Is there a particular order in which the subject attributes - C, ST, L, O, OU, CN have to specified. openssl does not seem to enforce an order.
And while generating the Distinguished Name do we pick up all the subject attributes configured in the certificate? Does the ordering of the attributes matter ?
In theory, it doesn't matter but in practice, some crypto libraries are not able to build a chain if the order of tokens in the subject of parent certificate is different than the order of tokens in issuer field in child certificate. They should be exactly the same if you don't want to have any strange issues.
For example, even the windows 10 tool (mmc) doesn't display correctly the chain if the order of tokens in the subject/issuer field is different.
Is there a particular order in which the subject attributes - C, ST, L, O, OU, CN have to specified.
There is no order specified as far as I know. Order that you specify will be used and in this order will DN be generated in i.e. PKCS#10 request.
And while generating the Distinguished Name do we pick up all the subject attributes configured in the certificate?
CA may (and most probably will) use DN from your PKCS#10 request when issuing certificate but it can decide on a different order. Some RDNs (Relative Distinguished Names) can be moved to extensions, i.e. emailAddress or copied to extensions like CN to SubjectAlternativeName when issuing SSL server certificate.
Does the ordering of the attributes matter ?
Ordering does not IMHO matter. It might matter to some application that is consuming the certificate but in general ordering does not matter.
Related
I can not find exactly what is the meaning and what is used for these fields in certificate..
One of the fields is issuer name which contain a lot of fiels. Some of them are distinguished name qualifier, commonName and domainComponent, so can anyone explain me what is used for these field and what is their meaning.. I think that commonName is unique for everyone and if is the name of CA root, but I am not sure is it ok. Thanks in advance.
These are X.520 relative distinguished name (RDN) attributes. Check RFC 1617 for more details and naming guidelines.
The common name depends on the context. For a server it is the host name, for a person the first and last name, for an IoT device it might be a device name, etc.
The domain component is a part of a host name, e.g. google from mail.google.com. I have never seen this in a certificate. It might be used to restrict a certificate to a part of the host name.
The distinguished name qualifier is a global value for entities common from the same source. Same source = same qualifier. It can be used to differentiate distinguished names from different sources using the same distinguished name otherwise in a CA. So it is an attribute to differentiate the source. Example employee John Doe from company A and John Doe from company B. Both companies merge. The CA can use the qualifier company B for the second John Doe. If you have IoT sensors to manage from 3 companies, here maybe 2 qualifiers for the IoT certificates could be used. But I have never seen a certificate using it.
But all definitions are flexible and if you have a reason for your usecase to find a better match, you can apply your rules.
See RF 4519.
I have two use cases: a. Verify Email Address b. Reset forgotten password
For JWT signing, I am just passing a user Id in the payload. Does JWT signing process make sure that two different (unique) JSON tokens be generated for these two use cases? If not, what do I need to do? Kindly help
Thanks
Only when signed using a deterministic algorithm - RS and HS family, all other algorithms (ES, PS, EdDSA) are not deterministic and two tokens with the same header and payload will have different signatures.
I'm working on implementing a web service that uses X509 certificates for authentication and authorization of the caller.
Is it proper to specify the entity type (i.e. "end user" or "device") as part of the subject name, with, say, OU RDN?
Is it proper to specify the identity of the entity as part of the subject name, with CN RDN?
Is the best place for the authorization tokens to be part of the X509.v3 extensions (I understand authorization info, like "have access to cookie jar", doesn't belong in subject name section)?
If I am to include custom extension values into the certificates, is the proper way to do so is to apply for an OID (through PEN), and create child OID(s) that designate authorization information, and use these OID(s) as OIDs for the extensions? If that's wrong for some reason, any pointers to how this should be done in a standard way, would be appreciated.
It is proper to specify the entity's identity in the Common Name (CN) field of the Subject Distinguished Name (DN).
For a user or device, it would be appropriate to also specify the Organization (O) and/or Organizational Unit (OU) to which they belong in the Subject DN. There is also the User ID (UID) component.
There is a standard profile of X.509 for authorization assertions specified in RFC 5755. An attribute certificate bears one or more attributes about an identity such at group membership, role, clearance level, etc, as well as referencing the public key certificate (that is, the usual kind of X.509 certificate) of the identity to which the authorization information applies.
This standardized approach avoids any need to devise custom X.509 extensions, and hence, apply for an official OID (which is just as well, because I don't know the "offical" procedure for this.)
