IETF Logo Mail Archive

Re: [netmod] x509c2n:cert-to-name problem [WAS: [netconf-wg/https-notif] What is the user-id of the entity sending the notification? (#3)]

Kent Watsen <kent@watsen.net> Fri, 25 October 2019 18:03 UTC

Return-Path: <0100016e0416c312-13b65019-1c32-4fc8-b8b2-f2b7cc591a00-000000@amazonses.watsen.net>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42BBB120817 for <netmod@ietfa.amsl.com>; Fri, 25 Oct 2019 11:03:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VmcwZOlK3K-B for <netmod@ietfa.amsl.com>; Fri, 25 Oct 2019 11:03:52 -0700 (PDT)
Received: from a8-33.smtp-out.amazonses.com (a8-33.smtp-out.amazonses.com [54.240.8.33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6C9EE120043 for <netmod@ietf.org>; Fri, 25 Oct 2019 11:03:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw; d=amazonses.com; t=1572026631; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=TkafFKjAjNqdLkb/CqxD6mPdwtjshjlQX4qPd0ihGK4=; b=Jqxr7o4kVlRXM/SSNV/OSa9YSelXIFY8PqhvzqEv5gdxIA8IAkzh6RZfBEUflOsk 8D0yjJfV2pZpgzsCntSusClKgUywfluywJ+C6U/AjQEIlKPbjFl264Y9shXqm/BD3WA H9EfeZ2/ICKDTa2Hh8+1AtR/jsdpon3ZpAaICfOo=
From: Kent Watsen <kent@watsen.net>
Message-ID: <0100016e0416c312-13b65019-1c32-4fc8-b8b2-f2b7cc591a00-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_D9EB0028-9A8C-491E-9853-A5AED096BFC5"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Fri, 25 Oct 2019 18:03:51 +0000
In-Reply-To: <20191023.101844.48270589337022568.mbj@tail-f.com>
Cc: "netmod@ietf.org" <netmod@ietf.org>
To: Martin Bjorklund <mbj@tail-f.com>
References: <netconf-wg/https-notif/issues/3@github.com> <netconf-wg/https-notif/issues/3/545072069@github.com> <20191023.101844.48270589337022568.mbj@tail-f.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-SES-Outgoing: 2019.10.25-54.240.8.33
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/Vqt8K2SA__U2fnKpJ9Y5gc4_lDg>
Subject: Re: [netmod] x509c2n:cert-to-name problem [WAS: [netconf-wg/https-notif] What is the user-id of the entity sending the notification? (#3)]
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Oct 2019 18:03:55 -0000


> On Oct 23, 2019, at 4:18 AM, Martin Bjorklund <mbj@tail-f.com> wrote:
> 
> Hi,
> 
> Since this is a problem with ietf-x509-cert-to-name I reply to this
> question here, rather than buried in a reply to another issue for
> another document ;-)
> 
> Kent Watsen <notifications@github.com> wrote:
>> Separately, I just noticed an issue with the
>> `ietf-[net/rest]conf-server` modules using x509c2n:cert-to-name.
>> 
>> ```
>>         leaf fingerprint {
>>           type x509c2n:tls-fingerprint;
>>           mandatory true;
>>           description
>>             "Specifies a value with which the fingerprint of the
>>              full certificate presented by the peer is compared.  If
>>              the fingerprint of the full certificate presented by the
>>              peer does not match the fingerprint configured, then the
>>              entry is skipped, and the search for a match continues.";
>> ```
>> 
>> This definition seems to exclude authenticating client certificates
>> via a trust anchor certificate as, if one can configure a fingerprint,
>> then one could also configure the whole certificate (e.g.,
>> `tls-server-parameters/client-authentication/client-certs`), thus
>> obviating the need for
>> `tls-server-parameters/client-authentication/ca-certs`.
> 
> [...]
> 
>> A better definition (I think) would've been:
>> 
>> ```
>> OLD: full certificate presented by the peer 
>> NEW: full certificate of the certificate used to authenticate the
>> certificate presented by the peer, which MAY be the peer's end-entity
>> certificate.
>> ```
> 
> Hmm, I think you found an inconsisteny in this module.  Note that the
> description of the list itself has:
> 
>         The cert-to-name entry's fingerprint
>         determines whether the list entry is a match:
> 
>         1) If the cert-to-name list entry's fingerprint value
>            matches that of the presented certificate, then consider
>            the list entry a successful match.
> 
>         2) If the cert-to-name list entry's fingerprint value
>            matches that of a locally held copy of a trusted CA
>            certificate, and that CA certificate was part of the CA
>            certificate chain to the presented certificate, then
>            consider the list entry a successful match.
> 
> Also note:
> 
>        Security administrators are encouraged to make use of
>        certificates with subjectAltName fields that can be mapped to
>        names so that a single root CA certificate can allow all
>        child certificates' subjectAltName fields to map directly to
>        a name via a 1:1 transformation.
> 
> So I think this is a bug in the description of "leaf fingerprint".

I'd rather it be that than a bug in "list cert-to-name".    Would an erratum be appropriate here?   While the fix effectively changes the meaning of "fingerprint", it only would do so in order to resolve the inconsistency, and thus seems necessary.

Martin, if you agree, would to like to propose text or go straight to submitting an erratum?


>> I note that `fingerprint` may be 0 characters in length, which is what
>> netconf/restconf servers wanting to support authenticating clients via
>> a trust anchor will need to do in their configurations.  I'll update
>> the examples in those drafts to include an empty `fingerprint` node.
> 
> But 0-length fingerprint won't match anything, which means you won't
> get a user name and the client can't be authenticated, and the session
> dropped.

Actually, I thought that this was on purpose, as SnmpTLSFingerprint in RFC 6353 (referenced by "typedef tls-fingerprint" says (note the 3rd paragraph):

SnmpTLSFingerprint ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "1x:1x"
    STATUS       current
    DESCRIPTION
       "A fingerprint value that can be used to uniquely reference
       other data of potentially arbitrary length.

       An SnmpTLSFingerprint value is composed of a 1-octet hashing
       algorithm identifier followed by the fingerprint value.  The
       octet value encoded is taken from the IANA TLS HashAlgorithm
       Registry (RFC 5246).  The remaining octets are filled using the
       results of the hashing algorithm.

       This TEXTUAL-CONVENTION allows for a zero-length (blank)
       SnmpTLSFingerprint value for use in tables where the
       fingerprint value may be optional.  MIB definitions or
       implementations may refuse to accept a zero-length value as
       appropriate."
       REFERENCE "RFC 5246: The Transport Layer
                  Security (TLS) Protocol Version 1.2
                  http://www.iana.org/assignments/tls-parameters/
       "
    SYNTAX OCTET STRING (SIZE (0..255))

Does it not have the same meaning?

Kent // contributor


> 
> 
> /martin
> 
> _______________________________________________
> netmod mailing list
> netmod@ietf.org
> https://www.ietf.org/mailman/listinfo/netmod

v2.23.0 | Report a Bug | By Email