# $Id$ # # RelaxNG schema for RPKI left-right protocol. # # Copyright (C) 2012--2014 Dragon Research Labs ("DRL") # Portions copyright (C) 2009--2011 Internet Systems Consortium ("ISC") # Portions copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN") # # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notices and this permission notice appear in all copies. # # THE SOFTWARE IS PROVIDED "AS IS" AND DRL, ISC, AND ARIN DISCLAIM ALL # WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED # WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DRL, # ISC, OR ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR # CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS # OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, # NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION # WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
default namespace = "http://www.hactrn.net/uris/rpki/left-right-spec/"

# Named pattern holding the protocol version string.  Nothing in this
# file references it; the version actually enforced on the wire is the
# facet on the <msg/> version attribute below.
version = "1"

# Top level PDU.  A <msg/> is either a query carrying zero or more query
# PDUs or a reply carrying zero or more reply PDUs.  The version
# attribute is a positiveInteger capped at 1, so the schema itself
# rejects any message claiming a different protocol version.
start = element msg {
  attribute version { xsd:positiveInteger { maxInclusive="1" } },
  ( (attribute type { "query" }, query_elt*) |
    (attribute type { "reply" }, reply_elt*) )
}

# PDUs allowed in a query
query_elt |= tenant_query
query_elt |= bsc_query
query_elt |= parent_query
query_elt |= child_query
query_elt |= repository_query
query_elt |= list_roa_requests_query
query_elt |= list_ghostbuster_requests_query
query_elt |= list_ee_certificate_requests_query
query_elt |= list_resources_query
query_elt |= list_published_objects_query
query_elt |= list_received_resources_query

# PDUs allowed in a reply
reply_elt |= tenant_reply
reply_elt |= bsc_reply
reply_elt |= parent_reply
reply_elt |= child_reply
reply_elt |= repository_reply
reply_elt |= list_resources_reply
reply_elt |= list_roa_requests_reply
reply_elt |= list_ghostbuster_requests_reply
reply_elt |= list_ee_certificate_requests_reply
reply_elt |= list_published_objects_reply
reply_elt |= list_received_resources_reply
reply_elt |= report_error_reply

# Tag attributes for bulk operations.  Optional, and bounded to 1024
# characters so a correlation tag cannot be used to carry bulk data.
tag = attribute tag { xsd:token {maxLength="1024" } }?

# Combinations of action and type attributes used in later definitions.
# The same patterns repeat in most of the elements in this protocol.
# Each one fixes the action attribute to a single literal value and
# carries the optional tag.
ctl_create  = attribute action { "create" },  tag
ctl_set     = attribute action { "set" },     tag
ctl_get     = attribute action { "get" },     tag
ctl_list    = attribute action { "list" },    tag
ctl_destroy = attribute action { "destroy" }, tag

# Base64 encoded DER stuff.  The 512000 limit is on the base64 text,
# and it is the only bound this schema places on any DER blob carried
# by the protocol; the schema does not check that the payload is valid
# DER, that is left to whatever parses the certificate or CRL.
base64 = xsd:base64Binary { maxLength="512000" }

# Base definition for all fields that are really just SQL primary indices
#sql_id = xsd:nonNegativeInteger

# ...except that fields containing SQL primary indices don't belong
# in this protocol, so they're turning into handles.
# Length restriction is a MySQL implementation issue.
# Handles are case-insensitive (because SQL is, among other reasons).
# The pattern admits only ASCII letters, digits, hyphen and underscore:
# no whitespace, path separators, quotes or other metacharacters, and
# never the empty string.
# NOTE(review): case-insensitivity is a property of the backing store,
# not of this pattern -- two handles differing only in case both
# validate here, so any collision handling has to happen in the consumer.
object_handle = xsd:string { maxLength="255" pattern="[\-_A-Za-z0-9]+" }

# URIs.  Only the length is bounded; the schema does not constrain the
# URI scheme or host, so any expectation about which schemes are
# acceptable must be enforced by the code that uses the URI.
uri = xsd:anyURI { maxLength="4096" }

# Name fields imported from up-down protocol
up_down_name = xsd:token { maxLength="1024" }

# Resource lists.  The patterns bound the character set only (digits,
# comma and hyphen for ASNs; additionally "/" and "." for IPv4 and
# "/", ":" and hex digits for IPv6).  They do not check that the
# ranges or prefixes are well formed, and all three admit the empty
# string, so the receiving side still has to parse and validate them.
asn_list  = xsd:string { maxLength="512000" pattern="[\-,0-9]*" }
ipv4_list = xsd:string { maxLength="512000" pattern="[\-,0-9/.]*" }
ipv6_list = xsd:string { maxLength="512000" pattern="[\-,0-9/:a-fA-F]*" }

