randy/draft-9092update
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

ee cert pem from russ

Browse source
This commit is contained in:
Randy Bush 2023-09-13 08:43:01 -07:00
parent 49c464b452
commit 7a0189af1d
1 changed files with 195 additions and 211 deletions
Download patch file Download diff file Expand all files Collapse all files

406
draft-ietf-opsawg-9092-update.xml
View file

@ -473,9 +473,11 @@
format="default"/>.
</t>
<t>
The address range of the signing certificate MUST
cover all prefixes in the geofeed file it signs.
</t>
The address range of the signing certificate MUST cover all
prefixes on the geofeed file it signs. The certificate MUST NOT
include the Autonomous System Identifier Delegation certificate
extension <xref target="RFC3779"/>.
</t>
<t>
An address range A "covers" address range B if the range of B is
identical to or a subset of A. "Address range" is used here
@ -912,7 +914,8 @@
<t>
The trust anchor is represented by a self-signed certificate. As
usual in the RPKI, the trust anchor has authority over all IPv4
address blocks, all IPv6 address blocks, and all Autonomous System (AS) numbers.
address blocks, all IPv6 address blocks, and all Autonomous System
(AS) numbers.
</t>
<sourcecode type=""><![CDATA[
-----BEGIN CERTIFICATE-----
@ -978,16 +981,16 @@
-----END CERTIFICATE-----
]]></sourcecode>
<t>
The end-entity certificate is issued by the CA. This
certificate grants signature authority for one IPv4 address block
(192.0.2.0/24). Signature authority for AS numbers is not needed for
geofeed data signatures, so no AS numbers are included in the
certificate.</t>
The end-entity certificate is issued by the CA. This certificate
grants signature authority for one IPv4 address block (192.0.2.0/24).
Signature authority for AS numbers is not needed for geofeed data
signatures, so AS numbers MUST NOT be included in the certificate.
</t>
<sourcecode type=""><![CDATA[
-----BEGIN CERTIFICATE-----
MIIEpTCCA42gAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZuQwDQYJKoZIhvcNAQEL
MIIEXjCCA0agAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZuUwDQYJKoZIhvcNAQEL
