Change PKI so that attestation certs are fully compliant. (#668)
* Change PKI so that attestation certs are fully compliant. Initially we generated the smallest certificate possible. Unfortunately sometimes attestation certificates are thoroughly checked and the FIDO x509v3 extensions must be present. This PR now creates a PKI (root CA and signing CA) with corresponding CRLs and also allows to create multiple batch certificates for the keys instead of a single one. The latest generated batch cert/key is automatically symlinked so that the previous documentation still holds. * Change openssl options to support older versions * OSX doesn't support long options --------- Co-authored-by: kaczmarczyck <43844792+kaczmarczyck@users.noreply.github.com>
This commit is contained in:
Jean-Michel Picod
committed by
GitHub
GitHub
parent
5fdc6e0739
commit
6b8aa3aaf3
91
tools/openssl/signing-ca.conf
Normal file
91
tools/openssl/signing-ca.conf
Normal file
@@ -0,0 +1,91 @@
|
||||
|
||||
oid_section = OIDS
|
||||
|
||||
[ default ]
|
||||
ca = signing-ca
|
||||
dir = ./crypto_data
|
||||
|
||||
[ req ]
|
||||
default_bits = 4096
|
||||
encrypt_key = yes
|
||||
default_md = sha256
|
||||
utf8 = yes
|
||||
string_mask = utf8only
|
||||
prompt = no
|
||||
distinguished_name = ca_dn
|
||||
req_extensions = ca_reqext
|
||||
|
||||
[ OIDS ]
|
||||
fido_attestation = 1.3.6.1.4.1.45724.2.1.1
|
||||
fido_aaguid = 1.3.6.1.4.1.45724.1.1.4
|
||||
|
||||
[ ca_dn ]
|
||||
countryName = "US"
|
||||
organizationName = "OpenSK"
|
||||
organizationalUnitName = "Authenticator Attestation"
|
||||
commonName = "OpenSK Signing"
|
||||
|
||||
[ ca_reqext ]
|
||||
keyUsage = critical,keyCertSign,cRLSign
|
||||
basicConstraints = critical,CA:true,pathlen:0
|
||||
subjectKeyIdentifier = hash
|
||||
|
||||
[ ca ]
|
||||
default_ca = signing_ca
|
||||
|
||||
[ signing_ca ]
|
||||
certificate = $dir/ca/$ca.pem
|
||||
private_key = $dir/ca/$ca/private/$ca.key
|
||||
new_certs_dir = $dir/ca/$ca
|
||||
serial = $dir/ca/$ca/db/$ca.pem.srl
|
||||
crlnumber = $dir/ca/$ca/db/$ca.pem.srl
|
||||
database = $dir/ca/$ca/db/$ca.db
|
||||
unique_subject = no
|
||||
default_days = 35064
|
||||
default_md = sha256
|
||||
policy = match_pol
|
||||
email_in_dn = no
|
||||
preserve = no
|
||||
name_opt = ca_default
|
||||
cert_opt = ca_default
|
||||
copy_extensions = copy
|
||||
x509_extensions = fido_key_ext
|
||||
default_crl_days = 7
|
||||
crl_extensions = crl_ext
|
||||
|
||||
[ match_pol ]
|
||||
countryName = match
|
||||
organizationName = match
|
||||
organizationalUnitName = match
|
||||
commonName = supplied
|
||||
|
||||
[ any_pol ]
|
||||
countryName = optional
|
||||
stateOrProvinceName = optional
|
||||
localityName = optional
|
||||
organizationName = optional
|
||||
organizationalUnitName = optional
|
||||
commonName = optional
|
||||
emailAddress = optional
|
||||
|
||||
[ root_ca_ext ]
|
||||
keyUsage = critical,keyCertSign,cRLSign
|
||||
basicConstraints = critical,CA:true
|
||||
subjectKeyIdentifier = hash
|
||||
authorityKeyIdentifier = keyid:always
|
||||
|
||||
[ signing_ca_ext ]
|
||||
keyUsage = critical,keyCertSign,cRLSign
|
||||
basicConstraints = critical,CA:true,pathlen:0
|
||||
subjectKeyIdentifier = hash
|
||||
authorityKeyIdentifier = keyid:always
|
||||
|
||||
[ fido_key_ext ]
|
||||
keyUsage = critical,digitalSignature
|
||||
basicConstraints = CA:false
|
||||
subjectKeyIdentifier = hash
|
||||
authorityKeyIdentifier = keyid:always
|
||||
|
||||
[ crl_ext ]
|
||||
authorityKeyIdentifier = keyid:always
|
||||
|
||||
Reference in New Issue
Block a user