path: root/rpkid/left-right-schema.rnc
Commit history (date, commit message, author):

2014-04-05  Rob Austein
  Source tree reorg, phase 1. Almost everything moved, no file contents changed.
  svn path=/branches/tk685/; revision=5757

2014-04-04  Rob Austein
  Update copyrights.
  svn path=/branches/tk671/; revision=5746

2014-02-25  Rob Austein
  Router certificates working again after changes to get subject name out of the PKCS #10.
  svn path=/branches/tk671/; revision=5683

2014-02-25  Rob Austein
  Something broke MySQLdb on my laptop during a recent upgrade, and I have better things to do than shaving that particular yak today. So I'm committing untested changes (to a development branch that nobody but me is using) so I can test them on a working development platform.
  svn path=/branches/tk671/; revision=5682

2014-01-31  Rob Austein
  Checkpoint. Untested implementation of left-right <list_ee_certificate_requests/> PDU.
  svn path=/branches/tk671/; revision=5657

2012-07-06  Rob Austein
  Add control interface to clear CMS-timestamp-based replay protection, so we can recover from misconfigured clocks. Closes #265. Add child_handle attribute to <list_published_objects/> response. Closes #266.
  svn path=/trunk/; revision=4588

2012-02-17  Rob Austein
  Allow AS 0 in <roa_request/> objects. Closes #195.
  svn path=/trunk/; revision=4346

2011-03-21  Rob Austein
  First cut at Ghostbusters support.
  svn path=/rpkid/irdbd.sql; revision=3730

2011-03-18  Rob Austein
  Add @property decorators to a bunch of methods that are just syntactic sugar around cached SQL object fetches. Checkpoint of incomplete support for Ghostbusters records. Clean up a few extraneous imports.
  svn path=/rpkid/Makefile.in; revision=3725

2010-10-07  Rob Austein
  Nit in copyright comment
  svn path=/rpkid/left-right-schema.rnc; revision=3466

2010-10-07  Rob Austein
  Merge rpkid.without_tls/ branch to rpkid/ trunk.
  svn path=/rpkid/Makefile; revision=3465

2010-06-29  Rob Austein
  Add parent_handle to <list_received_resources/> reply PDU.
  svn path=/rpkid/irbe_cli.py; revision=3302

2010-03-16  Rob Austein
  Cleanup
  svn path=/rpkid/left-right-schema.rnc; revision=3109

2010-03-16  Rob Austein
  Add some missing copyright notices.
  svn path=/myrpki.rototill/examples/rsyncd.conf; revision=3108

2010-02-23  Rob Austein
  Doh, list of ASNs, not single ASN
  svn path=/rpkid/left-right-schema.rnc; revision=3000

2010-02-23  Rob Austein
  Sample XML
  svn path=/rpkid/left-right-protocol-samples.xml; revision=2999

2010-02-23  Rob Austein
  Add <list_received_resources/> (not yet tested)
  svn path=/rpkid/left-right-schema.rnc; revision=2995

2009-09-29  Rob Austein
  Add left-right "revoke_forgotten" command to clean up certs that the parent remembers but the child has forgotten.
  svn path=/rpkid/left-right-schema.rnc; revision=2793

2009-09-28  Rob Austein
  Add <list_published_objects/> PDU to left-right protocol, to support audit of what rpkid thinks should be published vs what really is.
  svn path=/rpkid/irbe_cli.py; revision=2790

2009-09-23  Rob Austein
  Collapse HTTPS and CMS BPKI certs for pubd, separation not needed
  svn path=/myrpki/myirbe.py; revision=2781

2009-06-09  Rob Austein
  Cleanup: get rid of <route_origin/> object
  svn path=/rpkid/README; revision=2511

2009-06-09  Rob Austein
  Convert ROA generation code from push model (<route_origin/> objects in rpkid) to pull model (IRDB for <list_roa_request/> queries). Still need to clean up old code, but new code seems to work properly.
  svn path=/rpkid/Makefile; revision=2510

2009-06-07  Rob Austein
  Checkpoint
  svn path=/rpkid/Makefile; revision=2500

2009-06-04  Rob Austein
  Rototill left-right and publication protocol to replace SQL-assigned numeric identifiers with IRBE-assigned "handles". Daemons and test harness have been converted and seem to work; some tools like irbe_cli haven't been updated yet.
  svn path=/rpkid/doc/Installation; revision=2493

2009-06-03  Rob Austein
  Checkpoint: first step towards cleanup of SQL and left-right protocol.
  svn path=/rpkid/doc/Installation; revision=2491

2009-05-10  Rob Austein
  Can't require self_id in <report_error/>, <self action="create"/> can't supply it.
  svn path=/rpkid/left-right-schema.rnc; revision=2416

2008-06-02  Rob Austein
  Add BPKI CRL to pubd's SQL database, and clean up a lot of redundant SAX code.
  svn path=/rpkid/irbe-cli.py; revision=1835

2008-05-22  Rob Austein
  Back out excessively fancy RelaxNG, per previous log message
  svn path=/rpkid/left-right-protocol-samples.xml; revision=1813

2008-05-22  Rob Austein
  Finally figured out how to write a RelaxNG schema that allows arbitrary XML to be passed within the <report_error/> element. This was the original intent, I just didn't know how to do it until now. Having finally figured out how to do this, am checking it in for posterity but will then revert to something simpler.
  svn path=/rpkid/left-right-protocol-samples.xml; revision=1812

2008-05-21  Rob Austein
  Get rid of extension_preferences (YAGNI!).
  svn path=/rpkid/irbe-cli.py; revision=1806

2008-05-21  Rob Austein
  Move left-right "type" attribute to <msg/> element because fixing this is easier than explaining why it was broken.
  svn path=/rpkid/irbe-cli.py; revision=1804

2008-05-18  Rob Austein
  Convert to generating new ROA format
  svn path=/rpkid/left-right-schema.rnc; revision=1800

2008-05-17  Rob Austein
  "as" will be a reserved word in Python 2.6, stop using it as an identifier.
  svn path=/rpkid/irdbd.py; revision=1798

2008-05-16  Rob Austein
  Clean up header comments
  svn path=/rpkid/left-right-schema.rnc; revision=1792

2008-05-16  Rob Austein
  Tighten up left-right schema checks
  svn path=/rpkid/left-right-protocol-samples.xml; revision=1788

2008-05-01  Rob Austein
  Simplify BSC and start adding BPKI CRL support; the latter doesn't work yet due to an apparent bug in OpenSSL (CMS_add0_crl() dumps core). If through some bizarre twist of fate we revive the idea of allowing CA certs in CMS messages, this is the change that will need to be (partly) backed out.
  svn path=/docs/left-right-xml; revision=1730

2008-04-25  Rob Austein
  New trust anchor model sort of working. make test runs again, anyway.
  svn path=/docs/left-right-xml; revision=1704

2008-04-24  Rob Austein
  Checkpoint. Partly converted to new BPKI model. This breaks make test, mostly because the cross-certification stuff isn't done yet.
  svn path=/docs/left-right-xml; revision=1701

2008-04-16  Rob Austein
  Rework ROA generation and maintenance.
  svn path=/docs/left-right-xml; revision=1668

2008-04-11  Rob Austein
  Checkpoint. ROA generation almost working, but not quite. This checkpoint breaks "make test", will be fixed shortly.
  svn path=/docs/left-right-xml; revision=1654

2008-04-09  Rob Austein
  First stage of rototill to support new trust anchor model.
  svn path=/docs/left-right-xml; revision=1640

2008-04-08  Rob Austein
  Per RobK, save generated BSC pkcs10_request in SQL and get rid of useless public_key field.
  svn path=/rpkid/Makefile; revision=1637

2008-02-27  Rob Austein
  Filename cleanup
  svn path=/rpkid/Makefile; revision=1531
# $Id$
#
# RelaxNG Schema for RPKI left-right protocol.
#
# libxml2 (including xmllint) only groks the XML syntax of RelaxNG, so
# run the compact syntax through trang to get XML syntax.
#
# Copyright (C) 2009-2011  Internet Systems Consortium ("ISC")
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
#
# Portions copyright (C) 2007-2008  American Registry for Internet Numbers ("ARIN")
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS.  IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.

default namespace = "http://www.hactrn.net/uris/rpki/left-right-spec/"

# Top level PDU

start = element msg {
  attribute version { xsd:positiveInteger { maxInclusive="1" } },
  ( (attribute type { "query" }, query_elt*) |
    (attribute type { "reply" }, reply_elt*) )
}

# PDUs allowed in a query
query_elt |= self_query
query_elt |= bsc_query
query_elt |= parent_query
query_elt |= child_query
query_elt |= repository_query
query_elt |= list_roa_requests_query
query_elt |= list_ghostbuster_requests_query
query_elt |= list_resources_query
query_elt |= list_published_objects_query
query_elt |= list_received_resources_query

# PDUs allowed in a reply
reply_elt |= self_reply
reply_elt |= bsc_reply
reply_elt |= parent_reply
reply_elt |= child_reply
reply_elt |= repository_reply
reply_elt |= list_resources_reply
reply_elt |= list_roa_requests_reply
reply_elt |= list_ghostbuster_requests_reply
reply_elt |= list_published_objects_reply
reply_elt |= list_received_resources_reply
reply_elt |= report_error_reply

# Tag attributes for bulk operations
tag = attribute tag { xsd:token {maxLength="1024" } }?

# Combinations of action and type attributes used in later definitions.
# The same patterns repeat in most of the elements in this protocol.
ctl_create  = attribute action { "create"  }, tag
ctl_set     = attribute action { "set"     }, tag
ctl_get     = attribute action { "get"     }, tag
ctl_list    = attribute action { "list"    }, tag
ctl_destroy = attribute action { "destroy" }, tag

# Base64 encoded DER stuff
base64 = xsd:base64Binary { maxLength="512000" }

# Base definition for all fields that are really just SQL primary indices
#sql_id = xsd:nonNegativeInteger

# ...except that fields containing SQL primary indices don't belong
# in this protocol, so they're turning into handles.
# Length restriction is a MySQL implementation issue.
# Handles are case-insensitive (because SQL is, among other reasons).
object_handle = xsd:string { maxLength="255" pattern="[\-_A-Za-z0-9]*" }

# URIs
uri = xsd:anyURI { maxLength="4096" }

# Name fields imported from up-down protocol
up_down_name = xsd:token { maxLength="1024" }

# Resource lists
asn_list  = xsd:string { maxLength="512000" pattern="[\-,0-9]*" }
ipv4_list = xsd:string { maxLength="512000" pattern="[\-,0-9/.]*" }
ipv6_list = xsd:string { maxLength="512000" pattern="[\-,0-9/:a-fA-F]*" }

# <self/> element

self_bool = (attribute rekey { "yes" }?,
             attribute reissue { "yes" }?,
             attribute revoke { "yes" }?,
             attribute run_now { "yes" }?,
             attribute publish_world_now { "yes" }?,
             attribute revoke_forgotten { "yes" }?)

self_payload = (attribute use_hsm { "yes" | "no" }?,
                attribute crl_interval { xsd:positiveInteger }?,
                attribute regen_margin { xsd:positiveInteger }?,
                element bpki_cert { base64 }?,
                element bpki_glue { base64 }?)

self_handle = attribute self_handle { object_handle }

self_query |= element self { ctl_create,  self_handle, self_bool, self_payload }
self_reply |= element self { ctl_create,  self_handle }
self_query |= element self { ctl_set,     self_handle, self_bool, self_payload }
self_reply |= element self { ctl_set,     self_handle }
self_query |= element self { ctl_get,     self_handle }
self_reply |= element self { ctl_get,     self_handle, self_payload }
self_query |= element self { ctl_list }
self_reply |= element self { ctl_list,    self_handle, self_payload }
self_query |= element self { ctl_destroy, self_handle }
self_reply |= element self { ctl_destroy, self_handle }

# <bsc/> element.  Key parameters hardwired for now.

bsc_bool = ((attribute generate_keypair { "yes" },
             attribute key_type { "rsa" }?,
             attribute hash_alg { "sha256" }?,
             attribute key_length { "2048" }?)?)

bsc_handle = attribute bsc_handle { object_handle }

bsc_payload = (element signing_cert { base64 }?,
               element signing_cert_crl { base64 }?)

bsc_pkcs10 = element pkcs10_request { base64 }?

bsc_query |= element bsc { ctl_create,  self_handle, bsc_handle, bsc_bool, bsc_payload }
bsc_reply |= element bsc { ctl_create,  self_handle, bsc_handle, bsc_pkcs10 }
bsc_query |= element bsc { ctl_set,     self_handle, bsc_handle, bsc_bool, bsc_payload }
bsc_reply |= element bsc { ctl_set,     self_handle, bsc_handle, bsc_pkcs10 }
bsc_query |= element bsc { ctl_get,     self_handle, bsc_handle }
bsc_reply |= element bsc { ctl_get,     self_handle, bsc_handle, bsc_payload, bsc_pkcs10 }
bsc_query |= element bsc { ctl_list,    self_handle }
bsc_reply |= element bsc { ctl_list,    self_handle, bsc_handle, bsc_payload, bsc_pkcs10 }
bsc_query |= element bsc { ctl_destroy, self_handle, bsc_handle }
bsc_reply |= element bsc { ctl_destroy, self_handle, bsc_handle }

# <parent/> element

parent_handle = attribute parent_handle { object_handle }

parent_bool = (attribute rekey { "yes" }?,
               attribute reissue { "yes" }?,
               attribute revoke { "yes" }?,
               attribute revoke_forgotten { "yes" }?)

parent_payload = (attribute peer_contact_uri { uri }?,
                  attribute sia_base { uri }?,
                  bsc_handle?,
                  repository_handle?,
                  attribute sender_name { up_down_name }?,
                  attribute recipient_name { up_down_name }?,
                  element bpki_cms_cert { base64 }?,
                  element bpki_cms_glue { base64 }?)

parent_query |= element parent { ctl_create,  self_handle, parent_handle, parent_bool, parent_payload }
parent_reply |= element parent { ctl_create,  self_handle, parent_handle }
parent_query |= element parent { ctl_set,     self_handle, parent_handle, parent_bool, parent_payload }
parent_reply |= element parent { ctl_set,     self_handle, parent_handle }
parent_query |= element parent { ctl_get,     self_handle, parent_handle }
parent_reply |= element parent { ctl_get,     self_handle, parent_handle, parent_payload }
parent_query |= element parent { ctl_list,    self_handle }
parent_reply |= element parent { ctl_list,    self_handle, parent_handle, parent_payload }
parent_query |= element parent { ctl_destroy, self_handle, parent_handle }
parent_reply |= element parent { ctl_destroy, self_handle, parent_handle }

# <child/> element

child_handle = attribute child_handle { object_handle }

child_bool = attribute reissue { "yes" }?

child_payload = (bsc_handle?,
                 element bpki_cert { base64 }?,
                 element bpki_glue { base64 }?)

child_query |= element child { ctl_create,  self_handle, child_handle, child_bool, child_payload }
child_reply |= element child { ctl_create,  self_handle, child_handle }
child_query |= element child { ctl_set,     self_handle, child_handle, child_bool, child_payload }
child_reply |= element child { ctl_set,     self_handle, child_handle }
child_query |= element child { ctl_get,     self_handle, child_handle }
child_reply |= element child { ctl_get,     self_handle, child_handle, child_payload }
child_query |= element child { ctl_list,    self_handle }
child_reply |= element child { ctl_list,    self_handle, child_handle, child_payload }
child_query |= element child { ctl_destroy, self_handle, child_handle }
child_reply |= element child { ctl_destroy, self_handle, child_handle }

# <repository/> element

repository_handle = attribute repository_handle { object_handle }

repository_payload = (attribute peer_contact_uri { uri }?,
                      bsc_handle?,
                      element bpki_cert { base64 }?,
                      element bpki_glue { base64 }?)

repository_query |= element repository { ctl_create,  self_handle, repository_handle, repository_payload }
repository_reply |= element repository { ctl_create,  self_handle, repository_handle }
repository_query |= element repository { ctl_set,     self_handle, repository_handle, repository_payload }
repository_reply |= element repository { ctl_set,     self_handle, repository_handle }
repository_query |= element repository { ctl_get,     self_handle, repository_handle }
repository_reply |= element repository { ctl_get,     self_handle, repository_handle, repository_payload }
repository_query |= element repository { ctl_list,    self_handle }
repository_reply |= element repository { ctl_list,    self_handle, repository_handle, repository_payload }
repository_query |= element repository { ctl_destroy, self_handle, repository_handle }
repository_reply |= element repository { ctl_destroy, self_handle, repository_handle }

# <list_resources/> element

list_resources_query = element list_resources {
  tag, self_handle, child_handle
}

list_resources_reply = element list_resources {
  tag, self_handle, child_handle,
  attribute valid_until { xsd:dateTime { pattern=".*Z" } },
  attribute asn { asn_list }?,
  attribute ipv4 { ipv4_list }?,
  attribute ipv6 { ipv6_list }?
}

# <list_roa_requests/> element

list_roa_requests_query = element list_roa_requests {
  tag, self_handle
}

list_roa_requests_reply = element list_roa_requests {
  tag, self_handle,
  attribute asn { xsd:positiveInteger },
  attribute ipv4 { ipv4_list }?,
  attribute ipv6 { ipv6_list }?
}

# <list_ghostbuster_requests/> element

list_ghostbuster_requests_query = element list_ghostbuster_requests {
  tag, self_handle, parent_handle
}

list_ghostbuster_requests_reply = element list_ghostbuster_requests {
  tag, self_handle, parent_handle,
  xsd:string
}

# <list_published_objects/> element

list_published_objects_query = element list_published_objects {
  tag, self_handle
}

list_published_objects_reply = element list_published_objects {
  tag, self_handle,
  attribute uri { uri },
  base64
}

# <list_received_resources/> element

list_received_resources_query = element list_received_resources {
  tag, self_handle
}

list_received_resources_reply = element list_received_resources {
  tag, self_handle, parent_handle,
  attribute notBefore { xsd:dateTime { pattern=".*Z" } },
  attribute notAfter { xsd:dateTime { pattern=".*Z" } },
  attribute uri { uri },
  attribute sia_uri { uri },
  attribute aia_uri { uri },
  attribute asn { asn_list }?,
  attribute ipv4 { ipv4_list }?,
  attribute ipv6 { ipv6_list }?
}

# <report_error/> element

error = xsd:token { maxLength="1024" }

report_error_reply = element report_error {
  tag, self_handle?,
  attribute error_code { error },
  xsd:string { maxLength="512000" }?
}

# Local Variables:
# indent-tabs-mode: nil
# End:
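The schema above fixes the lexical shape of every left-right PDU (which handle attributes each element carries, the character classes allowed in handles and resource lists, the requirement that dateTime attributes end in Z, that only <self action="list"/> and <report_error/> may omit self_handle), but it says nothing about how a client assembles a message or what a receiver can cheaply reject before running a full RelaxNG validation. The Python below is an added example written for this page, not code from rpki.net: it builds a version-1 query <msg/>, serializes it to the wire form, and checks the schema's datatype constraints on the parsed result. The helper names (build_msg, check_msg, roundtrip_errors), the handles Alice and Bob, and the sample PDUs are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Namespace from the schema's "default namespace" declaration.
NS = "http://www.hactrn.net/uris/rpki/left-right-spec/"
ET.register_namespace("", NS)   # serialize with a default xmlns, as the schema expects

# Lexical constraints lifted from the schema's datatype definitions.
HANDLE_RE = re.compile(r"[\-_A-Za-z0-9]*")       # object_handle pattern
HANDLE_MAX = 255                                  # object_handle maxLength
TAG_MAX = 1024                                    # tag attribute maxLength
LIST_MAX = 512000                                 # asn_list / ipv4_list / ipv6_list maxLength
LIST_RES = {
    "asn":  re.compile(r"[\-,0-9]*"),
    "ipv4": re.compile(r"[\-,0-9/.]*"),
    "ipv6": re.compile(r"[\-,0-9/:a-fA-F]*"),
}
DATETIME_ATTRS = ("valid_until", "notBefore", "notAfter")   # xsd:dateTime { pattern=".*Z" }
ACTIONS = ("create", "set", "get", "list", "destroy")       # ctl_* definitions
ACTION_ELEMENTS = ("self", "bsc", "parent", "child", "repository")
HANDLE_ATTRS = ("self_handle", "bsc_handle", "parent_handle",
                "child_handle", "repository_handle")


def q(local):
    """Clark-notation name for an element in the left-right namespace."""
    return "{%s}%s" % (NS, local)


def build_msg(msg_type, pdus):
    """Wrap (element_name, attrs) pairs in a version-1 <msg/> of the given type."""
    msg = ET.Element(q("msg"), {"version": "1", "type": msg_type})
    for local, attrs in pdus:
        ET.SubElement(msg, q(local), attrs)
    return msg


def check_msg(msg):
    """Return a list of schema-constraint violations; an empty list means the PDU passed."""
    if msg.tag != q("msg"):
        return ["root element is %r, not left-right <msg/>" % msg.tag]
    errors = []
    if msg.get("version") != "1":
        errors.append("version must be 1 (maxInclusive=1)")
    if msg.get("type") not in ("query", "reply"):
        errors.append("type must be 'query' or 'reply'")
    for pdu in msg:
        local = pdu.tag.split("}")[-1]
        action = pdu.get("action")
        if local in ACTION_ELEMENTS and action not in ACTIONS:
            errors.append("%s: action must be one of %s" % (local, ", ".join(ACTIONS)))
        # Only <self action="list"/> and <report_error/> may omit self_handle.
        needs_self = not (local == "report_error" or (local == "self" and action == "list"))
        if needs_self and pdu.get("self_handle") is None:
            errors.append("%s: self_handle is required" % local)
        for attr, value in pdu.attrib.items():
            if attr in HANDLE_ATTRS:
                if len(value) > HANDLE_MAX or not HANDLE_RE.fullmatch(value):
                    errors.append("%s: %s=%r violates object_handle" % (local, attr, value))
            elif attr == "tag" and len(value) > TAG_MAX:
                errors.append("%s: tag longer than %d" % (local, TAG_MAX))
            elif attr in LIST_RES:
                if len(value) > LIST_MAX or not LIST_RES[attr].fullmatch(value):
                    errors.append("%s: %s=%r violates %s_list" % (local, attr, value, attr))
            elif attr in DATETIME_ATTRS and not value.endswith("Z"):
                errors.append("%s: %s must be UTC (pattern .*Z)" % (local, attr))
    return errors


def roundtrip_errors(msg):
    """Serialize to the wire form, parse it back, and check the parsed document."""
    return check_msg(ET.fromstring(ET.tostring(msg)))


# Constructed sample: create a <self/> and ask which resources one child holds.
GOOD = build_msg("query", [
    ("self", {"action": "create", "self_handle": "Alice", "run_now": "yes"}),
    ("list_resources", {"tag": "req-1", "self_handle": "Alice", "child_handle": "Bob"}),
])

# Constructed sample whose child_handle contains '.' and ' ', which object_handle rejects.
BAD = build_msg("query", [
    ("child", {"action": "create", "self_handle": "Alice", "child_handle": "bob.example net"}),
    ("list_roa_requests", {"self_handle": "Alice"}),
])

if __name__ == "__main__":
    print(ET.tostring(GOOD).decode())
    print("good:", check_msg(GOOD))
    print("bad: ", check_msg(BAD))
```

These checks are a pre-filter, not a validator: accepting a message still requires the RelaxNG step, which, as the header comment notes, means converting the compact syntax with trang first because libxml2 only reads the XML syntax. The schema also constrains only the XML payload; whatever authenticity and replay protection the left-right channel gets comes from the CMS wrapping and BPKI certificates referred to in the commit log, which this code does not examine.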