BQAwMzExMC8GA1UEAxMoM0FDRTJDRUY0RkIyMUI3RDExRTNFMTg0RUZDMUUyOTdC
Mzc3ODY0MjAeFw0yMTA1MjAxNjA1NDVaFw0yMjAzMTYxNjA1NDVaMDMxMTAvBgNV
Mzc3ODY0MjAeFw0yMzA5MTIyMTI0MzJaFw0yNDA3MDgyMTI0MzJaMDMxMTAvBgNV
BAMTKDkxNDY1MkEzQkQ1MUMxNDQyNjAxOTg4ODlGNUM0NUFCRjA1M0ExODcwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCycTQrOb/qB2W3i3Ki8PhA/DEW
yii2TgGo9pgCwO9lsIRI6Zb/k+aSiWWP9kSczlcQgtPCVwr62hTQZCIowBN0BL0c
@ -995,21 +998,20 @@
BXuWloeymudh6WWJ+GDjwPXO3RiXBejBrOFNXhaFLe08y4DPfr/S/tXJOBm7QzQp
tmbPLYtGfprYu45liFFqqP94UeLpISfXd36AKGzqTFCcc3EW9l5UFE1MFLlnoEog
qtoLoKABt0IkOFGKeC/EgeaBdWLe469ddC9rQft5w6g6cmxG+aYDdIEB34zrAgMB
AAGjggGvMIIBqzAdBgNVHQ4EFgQUkUZSo71RwUQmAZiIn1xFq/BToYcwHwYDVR0j
AAGjggFoMIIBZDAdBgNVHQ4EFgQUkUZSo71RwUQmAZiIn1xFq/BToYcwHwYDVR0j
BBgwFoAUOs4s70+yG30R4+GE78Hil7N3hkIwDAYDVR0TAQH/BAIwADAOBgNVHQ8B
Af8EBAMCB4AwGAYDVR0gAQH/BA4wDDAKBggrBgEFBQcOAjBhBgNVHR8EWjBYMFag
VKBShlByc3luYzovL3Jwa2kuZXhhbXBsZS5uZXQvcmVwb3NpdG9yeS8zQUNFMkNF
RjRGQjIxQjdEMTFFM0UxODRFRkMxRTI5N0IzNzc4NjQyLmNybDBsBggrBgEFBQcB
AQRgMF4wXAYIKwYBBQUHMAKGUHJzeW5jOi8vcnBraS5leGFtcGxlLm5ldC9yZXBv
c2l0b3J5LzNBQ0UyQ0VGNEZCMjFCN0QxMUUzRTE4NEVGQzFFMjk3QjM3Nzg2NDIu
Y2VyMBkGCCsGAQUFBwEHAQH/BAowCDAGBAIAAQUAMEUGCCsGAQUFBwELBDkwNzA1
BggrBgEFBQcwDYYpaHR0cHM6Ly9ycmRwLmV4YW1wbGUubmV0L25vdGlmaWNhdGlv
bi54bWwwDQYJKoZIhvcNAQELBQADggEBAEjC98gVp0Mb7uiKaHylP0453mtJ+AkN
07fsK/qGw/e90DJv7cp1hvjj4uy3sgf7PJQ7cKNGrgybq/lE0jce+ARgVjbi2Brz
ZsWAnB846Snwsktw6cenaif6Aww6q00NspAepMBd2Vg/9sKFvOwJFVOgNcqiQiXP
5rGJPWBcOMv52a/7adjfXwpnOijiTOgMloQGmC2TPZpydZKjlxEATdFEQssa33xD
nlpp+/r9xuNVYRtRcC36oWraVA3jzN6F6rDE8r8xs3ylISVz6JeCQ4YRYwbMsjjc
/tiJLM7ZYxIe5IrYz1ZtN6n/SEssJAswRIgps2EhCt/HS2xAmGCOhgU=
Y2VyMBkGCCsGAQUFBwEHAQH/BAowCDAGBAIAAQUAMA0GCSqGSIb3DQEBCwUAA4IB
AQDQhboLqwjpRHppCszugzqgaH29mEzCDvkbtWbfo97u2Edf/gRtfUoJ0hxherfH
faBdkS/yCQSgZXnA1UwnsnkavoRlOtlKLMicZ/Al6O8ef9DPpm01yz09Zu94UFie
TCRJQorJ3d4aURC/7Ox/MXoQRdffwT2swSKkWst/r7FL6JN5ZdIznWjnOErQXXbM
Dxp361/3TXUjX5fvNkKf/tivaOCngoBpG1FLSN62gAiVWQhunXO7nP+1ugw+aCvP
5l7FXEvVmTscrmy5SETQiDKIDwB+BlwfFdHufmKSpsaasRGbIe6e1SzmpBsymj+Z
ppLVbCS7uCs/8yKfjZdkVI7K
-----END CERTIFICATE-----
]]></sourcecode>
<t>
@ -1017,197 +1019,179 @@
brevity, the other two certificates are not.
