securedrop
Add support for generating signed CSRs for Harica and Digicert in securedrop-admin
Description
Harica and Digicert now apparently require that CSRs for certs for onion services be signed with the service's private key. Harica have written a tool to support this: https://github.com/HARICA-official/onion-csr
Unfortunately it requires that Ruby and gcc be available on the machine running the Tor daemon (or that you copy the hsdir contents to wherever you run the tool). Given that the tool itself seems to be pretty simple (generate a CSR, sign it), and the keys are available on an instance's Admin Workstation, it might make sense to port to Python and fold this functionality into the securedrop-admin tool.
The relevant spec is in Appendix B of this doc: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.7.4.pdf
User Research Evidence
Some instances do use HTTPS and will require this to update their certs in the future
User Stories
As an admin I want to be able to request/renew certificates without adding to the application server's attack surface.
Another alternative would be to document the process of temporarily installing and using the onion-csr tool above in Tails, which would go a little like this:
In the Tails admin workstation, with an admin password set:
```
$ cd ~/
...git clone with submodules as per docs
$ sudo apt-get install ruby-dev rubygems build-essential
...choose "install only once"
$ torify gem install --user-install ffi
$ gcc -shared -o libed25519.so -fPIC ed25519/src/*.c
...confirm it works:
$ ./onion-csr -h
...now copy over the public and secret key for the source service...
$ mkdir hsdir
$ ssh app sudo cat /var/lib/tor/sourcev3/hostname > hsdir/hostname
$ ssh app sudo cat /var/lib/tor/sourcev3/hs_ed25519_public_key > hsdir/hs_ed25519_public_key
$ ssh app sudo cat /var/lib/tor/sourcev3/hs_ed25519_secret_key > hsdir/hs_ed25519_secret_key
... generate ye CSR:
$ ./onion-csr -n <your nonce here> -d ./hsdir
... nuke the local keys...
$ srm -rf ./hsdir
```
The onion-csr tool just looks like a wrapper around openssl, I suspect it's possible to do this with just plain openssl commands. The tricky part might be adding in the nonces. I searched around a bit and found stuff like https://mdleom.com/blog/2021/07/04/ecdsa-tls-tor-caddy/, except that guide generates a new private key instead of using the hidden service's key and doesn't include the nonce.
Yeah, the nonce comes from the CA so it would just have to be input rather than generated - IIRC the only non-openssl thing that the Harica tool is doing is the ed25519 signing operation. But it seems pretty straightforward.
For me it's an open question as to whether reusing the service keys like this is a good idea - if nothing else it seems like they'd need to be added in the Apache config as well? But I can't point to an obvious problem with it.
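As an added illustration of what the Python port discussed in this issue would have to do (this is example code written for this page, not securedrop-admin or HARICA's onion-csr), the block below reads the two Tor key files, derives the onion address from the public key, builds a PKCS#10 certificationRequestInfo whose subject key is the service's ed25519 key and whose attributes carry the two BR Appendix B nonces (caSigningNonce 2.23.140.41, supplied by the CA, and applicantSigningNonce 2.23.140.42, at least 64 bits generated by the applicant), and signs it with the service key. It needs its own ed25519 arithmetic because Tor stores the secret key in expanded form (clamped scalar followed by the 32-byte prefix) rather than as a seed, which stock openssl cannot load; that is the one non-openssl step the thread identifies. The `tor_key_files_from_seed` helper fabricates key files in Tor's on-disk layout from a constructed seed (the RFC 8032 test-vector seed is used only as test input) so the example runs without a real service; in practice the bytes come from `hs_ed25519_secret_key` and `hs_ed25519_public_key`. No SAN extension request is included, and nothing here talks to a CA or writes key material to disk.

```python
"""PKCS#10 CSR for a v3 onion service, signed with the service's own ed25519 key and
carrying the CA/B Forum BR Appendix B signing nonces. Added example, stdlib only."""
import base64
import hashlib
import secrets

_P = 2**255 - 19
_L = 2**252 + 27742317777372353535851937790883648493
_D = (-121665 * pow(121666, _P - 2, _P)) % _P

def _add(a, b):  # extended twisted-Edwards coordinates (X, Y, Z, T), RFC 8032 formulas
    x1, y1, z1, t1 = a
    x2, y2, z2, t2 = b
    A, B = (y1 - x1) * (y2 - x2) % _P, (y1 + x1) * (y2 + x2) % _P
    C, D = 2 * t1 * t2 * _D % _P, 2 * z1 * z2 % _P
    E, F, G, H = B - A, D - C, D + C, B + A
    return (E * F % _P, G * H % _P, F * G % _P, E * H % _P)

def _mul(s, pt):  # scalar multiplication by double-and-add
    acc = (0, 1, 1, 0)
    while s:
        if s & 1:
            acc = _add(acc, pt)
        pt, s = _add(pt, pt), s >> 1
    return acc

def _encode(pt):  # 32-byte point encoding: y with the low bit of x in the top bit
    x, y, z, _ = pt
    zi = pow(z, _P - 2, _P)
    return ((y * zi % _P) | ((x * zi % _P & 1) << 255)).to_bytes(32, "little")

def _decode(raw):
    y = int.from_bytes(raw, "little")
    sign, y = y >> 255, y & ((1 << 255) - 1)
    x2 = (y * y - 1) * pow(_D * y * y + 1, _P - 2, _P) % _P
    x = pow(x2, (_P + 3) // 8, _P)
    if (x * x - x2) % _P:
        x = x * pow(2, (_P - 1) // 4, _P) % _P
    if (x * x - x2) % _P:
        raise ValueError("point not on curve")
    x = x if (x & 1) == sign else _P - x
    return (x, y, 1, x * y % _P)

_B = _decode((4 * pow(5, _P - 2, _P) % _P).to_bytes(32, "little"))  # base point, y = 4/5
def _h(*parts):  # SHA-512 of the parts, read as a little-endian scalar mod L
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little") % _L

def ed25519_sign_expanded(expanded, msg):  # expanded = clamped scalar a || 32-byte prefix
    a = int.from_bytes(expanded[:32], "little")
    pub, r = _encode(_mul(a, _B)), _h(expanded[32:], msg)
    R = _encode(_mul(r, _B))
    return R + ((r + _h(R, pub, msg) * a) % _L).to_bytes(32, "little")

def ed25519_verify(pub, msg, sig):  # standard RFC 8032 check: S*B == R + k*A
    R, S = sig[:32], int.from_bytes(sig[32:], "little")
    if S >= _L:
        return False
    rhs = _add(_decode(R), _mul(_h(R, pub, msg), _decode(pub)))
    return _encode(_mul(S, _B)) == _encode(rhs)

_SEC_TAG = b"== ed25519v1-secret: type0 ==".ljust(32, b"\0")  # Tor's 32-byte file headers
_PUB_TAG = b"== ed25519v1-public: type0 ==".ljust(32, b"\0")
def tor_key_files_from_seed(seed):  # constructed test data in Tor's on-disk layout
    h = bytearray(hashlib.sha512(seed).digest())
    h[0], h[31] = h[0] & 248, (h[31] & 127) | 64  # RFC 8032 clamping; Tor stores the result
    return _SEC_TAG + bytes(h), _PUB_TAG + _encode(_mul(int.from_bytes(h[:32], "little"), _B))

def load_tor_keys(secret_file, public_file):  # hs_ed25519_secret_key / hs_ed25519_public_key bytes
    ok = secret_file[:32] == _SEC_TAG and public_file[:32] == _PUB_TAG
    if not ok or len(secret_file) != 96 or len(public_file) != 64:
        raise ValueError("not a Tor ed25519v1 key pair")
    expanded, pub = secret_file[32:], public_file[32:]
    if _encode(_mul(int.from_bytes(expanded[:32], "little"), _B)) != pub:
        raise ValueError("public key file does not match secret key")
    return expanded, pub

def onion_address(pub):  # rend-spec-v3: base32(pub || sha3-256 checksum[:2] || 0x03)
    chk = hashlib.sha3_256(b".onion checksum" + pub + b"\x03").digest()[:2]
    return base64.b32encode(pub + chk + b"\x03").decode().lower() + ".onion"

def _tlv(tag, body):  # minimal DER encoder
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
_ED25519 = _tlv(0x30, b"\x06\x03\x2b\x65\x70")  # AlgorithmIdentifier for id-Ed25519 (1.3.101.112)

def onion_csr_info(pub, ca_nonce, applicant_nonce):  # certificationRequestInfo, the signed part
    name = onion_address(pub).encode()
    subject = _tlv(0x30, _tlv(0x31, _tlv(0x30, b"\x06\x03\x55\x04\x03" + _tlv(0x0C, name))))  # CN
    spki = _tlv(0x30, _ED25519 + _tlv(0x03, b"\x00" + pub))  # the onion key is the subject key
    attrs = (_tlv(0x30, b"\x06\x04\x67\x81\x0c\x29" + _tlv(0x31, _tlv(0x04, ca_nonce)))  # 2.23.140.41 caSigningNonce
             + _tlv(0x30, b"\x06\x04\x67\x81\x0c\x2a" + _tlv(0x31, _tlv(0x04, applicant_nonce))))  # 2.23.140.42 applicantSigningNonce
    return _tlv(0x30, _tlv(0x02, b"\x00") + subject + spki + _tlv(0xA0, attrs))

def build_onion_csr(expanded, pub, ca_nonce, applicant_nonce=None):
    info = onion_csr_info(pub, ca_nonce, applicant_nonce or secrets.token_bytes(16))  # BR: >= 64 bits
    return _tlv(0x30, info + _ED25519 + _tlv(0x03, b"\x00" + ed25519_sign_expanded(expanded, info)))
```

The DER returned by `build_onion_csr` can be written out and inspected with `openssl req -inform DER -in onion.csr -noout -text -verify` (OpenSSL 1.1.1 or later understands Ed25519 signatures; the two nonce attributes show up as unknown OIDs). `load_tor_keys` refuses a public key file that does not match the secret key, which catches the obvious copy-and-paste mistake when the files are fetched one at a time as in the Tails steps above.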