Re: [Anima] creating iDevID certs with openssl

Kent Watsen <kwatsen@juniper.net> Wed, 16 August 2017 16:43 UTC

From: Kent Watsen <kwatsen@juniper.net>
To: Robert Moskowitz <rgm-sec@htt-consult.com>, "anima@ietf.org" <anima@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/IThknvgnTVCiKblPUYZru4rRstY>

Hi Bob,

I'm watching this thread with interest.  My take on this [1] is a little
different than yours, but I was just prototyping a rough solution, I
never took it to completion...

[1] https://github.com/netconf-wg/zero-touch/blob/master/openssl-test/vendor/idevid-certificate-pki/intermediate-ca/openssl.cnf#L55

Kent

--

Making some progress.


On 08/14/2017 01:44 PM, Robert Moskowitz wrote:
> I have just joined this list.  So if this is covered in the archives 
> anywhere, my weak search foo did not uncover it...
>
> Has anyone created iDevID certs with openssl including subjectAltName 
> with hardwareModuleName?
>
> I have been working on this for a few days and have worked out HOW to 
> even get certs to contain SAN, particularly going the csr route. I 
> have learned on the openssl list that HMN is not directly supported 
> and that you have to use othername.  Something like
>
> [ req_ext ]
> subjectAltName = otherName:1.3.6.1.5.5.7.8.4;SEQ:hmodname
>
> [ hmodname ]
> hwType = OID:1.2.3.4 # Whatever OID you want.
> hwSerialNum = FORMAT:HEX,OCT:01020304 # Some hex

This produces a subjectAltName content of:

     0:d=0  hl=2 l=  27 cons: SEQUENCE
     2:d=1  hl=2 l=  25 cons:  cont [ 0 ]
     4:d=2  hl=2 l=   8 prim:   OBJECT            :1.3.6.1.5.5.7.8.4
    14:d=2  hl=2 l=  13 cons:   cont [ 0 ]
    16:d=3  hl=2 l=  11 cons:    SEQUENCE
    18:d=4  hl=2 l=   3 prim:     OBJECT            :1.2.3.4
    23:d=4  hl=2 l=   4 prim:     OCTET STRING      [HEX DUMP]:01020304


I suspect that hwtype is a full vendor OID for registering this device.  
Say my company, HTT Consulting makes sensor widgets.  The OID for that 
could be:

1.3.6.1.4.1.6715.10.1 (where 10 is HTT's devices and 1 is the sensor 
widget).

> But I am not sure what exactly to do with hwType and hwSerialNum
>
> Are there any extant examples?

So googling around for examples and not finding any.  But then my search 
foo has always been weak.

>
> Currently there is no way to feed any SAN value in at the command line
> 'openssl req'.  It has to go into the config file, so once I work out
> WHAT to put into these fields, I will have to do some kludgy stuff to
> stuff values into the config then run the command. There are examples
> of this around for SANs of IP, DNS, etc.
>
> BTW, so far I have a simple guide for making a pki of ECDSA certs
> using openssl.  I would be willing to share what I have done to date.
> The 802.1AR cert section is understandably incomplete...
>
> Bob
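
The following is an added example, not part of the original thread or of the zero-touch repository. It decodes a subjectAltName value of the shape shown in the asn1parse dump above and extracts hwType and hwSerialNum, which is the check a verifier would run on a received iDevID certificate. SAN_DER is constructed from that dump, and the function names are hypothetical.

```python
# Added example. SAN_DER is constructed from the asn1parse dump in the thread.
SAN_DER = bytes.fromhex("301b" "a019" "06082b06010505070804"
                        "a00d" "300b" "06032a0304" "040401020304")
ID_ON_HARDWARE_MODULE_NAME = "1.3.6.1.5.5.7.8.4"

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):  # OID content octets (base-128 arcs) -> dotted string
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last octet of an arc
            arcs, val = arcs + [val], 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def hardware_module_names(san_der):
    """Return [(hwType, hwSerialNum)] for each hardwareModuleName otherName."""
    tag, names, end = read_tlv(san_der, 0)
    if tag != 0x30 or end != len(san_der):
        raise ValueError("not a GeneralNames SEQUENCE")
    found, pos = [], 0
    while pos < len(names):
        tag, gn, pos = read_tlv(names, pos)
        t, oid, p = read_tlv(gn, 0) if tag == 0xA0 else (0, b"", 0)
        if t != 0x06 or decode_oid(oid) != ID_ON_HARDWARE_MODULE_NAME:
            continue  # not an otherName, or a different otherName type
        t1, wrapped, _ = read_tlv(gn, p)       # [0] EXPLICIT wrapper
        t2, seq, _ = read_tlv(wrapped, 0)      # HardwareModuleName SEQUENCE
        t3, hw_type, q = read_tlv(seq, 0)      # hwType OBJECT IDENTIFIER
        t4, serial, q = read_tlv(seq, q)       # hwSerialNum OCTET STRING
        if (t1, t2, t3, t4) != (0xA0, 0x30, 0x06, 0x04) or q != len(seq):
            raise ValueError("malformed HardwareModuleName")
        found.append((decode_oid(hw_type), serial))
    return found
```

The same function handles a multi-byte arc such as the 6715 in the vendor OID suggested in the thread, and returns an empty list for a SAN that carries no hardwareModuleName.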
