1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
|
****** RPKI utility programs ******
The distribution contains a few small utility programs. Most of these are
nominally relying party tools, but work at a low enough level that they may
also be useful in diagnosing CA problems.
Unless otherwise specified, all of these tools expect RPKI objects
(certificates, CRLs, CMS signed objects) to be in DER format.
Several of these tools accept an rcynic_directory argument. Which directory to
specify here depends on what you're trying to do, but if you're just trying to
look at authenticated data in your RP cache, and assuming you've installed
everything in the default locations, the directory you want is probably /var/
rcynic/data/authenticated.
***** uri *****
uri is a utility program to extract URIs from the SIA, AIA, and CRLDP
extensions of one or more X.509v3 certificates, either specified directly or as
CMS objects containing X.509v3 certificates within the CMS wrapper.
Usage:
$ uri [-h | --help] [-s | --single-line] cert [cert...]
-h --help
Show help
-s --single-line
Single output line per input file
cert
Object(s) to examine
***** hashdir *****
hashdir copies an authenticated result tree from an rcynic run into the format
expected by most OpenSSL-based programs: a collection of "PEM" format files
with names in the form that OpenSSL's -CApath lookup routines expect. This can
be useful for validating RPKI objects which are not distributed as part of the
repository system.
Usage:
$ hashdir [-h | --help] [-v | --verbose] rcynic_directory output_directory
-h --help
Show help
-v --verbose
Whistle while you work
rcynic_directory
rcynic authenticated output tree
output_directory
Output directory to create
***** print_rpki_manifest *****
print_rpki_manifest pretty-prints the content of a manifest. It does NOT
attempt to verify the signature.
Usage:
$ print_rpki_manifest [-h | --help] [-c | --cms] manifest [manifest...]
-h --help
Show help
-c --cms
Print text representation of entire CMS blob
manifest
Manifest(s) to print
***** print_roa *****
print_roa pretty-prints the content of a ROA. It does NOT attempt to verify the
signature.
Usage:
$ print_roa [-h | --help] [-b | --brief] [-c | --cms] [-s | --signing-time]
ROA [ROA...]
-h --help
Show help
-b --brief
Brief mode (only show ASN and prefix)
-c --cms
Print text representation of entire CMS blob
-s --signing-time
Show CMS signingTime
ROA
ROA object(s) to print
***** find_roa *****
find_roa searches the authenticated result tree from an rcynic run for ROAs
matching specified prefixes.
Usage:
$ find_roa [-h | --help] [-a | --all]
[-m | --match-maxlength ] [-f | --show-filenames]
[-i | --show-inception] [-e | --show-expiration]
authtree [prefix...]
-h --help
Show help
-a --all
Show all ROAs, do no prefix matching at all
-e --show-expiration
Show ROA chain expiration dates
-f --show-filenames
Show filenames instead of URIs
-i --show-inception
Show inception dates
-m -match-maxlength
Pay attention to maxLength values
authtree
rcynic authenticated output tree
prefix
ROA prefix(es) to on which to match
***** scan_roas *****
scan_roas searchs the authenticated result tree from an rcynic run for ROAs,
and prints out the signing time, ASN, and prefixes for each ROA, one ROA per
line.
Other programs such as the rpki-rtr client use scan_roas to extract the
validated ROA payload after an rcynic validation run.
Usage:
$ scan_roas [-h | --help] rcynic_directory [rcynic_directory...]
-h --help
Show help
rcynic_directory
rcynic authenticated output tree
***** scan_routercerts *****
scan_routercerts searchs the authenticated result tree from an rcynic run for
BGPSEC router certificates, and prints out data of interest to the rpki-rtr
code.
Other programs such as the rpki-rtr client use scan_routercerts to extract the
validated ROA payload after an rcynic validation run.
Usage:
$ scan_routercerts [-h | --help] rcynic_directory [rcynic_directory...]
-h --help
Show help
rcynic_directory
rcynic authenticated output tree
|
