# $Id$ # Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN") # # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # # THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH # REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY # AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, # INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM # LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. """ Test framework to configure and drive a collection of rpkid.py and irdbd.py instances under control of a master script. Usage: python rpkid.py [ { -c | --config } config_file ] [ { -h | --help } ] [ { -y | --yaml } yaml_script ] Default config_file is testbed.conf, override with --config option. Default yaml_script is testbed.yaml, override with -yaml option. yaml_script is a YAML file describing the tests to be run, and is intended to be implementation agnostic. config_file contains settings for various implementation-specific things that don't belong in yaml_script. """ import os, yaml, MySQLdb, subprocess, signal, time, datetime, re, getopt, sys, lxml import rpki.resource_set, rpki.sundial, rpki.x509, rpki.https, rpki.log, rpki.left_right, rpki.config os.environ["TZ"] = "UTC" time.tzset() cfg_file = "testbed.conf" yaml_script = None opts,argv = getopt.getopt(sys.argv[1:], "c:hy:?", ["config=", "help", "yaml="]) for o,a in opts: if o in ("-h", "--help", "-?"): print __doc__ sys.exit(0) elif o in ("-c", "--config"): cfg_file = a elif o in ("-y", "--yaml"): yaml_script = a if argv: print __doc__ raise RuntimeError, "Unexpected arguments %s" % argv cfg = rpki.config.parser(cfg_file, "testbed") # Load the YAML script early, so we can report errors ASAP if yaml_script is None: yaml_script = cfg.get("yaml_script", "testbed.yaml") try: yaml_script = [y for y in yaml.safe_load_all(open(yaml_script))] except: print __doc__ raise # Define port allocator early, so we can use it while reading config def allocate_port(): """Allocate a TCP port number.""" global base_port p = base_port base_port += 1 return p # Most filenames in the following are relative to the working directory. testbed_name = cfg.get("testbed_name", "testbed") testbed_dir = cfg.get("testbed_dir", testbed_name + ".dir") irdb_db_pass = cfg.get("irdb_db_pass", "fnord") rpki_db_pass = cfg.get("rpki_db_pass", "fnord") base_port = int(cfg.get("base_port", "4400")) rsyncd_port = allocate_port() rootd_port = allocate_port() rsyncd_module = cfg.get("rsyncd_module", testbed_name) rootd_sia = cfg.get("rootd_sia", "rsync://localhost:%d/%s/" % (rsyncd_port, rsyncd_module)) rootd_name = cfg.get("rootd_name", "rootd") rsyncd_name = cfg.get("rcynic_name", "rsyncd") rcynic_name = cfg.get("rcynic_name", "rcynic") prog_python = cfg.get("prog_python", "python") prog_rpkid = cfg.get("prog_rpkid", "../rpkid.py") prog_irdbd = cfg.get("prog_irdbd", "../irdbd.py") prog_poke = cfg.get("prog_poke", "../testpoke.py") prog_rootd = cfg.get("prog_rootd", "../rootd.py") prog_openssl = cfg.get("prog_openssl", "../../openssl/openssl/apps/openssl") prog_rsyncd = cfg.get("prog_rsyncd", "rsync") prog_rcynic = cfg.get("prog_rcynic", "../../rcynic/rcynic") rcynic_stats = cfg.get("rcynic_stats", "xsltproc --param refresh 0 ../../rcynic/rcynic.xsl %s.xml | w3m -T text/html -dump" % rcynic_name) rpki_sql_file = cfg.get("rpki_sql_file", "../docs/rpki-db-schema.sql") irdb_sql_file = cfg.get("irdb_sql_file", "../docs/sample-irdb.sql") testbed_key = None testbed_certs = None rootd_ta = None startup_delay = int(cfg.get("startup_delay", "10")) def main(): """Main program, up front to make control logic more obvious.""" rpki.log.init(testbed_name) rpki.log.info("Starting") signal.signal(signal.SIGALRM, wakeup) rootd_process = None rsyncd_process = None rpki_sql = mangle_sql(rpki_sql_file) irdb_sql = mangle_sql(irdb_sql_file) try: os.chdir(testbed_dir) except: os.makedirs(testbed_dir) os.chdir(testbed_dir) rpki.log.info("Cleaning up old state") subprocess.check_call(("rm", "-rf", "publication", "rcynic-data", "rootd.subject.pkcs10", "rootd.req")) rpki.log.info("Reading master YAML configuration") db = allocation_db(yaml_script.pop(0)) rpki.log.info("Constructing biz keys and certs for control script") setup_biz_cert_chain(testbed_name) gl
<!--  -*- SGML -*-
  - $Id$
  -
  - Copyright (C) 2009  Internet Systems Consortium ("ISC")
  -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 --> 

<!--
  - Split Base64 XML text elements into reasonable length chunks, to
  - make the result more readable, allow halfway-sane comparisions of
  - XML using diff, etc.  Makes no attempt to distinguish Base64 from
  - other text, so not suitable for use on XML with text elements that
  - are -not- Base64.  Piping output of this transform into xmlindent
  - produces something halfway readable.  YMMV.
