Re: [netconf] crypto-types and keystore comments

Martin Bjorklund <mbj@tail-f.com> Thu, 14 November 2019 09:06 UTC

Return-Path: <mbj@tail-f.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD3C91208A5 for <netconf@ietfa.amsl.com>; Thu, 14 Nov 2019 01:06:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rio2IGbYu_yL for <netconf@ietfa.amsl.com>; Thu, 14 Nov 2019 01:06:31 -0800 (PST)
Received: from mail.tail-f.com (mail.tail-f.com [46.21.102.45]) by ietfa.amsl.com (Postfix) with ESMTP id 7FFF4120232 for <netconf@ietf.org>; Thu, 14 Nov 2019 01:06:31 -0800 (PST)
Received: from localhost (unknown [173.38.220.41]) by mail.tail-f.com (Postfix) with ESMTPSA id B2AF41AE0312; Thu, 14 Nov 2019 10:06:29 +0100 (CET)
Date: Thu, 14 Nov 2019 10:05:58 +0100 (CET)
Message-Id: <20191114.100558.1371995383202419404.mbj@tail-f.com>
To: kent@watsen.net
Cc: netconf@ietf.org, wang.haiguang.shieldlab@huawei.com
From: Martin Bjorklund <mbj@tail-f.com>
In-Reply-To: <0100016e66c9b02d-382d9d6e-6d88-47ec-a117-5f38a3699fb1-000000@email.amazonses.com>
References: <20191113.135649.2218807015240802033.mbj@tail-f.com> <0100016e66c9b02d-382d9d6e-6d88-47ec-a117-5f38a3699fb1-000000@email.amazonses.com>
X-Mailer: Mew version 6.8 on Emacs 25.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/mqAYn7s4pvOLvXyBJvia09HAOhI>
Subject: Re: [netconf] crypto-types and keystore comments
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Nov 2019 09:06:35 -0000

Kent Watsen <kent@watsen.net> wrote:
> 
> 
> Hi Martin,
> 
> 
> > o  Is the key-format there to support multiple formats for the same
> >   kind of key (e.g., ssh key), or is it there to be able to have
> >   different kinds of keys in the same list?  (Or both?)
> > 
> >   I.e., is the intentation that a client can freely pick any
> >   private-key-format (that is supported by the server), regardless of
> >   how the key is used?
> 
> Firstly, see:
> https://mailarchive.ietf.org/arch/msg/netconf/5Zpj8Xxh7bHvAJeQf2Lj0t6h8hg
> <https://mailarchive.ietf.org/arch/msg/netconf/5Zpj8Xxh7bHvAJeQf2Lj0t6h8hg>
> 
> That said, there are some limitations that are likely not represented
> yet.  For instance, an encrypted private key must use "identity
> encrypted-private-key-format" and an encrypted symmetric key must use
> "identity encrypted-symmetric-key-format", as there is no way to
> express it otherwise.
> 
> But your question is likely more regarding the other direction, for an
> *unencrypted" asymmetric key, can a client arbitrarily choose one of
> the *-private-key-format identities or "identity
> one-asymmetric-key-format"; likewise, for an *unencrypted* symmetric
> key, can a client arbitrarily use either "identity
> octet-string-key-format" or "identity one-symmetric-key-format".
> 
> The goal is for the use of OneAsymmetricKey and OneSymmetricKey
> formats to be an advanced feature.  As said above, these structures
> must be used for encrypted keys, and should be used for unencrypted
> key (as the structure carries security attributes not present in the
> raw formats), but it's more likely that implementations will support
> the raw formats.
> 
> My thoughts are that, if an implementation is updated to support for
> One[A]SymmetricKey for encrypted keys, then letting a client
> optionally use One[A]SymmetricKey for unencrypted keys isn't that big
> of an implementation effort.  Thus I suggest adding features called
> "one-symmetric-key" and "one-asymmetric-key", and place if-feature
> statements under these identities so that servers can express when
> they support them.

Suppose I want to configure a ssh host-key as the server-identity for
my NETCONF server.  Is the intention that a client can pick either
"ssh-public-key-format" or "subject-public-key-info-format", and the
server must support both?


