Whether attribute certificates can be used in the public_key module.

tanaka · October 4, 2023, 12:18pm

We are trying to implement a feature for issuing attribute certificates using records such as AttributeCertificate, which are defined in public_key.hrl

We checked if a certificate generated by the public_key module could be read/parsed correctly by a modified OpenSSL 3 implementation with the attribute certificates.

Since I could confirm that the record was defined in the header, I obtained a test acert.pem that was included in the pull request to make openssl3 support attribute certificates, and tried to see if I could parse it.

github.com/openssl/openssl

Attribute certificate (RFC 5755)

openssl:master ← dhobsong:attribute_cert_wip

opened 07:38AM - 22 Jun 21 UTC

dhobsong

+2403 -21

Closes #14648 Please see the checklist below for sub-task completion status.… Right now I've split this implementation over several patches to try to keep the sizes a little more manageable, but I can squash them if that makes more sense. Some of the areas of concern regarding this patch series are listed below. Any feedback related to these (or anything else) would be greatly appreciated ### Attribute values RFC 5755 defines several Attribute types that have ASN.1 SEQUENCEs as their value fields. E.g. [group](https://datatracker.ietf.org/doc/html/rfc5755#section-4.4.4) and [role](https://datatracker.ietf.org/doc/html/rfc5755#section-4.4.5). As far as I can tell, there is no nice way to handle Attributes that don't have string (or similar) values for printing or parsing. The current code just uses the output of `ANS1_item_print()` for printing, and parses from the config file using `ASN1_generate_nconf()`. Maybe some framework, similar to the `X509V3_EXT_METHOD` used for extensions might be useful for X509_ATTRIBUTEs? ### public API RFC 5755 defines the attribute certificate format using several new ASN.1 sequence types that don't seem to be used in any other profiles. I've tried to find a good balance of what to expose in the public API, but if there are any opinions on whether I should be exposing more or less, I would be happy to hear them. ### file separation I'm not 100% sure that all of the function implementations are in the right location (correct function in correct file). I've tried to follow the way that the X509, X509_REQ and X509_CRL implementation is divided, but maybe there is some room for improvement there.  #### Checklist - [x] file / BIO input output for attribute certificates (AC) - [x] setters / getters for AC fields - [x] read AC attribute values from config file - [x] documentation is added or updated - [x] tests are added or updated

I tried to see if I could expand it with public_key:pem_decode/1, but it only returned an empty list.

1> {ok, Bin} = file:read_file("acert.pem").
<<"-----BEGIN ATTRIBUTE CERTIFICATE-----\nMIICPTCCASUCAQEwN6AWMBGkDzANMQswCQYDVQQDDAJDQQIBAqEdpBswGTEXMBUG\nA1UEAwwOc2Vyd"...>>
2> public_key:pem_decode(Bin).
[]

After removing the header and footer listed in the PEM format and changing it to DER format with base64 decoding, we confirmed that it could be read with public_key:der_decode/2.

1> {ok, Bin} = file:read_file("acert.der").
{ok,<<48,130,2,61,48,130,1,37,2,1,1,48,55,160,22,48,17,
      164,15,48,13,49,11,48,9,6,3,...>>}
2> public_key:der_decode('AttributeCertificate', Bin).
{'AttributeCertificate',{'AttributeCertificateInfo',v2,
                                                    {'Holder',{'IssuerSerial',[{directoryName,{rdnSequence,[[{'AttributeTypeAndValue',{2,
                                                                                                                                       5,4,3},
                                                                                                                                      <<12,2,67,65>>}]]}}],
                                                                              2,asn1_NOVALUE},
                                                              [{directoryName,{rdnSequence,[[{'AttributeTypeAndValue',{2,
                                                                                                                       5,4,3},
                                                                                                                      <<12,14,115,101,114,118,101,114,46,101,120,...>>}]]}}],
                                                              asn1_NOVALUE},
                                                    {v2Form,{'V2Form',[{directoryName,{rdnSequence,[[{'AttributeTypeAndValue',{2,
                                                                                                                               5,4,3},
                                                                                                                              <<12,28,65,116,116,114,105,98,117,...>>}]]}}],
                                                                      asn1_NOVALUE,asn1_NOVALUE}},
                                                    {'AlgorithmIdentifier',{1,2,840,113549,1,1,11},<<5,0>>},
                                                    21175981651213461252787528108986572854611892162,
                                                    {'AttCertValidityPeriod',"20210615123500Z",
                                                                             "20310613123500Z"},
                                                    [{'Attribute',{1,3,6,1,5,5,7,10,4},
                                                                  [<<48,21,160,9,134,7,84,101,115,116,118,97,108,48,...>>]},
                                                     {'Attribute',{2,5,4,72},
                                                                  [<<48,17,161,15,131,13,97,100,109,105,110,105,115,...>>]}],
                                                    asn1_NOVALUE,
                                                    [{'Extension',{2,5,29,35},
                                                                  false,
                                                                  <<48,22,128,20,98,110,201,104,103,108,100,187,...>>},
                                                     {'Extension',{2,5,29,56},false,<<5,0>>}]},
                        {'AlgorithmIdentifier',{1,2,840,113549,1,1,11},<<5,0>>},
                        <<69,138,69,18,58,43,116,222,188,53,116,139,152,54,158,
                          186,187,177,135,15,153,178,191,70,174,...>>}

The current functionality that has already been implemented in public_key module is sufficient for our objective of handling the certificate in DER format.

We would like to use the public_key module functionality for issuing a platform certificate defined by TCG.

https://trustedcomputinggroup.org/resource/tcg-platform-certificate-profile/

I would like to confirm that the handling of attribute certificates in the public_key module of Erlang/OTP will not be deprecated and will remain supported.

Are the attribute certificates defined in RFC5755 and the related RFCs currently supported in the public_key module?

jimdigriz · October 8, 2023, 8:07am

My understanding is that the support, as it is for general X.509 work, is this support is mostly incidental as this is all just pure ASN.1 decoding.

Lurking in https://github.com/erlang/otp/tree/master/lib/public_key/asn1 is a list of .asn1 files that tend to be just verbatim extracted from IETF materials and elsewhere.

During the building of OTP, these get converted into records that represent the underlying ASN.1 form. public_key then provides some functions to work with these records (typically outputting DER).

Anything not in there I suspect would just appear as raw non-human readable objects…plus nothing stops anyone just using their own ASN.1 definitions.

So probably not a question of ‘support’ as all this needs is an ASN.1 decoder which OTP has built in.

To actually work with AttributeCertificate you still need to do the hard coding part which not even OpenSSL does