RFC 7250 raw public keys?

Viktor Dukhovni openssl-users at dukhovni.org
Wed Jul 8 17:51:50 UTC 2020 

On Wed, Jul 08, 2020 at 01:31:04PM -0400, Felipe Gasper wrote:

> > On Jul 8, 2020, at 12:59 PM, Viktor Dukhovni <openssl-users at dukhovni.org> wrote:
> > 
> > On Wed, Jul 08, 2020 at 12:48:38PM -0400, Felipe Gasper wrote:
> > 
> >> Does OpenSSL support authentication via raw public keys? (RFC 7250) I
> >> can’t find anything to this effect on openssl.org.
> > 
> > These are not presently supported.  However, you can use DANE-EE(3) TLSA
> > records to authenticate essentially empty leaf certificates:
> 
> That would also require changes to DNS, right?

Sure, but DANE-EE(3) is just one way to authenticate a stand-alone
self-signed certificate.  Indeed OpenSSL does not do the DNS lookups,
you can store the matching digest anywhere and retrieve it in whatever
way makes sense for your application.  You can even compute it on the
fly from a copy of the expected certificate.

Postfix (in which I'm the maintainer of the TLS stack), creates
synthetic DANE TLSA records as the way that it matches certificates
by pre-configured "fingerprint" values.

That said, you also don't need to use DANE authentication, you can
implement your own certificate verification callbacks, ...

My point was primarily that a bit of space overhead side, a minimal
X.509 certificate is in most cases equivalent to a bare public key,
but has broader API support.

> What I’m looking for is a way to authenticate a user over TLS in
> essentially the same manner that SSH’s handshake uses, where a
> signature of a shared secret validates the public key, which is on a
> preconfigured allowlist. I could do it post-handshake by using RFC
> 5705 key material exports as the shared secret--this usage seems to
> exemplify the intent of that extension--but TLS raw public keys seem a
> bit closer to “prior art”.

Indeed DANE is only a good fit for authenticating servers, for
authenticating clients, you just want to compute a public key
fingerprint and do a database lookup.

This is also supported in Postfix, just don't authenticate
the client cert at all (no PKI), grab the key digest and
use it directly for access control.

-- 
    Viktor.

More information about the openssl-users mailing list