[Anima] creating iDevID certs with openssl

Robert Moskowitz <rgm-sec@htt-consult.com> Mon, 14 August 2017 17:45 UTC

Return-Path: <rgm-sec@htt-consult.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB3DF1323C0 for <anima@ietfa.amsl.com>; Mon, 14 Aug 2017 10:45:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.801
X-Spam-Level:
X-Spam-Status: No, score=-2.801 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lkrc91Vbgl5W for <anima@ietfa.amsl.com>; Mon, 14 Aug 2017 10:45:33 -0700 (PDT)
Received: from z9m9z.htt-consult.com (z9m9z.htt-consult.com [50.253.254.3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B914E1323B6 for <anima@ietf.org>; Mon, 14 Aug 2017 10:45:33 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by z9m9z.htt-consult.com (Postfix) with ESMTP id CF52362177 for <anima@ietf.org>; Mon, 14 Aug 2017 13:45:32 -0400 (EDT)
X-Virus-Scanned: amavisd-new at htt-consult.com
Received: from z9m9z.htt-consult.com ([127.0.0.1]) by localhost (z9m9z.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id V4PFyQUav9rf for <anima@ietf.org>; Mon, 14 Aug 2017 13:45:26 -0400 (EDT)
Received: from lx120e.htt-consult.com (unknown [192.168.160.12]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by z9m9z.htt-consult.com (Postfix) with ESMTPSA id C6D6062174 for <anima@ietf.org>; Mon, 14 Aug 2017 13:45:25 -0400 (EDT)
To: anima@ietf.org
From: Robert Moskowitz <rgm-sec@htt-consult.com>
Message-ID: <d64b22cd-807d-2598-7f2d-2ef07534724b@htt-consult.com>
Date: Mon, 14 Aug 2017 13:44:42 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/k5UCPqBgHw78ea5mxW7hwMWQLUs>
Subject: [Anima] creating iDevID certs with openssl
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Aug 2017 17:45:37 -0000

I have just joined this list.  So if this is covered in the archives 
anywhere, my weak search foo did not uncover it...

Has anyone created iDevID certs with openssl including subjectAltName 
with hardwareModuleName?

I have been working on this for a few days and have worked out HOW to 
even get certs to contain SAN, particularly going the csr route. I have 
learned on the openssl list that HMN is not directly supported and that 
you have to use othername.  Something like

[ req_ext ]
subjectAltName = otherName:1.3.6.1.5.5.7.8.4;SEQ:hmodname

[ hmodname ]
hwType = OID:1.2.3.4 # Whatever OID you want.
hwSerialNum = FORMAT:HEX,OCT:01020304 # Some hex

But I am not sure what exactly to do with hwType and hwSerialNum

Are there any extant examples?

Currently there is no way to feed any SAN value in at the command like 
'openssl req'.  It has to go into the config file, so once I work out 
WHAT to but into these fields, I will have to do some kludgly stuff to 
stuff values into the config then run the command. There are examples of 
this around for SANs of IP, DNS, etc.

BTW, so far I have a simple guide for making a pki of ECDSA certs using 
openssl.  I would be willing to share what I have done todate.  The 
802.1AR cert section is understandably incomplete...

Bob