# <tenant/> element

# One-shot command flags.  Each is either absent or the literal "yes";
# the schema offers no way to spell "no".
tenant_bool = (attribute rekey { "yes" }?,
               attribute reissue { "yes" }?,
               attribute revoke { "yes" }?,
               attribute run_now { "yes" }?,
               attribute publish_world_now { "yes" }?,
               attribute revoke_forgotten { "yes" }?,
               attribute clear_replay_protection { "yes" }?)

# Persistent tenant settings.  crl_interval and regen_margin are bare
# positiveIntegers; the schema does not say what unit they are in.
tenant_payload = (attribute use_hsm { "yes" | "no" }?,
                  attribute crl_interval { xsd:positiveInteger }?,
                  attribute regen_margin { xsd:positiveInteger }?,
                  element bpki_cert { base64 }?,
                  element bpki_glue { base64 }?)

tenant_handle = attribute tenant_handle { object_handle }

# create/set/get/list/destroy pairs.  Note that the list query carries
# no tenant_handle: it enumerates every tenant, and the reply repeats
# one <tenant/> per match with handle and payload.
tenant_query |= element tenant { ctl_create, tenant_handle, tenant_bool, tenant_payload }
tenant_reply |= element tenant { ctl_create, tenant_handle }

tenant_query |= element tenant { ctl_set, tenant_handle, tenant_bool, tenant_payload }
tenant_reply |= element tenant { ctl_set, tenant_handle }

tenant_query |= element tenant { ctl_get, tenant_handle }
tenant_reply |= element tenant { ctl_get, tenant_handle, tenant_payload }

tenant_query |= element tenant { ctl_list }
tenant_reply |= element tenant { ctl_list, tenant_handle, tenant_payload }

tenant_query |= element tenant { ctl_destroy, tenant_handle }
tenant_reply |= element tenant { ctl_destroy, tenant_handle }

# <bsc/> element.  Key parameters hardwired for now.
# The only key parameters the schema accepts are rsa / sha256 / 2048,
# and they may only appear together with generate_keypair="yes"; a
# request naming any other algorithm or length fails validation.
bsc_bool = ((attribute generate_keypair { "yes" },
             attribute key_type { "rsa" }?,
             attribute hash_alg { "sha256" }?,
             attribute key_length { "2048" }?)?)
bsc_handle = attribute bsc_handle { object_handle }

# Settable BSC state: the signing certificate and its CRL.
bsc_payload = (element signing_cert { base64 }?,
               element signing_cert_crl { base64 }?)

# Server-generated, read-only: the PKCS #10 request for the BSC key.
# It appears only in replies, never in a query.
bsc_readonly = element pkcs10_request { base64 }?

bsc_query |= element bsc { ctl_create, tenant_handle, bsc_handle, bsc_bool, bsc_payload }
bsc_reply |= element bsc { ctl_create, tenant_handle, bsc_handle, bsc_readonly }

bsc_query |= element bsc { ctl_set, tenant_handle, bsc_handle, bsc_bool, bsc_payload }
bsc_reply |= element bsc { ctl_set, tenant_handle, bsc_handle, bsc_readonly }

bsc_query |= element bsc { ctl_get, tenant_handle, bsc_handle }
bsc_reply |= element bsc { ctl_get, tenant_handle, bsc_handle, bsc_payload, bsc_readonly }

bsc_query |= element bsc { ctl_list, tenant_handle }
bsc_reply |= element bsc { ctl_list, tenant_handle, bsc_handle, bsc_payload, bsc_readonly }

bsc_query |= element bsc { ctl_destroy, tenant_handle, bsc_handle }
bsc_reply |= element bsc { ctl_destroy, tenant_handle, bsc_handle }

# <parent/> element

parent_handle = attribute parent_handle { object_handle }

# One-shot command flags, same "yes"-or-absent convention as tenant_bool.
parent_bool = (attribute rekey { "yes" }?,
               attribute reissue { "yes" }?,
               attribute revoke { "yes" }?,
               attribute revoke_forgotten { "yes" }?,
               attribute clear_replay_protection { "yes" }?)