I am currently working on an architecture, where users can post content any server. To ensure the content has actually been posted by a certain user (and has not been altered after being posted), a signature is created using the private key of the author of the content, whose public key is accessible for everyone on a centralized repository.
Problem is, I have no control over how the content is actually stored on these servers. So I might transmit the content e.g. as a JSON object with all data being base64-encoded and the signature is created using a hash of this the base64-encoded content concatenated in a certain order:
{
"a": "b",
"c": "d",
"signature": "xyz"
}
with
signature := sign(PrivKey, hash(b + d);
Now the server will probably store the content of this in another way, e.g. a database. So maybe the encoding changes. Maybe a mysql_real_escape_string() is done in PHP so stuff gets lost. Now if one wants to check the signature there might be problems.
So usually when creating signatures you have a fixed encoding and a byte sequence (or string) with some kind of unambiguous delimiter - which is not the case here.
Hence the question: How to deal with signatures in this kinda scenario?
It is still required to have a specific message representation in bits or bytes to be able to sign it. There are two ways to do this:
just store the byte representation of the message and don't alter it afterwards (if the message is a string, first encode it with a well defined character encoding);
define a canonical representation of the message, you can either store the canonical representation the message directly or convert it in memory when you are updating the hash within your signature.
A canonical representation of a message is a special, unique representation of the data that somehow distinguishes it from all other possible messages; this may for instance also include sorting the entries of a table (as long as the order doesn't change the meaning of the table), removing whitespace etc.
XML encryption for instance contains canonicalization methods for XML encoding. Obviously it is not possible to define canonicalization for data that has no intrinsic structure. Another (even) more complicated canonical representation is DER for ASN.1 messages (e.g. X509 certificates themselves as well as within RSA signatures).
I think you're really asking two different questions:
How should data be signed?
I suggest using standard digital signature data format when possible, and "detached signatures" at other times. What this means in practice: PDF, Word, Excel and other file formats that provide for digital signatures should remain in those formats.
File formats that don't provide for digital signatures should be signed using a detached signature. The recommended standard for detached signatures is the .p7b file type–A PKCS#7 digital signature structure without the data. Here is an example of signing data with a detached signature from my company.
This means that the "Relying Party" -- the person downloading/receiving the information -- would download two files. The first is the original data file, unchanged. The second file will be the detached signature for the first.
Benefits The signed file formats that directly support digital signatures can have their signatures verified using the file's usual software app. Ie, the free Adobe PDF Reader app knows how to verify digitally signed PDFs. In the same way, MS Word know how to verify signed Word files.
And for the other file types, the associated detached signature file will guarantee to the recipient that the file was not modified since it was signed and who the signer was (depending on the trust issue, see below).
Re database storage -- you don't care how the data is stored on the different servers (database, file system, etc.) In any or all cases, the data should remain unchanged.
How to establish trust between the signer and the recipient
I suggest that the organization create its own root certificate. You can then put the certificate as a file on your SSL web site. (Your web site's SSL certificate should be from a CA, eg Comodo, VeriSign, etc.) The result is that people who trust your web site's SSL certificate can then trust your organizational certificate. And your signers' certificates should be chained to your organization's certificate, thus establishing trust for the recipients.
This method of creating a self-signed organizational certificate is low cost and provides a high level of trust. But relying parties will need to download and install your organization's certificate.
If that is not good, you can get certificates for your signers from a public Certificate Authority (CA), but that will drive up the cost by at least an order of magnitude due to the charges from the CA. My company, CoSign, supports all of these configurations.
My root certificates are stored as several files in ASN.1 format.
Assume I have a chained end entity certificate in the same format. How do I efficiently determine the root certificate of this certificate?
Currently I have to take a brute force approach which extracts the public key of the end entity certificate and validates that against all root certificates and the first match is considered the root certificate. Is this the right approach??
To find the issuer of a certificate, you should use the "Issuer DN" and match it with the "Subject DN" of the certificates in your CA store. This should reduce significantly the number of signature verification.
It is possible to have different CA certificates with the same "Subject DN" (with different public keys, validity dates, etc.), so your algorithm should be prepared to handle that. The "Subject Key Identifier" and "Authority Key Identifier" can also help to reduce the number of candidates.
Finding the issuing authority is only a small part of the "right approach" to validating certificates. I would advise you to look at part 6 of http://www.ietf.org/rfc/rfc5280.txt "Certification Path Validation". Some parts are most probably overkill (i.e. most things having to do with policies).