Skip to content

grandamp/rest-service

Repository files navigation

rest-service

Build Status

OpenAPI v3 Compliance

Example Implementations:

A WIP to replace the Treasury SCVP service, with something more modern.

Why? Many mTLS use-cases involve complex certificate validation in the application layer, which is hard to scale.

This implementation is intended to allow a relying party/team to centralize that validation using a simple API, easily hosted by the relying party/team locally, or via AWS Elastic Beanstalk.

Here is some basic performance information.

Example use/business-case (mTLS Client Certificate Validation)

After authenticating a user via mTLS (preferably using RFC9151 (CNSA) requirements), the mTLS relying party can request validation from the service to determine if the certificate that is bound to the private key meets a given organization/team derived validation policy.

Consider the U.S. Federal PKI, and; NIST SP 800-63-3. If you would like to determine if a given mTLS user is leveraging IAL3/AAL3 credentials, a suitable validation policy from an RFC 5280 perspective may be:

(a)  a prospective certification path of length n == {all FPKI Intermediates that have a relationship with FCPCAG2}
(b)  the current date/time
(c)  user-initial-policy-set ==
       {
            2.16.840.1.101.3.2.1.3.7,
            2.16.840.1.101.3.2.1.3.13,
            2.16.840.1.101.3.2.1.3.15,
            2.16.840.1.101.3.2.1.3.16,
            2.16.840.1.101.3.2.1.3.18,
            2.16.840.1.101.3.2.1.3.41 
       }
(d)  trust anchor information == {FCPCAG2}
(e)  initial-policy-mapping-inhibit == false
(f)  initial-explicit-policy == true
(g)  initial-any-policy-inhibit == true
(h)  initial-permitted-subtrees == null
(i)  initial-excluded-subtrees == null

I.e., DoD produces a list of approved policies, however; there is no claimed resolution of IAL/AAL of each policy per NIST 800-63.

This service can implement such a policy using the service's following validationPolicy definition:

