> Authenticating the Geofeed data
> ===============================
>
> The uncommented section of the file conforms to RFC 8805:
>
> $ head -1 geofeed.csv | tee geofeed_tbs
> 2001:67c:208c::/48,NL,NL-NH,Amsterdam
>
> The commented out section of the geofeed.csv file contains a base64
> encoded detached CMS signature (DER) using the 'id-ct-geofeedCSVwithCRLF'
> content type, a sha256 message digest, and can be verified against a
> public CA. The CA can be reached through the RIPE NCC RPKI Trust Anchor
> and has 2001:67c:208c::/48 as subordinate resource.
>
> Extract DER encoded signature:
>
> $ cat geofeed.csv | sed '1,2d;$d' | base64 -d > signature.der
>
> Extract the EE certificate (in PEM format) from the CMS envelope:
>
> $ openssl cms -verify -noverify -in signature.der -inform DER \
>     -certsout ee.pem 2>/dev/zero
>
> Inspect the EE certificate to see which authority signed it:
>
> $ openssl x509 -in ee.pem -noout -ext sbgp-ipAddrBlock,authorityInfoAccess
> sbgp-ipAddrBlock: critical
>     IPv6:
>       2001:67c:208c::/48
>
> Authority Information Access:
>     CA Issuers - URI:rsync://rpki.ripe.net/repository/DEFAULT/LMq8Kl3LkWGqticaaLl6IAGSsJ4.cer
>
> A validated RPKI cache on the local filesystem can be constructed using
> a utility like OpenBSD's rpki-client (https://www.rpki-client.org). Copy
> the CA certificate from the validated cache, and convert it to PEM format:
>
> $ openssl x509 \
>     -in /var/cache/rpki-client/rpki.ripe.net/repository/DEFAULT/LMq8Kl3LkWGqticaaLl6IAGSsJ4.cer \
>     -inform DER -out ca.pem
>
> Finally, verify the signature over the Geofeed content against the
> authority:
>
> $ openssl cms -verify -content geofeed_tbs \
>     -in signature.der -inform DER -CAfile ca.pem
> 2001:67c:208c::/48,NL,NL-NH,Amsterdam
> Verification successful
>
> Conclusion
> ==========
>
> I believe with the above I've independently implemented all aspects of
> draft-ietf-opsawg-finding-geofeeds in one way or another, demonstrating
> the described procedures are correct, verifiable, and somewhat
> understandable.
>
> The prefix I used is a real-world example, allowing others to inspect
> the referenced inet6num RPSL object, the associated Geofeed file,
> including the authentication aspect. Appendix A was very helpful.
folk trying to verify this are whining about some missing code

randy

_______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg
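Added here as an example of the extraction steps quoted above (not Job's code and not from the draft): a small Python parser that splits a geofeed file into the to-be-signed content and the DER CMS signature, and checks that every RFC 8805 prefix sits inside the signing prefix. It assumes the signature block is framed by '# RPKI Signature: <prefix>' and '# End Signature: <prefix>' comment lines, that the base64 lines may carry a '# ' prefix, and that the signed content is every line before that header with CRLF line terminators (the content type is named id-ct-geofeedCSVwithCRLF).

```python
import base64
import ipaddress
import re

# Framing lines assumed from the draft; the page itself does not show them.
SIG_START = re.compile(r"^#\s*RPKI Signature:\s*(\S+)\s*$")
SIG_END = re.compile(r"^#\s*End Signature:\s*(\S+)\s*$")


def parse_rfc8805_line(line):
    """Parse 'prefix,country,region,city[,postal]'; ValueError on a bad prefix."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) < 4:
        raise ValueError(f"too few fields: {line!r}")
    return ipaddress.ip_network(fields[0], strict=True), fields[1:]


def split_geofeed(text):
    """Return (tbs_bytes, signature_der, signing_prefix) for a geofeed file."""
    lines = text.splitlines()
    start = next((i for i, ln in enumerate(lines) if SIG_START.match(ln)), None)
    if start is None:
        raise ValueError("no RPKI Signature block")
    prefix = SIG_START.match(lines[start]).group(1)
    end = next((i for i in range(start + 1, len(lines)) if SIG_END.match(lines[i])), None)
    if end is None or SIG_END.match(lines[end]).group(1) != prefix:
        raise ValueError("unterminated or mismatched signature block")
    signer = ipaddress.ip_network(prefix)
    # Every uncommented RFC 8805 line must fall inside the signing prefix.
    for ln in lines[:start]:
        if not ln.strip() or ln.startswith("#"):
            continue
        net, _ = parse_rfc8805_line(ln)
        if net.version != signer.version or not net.subnet_of(signer):
            raise ValueError(f"{net} is outside signing prefix {signer}")
    # Signed content: everything before the header, CRLF-terminated (assumed).
    tbs = "".join(ln + "\r\n" for ln in lines[:start]).encode()
    # Base64 lines may be '# '-prefixed comments; strip that before decoding.
    b64 = "".join(ln.lstrip("# ").strip() for ln in lines[start + 1:end])
    der = base64.b64decode(b64, validate=True)
    if not der or der[0] != 0x30:  # a CMS ContentInfo is a DER SEQUENCE
        raise ValueError("signature block is not a DER SEQUENCE")
    return tbs, der, prefix


# Constructed sample: the page's data line plus a placeholder 5-byte DER
# SEQUENCE standing in for a real CMS signature.
SAMPLE = ("2001:67c:208c::/48,NL,NL-NH,Amsterdam\n"
          "# RPKI Signature: 2001:67c:208c::/48\n"
          "# MAMCAQU=\n"
          "# End Signature: 2001:67c:208c::/48\n")
```

Write the returned tbs bytes to geofeed_tbs and the DER bytes to signature.der, then run the quoted `openssl cms -verify -content geofeed_tbs ... -CAfile ca.pem` step to check the signature against the RPKI-derived CA.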