From 14a9628f0552d3818cd58fb085e7544cdbb3b5eb Mon Sep 17 00:00:00 2001 From: Rob Austein Date: Wed, 3 Aug 2016 18:27:49 +0000 Subject: Dump of rpki.net Wiki, to capture content not linked into the manual. --- doc/wiki-dump/doc%2FRPKI%2FUtils | 179 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 179 insertions(+) create mode 100644 doc/wiki-dump/doc%2FRPKI%2FUtils (limited to 'doc/wiki-dump/doc%2FRPKI%2FUtils') diff --git a/doc/wiki-dump/doc%2FRPKI%2FUtils b/doc/wiki-dump/doc%2FRPKI%2FUtils new file mode 100644 index 00000000..59ae491d --- /dev/null +++ b/doc/wiki-dump/doc%2FRPKI%2FUtils 
@@ -0,0 +1,179 @@ += RPKI utility programs = + +[[TracNav(doc/RPKI/TOC)]] + +The distribution contains a few small utility programs. Most of these +are nominally relying party tools, but work at a low enough level that +they may also be useful in diagnosing CA problems. + +Unless otherwise specified, all of these tools expect RPKI objects +(certificates, CRLs, CMS signed objects) to be in DER format. + +Several of these tools accept an `rcynic_directory` argument. Which +directory to specify here depends on what you're trying to do, but if +you're just trying to look at authenticated data in your RP cache, and +assuming you've installed everything in the default locations, the +directory you want is probably `/var/rcynic/data/authenticated`. + +== uri == + +`uri` is a utility program to extract URIs from the SIA, AIA, and +CRLDP extensions of one or more X.509v3 certificates, either specified +directly or as CMS objects containing X.509v3 certificates within the +CMS wrapper. + +Usage: + +{{{ +#!sh +$ uri [-h | --help] [-s | --single-line] cert [cert...] +}}} + + `-h --help`:: + Show help + `-s --single-line`:: + Single output line per input file + `cert`:: + Object(s) to examine + +== hashdir == + +`hashdir` copies an authenticated result tree from an rcynic run into +the format expected by most OpenSSL-based programs: a collection of +"PEM" format files with names in the form that OpenSSL's `-CApath` +lookup routines expect. This can be useful for validating RPKI +objects which are not distributed as part of the repository system. + +Usage: + +{{{ +#!sh +$ hashdir [-h | --help] [-v | --verbose] rcynic_directory output_directory +}}} + + `-h --help`:: + Show help + `-v --verbose`:: + Whistle while you work + `rcynic_directory`:: + rcynic authenticated output tree + `output_directory`:: + Output directory to create + +== print_rpki_manifest == + +`print_rpki_manifest` pretty-prints the content of a manifest. It +does //NOT// attempt to verify the signature. 
+ +Usage: + +{{{ +#!sh +$ print_rpki_manifest [-h | --help] [-c | --cms] manifest [manifest...] +}}} + + `-h --help`:: + Show help + `-c --cms`:: + Print text representation of entire CMS blob + `manifest`:: + Manifest(s) to print + +== print_roa == + +`print_roa` pretty-prints the content of a ROA. It does //NOT// +attempt to verify the signature. + +Usage: + +{{{ +#!sh +$ print_roa [-h | --help] [-b | --brief] [-c | --cms] [-s | --signing-time] ROA [ROA...] +}}} + + `-h --help`:: + Show help + `-b --brief`:: + Brief mode (only show ASN and prefix) + `-c --cms`:: + Print text representation of entire CMS blob + `-s --signing-time`:: + Show CMS signingTime + `ROA`:: + ROA object(s) to print + +== find_roa == + +`find_roa` searches the authenticated result tree from an rcynic run +for ROAs matching specified prefixes. + +Usage: + +{{{ +#!sh +$ find_roa [-h | --help] [-a | --all] + [-m | --match-maxlength ] [-f | --show-filenames] + [-i | --show-inception] [-e | --show-expiration] + authtree [prefix...] +}}} + + `-h --help`:: + Show help + `-a --all`:: + Show all ROAs, do no prefix matching at all + `-e --show-expiration`:: + Show ROA chain expiration dates + `-f --show-filenames`:: + Show filenames instead of URIs + `-i --show-inception`:: + Show inception dates + `-m -match-maxlength`:: + Pay attention to maxLength values + `authtree`:: + rcynic authenticated output tree + `prefix`:: + ROA prefix(es) to on which to match + +== scan_roas == + +`scan_roas` searchs the authenticated result tree from an rcynic +run for ROAs, and prints out the signing time, ASN, and prefixes for +each ROA, one ROA per line. + +Other programs such as the [[RP/rpki-rtr|rpki-rtr client]] use +`scan_roas` to extract the validated ROA payload after an rcynic +validation run. + +Usage: + +{{{ +#!sh +$ scan_roas [-h | --help] rcynic_directory [rcynic_directory...] 
+}}} + + `-h --help`:: + Show help + `rcynic_directory`:: + rcynic authenticated output tree + +== scan_routercerts == + +`scan_routercerts` searchs the authenticated result tree from an +rcynic run for BGPSEC router certificates, and prints out data of +interest to the rpki-rtr code. + +Other programs such as the [[RP/rpki-rtr|rpki-rtr client]] use +`scan_routercerts` to extract the validated ROA payload after an +rcynic validation run. + +Usage: + +{{{ +#!sh +$ scan_routercerts [-h | --help] rcynic_directory [rcynic_directory...] +}}} + + `-h --help`:: + Show help + `rcynic_directory`:: + rcynic authenticated output tree -- cgit v1.2.3
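Review bot: the second paragraph under `== scan_routercerts ==` near the end of the hunk is a stale copy of the `scan_roas` paragraph and still says the rpki-rtr client uses `scan_routercerts` "to extract the validated ROA payload after an rcynic validation run", which contradicts the tool's own description two lines earlier (it prints data from BGPSEC router certificates, not ROAs); suggest rewording to "to extract the validated router certificate data after an rcynic validation run". Smaller points in the same hunk: in the `find_roa` option list, `-m -match-maxlength` has a single dash while the usage line above it shows `--match-maxlength`; the `prefix` description "ROA prefix(es) to on which to match" should read "ROA prefix(es) on which to match"; and `searchs` in the `scan_roas` and `scan_routercerts` descriptions should be `searches`.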