Diffstat (limited to 'scripts/Old')
-rw-r--r--scripts/Old/check-hashes.sh13
-rwxr-xr-xscripts/Old/encode-test.py161
-rw-r--r--scripts/Old/gen-verify-test.pl104
-rw-r--r--scripts/Old/generate-testrepo.pl337
-rw-r--r--scripts/Old/gki.pl46
-rw-r--r--scripts/Old/make-hashes.pl42
-rw-r--r--scripts/Old/master.sh24
-rw-r--r--scripts/Old/mirror-apnic.sh12
-rw-r--r--scripts/Old/mirror-ripe.sh46
-rw-r--r--scripts/Old/resource-set.py83
-rw-r--r--scripts/Old/test-pow.py89
-rw-r--r--scripts/Old/test-sql.py36
-rw-r--r--scripts/Old/uri.pl53
13 files changed, 1046 insertions, 0 deletions
diff --git a/scripts/Old/check-hashes.sh b/scripts/Old/check-hashes.sh
new file mode 100644
index 00000000..87c140de
--- /dev/null
+++ b/scripts/Old/check-hashes.sh
@@ -0,0 +1,13 @@
+#!/bin/sh -
+# $Id$
+
+: ${openssl=/u/sra/isc/route-pki/subvert-rpki.hactrn.net/openssl/openssl/apps/openssl}
+: ${switches='-verbose -crl_check_all -policy_check -explicit_policy -policy 1.3.6.1.5.5.7.14.2 -x509_strict'}
+: ${hashtree=hashed}
+
+find $hashtree -type f -name '*.[0-9]*' 2>&1 -print -exec \
+ $openssl verify $switches -CApath $(find $hashtree -type d | tr \\012 : | sed 's=:$==') {} \;
+
+# Hack for analyzing results of running this script:
+#
+# awk -F: '/^hashed/ && NF == 1 {f = $0; p = 1; next} /^hashed/ && NF == 2 && $1 == f && $2 == " OK" {next} p {print "\n" f; p = 0} {print}' check-hashes.log
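Review bot: The `-CApath` value on the `-exec` line is built from every directory under `$hashtree`, so each certificate that `find` turns up is verified against a store that trusts the whole mirrored repository, including the leaf itself and every intermediate; as far as the visible lines show, a certificate that does not chain to a genuine trust anchor will still print OK as long as its issuer happens to be somewhere in the tree. Only the trust anchors belong in the trusted store (`-CAfile` or a `-CApath` restricted to the TA directory) and the repository CAs should be supplied with `-untrusted`, so that `verify` is forced to build a path back to a TA. `$hashtree` and the `$(find …)` result are also interpolated unquoted, so a path containing whitespace splits into extra arguments; write `"$hashtree"` and quote the `-CApath` argument. `$switches` is intended to word-split and can stay unquoted, but a one-line comment saying so would stop the next reader from "fixing" it.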
diff --git a/scripts/Old/encode-test.py b/scripts/Old/encode-test.py
new file mode 100755
index 00000000..b4709866
--- /dev/null
+++ b/scripts/Old/encode-test.py
@@ -0,0 +1,161 @@
+# $Id$
+
+import os
+
+def run(func, arg, *cmd):
+ i, o = func(cmd)
+ i.write(arg)
+ i.close()
+ value = o.read()
+ o.close()
+ return value
+
+def encode(xml, cer, key):
+ return run(os.popen2, xml, "openssl", "smime", "-sign", "-nodetach", "-outform", "PEM", "-signer", cer, "-inkey", key)
+
+def decode(cms, dir):
+ return run(os.popen2, cms, "openssl", "smime", "-verify", "-inform", "PEM", "-CApath", dir)
+
+def relaxng(xml, rng):
+ return run(os.popen4, xml, "xmllint", "--noout", "--relaxng", rng, "-")
+
+def main():
+ dir = "biz-certs"
+ cer = "biz-certs/Alice-EE.cer"
+ key = "biz-certs/Alice-EE.key"
+ rng = "up-down-schema.rng"
+
+ for x in xml:
+ print x
+ e = encode(x, cer, key)
+ print e
+ d = decode(e, dir)
+ print d
+ v = relaxng(d, rng)
+ print v
+ print "=====\n"
+
+# Ugly inline stuff here for initial testing
+
+xml = [
+'''<?xml version="1.0" encoding="UTF-8"?>
+<message xmlns="http://www.apnic.net/specs/rescerts/up-down/"
+ version="1"
+ sender="sender name"
+ recipient="recipient name"
+ msg_ref="42"
+ type="error_response">
+ <status>2001</status>
+ <last_msg_processed>17</last_msg_processed>
+ <description xml:lang="en-US">[Readable text]</description>
+</message>
+''',
+'''<?xml version="1.0" encoding="UTF-8"?>
+<message xmlns="http://www.apnic.net/specs/rescerts/up-down/"
+ version="1"
+ sender="sender name"
+ recipient="recipient name"
+ msg_ref="42" type="issue">
+ <request class_name="class name"
+ req_resource_set_as=""
+ req_resource_set_ipv4="10.0.0.44/32"
+ req_resource_set_ipv6="dead:beef::/32">
+ deadbeef
+ </request>
+</message>
+''',
+'''<?xml version="1.0" encoding="UTF-8"?>
+<message xmlns="http://www.apnic.net/specs/rescerts/up-down/"
+ version="1"
+ sender="sender name"
+ recipient="recipient name"
+ msg_ref="1"
+ type="issue_response">
+ <class class_name="class name"
+ cert_url="url"
+ cert_ski="g(ski)"
+ resource_set_as="22,42,44444-5555555"
+ resource_set_ipv4="10.0.0.44-10.3.0.44,10.6.0.2/32"
+ resource_set_ipv6="dead:beef::/128">
+ <certificate cert_url="url"
+ cert_ski="g(ski)"
+ cert_aki="g(aki)"
+ cert_serial="1"
+ resource_set_as="14-17"
+ resource_set_ipv4="128.224.1.136/22"
+ resource_set_ipv6="0:0::/22"
+ req_resource_set_as=""
+ req_resource_set_ipv4="10.0.0.77/16,127.0.0.1/8"
+ req_resource_set_ipv6="dead:beef::/16"
+ status="match">
+ deadbeef
+ </certificate>
+ <issuer>deadbeef</issuer>
+ </class>
+</message>
+''',
+'''<?xml version="1.0" encoding="UTF-8"?>
+<message xmlns="http://www.apnic.net/specs/rescerts/up-down/"
+ version="1"
+ sender="sender name"
+ recipient="recipient name"
+ msg_ref="42"
+ type="list"/>
+''',
+'''<?xml version="1.0" encoding="UTF-8"?>
+<message xmlns="http://www.apnic.net/specs/rescerts/up-down/"
+ version="1"
+ sender="sender name"
+ recipient="recipient name"
+ msg_ref="42"
+ type="list_response">
+ <class class_name="class name"
+ cert_url="url"
+ cert_ski="g(ski)"
+ resource_set_as="1,2,4,6,16-32"
+ resource_set_ipv4="128.224.1.1-128.22.4.32"
+ resource_set_ipv6=""
+ suggested_sia_head="rsync://wombat.example/fnord/">
+ <certificate cert_url="url"
+ cert_ski="g(ski)"
+ cert_aki="g(aki)"
+ cert_serial="1"
+ resource_set_as=""
+ resource_set_ipv4=""
+ resource_set_ipv6=""
+ req_resource_set_as=""
+ req_resource_set_ipv4=""
+ req_resource_set_ipv6=""
+ status="match">
+ deadbeef
+ </certificate>
+ <!-- Repeated for each current certificate naming the client as subject -->
+ <issuer>deadbeef</issuer>
+ </class>
+</message>
+''',
+'''<?xml version="1.0" encoding="UTF-8"?>
+<message xmlns="http://www.apnic.net/specs/rescerts/up-down/"
+ version="1"
+ sender="sender name"
+ recipient="recipient name"
+ msg_ref="42"
+ type="revoke">
+ <key class_name="class name"
+ ski="g(ski)"/>
+</message>
+''',
+'''<?xml version="1.0" encoding="UTF-8"?>
+<message xmlns="http://www.apnic.net/specs/rescerts/up-down/"
+ version="1"
+ sender="sender name"
+ recipient="recipient name"
+ msg_ref="42"
+ type="revoke_response">
+ <key class_name="class name"
+ ski="g(ski)"/>
+</message>
+'''
+]
+
+main()
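Review bot: `run` never inspects the child's exit status, so when `openssl smime -verify` in `decode` rejects a signature it returns whatever reached stdout (normally nothing) and `main` prints an empty string rather than failing; the same applies to `xmllint` in `relaxng`, which reports schema violations through its exit code. `os.popen2`/`os.popen4` were deprecated in Python 2.6 and give no way to recover that status, whereas `subprocess.Popen` with `communicate()` yields both the output and `returncode` and also avoids the pipe deadlock that the write-everything-then-read pattern can hit on larger inputs. Add `import subprocess` next to `import os` and replace `run` with the version below; the `func` parameter is kept so `encode`, `decode` and `relaxng` need no change, it now only selects whether stderr is merged as `popen4` did.
```python
def run(func, arg, *cmd):
    """Feed arg to cmd on stdin and return its stdout.

    func is os.popen2 (stderr left alone) or os.popen4 (stderr merged into
    the returned text, as before).  Raises RuntimeError when cmd exits
    non-zero so that a failed signature check or a schema violation is not
    silently reported as success.
    """
    stderr = subprocess.STDOUT if func is os.popen4 else None
    proc = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=stderr)
    out, _ = proc.communicate(arg)
    if proc.returncode != 0:
        raise RuntimeError("%s exited %d: %s" % (cmd[0], proc.returncode, out))
    return out
```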
diff --git a/scripts/Old/gen-verify-test.pl b/scripts/Old/gen-verify-test.pl
new file mode 100644
index 00000000..e1b53579
--- /dev/null
+++ b/scripts/Old/gen-verify-test.pl
@@ -0,0 +1,104 @@
+:
+# $Id$
+eval 'exec perl -w -S $0 ${1+"$@"}'
+ if 0;
+
+use strict;
+
+my $openssl = "/u/sra/isc/route-pki/subvert-rpki.hactrn.net/openssl/openssl/apps/openssl";
+
+my $verify_options = "-verbose -crl_check_all -policy_check -explicit_policy -policy 1.3.6.1.5.5.7.14.2 -x509_strict";
+
+my $verbose = 1;
+
+my $debug = $ENV{DEBUG};
+
+exit unless (@ARGV);
+
+# Find all certificates in the repository
+
+open(F, "-|", "find", @ARGV, qw(-type f -name *.cer))
+ or die("Couldn't run find: $!\n");
+chomp(my @files = <F>);
+close(F);
+@ARGV = ();
+
+# Snarf all the AIA and CDP values from the certs we're examining.
+# Icky screen scraping, better mechanism needed.
+
+my %aia;
+my %cdp;
+
+for my $f (@files) {
+ my ($a, $c) = (0, 0);
+ open(F, "-|", $openssl, qw(x509 -noout -text -inform DER -in), $f)
+ or die("Couldn't run openssl x509 on $f: $!\n");
+ while (<F>) {
+ chomp;
+ s{^.+URI:rsync://}{};
+ $a = $. + 1
+ if (/Authority Information Access:/);
+ $c = $. + 1
+ if (/X509v3 CRL Distribution Points:/);
+ $aia{$f} = $_
+ if ($a && $. == $a);
+ $cdp{$f} = $_
+ if ($c && $. == $c);
+ }
+ print(STDERR $f, " ", ($aia{$f} || "-"), " ", ($cdp{$f} || "-"), "\n")
+ if ($debug);
+ close(F);
+}
+
+# Sort out ancestry
+
+my %daddy;
+
+for my $f (@files) {
+ next unless ($aia{$f});
+ my @daddy = grep({ $_ eq $aia{$f} } @files);
+ die("Can't figure out who my daddy is! $f @{[join(' ', @daddy)]}\n")
+ if (@daddy > 1);
+ $daddy{$f} = $daddy[0]
+ if (@daddy && $daddy[0] ne $f);
+ print(STDERR "me: $f, daddy: $daddy[0]\n")
+ if ($debug);
+}
+
+# Generate a test script based on all of the above
+
+for my $f (@files) {
+ my @ancestors;
+ for (my $d = $daddy{$f}; $d; $d = $daddy{$d}) {
+ push(@ancestors, $d);
+ }
+ next unless (@ancestors);
+ my @crls;
+ for my $c (map {$cdp{$_}} ($f, @ancestors)) {
+ push(@crls, $c)
+ unless (grep {$_ eq $c} @crls);
+ }
+ print("echo ", "=" x 40, "\n",
+ "echo Checking chain:\n")
+ if ($verbose > 0);
+ for (($f, @ancestors)) {
+ print("echo ' Certificate: $_'\n")
+ if ($verbose > 0);
+ print("$openssl x509 -noout -text -inform DER -certopt no_header,no_signame,no_validity,no_pubkey,no_sigdump,no_version -in $_\n")
+ if ($verbose > 1);
+ }
+ for (@crls) {
+ print("echo ' CRL: $_'\n")
+ if ($verbose > 0);
+ print("$openssl crl -noout -text -inform DER -in $_\n")
+ if ($verbose > 1);
+ }
+ print("rm -f CAfile.pem cert-in-hand.pem\n");
+ print("$openssl x509 -inform DER -outform PEM >>CAfile.pem -in $_\n")
+ foreach (@ancestors);
+ print("$openssl crl -inform DER -outform PEM >>CAfile.pem -in $_\n")
+ foreach (@crls);
+ print("$openssl x509 -inform DER -outform PEM -out cert-in-hand.pem -in $f\n",
+ "$openssl verify -CAfile CAfile.pem $verify_options cert-in-hand.pem\n",
+ "rm -f CAfile.pem cert-in-hand.pem\n");
+}
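Review bot: Every `print(...)` in the final loop interpolates repository file names (`$f`, `$_`, the entries of `@crls`) straight into shell command lines without quoting, and those names come from `find` over mirrored repositories (`master.sh` pipes this output into `sh`), so a remote repository operator who can choose a file name containing whitespace, `;` or `$(...)` gets command execution on the validator host. Add a quoting helper and wrap each interpolated path: `sub shquote { my $s = shift; $s =~ s/'/'\\''/g; return "'$s'" }`, then for example `"$openssl x509 -inform DER -outform PEM -out cert-in-hand.pem -in @{[shquote($f)]}\n"`. The CRL-collection loop also pushes `undef` onto `@crls` when a certificate has no CDP, which produces uninitialized-value warnings in the `grep` and emits an `-in ` with no file name; add `next unless defined $c;` at the top of that loop. A short header comment stating that the output is a shell script and that the AIA match assumes the mirror directory layout mirrors the rsync URI path would also help.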
diff --git a/scripts/Old/generate-testrepo.pl b/scripts/Old/generate-testrepo.pl
new file mode 100644
index 00000000..bacbe0de
--- /dev/null
+++ b/scripts/Old/generate-testrepo.pl
@@ -0,0 +1,337 @@
+# $Id$
+
+# Hack to generate a small test repository for testing Apache + OpenSSL + RPKI
+
+use strict;
+
+my %resources;
+my %parent;
+my @ordering;
+my %hashes;
+
+my $openssl = "../../openssl/openssl/apps/openssl";
+my $subdir = "apacheca";
+my $passwd = "fnord";
+my $keybits = 2048;
+my $verbose = 0;
+my $debug = 1;
+my $revoke = 0;
+
+sub openssl {
+ print(STDERR join(" ", qw(+ openssl), @_), "\n")
+ if ($debug);
+ !system($openssl, @_)
+ or die("openssl @_ returned $?\n");
+}
+
+# Ok, this is a bit complicated, but the idea is to let us specify the
+# resources we're giving to each leaf entity and let the program do
+# the work of figuring out what resources each issuers need to have,
+# the order in which we need to generate the certificates, which
+# certificates need to sign which other certificates, etcetera.
+#
+# This would be much easier to read in a sane language (eg, Scheme).
+
+{
+ my @ctx;
+ my $loop ;
+ $loop= sub {
+ my $x = shift;
+ if (ref($x) eq "HASH") {
+ while (my ($k, $v) = each(%$x)) {
+ $parent{$k} = $ctx[@ctx - 1];
+ push(@ordering, $k);
+ push(@ctx, $k); $loop->($v); pop(@ctx);
+ }
+ } else {
+ for my $c (@ctx) { push(@{$resources{$c}}, @$x) }
+ }
+ };
+ $loop->({
+ RIR => {
+ LIR1 => {
+ ISP1 => [IPv4 => "192.0.2.1-192.0.2.33", AS => "64533"],
+ ISP2 => [IPv4 => "192.0.2.44-192.0.2.100"],
+ },
+ LIR2 => {
+ ISP3 => [IPv6 => "2001:db8::44-2001:db8::100"],
+ ISP4 => [IPv6 => "2001:db8::10:0:44", AS => "64544"],
+ },
+ },
+ });
+}
+
+# Put this stuff into a subdirectory
+
+mkdir($subdir) unless (-d $subdir);
+chdir($subdir) or die;
+
+# Generate configurations for each entity.
+
+while (my ($entity, $resources) = each(%resources)) {
+ my %r;
+ print($entity, ":\n")
+ if ($verbose);
+ for (my $i = 0; $i < @$resources; $i += 2) {
+ printf(" %4s: %s\n", $resources->[$i], $resources->[$i+1])
+ if ($verbose);
+ push(@{$r{$resources->[$i]}}, $resources->[$i+1]);
+ }
+ open(F, ">${entity}.cnf") or die;
+ print(F <<EOF);
+
+ [ ca ]
+ default_ca = ca_default
+
+ [ ca_default ]
+
+ certificate = ${entity}.cer
+ serial = ${entity}/serial
+ private_key = ${entity}.key
+ database = ${entity}/index
+ new_certs_dir = ${entity}
+ name_opt = ca_default
+ cert_opt = ca_default
+ default_days = 365
+ default_crl_days = 30
+ default_md = sha1
+ preserve = no
+ copy_extensions = copy
+ policy = ca_policy_anything
+ unique_subject = no
+
+ [ ca_policy_anything ]
+ countryName = optional
+ stateOrProvinceName = optional
+ localityName = optional
+ organizationName = optional
+ organizationalUnitName = optional
+ commonName = supplied
+ emailAddress = optional
+ givenName = optional
+ surname = optional
+
+ [ req ]
+ default_bits = $keybits
+ encrypt_key = no
+ distinguished_name = req_dn
+ x509_extensions = req_x509_ext
+ prompt = no
+
+ [ req_dn ]
+
+ CN = TEST ENTITY $entity
+
+ [ req_x509_ext ]
+
+ basicConstraints = critical,CA:true
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid
+ keyUsage = critical,keyCertSign,cRLSign
+ subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombats-r-us.hactrn.net/
+
+EOF
+
+ print(F <<EOF) if ($parent{$entity});
+
+ authorityInfoAccess = caIssuers;URI:rsync://wombats-r-us.hactrn.net/$parent{$entity}.cer
+
+EOF
+
+ print(F <<EOF) if ($r{AS} || $r{RDI});
+
+ sbgp-autonomousSysNum = critical,\@asid_ext
+
+EOF
+
+ print(F <<EOF) if ($r{IPv4} || $r{IPv6});
+
+ sbgp-ipAddrBlock = critical,\@addr_ext
+
+EOF
+
+ print(F <<EOF);
+
+ [ asid_ext ]
+
+EOF
+
+ for my $n (qw(AS RDI)) {
+ my $i = 0;
+ for my $a (@{$r{$n}}) {
+ print(F "\t", $n, ".", $i++, " = ", $a, "\n");
+ }
+ }
+
+ print(F <<EOF);
+
+
+ [ addr_ext ]
+
+EOF
+
+ for my $n (qw(IPv4 IPv6)) {
+ my $i = 0;
+ for my $a (@{$r{$n}}) {
+ print(F "\t", $n, ".", $i++, " = ", $a, "\n");
+ }
+ }
+ close(F);
+}
+
+# Revoke old certificates, maybe.
+
+if ($revoke) {
+ for my $cert (glob("*/*.pem")) {
+ my $conf = (split("/", $cert))[0] . ".cnf";
+ openssl("ca", "-verbose", "-config", $conf, "-revoke", $cert);
+ unlink($cert);
+ }
+}
+
+# Run OpenSSL to create the keys and certificates. We generate keys
+# separately to avoid wasting /dev/random bits if we need to change
+# the configuration.
+
+for my $entity (@ordering) {
+ openssl("genrsa", "-out", "${entity}.key", $keybits)
+ unless (-f "${entity}.key");
+ openssl("req", "-new", "-config", "${entity}.cnf", "-key", "${entity}.key", "-out", "${entity}.req");
+
+ mkdir($entity)
+ unless (-d $entity);
+ if (!-f "${entity}/index") {
+ open(F, ">${entity}/index") or die;
+ close(F);
+ }
+ if (!-f "${entity}/serial") {
+ open(F, ">${entity}/serial") or die;
+ print(F "01\n") or die;
+ close(F);
+ }
+
+ openssl("ca", "-batch", "-verbose", "-out", "${entity}.cer", "-in", "${entity}.req",
+ "-extensions", "req_x509_ext", "-extfile", "${entity}.cnf",
+ ($parent{$entity}
+ ? ("-config", "${parent{$entity}}.cnf")
+ : ("-config", "${entity}.cnf", "-selfsign")));
+}
+
+# Generate CRLs
+
+for my $entity (@ordering) {
+ openssl("ca", "-batch", "-verbose", "-out", "${entity}.crl",
+ "-config", "${entity}.cnf", "-gencrl");
+}
+
+# Generate EE certs
+
+for my $parent (@ordering) {
+ my $entity = "${parent}-EE";
+ open(F, ">${entity}.cnf") or die;
+ print(F <<EOF);
+
+ [ req ]
+ default_bits = $keybits
+ encrypt_key = no
+ distinguished_name = req_dn
+ x509_extensions = req_x509_ext
+ prompt = no
+
+ [ req_dn ]
+
+ CN = TEST ENDPOINT ENTITY ${entity}
+
+ [ req_x509_ext ]
+
+ basicConstraints = critical,CA:false
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid
+ subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombats-r-us.hactrn.net/
+ authorityInfoAccess = caIssuers;URI:rsync://wombats-r-us.hactrn.net/$parent.cer
+
+EOF
+
+ close(F);
+ openssl("genrsa", "-out", "${entity}.key", $keybits)
+ unless (-f "${entity}.key");
+ openssl("req", "-new", "-config", "${entity}.cnf", "-key", "${entity}.key", "-out", "${entity}.req");
+
+ mkdir($entity)
+ unless (-d $entity);
+ if (!-f "${entity}/index") {
+ open(F, ">${entity}/index") or die;
+ close(F);
+ }
+ if (!-f "${entity}/serial") {
+ open(F, ">${entity}/serial") or die;
+ print(F "01\n") or die;
+ close(F);
+ }
+
+ openssl("ca", "-batch", "-verbose", "-config", "${parent}.cnf",
+ "-extensions", "req_x509_ext", "-extfile", "${entity}.cnf",
+ "-out", "${entity}.cer", "-in", "${entity}.req");
+}
+
+# Generate hashes
+
+for my $cert (map({("$_.cer", "$_-EE.cer")} @ordering)) {
+ my $hash = `$openssl x509 -noout -hash -in $cert`;
+ chomp($hash);
+ $hash .= ".";
+ $hash .= (0 + $hashes{$hash}++);
+ unlink($hash) if (-l $hash);
+ symlink($cert, $hash)
+ or die("Couldn't link $hash to $cert: $!\n");
+}
+
+for my $crl (map({"$_.crl"} @ordering)) {
+ my $hash = `$openssl crl -noout -hash -in $crl`;
+ chomp($hash);
+ $hash .= ".r";
+ $hash .= (0 + $hashes{$hash}++);
+ unlink($hash) if (-l $hash);
+ symlink($crl, $hash)
+ or die("Couldn't link $hash to $crl: $!\n");
+}
+
+# Generate PKCS12 forms of EE certificates
+# -chain argument to pkcs12 requires certificate store, which we configure via an environment variable
+
+$ENV{SSL_CERT_DIR} = do { my $pwd = `pwd`; chomp($pwd); $pwd; };
+
+for my $ee (map({"$_-EE"} @ordering)) {
+ my @cmd = ("pkcs12", "-export", "-in", "$ee.cer", "-inkey", "$ee.key", "-password", "pass:$passwd");
+ openssl(@cmd, "-out", "$ee.p12");
+ openssl(@cmd, "-out", "$ee.chain.p12", "-chain");
+}
+
+# Finally, generate an unrelated self-signed certificate for the server
+
+my $hostname = `hostname`;
+chomp($hostname);
+open(F, ">server.cnf") or die;
+print(F <<EOF);
+
+ [ req ]
+ default_bits = $keybits
+ encrypt_key = no
+ distinguished_name = req_dn
+ prompt = no
+
+ [ req_dn ]
+
+ CN = $hostname
+
+EOF
+
+close(F);
+openssl(qw(genrsa -out server.key), $keybits)
+ unless (-f "server.key");
+openssl(qw(req -new -config server.cnf -key server.key -out server.req));
+openssl(qw(x509 -req -CAcreateserial -in server.req -out server.cer -signkey server.key));
+
+# Local Variables:
+# compile-command: "perl generate-testrepo.pl"
+# End:
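Review bot: The CA configuration written into `${entity}.cnf` sets `default_md = sha1`, so every certificate and CRL this test repository produces is SHA-1 signed, yet the RPKI algorithm profile (RFC 6485) permits only SHA-256 with RSA; a conforming relying party would reject the whole tree, and `check-hashes.sh` would be exercising a non-conformant chain, so change it to `default_md = sha256`. The EE profile written in the "Generate EE certs" section omits `keyUsage`, which RFC 6487 requires to be present, critical, and carrying `digitalSignature` for end-entity certificates; add `keyUsage = critical,digitalSignature` under its `[ req_x509_ext ]`. The hard-coded `$passwd = "fnord"` reaches `openssl pkcs12` as `-password pass:...` on the command line, where it is visible to every local user in the process list; that is acceptable for throwaway fixtures, but a comment next to the assignment should say these PKCS#12 files are test material only.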
diff --git a/scripts/Old/gki.pl b/scripts/Old/gki.pl
new file mode 100644
index 00000000..e91c4abe
--- /dev/null
+++ b/scripts/Old/gki.pl
@@ -0,0 +1,46 @@
+:
+# $Id$
+eval 'exec perl -w -S $0 ${1+"$@"}'
+ if 0;
+
+use MIME::Base64;
+
+sub g {
+ my $x = shift;
+ $x =~ s{:}{}g;
+ $x = pack("H*", $x);
+ $x = encode_base64($x, "");
+ $x =~ y{+/}{-_};
+ $x =~ s{=+$}{};
+ return $x;
+}
+
+while (@ARGV) {
+ my ($file, $aki, $ski, $a, $s) = shift(@ARGV);
+ if ($file =~ /\.cer$/) {
+ open(F, "-|", qw(openssl x509 -noout -inform DER -text -in), $file)
+ or die("Couldn't run openssl x509 on $file: $!\n");
+ } elsif ($file =~ /\.crl$/) {
+ open(F, "-|", qw(openssl crl -noout -inform DER -text -in), $file)
+ or die("Couldn't run openssl x509 on $file: $!\n");
+ } else {
+ next;
+ }
+ while (<F>) {
+ chomp;
+ s/^\s*//;
+ s/^keyid://;
+ $a = $. + 1
+ if (/X509v3 Authority Key Identifier:/);
+ $s = $. + 1
+ if (/X509v3 Subject Key Identifier:/);
+ $aki = $_
+ if ($a && $. == $a);
+ $ski = $_
+ if ($s && $. == $s);
+ }
+ close(F);
+ my $gaki = $aki ? g($aki) : "=" x 27;
+ my $gski = $ski ? g($ski) : "=" x 27;
+ print("$gaki $gski $file\n");
+}
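Review bot: The `die` on the `.crl` branch reports "Couldn't run openssl x509" for a failure of `openssl crl`, a copy-paste slip that will send whoever debugs it to the wrong command; change it to `die("Couldn't run openssl crl on $file: $!\n");`. The script also lacks `use strict`, reuses the bareword handle `F`, and invokes a bare `openssl` from `PATH` while the sibling scripts hard-code a specific build; if this tool's output is compared with theirs, the two OpenSSL versions may format `-text` differently, and the parse here depends on the key identifier appearing on the line immediately after the extension header. A one-line comment above the `while (<F>)` loop stating that assumption, plus `open(my $fh, '-|', ...)`, would make the fragility visible.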
diff --git a/scripts/Old/make-hashes.pl b/scripts/Old/make-hashes.pl
new file mode 100644
index 00000000..4b58a9d0
--- /dev/null
+++ b/scripts/Old/make-hashes.pl
@@ -0,0 +1,42 @@
+# -*- Perl -*-
+# $Id$
+
+use strict;
+
+my $openssl = "/u/sra/isc/route-pki/subvert-rpki.hactrn.net/openssl/openssl/apps/openssl";
+my $dir = "hashed";
+
+my @cmds;
+my %hashes;
+
+exit unless (@ARGV);
+
+open(F, "-|", "find", @ARGV, qw{-type f ( -name *.cer -o -name *.crl )})
+ or die("Couldn't run find: $!\n");
+
+@ARGV = ();
+
+while (<F>) {
+ chomp;
+ my $f = $_;
+ my $type = /\.cer$/ ? "x509" : "crl";
+ $_ = "$dir/$f";
+ s=/[^/]+$==;
+ my $d = $_;
+ my $h = `$openssl $type -inform DER -in $f -noout -hash`;
+ chomp($h);
+ $h .= ".";
+ $h .= "r" if ($type eq "crl");
+ $h .= 0 + $hashes{$d}{$h}++;
+ push(@cmds, "$openssl $type -inform DER -outform PEM -out $d/$h -in $f\n");
+}
+
+close(F);
+
+print("rm -rf $dir\n");
+
+print("test -d $_ || mkdir -p $_\n")
+ foreach (sort(keys(%hashes)));
+
+print($_)
+ foreach (@cmds);
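Review bot: The backtick `$openssl $type -inform DER -in $f -noout -hash` runs through the shell with `$f` taken unquoted from `find` over the mirrored repositories, so a file name containing `;`, backquotes or `$(...)` chosen by a remote repository operator executes on this host the moment the script runs, and the same unquoted `$f` and `$d/$h` are then written into the generated script that `master.sh` feeds to `sh`. Replace the backtick with list-form `open(my $fh, '-|', $openssl, $type, qw(-inform DER -in), $f, qw(-noout -hash)) or die;` and read `$h` from `$fh`, and single-quote (escaping any embedded `'`) every path interpolated into `@cmds` and into the `mkdir -p` lines. The generated script also begins with an unconditional `rm -rf hashed`, so a run that fails halfway leaves no usable hash tree at all; a comment noting that the output is meant to be rebuilt from scratch each time would at least make that deliberate.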
diff --git a/scripts/Old/master.sh b/scripts/Old/master.sh
new file mode 100644
index 00000000..8f59d357
--- /dev/null
+++ b/scripts/Old/master.sh
@@ -0,0 +1,24 @@
+#!/bin/sh -
+# $Id$
+
+scripts="subvert-rpki.hactrn.net/scripts"
+
+repositories="ca-trial.ripe.net/RIPE ca-trial.ripe.net/ARIN repository.apnic.net"
+
+cd `dirname $0`
+
+. $scripts/mirror-apnic.sh
+. $scripts/mirror-ripe.sh
+
+perl $scripts/gen-verify-test.pl $repositories |
+tee verify.sh |
+sh 2>&1 |
+tee verify.log
+
+perl $scripts/make-hashes.pl $repositories |
+tee make-hashes.sh |
+sh 2>&1 |
+tee make-hashes.log
+
+sh $scripts/check-hashes.sh 2>&1 |
+tee check-hashes.log
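Review bot: The two `perl ... | tee ... | sh` pipelines execute whatever `gen-verify-test.pl` and `make-hashes.pl` print, and those generators interpolate file names from the just-mirrored repositories into shell commands unquoted, so this script is the point where a hostile file name in a remote repository becomes command execution; fix the quoting in the generators, or at least do not run the generated `verify.sh` and `make-hashes.sh` without inspection. There is no `set -e`, the `cd` on the unquoted output of `dirname $0` is unchecked, and every `2>&1 | tee` discards the exit status of the stage before it, so a failed rsync proceeds straight into validating a stale or partial mirror; start with `set -eu` and `cd "$(dirname "$0")" || exit 1`. The two `.` lines source the mirror scripts into this shell, so any `exit` or variable assignment inside them affects this script directly.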
diff --git a/scripts/Old/mirror-apnic.sh b/scripts/Old/mirror-apnic.sh
new file mode 100644
index 00000000..995efcb8
--- /dev/null
+++ b/scripts/Old/mirror-apnic.sh
@@ -0,0 +1,12 @@
+#!/bin/sh -
+# $Id$
+
+# An unknown entity representing itself as gmm says that this is the
+# trust anchor for the APNIC test repository.
+#
+fetch -m -o repository.apnic.net/trust-anchor.cer \
+ http://mirin.apnic.net/resourcecerts/trust-anchor.cer
+
+# Mirror the repository itself
+#
+rsync -aiz --delete rsync://repository.apnic.net/APNIC/ repository.apnic.net/APNIC/
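Review bot: The trust anchor is fetched over plain `http://` with `fetch -m`, which refreshes it whenever the remote copy differs, so the root of trust for everything validated afterwards is whatever an on-path attacker or a compromised web host serves on a given run; the comment above it ("an unknown entity representing itself as gmm") already concedes that it was never authenticated. A trust anchor should be obtained once, out of band, pinned by fingerprint and only replaced deliberately: drop `-m`, and after the download compare `openssl x509 -inform DER -noout -fingerprint -sha256 -in repository.apnic.net/trust-anchor.cer` against a literal recorded in this script, exiting non-zero on mismatch so `master.sh` stops. The `rsync --delete` mirror below is acceptable as is, since repository objects are signed and validated later, but `fetch -o` presumably needs `repository.apnic.net/` to exist already, so a `mkdir -p` before it would avoid a confusing first-run failure.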
diff --git a/scripts/Old/mirror-ripe.sh b/scripts/Old/mirror-ripe.sh
new file mode 100644
index 00000000..f2ba5a17
--- /dev/null
+++ b/scripts/Old/mirror-ripe.sh
@@ -0,0 +1,46 @@
+#!/bin/sh -
+# $Id$
+
+# The following are freshly produced in conformance with Geoff &
+# George's latest developments - I hope.
+
+# Trust Anchors (consider this an out-of-band delivery method):
+
+# RIPE TA:
+fetch -m -o ca-trial.ripe.net/riperoot/repos/root.cer \
+ http://ca-trial.ripe.net/~riperoot/repos/root.cer
+
+# ARIN TA:
+fetch -m -o ca-trial.ripe.net/arinroot/repos/root.cer \
+ http://ca-trial.ripe.net/~arinroot/repos/root.cer
+
+# The repositories are here:
+rsync -aiz --delete rsync://ca-trial.ripe.net/RIPE/ ca-trial.ripe.net/RIPE/
+rsync -aiz --delete rsync://ca-trial.ripe.net/ARIN/ ca-trial.ripe.net/ARIN/
+
+# Some test certificates:
+
+# RIPE->RIPE->ISP:
+fetch -m -o ca-trial.ripe.net/ripeprod/repos/ripe-08.cer \
+ http://ca-trial.ripe.net/~ripeprod/repos/ripe-08.cer
+
+# ARIN->ARIN->ISP:
+fetch -m -o ca-trial.ripe.net/arinprod/repos/arin-01.cer \
+ http://ca-trial.ripe.net/~arinprod/repos/arin-01.cer
+
+# RIPE->ARIN->ISP:
+fetch -m -o ca-trial.ripe.net/arinprod/repos/ripe-01.cer \
+ http://ca-trial.ripe.net/~arinprod/repos/ripe-01.cer
+
+# ARIN->RIPE->ISP:
+fetch -m -o ca-trial.ripe.net/ripeprod/repos/arin-01.cer \
+ http://ca-trial.ripe.net/~ripeprod/repos/arin-01.cer
+
+# I think they work with full up-down chaining, provided that I copied
+# everything in place.
+#
+# George, please look at these, I believe I only need your SIA for these to be
+# ready:
+#
+# RIPE->APNIC cert currently: http://ca-trial.ripe.net/~riperoot/repos/root-0E.cer
+# ARIN->APNIC cert currently: http://ca-trial.ripe.net/~arinroot/repos/root-09.cer
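Review bot: Both trust anchors (`root.cer` for RIPE and for ARIN) are pulled over unauthenticated `http://` on every run, so the two roots that anchor the RIPE and ARIN validation chains can be replaced by anyone on the network path; the "out-of-band delivery method" the comment promises is exactly what these two `fetch` lines are not. Fetch each TA once, record its SHA-256 fingerprint in the script, and verify it after download, e.g. `openssl x509 -inform DER -noout -fingerprint -sha256 -in ca-trial.ripe.net/riperoot/repos/root.cer` compared against a literal, exiting non-zero on mismatch so the caller does not continue with a swapped anchor. The test certificates further down are not anchors and can keep being refreshed, but every `fetch` and `rsync` here is unchecked, so a partial transfer leaves a mixed-version mirror that the later verify step reports on as if it were complete.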
diff --git a/scripts/Old/resource-set.py b/scripts/Old/resource-set.py
new file mode 100644
index 00000000..fe0da8d3
--- /dev/null
+++ b/scripts/Old/resource-set.py
@@ -0,0 +1,83 @@
+# $Id$
+
+import socket
+import re
+
+class ip_address(object):
+
+ def __init__(self, text):
+ self.addr = socket.inet_pton(self.af, text)
+
+ def __str__(self):
+ return socket.inet_ntop(self.af, self.addr)
+
+ def __eq__(self, other):
+ return self.addr == other.addr
+
+ def __hash__(self):
+ return self.addr.__hash__()
+
+class ipv4_address(ip_address):
+ af = socket.AF_INET
+
+class ipv6_address(ip_address):
+ af = socket.AF_INET6
+
+class resource(object):
+ pass
+
+class asn(resource, long):
+ pass
+
+class ip_prefix(resource):
+
+ def __init__(self, addr, prefixlen):
+ self.addr = self.ac(addr)
+ self.prefixlen = prefixlen
+
+ def __str__(self):
+ return str(self.addr) + "/" + str(self.prefixlen)
+
+ def __eq__(self, other):
+ return self.addr == other.addr and self.prefixlen == other.prefixlen
+
+ def __hash__(self):
+ return self.addr.__hash__() + self.prefixlen.__hash__()
+
+class ipv4_prefix(ip_prefix):
+ ac = ipv4_address
+
+class ipv6_prefix(ip_prefix):
+ ac = ipv6_address
+
+class resource_range(resource):
+
+ def __init__(self, min, max):
+ assert isinstance(min, resource) and isinstance(max, resource)
+ self.min = min
+ self.max = max
+
+ def __str__(self):
+ return str(self.min) + "-" + str(self.max)
+
+ def __eq__(self, other):
+ return self.min == other.min and self.max == other.max
+
+ def __hash__(self):
+ return self.min.__hash__() + self.max.__hash__()
+
+class resource_set(set):
+
+ def __init__(self, *elts):
+ for e in elts:
+ assert isinstance(e, resource)
+ set.__init__(self, elts)
+
+ def __str__(self):
+ s = [i for i in self]
+ s.sort()
+ return "{" + ", ".join(map(str, s)) + "}"
+
+s = resource_set(ipv6_prefix("fe80::", 16), ipv4_prefix("10.0.0.44", 32), ipv4_prefix("10.3.0.44", 32))
+
+print s
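Review bot: `ip_address`, `ip_prefix` and `resource_range` each define `__eq__` without `__ne__`, and on the Python 2 interpreter this file targets (`print s`, `long`) `!=` does not fall back to the inverse of `__eq__`, so two equal prefixes compare unequal with `!=` while set membership treats them as the same object; add `def __ne__(self, other): return not self == other` to each class, or once on `resource`. None of the constructors validate input: `ip_prefix` accepts any `prefixlen`, including negative values, values beyond the address width, or ones that leave host bits set below the prefix length (the fixture in `encode-test.py` uses `10.0.0.77/16`), and `asn` accepts numbers outside the 32-bit range, so malformed resource sets are silently representable; `resource_range` relies on `assert`, which disappears under `-O`. `__eq__` also raises `AttributeError` when `other` is not a resource instead of returning `NotImplemented`, which breaks comparisons in mixed collections.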
diff --git a/scripts/Old/test-pow.py b/scripts/Old/test-pow.py
new file mode 100644
index 00000000..06827995
--- /dev/null
+++ b/scripts/Old/test-pow.py
@@ -0,0 +1,89 @@
+# $Id$
+
+import POW, POW.pkix, base64, rpki.ipaddrs, rpki.resource_set
+
+Alice_EE = """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+"""
+
+APNIC_Root = """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+"""
+
+alice = base64.b64decode(Alice_EE)
+apnic = base64.b64decode(APNIC_Root)
+
+verbose = True
+
+for der in (alice, apnic):
+ cert = POW.derRead(POW.X509_CERTIFICATE, der)
+ print cert.pprint()
+ cert = POW.pkix.Certificate()
+ cert.fromString(der)
+ if verbose:
+ for oid, crit, val in cert.getExtensions():
+ print " OID: ", oid, POW.pkix.oid2obj(oid)
+ print " Crit: ", crit
+ print " Value:", val
+ print
+ bag = rpki.resource_set.parse_extensions(cert.getExtensions())
+ if bag.as: print ",".join(map(lambda x: "AS:" + str(x), bag.as))
+ if bag.v4: print ",".join(map(lambda x: "IPv4:" + str(x), bag.v4))
+ if bag.v6: print ",".join(map(lambda x: "IPv6:" + str(x), bag.v6))
+ if bag.as is not None: print bag.as.to_tuple()
+ if bag.v4 is not None: print bag.v4.to_tuple()
+ if bag.v6 is not None: print bag.v6.to_tuple()
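Review bot: `bag.as` in the `if bag.as:` and `if bag.as is not None:` lines cannot be parsed on Python 2.6 or later, where `as` is a reserved word, so this test dies with a SyntaxError before a single line runs; use `getattr(bag, "as")` here or, better, rename the attribute on the `rpki.resource_set` side to something like `asn` and update these lines to match. The two base64 fixtures are elided in this view so I cannot check their contents, but anything named `APNIC_Root` that is a real CA certificate should carry a comment saying it is test data and must not be picked up as a trust anchor by anything importing this module. The script also has no `if __name__ == "__main__":` guard and runs its loop on import.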
diff --git a/scripts/Old/test-sql.py b/scripts/Old/test-sql.py
new file mode 100644
index 00000000..6357ed42
--- /dev/null
+++ b/scripts/Old/test-sql.py
@@ -0,0 +1,36 @@
+# $Id$
+
+import MySQLdb, rpki.config
+
+def test(filename, section):
+
+ print "[Checking " + filename + "]\n"
+
+ cfg = rpki.config.parser(filename)
+
+ db = MySQLdb.connect(user = cfg.get(section, "sql-username"),
+ db = cfg.get(section, "sql-database"),
+ passwd = cfg.get(section, "sql-password"))
+
+ cur = db.cursor()
+
+ def duh(db, cmd, header):
+ cur.execute(cmd)
+ print header
+ print "-" * len(header)
+ print cur.description
+ for i in cur.fetchall():
+ print i[0]
+ print
+
+ duh(db, "SHOW DATABASES", "Databases")
+ duh(db, "SELECT DATABASE()", "Current database")
+ duh(db, "SHOW TABLES", "Current tables")
+
+ db.close()
+
+print MySQLdb.Timestamp(2007,6,9,9,45,51), MySQLdb.DateFromTicks(1000), \
+ MySQLdb.Binary("Hi, Mom!"), MySQLdb.STRING, MySQLdb.BINARY, MySQLdb.NUMBER, MySQLdb.NULL, "\n"
+
+test("re.conf", "rpki")
+test("irbe.conf", "irdb")
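Review bot: `duh` takes a `db` argument it never uses and instead closes over the outer `cur`, and `db.close()` is skipped if any of the three queries raises, so a failing `SHOW TABLES` leaves the connection open; make the helper obtain `cur = db.cursor()` from its own argument and wrap the three calls in `try: ... finally: db.close()`. Reading `sql-password` from `re.conf`/`irbe.conf` is reasonable, but `MySQLdb.connect` is called without a `host`, so the script presumably relies on the library default of a local socket; state that in a comment rather than leaving it implicit, since a config pointing at a remote database would then fail in a non-obvious way. The module-level `print MySQLdb.Timestamp(...)` line is leftover exploration that runs on import and should be dropped or moved under a `__main__` guard.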
diff --git a/scripts/Old/uri.pl b/scripts/Old/uri.pl
new file mode 100644
index 00000000..cd029fec
--- /dev/null
+++ b/scripts/Old/uri.pl
@@ -0,0 +1,53 @@
+:
+# $Id$
+eval 'exec perl -w -S $0 ${1+"$@"}'
+ if 0;
+
+use strict;
+
+my $format = "DER";
+my $badsia = 0;
+
+while ($ARGV[0] =~ /^--/) {
+ $_ = shift;
+ if (/^--der/) { $format = "DER"; next }
+ if (/^--pem/) { $format = "PEM"; next }
+ if (/^--badsia/) { $badsia = 1; next }
+ if (/^--help/) {
+ print("$0 [ --der | --pem ] [ --badsia ] cert [ cert ...]\n");
+ exit;
+ }
+ die("Unrecognized option: $_");
+}
+
+while (@ARGV) {
+ my $file = shift(@ARGV);
+ my ($aia, $sia, $cdp, $a, $s, $c) = qw(- - -);
+ next unless ($file =~ /\.cer$/);
+ open(F, "-|", ( qw(openssl x509 -noout -inform), $format,
+ qw(-text -in), $file))
+ or die("Couldn't run openssl x509 on $file: $!\n");
+ while (<F>) {
+ chomp;
+ s{^.+URI:rsync://}{};
+ $a = $. + 1
+ if (/Authority Information Access:/);
+ $s = $. + 1
+ if (/Subject Information Access:/);
+ $c = $. + 1
+ if (/X509v3 CRL Distribution Points:/);
+ $aia = $_
+ if ($a && $. == $a);
+ $sia = $_
+ if ($s && $. == $s);
+ $cdp = $_
+ if ($c && $. == $c);
+ }
+ close(F);
+ if ($badsia) {
+ print("$file\n\t$sia\n")
+ if ($sia && $sia =~ m=[^/]$=);
+ } else {
+ print("$aia $sia $cdp $file\n");
+ }
+}
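Review bot: The option loop `while ($ARGV[0] =~ /^--/)` reads `$ARGV[0]` after the last option has been shifted off, so a command line consisting only of options (or an empty one) emits an uninitialized-value warning under `-w`; guard it with `while (@ARGV && $ARGV[0] =~ /^--/)`. The parse inside `while (<F>)` takes only the single line after each extension header and strips only an `rsync://` prefix, so a certificate with several access descriptions in its AIA or SIA, or one whose URI uses another scheme, reports the wrong value or the raw `-text` line, and `--badsia` then flags or misses it on that basis; a header comment should state the one-URI, rsync-only assumption, and the `$sia =~ m=[^/]$=` test should only run when `$sia` actually looks like a URI. The `/^--der/`-style prefix matches also accept misspellings such as `--derp`; anchor them with `$`.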