├── .github ├── FUNDING.yml └── workflows │ └── ci.yml ├── .gitignore ├── Cargo.toml ├── Changelog.md ├── LICENSE ├── README.md ├── doc └── relaxed-validation.md ├── src ├── bin │ ├── readcer.rs │ ├── readmft.rs │ └── readroa.rs ├── ca │ ├── csr.rs │ ├── idcert.rs │ ├── idexchange.rs │ ├── mod.rs │ ├── provisioning.rs │ ├── publication.rs │ └── sigmsg.rs ├── crypto │ ├── digest.rs │ ├── keys.rs │ ├── mod.rs │ ├── signature.rs │ ├── signer.rs │ └── softsigner.rs ├── dep.rs ├── lib.rs ├── oid.rs ├── repository │ ├── aspa.rs │ ├── cert.rs │ ├── crl.rs │ ├── error.rs │ ├── manifest.rs │ ├── mod.rs │ ├── resources │ │ ├── asres.rs │ │ ├── chain.rs │ │ ├── choice.rs │ │ ├── ipres.rs │ │ ├── mod.rs │ │ └── set.rs │ ├── roa.rs │ ├── rta.rs │ ├── sigobj.rs │ ├── tal.rs │ └── x509.rs ├── resources │ ├── addr.rs │ ├── asn.rs │ └── mod.rs ├── rrdp.rs ├── rtr │ ├── client.rs │ ├── mod.rs │ ├── payload.rs │ ├── pdu.rs │ ├── server.rs │ └── state.rs ├── slurm.rs ├── uri.rs ├── util │ ├── base64.rs │ ├── hex.rs │ └── mod.rs └── xml │ ├── decode.rs │ ├── encode.rs │ └── mod.rs ├── test-data ├── ca │ ├── drl-csr.der │ ├── id_afrinic.cer │ ├── id_ta.cer │ ├── rfc6492 │ │ ├── afrinic-response.der │ │ ├── apnic-response.der │ │ ├── apnic-testbed-response.der │ │ ├── issue-response.der │ │ ├── issue.der │ │ ├── list-response.ber │ │ ├── list.der │ │ ├── not-performed-response.xml │ │ ├── revoke-req.xml │ │ └── revoke-response.xml │ ├── rfc8181 │ │ ├── error-reply.xml │ │ ├── list-reply-empty-short.xml │ │ ├── list-reply-empty.xml │ │ ├── list-reply-single.xml │ │ ├── list-reply.xml │ │ ├── list.xml │ │ ├── publish-empty-short.xml │ │ ├── publish-empty.xml │ │ ├── publish-multi.xml │ │ ├── publish-single.xml │ │ └── success-reply.xml │ ├── rfc8183 │ │ ├── afrinic-parent-response.xml │ │ ├── apnic-parent-response.xml │ │ ├── apnic-repository-response.xml │ │ ├── krill-0-9-parent-response.xml │ │ ├── krill-0-9-repository-response.xml │ │ ├── rpkid-child-id.xml │ │ ├── rpkid-parent-response-offer.xml │ │ ├── rpkid-parent-response-referral.xml │ │ └── rpkid-publisher-request.xml │ ├── router-csr.der │ └── sigmsg │ │ ├── cms_ta.cer │ │ └── pdu_200.der ├── compat │ └── res_incorrect.cer ├── crypto │ ├── rsa-key.private.der │ └── rsa-key.public.der ├── repository │ ├── aspa-bm.asa │ ├── aspa-content-draft-13.der │ ├── aspa-content.der │ ├── ca1.cer │ ├── ca1.crl │ ├── ca1.mft │ ├── example-ripe.roa │ ├── maxlen-overflow.roa │ ├── maxlen-underflow.roa │ ├── prefix-len-overflow.roa │ ├── ripe.tal │ ├── router.cer │ ├── serde-compat │ │ ├── cert.json │ │ ├── crl.json │ │ ├── manifest.json │ │ └── roa.json │ ├── signature-alg-mismatch.mft │ ├── ta.cer │ ├── ta.crl │ ├── ta.mft │ └── ta.mft.bad-filename ├── rrdp │ ├── bomb-serial.xml.gz │ ├── bomb-snapshot-uri.xml.gz │ ├── bomb-whitespace.xml.gz │ ├── lolz-notification.xml │ ├── ripe-delta.xml │ ├── ripe-notification-unsorted.xml │ ├── ripe-notification-with-gaps.xml │ ├── ripe-notification.xml │ └── ripe-snapshot.xml └── slurm │ ├── full.json │ └── full_v2.json └── tests └── rrdp-resilience.rs /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | github: [NLnetLabs] 2 | custom: ['https://nlnetlabs.nl/funding/'] 3 | -------------------------------------------------------------------------------- /.github/workflows/ci.yml: -------------------------------------------------------------------------------- 1 | name: ci 2 | on: [push, pull_request] 3 | jobs: 4 | test: 5 | name: test 6 | runs-on: ${{ matrix.os }} 7 | strategy: 8 | matrix: 9 | os: [ubuntu-latest, windows-latest, macOS-latest] 10 | rust: [1.81.0, stable, beta, nightly] 11 | steps: 12 | - name: Checkout repository 13 | uses: actions/checkout@v1 14 | - name: Install Rust 15 | uses: hecrj/setup-rust-action@v1 16 | with: 17 | rust-version: ${{ matrix.rust }} 18 | 19 | # Because of all the features, we run build and test twice -- once with 20 | # full features and once without any features at all -- to make it more 21 | # likely that everything works. 22 | # 23 | # On Windows, we don’t ever want to have to deal with OpenSSL, so we have 24 | # a special feature __windows_ci_all that replaces --all-features. 25 | 26 | # Clippy. 27 | # 28 | # Only do this once with all features enabled. 29 | # Only do Clippy on stable for the moment, due to 30 | # clippy::unknown_clippy_lints being removed. 31 | - if: matrix.rust == 'stable' 32 | run: rustup component add clippy 33 | - if: matrix.os != 'windows-latest' && matrix.rust == 'stable' 34 | run: cargo clippy --all --all-features -- -D warnings 35 | - if: matrix.os == 'windows-latest' && matrix.rust == 'stable' 36 | run: cargo clippy --all --features __windows_ci_all -- -D warnings 37 | 38 | # Build 39 | - if: matrix.os != 'windows-latest' 40 | run: cargo build --verbose --all --all-features 41 | - if: matrix.os == 'windows-latest' 42 | run: cargo build --verbose --all --features __windows_ci_all 43 | - run: cargo build --verbose --all 44 | 45 | # Test 46 | - if: matrix.os != 'windows-latest' 47 | run: cargo test --verbose --all --all-features 48 | - if: matrix.os == 'windows-latest' 49 | run: cargo test --verbose --all --features __windows_ci_all 50 | - run: cargo test --verbose --all 51 | 52 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | /target 2 | **/*.rs.bk 3 | /Cargo.lock 4 | .cargo 5 | -------------------------------------------------------------------------------- /Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "rpki" 3 | version = "0.18.6" 4 | edition = "2021" 5 | rust-version = "1.81" 6 | authors = ["NLnet Labs "] 7 | description = "A library for validating and creating RPKI data." 8 | documentation = "https://docs.rs/rpki/" 9 | homepage = "https://github.com/nlnetlabs/rpki-rs/" 10 | repository = "https://github.com/NLnetLabs/rpki-rs" 11 | keywords = ["rpki", "routing-security"] 12 | categories = ["network-programming"] 13 | license = "BSD-3-Clause" 14 | 15 | [package.metadata.docs.rs] 16 | all-features = true 17 | rustdoc-args = ["--cfg", "docsrs"] 18 | 19 | [dependencies] 20 | arbitrary = { version = "1", optional = true, features = ["derive"] } 21 | base64 = "0.22" 22 | bcder = { version = "0.7.3", optional = true } 23 | bytes = "1.0" 24 | chrono = { version = "0.4.35", features = [ "serde" ] } 25 | futures-util = { version = "0.3", optional = true } 26 | log = "0.4.7" 27 | openssl = { version = "0.10.23", optional = true } 28 | quick-xml = { version = "0.31.0", optional = true } 29 | ring = { version = "0.17.6", optional = true } 30 | serde = { version = "1.0.103", optional = true, features = [ "derive" ] } 31 | serde_json = { version = "1.0.40", optional = true } 32 | tokio = { version = "1.0", optional = true, features = ["io-util", "net", "rt", "sync", "time"] } 33 | uuid = "1.1" 34 | untrusted = { version = "0.9", optional = true } 35 | 36 | [dev-dependencies] 37 | serde_json = "1.0.40" 38 | serde_test = "1.0" 39 | tokio = { version="1.0", features=["net", "macros", "rt-multi-thread"]} 40 | hyper = { version = "1.3.1", features = ["server", "http1"] } 41 | hyper-util = { version = "0.1", features = ["server", "tokio"] } 42 | http-body-util = "0.1" 43 | futures-util = "0.3.31" 44 | reqwest = { version = "0.12.9", features = ["gzip", "stream", "blocking"] } 45 | 46 | 47 | [features] 48 | default = [] 49 | 50 | # Main components of the crate. 51 | ca = [ "repository", "serde-support", "rrdp" ] 52 | crypto = [ "bcder", "ring", "untrusted" ] 53 | repository = [ "bcder", "crypto" ] 54 | rrdp = [ "xml", "ring" ] 55 | rtr = [ "futures-util", "tokio" ] 56 | slurm = [ "rtr", "serde-support", "serde_json" ] 57 | 58 | # Feature that provides compatibility with (technically incorrect) objects 59 | # produced by earlier versions of this library, which are rejected now. 60 | compat = [ ] 61 | 62 | # Dependent components of the crate. 63 | xml = [ "quick-xml" ] 64 | 65 | # Extra features provided. 66 | arbitrary = ["dep:arbitrary", "chrono/arbitrary"] 67 | serde-support = ["serde"] 68 | softkeys = [ "openssl" ] 69 | 70 | # Dummy features for Windows CI runs where we don’t want to have to deal 71 | # with OpenSSL 72 | __windows_ci_all = [ "ca", "rrdp", "rtr", "serde-support" ] 73 | 74 | [[bin]] 75 | name = "readcer" 76 | required-features = [ "repository" ] 77 | 78 | [[bin]] 79 | name = "readmft" 80 | required-features = [ "repository" ] 81 | 82 | [[bin]] 83 | name = "readroa" 84 | required-features = [ "repository" ] 85 | 86 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2018, NLnet Labs. All rights reserved. 2 | 3 | This software is open source. 4 | 5 | Redistribution and use in source and binary forms, with or without 6 | modification, are permitted provided that the following conditions 7 | are met: 8 | 9 | Redistributions of source code must retain the above copyright notice, 10 | this list of conditions and the following disclaimer. 11 | 12 | Redistributions in binary form must reproduce the above copyright notice, 13 | this list of conditions and the following disclaimer in the documentation 14 | and/or other materials provided with the distribution. 15 | 16 | Neither the name of the NLNET LABS nor the names of its contributors may 17 | be used to endorse or promote products derived from this software without 18 | specific prior written permission. 19 | 20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 21 | "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 22 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 23 | A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 24 | HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 25 | SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 26 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 27 | PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 28 | LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 29 | NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 30 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # rpki – A Library for Validating and Creating RPKI Data 2 | 3 | This crate aims to provide the foundation for implementing Resource 4 | Public Key Infrastructure – RPKI –, which is an important building block 5 | in Internet routing security. The crate provides the ability to parse, 6 | validate, and create the the objects published in the RPKI: certificates, 7 | CRLs, manifests, and ROAs. It also provides functionality share between 8 | certification authority and publication software such as the protocol the 9 | two use for communication. 10 | 11 | The crate is work in progress and will grow over time to be more and more 12 | complete. 13 | 14 | 15 | ## Contributing 16 | 17 | If you have comments, proposed changes, or would like to contribute, 18 | please open an issue in the [Github repository]. In particular, if you 19 | would like to use the crate but it is missing functionality for your use 20 | case, we would love to hear from you! 21 | 22 | [Github repository]: (https://github.com/NLnetLabs/rpki-rs) 23 | 24 | ## License 25 | 26 | The _rpki_ crate is distributed under the terms of the BSD-3-clause license. 27 | See LICENSE for details. 28 | 29 | -------------------------------------------------------------------------------- /doc/relaxed-validation.md: -------------------------------------------------------------------------------- 1 | # Relaxed RPKI Validation 2 | 3 | The documents defining RPKI include a number of very strict rules 4 | regarding the formatting of the objects published in the RPKI repository. 5 | However, because PRKI reuses existing technology, real-world applications 6 | produce objects that do not follow these strict requirements. 7 | 8 | As a consequence, a significant portion of the RPKI repository is actually 9 | invalid if the rules are followed. We therefore introduce two validation 10 | modes: strict and relaxed. Strict mode rejects any object that does not 11 | pass all checks laid out by the relevant RFCs. Relaxed mode ignores a 12 | number of these checks. 13 | 14 | This memo documents the violations we encountered and are dealing with in 15 | relaxed validation mode. 16 | 17 | 18 | ## Resource Certificates ([RFC 6487](https://datatracker.ietf.org/doc/html/rfc6487)) 19 | 20 | Resource certificates are defined as a profile on the more general 21 | Internet PKI certificates defined in [RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280). 22 | 23 | 24 | ### Subject and Issuer 25 | 26 | The RFC restricts the type used for CommonName attributes to 27 | PrintableString, allowing only a subset of ASCII characters, while RFC 28 | 5280 allows a number of additional string types. At least one CA produces 29 | resource certificates with Utf8Strings. 30 | 31 | In relaxed mode, we will only check that the general structure of the 32 | issuer and subject fields are correct and allow any number and types of 33 | attributes. This seems justified since RPKI explicitly does not use these 34 | fields. 35 | 36 | 37 | ### Subject Information Access 38 | 39 | RFC 6487 forbids any access methods other than id-ad-signedObject for EE 40 | certificates. However, there is CAs that also the id-ad-rpkiNotify method 41 | for RRDP to these certificates which are declared for certificate 42 | authority use by [RFC 8182](https://datatracker.ietf.org/doc/html/rfc8182). 43 | 44 | In relaxed mode, we tolerate id-ad-rpkiNotify access methods in EE 45 | certificates. 46 | 47 | 48 | ## Signed Objects (RFC 6488) 49 | 50 | Signed objects are defined as a profile on CMS messages defined in [RFC 51 | 5652](https://datatracker.ietf.org/doc/html/rfc5652). 52 | 53 | 54 | ### DER Encoding 55 | 56 | [RFC 6488](https://datatracker.ietf.org/doc/html/rfc6488) 57 | demands all signed objects to be DER encoded while the more 58 | general CMS format allows any BER encoding – DER is a stricter subset of 59 | the more general BER. [See Wikipedia for BER vs DER](https://en.wikipedia.org/wiki/X.690). 60 | 61 | At least one CA does indeed produce BER encoded 62 | signed objects. 63 | 64 | In relaxed mode, we will allow BER encoding. 65 | 66 | Note that this isn’t just nit-picking. In BER encoding, octet strings can 67 | be broken up into a sequence of sub-strings. Since those strings are in 68 | some places used to carry encoded content themselves, such an encoding 69 | does make parsing significantly more difficult. At least one CA does 70 | produce such broken-up strings. 71 | 72 | -------------------------------------------------------------------------------- /src/bin/readcer.rs: -------------------------------------------------------------------------------- 1 | extern crate rpki; 2 | 3 | use std::{env, fs}; 4 | use rpki::repository::cert::Cert; 5 | 6 | 7 | fn main() { 8 | let path = match env::args().nth(1) { 9 | Some(path) => path, 10 | None => { 11 | println!("Usage: readcert "); 12 | return 13 | } 14 | }; 15 | let data = match fs::read(path) { 16 | Ok(file) => file, 17 | Err(err) => { 18 | println!("Can’t read file: {}", err); 19 | return; 20 | } 21 | }; 22 | let _cert = match Cert::decode(data.as_ref()) { 23 | Ok(cert) => cert, 24 | Err(err) => { 25 | println!("Can’t decode cert: {}", err); 26 | return 27 | } 28 | }; 29 | } 30 | 31 | -------------------------------------------------------------------------------- /src/bin/readmft.rs: -------------------------------------------------------------------------------- 1 | extern crate rpki; 2 | 3 | use std::{env, fs}; 4 | use rpki::repository::manifest::Manifest; 5 | 6 | 7 | fn main() { 8 | let path = match env::args().nth(1) { 9 | Some(path) => path, 10 | None => { 11 | println!("Usage: readmft "); 12 | return 13 | } 14 | }; 15 | let data = match fs::read(path) { 16 | Ok(file) => file, 17 | Err(err) => { 18 | println!("Can’t read file: {}", err); 19 | return; 20 | } 21 | }; 22 | let _cert = match Manifest::decode(data.as_ref(), false) { 23 | Ok(cert) => cert, 24 | Err(err) => { 25 | println!("Can’t decode manifest: {}", err); 26 | return 27 | } 28 | }; 29 | } 30 | 31 | 32 | -------------------------------------------------------------------------------- /src/bin/readroa.rs: -------------------------------------------------------------------------------- 1 | extern crate rpki; 2 | 3 | use std::{env, fs}; 4 | use rpki::repository::roa::Roa; 5 | 6 | 7 | fn main() { 8 | let path = match env::args().nth(1) { 9 | Some(path) => path, 10 | None => { 11 | println!("Usage: readroa "); 12 | return 13 | } 14 | }; 15 | let data = match fs::read(path) { 16 | Ok(data) => data, 17 | Err(err) => { 18 | println!("Can’t read file: {}", err); 19 | return; 20 | } 21 | }; 22 | 23 | let _cert = match Roa::decode(data.as_ref(), true) { 24 | Ok(cert) => cert, 25 | Err(err) => { 26 | println!("Can’t decode roa: {}", err); 27 | return 28 | } 29 | }; 30 | } 31 | 32 | 33 | -------------------------------------------------------------------------------- /src/ca/mod.rs: -------------------------------------------------------------------------------- 1 | //! CA Support. 2 | //! 3 | //! This module contains support for the communication protocol used between 4 | //! CAs, their parents and the publication server. 5 | //! 6 | //! Relevant RFCs: 7 | //! RFC 8183 out-of-band ID exchanges 8 | //! RFC 8181 publication protocol 9 | //! RFC 6492 provisioning protocol (up/down) [todo] 10 | 11 | #![cfg(feature = "ca")] 12 | 13 | 14 | pub mod csr; 15 | pub mod idcert; 16 | pub mod idexchange; 17 | pub mod provisioning; 18 | pub mod publication; 19 | pub mod sigmsg; 20 | -------------------------------------------------------------------------------- /src/crypto/digest.rs: -------------------------------------------------------------------------------- 1 | //! Digest algorithm and operations. 2 | 3 | use std::io; 4 | use std::io::Read; 5 | use std::fs::File; 6 | use std::path::Path; 7 | use ring::digest; 8 | use bcder::{decode, encode}; 9 | use bcder::decode::DecodeError; 10 | use bcder::encode::PrimitiveContent; 11 | use bcder::Tag; 12 | use crate::oid; 13 | 14 | // Re-export the things from ring for actual digest generation. 15 | pub use ring::digest::Digest; 16 | 17 | 18 | //------------ DigestAlgorithm ----------------------------------------------- 19 | 20 | /// The digest algorithms used by RPKI. 21 | /// 22 | /// These are the algorithms used by the signature algorithms. For use in 23 | /// RPKI, [RFC 7935] limits them to exactly one, SHA-256. Because of 24 | /// that, this type is currently a zero-sized struct. If additional 25 | /// algorithms are ever introduced in the future, it will change into an enum. 26 | /// 27 | /// [RFC 7935]: https://tools.ietf.org/html/rfc7935 28 | #[derive(Clone, Copy, Debug, Default, Eq, Hash, PartialEq)] 29 | pub struct DigestAlgorithm(()); 30 | 31 | impl DigestAlgorithm { 32 | /// Creates a value representing the SHA-256 algorithm. 33 | pub fn sha256() -> Self { 34 | DigestAlgorithm(()) 35 | } 36 | 37 | /// Returns whether the algorithm is in fact SHA-256. 38 | pub fn is_sha256(self) -> bool { 39 | true 40 | } 41 | 42 | /// Returns the digest size in octets for this algorithm. 43 | pub fn digest_len(&self) -> usize { 44 | 32 45 | } 46 | } 47 | 48 | /// # Creating Digest Values 49 | /// 50 | impl DigestAlgorithm { 51 | /// Returns the digest of `data` using this algorithm. 52 | pub fn digest(self, data: &[u8]) -> Digest { 53 | digest::digest(&digest::SHA256, data) 54 | } 55 | 56 | /// Calculates the digest for the content of a file. 57 | pub fn digest_file( 58 | self, path: impl AsRef 59 | ) -> Result { 60 | let mut file = File::open(path)?; 61 | let mut buf = [0u8; 8 * 1024]; 62 | let mut ctx = self.start(); 63 | loop { 64 | let read = file.read(&mut buf)?; 65 | if read == 0 { 66 | break; 67 | } 68 | ctx.update(&buf[..read]); 69 | } 70 | Ok(ctx.finish()) 71 | } 72 | 73 | /// Returns a digest context for multi-step calculation of the digest. 74 | pub fn start(self) -> Context { 75 | Context(digest::Context::new(&digest::SHA256)) 76 | } 77 | } 78 | 79 | 80 | /// # ASN.1 Values 81 | /// 82 | /// Digest algorithms appear in CMS either alone or in sets with the following 83 | /// syntax: 84 | /// 85 | /// ```txt 86 | /// DigestAlgorithmIdentifiers ::= SET OF DigestAlgorithmIdentifier 87 | /// DigestAlgorithmIdentifier ::= AlgorithmIdentifier 88 | /// AlgorithmIdentifier ::= SEQUENCE { 89 | /// algorithm OBJECT IDENTIFIER, 90 | /// parameters ANY DEFINED BY algorithm OPTIONAL } 91 | /// ``` 92 | /// 93 | /// In RPKI signed objects, a set is limited to exactly one identifer. The 94 | /// allowed algorithms are limited, too. In particular, [RFC 7935] only 95 | /// allows SHA-256. Its algorithm identifier is defined in [RFC 5754]. The 96 | /// object identifier to be used is `id-sha256`. When encoding, the 97 | /// _parameters_ field must be absent, whereas when decoding, it may either 98 | /// be absent or `NULL`. 99 | /// 100 | /// Note that this differs from [`SignatureAlgorithm`] identifiers where 101 | /// the `NULL` must be present when encoding. 102 | /// 103 | /// The functions and methods in this section allow decoding and encoding 104 | /// such values. 105 | /// 106 | /// [`SignatureAlgorithm`]: super::SignatureAlgorithm 107 | /// [RFC 5754]: https://tools.ietf.org/html/rfc5754 108 | /// [RFC 7935]: https://tools.ietf.org/html/rfc7935 109 | impl DigestAlgorithm { 110 | /// Takes and returns a single digest algorithm identifier. 111 | /// 112 | /// Returns a malformed error if the algorithm isn’t one of the allowed 113 | /// algorithms or if the value isn’t correctly encoded. 