Re: [openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled

[David Woodhouse via RT]

On Fri, 2015-07-31 at 03:09 +, Salz, Rich wrote:
  If requested, I can still provide a patch with the alternative variant of 
  using a
  X509_V_FLAG_NO_CHECK_TIME flag if that's considered better than using a
  'special' time of (time_t)-1 with X509_VERIFY_PARAM_set_time().
 
 Yes, please.

[dwoodhou@i7 apps]$ ./openssl verify  ~/.cert.20100813/certificate.pem   
C = US, O = Intel Corporation, CN = Intel Intranet Basic Issuing CA 1B
error 10 at 1 depth lookup:certificate has expired
DC = com, DC = intel, DC = corp, DC = ger, OU = Workers, CN = Woodhouse, 
David, emailAddress = david.woodho...@intel.com
error 10 at 0 depth lookup:certificate has expired
/home/dwmw2/.cert.20100813/certificate.pem: OK

[dwoodhou@i7 apps]$ ./openssl verify -no_check_time 
~/.cert.20100813/certificate.pem   
/home/dwmw2/.cert.20100813/certificate.pem: OK

-- 
David WoodhouseOpen Source Technology Centre
david.woodho...@intel.com  Intel Corporation

From 782cf323f9a85c9244dc6aceb13d875723253810 Mon Sep 17 00:00:00 2001
From: David Woodhouse david.woodho...@intel.com
Date: Fri, 31 Jul 2015 08:49:50 +0100
Subject: [PATCH] RT3951: Add X509_V_FLAG_NO_CHECK_TIME to suppress time check

In some environments, such as firmware, the current system time is entirely
meaningless. Provide a clean mechanism to suppress the checks against it.
---
 apps/apps.h| 8 +---
 apps/opt.c | 4 
 crypto/x509/x509_vfy.c | 4 
 doc/crypto/X509_VERIFY_PARAM_set_flags.pod | 4 
 include/openssl/x509_vfy.h | 2 ++
 5 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/apps/apps.h b/apps/apps.h
index f2dc812..1781deb 100644
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -179,7 +179,7 @@ void unbuffer(FILE *fp);
 OPT_V_X509_STRICT, OPT_V_EXTENDED_CRL, OPT_V_USE_DELTAS, \
 OPT_V_POLICY_PRINT, OPT_V_CHECK_SS_SIG, OPT_V_TRUSTED_FIRST, \
 OPT_V_SUITEB_128_ONLY, OPT_V_SUITEB_128, OPT_V_SUITEB_192, \
-OPT_V_PARTIAL_CHAIN, OPT_V_NO_ALT_CHAINS, \
+OPT_V_PARTIAL_CHAIN, OPT_V_NO_ALT_CHAINS, OPT_V_NO_CHECK_TIME, \
 OPT_V__LAST
 
 # define OPT_V_OPTIONS \
@@ -209,7 +209,8 @@ void unbuffer(FILE *fp);
 { suiteB_128, OPT_V_SUITEB_128, '-' }, \
 { suiteB_192, OPT_V_SUITEB_192, '-' }, \
 { partial_chain, OPT_V_PARTIAL_CHAIN, '-' }, \
-{ no_alt_chains, OPT_V_NO_ALT_CHAINS, '-', Only use the first cert chain found }
+{ no_alt_chains, OPT_V_NO_ALT_CHAINS, '-', Only use the first cert chain found }, \
+{ no_check_time, OPT_V_NO_CHECK_TIME, '-', Do not check validity against current time }
 
 # define OPT_V_CASES \
 OPT_V__FIRST: case OPT_V__LAST: break; \
@@ -239,7 +240,8 @@ void unbuffer(FILE *fp);
 case OPT_V_SUITEB_128: \
 case OPT_V_SUITEB_192: \
 case OPT_V_PARTIAL_CHAIN: \
-case OPT_V_NO_ALT_CHAINS
+case OPT_V_NO_ALT_CHAINS: \
+case OPT_V_NO_CHECK_TIME
 
 /*
  * Common extended? options.
diff --git a/apps/opt.c b/apps/opt.c
index bfb039e..c7dcc43 100644
--- a/apps/opt.c
+++ b/apps/opt.c
@@ -543,6 +543,10 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
 break;
 case OPT_V_NO_ALT_CHAINS:
 X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NO_ALT_CHAINS);
+	break;
+case OPT_V_NO_CHECK_TIME:
+X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NO_CHECK_TIME);
+	break;
 }
 return 1;
 
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 7062ab2..a1bf0f2 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -952,6 +952,8 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
 ctx-current_crl = crl;
 if (ctx-param-flags  X509_V_FLAG_USE_CHECK_TIME)
 ptime = ctx-param-check_time;
+else if (ctx-param-flags  X509_V_FLAG_NO_CHECK_TIME)
+return 1;
 else
 ptime = NULL;
 
@@ -1672,6 +1674,8 @@ int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet)
 
 if (ctx-param-flags  X509_V_FLAG_USE_CHECK_TIME)
 ptime = ctx-param-check_time;
+else if (ctx-param-flags  X509_V_FLAG_NO_CHECK_TIME)
+return 1;
 else
 ptime = NULL;
 
diff --git a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
index 066ce0f..57c7b7b 100644
--- a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
+++ b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
@@ -203,6 +203,10 @@ chain found is not trusted, then OpenSSL will continue to check to see if an
 alternative chain can be found that is trusted. With this flag set the behaviour
 will match that of OpenSSL versions prior to 1.1.0.
 
+The BX509_V_FLAG_NO_CHECK_TIME flag suppresses checking the validity period
+of certificates and CRLs against the current time. If X509_VERIFY_PARAM_set_time()
+is used to specify a verification time, the check is not suppressed.
+
 

Re: [openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled

[David Woodhouse]

On Fri, 2015-07-31 at 03:09 +, Salz, Rich wrote:
  If requested, I can still provide a patch with the alternative variant of 
  using a
  X509_V_FLAG_NO_CHECK_TIME flag if that's considered better than using a
  'special' time of (time_t)-1 with X509_VERIFY_PARAM_set_time().
 
