[Anima] PKCS7 certificate SignerData certificates
Michael Richardson <mcr+ietf@sandelman.ca> Wed, 06 September 2017 00:09 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 053E01321CB for <anima@ietfa.amsl.com>; Tue, 5 Sep 2017 17:09:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gb8oNUlkP3dX for <anima@ietfa.amsl.com>; Tue, 5 Sep 2017 17:09:30 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 31EBE12426E for <anima@ietf.org>; Tue, 5 Sep 2017 17:09:30 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 0E24120566; Tue, 5 Sep 2017 20:13:17 -0400 (EDT)
Received: from obiwan.sandelman.ca (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id E52A280B17; Tue, 5 Sep 2017 20:09:28 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: anima@ietf.org
cc: max pritikin <pritikin@cisco.com>, Kent Watsen <kwatsen@juniper.net>
X-Attribution: mcr
X-Mailer: MH-E 8.6; nmh 1.6+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Tue, 05 Sep 2017 20:09:28 -0400
Message-ID: <4705.1504656568@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/beOplH4ON9exq14fIFsE7pAndnQ>
Subject: [Anima] PKCS7 certificate SignerData certificates
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Sep 2017 00:09:32 -0000
PKCS7 artifacts have three things in them: 1) the content (technically optional, but we need them) 2) a set of SignerInfo objects on the content. 3) within the SignerData, a bag of certificates, one or more of which has signed the content, and the rest which may be useful to establish a trust path to a CA. Max and Kent do we need to say anything about what's in this bag of certificates, or whether or not they can/should be used to validate a voucher or voucher request. Both the JRC (Registrar) and the MASA SHOULD validate signed requests are in fact signed by the key they claim is making the request. In a signed voucher request from the pledge to the registrar the pinned-domain-cert is that of the *PLEDGE* (signed with it's IDevID). a) is that certificate also included in the PKCS7 bag of certificates? I think the answer SHOULD be yes. b) is there any operationally valid reason why there should be additional certificates in the PKCS7 bag? I can not come up with one. The registrar is never going to validate any chain that the manufacturer might have used internally to set up their CA for their IDevID. It cares about the end-certificate only. In a signed voucher request from the JRC (registrar) to the MASA the pinned-domain-cert is that of the *Registrar* (signed with it's cmcRA marked certificate from the domain owner's CA). a) is that certificate also included in the PKCS7 bag of certificates? I think the answer SHOULD be yes. b) is there any operationally valid reason why there should be additional certificates in the PKCS7 bag? Yes. At least the domain owner's CA and any certificates in between the Registrar and the CA SHOULD be presented. Should the domain owner be using a WebPKI of some sort, I think that it SHOULD send it all. Given pinned-domain-cert (vs our previous ideas), the issued voucher is going to be pinned to the Registrar's cert (not some DN specified chain). But, the audit log probably ought to include the entire chain. Additionally, the entire chain MAY be needed in order to properly invoke the sales channel integration. If you agree with my analysis, I will cook up some text for the newly created 3.2 Examples section to explain this. Some adaptation of the text above. In my code I'm doing: i. extract the first certificate from the PKCS7 bag, and use it to verify the PKCS7, telling the verifyer not to validate the chain, and not to use any certificates from the PKCS7. I found that I could not find a way to access the content of the PKCS7 content without verifying first. I don't know if this is a ruby-openssl, or underlying libssl limitation yet. ii. I look at the content now, parse the JSON, pull pinned-domain-cert out. iii. I then use the pinned-domain-cert to verify the PKCS7 again. Perhaps I could do a memcpy() against what I had in step (i), and avoid the second signature check if it was the same. I could probably be more flexible in (i) by permitting it to use the bag of certificates, but telling it not to validate any chain. I feel like there may be an attack lurking here because I wouldn't know which certificate actually validated the object, but that's just a gut instinct. {But, the above change makes the same code directly useable on the MASA as well. But, really, it's only four lines} Alternatively, in step (i), I should try all the certificates until one works, guarding aginst there being more than one. -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
- [Anima] PKCS7 certificate SignerData certificates Michael Richardson
- Re: [Anima] PKCS7 certificate SignerData certific… Max Pritikin (pritikin)
- Re: [Anima] PKCS7 certificate SignerData certific… Kent Watsen
- Re: [Anima] PKCS7 certificate SignerData certific… Michael Richardson
- Re: [Anima] PKCS7 certificate SignerData certific… Michael Richardson
- Re: [Anima] PKCS7 certificate SignerData certific… Max Pritikin (pritikin)
- [Anima] resolving overload of pinnned-domain-cert… Max Pritikin (pritikin)