{
  "validationPolicyId": "cc54e0ec-49da-333a-8150-2dd00b758b17",
  "validationPolicyName": "aal3",
  "validationPolicyDescription": "Derived from legacy LOA4 validation policy (2.16.840.1.101.10.2.18.2.1.4)",
  "trustAnchors": [
    {
      "x5t#S256": "X5rswkYWshkTcmAN2A9t0yDIyloM638JyYXr8GlpNPw=",
      "x509Certificate": "MIIF3TCCA8WgAwIBAgIUIeW5oMyVbeJ4ygErqP3Fipiz++owDQYJKoZIhvcNAQEMBQAwXDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDENMAsGA1UECxMERlBLSTEkMCIGA1UEAxMbRmVkZXJhbCBDb21tb24gUG9saWN5IENBIEcyMB4XDTIwMTAxNDEzMzUxMloXDTQwMTAxNDEzMzUxMlowXDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDENMAsGA1UECxMERlBLSTEkMCIGA1UEAxMbRmVkZXJhbCBDb21tb24gUG9saWN5IENBIEcyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA19fTFzEmIRgQKkFty6+99sRRjCTYBYh7LloRpCZs4rgpBk+/5P4aZYd5v01GYBfOKywGJyFh4xk33/Q4yACoOT1uZOloNq/qhhT0r92UogKf77n5JgMhvg/bThVB3lxxahZQMM0YqUhg1rtaKRKsXm0AplhalNT6c3mA3YDSt4+75i105oE3JbsFjDY5DtGMYB9JIhxobtWTSnhL5E5HzO0GVI9UvhWAPVAhxm8oT4wxSOIjZ/MywXflfBrDktZu1PNsJkkYJpvFgDmSFuEPzivcOrytoPiPfgXMqY/P7zO4opLrh2EV5yA4XYEdoyA2dVD8jmm+Lk7zgRFah/84P2guxNtWpZAtQ9Nsag4w4EmtRq82JLqZQlyrMbvLvhWFecEkyfDzwGkFRIOBn1IbUfKTtN5GWpndl8HCUPbR2i7hpV9CFfkXTgsLGTwMNV2xPz2xThrLDu0jrDG+3/k42jB7KH3SQse72yo6MyNF46uumO7vORHlhOTVkWyxotBU327XZfq3BNupUDL6+R4dUG+pQADSstRJ60gePp0IAtQSHZYd1iRiXKpTLl0kofB2Y3LgAFNdYmaHrbrid0dlKIs9QioDwjm+wrDLAmuT4bjLZePhc3qt8ubjhZN2Naz+4YP5+nfSPPClLiyM/UT2el7eY4l6OaqXMIRfJxNIHwcCAwEAAaOBljCBkzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU9CdcqcN8R/T6pqewWZeq3TUmF+MwUQYIKwYBBQUHAQsERTBDMEEGCCsGAQUFBzAFhjVodHRwOi8vcmVwby5mcGtpLmdvdi9mY3BjYS9jYUNlcnRzSXNzdWVkQnlmY3BjYWcyLnA3YzANBgkqhkiG9w0BAQwFAAOCAgEAAWQ3MAzwzr3O1RSBkg06NCj7eIL7/I5fwTBLhpoMhE0XoaoPUie0gqRo3KO2MhuBtacjy55ihIY87hShGoKQcbA1fh7e4Cly5QkOY+KbQsltkKzgod2zmPyC0bEOYD2LO141HyeDWdQ6dDXDz6dr8ObntOfMzgdo7vodCMuKU8+ysTdxRxTCi6AVz3uqe5k+ObJYpC0aXHNMy1OnFgL6oxMeGMlSecU/QUAIf0ncDurYFSctFwXitTC0CrcLO9/AGHqTFSHzUrIlbrgd/aGO+E3o3QoU+ThCPPnu1K2KZLG4pyMqdBm4y7rVGPRikLmFhIv/b6b2CL8yiYL0+mJDcrTVs0PYfALtQxMpSA8n053gajlPwhG3O5jcL8SzqlaGPmGqpnEi9aWAYHJXTzbjzGUAc2u8+Kw8Xv4JffhVWIxVKH4NS5PCtgXwxifgrmPi0/uU1w0crclEsSsya7FIBVRTURoSwwda25wIIWPIkQsQK1snJxgEyUzXi10MUDR0WSDqQAdhbOLcmcyhED5hphYQnf8sD8FpoUDjoLCPkU/ytfZoplmcBM4SQ4Ejgjyk63vMqBDcCMXTHciFTsV2e+aReLvIvU4YmaBQQl3vCFj1qMPIkRsTby1Ff8hRDQG3kH0vefcVtcicsdU8kV2Mee/xJ/c0cIHZWMw0HoRZPbo=",
      "X509SubjectName": "CN=Federal Common Policy CA G2, OU=FPKI, O=U.S. Government, C=US"
    }
  ],
  "userPolicySet": [
    "2.16.840.1.101.3.2.1.3.7",
    "2.16.840.1.101.3.2.1.3.13",
    "2.16.840.1.101.3.2.1.3.15",
    "2.16.840.1.101.3.2.1.3.16",
    "2.16.840.1.101.3.2.1.3.18",
    "2.16.840.1.101.3.2.1.3.41"
  ],
  "inhibitPolicyMapping": false,
  "requireExplicitPolicy": true,
  "inhibitAnyPolicy": true,
  "validCacheLifetime": 900,
  "inValidCacheLifetime": 900,
  "cmsIntermediateHintListUri": [
    "https://raw.githubusercontent.com/grandamp/rest-service/main/configuration/FCPCAG2-Intermediates/valid-c21f969b-5f03-333d-83e0-4f8f136e7682-current.p7b",
    "https://raw.githubusercontent.com/GSA/ficam-playbooks/federalist-pages/_fpki/tools/CACertificatesValidatingToFederalCommonPolicyG2.p7b",
    "https://monitor.certipath.com/fpki/download/all/p7b/"
  ],
  "cmsIntermediateHintListRefresh": 900,
  "excludeIntermediates": [
    {
      "x509SubjectName": "CN=Federal Common Policy CA G2,OU=FPKI,O=U.S. Government,C=US",
      "x509IssuerName": "CN=Federal Common Policy CA G2,OU=FPKI,O=U.S. Government,C=US",
      "excludeReason": "current trust anchor",
      "x5t#S256": "X5rswkYWshkTcmAN2A9t0yDIyloM638JyYXr8GlpNPw="
    },
    {
      "x509SubjectName": "CN=Federal Bridge CA G4,OU=FPKI,O=U.S. Government,C=US",
      "x509IssuerName": "CN=TSCP SHA256 Bridge CA,OU=CAs,O=TSCP Inc.,C=US",
      "excludeReason": "wrong direction",
      "x5t#S256": "OO5H7b6JjmMdoV5ecbtcTQG2M+YNqcml4gusdkopUl4="
    },
    {
      "x509SubjectName": "CN=Federal Bridge CA G4,OU=FPKI,O=U.S. Government,C=US",
      "x509IssuerName": "CN=STRAC Bridge Root Certification Authority,OU=STRAC PKI Trust Infrastructure,O=STRAC,C=US",
      "excludeReason": "wrong direction",
      "x5t#S256": "bDP35teW2+4ku8ODIZe6UwNDWfjQgbg05YygB8dze/E="
    },
    {
      "x509SubjectName": "CN=Federal Common Policy CA G2,OU=FPKI,O=U.S. Government,C=US",
      "x509IssuerName": "CN=Federal Bridge CA G4,OU=FPKI,O=U.S. Government,C=US",
      "excludeReason": "wrong direction",
      "x5t#S256": "C2WMJ3J9/WzUfjeK4jkOo3bZcI7PSwZ3X47nvFARmZE="
    },
    {
      "x509SubjectName": "CN=Federal Bridge CA G4,OU=FPKI,O=U.S. Government,C=US",
      "x509IssuerName": "CN=CertiPath Bridge CA - G3,OU=Certification Authorities,O=CertiPath,C=US",
      "excludeReason": "wrong direction",
      "x5t#S256": "8FU5ti7BioqYOiNPsidDa2/xDSEE11pxiOO4Fwp/grY="
    }
  ]
}

