Re: [Anima] creating iDevID certs with openssl

Robert Moskowitz <rgm-sec@htt-consult.com> Fri, 18 August 2017 19:29 UTC

Return-Path: <rgm-sec@htt-consult.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68BE01321B8 for <anima@ietfa.amsl.com>; Fri, 18 Aug 2017 12:29:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P3n3rRQXnMWF for <anima@ietfa.amsl.com>; Fri, 18 Aug 2017 12:29:38 -0700 (PDT)
Received: from z9m9z.htt-consult.com (z9m9z.htt-consult.com [50.253.254.3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E4FBF1321A6 for <anima@ietf.org>; Fri, 18 Aug 2017 12:29:37 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by z9m9z.htt-consult.com (Postfix) with ESMTP id E3F0A62244; Fri, 18 Aug 2017 15:29:36 -0400 (EDT)
X-Virus-Scanned: amavisd-new at htt-consult.com
Received: from z9m9z.htt-consult.com ([127.0.0.1]) by localhost (z9m9z.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id X10Jbf7w6M4P; Fri, 18 Aug 2017 15:29:29 -0400 (EDT)
Received: from lx120e.htt-consult.com (unknown [192.168.160.12]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by z9m9z.htt-consult.com (Postfix) with ESMTPSA id 0EB466223F; Fri, 18 Aug 2017 15:29:28 -0400 (EDT)
To: Kent Watsen <kwatsen@juniper.net>, "anima@ietf.org" <anima@ietf.org>
References: <d64b22cd-807d-2598-7f2d-2ef07534724b@htt-consult.com> <3a5adc64-1737-9ecc-5c13-b310b48c2ba0@htt-consult.com> <31E4D893-7438-4EF4-85DF-4F47D70FF3CF@juniper.net>
From: Robert Moskowitz <rgm-sec@htt-consult.com>
Message-ID: <5ae589f2-5524-df9c-cd18-d621e012749f@htt-consult.com>
Date: Fri, 18 Aug 2017 15:29:26 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <31E4D893-7438-4EF4-85DF-4F47D70FF3CF@juniper.net>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/MEuSjybsKpmYnHM6ytD7vhLxDKM>
Subject: Re: [Anima] creating iDevID certs with openssl
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Aug 2017 19:29:41 -0000

I want to share my work on building a generic ECDSA pki with an 802.1AR 
leaf.  You can see my work at:

http://www.htt-consult.com/pki.html

I believe I have iDevID properly constructed, but I am not sure about 
hwSerailNumber plus its relationship to the DN's serialNumber.

I am interested in feedback on this.  I am willing to turn it into an 
ID.  First I have to do CRL and OCSP support.

openssl is NOT so easy to use for all this.  :(   Rich Salz and others 
on the openssl-user list were a great help.

Bob


On 08/16/2017 12:43 PM, Kent Watsen wrote:
> Hi Bob,
>
> I'm watching this thread with interest.  My take on this [1] is a little
> different than yours, but I was just prototyping a rough solution, I
> never took it to completion...
>
> [1] https://github.com/netconf-wg/zero-touch/blob/master/openssl-test/vendor/idevid-certificate-pki/intermediate-ca/openssl.cnf#L55
>
> Kent
>
> --
>
> Making some progress.
>
>
> On 08/14/2017 01:44 PM, Robert Moskowitz wrote:
>> I have just joined this list.  So if this is covered in the archives
>> anywhere, my weak search foo did not uncover it...
>>
>> Has anyone created iDevID certs with openssl including subjectAltName
>> with hardwareModuleName?
>>
>> I have been working on this for a few days and have worked out HOW to
>> even get certs to contain SAN, particularly going the csr route. I
>> have learned on the openssl list that HMN is not directly supported
>> and that you have to use othername.  Something like
>>
>> [ req_ext ]
>> subjectAltName = otherName:1.3.6.1.5.5.7.8.4;SEQ:hmodname
>>
>> [ hmodname ]
>> hwType = OID:1.2.3.4 # Whatever OID you want.
>> hwSerialNum = FORMAT:HEX,OCT:01020304 # Some hex
> This produces a subjectAltName content of:
>
>       0:d=0  hl=2 l=  27 cons: SEQUENCE
>       2:d=1  hl=2 l=  25 cons:  cont [ 0 ]
>       4:d=2  hl=2 l=   8 prim:   OBJECT            :1.3.6.1.5.5.7.8.4
>      14:d=2  hl=2 l=  13 cons:   cont [ 0 ]
>      16:d=3  hl=2 l=  11 cons:    SEQUENCE
>      18:d=4  hl=2 l=   3 prim:     OBJECT            :1.2.3.4
>      23:d=4  hl=2 l=   4 prim:     OCTET STRING      [HEX DUMP]:01020304
>
>
> I suspect that hwtype is a full vendor OID for registering this device.
> Say my company, HTT Consulting makes sensor widgets.  The OID for that
> could be:
>
> 1.3.6.1.4.1.6715.10.1 (where 10 is HTT's devices and 1 is the sensor
> widget).
>
>> But I am not sure what exactly to do with hwType and hwSerialNum
>>
>> Are there any extant examples?
> So googling around for examples and not finding any.  But then my search
> foo has always been weak.
>
>> Currently there is no way to feed any SAN value in at the command like
>> 'openssl req'.  It has to go into the config file, so once I work out
>> WHAT to but into these fields, I will have to do some kludgly stuff to
>> stuff values into the config then run the command. There are examples
>> of this around for SANs of IP, DNS, etc.
>>
>> BTW, so far I have a simple guide for making a pki of ECDSA certs
>> using openssl.  I would be willing to share what I have done todate.
>> The 802.1AR cert section is understandably incomplete...
>>
>> Bob
> _______________________________________________
> Anima mailing list
> Anima@ietf.org
> https://www.ietf.org/mailman/listinfo/anima
>
>
> _______________________________________________
> Anima mailing list
> Anima@ietf.org
> https://www.ietf.org/mailman/listinfo/anima