114 | pub fn take_from( 115 | cons: &mut decode::Constructed 116 | ) -> Result> { 117 | cons.take_sequence(Self::from_constructed) 118 | } 119 | 120 | /// Takes and returns an optional digest algorithm identifier. 121 | /// 122 | /// Returns `Ok(None)` if the next value isn’t a sequence. 123 | /// Returns a malformed error if the sequence isn’t a correctly encoded 124 | /// algorithm identifier or if algorithm isn’t one of the allowed 125 | /// algorithms. 126 | pub fn take_opt_from( 127 | cons: &mut decode::Constructed 128 | ) -> Result, DecodeError> { 129 | cons.take_opt_sequence(Self::from_constructed) 130 | } 131 | 132 | /// Takes and returns a set of digest algorithm identifiers. 133 | /// 134 | /// The set must contain exactly one identifier as required everywhere for 135 | /// RPKI. If it contains more than one or identifiers that are not 136 | /// allowed, a malformed error is returned. 137 | pub fn take_set_from( 138 | cons: &mut decode::Constructed 139 | ) -> Result> { 140 | cons.take_set(Self::take_from) 141 | } 142 | 143 | /// Parses the algorithm identifier from the contents of its sequence. 144 | fn from_constructed( 145 | cons: &mut decode::Constructed 146 | ) -> Result> { 147 | oid::SHA256.skip_if(cons)?; 148 | cons.take_opt_null()?; 149 | Ok(DigestAlgorithm::default()) 150 | } 151 | 152 | /// Parses a SET OF DigestAlgorithmIdentifiers. 153 | /// 154 | /// This is used in the digestAlgorithms field of the SignedData 155 | /// container. It provides all the digest algorithms used later on, so 156 | /// that the data can be read over. We don’t really need this, so this 157 | /// function returns `()` on success. 158 | /// 159 | /// Section 2.1.2. of RFC 6488 requires there to be exactly one element 160 | /// chosen from the allowed values. 161 | pub fn skip_set( 162 | cons: &mut decode::Constructed 163 | ) -> Result<(), DecodeError> { 164 | cons.take_constructed_if(Tag::SET, |cons| { 165 | while Self::take_opt_from(cons)?.is_some() { } 166 | Ok(()) 167 | }) 168 | } 169 | 170 | /// Takes a single algorithm object identifier from a constructed value. 171 | pub fn take_oid_from( 172 | cons: &mut decode::Constructed, 173 | ) -> Result> { 174 | oid::SHA256.skip_if(cons)?; 175 | Ok(Self::default()) 176 | } 177 | 178 | /// Provides an encoder for a single algorithm identifier. 179 | pub fn encode(self) -> impl encode::Values { 180 | encode::sequence(oid::SHA256.encode()) 181 | } 182 | 183 | /// Provides an encoder for a identifier as the sole value of a set. 184 | pub fn encode_set(self) -> impl encode::Values { 185 | encode::set( 186 | self.encode() 187 | ) 188 | } 189 | 190 | /// Provides an encoder for just the object identifier of the algorithm. 191 | pub fn encode_oid(self) -> impl encode::Values { 192 | oid::SHA256.encode() 193 | } 194 | } 195 | 196 | 197 | //------------ Sha1 ---------------------------------------------------------- 198 | 199 | pub fn sha1_digest(data: &[u8]) -> Digest { 200 | digest::digest(&digest::SHA1_FOR_LEGACY_USE_ONLY, data) 201 | } 202 | 203 | pub fn start_sha1() -> Context { 204 | Context(digest::Context::new(&digest::SHA1_FOR_LEGACY_USE_ONLY)) 205 | } 206 | 207 | 208 | //------------ Context ------------------------------------------------------- 209 | 210 | #[derive(Clone)] 211 | pub struct Context(digest::Context); 212 | 213 | impl Context { 214 | pub fn update(&mut self, data: &[u8]) { 215 | self.0.update(data) 216 | } 217 | 218 | pub fn finish(self) -> Digest { 219 | self.0.finish() 220 | } 221 | } 222 | 223 | impl io::Write for Context { 224 | fn write(&mut self, buf: &[u8]) -> Result { 225 | self.update(buf); 226 | Ok(buf.len()) 227 | } 228 | 229 | fn flush(&mut self) -> Result<(), io::Error> { 230 | Ok(()) 231 | } 232 | } 233 | 234 | -------------------------------------------------------------------------------- /src/crypto/mod.rs: -------------------------------------------------------------------------------- 1 | //! Signing related implementations. 2 | //! 3 | 4 | #![cfg(feature = "crypto")] 5 | 6 | 7 | pub use self::digest::{Digest, DigestAlgorithm}; 8 | pub use self::keys::{ 9 | KeyIdentifier, PublicKey, PublicKeyFormat, SignatureVerificationError, 10 | }; 11 | pub use self::signer::{Signer, SigningError}; 12 | pub use self::signature::{ 13 | BgpsecSignatureAlgorithm, Signature, SignatureAlgorithm, RpkiSignature, 14 | RpkiSignatureAlgorithm, 15 | }; 16 | 17 | pub mod digest; 18 | pub mod keys; 19 | pub mod signer; 20 | pub mod signature; 21 | #[cfg(feature = "softkeys")] pub mod softsigner; 22 | 23 | -------------------------------------------------------------------------------- /src/crypto/signature.rs: -------------------------------------------------------------------------------- 1 | //! Signature algorithms and operations. 2 | 3 | use bcder::{decode, encode}; 4 | use bcder::{ConstOid, Oid, Tag}; 5 | use bcder::decode::DecodeError; 6 | use bcder::encode::PrimitiveContent; 7 | use bytes::Bytes; 8 | use crate::oid; 9 | use super::keys::PublicKeyFormat; 10 | use super::signer::SigningAlgorithm; 11 | 12 | 13 | //------------ SignatureAlgorithm -------------------------------------------- 14 | 15 | /// The allowed signature algorithms for a certain purpose. 16 | pub trait SignatureAlgorithm: Sized { 17 | type Encoder: encode::Values; 18 | 19 | /// Returns the signing algorithm for this algorithm. 20 | fn signing_algorithm(&self) -> SigningAlgorithm; 21 | 22 | /// Returns the public key format for the algorithm. 23 | fn public_key_format(&self) -> PublicKeyFormat { 24 | self.signing_algorithm().public_key_format() 25 | } 26 | 27 | /// Takes the algorithm identifier from a DER value in X.509 signed data. 28 | fn x509_take_from( 29 | cons: &mut decode::Constructed 30 | ) -> Result>; 31 | 32 | /// Returns a DER encoder. 33 | fn x509_encode(&self) -> Self::Encoder; 34 | } 35 | 36 | 37 | //------------ RpkiSignatureAlgorithm ---------------------------------------- 38 | 39 | /// A signature algorithms used by RPKI. 40 | /// 41 | /// These are the algorithms used for creating and verifying signatures. For 42 | /// RPKI, [RFC 7935] allows only one algorithm, RSA PKCS #1 v1.5 with 43 | /// SHA-256. However, there are two possible representations of the 44 | /// non-existant algorithm parameters. In certain circumstances, it is 45 | /// imporant that these two representations do not compare as equal. 46 | /// Therefore, this type keeps track of the representation used. 47 | /// 48 | /// Should additional algorithms be introduced into RPKI, this type will be 49 | /// adjusted accordingly. 50 | /// 51 | /// You can construct the signature algorithm currently preferred for RPKI 52 | /// via the `Default` implementation. 53 | /// 54 | /// [RFC 7935]: https://tools.ietf.org/html/rfc7935 55 | #[derive(Clone, Copy, Debug, Eq, Hash, PartialEq)] 56 | pub struct RpkiSignatureAlgorithm { 57 | /// Is the parameter field present? 58 | /// 59 | /// If `true`, then a parameter field is present and NULL. Otherwise it 60 | /// is missing. 61 | /// 62 | /// Constructed values will always have this set to `true`. 63 | has_parameter: bool 64 | } 65 | 66 | /// # ASN.1 Values 67 | /// 68 | /// Signature algorithm identifiers appear in certificates and other objects 69 | /// from [RFC 5280] (simply as algorithm identifiers) as well as in signed 70 | /// objects. 71 | /// 72 | /// ```txt 73 | /// SignatureAlgorithmIdentifier ::= AlgorithmIdentifier 74 | /// AlgorithmIdentifier ::= SEQUENCE { 75 | /// algorithm OBJECT IDENTIFIER, 76 | /// parameters ANY DEFINED BY algorithm OPTIONAL } 77 | /// ``` 78 | /// 79 | /// Currently, [RFC 7935] allows only one algorithm, but sadly it uses 80 | /// different identifiers in different places. For X.509-related objects, 81 | /// i.e., certificates, CRLs, and certification requests, this is 82 | /// `sha256WithRSAEncryption` from [RFC 4055]. For signed objects, the 83 | /// identifier must be `rsaEncryption` from [RFC 3370] for constructed 84 | /// objects while both must be accepted when reading objects. 85 | /// 86 | /// Because of these differences, you’ll find two sets of functions and 87 | /// methods in this section. Those prefixed with `x509` deal with the 88 | /// X.509-related identifiers while `cms_` is the prefix for signed objects. 89 | /// 90 | /// The parameters field for the former identifier can be either NULL or 91 | /// missing and must be NULL for the latter. We will, however, accept an 92 | /// absent field for the latter as well. In both cases, the returned value 93 | /// will remember whether there was a parameters field. Values with and 94 | /// without parameters will not compare equal. 95 | /// 96 | /// When constructing identifiers, we will always include a parameters field 97 | /// and set it to NULL, independently of what the value says. 98 | /// 99 | /// [RFC 3370]: https://tools.ietf.org/html/rfc3370 100 | /// [RFC 4055]: https://tools.ietf.org/html/rfc4055 101 | /// [RFC 7935]: https://tools.ietf.org/html/rfc7935 102 | impl RpkiSignatureAlgorithm { 103 | /// Parses the algorithm identifier for X.509 objects. 104 | fn x509_from_constructed( 105 | cons: &mut decode::Constructed 106 | ) -> Result> { 107 | oid::SHA256_WITH_RSA_ENCRYPTION.skip_if(cons)?; 108 | let has_parameter = cons.take_opt_primitive_if( 109 | Tag::NULL, |_| Ok(()) 110 | )?.is_some(); 111 | Ok(RpkiSignatureAlgorithm { has_parameter }) 112 | } 113 | 114 | /// Takes a signature algorithm identifier for CMS objects. 115 | /// 116 | /// Returns a malformed error if the algorithm isn’t the allowed for RPKI 117 | /// or if it isn’t correctly encoded. 118 | pub fn cms_take_from( 119 | cons: &mut decode::Constructed 120 | ) -> Result> { 121 | cons.take_sequence(Self::cms_from_constructed) 122 | } 123 | 124 | /// Parses the algorithm identifier for CMS objects. 125 | fn cms_from_constructed( 126 | cons: &mut decode::Constructed 127 | ) -> Result> { 128 | let oid = Oid::take_from(cons)?; 129 | if 130 | oid != oid::RSA_ENCRYPTION 131 | && oid != oid::SHA256_WITH_RSA_ENCRYPTION 132 | { 133 | return Err(cons.content_err("invalid signature algorithm")) 134 | } 135 | let has_parameter = cons.take_opt_primitive_if( 136 | Tag::NULL, |_| Ok(()) 137 | )?.is_some(); 138 | Ok(RpkiSignatureAlgorithm { has_parameter }) 139 | } 140 | 141 | /// Provides an encoder for X.509 objects. 142 | pub fn x509_encode(self) -> impl encode::Values { 143 | encode::sequence(( 144 | oid::SHA256_WITH_RSA_ENCRYPTION.encode(), 145 | ().encode(), 146 | )) 147 | } 148 | 149 | /// Provides an encoder for CMS objects. 150 | pub fn cms_encode(self) -> impl encode::Values { 151 | encode::sequence(( 152 | oid::RSA_ENCRYPTION.encode(), 153 | ().encode(), 154 | )) 155 | } 156 | } 157 | 158 | 159 | //--- Default 160 | 161 | impl Default for RpkiSignatureAlgorithm { 162 | fn default() -> Self { 163 | RpkiSignatureAlgorithm { has_parameter: true } 164 | } 165 | } 166 | 167 | 168 | //--- SignatureAlgorithm 169 | 170 | impl SignatureAlgorithm for RpkiSignatureAlgorithm { 171 | type Encoder = encode::Constructed<( 172 | encode::Primitive, encode::Primitive<()> 173 | )>; 174 | 175 | fn signing_algorithm(&self) -> SigningAlgorithm { 176 | SigningAlgorithm::RsaSha256 177 | } 178 | 179 | fn x509_take_from( 180 | cons: &mut decode::Constructed 181 | ) -> Result> { 182 | cons.take_sequence(Self::x509_from_constructed) 183 | } 184 | 185 | fn x509_encode(&self) -> Self::Encoder { 186 | encode::Constructed::new( 187 | Tag::SEQUENCE, 188 | (oid::SHA256_WITH_RSA_ENCRYPTION.encode(), ().encode()) 189 | ) 190 | } 191 | } 192 | 193 | 194 | //------------ BgpsecSignatureAlgorithm -------------------------------------- 195 | 196 | /// A signature algorithms used by BGPsec. 197 | /// 198 | /// This is the algorithm used for creating and verifying signatures in 199 | /// certification requests for router certificates. The allowed algorithms 200 | /// are currently defined in [RFC 8608] as only ECDSA with curve P-256 and 201 | /// SHA-256. 202 | /// 203 | /// [RFC 8608]: https://tools.ietf.org/html/rfc8608 204 | #[derive(Clone, Copy, Debug, Default, Eq, PartialEq)] 205 | pub struct BgpsecSignatureAlgorithm(()); 206 | 207 | impl BgpsecSignatureAlgorithm { 208 | /// Parses the algorithm identifier for X.509 objects. 209 | fn x509_from_constructed( 210 | cons: &mut decode::Constructed 211 | ) -> Result> { 212 | oid::ECDSA_WITH_SHA256.skip_if(cons)?; 213 | Ok(BgpsecSignatureAlgorithm(())) 214 | } 215 | } 216 | 217 | impl SignatureAlgorithm for BgpsecSignatureAlgorithm { 218 | type Encoder = encode::Constructed>; 219 | 220 | fn signing_algorithm(&self) -> SigningAlgorithm { 221 | SigningAlgorithm::EcdsaP256Sha256 222 | } 223 | 224 | fn x509_take_from( 225 | cons: &mut decode::Constructed 226 | ) -> Result> { 227 | cons.take_sequence(Self::x509_from_constructed) 228 | } 229 | 230 | fn x509_encode(&self) -> Self::Encoder { 231 | encode::Constructed::new( 232 | Tag::SEQUENCE, 233 | oid::ECDSA_WITH_SHA256.encode() 234 | ) 235 | } 236 | } 237 | 238 | 239 | //------------ Signature ----------------------------------------------------- 240 | 241 | #[derive(Clone, Debug, Eq, PartialEq)] 242 | pub struct Signature { 243 | algorithm: Alg, 244 | value: Bytes 245 | } 246 | 247 | pub type RpkiSignature = Signature; 248 | 249 | impl Signature { 250 | pub fn new(algorithm: Alg, value: Bytes) -> Self { 251 | Signature { algorithm, value } 252 | } 253 | 254 | pub fn algorithm(&self) -> &Alg { 255 | &self.algorithm 256 | } 257 | 258 | pub fn value(&self) -> &Bytes { 259 | &self.value 260 | } 261 | 262 | pub fn unwrap(self) -> (Alg, Bytes) { 263 | (self.algorithm, self.value) 264 | } 265 | } 266 | 267 | -------------------------------------------------------------------------------- /src/crypto/signer.rs: -------------------------------------------------------------------------------- 1 | //! A generic interface to a signer. 2 | 3 | use std::fmt; 4 | use super::keys::{PublicKey, PublicKeyFormat}; 5 | use super::signature::{SignatureAlgorithm, Signature}; 6 | 7 | 8 | //------------ Signer -------------------------------------------------------- 9 | 10 | /// A type that allow creating signatures. 11 | pub trait Signer { 12 | /// The type used for identifying keys. 13 | type KeyId; 14 | 15 | /// An operational error happened in the signer. 16 | type Error: fmt::Debug + fmt::Display; 17 | 18 | /// Creates a new key and returns an identifier. 19 | fn create_key( 20 | &self, 21 | algorithm: PublicKeyFormat 22 | ) -> Result; 23 | 24 | /// Returns the public key information for the given key. 25 | /// 26 | /// If the key identified by `key` does not exist, returns `None`. 27 | fn get_key_info( 28 | &self, 29 | key: &Self::KeyId 30 | ) -> Result>; 31 | 32 | /// Destroys a key. 33 | /// 34 | /// Returns whether the key identified by `key` existed. 35 | fn destroy_key( 36 | &self, 37 | key: &Self::KeyId 38 | ) -> Result<(), KeyError>; 39 | 40 | /// Signs data. 41 | fn sign + ?Sized>( 42 | &self, 43 | key: &Self::KeyId, 44 | algorithm: Alg, 45 | data: &D 46 | ) -> Result, SigningError>; 47 | 48 | /// Signs data using a one time use keypair. 49 | /// 50 | /// Returns both the signature and the public key of the key pair, 51 | /// but will not store this key pair. 52 | fn sign_one_off + ?Sized>( 53 | &self, 54 | algorithm: Alg, 55 | data: &D 56 | ) -> Result<(Signature, PublicKey), Self::Error>; 57 | 58 | /// Creates random data. 59 | /// 60 | /// The method fills the provide bytes slice with random data. 61 | fn rand(&self, target: &mut [u8]) -> Result<(), Self::Error>; 62 | } 63 | 64 | 65 | //------------ SigningAlgorithm ---------------------------------------------- 66 | 67 | /// The algorithm to use for signing. 68 | #[derive(Clone, Copy, Debug)] 69 | pub enum SigningAlgorithm { 70 | /// RSA with PKCS#1 1.5 padding using SHA-256. 71 | RsaSha256, 72 | 73 | /// ECDSA using the P-256 curva and SHA-256. 74 | EcdsaP256Sha256, 75 | } 76 | 77 | impl SigningAlgorithm { 78 | /// Returns the preferred public key format for this algorithm. 79 | pub fn public_key_format(self) -> PublicKeyFormat { 80 | match self { 81 | SigningAlgorithm::RsaSha256 => PublicKeyFormat::Rsa, 82 | SigningAlgorithm::EcdsaP256Sha256 => PublicKeyFormat::EcdsaP256, 83 | } 84 | } 85 | } 86 | 87 | 88 | //------------ KeyError ------------------------------------------------------ 89 | 90 | #[derive(Clone, Debug)] 91 | pub enum KeyError { 92 | /// A key with the given key ID doesn’t exist. 93 | KeyNotFound, 94 | 95 | /// An error happened during signing. 96 | Signer(S) 97 | } 98 | 99 | impl From for KeyError { 100 | fn from(err: S) -> Self { 101 | KeyError::Signer(err) 102 | } 103 | } 104 | 105 | impl fmt::Display for KeyError { 106 | fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { 107 | use self::KeyError::*; 108 | 109 | match *self { 110 | KeyNotFound => write!(f, "key not found"), 111 | Signer(ref s) => s.fmt(f) 112 | } 113 | } 114 | } 115 | 116 | 117 | //------------ SigningError -------------------------------------------------- 118 | 119 | #[derive(Clone, Debug)] 120 | pub enum SigningError { 121 | /// A key with the given key ID doesn’t exist. 122 | KeyNotFound, 123 | 124 | /// The key cannot be used with the algorithm. 125 | IncompatibleKey, 126 | 127 | /// An error happened during signing. 128 | Signer(S) 129 | } 130 | 131 | impl From for SigningError { 132 | fn from(err: S) -> Self { 133 | SigningError::Signer(err) 134 | } 135 | } 136 | 137 | impl From> for SigningError { 138 | fn from(err: KeyError) -> Self { 139 | match err { 140 | KeyError::KeyNotFound => SigningError::KeyNotFound, 141 | KeyError::Signer(err) => SigningError::Signer(err) 142 | } 143 | } 144 | } 145 | 146 | impl fmt::Display for SigningError { 147 | fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { 148 | use self::SigningError::*; 149 | 150 | match *self { 151 | KeyNotFound => write!(f, "key not found"), 152 | IncompatibleKey => write!(f, "key not compatible with algorithm"), 153 | Signer(ref s) => s.fmt(f) 154 | } 155 | } 156 | } 157 | 158 | -------------------------------------------------------------------------------- /src/crypto/softsigner.rs: -------------------------------------------------------------------------------- 1 | //! A signer atop the OpenSSL library. 2 | //! 3 | //! Because this adds a dependency to openssl libs this is disabled by 4 | //! default and should only be used by implementations that need to use 5 | //! software keys to sign things, such as an RPKI Certificate Authority or 6 | //! Publication Server. In particular, this is not required when validating. 7 | 8 | use std::io; 9 | use std::sync::{Arc, RwLock}; 10 | use bcder::decode::IntoSource; 11 | use openssl::rsa::Rsa; 12 | use openssl::pkey::{PKey, Private}; 13 | use openssl::hash::MessageDigest; 14 | use ring::rand; 15 | use ring::rand::SecureRandom; 16 | use super::keys::{PublicKey, PublicKeyFormat}; 17 | use super::signer::{KeyError, Signer, SigningAlgorithm, SigningError}; 18 | use super::signature::{SignatureAlgorithm, Signature}; 19 | 20 | 21 | 22 | //------------ OpenSslSigner ------------------------------------------------- 23 | 24 | /// An OpenSSL based signer. 25 | /// 26 | /// Keeps the keys in memory (for now). 27 | pub struct OpenSslSigner { 28 | keys: RwLock>>>, 29 | rng: rand::SystemRandom, 30 | } 31 | 32 | impl OpenSslSigner { 33 | pub fn new() -> OpenSslSigner { 34 | OpenSslSigner { 35 | keys: Default::default(), 36 | rng: rand::SystemRandom::new(), 37 | } 38 | } 39 | 40 | pub fn key_from_der(&self, der: &[u8]) -> Result { 41 | Ok(self.insert_key(KeyPair::from_der(der)?)) 42 | } 43 | 44 | pub fn key_from_pem(&self, pem: &[u8]) -> Result { 45 | Ok(self.insert_key(KeyPair::from_pem(pem)?)) 46 | } 47 | 48 | fn insert_key(&self, key: KeyPair) -> KeyId { 49 | let mut keys = self.keys.write().unwrap(); 50 | let res = keys.len(); 51 | keys.push(Some(key.into())); 52 | KeyId(res) 53 | } 54 | 55 | fn get_key(&self, id: KeyId) -> Result, KeyError> { 56 | self.keys.read().unwrap().get(id.0).and_then(|key| { 57 | key.as_ref().cloned() 58 | }).ok_or(KeyError::KeyNotFound) 59 | } 60 | 61 | fn delete_key(&self, key: KeyId) -> Result<(), KeyError> { 62 | let mut keys = self.keys.write().unwrap(); 63 | let key = keys.get_mut(key.0); 64 | match key { 65 | Some(key) => { 66 | if key.is_some() { 67 | *key = None; 68 | Ok(()) 69 | } 70 | else { 71 | Err(KeyError::KeyNotFound) 72 | } 73 | } 74 | None => Err(KeyError::KeyNotFound) 75 | } 76 | } 77 | } 78 | 79 | impl Signer for OpenSslSigner { 80 | type KeyId = KeyId; 81 | type Error = io::Error; 82 | 83 | fn create_key( 84 | &self, algorithm: PublicKeyFormat 85 | ) -> Result { 86 | Ok(self.insert_key(KeyPair::new(algorithm)?)) 87 | } 88 | 89 | fn get_key_info( 90 | &self, 91 | id: &Self::KeyId 92 | ) -> Result> { 93 | self.get_key(*id)?.get_key_info().map_err(KeyError::Signer) 94 | } 95 | 96 | fn destroy_key( 97 | &self, key: &Self::KeyId 98 | ) -> Result<(), KeyError> { 99 | self.delete_key(*key) 100 | } 101 | 102 | fn sign + ?Sized>( 103 | &self, 104 | key: &Self::KeyId, 105 | algorithm: Alg, 106 | data: &D 107 | ) -> Result, SigningError> { 108 | self.get_key(*key)?.sign(algorithm, data.as_ref()).map_err(Into::into) 109 | } 110 | 111 | fn sign_one_off + ?Sized>( 112 | &self, 113 | algorithm: Alg, 114 | data: &D 115 | ) -> Result<(Signature, PublicKey), Self::Error> { 116 | let key = KeyPair::new(algorithm.public_key_format())?; 117 | let info = key.get_key_info()?; 118 | let sig = key.sign(algorithm, data.as_ref())?; 119 | Ok((sig, info)) 120 | } 121 | 122 | fn rand(&self, target: &mut [u8]) -> Result<(), Self::Error> { 123 | self.rng.fill(target).map_err(|_| 124 | io::Error::new(io::ErrorKind::Other, "rng error") 125 | ) 126 | } 127 | } 128 | 129 | 130 | impl Default for OpenSslSigner { 131 | fn default() -> Self { 132 | Self::new() 133 | } 134 | } 135 | 136 | 137 | //------------ KeyId --------------------------------------------------------- 138 | 139 | /// This signer’s key identifier. 