# OpenSSL meets P4 AAAA via LoTW

Prototype for using OpenSSL to authenticate using ARRL Logbook of The World certificates.

User is first asked to run TQSL, go to the `Callsign Certificates` screen, select the desired callsign certificate, and click `Save a Callsign Certificate`. This saves all the crypto information (including the private parts) to a file. That filename is entered below as PKCS12_filename.

Here we are using Python's libraries `cryptography` and `OpenSSL` (aka pyopenssl). See also the notebook that uses the OpenSSL command line tool, and another that combines the two for comparison purposes.

In [1]:
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives.serialization import pkcs12, Encoding
from cryptography import x509
import OpenSSL
import os
import re
import subprocess

os.chdir(os.path.expanduser('~/Desktop/AAAA_test'))
trusted_certs_filename = 'trusted/all_trusted.pem'
trusted_root_filename = 'trusted/arrlroot.pem'
trusted_prod_filename = 'trusted/arrlprod.pem'
PKCS12_filename = "KB5MU.p12"

process = subprocess.run(['ls', '-l', PKCS12_filename])

-rw-r--r-- 1 kb5mu kb5mu 6691 Jun 22 14:23 KB5MU.p12


Our first task is to find out the callsign associated with this certificate. The PKCS12 file format include "Subject" information that describes what the certificate applies to, in a standardized way. ITU X.520 https://www.itu.int/rec/T-REC-X.520-201910-I/en specifies the format, a Relative Distinguished Name. One of the ways this can be specified is with a Private Enterprise Number, which is a dot-separated sequence of numbers starting with `1.3.6.1.4.1` and followed by a number from the Enterprise Numbers list maintained by IANA at https://www.iana.org/assignments/enterprise-numbers/enterprise-numbers, plus some further sequence of numbers specified by that enterprise. The number for ARRL is `12348`, and they've apparently assigned `1.1` to mean amateur radio callsign.

With the API we can get the callsign out semantically by checking for a match with the desired Object Identifier.

From here, we're assuming that the user doesn't have a password set on his private key, just to simplify the demonstration.

In [2]:
with open(PKCS12_filename, "rb") as f:
    buffer = f.read()

p12 = pkcs12.load_pkcs12(buffer, None)
for name in p12.cert.certificate.subject.rdns:
    attributes = name.get_attributes_for_oid(x509.ObjectIdentifier('1.3.6.1.4.1.12348.1.1'))
    if attributes:
        callsign = attributes[0].value
        break
else:
    printf('Did not find a matching Object ID for the callsign')
    
callsign

'KB5MU'

Now we can grab our private key, public key, and certificates out of the PKCS12.

In [3]:
# In the API, there are already accessors for everything we need:
[
p12.key,                             # my private key
p12.additional_certs,                # upstream certificates signing my certificate
p12.cert.certificate,                # my certificate
p12.cert.certificate.public_key(),   # my public key
]

[<cryptography.hazmat.backends.openssl.rsa._RSAPrivateKey at 0x7efcde1e4e50>,
 [<PKCS12Certificate(<Certificate(subject=<Name(C=US,ST=CT,L=Newington,O=American Radio Relay League,OU=Logbook of the World,CN=Logbook of the World Production CA,DC=arrl.org,1.2.840.113549.1.9.1=lotw@arrl.org)>, ...)>, friendly_name=None)>,
  <PKCS12Certificate(<Certificate(subject=<Name(C=US,ST=CT,L=Newington,O=American Radio Relay League,OU=Logbook of the World,CN=Logbook of the World Root CA,DC=arrl.org,1.2.840.113549.1.9.1=lotw@arrl.org)>, ...)>, friendly_name=None)>],
 <Certificate(subject=<Name(1.3.6.1.4.1.12348.1.1=KB5MU,CN=PAUL T WILLIAMSON,1.2.840.113549.1.9.1=paul@mustbeart.com)>, ...)>,
 <cryptography.hazmat.backends.openssl.rsa._RSAPublicKey at 0x7efcf406fa00>]

At this point, we (the ground station) would send our authentication request to the payload, including my certificate. This certificate contains and authenticates my public key.

The payload will need to validate this certificate against the trusted LoTW root certificate and production certificate(s), which it already knows.

