RE: FW: X509_verify_cert() rejects all trusted certs with "default" X509_VERIFY_PARAM

2021-06-01 Thread Michael Wojcik 
> From: openssl-users  On Behalf Of Jakob
> Bohm via openssl-users
> Sent: Tuesday, 1 June, 2021 09:58
>
> There is a very common extension to the validation of X.509
> certificates (which should ideally be available as an option
> parameter to OpenSSL validation APIs): The EKU in a CA:True
> certificate limits the end cert EKU values that are acceptable.
> The rule is NOT applied to ocspSigning due to a conflict with
> that EKU authorizing the CA public key to sign OCSP responses
> for the parent CA.
>
> For example a CA with EKU=emailProtection,clientAuth cannot be
> used to issue valid EKU=serverAuth certificates, however it can
> still issue a delegated EKU=ocspSigning delegated OCSP signing
> certificate.
>
> In this filtering anyExtendedKeyUsage acts as a wildcard
> indicating a universal CA, and   In practice, the complete
> absence of the EKU extension acts as an equivalent wildcard.

Makes sense. It would be nice if this were standardized as an update to RFC 
5280.

> The OpenSSL 3 code discussed, as described by Graham, appears
> to incorrectly apply the wildcard check without ORing it with
> the normal check for inclusion of the usage for which the chain
> is built and validated.  (I recommend that where such filtering
> is done, it is part of chain building as different chains may
> succeed for different usages).

Yeah, I suspected that, but I wanted to see if other people more familiar with 
this area of the code were going to comment.

> The CAB/F "guidelines" tend to include arbitrary restrictions above and
> beyond what good X.509 software libraries should do, such as limiting
> validity to 1 year, requiring end certificate holders to be magically
> able to respond to sudden revocations for bureaucratic reasons etc.  Or
> as quoted by Michael, a rule that all roots must be universal roots with
> the no-EKU implicit wildcard.

Agreed. I refer our customers to the CA/BF Basic Requirements when they're 
dealing with browsers and mainstream web servers -- since those programs are 
often written to follow the CA/BF rules -- but try to make it clear that the 
CA/BF doesn't control PKIX.

--
Michael Wojcik

Re: FW: X509_verify_cert() rejects all trusted certs with "default" X509_VERIFY_PARAM

2021-06-01 Thread Jakob Bohm via openssl-users 

On 2021-05-28 22:50, Michael Wojcik wrote:


Just realized I sent this directly to Graham instead of to the list.

-Original Message-
From: Michael Wojcik
Sent: Friday, 28 May, 2021 09:37
To: 'Graham Leggett' 
Subject: RE: X509_verify_cert() rejects all trusted certs with "default" 
X509_VERIFY_PARAM


From: openssl-users  On Behalf Of Graham
Leggett via openssl-users
Sent: Friday, 28 May, 2021 06:30

I am lost - I can fully understand what the code is doing, but I can’t see
why openssl only trusts certs with “anyExtendedKeyUsage”.

Interesting. I wondered if this might be enforcing some RFC 5280 or CA / 
Browser Forum Baseline Requirements rule.

5280 4.2.1.12 says:

In general, this
extension will appear only in end entity certificates.

and

If the extension is present, then the certificate MUST only be used
for one of the purposes indicated.

Your certificate has serverAuth and emailProtection, yes? So it cannot be used to sign 
other certificates, and OpenSSL is correct as far as that goes. 5280 doesn't define an 
EKU for signing certificates; so perhaps the intent of the OpenSSL code is "if EKU 
is present, this probably can't be used as a CA cert without violating 5280, but I'll 
look for this 'any' usage just in case and allow that".

The errata for 5280 and the RFCs which update it do not appear to affect this 
section.

There is a very common extension to the validation of X.509
certificates (which should ideally be available as an option
parameter to OpenSSL validation APIs): The EKU in a CA:True
certificate limits the end cert EKU values that are acceptable.
The rule is NOT applied to ocspSigning due to a conflict with
that EKU authorizing the CA public key to sign OCSP responses
for the parent CA.

For example a CA with EKU=emailProtection,clientAuth cannot be
used to issue valid EKU=serverAuth certificates, however it can
still issue a delegated EKU=ocspSigning delegated OCSP signing
certificate.

