From 977bcac2d56a8793ed93b4aac7016ef36b51a07f Mon Sep 17 00:00:00 2001 From: Dimitri Staessens Date: Fri, 12 Jun 2026 19:34:27 +0200 Subject: irmd: Add issuer and digest pinning to OAP A peer certificate that verifies against the CA store could have been issued by any trusted CA, and a peer could pick any supported digest for its signature. Tighten the authentication contract with two local policies. cacert= pins the issuing CA: a peer certificate, if presented, must chain through the pinned CA. Whether a certificate is mandatory at all remains controlled by auth= alone. digest= now also pins the signature digest: a classical peer must sign with the locally configured digest, and may not omit the digest NID to fall back to the key's default digest. PQC signatures (ML-DSA, SLH-DSA) have an intrinsic digest and may be NID_undef. Signed-off-by: Dimitri Staessens Signed-off-by: Sander Vrijders --- enc.conf.in | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'enc.conf.in') diff --git a/enc.conf.in b/enc.conf.in index 17b480c1..980cfb2e 100644 --- a/enc.conf.in +++ b/enc.conf.in @@ -91,6 +91,19 @@ # the server too for mutual authentication. Combine encryption=none # with auth=required for authenticated but unencrypted flows. # +# Issuer Pinning (cacert=): +# ------------------------- +# +# cacert= Path to a CA certificate that must be part of the +# peer certificate's verified chain +# +# The peer certificate is always validated against the trusted CA +# store; cacert= further restricts which CA must have issued it: a +# certificate, if presented, must chain through the pinned CA. Whether +# a certificate is mandatory is controlled by auth= alone: under +# auth=optional a peer may still connect without one. The pinned CA +# must load when the config is read, otherwise flow allocation fails. +# # KEM Mode (kem_mode=): # --------------------- # -- cgit v1.2.3