 --> 

<xsl:transform xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">

  <xsl:output method="xml"/>

  <xsl:param name="width" select="64"/>

  <xsl:template match="text()">
    <xsl:text>&#10;</xsl:text>
    <xsl:call-template name="wrap">
      <xsl:with-param name="input" select="translate(normalize-space(), ' ', '')"/>
    </xsl:call-template>
  </xsl:template>

  <xsl:template match="node()|@*">
    <xsl:copy>
      <xsl:copy-of select="@*"/>
      <xsl:apply-templates/>
    </xsl:copy>
  </xsl:template>

  <xsl:template name="wrap">
    <xsl:param name="input"/>
    <xsl:text>            </xsl:text>
    <xsl:choose>
      <xsl:when test="string-length($input) > $width">
        <xsl:value-of select="substring($input, 1, $width)"/>
	<xsl:text>&#10;</xsl:text>
	<xsl:call-template name="wrap">
	  <xsl:with-param name="input" select="substring($input, $width+1)"/>
	</xsl:call-template>
      </xsl:when>
      <xsl:otherwise>
        <xsl:value-of select="$input"/>
	<xsl:text>&#10;</xsl:text>
      </xsl:otherwise>
    </xsl:choose>
  </xsl:template>

</xsl:transform>
generated by cgit v1.2.3 (git 2.25.1) at 2025-05-12 10:25:18 +0000
wd = irdb_db_pass) cur = db.cursor() cur.execute("DELETE FROM asn") cur.execute("DELETE FROM net") for kid in self.kids: cur.execute("SELECT registrant_id FROM registrant WHERE IRBE_mapped_id = %s", (kid.name,)) registrant_id = cur.fetchone()[0] for as_range in kid.resources.as: cur.execute("INSERT asn (start_as, end_as, registrant_id) VALUES (%s, %s, %s)", (as_range.min, as_range.max, registrant_id)) for v4_range in kid.resources.v4: cur.execute("INSERT net (start_ip, end_ip, version, registrant_id) VALUES (%s, %s, 4, %s)", (v4_range.min, v4_range.max, registrant_id)) for v6_range in kid.resources.v6: cur.execute("INSERT net (start_ip, end_ip, version, registrant_id) VALUES (%s, %s, 6, %s)", (v6_range.min, v6_range.max, registrant_id)) cur.execute("UPDATE registrant SET valid_until = %s WHERE registrant_id = %s", (kid.resources.valid_until, registrant_id)) db.close() def run_daemons(self): """Run daemons for this entity.""" rpki.log.info("Running daemons for %s" % self.name) self.rpkid_process = subprocess.Popen((prog_python, prog_rpkid, "-c", self.name + ".conf")) self.irdbd_process = subprocess.Popen((prog_python, prog_irdbd, "-c", self.name + ".conf")) def kill_daemons(self): """Kill daemons for this entity.""" rpki.log.info("Killing daemons for %s" % self.name) for proc in (self.rpkid_process, self.irdbd_process): try: os.kill(proc.pid, signal.SIGTERM) except: pass proc.wait() def call_rpkid(self, pdu): """Send a left-right message to this entity's RPKI daemon and return the response. """ rpki.log.info("Calling rpkid for %s" % self.name) pdu.type = "query" elt = rpki.left_right.msg((pdu,)).toXML() rpki.relaxng.left_right.assertValid(elt) rpki.log.debug(lxml.etree.tostring(elt, pretty_print = True, encoding = "us-ascii")) cms = rpki.cms.xml_sign( elt = elt, key = testbed_key, certs = testbed_certs) url = "https://localhost:%d/left-right" % self.rpki_port rpki.log.debug("Attempting to connect to %s" % url) cms = rpki.https.client( client_key = testbed_key, client_certs = testbed_certs, server_ta = rpki.x509.X509_chain(self.rpkid_ta), url = url, msg = cms) elt = rpki.cms.xml_verify(cms = cms, ta = self.rpkid_ta) rpki.relaxng.left_right.assertValid(elt) rpki.log.debug(lxml.etree.tostring(elt, pretty_print = True, encoding = "us-ascii")) pdu = rpki.left_right.sax_handler.saxify(elt)[0] assert pdu.type == "reply" and not isinstance(pdu, rpki.left_right.report_error_elt) return pdu def create_rpki_objects(self): """Create RPKI engine objects for this engine. Parent and child objects are tricky: - Parent object needs to know child_id by which parent refers to this engine in order to set the contact URI correctly. - Child object needs to record the child_id by which this engine refers to the child. This all just works so long as we walk the set of engines in the right order (parents before their children). Root node of the engine tree is special, it too has a parent but that one is the magic self-signed micro engine. """ rpki.log.info("Creating rpkid self object for %s" % self.name) self.self_id = self.call_rpkid(rpki.left_right.self_elt.make_pdu(action = "create", crl_interval = self.crl_interval)).self_id rpki.log.info("Creating rpkid BSC object for %s" % self.name) pdu = self.call_rpkid(rpki.left_right.bsc_elt.make_pdu(action = "create", self_id = self.self_id, generate_keypair = True)) self.bsc_id = pdu.bsc_id rpki.log.info("Issuing BSC EE cert for %s" % self.name) cmd = (prog_openssl, "x509", "-req", "-CA", self.name + "-RPKI-CA.cer", "-CAkey", self.name + "-RPKI-CA.key", "-CAserial", self.name + "-RPKI-CA.srl") signer = subprocess.Popen(cmd, stdin = subprocess.PIPE, stdout = subprocess.PIPE, stderr = subprocess.PIPE) bsc_ee = rpki.x509.X509(PEM = signer.communicate(input = pdu.pkcs10_cert_request.get_PEM())[0]) rpki.log.info("Installing BSC EE cert for %s" % self.name) self.call_rpkid(rpki.left_right.bsc_elt.make_pdu(action = "set", self_id = self.self_id, bsc_id = self.bsc_id, signing_cert = [bsc_ee, rpki.x509.X509(PEM_file = self.name + "-RPKI-CA.cer")])) rpki.log.info("Creating rpkid repository object for %s" % self.name) self.repository_id = self.call_rpkid(rpki.left_right.repository_elt.make_pdu(action = "create", self_id = self.self_id, bsc_id = self.bsc_id)).repository_id rpki.log.info("Creating rpkid parent object for %s" % self.name) if self.parent is None: self.parent_id = self.call_rpkid(rpki.left_right.parent_elt.make_pdu( action = "create", self_id = self.self_id, bsc_id = self.bsc_id, repository_id = self.repository_id, sia_base = self.sia_base, cms_ta = rootd_ta, https_ta = rootd_ta, sender_name = self.name, recipient_name = "Walrus", peer_contact_uri = "https://localhost:%s/" % rootd_port)).parent_id else: self.parent_id = self.call_rpkid(rpki.left_right.parent_elt.make_pdu( action = "create", self_id = self.self_id, bsc_id = self.bsc_id, repository_id = self.repository_id, sia_base = self.sia_base, cms_ta = self.parent.rpkid_ta, https_ta = self.parent.rpkid_ta, sender_name = self.name, recipient_name = self.parent.name, peer_contact_uri = "https://localhost:%s/up-down/%s" % (self.parent.rpki_port, self.child_id))).parent_id rpki.log.info("Creating rpkid child objects for %s" % self.name) db = MySQLdb.connect(user = "irdb", db = self.irdb_db_name, passwd = irdb_db_pass) cur = db.cursor() for kid in self.kids: kid.child_id = self.call_rpkid(rpki.left_right.child_elt.make_pdu(action = "create", self_id = self.self_id, bsc_id = self.bsc_id, cms_ta = kid.rpkid_ta)).child_id cur.execute("UPDATE registrant SET rpki_self_id = %s, rpki_child_id = %s WHERE IRBE_mapped_id = %s", (self.self_id, kid.child_id, kid.name)) db.close() def write_leaf_yaml(self): """Write YAML scripts for leaf nodes. Only supports list requests at the moment: issue requests would require class and SIA values, revoke requests would require class and SKI values. ...Except that we can cheat and assume class 1 because we just know that rpkid will assign that with the current setup. So we also support issue, kludge though this is. """ rpki.log.info("Writing leaf YAML for %s" % self.name) f = open(self.name + ".yaml", "w") f.write(yaml_fmt_1 % { "child_id" : self.child_id, "parent_name" : self.parent.name, "my_name" : self.name, "https_port" : self.parent.rpki_port, "sia" : self.sia_base }) f.close() def run_cron(self): """Trigger cron run for this engine.""" rpki.log.info("Running cron for %s" % self.name) rpki.https.client(client_key = testbed_key, client_certs = testbed_certs, server_ta = rpki.x509.X509_chain(self.rpkid_ta), url = "https://localhost:%d/cronjob" % self.rpki_port, msg = "Run cron now, please") def run_yaml(self): """Run YAML scripts for this leaf entity.""" rpki.log.info("Running YAML for %s" % self.name) subprocess.check_call((prog_python, prog_poke, "-y", self.name + ".yaml", "-r", "list")) subprocess.check_call((prog_python, prog_poke, "-y", self.name + ".yaml", "-r", "issue")) def setup_biz_cert_chain(name): """Build a set of business certs.""" s = "exec >/dev/null 2>&1\n" for kind in ("EE", "CA", "TA"): d = { "name" : name, "kind" : kind, "ca" : "true" if kind in ("CA", "TA") else "false", "openssl" : prog_openssl } f = open("%(name)s-%(kind)s.cnf" % d, "w") f.write(biz_cert_fmt_1 % d) f.close() if not os.path.exists("%(name)s-%(kind)s.key" % d): s += biz_cert_fmt_2 % d s += biz_cert_fmt_3 % d s += (biz_cert_fmt_4 % { "name" : name, "openssl" : prog_openssl }) subprocess.check_call(s, shell = True) def setup_rootd(rpkid_name): """Write the config files for rootd.""" rpki.log.info("Writing config files for %s" % rootd_name) d = { "rootd_name" : rootd_name, "rootd_port" : rootd_port, "rpkid_name" : rpkid_name, "rootd_sia" : rootd_sia, "rsyncd_dir" : rsyncd_dir, "openssl" : prog_openssl } f = open(rootd_name + ".conf", "w") f.write(rootd_fmt_1 % d) f.close() s = "exec >/dev/null 2>&1\n" if not os.path.exists(rootd_name + ".key"): s += rootd_fmt_2 % d s += rootd_fmt_3 % d subprocess.check_call(s, shell = True) def setup_rcynic(): """Write the config file for rcynic.""" rpki.log.info("Config file for rcynic") d = { "rcynic_name" : rcynic_name, "rootd_name" : rootd_name } f = open(rcynic_name + ".conf", "w") f.write(rcynic_fmt_1 % d) f.close() def setup_rsyncd(): """Write the config file for rsyncd.""" rpki.log.info("Config file for rsyncd") d = { "rsyncd_name" : rsyncd_name, "rsyncd_port" : rsyncd_port, "rsyncd_module" : rsyncd_module, "rsyncd_dir" : rsyncd_dir } f = open(rsyncd_name + ".conf", "w") f.write(rsyncd_fmt_1 % d) f.close() def setup_publication(): """Set up (pseudo) publication directory.""" rpki.log.info("Creating (pseudo) publication directory") assert rootd_sia.startswith("rsync://") global rsyncd_dir rsyncd_dir = os.getcwd() + "/publication/" + rootd_sia[len("rsync://"):] os.makedirs(rsyncd_dir) def run_rcynic(): """Run rcynic to see whether what was published makes sense.""" rpki.log.info("Running rcynic") env = os.environ.copy() env["TZ"] = "" subprocess.check_call((prog_rcynic, "-c", rcynic_name + ".conf"), env = env) subprocess.call(rcynic_stats, shell = True, env = env) def mangle_sql(filename): """Mangle an SQL file into a sequence of SQL statements.""" # # There is no pretty way to do this. Just shut your eyes, it'll be over soon. # f = open(filename) statements = " ".join(" ".join(word for word in line.expandtabs().split(" ") if word) for line in [line.strip(" \t\n") for line in f.readlines()] if line and not line.startswith("--")).rstrip(";").split(";") f.close() return [stmt.strip() for stmt in statements] biz_cert_fmt_1 = '''\ [ req ] distinguished_name = req_dn x509_extensions = req_x509_ext prompt = no default_md = sha256 [ req_dn ] CN = Test Certificate %(name)s %(kind)s [ req_x509_ext ] basicConstraints = CA:%(ca)s subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always ''' biz_cert_fmt_2 = '''\ %(openssl)s genrsa -out %(name)s-%(kind)s.key 2048 && ''' biz_cert_fmt_3 = '''\ %(openssl)s req -new -key %(name)s-%(kind)s.key -out %(name)s-%(kind)s.req -config %(name)s-%(kind)s.cnf && ''' biz_cert_fmt_4 = '''\ %(openssl)s x509 -req -in %(name)s-TA.req -out %(name)s-TA.cer -extfile %(name)s-TA.cnf -extensions req_x509_ext -signkey %(name)s-TA.key -days 60 && %(openssl)s x509 -req -in %(name)s-CA.req -out %(name)s-CA.cer -extfile %(name)s-CA.cnf -extensions req_x509_ext -CA %(name)s-TA.cer -CAkey %(name)s-TA.key -CAcreateserial && %(openssl)s x509 -req -in %(name)s-EE.req -out %(name)s-EE.cer -extfile %(name)s-EE.cnf -extensions req_x509_ext -CA %(name)s-CA.cer -CAkey %(name)s-CA.key -CAcreateserial ''' yaml_fmt_1 = '''--- version: 1 posturl: https://localhost:%(https_port)s/up-down/%(child_id)s recipient-id: "%(parent_name)s" sender-id: "%(my_name)s" cms-cert-file: %(my_name)s-RPKI-EE.cer cms-key-file: %(my_name)s-RPKI-EE.key cms-ca-cert-file: %(parent_name)s-RPKI-TA.cer cms-cert-chain-file: [ %(my_name)s-RPKI-CA.cer ] ssl-cert-file: %(my_name)s-RPKI-EE.cer ssl-key-file: %(my_name)s-RPKI-EE.key ssl-ca-cert-file: %(parent_name)s-RPKI-TA.cer requests: list: type: list issue: type: issue # # This is cheating, we know a priori that the class will be "1" # class: 1 sia: - %(sia)s ''' conf_fmt_1 = '''\ [irdbd] startup-message = This is %(my_name)s irdbd sql-database = %(irdb_db_name)s sql-username = irdb sql-password = %(irdb_db_pass)s