# Settable parent state.  The two URIs and the root_*_resources lists
# are only bounded by the uri / *_list patterns above; nothing here
# ties the referenced bsc_handle or repository_handle to an object that
# exists, that is a referential check for the consumer.
parent_payload = (attribute peer_contact_uri { uri }?,
                  attribute sia_base { uri }?,
                  bsc_handle?,
                  repository_handle?,
                  attribute sender_name { up_down_name }?,
                  attribute recipient_name { up_down_name }?,
                  attribute root_asn_resources { asn_list }?,
                  attribute root_ipv4_resources { ipv4_list }?,
                  attribute root_ipv6_resources { ipv6_list }?,
                  element bpki_cert { base64 }?,
                  element bpki_glue { base64 }?)

# Read-only, reply side only: the RPKI root certificate for this parent.
parent_readonly = element rpki_root_cert { base64 }?
# create/set replies return only the read-only part; get/list replies
# return both the settable payload and the read-only part.
parent_query |= element parent { ctl_create, tenant_handle, parent_handle, parent_bool, parent_payload }
parent_reply |= element parent { ctl_create, tenant_handle, parent_handle, parent_readonly }

parent_query |= element parent { ctl_set, tenant_handle, parent_handle, parent_bool, parent_payload }
parent_reply |= element parent { ctl_set, tenant_handle, parent_handle, parent_readonly }

parent_query |= element parent { ctl_get, tenant_handle, parent_handle }
parent_reply |= element parent { ctl_get, tenant_handle, parent_handle, parent_payload, parent_readonly }

parent_query |= element parent { ctl_list, tenant_handle }
parent_reply |= element parent { ctl_list, tenant_handle, parent_handle, parent_payload, parent_readonly }

parent_query |= element parent { ctl_destroy, tenant_handle, parent_handle }
parent_reply |= element parent { ctl_destroy, tenant_handle, parent_handle }

# <child/> element

child_handle = attribute child_handle { object_handle }

# One-shot command flags; children only support reissue and replay reset.
child_bool = (attribute reissue { "yes" }?,
              attribute clear_replay_protection { "yes" }?)

# Settable child state: which BSC signs for it, plus its BPKI cert/glue.
child_payload = (bsc_handle?,
                 element bpki_cert { base64 }?,
                 element bpki_glue { base64 }?)
# Children have no read-only part, so create/set/destroy replies carry
# just the handles.
child_query |= element child { ctl_create, tenant_handle, child_handle, child_bool, child_payload }
child_reply |= element child { ctl_create, tenant_handle, child_handle }

child_query |= element child { ctl_set, tenant_handle, child_handle, child_bool, child_payload }
child_reply |= element child { ctl_set, tenant_handle, child_handle }

child_query |= element child { ctl_get, tenant_handle, child_handle }
child_reply |= element child { ctl_get, tenant_handle, child_handle, child_payload }

child_query |= element child { ctl_list, tenant_handle }
child_reply |= element child { ctl_list, tenant_handle, child_handle, child_payload }

child_query |= element child { ctl_destroy, tenant_handle, child_handle }
child_reply |= element child { ctl_destroy, tenant_handle, child_handle }

# <repository/> element

repository_handle = attribute repository_handle { object_handle }

# Only one command flag for repositories.
repository_bool = attribute clear_replay_protection { "yes" }?

# Settable repository state.  Both URIs are plain uri patterns, so the
# scheme of peer_contact_uri and rrdp_notification_uri is not checked here.
repository_payload = (attribute peer_contact_uri { uri }?,
                      bsc_handle?,
                      attribute rrdp_notification_uri { uri }?,
                      element bpki_cert { base64 }?,
                      element bpki_glue { base64 }?)
repository_query |= element repository { ctl_create, tenant_handle, repository_handle, repository_bool, repository_payload }
repository_reply |= element repository { ctl_create, tenant_handle, repository_handle }

repository_query |= element repository { ctl_set, tenant_handle, repository_handle, repository_bool, repository_payload }
repository_reply |= element repository { ctl_set, tenant_handle, repository_handle }

repository_query |= element repository { ctl_get, tenant_handle, repository_handle }
repository_reply |= element repository { ctl_get, tenant_handle, repository_handle, repository_payload }

repository_query |= element repository { ctl_list, tenant_handle }
repository_reply |= element repository { ctl_list, tenant_handle, repository_handle, repository_payload }

repository_query |= element repository { ctl_destroy, tenant_handle, repository_handle }
repository_reply |= element repository { ctl_destroy, tenant_handle, repository_handle }

