New Feature: key pinning #61

Open
afife opened this issue Jul 9, 2019 · 0 comments
afife commented Jul 9, 2019

Context / Challenge

CAs are required to replace misissued TLS certificates (e.g. organization name exceeding 64 characters, short serial number, etc.) in less than 5 days. Replacing a certificate usually means that the CA reissues the certificate with the same subject public key and corrected fields and revokes the previous certificate.

In this period, sysadmins have to replace the old certificate with the new one (no need to generate new key pairs and/or CSR as the public key is the same).

If an app is doing certificate pinning, it also has to be updated with the new certificate (the certificate and respective certificate fingerprint are different). Depending on the app store program and the test complexity, the release cycle may take over 1 week and the rollout to end users is a gradual and slow process.

Therefore, this 5-day window is nearly impossible to meet without significant outages if doing certificate pinning.

Solution

In order to avoid the need for new app releases whenever a TLS certificate is replaced, this library should also support public key pinning.

Instead of pinning the certificate fingerprint, one would pin the fingerprint of the Subject Public Key Info (SPKI). The SPKI is the binary structure (DER encoded) of the public key and is present in several files: PKCS#8 key file, CSR and certificate.

Here are the OpenSSL commands to obtain the fingerprint:

# Get public key fingerprint from a PKCS#8 file with the key pair
openssl rsa -in mytls.key -passin pass:myStr0ngP@s§w0rd -pubout -outform DER | openssl dgst -sha256

# Get public key fingerprint from the CSR (PEM format)
openssl req -in mytls.csr -pubkey -noout | openssl rsa -pubin -outform DER | openssl dgst -sha256

# Get public key fingerprint from the certificate (PEM format)
openssl x509 -in mytls.cer -noout -pubkey | openssl rsa -pubin -outform DER | openssl dgst -sha256

Further references
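
Why an SPKI pin survives the reissue described in this issue, as an added example that is not part of the original issue or the library's code: it slices the SubjectPublicKeyInfo out of a DER certificate with the Python standard library and hashes it the way the `openssl dgst -sha256` commands do. `tlv`, `fake_cert`, `KEY`, `OLD` and `NEW` are constructed stand-ins (structurally shaped like certificates, not validly signed).

```python
import hashlib

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at offset off."""
    tag, length, pos = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def spki_der(cert_der):
    """Slice the SubjectPublicKeyInfo element (header included) out of a certificate."""
    _, pos, _ = read_tlv(cert_der, 0)       # enter Certificate SEQUENCE
    _, pos, _ = read_tlv(cert_der, pos)     # enter tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                         # optional [0] version field
        pos = end
    for _field in range(5):                 # serial, sig alg, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    tag, _, end = read_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo not found")
    return cert_der[pos:end]

def fingerprint(data):
    return hashlib.sha256(data).hexdigest()

# --- constructed sample input below: a tiny DER encoder and fake certificates ---
def tlv(tag, value):
    n = len(value)
    if n < 0x80:
        head = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        head = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + value

def fake_cert(serial, org, spki):
    name = tlv(0x30, tlv(0x0C, org))        # simplified stand-in for a Name
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, serial) + tlv(0x30, b"")
              + name + tlv(0x30, b"") + name + spki)
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, bytes(65)))

KEY = tlv(0x30, tlv(0x30, b"") + tlv(0x03, b"\x00" + bytes(range(200))))
OLD = fake_cert(b"\x01", b"A" * 70, KEY)                   # short serial, 70-char org
NEW = fake_cert(bytes(range(1, 17)), b"Example Org", KEY)  # reissued, same key

if __name__ == "__main__":
    print("cert pins equal:", fingerprint(OLD) == fingerprint(NEW))
    print("SPKI pins equal:", fingerprint(spki_der(OLD)) == fingerprint(spki_der(NEW)))
```

For a real PEM certificate, `ssl.PEM_cert_to_DER_cert()` gives the DER bytes that `spki_der` expects.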
