IETF Logo Mail Archive

Re: [lamps] EST CSRATTRS specifying the SAN

Russ Housley <housley@vigilsec.com> Mon, 05 July 2021 19:42 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 470F83A12C6 for <spasm@ietfa.amsl.com>; Mon, 5 Jul 2021 12:42:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FnjZQZrY-5T4 for <spasm@ietfa.amsl.com>; Mon, 5 Jul 2021 12:41:56 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 378CC3A12C1 for <spasm@ietf.org>; Mon, 5 Jul 2021 12:41:56 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id CF7C4300BFC for <spasm@ietf.org>; Mon, 5 Jul 2021 15:41:54 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id g7kwyuUaCclf for <spasm@ietf.org>; Mon, 5 Jul 2021 15:41:41 -0400 (EDT)
Received: from a860b60074bd.fios-router.home (pool-141-156-161-153.washdc.fios.verizon.net [141.156.161.153]) by mail.smeinc.net (Postfix) with ESMTPSA id AE3C3300232; Mon, 5 Jul 2021 15:41:40 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <401152E2-9743-48FB-A3E1-3DE6873AE0A3@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_5F469AEB-5A36-4A64-9F19-788EE90056DE"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
Date: Mon, 05 Jul 2021 15:41:40 -0400
In-Reply-To: <6e29b64d-0bc0-d129-beff-4072a482cfbd@von-Oheimb.de>
Cc: Sean Turner <sean@sn3rd.com>, Michael Richardson <mcr+ietf@sandelman.ca>, Eliot Lear <lear@lear.ch>, SPASM <spasm@ietf.org>, Max Pritikin <pritikin@cisco.com>, anima@ietf.org
To: David von Oheimb <nl0@von-Oheimb.de>
References: <83844291-5785-434E-8956-3FF81ECD761C@cisco.com> <9820.1618358856@localhost> <MW3PR11MB47462121627A10A62E006497DB369@MW3PR11MB4746.namprd11.prod.outlook.com> <26435.1623269725@localhost> <25C432F7-EDEE-4FEA-B871-5D7F9311BBF7@sn3rd.com> <6e29b64d-0bc0-d129-beff-4072a482cfbd@von-Oheimb.de>
X-Mailer: Apple Mail (2.3445.104.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/xFqRUWNjTVl5OVIaa9RODn3OnHE>
Subject: Re: [lamps] EST CSRATTRS specifying the SAN
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Jul 2021 19:42:01 -0000

David:

This proposed "isomorphic" definition:

  CsrAttrs ::= SEQUENCE {
        oids          SET OF OBEJECT IDENTIFIER
        attributes    SET OF Attribute{{ IOSet }}
    }

Does NOT produce the same bits on the wire as the structure defined in RF 7030.

Further, the use of SEQUENCE in RFC 7030 was to avoid the need for the sort that is imposed when DER encoding SET.

