Bug 2117793

Summary: ca-certificates need to add support for signing certs for .NET [rhel-8.7.0]
Product: Red Hat Enterprise Linux 8 Reporter: Bob Relyea <rrelyea>
Component: ca-certificatesAssignee: Bob Relyea <rrelyea>
Status: CLOSED CURRENTRELEASE QA Contact: Alexander Sosedkin <asosedki>
Severity: medium Docs Contact:
Priority: medium    
Version: ---CC: asosedki, cllang, ssorce, szidek
Target Milestone: rcKeywords: Triaged, ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ca-certificates-2022.2.54-80.2.el8_6 Doc Type: Enhancement
Doc Text:
Feature: Object Signing certs have been added to ca-certificates. Reason: Application like .NET need to verify that downloaded code fragments came from some trusted source. The certificates that verify these code fragments are often different than certificates that verify TLS, and have different verification requirements. As such we need to mark those certs which have gone through some verification as valid for code signing. Result: New certs for code signing has been added. These certificates should only show up in /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem, /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt and /usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit. The latter two, the certs are marked with object signing only. Existing certs may have object signing permission addes. The new object signing certs may be expired.
 Story Points: ---
Clone Of:
: 2117794 2117796 2121485 (view as bug list) Environment:
Last Closed: 2023-06-05 16:27:51 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2117794, 2117796, 2121485    

Description Bob Relyea 2022-08-11 22:48:51 UTC 
Description of problem:

.NET depends on the internet infrastructure to provide certify the signatures on signed .NET objects. Traditionally the ca's which are used to sign objects are also the ca's that support TLS signing. .NET used the object signing oids EKU on the leaf certs to distinguish between actual object signing certs.

Mozilla used to provide certs that had object signing trust, but mozilla moved away from object signing for extensions and dropped support for those attributes. At the time mozilla dropped object signing, we checked with RHEL users, and dropped supplying any object signing certs as part of the distribution (we maintained the infrastructure, so users could create their own object signing certs).

As a result, when .NET came along they used the tls cert store rather than the object signing cert store. This broke when symantec, the major course of .net object signing certs, was dropped as an email/tls cert, which dropped it from mozilla's supplied roots. This happened around March 2021, and issues were immediately noticed in debian when the picked up the new mozilla root certs.

In 2021, we had discussions with Microsoft and the RH .NET team. For ca-certificates to pick up object signing certs, we needed a repeatable source of object signing cert, which only Microsoft could provide (unless we wanted to create our own root ca program, which we don't). Their was some general website that contained object-signing certs from Microsoft and TLS/Email certs from Mozilla. The issue was the site did not provide properly versioned  images, so we couldn't repeat a build from that site, so there is no way that debian and redhat and other distributions could provide predicable and identifiable versions of ca-certificates.

The problem was put on hold for a year because a solution wasn't available by the time we shipped the ca-certificates release.

.NET turned off object signing until the got agreement with Microsoft on using a microsoft provided object signing list which they shipped internally. Longer turn, they would use the extracted certificates in /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem when they were eventually supplied by the ca-certificate package.

In July 2022, Microsoft was still setting up the code-signing cert. One complication was that they needed both code-signing and time-stamping. Currently most certs that can do time-stampling also does code-signing (again leaf certs get the appropriate EKU), so the lists are combined. Microsoft supplied the first cut of the list to us for our release here:

https://gist.github.com/richlander/800fcac88d595cea225649b76a5361f4

How future releases are made are still TBD. Also we need to deal with Time Stamping in the future as well (will target the first cut of that on Fedora).

Code signing in processes as follows: The above list is just a pem list of code signing certs. That list is read and matched with the mozilla list. Any cert that is in both is lists has the code signing added to the mozilla cert. Any cert that has the same subject as the mozilla cert, but is different is dropped for now (p11-kit does not properly handle those certs). All remaining certs are added to the list as with the comment 'Microsoft code signing only'.

Note that the code signing certs includes expired certs. That is because the code signing signature is based on the time the object was signed, not the current time, so expired certs are still valid. This is why timestamping is important (the timestamp for the object needs to be verified as correct by a time stamping authority at signature time to prevent and end user from playing with their clock to back date the signature to make an expired cert still valid).




Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 1 Bob Relyea 2022-08-12 16:12:03 UTC 
original debian ticket for reference: https://github.com/NuGet/Announcements/issues/49
Comment 10 Clemens Lang 2023-06-05 16:27:51 UTC 
RHEL 8.7 contains ca-certificates-2022.2.54-80.2.el8_6