Highway MASA Online uses

Two instances of the Minerva Highway MASA have been set up. In keeping with the slightly Harry Potter naming theme, the two instances are named “Wheezes” (after Weasley’s Wizard Wheezes) and “Honeydukes” (after Honeydukes).

The shops do not sell real products. Rather they simply provide the core of the product that we care about: the IDevID certificate and the private key. Of course, a real system wouldn’t make the private key available like this, but this is a way to experiment.

The products are named for incrementing EUI-48 addresses. The OUI prefix 00d0e5 belongs to a failed dotcom that mcr used to work for.

A cronjob runs every two hours to make sure that there are at least five unsold items in the store, and to move sold items aside.

Visit either:

  • https://honeydukes.sandelman.ca/
  • https://wheezes.sandelman.ca/

and pick one of the zip files to download. Inside you’ll find the key pair, which can be used with your BRSKI client (you can simulate one with reach).

You will eventually need the masa_secp384r1.crt file in order to verify the voucher that is received.

cd reach
wget https://honeydukes.sandelman.ca/product_00-D0-E5-02-00-0A.zip
unzip product_00-D0-E5-02-00-0A.zip
rake reach:send_voucher_request PRODUCTID=00-D0-E5-02-00-0A JRC=https://fountain-test.sandelman.ca/

This will contact the JRC at the indicated address, and return a voucher.

% rake reach:send_voucher_request PRODUCTID=00-D0-E5-02-00-0A JRC=https://fountain-test.sandelman.ca/
Voucher connects to /DC=ca/DC=sandelman/CN=localhost
vs:   /DC=ca/DC=sandelman/CN=localhost
Voucher authenticates this connection!

The Fountain JRC will see the request, extract the MASA URL from the IDevID, and may say something like:

Contacting server at: https://masa.honeydukes.sandelman.ca/.well-known/est/requestvoucher

The returned voucher is also saved to tmp:

ls tmp
voucher_00-D0-E5-02-00-0A.pkcs  vr_00-D0-E5-02-00-0A.pkcs

The script bin/pkcs2json can be used to decode the result to JSON:

bin/pkcs2json tmp/voucher_00-D0-E5-02-00-0A.pkcs tmp/out1.txt
Verification successful
cat tmp/out1.txt
{"ietf-voucher:voucher":{"assertion":"logged",
"created-on":"2017-10-25T23:45:27.089+00:00",
"serial-number":"00-D0-E5-02-00-0A",
"nonce":"Dss99sBr3pNMOACe-LYY7w",
"pinned-domain-cert":"MII...YRc3o="}}

At this point the Fountain JRC implementation does not do auditlog examination, and the next step (enrollment) is not implemented yet either.
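The two checks the transcript above hints at, verifying the .pkcs voucher against masa_secp384r1.crt ("Verification successful") and comparing the pinned-domain-cert with the registrar the pledge actually connected to ("Voucher authenticates this connection!"), as an added Ruby example that is not part of reach or the Highway MASA. Every key, certificate, host name and nonce below is constructed for the demo; the MASA certificate stands in for masa_secp384r1.crt and the registrar certificate for the one the JRC presented over TLS, and all helper names are hypothetical.

```ruby
# Added example, not code from reach or the Highway MASA: the checks a BRSKI
# pledge performs on a returned voucher (RFC 8366 format, RFC 8995 flow).
# All keys, certificates and names are constructed for the demo.
require "openssl"
require "json"
require "base64"
require "time"

PRODUCT_ID = "00-D0-E5-02-00-0A".freeze                    # serial-number used on the page
ALLOWED_ASSERTIONS = %w[verified logged proximity].freeze  # RFC 8366 assertion values

# Self-signed P-384 certificate, usable both as a trust anchor and as a signer.
def make_self_signed(cn)
  key  = OpenSSL::PKey::EC.generate("secp384r1")
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = cert.issuer = OpenSSL::X509::Name.parse("/DC=ca/DC=sandelman/CN=#{cn}")
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 365 * 86_400
  cert.public_key = key
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("keyUsage", "digitalSignature,keyCertSign", true))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# MASA side: wrap the JSON voucher in CMS/PKCS#7 SignedData with embedded
# content, which is the shape of the .pkcs files written to tmp/.
def sign_voucher(masa_key, masa_cert, voucher)
  OpenSSL::PKCS7.sign(masa_cert, masa_key, JSON.generate(voucher), [],
                      OpenSSL::PKCS7::BINARY).to_der
end

# Pledge side. Order matters: the signature is checked against the trusted MASA
# certificate before any field is trusted; then the fields are compared with what
# the pledge itself sent (serial, nonce) and saw (registrar certificate).
# Returns the voucher hash on success and raises on any failure.
def verify_voucher(der, masa_cert, expected_serial:, sent_nonce:, registrar_cert:)
  p7    = OpenSSL::PKCS7.new(der)
  store = OpenSSL::X509::Store.new
  store.add_cert(masa_cert)
  unless p7.verify(nil, store, nil, OpenSSL::PKCS7::BINARY)
    raise "voucher signature not trusted: #{p7.error_string}"
  end
  v = JSON.parse(p7.data).fetch("ietf-voucher:voucher")
  raise "serial-number #{v['serial-number'].inspect} is not ours" unless v["serial-number"] == expected_serial
  raise "nonce mismatch: stale or replayed voucher" unless v["nonce"] == sent_nonce
  raise "unknown assertion #{v['assertion'].inspect}" unless ALLOWED_ASSERTIONS.include?(v["assertion"])
  Time.iso8601(v.fetch("created-on")) # must at least be a well-formed timestamp
  pinned = OpenSSL::X509::Certificate.new(Base64.decode64(v.fetch("pinned-domain-cert")))
  # The registrar's TLS certificate must chain to (or be) the pinned domain cert.
  pin_store = OpenSSL::X509::Store.new
  pin_store.add_cert(pinned)
  raise "registrar certificate does not match pinned-domain-cert" unless pin_store.verify(registrar_cert)
  v
end

# true if the voucher would be accepted, false on any verification failure
def accepted?(*args, **kw)
  verify_voucher(*args, **kw)
  true
rescue StandardError
  false
end

# Constructed end-to-end run: a good voucher, one signed by an untrusted key,
# and the good one presented against a nonce the pledge never sent.
def demo
  masa_key, masa_cert = make_self_signed("masa.honeydukes.example")
  _reg_key, reg_cert  = make_self_signed("localhost")
  nonce = Base64.urlsafe_encode64(OpenSSL::Random.random_bytes(16), padding: false)
  voucher = { "ietf-voucher:voucher" => {
    "assertion"          => "logged",
    "created-on"         => Time.now.utc.iso8601(3),
    "serial-number"      => PRODUCT_ID,
    "nonce"              => nonce,
    "pinned-domain-cert" => Base64.strict_encode64(reg_cert.to_der) } }
  good_der = sign_voucher(masa_key, masa_cert, voucher)
  rogue_key, rogue_cert = make_self_signed("not-the-masa.example")
  rogue_der = sign_voucher(rogue_key, rogue_cert, voucher)
  ok_args = { expected_serial: PRODUCT_ID, sent_nonce: nonce, registrar_cert: reg_cert }
  {
    voucher:         verify_voucher(good_der, masa_cert, **ok_args),
    rogue_accepted:  accepted?(rogue_der, masa_cert, **ok_args),
    replay_accepted: accepted?(good_der, masa_cert, **ok_args.merge(sent_nonce: "stale-nonce")),
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints the accepted voucher together with `rogue_accepted: false` and `replay_accepted: false`. The pinned-domain-cert check is done with a certificate store rather than a byte comparison because RFC 8995 allows the pinned certificate to be a CA above the registrar, not only the registrar's own certificate; a nonceless voucher (no "nonce", with "expires-on" instead) is deliberately rejected here, since the flow on this page always sends a nonce.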