In this filtering anyExtendedKeyUsage acts as a wildcard
indicating a universal CA, and   In practice, the complete
absence of the EKU extension acts as an equivalent wildcard.

The OpenSSL 3 code discussed, as described by Graham, appears
to incorrectly apply the wildcard check without ORing it with
the normal check for inclusion of the usage for which the chain
is built and validated.  (I recommend that where such filtering
is done, it is part of chain building as different chains may
succeed for different usages).


The CA/BF BR 7.1.2.1, the part of the certificate profile that covers root 
certificates, says:

d. extKeyUsage
   This extension MUST NOT be present.

Now, there's no particular reason for OpenSSL to enforce CA/BF BR, and good reason for it 
not to (the "CA" part refers to commercial CAs, and not all clients are 
browsers). But it's more evidence that root certificates, at least, should not have 
extKeyUsage because browsers can correctly reject those.

The CA/BF profile is more complicated regarding what it calls "subordinate" certificates, 
aka intermediates, so for non-root trust anchors there are cases where you can get away with 
extKeyUsage. But a good rule is "only put extKeyUsage on entity [leaf] certificates".


So that really leaves us with the question "do we want OpenSSL enforcing the 
extKeyUsage rules of RFC 5280?". And I'm tempted to say yes. In principle, the 
basicConstraints CA flag and the keyUsage keyCertSign option should suffice for this, but 
defense in depth, and in cryptographic protocols consistency is extremely important.

The CAB/F "guidelines" tend to include arbitrary restrictions above and 
beyond what good X.509 software libraries should do, such as limiting 
validity to 1 year, requiring end certificate holders to be magically 
able to respond to sudden revocations for bureaucratic reasons etc.  Or 
as quoted by Michael, a rule that all roots must be universal roots with 
the no-EKU implicit wildcard.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

ODP: CSR creation using pkcs11 dynamic engine

2021-06-01 Thread Piotr Lobacz 
Ok i have written printf in src/p11_rsa.c to check if i'm entering the 
RSA_set_flags callback and yes i am. Printf is being displayed but i still got 
this error, which shouldn't be any more.

Od: openssl-users  w imieniu użytkownika 
Piotr Lobacz 
Wysłane: wtorek, 1 czerwca 2021 17:36
Do: Selva Nair 
DW: openssl-users@openssl.org 
Temat: ODP: CSR creation using pkcs11 dynamic engine

Sorry my bad i was checking bad position in the file...

Od: openssl-users  w imieniu użytkownika 
Piotr Lobacz 
Wysłane: wtorek, 1 czerwca 2021 17:34
Do: Selva Nair 
DW: openssl-users@openssl.org 
Temat: ODP: CSR creation using pkcs11 dynamic engine

Ok not fixed in 0.4.11 it is fixed in master branch... i need to build it from 
master.

Od: openssl-users  w imieniu użytkownika 
Piotr Lobacz 
Wysłane: wtorek, 1 czerwca 2021 17:18
Do: Selva Nair 
DW: openssl-users@openssl.org 
Temat: ODP: CSR creation using pkcs11 dynamic engine

Hi Selva,
btw. i have found one issue in libp11 package 
https://github.com/OpenSC/libp11/issues/304 and i have used 0.4.10 i will check 
firstly with 0.4.11 and give you answer.

BR
Piotr

Od: Selva Nair 
Wysłane: wtorek, 1 czerwca 2021 17:15
Do: Piotr Lobacz 
DW: openssl-users@openssl.org 
Temat: Re: CSR creation using pkcs11 dynamic engine

Hi Piotr,

On Tue, Jun 1, 2021 at 10:57 AM Piotr Lobacz 
mailto:piotr.lob...@softgent.com>> wrote:
Hi,
i have managed to find the engine method static EVP_PKEY *load_privkey(ENGINE 
*engine, const char *s_key_id, UI_METHOD *ui_method, void *callback_data) in 
libp11 package. I have also made a printf callback and i see the output that 
method is being called, but the problem is that i think i need to set this flag 
RSA_FLAG_EXT_PKEY in EVP_PKEY object which i don't know how to do is it even 
possible?

