IETF Logo Mail Archive

Re: [Anima] PKCS7 certificate SignerData certificates

Kent Watsen <kwatsen@juniper.net> Wed, 06 September 2017 19:56 UTC

Return-Path: <kwatsen@juniper.net>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B8832124E15 for <anima@ietfa.amsl.com>; Wed, 6 Sep 2017 12:56:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.801
X-Spam-Level:
X-Spam-Status: No, score=-4.801 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.8, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5tkiwVXda06a for <anima@ietfa.amsl.com>; Wed, 6 Sep 2017 12:56:53 -0700 (PDT)
Received: from NAM02-BL2-obe.outbound.protection.outlook.com (mail-bl2nam02on0117.outbound.protection.outlook.com [104.47.38.117]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D9826126B71 for <anima@ietf.org>; Wed, 6 Sep 2017 12:56:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=JmOiIo1duQP5zfGKfsgOHabwDZBShr6rky46HCZ/mdY=; b=Y8Ep6B/drUaRiJaA+g2NQf9NRij7OJ5pEBcDvz55s2BbTN7ULb1WwrcollKl4M1Ftb8cYSm/bdV2oUYYPrjXmh/zwHw43mNgWkoD8h+YHqd2s9n+mJSePa6HEN8CBHtUw/UYJOQbFRtLU8TmpxZI9zNZ7KCnYzJDzlp++83YB2E=
Received: from BN3PR0501MB1442.namprd05.prod.outlook.com (10.160.117.151) by BN3PR0501MB1298.namprd05.prod.outlook.com (10.160.183.152) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.35.3; Wed, 6 Sep 2017 19:56:50 +0000
Received: from BN3PR0501MB1442.namprd05.prod.outlook.com ([10.160.117.151]) by BN3PR0501MB1442.namprd05.prod.outlook.com ([10.160.117.151]) with mapi id 15.20.0035.010; Wed, 6 Sep 2017 19:56:49 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: "Max Pritikin (pritikin)" <pritikin@cisco.com>, Michael Richardson <mcr+ietf@sandelman.ca>
CC: Anima WG <anima@ietf.org>
Thread-Topic: PKCS7 certificate SignerData certificates
Thread-Index: AQHTJqRrsEcgwhL1eECJLCw/Gd3iLKKnPOUAgADHUYA=
Date: Wed, 06 Sep 2017 19:56:49 +0000
Message-ID: <8EC759E5-598F-43B7-B63E-6008346767B6@juniper.net>
References: <4705.1504656568@obiwan.sandelman.ca> <ED69E4AB-9AE0-48D6-9F2F-725C71AB93DE@cisco.com>
In-Reply-To: <ED69E4AB-9AE0-48D6-9F2F-725C71AB93DE@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.20.0.170309
x-originating-ip: [66.129.241.14]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BN3PR0501MB1298; 6:uBAJxYFFJ2zGlp6v5dmCONCcAtWDC+VaKaqhAu15yQ33s/fPcqSRIx6u47PUHoW+s6ryCH8p5t4rdie6ju70Qq7A3NdPahX39t1uI+YaduANdap95wpVQr+anL8LbNlaSVfByoZmr8cbI7T2pSdol486HO0odjpYxC0GMiMLgTaGfA8rOe3bsb8wAXEI3M0E0Ul+q/exngCftSm26wRWQcUNZh7kE2nbwviUji4/oVm0dYKX6ojmkXQIm7AAZlSBSvCE2Gv+pDb7tbHiQVPDK8Kvz0jpfmH8GYtxQ47BwdCee95K1jIyVZYDKwURdo8fA1NJI0fR3h4JnUvvmsEPNQ==; 5:qASQM8RxQBnJIoFi4OpnSATUnO240pQEwn52ZAACt2Mqzak0XC2FckkxI4GubqjbegA+ivIq87933BeFPVBaSD+60i4rhqdwzFKoX0L7FDSDdbMRRiY23pCjQ9Ua9/o5jcSu1iGDy6kkdaIzOSvdvQ==; 24:lqUslOqwqSPxX+R1In043NfvO6Kc5RgsdwFaBGHF0+cFEFrzm+YO5TglmMT/MccBSkGwsA08dsYEN48WmQpxk5JQ0zTZVS++Znuy0DZYKuo=; 7:pQLIvBxpNZvxcDQCzKPyLIaN6pc56aSURVY858COP8AnQFUrPwqo7ZrNyl4JyQ/ApbrlbPN9GAfliBZrqYvGkjtGBlu/rIT5cfWQKOU0wie0It+rhwyujtke9QRVSRiO+/CwdZiK+fRQVAWtqU7o5QTSDK11krblKsFzKQVC454P2iiuFVJHx9X8wLtpMmP8Nfuu6H3DcMhBkYqp+LoGbZE5irWSJx1XD22C+2ps02Y=
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-correlation-id: 9451eb35-dbd3-4df9-ea73-08d4f56169aa
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254152)(48565401081)(300000503095)(300135400095)(2017052603199)(201703131423075)(201703031133081)(201702281549075)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095); SRVR:BN3PR0501MB1298;
x-ms-traffictypediagnostic: BN3PR0501MB1298:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=kwatsen@juniper.net;
x-exchange-antispam-report-test: UriScan:(60795455431006)(166708455590820);
x-microsoft-antispam-prvs: <BN3PR0501MB129892878BEEC07AD76CC1F8A5970@BN3PR0501MB1298.namprd05.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(2401047)(8121501046)(5005006)(100000703101)(100105400095)(93006095)(93001095)(10201501046)(3002001)(6055026)(6041248)(20161123555025)(20161123564025)(20161123558100)(20161123560025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123562025)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:BN3PR0501MB1298; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:BN3PR0501MB1298;
x-forefront-prvs: 0422860ED4
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(39860400002)(199003)(24454002)(57704003)(377454003)(189002)(51444003)(53936002)(6246003)(7736002)(5660300001)(101416001)(14454004)(2950100002)(99286003)(6306002)(966005)(82746002)(6512007)(6486002)(3280700002)(8676002)(8936002)(4326008)(229853002)(83716003)(305945005)(4001350100001)(97736004)(83506001)(2906002)(81156014)(81166006)(86362001)(77096006)(6506006)(66066001)(2900100001)(189998001)(6436002)(3660700001)(68736007)(25786009)(33656002)(105586002)(6116002)(3846002)(102836003)(54356999)(76176999)(50986999)(106356001)(36756003)(478600001)(53546010)(87944003); DIR:OUT; SFP:1102; SCL:1; SRVR:BN3PR0501MB1298; H:BN3PR0501MB1442.namprd05.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: juniper.net does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <6ABE2DBB8CEAA04EBE4EDACB46E1D284@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Sep 2017 19:56:49.8742 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN3PR0501MB1298
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/bBPqWK8zV3T-Vh6EWf5wn-wXiG4>
Subject: Re: [Anima] PKCS7 certificate SignerData certificates
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Sep 2017 19:56:56 -0000



