[PATCH 1/4] key: Add cert chain validation capability to keyring

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH 1/4] key: Add cert chain validation capability to keyring
@ 2016-10-21 20:52 Mat Martineau
  2016-10-21 20:52 ` [PATCH 2/4] unit: Update certificate generation script Mat Martineau
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Mat Martineau @ 2016-10-21 20:52 UTC (permalink / raw)
  To: ell

[-- Attachment #1: Type: text/plain, Size: 2252 bytes --]

Verifying certificate chains was a little awkward using the
L_KEYRING_TRUSTED_ASYM keyring type, which required verifying the
signature and then separately adding the verified certificate to the
"trusted" keyring.

With L_KEYRING_TRUSTED_ASYM_CHAIN, the destination keyring is also
searched for signing keys.

One use model is to have two keyrings:

 1. trust_keyring: contains long-lived root and intermediate CA certs.
 2. verify_keyring: an L_KEYRING_TRUSTED_ASYM_CHAIN keyring that
                    is created with "trust_keyring" referenced for
		    trusted certificates.

In order to validate new certificates, they are added to verify_keyring
in series, starting with certs that are signed by those in
trust_keyring. Once an intermediate CA cert is added to verify_keyring,
certs signed by that intermediate CA can also be added to verify_keyring.
---
 ell/key.c | 22 ++++++++++++++++------
 ell/key.h |  3 ++-
 2 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/ell/key.c b/ell/key.c
index fc20d29..4cf2307 100644
--- a/ell/key.c
+++ b/ell/key.c
@@ -653,15 +653,25 @@ LIB_EXPORT struct l_keyring *l_keyring_new(enum l_keyring_type type,
 	if (!internal_keyring && !setup_internal_keyring())
 		return NULL;
 
-	if (type == L_KEYRING_TRUSTED_ASYM) {
-		if (!trusted)
-			return NULL;
+	switch (type) {
+	case L_KEYRING_SIMPLE:
+		break;
+	case L_KEYRING_TRUSTED_ASYM:
+	case L_KEYRING_TRUSTED_ASYM_CHAIN:
+	{
+		char *option = "";
+
+		if (type == L_KEYRING_TRUSTED_ASYM_CHAIN)
+			option = ":chain";
 
 		payload = l_strdup_printf(
-			"restrict=asymmetric:key_or_keyring:%d",
-			trusted->serial);
+			"restrict=asymmetric:key_or_keyring:%d%s",
+			trusted ? trusted->serial : 0, option);
 		payload_length = strlen(payload);
-	} else if (type != L_KEYRING_SIMPLE) {
+
+		break;
+	}
+	default:
 		/* Unsupported type */
 		return NULL;
 	}
diff --git a/ell/key.h b/ell/key.h
index ff4b543..e7036c6 100644
--- a/ell/key.h
+++ b/ell/key.h
@@ -42,7 +42,8 @@ enum l_key_type {
 
 enum l_keyring_type {
 	L_KEYRING_SIMPLE = 0,
-	L_KEYRING_TRUSTED_ASYM
+	L_KEYRING_TRUSTED_ASYM,
+	L_KEYRING_TRUSTED_ASYM_CHAIN,
 };
 
 enum l_key_cipher_type {
-- 
2.10.1


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* [PATCH 2/4] unit: Update certificate generation script
  2016-10-21 20:52 [PATCH 1/4] key: Add cert chain validation capability to keyring Mat Martineau
@ 2016-10-21 20:52 ` Mat Martineau
  2016-10-21 20:52 ` [PATCH 3/4] unit: New certificates for intermediate CA testing Mat Martineau
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: Mat Martineau @ 2016-10-21 20:52 UTC (permalink / raw)
  To: ell

[-- Attachment #1: Type: text/plain, Size: 2532 bytes --]

Add an intermediate CA and a certificate signed by the intermediate CA.
---
 unit/gencerts.cnf |  5 +++++
 unit/gencerts.sh  | 15 ++++++++++++++-
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/unit/gencerts.cnf b/unit/gencerts.cnf
index 46eb166..5328734 100644
--- a/unit/gencerts.cnf
+++ b/unit/gencerts.cnf
@@ -8,6 +8,11 @@ basicConstraints = CA:TRUE,pathlen:0
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer:always
 