 Yes, please.

[dwoodhou@i7 apps]$ ./openssl verify  ~/.cert.20100813/certificate.pem   
C = US, O = Intel Corporation, CN = Intel Intranet Basic Issuing CA 1B
error 10 at 1 depth lookup:certificate has expired
DC = com, DC = intel, DC = corp, DC = ger, OU = Workers, CN = Woodhouse, 
David, emailAddress = david.woodho...@intel.com
error 10 at 0 depth lookup:certificate has expired
/home/dwmw2/.cert.20100813/certificate.pem: OK

[dwoodhou@i7 apps]$ ./openssl verify -no_check_time 
~/.cert.20100813/certificate.pem   
/home/dwmw2/.cert.20100813/certificate.pem: OK

-- 
David WoodhouseOpen Source Technology Centre
david.woodho...@intel.com  Intel Corporation
From 782cf323f9a85c9244dc6aceb13d875723253810 Mon Sep 17 00:00:00 2001
From: David Woodhouse david.woodho...@intel.com
Date: Fri, 31 Jul 2015 08:49:50 +0100
Subject: [PATCH] RT3951: Add X509_V_FLAG_NO_CHECK_TIME to suppress time check

In some environments, such as firmware, the current system time is entirely
meaningless. Provide a clean mechanism to suppress the checks against it.
---
 apps/apps.h| 8 +---
 apps/opt.c | 4 
 crypto/x509/x509_vfy.c | 4 
 doc/crypto/X509_VERIFY_PARAM_set_flags.pod | 4 
 include/openssl/x509_vfy.h | 2 ++
 5 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/apps/apps.h b/apps/apps.h
index f2dc812..1781deb 100644
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -179,7 +179,7 @@ void unbuffer(FILE *fp);
 OPT_V_X509_STRICT, OPT_V_EXTENDED_CRL, OPT_V_USE_DELTAS, \
 OPT_V_POLICY_PRINT, OPT_V_CHECK_SS_SIG, OPT_V_TRUSTED_FIRST, \
 OPT_V_SUITEB_128_ONLY, OPT_V_SUITEB_128, OPT_V_SUITEB_192, \
-OPT_V_PARTIAL_CHAIN, OPT_V_NO_ALT_CHAINS, \
+OPT_V_PARTIAL_CHAIN, OPT_V_NO_ALT_CHAINS, OPT_V_NO_CHECK_TIME, \
 OPT_V__LAST
 
 # define OPT_V_OPTIONS \
@@ -209,7 +209,8 @@ void unbuffer(FILE *fp);
 { suiteB_128, OPT_V_SUITEB_128, '-' }, \
 { suiteB_192, OPT_V_SUITEB_192, '-' }, \
 { partial_chain, OPT_V_PARTIAL_CHAIN, '-' }, \
-{ no_alt_chains, OPT_V_NO_ALT_CHAINS, '-', Only use the first cert chain found }
+{ no_alt_chains, OPT_V_NO_ALT_CHAINS, '-', Only use the first cert chain found }, \
+{ no_check_time, OPT_V_NO_CHECK_TIME, '-', Do not check validity against current time }
 
 # define OPT_V_CASES \
 OPT_V__FIRST: case OPT_V__LAST: break; \
@@ -239,7 +240,8 @@ void unbuffer(FILE *fp);
 case OPT_V_SUITEB_128: \
 case OPT_V_SUITEB_192: \
 case OPT_V_PARTIAL_CHAIN: \
-case OPT_V_NO_ALT_CHAINS
+case OPT_V_NO_ALT_CHAINS: \
+case OPT_V_NO_CHECK_TIME
 
 /*
  * Common extended? options.
diff --git a/apps/opt.c b/apps/opt.c
index bfb039e..c7dcc43 100644
--- a/apps/opt.c
+++ b/apps/opt.c
@@ -543,6 +543,10 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
 break;
 case OPT_V_NO_ALT_CHAINS:
 X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NO_ALT_CHAINS);
+	break;
+case OPT_V_NO_CHECK_TIME:
+X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NO_CHECK_TIME);
+	break;
 }
 return 1;
 
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 7062ab2..a1bf0f2 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -952,6 +952,8 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
 ctx-current_crl = crl;
 if (ctx-param-flags  X509_V_FLAG_USE_CHECK_TIME)
 ptime = ctx-param-check_time;
+else if (ctx-param-flags  X509_V_FLAG_NO_CHECK_TIME)
+return 1;
 else
 ptime = NULL;
 
@@ -1672,6 +1674,8 @@ int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet)
 
 if (ctx-param-flags  X509_V_FLAG_USE_CHECK_TIME)
 ptime = ctx-param-check_time;
+else if (ctx-param-flags  X509_V_FLAG_NO_CHECK_TIME)
+return 1;
 else
 ptime = NULL;
 
diff --git a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
index 066ce0f..57c7b7b 100644
--- a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
+++ b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
@@ -203,6 +203,10 @@ chain found is not trusted, then OpenSSL will continue to check to see if an
 alternative chain can be found that is trusted. With this flag set the behaviour
 will match that of OpenSSL versions prior to 1.1.0.
 
+The BX509_V_FLAG_NO_CHECK_TIME flag suppresses checking the validity period
+of certificates and CRLs against the current time. If X509_VERIFY_PARAM_set_time()
+is used to specify a verification time, the check is not suppressed.
+
 

Re: [openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled

[Viktor Dukhovni]

On Thu, Jul 30, 2015 at 09:55:36PM +, Woodhouse, David via RT wrote:

 On Tue, 2015-07-28 at 11:00 +, Salz, Rich via RT wrote:
  It seems that the simplest and most obvious thing is to indicate that 
  you don't care about the dates, which is what this patch does.
 
 Obviously I agree, but life's too short to argue about it and I *do*
 have a viable alternative, with a verify_cb function that just ignores
 X509_V_ERR_CERT_NOT_YET_VALID and X509_V_ERR_CERT_HAS_EXPIRED.