> On Sep 5, 2017, at 6:09 PM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
> 
> 
> PKCS7 artifacts have three things in them:
> 1) the content (technically optional, but we need them)
> 2) a set of SignerInfo objects on the content.
> 3) within the SignerData, a bag of certificates, one or more of which has
>   signed the content, and the rest which may be useful to establish a trust
>   path to a CA.

Not that it matters to BRSKI, but:

   The PKCS#7 structure MAY also contain revocation objects for any
   intermediate CAs between the voucher-issuer and the trust anchor
   known to the recipient.


> Max and Kent do we need to say anything about what's in this bag of
> certificates, or whether or not they can/should be used to validate a voucher
> or voucher request.

S6 in the voucher draft says:

   The PKCS#7 structure SHOULD also contain all the certificates leading
   up to and including the signer's trust anchor certificate known to
   the recipient.

and S5.4 in the NETCONF zerotouch draft says:

   The device MUST first authenticate the ownership voucher by
   validating the signature on it to one of its preconfigured trust
   anchors (see Section 5.1).

Perhaps it should add "using any addiiotional intermediate certificates
stapled to the voucher"?




> Both the JRC (Registrar) and the MASA SHOULD validate signed requests are in
> fact signed by the key they claim is making the request.

Indeed, and what Max posted seems to show that it's covered.



> In a signed voucher request from the pledge to the registrar the
> pinned-domain-cert is that of the *PLEDGE* (signed with it's IDevID).
>  a) is that certificate also included in the PKCS7 bag of certificates?
>     I think the answer SHOULD be yes.