The flag on the key is always set by libp11 (look for RSA_set_key in 
p11_rsa.c). What it doesn't set is any flags on the method -- which you wanted 
to satisfy dotnet. For testing you could add it -- look for 
PKCS11_get_rsa_method in the same file.

Selva
[https://softgent.com/wp-content/uploads/2020/01/Zasob-14.png]

Softgent Sp. z o.o., Budowlanych 31d, 80-298 Gdansk, POLAND

KRS: 674406, NIP: 9581679801, REGON: 367090912

www.softgent.com

Sąd Rejonowy Gdańsk-Północ w Gdańsku, VII Wydział Gospodarczy Krajowego 
Rejestru Sądowego

KRS 674406, Kapitał zakładowy: 25 000,00 zł wpłacony w całości.

ODP: CSR creation using pkcs11 dynamic engine

2021-06-01 Thread Piotr Lobacz 
Sorry my bad i was checking bad position in the file...

Od: openssl-users  w imieniu użytkownika 
Piotr Lobacz 
Wysłane: wtorek, 1 czerwca 2021 17:34
Do: Selva Nair 
DW: openssl-users@openssl.org 
Temat: ODP: CSR creation using pkcs11 dynamic engine

Ok not fixed in 0.4.11 it is fixed in master branch... i need to build it from 
master.

Od: openssl-users  w imieniu użytkownika 
Piotr Lobacz 
Wysłane: wtorek, 1 czerwca 2021 17:18
Do: Selva Nair 
DW: openssl-users@openssl.org 
Temat: ODP: CSR creation using pkcs11 dynamic engine

Hi Selva,
btw. i have found one issue in libp11 package 
https://github.com/OpenSC/libp11/issues/304 and i have used 0.4.10 i will check 
firstly with 0.4.11 and give you answer.

BR
Piotr

Od: Selva Nair 
Wysłane: wtorek, 1 czerwca 2021 17:15
Do: Piotr Lobacz 
DW: openssl-users@openssl.org 
Temat: Re: CSR creation using pkcs11 dynamic engine

Hi Piotr,

On Tue, Jun 1, 2021 at 10:57 AM Piotr Lobacz 
mailto:piotr.lob...@softgent.com>> wrote:
Hi,
i have managed to find the engine method static EVP_PKEY *load_privkey(ENGINE 
*engine, const char *s_key_id, UI_METHOD *ui_method, void *callback_data) in 
libp11 package. I have also made a printf callback and i see the output that 
method is being called, but the problem is that i think i need to set this flag 
RSA_FLAG_EXT_PKEY in EVP_PKEY object which i don't know how to do is it even 
possible?

The flag on the key is always set by libp11 (look for RSA_set_key in 
p11_rsa.c). What it doesn't set is any flags on the method -- which you wanted 
to satisfy dotnet. For testing you could add it -- look for 
PKCS11_get_rsa_method in the same file.

Selva
[https://softgent.com/wp-content/uploads/2020/01/Zasob-14.png]

Softgent Sp. z o.o., Budowlanych 31d, 80-298 Gdansk, POLAND

KRS: 674406, NIP: 9581679801, REGON: 367090912

www.softgent.com

Sąd Rejonowy Gdańsk-Północ w Gdańsku, VII Wydział Gospodarczy Krajowego 
Rejestru Sądowego

KRS 674406, Kapitał zakładowy: 25 000,00 zł wpłacony w całości.

ODP: CSR creation using pkcs11 dynamic engine

2021-06-01 Thread Piotr Lobacz 
Ok not fixed in 0.4.11 it is fixed in master branch... i need to build it from 
master.

Od: openssl-users  w imieniu użytkownika 
Piotr Lobacz 
Wysłane: wtorek, 1 czerwca 2021 17:18
Do: Selva Nair 
DW: openssl-users@openssl.org 
Temat: ODP: CSR creation using pkcs11 dynamic engine

Hi Selva,
btw. i have found one issue in libp11 package 
https://github.com/OpenSC/libp11/issues/304 and i have used 0.4.10 i will check 
firstly with 0.4.11 and give you answer.