You have to be careful how you do that.  The final error in the
X509_STORE_CTX is the *last* error reported, and other errors
may also have been detected earlier.

If your callback always returns the ok input except for the two
above errors, you're fine.  But if returns 1 in additional cases,
and then in the end you look at the store error status, you may be
in trouble.  That's in issue in applications that don't immediately
terminate the handshake on authentication errors, and disconnect
more gracefully at the application layer when authentication fails.

-- 
Viktor.
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled

[David Woodhouse]

On Thu, 2015-07-30 at 22:08 +, Viktor Dukhovni wrote:
 
  Obviously I agree, but life's too short to argue about it and I *do*
  have a viable alternative, with a verify_cb function that just ignores
  X509_V_ERR_CERT_NOT_YET_VALID and X509_V_ERR_CERT_HAS_EXPIRED.
 
 You have to be careful how you do that.  The final error in the
 X509_STORE_CTX is the *last* error reported, and other errors
 may also have been detected earlier.
 
 If your callback always returns the ok input except for the two
 above errors, you're fine.  But if returns 1 in additional cases,
 and then in the end you look at the store error status, you may be
 in trouble.  That's in issue in applications that don't immediately
 terminate the handshake on authentication errors, and disconnect
 more gracefully at the application layer when authentication fails.

Thanks for the warning. I don't believe we're looking at the store
error status at all; we only care about the return value from
X509_verify_cert() — either directly, or when PKCS7_verify() calls it.

(There's no SSL here; only crypto. It's for verifying certificate
chains and checking signatures on boot images).

So I think it's fine.

-- 
David WoodhouseOpen Source Technology Centre
david.woodho...@intel.com  Intel Corporation


smime.p7s
Description: S/MIME cryptographic signature
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled

[Salz, Rich]

 
 If requested, I can still provide a patch with the alternative variant of 
 using a
 X509_V_FLAG_NO_CHECK_TIME flag if that's considered better than using a
 'special' time of (time_t)-1 with X509_VERIFY_PARAM_set_time().

Yes, please.
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled

[Salz, Rich via RT]

 
 If requested, I can still provide a patch with the alternative variant of 
 using a
 X509_V_FLAG_NO_CHECK_TIME flag if that's considered better than using a
 'special' time of (time_t)-1 with X509_VERIFY_PARAM_set_time().

Yes, please.

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled

[Woodhouse, David via RT]

On Tue, 2015-07-28 at 11:00 +, Salz, Rich via RT wrote:
 It seems that the simplest and most obvious thing is to indicate that 
 you don't care about the dates, which is what this patch does.

Obviously I agree, but life's too short to argue about it and I *do*
have a viable alternative, with a verify_cb function that just ignores
X509_V_ERR_CERT_NOT_YET_VALID and X509_V_ERR_CERT_HAS_EXPIRED.

So (for the record) I've submitted patches to EDKII which do precisely
that, and I don't depend on this patch any more. Close the RT if you
wish.

Having said that, if OpenSSL *does* gain this functionality then I'll
happily change the EDKII code to make use of it, because I think it's
the better approach.

If requested, I can still provide a patch with the alternative variant
of using a X509_V_FLAG_NO_CHECK_TIME flag if that's considered better
than using a 'special' time of (time_t)-1 with
X509_VERIFY_PARAM_set_time().

-- 
David WoodhouseOpen Source Technology Centre
david.woodho...@intel.com  Intel Corporation



smime.p7s
Description: S/MIME cryptographic signature
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled

[David Woodhouse]

On Wed, 2015-07-22 at 16:47 +, Viktor Dukhovni wrote:
 On Wed, Jul 22, 2015 at 03:36:40PM +, David Woodhouse via RT 
 wrote:
 
  FWIW the Linux kernel also specifically avoids checking timestamps
  altogether when validating signed modules.
 
 You probably need a dedicated implementation of X509_verify_cert().
 When dealing with data at rest (signed email, signed code, ...)
 certificate expiration needs to be understood in the context of
 time of signature, not time of verification.

Yes, but AFAICT the security model here is entirely bogus.

If we're going to trust a third party to say this is my signature,
oh and trust me, this is when I signed it, then we might as well not
be checking the validity time for that third party's signatures at all.
There is *no* benefit, surely? Just complexity.

 Ideally (this generally works for email), the verifier initially
 verifies the signed object before the expiration time of the
 certificate and then caches this fact in some manner, so that
 subsequent verification can ignore the certificate entirely, and
 just check the the object has not changed since initially verified.

Except that IMAP deliberately provides a *read-only* message store. You
cannot modify messages in any way, by design. You can only add flags.

I don't even want to contemplate a world in which we just have a
'trust me, message signature was OK' flag on a mailstore and allow that
to bypass the *actual* checking.

Actually, if you look at RFC3851 §2.5.1 you'll see that we include a
signingTime attribute in the S/MIME message. Validation is done using
that.

Which makes it entirely pointless, as I said above. You might as well
just not *check* the validity time at all when validating email,
surely?

Hell, it would make more sense in the case of email to do the check
using the Date: header (or the last Resent-Date: header). At least that
wouldn't be *entirely* redundant. And it wouldn't be possible to
falsely sign a message 


 If caching results of initial verification is not an option, then
 perhaps disabling expiration checks is a last-resort option. 

It's not an option. It's not even a good idea.

  There are ways (with care) to do this via the verify callback, which 
 can be made to suppress *only* expiration errors and fail on all 
 other errors.

Yeah. And it turns out that we have verify callbacks in most cases
*already*, to cope with intermediate CAs being present in our trust
store without the ultimate self-signed root CA also being present.
(Although I'd hope there was a better way to handle that; I'll come
back to that later.)