+[ int_ext ]
+basicConstraints = CA:TRUE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+
 [ cert_ext ]
 basicConstraints = CA:FALSE
 subjectKeyIdentifier = hash
diff --git a/unit/gencerts.sh b/unit/gencerts.sh
index be186f1..790c715 100755
--- a/unit/gencerts.sh
+++ b/unit/gencerts.sh
@@ -18,4 +18,17 @@ openssl req -new -extensions cert_ext -config ./gencerts.cnf -subj '/O=Bar Examp
 openssl x509 -req -extensions cert_ext -extfile ./gencerts.cnf -in cert-client.csr -CA cert-ca.pem -CAkey cert-ca-key.pem -CAcreateserial -sha256 -days 10000 -out cert-client.pem
 openssl verify -CAfile cert-ca.pem cert-client.pem
 
-rm cert-ca.srl cert-client.csr cert-server.csr
+echo -e "\n*** Intermediate Certificate ***"
+openssl genrsa -out cert-intca-key.pem
+openssl req -new -extensions int_ext -config ./gencerts.cnf -subj '/O=International Union of Example Organizations/CN=Certificate issuer guy/emailAddress=ca(a)mail.example' -key cert-intca-key.pem -out cert-intca.csr
+openssl x509 -req -extensions int_ext -extfile ./gencerts.cnf -in cert-intca.csr -CA cert-ca.pem -CAkey cert-ca-key.pem -CAcreateserial -sha256 -days 10000 -out cert-intca.pem
+openssl verify -CAfile cert-ca.pem cert-intca.pem
+cat cert-intca.pem cert-ca.pem > cert-chain.pem
+
+echo -e "\n*** Intermediate-Signed Certificate ***"
+openssl genrsa -out cert-entity-int-key.pem
+openssl req -new -extensions cert_ext -config ./gencerts.cnf -subj '/O=Baz Example Organization/CN=Baz Example Organization/emailAddress=baz(a)mail.example' -key cert-entity-int-key.pem -out cert-entity-int.csr
+openssl x509 -req -extensions cert_ext -extfile ./gencerts.cnf -in cert-entity-int.csr -CA cert-intca.pem -CAkey cert-intca-key.pem -CAcreateserial -sha256 -days 10000 -out cert-entity-int.pem
+openssl verify -CAfile cert-chain.pem cert-entity-int.pem
+
+rm cert-ca.srl cert-client.csr cert-server.csr cert-intca.srl cert-intca.csr cert-entity-int.csr cert-entity-int-key.pem cert-intca-key.pem cert-chain.pem
-- 
2.10.1


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* [PATCH 3/4] unit: New certificates for intermediate CA testing
  2016-10-21 20:52 [PATCH 1/4] key: Add cert chain validation capability to keyring Mat Martineau
  2016-10-21 20:52 ` [PATCH 2/4] unit: Update certificate generation script Mat Martineau
@ 2016-10-21 20:52 ` Mat Martineau
  2016-10-21 20:52 ` [PATCH 4/4] unit: Add L_KEYRING_TRUSTED_ASYM_CHAIN test Mat Martineau
  2016-10-24 16:01 ` [PATCH 1/4] key: Add cert chain validation capability to keyring Denis Kenzior
  3 siblings, 0 replies; 5+ messages in thread
From: Mat Martineau @ 2016-10-21 20:52 UTC (permalink / raw)
  To: ell

[-- Attachment #1: Type: text/plain, Size: 3790 bytes --]

---
 unit/cert-entity-int.pem | 25 +++++++++++++++++++++++++
 unit/cert-intca.pem      | 26 ++++++++++++++++++++++++++
 2 files changed, 51 insertions(+)
 create mode 100644 unit/cert-entity-int.pem
 create mode 100644 unit/cert-intca.pem

