From fe0bf509f528dbdc50c7182f81057c6a4e15e4bd Mon Sep 17 00:00:00 2001 From: Rob Austein Date: Sat, 5 Apr 2014 22:42:12 +0000 Subject: Source tree reorg, phase 1. Almost everything moved, no file contents changed. svn path=/branches/tk685/; revision=5757 --- schemas/relaxng/left-right-schema.rnc | 323 ++++++++ schemas/relaxng/left-right-schema.rng | 1089 +++++++++++++++++++++++++ schemas/relaxng/myrpki.rnc | 164 ++++ schemas/relaxng/myrpki.rng | 379 +++++++++ schemas/relaxng/publication-schema.rnc | 137 ++++ schemas/relaxng/publication-schema.rng | 574 +++++++++++++ schemas/relaxng/router-certificate-schema.rnc | 61 ++ schemas/relaxng/router-certificate-schema.rng | 98 +++ schemas/relaxng/up-down-schema.rnc | 113 +++ schemas/relaxng/up-down-schema.rng | 277 +++++++ schemas/sql/pubd.sql | 59 ++ schemas/sql/rpkid.sql | 250 ++++++ 12 files changed, 3524 insertions(+) create mode 100644 schemas/relaxng/left-right-schema.rnc create mode 100644 schemas/relaxng/left-right-schema.rng create mode 100644 schemas/relaxng/myrpki.rnc create mode 100644 schemas/relaxng/myrpki.rng create mode 100644 schemas/relaxng/publication-schema.rnc create mode 100644 schemas/relaxng/publication-schema.rng create mode 100644 schemas/relaxng/router-certificate-schema.rnc create mode 100644 schemas/relaxng/router-certificate-schema.rng create mode 100644 schemas/relaxng/up-down-schema.rnc create mode 100644 schemas/relaxng/up-down-schema.rng create mode 100644 schemas/sql/pubd.sql create mode 100644 schemas/sql/rpkid.sql (limited to 'schemas') diff --git a/schemas/relaxng/left-right-schema.rnc b/schemas/relaxng/left-right-schema.rnc new file mode 100644 index 00000000..b46adeb5 --- /dev/null +++ b/schemas/relaxng/left-right-schema.rnc 
@@ -0,0 +1,323 @@
+# $Id$
+#
+# RelaxNG schema for RPKI left-right protocol.
+#
+# Copyright (C) 2012--2014 Dragon Research Labs ("DRL")
+# Portions copyright (C) 2009--2011 Internet Systems Consortium ("ISC")
+# Portions copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notices and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND DRL, ISC, AND ARIN DISCLAIM ALL
+# WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DRL,
+# ISC, OR ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+# CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+# OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+default namespace = "http://www.hactrn.net/uris/rpki/left-right-spec/"
+
+# Top level PDU
+
+start = element msg {
+ attribute version { xsd:positiveInteger { maxInclusive="1" } },
+ ( (attribute type { "query" }, query_elt*) |
+ (attribute type { "reply" }, reply_elt*) )
+}
+
+# PDUs allowed in a query
+query_elt |= self_query
+query_elt |= bsc_query
+query_elt |= parent_query
+query_elt |= child_query
+query_elt |= repository_query
+query_elt |= list_roa_requests_query
+query_elt |= list_ghostbuster_requests_query
+query_elt |= list_ee_certificate_requests_query
+query_elt |= list_resources_query
+query_elt |= list_published_objects_query
+query_elt |= list_received_resources_query
+
+# PDUs allowed in a reply
+reply_elt |= self_reply
+reply_elt |= bsc_reply
+reply_elt |= parent_reply
+reply_elt |= child_reply
+reply_elt |= repository_reply
+reply_elt |= list_resources_reply
+reply_elt |= list_roa_requests_reply
+reply_elt |= list_ghostbuster_requests_reply
+reply_elt |= list_ee_certificate_requests_reply
+reply_elt |= list_published_objects_reply
+reply_elt |= list_received_resources_reply
+reply_elt |= report_error_reply
+
+# Tag attributes for bulk operations
+tag = attribute tag { xsd:token {maxLength="1024" } }?
+
+# Combinations of action and type attributes used in later definitions.
+# The same patterns repeat in most of the elements in this protocol.
+ctl_create = attribute action { "create" }, tag
+ctl_set = attribute action { "set" }, tag
+ctl_get = attribute action { "get" }, tag
+ctl_list = attribute action { "list" }, tag
+ctl_destroy = attribute action { "destroy" }, tag
+
+# Base64 encoded DER stuff
+base64 = xsd:base64Binary { maxLength="512000" }
+
+# Base definition for all fields that are really just SQL primary indices
+#sql_id = xsd:nonNegativeInteger
+
+# ...except that fields containing SQL primary indicies don't belong
+# in this protocol, so they're turninging into handles.
+# Length restriction is a MySQL implementation issue.
+# Handles are case-insensitive (because SQL is, among other reasons).
+object_handle = xsd:string { maxLength="255" pattern="[\-_A-Za-z0-9]+" }
+
+# URIs
+uri = xsd:anyURI { maxLength="4096" }
+
+# Name fields imported from up-down protocol
+up_down_name = xsd:token { maxLength="1024" }
+
+# Resource lists
+asn_list = xsd:string { maxLength="512000" pattern="[\-,0-9]*" }
+ipv4_list = xsd:string { maxLength="512000" pattern="[\-,0-9/.]*" }
+ipv6_list = xsd:string { maxLength="512000" pattern="[\-,0-9/:a-fA-F]*" }
+
+# element
+
+self_bool = (attribute rekey { "yes" }?,
+ attribute reissue { "yes" }?,
+ attribute revoke { "yes" }?,
+ attribute run_now { "yes" }?,
+ attribute publish_world_now { "yes" }?,
+ attribute revoke_forgotten { "yes" }?,
+ attribute clear_replay_protection { "yes" }?)
+
+self_payload = (attribute use_hsm { "yes" | "no" }?,
+ attribute crl_interval { xsd:positiveInteger }?,
+ attribute regen_margin { xsd:positiveInteger }?,
+ element bpki_cert { base64 }?,
+ element bpki_glue { base64 }?)
+
+self_handle = attribute self_handle { object_handle }
+
+self_query |= element self { ctl_create, self_handle, self_bool, self_payload }
+self_reply |= element self { ctl_create, self_handle }
+self_query |= element self { ctl_set, self_handle, self_bool, self_payload }
+self_reply |= element self { ctl_set, self_handle }
+self_query |= element self { ctl_get, self_handle }
+self_reply |= element self { ctl_get, self_handle, self_payload }
+self_query |= element self { ctl_list }
+self_reply |= element self { ctl_list, self_handle, self_payload }
+self_query |= element self { ctl_destroy, self_handle }
+self_reply |= element self { ctl_destroy, self_handle }
+
+# element. Key parameters hardwired for now.
+
+bsc_bool = ((attribute generate_keypair { "yes" },
+ attribute key_type { "rsa" }?,
+ attribute hash_alg { "sha256" }?,
+ attribute key_length { "2048" }?)?)
+
+bsc_handle = attribute bsc_handle { object_handle }
+
+bsc_payload = (element signing_cert { base64 }?,
+ element signing_cert_crl { base64 }?)
+
+bsc_readonly = element pkcs10_request { base64 }?
+
+bsc_query |= element bsc { ctl_create, self_handle, bsc_handle, bsc_bool, bsc_payload }
+bsc_reply |= element bsc { ctl_create, self_handle, bsc_handle, bsc_readonly }
+bsc_query |= element bsc { ctl_set, self_handle, bsc_handle, bsc_bool, bsc_payload }
+bsc_reply |= element bsc { ctl_set, self_handle, bsc_handle, bsc_readonly }
+bsc_query |= element bsc { ctl_get, self_handle, bsc_handle }
+bsc_reply |= element bsc { ctl_get, self_handle, bsc_handle, bsc_payload, bsc_readonly }
+bsc_query |= element bsc { ctl_list, self_handle }
+bsc_reply |= element bsc { ctl_list, self_handle, bsc_handle, bsc_payload, bsc_readonly }
+bsc_query |= element bsc { ctl_destroy, self_handle, bsc_handle }
+bsc_reply |= element bsc { ctl_destroy, self_handle, bsc_handle }
+
+# element
+
+parent_handle = attribute parent_handle { object_handle }
+
+parent_bool = (attribute rekey { "yes" }?,
+ attribute reissue { "yes" }?,
+ attribute revoke { "yes" }?,
+ attribute revoke_forgotten { "yes" }?,
+ attribute clear_replay_protection { "yes" }?)
+
+parent_payload = (attribute peer_contact_uri { uri }?,
+ attribute sia_base { uri }?,
+ bsc_handle?,
+ repository_handle?,
+ attribute sender_name { up_down_name }?,
+ attribute recipient_name { up_down_name }?,
+ element bpki_cms_cert { base64 }?,
+ element bpki_cms_glue { base64 }?)
+
+parent_query |= element parent { ctl_create, self_handle, parent_handle, parent_bool, parent_payload }
+parent_reply |= element parent { ctl_create, self_handle, parent_handle }
+parent_query |= element parent { ctl_set, self_handle, parent_handle, parent_bool, parent_payload }
+parent_reply |= element parent { ctl_set, self_handle, parent_handle }
+parent_query |= element parent { ctl_get, self_handle, parent_handle }
+parent_reply |= element parent { ctl_get, self_handle, parent_handle, parent_payload }
+parent_query |= element parent { ctl_list, self_handle }
+parent_reply |= element parent { ctl_list, self_handle, parent_handle, parent_payload }
+parent_query |= element parent { ctl_destroy, self_handle, parent_handle }
+parent_reply |= element parent { ctl_destroy, self_handle, parent_handle }
+
+# element
+
+child_handle = attribute child_handle { object_handle }
+
+child_bool = (attribute reissue { "yes" }?,
+ attribute clear_replay_protection { "yes" }?)
+
+child_payload = (bsc_handle?,
+ element bpki_cert { base64 }?,
+ element bpki_glue { base64 }?)
+
+child_query |= element child { ctl_create, self_handle, child_handle, child_bool, child_payload }
+child_reply |= element child { ctl_create, self_handle, child_handle }
+child_query |= element child { ctl_set, self_handle, child_handle, child_bool, child_payload }
+child_reply |= element child { ctl_set, self_handle, child_handle }
+child_query |= element child { ctl_get, self_handle, child_handle }
+child_reply |= element child { ctl_get, self_handle, child_handle, child_payload }
+child_query |= element child { ctl_list, self_handle }
+child_reply |= element child { ctl_list, self_handle, child_handle, child_payload }
+child_query |= element child { ctl_destroy, self_handle, child_handle }
+child_reply |= element child { ctl_destroy, self_handle, child_handle }
+
+# element
+
+repository_handle = attribute repository_handle { object_handle }
+
+repository_bool = attribute clear_replay_protection { "yes" }?
+
+repository_payload = (attribute peer_contact_uri { uri }?,
+ bsc_handle?,
+ element bpki_cert { base64 }?,
+ element bpki_glue { base64 }?)
+
+repository_query |= element repository { ctl_create, self_handle, repository_handle, repository_bool, repository_payload }
+repository_reply |= element repository { ctl_create, self_handle, repository_handle }
+repository_query |= element repository { ctl_set, self_handle, repository_handle, repository_bool, repository_payload }
+repository_reply |= element repository { ctl_set, self_handle, repository_handle }
+repository_query |= element repository { ctl_get, self_handle, repository_handle }
+repository_reply |= element repository { ctl_get, self_handle, repository_handle, repository_payload }
+repository_query |= element repository { ctl_list, self_handle }
+repository_reply |= element repository { ctl_list, self_handle, repository_handle, repository_payload }
+repository_query |= element repository { ctl_destroy, self_handle, repository_handle }
+repository_reply |= element repository { ctl_destroy, self_handle, repository_handle }
+
+# element
+
+list_resources_query = element list_resources {
+ tag, self_handle, child_handle
+}
+
+list_resources_reply = element list_resources {
+ tag, self_handle, child_handle,
+ attribute valid_until { xsd:dateTime { pattern=".*Z" } },
+ attribute asn { asn_list }?,
+ attribute ipv4 { ipv4_list }?,
+ attribute ipv6 { ipv6_list }?
+}
+
+# element
+
+list_roa_requests_query = element list_roa_requests {
+ tag, self_handle
+}
+
+list_roa_requests_reply = element list_roa_requests {
+ tag, self_handle,
+ attribute asn { xsd:nonNegativeInteger },
+ attribute ipv4 { ipv4_list }?,
+ attribute ipv6 { ipv6_list }?
+}
+
+# element
+
+list_ghostbuster_requests_query = element list_ghostbuster_requests {
+ tag, self_handle, parent_handle
+}
+
+list_ghostbuster_requests_reply = element list_ghostbuster_requests {
+ tag, self_handle, parent_handle,
+ xsd:string
+}
+
+# element
+
+list_ee_certificate_requests_query = element list_ee_certificate_requests {
+ tag, self_handle
+}
+
+list_ee_certificate_requests_reply = element list_ee_certificate_requests {
+ tag, self_handle,
+ attribute gski { xsd:token { minLength="27" maxLength="27" } },
+ attribute valid_until { xsd:dateTime { pattern=".*Z" } },
+ attribute asn { asn_list }?,
+ attribute ipv4 { ipv4_list }?,
+ attribute ipv6 { ipv6_list }?,
+ attribute cn { xsd:string { maxLength="64" pattern="[\-0-9A-Za-z_ ]+" } }?,
+ attribute sn { xsd:string { maxLength="64" pattern="[0-9A-Fa-f]+" } }?,
+ attribute eku { xsd:string { maxLength="512000" pattern="[.,0-9]+" } }?,
+ element pkcs10 { base64 }
+}
+
+# element
+
+list_published_objects_query = element list_published_objects {
+ tag, self_handle
+}
+
+list_published_objects_reply = element list_published_objects {
+ tag, self_handle,
+ attribute uri { uri },
+ attribute child_handle { object_handle }?,
+ base64
+}
+
+# element
+
+list_received_resources_query = element list_received_resources {
+ tag, self_handle
+}
+
+list_received_resources_reply = element list_received_resources {
+ tag, self_handle, parent_handle,
+ attribute notBefore { xsd:dateTime { pattern=".*Z" } },
+ attribute notAfter { xsd:dateTime { pattern=".*Z" } },
+ attribute uri { uri },
+ attribute sia_uri { uri },
+ attribute aia_uri { uri },
+ attribute asn { asn_list }?,
+ attribute ipv4 { ipv4_list }?,
+ attribute ipv6 { ipv6_list }?
+}
+
+# element
+
+error = xsd:token { maxLength="1024" }
+
+report_error_reply = element report_error {
+ tag, self_handle?,
+ attribute error_code { error },
+ xsd:string { maxLength="512000" }?
+}
+
+# Local Variables:
+# indent-tabs-mode: nil
+# comment-start: "# "
+# comment-start-skip: "#[ \t]*"
+# End:
diff --git a/schemas/relaxng/left-right-schema.rng b/schemas/relaxng/left-right-schema.rng
new file mode 100644
index 00000000..6c3d2f1a
--- /dev/null
+++ b/schemas/relaxng/left-right-schema.rng
@@ -0,0 +1,1089 @@ + + + + + + + + + 1 + + + + + + query + + + + + + + + reply + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 1024 + + + + + + + + create + + + + + + set + + + + + + get + + + + + + list + + + + + + destroy + + + + + + + 512000 + + + + + + + 255 + [\-_A-Za-z0-9]+ + + + + + + 4096 + + + + + + 1024 + + + + + + 512000 + [\-,0-9]* + + + + + 512000 + [\-,0-9/.]* + + + + + 512000 + [\-,0-9/:a-fA-F]* + + + + + + + yes + + + + + yes + + + + + yes + + + + + yes + + + + + yes + + + + + yes + + + + + yes + + + + + + + + yes + no + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + yes + + + + rsa + + + + + sha256 + + + + + 2048 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + yes + + + + + yes + + + + + yes + + + + + yes + + + + + yes + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + yes + + + + + yes + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + yes + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + .*Z + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 27 + 27 + + + + + .*Z + + + + + + + + + + + + + + + + + + + + + 64 + [\-0-9A-Za-z_ ]+ + + + + + + + 64 + [0-9A-Fa-f]+ + + + + + + + 512000 + [.,0-9]+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + .*Z + + + + + .*Z + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 1024 + + + + + + + + + + + + + + 512000 + + + + + + diff --git a/schemas/relaxng/myrpki.rnc b/schemas/relaxng/myrpki.rnc new file mode 100644 index 00000000..156ab0d5 --- /dev/null +++ b/schemas/relaxng/myrpki.rnc 
@@ -0,0 +1,164 @@
+# $Id$
+#
+# RelaxNG schema for MyRPKI XML messages.
+#
+# This message protocol is on its way out, as we're in the process of
+# moving on from the user interface model that produced it, but even
+# after we finish replacing it we'll still need the schema for a while
+# to validate old messages when upgrading.
+#
+# libxml2 (including xmllint) only groks the XML syntax of RelaxNG, so
+# run the compact syntax through trang to get XML syntax.
+#
+# Copyright (C) 2009-2011 Internet Systems Consortium ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+default namespace = "http://www.hactrn.net/uris/rpki/myrpki/"
+
+version = "2"
+
+base64 = xsd:base64Binary { maxLength="512000" }
+object_handle = xsd:string { maxLength="255" pattern="[\-_A-Za-z0-9]+" }
+pubd_handle = xsd:string { maxLength="255" pattern="[\-_A-Za-z0-9/]+" }
+uri = xsd:anyURI { maxLength="4096" }
+asn = xsd:positiveInteger
+asn_list = xsd:string { maxLength="512000" pattern="[\-,0-9]+" }
+ipv4_list = xsd:string { maxLength="512000" pattern="[\-,0-9/.]+" }
+ipv6_list = xsd:string { maxLength="512000" pattern="[\-,0-9/:a-fA-F]+" }
+timestamp = xsd:dateTime { pattern=".*Z" }
+
+# Message formate used between configure_resources and
+# configure_daemons.
+
+start |= element myrpki {
+ attribute version { version },
+ attribute handle { object_handle },
+ attribute service_uri { uri }?,
+ element roa_request {
+ attribute asn { asn },
+ attribute v4 { ipv4_list },
+ attribute v6 { ipv6_list }
+ }*,
+ element child {
+ attribute handle { object_handle },
+ attribute valid_until { timestamp },
+ attribute asns { asn_list }?,
+ attribute v4 { ipv4_list }?,
+ attribute v6 { ipv6_list }?,
+ element bpki_certificate { base64 }?
+ }*,
+ element parent {
+ attribute handle { object_handle },
+ attribute service_uri { uri }?,
+ attribute myhandle { object_handle }?,
+ attribute sia_base { uri }?,
+ element bpki_cms_certificate { base64 }?
+ }*,
+ element repository {
+ attribute handle { object_handle },
+ attribute service_uri { uri }?,
+ element bpki_certificate { base64 }?
+ }*,
+ element bpki_ca_certificate { base64 }?,
+ element bpki_crl { base64 }?,
+ element bpki_bsc_certificate { base64 }?,
+ element bpki_bsc_pkcs10 { base64 }?
+}
+
+# Format of an identity.xml file.
+
+start |= element identity {
+ attribute version { version },
+ attribute handle { object_handle },
+ element bpki_ta { base64 }
+}
+
+# Format of element used in referrals. The Base64
+# text is a (q. v.) element signed with CMS.
+
+authorization = element authorization {
+ attribute referrer { pubd_handle },
+ base64
+}
+
+# Format of element used in referrals.
+
+contact_info = element contact_info {
+ attribute uri { uri }?,
+ xsd:string
+}
+
+# Variant payload portion of a element.
+
+repository_payload = (
+ (attribute type { "none" }) |
+ (attribute type { "offer" }) |
+ (attribute type { "referral" }, authorization, contact_info)
+)
+
+# element (response from configure_child).
+
+start |= element parent {
+ attribute version { version },
+ attribute valid_until { timestamp }?,
+ attribute service_uri { uri }?,
+ attribute child_handle { object_handle },
+ attribute parent_handle { object_handle },
+ element bpki_resource_ta { base64 },
+ element bpki_child_ta { base64 },
+ element repository { repository_payload }?
+}
+
+# element, types offer and referral
+# (input to configure_publication_client).
+
+start |= element repository {
+ attribute version { version },
+ attribute handle { object_handle },
+ attribute parent_handle { object_handle },
+ repository_payload,
+ element bpki_client_ta { base64 }
+}
+
+# element, confirmation type (output of
+# configure_publication_client).
+
+start |= element repository {
+ attribute version { version },
+ attribute type { "confirmed" },
+ attribute parent_handle { object_handle },
+ attribute client_handle { pubd_handle },
+ attribute service_uri { uri },
+ attribute sia_base { uri },
+ element bpki_server_ta { base64 },
+ element bpki_client_ta { base64 },
+ authorization?,
+ contact_info?
+}
+
+# element. This is the entirety of a separate message
+# which is signed with CMS then included ase the Base64 content of an
+# element in the main message.
+
+start |= element referral {
+ attribute version { version },
+ attribute authorized_sia_base { uri },
+ base64
+}
+
+# Local Variables:
+# indent-tabs-mode: nil
+# comment-start: "# "
+# comment-start-skip: "#[ \t]*"
+# End:
diff --git a/schemas/relaxng/myrpki.rng b/schemas/relaxng/myrpki.rng
new file mode 100644
index 00000000..07b8beb3
--- /dev/null
+++ b/schemas/relaxng/myrpki.rng
@@ -0,0 +1,379 @@ + + + + + 2 + + + + 512000 + + + + + 255 + [\-_A-Za-z0-9]+ + + + + + 255 + [\-_A-Za-z0-9/]+ + + + + + 4096 + + + + + + + + 512000 + [\-,0-9]+ + + + + + 512000 + [\-,0-9/.]+ + + + + + 512000 + [\-,0-9/:a-fA-F]+ + + + + + .*Z + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + none + + + offer + + + + referral + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + confirmed + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/schemas/relaxng/publication-schema.rnc b/schemas/relaxng/publication-schema.rnc new file mode 100644 index 00000000..4353ae80 --- /dev/null +++ b/schemas/relaxng/publication-schema.rnc 
@@ -0,0 +1,137 @@
+# $Id$
+#
+# RelaxNG schema for RPKI publication protocol.
+#
+# Copyright (C) 2012--2014 Dragon Research Labs ("DRL")
+# Portions copyright (C) 2009--2011 Internet Systems Consortium ("ISC")
+# Portions copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notices and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND DRL, ISC, AND ARIN DISCLAIM ALL
+# WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DRL,
+# ISC, OR ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+# CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+# OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+default namespace = "http://www.hactrn.net/uris/rpki/publication-spec/"
+
+# Top level PDU
+
+start = element msg {
+ attribute version { xsd:positiveInteger { maxInclusive="1" } },
+ ( (attribute type { "query" }, query_elt*) |
+ (attribute type { "reply" }, reply_elt*) )
+}
+
+# PDUs allowed in a query
+query_elt = ( config_query | client_query | certificate_query | crl_query |
+ manifest_query | roa_query | ghostbuster_query )
+
+# PDUs allowed in a reply
+reply_elt = ( config_reply | client_reply | certificate_reply | crl_reply |
+ manifest_reply | roa_reply | ghostbuster_reply | report_error_reply )
+
+# Tag attributes for bulk operations
+tag = attribute tag { xsd:token {maxLength="1024" } }
+
+# Base64 encoded DER stuff
+#base64 = xsd:base64Binary { maxLength="512000" }
+#
+# Sadly, it turns out that CRLs can in fact get longer than this for an active CA.
+# Remove length limit for now, think about whether to put it back later.
+base64 = xsd:base64Binary
+
+# Publication URLs
+uri_t = xsd:anyURI { maxLength="4096" }
+uri = attribute uri { uri_t }
+
+# Handles on remote objects (replaces passing raw SQL IDs). NB:
+# Unlike the up-down protocol, handles in this protocol allow "/" as a
+# hierarchy delimiter.
+object_handle = xsd:string { maxLength="255" pattern="[\-_A-Za-z0-9/]+" }
+
+# element (use restricted to repository operator)
+# config_handle attribute, create, list, and destroy commands omitted deliberately, see code for details
+
+config_payload = (element bpki_crl { base64 }?)
+
+config_query |= element config { attribute action { "set" }, tag?, config_payload }
+config_reply |= element config { attribute action { "set" }, tag? }
+config_query |= element config { attribute action { "get" }, tag? }
+config_reply |= element config { attribute action { "get" }, tag?, config_payload }
+
+# element (use restricted to repository operator)
+
+client_handle = attribute client_handle { object_handle }
+
+client_bool = attribute clear_replay_protection { "yes" }?
+
+client_payload = (attribute base_uri { uri_t }?, element bpki_cert { base64 }?, element bpki_glue { base64 }?)
+
+client_query |= element client { attribute action { "create" }, tag?, client_handle, client_bool, client_payload }
+client_reply |= element client { attribute action { "create" }, tag?, client_handle }
+client_query |= element client { attribute action { "set" }, tag?, client_handle, client_bool, client_payload }
+client_reply |= element client { attribute action { "set" }, tag?, client_handle }
+client_query |= element client { attribute action { "get" }, tag?, client_handle }
+client_reply |= element client { attribute action { "get" }, tag?, client_handle, client_payload }
+client_query |= element client { attribute action { "list" }, tag? }
+client_reply |= element client { attribute action { "list" }, tag?, client_handle, client_payload }
+client_query |= element client { attribute action { "destroy" }, tag?, client_handle }
+client_reply |= element client { attribute action { "destroy" }, tag?, client_handle }
+
+# element
+
+certificate_query |= element certificate { attribute action { "publish" }, tag?, uri, base64 }
+certificate_reply |= element certificate { attribute action { "publish" }, tag?, uri }
+certificate_query |= element certificate { attribute action { "withdraw" }, tag?, uri }
+certificate_reply |= element certificate { attribute action { "withdraw" }, tag?, uri }
+
+# element
+
+crl_query |= element crl { attribute action { "publish" }, tag?, uri, base64 }
+crl_reply |= element crl { attribute action { "publish" }, tag?, uri }
+crl_query |= element crl { attribute action { "withdraw" }, tag?, uri }
+crl_reply |= element crl { attribute action { "withdraw" }, tag?, uri }
+
+# element
+
+manifest_query |= element manifest { attribute action { "publish" }, tag?, uri, base64 }
+manifest_reply |= element manifest { attribute action { "publish" }, tag?, uri }
+manifest_query |= element manifest { attribute action { "withdraw" }, tag?, uri }
+manifest_reply |= element manifest { attribute action { "withdraw" }, tag?, uri }
+
+# element
+
+roa_query |= element roa { attribute action { "publish" }, tag?, uri, base64 }
+roa_reply |= element roa { attribute action { "publish" }, tag?, uri }
+roa_query |= element roa { attribute action { "withdraw" }, tag?, uri }
+roa_reply |= element roa { attribute action { "withdraw" }, tag?, uri }
+
+# element
+
+ghostbuster_query |= element ghostbuster { attribute action { "publish" }, tag?, uri, base64 }
+ghostbuster_reply |= element ghostbuster { attribute action { "publish" }, tag?, uri }
+ghostbuster_query |= element ghostbuster { attribute action { "withdraw" }, tag?, uri }
+ghostbuster_reply |= element ghostbuster { attribute action { "withdraw" },
tag?, uri } + +# element + +error = xsd:token { maxLength="1024" } + +report_error_reply = element report_error { + tag?, + attribute error_code { error }, + xsd:string { maxLength="512000" }? +} + +# Local Variables: +# indent-tabs-mode: nil +# comment-start: "# " +# comment-start-skip: "#[ \t]*" +# End: diff --git a/schemas/relaxng/publication-schema.rng b/schemas/relaxng/publication-schema.rng new file mode 100644 index 00000000..63fb6ea5 --- /dev/null +++ b/schemas/relaxng/publication-schema.rng @@ -0,0 +1,574 @@ + + + + + + + + + 1 + + + + + + query + + + + + + + + reply + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 1024 + + + + + + + + + + + 4096 + + + + + + + + + + + 255 + [\-_A-Za-z0-9/]+ + + + + + + + + + + + + + + set + + + + + + + + + + + set + + + + + + + + + + get + + + + + + + + + + get + + + + + + + + + + + + + + + + + yes + + + + + + + + + + + + + + + + + + + + + + + + create + + + + + + + + + + + + + create + + + + + + + + + + + set + + + + + + + + + + + + + set + + + + + + + + + + + get + + + + + + + + + + + get + + + + + + + + + + + + list + + + + + + + + + + list + + + + + + + + + + + + destroy + + + + + + + + + + + destroy + + + + + + + + + + + + publish + + + + + + + + + + + + publish + + + + + + + + + + + withdraw + + + + + + + + + + + withdraw + + + + + + + + + + + + publish + + + + + + + + + + + + publish + + + + + + + + + + + withdraw + + + + + + + + + + + withdraw + + + + + + + + + + + + publish + + + + + + + + + + + + publish + + + + + + + + + + + withdraw + + + + + + + + + + + withdraw + + + + + + + + + + + + publish + + + + + + + + + + + + publish + + + + + + + + + + + withdraw + + + + + + + + + + + withdraw + + + + + + + + + + + + publish + + + + + + + + + + + + publish + + + + + + + + + + + withdraw + + + + + + + + + + + withdraw + + + + + + + + + + + 1024 + + + + + + + + + + + + + 512000 + + + + + + 
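Review bot: `base64 = xsd:base64Binary` at the top of this hunk carries no `maxLength` facet, whereas the left-right and router-certificate schemas in the same commit cap the same type at 512000; the comment directly above records why (CRLs outgrew the cap) but leaves the decision open. Without a schema-level bound, a `publish` query for any object type passes validation regardless of payload size, so the only protection against an oversized or memory-exhausting request is whatever request-size limit the publication server enforces before parsing, which is not visible here and should be confirmed. Either reinstate a larger explicit cap, or once the server-side limit is confirmed record it here, e.g. `# No length facet: payload size is bounded by the server's request-size limit, not by this schema`. This file is moved unchanged by the commit, so this is a follow-up rather than a regression.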
diff --git a/schemas/relaxng/router-certificate-schema.rnc b/schemas/relaxng/router-certificate-schema.rnc
new file mode 100644
index 00000000..8cc325ce
--- /dev/null
+++ b/schemas/relaxng/router-certificate-schema.rnc
@@ -0,0 +1,61 @@
+# $Id$
+#
+# RelaxNG schema for BGPSEC router certificate interchange format.
+#
+# At least for now, this is a trivial encapsulation of a PKCS #10
+# request, a set (usually containing exactly one member) of autonomous
+# system numbers, and a router-id. Be warned that this could change
+# radically by the time we have any real operational understanding of
+# how these things will be used, this is just our current best guess
+# to let us move forward on initial coding.
+#
+# Copyright (C) 2014 Dragon Research Labs ("DRL")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND DRL DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL DRL BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+default namespace = "http://www.hactrn.net/uris/rpki/router-certificate/"
+
+version = "1"
+base64 = xsd:base64Binary { maxLength="512000" }
+router_id = xsd:unsignedInt
+asn_list = xsd:string { maxLength="512000" pattern="[0-9][\-,0-9]*" }
+timestamp = xsd:dateTime { pattern=".*Z" }
+
+# Core payload used in this schema.
+
+payload = (
+ attribute router_id { router_id },
+ attribute asn { asn_list },
+ attribute valid_until { timestamp }?,
+ base64
+)
+
+# We allow two forms, one with a wrapper to allow multiple requests in
+# a single file, one without for brevity; the version attribute goes
+# in the outermost element in either case.
+ +start |= element router_certificate_request { + attribute version { version }, + payload +} + +start |= element router_certificate_requests { + attribute version { version }, + element router_certificate_request { payload }* +} + +# Local Variables: +# indent-tabs-mode: nil +# comment-start: "# " +# comment-start-skip: "#[ \t]*" +# End: diff --git a/schemas/relaxng/router-certificate-schema.rng b/schemas/relaxng/router-certificate-schema.rng new file mode 100644 index 00000000..d8be9eda --- /dev/null +++ b/schemas/relaxng/router-certificate-schema.rng @@ -0,0 +1,98 @@ + + + + + 1 + + + + 512000 + + + + + + + + 512000 + [0-9][\-,0-9]* + + + + + .*Z + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/schemas/relaxng/up-down-schema.rnc b/schemas/relaxng/up-down-schema.rnc new file mode 100644 index 00000000..a603b8fe --- /dev/null +++ b/schemas/relaxng/up-down-schema.rnc 
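Review bot: The `asn_list` pattern `[0-9][\-,0-9]*` accepts strings such as `1,,2`, `1-` or `1-2-3`, so schema validation does not by itself guarantee a well-formed ASN list and the consuming code must re-parse it defensively. A tighter pattern, e.g. `pattern="[0-9]+(-[0-9]+)?(,[0-9]+(-[0-9]+)?)*"`, would reject those at the schema layer; the companion router-certificate-schema.rng in this commit would then need to be kept in sync. Given the header's own warning that the format is provisional, at minimum a comment on the `asn_list` line noting that the pattern is only a coarse filter would set expectations for implementers.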
@@ -0,0 +1,113 @@
+# $Id$
+#
+# RelaxNG schema for the up-down protocol, extracted from RFC 6492.
+#
+# Copyright (c) 2012 IETF Trust and the persons identified as authors
+# of the code. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in
+# the documentation and/or other materials provided with the
+# distribution.
+#
+# * Neither the name of Internet Society, IETF or IETF Trust, nor the
+# names of specific contributors, may be used to endorse or promote
+# products derived from this software without specific prior written
+# permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+
+default namespace = "http://www.apnic.net/specs/rescerts/up-down/"
+
+grammar {
+ resource_set_as = xsd:string { maxLength="512000" pattern="[\-,0-9]*" }
+ resource_set_ip4 = xsd:string { maxLength="512000" pattern="[\-,/.0-9]*" }
+ resource_set_ip6 = xsd:string { maxLength="512000" pattern="[\-,/:0-9a-fA-F]*" }
+
+ class_name = xsd:token { minLength="1" maxLength="1024" }
+ ski = xsd:token { minLength="27" maxLength="1024" }
+ label = xsd:token { minLength="1" maxLength="1024" }
+ cert_url = xsd:string { minLength="10" maxLength="4096" }
+ base64_binary = xsd:base64Binary { minLength="4" maxLength="512000" }
+
+ start = element message {
+ attribute version { xsd:positiveInteger { maxInclusive="1" } },
+ attribute sender { label },
+ attribute recipient { label },
+ payload
+ }
+
+ payload |= attribute type { "list" }, list_request
+ payload |= attribute type { "list_response"}, list_response
+ payload |= attribute type { "issue" }, issue_request
+ payload |= attribute type { "issue_response"}, issue_response
+ payload |= attribute type { "revoke" }, revoke_request
+ payload |= attribute type { "revoke_response"}, revoke_response
+ payload |= attribute type { "error_response"}, error_response
+
+ list_request = empty
+ list_response = class*
+
+ class = element class {
+ attribute class_name { class_name },
+ attribute cert_url { cert_url },
+ attribute resource_set_as { resource_set_as },
+ attribute resource_set_ipv4 { resource_set_ip4 },
+ attribute resource_set_ipv6 { resource_set_ip6 },
+ attribute resource_set_notafter { xsd:dateTime },
+ attribute suggested_sia_head { xsd:anyURI { maxLength="1024" pattern="rsync://.+"} }?,
+ element certificate {
+ attribute cert_url { cert_url },
+ attribute req_resource_set_as { resource_set_as }?,
+ attribute req_resource_set_ipv4 { resource_set_ip4 }?,
+ attribute req_resource_set_ipv6 { resource_set_ip6 }?,
+ base64_binary
+ }*,
+ element issuer { base64_binary }
+ }
+
+ issue_request = element request {
+ attribute 
class_name { class_name }, + attribute req_resource_set_as { resource_set_as }?, + attribute req_resource_set_ipv4 { resource_set_ip4 }?, + attribute req_resource_set_ipv6 { resource_set_ip6 }?, + base64_binary + } + issue_response = class + + revoke_request = revocation + revoke_response = revocation + + revocation = element key { + attribute class_name { class_name }, + attribute ski { ski } + } + + error_response = + element status { xsd:positiveInteger { maxInclusive="9999" } }, + element description { attribute xml:lang { xsd:language }, xsd:string { maxLength="1024" } }* +} + +# Local Variables: +# indent-tabs-mode: nil +# comment-start: "# " +# comment-start-skip: "#[ \t]*" +# End: diff --git a/schemas/relaxng/up-down-schema.rng b/schemas/relaxng/up-down-schema.rng new file mode 100644 index 00000000..5368fa65 --- /dev/null +++ b/schemas/relaxng/up-down-schema.rng @@ -0,0 +1,277 @@ + + + + + + 512000 + [\-,0-9]* + + + + + 512000 + [\-,/.0-9]* + + + + + 512000 + [\-,/:0-9a-fA-F]* + + + + + 1 + 1024 + + + + + 27 + 1024 + + + + + 1 + 1024 + + + + + 10 + 4096 + + + + + 4 + 512000 + + + + + + + 1 + + + + + + + + + + + + + + list + + + + + + list_response + + + + + + issue + + + + + + issue_response + + + + + + revoke + + + + + + revoke_response + + + + + + error_response + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 1024 + rsync://.+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 9999 + + + + + + + + + 1024 + + + + + + diff --git a/schemas/sql/pubd.sql b/schemas/sql/pubd.sql new file mode 100644 index 00000000..3a58ec00 --- /dev/null +++ b/schemas/sql/pubd.sql 
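Review bot: `resource_set_notafter` is a bare `xsd:dateTime`, which admits a timezone offset or no timezone at all, whereas router-certificate-schema.rnc in the same commit pins its timestamps with `pattern=".*Z"`. Since this grammar is copied from RFC 6492 it should not be tightened here, but the consumer presumably compares this value against certificate validity and so must normalize the timezone first; a comment on that line such as `# Any xsd:dateTime is valid per RFC 6492; normalize timezone before comparing` would record that. The enclosing `grammar {` block begins earlier in the hunk, so the comment placement is within the same unit.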
@@ -0,0 +1,59 @@
+-- $Id$
+
+-- Copyright (C) 2009--2010 Internet Systems Consortium ("ISC")
+--
+-- Permission to use, copy, modify, and distribute this software for any
+-- purpose with or without fee is hereby granted, provided that the above
+-- copyright notice and this permission notice appear in all copies.
+--
+-- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+-- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+-- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+-- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+-- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+-- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+-- PERFORMANCE OF THIS SOFTWARE.
+
+-- Copyright (C) 2008 American Registry for Internet Numbers ("ARIN")
+--
+-- Permission to use, copy, modify, and distribute this software for any
+-- purpose with or without fee is hereby granted, provided that the above
+-- copyright notice and this permission notice appear in all copies.
+--
+-- THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+-- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+-- AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+-- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+-- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+-- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+-- PERFORMANCE OF THIS SOFTWARE.
+
+-- SQL objects needed by pubd.py.
+
+-- The config table is weird because we're really only using it
+-- to store one BPKI CRL, but putting this here lets us use a lot of
+-- existing machinery and the alternatives are whacky in other ways.
+
+DROP TABLE IF EXISTS client;
+DROP TABLE IF EXISTS config;
+
+CREATE TABLE config (
+ config_id SERIAL NOT NULL,
+ bpki_crl LONGBLOB,
+ PRIMARY KEY (config_id)
+) ENGINE=InnoDB;
+
+CREATE TABLE client (
+ client_id SERIAL NOT NULL,
+ client_handle VARCHAR(255) NOT NULL,
+ base_uri TEXT,
+ bpki_cert LONGBLOB,
+ bpki_glue LONGBLOB,
+ last_cms_timestamp DATETIME,
+ PRIMARY KEY (client_id),
+ UNIQUE (client_handle)
+) ENGINE=InnoDB;
+
+-- Local Variables:
+-- indent-tabs-mode: nil
+-- End:
diff --git a/schemas/sql/rpkid.sql b/schemas/sql/rpkid.sql
new file mode 100644
index 00000000..a7e3dc0a
--- /dev/null
+++ b/schemas/sql/rpkid.sql
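Review bot: `client.base_uri` and `client.bpki_cert` in `CREATE TABLE client` are both nullable, yet these look like the two values pubd would use to confine a client's publications to its own URI subtree and to verify the client's CMS signatures; a row lacking either carries no usable authorization. Unless NULL is a deliberate "created but not yet authorized" state, `base_uri TEXT NOT NULL` and `bpki_cert LONGBLOB NOT NULL` would turn a misconfiguration into an insert-time error instead of a silent gap. If NULL is intentional, a comment above the table stating how pubd treats such a row (to be confirmed against pubd.py) would document the contract. `last_cms_timestamp` is the only replay-protection state in the table and is likewise nullable, which is reasonable for a fresh client but worth a one-line comment saying so.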
@@ -0,0 +1,250 @@
+-- $Id$
+
+-- Copyright (C) 2009--2011 Internet Systems Consortium ("ISC")
+--
+-- Permission to use, copy, modify, and distribute this software for any
+-- purpose with or without fee is hereby granted, provided that the above
+-- copyright notice and this permission notice appear in all copies.
+--
+-- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+-- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+-- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+-- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+-- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+-- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+-- PERFORMANCE OF THIS SOFTWARE.
+
+-- Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+--
+-- Permission to use, copy, modify, and distribute this software for any
+-- purpose with or without fee is hereby granted, provided that the above
+-- copyright notice and this permission notice appear in all copies.
+--
+-- THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+-- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+-- AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+-- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+-- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+-- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+-- PERFORMANCE OF THIS SOFTWARE.
+
+-- SQL objects needed by the RPKI engine (rpkid.py).
+
+-- DROP TABLE commands must be in correct (reverse dependency) order
+-- to satisfy FOREIGN KEY constraints.
+
+DROP TABLE IF EXISTS ee_cert;
+DROP TABLE IF EXISTS ghostbuster;
+DROP TABLE IF EXISTS roa_prefix;
+DROP TABLE IF EXISTS roa;
+DROP TABLE IF EXISTS revoked_cert;
+DROP TABLE IF EXISTS child_cert;
+DROP TABLE IF EXISTS child;
+DROP TABLE IF EXISTS ca_detail;
+DROP TABLE IF EXISTS ca;
+DROP TABLE IF EXISTS parent;
+DROP TABLE IF EXISTS repository;
+DROP TABLE IF EXISTS bsc;
+DROP TABLE IF EXISTS self;
+
+CREATE TABLE self (
+ self_id SERIAL NOT NULL,
+ self_handle VARCHAR(255) NOT NULL,
+ use_hsm BOOLEAN NOT NULL DEFAULT FALSE,
+ crl_interval BIGINT UNSIGNED,
+ regen_margin BIGINT UNSIGNED,
+ bpki_cert LONGBLOB,
+ bpki_glue LONGBLOB,
+ PRIMARY KEY (self_id),
+ UNIQUE (self_handle)
+) ENGINE=InnoDB;
+
+CREATE TABLE bsc (
+ bsc_id SERIAL NOT NULL,
+ bsc_handle VARCHAR(255) NOT NULL,
+ private_key_id LONGBLOB,
+ pkcs10_request LONGBLOB,
+ hash_alg ENUM ('sha256'),
+ signing_cert LONGBLOB,
+ signing_cert_crl LONGBLOB,
+ self_id BIGINT UNSIGNED NOT NULL,
+ PRIMARY KEY (bsc_id),
+ CONSTRAINT bsc_self_id
+ FOREIGN KEY (self_id) REFERENCES self (self_id) ON DELETE CASCADE,
+ UNIQUE (self_id, bsc_handle)
+) ENGINE=InnoDB;
+
+CREATE TABLE repository (
+ repository_id SERIAL NOT NULL,
+ repository_handle VARCHAR(255) NOT NULL,
+ peer_contact_uri TEXT,
+ bpki_cert LONGBLOB,
+ bpki_glue LONGBLOB,
+ last_cms_timestamp DATETIME,
+ bsc_id BIGINT UNSIGNED NOT NULL,
+ self_id BIGINT UNSIGNED NOT NULL,
+ PRIMARY KEY (repository_id),
+ CONSTRAINT repository_self_id
+ FOREIGN KEY (self_id) REFERENCES self (self_id) ON DELETE CASCADE,
+ CONSTRAINT repository_bsc_id
+ FOREIGN KEY (bsc_id) REFERENCES bsc (bsc_id) ON DELETE CASCADE,
+ UNIQUE (self_id, repository_handle)
+) ENGINE=InnoDB;
+
+CREATE TABLE parent (
+ parent_id SERIAL NOT NULL,
+ parent_handle VARCHAR(255) NOT NULL,
+ bpki_cms_cert LONGBLOB,
+ bpki_cms_glue LONGBLOB,
+ peer_contact_uri TEXT,
+ sia_base TEXT,
+ sender_name TEXT,
+ recipient_name TEXT,
+ last_cms_timestamp DATETIME,
+ self_id BIGINT UNSIGNED NOT NULL,
+ bsc_id BIGINT UNSIGNED NOT NULL,
+ repository_id BIGINT UNSIGNED NOT NULL,
+ PRIMARY KEY (parent_id),
+ CONSTRAINT parent_repository_id
+ FOREIGN KEY (repository_id) REFERENCES repository (repository_id) ON DELETE CASCADE,
+ CONSTRAINT parent_bsc_id
+ FOREIGN KEY (bsc_id) REFERENCES bsc (bsc_id) ON DELETE CASCADE,
+ CONSTRAINT parent_self_id
+ FOREIGN KEY (self_id) REFERENCES self (self_id) ON DELETE CASCADE,
+ UNIQUE (self_id, parent_handle)
+) ENGINE=InnoDB;
+
+CREATE TABLE ca (
+ ca_id SERIAL NOT NULL,
+ last_crl_sn BIGINT UNSIGNED NOT NULL,
+ last_manifest_sn BIGINT UNSIGNED NOT NULL,
+ next_manifest_update DATETIME,
+ next_crl_update DATETIME,
+ last_issued_sn BIGINT UNSIGNED NOT NULL,
+ sia_uri TEXT,
+ parent_resource_class TEXT,
+ parent_id BIGINT UNSIGNED NOT NULL,
+ PRIMARY KEY (ca_id),
+ CONSTRAINT ca_parent_id
+ FOREIGN KEY (parent_id) REFERENCES parent (parent_id) ON DELETE CASCADE
+) ENGINE=InnoDB;
+
+CREATE TABLE ca_detail (
+ ca_detail_id SERIAL NOT NULL,
+ public_key LONGBLOB,
+ private_key_id LONGBLOB,
+ latest_crl LONGBLOB,
+ crl_published DATETIME,
+ latest_ca_cert LONGBLOB,
+ manifest_private_key_id LONGBLOB,
+ manifest_public_key LONGBLOB,
+ latest_manifest_cert LONGBLOB,
+ latest_manifest LONGBLOB,
+ manifest_published DATETIME,
+ state ENUM ('pending', 'active', 'deprecated', 'revoked') NOT NULL,
+ ca_cert_uri TEXT,
+ ca_id BIGINT UNSIGNED NOT NULL,
+ PRIMARY KEY (ca_detail_id),
+ CONSTRAINT ca_detail_ca_id
+ FOREIGN KEY (ca_id) REFERENCES ca (ca_id) ON DELETE CASCADE
+) ENGINE=InnoDB;
+
+CREATE TABLE child (
+ child_id SERIAL NOT NULL,
+ child_handle VARCHAR(255) NOT NULL,
+ bpki_cert LONGBLOB,
+ bpki_glue LONGBLOB,
+ last_cms_timestamp DATETIME,
+ self_id BIGINT UNSIGNED NOT NULL,
+ bsc_id BIGINT UNSIGNED NOT NULL,
+ PRIMARY KEY (child_id),
+ CONSTRAINT child_bsc_id
+ FOREIGN KEY (bsc_id) REFERENCES bsc (bsc_id) ON DELETE CASCADE,
+ CONSTRAINT child_self_id
+ FOREIGN KEY (self_id) REFERENCES self (self_id) ON DELETE CASCADE,
+ UNIQUE (self_id, child_handle)
+) ENGINE=InnoDB;
+
+CREATE TABLE child_cert (
+ child_cert_id SERIAL NOT NULL,
+ cert LONGBLOB NOT NULL,
+ published DATETIME,
+ ski TINYBLOB NOT NULL,
+ child_id BIGINT UNSIGNED NOT NULL,
+ ca_detail_id BIGINT UNSIGNED NOT NULL,
+ PRIMARY KEY (child_cert_id),
+ CONSTRAINT child_cert_ca_detail_id
+ FOREIGN KEY (ca_detail_id) REFERENCES ca_detail (ca_detail_id) ON DELETE CASCADE,
+ CONSTRAINT child_cert_child_id
+ FOREIGN KEY (child_id) REFERENCES child (child_id) ON DELETE CASCADE
+) ENGINE=InnoDB;
+
+CREATE TABLE revoked_cert (
+ revoked_cert_id SERIAL NOT NULL,
+ serial BIGINT UNSIGNED NOT NULL,
+ revoked DATETIME NOT NULL,
+ expires DATETIME NOT NULL,
+ ca_detail_id BIGINT UNSIGNED NOT NULL,
+ PRIMARY KEY (revoked_cert_id),
+ CONSTRAINT revoked_cert_ca_detail_id
+ FOREIGN KEY (ca_detail_id) REFERENCES ca_detail (ca_detail_id) ON DELETE CASCADE
+) ENGINE=InnoDB;
+
+CREATE TABLE roa (
+ roa_id SERIAL NOT NULL,
+ asn BIGINT UNSIGNED NOT NULL,
+ cert LONGBLOB NOT NULL,
+ roa LONGBLOB NOT NULL,
+ published DATETIME,
+ self_id BIGINT UNSIGNED NOT NULL,
+ ca_detail_id BIGINT UNSIGNED NOT NULL,
+ PRIMARY KEY (roa_id),
+ CONSTRAINT roa_self_id
+ FOREIGN KEY (self_id) REFERENCES self (self_id) ON DELETE CASCADE,
+ CONSTRAINT roa_ca_detail_id
+ FOREIGN KEY (ca_detail_id) REFERENCES ca_detail (ca_detail_id) ON DELETE CASCADE
+) ENGINE=InnoDB;
+
+CREATE TABLE roa_prefix (
+ prefix VARCHAR(40) NOT NULL,
+ prefixlen TINYINT UNSIGNED NOT NULL,
+ max_prefixlen TINYINT UNSIGNED NOT NULL,
+ version TINYINT UNSIGNED NOT NULL,
+ roa_id BIGINT UNSIGNED NOT NULL,
+ PRIMARY KEY (roa_id, prefix, prefixlen, max_prefixlen),
+ CONSTRAINT roa_prefix_roa_id
+ FOREIGN KEY (roa_id) REFERENCES roa (roa_id) ON DELETE CASCADE
+) ENGINE=InnoDB;
+
+CREATE TABLE ghostbuster (
+ ghostbuster_id SERIAL NOT NULL,
+ vcard LONGBLOB NOT NULL,
+ cert LONGBLOB NOT NULL,
+ ghostbuster LONGBLOB NOT NULL,
+ published DATETIME,
+ self_id BIGINT UNSIGNED NOT NULL,
+ ca_detail_id BIGINT UNSIGNED NOT NULL,
+ PRIMARY KEY (ghostbuster_id),
+ CONSTRAINT ghostbuster_self_id
+ FOREIGN KEY (self_id) REFERENCES self (self_id) ON DELETE CASCADE,
+ CONSTRAINT ghostbuster_ca_detail_id
+ FOREIGN KEY (ca_detail_id) REFERENCES ca_detail (ca_detail_id) ON DELETE CASCADE
+) ENGINE=InnoDB;
+
+CREATE TABLE ee_cert (
+ ee_cert_id SERIAL NOT NULL,
+ ski BINARY(20) NOT NULL,
+ cert LONGBLOB NOT NULL,
+ published DATETIME,
+ self_id BIGINT UNSIGNED NOT NULL,
+ ca_detail_id BIGINT UNSIGNED NOT NULL,
+ PRIMARY KEY (ee_cert_id),
+ CONSTRAINT ee_cert_self_id
+ FOREIGN KEY (self_id) REFERENCES self (self_id) ON DELETE CASCADE,
+ CONSTRAINT ee_cert_ca_detail_id
+ FOREIGN KEY (ca_detail_id) REFERENCES ca_detail (ca_detail_id) ON DELETE CASCADE
+) ENGINE=InnoDB;
+
+-- Local Variables:
+-- indent-tabs-mode: nil
+-- End:
-- cgit v1.2.3
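Review bot: `child_cert.ski` is declared `TINYBLOB NOT NULL` while `ee_cert.ski` is `BINARY(20) NOT NULL`, although both columns hold a Subject Key Identifier; the two should share one type, and `BINARY(20)` has the advantage of rejecting a truncated or over-long identifier at insert time, so `ski BINARY(20) NOT NULL` in `child_cert` is the simpler change. Neither `ski` column is indexed, and the up-down `revoke` request elsewhere in this commit identifies the key to revoke by `class_name` and `ski`, so if rpkid resolves that request by scanning `child_cert` each revocation is a full table scan — a secondary index on `(child_id, ski)` would be cheap if that lookup exists. `revoked_cert` has no uniqueness on `(ca_detail_id, serial)`, so a repeated revocation of one certificate would yield two rows for the same serial; unless the code guards against this, `UNIQUE (ca_detail_id, serial)` would make the CRL generator's assumption explicit. The `private_key_id` and `manifest_private_key_id` columns are `LONGBLOB` rather than an identifier-sized type, which suggests they may hold raw key material when `self.use_hsm` is false; a comment stating what these columns actually contain would document the at-rest boundary of the signing keys.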