Chain of trust issues with a single CA certificate #1546

Closed
ruffsl opened this issue Jan 23, 2023 · 0 comments · Fixed by #1552
ruffsl commented Jan 23, 2023

I'll quote the same succinctly put issue filed over for OpenDDS here:

OpenDDS/OpenDDS#3992 (comment)

Problem

Assume a usage of DDS Security where the same CA is used for both permissions and identity. The certificates issued to participants allow them to sign documents. Assume the participant generates a permissions file and then signs it. Chain verification causes verification attempts to succeed since the signing certificate, i.e., the participant's certificate, can be chained back to the permission CA's certificate (which is also the identity CA).

This problem was identified in ros2/sros2#282.

Solution

Implement the suggestion in ros2/sros2#282. Specifically, use PKCS7_NOINTERN to not accept any signatures in the signed document. This, in turn, requires the use of the certs parameter to PKCS7_verify. PKCS7_NOVERIFY is used since the permissions CA certificate will not be chain verified.

Example call site for reference:

if (PKCS7_verify(p7, NULL, store, inbio, *outbio, PKCS7_TEXT) != 1)
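
Added example, not part of the original issue or of the Cyclone DDS code: a regression check that contrasts chain verification with the pinned verification described above, using the `openssl smime` command, whose `-nointern`, `-noverify` and `-certfile` options correspond to `PKCS7_NOINTERN`, `PKCS7_NOVERIFY` and the `certs` argument of `PKCS7_verify`. The PKI, file names, subjects and function names are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed demo PKI: one CA acts as both identity and permissions CA.
# All file names, subjects and function names here are hypothetical.
make_pki() {  # $1 = scratch directory
  cd "$1" || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj "/CN=Demo CA" -days 1 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -keyout part.key -out part.csr \
    -subj "/CN=demo participant" 2>/dev/null &&
  openssl x509 -req -in part.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out part.pem -days 1 2>/dev/null &&
  printf '<dds><permissions/></dds>\n' > permissions.xml  # constructed content
}

sign_permissions() {  # $1 = signer cert, $2 = signer key, $3 = output file
  openssl smime -sign -text -in permissions.xml -signer "$1" -inkey "$2" \
    -out "$3" 2>/dev/null
}

# Chain verification, like the call site quoted in the issue: a signer
# certificate embedded in the document is accepted if it chains to the CA.
verify_chain() {  # $1 = signed document
  openssl smime -verify -text -in "$1" -CAfile ca.pem -out /dev/null 2>/dev/null
}

# Pinned verification: ignore embedded certificates (-nointern), look for the
# signer only in the supplied CA certificate (-certfile), skip chain building
# (-noverify). Only a signature made by the CA key itself can pass.
verify_pinned() {  # $1 = signed document
  openssl smime -verify -text -nointern -noverify -certfile ca.pem \
    -in "$1" -out /dev/null 2>/dev/null
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_pki "$work"
sign_permissions ca.pem ca.key ca_signed.p7s        # legitimate document
sign_permissions part.pem part.key self_signed.p7s  # signed by a participant

for f in ca_signed.p7s self_signed.p7s; do
  verify_chain "$f" && c=accept || c=reject
  verify_pinned "$f" && p=accept || p=reject
  echo "$f: chain=$c pinned=$p"
done
```

Because `-noverify` skips all certificate checks, the validity of the pinned CA certificate itself has to be checked separately if it matters.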

jpace121 pushed a commit to jpace121/cyclonedds that referenced this issue Jan 27, 2023
As stated in: OpenDDS/OpenDDS#3992 (comment)

"Implement the suggestion in ros2/sros2#282.
Specifically, use PKCS7_NOINTERN to not accept any signatures in the signed document.
This, in turn, requires the use of the certs parameter to PKCS7_verify.
PKCS7_NOVERIFY is used since the permissions CA certificate will not be chain verified."

Fixes: eclipse-cyclonedds#1546
Related to: ros2/sros2#282

Signed-off-by: James Pace <[email protected]>
eboasson pushed a commit that referenced this issue Feb 2, 2023
As stated in: OpenDDS/OpenDDS#3992 (comment)

"Implement the suggestion in ros2/sros2#282.
Specifically, use PKCS7_NOINTERN to not accept any signatures in the signed document.
This, in turn, requires the use of the certs parameter to PKCS7_verify.
PKCS7_NOVERIFY is used since the permissions CA certificate will not be chain verified."

Fixes: #1546
Related to: ros2/sros2#282

Signed-off-by: James Pace <[email protected]>
dpotman pushed a commit to dpotman/cyclonedds that referenced this issue Feb 23, 2023
As stated in: OpenDDS/OpenDDS#3992 (comment)

"Implement the suggestion in ros2/sros2#282.
Specifically, use PKCS7_NOINTERN to not accept any signatures in the signed document.
This, in turn, requires the use of the certs parameter to PKCS7_verify.
PKCS7_NOVERIFY is used since the permissions CA certificate will not be chain verified."

Fixes: eclipse-cyclonedds#1546
Related to: ros2/sros2#282

Signed-off-by: James Pace <[email protected]>