IETF Logo Mail Archive

Re: [Anima] PKCS7 certificate SignerData certificates

"Max Pritikin (pritikin)" <pritikin@cisco.com> Wed, 06 September 2017 04:03 UTC

Return-Path: <pritikin@cisco.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60C05132376 for <anima@ietfa.amsl.com>; Tue, 5 Sep 2017 21:03:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.521
X-Spam-Level:
X-Spam-Status: No, score=-14.521 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hg4O3kTztRGb for <anima@ietfa.amsl.com>; Tue, 5 Sep 2017 21:03:39 -0700 (PDT)
Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3777A1321A4 for <anima@ietf.org>; Tue, 5 Sep 2017 21:03:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=10834; q=dns/txt; s=iport; t=1504670619; x=1505880219; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=h4jD88RYV97qTm0m+b2b14R7ZKlL1su3TFdmdSsY5Vs=; b=CApbnJGAjE3IvXnvF5V44LoaVNcbGNPUnG/7CUSKGLIkOXwqoGr7tRFa +2jDNy0DtJPnHlJ8z6J9nzaEX+gbgIR6uUzMHBXyZ9qcXrawOR8/UIO4V RIPXCIuDWnPuUQm3IqOa8ohNcyjGb8djT2cENJc9FNRRGykeXszJGMYyg M=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BAAgA/c69Z/4YNJK1eGQEBAQEBAQEBAQEBBwEBAQEBg1qBeQeDcJpCgXGWKA6CBAqCA4M7AhqEGEEWAQIBAQEBAQEBayiFGAEBAQECASMRRQULAgEIGAICJgICAjAVEAIEDgWKKQiuYIInizoBAQEBAQEBAQEBAQEBAQEBAQEBAQEdgQ2CGQSCAoMxK4J9hF2DKzCCMQWKEpZiAosziRwMkmWUfgIDCwIYAYE4ASYDLoENdxVbAYUAggh2h2YrgQWBDwEBAQ
X-IronPort-AV: E=Sophos;i="5.41,482,1498521600"; d="scan'208";a="294800102"
Received: from alln-core-12.cisco.com ([173.36.13.134]) by rcdn-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 06 Sep 2017 04:03:27 +0000
Received: from XCH-RCD-012.cisco.com (xch-rcd-012.cisco.com [173.37.102.22]) by alln-core-12.cisco.com (8.14.5/8.14.5) with ESMTP id v8643R7H012061 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 6 Sep 2017 04:03:27 GMT
Received: from xch-aln-013.cisco.com (173.36.7.23) by XCH-RCD-012.cisco.com (173.37.102.22) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Tue, 5 Sep 2017 23:03:26 -0500
Received: from xch-aln-013.cisco.com ([173.36.7.23]) by XCH-ALN-013.cisco.com ([173.36.7.23]) with mapi id 15.00.1263.000; Tue, 5 Sep 2017 23:03:26 -0500
From: "Max Pritikin (pritikin)" <pritikin@cisco.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
CC: Anima WG <anima@ietf.org>, Kent Watsen <kwatsen@juniper.net>
Thread-Topic: PKCS7 certificate SignerData certificates
Thread-Index: AQHTJqRqifnVkYJPxUmkEeSk4gXn+6KnkOeA
Date: Wed, 06 Sep 2017 04:03:26 +0000
Message-ID: <ED69E4AB-9AE0-48D6-9F2F-725C71AB93DE@cisco.com>
References: <4705.1504656568@obiwan.sandelman.ca>
In-Reply-To: <4705.1504656568@obiwan.sandelman.ca>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.99.106.3]
Content-Type: text/plain; charset="utf-8"
Content-ID: <911EA71445F60E4CA1DBE38EC9878BB8@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/VJr6S7tuwnzb6SiZyeNEqr8TZNw>
Subject: Re: [Anima] PKCS7 certificate SignerData certificates
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Sep 2017 04:03:41 -0000

> On Sep 5, 2017, at 6:09 PM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
> 
> 
> PKCS7 artifacts have three things in them:
> 1) the content (technically optional, but we need them)
> 2) a set of SignerInfo objects on the content.
> 3) within the SignerData, a bag of certificates, one or more of which has
>   signed the content, and the rest which may be useful to establish a trust
>   path to a CA.
> 
> Max and Kent do we need to say anything about what's in this bag of
> certificates, or whether or not they can/should be used to validate a voucher
> or voucher request.

The voucher-request has this additional requirement:

s3.3 of BRSKI-07,
      The request is a "YANG-defined JSON
      document that has been signed using a PKCS#7 structure" as
      described in [I-D.ietf-anima-voucher] using the JSON encoded
      described in [RFC7951].  The Registrar MUST sign the request.  The
      entire Registrar certificate chain, up to and including the Domain
      CA, MUST be included in the PKCS#7 structure.

> Both the JRC (Registrar) and the MASA SHOULD validate signed requests are in
> fact signed by the key they claim is making the request.

s3.3 of BRSKI-07,

      The MASA validation checks before issuing a voucher are as follows:
      [additional requirements removed for brevity]

      Voucher signature consistency:  The MASA MUST verify that the voucher
      request is signed by a Registrar.  This is confirmed by verifying
      that the id-kp-cmcRA extended key usage extension field (as
      detailed in EST RFC7030 section 3.6.1) exists in the certificate
      of the entity that signed the voucher request.  This verification
      is only a consistency check that the unauthenticated domain CA
      intended this to be a Registrar.  Performing this check provides
      value to domain PKI by assuring the domain administrator that the
      MASA service will only respect claims from authorized Registration
      Authorities of the domain.  (The requirement for the Registrar to
      include the Domain CA certificate in the signature structure was
      stated above).

> In a signed voucher request from the pledge to the registrar the
> pinned-domain-cert is that of the *PLEDGE* (signed with it's IDevID).

Actually this pinned-domain-cert is thus, from s3.2 of BRSKI-07,

   pinned-domain-cert:  In a Pledge voucher request this is the
      Registrar certificate as extracted from the TLS handshake (for
      example the first certificate in the TLS 'certificate_list'
      sequence (see [RFC5246]).  This MUST be populated in a Pledge's
      voucher request if the "proximity" assertion is populated.

I was wondering earlier today if this was confusing. We could add a leaf for “tls-domain-cert” or something. An additional point is that the *assumption* is that this is the same cert as the id-kp-cmcRA cert in the chain discussed above and in s3.3 but maybe that is an assumption too far and we should support bags of certs and arbitrary complexity? I’m tired of this PKI mess.

>  a) is that certificate also included in the PKCS7 bag of certificates?
>     I think the answer SHOULD be yes.
>  b) is there any operationally valid reason why there should be additional
>     certificates in the PKCS7 bag?
>     I can not come up with one. The registrar is never going to validate
>     any chain that the manufacturer might have used internally to set up
>     their CA for their IDevID.  It cares about the end-certificate only.

The reason s3.3. mandates the entire chain, including the domain CA certificate, is to allow the above consistency checks. But originally this was so that the domainCA certificate would be used for the pinned cert. Moving to just the RA cert in the pinned-domain-cert field would be a simplification? The text of the voucher-05 leaf description seems to allow this.

> 
> In a signed voucher request from the JRC (registrar) to the MASA the
> pinned-domain-cert is that of the *Registrar* (signed with it's cmcRA marked
> certificate from the domain owner's CA).
> 
>  a) is that certificate also included in the PKCS7 bag of certificates?
>     I think the answer SHOULD be yes.

This is the current language and *not* that the pinned-domain-cert is populated at all. In fact if you look at the new voucher-request-yang branch and Example (2) of the voucher requests you see:

   {
       "ietf-voucher-request:voucher": {
           "created-on": "2017-01-01T00:00:02.000Z",
           "assertion": "TBD",
           "idevid-issuer": "base64encodedvalue=="
           "serial-number": "JADA123456789"
       }
   }

I was considering opening an issue about this TBD and the resulting uncertainty about the meaning of the pinned-domain-cert in this situation. 

> 
>  b) is there any operationally valid reason why there should be additional
>     certificates in the PKCS7 bag?
> 
>     Yes.  At least the domain owner's CA and any certificates in between
>     the Registrar and the CA SHOULD be presented.
>     Should the domain owner be using a WebPKI of some sort, I think that
>     it SHOULD send it all.
> 
>     Given pinned-domain-cert (vs our previous ideas), the issued voucher
>     is going to be pinned to the Registrar's cert (not some DN specified
>     chain).  But, the audit log probably ought to include the entire chain.
> 
>     Additionally, the entire chain MAY be needed in order to properly invoke
>     the sales channel integration.
> 
> If you agree with my analysis, I will cook up some text for the newly
> created 3.2 Examples section to explain this.  Some adaptation of the text above.

I think we’re close to agreeing. Some comments: 

I like the jwt approach to certs where they include an entire “x5c” chain rather than a single cert. Maybe we should be copying that? In particular I like it better than trying to specify extra stuff in the certificate bag. The less we depend on the pkcs#7 structure the better and I’m willing to change the above uses to meet that goal. 

> In my code I'm doing:
> 
> i.  extract the first certificate from the PKCS7 bag, and use it to
>    verify the PKCS7, telling the verifyer not to validate the chain,
>    and not to use any certificates from the PKCS7.
>    I found that I could not find a way to access the content of the PKCS7
>    content without verifying first.  I don't know if this is a ruby-openssl,
>    or underlying libssl limitation yet.

This is an important point. In openssl I believe I was able to crack into the details without verifying and then go back and verify once I’d extracted the cert bags. 

> 
> ii.  I look at the content now, parse the JSON, pull pinned-domain-cert out.
> iii. I then use the pinned-domain-cert to verify the PKCS7 again.  Perhaps
>     I could do a memcpy() against what I had in step (i), and avoid the
>     second signature check if it was the same.
> 
> I could probably be more flexible in (i) by permitting it to use the bag of
> certificates, but telling it not to validate any chain.   I feel like there
> may be an attack lurking here because I wouldn't know which certificate
> actually validated the object, but that's just a gut instinct.
> {But, the above change makes the same code directly useable on the MASA as
> well.  But, really, it's only four lines}
> 
> Alternatively, in step (i), I should try all the certificates until one
> works, guarding aginst there being more than one.

Dunno the options. I brought my code up this evening to relook at the pinned-cert discussion in this exact area but didn’t make any progress. I’ll try and look at it tomorrow. 

- max

> 
> 
> 
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
> -= IPv6 IoT consulting =-
> 
> 
>

v2.23.0 | Report a Bug | By Email