a ROA with EE cert replaced with specially-crafted invalid cert is sort-of accepted in certain circumstances #28

Open
dseomn opened this issue Nov 5, 2015 · 0 comments

dseomn commented Nov 5, 2015

With the following sequence of events:

  1. empty the RPSTIR database
  2. get/generate a valid ROA file and call it good.roa
  3. extract the EE certificate
  4. invalidate the extracted EE certificate in some way that's not immediately detectable by RPSTIR without additional information (e.g., re-issue the same EE cert from different CA that doesn't hold the resources in the EE cert)
  5. put the bad certificate back in the ROA and call the resulting file bad.roa
  6. add bad.roa into the RPSTIR database
  7. add the original good.roa into the database
  8. add all of the relevant CA certificates

RPSTIR will print the following error message when adding good.roa:

ERR: Add failed: good.roa: error Duplicate signature (-90)

and the query utility will report bad.roa and good.roa.cer as accepted. It should accept good.roa, not bad.roa (the two are identical, however, when you ignore the EE cert).

Reported by: rhansen

Original Ticket: rpstir/tickets/28
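
A simplified model of the ordering problem in steps 6 to 8, added here as an illustration; it is not RPSTIR code and does not come from the reporter. It assumes the duplicate check is keyed on the signature alone (inferred from the error text) and contrasts that with one possible hardening, a key that covers the whole object including the EE certificate. The names `Roa`, `Store`, `replay`, `by_signature`, `by_digest` and all sample values are constructed.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Roa:
    name: str
    signature: bytes     # CMS signature value, unchanged when only the EE cert is swapped
    ee_issuer: str       # CA that issued the embedded EE certificate
    prefixes: frozenset  # resources listed in the EE certificate

    def digest(self) -> str:
        # Covers the whole object, EE certificate included (file name excluded).
        body = b"|".join([self.signature, self.ee_issuer.encode(),
                          ",".join(sorted(self.prefixes)).encode()])
        return hashlib.sha256(body).hexdigest()

class Store:
    """Object store whose duplicate check uses the supplied key function."""
    def __init__(self, key):
        self.key, self.objects = key, {}

    def add(self, roa):
        k = self.key(roa)
        if k in self.objects:
            return f"ERR: Add failed: {roa.name}: duplicate"
        self.objects[k] = roa
        return "ok"

def valid_names(store, ca_holdings):
    """Names of stored ROAs whose EE cert issuer actually holds the EE resources."""
    return sorted(r.name for r in store.objects.values()
                  if r.prefixes <= ca_holdings.get(r.ee_issuer, frozenset()))

# Constructed sample data (not taken from the issue).
SIG = b"\x01" * 32
PFX = frozenset({"192.0.2.0/24"})
GOOD = Roa("good.roa", SIG, "CA-holder", PFX)
BAD = Roa("bad.roa", SIG, "CA-other", PFX)  # same EE cert re-issued by a CA without the prefix
CAS = {"CA-holder": PFX, "CA-other": frozenset({"198.51.100.0/24"})}

def replay(key):
    """Steps 6-8 of the report: bad.roa first, then good.roa, then the CA certificates."""
    store = Store(key)
    results = [store.add(BAD), store.add(GOOD)]
    return results, valid_names(store, CAS)

def by_signature(roa): return roa.signature  # assumed behaviour behind error -90
def by_digest(roa): return roa.digest()      # hardened: EE cert is part of the key
```

With the signature key, good.roa is shut out and no valid ROA remains once the CA certificates arrive; with the digest key both files are stored and only good.roa validates. The model does not cover why the query utility reports bad.roa as accepted.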

rhansen added a commit to rhansen/rpstir that referenced this issue Jan 18, 2016
rhansen added a commit to rhansen/rpstir that referenced this issue Feb 18, 2016
rhansen added a commit to rhansen/rpstir that referenced this issue Feb 18, 2016
@rhansen rhansen added the bug label Feb 19, 2016
@rhansen rhansen removed their assignment Feb 19, 2016
rhansen added a commit to rhansen/rpstir that referenced this issue Feb 20, 2016
rhansen added a commit to rhansen/rpstir that referenced this issue Feb 24, 2016
rhansen added a commit to rhansen/rpstir that referenced this issue Feb 26, 2016
rhansen added a commit to rhansen/rpstir that referenced this issue Apr 22, 2016