[Gllug] X.509 authentication for RIPE updates

David Damerell damerell at chiark.greenend.org.uk
Fri Feb 5 17:18:42 UTC 2010


Is anyone using X.509 authentication for RIPE updates? We're trying
to, and it's driving me mad. Here's what I've done so far, in the hope
that one of you chaps does do it and can say "Oh, not that, you idiot".

I'm not a LIR, so I generate my own self-signed certificate:

openssl req -new -newkey rsa:2048 -x509 -days 7000 >cert

Why -days 7000? If the end of validity is past 2038, it shows up as
being 1973 or whenever UNIX time_t starts. I supply a passphrase,
selected by the usual method of picking up a book and opening it
somewhere.

This also generates a file "privkey.pem". I cat them together:

cat cert privkey.pem > certandprivkey.pem

I create a RIPE X.509 keycert object, using:

< cert perl -nwe 'print "certif: "; print'

to get a series of "certif" lines in the correct format, then input
that via Webupdates to create a new key-cert object, X509-2106 (all
numbers/names have been changed to protect the guilty). I add that as
an "auth" line to WAZCO-MNT using the existing MD5 password.

I prepare a file called "update" which is the text of WAZCO-MNT
altered slightly, and sign it with:

/usr/local/ssl/bin/openssl smime -sign -in update -out update.signed -signer certandprivkey.pem

That produces a bit of headers and email message body. My email client
lets me just edit the headers as I please, so I'm away.

Problem; openssl smime replaces LF with CR/LF pairs, but RIPE's email
updates regards CR/LF pairs as separating objects from each
other. Eventually I settle on replacing all the LF in my update with
CR alone, to produce a file "update2" (and signing that). I can now
send the update to RIPE and have it rejected for incorrect
authorisation rather than failing the syntax check.

I get worried that my email client is permuting the message somehow,
so I prepare my signed message with:

/usr/local/ssl/bin/openssl smime -text -to auto-dbm at ripe.net -from damerell at chiark.greenend.org.uk -sign -in update2 -out update.signed -signer certandprivkey.pem

and send it with:

 < update.signed sendmail -bm auto-dbm at ripe.net damerell

But, no matter what, RIPE tell me every time:

***Info: Authorisation for  [mntner] WAZCO-MNT
         using mnt-by:
         not authenticated by: WAZCO-MNT

/usr/local/ssl/bin/openssl smime -verify -in update.signed -out update.out -noverify

"noverify" just means "don't check the certificate chain". And that
says the signed messages are fine.


-- 
David Damerell <damerell at chiark.greenend.org.uk>
Clown shoes. I hope that doesn't bother you.
Today is Epithumia, February - a weekend.
Tomorrow will be Olethros, February - a weekend.
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
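The workflow from the post, reproduced end to end as an added example (this is not code from the post, from RIPE or from OpenSSL's documentation). It generates a self-signed certificate, builds the "certif:" lines, signs a constructed mntner object with openssl smime, and then checks the two points the post runs into: the signed copy acquires CR/LF line endings the input never had (S/MIME canonicalises text content to CR/LF before signing), and the signature can be verified against the self-signed certificate itself with -CAfile rather than skipping the chain check with -noverify. Assumptions: the key is generated without a passphrase (-nodes) so the script runs unattended, and EXAMPLE-MNT, X509-1 and the CN are placeholder values.

```shell
#!/bin/sh
# Added example, not code from the original post: the key-cert workflow
# end to end with OpenSSL, plus checks for the two things the post trips
# over (CR/LF canonicalisation and verifying a self-signed signer).
# Assumptions: no passphrase on the key (-nodes) so it runs unattended,
# and constructed sample data (EXAMPLE-MNT and X509-1 are placeholders).
set -eu

# Self-signed certificate and key, non-interactive. The post uses
# -days 7000; 365 here keeps the run independent of the 2038 issue.
make_selfsigned() {                     # $1 = working directory
    openssl req -new -x509 -newkey rsa:2048 -nodes \
        -subj "/CN=ripe-keycert-example" -days 365 \
        -keyout "$1/privkey.pem" -out "$1/cert" 2>/dev/null
    # "openssl smime -signer" reads the key from the same file when -inkey is absent
    cat "$1/cert" "$1/privkey.pem" > "$1/certandprivkey.pem"
}

# Print notAfter so the end of validity can be checked by eye (2038 wrap).
cert_enddate() { openssl x509 -in "$1/cert" -noout -enddate; }

# Prefix every PEM line with "certif: " for the key-cert object
# (same result as the perl one-liner in the post).
certif_lines() { sed 's/^/certif: /' "$1/cert"; }

# A constructed mntner object with LF line endings only.
write_update() {
    printf '%s\n' \
        'mntner:  EXAMPLE-MNT' \
        'descr:   constructed object for the S/MIME test' \
        'auth:    X509-1' \
        'mnt-by:  EXAMPLE-MNT' \
        'source:  RIPE' > "$1/update"
}

# Detached (multipart/signed) signature; -text adds the text/plain header.
# S/MIME canonical form for text is CR/LF, which is why the signed copy
# gains CR bytes the input never had.
sign_update() {
    openssl smime -sign -text -in "$1/update" -out "$1/update.signed" \
        -signer "$1/certandprivkey.pem"
}

# Number of CR bytes in a file.
cr_count() { tr -cd '\r' < "$1" | wc -c | tr -d ' '; }

# Verify with the self-signed cert as the trust anchor instead of
# -noverify, so the chain check is exercised rather than skipped.
# -text strips the text/plain header again, leaving just the object.
verify_update() {
    openssl smime -verify -text -in "$1/update.signed" \
        -CAfile "$1/cert" -out "$1/update.out"
}

main() {
    d=$(mktemp -d)
    make_selfsigned "$d"
    cert_enddate "$d"
    certif_lines "$d" | head -n 3
    write_update "$d"
    sign_update "$d"
    echo "CR bytes in update:        $(cr_count "$d/update")"
    echo "CR bytes in update.signed: $(cr_count "$d/update.signed")"
    verify_update "$d"
    echo "body recovered to $d/update.out"
    rm -rf "$d"
}

main
```

The recovered body in update.out still carries the CR/LF endings, because that is the form the signature covers; anything that strips or rewrites line endings between signing and verification will break the signature, so whatever translation is applied to the object (as the post does with CR alone) has to happen before openssl smime -sign, not after.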