
Add PKI certificate usage info to the docs

Message ID 1518490017-112789-1-git-send-email-dmitri.toubelis@litmusautomation.com
State Accepted

Commit Message

Dmitri Toubelis Feb. 13, 2018, 2:46 a.m. UTC
Signed-off-by: Dmitri Toubelis <dmitri.toubelis@litmusautomation.com>
---
 doc/source/signed_images.rst | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

Comments

Stefano Babic Feb. 13, 2018, 5:58 p.m. UTC | #1
On 13/02/2018 03:46, Dmitri Toubelis wrote:
> Signed-off-by: Dmitri Toubelis <dmitri.toubelis@litmusautomation.com>
> ---
>  doc/source/signed_images.rst | 23 +++++++++++++++++++++--
>  1 file changed, 21 insertions(+), 2 deletions(-)
> 
> diff --git a/doc/source/signed_images.rst b/doc/source/signed_images.rst
> index debbb7f..a4c0b8e 100644
> --- a/doc/source/signed_images.rst
> +++ b/doc/source/signed_images.rst
> @@ -100,12 +100,13 @@ Signing the image is very simple:
>  
>          openssl dgst -sha256 -sign priv.pem sw-description > sw-description.sig
>  
> +
>  Usage with certificates and CMS
>  -------------------------------
>  
> -Generating certificates
> -.......................
>  
> +Generating self-signed certificates
> +...................................
>  
>  ::
>  
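Review bot: the added blank line before "Usage with certificates and CMS" and the blank line left behind after the removed "Generating certificates" title produce two consecutive blank lines in both places, whereas the rest of this hunk's context (one blank line between the openssl dgst block and the section title) uses a single blank line; drop the "+" blank line and one of the two blanks between "-------------------------------" and "Generating self-signed certificates". The rename itself is worth keeping, since it separates the self-signed flow from the "Using PKI issued certificates" subsection the next hunk introduces.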
> @@ -118,6 +119,24 @@ the private key and it is used for signing. It is *not* delivered on the target.
>  
>  The target must have "mycert.cert.pem" installed - this is used by SWUpdate for verification.
>  
> +
> +Using PKI issued certificates
> +.............................
> +
> +It is also possible to use PKI issued code signing certificates. However,
> +SWUpdate uses OpenSSL library for handling CMS signatures and the library
> +requires the following attributes to be set on the signing certificate:
> +
> +::
> +
> +        keyUsage=digitalSignature
> +        extendedKeyUsage=emailProtection
> +
> +It is also possible to completelly disable signing certificate key usage
> +checking if this requirement cannot be satisfied. This is controlled by
> +`CONFIG_CMS_IGNORE_CERTIFICATE_PURPOSE` configuration option.
> +
> +
>  How to sign with CMS
>  .....................
>  
> 
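Review bot: the paragraph on disabling key usage checking only says that it is possible; it should also state the consequence, namely that with `CONFIG_CMS_IGNORE_CERTIFICATE_PURPOSE` set SWUpdate accepts a CMS signature from any certificate that verifies against the installed "mycert.cert.pem" regardless of its keyUsage or extendedKeyUsage, so the option is a fallback for certificates that cannot be reissued, not a recommended default. The text also says the library "requires" the two attributes without saying why; one sentence on the reason would help readers who have to ask their CA for a certificate with `extendedKeyUsage=emailProtection` on a code signing request. Minor: "completelly" should be "completely", "uses OpenSSL library" should be "uses the OpenSSL library", "controlled by `CONFIG_...` configuration option" wants "the", "PKI issued" reads better as "PKI-issued", a single-backtick span in reST is interpreted text rather than a literal (use ``CONFIG_CMS_IGNORE_CERTIFICATE_PURPOSE``), and the two trailing "+" blank lines before "How to sign with CMS" should be one.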

Applied to -master, thanks!

Best regards,
Stefano Babic

Patch

diff --git a/doc/source/signed_images.rst b/doc/source/signed_images.rst
index debbb7f..a4c0b8e 100644
--- a/doc/source/signed_images.rst
+++ b/doc/source/signed_images.rst
@@ -100,12 +100,13 @@  Signing the image is very simple:
 
         openssl dgst -sha256 -sign priv.pem sw-description > sw-description.sig
 
+
 Usage with certificates and CMS
 -------------------------------
 
-Generating certificates
-.......................
 
+Generating self-signed certificates
+...................................
 
 ::
 
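Review bot: the "+" blank line inserted before "Usage with certificates and CMS" and the blank line that survives the removal of "Generating certificates" leave two consecutive empty lines at each spot, while the surrounding context separates the openssl dgst literal block from the section title with a single blank line; remove the added blank and one of the two between the "-------------------------------" underline and "Generating self-signed certificates" so the spacing stays uniform. Renaming the subsection to "self-signed" is correct given the PKI subsection added in the following hunk.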
@@ -118,6 +119,24 @@  the private key and it is used for signing. It is *not* delivered on the target.
 
 The target must have "mycert.cert.pem" installed - this is used by SWUpdate for verification.
 
+
+Using PKI issued certificates
+.............................
+
+It is also possible to use PKI issued code signing certificates. However,
+SWUpdate uses OpenSSL library for handling CMS signatures and the library
+requires the following attributes to be set on the signing certificate:
+
+::
+
+        keyUsage=digitalSignature
+        extendedKeyUsage=emailProtection
+
+It is also possible to completelly disable signing certificate key usage
+checking if this requirement cannot be satisfied. This is controlled by
+`CONFIG_CMS_IGNORE_CERTIFICATE_PURPOSE` configuration option.
+
+
 How to sign with CMS
 .....................
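Review bot: the last paragraph of the new "Using PKI issued certificates" subsection should spell out what disabling the check means: with `CONFIG_CMS_IGNORE_CERTIFICATE_PURPOSE` enabled, SWUpdate will accept a signature from any certificate that chains to the installed "mycert.cert.pem" whatever its keyUsage or extendedKeyUsage says, so the text should present the option as a last resort when a certificate with `keyUsage=digitalSignature` and `extendedKeyUsage=emailProtection` cannot be obtained, not as an equivalent alternative. It would also help to explain briefly why the OpenSSL library imposes these attributes, since readers requesting a code signing certificate from a CA will otherwise not know what to ask for. Wording and markup nits in the same paragraph: "completelly" -> "completely", "uses OpenSSL library" -> "uses the OpenSSL library", "controlled by `...` configuration option" -> "controlled by the ``CONFIG_CMS_IGNORE_CERTIFICATE_PURPOSE`` configuration option" (double backticks, since single backticks are interpreted text in reST), "PKI issued" -> "PKI-issued", and the two "+" blank lines before "How to sign with CMS" should be a single one.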