To validate a certificate that was presented by the client against this policy, the client simply needs to send the following request to the service (such as my example service), and parse the response {example via curl and jq}:

curl -v -X 'POST' \
'https://api.keysupport.org/vss/v2/validate' \
-H 'accept: application/json' \
-H 'Content-Type: application/json' \
-d '{
"validationPolicyId": "c21f969b-5f03-333d-83e0-4f8f136e7682",
"x509Certificate": "MIIFYjCCBEqgAwIBAgIRAOgIWMWQtieIECed/Q2JONIwDQYJKoZIhvcNAQELBQAwRjELMAkGA1UEBhMCVVMxIjAgBgNVBAoTGUdvb2dsZSBUcnVzdCBTZXJ2aWNlcyBMTEMxEzARBgNVBAMTCkdUUyBDQSAxRDQwHhcNMjIxMDEwMjAwMDU2WhcNMjMwMTA4MjAwMDU1WjAZMRcwFQYDVQQDEw5rZXlzdXBwb3J0Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALftackigK3dmFReOqr4txPVJrdTPRMbsz3+4ueBGtBd2OIKcFXDi8apCf76Fh8WBheDVOyDzUhkag+mTnPw0BXqYNyFntPcwosDkv7kviJgF4KmSWf3myTYmHoc0CAqoRqYsfTFkB7fK83OBnevqSZ8pgc2X7h6qSgx9Z/0dprl+2mWndIB82SZSCzpuaGXs5SPFDZVrB8Y7fUWqu1nPaTLfOzIlAIf8SHf1+f81D0Mg1rm/rAAi9HFwx+fLPnFvZUUWeErPEi9JmBJzU+TJdF3dDRldtJVgFdQXcvMMwgSjmlL+ToOwf/VRU/usIVGxLI/qoxLj+Y97ht5tzMILXMCAwEAAaOCAnYwggJyMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQHEqvLbOftuY4bf2Ojy3InQEZctzAfBgNVHSMEGDAWgBQl4hgOsleRlCrl1F2GkIPeU7O4kjB4BggrBgEFBQcBAQRsMGowNQYIKwYBBQUHMAGGKWh0dHA6Ly9vY3NwLnBraS5nb29nL3MvZ3RzMWQ0L1NRMUZ6enViUFlNMDEGCCsGAQUFBzAChiVodHRwOi8vcGtpLmdvb2cvcmVwby9jZXJ0cy9ndHMxZDQuZGVyMBkGA1UdEQQSMBCCDmtleXN1cHBvcnQub3JnMCEGA1UdIAQaMBgwCAYGZ4EMAQIBMAwGCisGAQQB1nkCBQMwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NybHMucGtpLmdvb2cvZ3RzMWQ0L0oyajNSQ2lFeTA0LmNybDCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB3AHoyjFTYty22IOo44FIe6YQWcDIThU070ivBOlejUutSAAABg8PAFU0AAAQDAEgwRgIhAInKXSrciK8OHtFWvQienDeIwBGCfDojh62EeoD62ngyAiEA6HO5HRCE00qCIKNCx6CuS9gDkvgrNm4xIS+gPc5Z8i8AdgCt9776fP8QyIudPZwePhhqtGcpXc+xDCTKhYY069yCigAAAYPDwBVHAAAEAwBHMEUCIQDOGktHy094r8OdqDhS7IPj44qJ1V9RRdR2ZEq4Sz5WOwIgcAlszeHnUNnp/jlDJPk1vIBJxh8/lokFwDBFiUU1EhAwDQYJKoZIhvcNAQELBQADggEBAGiaDoyFu4aLlLvsYnIVlTvf6bfUZ0xf3F9gSyjJBxFxFMF4BTiWWbCXGCpBT7+hHLSvq2fKKzKn2bR17XnDJkcVNBA5kxc9MQu6YE26+QkV4nk23hNidmaRimuiq4FLivsp/9gDrU+q5lutXP6n7EYI0ibXtuGk+Tx/qW9xvT4V9snhhw+4ks0Yw0B3AcdwNqRgmKYOftOLDPivLe5+lTmxbiMIPXSvkXzGVDFwj8/D8APp173Jg6XmHPHC9DSYF33e0q3nmmKQOV3PjR4mlFkY5Ewv9pKLJRnbwp01CArMs2YYdSqERZnLCH69lcHM/kuEKgMmdgLnEky2Xa03c84="
}' | jq

With the example above, the validation would fail, because a TLS client using my API gateway certificate would not validate successfully via the policy described above.

The service logs all requests, as well as all responses. This allows for post authentication analysis of the certificates to improve the overall infrastructure.

As a relying party, you can perform post-processing on the logs for:

Building and Testing

Deploying to AWS Elasitic Beanstalk

Current API Documentation & API Example

How to Contribute

The source repository exists here.

Public domain

This project is in the worldwide public domain.

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.

About

No description, website, or topics provided.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published