Linking Identity and POP Information (tls-unique) #2

Open
achuchev opened this issue Oct 17, 2019 · 3 comments
Labels
enhancement New feature or request help wanted Extra attention is needed

Comments

@achuchev

First of all, I want to say that I really like this EST client. Great job!

I want to check whether "Linking Identity and POP Information", as described in https://tools.ietf.org/html/rfc7030#section-3.5, is supported. I don’t see it listed in https://github.com/thales-e-security/estclient#analysis-of-rfc-requirements

3.5. Linking Identity and POP Information

Server policy will determine whether clients are required to use the
mechanism specified in this section. This specification provides a
method of linking identity and proof-of-possession by including
information specific to the current authenticated TLS session within
the signed certification request. The client can determine if the
server requires the linking of identity and POP by examining the CSR
Attributes Response (see Section 4.5.2). Regardless of the CSR
Attributes Response, clients SHOULD link identity and POP by
embedding tls-unique information in the certification request. If
tls-unique information is included by the client, the server MUST
verify it. The EST server MAY reject requests without tls-unique
information as indicated by server policy.

@dmjones

dmjones commented Oct 18, 2019

Good question. It's not supported at the moment. Our API expects you to pass in a certificate request that you obtained yourself.

One way to support this would be to add an enrolment function that accepts a callback:

package estclient

import "crypto/x509"

// ReqGenerator is called only after the TLS handshake has completed, so the
// CSR it builds can carry the tls-unique value of that session.
type ReqGenerator interface {
  Generate(tlsUnique []byte) (*x509.CertificateRequest, error)
}

// SimpleEnrollWithPOP would complete the handshake, then call generator with the
// session's tls-unique and submit the resulting request.
func SimpleEnrollWithPOP(authData AuthData, generator ReqGenerator) {
  // Complete handshake, then call generator
}

PRs welcome :-)

@achuchev (Author)

@dmjones Thanks for the quick reply.
Unfortunately, my Golang skills are limited, so I will leave this to the experts :)

@dmjones dmjones added enhancement New feature or request help wanted Extra attention is needed labels Oct 24, 2019
@Neustradamus

Any progress on it?

I think that you have seen the jabber.ru MITM and Channel Binding is the solution:

Little details, to know easily:

  • tls-unique for TLS <= 1.2
  • tls-server-end-point
  • tls-exporter for TLS = 1.3

Thanks in advance.