</t>
<sourcecode type=""><![CDATA[
0 1189: SEQUENCE {
4 909: SEQUENCE {
8 3: [0] {
10 1: INTEGER 2
: }
13 20: INTEGER 27AD394083D7F2B5B99B8670C775B2B96EE166E4
35 13: SEQUENCE {
37 9: OBJECT IDENTIFIER
: sha256WithRSAEncryption (1 2 840 113549 1 1 11)
48 0: NULL
: }
50 51: SEQUENCE {
52 49: SET {
54 47: SEQUENCE {
56 3: OBJECT IDENTIFIER commonName (2 5 4 3)
61 40: PrintableString
: '3ACE2CEF4FB21B7D11E3E184EFC1E297B3778642'
: }
: }
: }
103 30: SEQUENCE {
105 13: UTCTime 20/05/2021 16:05:45 GMT
120 13: UTCTime 16/03/2022 16:05:45 GMT
: }
135 51: SEQUENCE {
137 49: SET {
139 47: SEQUENCE {
141 3: OBJECT IDENTIFIER commonName (2 5 4 3)
146 40: PrintableString
: '914652A3BD51C144260198889F5C45ABF053A187'
: }
: }
: }
188 290: SEQUENCE {
192 13: SEQUENCE {
194 9: OBJECT IDENTIFIER rsaEncryption
: (1 2 840 113549 1 1 1)
205 0: NULL
: }
207 271: BIT STRING, encapsulates {
212 266: SEQUENCE {
216 257: INTEGER
: 00 B2 71 34 2B 39 BF EA 07 65 B7 8B 72 A2 F0 F8
: 40 FC 31 16 CA 28 B6 4E 01 A8 F6 98 02 C0 EF 65
: B0 84 48 E9 96 FF 93 E6 92 89 65 8F F6 44 9C CE
: 57 10 82 D3 C2 57 0A FA DA 14 D0 64 22 28 C0 13
: 74 04 BD 1C 2B 4F F9 93 58 A6 25 D8 B9 A9 D3 37
: 9E F2 AC C0 CF 02 9E 84 75 D6 F0 7C A5 01 70 AE
: E6 66 AF 9C 69 85 74 6F 13 E9 B3 B8 95 4B 82 ED
: 95 D6 EA 66 05 7B 96 96 87 B2 9A E7 61 E9 65 89
: F8 60 E3 C0 F5 CE DD 18 97 05 E8 C1 AC E1 4D 5E
: 16 85 2D ED 3C CB 80 CF 7E BF D2 FE D5 C9 38 19
: BB 43 34 29 B6 66 CF 2D 8B 46 7E 9A D8 BB 8E 65
: 88 51 6A A8 FF 78 51 E2 E9 21 27 D7 77 7E 80 28
: 6C EA 4C 50 9C 73 71 16 F6 5E 54 14 4D 4C 14 B9
: 67 A0 4A 20 AA DA 0B A0 A0 01 B7 42 24 38 51 8A
: 78 2F C4 81 E6 81 75 62 DE E3 AF 5D 74 2F 6B 41
: FB 79 C3 A8 3A 72 6C 46 F9 A6 03 74 81 01 DF 8C
: EB
477 3: INTEGER 65537
: }
: }
: }
482 431: [3] {
486 427: SEQUENCE {
490 29: SEQUENCE {
492 3: OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
497 22: OCTET STRING, encapsulates {
499 20: OCTET STRING
: 91 46 52 A3 BD 51 C1 44 26 01 98 88 9F 5C 45 AB
: F0 53 A1 87
: }
: }
521 31: SEQUENCE {
523 3: OBJECT IDENTIFIER authorityKeyIdentifier (2 5 29 35)
528 24: OCTET STRING, encapsulates {
530 22: SEQUENCE {
532 20: [0]
: 3A CE 2C EF 4F B2 1B 7D 11 E3 E1 84 EF C1 E2 97
: B3 77 86 42
: }
: }
: }
554 12: SEQUENCE {
556 3: OBJECT IDENTIFIER basicConstraints (2 5 29 19)
561 1: BOOLEAN TRUE
564 2: OCTET STRING, encapsulates {
566 0: SEQUENCE {}
: }
: }
568 14: SEQUENCE {
