Security/Tizen 2.X ca-certificates

From Tizen Wiki

Introduction

  • Certification authority (CA) certificates are certificates that are issued by a CA to itself or to a second CA for the purpose of creating a defined relationship between the two CAs.
  • Trusted certificates are typically used to make secure connections to a server over the Internet. A certificate is required so that a malicious party on the network path to the target server cannot pretend to be the target. Such a scenario is commonly referred to as a man-in-the-middle attack. The client uses the CA certificate to verify the CA signature on the server certificate, as part of the checks before establishing a secure connection. Usually, client software (for example, a browser) includes a set of trusted CA certificates. That makes sense inasmuch as users need to trust their client software: a malicious or compromised client can skip any security check and still fool its users into believing otherwise.
  • The customers of a CA are server administrators who need a certificate that their servers will present to clients. Commercial CAs charge to issue certificates, and their customers expect the CA's certificate to be included by most web browsers, so that secure connections to the certified server work smoothly out of the box. The number of web browsers and other devices and applications that trust a particular certificate authority is referred to as ubiquity. Mozilla, which is a non-profit organization, distributes several commercial CA certificates with its products. While Mozilla developed their own policy, the CA/Browser Forum developed similar guidelines for CA trust. A single CA certificate may be shared among multiple CAs or their resellers. A root CA certificate may be the base to issue multiple intermediate CA certificates with varying validation requirements.
  • Aside from commercial CAs, some providers issue digital certificates to the public at no cost; a noteworthy example is CAcert. Large institutions or government entities may have their own PKIs, each including their own CAs. Formally, any site using self-signed certificates acts as its own CA too. At any rate, decent clients allow users to add or remove CA certificates at will. While server certificates usually last for a rather short period, CA certificates last much longer, so, for frequently visited servers, it is less error-prone to import and trust the CA that issues their certificates rather than confirm a security exception every time the server's certificate is renewed.
  • A less frequent usage of trusted certificates is for encrypting or signing messages. CAs issue end-user certificates too, which can be used with S/MIME. However, encryption requires the recipient's public key and, since authors and recipients of encrypted messages presumably know one another, the usefulness of a trusted third party remains confined to the signature verification of messages sent to public mailing lists.

CA certificates in Tizen

  • The Tizen platform has a set of system-trusted CA certificates for SSL (Secure Sockets Layer).
    • Directories
      • The /etc/ssl/certs directory holds all system-trusted CA certificates in PEM format. This path is actually a symbolic link to the real certificate repository (/opt/etc/ssl/certs). A second link (/opt/share/cert-svc/certs/ssl) also points to this repository.
      • The file name of each CA certificate is the hash value of its subject. You can get these hash values using openssl commands. In the session below, the file name 00673b5b.0 matches the value printed by -subject_hash_old, not the one printed by -subject_hash.
 sh-3.2# ls -al /etc/ssl/certs
 lrwxrwxrwx 1 root root 19 Jan 12  2015 /etc/ssl/certs -> /opt/etc/ssl/certs/
 sh-3.2# ls -al /opt/etc/ssl/certs/
 total 2148
 drwxr-xr-x 2 root root 12288 Jan 12  2015 .
 drwxr-xr-x 3 root root  4096 Jan 12  2015 ..
 -rw-r--r-- 1 root root  4767 Mar  6  2014 00673b5b.0
 lrwxrwxrwx 1 root root    10 Jan 12  2015 02265526.0 -> 455f1b52.0
 lrwxrwxrwx 1 root root    10 Jan 12  2015 024dc131.0 -> f61bff45.0
 lrwxrwxrwx 1 root root    10 Jan 12  2015 039c618a.0 -> 56b8a0b6.0
 sh-3.2# ls -al /opt/share/cert-svc/certs/ssl
 lrwxrwxrwx 1 root root 18 Jan 12  2015 /opt/share/cert-svc/certs/ssl -> /opt/etc/ssl/certs
 sh-3.2# ls -al /opt/share/cert-svc/ca-certificate.crt
 -rwxr-xr-x 1 root app 208315 Jan  9  2015 /opt/share/cert-svc/ca-certificate.crt
 sh-3.2# openssl x509 -subject_hash -noout  -in 00673b5b.0
 2e4eed3c
 sh-3.2# openssl x509 -subject_hash_old -noout  -in 00673b5b.0
 00673b5b
  • The Tizen platform also keeps the CA certificates in a second form: the ca-certificate.crt file contains all system-trusted CA certificates.
 sh-3.2# cat /opt/share/cert-svc/ca-certificate.crt
 -----BEGIN CERTIFICATE-----
 MIIEEjCCAvqgAwIBAgIPAMEAizw8iBHRPvZj7N9AMA0GCSqGSIb3DQEBBAUAMHAx
 KzApBgNVBAsTIkNvcHlyaWdodCAoYykgMTk5NyBNaWNyb3NvZnQgQ29ycC4xHjAc
 BgNVBAsTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEhMB8GA1UEAxMYTWljcm9zb2Z0
 ... ...
 BOSoRQTIWjM4bk0cDWK3CqKM09VUP0bNHFWmcNsSOoeTdZ+n0qA=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIEIDCCAwigAwIBAgIQNE7VVyDV7exJ9C/ON9srbTANBgkqhkiG9w0BAQUFADCB
 qTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
 ... ...
  • How to protect CA certificates in devices
    • System-trusted CA certificates in the Tizen platform are protected by root privilege. All users can read them, but only the root user can modify them.
    • For now, a user cannot add his or her own user-trusted CA certificates for SSL. This feature will be provided soon.
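
The hashed directory layout and the root-only write protection described above can both be checked on a device with a short audit script. This is an added example, not part of the original wiki page or of Tizen tooling: the function names are illustrative, it uses only the openssl options shown in the session above, and it assumes a flat store in which every link points to a file in the same directory.

```shell
#!/bin/sh
# Added example: audit a flat hashed CA store such as /opt/etc/ssl/certs.
# Function names are illustrative, not Tizen tooling.

# Files or directories in the store that group or other may write to.
writable_entries() {
    store=$(cd "$1" && pwd -P) || return 1
    find "$store" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print
}

# Symlinks that dangle or whose target lies outside the store directory.
escaping_links() {
    store=$(cd "$1" && pwd -P) || return 1
    find "$store" -type l -print | while IFS= read -r link; do
        target=$(readlink "$link")
        case $target in
            /*) dir=$(dirname "$target") ;;
            *)  dir=$(dirname "$link")/$(dirname "$target") ;;
        esac
        real=$(cd "$dir" 2>/dev/null && pwd -P) || real=
        if [ "$real" != "$store" ] || [ ! -e "$link" ]; then
            printf '%s -> %s\n' "$link" "$target"
        fi
    done
}

# Entries whose name matches neither the old nor the new subject hash.
misnamed_certs() {
    command -v openssl >/dev/null 2>&1 || return 2
    store=$(cd "$1" && pwd -P) || return 1
    for f in "$store"/*; do
        [ -f "$f" ] || continue            # dangling links are reported above
        name=$(basename "$f"); name=${name%.*}
        old=$(openssl x509 -subject_hash_old -noout -in "$f" 2>/dev/null) || old=
        new=$(openssl x509 -subject_hash -noout -in "$f" 2>/dev/null) || new=
        [ "$name" = "$old" ] || [ "$name" = "$new" ] || printf '%s\n' "$f"
    done
}

# Run every check; exit status 1 means at least one finding.
audit_store() {
    rc=0
    for check in writable_entries escaping_links misnamed_certs; do
        out=$("$check" "$1") || out="$check could not run"
        [ -z "$out" ] || { printf '[%s]\n%s\n' "$check" "$out"; rc=1; }
    done
    return "$rc"
}

[ "$#" -eq 0 ] || audit_store "$1"
```

Pass the store path as the only argument, for example /etc/ssl/certs; an exit status of 1 means at least one finding was printed.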