Binding between JWT and CSR in a JWK provisioning request

[daFritz84]

Hi,
I try to get a basic understanding how the JWK provisioning workflow is supposed to work and why it is considered secure.

So what I understood so far is that the binding between the authorizing JWT and the CSR is solely based on the SANs field. Assume the SAN is something weak, i.e. generic like "sans":["localhost"], the CSR might easily be exchanged (man-in-the-middle) while retaining some usefulness for the attacker. Shouldn't the binding between the JWT and the CSR be something more explicit, like a signed hash of the CSR?

I'm a bit puzzled regarding this case. Thanks for any help on this,
Stefan

[maraino]

Hi @daFritz84, that's a good point, but it would block some use cases where the CSR is not known beforehand. For example, if you use a configuration management system to configure a list of servers, you can generate a JWT for each server. Then, when the server is being configured, it can create a CSR and use the generated token to get a new certificate.

Although a mitm attack is possible, there are some remediations in place. step will only trust the root certificate used at bootstrap time, and the TLS connection with that root of trust already protects you against simple attacks. A successful mitm will need to control your DNS and already have a certificate from your CA with the appropriate SANs.

You also have to take into account that the JWK provisioner will only authorize CSRs that match the information in the token.

---

However it can be a good optional improvement to add.

[tashian]

I'll just add that the design goal here is to keep the final private key and certificate from having to be moved.
And in order to do that, you may have to move the JWT around for certain use cases.
For example, a hypervisor giving a VM a token on first boot that it can use to get a host certificate.
And, as Mariano mentioned, you also may need to generate the JWT before the CSR.
It helps that the JWT is short-lived and single-use.

[maraino]

I've added this issue for our next triage session #1637

[daFritz84]

Hi @maraino, thanks for the explanation. I suspected myself, that the TLS tunnel might be the clue. I'm currently researching possible solutions to a case where the TLS tunnel is not end-to-end, but is terminated at the edge and the CSR & JWT are then forwarded via Apache Kafka.

That said, #1637 would be perfect for my use case. You guys should add a "buy me a coffee" button 😄, at least so I can show some short-term gratitude. For the long-run I should ask my boss to start negotiations about an 'on-premise' license.