# $Id: myrpki.conf 2722 2009-08-31 22:24:48Z sra $
#
# Config file for myrpki.py, myirbe.py, and RPKI daemons when used
# with myrpki.py etc. Notes:
#
# - There's some duplication of settings between some of the sections,
# because each of the several daemons and control programs was
# written as a free-standing program. Lumping all of the config for
# all of them into a single config file is just a convenience for
# simple configurations; in complex cases you might not have any two
# of them running on the same machine.
#
# - This config file is also read by the OpenSSL command line tool
# running under mypki.py, so syntax must remain compatible with both
# OpenSSL and Python config file parsers, and there's a big chunk of
# OpenSSL voodoo towards the end of this file.
################################################################
[myrpki]
# Handle naming the hosted resource-holding entity represented by this
# myrpki instance. Syntax is an identifier (ASCII letters, digits,
# hyphen, underscore -- no whitespace, non-ASCII characters, or other
# punctuation). You need to set this.
handle = Me
# BPKI trust anchor for the repository in which this entity will be
# publishing its outputs. You need to set this.
# This certificate is the basis for trusting the repository; obtain it
# out of band from the repository operator and check its fingerprint
# before installing it here.
repository_bpki_certificate = repository-ta.cer
# Name by which the repository will know this entity. This may be a
# structured handle, eg, "Grandma/Mom/Me" or might be a simple handle,
# depending on how the repository is set up. Syntax is same as
# "handle", with the addition of "/" characters as an allowed
# delimiter. You need to set this.
repository_handle = Me
# Names of various input and output files. Don't change these without
# a good reason. Paths are relative (presumably to the working
# directory of myrpki.py -- confirm).
roa_csv = roas.csv
children_csv = children.csv
parents_csv = parents.csv
prefix_csv = prefixes.csv
asn_csv = asns.csv
xml_filename = myrpki.xml
# Directory holding this entity's own BPKI keys and certificates.
# Private keys live here; restrict its permissions to the user that
# runs myrpki.py.
bpki_directory = bpki.myrpki
#################################################################
[myirbe]
# Base of service URL for pubd. myirbe.py uses this value to
# configure objects in rpkid. If you are running your
# own copy of pubd (see "want_pubd"), myirbe.py also uses this to
# contact your copy of pubd in order to configure it.
#
# You need to configure this.
pubd_base = https://pubd.example.org:4402/
# Base of service URL for rpkid. myirbe.py uses this to contact your
# rpkid so it can configure it.
#
# You need to configure this.
# NOTE(review): pubd_base above ends with "/" and this value does
# not; confirm myirbe.py normalises the trailing slash, or make the
# two consistent.
rpkid_base = https://rpkid.example.org:4404
# Whether you want myirbe.py to attempt to configure your own copy of
# pubd. In general, it's best to use your parent's pubd if you can,
# to reduce the overall number of publication sites that relying
# parties need to check, so don't enable this unless you have a good
# reason. See the [pubd] section if you do enable this.
#
# Enabling this when you are -not- running your own copy of pubd will
# cause myirbe.py to fail when it attempts to perform runtime
# configuration of your nonexistent pubd.
# Boolean; this file uses true/false throughout.
want_pubd = false
# Whether you want myirbe.py to generate BPKI certs for running your
# very own copy of rootd. Don't enable this unless you really know
# what you're doing. See [rootd] section below for further comments.
want_rootd = false
# Where to put BPKI stuff for the IRBE operator (entity that operates
# rpkid etc). Don't change this without a reason. The daemon sections
# below refer to keys and certs under this directory, so it holds
# private keys and must not be world-readable.
bpki_directory = bpki.myirbe
#################################################################
[rpkid]