Russ


> On Jul 5, 2021, at 2:26 PM, David von Oheimb <nl0@von-Oheimb.de> wrote:
> 
> The ASN.1 declaration of the Attribute type, which is the core of CsrAttrs type given in RFC 7030 section 4.5.2:
> 
>   CsrAttrs ::= SEQUENCE SIZE (0..MAX) OF AttrOrOID
> 
>   AttrOrOID ::= CHOICE (oid OBJECT IDENTIFIER, attribute Attribute }
> 
>   Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE {
>         type   ATTRIBUTE.&id({IOSet}),
>         values SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type}) }
> has been copied over from PKCS#10: https://datatracker.ietf.org/doc/html/rfc2986#section-4 <https://datatracker.ietf.org/doc/html/rfc2986#section-4>.
> Since it is pretty incomprehensible for ASN.1 non-experts (including myself), the reader has to rely in the interpretation following it in prose and on the example given, but unfortunately both of them are not very clear. In particular, the meaning of the values field or of a "value" in the given text remains ambiguous or even misleading. In the given example,
> 
>          Attribute:  type = extensionRequest (1.2.840.113549.1.9.14)
>                      value = macAddress (1.3.6.1.1.1.1.22)
> the "value" is not a MAC address but the OID of MAC addresses. This corresponds to what is explained as follows:
>    Requests for descriptive information from the client are made by an attribute, to be
>    represented as Attributes of the CSR, with a type indicating the
>    [RFC2985 <https://datatracker.ietf.org/doc/html/rfc2985>] extensionRequest and the values indicating the particular
>    attributes desired to be included in the resulting certificate's extensions.
> AFAICS, the key to understanding how to encode a concrete value (such as a MAC address, a SAN value, etc.) is to appreciate the following sentence, which provides the key idea for reusing the  Attribute type:
>   The structure of the CSR Attributes Response SHOULD, to the greatest
>    extent possible, reflect the structure of the CSR it is requesting.
> So in essence, the CSR attribute response is to be formed like the attributes part of a template PCKS#10 CertificationRequestInfo structure and simply can be given exactly as in a PKCS#10 CSR structure including any (actual) values, yet with two generalizations:
> Actual values may be left out, and this way are requested to be filled in by the client/EE.
> Additional OIDs may be given for requesting the use of the challengePassword and for specifying algorithms (such as the expected type of the public key).
> Note that under the (fair) assumption that the order of the AttrOrOID entries in the CsrAttrs sequence does not play a role, and glossing over some Attribute subtype peculiarities, the CsrAttrs type is isomorphic to 
> 
>   CsrAttrs ::= SEQUENCE {
>         oids          SET OF OBEJECT IDENTIFIER
>         attributes    SET OF Attribute{{ IOSet }}
>     }
>   Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE {
>         type   ATTRIBUTE.&id({IOSet}),
>         values SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type})
>   }
> from which the similarity with a classical PKCS#10 structure:
>    CertificationRequestInfo ::= SEQUENCE {
>         version       INTEGER { v1(0) } (v1,...),
>         subject       Name,
>         subjectPKInfo SubjectPublicKeyInfo{{ PKInfoAlgorithms }},
>         attributes    [0] Attributes{{ CRIAttributes }}
>    }
> 
>    CRIAttributes  ATTRIBUTE  ::= {
>         ... -- add any locally defined attributes here -- }
> 
>    Attributes { ATTRIBUTE:IOSet } ::= SET OF Attribute{{ IOSet }}
> 
>    Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE {
>          type   ATTRIBUTE.&id({IOSet}),
>          values SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type})
>    }
> would have been more apparent.
> 
> Further, RFC 7030 section 4.5.2 does not cover the fact that names and name components in a CSR may be part of not only various X.509 extensions such as SAN (which are to be encoded via the extra indirection of the extensionRequest OID) but also of the subject field/attribute of type (Distinguished)Name.
> 
> At least a more comprehensive example would have been very helpful to clarify the details of the intended encoding, and likewise any serious reference/example implementation, for instance in Cisco's libEST, which has remained extremely sketchy regarding the csrattrs topic.
>     David
> 
> 
> 
> On 21.06.21 19:29, Sean Turner wrote:
>> Sorry for just getting to this now. I haven’t read upstream so if this gets answer there oops.
>> 
>>> On Jun 9, 2021, at 16:15, Michael Richardson <mcr+ietf@sandelman.ca> <mailto:mcr+ietf@sandelman.ca> wrote:
>>> 
>>> Signed PGP part
>>> 
>>> Eliot has suggested that:
>>>      https://datatracker.ietf.org/doc/html/rfc7030#section-4.5.2 <https://datatracker.ietf.org/doc/html/rfc7030#section-4.5.2>
>>> does not appear to allow the returned CSR Attributes to contain a value.
>>> Please correct me if I'm understanding the problem wrong.
>> Oh yeah it does! The whole point of CSRattrs is to allow the client to say “hey RA/CA what do you want my CSR to look like”. The response could just be an OID or it can be an actual attribute with some values:
>> 
>>   Requests for descriptive information from the client are made
>>   by an attribute, to be represented as Attributes of the CSR, with
>>   a type indicating the [RFC2985] extensionRequest and the
>>   values indicating the particular attributes desired to be included