diff --git a/unit/cert-entity-int.pem b/unit/cert-entity-int.pem
new file mode 100644
index 0000000..20384ad
--- /dev/null
+++ b/unit/cert-entity-int.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEPTCCAyWgAwIBAgIJAI7NK3vBJ/f2MA0GCSqGSIb3DQEBCwUAMHgxNTAzBgNV
+BAoMLEludGVybmF0aW9uYWwgVW5pb24gb2YgRXhhbXBsZSBPcmdhbml6YXRpb25z
+MR8wHQYDVQQDDBZDZXJ0aWZpY2F0ZSBpc3N1ZXIgZ3V5MR4wHAYJKoZIhvcNAQkB
+Fg9jYUBtYWlsLmV4YW1wbGUwHhcNMTYxMDIxMjAxMTMyWhcNNDQwMzA4MjAxMTMy
+WjBnMSEwHwYDVQQKDBhCYXogRXhhbXBsZSBPcmdhbml6YXRpb24xITAfBgNVBAMM
+GEJheiBFeGFtcGxlIE9yZ2FuaXphdGlvbjEfMB0GCSqGSIb3DQEJARYQYmF6QG1h
+aWwuZXhhbXBsZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL2bi0cR
+ppjr5lSqdu0aUFvCvl1JqDh2+lUGpvrDqqJ67bVNbx9L6wts8VPYdpyTe/kG+PPf
+Mjys4M8UzTzJWYqpZuXzcYdzllZpjHEC+ujv3qHKwrVEdi8r2xa9TLrakLHiI5v/
+QvbUhQUAFU3m3IWV9bCc6uais3RHMCvOfGpPrYxj5Q+iA830I6TEHklIz7SqrHfA
+i45izx8YSZg744EmS29FGMAgOFeXyi1n+wvjrKv4E7miyYxPDNtaGtuurvE4dHqV
+oq4n9JNKo6tkV0CEVpaxPXBj9CM4bJgort4GktCWuY9/Fzz4waZOKmL4hwoLA8Oh
+IG4fCTbofusIQgkCAwEAAaOB2jCB1zAJBgNVHRMEAjAAMB0GA1UdDgQWBBS8N7xQ
+LmUgt+W2cyJ8nLDwXS6hoDCBqgYDVR0jBIGiMIGfgBSC3aq471/QsqUr3Rys9bLD
+4TC4xaF8pHoweDE1MDMGA1UECgwsSW50ZXJuYXRpb25hbCBVbmlvbiBvZiBFeGFt
+cGxlIE9yZ2FuaXphdGlvbnMxHzAdBgNVBAMMFkNlcnRpZmljYXRlIGlzc3VlciBn
+dXkxHjAcBgkqhkiG9w0BCQEWD2NhQG1haWwuZXhhbXBsZYIJAIJ0sZ9yZ5EBMA0G
+CSqGSIb3DQEBCwUAA4IBAQAoBhPIAoX2UpT0Y9xoFI2Pv0jIZYhECzCtlrsrsaAn
+xqo7sWp00HwlDGVc2QbRowSaGHDmsVKvwvV1EskbvX7SjfSV2zSBn41iOkNYdjwu
+8q5Kbqx/wq/fYB6DXniSMy0/d8522A9sxO8acZLg0dyUUvIVZGB/6ymCHnyqUe+8
+sZytSzLKEjxK6y08SmhThKYtgWFnNiQHCuJw6rsPu+zzJbOoZ4zQdmNjWwvtD8Nj
+WnKTwcYS1+gz2UhW/bhzqxAldkjN20HACb3WzUq7pjri7ddAYL5MCKffklUVC5ic
+/eYl7Ti8l2RvSYymB0Yg7YAEmz43W7kmAn5Vml8SYotJ
+-----END CERTIFICATE-----
