#!/usr/bin/env python """ Test framework to configure and drive a collection of rpkid.py and old_irdbd.py instances under control of a master script. yaml_file is a YAML description the tests to be run, and is intended to be implementation-agnostic. CONFIG contains settings for various implementation-specific things that don't belong in yaml_file. """ # $Id$ # # Copyright (C) 2013--2014 Dragon Research Labs ("DRL") # Portions copyright (C) 2009--2012 Internet Systems Consortium ("ISC") # Portions copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN") # # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notices and this permission notice appear in all copies. # # THE SOFTWARE IS PROVIDED "AS IS" AND DRL, ISC, AND ARIN DISCLAIM ALL # WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED # WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DRL, # ISC, OR ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR # CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS # OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, # NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION # WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
# pylint: disable=W0621 import os import yaml import subprocess import time import logging import argparse import sys import errno import rpki.resource_set import rpki.sundial import rpki.x509 import rpki.http import rpki.log import rpki.left_right import rpki.config import rpki.publication_control import rpki.async from rpki.mysql_import import MySQLdb logger = logging.getLogger(__name__) os.environ["TZ"] = "UTC" time.tzset() parser = argparse.ArgumentParser(description = __doc__) parser.add_argument("-c", "--config", help = "configuration file") parser.add_argument("--profile", action = "store_true", help = "enable profiling") parser.add_argument("-y", action = "store_true", help = "ignored, present only for backwards compatability") parser.add_argument("yaml_file", type = argparse.FileType("r"), help = "YAML description of test network") args = parser.parse_args() cfg = rpki.config.parser(set_filename = args.config, section = "smoketest", allow_missing = True) # Load the YAML script early, so we can report errors ASAP yaml_script = [y for y in yaml.safe_load_all(args.yaml_file)] # Define port allocator early, so we can use it while reading config def allocate_port(): """ Allocate a TCP port number. """ global base_port p = base_port base_port += 1 return p # Most filenames in the following are relative to the working directory. 
# All of these may be overridden in the [smoketest] section of the
# configuration file; the second argument to cfg.get() is the default.

smoketest_name = cfg.get("smoketest_name", "smoketest")
smoketest_dir = cfg.get("smoketest_dir", smoketest_name + ".dir")

# Database credentials.  These are test-fixture defaults for the throwaway
# databases this script (re)creates; override them if the local MySQL
# instance is shared with anything that matters.
irdb_db_pass = cfg.get("irdb_db_pass", "fnord")
rpki_db_pass = cfg.get("rpki_db_pass", "fnord")
pubd_db_pass = cfg.get("pubd_db_pass", "fnord")
pubd_db_name = cfg.get("pubd_db_name", "pubd0")
pubd_db_user = cfg.get("pubd_db_user", "pubd")

# Ports are handed out sequentially from base_port by allocate_port(), so
# the order of these three calls fixes which port each daemon gets
# (rsyncd, rootd, pubd; per-engine ports are allocated later).
base_port = int(cfg.get("base_port", "4400"))
rsyncd_port = allocate_port()
rootd_port = allocate_port()
pubd_port = allocate_port()

rsyncd_module = cfg.get("rsyncd_module", smoketest_name)
# rootd's publication point.  setup_publication() asserts that this is an
# rsync:// URI and maps its path onto the local publication directory.
rootd_sia = cfg.get("rootd_sia", "rsync://localhost:%d/%s/" % (rsyncd_port, rsyncd_module))

# Base names for the per-daemon config, key, certificate and log files.
rootd_name = cfg.get("rootd_name", "rootd")
rsyncd_name = cfg.get("rsyncd_name", "rsyncd")
rcynic_name = cfg.get("rcynic_name", "rcynic")
pubd_name = cfg.get("pubd_name", "pubd")

# Executables.  Relative paths are resolved from inside smoketest_dir,
# which main() chdir()s into before starting anything.
prog_python = cfg.get("prog_python", sys.executable)
prog_rpkid = cfg.get("prog_rpkid", "../../rpkid")
prog_irdbd = cfg.get("prog_irdbd", "../old_irdbd.py")
prog_poke = cfg.get("prog_poke", "../testpoke.py")
prog_rootd = cfg.get("prog_rootd", "../../rootd")
prog_pubd = cfg.get("prog_pubd", "../../pubd")
prog_rsyncd = cfg.get("prog_rsyncd", "rsync")
prog_rcynic = cfg.get("prog_rcynic", "../../../rp/rcynic/rcynic")
prog_openssl = cfg.get("prog_openssl", "../../../openssl/openssl/apps/openssl")

# Shell command string that run_rcynic() executes with shell=True after
# each rcynic pass.  It comes from the trusted local config file, not from
# the YAML test script; keep it that way.
rcynic_stats = cfg.get("rcynic_stats", "echo ; ../../../rp/rcynic/rcynic-text %s.xml ; echo" % rcynic_name)

# SQL schema files, split into individual statements by mangle_sql().
rpki_sql_file = cfg.get("rpki_sql_file", "../../schemas/sql/rpkid.sql")
irdb_sql_file = cfg.get("irdb_sql_file", "old_irdbd.sql")
pub_sql_file = cfg.get("pub_sql_file", "../../schemas/sql/pubd.sql")

# Presumably the number of seconds to wait for the daemons to come up;
# its use is outside this excerpt.
startup_delay = int(cfg.get("startup_delay", "10"))

# Module state filled in later: rsyncd_dir and the pubd_* BPKI objects by
# setup_publication(), pubd_last_cms_time by call_pubd()'s reply handler
# (CMS replay check).  ecdsa_params is not referenced in this excerpt.
rsyncd_dir = None
pubd_ta = None
pubd_irbe_key = None
pubd_irbe_cert = None
pubd_pubd_cert = None
pubd_last_cms_time = None
ecdsa_params = None


class CantRekeyYAMLLeaf(Exception):
    """
    Can't rekey YAML leaf.
""" class CouldntIssueBSCEECertificate(Exception): """ Couldn't issue BSC EE certificate """ sql_conversions = MySQLdb.converters.conversions.copy() sql_conversions.update({ rpki.sundial.datetime : MySQLdb.converters.DateTime2literal, MySQLdb.converters.FIELD_TYPE.DATETIME : rpki.sundial.datetime.DateTime_or_None }) def main(): """ Main program. """ rpki.log.init(smoketest_name, argparse.Namespace(log_level = logging.DEBUG, log_handler = lambda: logging.StreamHandler(sys.stdout))) logger.info("Starting") rpki.http.http_client.timeout = rpki.sundial.timedelta(hours = 1) pubd_process = None rootd_process = None rsyncd_process = None rpki_sql = mangle_sql(rpki_sql_file) irdb_sql = mangle_sql(irdb_sql_file) pubd_sql = mangle_sql(pub_sql_file) logger.info("Initializing test directory") # Connect to test directory, creating it if necessary try: os.chdir(smoketest_dir) except OSError: os.makedirs(smoketest_dir) os.chdir(smoketest_dir) # Now that we're in the right directory, we can figure out whether # we have a private openssl executable to use global prog_openssl if not os.path.exists(prog_openssl): prog_openssl = "openssl" # Discard everything but keys, which take a while to generate. # Apparently os.walk() can't tell the difference between directories # and symlinks to directories, so we have to handle both. 
for root, dirs, files in os.walk(".", topdown = False): for fn in files: if not fn.endswith(".key"): os.remove(os.path.join(root, fn)) for d in dirs: try: os.rmdir(os.path.join(root, d)) except OSError, e: if e.errno == errno.ENOTDIR: os.remove(os.path.join(root, d)) else: raise logger.info("Reading master YAML configuration") y = yaml_script.pop(0) logger.info("Constructing internal allocation database") db = allocation_db(y) logger.info("Constructing BPKI keys and certs for rootd") setup_bpki_cert_chain(rootd_name, ee = ("RPKI",)) logger.info("Constructing BPKI keys and certs for pubd") setup_bpki_cert_chain(pubd_name, ee = ("PUBD", "IRBE")) for a in db: a.setup_bpki_certs() setup_publication(pubd_sql, db.root.irdb_db_name) setup_rootd(db.root, y.get("rootd", {}), db) setup_rsyncd() setup_rcynic() for a in db.engines: a.setup_conf_file() a.setup_sql(rpki_sql, irdb_sql) a.sync_sql() try: logger.info("Starting rootd") rootd_process = subprocess.Popen((prog_python, prog_rootd, "--foreground", "--log-stdout", "--log-level", "debug"), env = dict(os.environ, RPKI_CONF = rootd_name + ".conf")) logger.info("Starting pubd") pubd_process = subprocess.Popen((prog_python, prog_pubd, "--foreground", "--log-stdout", "--log-level", "debug") + (("-p", pubd_name + ".prof") if args.profile else ()), env = dict(os.environ, RPKI_CONF = pubd_name + ".conf")) logger.info("Starting rsyncd") rsyncd_process = subprocess.Popen((prog_rsyncd, "--daemon", "--no-detach", "--config", rsyncd_name + ".conf")) # Start rpkid and irdbd instances for a in db.engines: a.run_daemons() # From this point on we'll be running event-driven, so the rest of # the code until final exit is all closures. 
def start(): rpki.async.iterator(db.engines, create_rpki_objects, create_pubd_objects) def create_rpki_objects(iterator, a): a.create_rpki_objects(iterator) def create_pubd_objects(): call_pubd([rpki.publication_control.client_elt.make_pdu(action = "create", client_handle = db.root.client_handle + "-" + rootd_name, base_uri = rootd_sia,
/* Certificate creation. Demonstrates some certificate related
 * operations.
 */


#include <stdio.h>
#include <stdlib.h>

#include <openssl/pem.h>
#include <openssl/conf.h>
#include <openssl/x509v3.h>
#include <openssl/err.h>
#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
#endif

int mkcert(X509 **x509p, EVP_PKEY **pkeyp, int bits, int serial, int days);
int add_ext(X509 *cert, int nid, char *value);

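/* Demo driver: generate a self-signed CA certificate plus its RSA key,
 * print both in text and PEM form on stdout, then tear down the library.
 * Note that the private key is written unencrypted to stdout (the NULL
 * cipher/passphrase arguments to PEM_write_PrivateKey); that is fine for
 * a demo and nothing else.  Returns 0 on success, 1 on failure.
 */
int main(int argc, char **argv)
	{
	BIO *bio_err;
	X509 *x509=NULL;
	EVP_PKEY *pkey=NULL;
	RSA *rsa;
	int ret=1;

	(void)argc;
	(void)argv;

	CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);

	bio_err=BIO_new_fp(stderr, BIO_NOCLOSE);
	if (bio_err == NULL)
		return(1);

	/* 2048-bit key rather than the original 512: 512-bit RSA is
	 * factorable on commodity hardware and is refused by current
	 * libraries and peers.  Serial 1 rather than 0: RFC 5280 requires
	 * a positive serial number.  mkcert() was previously unchecked, so
	 * a failure dereferenced a NULL pkey below. */
	if (!mkcert(&x509,&pkey,2048,1,365))
		{
		BIO_printf(bio_err, "mkcert failed\n");
		ERR_print_errors(bio_err);
		goto end;
		}

	/* Go through the accessor instead of pkey->pkey.rsa so the code
	 * does not depend on EVP_PKEY's layout; get1 bumps the refcount,
	 * hence the RSA_free. */
	rsa=EVP_PKEY_get1_RSA(pkey);
	if (rsa != NULL)
		{
		RSA_print_fp(stdout,rsa,0);
		RSA_free(rsa);
		}
	X509_print_fp(stdout,x509);

	PEM_write_PrivateKey(stdout,pkey,NULL,NULL,0,NULL, NULL);
	PEM_write_X509(stdout,x509);
	ret=0;

end:
	X509_free(x509);
	EVP_PKEY_free(pkey);

#ifndef OPENSSL_NO_ENGINE
	ENGINE_cleanup();
#endif
	CRYPTO_cleanup_all_ex_data();

	CRYPTO_mem_leaks(bio_err);
	BIO_free(bio_err);
	return(ret);
	}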

/* Progress callback handed to RSA_generate_key(): prints one character
 * on stderr per event.  p selects the mark (0 '.', 1 '+', 2 '*',
 * 3 newline); any other value prints 'B'.  n and arg are unused.
 */
static void callback(int p, int n, void *arg)
	{
	static const char marks[] = ".+*\n";
	char c;

	(void)n;
	(void)arg;
	c = (p >= 0 && p < 4) ? marks[p] : 'B';
	fputc(c,stderr);
	}

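/* Build a self-signed CA certificate.
 *
 * x509p/pkeyp: out-parameters (must be non-NULL).  If *x509p or *pkeyp
 *   is NULL a fresh object is allocated and owned by the caller on
 *   success; otherwise the existing object is filled in.
 * bits:   RSA modulus size for the generated key.
 * serial: certificate serial number (RFC 5280 wants it positive).
 * days:   validity period, from now.
 *
 * Returns 1 on success, 0 on failure.  On failure any object allocated
 * here is freed and the out-parameters are left untouched.
 */
int mkcert(X509 **x509p, EVP_PKEY **pkeyp, int bits, int serial, int days)
	{
	X509 *x=NULL;
	EVP_PKEY *pk=NULL;
	RSA *rsa=NULL;
	X509_NAME *name=NULL;
	int own_x=0, own_pk=0;

	/* Both out-parameters are written on success; the original
	 * tolerated a NULL pointer here and then crashed on *pkeyp=pk. */
	if ((x509p == NULL) || (pkeyp == NULL))
		return(0);

	if (*pkeyp == NULL)
		{
		if ((pk=EVP_PKEY_new()) == NULL)
			goto err;
		own_pk=1;
		}
	else
		pk= *pkeyp;

	if (*x509p == NULL)
		{
		if ((x=X509_new()) == NULL)
			goto err;
		own_x=1;
		}
	else
		x= *x509p;

	/* RSA_generate_key() is the legacy interface (RSA_generate_key_ex()
	 * supersedes it); it returns NULL on failure, which was never
	 * checked before. */
	rsa=RSA_generate_key(bits,RSA_F4,callback,NULL);
	if (rsa == NULL)
		goto err;
	if (!EVP_PKEY_assign_RSA(pk,rsa))
		goto err;
	rsa=NULL;	/* pk now owns the RSA key */

	if (!X509_set_version(x,2))	/* 2 == X.509 v3 */
		goto err;
	if (!ASN1_INTEGER_set(X509_get_serialNumber(x),serial))
		goto err;
	if (X509_gmtime_adj(X509_get_notBefore(x),0) == NULL)
		goto err;
	if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days) == NULL)
		goto err;
	if (!X509_set_pubkey(x,pk))
		goto err;

	name=X509_get_subject_name(x);

	/* X509_NAME_add_entry_by_txt() creates and adds the entry, working
	 * out the correct string type and checking its length; it returns 0
	 * on failure. */
	if (!X509_NAME_add_entry_by_txt(name,"C",
				MBSTRING_ASC, (const unsigned char *)"UK", -1, -1, 0))
		goto err;
	if (!X509_NAME_add_entry_by_txt(name,"CN",
				MBSTRING_ASC, (const unsigned char *)"OpenSSL Group", -1, -1, 0))
		goto err;

	/* It's self-signed, so the issuer name is the subject name. */
	if (!X509_set_issuer_name(x,name))
		goto err;

	/* Standard extensions: a CA certificate that may sign certs and CRLs. */
	if (!add_ext(x, NID_basic_constraints, "critical,CA:TRUE"))
		goto err;
	if (!add_ext(x, NID_key_usage, "critical,keyCertSign,cRLSign"))
		goto err;
	if (!add_ext(x, NID_subject_key_identifier, "hash"))
		goto err;

	/* Some Netscape specific extensions */
	if (!add_ext(x, NID_netscape_cert_type, "sslCA"))
		goto err;
	if (!add_ext(x, NID_netscape_comment, "example comment extension"))
		goto err;

#ifdef CUSTOM_EXT
	/* Maybe even add our own extension based on existing */
	{
		int nid;
		nid = OBJ_create("1.2.3.4", "MyAlias", "My Test Alias Extension");
		if (nid == NID_undef)
			goto err;
		X509V3_EXT_add_alias(nid, NID_netscape_comment);
		if (!add_ext(x, nid, "example comment alias"))
			goto err;
	}
#endif

	/* SHA-256 instead of MD5: MD5 collisions make MD5-signed
	 * certificates forgeable, and verifiers reject the algorithm. */
	if (!X509_sign(x,pk,EVP_sha256()))
		goto err;

	*x509p=x;
	*pkeyp=pk;
	return(1);
err:
	/* Release only what this call allocated; caller-supplied objects
	 * stay with the caller.  RSA_free() accepts NULL. */
	RSA_free(rsa);
	if (own_x)
		X509_free(x);
	if (own_pk)
		EVP_PKEY_free(pk);
	return(0);
	}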

/* Add an extension using the V3 code: the config file argument can be
 * NULL because this extension value won't reference any other sections.
 */

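/* Add one X509v3 extension to cert.
 *
 * cert:  certificate being built (also used as its own issuer, since
 *        the demo certificate is self-signed).
 * nid:   NID of the extension to add.
 * value: extension value in the config-file syntax X509V3_EXT_conf_nid()
 *        understands, e.g. "critical,CA:TRUE".
 *
 * Returns 1 if the extension was attached, 0 otherwise.
 */
int add_ext(X509 *cert, int nid, char *value)
	{
	X509_EXTENSION *ex;
	X509V3_CTX ctx;
	int ok;

	/* This sets the 'context' of the extensions. */
	/* No configuration database */
	X509V3_set_ctx_nodb(&ctx);
	/* Issuer and subject certs: both the target since it is self signed,
	 * no request and no CRL
	 */
	X509V3_set_ctx(&ctx, cert, cert, NULL, NULL, 0);
	ex = X509V3_EXT_conf_nid(NULL, &ctx, nid, value);
	if (!ex)
		return 0;

	/* X509_add_ext() copies the extension, so ex is freed either way.
	 * The original ignored its return value and reported success even
	 * when the extension was not attached. */
	ok = X509_add_ext(cert,ex,-1);
	X509_EXTENSION_free(ex);
	return ok ? 1 : 0;
	}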
	
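otd_fmt_3 % d
    # Runs the openssl/awk pipeline assembled from rootd_fmt_3 through the shell.
    subprocess.check_call(s, shell = True)


def setup_rcynic():
    """
    Write the config file for rcynic.

    Writes <rcynic_name>.conf from rcynic_fmt_1, pointing rcynic at the
    trust anchor locator that setup_rootd() generates for rootd.
    """
    logger.info("Config file for rcynic")
    d = dict(rcynic_name = rcynic_name,
             rootd_name = rootd_name,
             rootd_sia = rootd_sia)
    with open(rcynic_name + ".conf", "w") as f:
        f.write(rcynic_fmt_1 % d)


def setup_rsyncd():
    """
    Write the config file for rsyncd.

    Writes <rsyncd_name>.conf from rsyncd_fmt_1.  Must run after
    setup_publication(), which sets rsyncd_dir (the exported path).
    """
    logger.info("Config file for rsyncd")
    d = dict(rsyncd_name = rsyncd_name,
             rsyncd_port = rsyncd_port,
             rsyncd_module = rsyncd_module,
             rsyncd_dir = rsyncd_dir)
    with open(rsyncd_name + ".conf", "w") as f:
        f.write(rsyncd_fmt_1 % d)


def setup_publication(pubd_sql, irdb_db_name):
    """
    Set up publication daemon.

    pubd_sql: sequence of SQL statements (as produced by mangle_sql())
      used to (re)create pubd's database schema.
    irdb_db_name: name of the IRDB database written into the [irdbd]
      section of pubd's config file.

    Side effects: creates the publication tree under the working
    directory, (re)initialises the pubd database, writes <pubd_name>.conf
    and loads pubd's BPKI credentials into the module globals rsyncd_dir,
    pubd_ta, pubd_irbe_key, pubd_irbe_cert and pubd_pubd_cert.
    """
    logger.info("Configure publication daemon")
    publication_dir = os.getcwd() + "/publication"
    assert rootd_sia.startswith("rsync://")
    global rsyncd_dir
    # Map the path part of the rootd SIA (everything after
    # rsync://host:port/module/) onto the local publication tree.  The
    # explicit "/" keeps the result correct when that path is non-empty;
    # for the default rootd_sia it is "" and the result is unchanged.
    rsyncd_dir = publication_dir + "/" + "/".join(rootd_sia.split("/")[4:])
    if not rsyncd_dir.endswith("/"):
        rsyncd_dir += "/"
    os.makedirs(rsyncd_dir + "root/trunk")

    # The schema statements come from a local file named in the config,
    # not from the YAML test script.
    db = MySQLdb.connect(db = pubd_db_name,
                         user = pubd_db_user,
                         passwd = pubd_db_pass,
                         conv = sql_conversions)
    try:
        cur = db.cursor()
        db.autocommit(True)
        for sql in pubd_sql:
            try:
                cur.execute(sql)
            except Exception:
                # DROP TABLE IF EXISTS may legitimately fail on a fresh
                # database; any other failure is fatal.
                if "DROP TABLE IF EXISTS" not in sql.upper():
                    raise
    finally:
        db.close()

    d = dict(pubd_name = pubd_name,
             pubd_port = pubd_port,
             pubd_db_name = pubd_db_name,
             pubd_db_user = pubd_db_user,
             pubd_db_pass = pubd_db_pass,
             pubd_dir = rsyncd_dir,
             irdb_db_name = irdb_db_name,
             irdb_db_pass = irdb_db_pass)
    with open(pubd_name + ".conf", "w") as f:
        f.write(pubd_fmt_1 % d)

    global pubd_ta
    global pubd_irbe_key
    global pubd_irbe_cert
    global pubd_pubd_cert
    pubd_ta = rpki.x509.X509(Auto_file = pubd_name + "-TA.cer")
    pubd_irbe_key = rpki.x509.RSA(Auto_file = pubd_name + "-IRBE.key")
    pubd_irbe_cert = rpki.x509.X509(Auto_file = pubd_name + "-IRBE.cer")
    pubd_pubd_cert = rpki.x509.X509(Auto_file = pubd_name + "-PUBD.cer")


def call_pubd(pdus, cb):
    """
    Send a publication control message to publication daemon and return the
    response.

    pdus: publication-control PDUs wrapped into one query message.
    cb: called with the unwrapped reply message once every PDU in it has
      passed raise_if_error().  On transport or CMS failure the error is
      only logged (call_pubd_eb) and cb is never called, so the caller's
      event chain stops there.

    The query is CMS-signed with pubd_irbe_key/pubd_irbe_cert; the reply
    must unwrap against pubd_ta/pubd_pubd_cert, and check_replay()
    compares it with the previous reply (pubd_last_cms_time) so a replayed
    response is rejected.
    """
    logger.info("Calling pubd")
    q_msg = rpki.publication_control.msg.query(*pdus)
    q_cms = rpki.publication_control.cms_msg_saxify()
    q_der = q_cms.wrap(q_msg, pubd_irbe_key, pubd_irbe_cert)
    q_url = "http://localhost:%d/control" % pubd_port
    logger.debug(q_cms.pretty_print_content())

    def call_pubd_cb(r_der):
        global pubd_last_cms_time
        r_cms = rpki.publication_control.cms_msg_saxify(DER = r_der)
        r_msg = r_cms.unwrap((pubd_ta, pubd_pubd_cert))
        pubd_last_cms_time = r_cms.check_replay(pubd_last_cms_time, q_url)
        logger.debug(r_cms.pretty_print_content())
        assert r_msg.is_reply
        for r_pdu in r_msg:
            r_pdu.raise_if_error()
        cb(r_msg)

    def call_pubd_eb(e):
        logger.exception("Problem calling pubd")

    rpki.http.client(url = q_url,
                     msg = q_der,
                     callback = call_pubd_cb,
                     errback = call_pubd_eb)


def cross_certify(certificant, certifier):
    """
    Cross-certify and return the resulting certificate.

    certificant: base name of the entity whose certificate is being
      cross-certified (reads <certificant>.cer).
    certifier: base name of the BPKI doing the certifying (reads
      <certifier>.cer and <certifier>.key).

    The serial number is kept in <certifier>.srl as hex; a missing or
    empty file starts at 1.  Writes <certifier>-<certificant>.cer (PEM)
    and returns the certificate object.  Validity is 30 days from now.
    """
    certfile = certifier + "-" + certificant + ".cer"
    logger.info("Cross certifying %s into %s's BPKI (%s)", certificant, certifier, certfile)
    child = rpki.x509.X509(Auto_file = certificant + ".cer")
    parent = rpki.x509.X509(Auto_file = certifier + ".cer")
    keypair = rpki.x509.RSA(Auto_file = certifier + ".key")
    serial_file = certifier + ".srl"
    now = rpki.sundial.now()
    notAfter = now + rpki.sundial.timedelta(days = 30)
    try:
        with open(serial_file, "r") as f:
            serial = int(f.read().splitlines()[0], 16)
    except (IOError, IndexError):
        # No serial file yet, or an empty one: start from 1.  A malformed
        # value still raises, since silently restarting would reuse serials.
        serial = 1
    x = parent.bpki_cross_certify(keypair = keypair,
                                  source_cert = child,
                                  serial = serial,
                                  notAfter = notAfter,
                                  now = now)
    with open(serial_file, "w") as f:
        f.write("%02x\n" % (serial + 1))
    with open(certfile, "w") as f:
        f.write(x.get_PEM())
    logger.debug("Cross certified %s:", certfile)
    logger.debug(" Issuer %s [%s]", x.getIssuer(), x.hAKI())
    logger.debug(" Subject %s [%s]", x.getSubject(), x.hSKI())
    return x


# Unix time (whole seconds) of the previous run_rcynic() call, used to
# give each saved XML summary a distinct name.
last_rcynic_run = None


def run_rcynic():
    """
    Run rcynic to see whether what was published makes sense.

    Runs rcynic with <rcynic_name>.conf, then the rcynic_stats command
    (a shell string from the config file, hence shell=True), and links
    the XML summary to <rcynic_name>.<timestamp>.xml.  Sleeps one second
    if called twice within the same second so that name is unique.
    """
    logger.info("Running rcynic")
    env = os.environ.copy()
    env["TZ"] = ""
    global last_rcynic_run
    if int(time.time()) == last_rcynic_run:
        time.sleep(1)
    subprocess.check_call((prog_rcynic, "-c", rcynic_name + ".conf"), env = env)
    subprocess.call(rcynic_stats, shell = True, env = env)
    last_rcynic_run = int(time.time())
    os.link("%s.xml" % rcynic_name, "%s.%s.xml" % (rcynic_name, last_rcynic_run))


def mangle_sql(filename):
    """
    Mangle an SQL file into a sequence of SQL statements.

    Strips "--" comments, collapses whitespace and splits on ";".  Returns
    a list of statement strings (without trailing semicolons).
    """
    words = []
    with open(filename) as f:
        for line in f:
            words.extend(line.partition("--")[0].split())
    return " ".join(words).strip(";").split(";")


bpki_cert_fmt_1 = '''\
[req]
distinguished_name = req_dn
x509_extensions = req_x509_ext
prompt = no
default_md = sha256

[req_dn]
CN = Test Certificate %(name)s %(kind)s

[req_x509_ext]
basicConstraints = critical,CA:%(ca)s
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always

[ca]
default_ca = ca_default

[ca_default]
certificate = %(name)s-%(kind)s.cer
serial = %(name)s-%(kind)s.srl
private_key = %(name)s-%(kind)s.key
database = %(name)s-%(kind)s.idx
crlnumber = %(name)s-%(kind)s.cnm
default_crl_days = 30
default_md = sha256
'''

bpki_cert_fmt_2 = '''\
%(openssl)s genrsa -out %(name)s-%(kind)s.key 2048 &&
'''

bpki_cert_fmt_3 = '''\
%(openssl)s req -new \
  -sha256 \
  -key %(name)s-%(kind)s.key \
  -out %(name)s-%(kind)s.req \
  -config %(name)s-%(kind)s.conf &&
touch %(name)s-%(kind)s.idx &&
echo >%(name)s-%(kind)s.cnm 01 &&
'''

bpki_cert_fmt_4 = '''\
%(openssl)s x509 -req -sha256 \
  -in %(name)s-TA.req \
  -out %(name)s-TA.cer \
  -extfile %(name)s-TA.conf \
  -extensions req_x509_ext \
  -signkey %(name)s-TA.key \
  -days 60 -text \
'''

bpki_cert_fmt_5 = ''' && \
%(openssl)s x509 -req \
  -sha256 \
  -in %(name)s-%(kind)s.req \
  -out %(name)s-%(kind)s.cer \
  -extfile %(name)s-%(kind)s.conf \
  -extensions req_x509_ext \
  -days 30 \
  -text \
  -CA %(name)s-TA.cer \
  -CAkey %(name)s-TA.key \
  -CAcreateserial \
'''

bpki_cert_fmt_6 = ''' && \
%(openssl)s ca -batch \
  -gencrl \
  -out %(name)s-%(kind)s.crl \
  -config %(name)s-%(kind)s.conf \
'''

conf_fmt_1 = '''\
[irdbd]

startup-message = This is %(my_name)s irdbd

sql-database = %(irdb_db_name)s
sql-username = irdb
sql-password = %(irdb_db_pass)s
bpki-ta = %(my_name)s-TA.cer
rpkid-cert = %(my_name)s-RPKI.cer
irdbd-cert = %(my_name)s-IRDB.cer
irdbd-key = %(my_name)s-IRDB.key
http-url = http://localhost:%(irdb_port)d/
enable_tracebacks = yes

[irbe_cli]

rpkid-bpki-ta = %(my_name)s-TA.cer
rpkid-cert = %(my_name)s-RPKI.cer
rpkid-irbe-cert = %(my_name)s-IRBE.cer
rpkid-irbe-key = %(my_name)s-IRBE.key
rpkid-url = http://localhost:%(rpki_port)d/left-right
enable_tracebacks = yes

[rpkid]

startup-message = This is %(my_name)s rpkid

sql-database = %(rpki_db_name)s
sql-username = rpki
sql-password = %(rpki_db_pass)s
bpki-ta = %(my_name)s-TA.cer
rpkid-key = %(my_name)s-RPKI.key
rpkid-cert = %(my_name)s-RPKI.cer
irdb-cert = %(my_name)s-IRDB.cer
irbe-cert = %(my_name)s-IRBE.cer
irdb-url = http://localhost:%(irdb_port)d/
server-host = localhost
server-port = %(rpki_port)d
use-internal-cron = false
enable_tracebacks = yes

[myrpki]

start_rpkid = yes
start_irdbd = yes
start_pubd = no
'''

rootd_fmt_1 = '''\
[rootd]

bpki-ta = %(rootd_name)s-TA.cer
rootd-bpki-cert = %(rootd_name)s-RPKI.cer
rootd-bpki-key = %(rootd_name)s-RPKI.key
rootd-bpki-crl = %(rootd_name)s-TA.crl
child-bpki-cert = %(rootd_name)s-TA-%(rpkid_name)s-SELF.cer
pubd-bpki-cert = %(rootd_name)s-TA-%(pubd_name)s-TA.cer
server-port = %(rootd_port)s
rpki-class-name = trunk
pubd-contact-uri = http://localhost:%(pubd_port)d/client/%(rootd_handle)s
rpki-root-cert-file = root.cer
rpki-root-cert-uri = %(rootd_sia)sroot.cer
rpki-root-key-file = root.key
rpki-subject-cert-file = trunk.cer
rpki-subject-cert-uri = %(rootd_sia)sroot/trunk.cer
rpki-subject-pkcs10-file= trunk.p10
rpki-subject-lifetime = %(lifetime)s
rpki-root-crl-file = root.crl
rpki-root-crl-uri = %(rootd_sia)sroot/root.crl
rpki-root-manifest-file = root.mft
rpki-root-manifest-uri = %(rootd_sia)sroot/root.mft
include-bpki-crl = yes
enable_tracebacks = yes

[req]
default_bits = 2048
encrypt_key = no
distinguished_name = req_dn
prompt = no
default_md = sha256
default_days = 60

[req_dn]
CN = Completely Bogus Test Root (NOT FOR PRODUCTION USE)

[req_x509_ext]
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always

[req_x509_rpki_ext]
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
keyUsage = critical,keyCertSign,cRLSign
subjectInfoAccess = @sia
sbgp-autonomousSysNum = critical,AS:0-4294967295
sbgp-ipAddrBlock = critical,IPv4:0.0.0.0/0,IPv6:0::/0
certificatePolicies = critical, @rpki_certificate_policy

[sia]
1.3.6.1.5.5.7.48.5;URI = %(rootd_sia)sroot/
1.3.6.1.5.5.7.48.10;URI = %(rootd_sia)sroot/root.mft

[rpki_certificate_policy]
policyIdentifier = 1.3.6.1.5.5.7.14.2
'''

rootd_fmt_2 = '''\
%(openssl)s genrsa -out root.key 2048 &&
'''

rootd_fmt_3 = '''\
echo >%(rootd_name)s.tal %(rootd_sia)sroot.cer &&
echo >>%(rootd_name)s.tal &&
%(openssl)s rsa -pubout -in root.key | awk '!/-----(BEGIN|END)/' >>%(rootd_name)s.tal &&
%(openssl)s req -new -text -sha256 \
  -key root.key \
  -out %(rootd_name)s.req \
  -config %(rootd_name)s.conf \
  -extensions req_x509_rpki_ext &&
%(openssl)s x509 -req -sha256 \
  -in %(rootd_name)s.req \
  -out root.cer \
  -outform DER \
  -extfile %(rootd_name)s.conf \
  -extensions req_x509_rpki_ext \
  -signkey root.key
'''

rcynic_fmt_1 = '''\
[rcynic]
xml-summary = %(rcynic_name)s.xml
jitter = 0
use-links = yes
use-syslog = no
use-stderr = yes
log-level = log_debug
trust-anchor-locator = %(rootd_name)s.tal
'''

rsyncd_fmt_1 = '''\
port = %(rsyncd_port)d
address = localhost

[%(rsyncd_module)s]
read only = yes
transfer logging = yes
use chroot = no
path = %(rsyncd_dir)s
comment = RPKI test
'''

pubd_fmt_1 = '''\
[pubd]

sql-database = %(pubd_db_name)s
sql-username = %(pubd_db_user)s
sql-password = %(pubd_db_pass)s
bpki-ta = %(pubd_name)s-TA.cer
pubd-crl = %(pubd_name)s-TA.crl
pubd-cert = %(pubd_name)s-PUBD.cer
pubd-key = %(pubd_name)s-PUBD.key
irbe-cert = %(pubd_name)s-IRBE.cer
server-host = localhost
server-port = %(pubd_port)d
publication-base = %(pubd_dir)s
enable_tracebacks = yes

[irdbd]

sql-database = %(irdb_db_name)s
sql-username = irdb
sql-password = %(irdb_db_pass)s

[myrpki]

start_rpkid = no
start_irdbd = no
start_pubd = yes
'''

# Only run the test when executed as a script, not on import.
if __name__ == "__main__":
    main()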