The distribution contains a few small utility programs. Most of these are
nominally relying party tools, but work at a low enough level that they may
also be useful in diagnosing CA problems.
Unless otherwise specified, all of these tools expect RPKI objects
(certificates, CRLs, CMS signed objects) to be in DER format.
Several of these tools accept an rcynic_directory argument. Which directory
to specify here depends on what you're trying to do, but if you're just trying
to look at authenticated data in your RP cache, and assuming you've installed
everything in the default locations, the directory you want is probably
/var/rcynic/data/authenticated.
uri is a utility program to extract URIs from the SIA, AIA, and CRLDP
extensions of one or more X.509v3 certificates, either specified directly or
as CMS objects containing X.509v3 certificates within the CMS wrapper.
Usage:
$ uri [-h | --help] [-s | --single-line] cert [cert...]
-h --help
-s --single-line
Single output line per input file
cert
hashdir copies an authenticated result tree from an rcynic run into the
format expected by most OpenSSL-based programs: a collection of "PEM" format
files with names in the form that OpenSSL's -CApath lookup routines expect.
This can be useful for validating RPKI objects which are not distributed as
part of the repository system.
Usage:
$ hashdir [-h | --help] [-v | --verbose] rcynic_directory output_directory
-h --help
-v --verbose
rcynic_directory
rcynic authenticated output tree
output_directory
Output directory to create
print_rpki_manifest pretty-prints the content of a manifest. It does NOT
attempt to verify the signature.
Usage:
$ print_rpki_manifest [-h | --help] [-c | --cms] manifest [manifest...]
-h --help
-c --cms
Print text representation of entire CMS blob
manifest
print_roa pretty-prints the content of a ROA. It does NOT attempt to
verify the signature.
Usage:
$ print_roa [-h | --help] [-b | --brief] [-c | --cms] [-s | --signing-time] ROA [ROA...]
-h --help
-b --brief
Brief mode (only show ASN and prefix)
-c --cms
Print text representation of entire CMS blob
-s --signing-time
ROA
find_roa searches the authenticated result tree from an rcynic run for ROAs
matching specified prefixes.
Usage:
$ find_roa [-h | --help] [-a | --all]
[-m | --match-maxlength ] [-f | --show-filenames]
[-i | --show-inception] [-e | --show-expiration]
authtree [prefix...]
-h --help
-a --all
Show all ROAs, do no prefix matching at all
-e --show-expiration
Show ROA chain expiration dates
-f --show-filenames
Show filenames instead of URIs
-i --show-inception
-m -match-maxlength
Pay attention to maxLength values
authtree
rcynic authenticated output tree
prefix
ROA prefix(es) to on which to match
scan_roas searchs the authenticated result tree from an rcynic run for ROAs,
and prints out the signing time, ASN, and prefixes for each ROA, one ROA per
line.
Other programs such as the rpki-rtr client use scan_roas to extract the
validated ROA payload after an rcynic validation run.
Usage:
$ scan_roas [-h | --help] rcynic_directory [rcynic_directory...]
-h --help
rcynic_directory
rcynic authenticated output tree
scan_routercerts searchs the authenticated result tree from an rcynic run
for BGPSEC router certificates, and prints out data of interest to the rpki-
rtr code.
Other programs such as the rpki-rtr client use scan_routercerts to extract
the validated ROA payload after an rcynic validation run.
Usage:
$ scan_routercerts [-h | --help] rcynic_directory [rcynic_directory...]
-h --help
rcynic_directory
rcynic authenticated output tree
