Re: [Anima] PKCS7 certificate SignerData certificates
Michael Richardson <mcr+ietf@sandelman.ca> Thu, 07 September 2017 15:19 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E3181321BB for <anima@ietfa.amsl.com>; Thu, 7 Sep 2017 08:19:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MrH8Ci__FjOd for <anima@ietfa.amsl.com>; Thu, 7 Sep 2017 08:19:23 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 14109132A65 for <anima@ietf.org>; Thu, 7 Sep 2017 08:19:22 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 57A62203B2; Thu, 7 Sep 2017 11:23:14 -0400 (EDT)
Received: from obiwan.sandelman.ca (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id A8C6F806B4; Thu, 7 Sep 2017 11:19:20 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "Max Pritikin (pritikin)" <pritikin@cisco.com>
cc: Anima WG <anima@ietf.org>, Kent Watsen <kwatsen@juniper.net>
In-Reply-To: <ED69E4AB-9AE0-48D6-9F2F-725C71AB93DE@cisco.com>
References: <4705.1504656568@obiwan.sandelman.ca> <ED69E4AB-9AE0-48D6-9F2F-725C71AB93DE@cisco.com>
X-Mailer: MH-E 8.6; nmh 1.6+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Thu, 07 Sep 2017 11:19:20 -0400
Message-ID: <27261.1504797560@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/ETKXSZMbzrCjBC2SueMJyUVFSo8>
Subject: Re: [Anima] PKCS7 certificate SignerData certificates
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Sep 2017 15:19:26 -0000
Max Pritikin (pritikin) <pritikin@cisco.com> wrote: > The voucher-request has this additional requirement: > s3.3 of BRSKI-07, > The request is a "YANG-defined JSON > document that has been signed using a PKCS#7 structure" as > described in [I-D.ietf-anima-voucher] using the JSON encoded > described in [RFC7951]. The Registrar MUST sign the request. The > entire Registrar certificate chain, up to and including the Domain > CA, MUST be included in the PKCS#7 structure. I feel dumb, because I was sure that I looked for such a sentence, and I didn't find it. Good that it is there. >> In a signed voucher request from the pledge to the registrar the >> pinned-domain-cert is that of the *PLEDGE* (signed with it's IDevID). > Actually this pinned-domain-cert is thus, from s3.2 of BRSKI-07, > pinned-domain-cert: In a Pledge voucher request this is the > Registrar certificate as extracted from the TLS handshake (for > example the first certificate in the TLS 'certificate_list' > sequence (see [RFC5246]). This MUST be populated in a Pledge's > voucher request if the "proximity" assertion is populated. Huh, this is actually surprising... I guess we need the Registrar to keep the same thing there, and really the voucher *HAS* to be issued for this key in order for the Pledge to get out of provisional state... > I was wondering earlier today if this was confusing. We could add a > leaf for “tls-domain-cert” or something. An additional point is that > the *assumption* is that this is the same cert as the id-kp-cmcRA cert > in the chain discussed above and in s3.3 but maybe that is an > assumption too far and we should support bags of certs and arbitrary > complexity? I’m tired of this PKI mess. Yes, that's an assumption. The *VOUCHER* that results has to match the certificate in the TLS. So it makes sense for the PLEDGE to indicate what certificate it is expecting. That lets the Registrar be built using a variety of certificates for load balancing purposes, and deals with a race condition that could occur if the Registrar's certificate is renewed during the imprinting process. If a Registrar wants/needs to update it's cmcRA cert, it could present the previously signed voucher to the MASA with previous... >> a) is that certificate also included in the PKCS7 bag of certificates? >> I think the answer SHOULD be yes. >> b) is there any operationally valid reason why there should be additional >> certificates in the PKCS7 bag? >> I can not come up with one. The registrar is never going to validate >> any chain that the manufacturer might have used internally to set up >> their CA for their IDevID. It cares about the end-certificate only. > The reason s3.3. mandates the entire chain, including the domain CA > certificate, is to allow the above consistency checks. But originally > this was so that the domainCA certificate would be used for the pinned > cert. Moving to just the RA cert in the pinned-domain-cert field would > be a simplification? The text of the voucher-05 leaf description seems > to allow this. I would like it to be just the RA cert. >> In a signed voucher request from the JRC (registrar) to the MASA the >> pinned-domain-cert is that of the *Registrar* (signed with it's cmcRA marked >> certificate from the domain owner's CA). >> >> a) is that certificate also included in the PKCS7 bag of certificates? >> I think the answer SHOULD be yes. > This is the current language and *not* that the pinned-domain-cert is > populated at all. In fact if you look at the new voucher-request-yang > branch and Example (2) of the voucher requests you see: Are you saying that pinned-domain-cert should not be populated in the voucher request ("VR") from Registrar->MASA? > I think we’re close to agreeing. Some comments: > I like the jwt approach to certs where they include an entire “x5c” > chain rather than a single cert. Maybe we should be copying that? In > particular I like it better than trying to specify extra stuff in the > certificate bag. The less we depend on the pkcs#7 structure the better > and I’m willing to change the above uses to meet that goal. So, our pinned-domain-cert in the VR would include the entire chain? What format would we use? Is it just concatenated DER of certificates? >> In my code I'm doing: >> >> i. extract the first certificate from the PKCS7 bag, and use it to >> verify the PKCS7, telling the verifyer not to validate the chain, >> and not to use any certificates from the PKCS7. >> I found that I could not find a way to access the content of the PKCS7 >> content without verifying first. I don't know if this is a ruby-openssl, >> or underlying libssl limitation yet. > This is an important point. In openssl I believe I was able to crack > into the details without verifying and then go back and verify once I’d > extracted the cert bags. I believe it should be possible, but that I may not have access to the right API from ruby-openssl. I've now upstreamed one patch for ruby-openssl, so I'll probably fix that and upstream and another patch. >> Alternatively, in step (i), I should try all the certificates until one >> works, guarding aginst there being more than one. > Dunno the options. I brought my code up this evening to relook at the > pinned-cert discussion in this exact area but didn’t make any > progress. I’ll try and look at it tomorrow. -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
- [Anima] PKCS7 certificate SignerData certificates Michael Richardson
- Re: [Anima] PKCS7 certificate SignerData certific… Max Pritikin (pritikin)
- Re: [Anima] PKCS7 certificate SignerData certific… Kent Watsen
- Re: [Anima] PKCS7 certificate SignerData certific… Michael Richardson
- Re: [Anima] PKCS7 certificate SignerData certific… Michael Richardson
- Re: [Anima] PKCS7 certificate SignerData certific… Max Pritikin (pritikin)
- [Anima] resolving overload of pinnned-domain-cert… Max Pritikin (pritikin)