# MySQL database name, user name, and password for rpkid to use to
# store its data. You need to configure these.
# NOTE(review): "fnord" is a placeholder and the same placeholder is
# used for irdbd and pubd below. Use a distinct password per daemon,
# and keep this file readable only by the daemon accounts, since the
# credential is stored in clear text.
sql-database = rpki
sql-username = rpki
sql-password = fnord
# Host and port on which rpkid should listen for HTTPS service
# requests. These should match rpkid_base in the [myirbe] section.
# You need to configure these.
server-host = rpkid.example.org
server-port = 4404
# HTTPS service URL rpkid should use to contact irdbd. If irdbd is
# running on the same machine as rpkid, this can and probably should
# be a loopback URL, since nobody but rpkid needs to talk to irdbd.
# Must match https-url in the [irdbd] section.
irdb-url = https://localhost:4403/
# Where rpkid should look for BPKI certs and keys used in the
# left-right protocol. The following values match where myirbe.py
# will have placed things. Don't change these without a reason.
# bpki-ta is the BPKI trust anchor; rpkid-key is rpkid's own private
# key; the remaining entries are the peer certificates rpkid is
# presumably expected to accept (irdbd and the IRBE operator) --
# confirm against rpkid's own documentation.
bpki-ta = bpki.myirbe/ca.cer
rpkid-key = bpki.myirbe/rpkid.key
rpkid-cert = bpki.myirbe/rpkid.cer
irdb-cert = bpki.myirbe/irdbd.cer
irbe-cert = bpki.myirbe/irbe.cer
#################################################################
[irdbd]
# MySQL database name, user name, and password for irdbd to use to
# store its data. You need to configure these.
# NOTE(review): placeholder credential, stored in clear text; replace
# it with a value distinct from the other daemons' passwords and
# restrict this file's permissions.
sql-database = irdb
sql-username = irdb
sql-password = fnord
# HTTPS service URL irdbd should listen on. This should match the
# irdb-url parameter in the [rpkid] section; see comments there.
# A loopback address keeps irdbd reachable only from the local host.
https-url = https://localhost:4403/
# Where irdbd should look for BPKI certs and keys used in the
# left-right protocol. The following values match where myirbe.py
# will have placed things. Don't change these without a reason.
# irdbd-key is irdbd's own private key; rpkid-cert is the certificate
# of the only peer that is expected to talk to it.
bpki-ta = bpki.myirbe/ca.cer
rpkid-cert = bpki.myirbe/rpkid.cer
irdbd-cert = bpki.myirbe/irdbd.cer
irdbd-key = bpki.myirbe/irdbd.key
#################################################################
[pubd]
# MySQL database name, user name, and password for pubd to use to
# store (some of) its data. You need to configure these.
# NOTE(review): placeholder credential, stored in clear text; replace
# it with a value distinct from the other daemons' passwords and
# restrict this file's permissions.
sql-database = pubd
sql-username = pubd
sql-password = fnord
# Root of directory tree where pubd should write out published data.
# You need to configure this, and the configuration should match up
# with the directory where you point rsyncd. Neither pubd nor rsyncd
# much cares -where- you tell them to put this stuff, the important
# thing is that the rsync:// URIs in generated certificates match up
# with the published objects so that relying parties can find and
# verify rpkid's published outputs.
# rsyncd should export this tree read-only; pubd should be its only
# writer. Note that rpki-root-dir in the [rootd] section defaults to
# the same directory, so keep the two apart if both run on one host.
publication-base = publication/
# Host and port on which pubd should listen for HTTPS service
# requests. These should match pubd_base in the [myirbe] section.
# You need to configure these.
server-host = pubd.example.org
server-port = 4402
# Where pubd should look for BPKI certs and keys used in the
# left-right protocol. The following values match where myirbe.py
# will have placed things. Don't change these without a reason.
# pubd-key is pubd's own private key; irbe-cert is the certificate of
# the IRBE operator that configures pubd.
bpki-ta = bpki.myirbe/ca.cer
pubd-cert = bpki.myirbe/pubd.cer
pubd-key = bpki.myirbe/pubd.key
irbe-cert = bpki.myirbe/irbe.cer
#################################################################
[irbe_cli]
