-
Notifications
You must be signed in to change notification settings - Fork 293
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
sign: Support x509 signature type #3278
base: main
Are you sure you want to change the base?
Commits on Sep 11, 2024
-
sign: Fix typo in error messages and comments
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Configuration menu - View commit details
-
Copy full SHA for 334e0b0 - Browse repository at this point
Copy the full SHA 334e0b0View commit details -
sign: Use explicit_bzero to clear secret key material
Suggested in: ostreedev#3278 (comment) Signed-off-by: Daiki Ueno <dueno@redhat.com>
Configuration menu - View commit details
-
Copy full SHA for 62e5452 - Browse repository at this point
Copy the full SHA 62e5452View commit details -
sign: Factor out logic to read key blobs
This defines a new interface OstreeBlobReader, which encapsulates the key file parsing logic. This would make it easy to support custom file formats such as PEM. Signed-off-by: Daiki Ueno <dueno@redhat.com>
Configuration menu - View commit details
-
Copy full SHA for ef44e33 - Browse repository at this point
Copy the full SHA ef44e33View commit details
Commits on Sep 12, 2024
-
sign: Add PEM reading facility
This adds a new class OstreePemReader, which reads PEM blocks from an input stream. This would be useful for the "x509" signing backend, as the keys are typically stored in the PEM format. Signed-off-by: Daiki Ueno <dueno@redhat.com>
Configuration menu - View commit details
-
Copy full SHA for 0fa1061 - Browse repository at this point
Copy the full SHA 0fa1061View commit details -
tests: Use tap_ok/tap_end in test-signed-commit.sh
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Configuration menu - View commit details
-
Copy full SHA for 5583563 - Browse repository at this point
Copy the full SHA 5583563View commit details
Commits on Sep 17, 2024
-
sign: Support spki signature type
The current "ed25519" signing type assumes raw Ed25519 key format for both public and private keys. That requires custom processing of keys after generated with openssl tools, and also lacks cryptographic agility[1]; when Ed25519 becomes vulnerable, it would not be straightforward to migrate to other algorithms, such as post-quantum signature algorithms. This patch adds a new signature type "spki" which uses the X.509 SubjectPublicKeyInfo format for public keys. Keys in this format can easily be created with openssl tools and provide crypto agility as the format embeds algorithm identifier. Currently, the corresponding private keys shall be in the PKCS#8 format, while future extensions may support other format such as opaque key handles on a hardware token. The "spki" signature type prefers keys to be encoded in the PEM format on disk, while it still accepts base64 encoded keys when given through the command-line. 1. https://en.wikipedia.org/wiki/Cryptographic_agility Signed-off-by: Daiki Ueno <dueno@redhat.com>
Configuration menu - View commit details
-
Copy full SHA for e83eda0 - Browse repository at this point
Copy the full SHA e83eda0View commit details