[Hipsec] Making some sample Hierarchical HITs

Robert Moskowitz <rgm@htt-consult.com> Wed, 14 August 2019 13:00 UTC

To: HIP <hipsec@ietf.org>
From: Robert Moskowitz <rgm@htt-consult.com>
Date: Wed, 14 Aug 2019 09:00:10 -0400
Archived-At: <https://mailarchive.ietf.org/arch/msg/hipsec/NaapKpl1UfIMp4ZVMZakPu8W9Xk>

This is connected to the Trustworthy Multipurpose Remote IDs 

Right now I am working on what an EdDSA PKI would be that would back up 
the proposed HHITs and various repositories.  For this I want to 
generate some testing HHITs.

These HHITs will be used in X.509 certs as in RFC 8002, but also as 
subjectName in the signing cert.  This causes some challenges as to how 
to present an IPv6 value in subjectName (this is a separate question 
from this missive).

I will use openssl from my draft-moskowitz-eddsa-pki and HHIT format 
from draft-moskowitz-hierarchical-hip (sec 4).

Note about current HHIT draft and sec 4.  When I did this, I was using 
ECDSA.  The revised version of this draft (soon to be published) uses 
EdDSA and I am a bit unsure as to what hash I will recommend.  But for 
this stage, use ed25519/sha256.

I make the ed25519 keypair with:

    openssl genpkey -aes256 -algorithm ed25519 -outform pem -out 

Note the keypair is encrypted; it contains the private key.  This can be 
viewed with:

    openssl pkey -inform pem -in entity.key.pem -text -noout

The public key can be extracted in DER format with:

    openssl pkey -in entity.key.pem -pubout -out entity.pub.der -outform DER

For the HHIT:

RAA = 10
HDA = 20

It would be great to have this as a Python or Perl script.  That way I 
may learn something along the way.

Inputs are:

key file name
key password
HIT Suite ID

Output should be:

the HHIT in 128-bit binary to some file
the HHIT in IPv6 : display format

Thanks for any help.
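
One way to write the requested script, added here as an example; it is not part of the original post or of either draft. It reads the DER public key (a SubjectPublicKeyInfo, as written by `openssl pkey -pubout -outform DER`) instead of the encrypted key file, so no password is needed. The field widths (4-bit suite ID, 14-bit RAA, 18-bit HDA, 64-bit hash), the truncated SHA-256 over the raw key, and the file names `hhit.py` and `out.bin` are assumptions to check against sec 4 of draft-moskowitz-hierarchical-hip.

```python
import hashlib
import ipaddress
import sys

# DER header of an Ed25519 SubjectPublicKeyInfo (RFC 8410); 32 key bytes follow.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")
ORCHID_PREFIX = 0x2001002  # top 28 bits of 2001:20::/28 (RFC 7343)
# ASSUMED field widths in bits, most significant first after the prefix.
SUITE_BITS, RAA_BITS, HDA_BITS, HASH_BITS = 4, 14, 18, 64


def ed25519_raw_from_spki(der: bytes) -> bytes:
    """Return the 32-byte public key; refuse anything else (e.g. a private-key DER)."""
    if len(der) != 44 or not der.startswith(ED25519_SPKI_PREFIX):
        raise ValueError("input is not an Ed25519 SubjectPublicKeyInfo")
    return der[len(ED25519_SPKI_PREFIX):]


def make_hhit(pub: bytes, suite_id: int, raa: int, hda: int) -> bytes:
    """Pack prefix | suite ID | RAA | HDA | hash into 16 bytes, big-endian."""
    # ASSUMPTION: the hash field is the first 64 bits of SHA-256 over the raw key.
    digest = int.from_bytes(hashlib.sha256(pub).digest()[:HASH_BITS // 8], "big")
    value = ORCHID_PREFIX
    for name, field, bits in (("suite_id", suite_id, SUITE_BITS), ("raa", raa, RAA_BITS),
                              ("hda", hda, HDA_BITS), ("hash", digest, HASH_BITS)):
        if not 0 <= field < (1 << bits):
            raise ValueError(f"{name}={field} does not fit in {bits} bits")
        value = (value << bits) | field
    return value.to_bytes(16, "big")


def hhit_to_ipv6(hhit: bytes) -> str:
    """Render the 16-byte HHIT in IPv6 colon notation."""
    return str(ipaddress.IPv6Address(hhit))


if __name__ == "__main__":
    # usage (hypothetical names): hhit.py entity.pub.der SUITE_ID RAA HDA out.bin
    der_path, suite_id, raa, hda, out_path = sys.argv[1:6]
    with open(der_path, "rb") as f:
        pub = ed25519_raw_from_spki(f.read())
    hhit = make_hhit(pub, int(suite_id), int(raa), int(hda))
    with open(out_path, "wb") as f:
        f.write(hhit)
    print(hhit_to_ipv6(hhit))
```

The SubjectPublicKeyInfo check means a DER file that holds the private key (what `openssl pkey -outform DER` writes without `-pubout`) is rejected instead of being hashed.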