search

NLnetLabs / krill

RPKI Certificate Authority and Publication Server written in Rust
https://nlnetlabs.nl/projects/routing/krill/
Mozilla Public License 2.0
280 stars 37 forks source link

CSR rejected when SIA caRepository is a base URI. #1189

Closed x7mw4 closed 3 months ago

x7mw4 commented 3 months ago

Krill does not accept a CSR if the SIA "caRepository" access method URI is a "base uri". E.g., rsync://rsync.example.com/ (see Example1). When krill receives a certificate issuance request containing a CSR with such a caRepository access method, it fails to process the CSR:

400 Bad Request: {"label":"rfc6492-invalid-csr","msg":"Invalid CSR received: missing ca repository","args":{"cause":"missing ca repository"}}

If the caRepository URI has at least one path element then the CSR is processed correctly. E.g., rsync://rsync.example.com/repo/ (see Example2).

Please correct me if this is the expected behavior.

Example1 (rejected):

Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: 
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:94:d0:06:16:97:72:17:d9:01:05:6f:43:88:f7:
                    bc:33:60:5b:75:5e:0b:12:fa:fc:4f:65:17:18:ef:
                    ce:2a:6c:24:78:25:43:96:4b:fa:96:5c:71:59:2f:
                    d8:80:be:2d:cd:6e:1d:0b:3b:ec:fb:7e:41:01:2e:
                    73:cd:ce:8f:27:95:6d:05:68:e0:08:dc:6b:da:91:
                    27:27:64:c9:89:dd:db:ca:da:2a:a2:56:a4:f1:d2:
                    e6:80:4d:28:96:44:0c:7f:8d:61:ac:2b:a2:30:17:
                    96:95:13:25:89:c7:6d:17:d9:88:ed:61:a8:4d:f1:
                    49:3a:a8:43:96:e5:b2:32:24:b4:69:e9:4e:27:09:
                    79:98:81:07:a2:40:19:15:08:94:97:2b:08:ed:bf:
                    de:9d:04:81:a8:cf:dc:d9:22:b2:04:9b:4d:04:a8:
                    3d:9c:c7:67:65:6a:3a:24:fd:06:10:b6:b4:c2:f7:
                    ae:b6:b1:1b:b2:19:ba:24:54:98:6d:21:4a:26:8f:
                    96:2b:0c:85:2f:7e:a6:22:4c:7b:21:68:6f:1c:a0:
                    ab:ab:00:c7:d9:eb:35:e8:83:16:ef:b4:b5:78:ff:
                    a4:b5:c0:03:09:78:61:d9:df:91:22:13:88:2f:8b:
                    0e:54:d6:8a:35:c5:25:24:00:55:e5:9a:30:f0:f7:
                    49:4d
                Exponent: 65537 (0x10001)
        Attributes:
            Requested Extensions:
                X509v3 Basic Constraints: critical
                    CA:TRUE
                X509v3 Key Usage: critical
                    Certificate Sign, CRL Sign