>>   in the resulting certificate’s extensions. 
>> 
>> Note the word “values” above.
>> 
>> I also figured that there might be brain dead EEs out there so instead of returning a string of attributes the EST server could just return the entire CSR - see Appendix B of RFC 8295. That way the EE would only need sign the request (for PoP).
>> 
>>> RFC8994 assignment of IPv6 ULA can not, as far as I can understand, work
>>> without assigning a value.  The Registrar must allocate a prefix for the new
>>> ACP node, and this has to go into the CSR in order for the CA to sign it.
>>> 
>>> (Yes, the Registrar has to *check* that the CSR contains the right value along
>>> the way too.  Yes, if the Registrar is ALSO the CA, then it can shortcut, but
>>> that's not in general true)
>>> 
>>> My unit testing code is at:
>>>  https://github.com/AnimaGUS-minerva/fountain/blob/master/spec/models/csr_attributes_spec.rb <https://github.com/AnimaGUS-minerva/fountain/blob/master/spec/models/csr_attributes_spec.rb>
>>> 
>>> 
>>> I found the ASN.1 code in section 4.5.2 beyond my understanding, so I muddled
>>> through, since fortunately, there was an example.
>>> 
>>>   CsrAttrs ::= SEQUENCE SIZE (0..MAX) OF AttrOrOID
>>>   AttrOrOID ::= CHOICE (oid OBJECT IDENTIFIER, attribute Attribute }
>>>   Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE {
>>>        type   ATTRIBUTE.&id({IOSet}),
>>>        values SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type}) }
>>> 
>>> What I think that this says is that one can have:
>>>  a) a Sequence of stuff.
>> a sequence of stuff that might be empty
>> 
>>>  b) the stuff is either an OID.
>>>  c) or the stuff is a SEQUENCE [ type, value ].
>>> The complicated &id... is just saying that when you have some attribute type
>>> "FOO", then you can have the things that would be valid as values.  I'm
>>> actually rather amazed at this level of meta-programming. (Can CDDL do that?)
>> So this is the parameterized ASN.1 syntax. What you could so is define an IOSet of attributes. These attributes value values. But, yeah if it’s an attribute it’s an OID and the associated syntax. e.g.,
>> 
>> pKCS7PDU ATTRIBUTE ::= {
>>        WITH SYNTAX ContentInfo
>>        ID pkcs-9-at-pkcs7PDU
>>        }
>> 
>>    pkcs-9-at-pkcs7PDU OBJECT IDENTIFIER ::= {
>>        iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
>>        pkcs-9-at(25) 5
>>        }
>> 
>> The OID would be 1.2.840.113549.1.9.25.5
>> 
>> and the values (really only one) is:
>> 
>> PKIData ::= SEQUENCE {
>>        reqSequence        SEQUENCE SIZE(0..MAX) OF TaggedRequest
>>        }
>> 
>>> An example is provided:
>>>   MEEGCSqGSIb3DQEJBzASBgcqhkjOPQIBMQcGBSuBBAAiMBYGCSqGSIb3DQEJDjEJ
>>>   BgcrBgEBAQEWBggqhkjOPQQDAw==
>>> 
>>> %echo 'MEEGCSqGSIb3DQEJBzASBgcqhkjOPQIBMQcGBSuBBAAiMBYGCSqGSIb3DQEJDjEJBgcrBgEBAQEWBggqhkjOPQQDAw==' | base64 -d | dumpasn1 -
>>>  0  65: SEQUENCE {
>>>  2   9:   OBJECT IDENTIFIER challengePassword (1 2 840 113549 1 9 7)
>>> 13  18:   SEQUENCE {
>>> 15   7:     OBJECT IDENTIFIER ecPublicKey (1 2 840 10045 2 1)
>>> 24   7:     SET {
>>> 26   5:       OBJECT IDENTIFIER secp384r1 (1 3 132 0 34)
>>>       :       }
>>>       :     }
>>> 33  22:   SEQUENCE {
>>> 35   9:     OBJECT IDENTIFIER extensionRequest (1 2 840 113549 1 9 14)
>>> 46   9:     SET {
>>> 48   7:       OBJECT IDENTIFIER '1 3 6 1 1 1 1 22'
>>>       :       }
>>>       :     }
>>> 57   8:   OBJECT IDENTIFIER ecdsaWithSHA384 (1 2 840 10045 4 3 3)
>>>       :   }
>>> 
>>> 
>>> At 2, we have the OID "challengePassword", which tells the client that this
>>> attribute should be included (that's [b]).
>>> At 13-26, we have an attributed, ecPublicKey, with a *value* secp384r1.
>>> This tells the client what kind of things to sign with.  (that's [c])
>>> At 33, we have extensionRequest with oid value 1.3.6.1.1.1.1.22. (also [c])
>>> Finally, at 57, we have just the attribute ecdsaWithSHA384, which is telling
>>> the client to use SHA2-384.
>>> 
>>> In order to get this all right, I used the example above, made sure I could
>>> decode it, and then made sure that I could encode exactly that.
>> Yep!
>> 
>>> I have an example building the subjectAltName rfc822Name (yes, my code hasn't
>>> caught up to otherName as specified in RFC8994 yet) which is:
>>> 
>>> obiwan-[projects/pandora/fountain](2.6.6) mcr 10263 %dumpasn1 tmp/hellobulb0.der
>>>  0  32: SEQUENCE {
>>>  2  30:   SEQUENCE {
>>>  4   3:     OBJECT IDENTIFIER subjectAltName (2 5 29 17)
>>>  9  23:     SET {
>>> 11  21:       SEQUENCE {
>>> 13  19:         [1] {
>>> 15  17:           UTF8String 'hello@example.com <mailto:hello@example.com>'
>>>       :           }
>>>       :         }
>>>       :       }
>>>       :     }
>>>       :   }
>>> 
>>> I don't know what the [1] is actually, but possibly that's the rfc822Name.
>>> Yup, it is:
>>>  #        rfc822Name                      [1]     IA5String,   <-- this one
>> The one is the tag.
>> 
>>> So, I think that I'm entirely within spec for CSR Attributes, and I'd like to
>>> understand more from Owen and Eliot as to what problems they are having with
>>> CSR Attributes.
>>> 
>>> Eliot has suggested we do it all in JSON (CBOR?), and I would certainly be
>>> happy with that.
>>> 
>>> --
>>> Michael Richardson <mcr+IETF@sandelman.ca> <mailto:mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>>>           Sandelman Software Works Inc, Ottawa and Worldwide
>>> 
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm

v2.23.0 | Report a Bug | By Email