# HTTPS service URL for rpkid. Host and port match server-host and
# server-port in the [rpkid] section; the /left-right/ path is the
# left-right protocol endpoint.
rpkid-url = https://rpkid.example.org:4404/left-right/
# BPKI certificates and keys for talking to rpkid. rpkid-irbe-key is
# the IRBE operator's private key; rpkid-cert is the certificate the
# client expects rpkid to present.
rpkid-bpki-ta = bpki.myirbe/ca.cer
rpkid-irbe-key = bpki.myirbe/irbe.key
rpkid-irbe-cert = bpki.myirbe/irbe.cer
rpkid-cert = bpki.myirbe/rpkid.cer
# HTTPS service URL for pubd
# NOTE(review): this points at localhost while the [pubd] section has
# server-host = pubd.example.org. Confirm both resolve to the same
# listener, or use the same hostname here as in [pubd].
pubd-url = https://localhost:4402/control/
# BPKI certificates and keys for talking to pubd. These reuse the same
# IRBE key and certificate as above.
pubd-bpki-ta = bpki.myirbe/ca.cer
pubd-irbe-key = bpki.myirbe/irbe.key
pubd-irbe-cert = bpki.myirbe/irbe.cer
pubd-cert = bpki.myirbe/pubd.cer
#################################################################
# You don't need to run rootd unless you're IANA, are certifying
# private address space, or are an RIR which refuses to accept IANA as
# the root of the public address hierarchy.
#
# Ok, if that wasn't enough to scare you off: rootd is a kludge, and
# needs to be rewritten, or, better, merged into rpkid. It does a
# number of things wrong, and requires far too many configuration
# parameters. You have been warned....
[rootd]
