Re: [Anima] creating iDevID certs with openssl

Michael Richardson <mcr+ietf@sandelman.ca> Thu, 24 August 2017 03:23 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Robert Moskowitz <rgm-sec@htt-consult.com>
cc: anima@ietf.org
In-Reply-To: <d64b22cd-807d-2598-7f2d-2ef07534724b@htt-consult.com>
References: <d64b22cd-807d-2598-7f2d-2ef07534724b@htt-consult.com>
Date: Wed, 23 Aug 2017 23:23:04 -0400
Message-ID: <31117.1503544984@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/GpoIjSn0Hk6eBcDEDJr7ewhC8fw>
Subject: Re: [Anima] creating iDevID certs with openssl

Robert Moskowitz <rgm-sec@htt-consult.com> wrote:
    > I have just joined this list.  So if this is covered in the archives
    > anywhere, my weak search foo did not uncover it...

    > Has anyone created iDevID certs with openssl including subjectAltName with
    > hardwareModuleName?

Not exactly; I was also adding my own PEN OID with the Serial Number.
    # the OID: 1.3.6.1.4.1.46930.1 is a Private Enterprise Number OID:
    #    iso.org.dod.internet.private.enterprise . SANDELMAN=46930 . 1
    # subjectAltName=otherName:1.2.3.4;UTF8:some other identifier

I added:

    > [ req_ext ]
    > subjectAltName = otherName:1.3.6.1.5.5.7.8.4;SEQ:hmodname

My ruby code looks like:

    # include the official HardwareModule OID:  1.3.6.1.5.5.7.8.4
    @idevid.add_extension(ef.create_extension(
                            "subjectAltName",
                            sprintf("otherName:1.3.6.1.5.5.7.8.4;UTF8:%s",
                                    self.sanitized_eui64),
                            false))

see: https://github.com/mcr/highway/blob/master/app/models/device.rb#L43

I include what I think is an IDevID for a device with EUI-48 12-00-00-66-4D-02.
I'm not 100% sure that's a valid hwSerialNumber, which is why I had used my own
OID :-)

https://github.com/mcr/fountain/tree/master/spec/certs has the public key
that signed the cert attached (and the cert as well)

The thing I found impossible to do programmatically was to create the
Registrar CA cert with the cmcRA bit set.  I had to resort to configuration
files like yours, see: https://github.com/mcr/fountain/blob/master/trialra.sh


-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----


--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
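Added example (not code from the mail above, nor from the highway or fountain repositories it links): the `SEQ:hmodname` reference in the quoted openssl.cnf exists because RFC 4108 defines HardwareModuleName as SEQUENCE { hwType OBJECT IDENTIFIER, hwSerialNum OCTET STRING }, so the otherName value is a structure, not a bare string. The Ruby below assembles that structure in DER with OpenSSL::ASN1, attaches it as a subjectAltName otherName to a self-signed test certificate, reads it back from the certificate without relying on OpenSSL's text rendering (which shows unknown otherNames as `<unsupported>`), and builds an extendedKeyUsage carrying id-kp-cmcRA (1.3.6.1.5.5.7.3.28, RFC 6402) the same way, since the mail notes that bit was hard to set programmatically. The hwType value reuses the Sandelman PEN arc quoted in the mail as a placeholder only, and the serial bytes are the EUI-48 from the mail; a vendor would register its own hwType, and a real IDevID is signed by the manufacturer's CA rather than self-signed.

```ruby
require 'openssl'

# RFC 4108 HardwareModuleName, reused by IEEE 802.1AR for the IDevID SAN:
#   id-on-hardwareModuleName OBJECT IDENTIFIER ::= { 1 3 6 1 5 5 7 8 4 }
#   HardwareModuleName ::= SEQUENCE { hwType OBJECT IDENTIFIER, hwSerialNum OCTET STRING }
ID_ON_HARDWARE_MODULE_NAME = '1.3.6.1.5.5.7.8.4'
# RFC 6402 id-kp-cmcRA, the EKU a registrar acting as an RA carries.
ID_KP_CMC_RA = '1.3.6.1.5.5.7.3.28'

# Placeholders for this example only: the Sandelman PEN arc quoted in the mail
# as hwType, and the EUI-48 12-00-00-66-4D-02 from the mail as raw serial bytes.
# A vendor would use an OID under its own PEN.
EXAMPLE_HW_TYPE = '1.3.6.1.4.1.46930.1'
EXAMPLE_SERIAL  = "\x12\x00\x00\x66\x4D\x02".b

# Non-critical subjectAltName holding one otherName of type hardwareModuleName.
# The DER is assembled directly, so no openssl.cnf "SEQ:hmodname" section is needed.
def hardware_module_name_san(hw_type_oid, serial_bytes)
  # OtherName.value is [0] EXPLICIT ANY: the HardwareModuleName SEQUENCE wrapped in A0.
  hmn = OpenSSL::ASN1::Sequence.new(
    [OpenSSL::ASN1::ObjectId.new(hw_type_oid),
     OpenSSL::ASN1::OctetString.new(serial_bytes)],
    0, :EXPLICIT, :CONTEXT_SPECIFIC)
  # GeneralName otherName is [0] IMPLICIT OtherName; OtherName is a SEQUENCE, so tag A0.
  other_name = OpenSSL::ASN1::Sequence.new(
    [OpenSSL::ASN1::ObjectId.new(ID_ON_HARDWARE_MODULE_NAME), hmn],
    0, :IMPLICIT, :CONTEXT_SPECIFIC)
  general_names = OpenSSL::ASN1::Sequence.new([other_name])
  OpenSSL::X509::Extension.new('subjectAltName', general_names, false)
end

# ExtendedKeyUsage ::= SEQUENCE OF KeyPurposeId, here just id-kp-cmcRA.
def cmc_ra_eku
  eku = OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::ObjectId.new(ID_KP_CMC_RA)])
  OpenSSL::X509::Extension.new('extendedKeyUsage', eku, false)
end

# extnValue of an extension as a decoded ASN.1 object (last element of the
# Extension SEQUENCE, which skips the optional critical BOOLEAN).
def decode_extn_value(ext)
  ext_seq = OpenSSL::ASN1.decode(ext.to_der)
  OpenSSL::ASN1.decode(ext_seq.value.last.value)
end

# Return { hw_type:, serial: } from a subjectAltName extension, or nil if no
# hardwareModuleName otherName is present.
def parse_hardware_module_name(san_ext)
  decode_extn_value(san_ext).value.each do |gn|
    next unless gn.tag_class == :CONTEXT_SPECIFIC && gn.tag == 0   # otherName
    type_id, tagged_value = gn.value
    next unless type_id.oid == ID_ON_HARDWARE_MODULE_NAME
    hw_type, serial = tagged_value.value.first.value               # unwrap [0] EXPLICIT
    return { hw_type: hw_type.oid, serial: serial.value }
  end
  nil
end

def eku_oids(eku_ext)
  decode_extn_value(eku_ext).value.map(&:oid)
end

# Self-signed stand-in for an IDevID (a real one is signed by the manufacturer CA).
def build_test_idevid(hw_type_oid, serial_bytes)
  key  = OpenSSL::PKey::EC.generate('prime256v1')
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=IDevID example device')
  cert.issuer     = cert.subject
  cert.public_key = key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.add_extension(hardware_module_name_san(hw_type_oid, serial_bytes))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

def idevid_hardware_module_name(cert)
  san = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  san && parse_hardware_module_name(san)
end

if $PROGRAM_NAME == __FILE__
  cert = build_test_idevid(EXAMPLE_HW_TYPE, EXAMPLE_SERIAL)
  puts cert.to_pem
  p idevid_hardware_module_name(cert)
end
```

Parsing the DER rather than calling `ext.value` is deliberate: OpenSSL has no text form for this otherName, so a verifier that matches on the printed string cannot check the serial at all. The same construction pattern (build the ASN.1 value, wrap it in OpenSSL::X509::Extension) covers any extension whose value the config-file syntax makes awkward.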