diff --git a/unit/cert-intca.pem b/unit/cert-intca.pem
new file mode 100644
index 0000000..7bd4d72
--- /dev/null
+++ b/unit/cert-intca.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEUTCCAzmgAwIBAgIJAIJ0sZ9yZ5EBMA0GCSqGSIb3DQEBCwUAMHgxNTAzBgNV
+BAoMLEludGVybmF0aW9uYWwgVW5pb24gb2YgRXhhbXBsZSBPcmdhbml6YXRpb25z
+MR8wHQYDVQQDDBZDZXJ0aWZpY2F0ZSBpc3N1ZXIgZ3V5MR4wHAYJKoZIhvcNAQkB
+Fg9jYUBtYWlsLmV4YW1wbGUwHhcNMTYxMDIxMjAxMTMyWhcNNDQwMzA4MjAxMTMy
+WjB4MTUwMwYDVQQKDCxJbnRlcm5hdGlvbmFsIFVuaW9uIG9mIEV4YW1wbGUgT3Jn
+YW5pemF0aW9uczEfMB0GA1UEAwwWQ2VydGlmaWNhdGUgaXNzdWVyIGd1eTEeMBwG
+CSqGSIb3DQEJARYPY2FAbWFpbC5leGFtcGxlMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAuUa9iIt7rgZSg3gjYLvH8+CyWV/ULDdjtgwEGfB2vHckL1fV
+gY7NBfXrgxXcjjWNxUnNWALsP7bcvJlMzZrlKffWSo2zkybv8yuajuZE++hsY2fT
+f4wnqkGJLSu1XJh+BwdslIA133nb5IbDayrRFArivI+LD/cIubmgSEnL6wr1XN3M
+h3M+NKF/LVXK2s6pB/Njaz4lAGzLpHfo4dauU7Xo+XPAdW7C2G34UEsZSr39watK
+e7Z8NkyrZ4zapz+LEmDFrKdNOVFgavlMvhXX8b4Pr8XlK3p2yvKgpjs9YP4vPjvL
+gKoWd8hx660kf2qwELQvuYkioi8DAjhfM7M9RQIDAQABo4HdMIHaMAwGA1UdEwQF
+MAMBAf8wHQYDVR0OBBYEFILdqrjvX9CypSvdHKz1ssPhMLjFMIGqBgNVHSMEgaIw
+gZ+AFO+M3tJAELTnseUqZyP4vl5X7SmUoXykejB4MTUwMwYDVQQKDCxJbnRlcm5h
+dGlvbmFsIFVuaW9uIG9mIEV4YW1wbGUgT3JnYW5pemF0aW9uczEfMB0GA1UEAwwW
+Q2VydGlmaWNhdGUgaXNzdWVyIGd1eTEeMBwGCSqGSIb3DQEJARYPY2FAbWFpbC5l
+eGFtcGxlggkAma3ZbsK60e8wDQYJKoZIhvcNAQELBQADggEBADCm6aMD9hZunlnx
+cWyRCMT37gamRdCDkQ1/jrixZLZpyl9I/O8zbBLLR+bfArdxmOkpO1CgX3l4Zbhk
+xetdelVXatmaFsSQXCQsrVuue2Q9aUAzVoztgg27qyuXaSafx7PvOPnpTJcn5pcQ
+TecYKQjIVZInGZ1t7Oe+U5AiE0CLEgGnTsdABD1pNjoUXnQZx1RkvLiUsSH+YNQN
+G7vC5GiCkNFDRGk/M0Qec7kaYIwHjag1a0uitIpUv1LaloL/GIePFPT/Hh6rVsf4
+kLaXK5f78Rc09W4X8Uf818sPZkgL1pinH/XmwcySM0PucP3nQbkIpnAZETTcIcBN
+03wfDNA=
+-----END CERTIFICATE-----
-- 
2.10.1


