scripts/regeng-api


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312

;;; -*- Lisp -*-
;;; $Id$
;;;
;;; Scratch pad for working out API design for RPKI engine.
;;;
;;; This file is psuedocode, I just wanted to take advantage of
;;; emacs's built-in support for languages with reasonable syntax.
;;;
;;; Terminology:
;;;
;;; - IRBE: Internet Registry Back End
;;;
;;; - RE: RPKI Engine

;;; Current problems:

;;; Model below is still wrong, although converging on the right
;;; thing.  Children should not be bound within CAs, and CA's can't be
;;; created until we poll parent to find out what to create; CAs need
;;; to be created on the fly.  Children should be business
;;; relationships, not per-CA things.  parent operations should be per
;;; customer not per ca.

;;; Need revoke and rekey operations.

;;; And, er, how do things like publication URIs (which also go into
;;; some of the X.509 extensions in the resource certs) get into the
;;; RE anyway?  This is close to being the same question as how do we
;;; configure the publication point, as the data are largely the same.
;;; Part of the problem is that, if we create CAs on the fly in
;;; response to what we learn from our parent, how do we map that to
;;; any kind of preconfigured data on where we should publish?  This
;;; is a mess.
;;;
;;; Might it help to have per-parent config for this, since we have to
;;; config parents anyway?  That'd give us the head of the publication
;;; URI, leaving us to figure out just the tail.  Could gensym name
;;; tail for dynamically created CAs, could take name tail from chat
;;; with parent (risky?  evil parent gives us dangerous name?), could
;;; take name tail from local config but it's hard to see how.
;;;
;;; We now think that there's a negotiation involved here with both
;;; the parent and the publisher.  The publication URI directory
;;; breaks into three pieces: head/middle/tail/.  head comes from the
;;; publisher, middle comes from the parent, and tail comes from this
;;; RE.  head is just the prefix for where we're allowed to put stuff
;;; within the publication repository; this could be configured by the
;;; IRBE or we could ask the publication repository, we currently
;;; think the latter is better.  Middle comes from this RE's parent,
;;; and should be a new attribute in the up-down XML protocol: it's
;;; the parent's advice on where to put this particular CA's outputs
;;; in order to get the nice hierarchical properties we want.  Tail is
;;; something this RE comes up with, it's per-CA, and all that really
;;; matters is that it's stable; it could be gensymed, or could be our
;;; internal name for the CA, whatever.  This hack may require finding
;;; out the parent's publication URI (which we might get from the
;;; parent's cert or not to be decided later), sort this out later.
;;;
;;; If there is any preliminary negotation with publisher before
;;; publication, it is all hypothetical and assumes that proof will be
;;; given with actual publication request.  Thing that needs to be
;;; proven is that publication client A is not stepping on publication
;;; client B even when B is A's parent.


;;; Protocol operations between RE and signing engine.  This assumes
;;; the model in which the signing engine stores nothing but keypairs
;;; and takes orders from the RE on what to sign; this still needs to
;;; be checked by competent paranoids.

;; Create a keypair.  :length is the number of bits for the key
;; (default 2048?).

(create-keypair :cust-id 42
		:length 2048)
=> (public-key key-id)

;; Destroy a keypair.

(destroy-keypair :cust-id 42
		 :key-id key-id)
=> ()

;; List existing keypairs

(list-keypairs :cust-id 42)
=> ((key-id public-key)
    (key-id public-key)
    ...)

;; Sign something.  how-to-sign tells us both what signature method to
;; use (ie, what kind of object we're signing) and also the signature
;; algorithm to use (where there are multiple choices, which perhaps
;; there should not be?).

(sign-thing :cust-id		42
	    :what-to-sign	cert-without-signature
	    :how-to-sign	:cert-rsa/sha256
	    :key-id		key-id)
=> (signed-thing)


;;; Protocol operations between IRBE and RE.
;;;
;;; This is really two separate protocols over channels that might or
;;; not be the same.  Both are client/server protocols, but for some
;;; the rpki engine and for others the irbe is the client.
;;;
;;; This set of operations are initiated by the IRBE.

(create-cust-id)
=> (customer-id)

(destroy-cust-id :cust-id 42)
=> ()

(list-cust-ids)
=> (customer-id ...)

;; RobK wonders whether there needs to be an operation that blows away
;; most of the context but preserves things like audit logs.  No
;; current consensus on need for this.