140 | // 141 | // We wrap this in a newtype so that people won’t start mucking about with 142 | // the integers. 143 | #[derive(Clone, Copy, Debug)] 144 | pub struct KeyId(usize); 145 | 146 | 147 | //------------ KeyPair ------------------------------------------------------- 148 | 149 | /// A key pair kept by the signer. 150 | struct KeyPair(PKey); 151 | 152 | impl KeyPair { 153 | fn new(algorithm: PublicKeyFormat) -> Result { 154 | if algorithm != PublicKeyFormat::Rsa { 155 | return Err(io::Error::new( 156 | io::ErrorKind::Other, "invalid algorithm" 157 | )); 158 | } 159 | // Issues unwrapping this indicate a bug in the openssl library. 160 | // So, there is no way to recover. 161 | let rsa = Rsa::generate(2048)?; 162 | let pkey = PKey::from_rsa(rsa)?; 163 | Ok(KeyPair(pkey)) 164 | } 165 | 166 | fn from_der(der: &[u8]) -> Result { 167 | let res = PKey::private_key_from_der(der)?; 168 | if res.bits() != 2048 { 169 | return Err(io::Error::new( 170 | io::ErrorKind::Other, 171 | format!("invalid key length {}", res.bits()) 172 | )) 173 | } 174 | Ok(KeyPair(res)) 175 | } 176 | 177 | fn from_pem(pem: &[u8]) -> Result { 178 | let res = PKey::private_key_from_pem(pem)?; 179 | if res.bits() != 2048 { 180 | return Err(io::Error::new( 181 | io::ErrorKind::Other, 182 | format!("invalid key length {}", res.bits()) 183 | )) 184 | } 185 | Ok(KeyPair(res)) 186 | } 187 | 188 | fn get_key_info(&self) -> Result 189 | { 190 | // Issues unwrapping this indicate a bug in the openssl 191 | // library. So, there is no way to recover. 192 | let der = self.0.rsa().unwrap().public_key_to_der()?; 193 | Ok(PublicKey::decode(der.as_slice().into_source()).unwrap()) 194 | } 195 | 196 | fn sign( 197 | &self, 198 | algorithm: Alg, 199 | data: &[u8] 200 | ) -> Result, io::Error> { 201 | if !matches!( 202 | algorithm.signing_algorithm(), SigningAlgorithm::RsaSha256 203 | ) { 204 | return Err(io::Error::new( 205 | io::ErrorKind::Other, 206 | "invalid algorithm" 207 | )); 208 | } 209 | let mut signer = ::openssl::sign::Signer::new( 210 | MessageDigest::sha256(), &self.0 211 | )?; 212 | signer.update(data)?; 213 | Ok(Signature::new(algorithm, signer.sign_to_vec()?.into())) 214 | } 215 | } 216 | 217 | 218 | //------------ Tests --------------------------------------------------------- 219 | 220 | #[cfg(test)] 221 | pub mod tests { 222 | 223 | use super::*; 224 | use crate::crypto::signature::RpkiSignatureAlgorithm; 225 | 226 | #[test] 227 | fn info_sign_delete() { 228 | let s = OpenSslSigner::new(); 229 | let ki = s.create_key(PublicKeyFormat::Rsa).unwrap(); 230 | let data = b"foobar"; 231 | let _ = s.get_key_info(&ki).unwrap(); 232 | let _ = s.sign(&ki, RpkiSignatureAlgorithm::default(), data).unwrap(); 233 | s.destroy_key(&ki).unwrap(); 234 | } 235 | 236 | #[test] 237 | fn one_off() { 238 | let s = OpenSslSigner::new(); 239 | s.sign_one_off(RpkiSignatureAlgorithm::default(), b"foobar").unwrap(); 240 | } 241 | } 242 | 243 | -------------------------------------------------------------------------------- /src/dep.rs: -------------------------------------------------------------------------------- 1 | //! Re-exported dependencies. 2 | 3 | #[cfg(feature = "bcder")] 4 | pub use bcder; 5 | -------------------------------------------------------------------------------- /src/lib.rs: -------------------------------------------------------------------------------- 1 | //! All things RPKI. 2 | //! 3 | //! The _Resource Public Key Infrastructure_ (RPKI) is an application of 4 | //! PKI to Internet routing security. It allows owners of IP address prefixes 5 | //! and AS numbers to publish cryptographically signed information about 6 | //! these resources. In particular, RPKI is currently used for route origin 7 | //! validation where these statements list the AS numbers that are allowed 8 | //! to originate routes for prefixes. 9 | //! 10 | //! # Features 11 | //! 12 | //! The crate uses the features to enable functionality that isn’t necessary 13 | //! for all use cases. Currently, the following features are defined: 14 | //! 15 | //! * `"repository"`: support for creating, validating, and processing of 16 | //! repository objects, such as certificates, manifests, or ROAs; 17 | //! * `"rrdp"`: support for the RRDP protocol for synchronising RPKI 18 | //! repositories; 19 | //! * `"rtr"`: support for the RPKI-to-router protocol (RTR); 20 | //! * `"slurm"`: support for local exceptions aka SLURM; 21 | //! * `"serde-support"`: support for Serde serialization and deserialization 22 | //! for many of the crate’s types; 23 | //! * `"softkeys"`: enables an OpenSSL-based signer for creating repository 24 | //! objects – enabling this feature also enables the `"repository"` 25 | //! feature; 26 | //! * `"extra-debug"`: enables printing stack traces when parsing of a 27 | //! repository object fails – this feature should only be used during 28 | //! debugging and must not be enabled in release builds. 29 | 30 | #![allow(renamed_and_removed_lints)] 31 | #![allow(clippy::unknown_clippy_lints)] 32 | 33 | 34 | pub mod ca; 35 | pub mod crypto; 36 | pub mod dep; 37 | pub mod oid; 38 | pub mod repository; 39 | pub mod resources; 40 | pub mod rrdp; 41 | pub mod rtr; 42 | pub mod slurm; 43 | pub mod uri; 44 | pub mod util; 45 | pub mod xml; 46 | 47 | -------------------------------------------------------------------------------- /src/oid.rs: -------------------------------------------------------------------------------- 1 | //! The object identifiers used in this crate. 2 | //! 3 | //! This module collects all the object identifiers used at various places 4 | //! in this crate in one central place. They are public so you can refer to 5 | //! them should that ever become necessary. 6 | 7 | #![cfg(feature = "bcder")] 8 | 9 | use bcder::{ConstOid, Oid}; 10 | 11 | /// [RFC 4055](https://tools.ietf.org/html/rfc4055) `id-sha256` 12 | /// 13 | /// Identifies the SHA-256 one-way hash function. 14 | pub const SHA256: ConstOid 15 | = Oid(&[96, 134, 72, 1, 101, 3, 4, 2, 1]); 16 | 17 | /// [RFC 4055](https://tools.ietf.org/html/rfc4055) `rsaEncryption` 18 | /// 19 | /// Identifies an RSA public key with no limitation to either RSASSA-PSS or 20 | /// RSAES-OEAP. 21 | pub const RSA_ENCRYPTION: ConstOid 22 | = Oid(&[42, 134, 72, 134, 247, 13, 1, 1, 1]); 23 | 24 | /// [RFC 4055](https://tools.ietf.org/html/rfc4055) `sha256WithRSAEncryption` 25 | /// 26 | /// Identifies the PKCS #1 version 1.5 signature algorithm with SHA-256. 27 | pub const SHA256_WITH_RSA_ENCRYPTION: ConstOid 28 | = Oid(&[42, 134, 72, 134, 247, 13, 1, 1, 11]); 29 | 30 | /// [RFC 5480](https://tools.ietf.org/html/rfc5480) `ecPublicKey`. 31 | /// 32 | /// Identifies public keys for elliptic curve cryptography. 33 | pub const EC_PUBLIC_KEY: ConstOid = Oid(&[42, 134, 72, 206, 61, 2, 1]); 34 | 35 | /// [RFC 5480](https://tools.ietf.org/html/rfc5480) `ecdsa-with-SHA256`. 36 | /// 37 | /// Identifies public keys for elliptic curve cryptography. 38 | pub const ECDSA_WITH_SHA256: ConstOid 39 | = Oid(&[42, 134, 72, 206, 61, 4, 3, 2]); 40 | 41 | /// [RFC 5480](https://tools.ietf.org/html/rfc5480) `secp256r1`. 42 | /// 43 | /// Identifies the P-256 curve for elliptic curve cryptography. 44 | pub const SECP256R1: ConstOid = Oid(&[42, 134, 72, 206, 61, 3, 1, 7]); 45 | 46 | 47 | pub const SIGNED_DATA: Oid<&[u8]> 48 | = Oid(&[42, 134, 72, 134, 247, 13, 1, 7, 2]); 49 | pub const CONTENT_TYPE: Oid<&[u8]> 50 | = Oid(&[42, 134, 72, 134, 247, 13, 1, 9, 3]); 51 | pub const PROTOCOL_CONTENT_TYPE: Oid<&[u8]> 52 | = Oid(&[42, 134, 72, 134, 247, 13, 1, 9, 16, 1, 28]); 53 | pub const MESSAGE_DIGEST: Oid<&[u8]> 54 | = Oid(&[42, 134, 72, 134, 247, 13, 1, 9, 4]); 55 | pub const SIGNING_TIME: Oid<&[u8]> 56 | = Oid(&[42, 134, 72, 134, 247, 13, 1, 9, 5]); 57 | pub const AA_BINARY_SIGNING_TIME: Oid<&[u8]> = 58 | Oid(&[42, 134, 72, 134, 247, 13, 1, 9, 16, 2, 46]); 59 | 60 | 61 | pub const AD_CA_ISSUERS: Oid<&[u8]> = Oid(&[43, 6, 1, 5, 5, 7, 48, 2]); 62 | pub const AD_CA_REPOSITORY: Oid<&[u8]> = Oid(&[43, 6, 1, 5, 5, 7, 48, 5]); 63 | pub const AD_RPKI_MANIFEST: Oid<&[u8]> = Oid(&[43, 6, 1, 5, 5, 7, 48, 10]); 64 | pub const AD_RPKI_NOTIFY: Oid<&[u8]> = Oid(&[43, 6, 1, 5, 5, 7, 48, 13]); 65 | pub const AD_SIGNED_OBJECT: Oid<&[u8]> = Oid(&[43, 6, 1, 5, 5, 7, 48, 11]); 66 | 67 | pub const AT_COMMON_NAME: Oid<&[u8]> = Oid(&[85, 4, 3]); // 2 5 4 3 68 | pub const AT_SERIAL_NUMBER: Oid<&[u8]> = Oid(&[85, 4, 5]); // 2 5 4 5 69 | 70 | pub const CE_AUTHORITY_KEY_IDENTIFIER: Oid<&[u8]> = Oid(&[85, 29, 35]); 71 | pub const CE_BASIC_CONSTRAINTS: Oid<&[u8]> = Oid(&[85, 29, 19]); 72 | pub const CE_CERTIFICATE_POLICIES: Oid<&[u8]> = Oid(&[85, 29, 32]); 73 | pub const CE_CRL_DISTRIBUTION_POINTS: Oid<&[u8]> = Oid(&[85, 29, 31]); 74 | pub const CE_CRL_NUMBER: Oid<&[u8]> = Oid(&[85, 29, 20]); 75 | pub const CE_EXTENDED_KEY_USAGE: Oid<&[u8]> = Oid(&[85, 29, 37]); 76 | pub const CE_KEY_USAGE: Oid<&[u8]> = Oid(&[85, 29, 15]); 77 | pub const CE_SUBJECT_KEY_IDENTIFIER: Oid<&[u8]> = Oid(&[85, 29, 14]); 78 | 79 | pub const CP_IPADDR_ASNUMBER: Oid<&[u8]> = Oid(&[43, 6, 1, 5, 5, 7, 14, 2]); 80 | pub const CP_IPADDR_ASNUMBER_V2: Oid<&[u8]> = Oid(&[43, 6, 1, 5, 5, 7, 14, 3]); 81 | 82 | pub const CT_RPKI_MANIFEST: ConstOid 83 | = Oid(&[42, 134, 72, 134, 247, 13, 1, 9, 16, 1, 26]); 84 | pub const CT_RESOURCE_TAGGED_ATTESTATION: ConstOid 85 | = Oid(&[42, 134, 72, 134, 247, 13, 1, 9, 16, 1, 36]); 86 | pub const CT_ASPA: ConstOid 87 | = Oid(&[42, 134, 72, 134, 247, 13, 1, 9, 16, 1, 49]); 88 | 89 | pub const KP_BGPSEC_ROUTER: ConstOid 90 | = Oid(&[43, 6, 1, 5, 5, 7, 3, 30]); 91 | 92 | pub const PE_AUTHORITY_INFO_ACCESS: Oid<&[u8]> 93 | = Oid(&[43, 6, 1, 5, 5, 7, 1, 1]); 94 | pub const PE_IP_ADDR_BLOCK: Oid<&[u8]> = Oid(&[43, 6, 1, 5, 5, 7, 1, 7]); 95 | pub const PE_IP_ADDR_BLOCK_V2: Oid<&[u8]> = Oid(&[43, 6, 1, 5, 5, 7, 1, 28]); 96 | pub const PE_AUTONOMOUS_SYS_IDS: Oid<&[u8]> 97 | = Oid(&[43, 6, 1, 5, 5, 7, 1, 8]); 98 | pub const PE_AUTONOMOUS_SYS_IDS_V2: Oid<&[u8]> 99 | = Oid(&[43, 6, 1, 5, 5, 7, 1, 29]); 100 | pub const PE_SUBJECT_INFO_ACCESS: Oid<&[u8]> 101 | = Oid(&[43, 6, 1, 5, 5, 7, 1, 11]); 102 | 103 | pub const ROUTE_ORIGIN_AUTHZ: ConstOid 104 | = Oid(&[42, 134, 72, 134, 247, 13, 1, 9, 16, 1, 24]); 105 | 106 | /// [RFC 2985](https://tools.ietf.org/html/rfc2985) `extensionRequest` 107 | pub const EXTENSION_REQUEST: ConstOid 108 | = Oid(&[42, 134, 72, 134, 247, 13, 1, 9, 14]); 109 | 110 | -------------------------------------------------------------------------------- /src/repository/error.rs: -------------------------------------------------------------------------------- 1 | //! Error handling for the `repository` module. 2 | //! 3 | 4 | use std::fmt; 5 | use std::convert::Infallible; 6 | use bcder::decode::{DecodeError, ContentError}; 7 | use crate::crypto::keys::SignatureVerificationError; 8 | 9 | 10 | //------------ InspectionError ----------------------------------------------- 11 | 12 | #[derive(Debug)] 13 | pub struct InspectionError{ 14 | inner: ContentError, 15 | } 16 | 17 | impl InspectionError { 18 | pub fn new(err: impl Into) -> Self { 19 | InspectionError { inner: err.into() } 20 | } 21 | } 22 | 23 | impl From for InspectionError { 24 | fn from(err: ContentError) -> InspectionError { 25 | InspectionError { inner: err } 26 | } 27 | } 28 | 29 | impl From for ContentError { 30 | fn from(err: InspectionError) -> Self { 31 | err.inner 32 | } 33 | } 34 | 35 | impl fmt::Display for InspectionError { 36 | fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { 37 | self.inner.fmt(f) 38 | } 39 | } 40 | 41 | 42 | //------------ VerificationError --------------------------------------------- 43 | 44 | #[derive(Debug)] 45 | pub struct VerificationError{ 46 | inner: ContentError, 47 | } 48 | 49 | impl VerificationError { 50 | pub fn new(err: impl Into) -> Self { 51 | VerificationError { inner: err.into() } 52 | } 53 | } 54 | 55 | impl From for VerificationError { 56 | fn from(err: ContentError) -> VerificationError { 57 | VerificationError { inner: err } 58 | } 59 | } 60 | 61 | impl From for VerificationError { 62 | fn from(err: SignatureVerificationError) -> Self { 63 | ContentError::from(err).into() 64 | } 65 | } 66 | 67 | impl fmt::Display for VerificationError { 68 | fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { 69 | self.inner.fmt(f) 70 | } 71 | } 72 | 73 | 74 | //------------ ValidationError ----------------------------------------------- 75 | 76 | #[derive(Debug)] 77 | pub struct ValidationError{ 78 | inner: ValidationErrorKind, 79 | } 80 | 81 | #[derive(Debug)] 82 | enum ValidationErrorKind { 83 | Decoding(DecodeError), 84 | Inspection(InspectionError), 85 | Verification(VerificationError), 86 | } 87 | 88 | impl From> for ValidationError { 89 | fn from(err: DecodeError) -> ValidationError { 90 | ValidationError { 91 | inner: ValidationErrorKind::Decoding(err) 92 | } 93 | } 94 | } 95 | 96 | impl From for ValidationError { 97 | fn from(err: InspectionError) -> ValidationError { 98 | ValidationError { 99 | inner: ValidationErrorKind::Inspection(err) 100 | } 101 | } 102 | } 103 | 104 | impl From for ValidationError { 105 | fn from(err: VerificationError) -> ValidationError { 106 | ValidationError { 107 | inner: ValidationErrorKind::Verification(err) 108 | } 109 | } 110 | } 111 | 112 | impl fmt::Display for ValidationError { 113 | fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { 114 | match self.inner { 115 | ValidationErrorKind::Decoding(ref inner) => inner.fmt(f), 116 | ValidationErrorKind::Inspection(ref inner) => inner.fmt(f), 117 | ValidationErrorKind::Verification(ref inner) => inner.fmt(f), 118 | } 119 | } 120 | } 121 | 122 | -------------------------------------------------------------------------------- /src/repository/mod.rs: -------------------------------------------------------------------------------- 1 | //! Processing the content of RPKI repositories. 2 | //! 3 | //! This module contains types and procedures to parse and verify as well as 4 | //! create all the objects that can appear in an RPKI repository. 5 | 6 | #![cfg(feature = "repository")] 7 | 8 | //--- Re-exports 9 | // 10 | pub use self::cert::{Cert, ResourceCert}; 11 | pub use self::crl::Crl; 12 | pub use self::manifest::Manifest; 13 | pub use self::roa::Roa; 14 | pub use self::rta::Rta; 15 | pub use self::tal::Tal; 16 | 17 | 18 | //--- Modules 19 | // 20 | pub mod aspa; 21 | pub mod cert; 22 | pub mod crl; 23 | pub mod error; 24 | pub mod manifest; 25 | pub mod resources; 26 | pub mod roa; 27 | pub mod rta; 28 | pub mod sigobj; 29 | pub mod tal; 30 | pub mod x509; 31 | -------------------------------------------------------------------------------- /src/repository/resources/choice.rs: -------------------------------------------------------------------------------- 1 | //! An enum offering the choice between inherited and included resources. 2 | //! 3 | //! This is a private module used only internally. 4 | 5 | use std::fmt; 6 | 7 | 8 | //------------ ResourcesChoice ----------------------------------------------- 9 | 10 | /// The option to either include or inherit resources. 11 | /// 12 | /// This is generic over the type of included resources. 13 | #[derive(Clone, Debug, Eq, PartialEq)] 14 | #[cfg_attr(feature = "serde", derive(serde::Serialize, serde::Deserialize))] 15 | pub enum ResourcesChoice { 16 | /// There are no resources of this type. 17 | /// 18 | /// This is a special case since creating an empty `T` may still be pricy. 19 | Missing, 20 | 21 | /// Resources are to be inherited from the issuer. 22 | Inherit, 23 | 24 | /// The resources are provided as a set of blocks. 25 | Blocks(T), 26 | } 27 | 28 | impl ResourcesChoice { 29 | /// Returns whether the resources are of the inherited variant. 30 | pub fn is_inherited(&self) -> bool { 31 | matches!(self, ResourcesChoice::Inherit) 32 | } 33 | 34 | /// Returns whether the resources are present. 35 | pub fn is_present(&self) -> bool { 36 | !matches!(self, ResourcesChoice::Missing) 37 | } 38 | 39 | /// Converts the resources into blocks or returns an error. 40 | /// 41 | /// In case the resources are missing, returns a default `T`. 42 | pub fn to_blocks(&self) -> Result 43 | where T: Clone + Default { 44 | match self { 45 | ResourcesChoice::Missing => Ok(Default::default()), 46 | ResourcesChoice::Inherit => Err(InheritedResources), 47 | ResourcesChoice::Blocks(ref some) => Ok(some.clone()), 48 | } 49 | } 50 | 51 | /// Converts the choice into a different choice via a closure. 52 | /// 53 | /// If this value is of the included variant, runs the blocks through 54 | /// the provided closure and returns a new choice with the result. If 55 | /// this value is of the inherit or missing variant, does nothing and 56 | /// simply returns the choice. 57 | pub fn map_blocks(self, f: F) -> ResourcesChoice 58 | where F: FnOnce(T) -> U { 59 | match self { 60 | ResourcesChoice::Missing => ResourcesChoice::Missing, 61 | ResourcesChoice::Inherit => ResourcesChoice::Inherit, 62 | ResourcesChoice::Blocks(t) => ResourcesChoice::Blocks(f(t)) 63 | } 64 | } 65 | } 66 | 67 | 68 | //--- Display 69 | 70 | impl fmt::Display for ResourcesChoice { 71 | fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { 72 | match *self { 73 | ResourcesChoice::Missing => Ok(()), 74 | ResourcesChoice::Inherit => write!(f, "inherit"), 75 | ResourcesChoice::Blocks(ref inner) => inner.fmt(f) 76 | } 77 | } 78 | } 79 | 80 | 81 | //------------ InheritedResources -------------------------------------------- 82 | 83 | #[derive(Clone, Copy, Debug)] 84 | pub struct InheritedResources; 85 | 86 | -------------------------------------------------------------------------------- /src/repository/resources/mod.rs: -------------------------------------------------------------------------------- 1 | //! Handling of IP and AS resources. 2 | //! 3 | //! The types in this module implement the certificate extensions defined in 4 | //! [RFC 3779] for including IP address and autonomous system resources in 5 | //! certificates in the restricted form specified by [RFC 6487] for use in 6 | //! RPKI. 7 | //! 8 | //! There are two such resources: [`IpResources`] implements the IP Address 9 | //! Delegation Extension and [`AsResources`] implements the Autonomous System 10 | //! Identifier Delegation Extension. 11 | //! 12 | //! [RFC 3779]: https://tools.ietf.org/html/rfc3779 13 | //! [RFC 6487]: https://tools.ietf.org/html/rfc6487 14 | 15 | pub use self::asres::{ 16 | AsBlock, AsBlocks, AsBlocksBuilder, Asn, AsResources, AsResourcesBuilder, 17 | InheritedAsResources, OverclaimedAsResources, 18 | }; 19 | pub use self::choice::ResourcesChoice; 20 | pub use self::ipres::{ 21 | Addr, AddressFamily, AddressRange, InheritedIpResources, IpBlock, IpBlocks, 22 | Ipv4Block, Ipv4Blocks, Ipv6Block, Ipv6Blocks, IpBlocksBuilder, 23 | IpBlocksForFamily, IpResources, IpResourcesBuilder, OverclaimedIpResources, 24 | OverclaimedIpv4Resources, OverclaimedIpv6Resources, Prefix 25 | }; 26 | pub use self::set::{ 27 | ResourceDiff, ResourceSet 28 | }; 29 | 30 | mod asres; 31 | mod chain; 32 | mod choice; 33 | mod ipres; 34 | mod set; 35 | 36 | -------------------------------------------------------------------------------- /src/repository/resources/set.rs: -------------------------------------------------------------------------------- 1 | use std::fmt; 2 | use std::str::FromStr; 3 | 4 | #[cfg(feature = "serde")] 5 | use serde::{Deserialize, Serialize}; 6 | 7 | use crate::repository::resources::{AsResources, IpResources}; 8 | use crate::repository::Cert; 9 | use crate::repository::{ 10 | resources::{AsBlock, AsBlocks, AsBlocksBuilder, Ipv4Blocks, Ipv6Blocks}, 11 | roa::RoaIpAddress, 12 | }; 13 | use crate::resources::asn::Asn; 14 | 15 | //------------ ResourceSet --------------------------------------------------- 16 | 17 | /// A set of ASN, IPv4 and IPv6 resources. 18 | #[derive(Clone, Debug, Eq, PartialEq)] 19 | #[cfg_attr(feature = "serde", derive(Deserialize, Serialize))] 20 | pub struct ResourceSet { 21 | asn: AsBlocks, 22 | 23 | #[cfg_attr(feature = "serde", serde(alias = "v4"))] 24 | ipv4: Ipv4Blocks, 25 | 26 | #[cfg_attr(feature = "serde", serde(alias = "v6"))] 27 | ipv6: Ipv6Blocks, 28 | } 29 | 30 | impl ResourceSet { 31 | pub fn new(asn: AsBlocks, ipv4: Ipv4Blocks, ipv6: Ipv6Blocks) -> Self { 32 | ResourceSet { asn, ipv4, ipv6 } 33 | } 34 | 35 | pub fn from_strs(asn: &str, ipv4: &str, ipv6: &str) -> Result { 36 | let asn = AsBlocks::from_str(asn).map_err(FromStrError::asn)?; 37 | let ipv4 = Ipv4Blocks::from_str(ipv4).map_err(FromStrError::ipv4)?; 38 | let ipv6 = Ipv6Blocks::from_str(ipv6).map_err(FromStrError::ipv6)?; 39 | 40 | Ok(ResourceSet { asn, ipv4, ipv6 }) 41 | } 42 | 43 | pub fn empty() -> ResourceSet { 44 | Self::default() 45 | } 46 | 47 | pub fn all() -> ResourceSet { 48 | ResourceSet { 49 | asn: AsBlocks::all(), 50 | ipv4: Ipv4Blocks::all(), 51 | ipv6: Ipv6Blocks::all(), 52 | } 53 | } 54 | 55 | pub fn is_empty(&self) -> bool { 56 | self.asn.is_empty() && self.ipv4.is_empty() && self.ipv6.is_empty() 57 | } 58 | 59 | pub fn set_asn(&mut self, asn: AsBlocks) { 60 | self.asn = asn; 61 | } 62 | 63 | pub fn set_ipv4(&mut self, ipv4: Ipv4Blocks) { 64 | self.ipv4 = ipv4; 65 | } 66 | 67 | pub fn set_ipv6(&mut self, ipv6: Ipv6Blocks) { 68 | self.ipv6 = ipv6; 69 | } 70 | 71 | pub fn asn(&self) -> &AsBlocks { 72 | &self.asn 73 | } 74 | 75 | pub fn to_as_resources(&self) -> AsResources { 76 | AsResources::blocks(self.asn.clone()) 77 | } 78 | 79 | pub fn ipv4(&self) -> &Ipv4Blocks { 80 | &self.ipv4 81 | } 82 | 83 | pub fn to_ip_resources_v4(&self) -> IpResources { 84 | self.ipv4.to_ip_resources() 85 | } 86 | 87 | pub fn ipv6(&self) -> &Ipv6Blocks { 88 | &self.ipv6 89 | } 90 | 91 | pub fn to_ip_resources_v6(&self) -> IpResources { 92 | self.ipv6.to_ip_resources() 93 | } 94 | 95 | /// Returns None if there are no ASNs in this ResourceSet. 