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* [PATCH 4/4] unit: Add L_KEYRING_TRUSTED_ASYM_CHAIN test
  2016-10-21 20:52 [PATCH 1/4] key: Add cert chain validation capability to keyring Mat Martineau
  2016-10-21 20:52 ` [PATCH 2/4] unit: Update certificate generation script Mat Martineau
  2016-10-21 20:52 ` [PATCH 3/4] unit: New certificates for intermediate CA testing Mat Martineau
@ 2016-10-21 20:52 ` Mat Martineau
  2016-10-24 16:01 ` [PATCH 1/4] key: Add cert chain validation capability to keyring Denis Kenzior
  3 siblings, 0 replies; 5+ messages in thread
From: Mat Martineau @ 2016-10-21 20:52 UTC (permalink / raw)
  To: ell

[-- Attachment #1: Type: text/plain, Size: 2298 bytes --]

---
 unit/test-key.c | 58 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)

diff --git a/unit/test-key.c b/unit/test-key.c
index 80a1916..1195da4 100644
--- a/unit/test-key.c
+++ b/unit/test-key.c
@@ -408,6 +408,63 @@ static void test_trusted_keyring(const void *data)
 	l_free(cert);
 }
 
+static void test_trust_chain(const void *data)
+{
+	struct l_keyring *ring;
+	struct l_keyring *trust;
+	uint8_t *cacert;
+	size_t cacertlen;
+	uint8_t *intcert;
+	size_t intcertlen;
+	uint8_t *cert;
+	size_t certlen;
+	struct l_key *cakey;
+	struct l_key *intkey;
+	struct l_key *key;
+	bool success;
+
+	cacert = l_pem_load_certificate(TESTDATADIR "/cert-ca.pem", &cacertlen);
+	assert(cacert);
+	intcert = l_pem_load_certificate(TESTDATADIR "/cert-intca.pem",
+						&intcertlen);
+	assert(intcert);
+	cert = l_pem_load_certificate(TESTDATADIR "/cert-entity-int.pem",
+					&certlen);
+	assert(cert);
+
+	cakey = l_key_new(L_KEY_RSA, cacert, cacertlen);
+	assert(cakey);
+	intkey = l_key_new(L_KEY_RSA, intcert, intcertlen);
+	assert(intkey);
+	key = l_key_new(L_KEY_RSA, cert, certlen);
+	assert(key);
+
+	trust = l_keyring_new(L_KEYRING_SIMPLE, NULL);
+	assert(trust);
+	ring = l_keyring_new(L_KEYRING_TRUSTED_ASYM_CHAIN, trust);
+	assert(ring);
+
+	success = l_keyring_link(ring, key);
+	assert(!success);
+	success = l_keyring_link(ring, intkey);
+	assert(!success);
+	success = l_keyring_link(trust, cakey);
+	assert(success);
+	success = l_keyring_link(ring, key);
+	assert(!success);
+	success = l_keyring_link(ring, intkey);
+	assert(success);
+	success = l_keyring_link(ring, key);
+	assert(success);
+
+	l_keyring_free(trust);
+	l_keyring_free(ring);
+	l_key_free(cakey);
+	l_key_free(key);
+	l_free(cacert);
+	l_free(cert);
+}
+
 /* Reference ciphertext:
  * $ openssl rsautl -in reference_plaintext -inkey cert-client.pem -encrypt \
  * > -pkcs -out reference_ciphertext
@@ -600,6 +657,7 @@ int main(int argc, char *argv[])
 
 	l_test_add("simple keyring", test_simple_keyring, NULL);
 	l_test_add("trusted keyring", test_trusted_keyring, NULL);
+	l_test_add("trust chain", test_trust_chain, NULL);
 
 	l_test_add("key crypto", test_key_crypto, NULL);
 
-- 
2.10.1


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH 1/4] key: Add cert chain validation capability to keyring
  2016-10-21 20:52 [PATCH 1/4] key: Add cert chain validation capability to keyring Mat Martineau
                   ` (2 preceding siblings ...)
  2016-10-21 20:52 ` [PATCH 4/4] unit: Add L_KEYRING_TRUSTED_ASYM_CHAIN test Mat Martineau
@ 2016-10-24 16:01 ` Denis Kenzior
  3 siblings, 0 replies; 5+ messages in thread
From: Denis Kenzior @ 2016-10-24 16:01 UTC (permalink / raw)
  To: ell

[-- Attachment #1: Type: text/plain, Size: 1155 bytes --]

Hi Mat,

On 10/21/2016 03:52 PM, Mat Martineau wrote:
> Verifying certificate chains was a little awkward using the
> L_KEYRING_TRUSTED_ASYM keyring type, which required verifying the
> signature and then separately adding the verified certificate to the
> "trusted" keyring.
>
> With L_KEYRING_TRUSTED_ASYM_CHAIN, the destination keyring is also
> searched for signing keys.
>
> One use model is to have two keyrings:
>
>   1. trust_keyring: contains long-lived root and intermediate CA certs.
>   2. verify_keyring: an L_KEYRING_TRUSTED_ASYM_CHAIN keyring that
>                      is created with "trust_keyring" referenced for
> 		    trusted certificates.
>
> In order to validate new certificates, they are added to verify_keyring
> in series, starting with certs that are signed by those in
> trust_keyring. Once an intermediate CA cert is added to verify_keyring,
> certs signed by that intermediate CA can also be added to verify_keyring.
> ---
>   ell/key.c | 22 ++++++++++++++++------
>   ell/key.h |  3 ++-
>   2 files changed, 18 insertions(+), 7 deletions(-)
>

All four applied, thanks.

Regards,
-Denis


^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2016-10-24 16:01 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-10-21 20:52 [PATCH 1/4] key: Add cert chain validation capability to keyring Mat Martineau
2016-10-21 20:52 ` [PATCH 2/4] unit: Update certificate generation script Mat Martineau
2016-10-21 20:52 ` [PATCH 3/4] unit: New certificates for intermediate CA testing Mat Martineau
2016-10-21 20:52 ` [PATCH 4/4] unit: Add L_KEYRING_TRUSTED_ASYM_CHAIN test Mat Martineau
2016-10-24 16:01 ` [PATCH 1/4] key: Add cert chain validation capability to keyring Denis Kenzior

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.