From e62cfb013638b5e68218c0702e88c6c4dfeb06f9 Mon Sep 17 00:00:00 2001 
From: Rob Austein Date: Mon, 24 Dec 2007 06:36:18 +0000 Subject: Cleanup svn path=/scripts/Old/check-hashes.sh; revision=1434 --- scripts/Old/check-hashes.sh | 13 ++ scripts/Old/encode-test.py | 161 +++++++++++++++++++ scripts/Old/gen-verify-test.pl | 104 ++++++++++++ scripts/Old/generate-testrepo.pl | 337 +++++++++++++++++++++++++++++++++++++++ scripts/Old/gki.pl | 46 ++++++ scripts/Old/make-hashes.pl | 42 +++++ scripts/Old/master.sh | 24 +++ scripts/Old/mirror-apnic.sh | 12 ++ scripts/Old/mirror-ripe.sh | 46 ++++++ scripts/Old/resource-set.py | 83 ++++++++++ scripts/Old/test-pow.py | 89 +++++++++++ scripts/Old/test-sql.py | 36 +++++ scripts/Old/uri.pl | 53 ++++++ scripts/check-hashes.sh | 13 -- scripts/encode-test.py | 161 ------------------- scripts/gen-verify-test.pl | 104 ------------ scripts/generate-testrepo.pl | 337 --------------------------------------- scripts/generate-testrepo.py | 234 --------------------------- scripts/gki.pl | 46 ------ scripts/make-hashes.pl | 42 ----- scripts/master.sh | 24 --- scripts/mirror-apnic.sh | 12 -- scripts/mirror-ripe.sh | 46 ------ scripts/resource-cert-samples.py | 234 +++++++++++++++++++++++++++ scripts/resource-set.py | 83 ---------- scripts/test-pow.py | 89 ----------- scripts/test-sql.py | 36 ----- scripts/uri.pl | 53 ------ 28 files changed, 1280 insertions(+), 1280 deletions(-) create mode 100644 scripts/Old/check-hashes.sh create mode 100755 scripts/Old/encode-test.py create mode 100644 scripts/Old/gen-verify-test.pl create mode 100644 scripts/Old/generate-testrepo.pl create mode 100644 scripts/Old/gki.pl create mode 100644 scripts/Old/make-hashes.pl create mode 100644 scripts/Old/master.sh create mode 100644 scripts/Old/mirror-apnic.sh create mode 100644 scripts/Old/mirror-ripe.sh create mode 100644 scripts/Old/resource-set.py create mode 100644 scripts/Old/test-pow.py create mode 100644 scripts/Old/test-sql.py create mode 100644 scripts/Old/uri.pl delete mode 100644 scripts/check-hashes.sh delete mode 100755 
scripts/encode-test.py
delete mode 100644 scripts/gen-verify-test.pl
delete mode 100644 scripts/generate-testrepo.pl
delete mode 100644 scripts/generate-testrepo.py
delete mode 100644 scripts/gki.pl
delete mode 100644 scripts/make-hashes.pl
delete mode 100644 scripts/master.sh
delete mode 100644 scripts/mirror-apnic.sh
delete mode 100644 scripts/mirror-ripe.sh
create mode 100644 scripts/resource-cert-samples.py
delete mode 100644 scripts/resource-set.py
delete mode 100644 scripts/test-pow.py
delete mode 100644 scripts/test-sql.py
delete mode 100644 scripts/uri.pl
(limited to 'scripts')
diff --git a/scripts/Old/check-hashes.sh b/scripts/Old/check-hashes.sh
new file mode 100644
index 00000000..87c140de
--- /dev/null
+++ b/scripts/Old/check-hashes.sh
@@ -0,0 +1,13 @@
+#!/bin/sh -
+# $Id$
+
+: ${openssl=/u/sra/isc/route-pki/subvert-rpki.hactrn.net/openssl/openssl/apps/openssl}
+: ${switches='-verbose -crl_check_all -policy_check -explicit_policy -policy 1.3.6.1.5.5.7.14.2 -x509_strict'}
+: ${hashtree=hashed}
+
+find $hashtree -type f -name '*.[0-9]*' 2>&1 -print -exec \
+ $openssl verify $switches -CApath $(find $hashtree -type d | tr \\012 : | sed 's=:$==') {} \;
+
+# Hack for analyzing results of running this script:
+#
+# awk -F: '/^hashed/ && NF == 1 {f = $0; p = 1; next} /^hashed/ && NF == 2 && $1 == f && $2 == " OK" {next} p {print "\n" f; p = 0} {print}' check-hashes.log
diff --git a/scripts/Old/encode-test.py b/scripts/Old/encode-test.py
new file mode 100755
index 00000000..b4709866
--- /dev/null
+++ b/scripts/Old/encode-test.py
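Review bot: Every directory under `$hashtree` is handed to `-CApath`, so any self-signed certificate present in the hashed tree is accepted by `openssl verify` as a trust anchor; an "OK" from this script therefore does not show that a chain ends at the intended root, and if the hashed tree is built from the rsync mirrors (as the sibling make-hashes.pl appears to do) a mirror can supply its own self-signed issuer. Point `-CApath`/`-CAfile` at a directory holding only the out-of-band trust anchors and feed the mirrored tree as `-untrusted` material instead. `$hashtree` and the `$(find …)` result are also unquoted, so a tree path containing whitespace splits into several arguments; `"$hashtree"` is cheap. The policy OID and `-x509_strict` only have effect if the pinned OpenSSL build honours them, which deserves a one-line comment next to the default path.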
@@ -0,0 +1,161 @@ +# $Id$ + +import os + +def run(func, arg, *cmd): + i, o = func(cmd) + i.write(arg) + i.close() + value = o.read() + o.close() + return value + +def encode(xml, cer, key): + return run(os.popen2, xml, "openssl", "smime", "-sign", "-nodetach", "-outform", "PEM", "-signer", cer, "-inkey", key) + +def decode(cms, dir): + return run(os.popen2, cms, "openssl", "smime", "-verify", "-inform", "PEM", "-CApath", dir) + +def relaxng(xml, rng): + return run(os.popen4, xml, "xmllint", "--noout", "--relaxng", rng, "-") + +def main(): + dir = "biz-certs" + cer = "biz-certs/Alice-EE.cer" + key = "biz-certs/Alice-EE.key" + rng = "up-down-schema.rng" + + for x in xml: + print x + e = encode(x, cer, key) + print e + d = decode(e, dir) + print d + v = relaxng(d, rng) + print v + print "=====\n" + +# Ugly inline stuff here for initial testing + +xml = [ +''' + + 2001 + 17 + [Readable text] + +''', +''' + + + deadbeef + + +''', +''' + + + + deadbeef + + deadbeef + + +''', +''' + +''', +''' + + + + deadbeef + + + deadbeef + + +''', +''' + + + +''', +''' + + + +''' +] + +main() diff --git a/scripts/Old/gen-verify-test.pl b/scripts/Old/gen-verify-test.pl new file mode 100644 index 00000000..e1b53579 --- /dev/null +++ b/scripts/Old/gen-verify-test.pl 
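Review bot: `decode` cannot distinguish a verified payload from a failed verification: `run` returns only what the child wrote to stdout and `os.popen2`/`os.popen4` expose no exit status, so a CMS whose signature fails under `-CApath` comes back as an empty string that is then passed to `relaxng` as if it were the decoded XML. Use `subprocess` (needs `import subprocess`) so the exit status is checked before the output is trusted; `communicate()` also removes the deadlock that reading stdout only after closing stdin invites once the child produces more than a pipe buffer. The `func` parameter can stay for call-site compatibility and only select whether stderr is merged, which is what `popen4` did for the xmllint call.
```python
def run(func, arg, *cmd):
    # func is kept for call-site compatibility; it now only decides whether
    # stderr is merged into the result (os.popen4 did that for xmllint).
    p = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                         stderr=(subprocess.STDOUT if func is os.popen4 else None))
    out, _ = p.communicate(arg)
    if p.returncode != 0:
        raise RuntimeError("%s exited with status %d" % (cmd[0], p.returncode))
    return out
```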
@@ -0,0 +1,104 @@ +: +# $Id$ +eval 'exec perl -w -S $0 ${1+"$@"}' + if 0; + +use strict; + +my $openssl = "/u/sra/isc/route-pki/subvert-rpki.hactrn.net/openssl/openssl/apps/openssl"; + +my $verify_options = "-verbose -crl_check_all -policy_check -explicit_policy -policy 1.3.6.1.5.5.7.14.2 -x509_strict"; + +my $verbose = 1; + +my $debug = $ENV{DEBUG}; + +exit unless (@ARGV); + +# Find all certificates in the repository + +open(F, "-|", "find", @ARGV, qw(-type f -name *.cer)) + or die("Couldn't run find: $!\n"); +chomp(my @files = ); +close(F); +@ARGV = (); + +# Snarf all the AIA and CDP values from the certs we're examining. +# Icky screen scraping, better mechanism needed. + +my %aia; +my %cdp; + +for my $f (@files) { + my ($a, $c) = (0, 0); + open(F, "-|", $openssl, qw(x509 -noout -text -inform DER -in), $f) + or die("Couldn't run openssl x509 on $f: $!\n"); + while () { + chomp; + s{^.+URI:rsync://}{}; + $a = $. + 1 + if (/Authority Information Access:/); + $c = $. + 1 + if (/X509v3 CRL Distribution Points:/); + $aia{$f} = $_ + if ($a && $. == $a); + $cdp{$f} = $_ + if ($c && $. == $c); + } + print(STDERR $f, " ", ($aia{$f} || "-"), " ", ($cdp{$f} || "-"), "\n") + if ($debug); + close(F); +} + +# Sort out ancestry + +my %daddy; + +for my $f (@files) { + next unless ($aia{$f}); + my @daddy = grep({ $_ eq $aia{$f} } @files); + die("Can't figure out who my daddy is! 
$f @{[join(' ', @daddy)]}\n") + if (@daddy > 1); + $daddy{$f} = $daddy[0] + if (@daddy && $daddy[0] ne $f); + print(STDERR "me: $f, daddy: $daddy[0]\n") + if ($debug); +} + +# Generate a test script based on all of the above + +for my $f (@files) { + my @ancestors; + for (my $d = $daddy{$f}; $d; $d = $daddy{$d}) { + push(@ancestors, $d); + } + next unless (@ancestors); + my @crls; + for my $c (map {$cdp{$_}} ($f, @ancestors)) { + push(@crls, $c) + unless (grep {$_ eq $c} @crls); + } + print("echo ", "=" x 40, "\n", + "echo Checking chain:\n") + if ($verbose > 0); + for (($f, @ancestors)) { + print("echo ' Certificate: $_'\n") + if ($verbose > 0); + print("$openssl x509 -noout -text -inform DER -certopt no_header,no_signame,no_validity,no_pubkey,no_sigdump,no_version -in $_\n") + if ($verbose > 1); + } + for (@crls) { + print("echo ' CRL: $_'\n") + if ($verbose > 0); + print("$openssl crl -noout -text -inform DER -in $_\n") + if ($verbose > 1); + } + print("rm -f CAfile.pem cert-in-hand.pem\n"); + print("$openssl x509 -inform DER -outform PEM >>CAfile.pem -in $_\n") + foreach (@ancestors); + print("$openssl crl -inform DER -outform PEM >>CAfile.pem -in $_\n") + foreach (@crls); + print("$openssl x509 -inform DER -outform PEM -out cert-in-hand.pem -in $f\n", + "$openssl verify -CAfile CAfile.pem $verify_options cert-in-hand.pem\n", + "rm -f CAfile.pem cert-in-hand.pem\n"); +} diff --git a/scripts/Old/generate-testrepo.pl b/scripts/Old/generate-testrepo.pl new file mode 100644 index 00000000..bacbe0de --- /dev/null +++ b/scripts/Old/generate-testrepo.pl 
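Review bot: The generated shell script interpolates `$_`, `$f` and the scraped CDP values unquoted into openssl command lines (`-in $_`, `-in $f`, `>>CAfile.pem -in $_`); these strings come from `find` over the mirrored repositories and from the certificates' own AIA/CDP extensions, so a filename or URI containing shell metacharacters executes arbitrary commands when master.sh pipes this output into `sh`. Shell-quote every interpolated value, e.g. a helper `sub sq { my $s = shift; $s =~ s/'/'\\''/g; return "'$s'" }` applied at each `-in`, or run the verify step from Perl with list-form `system` instead of emitting shell. The scraping also assumes the `URI:rsync://` line is exactly the line after the AIA/CDP heading in `openssl x509 -text` output, and `s{^.+URI:rsync://}{}` is applied to every line; a comment stating that assumption would save the next reader from re-deriving it.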
@@ -0,0 +1,337 @@ +# $Id$ + +# Hack to generate a small test repository for testing Apache + OpenSSL + RPKI + +use strict; + +my %resources; +my %parent; +my @ordering; +my %hashes; + +my $openssl = "../../openssl/openssl/apps/openssl"; +my $subdir = "apacheca"; +my $passwd = "fnord"; +my $keybits = 2048; +my $verbose = 0; +my $debug = 1; +my $revoke = 0; + +sub openssl { + print(STDERR join(" ", qw(+ openssl), @_), "\n") + if ($debug); + !system($openssl, @_) + or die("openssl @_ returned $?\n"); +} + +# Ok, this is a bit complicated, but the idea is to let us specify the +# resources we're giving to each leaf entity and let the program do +# the work of figuring out what resources each issuers need to have, +# the order in which we need to generate the certificates, which +# certificates need to sign which other certificates, etcetera. +# +# This would be much easier to read in a sane language (eg, Scheme). + +{ + my @ctx; + my $loop ; + $loop= sub { + my $x = shift; + if (ref($x) eq "HASH") { + while (my ($k, $v) = each(%$x)) { + $parent{$k} = $ctx[@ctx - 1]; + push(@ordering, $k); + push(@ctx, $k); $loop->($v); pop(@ctx); + } + } else { + for my $c (@ctx) { push(@{$resources{$c}}, @$x) } + } + }; + $loop->({ + RIR => { + LIR1 => { + ISP1 => [IPv4 => "192.0.2.1-192.0.2.33", AS => "64533"], + ISP2 => [IPv4 => "192.0.2.44-192.0.2.100"], + }, + LIR2 => { + ISP3 => [IPv6 => "2001:db8::44-2001:db8::100"], + ISP4 => [IPv6 => "2001:db8::10:0:44", AS => "64544"], + }, + }, + }); +} + +# Put this stuff into a subdirectory + +mkdir($subdir) unless (-d $subdir); +chdir($subdir) or die; + +# Generate configurations for each entity. 
+ +while (my ($entity, $resources) = each(%resources)) { + my %r; + print($entity, ":\n") + if ($verbose); + for (my $i = 0; $i < @$resources; $i += 2) { + printf(" %4s: %s\n", $resources->[$i], $resources->[$i+1]) + if ($verbose); + push(@{$r{$resources->[$i]}}, $resources->[$i+1]); + } + open(F, ">${entity}.cnf") or die; + print(F <${entity}/index") or die; + close(F); + } + if (!-f "${entity}/serial") { + open(F, ">${entity}/serial") or die; + print(F "01\n") or die; + close(F); + } + + openssl("ca", "-batch", "-verbose", "-out", "${entity}.cer", "-in", "${entity}.req", + "-extensions", "req_x509_ext", "-extfile", "${entity}.cnf", + ($parent{$entity} + ? ("-config", "${parent{$entity}}.cnf") + : ("-config", "${entity}.cnf", "-selfsign"))); +} + +# Generate CRLs + +for my $entity (@ordering) { + openssl("ca", "-batch", "-verbose", "-out", "${entity}.crl", + "-config", "${entity}.cnf", "-gencrl"); +} + +# Generate EE certs + +for my $parent (@ordering) { + my $entity = "${parent}-EE"; + open(F, ">${entity}.cnf") or die; + print(F <${entity}/index") or die; + close(F); + } + if (!-f "${entity}/serial") { + open(F, ">${entity}/serial") or die; + print(F "01\n") or die; + close(F); + } + + openssl("ca", "-batch", "-verbose", "-config", "${parent}.cnf", + "-extensions", "req_x509_ext", "-extfile", "${entity}.cnf", + "-out", "${entity}.cer", "-in", "${entity}.req"); +} + +# Generate hashes + +for my $cert (map({("$_.cer", "$_-EE.cer")} @ordering)) { + my $hash = `$openssl x509 -noout -hash -in $cert`; + chomp($hash); + $hash .= "."; + $hash .= (0 + $hashes{$hash}++); + unlink($hash) if (-l $hash); + symlink($cert, $hash) + or die("Couldn't link $hash to $cert: $!\n"); +} + +for my $crl (map({"$_.crl"} @ordering)) { + my $hash = `$openssl crl -noout -hash -in $crl`; + chomp($hash); + $hash .= ".r"; + $hash .= (0 + $hashes{$hash}++); + unlink($hash) if (-l $hash); + symlink($crl, $hash) + or die("Couldn't link $hash to $crl: $!\n"); +} + +# Generate PKCS12 forms of EE 
certificates +# -chain argument to pkcs12 requires certificate store, which we configure via an environment variable + +$ENV{SSL_CERT_DIR} = do { my $pwd = `pwd`; chomp($pwd); $pwd; }; + +for my $ee (map({"$_-EE"} @ordering)) { + my @cmd = ("pkcs12", "-export", "-in", "$ee.cer", "-inkey", "$ee.key", "-password", "pass:$passwd"); + openssl(@cmd, "-out", "$ee.p12"); + openssl(@cmd, "-out", "$ee.chain.p12", "-chain"); +} + +# Finally, generate an unrelated self-signed certificate for the server + +my $hostname = `hostname`; +chomp($hostname); +open(F, ">server.cnf") or die; +print(F <) { + chomp; + s/^\s*//; + s/^keyid://; + $a = $. + 1 + if (/X509v3 Authority Key Identifier:/); + $s = $. + 1 + if (/X509v3 Subject Key Identifier:/); + $aki = $_ + if ($a && $. == $a); + $ski = $_ + if ($s && $. == $s); + } + close(F); + my $gaki = $aki ? g($aki) : "=" x 27; + my $gski = $ski ? g($ski) : "=" x 27; + print("$gaki $gski $file\n"); +} diff --git a/scripts/Old/make-hashes.pl b/scripts/Old/make-hashes.pl new file mode 100644 index 00000000..4b58a9d0 --- /dev/null +++ b/scripts/Old/make-hashes.pl @@ -0,0 +1,42 @@ +# -*- Perl -*- +# $Id$ + +use strict; + +my $openssl = "/u/sra/isc/route-pki/subvert-rpki.hactrn.net/openssl/openssl/apps/openssl"; +my $dir = "hashed"; + +my @cmds; +my %hashes; + +exit unless (@ARGV); + +open(F, "-|", "find", @ARGV, qw{-type f ( -name *.cer -o -name *.crl )}) + or die("Couldn't run find: $!\n"); + +@ARGV = (); + +while () { + chomp; + my $f = $_; + my $type = /\.cer$/ ? "x509" : "crl"; + $_ = "$dir/$f"; + s=/[^/]+$==; + my $d = $_; + my $h = `$openssl $type -inform DER -in $f -noout -hash`; + chomp($h); + $h .= "."; + $h .= "r" if ($type eq "crl"); + $h .= 0 + $hashes{$d}{$h}++; + push(@cmds, "$openssl $type -inform DER -outform PEM -out $d/$h -in $f\n"); +} + +close(F); + +print("rm -rf $dir\n"); + +print("test -d $_ || mkdir -p $_\n") + foreach (sort(keys(%hashes))); + +print($_) + foreach (@cmds); 
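Review bot: `$f` is read from `find` over the repository directories given on the command line (the rsync mirrors) and interpolated without quoting into backticks (`` `$openssl $type -inform DER -in $f -noout -hash` ``) and into the emitted shell commands, so a filename containing shell metacharacters runs commands both in this process and in the generated script. Replace the backticks with a list-form pipe, `open(my $h, "-|", $openssl, $type, "-inform", "DER", "-in", $f, "-noout", "-hash")`, and shell-quote `$f` and `$d/$h` in the `push(@cmds, …)` line. The generated `rm -rf $dir` is safe only because `$dir` is a constant; a comment saying that `hashed` is wiped on every run would make the intent explicit. The `while () {` and `chomp(my @files = );` forms as rendered here have lost their `<F>` operands, which looks like a display artefact rather than a change in the commit.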
diff --git a/scripts/Old/master.sh b/scripts/Old/master.sh
new file mode 100644
index 00000000..8f59d357
--- /dev/null
+++ b/scripts/Old/master.sh
@@ -0,0 +1,24 @@
+#!/bin/sh -
+# $Id$
+
+scripts="subvert-rpki.hactrn.net/scripts"
+
+repositories="ca-trial.ripe.net/RIPE ca-trial.ripe.net/ARIN repository.apnic.net"
+
+cd `dirname $0`
+
+. $scripts/mirror-apnic.sh
+. $scripts/mirror-ripe.sh
+
+perl $scripts/gen-verify-test.pl $repositories |
+tee verify.sh |
+sh 2>&1 |
+tee verify.log
+
+perl $scripts/make-hashes.pl $repositories |
+tee make-hashes.sh |
+sh 2>&1 |
+tee make-hashes.log
+
+sh $scripts/check-hashes.sh 2>&1 |
+tee check-hashes.log
diff --git a/scripts/Old/mirror-apnic.sh b/scripts/Old/mirror-apnic.sh
new file mode 100644
index 00000000..995efcb8
--- /dev/null
+++ b/scripts/Old/mirror-apnic.sh
@@ -0,0 +1,12 @@
+#!/bin/sh -
+# $Id$
+
+# An unknown entity representing itself as gmm says that this is the
+# trust anchor for the APNIC test repository.
+#
+fetch -m -o repository.apnic.net/trust-anchor.cer \
+ http://mirin.apnic.net/resourcecerts/trust-anchor.cer
+
+# Mirror the repository itself
+#
+rsync -aiz --delete rsync://repository.apnic.net/APNIC/ repository.apnic.net/APNIC/
diff --git a/scripts/Old/mirror-ripe.sh b/scripts/Old/mirror-ripe.sh
new file mode 100644
index 00000000..f2ba5a17
--- /dev/null
+++ b/scripts/Old/mirror-ripe.sh
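Review bot: Both `perl … | tee verify.sh | sh` pipelines execute generated shell whose command lines embed filenames taken from the rsync mirrors synced a few lines earlier, so whatever the remote repositories choose to name is run by `sh` with the privileges of whoever runs master.sh and without any review in between. The generators should quote what they emit, but this script should at least not source and run mirror content blindly; `sh -n verify.sh` before execution, or running the verify step under a dedicated unprivileged user, limits the blast radius. `cd \`dirname $0\`` is unchecked and everything after it uses relative paths; `cd "$(dirname "$0")" || exit 1` plus `set -e` stops the chain from verifying a half-synced tree when a mirror step fails.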
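Review bot: The trust anchor is fetched over plain `http://` from a source the comment itself says is unverified, and `fetch -m` silently replaces the local copy whenever the remote claims to be newer, so the root that every later verification chains to can be swapped by anyone on the path. Record the anchor's fingerprint once, out of band, and refuse to proceed when the download does not match it, e.g. `test "$(openssl x509 -inform DER -noout -fingerprint -sha256 -in repository.apnic.net/trust-anchor.cer)" = "$expected_fp" || exit 1` (adjust `-inform` if the file turns out to be PEM). Keep the provenance caveat in the comment and put the expected fingerprint next to it so the two are reviewed together.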
@@ -0,0 +1,46 @@
+#!/bin/sh -
+# $Id$
+
+# The following are freshly produced in conformance with Geoff &
+# George's latest developments - I hope.
+
+# Trust Anchors (consider this an out-of-band delivery method):
+
+# RIPE TA:
+fetch -m -o ca-trial.ripe.net/riperoot/repos/root.cer \
+ http://ca-trial.ripe.net/~riperoot/repos/root.cer
+
+# ARIN TA:
+fetch -m -o ca-trial.ripe.net/arinroot/repos/root.cer \
+ http://ca-trial.ripe.net/~arinroot/repos/root.cer
+
+# The repositories are here:
+rsync -aiz --delete rsync://ca-trial.ripe.net/RIPE/ ca-trial.ripe.net/RIPE/
+rsync -aiz --delete rsync://ca-trial.ripe.net/ARIN/ ca-trial.ripe.net/ARIN/
+
+# Some test certificates:
+
+# RIPE->RIPE->ISP:
+fetch -m -o ca-trial.ripe.net/ripeprod/repos/ripe-08.cer \
+ http://ca-trial.ripe.net/~ripeprod/repos/ripe-08.cer
+
+# ARIN->ARIN->ISP:
+fetch -m -o ca-trial.ripe.net/arinprod/repos/arin-01.cer \
+ http://ca-trial.ripe.net/~arinprod/repos/arin-01.cer
+
+# RIPE->ARIN->ISP:
+fetch -m -o ca-trial.ripe.net/arinprod/repos/ripe-01.cer \
+ http://ca-trial.ripe.net/~arinprod/repos/ripe-01.cer
+
+# ARIN->RIPE->ISP:
+fetch -m -o ca-trial.ripe.net/ripeprod/repos/arin-01.cer \
+ http://ca-trial.ripe.net/~ripeprod/repos/arin-01.cer
+
+# I think they work with full up-down chaining, provided that I copied
+# everything in place.
+#
+# George, please look at these, I believe I only need your SIA for these to be
+# ready:
+#
+# RIPE->APNIC cert currently: http://ca-trial.ripe.net/~riperoot/repos/root-0E.cer
+# ARIN->APNIC cert currently: http://ca-trial.ripe.net/~arinroot/repos/root-09.cer
diff --git a/scripts/Old/resource-set.py b/scripts/Old/resource-set.py
new file mode 100644
index 00000000..fe0da8d3
--- /dev/null
+++ b/scripts/Old/resource-set.py
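Review bot: The RIPE and ARIN roots are labelled "out-of-band delivery" in the comment but are in fact pulled over cleartext `http://` with `fetch -m`, which overwrites the local anchor whenever the server reports a newer file, so the anchors that gen-verify-test.pl later treats as the top of every chain are only as trustworthy as the network path. Verify each download against a fingerprint recorded in this file, e.g. `openssl x509 -inform DER -noout -fingerprint -sha256 -in ca-trial.ripe.net/riperoot/repos/root.cer` compared with a pinned value, and fail the script on mismatch. The trailing paragraph addressed to George is correspondence rather than documentation; replace it with a short comment stating what the four test certificates exercise.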
@@ -0,0 +1,83 @@ +# $Id$ + +import socket +import re + +class ip_address(object): + + def __init__(self, text): + self.addr = socket.inet_pton(self.af, text) + + def __str__(self): + return socket.inet_ntop(self.af, self.addr) + + def __eq__(self, other): + return self.addr == other.addr + + def __hash__(self): + return self.addr.__hash__() + +class ipv4_address(ip_address): + af = socket.AF_INET + +class ipv6_address(ip_address): + af = socket.AF_INET6 + +class resource(object): + pass + +class asn(resource, long): + pass + +class ip_prefix(resource): + + def __init__(self, addr, prefixlen): + self.addr = self.ac(addr) + self.prefixlen = prefixlen + + def __str__(self): + return str(self.addr) + "/" + str(self.prefixlen) + + def __eq__(self, other): + return self.addr == other.addr and self.prefixlen == other.prefixlen + + def __hash__(self): + return self.addr.__hash__() + self.prefixlen.__hash__() + +class ipv4_prefix(ip_prefix): + ac = ipv4_address + +class ipv6_prefix(ip_prefix): + ac = ipv6_address + +class resource_range(resource): + + def __init__(self, min, max): + assert isinstance(min, resource) and isinstance(max, resource) + self.min = min + self.max = max + + def __str__(self): + return str(self.min) + "-" + str(self.max) + + def __eq__(self, other): + return self.min == other.min and self.max == other.max + + def __hash__(self): + return self.min.__hash__() + self.max.__hash__() + +class resource_set(set): + + def __init__(self, *elts): + for e in elts: + assert isinstance(e, resource) + set.__init__(self, elts) + + def __str__(self): + s = [i for i in self] + s.sort() + return "{" + ", ".join(map(str, s)) + "}" + +s = resource_set(ipv6_prefix("fe80::", 16), ipv4_prefix("10.0.0.44", 32), ipv4_prefix("10.3.0.44", 32)) + +print s diff --git a/scripts/Old/test-pow.py b/scripts/Old/test-pow.py new file mode 100644 index 00000000..06827995 --- /dev/null +++ b/scripts/Old/test-pow.py 
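Review bot: `ip_prefix.__init__` stores any `prefixlen` without checking it against the address family, so `ipv4_prefix("10.0.0.44", 200)` or a negative length is accepted and then compared and hashed as if valid; add `if not 0 <= prefixlen <= 8 * len(self.addr.addr): raise ValueError("bad prefix length %r" % prefixlen)` after the address is parsed. Host bits set below the prefix length (`10.0.0.44/24`) are likewise accepted, which matters if these objects are later used to compare certificate resource sets, since two textually different prefixes would then name the same block; either mask them or reject them and record the choice in a comment. `resource_set.__str__` sorts a mixed list of objects that define `__eq__` but no ordering, so the printed order is arbitrary in Python 2 and a `TypeError` in Python 3; sort on `str(i)` or give the classes a `__lt__`.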
@@ -0,0 +1,89 @@ +# $Id$ + +import POW, POW.pkix, base64, rpki.ipaddrs, rpki.resource_set + +Alice_EE = """ +MIIDGDCCAgCgAwIBAgIJANkdU8+R7K3dMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV +BAMTGVRlc3QgQ2VydGlmaWNhdGUgQWxpY2UgQ0EwHhcNMDcwNjE5MTk1MzE4WhcN +MDcwNzE5MTk1MzE4WjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEFsaWNl +IEVFMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzxuYZsSzM7J4D/GN +TiSB/EzRF7U91bYIoqZHG/NcLePFJfHKvKd7LuRNXI4WXrUjQ+6VlcQGdPfo6uvZ +9r/UKocS3ATc7p28CkMNM99RcLM4OWg70021MwmS04CaMpUftsQCtSwAVrWkL3dM +C9LuMdChA619q1x56RGrBeqgnk9NfHahUjmqjhUVQejTk2fYfLcINdxUwOQP9GT5 +bQLhf5hxq+QsixyBjB0BE/h1KxCRJITu5JLzCZIxHxMeN/MdDz3T0m1Vhwd7KZZS +H1Iq5WIBArhzuLQsekSL4GmDLXSxuLi68w8W53YEpc4hRzS29+p1mMK5bZMttvYN +hfoVOQIDAQABo00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBTDNm3cT2DjtkzqsI7N +hTSoXmbGsDAfBgNVHSMEGDAWgBRqTejqD9pJQzENNALChYOBrglzEzANBgkqhkiG +9w0BAQUFAAOCAQEAZac7WWRWCItjea9O6YJgB1EUy0NdN7rRuzQSJg9LQfsevwJK +s2R/gV6RF8c53BnexUoVOu5VxSFZin9qRMMZxEMzo3TlFY2JuhPchLFrnYQ5SsjL +w25iLY9xaswZoaAdu4HG5IbN+Drew4Hlfqfoqgi1x79MbL4i+xdPjrHjV+5T/bLE +hADax/Ki7qWOMW2eMWIYuhyHwlqaJaa4xvgSuBdzccPur9nYuYyMQhR5FEtiBrFk +H+SG3DPUYnJjHo/0hqZ+cRRtoNJO00gfgzDUYGIrDak4aGapJsGcJ5/6xIvYKrpu +mkmvYl9m3IB1QYSAtu+0C98ShPgIFNqLvWOceA== +""" + +APNIC_Root = """ +MIIHMjCCBhqgAwIBAgIBcjANBgkqhkiG9w0BAQsFADBNMS4wLAYDVQQDEyVEZW1v +IEFQTklDIFJPT1QgQ0EgLSBOb3QgZm9yIHJlYWwgdXNlMRswGQYJKoZIhvcNAQkB +FgxjYUBhcG5pYy5uZXQwHhcNMDYxMTE2MDU1MDEwWhcNMDcxMTE2MDU1MDEwWjA2 +MTQwMgYDVQQDEytEZW1vIFByb2R1Y3Rpb24gQVBOSUMgQ0EgLSBOb3QgZm9yIHJl +YWwgdXNlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA64tZcEhcMvdF +s0sXVF+op473Px/0ANRBHKl772wzTIBno6I4+RNmh8zkasTh6aKhNwcpkc03AaTs +cFmPrlq5PREyZrO1vzq6McShEH5/FcVLUcHKKq46/f+0mx7ec/ExaeRljHJeIVxJ +TuKUrs87PbPYBz+KI6bjb4e0ICsVgomat6DphPPd3krCBJVNqBD6W2UCv1huK9Kx +6egiWaqAYzcrI3W0TFNA5+RUnjnybB0qg1pOkdgKDOEFnIkl0MnX4ENSWNOnezHF +myV3ypJ+42Zllu5OZacqbPh+UJzHv4rMdfKjwpvn1ofiqglYG74HY2lzXSUyYPuA +cZX9572A9wIDAQABo4IEMjCCBC4wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E 
+BAMCAQYwHQYDVR0OBBYEFKuuiK1khrgRO46sfDwFBwJRwqkcMB8GA1UdIwQYMBaA +FKb6Y78FHkIsdnueF/Hxm4ZnWDKNMBgGA1UdIAEB/wQOMAwwCgYIKwYBBQUHDgIw +PQYDVR0fBDYwNDAyoDCgLoYscnN5bmM6Ly9yZXBvc2l0b3J5LmFwbmljLm5ldC9B +UE5JQy9BUE5JQy5jcmwwTwYIKwYBBQUHAQEEQzBBMD8GCCsGAQUFBzAChjNyc3lu +YzovL3JlcG9zaXRvcnkuYXBuaWMubmV0L1RSVVNUQU5DSE9SUy9hcG5pYy5jZXIw +WwYIKwYBBQUHAQsETzBNMEsGCCsGAQUFBzAFhj9yc3luYzovL3JlcG9zaXRvcnku +YXBuaWMubmV0L0FQTklDL3E2NklyV1NHdUJFN2pxeDhQQVVIQWxIQ3FSdy8wggJF +BggrBgEFBQcBCAEB/wSCAjQwggIwoIICLDCCAigCAgCtAgICqQICBMUCAgTRAgIE +1QICBOICAgZ7AgIGqDAIAgIG6AICBukCAgb1AgIHOwICB/oCAghgAgIJUTAIAgIJ +wQICCeACAgnpAgIJ+gICCgMwCAICCgkCAgoKAgIKiQICCpICAgqZAgIKxAICCswC +AgrUAgILBwICC1sCAgtjMAgCAgttAgILbgICDR0CAg0jAgINNgICDT8CAg1DAgIN +hAICDYYCAg2gAgINtgICDd4wCAICDeYCAg3nAgIN/wICDhUCAg4YMAgCAg5NAgIO +TjAIAgIOaQICDm0CAg5/AgIOhTAIAgIOowICDqQwCAICDq0CAg6uAgIOvQICDr8C +Ag7IMAgCAg7KAgIOywICDuUCAg7xAgIO/DAIAgIO/wICDwACAg9ZAgIPgQICD4gC +Ag+nAgIPyAICD9ECAg/aAgIP3AICECYCAhAuAgIQPjAIAgIQTgICEE8CAhBlAgIQ +agICEJsCAhCyAgIRADAIAgIRHQICER4CAhFPMAgCAhFRAgIRUgICEaMCAhGwAgIR +ugICEfICAhH9MAgCAhIAAgITAAICE2EwCAICE5kCAhOaAgITuwICE90CAhPfAgIW +TQICF7QCAhgTAgIYdgICGdsCAhn4AgIb2wICHAcwCAICHSsCAh4qAgIerwICHt0w +CAICJAACAif/AgIqNwICLMswCAICRAACAkf/AgJM+TAIAgJcAAICX/8wCgIDAJQA +AgMAl/8wewYIKwYBBQUHAQcBAf8EbDBqMDQEAgABMC4wCAMCAToDAgE8MAgDAgB5 +AwIAfgMCAJYDAgCjAwIBygMCAdIwCAMCAdoDAgDeMDIEAgACMCwDBAEgAQIDBAIg +AQwDBAEgAUQwDAMEByABgAMEBCABoDAKAwICJAMEAyQAQDANBgkqhkiG9w0BAQsF +AAOCAQEAxjUMY1cBdWUXWmPOwK6zk8E7BOVR3U7U62AfYqlE75cjt2RhRQBcc0XP +tEG8rl6DJMmzH6XB0+czrsUijeBdRBeC+WTMbJd1ZMzgqrqHgXI0CjdjPMR0k6Dx +qpsdDXmlIuAIUHy/GISIel9N/eXSu8ctsWXV2YYlaf7WVGHIhmJs03iSu324vJSk +vhlLtNxdV+neQhkXT54mrx7mADxWYz5+rjWFvJuiOfQicXJI4uh5oAN8POcfx4hu +7xYYqCunudhilCEz53CCcjzCAx5pW1jl32YdguWEwTf6ttwTnTsXQ0a+waMk4ljw +uMsR5Xzvy12ti/m+7MSTLR1kMxJOFA== +""" + +alice = base64.b64decode(Alice_EE) +apnic = base64.b64decode(APNIC_Root) + +verbose = True + +for der in (alice, apnic): + cert = POW.derRead(POW.X509_CERTIFICATE, der) + 
print cert.pprint() + cert = POW.pkix.Certificate() + cert.fromString(der) + if verbose: + for oid, crit, val in cert.getExtensions(): + print " OID: ", oid, POW.pkix.oid2obj(oid) + print " Crit: ", crit + print " Value:", val + print + bag = rpki.resource_set.parse_extensions(cert.getExtensions()) + if bag.as: print ",".join(map(lambda x: "AS:" + str(x), bag.as)) + if bag.v4: print ",".join(map(lambda x: "IPv4:" + str(x), bag.v4)) + if bag.v6: print ",".join(map(lambda x: "IPv6:" + str(x), bag.v6)) + if bag.as is not None: print bag.as.to_tuple() + if bag.v4 is not None: print bag.v4.to_tuple() + if bag.v6 is not None: print bag.v6.to_tuple() diff --git a/scripts/Old/test-sql.py b/scripts/Old/test-sql.py new file mode 100644 index 00000000..6357ed42 --- /dev/null +++ b/scripts/Old/test-sql.py @@ -0,0 +1,36 @@ +# $Id$ + +import MySQLdb, rpki.config + +def test(filename, section): + + print "[Checking " + filename + "]\n" + + cfg = rpki.config.parser(filename) + + db = MySQLdb.connect(user = cfg.get(section, "sql-username"), + db = cfg.get(section, "sql-database"), + passwd = cfg.get(section, "sql-password")) + + cur = db.cursor() + + def duh(db, cmd, header): + cur.execute(cmd) + print header + print "-" * len(header) + print cur.description + for i in cur.fetchall(): + print i[0] + print + + duh(db, "SHOW DATABASES", "Databases") + duh(db, "SELECT DATABASE()", "Current database") + duh(db, "SHOW TABLES", "Current tables") + + db.close() + +print MySQLdb.Timestamp(2007,6,9,9,45,51), MySQLdb.DateFromTicks(1000), \ + MySQLdb.Binary("Hi, Mom!"), MySQLdb.STRING, MySQLdb.BINARY, MySQLdb.NUMBER, MySQLdb.NULL, "\n" + +test("re.conf", "rpki") +test("irbe.conf", "irdb") diff --git a/scripts/Old/uri.pl b/scripts/Old/uri.pl new file mode 100644 index 00000000..cd029fec --- /dev/null +++ b/scripts/Old/uri.pl 
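Review bot: `bag.as` uses `as`, which is a reserved word from Python 2.6 onward (a warning in 2.5), so the four `bag.as` lines stop parsing on any newer interpreter; `getattr(bag, "as")` or renaming the attribute in `rpki.resource_set` avoids that. The two embedded certificates appear, from their UTCTime fields, to have expired in July and November 2007 respectively, which is fine for an extension-parsing test but worth a comment so nobody later feeds them to a validity-checking path. The function body started on the previous lines of this hunk.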
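Review bot: `duh` declares a `db` parameter it never uses and instead closes over `cur` from the enclosing scope, so the helper's signature misstates what it depends on; `def duh(cur, cmd, header)` called as `duh(cur, …)` reads honestly. `db.close()` is skipped whenever one of the three queries raises, leaving the connection open; wrap the calls in `try: … finally: db.close()`. The password is read from the config file and never printed, which is correct, but a comment noting that `MySQLdb.connect` is given no `host` and therefore uses the local socket would help whoever runs this against a different setup.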
@@ -0,0 +1,53 @@ +: +# $Id$ +eval 'exec perl -w -S $0 ${1+"$@"}' + if 0; + +use strict; + +my $format = "DER"; +my $badsia = 0; + +while ($ARGV[0] =~ /^--/) { + $_ = shift; + if (/^--der/) { $format = "DER"; next } + if (/^--pem/) { $format = "PEM"; next } + if (/^--badsia/) { $badsia = 1; next } + if (/^--help/) { + print("$0 [ --der | --pem ] [ --badsia ] cert [ cert ...]\n"); + exit; + } + die("Unrecognized option: $_"); +} + +while (@ARGV) { + my $file = shift(@ARGV); + my ($aia, $sia, $cdp, $a, $s, $c) = qw(- - -); + next unless ($file =~ /\.cer$/); + open(F, "-|", ( qw(openssl x509 -noout -inform), $format, + qw(-text -in), $file)) + or die("Couldn't run openssl x509 on $file: $!\n"); + while () { + chomp; + s{^.+URI:rsync://}{}; + $a = $. + 1 + if (/Authority Information Access:/); + $s = $. + 1 + if (/Subject Information Access:/); + $c = $. + 1 + if (/X509v3 CRL Distribution Points:/); + $aia = $_ + if ($a && $. == $a); + $sia = $_ + if ($s && $. == $s); + $cdp = $_ + if ($c && $. == $c); + } + close(F); + if ($badsia) { + print("$file\n\t$sia\n") + if ($sia && $sia =~ m=[^/]$=); + } else { + print("$aia $sia $cdp $file\n"); + } +} diff --git a/scripts/check-hashes.sh b/scripts/check-hashes.sh deleted file mode 100644 index 87c140de..00000000 --- a/scripts/check-hashes.sh +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/sh - -# $Id$ - -: ${openssl=/u/sra/isc/route-pki/subvert-rpki.hactrn.net/openssl/openssl/apps/openssl} -: ${switches='-verbose -crl_check_all -policy_check -explicit_policy -policy 1.3.6.1.5.5.7.14.2 -x509_strict'} -: ${hashtree=hashed} - -find $hashtree -type f -name '*.[0-9]*' 2>&1 -print -exec \ - $openssl verify $switches -CApath $(find $hashtree -type d | tr \\012 : | sed 's=:$==') {} \; - -# Hack for analyzing results of running this script: -# -# awk -F: '/^hashed/ && NF == 1 {f = $0; p = 1; next} /^hashed/ && NF == 2 && $1 == f && $2 == " OK" {next} p {print "\n" f; p = 0} {print}' check-hashes.log 
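Review bot: `$sia` captures only the single line following `Subject Information Access:`, so `--badsia` inspects just the first accessDescription; RPKI CA certificates may carry several SIA entries, and a second `rsync://` entry missing its trailing `/` would go unreported — if that is intended, a comment saying "first SIA entry only" would make it explicit. The option loop evaluates `$ARGV[0] =~ /^--/` with an empty `@ARGV`, which emits an uninitialized-value warning under the `-w` in the exec trampoline; `while (@ARGV and $ARGV[0] =~ /^--/)` avoids it. This script runs `openssl` from `$PATH` while its siblings pin a specific build; list-form `open` makes that safe, but a comment noting that only the `-text` rendering of AIA/SIA/CDP is relied on would tell readers why the pinned build is not needed here.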
diff --git a/scripts/encode-test.py b/scripts/encode-test.py deleted file mode 100755 index b4709866..00000000 --- a/scripts/encode-test.py +++ /dev/null @@ -1,161 +0,0 @@ -# $Id$ - -import os - -def run(func, arg, *cmd): - i, o = func(cmd) - i.write(arg) - i.close() - value = o.read() - o.close() - return value - -def encode(xml, cer, key): - return run(os.popen2, xml, "openssl", "smime", "-sign", "-nodetach", "-outform", "PEM", "-signer", cer, "-inkey", key) - -def decode(cms, dir): - return run(os.popen2, cms, "openssl", "smime", "-verify", "-inform", "PEM", "-CApath", dir) - -def relaxng(xml, rng): - return run(os.popen4, xml, "xmllint", "--noout", "--relaxng", rng, "-") - -def main(): - dir = "biz-certs" - cer = "biz-certs/Alice-EE.cer" - key = "biz-certs/Alice-EE.key" - rng = "up-down-schema.rng" - - for x in xml: - print x - e = encode(x, cer, key) - print e - d = decode(e, dir) - print d - v = relaxng(d, rng) - print v - print "=====\n" - -# Ugly inline stuff here for initial testing - -xml = [ -''' - - 2001 - 17 - [Readable text] - -''', -''' - - - deadbeef - - -''', -''' - - - - deadbeef - - deadbeef - - -''', -''' - -''', -''' - - - - deadbeef - - - deadbeef - - -''', -''' - - - -''', -''' - - - -''' -] - -main() diff --git a/scripts/gen-verify-test.pl b/scripts/gen-verify-test.pl deleted file mode 100644 index e1b53579..00000000 --- a/scripts/gen-verify-test.pl +++ /dev/null 
@@ -1,104 +0,0 @@ -: -# $Id$ -eval 'exec perl -w -S $0 ${1+"$@"}' - if 0; - -use strict; - -my $openssl = "/u/sra/isc/route-pki/subvert-rpki.hactrn.net/openssl/openssl/apps/openssl"; - -my $verify_options = "-verbose -crl_check_all -policy_check -explicit_policy -policy 1.3.6.1.5.5.7.14.2 -x509_strict"; - -my $verbose = 1; - -my $debug = $ENV{DEBUG}; - -exit unless (@ARGV); - -# Find all certificates in the repository - -open(F, "-|", "find", @ARGV, qw(-type f -name *.cer)) - or die("Couldn't run find: $!\n"); -chomp(my @files = ); -close(F); -@ARGV = (); - -# Snarf all the AIA and CDP values from the certs we're examining. -# Icky screen scraping, better mechanism needed. - -my %aia; -my %cdp; - -for my $f (@files) { - my ($a, $c) = (0, 0); - open(F, "-|", $openssl, qw(x509 -noout -text -inform DER -in), $f) - or die("Couldn't run openssl x509 on $f: $!\n"); - while () { - chomp; - s{^.+URI:rsync://}{}; - $a = $. + 1 - if (/Authority Information Access:/); - $c = $. + 1 - if (/X509v3 CRL Distribution Points:/); - $aia{$f} = $_ - if ($a && $. == $a); - $cdp{$f} = $_ - if ($c && $. == $c); - } - print(STDERR $f, " ", ($aia{$f} || "-"), " ", ($cdp{$f} || "-"), "\n") - if ($debug); - close(F); -} - -# Sort out ancestry - -my %daddy; - -for my $f (@files) { - next unless ($aia{$f}); - my @daddy = grep({ $_ eq $aia{$f} } @files); - die("Can't figure out who my daddy is! 
$f @{[join(' ', @daddy)]}\n") - if (@daddy > 1); - $daddy{$f} = $daddy[0] - if (@daddy && $daddy[0] ne $f); - print(STDERR "me: $f, daddy: $daddy[0]\n") - if ($debug); -} - -# Generate a test script based on all of the above - -for my $f (@files) { - my @ancestors; - for (my $d = $daddy{$f}; $d; $d = $daddy{$d}) { - push(@ancestors, $d); - } - next unless (@ancestors); - my @crls; - for my $c (map {$cdp{$_}} ($f, @ancestors)) { - push(@crls, $c) - unless (grep {$_ eq $c} @crls); - } - print("echo ", "=" x 40, "\n", - "echo Checking chain:\n") - if ($verbose > 0); - for (($f, @ancestors)) { - print("echo ' Certificate: $_'\n") - if ($verbose > 0); - print("$openssl x509 -noout -text -inform DER -certopt no_header,no_signame,no_validity,no_pubkey,no_sigdump,no_version -in $_\n") - if ($verbose > 1); - } - for (@crls) { - print("echo ' CRL: $_'\n") - if ($verbose > 0); - print("$openssl crl -noout -text -inform DER -in $_\n") - if ($verbose > 1); - } - print("rm -f CAfile.pem cert-in-hand.pem\n"); - print("$openssl x509 -inform DER -outform PEM >>CAfile.pem -in $_\n") - foreach (@ancestors); - print("$openssl crl -inform DER -outform PEM >>CAfile.pem -in $_\n") - foreach (@crls); - print("$openssl x509 -inform DER -outform PEM -out cert-in-hand.pem -in $f\n", - "$openssl verify -CAfile CAfile.pem $verify_options cert-in-hand.pem\n", - "rm -f CAfile.pem cert-in-hand.pem\n"); -} diff --git a/scripts/generate-testrepo.pl b/scripts/generate-testrepo.pl deleted file mode 100644 index bacbe0de..00000000 --- a/scripts/generate-testrepo.pl +++ /dev/null 
@@ -1,337 +0,0 @@ -# $Id$ - -# Hack to generate a small test repository for testing Apache + OpenSSL + RPKI - -use strict; - -my %resources; -my %parent; -my @ordering; -my %hashes; - -my $openssl = "../../openssl/openssl/apps/openssl"; -my $subdir = "apacheca"; -my $passwd = "fnord"; -my $keybits = 2048; -my $verbose = 0; -my $debug = 1; -my $revoke = 0; - -sub openssl { - print(STDERR join(" ", qw(+ openssl), @_), "\n") - if ($debug); - !system($openssl, @_) - or die("openssl @_ returned $?\n"); -} - -# Ok, this is a bit complicated, but the idea is to let us specify the -# resources we're giving to each leaf entity and let the program do -# the work of figuring out what resources each issuers need to have, -# the order in which we need to generate the certificates, which -# certificates need to sign which other certificates, etcetera. -# -# This would be much easier to read in a sane language (eg, Scheme). - -{ - my @ctx; - my $loop ; - $loop= sub { - my $x = shift; - if (ref($x) eq "HASH") { - while (my ($k, $v) = each(%$x)) { - $parent{$k} = $ctx[@ctx - 1]; - push(@ordering, $k); - push(@ctx, $k); $loop->($v); pop(@ctx); - } - } else { - for my $c (@ctx) { push(@{$resources{$c}}, @$x) } - } - }; - $loop->({ - RIR => { - LIR1 => { - ISP1 => [IPv4 => "192.0.2.1-192.0.2.33", AS => "64533"], - ISP2 => [IPv4 => "192.0.2.44-192.0.2.100"], - }, - LIR2 => { - ISP3 => [IPv6 => "2001:db8::44-2001:db8::100"], - ISP4 => [IPv6 => "2001:db8::10:0:44", AS => "64544"], - }, - }, - }); -} - -# Put this stuff into a subdirectory - -mkdir($subdir) unless (-d $subdir); -chdir($subdir) or die; - -# Generate configurations for each entity. 
- -while (my ($entity, $resources) = each(%resources)) { - my %r; - print($entity, ":\n") - if ($verbose); - for (my $i = 0; $i < @$resources; $i += 2) { - printf(" %4s: %s\n", $resources->[$i], $resources->[$i+1]) - if ($verbose); - push(@{$r{$resources->[$i]}}, $resources->[$i+1]); - } - open(F, ">${entity}.cnf") or die; - print(F <${entity}/index") or die; - close(F); - } - if (!-f "${entity}/serial") { - open(F, ">${entity}/serial") or die; - print(F "01\n") or die; - close(F); - } - - openssl("ca", "-batch", "-verbose", "-out", "${entity}.cer", "-in", "${entity}.req", - "-extensions", "req_x509_ext", "-extfile", "${entity}.cnf", - ($parent{$entity} - ? ("-config", "${parent{$entity}}.cnf") - : ("-config", "${entity}.cnf", "-selfsign"))); -} - -# Generate CRLs - -for my $entity (@ordering) { - openssl("ca", "-batch", "-verbose", "-out", "${entity}.crl", - "-config", "${entity}.cnf", "-gencrl"); -} - -# Generate EE certs - -for my $parent (@ordering) { - my $entity = "${parent}-EE"; - open(F, ">${entity}.cnf") or die; - print(F <${entity}/index") or die; - close(F); - } - if (!-f "${entity}/serial") { - open(F, ">${entity}/serial") or die; - print(F "01\n") or die; - close(F); - } - - openssl("ca", "-batch", "-verbose", "-config", "${parent}.cnf", - "-extensions", "req_x509_ext", "-extfile", "${entity}.cnf", - "-out", "${entity}.cer", "-in", "${entity}.req"); -} - -# Generate hashes - -for my $cert (map({("$_.cer", "$_-EE.cer")} @ordering)) { - my $hash = `$openssl x509 -noout -hash -in $cert`; - chomp($hash); - $hash .= "."; - $hash .= (0 + $hashes{$hash}++); - unlink($hash) if (-l $hash); - symlink($cert, $hash) - or die("Couldn't link $hash to $cert: $!\n"); -} - -for my $crl (map({"$_.crl"} @ordering)) { - my $hash = `$openssl crl -noout -hash -in $crl`; - chomp($hash); - $hash .= ".r"; - $hash .= (0 + $hashes{$hash}++); - unlink($hash) if (-l $hash); - symlink($crl, $hash) - or die("Couldn't link $hash to $crl: $!\n"); -} - -# Generate PKCS12 forms of EE 
certificates -# -chain argument to pkcs12 requires certificate store, which we configure via an environment variable - -$ENV{SSL_CERT_DIR} = do { my $pwd = `pwd`; chomp($pwd); $pwd; }; - -for my $ee (map({"$_-EE"} @ordering)) { - my @cmd = ("pkcs12", "-export", "-in", "$ee.cer", "-inkey", "$ee.key", "-password", "pass:$passwd"); - openssl(@cmd, "-out", "$ee.p12"); - openssl(@cmd, "-out", "$ee.chain.p12", "-chain"); -} - -# Finally, generate an unrelated self-signed certificate for the server - -my $hostname = `hostname`; -chomp($hostname); -open(F, ">server.cnf") or die; -print(F <%(self)s/serial - %(openssl)s ca -batch -out $@ -in %(self)s.req -extfile %(self)s.cnf -config %(signconf)s - - -show_req:: - %(openssl)s req -noout -text -in %(self)s.req -config /dev/null - -show_cer:: - %(openssl)s x509 -noout -text -in %(self)s.cer -''' - -openssl_cfg_fmt = '''# Automatically generated, do not edit. - -[ ca ] -default_ca = ca_default - -[ ca_default ] -certificate = %(self)s.cer -serial = %(self)s/serial -private_key = %(self)s.key -database = %(self)s/index -new_certs_dir = %(self)s -name_opt = ca_default -cert_opt = ca_default -default_days = 365 -default_crl_days = 30 -default_md = sha256 -preserve = no -copy_extensions = copy -policy = ca_policy_anything -unique_subject = no -x509_extensions = ca_x509_ext -crl_extensions = crl_x509_ext - -[ ca_policy_anything ] -countryName = optional -stateOrProvinceName = optional -localityName = optional -organizationName = optional -organizationalUnitName = optional -commonName = supplied -emailAddress = optional -givenName = optional -surname = optional - -[ req ] -default_bits = %(keybits)d -encrypt_key = no -distinguished_name = req_dn -req_extensions = req_x509_ext -prompt = no - -[ req_dn ] -CN = TEST ENTITY %(self)s - -[ req_x509_ext ] -basicConstraints = critical,CA:true -subjectKeyIdentifier = hash -keyUsage = critical,keyCertSign,cRLSign -subjectInfoAccess = 
1.3.6.1.5.5.7.48.5;URI:rsync://wombats-r-us.hactrn.net/%(self)s/ -%(no_parent)sauthorityInfoAccess = caIssuers;URI:rsync://wombats-r-us.hactrn.net/%(parent)s.cer -%(no_asid)ssbgp-autonomousSysNum = critical,%(asid)s -%(no_addr)ssbgp-ipAddrBlock = critical,%(addr)s - -[ ca_x509_ext ] -basicConstraints = critical,CA:true -%(no_parent)sauthorityKeyIdentifier = keyid:always -keyUsage = critical,keyCertSign,cRLSign -subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombats-r-us.hactrn.net/%(self)s/ -%(no_parent)sauthorityInfoAccess = caIssuers;URI:rsync://wombats-r-us.hactrn.net/%(parent)s.cer -%(no_asid)ssbgp-autonomousSysNum = critical,%(asid)s -%(no_addr)ssbgp-ipAddrBlock = critical,%(addr)s - -[ crl_x509_ext ] -authorityKeyIdentifier = keyid:always -''' - -main() diff --git a/scripts/gki.pl b/scripts/gki.pl deleted file mode 100644 index e91c4abe..00000000 --- a/scripts/gki.pl +++ /dev/null @@ -1,46 +0,0 @@ -: -# $Id$ -eval 'exec perl -w -S $0 ${1+"$@"}' - if 0; - -use MIME::Base64; - -sub g { - my $x = shift; - $x =~ s{:}{}g; - $x = pack("H*", $x); - $x = encode_base64($x, ""); - $x =~ y{+/}{-_}; - $x =~ s{=+$}{}; - return $x; -} - -while (@ARGV) { - my ($file, $aki, $ski, $a, $s) = shift(@ARGV); - if ($file =~ /\.cer$/) { - open(F, "-|", qw(openssl x509 -noout -inform DER -text -in), $file) - or die("Couldn't run openssl x509 on $file: $!\n"); - } elsif ($file =~ /\.crl$/) { - open(F, "-|", qw(openssl crl -noout -inform DER -text -in), $file) - or die("Couldn't run openssl x509 on $file: $!\n"); - } else { - next; - } - while () { - chomp; - s/^\s*//; - s/^keyid://; - $a = $. + 1 - if (/X509v3 Authority Key Identifier:/); - $s = $. + 1 - if (/X509v3 Subject Key Identifier:/); - $aki = $_ - if ($a && $. == $a); - $ski = $_ - if ($s && $. == $s); - } - close(F); - my $gaki = $aki ? g($aki) : "=" x 27; - my $gski = $ski ? g($ski) : "=" x 27; - print("$gaki $gski $file\n"); -} 
diff --git a/scripts/make-hashes.pl b/scripts/make-hashes.pl deleted file mode 100644 index 4b58a9d0..00000000 --- a/scripts/make-hashes.pl +++ /dev/null @@ -1,42 +0,0 @@ -# -*- Perl -*- -# $Id$ - -use strict; - -my $openssl = "/u/sra/isc/route-pki/subvert-rpki.hactrn.net/openssl/openssl/apps/openssl"; -my $dir = "hashed"; - -my @cmds; -my %hashes; - -exit unless (@ARGV); - -open(F, "-|", "find", @ARGV, qw{-type f ( -name *.cer -o -name *.crl )}) - or die("Couldn't run find: $!\n"); - -@ARGV = (); - -while () { - chomp; - my $f = $_; - my $type = /\.cer$/ ? "x509" : "crl"; - $_ = "$dir/$f"; - s=/[^/]+$==; - my $d = $_; - my $h = `$openssl $type -inform DER -in $f -noout -hash`; - chomp($h); - $h .= "."; - $h .= "r" if ($type eq "crl"); - $h .= 0 + $hashes{$d}{$h}++; - push(@cmds, "$openssl $type -inform DER -outform PEM -out $d/$h -in $f\n"); -} - -close(F); - -print("rm -rf $dir\n"); - -print("test -d $_ || mkdir -p $_\n") - foreach (sort(keys(%hashes))); - -print($_) - foreach (@cmds); diff --git a/scripts/master.sh b/scripts/master.sh deleted file mode 100644 index 8f59d357..00000000 --- a/scripts/master.sh +++ /dev/null @@ -1,24 +0,0 @@ -#!/bin/sh - -# $Id$ - -scripts="subvert-rpki.hactrn.net/scripts" - -repositories="ca-trial.ripe.net/RIPE ca-trial.ripe.net/ARIN repository.apnic.net" - -cd `dirname $0` - -. $scripts/mirror-apnic.sh -. $scripts/mirror-ripe.sh - -perl $scripts/gen-verify-test.pl $repositories | -tee verify.sh | -sh 2>&1 | -tee verify.log - -perl $scripts/make-hashes.pl $repositories | -tee make-hashes.sh | -sh 2>&1 | -tee make-hashes.log - -sh $scripts/check-hashes.sh 2>&1 | -tee check-hashes.log diff --git a/scripts/mirror-apnic.sh b/scripts/mirror-apnic.sh deleted file mode 100644 index 995efcb8..00000000 --- a/scripts/mirror-apnic.sh +++ /dev/null 
@@ -1,12 +0,0 @@ -#!/bin/sh - -# $Id$ - -# An unknown entity representing itself as gmm says that this is the -# trust anchor for the APNIC test repository. -# -fetch -m -o repository.apnic.net/trust-anchor.cer \ - http://mirin.apnic.net/resourcecerts/trust-anchor.cer - -# Mirror the repository itself -# -rsync -aiz --delete rsync://repository.apnic.net/APNIC/ repository.apnic.net/APNIC/ diff --git a/scripts/mirror-ripe.sh b/scripts/mirror-ripe.sh deleted file mode 100644 index f2ba5a17..00000000 --- a/scripts/mirror-ripe.sh +++ /dev/null 
@@ -1,46 +0,0 @@ -#!/bin/sh - -# $Id$ - -# The following are freshly produced in conformance with Geoff & -# George's latest developments - I hope. - -# Trust Anchors (consider this an out-of-band delivery method): - -# RIPE TA: -fetch -m -o ca-trial.ripe.net/riperoot/repos/root.cer \ - http://ca-trial.ripe.net/~riperoot/repos/root.cer - -# ARIN TA: -fetch -m -o ca-trial.ripe.net/arinroot/repos/root.cer \ - http://ca-trial.ripe.net/~arinroot/repos/root.cer - -# The repositories are here: -rsync -aiz --delete rsync://ca-trial.ripe.net/RIPE/ ca-trial.ripe.net/RIPE/ -rsync -aiz --delete rsync://ca-trial.ripe.net/ARIN/ ca-trial.ripe.net/ARIN/ - -# Some test certificates: - -# RIPE->RIPE->ISP: -fetch -m -o ca-trial.ripe.net/ripeprod/repos/ripe-08.cer \ - http://ca-trial.ripe.net/~ripeprod/repos/ripe-08.cer - -# ARIN->ARIN->ISP: -fetch -m -o ca-trial.ripe.net/arinprod/repos/arin-01.cer \ - http://ca-trial.ripe.net/~arinprod/repos/arin-01.cer - -# RIPE->ARIN->ISP: -fetch -m -o ca-trial.ripe.net/arinprod/repos/ripe-01.cer \ - http://ca-trial.ripe.net/~arinprod/repos/ripe-01.cer - -# ARIN->RIPE->ISP: -fetch -m -o ca-trial.ripe.net/ripeprod/repos/arin-01.cer \ - http://ca-trial.ripe.net/~ripeprod/repos/arin-01.cer - -# I think they work with full up-down chaining, provided that I copied -# everything in place. -# -# George, please look at these, I believe I only need your SIA for these to be -# ready: -# -# RIPE->APNIC cert currently: http://ca-trial.ripe.net/~riperoot/repos/root-0E.cer -# ARIN->APNIC cert currently: http://ca-trial.ripe.net/~arinroot/repos/root-09.cer diff --git a/scripts/resource-cert-samples.py b/scripts/resource-cert-samples.py new file mode 100644 index 00000000..9ebcf5bc --- /dev/null +++ b/scripts/resource-cert-samples.py 
@@ -0,0 +1,234 @@
+# $Id$
+
+"""Generate an RPKI test repository.
+
+This script generates a toy RPKI repository for test purposes. It's
+designed to be relatively easy to reconfigure, making it simple to
+test whatever is of interest on a given day, without a lot of setup
+overhead.
+
+Outputs are a bunch of config files for the OpenSSL CLI tool and a
+makefile to drive everything.
+"""
+
+import rpki.resource_set, os
+
+subdir = "resource-cert-samples"
+openssl = "../../openssl/openssl/apps/openssl"
+keybits = 2048
+
+def main():
+ """Main program, including the toy database itself."""
+
+ db = allocation_db()
+ db.add("ISP1", ipv4="192.0.2.1-192.0.2.33", asn="64533")
+ db.add("ISP2", ipv4="192.0.2.44-192.0.2.100")
+ db.add("ISP3", ipv6="2001:db8::44-2001:db8::100")
+ db.add("ISP4", ipv6="2001:db8::10:0:44/128", asn="64544")
+ db.add("ISP5a", ipv4="10.0.0.0/24", ipv6="2001:db8::a00:0/120")
+ db.add("ISP5b", ipv4="10.3.0.0/24", ipv6="2001:db8::a03:0/120")
+ db.add("ISP5c", asn="64534-64540")
+ db.add("LIR1", children=["ISP1", "ISP2"])
+ db.add("LIR2", children=["ISP3", "ISP4"])
+ db.add("LIR3", children=["ISP5a", "ISP5b", "ISP5c"])
+ db.add("RIR", children=["LIR1", "LIR2", "LIR3"])
+
+ if not os.path.isdir(subdir):
+ os.mkdir(subdir)
+
+ for i in db:
+ write_maybe("%s/%s.cnf" % (subdir, i.name), i.cfg_string())
+
+ write_maybe("%s/Makefile" % subdir,
+ "# Automatically generated, do not edit.\n" +
+ "".join([i.makefile_rules() for i in db]))
+
+def write_maybe(name, new_content):
+ """Write a file if and only if its contents have changed.
+ This simplifies interactions with "make".
+ """
+ old_content = None
+ if os.path.isfile(name):
+ f = open(name, "r")
+ old_content = f.read()
+ f.close()
+ if old_content != new_content:
+ print "Writing", name
+ f = open(name, "w")
+ f.write(new_content)
+ f.close()
+
+class allocation_db(list):
+ """Class to represent an allocation database."""
+
+ def __init__(self):
+ self.allocation_map = {}
+
+ def add(self, name, **kw):
+ """Add a new entry to this allocation database.
+ All arguments passed through to the allocation constructor.
+ """
+ self.insert(0, allocation(name = name, allocation_map = self.allocation_map, **kw))
+
+class allocation(object):
+ """Class representing one entity holding allocated resources.
+
+ In order to simplify configuration, this class automatically
+ computes the set of resources that this entity must hold in order to
+ serve both itself and its children.
+ """
+
+ parent = None
+
+ def __init__(self, name, asn = None, ipv4 = None, ipv6 = None, children = [], allocation_map = None):
+ """Create a new allocation entry.
+
+ This binds the parent attributes of any children, and computes the
+ transitive closure of the set of resources this entity needs.
+ """
+ self.name = name
+ self.children = [allocation_map[i] for i in children]
+ for child in self.children:
+ assert child.parent is None
+ child.parent = self
+ self.asn = self.summarize("asn", rpki.resource_set.resource_set_as(asn))
+ self.ipv4 = self.summarize("ipv4", rpki.resource_set.resource_set_ipv4(ipv4))
+ self.ipv6 = self.summarize("ipv6", rpki.resource_set.resource_set_ipv6(ipv6))
+ allocation_map[name] = self
+
+ def summarize(self, attrname, seed = None):
+ """Compute the transitive resource closure for one resource attribute."""
+ if seed is None:
+ seed = getattr(self, attrname)
+ for child in self.children:
+ seed = seed.union(child.summarize(attrname))
+ return seed
+
+ def __str__(self):
+ return "%s\n ASN: %s\n IPv4: %s\n IPv6: %s" % (self.name, self.asn, self.ipv4, self.ipv6)
+
+ def cfg_string(self):
+ """Generate the OpenSSL configuration file needed for this entity."""
+ keys = { "self" : self.name,
+ "keybits" : keybits,
+ "no_parent" : "#",
+ "no_asid" : "#",
+ "no_addr" : "#",
+ "parent" : "???",
+ "asid" : "???",
+ "addr" : "???" }
+ if self.parent:
+ keys["no_parent"] = ""
+ keys["parent"] = self.parent.name
+ if self.asn:
+ keys["no_asid"] = ""
+ keys["asid"] = ",".join(["AS:" + str(x) for x in self.asn])
+ if self.ipv4 or self.ipv6:
+ keys["no_addr"] = ""
+ keys["addr"] = ",".join(["IPv4:" + str(x) for x in self.ipv4] + ["IPv6:" + str(x) for x in self.ipv6])
+ return openssl_cfg_fmt % keys
+
+ def makefile_rules(self):
+ """Generate the makefile rules needed for this entity."""
+ keys = { "self" : self.name,
+ "keybits" : keybits,
+ "openssl" : openssl }
+ if self.parent:
+ keys["signconf"] = "%s.cnf" % self.parent.name
+ keys["signdeps"] = "%s.key" % self.parent.name
+ else:
+ keys["signconf"] = "%s.cnf -selfsign" % self.name
+ keys["signdeps"] = "%s.key" % self.name
+ return makefile_fmt % keys
+
+makefile_fmt = '''\
+
+all:: %(self)s.cer
+
+%(self)s.key:
+ %(openssl)s genrsa -out $@ %(keybits)d
+
+%(self)s.req: %(self)s.key %(self)s.cnf Makefile
+ %(openssl)s req -new -config %(self)s.cnf -key %(self)s.key -out $@
+
+%(self)s.cer: %(self)s.req %(self)s.cnf %(signdeps)s Makefile
+ @test -d %(self)s || mkdir %(self)s
+ @test -f %(self)s/index || touch %(self)s/index
+ @test -f %(self)s/serial || echo 01 >%(self)s/serial
+ %(openssl)s ca -batch -out $@ -in %(self)s.req -extfile %(self)s.cnf -config %(signconf)s
+
+
+show_req::
+ %(openssl)s req -noout -text -in %(self)s.req -config /dev/null
+
+show_cer::
+ %(openssl)s x509 -noout -text -in %(self)s.cer
+'''
+
+openssl_cfg_fmt = '''# Automatically generated, do not edit.
+
+[ ca ]
+default_ca = ca_default
+
+[ ca_default ]
+certificate = %(self)s.cer
+serial = %(self)s/serial
+private_key = %(self)s.key
+database = %(self)s/index
+new_certs_dir = %(self)s
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 365
+default_crl_days = 30
+default_md = sha256
+preserve = no
+copy_extensions = copy
+policy = ca_policy_anything
+unique_subject = no
+x509_extensions = ca_x509_ext
+crl_extensions = crl_x509_ext
+
+[ ca_policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+givenName = optional
+surname = optional
+
+[ req ]
+default_bits = %(keybits)d
+encrypt_key = no
+distinguished_name = req_dn
+req_extensions = req_x509_ext
+prompt = no
+
+[ req_dn ]
+CN = TEST ENTITY %(self)s
+
+[ req_x509_ext ]
+basicConstraints = critical,CA:true
+subjectKeyIdentifier = hash
+keyUsage = critical,keyCertSign,cRLSign
+subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombats-r-us.hactrn.net/%(self)s/
+%(no_parent)sauthorityInfoAccess = caIssuers;URI:rsync://wombats-r-us.hactrn.net/%(parent)s.cer
+%(no_asid)ssbgp-autonomousSysNum = critical,%(asid)s
+%(no_addr)ssbgp-ipAddrBlock = critical,%(addr)s
+
+[ ca_x509_ext ]
+basicConstraints = critical,CA:true
+%(no_parent)sauthorityKeyIdentifier = keyid:always
+keyUsage = critical,keyCertSign,cRLSign
+subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombats-r-us.hactrn.net/%(self)s/
+%(no_parent)sauthorityInfoAccess = caIssuers;URI:rsync://wombats-r-us.hactrn.net/%(parent)s.cer
+%(no_asid)ssbgp-autonomousSysNum = critical,%(asid)s
+%(no_addr)ssbgp-ipAddrBlock = critical,%(addr)s
+
+[ crl_x509_ext ]
+authorityKeyIdentifier = keyid:always
+'''
+
+main()
diff --git a/scripts/resource-set.py b/scripts/resource-set.py
deleted file mode 100644
index fe0da8d3..00000000
--- a/scripts/resource-set.py
+++ /dev/null
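Review bot: `allocation.__init__` takes a mutable default `children = []`; the list is only iterated here, so nothing is corrupted today, but the idiom invites exactly that bug later — prefer `children = None` and `self.children = [allocation_map[i] for i in (children or [])]`. Relatedly, `allocation_db.add` depends silently on call order: `allocation_map[i]` raises a bare KeyError when a child is added after the parent that lists it, so the `add` docstring should say `Children must be added before the parent that names them.` The generated `[ ca_default ]` section sets `copy_extensions = copy`, which lets the request's `req_x509_ext` (including `basicConstraints = critical,CA:true`) flow into every issued certificate; that is what this toy repository wants, but a `# copy_extensions is safe only because this script generates the requests itself` comment in `openssl_cfg_fmt` would keep the setting from being copied into a real CA configuration unexamined.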
@@ -1,83 +0,0 @@ -# $Id$ - -import socket -import re - -class ip_address(object): - - def __init__(self, text): - self.addr = socket.inet_pton(self.af, text) - - def __str__(self): - return socket.inet_ntop(self.af, self.addr) - - def __eq__(self, other): - return self.addr == other.addr - - def __hash__(self): - return self.addr.__hash__() - -class ipv4_address(ip_address): - af = socket.AF_INET - -class ipv6_address(ip_address): - af = socket.AF_INET6 - -class resource(object): - pass - -class asn(resource, long): - pass - -class ip_prefix(resource): - - def __init__(self, addr, prefixlen): - self.addr = self.ac(addr) - self.prefixlen = prefixlen - - def __str__(self): - return str(self.addr) + "/" + str(self.prefixlen) - - def __eq__(self, other): - return self.addr == other.addr and self.prefixlen == other.prefixlen - - def __hash__(self): - return self.addr.__hash__() + self.prefixlen.__hash__() - -class ipv4_prefix(ip_prefix): - ac = ipv4_address - -class ipv6_prefix(ip_prefix): - ac = ipv6_address - -class resource_range(resource): - - def __init__(self, min, max): - assert isinstance(min, resource) and isinstance(max, resource) - self.min = min - self.max = max - - def __str__(self): - return str(self.min) + "-" + str(self.max) - - def __eq__(self, other): - return self.min == other.min and self.max == other.max - - def __hash__(self): - return self.min.__hash__() + self.max.__hash__() - -class resource_set(set): - - def __init__(self, *elts): - for e in elts: - assert isinstance(e, resource) - set.__init__(self, elts) - - def __str__(self): - s = [i for i in self] - s.sort() - return "{" + ", ".join(map(str, s)) + "}" - -s = resource_set(ipv6_prefix("fe80::", 16), ipv4_prefix("10.0.0.44", 32), ipv4_prefix("10.3.0.44", 32)) - -print s diff --git a/scripts/test-pow.py b/scripts/test-pow.py deleted file mode 100644 index 06827995..00000000 --- a/scripts/test-pow.py +++ /dev/null 
@@ -1,89 +0,0 @@ -# $Id$ - -import POW, POW.pkix, base64, rpki.ipaddrs, rpki.resource_set - -Alice_EE = """ -MIIDGDCCAgCgAwIBAgIJANkdU8+R7K3dMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV -BAMTGVRlc3QgQ2VydGlmaWNhdGUgQWxpY2UgQ0EwHhcNMDcwNjE5MTk1MzE4WhcN -MDcwNzE5MTk1MzE4WjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEFsaWNl -IEVFMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzxuYZsSzM7J4D/GN -TiSB/EzRF7U91bYIoqZHG/NcLePFJfHKvKd7LuRNXI4WXrUjQ+6VlcQGdPfo6uvZ -9r/UKocS3ATc7p28CkMNM99RcLM4OWg70021MwmS04CaMpUftsQCtSwAVrWkL3dM -C9LuMdChA619q1x56RGrBeqgnk9NfHahUjmqjhUVQejTk2fYfLcINdxUwOQP9GT5 -bQLhf5hxq+QsixyBjB0BE/h1KxCRJITu5JLzCZIxHxMeN/MdDz3T0m1Vhwd7KZZS -H1Iq5WIBArhzuLQsekSL4GmDLXSxuLi68w8W53YEpc4hRzS29+p1mMK5bZMttvYN -hfoVOQIDAQABo00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBTDNm3cT2DjtkzqsI7N -hTSoXmbGsDAfBgNVHSMEGDAWgBRqTejqD9pJQzENNALChYOBrglzEzANBgkqhkiG -9w0BAQUFAAOCAQEAZac7WWRWCItjea9O6YJgB1EUy0NdN7rRuzQSJg9LQfsevwJK -s2R/gV6RF8c53BnexUoVOu5VxSFZin9qRMMZxEMzo3TlFY2JuhPchLFrnYQ5SsjL -w25iLY9xaswZoaAdu4HG5IbN+Drew4Hlfqfoqgi1x79MbL4i+xdPjrHjV+5T/bLE -hADax/Ki7qWOMW2eMWIYuhyHwlqaJaa4xvgSuBdzccPur9nYuYyMQhR5FEtiBrFk -H+SG3DPUYnJjHo/0hqZ+cRRtoNJO00gfgzDUYGIrDak4aGapJsGcJ5/6xIvYKrpu -mkmvYl9m3IB1QYSAtu+0C98ShPgIFNqLvWOceA== -""" - -APNIC_Root = """ -MIIHMjCCBhqgAwIBAgIBcjANBgkqhkiG9w0BAQsFADBNMS4wLAYDVQQDEyVEZW1v -IEFQTklDIFJPT1QgQ0EgLSBOb3QgZm9yIHJlYWwgdXNlMRswGQYJKoZIhvcNAQkB -FgxjYUBhcG5pYy5uZXQwHhcNMDYxMTE2MDU1MDEwWhcNMDcxMTE2MDU1MDEwWjA2 -MTQwMgYDVQQDEytEZW1vIFByb2R1Y3Rpb24gQVBOSUMgQ0EgLSBOb3QgZm9yIHJl -YWwgdXNlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA64tZcEhcMvdF -s0sXVF+op473Px/0ANRBHKl772wzTIBno6I4+RNmh8zkasTh6aKhNwcpkc03AaTs -cFmPrlq5PREyZrO1vzq6McShEH5/FcVLUcHKKq46/f+0mx7ec/ExaeRljHJeIVxJ -TuKUrs87PbPYBz+KI6bjb4e0ICsVgomat6DphPPd3krCBJVNqBD6W2UCv1huK9Kx -6egiWaqAYzcrI3W0TFNA5+RUnjnybB0qg1pOkdgKDOEFnIkl0MnX4ENSWNOnezHF -myV3ypJ+42Zllu5OZacqbPh+UJzHv4rMdfKjwpvn1ofiqglYG74HY2lzXSUyYPuA -cZX9572A9wIDAQABo4IEMjCCBC4wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E 
-BAMCAQYwHQYDVR0OBBYEFKuuiK1khrgRO46sfDwFBwJRwqkcMB8GA1UdIwQYMBaA -FKb6Y78FHkIsdnueF/Hxm4ZnWDKNMBgGA1UdIAEB/wQOMAwwCgYIKwYBBQUHDgIw -PQYDVR0fBDYwNDAyoDCgLoYscnN5bmM6Ly9yZXBvc2l0b3J5LmFwbmljLm5ldC9B -UE5JQy9BUE5JQy5jcmwwTwYIKwYBBQUHAQEEQzBBMD8GCCsGAQUFBzAChjNyc3lu -YzovL3JlcG9zaXRvcnkuYXBuaWMubmV0L1RSVVNUQU5DSE9SUy9hcG5pYy5jZXIw -WwYIKwYBBQUHAQsETzBNMEsGCCsGAQUFBzAFhj9yc3luYzovL3JlcG9zaXRvcnku -YXBuaWMubmV0L0FQTklDL3E2NklyV1NHdUJFN2pxeDhQQVVIQWxIQ3FSdy8wggJF -BggrBgEFBQcBCAEB/wSCAjQwggIwoIICLDCCAigCAgCtAgICqQICBMUCAgTRAgIE -1QICBOICAgZ7AgIGqDAIAgIG6AICBukCAgb1AgIHOwICB/oCAghgAgIJUTAIAgIJ -wQICCeACAgnpAgIJ+gICCgMwCAICCgkCAgoKAgIKiQICCpICAgqZAgIKxAICCswC -AgrUAgILBwICC1sCAgtjMAgCAgttAgILbgICDR0CAg0jAgINNgICDT8CAg1DAgIN -hAICDYYCAg2gAgINtgICDd4wCAICDeYCAg3nAgIN/wICDhUCAg4YMAgCAg5NAgIO -TjAIAgIOaQICDm0CAg5/AgIOhTAIAgIOowICDqQwCAICDq0CAg6uAgIOvQICDr8C -Ag7IMAgCAg7KAgIOywICDuUCAg7xAgIO/DAIAgIO/wICDwACAg9ZAgIPgQICD4gC -Ag+nAgIPyAICD9ECAg/aAgIP3AICECYCAhAuAgIQPjAIAgIQTgICEE8CAhBlAgIQ -agICEJsCAhCyAgIRADAIAgIRHQICER4CAhFPMAgCAhFRAgIRUgICEaMCAhGwAgIR -ugICEfICAhH9MAgCAhIAAgITAAICE2EwCAICE5kCAhOaAgITuwICE90CAhPfAgIW -TQICF7QCAhgTAgIYdgICGdsCAhn4AgIb2wICHAcwCAICHSsCAh4qAgIerwICHt0w -CAICJAACAif/AgIqNwICLMswCAICRAACAkf/AgJM+TAIAgJcAAICX/8wCgIDAJQA -AgMAl/8wewYIKwYBBQUHAQcBAf8EbDBqMDQEAgABMC4wCAMCAToDAgE8MAgDAgB5 -AwIAfgMCAJYDAgCjAwIBygMCAdIwCAMCAdoDAgDeMDIEAgACMCwDBAEgAQIDBAIg -AQwDBAEgAUQwDAMEByABgAMEBCABoDAKAwICJAMEAyQAQDANBgkqhkiG9w0BAQsF -AAOCAQEAxjUMY1cBdWUXWmPOwK6zk8E7BOVR3U7U62AfYqlE75cjt2RhRQBcc0XP -tEG8rl6DJMmzH6XB0+czrsUijeBdRBeC+WTMbJd1ZMzgqrqHgXI0CjdjPMR0k6Dx -qpsdDXmlIuAIUHy/GISIel9N/eXSu8ctsWXV2YYlaf7WVGHIhmJs03iSu324vJSk -vhlLtNxdV+neQhkXT54mrx7mADxWYz5+rjWFvJuiOfQicXJI4uh5oAN8POcfx4hu -7xYYqCunudhilCEz53CCcjzCAx5pW1jl32YdguWEwTf6ttwTnTsXQ0a+waMk4ljw -uMsR5Xzvy12ti/m+7MSTLR1kMxJOFA== -""" - -alice = base64.b64decode(Alice_EE) -apnic = base64.b64decode(APNIC_Root) - -verbose = True - -for der in (alice, apnic): - cert = POW.derRead(POW.X509_CERTIFICATE, der) - 
print cert.pprint() - cert = POW.pkix.Certificate() - cert.fromString(der) - if verbose: - for oid, crit, val in cert.getExtensions(): - print " OID: ", oid, POW.pkix.oid2obj(oid) - print " Crit: ", crit - print " Value:", val - print - bag = rpki.resource_set.parse_extensions(cert.getExtensions()) - if bag.as: print ",".join(map(lambda x: "AS:" + str(x), bag.as)) - if bag.v4: print ",".join(map(lambda x: "IPv4:" + str(x), bag.v4)) - if bag.v6: print ",".join(map(lambda x: "IPv6:" + str(x), bag.v6)) - if bag.as is not None: print bag.as.to_tuple() - if bag.v4 is not None: print bag.v4.to_tuple() - if bag.v6 is not None: print bag.v6.to_tuple() diff --git a/scripts/test-sql.py b/scripts/test-sql.py deleted file mode 100644 index 6357ed42..00000000 --- a/scripts/test-sql.py +++ /dev/null @@ -1,36 +0,0 @@ -# $Id$ - -import MySQLdb, rpki.config - -def test(filename, section): - - print "[Checking " + filename + "]\n" - - cfg = rpki.config.parser(filename) - - db = MySQLdb.connect(user = cfg.get(section, "sql-username"), - db = cfg.get(section, "sql-database"), - passwd = cfg.get(section, "sql-password")) - - cur = db.cursor() - - def duh(db, cmd, header): - cur.execute(cmd) - print header - print "-" * len(header) - print cur.description - for i in cur.fetchall(): - print i[0] - print - - duh(db, "SHOW DATABASES", "Databases") - duh(db, "SELECT DATABASE()", "Current database") - duh(db, "SHOW TABLES", "Current tables") - - db.close() - -print MySQLdb.Timestamp(2007,6,9,9,45,51), MySQLdb.DateFromTicks(1000), \ - MySQLdb.Binary("Hi, Mom!"), MySQLdb.STRING, MySQLdb.BINARY, MySQLdb.NUMBER, MySQLdb.NULL, "\n" - -test("re.conf", "rpki") -test("irbe.conf", "irdb") diff --git a/scripts/uri.pl b/scripts/uri.pl deleted file mode 100644 index cd029fec..00000000 --- a/scripts/uri.pl +++ /dev/null 
@@ -1,53 +0,0 @@ -: -# $Id$ -eval 'exec perl -w -S $0 ${1+"$@"}' - if 0; - -use strict; - -my $format = "DER"; -my $badsia = 0; - -while ($ARGV[0] =~ /^--/) { - $_ = shift; - if (/^--der/) { $format = "DER"; next } - if (/^--pem/) { $format = "PEM"; next } - if (/^--badsia/) { $badsia = 1; next } - if (/^--help/) { - print("$0 [ --der | --pem ] [ --badsia ] cert [ cert ...]\n"); - exit; - } - die("Unrecognized option: $_"); -} - -while (@ARGV) { - my $file = shift(@ARGV); - my ($aia, $sia, $cdp, $a, $s, $c) = qw(- - -); - next unless ($file =~ /\.cer$/); - open(F, "-|", ( qw(openssl x509 -noout -inform), $format, - qw(-text -in), $file)) - or die("Couldn't run openssl x509 on $file: $!\n"); - while () { - chomp; - s{^.+URI:rsync://}{}; - $a = $. + 1 - if (/Authority Information Access:/); - $s = $. + 1 - if (/Subject Information Access:/); - $c = $. + 1 - if (/X509v3 CRL Distribution Points:/); - $aia = $_ - if ($a && $. == $a); - $sia = $_ - if ($s && $. == $s); - $cdp = $_ - if ($c && $. == $c); - } - close(F); - if ($badsia) { - print("$file\n\t$sia\n") - if ($sia && $sia =~ m=[^/]$=); - } else { - print("$aia $sia $cdp $file\n"); - } -} -- cgit v1.2.3