Add 802.1X (PNAC) and SCEP certificate enrollment support #136
Conversation
milan-zededa
force-pushed
the
802-1x
branch
2 times, most recently
from
455144a to
6d8319d
Compare
This change introduces API support for IEEE 802.1X port-based network access control (PNAC) and certificate enrollment using SCEP. Key additions include: - PNAC configuration for physical Ethernet ports, including EAP method selection and certificate enrollment profile binding. - SCEP configuration profiles defining server access, trust anchors, challenge passwords, and CSR parameters. - Unified key and hash algorithm definitions for certificate enrollment. - Device info reporting for enrolled certificates and per-port 802.1X supplicant state. - Per-port 802.1X metrics (EAPOL counters) for observability. - A controller-side SCEP proxy API for relaying SCEP requests when direct server access is not possible. These API extensions enable certificate-based 802.1X authentication (EAP-TLS) on edge devices while supporting both direct and controller-proxied SCEP deployments. Signed-off-by: Milan Lenco <milan@zededa.com>
No functional changes; generated code and assets only. Signed-off-by: Milan Lenco <milan@zededa.com>
| * The Controller MUST verify that the requested SCEP server URL corresponds to a SCEP profile | ||
| enabled for the given Edge Device. | ||
| * Requests targeting unauthorized SCEP servers (not configured for use by the given device) | ||
| MUST be rejected. |
There was a problem hiding this comment.
Why does the device need to know the URL? Is this because you want the controller to behave like a https proxy?
| * The Device MUST unwrap the SCEP response. | ||
| * For PKI_MESSAGE responses: | ||
| * The response payload MUST be decrypted using the Device’s SCEP private key. | ||
| * The CA signature on the response MUST be validated. |
There was a problem hiding this comment.
Which chain(s) and root(s) should this be verified agaist? The usual TLS root CAs or something more limited?
|
|
||
| #### Security Properties | ||
|
|
||
| * The Device private key used for SCEP enrollment never leaves the Edge Device. |
There was a problem hiding this comment.
Is the private key generated by the TPM and kept in the TPM?
|
|
||
| // Certificate enrollment profile to use (currently SCEP only). | ||
| // Relevant only when the selected EAP method requires a certificate (e.g., EAP-TLS). | ||
| UUIDandVersion cert_enrollment_profile = 10; |
There was a problem hiding this comment.
Does some standards define UUIDs for the these profiles? Or are we assuming that the controller will generate them? (I'm curious because the addition of a version to the UUID is a local EVE API thing.)
There was a problem hiding this comment.
Ah - if you add a reference to the SCEPProfile message in the comment it would be easier to follow.
|
|
||
| // Trusted CA certificates used for SCEP operations. | ||
| // Required by RFC 8894, Section 2.2. | ||
| // These certificates are used to encrypt certificate enrollment requests |
There was a problem hiding this comment.
Which of the potentially multiple certificates are used for encryption?
| // X.509 Distinguished Name (DN) attributes. | ||
| string common_name = 2; // CN | ||
| string organization = 3; // O | ||
| string organizational_unit = 4; // OU | ||
| string country = 5; // C | ||
| string state = 6; // ST | ||
| string locality = 7; // L | ||
|
|
||
| // X.509 Subject Alternative Name (SAN) attributes. | ||
| repeated string san_dns = 10; // DNS names | ||
| repeated string san_ip = 11; // IP addresses | ||
| repeated string san_uri = 12; // URIs | ||
| repeated string san_email = 13; // Email addresses | ||
|
|
||
| // Issuer Distinguished Name (DN) attributes. | ||
| string issuer_common_name = 20; // Issuer CN | ||
| string issuer_organization = 21; // Issuer O | ||
| string issuer_organizational_unit = 22; // Issuer OU | ||
| string issuer_country = 23; // Issuer C | ||
| string issuer_state = 24; // Issuer ST | ||
| string issuer_locality = 25; // Issuer L | ||
|
|
||
| // Certificate validity period. | ||
| google.protobuf.Timestamp issue_timestamp = 30; // notBefore | ||
| google.protobuf.Timestamp expiration_timestamp = 31; // notAfter | ||
|
|
||
| // SHA-256 fingerprint of the certificate (hex-encoded). | ||
| string sha256_fingerprint = 35; |
There was a problem hiding this comment.
Is there no existing definition of this somewhere else?
Some details might be off, for insteance I think there can be multiple OUs. So importing from somewhere else would be preferred.
|
|
||
| import "google/protobuf/timestamp.proto"; | ||
|
|
||
| // Device-reported information about an enrolled X.509 certificate. |
There was a problem hiding this comment.
Can we and should we associate these certificates with logical_labels?
2 participants
This change introduces API support for IEEE 802.1X port-based network
access control (PNAC) and certificate enrollment using SCEP.
Key additions include:
selection and certificate enrollment profile binding.
challenge passwords, and CSR parameters.
supplicant state.
server access is not possible.
These API extensions enable certificate-based 802.1X authentication
(EAP-TLS) on edge devices while supporting both direct and
controller-proxied SCEP deployments.