Open lixincnnic opened 7 years ago
As described, this transaction doesn't make sense: identity.xml doesn't contain CMS, and even if it did there would be no reason to include a CRL for a trust anchor. I suspect something has been left out of this report. -- Sent from a phone, please excuse brevity and typos.
Thanks for your reply.
I am from CNNIC; I will describe my problem more clearly.
We use rpki-1.0. In the step of connecting the CNNIC RPKI production environment to the APNIC RPKI production environment, we did the following operations.
① On the CNNIC side, we did
and sent A9162E3D0000.identity.xml to APNIC.
And APNIC said: "The A9162E3D0000.identity.xml attached to the email contains a BPKI TA certificate, rather than a signing certificate. What is needed is the certificate that is being used to sign the messages sent over the provisioning protocol."
So my first problem is: "how to generate the certificate?"
② APNIC sent us parent-response.xml, and on the CNNIC side we did
③ On the CNNIC side we did
and then APNIC allocated resources for CNNIC, but CNNIC couldn't get the resources from APNIC. We modified models.py and CNNIC got the resources successfully.
# diff -Nuar models.py-org models.py
--- models.py-org 2017-08-09 17:14:41.088684218 +0800
+++ models.py 2017-08-10 09:39:12.758301237 +0800
@@ -742,8 +742,7 @@
keypair = ca_detail.private_key_id,
is_ca = True,
caRepository = ca.sia_uri,
- rpkiManifest = ca_detail.manifest_uri,
- rpkiNotify = ca.parent.repository.rrdp_notification_uri)
+ rpkiManifest = ca_detail.manifest_uri)
q_msg = self._compose_up_down_query("issue")
q_pdu = SubElement(q_msg, rpki.up_down.tag_request, class_name = ca.parent_resource_class)
q_pdu.text = pkcs10.get_Base64()
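Review bot: The two removed lines drop the `rpkiNotify` keyword argument, so the PKCS #10 request built here no longer advertises an RRDP notification URI in its SIA extension; that changes what the child asks its parent to certify rather than addressing why the parent rejected the request, so it is a workaround and should be reverted once the parent-side problem is fixed, as suggested later in the thread. Since the hunk also moves the closing parenthesis onto `rpkiManifest = ca_detail.manifest_uri)`, a one-line comment above it recording why the field was removed would help whoever reverts it.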
But after about one month, CNNIC couldn't get resources from APNIC again; in rpkid.log we see the error "HTTPError: HTTP 400: Bad Request".
And APNIC said: "Your system appears to be reissuing provisioning protocol signing certificates each month. As a result, we will need to manually update our system whenever a new signing certificate is issued, until your system is able to include CRLs with the requests. Once CRLs are included, we can revert to using standard certificate chain validation."
So my second problem is "how to include CRLs with the requests", and "how to deal with the fact that my system is reissuing provisioning protocol signing certificates each month".
Thanks & Regards,
lixin
APNIC is investigating, more when we hear back.
We're aware of a problem in APNIC code and we're working on it. I would suggest that the temporary fixes you applied should be removed.
Yes, we have removed the temporary fixes.
In the step of connecting the CNNIC RPKI production environment to the APNIC RPKI production environment, we used "rpkic create_identity A9162E3D0000" to create identity.xml and sent it to APNIC. APNIC said "lack of a CRL in the CMS", and CNNIC cannot get the resource list from APNIC.
So how to include a CRL in the CMS?
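A diagnostic for the "lack of a CRL in the CMS" complaint in this thread, added here as an example (not rpki.net's or APNIC's code): it walks the DER of a CMS ContentInfo and reports whether the SignedData carries a non-empty `crls [1]` field, which is what a parent doing standard chain validation needs to find. The sample messages it checks are constructed skeletons with placeholder certificate and CRL bytes, not real RPKI provisioning messages.

```python
# Added example: does a CMS ContentInfo's SignedData carry a CRL in its optional
# `crls [1] IMPLICIT RevocationInfoChoices` field (RFC 5652)?
ID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2

def _read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV starting at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value: bytes):
    """Yield (tag, value) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner

def cms_has_crl(der: bytes) -> bool:
    """True if the outer ContentInfo wraps a SignedData whose crls field is present and non-empty."""
    tag, content_info, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ContentInfo is not a SEQUENCE")
    fields = list(_children(content_info))
    if fields[0] != (0x06, ID_SIGNED_DATA):
        raise ValueError("contentType is not id-signedData")
    _, signed_data, _ = _read_tlv(fields[1][1], 0)   # [0] EXPLICIT content -> SignedData SEQUENCE
    for tag, value in _children(signed_data):
        if tag == 0xA1:                              # context-specific [1], constructed
            return len(value) > 0
    return False

def _tlv(tag: int, value: bytes) -> bytes:
    """DER-encode a TLV (short or long-form length)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def sample_signed_data(with_crl: bool) -> bytes:
    """Constructed SignedData skeleton with placeholder cert/CRL bytes (not a real RPKI object)."""
    body = _tlv(0x02, b"\x03")                                                       # version 3
    body += _tlv(0x31, _tlv(0x30, _tlv(0x06, bytes.fromhex("608648016503040201"))))  # sha256
    body += _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010701")))              # encapContentInfo: id-data
    body += _tlv(0xA0, _tlv(0x30, b"placeholder-certificate"))                       # [0] certificates
    if with_crl:
        body += _tlv(0xA1, _tlv(0x30, b"placeholder-crl"))                           # [1] crls
    body += _tlv(0x31, b"")                                                          # signerInfos (empty here)
    return _tlv(0x30, _tlv(0x06, ID_SIGNED_DATA) + _tlv(0xA0, _tlv(0x30, body)))
```

Run `cms_has_crl()` over the DER of an outgoing up-down message (the CMS bytes, after any base64 decoding) to confirm the CRL is present before sending it to the parent.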