
Verify signed topology file against TRC #6

Merged 19 commits on Apr 19, 2022

Conversation

@FR4NK-W (Contributor) commented Feb 18, 2022

Unless the insecure flag is set, download a TRC, a signed topology file and verify the signature.
Verifies the certificate chain of the included certificate against the TRC.
Crypto operations are only done using the tools scion-pki and openssl.

@FR4NK-W (Contributor, Author) commented Feb 23, 2022

Thanks for your comments @matzf

From your comments, it seems like we want to do more checks than we can easily do with the scion-pki tool:

  • we no longer can treat the payload as a blob we authenticate
  • we want to verify that the content of the topology file (in particular the AS id we are getting) matches the signer identity.

This puts us in a similar case as with a detached signature, where we also need to infer the signer.

About the EKU (Extended Key Usage), crypto/x509 Verify insists on verifying the EKU from the signer, to the issuer through to the root (which in production only has EKU Time Stamping and an internal EKU 1.3.6.1.4.1.55324.1.3.3), so we have to ignore EKUs anyway since there is no valid EKU.

Not sure that restricting the EKU on the root certificates is intentional.
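The EKU behaviour described in this comment, as an added example that is not code from this PR or from scion-pki: a constructed in-memory chain whose root carries only the Time Stamping EKU is verified with crypto/x509, once with the default key usage and once with ExtKeyUsageAny. The names `issue`, `MakeChain` and `VerifyChain`, the keys and the certificates are assumptions made for this example; the internal root EKU OID mentioned above is omitted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl under parent with priv and parses the result (helper for this example).
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, priv ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err) // templates below are fixed, so a failure here is a bug in the example
	}
	c, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return c
}

// MakeChain builds a constructed chain (not the project's code): a root whose only EKU is Time Stamping, as described for the production root, and a signer certificate under it.
func MakeChain() (leaf, root *x509.Certificate) {
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader) // signer's private half is not needed here
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed root"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageTimeStamping},
	}
	root = issue(rootTmpl, rootTmpl, rootPub, rootKey)
	leaf = issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "constructed AS signer"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageTimeStamping},
	}, root, leafPub, rootKey)
	return leaf, root
}

// VerifyChain chains leaf to root. Without ignoreEKU, crypto/x509 checks its default ServerAuth usage
// against every certificate up to the root (Time Stamping only) and fails with IncompatibleUsage.
func VerifyChain(leaf, root *x509.Certificate, ignoreEKU bool) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool()}
	opts.Roots.AddCert(root)
	if ignoreEKU {
		opts.KeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageAny} // skips the chain EKU check entirely
	}
	_, err := leaf.Verify(opts)
	return err
}
```

With ExtKeyUsageAny the chain verifies on signature, validity period and basic constraints alone, so any EKU policy has to be enforced by the caller, for instance by inspecting the signer certificate's ExtKeyUsage directly.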

@FR4NK-W FR4NK-W marked this pull request as ready for review March 30, 2022 15:30
@FR4NK-W FR4NK-W changed the title from "WIP: Verify signed topology file against TRC" to "Verify signed topology file against TRC" Mar 30, 2022

Commits (19)

Unless the insecure flag is set, download a signed topology file and TRC and verify the signature.
Verifies the certificate chain of the included certificate against the TRC.
Crypto operations are only done using the tools scion-pki and openssl.
Parse topology to get ISD ID to check against TRC root and AS ID to check against signer AS cert.
Perform additional checks on payload, signer certificate and TRC:
- Match TRC ISD Id to unverified topology IA
- Match signer certificate Subject DN to topology IA
Introduce security modes for differentiated validation modes of TRCs and signature verification:
- strict: only store a TRC if it validates against an existing TRC update chain
- permissive: only store a TRC if it does not conflict with an existing TRC update chain, enables fetching TRCs with TOFU semantics
- insecure: store any TRC received, mark it as insecure to not compromise later checks in other operation modes, do not validate the topology signature using any certificate, or certificate chain tying it to any TRC.

Default mode is `permissive`.
Pull TRCs ordered by update chain, allowing to check each TRC against the update chain before storing.
Check TRC update chain against local TRC files
Accept empty update chain only in the permissive mode
Only keep latest 10 intermediate verify directories.
We keep the latest 10 verify directories, to allow manual auditing of the signature verification and payload extraction, but not more to avoid cluttering the disk.
Sort TRC files by their ISD ID, base number and serial number,
since `scion-pki` requires a sorted list of TRC files to verify an update chain.
Only move or symlink TRCs to final directory after update chain validity check or mode check
Do not rely on TRC filenames to infer TRC ISD, base number or serial, directly use the values contained in the TRC
Simplify obtaining paths to TRC files sorted by TRC update chain
Split out and comment CLI tool commands for `scion-pki` and `openssl` subcommands
Check if we already have a TRC before fetching it, so we do not fetch TRCs we are dismissing anyway.

Update comment about purpose of `scion-pki cert verify` check
Use signer IA to drive the topology signature verification
Encapsulate functionality and checks, improve comments
Add more comments
Add some more tests for cppki verification and security mode change
@FR4NK-W FR4NK-W merged commit 8fe9707 into master Apr 19, 2022
@FR4NK-W FR4NK-W deleted the fetcher_attached_signature branch November 8, 2024 14:50