So for now I can live without the requested feature — although
reluctantly because I think the reasons for refusing are utterly bogus
— and fix it up on the EDK2 side just by ignoring/allowing
X509_V_ERR_CERT_{HAS_EXPIRED,NOT_YET_VALID} thus:
  http://git.infradead.org/users/dwmw2/edk2.git/commitdiff/9b89269c

-- 
David WoodhouseOpen Source Technology Centre
david.woodho...@intel.com  Intel Corporation


smime.p7s
Description: S/MIME cryptographic signature
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled

[Salz, Rich via RT]

It seems that the simplest and most obvious thing is to indicate that you don't 
care about the dates, which is what this patch does.


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled

[Tim Hollebeek]

The way this is supposed to work is by using a timestamp from a trusted 
timestamp server to show the certificate was valid at the time the code was 
signed.

See the following text from the draft code signing baseline requirements from 
the CA/Browser forum:

8.2.1: ... With the exception of revocation checking for time-stamped and 
expired Certificates, Platforms are expected to validate Code Signatures in 
accordance with RFC 5280 when first encountered. Subsequent signature 
validation MAY ignore revocation, especially if rejecting the Code will cause 
the device to fail to boot.  When a Platform encounters a Certificate that 
fails to validate due to revocation, the Platform should not permit the Code to 
execute.  When a Platform encounters a Certificate that fails to validate for 
reasons other than revocation, the Platform should treat the Code as unsigned.
Ordinarily, a Code Signature created by a Subscriber is only considered valid 
until expiration of the Certificate.  However, the “Timestamp” method and the 
“Signing Service” methods permit Code to remain valid for longer periods of 
time.
1.  Timestamp Method: In this method, the Subscriber signs the Code, 
appends its Code Signing Certificate and submits it to a Timestamp Authority to 
be time-stamped.  The resulting package can be considered valid after 
expiration of the Code Signing Certificate and expiration of the Timestamp 
Authority certificate if the timestamp is dated prior to the Certificate’s 
expiration date and any applicable revocation date.  (See Section 13.2.)
2.  Signing Service Method: In this method, the Subscriber uses the service 
to sign compiled code, binary, file, app, or similar object.  Alternatively, 
the service MAY sign a digest of the preceding objects.  The resulting Code 
Signature is valid up to the expiration time of the Signing Service’s Code 
Signing Certificate and any applicable revocation date, whichever comes first. 
Signing Services MAY also timestamp signed objects.

This is much better than simply ignoring all date validation.

-Tim

-Original Message-
From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf Of 
Woodhouse, David via RT
Sent: Wednesday, July 22, 2015 9:10 AM
Cc: openssl-dev@openssl.org
Subject: [openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time 
checks to be disabled

There are various circumstances in which it makes no sense to be checking the 
start and end times of a certificate's validity.

When validating OS kernel drivers, or indeed when validating the OS kernel 
itself when the firmware loads it, we *really* don't want to have a built-in 
obsolescence date after which the system will no longer function. That would be 
a bad thing even if we *could* reliably trust the system's real time clock at 
this stage in the boot sequence.

This patch gives us a way to disable the time checks entirely, by using
X509_VERIFY_PARAM_set_time() with a time of -1.

There is a slight risk here — if anyone was genuinely using the value of -1 to 
check if a certificate chain was indeed valid in the last second of 1969. I 
judge that risk to be negligible. And it certainly shouldn't be externally 
triggerable — if an attacker could influence the value passed to 
X509_VERIFY_PARAM_set_time() then all bets were off w.r.t. time-based checks 
anyway.

If there are serious concerns, however, I can provide an alternative patch 
which adds an X509_V_FLAG_NO_CHECK_TIME flag for this purpose instead.

I'm happy with anything except the existing version in the UEFI source tree 
that everyone is shipping, which just disables the time check if 
OPENSSL_SYS_UEFI is set¹. That one I *don't* like.

--
David WoodhouseOpen Source Technology Centre
david.woodho...@intel.com  Intel Corporation

¹ 
http://scanmail.trustwave.com/?c=4062d=w5av1VNIDJq7CuEBC-sOxIBHFHbcisoH_n4fAJKpMgs=5u=http%3a%2f%2fgit%2einfradead%2eorg%2fusers%2fdwmw2%2fopenssl%2egit%2fcommitdiff%2f2fb12afc2ceb



This transmission may contain information that is privileged, confidential, 
and/or exempt from disclosure under applicable law. If you are not the intended 
recipient, you are hereby notified that any disclosure, copying, distribution, 
or use of the information contained herein (including any reliance thereon) is 
strictly prohibited. If you received this transmission in error, please 
immediately contact the sender and destroy the material in its entirety, 
whether in electronic or hard copy format.
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled

[Alexander Gostrer]

Hi David,

I think that both your proposals will add vulnerabilities. With your
proposal I anticipate that many careless application developers will
disable the date checking forever. As a result, consumers will be blaming
openssl, not these developers.

Current solution for kernels and other firmware without a reliable RTC is
to issue certificates that are valid from 1969 to 2037. We will have a
Y2037 problem similar to Y2000 but this is a wide problem, much wider than
openssl can solve at the moment.

Regards,
Alex Gostrer


On Wed, Jul 22, 2015 at 6:09 AM, Woodhouse, David via RT r...@openssl.org
wrote:

 There are various circumstances in which it makes no sense to be
 checking the start and end times of a certificate's validity.

 When validating OS kernel drivers, or indeed when validating the OS
 kernel itself when the firmware loads it, we *really* don't want to
 have a built-in obsolescence date after which the system will no longer
 function. That would be a bad thing even if we *could* reliably trust
 the system's real time clock at this stage in the boot sequence.

 This patch gives us a way to disable the time checks entirely, by using
 X509_VERIFY_PARAM_set_time() with a time of -1.

 There is a slight risk here — if anyone was genuinely using the value
 of -1 to check if a certificate chain was indeed valid in the last
 second of 1969. I judge that risk to be negligible. And it certainly
 shouldn't be externally triggerable — if an attacker could influence
 the value passed to X509_VERIFY_PARAM_set_time() then all bets were off
 w.r.t. time-based checks anyway.

