From d8eb94e6f5d7f23d1c208339052587647f60416d Mon Sep 17 00:00:00 2001
From: Rob Austein
Date: Mon, 7 Apr 2014 02:58:47 +0000
Subject: RP cleanup and test rules. svn path=/branches/tk685/; revision=5759
---
rp/rcynic/rcynic-cron | 2 ++
rp/rcynic/rcynic-html | 2 ++
rp/rcynic/rcynic-svn | 2 ++
rp/rcynic/rcynic-text | 2 ++
rp/rcynic/rpki-torrent.py | 4 +--
rp/rcynic/validation_status | 2 ++
rp/utils/Makefile.in | 36 ++++++++++++++++++-----
rp/utils/scan_routercerts | 69 ++++++++++++++++++++++++++++++++++++++++++++
rp/utils/scan_routercerts.py | 69 --------------------------------------------
9 files changed, 109 insertions(+), 79 deletions(-)
create mode 100755 rp/utils/scan_routercerts
delete mode 100755 rp/utils/scan_routercerts.py
(limited to 'rp')
diff --git a/rp/rcynic/rcynic-cron b/rp/rcynic/rcynic-cron
index 4da1d5cd..73368e0d 100755
--- a/rp/rcynic/rcynic-cron
+++ b/rp/rcynic/rcynic-cron
@@ -1,3 +1,5 @@
+#!/usr/bin/env python
+#
 # $Id$
 #
 # Copyright (C) 2014 Dragon Research Labs ("DRL")
diff --git a/rp/rcynic/rcynic-html b/rp/rcynic/rcynic-html
index 6070cd13..a7de2291 100755
--- a/rp/rcynic/rcynic-html
+++ b/rp/rcynic/rcynic-html
@@ -1,3 +1,5 @@
+#!/usr/bin/env python
+#
 # $Id$
 #
 # Copyright (C) 2013--2014 Dragon Research Labs ("DRL")
diff --git a/rp/rcynic/rcynic-svn b/rp/rcynic/rcynic-svn
index fd0df500..c667ec4a 100755
--- a/rp/rcynic/rcynic-svn
+++ b/rp/rcynic/rcynic-svn
@@ -1,3 +1,5 @@
+#!/usr/bin/env python
+#
 # $Id$
 #
 # Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
diff --git a/rp/rcynic/rcynic-text b/rp/rcynic/rcynic-text
index a8e56dac..c837e88b 100755
--- a/rp/rcynic/rcynic-text
+++ b/rp/rcynic/rcynic-text
@@ -1,3 +1,5 @@
+#!/usr/bin/env python
+#
 # $Id$
 #
 # Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
diff --git a/rp/rcynic/rpki-torrent.py b/rp/rcynic/rpki-torrent.py
index 9b97f298..cc0798e7 100644
--- a/rp/rcynic/rpki-torrent.py
+++ b/rp/rcynic/rpki-torrent.py
@@ -1,5 +1,5 @@
-#!/usr/local/bin/python
-
+#!/usr/bin/env python
+#
 # $Id$
 #
 # Copyright (C) 2013--2014 Dragon Research Labs ("DRL")
diff --git a/rp/rcynic/validation_status b/rp/rcynic/validation_status
index 1f7a704d..1ff17e75 100755
--- a/rp/rcynic/validation_status
+++ b/rp/rcynic/validation_status
@@ -1,3 +1,5 @@
+#!/usr/bin/env python
+#
 # $Id$
 #
 # Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
diff --git a/rp/utils/Makefile.in b/rp/utils/Makefile.in
index 03c041a4..137230b4 100644
--- a/rp/utils/Makefile.in
+++ b/rp/utils/Makefile.in
@@ -25,22 +25,19 @@ BINS = find_roa hashdir print_rpki_manifest print_roa scan_roas uri SCRIPTS = scan_routercerts -all: ${BINS} +all:: ${BINS} -clean: +clean:: rm -rf ${BINS} *.o *.dSYM -test: - @true - -install: all +install:: all if test -d ${DESTDIR}${bindir} ; then :; else ${INSTALL} -d ${DESTDIR}${bindir}; fi ${INSTALL} ${BINS} ${SCRIPTS} ${DESTDIR}${bindir} -deinstall uninstall: +deinstall uninstall:: for i in ${BINS} ${SCRIPTS}; do rm -f ${DESTDIR}${bindir}/$$i; done -distclean: clean +distclean:: clean rm -f Makefile find_roa: find_roa.c
@@ -60,3 +57,26 @@ scan_roas: scan_roas.c uri: uri.c ${CC} ${CFLAGS} -o $@ uri.c ${LDFLAGS} ${LIBS} + +# Tests + +RSYNC_AUTH_DIR = ${abs_top_builddir}/rp/rcynic/rcynic-data/authenticated +HASHDIR_OUTPUT = hashed-pem-dir +TARGET_PREFIXES = 10.3.0.44 10.2.0.6 10.0.0.0/24 + +test:: ${BINS} ${SCRIPTS} + if test -d ${RSYNC_AUTH_DIR}; \ + then \ + rm -rf ${HASHDIR_OUTPUT} ; \ + mkdir ${HASHDIR_OUTPUT} ; \ + ./hashdir ${RSYNC_AUTH_DIR} ${HASHDIR_OUTPUT}; \ + ./find_roa ${RSYNC_AUTH_DIR} ${TARGET_PREFIXES} ; \ + date -u +'now: %Y%m%d%H%M%SZ' || : ; \ + find ${RSYNC_AUTH_DIR} -type f -name '*.roa' -print -exec ./print_roa {} \; ; \ + find ${RSYNC_AUTH_DIR} -type f -name '*.mft' -print -exec ./print_rpki_manifest {} \; ; \ + ./scan_roas ${RSYNC_AUTH_DIR} ; \ + ./scan_routercerts ${RSYNC_AUTH_DIR} ; \ + fi + +clean:: + rm -rf ${HASHDIR_OUTPUT}
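Review bot: The new `test::` recipe in the second Makefile.in hunk can hardly ever fail: the commands inside the `if` are joined with `;`, so the recipe's status is that of the last command, `./scan_routercerts`, and a non-zero exit from `./hashdir`, `./find_roa` or `./scan_roas` is discarded. That last command is also the script this commit adds with `sys.exit(0)` on `ImportError`, so it reports success even when it did nothing. When `${RSYNC_AUTH_DIR}` does not exist the whole body is skipped and `make test` still succeeds, which reads as a pass for validation tools that were never run. Opening the recipe with `set -e; \` and adding `else echo "test skipped: ${RSYNC_AUTH_DIR} not found"; \` before `fi` would make both cases visible. The directory variable is also expanded unquoted, so a build path containing spaces would split the arguments to `find` and the scan tools; writing `"${RSYNC_AUTH_DIR}"` avoids that.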
diff --git a/rp/utils/scan_routercerts b/rp/utils/scan_routercerts
new file mode 100755
index 00000000..342fa272
--- /dev/null
+++ b/rp/utils/scan_routercerts
@@ -0,0 +1,69 @@
+#!/usr/bin/env python
+# $Id$
+#
+# Copyright (C) 2014 Dragon Research Labs ("DRL")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND DRL DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL DRL BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+"""
+Scan rcynic validated output looking for router certificates, print
+out stuff that the rpki-rtr code cares about.
+"""
+
+# This program represents a weird temporary state, mostly to avoid
+# diving into a recursive yak shaving exercise.
+#
+# Under the old scheme, anything used by the RP code should be either
+# C code or pure Python code using just the standard libraries. This
+# has gotten silly, but we haven't yet refactored the current packaged
+# builds from two packages into three (adding a -libs package).
+#
+# So, by rights, this program should be a C monstrosity written using
+# the OpenSSL C API. I started coding it that way, but it was just
+# too painful for something we're probably going to rewrite as a few
+# lines of Python once we refactor, but by the same token I didn't
+# want to delay router certificate support until the refactoring.
+#
+# So this program anticipates the new scheme of things, but makes one
+# concession to current reality: if it has a problem importing the
+# RPKI-specific libraries, it just quietly exits as if everything were
+# fine and there simply are no router certificates to report. This
+# isn't the right answer in the long run, but will suffice to avoid
+# further bald yaks.
+
+import os
+import sys
+import base64
+
+try:
+ import rpki.POW
+ import rpki.oids
+except ImportError:
+ sys.exit(0)
+
+rcynic_dir = sys.argv[1]
+
+for root, dirs, files in os.walk(rcynic_dir):
+ for fn in files:
+ if not fn.endswith(".cer"):
+ continue
+ x = rpki.POW.X509.derReadFile(os.path.join(root, fn))
+
+ if rpki.oids.id_kp_bgpsec_router not in (x.getEKU() or ()):
+ continue
+
+ sys.stdout.write(base64.urlsafe_b64encode(x.getSKI()).rstrip("="))
+ for min_asn, max_asn in x.getRFC3779()[0]:
+ for asn in xrange(min_asn, max_asn + 1):
+ sys.stdout.write(" %s" % asn)
+ sys.stdout.write(" %s\n" % base64.b64encode(x.getPublicKey().derWritePublic()))
diff --git a/rp/utils/scan_routercerts.py b/rp/utils/scan_routercerts.py
deleted file mode 100755
index 342fa272..00000000
--- a/rp/utils/scan_routercerts.py
+++ /dev/null
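Review bot: Each output record in the `os.walk` loop of the new `rp/utils/scan_routercerts` is emitted through several `sys.stdout.write` calls, so an exception partway through leaves a truncated line on stdout for the rpki-rtr consumer and aborts the scan of every remaining certificate. One likely trigger is `x.getRFC3779()[0]` not being iterable when a certificate carries no AS resources, which is presumably possible but not visible here. The `xrange(min_asn, max_asn + 1)` expansion is also unbounded: the ranges come from certificate content, and a single certificate with a wide AS range would produce an enormous line. Building the record in a list, bounding the ASN count and writing the line once keeps the output well-formed; the limit below is a constructed value, not one taken from the project.

```python
MAX_ASNS_PER_CERT = 1024  # constructed limit; choose what the rpki-rtr side can accept

# … unchanged: imports, os.walk loop, .cer filter, derReadFile, EKU check …

        asn_ranges = x.getRFC3779()[0] or ()
        asn_count = sum(hi - lo + 1 for lo, hi in asn_ranges)
        if asn_count == 0 or asn_count > MAX_ASNS_PER_CERT:
            sys.stderr.write("%s: skipping, %d ASNs\n" % (os.path.join(root, fn), asn_count))
            continue

        fields = [base64.urlsafe_b64encode(x.getSKI()).rstrip("=")]
        fields.extend(str(asn) for lo, hi in asn_ranges for asn in xrange(lo, hi + 1))
        fields.append(base64.b64encode(x.getPublicKey().derWritePublic()))
        sys.stdout.write(" ".join(fields) + "\n")
```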
@@ -1,69 +0,0 @@
-#!/usr/bin/env python
-# $Id$
-#
-# Copyright (C) 2014 Dragon Research Labs ("DRL")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND DRL DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL DRL BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-"""
-Scan rcynic validated output looking for router certificates, print
-out stuff that the rpki-rtr code cares about.
-"""
-
-# This program represents a weird temporary state, mostly to avoid
-# diving into a recursive yak shaving exercise.
-#
-# Under the old scheme, anything used by the RP code should be either
-# C code or pure Python code using just the standard libraries. This
-# has gotten silly, but we haven't yet refactored the current packaged
-# builds from two packages into three (adding a -libs package).
-#
-# So, by rights, this program should be a C monstrosity written using
-# the OpenSSL C API. I started coding it that way, but it was just
-# too painful for something we're probably going to rewrite as a few
-# lines of Python once we refactor, but by the same token I didn't
-# want to delay router certificate support until the refactoring.
-#
-# So this program anticipates the new scheme of things, but makes one
-# concession to current reality: if it has a problem importing the
-# RPKI-specific libraries, it just quietly exits as if everything were
-# fine and there simply are no router certificates to report. This
-# isn't the right answer in the long run, but will suffice to avoid
-# further bald yaks.
-
-import os
-import sys
-import base64
-
-try:
- import rpki.POW
- import rpki.oids
-except ImportError:
- sys.exit(0)
-
-rcynic_dir = sys.argv[1]
-
-for root, dirs, files in os.walk(rcynic_dir):
- for fn in files:
- if not fn.endswith(".cer"):
- continue
- x = rpki.POW.X509.derReadFile(os.path.join(root, fn))
-
- if rpki.oids.id_kp_bgpsec_router not in (x.getEKU() or ()):
- continue
-
- sys.stdout.write(base64.urlsafe_b64encode(x.getSKI()).rstrip("="))
- for min_asn, max_asn in x.getRFC3779()[0]:
- for asn in xrange(min_asn, max_asn + 1):
- sys.stdout.write(" %s" % asn)
- sys.stdout.write(" %s\n" % base64.b64encode(x.getPublicKey().derWritePublic()))
-- 
cgit v1.2.3