BR
Piotr

Od: Selva Nair 
Wysłane: wtorek, 1 czerwca 2021 17:15
Do: Piotr Lobacz 
DW: openssl-users@openssl.org 
Temat: Re: CSR creation using pkcs11 dynamic engine

Hi Piotr,

On Tue, Jun 1, 2021 at 10:57 AM Piotr Lobacz 
mailto:piotr.lob...@softgent.com>> wrote:
Hi,
i have managed to find the engine method static EVP_PKEY *load_privkey(ENGINE 
*engine, const char *s_key_id, UI_METHOD *ui_method, void *callback_data) in 
libp11 package. I have also made a printf callback and i see the output that 
method is being called, but the problem is that i think i need to set this flag 
RSA_FLAG_EXT_PKEY in EVP_PKEY object which i don't know how to do is it even 
possible?

The flag on the key is always set by libp11 (look for RSA_set_key in 
p11_rsa.c). What it doesn't set is any flags on the method -- which you wanted 
to satisfy dotnet. For testing you could add it -- look for 
PKCS11_get_rsa_method in the same file.

Selva
[https://softgent.com/wp-content/uploads/2020/01/Zasob-14.png]

Softgent Sp. z o.o., Budowlanych 31d, 80-298 Gdansk, POLAND

KRS: 674406, NIP: 9581679801, REGON: 367090912

www.softgent.com

Sąd Rejonowy Gdańsk-Północ w Gdańsku, VII Wydział Gospodarczy Krajowego 
Rejestru Sądowego

KRS 674406, Kapitał zakładowy: 25 000,00 zł wpłacony w całości.

ODP: CSR creation using pkcs11 dynamic engine

2021-06-01 Thread Piotr Lobacz 
Hi Selva,
btw. i have found one issue in libp11 package 
https://github.com/OpenSC/libp11/issues/304 and i have used 0.4.10 i will check 
firstly with 0.4.11 and give you answer.

BR
Piotr

Od: Selva Nair 
Wysłane: wtorek, 1 czerwca 2021 17:15
Do: Piotr Lobacz 
DW: openssl-users@openssl.org 
Temat: Re: CSR creation using pkcs11 dynamic engine

Hi Piotr,

On Tue, Jun 1, 2021 at 10:57 AM Piotr Lobacz 
mailto:piotr.lob...@softgent.com>> wrote:
Hi,
i have managed to find the engine method static EVP_PKEY *load_privkey(ENGINE 
*engine, const char *s_key_id, UI_METHOD *ui_method, void *callback_data) in 
libp11 package. I have also made a printf callback and i see the output that 
method is being called, but the problem is that i think i need to set this flag 
RSA_FLAG_EXT_PKEY in EVP_PKEY object which i don't know how to do is it even 
possible?

The flag on the key is always set by libp11 (look for RSA_set_key in 
p11_rsa.c). What it doesn't set is any flags on the method -- which you wanted 
to satisfy dotnet. For testing you could add it -- look for 
PKCS11_get_rsa_method in the same file.

Selva
[https://softgent.com/wp-content/uploads/2020/01/Zasob-14.png]

Softgent Sp. z o.o., Budowlanych 31d, 80-298 Gdansk, POLAND

KRS: 674406, NIP: 9581679801, REGON: 367090912

www.softgent.com

Sąd Rejonowy Gdańsk-Północ w Gdańsku, VII Wydział Gospodarczy Krajowego 
Rejestru Sądowego

KRS 674406, Kapitał zakładowy: 25 000,00 zł wpłacony w całości.

Re: CSR creation using pkcs11 dynamic engine

2021-06-01 Thread Selva Nair 
On Tue, Jun 1, 2021 at 11:15 AM Selva Nair  wrote:
>
> Hi Piotr,
>
> On Tue, Jun 1, 2021 at 10:57 AM Piotr Lobacz  
> wrote:
>>
>> Hi,
>> i have managed to find the engine method static EVP_PKEY 
>> *load_privkey(ENGINE *engine, const char *s_key_id, UI_METHOD *ui_method, 
>> void *callback_data) in libp11 package. I have also made a printf callback 
>> and i see the output that method is being called, but the problem is that i 
>> think i need to set this flag RSA_FLAG_EXT_PKEY in EVP_PKEY object which i 
>> don't know how to do is it even possible?
>
>
> The flag on the key is always set by libp11 (look for RSA_set_key in 
> p11_rsa.c).

