kmwebnet/OpenSK
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Change PKI so that attestation certs are fully compliant. (#668)

Browse Source 
* Change PKI so that attestation certs are fully compliant.

Initially we generated the smallest certificate possible.
Unfortunately sometimes attestation certificates are
thoroughly checked and the FIDO x509v3 extensions must be present.
This PR now creates a PKI (root CA and signing CA) with corresponding
CRLs and also allows to create multiple batch certificates for the keys
instead of a single one.
The latest generated batch cert/key is automatically symlinked so that
the previous documentation still holds.

* Change openssl options to support older versions

* OSX doesn't support long options

---------

Co-authored-by: kaczmarczyck <43844792+kaczmarczyck@users.noreply.github.com>
This commit is contained in:
Jean-Michel Picod
2023-12-18 10:47:46 +01:00
committed by GitHub
parent 5fdc6e0739
commit 6b8aa3aaf3
6 changed files with 389 additions and 52 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
setup.sh
View File

@@ -1,5 +1,5 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# Copyright 2019 Google LLC # Copyright 2019-2023 Google LLC
# #
# Licensed under the Apache License, Version 2.0 (the "License"); # Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License. # you may not use this file except in compliance with the License.
@@ -40,7 +40,11 @@ check_command "$PIP"
# Ensure we have certificates, keys, etc. so that the tests can run # Ensure we have certificates, keys, etc. so that the tests can run
source tools/gen_key_materials.sh source tools/gen_key_materials.sh
generate_crypto_materials N generate_pki N
if [ ! -f "crypto_data/opensk.key" -o ! -f "crypto_data/opensk_cert.pem" ]
then
generate_new_batch
fi
rustup show rustup show
"$PIP" install --upgrade -r requirements.txt "$PIP" install --upgrade -r requirements.txt