96 | pub fn asn_opt(&self) -> Option<&AsBlocks> { 97 | if self.asn.is_empty() { 98 | None 99 | } else { 100 | Some(&self.asn) 101 | } 102 | } 103 | 104 | /// Returns None if there is no IPv4 in this ResourceSet. 105 | pub fn ipv4_opt(&self) -> Option<&Ipv4Blocks> { 106 | if self.ipv4.is_empty() { 107 | None 108 | } else { 109 | Some(&self.ipv4) 110 | } 111 | } 112 | 113 | /// Returns None if there is no IPv6 in this ResourceSet. 114 | pub fn ipv6_opt(&self) -> Option<&Ipv6Blocks> { 115 | if self.ipv6.is_empty() { 116 | None 117 | } else { 118 | Some(&self.ipv6) 119 | } 120 | } 121 | 122 | /// Check of the other set is contained by this set. If this set 123 | /// contains inherited resources, then any explicit corresponding 124 | /// resources in the other set will be considered to fall outside of 125 | /// this set. 126 | pub fn contains(&self, other: &ResourceSet) -> bool { 127 | self.asn.contains(other.asn()) 128 | && self.ipv4.contains(&other.ipv4) 129 | && self.ipv6.contains(&other.ipv6) 130 | } 131 | 132 | /// Check if the resource set contains the given Asn 133 | pub fn contains_asn(&self, asn: Asn) -> bool { 134 | let mut blocks = AsBlocksBuilder::new(); 135 | blocks.push(AsBlock::Id(asn)); 136 | let blocks = blocks.finalize(); 137 | self.asn.contains(&blocks) 138 | } 139 | 140 | /// Check if the resource set contains the given ROA address 141 | pub fn contains_roa_address(&self, roa_address: &RoaIpAddress) -> bool { 142 | self.ipv4.contains_roa(roa_address) || self.ipv6.contains_roa(roa_address) 143 | } 144 | 145 | /// Returns the union of this ResourceSet and the other. I.e. a new 146 | /// ResourceSet containing all resources found in one or both. 147 | pub fn union(&self, other: &ResourceSet) -> Self { 148 | let asn = self.asn.union(&other.asn); 149 | let ipv4 = self.ipv4.union(&other.ipv4).into(); 150 | let ipv6 = self.ipv6.union(&other.ipv6).into(); 151 | ResourceSet { asn, ipv4, ipv6 } 152 | } 153 | 154 | /// Returns the intersection of this ResourceSet and the other. I.e. a new 155 | /// ResourceSet containing all resources found in both sets. 156 | pub fn intersection(&self, other: &ResourceSet) -> Self { 157 | let asn = self.asn.intersection(&other.asn); 158 | let ipv4 = self.ipv4.intersection(&other.ipv4).into(); 159 | let ipv6 = self.ipv6.intersection(&other.ipv6).into(); 160 | ResourceSet { asn, ipv4, ipv6 } 161 | } 162 | 163 | /// Returns the difference from another ResourceSet towards `self`. 164 | pub fn difference(&self, other: &ResourceSet) -> ResourceDiff { 165 | let added = ResourceSet { 166 | asn: self.asn.difference(&other.asn), 167 | ipv4: self.ipv4.difference(&other.ipv4).into(), 168 | ipv6: self.ipv6.difference(&other.ipv6).into(), 169 | }; 170 | let removed = ResourceSet { 171 | asn: other.asn.difference(&self.asn), 172 | ipv4: other.ipv4.difference(&self.ipv4).into(), 173 | ipv6: other.ipv6.difference(&self.ipv6).into(), 174 | }; 175 | ResourceDiff { added, removed } 176 | } 177 | } 178 | 179 | impl Default for ResourceSet { 180 | fn default() -> Self { 181 | ResourceSet { 182 | asn: AsBlocks::empty(), 183 | ipv4: Ipv4Blocks::empty(), 184 | ipv6: Ipv6Blocks::empty(), 185 | } 186 | } 187 | } 188 | 189 | //--- Display 190 | 191 | impl fmt::Display for ResourceSet { 192 | fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { 193 | write!( 194 | f, 195 | "asn: '{}', ipv4: '{}', ipv6: '{}'", 196 | self.asn, 197 | self.ipv4, 198 | self.ipv6 199 | ) 200 | } 201 | } 202 | 203 | impl TryFrom<&Cert> for ResourceSet { 204 | type Error = InheritError; 205 | 206 | fn try_from(cert: &Cert) -> Result { 207 | let asn = match cert.as_resources().to_blocks() { 208 | Ok(as_blocks) => as_blocks, 209 | Err(_) => return Err(InheritError), 210 | }; 211 | 212 | let ipv4 = match cert.v4_resources().to_blocks() { 213 | Ok(blocks) => blocks, 214 | Err(_) => return Err(InheritError), 215 | } 216 | .into(); 217 | 218 | let ipv6 = match cert.v6_resources().to_blocks() { 219 | Ok(blocks) => blocks, 220 | Err(_) => return Err(InheritError), 221 | } 222 | .into(); 223 | 224 | Ok(ResourceSet { asn, ipv4, ipv6 }) 225 | } 226 | } 227 | 228 | 229 | //------------ ResourceDiff -------------------------------------------------- 230 | 231 | #[derive(Clone, Debug, Eq, PartialEq)] 232 | #[cfg_attr(feature = "serde", derive(Deserialize, Serialize))] 233 | pub struct ResourceDiff { 234 | added: ResourceSet, 235 | removed: ResourceSet, 236 | } 237 | 238 | impl ResourceDiff { 239 | pub fn is_empty(&self) -> bool { 240 | self.added.is_empty() && self.removed.is_empty() 241 | } 242 | } 243 | 244 | impl fmt::Display for ResourceDiff { 245 | fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { 246 | if self.is_empty() { 247 | write!(f, "")?; 248 | } 249 | if !self.added.is_empty() { 250 | write!(f, "Added:")?; 251 | if !self.added.asn.is_empty() { 252 | write!(f, " asn: {}", self.added.asn)?; 253 | } 254 | if !self.added.ipv4.is_empty() { 255 | write!(f, " ipv4: {}", self.added.ipv4())?; 256 | } 257 | if !self.added.ipv6.is_empty() { 258 | write!(f, " ipv6: {}", self.added.ipv6())?; 259 | } 260 | 261 | if !self.removed.is_empty() { 262 | write!(f, " ")?; 263 | } 264 | } 265 | if !self.removed.is_empty() { 266 | write!(f, "Removed:")?; 267 | 268 | if !self.removed.asn.is_empty() { 269 | write!(f, " asn: {}", self.removed.asn)?; 270 | } 271 | if !self.removed.ipv4.is_empty() { 272 | write!(f, " ipv4: {}", self.removed.ipv4())?; 273 | } 274 | if !self.removed.ipv6.is_empty() { 275 | write!(f, " ipv6: {}", self.removed.ipv6())?; 276 | } 277 | } 278 | 279 | Ok(()) 280 | } 281 | } 282 | 283 | //------------ InheritError -------------------------------------------------- 284 | 285 | #[derive(Clone, Debug)] 286 | pub struct InheritError; 287 | 288 | impl fmt::Display for InheritError { 289 | fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { 290 | write!(f, "cannot determine resources for certificate using inherit") 291 | } 292 | } 293 | 294 | impl std::error::Error for InheritError {} 295 | 296 | 297 | //------------ FromStrError -------------------------------------------------- 298 | 299 | #[derive(Clone, Debug, Eq, PartialEq)] 300 | pub enum FromStrError { 301 | Asn(String), 302 | Ipv4(String), 303 | Ipv6(String) 304 | } 305 | 306 | impl FromStrError { 307 | fn asn(e: super::asres::FromStrError) -> Self { 308 | FromStrError::Asn(e.to_string()) 309 | } 310 | 311 | fn ipv4(e: super::ipres::FromStrError) -> Self { 312 | FromStrError::Ipv4(e.to_string()) 313 | } 314 | 315 | fn ipv6(e: super::ipres::FromStrError) -> Self { 316 | FromStrError::Ipv6(e.to_string()) 317 | } 318 | } 319 | 320 | impl fmt::Display for FromStrError { 321 | fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { 322 | match self { 323 | FromStrError::Asn(e) 324 | => write!(f, "cannot parse ASN resources: {}", e), 325 | FromStrError::Ipv4(e) 326 | => write!(f, "cannot parse IPv4 resources: {}", e), 327 | FromStrError::Ipv6(e) 328 | => write!(f, "cannot parse IPv6 resources: {}", e), 329 | } 330 | } 331 | } 332 | 333 | impl std::error::Error for FromStrError {} 334 | 335 | 336 | //------------ Tests --------------------------------------------------------- 337 | 338 | #[cfg(test)] 339 | mod tests { 340 | 341 | use super::*; 342 | 343 | #[test] 344 | fn test_resource_set_intersection() { 345 | let child_resources = ResourceSet::from_strs("AS65000", "10.0.0.0/8", "fd00::/8").unwrap(); 346 | 347 | let parent_resources = ResourceSet::all(); 348 | 349 | let intersection = parent_resources.intersection(&child_resources); 350 | 351 | assert_eq!(intersection, child_resources); 352 | } 353 | 354 | #[test] 355 | fn resource_set_difference() { 356 | let set1_asns = "AS65000-AS65003, AS65005"; 357 | let set2_asns = "AS65000, AS65003, AS65005"; 358 | let asn_added = "AS65001-AS65002"; 359 | 360 | let set1_ipv4s = "10.0.0.0-10.4.5.6, 192.168.0.0"; 361 | let set2_ipv4s = "10.0.0.0/8, 192.168.0.0"; 362 | let ipv4_removed = "10.4.5.7-10.255.255.255"; 363 | 364 | let set1_ipv6s = "::1, 2001:db8::/32"; 365 | let set2_ipv6s = "::1, 2001:db8::/56"; 366 | let ipv6_added = "2001:db8:0:100::-2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"; 367 | 368 | let set1 = ResourceSet::from_strs(set1_asns, set1_ipv4s, set1_ipv6s).unwrap(); 369 | let set2 = ResourceSet::from_strs(set2_asns, set2_ipv4s, set2_ipv6s).unwrap(); 370 | 371 | let diff = set1.difference(&set2); 372 | 373 | let expected_diff = ResourceDiff { 374 | added: ResourceSet::from_strs(asn_added, "", ipv6_added).unwrap(), 375 | removed: ResourceSet::from_strs("", ipv4_removed, "").unwrap(), 376 | }; 377 | 378 | assert!(!diff.is_empty()); 379 | assert_eq!(expected_diff, diff); 380 | } 381 | 382 | #[test] 383 | fn resource_set_eq() { 384 | let asns = "AS65000-AS65003, AS65005"; 385 | let ipv4s = "10.0.0.0/8, 192.168.0.0"; 386 | let ipv6s = "::1, 2001:db8::/32"; 387 | 388 | let resource_set = ResourceSet::from_strs(asns, ipv4s, ipv6s).unwrap(); 389 | 390 | let asns_2 = "AS65000-AS65003"; 391 | let ipv4s_2 = "192.168.0.0"; 392 | let ipv6s_2 = "2001:db8::/32"; 393 | 394 | let resource_set_asn_differs = ResourceSet::from_strs(asns_2, ipv4s, ipv6s).unwrap(); 395 | let resource_set_v4_differs = ResourceSet::from_strs(asns, ipv4s_2, ipv6s).unwrap(); 396 | let resource_set_v6_differs = ResourceSet::from_strs(asns, ipv4s, ipv6s_2).unwrap(); 397 | let resource_set_2 = ResourceSet::from_strs(asns_2, ipv4s_2, ipv6s_2).unwrap(); 398 | 399 | assert_ne!(resource_set, resource_set_asn_differs); 400 | assert_ne!(resource_set, resource_set_v4_differs); 401 | assert_ne!(resource_set, resource_set_v6_differs); 402 | assert_ne!(resource_set, resource_set_2); 403 | 404 | let default_set = ResourceSet::default(); 405 | let certified = ResourceSet::from_strs( 406 | "", 407 | "10.0.0.0/16, 192.168.0.0/16", 408 | "2001:db8::/32, 2000:db8::/32", 409 | ) 410 | .unwrap(); 411 | assert_ne!(default_set, certified); 412 | assert_ne!(resource_set, certified); 413 | } 414 | 415 | #[test] 416 | fn resource_set_equivalent() { 417 | // Data may be unordered on input, or not use ranges etc. But 418 | // if the resources are the same then we should get equal 419 | // sets in the end. 420 | 421 | let asns_1 = "AS65000-AS65003, AS65005"; 422 | let ipv4_1 = "10.0.0.0/8, 192.168.0.0"; 423 | let ipv6_1 = "::1, 2001:db8::/32"; 424 | 425 | let asns_2 = "AS65005, AS65001-AS65003, AS65000"; 426 | let ipv4_2 = "192.168.0.0, 10.0.0.0/8, "; 427 | let ipv6_2 = "2001:db8::/32, ::1"; 428 | 429 | let set_1 = ResourceSet::from_strs(asns_1, ipv4_1, ipv6_1).unwrap(); 430 | let set_2 = ResourceSet::from_strs(asns_2, ipv4_2, ipv6_2).unwrap(); 431 | 432 | assert_eq!(set_1, set_2); 433 | } 434 | 435 | #[cfg(feature = "serde")] 436 | #[test] 437 | fn serialize_deserialize_resource_set() { 438 | let asns = "AS65000-AS65003, AS65005"; 439 | let ipv4s = "10.0.0.0/8, 192.168.0.0"; 440 | let ipv6s = "::1, 2001:db8::/32"; 441 | 442 | let set = ResourceSet::from_strs(asns, ipv4s, ipv6s).unwrap(); 443 | 444 | let json = serde_json::to_string(&set).unwrap(); 445 | let deser_set = serde_json::from_str(&json).unwrap(); 446 | 447 | assert_eq!(set, deser_set); 448 | } 449 | } 450 | -------------------------------------------------------------------------------- /src/repository/tal.rs: -------------------------------------------------------------------------------- 1 | //! Trust Anchor Locators 2 | 3 | use std::{fmt, str}; 4 | use std::cmp::Ordering; 5 | use std::convert::Infallible; 6 | use std::fs::{read_dir, DirEntry, File, ReadDir}; 7 | use std::io::{self, Read}; 8 | use std::path::Path; 9 | use std::sync::Arc; 10 | use bytes::Bytes; 11 | use bcder::decode; 12 | use bcder::decode::IntoSource; 13 | use log::{debug, error}; 14 | use crate::uri; 15 | use crate::crypto::PublicKey; 16 | use crate::util::base64; 17 | 18 | 19 | //------------ Tal ----------------------------------------------------------- 20 | 21 | #[derive(Clone, Debug)] 22 | pub struct Tal { 23 | uris: Vec, 24 | key_info: PublicKey, 25 | info: Arc, 26 | } 27 | 28 | impl Tal { 29 | pub fn read_dir>(path: P) -> Result { 30 | read_dir(path).map(TalIter) 31 | } 32 | 33 | pub fn read, R: Read>( 34 | path: P, 35 | reader: &mut R 36 | ) -> Result { 37 | Self::read_named( 38 | path.as_ref().file_stem() 39 | .expect("TAL path needs to have a file name") 40 | .to_string_lossy().into_owned(), 41 | reader 42 | ) 43 | } 44 | 45 | pub fn read_named( 46 | name: String, 47 | reader: &mut R 48 | ) -> Result { 49 | let mut data = Vec::new(); 50 | reader.read_to_end(&mut data)?; 51 | 52 | let mut data = data.as_slice(); 53 | let mut uris = Vec::new(); 54 | while let Some(&b'#') = data.first() { 55 | Self::skip_line(&mut data)?; 56 | } 57 | while let Some(uri) = Self::take_uri(&mut data)? { 58 | uris.push(uri) 59 | } 60 | let data: Vec<_> = data.iter().filter_map(|b| 61 | if b.is_ascii_whitespace() { None } 62 | else { Some(*b) } 63 | ).collect(); 64 | let key_info = base64::Xml.decode_bytes(&data)?; 65 | let key_info = PublicKey::decode(key_info.as_slice().into_source())?; 66 | Ok(Tal { 67 | uris, 68 | key_info, 69 | info: Arc::new(TalInfo::from_name(name)) 70 | }) 71 | } 72 | 73 | /// Reorders the TAL URIs placing HTTPS URIs first. 74 | /// 75 | /// The method keeps the order within each scheme. 76 | pub fn prefer_https(&mut self) { 77 | self.uris.sort_by(|left, right| { 78 | match (left.is_https(), right.is_https()) { 79 | (true, false) => Ordering::Less, 80 | (false, true) => Ordering::Greater, 81 | _ => Ordering::Equal 82 | } 83 | }) 84 | } 85 | 86 | fn skip_line(data: &mut &[u8]) -> Result<(), ReadError> { 87 | let mut split = data.splitn(2, |&ch| ch == b'\n'); 88 | let _ = split.next().ok_or(ReadError::UnexpectedEof)?; 89 | *data = split.next().ok_or(ReadError::UnexpectedEof)?; 90 | Ok(()) 91 | } 92 | 93 | fn take_uri(data: &mut &[u8]) -> Result, ReadError> { 94 | let mut split = data.splitn(2, |&ch| ch == b'\n'); 95 | let mut line = split.next().ok_or(ReadError::UnexpectedEof)?; 96 | *data = split.next().ok_or(ReadError::UnexpectedEof)?; 97 | if line.ends_with(b"\r") { 98 | line = line.split_last().unwrap().1; 99 | } 100 | if line.is_empty() { 101 | Ok(None) 102 | } 103 | else { 104 | Ok(Some(TalUri::from_slice(line)?)) 105 | } 106 | } 107 | } 108 | 109 | impl Tal { 110 | pub fn uris(&self) -> ::std::slice::Iter { 111 | self.uris.iter() 112 | } 113 | 114 | pub fn key_info(&self) -> &PublicKey { 115 | &self.key_info 116 | } 117 | 118 | pub fn info(&self) -> &Arc { 119 | &self.info 120 | } 121 | } 122 | 123 | 124 | //------------ TalIter ------------------------------------------------------- 125 | 126 | pub struct TalIter(ReadDir); 127 | 128 | impl Iterator for TalIter { 129 | type Item = Result; 130 | 131 | fn next(&mut self) -> Option { 132 | loop { 133 | match self.0.next() { 134 | Some(Ok(entry)) => { 135 | match next_entry(&entry) { 136 | Ok(Some(res)) => return Some(Ok(res)), 137 | Ok(None) => { }, 138 | Err(err) => { 139 | error!("Bad trust anchor {}", err); 140 | return Some(Err(err)) 141 | } 142 | } 143 | } 144 | Some(Err(err)) => return Some(Err(err.into())), 145 | None => return None 146 | }; 147 | } 148 | } 149 | } 150 | 151 | fn next_entry(entry: &DirEntry) -> Result, ReadError> { 152 | if !entry.file_type()?.is_file() { 153 | return Ok(None) 154 | } 155 | let path = entry.path(); 156 | debug!("Processing TAL {}", path.display()); 157 | Tal::read(&path, &mut File::open(&path)?).map(Some) 158 | } 159 | 160 | 161 | //------------ TalUri -------------------------------------------------------- 162 | 163 | #[derive(Clone, Debug, Eq, Hash, PartialEq)] 164 | #[cfg_attr(feature = "serde", derive(serde::Serialize, serde::Deserialize))] 165 | pub enum TalUri { 166 | Rsync(uri::Rsync), 167 | Https(uri::Https), 168 | } 169 | 170 | impl TalUri { 171 | pub fn from_string(s: String) -> Result { 172 | Self::from_bytes(Bytes::from(s)) 173 | } 174 | 175 | pub fn from_slice(slice: &[u8]) -> Result { 176 | Self::from_bytes(Bytes::copy_from_slice(slice)) 177 | } 178 | 179 | pub fn from_bytes(bytes: Bytes) -> Result { 180 | if let Ok(uri) = uri::Rsync::from_bytes(bytes.clone()) { 181 | return Ok(TalUri::Rsync(uri)) 182 | } 183 | uri::Https::from_bytes(bytes).map(Into::into) 184 | } 185 | 186 | pub fn is_rsync(&self) -> bool { 187 | matches!(*self, TalUri::Rsync(_)) 188 | } 189 | 190 | pub fn is_https(&self) -> bool { 191 | matches!(*self, TalUri::Https(_)) 192 | } 193 | 194 | pub fn as_str(&self) -> &str { 195 | match *self { 196 | TalUri::Rsync(ref inner) => inner.as_str(), 197 | TalUri::Https(ref inner) => inner.as_str(), 198 | } 199 | } 200 | } 201 | 202 | 203 | //--- From 204 | 205 | impl From for TalUri { 206 | fn from(uri: uri::Rsync) -> Self { 207 | TalUri::Rsync(uri) 208 | } 209 | } 210 | 211 | impl From for TalUri { 212 | fn from(uri: uri::Https) -> Self { 213 | TalUri::Https(uri) 214 | } 215 | } 216 | 217 | 218 | //--- TryFrom and FromStr 219 | 220 | impl TryFrom for TalUri { 221 | type Error = uri::Error; 222 | 223 | fn try_from(s: String) -> Result { 224 | Self::from_string(s) 225 | } 226 | } 227 | 228 | impl str::FromStr for TalUri { 229 | type Err = uri::Error; 230 | 231 | fn from_str(s: &str) -> Result { 232 | Self::from_bytes(Bytes::copy_from_slice(s.as_ref())) 233 | } 234 | } 235 | 236 | 237 | //--- Display 238 | 239 | impl fmt::Display for TalUri { 240 | fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { 241 | match *self { 242 | TalUri::Rsync(ref uri) => uri.fmt(f), 243 | TalUri::Https(ref uri) => uri.fmt(f) 244 | } 245 | } 246 | } 247 | 248 | 249 | //------------ TalInfo ------------------------------------------------------- 250 | 251 | #[derive(Clone, Debug)] 252 | #[cfg_attr(feature = "arbitrary", derive(arbitrary::Arbitrary))] 253 | pub struct TalInfo { 254 | name: String, 255 | } 256 | 257 | impl TalInfo { 258 | pub fn from_name(name: String) -> Self { 259 | TalInfo { name } 260 | } 261 | 262 | pub fn into_arc(self) -> Arc { 263 | Arc::new(self) 264 | } 265 | 266 | pub fn name(&self) -> &str { 267 | self.name.as_ref() 268 | } 269 | } 270 | 271 | 272 | //------------ ReadError ----------------------------------------------------- 273 | 274 | #[derive(Debug)] 275 | pub enum ReadError { 276 | Io(io::Error), 277 | UnexpectedEof, 278 | BadUri(uri::Error), 279 | BadKeyInfoEncoding(base64::XmlDecodeError), 280 | BadKeyInfo(decode::DecodeError), 281 | } 282 | 283 | impl From for ReadError { 284 | fn from(err: io::Error) -> ReadError { 285 | ReadError::Io(err) 286 | } 287 | } 288 | 289 | impl From for ReadError { 290 | fn from(err: uri::Error) -> ReadError { 291 | ReadError::BadUri(err) 292 | } 293 | } 294 | 295 | impl From for ReadError { 296 | fn from(err: base64::XmlDecodeError) -> ReadError { 297 | ReadError::BadKeyInfoEncoding(err) 298 | } 299 | } 300 | 301 | impl From> for ReadError { 302 | fn from(err: decode::DecodeError) -> ReadError { 303 | ReadError::BadKeyInfo(err) 304 | } 305 | } 306 | 307 | impl fmt::Display for ReadError { 308 | fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { 309 | match *self { 310 | ReadError::Io(ref err) => err.fmt(f), 311 | ReadError::UnexpectedEof 312 | => f.write_str("unexpected end of file"), 313 | ReadError::BadUri(ref err) 314 | => write!(f, "bad trust anchor URI: {}", err), 315 | ReadError::BadKeyInfoEncoding(ref err) 316 | => write!(f, "bad key info: {}", err), 317 | ReadError::BadKeyInfo(ref err) 318 | => write!(f, "bad key info: {}", err), 319 | } 320 | } 321 | } 322 | 323 | 324 | //============ Testing ======================================================= 325 | 326 | #[cfg(test)] 327 | mod test { 328 | use crate::repository::cert::Cert; 329 | use super::*; 330 | 331 | #[test] 332 | fn tal_read() { 333 | let tal = include_bytes!("../../test-data/repository/ripe.tal"); 334 | let tal = Tal::read("ripe.tal", &mut tal.as_ref()).unwrap(); 335 | let cert = Cert::decode(Bytes::from_static( 336 | include_bytes!("../../test-data/repository/ta.cer") 337 | )).unwrap(); 338 | assert_eq!( 339 | tal.key_info(), 340 | cert.subject_public_key_info(), 341 | ); 342 | } 343 | 344 | #[test] 345 | fn prefer_https() { 346 | let tal = include_bytes!("../../test-data/repository/ripe.tal"); 347 | let mut tal = Tal::read("ripe.tal", &mut tal.as_ref()).unwrap(); 348 | tal.uris = vec![ 349 | TalUri::from_slice(b"rsync://a.example.com/1/1").unwrap(), 350 | TalUri::from_slice(b"https://d.example.com/1/1").unwrap(), 351 | TalUri::from_slice(b"rsync://k.example.com/2/1").unwrap(), 352 | TalUri::from_slice(b"https://2.example.com/2/1").unwrap(), 353 | TalUri::from_slice(b"https://i.example.com/3/1").unwrap(), 354 | TalUri::from_slice(b"rsync://g.example.com/3/1").unwrap(), 355 | TalUri::from_slice(b"https://r.example.com/4/1").unwrap(), 356 | ]; 357 | tal.prefer_https(); 358 | 359 | assert_eq!