cms-key = %(my_name)s-IRDB-EE.key cms-cert.0 = %(my_name)s-IRDB-EE.cer cms-cert.1 = %(my_name)s-IRDB-CA.cer cms-ta = %(my_name)s-RPKI-TA.cer https-key = %(my_name)s-IRDB-EE.key https-cert.0 = %(my_name)s-IRDB-EE.cer https-cert.1 = %(my_name)s-IRDB-CA.cer https-ta = %(my_name)s-RPKI-TA.cer https-url = https://localhost:%(irdb_port)d/ [irbe-cli] cms-key = %(testbed_name)s-EE.key cms-cert.0 = %(testbed_name)s-EE.cer cms-cert.1 = %(testbed_name)s-CA.cer cms-ta = %(my_name)s-RPKI-TA.cer https-key = %(testbed_name)s-EE.key https-cert.0 = %(testbed_name)s-EE.cer https-cert.1 = %(testbed_name)s-CA.cer https-ta = %(my_name)s-RPKI-TA.cer https-url = https://localhost:%(rpki_port)d/left-right [rpkid] startup-message = This is %(my_name)s rpkid sql-database = %(rpki_db_name)s sql-username = rpki sql-password = %(rpki_db_pass)s cms-key = %(my_name)s-RPKI-EE.key cms-cert.0 = %(my_name)s-RPKI-EE.cer cms-cert.1 = %(my_name)s-RPKI-CA.cer cms-ta-irdb = %(my_name)s-IRDB-TA.cer cms-ta-irbe = %(testbed_name)s-TA.cer https-key = %(my_name)s-RPKI-EE.key https-cert.0 = %(my_name)s-RPKI-EE.cer https-cert.1 = %(my_name)s-RPKI-CA.cer https-ta-irdb = %(my_name)s-IRDB-TA.cer https-ta-irbe = %(testbed_name)s-TA.cer irdb-url = https://localhost:%(irdb_port)d/ server-host = localhost server-port = %(rpki_port)d ''' rootd_fmt_1 = '''\ [rootd] cms-key = %(rootd_name)s-EE.key cms-cert.0 = %(rootd_name)s-EE.cer cms-cert.1 = %(rootd_name)s-CA.cer cms-ta = %(rpkid_name)s-RPKI-TA.cer https-key = %(rootd_name)s-EE.key https-cert.0 = %(rootd_name)s-EE.cer https-cert.1 = %(rootd_name)s-CA.cer https-ta = %(rpkid_name)s-RPKI-TA.cer server-port = %(rootd_port)s rootd_base = %(rootd_sia)s rootd_cert = %(rootd_sia)sWOMBAT.cer rpki-subject-filename = %(rsyncd_dir)sWOMBAT.cer rpki-key = %(rootd_name)s.key rpki-issuer = %(rootd_name)s.cer rpki-pkcs10-filename = %(rootd_name)s.subject.pkcs10 [req] default_bits = 2048 encrypt_key = no distinguished_name = req_dn req_extensions = req_x509_ext prompt = no [req_dn] CN = Completely Bogus Test Root (NOT FOR PRODUCTION USE) [req_x509_ext] basicConstraints = critical,CA:true subjectKeyIdentifier = hash keyUsage = critical,keyCertSign,cRLSign subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:%(rootd_sia)s sbgp-autonomousSysNum = critical,AS:0-4294967295 sbgp-ipAddrBlock = critical,IPv4:0.0.0.0/0,IPv6:0::/0 ''' rootd_fmt_2 = '''\ %(openssl)s genrsa -out %(rootd_name)s.key 2048 && ''' rootd_fmt_3 = '''\ %(openssl)s req -new -key %(rootd_name)s.key -out %(rootd_name)s.req -config %(rootd_name)s.conf -text && %(openssl)s x509 -req -in %(rootd_name)s.req -out %(rootd_name)s.cer -outform DER -extfile %(rootd_name)s.conf -extensions req_x509_ext -signkey %(rootd_name)s.key -sha256 ''' rcynic_fmt_1 = '''\ [rcynic] xml-summary = %(rcynic_name)s.xml jitter = 0 use-links = yes use-syslog = yes use-stderr = yes log-level = log_telemetry trust-anchor = %(rootd_name)s.cer ''' rsyncd_fmt_1 = '''\ port = %(rsyncd_port)d address = localhost [%(rsyncd_module)s] read only = yes transfer logging = yes use chroot = no path = %(rsyncd_dir)s comment = RPKI test ''' main()