Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Option to bind JWK provisioner tokens with CSR #1637

Open
maraino opened this issue Nov 29, 2023 · 7 comments · May be fixed by #1660 or smallstep/cli#1092
Open

Option to bind JWK provisioner tokens with CSR #1637

maraino opened this issue Nov 29, 2023 · 7 comments · May be fixed by #1660 or smallstep/cli#1092
Assignees
@maraino
Labels
enhancement needs docs needs triage Waiting for discussion / prioritization by team
Milestone
v0.26.2

Comments

@maraino
Copy link
Contributor

maraino commented Nov 29, 2023

Description

In #1636, @daFritz84 proposes that binding JWT tokens for the JWK provisioner to a given CSR might be a good option to prevent some attacks.

Optionally, adding a new field in the token with a CSR fingerprint can be a good idea. Commands that generate their own token and CSR can always add the new field, and the JWK provisioner will validate it. step ca token can have an extra flag to add that fingerprint and a flag to pass a CSR to get the fingerprint from.

It might also be a good idea to add a fingerprint to x509util.CertificateRequest, so it can be optionally checked in a template or in a webhook, although the raw CSR is also present in a webhook request.
@maraino maraino added enhancement needs triage Waiting for discussion / prioritization by team labels Nov 29, 2023
@maraino maraino transferred this issue from smallstep/cli Nov 29, 2023
@daFritz84
Copy link

Quick note: Unlike certificates, there is no canonical "fingerprint" for CSRs as far as I know. Rather one would generate the message digest of the der format.

openssl req -in example.csr -outform DER | openssl dgst -sha256 -c

There is a rather 🔥 discussion on this right here: https://security.stackexchange.com/questions/262476/getting-fingerprint-of-certificate-signing-request

@maraino
Copy link
Contributor Author

maraino commented Dec 9, 2023

@daFritz84, that was the idea, and that's exactly how the certificate fingerprint is calculated.

@maraino
Copy link
Contributor Author

maraino commented Dec 9, 2023

@daFritz84 after our team discussion, some voices were not fully convinced about adding this.
Can you provide more insight into why and how you want to use this? How are your token/certificate flows that this can be a problem?

@daFritz84
Copy link

daFritz84 commented Dec 11, 2023
edited

@maraino sure thing. I whipped up a quick sketch to illustrate my case:
github_sketch

So I do have a scenario where an 'IoT device' is requesting a certifcate from the 'Certificate authority' in the cloud. The request is transfered via asynchronous communication (publish/subscribe). There is only segment-by-segment encrypted tunnels, and the CSR (as by the nature of async communication of Kafka and MQTT) cached at, at least, two other services. Hence I would prefer a strong binding between the JWT and the CSR.

I hope I have described the scenario clearly, and this brings my point across. Btw. async communication (MQTT) was implemented due to low bandwidth/unreliable networks. In my threat model, the edge gateway or the proxy could be compromised to allow MITM attacks on the CSRs.

@hslatman hslatman added this to the v0.25.3 milestone Dec 19, 2023
@maraino
Copy link
Contributor Author

maraino commented Dec 19, 2023

@daFritz84, we will add support for this in our cli and certificates, it is not a high priority, so it can take some time.

@daFritz84
Copy link

@maraino Thanks for the x-mas gift 😄, I'll take it.

@maraino
Copy link
Contributor Author

maraino commented Dec 28, 2023

I've been working on a yet incomplete implementation where tokens for the JWK and X5C provisioners can have a confirmation claim, cnf with a kid parameter as defined in RFC 7800#section-3.4.

The payload of a token with this will look like:

{
  "aud": "https://ca.smallstep.com:9000/1.0/sign",
  "cnf": {
    "kid": "PJLNhtQoBE1yGN_ZKzr4Y2U5pyqIGiyyszkoz2raDOw"
  },
  "exp": 1703803318,
  "iat": 1703803018,
  "iss": "mariano@smallstep.com",
  "jti": "458bd150aaa7ba0bf1b0c927f17e1f52e22954db64e3aaa3b7da92a4ddcdc832",
  "nbf": 1703803018,
  "sans": [
    "mariano@smallstep.com"
  ],
  "sha": "a78a850025c0c234385eda23d7192964ca56aa9d727f535653b0afb81c1e0559",
  "sub": "mariano@smallstep.com"
}

In this case, that kid is SHA-256 of the raw data of a CSR using the base64url without padding encoding. In the same way, I'm also working on adding the same functionality for SSH certificates. In this case, the fingerprint will be in the marshaling of the SSH public key.

When the JWK or X5C provisioner of the CA sees a token with that confirmation claim, it will validate that the fingerprint matches the provided CSR or SSH public key; if it does not, it will return a 403 error.

Note that the fingerprint for a CSR will be based on the full CSR, not just the key.

maraino added a commit that referenced this issue Dec 29, 2023
@maraino
Check cnf claim with CSR or SSH public key fingerprint
c8c99db 
This commit allows to tie tokens with the provided  CSR or SSH public
key. Tokens with a confirmation claim kid (cnf.kid) will validate that
the provided fingerprint (kid) matches the CSR or SSH public key.

This check will  only be present in JWK and X5C provisioners.

Fixes #1637
@maraino maraino linked a pull request Dec 29, 2023 that will close this issue
Open
1 task
maraino added a commit that referenced this issue Dec 29, 2023
@maraino
Check cnf claim with CSR or SSH public key fingerprint
59e39b7 
This commit allows tying tokens with the provided  CSR or SSH public
key. Tokens with a confirmation claim kid (cnf.kid) will validate that
the provided fingerprint (kid) matches the CSR or SSH public key.

This check will only be present in JWK and X5C provisioners.

Fixes #1637
@maraino maraino linked a pull request Dec 29, 2023 that will close this issue
Open
1 task
maraino added a commit to smallstep/cli that referenced this issue Dec 29, 2023
@maraino
Allow to add confirmation claims to tokens
8a7ccc8 
This commit allows passing confirmation claims to tokens to tie the
tokens with a provided CSR or SSH public key.

Fixes smallstep/certificates#1637
maraino added a commit that referenced this issue Jan 5, 2024
@maraino
Check cnf claim with CSR or SSH public key fingerprint
508b6e8 
This commit allows tying tokens with the provided  CSR or SSH public
key. Tokens with a confirmation claim kid (cnf.kid) will validate that
the provided fingerprint (kid) matches the CSR or SSH public key.

This check will only be present in JWK and X5C provisioners.

Fixes #1637
maraino added a commit to smallstep/cli that referenced this issue Jan 12, 2024
@maraino
Allow to add confirmation claims to tokens
4616c58 
This commit allows passing confirmation claims to tokens to tie the
tokens with a provided CSR or SSH public key.

The confirmation claim is implemented in the token command as well as
the com commands that uses a given CSR or ssh public key. Those are:

  - step ca token
  - step ca sign
  - step ssh certificate --sign

Fixes smallstep/certificates#1637
@hslatman hslatman modified the milestones: v0.26.0, v0.26.1 Mar 29, 2024
@hslatman hslatman modified the milestones: v0.26.1, v0.26.2 Apr 25, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@maraino maraino

Labels
enhancement needs docs needs triage Waiting for discussion / prioritization by team
Projects
None yet
Milestone
v0.26.2
4 participants
@tashian @maraino @hslatman @daFritz84