IETF Logo Mail Archive

[IPsec] Matching of IKE ID on certificate subject and RDN ordering

Tero Kivinen <kivinen@iki.fi> Sun, 10 May 2020 12:02 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4882B3A091A for <ipsec@ietfa.amsl.com>; Sun, 10 May 2020 05:02:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=iki.fi
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gf6l-Jx9wKoq for <ipsec@ietfa.amsl.com>; Sun, 10 May 2020 05:02:51 -0700 (PDT)
Received: from lahtoruutu.iki.fi (lahtoruutu.iki.fi [IPv6:2a00:1c30:1c1::55]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B961A3A0917 for <ipsec@ietf.org>; Sun, 10 May 2020 05:02:49 -0700 (PDT)
Received: from fireball.acr.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: kivinen) by lahtoruutu.iki.fi (Postfix) with ESMTPSA id F3F501B000A0; Sun, 10 May 2020 15:02:45 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1589112166; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=XcQym6hylxIBcy8hpfdqTClrRa8aCFazmQnwqmGDlZY=; b=humcZYkB74WZ3z+8hs94JgfntebDWttvRXJvrk8Avts7naZOdCF2Z0DFKIaTOR+Rk34zAg BPeRngvM66HuXlTRCLlNvaqKVQ2rVlgZnaVtBNQKEZ3caa0AgCIZM1QU1IWDdKAbSTu7id 0Y2NsyQH4tz5vfcBZkopHeknoiKw4nUaNbq1/Td+w6AJFgArvKING/XjPeYThSRPZodgPq NczLy4oCQ8ambZ1IMwDrSaSKeWvLJ8gYOmATLrCWcT/wBRDRN/f2hXKfCaeS0Lat+PBX8s r9i88vWcrg8N+vFZpsb5iyFl6Qsy3TF5U5rWqw0zMIAvPLnyB+x5q9acApc7BA==
Received: by fireball.acr.fi (Postfix, from userid 15204) id D7A4525C15D7; Sun, 10 May 2020 15:02:44 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <24247.60772.749384.75052@fireball.acr.fi>
Date: Sun, 10 May 2020 15:02:44 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Paul Wouters <paul@nohats.ca>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>
In-Reply-To: <alpine.LRH.2.21.2005071902140.2069@bofh.nohats.ca>
References: <alpine.LRH.2.21.2005071902140.2069@bofh.nohats.ca>
X-Mailer: VM 8.2.0b under 26.3 (x86_64--netbsd)
X-Edit-Time: 27 min
X-Total-Time: 33 min
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1589112166; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=XcQym6hylxIBcy8hpfdqTClrRa8aCFazmQnwqmGDlZY=; b=FTOnmyUhCx2MG9YFAwV8dpXNDXk51KKxIXLqGYaFX05zVOZnRioujnJX8xuFJpdf347puS kpN+G0udGqLeF1F0YOvO10dY+sez3RNPWaXVqGWg0wW+WzZHAke6iJx74PtPsKBs6QVSPD mbHn9CK/0uuAMc7KZ4TZ9fIF/SXG7GW47h6PHbNYQ22gq7wn0ZWhYj+ugLkrx9RzGB3ddf ry1vPLk37YehZ1LWARvabI79i74QZ5l77Yc5y7SINNOPsYj994gyEVWrAd5Uh8TSMueEId 7VYxcGDXe2x7whqj+rzYja0NoqQXCe8R4stHCNpBZKwju9UD8vrn09ANs6X6SQ==
ARC-Seal: i=1; s=lahtoruutu; d=iki.fi; t=1589112166; a=rsa-sha256; cv=none; b=Ho3hDS4XGeK1CY06H8thh9kaESAn/Dd2SOAc+3gc545ROKfEhYf7vIrsFbbW2X4lp0I23u ULmabZdn4ltrQCFkXHrKHFeWvdq7/dfqbFteKk6zIneGpDkmDvCufJhv9n+2zOSIBgM+uZ dScfH6riOMPd9b5SqtoT4oCba8TqnQdcrcDSsPvDJuVeoyQTuX5xy9WrYm9EmB8PAZkuUD Bzr/0datFrMgYrlrLE4stboVbuQz2r+NL/Ktv9YFQZp4ZMu2L5w3462yFpopPs8GAg2d4e dkQW4lB2iZBjJVus+XzkbMHvTBxsnVoDQE3/Efz0MukSG465+yz1pp8BuqbWCw==
ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=kivinen smtp.mailfrom=kivinen@iki.fi
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/z92qZVobCliuiObpZI4nBCplXdc>
Subject: [IPsec] Matching of IKE ID on certificate subject and RDN ordering
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 May 2020 12:02:56 -0000

