From 2413ca2771ab5d26594277d8868c7d551aedd5ca Mon Sep 17 00:00:00 2001 
From: Rob Austein Date: Mon, 8 Mar 2010 20:34:46 +0000 Subject: Cleanup svn path=/scripts/Old/apnic-poke-1.sh; revision=3045 --- scripts/Old/apnic-poke-1.sh | 112 +++++++ scripts/Old/apnic-poke-1.yaml | 28 ++ scripts/Old/apnic-poke-2.sh | 123 ++++++++ scripts/Old/apnic-poke-2.yaml | 74 +++++ scripts/Old/apnic-test-3.tgz | Bin 0 -> 694571 bytes scripts/Old/async-http.py | 529 ++++++++++++++++++++++++++++++++++ scripts/Old/biz-certs-setup.sh | 81 ++++++ scripts/Old/blow-away-databases.sh | 29 ++ scripts/Old/extract-cert-from-rpki.sh | 35 +++ scripts/Old/manifests.py | 90 ++++++ scripts/Old/pkcs10.py | 100 +++++++ scripts/Old/rootd.cnf | 30 ++ scripts/Old/rootd.sh | 143 +++++++++ scripts/Old/test-pow-cms.py | 49 ---- scripts/Old/test-pow-tls.py | 61 ++++ scripts/Old/timers.sh | 55 ++++ scripts/Old/tls-client.py | 27 ++ scripts/Old/tls-server.py | 40 +++ scripts/apnic-poke-1.sh | 112 ------- scripts/apnic-poke-1.yaml | 28 -- scripts/apnic-poke-2.sh | 123 -------- scripts/apnic-poke-2.yaml | 74 ----- scripts/apnic-test-3.tgz | Bin 694571 -> 0 bytes scripts/async-http.py | 529 ---------------------------------- scripts/biz-certs-setup.sh | 81 ------ scripts/blow-away-databases.sh | 29 -- scripts/extract-cert-from-rpki.sh | 35 --- scripts/manifests.py | 90 ------ scripts/pkcs10.py | 100 ------- scripts/rootd.cnf | 30 -- scripts/rootd.sh | 143 --------- scripts/test-pow-tls.py | 61 ---- scripts/timers.sh | 55 ---- scripts/tls-client.py | 27 -- scripts/tls-server.py | 40 --- 35 files changed, 1557 insertions(+), 1606 deletions(-) create mode 100644 scripts/Old/apnic-poke-1.sh create mode 100644 scripts/Old/apnic-poke-1.yaml create mode 100644 scripts/Old/apnic-poke-2.sh create mode 100644 scripts/Old/apnic-poke-2.yaml create mode 100644 scripts/Old/apnic-test-3.tgz create mode 100644 scripts/Old/async-http.py create mode 100644 scripts/Old/biz-certs-setup.sh create mode 100644 scripts/Old/blow-away-databases.sh create mode 100644 scripts/Old/extract-cert-from-rpki.sh create 
mode 100644 scripts/Old/manifests.py create mode 100644 scripts/Old/pkcs10.py create mode 100644 scripts/Old/rootd.cnf create mode 100644 scripts/Old/rootd.sh delete mode 100644 scripts/Old/test-pow-cms.py create mode 100644 scripts/Old/test-pow-tls.py create mode 100644 scripts/Old/timers.sh create mode 100644 scripts/Old/tls-client.py create mode 100644 scripts/Old/tls-server.py delete mode 100644 scripts/apnic-poke-1.sh delete mode 100644 scripts/apnic-poke-1.yaml delete mode 100644 scripts/apnic-poke-2.sh delete mode 100644 scripts/apnic-poke-2.yaml delete mode 100644 scripts/apnic-test-3.tgz delete mode 100644 scripts/async-http.py delete mode 100644 scripts/biz-certs-setup.sh delete mode 100644 scripts/blow-away-databases.sh delete mode 100644 scripts/extract-cert-from-rpki.sh delete mode 100644 scripts/manifests.py delete mode 100644 scripts/pkcs10.py delete mode 100644 scripts/rootd.cnf delete mode 100644 scripts/rootd.sh delete mode 100644 scripts/test-pow-tls.py delete mode 100644 scripts/timers.sh delete mode 100644 scripts/tls-client.py delete mode 100644 scripts/tls-server.py (limited to 'scripts') diff --git a/scripts/Old/apnic-poke-1.sh b/scripts/Old/apnic-poke-1.sh new file mode 100644 index 00000000..bca4a8f6 --- /dev/null +++ b/scripts/Old/apnic-poke-1.sh 
@@ -0,0 +1,112 @@ +#!/bin/sh - +# $Id$ + +# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN") +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# Script to let APNIC test against my server. +# +# This blows away rpkid's database and rebuilds it with what we need +# for this test, and knows far too much about the id numbers that +# rpkid and mysql will assign. In the long run we must do better than +# this, but gotta start somewhere. + +openssl=../openssl/openssl/apps/openssl + +# Halt on first error and show what's happening + +set -ex + +# Generate new key and cert for rootd.py if needed + +if test ! -r rootd.cer -o ! -r rootd.key +then + $openssl req -new -newkey rsa:2048 -nodes -keyout rootd.key -out rootd.req -config rootd.cnf + + $openssl x509 -req -in rootd.req -out rootd.cer -extfile rootd.cnf -extensions req_x509_ext \ + -signkey rootd.key -text -sha256 + + rm -f rootd.req +fi + +# Blow away old rpkid database (!) so we can start clean + +mysql -u rpki -p`awk '$1 == "sql-password" {print $3}' rpkid.conf` rpki >rpkid.log 2>&1 & rpkid=$! 
+ trap "kill $rpkid" 0 1 2 3 13 15 +fi + +# Create a self instance + +python irbe_cli.py self --action create --crl_interval 84600 + +# Create a business signing context, issue the necessary business cert, and set up the cert chain + +python irbe_cli.py --pem_out bsc.req bsc --action create --self_id 1 \ + --generate_keypair --signing_cert biz-certs/Bob-CA.cer + +$openssl x509 -req -in bsc.req -out bsc.cer -CA biz-certs/Bob-CA.cer \ + -CAkey biz-certs/Bob-CA.key -CAserial biz-certs/Bob-CA.srl + +python irbe_cli.py bsc --action set --self_id 1 --bsc_id 1 --signing_cert bsc.cer + +rm -f bsc.req bsc.cer + +# Create a repository context + +python irbe_cli.py repository --self_id 1 --action create --bsc_id 1 + +# Create a parent context pointing at rootd.py + +python irbe_cli.py parent --self_id 1 --action create --bsc_id 1 --repository_id 1 \ + --peer_contact_uri https://localhost:44333/ \ + --cms_ta biz-certs/Elena-Root.cer \ + --https_ta biz-certs/Elena-Root.cer \ + --sia_base rsync://wombat.invalid/ + +# Create a child context + +python irbe_cli.py child --self_id 1 --action create --bsc_id 1 --cms_ta biz-certs/Frank-Root.cer + +# Run the other daemons, arrange for everything to go away on shutdown, +# run initial cron job to set things up, then wait + +if test -n "$STY" +then + screen python rootd.py + screen python irdbd.py +else + python rootd.py >>rootd.log 2>&1 & rootd=$! + python irdbd.py >>irdbd.log 2>&1 & irdbd=$! + trap "kill $rpkid $irdbd $rootd" 0 1 2 3 13 15 +fi + +python cronjob.py + +if test -z "$STY" +then + tail +0f rpkid.log +fi diff --git a/scripts/Old/apnic-poke-1.yaml b/scripts/Old/apnic-poke-1.yaml new file mode 100644 index 00000000..24b80561 --- /dev/null +++ b/scripts/Old/apnic-poke-1.yaml 
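Review bot: With `set -ex` in force, the line `mysql -u rpki -p\`awk '$1 == "sql-password" {print $3}' rpkid.conf\` rpki` prints the expanded rpkid SQL password in the shell's xtrace output and leaves it visible in the process list for as long as the mysql client runs; apnic-poke-2.sh in this commit has the identical line. The cheap fix is to bracket that one command with `set +x` and `set -x`; keeping it out of argv as well would mean a mysql `--defaults-extra-file` holding a `[client]` section with `password=` instead of `-p`. The `--crl_interval 84600` passed to `irbe_cli.py self --action create` looks like a transposition of 86400 (one day) and is repeated in apnic-poke-2.sh; worth confirming. As rendered here the hunk appears to have lost the text between the mysql invocation and the `trap "kill $rpkid"` line, so that stretch could not be reviewed.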
@@ -0,0 +1,28 @@
+---
+# $Id$
+
+version: 1
+posturl: https://adrilankha.hactrn.net:4433/up-down/1
+recipient-id: wombat
+sender-id: "1"
+
+cms-cert-file: biz-certs/Frank-EE.cer
+cms-key-file: biz-certs/Frank-EE.key
+cms-ca-cert-file: biz-certs/Bob-Root.cer
+cms-cert-chain-file: [ biz-certs/Frank-CA.cer ]
+
+ssl-cert-file: biz-certs/Frank-EE.cer
+ssl-key-file: biz-certs/Frank-EE.key
+ssl-ca-cert-file: biz-certs/Bob-Root.cer
+
+requests:
+ list:
+ type: list
+ issue:
+ type: issue
+ class: 1
+ sia: [ "rsync://bandicoot.invalid/some/where/" ]
+ revoke:
+ type: revoke
+ class: 1
+ ski: "CB5K6APY-4KcGAW9jaK_cVPXKX0"
diff --git a/scripts/Old/apnic-poke-2.sh b/scripts/Old/apnic-poke-2.sh
new file mode 100644
index 00000000..87018111
--- /dev/null
+++ b/scripts/Old/apnic-poke-2.sh
@@ -0,0 +1,123 @@ +#!/bin/sh - +# $Id$ + +# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN") +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +openssl=../openssl/openssl/apps/openssl + +# Halt on first error and show what's happening + +set -ex + +# Blow away old rpkid database (!) so we can start clean + +mysql -u rpki -p`awk '$1 == "sql-password" {print $3}' rpkid.conf` rpki >rpkid.log 2>&1 & rpkid=$! 
+ trap "kill $rpkid" 0 1 2 3 13 15 +fi + +# Create a self instance + +python irbe_cli.py self --action create --crl_interval 84600 + +# Create a business signing context, issue the necessary business cert, and set up the cert chain + +python irbe_cli.py --pem_out bsc.req bsc --action create --self_id 1 \ + --generate_keypair --signing_cert biz-certs/Bob-CA.cer +$openssl x509 -req -in bsc.req -out bsc.cer \ + -CA biz-certs/Bob-CA.cer -CAkey biz-certs/Bob-CA.key -CAserial biz-certs/Bob-CA.srl +python irbe_cli.py bsc --action set --self_id 1 --bsc_id 1 --signing_cert bsc.cer +rm -f bsc.req bsc.cer + +# List what's in the BSC, for today's debugging fun + +#python irbe_cli.py bsc --action list --self_id 1 + +# Create a repository context + +python irbe_cli.py repository --self_id 1 --action create --bsc_id 1 + +# Create a parent context pointing at APNIC -- this is where we plug in the values from their YAML + +cat >apnic.pem <<-'EOF' + -----BEGIN CERTIFICATE----- + MIIEFjCCAv6gAwIBAgIBADANBgkqhkiG9w0BAQsFADBJMUcwRQYDVQQDEz5Eb2N1 + bWVudGF0aW9uIFByZWZpeGVzIENNUyBQYXJlbnQgVEEgc2lnbmVyIC0gTm90IGZv + ciByZWFsIHVzZTAeFw0wNzEyMDEwNjMyNDdaFw0xNzExMjgwNjMyNDdaMEkxRzBF + BgNVBAMTPkRvY3VtZW50YXRpb24gUHJlZml4ZXMgQ01TIFBhcmVudCBUQSBzaWdu + ZXIgLSBOb3QgZm9yIHJlYWwgdXNlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB + CgKCAQEAtsRcgBpO7cTN+QGPnBaPtmfdsUZbctrfSBycS3QhwAItzZryqIHN9stP + A+0WEOC4+cfaY9xETqGwbq725p8FRwxUx9NBQS7jrL1ToNCJ+2qSH5ThK2hOQiCT + 3fv2FNJ/7gFFqofWt3mLyNEmnis95pRwzTtqH6ZaAaZk+AzwL77ww8AlwL/qfLtD + mjrsUfoELfkbS4ywFK0orjVKeGvzG8Dx7WiGvwmdhNNJ8/IAZmJC0NI8r9VIfcw3 + 2B7bnDGkKH3E0NNRIajPmLbaNfT0Dxw+BjIC3Ty48o3ghSScqviyThNFyj8cr9SB + Ww8ReAU6v9q4XWRnlZt8Lc9WIsF/MwIDAQABo4IBBzCCAQMwDAYDVR0TBAUwAwEB + /zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFPzZTgRZylsJph8KV9AU3klSgl8r + MHEGA1UdIwRqMGiAFPzZTgRZylsJph8KV9AU3klSgl8roU2kSzBJMUcwRQYDVQQD + Ez5Eb2N1bWVudGF0aW9uIFByZWZpeGVzIENNUyBQYXJlbnQgVEEgc2lnbmVyIC0g + Tm90IGZvciByZWFsIHVzZYIBADBRBgNVHR8ESjBIMEagRKBChkBodHRwOi8vbWly + 
aW4uYXBuaWMubmV0L2RvY3VtZW50YXRpb24tcHJlZml4ZXMvY21zL3BhcmVudC9j + bXMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCNz/BUN5bsAyMPi0X7oKZV/cAwmr2S + gQgIxaUHnQ6EJp4b2CUmlpPQ9pT/m+gPbajaRgUZmANfMF0uAFZpCP3hTRAc6NMH + 3Pwjzw1ICGSRRJASSizYN4hSxGpWW1hgghGTB3w5CjCm2VlwrQKJjb7/9H/gb4hi + RRZpaudithCEDlgkFhgU4uttSDLH2Rv14GtfmtyqDpmCE33STA7K+e9rdxaCqHC8 + u33zqm4oQxOX7wuJ/JxeJxExtZ0amu8yTZ+tDtQ4Iiu1VPl67o0mjYrBKRV4z2fC + wa/PKqombrC/qs+2+t/66mB9xaK1YpKnW2FL6Rjs+rZUJJQ16JhJkF7T + -----END CERTIFICATE----- +EOF + +python irbe_cli.py parent --self_id 1 --action create --bsc_id 1 --repository_id 1 \ + --peer_contact_uri https://mirin.apnic.net/cgi-bin/up-down-parent.cgi \ + --cms_ta apnic.pem \ + --https_ta apnic.pem \ + --sia_base rsync://wombat.invalid/ \ + --recipient_name PARENT \ + --sender_name CHILD + +rm -f apnic.pem + +# Create a child context + +python irbe_cli.py child --self_id 1 --action create --bsc_id 1 --cms_ta biz-certs/Frank-Root.cer + +# Run the other daemons, arrange for everything to go away on shutdown, +# run initial cron job to set things up, then wait + +if test -n "$STY" +then + screen python irdbd.py +else + python irdbd.py >>irdbd.log 2>&1 & irdbd=$! + trap "kill $rpkid $irdbd" 0 1 2 3 13 15 +fi + +python cronjob.py + +if test -z "$STY" +then + tail +0f rpkid.log +fi diff --git a/scripts/Old/apnic-poke-2.yaml b/scripts/Old/apnic-poke-2.yaml new file mode 100644 index 00000000..6ba93729 --- /dev/null +++ b/scripts/Old/apnic-poke-2.yaml 
@@ -0,0 +1,74 @@ +--- +# $Id$ +# +# This sender config file was created by the make_cfg tool +# Account: TELSTRA-AU + +version: 1 +recipient-id: PARENT +sender-id: CHILD + +cms-cert-file: biz-certs/Bob-EE.cer +cms-key-file: biz-certs/Bob-EE.key +cms-cert-chain-file: [ biz-certs/Bob-CA.cer ] + +cms-ca-cert: | + -----BEGIN CERTIFICATE----- + MIIEFjCCAv6gAwIBAgIBADANBgkqhkiG9w0BAQsFADBJMUcwRQYDVQQDEz5Eb2N1 + bWVudGF0aW9uIFByZWZpeGVzIENNUyBQYXJlbnQgVEEgc2lnbmVyIC0gTm90IGZv + ciByZWFsIHVzZTAeFw0wNzEyMDEwNjMyNDdaFw0xNzExMjgwNjMyNDdaMEkxRzBF + BgNVBAMTPkRvY3VtZW50YXRpb24gUHJlZml4ZXMgQ01TIFBhcmVudCBUQSBzaWdu + ZXIgLSBOb3QgZm9yIHJlYWwgdXNlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB + CgKCAQEAtsRcgBpO7cTN+QGPnBaPtmfdsUZbctrfSBycS3QhwAItzZryqIHN9stP + A+0WEOC4+cfaY9xETqGwbq725p8FRwxUx9NBQS7jrL1ToNCJ+2qSH5ThK2hOQiCT + 3fv2FNJ/7gFFqofWt3mLyNEmnis95pRwzTtqH6ZaAaZk+AzwL77ww8AlwL/qfLtD + mjrsUfoELfkbS4ywFK0orjVKeGvzG8Dx7WiGvwmdhNNJ8/IAZmJC0NI8r9VIfcw3 + 2B7bnDGkKH3E0NNRIajPmLbaNfT0Dxw+BjIC3Ty48o3ghSScqviyThNFyj8cr9SB + Ww8ReAU6v9q4XWRnlZt8Lc9WIsF/MwIDAQABo4IBBzCCAQMwDAYDVR0TBAUwAwEB + /zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFPzZTgRZylsJph8KV9AU3klSgl8r + MHEGA1UdIwRqMGiAFPzZTgRZylsJph8KV9AU3klSgl8roU2kSzBJMUcwRQYDVQQD + Ez5Eb2N1bWVudGF0aW9uIFByZWZpeGVzIENNUyBQYXJlbnQgVEEgc2lnbmVyIC0g + Tm90IGZvciByZWFsIHVzZYIBADBRBgNVHR8ESjBIMEagRKBChkBodHRwOi8vbWly + aW4uYXBuaWMubmV0L2RvY3VtZW50YXRpb24tcHJlZml4ZXMvY21zL3BhcmVudC9j + bXMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCNz/BUN5bsAyMPi0X7oKZV/cAwmr2S + gQgIxaUHnQ6EJp4b2CUmlpPQ9pT/m+gPbajaRgUZmANfMF0uAFZpCP3hTRAc6NMH + 3Pwjzw1ICGSRRJASSizYN4hSxGpWW1hgghGTB3w5CjCm2VlwrQKJjb7/9H/gb4hi + RRZpaudithCEDlgkFhgU4uttSDLH2Rv14GtfmtyqDpmCE33STA7K+e9rdxaCqHC8 + u33zqm4oQxOX7wuJ/JxeJxExtZ0amu8yTZ+tDtQ4Iiu1VPl67o0mjYrBKRV4z2fC + wa/PKqombrC/qs+2+t/66mB9xaK1YpKnW2FL6Rjs+rZUJJQ16JhJkF7T + -----END CERTIFICATE----- + +ssl-cert-file: biz-certs/Bob-EE.cer +ssl-key-file: biz-certs/Bob-EE.key + +ssl-ca-cert: | + -----BEGIN CERTIFICATE----- + 
MIIEFjCCAv6gAwIBAgIBADANBgkqhkiG9w0BAQsFADBJMUcwRQYDVQQDEz5Eb2N1 + bWVudGF0aW9uIFByZWZpeGVzIENNUyBQYXJlbnQgVEEgc2lnbmVyIC0gTm90IGZv + ciByZWFsIHVzZTAeFw0wNzEyMDEwNjMyNDdaFw0xNzExMjgwNjMyNDdaMEkxRzBF + BgNVBAMTPkRvY3VtZW50YXRpb24gUHJlZml4ZXMgQ01TIFBhcmVudCBUQSBzaWdu + ZXIgLSBOb3QgZm9yIHJlYWwgdXNlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB + CgKCAQEAtsRcgBpO7cTN+QGPnBaPtmfdsUZbctrfSBycS3QhwAItzZryqIHN9stP + A+0WEOC4+cfaY9xETqGwbq725p8FRwxUx9NBQS7jrL1ToNCJ+2qSH5ThK2hOQiCT + 3fv2FNJ/7gFFqofWt3mLyNEmnis95pRwzTtqH6ZaAaZk+AzwL77ww8AlwL/qfLtD + mjrsUfoELfkbS4ywFK0orjVKeGvzG8Dx7WiGvwmdhNNJ8/IAZmJC0NI8r9VIfcw3 + 2B7bnDGkKH3E0NNRIajPmLbaNfT0Dxw+BjIC3Ty48o3ghSScqviyThNFyj8cr9SB + Ww8ReAU6v9q4XWRnlZt8Lc9WIsF/MwIDAQABo4IBBzCCAQMwDAYDVR0TBAUwAwEB + /zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFPzZTgRZylsJph8KV9AU3klSgl8r + MHEGA1UdIwRqMGiAFPzZTgRZylsJph8KV9AU3klSgl8roU2kSzBJMUcwRQYDVQQD + Ez5Eb2N1bWVudGF0aW9uIFByZWZpeGVzIENNUyBQYXJlbnQgVEEgc2lnbmVyIC0g + Tm90IGZvciByZWFsIHVzZYIBADBRBgNVHR8ESjBIMEagRKBChkBodHRwOi8vbWly + aW4uYXBuaWMubmV0L2RvY3VtZW50YXRpb24tcHJlZml4ZXMvY21zL3BhcmVudC9j + bXMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCNz/BUN5bsAyMPi0X7oKZV/cAwmr2S + gQgIxaUHnQ6EJp4b2CUmlpPQ9pT/m+gPbajaRgUZmANfMF0uAFZpCP3hTRAc6NMH + 3Pwjzw1ICGSRRJASSizYN4hSxGpWW1hgghGTB3w5CjCm2VlwrQKJjb7/9H/gb4hi + RRZpaudithCEDlgkFhgU4uttSDLH2Rv14GtfmtyqDpmCE33STA7K+e9rdxaCqHC8 + u33zqm4oQxOX7wuJ/JxeJxExtZ0amu8yTZ+tDtQ4Iiu1VPl67o0mjYrBKRV4z2fC + wa/PKqombrC/qs+2+t/66mB9xaK1YpKnW2FL6Rjs+rZUJJQ16JhJkF7T + -----END CERTIFICATE----- + +posturl: https://mirin.apnic.net/cgi-bin/up-down-parent.cgi + +requests: + list: + type: list diff --git a/scripts/Old/apnic-test-3.tgz b/scripts/Old/apnic-test-3.tgz new file mode 100644 index 00000000..2d50fe3f Binary files /dev/null and b/scripts/Old/apnic-test-3.tgz differ diff --git a/scripts/Old/async-http.py b/scripts/Old/async-http.py new file mode 100644 index 00000000..5b5fc1cd --- /dev/null +++ b/scripts/Old/async-http.py 
@@ -0,0 +1,529 @@ +""" +Testbed for figuring out how to write asynchronous HTTPS code. + +$Id$ + +Copyright (C) 2009 Internet Systems Consortium ("ISC") + +Permission to use, copy, modify, and distribute this software for any +purpose with or without fee is hereby granted, provided that the above +copyright notice and this permission notice appear in all copies. + +THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +PERFORMANCE OF THIS SOFTWARE. +""" + +# Command that may be useful for testing server side of this: +# +# lynx -post_data -mime_header -source http://127.0.0.1:8000/ +# +# Testing the client side of this is more entertaining, both because +# we need to be liberal in what we accept and also because servers do +# wildly different things depending both on HTTP version number and +# options signaled by the client and also on internal details in the +# server context (such as whether the content is static or generated +# by CGI). It's useful to test against static content, but also to +# test against CGI-generated output, eg, the following trivial script: +# +# print "Content-Type: text/plain; charset=US-ASCII\r" +# print "\r" +# for i in xrange(100): +# print "%08d" % i, "." * 120, "\r" +# +# At least with Apache 2.0, result of running this differs +# significantly depending on whether client signals HTTP 1.0 or 1.1; +# the latter produces chunked output. 
+ +import sys, os, time, socket, asyncore, asynchat, traceback, urlparse +import rpki.async, rpki.sundial + +debug = True + +want_persistent_client = True +want_persistent_server = True + +idle_timeout_default = rpki.sundial.timedelta(seconds = 60) +active_timeout_default = rpki.sundial.timedelta(seconds = 15) + +default_http_version = (1, 1) + +class http_message(object): + + software_name = "BalmyBandicoot HTTP test code" + + def __init__(self, version = None, body = None, headers = None): + self.version = version + self.body = body + self.headers = headers + self.normalize_headers() + + def normalize_headers(self, headers = None): + if headers is None: + headers = () if self.headers is None else self.headers.items() + translate_underscore = True + else: + translate_underscore = False + result = {} + for k,v in headers: + if translate_underscore: + k = k.replace("_", "-") + k = "-".join(s.capitalize() for s in k.split("-")) + v = v.strip() + if k in result: + result[k] += ", " + v + else: + result[k] = v + self.headers = result + + @classmethod + def parse_from_wire(cls, headers): + self = cls() + headers = headers.split("\r\n") + self.parse_first_line(*headers.pop(0).split(None, 2)) + for i in xrange(len(headers) - 2, -1, -1): + if headers[i + 1][0].isspace(): + headers[i] += headers[i + 1] + del headers[i + 1] + self.normalize_headers([h.split(":", 1) for h in headers]) + return self + + def format(self): + s = self.format_first_line() + if self.body is not None: + assert isinstance(self.body, str) + self.headers["Content-Length"] = len(self.body) + for kv in self.headers.iteritems(): + s += "%s: %s\r\n" % kv + s += "\r\n" + if self.body is not None: + s += self.body + return s + + def __str__(self): + return self.format() + + def parse_version(self, version): + if version[:5] != "HTTP/": + raise RuntimeError, "Couldn't parse version %s" % version + self.version = tuple(int(i) for i in version[5:].split(".")) + + def persistent(self): + c = 
self.headers.get("Connection") + if self.version == (1, 1): + return c is None or "close" not in c.lower() + elif self.version == (1, 0): + return c is not None and "keep-alive" in c.lower() + else: + return False + +class http_request(http_message): + + def __init__(self, cmd = None, path = None, version = default_http_version, body = None, callback = None, **headers): + if cmd is not None and cmd != "POST" and body is not None: + raise RuntimeError + http_message.__init__(self, version = version, body = body, headers = headers) + self.cmd = cmd + self.path = path + self.callback = callback + + def parse_first_line(self, cmd, path, version): + self.parse_version(version) + self.cmd = cmd + self.path = path + + def format_first_line(self): + self.headers.setdefault("User-Agent", self.software_name) + return "%s %s HTTP/%d.%d\r\n" % (self.cmd, self.path, self.version[0], self.version[1]) + +class http_response(http_message): + + def __init__(self, code = None, reason = None, version = default_http_version, body = None, **headers): + http_message.__init__(self, version = version, body = body, headers = headers) + self.code = code + self.reason = reason + + def parse_first_line(self, version, code, reason): + self.parse_version(version) + self.code = int(code) + self.reason = reason + + def format_first_line(self): + self.headers.setdefault("Date", time.strftime("%a, %d %b %Y %T GMT")) + self.headers.setdefault("Server", self.software_name) + return "HTTP/%d.%d %s %s\r\n" % (self.version[0], self.version[1], self.code, self.reason) + +def logger(self, msg): + if debug: + print "[%s %r: %s]" % (rpki.sundial.now().strftime("%T"), self, msg) + +class http_stream(asynchat.async_chat): + + log = logger + + idle_timeout = idle_timeout_default + active_timeout = active_timeout_default + + def __init__(self, conn = None): + asynchat.async_chat.__init__(self, conn = conn) + self.buffer = [] + self.timer = rpki.async.timer(self.handle_timeout) + self.restart() + + def 
restart(self, idle = True): + assert not self.buffer + self.chunk_handler = None + self.set_terminator("\r\n\r\n") + timeout = self.idle_timeout if idle else self.active_timeout + if timeout is not None: + self.timer.set(timeout) + else: + self.timer.cancel() + + def update_active_timeout(self): + if self.active_timeout is not None: + self.timer.set(self.active_timeout) + else: + self.timer.cancel() + + def collect_incoming_data(self, data): + """Buffer the data""" + self.buffer.append(data) + self.update_active_timeout() + + def get_buffer(self): + val = "".join(self.buffer) + self.buffer = [] + return val + + def found_terminator(self): + self.update_active_timeout() + if self.chunk_handler: + self.chunk_handler() + elif not isinstance(self.get_terminator(), str): + self.handle_body() + else: + self.log("Got headers") + self.msg = self.parse_type.parse_from_wire(self.get_buffer()) + if self.msg.version == (1, 1) and "chunked" in self.msg.headers.get("Transfer-Encoding", "").lower(): + self.msg.body = [] + self.chunk_handler = self.chunk_header + self.set_terminator("\r\n") + elif "Content-Length" in self.msg.headers: + self.set_terminator(int(self.msg.headers["Content-Length"])) + else: + self.handle_no_content_length() + + def chunk_header(self): + n = int(self.get_buffer().partition(";")[0], 16) + self.log("Chunk length %s" % n) + if n: + self.chunk_handler = self.chunk_body + self.set_terminator(n) + else: + self.msg.body = "".join(self.msg.body) + self.chunk_handler = self.chunk_discard_trailer + + def chunk_body(self): + self.log("Chunk body") + self.msg.body += self.buffer + self.buffer = [] + self.chunk_handler = self.chunk_discard_crlf + self.set_terminator("\r\n") + + def chunk_discard_crlf(self): + self.log("Chunk CRLF") + s = self.get_buffer() + assert s == "", "Expected chunk CRLF, got '%s'" % s + self.chunk_handler = self.chunk_header + + def chunk_discard_trailer(self): + self.log("Chunk trailer") + s = self.get_buffer() + assert s == "", "Expected 
end of chunk trailers, got '%s'" % s + self.chunk_handler = None + self.handle_message() + + def handle_body(self): + self.msg.body = self.get_buffer() + self.handle_message() + + def handle_error(self): + self.log("Error in HTTP stream handler") + print traceback.format_exc() + asyncore.close_all() + + def handle_timeout(self): + self.log("Timeout, closing") + self.close() + + def handle_close(self): + asynchat.async_chat.handle_close(self) + self.timer.cancel() + self.log("Closed") + +class http_server(http_stream): + + parse_type = http_request + + def __init__(self, conn, handlers): + self.handlers = handlers + http_stream.__init__(self, conn) + self.expect_close = not want_persistent_server + + def handle_no_content_length(self): + self.handle_message() + + def find_handler(self, path): + """Helper method to search self.handlers.""" + for s, h in self.handlers: + if path.startswith(s): + return h + return None + + def handle_message(self): + if not self.msg.persistent(): + self.expect_close = True + handler = self.find_handler(self.msg.path) + error = None + if False and self.msg.cmd != "POST": + error = 501, "No handler for method %s" % self.msg.cmd + elif False and self.headers["Content-Type"] != rpki_content_type: + error = 415, "No handler for Content-Type %s" % self.headers["Content-Type"] + elif handler is None: + error = 404, "No handler for URL %s" % self.msg.path + if error is None: + handler(self.msg, self.send_message) + else: + self.send_error(*error) + + def send_error(self, code, reason): + self.handle_message_message(http_response(code = code, reason = reason)) + + def send_message(self, msg): + msg.headers["Connection"] = "Close" if self.expect_close else "Keep-Alive" + self.push(msg.format()) + if self.expect_close: + self.log("Closing") + self.timer.cancel() + self.close_when_done() + else: + self.log("Listening for next message") + self.restart() + +class http_listener(asyncore.dispatcher): + + log = logger + + def __init__(self, handlers, 
port = 80, host = ""): + asyncore.dispatcher.__init__(self) + self.handlers = handlers + self.create_socket(socket.AF_INET, socket.SOCK_STREAM) + self.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) + self.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1) + self.bind((host, port)) + self.listen(5) + self.log("Listening on (host, port) %r, handlers %r" % ((host, port), handlers)) + + def handle_accept(self): + self.log("Accepting connection") + server = http_server(conn = self.accept()[0], handlers = self.handlers) + + def handle_error(self): + self.log("Error in HTTP listener") + print traceback.format_exc() + asyncore.close_all() + +class http_client(http_stream): + + parse_type = http_response + + def __init__(self, queue, hostport): + self.log("Creating new connection to %s" % repr(hostport)) + http_stream.__init__(self) + self.queue = queue + self.state = "idle" + self.expect_close = not want_persistent_client + self.create_socket(socket.AF_INET, socket.SOCK_STREAM) + self.connect(hostport) + + def handle_no_content_length(self): + self.set_terminator(None) + + def send_request(self, msg): + self.log("Sending request") + assert self.state == "idle" + if msg is not None: + self.state = "request-sent" + msg.headers["Connection"] = "Close" if self.expect_close else "Keep-Alive" + self.push(msg.format()) + self.restart(idle = False) + + def handle_message(self): + if not self.msg.persistent(): + self.expect_close = True + self.log("Message received, state %s" % self.state) + msg = None + if self.state == "request-sent": + msg = self.queue.done_with_request() + elif self.state == "idle": + self.log("Received unsolicited message") + elif self.state == "closing": + assert not self.msg.body + self.log("Ignoring empty response received while closing") + return + else: + raise RuntimeError, "[%r: Unexpected state]" % self + self.state = "idle" + if msg != None: + msg.callback(self.msg) + msg = self.queue.next_request(not self.expect_close) + if msg is not None: 
+ self.log("Got a new message to send from my queue") + self.send_request(msg) + elif self.expect_close: + self.log("Closing") + self.state = "closing" + self.queue.closing(self) + self.close_when_done() + else: + self.log("Idling") + self.timer.set(self.idle_timeout) + + def handle_connect(self): + self.log("Connected") + self.send_request(self.queue.next_request(True)) + + def kickstart(self): + self.log("Kickstart") + assert self.state == "idle" + self.send_request(self.queue.next_request(True)) + + def handle_close(self): + http_stream.handle_close(self) + self.queue.closing(self) + if self.get_terminator() is None: + self.handle_body() + +class http_queue(object): + + log = logger + + def __init__(self, hostport): + self.log("Creating queue for %s" % repr(hostport)) + self.hostport = hostport + self.client = None + self.queue = [] + + def request(self, *requests): + self.log("Adding requests %r" % requests) + need_kick = self.client is not None and not self.queue + self.queue.extend(requests) + if self.client is None: + self.client = http_client(self, self.hostport) + elif need_kick: + self.client.kickstart() + + def done_with_request(self): + req = self.queue.pop(0) + self.log("Dequeuing request %r" % req) + return req + + def next_request(self, usable): + if not self.queue: + self.log("Queue is empty") + return None + self.log("Queue: %r" % self.queue) + if usable: + self.log("Queue not empty and connection usable") + return self.queue[0] + else: + self.log("Queue not empty but connection not usable, spawning") + self.client = http_client(self, self.hostport) + self.log("Spawned connection %r" % self.client) + return None + + def closing(self, client): + if client is self.client: + self.log("Removing client") + self.client = None + +class http_manager(dict): + + log = logger + + def query(self, url, callback, body = None): + u = urlparse.urlparse(url) + assert u.scheme == "http" and u.username is None and u.password is None and u.params == "" and u.query == 
"" and u.fragment == "" + request = http_request(cmd = "POST", path = u.path, body = body, callback = callback, + Host = u.hostname, Content_Type = "text/plain") + hostport = (u.hostname or "localhost", u.port or 80) + self.log("Created request %r for %r" % (request, hostport)) + if hostport not in self: + self[hostport] = http_queue(hostport) + self[hostport].request(request) + + def __repr__(self): + return "<%s object at %s>" % (self.__class__.__name__, id(self)) + +def client(msg, url, timeout = 300, callback = None): + pass + +def server(handlers, port, host =""): + if not isinstance(handlers, (tuple, list)): + handlers = (("/", handlers),) + listener = http_listener(port = 8000, handlers = handlers) + rpki.async.event_loop() + +if len(sys.argv) == 1: + + def handler(query_message, reply_callback): + reply_callback(http_response( + code = 200, + reason = "OK", + body = str(query_message), + Cache_Control = "no-cache,no-store", + Content_Type = "text/plain")) + + def other_handler(query_message, reply_callback): + reply_callback(http_response( + code = 200, + reason = "OK", + body = "Ok, you found it.\r\n\r\n" + str(query_message), + Cache_Control = "no-cache,no-store", + Content_Type = "text/plain")) + + server(port = 8000, handlers = (("/wombat", other_handler), ("/", handler))) + +else: + + def got_one(msg): + logger(None, "Got response") + if True: + print msg + print + + manager = http_manager() + + timer = rpki.async.timer() + + def loop(iterator, url): + logger(None, "Scheduler loop") + manager.query(url = url, callback = got_one, body = "Hi, I'm trying to talk to URL %s" % url) + timer.set(rpki.sundial.timedelta(seconds = 3)) + + def done(): + logger(None, "Scheduler done") + + timer.set_handler(rpki.async.iterator(sys.argv[1:], loop, done)) + + rpki.async.event_loop() + + for q in manager.values(): + assert not q.queue, "Requests still scheduled: %r %r %r" % (q, q.hostport, q.queue) + + assert not rpki.async.timer.queue, "Timers still scheduled: %r" % 
rpki.async.timer.queue diff --git a/scripts/Old/biz-certs-setup.sh b/scripts/Old/biz-certs-setup.sh new file mode 100644 index 00000000..64ebd7d8 --- /dev/null +++ b/scripts/Old/biz-certs-setup.sh 
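Review bot: `http_server.send_error` calls `self.handle_message_message(...)`, a method defined on no class in this file, so the 404 branch of `handle_message` (taken whenever `find_handler` returns None) raises AttributeError; that lands in `http_stream.handle_error`, which calls `asyncore.close_all()` and so drops every open connection because of one request for an unknown path. The intended call is presumably `self.send_message(http_response(code = code, reason = reason))`. Separately, `server()` ignores its `port` and `host` parameters and hard-codes `http_listener(port = 8000, handlers = handlers)`; it should pass `port = port, host = host`. On the receive side, `found_terminator` and `chunk_header` hand `int(self.msg.headers["Content-Length"])` and the hex chunk length straight to `set_terminator` with no upper bound, so the peer decides how much the stream buffers; a sanity cap on both, closing the connection when it is exceeded, would be a cheap defence for code that also runs as a server.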
@@ -0,0 +1,81 @@
+#!/bin/sh -
+# $Id$
+
+# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# Quick hack to generate a set of business keys and certs for use with
+# early prototype code. Not for production use.
+#
+# All we're trying to do here is generate a three-level-deep set of
+# certs for each of several independent entities. Could easily be
+# deeper in practice but this should be enough for simple tests: a
+# self-signed root cert to use as a trust anchor, a working CA, and an
+# EE cert used for CMS or TLS.
+#
+# Among other things missing here, we're not doing any restrictions
+# beyond basicConstraints and we're not doing CRLs.
+#
+# One can extract the public key from a .key file by doing:
+#
+# $ openssl rsa -in foo.key -pubout
+#
+# I ended up needing this to build simulated packets for the
+# left-right protocol.
+
+for i in Alice Bob Carol Dave Elena Frank Ginny Harry
+do
+ for j in Root CA EE
+ do
+
+ case $j in
+ EE) ca=false;;
+ *) ca=true;;
+ esac
+
+ test -r $i-$j.cnf || cat >$i-$j.cnf <<-EOF
+
+ [ req ]
+ distinguished_name = req_dn
+ x509_extensions = req_x509_ext
+ prompt = no
+ default_md = sha256
+
+ [ req_dn ]
+ CN = Test Certificate $i $j
+
+ [ req_x509_ext ]
+ basicConstraints = CA:$ca
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid:always
+
+ EOF
+
+ test -r $i-$j.key || openssl genrsa -out $i-$j.key 2048
+ test -r $i-$j.req || openssl req -new -sha256 -key $i-$j.key -out $i-$j.req -config $i-$j.cnf
+
+ done
+
+ test -r $i-Root.cer || openssl x509 -sha256 -req -in $i-Root.req -out $i-Root.cer -extfile $i-Root.cnf -extensions req_x509_ext -signkey $i-Root.key -days 60
+ test -r $i-CA.cer || openssl x509 -sha256 -req -in $i-CA.req -out $i-CA.cer -extfile $i-CA.cnf -extensions req_x509_ext -CA $i-Root.cer -CAkey $i-Root.key -CAcreateserial
+ test -r $i-EE.cer || openssl x509 -sha256 -req -in $i-EE.req -out $i-EE.cer -extfile $i-EE.cnf -extensions req_x509_ext -CA $i-CA.cer -CAkey $i-CA.key -CAcreateserial
+
+done
+
+for i in *.cer
+do
+ h=`openssl x509 -noout -hash -in $i`.0
+ test -r $h ||
+ ln -s $i $h
+done
diff --git a/scripts/Old/blow-away-databases.sh b/scripts/Old/blow-away-databases.sh
new file mode 100644
index 00000000..44df7861
--- /dev/null
+++ b/scripts/Old/blow-away-databases.sh
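Review bot: The hash-link loop at the end, `h=\`openssl x509 -noout -hash -in $i\`.0` followed by `test -r $h || ln -s $i $h`, only ever tries the `.0` suffix, so two certificates whose subject names hash to the same value leave the second one silently missing from the lookup directory, and a re-run after a certificate has been regenerated keeps the stale link because `test -r $h` still succeeds. OpenSSL's `c_rehash` handles both the collision suffixes and the refresh; if the hand-written loop stays, compare the existing link target with `$i` before skipping. The unencrypted keys and the default validity on the CA and EE certificates are consistent with the "not for production" note in the header, so nothing to change there.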
@@ -0,0 +1,29 @@
+#!/bin/sh -
+# $Id$
+
+# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# GRANT ALL ON rpki.* TO rpki@localhost IDENTIFIED BY '';
+# GRANT ALL ON irdb.* TO irdb@localhost IDENTIFIED BY '';
+
+echo "This script destroys and rebuilds our databases."
+echo "Don't type the password unless you're sure you want to do this."
+
+(echo 'DROP DATABASE rpki; CREATE DATABASE rpki; USE rpki;'
+ cat ../docs/rpki-db-schema.sql
+ echo 'DROP DATABASE irdb; CREATE DATABASE irdb; USE irdb;'
+ cat ../docs/sample-irdb.sql
+) |
+mysql -u root -p
diff --git a/scripts/Old/extract-cert-from-rpki.sh b/scripts/Old/extract-cert-from-rpki.sh
new file mode 100644
index 00000000..3d28bfdb
--- /dev/null
+++ b/scripts/Old/extract-cert-from-rpki.sh
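Review bot: The relative paths in `cat ../docs/rpki-db-schema.sql` and `cat ../docs/sample-irdb.sql` resolve against the working directory, and after the move from scripts/ to scripts/Old/ they presumably no longer reach the repository's docs directory when the script is run from its new location; the same applies to `python ../rpkid.py` and `python ../irbe-cli.py` in extract-cert-from-rpki.sh and to `openssl=../openssl/openssl/apps/openssl` in rootd.sh. If these scripts are meant to stay runnable, anchor the paths to the script's own location (`cd "$(dirname "$0")/../.."` at the top, or an explicit base variable) or say in the header which directory they must be run from. Piping DROP DATABASE statements into `mysql -u root -p` behind two echo lines is acceptable for a throwaway development script, but the warning should name the databases (rpki and irdb) that are about to be destroyed so the operator can tell which instance they are pointed at.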
@@ -0,0 +1,35 @@
+#!/bin/sh -
+# $Id$
+
+# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+: ${instance=R0}
+
+python ../rpkid.py -c $instance.conf &
+rpkid=$!
+
+python ../irbe-cli.py -c $instance.conf bsc --self_id 1 --action list |
+qh 2>/dev/null |
+awk '
+ /\(signing_cert/ {p = 1}
+ /\)signing_cert/ {p = 0}
+ p && /^-/ {
+ sub(/-/,"");
+ cmd = "mimencode -u | openssl x509 -text -inform DER -out " NR ".pem";
+ print | cmd;
+ }
+'
+
+kill $rpkid
diff --git a/scripts/Old/manifests.py b/scripts/Old/manifests.py
new file mode 100644
index 00000000..df8bc2d4
--- /dev/null
+++ b/scripts/Old/manifests.py
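Review bot: `kill $rpkid` on the last line is the only cleanup for the backgrounded `python ../rpkid.py`, so if the irbe-cli/qh/awk pipeline fails or the script is interrupted the daemon is left running and keeps its listening socket; install the cleanup as a trap right after `rpkid=$!`, e.g. `trap 'kill $rpkid' 0 1 2 15`. `qh 2>/dev/null` also discards any parse error, which then surfaces only as an empty set of .pem files, so a comment explaining why stderr is suppressed would help. The awk body builds its shell command from `NR` alone, so there is no injection path there.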
@@ -0,0 +1,90 @@ +# $Id$ + +# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN") +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +import time, glob, os +import rpki.x509, rpki.manifest, rpki.sundial + +show_content_1 = False +show_signed_manifest_PEM = False +show_signed_manifest_asn1dump = True +show_content_2 = False +show_content_3 = False +dump_signed_manifest_DER = False +dump_manifest_content_DER = False +test_empty_manifest = False + +def dumpasn1(thing): + # Save to file rather than using popen4() because dumpasn1 uses + # seek() when decoding ASN.1 content nested in OCTET STRING values. 
+ try: + fn = "dumpasn1.tmp" + f = open(fn, "w") + f.write(thing) + f.close() + f = os.popen("dumpasn1 2>&1 -a " + fn) + print "\n".join(x for x in f.read().splitlines() if x.startswith(" ")) + f.close() + finally: + os.unlink(fn) + +if test_empty_manifest: + names_and_objs = [] +else: + names_and_objs = [(fn, rpki.x509.X509(Auto_file = fn)) for fn in glob.glob("resource-cert-samples/*.cer")] + +now = rpki.sundial.datetime.utcnow() + +m = rpki.x509.SignedManifest() +m.build( + serial = 17, + thisUpdate = now, + nextUpdate = now + rpki.sundial.timedelta(days = 1), + names_and_objs = names_and_objs, + keypair = rpki.x509.RSA(Auto_file = "biz-certs/Alice-EE.key"), + certs = rpki.x509.X509_chain(Auto_files = ("biz-certs/Alice-EE.cer", "biz-certs/Alice-CA.cer"))) + +if show_content_1: + dumpasn1(m.get_content().toString()) + +if show_signed_manifest_PEM: + print m.get_PEM() + +if dump_manifest_content_DER: + f = open("manifest-content.der", "wb") + f.write(m.get_content().toString()) + f.close() + +if dump_signed_manifest_DER: + f = open("signed-manifest.der", "wb") + f.write(m.get_DER()) + f.close() + +if show_signed_manifest_asn1dump: + dumpasn1(m.get_DER()) + +n = rpki.x509.SignedManifest(DER = m.get_DER()) + +n.verify(ta = rpki.x509.X509(Auto_file = "biz-certs/Alice-Root.cer")) + +if show_content_2: + dumpasn1(n.get_content().toString()) + +assert m.get_content().toString() == n.get_content().toString() +assert m.get_content().get() == n.get_content().get() + +if show_content_3: + print + print n.get_content().get() diff --git a/scripts/Old/pkcs10.py b/scripts/Old/pkcs10.py new file mode 100644 index 00000000..386229f2 --- /dev/null +++ b/scripts/Old/pkcs10.py 
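Review bot: In dumpasn1 the `finally: os.unlink(fn)` runs even when `open(fn, "w")` itself failed, so the OSError from unlinking a file that was never created masks the original error; the fixed name `dumpasn1.tmp` in the working directory also means two concurrent runs clobber each other's input. Creating the file with `tempfile.mkstemp` and entering the try only once it exists fixes both (requires `import tempfile` alongside the existing `import time, glob, os`). The `os.popen("dumpasn1 2>&1 -a " + fn)` command is built only from that generated name, so there is no injection concern, but the same unclosed-handle pattern recurs in the `f = open(..., "wb")` branches further down the module.
```python
def dumpasn1(thing):
  # Save to file rather than using popen4() because dumpasn1 uses
  # seek() when decoding ASN.1 content nested in OCTET STRING values.
  fd, fn = tempfile.mkstemp(suffix = ".der")
  try:
    try:
      os.write(fd, thing)
    finally:
      os.close(fd)
    f = os.popen("dumpasn1 2>&1 -a " + fn)
    print "\n".join(x for x in f.read().splitlines() if x.startswith(" "))
    f.close()
  finally:
    os.unlink(fn)
```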
@@ -0,0 +1,100 @@ +# $Id$ + +# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN") +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +import POW.pkix, glob, os +import rpki.x509, rpki.resource_set, rpki.oids + +parse_test = False +generate_test = True + +parse_extensions = True +show_attributes = False +show_algorithm = False +do_verify = True +show_signature = False +show_publickey = False + +def hexify(thing): + return ":".join(["%02X" % ord(i) for i in thing]) + +if parse_test: + + for name in glob.glob("resource-cert-samples/*.req") + glob.glob("biz-certs/*.req"): + pkcs10 = rpki.x509.PKCS10(Auto_file = name).get_POWpkix() + + print "[", name, "]" + + if show_algorithm: + print pkcs10.signatureAlgorithm + print + print pkcs10.signatureAlgorithm.get() + print + + if show_signature: + print pkcs10.signatureValue, hexify(pkcs10.signatureValue.get()) + print + + if show_publickey: + print pkcs10.certificationRequestInfo.subjectPublicKeyInfo + print pkcs10.certificationRequestInfo.subjectPublicKeyInfo.get() + print hexify(pkcs10.certificationRequestInfo.subjectPublicKeyInfo.toString()) + print + + if show_attributes: + print pkcs10.certificationRequestInfo.attributes.oid, pkcs10.certificationRequestInfo.attributes.oid.get() + print + print pkcs10.certificationRequestInfo.attributes.val, 
pkcs10.certificationRequestInfo.attributes.val.get() + print + print pkcs10.certificationRequestInfo.attributes.val.choice, pkcs10.certificationRequestInfo.attributes.val.choices + print + print pkcs10.certificationRequestInfo.attributes.val.choices[pkcs10.certificationRequestInfo.attributes.val.choice] + print + print len(pkcs10.certificationRequestInfo.attributes.val.choices[pkcs10.certificationRequestInfo.attributes.val.choice]) + print + if len(pkcs10.certificationRequestInfo.attributes.val.choices[pkcs10.certificationRequestInfo.attributes.val.choice]) > 0: + print pkcs10.certificationRequestInfo.attributes.val.choices[pkcs10.certificationRequestInfo.attributes.val.choice][0] + print + + if parse_extensions: + + exts = pkcs10.getExtensions() + + bag = rpki.resource_set.parse_extensions(exts) + if bag.as: print "ASN =", bag.as + if bag.v4: print "IPv4 =", bag.v4 + if bag.v6: print "IPv6 =", bag.v6 + + for oid, crit, val in exts: + if oid in (rpki.oids.name2oid["sbgp-ipAddrBlock"], + rpki.oids.name2oid["sbgp-autonomousSysNum"]): + continue + if isinstance(val, str): + val = hexify(val) + print POW.pkix.oid2obj(oid), oid, "=", val + + if do_verify: + print + print "Signature verification: %s" % pkcs10.verify() + + print + +if generate_test: + keypair = rpki.x509.RSA() + keypair.generate() + pkcs10 = rpki.x509.PKCS10.create(keypair) + f = os.popen("openssl req -text -config /dev/null", "w") + f.write(pkcs10.get_PEM()) + f.close() diff --git a/scripts/Old/rootd.cnf b/scripts/Old/rootd.cnf new file mode 100644 index 00000000..1e400c04 --- /dev/null +++ b/scripts/Old/rootd.cnf 
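Review bot: `if bag.as: print "ASN =", bag.as` in the parse_extensions branch does not parse on Python 2.6 or later, where `as` is a reserved word, so the whole module fails with a SyntaxError at compile time even though the branch is gated behind `parse_test = False`; `getattr(bag, "as")` sidesteps it if the attribute in rpki.resource_set cannot be renamed. The long `pkcs10.certificationRequestInfo.attributes.val.choices[...]` chain under show_attributes would read more easily bound once to a local, e.g. `attrs = pkcs10.certificationRequestInfo.attributes.val`. The generate_test branch writing the PEM into `openssl req -text -config /dev/null` is fine.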
@@ -0,0 +1,30 @@
+# $Id$
+#
+# Generate test root resource certificate for use with rootd.py server.
+
+[ req ]
+default_bits = 2048
+encrypt_key = no
+distinguished_name = req_dn
+req_extensions = req_x509_ext
+prompt = no
+
+[ req_dn ]
+CN = Completely Bogus Test Root (NOT FOR PRODUCTION USE)
+
+[ req_x509_ext ]
+basicConstraints = critical,CA:true
+subjectKeyIdentifier = hash
+keyUsage = critical,keyCertSign,cRLSign
+subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombat.invalid/
+sbgp-autonomousSysNum = critical,@req_asid_ext
+sbgp-ipAddrBlock = critical,@req_addr_ext
+
+[ req_asid_ext ]
+
+AS.0 = 1-65535
+
+[ req_addr_ext ]
+
+IPv4.0 = 0.0.0.0/0
+IPv6.0 = 0::/0
diff --git a/scripts/Old/rootd.sh b/scripts/Old/rootd.sh
new file mode 100644
index 00000000..73411a16
--- /dev/null
+++ b/scripts/Old/rootd.sh
@@ -0,0 +1,143 @@ +#!/bin/sh - +# $Id$ + +# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN") +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# Script to test against rootd.py. +# +# This blows away rpkid's database and rebuilds it with what we need +# for this test, and knows far too much about the id numbers that +# rpkid and mysql will assign. In the long run we must do better than +# this, but gotta start somewhere. + +openssl=../openssl/openssl/apps/openssl + +# Halt on first error + +set -e + +# Generate new key and cert for rootd.py if needed + +if test ! -r rootd.cer -o ! -r rootd.key +then + $openssl req -new -newkey rsa:2048 -nodes -keyout rootd.key -out rootd.req -config rootd.cnf + $openssl x509 -req -in rootd.req -out rootd.cer -extfile rootd.cnf -extensions req_x509_ext -signkey rootd.key -text -sha256 + rm -f rootd.req +fi + +# Blow away old rpkid database (!) 
so we can start clean + +mysql -u rpki -p`awk '$1 == "sql-password" {print $3}' rpkid.conf` rpki >==; + s=/u/sra/rpki/subvert-rpki.hactrn.net/[a-z]*/rpki/==; + s= timedelta([0-9, ]*)==; + s= None = =; + s= at = =; + s= to from = from = + ' | +awk ' + BEGIN { + SUBSEP = "<"; + } + { + #print; + state[$1, $5] = $3; + } + /Creating/ { + created[$1, $5] = $NF; + } + END { + for (i in state) + print i, state[i], created[i]; + } + ' | +sort diff --git a/scripts/Old/tls-client.py b/scripts/Old/tls-client.py new file mode 100644 index 00000000..ef879a5c --- /dev/null +++ b/scripts/Old/tls-client.py @@ -0,0 +1,27 @@ +# $Id$ + +import socket, POW, time + +key = POW.pemRead(POW.RSA_PRIVATE_KEY, open("Carol.key", "r").read()) +cer = POW.pemRead(POW.X509_CERTIFICATE, open("Carol.cer", "r").read()) +ta = POW.pemRead(POW.X509_CERTIFICATE, open("Alice-TA.cer", "r").read()) + +s = socket.socket() +s.connect(('',6666)) + +ssl = POW.Ssl(POW.TLSV1_CLIENT_METHOD) + +ssl.useCertificate(cer) +ssl.useKey(key) +ssl.setVerifyMode(POW.SSL_VERIFY_PEER | POW.SSL_VERIFY_FAIL_IF_NO_PEER_CERT) +ssl.trustCertificate(ta) + +ssl.setFd(s.fileno()) +ssl.connect() + +peer = ssl.peerCertificate() +if peer is not None: + print peer.pprint() + +print ssl.read(100) +ssl.write("Bye") diff --git a/scripts/Old/tls-server.py b/scripts/Old/tls-server.py new file mode 100644 index 00000000..d3798a32 --- /dev/null +++ b/scripts/Old/tls-server.py 
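Review bot: The MySQL password is passed on the command line in `mysql -u rpki -p\`awk '$1 == "sql-password" {print $3}' rpkid.conf\` rpki`, which exposes it to every local user through the process list for as long as the load runs; a `--defaults-extra-file` pointing at a mode-0600 file (or letting mysql prompt, as blow-away-databases.sh does) avoids that. The remainder of this hunk appears garbled on this page (the redirections and sed script around the database load are missing), so the daemon start-up and the pipeline after it could not be reviewed. rootd.sh's header says the script knows the ids rpkid and mysql will assign; a comment on the lines that depend on those ids would make that coupling easier to find when it breaks.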
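Review bot: `s.connect(('',6666))` relies on the platform's handling of an empty host in connect(), which is not portable; spell the peer out as `s.connect(('127.0.0.1', 6666))` so the intended endpoint is explicit. The verify mode `POW.SSL_VERIFY_PEER | POW.SSL_VERIFY_FAIL_IF_NO_PEER_CERT` with `ssl.trustCertificate(ta)` requires the server to present a certificate chaining to Alice-TA, but no check of the peer's name against that certificate is visible here, so unless POW performs one internally any certificate under that TA is accepted — fine for a two-party test, but worth a comment saying so. The `open("Carol.key", "r").read()` style calls never close their handles; `with open(...) as f:` or an explicit close would tidy that.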
@@ -0,0 +1,40 @@ +# $Id$ + +import socket, POW, time + +key = POW.pemRead(POW.RSA_PRIVATE_KEY, open("Alice.key", "r").read()) +cer = POW.pemRead(POW.X509_CERTIFICATE, open("Alice.cer", "r").read()) +ta = POW.pemRead(POW.X509_CERTIFICATE, open("Carol-TA.cer", "r").read()) + +listener = socket.socket() +listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) +listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1) +listener.bind(('',6666)) +listener.listen(5) + +s, addr = listener.accept() +while not s: + time.sleep(2) + s, addr = listener.accept() + +s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) +s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1) + +print "Got connection %r from %r" % (s, addr) + +ssl = POW.Ssl(POW.TLSV1_SERVER_METHOD) + +ssl.useCertificate(cer) +ssl.useKey(key) +ssl.setVerifyMode(POW.SSL_VERIFY_PEER | POW.SSL_VERIFY_FAIL_IF_NO_PEER_CERT) +ssl.trustCertificate(ta) + +ssl.setFd(s.fileno()) +ssl.accept() + +peer = ssl.peerCertificate() +if peer is not None: + print peer.pprint() + +ssl.write("Hello, TLS") +print ssl.read(100) diff --git a/scripts/apnic-poke-1.sh b/scripts/apnic-poke-1.sh deleted file mode 100644 index bca4a8f6..00000000 --- a/scripts/apnic-poke-1.sh +++ /dev/null 
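Review bot: The `while not s:` loop after `s, addr = listener.accept()` is dead code: accept() blocks and returns a socket object, which is always truthy, so the `time.sleep(2)` and second accept() never execute; either drop the loop or make it a real retry on `socket.error` if that was the intent. The two `s.setsockopt(...)` calls on the accepted socket have no effect either — SO_REUSEADDR/SO_REUSEPORT matter only on the listening socket before bind(), where they are already set. As in tls-client.py, the key and certificate handles opened with `open(...).read()` are never closed.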
@@ -1,112 +0,0 @@ -#!/bin/sh - -# $Id$ - -# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN") -# -# Permission to use, copy, modify, and distribute this software for any -# purpose with or without fee is hereby granted, provided that the above -# copyright notice and this permission notice appear in all copies. -# -# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH -# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -# PERFORMANCE OF THIS SOFTWARE. - -# Script to let APNIC test against my server. -# -# This blows away rpkid's database and rebuilds it with what we need -# for this test, and knows far too much about the id numbers that -# rpkid and mysql will assign. In the long run we must do better than -# this, but gotta start somewhere. - -openssl=../openssl/openssl/apps/openssl - -# Halt on first error and show what's happening - -set -ex - -# Generate new key and cert for rootd.py if needed - -if test ! -r rootd.cer -o ! -r rootd.key -then - $openssl req -new -newkey rsa:2048 -nodes -keyout rootd.key -out rootd.req -config rootd.cnf - - $openssl x509 -req -in rootd.req -out rootd.cer -extfile rootd.cnf -extensions req_x509_ext \ - -signkey rootd.key -text -sha256 - - rm -f rootd.req -fi - -# Blow away old rpkid database (!) so we can start clean - -mysql -u rpki -p`awk '$1 == "sql-password" {print $3}' rpkid.conf` rpki >rpkid.log 2>&1 & rpkid=$! 
- trap "kill $rpkid" 0 1 2 3 13 15 -fi - -# Create a self instance - -python irbe_cli.py self --action create --crl_interval 84600 - -# Create a business signing context, issue the necessary business cert, and set up the cert chain - -python irbe_cli.py --pem_out bsc.req bsc --action create --self_id 1 \ - --generate_keypair --signing_cert biz-certs/Bob-CA.cer - -$openssl x509 -req -in bsc.req -out bsc.cer -CA biz-certs/Bob-CA.cer \ - -CAkey biz-certs/Bob-CA.key -CAserial biz-certs/Bob-CA.srl - -python irbe_cli.py bsc --action set --self_id 1 --bsc_id 1 --signing_cert bsc.cer - -rm -f bsc.req bsc.cer - -# Create a repository context - -python irbe_cli.py repository --self_id 1 --action create --bsc_id 1 - -# Create a parent context pointing at rootd.py - -python irbe_cli.py parent --self_id 1 --action create --bsc_id 1 --repository_id 1 \ - --peer_contact_uri https://localhost:44333/ \ - --cms_ta biz-certs/Elena-Root.cer \ - --https_ta biz-certs/Elena-Root.cer \ - --sia_base rsync://wombat.invalid/ - -# Create a child context - -python irbe_cli.py child --self_id 1 --action create --bsc_id 1 --cms_ta biz-certs/Frank-Root.cer - -# Run the other daemons, arrange for everything to go away on shutdown, -# run initial cron job to set things up, then wait - -if test -n "$STY" -then - screen python rootd.py - screen python irdbd.py -else - python rootd.py >>rootd.log 2>&1 & rootd=$! - python irdbd.py >>irdbd.log 2>&1 & irdbd=$! - trap "kill $rpkid $irdbd $rootd" 0 1 2 3 13 15 -fi - -python cronjob.py - -if test -z "$STY" -then - tail +0f rpkid.log -fi diff --git a/scripts/apnic-poke-1.yaml b/scripts/apnic-poke-1.yaml deleted file mode 100644 index 24b80561..00000000 --- a/scripts/apnic-poke-1.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ ---- -# $Id$ - -version: 1 -posturl: https://adrilankha.hactrn.net:4433/up-down/1 -recipient-id: wombat -sender-id: "1" - -cms-cert-file: biz-certs/Frank-EE.cer -cms-key-file: biz-certs/Frank-EE.key -cms-ca-cert-file: biz-certs/Bob-Root.cer -cms-cert-chain-file: [ biz-certs/Frank-CA.cer ] - -ssl-cert-file: biz-certs/Frank-EE.cer -ssl-key-file: biz-certs/Frank-EE.key -ssl-ca-cert-file: biz-certs/Bob-Root.cer - -requests: - list: - type: list - issue: - type: issue - class: 1 - sia: [ "rsync://bandicoot.invalid/some/where/" ] - revoke: - type: revoke - class: 1 - ski: "CB5K6APY-4KcGAW9jaK_cVPXKX0" diff --git a/scripts/apnic-poke-2.sh b/scripts/apnic-poke-2.sh deleted file mode 100644 index 87018111..00000000 --- a/scripts/apnic-poke-2.sh +++ /dev/null 
@@ -1,123 +0,0 @@ -#!/bin/sh - -# $Id$ - -# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN") -# -# Permission to use, copy, modify, and distribute this software for any -# purpose with or without fee is hereby granted, provided that the above -# copyright notice and this permission notice appear in all copies. -# -# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH -# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -# PERFORMANCE OF THIS SOFTWARE. - -openssl=../openssl/openssl/apps/openssl - -# Halt on first error and show what's happening - -set -ex - -# Blow away old rpkid database (!) so we can start clean - -mysql -u rpki -p`awk '$1 == "sql-password" {print $3}' rpkid.conf` rpki >rpkid.log 2>&1 & rpkid=$! 
- trap "kill $rpkid" 0 1 2 3 13 15 -fi - -# Create a self instance - -python irbe_cli.py self --action create --crl_interval 84600 - -# Create a business signing context, issue the necessary business cert, and set up the cert chain - -python irbe_cli.py --pem_out bsc.req bsc --action create --self_id 1 \ - --generate_keypair --signing_cert biz-certs/Bob-CA.cer -$openssl x509 -req -in bsc.req -out bsc.cer \ - -CA biz-certs/Bob-CA.cer -CAkey biz-certs/Bob-CA.key -CAserial biz-certs/Bob-CA.srl -python irbe_cli.py bsc --action set --self_id 1 --bsc_id 1 --signing_cert bsc.cer -rm -f bsc.req bsc.cer - -# List what's in the BSC, for today's debugging fun - -#python irbe_cli.py bsc --action list --self_id 1 - -# Create a repository context - -python irbe_cli.py repository --self_id 1 --action create --bsc_id 1 - -# Create a parent context pointing at APNIC -- this is where we plug in the values from their YAML - -cat >apnic.pem <<-'EOF' - -----BEGIN CERTIFICATE----- - MIIEFjCCAv6gAwIBAgIBADANBgkqhkiG9w0BAQsFADBJMUcwRQYDVQQDEz5Eb2N1 - bWVudGF0aW9uIFByZWZpeGVzIENNUyBQYXJlbnQgVEEgc2lnbmVyIC0gTm90IGZv - ciByZWFsIHVzZTAeFw0wNzEyMDEwNjMyNDdaFw0xNzExMjgwNjMyNDdaMEkxRzBF - BgNVBAMTPkRvY3VtZW50YXRpb24gUHJlZml4ZXMgQ01TIFBhcmVudCBUQSBzaWdu - ZXIgLSBOb3QgZm9yIHJlYWwgdXNlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB - CgKCAQEAtsRcgBpO7cTN+QGPnBaPtmfdsUZbctrfSBycS3QhwAItzZryqIHN9stP - A+0WEOC4+cfaY9xETqGwbq725p8FRwxUx9NBQS7jrL1ToNCJ+2qSH5ThK2hOQiCT - 3fv2FNJ/7gFFqofWt3mLyNEmnis95pRwzTtqH6ZaAaZk+AzwL77ww8AlwL/qfLtD - mjrsUfoELfkbS4ywFK0orjVKeGvzG8Dx7WiGvwmdhNNJ8/IAZmJC0NI8r9VIfcw3 - 2B7bnDGkKH3E0NNRIajPmLbaNfT0Dxw+BjIC3Ty48o3ghSScqviyThNFyj8cr9SB - Ww8ReAU6v9q4XWRnlZt8Lc9WIsF/MwIDAQABo4IBBzCCAQMwDAYDVR0TBAUwAwEB - /zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFPzZTgRZylsJph8KV9AU3klSgl8r - MHEGA1UdIwRqMGiAFPzZTgRZylsJph8KV9AU3klSgl8roU2kSzBJMUcwRQYDVQQD - Ez5Eb2N1bWVudGF0aW9uIFByZWZpeGVzIENNUyBQYXJlbnQgVEEgc2lnbmVyIC0g - Tm90IGZvciByZWFsIHVzZYIBADBRBgNVHR8ESjBIMEagRKBChkBodHRwOi8vbWly - 
aW4uYXBuaWMubmV0L2RvY3VtZW50YXRpb24tcHJlZml4ZXMvY21zL3BhcmVudC9j - bXMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCNz/BUN5bsAyMPi0X7oKZV/cAwmr2S - gQgIxaUHnQ6EJp4b2CUmlpPQ9pT/m+gPbajaRgUZmANfMF0uAFZpCP3hTRAc6NMH - 3Pwjzw1ICGSRRJASSizYN4hSxGpWW1hgghGTB3w5CjCm2VlwrQKJjb7/9H/gb4hi - RRZpaudithCEDlgkFhgU4uttSDLH2Rv14GtfmtyqDpmCE33STA7K+e9rdxaCqHC8 - u33zqm4oQxOX7wuJ/JxeJxExtZ0amu8yTZ+tDtQ4Iiu1VPl67o0mjYrBKRV4z2fC - wa/PKqombrC/qs+2+t/66mB9xaK1YpKnW2FL6Rjs+rZUJJQ16JhJkF7T - -----END CERTIFICATE----- -EOF - -python irbe_cli.py parent --self_id 1 --action create --bsc_id 1 --repository_id 1 \ - --peer_contact_uri https://mirin.apnic.net/cgi-bin/up-down-parent.cgi \ - --cms_ta apnic.pem \ - --https_ta apnic.pem \ - --sia_base rsync://wombat.invalid/ \ - --recipient_name PARENT \ - --sender_name CHILD - -rm -f apnic.pem - -# Create a child context - -python irbe_cli.py child --self_id 1 --action create --bsc_id 1 --cms_ta biz-certs/Frank-Root.cer - -# Run the other daemons, arrange for everything to go away on shutdown, -# run initial cron job to set things up, then wait - -if test -n "$STY" -then - screen python irdbd.py -else - python irdbd.py >>irdbd.log 2>&1 & irdbd=$! - trap "kill $rpkid $irdbd" 0 1 2 3 13 15 -fi - -python cronjob.py - -if test -z "$STY" -then - tail +0f rpkid.log -fi diff --git a/scripts/apnic-poke-2.yaml b/scripts/apnic-poke-2.yaml deleted file mode 100644 index 6ba93729..00000000 --- a/scripts/apnic-poke-2.yaml +++ /dev/null 
@@ -1,74 +0,0 @@ ---- -# $Id$ -# -# This sender config file was created by the make_cfg tool -# Account: TELSTRA-AU - -version: 1 -recipient-id: PARENT -sender-id: CHILD - -cms-cert-file: biz-certs/Bob-EE.cer -cms-key-file: biz-certs/Bob-EE.key -cms-cert-chain-file: [ biz-certs/Bob-CA.cer ] - -cms-ca-cert: | - -----BEGIN CERTIFICATE----- - MIIEFjCCAv6gAwIBAgIBADANBgkqhkiG9w0BAQsFADBJMUcwRQYDVQQDEz5Eb2N1 - bWVudGF0aW9uIFByZWZpeGVzIENNUyBQYXJlbnQgVEEgc2lnbmVyIC0gTm90IGZv - ciByZWFsIHVzZTAeFw0wNzEyMDEwNjMyNDdaFw0xNzExMjgwNjMyNDdaMEkxRzBF - BgNVBAMTPkRvY3VtZW50YXRpb24gUHJlZml4ZXMgQ01TIFBhcmVudCBUQSBzaWdu - ZXIgLSBOb3QgZm9yIHJlYWwgdXNlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB - CgKCAQEAtsRcgBpO7cTN+QGPnBaPtmfdsUZbctrfSBycS3QhwAItzZryqIHN9stP - A+0WEOC4+cfaY9xETqGwbq725p8FRwxUx9NBQS7jrL1ToNCJ+2qSH5ThK2hOQiCT - 3fv2FNJ/7gFFqofWt3mLyNEmnis95pRwzTtqH6ZaAaZk+AzwL77ww8AlwL/qfLtD - mjrsUfoELfkbS4ywFK0orjVKeGvzG8Dx7WiGvwmdhNNJ8/IAZmJC0NI8r9VIfcw3 - 2B7bnDGkKH3E0NNRIajPmLbaNfT0Dxw+BjIC3Ty48o3ghSScqviyThNFyj8cr9SB - Ww8ReAU6v9q4XWRnlZt8Lc9WIsF/MwIDAQABo4IBBzCCAQMwDAYDVR0TBAUwAwEB - /zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFPzZTgRZylsJph8KV9AU3klSgl8r - MHEGA1UdIwRqMGiAFPzZTgRZylsJph8KV9AU3klSgl8roU2kSzBJMUcwRQYDVQQD - Ez5Eb2N1bWVudGF0aW9uIFByZWZpeGVzIENNUyBQYXJlbnQgVEEgc2lnbmVyIC0g - Tm90IGZvciByZWFsIHVzZYIBADBRBgNVHR8ESjBIMEagRKBChkBodHRwOi8vbWly - aW4uYXBuaWMubmV0L2RvY3VtZW50YXRpb24tcHJlZml4ZXMvY21zL3BhcmVudC9j - bXMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCNz/BUN5bsAyMPi0X7oKZV/cAwmr2S - gQgIxaUHnQ6EJp4b2CUmlpPQ9pT/m+gPbajaRgUZmANfMF0uAFZpCP3hTRAc6NMH - 3Pwjzw1ICGSRRJASSizYN4hSxGpWW1hgghGTB3w5CjCm2VlwrQKJjb7/9H/gb4hi - RRZpaudithCEDlgkFhgU4uttSDLH2Rv14GtfmtyqDpmCE33STA7K+e9rdxaCqHC8 - u33zqm4oQxOX7wuJ/JxeJxExtZ0amu8yTZ+tDtQ4Iiu1VPl67o0mjYrBKRV4z2fC - wa/PKqombrC/qs+2+t/66mB9xaK1YpKnW2FL6Rjs+rZUJJQ16JhJkF7T - -----END CERTIFICATE----- - -ssl-cert-file: biz-certs/Bob-EE.cer -ssl-key-file: biz-certs/Bob-EE.key - -ssl-ca-cert: | - -----BEGIN CERTIFICATE----- - 
MIIEFjCCAv6gAwIBAgIBADANBgkqhkiG9w0BAQsFADBJMUcwRQYDVQQDEz5Eb2N1 - bWVudGF0aW9uIFByZWZpeGVzIENNUyBQYXJlbnQgVEEgc2lnbmVyIC0gTm90IGZv - ciByZWFsIHVzZTAeFw0wNzEyMDEwNjMyNDdaFw0xNzExMjgwNjMyNDdaMEkxRzBF - BgNVBAMTPkRvY3VtZW50YXRpb24gUHJlZml4ZXMgQ01TIFBhcmVudCBUQSBzaWdu - ZXIgLSBOb3QgZm9yIHJlYWwgdXNlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB - CgKCAQEAtsRcgBpO7cTN+QGPnBaPtmfdsUZbctrfSBycS3QhwAItzZryqIHN9stP - A+0WEOC4+cfaY9xETqGwbq725p8FRwxUx9NBQS7jrL1ToNCJ+2qSH5ThK2hOQiCT - 3fv2FNJ/7gFFqofWt3mLyNEmnis95pRwzTtqH6ZaAaZk+AzwL77ww8AlwL/qfLtD - mjrsUfoELfkbS4ywFK0orjVKeGvzG8Dx7WiGvwmdhNNJ8/IAZmJC0NI8r9VIfcw3 - 2B7bnDGkKH3E0NNRIajPmLbaNfT0Dxw+BjIC3Ty48o3ghSScqviyThNFyj8cr9SB - Ww8ReAU6v9q4XWRnlZt8Lc9WIsF/MwIDAQABo4IBBzCCAQMwDAYDVR0TBAUwAwEB - /zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFPzZTgRZylsJph8KV9AU3klSgl8r - MHEGA1UdIwRqMGiAFPzZTgRZylsJph8KV9AU3klSgl8roU2kSzBJMUcwRQYDVQQD - Ez5Eb2N1bWVudGF0aW9uIFByZWZpeGVzIENNUyBQYXJlbnQgVEEgc2lnbmVyIC0g - Tm90IGZvciByZWFsIHVzZYIBADBRBgNVHR8ESjBIMEagRKBChkBodHRwOi8vbWly - aW4uYXBuaWMubmV0L2RvY3VtZW50YXRpb24tcHJlZml4ZXMvY21zL3BhcmVudC9j - bXMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCNz/BUN5bsAyMPi0X7oKZV/cAwmr2S - gQgIxaUHnQ6EJp4b2CUmlpPQ9pT/m+gPbajaRgUZmANfMF0uAFZpCP3hTRAc6NMH - 3Pwjzw1ICGSRRJASSizYN4hSxGpWW1hgghGTB3w5CjCm2VlwrQKJjb7/9H/gb4hi - RRZpaudithCEDlgkFhgU4uttSDLH2Rv14GtfmtyqDpmCE33STA7K+e9rdxaCqHC8 - u33zqm4oQxOX7wuJ/JxeJxExtZ0amu8yTZ+tDtQ4Iiu1VPl67o0mjYrBKRV4z2fC - wa/PKqombrC/qs+2+t/66mB9xaK1YpKnW2FL6Rjs+rZUJJQ16JhJkF7T - -----END CERTIFICATE----- - -posturl: https://mirin.apnic.net/cgi-bin/up-down-parent.cgi - -requests: - list: - type: list diff --git a/scripts/apnic-test-3.tgz b/scripts/apnic-test-3.tgz deleted file mode 100644 index 2d50fe3f..00000000 Binary files a/scripts/apnic-test-3.tgz and /dev/null differ diff --git a/scripts/async-http.py b/scripts/async-http.py deleted file mode 100644 index 5b5fc1cd..00000000 --- a/scripts/async-http.py +++ /dev/null 
@@ -1,529 +0,0 @@ -""" -Testbed for figuring out how to write asynchronous HTTPS code. - -$Id$ - -Copyright (C) 2009 Internet Systems Consortium ("ISC") - -Permission to use, copy, modify, and distribute this software for any -purpose with or without fee is hereby granted, provided that the above -copyright notice and this permission notice appear in all copies. - -THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -PERFORMANCE OF THIS SOFTWARE. -""" - -# Command that may be useful for testing server side of this: -# -# lynx -post_data -mime_header -source http://127.0.0.1:8000/ -# -# Testing the client side of this is more entertaining, both because -# we need to be liberal in what we accept and also because servers do -# wildly different things depending both on HTTP version number and -# options signaled by the client and also on internal details in the -# server context (such as whether the content is static or generated -# by CGI). It's useful to test against static content, but also to -# test against CGI-generated output, eg, the following trivial script: -# -# print "Content-Type: text/plain; charset=US-ASCII\r" -# print "\r" -# for i in xrange(100): -# print "%08d" % i, "." * 120, "\r" -# -# At least with Apache 2.0, result of running this differs -# significantly depending on whether client signals HTTP 1.0 or 1.1; -# the latter produces chunked output. 
- -import sys, os, time, socket, asyncore, asynchat, traceback, urlparse -import rpki.async, rpki.sundial - -debug = True - -want_persistent_client = True -want_persistent_server = True - -idle_timeout_default = rpki.sundial.timedelta(seconds = 60) -active_timeout_default = rpki.sundial.timedelta(seconds = 15) - -default_http_version = (1, 1) - -class http_message(object): - - software_name = "BalmyBandicoot HTTP test code" - - def __init__(self, version = None, body = None, headers = None): - self.version = version - self.body = body - self.headers = headers - self.normalize_headers() - - def normalize_headers(self, headers = None): - if headers is None: - headers = () if self.headers is None else self.headers.items() - translate_underscore = True - else: - translate_underscore = False - result = {} - for k,v in headers: - if translate_underscore: - k = k.replace("_", "-") - k = "-".join(s.capitalize() for s in k.split("-")) - v = v.strip() - if k in result: - result[k] += ", " + v - else: - result[k] = v - self.headers = result - - @classmethod - def parse_from_wire(cls, headers): - self = cls() - headers = headers.split("\r\n") - self.parse_first_line(*headers.pop(0).split(None, 2)) - for i in xrange(len(headers) - 2, -1, -1): - if headers[i + 1][0].isspace(): - headers[i] += headers[i + 1] - del headers[i + 1] - self.normalize_headers([h.split(":", 1) for h in headers]) - return self - - def format(self): - s = self.format_first_line() - if self.body is not None: - assert isinstance(self.body, str) - self.headers["Content-Length"] = len(self.body) - for kv in self.headers.iteritems(): - s += "%s: %s\r\n" % kv - s += "\r\n" - if self.body is not None: - s += self.body - return s - - def __str__(self): - return self.format() - - def parse_version(self, version): - if version[:5] != "HTTP/": - raise RuntimeError, "Couldn't parse version %s" % version - self.version = tuple(int(i) for i in version[5:].split(".")) - - def persistent(self): - c = 
self.headers.get("Connection") - if self.version == (1, 1): - return c is None or "close" not in c.lower() - elif self.version == (1, 0): - return c is not None and "keep-alive" in c.lower() - else: - return False - -class http_request(http_message): - - def __init__(self, cmd = None, path = None, version = default_http_version, body = None, callback = None, **headers): - if cmd is not None and cmd != "POST" and body is not None: - raise RuntimeError - http_message.__init__(self, version = version, body = body, headers = headers) - self.cmd = cmd - self.path = path - self.callback = callback - - def parse_first_line(self, cmd, path, version): - self.parse_version(version) - self.cmd = cmd - self.path = path - - def format_first_line(self): - self.headers.setdefault("User-Agent", self.software_name) - return "%s %s HTTP/%d.%d\r\n" % (self.cmd, self.path, self.version[0], self.version[1]) - -class http_response(http_message): - - def __init__(self, code = None, reason = None, version = default_http_version, body = None, **headers): - http_message.__init__(self, version = version, body = body, headers = headers) - self.code = code - self.reason = reason - - def parse_first_line(self, version, code, reason): - self.parse_version(version) - self.code = int(code) - self.reason = reason - - def format_first_line(self): - self.headers.setdefault("Date", time.strftime("%a, %d %b %Y %T GMT")) - self.headers.setdefault("Server", self.software_name) - return "HTTP/%d.%d %s %s\r\n" % (self.version[0], self.version[1], self.code, self.reason) - -def logger(self, msg): - if debug: - print "[%s %r: %s]" % (rpki.sundial.now().strftime("%T"), self, msg) - -class http_stream(asynchat.async_chat): - - log = logger - - idle_timeout = idle_timeout_default - active_timeout = active_timeout_default - - def __init__(self, conn = None): - asynchat.async_chat.__init__(self, conn = conn) - self.buffer = [] - self.timer = rpki.async.timer(self.handle_timeout) - self.restart() - - def 
restart(self, idle = True): - assert not self.buffer - self.chunk_handler = None - self.set_terminator("\r\n\r\n") - timeout = self.idle_timeout if idle else self.active_timeout - if timeout is not None: - self.timer.set(timeout) - else: - self.timer.cancel() - - def update_active_timeout(self): - if self.active_timeout is not None: - self.timer.set(self.active_timeout) - else: - self.timer.cancel() - - def collect_incoming_data(self, data): - """Buffer the data""" - self.buffer.append(data) - self.update_active_timeout() - - def get_buffer(self): - val = "".join(self.buffer) - self.buffer = [] - return val - - def found_terminator(self): - self.update_active_timeout() - if self.chunk_handler: - self.chunk_handler() - elif not isinstance(self.get_terminator(), str): - self.handle_body() - else: - self.log("Got headers") - self.msg = self.parse_type.parse_from_wire(self.get_buffer()) - if self.msg.version == (1, 1) and "chunked" in self.msg.headers.get("Transfer-Encoding", "").lower(): - self.msg.body = [] - self.chunk_handler = self.chunk_header - self.set_terminator("\r\n") - elif "Content-Length" in self.msg.headers: - self.set_terminator(int(self.msg.headers["Content-Length"])) - else: - self.handle_no_content_length() - - def chunk_header(self): - n = int(self.get_buffer().partition(";")[0], 16) - self.log("Chunk length %s" % n) - if n: - self.chunk_handler = self.chunk_body - self.set_terminator(n) - else: - self.msg.body = "".join(self.msg.body) - self.chunk_handler = self.chunk_discard_trailer - - def chunk_body(self): - self.log("Chunk body") - self.msg.body += self.buffer - self.buffer = [] - self.chunk_handler = self.chunk_discard_crlf - self.set_terminator("\r\n") - - def chunk_discard_crlf(self): - self.log("Chunk CRLF") - s = self.get_buffer() - assert s == "", "Expected chunk CRLF, got '%s'" % s - self.chunk_handler = self.chunk_header - - def chunk_discard_trailer(self): - self.log("Chunk trailer") - s = self.get_buffer() - assert s == "", "Expected 
end of chunk trailers, got '%s'" % s - self.chunk_handler = None - self.handle_message() - - def handle_body(self): - self.msg.body = self.get_buffer() - self.handle_message() - - def handle_error(self): - self.log("Error in HTTP stream handler") - print traceback.format_exc() - asyncore.close_all() - - def handle_timeout(self): - self.log("Timeout, closing") - self.close() - - def handle_close(self): - asynchat.async_chat.handle_close(self) - self.timer.cancel() - self.log("Closed") - -class http_server(http_stream): - - parse_type = http_request - - def __init__(self, conn, handlers): - self.handlers = handlers - http_stream.__init__(self, conn) - self.expect_close = not want_persistent_server - - def handle_no_content_length(self): - self.handle_message() - - def find_handler(self, path): - """Helper method to search self.handlers.""" - for s, h in self.handlers: - if path.startswith(s): - return h - return None - - def handle_message(self): - if not self.msg.persistent(): - self.expect_close = True - handler = self.find_handler(self.msg.path) - error = None - if False and self.msg.cmd != "POST": - error = 501, "No handler for method %s" % self.msg.cmd - elif False and self.headers["Content-Type"] != rpki_content_type: - error = 415, "No handler for Content-Type %s" % self.headers["Content-Type"] - elif handler is None: - error = 404, "No handler for URL %s" % self.msg.path - if error is None: - handler(self.msg, self.send_message) - else: - self.send_error(*error) - - def send_error(self, code, reason): - self.handle_message_message(http_response(code = code, reason = reason)) - - def send_message(self, msg): - msg.headers["Connection"] = "Close" if self.expect_close else "Keep-Alive" - self.push(msg.format()) - if self.expect_close: - self.log("Closing") - self.timer.cancel() - self.close_when_done() - else: - self.log("Listening for next message") - self.restart() - -class http_listener(asyncore.dispatcher): - - log = logger - - def __init__(self, handlers, 
port = 80, host = ""): - asyncore.dispatcher.__init__(self) - self.handlers = handlers - self.create_socket(socket.AF_INET, socket.SOCK_STREAM) - self.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) - self.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1) - self.bind((host, port)) - self.listen(5) - self.log("Listening on (host, port) %r, handlers %r" % ((host, port), handlers)) - - def handle_accept(self): - self.log("Accepting connection") - server = http_server(conn = self.accept()[0], handlers = self.handlers) - - def handle_error(self): - self.log("Error in HTTP listener") - print traceback.format_exc() - asyncore.close_all() - -class http_client(http_stream): - - parse_type = http_response - - def __init__(self, queue, hostport): - self.log("Creating new connection to %s" % repr(hostport)) - http_stream.__init__(self) - self.queue = queue - self.state = "idle" - self.expect_close = not want_persistent_client - self.create_socket(socket.AF_INET, socket.SOCK_STREAM) - self.connect(hostport) - - def handle_no_content_length(self): - self.set_terminator(None) - - def send_request(self, msg): - self.log("Sending request") - assert self.state == "idle" - if msg is not None: - self.state = "request-sent" - msg.headers["Connection"] = "Close" if self.expect_close else "Keep-Alive" - self.push(msg.format()) - self.restart(idle = False) - - def handle_message(self): - if not self.msg.persistent(): - self.expect_close = True - self.log("Message received, state %s" % self.state) - msg = None - if self.state == "request-sent": - msg = self.queue.done_with_request() - elif self.state == "idle": - self.log("Received unsolicited message") - elif self.state == "closing": - assert not self.msg.body - self.log("Ignoring empty response received while closing") - return - else: - raise RuntimeError, "[%r: Unexpected state]" % self - self.state = "idle" - if msg != None: - msg.callback(self.msg) - msg = self.queue.next_request(not self.expect_close) - if msg is not None: 
- self.log("Got a new message to send from my queue") - self.send_request(msg) - elif self.expect_close: - self.log("Closing") - self.state = "closing" - self.queue.closing(self) - self.close_when_done() - else: - self.log("Idling") - self.timer.set(self.idle_timeout) - - def handle_connect(self): - self.log("Connected") - self.send_request(self.queue.next_request(True)) - - def kickstart(self): - self.log("Kickstart") - assert self.state == "idle" - self.send_request(self.queue.next_request(True)) - - def handle_close(self): - http_stream.handle_close(self) - self.queue.closing(self) - if self.get_terminator() is None: - self.handle_body() - -class http_queue(object): - - log = logger - - def __init__(self, hostport): - self.log("Creating queue for %s" % repr(hostport)) - self.hostport = hostport - self.client = None - self.queue = [] - - def request(self, *requests): - self.log("Adding requests %r" % requests) - need_kick = self.client is not None and not self.queue - self.queue.extend(requests) - if self.client is None: - self.client = http_client(self, self.hostport) - elif need_kick: - self.client.kickstart() - - def done_with_request(self): - req = self.queue.pop(0) - self.log("Dequeuing request %r" % req) - return req - - def next_request(self, usable): - if not self.queue: - self.log("Queue is empty") - return None - self.log("Queue: %r" % self.queue) - if usable: - self.log("Queue not empty and connection usable") - return self.queue[0] - else: - self.log("Queue not empty but connection not usable, spawning") - self.client = http_client(self, self.hostport) - self.log("Spawned connection %r" % self.client) - return None - - def closing(self, client): - if client is self.client: - self.log("Removing client") - self.client = None - -class http_manager(dict): - - log = logger - - def query(self, url, callback, body = None): - u = urlparse.urlparse(url) - assert u.scheme == "http" and u.username is None and u.password is None and u.params == "" and u.query == 
"" and u.fragment == "" - request = http_request(cmd = "POST", path = u.path, body = body, callback = callback, - Host = u.hostname, Content_Type = "text/plain") - hostport = (u.hostname or "localhost", u.port or 80) - self.log("Created request %r for %r" % (request, hostport)) - if hostport not in self: - self[hostport] = http_queue(hostport) - self[hostport].request(request) - - def __repr__(self): - return "<%s object at %s>" % (self.__class__.__name__, id(self)) - -def client(msg, url, timeout = 300, callback = None): - pass - -def server(handlers, port, host =""): - if not isinstance(handlers, (tuple, list)): - handlers = (("/", handlers),) - listener = http_listener(port = 8000, handlers = handlers) - rpki.async.event_loop() - -if len(sys.argv) == 1: - - def handler(query_message, reply_callback): - reply_callback(http_response( - code = 200, - reason = "OK", - body = str(query_message), - Cache_Control = "no-cache,no-store", - Content_Type = "text/plain")) - - def other_handler(query_message, reply_callback): - reply_callback(http_response( - code = 200, - reason = "OK", - body = "Ok, you found it.\r\n\r\n" + str(query_message), - Cache_Control = "no-cache,no-store", - Content_Type = "text/plain")) - - server(port = 8000, handlers = (("/wombat", other_handler), ("/", handler))) - -else: - - def got_one(msg): - logger(None, "Got response") - if True: - print msg - print - - manager = http_manager() - - timer = rpki.async.timer() - - def loop(iterator, url): - logger(None, "Scheduler loop") - manager.query(url = url, callback = got_one, body = "Hi, I'm trying to talk to URL %s" % url) - timer.set(rpki.sundial.timedelta(seconds = 3)) - - def done(): - logger(None, "Scheduler done") - - timer.set_handler(rpki.async.iterator(sys.argv[1:], loop, done)) - - rpki.async.event_loop() - - for q in manager.values(): - assert not q.queue, "Requests still scheduled: %r %r %r" % (q, q.hostport, q.queue) - - assert not rpki.async.timer.queue, "Timers still scheduled: %r" % 
rpki.async.timer.queue diff --git a/scripts/biz-certs-setup.sh b/scripts/biz-certs-setup.sh deleted file mode 100644 index 64ebd7d8..00000000 --- a/scripts/biz-certs-setup.sh +++ /dev/null 
@@ -1,81 +0,0 @@ -#!/bin/sh - -# $Id$ - -# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN") -# -# Permission to use, copy, modify, and distribute this software for any -# purpose with or without fee is hereby granted, provided that the above -# copyright notice and this permission notice appear in all copies. -# -# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH -# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -# PERFORMANCE OF THIS SOFTWARE. - -# Quick hack to generate a set of business keys and certs for use with -# early prototype code. Not for production use. -# -# All we're trying to do here is generate a three-level-deep set of -# certs for each of several independent entities. Could easily be -# deeper in practice but this should be enough for simple tests: a -# self-signed root cert to use as a trust anchor, a working CA, and an -# EE cert used for CMS or TLS. -# -# Among other things missing here, we're not doing any restrictions -# beyond basicConstraints and we're not doing CRLs. -# -# One can extract the public key from a .key file by doing: -# -# $ openssl rsa -in foo.key -pubout -# -# I ended up needing this to build simulated packets for the -# left-right protocol. 
- -for i in Alice Bob Carol Dave Elena Frank Ginny Harry -do - for j in Root CA EE - do - - case $j in - EE) ca=false;; - *) ca=true;; - esac - - test -r $i-$j.cnf || cat >$i-$j.cnf <<-EOF - - [ req ] - distinguished_name = req_dn - x509_extensions = req_x509_ext - prompt = no - default_md = sha256 - - [ req_dn ] - CN = Test Certificate $i $j - - [ req_x509_ext ] - basicConstraints = CA:$ca - subjectKeyIdentifier = hash - authorityKeyIdentifier = keyid:always - - EOF - - test -r $i-$j.key || openssl genrsa -out $i-$j.key 2048 - test -r $i-$j.req || openssl req -new -sha256 -key $i-$j.key -out $i-$j.req -config $i-$j.cnf - - done - - test -r $i-Root.cer || openssl x509 -sha256 -req -in $i-Root.req -out $i-Root.cer -extfile $i-Root.cnf -extensions req_x509_ext -signkey $i-Root.key -days 60 - test -r $i-CA.cer || openssl x509 -sha256 -req -in $i-CA.req -out $i-CA.cer -extfile $i-CA.cnf -extensions req_x509_ext -CA $i-Root.cer -CAkey $i-Root.key -CAcreateserial - test -r $i-EE.cer || openssl x509 -sha256 -req -in $i-EE.req -out $i-EE.cer -extfile $i-EE.cnf -extensions req_x509_ext -CA $i-CA.cer -CAkey $i-CA.key -CAcreateserial - -done - -for i in *.cer -do - h=`openssl x509 -noout -hash -in $i`.0 - test -r $h || - ln -s $i $h -done diff --git a/scripts/blow-away-databases.sh b/scripts/blow-away-databases.sh deleted file mode 100644 index 44df7861..00000000 --- a/scripts/blow-away-databases.sh +++ /dev/null 
@@ -1,29 +0,0 @@ -#!/bin/sh - -# $Id$ - -# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN") -# -# Permission to use, copy, modify, and distribute this software for any -# purpose with or without fee is hereby granted, provided that the above -# copyright notice and this permission notice appear in all copies. -# -# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH -# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -# PERFORMANCE OF THIS SOFTWARE. - -# GRANT ALL ON rpki.* TO rpki@localhost IDENTIFIED BY ''; -# GRANT ALL ON irdb.* TO irdb@localhost IDENTIFIED BY ''; - -echo "This script destroys and rebuilds our databases." -echo "Don't type the password unless you're sure you want to do this." - -(echo 'DROP DATABASE rpki; CREATE DATABASE rpki; USE rpki;' - cat ../docs/rpki-db-schema.sql - echo 'DROP DATABASE irdb; CREATE DATABASE irdb; USE irdb;' - cat ../docs/sample-irdb.sql -) | -mysql -u root -p diff --git a/scripts/extract-cert-from-rpki.sh b/scripts/extract-cert-from-rpki.sh deleted file mode 100644 index 3d28bfdb..00000000 --- a/scripts/extract-cert-from-rpki.sh +++ /dev/null 
@@ -1,35 +0,0 @@ -#!/bin/sh - -# $Id$ - -# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN") -# -# Permission to use, copy, modify, and distribute this software for any -# purpose with or without fee is hereby granted, provided that the above -# copyright notice and this permission notice appear in all copies. -# -# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH -# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -# PERFORMANCE OF THIS SOFTWARE. - -: ${instance=R0} - -python ../rpkid.py -c $instance.conf & -rpkid=$! - -python ../irbe-cli.py -c $instance.conf bsc --self_id 1 --action list | -qh 2>/dev/null | -awk ' - /\(signing_cert/ {p = 1} - /\)signing_cert/ {p = 0} - p && /^-/ { - sub(/-/,""); - cmd = "mimencode -u | openssl x509 -text -inform DER -out " NR ".pem"; - print | cmd; - } -' - -kill $rpkid diff --git a/scripts/manifests.py b/scripts/manifests.py deleted file mode 100644 index df8bc2d4..00000000 --- a/scripts/manifests.py +++ /dev/null 
@@ -1,90 +0,0 @@ -# $Id$ - -# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN") -# -# Permission to use, copy, modify, and distribute this software for any -# purpose with or without fee is hereby granted, provided that the above -# copyright notice and this permission notice appear in all copies. -# -# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH -# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -# PERFORMANCE OF THIS SOFTWARE. - -import time, glob, os -import rpki.x509, rpki.manifest, rpki.sundial - -show_content_1 = False -show_signed_manifest_PEM = False -show_signed_manifest_asn1dump = True -show_content_2 = False -show_content_3 = False -dump_signed_manifest_DER = False -dump_manifest_content_DER = False -test_empty_manifest = False - -def dumpasn1(thing): - # Save to file rather than using popen4() because dumpasn1 uses - # seek() when decoding ASN.1 content nested in OCTET STRING values. 
- try: - fn = "dumpasn1.tmp" - f = open(fn, "w") - f.write(thing) - f.close() - f = os.popen("dumpasn1 2>&1 -a " + fn) - print "\n".join(x for x in f.read().splitlines() if x.startswith(" ")) - f.close() - finally: - os.unlink(fn) - -if test_empty_manifest: - names_and_objs = [] -else: - names_and_objs = [(fn, rpki.x509.X509(Auto_file = fn)) for fn in glob.glob("resource-cert-samples/*.cer")] - -now = rpki.sundial.datetime.utcnow() - -m = rpki.x509.SignedManifest() -m.build( - serial = 17, - thisUpdate = now, - nextUpdate = now + rpki.sundial.timedelta(days = 1), - names_and_objs = names_and_objs, - keypair = rpki.x509.RSA(Auto_file = "biz-certs/Alice-EE.key"), - certs = rpki.x509.X509_chain(Auto_files = ("biz-certs/Alice-EE.cer", "biz-certs/Alice-CA.cer"))) - -if show_content_1: - dumpasn1(m.get_content().toString()) - -if show_signed_manifest_PEM: - print m.get_PEM() - -if dump_manifest_content_DER: - f = open("manifest-content.der", "wb") - f.write(m.get_content().toString()) - f.close() - -if dump_signed_manifest_DER: - f = open("signed-manifest.der", "wb") - f.write(m.get_DER()) - f.close() - -if show_signed_manifest_asn1dump: - dumpasn1(m.get_DER()) - -n = rpki.x509.SignedManifest(DER = m.get_DER()) - -n.verify(ta = rpki.x509.X509(Auto_file = "biz-certs/Alice-Root.cer")) - -if show_content_2: - dumpasn1(n.get_content().toString()) - -assert m.get_content().toString() == n.get_content().toString() -assert m.get_content().get() == n.get_content().get() - -if show_content_3: - print - print n.get_content().get() diff --git a/scripts/pkcs10.py b/scripts/pkcs10.py deleted file mode 100644 index 386229f2..00000000 --- a/scripts/pkcs10.py +++ /dev/null 
@@ -1,100 +0,0 @@ -# $Id$ - -# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN") -# -# Permission to use, copy, modify, and distribute this software for any -# purpose with or without fee is hereby granted, provided that the above -# copyright notice and this permission notice appear in all copies. -# -# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH -# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -# PERFORMANCE OF THIS SOFTWARE. - -import POW.pkix, glob, os -import rpki.x509, rpki.resource_set, rpki.oids - -parse_test = False -generate_test = True - -parse_extensions = True -show_attributes = False -show_algorithm = False -do_verify = True -show_signature = False -show_publickey = False - -def hexify(thing): - return ":".join(["%02X" % ord(i) for i in thing]) - -if parse_test: - - for name in glob.glob("resource-cert-samples/*.req") + glob.glob("biz-certs/*.req"): - pkcs10 = rpki.x509.PKCS10(Auto_file = name).get_POWpkix() - - print "[", name, "]" - - if show_algorithm: - print pkcs10.signatureAlgorithm - print - print pkcs10.signatureAlgorithm.get() - print - - if show_signature: - print pkcs10.signatureValue, hexify(pkcs10.signatureValue.get()) - print - - if show_publickey: - print pkcs10.certificationRequestInfo.subjectPublicKeyInfo - print pkcs10.certificationRequestInfo.subjectPublicKeyInfo.get() - print hexify(pkcs10.certificationRequestInfo.subjectPublicKeyInfo.toString()) - print - - if show_attributes: - print pkcs10.certificationRequestInfo.attributes.oid, pkcs10.certificationRequestInfo.attributes.oid.get() - print - print pkcs10.certificationRequestInfo.attributes.val, 
pkcs10.certificationRequestInfo.attributes.val.get() - print - print pkcs10.certificationRequestInfo.attributes.val.choice, pkcs10.certificationRequestInfo.attributes.val.choices - print - print pkcs10.certificationRequestInfo.attributes.val.choices[pkcs10.certificationRequestInfo.attributes.val.choice] - print - print len(pkcs10.certificationRequestInfo.attributes.val.choices[pkcs10.certificationRequestInfo.attributes.val.choice]) - print - if len(pkcs10.certificationRequestInfo.attributes.val.choices[pkcs10.certificationRequestInfo.attributes.val.choice]) > 0: - print pkcs10.certificationRequestInfo.attributes.val.choices[pkcs10.certificationRequestInfo.attributes.val.choice][0] - print - - if parse_extensions: - - exts = pkcs10.getExtensions() - - bag = rpki.resource_set.parse_extensions(exts) - if bag.as: print "ASN =", bag.as - if bag.v4: print "IPv4 =", bag.v4 - if bag.v6: print "IPv6 =", bag.v6 - - for oid, crit, val in exts: - if oid in (rpki.oids.name2oid["sbgp-ipAddrBlock"], - rpki.oids.name2oid["sbgp-autonomousSysNum"]): - continue - if isinstance(val, str): - val = hexify(val) - print POW.pkix.oid2obj(oid), oid, "=", val - - if do_verify: - print - print "Signature verification: %s" % pkcs10.verify() - - print - -if generate_test: - keypair = rpki.x509.RSA() - keypair.generate() - pkcs10 = rpki.x509.PKCS10.create(keypair) - f = os.popen("openssl req -text -config /dev/null", "w") - f.write(pkcs10.get_PEM()) - f.close() diff --git a/scripts/rootd.cnf b/scripts/rootd.cnf deleted file mode 100644 index 1e400c04..00000000 --- a/scripts/rootd.cnf +++ /dev/null 
@@ -1,30 +0,0 @@ -# $Id$ -# -# Generate test root resource certificate for use with rootd.py server. - -[ req ] -default_bits = 2048 -encrypt_key = no -distinguished_name = req_dn -req_extensions = req_x509_ext -prompt = no - -[ req_dn ] -CN = Completely Bogus Test Root (NOT FOR PRODUCTION USE) - -[ req_x509_ext ] -basicConstraints = critical,CA:true -subjectKeyIdentifier = hash -keyUsage = critical,keyCertSign,cRLSign -subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombat.invalid/ -sbgp-autonomousSysNum = critical,@req_asid_ext -sbgp-ipAddrBlock = critical,@req_addr_ext - -[ req_asid_ext ] - -AS.0 = 1-65535 - -[ req_addr_ext ] - -IPv4.0 = 0.0.0.0/0 -IPv6.0 = 0::/0 diff --git a/scripts/rootd.sh b/scripts/rootd.sh deleted file mode 100644 index 73411a16..00000000 --- a/scripts/rootd.sh +++ /dev/null 
@@ -1,143 +0,0 @@ -#!/bin/sh - -# $Id$ - -# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN") -# -# Permission to use, copy, modify, and distribute this software for any -# purpose with or without fee is hereby granted, provided that the above -# copyright notice and this permission notice appear in all copies. -# -# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH -# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -# PERFORMANCE OF THIS SOFTWARE. - -# Script to test against rootd.py. -# -# This blows away rpkid's database and rebuilds it with what we need -# for this test, and knows far too much about the id numbers that -# rpkid and mysql will assign. In the long run we must do better than -# this, but gotta start somewhere. - -openssl=../openssl/openssl/apps/openssl - -# Halt on first error - -set -e - -# Generate new key and cert for rootd.py if needed - -if test ! -r rootd.cer -o ! -r rootd.key -then - $openssl req -new -newkey rsa:2048 -nodes -keyout rootd.key -out rootd.req -config rootd.cnf - $openssl x509 -req -in rootd.req -out rootd.cer -extfile rootd.cnf -extensions req_x509_ext -signkey rootd.key -text -sha256 - rm -f rootd.req -fi - -# Blow away old rpkid database (!) 
so we can start clean - -mysql -u rpki -p`awk '$1 == "sql-password" {print $3}' rpkid.conf` rpki >==; - s=/u/sra/rpki/subvert-rpki.hactrn.net/[a-z]*/rpki/==; - s= timedelta([0-9, ]*)==; - s= None = =; - s= at = =; - s= to from = from = - ' | -awk ' - BEGIN { - SUBSEP = "<"; - } - { - #print; - state[$1, $5] = $3; - } - /Creating/ { - created[$1, $5] = $NF; - } - END { - for (i in state) - print i, state[i], created[i]; - } - ' | -sort diff --git a/scripts/tls-client.py b/scripts/tls-client.py deleted file mode 100644 index ef879a5c..00000000 --- a/scripts/tls-client.py +++ /dev/null @@ -1,27 +0,0 @@ -# $Id$ - -import socket, POW, time - -key = POW.pemRead(POW.RSA_PRIVATE_KEY, open("Carol.key", "r").read()) -cer = POW.pemRead(POW.X509_CERTIFICATE, open("Carol.cer", "r").read()) -ta = POW.pemRead(POW.X509_CERTIFICATE, open("Alice-TA.cer", "r").read()) - -s = socket.socket() -s.connect(('',6666)) - -ssl = POW.Ssl(POW.TLSV1_CLIENT_METHOD) - -ssl.useCertificate(cer) -ssl.useKey(key) -ssl.setVerifyMode(POW.SSL_VERIFY_PEER | POW.SSL_VERIFY_FAIL_IF_NO_PEER_CERT) -ssl.trustCertificate(ta) - -ssl.setFd(s.fileno()) -ssl.connect() - -peer = ssl.peerCertificate() -if peer is not None: - print peer.pprint() - -print ssl.read(100) -ssl.write("Bye") diff --git a/scripts/tls-server.py b/scripts/tls-server.py deleted file mode 100644 index d3798a32..00000000 --- a/scripts/tls-server.py +++ /dev/null 
@@ -1,40 +0,0 @@ -# $Id$ - -import socket, POW, time - -key = POW.pemRead(POW.RSA_PRIVATE_KEY, open("Alice.key", "r").read()) -cer = POW.pemRead(POW.X509_CERTIFICATE, open("Alice.cer", "r").read()) -ta = POW.pemRead(POW.X509_CERTIFICATE, open("Carol-TA.cer", "r").read()) - -listener = socket.socket() -listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) -listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1) -listener.bind(('',6666)) -listener.listen(5) - -s, addr = listener.accept() -while not s: - time.sleep(2) - s, addr = listener.accept() - -s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) -s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1) - -print "Got connection %r from %r" % (s, addr) - -ssl = POW.Ssl(POW.TLSV1_SERVER_METHOD) - -ssl.useCertificate(cer) -ssl.useKey(key) -ssl.setVerifyMode(POW.SSL_VERIFY_PEER | POW.SSL_VERIFY_FAIL_IF_NO_PEER_CERT) -ssl.trustCertificate(ta) - -ssl.setFd(s.fileno()) -ssl.accept() - -peer = ssl.peerCertificate() -if peer is not None: - print peer.pprint() - -ssl.write("Hello, TLS") -print ssl.read(100) -- cgit v1.2.3