Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add CAs/CRLs to the PKI engine at runtime #3606

Merged

Conversation

gerardsn
Copy link
Member

@gerardsn gerardsn commented Dec 11, 2024

I've updated some go docs and comments to clarify that the pki engine is only a CRL checker, not a trust manager.

Since trust in the certificate chain must be validated externally (prior to checking the CRLs), we can assume that all presented certificates are part of trusted certificates chains and can be added to the CRL/CA lists at runtime. This simplifies the usage of the PKI engine a bit and closes #3583.

PKI.CreateTLSConfig() returns a tls.Config that contains the truststore that is in the nuts.yaml config. Added clarification that this must not be replaced the internal truststore of the engine. This method only exists here to set the CRL checker on the tls.Config.VerifyPeerCertificate.

Currently the CRLs are checked by the did:x509 resolver that, I think, does not know if the chain should be trusted or not?
This means that the CRLvalidator / PKI engine will be filled based on data/certs presented by external parties -> enables certain attacks on the node.

TODO:

  • update documentation

@gerardsn gerardsn force-pushed the fix-3583/seperate-CRL-checking-from-tlsConfig-generation branch from a3661b7 to c7c8424 Compare December 11, 2024 14:44
@reinkrul
Copy link
Member

reinkrul commented Dec 13, 2024

Currently the CRLs are checked by the did:x509 resolver that, I think, does not know if the chain should be trusted or not?
This means that the CRLvalidator / PKI engine will be filled based on data/certs presented by external parties -> enables certain attacks on the node.

Through PEX you have control over what DIDs you resolve on that part. But now I think of it, we might resolve DID in other places, which is not filtered through PEX/PDs first? Maybe client_did?

This actually also applies to did:web, so I don't think we really need to be afraid of this.

@gerardsn
Copy link
Member Author

I think this is a major concern. We currently have no limitations on when DIDs are allowed to be resolved. I'm assuming there are at least several (if not all) cases where this is not preceded by a check on what DID is being resolved. For example, dereferencing compound services in did:nuts. These can point to a bunch of did:x509 DIDs to rapidly fill the CRL checker with garbage. I know this is a deprecated feature, but the fact that there is no restriction on resolving makes this very vulnerable.

I wonder if the CRL check should take place in the X509Credential validation? This is a revocation check, which does not exist for other DIDs? Although you could argue that this is similar to deactivation for DIDs.

I don't think this applies to did:web? We don't check CRLs there.

@gerardsn
Copy link
Member Author

Only a few (maybe even 1) malicious CRL endpoints in the list is enough to break the CRL checker.

Currently all CRL endpoints are checked every 15 minutes in order (no parallelism).
The PKI engine assumes the CRL endpoints are trusted and therefore has limit restrictions on the http client (such as no limit on downloaded file sizes).
Combining those 2 could cause all legitimate CRLs to expire and possibly break all x509 credential validation.

@reinkrul
Copy link
Member

I don't think this applies to did:web? We don't check CRLs there.

Isn't this a major issue as well, then? ANd when we fix this, the CRL issue still applies?

docs/pages/deployment/certificates.rst Outdated Show resolved Hide resolved
return err
}
if trustStore != nil {
err = p.addCAs(trustStore.Certificates())
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this could theoretically add leaf certificates as wel? Maybe better to only add IntermediateCA and RootCA certificates? (I think it has fields for that).

Copy link
Member Author

@gerardsn gerardsn Dec 13, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

true, but this will only be the case for the first leaf cert presented for an unknown chain. So it just adds a bit of data per issuer that cannot do any harm. It does allow prefetching of its issuers CRL since that can only be found on the leaf cert.

@gerardsn
Copy link
Member Author

I don't think this applies to did:web? We don't check CRLs there.

Isn't this a major issue as well, then? ANd when we fix this, the CRL issue still applies?

We use the hosts truststore for did:web. If you want to do CRL checking on ALL public CAs it's no longer part of the nuts node IMO.

@reinkrul
Copy link
Member

We use the hosts truststore for did:web. If you want to do CRL checking on ALL public CAs it's no longer part of the nuts node IMO.

I'll create an issue for it, since CRL checking is i.m.o. an important part of the security model of did:web. How we implement is, and whether it's hard because of how our internals work, is second concern.

@gerardsn gerardsn force-pushed the fix-3583/seperate-CRL-checking-from-tlsConfig-generation branch from 23346a6 to db83268 Compare December 16, 2024 08:57
@gerardsn
Copy link
Member Author

Following the discussion above I have removed the CRL check form the did:x509 resolver since this would allow unsanitized user input into the CRL database.

CRL checking must be done in the VC validation -> it is a credential revocation check.

@gerardsn gerardsn merged commit 187d5fa into master Dec 16, 2024
9 checks passed
@gerardsn gerardsn deleted the fix-3583/seperate-CRL-checking-from-tlsConfig-generation branch December 16, 2024 12:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

pki.AddTruststore is never called if tls.{certfile,certkeyfile} is not configured
3 participants