( 360 | tal.uris, 361 | vec![ 362 | TalUri::from_slice(b"https://d.example.com/1/1").unwrap(), 363 | TalUri::from_slice(b"https://2.example.com/2/1").unwrap(), 364 | TalUri::from_slice(b"https://i.example.com/3/1").unwrap(), 365 | TalUri::from_slice(b"https://r.example.com/4/1").unwrap(), 366 | TalUri::from_slice(b"rsync://a.example.com/1/1").unwrap(), 367 | TalUri::from_slice(b"rsync://k.example.com/2/1").unwrap(), 368 | TalUri::from_slice(b"rsync://g.example.com/3/1").unwrap(), 369 | ] 370 | ); 371 | } 372 | } 373 | -------------------------------------------------------------------------------- /src/resources/mod.rs: -------------------------------------------------------------------------------- 1 | //! Types for AS and IP adress resources. 2 | //! 3 | //! This module cotains the basic types for representing resources protected 4 | //! by RPKI: [`Asn`] for autonomous system numbers, [`Prefix`] for IP address 5 | //! prefixes, and [`MaxLenPrefix`] for prefixes with a prefix length range. 6 | 7 | pub use self::addr::{MaxLenPrefix, Prefix}; 8 | pub use self::asn::{Asn, SmallAsnSet}; 9 | 10 | pub mod addr; 11 | pub mod asn; 12 | -------------------------------------------------------------------------------- /src/rtr/mod.rs: -------------------------------------------------------------------------------- 1 | //! RTR: the RPKI to Router Protocol. 2 | //! 3 | //! RPKI, the Resource Public Key Infrastructure, is a distributed database of 4 | //! signed statements by entities that participate in Internet routing. A 5 | //! typical setup to facilitate this information when making routing decisions 6 | //! first collects and validates all statements into something called a 7 | //! _local cache_ and distributes validated and normalized information from 8 | //! the cache to the actual routers or route servers. The standardized 9 | //! protocol for this distribution is the RPKI to Router Protocol or RTR for 10 | //! short. 11 | //! 12 | //! This crate implements both the server and client side of RTR. Both of 13 | //! these are built atop [Tokio]. They are generic over the concrete socket 14 | //! type and can thus be used with different transports. They also are generic 15 | //! over a type that provides or consumes the data. For more details, see the 16 | //! [`Server`] and [`Client`] types. 17 | //! 18 | //! The crate implements both versions 0 and 1 of the protocol. It does not, 19 | //! currently, support router keys, though. 20 | //! 21 | //! You can read more about RPKI in [RFC 6480]. RTR is currently specified in 22 | //! [RFC 8210]. 23 | //! 24 | //! [`Client`]: client::Client 25 | //! [`Server`]: server::Server 26 | //! [Tokio]: https://crates.io/crates/tokio 27 | //! [RFC 6480]: https://tools.ietf.org/html/rfc6480 28 | //! [RFC 8210]: https://tools.ietf.org/html/rfc8210 29 | 30 | #![cfg(feature = "rtr")] 31 | 32 | pub use self::client::Client; 33 | pub use self::payload::{Action, Payload, PayloadRef, PayloadType, Timing}; 34 | pub use self::server::Server; 35 | pub use self::state::{State, Serial}; 36 | 37 | pub mod client; 38 | pub mod payload; 39 | pub mod state; 40 | pub mod server; 41 | 42 | pub mod pdu; 43 | -------------------------------------------------------------------------------- /src/rtr/payload.rs: -------------------------------------------------------------------------------- 1 | //! The data being transmitted via RTR. 2 | //! 3 | //! The types in here provide a more compact representation than the PDUs. 4 | //! They also implement all the traits to use them as keys in collections to 5 | //! be able to perform difference processing. 6 | //! 7 | //! The types are currently not very rich. They will receive more methods as 8 | //! they become necessary. So don’t hesitate to ask for them! 9 | 10 | use std::{fmt, hash}; 11 | use std::cmp::Ordering; 12 | use std::time::Duration; 13 | use crate::crypto::keys::KeyIdentifier; 14 | use crate::resources::addr::MaxLenPrefix; 15 | use crate::resources::asn::Asn; 16 | use super::pdu::{ProviderAsns, RouterKeyInfo}; 17 | 18 | 19 | //------------ RouteOrigin --------------------------------------------------- 20 | 21 | /// A route origin authorization. 22 | /// 23 | /// Values of this type authorize the autonomous system given in the `asn` 24 | /// field to routes for the IP address prefixes given in the `prefix` field. 25 | /// 26 | /// The type includes authorizations for both IPv4 and IPv6 prefixes which 27 | /// are separate payload types in RTR. 28 | #[derive(Clone, Copy, Debug)] 29 | #[cfg_attr(feature = "arbitrary", derive(arbitrary::Arbitrary))] 30 | pub struct RouteOrigin { 31 | /// The address prefix to authorize. 32 | pub prefix: MaxLenPrefix, 33 | 34 | /// The autonomous system allowed to announce the prefixes. 35 | pub asn: Asn, 36 | } 37 | 38 | impl RouteOrigin { 39 | /// Creates a new value from a prefix and an ASN. 40 | pub fn new(prefix: MaxLenPrefix, asn: Asn) -> Self { 41 | RouteOrigin { prefix, asn } 42 | } 43 | 44 | /// Returns whether this is an IPv4 origin. 45 | pub fn is_v4(self) -> bool { 46 | self.prefix.prefix().is_v4() 47 | } 48 | } 49 | 50 | 51 | //--- PartialEq and Eq 52 | impl PartialEq for RouteOrigin { 53 | fn eq(&self, other: &Self) -> bool { 54 | self.prefix.prefix() == other.prefix.prefix() 55 | && self.prefix.resolved_max_len() == other.prefix.resolved_max_len() 56 | && self.asn == other.asn 57 | } 58 | } 59 | 60 | impl Eq for RouteOrigin { } 61 | 62 | 63 | //--- PartialOrd and Ord 64 | 65 | impl PartialOrd for RouteOrigin { 66 | fn partial_cmp(&self, other: &Self) -> Option { 67 | Some(self.cmp(other)) 68 | } 69 | } 70 | 71 | impl Ord for RouteOrigin { 72 | fn cmp(&self, other: &Self) -> Ordering { 73 | match self.prefix.prefix().cmp(&other.prefix.prefix()) { 74 | Ordering::Equal => { } 75 | other => return other 76 | } 77 | match self.prefix.resolved_max_len().cmp( 78 | &other.prefix.resolved_max_len() 79 | ) { 80 | Ordering::Equal => { } 81 | other => return other 82 | } 83 | self.asn.cmp(&other.asn) 84 | } 85 | } 86 | 87 | 88 | //--- Hash 89 | 90 | impl hash::Hash for RouteOrigin { 91 | fn hash(&self, state: &mut H) { 92 | self.prefix.prefix().hash(state); 93 | self.prefix.resolved_max_len().hash(state); 94 | self.asn.hash(state); 95 | } 96 | } 97 | 98 | 99 | //------------ RouterKey ----------------------------------------------------- 100 | 101 | /// A BGPsec router key. 102 | #[derive(Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)] 103 | #[cfg_attr(feature = "arbitrary", derive(arbitrary::Arbitrary))] 104 | pub struct RouterKey { 105 | /// The subject key identifier of the router key. 106 | pub key_identifier: KeyIdentifier, 107 | 108 | /// The autonomous system authorized to use the key. 109 | pub asn: Asn, 110 | 111 | /// The actual key. 112 | pub key_info: RouterKeyInfo, 113 | } 114 | 115 | impl RouterKey { 116 | /// Creates a new value from the various components. 117 | pub fn new( 118 | key_identifier: KeyIdentifier, asn: Asn, key_info: RouterKeyInfo 119 | ) -> Self { 120 | RouterKey { key_identifier, asn, key_info } 121 | } 122 | } 123 | 124 | 125 | //------------ Aspa ---------------------------------------------------------- 126 | 127 | /// An ASPA ... unit. 128 | #[derive(Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)] 129 | #[cfg_attr(feature = "arbitrary", derive(arbitrary::Arbitrary))] 130 | pub struct Aspa { 131 | /// The customer ASN. 132 | pub customer: Asn, 133 | 134 | /// The provider ASNs. 135 | pub providers: ProviderAsns, 136 | } 137 | 138 | impl Aspa { 139 | /// Creates a new ASPA unit from its components. 140 | pub fn new( 141 | customer: Asn, providers: ProviderAsns, 142 | ) -> Self { 143 | Self { customer, providers } 144 | } 145 | 146 | /// Returns the ‘key’ of the ASPA. 147 | pub fn key(&self) -> Asn { 148 | self.customer 149 | } 150 | 151 | /// Returns a new ASPA with an empty provider set. 152 | pub fn withdraw(&self) -> Self { 153 | Self::new(self.customer, ProviderAsns::empty()) 154 | } 155 | } 156 | 157 | 158 | //------------ PayloadType --------------------------------------------------- 159 | 160 | /// The type of a payload item. 161 | #[derive(Clone, Copy, Debug, Eq, PartialEq)] 162 | #[cfg_attr(feature = "arbitrary", derive(arbitrary::Arbitrary))] 163 | pub enum PayloadType { 164 | Origin, 165 | RouterKey, 166 | Aspa 167 | } 168 | 169 | 170 | //------------ Payload ------------------------------------------------------- 171 | 172 | /// All payload types supported by RTR and this crate. 173 | #[derive(Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)] 174 | #[cfg_attr(feature = "arbitrary", derive(arbitrary::Arbitrary))] 175 | pub enum Payload { 176 | /// A route origin authorisation. 177 | Origin(RouteOrigin), 178 | 179 | /// A BGPsec router key. 180 | RouterKey(RouterKey), 181 | 182 | /// An ASPA unit. 183 | Aspa(Aspa), 184 | } 185 | 186 | impl Payload { 187 | /// Creates a new prefix origin payload. 188 | pub fn origin(prefix: MaxLenPrefix, asn: Asn) -> Self { 189 | Payload::Origin(RouteOrigin::new(prefix, asn)) 190 | } 191 | 192 | /// Creates a new router key payload. 193 | pub fn router_key( 194 | key_identifier: KeyIdentifier, asn: Asn, key_info: RouterKeyInfo 195 | ) -> Self { 196 | Payload::RouterKey(RouterKey::new(key_identifier, asn, key_info)) 197 | } 198 | 199 | /// Creates a new ASPA unit. 200 | pub fn aspa( 201 | customer: Asn, providers: ProviderAsns, 202 | ) -> Self { 203 | Payload::Aspa(Aspa::new(customer, providers)) 204 | } 205 | 206 | /// Converts a reference to payload into a payload reference. 207 | pub fn as_ref(&self) -> PayloadRef { 208 | match self { 209 | Payload::Origin(origin) => PayloadRef::Origin(*origin), 210 | Payload::RouterKey(key) => PayloadRef::RouterKey(key), 211 | Payload::Aspa(aspa) => PayloadRef::Aspa(aspa), 212 | } 213 | } 214 | 215 | /// Returns the payload type of the value. 216 | pub fn payload_type(&self) -> PayloadType { 217 | match self { 218 | Payload::Origin(_) => PayloadType::Origin, 219 | Payload::RouterKey(_) => PayloadType::RouterKey, 220 | Payload::Aspa(_) => PayloadType::Aspa, 221 | } 222 | } 223 | 224 | /// Returns the origin prefix if the value is of the origin variant. 225 | pub fn to_origin(&self) -> Option { 226 | match *self { 227 | Payload::Origin(origin) => Some(origin), 228 | _ => None 229 | } 230 | } 231 | 232 | /// Returns the router key if the value is of the router key variant. 233 | pub fn as_router_key(&self) -> Option<&RouterKey> { 234 | match *self { 235 | Payload::RouterKey(ref key) => Some(key), 236 | _ => None 237 | } 238 | } 239 | 240 | /// Returns the ASPA unit if the value is of the ASPA variant. 241 | pub fn as_aspa(&self) -> Option<&Aspa> { 242 | match *self { 243 | Payload::Aspa(ref aspa) => Some(aspa), 244 | _ => None 245 | } 246 | } 247 | } 248 | 249 | 250 | //--- From 251 | 252 | impl From for Payload { 253 | fn from(src: RouteOrigin) -> Self { 254 | Payload::Origin(src) 255 | } 256 | } 257 | 258 | impl From for Payload { 259 | fn from(src: RouterKey) -> Self { 260 | Payload::RouterKey(src) 261 | } 262 | } 263 | 264 | impl From for Payload { 265 | fn from(src: Aspa) -> Self { 266 | Payload::Aspa(src) 267 | } 268 | } 269 | 270 | 271 | //------------ PayloadRef ---------------------------------------------------- 272 | 273 | /// All payload types but as references. 274 | #[derive(Clone, Copy, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)] 275 | pub enum PayloadRef<'a> { 276 | /// A route origin authorisation. 277 | /// 278 | /// This isn’t a reference because it is `Copy`. 279 | Origin(RouteOrigin), 280 | 281 | /// A BGPsec router key. 282 | RouterKey(&'a RouterKey), 283 | 284 | /// An ASPA unit. 285 | Aspa(&'a Aspa), 286 | } 287 | 288 | //--- From 289 | 290 | impl From for PayloadRef<'_> { 291 | fn from(src: RouteOrigin) -> Self { 292 | PayloadRef::Origin(src) 293 | } 294 | } 295 | 296 | impl<'a> From<&'a RouteOrigin> for PayloadRef<'a> { 297 | fn from(src: &'a RouteOrigin) -> Self { 298 | PayloadRef::Origin(*src) 299 | } 300 | } 301 | 302 | impl<'a> From<&'a RouterKey> for PayloadRef<'a> { 303 | fn from(src: &'a RouterKey) -> Self { 304 | PayloadRef::RouterKey(src) 305 | } 306 | } 307 | 308 | impl<'a> From<&'a Aspa> for PayloadRef<'a> { 309 | fn from(src: &'a Aspa) -> Self { 310 | PayloadRef::Aspa(src) 311 | } 312 | } 313 | 314 | 315 | //------------ Action -------------------------------------------------------- 316 | 317 | /// What to do with a given payload. 318 | #[derive(Clone, Copy, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)] 319 | #[cfg_attr(feature = "arbitrary", derive(arbitrary::Arbitrary))] 320 | pub enum Action { 321 | /// Announce the payload. 322 | /// 323 | /// In other words, add the payload to your set of VRPs. 324 | Announce, 325 | 326 | /// Withdraw the payload. 327 | /// In other words, remove the payload from your set of VRPs. 328 | Withdraw, 329 | } 330 | 331 | impl Action { 332 | /// Returns whether the action is to announce. 333 | pub fn is_announce(self) -> bool { 334 | matches!(self, Action::Announce) 335 | } 336 | 337 | /// Returns whether the action is to withdraw. 338 | pub fn is_withdraw(self) -> bool { 339 | matches!(self, Action::Withdraw) 340 | } 341 | 342 | /// Creates the action from the flags field of an RTR PDU. 343 | pub fn from_flags(flags: u8) -> Self { 344 | if flags & 1 == 1 { 345 | Action::Announce 346 | } 347 | else { 348 | Action::Withdraw 349 | } 350 | } 351 | 352 | /// Converts the action into the flags field of an RTR PDU. 353 | pub fn into_flags(self) -> u8 { 354 | match self { 355 | Action::Announce => 1, 356 | Action::Withdraw => 0 357 | } 358 | } 359 | } 360 | 361 | 362 | //------------ Afi ----------------------------------------------------------- 363 | 364 | /// The RTR representation of an address family. 365 | #[derive(Clone, Copy, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)] 366 | pub struct Afi(u8); 367 | 368 | impl Afi { 369 | pub fn ipv4() -> Self { 370 | Self(0) 371 | } 372 | 373 | pub fn ipv6() -> Self { 374 | Self(1) 375 | } 376 | 377 | pub fn is_ipv4(self) -> bool { 378 | self.0 & 0x01 == 0 379 | } 380 | 381 | pub fn is_ipv6(self) -> bool { 382 | self.0 & 0x01 == 1 383 | } 384 | 385 | pub fn into_u8(self) -> u8 { 386 | self.0 387 | } 388 | 389 | pub fn from_u8(src: u8) -> Self { 390 | Self(src) 391 | } 392 | } 393 | 394 | impl fmt::Display for Afi { 395 | fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { 396 | if self.is_ipv4() { 397 | f.write_str("ipv4") 398 | } 399 | else { 400 | f.write_str("ipv6") 401 | } 402 | } 403 | } 404 | 405 | #[cfg(feature = "arbitrary")] 406 | impl<'a> arbitrary::Arbitrary<'a> for Afi { 407 | fn arbitrary( 408 | u: &mut arbitrary::Unstructured<'a> 409 | ) -> arbitrary::Result { 410 | bool::arbitrary(u).map(|val| { 411 | if val { 412 | Self::ipv4() 413 | } 414 | else { 415 | Self::ipv6() 416 | } 417 | }) 418 | } 419 | } 420 | 421 | 422 | //------------ Timing -------------------------------------------------------- 423 | 424 | /// The timing parameters of a data exchange. 425 | /// 426 | /// These three values are included in the end-of-data PDU of version 1 427 | /// onwards. 428 | #[derive(Clone, Copy, Debug)] 429 | pub struct Timing { 430 | /// The number of seconds until a client should refresh its data. 431 | pub refresh: u32, 432 | 433 | /// The number of seconds a client whould wait before retrying to connect. 434 | pub retry: u32, 435 | 436 | /// The number of secionds before data expires if not refreshed. 437 | pub expire: u32 438 | } 439 | 440 | impl Timing { 441 | pub fn refresh_duration(self) -> Duration { 442 | Duration::from_secs(u64::from(self.refresh)) 443 | } 444 | } 445 | 446 | impl Default for Timing { 447 | fn default() -> Self { 448 | Timing { 449 | refresh: 3600, 450 | retry: 600, 451 | expire: 7200 452 | } 453 | } 454 | } 455 | 456 | -------------------------------------------------------------------------------- /src/rtr/state.rs: -------------------------------------------------------------------------------- 1 | //! Session state. 2 | //! 3 | //! This module defines the types to remember that state of a session with a 4 | //! particular RTR server. The complete state, encapsulated in the type 5 | //! [`State`] consists of a sixteen bit session id and a serial number. Since 6 | //! the serial number follows special rules, it has its own type [`Serial`]. 7 | 8 | use std::{cmp, fmt, hash, str}; 9 | use std::time::SystemTime; 10 | 11 | 12 | //------------ State --------------------------------------------------------- 13 | 14 | /// The RTR session state. 15 | /// 16 | /// This state consists of a session ID describing a continuous session with 17 | /// the same evolving data set a server is running and a serial number that 18 | /// describes a particular version of this set. 19 | /// 20 | /// Both a session ID and an initial serial number are chosen when a new 21 | /// session is started. Whenever data is being updated, the serial number is 22 | /// increased by one. 23 | /// 24 | /// This type contains both these values. You can create the state values for 25 | /// a new session with [`new`] and increase the serial number with [`inc`]. 26 | /// 27 | /// [`new`]: #method.new 28 | /// [`inc`]: #method.inc 29 | #[derive(Clone, Copy, Debug)] 30 | #[cfg_attr(feature = "arbitrary", derive(arbitrary::Arbitrary))] 31 | pub struct State { 32 | session: u16, 33 | serial: Serial 34 | } 35 | 36 | impl State { 37 | /// Creates a state value for a new session. 38 | /// 39 | /// This will pick a session ID based on the lower 16 bit of the current 40 | /// Unix time and an initial serial of 0. If you want to choose a 41 | /// different starting serial, you can use [`new_with_serial`] instead. 42 | /// 43 | /// [`new_with_serial`]: #method.new_with_serial 44 | pub fn new() -> Self { 45 | Self::new_with_serial(0.into()) 46 | } 47 | 48 | /// Creates a state value with a given initial serial number. 49 | /// 50 | /// The function will use a session ID based on the lower 16 bit of the 51 | /// current time and an initial serial of `serial`. 52 | pub fn new_with_serial(serial: Serial) -> Self { 53 | State { 54 | session: { 55 | SystemTime::now() 56 | .duration_since(SystemTime::UNIX_EPOCH).unwrap() 57 | .as_secs() as u16 58 | }, 59 | serial 60 | } 61 | } 62 | 63 | /// Creates a new state value from its components. 64 | pub const fn from_parts(session: u16, serial: Serial) -> Self { 65 | State { session, serial } 66 | } 67 | 68 | /// Increases the serial number by one. 69 | /// 70 | /// Serial number may wrap but that’s totally fine. See [`Serial`] for 71 | /// more details. 72 | pub fn inc(&mut self) { 73 | self.serial = self.serial.add(1) 74 | } 75 | 76 | /// Returns the session ID. 77 | pub fn session(self) -> u16 { 78 | self.session 79 | } 80 | 81 | /// Returns the serial number. 82 | pub fn serial(self) -> Serial { 83 | self.serial 84 | } 85 | } 86 | 87 | impl Default for State { 88 | fn default() -> Self { 89 | Self::new() 90 | } 91 | } 92 | 93 | 94 | //------------ Serial -------------------------------------------------------- 95 | 96 | /// A serial number. 97 | /// 98 | /// Serial numbers are regular integers with a special notion for comparison 99 | /// in order to be able to deal with roll-over. 100 | /// 101 | /// Specifically, addition and comparison are defined in [RFC 1982]. 102 | /// Addition, however, is only defined for values up to `2^31 - 1`, so we 103 | /// decided to not implement the `Add` trait but rather have a dedicated 104 | /// method `add` so as to not cause surprise panics. 105 | /// 106 | /// Serial numbers only implement a partial ordering. That is, there are 107 | /// pairs of values that are not equal but there still isn’t one value larger 108 | /// than the other. Since this is neatly implemented by the `PartialOrd` 109 | /// trait, the type implements that. 110 | /// 111 | /// [RFC 1982]: https://tools.ietf.org/html/rfc1982 112 | #[derive(Clone, Copy, Debug)] 113 | #[cfg_attr(feature = "arbitrary", derive(arbitrary::Arbitrary))] 114 | pub struct Serial(pub u32); 115 | 116 | impl Serial { 117 | pub const fn from_be(value: u32) -> Self { 118 | Serial(u32::from_be(value)) 119 | } 120 | 121 | pub const fn to_be(self) -> u32 { 122 | self.0.to_be() 123 | } 124 | 125 | /// Add `other` to `self`. 126 | /// 127 | /// Serial numbers only allow values of up to `2^31 - 1` to be added to 128 | /// them. Therefore, this method requires `other` to be a `u32` instead 129 | /// of a `Serial` to indicate that you cannot simply add two serials 130 | /// together. This is also why we don’t implement the `Add` trait. 131 | /// 132 | /// # Panics 133 | /// 134 | /// This method panics if `other` is greater than `2^31 - 1`. 135 | #[allow(clippy::should_implement_trait)] 136 | pub fn add(self, other: u32) -> Self { 137 | assert!(other <= 0x7FFF_FFFF); 138 | Serial(self.0.wrapping_add(other)) 139 | } 140 | } 141 | 142 | 143 | //--- Default 144 | 145 | impl Default for Serial { 146 | fn default() -> Self { 147 | Self::from(0) 148 | } 149 | } 150 | 151 | 152 | //--- From and FromStr 153 | 154 | impl From for Serial { 155 | fn from(value: u32) -> Serial { 156 | Serial(value) 157 | } 158 | } 159 | 160 | impl From for u32 { 161 | fn from(serial: Serial) -> u32 { 162 | serial.0 163 | } 164 | } 165 | 166 | impl str::FromStr for Serial { 167 | type Err = ::Err; 168 | 169 | fn from_str(s: &str) -> Result { 170 | ::from_str(s).map(Into::into) 171 | } 172 | } 173 | 174 | 175 | //--- Display 176 | 177 | impl fmt::Display for Serial { 178 | fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { 179 | write!