Add functionality for external signatures #2

Merged: 3 commits merged on Jan 27, 2021

Commits on Jan 27, 2021

  1. Add functionality for auth generation with signed data instead of private key

    Previously, if a user wanted to make a signed auth file, they would need to supply secvarctl with public and private key pairs for signing the data. Recently, it has come to our attention that some users will not have access to their private keys as they may be under the guard of a signing framework server. In this case, the most secvarctl can do is to generate the hash to be signed. From there, it is up to the user to generate the signature with their signing framework. Then the user can give secvarctl the signature and the generation of PKCS7/auth files can resume. It is important the user uses the same timestamp in both the presignature generation and auth/PKCS7 generation. Now, with this commit, the user can use a signing framework to generate an auth file using the below commands:
        - $ secvarctl generate c:x -n <varName> -t <timeStamp> -i <certificate> -o <sha256.hash>
        - $ <user sends hash to be signed -in <sha256.hash> -out <signature.bin>
        - $ secvarctl generate c:a -n <varName> -t <timeStamp> -i <certificate> -o <newAuth> -c <signingCert> -s <signature.bin>
    nick-child-ibm committed Jan 27, 2021
    7d12184
  2. Documentation: Update documentation for external signing functionality

    In the previous commit, abilities to create auth and PKCS7 files with raw signed data files in replacement of private key arguments were introduced. This commit adds those changes to the documentation and help messages.
    nick-child-ibm committed Jan 27, 2021
    f2ee1b9
  3. runSvcGenerateTests.py: Add tests for external signature

    In the two previous commits, documentation and functionality were added to allow for secvarctl to accept an external signature rather than generating the signature internally. Now, we add tests to ensure that the enhancement was executed appropriately. To test, we generate a signed auth file to work as our control. Then we generate an unsigned hash digest and sign it externally with openssl. We then use the signature to generate another signed auth file that will be our experiment. If the control and experiment contain the exact same data, then the test passes.
    nick-child-ibm committed Jan 27, 2021
    395e49b
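
The control-versus-experiment idea from commit 3 and the same-timestamp requirement from commit 1, as an added example that is not part of this pull request or of the secvarctl code base. It assumes an RSA signer with PKCS#1 v1.5 padding and SHA-256 (so signatures are deterministic); `openssl dgst -sign` stands in for internal signing, `openssl pkeyutl` for the external signing framework, and all file names and payloads are constructed.

```shell
# Added example: constructed file names and payloads; secvarctl is not invoked.
# Assumption: RSA key, PKCS#1 v1.5 padding, SHA-256 (deterministic signatures).

# compare_signing_paths <workdir>
# Returns 0 when the internally signed "control" and the externally signed
# "experiment" are byte-identical and the experiment verifies.
compare_signing_paths() {
    dir=$1
    # Constructed stand-ins for the signer's key and the data to be signed.
    openssl genrsa -out "$dir/signer.key" 2048 2>/dev/null || return 2
    openssl rsa -in "$dir/signer.key" -pubout -out "$dir/signer.pub" 2>/dev/null || return 2
    printf 'constructed payload: varName + timestamp + certificate\n' > "$dir/data.bin"

    # Control: the private key is local, so hashing and signing happen in one step.
    openssl dgst -sha256 -sign "$dir/signer.key" -out "$dir/control.sig" "$dir/data.bin" || return 2

    # Experiment, step 1: only the raw 32-byte SHA-256 digest leaves the tool.
    openssl dgst -sha256 -binary -out "$dir/sha256.hash" "$dir/data.bin" || return 2
    # Experiment, step 2: the key holder signs the digest without seeing the data.
    openssl pkeyutl -sign -inkey "$dir/signer.key" -pkeyopt digest:sha256 \
        -in "$dir/sha256.hash" -out "$dir/signature.bin" || return 2

    # The external signature must verify against the original data...
    openssl dgst -sha256 -verify "$dir/signer.pub" -signature "$dir/signature.bin" \
        "$dir/data.bin" >/dev/null 2>&1 || return 1
    # ...and match the control byte for byte.
    cmp -s "$dir/control.sig" "$dir/signature.bin"
}

# digest_mismatch_detected <workdir>   (run after compare_signing_paths)
# Returns 0 when a signature over a digest of different data, such as a
# payload built with another timestamp, fails to verify against data.bin.
digest_mismatch_detected() {
    dir=$1
    printf 'constructed payload with a different timestamp\n' > "$dir/other.bin"
    openssl dgst -sha256 -binary -out "$dir/other.hash" "$dir/other.bin" || return 2
    openssl pkeyutl -sign -inkey "$dir/signer.key" -pkeyopt digest:sha256 \
        -in "$dir/other.hash" -out "$dir/other.sig" || return 2
    ! openssl dgst -sha256 -verify "$dir/signer.pub" -signature "$dir/other.sig" \
        "$dir/data.bin" >/dev/null 2>&1
}

workdir=$(mktemp -d)
compare_signing_paths "$workdir" && echo "control and experiment match"
digest_mismatch_detected "$workdir" && echo "mismatched digest rejected"
rm -rf "$workdir"
```

With a randomized scheme such as RSA-PSS or ECDSA the byte-for-byte comparison would not hold, and only the verification step would be a meaningful check.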