802.1AR certificate generation and the config file

802.1AR certificate generation and the config file

Robert Moskowitz
Now that I can build a generic PKI with EDDSA, the next step is to add
creation of 802.1AR iDevID certificates.  I am using the current draft,
sec 8, 802.1ARce-d2-2, but for this purpose it is essentially the same
(but more clearly written) as sec 7, 802.1AR-2009.

I start with making the following section in my openssl.cnf file:

[ 8021AR_idevid ]
# Extensions for IEEE 802.1AR iDevID certificates (`man ????`).
basicConstraints = CA:FALSE
# subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment

Note that clause 7.6 says:

"The Subject Key Identifier extension should not be included in DevID
certificates."

The clause goes on to state that Subject Key Identifier IS included in
CA certificates for certificate path building.

My challenge comes to subjectAltName and its subfield hardwareModuleName
per RFC 4108.   I guess I am not 'getting' the subjectAltName section of
'man x509v3_config'.

Any help greatly appreciated.


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: 802.1AR certificate generation and the config file

OpenSSL - User mailing list
> My challenge comes to subjectAltName and its subfield
> hardwareModuleName
> per RFC 4108.   I guess I am not 'getting' the subjectAltName section of
> 'man x509v3_config'.

Not all forms of SAN names are supported.  If you look in include/openssl/x509v3.h you see the following:
# define GEN_OTHERNAME   0
# define GEN_EMAIL       1
# define GEN_DNS         2
# define GEN_X400        3
# define GEN_DIRNAME     4
# define GEN_EDIPARTY    5
# define GEN_URI         6
# define GEN_IPADD       7
# define GEN_RID         8

In crypto/x509v3/v3_alt.c you can find details and corner-case information.


Re: 802.1AR certificate generation and the config file

Robert Moskowitz
Thanks for the response, Rich.

On 08/11/2017 11:14 AM, Salz, Rich via openssl-users wrote:

>> My challenge comes to subjectAltName and its subfield
>> hardwareModuleName
>> per RFC 4108.   I guess I am not 'getting' the subjectAltName section of
>> 'man x509v3_config'.
> Not all forms of SAN names are supported.  If you look in include/openssl/x509v3.h you see the following:
> # define GEN_OTHERNAME   0
> # define GEN_EMAIL       1
> # define GEN_DNS         2
> # define GEN_X400        3
> # define GEN_DIRNAME     4
> # define GEN_EDIPARTY    5
> # define GEN_URI         6
> # define GEN_IPADD       7
> # define GEN_RID         8
>
> In crypto/x509v3/v3_alt.c you can find details and corner-case information.
>
A couple things.  As we have discussed directly, I am not a coder;
haven't coded since working with 'B' on Honeywells in the mid-80s. So
looking at 'C' code is a bit of a struggle.  That said,

Given these supported names, what goes into the config file to create a
SAN without having to specify it on the command line?

And further it seems you are saying there is no support for HMN at all.



Re: 802.1AR certificate generation and the config file

OpenSSL - User mailing list
> Given these supported names, what goes into the config file to create a SAN
> without having to specify it on the command line?

In the certificate extensions section you do something like:
        subjectAltName = dns:www.example.com, IP:127.0.0.1
and so on.  The "pki.tgz"

> And further it seems you are saying there is no support for HMN at all.

Right.

Re: 802.1AR certificate generation and the config file

Robert Moskowitz


On 08/11/2017 11:29 AM, Salz, Rich wrote:
>> Given these supported names, what goes into the config file to create a SAN
>> without having to specify it on the command line?
> In the certificate extensions section you do something like:
> subjectAltName = dns:www.example.com, IP:127.0.0.1
> and so on.  The "pki.tgz"

OK.  I am beginning to get this.  Will set some things up and test.

>
>> And further it seems you are saying there is no support for HMN at all.
> Right.

What is the procedure to get it added?  RFC 4108 has been around for a
while, as has 802.1AR-2009.

Though I am assuming from a prior comment that even if it were added
today, it would not be available until the 1.1.1 release?

thanks

Bob


Re: 802.1AR certificate generation and the config file

OpenSSL - User mailing list
> What is the procedure to get it added?  RFC 4108 has been around for a while,
> as has 802.1AR-2009.

Simplest way is to (get someone to) write the code and make a GitHub pull request.

Next way is to post a patch.

Next way is to open an issue and hope someone gets around to it.
 
> Though I am assuming from a prior comment that even if it were added
> today, it would not be available until the 1.1.1 release?

Right.  But someone could always backport the changes to their own 1.1.0 release.

Re: 802.1AR certificate generation and the config file

Robert Moskowitz
Sigh.  Well let's see what I can get done on this by the next
IEEE802/IETF week pair.

On 08/11/2017 11:56 AM, Salz, Rich wrote:

>> What is the procedure to get it added?  RFC 4108 has been around for a while,
>> as has 802.1AR-2009.
> Simplest way is to (get someone to) write the code and make a GitHub pull request.
>
> Next way is to post a patch.
>
> Next way is to open an issue and hope someone gets around to it.
>  
>> Though I am assuming from a prior comment that even if it were added
>> today, it would not be available until the 1.1.1 release?
> Right.  But someone could always backport the changes to their own 1.1.0 release.


Re: 802.1AR certificate generation and the config file

Viktor Dukhovni
In reply to this post by OpenSSL - User mailing list
On Fri, Aug 11, 2017 at 03:29:25PM +0000, Salz, Rich via openssl-users wrote:

> In the certificate extensions section you do something like:
> subjectAltName = dns:www.example.com, IP:127.0.0.1
> and so on.  The "pki.tgz"
>
> > And further it seems you are saying there is no support for HMN at all.
>
> Right.

From the x509v3_config manpage:

    ARBITRARY EXTENSIONS
       If an extension is not supported by the OpenSSL code then it must be
       encoded using the arbitrary extension format. It is also possible to
       use the arbitrary format for supported extensions. Extreme care should
       be taken to ensure that the data is formatted correctly for the given
       extension type.

       There are two ways to encode arbitrary extensions.

       The first way is to use the word ASN1 followed by the extension content
       using the same syntax as ASN1_generate_nconf(3).  For example:

        1.2.3.4=critical,ASN1:UTF8String:Some random data

        1.2.3.4=ASN1:SEQUENCE:seq_sect

        [seq_sect]

        field1 = UTF8:field1
        field2 = UTF8:field2

       It is also possible to use the word DER to include the raw encoded data
       in any extension.

        1.2.3.4=critical,DER:01:02:03:04
        1.2.3.4=DER:01020304

       The value following DER is a hex dump of the DER encoding of the
       extension. Any extension can be placed in this form to override the
       default behaviour.  For example:

        basicConstraints=critical,DER:00:01:02:03

--
        Viktor.

Re: 802.1AR certificate generation and the config file

Robert Moskowitz
Why thank you, Viktor.  Let's see if I can get this right from RFC4108

On 08/11/2017 12:47 PM, Viktor Dukhovni wrote:

> On Fri, Aug 11, 2017 at 03:29:25PM +0000, Salz, Rich via openssl-users wrote:
>
>> In the certificate extensions section you do something like:
>> subjectAltName = dns:www.example.com, IP:127.0.0.1
>> and so on.  The "pki.tgz"
>>
>>> And further it seems you are saying there is no support for HMN at all.
>> Right.
> From the x509v3_config manpage:
>
>      ARBITRARY EXTENSIONS
>         If an extension is not supported by the OpenSSL code then it must be
>         encoded using the arbitrary extension format. It is also possible to
>         use the arbitrary format for supported extensions. Extreme care should
>         be taken to ensure that the data is formatted correctly for the given
>         extension type.
>
>         There are two ways to encode arbitrary extensions.
>
>         The first way is to use the word ASN1 followed by the extension content
>         using the same syntax as ASN1_generate_nconf(3).  For example:
>
>          1.2.3.4=critical,ASN1:UTF8String:Some random data
>
>          1.2.3.4=ASN1:SEQUENCE:seq_sect
>
>          [seq_sect]
>
>          field1 = UTF8:field1
>          field2 = UTF8:field2
>
>         It is also possible to use the word DER to include the raw encoded data
>         in any extension.
>
>          1.2.3.4=critical,DER:01:02:03:04
>          1.2.3.4=DER:01020304
>
>         The value following DER is a hex dump of the DER encoding of the
>         extension. Any extension can be placed in this form to override the
>         default behaviour.  For example:
>
>          basicConstraints=critical,DER:00:01:02:03
>
       id-on-hardwareModuleName OBJECT IDENTIFIER ::= {
         iso(1) identified-organization(3) dod(6) internet(1) security(5)
         mechanisms(5) pkix(7) on(8) 4 }


       HardwareModuleName ::= SEQUENCE {
         hwType OBJECT IDENTIFIER,
         hwSerialNum OCTET STRING }

    The fields of the HardwareModuleName type have the following
    meanings:

    hwType is an object identifier that identifies the type of hardware
       module.  A unique object identifier names a hardware model and
       revision.

    hwSerialNum is the serial number of the hardware module.  No
       particular structure is imposed on the serial number; it need not
       be an integer.  However, the combination of the hwType and
       hwSerialNum uniquely identifies the hardware module.

In my [ 8021ar_idevid ] section I would have a line:

1.3.6.1.5.5.7.8.4=ASN1:SEQUENCE:HardwareModuleName

then have:

[ HardwareModuleName ]
hwType= ??
hwSerialNum= ??

I would want the 'openssl req' command to prompt for hwType and
hwSerialNum.  At least for now.



Re: 802.1AR certificate generation and the config file

Robert Moskowitz
In reply to this post by OpenSSL - User mailing list
Frustrated...

On 08/11/2017 11:14 AM, Salz, Rich via openssl-users wrote:

>> My challenge comes to subjectAltName and its subfield
>> hardwareModuleName
>> per RFC 4108.   I guess I am not 'getting' the subjectAltName section of
>> 'man x509v3_config'.
> Not all forms of SAN names are supported.  If you look in include/openssl/x509v3.h you see the following:
> # define GEN_OTHERNAME   0
> # define GEN_EMAIL       1
> # define GEN_DNS         2
> # define GEN_X400        3
> # define GEN_DIRNAME     4
> # define GEN_EDIPARTY    5
> # define GEN_URI         6
> # define GEN_IPADD       7
> # define GEN_RID         8

I just spent over an hour googling around as well as reading openssl
docs to get a list of distinguished_name fields.  Both in their full
form and abbreviated form.  All I find are the common ones in examples.

And for the list above for SAN, how are they presented in the openssl
cli/config.  Again, just not finding it.

My search foo is weak.

pointers greatly appreciated.

Bob


Re: 802.1AR certificate generation and the config file

Dr. Stephen Henson
On Fri, Aug 11, 2017, Robert Moskowitz wrote:

> Frustrated...
>
> On 08/11/2017 11:14 AM, Salz, Rich via openssl-users wrote:
> >>My challenge comes to subjectAltName and its subfield
> >>hardwareModuleName
> >>per RFC 4108.   I guess I am not 'getting' the subjectAltName section of
> >>'man x509v3_config'.
> >Not all forms of SAN names are supported.  If you look in include/openssl/x509v3.h you see the following:
> ># define GEN_OTHERNAME   0
> ># define GEN_EMAIL       1
> ># define GEN_DNS         2
> ># define GEN_X400        3
> ># define GEN_DIRNAME     4
> ># define GEN_EDIPARTY    5
> ># define GEN_URI         6
> ># define GEN_IPADD       7
> ># define GEN_RID         8
>
> I just spent over an hour googling around as well as reading openssl
> docs to get a list of distinguished_name fields.  Both in their full
> form and abbreviated form.  All I find are the common ones in
> examples.
>
> And for the list above for SAN, how are they presented in the
> openssl cli/config.  Again, just not finding it.
>
> My search foo is weak.
>
> pointers greatly appreciated.
>

You can use the mini-ASN.1 compiler with the otherName syntax. This will
create the extension in the appropriate form but you won't get it displayed.

In outline it's like this:

----
# Use id-on-hardwareModuleName OID with otherName
subjectAltName = otherName:1.3.6.1.5.5.7.8.4;SEQ:hmodname

[hmodname]
hwType = OID:1.2.3.4 # Whatever OID you want.
hwSerialNum = FORMAT:HEX,OCT:01020304 # Some hex
----

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: 802.1AR certificate generation and the config file

Dr. Stephen Henson
In reply to this post by Robert Moskowitz
On Fri, Aug 11, 2017, Robert Moskowitz wrote:

>
> I would want the 'openssl req' command to prompt for hwType and
> hwSerialNum.  At least for now.
>

Note that you can't get the 'openssl req' command to prompt for this but you can
generate the extension in an appropriate syntax: see my other message for
details.

You could prompt externally and pass the values as environment variables to
openssl req or construct the whole config file on the fly.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
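
Both of Dr. Henson's replies above combined into one script, as an added example that is not part of the thread or of OpenSSL: it collects hwType and hwSerialNum outside `openssl req`, validates them, and writes the otherName config on the fly. The script name `idevid.sh`, the function names, the subject CN and the sample values are assumptions made for the example.

```shell
#!/bin/sh
# Added example: write an iDevID request config on the fly from values
# collected outside 'openssl req'. All values used here are constructed.

# A dotted-decimal OID and nothing else. The case test looks at the whole
# string, so an embedded newline cannot slip a second line past grep.
valid_oid() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^[0-2](\.(0|[1-9][0-9]*))+$'
}

# An even number of hex digits, as FORMAT:HEX,OCT: expects.
valid_hex() {
    case "$1" in ''|*[!0-9A-Fa-f]*) return 1 ;; esac
    [ $(( ${#1} % 2 )) -eq 0 ]
}

# Print a request config for hwType ($1) and hwSerialNum hex ($2).
make_idevid_cnf() {
    valid_oid "$1" || { echo "hwType must be a dotted OID" >&2; return 1; }
    valid_hex "$2" || { echo "hwSerialNum must be hex octets" >&2; return 1; }
    cat <<EOF
[ req ]
distinguished_name = req_distinguished_name
string_mask        = utf8only
req_extensions     = req_ext
prompt             = no

[ req_distinguished_name ]
# Assumed subject, for the example only.
CN = constructed iDevID example

[ req_ext ]
# otherName syntax is OID;value, the semicolon is the separator.
subjectAltName = otherName:1.3.6.1.5.5.7.8.4;SEQ:hmodname

[ hmodname ]
hwType      = OID:$1
hwSerialNum = FORMAT:HEX,OCT:$2
EOF
}

# Generate a throwaway key and CSR from that config and print the request.
# As noted in the thread, the text dump does not decode the otherName.
make_idevid_csr() {
    work=$(mktemp -d) || return 1
    make_idevid_cnf "$1" "$2" > "$work/idevid.cnf" || return 1
    openssl req -new -newkey rsa:2048 -nodes -config "$work/idevid.cnf" \
        -keyout "$work/idevid.key" -out "$work/idevid.csr" || return 1
    openssl req -in "$work/idevid.csr" -noout -text
    echo "files left in $work" >&2
}

# "sh idevid.sh demo" prompts for both values, as 'openssl req' cannot.
if [ "${1:-}" = "demo" ]; then
    printf 'hwType OID: '; read -r hwtype
    printf 'hwSerialNum (hex): '; read -r hwserial
    make_idevid_csr "$hwtype" "$hwserial"
fi
```

Validating before writing matters because both values are pasted into the config verbatim; anything other than an OID or hex digits is refused instead of reaching the file.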

Re: 802.1AR certificate generation and the config file

Robert Moskowitz


On 08/11/2017 02:47 PM, Dr. Stephen Henson wrote:

> On Fri, Aug 11, 2017, Robert Moskowitz wrote:
>
>> I would want the 'openssl req' command to prompt for hwType and
>> hwSerialNum.  At least for now.
>>
> Note that you can't get the 'openssl req' command to prompt for this but you can
> generate the extension in an appropriate syntax: see my other message for
> details.
>
> You could prompt externally and pass the values as environment variables to
> openssl req or construct the whole config file on the fly.

Sigh.

Making some headway.  Figured out you cannot have an alternative [ req ]
section in the config; no way to specify it.  Thus a completely separate
config_8021AR to specify a different distinguishedname set of fields.  
Got that, now to get started on SAN.  Will read your previous message.

thanks


Re: 802.1AR certificate generation and the config file

Robert Moskowitz
In reply to this post by Dr. Stephen Henson


On 08/11/2017 02:39 PM, Dr. Stephen Henson wrote:

> On Fri, Aug 11, 2017, Robert Moskowitz wrote:
>
>> Frustrated...
>>
>> On 08/11/2017 11:14 AM, Salz, Rich via openssl-users wrote:
>>>> My challenge comes to subjectAltName and its subfield
>>>> hardwareModuleName
>>>> per RFC 4108.   I guess I am not 'getting' the subjectAltName section of
>>>> 'man x509v3_config'.
>>> Not all forms of SAN names are supported.  If you look in include/openssl/x509v3.h you see the following:
>>> # define GEN_OTHERNAME   0
>>> # define GEN_EMAIL       1
>>> # define GEN_DNS         2
>>> # define GEN_X400        3
>>> # define GEN_DIRNAME     4
>>> # define GEN_EDIPARTY    5
>>> # define GEN_URI         6
>>> # define GEN_IPADD       7
>>> # define GEN_RID         8
>> I just spent over an hour googling around as well as reading openssl
>> docs to get a list of distinguished_name fields.  Both in their full
>> form and abbreviated form.  All I find are the common ones in
>> examples.
>>
>> And for the list above for SAN, how are they presented in the
>> openssl cli/config.  Again, just not finding it.
>>
>> My search foo is weak.
>>
>> pointers greatly appreciated.
>>
> You can use the mini-ASN.1 compiler with the otherName syntax. This will
> create the extension in the appropriate form but you won't get it displayed.
>
> In outline it's like this:
>
> ----
> # Use id-on-hardwareModuleName OID with otherName
> subjectAltName = otherName:1.3.6.1.5.5.7.8.4;SEQ:hmodname

Is that supposed to be a semi-colon before SEQ?  Or a typo?

>
> [hmodname]
> hwType = OID:1.2.3.4 # Whatever OID you want.
> hwSerialNum = FORMAT:HEX,OCT:01020304 # Some hex
> ----
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org


Re: 802.1AR certificate generation and the config file

Michael Ströder
In reply to this post by Robert Moskowitz
Robert Moskowitz wrote:

> On 08/11/2017 02:47 PM, Dr. Stephen Henson wrote:
>> On Fri, Aug 11, 2017, Robert Moskowitz wrote:
>>
>>> I would want the 'openssl req' command to prompt for hwType and
>>> hwSerialNum.  At least for now.
>>>
>> Note that you can't get the 'openssl req' command to prompt for this but you can
>> generate the extension in an appropriate syntax: see my other message for
>> details.
>>
>> You could prompt externally and pass the values as environment variables to
>> openssl req or construct the whole config file on the fly.
>
> Sigh.
>
> Making some headway.  Figured out you cannot have an alternative [ req ] section in the
> config; no way to specify it.  Thus a completely separate config_8021AR to specify a
> different distinguishedname set of fields.  Got that, now to get started on SAN.  Will
> read your previous message.
Maybe you should look at the following CLI options for "openssl req":

 -subj arg      set or modify request subject
[..]
 -extensions .. specify certificate extension section (override value in config file)
 -reqexts ..    specify request extension section (override value in config file)

Ciao, Michael.



Re: 802.1AR certificate generation and the config file

Robert Moskowitz
I am getting a SAN in the csr e.g.:

         Attributes:
         Requested Extensions:
             X509v3 Subject Alternative Name:
                 IP Address:192.168.2.1

this is with the following in the config:

[ req ]
# Options for the `req` tool (`man req`).
default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only
req_extensions = req_ext

....

[ req_ext ]
subjectAltName = IP:192.168.2.1

But I am not getting SAN in the cert.  Perhaps I need something for SAN
in the -extensions section?  Right now I only have:

[ 8021ar_idevid ]
# Extensions for IEEE 802.1AR iDevID certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment

????


On 08/12/2017 10:28 AM, Michael Ströder wrote:

> Robert Moskowitz wrote:
>> On 08/11/2017 02:47 PM, Dr. Stephen Henson wrote:
>>> On Fri, Aug 11, 2017, Robert Moskowitz wrote:
>>>
>>>> I would want the 'openssl req' command to prompt for hwType and
>>>> hwSerialNum.  At least for now.
>>>>
>>> Note that you can't get the 'openssl req' command to prompt for this but you can
>>> generate the extension in an appropriate syntax: see my other message for
>>> details.
>>>
>>> You could prompt externally and pass the values as environment variables to
>>> openssl req or construct the whole config file on the fly.
>> Sigh.
>>
>> Making some headway.  Figured out you cannot have an alternative [ req ] section in the
>> config; no way to specify it.  Thus a completely separate config_8021AR to specify a
>> different distinguishedname set of fields.  Got that, now to get started on SAN.  Will
>> read your previous message.
> Maybe you should look at the following CLI options for "openssl req":
>
>   -subj arg      set or modify request subject
> [..]
>   -extensions .. specify certificate extension section (override value in config file)
>   -reqexts ..    specify request extension section (override value in config file)
>
> Ciao, Michael.
>


Re: 802.1AR certificate generation and the config file

Michael Ströder
Robert Moskowitz wrote:
> I am getting a SAN in the csr e.g.:
>
>         Attributes:
>         Requested Extensions:
>             X509v3 Subject Alternative Name:
>                 IP Address:192.168.2.1
> [..]
> But I am not getting SAN in the cert.  Perhaps I need something for SAN in the
> -extensions section?  Right now I only have:

Are you using "openssl ca" for signing the cert?

If yes, you could add the line

copy_extensions = copy

to your CA config section.

http://cmrg.fifthhorseman.net/wiki/SubjectAltName

https://wiki.openssl.org/index.php/Manual:Ca%281%29#CONFIGURATION_FILE_OPTIONS

Ciao, Michael.
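
How `copy_extensions` interacts with the extension section used for signing, as an added example that is not part of the thread: `[ CA_default ]` is an assumed name for the CA section, and `[ 8021ar_idevid ]` repeats the section posted earlier in the thread.

```ini
[ CA_default ]
# copy: an extension from the request is copied only if the certificate
# does not already have that extension from the signing section below.
copy_extensions = copy

# copyall: extensions from the request replace same-named ones from the
# signing section, so a request carrying basicConstraints = CA:TRUE would win.
# copy_extensions = copyall

[ 8021ar_idevid ]
# Set by the CA, so with "copy" the request cannot change them.
basicConstraints = CA:FALSE
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
# subjectAltName is deliberately absent here: it is taken from the request.
```

Extensions that the signing section does not set are still taken from the request under `copy`, so the request needs to be reviewed before it is signed.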



Re: 802.1AR certificate generation and the config file

Robert Moskowitz


On 08/14/2017 07:16 AM, Michael Ströder wrote:

> Robert Moskowitz wrote:
>> I am getting a SAN in the csr e.g.:
>>
>>          Attributes:
>>          Requested Extensions:
>>              X509v3 Subject Alternative Name:
>>                  IP Address:192.168.2.1
>> [..]
>> But I am not getting SAN in the cert.  Perhaps I need something for SAN in the
>> -extensions section?  Right now I only have:
> Are you using "openssl ca" for signing the cert?

Yes, I am.

> If yes, you could add the line
>
> copy_extensions = copy
>
> to your CA config section.
>
> http://cmrg.fifthhorseman.net/wiki/SubjectAltName
>
> https://wiki.openssl.org/index.php/Manual:Ca%281%29#CONFIGURATION_FILE_OPTIONS
>
> Ciao, Michael.

Thanks.  That works.  Now that I can get a SAN into the certs I need to
research using othername and what a hardwaremodulename OID looks like
and make it happen.  Got to google some and ask around more.

Again thanks for helping me get this far.

Bob
