[Cryptography Team] Re: SSL Certificate Validation

[Robert Withers]

Ron,

I should be clear that there are additional validation requirements  
that I am not checking.  For instance, the commonName of the  
certificate is supposed to match the hostname of the server.  There  
are lots of rules in this area and a careful perusal of the spec is  
recommended.

I think that adding the ability to generate and sign certificates  
would be useful.  Of course we would need a Squeak root certificate  
and private key to do so, unless we stick with self-signed certs.  If  
we generate a root cert and publish the private key/password, that  
would be little different than access to the swiki for upload - and  
the same level of security.  YMMV.

When I have a little time, I may look into client certificates.  This  
will require testing with OpenSSL.  I'll keep you informed if I get  
into it.

Rob

On Jan 24, 2007, at 6:49 AM, Ron Teitelbaum wrote:

> Very cool Rob!
>
> I've been working with the code, testing on multiple machines and it's
> working well!  I haven't been focusing on the actual certificates,  
> but will
> need to do so in a few months.  I'm hoping to be able to create client
> certificates automatically during installation and to be able to  
> renew them
> periodically.  For all this to work I'll need to have client and  
> server
> certificates working and validated plus a working CA.  I'm planning  
> on using
> certificate extensions to handle service authorization.  I'm very  
> pleased
> with the code and how well it responds.  I'll start working with  
> the new
> code and let you know if I see any issues.
>
> Thank you for your work on this!!
>
> Ron
>
>
>> From: Robert Withers
>> Sent: Wednesday, January 24, 2007 12:29 AM
>>
>> All,
>>
>> I've been doing a little SSL coding, since it isn't a fully developed
>> project yet.  The most glaring omission has been the lack of
>> certificate chain processing and validation, thereby leaving a rather
>> large security hole in the implementation.  The code still doesn't
>> handle client certificates.
>>
>> I have added the capability for a certificate to verify itself with
>> it's parent certificate.  Roughly, this entails comparing the hash of
>> the certificate (tbsCertificate) with its decrypted signature. using
>> the parent certificate's publicKey.  The parent is identified as
>> having the same subject as the child's issuer.  A self-signed
>> certificate has the same issuer and subject.  These are currently
>> allowed.  Furthermore, the certificate is valid if the validity dates
>> enclose the current date.
>>
>> The code hook for all this is in
>> SSLSecurityCoordinator>>#validateCertificateChain: certChain
>>
>> The test certificate currently passes, but will expire later this  
>> year.
>>
>> I also added the CACert, Verisign and Thawte's root CAs to the
>> SSLCertificateStore, but there is no mechanism to add external root
>> certs.
>>
>> I also coded and tested MD2 hash function, so that some certs can be
>> validated.
>>
>> Changes to the following packages:
>> 	Cryptography-ASN1
>> 	Cryptography-MD4
>> 	Cryptography-SSL
>> 	Cryptography-Tests
>> 	Cryptography-X509
>>
>> cheers,
>> Robert
>>
>
>