231
tools/gen_key_materials.sh
View File

@@ -1,5 +1,5 @@
#!/bin/bash #!/bin/bash
# Copyright 2019 Google LLC # Copyright 2019-2023 Google LLC
# #
# Licensed under the Apache License, Version 2.0 (the "License"); # Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License. # you may not use this file except in compliance with the License.
@@ -13,20 +13,19 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
generate_crypto_materials () { generate_pki () {
# OpenSSL ext file location # Curve parameters
local openssl_ext_file=tools/openssl.ext local ecparams_file=crypto_data/ecparams.pem
# OpenSK AAGUID # OpenSK AAGUID
local aaguid_file=crypto_data/aaguid.txt local aaguid_file=crypto_data/aaguid.txt
# Root CA key pair and certificate # Root CA key pair and certificate
local ca_priv_key=crypto_data/opensk_ca.key local ca_priv_key=crypto_data/ca/root-ca/private/root-ca.key
local ca_cert_name=crypto_data/opensk_ca local ca_cert_name=crypto_data/ca/root-ca
# Attestation key pair and certificate that will be embedded into the # Signing CA key pair and certificate
# firmware. The certificate will be signed by the Root CA. local signing_ca_priv_key=crypto_data/ca/signing-ca/private/signing-ca.key
local opensk_key=crypto_data/opensk.key local signing_ca_cert_name=crypto_data/ca/signing-ca
local opensk_cert_name=crypto_data/opensk_cert
# The upgrade private key is used for signing, the corresponding public key # The upgrade private key is used for signing, the corresponding public key
# will be COSE encoded and embedded into the firmware. # will be COSE encoded and embedded into the firmware.
@@ -36,6 +35,9 @@ generate_crypto_materials () {
# Allow invoker to override the command with a full path. # Allow invoker to override the command with a full path.
local openssl=${OPENSSL:-$(which openssl)} local openssl=${OPENSSL:-$(which openssl)}
# Print version for debug purposes
${openssl} version
# We need openssl command to continue # We need openssl command to continue
if [ ! -x "${openssl}" ] if [ ! -x "${openssl}" ]
then then
@@ -47,55 +49,109 @@ generate_crypto_materials () {
set -e set -e
force_generate="$1" force_generate="$1"
mkdir -p crypto_data ask_for_password="$2"
if [ ! -f "${ca_priv_key}" ]
if [ "${force_generate}" = "Y" ]
then then
"${openssl}" ecparam -genkey -name prime256v1 -out "${ca_priv_key}" # Remove old OpenSK certs and CRL
rm -rf crypto_data/crl crypto_data/certs
fi fi
if [ ! -f "${ca_cert_name}.pem" ] openssl_keypwd="-nodes"
openssl_batch="-batch"
if [ "${ask_for_password}" = "Y" ]
then then
openssl_keypwd=""
openssl_batch=""
fi
# Create PKI directories
mkdir -p crypto_data/ca/root-ca/private crypto_data/ca/root-ca/db
mkdir -p crypto_data/ca/signing-ca/private crypto_data/ca/signing-ca/db
mkdir -p crypto_data/crl crypto_data/certs
chmod 700 crypto_data/ca/root-ca/private crypto_data/ca/signing-ca/private
# Prepare PKI databases
for fname in \
crypto_data/ca/root-ca/db/root-ca.db \
crypto_data/ca/root-ca/db/root-ca.db.attr \
crypto_data/ca/signing-ca/db/signing-ca.db \
crypto_data/ca/signing-ca/db/signing-ca.db.attr
do
if [ "${force_generate}" = "Y" -o ! -f "${fname}" ]
then
cp /dev/null "${fname}"
fi
done
# Initialize PKI serial numbers
for fname in \
crypto_data/ca/root-ca/db/root-ca.pem.srl \
crypto_data/ca/root-ca/db/root-ca.pem.srl \
crypto_data/ca/signing-ca/db/signing-ca.pem.srl \
crypto_data/ca/signing-ca/db/signing-ca.pem.srl
do
if [ "${force_generate}" = "Y" -o ! -f "${fname}" ]
then
echo 01 > "${fname}"
fi
done
# Generate AAGUID
if [ "${force_generate}" = "Y" -o ! -f "${aaguid_file}" ]
then
uuidgen > "${aaguid_file}"
fi
if [ ! -f "${ecparams_file}" ]
then
"${openssl}" ecparam -param_enc "named_curve" -name "prime256v1" -out "${ecparams_file}"
fi
if [ "${force_generate}" = "Y" -o ! -f "${ca_cert_name}.pem" ]
then
# Create root CA request and key pair
"${openssl}" req \ "${openssl}" req \
-new \ -new \
-key "${ca_priv_key}" \ -config tools/openssl/root-ca.conf \
-out "${ca_cert_name}.csr" \ -out "${ca_cert_name}.csr" \
-subj "/CN=OpenSK CA" -keyout "${ca_priv_key}" \
"${openssl}" x509 \ "${openssl_keypwd}" \
-trustout \ "${openssl_batch}" \
-req \ -newkey "ec:${ecparams_file}"
-days 7305 \
# Make root CA certificate
"${openssl}" ca \
-selfsign \