Unfortunately, `cryptography` doesn't have a nice way to check a certificate. We'll have to use the older `OpenSSL` library for that.

In [4]:
mycert = OpenSSL.crypto.X509.from_cryptography(p12.cert.certificate)

with open(trusted_root_filename, "r") as f:
    c = f.read()
    arrlroot = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM,c)

with open(trusted_prod_filename, "r") as f:
    c = f.read()
    arrlprod = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM,c)

# Trust ARRL's root certificate
store = OpenSSL.crypto.X509Store()
store.add_cert(arrlroot)

# only add production certificate if it can be verified by root
ctx = OpenSSL.crypto.X509StoreContext(store, arrlprod)
ctx.verify_certificate()
try:
    ctx.verify_certificate()
except:
    print('Problem with production certificate')
else:
    print('Production certificate verified')
    store.add_cert(arrlprod)

# now try to verify the offered certificate
ctx = OpenSSL.crypto.X509StoreContext(store, mycert)
try:
    ctx.verify_certificate()
except:
    print('User certificate not accepted')
else:
    print('User certificate OK')

Production certificate verified
User certificate OK


The payload will now want to extract our public key from the certificate, so it can retain the public key for checking our signatures. In fact, it will probably want to convert it to binary to minimize storage costs.

In [5]:
payload_saved_public_key = p12.cert.certificate.public_key()
payload_saved_public_key

<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey at 0x7efcde259220>

We are now in a position to sign things (using our private key) and the payload is in a position to verify that signature (using our public key, which it will have had to retain). Like so:

In [6]:
high_value_message = "My name is Ozymandias, King of Kings"

In [7]:
# for cryptography we need the message as bytes
hv_message = bytes(high_value_message, 'ascii')

# on the ground, sign the message with our private key
signature = p12.key.sign(hv_message,
                        padding.PKCS1v15(   # for legacy compatibility
#                        padding.PSS(       # recommended for new applications
#                        mgf=padding.MGF1(hashes.SHA256()),
#                        salt_length=padding.PSS.MAX_LENGTH
                        ),
                        hashes.SHA256())

signature.hex()

# in the payload, verify the signature with our public key
try:
    payload_saved_public_key.verify(signature, hv_message,
                        padding.PKCS1v15(   # for legacy compatibility
#                        padding.PSS(       # recommended for new applications
#                        mgf=padding.MGF1(hashes.SHA256()),
#                        salt_length=padding.PSS.MAX_LENGTH
                        ),
                        hashes.SHA256())
except:
    print("Signature rejected")
else:
    print("Signature OK")

Signature OK


# Ta Dah!

We've demonstrated that we can use the ARRL's LoTW public key infrastructure to securely authenticate our callsign identity and sign messages, and the payload can verify their authenticity without needing to know any of ARRL's secrets.

The security here is, of course, limited by how secure ARRL's authentication of licensed radio amateurs is. In the United States, ARRL sends a postcard to the applicant's FCC-registered mailing address. That's as secure as anything the Federal government uses for amateur radio licensees. That may not be saying a whole lot, but there's no point in us trying to be more secure than the licensing body. For amateurs outside the United States, ARRL requires them to email images of proof of their license status. Presumably ARRL looks at these documents and perhaps cross-checks them with available databases when possible. This is roughly the same amount of scrutiny the FCC would give to reciprocal license applicants, so I think we can be reasonably assured that this is sufficient.

The other limit on security is the individual amateur's ability and incentive to keep their private key a secret. Logbook of The World also relies on this. If a private key is known to be compromised, certificates can be revoked and reissued. I don't know how often that happens, or how difficult the procedure might be. If our payload is to automatically take advantage of this mechanism, it would have to perform some transactions on the Internet for each certificate verification. That wouldn't necessarily have to happen in real time.

A payload with full-featured Authentication and Authorization needs to have the capability to maintain a block list of stations not permitted to use the system. The need to handle revoked certificates cleanly points to a requirement that the block list be able to distinguish between permanent blocks on a callsign (say, for bad behavior) and blocks due to compromised private keys. Probably it would be enough if each blocked callsign also stored a date. Any certificates for that callsign older than the stored date would be rejected. Permanant blocks would just have a date in the very far future.