 If there are serious concerns, however, I can provide an alternative
 patch which adds an X509_V_FLAG_NO_CHECK_TIME flag for this purpose
 instead.

 I'm happy with anything except the existing version in the UEFI source
 tree that everyone is shipping, which just disables the time check if
 OPENSSL_SYS_UEFI is set¹. That one I *don't* like.

 --
 David WoodhouseOpen Source Technology Centre
 david.woodho...@intel.com  Intel Corporation

 ¹ http://git.infradead.org/users/dwmw2/openssl.git/commitdiff/2fb12afc2ceb

 ___
 openssl-bugs-mod mailing list
 openssl-bugs-...@openssl.org
 https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod
 ___
 openssl-dev mailing list
 To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled

[David Woodhouse via RT]

On Wed, 2015-07-22 at 14:52 +, Tim Hollebeek wrote:
 The way this is supposed to work is by using a timestamp from a 
 trusted timestamp server to show the certificate was valid at the 
 time the code was signed.

That would be great. Unfortunately, if the UEFI firmware were suddenly
to start insisting upon that then a lot of operating systems would no
longer boot.

I don't think it's practical to add this requirement for secure boot at
this stage; the UEFI firmware will probably continue to just disable
the time check — even if it's a local patch as it is at the moment.

But I'm *trying* to eliminate those local patches, to make it easier to
keep OpenSSL up to date. It occurs to me that UEFI firmware might be
the *largest* deployment of OpenSSL, so it's unfortunate that the
patches it needs are out-of-tree :)

FWIW the Linux kernel also specifically avoids checking timestamps
altogether when validating signed modules.

-- 
David WoodhouseOpen Source Technology Centre
david.woodho...@intel.com  Intel Corporation



smime.p7s
Description: S/MIME cryptographic signature
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled

[Alexander Gostrer via RT]

Hi David,

I think that both your proposals will add vulnerabilities. With your
proposal I anticipate that many careless application developers will
disable the date checking forever. As a result, consumers will be blaming
openssl, not these developers.

Current solution for kernels and other firmware without a reliable RTC is
to issue certificates that are valid from 1969 to 2037. We will have a
Y2037 problem similar to Y2000 but this is a wide problem, much wider than
openssl can solve at the moment.

Regards,
Alex Gostrer


On Wed, Jul 22, 2015 at 6:09 AM, Woodhouse, David via RT r...@openssl.org
wrote:

 There are various circumstances in which it makes no sense to be
 checking the start and end times of a certificate's validity.

 When validating OS kernel drivers, or indeed when validating the OS
 kernel itself when the firmware loads it, we *really* don't want to
 have a built-in obsolescence date after which the system will no longer
 function. That would be a bad thing even if we *could* reliably trust
 the system's real time clock at this stage in the boot sequence.

 This patch gives us a way to disable the time checks entirely, by using
 X509_VERIFY_PARAM_set_time() with a time of -1.

 There is a slight risk here — if anyone was genuinely using the value
 of -1 to check if a certificate chain was indeed valid in the last
 second of 1969. I judge that risk to be negligible. And it certainly
 shouldn't be externally triggerable — if an attacker could influence
 the value passed to X509_VERIFY_PARAM_set_time() then all bets were off
 w.r.t. time-based checks anyway.

 If there are serious concerns, however, I can provide an alternative
 patch which adds an X509_V_FLAG_NO_CHECK_TIME flag for this purpose
 instead.

 I'm happy with anything except the existing version in the UEFI source
 tree that everyone is shipping, which just disables the time check if
 OPENSSL_SYS_UEFI is set¹. That one I *don't* like.

 --
 David WoodhouseOpen Source Technology Centre
 david.woodho...@intel.com  Intel Corporation

 ¹ http://git.infradead.org/users/dwmw2/openssl.git/commitdiff/2fb12afc2ceb

 ___
 openssl-bugs-mod mailing list
 openssl-bugs-...@openssl.org
 https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod
 ___
 openssl-dev mailing list
 To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev



___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled

[David Woodhouse]

On Wed, 2015-07-22 at 14:58 +, Victor Wagner via RT wrote:
 Isn't it better to check if certificate was valid at the time of
 signing?

Is there a benefit to that which would make it worth the additional
complexity?

 Typically compiler somehow puts compilation timestamp into compiled
 binaries. So, I think, this time should be used as argument to
 X509_VERIFY_PARAM_set_time instead of wall clock time.

For the UEFI build we try to avoid all non-repeatable things like that
being included in the binaries. I'm still worrying about how to
approach the patch at the end of the list¹ which removes all those
instances of __FILE__ and __LINE__... I have a vague recollection of
there being a discussion on this list about that, fairly recently, and
I need to go back and find it.

 Or, may be there is something like CMS signing attributes with 
 signing time.

Did I not send the patch which fixes the OPENSSL_NO_CMS build yet? :)


-- 
David WoodhouseOpen Source Technology Centre
david.woodho...@intel.com  Intel Corporation

¹ http://git.infradead.org/users/dwmw2/openssl.git/commitdiff/b599f07d

smime.p7s
Description: S/MIME cryptographic signature
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled

[Tim Hollebeek via RT]

The way this is supposed to work is by using a timestamp from a trusted 
timestamp server to show the certificate was valid at the time the code was 
signed.

