Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Participants can sign their own permissions file if the same CA is used for both identity and permissions #3992

Merged
merged 1 commit into from
Jan 19, 2023

Conversation

jrw972
Copy link
Contributor

@jrw972 jrw972 commented Jan 18, 2023

Problem

Assume a usage of DDS Security where the same CA is used for both permissions and identity. The certificates issued to particpants allow them to sign documents. Assume the participant generates a permissions file and then signs it. Chain verification causes verification attempts to succeed since the signing certificate, i.e., the participant's certificate, can be chained back to the permission CA's certificate (which is also the identity CA).

This problem was identified in
ros2/sros2#282.

Solution

Implement the suggestion in ros2/sros2#282. Specifically, use PKCS7_NOINTERN to not accept any signatures in the signed document. This, in turn, requires the use of the certs parameter to PKCS7_verify. PKCS7_NOVERIFY is used since the permissions CA certificate will not be chain verified.

Problem
-------

Assume a usage of DDS Security where the same CA is used for both permissions
and identity.  The certificates issued to particpants allow them to
sign documents.  Assume the participant generates a permissions file
and then signs it.  Chain verification causes verification attempts to
succeed since the signing certificate, i.e., the participant's
certificate, can be chained back to the permission CA's
certificate (which is also the identity CA).

This problem was identified in
ros2/sros2#282.

Solution
--------

Implement the suggestion in ros2/sros2#282.
Specifically, use PKCS7_NOINTERN to not accept any signatures in the
signed document.  This, in turn, requires the use of the `certs` parameter to
`PKCS7_verify`.  PKCS7_NOVERIFY is used since the permissions CA
certificate will not be chain verified.
@jrw972 jrw972 self-assigned this Jan 18, 2023
@jrw972 jrw972 marked this pull request as draft January 18, 2023 22:46
@mitza-oci mitza-oci changed the title Participants can sign their own permissions file Participants can sign their own permissions file if the same CA is used for both identity and permissions Jan 19, 2023
@jrw972 jrw972 marked this pull request as ready for review January 19, 2023 17:08
@mitza-oci mitza-oci merged commit dc3e691 into OpenDDS:master Jan 19, 2023
jpace121 pushed a commit to jpace121/cyclonedds that referenced this pull request Jan 27, 2023
As stated in: OpenDDS/OpenDDS#3992 (comment)

"Implement the suggestion in ros2/sros2#282.
Specifically, use PKCS7_NOINTERN to not accept any signatures in the signed document.
This, in turn, requires the use of the certs parameter to PKCS7_verify.
PKCS7_NOVERIFY is used since the permissions CA certificate will not be chain verified."

Fixes: eclipse-cyclonedds#1546
Related to: ros2/sros2#282

Signed-off-by: James Pace <jpace121@gmail.com>
jpace121 pushed a commit to jpace121/cyclonedds that referenced this pull request Jan 27, 2023
As stated in: OpenDDS/OpenDDS#3992 (comment)

"Implement the suggestion in ros2/sros2#282.
Specifically, use PKCS7_NOINTERN to not accept any signatures in the signed document.
This, in turn, requires the use of the certs parameter to PKCS7_verify.
PKCS7_NOVERIFY is used since the permissions CA certificate will not be chain verified."

Fixes: eclipse-cyclonedds#1546
Related to: ros2/sros2#282

Signed-off-by: James Pace <jpace121@gmail.com>
@jrw972 jrw972 deleted the opendds-756 branch January 31, 2023 16:01
mitza-oci added a commit that referenced this pull request Jan 31, 2023
Participants can sign their own permissions file if the same CA is used for both identity and permissions

(cherry picked from commit dc3e691)
eboasson pushed a commit to eclipse-cyclonedds/cyclonedds that referenced this pull request Feb 2, 2023
As stated in: OpenDDS/OpenDDS#3992 (comment)

"Implement the suggestion in ros2/sros2#282.
Specifically, use PKCS7_NOINTERN to not accept any signatures in the signed document.
This, in turn, requires the use of the certs parameter to PKCS7_verify.
PKCS7_NOVERIFY is used since the permissions CA certificate will not be chain verified."

Fixes: #1546
Related to: ros2/sros2#282

Signed-off-by: James Pace <jpace121@gmail.com>
dpotman pushed a commit to dpotman/cyclonedds that referenced this pull request Feb 23, 2023
As stated in: OpenDDS/OpenDDS#3992 (comment)

"Implement the suggestion in ros2/sros2#282.
Specifically, use PKCS7_NOINTERN to not accept any signatures in the signed document.
This, in turn, requires the use of the certs parameter to PKCS7_verify.
PKCS7_NOVERIFY is used since the permissions CA certificate will not be chain verified."

Fixes: eclipse-cyclonedds#1546
Related to: ros2/sros2#282

Signed-off-by: James Pace <jpace121@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants