search

hynek / pem

PEM file parsing in Python.
https://pem.readthedocs.io/
MIT License
156 stars 37 forks source link

No support for trusted certificate #28

Closed tiran closed 3 years ago

tiran commented 7 years ago

OpenSSL has a feature called trusted certificate, see https://www.openssl.org/docs/man1.0.2/apps/x509.html . It's a X.509 certificate with additional auxiliary data. A trusted certificate is enclosed in BEGIN TRUSTED CERTIFICATE / END TRUSTED CERTIFICATE. I suggest that you treat it like a subclass of certificate.

hynek commented 7 years ago

Would you like to start a promising career in open source and provide a PR? :D

hynek commented 6 years ago

Bump 😇

hynek commented 5 years ago

Could you provide me with a valid example of such a file?

adiroiban commented 3 years ago

For reference.

To generate a trusted cert 

$ openssl x509 -in path/regular/ca-cert.pem -trustout
-----BEGIN TRUSTED CERTIFICATE-----
MIICTDCCAbWgAwIBAgIBATANBgkqhkiG9w0BAQUFADBGMQswCQYDVQQGEwJHQjEP

EXACT SAME CONTENT AS NORMAL BEGIN CERTIFICATE

JtNIblnr7VTXcOiB15uakQ==
-----END TRUSTED CERTIFICATE-----

I guess it can be represented as

class TrustedCertificate(Certificate):
    """
    A trusted certificate.
    """
tiran commented 3 years ago

TRUSTED certificates do not have the same content as normal certificates. They payload starts like a normal certificates, but there is additional auxiliary ASN.1 encoded data appended to the certificate.

ASN1_SEQUENCE(X509_CERT_AUX) = {
        ASN1_SEQUENCE_OF_OPT(X509_CERT_AUX, trust, ASN1_OBJECT),
        ASN1_IMP_SEQUENCE_OF_OPT(X509_CERT_AUX, reject, ASN1_OBJECT, 0),
        ASN1_OPT(X509_CERT_AUX, alias, ASN1_UTF8STRING),
        ASN1_OPT(X509_CERT_AUX, keyid, ASN1_OCTET_STRING),
        ASN1_IMP_SEQUENCE_OF_OPT(X509_CERT_AUX, other, X509_ALGOR, 1)
} ASN1_SEQUENCE_END(X509_CERT_AUX)
hynek commented 3 years ago

TRUSTED certificates do not have the same content as normal certificates. They payload starts like a normal certificates, but there is additional auxiliary ASN.1 encoded data appended to the certificate.

That shouldn't be relevant for us tho, because we specifically do not interpret the contents of the PEM objects. All we care about is the start and the end.

adiroiban commented 3 years ago

@hynek let me give this a try :)

tiran commented 3 years ago

That shouldn't be relevant for us tho, because we specifically do not interpret the contents of the PEM objects. All we care about is the start and the end.

That makes sense -- except pem also has sha1_hexdigest property. The SHA-1 hexdigest of a trusted certificate should be equal to the sha1_hexdigest property of a regular certificate, because they are the same certificate. That requires you to understand and strip away the auxiliar suffix.

adiroiban commented 3 years ago

@tiran I am now reading the man page for "trusted certificates" https://www.openssl.org/docs/man1.1.1/man1/x509.html

It this a custom extension created by OpenSSL or is a "standard/de-facto standard" implemented by other x509 handling tools ?

The actual command to generate a trusted cert is

$ openssl x509 -in path/to-normal/ca-cert.pem -trustout -addtrust emailProtection

I was missing the -addtrust part

Right now PEM is not doing any payload handing. I think that comparison of a normal and trusted certificate should be done outside of the PEM library.... or in a separate ticket :)

tiran commented 3 years ago

AFAIK the AUX data extension was invited by OpenSSL and only used by OpenSSL.

NSS and p11-kit have similar features, but implement them on top of Cryptoki API (PKCS#11). For example NSS has CKA PKCS11 properties like CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR. Freedesktop's p11-kit can include additional properties in [p11-kit-object-v1] stanzas, e.g. x-distrusted.