See the following text from the draft code signing baseline requirements from 
the CA/Browser forum:

8.2.1: ... With the exception of revocation checking for time-stamped and 
expired Certificates, Platforms are expected to validate Code Signatures in 
accordance with RFC 5280 when first encountered. Subsequent signature 
validation MAY ignore revocation, especially if rejecting the Code will cause 
the device to fail to boot.  When a Platform encounters a Certificate that 
fails to validate due to revocation, the Platform should not permit the Code to 
execute.  When a Platform encounters a Certificate that fails to validate for 
reasons other than revocation, the Platform should treat the Code as unsigned.
Ordinarily, a Code Signature created by a Subscriber is only considered valid 
until expiration of the Certificate.  However, the “Timestamp” method and the 
“Signing Service” methods permit Code to remain valid for longer periods of 
time.
1.  Timestamp Method: In this method, the Subscriber signs the Code, 
appends its Code Signing Certificate and submits it to a Timestamp Authority to 
be time-stamped.  The resulting package can be considered valid after 
expiration of the Code Signing Certificate and expiration of the Timestamp 
Authority certificate if the timestamp is dated prior to the Certificate’s 
expiration date and any applicable revocation date.  (See Section 13.2.)
2.  Signing Service Method: In this method, the Subscriber uses the service 
to sign compiled code, binary, file, app, or similar object.  Alternatively, 
the service MAY sign a digest of the preceding objects.  The resulting Code 
Signature is valid up to the expiration time of the Signing Service’s Code 
Signing Certificate and any applicable revocation date, whichever comes first. 
Signing Services MAY also timestamp signed objects.

This is much better than simply ignoring all date validation.

-Tim

-Original Message-
From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf Of 
Woodhouse, David via RT
Sent: Wednesday, July 22, 2015 9:10 AM
Cc: openssl-dev@openssl.org
Subject: [openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time 
checks to be disabled

There are various circumstances in which it makes no sense to be checking the 
start and end times of a certificate's validity.

When validating OS kernel drivers, or indeed when validating the OS kernel 
itself when the firmware loads it, we *really* don't want to have a built-in 
obsolescence date after which the system will no longer function. That would be 
a bad thing even if we *could* reliably trust the system's real time clock at 
this stage in the boot sequence.

This patch gives us a way to disable the time checks entirely, by using
X509_VERIFY_PARAM_set_time() with a time of -1.

There is a slight risk here — if anyone was genuinely using the value of -1 to 
check if a certificate chain was indeed valid in the last second of 1969. I 
judge that risk to be negligible. And it certainly shouldn't be externally 
triggerable — if an attacker could influence the value passed to 
X509_VERIFY_PARAM_set_time() then all bets were off w.r.t. time-based checks 
anyway.

If there are serious concerns, however, I can provide an alternative patch 
which adds an X509_V_FLAG_NO_CHECK_TIME flag for this purpose instead.

I'm happy with anything except the existing version in the UEFI source tree 
that everyone is shipping, which just disables the time check if 
OPENSSL_SYS_UEFI is set¹. That one I *don't* like.

--
David WoodhouseOpen Source Technology Centre
david.woodho...@intel.com  Intel Corporation

¹ 
http://scanmail.trustwave.com/?c=4062d=w5av1VNIDJq7CuEBC-sOxIBHFHbcisoH_n4fAJKpMgs=5u=http%3a%2f%2fgit%2einfradead%2eorg%2fusers%2fdwmw2%2fopenssl%2egit%2fcommitdiff%2f2fb12afc2ceb



This transmission may contain information that is privileged, confidential, 
and/or exempt from disclosure under applicable law. If you are not the intended 
recipient, you are hereby notified that any disclosure, copying, distribution, 
or use of the information contained herein (including any reliance thereon) is 
strictly prohibited. If you received this transmission in error, please 
immediately contact the sender and destroy the material in its entirety, 
whether in electronic or hard copy format.

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled

[David Woodhouse]

On Wed, 2015-07-22 at 14:52 +, Tim Hollebeek wrote:
 The way this is supposed to work is by using a timestamp from a 
 trusted timestamp server to show the certificate was valid at the 
 time the code was signed.

That would be great. Unfortunately, if the UEFI firmware were suddenly
to start insisting upon that then a lot of operating systems would no
longer boot.

I don't think it's practical to add this requirement for secure boot at
this stage; the UEFI firmware will probably continue to just disable
the time check — even if it's a local patch as it is at the moment.

But I'm *trying* to eliminate those local patches, to make it easier to
keep OpenSSL up to date. It occurs to me that UEFI firmware might be
the *largest* deployment of OpenSSL, so it's unfortunate that the
patches it needs are out-of-tree :)

FWIW the Linux kernel also specifically avoids checking timestamps
altogether when validating signed modules.

-- 
David WoodhouseOpen Source Technology Centre
david.woodho...@intel.com  Intel Corporation


smime.p7s
Description: S/MIME cryptographic signature
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled

[David Woodhouse via RT]

On Wed, 2015-07-22 at 14:58 +, Victor Wagner via RT wrote:
 Isn't it better to check if certificate was valid at the time of
 signing?

Is there a benefit to that which would make it worth the additional
complexity?

 Typically compiler somehow puts compilation timestamp into compiled
 binaries. So, I think, this time should be used as argument to
 X509_VERIFY_PARAM_set_time instead of wall clock time.

For the UEFI build we try to avoid all non-repeatable things like that
being included in the binaries. I'm still worrying about how to
approach the patch at the end of the list¹ which removes all those
instances of __FILE__ and __LINE__... I have a vague recollection of
there being a discussion on this list about that, fairly recently, and
I need to go back and find it.

 Or, may be there is something like CMS signing attributes with 
 signing time.

Did I not send the patch which fixes the OPENSSL_NO_CMS build yet? :)


-- 
David WoodhouseOpen Source Technology Centre
david.woodho...@intel.com  Intel Corporation

¹ http://git.infradead.org/users/dwmw2/openssl.git/commitdiff/b599f07d


smime.p7s
Description: S/MIME cryptographic signature
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled

[Viktor Dukhovni]

On Wed, Jul 22, 2015 at 03:36:40PM +, David Woodhouse via RT wrote:

 FWIW the Linux kernel also specifically avoids checking timestamps
 altogether when validating signed modules.

You probably need a dedicated implementation of X509_verify_cert().
When dealing with data at rest (signed email, signed code, ...)
certificate expiration needs to be understood in the context of
time of signature, not time of verification.

Ideally (this generally works for email), the verifier initially
verifies the signed object before the expiration time of the
certificate and then caches this fact in some manner, so that
subsequent verification can ignore the certificate entirely, and
just check the the object has not changed since initially verified.

