
System trust configuration and local root keygen
Needs Review (Public)

Authored by eric_metricspace.net on Aug 3 2018, 1:54 AM.

Details

Reviewers
None
Group Reviewers
manpages
Summary

This is a part of the work on trust.

This adds a man page describing the system trust configuration, entries to the mtree files and hier(7) man page, and an rc script for generating local root keys.

This is not intended to be integrated anytime soon.

Test Plan

This has been tested out.

Diff Detail

Repository
rS FreeBSD src repository
Lint
Lint Skipped
Unit
Unit Tests Skipped

Event Timeline

An alternative I'm considering: have a seldom-used master key named something like "machine", "master", "root", etc. which is the local trust root key. Have "local" be an intermediate keypair, signed by this master key. The master key acts only as a key-signing certificate; it cannot sign code or issue general signatures. The local key can issue more general signatures.

Then have signelf default to the local key, rather than the master key.
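
The two-tier layout sketched above (a key-signing-only machine root that certifies a local key, with the local key doing the ordinary signing), as an added example using the openssl(1) CLI; it is not part of this revision or the rc script it adds, and the file names, DNs and the way the constraints are encoded (X.509 keyUsage/basicConstraints) are assumptions:

```shell
# Added example (not the review's rc script): model the two-tier layout
# described above with the openssl(1) CLI; names and paths are assumptions.
set -eu
WORK=$(mktemp -d)
CNF="$WORK/openssl.cnf"
# Constraints: the "machine" root may only certify keys (keyCertSign);
# the "local" key may only produce ordinary signatures (digitalSignature).
write_config() {
    cat > "$CNF" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[machine_ext]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign
[local_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
EOF
}

# Self-signed machine root, constrained to key signing only.
gen_machine_root() {
    openssl req -new -newkey rsa:2048 -nodes -config "$CNF" \
        -subj "/CN=machine trust root" \
        -keyout "$WORK/machine.key" -out "$WORK/machine.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/machine.csr" -signkey "$WORK/machine.key" \
        -days 3650 -extfile "$CNF" -extensions machine_ext \
        -out "$WORK/machine.pem" >/dev/null 2>&1
}

# Local signing key, certified by the machine root as a non-CA signer.
gen_local_key() {
    openssl req -new -newkey rsa:2048 -nodes -config "$CNF" \
        -subj "/CN=local signing key" \
        -keyout "$WORK/local.key" -out "$WORK/local.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/local.csr" -CA "$WORK/machine.pem" \
        -CAkey "$WORK/machine.key" -CAcreateserial -days 365 \
        -extfile "$CNF" -extensions local_ext \
        -out "$WORK/local.pem" >/dev/null 2>&1
}
# Exit 0 when certificate $1 chains to the machine root.
chains_to_root() { openssl verify -CAfile "$WORK/machine.pem" "$1" >/dev/null 2>&1; }
# Exit 0 when certificate $1 is permitted to produce ordinary data signatures.
can_sign_data() { openssl x509 -in "$1" -noout -text | grep -A1 'Key Usage' | grep -q 'Digital Signature'; }
```

A signing tool that defaults to `local.pem` then refuses the machine root for data signatures because its keyUsage lacks Digital Signature, while a verifier still accepts the local key because it chains to the root.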

bjk added a subscriber: bjk. Aug 4 2018, 1:31 AM

Trying to limit myself to reviewing as manpages and not getting into the design itself...

share/man/man7/trust-config.7
38

This is interpreted as "5)" being the macro argument. For parallelism, I'd suggest:

.Po see
.Xr signed-elf 5 Pc

39

Start new sentences on a new line, please.

43

TERMINOLOGY is not a standard section name (see mdoc(7)); perhaps a subsection is more appropriate, with a list for the individual terms?

69

intermediates are never leaf certs, right? Do you want to say that?

77

What are "assets"?

89

I'd suggest using a Bl variant that allows item heads and skipping the colons.

175

With the same file name, or DN/SAN? If the former, that's kind of an awkward requirement to impose.

185

I don't think Qq is very common -- I see a lot more Dq.

226

DEFAULT is also not a standard section name.

0mp added a subscriber: 0mp. Aug 8 2018, 9:48 AM

I've checked the mdoc syntax. It is going to be fine after the changes suggested by @bjk.

Cheers!

share/man/man7/trust-config.7
141

You may consider using Qq Pa for .pem (or Dq instead of Qq as suggested by @bjk).

142

You may consider using Qq Pa for .pem (or Dq instead of Qq as suggested by @bjk).

146

You may consider using Qq Pa for .pem (or Dq instead of Qq as suggested by @bjk).

185

Yeah, Dq is much more popular. In fact, you rarely see Qq and Sq in the wild: the only manpage I can remember that uses those a lot is sh(1).

Sq seems to be used primarily to quote single characters.

If I were to rewrite most manpages, I'd go for Qq instead of Dq, but it won't happen any time soon. 😄

Note: I want to let this sit for a while, and I'd prefer to commit this along with other components of the trust framework.

eric_metricspace.net edited the test plan for this revision. Aug 21 2018, 1:43 AM
eric_metricspace.net updated this revision to Diff 47011.

Added machine vs. local keys, fixed errors in the scripts, added checking for key expiry, fixed some other issues.

Fixed signing of local cert, and added default DN generation

bcr added a subscriber: bcr. Oct 20 2018, 9:30 PM

Can you bump the .Dd at the beginning of share/man/man7/hier.7 for this content change? Thanks!