                Subject Information Access: 
                    CA Repository - URI:rsync://rsync.example.com/
                    RPKI Manifest - URI:rsync://rsync.example.com/manifest.mft
                    RPKI Notify - URI:https://rrdp.example.com/notification.xml
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        91:2b:d9:18:34:34:40:e4:47:f0:89:3e:46:54:01:68:01:b5:
        0c:3c:d6:a7:f4:4c:f7:f4:27:42:e4:64:a4:27:15:9f:fa:aa:
        11:e9:d8:7a:df:69:2a:0e:38:aa:31:fa:42:32:6e:26:df:f3:
        81:cd:9e:8a:e5:cd:12:7d:8e:6a:04:13:9e:66:b3:76:4a:7e:
        df:12:cf:f1:d5:f5:25:ce:db:45:98:fe:f1:ef:f3:50:f9:3e:
        86:68:b0:90:a5:c9:6f:3e:19:2b:59:80:fe:6a:38:e1:20:72:
        e7:22:70:81:4f:c4:bd:74:1f:42:e4:89:a9:10:25:81:69:6d:
        08:c2:f0:49:7e:a1:a6:d5:c1:57:91:69:35:b6:8d:52:e8:9e:
        dd:f7:29:00:5e:ac:d8:3a:44:a7:c7:fd:d9:ed:a2:0d:ff:66:
        fd:43:e9:9a:48:9e:43:7e:a9:9b:76:15:35:00:4e:d1:77:22:
        a0:ea:85:0a:32:dc:75:2f:8d:0e:f8:6c:7b:50:75:d7:b0:e6:
        1a:80:cb:59:85:ab:39:91:af:30:4a:91:a5:02:a2:aa:52:4a:
        7e:5f:14:67:75:c1:04:07:6a:59:b2:19:22:89:ef:57:98:3e:
        e1:d9:44:33:d4:c7:59:57:22:ba:67:c6:50:c4:cc:e7:76:90:
        8d:9a:b5:9f
-----BEGIN CERTIFICATE REQUEST-----
MIIDITCCAgkCAQAwADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJTQ
BhaXchfZAQVvQ4j3vDNgW3VeCxL6/E9lFxjvzipsJHglQ5ZL+pZccVkv2IC+Lc1u
HQs77Pt+QQEuc83OjyeVbQVo4Ajca9qRJydkyYnd28raKqJWpPHS5oBNKJZEDH+N
YawrojAXlpUTJYnHbRfZiO1hqE3xSTqoQ5blsjIktGnpTicJeZiBB6JAGRUIlJcr
CO2/3p0EgajP3NkisgSbTQSoPZzHZ2VqOiT9BhC2tML3rraxG7IZuiRUmG0hSiaP
lisMhS9+piJMeyFobxygq6sAx9nrNeiDFu+0tXj/pLXAAwl4YdnfkSITiC+LDlTW
ijXFJSQAVeWaMPD3SU0CAwEAAaCB2zCB2AYJKoZIhvcNAQkOMYHKMIHHMA8GA1Ud
EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMIGjBggrBgEFBQcBCwSBljCBkzAm
BggrBgEFBQcwBYYacnN5bmM6Ly9yc3luYy5leGFtcGxlLmNvbS8wMgYIKwYBBQUH
MAqGJnJzeW5jOi8vcnN5bmMuZXhhbXBsZS5jb20vbWFuaWZlc3QubWZ0MDUGCCsG
AQUFBzANhilodHRwczovL3JyZHAuZXhhbXBsZS5jb20vbm90aWZpY2F0aW9uLnht
bDANBgkqhkiG9w0BAQsFAAOCAQEAkSvZGDQ0QORH8Ik+RlQBaAG1DDzWp/RM9/Qn
QuRkpCcVn/qqEenYet9pKg44qjH6QjJuJt/zgc2eiuXNEn2OagQTnmazdkp+3xLP
8dX1Jc7bRZj+8e/zUPk+hmiwkKXJbz4ZK1mA/mo44SBy5yJwgU/EvXQfQuSJqRAl
gWltCMLwSX6hptXBV5FpNbaNUuie3fcpAF6s2DpEp8f92e2iDf9m/UPpmkieQ36p
m3YVNQBO0XcioOqFCjLcdS+NDvhse1B117DmGoDLWYWrOZGvMEqRpQKiqlJKfl8U
Z3XBBAdqWbIZIonvV5g+4dlEM9THWVciumfGUMTM53aQjZq1nw==
-----END CERTIFICATE REQUEST-----