570 3: OBJECT IDENTIFIER keyUsage (2 5 29 15)
575 1: BOOLEAN TRUE
578 4: OCTET STRING, encapsulates {
580 2: BIT STRING 7 unused bits
: '1'B (bit 0)
: }
: }
584 24: SEQUENCE {
586 3: OBJECT IDENTIFIER certificatePolicies (2 5 29 32)
591 1: BOOLEAN TRUE
594 14: OCTET STRING, encapsulates {
596 12: SEQUENCE {
598 10: SEQUENCE {
600 8: OBJECT IDENTIFIER
: resourceCertificatePolicy (1 3 6 1 5 5 7 14 2)
: }
: }
: }
: }
610 97: SEQUENCE {
612 3: OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31)
617 90: OCTET STRING, encapsulates {
619 88: SEQUENCE {
621 86: SEQUENCE {
623 84: [0] {
625 82: [0] {
627 80: [6]
: 'rsync://rpki.example.net/repository/3ACE2CEF4F'
: 'B21B7D11E3E184EFC1E297B3778642.crl'
: }
: }
: }
: }
: }
: }
709 108: SEQUENCE {
711 8: OBJECT IDENTIFIER authorityInfoAccess
: (1 3 6 1 5 5 7 1 1)
721 96: OCTET STRING, encapsulates {
723 94: SEQUENCE {
725 92: SEQUENCE {
727 8: OBJECT IDENTIFIER caIssuers (1 3 6 1 5 5 7 48 2)
737 80: [6]
: 'rsync://rpki.example.net/repository/3ACE2CEF4F'
: 'B21B7D11E3E184EFC1E297B3778642.cer'
: }
: }
: }
: }
819 25: SEQUENCE {
821 8: OBJECT IDENTIFIER ipAddrBlocks (1 3 6 1 5 5 7 1 7)
831 1: BOOLEAN TRUE
834 10: OCTET STRING, encapsulates {
836 8: SEQUENCE {
838 6: SEQUENCE {
840 2: OCTET STRING 00 01
844 0: NULL
: }
: }
: }
: }
846 69: SEQUENCE {
848 8: OBJECT IDENTIFIER subjectInfoAccess
: (1 3 6 1 5 5 7 1 11)
858 57: OCTET STRING, encapsulates {
860 55: SEQUENCE {
862 53: SEQUENCE {
864 8: OBJECT IDENTIFIER '1 3 6 1 5 5 7 48 13'
874 41: [6]
: 'https://rrdp.example.net/notification.xml'
: }
: }
: }
: }
: }
: }
: }
917 13: SEQUENCE {
919 9: OBJECT IDENTIFIER sha256WithRSAEncryption
: (1 2 840 113549 1 1 11)
930 0: NULL
: }
932 257: BIT STRING
: 48 C2 F7 C8 15 A7 43 1B EE E8 8A 68 7C A5 3F 4E
: 39 DE 6B 49 F8 09 0D D3 B7 EC 2B FA 86 C3 F7 BD
: D0 32 6F ED CA 75 86 F8 E3 E2 EC B7 B2 07 FB 3C
: 94 3B 70 A3 46 AE 0C 9B AB F9 44 D2 37 1E F8 04
: 60 56 36 E2 D8 1A F3 66 C5 80 9C 1F 38 E9 29 F0
: B2 4B 70 E9 C7 A7 6A 27 FA 03 0C 3A AB 4D 0D B2
: 90 1E A4 C0 5D D9 58 3F F6 C2 85 BC EC 09 15 53
: A0 35 CA A2 42 25 CF E6 B1 89 3D 60 5C 38 CB F9
: D9 AF FB 69 D8 DF 5F 0A 67 3A 28 E2 4C E8 0C 96
: 84 06 98 2D 93 3D 9A 72 75 92 A3 97 11 00 4D D1
: 44 42 CB 1A DF 7C 43 9E 5A 69 FB FA FD C6 E3 55
: 61 1B 51 70 2D FA A1 6A DA 54 0D E3 CC DE 85 EA
: B0 C4 F2 BF 31 B3 7C A5 21 25 73 E8 97 82 43 86
: 11 63 06 CC B2 38 DC FE D8 89 2C CE D9 63 12 1E
