notaryproject / notation

A CLI tool to sign and verify artifacts
https://notaryproject.dev/
Apache License 2.0

Ability to relax CA certificate requirements #909

Closed zosocanuck closed 1 week ago

zosocanuck commented 3 months ago

Is your feature request related to a problem?

Consider an enterprise code signing scenario with an existing private CA whose CA certificate has a key usage extension that was not marked critical during original generation.

When running notation sign the following error occurs:

Error: generated signature failed verification: certificate-chain is invalid, certificate with subject "CN=CA01 I2,OU=Engineering,O=Acme,L=San Jose,ST=CA,C=US": key usage extension must be marked critical

There are private CA deployments that have been in production for a while, and in many cases it is very difficult to re-issue and deploy the updated trust chain to endpoints. This would impact adoption of the notation tool in these types of environments.

It is much easier to update the leaf certificate template in a customer environment, which is why the focus is on the Issuing CA certificate.

What solution do you propose?

It would be great to add the ability to relax the CA certificate requirements via some notation parameter(s), such that a consumer can proceed with signing while understanding the requirements were not met.

What alternatives have you considered?

There are no alternatives at the moment, given that if a customer's CA doesn't meet notation's requirements, they are unable to sign with notation even if the leaf certificates are compliant.

Any additional context?

No response
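The check behind the error quoted above, as an added illustration (not notation's own code): a CA certificate must carry a Key Usage extension and that extension must be marked critical. The constructed test CA, the `newTestCA` helper, and the Go-standard-library approach of injecting a non-critical Key Usage extension through `ExtraExtensions` are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// id-ce-keyUsage (2.5.29.15), the X.509 Key Usage extension.
var oidKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 15}

// checkCAKeyUsageCritical applies the rule behind the error quoted in this issue:
// a CA certificate must carry a Key Usage extension marked critical.
func checkCAKeyUsageCritical(cert *x509.Certificate) error {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidKeyUsage) {
			if !ext.Critical {
				return fmt.Errorf("certificate with subject %q: key usage extension must be marked critical", cert.Subject)
			}
			return nil
		}
	}
	return fmt.Errorf("certificate with subject %q: key usage extension missing", cert.Subject)
}

// newTestCA builds a constructed self-signed CA. With critical=false the Key Usage extension
// is injected via ExtraExtensions so it is present but not critical, as in the issue.
func newTestCA(critical bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // Go emits this extension as critical
	if !critical { // DER BIT STRING: 1 unused bit, keyCertSign|cRLSign = 0x06
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidKeyUsage, Value: []byte{0x03, 0x02, 0x01, 0x06}}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Running `checkCAKeyUsageCritical` over an existing chain (e.g. loaded with `x509.ParseCertificate`) tells you before signing whether a private CA will trip this requirement.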

yizha1 commented 3 months ago

@zosocanuck Thanks for creating this issue, we discussed this issue in the community meeting on Mar 25, 2024. The conclusion is this issue won't be fixed. The reason is: First, it is a base requirement for code signing certificates, see 7.1.2.1 Root CA Certificate. Second, it is not secure if key usage is not marked as critical, since the root CA certificate can be used for different purposes besides code signing. However, the use of the same key for two different cryptographic processes may weaken the security provided by one or both of the processes. See NIST 5.2 Key usage for details. /cc @priteshbandi @shizhMSFT to comment if any.

github-actions[bot] commented 1 month ago

This issue is stale because it has been opened for 60 days with no activity. Remove stale label or comment. Otherwise, it will be closed in 30 days.

github-actions[bot] commented 1 week ago

Issue closed due to no activity in the past 30 days.