Paul Wouters writes:
> 
> Recently I had an interesting issue come up. I needed to generate a
> certificate with a specific OU= content that our openssl/python
> code couldn't do, and I switched to nss's cert-util to generate
> a cert of sets for a test.
> 
> Then I noticed something strange. Let's say you have the following
> DN specified for certificate generation:
> 
>  	C=CZ, ST=Moravia, L=Brno, O=Test Example, OU="Global, Support, Services", CN=server
> 
> For openssl, when checking the subject of the cert, it matches in this
> order. but when I generated the same certificate with nss cert-util
> and re-read it back in openssl, it showed me:
> 
>  	CN=server, OU="Global, Support, Services", O=Test Example, L=Brno, ST=Moravia, C=CZ
> 
> Note that C= and CN= are swapped. These are differences in the binary data, not the presentation.

Most likely another assumes bitwise DN order, and other used LDAP DN
order. Another is most significant part first, another is least
significant part first. I.e., I assume you made certificate
incorrectly when you switched to new tool, as you assumed it takes DN
in same order than openssl tools took it.

Most of the tools just take the DN you give to them and do not look at
the order of C, ST, L, etc parts, but just encode the sequence in the
order you gave them in. But some tools assume you give the DN in LDAP
order which is reversed order from what you have in the actual binary
DER, so they reverse the list before doing this encoding.

>From RFC4514:
----------------------------------------------------------------------
2.1.  Converting the RDNSequence

   If the RDNSequence is an empty sequence, the result is the empty or
   zero-length string.

   Otherwise, the output consists of the string encodings of each
   RelativeDistinguishedName in the RDNSequence (according to Section
   2.2), starting with the last element of the sequence and moving
   backwards toward the first.
----------------------------------------------------------------------

If you look at the
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil
page you notice that examples do have DN in reverse order, i.e. CN
first etc, while openssl takes them in other order. So it clearly
assumes you give the DN in ldap order, not in the most significant
part first order.

BTW, If I remember right the reason for LDAP to use the least
significant part first order was that it allowed searching the
database using partial searches like "CN=kivinen" without the need to
fill in the OU, O, C etc parts and search could then simply assume
default values for those omitted parts. Or something like that.

> When reading https://tools.ietf.org/html/rfc5280#section-7.1 we see:
> 
>     Two distinguished names DN1 and DN2 match if they
>     have the same number of RDNs, for each RDN in DN1 there is a matching
>     RDN in DN2, and the matching RDNs appear in the same order in both
>     DNs.
> 
> 
> So technically, when we expect one, receiving the other order would be
> wrong. So should we really do matching based on the same order of RDNs.
> What do other implementations do?

You MUST match them in order. If the order is wrong then the DNs do
not match.

Note, that there can be multiple OU fields in the same certificate and
the order of those must be preserved, and also those are reversed
depending on the string format used, so you cannot just take the
attributes and sort them in some order, you must know which order is
supposed to be used and use that.

I.e., if you have

C=FI, O=example Corp, OU=Development, OU=Support, CN=server

and

C=FI, O=example Corp, OU=Support, OU=Development, CN=server

then they are two different sub devisions inside the same
organization, and you must be able to limit developments version
control server so that only support people of the development division
can access it and the global support devision do not have any access
to it.... Same goes with other things for example for DC attributes.

And when you reverse those for least significant part first order, you
do reverse the order of OU fields too.

> Now, I guess I can weasel myself out of here, by claiming that we are
> not comparing two certificates. We just get one via CERT payload and
> validate it, and _then_ compare its DN against our IKE ID (which is a
> DN, sorta kinda). So perhaps I can say the IKE ID can take RDN's in
> any order. As we are dealing with (private) CA's, we can probably be
> ensured it would not create two certs that only differ in RDN ordering.

It is better to properly make the certificates so that the most
significant part of the DN is first in sequence (i.e., C first inside
ASN.1 sequence) and make sure you give then DN in the order that will
result in that to the tool you are using. 

If you ever use any string representation for the DN you must clarify
in your documentation which format you use, i.e., whether you use most
significant part first, or least siginifanct part first. And when you
encode and print them you always consistently do the encoding and
printing in same order. And do matching using binary representation in
the order they are in the DER sequence.
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email