: E4 8A D8 CF 56 6D 37 A9 FF 48 4B 2C 24 0B 30 44
: 88 29 B3 61 21 0A DF C7 4B 6C 40 98 60 8E 86 05
: }
0 1118: SEQUENCE {
4 838: SEQUENCE {
8 3: [0] {
10 1: INTEGER 2
: }
13 20: INTEGER 27 AD 39 40 83 D7 F2 B5 B9 9B 86 70 C7 75 B2 B9 6E E1 66 E5
35 13: SEQUENCE {
37 9: OBJECT IDENTIFIER
: sha256WithRSAEncryption (1 2 840 113549 1 1 11)
48 0: NULL
: }
50 51: SEQUENCE {
52 49: SET {
54 47: SEQUENCE {
56 3: OBJECT IDENTIFIER commonName (2 5 4 3)
61 40: PrintableString '3ACE2CEF4FB21B7D11E3E184EFC1E297B3778642'
: }
: }
: }
103 30: SEQUENCE {
105 13: UTCTime 12/09/2023 21:24:32 GMT
120 13: UTCTime 08/07/2024 21:24:32 GMT
: }
135 51: SEQUENCE {
137 49: SET {
139 47: SEQUENCE {
141 3: OBJECT IDENTIFIER commonName (2 5 4 3)
146 40: PrintableString '914652A3BD51C144260198889F5C45ABF053A187'
: }
: }
: }
188 290: SEQUENCE {
192 13: SEQUENCE {
194 9: OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
205 0: NULL
: }
207 271: BIT STRING, encapsulates {
212 266: SEQUENCE {
216 257: INTEGER
: 00 B2 71 34 2B 39 BF EA 07 65 B7 8B 72 A2 F0 F8
: 40 FC 31 16 CA 28 B6 4E 01 A8 F6 98 02 C0 EF 65
: B0 84 48 E9 96 FF 93 E6 92 89 65 8F F6 44 9C CE
: 57 10 82 D3 C2 57 0A FA DA 14 D0 64 22 28 C0 13
: 74 04 BD 1C 2B 4F F9 93 58 A6 25 D8 B9 A9 D3 37
: 9E F2 AC C0 CF 02 9E 84 75 D6 F0 7C A5 01 70 AE
: E6 66 AF 9C 69 85 74 6F 13 E9 B3 B8 95 4B 82 ED
: 95 D6 EA 66 05 7B 96 96 87 B2 9A E7 61 E9 65 89
: F8 60 E3 C0 F5 CE DD 18 97 05 E8 C1 AC E1 4D 5E
: 16 85 2D ED 3C CB 80 CF 7E BF D2 FE D5 C9 38 19
: BB 43 34 29 B6 66 CF 2D 8B 46 7E 9A D8 BB 8E 65
: 88 51 6A A8 FF 78 51 E2 E9 21 27 D7 77 7E 80 28
: 6C EA 4C 50 9C 73 71 16 F6 5E 54 14 4D 4C 14 B9
: 67 A0 4A 20 AA DA 0B A0 A0 01 B7 42 24 38 51 8A
: 78 2F C4 81 E6 81 75 62 DE E3 AF 5D 74 2F 6B 41
: FB 79 C3 A8 3A 72 6C 46 F9 A6 03 74 81 01 DF 8C
: EB
477 3: INTEGER 65537
: }
: }
: }
482 360: [3] {
486 356: SEQUENCE {
490 29: SEQUENCE {
492 3: OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
497 22: OCTET STRING, encapsulates {
499 20: OCTET STRING
: 91 46 52 A3 BD 51 C1 44 26 01 98 88 9F 5C 45 AB
: F0 53 A1 87
: }
: }
521 31: SEQUENCE {
523 3: OBJECT IDENTIFIER authorityKeyIdentifier (2 5 29 35)
528 24: OCTET STRING, encapsulates {
530 22: SEQUENCE {
532 20: [0]
: 3A CE 2C EF 4F B2 1B 7D 11 E3 E1 84 EF C1 E2 97
: B3 77 86 42
: }
: }
: }
554 12: SEQUENCE {
556 3: OBJECT IDENTIFIER basicConstraints (2 5 29 19)
561 1: BOOLEAN TRUE