If caching results of initial verification is not an option, then
perhaps disabling expiration checks is a last-resort option.  There
are ways (with care) to do this via the verify callback, which can
be made to suppress *only* expiration errors and fail on all other
errors.

-- 
Viktor.
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled

[Kurt Roeckx]

On Wed, Jul 22, 2015 at 04:36:27PM +0100, David Woodhouse wrote:
 On Wed, 2015-07-22 at 14:52 +, Tim Hollebeek wrote:
  The way this is supposed to work is by using a timestamp from a 
  trusted timestamp server to show the certificate was valid at the 
  time the code was signed.
 
 That would be great. Unfortunately, if the UEFI firmware were suddenly
 to start insisting upon that then a lot of operating systems would no
 longer boot.

Which operating systems would that be?  As far as I know Windows 7
required this if you wanted to have your drivers stay valid for
longer than 2 years and Windows 10 just always requires it.  So I
would hope that they actually do this for all of their own
software.


Kurt

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled

[Kurt Roeckx]

On Wed, Jul 22, 2015 at 03:36:40PM +, David Woodhouse via RT wrote:
 
 FWIW the Linux kernel also specifically avoids checking timestamps
 altogether when validating signed modules.

What do you mean wit timestamps?  The trusted timestamp, or the
validity period?

Any idea why they don't check it?  They're not sure about the time
or something at the moment it's checked?


Kurt

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled

[Kurt Roeckx via RT]

On Wed, Jul 22, 2015 at 04:36:27PM +0100, David Woodhouse wrote:
 On Wed, 2015-07-22 at 14:52 +, Tim Hollebeek wrote:
  The way this is supposed to work is by using a timestamp from a 
  trusted timestamp server to show the certificate was valid at the 
  time the code was signed.
 
 That would be great. Unfortunately, if the UEFI firmware were suddenly
 to start insisting upon that then a lot of operating systems would no
 longer boot.

Which operating systems would that be?  As far as I know Windows 7
required this if you wanted to have your drivers stay valid for
longer than 2 years and Windows 10 just always requires it.  So I
would hope that they actually do this for all of their own
software.


Kurt


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled

[Alexander Gostrer]

Maybe it is the time to introduce the 64-bit UNIX time? Anything else looks
like a patch.

Regards,
Alex.

On Wed, Jul 22, 2015 at 2:34 PM, David Woodhouse dw...@infradead.org
wrote:

 On Wed, 2015-07-22 at 23:29 +0200, Kurt Roeckx wrote:
  On Wed, Jul 22, 2015 at 09:56:24PM +0100, David Woodhouse wrote:
  
   The more I look at this 'signed timestamp' scheme, the more pointless
   it seems in this situation. We basically don't *care* about the wall
   -clock time, *and* we don't really know it. If we're going to trust
   anyone to say   was the time at which the signature was
   generated, then we might as well forget the whole nonsense about an
   expiry time and just trust that same third party to provide a
   signature... or not.
 
  The whole point of this signed timestamp is that the signature
  doesn't expire and that you don't have to care about the wall
  clock.

 ... which is much more simply achieved by just not caring about the
 validity times of the certificate in the first place.

 --
 dwmw2

 ___
 openssl-dev mailing list
 To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled

[David Woodhouse]

On Wed, 2015-07-22 at 22:42 +0200, Kurt Roeckx wrote:
 On Wed, Jul 22, 2015 at 03:36:40PM +, David Woodhouse via RT 
 wrote:
  
  FWIW the Linux kernel also specifically avoids checking timestamps
  altogether when validating signed modules.
 
 What do you mean wit timestamps?  The trusted timestamp, or the
 validity period?
 
 Any idea why they don't check it?  They're not sure about the time
 or something at the moment it's checked?

It's running on a computer. Of course they're not sure about the time.

If after a CMOS battery failure you cannot boot the system in order to
log into it and correct the time, because the firmware refuses to load
the OS kernel or because the OS kernel refuses to load its disk driver,
then there is something very wrong with the design.

And if your system is designed to suddenly stop booting in 2037 for no
better reason than the fact that *some* systems had bugs which made it
seem simpler to set that as the expiry date for a cert even though we
didn't really want it to expire *ever*, that's kind of broken too.

The more I look at this 'signed timestamp' scheme, the more pointless
it seems in this situation. We basically don't *care* about the wall
-clock time, *and* we don't really know it. If we're going to trust
anyone to say  THIS was the time at which the signature was
generated, then we might as well forget the whole nonsense about an
expiry time and just trust that same third party to provide a
signature... or not.

-- 
dwmw2


smime.p7s
Description: S/MIME cryptographic signature
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled

[David Woodhouse]

On Wed, 2015-07-22 at 22:40 +0200, Kurt Roeckx wrote:
 On Wed, Jul 22, 2015 at 04:36:27PM +0100, David Woodhouse wrote:
  On Wed, 2015-07-22 at 14:52 +, Tim Hollebeek wrote:
   The way this is supposed to work is by using a timestamp from a 
   trusted timestamp server to show the certificate was valid at the 
   
   time the code was signed.
  
  That would be great. Unfortunately, if the UEFI firmware were 
  suddenly
  to start insisting upon that then a lot of operating systems would 
  no
  longer boot.
 
 Which operating systems would that be?  As far as I know Windows 7
 required this if you wanted to have your drivers stay valid for
 longer than 2 years and Windows 10 just always requires it.  So I
 would hope that they actually do this for all of their own
 software.

Perhaps they do, although the UEFI bootloader they use is a somewhat
different beast.

But there are plenty of other OS bootloeders which are signed for
so-called secure boot, other than Microsoft's. And I would be utterly
shocked if they all have trusted timestamps, given that the UEFI
firmware in all current machines does not require such.

-- 
dwmw2


smime.p7s
Description: S/MIME cryptographic signature
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled

[David Woodhouse via RT]

On Wed, 2015-07-22 at 22:40 +0200, Kurt Roeckx wrote:
 On Wed, Jul 22, 2015 at 04:36:27PM +0100, David Woodhouse wrote:
  On Wed, 2015-07-22 at 14:52 +, Tim Hollebeek wrote:
   The way this is supposed to work is by using a timestamp from a 
   trusted timestamp server to show the certificate was valid at the 
   
   time the code was signed.
  