Yes, see the SHOULD from S6 above.


>  b) is there any operationally valid reason why there should be additional
>     certificates in the PKCS7 bag?
>     I can not come up with one. The registrar is never going to validate
>     any chain that the manufacturer might have used internally to set up
>     their CA for their IDevID.  It cares about the end-certificate only.

None that I can think of.


> In a signed voucher request from the JRC (registrar) to the MASA the
> pinned-domain-cert is that of the *Registrar* (signed with it's cmcRA marked
> certificate from the domain owner's CA).
> 
>  a) is that certificate also included in the PKCS7 bag of certificates?
>     I think the answer SHOULD be yes.

The signer of the PKCS7 SHOULD put its certificate into the SignedData
struct.   Whether the same certificate is also in the payload of the
PKCS7 is inconsequential.



>>  b) is there any operationally valid reason why there should be additional
>>     certificates in the PKCS7 bag?
>> 
>>     Yes.  At least the domain owner's CA and any certificates in between
>>     the Registrar and the CA SHOULD be presented.
>>     Should the domain owner be using a WebPKI of some sort, I think that
>>     it SHOULD send it all.
>> 
>>     Given pinned-domain-cert (vs our previous ideas), the issued voucher
>>     is going to be pinned to the Registrar's cert (not some DN specified
>>     chain).  But, the audit log probably ought to include the entire chain.
>> 
>>     Additionally, the entire chain MAY be needed in order to properly invoke
>>     the sales channel integration.
>> 
>> If you agree with my analysis, I will cook up some text for the newly
>> created 3.2 Examples section to explain this.  Some adaptation of the
>> text above.
>
> I think we’re close to agreeing. Some comments: 
>
> I like the jwt approach to certs where they include an entire “x5c” chain
> rather than a single cert. Maybe we should be copying that? In particular
> I like it better than trying to specify extra stuff in the certificate bag.
> The less we depend on the pkcs#7 structure the better and I’m willing to
> change the above uses to meet that goal. 

I like a chain more than a single cert as well.  I'm ambivalent to the
TA cert being provided, but I'm okay with it if it alignd better with
x5c.




>> In my code I'm doing:
>> 
>> i.  extract the first certificate from the PKCS7 bag, and use it to
>>    verify the PKCS7, telling the verifyer not to validate the chain,
>>    and not to use any certificates from the PKCS7.
>>    I found that I could not find a way to access the content of the PKCS7
>>    content without verifying first.  I don't know if this is a ruby-openssl,
>>    or underlying libssl limitation yet.
>
> This is an important point. In openssl I believe I was able to crack into the
> details without verifying and then go back and verify once I’d extracted the
> cert bags. 

Wah?  First, we can't assume the 1st cert is the one you want.  In ASN.1
parlance, it is a SET (not a SEQUENCE).  Next, my code [1] validated the
voucher's signature first - I don't understand the need to be out-of-order
here.  Last, yes, you can access the contents without verification using
the smime -noverify flag.

[1] https://github.com/netconf-wg/zero-touch/blob/master/openssl-test/device/removable-storage-device/Makefile



>> ii.  I look at the content now, parse the JSON, pull pinned-domain-cert out.
>> iii. I then use the pinned-domain-cert to verify the PKCS7 again.  Perhaps
>>     I could do a memcpy() against what I had in step (i), and avoid the
>>     second signature check if it was the same.
>> 
>> I could probably be more flexible in (i) by permitting it to use the bag of
>> certificates, but telling it not to validate any chain.   I feel like there
>> may be an attack lurking here because I wouldn't know which certificate
>> actually validated the object, but that's just a gut instinct.
>> {But, the above change makes the same code directly useable on the MASA as
>> well.  But, really, it's only four lines}
>> 
>> Alternatively, in step (i), I should try all the certificates until one
>> works, guarding aginst there being more than one.
>
> Dunno the options. I brought my code up this evening to relook at the 
> pinned-cert discussion in this exact area but didn’t make any progress. 
> I’ll try and look at it tomorrow. 

If you have separately verified the signer cert (e.g.,  valid chain, etc.),
then you can use `smime -noverify -signer ...` which *only* verifies that
the signer cert signed the content (but skips verifying if the signer cert
is itself valid).


K.

v2.23.0 | Report a Bug | By Email