* [PATCH 1/4] key: Add cert chain validation capability to keyring
@ 2016-10-21 20:52 Mat Martineau
From: Mat Martineau @ 2016-10-21 20:52 UTC (permalink / raw)
To: ell
Verifying certificate chains was a little awkward using the
L_KEYRING_TRUSTED_ASYM keyring type, which required verifying the
signature and then separately adding the verified certificate to the
"trusted" keyring.
With L_KEYRING_TRUSTED_ASYM_CHAIN, the destination keyring is also
searched for signing keys.
One use model is to have two keyrings:
1. trust_keyring: contains long-lived root and intermediate CA certs.
2. verify_keyring: an L_KEYRING_TRUSTED_ASYM_CHAIN keyring that
is created with "trust_keyring" referenced for
trusted certificates.
In order to validate new certificates, they are added to verify_keyring
in series, starting with certs that are signed by those in
trust_keyring. Once an intermediate CA cert is added to verify_keyring,
certs signed by that intermediate CA can also be added to verify_keyring.
---
ell/key.c | 22 ++++++++++++++++------
ell/key.h | 3 ++-
2 files changed, 18 insertions(+), 7 deletions(-)
diff --git a/ell/key.c b/ell/key.c
index fc20d29..4cf2307 100644
--- a/ell/key.c
+++ b/ell/key.c
@@ -653,15 +653,25 @@ LIB_EXPORT struct l_keyring *l_keyring_new(enum l_keyring_type type,
if (!internal_keyring && !setup_internal_keyring())
return NULL;
- if (type == L_KEYRING_TRUSTED_ASYM) {
- if (!trusted)
- return NULL;
+ switch (type) {
+ case L_KEYRING_SIMPLE:
+ break;
+ case L_KEYRING_TRUSTED_ASYM:
+ case L_KEYRING_TRUSTED_ASYM_CHAIN:
+ {
+ char *option = "";
+
+ if (type == L_KEYRING_TRUSTED_ASYM_CHAIN)
+ option = ":chain";
payload = l_strdup_printf(
- "restrict=asymmetric:key_or_keyring:%d",
- trusted->serial);
+ "restrict=asymmetric:key_or_keyring:%d%s",
+ trusted ? trusted->serial : 0, option);
payload_length = strlen(payload);
- } else if (type != L_KEYRING_SIMPLE) {
+
+ break;
+ }
+ default:
/* Unsupported type */
return NULL;
}
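Review bot: the `trusted ? trusted->serial : 0` fallback silently drops the `if (!trusted) return NULL;` guard the removed lines had, so L_KEYRING_TRUSTED_ASYM with a NULL `trusted` now builds a "restrict=asymmetric:key_or_keyring:0" payload instead of failing early. If NULL is only meant to be legal for the chain variant (where the destination keyring itself can hold the signers), keep the guard for the L_KEYRING_TRUSTED_ASYM case and state in key.h which types accept a NULL trusted keyring. Minor: `char *option = ""` should be `const char *option`, since it only ever points at string literals.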
diff --git a/ell/key.h b/ell/key.h
index ff4b543..e7036c6 100644
--- a/ell/key.h
+++ b/ell/key.h
@@ -42,7 +42,8 @@ enum l_key_type {
enum l_keyring_type {
L_KEYRING_SIMPLE = 0,
- L_KEYRING_TRUSTED_ASYM
+ L_KEYRING_TRUSTED_ASYM,
+ L_KEYRING_TRUSTED_ASYM_CHAIN,
};
enum l_key_cipher_type {
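Review bot: the new enumerator is undocumented; a one-line comment above `L_KEYRING_TRUSTED_ASYM_CHAIN` saying that the destination keyring is also searched for signing keys (as the commit message explains) would save callers from reading key.c to learn how it differs from L_KEYRING_TRUSTED_ASYM.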
--
2.10.1
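A runnable model of the two-keyring use model from the commit message, added here as an example and not ell's own code: ed25519 over subject||pubkey stands in for X.509 signature checking, and the kernel restriction is assumed to look the signer up in the referenced trusted keyring first and, for the chain type only, in the destination keyring as well. `Scenario` replays the link order that patch 4/4 asserts, then shows the same intermediate and leaf against a non-chain ring.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)
// Cert is a constructed stand-in for an X.509 certificate: the issuer signs subject||pubkey.
type Cert struct { Subject, Issuer string; Pub ed25519.PublicKey; Sig []byte }
const (Simple = iota; TrustedAsym; TrustedAsymChain) // mirrors enum l_keyring_type after the patch
// Keyring models l_keyring_new(kind, trusted); trusted may be nil.
type Keyring struct { kind int; trusted *Keyring; certs map[string]*Cert }
func NewKeyring(kind int, trusted *Keyring) *Keyring { return &Keyring{kind, trusted, map[string]*Cert{}} }
func tbs(c *Cert) []byte { return append([]byte(c.Subject), c.Pub...) }
// Link models l_keyring_link: issuer looked up in the trusted ring, then (chain kind only) here; link only if the signature verifies.
func (k *Keyring) Link(c *Cert) bool {
	if k.kind != Simple {
		var issuer *Cert
		if k.trusted != nil {
			issuer = k.trusted.certs[c.Issuer]
		}
		if issuer == nil && k.kind == TrustedAsymChain {
			issuer = k.certs[c.Issuer] // only the chain type searches the destination ring
		}
		if issuer == nil || !ed25519.Verify(issuer.Pub, tbs(c), c.Sig) {
			return false
		}
	}
	k.certs[c.Subject] = c
	return true
}
// Issue signs a cert for subject/pub with the named issuer's key (self-signed when issuer == subject).
func Issue(subject, issuer string, issuerPriv ed25519.PrivateKey, pub ed25519.PublicKey) *Cert {
	c := &Cert{Subject: subject, Issuer: issuer, Pub: pub}
	c.Sig = ed25519.Sign(issuerPriv, tbs(c))
	return c
}
// Scenario replays the link order of test_trust_chain in 4/4, then tries the intermediate and
// leaf against a non-chain ring; it returns the eight l_keyring_link results in order.
func Scenario() []bool {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	intPub, intPriv, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	ca, ica := Issue("ca", "ca", caPriv, caPub), Issue("intca", "ca", caPriv, intPub)
	leaf := Issue("leaf", "intca", intPriv, leafPub)
	trust := NewKeyring(Simple, nil)
	ring, asym := NewKeyring(TrustedAsymChain, trust), NewKeyring(TrustedAsym, trust)
	return []bool{ring.Link(leaf), ring.Link(ica), trust.Link(ca), ring.Link(leaf),
		ring.Link(ica), ring.Link(leaf), asym.Link(ica), asym.Link(leaf)}
}
func main() { fmt.Println(Scenario()) } // [false false true false true true true false]
```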
* [PATCH 2/4] unit: Update certificate generation script
From: Mat Martineau @ 2016-10-21 20:52 UTC (permalink / raw)
To: ell
Add an intermediate CA and a certificate signed by the intermediate CA.
---
unit/gencerts.cnf | 5 +++++
unit/gencerts.sh | 15 ++++++++++++++-
2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/unit/gencerts.cnf b/unit/gencerts.cnf
index 46eb166..5328734 100644
--- a/unit/gencerts.cnf
+++ b/unit/gencerts.cnf
@@ -8,6 +8,11 @@ basicConstraints = CA:TRUE,pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
+[ int_ext ]
+basicConstraints = CA:TRUE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+
[ cert_ext ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
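Review bot: `[ int_ext ]` sets `basicConstraints = CA:TRUE` with no pathlen, so the intermediate may itself issue further CA certificates, which nothing in the tests needs; `CA:TRUE,pathlen:0` would match the section visible in the hunk context. Also worth checking: if that `pathlen:0` line belongs to the root CA's extensions, a root with path length 0 is not permitted to have an intermediate beneath it, and an `openssl verify` of the three-certificate chain would fail on the path length constraint.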
diff --git a/unit/gencerts.sh b/unit/gencerts.sh
index be186f1..790c715 100755
--- a/unit/gencerts.sh
+++ b/unit/gencerts.sh
@@ -18,4 +18,17 @@ openssl req -new -extensions cert_ext -config ./gencerts.cnf -subj '/O=Bar Examp
openssl x509 -req -extensions cert_ext -extfile ./gencerts.cnf -in cert-client.csr -CA cert-ca.pem -CAkey cert-ca-key.pem -CAcreateserial -sha256 -days 10000 -out cert-client.pem
openssl verify -CAfile cert-ca.pem cert-client.pem
-rm cert-ca.srl cert-client.csr cert-server.csr
+echo -e "\n*** Intermediate Certificate ***"
+openssl genrsa -out cert-intca-key.pem
+openssl req -new -extensions int_ext -config ./gencerts.cnf -subj '/O=International Union of Example Organizations/CN=Certificate issuer guy/emailAddress=ca(a)mail.example' -key cert-intca-key.pem -out cert-intca.csr
+openssl x509 -req -extensions int_ext -extfile ./gencerts.cnf -in cert-intca.csr -CA cert-ca.pem -CAkey cert-ca-key.pem -CAcreateserial -sha256 -days 10000 -out cert-intca.pem
+openssl verify -CAfile cert-ca.pem cert-intca.pem
+cat cert-intca.pem cert-ca.pem > cert-chain.pem
+
+echo -e "\n*** Intermediate-Signed Certificate ***"
+openssl genrsa -out cert-entity-int-key.pem
+openssl req -new -extensions cert_ext -config ./gencerts.cnf -subj '/O=Baz Example Organization/CN=Baz Example Organization/emailAddress=baz(a)mail.example' -key cert-entity-int-key.pem -out cert-entity-int.csr
+openssl x509 -req -extensions cert_ext -extfile ./gencerts.cnf -in cert-entity-int.csr -CA cert-intca.pem -CAkey cert-intca-key.pem -CAcreateserial -sha256 -days 10000 -out cert-entity-int.pem
+openssl verify -CAfile cert-chain.pem cert-entity-int.pem
+
+rm cert-ca.srl cert-client.csr cert-server.csr cert-intca.srl cert-intca.csr cert-entity-int.csr cert-entity-int-key.pem cert-intca-key.pem cert-chain.pem
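Review bot: `openssl verify -CAfile cert-chain.pem cert-entity-int.pem` puts the intermediate into the trusted set; `openssl verify -untrusted cert-intca.pem -CAfile cert-ca.pem cert-entity-int.pem` expresses the intended model (only the root is trusted, the intermediate is supplied for chain building) and removes the need for the temporary cert-chain.pem. Two smaller points: `echo -e` is not portable sh, and `openssl genrsa -out ...` with no key size relies on the OpenSSL default, so pass an explicit size such as 2048.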
--
2.10.1
* [PATCH 3/4] unit: New certificates for intermediate CA testing
From: Mat Martineau @ 2016-10-21 20:52 UTC (permalink / raw)
To: ell
---
unit/cert-entity-int.pem | 25 +++++++++++++++++++++++++
unit/cert-intca.pem | 26 ++++++++++++++++++++++++++
2 files changed, 51 insertions(+)
create mode 100644 unit/cert-entity-int.pem
create mode 100644 unit/cert-intca.pem
diff --git a/unit/cert-entity-int.pem b/unit/cert-entity-int.pem
new file mode 100644
index 0000000..20384ad
--- /dev/null
+++ b/unit/cert-entity-int.pem
@@ -0,0 +1,25 @@
diff --git a/unit/cert-intca.pem b/unit/cert-intca.pem
new file mode 100644
index 0000000..7bd4d72
--- /dev/null
+++ b/unit/cert-intca.pem
@@ -0,0 +1,26 @@
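Review bot: the commit message is empty; it should state that both PEM files are the output of the updated unit/gencerts.sh from 2/4 (so they can be regenerated) and that the matching private keys are deliberately not added, since the script's `rm` deletes them.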
--
2.10.1
* [PATCH 4/4] unit: Add L_KEYRING_TRUSTED_ASYM_CHAIN test
From: Mat Martineau @ 2016-10-21 20:52 UTC (permalink / raw)
To: ell
---
unit/test-key.c | 58 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 58 insertions(+)
diff --git a/unit/test-key.c b/unit/test-key.c
index 80a1916..1195da4 100644
--- a/unit/test-key.c
+++ b/unit/test-key.c
@@ -408,6 +408,63 @@ static void test_trusted_keyring(const void *data)
l_free(cert);
}
+static void test_trust_chain(const void *data)
+{
+ struct l_keyring *ring;
+ struct l_keyring *trust;
+ uint8_t *cacert;
+ size_t cacertlen;
+ uint8_t *intcert;
+ size_t intcertlen;
+ uint8_t *cert;
+ size_t certlen;
+ struct l_key *cakey;
+ struct l_key *intkey;
+ struct l_key *key;
+ bool success;
+
+ cacert = l_pem_load_certificate(TESTDATADIR "/cert-ca.pem", &cacertlen);
+ assert(cacert);
+ intcert = l_pem_load_certificate(TESTDATADIR "/cert-intca.pem",
+ &intcertlen);
+ assert(intcert);
+ cert = l_pem_load_certificate(TESTDATADIR "/cert-entity-int.pem",
+ &certlen);
+ assert(cert);
+
+ cakey = l_key_new(L_KEY_RSA, cacert, cacertlen);
+ assert(cakey);
+ intkey = l_key_new(L_KEY_RSA, intcert, intcertlen);
+ assert(intkey);
+ key = l_key_new(L_KEY_RSA, cert, certlen);
+ assert(key);
+
+ trust = l_keyring_new(L_KEYRING_SIMPLE, NULL);
+ assert(trust);
+ ring = l_keyring_new(L_KEYRING_TRUSTED_ASYM_CHAIN, trust);
+ assert(ring);
+
+ success = l_keyring_link(ring, key);
+ assert(!success);
+ success = l_keyring_link(ring, intkey);
+ assert(!success);
+ success = l_keyring_link(trust, cakey);
+ assert(success);
+ success = l_keyring_link(ring, key);
+ assert(!success);
+ success = l_keyring_link(ring, intkey);
+ assert(success);
+ success = l_keyring_link(ring, key);
+ assert(success);
+
+ l_keyring_free(trust);
+ l_keyring_free(ring);
+ l_key_free(cakey);
+ l_key_free(key);
+ l_free(cacert);
+ l_free(cert);
+}
+
/* Reference ciphertext:
* $ openssl rsautl -in reference_plaintext -inkey cert-client.pem -encrypt \
* > -pkcs -out reference_ciphertext
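Review bot: `intkey` and `intcert` are never released at the end of `test_trust_chain`: the cleanup frees `cakey`/`key` and `cacert`/`cert` but lacks the matching `l_key_free(intkey);` and `l_free(intcert);`, so the intermediate key leaks on every run. The sequence of link attempts otherwise exercises exactly the use model from the 1/4 commit message: leaf and intermediate are refused until the CA reaches the trust keyring, and the leaf is accepted only once the intermediate is in the chain keyring.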
@@ -600,6 +657,7 @@ int main(int argc, char *argv[])
l_test_add("simple keyring", test_simple_keyring, NULL);
l_test_add("trusted keyring", test_trusted_keyring, NULL);
+ l_test_add("trust chain", test_trust_chain, NULL);
l_test_add("key crypto", test_key_crypto, NULL);
--
2.10.1
* Re: [PATCH 1/4] key: Add cert chain validation capability to keyring
From: Denis Kenzior @ 2016-10-24 16:01 UTC (permalink / raw)
To: ell
Hi Mat,
On 10/21/2016 03:52 PM, Mat Martineau wrote:
> Verifying certificate chains was a little awkward using the
> L_KEYRING_TRUSTED_ASYM keyring type, which required verifying the
> signature and then separately adding the verified certificate to the
> "trusted" keyring.
>
> With L_KEYRING_TRUSTED_ASYM_CHAIN, the destination keyring is also
> searched for signing keys.
>
> One use model is to have two keyrings:
>
> 1. trust_keyring: contains long-lived root and intermediate CA certs.
> 2. verify_keyring: an L_KEYRING_TRUSTED_ASYM_CHAIN keyring that
> is created with "trust_keyring" referenced for
> trusted certificates.
>
> In order to validate new certificates, they are added to verify_keyring
> in series, starting with certs that are signed by those in
> trust_keyring. Once an intermediate CA cert is added to verify_keyring,
> certs signed by that intermediate CA can also be added to verify_keyring.
> ---
> ell/key.c | 22 ++++++++++++++++------
> ell/key.h | 3 ++-
> 2 files changed, 18 insertions(+), 7 deletions(-)
>
All four applied, thanks.
Regards,
-Denis