> > o  One idea that was floating around was to have separate keystore
> >   lists for different things (see the ML archives, e.g. some mails in
> >   the thread "crypto-types fallback strategy").  I.e. instead of the
> >   current:
> > 
> >   +--rw keystore
> >      +--rw asymmetric-keys
> >      |  +--rw asymmetric-key* [name]
> > 
> > 
> >   we would have something like:
> > 
> >   +--rw keystores
> >      +--rw ssh-keystore
> >      |  ...
> >      +--rw tls-keystore  // x509-keystore?
> >         ...
> 
> Right, but that approach was deemed not viable before.
> 
> 
> >   If we don't have to support multiple formats for the same kind
> >   of key, I don't think we need the key-format in this case.
> 
> Maybe.
> 
> 
> >   With the current design it is not obvious to me how I can find all
> >   ssh keys, for example.
> 
> That's because keys don't have to have a set purpose.  For instance,
> an IDevID shipped with the device could be used for either SSH or TLS.
> 
> 
> >   This said, *if* we use a single generic list, I think the list in
> >   the current model works fine.  It is a bit complicated, but some
> >   complexity is inevitable with a generic model like this.
> 
> Yes and yes.
> 
> 
> 
> 
> > o   iana- modules
> > 
> >  The iana modules have a list of supported algorithms, e.g.:
> > 
> >       list supported-asymmetric-algorithm
> > 
> >  I mentioned this before - I don't think a global list like this is
> >  sufficient.  For example, perhaps my TLS code supports "secp521r1",
> >  but my SSH code does not.
> 
> Yes, well, this is a known problem (e.g.,
> https://github.com/netmod-wg/yang-next/issues/82
> <https://github.com/netmod-wg/yang-next/issues/82>).

That is quite different.

You're using a normal config false list for this (which is fine), but
I don't think you can use a single global list like this.


> I realize that
> you're not specifically talking about feature statements, but it's
> similar.  One difference between #82 and this is that here, the
> capabilities are presented in "config false" lists instead, which
> might bring us to https://github.com/netmod-wg/yang-next/issues/41
> <https://github.com/netmod-wg/yang-next/issues/41> again...
> 
> 
> 
> > And some random small things I noticed:
> > 
> > o  ssh-public-key-format
> > 
> >  The crypto model has:
> > 
> >    identity ssh-public-key-formatp {
> >      base "public-key-format";
> >      description
> >        "The public key format described by RFC 4716.";
> >    }
> > 
> >  I think that this should be:
> > 
> >    description
> >      "The binary public key data for an SSH key, as
> >       specified by RFC 4253, Section 6.6, i.e.:
> > 
> >         string    certificate or public key format
> >                   identifier
> >         byte[n]   key/certificate data.";
> >    reference
> >      "RFC 4253: The Secure Shell (SSH) Transport Layer
> >                 Protocol";
> > 
> >  Note that the public key format in 4716 is textual:
> > 
> >    ---- BEGIN SSH2 PUBLIC KEY ----
> >    Header-tag ':' ' ' Header-value
> >    BODY
> >    ---- END SSH2 PUBLIC KEY ----
> > 
> >  Where BODY is:
> > 
> >   The body of a public key file is the base64 encoded ([RFC2045])
> >   public key data as specified by [RFC4253], Section 6.6:
> > 
> >         string    certificate or public key format identifier
> >         byte[n]   key/certificate data
> > 
> >  So with your current definition we would take this textual format
> >  (that has the key base64-encoded), and base64 encode the whole
> >  thing (includign the already base64-encoded key).
> 
> I will say that the definition above was given because it is the only
> *standards* based key that `openssh` can output (i.e., `ssh-keygen -e
> [-m RFC4716] -f <private-key-file>`).

With my proposal you can take the output of this openssh command and
copy & paste the base64-encoded data from this output to a YANG node
using ssh-public-key-format.

With your proposal you have to copy the entire output, base64 encode
it *again*, and then copy & paste that result to the YANG node.


> That said, if you refer to the link I provided at top, it is my belief
> that the "key-format" node may be extended to support alternate
> encodings (e.g., DER vs PEM and, potentially, CMS vs multi-part PEM).
> To this end, perhaps we could support both the 4716 and 4253 formats.

Do we really want to go there?  This is already quite complex, and
having a multitude of optional formats for the same thing may make
things even more complex, to understand and get right.

> > o  subject-public-key-info-format
> > 
> >  The crypto model has:
> > 
> >    identity subject-public-key-info-format {
> >      base "public-key-format";
> >      description
> >        "A SubjectPublicKeyInfo (from RFC 5280).";
> >    }
> > 
> >  Should this be "DER encoded"?
> > 
> >  (this and other defintions have references to RFCs in the
> >  description; they should be moved to proper "reference" statements)
> 
> Yes.  I put together these definitions in as a test/protocol to gauge
> viability with the plan to enhance the definitions if the WG committed
> to the approach.  I just added some "FIXME" comments to my local copy.

Ok.


> > o  iana-hash-algs
> > 
> >  This module has a bunch of shake-*:
> > 
> >      enum shake-224 {
> >        value 7;
> >        description
> >          "The SHA3 algorithm with 224-bits output.";
> > 
> >  I think this should be "sha3-224" etc.
> > 
> >  (there are just two shake hash functions defined; shake 128 & 256,
> >  and they have variable output)
> > 
> >  (and BTW, FIPS PUB 202 doesn't define sha3-128)
> 
> I don't know.  These are are/were specified by my co-author Haiguang
> (CC-ed).  Haiguang, can you comment?
> 
> 
> Kent // contributor
> 
> 



/martin