(get-preference :cust-id 42
		:preference-name :favorite-color)
=> ("obsidian")

(set-preference :cust-id 42
		:name  :favorite-color
		:value "obsidian")
=> ()

;; Extensions might also show up as preferences that nobody but this
;; IRBE operator has ever heard of

;; The following create RPKI CA contexts

(create-ca-context :cust-id 42)
=> (ca-id)

(destroy-ca-context :cust-id 42
		    :ca-id foo)
=> ()

;; This creates both a context and a keypair
(create-biz-signing-context :cust-id 42)
=> (biz-signing-context-id pkcs10-cert-request)

(destroy-biz-signing-context :cust-id 42
			     :biz-signing-context-id biz-context-id)
=> ()

(list-biz-signing-contexts :cust-id 42)
=> (biz-signing-context-id ...)

(get-biz-signing-certs :cust-id 42
		       :biz-signing-context-id splat)
=> (cert ...)

(set-biz-signing-certs :cust-id 42
		       :biz-signing-context-id splat
		       (cert ...))
=> ()

(set-ca-parent-ta :cust-id 42
		  :ca foo
		  :ta ta)
=> ()

(get-ca-parent-ta :cust-id 42
		  :ca foo)
=> (ta)

(set-ca-parent-uri :cust-id 42
		   :ca foo
		   :uri uri)
=> ()

(get-ca-parent-uri :cust-id 42
		   :ca foo)
=> (uri)

(set-ca-parent-biz-signing-context :cust-id 42
				   :ca foo
				   :biz-signing-context foo)
=> ()

(get-ca-parent-biz-signing-context :cust-id 42
				   :ca foo)
=> (biz-signing-context)

(create-ca-child :cust-id 42
		 :ca foo)
=> (child)

(destroy-ca-child :cust-id 42
		  :ca foo
		  :child bar)
=> ()

(list-ca-children  :cust-id id
		   :ca foo)
=> (child ...)

(set-child-ta :cust-id 42
	      :child foo
	      :ta bar)
=> ()

(get-child-ta :cust-id 42
	      :child foo)
=> (ta)

(set-child-biz-signing-context :cust-id 42
			       :child foo
			       :biz-signing-context bar)
=> ()

(get-child-biz-signing-context :cust-id 42
			       :child foo)
=> (signing-context)

(set-ca-repo-ta :cust-id 42
		:ca foo
		:ta ta)
=> ()

(get-ca-repo-ta :cust-id 42
		:ca foo)
=> (ta)

(set-ca-repo-uri :cust-id 42
		 :ca foo
		 :uri uri)
=> ()

(get-ca-repo-uri :cust-id 42
		 :ca foo)
=> (uri)

(set-ca-repo-biz-signing-context :cust-id 42
				 :ca foo
				 :biz-signing-context foo)
=> ()

(get-ca-repo-biz-signing-context :cust-id 42
				 :ca foo)
=> (biz-signing-context)

(please-run-this-cust-id-now :cust-id 42)
=> ()


;;; Protocol operations between IRBE and RE.
;;;
;;; This is really two separate protocols over channels that might or
;;; not be the same.  Both are client/server protocols, but for some
;;; the rpki engine and for others the irbe is the client.
;;;
;;; This set of operations are initiated by the RE.

(list-resources :cust-id 42
		&optional
		:ca ca)			; If left off, we're asking about self rather than child
=> ((:ipv4-address "10.0.0.44/32" "10.3.0.44/32")
    (:ipv6-address "fe80:dead:beef::/24")
    ...)

(list-rights-to-route :cust-id 42)	; Self
=> ((as-number :ipv4 prefix-or-range :ipv6 prefix-or-range ...)
    (as-number "ipv6 prefix-or-range :ipv6 prefix-or-range :ipv4 prefix-or-range ...)
    ...)

(report-error :cust-id 42
	      :error-token :your-hair-is-on-fire
	      :bag-of-data whatever)
=> ()


;;; Repository update protocol.  Same basic CMS-signed XML mess we use
;;; elsewhere, this time with RE as client, lodging repository as
;;; server.  Authorization is a combination of business key and
;;; resource key/cert: biz key demonstrates that we're authorized to
;;; play with this repository at all, resource cert demonstrates
;;; relationship to the datum to be published.

(publish-thing :thing-type :crl
	       :signed-thing signed-thing)
=> ()

;;; Where signed-thing looks like:
;;;
;;;      (repo-biz-key-signature
;;;	   (ca-key-signature
;;;	     object-to-publish))
;;;
;;; NB: the ca-key-signature is a simple signature with no
;;; certificates embedded, as we can't assume that the repository
;;; knows the trust anchor.  More precisely, if the crypto guys tell
;;; us that we must do cert chain verification here, the business
;;; setup for all this has to make sure that the repository operator
;;; -does- know the RPKI trust anchor and we'd kind of rather not go
;;; there.  The repo-biz-key-signature is cms with the full signer
;;; cert chain in the bag plus the resource cert as an extra cert in
;;; the bag.
;;;
;;; SIA in the signing resource cert's tells us where to publish the
;;; object.