[Cryptech Tech] Some problems with the repo access

Rob Austein sra at hactrn.net
Sat Feb 15 01:07:04 UTC 2014


At Sat, 15 Feb 2014 09:23:41 +0900, Randy Bush wrote:
> 
> and, for those of us wishing to use the hack on other zones with other
> certs, what is at ca.hactrn.net?

I'm going to answer the question you probably meant first.

I suspect that what you meant to ask was "how might I go about
generating something like that for my own zone?"

Current answer is a quick Makefile hack; one could do better in a real
programming language, or maybe Jakob has a better tool:

    hactrn.net/tlsa.zone:  /usr/local/etc/certs/hactrn-cacert.pem
	    ( echo -n "ca.hactrn.net. TLSA 2 0 0 ("; \
	      openssl x509 -in $< -outform DER     | \
	      hexdump -v -e '"\n\t\t" 40/1 "%02x"' ; \
	      echo " )" ) >$@

I then $INCLUDE this into the final hactrn.net zone; hack as necessary
to suit your tool chain.

The digest-of-CA-certificate approach Jakob was suggesting would be
more like this (but, be warned that (a) this is keyboard and has not
been tested and (b) it relies on the TLS server supplying the CA
certificate, which your Apache may not, cryptech.is's doesn't):

    hactrn.net/tlsa.zone:  /usr/local/etc/certs/hactrn-cacert.pem
	    ( echo -n "ca.hactrn.net. TLSA 2 1 1 ("; \
	      openssl x509 -in $< -noout -pubkey   | \
	      openssl pkey -pubin -outform DER     | \
	      openssl dgst -sha256 -binary         | \
	      hexdump -v -e '"\n\t\t" 40/1 "%02x"' ; \
	      echo " )" ) >$@

I can go into detail about why I like this approach (rather than just
stuffing EE certificate digests into the DNS) if anybody cares.  For
now just take it as read that DANE allows both approaches.

The literal answer to the question you asked is:

    ; <<>> DiG 9.9.5 <<>> +dnssec TLSA ca.hactrn.net
    ;; ANSWER SECTION:
    ca.hactrn.net.          3600    IN      TLSA    2 0 0 (
            308204473082032FA003020102020100300D06092A864886F70D0101
            0505003075310B3009060355040613025553310B3009060355040813
            024D413110300E0603550407130752656164696E673121301F060355
            040A13184772756E636877656174686572204173736F636961746573
            3124302206092A864886F70D0109011615706F73746D617374657240
            68616374726E2E6E65743020170D3130303932353035333434325A18
            0F32313039303932353035333434325A3075310B3009060355040613
            025553310B3009060355040813024D413110300E0603550407130752
            656164696E673121301F060355040A13184772756E63687765617468
            6572204173736F6369617465733124302206092A864886F70D010901
            1615706F73746D61737465724068616374726E2E6E65743082012230
            0D06092A864886F70D01010105000382010F003082010A0282010100
            C1FEF6DD511A5A8CEEC890B2B448059043170DDD7B4530A16F8442A6
            A16B96CC1B284938FD5C3B22F05E2D835F97917CD61C7A71AEC2538A
            83FB8B5591A9C9EDD2614FD6B58D63CA8F1FD7CFCAE9641483CE0883
            64D9605F88220C78C6DC9BBC41C4FD125A71E12101C5E695125D805D
            7B1286FD4FAD2A42B7D594752FB4350900EF3DDC5C048D3CE045A084
            CCDFBA42DB59EE42EA1CA631536865F0E6CDFF16156070A4941E640D
            E547582B9376C3BA5C9FB515DAFF765056121BD7048D02F90DF3EACC
            978B7A6CE6525F9706A49F63F80F0B225D00F3AE75F967172A6D56FD
            C1AE6310604C8905E467B76A3969859DAB5C36C01D873EC120966D4A
            D7D804A10203010001A381DF3081DC300C0603551D13040530030101
            FF300B0603551D0F040403020106301D0603551D0E0416041424AD46
            55D4C798A417139E9B2E4FAD143D18C26630819F0603551D23048197
            308194801424AD4655D4C798A417139E9B2E4FAD143D18C266A179A4
            773075310B3009060355040613025553310B3009060355040813024D
            413110300E0603550407130752656164696E673121301F060355040A
            13184772756E636877656174686572204173736F6369617465733124
            302206092A864886F70D0109011615706F73746D6173746572406861
            6374726E2E6E6574820100300D06092A864886F70D01010505000382
            01010031E0739B8C7A865C1B72B47C01C8D23F84BFF3EA56E16B2692
            E2A564CC8FFC4E2B7360E95418BD5919CBB50A10F850D4E3B5641B50
            FDEE2F87631D4ACBB5BCA14E180775EBA6DA007A75668903959DB325
            BAE425C416BC25B3A2CEDF81CCBD0D2440BA807BC2613E5298516C26
            05C141934FA5125B703CEE8A57F76FABC216D44BFA10FBE5514B9258
            D05945ADE7D70D3C686D048B6CAB7ABBD8B6767ED3E093DB9F0B6877
            C2196F69A6657521469CF45C1605D8614A28B52874C945B69481E7E7
            6B3FB4F44DE975E7ADDCFE70B50209C85290F3A243DABF50581A5D47
            ADB2A95BE7A3C834EACB654A407EA0B8C45055568DA8234B9B16AD7B
            DD09404D0A67FF )
    ca.hactrn.net.          3600    IN      RRSIG   TLSA 14 3 3600 (
            20140316143636 20140214133636 62808 hactrn.net.
            IKsdRbMGx0A91eyHDMB4UKp2YGGS7aLWVau54WqeF7lPjWPFApX6qxlG
            qsopiSqxcaJqK+Cd12V/5N9/oNdFzyB+EWjai/yl0oL9CZTLBYHSEu8N
            GmIiIkUeAJDgHrIB )