564 2: OCTET STRING, encapsulates {
566 0: SEQUENCE {}
: }
: }
568 14: SEQUENCE {
570 3: OBJECT IDENTIFIER keyUsage (2 5 29 15)
575 1: BOOLEAN TRUE
578 4: OCTET STRING, encapsulates {
580 2: BIT STRING 7 unused bits
: '1'B (bit 0)
: }
: }
584 24: SEQUENCE {
586 3: OBJECT IDENTIFIER certificatePolicies (2 5 29 32)
591 1: BOOLEAN TRUE
594 14: OCTET STRING, encapsulates {
596 12: SEQUENCE {
598 10: SEQUENCE {
600 8: OBJECT IDENTIFIER
: resourceCertificatePolicy (1 3 6 1 5 5 7 14 2)
: }
: }
: }
: }
610 97: SEQUENCE {
612 3: OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31)
617 90: OCTET STRING, encapsulates {
619 88: SEQUENCE {
621 86: SEQUENCE {
623 84: [0] {
625 82: [0] {
627 80: [6]
: 'rsync://rpki.example.net/repository/3ACE2CEF4FB2'
: '1B7D11E3E184EFC1E297B3778642.crl'
: }
: }
: }
: }
: }
: }
709 108: SEQUENCE {
711 8: OBJECT IDENTIFIER authorityInfoAccess (1 3 6 1 5 5 7 1 1)
721 96: OCTET STRING, encapsulates {
723 94: SEQUENCE {
725 92: SEQUENCE {
727 8: OBJECT IDENTIFIER caIssuers (1 3 6 1 5 5 7 48 2)
737 80: [6]
: 'rsync://rpki.example.net/repository/3ACE2CEF4FB2'
: '1B7D11E3E184EFC1E297B3778642.cer'
: }
: }
: }
: }
819 25: SEQUENCE {
821 8: OBJECT IDENTIFIER ipAddrBlocks (1 3 6 1 5 5 7 1 7)
831 1: BOOLEAN TRUE
834 10: OCTET STRING, encapsulates {
836 8: SEQUENCE {
838 6: SEQUENCE {
840 2: OCTET STRING 00 01
844 0: NULL
: }
: }
: }
: }
: }
: }
: }
846 13: SEQUENCE {
848 9: OBJECT IDENTIFIER sha256WithRSAEncryption (1 2 840 113549 1 1 11)
859 0: NULL
: }
861 257: BIT STRING
: D0 85 BA 0B AB 08 E9 44 7A 69 0A CC EE 83 3A A0
: 68 7D BD 98 4C C2 0E F9 1B B5 66 DF A3 DE EE D8
: 47 5F FE 04 6D 7D 4A 09 D2 1C 61 7A B7 C7 7D A0
: 5D 91 2F F2 09 04 A0 65 79 C0 D5 4C 27 B2 79 1A
: BE 84 65 3A D9 4A 2C C8 9C 67 F0 25 E8 EF 1E 7F
: D0 CF A6 6D 35 CB 3D 3D 66 EF 78 50 58 9E 4C 24
: 49 42 8A C9 DD DE 1A 51 10 BF EC EC 7F 31 7A 10
: 45 D7 DF C1 3D AC C1 22 A4 5A CB 7F AF B1 4B E8
: 93 79 65 D2 33 9D 68 E7 38 4A D0 5D 76 CC 0F 1A
: 77 EB 5F F7 4D 75 23 5F 97 EF 36 42 9F FE D8 AF
: 68 E0 A7 82 80 69 1B 51 4B 48 DE B6 80 08 95 59
: 08 6E 9D 73 BB 9C FF B5 BA 0C 3E 68 2B CF E6 5E
: C5 5C 4B D5 99 3B 1C AE 6C B9 48 44 D0 88 32 88
: 0F 00 7E 06 5C 1F 15 D1 EE 7E 62 92 A6 C6 9A B1
: 11 9B 21 EE 9E D5 2C E6 A4 1B 32 9A 3F 99 A6 92
: D5 6C 24 BB B8 2B 3F F3 22 9F 8D 97 64 54 8E CA
: }
]]></sourcecode>
<t>
To allow reproduction of the signature results, the end-entity