Read that as RSA_set_flags, not RSA_set_key

selva

Re: CSR creation using pkcs11 dynamic engine

2021-06-01 Thread Selva Nair 
Hi Piotr,

On Tue, Jun 1, 2021 at 10:57 AM Piotr Lobacz 
wrote:

> Hi,
> i have managed to find the engine method static EVP_PKEY
> *load_privkey(ENGINE *engine, const char *s_key_id, UI_METHOD *ui_method,
> void *callback_data) in libp11 package. I have also made a printf callback
> and i see the output that method is being called, but the problem is that i
> think i need to set this flag RSA_FLAG_EXT_PKEY in EVP_PKEY object which
> i don't know how to do is it even possible?
>

The flag on the key is always set by libp11 (look for RSA_set_key in
p11_rsa.c). What it doesn't set is any flags on the method -- which you
wanted to satisfy dotnet. For testing you could add it -- look for
PKCS11_get_rsa_method in the same file.

Selva

ODP: CSR creation using pkcs11 dynamic engine

2021-06-01 Thread Piotr Lobacz 
Hi,
i have managed to find the engine method static EVP_PKEY *load_privkey(ENGINE 
*engine, const char *s_key_id, UI_METHOD *ui_method, void *callback_data) in 
libp11 package. I have also made a printf callback and i see the output that 
method is being called, but the problem is that i think i need to set this flag 
RSA_FLAG_EXT_PKEY in EVP_PKEY object which i don't know how to do is it even 
possible?

BR
Piotr Łobacz

Od: openssl-users  w imieniu użytkownika 
Piotr Lobacz 
Wysłane: sobota, 29 maja 2021 20:12
Do: Selva Nair 
DW: openssl-users@openssl.org 
Temat: ODP: CSR creation using pkcs11 dynamic engine

Hi, unfortunately that is not that simple :( These methods are not being 
exposed by the dotnet. Porting them would take to much time because of the 
method struct. Recompiling the whole dotnet sdk is also not an option.

You know, i've been reading your mail and keep thinking and for now i see that 
the fastest way is to simply modify libp11 proxy engine in EVP_load_private_key 
method. First i can verify there the EVP_test_flag on the key and second modify 
the engine flags. This way i will be 100% sure that the problem is on dotnet 
side. Because when i was testing this key on the token i was generating 1024 
bit length key and written it's length to the console. Than i have erased it 
completly and generated a new key pair with modified key length to 2048. The 
output result was changed: 1024 -> 2048. So the conclusion was that the key i 
taken correclty.

I will check this on monday and keep you inform. Have a nice weekend.

BR
Piotr

Od: Selva Nair 
Wysłane: sobota, 29 maja 2021 03:34
Do: Piotr Lobacz 
Temat: Re: CSR creation using pkcs11 dynamic engine

Hi,

I will also check these flags of my RSA object using RSA_test_flags and give 
you the answer. In the meantime as you have already told, the experts in here 
can share their knowledge, but i rather suspect that all you said is correct :] 
and the bug is in the dotnet implementation...

You could probably work around it by getting the method from the key using meth 
= RSA_get_method(rsa) and then setting the flag on the method using 
RSA_meth_set_flags(meth, flags). May not be a nice thing to do to a method 
owned by the engine, but should work if those API are exposed via dotnet.

If this is indeed the problem, you could try lobbying two places: dotnet devs 
to add a check for flags in the key, and libp11/pkcs11 engine devs to also set 
the flags on the method. One of them may oblige, depending on their thoughts on 
what is "right".

Selva
[https://softgent.com/wp-content/uploads/2020/01/Zasob-14.png]

Softgent Sp. z o.o., Budowlanych 31d, 80-298 Gdansk, POLAND

KRS: 674406, NIP: 9581679801, REGON: 367090912

www.softgent.com

Sąd Rejonowy Gdańsk-Północ w Gdańsku, VII Wydział Gospodarczy Krajowego 
Rejestru Sądowego

KRS 674406, Kapitał zakładowy: 25 000,00 zł wpłacony w całości.