Re: [Anima] creating iDevID certs with openssl

Robert Moskowitz <rgm-sec@htt-consult.com> Wed, 23 August 2017 12:28 UTC

Return-Path: <rgm-sec@htt-consult.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF04D132964 for <anima@ietfa.amsl.com>; Wed, 23 Aug 2017 05:28:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q2myG9Si5_Ec for <anima@ietfa.amsl.com>; Wed, 23 Aug 2017 05:28:41 -0700 (PDT)
Received: from z9m9z.htt-consult.com (z9m9z.htt-consult.com [50.253.254.3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8455B132992 for <anima@ietf.org>; Wed, 23 Aug 2017 05:28:41 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by z9m9z.htt-consult.com (Postfix) with ESMTP id 747FB615E4 for <anima@ietf.org>; Wed, 23 Aug 2017 08:28:40 -0400 (EDT)
X-Virus-Scanned: amavisd-new at htt-consult.com
Received: from z9m9z.htt-consult.com ([127.0.0.1]) by localhost (z9m9z.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 54za8PQp-3kB for <anima@ietf.org>; Wed, 23 Aug 2017 08:28:35 -0400 (EDT)
Received: from lx120e.htt-consult.com (unknown [192.168.160.12]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by z9m9z.htt-consult.com (Postfix) with ESMTPSA id C09E36210C for <anima@ietf.org>; Wed, 23 Aug 2017 08:28:34 -0400 (EDT)
From: Robert Moskowitz <rgm-sec@htt-consult.com>
To: anima@ietf.org
References: <d64b22cd-807d-2598-7f2d-2ef07534724b@htt-consult.com>
Message-ID: <581cee9d-2004-e684-45c3-404f5bbbe297@htt-consult.com>
Date: Wed, 23 Aug 2017 08:28:17 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <d64b22cd-807d-2598-7f2d-2ef07534724b@htt-consult.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/dEm7cnGiJlBjRLCfxmNtg6Nj6Y0>
Subject: Re: [Anima] creating iDevID certs with openssl
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Aug 2017 12:28:45 -0000

I have updated my guide for building a little ECDSA pki, including 
iDevID certs.  You can see it at:

www.htt-consult.com/pki

PEM works.  DER does not work.  I have been finding problems with 
openssl command line support for DER.  Which brings up a question for 
this list:

What format do you expect to see for: 
draft-ietf-anima-bootstrapping-keyinfra

PEM or DER?

PEM supports cert chains, DER does not.
DER is nice and small for small devices.  A PEM non-password P-256 
private key object is 241 bytes.  DER is 121 bytes (DER does not support 
encrypting the private key object).  This is a real cost of secure 
storage for some devices.

What format are the various bootstrap objects (eg vouchers)?  Has anyone 
built any of these for PoC?


On 08/14/2017 01:44 PM, Robert Moskowitz wrote:
> I have just joined this list.  So if this is covered in the archives 
> anywhere, my weak search foo did not uncover it...
>
> Has anyone created iDevID certs with openssl including subjectAltName 
> with hardwareModuleName?
>
> I have been working on this for a few days and have worked out HOW to 
> even get certs to contain SAN, particularly going the csr route. I 
> have learned on the openssl list that HMN is not directly supported 
> and that you have to use othername.  Something like
>
> [ req_ext ]
> subjectAltName = otherName:1.3.6.1.5.5.7.8.4;SEQ:hmodname
>
> [ hmodname ]
> hwType = OID:1.2.3.4 # Whatever OID you want.
> hwSerialNum = FORMAT:HEX,OCT:01020304 # Some hex
>
> But I am not sure what exactly to do with hwType and hwSerialNum
>
> Are there any extant examples?
>
> Currently there is no way to feed any SAN value in at the command like 
> 'openssl req'.  It has to go into the config file, so once I work out 
> WHAT to but into these fields, I will have to do some kludgly stuff to 
> stuff values into the config then run the command. There are examples 
> of this around for SANs of IP, DNS, etc.
>
> BTW, so far I have a simple guide for making a pki of ECDSA certs 
> using openssl.  I would be willing to share what I have done todate.  
> The 802.1AR cert section is understandably incomplete...
>
> Bob
>
>
>
> _______________________________________________
> Anima mailing list
> Anima@ietf.org
> https://www.ietf.org/mailman/listinfo/anima