Score:0

AWS BYOIP: The CidrAuthorizationContext signature could not be verified with the X509 certificates in the RIR records


My goal

I am trying to bring my own /46 IPv6 prefix to Amazon AWS following this documentation: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html#prepare-for-byoip

What I need in a nutshell:

signing "1|aws|123456789012|abcd:efab:cde::/46|20230101|SHA256|RSAPSS" with my private key in a way that Amazon can verify the signature using my certificate.

What I did so far

So, I've followed the guide, put a ROA record allowing Amazon's ASNs to announce the /46 prefix (of the /44 IPv6 PA assigned to my ASN). Furthermore, I added the certificate to the descr element of my inet6num object. Amazon seems to load it, too.

The certificate was generated as follows:

$ openssl genpkey -aes256 -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out private-key.pem
$ openssl rsa -in private-key.pem -pubout > public-key.pem
$ openssl req -new -x509 -key private-key.pem -days 365 | tr -d "\n" > certificate.pem

When I enter

$ aws ec2 describe-byoip-cidrs --max-results 5 --region eu-central-1

The result looks like this:

{
    "ByoipCidr": {
        "Cidr": "abcd:efab:cde::/46",
        "StatusMessage": "The CidrAuthorizationContext signature could not be verified with the X509 certificates in the RIR records.",
        "State": "failed-provision"
    }
}

So, I tried this:

$ echo "1|aws|123456789012|abcd:efab:cde::/46|20230101|SHA256|RSAPSS" > file.txt
$ cat file.txt | openssl dgst -sha256 -sign private-key.pem -keyform PEM > rsasign.txt
$ openssl sha256 -verify certificate.pem -signature rsasign.txt file.txt
unable to load key file

The signature is only verified when I enter:

$ openssl sha256 -verify public-key.pem -signature rsasign.txt file.txt
Verified OK

I believe that's the reason for the message "The CidrAuthorizationContext signature could not be verified with the X509 certificates in the RIR records". Amazon needs to be able to verify the signature using just the certificate after all.

Question: How do I sign a text using my private key in a way the signature will be verified using the certificate (not the public key)? Does anyone have any concrete advice with BYOIP?

mangohost
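Added example, not code from the original post or from AWS: it generates a throwaway key and self-signed certificate, signs the context string with RSA-PSS (the scheme the "RSAPSS" field names), and verifies it using only the public key extracted from the certificate, since `openssl dgst -verify` accepts a public key rather than an X.509 certificate. The function names, the `byoip-example` subject and the temp paths are my own; the base64 plus `+=/` to `-_~` substitution follows the AWS guide linked in the question and is assumed here to be what the API expects.

```shell
#!/bin/sh
# Added example, not from the original post. Signs the BYOIP
# CidrAuthorizationContext string with RSA-PSS/SHA-256 and verifies it
# with nothing but the X.509 certificate, i.e. what a verifier that only
# reads the RIR record has. Needs the openssl CLI; key, certificate and
# message are constructed here; account id, prefix and date are the
# placeholders from the question.
set -eu

WORK=$(mktemp -d)
KEY="$WORK/private-key.pem"
CERT="$WORK/certificate.pem"
MSG="1|aws|123456789012|abcd:efab:cde::/46|20230101|SHA256|RSAPSS"

# Unencrypted 2048-bit RSA key and a self-signed certificate carrying it.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$KEY" 2>/dev/null
openssl req -new -x509 -key "$KEY" -days 365 -subj "/CN=byoip-example" -out "$CERT" 2>/dev/null

# Sign with RSA-PSS padding, which the "RSAPSS" field of the message names;
# a plain `-sign` produces a PKCS#1 v1.5 signature, a different scheme.
# printf '%s' avoids the trailing newline that `echo "..." > file.txt` adds.
# Prints the base64 signature with +=/ replaced by -_~ (assumed AWS format).
sign_pss() {
    printf '%s' "$1" | openssl dgst -sha256 \
        -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
        -sign "$KEY" -keyform PEM -out "$WORK/sig.bin"
    openssl base64 -A -in "$WORK/sig.bin" | tr -- '+=/' '-_~'
}

# Verify using only the certificate: `openssl dgst -verify` wants a public
# key, not a certificate (hence "unable to load key file"), so first pull
# the SubjectPublicKeyInfo out of the certificate with `openssl x509`.
verify_with_cert() {
    openssl x509 -in "$CERT" -pubkey -noout > "$WORK/cert-pubkey.pem"
    if printf '%s' "$1" | openssl dgst -sha256 \
        -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
        -verify "$WORK/cert-pubkey.pem" -signature "$WORK/sig.bin" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}

SIG=$(sign_pss "$MSG")
echo "signed_message=$SIG"
echo "original message: $(verify_with_cert "$MSG")"     # ok
echo "altered message:  $(verify_with_cert "${MSG}x")"  # fail
```

The same extraction step (`openssl x509 -pubkey -noout`) is what makes the poster's third command work with `certificate.pem` instead of `public-key.pem`.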