(f, "{}", self.0) 180 | } 181 | } 182 | 183 | 184 | //--- PartialEq and Eq 185 | 186 | impl PartialEq for Serial { 187 | fn eq(&self, other: &Self) -> bool { 188 | self.0 == other.0 189 | } 190 | } 191 | 192 | impl PartialEq for Serial { 193 | fn eq(&self, other: &u32) -> bool { 194 | self.0.eq(other) 195 | } 196 | } 197 | 198 | impl Eq for Serial { } 199 | 200 | 201 | //--- PartialOrd 202 | 203 | impl cmp::PartialOrd for Serial { 204 | fn partial_cmp(&self, other: &Serial) -> Option { 205 | match self.0.cmp(&other.0) { 206 | cmp::Ordering::Equal => Some(cmp::Ordering::Equal), 207 | cmp::Ordering::Less => { 208 | let sub = other.0 - self.0; 209 | match sub.cmp(&0x8000_0000) { 210 | cmp::Ordering::Less => Some(cmp::Ordering::Less), 211 | cmp::Ordering::Greater => Some(cmp::Ordering::Greater), 212 | _ => None 213 | } 214 | }, 215 | cmp::Ordering::Greater => { 216 | let sub = self.0 - other.0; 217 | match sub.cmp(&0x8000_0000) { 218 | cmp::Ordering::Less => Some(cmp::Ordering::Greater), 219 | cmp::Ordering::Greater => Some(cmp::Ordering::Less), 220 | _ => None 221 | } 222 | } 223 | } 224 | } 225 | } 226 | 227 | 228 | //--- Hash 229 | 230 | impl hash::Hash for Serial { 231 | fn hash(&self, state: &mut H) { 232 | self.0.hash(state) 233 | } 234 | } 235 | 236 | 237 | //============ Testing ======================================================= 238 | 239 | #[cfg(test)] 240 | mod test { 241 | use super::*; 242 | 243 | #[test] 244 | fn good_addition() { 245 | assert_eq!(Serial(0).add(4), Serial(4)); 246 | assert_eq!(Serial(0xFF00_0000).add(0x0F00_0000), 247 | Serial(((0xFF00_0000u64 + 0x0F00_0000u64) 248 | % 0x1_0000_0000) as u32)); 249 | } 250 | 251 | #[test] 252 | #[should_panic] 253 | fn bad_addition() { 254 | let _ = Serial(0).add(0x8000_0000); 255 | } 256 | 257 | #[test] 258 | fn comparison() { 259 | use std::cmp::Ordering::*; 260 | 261 | assert_eq!(Serial(12), Serial(12)); 262 | assert_ne!(Serial(12), Serial(112)); 263 | 264 | assert_eq!(Serial(12).partial_cmp(&Serial(12)), Some(Equal)); 265 | 266 | // s1 is said to be less than s2 if [...] 267 | // (i1 < i2 and i2 - i1 < 2^(SERIAL_BITS - 1)) 268 | assert_eq!(Serial(12).partial_cmp(&Serial(13)), Some(Less)); 269 | assert_ne!(Serial(12).partial_cmp(&Serial(3_000_000_012)), Some(Less)); 270 | 271 | // or (i1 > i2 and i1 - i2 > 2^(SERIAL_BITS - 1)) 272 | assert_eq!(Serial(3_000_000_012).partial_cmp(&Serial(12)), Some(Less)); 273 | assert_ne!(Serial(13).partial_cmp(&Serial(12)), Some(Less)); 274 | 275 | // s1 is said to be greater than s2 if [...] 276 | // (i1 < i2 and i2 - i1 > 2^(SERIAL_BITS - 1)) 277 | assert_eq!(Serial(12).partial_cmp(&Serial(3_000_000_012)), 278 | Some(Greater)); 279 | assert_ne!(Serial(12).partial_cmp(&Serial(13)), Some(Greater)); 280 | 281 | // (i1 > i2 and i1 - i2 < 2^(SERIAL_BITS - 1)) 282 | assert_eq!(Serial(13).partial_cmp(&Serial(12)), Some(Greater)); 283 | assert_ne!(Serial(3_000_000_012).partial_cmp(&Serial(12)), 284 | Some(Greater)); 285 | 286 | // Er, I think that’s what’s left. 287 | assert_eq!(Serial(1).partial_cmp(&Serial(0x8000_0001)), None); 288 | assert_eq!(Serial(0x8000_0001).partial_cmp(&Serial(1)), None); 289 | } 290 | } 291 | 292 | -------------------------------------------------------------------------------- /src/util/base64.rs: -------------------------------------------------------------------------------- 1 | //! Handling of Base 64-encoded data. 2 | //! 3 | //! This module provides various methods for decoding and encoding data in 4 | //! Base 64. Because there are different dialects of Base 64 and applications 5 | //! have slight usage differences atop those, the module provides an number 6 | //! of structs that describe flavors of Base 64 used within in a certain 7 | //! context. That is, you don’t have to remember how an application uses Base 8 | //! 64 exactly but just pick your application. 9 | //! 10 | //! Each flavor implements a number of methods for encoding and decoding. 11 | //! These differ slightly between the flavors based on what they are used 12 | //! for. 13 | use std::{error, fmt, io, str}; 14 | use std::io::{Read, Write}; 15 | use base64::engine::{DecodeEstimate, Engine}; 16 | use base64::engine::general_purpose::{ 17 | GeneralPurpose, GeneralPurposeConfig, STANDARD 18 | }; 19 | 20 | pub use base64::{DecodeError, DecodeSliceError}; 21 | 22 | 23 | //------------ Xml ----------------------------------------------------------- 24 | 25 | /// The flavor used by `base64Binary` defined for XML. 26 | /// 27 | /// This uses the standard alphabet with padding and ASCII white-space allowed 28 | /// between alphabet characters. 29 | pub struct Xml; 30 | 31 | impl Xml { 32 | const ENGINE: GeneralPurpose = STANDARD; 33 | 34 | pub fn decode(self, input: &str) -> Result, XmlDecodeError> { 35 | let mut res = Vec::with_capacity( 36 | Self::ENGINE.internal_decoded_len_estimate( 37 | input.len() 38 | ).decoded_len_estimate() 39 | ); 40 | base64::read::DecoderReader::new( 41 | SkipWhitespace::new(input), 42 | &Self::ENGINE, 43 | ).read_to_end(&mut res)?; 44 | Ok(res) 45 | } 46 | 47 | pub fn decode_bytes( 48 | self, input: &[u8] 49 | ) -> Result, XmlDecodeError> { 50 | let input = str::from_utf8(input).map_err(|err| { 51 | let pos = err.valid_up_to(); 52 | io::Error::new( 53 | io::ErrorKind::Other, 54 | DecodeError::InvalidByte(pos, input[pos]) 55 | ) 56 | })?; 57 | self.decode(input) 58 | } 59 | 60 | pub fn encode(self, data: &[u8]) -> String { 61 | Self::ENGINE.encode(data) 62 | } 63 | 64 | pub fn decode_reader( 65 | self, input: &str, 66 | ) -> XmlDecoderReader { 67 | XmlDecoderReader( 68 | base64::read::DecoderReader::new( 69 | SkipWhitespace::new(input), 70 | &Self::ENGINE 71 | ) 72 | ) 73 | } 74 | 75 | pub fn encode_writer( 76 | self, writer: impl io::Write 77 | ) -> impl io::Write { 78 | base64::write::EncoderWriter::new(writer, &Self::ENGINE) 79 | } 80 | } 81 | 82 | 83 | //------------ Serde -------------------------------------------------------- 84 | 85 | /// The flavor used for serialization of objects in this crate. 86 | /// 87 | /// This flavor is used whenever Base 64 is used for serialization of 88 | /// binary objects in this crate. 89 | /// 90 | /// It uses the standard alphabet with padding and no white space allowed. 91 | pub struct Serde; 92 | 93 | impl Serde { 94 | const ENGINE: GeneralPurpose = STANDARD; 95 | 96 | pub fn decode(self, input: &str) -> Result, DecodeError> { 97 | Self::ENGINE.decode(input) 98 | } 99 | 100 | pub fn encode(self, data: &[u8]) -> String { 101 | Self::ENGINE.encode(data) 102 | } 103 | } 104 | 105 | 106 | //------------ Slurm --------------------------------------------------------- 107 | 108 | /// The flavor prescribed for some data in local exception files. 109 | /// 110 | /// Uses the URL-safe alphabet. When decoding, it accepts both padding and no 111 | /// padding. When encoding, it doesn’t add padding. 112 | pub struct Slurm; 113 | 114 | impl Slurm { 115 | const ENGINE: GeneralPurpose = GeneralPurpose::new( 116 | &base64::alphabet::URL_SAFE, 117 | GeneralPurposeConfig::new() 118 | .with_encode_padding(false) 119 | .with_decode_padding_mode( 120 | base64::engine::DecodePaddingMode::Indifferent 121 | ) 122 | ); 123 | 124 | pub fn decode(self, input: &str) -> Result, DecodeError> { 125 | Self::ENGINE.decode(input) 126 | } 127 | 128 | pub fn decode_slice( 129 | self, input: &str, output: &mut [u8] 130 | ) -> Result { 131 | Self::ENGINE.decode_slice(input, output) 132 | } 133 | 134 | pub fn encode(self, data: &[u8]) -> String { 135 | Self::ENGINE.encode(data) 136 | } 137 | 138 | pub fn write_encoded_slice( 139 | self, data: &[u8], target: &mut impl io::Write 140 | ) -> Result<(), io::Error> { 141 | let mut enc = base64::write::EncoderWriter::new(target, &Self::ENGINE); 142 | enc.write_all(data)?; 143 | enc.finish()?; 144 | Ok(()) 145 | } 146 | 147 | pub fn display(self, data: &[u8]) -> impl fmt::Display + '_ { 148 | base64::display::Base64Display::new(data, &Self::ENGINE) 149 | } 150 | } 151 | 152 | 153 | //------------ SkipWhitespace ------------------------------------------------ 154 | 155 | struct SkipWhitespace<'a> { 156 | splitter: str::SplitAsciiWhitespace<'a>, 157 | current: &'a [u8], 158 | } 159 | 160 | impl<'a> SkipWhitespace<'a> { 161 | fn new(s: &'a str) -> Self { 162 | Self { 163 | splitter: s.split_ascii_whitespace(), 164 | current: b"", 165 | } 166 | } 167 | } 168 | 169 | impl io::Read for SkipWhitespace<'_> { 170 | fn read(&mut self, mut buf: &mut[u8]) -> Result { 171 | let mut res = 0; 172 | 173 | loop { 174 | if self.current.is_empty() { 175 | let next = match self.splitter.next() { 176 | Some(data) => data, 177 | None => return Ok(res) 178 | }; 179 | self.current = next.as_bytes(); 180 | } 181 | let current_len = self.current.len(); 182 | let buf_len = buf.len(); 183 | if current_len < buf_len { 184 | buf[..current_len].copy_from_slice(self.current); 185 | res += current_len; 186 | buf = &mut buf[current_len..]; 187 | self.current = b""; 188 | } 189 | else { 190 | let (head, tail) = self.current.split_at(buf_len); 191 | buf.copy_from_slice(head); 192 | self.current = tail; 193 | return Ok(res + buf_len); 194 | } 195 | } 196 | } 197 | } 198 | 199 | 200 | //------------ XmlDecoderReader ---------------------------------------------- 201 | 202 | pub struct XmlDecoderReader<'a>( 203 | base64::read::DecoderReader< 204 | 'static, GeneralPurpose, SkipWhitespace<'a> 205 | > 206 | ); 207 | 208 | impl io::Read for XmlDecoderReader<'_> { 209 | fn read(&mut self, buf: &mut [u8]) -> Result { 210 | self.0.read(buf) 211 | } 212 | } 213 | 214 | 215 | //------------ XmlDecodeError ------------------------------------------------ 216 | 217 | #[derive(Debug)] 218 | pub struct XmlDecodeError(io::Error); 219 | 220 | impl From for XmlDecodeError { 221 | fn from(err: io::Error) -> Self { 222 | Self(err) 223 | } 224 | } 225 | 226 | impl fmt::Display for XmlDecodeError { 227 | fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { 228 | match self.0.get_ref() { 229 | Some(inner) => fmt::Display::fmt(inner, f), 230 | None => fmt::Display::fmt(&self.0, f), 231 | } 232 | } 233 | } 234 | 235 | impl error::Error for XmlDecodeError { } 236 | 237 | 238 | //============ Tests ========================================================= 239 | 240 | #[cfg(test)] 241 | mod test { 242 | use super::*; 243 | 244 | #[test] 245 | fn skip_whitespace() { 246 | fn test(s: &str) { 247 | let mut left = String::from(s); 248 | left.retain(|ch| !ch.is_ascii_whitespace()); 249 | 250 | let mut right = String::new(); 251 | SkipWhitespace::new(s).read_to_string(&mut right).unwrap(); 252 | 253 | assert_eq!(left, right); 254 | 255 | let mut right = Vec::new(); 256 | let mut reader = SkipWhitespace::new(s); 257 | loop { 258 | let mut buf = [0u8; 2]; 259 | let read = reader.read(&mut buf).unwrap(); 260 | if read == 0 { 261 | break 262 | } 263 | right.extend_from_slice(buf.as_ref()); 264 | } 265 | 266 | assert_eq!(left.as_bytes(), right.as_slice()); 267 | } 268 | 269 | test("foobar"); 270 | test("foo bar"); 271 | test(" foo bar"); 272 | test(" foo bar "); 273 | } 274 | 275 | } 276 | 277 | -------------------------------------------------------------------------------- /src/util/hex.rs: -------------------------------------------------------------------------------- 1 | //! Converting from and to hex strings. 2 | #![allow(dead_code)] 3 | 4 | use std::str; 5 | 6 | 7 | /// Encodes a octet sequence as a hex string. 8 | /// 9 | /// The function uses `dest` as the buffer for encoding which therefore must 10 | /// be exactly twice the length of `src`. It returns a reference to this 11 | /// buffer as a `&str`. 12 | /// 13 | /// # Panics 14 | /// 15 | /// The function panics if `dest` is shorter than twice the length of `src`. 16 | pub fn encode<'a>(src: &[u8], dest: &'a mut [u8]) -> &'a str { 17 | let dest = &mut dest[..src.len() * 2]; 18 | for (s, d) in src.iter().zip(dest.chunks_mut(2)) { 19 | d[0] = DIGITS[usize::from(s >> 4)]; 20 | d[1] = DIGITS[usize::from(s & 0x0F)]; 21 | } 22 | unsafe { str::from_utf8_unchecked(dest) } 23 | } 24 | 25 | pub fn encode_u8(ch: u8) -> [u8; 2] { 26 | [DIGITS[usize::from(ch >> 4)], DIGITS[usize::from(ch & 0x0F)]] 27 | } 28 | 29 | const DIGITS: &[u8] = b"0123456789ABCDEF"; 30 | 31 | -------------------------------------------------------------------------------- /src/util/mod.rs: -------------------------------------------------------------------------------- 1 | pub mod base64; 2 | pub mod hex; 3 | -------------------------------------------------------------------------------- /src/xml/mod.rs: -------------------------------------------------------------------------------- 1 | //! XML decoding and encoding. 2 | 3 | #![cfg(feature = "xml")] 4 | 5 | pub mod decode; 6 | pub mod encode; 7 | -------------------------------------------------------------------------------- /test-data/ca/drl-csr.der: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NLnetLabs/rpki-rs/0677b14607dffc527419a349f32be974b61d26ef/test-data/ca/drl-csr.der -------------------------------------------------------------------------------- /test-data/ca/id_afrinic.cer: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NLnetLabs/rpki-rs/0677b14607dffc527419a349f32be974b61d26ef/test-data/ca/id_afrinic.cer -------------------------------------------------------------------------------- /test-data/ca/id_ta.cer: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NLnetLabs/rpki-rs/0677b14607dffc527419a349f32be974b61d26ef/test-data/ca/id_ta.cer -------------------------------------------------------------------------------- /test-data/ca/rfc6492/afrinic-response.der: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NLnetLabs/rpki-rs/0677b14607dffc527419a349f32be974b61d26ef/test-data/ca/rfc6492/afrinic-response.der -------------------------------------------------------------------------------- /test-data/ca/rfc6492/apnic-response.der: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NLnetLabs/rpki-rs/0677b14607dffc527419a349f32be974b61d26ef/test-data/ca/rfc6492/apnic-response.der -------------------------------------------------------------------------------- /test-data/ca/rfc6492/apnic-testbed-response.der: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NLnetLabs/rpki-rs/0677b14607dffc527419a349f32be974b61d26ef/test-data/ca/rfc6492/apnic-testbed-response.der -------------------------------------------------------------------------------- /test-data/ca/rfc6492/issue-response.der: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NLnetLabs/rpki-rs/0677b14607dffc527419a349f32be974b61d26ef/test-data/ca/rfc6492/issue-response.der -------------------------------------------------------------------------------- /test-data/ca/rfc6492/issue.der: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NLnetLabs/rpki-rs/0677b14607dffc527419a349f32be974b61d26ef/test-data/ca/rfc6492/issue.der -------------------------------------------------------------------------------- /test-data/ca/rfc6492/list-response.ber: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NLnetLabs/rpki-rs/0677b14607dffc527419a349f32be974b61d26ef/test-data/ca/rfc6492/list-response.ber -------------------------------------------------------------------------------- /test-data/ca/rfc6492/list.der: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NLnetLabs/rpki-rs/0677b14607dffc527419a349f32be974b61d26ef/test-data/ca/rfc6492/list.der -------------------------------------------------------------------------------- /test-data/ca/rfc6492/not-performed-response.xml: -------------------------------------------------------------------------------- 1 | 2 | 1101 3 | already processing request 4 | -------------------------------------------------------------------------------- /test-data/ca/rfc6492/revoke-req.xml: -------------------------------------------------------------------------------- 1 | 2 | 7 | 8 | 9 | 10 | -------------------------------------------------------------------------------- /test-data/ca/rfc6492/revoke-response.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | -------------------------------------------------------------------------------- /test-data/ca/rfc8181/error-reply.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | An object is already present at this URI, yet a "hash" attribute was not specified. 4 | 5 | MIIDJDCCAgygAwIBAgIBATANBgkqhkiG9w0BAQsFADArMSkwJwYDVQQDEyBDYXJvbCBCUEtJIFJlc291cmNlIFRydXN0IEFuY2hvcjAeFw0xMTA3MDEwNDA3MjRaFw0xMjA2MzAwNDA3MjRaMCsxKTAnBgNVBAMTIENhcm9sIEJQS0kgUmVzb3VyY2UgVHJ1c3QgQW5jaG9yMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtF0MUjZ88c7YvY72T//02NUs00BE8dDaP9Yp2ByePrcy7ceJBQbL22LKDN6bASXlth+xxQjNUYeua7IwhlFX9HvcCWcClg2hR0Bqa1v4o5jitRL1COdJCvvQcg2B5p7uC74dh9e+w88z7X6u1NqZJS91Xw1GBt/Vi3xNwtlDchfcXcdGGcMObAksfQY9KrddWPfINmz0Cqx5M98BVHgUV1RJdFNBV91WTH2L7wOxW+hyo0CkvCxIfNZLlnL/nn7+OTEUFREVCU8YZz6semjzLb5q1qV46zoI5AmDB2JyddG+zPCqKbEmNWUCza4BYRRZDB/q2Z3T2p4fGV7R8jEJnQIDAQABo1MwUTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTrAyu8b8iL0rApak4gUWaHyNjcCTAfBgNVHSMEGDAWgBTrAyu8b8iL0rApak4gUWaHyNjcCTANBgkqhkiG9w0BAQsFAAOCAQEAbrmv72xzD+2zJnZwRrX9NsbKMBu6sEtpyMIND9RduU09yK2KDZLyJ07J1UmIgzaQjcy8Lk6tbveaSOGgu4Nr8Sl0P/YZg83jvmOIa4PXJT7YSrQ9son98akGZf6dEnDhX/S15z+WpCAyuUY8Zgpq6JRSsRrn2eOlzVmf9sE9tFCC8ozSwiGTcyILf1sORqMClhebRenE1GNWJ7Pabe7NkvoN5guMVO5h0lSfHnuxQGutxd2BvD6nOC5lqQMmuPIE47yAN7PNPbwlMl32nUDkUrESCYJ2luFSg3PASHSsHw2Tg/azHFrGcMMEbhIAHd1iOGOIlRjlJhkHLJZFTJOyZw== 6 | 7 | 8 | 9 | Found some other issue. 10 | 11 | -------------------------------------------------------------------------------- /test-data/ca/rfc8181/list-reply-empty-short.xml: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /test-data/ca/rfc8181/list-reply-empty.xml: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /test-data/ca/rfc8181/list-reply-single.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | -------------------------------------------------------------------------------- /test-data/ca/rfc8181/list-reply.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /test-data/ca/rfc8181/list.