Example2 (accepted):

Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: 
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:94:d0:06:16:97:72:17:d9:01:05:6f:43:88:f7:
                    bc:33:60:5b:75:5e:0b:12:fa:fc:4f:65:17:18:ef:
                    ce:2a:6c:24:78:25:43:96:4b:fa:96:5c:71:59:2f:
                    d8:80:be:2d:cd:6e:1d:0b:3b:ec:fb:7e:41:01:2e:
                    73:cd:ce:8f:27:95:6d:05:68:e0:08:dc:6b:da:91:
                    27:27:64:c9:89:dd:db:ca:da:2a:a2:56:a4:f1:d2:
                    e6:80:4d:28:96:44:0c:7f:8d:61:ac:2b:a2:30:17:
                    96:95:13:25:89:c7:6d:17:d9:88:ed:61:a8:4d:f1:
                    49:3a:a8:43:96:e5:b2:32:24:b4:69:e9:4e:27:09:
                    79:98:81:07:a2:40:19:15:08:94:97:2b:08:ed:bf:
                    de:9d:04:81:a8:cf:dc:d9:22:b2:04:9b:4d:04:a8:
                    3d:9c:c7:67:65:6a:3a:24:fd:06:10:b6:b4:c2:f7:
                    ae:b6:b1:1b:b2:19:ba:24:54:98:6d:21:4a:26:8f:
                    96:2b:0c:85:2f:7e:a6:22:4c:7b:21:68:6f:1c:a0:
                    ab:ab:00:c7:d9:eb:35:e8:83:16:ef:b4:b5:78:ff:
                    a4:b5:c0:03:09:78:61:d9:df:91:22:13:88:2f:8b:
                    0e:54:d6:8a:35:c5:25:24:00:55:e5:9a:30:f0:f7:
                    49:4d
                Exponent: 65537 (0x10001)
        Attributes:
            Requested Extensions:
                X509v3 Basic Constraints: critical
                    CA:TRUE
                X509v3 Key Usage: critical
                    Certificate Sign, CRL Sign
                Subject Information Access: 
                    CA Repository - URI:rsync://rsync.example.com/repo/
                    RPKI Manifest - URI:rsync://rsync.example.com/repo/manifest.mft
                    RPKI Notify - URI:https://rrdp.example.com/notification.xml
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        63:f8:6e:52:cc:5b:98:ef:df:a7:2a:ce:1c:99:3d:e9:92:e4:
        5a:6e:20:a9:16:5c:9d:d5:db:1d:0f:b4:54:76:c4:04:68:03:
        64:4e:75:5b:ef:ad:86:92:61:00:46:df:c7:85:91:28:4d:29:
        25:d3:73:1d:70:f1:22:91:4c:30:99:48:32:07:29:27:a4:f8:
        28:4b:f3:e8:a6:2c:fd:fd:94:97:f5:eb:ae:3c:6e:cd:55:6b:
        f9:2d:e5:57:6f:da:5f:bf:e4:d5:30:e1:8b:e6:3b:8c:dd:76:
        f0:25:9e:22:a4:5b:48:3e:71:9f:65:c5:e6:08:21:51:01:e8:
        9a:e3:5f:de:f6:15:a6:34:b5:48:da:65:79:6e:fc:0d:40:36:
        13:fc:03:59:f3:21:7d:0a:f7:cd:bb:47:bf:71:89:27:82:79:
        b0:dd:ad:f3:b1:92:92:03:58:7b:6d:ed:70:2b:04:a8:fe:49:
        ec:98:33:77:24:24:4a:07:6a:b9:08:f2:70:d0:30:b1:71:2e:
        6b:ac:de:03:83:88:48:52:3a:1f:82:eb:0c:34:40:34:6d:b5:
        78:77:f6:32:01:a0:8d:77:07:e5:d7:1b:d6:d7:aa:9e:6c:59:
        ec:55:69:b7:af:af:5c:c5:e2:2a:a7:cc:5f:11:7a:ba:54:11:
        d0:51:3d:96
-----BEGIN CERTIFICATE REQUEST-----
MIIDKzCCAhMCAQAwADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJTQ
BhaXchfZAQVvQ4j3vDNgW3VeCxL6/E9lFxjvzipsJHglQ5ZL+pZccVkv2IC+Lc1u
HQs77Pt+QQEuc83OjyeVbQVo4Ajca9qRJydkyYnd28raKqJWpPHS5oBNKJZEDH+N
YawrojAXlpUTJYnHbRfZiO1hqE3xSTqoQ5blsjIktGnpTicJeZiBB6JAGRUIlJcr
CO2/3p0EgajP3NkisgSbTQSoPZzHZ2VqOiT9BhC2tML3rraxG7IZuiRUmG0hSiaP
lisMhS9+piJMeyFobxygq6sAx9nrNeiDFu+0tXj/pLXAAwl4YdnfkSITiC+LDlTW
ijXFJSQAVeWaMPD3SU0CAwEAAaCB5TCB4gYJKoZIhvcNAQkOMYHUMIHRMA8GA1Ud
EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMIGtBggrBgEFBQcBCwSBoDCBnTAr
BggrBgEFBQcwBYYfcnN5bmM6Ly9yc3luYy5leGFtcGxlLmNvbS9yZXBvLzA3Bggr
BgEFBQcwCoYrcnN5bmM6Ly9yc3luYy5leGFtcGxlLmNvbS9yZXBvL21hbmlmZXN0
Lm1mdDA1BggrBgEFBQcwDYYpaHR0cHM6Ly9ycmRwLmV4YW1wbGUuY29tL25vdGlm
aWNhdGlvbi54bWwwDQYJKoZIhvcNAQELBQADggEBAGP4blLMW5jv36cqzhyZPemS
5FpuIKkWXJ3V2x0PtFR2xARoA2ROdVvvrYaSYQBG38eFkShNKSXTcx1w8SKRTDCZ
SDIHKSek+ChL8+imLP39lJf16648bs1Va/kt5Vdv2l+/5NUw4YvmO4zddvAlniKk
W0g+cZ9lxeYIIVEB6JrjX972FaY0tUjaZXlu/A1ANhP8A1nzIX0K9827R79xiSeC
ebDdrfOxkpIDWHtt7XArBKj+SeyYM3ckJEoHarkI8nDQMLFxLmus3gODiEhSOh+C
6ww0QDRttXh39jIBoI13B+XXG9bXqp5sWexVabevr1zF4iqnzF8RerpUEdBRPZY=
-----END CERTIFICATE REQUEST-----
x7mw4 commented 3 months ago

Apologies, just realized that a URI without at least one element path is not a valid rsync URI [RFC5781].