Job:
> The example signature chain still is broken :-/
Thank you for your very careful review.
> 1/ The Trust Anchor cert still doesn't mark its RFC 3779
> autonomousSysNum extension as critical. RFC 6487 section 4.8.11
> requires this.
I must have done something very clumsy when I composed the XML, because looking
at my individual files, the extension is marked critical.
$ openssl x509 -in exampleta.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
12:08:32:70:da:05:55:18:c0:b8:df:c5:c3:b5:11:bb:40:c4:64:d0
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = example-ta
Validity
Not Before: Sep 19 20:33:39 2023 GMT
Not After : Sep 16 20:33:39 2033 GMT
Subject: CN = example-ta
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
C0:BD:52:5D:BE:D2:78:B2:16:EC:B3:A3:43:95:D2:06:0B:99:08:32
X509v3 Authority Key Identifier:
C0:BD:52:5D:BE:D2:78:B2:16:EC:B3:A3:43:95:D2:06:0B:99:08:32
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Certificate Policies: critical
Policy: ipAddr-asNumber
Subject Information Access:
RPKI Manifest - URI:rsync://rpki.example.net/repository/example-ta.mft
RPKI Notify - URI:https://rrdp.example.net/notification.xml
CA Repository - URI:rsync://rpki.example.net/repository/
sbgp-ipAddrBlock: critical
IPv4:
0.0.0.0/0
IPv6:
::/0
sbgp-autonomousSysNum: critical
Autonomous System Numbers:
0-4294967295
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
> 2/ The intermediate CA cert lists
>
> URI:rsync://rpki.example.net/repository/3ACE2CEF4FB21B7D11E3E184EFC1E297B3778642.crl
> as its CRLDP; but instead must reference
> URI:rsync://rpki.example.net/repository/example-ta.crl
> The intermediate CA is subordinate to the TA, and thus should
> reference the CRL signed by the TA (not the CRL it signed itself).
Indeed. This is a cut-and-paste error. Just corrected it.
I have a long plane ride tomorrow. I'll try to correctly generate the XML on
the plane.
Russ
_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg
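As an added checker (not part of Russ's reply or of the draft's example files), the following Python lints `openssl x509 -text` output for the two points raised in the review: both RFC 3779 extensions flagged critical (RFC 6487 section 4.8.11 and its IP-resource counterpart), and a subordinate CA's CRLDP naming the CRL its issuer signs. The embedded extension block is constructed for the example; the 192.0.2.0/24 prefix and AS64496 are documentation values.

```python
import re

# RFC 6487 (4.8.10/4.8.11): both RFC 3779 extensions must be marked critical.
REQUIRED_CRITICAL = ("sbgp-ipAddrBlock", "sbgp-autonomousSysNum")
# Extension header line: the name, then an optional trailing "critical" flag.
EXT_HDR = re.compile(r"^\s*(X509v3 [\w ]+|sbgp-\w+|Subject Information Access):\s*(critical)?\s*$")

def parse_extensions(text):
    """Return {extension name: (is_critical, body lines)} from openssl text output."""
    exts, current, in_exts = {}, None, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "X509v3 extensions:":
            in_exts = True
        elif in_exts and stripped.startswith("Signature Algorithm:"):
            break  # the trailing signature block ends the extension list
        elif in_exts and (m := EXT_HDR.match(line)):
            current = m.group(1)
            exts[current] = (m.group(2) == "critical", [])
        elif in_exts and current and stripped:
            exts[current][1].append(stripped)
    return exts

def check_rfc3779_critical(exts):
    """List RFC 3779 extensions that are absent or not flagged critical."""
    return [f"{n}: {'missing' if n not in exts else 'not critical'}"
            for n in REQUIRED_CRITICAL if n not in exts or not exts[n][0]]

def check_crldp(exts, issuer_crl_uri):
    """A subordinate cert's CRLDP must name the CRL its issuer signs, not its own."""
    body = exts.get("X509v3 CRL Distribution Points", (False, []))[1]
    uris = [ln.split("URI:", 1)[1] for ln in body if "URI:" in ln]
    bad = [f"CRLDP {u}: expected {issuer_crl_uri}" for u in uris if u != issuer_crl_uri]
    return bad if uris else ["CRLDP: missing"]
# Constructed extension block for the subordinate CA, carrying both defects the
# review raised: a non-critical autonomousSysNum and a CRLDP naming its own CRL.
INTERMEDIATE = """\
    X509v3 extensions:
        X509v3 CRL Distribution Points:
            Full Name:
              URI:rsync://rpki.example.net/repository/3ACE2CEF4FB21B7D11E3E184EFC1E297B3778642.crl
        sbgp-ipAddrBlock: critical
            IPv4:
              192.0.2.0/24
        sbgp-autonomousSysNum:
            Autonomous System Numbers:
              64496
    Signature Algorithm: sha256WithRSAEncryption
"""
TA_CRL = "rsync://rpki.example.net/repository/example-ta.crl"  # the CRL the TA signs
```

Run `check_rfc3779_critical` and `check_crldp` over `parse_extensions(INTERMEDIATE)` to see both findings; a corrected certificate yields empty lists from each.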