Diffstat (limited to 'scripts/Old')
-rw-r--r-- | scripts/Old/apnic-poke-1.sh | 112 | ||||
-rw-r--r-- | scripts/Old/apnic-poke-1.yaml | 28 | ||||
-rw-r--r-- | scripts/Old/apnic-poke-2.sh | 123 | ||||
-rw-r--r-- | scripts/Old/apnic-poke-2.yaml | 74 | ||||
-rw-r--r-- | scripts/Old/apnic-test-3.tgz | bin | 0 -> 694571 bytes | |||
-rw-r--r-- | scripts/Old/async-http.py | 529 | ||||
-rw-r--r-- | scripts/Old/biz-certs-setup.sh | 81 | ||||
-rw-r--r-- | scripts/Old/blow-away-databases.sh | 29 | ||||
-rw-r--r-- | scripts/Old/extract-cert-from-rpki.sh | 35 | ||||
-rw-r--r-- | scripts/Old/manifests.py | 90 | ||||
-rw-r--r-- | scripts/Old/pkcs10.py | 100 | ||||
-rw-r--r-- | scripts/Old/rootd.cnf | 30 | ||||
-rw-r--r-- | scripts/Old/rootd.sh | 143 | ||||
-rw-r--r-- | scripts/Old/test-pow-cms.py | 49 | ||||
-rw-r--r-- | scripts/Old/test-pow-tls.py | 61 | ||||
-rw-r--r-- | scripts/Old/timers.sh | 55 | ||||
-rw-r--r-- | scripts/Old/tls-client.py | 27 | ||||
-rw-r--r-- | scripts/Old/tls-server.py | 40 |
18 files changed, 1557 insertions, 49 deletions
diff --git a/scripts/Old/apnic-poke-1.sh b/scripts/Old/apnic-poke-1.sh
new file mode 100644
index 00000000..bca4a8f6
--- /dev/null
+++ b/scripts/Old/apnic-poke-1.sh
@@ -0,0 +1,112 @@ +#!/bin/sh - +# $Id$ + +# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN") +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# Script to let APNIC test against my server. +# +# This blows away rpkid's database and rebuilds it with what we need +# for this test, and knows far too much about the id numbers that +# rpkid and mysql will assign. In the long run we must do better than +# this, but gotta start somewhere. + +openssl=../openssl/openssl/apps/openssl + +# Halt on first error and show what's happening + +set -ex + +# Generate new key and cert for rootd.py if needed + +if test ! -r rootd.cer -o ! -r rootd.key +then + $openssl req -new -newkey rsa:2048 -nodes -keyout rootd.key -out rootd.req -config rootd.cnf + + $openssl x509 -req -in rootd.req -out rootd.cer -extfile rootd.cnf -extensions req_x509_ext \ + -signkey rootd.key -text -sha256 + + rm -f rootd.req +fi + +# Blow away old rpkid database (!) so we can start clean + +mysql -u rpki -p`awk '$1 == "sql-password" {print $3}' rpkid.conf` rpki <rpki-db-schema.sql + +# Clear out any old publication results + +rm -rf publication/* + +# Start rpkid so we can configure it, make sure we shut it down on exit +# If we're running under screen, just run it in a different screen instead. 
+ +if test -n "$STY" +then + screen python rpkid.py +else + python rpkid.py >>rpkid.log 2>&1 & rpkid=$! + trap "kill $rpkid" 0 1 2 3 13 15 +fi + +# Create a self instance + +python irbe_cli.py self --action create --crl_interval 84600 + +# Create a business signing context, issue the necessary business cert, and set up the cert chain + +python irbe_cli.py --pem_out bsc.req bsc --action create --self_id 1 \ + --generate_keypair --signing_cert biz-certs/Bob-CA.cer + +$openssl x509 -req -in bsc.req -out bsc.cer -CA biz-certs/Bob-CA.cer \ + -CAkey biz-certs/Bob-CA.key -CAserial biz-certs/Bob-CA.srl + +python irbe_cli.py bsc --action set --self_id 1 --bsc_id 1 --signing_cert bsc.cer + +rm -f bsc.req bsc.cer + +# Create a repository context + +python irbe_cli.py repository --self_id 1 --action create --bsc_id 1 + +# Create a parent context pointing at rootd.py + +python irbe_cli.py parent --self_id 1 --action create --bsc_id 1 --repository_id 1 \ + --peer_contact_uri https://localhost:44333/ \ + --cms_ta biz-certs/Elena-Root.cer \ + --https_ta biz-certs/Elena-Root.cer \ + --sia_base rsync://wombat.invalid/ + +# Create a child context + +python irbe_cli.py child --self_id 1 --action create --bsc_id 1 --cms_ta biz-certs/Frank-Root.cer + +# Run the other daemons, arrange for everything to go away on shutdown, +# run initial cron job to set things up, then wait + +if test -n "$STY" +then + screen python rootd.py + screen python irdbd.py +else + python rootd.py >>rootd.log 2>&1 & rootd=$! + python irdbd.py >>irdbd.log 2>&1 & irdbd=$! + trap "kill $rpkid $irdbd $rootd" 0 1 2 3 13 15 +fi + +python cronjob.py + +if test -z "$STY" +then + tail +0f rpkid.log +fi diff --git a/scripts/Old/apnic-poke-1.yaml b/scripts/Old/apnic-poke-1.yaml new file mode 100644 index 00000000..24b80561 --- /dev/null +++ b/scripts/Old/apnic-poke-1.yaml 
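Review bot: The MySQL password is put on the command line in the `mysql -u rpki -p...` line that reloads `rpki-db-schema.sql`, so it is visible in `ps` to every local user for the life of that process and, because the script runs under `set -ex`, it is also echoed in the xtrace output; the same line appears in apnic-poke-2.sh. A POSIX-sh fix that keeps the password off the command line is to hand mysql an option file: `(umask 077; awk '$1 == "sql-password" {printf "[client]\npassword=%s\n", $3}' rpkid.conf >mysql.cnf)`, then `mysql --defaults-extra-file=mysql.cnf -u rpki rpki <rpki-db-schema.sql`, then `rm -f mysql.cnf` (`--defaults-extra-file` must be the first option). Unrelated but worth a glance: `--crl_interval 84600` is 23.5 hours, which looks like a transposition of 86400; I cannot tell from here whether that was intentional.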
@@ -0,0 +1,28 @@ +--- +# $Id$ + +version: 1 +posturl: https://adrilankha.hactrn.net:4433/up-down/1 +recipient-id: wombat +sender-id: "1" + +cms-cert-file: biz-certs/Frank-EE.cer +cms-key-file: biz-certs/Frank-EE.key +cms-ca-cert-file: biz-certs/Bob-Root.cer +cms-cert-chain-file: [ biz-certs/Frank-CA.cer ] + +ssl-cert-file: biz-certs/Frank-EE.cer +ssl-key-file: biz-certs/Frank-EE.key +ssl-ca-cert-file: biz-certs/Bob-Root.cer + +requests: + list: + type: list + issue: + type: issue + class: 1 + sia: [ "rsync://bandicoot.invalid/some/where/" ] + revoke: + type: revoke + class: 1 + ski: "CB5K6APY-4KcGAW9jaK_cVPXKX0" diff --git a/scripts/Old/apnic-poke-2.sh b/scripts/Old/apnic-poke-2.sh new file mode 100644 index 00000000..87018111 --- /dev/null +++ b/scripts/Old/apnic-poke-2.sh 
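Review bot: The same EE key pair is used both as the CMS signing identity and as the TLS client credential (`cms-key-file` and `ssl-key-file` both name `biz-certs/Frank-EE.key`), which is fine for a test fixture but is exactly the kind of config that gets copied into a real deployment. A one-line comment above `cms-cert-file` would make the intent explicit: `# Test fixture only: one EE key is shared by the CMS and TLS layers; use separate keys in a real deployment.` The hard-coded `ski` under `revoke` is presumably tied to whatever key an earlier `issue` produced, so it likely has to be regenerated whenever apnic-poke-1.sh rebuilds the database; a comment saying so would save the next person a confusing revoke failure.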
@@ -0,0 +1,123 @@ +#!/bin/sh - +# $Id$ + +# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN") +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +openssl=../openssl/openssl/apps/openssl + +# Halt on first error and show what's happening + +set -ex + +# Blow away old rpkid database (!) so we can start clean + +mysql -u rpki -p`awk '$1 == "sql-password" {print $3}' rpkid.conf` rpki <rpki-db-schema.sql + +# Clear out any old publication results + +rm -rf publication/* + +# Start rpkid so we can configure it, make sure we shut it down on exit +# If we're running under screen, just run it in a different screen instead. + +if test -n "$STY" +then + screen python rpkid.py +else + python rpkid.py >>rpkid.log 2>&1 & rpkid=$! 
+ trap "kill $rpkid" 0 1 2 3 13 15 +fi + +# Create a self instance + +python irbe_cli.py self --action create --crl_interval 84600 + +# Create a business signing context, issue the necessary business cert, and set up the cert chain + +python irbe_cli.py --pem_out bsc.req bsc --action create --self_id 1 \ + --generate_keypair --signing_cert biz-certs/Bob-CA.cer +$openssl x509 -req -in bsc.req -out bsc.cer \ + -CA biz-certs/Bob-CA.cer -CAkey biz-certs/Bob-CA.key -CAserial biz-certs/Bob-CA.srl +python irbe_cli.py bsc --action set --self_id 1 --bsc_id 1 --signing_cert bsc.cer +rm -f bsc.req bsc.cer + +# List what's in the BSC, for today's debugging fun + +#python irbe_cli.py bsc --action list --self_id 1 + +# Create a repository context + +python irbe_cli.py repository --self_id 1 --action create --bsc_id 1 + +# Create a parent context pointing at APNIC -- this is where we plug in the values from their YAML + +cat >apnic.pem <<-'EOF' + -----BEGIN CERTIFICATE----- + MIIEFjCCAv6gAwIBAgIBADANBgkqhkiG9w0BAQsFADBJMUcwRQYDVQQDEz5Eb2N1 + bWVudGF0aW9uIFByZWZpeGVzIENNUyBQYXJlbnQgVEEgc2lnbmVyIC0gTm90IGZv + ciByZWFsIHVzZTAeFw0wNzEyMDEwNjMyNDdaFw0xNzExMjgwNjMyNDdaMEkxRzBF + BgNVBAMTPkRvY3VtZW50YXRpb24gUHJlZml4ZXMgQ01TIFBhcmVudCBUQSBzaWdu + ZXIgLSBOb3QgZm9yIHJlYWwgdXNlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB + CgKCAQEAtsRcgBpO7cTN+QGPnBaPtmfdsUZbctrfSBycS3QhwAItzZryqIHN9stP + A+0WEOC4+cfaY9xETqGwbq725p8FRwxUx9NBQS7jrL1ToNCJ+2qSH5ThK2hOQiCT + 3fv2FNJ/7gFFqofWt3mLyNEmnis95pRwzTtqH6ZaAaZk+AzwL77ww8AlwL/qfLtD + mjrsUfoELfkbS4ywFK0orjVKeGvzG8Dx7WiGvwmdhNNJ8/IAZmJC0NI8r9VIfcw3 + 2B7bnDGkKH3E0NNRIajPmLbaNfT0Dxw+BjIC3Ty48o3ghSScqviyThNFyj8cr9SB + Ww8ReAU6v9q4XWRnlZt8Lc9WIsF/MwIDAQABo4IBBzCCAQMwDAYDVR0TBAUwAwEB + /zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFPzZTgRZylsJph8KV9AU3klSgl8r + MHEGA1UdIwRqMGiAFPzZTgRZylsJph8KV9AU3klSgl8roU2kSzBJMUcwRQYDVQQD + Ez5Eb2N1bWVudGF0aW9uIFByZWZpeGVzIENNUyBQYXJlbnQgVEEgc2lnbmVyIC0g + Tm90IGZvciByZWFsIHVzZYIBADBRBgNVHR8ESjBIMEagRKBChkBodHRwOi8vbWly + 
aW4uYXBuaWMubmV0L2RvY3VtZW50YXRpb24tcHJlZml4ZXMvY21zL3BhcmVudC9j + bXMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCNz/BUN5bsAyMPi0X7oKZV/cAwmr2S + gQgIxaUHnQ6EJp4b2CUmlpPQ9pT/m+gPbajaRgUZmANfMF0uAFZpCP3hTRAc6NMH + 3Pwjzw1ICGSRRJASSizYN4hSxGpWW1hgghGTB3w5CjCm2VlwrQKJjb7/9H/gb4hi + RRZpaudithCEDlgkFhgU4uttSDLH2Rv14GtfmtyqDpmCE33STA7K+e9rdxaCqHC8 + u33zqm4oQxOX7wuJ/JxeJxExtZ0amu8yTZ+tDtQ4Iiu1VPl67o0mjYrBKRV4z2fC + wa/PKqombrC/qs+2+t/66mB9xaK1YpKnW2FL6Rjs+rZUJJQ16JhJkF7T + -----END CERTIFICATE----- +EOF + +python irbe_cli.py parent --self_id 1 --action create --bsc_id 1 --repository_id 1 \ + --peer_contact_uri https://mirin.apnic.net/cgi-bin/up-down-parent.cgi \ + --cms_ta apnic.pem \ + --https_ta apnic.pem \ + --sia_base rsync://wombat.invalid/ \ + --recipient_name PARENT \ + --sender_name CHILD + +rm -f apnic.pem + +# Create a child context + +python irbe_cli.py child --self_id 1 --action create --bsc_id 1 --cms_ta biz-certs/Frank-Root.cer + +# Run the other daemons, arrange for everything to go away on shutdown, +# run initial cron job to set things up, then wait + +if test -n "$STY" +then + screen python irdbd.py +else + python irdbd.py >>irdbd.log 2>&1 & irdbd=$! + trap "kill $rpkid $irdbd" 0 1 2 3 13 15 +fi + +python cronjob.py + +if test -z "$STY" +then + tail +0f rpkid.log +fi diff --git a/scripts/Old/apnic-poke-2.yaml b/scripts/Old/apnic-poke-2.yaml new file mode 100644 index 00000000..6ba93729 --- /dev/null +++ b/scripts/Old/apnic-poke-2.yaml 
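Review bot: The PEM written to `apnic.pem` is installed as both `--cms_ta` and `--https_ta`, so a certificate whose subject decodes to "Documentation Prefixes CMS Parent TA signer - Not for real use" also becomes the sole trust anchor for the TLS connection to mirin.apnic.net, and its validity decodes to 2007-12-01 through 2017-11-28, after which the parent setup stops validating with no hint as to why. A comment above the heredoc should record both facts, e.g. `# APNIC documentation-prefix test TA (subject says "Not for real use"); trusted for both CMS and HTTPS; expires 2017-11-28.` Note also that the heredoc is `<<-'EOF'`, which strips leading tabs only: if the indented PEM lines are indented with spaces, `-----BEGIN CERTIFICATE-----` keeps its leading whitespace and OpenSSL's PEM reader will not find it — the rendering here does not show which whitespace was used.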
@@ -0,0 +1,74 @@ +--- +# $Id$ +# +# This sender config file was created by the make_cfg tool +# Account: TELSTRA-AU + +version: 1 +recipient-id: PARENT +sender-id: CHILD + +cms-cert-file: biz-certs/Bob-EE.cer +cms-key-file: biz-certs/Bob-EE.key +cms-cert-chain-file: [ biz-certs/Bob-CA.cer ] + +cms-ca-cert: | + -----BEGIN CERTIFICATE----- + MIIEFjCCAv6gAwIBAgIBADANBgkqhkiG9w0BAQsFADBJMUcwRQYDVQQDEz5Eb2N1 + bWVudGF0aW9uIFByZWZpeGVzIENNUyBQYXJlbnQgVEEgc2lnbmVyIC0gTm90IGZv + ciByZWFsIHVzZTAeFw0wNzEyMDEwNjMyNDdaFw0xNzExMjgwNjMyNDdaMEkxRzBF + BgNVBAMTPkRvY3VtZW50YXRpb24gUHJlZml4ZXMgQ01TIFBhcmVudCBUQSBzaWdu + ZXIgLSBOb3QgZm9yIHJlYWwgdXNlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB + CgKCAQEAtsRcgBpO7cTN+QGPnBaPtmfdsUZbctrfSBycS3QhwAItzZryqIHN9stP + A+0WEOC4+cfaY9xETqGwbq725p8FRwxUx9NBQS7jrL1ToNCJ+2qSH5ThK2hOQiCT + 3fv2FNJ/7gFFqofWt3mLyNEmnis95pRwzTtqH6ZaAaZk+AzwL77ww8AlwL/qfLtD + mjrsUfoELfkbS4ywFK0orjVKeGvzG8Dx7WiGvwmdhNNJ8/IAZmJC0NI8r9VIfcw3 + 2B7bnDGkKH3E0NNRIajPmLbaNfT0Dxw+BjIC3Ty48o3ghSScqviyThNFyj8cr9SB + Ww8ReAU6v9q4XWRnlZt8Lc9WIsF/MwIDAQABo4IBBzCCAQMwDAYDVR0TBAUwAwEB + /zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFPzZTgRZylsJph8KV9AU3klSgl8r + MHEGA1UdIwRqMGiAFPzZTgRZylsJph8KV9AU3klSgl8roU2kSzBJMUcwRQYDVQQD + Ez5Eb2N1bWVudGF0aW9uIFByZWZpeGVzIENNUyBQYXJlbnQgVEEgc2lnbmVyIC0g + Tm90IGZvciByZWFsIHVzZYIBADBRBgNVHR8ESjBIMEagRKBChkBodHRwOi8vbWly + aW4uYXBuaWMubmV0L2RvY3VtZW50YXRpb24tcHJlZml4ZXMvY21zL3BhcmVudC9j + bXMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCNz/BUN5bsAyMPi0X7oKZV/cAwmr2S + gQgIxaUHnQ6EJp4b2CUmlpPQ9pT/m+gPbajaRgUZmANfMF0uAFZpCP3hTRAc6NMH + 3Pwjzw1ICGSRRJASSizYN4hSxGpWW1hgghGTB3w5CjCm2VlwrQKJjb7/9H/gb4hi + RRZpaudithCEDlgkFhgU4uttSDLH2Rv14GtfmtyqDpmCE33STA7K+e9rdxaCqHC8 + u33zqm4oQxOX7wuJ/JxeJxExtZ0amu8yTZ+tDtQ4Iiu1VPl67o0mjYrBKRV4z2fC + wa/PKqombrC/qs+2+t/66mB9xaK1YpKnW2FL6Rjs+rZUJJQ16JhJkF7T + -----END CERTIFICATE----- + +ssl-cert-file: biz-certs/Bob-EE.cer +ssl-key-file: biz-certs/Bob-EE.key + +ssl-ca-cert: | + -----BEGIN CERTIFICATE----- + 
MIIEFjCCAv6gAwIBAgIBADANBgkqhkiG9w0BAQsFADBJMUcwRQYDVQQDEz5Eb2N1 + bWVudGF0aW9uIFByZWZpeGVzIENNUyBQYXJlbnQgVEEgc2lnbmVyIC0gTm90IGZv + ciByZWFsIHVzZTAeFw0wNzEyMDEwNjMyNDdaFw0xNzExMjgwNjMyNDdaMEkxRzBF + BgNVBAMTPkRvY3VtZW50YXRpb24gUHJlZml4ZXMgQ01TIFBhcmVudCBUQSBzaWdu + ZXIgLSBOb3QgZm9yIHJlYWwgdXNlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB + CgKCAQEAtsRcgBpO7cTN+QGPnBaPtmfdsUZbctrfSBycS3QhwAItzZryqIHN9stP + A+0WEOC4+cfaY9xETqGwbq725p8FRwxUx9NBQS7jrL1ToNCJ+2qSH5ThK2hOQiCT + 3fv2FNJ/7gFFqofWt3mLyNEmnis95pRwzTtqH6ZaAaZk+AzwL77ww8AlwL/qfLtD + mjrsUfoELfkbS4ywFK0orjVKeGvzG8Dx7WiGvwmdhNNJ8/IAZmJC0NI8r9VIfcw3 + 2B7bnDGkKH3E0NNRIajPmLbaNfT0Dxw+BjIC3Ty48o3ghSScqviyThNFyj8cr9SB + Ww8ReAU6v9q4XWRnlZt8Lc9WIsF/MwIDAQABo4IBBzCCAQMwDAYDVR0TBAUwAwEB + /zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFPzZTgRZylsJph8KV9AU3klSgl8r + MHEGA1UdIwRqMGiAFPzZTgRZylsJph8KV9AU3klSgl8roU2kSzBJMUcwRQYDVQQD + Ez5Eb2N1bWVudGF0aW9uIFByZWZpeGVzIENNUyBQYXJlbnQgVEEgc2lnbmVyIC0g + Tm90IGZvciByZWFsIHVzZYIBADBRBgNVHR8ESjBIMEagRKBChkBodHRwOi8vbWly + aW4uYXBuaWMubmV0L2RvY3VtZW50YXRpb24tcHJlZml4ZXMvY21zL3BhcmVudC9j + bXMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCNz/BUN5bsAyMPi0X7oKZV/cAwmr2S + gQgIxaUHnQ6EJp4b2CUmlpPQ9pT/m+gPbajaRgUZmANfMF0uAFZpCP3hTRAc6NMH + 3Pwjzw1ICGSRRJASSizYN4hSxGpWW1hgghGTB3w5CjCm2VlwrQKJjb7/9H/gb4hi + RRZpaudithCEDlgkFhgU4uttSDLH2Rv14GtfmtyqDpmCE33STA7K+e9rdxaCqHC8 + u33zqm4oQxOX7wuJ/JxeJxExtZ0amu8yTZ+tDtQ4Iiu1VPl67o0mjYrBKRV4z2fC + wa/PKqombrC/qs+2+t/66mB9xaK1YpKnW2FL6Rjs+rZUJJQ16JhJkF7T + -----END CERTIFICATE----- + +posturl: https://mirin.apnic.net/cgi-bin/up-down-parent.cgi + +requests: + list: + type: list diff --git a/scripts/Old/apnic-test-3.tgz b/scripts/Old/apnic-test-3.tgz Binary files differnew file mode 100644 index 00000000..2d50fe3f --- /dev/null +++ b/scripts/Old/apnic-test-3.tgz diff --git a/scripts/Old/async-http.py b/scripts/Old/async-http.py new file mode 100644 index 00000000..5b5fc1cd --- /dev/null +++ b/scripts/Old/async-http.py 
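Review bot: The same PEM block is pasted twice, under `cms-ca-cert` and `ssl-ca-cert`, so rotating the APNIC trust anchor means editing two copies that can silently diverge. If the loader is PyYAML (not confirmable from this file), a YAML anchor removes the duplication: declare the first as `cms-ca-cert: &apnic_ta |` and reference it with `ssl-ca-cert: *apnic_ta`. Either way, a comment next to the block noting that the certificate's own subject marks it "Not for real use" and that it expires 2017-11-28 would spare the next reader from decoding the base64 to learn that.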
@@ -0,0 +1,529 @@ +""" +Testbed for figuring out how to write asynchronous HTTPS code. + +$Id$ + +Copyright (C) 2009 Internet Systems Consortium ("ISC") + +Permission to use, copy, modify, and distribute this software for any +purpose with or without fee is hereby granted, provided that the above +copyright notice and this permission notice appear in all copies. + +THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +PERFORMANCE OF THIS SOFTWARE. +""" + +# Command that may be useful for testing server side of this: +# +# lynx -post_data -mime_header -source http://127.0.0.1:8000/ +# +# Testing the client side of this is more entertaining, both because +# we need to be liberal in what we accept and also because servers do +# wildly different things depending both on HTTP version number and +# options signaled by the client and also on internal details in the +# server context (such as whether the content is static or generated +# by CGI). It's useful to test against static content, but also to +# test against CGI-generated output, eg, the following trivial script: +# +# print "Content-Type: text/plain; charset=US-ASCII\r" +# print "\r" +# for i in xrange(100): +# print "%08d" % i, "." * 120, "\r" +# +# At least with Apache 2.0, result of running this differs +# significantly depending on whether client signals HTTP 1.0 or 1.1; +# the latter produces chunked output. 
+ +import sys, os, time, socket, asyncore, asynchat, traceback, urlparse +import rpki.async, rpki.sundial + +debug = True + +want_persistent_client = True +want_persistent_server = True + +idle_timeout_default = rpki.sundial.timedelta(seconds = 60) +active_timeout_default = rpki.sundial.timedelta(seconds = 15) + +default_http_version = (1, 1) + +class http_message(object): + + software_name = "BalmyBandicoot HTTP test code" + + def __init__(self, version = None, body = None, headers = None): + self.version = version + self.body = body + self.headers = headers + self.normalize_headers() + + def normalize_headers(self, headers = None): + if headers is None: + headers = () if self.headers is None else self.headers.items() + translate_underscore = True + else: + translate_underscore = False + result = {} + for k,v in headers: + if translate_underscore: + k = k.replace("_", "-") + k = "-".join(s.capitalize() for s in k.split("-")) + v = v.strip() + if k in result: + result[k] += ", " + v + else: + result[k] = v + self.headers = result + + @classmethod + def parse_from_wire(cls, headers): + self = cls() + headers = headers.split("\r\n") + self.parse_first_line(*headers.pop(0).split(None, 2)) + for i in xrange(len(headers) - 2, -1, -1): + if headers[i + 1][0].isspace(): + headers[i] += headers[i + 1] + del headers[i + 1] + self.normalize_headers([h.split(":", 1) for h in headers]) + return self + + def format(self): + s = self.format_first_line() + if self.body is not None: + assert isinstance(self.body, str) + self.headers["Content-Length"] = len(self.body) + for kv in self.headers.iteritems(): + s += "%s: %s\r\n" % kv + s += "\r\n" + if self.body is not None: + s += self.body + return s + + def __str__(self): + return self.format() + + def parse_version(self, version): + if version[:5] != "HTTP/": + raise RuntimeError, "Couldn't parse version %s" % version + self.version = tuple(int(i) for i in version[5:].split(".")) + + def persistent(self): + c = 
self.headers.get("Connection") + if self.version == (1, 1): + return c is None or "close" not in c.lower() + elif self.version == (1, 0): + return c is not None and "keep-alive" in c.lower() + else: + return False + +class http_request(http_message): + + def __init__(self, cmd = None, path = None, version = default_http_version, body = None, callback = None, **headers): + if cmd is not None and cmd != "POST" and body is not None: + raise RuntimeError + http_message.__init__(self, version = version, body = body, headers = headers) + self.cmd = cmd + self.path = path + self.callback = callback + + def parse_first_line(self, cmd, path, version): + self.parse_version(version) + self.cmd = cmd + self.path = path + + def format_first_line(self): + self.headers.setdefault("User-Agent", self.software_name) + return "%s %s HTTP/%d.%d\r\n" % (self.cmd, self.path, self.version[0], self.version[1]) + +class http_response(http_message): + + def __init__(self, code = None, reason = None, version = default_http_version, body = None, **headers): + http_message.__init__(self, version = version, body = body, headers = headers) + self.code = code + self.reason = reason + + def parse_first_line(self, version, code, reason): + self.parse_version(version) + self.code = int(code) + self.reason = reason + + def format_first_line(self): + self.headers.setdefault("Date", time.strftime("%a, %d %b %Y %T GMT")) + self.headers.setdefault("Server", self.software_name) + return "HTTP/%d.%d %s %s\r\n" % (self.version[0], self.version[1], self.code, self.reason) + +def logger(self, msg): + if debug: + print "[%s %r: %s]" % (rpki.sundial.now().strftime("%T"), self, msg) + +class http_stream(asynchat.async_chat): + + log = logger + + idle_timeout = idle_timeout_default + active_timeout = active_timeout_default + + def __init__(self, conn = None): + asynchat.async_chat.__init__(self, conn = conn) + self.buffer = [] + self.timer = rpki.async.timer(self.handle_timeout) + self.restart() + + def 
restart(self, idle = True): + assert not self.buffer + self.chunk_handler = None + self.set_terminator("\r\n\r\n") + timeout = self.idle_timeout if idle else self.active_timeout + if timeout is not None: + self.timer.set(timeout) + else: + self.timer.cancel() + + def update_active_timeout(self): + if self.active_timeout is not None: + self.timer.set(self.active_timeout) + else: + self.timer.cancel() + + def collect_incoming_data(self, data): + """Buffer the data""" + self.buffer.append(data) + self.update_active_timeout() + + def get_buffer(self): + val = "".join(self.buffer) + self.buffer = [] + return val + + def found_terminator(self): + self.update_active_timeout() + if self.chunk_handler: + self.chunk_handler() + elif not isinstance(self.get_terminator(), str): + self.handle_body() + else: + self.log("Got headers") + self.msg = self.parse_type.parse_from_wire(self.get_buffer()) + if self.msg.version == (1, 1) and "chunked" in self.msg.headers.get("Transfer-Encoding", "").lower(): + self.msg.body = [] + self.chunk_handler = self.chunk_header + self.set_terminator("\r\n") + elif "Content-Length" in self.msg.headers: + self.set_terminator(int(self.msg.headers["Content-Length"])) + else: + self.handle_no_content_length() + + def chunk_header(self): + n = int(self.get_buffer().partition(";")[0], 16) + self.log("Chunk length %s" % n) + if n: + self.chunk_handler = self.chunk_body + self.set_terminator(n) + else: + self.msg.body = "".join(self.msg.body) + self.chunk_handler = self.chunk_discard_trailer + + def chunk_body(self): + self.log("Chunk body") + self.msg.body += self.buffer + self.buffer = [] + self.chunk_handler = self.chunk_discard_crlf + self.set_terminator("\r\n") + + def chunk_discard_crlf(self): + self.log("Chunk CRLF") + s = self.get_buffer() + assert s == "", "Expected chunk CRLF, got '%s'" % s + self.chunk_handler = self.chunk_header + + def chunk_discard_trailer(self): + self.log("Chunk trailer") + s = self.get_buffer() + assert s == "", "Expected 
end of chunk trailers, got '%s'" % s + self.chunk_handler = None + self.handle_message() + + def handle_body(self): + self.msg.body = self.get_buffer() + self.handle_message() + + def handle_error(self): + self.log("Error in HTTP stream handler") + print traceback.format_exc() + asyncore.close_all() + + def handle_timeout(self): + self.log("Timeout, closing") + self.close() + + def handle_close(self): + asynchat.async_chat.handle_close(self) + self.timer.cancel() + self.log("Closed") + +class http_server(http_stream): + + parse_type = http_request + + def __init__(self, conn, handlers): + self.handlers = handlers + http_stream.__init__(self, conn) + self.expect_close = not want_persistent_server + + def handle_no_content_length(self): + self.handle_message() + + def find_handler(self, path): + """Helper method to search self.handlers.""" + for s, h in self.handlers: + if path.startswith(s): + return h + return None + + def handle_message(self): + if not self.msg.persistent(): + self.expect_close = True + handler = self.find_handler(self.msg.path) + error = None + if False and self.msg.cmd != "POST": + error = 501, "No handler for method %s" % self.msg.cmd + elif False and self.headers["Content-Type"] != rpki_content_type: + error = 415, "No handler for Content-Type %s" % self.headers["Content-Type"] + elif handler is None: + error = 404, "No handler for URL %s" % self.msg.path + if error is None: + handler(self.msg, self.send_message) + else: + self.send_error(*error) + + def send_error(self, code, reason): + self.handle_message_message(http_response(code = code, reason = reason)) + + def send_message(self, msg): + msg.headers["Connection"] = "Close" if self.expect_close else "Keep-Alive" + self.push(msg.format()) + if self.expect_close: + self.log("Closing") + self.timer.cancel() + self.close_when_done() + else: + self.log("Listening for next message") + self.restart() + +class http_listener(asyncore.dispatcher): + + log = logger + + def __init__(self, handlers, 
port = 80, host = ""): + asyncore.dispatcher.__init__(self) + self.handlers = handlers + self.create_socket(socket.AF_INET, socket.SOCK_STREAM) + self.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) + self.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1) + self.bind((host, port)) + self.listen(5) + self.log("Listening on (host, port) %r, handlers %r" % ((host, port), handlers)) + + def handle_accept(self): + self.log("Accepting connection") + server = http_server(conn = self.accept()[0], handlers = self.handlers) + + def handle_error(self): + self.log("Error in HTTP listener") + print traceback.format_exc() + asyncore.close_all() + +class http_client(http_stream): + + parse_type = http_response + + def __init__(self, queue, hostport): + self.log("Creating new connection to %s" % repr(hostport)) + http_stream.__init__(self) + self.queue = queue + self.state = "idle" + self.expect_close = not want_persistent_client + self.create_socket(socket.AF_INET, socket.SOCK_STREAM) + self.connect(hostport) + + def handle_no_content_length(self): + self.set_terminator(None) + + def send_request(self, msg): + self.log("Sending request") + assert self.state == "idle" + if msg is not None: + self.state = "request-sent" + msg.headers["Connection"] = "Close" if self.expect_close else "Keep-Alive" + self.push(msg.format()) + self.restart(idle = False) + + def handle_message(self): + if not self.msg.persistent(): + self.expect_close = True + self.log("Message received, state %s" % self.state) + msg = None + if self.state == "request-sent": + msg = self.queue.done_with_request() + elif self.state == "idle": + self.log("Received unsolicited message") + elif self.state == "closing": + assert not self.msg.body + self.log("Ignoring empty response received while closing") + return + else: + raise RuntimeError, "[%r: Unexpected state]" % self + self.state = "idle" + if msg != None: + msg.callback(self.msg) + msg = self.queue.next_request(not self.expect_close) + if msg is not None: 
+ self.log("Got a new message to send from my queue") + self.send_request(msg) + elif self.expect_close: + self.log("Closing") + self.state = "closing" + self.queue.closing(self) + self.close_when_done() + else: + self.log("Idling") + self.timer.set(self.idle_timeout) + + def handle_connect(self): + self.log("Connected") + self.send_request(self.queue.next_request(True)) + + def kickstart(self): + self.log("Kickstart") + assert self.state == "idle" + self.send_request(self.queue.next_request(True)) + + def handle_close(self): + http_stream.handle_close(self) + self.queue.closing(self) + if self.get_terminator() is None: + self.handle_body() + +class http_queue(object): + + log = logger + + def __init__(self, hostport): + self.log("Creating queue for %s" % repr(hostport)) + self.hostport = hostport + self.client = None + self.queue = [] + + def request(self, *requests): + self.log("Adding requests %r" % requests) + need_kick = self.client is not None and not self.queue + self.queue.extend(requests) + if self.client is None: + self.client = http_client(self, self.hostport) + elif need_kick: + self.client.kickstart() + + def done_with_request(self): + req = self.queue.pop(0) + self.log("Dequeuing request %r" % req) + return req + + def next_request(self, usable): + if not self.queue: + self.log("Queue is empty") + return None + self.log("Queue: %r" % self.queue) + if usable: + self.log("Queue not empty and connection usable") + return self.queue[0] + else: + self.log("Queue not empty but connection not usable, spawning") + self.client = http_client(self, self.hostport) + self.log("Spawned connection %r" % self.client) + return None + + def closing(self, client): + if client is self.client: + self.log("Removing client") + self.client = None + +class http_manager(dict): + + log = logger + + def query(self, url, callback, body = None): + u = urlparse.urlparse(url) + assert u.scheme == "http" and u.username is None and u.password is None and u.params == "" and u.query == 
"" and u.fragment == "" + request = http_request(cmd = "POST", path = u.path, body = body, callback = callback, + Host = u.hostname, Content_Type = "text/plain") + hostport = (u.hostname or "localhost", u.port or 80) + self.log("Created request %r for %r" % (request, hostport)) + if hostport not in self: + self[hostport] = http_queue(hostport) + self[hostport].request(request) + + def __repr__(self): + return "<%s object at %s>" % (self.__class__.__name__, id(self)) + +def client(msg, url, timeout = 300, callback = None): + pass + +def server(handlers, port, host =""): + if not isinstance(handlers, (tuple, list)): + handlers = (("/", handlers),) + listener = http_listener(port = 8000, handlers = handlers) + rpki.async.event_loop() + +if len(sys.argv) == 1: + + def handler(query_message, reply_callback): + reply_callback(http_response( + code = 200, + reason = "OK", + body = str(query_message), + Cache_Control = "no-cache,no-store", + Content_Type = "text/plain")) + + def other_handler(query_message, reply_callback): + reply_callback(http_response( + code = 200, + reason = "OK", + body = "Ok, you found it.\r\n\r\n" + str(query_message), + Cache_Control = "no-cache,no-store", + Content_Type = "text/plain")) + + server(port = 8000, handlers = (("/wombat", other_handler), ("/", handler))) + +else: + + def got_one(msg): + logger(None, "Got response") + if True: + print msg + print + + manager = http_manager() + + timer = rpki.async.timer() + + def loop(iterator, url): + logger(None, "Scheduler loop") + manager.query(url = url, callback = got_one, body = "Hi, I'm trying to talk to URL %s" % url) + timer.set(rpki.sundial.timedelta(seconds = 3)) + + def done(): + logger(None, "Scheduler done") + + timer.set_handler(rpki.async.iterator(sys.argv[1:], loop, done)) + + rpki.async.event_loop() + + for q in manager.values(): + assert not q.queue, "Requests still scheduled: %r %r %r" % (q, q.hostport, q.queue) + + assert not rpki.async.timer.queue, "Timers still scheduled: %r" % 
rpki.async.timer.queue diff --git a/scripts/Old/biz-certs-setup.sh b/scripts/Old/biz-certs-setup.sh new file mode 100644 index 00000000..64ebd7d8 --- /dev/null +++ b/scripts/Old/biz-certs-setup.sh 
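Review bot: `http_server.send_error` calls `self.handle_message_message(...)`, which is defined nowhere in this file, so the 404 branch of `handle_message` raises AttributeError instead of replying; that exception reaches `http_stream.handle_error`, which calls `asyncore.close_all()`, so a single request for an unknown URL tears down the listener and every other open connection. The fix is `self.send_message(http_response(code = code, reason = reason))` in `send_error`, and `handle_error` should drop only the failing stream (`self.close()`) rather than the whole socket map, since otherwise any malformed header from one peer — a non-numeric `Content-Length` handed to `int()`, or a bad chunk-size line in `chunk_header` — has the same global effect. Neither `Content-Length` nor the chunk length is bounded before being passed to `set_terminator`, so a peer can make the stream buffer an arbitrarily large body in memory; even for a testbed a maximum-body-size check there is cheap. Separately, `server()` ignores its `port` argument and always passes `port = 8000` to `http_listener`, and `http_response.format_first_line` builds the `Date` header with `time.strftime` on local time while labelling it GMT (it needs `time.gmtime()`).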
@@ -0,0 +1,81 @@ +#!/bin/sh - +# $Id$ + +# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN") +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# Quick hack to generate a set of business keys and certs for use with +# early prototype code. Not for production use. +# +# All we're trying to do here is generate a three-level-deep set of +# certs for each of several independent entities. Could easily be +# deeper in practice but this should be enough for simple tests: a +# self-signed root cert to use as a trust anchor, a working CA, and an +# EE cert used for CMS or TLS. +# +# Among other things missing here, we're not doing any restrictions +# beyond basicConstraints and we're not doing CRLs. +# +# One can extract the public key from a .key file by doing: +# +# $ openssl rsa -in foo.key -pubout +# +# I ended up needing this to build simulated packets for the +# left-right protocol. 
+ +for i in Alice Bob Carol Dave Elena Frank Ginny Harry +do + for j in Root CA EE + do + + case $j in + EE) ca=false;; + *) ca=true;; + esac + + test -r $i-$j.cnf || cat >$i-$j.cnf <<-EOF + + [ req ] + distinguished_name = req_dn + x509_extensions = req_x509_ext + prompt = no + default_md = sha256 + + [ req_dn ] + CN = Test Certificate $i $j + + [ req_x509_ext ] + basicConstraints = CA:$ca + subjectKeyIdentifier = hash + authorityKeyIdentifier = keyid:always + + EOF + + test -r $i-$j.key || openssl genrsa -out $i-$j.key 2048 + test -r $i-$j.req || openssl req -new -sha256 -key $i-$j.key -out $i-$j.req -config $i-$j.cnf + + done + + test -r $i-Root.cer || openssl x509 -sha256 -req -in $i-Root.req -out $i-Root.cer -extfile $i-Root.cnf -extensions req_x509_ext -signkey $i-Root.key -days 60 + test -r $i-CA.cer || openssl x509 -sha256 -req -in $i-CA.req -out $i-CA.cer -extfile $i-CA.cnf -extensions req_x509_ext -CA $i-Root.cer -CAkey $i-Root.key -CAcreateserial + test -r $i-EE.cer || openssl x509 -sha256 -req -in $i-EE.req -out $i-EE.cer -extfile $i-EE.cnf -extensions req_x509_ext -CA $i-CA.cer -CAkey $i-CA.key -CAcreateserial + +done + +for i in *.cer +do + h=`openssl x509 -noout -hash -in $i`.0 + test -r $h || + ln -s $i $h +done diff --git a/scripts/Old/blow-away-databases.sh b/scripts/Old/blow-away-databases.sh new file mode 100644 index 00000000..44df7861 --- /dev/null +++ b/scripts/Old/blow-away-databases.sh 
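Review bot: The Root certificate is issued with `-days 60` but the CA and EE lines leave `openssl x509 -req` at its default validity of 30 days, so every EE this script produces expires a month before its own trust anchor and tests run later fail with an opaque verify error; add `-days 60` (or a shared `days=${days-60}` and `-days $days`) to the CA and EE invocations as well. Because each step is guarded by `test -r ... ||`, regenerating one key without removing the derived `.req`/`.cer` files leaves certificates signed by a key that no longer exists, which the header comment should warn about ("rm *-Root.* *-CA.* *-EE.* to start over"). The `genrsa` private keys are written under the caller's default umask; a `umask 077` at the top keeps even these throwaway keys owner-readable only at no cost.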
@@ -0,0 +1,29 @@
+#!/bin/sh -
+# $Id$
+
+# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# GRANT ALL ON rpki.* TO rpki@localhost IDENTIFIED BY '<secret>';
+# GRANT ALL ON irdb.* TO irdb@localhost IDENTIFIED BY '<secret>';
+
+echo "This script destroys and rebuilds our databases."
+echo "Don't type the password unless you're sure you want to do this."
+
+(echo 'DROP DATABASE rpki; CREATE DATABASE rpki; USE rpki;'
+ cat ../docs/rpki-db-schema.sql
+ echo 'DROP DATABASE irdb; CREATE DATABASE irdb; USE irdb;'
+ cat ../docs/sample-irdb.sql
+) |
+mysql -u root -p
diff --git a/scripts/Old/extract-cert-from-rpki.sh b/scripts/Old/extract-cert-from-rpki.sh
new file mode 100644
index 00000000..3d28bfdb
--- /dev/null
+++ b/scripts/Old/extract-cert-from-rpki.sh
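Review bot: The subshell streams `DROP DATABASE rpki` into mysql before `cat ../docs/rpki-db-schema.sql` has been checked to exist, so running from the wrong directory drops both databases and rebuilds nothing, because mysql executes whatever arrived before cat failed; guard up front with `test -r ../docs/rpki-db-schema.sql -a -r ../docs/sample-irdb.sql || exit 1`. Prompting for the root password with `-p` instead of embedding it is the right choice. The echoed warning is the only confirmation step; that is acceptable for a dev-only script, but the header comment should say so explicitly so nobody wires this into automation.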
@@ -0,0 +1,35 @@ +#!/bin/sh - +# $Id$ + +# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN") +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +: ${instance=R0} + +python ../rpkid.py -c $instance.conf & +rpkid=$! + +python ../irbe-cli.py -c $instance.conf bsc --self_id 1 --action list | +qh 2>/dev/null | +awk ' + /\(signing_cert/ {p = 1} + /\)signing_cert/ {p = 0} + p && /^-/ { + sub(/-/,""); + cmd = "mimencode -u | openssl x509 -text -inform DER -out " NR ".pem"; + print | cmd; + } +' + +kill $rpkid diff --git a/scripts/Old/manifests.py b/scripts/Old/manifests.py new file mode 100644 index 00000000..df8bc2d4 --- /dev/null +++ b/scripts/Old/manifests.py 
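Review bot: The closing `kill $rpkid` is not in a `trap`, so an interrupted run or a failing pipeline leaves the background rpkid daemon running against the test config; put `trap 'kill $rpkid' 0 1 2 15` right after `rpkid=$!`, as rootd.sh in this same change does. There is also no delay between launching rpkid and the `irbe-cli.py ... list` query, so the first request can race the daemon's startup (rootd.sh sleeps 5 seconds for the same reason). The awk `cmd` pipeline writes `NR.pem` files into the current directory and overwrites any existing ones silently, which is worth a comment at the top of the script.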
@@ -0,0 +1,90 @@ +# $Id$ + +# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN") +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +import time, glob, os +import rpki.x509, rpki.manifest, rpki.sundial + +show_content_1 = False +show_signed_manifest_PEM = False +show_signed_manifest_asn1dump = True +show_content_2 = False +show_content_3 = False +dump_signed_manifest_DER = False +dump_manifest_content_DER = False +test_empty_manifest = False + +def dumpasn1(thing): + # Save to file rather than using popen4() because dumpasn1 uses + # seek() when decoding ASN.1 content nested in OCTET STRING values. 
+ try: + fn = "dumpasn1.tmp" + f = open(fn, "w") + f.write(thing) + f.close() + f = os.popen("dumpasn1 2>&1 -a " + fn) + print "\n".join(x for x in f.read().splitlines() if x.startswith(" ")) + f.close() + finally: + os.unlink(fn) + +if test_empty_manifest: + names_and_objs = [] +else: + names_and_objs = [(fn, rpki.x509.X509(Auto_file = fn)) for fn in glob.glob("resource-cert-samples/*.cer")] + +now = rpki.sundial.datetime.utcnow() + +m = rpki.x509.SignedManifest() +m.build( + serial = 17, + thisUpdate = now, + nextUpdate = now + rpki.sundial.timedelta(days = 1), + names_and_objs = names_and_objs, + keypair = rpki.x509.RSA(Auto_file = "biz-certs/Alice-EE.key"), + certs = rpki.x509.X509_chain(Auto_files = ("biz-certs/Alice-EE.cer", "biz-certs/Alice-CA.cer"))) + +if show_content_1: + dumpasn1(m.get_content().toString()) + +if show_signed_manifest_PEM: + print m.get_PEM() + +if dump_manifest_content_DER: + f = open("manifest-content.der", "wb") + f.write(m.get_content().toString()) + f.close() + +if dump_signed_manifest_DER: + f = open("signed-manifest.der", "wb") + f.write(m.get_DER()) + f.close() + +if show_signed_manifest_asn1dump: + dumpasn1(m.get_DER()) + +n = rpki.x509.SignedManifest(DER = m.get_DER()) + +n.verify(ta = rpki.x509.X509(Auto_file = "biz-certs/Alice-Root.cer")) + +if show_content_2: + dumpasn1(n.get_content().toString()) + +assert m.get_content().toString() == n.get_content().toString() +assert m.get_content().get() == n.get_content().get() + +if show_content_3: + print + print n.get_content().get() diff --git a/scripts/Old/pkcs10.py b/scripts/Old/pkcs10.py new file mode 100644 index 00000000..386229f2 --- /dev/null +++ b/scripts/Old/pkcs10.py 
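Review bot: `dumpasn1()` writes its input to the fixed name `dumpasn1.tmp` in the current directory and hands that name to a shell via `os.popen`, and the `finally: os.unlink(fn)` runs even when `open()` itself failed, turning a permissions error into a confusing `OSError` from unlink. A `tempfile.mkstemp()` file (unique name, created mode 0600) plus `subprocess` with an argv list fixes both and removes the shell from the path; this needs `import tempfile, subprocess` added to the import line at the top. The rest of the script only exercises build/verify round-trips and can stay as written.
```python
def dumpasn1(thing):
  # Save to file rather than using popen4() because dumpasn1 uses
  # seek() when decoding ASN.1 content nested in OCTET STRING values.
  fd, fn = tempfile.mkstemp(suffix = ".der")
  try:
    os.write(fd, thing)
    os.close(fd)
    out = subprocess.Popen(["dumpasn1", "-a", fn],
                           stdout = subprocess.PIPE,
                           stderr = subprocess.STDOUT).communicate()[0]
    print "\n".join(x for x in out.splitlines() if x.startswith(" "))
  finally:
    os.unlink(fn)
```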
@@ -0,0 +1,100 @@ +# $Id$ + +# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN") +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +import POW.pkix, glob, os +import rpki.x509, rpki.resource_set, rpki.oids + +parse_test = False +generate_test = True + +parse_extensions = True +show_attributes = False +show_algorithm = False +do_verify = True +show_signature = False +show_publickey = False + +def hexify(thing): + return ":".join(["%02X" % ord(i) for i in thing]) + +if parse_test: + + for name in glob.glob("resource-cert-samples/*.req") + glob.glob("biz-certs/*.req"): + pkcs10 = rpki.x509.PKCS10(Auto_file = name).get_POWpkix() + + print "[", name, "]" + + if show_algorithm: + print pkcs10.signatureAlgorithm + print + print pkcs10.signatureAlgorithm.get() + print + + if show_signature: + print pkcs10.signatureValue, hexify(pkcs10.signatureValue.get()) + print + + if show_publickey: + print pkcs10.certificationRequestInfo.subjectPublicKeyInfo + print pkcs10.certificationRequestInfo.subjectPublicKeyInfo.get() + print hexify(pkcs10.certificationRequestInfo.subjectPublicKeyInfo.toString()) + print + + if show_attributes: + print pkcs10.certificationRequestInfo.attributes.oid, pkcs10.certificationRequestInfo.attributes.oid.get() + print + print pkcs10.certificationRequestInfo.attributes.val, 
pkcs10.certificationRequestInfo.attributes.val.get() + print + print pkcs10.certificationRequestInfo.attributes.val.choice, pkcs10.certificationRequestInfo.attributes.val.choices + print + print pkcs10.certificationRequestInfo.attributes.val.choices[pkcs10.certificationRequestInfo.attributes.val.choice] + print + print len(pkcs10.certificationRequestInfo.attributes.val.choices[pkcs10.certificationRequestInfo.attributes.val.choice]) + print + if len(pkcs10.certificationRequestInfo.attributes.val.choices[pkcs10.certificationRequestInfo.attributes.val.choice]) > 0: + print pkcs10.certificationRequestInfo.attributes.val.choices[pkcs10.certificationRequestInfo.attributes.val.choice][0] + print + + if parse_extensions: + + exts = pkcs10.getExtensions() + + bag = rpki.resource_set.parse_extensions(exts) + if bag.as: print "ASN =", bag.as + if bag.v4: print "IPv4 =", bag.v4 + if bag.v6: print "IPv6 =", bag.v6 + + for oid, crit, val in exts: + if oid in (rpki.oids.name2oid["sbgp-ipAddrBlock"], + rpki.oids.name2oid["sbgp-autonomousSysNum"]): + continue + if isinstance(val, str): + val = hexify(val) + print POW.pkix.oid2obj(oid), oid, "=", val + + if do_verify: + print + print "Signature verification: %s" % pkcs10.verify() + + print + +if generate_test: + keypair = rpki.x509.RSA() + keypair.generate() + pkcs10 = rpki.x509.PKCS10.create(keypair) + f = os.popen("openssl req -text -config /dev/null", "w") + f.write(pkcs10.get_PEM()) + f.close() diff --git a/scripts/Old/rootd.cnf b/scripts/Old/rootd.cnf new file mode 100644 index 00000000..1e400c04 --- /dev/null +++ b/scripts/Old/rootd.cnf 
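Review bot: `if bag.as: print "ASN =", bag.as` does not compile on Python 2.6 or later, where `as` became a reserved word, so the `parse_extensions` branch is dead code unless this script is only ever run under 2.5; use `getattr(bag, "as")` or whatever the resource bag's ASN attribute is now called. Separately, the resource extensions are parsed and printed before `pkcs10.verify()` is consulted, which is fine for a dump-and-look script but must not be copied into anything that acts on a request; a one-line `# NOTE: extensions are shown unverified; verify() result is printed afterwards` would prevent that. The `os.popen("openssl req ...", "w")` pipe never checks `f.close()`'s return, so a failing openssl run goes unnoticed.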
@@ -0,0 +1,30 @@
+# $Id$
+#
+# Generate test root resource certificate for use with rootd.py server.
+
+[ req ]
+default_bits = 2048
+encrypt_key = no
+distinguished_name = req_dn
+req_extensions = req_x509_ext
+prompt = no
+
+[ req_dn ]
+CN = Completely Bogus Test Root (NOT FOR PRODUCTION USE)
+
+[ req_x509_ext ]
+basicConstraints = critical,CA:true
+subjectKeyIdentifier = hash
+keyUsage = critical,keyCertSign,cRLSign
+subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombat.invalid/
+sbgp-autonomousSysNum = critical,@req_asid_ext
+sbgp-ipAddrBlock = critical,@req_addr_ext
+
+[ req_asid_ext ]
+
+AS.0 = 1-65535
+
+[ req_addr_ext ]
+
+IPv4.0 = 0.0.0.0/0
+IPv6.0 = 0::/0
diff --git a/scripts/Old/rootd.sh b/scripts/Old/rootd.sh
new file mode 100644
index 00000000..73411a16
--- /dev/null
+++ b/scripts/Old/rootd.sh
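Review bot: `AS.0 = 1-65535` covers only 16-bit AS numbers while the address extensions claim the entire IPv4 and IPv6 space, so a test root meant to hold "all resources" will refuse any child requesting a 4-byte ASN; if that is the intent, use `AS.0 = 0-4294967295`. `encrypt_key = no` together with the `-nodes` flow in rootd.sh writes the root key in the clear, which is fine for a throwaway test root (the CN already says so) but deserves an explicit `# key is unencrypted: test use only` line next to it. The subjectInfoAccess entry uses the raw caRepository OID `1.3.6.1.5.5.7.48.5`; a trailing comment naming it saves the next reader a lookup.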
@@ -0,0 +1,143 @@ +#!/bin/sh - +# $Id$ + +# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN") +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# Script to test against rootd.py. +# +# This blows away rpkid's database and rebuilds it with what we need +# for this test, and knows far too much about the id numbers that +# rpkid and mysql will assign. In the long run we must do better than +# this, but gotta start somewhere. + +openssl=../openssl/openssl/apps/openssl + +# Halt on first error + +set -e + +# Generate new key and cert for rootd.py if needed + +if test ! -r rootd.cer -o ! -r rootd.key +then + $openssl req -new -newkey rsa:2048 -nodes -keyout rootd.key -out rootd.req -config rootd.cnf + $openssl x509 -req -in rootd.req -out rootd.cer -extfile rootd.cnf -extensions req_x509_ext -signkey rootd.key -text -sha256 + rm -f rootd.req +fi + +# Blow away old rpkid database (!) so we can start clean + +mysql -u rpki -p`awk '$1 == "sql-password" {print $3}' rpkid.conf` rpki <rpki-db-schema.sql + +# Start rpkid so we can configure it, make sure we shut it down on exit + +python rpkid.py & rpkid=$! 
+trap "kill $rpkid" 0 1 2 3 13 15 + +: Waiting to let rpkid start up; sleep 5 + +# Create a self instance + +time python irbe_cli.py self --action create --crl_interval 84600 + +# Create a business signing context, issue the necessary business cert, and set up the cert chain + +time python irbe_cli.py --pem_out bsc.req bsc --action create --self_id 1 --generate_keypair --signing_cert biz-certs/Bob-CA.cer +time $openssl x509 -req -in bsc.req -out bsc.cer -CA biz-certs/Bob-CA.cer -CAkey biz-certs/Bob-CA.key -CAserial biz-certs/Bob-CA.srl +time python irbe_cli.py bsc --action set --self_id 1 --bsc_id 1 --signing_cert bsc.cer +rm -f bsc.req bsc.cer + +# Create a repository context + +time python irbe_cli.py repository --self_id 1 --action create --bsc_id 1 + +# Create a parent context pointing at rootd.py + +time python irbe_cli.py parent --self_id 1 --action create --bsc_id 1 --repository_id 1 \ + --peer_contact_uri https://localhost:44333/ \ + --cms_ta biz-certs/Elena-Root.cer \ + --https_ta biz-certs/Elena-Root.cer \ + --sia_base rsync://wombat.invalid/ \ + --sender_name tweedledee \ + --recipient_name tweedledum + +# Create a child context + +time python irbe_cli.py child --self_id 1 --action create --bsc_id 1 --cms_ta biz-certs/Frank-Root.cer + +# Need to link irdb to created child and clear conflicting links. +# For now, just do this "manually" in MySQL CLI. + +echo ' + UPDATE registrant SET rpki_self_id = NULL, rpki_child_id = NULL; + UPDATE registrant SET rpki_self_id = 1, rpki_child_id = 1 WHERE subject_name = "Epilogue Technology Corporation"; +' | +mysql -u irdb -p`awk '$1 == "sql-password" {print $3}' irbe.conf` irdb + +if test "$1" = "run" +then + + rm -rf publication + + python rootd.py & rootd=$! + python irdbd.py & irdbd=$! 
+ trap "kill $rpkid $irdbd $rootd" 0 1 2 3 13 15 + + : Waiting to let daemons start up; sleep 5 + + date; time python cronjob.py + date; time python testpoke.py -r list + date; time python testpoke.py -r issue + + date; time python cronjob.py + date; time python testpoke.py -r list + date; time python testpoke.py -r issue + + date; python testpoke.py -r issue | + qh | + sed -n '/^(certificate/,/^)certificate/s/^-//p' | + mimencode -u | + $openssl x509 -noout -inform DER -text + + date; time python testpoke.py -r revoke + date; time python testpoke.py -r list + date; time python cronjob.py + date; time python testpoke.py -r list + + date; time python cronjob.py + date; time python testpoke.py -r list + date; time python testpoke.py -r issue + + date; time python testpoke.py -r revoke + date; time python testpoke.py -r list + date; time python cronjob.py + date; time python testpoke.py -r list + + date; time python testpoke.py -r issue + date; time python testpoke.py -r revoke + date; time python testpoke.py -r issue + date; time python testpoke.py -r revoke + date; time python testpoke.py -r issue + date; time python testpoke.py -r revoke + date; time python testpoke.py -r list + date; time python cronjob.py + date; time python testpoke.py -r list + + date; time python testpoke.py -r issue + date; time python cronjob.py + date; time python testpoke.py -r list + date + +fi diff --git a/scripts/Old/test-pow-cms.py b/scripts/Old/test-pow-cms.py deleted file mode 100644 index 36bebb8f..00000000 --- a/scripts/Old/test-pow-cms.py +++ /dev/null 
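Review bot: The MySQL password is extracted from rpkid.conf (and later irbe.conf) with `awk '$1 == "sql-password" {print $3}'` and passed on the mysql command line via `-p`, so it is visible to every local user through `ps` for the duration of the schema load; pass it through the environment instead, `MYSQL_PWD=$(awk '$1 == "sql-password" {print $3}' rpkid.conf) mysql -u rpki rpki <rpki-db-schema.sql`, or point mysql at a `--defaults-extra-file`. `set -e` does not catch a failing awk inside command substitution, so a missing config file silently becomes an empty password and a confusing access-denied error. The second `trap "kill $rpkid $irdbd $rootd"` correctly supersedes the first, but neither trap handles a daemon that already died, and `kill` will then abort the script under `set -e`; a `trap '... ; kill ... 2>/dev/null || true'` form is more robust.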
@@ -1,49 +0,0 @@ -# $Id$ - -# Copyright (C) 2008 American Registry for Internet Numbers ("ARIN") -# -# Permission to use, copy, modify, and distribute this software for any -# purpose with or without fee is hereby granted, provided that the above -# copyright notice and this permission notice appear in all copies. -# -# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH -# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -# PERFORMANCE OF THIS SOFTWARE. - -import POW, rpki.x509 - -key = rpki.x509.RSA(Auto_file = "biz-certs/Alice-EE.key").get_POW() -ee = rpki.x509.X509(Auto_file = "biz-certs/Alice-EE.cer").get_POW() - -ca = rpki.x509.X509(Auto_file = "biz-certs/Alice-CA.cer").get_POW() -ta = rpki.x509.X509(Auto_file = "biz-certs/Alice-Root.cer").get_POW() - -plaintext = "Wombats Are Us" - -p7 = POW.PKCS7() - -#p7.sign(ee, key, [ca], plaintext) -p7.sign(ee, key, [], plaintext) - -#print p7.pemWrite() - -store = POW.X509Store() -store.addTrust(ta) - -if store.verify(ca): - print "Verified CA" - store.addTrust(ca) -else: - print "Couldn't verify CA" - -if store.verify(ee): - print "Verified EE" -else: - print "Couldn't verify EE" - -result = p7.verify(store) -print result diff --git a/scripts/Old/test-pow-tls.py b/scripts/Old/test-pow-tls.py new file mode 100644 index 00000000..bc9ea9a0 --- /dev/null +++ b/scripts/Old/test-pow-tls.py 
@@ -0,0 +1,61 @@ +""" +Grope towards testing TLS functionality in POW + +$Id$ + +Copyright (C) 2008 American Registry for Internet Numbers ("ARIN") + +Permission to use, copy, modify, and distribute this software for any +purpose with or without fee is hereby granted, provided that the above +copyright notice and this permission notice appear in all copies. + +THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH +REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, +INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +PERFORMANCE OF THIS SOFTWARE. +""" + +# openssl s_server -tls1 -Verify 9 -cert biz-certs/Alice-EE.cer -key biz-certs/Alice-EE.key -www -CApath biz-certs -chain + +# openssl s_client -connect localhost:4433 -tls1 -cert biz-certs/Bob-EE.cer -key biz-certs/Bob-EE.key -verify 9 -CApath biz-certs -crlf + +import POW, socket + +def pow_error_iterator(): + err = POW.getError() + if err is None: + raise StopIteration + else: + yield err + +key = POW.pemRead(POW.RSA_PRIVATE_KEY, open("biz-certs/Bob-EE.key").read()) +cer = POW.pemRead(POW.X509_CERTIFICATE, open("biz-certs/Bob-EE.cer").read()) +ca = POW.pemRead(POW.X509_CERTIFICATE, open("biz-certs/Bob-CA.cer").read()) + +s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +s.connect(("localhost", 4433)) + +try: + t = POW.Ssl(POW.TLSV1_CLIENT_METHOD) + t.useCertificate(cer) + t.useKey(key) + t.addCertificate(ca) + t.setFd(s.fileno()) + t.connect() + x = t.peerCertificate() + if x is not None: + print "Peer", x.pprint() + t.write("GET / HTTP/1.0\r\n") + if False: + print t.read(10000) + else: + while True: + print t.read() +except: + print "ERROR:" + for e in pow_error_iterator(): + print e + raise 
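Review bot: The client never calls `setVerifyMode()` or `trustCertificate()`, so the TLS handshake accepts whatever certificate the server presents, and `t.peerCertificate()` is only printed, never checked, whereas tls-client.py in this same change does set `POW.SSL_VERIFY_PEER | POW.SSL_VERIFY_FAIL_IF_NO_PEER_CERT`. Add `t.setVerifyMode(POW.SSL_VERIFY_PEER | POW.SSL_VERIFY_FAIL_IF_NO_PEER_CERT)` and `t.trustCertificate(POW.pemRead(POW.X509_CERTIFICATE, open("biz-certs/Alice-Root.cer").read()))` before `t.connect()`, since the s_server comment shows Alice as the server identity. `pow_error_iterator()` yields at most one error because the generator ends after the first `yield`; a `while True:` loop around `POW.getError()` that returns on `None` would drain the whole OpenSSL error stack, which is what the `except:` handler wants.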
diff --git a/scripts/Old/timers.sh b/scripts/Old/timers.sh new file mode 100644 index 00000000..c880a029 --- /dev/null +++ b/scripts/Old/timers.sh @@ -0,0 +1,55 @@ +#!/bin/sh - +# $Id$ +# +# Copyright (C) 2009 Internet Systems Consortium ("ISC") +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# Postprocess output of timer debug log. I'll probably never need +# this again, but I'd rather not have to write it a second time. + +awk ' + /<timer/ { + time = $2; tag = $3; $1 = $2 = $3 = ""; + print tag, time, $0; + } + ' ${1-screenlog.0} | +sort | +sed ' + s=
==; + /testbed\[/d; + s= datetime([0-9, ]*)==; + s=<bound method.*>>==; + s=/u/sra/rpki/subvert-rpki.hactrn.net/[a-z]*/rpki/==; + s= timedelta([0-9, ]*)==; + s= None = =; + s= at = =; + s= to from = from = + ' | +awk ' + BEGIN { + SUBSEP = "<"; + } + { + #print; + state[$1, $5] = $3; + } + /Creating/ { + created[$1, $5] = $NF; + } + END { + for (i in state) + print i, state[i], created[i]; + } + ' | +sort diff --git a/scripts/Old/tls-client.py b/scripts/Old/tls-client.py new file mode 100644 index 00000000..ef879a5c --- /dev/null +++ b/scripts/Old/tls-client.py @@ -0,0 +1,27 @@ +# $Id$ + +import socket, POW, time + +key = POW.pemRead(POW.RSA_PRIVATE_KEY, open("Carol.key", "r").read()) +cer = POW.pemRead(POW.X509_CERTIFICATE, open("Carol.cer", "r").read()) +ta = POW.pemRead(POW.X509_CERTIFICATE, open("Alice-TA.cer", "r").read()) + +s = socket.socket() +s.connect(('',6666)) + +ssl = POW.Ssl(POW.TLSV1_CLIENT_METHOD) + +ssl.useCertificate(cer) +ssl.useKey(key) +ssl.setVerifyMode(POW.SSL_VERIFY_PEER | POW.SSL_VERIFY_FAIL_IF_NO_PEER_CERT) +ssl.trustCertificate(ta) + +ssl.setFd(s.fileno()) +ssl.connect() + +peer = ssl.peerCertificate() +if peer is not None: + print peer.pprint() + +print ssl.read(100) +ssl.write("Bye") diff --git a/scripts/Old/tls-server.py b/scripts/Old/tls-server.py new file mode 100644 index 00000000..d3798a32 --- /dev/null +++ b/scripts/Old/tls-server.py 
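Review bot: After `ssl.connect()` the chain is validated against `Alice-TA.cer`, but nothing checks which certificate under that trust anchor the peer presented, so any certificate that TA has issued is accepted as the server; the `peer` object is only pretty-printed. Before reading, compare the peer's subject (or its key identifier, if POW exposes one) against the expected server identity and raise on mismatch, e.g. `if peer is None: raise RuntimeError("no peer certificate")` followed by the identity check. `s.connect(('', 6666))` relies on the empty host resolving to the local machine, which is platform-specific; `'127.0.0.1'` is explicit. The session is never shut down (no `ssl.shutdown()` or `s.close()`), so the server sees a truncated connection rather than a close_notify.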
@@ -0,0 +1,40 @@ +# $Id$ + +import socket, POW, time + +key = POW.pemRead(POW.RSA_PRIVATE_KEY, open("Alice.key", "r").read()) +cer = POW.pemRead(POW.X509_CERTIFICATE, open("Alice.cer", "r").read()) +ta = POW.pemRead(POW.X509_CERTIFICATE, open("Carol-TA.cer", "r").read()) + +listener = socket.socket() +listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) +listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1) +listener.bind(('',6666)) +listener.listen(5) + +s, addr = listener.accept() +while not s: + time.sleep(2) + s, addr = listener.accept() + +s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) +s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1) + +print "Got connection %r from %r" % (s, addr) + +ssl = POW.Ssl(POW.TLSV1_SERVER_METHOD) + +ssl.useCertificate(cer) +ssl.useKey(key) +ssl.setVerifyMode(POW.SSL_VERIFY_PEER | POW.SSL_VERIFY_FAIL_IF_NO_PEER_CERT) +ssl.trustCertificate(ta) + +ssl.setFd(s.fileno()) +ssl.accept() + +peer = ssl.peerCertificate() +if peer is not None: + print peer.pprint() + +ssl.write("Hello, TLS") +print ssl.read(100) |
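Review bot: `listener.bind(('', 6666))` listens on every interface, and `SO_REUSEPORT` on the listener lets another process (on Linux, one running as the same user) bind port 6666 and receive a share of the connections, so this test server is reachable from off-host and can be hijacked locally; bind to `('127.0.0.1', 6666)` and drop the `SO_REUSEPORT` line, since `SO_REUSEADDR` is all a quick-restart test needs. The `while not s:` loop after `accept()` is dead code (accept blocks and never returns a falsy socket) and the two `setsockopt` calls on the accepted socket `s` have no effect there; delete both. As in tls-client.py, the client certificate is chain-validated against the TA but its identity is only printed, never compared to the expected client.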