# BPKI certificates and keys for rootd. rootd-bpki-key is rootd's own
# private key; child-bpki-cert is the certificate of its one child.
bpki-ta = bpki.myirbe/ca.cer
rootd-bpki-crl = bpki.myirbe/ca.crl
rootd-bpki-cert = bpki.myirbe/rootd.cer
rootd-bpki-key = bpki.myirbe/rootd.key
child-bpki-cert = bpki.myirbe/child.cer
# Server port on which rootd should listen. There is no server-host
# setting in this section, unlike [rpkid] and [pubd].
server-port = 4401
# Where rootd should write its output. Yes, rootd should be using
# pubd instead of publishing directly, but it doesn't.
# This is the same directory as publication-base in [pubd]; if pubd
# also runs on this host, give one of them a different directory.
rpki-root-dir = publication/
# rsync URI for directory containing rootd's outputs
rpki-base-uri = rsync://rpki.example.org/Me/
# rsync URI for rootd's root (self-signed) RPKI certificate
rpki-root-cert-uri = rsync://rpki.example.org/Me/root.cer
# Private key corresponding to rootd's root RPKI certificate
# NOTE(review): this is the same file as the BPKI CA key (the [ca]
# section signs with $dir/ca.key, and bpki-ta above is
# bpki.myirbe/ca.cer), so one private key appears to serve as both the
# BPKI trust anchor and the RPKI root. Compromise of either role then
# compromises both; confirm this sharing is intended.
rpki-root-key = bpki.myirbe/ca.key
# Filename (as opposed to rsync URI) of rootd's root RPKI certificate
rpki-root-cert = publication/root.cer
# Where rootd should stash a copy of the PKCS #10 request it gets from
# its one (and only) child
rpki-subject-pkcs10 = rootd.subject.pkcs10
# Lifetime of the one and only certificate rootd issues. The "d"
# suffix presumably means days -- confirm against rootd's parser.
rpki-subject-lifetime = 30d
# Filename (relative to rootd-base-uri and rpki-root-dir) of the CRL
# for rootd's root RPKI certificate
rpki-root-crl = root.crl
# Filename (relative to rootd-base-uri and rpki-root-dir) of the
# manifest for rootd's root RPKI certificate
rpki-root-manifest = root.mnf
# Up-down protocol class name for RPKI certificate rootd issues to its
# one (and only) child
rpki-class-name = Me
# Filename (relative to rootd-base-uri and rpki-root-dir) of the one
# (and only) RPKI certificate rootd issues
rpki-subject-cert = Me.cer
# The last four parameters in this section are really parameters for
# myirbe.py to use when constructing rootd's root RPKI certificate,
# via an indirection hack in the OpenSSL voodoo portion of this file
# (see [rootd_x509_extensions]).
# Don't ask why some of these are duplicated from other parameters in
# this section, you don't want to know (really, you don't).
# ASNs to include in rootd's root RPKI certificate, in openssl.conf format.
# The default below is the entire AS number space, which is only
# correct for a genuine global root; narrow it otherwise.
root_cert_asns = AS:0-4294967295
# IP addresses to include in rootd's root RPKI certificate, in
# openssl.conf format. The default is all of IPv4 and IPv6; same
# caveat as for root_cert_asns.
root_cert_addrs = IPv4:0.0.0.0/0,IPv6:0::/0
# Whatever you put in rpki-base-uri, earlier in this section
root_cert_sia = rsync://rpki.example.org/Me/
# root_cert_sia + rpki-root-manifest
root_cert_manifest = rsync://rpki.example.org/Me/root.mnf
#################################################################
# Constants for OpenSSL voodoo portion of this file, to make them
# easier to find.
[constants]
# Digest algorithm. Don't change this. Referenced as
# ${constants::digest} by the [req] and [ca] sections below.
digest = sha256
# RSA key length. Don't change this.
key_length = 2048
# Lifetime of BPKI certificates (and rootd RPKI root certificate).
# Don't change this unless you know what you're doing.
cert_days = 365
# Lifetime of BPKI CRLs. Don't change this unless you know what
# you're doing. A CRL valid for a full year means a stale CRL remains
# acceptable for up to a year after a revocation; shorten it if timely
# revocation matters in your deployment.
crl_days = 365
#################################################################
# The rest of this file is OpenSSL configuration voodoo. Don't touch
# anything below here even if you -do- know what you're doing. Even
# by OpenSSL standards, some of this is weird, and interacts in
# non-obvious ways with code in myrpki.py and myirbe.py. If you touch
# this stuff and something breaks, don't say you weren't warned.
[req]
# OpenSSL "req" settings for certificate requests. ${section::name}
# is OpenSSL's variable syntax, pulling values from [constants].
default_bits = ${constants::key_length}
default_md = ${constants::digest}
# Subject DN comes from the [req_dn] section; prompt = no means it is
# taken from there without interactive prompting.
distinguished_name = req_dn
prompt = no
# Private keys are written unencrypted, so the only protection they
# have is filesystem permissions on the bpki directories.
encrypt_key = no
[req_dn]
# Subject DN for certificate requests. The CN is a literal placeholder
# string; presumably the issuing code replaces or ignores it -- confirm
# in myirbe.py.
CN = Dummy name for certificate request
[ca_x509_ext_ee]
# X.509 extensions for BPKI end-entity certificates. No
# basicConstraints is set, so these certificates are not CAs.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ca_x509_ext_xcert0]
# X.509 extensions for BPKI cross-certificates that may not issue
# further CA certificates (pathlen:0).
basicConstraints = critical,CA:true,pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ca_x509_ext_xcert1]
# X.509 extensions for BPKI cross-certificates allowed one further
# level of CA below them (pathlen:1).
basicConstraints = critical,CA:true,pathlen:1
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ca_x509_ext_ca]
# X.509 extensions for BPKI CA certificates. No pathlen limit is set.
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ca]
# OpenSSL "ca" settings. default_ca points back at this same section.
default_ca = ca
# CA directory is taken from the BPKI_DIRECTORY environment variable
# (OpenSSL ${ENV::name} syntax); presumably myrpki.py / myirbe.py set
# it to one of the bpki_directory values above -- confirm.
dir = ${ENV::BPKI_DIRECTORY}
new_certs_dir = $dir
database = $dir/index
certificate = $dir/ca.cer
# CA private key, stored unencrypted (see encrypt_key in [req]).
private_key = $dir/ca.key
default_days = ${constants::cert_days}
default_crl_days = ${constants::crl_days}
default_md = ${constants::digest}
# Subject DN policy, see [ca_dn_policy].
policy = ca_dn_policy
# Allow several valid certificates with the same subject DN, e.g.
# for renewal before the old certificate expires.
unique_subject = no
serial = $dir/serial
crlnumber = $dir/crl_number
[ca_dn_policy]
# Subject DN policy for the [ca] section: "optional" attributes are
# copied from the request if present, "supplied" ones must be present.
# Only commonName is required.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
givenName = optional
surname = optional
[rootd_x509_extensions]
# X.509 extensions for rootd's self-signed RPKI root certificate.
# Values are pulled from the root_cert_* settings in [rootd].
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
# Signing certificates and CRLs only.
keyUsage = critical,keyCertSign,cRLSign
# SIA: 1.3.6.1.5.5.7.48.5 is id-ad-caRepository, 1.3.6.1.5.5.7.48.10
# is id-ad-rpkiManifest. Kept on one line because OpenSSL has no line
# continuation in this context.
subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:${rootd::root_cert_sia},1.3.6.1.5.5.7.48.10;URI:${rootd::root_cert_manifest}
# RFC 3779 resource extensions; with the [rootd] defaults these claim
# the whole AS and IP address space.
sbgp-autonomousSysNum = critical,${rootd::root_cert_asns}
sbgp-ipAddrBlock = critical,${rootd::root_cert_addrs}
# 1.3.6.1.5.5.7.14.2 is the RPKI certificate policy (id-cp-ipAddr-asNumber).
certificatePolicies = critical,1.3.6.1.5.5.7.14.2