[16903] Chain of trust issues with a single CA certificate #3239

Closed
1 task done
ruffsl opened this issue Jan 23, 2023 · 0 comments · Fixed by #3294
Labels
bug Issue to report a bug

Comments

ruffsl commented Jan 23, 2023

Is there an already existing issue for this?

  • I have searched the existing issues

Expected behavior

I'll quote the same succinctly put issue filed over for OpenDDS here:

OpenDDS/OpenDDS#3992 (comment)

Problem

Assume a usage of DDS Security where the same CA is used for both permissions and identity. The certificates issued to participants allow them to sign documents. Assume the participant generates a permissions file and then signs it. Chain verification causes verification attempts to succeed since the signing certificate, i.e., the participant's certificate, can be chained back to the permission CA's certificate (which is also the identity CA).

This problem was identified in ros2/sros2#282.

Solution

Implement the suggestion in ros2/sros2#282. Specifically, use PKCS7_NOINTERN to not accept any signatures in the signed document. This, in turn, requires the use of the certs parameter to PKCS7_verify. PKCS7_NOVERIFY is used since the permissions CA certificate will not be chain verified.

Current behavior

ros2/sros2#282 (comment)

Steps to reproduce

ros2/sros2#282 (comment)

Fast DDS version/commit

Example call site for reference:

if (PKCS7_verify(p7, nullptr, local_handle->store_, indata, out, PKCS7_TEXT))

Platform/Architecture

Other. Please specify in Additional context section.

Transport layer

Default configuration, UDPv4 & SHM

Additional context

Fast-DDS v2.6.2 ships with ROS 2 Humble

XML configuration file

No response

Relevant log output

No response

Network traffic capture

No response

@ruffsl ruffsl added the triage Issue pending classification label Jan 23, 2023
@MiguelCompany MiguelCompany added bug Issue to report a bug and removed triage Issue pending classification labels Feb 2, 2023
@MiguelCompany MiguelCompany changed the title Chain of trust issues with a single CA certificate [16903] Chain of trust issues with a single CA certificate Feb 2, 2023
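The difference between chain verification and the pinned check proposed in the issue can be observed with the `openssl smime` command line, whose `-nointern`, `-noverify` and `-certfile` options correspond to `PKCS7_NOINTERN`, `PKCS7_NOVERIFY` and the `certs` parameter of `PKCS7_verify`. This is an added example, not code from the issue or from Fast DDS; the CA, participant, file names and permissions document are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. All names and file contents are constructed; keys are throwaway.
# One CA acts as both identity and permissions CA and issues a participant cert.
make_fixture() {  # $1 = working directory
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" -out "$1/ca.pem" \
    -subj "/CN=Constructed Shared CA" -days 1 -set_serial 1 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$1/part.key" -out "$1/part.csr" \
    -subj "/CN=Constructed Participant" 2>/dev/null
  # Distinct serials: PKCS#7 signers are looked up by issuer name and serial.
  openssl x509 -req -in "$1/part.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -set_serial 2 -days 1 -out "$1/part.pem" 2>/dev/null
  printf '<dds><permissions/></dds>\n' > "$1/perm.xml"
  # The same document, signed once by the CA and once by the participant.
  openssl smime -sign -text -in "$1/perm.xml" -signer "$1/ca.pem" \
    -inkey "$1/ca.key" -out "$1/by_ca.p7s" 2>/dev/null
  openssl smime -sign -text -in "$1/perm.xml" -signer "$1/part.pem" \
    -inkey "$1/part.key" -out "$1/by_participant.p7s" 2>/dev/null
}

# Chain verification, as in the call site quoted in the issue: the signer
# certificate embedded in the document is accepted if it chains to the CA.
verify_chain() {  # $1 = working directory, $2 = signed document
  openssl smime -verify -text -in "$2" -CAfile "$1/ca.pem" \
    -out /dev/null 2>/dev/null
}

# Pinned verification, as proposed: ignore embedded certificates (-nointern),
# take the signer only from -certfile, and skip chain building (-noverify).
verify_pinned() {  # $1 = working directory, $2 = signed document
  openssl smime -verify -text -in "$2" -nointern -noverify \
    -certfile "$1/ca.pem" -out /dev/null 2>/dev/null
}

report() { if "$@"; then echo accepted; else echo rejected; fi; }

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
make_fixture "$demo"
for f in by_ca by_participant; do
  echo "$f.p7s chain:  $(report verify_chain "$demo" "$demo/$f.p7s")"
  echo "$f.p7s pinned: $(report verify_pinned "$demo" "$demo/$f.p7s")"
done
# by_participant.p7s: chain accepted, pinned rejected; by_ca.p7s: pinned accepted
```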