  That would be great. Unfortunately, if the UEFI firmware were 
  suddenly
  to start insisting upon that then a lot of operating systems would 
  no
  longer boot.
 
 Which operating systems would that be?  As far as I know Windows 7
 required this if you wanted to have your drivers stay valid for
 longer than 2 years and Windows 10 just always requires it.  So I
 would hope that they actually do this for all of their own
 software.

Perhaps they do, although the UEFI bootloader they use is a somewhat
different beast.

But there are plenty of other OS bootloeders which are signed for
so-called secure boot, other than Microsoft's. And I would be utterly
shocked if they all have trusted timestamps, given that the UEFI
firmware in all current machines does not require such.

-- 
dwmw2



smime.p7s
Description: S/MIME cryptographic signature
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled

[David Woodhouse]

On Wed, 2015-07-22 at 23:29 +0200, Kurt Roeckx wrote:
 On Wed, Jul 22, 2015 at 09:56:24PM +0100, David Woodhouse wrote:
  
  The more I look at this 'signed timestamp' scheme, the more pointless
  it seems in this situation. We basically don't *care* about the wall
  -clock time, *and* we don't really know it. If we're going to trust
  anyone to say   was the time at which the signature was
  generated, then we might as well forget the whole nonsense about an
  expiry time and just trust that same third party to provide a
  signature... or not.
 
 The whole point of this signed timestamp is that the signature
 doesn't expire and that you don't have to care about the wall
 clock.

... which is much more simply achieved by just not caring about the
validity times of the certificate in the first place.

-- 
dwmw2


smime.p7s
Description: S/MIME cryptographic signature
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled

[David Woodhouse]

On Thu, 2015-07-23 at 00:29 +0200, Kurt Roeckx wrote:
 On Wed, Jul 22, 2015 at 10:34:53PM +0100, David Woodhouse wrote:
  On Wed, 2015-07-22 at 23:29 +0200, Kurt Roeckx wrote:
   On Wed, Jul 22, 2015 at 09:56:24PM +0100, David Woodhouse wrote:
   
   The whole point of this signed timestamp is that the signature
   doesn't expire and that you don't have to care about the wall
   clock.
  
  ... which is much more simply achieved by just not caring about the
  validity times of the certificate in the first place.
 
 In case of a timestamp you can reduce the check to verify that the
 timestamp was in the validity period of the certificate.

Yes. You can. But it's still pointless complexity in a use case where
*every* valid signature would need a corresponding timestamp to ensure
its validity.

I can kind of understand why we might want the timestamp scheme in
circumstances where *some* signatures should be infinitely valid, and
others not.

But in the case where *all* signatures should be infinitely valid, it
just seems entirely gratuitous.

And retrofitting it into a model where the validity is *already* not
being checked is a inviting a whole bunch of breakage for precisely
zero benefit.

-- 
dwmw2


smime.p7s
Description: S/MIME cryptographic signature
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled

[David Woodhouse]

On Wed, 2015-07-22 at 15:02 -0700, Alexander Gostrer wrote:
 Maybe it is the time to introduce the 64-bit UNIX time? Anything else 
 looks like a patch.

Theoretically, we can already encode notAfter values as a
GeneralizedTime of up to 1231235959Z (i.e. Y10K) in an X.509
certificate.

The limitation is purely an implementation issue — not only is it a
fairly safe bet that a lot of software will crap itself on seeing a
GeneralizedTime at all (since for dates before we MUST use UTCTime
instead), but a lot of 32-bit implementations are known to break even
for UTCTime values later than 2038.

So certificates which do this are just not going to interoperate very
well at all.

-- 
dwmw2


smime.p7s
Description: S/MIME cryptographic signature
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled

[Kurt Roeckx]

On Wed, Jul 22, 2015 at 09:56:24PM +0100, David Woodhouse wrote:
 
 The more I look at this 'signed timestamp' scheme, the more pointless
 it seems in this situation. We basically don't *care* about the wall
 -clock time, *and* we don't really know it. If we're going to trust
 anyone to say  THIS was the time at which the signature was
 generated, then we might as well forget the whole nonsense about an
 expiry time and just trust that same third party to provide a
 signature... or not.

The whole point of this signed timestamp is that the signature
doesn't expire and that you don't have to care about the wall
clock.


Kurt

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled

[Kurt Roeckx]

On Wed, Jul 22, 2015 at 10:34:53PM +0100, David Woodhouse wrote:
 On Wed, 2015-07-22 at 23:29 +0200, Kurt Roeckx wrote:
  On Wed, Jul 22, 2015 at 09:56:24PM +0100, David Woodhouse wrote:
  
  The whole point of this signed timestamp is that the signature
  doesn't expire and that you don't have to care about the wall
  clock.
 
 ... which is much more simply achieved by just not caring about the
 validity times of the certificate in the first place.

In case of a timestamp you can reduce the check to verify that the
timestamp was in the validity period of the certificate.


Kurt

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled

[Victor Wagner via RT]

On Wed, 22 Jul 2015 13:09:48 +
Woodhouse, David via RT r...@openssl.org wrote:

 There are various circumstances in which it makes no sense to be
 checking the start and end times of a certificate's validity.
 
 When validating OS kernel drivers, or indeed when validating the OS
 kernel itself when the firmware loads it, we *really* don't want to
 have a built-in obsolescence date after which the system will no
 longer function. That would be a bad thing even if we *could*
 reliably trust the system's real time clock at this stage in the boot
 sequence.

Isn't it better to check if certificate was valid at the time of
signing?

Typically compiler somehow puts compilation timestamp into compiled
binaries. So, I think, this time should be used as argument to
X509_VERIFY_PARAM_set_time instead of wall clock time.

Or, may be there is something like CMS signing attributes with signing
time.
s


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev