| Message ID | 1526345752-21072-1-git-send-email-brett.grandbois@opengear.com |
|---|---|
| Series | Signed-Boot OpenSSL support |
On Tue, 2018-05-15 at 10:55 +1000, Brett Grandbois wrote:
> Changes in v2:
> * add build support for openssl 1.1.x

Reviewed-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>

Looking good to me. Timothy, this of course touches on your GPGME work
but shouldn't make any functional changes to it. Any thoughts?

Cheers,
Sam

>
> Add support for configuration choice between GPGME or OpenSSL for signed-boot.
>
> For configuration the --with-signed-boot option now takes the following values:
>
> no      - disable signed boot (as before)
> gpgme   - configure for gpgme (as before), fail if not found
> openssl - configure for openssl, fail if not found
> yes     - look first for gpgme and then openssl, using the first found; fail on none.
>           This should behave as before if gpgme is installed.
>
> Fail on any other invalid options.
>
> Add the following variables:
>
> KEYRING_PATH  - path to the gpgme home dir, currently unused in openssl but could
>                 be expanded to be the certificate store for verification. Default
>                 is /etc/gpg as before.
>
> VERIFY_DIGEST - string to specify the signature verification MD in OpenSSL raw dgst mode.
>
> The OpenSSL support works like this:
>
> The pb-lockdown file is a PKCS12 file or X509 certificate or PEM-encoded
> raw public key. To follow the current conventions the presence of a
> PKCS12 file as a lockdown signals decrypt mode because of the presence
> of the private key; anything else signals signature verification mode.
> The keyring path is currently ignored but in the future could be used to
> point to an X509 certificate chain for validity checking. Because of
> this, self-signed certificates are currently supported and really just
> used as a public key container.
>
> Signature verification mode supports:
>
> * Cryptographic Message Syntax (CMS) as detached S/MIME. This is really
>   more for consistency with the encryption mode (see below). This mode
>   requires the lockdown file to be an X509 certificate.
>
>   A sample creation command would be:
>   openssl cms -sign -in (infile) -out (outfile) -binary -nocerts \
>       -inkey (private key) -signer (recipient certificate)
>
> * Raw signature digest as output from the openssl dgst -sign command. This
>   mode can have the lockdown file be an X509 certificate or a PEM raw
>   public key, but the digest algorithm must be pre-defined by the
>   VERIFY_DIGEST configure argument. The default is SHA256.
>
>   A sample creation command would be:
>   openssl dgst -sign (private key) -out (outfile) -(digest mode) \
>       (infile)
>
> Decryption mode supports:
>
> * CMS signed-envelope as attached S/MIME. This is for consistency with
>   the current expectation of no external file for decryption. Some
>   future enhancement could be to come up with some proprietary external
>   file format containing the cipher used, the encrypted cipher key, and
>   the IV (if necessary).
>
>   A sample creation command would be:
>   openssl cms -sign -in (infile) -signer (recipient certificate) \
>       -binary -nocerts -nodetach -inkey (private key) | \
>   openssl cms -encrypt -(cipher mode) -out (outfile) \
>       (recipient certificate)
>
> The PKCS12 file is expecting the private key to have a password of NULL or
> "" as there is currently no mechanism to supply a custom one.
>
> Brett Grandbois (5):
>   configure: Add signed-boot openssl configuration support
>   lib/security: add in openssl support
>   discover: Update to reflect generic signed boot API
>   ui/ncurses: Update LOCKDOWN_FILE check to reflect generic SIGNED_BOOT
>   test/lib: Add OpenSSL verify and decrypt tests
>
>  configure.ac                                  |  95 +++--
>  discover/Makefile.am                          |   3 +-
>  discover/boot.c                               |  12 +-
>  lib/Makefile.am                               |  42 ++-
>  lib/security/common.c                         | 230 +++++++++++++
>  lib/security/gpg.c                            | 202 +----------
>  lib/security/gpg.h                            |  83 -----
>  lib/security/none.c                           |  61 ++++
>  lib/security/openssl.c                        | 476 ++++++++++++++++++++++++++
>  lib/security/security.h                       |  46 +++
>  m4/ax_check_openssl.m4                        | 124 +++++++
>  test/lib/Makefile.am                          |   7 +
>  test/lib/data/security/cert.p12               | Bin 0 -> 2469 bytes
>  test/lib/data/security/cert.pem               |  21 ++
>  test/lib/data/security/key.pem                |  28 ++
>  test/lib/data/security/pubkey.pem             |   9 +
>  test/lib/data/security/rootdata.cmsenc        |  17 +
>  test/lib/data/security/rootdata.cmsencver     |  41 +++
>  test/lib/data/security/rootdata.cmsver        |  31 ++
>  test/lib/data/security/rootdata.txt           |   2 +
>  test/lib/data/security/rootdata_different.txt |   2 +
>  test/lib/data/security/rootdatasha256.sig     | Bin 0 -> 256 bytes
>  test/lib/data/security/rootdatasha512.sig     | Bin 0 -> 256 bytes
>  test/lib/data/security/wrong_cert.pem         |  21 ++
>  test/lib/data/security/wrong_key.pem          |  28 ++
>  test/lib/test-security-openssl-decrypt.c      |  82 +++++
>  test/lib/test-security-openssl-verify.c       | 103 ++++++
>  ui/ncurses/nc-boot-editor.c                   |   2 +-
>  28 files changed, 1419 insertions(+), 349 deletions(-)
>  create mode 100644 lib/security/common.c
>  delete mode 100644 lib/security/gpg.h
>  create mode 100644 lib/security/none.c
>  create mode 100644 lib/security/openssl.c
>  create mode 100644 lib/security/security.h
>  create mode 100644 m4/ax_check_openssl.m4
>  create mode 100644 test/lib/data/security/cert.p12
>  create mode 100644 test/lib/data/security/cert.pem
>  create mode 100644 test/lib/data/security/key.pem
>  create mode 100644 test/lib/data/security/pubkey.pem
>  create mode 100644 test/lib/data/security/rootdata.cmsenc
>  create mode 100644 test/lib/data/security/rootdata.cmsencver
>  create mode 100644 test/lib/data/security/rootdata.cmsver
>  create mode 100644 test/lib/data/security/rootdata.txt
>  create mode 100644 test/lib/data/security/rootdata_different.txt
>  create mode 100644 test/lib/data/security/rootdatasha256.sig
>  create mode 100644 test/lib/data/security/rootdatasha512.sig
>  create mode 100644 test/lib/data/security/wrong_cert.pem
>  create mode 100644 test/lib/data/security/wrong_key.pem
>  create mode 100644 test/lib/test-security-openssl-decrypt.c
>  create mode 100644 test/lib/test-security-openssl-verify.c
>
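The cover letter quoted above describes three lockdown-file forms (PKCS12, X509 certificate, PEM public key), two signature-verification modes (CMS detached S/MIME, raw `openssl dgst` signature with a pre-agreed VERIFY_DIGEST) and one decryption mode (signed message inside a CMS envelope). The script below is an added example, not petitboot code and not part of this thread: it builds constructed key material and a constructed payload in a temporary directory, classifies each lockdown form the way the cover letter describes, then creates each artefact with the cover letter's own openssl commands and checks it from the verifier's side, including the rejections a practitioner cares about (digest mismatch, wrong key, altered data). The helper names, file names and the `-noverify`/`-certfile` choice on verification are assumptions of this demo, not petitboot's API; it only needs the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example (not petitboot code). Helper names, file names and the sample
# payload are constructed for this demo; petitboot's own detection logic lives
# in lib/security/openssl.c and is not reproduced here.
set -eu
W=$(mktemp -d)
trap 'rm -rf "$W"' EXIT

# Constructed key material: one RSA key with a self-signed certificate (used
# only as a public-key container, as the cover letter says), its bare PEM
# public key, and a PKCS12 bundle with the empty password the code expects.
openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=signed-boot-demo -days 1 \
    -keyout "$W/key.pem" -out "$W/cert.pem" 2>/dev/null
openssl x509 -in "$W/cert.pem" -pubkey -noout > "$W/pubkey.pem"
openssl pkcs12 -export -inkey "$W/key.pem" -in "$W/cert.pem" \
    -out "$W/cert.p12" -passout pass:
# An unrelated key stands in for a lockdown file that must not match.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$W/wrong_key.pem" 2>/dev/null
openssl pkey -in "$W/wrong_key.pem" -pubout -out "$W/wrong_pub.pem"
# Constructed payload plus a copy that differs in one byte.
printf 'kernel=/vmlinuz root=/dev/sda2\n' > "$W/data.txt"
printf 'kernel=/vmlinuz root=/dev/sda3\n' > "$W/data_different.txt"

# Classify a pb-lockdown file as the cover letter describes: a PKCS12 file
# carries a private key and selects decrypt mode; an X509 certificate or a
# PEM public key selects verification mode; anything else is rejected.
lockdown_mode() {
    if openssl pkcs12 -in "$1" -passin pass: -noout >/dev/null 2>&1; then
        echo decrypt
    elif openssl x509 -in "$1" -noout >/dev/null 2>&1; then
        echo verify-cert
    elif openssl pkey -pubin -in "$1" -noout >/dev/null 2>&1; then
        echo verify-pubkey
    else
        echo invalid
    fi
}

# Raw "openssl dgst -sign" mode. The verifier must know the digest up front
# (VERIFY_DIGEST): a signature made with one digest fails under another.
# A certificate is accepted as lockdown by extracting its public key first.
sign_raw() {   # digest key data sig
    openssl dgst "-$1" -sign "$2" -out "$4" "$3"
}
verify_raw() { # digest pubkey-or-cert data sig
    key=$2
    if openssl x509 -in "$key" -noout >/dev/null 2>&1; then
        openssl x509 -in "$key" -pubkey -noout > "$W/_pk.pem"; key=$W/_pk.pem
    fi
    openssl dgst "-$1" -verify "$key" -signature "$4" "$3" >/dev/null 2>&1
}

# CMS detached S/MIME mode, created with the cover letter's command. Signing
# with -nocerts means the verifier has to be handed the signer certificate;
# -noverify mirrors the current design, where no certificate chain is checked.
sign_cms_detached() {   # data sig cert key
    openssl cms -sign -in "$1" -out "$2" -binary -nocerts -inkey "$4" -signer "$3"
}
verify_cms_detached() { # sig data cert
    openssl cms -verify -in "$1" -content "$2" -binary -certfile "$3" \
        -noverify -out /dev/null >/dev/null 2>&1
}

# Decrypt mode: attached CMS signed message wrapped in a CMS envelope, built
# with the cover letter's pipeline. Recovery is decrypt, then verify the
# inner signature; if either step fails the whole operation fails.
encrypt_cms() { # data enc cert key
    openssl cms -sign -in "$1" -signer "$3" -binary -nocerts -nodetach \
        -inkey "$4" | openssl cms -encrypt -aes-256-cbc -out "$2" "$3"
}
decrypt_cms() { # enc out cert key
    openssl cms -decrypt -in "$1" -inkey "$4" -recip "$3" \
        -out "$W/_inner.smime" >/dev/null 2>&1 &&
    openssl cms -verify -in "$W/_inner.smime" -certfile "$3" -noverify \
        -out "$2" >/dev/null 2>&1
}

# Walk-through: create every artefact, then exercise the accept/reject cases.
sign_raw sha256 "$W/key.pem" "$W/data.txt" "$W/data.sha256.sig"
sign_cms_detached "$W/data.txt" "$W/data.cmsver" "$W/cert.pem" "$W/key.pem"
encrypt_cms "$W/data.txt" "$W/data.cmsenc" "$W/cert.pem" "$W/key.pem"
for f in cert.p12 cert.pem pubkey.pem data.txt; do
    echo "lockdown $f -> $(lockdown_mode "$W/$f")"
done
if verify_raw sha256 "$W/pubkey.pem" "$W/data.txt" "$W/data.sha256.sig"; then
    echo "raw sha256 signature: verified"; fi
if ! verify_raw sha512 "$W/pubkey.pem" "$W/data.txt" "$W/data.sha256.sig"; then
    echo "raw signature checked with the wrong VERIFY_DIGEST: rejected"; fi
if ! verify_raw sha256 "$W/wrong_pub.pem" "$W/data.txt" "$W/data.sha256.sig"; then
    echo "raw signature against the wrong public key: rejected"; fi
if verify_cms_detached "$W/data.cmsver" "$W/data.txt" "$W/cert.pem"; then
    echo "CMS detached signature: verified"; fi
if ! verify_cms_detached "$W/data.cmsver" "$W/data_different.txt" "$W/cert.pem"; then
    echo "CMS detached signature over altered data: rejected"; fi
if decrypt_cms "$W/data.cmsenc" "$W/out.txt" "$W/cert.pem" "$W/key.pem"; then
    echo "CMS envelope: decrypted, inner signature verified"; fi
if ! decrypt_cms "$W/data.cmsenc" "$W/out2.txt" "$W/cert.pem" "$W/wrong_key.pem"; then
    echo "CMS envelope with the wrong private key: rejected"; fi
```

Two points follow directly from the cover letter. The raw dgst mode carries no algorithm identifier in the signature file, so VERIFY_DIGEST must match exactly what the signer used; the script shows a SHA-256 signature failing when checked as SHA-512. And because the keyring path is ignored in this version, `-noverify` is what the design currently amounts to; a deployment that wants chain validation would drop `-noverify` and pass the trusted chain with `-CAfile` instead of treating the certificate purely as a key container.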
On Wed, 2018-05-23 at 11:04 +1000, Samuel Mendoza-Jonas wrote:
> On Tue, 2018-05-15 at 10:55 +1000, Brett Grandbois wrote:
> > Changes in v2:
> > * add build support for openssl 1.1.x
>
> Reviewed-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>

Merged as d47114d

> Looking good to me. Timothy, this of course touches on your GPGME work
> but shouldn't make any functional changes to it. Any thoughts?
>
> Cheers,
> Sam
>
> [...]

_______________________________________________
Petitboot mailing list
Petitboot@lists.ozlabs.org
https://lists.ozlabs.org/listinfo/petitboot