-config tools/openssl/root-ca.conf \
"${openssl_batch}" \
-in "${ca_cert_name}.csr" \ -in "${ca_cert_name}.csr" \
-signkey "${ca_priv_key}" \
-outform pem \
-out "${ca_cert_name}.pem" \ -out "${ca_cert_name}.pem" \
-sha256 -extensions root_ca_ext
fi fi
if [ "${force_generate}" = "Y" -o ! -f "${opensk_key}" ] if [ "${force_generate}" = "Y" -o ! -f "${signing_ca_cert_name}.pem" ]
then
"${openssl}" ecparam -genkey -name prime256v1 -out "${opensk_key}"
fi
if [ "${force_generate}" = "Y" -o ! -f "${opensk_cert_name}.pem" ]
then then
# Create signing CA request
"${openssl}" req \ "${openssl}" req \
-new \ -new \
-key "${opensk_key}" \ -config tools/openssl/signing-ca.conf \
-out "${opensk_cert_name}.csr" \ -out "${signing_ca_cert_name}.csr" \
-subj "/C=US/O=OpenSK/OU=Authenticator Attestation/CN=OpenSK Hacker Edition" -keyout "${signing_ca_priv_key}" \
"${openssl}" x509 \ "${openssl_keypwd}" \
-req \ "${openssl_batch}" \
-days 3652 \ -newkey "ec:${ecparams_file}"
-in "${opensk_cert_name}.csr" \
-CA "${ca_cert_name}.pem" \ # Make signing CA certificate
-extfile "${openssl_ext_file}" \ "${openssl}" ca \
-CAkey "${ca_priv_key}" \ -config tools/openssl/root-ca.conf \
-CAcreateserial \ "${openssl_batch}" \
-outform pem \ -in "${signing_ca_cert_name}.csr" \
-out "${opensk_cert_name}.pem" \ -out "${signing_ca_cert_name}.pem" \
-sha256 -extensions signing_ca_ext
fi fi
# Create firmware update key pair
if [ "${force_generate}" = "Y" -o ! -f "${opensk_upgrade}" ] if [ "${force_generate}" = "Y" -o ! -f "${opensk_upgrade}" ]
then then
"${openssl}" ecparam -genkey -name prime256v1 -out "${opensk_upgrade}" "${openssl}" ecparam -genkey -name prime256v1 -out "${opensk_upgrade}"
@@ -106,11 +162,88 @@ generate_crypto_materials () {
then then
"${openssl}" ec -in "${opensk_upgrade}" -pubout -out "${opensk_upgrade_pub}" "${openssl}" ec -in "${opensk_upgrade}" -pubout -out "${opensk_upgrade_pub}"
fi fi
if [ "${force_generate}" = "Y" -o ! -f "${aaguid_file}" ]
then
uuidgen > "${aaguid_file}"
fi
} }
generate_crypto_materials "$1" generate_new_batch () {
local openssl=${OPENSSL:-$(which openssl)}
# Curve parameters
local ecparams_file=crypto_data/ecparams.pem
# OpenSK AAGUID
local aaguid_file=crypto_data/aaguid.txt
set -e
# We need openssl command to continue
if [ ! -x "${openssl}" ]
then
echo "Missing openssl command. Try to specify its full path using OPENSSL environment variable."
exit 1
fi
if [ ! -f "${ecparams_file}" ]
then
echo "Missing curve parameters. Has the PKI been generated?"
exit 1
fi
if [ ! -f "${aaguid_file}" ]
then
echo "Missing AAGUID file."
exit 1
fi
batch_id=$(uuidgen | tr -d '-')
aaguid=$(tr -d '-' < "${aaguid_file}")
# Attestation key pair and certificate that will be embedded into the
# firmware. The certificate will be signed by the Root CA.
local opensk_key=certs/${batch_id}.key
local opensk_cert_name=certs/${batch_id}
# x509v3 extension values are passed through environment variables.
export OPENSK_AAGUID="${aaguid}"
# Comma separated values of supported transport for the batch attestation certificate.
# 0=BTC, 1=BLE, 2=USB, 3=NFC
# Default to USB only
export OPENSK_TRANSPORT="${OPENSK_TRANSPORT:-2}" # comma separated values. 1=BLE, 2=USB, 3=NFC
ask_for_password="$1"
openssl_keypwd="-nodes"
openssl_batch="-batch"
if [ "${ask_for_password}" = "Y" ]
then
openssl_keypwd=""
openssl_batch=""
fi
# Generate certificate request for the current batch
"${openssl}" req \
-new \
-config "tools/openssl/opensk.conf" \
-keyout "crypto_data/${opensk_key}" \
-out "crypto_data/${opensk_cert_name}.csr" \
"${openssl_keypwd}" \
"${openssl_batch}" \
-newkey "ec:${ecparams_file}"
# Sign it using signing-CA and injecting the AAGUID as an extension
"${openssl}" ca \
-config "tools/openssl/signing-ca.conf" \
"${openssl_batch}" \
-in "crypto_data/${opensk_cert_name}.csr" \
-out "crypto_data/${opensk_cert_name}.pem" \
-extensions "fido_key_ext"
# Force symlink to the latest batch
ln -s -f "${opensk_cert_name}.pem" crypto_data/opensk_cert.pem
ln -s -f "${opensk_key}" crypto_data/opensk.key
}
if [ "X${1}" != "X" ]
then
ask_for_password=${2:-N}
generate_pki $1 $ask_for_password
if [ "$1" = "Y" -o ! -f "crypto_data/opensk.key" -o ! -f "crypto_data/opensk_cert.pem" ]
then
generate_new_batch $ask_for_password
fi
fi

1
tools/openssl.ext
View File

@@ -1 +0,0 @@
basicConstraints=CA:FALSE

26
tools/openssl/opensk.conf Normal file
View File

@@ -0,0 +1,26 @@
oid_section = OIDS
[ OIDS ]
fido_attestation = 1.3.6.1.4.1.45724.2.1.1
fido_aaguid = 1.3.6.1.4.1.45724.1.1.4
[ req ]
encrypt_key = no
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = fido_dn
req_extensions = fido_reqext
[ fido_dn ]
countryName = "US"
organizationName = "OpenSK"
organizationalUnitName = "Authenticator Attestation"
commonName = "OpenSK Hacker Edition"
[ fido_reqext ]
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
fido_attestation = ASN1:FORMAT:BITLIST,BITSTRING:${ENV::OPENSK_TRANSPORT}
fido_aaguid = ASN1:FORMAT:HEX,OCTETSTRING:${ENV::OPENSK_AAGUID}

84
tools/openssl/root-ca.conf Normal file
View File

@@ -0,0 +1,84 @@
oid_section = OIDS
[ default ]
ca = root-ca
dir = ./crypto_data
[ req ]
encrypt_key = yes
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = ca_dn
req_extensions = ca_reqext
[ OIDS ]
fido_attestation = 1.3.6.1.4.1.45724.2.1.1
fido_aaguid = 1.3.6.1.4.1.45724.1.1.4
[ ca_dn ]
countryName = "US"
organizationName = "OpenSK"
organizationalUnitName = "Authenticator Attestation"
commonName = "OpenSK CA"
[ ca_reqext ]
keyUsage = critical,keyCertSign,cRLSign
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
[ ca ]
default_ca = root_ca
[ root_ca ]
certificate = $dir/ca/$ca.pem
private_key = $dir/ca/$ca/private/$ca.key
new_certs_dir = $dir/ca/$ca
serial = $dir/ca/$ca/db/$ca.pem.srl
crlnumber = $dir/ca/$ca/db/$ca.pem.srl
database = $dir/ca/$ca/db/$ca.db
unique_subject = no
default_days = 36525
default_md = sha256
policy = match_pol
email_in_dn = no
preserve = no
name_opt = ca_default
cert_opt = ca_default
copy_extensions = none
x509_extensions = signing_ca_ext
default_crl_days = 365
crl_extensions = crl_ext
[ match_pol ]
countryName = match
organizationName = match
organizationalUnitName = match
commonName = supplied
[ any_pol ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional
[ root_ca_ext ]
keyUsage = critical,keyCertSign,cRLSign
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
fido_attestation = ASN1:FORMAT:HEX,BITSTRING:00
[ signing_ca_ext ]
keyUsage = critical,keyCertSign,cRLSign
basicConstraints = critical,CA:true,pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ crl_ext ]
authorityKeyIdentifier = keyid:always

91
tools/openssl/signing-ca.conf Normal file
View File

@@ -0,0 +1,91 @@
oid_section = OIDS
[ default ]
ca = signing-ca
dir = ./crypto_data
[ req ]
default_bits = 4096
encrypt_key = yes
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = ca_dn
req_extensions = ca_reqext
[ OIDS ]
fido_attestation = 1.3.6.1.4.1.45724.2.1.1
fido_aaguid = 1.3.6.1.4.1.45724.1.1.4
[ ca_dn ]
countryName = "US"
organizationName = "OpenSK"
organizationalUnitName = "Authenticator Attestation"
commonName = "OpenSK Signing"
[ ca_reqext ]
keyUsage = critical,keyCertSign,cRLSign
basicConstraints = critical,CA:true,pathlen:0
subjectKeyIdentifier = hash
[ ca ]
default_ca = signing_ca
[ signing_ca ]
certificate = $dir/ca/$ca.pem
private_key = $dir/ca/$ca/private/$ca.key
new_certs_dir = $dir/ca/$ca
serial = $dir/ca/$ca/db/$ca.pem.srl
crlnumber = $dir/ca/$ca/db/$ca.pem.srl
database = $dir/ca/$ca/db/$ca.db
unique_subject = no
default_days = 35064
default_md = sha256
policy = match_pol
email_in_dn = no
preserve = no
name_opt = ca_default
cert_opt = ca_default
copy_extensions = copy
x509_extensions = fido_key_ext
default_crl_days = 7
crl_extensions = crl_ext
[ match_pol ]
countryName = match
organizationName = match
organizationalUnitName = match
commonName = supplied
[ any_pol ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional
[ root_ca_ext ]
keyUsage = critical,keyCertSign,cRLSign
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ signing_ca_ext ]
keyUsage = critical,keyCertSign,cRLSign
basicConstraints = critical,CA:true,pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ fido_key_ext ]
keyUsage = critical,digitalSignature
basicConstraints = CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ crl_ext ]
authorityKeyIdentifier = keyid:always