# <list_resources/> element
# Resources held by one child.  valid_until must end in "Z" (the pattern
# forces the UTC lexical form); the resource attributes are optional.
list_resources_query = element list_resources { tag, tenant_handle, child_handle }
list_resources_reply = element list_resources {
  tag,
  tenant_handle,
  child_handle,
  attribute valid_until { xsd:dateTime { pattern=".*Z" } },
  attribute asn { asn_list }?,
  attribute ipv4 { ipv4_list }?,
  attribute ipv6 { ipv6_list }?
}

# <list_roa_requests/> element
# One reply element per ROA request.  asn here is a single
# nonNegativeInteger, not an asn_list.
# NOTE(review): there is no maxInclusive facet on asn, so values beyond
# the 32-bit AS number range validate; range checking is the consumer's job.
list_roa_requests_query = element list_roa_requests { tag, tenant_handle }
list_roa_requests_reply = element list_roa_requests {
  tag,
  tenant_handle,
  attribute asn { xsd:nonNegativeInteger },
  attribute ipv4 { ipv4_list }?,
  attribute ipv6 { ipv6_list }?
}

# <list_ghostbuster_requests/> element
# The reply's element content is a bare xsd:string.
# NOTE(review): unlike the free text in report_error, this string has no
# maxLength, so the schema places no size bound on it.
list_ghostbuster_requests_query = element list_ghostbuster_requests { tag, tenant_handle, parent_handle }
list_ghostbuster_requests_reply = element list_ghostbuster_requests {
  tag,
  tenant_handle,
  parent_handle,
  xsd:string
}

# <list_ee_certificate_requests/> element
# gski is a fixed 27-character token.  cn allows letters, digits, "-",
# "_" and space (up to 64); sn is hex (up to 64); eku is restricted to
# digits, "." and "," -- i.e. the character set of a comma-separated
# list of dotted OIDs -- but its structure is not otherwise checked.
list_ee_certificate_requests_query = element list_ee_certificate_requests { tag, tenant_handle }
list_ee_certificate_requests_reply = element list_ee_certificate_requests {
  tag,
  tenant_handle,
  attribute gski { xsd:token { minLength="27" maxLength="27" } },
  attribute valid_until { xsd:dateTime { pattern=".*Z" } },
  attribute asn { asn_list }?,
  attribute ipv4 { ipv4_list }?,
  attribute ipv6 { ipv6_list }?,
  attribute cn { xsd:string { maxLength="64" pattern="[\-0-9A-Za-z_ ]+" } },
  attribute sn { xsd:string { maxLength="64" pattern="[0-9A-Fa-f]+" } }?,
  attribute eku { xsd:string { maxLength="512000" pattern="[.,0-9]+" } }?,
  element pkcs10 { base64 }
}

# <list_published_objects/> element
# Element content is the published object itself (base64 DER).  The
# child_handle attribute is spelled out here rather than via the
# child_handle pattern, but it is the same object_handle type.
list_published_objects_query = element list_published_objects { tag, tenant_handle }
list_published_objects_reply = element list_published_objects {
  tag,
  tenant_handle,
  attribute uri { uri },
  attribute child_handle { object_handle }?,
  base64
}

# <list_received_resources/> element
# Validity window plus the three certificate URIs (own, SIA, AIA); the
# dateTime patterns again force the trailing "Z".
list_received_resources_query = element list_received_resources { tag, tenant_handle }
list_received_resources_reply = element list_received_resources {
  tag,
  tenant_handle,
  parent_handle,
  attribute notBefore { xsd:dateTime { pattern=".*Z" } },
  attribute notAfter { xsd:dateTime { pattern=".*Z" } },
  attribute uri { uri },
  attribute sia_uri { uri },
  attribute aia_uri { uri },
  attribute asn { asn_list }?,
  attribute ipv4 { ipv4_list }?,
  attribute ipv6 { ipv6_list }?
}

# <report_error/> element
# error_code is a token of at most 1024 characters; the optional element
# content is free text bounded to 512000.  tenant_handle is optional
# because some errors arise before a tenant can be identified.
error = xsd:token { maxLength="1024" }
report_error_reply = element report_error {
  tag,
  tenant_handle?,
  attribute error_code { error },
  xsd:string { maxLength="512000" }?
}

# Local Variables:
# indent-tabs-mode: nil
# comment-start: "# "
# comment-start-skip: "#[ \t]*"
# End: