This repository has been archived by the owner on Jun 9, 2024. It is now read-only.

TA's tree should've been considered invalid because of invalid signature identifier #66

Closed
job opened this issue Aug 13, 2020 · 3 comments · Fixed by #69

Comments

@job

job commented Aug 13, 2020

Yesterday ARIN introduced incorrect algorithm identifier encodings in their RPKI data.

It appears that for some reason Cloudflare's RPKI validation process did not catch this error and continued to produce VRPs based on cryptographically invalid data.

A more detailed analysis of what transpired is available here http://sobornost.net/~job/arin-manifest-issue-2020.08.12.txt

ARIN confirmed the analysis was correct and is now working to restore CA services.

Tested on cfrpki 1.2.0-pre.

@job
Author

job commented Aug 13, 2020

A dump of the broken data is available here http://sobornost.net/~job/arin-broken-state-20200812.tar.gz

The RIR is expected to fix the issue in the next few hours.

@lspgn
Contributor

lspgn commented Aug 13, 2020

Thanks for raising! I'll try to come up with a fix by next week.

@mahtin

mahtin commented Aug 13, 2020

Cross-referencing over to NLnetLabs/routinator#365 (comment)

lspgn added a commit that referenced this issue Oct 15, 2020
* reported in #66
* signature identifier in CMS and EE certificate must be the same
* signature identifier must have NULL flag
* requires some hacks in order to check for NULL value (the Go library is flexible on conversion)
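
The commit above lists the checks a validator needs: the signature algorithm identifier in the CMS SignerInfo and in the EE certificate must be the same, and its parameters must be an explicit NULL. The Go program below is an added example of those two checks, not cfrpki's code and not the change in #69. It assumes the RPKI profile's sha256WithRSAEncryption OID (1.2.840.113549.1.1.11) and works on three DER AlgorithmIdentifier encodings that I constructed for illustration (they are not the ARIN data). It uses pkix.AlgorithmIdentifier from the standard library, whose Parameters field is an asn1.RawValue, so the exact bytes of the parameters can be compared instead of relying on how encoding/asn1 interprets them.

```go
package main

import (
	"bytes"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
)

// sha256WithRSAEncryption, the signature algorithm the RPKI profile requires.
var oidSHA256WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 11}

// DER encoding of an explicit NULL: tag 0x05, length 0.
var derNULL = []byte{0x05, 0x00}

// checkSignatureAlgorithm decodes one DER AlgorithmIdentifier and enforces two
// rules: the OID must be sha256WithRSAEncryption and the parameters must be an
// explicit NULL. Parameters is optional in pkix.AlgorithmIdentifier, so an
// absent field decodes without error and leaves FullBytes nil; comparing the
// raw bytes against 05 00 rejects that case as well as any non-NULL value.
func checkSignatureAlgorithm(der []byte) (pkix.AlgorithmIdentifier, error) {
	var id pkix.AlgorithmIdentifier
	rest, err := asn1.Unmarshal(der, &id)
	if err != nil {
		return id, fmt.Errorf("AlgorithmIdentifier: %w", err)
	}
	if len(rest) != 0 {
		return id, errors.New("AlgorithmIdentifier: trailing bytes")
	}
	if !id.Algorithm.Equal(oidSHA256WithRSA) {
		return id, fmt.Errorf("AlgorithmIdentifier: unexpected OID %v", id.Algorithm)
	}
	if !bytes.Equal(id.Parameters.FullBytes, derNULL) {
		return id, errors.New("AlgorithmIdentifier: parameters are not an explicit NULL")
	}
	return id, nil
}

// checkCMSMatchesEE applies the consistency rule: the signatureAlgorithm in the
// CMS SignerInfo and the one in the EE certificate must be identical, and both
// must individually pass checkSignatureAlgorithm.
func checkCMSMatchesEE(cmsAlg, eeAlg []byte) error {
	c, err := checkSignatureAlgorithm(cmsAlg)
	if err != nil {
		return fmt.Errorf("CMS SignerInfo: %w", err)
	}
	e, err := checkSignatureAlgorithm(eeAlg)
	if err != nil {
		return fmt.Errorf("EE certificate: %w", err)
	}
	if !c.Algorithm.Equal(e.Algorithm) || !bytes.Equal(c.Parameters.FullBytes, e.Parameters.FullBytes) {
		return errors.New("CMS and EE certificate signature algorithm identifiers differ")
	}
	return nil
}

// Constructed sample encodings for this example (not taken from any RIR's data).
var (
	// SEQUENCE { OID 1.2.840.113549.1.1.11, NULL }
	goodAlgID = []byte{0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00}
	// Same OID with the parameters field omitted entirely.
	missingNullAlgID = []byte{0x30, 0x0B, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B}
	// rsaEncryption (1.2.840.113549.1.1.1) with NULL: a key-type OID, not a signature algorithm.
	wrongOIDAlgID = []byte{0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00}
)

func main() {
	samples := map[string][]byte{"good": goodAlgID, "missing NULL": missingNullAlgID, "wrong OID": wrongOIDAlgID}
	for name, der := range samples {
		_, err := checkSignatureAlgorithm(der)
		fmt.Printf("%-12s -> %v\n", name, err)
	}
	fmt.Println("CMS vs EE (good / missing NULL):", checkCMSMatchesEE(goodAlgID, missingNullAlgID))
}
```

Comparing Parameters.FullBytes against the two bytes 05 00 is what makes the check strict: it fails when the field is absent, when it is present but not NULL, and when the length is encoded in a non-minimal way, without depending on how the decoder happens to represent any of those cases.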
@lspgn lspgn closed this as completed in #69 Oct 23, 2020