Change PKI so that attestation certs are fully compliant. (#668)

* Change PKI so that attestation certs are fully compliant. Initially we generated the smallest certificate possible. Unfortunately sometimes attestation certificates are thoroughly checked and the FIDO x509v3 extensions must be present. This PR now creates a PKI (root CA and signing CA) with corresponding CRLs and also allows to create multiple batch certificates for the keys instead of a single one. The latest generated batch cert/key is automatically symlinked so that the previous documentation still holds. * Change openssl options to support older versions * OSX doesn't support long options --------- Co-authored-by: kaczmarczyck <43844792+kaczmarczyck@users.noreply.github.com>
2023-12-18 10:47:46 +01:00
parent 5fdc6e0739
commit 6b8aa3aaf3
6 changed files with 389 additions and 52 deletions
--- a/tools/openssl/opensk.conf
+++ b/tools/openssl/opensk.conf
@@ -0,0 +1,26 @@
+oid_section = OIDS
+
+[ OIDS ]
+fido_attestation = 1.3.6.1.4.1.45724.2.1.1
+fido_aaguid = 1.3.6.1.4.1.45724.1.1.4
+
+[ req ]
+encrypt_key = no
+default_md = sha256
+utf8 = yes
+string_mask = utf8only
+prompt = no
+distinguished_name = fido_dn
+req_extensions = fido_reqext
+
+[ fido_dn ]
+countryName = "US"
+organizationName = "OpenSK"
+organizationalUnitName = "Authenticator Attestation"
+commonName = "OpenSK Hacker Edition"
+
+[ fido_reqext ]
+keyUsage                = critical,digitalSignature
+subjectKeyIdentifier    = hash
+fido_attestation        = ASN1:FORMAT:BITLIST,BITSTRING:${ENV::OPENSK_TRANSPORT}
+fido_aaguid             = ASN1:FORMAT:HEX,OCTETSTRING:${ENV::OPENSK_AAGUID}
--- a/tools/openssl/root-ca.conf
+++ b/tools/openssl/root-ca.conf
@@ -0,0 +1,84 @@
+oid_section = OIDS
+
+[ default ]
+ca = root-ca
+dir = ./crypto_data
+
+[ req ]
+encrypt_key = yes
+default_md = sha256
+utf8 = yes
+string_mask = utf8only
+prompt = no
+distinguished_name = ca_dn
+req_extensions = ca_reqext
+
+[ OIDS ]
+fido_attestation = 1.3.6.1.4.1.45724.2.1.1
+fido_aaguid = 1.3.6.1.4.1.45724.1.1.4
+
+[ ca_dn ]
+countryName = "US"
+organizationName = "OpenSK"
+organizationalUnitName = "Authenticator Attestation"
+commonName = "OpenSK CA"
+
+[ ca_reqext ]
+keyUsage = critical,keyCertSign,cRLSign
+basicConstraints = critical,CA:true
+subjectKeyIdentifier = hash
+
+[ ca ]
+default_ca = root_ca
+
+[ root_ca ]
+certificate = $dir/ca/$ca.pem
+private_key = $dir/ca/$ca/private/$ca.key
+new_certs_dir = $dir/ca/$ca
+serial = $dir/ca/$ca/db/$ca.pem.srl
+crlnumber = $dir/ca/$ca/db/$ca.pem.srl
+database = $dir/ca/$ca/db/$ca.db
+unique_subject = no
+default_days = 36525
+default_md = sha256
+policy = match_pol
+email_in_dn = no
+preserve = no
+name_opt = ca_default
+cert_opt = ca_default
+copy_extensions = none
+x509_extensions = signing_ca_ext
+default_crl_days = 365
+crl_extensions = crl_ext
+
+[ match_pol ]
+countryName = match
+organizationName = match
+organizationalUnitName = match
+commonName = supplied
+
+[ any_pol ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = optional
+emailAddress = optional
+
+[ root_ca_ext ]
+keyUsage = critical,keyCertSign,cRLSign
+basicConstraints = critical,CA:true
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+fido_attestation = ASN1:FORMAT:HEX,BITSTRING:00
+
+[ signing_ca_ext ]
+keyUsage = critical,keyCertSign,cRLSign
+basicConstraints = critical,CA:true,pathlen:0
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+[ crl_ext ]
+authorityKeyIdentifier = keyid:always
+
--- a/tools/openssl/signing-ca.conf
+++ b/tools/openssl/signing-ca.conf
@@ -0,0 +1,91 @@
+
+oid_section = OIDS
+
+[ default ]
+ca = signing-ca
+dir = ./crypto_data
+
+[ req ]
+default_bits = 4096
+encrypt_key = yes
+default_md = sha256
+utf8 = yes
+string_mask = utf8only
+prompt = no
+distinguished_name = ca_dn
+req_extensions = ca_reqext
+
+[ OIDS ]
+fido_attestation = 1.3.6.1.4.1.45724.2.1.1
+fido_aaguid = 1.3.6.1.4.1.45724.1.1.4
+
+[ ca_dn ]
+countryName = "US"
+organizationName = "OpenSK"
+organizationalUnitName = "Authenticator Attestation"
+commonName = "OpenSK Signing"
+
+[ ca_reqext ]
+keyUsage = critical,keyCertSign,cRLSign
+basicConstraints = critical,CA:true,pathlen:0
+subjectKeyIdentifier = hash
+
+[ ca ]
+default_ca = signing_ca
+
+[ signing_ca ]
+certificate = $dir/ca/$ca.pem
+private_key = $dir/ca/$ca/private/$ca.key
+new_certs_dir = $dir/ca/$ca
+serial = $dir/ca/$ca/db/$ca.pem.srl
+crlnumber = $dir/ca/$ca/db/$ca.pem.srl
+database = $dir/ca/$ca/db/$ca.db
+unique_subject = no
+default_days = 35064
+default_md = sha256
+policy = match_pol
+email_in_dn = no
+preserve = no
+name_opt = ca_default
+cert_opt = ca_default
+copy_extensions = copy
+x509_extensions = fido_key_ext
+default_crl_days = 7
+crl_extensions = crl_ext
+
+[ match_pol ]
+countryName = match
+organizationName = match
+organizationalUnitName = match
+commonName = supplied
+
+[ any_pol ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = optional
+emailAddress = optional
+
+[ root_ca_ext ]
+keyUsage = critical,keyCertSign,cRLSign
+basicConstraints = critical,CA:true
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+[ signing_ca_ext ]
+keyUsage = critical,keyCertSign,cRLSign
+basicConstraints = critical,CA:true,pathlen:0
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+[ fido_key_ext ]
+keyUsage = critical,digitalSignature
+basicConstraints = CA:false
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+[ crl_ext ]
+authorityKeyIdentifier = keyid:always
+