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | -------------------------------------------------------------------------------- /test-data/ca/rfc8181/publish-empty-short.xml: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /test-data/ca/rfc8181/publish-empty.xml: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /test-data/ca/rfc8181/publish-multi.xml: -------------------------------------------------------------------------------- 1 | 2 | MIIDJDCCAgygAwIBAgIBATANBgkqhkiG9w0BAQsFADArMSkwJwYDVQQDEyBDYXJvbCBCUEtJIFJlc291cmNlIFRydXN0IEFuY2hvcjAeFw0xMTA3MDEwNDA3MjRaFw0xMjA2MzAwNDA3MjRaMCsxKTAnBgNVBAMTIENhcm9sIEJQS0kgUmVzb3VyY2UgVHJ1c3QgQW5jaG9yMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtF0MUjZ88c7YvY72T//02NUs00BE8dDaP9Yp2ByePrcy7ceJBQbL22LKDN6bASXlth+xxQjNUYeua7IwhlFX9HvcCWcClg2hR0Bqa1v4o5jitRL1COdJCvvQcg2B5p7uC74dh9e+w88z7X6u1NqZJS91Xw1GBt/Vi3xNwtlDchfcXcdGGcMObAksfQY9KrddWPfINmz0Cqx5M98BVHgUV1RJdFNBV91WTH2L7wOxW+hyo0CkvCxIfNZLlnL/nn7+OTEUFREVCU8YZz6semjzLb5q1qV46zoI5AmDB2JyddG+zPCqKbEmNWUCza4BYRRZDB/q2Z3T2p4fGV7R8jEJnQIDAQABo1MwUTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTrAyu8b8iL0rApak4gUWaHyNjcCTAfBgNVHSMEGDAWgBTrAyu8b8iL0rApak4gUWaHyNjcCTANBgkqhkiG9w0BAQsFAAOCAQEAbrmv72xzD+2zJnZwRrX9NsbKMBu6sEtpyMIND9RduU09yK2KDZLyJ07J1UmIgzaQjcy8Lk6tbveaSOGgu4Nr8Sl0P/YZg83jvmOIa4PXJT7YSrQ9son98akGZf6dEnDhX/S15z+WpCAyuUY8Zgpq6JRSsRrn2eOlzVmf9sE9tFCC8ozSwiGTcyILf1sORqMClhebRenE1GNWJ7Pabe7NkvoN5guMVO5h0lSfHnuxQGutxd2BvD6nOC5lqQMmuPIE47yAN7PNPbwlMl32nUDkUrESCYJ2luFSg3PASHSsHw2Tg/azHFrGcMMEbhIAHd1iOGOIlRjlJhkHLJZFTJOyZw== 3 | MIIL9wYJKoZIhvcNAQcCoIIL6DCCC+QCAQMxDTALBglghkgBZQMEAgEwggVyBgsqhkiG9w0BCRABHKCCBWEEggVdPD94bWwgdmVyc2lvbj0nMS4wJyBlbmNvZGluZz0nVVRGLTgnPz4KPG1lc3NhZ2UgeG1sbnM9Imh0dHA6Ly93d3cuYXBuaWMubmV0L3NwZWNzL3Jlc2NlcnRzL3VwLWRvd24vIiB2ZXJzaW9uPSIxIiBzZW5kZXI9IkNhcm9sIiByZWNpcGllbnQ9IkJvYiIgdHlwZT0iaXNzdWUiPgogIDxyZXF1ZXN0IGNsYXNzX25hbWU9IjIiPgpNSUlEV0RDQ0FrQUNBUUF3TXpFeE1DOEdBMVVFQXhNb01qSTRRMFl3T1RNd09FVkVNVUUxUWpOQlJFUTNORGRECk5VSTJPVFk0UkRjd056TkNOVEk0TlRDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUIKQUx4aHl0Y0ppTlFhR2dER2NuUTc5QW9QTi9yc0FuRnJzTy9vQzJ1YmFxY1Q4bnFlMHhSblhCM0l1d3E5UklLcwp5UnA0OUpzWGxMNTl6b0o2QUJpWlU4bHQrNVRKa3YrcVJ2aWtSRklPZ2xqanRJNCtBM0Y2YlM0ZnJDbnYwZGN5CmQ2Z0dIZFVxNUx6T1ZnaE5tSldDN3RRbit6WGdRQk8xdVROb21kOEsvdk1ha3pIQ0FkSGZNUFNCZlMvNzhRZEcKVTJjR2xzbFNuWEhEYURReEhXanByVC9QaHhqL29nSkJWUkQ1UXkyellEQzhIRTh2L2VxcnVMclpESUl3bXFuZgpHWTAvZjlDL2RBaTFFODB0Qk9jYnRaUm1JTU1HNDFGYkZYUE44SVNybWU5b09ub1dXa3ZPVTgybHhhY2hSZ1dWClNxNzdlWm1VMlJmQlpycTNTdlVSc0owQ0F3RUFBYUNCM3pDQjNBWUpLb1pJaHZjTkFRa09NWUhPTUlITE1BOEcKQTFVZEV3RUIvd1FGTUFNQkFmOHdEZ1lEVlIwUEFRSC9CQVFEQWdFR01JR25CZ2dyQmdFRkJRY0JDd1NCbWpDQgpsekE2QmdnckJnRUZCUWN3QllZdWNuTjVibU02THk5c2IyTmhiR2h2YzNRNk5EUXdOQzl5Y0d0cEwwRnNhV05sCkwwSnZZaTlEWVhKdmJDOHpMekJaQmdnckJnRUZCUWN3Q29aTmNuTjVibU02THk5c2IyTmhiR2h2YzNRNk5EUXcKTkM5eWNHdHBMMEZzYVdObEwwSnZZaTlEWVhKdmJDOHpMMGx2ZW5kcmQycDBSMnh6TmpOWVVqaFhNbXh2TVhkagpOMVZ2VlM1dGJtWXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBSkV0d1R5VUJRUjVwU3dpWFlBTWdyWVFER1o3CmpDOHl4NHFOZzNHV1hwaFo3VUdjbnAzMC84ZFlEWW12ckRnSmszUkZzNVlpek9lTEhNekNYU29GN0hxVm9mUC8KY0gzSWo0c1ZGMmZxeUx2dnd5Zi9EMzZRTzZFQTZ6QVNPdSs2ekZnc1dZdlVkZkVMYjhCZVgzU0pDL0syU1E3Rgo1MXZZSzNYZGVNL2ptRzRleFBZRGZNVWZHS082TFQ1UE9XOGhDR0ZOeU5oZitFRGloTjh3NHBJbTQ3M1BaTWxFCkVCTWFNTkxtU2l2dnZOTWhVVk4yNWpnSEpvcjVKWldsMFQyMlpxb1hnYStVa3BFK2owbGtkc3pYdlhxM0FkNGQKQW9NSmhFSm9YYUhXMGxSRU16SURBakRxMHdoZnBIVGRYay9uMEJaNkV1MFRaMmxEV21jQTVTUHBtVEk9CjwvcmVxdWVzdD4KPC9tZXNzYWdlPgqgggMfMIIDGzCCAgOgAwIBAgIBBDANBgkqhkiG9w0BAQsFADArMSkwJwYDVQQDEyBDYXJvbCBCUEtJIFJlc291cmNlIFRydXN0IEFuY2hvcjAeFw0xMTA3MDEwNDA4MDNaFw0xMjA2MzAwNDA4MDNaMDMxMTAvBgNVBAMTKEM4NDlCMkVBMjRBNjkwOUM4NjY3QUYyOTE3NTQxMkQ4QkIxRDAwMzkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBY0FK5NJlRiqYii7t8XX/4Vye0g+5mltYb1miCuDpsMgZPlrVhRprFu8cBzrCzvY6b0J0p+1lNoZcvkwPKIWT9YeL5VbiRL9XPjk78D0fS2Rpl7H5wUZx1vSjqzcsi//IwVETsHtFcJ9C9nNhTaZfLGWpRrzNHWtH2TUUXmXou+NnXknOO5TD6SiacrxIw4G5Z2LCsmQWDPvcnu0qdWBWcV8/0nZ0BMNXsdyRBKavANlTK4cfY7FFS8Jpqh3bcdCXRQYwx/b+cKzVbNOVs/+9j50jnx1gfe1cFWYfzjzN0uERF/4ylhaV2u1fkueDwvUUf6DNDbRwGdGubJvo3RA5AgMBAAGjQjBAMB0GA1UdDgQWBBTISbLqJKaQnIZnrykXVBLYux0AOTAfBgNVHSMEGDAWgBTrAyu8b8iL0rApak4gUWaHyNjcCTANBgkqhkiG9w0BAQsFAAOCAQEAYai1LRRG78adcxY/hc4eA023IHxPIPCwylQO8N6grJ5GTh6mmTG9LLFMK8vcbMdgwyUFzhvrSeWVJpsesnkMdUzoiNNrvXexEy5x3EQ/sEXgZt/y8/pJ/VDOhK9s8we5a7XKY8uD77Rq6ijvWx5S6E/UQd4T3X+AgSzNH11mGGoHWREUUv0SSKu/a0vU9HOzuI5woEWwn5k2n08zJC0xDRoVcaWE0P7L/+S8n/qLQlz1Phj+GOu/q2hFCBCLQRLBFdsUzlm7dATiwABZoEzR+VbUUfVcHmTSgnFXALyLepoRuK6x4MKj6Lv9uXfctILCeEW9LNC2wJQ3gusSL+wc1qGCAYcwggGDMG0CAQEwDQYJKoZIhvcNAQELBQAwKzEpMCcGA1UEAxMgQ2Fyb2wgQlBLSSBSZXNvdXJjZSBUcnVzdCBBbmNob3IXDTExMDcwMTA0MDcyNFoXDTEyMDYzMDA0MDcyNFqgDjAMMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBCwUAA4IBAQCIE9O/NShSJgJPpv/PAzMOFlFQ5AQQLK9GQM42qnNc67ncie44bu0VugPLqLt4Z/Vr81XMIRbg1UlIU8UC/uU8YDQNOHn2Lzj0dpxAx1wdZkkKDs3I7/7LzTneWB3QfIzofKTb0+Q0Rltewj2gSn8FsH54oFZCJdxYfEvNksJmhRuNvX11qdOyvqufWDk0w8v5W7LevdT3zBtrMAZZDk5QX6vcsdL4qs6fjuASlEkqyYsvCaG1PNeaVZrxhB2kXanlgCkdR2M+agHXspN+ILAKnbLHDNOCqX17iqaWqjvy5XOVCJ7IyV5KPp+1R8KUdA6S9wjbHQD3l82Skr9jcxh1MYIBqjCCAaYCAQOAFMhJsuokppCchmevKRdUEti7HQA5MAsGCWCGSAFlAwQCAaBrMBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRABHDAcBgkqhkiG9w0BCQUxDxcNMTEwNzAxMDQwOTA1WjAvBgkqhkiG9w0BCQQxIgQgm/3IfXFnJT/10dy9m3nuZt3i13nd6yunn6TipHrhXhowDQYJKoZIhvcNAQEBBQAEggEARUgsPpls3HpmnOg3vwgk53Z1vYLiSoYCzA5zRLyDQDwEok1ddqgCRk6DOatAPS+OOa4U5xabfJDg1b43suo/d2vlFPbym8Ja3lLnMNAWMUM6lh2W4ahbPWfnvNx6moVcw4DPJe17zVqcM2zupSUri/jNsq3kx+Hk8eDBhY7uGoFdtqeV2/4CsE7S33Rj6GjAV1j72mpGk50y0f7gi6ODKLHf+zXsOccQY/g6MU3mFYMMOyndXjraprCcgqBSzpHWqKzdkLPLuUzjYxgtuv37kut+k9xSJV+u+UjYItNnUKJNJ+zLxf3c9YhchWJOmPCGmzscwlTou6kUkR2sBms8bA== 4 | 5 | -------------------------------------------------------------------------------- /test-data/ca/rfc8181/publish-single.xml: -------------------------------------------------------------------------------- 1 | 2 | MIIDJDCCAgygAwIBAgIBATANBgkqhkiG9w0BAQsFADArMSkwJwYDVQQDEyBDYXJvbCBCUEtJIFJlc291cmNlIFRydXN0IEFuY2hvcjAeFw0xMTA3MDEwNDA3MjRaFw0xMjA2MzAwNDA3MjRaMCsxKTAnBgNVBAMTIENhcm9sIEJQS0kgUmVzb3VyY2UgVHJ1c3QgQW5jaG9yMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtF0MUjZ88c7YvY72T//02NUs00BE8dDaP9Yp2ByePrcy7ceJBQbL22LKDN6bASXlth+xxQjNUYeua7IwhlFX9HvcCWcClg2hR0Bqa1v4o5jitRL1COdJCvvQcg2B5p7uC74dh9e+w88z7X6u1NqZJS91Xw1GBt/Vi3xNwtlDchfcXcdGGcMObAksfQY9KrddWPfINmz0Cqx5M98BVHgUV1RJdFNBV91WTH2L7wOxW+hyo0CkvCxIfNZLlnL/nn7+OTEUFREVCU8YZz6semjzLb5q1qV46zoI5AmDB2JyddG+zPCqKbEmNWUCza4BYRRZDB/q2Z3T2p4fGV7R8jEJnQIDAQABo1MwUTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTrAyu8b8iL0rApak4gUWaHyNjcCTAfBgNVHSMEGDAWgBTrAyu8b8iL0rApak4gUWaHyNjcCTANBgkqhkiG9w0BAQsFAAOCAQEAbrmv72xzD+2zJnZwRrX9NsbKMBu6sEtpyMIND9RduU09yK2KDZLyJ07J1UmIgzaQjcy8Lk6tbveaSOGgu4Nr8Sl0P/YZg83jvmOIa4PXJT7YSrQ9son98akGZf6dEnDhX/S15z+WpCAyuUY8Zgpq6JRSsRrn2eOlzVmf9sE9tFCC8ozSwiGTcyILf1sORqMClhebRenE1GNWJ7Pabe7NkvoN5guMVO5h0lSfHnuxQGutxd2BvD6nOC5lqQMmuPIE47yAN7PNPbwlMl32nUDkUrESCYJ2luFSg3PASHSsHw2Tg/azHFrGcMMEbhIAHd1iOGOIlRjlJhkHLJZFTJOyZw== 3 | -------------------------------------------------------------------------------- /test-data/ca/rfc8181/success-reply.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | -------------------------------------------------------------------------------- /test-data/ca/rfc8183/afrinic-parent-response.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | MIIGGDCCBACgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgZ0xCzAJBgNVBAYTAlpBMRAwDgYDVQQIDAdHYXV0ZW5nMQwwCgYDVQQHDANKTkIxFDASBgNVBAoMC0FGUklOSUMgTHRkMRwwGgYDVQQLDBNJbmZyYXN0cnVjdHVyZSBVbml0MRUwEwYDVQQDDAxSUEtJIFJvb3QgQ0ExIzAhBgkqhkiG9w0BCQEWFHN5c2FkbWluQGFmcmluaWMubmV0MB4XDTIxMDMwMTA3MjYzOVoXDTMxMDIyNzA3MjYzOVowgZcxCzAJBgNVBAYTAlpBMRAwDgYDVQQIDAdHYXV0ZW5nMRQwEgYDVQQKDAtBRlJJTklDIEx0ZDEcMBoGA1UECwwTSW5mcmFzdHJ1Y3R1cmUgVW5pdDEdMBsGA1UEAwwUUlBLSSBJbnRlcm1lZGlhdGUgQ0ExIzAhBgkqhkiG9w0BCQEWFHN5c2FkbWluQGFmcmluaWMubmV0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAp+ttTAMezX5HbhvssiWH3DOshSzGzzfHbKTIk7gM3q1B9edPSD5FiMGb2/oTo0/OddPxyHkhwXUN0j/gKk/SG8jSefX4CNpuA+UbjgI4z06WGGcINWK0Zg8sGtvQ1QXhBRyMyQT6dIK6O2BU0DAmBSV61OY2jAQjkAnq/eDVDYtk/skZcLbcw8oWiHYpHk4rqWyeCQX80EnH7uOKiZ0NAIMom0QBEHjOrCcrJ9T8+VYWUM6RLB/78VmVO34OFJzTcxhAQRGffzO/EDYGPkOkAYGPtan1ZJuQLzJ7U3c7jP3PZJBBqlr8m77RenJkZgBrnuO4RjbVAG3u95MgvAWrFbaeh7KXgvteXuGyK9Bmo/28vB7Aa/OsaZlOV1nOMX7GGJNFeq7+RAA8uR4mjVuSoQZWv1D04eEkrYU8RmS20O0qVKGTiQsw8l1G2qEK/vHc6iWAeBKUNwAQOJHTUywXkLNmTWSFGYQ+Blerrw35kcd90+zr+WctGBPSRheAiFtaCJD/LdPbtRI5vpnFP2SMVPMw2zup+dtKqPdlh0jORqJsHZoUqbCSX2OLLQds0q/sBNcXcsaPm5RrvfOVaL2hUEdlIQVQ1CCZoqKjvEvszK9EG0EjoCEGysjG0UuyEKUA5XHTAiGfxDt7Z1aiRrCDEaDGpL9mywkXVT845tkuAe8CAwEAAaNmMGQwHQYDVR0OBBYEFN/ZWLI9n30bz+m7j6prmLEtfKVRMB8GA1UdIwQYMBaAFP9YJ31GaEt54LwXCQ8twk6YuxEyMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4ICAQDrM8Cb/XUtviAT7R2zohlhDevXQxvgAsa2fgS8bFqyehjG2xcIZbGy9f/xcbJA+c2uZbi+BXnIUj1+RWTrybWKcQJqC0scwJBKgOeNRWvuzWEBQnTLtgOODl12A9iCyss/N+rrqUqIdlALyY0oM3IC8TCh+vcpYbMAQ+mI38iQNQYTYf89Oo5FZdgm4725gIUQpPZzRUIrPTsFnYVlUUAS88Fcombheu0AEezlpO72IuKaGvAVdXhc7JhkEwv3RXF9OUrOpLQcswttFe3lbf1NFIFfSqO7FW2PSOljqeAgbrHlIYYYJ7WsjwOonqYcdlY1UnylRAQSsnNkWR8N73lbzWslFcZIQYXEz63ImFGdJfVdZX6f1Ev1dHvcuEoFYwaIaBvsvVy9RGEUSIqDSucUszqLn7ViIOJDTmbOWG6X8QN6LbeXUXEoEy9+EQqZO4pnw6YwS34mvj8gkQ3H+w2/n4cBpaUXFcKx+pwBzuhmiz5Aj/AxwSZRbSLc4ZJ2fMOSoC1Ih3iCIgKk+ugzbjtIPBPBM5yQxQwYjo6tun/RbFhdjxcEEEdYvB6/GC/Skdaw3HTlEGJpfeqgkOTX4LZ60YINwSm+v7pZUkFtUPMpIrhInJDlf5aa2eGNw7YrJNbio5WgCpH4gT55LRk0fpFdknejr56gAtFyDGt4/dxybA== 4 | 5 | 6 | -------------------------------------------------------------------------------- /test-data/ca/rfc8183/apnic-parent-response.xml: -------------------------------------------------------------------------------- 1 | 2 | MIID4zCCAsugAwIBAgIITKrO/XzCs0IwDQYJKoZIhvcNAQELBQAwgYgxKzApBgNV 3 | BAMMIkFQTklDIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxIDAeBgNVBAsM 4 | F0luZnJhc3RydWN0dXJlIFNlcnZpY2VzMRYwFAYDVQQKDA1BUE5JQyBQdHkgTHRk 5 | MRIwEAYKCZImiZPyLGQBGRYCQ0ExCzAJBgNVBAYTAkFVMB4XDTE0MDcxNjAzMzc1 6 | MFoXDTI0MDcxMzAzMzc1MFowdTEYMBYGA1UEAwwPQVBOSUMgU2VydmVyIENBMSAw 7 | HgYDVQQLDBdJbmZyYXN0cnVjdHVyZSBTZXJ2aWNlczEWMBQGA1UECgwNQVBOSUMg 8 | UHR5IEx0ZDESMBAGCgmSJomT8ixkARkWAkNBMQswCQYDVQQGEwJBVTCCASIwDQYJ 9 | KoZIhvcNAQEBBQADggEPADCCAQoCggEBALMGsE2/26JMANdhX+kUEOl4nD5UkrZd 10 | 7pfWy1wne1ZJ2p4EJsUpZRpqcwDdYt41eYEet4bKNZSzourwgav0N+LXSSA8VWB/ 11 | kKX14s/jXmghZtglE5+b9RsY6O/AldSrSiDuTOhQv3LTz3E3VxS1NchvxShoAUz0 12 | rZsuIPU1+DaIKjSEuWdQc98s9O1tmeP92kYmfLAqxNoMpMSgi+W2VtrMgf9+zql2 13 | 2gyqb3/tl3CLX7sX/l5uOTdX8ysK04MyjkUlOh7ciD1pGP0GvlT+oLnr00TFXnHM 14 | bmo+o/MXcX9bKH+St9CBoKzy+c6kn4AmrY/N9NZL4R41QT7K+tPsRz8CAwEAAaNj 15 | MGEwHQYDVR0OBBYEFBlb9K/QxXnAPlRSTHpwPPkxWlNvMA8GA1UdEwEB/wQFMAMB 16 | Af8wHwYDVR0jBBgwFoAU9cbRu559RBE43B+iF/zNow/zxn8wDgYDVR0PAQH/BAQD 17 | AgGGMA0GCSqGSIb3DQEBCwUAA4IBAQAJcmBFknIHX7qwDkcsq/banAhL7ug66V09 18 | ecfTcmj6kjxuAehQ3QqQ2DLE8L4nTCtBbIxw1BeAw4tYp8BS7UssIXcL562hUBxP 19 | j95bNhCb/WozG7/6dQ6C7y3piwtE11XyT/FTxOgUAx/Ncg6TK/+HfsSqBxBolB5j 20 | Uc6aWUYkDTZQj+0v4hugCNLyIIBFE47K49uaS95R4ETUADVSFVtPZ9wlkrlvbIJn 21 | ejtJIBHBJZHAK0S5RBgM99XOXuRpW6aCM4pyZgQ4EUF4BzHAFqbSpV/tyORtM8sF 22 | iiq12E3yr53JYYzR+/OnOUv/vXFiPpJCdCKip89JOVT+e0M9v6Kn 23 | 24 | 25 | -------------------------------------------------------------------------------- /test-data/ca/rfc8183/apnic-repository-response.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | MIID4zCCAsugAwIBAgIITKrO/XzCs0IwDQYJKoZIhvcNAQELBQAwgYgxKzApBgNV 7 | BAMMIkFQTklDIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxIDAeBgNVBAsM 8 | F0luZnJhc3RydWN0dXJlIFNlcnZpY2VzMRYwFAYDVQQKDA1BUE5JQyBQdHkgTHRk 9 | MRIwEAYKCZImiZPyLGQBGRYCQ0ExCzAJBgNVBAYTAkFVMB4XDTE0MDcxNjAzMzc1 10 | MFoXDTI0MDcxMzAzMzc1MFowdTEYMBYGA1UEAwwPQVBOSUMgU2VydmVyIENBMSAw 11 | HgYDVQQLDBdJbmZyYXN0cnVjdHVyZSBTZXJ2aWNlczEWMBQGA1UECgwNQVBOSUMg 12 | UHR5IEx0ZDESMBAGCgmSJomT8ixkARkWAkNBMQswCQYDVQQGEwJBVTCCASIwDQYJ 13 | KoZIhvcNAQEBBQADggEPADCCAQoCggEBALMGsE2/26JMANdhX+kUEOl4nD5UkrZd 14 | 7pfWy1wne1ZJ2p4EJsUpZRpqcwDdYt41eYEet4bKNZSzourwgav0N+LXSSA8VWB/ 15 | kKX14s/jXmghZtglE5+b9RsY6O/AldSrSiDuTOhQv3LTz3E3VxS1NchvxShoAUz0 16 | rZsuIPU1+DaIKjSEuWdQc98s9O1tmeP92kYmfLAqxNoMpMSgi+W2VtrMgf9+zql2 17 | 2gyqb3/tl3CLX7sX/l5uOTdX8ysK04MyjkUlOh7ciD1pGP0GvlT+oLnr00TFXnHM 18 | bmo+o/MXcX9bKH+St9CBoKzy+c6kn4AmrY/N9NZL4R41QT7K+tPsRz8CAwEAAaNj 19 | MGEwHQYDVR0OBBYEFBlb9K/QxXnAPlRSTHpwPPkxWlNvMA8GA1UdEwEB/wQFMAMB 20 | Af8wHwYDVR0jBBgwFoAU9cbRu559RBE43B+iF/zNow/zxn8wDgYDVR0PAQH/BAQD 21 | AgGGMA0GCSqGSIb3DQEBCwUAA4IBAQAJcmBFknIHX7qwDkcsq/banAhL7ug66V09 22 | ecfTcmj6kjxuAehQ3QqQ2DLE8L4nTCtBbIxw1BeAw4tYp8BS7UssIXcL562hUBxP 23 | j95bNhCb/WozG7/6dQ6C7y3piwtE11XyT/FTxOgUAx/Ncg6TK/+HfsSqBxBolB5j 24 | Uc6aWUYkDTZQj+0v4hugCNLyIIBFE47K49uaS95R4ETUADVSFVtPZ9wlkrlvbIJn 25 | ejtJIBHBJZHAK0S5RBgM99XOXuRpW6aCM4pyZgQ4EUF4BzHAFqbSpV/tyORtM8sF 26 | iiq12E3yr53JYYzR+/OnOUv/vXFiPpJCdCKip89JOVT+e0M9v6Kn 27 | 28 | 29 | -------------------------------------------------------------------------------- /test-data/ca/rfc8183/krill-0-9-parent-response.xml: -------------------------------------------------------------------------------- 1 | 2 | MIIDPDCCAiSgAwIBAgIBATANBgkqhkiG9w0BAQsFADAzMTEwLwYDVQQDEygwREI4NEY3RTE2RTMyRTc0MUI0NjZBMzIxQTY0MjYxODg4RDQ5MTg3MCAXDTE5MTIxMDEzMjkwNVoYDzIxMTkxMjEwMTMzNDA1WjAzMTEwLwYDVQQDEygwREI4NEY3RTE2RTMyRTc0MUI0NjZBMzIxQTY0MjYxODg4RDQ5MTg3MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAupja8HWSDinTtA0wrnkmDz1LkqQm8d/odbQUgU5s4QJxJRkOYSnbugvo8MWUxOCqerOp9HPidvpJkxb1cLAff+RTaCCDRTHi8GzQ95yT0F13oztXXiJkuMiTW+I97pVF4CJvHoKmq99/kyU1uJ/PaNB7MyQfCIEdQ7W0YpRHzstQXnQwmtXbw6O2UCLiqxAgvH4zbc2gSL05Y/lw+XNuWEZORD1Z01Kn+xmuG1R4/vuzkNn6G2sZdoLMiAV7HKKDZBfHtCQBSMwKY2Hllhsv78mBCOLCub9m+vWHqtHQDPGhnr9MQ9v/3fKZUWSY5hPFAfjpxylkFvrtU7RKgY7K5wIDAQABo1kwVzAPBgNVHRMBAf8EBTADAQH/MCAGA1UdDgEBAAQWBBQNuE9+FuMudBtGajIaZCYYiNSRhzAiBgNVHSMBAQAEGDAWgBQNuE9+FuMudBtGajIaZCYYiNSRhzANBgkqhkiG9w0BAQsFAAOCAQEACuUvBIWls54zWXlW7Vpq9aZvtFgbq3CVNUeVuksJx2wMIkN5KRd0Q0axECO8On0xnr+nPHeOzjfd5fIvUh54N5Vm0bkwiVKVkHVgEgSLfsz623PAf+q9MGU3N3Zo0MHUIVCFVE8GPTgrT/KFf118FPdpDxOZCOLK7qqJO83GPDHTY5lq9v8V0rfAZ1F+nW3bpl9M6cySP9NIrfTOKxPMrw1N3NuibZM88LL67GuSgVb9bsLopyzasYVuZLfP4LYjNnp5Va5jA23IRtcFSiBatfWVl81CxJEHqqKnuxK6ILTOq7aW2c1BWJ7wqF/QFQjVJY9QIJgNX2wFD4BYluKQZw== 3 | -------------------------------------------------------------------------------- /test-data/ca/rfc8183/krill-0-9-repository-response.xml: -------------------------------------------------------------------------------- 1 | 2 | MIIDPDCCAiSgAwIBAgIBATANBgkqhkiG9w0BAQsFADAzMTEwLwYDVQQDEyg5NTJEODYyQzcxNzQ4NENFRTdGQ0Q0QjlCRTIyM0FFM0FCNkRGNjAzMCAXDTE5MTIxMDEzMjEyMFoYDzIxMTkxMjEwMTMyNjIwWjAzMTEwLwYDVQQDEyg5NTJEODYyQzcxNzQ4NENFRTdGQ0Q0QjlCRTIyM0FFM0FCNkRGNjAzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAru8vg4KPf2RpTzLO200u238krnsUZz0XY1bFwscuzx6AM3uu/cBFXyXKe5vwqcNyhBvslnZZWx11/JAJweEmFCLTpiSa0VAoUpBXRoaibjuWLvACKnObi4L0+fipN1OH7lJ1gHwaV6bY14gFQkOu+Sz86cVTIQVWql/Bp8GwZiSVTH3uZr/jvdurF334VyVUjl6xd++W/v2Dp3/bCkQ77cSY+mPcIhUDqcpAggm6XOSYPwS2OU7w+TGnNhNCOyEOT+wtVXgQwMLIdm+0pU/N2+HeVV+gZpT/uIBf+lxlh6xGO+wMwQhHslDdzBWjg9LtxZ0cjxJHq40daVZYVVxcyQIDAQABo1kwVzAPBgNVHRMBAf8EBTADAQH/MCAGA1UdDgEBAAQWBBSVLYYscXSEzuf81Lm+Ijrjq232AzAiBgNVHSMBAQAEGDAWgBSVLYYscXSEzuf81Lm+Ijrjq232AzANBgkqhkiG9w0BAQsFAAOCAQEAeOJKnCyQuxa2o4Zg/5Wzj2luBjsKQT3kniE9caPlD+a/rNyVi0pvfLrXDa/uaoiCKrl13nhWdTAoAEcAsCwhEQ28Xh0GlQL/1hVBvk7VJ4p3Fq5H/WOcHUBZYSiEBV1xHHT81ahdmT7YIBhK/20WKJrLJy8YnBDkFQVx7WcdW6M5Wyri5g2rtsQ8Wqnw+6553KhKj7mjqdiZdNUyy6ZIcmz62mwQoCVCg6HbeVsrVBVHlU1Qfoljfh/XCfY9FRXM9ryjPfqHTLJto1OFO9wf8DyoTRvro34fokPfASgNmpTUxXeKfjNBUKjXwrsG7D53lCU5yUk8daWmfj9NV6n+hw== 3 | -------------------------------------------------------------------------------- /test-data/ca/rfc8183/rpkid-child-id.xml: -------------------------------------------------------------------------------- 1 | 5 | 6 | MIIDJDCCAgygAwIBAgIBATANBgkqhkiG9w0BAQsFADArMSkwJwYDVQQDEyBDYXJv 7 | bCBCUEtJIFJlc291cmNlIFRydXN0IEFuY2hvcjAeFw0xMTA3MDEwNDA3MjRaFw0x 8 | MjA2MzAwNDA3MjRaMCsxKTAnBgNVBAMTIENhcm9sIEJQS0kgUmVzb3VyY2UgVHJ1 9 | c3QgQW5jaG9yMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtF0MUjZ8 10 | 8c7YvY72T//02NUs00BE8dDaP9Yp2ByePrcy7ceJBQbL22LKDN6bASXlth+xxQjN 11 | UYeua7IwhlFX9HvcCWcClg2hR0Bqa1v4o5jitRL1COdJCvvQcg2B5p7uC74dh9e+ 12 | w88z7X6u1NqZJS91Xw1GBt/Vi3xNwtlDchfcXcdGGcMObAksfQY9KrddWPfINmz0 13 | Cqx5M98BVHgUV1RJdFNBV91WTH2L7wOxW+hyo0CkvCxIfNZLlnL/nn7+OTEUFREV 14 | CU8YZz6semjzLb5q1qV46zoI5AmDB2JyddG+zPCqKbEmNWUCza4BYRRZDB/q2Z3T 15 | 2p4fGV7R8jEJnQIDAQABo1MwUTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTr 16 | Ayu8b8iL0rApak4gUWaHyNjcCTAfBgNVHSMEGDAWgBTrAyu8b8iL0rApak4gUWaH 17 | yNjcCTANBgkqhkiG9w0BAQsFAAOCAQEAbrmv72xzD+2zJnZwRrX9NsbKMBu6sEtp 18 | yMIND9RduU09yK2KDZLyJ07J1UmIgzaQjcy8Lk6tbveaSOGgu4Nr8Sl0P/YZg83j 19 | vmOIa4PXJT7YSrQ9son98akGZf6dEnDhX/S15z+WpCAyuUY8Zgpq6JRSsRrn2eOl 20 | zVmf9sE9tFCC8ozSwiGTcyILf1sORqMClhebRenE1GNWJ7Pabe7NkvoN5guMVO5h 21 | 0lSfHnuxQGutxd2BvD6nOC5lqQMmuPIE47yAN7PNPbwlMl32nUDkUrESCYJ2luFS 22 | 23 | g3PASHSsHw2Tg/azHFrGcMMEbhIAHd1iOGOIlRjlJhkHLJZFTJOyZw== 24 | 25 | 26 | -------------------------------------------------------------------------------- /test-data/ca/rfc8183/rpkid-parent-response-offer.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | MIIDJDCCAgygAwIBAgIBATANBgkqhkiG9w0BAQsFADArMSkwJwYDVQQDEyBBbGlj 4 | ZSBCUEtJIFJlc291cmNlIFRydXN0IEFuY2hvcjAeFw0xMTA3MDEwNDA3MTlaFw0x 5 | MjA2MzAwNDA3MTlaMCsxKTAnBgNVBAMTIEFsaWNlIEJQS0kgUmVzb3VyY2UgVHJ1 6 | c3QgQW5jaG9yMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0nVOC7Ik 7 | bc9D3lNPspAp96LEmxqhfWcF70wOk8MHX2skMoHYa3UsyTMOJR4Pv+DRieLbPI8E 8 | ExrLZRqTrY4+OKRG5sekk3zeIc40g4p8jw6aPxlPUFvJAQdsW+iOYljaPhgWMiGH 9 | Qm2ZfsXUlvr8XtmkryGbzcaJy2CaAnUi5dwUmpMx7GEcUz+LpJ6tfyB1aF1CpnBm 10 | pvOhIl+Tlk55Zpo2Nn1Ty0TiTX40fK/ToKZn+/5LkRBKXjGUSWlMyWBVJZVCHo/Z 11 | PLtPbjUr0gczIYp24q4GxmAHbK12GT/4vGdnQCyadKBDF4Kv0BP6TFf+BP3aE2P7 12 | biQa919zuZzfCQIDAQABo1MwUTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQj 13 | tovHYOZzUno6MsFjYyKdJZf3NDAfBgNVHSMEGDAWgBQjtovHYOZzUno6MsFjYyKd 14 | JZf3NDANBgkqhkiG9w0BAQsFAAOCAQEApkybLXSqUGFf6TxVz+AXVbMtTr22tUJ+ 15 | nMocs6lDsyXt2QC/ef3iPTECfJXJrWxCF3PaAWcjV/QQVw3Z2BqblHPmNPM0DxhJ 16 | OBv065L041zZla4163XSzEzRHJn+99E9jPs15w7if2A1m2XH2W2gg3aSMBSqZXcM 17 | 6Z+W6XsH0dx5c10YspJBSXRls7SsKRpS30fCs2+jSYA0AWvxCTfCNmVf6ssMmAyr 18 | 6Ynrt3fS0MpprBPxJF3KWveHLhaUxLYefSsnsV6o3nfZYwyDlo9m7t3IQCg+Yg7k 19 | FO2iB8/TDRIdP6bpBvpVrQ13FvWqC6CglZ0fbFRNklotIVxcP1cuNw== 20 | 21 | 22 | -------------------------------------------------------------------------------- /test-data/ca/rfc8183/rpkid-parent-response-referral.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | MIIDQDCCAiigAwIBAgIBATANBgkqhkiG9w0BAQsFADA5MTcwNQYDVQQDEy5yaXBl 4 | LW5jYy1ycGtpZC10ZXN0IEJQS0kgUmVzb3VyY2UgVHJ1c3QgQW5jaG9yMB4XDTEx 5 | MDcyNjE0MDQwMloXDTEyMDcyNTE0MDQwMlowOTE3MDUGA1UEAxMucmlwZS1uY2Mt 6 | cnBraWQtdGVzdCBCUEtJIFJlc291cmNlIFRydXN0IEFuY2hvcjCCASIwDQYJKoZI 7 | hvcNAQEBBQADggEPADCCAQoCggEBANHzI6LqbEY9q02guhcmSSX1ccciB8szNUz3 8 | ybeHLJPVwcQ6ubEIHMILCJbyioLia8kuJTnZxYTK3B+91jE9ECfZyJ6p6s+Jnow4 9 | 5qKWTISml0MZUjsuK3KNtX0ITu1GQIik5fEKyXRqNFAVjcG6WvSvL0tYdodSBoii 10 | FHAqwFqhBtclxGAiGD20YNzPKuLKFYuMJNj04MWBqcg39TjzAfwHDrxYSXHZHcGS 11 | 7KP02jIe5qDc9inoAsIypm9BpKmkdHSI4k0ZcozjYTRVE/ldDTXWjQuQqK2AeWUE 12 | 0nw/+6Ld4E+7X99StbO4Gd2qozR1F3FrmdxQJlXzoUUYsSKBoNUCAwEAAaNTMFEw 13 | DwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUTyG3NNeIWT/yaH22w/0RftTIS9sw 14 | HwYDVR0jBBgwFoAUTyG3NNeIWT/yaH22w/0RftTIS9swDQYJKoZIhvcNAQELBQAD 15 | ggEBAATQYlnFklxHWpGZK2e/h0ERf3og3ebvJFRlwhmnjXflHn7hsmbFWjiCZJys 16 | B/AbczPm3x/gWrMKbO1m/qBz7BvI7ASgU3dBvZNoHAEaAzoJ/vT+lP+3Chs/El8r 17 | 3TZ4R94fwxbYEo9w7xfcdxkzgAbVXt921Hrayl1ThY7W8xQC4nyYcmTo6vxX5c5b 18 | tLwqMr74WedpQSzspPg3b21/v7IL2f8VulzyRNwnRCY9k6thGJcDi7yT9uH/6H/Z 19 | 5mIAV77DWWGBkQtJ4SiTdBu0LpJ6ZPkUiguRYTNAllSqBMz76eyc1DFHix7GoHY0 20 | ShsnKgqdi16hS+2QV6xrvjWr1s4= 21 | 22 | 23 | MIIKTwYJKoZIhvcNAQcCoIIKQDCCCjwCAQMxDTALBglghkgBZQMEAgEwggVHBgsqhkiG9w0BCRABH 24 | KCCBTYEggUyPG5zMDpyZWZlcnJhbCB4bWxuczpuczA9Imh0dHA6Ly93d3cuaGFjdHJuLm5ldC91cm 25 | lzL3Jwa2kvbXlycGtpLyIgYXV0aG9yaXplZF9zaWFfYmFzZT0icnN5bmM6Ly9sb2NhbGhvc3QvcnB 26 | raS9yaXBlLW5jYy1ycGtpZC10ZXN0LzYwZTQ0NWY1LTk3ZDEtNGZjYi1iYzk1LWI4ZTZlZjc5MzE5 27 | ZS8iIHZlcnNpb249IjIiPk1JSURSRENDQWl5Z0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBR 28 | EF6TVRFd0x3WURWUVFERXloaVpERmhaR1JoTlRWa01EVmoKT1RNeE5EazNZVEU1T0RaaVpEQmlZMl 29 | ppTkRsak5ERXhOREZtTUI0WERURXhNRGN5TmpFNE5ESXdORm9YRFRJeE1EY3lOakU0TkRJdwpORm9 30 | 3TXpFeE1DOEdBMVVFQXhNb1ltUXhZV1JrWVRVMVpEQTFZemt6TVRRNU4yRXhPVGcyWW1Rd1ltTm1Z 31 | alE1WXpReE1UUXhaakNDCkFTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBS 32 | UsxNzRGam00anhMNXVVdWQzZzNvb3VNRE50VitjR3dEWGQKWFFIUlZuR0YzZGlLQUZxSkpiNTlncD 33 | dZTzc3QVlEZjZLd1QvUFBScVo1cTEvRVZjNndTck9Eek1YL1lKZytidFI2T3BBZDVrME1WWQpmSkN 34 | EMzMzQkJsL3lWSjBlb1p5QjRmbHNOZ2VNMmphRXFoeHNKZ0tHVWZhNlJUNGMyNW5FNms4OHlGZnhi 35 | ZkU4UnlteUFhb2p0VGtKCkJjYzhFU3VianNHYmkzYnNPNnRVYXU1MnlSdVhnaUo4czhRWXlNUGQ0N 36 | ER2dU8wVmYzdVk5SWJnTngwZFFHTUd0aXNSODNKc3l5bDIKKzNTTTc0N0IyQ3Q5RVNBbU9vYjV4RH 37 | IyQVArVlZrUjBYZHNjTzNIclBEWndRS2tKTXI0UTZuT0FFQ0FtTWlUQkNaejY5bkRiVDlNbQp5Z01 38 | DQXdFQUFhTmpNR0V3SFFZRFZSME9CQllFRkwwYTNhVmRCY2t4U1hvWmhyMEx6N1NjUVJRZk1COEdB 39 | MVVkSXdRWU1CYUFGTDBhCjNhVmRCY2t4U1hvWmhyMEx6N1NjUVJRZk1BOEdBMVVkRXdFQi93UUZNQ 40 | U1CQWY4d0RnWURWUjBQQVFIL0JBUURBZ0VHTUEwR0NTcUcKU0liM0RRRUJDd1VBQTRJQkFRQkJ1ST 41 | ZlQ01aTlQ2eTFjMzYyTzQ3YXVSSE5kWXVMYnl0YnBrRTF3WHBGZ2dIZlFSVGQwb3hJTHc1NQpnSEF 42 | EcEFCOWx6enMxUHUvT3RaM2JIZ2dwVkJjYXgrbmpSWk9vemNWZkV3R01YclMyOGFaUUxqZU4xM0hQ 43 | MERmQ0JqK1BMVy9FcUpKCm8vdU1uRTBZMGI2azg0UTNLeG84Mm0xSHJjYTVmcmJWbjNRbXV0c0JvR 44 | VpZZlZUZS9zcDhJeW51NjlSdWpSaGtmTjdzcTVhUVY2S3IKNUQ4MkpiZ2JrcTJuSCtvS1BTbVBZek 45 | xSc2JlUDhUT240d3EvcjJPM29YaThCNzI2aXFjdTNZd2l4QlQ5OGZMell6clI3QTA0bUxOUwpZdEt 46 | xWkJGemFyRnpSSzZQS05FNU82enBBMWZWM0lCc1NRcU9QejRFY3VQeXlWY0F6Ylp2TzZseDwvbnMw 47 | OnJlZmVycmFsPqCCAy0wggMpMIICEaADAgECAgEFMA0GCSqGSIb3DQEBCwUAMDkxNzA1BgNVBAMTL 48 | nJpcGUtbmNjLXJwa2lkLXRlc3QgQlBLSSBSZXNvdXJjZSBUcnVzdCBBbmNob3IwHhcNMTEwNzI2MT 49 | g0NTU4WhcNMTIwNzI1MTg0NTU4WjAzMTEwLwYDVQQDEyhyaXBlLW5jYy1ycGtpZC10ZXN0IFB1Ymx 50 | pY2F0aW9uIFJlZmVycmFsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoj1avlj+9qFa 51 | 2f2F9vaY+Oxy2LuS1gE6OyUSv2yw7nLwM+HgUkBg/eeO5uFHOjvf5GWpt6JF0EN8hXkasg9A0xM3Y 52 | M2/52+XujZJUl1Neaxhd8fsb0cZ7v2vbjvZyNmx00m7/nZ2a9Km44onyPFdVjnre8aQUQLZ1aas/G 53 | JDNHdTYoLm62SN3ilXOxWCe/F8CLg1c8v4ziDHuzpw4MshplS1rndkxK+c8Fr3ZbOowecm/ER3+CG 54 | CFNSomx0cpaXmymTU6Bo5u/uHV0Kt1nbHi00Q9I7he6nmB/KiEHpprWmtGv+57YoiIlZqlJuDoBRx 55 | 2V5SlNwnp7pK7j6zIlco8QIDAQABo0IwQDAdBgNVHQ4EFgQU4E/1E709vJlfvcOigiG5lg9Z70IwH 56 | wYDVR0jBBgwFoAUTyG3NNeIWT/yaH22w/0RftTIS9swDQYJKoZIhvcNAQELBQADggEBAGeZaJhfR1 57 | E+mDYeYWDP8PKHP78N9/TmaNKWAmyN6oOtU/mOoqxs0x92njxYyx/qmUuzK8yOsmNs80ENOSDQzMZ 58 | NqnZoPn+rsPypVNg6Kr2pC+rXRFTidzBgA/QGK5hIhYjhpiSFiyeTH/m/MDcKN1HBsXerm5XeTPnZ 59 | UHCBcF8HtPMsAyz0BprjgbR0zeBrQlPpUyel4QJT5n5RP41GDRDAqHrU49tYpJCDHZhZfI3MbHnj1 60 | nd9c8tNJxhY2JxUMykWI8LkCC429x5SZcKPBFs8mpVYrlqYNFTyly3yY/XdjN7TgcBrgzIOr9jiR7 61 | QQM6AXeBAAKiiNKeTpdKgqRPkxggGqMIIBpgIBA4AU4E/1E709vJlfvcOigiG5lg9Z70IwCwYJYIZ 62 | IAWUDBAIBoGswGgYJKoZIhvcNAQkDMQ0GCyqGSIb3DQEJEAEcMBwGCSqGSIb3DQEJBTEPFw0xMTA3 63 | MjYxODQ1NThaMC8GCSqGSIb3DQEJBDEiBCB8gyLk+tQBfAbMglyktmcBPB5UlWNXKAs9/jPtW77sI 64 | TANBgkqhkiG9w0BAQEFAASCAQBZ5xrouaB57scG8vxSN/hzEaUrXvfUM9t/X0vP1vQxp+qSMuVMy3 65 | Z/zrx/wAUuyiw/1qwO2Uxeo4FAWxgc3oJSbywfSiIMTG4i5QK1rRRwJwWIMTqCi4D2O7JAPAm+loZ 66 | ufiHVxja5NGBCnl9JtR7HW8RxQKFhJvlH/WxSRIadfkGWAGXyOs67u9LNOWaDfzzXlZ+UCshaa9y3 67 | 3b7fwWnYLj4YpHylgl3z6nVJDqc+0yHZtdQDirbMHQVvrTY9KKphd4oPTNqX0GXB3NSRhh9FVO7Sn 68 | ZgehM2m1PkgxNTlWoZeRfwDdkbpWVxu3WTChQibem3ePr3zuu5uHfXUGjSv 69 | 70 | -------------------------------------------------------------------------------- /test-data/ca/rfc8183/rpkid-publisher-request.xml: -------------------------------------------------------------------------------- 1 | 6 | 7 | MIIDIDCCAgigAwIBAgIBATANBgkqhkiG9w0BAQsFADApMScwJQYDVQQDEx5Cb2Ig 8 | QlBLSSBSZXNvdXJjZSBUcnVzdCBBbmNob3IwHhcNMTEwNzAxMDQwNzIzWhcNMTIw 9 | NjMwMDQwNzIzWjApMScwJQYDVQQDEx5Cb2IgQlBLSSBSZXNvdXJjZSBUcnVzdCBB 10 | bmNob3IwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDEk1f7cVzHu3r/ 11 | fJ5gkBxnWMNJ1CP0kPtfP8oFOEVVH1lX0MHuFKhdKA4WCkGkeFtGb/4T/nGgsD+z 12 | exZid6RR8zjHkwMLvAl0x6wdKa46XJbFu+wTSu+vlowVY9rGzH+ttv4Fj6E2Y3DG 13 | 983/dVNJfXl00+Ts7rlvVcn9lI5dWvzsLoUOdhD4hsyKp53k8i4HexiD+0ugPeh9 14 | 4PKiyZOuMjSRNQSBUA3ElqJSRZz7nWvs/j6zhwHdFa+lN56575Mc5mrwr+KePwW5 15 | DLt3izYpjwKffVuxUKPTrhvnOOg5kBBv0ihync21LSLds6jusxaMYUwUElO8KQyn 16 | NUAeGPd/AgMBAAGjUzBRMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFORFOC3G 17 | PjYKn7V1/BJHDmZ4W7J+MB8GA1UdIwQYMBaAFORFOC3GPjYKn7V1/BJHDmZ4W7J+ 18 | MA0GCSqGSIb3DQEBCwUAA4IBAQBqsP4ENtWTkNdsekYB+4hO/Afq20Ho0W8lyTkM 19 | JO1UFDt/dzFAmTT4uM7pmwuQfqmCYjNDWon8nsdFno4tA0is3aiq6yIMAYzBE5ub 20 | bnJMxldqLoWuakco1wYa3kZFzWPwecxgJ4ZlqTPGu0Loyjibt25IE9MfixyWDw+D 21 | MhyfonLLgFb5jz7A3BTE63vlTp359uDbFb1nRdyoT31s3FUBK8jF4B5pWzPiLdct 22 | bOMVjYUBs8aFC3fDXyGSr/RcjE4OOZQyTkYZn8zCPUJ4KqOPAUV9u9jx2FPvOcA3 23 | 1BjcmhYHqott+cnK1ITOjLe9EKejRZv/7/BFsmpzm2Zbq1KA 24 | 25 | -------------------------------------------------------------------------------- /test-data/ca/router-csr.der: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NLnetLabs/rpki-rs/0677b14607dffc527419a349f32be974b61d26ef/test-data/ca/router-csr.der -------------------------------------------------------------------------------- /test-data/ca/sigmsg/cms_ta.cer: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NLnetLabs/rpki-rs/0677b14607dffc527419a349f32be974b61d26ef/test-data/ca/sigmsg/cms_ta.cer -------------------------------------------------------------------------------- /test-data/ca/sigmsg/pdu_200.der: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NLnetLabs/rpki-rs/0677b14607dffc527419a349f32be974b61d26ef/test-data/ca/sigmsg/pdu_200.der -------------------------------------------------------------------------------- /test-data/compat/res_incorrect.cer: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NLnetLabs/rpki-rs/0677b14607dffc527419a349f32be974b61d26ef/test-data/compat/res_incorrect.cer -------------------------------------------------------------------------------- /test-data/crypto/rsa-key.private.der: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NLnetLabs/rpki-rs/0677b14607dffc527419a349f32be974b61d26ef/test-data/crypto/rsa-key.private.der -------------------------------------------------------------------------------- /test-data/crypto/rsa-key.public.der: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NLnetLabs/rpki-rs/0677b14607dffc527419a349f32be974b61d26ef/test-data/crypto/rsa-key.public.der -------------------------------------------------------------------------------- /test-data/repository/aspa-bm.asa: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NLnetLabs/rpki-rs/0677b14607dffc527419a349f32be974b61d26ef/test-data/repository/aspa-bm.asa -------------------------------------------------------------------------------- /test-data/repository/aspa-content-draft-13.der: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NLnetLabs/rpki-rs/0677b14607dffc527419a349f32be974b61d26ef/test-data/repository/aspa-content-draft-13.der -------------------------------------------------------------------------------- /test-data/repository/aspa-content.der: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NLnetLabs/rpki-rs/0677b14607dffc527419a349f32be974b61d26ef/test-data/repository/aspa-content.der -------------------------------------------------------------------------------- /test-data/repository/ca1.cer: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NLnetLabs/rpki-rs/0677b14607dffc527419a349f32be974b61d26ef/test-data/repository/ca1.cer -------------------------------------------------------------------------------- /test-data/repository/ca1.crl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NLnetLabs/rpki-rs/0677b14607dffc527419a349f32be974b61d26ef/test-data/repository/ca1.crl -------------------------------------------------------------------------------- /test-data/repository/ca1.mft: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NLnetLabs/rpki-rs/0677b14607dffc527419a349f32be974b61d26ef/test-data/repository/ca1.mft -------------------------------------------------------------------------------- /test-data/repository/example-ripe.roa: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NLnetLabs/rpki-rs/0677b14607dffc527419a349f32be974b61d26ef/test-data/repository/example-ripe.roa -------------------------------------------------------------------------------- /test-data/repository/maxlen-overflow.roa: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NLnetLabs/rpki-rs/0677b14607dffc527419a349f32be974b61d26ef/test-data/repository/maxlen-overflow.roa -------------------------------------------------------------------------------- /test-data/repository/maxlen-underflow.roa: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NLnetLabs/rpki-rs/0677b14607dffc527419a349f32be974b61d26ef/test-data/repository/maxlen-underflow.roa -------------------------------------------------------------------------------- /test-data/repository/prefix-len-overflow.roa: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NLnetLabs/rpki-rs/0677b14607dffc527419a349f32be974b61d26ef/test-data/repository/prefix-len-overflow.roa -------------------------------------------------------------------------------- /test-data/repository/ripe.tal: -------------------------------------------------------------------------------- 1 | rsync://rpki.ripe.net/ta/ripe-ncc-ta.cer 2 | 3 | MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0URYSGqUz2myBsOzeW1j 4 | Q6NsxNvlLMyhWknvnl8NiBCs/T/S2XuNKQNZ+wBZxIgPPV2pFBFeQAvoH/WK83Hw 5 | A26V2siwm/MY2nKZ+Olw+wlpzlZ1p3Ipj2eNcKrmit8BwBC8xImzuCGaV0jkRB0G 6 | Z0hoH6Ml03umLprRsn6v0xOP0+l6Qc1ZHMFVFb385IQ7FQQTcVIxrdeMsoyJq9eM 7 | kE6DoclHhF/NlSllXubASQ9KUWqJ0+Ot3QCXr4LXECMfkpkVR2TZT+v5v658bHVs 8 | 6ZxRD1b6Uk1uQKAyHUbn/tXvP8lrjAibGzVsXDT2L0x4Edx+QdixPgOji3gBMyL2 9 | VwIDAQAB 10 | -------------------------------------------------------------------------------- /test-data/repository/router.cer: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NLnetLabs/rpki-rs/0677b14607dffc527419a349f32be974b61d26ef/test-data/repository/router.cer -------------------------------------------------------------------------------- /test-data/repository/serde-compat/cert.json: -------------------------------------------------------------------------------- 1 | "MIIECjCCAvKgAwIBAgICAMkwDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAxMLcmlwZS1uY2MtdGEwIBcNMTcxMTI4MTQzOTU1WhgPMjExNzExMjgxNDM5NTVaMBYxFDASBgNVBAMTC3JpcGUtbmNjLXRhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0URYSGqUz2myBsOzeW1jQ6NsxNvlLMyhWknvnl8NiBCs/T/S2XuNKQNZ+wBZxIgPPV2pFBFeQAvoH/WK83HwA26V2siwm/MY2nKZ+Olw+wlpzlZ1p3Ipj2eNcKrmit8BwBC8xImzuCGaV0jkRB0GZ0hoH6Ml03umLprRsn6v0xOP0+l6Qc1ZHMFVFb385IQ7FQQTcVIxrdeMsoyJq9eMkE6DoclHhF/NlSllXubASQ9KUWqJ0+Ot3QCXr4LXECMfkpkVR2TZT+v5v658bHVs6ZxRD1b6Uk1uQKAyHUbn/tXvP8lrjAibGzVsXDT2L0x4Edx+QdixPgOji3gBMyL2VwIDAQABo4IBXjCCAVowHQYDVR0OBBYEFOhVKx/W0aT35ATG2OVoDR68Fj/DMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMIGxBggrBgEFBQcBCwSBpDCBoTA8BggrBgEFBQcwCoYwcnN5bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9zaXRvcnkvcmlwZS1uY2MtdGEubWZ0MDIGCCsGAQUFBzANhiZodHRwczovL3JyZHAucmlwZS5uZXQvbm90aWZpY2F0aW9uLnhtbDAtBggrBgEFBQcwBYYhcnN5bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9zaXRvcnkvMBgGA1UdIAEB/wQOMAwwCgYIKwYBBQUHDgIwJwYIKwYBBQUHAQcBAf8EGDAWMAkEAgABMAMDAQAwCQQCAAIwAwMBADAhBggrBgEFBQcBCAEB/wQSMBCgDjAMMAoCAQACBQD/////MA0GCSqGSIb3DQEBCwUAA4IBAQAVgJjrZ3wFppC8Yk8D2xgzwSeWVT2vtYq96CQQsjaKb8nbeVz3DwcS3a7RIsevrNVGo43k3AGymg1ki+AWJjvHvJ+tSzCbn5+X6Z7AfYTf2g37xINVDHru0PTQUargSMBAz/MBNpFG8KThtT7WbJrK4+f/lvx0m8QOlYm2a17iXS3AGQJ6RHcq9ADscqGdumxmMMDjwED26bGaYdmru1hNIpwF//jVM/eRjBFoPHKFlx0kLd/yoCQNmx1kW+xANx4uyWxi/DYgSV7Oynq+C60OucW+d8tIhkblh8+YfrmukJdsV+vo2L72yerdbsP9xjqvhZrLKfsLZjYK4SdYYthi" -------------------------------------------------------------------------------- /test-data/repository/serde-compat/crl.json: -------------------------------------------------------------------------------- 1 | "MIICEDCB+QIBATANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDEwtyaXBlLW5jYy10YRcNMTkwMjI2MTMxNDQ0WhcNMTkwNTI2MTMxNDQ0WjB+MBMCAgDMFw0xODA1MDExMzMzMTZaMBMCAgDOFw0xODA3MjUxMjQ3MzlaMBMCAgDQFw0xODEwMTExMjE1NDlaMBMCAgDSFw0xODEyMTgxMzIyMTFaMBMCAgDUFw0xOTAyMjYxMzE0NDRaMBMCAgDVFw0xOTAyMjYxMzE0NDRaoC8wLTAfBgNVHSMEGDAWgBToVSsf1tGk9+QExtjlaA0evBY/wzAKBgNVHRQEAwIBMjANBgkqhkiG9w0BAQsFAAOCAQEAKoHF+OsJtcOOiTanlolt/19DdgD0yEJbbnUE4KVNK3o5v98oAtqXIWmqmQ1p7L4wwsh62tey47fnZ+kYdgZCljaSpLQzK0rHN5XjQeOWKP9il9mWo9uzxkCTmrWQLDQujMr1j9jWwtCSAdIDoZuMmFR4ay645JOva/aVn9AgZAA8xWenJDCWeD0tFCol6dMw5pGZHl0xVoRGg7zScuQyVigyQuAQ2LKyMZj/ETgR71tpc3mbZk2Mbb2T8MwxJca3L7sO+ulTIEWCGrtEVe4TN2VOUFdAaAr8BusKVNxIlUQJ2Jo1h+bcgDskbSJZj9bl0lols+sMNZgMENHQYW3Zfw==" -------------------------------------------------------------------------------- /test-data/repository/serde-compat/manifest.json: -------------------------------------------------------------------------------- 1 | "MIIGQQYJKoZIhvcNAQcCoIIGMjCCBi4CAQMxDTALBglghkgBZQMEAgEwYwYLKoZIhvcNAQkQARqgVARSMFACAQwYDzIwMTAwMjI4MTYzMjAwWhgPMjAxMDExMTQyMTAyMTBaBglghkgBZQMEAgEwHjANFgRmaWxlAwUAaGFzaDANFgRmaWxlAwUAaGFzaKCCBCMwggQfMIIDB6ADAgECAgEMMA0GCSqGSIb3DQEBCwUAMDMxMTAvBgNVBAMTKDVEN0RDQUI3MkVEM0Y2OUI1Mzk1NzgwQkYyODMyQjI3MjMxNUVEMEUwHhcNMTAwMjI4MTYzMjAwWhcNMTAxMTE0MjEwMjEwWjAzMTEwLwYDVQQDEyg0NzE3QzNBQkRGQTFGMEIzRDY0ODE5MTc4MDdBRDdDOUJBMUUxRjk4MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs3FFcY/U4ln6P+cgaJEj/BqrZbTiTp2+hKYh3IY2rs4EokFW2cvrdRnjd8JVdmif6hQ3DQJinAkua59csn0CzyjxYZATa0ynfmOcNBCxcBz8qTdex+fTnzHdYwxBOG2QVDZ2ochW3lyNIiyaED7s8KhSl9We/bI+PwJg9ot539BzwVHi3fpaBo6N1a1DJT+03olno1VpY1hVsWpvRVddDY55RL+I+dOoiW4C2Whq56iO4DPmUJay3miReaiCfh4DV9VVAIteK4gqQpQgPn8nUrORB2f41D5WIbDISrT0IaZc/g0pSLTsuhDw17LprTXsGcqhcTFJfBrfpOCngS64HwIDAQABo4IBPDCCATgwHQYDVR0OBBYEFEcXw6vfofCz1kgZF4B618m6Hh+YMB8GA1UdIwQYMBaAFF19yrcu0/abU5V4C/KDKycjFe0OMA4GA1UdDwEB/wQEAwIHgDAoBgNVHR8EITAfMB2gG6AZhhdyc3luYzovL2V4YW1wbGUuY29tL20vcDAzBggrBgEFBQcBAQQnMCUwIwYIKwYBBQUHMAKGF3JzeW5jOi8vZXhhbXBsZS5jb20vbS9wMDMGCCsGAQUFBwELBCcwJTAjBggrBgEFBQcwC4YXcnN5bmM6Ly9leGFtcGxlLmNvbS9tL3AwGAYDVR0gAQH/BA4wDDAKBggrBgEFBQcOAjAhBggrBgEFBQcBBwEB/wQSMBAwBgQCAAEFADAGBAIAAgUAMBUGCCsGAQUFBwEIAQH/BAYwBKACBQAwDQYJKoZIhvcNAQELBQADggEBAI6ydxkmhTAFJtUTa1+1WifumxsWylMz4s0Fmbc10S85zjqxnfz0XQLlsM6sZKs8ugeUtnvr5IC7/RqPtQ5vZNiLT1rYS4wm5TFJBHNDklYm+jZ+5jYxQNYO/5vB/yZSZ/8RpEIGFKDNPS26ZdCgl5vQGcMKkI10r/OYg5VElXIDn+hQ7mbZTTgZnvf4LOUkW5lLU903dL0BhJvfJwjH+S6zx0t6lnt+4ly1gEbovdwWCDaJAb1+KigQKhhrZtznQEoIVFpl1IV2gupnpBVhPpRI/bwoJv/Uq4fzA9xQTxYbwxm0OD2Ym+UH7e0bV+R5rfOkWFbh9WGZhbFcGDWtDokxggGMMIIBiAIBA4AURxfDq9+h8LPWSBkXgHrXyboeH5gwCwYJYIZIAWUDBAIBoE0wGgYJKoZIhvcNAQkDMQ0GCyqGSIb3DQEJEAEaMC8GCSqGSIb3DQEJBDEiBCDgG8B6+4m4UKQ6ni/jx8OBrTz9G4H67/F64g64QS1aFzANBgkqhkiG9w0BAQEFAASCAQAvnXhpS5UAB0LPJZnHupAdU3TQiyeC3PEaR+tVtpgOdeBb89e5pK87g2BUDd+06riSYbxVdS9YKgUe0MTjToJKInyo+n7V4UREkUo4qfxUbaZOMSRGKMIcQQAWnrESvBudwlthvRfAntV9ER2y3+vMcSFULThIgEMO4VQw4gr3XDUHS/MlYuZUicDsYmsdUzMTYEHOt3k/tPTBo0mak3Am6IIkiCEYVicNoNBlrwl/nkfDByRuZjxO01eO1k45U0VfOcDgk1+sYFoSH/NC7XButcaNjgfGjYId1IRGl5IzMTex9LmmpLJRV1qKtuNR4vGhNLu5mQvG3kyBkzWRbePR" -------------------------------------------------------------------------------- /test-data/repository/serde-compat/roa.json: -------------------------------------------------------------------------------- 1 | "MIIF7wYJKoZIhvcNAQcCoIIF4DCCBdwCAQMxDTALBglghkgBZQMEAgEwKgYLKoZIhvcNAQkQARigGwQZMBcCAwD78DAQMA4EAgABMAgwBgMEAMAAAqCCBAowggQGMIIC7qADAgECAgEMMA0GCSqGSIb3DQEBCwUAMDMxMTAvBgNVBAMTKEE0QTQxQjZDRkVDM0M0NDc0NDhDMDVENEFFM0Q3MUUyNUQwMDhBQTcwHhcNMjMwNzA0MTE1MDQxWhcNMjMwNzA1MTE1MDQxWjAzMTEwLwYDVQQDEyhEMzFBMTZCRjIzQTc0MTczRTU4RTY4NkNEM0QzMjdCM0M2QjFGREM5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp08rvEasxPSWtylZ5LhM+5vdO4xautuSNkTlW8l+KT+qcfA66yNPCGOymaBbUj4X6/OOrONvu6QWHzakhOMH4WLhCVMY8xEfWNBs1CqI5VSp9DAYu/kFtfDoL3LrnopnUIF4GX3IdjItSRWTsnNiqfNTXjzXdVO/euKkduAiZ4Xs+37SO3hM3h2s6IVHq4SxckpR3xdlGeO+mlibwOYfrvW5y488nuIk468yz+j9J1SpLzf6E1Y6fdvko+DVa+A91pgrBq4cUJcIoa7Fp5ZeZ6rxPhyMxrehoyIl330U7+30xoapIU58wlfswIMXGuyJRjAR9UGzTQWcU9pyAUjiQQIDAQABo4IBIzCCAR8wHQYDVR0OBBYEFNMaFr8jp0Fz5Y5obNPTJ7PGsf3JMB8GA1UdIwQYMBaAFKSkG2z+w8RHRIwF1K49ceJdAIqnMA4GA1UdDwEB/wQEAwIHgDAoBgNVHR8EITAfMB2gG6AZhhdyc3luYzovL2V4YW1wbGUuY29tL20vcDAzBggrBgEFBQcBAQQnMCUwIwYIKwYBBQUHMAKGF3JzeW5jOi8vZXhhbXBsZS5jb20vbS9wMDMGCCsGAQUFBwELBCcwJTAjBggrBgEFBQcwC4YXcnN5bmM6Ly9leGFtcGxlLmNvbS9tL3AwGAYDVR0gAQH/BA4wDDAKBggrBgEFBQcOAjAfBggrBgEFBQcBBwEB/wQQMA4wDAQCAAEwBgMEAMAAAjANBgkqhkiG9w0BAQsFAAOCAQEARk8K1ugBAjwFlKZPper8IFbKCQySB0NY2dbSklSx761SXkhz0gZzPBNj2Al2p17uuJsX+jA65zcW1e/AsoHYjtTaPigja44gomkKnCNMsFHzxPqAE79r7hXPH6B+ZiNqAs59KMf5iGAmV31M8ZqLYC7Kum5xOq1cUfLk16n43NrIpg3VsATDBWV/b51RL9nagbFOSaZKqV/B0J2KPPcEvZPBz42uSN1CCScfKSlvgnUsITEFKtltRXj8iOkKGwqvvHNS2t7XbNllqTUm7VY8n8H6PAz+Ch+YIePMa6HNnEtoFZK9RL4Bj5fEAeECoskjVoBipsN6Hxb4rlHjsti7mjGCAYwwggGIAgEDgBTTGha/I6dBc+WOaGzT0yezxrH9yTALBglghkgBZQMEAgGgTTAaBgkqhkiG9w0BCQMxDQYLKoZIhvcNAQkQARgwLwYJKoZIhvcNAQkEMSIEINoyv74NjuoPXTtWAjxV0cI6qR31AjP4nDJQhrKyBtWiMA0GCSqGSIb3DQEBAQUABIIBAH/R5kpS8Htl5xlM/sIblSoc6gUqXTr7Vj38wUMvuL57mbftJSYVLnhvB9kawr15hxILvYw3X6suOcxpCqTM93Y9D9Qa+f2Wobnwwl4Sjj9Dq8zwujshJPKvqhLNTiXUne+XX0BLuLngofIjKMXrGQIkreUHJ/SBiuiv3d3KZLq/Y3KeEIbenUlQ4P5ry6skWZGRf7zUvtDcVZR93xwXGVLOcGALYjOqoJWjXiacsF8azBi9qVHYlYTKO5R3e9fI8aGAD0FRE+/OqJRvlYH8zbqSkGiuCUCptw7bPgVD4+hoGivqEkisyXZo34wKQxde4016CH8DJC6qXizG/fo1sDI=" -------------------------------------------------------------------------------- /test-data/repository/signature-alg-mismatch.mft: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NLnetLabs/rpki-rs/0677b14607dffc527419a349f32be974b61d26ef/test-data/repository/signature-alg-mismatch.mft -------------------------------------------------------------------------------- /test-data/repository/ta.cer: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NLnetLabs/rpki-rs/0677b14607dffc527419a349f32be974b61d26ef/test-data/repository/ta.cer -------------------------------------------------------------------------------- /test-data/repository/ta.crl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NLnetLabs/rpki-rs/0677b14607dffc527419a349f32be974b61d26ef/test-data/repository/ta.crl -------------------------------------------------------------------------------- /test-data/repository/ta.mft: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NLnetLabs/rpki-rs/0677b14607dffc527419a349f32be974b61d26ef/test-data/repository/ta.mft -------------------------------------------------------------------------------- /test-data/repository/ta.mft.bad-filename: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NLnetLabs/rpki-rs/0677b14607dffc527419a349f32be974b61d26ef/test-data/repository/ta.mft.bad-filename -------------------------------------------------------------------------------- /test-data/rrdp/bomb-serial.xml.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NLnetLabs/rpki-rs/0677b14607dffc527419a349f32be974b61d26ef/test-data/rrdp/bomb-serial.xml.gz -------------------------------------------------------------------------------- /test-data/rrdp/bomb-snapshot-uri.xml.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NLnetLabs/rpki-rs/0677b14607dffc527419a349f32be974b61d26ef/test-data/rrdp/bomb-snapshot-uri.xml.gz -------------------------------------------------------------------------------- /test-data/rrdp/bomb-whitespace.xml.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NLnetLabs/rpki-rs/0677b14607dffc527419a349f32be974b61d26ef/test-data/rrdp/bomb-whitespace.xml.gz -------------------------------------------------------------------------------- /test-data/rrdp/lolz-notification.xml: -------------------------------------------------------------------------------- 1 | 2 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | ]> 15 | 16 | &lol9; 17 | 18 | 19 | -------------------------------------------------------------------------------- /test-data/rrdp/ripe-notification-unsorted.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /test-data/rrdp/ripe-notification-with-gaps.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /test-data/rrdp/ripe-notification.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /test-data/slurm/full.json: -------------------------------------------------------------------------------- 1 | { 2 | "slurmVersion": 1, 3 | "validationOutputFilters": { 4 | "prefixFilters": [ 5 | { 6 | "prefix": "192.0.2.0/24", 7 | "comment": "All VRPs encompassed by prefix" 8 | }, 9 | { 10 | "asn": 64496, 11 | "comment": "All VRPs matching ASN" 12 | }, 13 | { 14 | "prefix": "198.51.100.0/24", 15 | "asn": 64497, 16 | "comment": "All VRPs encompassed by prefix, matching ASN" 17 | } 18 | ], 19 | "bgpsecFilters": [ 20 | { 21 | "asn": 64496, 22 | "comment": "All keys for ASN" 23 | }, 24 | { 25 | "SKI": "MTIzNDU2Nzg5MDEyMzQ1Njc4OTA", 26 | "comment": "Key matching Router SKI" 27 | }, 28 | { 29 | "asn": 64497, 30 | "SKI": "ZGVhZGJlYXRkZWFkYmVhdGRlYWQ", 31 | "comment": "Key for ASN matching SKI" 32 | } 33 | ] 34 | }, 35 | "locallyAddedAssertions": { 36 | "prefixAssertions": [ 37 | { 38 | "asn": 64496, 39 | "prefix": "198.51.100.0/24", 40 | "comment": "My other important route" 41 | }, 42 | { 43 | "asn": 64496, 44 | "prefix": "2001:DB8::/32", 45 | "maxPrefixLength": 48, 46 | "comment": "My de-aggregated route" 47 | } 48 | ], 49 | "bgpsecAssertions": [ 50 | { 51 | "asn": 64496, 52 | "SKI": "MTIzNDU2Nzg5MDEyMzQ1Njc4OTA", 53 | "routerPublicKey": "Ymx1YmI" 54 | } 55 | ] 56 | } 57 | } 58 | -------------------------------------------------------------------------------- /test-data/slurm/full_v2.json: -------------------------------------------------------------------------------- 1 | { 2 | "slurmVersion": 2, 3 | "validationOutputFilters": { 4 | "prefixFilters": [ 5 | { 6 | "prefix": "192.0.2.0/24", 7 | "comment": "All VRPs encompassed by prefix" 8 | }, 9 | { 10 | "asn": 64496, 11 | "comment": "All VRPs matching ASN" 12 | }, 13 | { 14 | "prefix": "198.51.100.0/24", 15 | "asn": 64497, 16 | "comment": "All VRPs encompassed by prefix, matching ASN" 17 | } 18 | ], 19 | "bgpsecFilters": [ 20 | { 21 | "asn": 64496, 22 | "comment": "All keys for ASN" 23 | }, 24 | { 25 | "SKI": "MTIzNDU2Nzg5MDEyMzQ1Njc4OTA", 26 | "comment": "Key matching Router SKI" 27 | }, 28 | { 29 | "asn": 64497, 30 | "SKI": "ZGVhZGJlYXRkZWFkYmVhdGRlYWQ", 31 | "comment": "Key for ASN matching SKI" 32 | } 33 | ], 34 | "aspaFilters": [ 35 | { 36 | "customerAsid": 64496, 37 | "comment": "ASPAs matching Customer ASID 64496" 38 | } 39 | ] 40 | }, 41 | "locallyAddedAssertions": { 42 | "prefixAssertions": [ 43 | { 44 | "asn": 64496, 45 | "prefix": "198.51.100.0/24", 46 | "comment": "My other important route" 47 | }, 48 | { 49 | "asn": 64496, 50 | "prefix": "2001:DB8::/32", 51 | "maxPrefixLength": 48, 52 | "comment": "My de-aggregated route" 53 | } 54 | ], 55 | "bgpsecAssertions": [ 56 | { 57 | "asn": 64496, 58 | "SKI": "MTIzNDU2Nzg5MDEyMzQ1Njc4OTA", 59 | "routerPublicKey": "Ymx1YmI" 60 | } 61 | ], 62 | "aspaAssertions": [ 63 | { 64 | "customerAsid": 64496, 65 | "providerSet": [64497, 64498], 66 | "comment": "Locally assert 64497 and 64498 are providers for 64496" 67 | } 68 | ] 69 | } 70 | } 71 | -------------------------------------------------------------------------------- /tests/rrdp-resilience.rs: -------------------------------------------------------------------------------- 1 | #![cfg(feature = "repository")] 2 | #[cfg(test)] 3 | mod tests { 4 | use std::convert::Infallible; 5 | use std::io; 6 | use http_body_util::Full; 7 | use hyper::body::Bytes; 8 | use hyper::server::conn::http1; 9 | use hyper::service::service_fn; 10 | use hyper::{Request, Response}; 11 | use hyper_util::rt::TokioIo; 12 | use tokio::net::TcpListener; 13 | use rpki::rrdp::NotificationFile; 14 | 15 | async fn serve( 16 | test_bytes: &'static[u8], 17 | _: Request 18 | ) -> Result>, Infallible> { 19 | let body = Full::new(Bytes::from_static(test_bytes)); 20 | 21 | Ok(Response::builder() 22 | .header("Content-Encoding", "gzip") 23 | .body(body) 24 | .unwrap()) 25 | } 26 | 27 | async fn run(test_bytes: &'static[u8]) -> 28 | Result<(), Box> { 29 | let listener = TcpListener::bind(("127.0.0.1", 0)).await?; 30 | let port = match listener.local_addr() { 31 | Ok(addr) => addr.port(), 32 | _ => panic!("Could not bind to port") 33 | }; 34 | 35 | let handle = tokio::task::spawn(async move { 36 | let (stream, _) = listener.accept().await.unwrap(); 37 | let io = TokioIo::new(stream); 38 | 39 | let _ = http1::Builder::new() 40 | .serve_connection(io, service_fn(|req| serve(test_bytes, req))) 41 | .await; 42 | }); 43 | 44 | tokio::time::sleep(tokio::time::Duration::from_secs(2)).await; 45 | let handle2 = tokio::task::spawn_blocking( 46 | move || -> Result<(), Box> { 47 | let client = reqwest::blocking::Client::builder() 48 | .gzip(true) 49 | .build()?; 50 | let r = client.get(format!("http://127.0.0.1:{:?}/", port)).send()?; 51 | 52 | let reader = io::BufReader::new(r); 53 | let p = NotificationFile::parse(reader); 54 | assert!(p.is_err()); 55 | Ok(()) 56 | }); 57 | 58 | let _ = handle.await; 59 | let _ = handle2.await; 60 | Ok(()) 61 | } 62 | 63 | #[tokio::test] 64 | async fn test_serial() { 65 | let bytes = include_bytes!("../test-data/rrdp/bomb-serial.xml.gz"); 66 | assert!(run(bytes).await.is_ok()); 67 | } 68 | 69 | #[tokio::test] 70 | async fn test_snapshot_uri() { 71 | let bytes = include_bytes!( 72 | "../test-data/rrdp/bomb-snapshot-uri.xml.gz" 73 | ); 74 | assert!(run(bytes).await.is_ok()); 75 | } 76 | 77 | #[tokio::test] 78 | async fn test_whitespace() { 79 | let bytes = include_bytes!("../test-data/rrdp/bomb-whitespace.xml.gz"); 80 | assert!(run(bytes).await.is_ok()); 81 | } 82 | } 83 | --------------------------------------------------------------------------------