2014-04-05 19:24:26Z sra $ + + RelaxNG schema for BGPSEC router certificate interchange format. + + At least for now, this is a trivial encapsulation of a PKCS #10 + request, a set (usually containing exactly one member) of autonomous + system numbers, and a router-id. Be warned that this could change + radically by the time we have any real operational understanding of + how these things will be used, this is just our current best guess + to let us move forward on initial coding. + + Copyright (C) 2014 Dragon Research Labs ("DRL") + + Permission to use, copy, modify, and distribute this software for any + purpose with or without fee is hereby granted, provided that the above + copyright notice and this permission notice appear in all copies. + + THE SOFTWARE IS PROVIDED "AS IS" AND DRL DISCLAIMS ALL WARRANTIES WITH + REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS. IN NO EVENT SHALL DRL BE LIABLE FOR ANY SPECIAL, DIRECT, + INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + PERFORMANCE OF THIS SOFTWARE. 
+--> +<grammar ns="http://www.hactrn.net/uris/rpki/router-certificate/" xmlns="http://relaxng.org/ns/structure/1.0" datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes"> + <define name="version"> + <value>1</value> + </define> + <define name="base64"> + <data type="base64Binary"> + <param name="maxLength">512000</param> + </data> + </define> + <define name="router_id"> + <data type="unsignedInt"/> + </define> + <define name="asn_list"> + <data type="string"> + <param name="maxLength">512000</param> + <param name="pattern">[0-9][\-,0-9]*</param> + </data> + </define> + <define name="timestamp"> + <data type="dateTime"> + <param name="pattern">.*Z</param> + </data> + </define> + <!-- Core payload used in this schema. --> + <define name="payload"> + <attribute name="router_id"> + <ref name="router_id"/> + </attribute> + <attribute name="asn"> + <ref name="asn_list"/> + </attribute> + <optional> + <attribute name="valid_until"> + <ref name="timestamp"/> + </attribute> + </optional> + <ref name="base64"/> + </define> + <!-- + We allow two forms, one with a wrapper to allow multiple requests in + a single file, one without for brevity; the version attribute goes + in the outermost element in either case. + --> + <start combine="choice"> + <element name="router_certificate_request"> + <attribute name="version"> + <ref name="version"/> + </attribute> + <ref name="payload"/> + </element> + </start> + <start combine="choice"> + <element name="router_certificate_requests"> + <attribute name="version"> + <ref name="version"/> + </attribute> + <zeroOrMore> + <element name="router_certificate_request"> + <ref name="payload"/> + </element> + </zeroOrMore> + </element> + </start> +</grammar> +<!-- + Local Variables: + indent-tabs-mode: nil + comment-start: "# " + comment-start-skip: "#[ \t]*" + End: +--> diff --git a/schemas/relaxng/up-down-schema.rnc b/schemas/relaxng/up-down-schema.rnc new file mode 100644 index 00000000..a603b8fe --- /dev/null 
+++ b/schemas/relaxng/up-down-schema.rnc 
@@ -0,0 +1,113 @@
+# $Id$
+#
+# RelaxNG schema for the up-down protocol, extracted from RFC 6492.
+#
+# Copyright (c) 2012 IETF Trust and the persons identified as authors
+# of the code. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in
+# the documentation and/or other materials provided with the
+# distribution.
+#
+# * Neither the name of Internet Society, IETF or IETF Trust, nor the
+# names of specific contributors, may be used to endorse or promote
+# products derived from this software without specific prior written
+# permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+
+default namespace = "http://www.apnic.net/specs/rescerts/up-down/"
+
+grammar {
+ resource_set_as = xsd:string { maxLength="512000" pattern="[\-,0-9]*" }
+ resource_set_ip4 = xsd:string { maxLength="512000" pattern="[\-,/.0-9]*" }
+ resource_set_ip6 = xsd:string { maxLength="512000" pattern="[\-,/:0-9a-fA-F]*" }
+
+ class_name = xsd:token { minLength="1" maxLength="1024" }
+ ski = xsd:token { minLength="27" maxLength="1024" }
+ label = xsd:token { minLength="1" maxLength="1024" }
+ cert_url = xsd:string { minLength="10" maxLength="4096" }
+ base64_binary = xsd:base64Binary { minLength="4" maxLength="512000" }
+
+ start = element message {
+ attribute version { xsd:positiveInteger { maxInclusive="1" } },
+ attribute sender { label },
+ attribute recipient { label },
+ payload
+ }
+
+ payload |= attribute type { "list" }, list_request
+ payload |= attribute type { "list_response"}, list_response
+ payload |= attribute type { "issue" }, issue_request
+ payload |= attribute type { "issue_response"}, issue_response
+ payload |= attribute type { "revoke" }, revoke_request
+ payload |= attribute type { "revoke_response"}, revoke_response
+ payload |= attribute type { "error_response"}, error_response
+
+ list_request = empty
+ list_response = class*
+
+ class = element class {
+ attribute class_name { class_name },
+ attribute cert_url { cert_url },
+ attribute resource_set_as { resource_set_as },
+ attribute resource_set_ipv4 { resource_set_ip4 },
+ attribute resource_set_ipv6 { resource_set_ip6 },
+ attribute resource_set_notafter { xsd:dateTime },
+ attribute suggested_sia_head { xsd:anyURI { maxLength="1024" pattern="rsync://.+"} }?,
+ element certificate {
+ attribute cert_url { cert_url },
+ attribute req_resource_set_as { resource_set_as }?,
+ attribute req_resource_set_ipv4 { resource_set_ip4 }?,
+ attribute req_resource_set_ipv6 { resource_set_ip6 }?,
+ base64_binary
+ }*,
+ element issuer { base64_binary }
+ }
+
+ issue_request = element request {
+ attribute class_name { class_name },
+ attribute req_resource_set_as { resource_set_as }?,
+ attribute req_resource_set_ipv4 { resource_set_ip4 }?,
+ attribute req_resource_set_ipv6 { resource_set_ip6 }?,
+ base64_binary
+ }
+ issue_response = class
+
+ revoke_request = revocation
+ revoke_response = revocation
+
+ revocation = element key {
+ attribute class_name { class_name },
+ attribute ski { ski }
+ }
+
+ error_response =
+ element status { xsd:positiveInteger { maxInclusive="9999" } },
+ element description { attribute xml:lang { xsd:language }, xsd:string { maxLength="1024" } }*
+}
+
+# Local Variables:
+# indent-tabs-mode: nil
+# comment-start: "# "
+# comment-start-skip: "#[ \t]*"
+# End:
diff --git a/schemas/relaxng/up-down-schema.rng b/schemas/relaxng/up-down-schema.rng
new file mode 100644
index 00000000..5368fa65
--- /dev/null
+++ b/schemas/relaxng/up-down-schema.rng
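Review bot: `cert_url` is declared as a bare `xsd:string { minLength="10" maxLength="4096" }`, so the schema accepts any string in that attribute, while `suggested_sia_head` a few lines below is constrained to `rsync://.+`; since the file is a transcription of RFC 6492 this asymmetry is presumably inherited rather than chosen, but a comment above `cert_url` stating that URL scheme and syntax checking is done in code, not by schema validation, would stop the next reader from assuming the schema covers it. The same caveat applies to the three `resource_set_*` patterns, which bound the character set and length but not the structure, so inputs such as `,,` or a trailing `-` still validate. The length caps on `base64_binary` and the resource sets are the part of this schema that does real work as an input-size bound, and that is worth saying in a comment too.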
@@ -0,0 +1,277 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + $Id: up-down-schema.rnc 5753 2014-04-05 19:24:26Z sra $ + + RelaxNG schema for the up-down protocol, extracted from RFC 6492. + + Copyright (c) 2012 IETF Trust and the persons identified as authors + of the code. All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in + the documentation and/or other materials provided with the + distribution. + + * Neither the name of Internet Society, IETF or IETF Trust, nor the + names of specific contributors, may be used to endorse or promote + products derived from this software without specific prior written + permission. + + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+--> +<grammar ns="http://www.apnic.net/specs/rescerts/up-down/" xmlns="http://relaxng.org/ns/structure/1.0" datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes"> + <define name="resource_set_as"> + <data type="string"> + <param name="maxLength">512000</param> + <param name="pattern">[\-,0-9]*</param> + </data> + </define> + <define name="resource_set_ip4"> + <data type="string"> + <param name="maxLength">512000</param> + <param name="pattern">[\-,/.0-9]*</param> + </data> + </define> + <define name="resource_set_ip6"> + <data type="string"> + <param name="maxLength">512000</param> + <param name="pattern">[\-,/:0-9a-fA-F]*</param> + </data> + </define> + <define name="class_name"> + <data type="token"> + <param name="minLength">1</param> + <param name="maxLength">1024</param> + </data> + </define> + <define name="ski"> + <data type="token"> + <param name="minLength">27</param> + <param name="maxLength">1024</param> + </data> + </define> + <define name="label"> + <data type="token"> + <param name="minLength">1</param> + <param name="maxLength">1024</param> + </data> + </define> + <define name="cert_url"> + <data type="string"> + <param name="minLength">10</param> + <param name="maxLength">4096</param> + </data> + </define> + <define name="base64_binary"> + <data type="base64Binary"> + <param name="minLength">4</param> + <param name="maxLength">512000</param> + </data> + </define> + <start> + <element name="message"> + <attribute name="version"> + <data type="positiveInteger"> + <param name="maxInclusive">1</param> + </data> + </attribute> + <attribute name="sender"> + <ref name="label"/> + </attribute> + <attribute name="recipient"> + <ref name="label"/> + </attribute> + <ref name="payload"/> + </element> + </start> + <define name="payload" combine="choice"> + <attribute name="type"> + <value>list</value> + </attribute> + <ref name="list_request"/> + </define> + <define name="payload" combine="choice"> + <attribute name="type"> + <value>list_response</value> 
+ </attribute> + <ref name="list_response"/> + </define> + <define name="payload" combine="choice"> + <attribute name="type"> + <value>issue</value> + </attribute> + <ref name="issue_request"/> + </define> + <define name="payload" combine="choice"> + <attribute name="type"> + <value>issue_response</value> + </attribute> + <ref name="issue_response"/> + </define> + <define name="payload" combine="choice"> + <attribute name="type"> + <value>revoke</value> + </attribute> + <ref name="revoke_request"/> + </define> + <define name="payload" combine="choice"> + <attribute name="type"> + <value>revoke_response</value> + </attribute> + <ref name="revoke_response"/> + </define> + <define name="payload" combine="choice"> + <attribute name="type"> + <value>error_response</value> + </attribute> + <ref name="error_response"/> + </define> + <define name="list_request"> + <empty/> + </define> + <define name="list_response"> + <zeroOrMore> + <ref name="class"/> + </zeroOrMore> + </define> + <define name="class"> + <element name="class"> + <attribute name="class_name"> + <ref name="class_name"/> + </attribute> + <attribute name="cert_url"> + <ref name="cert_url"/> + </attribute> + <attribute name="resource_set_as"> + <ref name="resource_set_as"/> + </attribute> + <attribute name="resource_set_ipv4"> + <ref name="resource_set_ip4"/> + </attribute> + <attribute name="resource_set_ipv6"> + <ref name="resource_set_ip6"/> + </attribute> + <attribute name="resource_set_notafter"> + <data type="dateTime"/> + </attribute> + <optional> + <attribute name="suggested_sia_head"> + <data type="anyURI"> + <param name="maxLength">1024</param> + <param name="pattern">rsync://.+</param> + </data> + </attribute> + </optional> + <zeroOrMore> + <element name="certificate"> + <attribute name="cert_url"> + <ref name="cert_url"/> + </attribute> + <optional> + <attribute name="req_resource_set_as"> + <ref name="resource_set_as"/> + </attribute> + </optional> + <optional> + <attribute 
name="req_resource_set_ipv4"> + <ref name="resource_set_ip4"/> + </attribute> + </optional> + <optional> + <attribute name="req_resource_set_ipv6"> + <ref name="resource_set_ip6"/> + </attribute> + </optional> + <ref name="base64_binary"/> + </element> + </zeroOrMore> + <element name="issuer"> + <ref name="base64_binary"/> + </element> + </element> + </define> + <define name="issue_request"> + <element name="request"> + <attribute name="class_name"> + <ref name="class_name"/> + </attribute> + <optional> + <attribute name="req_resource_set_as"> + <ref name="resource_set_as"/> + </attribute> + </optional> + <optional> + <attribute name="req_resource_set_ipv4"> + <ref name="resource_set_ip4"/> + </attribute> + </optional> + <optional> + <attribute name="req_resource_set_ipv6"> + <ref name="resource_set_ip6"/> + </attribute> + </optional> + <ref name="base64_binary"/> + </element> + </define> + <define name="issue_response"> + <ref name="class"/> + </define> + <define name="revoke_request"> + <ref name="revocation"/> + </define> + <define name="revoke_response"> + <ref name="revocation"/> + </define> + <define name="revocation"> + <element name="key"> + <attribute name="class_name"> + <ref name="class_name"/> + </attribute> + <attribute name="ski"> + <ref name="ski"/> + </attribute> + </element> + </define> + <define name="error_response"> + <element name="status"> + <data type="positiveInteger"> + <param name="maxInclusive">9999</param> + </data> + </element> + <zeroOrMore> + <element name="description"> + <attribute name="xml:lang"> + <data type="language"/> + </attribute> + <data type="string"> + <param name="maxLength">1024</param> + </data> + </element> + </zeroOrMore> + </define> +</grammar> +<!-- + Local Variables: + indent-tabs-mode: nil + comment-start: "# " + comment-start-skip: "#[ \t]*" + End: +--> diff --git a/schemas/sql/pubd.sql b/schemas/sql/pubd.sql new file mode 100644 index 00000000..3a58ec00 --- /dev/null +++ b/schemas/sql/pubd.sql 
@@ -0,0 +1,59 @@
+-- $Id$
+
+-- Copyright (C) 2009--2010 Internet Systems Consortium ("ISC")
+--
+-- Permission to use, copy, modify, and distribute this software for any
+-- purpose with or without fee is hereby granted, provided that the above
+-- copyright notice and this permission notice appear in all copies.
+--
+-- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+-- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+-- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+-- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+-- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+-- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+-- PERFORMANCE OF THIS SOFTWARE.
+
+-- Copyright (C) 2008 American Registry for Internet Numbers ("ARIN")
+--
+-- Permission to use, copy, modify, and distribute this software for any
+-- purpose with or without fee is hereby granted, provided that the above
+-- copyright notice and this permission notice appear in all copies.
+--
+-- THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+-- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+-- AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+-- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+-- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+-- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+-- PERFORMANCE OF THIS SOFTWARE.
+
+-- SQL objects needed by pubd.py.
+
+-- The config table is weird because we're really only using it
+-- to store one BPKI CRL, but putting this here lets us use a lot of
+-- existing machinery and the alternatives are whacky in other ways.
+
+DROP TABLE IF EXISTS client;
+DROP TABLE IF EXISTS config;
+
+CREATE TABLE config (
+ config_id SERIAL NOT NULL,
+ bpki_crl LONGBLOB,
+ PRIMARY KEY (config_id)
+) ENGINE=InnoDB;
+
+CREATE TABLE client (
+ client_id SERIAL NOT NULL,
+ client_handle VARCHAR(255) NOT NULL,
+ base_uri TEXT,
+ bpki_cert LONGBLOB,
+ bpki_glue LONGBLOB,
+ last_cms_timestamp DATETIME,
+ PRIMARY KEY (client_id),
+ UNIQUE (client_handle)
+) ENGINE=InnoDB;
+
+-- Local Variables:
+-- indent-tabs-mode: nil
+-- End:
diff --git a/schemas/sql/rpkid.sql b/schemas/sql/rpkid.sql
new file mode 100644
index 00000000..a7e3dc0a
--- /dev/null
+++ b/schemas/sql/rpkid.sql
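Review bot: The `client` table, whose column names indicate it holds the per-client BPKI trust material (`bpki_cert`, `bpki_glue`) plus a `last_cms_timestamp`, gets no explanatory comment while `config` gets three lines; a short comment above `CREATE TABLE client` stating what each column holds, and whether `last_cms_timestamp` is the most recent CMS signing time accepted from that client (it reads that way, but pubd.py is not in this diff), would spare the next reader a trip into the code. `bpki_cert` is nullable, so a client row can exist with nothing to authenticate it against; if pubd.py treats such a row as "not yet configured" rather than "accept anything", a comment should say so, and if it does not, `bpki_cert LONGBLOB NOT NULL,` makes the intent enforceable in the schema. The header `-- SQL objects needed by pubd.py.` also does not say that loading the file is destructive; `-- Loading this file drops and recreates every pubd table; existing state is lost.` above the two DROP statements would.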
@@ -0,0 +1,250 @@
+-- $Id$
+
+-- Copyright (C) 2009--2011 Internet Systems Consortium ("ISC")
+--
+-- Permission to use, copy, modify, and distribute this software for any
+-- purpose with or without fee is hereby granted, provided that the above
+-- copyright notice and this permission notice appear in all copies.
+--
+-- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+-- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+-- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+-- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+-- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+-- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+-- PERFORMANCE OF THIS SOFTWARE.
+
+-- Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+--
+-- Permission to use, copy, modify, and distribute this software for any
+-- purpose with or without fee is hereby granted, provided that the above
+-- copyright notice and this permission notice appear in all copies.
+--
+-- THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+-- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+-- AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+-- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+-- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+-- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+-- PERFORMANCE OF THIS SOFTWARE.
+
+-- SQL objects needed by the RPKI engine (rpkid.py).
+
+-- DROP TABLE commands must be in correct (reverse dependency) order
+-- to satisfy FOREIGN KEY constraints.
+
+DROP TABLE IF EXISTS ee_cert;
+DROP TABLE IF EXISTS ghostbuster;
+DROP TABLE IF EXISTS roa_prefix;
+DROP TABLE IF EXISTS roa;
+DROP TABLE IF EXISTS revoked_cert;
+DROP TABLE IF EXISTS child_cert;
+DROP TABLE IF EXISTS child;
+DROP TABLE IF EXISTS ca_detail;
+DROP TABLE IF EXISTS ca;
+DROP TABLE IF EXISTS parent;
+DROP TABLE IF EXISTS repository;
+DROP TABLE IF EXISTS bsc;
+DROP TABLE IF EXISTS self;
+
+CREATE TABLE self (
+ self_id SERIAL NOT NULL,
+ self_handle VARCHAR(255) NOT NULL,
+ use_hsm BOOLEAN NOT NULL DEFAULT FALSE,
+ crl_interval BIGINT UNSIGNED,
+ regen_margin BIGINT UNSIGNED,
+ bpki_cert LONGBLOB,
+ bpki_glue LONGBLOB,
+ PRIMARY KEY (self_id),
+ UNIQUE (self_handle)
+) ENGINE=InnoDB;
+
+CREATE TABLE bsc (
+ bsc_id SERIAL NOT NULL,
+ bsc_handle VARCHAR(255) NOT NULL,
+ private_key_id LONGBLOB,
+ pkcs10_request LONGBLOB,
+ hash_alg ENUM ('sha256'),
+ signing_cert LONGBLOB,
+ signing_cert_crl LONGBLOB,
+ self_id BIGINT UNSIGNED NOT NULL,
+ PRIMARY KEY (bsc_id),
+ CONSTRAINT bsc_self_id
+ FOREIGN KEY (self_id) REFERENCES self (self_id) ON DELETE CASCADE,
+ UNIQUE (self_id, bsc_handle)
+) ENGINE=InnoDB;
+
+CREATE TABLE repository (
+ repository_id SERIAL NOT NULL,
+ repository_handle VARCHAR(255) NOT NULL,
+ peer_contact_uri TEXT,
+ bpki_cert LONGBLOB,
+ bpki_glue LONGBLOB,
+ last_cms_timestamp DATETIME,
+ bsc_id BIGINT UNSIGNED NOT NULL,
+ self_id BIGINT UNSIGNED NOT NULL,
+ PRIMARY KEY (repository_id),
+ CONSTRAINT repository_self_id
+ FOREIGN KEY (self_id) REFERENCES self (self_id) ON DELETE CASCADE,
+ CONSTRAINT repository_bsc_id
+ FOREIGN KEY (bsc_id) REFERENCES bsc (bsc_id) ON DELETE CASCADE,
+ UNIQUE (self_id, repository_handle)
+) ENGINE=InnoDB;
+
+CREATE TABLE parent (
+ parent_id SERIAL NOT NULL,
+ parent_handle VARCHAR(255) NOT NULL,
+ bpki_cms_cert LONGBLOB,
+ bpki_cms_glue LONGBLOB,
+ peer_contact_uri TEXT,
+ sia_base TEXT,
+ sender_name TEXT,
+ recipient_name TEXT,
+ last_cms_timestamp DATETIME,
+ self_id BIGINT UNSIGNED NOT NULL,
+ bsc_id BIGINT UNSIGNED NOT NULL,
+ repository_id BIGINT UNSIGNED NOT NULL,
+ PRIMARY KEY (parent_id),
+ CONSTRAINT parent_repository_id
+ FOREIGN KEY (repository_id) REFERENCES repository (repository_id) ON DELETE CASCADE,
+ CONSTRAINT parent_bsc_id
+ FOREIGN KEY (bsc_id) REFERENCES bsc (bsc_id) ON DELETE CASCADE,
+ CONSTRAINT parent_self_id
+ FOREIGN KEY (self_id) REFERENCES self (self_id) ON DELETE CASCADE,
+ UNIQUE (self_id, parent_handle)
+) ENGINE=InnoDB;
+
+CREATE TABLE ca (
+ ca_id SERIAL NOT NULL,
+ last_crl_sn BIGINT UNSIGNED NOT NULL,
+ last_manifest_sn BIGINT UNSIGNED NOT NULL,
+ next_manifest_update DATETIME,
+ next_crl_update DATETIME,
+ last_issued_sn BIGINT UNSIGNED NOT NULL,
+ sia_uri TEXT,
+ parent_resource_class TEXT,
+ parent_id BIGINT UNSIGNED NOT NULL,
+ PRIMARY KEY (ca_id),
+ CONSTRAINT ca_parent_id
+ FOREIGN KEY (parent_id) REFERENCES parent (parent_id) ON DELETE CASCADE
+) ENGINE=InnoDB;
+
+CREATE TABLE ca_detail (
+ ca_detail_id SERIAL NOT NULL,
+ public_key LONGBLOB,
+ private_key_id LONGBLOB,
+ latest_crl LONGBLOB,
+ crl_published DATETIME,
+ latest_ca_cert LONGBLOB,
+ manifest_private_key_id LONGBLOB,
+ manifest_public_key LONGBLOB,
+ latest_manifest_cert LONGBLOB,
+ latest_manifest LONGBLOB,
+ manifest_published DATETIME,
+ state ENUM ('pending', 'active', 'deprecated', 'revoked') NOT NULL,
+ ca_cert_uri TEXT,
+ ca_id BIGINT UNSIGNED NOT NULL,
+ PRIMARY KEY (ca_detail_id),
+ CONSTRAINT ca_detail_ca_id
+ FOREIGN KEY (ca_id) REFERENCES ca (ca_id) ON DELETE CASCADE
+) ENGINE=InnoDB;
+
+CREATE TABLE child (
+ child_id SERIAL NOT NULL,
+ child_handle VARCHAR(255) NOT NULL,
+ bpki_cert LONGBLOB,
+ bpki_glue LONGBLOB,
+ last_cms_timestamp DATETIME,
+ self_id BIGINT UNSIGNED NOT NULL,
+ bsc_id BIGINT UNSIGNED NOT NULL,
+ PRIMARY KEY (child_id),
+ CONSTRAINT child_bsc_id
+ FOREIGN KEY (bsc_id) REFERENCES bsc (bsc_id) ON DELETE CASCADE,
+ CONSTRAINT child_self_id
+ FOREIGN KEY (self_id) REFERENCES self (self_id) ON DELETE CASCADE,
+ UNIQUE (self_id, child_handle)
+) ENGINE=InnoDB;
+
+CREATE TABLE child_cert (
+ child_cert_id SERIAL NOT NULL,
+ cert LONGBLOB NOT NULL,
+ published DATETIME,
+ ski TINYBLOB NOT NULL,
+ child_id BIGINT UNSIGNED NOT NULL,
+ ca_detail_id BIGINT UNSIGNED NOT NULL,
+ PRIMARY KEY (child_cert_id),
+ CONSTRAINT child_cert_ca_detail_id
+ FOREIGN KEY (ca_detail_id) REFERENCES ca_detail (ca_detail_id) ON DELETE CASCADE,
+ CONSTRAINT child_cert_child_id
+ FOREIGN KEY (child_id) REFERENCES child (child_id) ON DELETE CASCADE
+) ENGINE=InnoDB;
+
+CREATE TABLE revoked_cert (
+ revoked_cert_id SERIAL NOT NULL,
+ serial BIGINT UNSIGNED NOT NULL,
+ revoked DATETIME NOT NULL,
+ expires DATETIME NOT NULL,
+ ca_detail_id BIGINT UNSIGNED NOT NULL,
+ PRIMARY KEY (revoked_cert_id),
+ CONSTRAINT revoked_cert_ca_detail_id
+ FOREIGN KEY (ca_detail_id) REFERENCES ca_detail (ca_detail_id) ON DELETE CASCADE
+) ENGINE=InnoDB;
+
+CREATE TABLE roa (
+ roa_id SERIAL NOT NULL,
+ asn BIGINT UNSIGNED NOT NULL,
+ cert LONGBLOB NOT NULL,
+ roa LONGBLOB NOT NULL,
+ published DATETIME,
+ self_id BIGINT UNSIGNED NOT NULL,
+ ca_detail_id BIGINT UNSIGNED NOT NULL,
+ PRIMARY KEY (roa_id),
+ CONSTRAINT roa_self_id
+ FOREIGN KEY (self_id) REFERENCES self (self_id) ON DELETE CASCADE,
+ CONSTRAINT roa_ca_detail_id
+ FOREIGN KEY (ca_detail_id) REFERENCES ca_detail (ca_detail_id) ON DELETE CASCADE
+) ENGINE=InnoDB;
+
+CREATE TABLE roa_prefix (
+ prefix VARCHAR(40) NOT NULL,
+ prefixlen TINYINT UNSIGNED NOT NULL,
+ max_prefixlen TINYINT UNSIGNED NOT NULL,
+ version TINYINT UNSIGNED NOT NULL,
+ roa_id BIGINT UNSIGNED NOT NULL,
+ PRIMARY KEY (roa_id, prefix, prefixlen, max_prefixlen),
+ CONSTRAINT roa_prefix_roa_id
+ FOREIGN KEY (roa_id) REFERENCES roa (roa_id) ON DELETE CASCADE
+) ENGINE=InnoDB;
+
+CREATE TABLE ghostbuster (
+ ghostbuster_id SERIAL NOT NULL,
+ vcard LONGBLOB NOT NULL,
+ cert LONGBLOB NOT NULL,
+ ghostbuster LONGBLOB NOT NULL,
+ published DATETIME,
+ self_id BIGINT UNSIGNED NOT NULL,
+ ca_detail_id BIGINT UNSIGNED NOT NULL,
+ PRIMARY KEY (ghostbuster_id),
+ CONSTRAINT ghostbuster_self_id
+ FOREIGN KEY (self_id) REFERENCES self (self_id) ON DELETE CASCADE,
+ CONSTRAINT ghostbuster_ca_detail_id
+ FOREIGN KEY (ca_detail_id) REFERENCES ca_detail (ca_detail_id) ON DELETE CASCADE
+) ENGINE=InnoDB;
+
+CREATE TABLE ee_cert (
+ ee_cert_id SERIAL NOT NULL,
+ ski BINARY(20) NOT NULL,
+ cert LONGBLOB NOT NULL,
+ published DATETIME,
+ self_id BIGINT UNSIGNED NOT NULL,
+ ca_detail_id BIGINT UNSIGNED NOT NULL,
+ PRIMARY KEY (ee_cert_id),
+ CONSTRAINT ee_cert_self_id
+ FOREIGN KEY (self_id) REFERENCES self (self_id) ON DELETE CASCADE,
+ CONSTRAINT ee_cert_ca_detail_id
+ FOREIGN KEY (ca_detail_id) REFERENCES ca_detail (ca_detail_id) ON DELETE CASCADE
+) ENGINE=InnoDB;
+
+-- Local Variables:
+-- indent-tabs-mode: nil
+-- End: |
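Review bot: `child_cert.ski` is declared `TINYBLOB` while `ee_cert.ski` is `BINARY(20)`; RPKI certificates carry the 160-bit SHA-1 key identifier, so the two columns should agree and the fixed-width form is the safer one — `ski BINARY(20) NOT NULL,` in `child_cert`. `bsc.private_key_id` and `ca_detail.private_key_id`/`manifest_private_key_id` are `LONGBLOB` columns that, given `self.use_hsm`, presumably hold either an HSM key handle or the private key itself; a comment on each saying which, and noting that the database therefore contains signing-key material whenever `use_hsm` is FALSE, tells an operator what the table needs to be protected as. `revoked_cert` has no `UNIQUE (ca_detail_id, serial)`, so the same serial can be recorded twice for one issuer and would then presumably appear twice in the generated CRL; if the application guarantees this cannot happen, the constraint makes that guarantee visible and checkable. `roa`, `ghostbuster` and `ee_cert` carry both `self_id` and `ca_detail_id` although `ca_detail` already chains to `self` through `ca` and `parent`, and nothing stops the two from disagreeing, so a comment stating that `self_id` is a deliberate denormalisation (or why it is needed) would help the next maintainer.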